diff -Nru snort-2.9.0.1/aclocal.m4 snort-2.9.2/aclocal.m4
--- snort-2.9.0.1/aclocal.m4 2010-10-08 02:56:47.000000000 -0700
+++ snort-2.9.2/aclocal.m4 2011-12-07 11:23:11.000000000 -0800
@@ -13,8 +13,8 @@
 m4_ifndef([AC_AUTOCONF_VERSION],
 [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],,
-[m4_warning([this file was generated for autoconf 2.65.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.63],,
+[m4_warning([this file was generated for autoconf 2.63.
 You have another version of autoconf. It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -7968,6 +7968,162 @@
 m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
 m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
+#
+# Copyright © 2004 Scott James Remnant .
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# PKG_PROG_PKG_CONFIG([MIN-VERSION])
+# ----------------------------------
+AC_DEFUN([PKG_PROG_PKG_CONFIG],
+[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
+m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+ AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
+fi
+if test -n "$PKG_CONFIG"; then
+ _pkg_min_version=m4_default([$1], [0.9.0])
+ AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ PKG_CONFIG=""
+ fi
+
+fi[]dnl
+])# PKG_PROG_PKG_CONFIG
+
+# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+#
+# Check to see whether a particular set of modules exists. Similar
+# to PKG_CHECK_MODULES(), but does not set variables or print errors.
+#
+#
+# Similar to PKG_CHECK_MODULES, make sure that the first instance of
+# this or PKG_CHECK_MODULES is called, or make sure to call
+# PKG_CHECK_EXISTS manually
+# --------------------------------------------------------------
+AC_DEFUN([PKG_CHECK_EXISTS],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+if test -n "$PKG_CONFIG" && \
+ AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
+ m4_ifval([$2], [$2], [:])
+m4_ifvaln([$3], [else
+ $3])dnl
+fi])
+
+
+# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
+# ---------------------------------------------
+m4_define([_PKG_CONFIG],
+[if test -n "$$1"; then
+ pkg_cv_[]$1="$$1"
+ elif test -n "$PKG_CONFIG"; then
+ PKG_CHECK_EXISTS([$3],
+ [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+ [pkg_failed=yes])
+ else
+ pkg_failed=untried
+fi[]dnl
+])# _PKG_CONFIG
+
+# _PKG_SHORT_ERRORS_SUPPORTED
+# -----------------------------
+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi[]dnl
+])# _PKG_SHORT_ERRORS_SUPPORTED
+
+
+# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+# [ACTION-IF-NOT-FOUND])
+#
+#
+# Note that if there is a possibility the first call to
+# PKG_CHECK_MODULES might not happen, you should be sure to include an
+# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
+#
+#
+# --------------------------------------------------------------
+AC_DEFUN([PKG_CHECK_MODULES],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+
+pkg_failed=no
+AC_MSG_CHECKING([for $1])
+
+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
+_PKG_CONFIG([$1][_LIBS], [libs], [$2])
+
+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
+and $1[]_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.])
+
+if test $pkg_failed = yes; then
+ _PKG_SHORT_ERRORS_SUPPORTED
+ if test $_pkg_short_errors_supported = yes; then
+ $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1`
+ else
+ $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+
+ ifelse([$4], , [AC_MSG_ERROR(dnl
+[Package requirements ($2) were not met:
+
+$$1_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+_PKG_TEXT
+])],
+ [AC_MSG_RESULT([no])
+ $4])
+elif test $pkg_failed = untried; then
+ ifelse([$4], , [AC_MSG_FAILURE(dnl
+[The pkg-config script could not be found or is too old. Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+_PKG_TEXT
+
+To get pkg-config, see .])],
+ [$4])
+else
+ $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+ $1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+ AC_MSG_RESULT([yes])
+ ifelse([$3], , :, [$3])
+fi[]dnl
+])# PKG_CHECK_MODULES
+
 # Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
diff -Nru snort-2.9.0.1/ChangeLog snort-2.9.2/ChangeLog
--- snort-2.9.0.1/ChangeLog 2010-10-25 12:48:54.000000000 -0700
+++ snort-2.9.2/ChangeLog 2011-12-08 08:49:14.000000000 -0800
@@ -1,4 +1,1528 @@ +2011-12-14 Ryan Jordan +Snort 2.9.2 + * src/build.h: updating build number to 78 + + * snort.8: + Fixed spelling errors. Thanks to Neline van Ginkel for the report. + + * src/: snort.c, preprocessors/spp_perfmonitor.c: + Perfmonitor "now" files are created after Snort drops privileges. + + * src/output-plugins/spo_unified2.c: + Only log IPv6 extra data when the packet is IPv6. + + * src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c: + Fixed unfolding of HTTP Headers across packet boundaries. + Thanks to Jim Hranicky for reporting this issue on the RC build. + + * src/preprocessors/spp_httpinspect.c: + HTTP Inspect should check for hi_swap_config in HttpInspectInit() + only when snort is compiled with --enable-reload. + Fixed build errors on Win32. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + When pruning a session, don't attempt to flush if the grinder + failed to decode a TCP header. + Thanks to Jim Hranicky for reporting this issue on the RC build. + +2011-11-23 Ryan Jordan +Snort 2.9.2 RC + * src/build.h: updating build number to 75 + + * src/preprocessors/spp_httpinspect.c: + Fixed an issue with HTTP Inspect server conf reload + (when the HTTP Inspect is turned on from off between a reload) + + * src/preprocessors/spp_stream5.c: + Fixed a memory leak caused by initializing the expected channel + more than once. + + * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: + Fixed a segfault during dcerpc2 startup when stream5 is not enabled. + + * src/preprocessors/spp_normalize.c: + Added support to turn normalization off or on during a Snort reload. + + * src/dynamic-preprocessors/modbus/spp_modbus.c: + Moved the check for truncated PDUs past the port check, to avoid + false positives. + + * src/sfutil/bitop_funcs.h: + Fixed an error in the allocation of flowbit groups, where bytes + were interpreted as bits. 
+ + * src/detection-plugins/sp_flowbits.c: + Fixed a flowbits issue where the "isset" operation failed when + there was only a single flowbit in a group. + Fixed the error message logged when the same flowbit is added + to two groups. + + * src/ipv6_port.h: + * src/: dynamic-preprocessors/gtp/gtp_parser.c, + dynamic-preprocessors/gtp/gtp_roptions.c, + dynamic-preprocessors/ftptelnet/pp_ftp.c, + dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, + dynamic-preprocessors/reputation/reputation_config.c, + sfutil/segment_mem.c, encode.c: + Compiler warning cleanup. + + * doc/: README.reload, snort_manual.pdf, snort_manual.tex: + Updated the reload documentation to mention the caveat that exists + with reload and fail-open in OpenBSD when Snort is run on primary + network interface. + + * src/dynamic-preprocessors/dnp3/: dnp3_reassembly.c, + dnp3_reassembly.h, dnp3_roptions.c, spp_dnp3.c: + Added support for multiple DNP3 PDUs in a single DNP3 payload. + Fixed an issue where the DNP3 preprocessor only identified the + minimum reserved address, instead of all reserved addresses. + + * src/dynamic-preprocessors/dnp3/spp_dnp3.h: + Updated an incorrect minimum DNP3 memcap to match the documented + minimum of 4144 bytes. + + * src/output-plugins/spo_unified2.c: + Snort will fatal error when the user configures the same filename + for options "alert_unified2" and "log_unified2". + + * src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c, sfrt_dir.h: + Added the ability to delete entries in the sfrt table. 
+ + * src/preprocessors/snort_httpinspect.c, + src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c, + src/preprocessors/spp_stream5.c, + src/preprocessors/Stream5/snort_stream5_tcp.c, + src/preprocessors/Stream5/stream5_common.c, + src/dynamic-preprocessors/reputation/reputation_config.c, + etc/gen-msg.map, src/detection-plugins/sp_flowbits.c, + src/detection-plugins/sp_replace.c, + src/output-plugins/spo_alert_sf_socket.c, src/decode.c, + src/detect.c, src/generators.h, src/sfdaq.c, src/snort.c, + src/tag.c, src/util.c, src/dynamic-plugins/sf_dynamic_plugins.c, + src/sfutil/acsmx2.c, configure.in, + src/dynamic-preprocessors/dnp3/spp_dnp3.c, + src/target-based/sftarget_protocol_reference.c: + * src/dynamic-preprocessors/dnp3/dnp3_roptions.c: + Made the format of warning messages consistent. + + * src/dynamic-preprocessors/: dnp3/spp_dnp3.c, modbus/spp_modbus.c: + Providing an empty port list now causes a fatal error. + + * src/dynamic-preprocessors/dnp3/spp_dnp3.h: + Fixed reserved address check on big-endian machines. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Changed identification of TCP retransmits by comparing payloads + instead of TCP checksums. + + * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, + src/dynamic-preprocessors/imap/snort_imap.c, + src/dynamic-preprocessors/pop/snort_pop.c, + src/dynamic-preprocessors/smtp/smtp_util.c, + src/dynamic-preprocessors/smtp/snort_smtp.c, + src/output-plugins/spo_unified2.c, + src/preprocessors/snort_httpinspect.c, + src/preprocessors/snort_httpinspect.h, + src/preprocessors/spp_httpinspect.c, + src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, + src/preprocessors/HttpInspect/include/hi_ui_config.h, + src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c: + Enable logging of normalized JavaScript to unified2 when built + without --enable-sourcefire. + - Changed extra data logging to log packet-specific data + (gzip/normalized) after each packet. 
+ - Updated u2spewfoo to read the normalized JavaScript + extra data. + + * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c: + Fixed a bug where "dnp3_data" rules would not work if the content + was broken up by CRCs or split across multiple DNP3 segments. + As a result, DNP3 rules that inspect the DNP3 headers now require + "rawbytes" to work correctly, as the DNP3 reassembly buffer is + inspected by default. + + * etc/gen-msg.map, preproc_rules/preprocessor.rules, + src/dynamic-preprocessors/dnp3/spp_dnp3.h: + Removed DNP3 rule 145:5, and decremented the SIDs of rules 145:6 + and 145:7. The old 145:5 was never able to be triggered. + Updated references for rules 119:15 and 137:1. + + * rpm/snort.spec: + Updated the RPM spec file to use wildcards for linking and installing + preprocessors. Thanks to Tim Brigham for the suggestion. + + * src/detection_util.h: + Increased the URI buffer size from 4096 to 8192 to normalize and + detect longer URIs. + + * src/preprocessors/: spp_frag3.c, spp_stream5.c, + Stream5/snort_stream5_tcp.c, Stream5/snort_stream5_udp.c: + Change the printing function of tracker/session sizes + (TcpSession/UdpSession/StreamLWSession/FragTarcker) from fprintf + to LogMessage. + Fix handling of "first" and "vista" policies in stream5 that, + under certain circumstances with overlaps and gaps, could cause + the stream5 segmentation list to get out of order. + + * doc/snort_manual.pdf, doc/snort_manual.tex, + src/detection-plugins/sp_dsize_check.c: + Enable the "dsize" rule option with rebuilt packets, if it is the + start of a PDU. Thanks to Dave Bertouille for reporting this problem. + + * src/dynamic-preprocessors/modbus/modbus_decode.c: + Added length checking for Modbus "Read File Record" and + "Write File Record" requests. + + * src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h, + tools/u2spewfoo/u2spewfoo.c: + Added new Unified2 event structs with extra application ID data. + Updated u2spewfoo to read these fields. 
+ + * src/detection-plugins/: sp_asn1_detect.c, sp_byte_check.c, + sp_byte_jump.c, sp_isdataat.c: + Allow rule evaluation to continue if the doe_ptr reaches the end + of a buffer, but a negative offset brings it back in-bounds. + Thanks again to Dave Bertouille for the suggestion. + + * src/target-based/sf_attribute_table.y: + Allow empty attribute_value in attribute table. + + * configure.in, + src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: + Added Protocol-Aware Flushing support for FTP. + + * snort.8: + Updated the man page to include more signals that have been used. + Made some format changes, thanks to Markus Lude. + + * doc/Makefile.am: + Fixed an error while running "make distcleancheck". + + * doc/snort_manual.pdf, doc/snort_manual.tex, + src/win32/WIN32-Includes/config.h, configure.in, src/snort.c, + src/snort.h, src/util.c, src/control/sfcontrol.c, + src/target-based/sftarget_reader.c: + Redefined default signals, and added support for signal + customization. + + +2011-10-28 Ryan Jordan +Snort 2.9.2 Beta + * src/build.h: updating build number to 64 + + * src/preprocessors/: snort_httpinspect.c, + HttpInspect/include/hi_ui_config.h, + HttpInspect/server/hi_server.c, + HttpInspect/server/hi_server_norm.c, + HttpInspect/user_interface/hi_ui_config.c: + * src/sfutil/: util_jsnorm.c, util_jsnorm.h: + Updated the HTTP preprocessor to normalize HTTP responses that include + javascript escaped data in their bodies. This expands Snort's coverage + in detecting HTTP client-side attacks. + See the Snort Manual and README.http_inspect for configuration details. + + * doc/README.modbus: + * src/dynamic-preprocessors/modbus/: Makefile.am, modbus_decode.c, + modbus_decode.h, modbus_paf.c, modbus_paf.h, modbus_roptions.c, + modbus_roptions.h, sf_modbus.dsp, spp_modbus.c, spp_modbus.h: + Added the Modbus preprocessor, which decodes the Modbus protocol and + provides new rule options for some protocol fields. 
+ See the Snort Manual and README.modbus for more details. + + * doc/README.dnp3: + * src/dynamic-preprocessors/dnp3/: Makefile.am, dnp3_map.c, dnp3_map.h, + dnp3_paf.c, dnp3_paf.h, dnp3_reassembly.c, dnp3_reassembly.h, + dnp3_roptions.c, dnp3_roptions.h, sf_dnp3.dsp, spp_dnp3.c, spp_dnp3.h: + Added the DNP3 preprocessor, which decodes the DNP3 protocol + and provides new rule options for some protocol fields. + The preprocessor also performs reassembly of segmented DNP3 traffic. + See the Snort Manual and README.dnp3 for more details. + + * doc/README.gtp: + * src/decode.c: + * src/dynamic-preprocessors/gtp/: Makefile.am, gtp_config.c, + gtp_config.h, gtp_debug.h, gtp_parser.c, gtp_parser.h, gtp_roptions.c, + gtp_roptions.h, sf_gtp.dsp, spp_gtp.c, spp_gtp.h + Added a packet decoder and preprocessor for the GTP protocol. + These support detecting attacks over GTP (GPRS Tunneling Protocol). + See the Snort Manual and README.gtp for more details. + + * doc/faq.pdf, doc/faq.tex, src/Makefile.am, src/debug.c, + src/smalloc.h, src/snort_debug.h, + src/dynamic-plugins/sf_dynamic_common.h, + src/dynamic-preprocessors/dcerpc2/dce2_paf.c, + src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, + src/dynamic-preprocessors/gtp/gtp_debug.h, + src/dynamic-preprocessors/sip/sip_debug.h, + src/parser/IpAddrSet.c, + src/preprocessors/HttpInspect/utils/hi_paf.c, + src/preprocessors/Stream5/stream5_paf.c: + Expanded the debug bits from 32 to 64 bits. + + * src/preprocessors/: spp_stream5.c, Stream5/snort_stream5_icmp.c, + Stream5/snort_stream5_icmp.h, Stream5/snort_stream5_ip.c, + Stream5/snort_stream5_ip.h, Stream5/snort_stream5_udp.c, + Stream5/snort_stream5_udp.h: + Cleaned up application data for non-TCP sessions after + a block or timeout. + + * src/preprocessors/spp_sfportscan.c: + Negative memcap numbers are no longer allowed. + + * src/preprocessors/HttpInspect/server/hi_server.c: + HTTP responses with incorrect status messages are now inspected. 
+ + * src/preprocessors/Stream5/stream5_paf.c: + Fixed PAF callback registration during Snort reload. + + * src/parser.c: + Fixed crash when setting HOME_NET to an empty variable. + Thanks to Elof for reporting this issue. + + * src/preprocessors/spp_normalize.c: + Don't register the packet callback if Snort is not inline. + Fixed a crash in the normalizer during Snort reload. + + * src/: sfdaq.c, sfdaq.h, snort.c, snort.h, util.c: + Fixed a possible segfault upon fatal error during Snort reload. + + * src/win32/WIN32-Prj/snort_installer.nsi: + Updated Windows project files for new preprocessors. + + * doc/: snort_manual.pdf, snort_manual.tex: + Updated the Snort manual for new features. + Updated the names of contributors to match those found on snort.org. + Updated the 'config cs_dir' path to be relative to pid-path. + + Described the FlowIP CSV file format. Thanks to Eoin Miller for + pointing out the lack of documentation. + + * src/preprocessors/: perf-base.c, perf-base.h, perf.c, perf.h, + spp_frag3.c, spp_frag3.h, Stream5/snort_stream5_tcp.c: + Added frag3 and stream5 memory usage to perfmon output. + + * src/control/sfcontrol.c: + Added counters to bypass the work queue mutex when nothing + is queued. + Cleaned up compiler warnings. + + * src/preprocessors/HttpInspect/client/hi_client.c: + When the same IP is parsed multiple times for XFF/True-client-IP + , the duplicate entries are freed from memory. + + * src/preprocessors/: stream_expect.c, spp_stream5.c, stream_api.h, + stream_expect.h, Stream5/snort_stream5_session.c, + Stream5/snort_stream5_session.h, Stream5/stream5_common.h: + Changed instances of "char" to "uint8_t" when dealing with + protocol numbers, preventing a potential issue when Snort + supports protocols > 128. Thanks to Joshua Kinard for + providing a patch for this issue. + + * src/detection-plugins/sp_react.c: + Added a content-length header to the react responses. 
+ + * src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h, + dynamic-preprocessors/imap/snort_imap.c, + dynamic-preprocessors/pop/snort_pop.c, + dynamic-preprocessors/smtp/smtp_config.h, + dynamic-preprocessors/smtp/smtp_util.c, + dynamic-preprocessors/smtp/smtp_util.h, + dynamic-preprocessors/smtp/snort_smtp.c, + dynamic-preprocessors/smtp/snort_smtp.h, + dynamic-preprocessors/smtp/spp_smtp.c, + output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c, + preprocessors/snort_httpinspect.h, + preprocessors/spp_httpinspect.c, preprocessors/spp_stream5.c, + preprocessors/stream_api.h, + preprocessors/HttpInspect/include/hi_ui_config.h, + preprocessors/Stream5/snort_stream5_tcp.c, + preprocessors/Stream5/snort_stream5_tcp.h, + preprocessors/Stream5/stream5_common.h: + Reduced the memory usage per TCP session for extra data event + logging. + + * src/dynamic-preprocessors/sip/spp_sip.c: + Changed a description in the SIP exit stats. + + * configure.in, src/snort.c, src/util.c, + src/target-based/sftarget_reader.c: + Where possible, sigaction() is used instead of signal() to + establish signal handlers. + + * src/util.c: + Fixed an error in the calculation of dropped packets. + Thanks to Will Metcalf for identifying the issue. + + * src/preprocessors/: perf-flow.c, perf-flow.h: + Fixed a bug where packets longer than 4500 bytes were not logged + in the perfmon flow stats. + + * src/: active.c, decode.c, decode.h, encode.c, parser.c, + sf_protocols.h, snort.c: + Fix PPPoE support and active responses to ICMP. + Thanks to Eric Lauzon for identifying an issue with PPPoE traffic. 
+ + * etc/gen-msg.map, preproc_rules/preprocessor.rules, + src/generators.h, + src/preprocessors/HttpInspect/client/hi_client.c, + src/preprocessors/HttpInspect/event_output/hi_eo_log.c, + src/preprocessors/HttpInspect/include/hi_client.h, + src/preprocessors/HttpInspect/include/hi_eo_events.h: + Added new preprocessor alerts: + 1) Both true-client-ip and XFF headers exist in single packet + 2) Multiple client-ips with different values in the same session + + * etc/gen-msg.map: + Fixed an error with incorrect SID numbers for some SMTP preprocessor + rules. Thanks to Eric Olsen for identifying the issue. + + * src/: decode.h, detect.c, encode.c, encode.h, plugbase.c, + plugbase.h, snort.c, snort.h, + detection-plugins/detection_options.c, + dynamic-plugins/sf_dynamic_plugins.c, + dynamic-plugins/sf_dynamic_preprocessor.h, + dynamic-plugins/sf_engine/sf_snort_packet.h, + dynamic-preprocessors/dcerpc2/snort_dce2.c, + dynamic-preprocessors/sdf/spp_sdf.c, + output-plugins/spo_alert_fast.c, preprocessors/spp_frag3.c, + preprocessors/spp_rpc_decode.c, preprocessors/spp_sfportscan.c, + preprocessors/stream_api.h, + preprocessors/Stream5/snort_stream5_tcp.c, + preprocessors/Stream5/stream5_common.c: + Refactored packet flags. Added new packet flags for raw in-order + stream segment discrimination. + + * src/preprocessors/snort_httpinspect.c: + Fixed an issue where gzip logging code misinterpreted the data + being passed to it. + + Increased max_method_len to 256. + Thanks to rmkml for identifying the issue. + + * src/: preprocessors/spp_rpc_decode.c, + dynamic-preprocessors/dcerpc2/dce2_roptions.c, + dynamic-preprocessors/dcerpc2/dce2_smb.c: + Fixed compiler warnings. + + * src/sfutil/bnfa_search.c: + Fixed code defined by #ifdef ALLOW_NFA_FULL to compile and run. + Thanks to Brian Hwang for reporting the issue. 
+ + * src/: dynamic-plugins/sf_dynamic_plugins.c, + dynamic-plugins/sf_dynamic_preprocessor.h, + dynamic-plugins/sp_dynamic.h, + dynamic-preprocessors/reputation/reputation_config.c, + dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, + dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h: + The paths to whitelist & blacklist files are now relative to + the location of snort.conf. + + * src/preprocessors/Stream5/snort_stream5_session.c: + Don't prune blocked sessions if pruning for memcap. + + * src/preprocessors/spp_stream5.c: + Fixed session data lookup for meta data messages. + + * etc/: sf_rule_options, sf_rule_validation.conf: + Updated rule validation files with new rule options. + + * configure.in, doc/INSTALL, doc/README.ARUBA, doc/README.database, + doc/README.ipv6, doc/snort_manual.tex, + src/output-plugins/spo_alert_arubaaction.c, + src/output-plugins/spo_alert_prelude.c, + src/output-plugins/spo_database.c: + Added deprecation warnings for database, alert_aruba_action, + and alert_prelude output plugins. These output plugins are + considered deprecated with this release and will be removed + in Snort 2.9.3. + + * src/: plugbase.c, plugbase.h, preprocids.h, profiler.c, sfdaq.c, + sfdaq.h, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c, + dynamic-plugins/sf_dynamic_preprocessor.h, + preprocessors/spp_stream5.c, preprocessors/stream_api.h, + preprocessors/Stream5/snort_stream5_icmp.c, + preprocessors/Stream5/snort_stream5_ip.c, + preprocessors/Stream5/snort_stream5_session.c, + preprocessors/Stream5/snort_stream5_session.h: + Added API and DAQ functions to get flow start and end events + directly from the DAQ when no stream data is available. + + * src/sfdaq.c: + Prevent underflow when calculating outstanding packets. + Thanks to Hussein Bahaidarah for reporting this issue. + + Don't unload daq modules if --disable-dlclose was a configure + option. 
+ + * src/: active.c, dynamic-plugins/sf_dynamic_plugins.c, + dynamic-plugins/sf_dynamic_preprocessor.h: + Snort dynamic API changes to inject response packets. + +2011-10-20 Ryan Jordan +Snort 2.9.1.2 + * configure.in, + rpm/snort.spec, + src/build.h, + src/win32/WIN32-Includes/config.h, + src/win32/WIN32-Prj/snort_installer.nsi: + Incremented version numbers to Snort 2.9.1.2, Build 84. + + * src/preprocessors/snort_httpinspect.c, + src/sfutil/util_utf.c: + Fixed an issue where Snort would sometimes stop processing traffic + in a persistent HTTP 1.1 connection with a UTF-32 encoded response + followed by a UTF-16 encoded response. + +2011-10-05 Ryan Jordan +Snort 2.9.1.1 + * src/decode.c: + Fixed decode.c to allow building with --enable-debug. + + * src/: dynamic-plugins/sf_engine/sf_decompression.c, + dynamic-plugins/sf_engine/sf_decompression.h, + preprocessors/snort_httpinspect.h, + preprocessors/HttpInspect/server/hi_server.c: + Fixed http_inspect decompression and decompression API to decompress + both raw and zlib deflated data. + Support locating utf charset when spaces are present. + + * src/: preprocessors/HttpInspect/server/hi_server_norm.c, + sfutil/util_utf.h: + Added "Byte Order Mark" support for unicode in http_inspect. + + * src/detection-plugins/sp_urilen_check.c: + Fixed potential false positives when using urilen detection option. + + * src/preprocessors/Stream5/stream5_paf.c: + Fixed flushing beyond "paf_max". + Verify paf configuration before enabling. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Free application and protocol state when a session is blocked. + Ensure that seglist_next is NULL after being freed. + + * src/dynamic-preprocessors/smtp/smtp_util.c: + Fixed an issue with SMTP logging while running in inline mode. 
+ + * src/dynamic-preprocessors/reputation/Makefile.am, + src/dynamic-preprocessors/reputation/reputation_config.c, + src/dynamic-preprocessors/reputation/reputation_config.h, + src/dynamic-preprocessors/reputation/spp_reputation.c, + src/dynamic-preprocessors/reputation/spp_reputation.h, + src/Makefile.am, src/idle_processing.c, src/idle_processing.h, + src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h, + src/snort.c, src/snort.h, src/util.c, src/util.h, + src/dynamic-examples/Makefile.am, + src/dynamic-preprocessors/reputation/shmem/shmem_config.c, + src/dynamic-preprocessors/reputation/shmem/shmem_config.h, + src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, + src/dynamic-preprocessors/reputation/shmem/shmem_lib.c, + src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, + src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h, + src/control/Makefile.am, src/control/sfcontrol.c, + src/control/sfcontrol.h, src/control/sfcontrol_funcs.h, + src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c, + src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h, + src/dynamic-preprocessors/reputation/shmem/shmem_common.h, + src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, + src/dynamic-preprocessors/reputation/shmem/shmem_lib.h, + src/sfutil/Makefile.am, src/sfutil/segment_mem.c, + src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c, + src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, + src/sfutil/sfrt_flat_dir.h, + src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am, + tools/control/README.snort_control, tools/control/sfcontrol.c, + src/dynamic-plugins/sf_dynamic_plugins.c, + src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in, + tools/Makefile.am: + - Added support for shared memory between Snort processes. + This is used in the IP Reputation preprocessor to share a single copy + of IP whitelists & blacklists. 
+ - Added a control channel, so that commands may be issued to + a running Snort process by way of a Unix socket. + + * src/preprocessors/HttpInspect/utils/hi_paf.c: + Ensure HTTP 1.1 responses without length indicators (e.g. 304) + are flushed at the end of the headers. + Preprocessor rule 120:8 is fired at end of headers if content-length + and transfer-encoding: chunked are not present, but not for response + codes 1XX, 204, 304. + + * doc/README.reputation, doc/snort_manual.pdf, + doc/snort_manual.tex: + Updated Snort documentation, added documentation for Shared Memory + and the Control Socket. + + * src/: dynamic-preprocessors/reputation/sf_reputation.dsp, + dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, + win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp, + win32/WIN32-Prj/snort.dsw: + Updated Win32 build files. + + +2011-08-23 Ryan Jordan +Snort 2.9.1 + * src/build.h: + Updated build number to 71. + + * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c, + src/decode.h, src/generators.h, src/snort.c, + src/dynamic-plugins/sf_engine/sf_snort_packet.h: + Fixed an issue with decoding large numbers of IPv6 extension headers. + Added rule 116:456 to safeguard against too many IPv6 extension headers. + Thanks to Martin Schütte for reporting the issue. + + * src/detection-plugins/sp_urilen_check.c, + src/detection-plugins/sp_urilen_check.h: + Fixed the urilen rule option to look at reassembled packets. + Added an extra parameter to specify whether to check raw or normalized + uri buffer. Will check raw uri buffer by default. 
+ + * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp, + dynamic-preprocessors/dns/sf_dns.dsp, + dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, + dynamic-preprocessors/imap/sf_imap.dsp, + dynamic-preprocessors/isakmp/sf_isakmp.dsp, + dynamic-preprocessors/pop/sf_pop.dsp, + dynamic-preprocessors/reputation/sf_reputation.dsp, + dynamic-preprocessors/sdf/sf_sdf.dsp, + dynamic-preprocessors/sip/sf_sip.dsp, + dynamic-preprocessors/smtp/sf_smtp.dsp, + dynamic-preprocessors/ssh/sf_ssh.dsp, + dynamic-preprocessors/ssl/sf_ssl.dsp, + win32/WIN32-Prj/sf_engine.dsp: + Fixed a bug where the sensitive_data preprocessor gave an error while + loading sensitive data rules. + + * doc/README.http_inspect, etc/gen-msg.map, + preproc_rules/preprocessor.rules, src/generators.h, + src/preprocessors/snort_httpinspect.c, + src/preprocessors/HttpInspect/event_output/hi_eo_log.c, + src/preprocessors/HttpInspect/include/hi_eo_events.h, + src/preprocessors/HttpInspect/utils/hi_paf.c: + Added two HTTP Inspect preprocessor rules: + 119:28 - post w/o content-length or transfer-encoding: chunked + 120:8 - message with invalid content-length or chunk size + + * src/preprocessors/spp_httpinspect.c: + Fixed a bug where Snort wouldn't reload, giving the error that + "Changing decompress_depth requries a restart". + + * etc/gen-msg.map: + Commented out four rules from gen-msg.map, 133:44 through 133:47, + because they were not yet implemented. + + * preproc_rules/preprocessor.rules: + Added a CVE reference for Rule 119:19. + Added a reference to SMTP preprocessor rule 124:4. + Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor + alert that was missing the corresponding rule. + + * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: + PAF tweak for single-segment full PDUs matching only-stream + + * src/snort.c: + Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD. + Set default paf_max to 16K. 
+ + * doc/: README.reputation, snort_manual.pdf, snort_manual.tex: + Added a use case in the IP Reputation preprocessor documentation. + + * src/: dynamic-preprocessors/reputation/reputation_config.c, + dynamic-preprocessors/reputation/sf_reputation.dsp, + win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi: + Fixed the IP Reputation preprocessor so that it would build on Windows. + + * src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h, + server/hi-server.c, utils/hi_paf.c: + Support up to full 32-bit content-lengths + + * src/preprocessors/Stream5/stream5_paf.c: + Fixed compilation with the options "--disable-target-based --enable-paf". + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fixed an error in IDS mode when segments overlap and the sequence + number wraps. + + * tools/u2spewfoo/Makefile.am: + Added the u2spewfoo Windows project file to the Snort source tarball. + +2011-07-19 Ryan Jordan +Snort 2.9.1 RC + * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, + preproc_rules/preprocessor.rules, + src/dynamic-preprocessors/sip/sip_parser.c, + src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map: + Added three new SIP preprocessor alerts. + + * src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c, + stream5_paf.h: + Allow multiple preprocs to scan for PDUs on the same port. + This fixes a problem with DCE autodetect using the same + ports as HTTP. + + * src/build.h: + Updated build number to 63. + + * src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c, + detection-plugins/sp_tcp_win_check.c, + dynamic-plugins/sf_engine/sf_snort_plugin_content.c, + dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, + preprocessors/spp_normalize.c: + Fixed some compiler warnings. 
+ + * src/: detection-plugins/detection_options.c, + detection-plugins/sp_flowbits.h, + dynamic-plugins/sf_engine/sf_snort_detection_engine.c, + dynamic-plugins/sf_engine/examples/Makefile.am, + dynamic-plugins/sf_engine/examples/flowbits_test.c, + dynamic-plugins/sf_engine/examples/rules.c, + dynamic-plugins/sf_engine/examples/web-client_test.c: + Only set/clear/toggle/unset a flowbit when all of the rule + matches, including the IPs and Ports. Thanks to Eoin Miller + for reporting the issue. + + * src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am, + dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am, + pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am, + sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am, + ssh/Makefile.am, ssl/Makefile.am: + Fixed dynamic preprocesor Makefiles so that they can be built + in parallel. + + * doc/README.http_inspect, doc/snort_manual.pdf, + doc/snort_manual.tex, etc/gen-msg.map, + preproc_rules/preprocessor.rules, src/generators.h, + src/preprocessors/snort_httpinspect.c, + src/preprocessors/snort_httpinspect.h, + src/preprocessors/HttpInspect/client/hi_client.c, + src/preprocessors/HttpInspect/event_output/hi_eo_log.c, + src/preprocessors/HttpInspect/include/hi_eo_events.h, + src/preprocessors/HttpInspect/include/hi_ui_config.h, + src/preprocessors/HttpInspect/include/hi_util.h, + src/preprocessors/HttpInspect/user_interface/hi_ui_config.c, + src/sfutil/util_unfold.c: + Added a new HTTP Inspect preprocessor rule, GID 119 SID 26. + This rule checks for 200+ whitespaces in a folded header line + from an HTTP request. A new config option was added to configure + the allowable amount whitespace. + + Added a new configuration option to http_inspect server configuration: + "small_chunk_length { }", with + preprocessor rules for both client and server. Consecutive chunk lengths + less than or equal to will cause an event to be generated. + + See README.http_inspect for more information. 
+ + * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp, + dynamic-preprocessors/dns/sf_dns.dsp, + dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, + dynamic-preprocessors/imap/sf_imap.dsp, + dynamic-preprocessors/isakmp/sf_isakmp.dsp, + dynamic-preprocessors/sdf/sf_sdf.dsp, + dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, + dynamic-preprocessors/sip/sf_sip.dsp, + dynamic-preprocessors/smtp/sf_smtp.dsp, + dynamic-preprocessors/ssh/sf_ssh.dsp, + dynamic-preprocessors/ssl/sf_ssl.dsp, + win32/WIN32-Prj/sf_engine.dsp, + win32/WIN32-Prj/sf_engine_initialize.dsp, + win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp: + Fixed the Win32 build to (1) not use .pch, and (2) correct sed + patterns on ipv6_port.h. + + * src/output-plugins/spo_alert_sf_socket.c: + Fixed a problem where Snort's generic IP address structure was + being sent by the socket output plugin. + The output plugin now only generates events for IPv4 packets, + and is guaranteed to use uint32_t IPv4 addresses for interoperability. + + * src/sfutil/: sfrt.c, sfrt.h: + Optimized some memory usage. + + * configure.in: + Add check for pkg-config and provide instructions to get it if + pkg-config is not installed. + + * src/preprocessors/Stream5/: snort_stream5_tcp.c, + stream5_common.h: + Show single segment PAF packets and only short-circuit at + correct sequence. + When aborting PAF, flush at paf_max. + Tweaked retransmission check to use actual sequence numbers + instead of the adjusted sequence numbers. + Changed the pseudo-random flush point after each flush. + + * src/snort.c: + Fixed a compilation error when active response is disabled. + + * src/snort.h: + Fixed a bug where Snort wouldn't daemonize on OpenBSD if the + process was running as root. Thanks to Olaf Schreck for reporting + this issue. 
+ + * src/preprocessors/: perf-base.c, perf-base.h, perf-event.c, + perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h, + spp_perfmonitor.c: + Split out Perfmon submodule Init and Reset, so that everything is + initialized when the Perfmonitor preprocessor is initialized. + Previously, some data was initialized on the first packet. + + * src/detection-plugins/sp_tcp_flag_check.c: + Fixed a couple spots where the "1" and "2" + flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for + reporting the issue and supplying a patch. + + * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, + src/dynamic-preprocessors/sip/sip_parser.c, + src/dynamic-preprocessors/sip/spp_sip.h, + preproc_rules/preprocessor.rules, etc/gen-msg.map: + Added a new SIP preprocessor alert for missing content type headers. + Fixed an issue where the SIP preprocessor checked for Stream5 even if + the SIP preprocessor was disabled. + + * etc/unicode.map: + Updated unicode.map to match the unicode standard on Windows 7 SP1. + + * etc/snort.conf: + Sync'ed to VRT's latest snort.conf. + + * src/: decode.c, detect.c: + Tweaked the preprocessing loop to bypass app preprocs if no + app data. 
+ + * src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c, + src/dynamic-preprocessors/reputation/Makefile.am, + src/dynamic-preprocessors/reputation/reputation_config.h, + src/dynamic-preprocessors/reputation/reputation_utils.c, + src/dynamic-preprocessors/reputation/sf_reputation.dsp, + src/dynamic-preprocessors/reputation/spp_reputation.c, + src/dynamic-preprocessors/reputation/spp_reputation.h, + src/dynamic-preprocessors/reputation/reputation_config.c, + src/dynamic-preprocessors/reputation/reputation_debug.h, + src/dynamic-preprocessors/reputation/reputation_utils.h, + doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf, + doc/snort_manual.tex, preproc_rules/preprocessor.rules, + src/dynamic-preprocessors/Makefile.am, configure.in, + src/preprocids.h, etc/gen-msg.map: + Added the IP Reputation preprocessor. This preprocessor provides + the ability to whitelist and blacklist packets based on IP addresses. + See README.reputation for more information. + + * src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c, + dynamic-preprocessors/dcerpc2/Makefile.am, + dynamic-preprocessors/dcerpc2/dce2_config.c, + dynamic-preprocessors/dcerpc2/dce2_debug.h, + dynamic-preprocessors/dcerpc2/dce2_paf.c, + dynamic-preprocessors/dcerpc2/dce2_paf.h, + dynamic-preprocessors/dcerpc2/sf_dce2.dsp, + dynamic-preprocessors/dcerpc2/snort_dce2.c: + Added protocol-aware flushing support for the dcerpc2 preprocessor. + + * src/dynamic-plugins/sf_convert_dynamic.c: + Added the ability to convert shared object rules that use the + preprocessor rule option. + + * src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c, + HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c, + Stream5/snort_stream5_tcp.c: + Don't enable paf unless stream ports configured + for the given direction; add "(PAF)" to http inspect ports output + to indicate when enabled; and only register port for given + direction if corresponding flow depth is set. 
+ + Support full 32-bit content-lengths and chunk sizes, and flush/abort + when exceeded. + + * doc/README.SMTP, doc/snort_manual.tex, + src/dynamic-preprocessors/smtp/smtp_config.h, + src/dynamic-preprocessors/smtp/smtp_util.c, + src/dynamic-preprocessors/smtp/snort_smtp.c, + src/dynamic-preprocessors/smtp/snort_smtp.h, + src/dynamic-preprocessors/smtp/spp_smtp.c: + Fixed performance issue: allocate the buffers used + for filename, mailfrom and rcptto logging using mempool + ('memcap' used to allocate the mempool). + Added a fatal error when b64_decode_depth is used with + enable_mime_decoding. + + * src/dynamic-plugins/sf_engine/examples: all rule files: + Fixed compiler warnings. + +2011-06-13 Ryan Jordan +Snort 2.9.1 Beta + * configure.in: + Updates to configure.in. + - Fix zlib checks to use correctly named variable for checking zlib + header and library existence. + - Enable IPv6 by default in builds. Can use --disable-ipv6 to turn it off. + using --enable-zlib, configure should fail. snort -V should show + IPv6 by default and VRT config should load without modification. + - Added a new option, "--enable-large-pcap", which allows Snort to read + pcap files that are larger than 2 GB. + - Changed the default ./configure options to match the requirements + for the bundled snort.conf + * doc/: INSTALL, README.imap, README.pop, + README.SMTP, README.stream5, README.sip, README.tag, + README.http_inspect, README.counts, README.normalize, + snort_manual.pdf, snort_manual.tex: + Updated documentation for Snort 2.9.1: + - Added documentation for new SIP, POP and IMAP preprocessors + - Updated README.stream5 with documentation for + Protocol Aware Flushing (PAF) + - Updated README.http_inspect with memcap information, + clarified "http_cookie" information, and documentation for + "log_uri" and "log_hostname". 
+ - Fixed a typo in README.counts + - Updated "byte_extract" section to reflect syntax changes + - Improved the explanation of "max_queued_events" + - Added documentation for the ESP decoder, which is now configurable + - Improved the explanation of "rawbytes" + - Fixed an incorrect example in README.tag. + * etc/snort.conf: + Synced snort.conf with VRT's latest version. + + Added configurations for new preprocessors. + * preproc_rules/: decoder.rules, preprocessor.rules + Added new preprocessor rules for SIP, SMTP, POP, and IMAP. + + Added decoder rules 116:453, 116:454, and 116:455. These rules + were formerly covered by VRT rules. + * src/build.h: Updated build number to 46 + * src/decode.c: + TCP and UDP decoder rules that require a fully-decoded packet will + only fire if the checksum is correct and the port number is not ignored. + + ESP decoding is now configurable, and off by default. + + The "config enable_decode_oversized_alerts" option now applies to + packets where the UDP header claims there is more data than actually exists. + The Teredo decoder now only processes packets in the Teredo prefix + (2001:0000::/32) or the link-local prefix (fe80::/16). + * src/detection-plugins/sp_cvs.c: + Fixed a false positive in the CVS detection plugin. + * doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c: + Made some changes to the byte_extract syntax: + - Writing "string" without a number type defaults to decimal. + - The "string" and "hex/dec/oct" options are now independent of each + other, like in byte_test and byte_jump. + You can write "string,dec", "hex,string", "string,relative,oct", etc. + - Specifying one of "hex", "dec", and "oct" without using "string" + results in an error. + - byte_extract options can no longer be delimited by spaces. + This does not affect "align " or "multiplier ". 
+ * src/: parser.c, util.c, util.h, + detection-plugins/sp_base64_decode.c, + dynamic-plugins/sf_dynamic_plugins.c, + dynamic-plugins/sf_dynamic_preprocessor.h, + dynamic-plugins/sp_dynamic.c, + dynamic-preprocessors/smtp/smtp_util.c, + preprocessors/HttpInspect/client/hi_client.c, + preprocessors/HttpInspect/server/hi_server.c, + sfutil/sf_base64decode.c, sfutil/sf_base64decode.h: + Changes include the following: + - Attempt dechunkind only when transfer-encoding: chunked is present. + - Override the content length with transfer encoding + - SnortStrcasestr uses slen now. + - unfolding : trim spaces when required. + * src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c, + preprocessors/Stream5/snort_stream5_tcp.c, + preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c, + sfutil/sf_ipvar.h, sfutil/sf_vartable.c: + Update Frag3/Stream5 to print bound addresses, better descriptsions of detect + anomalies and port lists. + - Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds + - Updated Frag3 to print meaningful detect anomalies configuration + - Updated Stream5 to print that there are more ports than those printed. + * src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c, + sf_decompression.h, sf_snort_detection_engine.c, + sf_snort_plugin_api.h: + Added a Decompression API that wraps Zlib for use with dynamic + plugins. See sf_decompression.h for more details. + * src/: fpcreate.c, fpdetect.c, treenodes.h: + Update pattern matcher and sort functions to + correctly sort by priority as well as implement sorting by + content_length (which was never done with 2.8.2 addition of rule + option tree). + + Added a warning when max-pattern-len is defined twice. + + Packets will no longer be tagged or logged if they are filtered or passed. + * src/preprocessors/Stream5: + Ensured that reassembly doesn't require packet dropping in IPS mode. 
+ The message "additional ports configured but not printed" is only printed + when that is actually the case. + * src/snort.c: + fix output of filename / shutdown alerts sequence when iterating over multiple + pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or + -A console:test). + + Fixed an issue with reloading Snort while the default output options + were used. + + When reading several pcap files with --pcap-dir, Snort will move on + to the next file if one fails to load. + * src/output-plugins/spo_alert_full.c: + Update alert_full to print rule references, regardless of whether + there is TCP/UDP/etc. + * src/output-plugins/spo_log_tcpdump.c: + convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0 + fix 'mixed decls and code' compiler warning + * src/: decode.h, detect.c, detection_util.c, detection_util.h, + fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c, + rule_option_types.h, detection-plugins/Makefile.am, + detection-plugins/detection_options.c, + detection-plugins/sp_base64_data.c, + detection-plugins/sp_byte_check.c, + detection-plugins/sp_byte_extract.c, + detection-plugins/sp_byte_jump.c, + detection-plugins/sp_file_data.c, + detection-plugins/sp_ftpbounce.c, + detection-plugins/sp_isdataat.c, + detection-plugins/sp_pattern_match.c, + detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c, + detection-plugins/sp_pkt_data.h, + dynamic-plugins/sf_convert_dynamic.c, + dynamic-plugins/sf_dynamic_common.h, + dynamic-plugins/sf_dynamic_define.h, + dynamic-plugins/sf_dynamic_engine.h, + dynamic-plugins/sf_dynamic_plugins.c, + dynamic-plugins/sf_dynamic_preprocessor.h, + dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h, + dynamic-plugins/sf_engine/sf_snort_detection_engine.c, + dynamic-plugins/sf_engine/sf_snort_packet.h, + dynamic-plugins/sf_engine/sf_snort_plugin_api.c, + dynamic-plugins/sf_engine/sf_snort_plugin_content.c, + dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, + 
dynamic-plugins/sf_engine/examples/detection_lib_meta.h, + dynamic-preprocessors/ftptelnet/pp_ftp.c, + dynamic-preprocessors/ftptelnet/pp_telnet.c, + dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, + dynamic-preprocessors/smtp/smtp_util.c, + dynamic-preprocessors/smtp/snort_smtp.c, + dynamic-preprocessors/smtp/snort_smtp.h, + preprocessors/snort_httpinspect.c, + preprocessors/snort_httpinspect.h, + preprocessors/spp_rpc_decode.c, + preprocessors/HttpInspect/server/hi_server.c, + preprocessors/HttpInspect/server/hi_server_norm.c, + preprocessors/Stream5/snort_stream5_tcp.c: + The "file_data" and "base64_data" rule options now set the buffer + for any rule options that follow them. This applies to both relative + and non-relative rule options. + + The detection code now uses 3 separate buffers: + - "Alt Detect": set by file_data, base64_data, etc. + - "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect + - Raw packet data + + The AltDetect buffer can also be set by custom .so rules. + * src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c, + src/sfutil/Unified2_common.h: + IPv6 source and destination addresses are now logged in Unified2 + as extra data events. This is configured with "config log_ipv6_extra_data". 
+ * src/dynamic-preprocessors/sip/Makefile.am, + src/dynamic-preprocessors/sip/sf_sip.dsp, + src/dynamic-preprocessors/sip/sip_config.c, + src/dynamic-preprocessors/sip/sip_config.h, + src/dynamic-preprocessors/sip/sip_debug.h, + src/dynamic-preprocessors/sip/sip_dialog.c, + src/dynamic-preprocessors/sip/sip_dialog.h, + src/dynamic-preprocessors/sip/sip_parser.c, + src/dynamic-preprocessors/sip/sip_parser.h, + src/dynamic-preprocessors/sip/sip_roptions.c, + src/dynamic-preprocessors/sip/spp_sip.c, + src/dynamic-preprocessors/sip/spp_sip.h, + src/dynamic-preprocessors/sip/sip_roptions.h, + src/dynamic-preprocessors/sip/sip_utils.c, + src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip, + etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am, + src/dynamic-preprocessors/sip/test/sip_test.c, configure.in, + src/dynamic-preprocessors/Makefile.am: + Added a new preprocessor for SIP traffic. + See README.sip and the Snort Manual for more information. + * src/: dynamic-preprocessors/dcerpc2/dce2_utils.c, + dynamic-preprocessors/dcerpc2/spp_dce2.c, + preprocessors/spp_frag3.c: + Make Frag3 OpenBSD Vuln alert only happen if the frag policy is + 'linux' (which includes OpenBSD). The 'bsd' policy is NOT used + for OpenBSD, which is the only OS on which the vulnerability was + present. + + This reduces false positives to only occur when frag3 policy is + linux and its an actual linux system, rather than the alert + occuring regardless of frag policy. 
+ * src/: detection-plugins/Makefile.am, + detection-plugins/sp_byte_extract.c, + detection-plugins/sp_byte_extract.h, + dynamic-plugins/sf_convert_dynamic.c, + dynamic-plugins/sf_engine/Makefile.am, + dynamic-plugins/sf_engine/sf_snort_detection_engine.c, + dynamic-plugins/sf_engine/sf_snort_detection_engine.h, + dynamic-plugins/sf_engine/sf_snort_plugin_api.c, + dynamic-plugins/sf_engine/sf_snort_plugin_api.h, + dynamic-plugins/sf_engine/sf_snort_plugin_byte.c, + dynamic-plugins/sf_engine/sf_snort_plugin_content.c, + dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c, + dynamic-plugins/sf_engine/sf_snort_plugin_loop.c, + dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, + Added support for ByteExtract variables to the .so rule versions of + Content, ByteTest, ByteJump, and isdataat. + * src/: encode.c, preprocessors/spp_normalize.c, + preprocessors/Stream5/snort_stream5_tcp.c, + preprocessors/Stream5/stream5_common.c: + Fixed the TTL on encoded response packets. + * src/: fpcreate.c, fpdetect.c, + detection-plugins/sp_pattern_match.c, + detection-plugins/sp_pattern_match.h, + dynamic-plugins/sf_dynamic_define.h, + dynamic-plugins/sf_engine/sf_snort_detection_engine.c, + dynamic-plugins/sf_engine/sf_snort_plugin_api.h: + Update to not inspect HTTP method buffer with Snort's fast pattern engine. + Rules with only HTTP method content end up as non-content rules. + This eliminates a short cycle of searches with fast pattern on every + initial HTTP request. + * src/dynamic-preprocessors/pop/: all files + Added a new preprocessor for POP traffic. + See README.pop for more information. + * src/dynamic-preprocessors/imap/: all files + Added a new preprocessor for IMAP traffic. + See README.imap for more information. + * src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h: + Base64 decoding was moved to its own section in sfutil, for use + by the new email preprocessors. + + Added support for uuencoded email attachments. 
+ * src/dynamic-preprocessors/sdf/spp_sdf.c: + The Sensitive Data preprocessor now inspects the "file_data" buffer, used + for HTTP response bodies & decoded email attachments. + * src/: snort.c, preprocessors/spp_stream5.c, + preprocessors/stream_api.h: + Update Snort to return a DAQ verdict of whitelist (meaning don't + send Snort any more packets) for sessions that are being ignored + in both directions or ports that are configured to ignore. For + DAQ modules and hardware that supports it, this should result in + a performance gain because Snort no longer has to decode packets + that are part of that connection. + * src/util.c: + Added an error message when opening a pid file fails. + * src/preprocessors/HttpInspect/: client/hi_client.c, + server/hi_server.c: + The Set-Cookie: and Cookie: headers wont be included in the cookie buffers. + * configure.in, src/active.c, src/active.h, src/decode.h, + src/encode.c, src/encode.h, src/log_text.c, src/log_text.h, + src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c, + src/sfdaq.h, src/snort.h, src/snort_debug.h, + src/detection-plugins/sp_react.c, + src/detection-plugins/sp_respond3.c, + src/dynamic-plugins/sf_dynamic_define.h, + src/dynamic-plugins/sf_engine/sf_snort_packet.h, + src/preprocessors/snort_httpinspect.c, + src/preprocessors/spp_httpinspect.c, + src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, + src/preprocessors/HttpInspect/Makefile.am, + src/preprocessors/HttpInspect/include/Makefile.am, + src/preprocessors/HttpInspect/include/hi_paf.h, + src/preprocessors/HttpInspect/mode_inspection/hi_mi.c, + src/preprocessors/HttpInspect/server/hi_server.c, + src/preprocessors/HttpInspect/utils/Makefile.am, + src/preprocessors/HttpInspect/utils/hi_paf.c, + src/preprocessors/Stream5/Makefile.am, + src/preprocessors/Stream5/snort_stream5_icmp.c, + src/preprocessors/Stream5/snort_stream5_session.c, + src/preprocessors/Stream5/snort_stream5_tcp.c, + src/preprocessors/Stream5/snort_stream5_tcp.h, + 
src/preprocessors/Stream5/snort_stream5_udp.c, + src/preprocessors/Stream5/stream5_common.c, + src/preprocessors/Stream5/stream5_common.h, + src/preprocessors/Stream5/stream5_paf.c, + src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h: + Added support in Stream5 for Protocol Aware Flushing (PAF). + PAF allows Snort to statefully scan a stream and reassemble a complete + PDU regardless of segmentation. + + Added PAF support to HTTP Inspect, allowing the preprocessor to determine + when HTTP sessions are flushed by Stream5. + + See README.stream5 for more details. + * src/preprocessors/: stream_ignore.h, stream_ignore.c, + Stream5/snort_stream5_udp.c: + added support for ignoring UDP channels. Light weight session + will be created to track UDP channel, even ports are not + monitored. + * src/win32/: most files + Updated Snort and its libraries to build/link against MFC. + +2011-03-23 Steven Sturges + * src/build.h: + Increment Snort build number to 134 + * src/: decode.h, encode.c: + * src/dynamic-plugins/sf_engine/: sf_snort_packet.h: + * src/preprocessors/: spp_sfportscan.c, spp_frag3.c: + * src/output-plugins/: spo_alert_fast.c: + * src/preprocessors/Stream5/: stream5_common.c: + Updated portscan to set protocol correctly in raw packet for + IPv6 and changed the encoder to recognize portscan packets as pseudo + packets so that the checksum isn't calculated + * src/: sfdaq.c, util.c: + Improve handling of DAQ failure codes when Snort is shutting down. + * src/preprocessors/spp_perfmonitor.c: + Update perfmonitor to create now files prior to dropping privs + +2011-03-16 Ryan Jordan +Snort 2.9.0.5 + * src/build.h: + Increment Snort build number to 132 + * src/snort.c: + * src/preprocessors/: normalize.c, perf-base.c, perf-base.h, + Stream5/snort_stream5_tcp.c: + TCP timestamp options are only NOPed by the Normalization preprocessor + if Stream5 has seen a full 3-way handshake, and timestamps weren't + negotiated. 
+ + The IPS mode reassembly policy has been refactored to do stream + normalization within the first policy. + + Packets injected by the normalization preprocessor are now counted + in the packet statistics. + * doc/snort_manual.tex: + * src/: parser.c, parser.h: + * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c: + Added a "config vlan_agnostic" setting that globally disables Stream's + use of vlan tag in session tracking. + * src/: snort.c, preprocessors/normalize.c, + preprocessors/spp_normalize.c, preprocessors/spp_normalize.h, + preprocessors/perf-base.c, preprocessors/perf-base.h: + * doc/: README.normalize, snort_manual.pdf, snort_manual.tex: + Fixed the normalization preprocessor to call its post-initialization + config functions during a policy reload. + + Packets can no longer be trimmed below the minimum ethernet frame + length. Trimming is now configurable with the "normalize_ip4: trim;" + option. TOS clearing is now configurable with "normalize_ip4: tos;". + + The "normalize_ip4: trim" option is automatically disabled if the + DAQ can't inject packets. If the DAQ tries and fails to inject + a given packet, the wire packet is not blocked. + + Updated documentation regarding these changes. + * src/detection-plugins/sp_cvs.c: + Fixed a false positive in the CVS detection plugin. It was incorrectly + parsing CVS entries that had a '+' in between the 3rd and 4th slashes. + * src/preprocessors/HttpInspect/: client/hi_client.c, + server/hi_server.c: + Changed a pointer comparison to a size check for code readability. + Belated thanks to Dwane Atkins and Parker Crook for reporting a + related issue that was fixed in Snort 2.9.0.4 build 111. + + Moved the zlib initialization such that gzipped responses are still + inspected if the zipped data starts after the first Stream-reassembled + packet is inspected. + * src/decode.c: + Fixed an issue with decoding too many IP layers in a single packet. 
The + Teredo proto bit was not unset after hitting the limit on IP layers. + Thanks to Dwane Atkins for reporting this issue. + + IPv6 fragmented packets are no longer inspected unless they have an + offset of zero and the next layer is UDP. This behavior is consistent + with IPv4 decoding. + Thanks to Martin Schütte for reporting an issue where fragged ICMPv6 + packets were being inspected. + + The decoder no longer attempts to decode Teredo packets inside of + IPv4 fragments, instead waiting for the reassembled packet. + * src/encode.c: + Fixed a problem where encoded packets had their lengths calculated + incorrectly. This caused the active response feature to generate + incorrect RST packets if the original packet had a VLAN tag. + * preproc_rules/preprocessor.rules: + Updated references to rule 125:1:1 + * src/preprocessors/spp_perfmonitor.c: + Perfmonitor files are now created after Snort changes uid/gid. + * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: + Fixed the size formatting of an error message argument when + compiling with --enable-rzb-saac. + Thanks to Cleber S. Brandão for reporting this issue. + * etc/snort.conf: + Updated the default snort.conf with max compress and decompress + depths to enable unlimited decompression of gzipped HTTP responses. + * snort.8: + Fixed the man page's URL regarding the location of Snort rules. + Thanks to Michael Scheidell for reporting an out-of-date man page section. + * doc/README.http_inspect, doc/snort_manual.tex, + src/preprocessors/snort_httpinspect.c: + HTTP Inspect's "unlimited_decompress" option now requires that + "compress_depth" and "decompress_depth" are set to their max values. + * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h, + dynamic-plugins/sf_dynamic_engine.h, + preprocessors/Stream5/snort_stream5_tcp.c: + Fixed an error that prevented compiling with --disable-dynamicplugin. + Thanks to Jason Wallace for reporting this issue. 
+ * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c, + snort_ftptelnet.h, spp_ftptelnet.c: + Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside + the ftp_telnet preprocessor to avoid a naming conflict with similar + functions in HTTP Inspect. + Thanks to Bruce Corwin for reporting this issue. + * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c, + perf-flow.h: + Fixed comparisons between signed and unsigned int, which lead to + a faulty length check. + Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this + issue. + +2011-02-28 Ryan Jordan +Snort 2.9.0.4 + * src/build.h: + Increment Snort build number to 111. + * src/preprocessors/HttpInspect/client/hi_client.c: + src/preprocessors/HttpInspect/server/hi_server.c: + Fixed a bug in the way partial HTTP headers are handled. + +2011-02-10 Ryan Jordan +Snort 2.9.0.4 + * src/build.h: Increment Snort build number to 110 + * snort.8, src/snort.c: + Updated Snort man page to match the output of "snort --help". + Removed "-o" from the list of valid options, since it was removed + a while ago. + The verdict from defragged packets are no longer cleared, so that + they can be applied to the raw packet. + Thanks to Markus Lude for submitting a patch that fixed errors in the + man page. + * src/fpcreate.c: + Deletec the call to fpDeletePortGroup() prior to calling FatalError(). + * src/parser.c: + Fixed portvar parsing code to correctly dislpay names of undefined + portvars. + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fixed a FIN sequence number handling issue, where RST after FIN caused a + false positive on Stream5 preprocessor rule 129:15. + Thanks to Jason Wallace for pointing out the issue. + * doc/: INSTALL, README.frag3, README.http_inspect, README.stream5, + snort_manual.tex, snort_manual.pdf: + Added documentation for the option "small-segments". + Updated team members. + Clarified some undocumented "flow" options. 
+ Minor edits to punctuation on "ssl_version" examples. + Re-worded uricontent's description. + Added missing semicolons to rule option examples. + Updated "enable_cookie" documentation. + Added documentation for "iis_encode" in http_encode keywords. + Improved the description of the "disable" keyword. + Added "--enable-sourcefire" description. + Thanks to Joshua Kinard for sending in several patches to the manual. + * doc/: Makefile.am, README.rzb_saac: + Added SaaC readme. + * configure.in, doc/Makefile.am, doc/README.rzb_saac, src/snort.c, + src/util.c, src/util.h, + src/dynamic-plugins/sf_engine/examples/Makefile.am, + src/dynamic-preprocessors/Makefile.am, + src/dynamic-preprocessors/dns/spp_dns.c, + src/dynamic-preprocessors/rzb_saac/Makefile.am, + src/dynamic-preprocessors/rzb_saac/rzb_debug.c, + src/dynamic-preprocessors/rzb_saac/rzb_debug.h, + src/dynamic-preprocessors/rzb_saac/rzb_http-client.c, + src/dynamic-preprocessors/rzb_saac/rzb_http-client.h, + src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h, + src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c, + src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h, + src/dynamic-preprocessors/rzb_saac/rzb_http-server.c, + src/dynamic-preprocessors/rzb_saac/rzb_http-server.h, + src/dynamic-preprocessors/rzb_saac/rzb_http.h, + src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c, + src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h, + src/dynamic-preprocessors/rzb_saac/sf_preproc_info.h, + src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c: + Added Razorback SaaC to the dynamic-preprocessors. + Use --enable-rzb-saac to build it. Moved the initgroups call to a + separate function and call it from the main thread. + * src/detection-plugins/sp_clientserver.c: + Fixed an erroneous error check so that "no_frag" and "no_stream" can be + used in the same "flow" rule option. 
+ * src/detection-plugins/sp_pattern_match.c: + Rules that use a "depth" value lower than the length of their content + now cause an error. Depth should be >= the content length. + * src/detection-plugins/sp_tcp_flag_check.c: + Changed the reserved bits flags "1, 2" to "C, E". The old values can still + be used for backwards compatability. + * preproc_rules/preprocessor.rules: + Added references to FTP and SMTP preprocessor rules. + * src/dynamic-plugins/sf_engine/examples/: detection_lib_meta.h: + Removed extraneous ifdef + * src/: preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c, + dynamic-preprocessors/dcerpc2/dce2_config.c: + Added startup log message to show that the preprocessors are + inactive when added to snort.conf as "disabled". + Updated frag3 startup log to indicate the memcap frmo which prealloc + fragments were generated. + * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c: + Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle 32bit + sparc platforms where 64bit pointer comparisons can cause bus + errors. Thanks to Stephan for reporting this issue. + * src/: preprocessors/portscan.c, win32/WIN32-Includes/config.h: + Portscan preprocessor's hash table is now allocated based on + the memcap, instead of being the same size. + * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_utils.c, dce2_smb.c: + Fixed a bug that caused dcerpc2 to reassemble some segments incorrectly. + If extra bytes at the end of a request corrupt the next request, they + will be discarded. + * src/dynamic-preprocessors/ssl/spp_ssl.c: + Updated the SSL preproc to count the packets it processes, + instead of counting all packets to enter the intiial function. + * doc/: faq.tex, faq.pdf: + Updated FAQ based on snort.org reorganization. + * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex: + Updated cookie documentation. + Cookie buffer includes "Cookie" header name for HTTP requests and + "Set-Cookie" for HTTP responses. 
When enable_cookie is disabled, + cookie buffer points to the HTTP header + * src/preprocessors/snort_httpinspect.c: + Fixed the error message during parsing of HTTP inspect + server config. Make it a warning. + * src/: detection_util.h, preprocessors/snort_httpinspect.c, + preprocessors/spp_httpinspect.c, + preprocessors/HttpInspect/client/hi_client.c, + preprocessors/HttpInspect/include/hi_client.h, + preprocessors/HttpInspect/include/hi_norm.h, + preprocessors/HttpInspect/include/hi_ui_config.h, + preprocessors/HttpInspect/normalization/hi_norm.c, + preprocessors/HttpInspect/server/hi_server.c: + Fixed a false positive due to a large chunk length followed + by a small packet. + Moved the lookup table such that they are initialized only once. + When de-chunking returns error, the data is now inspected as a + normal body. + Moved the Initialize function out of hi_ui_config.h. + CRLFs are no longer placed in the status message buffer. + * many files: + Updated all Sourcefire copyright notices to the year 2011. + +2010-12-20 Ryan Jordan +Snort 2.9.0.3 + * src/build.h: + Increment Snort build number to 98 + * doc/: snort_manual.tex, snort_manual.pdf: + Fixed Snort manual descriptions of some rule options. + Changed whitespace in several areas to be more consistent. + Max mime mem example changed from 1000 to 4000. + Updated manual for distance / within / offset / depth combos. + Thanks to Joshua Kinard for submitting several fixes. + * doc/INSTALL: + Update doc/INSTALL with instructions for building on OpenBSD. + * src/dynamic-preprocessors/smtp/smtp_config.c: + Print alert_unknown_commands in SMTP config of snort output. + Print the SMTP MIME config details with snort output. + * src/: decode.c, decode.h, snort.c: + discriminate between ip4 and ip6 raw packets + Thanks to Gerald Maziarski for reporting this issue. + * src/detection-plugins/: detection_options.c, sp_byte_jump.c, + sp_pattern_match.c: + restore doe flags along with doe pointer. 
+ * preproc_rules/preprocessor.rules: + Updated preprocessor.rules references to match VRT. + * src/dynamic-preprocessors/smtp/spp_smtp.c: + When the SMTP preprocessor is started in a + "disabled" state, it no longer requires Stream5. + * src/decode.c: + Truncated ESP traffic is now handled correctly. + Thanks to rmkml for bringing the issue to our attention. + * src/: decode.c, fpdetect.c: + Fixed a problem with handling UDP/IPv6 over Teredo where the inner UDP + header was malformed. + * preproc_rules/preprocessor.rules: + Added a reference to preprocessor.rules. + * src/dynamic-preprocessors/smtp/spp_smtp.c: + When the SMTP preprocessor is started in a + "disabled" state, it no longer requires Stream5. + * src/detection-plugins/: detection_options.c, sp_pattern_match.c: + Update content to check for HTTP_RESP_BODY in packet flag + if option is relative and not using rawbytes. + * etc/snort.conf: + Update with snort.conf from VRT + * src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h: + Bumped minor version number in example detection lib. + * src/preprocessors/spp_frag3.c: + Fix memory leak when there are two zero offset + fragments with different IP options. Previous code was blindly + copying new IP options over top of existing ones. + * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c, + sf_snort_plugin_api.h: + Fixed overlaps in various flags in the Shared Object rule API. + Shared Object rules from previous 2.9.0 versions need to be recompiled. + * src/detection-plugins/sp_pattern_match.c: + Moved non-zero initializations in the PatternMatchData struct + to the NewNode() function. This fixes the use of depth, offset, + distance, and within on uricontent options. + Reject invalid combinations of distance/within and offset/depth + including repeated keywords. + Thanks to Dave Bertouille and Daniel Clemens for pointing out issues here. 
+ * src/: snort.c, util.c, util.h: + write correct pid to file for glibc2.2 / linux threads + * src/preprocessors/: snort_httpinspect.c, + HttpInspect/mode_inspection/hi_mi.c: + Fixed an instance where HTTP session data was not checked. +DAQ 0.5 + * daq/os-daq-modules/Makefile.am: + The IPFW DAQ now builds on OpenBSD. + Thanks to Ross Lawrie, Randall Rioux, and many others for reporting this. + +2010-11-15 Ryan Jordan +Snort 2.9.0.2 + * preproc_rules/preprocessor.rules: + Added a reference to an 0day ProFTP bug in a FTP + preprocessor rule. + * src/build.h: + Increment Snort build number to 92 + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Count only acked segs for flushing post-ack. Thanks to Eoin Miller + for helping track this issue and provide test scenarios. + * src/detection_util.h: + * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: + * src/preprocessors/Stream5/snort_stream5_tcp.c: + fix file_data:mime in So rules. content matches following + file_data:mime should not enter fast pattern matcher. Reset file_data_ptr once + stream flush is done and stream reassembled packet is processed. + * src/dynamic-preprocessors/ssl/spp_ssl.c: + Fix return value for SSL rule options + * src/: plugbase.h, preprocessors/snort_httpinspect.c: + Set the dce preproc bit in HTTP only when server flow depth is -1 + * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_smb.c, + dce2_utils.c, dce2_utils.h, includes/smb.h: + use offset or remaining fields and overwrite + as appropriate instead of always appending data + * src/preprocessors/HttpInspect/server/hi_server.c: + * src/preprocessors/HttpInspect/client/hi_client.c: + Fixed a couple of memory leaks. + * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c: + Fixed an error in the handling of HTTP Session Data. + * doc/: README.http_inspect,snort_manual.pdf, snort_manual.tex: + Update to the snort manual. remove the stream5 + alerts. reference the gen-msg.map. 
+ * preprocessors/Stream5/snort_stream5_tcp.c: + urgent pointer handling corrected for one + byte of urgent data at the start of a segment. The general case + of an N-byte urgent payload prefix would be handled here by + removing the == 1 limit in urg_offset == 1 but that restrictio + is not safe until we flush urgent data. As is, urgent data is + never flushed in reassembled packets and can only be detected i + raw packets. + pointer handling. + * src/: decode.h, detection_util.h, plugbase.h, + preprocessors/snort_httpinspect.c, + preprocessors/snort_httpinspect.h, + preprocessors/HttpInspect/server/hi_server.c, + Apply server flow depth on a session basis + rather than per packet basis. This change improves the + performance by disabling detect on packet when the packet is + beyond the specified flow depth. server_flow_depth now takes + values from -1 to 65535 + * src/parser.c: + Correct setting of dup_opt_func and cleanup existing opt_func list before + hand to address parse-time leak. + 2010-11-01 Ryan Jordan +Snort 2.9.0.1 * doc/: snort_manual.pdf, snort_manual.tex: Added "flush_factor". Fixed incorrect line wrap (thx Shawn Thompson). @@ -23,6 +1547,9 @@ * etc/gen-msg.map: Added rules 120:4 and 120:5 to gen-msg.map. * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix issue when handling overlap limit enforcement. Thanks to rmkml + and Miguel Alvarez for pointing out the issue. + * src/preprocessors/Stream5/snort_stream5_tcp.c: fix flush after initial when acks are withheld conditional on NORMALIZER process stream after window slam unless normalizing @@ -126,6 +1653,7 @@ error on multiple --daq args 2010-10-04 Ryan Jordan +Snort 2.9.0 * doc/Makefile.am: * doc/README.FLEXRESP: * doc/README.FLEXRESP2: 
@@ -212,6 +1740,7 @@ Stream reassembly for the session that matches the rule. 2010-09-03 Ryan Jordan +Snort 2.9.0 RC * Fixed clean shutdown after reload. * Fixed tagging to log tagged packets regardless of filtering. * Fixed mempool initialization of free list count bug reported by @@ -351,6 +1880,7 @@ Handle -g/-u limited with DAQ modules that require root privs. 2010-06-16 Ryan Jordan +Snort 2.9.0 Beta * Snort uses the DAQ library for packet acquisition and injection. ./configure --enable-inline and --enable-ipfw are deleted. Just run ./snort -Q to activate inline mode for DAQs that support it. See the README.daq there diff -Nru snort-2.9.0.1/config.guess snort-2.9.2/config.guess --- snort-2.9.0.1/config.guess 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/config.guess 2011-12-07 11:23:17.000000000 -0800 @@ -1,10 +1,10 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Free Software Foundation, Inc. -timestamp='2009-04-27' +timestamp='2009-11-20' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by 
@@ -27,16 +27,16 @@ # the same distribution terms that you use for the rest of that program. -# Originally written by Per Bothner . -# Please send patches to . Submit a context -# diff and a properly formatted ChangeLog entry. +# Originally written by Per Bothner. Please send patches (context +# diff format) to and include a ChangeLog +# entry. # # This script attempts to guess a canonical system name similar to # config.sub. If it succeeds, it prints the system name on stdout, and # exits with 0. Otherwise, it exits with 1. # -# The plan is that this can be called by configure scripts if you -# don't specify an explicit build system type. +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD me=`echo "$0" | sed -e 's,.*/,,'` @@ -170,7 +170,7 @@ arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ - | grep __ELF__ >/dev/null + | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? @@ -333,6 +333,9 @@ sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; + i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) + echo i386-pc-auroraux${UNAME_RELEASE} + exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" @@ -656,7 +659,7 @@ # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | - grep __LP64__ >/dev/null + grep -q __LP64__ then HP_ARCH="hppa2.0w" else @@ -807,12 +810,12 @@ i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; - *:Interix*:[3456]*) + *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; - EM64T | authenticamd | genuineintel) + authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) 
@@ -822,6 +825,9 @@ [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; + 8664:Windows_NT:*) + echo x86_64-pc-mks + exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we @@ -851,6 +857,20 @@ i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ @@ -873,6 +893,17 @@ frv:Linux:*:*) echo frv-unknown-linux-gnu exit ;; + i*86:Linux:*:*) + LIBC=gnu + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #ifdef __dietlibc__ + LIBC=dietlibc + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; 
@@ -882,78 +913,34 @@ m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; - mips:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #undef CPU - #undef mips - #undef mipsel - #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mipsel - #else - #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips - #else - CPU= - #endif - #endif -EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^CPU/{ - s: ::g - p - }'`" - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } - ;; - mips64:Linux:*:*) + mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU - #undef mips64 - #undef mips64el + #undef ${UNAME_MACHINE} + #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mips64el + CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips64 + CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^CPU/{ - s: ::g - p - }'`" + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) echo or32-unknown-linux-gnu exit ;; - ppc:Linux:*:*) - echo powerpc-unknown-linux-gnu - exit ;; - ppc64:Linux:*:*) - echo powerpc64-unknown-linux-gnu - exit ;; - alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in - EV5) UNAME_MACHINE=alphaev5 ;; - EV56) UNAME_MACHINE=alphaev56 ;; - PCA56) UNAME_MACHINE=alphapca56 ;; - PCA57) UNAME_MACHINE=alphapca56 ;; - EV6) UNAME_MACHINE=alphaev6 ;; - EV67) UNAME_MACHINE=alphaev67 ;; - EV68*) UNAME_MACHINE=alphaev68 ;; - esac - objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null - if test "$?" 
= 0 ; then LIBC="libc1" ; else LIBC="" ; fi - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} - exit ;; padre:Linux:*:*) echo sparc-unknown-linux-gnu exit ;; + parisc64:Linux:*:* | hppa64:Linux:*:*) + echo hppa64-unknown-linux-gnu + exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in @@ -962,8 +949,11 @@ *) echo hppa-unknown-linux-gnu ;; esac exit ;; - parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-gnu + ppc64:Linux:*:*) + echo powerpc64-unknown-linux-gnu + exit ;; + ppc:Linux:*:*) + echo powerpc-unknown-linux-gnu exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux 
@@ -986,66 +976,6 @@ xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; - i*86:Linux:*:*) - # The BFD linker knows what the default object file format is, so - # first see if it will tell us. cd to the root directory to prevent - # problems with other programs or directories called `ld' in the path. - # Set LC_ALL=C to ensure ld outputs messages in English. - ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ - | sed -ne '/supported targets:/!d - s/[ ][ ]*/ /g - s/.*supported targets: *// - s/ .*// - p'` - case "$ld_supported_targets" in - elf32-i386) - TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu" - ;; - a.out-i386-linux) - echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit ;; - "") - # Either a pre-BFD a.out linker (linux-gnuoldld) or - # one that does not give us useful --help. - echo "${UNAME_MACHINE}-pc-linux-gnuoldld" - exit ;; - esac - # Determine whether the default compiler is a.out or elf - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #include - #ifdef __ELF__ - # ifdef __GLIBC__ - # if __GLIBC__ >= 2 - LIBC=gnu - # else - LIBC=gnulibc1 - # endif - # else - LIBC=gnulibc1 - # endif - #else - #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) - LIBC=gnu - #else - LIBC=gnuaout - #endif - #endif - #ifdef __dietlibc__ - LIBC=dietlibc - #endif -EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^LIBC/{ - s: ::g - p - }'`" - test x"${LIBC}" != x && { - echo "${UNAME_MACHINE}-pc-linux-${LIBC}" - exit - } - test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; } - ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both 
@@ -1074,7 +1004,7 @@ i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) @@ -1182,7 +1112,7 @@ rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; - PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) @@ -1275,6 +1205,16 @@ *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown case $UNAME_PROCESSOR in + i386) + eval $set_cc_for_build + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + UNAME_PROCESSOR="x86_64" + fi + fi ;; unknown) UNAME_PROCESSOR=powerpc ;; esac echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} diff -Nru snort-2.9.0.1/config.h.in snort-2.9.2/config.h.in --- snort-2.9.0.1/config.h.in 2010-10-08 02:56:48.000000000 -0700 +++ snort-2.9.2/config.h.in 2011-12-07 11:23:14.000000000 -0800 @@ -25,12 +25,24 @@ /* Define to 1 if the system has the type `boolean'. */ #undef HAVE_BOOLEAN +/* Define to 1 if you have the `daq_acquire_with_meta' function. */ +#undef HAVE_DAQ_ACQUIRE_WITH_META + +/* Define to 1 if you have the `daq_hup_apply' function. */ +#undef HAVE_DAQ_HUP_APPLY + /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define to 1 if you have the header file. */ #undef HAVE_DNET_H +/* Define to 1 if you have the header file. */ +#undef HAVE_DUMBNET_H + +/* Define to 1 if you have the `inet_ntop' function. */ +#undef HAVE_INET_NTOP + /* Define to 1 if the system has the type `int16_t'. */ #undef HAVE_INT16_T 
@@ -46,6 +58,12 @@ /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H +/* Define to 1 if you have the `dnet' library (-ldnet). */ +#undef HAVE_LIBDNET + +/* Define to 1 if you have the `dumbnet' library (-ldumbnet). */ +#undef HAVE_LIBDUMBNET + /* Define to 1 if you have the `m' library (-lm). */ #undef HAVE_LIBM @@ -73,6 +91,9 @@ /* Define to 1 if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET +/* Define to 1 if you have the `uuid' library (-luuid). */ +#undef HAVE_LIBUUID + /* Define to 1 if you have the `z' library (-lz). */ #undef HAVE_LIBZ @@ -85,6 +106,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the `memrchr' function. */ +#undef HAVE_MEMRCHR + /* Define to 1 if you have the header file. */ #undef HAVE_PATHS_H @@ -100,9 +124,15 @@ /* Define to 1 if you have the header file. */ #undef HAVE_PFRING_H +/* Define to 1 if you have the `sigaction' function. */ +#undef HAVE_SIGACTION + /* snprintf function is available */ #undef HAVE_SNPRINTF +/* Define to 1 if stdbool.h conforms to C99. */ +#undef HAVE_STDBOOL_H + /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H @@ -151,6 +181,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H +/* Define to 1 if you have the header file. */ +#undef HAVE_UUID_UUID_H + /* Define to 1 if the system has the type `u_int16_t'. */ #undef HAVE_U_INT16_T @@ -184,6 +217,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_ZLIB_H +/* Define to 1 if the system has the type `_Bool'. */ +#undef HAVE__BOOL + /* Define if the compiler understands __FUNCTION__. */ #undef HAVE___FUNCTION__ 
@@ -236,12 +272,21 @@ /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME -/* Define to the home page for this package. */ -#undef PACKAGE_URL - /* Define to the version of this package. */ #undef PACKAGE_VERSION +/* Set by user */ +#undef SIGNAL_SNORT_DUMP_STATS + +/* Set by user */ +#undef SIGNAL_SNORT_READ_ATTR_TBL + +/* Set by user */ +#undef SIGNAL_SNORT_RELOAD + +/* Set by user */ +#undef SIGNAL_SNORT_ROTATE_STATS + /* The size of `char', as computed by sizeof. */ #undef SIZEOF_CHAR @@ -289,3 +334,9 @@ /* Define __FUNCTION__ as required. */ #undef __FUNCTION__ + +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus +#undef inline +#endif diff -Nru snort-2.9.0.1/config.sub snort-2.9.2/config.sub --- snort-2.9.0.1/config.sub 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/config.sub 2011-12-07 11:23:17.000000000 -0800 @@ -1,10 +1,10 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Free Software Foundation, Inc. -timestamp='2009-04-17' +timestamp='2009-11-20' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software 
@@ -32,13 +32,16 @@ # Please send patches to . Submit a context -# diff and a properly formatted ChangeLog entry. +# diff and a properly formatted GNU ChangeLog entry. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD + # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. @@ -149,10 +152,13 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray) + -apple | -axis | -knuth | -cray | -microblaze) os= basic_machine=$1 ;; + -bluegene*) + os=-cnk + ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 @@ -281,6 +287,7 @@ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ + | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ @@ -288,13 +295,14 @@ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu | strongarm \ | tahoe | thumb | tic4x | tic80 | tron \ + | ubicom32 \ | v850 | v850e \ | we32k \ | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12) + m6811 | m68hc11 | m6812 | m68hc12 | picochip) # Motorola 68HC11/12. basic_machine=$basic_machine-unknown os=-none 
@@ -337,7 +345,7 @@ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ @@ -365,7 +373,7 @@ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ | pyramid-* \ - | romp-* | rs6000-* \ + | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ @@ -374,6 +382,7 @@ | tahoe-* | thumb-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \ | tron-* \ + | ubicom32-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ @@ -467,6 +476,10 @@ basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; + bluegene*) + basic_machine=powerpc-ibm + os=-cnk + ;; c90) basic_machine=c90-cray os=-unicos @@ -719,6 +732,9 @@ basic_machine=ns32k-utek os=-sysv ;; + microblaze) + basic_machine=microblaze-xilinx + ;; mingw32) basic_machine=i386-pc os=-mingw32 @@ -1240,6 +1256,9 @@ # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. + -auroraux) + os=-auroraux + ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; 
@@ -1260,9 +1279,9 @@ # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ - | -kopensolaris* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ + | -sym* | -kopensolaris* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ @@ -1283,7 +1302,7 @@ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1613,7 +1632,7 @@ -sunos*) vendor=sun ;; - -aix*) + -cnk*|-aix*) vendor=ibm ;; -beos*) diff -Nru snort-2.9.0.1/configure snort-2.9.2/configure --- snort-2.9.0.1/configure 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/configure 2011-12-07 11:23:25.000000000 -0800 
@@ -1,22 +1,18 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67. -# +# Generated by GNU Autoconf 2.63. # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software -# Foundation, Inc. -# -# +# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. -## -------------------- ## -## M4sh Initialization. ## -## -------------------- ## +## --------------------- ## +## M4sh Initialization. ## +## --------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which @@ -24,15 +20,23 @@ alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else - case `(set -o) 2>/dev/null` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; esac + fi + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + as_nl=' ' export as_nl 
@@ -40,13 +44,7 @@ as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -# Prefer a ksh shell builtin over an external printf program on Solaris, -# but without wasting forks for bash or zsh. -if test -z "$BASH_VERSION$ZSH_VERSION" \ - && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='print -r --' - as_echo_n='print -rn --' -elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then +if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else @@ -57,7 +55,7 @@ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; - case $arg in #( + case $arg in *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; @@ -80,6 +78,13 @@ } fi +# Support unset when possible. +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi + # IFS # We need space, tab and new line, in precisely that order. Quoting is @@ -89,15 +94,15 @@ IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. -case $0 in #(( +case $0 in *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break - done + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done IFS=$as_save_IFS ;; 
@@ -109,16 +114,12 @@ fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - exit 1 + { (exit 1); exit 1; } fi -# Unset variables that we do not need and which cause bugs (e.g. in -# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -# suppresses any "Segmentation fault" message there. '((' could -# trigger a bug in pdksh 5.2.14. -for as_var in BASH_ENV ENV MAIL MAILPATH -do eval test x\${$as_var+set} = xset \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +# Work around bugs in pre-3.0 UWIN ksh. +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var done PS1='$ ' PS2='> ' 
@@ -130,248 +131,7 @@ LANGUAGE=C export LANGUAGE -# CDPATH. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - -if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which - # is contrary to our usage. Disable this feature. - alias -g '\${1+\"\$@\"}'='\"\$@\"' - setopt NO_GLOB_SUBST -else - case \`(set -o) 2>/dev/null\` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi -" - as_required="as_fn_return () { (exit \$1); } -as_fn_success () { as_fn_return 0; } -as_fn_failure () { as_fn_return 1; } -as_fn_ret_success () { return 0; } -as_fn_ret_failure () { return 1; } - -exitcode=0 -as_fn_success || { exitcode=1; echo as_fn_success failed.; } -as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } -as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } -as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : - -else - exitcode=1; echo positional parameters were not saved. -fi -test x\$exitcode = x0 || exit 1" - as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO - as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO - eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && - test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 -test \$(( 1 + 1 )) = 2 || exit 1" - if (eval "$as_required") 2>/dev/null; then : - as_have_required=yes -else - as_have_required=no -fi - if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : - -else - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -as_found=false -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- as_found=: - case $as_dir in #( - /*) - for as_base in sh bash ksh sh5; do - # Try only shells that exist, to save several forks. - as_shell=$as_dir/$as_base - if { test -f "$as_shell" || test -f "$as_shell.exe"; } && - { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : - CONFIG_SHELL=$as_shell as_have_required=yes - if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : - break 2 -fi -fi - done;; - esac - as_found=false -done -$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && - { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : - CONFIG_SHELL=$SHELL as_have_required=yes -fi; } -IFS=$as_save_IFS - - - if test "x$CONFIG_SHELL" != x; then : - # We cannot yet assume a decent shell, so we have to provide a - # neutralization value for shells without unset; and this also - # works around shells that cannot unset nonexistent variables. - BASH_ENV=/dev/null - ENV=/dev/null - (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV - export CONFIG_SHELL - exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} -fi - - if test x$as_have_required = xno; then : - $as_echo "$0: This script requires a shell more modern than all" - $as_echo "$0: the shells that I found on your system." - if test x${ZSH_VERSION+set} = xset ; then - $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" - $as_echo "$0: be upgraded to zsh 4.3.4 or later." - else - $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, -$0: including any error possibly output before this -$0: message. Then install a modern shell, or manually run -$0: the script under such a shell if you do have one." - fi - exit 1 -fi -fi -fi -SHELL=${CONFIG_SHELL-/bin/sh} -export SHELL -# Unset more variables known to interfere with behavior of common tools. 
-CLICOLOR_FORCE= GREP_OPTIONS= -unset CLICOLOR_FORCE GREP_OPTIONS - -## --------------------- ## -## M4sh Shell Functions. ## -## --------------------- ## -# as_fn_unset VAR -# --------------- -# Portably unset VAR. -as_fn_unset () -{ - { eval $1=; unset $1;} -} -as_unset=as_fn_unset - -# as_fn_set_status STATUS -# ----------------------- -# Set $? to STATUS, without forking. -as_fn_set_status () -{ - return $1 -} # as_fn_set_status - -# as_fn_exit STATUS -# ----------------- -# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -as_fn_exit () -{ - set +e - as_fn_set_status $1 - exit $1 -} # as_fn_exit - -# as_fn_mkdir_p -# ------------- -# Create "$as_dir" as a directory, including parents if necessary. -as_fn_mkdir_p () -{ - - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || eval $as_mkdir_p || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - - -} # as_fn_mkdir_p -# as_fn_append VAR VALUE -# ---------------------- -# Append the text in VALUE to the end of the definition contained in VAR. Take -# advantage of any shell optimizations that allow amortized linear growth over -# repeated appends, instead of the typical quadratic growth present in naive -# implementations. 
-if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : - eval 'as_fn_append () - { - eval $1+=\$2 - }' -else - as_fn_append () - { - eval $1=\$$1\$2 - } -fi # as_fn_append - -# as_fn_arith ARG... -# ------------------ -# Perform arithmetic evaluation on the ARGs, and store the result in the -# global $as_val. Take advantage of shells that can avoid forks. The arguments -# must be portable across $(()) and expr. -if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : - eval 'as_fn_arith () - { - as_val=$(( $* )) - }' -else - as_fn_arith () - { - as_val=`expr "$@" || test $? -eq 1` - } -fi # as_fn_arith - - -# as_fn_error STATUS ERROR [LINENO LOG_FD] -# ---------------------------------------- -# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -# script with STATUS, using 1 if that was 0. -as_fn_error () -{ - as_status=$1; test $as_status -eq 0 && as_status=1 - if test "$4"; then - as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi - $as_echo "$as_me: error: $2" >&2 - as_fn_exit $as_status -} # as_fn_error - +# Required to use basename. if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr @@ -385,12 +145,8 @@ as_basename=false fi -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi +# Name of the executable. as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ 
@@ -410,125 +166,414 @@ } s/.*/./; q'` -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits +# CDPATH. +$as_unset CDPATH - as_lineno_1=$LINENO as_lineno_1a=$LINENO - as_lineno_2=$LINENO as_lineno_2a=$LINENO - eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && - test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { - # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) - sed -n ' - p - /[$]LINENO/= - ' <$as_myself | - sed ' - s/[$]LINENO.*/&-/ - t lineno - b - :lineno - N - :loop - s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ - t loop - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || - { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } +if test "x$CONFIG_SHELL" = x; then + if (eval ":") 2>/dev/null; then + as_have_required=yes +else + as_have_required=no +fi - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensitive to this). - . "./$as_me.lineno" - # Exit status is that of the last command. - exit + if test $as_have_required = yes && (eval ": +(as_func_return () { + (exit \$1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 } -ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in #((((( --n*) - case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. 
- xy) ECHO_C='\c';; - *) echo `echo ksh88 bug on AIX 6.1` > /dev/null - ECHO_T=' ';; - esac;; -*) - ECHO_N='-n';; -esac - -rm -f conf$$ conf$$.exe conf$$.file -if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file +exitcode=0 +if as_func_success; then + : else - rm -f conf$$.dir - mkdir conf$$.dir 2>/dev/null + exitcode=1 + echo as_func_success failed. fi -if (echo >conf$$.file) 2>/dev/null; then - if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -p' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else - as_ln_s='cp -p' - fi -else - as_ln_s='cp -p' + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. fi -rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file -rmdir conf$$.dir 2>/dev/null -if mkdir -p . 2>/dev/null; then - as_mkdir_p='mkdir -p "$as_dir"' +if as_func_ret_success; then + : else - test -d ./-p && rmdir ./-p - as_mkdir_p=false + exitcode=1 + echo as_func_ret_success failed. fi -if test -x / >/dev/null 2>&1; then - as_test_x='test -x' +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then + : else - if ls -dL / >/dev/null 2>&1; then - as_ls_L_option=L - else - as_ls_L_option= - fi - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then - test -d "$1/."; - else - case $1 in #( - -*)set "./$1";; - esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' + exitcode=1 + echo positional parameters were not saved. fi -as_executable_p=$as_test_x -# Sed expression to map a string onto a valid CPP name. 
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +test \$exitcode = 0) || { (exit 1); exit 1; } -# Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" +( + as_lineno_1=\$LINENO + as_lineno_2=\$LINENO + test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" && + test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; } +") 2> /dev/null; then + : +else + as_candidate_shells= + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + case $as_dir in + /*) + for as_base in sh bash ksh sh5; do + as_candidate_shells="$as_candidate_shells $as_dir/$as_base" + done;; + esac +done +IFS=$as_save_IFS + for as_shell in $as_candidate_shells $SHELL; do + # Try only shells that exist, to save several forks. + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { ("$as_shell") 2> /dev/null <<\_ASEOF +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac -# Check that we are running under the correct shell. -SHELL=${CONFIG_SHELL-/bin/sh} +fi + + +: +_ASEOF +}; then + CONFIG_SHELL=$as_shell + as_have_required=yes + if { "$as_shell" 2> /dev/null <<\_ASEOF +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. 
+ alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + +: +(as_func_return () { + (exit $1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. +fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = "$1" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test $exitcode = 0) || { (exit 1); exit 1; } + +( + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; } + +_ASEOF +}; then + break +fi + +fi + + done + + if test "x$CONFIG_SHELL" != x; then + for as_var in BASH_ENV ENV + do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var + done + export CONFIG_SHELL + exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} +fi + + + if test $as_have_required = no; then + echo This script requires a shell more modern than all the + echo shells that I found on your system. Please install a + echo modern shell, or manually run the script under such a + echo shell if you do have one. + { (exit 1); exit 1; } +fi + + +fi + +fi + + + +(eval "as_func_return () { + (exit \$1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. 
+fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test \$exitcode = 0") || { + echo No shell found that supports shell functions. + echo Please tell bug-autoconf@gnu.org about your system, + echo including any error possibly output before this message. + echo This can help us improve future autoconf versions. + echo Configuration will now proceed without shell functions. +} + + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { + + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. 
:-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; +esac +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -p' + fi +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 
2>/dev/null; then + as_mkdir_p=: +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + + + +# Check that we are running under the correct shell. +SHELL=${CONFIG_SHELL-/bin/sh} case X$lt_ECHO in X*--fallback-echo) @@ -675,11 +720,10 @@ -test -n "$DJDIR" || exec 7<&0 &1 +exec 7<&0 &1 # Name of the host. -# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, +# hostname on some systems (SVR3.2, Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` @@ -694,6 +738,7 @@ subdirs= MFLAGS= MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME= @@ -701,7 +746,6 @@ PACKAGE_VERSION= PACKAGE_STRING= PACKAGE_BUGREPORT= -PACKAGE_URL= ac_unique_file="src/snort.c" # Factoring default headers for most tests. @@ -744,7 +788,17 @@ am__EXEEXT_TRUE LTLIBOBJS LIBOBJS +ICONFIGFLAGS +CCONFIGFLAGS +CONFIGFLAGS INCLUDES +WANT_SF_SAAC_FALSE +WANT_SF_SAAC_TRUE +RAZORBACK_LIBS +RAZORBACK_CFLAGS +PKG_CONFIG +HAVE_SHARED_REP_FALSE +HAVE_SHARED_REP_TRUE HAVE_INTEL_SOFT_CPM_FALSE HAVE_INTEL_SOFT_CPM_TRUE BUILD_RESPOND3_FALSE 
@@ -770,8 +824,16 @@ HAVE_SUP_IP6_TRUE BUILD_DYNAMIC_EXAMPLES_FALSE BUILD_DYNAMIC_EXAMPLES_TRUE +BUILD_CONTROL_SOCKET_FALSE +BUILD_CONTROL_SOCKET_TRUE +SO_WITH_STATIC_LIB_FALSE +SO_WITH_STATIC_LIB_TRUE HAVE_DYNAMIC_PLUGINS_FALSE HAVE_DYNAMIC_PLUGINS_TRUE +SIGNAL_SNORT_READ_ATTR_TBL +SIGNAL_SNORT_ROTATE_STATS +SIGNAL_SNORT_DUMP_STATS +SIGNAL_SNORT_RELOAD BUILD_SNPRINTF_FALSE BUILD_SNPRINTF_TRUE LEX @@ -878,7 +940,6 @@ program_transform_name prefix exec_prefix -PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION @@ -905,8 +966,10 @@ with_libpcre_includes with_libpcre_libraries enable_dynamicplugin -with_dumbnet_includes -with_dumbnet_libraries +enable_so_with_static_lib +enable_control_socket +with_dnet_includes +with_dnet_libraries with_daq_includes with_daq_libraries enable_static_daq @@ -927,6 +990,7 @@ enable_pthread enable_debug_msgs enable_debug +enable_gdb enable_profile enable_ppm_test enable_sourcefire @@ -942,12 +1006,17 @@ with_postgresql with_pgsql_includes with_oracle +enable_paf enable_react enable_flexresp3 enable_aruba enable_intel_soft_cpm with_intel_soft_cpm_includes with_intel_soft_cpm_libraries +enable_shared_rep +enable_rzb_saac +with_librzb_api +enable_large_pcap ' ac_precious_vars='build_alias host_alias @@ -957,7 +1026,14 @@ LDFLAGS LIBS CPPFLAGS -CPP' +CPP +SIGNAL_SNORT_RELOAD +SIGNAL_SNORT_DUMP_STATS +SIGNAL_SNORT_ROTATE_STATS +SIGNAL_SNORT_READ_ATTR_TBL +PKG_CONFIG +RAZORBACK_CFLAGS +RAZORBACK_LIBS' # Initialize some variables set by options. @@ -1020,9 +1096,8 @@ fi case $ac_option in - *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; - *=) ac_optarg= ;; - *) ac_optarg=yes ;; + *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. 
@@ -1067,7 +1142,8 @@ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: $ac_useropt" + { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in @@ -1093,7 +1169,8 @@ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: $ac_useropt" + { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in @@ -1297,7 +1374,8 @@ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: $ac_useropt" + { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in @@ -1313,7 +1391,8 @@ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: $ac_useropt" + { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in 
@@ -1343,17 +1422,17 @@ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; - -*) as_fn_error $? "unrecognized option: \`$ac_option' -Try \`$0 --help' for more information" + -*) { $as_echo "$as_me: error: unrecognized option: $ac_option +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; } ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. - case $ac_envvar in #( - '' | [0-9]* | *[!_$as_cr_alnum]* ) - as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; - esac + expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2 + { (exit 1); exit 1; }; } eval $ac_envvar=\$ac_optarg export $ac_envvar ;; @@ -1370,13 +1449,15 @@ if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` - as_fn_error $? "missing argument to $ac_option" + { $as_echo "$as_me: error: missing argument to $ac_option" >&2 + { (exit 1); exit 1; }; } fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; - fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; + fatal) { $as_echo "$as_me: error: unrecognized options: $ac_unrecognized_opts" >&2 + { (exit 1); exit 1; }; } ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi @@ -1399,7 +1480,8 @@ [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac - as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" + { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 + { (exit 1); exit 1; }; } done # There might be people who depend on the old broken behavior: `$host' 
@@ -1413,8 +1495,8 @@ if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe - $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. - If a cross compiler is detected then cross compile mode will be used" >&2 + $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. + If a cross compiler is detected then cross compile mode will be used." >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi @@ -1429,9 +1511,11 @@ ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || - as_fn_error $? "working directory cannot be determined" + { $as_echo "$as_me: error: working directory cannot be determined" >&2 + { (exit 1); exit 1; }; } test "X$ac_ls_di" = "X$ac_pwd_ls_di" || - as_fn_error $? "pwd does not report name of working directory" + { $as_echo "$as_me: error: pwd does not report name of working directory" >&2 + { (exit 1); exit 1; }; } # Find the source files, if location was not specified. @@ -1470,11 +1554,13 @@ fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." - as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" + { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 + { (exit 1); exit 1; }; } fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( - cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" + cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2 + { (exit 1); exit 1; }; } pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then 
@@ -1514,7 +1600,7 @@ --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit - -q, --quiet, --silent do not print \`checking ...' messages + -q, --quiet, --silent do not print \`checking...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files 
@@ -1586,36 +1672,43 @@ optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-64bit-gcc Try to compile 64bit (only tested on Sparc Solaris 9 and 10). - --enable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries) - --enable-static-daq Link static DAQ modules. + --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries) + --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library + --enable-control-socket Enable the control socket + --disable-static-daq Link static DAQ modules. --enable-build-dynamic-examples Enable building of example dynamically loaded preprocessor and rule (off by default) - --enable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. - --enable-ipv6 Enable IPv6 support - --enable-zlib Enable Http Response Decompression - --enable-gre Enable GRE and IP in IP encapsulation support - --enable-mpls Enable MPLS support - --enable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) - --enable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events - --enable-ppm Enable packet/rule performance monitor - --enable-perfprofiling Enable preprocessor and rule performance profiling + --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. 
+ --disable-ipv6 Disable IPv6 support + --disable-zlib Enable Http Response Decompression + --disable-gre Enable GRE and IP in IP encapsulation support + --disable-mpls Enable MPLS support + --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) + --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events + --disable-ppm Enable packet/rule performance monitor + --disable-perfprofiling Enable preprocessor and rule performance profiling --enable-linux-smp-stats Enable statistics reporting through proc --enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly) --enable-prelude Enable Prelude Hybrid IDS support - --enable-pthread Enable pthread support + --disable-pthread Disable pthread support --enable-debug-msgs Enable debug printing options (bugreports and developers only) --enable-debug Enable debugging options (bugreports and developers only) + --enable-gdb Enable gdb debugging information --enable-profile Enable profiling options (developers only) - --enable-ppm-test Enable packet/rule performance monitor - --enable-sourcefire Enable Sourcefire specific build options + --disable-ppm-test Enable packet/rule performance monitor + --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling,--enable-decoder-preprocessor-rules, --enable-ppm --disable-corefiles Prevent Snort from generating core files - --enable-active-response Enable reject injection - --enable-normalizer Enable packet/stream normalizations - --enable-reload Enable reloading a configuration without restarting - --enable-reload-error-restart Enable restarting on reload error - --enable-react Intercept and terminate offending HTTP accesses - --enable-flexresp3 Flexible Responses (v3) on hostile connection attempts + --disable-active-response Enable reject injection + --disable-normalizer Enable packet/stream 
normalizations + --disable-reload Enable reloading a configuration without restarting + --disable-reload-error-restart Enable restarting on reload error + --disable-paf disable protocol aware flushing + --disable-react Intercept and terminate offending HTTP accesses + --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts --enable-aruba Enable Aruba output plugin --enable-intel-soft-cpm Enable Intel Soft CPM support + --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only) + --enable-rzb-saac Enable Razorback SaaC support + --enable-large-pcap Enable support for pcaps larger than 2 GB Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1629,8 +1722,8 @@ --with-libpfring-libraries=DIR libpfring library directory --with-libpcre-includes=DIR libpcre include directory --with-libpcre-libraries=DIR libpcre library directory - --with-dumbnet-includes=DIR libdumbnet include directory - --with-dumbnet-libraries=DIR libdumbnet library directory + --with-dnet-includes=DIR libdnet include directory + --with-dnet-libraries=DIR libdnet library directory --with-daq-includes=DIR DAQ include directory --with-daq-libraries=DIR DAQ library directory --with-libprelude-prefix=PFX Prefix where libprelude is installed (optional) @@ -1643,6 +1736,7 @@ --with-oracle=DIR Support for Oracle --with-intel-soft-cpm-includes=DIR Intel Soft CPM include directory --with-intel-soft-cpm-libraries=DIR Intel Soft CPM library directory + --with-librzb-api=DIR librazorback_api directory Some influential environment variables: CC C compiler command 
@@ -1650,14 +1744,26 @@ LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l - CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if + CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor + SIGNAL_SNORT_RELOAD + set the SIGNAL_SNORT_RELOAD value + SIGNAL_SNORT_DUMP_STATS + set the SIGNAL_SNORT_DUMP_STATS value + SIGNAL_SNORT_ROTATE_STATS + set the SIGNAL_SNORT_ROTATE_STATS value + SIGNAL_SNORT_READ_ATTR_TBL + set the SIGNAL_SNORT_READ_ATTR_TBL value + PKG_CONFIG path to pkg-config utility + RAZORBACK_CFLAGS + C compiler flags for RAZORBACK, overriding pkg-config + RAZORBACK_LIBS + linker flags for RAZORBACK, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to the package provider. _ACEOF ac_status=$? fi 
@@ -1721,942 +1827,371 @@ if $ac_init_version; then cat <<\_ACEOF configure -generated by GNU Autoconf 2.67 +generated by GNU Autoconf 2.63 -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi +cat >config.log <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. -## ------------------------ ## -## Autoconf initialization. ## -## ------------------------ ## - -# ac_fn_c_try_compile LINENO -# -------------------------- -# Try to compile conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext - if { { ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - as_fn_set_status $ac_retval +It was created by $as_me, which was +generated by GNU Autoconf 2.63. 
Invocation command line was -} # ac_fn_c_try_compile + $ $0 $@ -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () +_ACEOF +exec 5>>config.log { - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +cat <<_ASUNAME +## --------- ## +## Platform. ## +## --------- ## - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. 
- rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - as_fn_set_status $ac_retval +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` -} # ac_fn_c_try_link +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` -# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES -# ------------------------------------------------------- -# Tests whether HEADER exists and can be compiled using the include files in -# INCLUDES, setting the cache variable VAR accordingly. -ac_fn_c_check_header_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$4 -#include <$2> -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$3=yes" -else - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` -} # ac_fn_c_check_header_compile +_ASUNAME -# ac_fn_c_try_cpp LINENO -# ---------------------- -# Try to preprocess conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_cpp () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if { { ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } > conftest.i && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ $as_echo "PATH: $as_dir" +done +IFS=$as_save_IFS - ac_retval=1 -fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - as_fn_set_status $ac_retval +} >&5 -} # ac_fn_c_try_cpp +cat >&5 <<_ACEOF -# ac_fn_c_try_run LINENO -# ---------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes -# that executables *can* be run. -ac_fn_c_try_run () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then : - ac_retval=0 -else - $as_echo "$as_me: program exited with status $ac_status" >&5 - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_retval=$ac_status -fi - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - as_fn_set_status $ac_retval +## ----------- ## +## Core tests. 
## +## ----------- ## -} # ac_fn_c_try_run +_ACEOF -# ac_fn_c_check_func LINENO FUNC VAR -# ---------------------------------- -# Tests whether FUNC exists, setting the cache variable VAR accordingly -ac_fn_c_check_func () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Define $2 to an innocuous variant, in case declares $2. - For example, HP-UX 11i declares gettimeofday. */ -#define $2 innocuous_$2 -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $2 (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Strip out --silent because we don't want to record it for future runs. +# Also quote any args containing shell meta-characters. +# Make two passes to allow for proper duplicate-argument suppression. +ac_configure_args= +ac_configure_args0= +ac_configure_args1= +ac_must_keep_next=false +for ac_pass in 1 2 +do + for ac_arg + do + case $ac_arg in + -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + continue ;; + *\'*) + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case $ac_pass in + 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;; + 2) + ac_configure_args1="$ac_configure_args1 '$ac_arg'" + if test $ac_must_keep_next = true; then + ac_must_keep_next=false # Got value, back to normal. 
+ else + case $ac_arg in + *=* | --config-cache | -C | -disable-* | --disable-* \ + | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ + | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ + | -with-* | --with-* | -without-* | --without-* | --x) + case "$ac_configure_args0 " in + "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; + esac + ;; + -* ) ac_must_keep_next=true ;; + esac + fi + ac_configure_args="$ac_configure_args '$ac_arg'" + ;; + esac + done +done +$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; } +$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; } -#ifdef __STDC__ -# include -#else -# include -#endif +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + + cat <<\_ASBOX +## ---------------- ## +## Cache variables. 
## +## ---------------- ## +_ASBOX + echo + # The following way of writing the cache mishandles newlines in values, +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) $as_unset $ac_var ;; + esac ;; + esac + done + (set) 2>&1 | + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + sed -n \ + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( + *) + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) + echo -#undef $2 + cat <<\_ASBOX +## ----------------- ## +## Output variables. ## +## ----------------- ## +_ASBOX + echo + for ac_var in $ac_subst_vars + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $2 (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$2 || defined __stub___$2 -choke me -#endif + if test -n "$ac_subst_files"; then + cat <<\_ASBOX +## ------------------- ## +## File substitutions. 
## +## ------------------- ## +_ASBOX + echo + for ac_var in $ac_subst_files + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + fi -int -main () -{ -return $2 (); - ; - return 0; -} + if test -s confdefs.h; then + cat <<\_ASBOX +## ----------- ## +## confdefs.h. ## +## ----------- ## +_ASBOX + echo + cat confdefs.h + echo + fi + test "$ac_signal" != 0 && + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" + } >&5 + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status +' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -f -r conftest* confdefs.h + +# Predefined preprocessor variables. + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval "$3=yes" -else - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -} # ac_fn_c_check_func -# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES -# ------------------------------------------------------- -# Tests whether HEADER exists, giving a warning if it cannot be compiled using -# the include files in INCLUDES and setting the cache variable VAR -# accordingly. -ac_fn_c_check_header_mongrel () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if eval "test \"\${$3+set}\"" = set; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... 
" >&6; } -if eval "test \"\${$3+set}\"" = set; then : - $as_echo_n "(cached) " >&6 -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -else - # Is the header compilable? -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 -$as_echo_n "checking $2 usability... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -#include <$2> +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_header_compiler=yes -else - ac_header_compiler=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 -$as_echo "$ac_header_compiler" >&6; } -# Is the header present? -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 -$as_echo_n "checking $2 presence... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include <$2> + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - ac_header_preproc=yes -else - ac_header_preproc=no -fi -rm -f conftest.err conftest.i conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 -$as_echo "$ac_header_preproc" >&6; } -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( - yes:no: ) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 -$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" 
>&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} - ;; - no:yes:* ) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 -$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 -$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 -$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 -$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} - ;; -esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : - $as_echo_n "(cached) " >&6 -else - eval "$3=\$ac_header_compiler" -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - -} # ac_fn_c_check_header_mongrel - -# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES -# -------------------------------------------- -# Tries to find the compile-time value of EXPR in a program that includes -# INCLUDES, setting VAR accordingly. 
Returns whether the value could be -# computed -ac_fn_c_compute_int () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) >= 0)]; -test_array [0] = 0 - ; - return 0; -} +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_lo=0 ac_mid=0 - while :; do - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0 - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_hi=$ac_mid; break -else - as_fn_arith $ac_mid + 1 && ac_lo=$as_val - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) < 0)]; -test_array [0] = 0 - ; - return 0; -} +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_hi=-1 ac_mid=-1 - while :; do - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) >= $ac_mid)]; -test_array [0] = 0 - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_lo=$ac_mid; break -else - as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done -else - ac_lo= ac_hi= -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0 - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_hi=$ac_mid +# Let the site file select an alternate cache file if it wants to. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE +if test -n "$CONFIG_SITE"; then + ac_site_file1=$CONFIG_SITE +elif test "x$prefix" != xNONE; then + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site else - as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +for ac_site_file in "$ac_site_file1" "$ac_site_file2" +do + test "x$ac_site_file" = xNONE && continue + if test -r "$ac_site_file"; then + { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 + . 
"$ac_site_file" + fi done -case $ac_lo in #(( -?*) eval "$3=\$ac_lo"; ac_retval=0 ;; -'') ac_retval=1 ;; -esac - else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -static long int longval () { return $2; } -static unsigned long int ulongval () { return $2; } -#include -#include -int -main () -{ - - FILE *f = fopen ("conftest.val", "w"); - if (! f) - return 1; - if (($2) < 0) - { - long int i = longval (); - if (i != ($2)) - return 1; - fprintf (f, "%ld", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ($2)) - return 1; - fprintf (f, "%lu", i); - } - /* Do not output a trailing newline, as this causes \r\n confusion - on some platforms. */ - return ferror (f) || fclose (f) != 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - echo >>conftest.val; read $3 &5 +$as_echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; + esac + fi else - ac_retval=1 + { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -rm -f conftest.val +# Check that the precious variables saved in the cache have kept the same +# value. 
+ac_cache_corrupted=false +for ac_var in $ac_precious_vars; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value + case $ac_old_set,$ac_new_set in + set,) + { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + # differences in whitespace do not lead to failure. + ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:$LINENO: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:$LINENO: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. 
+ *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; + esac fi - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - as_fn_set_status $ac_retval +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 +$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} + { (exit 1); exit 1; }; } +fi -} # ac_fn_c_compute_int -# ac_fn_c_check_type LINENO TYPE VAR INCLUDES -# ------------------------------------------- -# Tests whether TYPE exists after having included INCLUDES, setting cache -# variable VAR accordingly. -ac_fn_c_check_type () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval "test \"\${$3+set}\"" = set; then : - $as_echo_n "(cached) " >&6 -else - eval "$3=no" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -if (sizeof ($2)) - return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$4 -int -main () -{ -if (sizeof (($2))) - return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : -else - eval "$3=yes" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} -} # ac_fn_c_check_type -cat >config.log <<_ACEOF -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. -It was created by $as_me, which was -generated by GNU Autoconf 2.67. Invocation command line was - $ $0 $@ -_ACEOF -exec 5>>config.log -{ -cat <<_ASUNAME -## --------- ## -## Platform. ## -## --------- ## -hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` -uname -m = `(uname -m) 2>/dev/null || echo unknown` -uname -r = `(uname -r) 2>/dev/null || echo unknown` -uname -s = `(uname -s) 2>/dev/null || echo unknown` -uname -v = `(uname -v) 2>/dev/null || echo unknown` -/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` -/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` -/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` -/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` -/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` -/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` -/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` -/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` -/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` -_ASUNAME -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - $as_echo "PATH: $as_dir" - done -IFS=$as_save_IFS -} >&5 -cat >&5 <<_ACEOF -## ----------- ## -## Core tests. 
## -## ----------- ## - -_ACEOF - - -# Keep a trace of the command line. -# Strip out --no-create and --no-recursion so they do not pile up. -# Strip out --silent because we don't want to record it for future runs. -# Also quote any args containing shell meta-characters. -# Make two passes to allow for proper duplicate-argument suppression. -ac_configure_args= -ac_configure_args0= -ac_configure_args1= -ac_must_keep_next=false -for ac_pass in 1 2 -do - for ac_arg - do - case $ac_arg in - -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - continue ;; - *\'*) - ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - case $ac_pass in - 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; - 2) - as_fn_append ac_configure_args1 " '$ac_arg'" - if test $ac_must_keep_next = true; then - ac_must_keep_next=false # Got value, back to normal. - else - case $ac_arg in - *=* | --config-cache | -C | -disable-* | --disable-* \ - | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ - | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ - | -with-* | --with-* | -without-* | --without-* | --x) - case "$ac_configure_args0 " in - "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; - esac - ;; - -* ) ac_must_keep_next=true ;; - esac - fi - as_fn_append ac_configure_args " '$ac_arg'" - ;; - esac - done -done -{ ac_configure_args0=; unset ac_configure_args0;} -{ ac_configure_args1=; unset ac_configure_args1;} - -# When interrupted or exit'd, cleanup temporary files, and complete -# config.log. We remove comments because anyway the quotes in there -# would cause problems or look ugly. -# WARNING: Use '\'' to represent an apostrophe within the trap. -# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. -trap 'exit_status=$? - # Save into config.log some information that might help in debugging. 
- { - echo - - $as_echo "## ---------------- ## -## Cache variables. ## -## ---------------- ##" - echo - # The following way of writing the cache mishandles newlines in values, -( - for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do - eval ac_val=\$$ac_var - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( - *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( - BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done - (set) 2>&1 | - case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( - *${as_nl}ac_space=\ *) - sed -n \ - "s/'\''/'\''\\\\'\'''\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" - ;; #( - *) - sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" - ;; - esac | - sort -) - echo - - $as_echo "## ----------------- ## -## Output variables. ## -## ----------------- ##" - echo - for ac_var in $ac_subst_vars - do - eval ac_val=\$$ac_var - case $ac_val in - *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac - $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - - if test -n "$ac_subst_files"; then - $as_echo "## ------------------- ## -## File substitutions. ## -## ------------------- ##" - echo - for ac_var in $ac_subst_files - do - eval ac_val=\$$ac_var - case $ac_val in - *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac - $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - fi - - if test -s confdefs.h; then - $as_echo "## ----------- ## -## confdefs.h. 
## -## ----------- ##" - echo - cat confdefs.h - echo - fi - test "$ac_signal" != 0 && - $as_echo "$as_me: caught signal $ac_signal" - $as_echo "$as_me: exit $exit_status" - } >&5 - rm -f core *.core core.conftest.* && - rm -f -r conftest* confdefs* conf$$* $ac_clean_files && - exit $exit_status -' 0 -for ac_signal in 1 2 13 15; do - trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal -done -ac_signal=0 - -# confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -f -r conftest* confdefs.h - -$as_echo "/* confdefs.h */" > confdefs.h - -# Predefined preprocessor variables. - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_NAME "$PACKAGE_NAME" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_TARNAME "$PACKAGE_TARNAME" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_VERSION "$PACKAGE_VERSION" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_STRING "$PACKAGE_STRING" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_URL "$PACKAGE_URL" -_ACEOF - - -# Let the site file select an alternate cache file if it wants to. -# Prefer an explicitly selected file to automatically selected ones. -ac_site_file1=NONE -ac_site_file2=NONE -if test -n "$CONFIG_SITE"; then - # We do not want a PATH search for config.site. 
- case $CONFIG_SITE in #(( - -*) ac_site_file1=./$CONFIG_SITE;; - */*) ac_site_file1=$CONFIG_SITE;; - *) ac_site_file1=./$CONFIG_SITE;; - esac -elif test "x$prefix" != xNONE; then - ac_site_file1=$prefix/share/config.site - ac_site_file2=$prefix/etc/config.site -else - ac_site_file1=$ac_default_prefix/share/config.site - ac_site_file2=$ac_default_prefix/etc/config.site -fi -for ac_site_file in "$ac_site_file1" "$ac_site_file2" -do - test "x$ac_site_file" = xNONE && continue - if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 -$as_echo "$as_me: loading site script $ac_site_file" >&6;} - sed 's/^/| /' "$ac_site_file" >&5 - . "$ac_site_file" \ - || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "failed to load site script $ac_site_file -See \`config.log' for more details" "$LINENO" 5 ; } - fi -done - -if test -r "$cache_file"; then - # Some versions of bash will fail to source /dev/null (special files - # actually), so we avoid doing that. DJGPP emulates it as a regular file. - if test /dev/null != "$cache_file" && test -f "$cache_file"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 -$as_echo "$as_me: loading cache $cache_file" >&6;} - case $cache_file in - [\\/]* | ?:[\\/]* ) . "$cache_file";; - *) . "./$cache_file";; - esac - fi -else - { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 -$as_echo "$as_me: creating cache $cache_file" >&6;} - >$cache_file -fi - -# Check that the precious variables saved in the cache have kept the same -# value. 
-ac_cache_corrupted=false -for ac_var in $ac_precious_vars; do - eval ac_old_set=\$ac_cv_env_${ac_var}_set - eval ac_new_set=\$ac_env_${ac_var}_set - eval ac_old_val=\$ac_cv_env_${ac_var}_value - eval ac_new_val=\$ac_env_${ac_var}_value - case $ac_old_set,$ac_new_set in - set,) - { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,set) - { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 -$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,);; - *) - if test "x$ac_old_val" != "x$ac_new_val"; then - # differences in whitespace do not lead to failure. - ac_old_val_w=`echo x $ac_old_val` - ac_new_val_w=`echo x $ac_new_val` - if test "$ac_old_val_w" != "$ac_new_val_w"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 -$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} - ac_cache_corrupted=: - else - { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 -$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} - eval $ac_var=\$ac_old_val - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 -$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 -$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} - fi;; - esac - # Pass precious variables to config.status. - if test "$ac_new_set" = set; then - case $ac_new_val in - *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. 
Use of quotes ensures accuracy. - *) as_fn_append ac_configure_args " '$ac_arg'" ;; - esac - fi -done -if $ac_cache_corrupted; then - { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 -$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} - as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 -fi -## -------------------- ## -## Main body of script. ## -## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -2691,7 +2226,9 @@ fi done if test -z "$ac_aux_dir"; then - as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5 +$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;} + { (exit 1); exit 1; }; } fi # These three variables are undocumented and unsupported, @@ -2717,10 +2254,10 @@ # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 +{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then -if test "${ac_cv_path_install+set}" = set; then : +if test "${ac_cv_path_install+set}" = set; then $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR 
@@ -2728,11 +2265,11 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - # Account for people who put trailing slashes in PATH elements. -case $as_dir/ in #(( - ./ | .// | /[cC]/* | \ + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in + ./ | .// | /cC/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ - ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ + ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. @@ -2769,7 +2306,7 @@ ;; esac - done +done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir @@ -2785,7 +2322,7 @@ INSTALL=$ac_install_sh fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 +{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. @@ -2796,7 +2333,7 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 +{ $as_echo "$as_me:$LINENO: checking whether build environment is sane" >&5 $as_echo_n "checking whether build environment is sane... " >&6; } # Just in case sleep 1 @@ -2807,11 +2344,15 @@ ' case `pwd` in *[\\\"\#\$\&\'\`$am_lf]*) - as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;; + { { $as_echo "$as_me:$LINENO: error: unsafe absolute working directory name" >&5 +$as_echo "$as_me: error: unsafe absolute working directory name" >&2;} + { (exit 1); exit 1; }; };; esac case $srcdir in *[\\\"\#\$\&\'\`$am_lf\ \ ]*) - as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;; + { { $as_echo "$as_me:$LINENO: error: unsafe srcdir value: \`$srcdir'" >&5 +$as_echo "$as_me: error: unsafe srcdir value: \`$srcdir'" >&2;} + { (exit 1); exit 1; }; };; esac # Do `set' in a subshell so we don't clobber the current shell's 
@@ -2833,8 +2374,11 @@ # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". - as_fn_error $? "ls -t appears to fail. Make sure there is not a broken -alias in your environment" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: ls -t appears to fail. Make sure there is not a broken +alias in your environment" >&5 +$as_echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken +alias in your environment" >&2;} + { (exit 1); exit 1; }; } fi test "$2" = conftest.file @@ -2843,10 +2387,13 @@ # Ok. : else - as_fn_error $? "newly created file is older than distributed files! -Check your system clock" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: newly created file is older than distributed files! +Check your system clock" >&5 +$as_echo "$as_me: error: newly created file is older than distributed files! +Check your system clock" >&2;} + { (exit 1); exit 1; }; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +{ $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" @@ -2874,7 +2421,7 @@ am_missing_run="$MISSING --run " else am_missing_run= - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`missing' script is too old or missing" >&5 + { $as_echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5 $as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} fi 
@@ -2895,9 +2442,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then : +if test "${ac_cv_prog_STRIP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then @@ -2908,24 +2455,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 + { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -2935,9 +2482,9 @@ ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then : +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then 
@@ -2948,24 +2495,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -2974,7 +2521,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -2987,10 +2534,10 @@ fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 +{ $as_echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then - if test "${ac_cv_path_mkdir+set}" = set; then : + if test "${ac_cv_path_mkdir+set}" = set; then $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR 
@@ -2998,7 +2545,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in mkdir gmkdir; do + for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( @@ -3010,12 +2557,11 @@ esac done done - done +done IFS=$as_save_IFS fi - test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else @@ -3023,10 +2569,11 @@ # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. + test -d ./--version && rmdir ./--version MKDIR_P="$ac_install_sh -d" fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 +{ $as_echo "$as_me:$LINENO: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } mkdir_p="$MKDIR_P" @@ -3039,9 +2586,9 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_AWK+set}" = set; then : +if test "${ac_cv_prog_AWK+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then 
@@ -3052,24 +2599,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AWK="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 + { $as_echo "$as_me:$LINENO: result: $AWK" >&5 $as_echo "$AWK" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -3077,11 +2624,11 @@ test -n "$AWK" && break done -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 +{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` -if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then : +if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF @@ -3089,7 +2636,7 @@ all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF -# GNU make sometimes prints "make[1]: Entering ...", which would confuse us. +# GNU make sometimes prints "make[1]: Entering...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; 
@@ -3099,11 +2646,11 @@ rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi @@ -3123,7 +2670,9 @@ am__isrc=' -I$(srcdir)' # test to see if srcdir already configured if test -f $srcdir/config.status; then - as_fn_error $? "source directory already configured; run \"make distclean\" there first" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5 +$as_echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;} + { (exit 1); exit 1; }; } fi fi @@ -3139,7 +2688,7 @@ # Define the identity of the package. PACKAGE=snort - VERSION=2.9.0.1 + VERSION=2.9.2 cat >>confdefs.h <<_ACEOF @@ -3193,16 +2742,16 @@ # Disable annoying practice of recursively re-running the autotools -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable maintainer-specific portions of Makefiles" >&5 +{ $as_echo "$as_me:$LINENO: checking whether to enable maintainer-specific portions of Makefiles" >&5 $as_echo_n "checking whether to enable maintainer-specific portions of Makefiles... " >&6; } # Check whether --enable-maintainer-mode was given. -if test "${enable_maintainer_mode+set}" = set; then : +if test "${enable_maintainer_mode+set}" = set; then enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval else USE_MAINTAINER_MODE=no fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_MAINTAINER_MODE" >&5 + { $as_echo "$as_me:$LINENO: result: $USE_MAINTAINER_MODE" >&5 $as_echo "$USE_MAINTAINER_MODE" >&6; } if test $USE_MAINTAINER_MODE = yes; then MAINTAINER_MODE_TRUE= 
@@ -3227,7 +2776,7 @@ .PHONY: am__doit END # If we don't find an include directive, just comment out the code. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 +{ $as_echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5 $as_echo_n "checking for style of include used by $am_make... " >&6; } am__include="#" am__quote= @@ -3255,12 +2804,12 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 +{ $as_echo "$as_me:$LINENO: result: $_am_result" >&5 $as_echo "$_am_result" >&6; } rm -f confinc confmf # Check whether --enable-dependency-tracking was given. -if test "${enable_dependency_tracking+set}" = set; then : +if test "${enable_dependency_tracking+set}" = set; then enableval=$enable_dependency_tracking; fi @@ -3285,9 +2834,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then 
@@ -3298,24 +2847,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -3325,9 +2874,9 @@ ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then 
@@ -3338,24 +2887,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -3364,7 +2913,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -3378,9 +2927,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then 
@@ -3391,24 +2940,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -3418,9 +2967,9 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -3432,18 +2981,18 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then 
@@ -3462,10 +3011,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -3477,9 +3026,9 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -3490,24 +3039,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -3521,9 +3070,9 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then @@ -3534,24 +3083,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -3564,7 +3113,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -3575,37 +3124,57 @@ fi -test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: no acceptable C compiler found in \$PATH +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } # Provide some information about the compiler. -$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +$as_echo "$as_me:$LINENO: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 -for ac_option in --version -v -V -qversion; do - { { ac_try="$ac_compiler $ac_option >&5" +{ (ac_try="$ac_compiler --version >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compiler $ac_option >&5") 2>conftest.err +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler --version >&5") 2>&5 ac_status=$? - if test -s conftest.err; then - sed '10a\ -... rest of stderr output deleted ... - 10q' conftest.err >conftest.er1 - cat conftest.er1 >&5 - fi - rm -f conftest.er1 conftest.err - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -done + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } +{ (ac_try="$ac_compiler -v >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler -v >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } +{ (ac_try="$ac_compiler -V >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler -V >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int @@ -3621,8 +3190,8 @@ # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 -$as_echo_n "checking whether the C compiler works... " >&6; } +{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: @@ -3638,17 +3207,17 @@ done rm -f $ac_rmfiles -if { { ac_try="$ac_link_default" +if { (ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link_default") 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then : + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, 
@@ -3665,7 +3234,7 @@ # certainly right. break;; *.* ) - if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi 
@@ -3684,41 +3253,84 @@ else ac_file='' fi -if test -z "$ac_file"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -$as_echo "$as_me: failed program was:" >&5 + +{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +if test -z "$ac_file"; then + $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "C compiler cannot create executables -See \`config.log' for more details" "$LINENO" 5 ; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } +{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: C compiler cannot create executables +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 -$as_echo_n "checking for C compiler default output file name... " >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 -$as_echo "$ac_file" >&6; } + ac_exeext=$ac_cv_exeext +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 +# If not cross compiling, check that we can run a simple program. +if test "$cross_compiling" != yes; then + if { ac_try='./$ac_file' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? 
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } + fi + fi +fi +{ $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } -if { { ac_try="$ac_link" +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_link") 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then : + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with 
@@ -3733,83 +3345,32 @@ esac done else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } fi -rm -f conftest conftest$ac_cv_exeext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 + +rm -f conftest$ac_cv_exeext +{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -FILE *f = fopen ("conftest.out", "w"); - return ferror (f) || fclose (f) != 0; - - ; - return 0; -} -_ACEOF -ac_clean_files="$ac_clean_files conftest.out" -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 -$as_echo_n "checking whether we are cross compiling... " >&6; } -if test "$cross_compiling" != yes; then - { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 - test $ac_status = 0; } - if { ac_try='./conftest$ac_cv_exeext' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details" "$LINENO" 5 ; } - fi - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 -$as_echo "$cross_compiling" >&6; } - -rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out -ac_clean_files=$ac_clean_files_save -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 +{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } -if test "${ac_cv_objext+set}" = set; then : +if test "${ac_cv_objext+set}" = set; then $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -3821,17 +3382,17 @@ } _ACEOF rm -f conftest.o conftest.obj -if { { ac_try="$ac_compile" +if { (ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 (eval "$ac_compile") 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then : + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in 
@@ -3844,23 +3405,31 @@ $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot compute suffix of object files: cannot compile -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } fi + rm -f conftest.$ac_cv_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -if test "${ac_cv_c_compiler_gnu+set}" = set; then : +if test "${ac_cv_c_compiler_gnu+set}" = set; then $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -3874,16 +3443,37 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_compiler_gnu=yes else - ac_compiler_gnu=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_compiler_gnu=no fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes @@ -3892,16 +3482,20 @@ fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } -if test "${ac_cv_prog_cc_g+set}" = set; then : +if test "${ac_cv_prog_cc_g+set}" = set; then $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -3912,11 +3506,35 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else - CFLAGS="" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + CFLAGS="" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -3927,12 +3545,36 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : else - ac_c_werror_flag=$ac_save_c_werror_flag + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -3943,17 +3585,42 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS @@ -3970,14 +3637,18 @@ CFLAGS= fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -if test "${ac_cv_prog_cc_c89+set}" = set; then : +if test "${ac_cv_prog_cc_c89+set}" = set; then $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include #include 
@@ -4034,9 +3705,32 @@ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO"; then : + rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c89=$ac_arg +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi + rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done @@ -4047,19 +3741,17 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 + { $as_echo "$as_me:$LINENO: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac -if test "x$ac_cv_prog_cc_c89" != xno; then : -fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -4069,9 +3761,9 @@ depcc="$CC" am_compiler_list= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 +{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } -if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then : +if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then @@ -4179,7 +3871,7 @@ fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 +{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type @@ -4194,18 +3886,20 @@ fi - case $ac_cv_prog_cc_stdc in #( - no) : - ac_cv_prog_cc_c99=no; ac_cv_prog_cc_c89=no ;; #( - *) : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5 + case $ac_cv_prog_cc_stdc in + no) ac_cv_prog_cc_c99=no; ac_cv_prog_cc_c89=no ;; + *) { $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C99" >&5 $as_echo_n "checking for $CC option to accept ISO C99... " >&6; } -if test "${ac_cv_prog_cc_c99+set}" = set; then : +if test "${ac_cv_prog_cc_c99+set}" = set; then $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c99=no ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include #include 
@@ -4347,9 +4041,32 @@ for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -xc99=all -qlanglvl=extc99 do CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO"; then : + rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c99=$ac_arg +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi + rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c99" != "xno" && break done 
@@ -4360,27 +4077,31 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c99" in x) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 + { $as_echo "$as_me:$LINENO: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c99" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c99" >&5 $as_echo "$ac_cv_prog_cc_c99" >&6; } ;; esac -if test "x$ac_cv_prog_cc_c99" != xno; then : +if test "x$ac_cv_prog_cc_c99" != xno; then ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 + { $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -if test "${ac_cv_prog_cc_c89+set}" = set; then : +if test "${ac_cv_prog_cc_c89+set}" = set; then $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include #include 
@@ -4437,9 +4158,32 @@ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO"; then : + rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c89=$ac_arg +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi + rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done 
@@ -4450,43 +4194,43 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 + { $as_echo "$as_me:$LINENO: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac -if test "x$ac_cv_prog_cc_c89" != xno; then : +if test "x$ac_cv_prog_cc_c89" != xno; then ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 else ac_cv_prog_cc_stdc=no fi + fi + ;; esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO Standard C" >&5 + { $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO Standard C" >&5 $as_echo_n "checking for $CC option to accept ISO Standard C... " >&6; } - if test "${ac_cv_prog_cc_stdc+set}" = set; then : + if test "${ac_cv_prog_cc_stdc+set}" = set; then $as_echo_n "(cached) " >&6 fi - case $ac_cv_prog_cc_stdc in #( - no) : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -$as_echo "unsupported" >&6; } ;; #( - '') : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -$as_echo "none needed" >&6; } ;; #( - *) : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_stdc" >&5 + case $ac_cv_prog_cc_stdc in + no) { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + '') { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + *) { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5 $as_echo "$ac_cv_prog_cc_stdc" >&6; } ;; esac + ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 
@@ -4495,9 +4239,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -4508,24 +4252,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -4535,9 +4279,9 @@ ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then 
@@ -4548,24 +4292,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -4574,7 +4318,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -4588,9 +4332,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then 
@@ -4601,24 +4345,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -4628,9 +4372,9 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -4642,18 +4386,18 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then 
@@ -4672,10 +4416,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -4687,9 +4431,9 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then : +if test "${ac_cv_prog_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -4700,24 +4444,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 + { $as_echo "$as_me:$LINENO: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -4731,9 +4475,9 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then @@ -4744,24 +4488,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -4774,7 +4518,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -4785,42 +4529,62 @@ fi -test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: no acceptable C compiler found in \$PATH +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } # Provide some information about the compiler. -$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +$as_echo "$as_me:$LINENO: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 -for ac_option in --version -v -V -qversion; do - { { ac_try="$ac_compiler $ac_option >&5" +{ (ac_try="$ac_compiler --version >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compiler $ac_option >&5") 2>conftest.err +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler --version >&5") 2>&5 ac_status=$? - if test -s conftest.err; then - sed '10a\ -... rest of stderr output deleted ... - 10q' conftest.err >conftest.er1 - cat conftest.er1 >&5 - fi - rm -f conftest.er1 conftest.err - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -done + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } +{ (ac_try="$ac_compiler -v >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler -v >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } +{ (ac_try="$ac_compiler -V >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler -V >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -if test "${ac_cv_c_compiler_gnu+set}" = set; then : +if test "${ac_cv_c_compiler_gnu+set}" = set; then $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -4834,16 +4598,37 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_compiler_gnu=yes -else - ac_compiler_gnu=no -fi +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_compiler_gnu=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_compiler_gnu=no +fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes @@ -4852,16 +4637,20 @@ fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } -if test "${ac_cv_prog_cc_g+set}" = set; then : +if test "${ac_cv_prog_cc_g+set}" = set; then $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -4872,11 +4661,35 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes else - CFLAGS="" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + CFLAGS="" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -4887,12 +4700,36 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : else - ac_c_werror_flag=$ac_save_c_werror_flag + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -4903,17 +4740,42 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_g=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS @@ -4930,14 +4792,18 @@ CFLAGS= fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -if test "${ac_cv_prog_cc_c89+set}" = set; then : +if test "${ac_cv_prog_cc_c89+set}" = set; then $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include #include 
@@ -4994,9 +4860,32 @@ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO"; then : + rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_prog_cc_c89=$ac_arg +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi + rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done @@ -5007,19 +4896,17 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 + { $as_echo "$as_me:$LINENO: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac -if test "x$ac_cv_prog_cc_c89" != xno; then : -fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -5029,9 +4916,9 @@ depcc="$CC" am_compiler_list= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 +{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } -if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then : +if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then @@ -5139,7 +5026,7 @@ fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 +{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type @@ -5156,7 +5043,7 @@ case `pwd` in *\ * | *\ *) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 + { $as_echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 $as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;; esac 
@@ -5181,27 +5068,35 @@ # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || - as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 +$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} + { (exit 1); exit 1; }; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 +{ $as_echo "$as_me:$LINENO: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } -if test "${ac_cv_build+set}" = set; then : +if test "${ac_cv_build+set}" = set; then $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && - as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 +$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;} + { (exit 1); exit 1; }; } ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || - as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} + { (exit 1); exit 1; }; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; -*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;; +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 +$as_echo "$as_me: error: invalid value of canonical build" >&2;} + { (exit 1); exit 1; }; };; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' 
@@ -5217,24 +5112,28 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 +{ $as_echo "$as_me:$LINENO: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } -if test "${ac_cv_host+set}" = set; then : +if test "${ac_cv_host+set}" = set; then $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || - as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} + { (exit 1); exit 1; }; } fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; -*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;; +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 +$as_echo "$as_me: error: invalid value of canonical host" >&2;} + { (exit 1); exit 1; }; };; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' @@ -5250,9 +5149,9 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 +{ $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } -if test "${ac_cv_path_SED+set}" = set; then : +if test "${ac_cv_path_SED+set}" = set; then $as_echo_n "(cached) " >&6 else ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ 
@@ -5260,7 +5159,7 @@ ac_script="$ac_script$as_nl$ac_script" done echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed - { ac_script=; unset ac_script;} + $as_unset ac_script || ac_script= if test -z "$SED"; then ac_path_SED_found=false # Loop through the user's path and test for each of PROGNAME-LIST @@ -5269,7 +5168,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in sed gsed; do + for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue @@ -5289,7 +5188,7 @@ $as_echo '' >> "conftest.nl" "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val + ac_count=`expr $ac_count + 1` if test $ac_count -gt ${ac_path_SED_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_SED="$ac_path_SED" @@ -5304,17 +5203,19 @@ $ac_path_SED_found && break 3 done done - done +done IFS=$as_save_IFS if test -z "$ac_cv_path_SED"; then - as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: no acceptable sed could be found in \$PATH" >&5 +$as_echo "$as_me: error: no acceptable sed could be found in \$PATH" >&2;} + { (exit 1); exit 1; }; } fi else ac_cv_path_SED=$SED fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5 $as_echo "$ac_cv_path_SED" >&6; } SED="$ac_cv_path_SED" rm -f conftest.sed 
@@ -5332,9 +5233,9 @@ -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 +{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } -if test "${ac_cv_path_GREP+set}" = set; then : +if test "${ac_cv_path_GREP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then @@ -5345,7 +5246,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in grep ggrep; do + for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue @@ -5365,7 +5266,7 @@ $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val + ac_count=`expr $ac_count + 1` if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" 
@@ -5380,24 +5281,26 @@ $ac_path_GREP_found && break 3 done done - done +done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then - as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } fi else ac_cv_path_GREP=$GREP fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 +{ $as_echo "$as_me:$LINENO: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } -if test "${ac_cv_path_EGREP+set}" = set; then : +if test "${ac_cv_path_EGREP+set}" = set; then $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 @@ -5411,7 +5314,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in egrep; do + for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue @@ -5431,7 +5334,7 @@ $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val + ac_count=`expr $ac_count + 1` if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" 
@@ -5446,10 +5349,12 @@ $ac_path_EGREP_found && break 3 done done - done +done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then - as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } fi else ac_cv_path_EGREP=$EGREP @@ -5457,14 +5362,14 @@ fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5 +{ $as_echo "$as_me:$LINENO: checking for fgrep" >&5 $as_echo_n "checking for fgrep... " >&6; } -if test "${ac_cv_path_FGREP+set}" = set; then : +if test "${ac_cv_path_FGREP+set}" = set; then $as_echo_n "(cached) " >&6 else if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1 @@ -5478,7 +5383,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in fgrep; do + for ac_prog in fgrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue @@ -5498,7 +5403,7 @@ $as_echo 'FGREP' >> "conftest.nl" "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val + ac_count=`expr $ac_count + 1` if test $ac_count -gt ${ac_path_FGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_FGREP="$ac_path_FGREP" 
@@ -5513,10 +5418,12 @@ $ac_path_FGREP_found && break 3 done done - done +done IFS=$as_save_IFS if test -z "$ac_cv_path_FGREP"; then - as_fn_error $? "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } fi else ac_cv_path_FGREP=$FGREP @@ -5524,7 +5431,7 @@ fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_FGREP" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5 $as_echo "$ac_cv_path_FGREP" >&6; } FGREP="$ac_cv_path_FGREP" @@ -5550,7 +5457,7 @@ # Check whether --with-gnu-ld was given. -if test "${with_gnu_ld+set}" = set; then : +if test "${with_gnu_ld+set}" = set; then withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes else with_gnu_ld=no @@ -5559,7 +5466,7 @@ ac_prog=ld if test "$GCC" = yes; then # Check if gcc -print-prog-name=ld gives a path. - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by $CC" >&5 + { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5 $as_echo_n "checking for ld used by $CC... " >&6; } case $host in *-*-mingw*) @@ -5589,13 +5496,13 @@ ;; esac elif test "$with_gnu_ld" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5 + { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5 $as_echo_n "checking for GNU ld... " >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5 + { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5 $as_echo_n "checking for non-GNU ld... " >&6; } fi -if test "${lt_cv_path_LD+set}" = set; then : +if test "${lt_cv_path_LD+set}" = set; then $as_echo_n "(cached) " >&6 else if test -z "$LD"; then 
@@ -5626,16 +5533,18 @@ LD="$lt_cv_path_LD" if test -n "$LD"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LD" >&5 + { $as_echo "$as_me:$LINENO: result: $LD" >&5 $as_echo "$LD" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi -test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5 +test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5 +$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;} + { (exit 1); exit 1; }; } +{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } -if test "${lt_cv_prog_gnu_ld+set}" = set; then : +if test "${lt_cv_prog_gnu_ld+set}" = set; then $as_echo_n "(cached) " >&6 else # I'd rather use --version here, but apparently some GNU lds only accept -v. @@ -5648,7 +5557,7 @@ ;; esac fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_gnu_ld" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5 $as_echo "$lt_cv_prog_gnu_ld" >&6; } with_gnu_ld=$lt_cv_prog_gnu_ld @@ -5660,9 +5569,9 @@ -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5 +{ $as_echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; } -if test "${lt_cv_path_NM+set}" = set; then : +if test "${lt_cv_path_NM+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$NM"; then @@ -5709,7 +5618,7 @@ : ${lt_cv_path_NM=no} fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_NM" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5 $as_echo "$lt_cv_path_NM" >&6; } if test "$lt_cv_path_NM" != "no"; then NM="$lt_cv_path_NM" 
@@ -5720,9 +5629,9 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_DUMPBIN+set}" = set; then : +if test "${ac_cv_prog_DUMPBIN+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$DUMPBIN"; then @@ -5733,24 +5642,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi DUMPBIN=$ac_cv_prog_DUMPBIN if test -n "$DUMPBIN"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DUMPBIN" >&5 + { $as_echo "$as_me:$LINENO: result: $DUMPBIN" >&5 $as_echo "$DUMPBIN" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -5764,9 +5673,9 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then : +if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DUMPBIN"; then 
@@ -5777,24 +5686,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN if test -n "$ac_ct_DUMPBIN"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DUMPBIN" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5 $as_echo "$ac_ct_DUMPBIN" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -5807,7 +5716,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -5827,44 +5736,44 @@ -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5 +{ $as_echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5 $as_echo_n "checking the name lister ($NM) interface... " >&6; } -if test "${lt_cv_nm_interface+set}" = set; then : +if test "${lt_cv_nm_interface+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:5837: $ac_compile\"" >&5) + (eval echo "\"\$as_me:5746: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:5840: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:5749: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:5843: output\"" >&5) + (eval echo "\"\$as_me:5752: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" fi rm -f conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_nm_interface" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5 $as_echo "$lt_cv_nm_interface" >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 +{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5 $as_echo_n "checking whether ln -s works... 
" >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 + { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5 $as_echo "no, using $LN_S" >&6; } fi # find the maximum length of command line arguments -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5 +{ $as_echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5 $as_echo_n "checking the maximum length of command line arguments... " >&6; } -if test "${lt_cv_sys_max_cmd_len+set}" = set; then : +if test "${lt_cv_sys_max_cmd_len+set}" = set; then $as_echo_n "(cached) " >&6 else i=0 @@ -5982,10 +5891,10 @@ fi if test -n $lt_cv_sys_max_cmd_len ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sys_max_cmd_len" >&5 + { $as_echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5 $as_echo "$lt_cv_sys_max_cmd_len" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5 + { $as_echo "$as_me:$LINENO: result: none" >&5 $as_echo "none" >&6; } fi max_cmd_len=$lt_cv_sys_max_cmd_len @@ -5999,7 +5908,7 @@ : ${MV="mv -f"} : ${RM="rm -f"} -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands some XSI constructs" >&5 +{ $as_echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5 $as_echo_n "checking whether the shell understands some XSI constructs... " >&6; } # Try some XSI features xsi_shell=no 
@@ -6009,17 +5918,17 @@ && eval 'test $(( 1 + 1 )) -eq 2 \ && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ && xsi_shell=yes -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $xsi_shell" >&5 +{ $as_echo "$as_me:$LINENO: result: $xsi_shell" >&5 $as_echo "$xsi_shell" >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands \"+=\"" >&5 +{ $as_echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5 $as_echo_n "checking whether the shell understands \"+=\"... " >&6; } lt_shell_append=no ( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \ >/dev/null 2>&1 \ && lt_shell_append=yes -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_shell_append" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_shell_append" >&5 $as_echo "$lt_shell_append" >&6; } @@ -6054,14 +5963,14 @@ -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5 +{ $as_echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5 $as_echo_n "checking for $LD option to reload object files... " >&6; } -if test "${lt_cv_ld_reload_flag+set}" = set; then : +if test "${lt_cv_ld_reload_flag+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_ld_reload_flag='-r' fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_reload_flag" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5 $as_echo "$lt_cv_ld_reload_flag" >&6; } reload_flag=$lt_cv_ld_reload_flag case $reload_flag in 
@@ -6090,9 +5999,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OBJDUMP+set}" = set; then : +if test "${ac_cv_prog_OBJDUMP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$OBJDUMP"; then @@ -6103,24 +6012,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 + { $as_echo "$as_me:$LINENO: result: $OBJDUMP" >&5 $as_echo "$OBJDUMP" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6130,9 +6039,9 @@ ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then : +if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OBJDUMP"; then 
@@ -6143,24 +6052,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OBJDUMP="objdump" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_OBJDUMP" >&5 $as_echo "$ac_ct_OBJDUMP" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6169,7 +6078,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6189,9 +6098,9 @@ -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5 +{ $as_echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5 $as_echo_n "checking how to recognize dependent libraries... " >&6; } -if test "${lt_cv_deplibs_check_method+set}" = set; then : +if test "${lt_cv_deplibs_check_method+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_file_magic_cmd='$MAGIC_CMD' 
@@ -6385,7 +6294,7 @@ esac fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5 $as_echo "$lt_cv_deplibs_check_method" >&6; } file_magic_cmd=$lt_cv_file_magic_cmd deplibs_check_method=$lt_cv_deplibs_check_method @@ -6405,9 +6314,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. set dummy ${ac_tool_prefix}ar; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_AR+set}" = set; then : +if test "${ac_cv_prog_AR+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$AR"; then @@ -6418,24 +6327,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AR="${ac_tool_prefix}ar" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi AR=$ac_cv_prog_AR if test -n "$AR"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 + { $as_echo "$as_me:$LINENO: result: $AR" >&5 $as_echo "$AR" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -6445,9 +6354,9 @@ ac_ct_AR=$AR # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_AR+set}" = set; then : +if test "${ac_cv_prog_ac_ct_AR+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_AR"; then @@ -6458,24 +6367,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_AR="ar" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_AR" >&5 $as_echo "$ac_ct_AR" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6484,7 +6393,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -6510,9 +6419,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then : +if test "${ac_cv_prog_STRIP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then @@ -6523,24 +6432,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 + { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6550,9 +6459,9 @@ ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then : +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then 
@@ -6563,24 +6472,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6589,7 +6498,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6609,9 +6518,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_RANLIB+set}" = set; then : +if test "${ac_cv_prog_RANLIB+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then 
@@ -6622,24 +6531,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 + { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5 $as_echo "$RANLIB" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6649,9 +6558,9 @@ ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then : +if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then 
@@ -6662,24 +6571,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_RANLIB="ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 $as_echo "$ac_ct_RANLIB" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -6688,7 +6597,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6766,9 +6675,9 @@ # Check for command to grab the raw symbol name followed by C symbol from nm. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5 +{ $as_echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; } -if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then : +if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then $as_echo_n "(cached) " >&6 else 
@@ -6884,18 +6793,18 @@ int main(){nm_test_var='a';nm_test_func();return(0);} _LT_EOF - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then # Now try to grab the symbols. nlist=conftest.nm - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5 (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && test -s "$nlist"; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" @@ -6948,11 +6857,11 @@ lt_save_CFLAGS="$CFLAGS" LIBS="conftstm.$ac_objext" CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag" - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && test -s conftest${ac_exeext}; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && test -s conftest${ac_exeext}; then pipe_works=yes fi LIBS="$lt_save_LIBS" 
@@ -6986,10 +6895,10 @@ lt_cv_sys_global_symbol_to_cdecl= fi if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 + { $as_echo "$as_me:$LINENO: result: failed" >&5 $as_echo "failed" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 + { $as_echo "$as_me:$LINENO: result: ok" >&5 $as_echo "ok" >&6; } fi @@ -7016,7 +6925,7 @@ # Check whether --enable-libtool-lock was given. -if test "${enable_libtool_lock+set}" = set; then : +if test "${enable_libtool_lock+set}" = set; then enableval=$enable_libtool_lock; fi @@ -7028,11 +6937,11 @@ ia64-*-hpux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then case `/usr/bin/file conftest.$ac_objext` in *ELF-32*) HPUX_IA64_MODE="32" @@ -7046,12 +6955,12 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7049 "configure"' > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + echo '#line 6958 "configure"' > conftest.$ac_ext + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then if test "$lt_cv_prog_gnu_ld" = yes; then case `/usr/bin/file conftest.$ac_objext` in *32-bit*) 
@@ -7085,11 +6994,11 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then case `/usr/bin/file conftest.o` in *32-bit*) case $host in @@ -7138,9 +7047,9 @@ # On SCO OpenServer 5, we need -belf to get full-featured binaries. SAVE_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -belf" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5 + { $as_echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5 $as_echo_n "checking whether the C compiler needs -belf... " >&6; } -if test "${lt_cv_cc_needs_belf+set}" = set; then : +if test "${lt_cv_cc_needs_belf+set}" = set; then $as_echo_n "(cached) " >&6 else ac_ext=c @@ -7149,7 +7058,11 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -7160,13 +7073,38 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then lt_cv_cc_needs_belf=yes else - lt_cv_cc_needs_belf=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + lt_cv_cc_needs_belf=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' @@ -7174,7 +7112,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_cc_needs_belf" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5 $as_echo "$lt_cv_cc_needs_belf" >&6; } if test x"$lt_cv_cc_needs_belf" != x"yes"; then # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf 
@@ -7184,11 +7122,11 @@ sparc*-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in @@ -7214,9 +7152,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args. set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_DSYMUTIL+set}" = set; then : +if test "${ac_cv_prog_DSYMUTIL+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$DSYMUTIL"; then @@ -7227,24 +7165,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi DSYMUTIL=$ac_cv_prog_DSYMUTIL if test -n "$DSYMUTIL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DSYMUTIL" >&5 + { $as_echo "$as_me:$LINENO: result: $DSYMUTIL" >&5 $as_echo "$DSYMUTIL" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -7254,9 +7192,9 @@ ac_ct_DSYMUTIL=$DSYMUTIL # Extract the first word of "dsymutil", so it can be a program name with args. set dummy dsymutil; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then : +if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DSYMUTIL"; then @@ -7267,24 +7205,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL if test -n "$ac_ct_DSYMUTIL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DSYMUTIL" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5 $as_echo "$ac_ct_DSYMUTIL" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7293,7 +7231,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -7306,9 +7244,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args. set dummy ${ac_tool_prefix}nmedit; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_NMEDIT+set}" = set; then : +if test "${ac_cv_prog_NMEDIT+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$NMEDIT"; then @@ -7319,24 +7257,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi NMEDIT=$ac_cv_prog_NMEDIT if test -n "$NMEDIT"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NMEDIT" >&5 + { $as_echo "$as_me:$LINENO: result: $NMEDIT" >&5 $as_echo "$NMEDIT" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7346,9 +7284,9 @@ ac_ct_NMEDIT=$NMEDIT # Extract the first word of "nmedit", so it can be a program name with args. set dummy nmedit; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then : +if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_NMEDIT"; then 
@@ -7359,24 +7297,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_NMEDIT="nmedit" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT if test -n "$ac_ct_NMEDIT"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NMEDIT" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5 $as_echo "$ac_ct_NMEDIT" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7385,7 +7323,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -7398,9 +7336,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args. set dummy ${ac_tool_prefix}lipo; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_LIPO+set}" = set; then : +if test "${ac_cv_prog_LIPO+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$LIPO"; then 
@@ -7411,24 +7349,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_LIPO="${ac_tool_prefix}lipo" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi LIPO=$ac_cv_prog_LIPO if test -n "$LIPO"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIPO" >&5 + { $as_echo "$as_me:$LINENO: result: $LIPO" >&5 $as_echo "$LIPO" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7438,9 +7376,9 @@ ac_ct_LIPO=$LIPO # Extract the first word of "lipo", so it can be a program name with args. set dummy lipo; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then : +if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_LIPO"; then 
@@ -7451,24 +7389,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_LIPO="lipo" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO if test -n "$ac_ct_LIPO"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_LIPO" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5 $as_echo "$ac_ct_LIPO" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7477,7 +7415,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -7490,9 +7428,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args. set dummy ${ac_tool_prefix}otool; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OTOOL+set}" = set; then : +if test "${ac_cv_prog_OTOOL+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$OTOOL"; then 
@@ -7503,24 +7441,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL="${ac_tool_prefix}otool" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi OTOOL=$ac_cv_prog_OTOOL if test -n "$OTOOL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5 + { $as_echo "$as_me:$LINENO: result: $OTOOL" >&5 $as_echo "$OTOOL" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7530,9 +7468,9 @@ ac_ct_OTOOL=$OTOOL # Extract the first word of "otool", so it can be a program name with args. set dummy otool; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then : +if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL"; then 
@@ -7543,24 +7481,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL="otool" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL if test -n "$ac_ct_OTOOL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5 $as_echo "$ac_ct_OTOOL" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7569,7 +7507,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -7582,9 +7520,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args. set dummy ${ac_tool_prefix}otool64; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OTOOL64+set}" = set; then : +if test "${ac_cv_prog_OTOOL64+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$OTOOL64"; then 
@@ -7595,24 +7533,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi OTOOL64=$ac_cv_prog_OTOOL64 if test -n "$OTOOL64"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL64" >&5 + { $as_echo "$as_me:$LINENO: result: $OTOOL64" >&5 $as_echo "$OTOOL64" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7622,9 +7560,9 @@ ac_ct_OTOOL64=$OTOOL64 # Extract the first word of "otool64", so it can be a program name with args. set dummy otool64; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then : +if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL64"; then 
@@ -7635,24 +7573,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL64="otool64" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS fi fi ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64 if test -n "$ac_ct_OTOOL64"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL64" >&5 + { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5 $as_echo "$ac_ct_OTOOL64" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -7661,7 +7599,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -7697,9 +7635,9 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5 + { $as_echo "$as_me:$LINENO: checking for -single_module linker flag" >&5 $as_echo_n "checking for -single_module linker flag... " >&6; } -if test "${lt_cv_apple_cc_single_mod+set}" = set; then : +if test "${lt_cv_apple_cc_single_mod+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_apple_cc_single_mod=no 
@@ -7724,18 +7662,22 @@ rm -f conftest.* fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5 $as_echo "$lt_cv_apple_cc_single_mod" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 + { $as_echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } -if test "${lt_cv_ld_exported_symbols_list+set}" = set; then : +if test "${lt_cv_ld_exported_symbols_list+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_ld_exported_symbols_list=no save_LDFLAGS=$LDFLAGS echo "_main" > conftest.sym LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -7746,17 +7688,42 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then lt_cv_ld_exported_symbols_list=yes else - lt_cv_ld_exported_symbols_list=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + lt_cv_ld_exported_symbols_list=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LDFLAGS="$save_LDFLAGS" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; } case $host_os in rhapsody* | darwin1.[012]) 
@@ -7798,14 +7765,14 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then - if test "${ac_cv_prog_CPP+set}" = set; then : + if test "${ac_cv_prog_CPP+set}" = set; then $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded @@ -7820,7 +7787,11 @@ # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #ifdef __STDC__ # include 
@@ -7829,34 +7800,78 @@ #endif Syntax error _ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + : else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + # Broken: fails on valid input. continue fi -rm -f conftest.err conftest.i conftest.$ac_ext + +rm -f conftest.err conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include _ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then # Broken: success on invalid input. continue else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + # Passes both tests. 
ac_preproc_ok=: break fi -rm -f conftest.err conftest.i conftest.$ac_ext + +rm -f conftest.err conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.i conftest.err conftest.$ac_ext -if $ac_preproc_ok; then : +rm -f conftest.err conftest.$ac_ext +if $ac_preproc_ok; then break fi @@ -7868,7 +7883,7 @@ else ac_cv_prog_CPP=$CPP fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +{ $as_echo "$as_me:$LINENO: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes @@ -7879,7 +7894,11 @@ # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #ifdef __STDC__ # include 
@@ -7888,40 +7907,87 @@ #endif Syntax error _ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + : else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + # Broken: fails on valid input. continue fi -rm -f conftest.err conftest.i conftest.$ac_ext + +rm -f conftest.err conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include _ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then # Broken: success on invalid input. continue else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + # Passes both tests. 
ac_preproc_ok=: break fi -rm -f conftest.err conftest.i conftest.$ac_ext + +rm -f conftest.err conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.i conftest.err conftest.$ac_ext -if $ac_preproc_ok; then : - +rm -f conftest.err conftest.$ac_ext +if $ac_preproc_ok; then + : else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } fi ac_ext=c @@ -7931,12 +7997,16 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 +{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } -if test "${ac_cv_header_stdc+set}" = set; then : +if test "${ac_cv_header_stdc+set}" = set; then $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include #include 
@@ -7951,23 +8021,48 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then ac_cv_header_stdc=yes else - ac_cv_header_stdc=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_header_stdc=no fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "memchr" >/dev/null 2>&1; then : - + $EGREP "memchr" >/dev/null 2>&1; then + : else ac_cv_header_stdc=no fi @@ -7977,14 +8072,18 @@ if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "free" >/dev/null 2>&1; then : - + $EGREP "free" >/dev/null 2>&1; then + : else ac_cv_header_stdc=no fi 
@@ -7994,10 +8093,14 @@ if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. - if test "$cross_compiling" = yes; then : + if test "$cross_compiling" = yes; then : else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include #include 
@@ -8024,33 +8127,118 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + : else - ac_cv_header_stdc=no + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +ac_cv_header_stdc=no fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then -$as_echo "#define STDC_HEADERS 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define STDC_HEADERS 1 +_ACEOF fi # On IRIX 5.3, sys/types and inttypes.h are conflicting. 
+ + + + + + + + + for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default -" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default + +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_Header=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF 
@@ -8060,13 +8248,62 @@ done + for ac_header in dlfcn.h -do : - ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default -" -if test "x$ac_cv_header_dlfcn_h" = x""yes; then : +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default + +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_Header=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_DLFCN_H 1 +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi 
@@ -8086,7 +8323,7 @@ # Check whether --enable-shared was given. -if test "${enable_shared+set}" = set; then : +if test "${enable_shared+set}" = set; then enableval=$enable_shared; p=${PACKAGE-default} case $enableval in yes) enable_shared=yes ;; @@ -8117,7 +8354,7 @@ # Check whether --enable-static was given. -if test "${enable_static+set}" = set; then : +if test "${enable_static+set}" = set; then enableval=$enable_static; p=${PACKAGE-default} case $enableval in yes) enable_static=yes ;; @@ -8149,7 +8386,7 @@ # Check whether --with-pic was given. -if test "${with_pic+set}" = set; then : +if test "${with_pic+set}" = set; then withval=$with_pic; pic_mode="$withval" else pic_mode=default @@ -8165,7 +8402,7 @@ # Check whether --enable-fast-install was given. -if test "${enable_fast_install+set}" = set; then : +if test "${enable_fast_install+set}" = set; then enableval=$enable_fast_install; p=${PACKAGE-default} case $enableval in yes) enable_fast_install=yes ;; @@ -8246,9 +8483,9 @@ setopt NO_GLOB_SUBST fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5 +{ $as_echo "$as_me:$LINENO: checking for objdir" >&5 $as_echo_n "checking for objdir... " >&6; } -if test "${lt_cv_objdir+set}" = set; then : +if test "${lt_cv_objdir+set}" = set; then $as_echo_n "(cached) " >&6 else rm -f .libs 2>/dev/null @@ -8261,7 +8498,7 @@ fi rmdir .libs 2>/dev/null fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5 $as_echo "$lt_cv_objdir" >&6; } objdir=$lt_cv_objdir 
@@ -8354,9 +8591,9 @@ case $deplibs_check_method in file_magic*) if test "$file_magic_cmd" = '$MAGIC_CMD'; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5 + { $as_echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then : +if test "${lt_cv_path_MAGIC_CMD+set}" = set; then $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in @@ -8407,10 +8644,10 @@ MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 + { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 $as_echo "$MAGIC_CMD" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi @@ -8420,9 +8657,9 @@ if test -z "$lt_cv_path_MAGIC_CMD"; then if test -n "$ac_tool_prefix"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5 + { $as_echo "$as_me:$LINENO: checking for file" >&5 $as_echo_n "checking for file... " >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then : +if test "${lt_cv_path_MAGIC_CMD+set}" = set; then $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in @@ -8473,10 +8710,10 @@ MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 + { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 $as_echo "$MAGIC_CMD" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -8553,9 +8790,9 @@ if test "$GCC" = yes; then lt_prog_compiler_no_builtin_flag=' -fno-builtin' - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 + { $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } -if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then : +if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_rtti_exceptions=no @@ -8571,11 +8808,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8574: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8811: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8578: \$? = $ac_status" >&5 + echo "$as_me:8815: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8588,7 +8825,7 @@ $RM conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 $as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; } if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then @@ -8608,7 +8845,7 @@ lt_prog_compiler_pic= lt_prog_compiler_static= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5 +{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 $as_echo_n "checking for $compiler option to produce PIC... " >&6; } if test "$GCC" = yes; then 
@@ -8880,7 +9117,7 @@ lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" ;; esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5 $as_echo "$lt_prog_compiler_pic" >&6; } @@ -8892,9 +9129,9 @@ # Check to make sure the PIC flag actually works. # if test -n "$lt_prog_compiler_pic"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 + { $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; } -if test "${lt_cv_prog_compiler_pic_works+set}" = set; then : +if test "${lt_cv_prog_compiler_pic_works+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_pic_works=no @@ -8910,11 +9147,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8913: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9150: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8917: \$? = $ac_status" >&5 + echo "$as_me:9154: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8927,7 +9164,7 @@ $RM conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic_works" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5 $as_echo "$lt_cv_prog_compiler_pic_works" >&6; } if test x"$lt_cv_prog_compiler_pic_works" = xyes; then 
@@ -8951,9 +9188,9 @@ # Check to make sure the static flag actually works. # wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5 +{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; } -if test "${lt_cv_prog_compiler_static_works+set}" = set; then : +if test "${lt_cv_prog_compiler_static_works+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_static_works=no @@ -8979,7 +9216,7 @@ LDFLAGS="$save_LDFLAGS" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_static_works" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5 $as_echo "$lt_cv_prog_compiler_static_works" >&6; } if test x"$lt_cv_prog_compiler_static_works" = xyes; then @@ -8994,9 +9231,9 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 + { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then : +if test "${lt_cv_prog_compiler_c_o+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no @@ -9015,11 +9252,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9018: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9255: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9022: \$? = $ac_status" >&5 + echo "$as_me:9259: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -9041,7 +9278,7 @@ $RM conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 $as_echo "$lt_cv_prog_compiler_c_o" >&6; } @@ -9049,9 +9286,9 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 + { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then : +if test "${lt_cv_prog_compiler_c_o+set}" = set; then $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no @@ -9070,11 +9307,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9073: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9310: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9077: \$? = $ac_status" >&5 + echo "$as_me:9314: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9096,7 +9333,7 @@ $RM conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 +{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 $as_echo "$lt_cv_prog_compiler_c_o" >&6; } @@ -9105,7 +9342,7 @@ hard_links="nottested" if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then # do not overwrite the value of need_locks provided by the user - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we can lock with hard links" >&5 + { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 $as_echo_n "checking if we can lock with hard links... " >&6; } hard_links=yes $RM conftest* 
@@ -9113,10 +9350,10 @@ touch conftest.a ln conftest.a conftest.b 2>&5 || hard_links=no ln conftest.a conftest.b 2>/dev/null && hard_links=no - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hard_links" >&5 + { $as_echo "$as_me:$LINENO: result: $hard_links" >&5 $as_echo "$hard_links" >&6; } if test "$hard_links" = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 + { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 $as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} need_locks=warn fi @@ -9129,7 +9366,7 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $compiler linker ($LD) supports shared libraries" >&5 + { $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 $as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; } runpath_var= @@ -9571,7 +9808,11 @@ allow_undefined_flag='-berok' # Determine the default libpath from the value encoded in an # empty executable. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -9582,7 +9823,27 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then lt_aix_libpath_sed=' /Import File Strings/,/^$/ { @@ -9596,9 +9857,16 @@ if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" @@ -9611,7 +9879,11 @@ else # Determine the default libpath from the value encoded in an # empty executable. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -9622,7 +9894,27 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then lt_aix_libpath_sed=' /Import File Strings/,/^$/ { @@ -9636,9 +9928,16 @@ if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" 
@@ -9850,16 +10149,42 @@ # implicitly export all symbols. save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ + cat >conftest.$ac_ext <<_ACEOF int foo(void) {} _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LDFLAGS="$save_LDFLAGS" else archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' 
@@ -10115,7 +10440,7 @@ fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ld_shlibs" >&5 +{ $as_echo "$as_me:$LINENO: result: $ld_shlibs" >&5 $as_echo "$ld_shlibs" >&6; } test "$ld_shlibs" = no && can_build_shared=no @@ -10152,16 +10477,16 @@ # Test whether the compiler implicitly links with -lc since on some # systems, -lgcc has to come before -lc. If gcc already passes -lc # to ld, don't add -lc before -lgcc. - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5 + { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; } $RM conftest* echo "$lt_simple_compile_test_code" > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } 2>conftest.err; then + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } 2>conftest.err; then soname=conftest lib=conftest libobjs=conftest.$ac_objext @@ -10175,11 +10500,11 @@ libname=conftest lt_save_allow_undefined_flag=$allow_undefined_flag allow_undefined_flag= - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5 + if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\"") >&5 (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } then archive_cmds_need_lc=no else 
@@ -10190,7 +10515,7 @@ cat conftest.err 1>&5 fi $RM conftest* - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5 + { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5 $as_echo "$archive_cmds_need_lc" >&6; } ;; esac @@ -10354,7 +10679,7 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5 + { $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 $as_echo_n "checking dynamic linker characteristics... " >&6; } if test "$GCC" = yes; then @@ -10776,7 +11101,11 @@ save_libdir=$libdir eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -10787,13 +11116,41 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then shlibpath_overrides_runpath=yes fi + +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LDFLAGS=$save_LDFLAGS libdir=$save_libdir @@ -11008,7 +11365,7 @@ dynamic_linker=no ;; esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $dynamic_linker" >&5 +{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5 $as_echo "$dynamic_linker" >&6; } test "$dynamic_linker" = no && can_build_shared=no 
@@ -11110,1998 +11467,7564 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5 -$as_echo_n "checking how to hardcode library paths into programs... " >&6; } -hardcode_action= -if test -n "$hardcode_libdir_flag_spec" || - test -n "$runpath_var" || - test "X$hardcode_automatic" = "Xyes" ; then + { $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 +$as_echo_n "checking how to hardcode library paths into programs... " >&6; } +hardcode_action= +if test -n "$hardcode_libdir_flag_spec" || + test -n "$runpath_var" || + test "X$hardcode_automatic" = "Xyes" ; then + + # We can hardcode non-existent directories. + if test "$hardcode_direct" != no && + # If the only mechanism to avoid hardcoding is shlibpath_var, we + # have to relink, otherwise we might link with an installed library + # when we should be linking with a yet-to-be-installed one + ## test "$_LT_TAGVAR(hardcode_shlibpath_var, )" != no && + test "$hardcode_minus_L" != no; then + # Linking always hardcodes the temporary library directory. + hardcode_action=relink + else + # We can link without hardcoding, and we can hardcode nonexisting dirs. + hardcode_action=immediate + fi +else + # We cannot hardcode anything, or else we can only hardcode existing + # directories. 
+ hardcode_action=unsupported +fi +{ $as_echo "$as_me:$LINENO: result: $hardcode_action" >&5 +$as_echo "$hardcode_action" >&6; } + +if test "$hardcode_action" = relink || + test "$inherit_rpath" = yes; then + # Fast installation is not supported + enable_fast_install=no +elif test "$shlibpath_overrides_runpath" = yes || + test "$enable_shared" = no; then + # Fast installation is not necessary + enable_fast_install=needless +fi + + + + + + + if test "x$enable_dlopen" != xyes; then + enable_dlopen=unknown + enable_dlopen_self=unknown + enable_dlopen_self_static=unknown +else + lt_cv_dlopen=no + lt_cv_dlopen_libs= + + case $host_os in + beos*) + lt_cv_dlopen="load_add_on" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ;; + + mingw* | pw32* | cegcc*) + lt_cv_dlopen="LoadLibrary" + lt_cv_dlopen_libs= + ;; + + cygwin*) + lt_cv_dlopen="dlopen" + lt_cv_dlopen_libs= + ;; + + darwin*) + # if libdl is installed we need to link against it + { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if test "${ac_cv_lib_dl_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dl_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dl_dlopen=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" +else + + lt_cv_dlopen="dyld" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + +fi + + ;; + + *) + { $as_echo "$as_me:$LINENO: checking for shl_load" >&5 +$as_echo_n "checking for shl_load... " >&6; } +if test "${ac_cv_func_shl_load+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define shl_load to an innocuous variant, in case declares shl_load. + For example, HP-UX 11i declares gettimeofday. */ +#define shl_load innocuous_shl_load + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char shl_load (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef shl_load + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_shl_load || defined __stub___shl_load +choke me +#endif + +int +main () +{ +return shl_load (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_shl_load=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_func_shl_load=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5 +$as_echo "$ac_cv_func_shl_load" >&6; } +if test "x$ac_cv_func_shl_load" = x""yes; then + lt_cv_dlopen="shl_load" +else + { $as_echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5 +$as_echo_n "checking for shl_load in -ldld... " >&6; } +if test "${ac_cv_lib_dld_shl_load+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. 
+ Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (); +int +main () +{ +return shl_load (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dld_shl_load=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dld_shl_load=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5 +$as_echo "$ac_cv_lib_dld_shl_load" >&6; } +if test "x$ac_cv_lib_dld_shl_load" = x""yes; then + lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" +else + { $as_echo "$as_me:$LINENO: checking for dlopen" >&5 +$as_echo_n "checking for dlopen... " >&6; } +if test "${ac_cv_func_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define dlopen to an innocuous variant, in case declares dlopen. + For example, HP-UX 11i declares gettimeofday. 
*/ +#define dlopen innocuous_dlopen + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char dlopen (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef dlopen + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_dlopen || defined __stub___dlopen +choke me +#endif + +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_func_dlopen=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5 +$as_echo "$ac_cv_func_dlopen" >&6; } +if test "x$ac_cv_func_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" +else + { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if test "${ac_cv_lib_dl_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dl_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dl_dlopen=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" +else + { $as_echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5 +$as_echo_n "checking for dlopen in -lsvld... " >&6; } +if test "${ac_cv_lib_svld_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsvld $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_svld_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_svld_dlopen=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5 +$as_echo "$ac_cv_lib_svld_dlopen" >&6; } +if test "x$ac_cv_lib_svld_dlopen" = x""yes; then + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" +else + { $as_echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5 +$as_echo_n "checking for dld_link in -ldld... " >&6; } +if test "${ac_cv_lib_dld_dld_link+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dld_link (); +int +main () +{ +return dld_link (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dld_dld_link=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dld_dld_link=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5 +$as_echo "$ac_cv_lib_dld_dld_link" >&6; } +if test "x$ac_cv_lib_dld_dld_link" = x""yes; then + lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" +fi + + +fi + + +fi + + +fi + + +fi + + +fi + + ;; + esac + + if test "x$lt_cv_dlopen" != xno; then + enable_dlopen=yes + else + enable_dlopen=no + fi + + case $lt_cv_dlopen in + dlopen) + save_CPPFLAGS="$CPPFLAGS" + test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" + + save_LDFLAGS="$LDFLAGS" + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" + + save_LIBS="$LIBS" + LIBS="$lt_cv_dlopen_libs $LIBS" + + { $as_echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5 +$as_echo_n "checking whether a program can dlopen itself... " >&6; } +if test "${lt_cv_dlopen_self+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then : + lt_cv_dlopen_self=cross +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +#line 12113 "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif + +#include + +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif + +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. 
*/ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif + +void fnord() { int i=42;} +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + /* dlclose (self); */ + } + else + puts (dlerror ()); + + return status; +} +_LT_EOF + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then + (./conftest; exit; ) >&5 2>/dev/null + lt_status=$? + case x$lt_status in + x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; + x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; + x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;; + esac + else : + # compilation failed + lt_cv_dlopen_self=no + fi +fi +rm -fr conftest* + + +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5 +$as_echo "$lt_cv_dlopen_self" >&6; } + + if test "x$lt_cv_dlopen_self" = xyes; then + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" + { $as_echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5 +$as_echo_n "checking whether a statically linked program can dlopen itself... 
" >&6; } +if test "${lt_cv_dlopen_self_static+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then : + lt_cv_dlopen_self_static=cross +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +#line 12209 "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif + +#include + +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif + +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. */ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif + +void fnord() { int i=42;} +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + /* dlclose (self); */ + } + else + puts (dlerror ()); + + return status; +} +_LT_EOF + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then + (./conftest; exit; ) >&5 2>/dev/null + lt_status=$? 
+ case x$lt_status in + x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; + x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; + x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;; + esac + else : + # compilation failed + lt_cv_dlopen_self_static=no + fi +fi +rm -fr conftest* + + +fi +{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5 +$as_echo "$lt_cv_dlopen_self_static" >&6; } + fi + + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + ;; + esac + + case $lt_cv_dlopen_self in + yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; + *) enable_dlopen_self=unknown ;; + esac + + case $lt_cv_dlopen_self_static in + yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; + *) enable_dlopen_self_static=unknown ;; + esac +fi + + + + + + + + + + + + + + + + + +striplib= +old_striplib= +{ $as_echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5 +$as_echo_n "checking whether stripping libraries is possible... " >&6; } +if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then + test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" + test -z "$striplib" && striplib="$STRIP --strip-unneeded" + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else +# FIXME - insert some real tests, host_os isn't really good enough + case $host_os in + darwin*) + if test -n "$STRIP" ; then + striplib="$STRIP -x" + old_striplib="$STRIP -S" + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi + ;; + *) + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + ;; + esac +fi + + + + + + + + + + + + + # Report which library types will actually be built + { $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5 +$as_echo_n "checking if libtool supports shared libraries... 
" >&6; } + { $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5 +$as_echo "$can_build_shared" >&6; } + + { $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5 +$as_echo_n "checking whether to build shared libraries... " >&6; } + test "$can_build_shared" = "no" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + + aix[4-9]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + { $as_echo "$as_me:$LINENO: result: $enable_shared" >&5 +$as_echo "$enable_shared" >&6; } + + { $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5 +$as_echo_n "checking whether to build static libraries... " >&6; } + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + { $as_echo "$as_me:$LINENO: result: $enable_static" >&5 +$as_echo "$enable_static" >&6; } + + + + +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +CC="$lt_save_CC" + + + + + + + + + + + + + + ac_config_commands="$ac_config_commands libtool" + + + + +# Only expand once: + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. +set dummy ${ac_tool_prefix}ranlib; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_RANLIB+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +RANLIB=$ac_cv_prog_RANLIB +if test -n "$RANLIB"; then + { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5 +$as_echo "$RANLIB" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_RANLIB"; then + ac_ct_RANLIB=$RANLIB + # Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_RANLIB"; then + ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB +if test -n "$ac_ct_RANLIB"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 +$as_echo "$ac_ct_RANLIB" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_RANLIB" = x; then + RANLIB=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + RANLIB=$ac_ct_RANLIB + fi +else + RANLIB="$ac_cv_prog_RANLIB" +fi + + + { $as_echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5 +$as_echo_n "checking whether byte ordering is bigendian... " >&6; } +if test "${ac_cv_c_bigendian+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_c_bigendian=unknown + # See if we're dealing with a universal compiler. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifndef __APPLE_CC__ + not a universal capable compiler + #endif + typedef int dummy; + +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + + # Check for potential -arch flags. It is not universal unless + # there are some -arch flags. Note that *ppc* also matches + # ppc64. This check is also rather less than ideal. + case "${CC} ${CFLAGS} ${CPPFLAGS} ${LDFLAGS}" in #( + *-arch*ppc*|*-arch*i386*|*-arch*x86_64*) ac_cv_c_bigendian=universal;; + esac +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test $ac_cv_c_bigendian = unknown; then + # See if sys/param.h defines the BYTE_ORDER macro. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + #include + +int +main () +{ +#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ + && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ + && LITTLE_ENDIAN) + bogus endian macros + #endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + # It does; now see whether it defined to BIG_ENDIAN or not. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include + #include + +int +main () +{ +#if BYTE_ORDER != BIG_ENDIAN + not big endian + #endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_bigendian=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_c_bigendian=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) + bogus endian macros + #endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + # It does; now see whether it defined to _BIG_ENDIAN or not. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +#ifndef _BIG_ENDIAN + not big endian + #endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_bigendian=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_c_bigendian=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # Compile a test program. + if test "$cross_compiling" = yes; then + # Try to guess by grepping values from an object file. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +short int ascii_mm[] = + { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; + short int ascii_ii[] = + { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; + int use_ascii (int i) { + return ascii_mm[i] + ascii_ii[i]; + } + short int ebcdic_ii[] = + { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; + short int ebcdic_mm[] = + { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; + int use_ebcdic (int i) { + return ebcdic_mm[i] + ebcdic_ii[i]; + } + extern int foo; + +int +main () +{ +return use_ascii (foo) == use_ebcdic (foo); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then + ac_cv_c_bigendian=yes + fi + if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then + if test "$ac_cv_c_bigendian" = unknown; then + ac_cv_c_bigendian=no + else + # finding both strings is unlikely to happen, but who knows? + ac_cv_c_bigendian=unknown + fi + fi +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ + + /* Are we little or big endian? From Harbison&Steele. 
*/ + union + { + long int l; + char c[sizeof (long int)]; + } u; + u.l = 1; + return u.c[sizeof (long int) - 1] == 1; + + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_c_bigendian=no +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +ac_cv_c_bigendian=yes +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5 +$as_echo "$ac_cv_c_bigendian" >&6; } + case $ac_cv_c_bigendian in #( + yes) + cat >>confdefs.h <<\_ACEOF +#define WORDS_BIGENDIAN 1 +_ACEOF +;; #( + no) + ;; #( + universal) + +cat >>confdefs.h <<\_ACEOF +#define AC_APPLE_UNIVERSAL_BUILD 1 +_ACEOF + + ;; #( + *) + { { $as_echo "$as_me:$LINENO: error: unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" >&5 +$as_echo "$as_me: error: unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" >&2;} + { (exit 1); exit 1; }; } ;; + esac + +{ $as_echo "$as_me:$LINENO: checking for inline" >&5 +$as_echo_n "checking for inline... 
" >&6; } +if test "${ac_cv_c_inline+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_c_inline=no +for ac_kw in inline __inline__ __inline; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifndef __cplusplus +typedef int foo_t; +static $ac_kw foo_t static_foo () {return 0; } +$ac_kw foo_t foo () {return 0; } +#endif + +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_inline=$ac_kw +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + test "$ac_cv_c_inline" != no && break +done + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5 +$as_echo "$ac_cv_c_inline" >&6; } + + +case $ac_cv_c_inline in + inline | yes) ;; + *) + case $ac_cv_c_inline in + no) ac_val=;; + *) ac_val=$ac_cv_c_inline;; + esac + cat >>confdefs.h <<_ACEOF +#ifndef __cplusplus +#define inline $ac_val +#endif +_ACEOF + ;; +esac + + +#AC_CANONICAL_HOST +linux="no" +sunos4="no" +so_with_static_lib="yes" + +case "$host" in + *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) + +cat >>confdefs.h <<\_ACEOF +#define OPENBSD 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define BROKEN_SIOCGIFMTU 1 +_ACEOF + + so_with_static_lib="no" + + ;; + *-openbsd*) + +cat >>confdefs.h <<\_ACEOF +#define OPENBSD 1 +_ACEOF + + so_with_static_lib="no" + + ;; + *-sgi-irix5*) + 
+cat >>confdefs.h <<\_ACEOF +#define IRIX 1 +_ACEOF + + no_libsocket="yes" + no_libnsl="yes" + if test -z "$GCC"; then + sgi_cc="yes" + fi + LDFLAGS="${LDFLAGS} -L/usr/local/lib" + extra_incl="-I/usr/local/include" + ;; + *-sgi-irix6*) + +cat >>confdefs.h <<\_ACEOF +#define IRIX 1 +_ACEOF + + no_libsocket="yes" + no_libnsl="yes" + if test -z "$GCC"; then + sgi_cc="yes" + fi + LDFLAGS="${LDFLAGS} -L/usr/local/lib" + extra_incl="-I/usr/local/include" + ;; + *-solaris*) + +cat >>confdefs.h <<\_ACEOF +#define SOLARIS 1 +_ACEOF + + CONFIGFLAGS="${CONFIGFLAGS} -DBSD_COMP -D_REENTRANT" + rt_nanosleep="yes" + ;; + *-sunos*) + +cat >>confdefs.h <<\_ACEOF +#define SUNOS 1 +_ACEOF + + sunos4="yes" + ;; + *-linux*) + linux="yes" + +cat >>confdefs.h <<\_ACEOF +#define LINUX 1 +_ACEOF + + + extra_incl="-I/usr/include/pcap" + ;; + *-hpux10*|*-hpux11*) + +cat >>confdefs.h <<\_ACEOF +#define HPUX 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define WORDS_BIGENDIAN 1 +_ACEOF + + + extra_incl="-I/usr/local/include" + ;; + *-freebsd*) + +cat >>confdefs.h <<\_ACEOF +#define FREEBSD 1 +_ACEOF + + ;; + *-bsdi*) + +cat >>confdefs.h <<\_ACEOF +#define BSDI 1 +_ACEOF + + ;; + *-aix*) + +cat >>confdefs.h <<\_ACEOF +#define AIX 1 +_ACEOF + + ;; + *-osf4*) + +cat >>confdefs.h <<\_ACEOF +#define OSF1 1 +_ACEOF + + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" + ;; + *-osf5.1*) + +cat >>confdefs.h <<\_ACEOF +#define OSF1 1 +_ACEOF + + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" + ;; + *-tru64*) + +cat >>confdefs.h <<\_ACEOF +#define OSF1 1 +_ACEOF + + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" + ;; +# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment + *-apple*) + +cat >>confdefs.h <<\_ACEOF +#define MACOS 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define BROKEN_SIOCGIFMTU 1 +_ACEOF + + LDFLAGS="${LDFLAGS} -L/sw/lib" + extra_incl="-I/sw/include" +esac + +{ $as_echo "$as_me:$LINENO: checking for stdbool.h that conforms to C99" >&5 +$as_echo_n "checking for stdbool.h that 
conforms to C99... " >&6; } +if test "${ac_cv_header_stdbool_h+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#ifndef bool + "error: bool is not defined" +#endif +#ifndef false + "error: false is not defined" +#endif +#if false + "error: false is not 0" +#endif +#ifndef true + "error: true is not defined" +#endif +#if true != 1 + "error: true is not 1" +#endif +#ifndef __bool_true_false_are_defined + "error: __bool_true_false_are_defined is not defined" +#endif + + struct s { _Bool s: 1; _Bool t; } s; + + char a[true == 1 ? 1 : -1]; + char b[false == 0 ? 1 : -1]; + char c[__bool_true_false_are_defined == 1 ? 1 : -1]; + char d[(bool) 0.5 == true ? 1 : -1]; + bool e = &s; + char f[(_Bool) 0.0 == false ? 1 : -1]; + char g[true]; + char h[sizeof (_Bool)]; + char i[sizeof s.t]; + enum { j = false, k = true, l = false * true, m = true * 256 }; + /* The following fails for + HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */ + _Bool n[m]; + char o[sizeof n == m * sizeof n[0] ? 1 : -1]; + char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1]; +# if defined __xlc__ || defined __GNUC__ + /* Catch a bug in IBM AIX xlc compiler version 6.0.0.0 + reported by James Lemley on 2005-10-05; see + http://lists.gnu.org/archive/html/bug-coreutils/2005-10/msg00086.html + This test is not quite right, since xlc is allowed to + reject this program, as the initializer for xlcbug is + not one of the forms that C requires support for. + However, doing the test right would require a runtime + test, and that would make cross-compilation harder. + Let us hope that IBM fixes the xlc bug, and also adds + support for this kind of constant expression. In the + meantime, this test will reject xlc, which is OK, since + our stdbool.h substitute should suffice. 
We also test + this with GCC, where it should work, to detect more + quickly whether someone messes up the test in the + future. */ + char digs[] = "0123456789"; + int xlcbug = 1 / (&(digs + 5)[-2 + (bool) 1] == &digs[4] ? 1 : -1); +# endif + /* Catch a bug in an HP-UX C compiler. See + http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html + http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html + */ + _Bool q = true; + _Bool *pq = &q; + +int +main () +{ + + *pq |= q; + *pq |= ! q; + /* Refer to every declared value, to avoid compiler optimizations. */ + return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l + + !m + !n + !o + !p + !q + !pq); + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_header_stdbool_h=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_header_stdbool_h=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdbool_h" >&5 +$as_echo "$ac_cv_header_stdbool_h" >&6; } +{ $as_echo "$as_me:$LINENO: checking for _Bool" >&5 +$as_echo_n "checking for _Bool... " >&6; } +if test "${ac_cv_type__Bool+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type__Bool=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof (_Bool)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((_Bool))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type__Bool=yes +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type__Bool" >&5 +$as_echo "$ac_cv_type__Bool" >&6; } +if test "x$ac_cv_type__Bool" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE__BOOL 1 +_ACEOF + + +fi + +if test $ac_cv_header_stdbool_h = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_STDBOOL_H 1 +_ACEOF + +fi + + +# ICC stuff +ICC=no +if eval "echo $CC | grep icc > /dev/null" ; then + if eval "$CC -help | grep libcxa > /dev/null" ; then + CFLAGS="$CFLAGS -static-libcxa" + LDFLAGS="$LDFLAGS -static-libcxa" + XCCFLAGS="-XCClinker -static-libcxa" + else + CFLAGS="$CFLAGS -static-intel" + LDFLAGS="$LDFLAGS -static-intel" + XCCFLAGS="-XCClinker -static-intel" + fi + #CFLAGS=`echo $CFLAGS | sed 's/-O2/-O3/'` + CFLAGS="$CFLAGS -O3 -ip -w1" + ICC=yes + GCC= +fi + + +# This is really meant for Solaris Sparc v9 where it has 32bit and 64bit +# capability but builds 32bit by default +# Check whether --enable-64bit-gcc was given. +if test "${enable_64bit_gcc+set}" = set; then + enableval=$enable_64bit_gcc; enable_64bit_gcc="$enableval" +else + enable_64bit_gcc="no" +fi + +if test "x$enable_64bit_gcc" = "xyes"; then + CFLAGS="$CFLAGS -m64" +fi + +# AC_PROG_YACC defaults to "yacc" when not found +# this check defaults to "none" +for ac_prog in bison yacc +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_YACC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$YACC"; then + ac_cv_prog_YACC="$YACC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_YACC="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +YACC=$ac_cv_prog_YACC +if test -n "$YACC"; then + { $as_echo "$as_me:$LINENO: result: $YACC" >&5 +$as_echo "$YACC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$YACC" && break +done +test -n "$YACC" || YACC="none" + +# AC_PROG_YACC includes the -y arg if bison is found +if test "x$YACC" = "xbison"; then + YACC="$YACC -y" +fi + +# AC_PROG_LEX defaults to ":" when not found +# this check defaults to "none" +# We're using flex specific options so we don't support lex +for ac_prog in flex +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_LEX+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$LEX"; then + ac_cv_prog_LEX="$LEX" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_LEX="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +LEX=$ac_cv_prog_LEX +if test -n "$LEX"; then + { $as_echo "$as_me:$LINENO: result: $LEX" >&5 +$as_echo "$LEX" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$LEX" && break +done +test -n "$LEX" || LEX="none" + + +# + + + + + + + + + + +for ac_header in \ + inttypes.h \ + math.h \ + paths.h \ + stdlib.h \ + string.h \ + strings.h \ + unistd.h \ + wchar.h \ + sys/sockio.h \ + +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + +if test "x$ac_cv_header_wchar_h" = "xyes"; then + CONFIGFLAGS="${CONFIGFLAGS} -DSF_WCHAR" +fi + +{ $as_echo "$as_me:$LINENO: checking for floor in -lm" >&5 +$as_echo_n "checking for floor in -lm... " >&6; } +if test "${ac_cv_lib_m_floor+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lm $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char floor (); +int +main () +{ +return floor (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_m_floor=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_m_floor=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_m_floor" >&5 +$as_echo "$ac_cv_lib_m_floor" >&6; } +if test "x$ac_cv_lib_m_floor" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBM 1 +_ACEOF + + LIBS="-lm $LIBS" + +fi + + +{ $as_echo "$as_me:$LINENO: checking for ceil in -lm" >&5 +$as_echo_n "checking for ceil in -lm... " >&6; } +if test "${ac_cv_lib_m_ceil+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lm $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ceil (); +int +main () +{ +return ceil (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_m_ceil=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_m_ceil=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_m_ceil" >&5 +$as_echo "$ac_cv_lib_m_ceil" >&6; } +if test "x$ac_cv_lib_m_ceil" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBM 1 +_ACEOF + + LIBS="-lm $LIBS" + +fi + + + +for ac_header in uuid/uuid.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +{ $as_echo "$as_me:$LINENO: checking for uuid_parse in -luuid" >&5 +$as_echo_n "checking for uuid_parse in -luuid... " >&6; } +if test "${ac_cv_lib_uuid_uuid_parse+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-luuid $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char uuid_parse (); +int +main () +{ +return uuid_parse (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_uuid_uuid_parse=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_uuid_uuid_parse=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_uuid_uuid_parse" >&5 +$as_echo "$ac_cv_lib_uuid_uuid_parse" >&6; } +if test "x$ac_cv_lib_uuid_uuid_parse" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBUUID 1 +_ACEOF + + LIBS="-luuid $LIBS" + +fi + +fi + +done + + +if test "x$rt_nanosleep" = "xyes"; then + +{ $as_echo "$as_me:$LINENO: checking for nanosleep in -lrt" >&5 +$as_echo_n "checking for nanosleep in -lrt... " >&6; } +if test "${ac_cv_lib_rt_nanosleep+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lrt $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nanosleep (); +int +main () +{ +return nanosleep (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_rt_nanosleep=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_rt_nanosleep=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_rt_nanosleep" >&5 +$as_echo "$ac_cv_lib_rt_nanosleep" >&6; } +if test "x$ac_cv_lib_rt_nanosleep" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBRT 1 +_ACEOF + + LIBS="-lrt $LIBS" + +fi + +fi + +if test -z "$no_libnsl"; then + +{ $as_echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5 +$as_echo_n "checking for inet_ntoa in -lnsl... " >&6; } +if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnsl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char inet_ntoa (); +int +main () +{ +return inet_ntoa (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_nsl_inet_ntoa=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_nsl_inet_ntoa=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5 +$as_echo "$ac_cv_lib_nsl_inet_ntoa" >&6; } +if test "x$ac_cv_lib_nsl_inet_ntoa" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNSL 1 +_ACEOF + + LIBS="-lnsl $LIBS" + +fi + +fi + +if test -z "$no_libsocket"; then + +{ $as_echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 +$as_echo_n "checking for socket in -lsocket... " >&6; } +if test "${ac_cv_lib_socket_socket+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsocket $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char socket (); +int +main () +{ +return socket (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_socket_socket=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_socket_socket=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5 +$as_echo "$ac_cv_lib_socket_socket" >&6; } +if test "x$ac_cv_lib_socket_socket" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSOCKET 1 +_ACEOF + + LIBS="-lsocket $LIBS" + +fi + +fi + +# SunOS4 has several things `broken' +if test "$sunos4" != "no"; then + +for ac_func in vsnprintf +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +else + LIBS="$LIBS -ldb" +fi +done + + +for ac_func in strtoul +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... 
" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +else + LIBS="$LIBS -l44bsd" +fi +done + +fi + +# some funky macro to be backwards compatible with earlier autoconfs +# in current they have AC_CHECK_DECLS + + + + +# some stuff for declarations which were missed on sunos4 platform too. +# +# add `#undef NEED_DECL_FUNCTIONAME to acconfig.h` because autoheader +# fails to work properly with custom macroses. +# you will see also #undef for each SN_CHECK_DECLS macros invocation +# because autoheader doesn't execute shell script commands. +# it is possible to make loops using m4 but the code would look even +# more confusing.. +for sn_decl in printf fprintf syslog puts fputs fputc fopen \ + fclose fwrite fflush getopt bzero bcopy memset strtol \ + strcasecmp strncasecmp strerror perror socket sendto \ + vsnprintf snprintf strtoul +do +sn_def_decl=`echo $sn_decl | tr a-z A-Z` + +{ $as_echo "$as_me:$LINENO: checking whether $sn_decl must be declared" >&5 +$as_echo_n "checking whether $sn_decl must be declared... " >&6; } +if { as_var=sn_cv_decl_needed_$sn_decl; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + +#include +#ifdef HAVE_STRING_H +#include +#endif +#ifdef HAVE_STRINGS_H +#include +#endif +#ifdef HAVE_STDLIB_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#include +#include +#include + +int +main () +{ +char *(*pfn); pfn = (char *(*)) $sn_decl; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + eval "sn_cv_decl_needed_$sn_decl=no" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "sn_cv_decl_needed_$sn_decl=yes" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + + +if eval "test \"`echo '$sn_cv_decl_needed_'$sn_decl`\" != no"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + + +cat >>confdefs.h <<_ACEOF +#define NEED_DECL_$sn_def_decl 1 +_ACEOF + + +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + +fi +done + + + + + + + + + + +for ac_func in sigaction strlcpy strlcat strerror vswprintf wprintf memrchr inet_ntop +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. 
+ For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +{ $as_echo "$as_me:$LINENO: checking for snprintf" >&5 +$as_echo_n "checking for snprintf... " >&6; } +if test "${ac_cv_func_snprintf+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define snprintf to an innocuous variant, in case declares snprintf. + For example, HP-UX 11i declares gettimeofday. */ +#define snprintf innocuous_snprintf + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char snprintf (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef snprintf + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char snprintf (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined __stub_snprintf || defined __stub___snprintf +choke me +#endif + +int +main () +{ +return snprintf (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_snprintf=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_func_snprintf=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_snprintf" >&5 +$as_echo "$ac_cv_func_snprintf" >&6; } +if test "x$ac_cv_func_snprintf" = x""yes; then + have_snprintf="yes" +else + have_snprintf="no" +fi + + if test "x$have_snprintf" != "xyes"; then + BUILD_SNPRINTF_TRUE= + BUILD_SNPRINTF_FALSE='#' +else + BUILD_SNPRINTF_TRUE='#' + BUILD_SNPRINTF_FALSE= +fi + +if test "x$have_snprintf" = "xyes"; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_SNPRINTF /**/ +_ACEOF + +fi + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of char" >&5 +$as_echo_n "checking size of char... 
" >&6; } +if test "${ac_cv_sizeof_char+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) >= 0)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) < 0)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) >= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo= ac_hi= +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (char))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr '(' $ac_mid ')' + 1` +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_char=$ac_lo;; +'') if test "$ac_cv_type_char" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (char) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (char) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_char=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (char)); } +static unsigned long int ulongval () { return (long int) (sizeof (char)); } +#include +#include +int +main () +{ + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (char))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (char)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (char)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_char=`cat conftest.val` +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +if test "$ac_cv_type_char" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (char) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (char) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_char=0 + fi +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_char" >&5 +$as_echo "$ac_cv_sizeof_char" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_CHAR $ac_cv_sizeof_char +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of short" >&5 +$as_echo_n "checking size of short... " >&6; } +if test "${ac_cv_sizeof_short+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (short))) >= 0)]; +test_array [0] = 0 - # We can hardcode non-existent directories. - if test "$hardcode_direct" != no && - # If the only mechanism to avoid hardcoding is shlibpath_var, we - # have to relink, otherwise we might link with an installed library - # when we should be linking with a yet-to-be-installed one - ## test "$_LT_TAGVAR(hardcode_shlibpath_var, )" != no && - test "$hardcode_minus_L" != no; then - # Linking always hardcodes the temporary library directory. - hardcode_action=relink - else - # We can link without hardcoding, and we can hardcode nonexisting dirs. - hardcode_action=immediate - fi + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (short))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - # We cannot hardcode anything, or else we can only hardcode existing - # directories. - hardcode_action=unsupported -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $hardcode_action" >&5 -$as_echo "$hardcode_action" >&6; } + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -if test "$hardcode_action" = relink || - test "$inherit_rpath" = yes; then - # Fast installation is not supported - enable_fast_install=no -elif test "$shlibpath_overrides_runpath" = yes || - test "$enable_shared" = no; then - # Fast installation is not necessary - enable_fast_install=needless + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (short))) < 0)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (short))) >= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` +fi - if test "x$enable_dlopen" != xyes; then - enable_dlopen=unknown - enable_dlopen_self=unknown - enable_dlopen_self_static=unknown +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - lt_cv_dlopen=no - lt_cv_dlopen_libs= - - case $host_os in - beos*) - lt_cv_dlopen="load_add_on" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - ;; + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - mingw* | pw32* | cegcc*) - lt_cv_dlopen="LoadLibrary" - lt_cv_dlopen_libs= - ;; + ac_lo= ac_hi= +fi - cygwin*) - lt_cv_dlopen="dlopen" - lt_cv_dlopen_libs= - ;; +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi - darwin*) - # if libdl is installed we need to link against it - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 -$as_echo_n "checking for dlopen in -ldl... " >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); +$ac_includes_default int main () { -return dlopen (); +static int test_array [1 - 2 * !(((long int) (sizeof (short))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_dl_dlopen=yes -else - ac_cv_lib_dl_dlopen=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 -$as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = x""yes; then : - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - lt_cv_dlopen="dyld" - lt_cv_dlopen_libs= - lt_cv_dlopen_self=yes - + ac_lo=`expr '(' $ac_mid ')' + 1` fi - ;; - - *) - ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load" -if test "x$ac_cv_func_shl_load" = x""yes; then : - lt_cv_dlopen="shl_load" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 -$as_echo_n "checking for shl_load in -ldld... 
" >&6; } -if test "${ac_cv_lib_dld_shl_load+set}" = set; then : - $as_echo_n "(cached) " >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_short=$ac_lo;; +'') if test "$ac_cv_type_short" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (short) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (short) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_short=0 + fi ;; +esac else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldld $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load (); +$ac_includes_default +static long int longval () { return (long int) (sizeof (short)); } +static unsigned long int ulongval () { return (long int) (sizeof (short)); } +#include +#include int main () { -return shl_load (); + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (short))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (short)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (short)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. 
*/ + return ferror (f) || fclose (f) != 0; + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_dld_shl_load=yes +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_short=`cat conftest.val` else - ac_cv_lib_dld_shl_load=no + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +if test "$ac_cv_type_short" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (short) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (short) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_short=0 + fi fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 -$as_echo "$ac_cv_lib_dld_shl_load" >&6; } -if test "x$ac_cv_lib_dld_shl_load" = x""yes; then : - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" -else - ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen" -if test "x$ac_cv_func_dlopen" = x""yes; then : - lt_cv_dlopen="dlopen" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 -$as_echo_n "checking for dlopen in -ldl... " >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then : +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_short" >&5 +$as_echo "$ac_cv_sizeof_short" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SHORT $ac_cv_sizeof_short +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of int" >&5 +$as_echo_n "checking size of int... " >&6; } +if test "${ac_cv_sizeof_int+set}" = set; then $as_echo_n "(cached) " >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. 
- Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); +$ac_includes_default int main () { -return dlopen (); +static int test_array [1 - 2 * !(((long int) (sizeof (int))) >= 0)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_dl_dlopen=yes -else - ac_cv_lib_dl_dlopen=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 -$as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = x""yes; then : - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5 -$as_echo_n "checking for dlopen in -lsvld... " >&6; } -if test "${ac_cv_lib_svld_dlopen+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsvld $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. 
- Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); +$ac_includes_default int main () { -return dlopen (); +static int test_array [1 - 2 * !(((long int) (sizeof (int))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_svld_dlopen=yes +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - ac_cv_lib_svld_dlopen=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5 -$as_echo "$ac_cv_lib_svld_dlopen" >&6; } -if test "x$ac_cv_lib_svld_dlopen" = x""yes; then : - lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5 -$as_echo_n "checking for dld_link in -ldld... 
" >&6; } -if test "${ac_cv_lib_dld_dld_link+set}" = set; then : - $as_echo_n "(cached) " >&6 + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldld $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) < 0)]; +test_array [0] = 0 -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dld_link (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default int main () { -return dld_link (); +static int test_array [1 - 2 * !(((long int) (sizeof (int))) >= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_dld_dld_link=yes +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break else - ac_cv_lib_dld_dld_link=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5 -$as_echo "$ac_cv_lib_dld_dld_link" >&6; } -if test "x$ac_cv_lib_dld_dld_link" = x""yes; then : - lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" -fi - - -fi - - -fi - - -fi - - -fi - + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi - ;; - esac - - if test "x$lt_cv_dlopen" != xno; then - enable_dlopen=yes - else - enable_dlopen=no - fi - - case $lt_cv_dlopen in - dlopen) - save_CPPFLAGS="$CPPFLAGS" - test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" - - save_LDFLAGS="$LDFLAGS" - wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" - - save_LIBS="$LIBS" - LIBS="$lt_cv_dlopen_libs $LIBS" - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5 -$as_echo_n "checking whether a 
program can dlopen itself... " >&6; } -if test "${lt_cv_dlopen_self+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test "$cross_compiling" = yes; then : - lt_cv_dlopen_self=cross +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext <<_LT_EOF -#line 11443 "configure" -#include "confdefs.h" - -#if HAVE_DLFCN_H -#include -#endif - -#include - -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif - -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. */ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -void fnord() { int i=42;} -int main () -{ - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - - if (self) - { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ - } - else - puts (dlerror ()); + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - return status; -} -_LT_EOF - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 - (eval $ac_link) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) >&5 2>/dev/null - lt_status=$? 
- case x$lt_status in - x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; - x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; - x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;; - esac - else : - # compilation failed - lt_cv_dlopen_self=no - fi + ac_lo= ac_hi= fi -rm -fr conftest* - +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self" >&5 -$as_echo "$lt_cv_dlopen_self" >&6; } - if test "x$lt_cv_dlopen_self" = xyes; then - wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5 -$as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; } -if test "${lt_cv_dlopen_self_static+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test "$cross_compiling" = yes; then : - lt_cv_dlopen_self_static=cross +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (int))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid else - lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 - lt_status=$lt_dlunknown - cat > conftest.$ac_ext <<_LT_EOF -#line 11539 "configure" -#include "confdefs.h" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -#if HAVE_DLFCN_H -#include -#endif + ac_lo=`expr '(' $ac_mid ')' + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_int=$ac_lo;; +'') if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_int=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (int)); } +static unsigned long int ulongval () { return (long int) (sizeof (int)); } #include - -#ifdef RTLD_GLOBAL -# define LT_DLGLOBAL RTLD_GLOBAL -#else -# ifdef DL_GLOBAL -# define LT_DLGLOBAL DL_GLOBAL -# else -# define LT_DLGLOBAL 0 -# endif -#endif - -/* We may have to define LT_DLLAZY_OR_NOW in the command line if we - find out it does not work in some platform. 
*/ -#ifndef LT_DLLAZY_OR_NOW -# ifdef RTLD_LAZY -# define LT_DLLAZY_OR_NOW RTLD_LAZY -# else -# ifdef DL_LAZY -# define LT_DLLAZY_OR_NOW DL_LAZY -# else -# ifdef RTLD_NOW -# define LT_DLLAZY_OR_NOW RTLD_NOW -# else -# ifdef DL_NOW -# define LT_DLLAZY_OR_NOW DL_NOW -# else -# define LT_DLLAZY_OR_NOW 0 -# endif -# endif -# endif -# endif -#endif - -void fnord() { int i=42;} -int main () +#include +int +main () { - void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); - int status = $lt_dlunknown; - if (self) + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (int))) < 0) { - if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; - /* dlclose (self); */ + long int i = longval (); + if (i != ((long int) (sizeof (int)))) + return 1; + fprintf (f, "%ld", i); } else - puts (dlerror ()); + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; - return status; + ; + return 0; } -_LT_EOF - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 - (eval $ac_link) 2>&5 +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then - (./conftest; exit; ) >&5 2>/dev/null - lt_status=$? 
- case x$lt_status in - x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; - x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; - x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;; - esac - else : - # compilation failed - lt_cv_dlopen_self_static=no - fi -fi -rm -fr conftest* - + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_int=`cat conftest.val` +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +( exit $ac_status ) +if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (int) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_int=0 + fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self_static" >&5 -$as_echo "$lt_cv_dlopen_self_static" >&6; } - fi - - CPPFLAGS="$save_CPPFLAGS" - LDFLAGS="$save_LDFLAGS" - LIBS="$save_LIBS" - ;; - esac - - case $lt_cv_dlopen_self in - yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; - *) enable_dlopen_self=unknown ;; - esac - - case $lt_cv_dlopen_self_static in - yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; - *) enable_dlopen_self_static=unknown ;; - esac +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_int" >&5 +$as_echo "$ac_cv_sizeof_int" >&6; } +cat >>confdefs.h <<_ACEOF +#define SIZEOF_INT $ac_cv_sizeof_int +_ACEOF +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of long int" >&5 +$as_echo_n "checking size of long int... " >&6; } +if test "${ac_cv_sizeof_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) >= 0)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) <= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) < 0)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) >= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= +fi - -striplib= -old_striplib= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stripping libraries is possible" >&5 -$as_echo_n "checking whether stripping libraries is possible... " >&6; } -if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then - test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" - test -z "$striplib" && striplib="$STRIP --strip-unneeded" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else -# FIXME - insert some real tests, host_os isn't really good enough - case $host_os in - darwin*) - if test -n "$STRIP" ; then - striplib="$STRIP -x" - old_striplib="$STRIP -S" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - fi - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - ;; - esac +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long int))) <= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr '(' $ac_mid ')' + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_long_int=$ac_lo;; +'') if test "$ac_cv_type_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_int=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (long int)); } +#include +#include +int +main () +{ + FILE *f = fopen ("conftest.val", "w"); + if (! 
f) + return 1; + if (((long int) (sizeof (long int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (long int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (long int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_long_int=`cat conftest.val` +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +( exit $ac_status ) +if test "$ac_cv_type_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long int) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_int=0 + fi +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_int" >&6; } +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_INT $ac_cv_sizeof_long_int +_ACEOF - # Report which library types will actually be built - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libtool supports shared libraries" >&5 -$as_echo_n "checking if libtool supports shared libraries... " >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $can_build_shared" >&5 -$as_echo "$can_build_shared" >&6; } +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of long long int" >&5 +$as_echo_n "checking size of long long int... " >&6; } +if test "${ac_cv_sizeof_long_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) >= 0)]; +test_array [0] = 0 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build shared libraries" >&5 -$as_echo_n "checking whether to build shared libraries... 
" >&6; } - test "$can_build_shared" = "no" && enable_shared=no + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) <= $ac_mid)]; +test_array [0] = 0 - # On AIX, shared libraries and static libraries use the same namespace, and - # are all built from PIC. - case $host_os in - aix3*) - test "$enable_shared" = yes && enable_static=no - if test -n "$RANLIB"; then - archive_cmds="$archive_cmds~\$RANLIB \$lib" - postinstall_cmds='$RANLIB $lib' - fi - ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - aix[4-9]*) - if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then - test "$enable_shared" = yes && enable_static=no - fi - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_shared" >&5 -$as_echo "$enable_shared" >&6; } + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` +fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build static libraries" >&5 -$as_echo_n "checking whether to build static libraries... " >&6; } - # Make sure either enable_shared or enable_static is yes. - test "$enable_shared" = yes || enable_static=yes - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_static" >&5 -$as_echo "$enable_static" >&6; } +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) < 0)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) >= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -CC="$lt_save_CC" - - - - +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (long long int))) <= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr '(' $ac_mid ')' + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_long_long_int=$ac_lo;; +'') if test "$ac_cv_type_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_long_int=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (long long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (long long int)); } +#include +#include +int +main () +{ + FILE *f = fopen ("conftest.val", "w"); + if (! 
f) + return 1; + if (((long int) (sizeof (long long int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (long long int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (long long int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; - ac_config_commands="$ac_config_commands libtool" + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_long_long_int=`cat conftest.val` +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +( exit $ac_status ) +if test "$ac_cv_type_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (long long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (long long int) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_long_long_int=0 + fi +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_long_int" >&6; } -# Only expand once: +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_LONG_INT $ac_cv_sizeof_long_long_int +_ACEOF -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. -set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_RANLIB+set}" = set; then : +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of unsigned int" >&5 +$as_echo_n "checking size of unsigned int... " >&6; } +if test "${ac_cv_sizeof_unsigned_int+set}" = set; then $as_echo_n "(cached) " >&6 else - if test -n "$RANLIB"; then - ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) >= 0)]; +test_array [0] = 0 -fi -fi -RANLIB=$ac_cv_prog_RANLIB -if test -n "$RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 -$as_echo "$RANLIB" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) <= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi -if test -z "$ac_cv_prog_RANLIB"; then - ac_ct_RANLIB=$RANLIB - # Extract the first word of "ranlib", so it can be a program name with args. -set dummy ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_RANLIB"; then - ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done -IFS=$as_save_IFS +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) < 0)]; +test_array [0] = 0 -fi -fi -ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB -if test -n "$ac_ct_RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 -$as_echo "$ac_ct_RANLIB" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) >= $ac_mid)]; +test_array [0] = 0 - if test "x$ac_ct_RANLIB" = x; then - RANLIB=":" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac - RANLIB=$ac_ct_RANLIB - fi +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break else - RANLIB="$ac_cv_prog_RANLIB" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 -$as_echo_n "checking whether byte ordering is bigendian... " >&6; } -if test "${ac_cv_c_bigendian+set}" = set; then : - $as_echo_n "(cached) " >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - ac_cv_c_bigendian=unknown - # See if we're dealing with a universal compiler. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifndef __APPLE_CC__ - not a universal capable compiler - #endif - typedef int dummy; + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : + ac_lo= ac_hi= +fi - # Check for potential -arch flags. It is not universal unless - # there are at least two -arch flags with different values. - ac_arch= - ac_prev= - for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do - if test -n "$ac_prev"; then - case $ac_word in - i?86 | x86_64 | ppc | ppc64) - if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then - ac_arch=$ac_word - else - ac_cv_c_bigendian=universal - break - fi - ;; - esac - ac_prev= - elif test "x$ac_word" = "x-arch"; then - ac_prev=arch - fi - done +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - if test $ac_cv_c_bigendian = unknown; then - # See if sys/param.h defines the BYTE_ORDER macro. 
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include - #include - +$ac_includes_default int main () { -#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ - && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ - && LITTLE_ENDIAN) - bogus endian macros - #endif +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned int))) <= $ac_mid)]; +test_array [0] = 0 ; return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - # It does; now see whether it defined to BIG_ENDIAN or not. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - #include +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr '(' $ac_mid ')' + 1` +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_unsigned_int=$ac_lo;; +'') if test "$ac_cv_type_unsigned_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned int) +See \`config.log' for more details." 
>&5 +$as_echo "$as_me: error: cannot compute sizeof (unsigned int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_unsigned_int=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (unsigned int)); } +static unsigned long int ulongval () { return (long int) (sizeof (unsigned int)); } +#include +#include int main () { -#if BYTE_ORDER != BIG_ENDIAN - not big endian - #endif + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (unsigned int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (unsigned int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (unsigned int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_bigendian=yes +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_unsigned_int=`cat conftest.val` else - ac_cv_c_bigendian=no + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +if test "$ac_cv_type_unsigned_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (unsigned int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_unsigned_int=0 + fi fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi - if test $ac_cv_c_bigendian = unknown; then - # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_int" >&5 +$as_echo "$ac_cv_sizeof_unsigned_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_UNSIGNED_INT $ac_cv_sizeof_unsigned_int +_ACEOF + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of unsigned long int" >&5 +$as_echo_n "checking size of unsigned long int... " >&6; } +if test "${ac_cv_sizeof_unsigned_long_int+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. 
+cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default int main () { -#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) - bogus endian macros - #endif +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) >= 0)]; +test_array [0] = 0 ; return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - # It does; now see whether it defined to _BIG_ENDIAN or not. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include - +$ac_includes_default int main () { -#ifndef _BIG_ENDIAN - not big endian - #endif +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) <= $ac_mid)]; +test_array [0] = 0 ; return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_bigendian=yes +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - ac_cv_c_bigendian=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi - if test $ac_cv_c_bigendian = unknown; then - # Compile a test program. - if test "$cross_compiling" = yes; then : - # Try to guess by grepping values from an object file. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -short int ascii_mm[] = - { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; - short int ascii_ii[] = - { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; - int use_ascii (int i) { - return ascii_mm[i] + ascii_ii[i]; - } - short int ebcdic_ii[] = - { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; - short int ebcdic_mm[] = - { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; - int use_ebcdic (int i) { - return ebcdic_mm[i] + ebcdic_ii[i]; - } - extern int foo; + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default int main () { -return use_ascii (foo) == use_ebcdic (foo); +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) < 0)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then - ac_cv_c_bigendian=yes - fi - if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then - if test "$ac_cv_c_bigendian" = unknown; then - ac_cv_c_bigendian=no - else - # finding both strings is unlikely to happen, but who knows? - ac_cv_c_bigendian=unknown - fi - fi -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ $ac_includes_default int main () { - - /* Are we little or big endian? From Harbison&Steele. 
*/ - union - { - long int l; - char c[sizeof (long int)]; - } u; - u.l = 1; - return u.c[sizeof (long int) - 1] == 1; +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) >= $ac_mid)]; +test_array [0] = 0 ; return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_cv_c_bigendian=no -else - ac_cv_c_bigendian=yes -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 -$as_echo "$ac_cv_c_bigendian" >&6; } - case $ac_cv_c_bigendian in #( - yes) - $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h -;; #( - no) - ;; #( - universal) - -$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h - - ;; #( - *) - as_fn_error $? "unknown endianness - presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; - esac - - -#AC_CANONICAL_HOST -linux="no" -sunos4="no" - -case "$host" in - *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) - -$as_echo "#define OPENBSD 1" >>confdefs.h - - -$as_echo "#define BROKEN_SIOCGIFMTU 1" >>confdefs.h - - - ;; - *-openbsd*) - -$as_echo "#define OPENBSD 1" >>confdefs.h - - - ;; - *-sgi-irix5*) - -$as_echo "#define IRIX 1" >>confdefs.h - - no_libsocket="yes" - no_libnsl="yes" - if test -z "$GCC"; then - sgi_cc="yes" - fi - LDFLAGS="${LDFLAGS} -L/usr/local/lib" - extra_incl="-I/usr/local/include" - ;; - *-sgi-irix6*) - -$as_echo "#define IRIX 1" >>confdefs.h - - no_libsocket="yes" - no_libnsl="yes" - if test -z "$GCC"; then - sgi_cc="yes" - fi - LDFLAGS="${LDFLAGS} -L/usr/local/lib" - extra_incl="-I/usr/local/include" - ;; - *-solaris*) - -$as_echo "#define SOLARIS 1" >>confdefs.h - - CPPFLAGS="${CPPFLAGS} -DBSD_COMP -D_REENTRANT" - rt_nanosleep="yes" - ;; - *-sunos*) - -$as_echo "#define SUNOS 1" >>confdefs.h - - sunos4="yes" - ;; - *-linux*) - linux="yes" - -$as_echo "#define LINUX 1" >>confdefs.h - - - extra_incl="-I/usr/include/pcap" - ;; - 
*-hpux10*|*-hpux11*) - -$as_echo "#define HPUX 1" >>confdefs.h - - -$as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h - - - extra_incl="-I/usr/local/include" - ;; - - *-freebsd*) - -$as_echo "#define FREEBSD 1" >>confdefs.h - - - ;; - *-bsdi*) - -$as_echo "#define BSDI 1" >>confdefs.h - - ;; - *-aix*) - -$as_echo "#define AIX 1" >>confdefs.h - - ;; - *-osf4*) - -$as_echo "#define OSF1 1" >>confdefs.h - - ;; - *-osf5.1*) - -$as_echo "#define OSF1 1" >>confdefs.h - - ;; - *-tru64*) - -$as_echo "#define OSF1 1" >>confdefs.h - - ;; -# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment - *-apple*) - -$as_echo "#define MACOS 1" >>confdefs.h - - -$as_echo "#define BROKEN_SIOCGIFMTU 1" >>confdefs.h - - LDFLAGS="${LDFLAGS} -L/sw/lib" - extra_incl="-I/sw/include" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; esac - -# ICC stuff -ICC=no -if eval "echo $CC | grep icc > /dev/null" ; then - if eval "$CC -help | grep libcxa > /dev/null" ; then - CFLAGS="$CFLAGS -static-libcxa" - LDFLAGS="$LDFLAGS -static-libcxa" - XCCFLAGS="-XCClinker -static-libcxa" - else - CFLAGS="$CFLAGS -static-intel" - LDFLAGS="$LDFLAGS -static-intel" - XCCFLAGS="-XCClinker -static-intel" - fi - #CFLAGS=`echo $CFLAGS | sed 's/-O2/-O3/'` - CFLAGS="$CFLAGS -O3 -ip -w1" - ICC=yes - GCC= -fi - - -# This is really meant for Solaris Sparc v9 where it has 32bit and 64bit -# capability but builds 32bit by default -# Check whether --enable-64bit-gcc was given. -if test "${enable_64bit_gcc+set}" = set; then : - enableval=$enable_64bit_gcc; enable_64bit_gcc="$enableval" +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break else - enable_64bit_gcc="no" -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -if test "x$enable_64bit_gcc" = "xyes"; then - CFLAGS="$CFLAGS -m64" + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi -# AC_PROG_YACC defaults to "yacc" when not found -# this check defaults to "none" -for ac_prog in bison yacc -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_YACC+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$YACC"; then - ac_cv_prog_YACC="$YACC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_YACC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done -IFS=$as_save_IFS +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo= ac_hi= fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -YACC=$ac_cv_prog_YACC -if test -n "$YACC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5 -$as_echo "$YACC" >&6; } + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. 
+while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long int))) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr '(' $ac_mid ')' + 1` +fi - test -n "$YACC" && break +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done -test -n "$YACC" || YACC="none" +case $ac_lo in +?*) ac_cv_sizeof_unsigned_long_int=$ac_lo;; +'') if test "$ac_cv_type_unsigned_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (unsigned long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_unsigned_long_int=0 + fi ;; +esac +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +static long int longval () { return (long int) (sizeof (unsigned long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (unsigned long int)); } +#include +#include +int +main () +{ -# AC_PROG_YACC includes the -y arg if bison is found -if test "x$YACC" = "xbison"; then - YACC="$YACC -y" -fi + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (unsigned long int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (unsigned long int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (unsigned long int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; -# AC_PROG_LEX defaults to ":" when not found -# this check defaults to "none" -# We're using flex specific options so we don't support lex -for ac_prog in flex -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_LEX+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$LEX"; then - ac_cv_prog_LEX="$LEX" # Let the user override the test. + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_unsigned_long_int=`cat conftest.val` else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_LEX="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +( exit $ac_status ) +if test "$ac_cv_type_unsigned_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (unsigned long int) +See \`config.log' for more details." 
>&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_unsigned_long_int=0 + fi fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -LEX=$ac_cv_prog_LEX -if test -n "$LEX"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LEX" >&5 -$as_echo "$LEX" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } +rm -f conftest.val fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_long_int" >&5 +$as_echo "$ac_cv_sizeof_unsigned_long_int" >&6; } - test -n "$LEX" && break -done -test -n "$LEX" || LEX="none" - - -# -for ac_header in strings.h string.h stdlib.h unistd.h sys/sockio.h paths.h inttypes.h wchar.h math.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +cat >>confdefs.h <<_ACEOF +#define SIZEOF_UNSIGNED_LONG_INT $ac_cv_sizeof_unsigned_long_int _ACEOF -fi - -done -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for floor in -lm" >&5 -$as_echo_n "checking for floor in -lm... " >&6; } -if test "${ac_cv_lib_m_floor+set}" = set; then : +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:$LINENO: checking size of unsigned long long int" >&5 +$as_echo_n "checking size of unsigned long long int... 
" >&6; } +if test "${ac_cv_sizeof_unsigned_long_long_int+set}" = set; then $as_echo_n "(cached) " >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lm $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) >= 0)]; +test_array [0] = 0 -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char floor (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=0 ac_mid=0 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default int main () { -return floor (); +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_m_floor=yes +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid; break else - ac_cv_lib_m_floor=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo=`expr $ac_mid + 1` + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid + 1` fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_floor" >&5 -$as_echo "$ac_cv_lib_m_floor" >&6; } -if test "x$ac_cv_lib_m_floor" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBM 1 + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) < 0)]; +test_array [0] = 0 - LIBS="-lm $LIBS" + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=-1 ac_mid=-1 + while :; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) >= $ac_mid)]; +test_array [0] = 0 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_lo=$ac_mid; break +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_hi=`expr '(' $ac_mid ')' - 1` + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + ac_mid=`expr 2 '*' $ac_mid` fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ceil in -lm" >&5 -$as_echo_n "checking for ceil in -lm... " >&6; } -if test "${ac_cv_lib_m_ceil+set}" = set; then : - $as_echo_n "(cached) " >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lm $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_lo= ac_hi= +fi -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char ceil (); +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default int main () { -return ceil (); +static int test_array [1 - 2 * !(((long int) (sizeof (unsigned long long int))) <= $ac_mid)]; +test_array [0] = 0 + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_m_ceil=yes +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_hi=$ac_mid else - ac_cv_lib_m_ceil=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_ceil" >&5 -$as_echo "$ac_cv_lib_m_ceil" >&6; } -if test "x$ac_cv_lib_m_ceil" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBM 1 -_ACEOF - - LIBS="-lm $LIBS" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_lo=`expr '(' $ac_mid ')' + 1` fi - -if test "x$rt_nanosleep" = "xyes"; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nanosleep in -lrt" >&5 -$as_echo_n "checking for nanosleep in -lrt... " >&6; } -if test "${ac_cv_lib_rt_nanosleep+set}" = set; then : - $as_echo_n "(cached) " >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in +?*) ac_cv_sizeof_unsigned_long_long_int=$ac_lo;; +'') if test "$ac_cv_type_unsigned_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (unsigned long long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_unsigned_long_long_int=0 + fi ;; +esac else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lrt $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. 
- Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char nanosleep (); +$ac_includes_default +static long int longval () { return (long int) (sizeof (unsigned long long int)); } +static unsigned long int ulongval () { return (long int) (sizeof (unsigned long long int)); } +#include +#include int main () { -return nanosleep (); + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (((long int) (sizeof (unsigned long long int))) < 0) + { + long int i = longval (); + if (i != ((long int) (sizeof (unsigned long long int)))) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ((long int) (sizeof (unsigned long long int)))) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_rt_nanosleep=yes +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_sizeof_unsigned_long_long_int=`cat conftest.val` else - ac_cv_lib_rt_nanosleep=no + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +if test "$ac_cv_type_unsigned_long_long_int" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute sizeof (unsigned long long int) +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute sizeof (unsigned long long int) +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } + else + ac_cv_sizeof_unsigned_long_long_int=0 + fi fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_nanosleep" >&5 -$as_echo "$ac_cv_lib_rt_nanosleep" >&6; } -if test "x$ac_cv_lib_rt_nanosleep" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBRT 1 -_ACEOF +rm -f conftest.val +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_sizeof_unsigned_long_long_int" >&5 +$as_echo "$ac_cv_sizeof_unsigned_long_long_int" >&6; } - LIBS="-lrt $LIBS" -fi -fi +cat >>confdefs.h <<_ACEOF +#define SIZEOF_UNSIGNED_LONG_LONG_INT $ac_cv_sizeof_unsigned_long_long_int +_ACEOF -if test -z "$no_libnsl"; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inet_ntoa in -lnsl" >&5 -$as_echo_n "checking for inet_ntoa in -lnsl... " >&6; } -if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then : + + +# Check for int types +{ $as_echo "$as_me:$LINENO: checking for u_int8_t" >&5 +$as_echo_n "checking for u_int8_t... 
" >&6; } +if test "${ac_cv_type_u_int8_t+set}" = set; then $as_echo_n "(cached) " >&6 else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lnsl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + ac_cv_type_u_int8_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char inet_ntoa (); +$ac_includes_default int main () { -return inet_ntoa (); +if (sizeof (u_int8_t)) + return 0; ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_nsl_inet_ntoa=yes -else - ac_cv_lib_nsl_inet_ntoa=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_inet_ntoa" >&5 -$as_echo "$ac_cv_lib_nsl_inet_ntoa" >&6; } -if test "x$ac_cv_lib_nsl_inet_ntoa" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBNSL 1 +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF - - LIBS="-lnsl $LIBS" - -fi - -fi - -if test -z "$no_libsocket"; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 -$as_echo_n "checking for socket in -lsocket... 
" >&6; } -if test "${ac_cv_lib_socket_socket+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char socket (); +$ac_includes_default int main () { -return socket (); +if (sizeof ((u_int8_t))) + return 0; ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_socket_socket=yes +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - ac_cv_lib_socket_socket=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 -$as_echo "$ac_cv_lib_socket_socket" >&6; } -if test "x$ac_cv_lib_socket_socket" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBSOCKET 1 -_ACEOF - - LIBS="-lsocket $LIBS" - -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_u_int8_t=yes fi -# SunOS4 has several things `broken' -if test "$sunos4" != "no"; then -for ac_func in vsnprintf -do : - ac_fn_c_check_func "$LINENO" "vsnprintf" "ac_cv_func_vsnprintf" -if test "x$ac_cv_func_vsnprintf" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_VSNPRINTF 1 -_ACEOF - +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else - LIBS="$LIBS -ldb" -fi -done + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -for ac_func in strtoul -do : - ac_fn_c_check_func "$LINENO" "strtoul" "ac_cv_func_strtoul" -if test "x$ac_cv_func_strtoul" = x""yes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_STRTOUL 1 -_ACEOF -else - LIBS="$LIBS -l44bsd" fi -done +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int8_t" >&5 +$as_echo "$ac_cv_type_u_int8_t" >&6; } +if test "x$ac_cv_type_u_int8_t" = x""yes; then -# some funky macro to be backwards compatible with earlier autoconfs -# in current they have AC_CHECK_DECLS - - - +cat >>confdefs.h <<_ACEOF +#define HAVE_U_INT8_T 1 +_ACEOF -# some stuff for declarations which were missed on sunos4 platform too. -# -# add `#undef NEED_DECL_FUNCTIONAME to acconfig.h` because autoheader -# fails to work properly with custom macroses. 
-# you will see also #undef for each SN_CHECK_DECLS macros invocation -# because autoheader doesn't execute shell script commands. -# it is possible to make loops using m4 but the code would look even -# more confusing.. -for sn_decl in printf fprintf syslog puts fputs fputc fopen \ - fclose fwrite fflush getopt bzero bcopy memset strtol \ - strcasecmp strncasecmp strerror perror socket sendto \ - vsnprintf snprintf strtoul -do -sn_def_decl=`echo $sn_decl | tr a-z A-Z` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $sn_decl must be declared" >&5 -$as_echo_n "checking whether $sn_decl must be declared... " >&6; } -if eval "test \"\${sn_cv_decl_needed_$sn_decl+set}\"" = set; then : +fi +{ $as_echo "$as_me:$LINENO: checking for u_int16_t" >&5 +$as_echo_n "checking for u_int16_t... " >&6; } +if test "${ac_cv_type_u_int16_t+set}" = set; then $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + ac_cv_type_u_int16_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (u_int16_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. 
*/ - -#include -#ifdef HAVE_STRING_H -#include -#endif -#ifdef HAVE_STRINGS_H -#include -#endif -#ifdef HAVE_STDLIB_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include -#include - +$ac_includes_default int main () { -char *(*pfn); pfn = (char *(*)) $sn_decl; +if (sizeof ((u_int16_t))) + return 0; ; return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "sn_cv_decl_needed_$sn_decl=no" +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : else - eval "sn_cv_decl_needed_$sn_decl=yes" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_u_int16_t=yes fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -if eval "test \"`echo '$sn_cv_decl_needed_'$sn_decl`\" != no"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int16_t" >&5 +$as_echo "$ac_cv_type_u_int16_t" >&6; } +if test "x$ac_cv_type_u_int16_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define NEED_DECL_$sn_def_decl 1 +#define HAVE_U_INT16_T 1 _ACEOF -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - fi -done - - -for ac_func in strlcpy strlcat strerror vswprintf wprintf -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` 
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +{ $as_echo "$as_me:$LINENO: checking for u_int32_t" >&5 +$as_echo_n "checking for u_int32_t... " >&6; } +if test "${ac_cv_type_u_int32_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_u_int32_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (u_int32_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((u_int32_t))) + return 0; + ; + return 0; +} _ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_u_int32_t=yes fi -done - -ac_fn_c_check_func "$LINENO" "snprintf" "ac_cv_func_snprintf" -if test "x$ac_cv_func_snprintf" = x""yes; then : - have_snprintf="yes" +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else - have_snprintf="no" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + fi - if test "x$have_snprintf" != "xyes"; then - BUILD_SNPRINTF_TRUE= - BUILD_SNPRINTF_FALSE='#' -else - BUILD_SNPRINTF_TRUE='#' - BUILD_SNPRINTF_FALSE= +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int32_t" >&5 +$as_echo "$ac_cv_type_u_int32_t" >&6; } +if test "x$ac_cv_type_u_int32_t" = x""yes; then -if test "x$have_snprintf" = "xyes"; then +cat >>confdefs.h <<_ACEOF +#define HAVE_U_INT32_T 1 +_ACEOF -$as_echo "#define HAVE_SNPRINTF /**/" >>confdefs.h fi - -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 -$as_echo_n "checking size of char... " >&6; } -if test "${ac_cv_sizeof_char+set}" = set; then : +{ $as_echo "$as_me:$LINENO: checking for u_int64_t" >&5 +$as_echo_n "checking for u_int64_t... " >&6; } +if test "${ac_cv_type_u_int64_t+set}" = set; then $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : - + ac_cv_type_u_int64_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof (u_int64_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((u_int64_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - if test "$ac_cv_type_char" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (char) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_char=0 - fi -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_u_int64_t=yes fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 -$as_echo "$ac_cv_sizeof_char" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_CHAR $ac_cv_sizeof_char -_ACEOF - -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short" >&5 -$as_echo_n "checking size of short... 
" >&6; } -if test "${ac_cv_sizeof_short+set}" = set; then : - $as_echo_n "(cached) " >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short))" "ac_cv_sizeof_short" "$ac_includes_default"; then : + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -else - if test "$ac_cv_type_short" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (short) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_short=0 - fi -fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short" >&5 -$as_echo "$ac_cv_sizeof_short" >&6; } - +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_u_int64_t" >&5 +$as_echo "$ac_cv_type_u_int64_t" >&6; } +if test "x$ac_cv_type_u_int64_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_SHORT $ac_cv_sizeof_short +#define HAVE_U_INT64_T 1 _ACEOF -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 -$as_echo_n "checking size of int... " >&6; } -if test "${ac_cv_sizeof_int+set}" = set; then : +fi +{ $as_echo "$as_me:$LINENO: checking for uint8_t" >&5 +$as_echo_n "checking for uint8_t... 
" >&6; } +if test "${ac_cv_type_uint8_t+set}" = set; then $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (int) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_int=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 -$as_echo "$ac_cv_sizeof_int" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_INT $ac_cv_sizeof_int + ac_cv_type_uint8_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (uint8_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof ((uint8_t))) + return 0; + ; + return 0; +} _ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_uint8_t=yes +fi -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long int" >&5 -$as_echo_n "checking size of long int... 
" >&6; } -if test "${ac_cv_sizeof_long_int+set}" = set; then : - $as_echo_n "(cached) " >&6 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long int))" "ac_cv_sizeof_long_int" "$ac_includes_default"; then : + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -else - if test "$ac_cv_type_long_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (long int) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_long_int=0 - fi -fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long_int" >&5 -$as_echo "$ac_cv_sizeof_long_int" >&6; } - +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5 +$as_echo "$ac_cv_type_uint8_t" >&6; } +if test "x$ac_cv_type_uint8_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG_INT $ac_cv_sizeof_long_int +#define HAVE_UINT8_T 1 _ACEOF -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long long int" >&5 -$as_echo_n "checking size of long long int... " >&6; } -if test "${ac_cv_sizeof_long_long_int+set}" = set; then : +fi +{ $as_echo "$as_me:$LINENO: checking for uint16_t" >&5 +$as_echo_n "checking for uint16_t... " >&6; } +if test "${ac_cv_type_uint16_t+set}" = set; then $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long long int))" "ac_cv_sizeof_long_long_int" "$ac_includes_default"; then : - + ac_cv_type_uint16_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (uint16_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((uint16_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - if test "$ac_cv_type_long_long_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (long long int) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_long_long_int=0 - fi -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_uint16_t=yes fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long_long_int" >&5 -$as_echo "$ac_cv_sizeof_long_long_int" >&6; } +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5 +$as_echo "$ac_cv_type_uint16_t" >&6; } +if test "x$ac_cv_type_uint16_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG_LONG_INT $ac_cv_sizeof_long_long_int +#define HAVE_UINT16_T 1 _ACEOF -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned int" >&5 -$as_echo_n "checking size of unsigned int... " >&6; } -if test "${ac_cv_sizeof_unsigned_int+set}" = set; then : +fi +{ $as_echo "$as_me:$LINENO: checking for uint32_t" >&5 +$as_echo_n "checking for uint32_t... " >&6; } +if test "${ac_cv_type_uint32_t+set}" = set; then $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned int))" "ac_cv_sizeof_unsigned_int" "$ac_includes_default"; then : - + ac_cv_type_uint32_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (uint32_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((uint32_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - if test "$ac_cv_type_unsigned_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned int) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_unsigned_int=0 - fi -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_uint32_t=yes fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_int" >&5 -$as_echo "$ac_cv_sizeof_unsigned_int" >&6; } + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5 +$as_echo "$ac_cv_type_uint32_t" >&6; } +if test "x$ac_cv_type_uint32_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_INT $ac_cv_sizeof_unsigned_int +#define HAVE_UINT32_T 1 _ACEOF -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long int" >&5 -$as_echo_n "checking size of unsigned long int... " >&6; } -if test "${ac_cv_sizeof_unsigned_long_int+set}" = set; then : +fi +{ $as_echo "$as_me:$LINENO: checking for uint64_t" >&5 +$as_echo_n "checking for uint64_t... " >&6; } +if test "${ac_cv_type_uint64_t+set}" = set; then $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long int))" "ac_cv_sizeof_unsigned_long_int" "$ac_includes_default"; then : - + ac_cv_type_uint64_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (uint64_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((uint64_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - if test "$ac_cv_type_unsigned_long_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned long int) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_unsigned_long_int=0 - fi -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_uint64_t=yes fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long_int" >&5 -$as_echo "$ac_cv_sizeof_unsigned_long_int" >&6; } +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5 +$as_echo "$ac_cv_type_uint64_t" >&6; } +if test "x$ac_cv_type_uint64_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_LONG_INT $ac_cv_sizeof_unsigned_long_int +#define HAVE_UINT64_T 1 _ACEOF -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long long int" >&5 -$as_echo_n "checking size of unsigned long long int... " >&6; } -if test "${ac_cv_sizeof_unsigned_long_long_int+set}" = set; then : +fi + +{ $as_echo "$as_me:$LINENO: checking for int8_t" >&5 +$as_echo_n "checking for int8_t... 
" >&6; } +if test "${ac_cv_type_int8_t+set}" = set; then $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long long int))" "ac_cv_sizeof_unsigned_long_long_int" "$ac_includes_default"; then : - + ac_cv_type_int8_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (int8_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((int8_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : else - if test "$ac_cv_type_unsigned_long_long_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned long long int) -See \`config.log' for more details" "$LINENO" 5 ; } - else - ac_cv_sizeof_unsigned_long_long_int=0 - fi -fi + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_int8_t=yes fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long_long_int" >&5 -$as_echo "$ac_cv_sizeof_unsigned_long_long_int" >&6; } - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_LONG_LONG_INT $ac_cv_sizeof_unsigned_long_long_int -_ACEOF +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 +fi -# Check for int types -ac_fn_c_check_type "$LINENO" "u_int8_t" "ac_cv_type_u_int8_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int8_t" = x""yes; then : +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5 +$as_echo "$ac_cv_type_int8_t" >&6; } +if test "x$ac_cv_type_int8_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT8_T 1 +#define HAVE_INT8_T 1 _ACEOF fi -ac_fn_c_check_type "$LINENO" "u_int16_t" "ac_cv_type_u_int16_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int16_t" = x""yes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT16_T 1 +{ $as_echo "$as_me:$LINENO: checking for int16_t" >&5 +$as_echo_n "checking for int16_t... " >&6; } +if test "${ac_cv_type_int16_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_int16_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof (int16_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((int16_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - + ac_cv_type_int16_t=yes fi -ac_fn_c_check_type "$LINENO" "u_int32_t" "ac_cv_type_u_int32_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int32_t" = x""yes; then : -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT32_T 1 -_ACEOF +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -ac_fn_c_check_type "$LINENO" "u_int64_t" "ac_cv_type_u_int64_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int64_t" = x""yes; then : +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5 +$as_echo "$ac_cv_type_int16_t" >&6; } +if test "x$ac_cv_type_int16_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT64_T 1 +#define HAVE_INT16_T 1 _ACEOF fi -ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "$ac_includes_default" -if test "x$ac_cv_type_uint8_t" = x""yes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT8_T 1 +{ $as_echo "$as_me:$LINENO: checking for int32_t" >&5 +$as_echo_n "checking for int32_t... " >&6; } +if test "${ac_cv_type_int32_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_int32_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (int32_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((int32_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - + ac_cv_type_int32_t=yes fi -ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "$ac_includes_default" -if test "x$ac_cv_type_uint16_t" = x""yes; then : -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT16_T 1 -_ACEOF +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 fi -ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "$ac_includes_default" -if test "x$ac_cv_type_uint32_t" = x""yes; then : + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5 +$as_echo "$ac_cv_type_int32_t" >&6; } +if test "x$ac_cv_type_int32_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_UINT32_T 1 +#define HAVE_INT32_T 1 _ACEOF fi -ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "$ac_includes_default" -if test "x$ac_cv_type_uint64_t" = x""yes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_UINT64_T 1 +{ $as_echo "$as_me:$LINENO: checking for int64_t" >&5 +$as_echo_n "checking for int64_t... " >&6; } +if test "${ac_cv_type_int64_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_int64_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (int64_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((int64_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 - + ac_cv_type_int64_t=yes fi -ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "$ac_includes_default" -if test "x$ac_cv_type_int8_t" = x""yes; then : +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -cat >>confdefs.h <<_ACEOF -#define HAVE_INT8_T 1 -_ACEOF +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "$ac_includes_default" -if test "x$ac_cv_type_int16_t" = x""yes; then : +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5 +$as_echo "$ac_cv_type_int64_t" >&6; } +if test "x$ac_cv_type_int64_t" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_INT16_T 1 +#define HAVE_INT64_T 1 _ACEOF fi -ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "$ac_includes_default" -if test "x$ac_cv_type_int32_t" = x""yes; then : -cat >>confdefs.h <<_ACEOF -#define HAVE_INT32_T 1 -_ACEOF +{ $as_echo "$as_me:$LINENO: checking for boolean" >&5 +$as_echo_n "checking for boolean... " >&6; } +if test "${ac_cv_type_boolean+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_boolean=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (boolean)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((boolean))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_type_boolean=yes fi -ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "$ac_includes_default" -if test "x$ac_cv_type_int64_t" = x""yes; then : -cat >>confdefs.h <<_ACEOF -#define HAVE_INT64_T 1 -_ACEOF +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 fi - -ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default" -if test "x$ac_cv_type_boolean" = x""yes; then : +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_boolean" >&5 +$as_echo "$ac_cv_type_boolean" >&6; } +if test "x$ac_cv_type_boolean" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_BOOLEAN 1 
@@ -13113,15 +19036,22 @@ # In case INADDR_NONE is not defined (like on Solaris) have_inaddr_none="no" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for INADDR_NONE" >&5 +{ $as_echo "$as_me:$LINENO: checking for INADDR_NONE" >&5 $as_echo_n "checking for INADDR_NONE... " >&6; } -if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -13139,24 +19069,57 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then have_inaddr_none="yes" else - have_inaddr_none="no" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +have_inaddr_none="no" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_inaddr_none" >&5 + +{ $as_echo "$as_me:$LINENO: result: $have_inaddr_none" >&5 $as_echo "$have_inaddr_none" >&6; } if test "x$have_inaddr_none" = "xno"; then -$as_echo "#define INADDR_NONE -1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define INADDR_NONE -1 +_ACEOF fi -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -13169,16 +19132,45 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + +cat >>confdefs.h <<\_ACEOF +#define ERRLIST_PREDEFINED 1 +_ACEOF + +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -$as_echo "#define ERRLIST_PREDEFINED 1" >>confdefs.h fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __FUNCTION__" >&5 +{ $as_echo "$as_me:$LINENO: checking for __FUNCTION__" >&5 $as_echo_n "checking for __FUNCTION__... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -13191,24 +19183,51 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then sn_cv_have___FUNCTION__=yes else - sn_cv__have___FUNCTION__=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + sn_cv__have___FUNCTION__=no fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test "x$sn_cv_have___FUNCTION__" = "xyes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } -$as_echo "#define HAVE___FUNCTION__ 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE___FUNCTION__ 1 +_ACEOF else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __func__" >&5 + { $as_echo "$as_me:$LINENO: checking for __func__" >&5 $as_echo_n "checking for __func__... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -13221,32 +19240,59 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then sn_cv_have___func__=yes else - sn_cv__have___func__=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + sn_cv__have___func__=no fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test "x$sn_cv_have___func__" = "xyes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } -$as_echo "#define HAVE___func__ 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE___func__ 1 +_ACEOF -$as_echo "#define __FUNCTION__ __func__" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define __FUNCTION__ __func__ +_ACEOF else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } - $as_echo "#define __FUNCTION__ \"mystery function\"" >>confdefs.h + cat >>confdefs.h <<\_ACEOF +#define __FUNCTION__ "mystery function" +_ACEOF fi fi # Check whether --with-libpcap_includes was given. -if test "${with_libpcap_includes+set}" = set; then : +if test "${with_libpcap_includes+set}" = set; then withval=$with_libpcap_includes; with_libpcap_includes="$withval" else with_libpcap_includes="no" 
@@ -13255,7 +19301,7 @@ # Check whether --with-libpcap_libraries was given. -if test "${with_libpcap_libraries+set}" = set; then : +if test "${with_libpcap_libraries+set}" = set; then withval=$with_libpcap_libraries; with_libpcap_libraries="$withval" else with_libpcap_libraries="no" @@ -13274,7 +19320,7 @@ # --with-libpfring-* options # Check whether --with-libpfring_includes was given. -if test "${with_libpfring_includes+set}" = set; then : +if test "${with_libpfring_includes+set}" = set; then withval=$with_libpfring_includes; with_libpfring_includes="$withval" else with_libpfring_includes="no" @@ -13283,7 +19329,7 @@ # Check whether --with-libpfring_libraries was given. -if test "${with_libpfring_libraries+set}" = set; then : +if test "${with_libpfring_libraries+set}" = set; then withval=$with_libpfring_libraries; with_libpfring_libraries="$withval" else with_libpfring_libraries="no" @@ -13299,14 +19345,19 @@ fi LPCAP="" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcap_datalink in -lpcap" >&5 + +{ $as_echo "$as_me:$LINENO: checking for pcap_datalink in -lpcap" >&5 $as_echo_n "checking for pcap_datalink in -lpcap... " >&6; } -if test "${ac_cv_lib_pcap_pcap_datalink+set}" = set; then : +if test "${ac_cv_lib_pcap_pcap_datalink+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpcap $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13324,18 +19375,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_pcap_pcap_datalink=yes else - ac_cv_lib_pcap_pcap_datalink=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_pcap_pcap_datalink=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_pcap_datalink" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pcap_datalink" >&5 $as_echo "$ac_cv_lib_pcap_pcap_datalink" >&6; } -if test "x$ac_cv_lib_pcap_pcap_datalink" = x""yes; then : +if test "x$ac_cv_lib_pcap_pcap_datalink" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBPCAP 1 _ACEOF 
@@ -13351,12 +19427,146 @@ # using a pfring-enabled pcap. if test "x$LPCAP" = "xno"; then PFRING_H="" - for ac_header in pfring.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "pfring.h" "ac_cv_header_pfring_h" "$ac_includes_default" -if test "x$ac_cv_header_pfring_h" = x""yes; then : + +for ac_header in pfring.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_PFRING_H 1 +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else 
@@ -13373,14 +19583,19 @@ # in configure.in. Durring linking, the pfring library (-lpfring) MUST come # _after_ the libpcap library (-lpcap) or linking will fail. PFRING_L="" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pfring_open in -lpfring" >&5 + +{ $as_echo "$as_me:$LINENO: checking for pfring_open in -lpfring" >&5 $as_echo_n "checking for pfring_open in -lpfring... " >&6; } -if test "${ac_cv_lib_pfring_pfring_open+set}" = set; then : +if test "${ac_cv_lib_pfring_pfring_open+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpfring $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13398,18 +19613,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_pfring_pfring_open=yes else - ac_cv_lib_pfring_pfring_open=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_pfring_pfring_open=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pfring_pfring_open" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pfring_pfring_open" >&5 $as_echo "$ac_cv_lib_pfring_pfring_open" >&6; } -if test "x$ac_cv_lib_pfring_pfring_open" = x""yes; then : +if test "x$ac_cv_lib_pfring_pfring_open" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBPFRING 1 _ACEOF 
@@ -13422,14 +19662,19 @@ LPFRING_PCAP="" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pfring_open in -lpcap" >&5 + +{ $as_echo "$as_me:$LINENO: checking for pfring_open in -lpcap" >&5 $as_echo_n "checking for pfring_open in -lpcap... " >&6; } -if test "${ac_cv_lib_pcap_pfring_open+set}" = set; then : +if test "${ac_cv_lib_pcap_pfring_open+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpcap -lpfring $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13447,18 +19692,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_pcap_pfring_open=yes else - ac_cv_lib_pcap_pfring_open=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_pcap_pfring_open=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_pfring_open" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pfring_open" >&5 $as_echo "$ac_cv_lib_pcap_pfring_open" >&6; } -if test "x$ac_cv_lib_pcap_pfring_open" = x""yes; then : +if test "x$ac_cv_lib_pcap_pfring_open" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBPCAP 1 _ACEOF 
@@ -13484,15 +19754,22 @@ fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcap_lex_destroy" >&5 +{ $as_echo "$as_me:$LINENO: checking for pcap_lex_destroy" >&5 $as_echo_n "checking for pcap_lex_destroy... " >&6; } -if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -13507,26 +19784,59 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then have_pcap_lex_destroy="yes" else - have_pcap_lex_destroy="no" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +have_pcap_lex_destroy="no" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_pcap_lex_destroy" >&5 + +{ $as_echo "$as_me:$LINENO: result: $have_pcap_lex_destroy" >&5 $as_echo "$have_pcap_lex_destroy" >&6; } if test "x$have_pcap_lex_destroy" = "xyes"; then -$as_echo "#define HAVE_PCAP_LEX_DESTROY 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_PCAP_LEX_DESTROY 1 +_ACEOF fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcap_lib_version" >&5 +{ $as_echo "$as_me:$LINENO: checking for pcap_lib_version" >&5 $as_echo_n "checking for pcap_lib_version... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include int @@ -13538,20 +19848,47 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then have_pcap_lib_version="yes" else - have_pcap_lib_version="no" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + have_pcap_lib_version="no" fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_pcap_lib_version" >&5 + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $have_pcap_lib_version" >&5 $as_echo "$have_pcap_lib_version" >&6; } if test "x$have_pcap_lib_version" = "xyes"; then -$as_echo "#define HAVE_PCAP_LIB_VERSION 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_PCAP_LIB_VERSION 1 +_ACEOF fi @@ -13559,7 +19896,7 @@ # Check whether --with-libpcre_includes was given. -if test "${with_libpcre_includes+set}" = set; then : +if test "${with_libpcre_includes+set}" = set; then withval=$with_libpcre_includes; with_libpcre_includes="$withval" else with_libpcre_includes="no" 
@@ -13567,35 +19904,170 @@ -# Check whether --with-libpcre_libraries was given. -if test "${with_libpcre_libraries+set}" = set; then : - withval=$with_libpcre_libraries; with_libpcre_libraries="$withval" +# Check whether --with-libpcre_libraries was given. +if test "${with_libpcre_libraries+set}" = set; then + withval=$with_libpcre_libraries; with_libpcre_libraries="$withval" +else + with_libpcre_libraries="no" +fi + + +if test "x$with_libpcre_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_libpcre_includes}" +else + CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`" +fi + +if test "x$with_libpcre_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}" +else + LDFLAGS="${LDFLAGS} `pcre-config --libs`" +fi + +# PCRE configuration (required) +# Verify that we have the headers +PCRE_H="" + +for ac_header in pcre.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! 
-s conftest.err + }; then + ac_header_preproc=yes else - with_libpcre_libraries="no" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no fi +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } -if test "x$with_libpcre_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}" -else - CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`" -fi +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} -if test "x$with_libpcre_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}" -else - LDFLAGS="${LDFLAGS} `pcre-config --libs`" -fi + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } -# PCRE configuration (required) -# Verify that we have the headers -PCRE_H="" -for ac_header in pcre.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "pcre.h" "ac_cv_header_pcre_h" "$ac_includes_default" -if test "x$ac_cv_header_pcre_h" = x""yes; then : +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_PCRE_H 1 +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else 
@@ -13614,14 +20086,19 @@ # Verify that we have the library PCRE_L="" pcre_version_six="" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcre_compile in -lpcre" >&5 + +{ $as_echo "$as_me:$LINENO: checking for pcre_compile in -lpcre" >&5 $as_echo_n "checking for pcre_compile in -lpcre... " >&6; } -if test "${ac_cv_lib_pcre_pcre_compile+set}" = set; then : +if test "${ac_cv_lib_pcre_pcre_compile+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpcre $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13639,18 +20116,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_pcre_pcre_compile=yes else - ac_cv_lib_pcre_pcre_compile=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_pcre_pcre_compile=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcre_pcre_compile" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pcre_pcre_compile" >&5 $as_echo "$ac_cv_lib_pcre_pcre_compile" >&6; } -if test "x$ac_cv_lib_pcre_pcre_compile" = x""yes; then : +if test "x$ac_cv_lib_pcre_pcre_compile" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBPCRE 1 _ACEOF 
@@ -13668,9 +20170,13 @@ echo exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libpcre version 6.0 or greater" >&5 + { $as_echo "$as_me:$LINENO: checking for libpcre version 6.0 or greater" >&5 $as_echo_n "checking for libpcre version 6.0 or greater... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include int @@ -13689,17 +20195,42 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then pcre_version_six="yes" else - pcre_version_six="no" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + pcre_version_six="no" fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext fi if test "x$pcre_version_six" != "xyes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } echo echo " ERROR! Libpcre library version >= 6.0 not found." 
@@ -13707,91 +20238,535 @@ echo exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -fi + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +fi + + + +if test "x$SIGNAL_SNORT_RELOAD" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_RELOAD $SIGNAL_SNORT_RELOAD +_ACEOF + +fi + + +if test "x$SIGNAL_SNORT_DUMP_STATS" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_DUMP_STATS $SIGNAL_SNORT_DUMP_STATS +_ACEOF + +fi + + +if test "x$SIGNAL_SNORT_ROTATE_STATS" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_ROTATE_STATS $SIGNAL_SNORT_ROTATE_STATS +_ACEOF + +fi + + +if test "x$SIGNAL_SNORT_READ_ATTR_TBL" != "x" ; then + +cat >>confdefs.h <<_ACEOF +#define SIGNAL_SNORT_READ_ATTR_TBL $SIGNAL_SNORT_READ_ATTR_TBL +_ACEOF + +fi + +# Check whether --enable-dynamicplugin was given. +if test "${enable_dynamicplugin+set}" = set; then + enableval=$enable_dynamicplugin; enable_dynamicplugin="$enableval" +else + enable_dynamicplugin="yes" +fi + + if test "x$enable_dynamicplugin" = "xyes"; then + HAVE_DYNAMIC_PLUGINS_TRUE= + HAVE_DYNAMIC_PLUGINS_FALSE='#' +else + HAVE_DYNAMIC_PLUGINS_TRUE='#' + HAVE_DYNAMIC_PLUGINS_FALSE= +fi + + +if test "x$enable_dynamicplugin" = "xyes"; then + CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" +fi + +# Check whether --enable-so_with_static_lib was given. +if test "${enable_so_with_static_lib+set}" = set; then + enableval=$enable_so_with_static_lib; enable_so_with_static_lib="$enableval" +else + enable_so_with_static_lib=$so_with_static_lib +fi + + if test "x$enable_so_with_static_lib" = "xyes"; then + SO_WITH_STATIC_LIB_TRUE= + SO_WITH_STATIC_LIB_FALSE='#' +else + SO_WITH_STATIC_LIB_TRUE='#' + SO_WITH_STATIC_LIB_FALSE= +fi + + +# Check whether --enable-control_socket was given. 
+if test "${enable_control_socket+set}" = set; then + enableval=$enable_control_socket; enable_control_socket="$enableval" +else + enable_control_socket="no" +fi + +if test "x$linux" != "xyes"; then + if test "x$enable_control_socket" = "xyes"; then + { $as_echo "$as_me:$LINENO: WARNING: The control socket is only supported on Linux systems." >&5 +$as_echo "$as_me: WARNING: The control socket is only supported on Linux systems." >&2;} + enable_control_socket="no" + fi +fi + if test "x$enable_control_socket" = "xyes"; then + BUILD_CONTROL_SOCKET_TRUE= + BUILD_CONTROL_SOCKET_FALSE='#' +else + BUILD_CONTROL_SOCKET_TRUE='#' + BUILD_CONTROL_SOCKET_FALSE= +fi + +if test "x$enable_control_socket" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DCONTROL_SOCKET" +fi + +# check for dnet first since some DAQs need it + +# Check whether --with-dnet_includes was given. +if test "${with_dnet_includes+set}" = set; then + withval=$with_dnet_includes; with_dnet_includes="$withval" +else + with_dnet_includes="no" +fi + + + +# Check whether --with-dnet_libraries was given. +if test "${with_dnet_libraries+set}" = set; then + withval=$with_dnet_libraries; with_dnet_libraries="$withval" +else + with_dnet_libraries="no" +fi + + +if test "x$with_dnet_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}" +else + CPPFLAGS="${CPPFLAGS} `dnet-config --cflags 2>/dev/null`" +fi + +if test "x$with_dnet_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}" +else + LDFLAGS="${LDFLAGS} `dnet-config --libs 2>/dev/null`" +fi + + +for ac_header in dnet.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +else + DNET_H="no" +fi + +done + + +for ac_header in dumbnet.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? 
+{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -# Check whether --enable-dynamicplugin was given. -if test "${enable_dynamicplugin+set}" = set; then : - enableval=$enable_dynamicplugin; enable_dynamicplugin="$enableval" -else - enable_dynamicplugin="yes" + ac_header_compiler=no fi - if test "x$enable_dynamicplugin" = "xyes"; then - HAVE_DYNAMIC_PLUGINS_TRUE= - HAVE_DYNAMIC_PLUGINS_FALSE='#' +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes else - HAVE_DYNAMIC_PLUGINS_TRUE='#' - HAVE_DYNAMIC_PLUGINS_FALSE= + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no fi +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } -if test "x$enable_dynamicplugin" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" -fi +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } -# check for dumbnet first since some DAQs need it +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF -# Check whether --with-dumbnet_includes was given. -if test "${with_dumbnet_includes+set}" = set; then : - withval=$with_dumbnet_includes; with_dumbnet_includes="$withval" else - with_dumbnet_includes="no" + DUMBNET_H="no" fi +done -# Check whether --with-dumbnet_libraries was given. -if test "${with_dumbnet_libraries+set}" = set; then : - withval=$with_dumbnet_libraries; with_dumbnet_libraries="$withval" -else - with_dumbnet_libraries="no" +if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then + echo + echo " ERROR! 
dnet header not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" + echo " options, if you have it installed in an unusual place" + exit fi -if test "x$with_dumbnet_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_dumbnet_includes}" +{ $as_echo "$as_me:$LINENO: checking for eth_set in -ldnet" >&5 +$as_echo_n "checking for eth_set in -ldnet... " >&6; } +if test "${ac_cv_lib_dnet_eth_set+set}" = set; then + $as_echo_n "(cached) " >&6 else - CPPFLAGS="${CPPFLAGS} `dumbnet-config --cflags`" -fi + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldnet $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ -if test "x$with_dumbnet_libraries" != "xno"; then - LDFLAGS="${LDFLAGS} -L${with_dumbnet_libraries} -ldumbnet" +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char eth_set (); +int +main () +{ +return eth_set (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dnet_eth_set=yes else - LDFLAGS="${LDFLAGS} `dumbnet-config --libs`" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dnet_eth_set=no fi -for ac_header in dumbnet.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "dumbnet.h" "ac_cv_header_dumbnet_h" "$ac_includes_default" -if test "x$ac_cv_header_dumbnet_h" = x""yes; then : +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dnet_eth_set" >&5 +$as_echo "$ac_cv_lib_dnet_eth_set" >&6; } +if test "x$ac_cv_lib_dnet_eth_set" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_DUMBNET_H 1 +#define HAVE_LIBDNET 1 _ACEOF - DNET="yes" + + LIBS="-ldnet $LIBS" + else DNET="no" fi -done - -if test "x$DNET" = "xno"; then - echo - echo " ERROR! dumbnet header not found, go get it from" - echo " http://code.google.com/p/libdnet/ or use the --with-dumbnet-*" - echo " options, if you have it installed in an unusual place" - exit -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for eth_set in -ldumbnet" >&5 +{ $as_echo "$as_me:$LINENO: checking for eth_set in -ldumbnet" >&5 $as_echo_n "checking for eth_set in -ldumbnet... " >&6; } -if test "${ac_cv_lib_dumbnet_eth_set+set}" = set; then : +if test "${ac_cv_lib_dumbnet_eth_set+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldumbnet $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13809,34 +20784,65 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_dumbnet_eth_set=yes else - ac_cv_lib_dumbnet_eth_set=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dumbnet_eth_set=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dumbnet_eth_set" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dumbnet_eth_set" >&5 $as_echo "$ac_cv_lib_dumbnet_eth_set" >&6; } -if test "x$ac_cv_lib_dumbnet_eth_set" = x""yes; then : - DNET="yes" +if test "x$ac_cv_lib_dumbnet_eth_set" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBDUMBNET 1 +_ACEOF + + LIBS="-ldumbnet $LIBS" + else - DNET="no" + DUMBNET="no" fi -if test "x$DNET" = "xno"; then + +if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then echo - echo " ERROR! dumbnet library not found, go get it from" - echo " http://code.google.com/p/libdnet/ or use the --with-dumbnet-*" + echo " ERROR! 
dnet library not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" echo " options, if you have it installed in an unusual place" exit fi # Check whether --with-daq_includes was given. -if test "${with_daq_includes+set}" = set; then : +if test "${with_daq_includes+set}" = set; then withval=$with_daq_includes; with_daq_includes="$withval" else with_daq_includes="no" @@ -13845,7 +20851,7 @@ # Check whether --with-daq_libraries was given. -if test "${with_daq_libraries+set}" = set; then : +if test "${with_daq_libraries+set}" = set; then withval=$with_daq_libraries; with_daq_libraries="$withval" else with_daq_libraries="no" @@ -13854,6 +20860,7 @@ if test "x$with_daq_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_daq_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_daq_includes}" fi if test "x$with_daq_libraries" != "xno"; then @@ -13861,7 +20868,7 @@ fi # Check whether --enable-static_daq was given. -if test "${enable_static_daq+set}" = set; then : +if test "${enable_static_daq+set}" = set; then enableval=$enable_static_daq; enable_static_daq="$enableval" else enable_static_daq="yes" @@ -13871,14 +20878,18 @@ if test "x$enable_static_daq" = "xyes" \ -o "x$enable_dynamicplugin" = "xyes" ; \ then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlsym in -ldl" >&5 + { $as_echo "$as_me:$LINENO: checking for dlsym in -ldl" >&5 $as_echo_n "checking for dlsym in -ldl... " >&6; } -if test "${ac_cv_lib_dl_dlsym+set}" = set; then : +if test "${ac_cv_lib_dl_dlsym+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13896,18 +20907,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_dl_dlsym=yes else - ac_cv_lib_dl_dlsym=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dl_dlsym=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlsym" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlsym" >&5 $as_echo "$ac_cv_lib_dl_dlsym" >&6; } -if test "x$ac_cv_lib_dl_dlsym" = x""yes; then : +if test "x$ac_cv_lib_dl_dlsym" = x""yes; then DLLIB="yes" else DLLIB="no" 
@@ -13917,14 +20953,18 @@ if test "$DLLIB" != "no"; then LIBS="${LIBS} -ldl" else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlsym in -lc" >&5 + { $as_echo "$as_me:$LINENO: checking for dlsym in -lc" >&5 $as_echo_n "checking for dlsym in -lc... " >&6; } -if test "${ac_cv_lib_c_dlsym+set}" = set; then : +if test "${ac_cv_lib_c_dlsym+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lc $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13942,18 +20982,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_c_dlsym=yes else - ac_cv_lib_c_dlsym=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_c_dlsym=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_dlsym" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_dlsym" >&5 $as_echo "$ac_cv_lib_c_dlsym" >&6; } -if test "x$ac_cv_lib_c_dlsym" = x""yes; then : +if test "x$ac_cv_lib_c_dlsym" = x""yes; then DLLIB="yes" else DLLIB="no" 
@@ -13972,14 +21037,18 @@ if test "x$enable_static_daq" = "xyes"; then LDAQ="" LIBS="${LIBS} `daq-modules-config --static --libs`" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for daq_load_modules in -ldaq_static" >&5 + { $as_echo "$as_me:$LINENO: checking for daq_load_modules in -ldaq_static" >&5 $as_echo_n "checking for daq_load_modules in -ldaq_static... " >&6; } -if test "${ac_cv_lib_daq_static_daq_load_modules+set}" = set; then : +if test "${ac_cv_lib_daq_static_daq_load_modules+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldaq_static $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -13997,18 +21066,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_daq_static_daq_load_modules=yes else - ac_cv_lib_daq_static_daq_load_modules=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_daq_static_daq_load_modules=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_daq_static_daq_load_modules" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_daq_static_daq_load_modules" >&5 $as_echo "$ac_cv_lib_daq_static_daq_load_modules" >&6; } -if test "x$ac_cv_lib_daq_static_daq_load_modules" = x""yes; then : +if test "x$ac_cv_lib_daq_static_daq_load_modules" = x""yes; then LIBS="-ldaq_static ${LIBS}" else LDAQ="no" 
@@ -14024,14 +21118,18 @@ fi else LDAQ="" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for daq_load_modules in -ldaq" >&5 + { $as_echo "$as_me:$LINENO: checking for daq_load_modules in -ldaq" >&5 $as_echo_n "checking for daq_load_modules in -ldaq... " >&6; } -if test "${ac_cv_lib_daq_daq_load_modules+set}" = set; then : +if test "${ac_cv_lib_daq_daq_load_modules+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldaq $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -14049,41 +21147,171 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_daq_daq_load_modules=yes else - ac_cv_lib_daq_daq_load_modules=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_daq_daq_load_modules=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_daq_daq_load_modules" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_daq_daq_load_modules" >&5 $as_echo "$ac_cv_lib_daq_daq_load_modules" >&6; } -if test "x$ac_cv_lib_daq_daq_load_modules" = x""yes; then : +if test "x$ac_cv_lib_daq_daq_load_modules" = x""yes; then LIBS="${LIBS} -ldaq" else LDAQ="no" fi - if test "x$LDAQ" = "xno"; then - echo - echo " ERROR! daq library not found, go get it from" - echo " http://www.snort.org/." - #AC_MSG_ERROR("Fatal!") - exit 1 - fi + if test "x$LDAQ" = "xno"; then + echo + echo " ERROR! daq library not found, go get it from" + echo " http://www.snort.org/." 
+ #AC_MSG_ERROR("Fatal!") + exit 1 + fi +fi + + + +for ac_func in daq_hup_apply daq_acquire_with_meta +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + fi +done + # any sparc platform has to have this one defined. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sparc" >&5 +{ $as_echo "$as_me:$LINENO: checking for sparc" >&5 $as_echo_n "checking for sparc... " >&6; } if eval "echo $host_cpu|grep -i sparc >/dev/null"; then -$as_echo "#define WORDS_MUSTALIGN 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define WORDS_MUSTALIGN 1 +_ACEOF - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } # gcc, sparc and optimization not so good @@ -14091,7 +21319,7 @@ NO_OPTIMIZE="yes" fi else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -14099,15 +21327,22 @@ if eval "echo $host_cpu|grep -i sparc >/dev/null"; then OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -mcpu=v9 " - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sparc %time register" >&5 + { $as_echo "$as_me:$LINENO: checking for sparc %time register" >&5 $as_echo_n "checking for sparc %time register... " >&6; } - if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ int 
@@ -14121,20 +21356,49 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then sparcv9="yes" else - sparcv9="no" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +sparcv9="no" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sparcv9" >&5 + + { $as_echo "$as_me:$LINENO: result: $sparcv9" >&5 $as_echo "$sparcv9" >&6; } if test "x$sparcv9" = "xyes"; then -$as_echo "#define SPARCV9 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define SPARCV9 1 +_ACEOF else CFLAGS="$OLD_CFLAGS" @@ -14145,9 +21409,9 @@ - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for visibility support" >&5 + { $as_echo "$as_me:$LINENO: checking for visibility support" >&5 $as_echo_n "checking for visibility support... " >&6; } - if test "${gl_cv_cc_visibility+set}" = set; then : + if test "${gl_cv_cc_visibility+set}" = set; then $as_echo_n "(cached) " >&6 else 
@@ -14155,7 +21419,11 @@ # Add -Werror flag since some compilers, e.g. icc 7.1, don't support it, # but only warn about it instead of compilation failing CFLAGS="$CFLAGS -Werror -fvisibility=hidden" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ extern __attribute__((__visibility__("hidden"))) int hiddenvar; 
@@ -14170,29 +21438,51 @@ return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then gl_cv_cc_visibility="yes" else - gl_cv_cc_visibility="no" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + gl_cv_cc_visibility="no" fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_cc_visibility" >&5 + { $as_echo "$as_me:$LINENO: result: $gl_cv_cc_visibility" >&5 $as_echo "$gl_cv_cc_visibility" >&6; } + CFLAGS="$gl_save_CFLAGS" if test "x$gl_cv_cc_visibility" = "xyes"; then - CFLAGS="$gl_save_CFLAGS -fvisibility=hidden" + CCONFIGFLAGS="${CCONFIGFLAGS} -DSF_VISIBILITY -fvisibility=hidden" -$as_echo "#define HAVE_VISIBILITY 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_VISIBILITY 1 +_ACEOF - else - CFLAGS="$gl_save_CFLAGS" fi # Check whether --enable-build-dynamic-examples was given. -if test "${enable_build_dynamic_examples+set}" = set; then : +if test "${enable_build_dynamic_examples+set}" = set; then enableval=$enable_build_dynamic_examples; build_dynamic_examples="$enableval" else build_dynamic_examples="no" @@ -14216,7 +21506,7 @@ fi # Check whether --enable-dlclose was given. -if test "${enable_dlclose+set}" = set; then : +if test "${enable_dlclose+set}" = set; then enableval=$enable_dlclose; enable_dlclose="$enableval" else enable_dlclose="yes" 
@@ -14224,19 +21514,21 @@ if test "x$enable_dlclose" = "xno"; then -$as_echo "#define DISABLE_DLCLOSE_FOR_VALGRIND_TESTING 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define DISABLE_DLCLOSE_FOR_VALGRIND_TESTING 1 +_ACEOF fi # Check whether --enable-ipv6 was given. -if test "${enable_ipv6+set}" = set; then : +if test "${enable_ipv6+set}" = set; then enableval=$enable_ipv6; enable_ipv6="$enableval" else - enable_ipv6="no" + enable_ipv6="yes" fi if test "x$enable_ipv6" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSUP_IP6" + CONFIGFLAGS="$CONFIGFLAGS -DSUP_IP6" fi if test "x$enable_ipv6" = "xyes"; then HAVE_SUP_IP6_TRUE= @@ -14248,10 +21540,10 @@ # Check whether --enable-zlib was given. -if test "${enable_zlib+set}" = set; then : +if test "${enable_zlib+set}" = set; then enableval=$enable_zlib; enable_zlib="$enableval" else - enable_zlib="no" + enable_zlib="yes" fi if test "x$enable_zlib" = "xyes"; then 
@@ -14264,12 +21556,146 @@ if test "x$enable_zlib" = "xyes"; then Z_LIB="" - for ac_header in zlib.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "zlib.h" "ac_cv_header_zlib_h" "$ac_includes_default" -if test "x$ac_cv_header_zlib_h" = x""yes; then : + +for ac_header in zlib.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then cat >>confdefs.h <<_ACEOF -#define HAVE_ZLIB_H 1 +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else 
@@ -14278,7 +21704,7 @@ done - if test "x$ZLIB" = "xno"; then + if test "x$Z_LIB" = "xno"; then echo echo " ERROR! zlib header not found, go get it from" echo " http://www.zlib.net" @@ -14286,14 +21712,19 @@ fi Z_LIB="" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inflate in -lz" >&5 + +{ $as_echo "$as_me:$LINENO: checking for inflate in -lz" >&5 $as_echo_n "checking for inflate in -lz... " >&6; } -if test "${ac_cv_lib_z_inflate+set}" = set; then : +if test "${ac_cv_lib_z_inflate+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lz $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -14311,18 +21742,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_z_inflate=yes else - ac_cv_lib_z_inflate=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_z_inflate=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_inflate" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_z_inflate" >&5 $as_echo "$ac_cv_lib_z_inflate" >&6; } -if test "x$ac_cv_lib_z_inflate" = x""yes; then : +if test "x$ac_cv_lib_z_inflate" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBZ 1 _ACEOF @@ -14333,7 +21789,7 @@ Z_LIB="no" fi - if test "x$ZLIB" = "xno"; then + if test "x$Z_LIB" = "xno"; then echo echo " ERROR! zlib library not found, go get it from" echo " http://www.zlib.net" @@ -14344,10 +21800,10 @@ fi # Check whether --enable-gre was given. -if test "${enable_gre+set}" = set; then : +if test "${enable_gre+set}" = set; then enableval=$enable_gre; enable_gre="$enableval" else - enable_gre="no" + enable_gre="yes" fi if test "x$enable_gre" = "xyes"; then 
@@ -14355,10 +21811,10 @@ fi # Check whether --enable-mpls was given. -if test "${enable_mpls+set}" = set; then : +if test "${enable_mpls+set}" = set; then enableval=$enable_mpls; enable_mpls="$enableval" else - enable_mpls="no" + enable_mpls="yes" fi if test "x$enable_mpls" = "xyes"; then @@ -14366,10 +21822,10 @@ fi # Check whether --enable-targetbased was given. -if test "${enable_targetbased+set}" = set; then : +if test "${enable_targetbased+set}" = set; then enableval=$enable_targetbased; enable_targetbased="$enableval" else - enable_targetbased="no" + enable_targetbased="yes" fi @@ -14382,7 +21838,7 @@ fi if test "x$enable_targetbased" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DTARGET_BASED" + CONFIGFLAGS="$CONFIGFLAGS -DTARGET_BASED" LIBS="$LIBS -lpthread" if test "$LEX" = "none"; then echo @@ -14403,10 +21859,10 @@ fi # Check whether --enable-decoder-preprocessor-rules was given. -if test "${enable_decoder_preprocessor_rules+set}" = set; then : +if test "${enable_decoder_preprocessor_rules+set}" = set; then enableval=$enable_decoder_preprocessor_rules; enable_decoder_preprocessor_rules="$enableval" else - enable_decoder_preprocessor_rules="no" + enable_decoder_preprocessor_rules="yes" fi if test "x$enable_decoder_preprocessor_rules" = "xyes"; then @@ -14414,10 +21870,10 @@ fi # Check whether --enable-ppm was given. -if test "${enable_ppm+set}" = set; then : +if test "${enable_ppm+set}" = set; then enableval=$enable_ppm; enable_ppm="$enableval" else - enable_ppm="no" + enable_ppm="yes" fi if test "x$enable_ppm" = "xyes"; then 
@@ -14425,18 +21881,18 @@ fi # Check whether --enable-perfprofiling was given. -if test "${enable_perfprofiling+set}" = set; then : +if test "${enable_perfprofiling+set}" = set; then enableval=$enable_perfprofiling; enable_perfprofiling="$enableval" else - enable_perfprofiling="no" + enable_perfprofiling="yes" fi if test "x$enable_perfprofiling" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPERF_PROFILING" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi # Check whether --enable-linux-smp-stats was given. -if test "${enable_linux_smp_stats+set}" = set; then : +if test "${enable_linux_smp_stats+set}" = set; then enableval=$enable_linux_smp_stats; enable_linux_smp_stats="$enableval" else enable_linux_smp_stats="no" @@ -14455,7 +21911,7 @@ fi # Check whether --enable-inline-init-failopen was given. -if test "${enable_inline_init_failopen+set}" = set; then : +if test "${enable_inline_init_failopen+set}" = set; then enableval=$enable_inline_init_failopen; enable_inline_init_failopen="$enableval" else enable_inline_init_failopen="no" @@ -14467,7 +21923,7 @@ fi # Check whether --enable-prelude was given. -if test "${enable_prelude+set}" = set; then : +if test "${enable_prelude+set}" = set; then enableval=$enable_prelude; enable_prelude="$enableval" else enable_prelude="no" @@ -14485,7 +21941,7 @@ if test "x$enable_prelude" = "xyes"; then # Check whether --with-libprelude-prefix was given. -if test "${with_libprelude_prefix+set}" = set; then : +if test "${with_libprelude_prefix+set}" = set; then withval=$with_libprelude_prefix; libprelude_config_prefix="$withval" else libprelude_config_prefix="" 
@@ -14500,9 +21956,9 @@ # Extract the first word of "libprelude-config", so it can be a program name with args. set dummy libprelude-config; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_path_LIBPRELUDE_CONFIG+set}" = set; then : +if test "${ac_cv_path_LIBPRELUDE_CONFIG+set}" = set; then $as_echo_n "(cached) " >&6 else case $LIBPRELUDE_CONFIG in @@ -14515,14 +21971,14 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_LIBPRELUDE_CONFIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done - done +done IFS=$as_save_IFS test -z "$ac_cv_path_LIBPRELUDE_CONFIG" && ac_cv_path_LIBPRELUDE_CONFIG="no" @@ -14531,16 +21987,16 @@ fi LIBPRELUDE_CONFIG=$ac_cv_path_LIBPRELUDE_CONFIG if test -n "$LIBPRELUDE_CONFIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBPRELUDE_CONFIG" >&5 + { $as_echo "$as_me:$LINENO: result: $LIBPRELUDE_CONFIG" >&5 $as_echo "$LIBPRELUDE_CONFIG" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi min_libprelude_version=0.9.6 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libprelude - version >= $min_libprelude_version" >&5 + { $as_echo "$as_me:$LINENO: checking for libprelude - version >= $min_libprelude_version" >&5 $as_echo_n "checking for libprelude - version >= $min_libprelude_version... " >&6; } no_libprelude="" if test "$LIBPRELUDE_CONFIG" = "no" ; then 
@@ -14562,10 +22018,14 @@ LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS" LIBS="$LIBS $LIBPRELUDE_LIBS" rm -f conf.libpreludetest - if test "$cross_compiling" = yes; then : + if test "$cross_compiling" = yes; then echo $ac_n "cross compiling; assumed OK... $ac_c" else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -14623,29 +22083,56 @@ } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + : else - no_libprelude=yes + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +no_libprelude=yes fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi + CFLAGS="$ac_save_CFLAGS" LIBS="$ac_save_LIBS" LDFLAGS="$ac_save_LDFLAGS" fi if test "x$no_libprelude" = x ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } use_prelude="yes" else if test -f conf.libpreludetest ; then : else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi if test "$LIBPRELUDE_CONFIG" = "no" ; then 
@@ -14661,7 +22148,11 @@ CFLAGS="$CFLAGS $LIBPRELUDE_CFLAGS" LDFLAGS="$LDFLAGS $LIBPRELUDE_LDFLAGS" LIBS="$LIBS $LIBPRELUDE_LIBS" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include @@ -14677,7 +22168,27 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then echo "*** The test program compiled, but did not run. This usually means" echo "*** that the run-time linker is not finding LIBPRELUDE or finding the wrong" echo "*** version of LIBPRELUDE. If it is not finding LIBPRELUDE, you'll need to set your" 
@@ -14689,13 +22200,18 @@ echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" echo "***" else - echo "*** The test program failed to compile or link. See the file config.log for the" + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + echo "*** The test program failed to compile or link. See the file config.log for the" echo "*** exact error that occured. This usually means LIBPRELUDE was incorrectly installed" echo "*** or that you have moved LIBPRELUDE since it was installed. In the latter case, you" echo "*** may want to edit the libprelude-config script: $LIBPRELUDE_CONFIG" fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext CFLAGS="$ac_save_CFLAGS" LDFLAGS="$ac_save_LDFLAGS" LIBS="$ac_save_LIBS" @@ -14719,16 +22235,18 @@ LIBS="$LIBS ${LIBPRELUDE_LIBS}" CFLAGS="$CFLAGS ${LIBPRELUDE_PTHREAD_CFLAGS}" -$as_echo "#define HAVE_LIBPRELUDE 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_LIBPRELUDE 1 +_ACEOF fi fi # Check whether --enable-pthread was given. -if test "${enable_pthread+set}" = set; then : +if test "${enable_pthread+set}" = set; then enableval=$enable_pthread; enable_pthread="$enableval" else - enable_pthread="no" + enable_pthread="yes" fi @@ -14737,18 +22255,18 @@ fi # Check whether --enable-debug-msgs was given. -if test "${enable_debug_msgs+set}" = set; then : +if test "${enable_debug_msgs+set}" = set; then enableval=$enable_debug_msgs; enable_debug_msgs="$enableval" else enable_debug_msgs="no" fi if test "x$enable_debug_msgs" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DDEBUG" + CPPFLAGS="$CPPFLAGS -DDEBUG_MSGS" fi # Check whether --enable-debug was given. -if test "${enable_debug+set}" = set; then : +if test "${enable_debug+set}" = set; then enableval=$enable_debug; enable_debug="$enableval" else enable_debug="no" 
@@ -14762,10 +22280,24 @@ if echo $CFLAGS | grep -qve -g ; then CFLAGS="$CFLAGS -g" fi + + CPPFLAGS="$CPPFLAGS -DDEBUG" +fi + +# Check whether --enable-gdb was given. +if test "${enable_gdb+set}" = set; then + enableval=$enable_gdb; enable_gdb="$enableval" +else + enable_gdb="no" +fi + + +if test "x$enable_gdb" = "xyes"; then + CFLAGS="$CFLAGS -g -ggdb" fi # Check whether --enable-profile was given. -if test "${enable_profile+set}" = set; then : +if test "${enable_profile+set}" = set; then enableval=$enable_profile; enable_profile="$enableval" else enable_profile="no" @@ -14782,7 +22314,7 @@ fi # Check whether --enable-ppm-test was given. -if test "${enable_ppm_test+set}" = set; then : +if test "${enable_ppm_test+set}" = set; then enableval=$enable_ppm_test; enable_ppm_test="$enableval" else enable_ppm_test="no" @@ -14794,7 +22326,7 @@ fi # Check whether --enable-sourcefire was given. -if test "${enable_sourcefire+set}" = set; then : +if test "${enable_sourcefire+set}" = set; then enableval=$enable_sourcefire; enable_sourcefire="$enableval" else enable_sourcefire="no" @@ -14802,11 +22334,12 @@ if test "x$enable_sourcefire" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPERF_PROFILING -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi # Check whether --enable-corefiles was given. -if test "${enable_corefiles+set}" = set; then : +if test "${enable_corefiles+set}" = set; then enableval=$enable_corefiles; enable_corefiles="$enableval" else enable_corefiles="yes" 
@@ -14818,31 +22351,31 @@ fi # Check whether --enable-active-response was given. -if test "${enable_active_response+set}" = set; then : +if test "${enable_active_response+set}" = set; then enableval=$enable_active_response; enable_active_response="$enableval" else - enable_active_response="no" + enable_active_response="yes" fi # Check whether --enable-normalizer was given. -if test "${enable_normalizer+set}" = set; then : +if test "${enable_normalizer+set}" = set; then enableval=$enable_normalizer; enable_normalizer="$enableval" else - enable_normalizer="no" + enable_normalizer="yes" fi # Check whether --enable-reload was given. -if test "${enable_reload+set}" = set; then : +if test "${enable_reload+set}" = set; then enableval=$enable_reload; enable_reload="$enableval" else - enable_reload="no" + enable_reload="yes" fi # Check whether --enable-reload-error-restart was given. -if test "${enable_reload_error_restart+set}" = set; then : +if test "${enable_reload_error_restart+set}" = set; then enableval=$enable_reload_error_restart; enable_reload_error_restart="$enableval" else enable_reload_error_restart="yes" @@ -14851,17 +22384,19 @@ if test "x$enable_reload" = "xyes"; then if test "x$enable_reload_error_restart" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD" + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD" else - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" fi LIBS="$LIBS -lpthread" fi +configuring_database="no" + # Check whether --with-mysql was given. -if test "${with_mysql+set}" = set; then : +if test "${with_mysql+set}" = set; then withval=$with_mysql; with_mysql="$withval" else with_mysql="no" @@ -14870,7 +22405,7 @@ # Check whether --with-mysql_includes was given. -if test "${with_mysql_includes+set}" = set; then : +if test "${with_mysql_includes+set}" = set; then withval=$with_mysql_includes; with_mysql_includes="$withval"; with_mysql="yes" else with_mysql_includes="no" 
@@ -14879,7 +22414,7 @@ # Check whether --with-mysql_libraries was given. -if test "${with_mysql_libraries+set}" = set; then : +if test "${with_mysql_libraries+set}" = set; then withval=$with_mysql_libraries; with_mysql_libraries="$withval"; with_mysql="yes" else with_mysql_libraries="no" @@ -14888,6 +22423,7 @@ default_directory="/usr /usr/local" if test "x$with_mysql" != "xno"; then + configuring_database="yes" if test "x$with_mysql" = "xyes"; then if test "x$with_mysql_includes" != "xno"; then mysql_inc_directory="$with_mysql_includes"; 
@@ -14901,15 +22437,15 @@ fi mysql_fail="yes" elif test -d "$withval"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Providing a directory for the --with-mysql option" >&5 + { $as_echo "$as_me:$LINENO: WARNING: Providing a directory for the --with-mysql option" >&5 $as_echo "$as_me: WARNING: Providing a directory for the --with-mysql option" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: will be deprecated in the future in favour of" >&5 + { $as_echo "$as_me:$LINENO: WARNING: will be deprecated in the future in favour of" >&5 $as_echo "$as_me: WARNING: will be deprecated in the future in favour of" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: --with-mysql-libraries and --with-mysql-includes" >&5 + { $as_echo "$as_me:$LINENO: WARNING: --with-mysql-libraries and --with-mysql-includes" >&5 $as_echo "$as_me: WARNING: --with-mysql-libraries and --with-mysql-includes" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: options to address issues with non-standard" >&5 + { $as_echo "$as_me:$LINENO: WARNING: options to address issues with non-standard" >&5 $as_echo "$as_me: WARNING: options to address issues with non-standard" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: installations and 64bit platforms." >&5 + { $as_echo "$as_me:$LINENO: WARNING: installations and 64bit platforms." >&5 $as_echo "$as_me: WARNING: installations and 64bit platforms." >&2;} mysql_inc_directory="$withval" mysql_lib_directory="$withval" @@ -14920,7 +22456,7 @@ mysql_fail="yes" fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql" >&5 + { $as_echo "$as_me:$LINENO: checking for mysql" >&5 $as_echo_n "checking for mysql... " >&6; } for i in $mysql_inc_directory; do @@ -15005,7 +22541,7 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi else 
@@ -15030,22 +22566,27 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } LDFLAGS="${LDFLAGS} -L${MYSQL_LIB_DIR}" CPPFLAGS="${CPPFLAGS} -I${MYSQL_INC_DIR} -DENABLE_MYSQL" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5 + +{ $as_echo "$as_me:$LINENO: checking for compress in -lz" >&5 $as_echo_n "checking for compress in -lz... " >&6; } -if test "${ac_cv_lib_z_compress+set}" = set; then : +if test "${ac_cv_lib_z_compress+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lz $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -15063,18 +22604,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_z_compress=yes else - ac_cv_lib_z_compress=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_z_compress=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_z_compress" >&5 $as_echo "$ac_cv_lib_z_compress" >&6; } -if test "x$ac_cv_lib_z_compress" = x""yes; then : +if test "x$ac_cv_lib_z_compress" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBZ 1 _ACEOF 
@@ -15087,16 +22653,23 @@ fi fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql default client reconnect" >&5 + { $as_echo "$as_me:$LINENO: checking for mysql default client reconnect" >&5 $as_echo_n "checking for mysql default client reconnect... " >&6; } - if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -15112,30 +22685,64 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then mysql_default_reconnect="no" else - mysql_default_reconnect="yes" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +mysql_default_reconnect="yes" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $mysql_default_reconnect" >&5 + + { $as_echo "$as_me:$LINENO: result: $mysql_default_reconnect" >&5 $as_echo "$mysql_default_reconnect" >&6; } if test "x$mysql_default_reconnect" = "xno"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql reconnect option" >&5 + { $as_echo "$as_me:$LINENO: checking for mysql reconnect option" >&5 $as_echo_n "checking for mysql reconnect option... 
" >&6; } - if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -15151,34 +22758,70 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then mysql_has_reconnect="yes" else - mysql_has_reconnect="no" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +mysql_has_reconnect="no" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $mysql_has_reconnect" >&5 + + { $as_echo "$as_me:$LINENO: result: $mysql_has_reconnect" >&5 $as_echo "$mysql_has_reconnect" >&6; } if test "x$mysql_has_reconnect" = "xyes"; then -$as_echo "#define MYSQL_HAS_OPT_RECONNECT 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define MYSQL_HAS_OPT_RECONNECT 1 +_ACEOF - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql setting of reconnect option before connect bug" >&5 + { $as_echo "$as_me:$LINENO: checking for mysql setting of reconnect option before connect bug" >&5 $as_echo_n "checking for mysql setting of reconnect option before connect bug... 
" >&6; } - if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5 ; } +{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run test program while cross compiling +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #include 
@@ -15194,22 +22837,51 @@ return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then mysql_has_reconnect_bug="no" else - mysql_has_reconnect_bug="yes" + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +mysql_has_reconnect_bug="yes" fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $mysql_has_reconnect_bug" >&5 + + { $as_echo "$as_me:$LINENO: result: $mysql_has_reconnect_bug" >&5 $as_echo "$mysql_has_reconnect_bug" >&6; } if test "x$mysql_has_reconnect_bug" = "xyes"; then -$as_echo "#define MYSQL_HAS_OPT_RECONNECT_BUG 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define MYSQL_HAS_OPT_RECONNECT_BUG 1 +_ACEOF fi fi @@ -15218,7 +22890,7 @@ # Check whether --with-odbc was given. -if test "${with_odbc+set}" = set; then : +if test "${with_odbc+set}" = set; then withval=$with_odbc; with_odbc="$withval" else with_odbc="no" 
@@ -15226,6 +22898,7 @@ if test "x$with_odbc" != "xno"; then + configuring_database="yes" if test "x$with_odbc" = "xyes"; then odbc_directory="$default_directory" odbc_fail="yes" @@ -15237,7 +22910,7 @@ odbc_fail="no" fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking \"for odbc\"" >&5 + { $as_echo "$as_me:$LINENO: checking \"for odbc\"" >&5 $as_echo_n "checking \"for odbc\"... " >&6; } for i in $odbc_directory; do @@ -15269,7 +22942,7 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi else @@ -15299,11 +22972,11 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } LDFLAGS="${LDFLAGS} -L${ODBC_LIB_DIR}" CPPFLAGS="${CPPFLAGS} -I${ODBC_INC_DIR} -DENABLE_ODBC" @@ -15314,7 +22987,7 @@ # Check whether --with-postgresql was given. -if test "${with_postgresql+set}" = set; then : +if test "${with_postgresql+set}" = set; then withval=$with_postgresql; with_postgresql="$withval" else with_postgresql="no" @@ -15323,7 +22996,7 @@ # Check whether --with-pgsql_includes was given. -if test "${with_pgsql_includes+set}" = set; then : +if test "${with_pgsql_includes+set}" = set; then withval=$with_pgsql_includes; with_pgsql_includes="$withval" else with_pgsql_includes="no" @@ -15331,6 +23004,7 @@ if test "x$with_postgresql" != "xno"; then + configuring_database="yes" if test "x$with_postgresql" = "xyes"; then postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql /usr/local" postgresql_fail="yes" 
@@ -15342,7 +23016,7 @@ postgresql_fail="no" fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for postgresql" >&5 + { $as_echo "$as_me:$LINENO: checking for postgresql" >&5 $as_echo_n "checking for postgresql... " >&6; } if test "x$with_pgsql_includes" != "xno"; then @@ -15397,7 +23071,7 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi fi @@ -15434,22 +23108,27 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; }; fi else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } LDFLAGS="${LDFLAGS} -L${POSTGRESQL_LIB_DIR}" CPPFLAGS="${CPPFLAGS} -I${POSTGRESQL_INC_DIR} -DENABLE_POSTGRESQL" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PQexec in -lpq" >&5 + +{ $as_echo "$as_me:$LINENO: checking for PQexec in -lpq" >&5 $as_echo_n "checking for PQexec in -lpq... " >&6; } -if test "${ac_cv_lib_pq_PQexec+set}" = set; then : +if test "${ac_cv_lib_pq_PQexec+set}" = set; then $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpq $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -15467,18 +23146,43 @@ return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then ac_cv_lib_pq_PQexec=yes else - ac_cv_lib_pq_PQexec=no + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_pq_PQexec=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pq_PQexec" >&5 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQexec" >&5 $as_echo "$ac_cv_lib_pq_PQexec" >&6; } -if test "x$ac_cv_lib_pq_PQexec" = x""yes; then : +if test "x$ac_cv_lib_pq_PQexec" = x""yes; then cat >>confdefs.h <<_ACEOF #define HAVE_LIBPQ 1 _ACEOF @@ -15502,7 +23206,7 @@ # Check whether --with-oracle was given. -if test "${with_oracle+set}" = set; then : +if test "${with_oracle+set}" = set; then withval=$with_oracle; with_oracle="$withval" else with_oracle="no" @@ -15510,6 +23214,7 @@ if test "x$with_oracle" != "xno"; then + configuring_database="yes" if test "x$with_oracle" = "xyes"; then oracle_directory="$default_directory ${ORACLE_HOME}" oracle_fail="yes" 
@@ -15521,7 +23226,7 @@ oracle_fail="no" fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for oracle" >&5 + { $as_echo "$as_me:$LINENO: checking for oracle" >&5 $as_echo_n "checking for oracle... " >&6; } for i in $oracle_directory; do @@ -15550,7 +23255,7 @@ exit 1 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi else @@ -15558,7 +23263,7 @@ ORACLE_CPP_FLAGS="$ORACLE_CPP_FLAGS -I$ORACLE_DIR/$i" done ORACLE_LIB_DIR="$ORACLE_DIR/lib" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } LDFLAGS="${LDFLAGS} -L${ORACLE_LIB_DIR}" @@ -15574,24 +23279,36 @@ fi fi +# Check whether --enable-paf was given. +if test "${enable_paf+set}" = set; then + enableval=$enable_paf; enable_paf="$enableval" +else + enable_paf="yes" +fi + + +if test "x$enable_paf" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_PAF" +fi + # Check whether --enable-react was given. -if test "${enable_react+set}" = set; then : +if test "${enable_react+set}" = set; then enableval=$enable_react; enable_react="$enableval" else - enable_react="no" + enable_react="yes" fi # Check whether --enable-flexresp3 was given. -if test "${enable_flexresp3+set}" = set; then : +if test "${enable_flexresp3+set}" = set; then enableval=$enable_flexresp3; enable_flexresp3="$enableval" else - enable_flexresp3="no" + enable_flexresp3="yes" fi # Check whether --enable-aruba was given. -if test "${enable_aruba+set}" = set; then : +if test "${enable_aruba+set}" = set; then enableval=$enable_aruba; enable_aruba="$enableval" else enable_aruba="no" 
@@ -15606,7 +23323,7 @@ # flexresp3 options are a union of flexresp (deleted) and flexresp2 # options so we assume flexresp3 if multiple are enabled. if test "x$enable_flexresp2" = "xyes"; then - echo "WARNING: multiple flexresp versions enabled; using flexresp3" + echo "WARNING: multiple flexresp versions enabled; using flexresp3." enable_flexresp2="no" fi fi @@ -15638,7 +23355,7 @@ if test "x$enable_normalizer" = "xyes" \ -o "x$enable_sourcefire" = "xyes" ; \ then - CPPFLAGS="${CPPFLAGS} -DNORMALIZER" + CONFIGFLAGS="${CONFIGFLAGS} -DNORMALIZER" fi if test "x$enable_active_response" = "xyes" \ @@ -15646,11 +23363,11 @@ -o "x$enable_react" = "xyes" \ -o "x$enable_sourcefire" = "xyes" ; \ then - CPPFLAGS="${CPPFLAGS} -DACTIVE_RESPONSE" + CONFIGFLAGS="${CONFIGFLAGS} -DACTIVE_RESPONSE" fi # Check whether --enable-intel_soft_cpm was given. -if test "${enable_intel_soft_cpm+set}" = set; then : +if test "${enable_intel_soft_cpm+set}" = set; then enableval=$enable_intel_soft_cpm; enable_intel_soft_cpm="$enableval" else enable_intel_soft_cpm="no" @@ -15659,7 +23376,7 @@ # Check whether --with-intel_soft_cpm_includes was given. -if test "${with_intel_soft_cpm_includes+set}" = set; then : +if test "${with_intel_soft_cpm_includes+set}" = set; then withval=$with_intel_soft_cpm_includes; with_intel_soft_cpm_includes="$withval" else with_intel_soft_cpm_includes="no" @@ -15668,7 +23385,7 @@ # Check whether --with-intel_soft_cpm_libraries was given. -if test "${with_intel_soft_cpm_libraries+set}" = set; then : +if test "${with_intel_soft_cpm_libraries+set}" = set; then withval=$with_intel_soft_cpm_libraries; with_intel_soft_cpm_libraries="$withval" else with_intel_soft_cpm_libraries="no" 
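Review bot: The new defaults `enable_react="yes"` and `enable_flexresp3="yes"` come with no visible update to the option help text or documentation, and because either flag turns on `-DACTIVE_RESPONSE` in the hunk that follows, a plain `./configure` now compiles active-response support in by default where it was previously opt-in. If that is intended, the `--help` strings for `--enable-react` and `--enable-flexresp3` (outside this hunk) should state that the default is now yes, and the release notes should call the change out so packagers who relied on the old behaviour know to pass `--disable-react --disable-flexresp3`. Since this script is generated, the change belongs in the autoconf input it is produced from; the enclosing option block continues past this hunk.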
@@ -15698,9 +23415,319 @@ CPPFLAGS="${CPPFLAGS} -DINTEL_SOFT_CPM" fi +# Check whether --enable-shared_rep was given. +if test "${enable_shared_rep+set}" = set; then + enableval=$enable_shared_rep; enable_shared_rep="$enableval" +else + enable_shared_rep="no" +fi + + +if test "x$enable_shared_rep" = "xyes"; then + if test "x$linux" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DSHARED_REP" + LIBS="$LIBS -lrt" + else + echo "WARNING: shared reputation is only available on linux." + enable_shared_rep="no" + fi +fi + + if test "x$enable_shared_rep" = "xyes"; then + HAVE_SHARED_REP_TRUE= + HAVE_SHARED_REP_FALSE='#' +else + HAVE_SHARED_REP_TRUE='#' + HAVE_SHARED_REP_FALSE= +fi + + +# Check whether --enable-rzb-saac was given. +if test "${enable_rzb_saac+set}" = set; then + enableval=$enable_rzb_saac; enable_rzb_saac="$enableval" +else + enable_rzb_saac="no" +fi + + + +# Check whether --with-librzb_api was given. +if test "${with_librzb_api+set}" = set; then + withval=$with_librzb_api; with_librzb_api="$withval" +else + with_librzb_api="no" +fi + + +if test "x$with_librzb_api" = "xno"; then + export PKG_CONFIG_PATH=$prefix/lib/pkgconfig:$PKG_CONFIG_PATH +else + export PKG_CONFIG_PATH=$with_librzb_api/lib/pkgconfig:$PKG_CONFIG_PATH +fi + +if test "x$enable_rzb_saac" = "xyes"; then + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_PKG_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$PKG_CONFIG"; then + ac_cv_prog_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_PKG_CONFIG="yes" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +PKG_CONFIG=$ac_cv_prog_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test "x$PKG_CONFIG" != "xyes"; then + echo + echo + echo " ERROR! pkg-config not found, go get it from" + echo " http://freedesktop.org" + exit + fi + + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_path_PKG_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 +else + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + + ;; +esac +fi +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi +else + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" +fi + +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi + +fi + +pkg_failed=no +{ $as_echo "$as_me:$LINENO: checking for RAZORBACK" >&5 +$as_echo_n "checking for RAZORBACK... " >&6; } + +if test -n "$RAZORBACK_CFLAGS"; then + pkg_cv_RAZORBACK_CFLAGS="$RAZORBACK_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"razorback >= 0.1.3\"") >&5 + ($PKG_CONFIG --exists --print-errors "razorback >= 0.1.3") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then + pkg_cv_RAZORBACK_CFLAGS=`$PKG_CONFIG --cflags "razorback >= 0.1.3" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$RAZORBACK_LIBS"; then + pkg_cv_RAZORBACK_LIBS="$RAZORBACK_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { ($as_echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"razorback >= 0.1.3\"") >&5 + ($PKG_CONFIG --exists --print-errors "razorback >= 0.1.3") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + pkg_cv_RAZORBACK_LIBS=`$PKG_CONFIG --libs "razorback >= 0.1.3" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + RAZORBACK_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "razorback >= 0.1.3" 2>&1` + else + RAZORBACK_PKG_ERRORS=`$PKG_CONFIG --print-errors "razorback >= 0.1.3" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$RAZORBACK_PKG_ERRORS" >&5 + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + LRZB=no +elif test $pkg_failed = untried; then + LRZB=no +else + RAZORBACK_CFLAGS=$pkg_cv_RAZORBACK_CFLAGS + RAZORBACK_LIBS=$pkg_cv_RAZORBACK_LIBS + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + if test "x$LRZB" = "xno"; then + echo + echo " ERROR! razorback_api library not found, go get it from" + echo " http://sourceforge.net/projects/razorbacktm/" + exit + fi +fi + + if test x$enable_rzb_saac = xyes; then + WANT_SF_SAAC_TRUE= + WANT_SF_SAAC_FALSE='#' +else + WANT_SF_SAAC_TRUE='#' + WANT_SF_SAAC_FALSE= +fi + + +# Check whether --enable-large-pcap was given. 
+if test "${enable_large_pcap+set}" = set; then + enableval=$enable_large_pcap; enable_large_pcap="$enableval" +else + enable_large_pcap="no" +fi + + +if test "x$enable_large_pcap" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" +fi + # let's make some fixes.. +CFLAGS="${CFLAGS} ${CCONFIGFLAGS}" CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'` +CPPFLAGS="${CPPFLAGS} ${CONFIGFLAGS}" CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'` if test "x$GCC" = "xyes" ; then @@ -15711,19 +23738,21 @@ fi if test "x$linux" = "xyes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for linuxthreads" >&5 + { $as_echo "$as_me:$LINENO: checking for linuxthreads" >&5 $as_echo_n "checking for linuxthreads... " >&6; } tstr=`getconf GNU_LIBPTHREAD_VERSION 2>&1` if test $? = 0; then # GNU_LIBPTHREAD_VERSION is a valid system variable echo $tstr | grep -i linuxthreads > /dev/null 2>&1 if test $? = 0; then -$as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_LINUXTHREADS 1 +_ACEOF - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi else 
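Review bot: Both new fatal branches in this hunk — the `if test "x$PKG_CONFIG" != "xyes"` check after the pkg-config probe and the `if test "x$LRZB" = "xno"` check after the RAZORBACK probe — end with a bare `exit`, which exits with the status of the preceding `echo` (0), so `./configure --enable-rzb-saac` prints "ERROR!" yet reports success to `make` and to any packaging script that chains on its exit status. The other abort paths in this file use `exit 1` (the ODBC check above) or the autoconf form `{ (exit 1); exit 1; }`; both new branches should be `exit 1`, and the messages should go to stderr, e.g. `echo " ERROR! pkg-config not found, go get it from" >&2`. A related consistency point: the new checks also skip the `$as_echo "$as_me: ..." >&5` logging that every other failure path writes to config.log, so a failed probe leaves no trace there. As this is a generated script, the fix belongs in the autoconf input it is produced from.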
@@ -15731,19 +23760,21 @@ $( ldd `which --skip-alias ls` | grep libc.so | awk '{print $3}' ) | grep -i linuxthreads > /dev/null 2>&1 if test $? = 0; then -$as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_LINUXTHREADS 1 +_ACEOF - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test "$LEX" != "none"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for yylex_destroy support" >&5 + { $as_echo "$as_me:$LINENO: checking for yylex_destroy support" >&5 $as_echo_n "checking for yylex_destroy support... " >&6; } version=`$LEX --version | awk '{print $3}'` @@ -15777,13 +23808,15 @@ fi if test "x$have_yylex_destroy" = "xyes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:$LINENO: result: yes" >&5 $as_echo "yes" >&6; } -$as_echo "#define HAVE_YYLEX_DESTROY 1" >>confdefs.h +cat >>confdefs.h <<\_ACEOF +#define HAVE_YYLEX_DESTROY 1 +_ACEOF else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi fi 
@@ -15792,29 +23825,124 @@ if test "x$NO_OPTIMIZE" = "xyes"; then CFLAGS=`echo $CFLAGS | sed -e "s/-O./-O0/"` - # in case user override doesn't include -O - if echo $CFLAGS | grep -qve -O0 ; then - CFLAGS="$CFLAGS -O0" - fi -fi + # in case user override doesn't include -O + if echo $CFLAGS | grep -qve -O0 ; then + CFLAGS="$CFLAGS -O0" + fi +fi + +if test "x$ADD_WERROR" = "xyes"; then + CFLAGS="$CFLAGS -Werror" +fi + +if test -n "$GCC"; then + CFLAGS="$CFLAGS -Wall" +fi + +echo $CFLAGS > cflags.out +echo $CPPFLAGS > cppflags.out + +INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based -I$(top_srcdir)/src/control' + + + + + + +# Find a good install program. We prefer a C program (faster), +# so one script is as good as another. But avoid the broken or +# incompatible versions: +# SysV /etc/install, /usr/sbin/install +# SunOS /usr/etc/install +# IRIX /sbin/install +# AIX /bin/install +# AmigaOS /C/install, which installs bootblocks on floppy discs +# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag +# AFS /usr/afsws/bin/install, which mishandles nonexistent args +# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" +# OS/2's system install, which has a completely different semantic +# ./install, which can be erroneously created by make from ./install.sh. +# Reject install programs that cannot install multiple files. +{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 +$as_echo_n "checking for a BSD-compatible install... 
" >&6; } +if test -z "$INSTALL"; then +if test "${ac_cv_path_install+set}" = set; then + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in + ./ | .// | /cC/* | \ + /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ + ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \ + /usr/ucb/* ) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. + # Don't use installbsd from OSF since it installs stuff as root + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. + : + elif test $ac_prog = install && + grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # program-specific install script used by HP pwplus--don't use. + : + else + rm -rf conftest.one conftest.two conftest.dir + echo one > conftest.one + echo two > conftest.two + mkdir conftest.dir + if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && + test -s conftest.one && test -s conftest.two && + test -s conftest.dir/conftest.one && + test -s conftest.dir/conftest.two + then + ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" + break 3 + fi + fi + fi + done + done + ;; +esac + +done +IFS=$as_save_IFS + +rm -rf conftest.one conftest.two conftest.dir -if test "x$ADD_WERROR" = "xyes"; then - CFLAGS="$CFLAGS -Werror" fi - -if test -n "$GCC"; then - CFLAGS="$CFLAGS -Wall" + if test "${ac_cv_path_install+set}" = set; then + INSTALL=$ac_cv_path_install + else + # As a last resort, use the slow shell script. 
Don't cache a + # value for INSTALL within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + INSTALL=$ac_install_sh + fi fi +{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5 +$as_echo "$INSTALL" >&6; } -echo $CFLAGS > cflags.out -echo $CPPFLAGS > cppflags.out - -INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based' - +# Use test -z because SunOS4 sh mishandles braces in ${var-val}. +# It thinks the first close brace ends the variable substitution. +test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' +test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' +test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' -ac_config_files="$ac_config_files snort.pc Makefile src/Makefile src/sfutil/Makefile src/detection-plugins/Makefile src/dynamic-examples/Makefile src/dynamic-examples/dynamic-preprocessor/Makefile src/dynamic-examples/dynamic-rule/Makefile src/dynamic-plugins/Makefile src/dynamic-plugins/sf_engine/Makefile src/dynamic-plugins/sf_engine/examples/Makefile src/dynamic-plugins/sf_preproc_example/Makefile src/dynamic-preprocessors/Makefile src/dynamic-preprocessors/libs/Makefile src/dynamic-preprocessors/ftptelnet/Makefile src/dynamic-preprocessors/smtp/Makefile src/dynamic-preprocessors/ssh/Makefile src/dynamic-preprocessors/dcerpc2/Makefile src/dynamic-preprocessors/sdf/Makefile src/dynamic-preprocessors/dns/Makefile src/dynamic-preprocessors/ssl/Makefile src/output-plugins/Makefile src/preprocessors/Makefile src/preprocessors/HttpInspect/Makefile src/preprocessors/HttpInspect/include/Makefile 
src/preprocessors/HttpInspect/utils/Makefile src/preprocessors/HttpInspect/anomaly_detection/Makefile src/preprocessors/HttpInspect/client/Makefile src/preprocessors/HttpInspect/event_output/Makefile src/preprocessors/HttpInspect/mode_inspection/Makefile src/preprocessors/HttpInspect/normalization/Makefile src/preprocessors/HttpInspect/server/Makefile src/preprocessors/HttpInspect/session_inspection/Makefile src/preprocessors/HttpInspect/user_interface/Makefile src/preprocessors/Stream5/Makefile src/parser/Makefile src/target-based/Makefile doc/Makefile contrib/Makefile schemas/Makefile rpm/Makefile preproc_rules/Makefile m4/Makefile etc/Makefile templates/Makefile tools/Makefile tools/u2boat/Makefile tools/u2spewfoo/Makefile src/win32/Makefile" +ac_config_files="$ac_config_files snort.pc Makefile src/Makefile src/sfutil/Makefile src/control/Makefile src/detection-plugins/Makefile src/dynamic-examples/Makefile src/dynamic-examples/dynamic-preprocessor/Makefile src/dynamic-examples/dynamic-rule/Makefile src/dynamic-plugins/Makefile src/dynamic-plugins/sf_engine/Makefile src/dynamic-plugins/sf_engine/examples/Makefile src/dynamic-plugins/sf_preproc_example/Makefile src/dynamic-preprocessors/Makefile src/dynamic-preprocessors/libs/Makefile src/dynamic-preprocessors/libs/snort_preproc.pc src/dynamic-preprocessors/ftptelnet/Makefile src/dynamic-preprocessors/smtp/Makefile src/dynamic-preprocessors/ssh/Makefile src/dynamic-preprocessors/sip/Makefile src/dynamic-preprocessors/reputation/Makefile src/dynamic-preprocessors/gtp/Makefile src/dynamic-preprocessors/dcerpc2/Makefile src/dynamic-preprocessors/pop/Makefile src/dynamic-preprocessors/imap/Makefile src/dynamic-preprocessors/sdf/Makefile src/dynamic-preprocessors/dns/Makefile src/dynamic-preprocessors/ssl/Makefile src/dynamic-preprocessors/modbus/Makefile src/dynamic-preprocessors/dnp3/Makefile src/dynamic-preprocessors/rzb_saac/Makefile src/output-plugins/Makefile src/preprocessors/Makefile 
src/preprocessors/HttpInspect/Makefile src/preprocessors/HttpInspect/include/Makefile src/preprocessors/HttpInspect/utils/Makefile src/preprocessors/HttpInspect/anomaly_detection/Makefile src/preprocessors/HttpInspect/client/Makefile src/preprocessors/HttpInspect/event_output/Makefile src/preprocessors/HttpInspect/mode_inspection/Makefile src/preprocessors/HttpInspect/normalization/Makefile src/preprocessors/HttpInspect/server/Makefile src/preprocessors/HttpInspect/session_inspection/Makefile src/preprocessors/HttpInspect/user_interface/Makefile src/preprocessors/Stream5/Makefile src/parser/Makefile src/target-based/Makefile doc/Makefile contrib/Makefile rpm/Makefile preproc_rules/Makefile m4/Makefile etc/Makefile schemas/Makefile templates/Makefile tools/Makefile tools/control/Makefile tools/u2boat/Makefile tools/u2spewfoo/Makefile src/win32/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -15843,13 +23971,13 @@ case $ac_val in #( *${as_nl}*) case $ac_var in #( - *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 + *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) { eval $ac_var=; unset $ac_var;} ;; + *) $as_unset $ac_var ;; esac ;; esac done @@ -15857,8 +23985,8 @@ (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) - # `set' does not quote correctly, so add quotes: double-quote - # substitution turns \\\\ into \\, and sed turns \\ into \. + # `set' does not quote correctly, so add quotes (double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \). sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" 
@@ -15881,11 +24009,11 @@ if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then test "x$cache_file" != "x/dev/null" && - { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 + { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} cat confcache >$cache_file else - { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 + { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi @@ -15899,15 +24027,14 @@ ac_libobjs= ac_ltlibobjs= -U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. - as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" - as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' + ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" + ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs 
@@ -15923,75 +24050,147 @@ fi if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then - as_fn_error $? "conditional \"MAINTAINER_MODE\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"MAINTAINER_MODE\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then - as_fn_error $? "conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then - as_fn_error $? "conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then - as_fn_error $? "conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. 
+Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${BUILD_SNPRINTF_TRUE}" && test -z "${BUILD_SNPRINTF_FALSE}"; then - as_fn_error $? "conditional \"BUILD_SNPRINTF\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_SNPRINTF\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_SNPRINTF\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${HAVE_DYNAMIC_PLUGINS_TRUE}" && test -z "${HAVE_DYNAMIC_PLUGINS_FALSE}"; then - as_fn_error $? "conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_DYNAMIC_PLUGINS\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${SO_WITH_STATIC_LIB_TRUE}" && test -z "${SO_WITH_STATIC_LIB_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"SO_WITH_STATIC_LIB\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"SO_WITH_STATIC_LIB\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${BUILD_CONTROL_SOCKET_TRUE}" && test -z "${BUILD_CONTROL_SOCKET_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_CONTROL_SOCKET\" was never defined. 
+Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_CONTROL_SOCKET\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${BUILD_DYNAMIC_EXAMPLES_TRUE}" && test -z "${BUILD_DYNAMIC_EXAMPLES_FALSE}"; then - as_fn_error $? "conditional \"BUILD_DYNAMIC_EXAMPLES\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_DYNAMIC_EXAMPLES\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_DYNAMIC_EXAMPLES\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${HAVE_SUP_IP6_TRUE}" && test -z "${HAVE_SUP_IP6_FALSE}"; then - as_fn_error $? "conditional \"HAVE_SUP_IP6\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_SUP_IP6\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_SUP_IP6\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${HAVE_ZLIB_TRUE}" && test -z "${HAVE_ZLIB_FALSE}"; then - as_fn_error $? "conditional \"HAVE_ZLIB\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_ZLIB\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_ZLIB\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&2;} + { (exit 1); exit 1; }; } fi if test -z "${HAVE_TARGET_BASED_TRUE}" && test -z "${HAVE_TARGET_BASED_FALSE}"; then - as_fn_error $? "conditional \"HAVE_TARGET_BASED\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_TARGET_BASED\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_TARGET_BASED\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${BUILD_PROCPIDSTATS_TRUE}" && test -z "${BUILD_PROCPIDSTATS_FALSE}"; then - as_fn_error $? "conditional \"BUILD_PROCPIDSTATS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_PROCPIDSTATS\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_PROCPIDSTATS\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${BUILD_PRELUDE_TRUE}" && test -z "${BUILD_PRELUDE_FALSE}"; then - as_fn_error $? "conditional \"BUILD_PRELUDE\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_PRELUDE\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_PRELUDE\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${BUILD_REACT_TRUE}" && test -z "${BUILD_REACT_FALSE}"; then - as_fn_error $? "conditional \"BUILD_REACT\" was never defined. -Usually this means the macro was only invoked conditionally." 
"$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_REACT\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_REACT\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${BUILD_RESPOND3_TRUE}" && test -z "${BUILD_RESPOND3_FALSE}"; then - as_fn_error $? "conditional \"BUILD_RESPOND3\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"BUILD_RESPOND3\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"BUILD_RESPOND3\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi if test -z "${HAVE_INTEL_SOFT_CPM_TRUE}" && test -z "${HAVE_INTEL_SOFT_CPM_FALSE}"; then - as_fn_error $? "conditional \"HAVE_INTEL_SOFT_CPM\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_INTEL_SOFT_CPM\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_INTEL_SOFT_CPM\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_SHARED_REP_TRUE}" && test -z "${HAVE_SHARED_REP_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_SHARED_REP\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_SHARED_REP\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${WANT_SF_SAAC_TRUE}" && test -z "${WANT_SF_SAAC_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"WANT_SF_SAAC\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"WANT_SF_SAAC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } fi : ${CONFIG_STATUS=./config.status} ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 +{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} -as_write_fail=0 -cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 +cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. @@ -16001,18 +24200,17 @@ debug=false ac_cs_recheck=false ac_cs_silent=false - SHELL=\${CONFIG_SHELL-$SHELL} -export SHELL -_ASEOF -cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 -## -------------------- ## -## M4sh Initialization. ## -## -------------------- ## +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +## --------------------- ## +## M4sh Initialization. ## +## --------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which 
@@ -16020,15 +24218,23 @@ alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else - case `(set -o) 2>/dev/null` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; esac + fi + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + as_nl=' ' export as_nl @@ -16036,13 +24242,7 @@ as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -# Prefer a ksh shell builtin over an external printf program on Solaris, -# but without wasting forks for bash or zsh. -if test -z "$BASH_VERSION$ZSH_VERSION" \ - && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='print -r --' - as_echo_n='print -rn --' -elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then +if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else @@ -16053,7 +24253,7 @@ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; - case $arg in #( + case $arg in *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; @@ -16076,6 +24276,13 @@ } fi +# Support unset when possible. +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi + # IFS # We need space, tab and new line, in precisely that order. Quoting is 
@@ -16085,15 +24292,15 @@ IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. -case $0 in #(( +case $0 in *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break - done + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done IFS=$as_save_IFS ;; @@ -16105,16 +24312,12 @@ fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - exit 1 + { (exit 1); exit 1; } fi -# Unset variables that we do not need and which cause bugs (e.g. in -# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -# suppresses any "Segmentation fault" message there. '((' could -# trigger a bug in pdksh 5.2.14. -for as_var in BASH_ENV ENV MAIL MAILPATH -do eval test x\${$as_var+set} = xset \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +# Work around bugs in pre-3.0 UWIN ksh. +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var done PS1='$ ' PS2='> ' 
@@ -16126,89 +24329,7 @@ LANGUAGE=C export LANGUAGE -# CDPATH. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - - -# as_fn_error STATUS ERROR [LINENO LOG_FD] -# ---------------------------------------- -# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -# script with STATUS, using 1 if that was 0. -as_fn_error () -{ - as_status=$1; test $as_status -eq 0 && as_status=1 - if test "$4"; then - as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi - $as_echo "$as_me: error: $2" >&2 - as_fn_exit $as_status -} # as_fn_error - - -# as_fn_set_status STATUS -# ----------------------- -# Set $? to STATUS, without forking. -as_fn_set_status () -{ - return $1 -} # as_fn_set_status - -# as_fn_exit STATUS -# ----------------- -# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -as_fn_exit () -{ - set +e - as_fn_set_status $1 - exit $1 -} # as_fn_exit - -# as_fn_unset VAR -# --------------- -# Portably unset VAR. -as_fn_unset () -{ - { eval $1=; unset $1;} -} -as_unset=as_fn_unset -# as_fn_append VAR VALUE -# ---------------------- -# Append the text in VALUE to the end of the definition contained in VAR. Take -# advantage of any shell optimizations that allow amortized linear growth over -# repeated appends, instead of the typical quadratic growth present in naive -# implementations. -if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : - eval 'as_fn_append () - { - eval $1+=\$2 - }' -else - as_fn_append () - { - eval $1=\$$1\$2 - } -fi # as_fn_append - -# as_fn_arith ARG... -# ------------------ -# Perform arithmetic evaluation on the ARGs, and store the result in the -# global $as_val. Take advantage of shells that can avoid forks. The arguments -# must be portable across $(()) and expr. 
-if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : - eval 'as_fn_arith () - { - as_val=$(( $* )) - }' -else - as_fn_arith () - { - as_val=`expr "$@" || test $? -eq 1` - } -fi # as_fn_arith - - +# Required to use basename. if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr @@ -16222,12 +24343,8 @@ as_basename=false fi -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi +# Name of the executable. as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ 
@@ -16247,25 +24364,76 @@ } s/.*/./; q'` -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits +# CDPATH. +$as_unset CDPATH + + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { + + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. 
+ exit +} + + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in #((((( +case `echo -n x` in -n*) - case `echo 'xy\c'` in + case `echo 'x\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. - xy) ECHO_C='\c';; - *) echo `echo ksh88 bug on AIX 6.1` > /dev/null - ECHO_T=' ';; + *) ECHO_C='\c';; esac;; *) ECHO_N='-n';; esac +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then @@ -16294,56 +24462,8 @@ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null - -# as_fn_mkdir_p -# ------------- -# Create "$as_dir" as a directory, including parents if necessary. -as_fn_mkdir_p () -{ - - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || eval $as_mkdir_p || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - - -} # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then - as_mkdir_p='mkdir -p "$as_dir"' + as_mkdir_p=: else test -d ./-p && rmdir ./-p as_mkdir_p=false 
@@ -16362,10 +24482,10 @@ if test -d "$1"; then test -d "$1/."; else - case $1 in #( + case $1 in -*)set "./$1";; esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in ???[sx]*):;;*)false;;esac;fi '\'' sh ' @@ -16380,19 +24500,13 @@ exec 6>&1 -## ----------------------------------- ## -## Main body of $CONFIG_STATUS script. ## -## ----------------------------------- ## -_ASEOF -test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# Save the log message, to keep $0 and so on meaningful, and to +# Save the log message, to keep $[0] and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by $as_me, which was -generated by GNU Autoconf 2.67. Invocation command line was +generated by GNU Autoconf 2.63. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS @@ -16424,15 +24538,13 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ -\`$as_me' instantiates files and other configuration actions -from templates according to the current configuration. Unless the files -and actions are specified as TAGs, all are instantiated by default. +\`$as_me' instantiates files from templates according to the +current configuration. -Usage: $0 [OPTION]... [TAG]... +Usage: $0 [OPTION]... [FILE]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit - --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files 
@@ -16451,17 +24563,16 @@ Configuration commands: $config_commands -Report bugs to the package provider." +Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ config.status -configured by $0, generated by GNU Autoconf 2.67, - with options \\"\$ac_cs_config\\" +configured by $0, generated by GNU Autoconf 2.63, + with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 2008 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." @@ -16479,16 +24590,11 @@ while test $# != 0 do case $1 in - --*=?*) + --*=*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; - --*=) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg= - ac_shift=: - ;; *) ac_option=$1 ac_optarg=$2 
@@ -16502,29 +24608,27 @@ ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; - --config | --confi | --conf | --con | --co | --c ) - $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; - '') as_fn_error $? "missing file argument" ;; esac - as_fn_append CONFIG_FILES " '$ac_optarg'" + CONFIG_FILES="$CONFIG_FILES '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac - as_fn_append CONFIG_HEADERS " '$ac_optarg'" + CONFIG_HEADERS="$CONFIG_HEADERS '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header - as_fn_error $? "ambiguous option: \`$1' -Try \`$0 --help' for more information.";; + { $as_echo "$as_me: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; };; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ @@ -16532,10 +24636,11 @@ ac_cs_silent=: ;; # This is an error. - -*) as_fn_error $? "unrecognized option: \`$1' -Try \`$0 --help' for more information." ;; + -*) { $as_echo "$as_me: error: unrecognized option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; } ;; - *) as_fn_append ac_config_targets " $1" + *) ac_config_targets="$ac_config_targets $1" ac_need_defaults=false ;; esac 
@@ -16848,6 +24953,7 @@ "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; "src/sfutil/Makefile") CONFIG_FILES="$CONFIG_FILES src/sfutil/Makefile" ;; + "src/control/Makefile") CONFIG_FILES="$CONFIG_FILES src/control/Makefile" ;; "src/detection-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/detection-plugins/Makefile" ;; "src/dynamic-examples/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/Makefile" ;; "src/dynamic-examples/dynamic-preprocessor/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-examples/dynamic-preprocessor/Makefile" ;; 
@@ -16858,13 +24964,22 @@ "src/dynamic-plugins/sf_preproc_example/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-plugins/sf_preproc_example/Makefile" ;; "src/dynamic-preprocessors/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/Makefile" ;; "src/dynamic-preprocessors/libs/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/libs/Makefile" ;; + "src/dynamic-preprocessors/libs/snort_preproc.pc") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/libs/snort_preproc.pc" ;; "src/dynamic-preprocessors/ftptelnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ftptelnet/Makefile" ;; "src/dynamic-preprocessors/smtp/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/smtp/Makefile" ;; "src/dynamic-preprocessors/ssh/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ssh/Makefile" ;; + "src/dynamic-preprocessors/sip/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/sip/Makefile" ;; + "src/dynamic-preprocessors/reputation/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/reputation/Makefile" ;; + "src/dynamic-preprocessors/gtp/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/gtp/Makefile" ;; "src/dynamic-preprocessors/dcerpc2/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dcerpc2/Makefile" ;; + "src/dynamic-preprocessors/pop/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/pop/Makefile" ;; + "src/dynamic-preprocessors/imap/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/imap/Makefile" ;; "src/dynamic-preprocessors/sdf/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/sdf/Makefile" ;; "src/dynamic-preprocessors/dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dns/Makefile" ;; "src/dynamic-preprocessors/ssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/ssl/Makefile" ;; + "src/dynamic-preprocessors/modbus/Makefile") CONFIG_FILES="$CONFIG_FILES 
src/dynamic-preprocessors/modbus/Makefile" ;; + "src/dynamic-preprocessors/dnp3/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/dnp3/Makefile" ;; + "src/dynamic-preprocessors/rzb_saac/Makefile") CONFIG_FILES="$CONFIG_FILES src/dynamic-preprocessors/rzb_saac/Makefile" ;; "src/output-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES src/output-plugins/Makefile" ;; "src/preprocessors/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/Makefile" ;; "src/preprocessors/HttpInspect/Makefile") CONFIG_FILES="$CONFIG_FILES src/preprocessors/HttpInspect/Makefile" ;; @@ -16883,18 +24998,21 @@ "src/target-based/Makefile") CONFIG_FILES="$CONFIG_FILES src/target-based/Makefile" ;; "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; "contrib/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/Makefile" ;; - "schemas/Makefile") CONFIG_FILES="$CONFIG_FILES schemas/Makefile" ;; "rpm/Makefile") CONFIG_FILES="$CONFIG_FILES rpm/Makefile" ;; "preproc_rules/Makefile") CONFIG_FILES="$CONFIG_FILES preproc_rules/Makefile" ;; "m4/Makefile") CONFIG_FILES="$CONFIG_FILES m4/Makefile" ;; "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;; + "schemas/Makefile") CONFIG_FILES="$CONFIG_FILES schemas/Makefile" ;; "templates/Makefile") CONFIG_FILES="$CONFIG_FILES templates/Makefile" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; + "tools/control/Makefile") CONFIG_FILES="$CONFIG_FILES tools/control/Makefile" ;; "tools/u2boat/Makefile") CONFIG_FILES="$CONFIG_FILES tools/u2boat/Makefile" ;; "tools/u2spewfoo/Makefile") CONFIG_FILES="$CONFIG_FILES tools/u2spewfoo/Makefile" ;; "src/win32/Makefile") CONFIG_FILES="$CONFIG_FILES src/win32/Makefile" ;; - *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;; + *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 +$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;} + { (exit 1); exit 1; }; };; esac done 
@@ -16921,7 +25039,7 @@ trap 'exit_status=$? { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status ' 0 - trap 'as_fn_exit 1' 1 2 13 15 + trap '{ (exit 1); exit 1; }' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. @@ -16932,7 +25050,11 @@ { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") -} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +} || +{ + $as_echo "$as_me: cannot create a temporary directory in ." >&2 + { (exit 1); exit 1; } +} # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. @@ -16940,13 +25062,7 @@ if test -n "$CONFIG_FILES"; then -ac_cr=`echo X | tr X '\015'` -# On cygwin, bash can eat \r inside `` if the user requested igncr. -# But we know of no other shell where ac_cr would be empty at this -# point, so we can use a bashism as a fallback. -if test "x$ac_cr" = x; then - eval ac_cr=\$\'\\r\' -fi +ac_cr=' ' ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' 
@@ -16963,18 +25079,24 @@ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 -ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } +ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi @@ -16996,7 +25118,7 @@ t delim :nl h -s/\(.\{148\}\)..*/\1/ +s/\(.\{148\}\).*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p @@ -17010,7 +25132,7 @@ t nl :delim h -s/\(.\{148\}\)..*/\1/ +s/\(.\{148\}\).*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p 
@@ -17063,28 +25185,22 @@ else cat fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ - || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 + || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5 +$as_echo "$as_me: error: could not setup config files machinery" >&2;} + { (exit 1); exit 1; }; } _ACEOF -# VPATH may cause trouble with some makes, so we remove sole $(srcdir), -# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and +# VPATH may cause trouble with some makes, so we remove $(srcdir), +# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ -h -s/// -s/^/:/ -s/[ ]*$/:/ -s/:\$(srcdir):/:/g -s/:\${srcdir}:/:/g -s/:@srcdir@:/:/g -s/^:*// + ac_vpsub='/^[ ]*VPATH[ ]*=/{ +s/:*\$(srcdir):*/:/ +s/:*\${srcdir}:*/:/ +s/:*@srcdir@:*/:/ +s/^\([^=]*=[ ]*\):*/\1/ s/:*$// -x -s/\(=[ ]*\).*/\1/ -G -s/\n// s/^[^=]*=[ ]*$// }' fi @@ -17112,7 +25228,9 @@ if test -z "$ac_t"; then break elif $ac_last_try; then - as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_HEADERS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_HEADERS" >&2;} + { (exit 1); exit 1; }; } else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi @@ -17197,7 +25315,9 @@ _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: could not setup config headers machinery" >&5 +$as_echo "$as_me: error: could not setup config headers machinery" >&2;} + { (exit 1); exit 1; }; } fi # test -n "$CONFIG_HEADERS" 
@@ -17210,7 +25330,9 @@ esac case $ac_mode$ac_tag in :[FHL]*:*);; - :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;; + :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: invalid tag $ac_tag" >&5 +$as_echo "$as_me: error: invalid tag $ac_tag" >&2;} + { (exit 1); exit 1; }; };; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac @@ -17238,10 +25360,12 @@ [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || - as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;; + { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 +$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;} + { (exit 1); exit 1; }; };; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac - as_fn_append ac_file_inputs " '$ac_f'" + ac_file_inputs="$ac_file_inputs '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't @@ -17252,7 +25376,7 @@ `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" - { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 + { $as_echo "$as_me:$LINENO: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. @@ -17265,7 +25389,9 @@ case $ac_tag in *:-:* | *:-) cat >"$tmp/stdin" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } ;; esac ;; esac 
@@ -17293,7 +25419,47 @@ q } s/.*/./; q'` - as_dir="$ac_dir"; as_fn_mkdir_p + { as_dir="$ac_dir" + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } ac_builddir=. case "$ac_dir" in @@ -17350,6 +25516,7 @@ # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= + ac_sed_dataroot=' /datarootdir/ { p @@ -17359,11 +25526,12 @@ /@docdir@/p /@infodir@/p /@localedir@/p -/@mandir@/p' +/@mandir@/p +' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 + { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 
@@ -17373,7 +25541,7 @@ s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g - s&\\\${datarootdir}&$datarootdir&g' ;; + s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF @@ -17402,22 +25570,26 @@ $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined" >&5 + { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined" >&2;} +which seems to be undefined. Please make sure it is defined." >&2;} rm -f "$tmp/stdin" case $ac_file in -) cat "$tmp/out" && rm -f "$tmp/out";; *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; esac \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } ;; :H) # 
@@ -17428,19 +25600,25 @@ $as_echo "/* $configure_input */" \ && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" } >"$tmp/config.h" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then - { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 + { $as_echo "$as_me:$LINENO: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$tmp/config.h" "$ac_file" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \ - || as_fn_error $? "could not create -" "$LINENO" 5 + || { { $as_echo "$as_me:$LINENO: error: could not create -" >&5 +$as_echo "$as_me: error: could not create -" >&2;} + { (exit 1); exit 1; }; } fi # Compute "$ac_file"'s index in $config_headers. _am_arg="$ac_file" @@ -17478,7 +25656,7 @@ s/.*/./; q'`/stamp-h$_am_stamp_count ;; - :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 + :C) { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5 $as_echo "$as_me: executing $ac_file commands" >&6;} ;; esac 
@@ -17573,7 +25751,47 @@ q } s/.*/./; q'` - as_dir=$dirpart/$fdir; as_fn_mkdir_p + { as_dir=$dirpart/$fdir + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } # echo "creating $dirpart/$file" echo '# dummy' > "$dirpart/$file" done @@ -18220,12 +26438,15 @@ done # for ac_tag -as_fn_exit 0 +{ (exit 0); exit 0; } _ACEOF +chmod +x $CONFIG_STATUS ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || - as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 + { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } # configure is writing to config.log, and then calls config.status. 
@@ -18246,10 +26467,10 @@ exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. - $ac_cs_success || as_fn_exit 1 + $ac_cs_success || { (exit 1); exit 1; } fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 + { $as_echo "$as_me:$LINENO: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi @@ -18276,3 +26497,25 @@ EOF fi + +if test "x$configuring_database" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Database output plugins are deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3. The recommended approach to logging is to" + echo "!! use unified2 with barnyard2 or similar." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_aruba" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Arubu output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_prelude" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Prelude output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi diff -Nru snort-2.9.0.1/configure.in snort-2.9.2/configure.in --- snort-2.9.0.1/configure.in 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/configure.in 2011-12-07 10:33:49.000000000 -0800 
@@ -1,4 +1,4 @@ -# $Id$ +# $Id$ AC_INIT AC_CONFIG_SRCDIR([src/snort.c]) AC_PREREQ(2.50) @@ -6,7 +6,7 @@ AM_CONFIG_HEADER(config.h) # When changing the snort version, please also update the VERSION # definition in "src/win32/WIN32-Includes/config.h" -AM_INIT_AUTOMAKE(snort,2.9.0.1) +AM_INIT_AUTOMAKE(snort,2.9.2) NO_OPTIMIZE="no" ADD_WERROR="no" @@ -26,19 +26,23 @@ AC_PROG_LIBTOOL AC_PROG_RANLIB AC_C_BIGENDIAN +AC_C_INLINE #AC_CANONICAL_HOST linux="no" sunos4="no" +so_with_static_lib="yes" case "$host" in *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) AC_DEFINE([OPENBSD],[1],[Define if OpenBSD]) AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if BROKEN_SIOCGIFMTU]) + so_with_static_lib="no" ;; *-openbsd*) AC_DEFINE([OPENBSD],[1],[Define if OpenBSD < 2.3]) + so_with_static_lib="no" ;; *-sgi-irix5*) @@ -63,7 +67,7 @@ ;; *-solaris*) AC_DEFINE([SOLARIS],[1],[Define if Solaris]) - CPPFLAGS="${CPPFLAGS} -DBSD_COMP -D_REENTRANT" + CONFIGFLAGS="${CONFIGFLAGS} -DBSD_COMP -D_REENTRANT" rt_nanosleep="yes" ;; *-sunos*) @@ -82,10 +86,8 @@ AC_SUBST(extra_incl) extra_incl="-I/usr/local/include" ;; - *-freebsd*) AC_DEFINE([FREEBSD],[1],[Define if FreeBSD]) - ;; *-bsdi*) AC_DEFINE([BSDI],[1],[Define if BSDi]) @@ -95,14 +97,17 @@ ;; *-osf4*) AC_DEFINE([OSF1],[1],[Define if OSF-4]) + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; *-osf5.1*) AC_DEFINE([OSF1],[1],[Define if OSF-5.1]) + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; *-tru64*) AC_DEFINE([OSF1],[1],[Define if Tru64]) + CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; -# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment +# it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment *-apple*) AC_DEFINE([MACOS],[1],[Define if MacOS]) AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if broken SIOCGIFMTU]) @@ -110,6 +115,8 @@ extra_incl="-I/sw/include" esac +AC_HEADER_STDBOOL + # ICC stuff ICC=no if eval "echo $CC | grep icc > /dev/null" ; then 
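Review bot: `CONFIGFLAGS="${CONFIGFLAGS} -DBSD_COMP -D_REENTRANT"` in the Solaris arm is the first use of the new CONFIGFLAGS variable, and nothing here or in the later hunks says how it differs from CPPFLAGS, even though the split recurs throughout this commit (SF_WCHAR on L462, ICONFIGFLAGS/CCONFIGFLAGS on L463 and L467, SUP_IP6, TARGET_BASED, PERF_PROFILING, SNORT_RELOAD, NORMALIZER and ACTIVE_RESPONSE on L468–L475) while GRE, MPLS, PPM_MGR and ENABLE_PAF still go to CPPFLAGS. The consumer of these variables is outside this diff, so a comment at this first assignment naming it would stop the next option from landing in the wrong one, e.g. `# CONFIGFLAGS (defines), CCONFIGFLAGS (compiler flags), ICONFIGFLAGS (include paths): also passed to <consumer to be named>; plain CPPFLAGS applies to this tree only`. Separately, the `@@ -82,10 +86,8 @@` hunk removes the `*-freebsd*)` pattern line and its `;;` but keeps `AC_DEFINE([FREEBSD],[1],[Define if FreeBSD])` as context; if the collapsed layout is read correctly that define now sits outside any case arm, so please confirm the `case` still parses and FreeBSD hosts still get `FREEBSD` defined.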
@@ -154,10 +161,26 @@ # dnl checking headers -AC_CHECK_HEADERS([strings.h string.h stdlib.h unistd.h sys/sockio.h paths.h inttypes.h wchar.h math.h]) +AC_CHECK_HEADERS([ \ + inttypes.h \ + math.h \ + paths.h \ + stdlib.h \ + string.h \ + strings.h \ + unistd.h \ + wchar.h \ + sys/sockio.h \ +]) + +if test "x$ac_cv_header_wchar_h" = "xyes"; then + CONFIGFLAGS="${CONFIGFLAGS} -DSF_WCHAR" +fi AC_CHECK_LIB([m],[floor]) AC_CHECK_LIB([m],[ceil]) +AC_CHECK_HEADERS(uuid/uuid.h, [AC_CHECK_LIB(uuid,uuid_parse)]) + if test "x$rt_nanosleep" = "xyes"; then AC_CHECK_LIB([rt],[nanosleep]) fi @@ -202,7 +225,7 @@ #include ]], [[char *(*pfn); pfn = (char *(*)) $1;]])],[eval "sn_cv_decl_needed_$1=no"],[eval "sn_cv_decl_needed_$1=yes"]) ]) -if eval "test \"`echo '$sn_cv_decl_needed_'$1`\" != no"; then +if eval "test \"`echo '$sn_cv_decl_needed_'$1`\" != no"; then AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) else @@ -230,13 +253,13 @@ # you will see also #undef for each SN_CHECK_DECLS macros invocation # because autoheader doesn't execute shell script commands. # it is possible to make loops using m4 but the code would look even -# more confusing.. +# more confusing.. SN_CHECK_DECLS(printf fprintf syslog puts fputs fputc fopen \ fclose fwrite fflush getopt bzero bcopy memset strtol \ strcasecmp strncasecmp strerror perror socket sendto \ vsnprintf snprintf strtoul) -AC_CHECK_FUNCS([strlcpy strlcat strerror vswprintf wprintf]) +AC_CHECK_FUNCS([sigaction strlcpy strlcat strerror vswprintf wprintf memrchr inet_ntop]) AC_CHECK_FUNC([snprintf],[have_snprintf="yes"],[have_snprintf="no"]) AM_CONDITIONAL(BUILD_SNPRINTF, test "x$have_snprintf" != "xyes") 
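Review bot: `AC_CHECK_HEADERS(uuid/uuid.h, [AC_CHECK_LIB(uuid,uuid_parse)])` links libuuid into the build whenever the header happens to exist on the build host, with no `--with-uuid`/`--without-uuid` control and no comment naming which source needs `uuid_parse`, so two builds of the same tree can differ only by what was installed where they were built. A comment such as `# optional: <feature that calls uuid_parse> is compiled only when libuuid is found` plus an `AC_ARG_WITH` so packagers can pin the result either way would make the dependency explicit and reproducible. The new `AC_CHECK_FUNCS([sigaction ... memrchr inet_ntop])` list is a reasonable feature test, but on hosts where `inet_ntop` lives in a library not yet on LIBS at this point the check answers "no" regardless of the header; the earlier library checks are outside this hunk, so treat that as something to confirm rather than a defect.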
@@ -351,11 +374,11 @@ AC_CHECK_HEADERS(pfring.h,, PFRING_H="no") # It is important to have the AC_CHECK_LIB for the pfring library BEFORE -# the one for pfring-enabled pcap. When the Makefile is created, all the -# libraries used during linking are added to the LIBS variable in the -# Makefile in the opposite order that their AC_CHECK_LIB macros appear -# in configure.in. Durring linking, the pfring library (-lpfring) MUST come -# _after_ the libpcap library (-lpcap) or linking will fail. +# the one for pfring-enabled pcap. When the Makefile is created, all the +# libraries used during linking are added to the LIBS variable in the +# Makefile in the opposite order that their AC_CHECK_LIB macros appear +# in configure.in. Durring linking, the pfring library (-lpfring) MUST come +# _after_ the libpcap library (-lpcap) or linking will fail. PFRING_L="" AC_CHECK_LIB(pfring, pfring_open,, PFRING_L="no") @@ -432,6 +455,7 @@ if test "x$with_libpcre_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_libpcre_includes}" else CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`" fi @@ -458,7 +482,7 @@ pcre_version_six="" AC_CHECK_LIB(pcre, pcre_compile, ,PCRE_L="no") if test "x$PCRE_L" = "xno"; then - echo + echo echo " ERROR! Libpcre library not found." echo " Get it from http://www.pcre.org" echo @@ -478,7 +502,7 @@ if test "x$pcre_version_six" != "xyes"; then AC_MSG_RESULT(no) - echo + echo echo " ERROR! Libpcre library version >= 6.0 not found." echo " Get it from http://www.pcre.org" echo 
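Review bot: `ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_libpcre_includes}"` is appended only on the `--with-libpcre-includes` branch; the `else` branch still puts the `pcre-config --cflags` output into CPPFLAGS alone, so whatever consumes ICONFIGFLAGS (outside this hunk) sees the pcre include path only when the user spelled it out. Unless that asymmetry is intended, mirror it in the `else` branch: `ICONFIGFLAGS="${ICONFIGFLAGS} `pcre-config --cflags`"`. The same one-sided pattern is used for the DAQ include path in the `@@ -545` hunk on L466, where there is no `else` branch at all, so a comment stating that ICONFIGFLAGS deliberately carries only user-supplied paths would be an acceptable alternative to the code change.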
@@ -487,8 +511,29 @@ AC_MSG_RESULT(yes) fi + +AC_ARG_VAR(SIGNAL_SNORT_RELOAD, set the SIGNAL_SNORT_RELOAD value) +if test "x$SIGNAL_SNORT_RELOAD" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_RELOAD], [$SIGNAL_SNORT_RELOAD], [Set by user]) +fi + +AC_ARG_VAR(SIGNAL_SNORT_DUMP_STATS, set the SIGNAL_SNORT_DUMP_STATS value) +if test "x$SIGNAL_SNORT_DUMP_STATS" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_DUMP_STATS], [$SIGNAL_SNORT_DUMP_STATS], [Set by user]) +fi + +AC_ARG_VAR(SIGNAL_SNORT_ROTATE_STATS, set the SIGNAL_SNORT_ROTATE_STATS value) +if test "x$SIGNAL_SNORT_ROTATE_STATS" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_ROTATE_STATS], [$SIGNAL_SNORT_ROTATE_STATS], [Set by user]) +fi + +AC_ARG_VAR(SIGNAL_SNORT_READ_ATTR_TBL, set the SIGNAL_SNORT_READ_ATTR_TBL value) +if test "x$SIGNAL_SNORT_READ_ATTR_TBL" != "x" ; then + AC_DEFINE_UNQUOTED([SIGNAL_SNORT_READ_ATTR_TBL], [$SIGNAL_SNORT_READ_ATTR_TBL], [Set by user]) +fi + AC_ARG_ENABLE(dynamicplugin, -[ --enable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries)], +[ --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries)], enable_dynamicplugin="$enableval", enable_dynamicplugin="yes") AM_CONDITIONAL(HAVE_DYNAMIC_PLUGINS, test "x$enable_dynamicplugin" = "xyes") 
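Review bot: The four new `AC_ARG_VAR(SIGNAL_SNORT_*)` blocks copy the user-supplied value straight into config.h through `AC_DEFINE_UNQUOTED` with no validation, so a malformed value (a stray space, `10; foo`, or any shell-expanded junk) yields a broken `#define` that only fails, confusingly, at compile time. A one-line check before each define keeps it honest: `case $SIGNAL_SNORT_RELOAD in *[[!0-9A-Za-z_]]*) AC_MSG_ERROR([SIGNAL_SNORT_RELOAD must be a signal number or SIG* name]);; esac` (doubled brackets because of m4 quoting), which still accepts both numeric values and macro names. The four blocks differ only in the variable name, so a loop over the names (`m4_foreach_w`, if the autoconf floor permits it) or a small local macro would remove the copy-paste. Separately, `--disable-dynamicplugin Enable Ability to dynamically load ...` is the first of many help strings in this commit whose switch was renamed to `--disable-` while the description still reads as an opt-in (`--disable-static-daq` on L466, `--disable-zlib` on L468, `--disable-gre`/`--disable-mpls`/`--disable-targetbased` on L469, `--disable-ppm`/`--disable-perfprofiling` on L470, `--disable-active-response`/`--disable-normalizer`/`--disable-reload` on L472, `--disable-react`/`--disable-flexresp3` on L474); `--disable-ipv6 Disable IPv6 support` on L468 shows the wording that matches the switch.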
@@ -496,41 +541,64 @@ CPPFLAGS="$CPPFLAGS -DDYNAMIC_PLUGIN" fi -# check for dumbnet first since some DAQs need it -AC_ARG_WITH(dumbnet_includes, - [ --with-dumbnet-includes=DIR libdumbnet include directory], - [with_dumbnet_includes="$withval"],[with_dumbnet_includes="no"]) - -AC_ARG_WITH(dumbnet_libraries, - [ --with-dumbnet-libraries=DIR libdumbnet library directory], - [with_dumbnet_libraries="$withval"],[with_dumbnet_libraries="no"]) +AC_ARG_ENABLE(so_with_static_lib, +[ --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library], + enable_so_with_static_lib="$enableval", enable_so_with_static_lib=$so_with_static_lib) +AM_CONDITIONAL(SO_WITH_STATIC_LIB, test "x$enable_so_with_static_lib" = "xyes") + +AC_ARG_ENABLE(control_socket, +[ --enable-control-socket Enable the control socket], + enable_control_socket="$enableval", enable_control_socket="no") +if test "x$linux" != "xyes"; then + if test "x$enable_control_socket" = "xyes"; then + AC_MSG_WARN([[The control socket is only supported on Linux systems.]]) + enable_control_socket="no" + fi +fi +AM_CONDITIONAL(BUILD_CONTROL_SOCKET, test "x$enable_control_socket" = "xyes") +if test "x$enable_control_socket" = "xyes"; then + CONFIGFLAGS="$CONFIGFLAGS -DCONTROL_SOCKET" +fi + +# check for dnet first since some DAQs need it +AC_ARG_WITH(dnet_includes, + [ --with-dnet-includes=DIR libdnet include directory], + [with_dnet_includes="$withval"],[with_dnet_includes="no"]) + +AC_ARG_WITH(dnet_libraries, + [ --with-dnet-libraries=DIR libdnet library directory], + [with_dnet_libraries="$withval"],[with_dnet_libraries="no"]) -if test "x$with_dumbnet_includes" != "xno"; then - CPPFLAGS="${CPPFLAGS} -I${with_dumbnet_includes}" +if test "x$with_dnet_includes" != "xno"; then + CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}" else - CPPFLAGS="${CPPFLAGS} `dumbnet-config --cflags`" + CPPFLAGS="${CPPFLAGS} `dnet-config --cflags 2>/dev/null`" fi -if test "x$with_dumbnet_libraries" 
!= "xno"; then - LDFLAGS="${LDFLAGS} -L${with_dumbnet_libraries} -ldumbnet" +if test "x$with_dnet_libraries" != "xno"; then + LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}" else - LDFLAGS="${LDFLAGS} `dumbnet-config --libs`" + LDFLAGS="${LDFLAGS} `dnet-config --libs 2>/dev/null`" fi -AC_CHECK_HEADERS(dumbnet.h, DNET="yes", DNET="no") -if test "x$DNET" = "xno"; then +AC_CHECK_HEADERS(dnet.h,,DNET_H="no") +AC_CHECK_HEADERS(dumbnet.h,,DUMBNET_H="no") + +if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then echo - echo " ERROR! dumbnet header not found, go get it from" - echo " http://code.google.com/p/libdnet/ or use the --with-dumbnet-*" + echo " ERROR! dnet header not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" echo " options, if you have it installed in an unusual place" exit fi -AC_CHECK_LIB(dumbnet, eth_set, DNET="yes", DNET="no") -if test "x$DNET" = "xno"; then +AC_CHECK_LIB(dnet, eth_set,,[DNET="no"]) +AC_CHECK_LIB(dumbnet, eth_set,,[DUMBNET="no"]) + +if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then echo - echo " ERROR! dumbnet library not found, go get it from" - echo " http://code.google.com/p/libdnet/ or use the --with-dumbnet-*" + echo " ERROR! dnet library not found, go get it from" + echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*" echo " options, if you have it installed in an unusual place" exit fi @@ -545,6 +613,7 @@ if test "x$with_daq_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_daq_includes}" + ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_daq_includes}" fi if test "x$with_daq_libraries" != "xno"; then @@ -552,7 +621,7 @@ fi AC_ARG_ENABLE(static_daq, -[ --enable-static-daq Link static DAQ modules.], +[ --disable-static-daq Link static DAQ modules.], enable_static_daq="$enableval", enable_static_daq="yes") if test "x$enable_static_daq" = "xyes" \ 
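Review bot: Both new error blocks ("ERROR! dnet header not found" and "ERROR! dnet library not found") end with a bare `exit` on a context line, whose status is that of the preceding `echo`, i.e. 0 — so a missing libdnet aborts configure with a success exit code and any `./configure && make` driver or packaging script carries on to a confusing build failure. Replacing each echo block with `AC_MSG_ERROR([dnet header not found; get it from http://code.google.com/p/libdnet/ or use the --with-dnet-* options])` (and the matching text for the library) records the failure in config.log and exits non-zero. A smaller point in the same hunk: when both `dnet.h` and `dumbnet.h`, or both libraries, are present, both `AC_CHECK_LIB` calls append their `-l` to LIBS and the link line carries both; chaining the second check on the first's failure avoids that. The option handling this hunk belongs to starts on the previous physical line.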
@@ -601,6 +670,8 @@ fi fi +AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta]) + # any sparc platform has to have this one defined. AC_MSG_CHECKING(for sparc) if eval "echo $host_cpu|grep -i sparc >/dev/null"; then @@ -657,12 +728,11 @@ [gl_cv_cc_visibility="no"]) ]) AC_MSG_RESULT([$gl_cv_cc_visibility]) + CFLAGS="$gl_save_CFLAGS" if test "x$gl_cv_cc_visibility" = "xyes"; then - CFLAGS="$gl_save_CFLAGS -fvisibility=hidden" + CCONFIGFLAGS="${CCONFIGFLAGS} -DSF_VISIBILITY -fvisibility=hidden" AC_DEFINE([HAVE_VISIBILITY],[1], [Define if the compiler supports visibility declarations.]) - else - CFLAGS="$gl_save_CFLAGS" fi ]) CC_VISIBILITY() 
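Review bot: `AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])` passes two adjacent quoted words, which m4 happens to join into one whitespace-separated list, but the usual and unambiguous form is `AC_CHECK_FUNCS([daq_hup_apply daq_acquire_with_meta])`. These checks only mean something if the DAQ library is already on the link line here; the DAQ library handling is in the L466 hunks and I cannot see `-ldaq` being added to LIBS before this point, so confirm the test is not silently answering "no" on every host. In the CC_VISIBILITY hunk the restore `CFLAGS="$gl_save_CFLAGS"` now runs unconditionally before the `if`, which is correct; that macro's body begins outside the hunk.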
@@ -681,28 +751,28 @@ fi AC_ARG_ENABLE(dlclose, -[ --enable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.], +[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.], enable_dlclose="$enableval", enable_dlclose="yes") if test "x$enable_dlclose" = "xno"; then AC_DEFINE([DISABLE_DLCLOSE_FOR_VALGRIND_TESTING],[1],[Don't close opened shared objects for valgrind leak testing of dynamic libraries]) fi AC_ARG_ENABLE(ipv6, -[ --enable-ipv6 Enable IPv6 support], - enable_ipv6="$enableval", enable_ipv6="no") +[ --disable-ipv6 Disable IPv6 support], + enable_ipv6="$enableval", enable_ipv6="yes") if test "x$enable_ipv6" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSUP_IP6" + CONFIGFLAGS="$CONFIGFLAGS -DSUP_IP6" fi AM_CONDITIONAL(HAVE_SUP_IP6, test "x$enable_ipv6" = "xyes") AC_ARG_ENABLE(zlib, -[ --enable-zlib Enable Http Response Decompression], - enable_zlib="$enableval", enable_zlib="no") +[ --disable-zlib Enable Http Response Decompression], + enable_zlib="$enableval", enable_zlib="yes") AM_CONDITIONAL(HAVE_ZLIB, test "x$enable_zlib" = "xyes") if test "x$enable_zlib" = "xyes"; then Z_LIB="" AC_CHECK_HEADERS(zlib.h,, Z_LIB="no") - if test "x$ZLIB" = "xno"; then + if test "x$Z_LIB" = "xno"; then echo echo " ERROR! zlib header not found, go get it from" echo " http://www.zlib.net" @@ -711,7 +781,7 @@ Z_LIB="" AC_CHECK_LIB(z, inflate,, Z_LIB="no") - if test "x$ZLIB" = "xno"; then + if test "x$Z_LIB" = "xno"; then echo echo " ERROR! zlib library not found, go get it from" echo " http://www.zlib.net" 
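Review bot: The `ZLIB` → `Z_LIB` fix makes the "zlib header not found" branch reachable for the first time, and with `enable_zlib` now defaulting to yes it will fire on any host without zlib headers; how that branch terminates is outside the hunk, and if it ends with a bare `exit` like the dnet block on L466, configure will report the failure with exit status 0. `AC_MSG_ERROR([zlib header not found; get it from http://www.zlib.net or pass --disable-zlib])` in place of the echo block guarantees a non-zero exit, and the same applies to the library branch fixed in the `@@ -711` hunk. Since the default flipped, `--disable-zlib Enable Http Response Decompression` should also say the feature is on by default.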
@@ -722,26 +792,26 @@ fi AC_ARG_ENABLE(gre, -[ --enable-gre Enable GRE and IP in IP encapsulation support], - enable_gre="$enableval", enable_gre="no") +[ --disable-gre Enable GRE and IP in IP encapsulation support], + enable_gre="$enableval", enable_gre="yes") if test "x$enable_gre" = "xyes"; then CPPFLAGS="$CPPFLAGS -DGRE" fi AC_ARG_ENABLE(mpls, -[ --enable-mpls Enable MPLS support], - enable_mpls="$enableval", enable_mpls="no") +[ --disable-mpls Enable MPLS support], + enable_mpls="$enableval", enable_mpls="yes") if test "x$enable_mpls" = "xyes"; then CPPFLAGS="$CPPFLAGS -DMPLS" fi AC_ARG_ENABLE(targetbased, -[ --enable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], - enable_targetbased="$enableval", enable_targetbased="no") +[ --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], + enable_targetbased="$enableval", enable_targetbased="yes") AM_CONDITIONAL(HAVE_TARGET_BASED, test "x$enable_targetbased" = "xyes") if test "x$enable_targetbased" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DTARGET_BASED" + CONFIGFLAGS="$CONFIGFLAGS -DTARGET_BASED" LIBS="$LIBS -lpthread" if test "$LEX" = "none"; then echo 
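Review bot: `LIBS="$LIBS -lpthread"` in the targetbased block is one of three places that append `-lpthread` — the `--enable-pthread` block on L470 and the reload block on L473 are the others — and this commit flips all three defaults to yes, so a default build now carries `-lpthread` three times on the link line. The linker does not mind, but it hides which option actually needs the library; set a flag in each block instead, `need_pthread="yes"`, and append `-lpthread` once after the last of them. The `if test "$LEX" = "none"` error text continues past the end of the hunk.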
@@ -762,24 +832,24 @@ fi AC_ARG_ENABLE(decoder-preprocessor-rules, -[ --enable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events], - enable_decoder_preprocessor_rules="$enableval", enable_decoder_preprocessor_rules="no") +[ --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events], + enable_decoder_preprocessor_rules="$enableval", enable_decoder_preprocessor_rules="yes") if test "x$enable_decoder_preprocessor_rules" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS" fi AC_ARG_ENABLE(ppm, -[ --enable-ppm Enable packet/rule performance monitor], - enable_ppm="$enableval", enable_ppm="no") +[ --disable-ppm Enable packet/rule performance monitor], + enable_ppm="$enableval", enable_ppm="yes") if test "x$enable_ppm" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPPM_MGR" fi AC_ARG_ENABLE(perfprofiling, -[ --enable-perfprofiling Enable preprocessor and rule performance profiling], - enable_perfprofiling="$enableval", enable_perfprofiling="no") +[ --disable-perfprofiling Enable preprocessor and rule performance profiling], + enable_perfprofiling="$enableval", enable_perfprofiling="yes") if test "x$enable_perfprofiling" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DPERF_PROFILING" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi AC_ARG_ENABLE(linux-smp-stats, @@ -813,9 +883,9 @@ fi fi -AC_ARG_ENABLE(pthread, -[ --enable-pthread Enable pthread support], - enable_pthread="$enableval", enable_pthread="no") +AC_ARG_ENABLE(pthread, +[ --disable-pthread Disable pthread support], + enable_pthread="$enableval", enable_pthread="yes") if test "x$enable_pthread" = "xyes"; then LIBS="$LIBS -lpthread" @@ -825,7 +895,7 @@ [ --enable-debug-msgs Enable debug printing options (bugreports and developers only)], enable_debug_msgs="$enableval", enable_debug_msgs="no") if test "x$enable_debug_msgs" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DDEBUG" + CPPFLAGS="$CPPFLAGS -DDEBUG_MSGS" fi AC_ARG_ENABLE(debug, 
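Review bot: `CPPFLAGS="$CPPFLAGS -DDEBUG_MSGS"` silently renames the macro that `--enable-debug-msgs` used to set, while `-DDEBUG` moves to the `--enable-debug` block in the next hunk (L471); nothing in the help text or a comment records the split, so anyone who built with `--enable-debug-msgs` alone to get `DEBUG` loses it without warning. A comment above the line would do: `# --enable-debug-msgs defines DEBUG_MSGS only; DEBUG itself is now set by --enable-debug below`. Which sources test which macro is outside this diff, so I cannot say whether any `#ifdef DEBUG` block was meant to stay tied to this option — worth a grep before merging.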
@@ -839,6 +909,16 @@ if echo $CFLAGS | grep -qve -g ; then CFLAGS="$CFLAGS -g" fi + + CPPFLAGS="$CPPFLAGS -DDEBUG" +fi + +AC_ARG_ENABLE(gdb, +[ --enable-gdb Enable gdb debugging information], + enable_gdb="$enableval", enable_gdb="no") + +if test "x$enable_gdb" = "xyes"; then + CFLAGS="$CFLAGS -g -ggdb" fi AC_ARG_ENABLE(profile, @@ -855,7 +935,7 @@ fi AC_ARG_ENABLE(ppm-test, -[ --enable-ppm-test Enable packet/rule performance monitor], +[ --disable-ppm-test Enable packet/rule performance monitor], enable_ppm_test="$enableval", enable_ppm_test="no") if test "x$enable_ppm_test" = "xyes"; then 
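Review bot: The help line was changed to `--disable-ppm-test Enable packet/rule performance monitor` but the default on the next line is still `enable_ppm_test="no"`, so the documented switch is a no-op and the only way to turn the feature on (`--enable-ppm-test`) no longer appears in `./configure --help`. Either keep `[ --enable-ppm-test ...]` as before or flip the default like the neighbouring options; the description also duplicates the `--enable-ppm` one and should say what the test mode adds. In the new `--enable-gdb` block `CFLAGS="$CFLAGS -g -ggdb"` assumes a GCC-compatible compiler (`-ggdb` is not portable) and `--enable-debug` above already adds `-g`, so a guard or a note that this option is GCC-only would help. The `--enable-debug` block that gains `CPPFLAGS="$CPPFLAGS -DDEBUG"` starts outside the hunk.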
@@ -863,48 +943,51 @@ fi AC_ARG_ENABLE(sourcefire, -[ --enable-sourcefire Enable Sourcefire specific build options], +[ --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling,--enable-decoder-preprocessor-rules, --enable-ppm], enable_sourcefire="$enableval", enable_sourcefire="no") if test "x$enable_sourcefire" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPERF_PROFILING -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR" + CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi AC_ARG_ENABLE(corefiles, [ --disable-corefiles Prevent Snort from generating core files], enable_corefiles="$enableval", enable_corefiles="yes") -if test "x$enable_corefiles" = "xno"; then +if test "x$enable_corefiles" = "xno"; then CPPFLAGS="$CPPFLAGS -DNOCOREFILE" fi AC_ARG_ENABLE(active-response, -[ --enable-active-response Enable reject injection], - enable_active_response="$enableval", enable_active_response="no") +[ --disable-active-response Enable reject injection], + enable_active_response="$enableval", enable_active_response="yes") AC_ARG_ENABLE(normalizer, -[ --enable-normalizer Enable packet/stream normalizations], - enable_normalizer="$enableval", enable_normalizer="no") +[ --disable-normalizer Enable packet/stream normalizations], + enable_normalizer="$enableval", enable_normalizer="yes") AC_ARG_ENABLE(reload, -[ --enable-reload Enable reloading a configuration without restarting], - enable_reload="$enableval", enable_reload="no") +[ --disable-reload Enable reloading a configuration without restarting], + enable_reload="$enableval", enable_reload="yes") AC_ARG_ENABLE(reload-error-restart, -[ --enable-reload-error-restart Enable restarting on reload error], +[ --disable-reload-error-restart Enable restarting on reload error], enable_reload_error_restart="$enableval", enable_reload_error_restart="yes") if test "x$enable_reload" = "xyes"; then if test 
"x$enable_reload_error_restart" = "xyes"; then - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD" + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD" else - CPPFLAGS="$CPPFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" + CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL" fi LIBS="$LIBS -lpthread" fi -AC_ARG_WITH(mysql, +configuring_database="no" + +AC_ARG_WITH(mysql, [ --with-mysql=DIR Support for MySQL], [ with_mysql="$withval"], [ with_mysql="no" ]) @@ -919,6 +1002,7 @@ default_directory="/usr /usr/local" if test "x$with_mysql" != "xno"; then + configuring_database="yes" if test "x$with_mysql" = "xyes"; then if test "x$with_mysql_includes" != "xno"; then mysql_inc_directory="$with_mysql_includes"; @@ -988,7 +1072,7 @@ MYSQL_LIB_DIR="$i/mysql" break 2 fi - done + done fi if test -z "$MYSQL_LIB_DIR"; then str="$i/mysql/lib/libmysqlclient.*" @@ -1100,12 +1184,13 @@ fi fi -AC_ARG_WITH(odbc, +AC_ARG_WITH(odbc, [ --with-odbc=DIR Support for ODBC], [ with_odbc="$withval" ], [ with_odbc="no" ]) if test "x$with_odbc" != "xno"; then + configuring_database="yes" if test "x$with_odbc" = "xyes"; then odbc_directory="$default_directory" odbc_fail="yes" @@ -1142,7 +1227,7 @@ str="$ODBC_DIR/lib/libodbc.*" for j in `echo $str`; do - if test -r "$j"; then + if test -r "$j"; then ODBC_LIB_DIR="$ODBC_DIR/lib" ODBC_LIB="odbc" fi @@ -1151,7 +1236,7 @@ dnl if test -z "$ODBC_LIB_DIR"; then dnl str="$ODBC_DIR/lib/libiodbc.*" dnl for j in `echo $str`; do -dnl if test -r $j; then +dnl if test -r $j; then dnl ODBC_LIB_DIR="$ODBC_DIR/lib" dnl ODBC_LIB="iodbc" dnl fi @@ -1173,7 +1258,7 @@ fi fi -AC_ARG_WITH(postgresql, +AC_ARG_WITH(postgresql, [ --with-postgresql=DIR Support for PostgreSQL], [ with_postgresql="$withval" ], [ with_postgresql="no" ]) 
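Review bot: `--disable-active-response Enable reject injection` flips the compiled-in default for active response, and `--disable-normalizer`, `--disable-reload` and (on L474) `--disable-react`/`--disable-flexresp3` do the same, so a default 2.9.2 build now contains packet-injection and stream-normalization code that 2.9.0.1 left out unless asked for; the help strings should say "(on by default)" so packagers notice, and the release notes should call the change out. The new `--enable-sourcefire` description has a typo (`encompasing`) and claims to encompass `--enable-perfprofiling`, `--enable-decoder-preprocessor-rules` and `--enable-ppm`, yet all three now default to yes, so the block's own `-DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR` and `-DPERF_PROFILING` are redundant duplicates in the common case; `--enable-sourcefire Enable Sourcefire-specific build options (implies perfprofiling, decoder-preprocessor-rules and ppm)` reads better. This hunk starts on the previous physical line.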
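Review bot: `configuring_database="yes"` is set inside the `--with-mysql`, `--with-odbc` and (on L474) `--with-postgresql`/`--with-oracle` branches, but the declaration `configuring_database="no"` carries no comment and its consumer is in none of these hunks — from the generated configure on L460 it appears to drive the "Database output plugins are deprecated" banner printed at the end of configure. A comment at the declaration, `# set by any --with-<db>; drives the deprecation warning printed at the end of configure`, ties the two together for the next reader. The remaining `@@ -1100`, `@@ -1142`, `@@ -1151` and `@@ -1173` hunks here are whitespace-only.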
@@ -1184,6 +1269,7 @@ [with_pgsql_includes="no" ]) if test "x$with_postgresql" != "xno"; then + configuring_database="yes" if test "x$with_postgresql" = "xyes"; then postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql /usr/local" postgresql_fail="yes" @@ -1280,12 +1366,13 @@ fi fi -AC_ARG_WITH(oracle, +AC_ARG_WITH(oracle, [ --with-oracle=DIR Support for Oracle], [ with_oracle="$withval" ], [ with_oracle="no" ]) if test "x$with_oracle" != "xno"; then + configuring_database="yes" if test "x$with_oracle" = "xyes"; then oracle_directory="$default_directory ${ORACLE_HOME}" oracle_fail="yes" @@ -1335,13 +1422,21 @@ fi fi +AC_ARG_ENABLE(paf, +[ --disable-paf disable protocol aware flushing], + enable_paf="$enableval", enable_paf="yes") + +if test "x$enable_paf" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DENABLE_PAF" +fi + AC_ARG_ENABLE(react, -[ --enable-react Intercept and terminate offending HTTP accesses], - enable_react="$enableval", enable_react="no") +[ --disable-react Intercept and terminate offending HTTP accesses], + enable_react="$enableval", enable_react="yes") AC_ARG_ENABLE(flexresp3, -[ --enable-flexresp3 Flexible Responses (v3) on hostile connection attempts], - enable_flexresp3="$enableval", enable_flexresp3="no") +[ --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts], + enable_flexresp3="$enableval", enable_flexresp3="yes") AC_ARG_ENABLE(aruba, [ --enable-aruba Enable Aruba output plugin], @@ -1355,7 +1450,7 @@ # flexresp3 options are a union of flexresp (deleted) and flexresp2 # options so we assume flexresp3 if multiple are enabled. if test "x$enable_flexresp2" = "xyes"; then - echo "WARNING: multiple flexresp versions enabled; using flexresp3" + echo "WARNING: multiple flexresp versions enabled; using flexresp3." enable_flexresp2="no" fi fi 
@@ -1373,7 +1468,7 @@ if test "x$enable_normalizer" = "xyes" \ -o "x$enable_sourcefire" = "xyes" ; \ then - CPPFLAGS="${CPPFLAGS} -DNORMALIZER" + CONFIGFLAGS="${CONFIGFLAGS} -DNORMALIZER" fi if test "x$enable_active_response" = "xyes" \ @@ -1381,7 +1476,7 @@ -o "x$enable_react" = "xyes" \ -o "x$enable_sourcefire" = "xyes" ; \ then - CPPFLAGS="${CPPFLAGS} -DACTIVE_RESPONSE" + CONFIGFLAGS="${CONFIGFLAGS} -DACTIVE_RESPONSE" fi AC_ARG_ENABLE(intel_soft_cpm, 
@@ -1412,14 +1507,75 @@ CPPFLAGS="${CPPFLAGS} -DINTEL_SOFT_CPM" fi +AC_ARG_ENABLE(shared_rep, + [ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)], + enable_shared_rep="$enableval", enable_shared_rep="no") + +if test "x$enable_shared_rep" = "xyes"; then + if test "x$linux" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -DSHARED_REP" + LIBS="$LIBS -lrt" + else + echo "WARNING: shared reputation is only available on linux." + enable_shared_rep="no" + fi +fi + +AM_CONDITIONAL(HAVE_SHARED_REP, test "x$enable_shared_rep" = "xyes") + +AC_ARG_ENABLE(rzb-saac, +[ --enable-rzb-saac Enable Razorback SaaC support], + enable_rzb_saac="$enableval", enable_rzb_saac="no") + +AC_ARG_WITH(librzb_api, + [ --with-librzb-api=DIR librazorback_api directory], + [with_librzb_api="$withval"],[with_librzb_api="no"]) + +if test "x$with_librzb_api" = "xno"; then + export PKG_CONFIG_PATH=$prefix/lib/pkgconfig:$PKG_CONFIG_PATH +else + export PKG_CONFIG_PATH=$with_librzb_api/lib/pkgconfig:$PKG_CONFIG_PATH +fi + +if test "x$enable_rzb_saac" = "xyes"; then + AC_CHECK_PROG(PKG_CONFIG,pkg-config,yes) + if test "x$PKG_CONFIG" != "xyes"; then + echo + echo + echo " ERROR! pkg-config not found, go get it from" + echo " http://freedesktop.org" + exit + fi + + PKG_CHECK_MODULES([RAZORBACK], [razorback >= 0.1.3], [], [LRZB=no]) + if test "x$LRZB" = "xno"; then + echo + echo " ERROR! razorback_api library not found, go get it from" + echo " http://sourceforge.net/projects/razorbacktm/" + exit + fi +fi + +AM_CONDITIONAL([WANT_SF_SAAC], [test x$enable_rzb_saac = xyes]) + +AC_ARG_ENABLE(large-pcap, +[ --enable-large-pcap Enable support for pcaps larger than 2 GB], + enable_large_pcap="$enableval", enable_large_pcap="no") + +if test "x$enable_large_pcap" = "xyes"; then + CPPFLAGS="${CPPFLAGS} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" +fi + # let's make some fixes.. 
+CFLAGS="${CFLAGS} ${CCONFIGFLAGS}" CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'` +CPPFLAGS="${CPPFLAGS} ${CONFIGFLAGS}" CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'` if test "x$GCC" = "xyes" ; then echo `$CC -v 2>&1` | grep "version 4" > /dev/null - if test $? = 0 ; then + if test $? = 0 ; then CFLAGS="$CFLAGS -fno-strict-aliasing" fi fi @@ -1509,9 +1665,12 @@ echo $CFLAGS > cflags.out echo $CPPFLAGS > cppflags.out -INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based' +INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Stream5 -I$(top_srcdir)/src/target-based -I$(top_srcdir)/src/control' AC_SUBST(INCLUDES) +AC_SUBST(CONFIGFLAGS) +AC_SUBST(CCONFIGFLAGS) +AC_SUBST(ICONFIGFLAGS) AC_PROG_INSTALL AC_CONFIG_FILES([ \ @@ -1519,6 +1678,7 @@ Makefile \ src/Makefile \ src/sfutil/Makefile \ +src/control/Makefile \ src/detection-plugins/Makefile \ src/dynamic-examples/Makefile \ src/dynamic-examples/dynamic-preprocessor/Makefile \ 
@@ -1529,13 +1689,22 @@
 src/dynamic-plugins/sf_preproc_example/Makefile \
 src/dynamic-preprocessors/Makefile \
 src/dynamic-preprocessors/libs/Makefile \
+src/dynamic-preprocessors/libs/snort_preproc.pc \
 src/dynamic-preprocessors/ftptelnet/Makefile \
 src/dynamic-preprocessors/smtp/Makefile \
 src/dynamic-preprocessors/ssh/Makefile \
+src/dynamic-preprocessors/sip/Makefile \
+src/dynamic-preprocessors/reputation/Makefile \
+src/dynamic-preprocessors/gtp/Makefile \
 src/dynamic-preprocessors/dcerpc2/Makefile \
+src/dynamic-preprocessors/pop/Makefile \
+src/dynamic-preprocessors/imap/Makefile \
 src/dynamic-preprocessors/sdf/Makefile \
 src/dynamic-preprocessors/dns/Makefile \
 src/dynamic-preprocessors/ssl/Makefile \
+src/dynamic-preprocessors/modbus/Makefile \
+src/dynamic-preprocessors/dnp3/Makefile \
+src/dynamic-preprocessors/rzb_saac/Makefile \
 src/output-plugins/Makefile \
 src/preprocessors/Makefile \
 src/preprocessors/HttpInspect/Makefile \
@@ -1554,13 +1723,14 @@
 src/target-based/Makefile \
 doc/Makefile \
 contrib/Makefile \
-schemas/Makefile \
 rpm/Makefile \
 preproc_rules/Makefile \
 m4/Makefile \
 etc/Makefile \
+schemas/Makefile \
 templates/Makefile \
 tools/Makefile \
+tools/control/Makefile \
 tools/u2boat/Makefile \
 tools/u2spewfoo/Makefile \
 src/win32/Makefile])
@@ -1588,3 +1758,25 @@ EOF fi + +if test "x$configuring_database" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Database output plugins are deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3. The recommended approach to logging is to" + echo "!! use unified2 with barnyard2 or similar." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_aruba" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Arubu output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi + +if test "x$enable_prelude" = "xyes"; then + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "!! WARNING: Prelude output plugin is deprecated as of Snort 2.9.2 and will be" + echo "!! removed in Snort 2.9.3." + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" +fi diff -Nru snort-2.9.0.1/contrib/Makefile.in snort-2.9.2/contrib/Makefile.in --- snort-2.9.0.1/contrib/Makefile.in 2010-10-08 02:56:51.000000000 -0700 +++ snort-2.9.2/contrib/Makefile.in 2011-12-07 11:23:17.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
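Review bot: The user-facing deprecation banner for the Aruba plugin misspells the plugin name: `echo "!! WARNING: Arubu output plugin is deprecated as of Snort 2.9.2 and will be"` should read `echo "!! WARNING: Aruba output plugin is deprecated as of Snort 2.9.2 and will be"`. The third block tests `$enable_prelude`, which none of the hunks on this page set; presumably an AC_ARG_ENABLE(prelude, …) exists elsewhere in configure.in, otherwise the test is always false and that warning never prints. The three near-identical banners could be one shell function taking the plugin name, which would also have prevented the typo from diverging between copies.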
@@ -109,13 +112,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
diff -Nru snort-2.9.0.1/debian/changelog snort-2.9.2/debian/changelog
--- snort-2.9.0.1/debian/changelog 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/changelog 2011-12-28 09:41:39.000000000 -0800
@@ -1,3 +1,108 @@ +snort (2.9.2-1) unstable; urgency=low + + * New upstream release + * Switch to dpkg-source 3.0 (quilt) format + * Port across all changes from Snort 2.8.5.2-5 and later in unstable + * debian/snort.postinst: create the directory that the checksum for + snort.debian.conf will be created in if it doesn't already exist + * debian/rules: tell dh_makeshlibs to not call ldconfig in the + preinst/postinst of snort-common-libraries + * debian/rules: don't install README.WIN32 into snort-doc + + -- Andrew Pollock Tue, 27 Dec 2011 17:22:03 -0800 + +snort (2.8.5.2-9.1) unstable; urgency=low + + * Non-maintainer upload. + * Empty dependency_libs in libtool la file(s). + http://wiki.debian.org/ReleaseGoals/LAFileRemoval Closes: #621859 + + -- Andreas Metzler Sat, 18 Jun 2011 14:08:33 +0200 + +snort (2.8.5.2-9) unstable; urgency=low + + * debian/rules: Change gs-common Build-Depends-Indep to ghostscript fo fix + FTBFS, thanks to Andreas Metzler for the solution. (Closes: 618197) + + -- Javier Fernandez-Sanguino Pen~a Sun, 10 Apr 2011 10:57:55 +0200 + +snort (2.8.5.2-8) unstable; urgency=low + + * debian/snort{,-mysql,-pgsql}.config: Remove the '-o' from + DEBIAN_SNORT_OPTIONS that was prepended by the postinst script in + version 2.8.5.2-2 on upgrades. + * debian/snort{,-mysql,-pgsql}.prerm: Change /usr/sbin/nessus to /usr/sbin/snort + + -- Javier Fernandez-Sanguino Pen~a Thu, 22 Jan 2011 12:18:03 +0100 + +snort (2.8.5.2-7) unstable; urgency=low + + * debian/snort{,-mysql,-pgsql}.config: Remove the '-p' from + DEBIAN_SNORT_OPTIONS that is prepended by the postinst script (if disable + promiscuous is set) before adding it to the debconf value to prevent this + option from being readded again and again on reinstall. (Closes: #608635) + * debian/snort{,-mysql,-pgsql}.postinst: Remove the temporary file used to + test if the configuration files has not been modified when upgrading to + a new version. 
+ + -- Javier Fernandez-Sanguino Pen~a Sun, 02 Jan 2011 20:47:26 +0100 + +snort (2.8.5.2-6) unstable; urgency=high + + * debian/snort{,-mysql,-pgsql}.postinst: Introduce code to be able to manage + the situation in which a local admin has introduced changes in the + /etc/snort/snort.debian.conf configuration file manually. Keep the + local changes and leave the file untouched on upgrades. (Closes: #608590) + * debian/snort-{mysql,-pgsql}.postinst: + - Introduce code to be able to manage the situation in which a local + admin has introduced changes in /etc/snort/database.conf and has not + used dpkg-reconfigure. Keep the local changes and do not touch the + file on upgrades. + - Generate the database.conf regardless of the status of the + db-pending-config file as we need the configuration file in any case. + * debian/snort{,-mysql,-pgsql}.config: Read the values of the configuration + file /etc/snort/snort.debian.conf and use them to set to preseed all the + debconf values. This ensures that local changes are reloaded into debconf + if any changes are made in the file and makes it possible to regenerate + the file with dpkg-reconfigure. + * debian/snort{,-mysql,-inline,-pgsq}.config: Make it possible to debug the + scripts through the use of the DEBIAN_SCRIPT_DEBUG environment variable + * debian/snort-{mysql,pgsql}.config: Fix error in call of template which + belongs to the snort package. Use the proper template now. + * debian/README-database.Debian: Fix syntax error in MySQL example calls and + reword the text a bit to clarify that the provided information are just + examples on how to setup the databases. + * debian/po/: Use debconf-updatepo to remove obsolete translations from PO + files. + * debian/NEWS: Remove the indication that database.conf should not be + manually edited. 
+ + -- Javier Fernandez-Sanguino Pen~a Sat, 01 Jan 2011 23:40:30 +0100 + +snort (2.8.5.2-5) unstable; urgency=high + + * Final RC bug fix: + * snort-common: Create the database.conf file on package's configuration not + on the preinstallation script (Closes: #607801) + * Lintian fixes: + * debian/control: Upgrade standards version, no changes required + * debian/snort.init.d: add $remote_fs to Required-Start and Required-Stop + * debian/snort.templates: Move the config_error template over to + debian/snort-common.templates as it is used there + * debian/snort-{mysql,pgsql}.templates: remove the config_error template + there as it is not used + * debian/control: Upgrade the Build-Depends on debhelper + * src/parser.c: Typo fix argu*e*ment -> argument + * src/preprocessors/spp_perfmonitor.c, + src/dynamic-preprocessors/dns/spp_dns.c: + Typo fix: sep*e*rated --> separated + * rules/web-misc.rules: Limit the depth when searching for an HTTP version + to prevent false positives from apt-get User-Agent string (LP: #258155) + * debian/snort.init.d: Separate warning message from main messages. + * debian/TODO: review contents and update + + -- Javier Fernandez-Sanguino Pen~a Sun, 26 Dec 2010 13:20:25 +0100 + snort (2.9.0.1-2) experimental; urgency=low * [ The Merry Xmas for experimental users Release ! ] @@ -10,7 +115,7 @@ snort (2.8.5.2-4) unstable; urgency=high * [ The Merry Xmas and Merry RC bug fixing Release! ] - * debian/snort-common.preinst: + * debian/snort-common.preinst: - Fix how the files are generated and use Perl instead of bash's echo as the latter will interpret content in the configuration file and will botch it diff -Nru snort-2.9.0.1/debian/control snort-2.9.2/debian/control --- snort-2.9.0.1/debian/control 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/control 2011-12-27 13:53:38.000000000 -0800 
@@ -3,9 +3,9 @@ Priority: optional Maintainer: Javier Fernandez-Sanguino Pen~a Uploaders: Pascal Hakim -Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (>= 4.1.13), libmysqlclient15-dev | libmysqlclient-dev, libpq-dev, po-debconf (>= 0.5.0), libprelude-dev, libgnutls-dev, libdumbnet-dev, libdaq-dev -Build-Depends-Indep: texlive, texlive-latex-base, gs-common -Standards-Version: 3.8.3 +Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (>= 5.0.0), libmysqlclient15-dev | libmysqlclient-dev, libpq-dev, po-debconf (>= 0.5.0), libprelude-dev, libgnutls-dev, libdumbnet-dev, libdaq-dev, flex, bison +Build-Depends-Indep: texlive, texlive-latex-base, ghostscript +Standards-Version: 3.9.1 Homepage: http://www.snort.org/ Package: snort diff -Nru snort-2.9.0.1/debian/NEWS snort-2.9.2/debian/NEWS --- snort-2.9.0.1/debian/NEWS 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/NEWS 2011-12-27 14:04:45.000000000 -0800 @@ -4,9 +4,6 @@ (and configured automatically through Debconf) has now been moved to the /etc/snort/database.conf file. - Please make changes to your database setup using 'dpkg-reconfigure' - and do not edit that file directly. - Note that this file might be empty if you are not logging to a database -- Javier Fernandez-Sanguino Pen~a Mon, 20 Dec 2010 15:31:24 +0100 diff -Nru snort-2.9.0.1/debian/patches/config snort-2.9.2/debian/patches/config --- snort-2.9.0.1/debian/patches/config 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/debian/patches/config 2011-12-28 10:19:47.000000000 -0800 
@@ -0,0 +1,162 @@ +Description: Debianize the upstream Snort configuration file + Make the paths FHS compliant + Add in additional rules shipped with the Debian package +Author: Javier Fernandez-Sanguino Pen~a +Origin: vendor +Last-Update: 2011-11-28 + +--- snort-2.9.2.orig/etc/snort.conf ++++ snort-2.9.2/etc/snort.conf +@@ -46,6 +46,7 @@ ipvar HOME_NET any + + # Set up the external network addresses. Leave as "any" in most situations + ipvar EXTERNAL_NET any ++#ipvar EXTERNAL_NET !$HOME_NET + + # List of DNS servers on your network + ipvar DNS_SERVERS $HOME_NET +@@ -95,9 +96,9 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.2 + # Path to your rules files (this can be a relative path) + # Note for Windows users: You are advised to make this an absolute path, + # such as: c:\snort\rules +-var RULE_PATH ../rules +-var SO_RULE_PATH ../so_rules +-var PREPROC_RULE_PATH ../preproc_rules ++var RULE_PATH /etc/snort/rules ++var SO_RULE_PATH /etc/snort/so_rules ++var PREPROC_RULE_PATH /etc/snort/preproc_rules + + ################################################### + # Step #2: Configure the decoder. 
For more information, see README.decode +@@ -217,13 +218,13 @@ config event_queue: max_queue 8 log 3 or + ################################################### + + # path to dynamic preprocessor libraries +-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ ++dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ + + # path to base preprocessor engine +-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so ++dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so + + # path to dynamic rules libraries +-dynamicdetection directory /usr/local/lib/snort_dynamicrules ++# dynamicdetection directory /usr/lib/snort_dynamicrules + + ################################################### + # Step #5: Configure preprocessors +@@ -477,11 +478,19 @@ preprocessor pop: \ + # output alert_syslog: LOG_AUTH LOG_ALERT + + # pcap +-# output log_tcpdump: tcpdump.log ++output log_tcpdump: tcpdump.log + + # database + # output database: alert, , user= password= test dbname= host= + # output database: log, , user= password= test dbname= host= ++# ++# On Debian Systems, the database configuration is kept in a separate file: ++# /etc/snort/database.conf. ++# This file can be empty, if you are not using any database information ++# If you are using databases, please edit that file instead of this one, to ++# ensure smoother upgrades to future versions of this package. 
++include database.conf ++# + + # prelude + # output alert_prelude +@@ -504,47 +513,63 @@ include $RULE_PATH/local.rules + include $RULE_PATH/attack-responses.rules + include $RULE_PATH/backdoor.rules + include $RULE_PATH/bad-traffic.rules +-include $RULE_PATH/blacklist.rules +-include $RULE_PATH/botnet-cnc.rules ++# include $RULE_PATH/blacklist.rules ++# include $RULE_PATH/botnet-cnc.rules + include $RULE_PATH/chat.rules +-include $RULE_PATH/content-replace.rules ++# include $RULE_PATH/content-replace.rules + include $RULE_PATH/ddos.rules + include $RULE_PATH/dns.rules + include $RULE_PATH/dos.rules ++include $RULE_PATH/community-dos.rules + include $RULE_PATH/exploit.rules ++include $RULE_PATH/community-exploit.rules + include $RULE_PATH/finger.rules + include $RULE_PATH/ftp.rules ++include $RULE_PATH/community-ftp.rules + include $RULE_PATH/icmp.rules + include $RULE_PATH/icmp-info.rules + include $RULE_PATH/imap.rules ++include $RULE_PATH/community-imap.rules + include $RULE_PATH/info.rules + include $RULE_PATH/misc.rules + include $RULE_PATH/multimedia.rules + include $RULE_PATH/mysql.rules + include $RULE_PATH/netbios.rules + include $RULE_PATH/nntp.rules ++include $RULE_PATH/community-nntp.rules + include $RULE_PATH/oracle.rules ++include $RULE_PATH/community-oracle.rules + include $RULE_PATH/other-ids.rules + include $RULE_PATH/p2p.rules +-include $RULE_PATH/phishing-spam.rules ++# include $RULE_PATH/phishing-spam.rules + include $RULE_PATH/policy.rules ++# include $RULE_PATH/community-policy.rules ++# include $RULE_PATH/community-inappropriate.rules ++# include $RULE_PATH/community-game.rules ++# include $RULE_PATH/community-misc.rules + include $RULE_PATH/pop2.rules + include $RULE_PATH/pop3.rules + include $RULE_PATH/rpc.rules + include $RULE_PATH/rservices.rules +-include $RULE_PATH/scada.rules ++# include $RULE_PATH/scada.rules + include $RULE_PATH/scan.rules ++# Note: this rule is extremely chatty, enable with care + include $RULE_PATH/shellcode.rules 
+ include $RULE_PATH/smtp.rules ++include $RULE_PATH/community-smtp.rules + include $RULE_PATH/snmp.rules +-include $RULE_PATH/specific-threats.rules +-include $RULE_PATH/spyware-put.rules ++# include $RULE_PATH/specific-threats.rules ++# include $RULE_PATH/spyware-put.rules + include $RULE_PATH/sql.rules + include $RULE_PATH/telnet.rules + include $RULE_PATH/tftp.rules + include $RULE_PATH/virus.rules +-include $RULE_PATH/voip.rules +-include $RULE_PATH/web-activex.rules ++include $RULE_PATH/community-virus.rules ++include $RULE_PATH/community-bot.rules ++# include $RULE_PATH/voip.rules ++include $RULE_PATH/community-sip.rules ++# Specific web server rules: ++# include $RULE_PATH/web-activex.rules + include $RULE_PATH/web-attacks.rules + include $RULE_PATH/web-cgi.rules + include $RULE_PATH/web-client.rules +@@ -553,6 +578,20 @@ include $RULE_PATH/web-frontpage.rules + include $RULE_PATH/web-iis.rules + include $RULE_PATH/web-misc.rules + include $RULE_PATH/web-php.rules ++include $RULE_PATH/web-attacks.rules ++include $RULE_PATH/community-sql-injection.rules ++include $RULE_PATH/community-web-client.rules ++include $RULE_PATH/community-web-dos.rules ++include $RULE_PATH/community-web-iis.rules ++include $RULE_PATH/community-web-misc.rules ++include $RULE_PATH/community-web-php.rules ++include $RULE_PATH/web-attacks.rules ++include $RULE_PATH/community-sql-injection.rules ++include $RULE_PATH/community-web-client.rules ++include $RULE_PATH/community-web-dos.rules ++include $RULE_PATH/community-web-iis.rules ++include $RULE_PATH/community-web-misc.rules ++include $RULE_PATH/community-web-php.rules + include $RULE_PATH/x11.rules + + ################################################### diff -Nru snort-2.9.0.1/debian/patches/documentation snort-2.9.2/debian/patches/documentation --- snort-2.9.0.1/debian/patches/documentation 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/debian/patches/documentation 2011-12-28 10:22:00.000000000 -0800 
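Review bot: The last hunk of the snort.conf patch (the one at +@@ -553,6 +578,20 @@) adds `include $RULE_PATH/web-attacks.rules`, `include $RULE_PATH/community-sql-injection.rules` and the five community-web-*.rules includes twice each, and web-attacks.rules is already included in the context of the preceding hunk, so those rule files are loaded two or three times. The RELEASE.NOTES.2.6 text added later in this same diff says each rule must have a unique sid/gid pair, so the patched configuration is likely to fail at startup on the duplicated rules rather than just waste memory; keep a single copy of each include line. Separately, the patch uncomments `output log_tcpdump: tcpdump.log`, which turns on full packet logging to the log directory for every Debian install by default; that changes disk usage and retains payloads of matched traffic, so it belongs in debian/NEWS alongside the database.conf note so administrators know it is on.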
@@ -0,0 +1,435 @@ +Description: Additional documentation +Last-Update: 2011-11-28 + +--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.3 +@@ -0,0 +1,133 @@ ++2005-04-22 - Snort 2.3.3 Released ++ ++* Fixed sfPortscan Open Ports not getting suppressed. ++ ++* Added new mini-preprocessor to catch the X-Link2State vulnerability. ++ See Snort manual for details. ++ ++2005-03-10 - Snort 2.3.2 Released ++ ++* Removed end-of-line parser fix in favor of completely reworking ++ this at the next parser overhaul. ++ ++2005-03-09 - Snort 2.3.1 Released ++ ++* Fixed issue where the number of flowbits were too small. Thanks Marc ++ Norton for the fix. ++ ++* Fixed parsing of comments at end of line in config file. In ++ snort.conf, anything that follows a # on a line is considered a ++ comment. Thanks Steve Sturges for the fix. ++ ++* Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. ++ Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and ++ Jonathan Miner for working with us on this. ++ ++2005-01-25 - Snort 2.3.0 Final Released ++ ++* Fixed issue with sfPortscan reporting incorrect IP datagram length. ++ Thanks Jon Hart for the test case and finding the bug, and Marc Norton ++ for resolving the issue. ++ ++* Threshold/Suppression now prints properly when logging to syslog. ++ Thanks Sekure for pointing out the problem. Thanks Steve Sturges for ++ working on the fix. ++ ++* Threshold memcap argument now correctly handles non-integer input. ++ Thanks nnposter for the patch. ++ ++* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were ++ not decoded properly. Thanks Dan Roelker for the fix. ++ ++* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your ++ work on putting it all together. ++ ++2004-12-15 - Snort 2.3.0 RC2 Released ++ ++* Small performance improvement to arpspoof and also fixed a problem ++ where the list of configured IP/MAC entries would contain only one ++ entry and leaked memory (Jeff Nathan). 
++ ++* Fixed a problem affecting MacOS X where linking may fail with ++ non-standard libraries when global symbols are encountered multiple ++ times (Jeff Nathan). ++ ++* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP ++ alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix. ++ ++* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the ++ logdir config will work if the default or command-line logdir does not ++ exist on the system. Thanks Dan Roelker. ++ ++* Fixed bug when setting the doe_ptr on a successful pcre match. ++ It is now set relative to base_ptr. Thanks Steve Sturges for the ++ fix. ++ ++* Added from_beginning and multiplier options for byte_jump. ++ from_beginning skips bytes from the beginning of the content, ++ instead of from the location immediately following the number ++ of bytes to skip. multiplier takes a numeric argument, and ++ skips x times that number of bytes. Thanks again to Steve Sturges. ++ ++* In "fast" output, now log only actual packet contents when UDP ++ data length is greater than actual data length. Thanks Brian ++ Caswell for spotting this, and Andrew Mullican for working on the fix. ++ ++* Please check the ChangeLog for further details. ++ ++2004-11-18 - Snort 2.3.0 RC1 Released ++ ++* Added IPS functionality from Snort-Inline. A big thanks to the ++ Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor ++ Julien). Also, Thanks Dan Roelker for doing the integrating of ++ Snort-Inline into the official Snort project. ++ ++* Added new portscan detector. The design and implementation was headed ++ up by Dan Roelker, and included Marc Norton and Jeremy Hewlett. ++ ++* Numerous changes for better 64bit Snort support from Jeremy Hewlett and ++ Marc Norton. Additionally, an --enable-64bit-gcc option was added to ++ configure. However, there are still some memory alignment issues to ++ work out before 64bit mode is fully functional, patches are welcomed. 
++ Thanks Chris Baker for doing 64bit testing. ++ ++* Added not_established keyword to the flow detection option. This allows ++ snort to do dynamic firewall rulesets. Experimental for now. ++ ++* Added an enforce_state keyword to stream4 so we won't pick up midstream ++ sessions. This works well for asynchronous links and also for ++ just monitoring legitimate traffic. ++ ++* Relocated ./contrib files to http://www.snort.org/dl/contrib as many ++ are not maintained by Sourcefire and are out of date. The rpm and ++ schema files have been relocated in their respective 'rpm' and 'schemas' ++ directories under the snort parent directory. ++ ++* perfmonitor config line can now be configured with "accumulate" or ++ "reset." Thanks Marc Norton for the feature, and Barry Basselgia for ++ pointing out the issue. Thanks Scott Dexter and Andreas Ostling for ++ doing some initial testing. ++ ++* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson ++ and Clay McClure. Thanks guys. ++ ++* Fixed reference times to match log time for first packet, for an event ++ generated by a reassembled packet. Incremented event ID to give ++ unique ID for each packet. Also made unified logging compatible with ++ Windows. Thanks Andrew Mullican for the fix. ++ ++* Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to ++ everyone that reported this bug. Thanks Dan Roelker for the fix. ++ ++* Get thresholding/suppression to work for alerts that do not ++ contain an ip header (primarily decode alerts). Thanks ++ Brian Caswell. ++ ++* Fix conditions where snort would log double web alerts that ++ contained only content options (no uricontents). Thanks to kawa for ++ finding and reporting this bug. ++ ++* Fix suppression/thresholding bug for non-rule alerts. Thanks to ++ Alex Butcher for reporting it to us. ++ ++* Many other bug fixes, please check the ChangeLog for details. 
+--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.6 +@@ -0,0 +1,114 @@ ++2007-05-09 - Snort 2.6.1.5 Released ++[*] New Additions ++ * Updated HttpInspect to normalize parameters that are part of the ++ client request body in the same way it normalizes HTTP URIs. ++ Added a modifier keyword to be used in conjunction with a content ++ option in the rules to search only the normalized HTTP client request ++ body. Also added stats for HttpInspect to track number of various ++ types of normalizations and HTTP methods. ++ ++[*] Improvements ++ * Fix header files to avoid conflicts with system files on BSD for ++ IPv6 data structures. ++ ++ * Fix possible memory leak in Stream4 when HttpInspect is being ++ used. ++ ++2007-03-26 - Snort 2.6.1.4 Released ++[*] New Additions ++ * Added detection for BSD IPv6 fragmentation overflow (CVE-2007-1365). ++ New options configure the behavior of the detection and new decoder ++ alerts for truncated IPv6 headers and a Fragmentation alert for the ++ specific overflow attack. ++ ++[*] Security Improvements ++ * Updated code to use safer functions that perform bounds checking ++ when doing string or memory copies and snprintf buffer writes. ++ Ensure null termination on string buffers and perform initialization ++ on memory allocations. ++ ++2007-02-18 - Snort 2.6.1.3 Released ++[*] Improvements ++ * Updated DCE/RPC dynamic protocol normalizer to perform additional ++ boundary checking when reassembling SMB fragments. This addresses ++ a potential remotely exploitable stack-based buffer overflow. ++ ++ * Updated Frag3 to protect against potential for fragments without ++ ethernet header being passed from iptables to Snort inline. ++ ++2006-12-07 - Snort 2.6.1.2 Released ++[*] Improvements ++ * Fixed problem with snort using high CPU and potentially reprocessing ++ the same TCP reassembled packets with a sequence number wrap and ++ packets missing from the queue (out of order, dropped, or async ++ network). 
++ ++ * Updated DCE/RPC dynamic protocol normalizer to protect against ++ integer underflow conditions. ++ ++ * Updated unified output plugin to work correctly on certain 64bit ++ platforms where timeval structure is a different size. A patch ++ to barnyard that is associated with this fix can be found at: ++ http://secure.lv/~nikns/stuff/barnyard_64bit.diff. ++ ++2006-11-22 - Snort 2.6.1.1 Released ++[*] Improvements ++ * Fixed problem with snort using high CPU and potentially reprocessing ++ the same TCP reassembled packets at session end or TCP ACK of only ++ part of a packet. ++ ++2006-11-16 - Snort 2.6.1 Released ++[*] New Additions ++ * Support for UDP "session" tracking to Stream4. Enable via ++ --enable-stream4udp option to configure script. This allows ++ the use of flow option with UDP rules. Includes tracking ++ of stats for UDP sessions. A session is created for rules that ++ use the flow or flowbits keywords. Also provided the ability to ++ ignore UDP any any -> any any rules as a performance improvement. ++ ++ * Stream5 (for Beta testing) as replacement for Stream4 ++ and Flow preprocessors. See README.stream for details. ++ ++ * Allow blocking of entire session in inline mode via stream API. ++ All subsequent packets on that session are blocked. ++ ++ * Dynamic DCE/RPC protocol normalizer and defragmentation ++ module. See README.dcerpc for details. ++ ++ * SSH (for Beta testing) protocol analyzer. See README.ssh for ++ details. ++ ++ * Support for GRE encapsulated protocol (experimental). Enable via ++ --enable-gre option to configure script. ++ ++ * Aruba networks output plugin (experimental). See README.ARUBA for ++ details. Enable via --enable-aruba option to configure script. ++ ++ * Smaller memory footprint pattern mattcher using Aho-Corasick, ++ using NFA. Use 'config detection: search-method ac-bnfa' to ++ enable. This will become the default pattern matcher in future ++ releases. Wu-Manhber has been deprecated (mwm). 
++ ++[*] Improvements ++ ++ * Added parameter to dynamicengine to allow specification of ++ directory instead of implicit file. This will load all engine shared ++ libraries within the specified directory. Can also use ++ --dynamic-engine-lib-dir command-line option. Fix handling of ++ loading multiple instances of the same dynamic library (engine, ++ detection, or preprocessor). ++ ++ * Updates to HTTP inspect to handle different versions of IIS with ++ the related iis profiles. See README.httpinspect for details. ++ ++ * Cleaned up inline initialization to better handle test mode. ++ ++ * Updates to interface dependent variable definitions. ++ ++ * Added stats for packets not yet processed -- those that are still in ++ the buffer used by pcap. ++ ++ * Fixed issue with fewer alerts being generated when snort is compiled ++ with gcc 4.x by using no-strict-aliasing flag. ++ ++ * Require each rule to have a unique sid/gid pair. +--- snort-2.9.2.orig/doc/README.database ++++ snort-2.9.2/doc/README.database +@@ -332,6 +332,9 @@ IV. Changelog + + V. Changelog of Database schema + ++2007-03-15 -- v107 ++ + ALL: Updated to include signature.sig_gid to log the generator ID ++ + 2002-09-03 -- v106 + + ALL: added sensor.last_cid to store the last used cid for a + given sid +--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.7 +@@ -0,0 +1,23 @@ ++2007-07-09 - Snort 2.7.0 ++ ++[*] New Additions ++ * Stream5 is now the default stream processor and replaces both flow ++ and Stream4. Refer to the Snort manual and README.stream5 for ++ details on how to configure it for OS target-specific TCP ++ processing. ++ ++[*] Improvements ++ * Fixed header files to avoid conflicts with system files on BSD for ++ IPv6 data structures. ++ ++ * Reduced memory footprint for smtp preprocessor. ++ ++ * Ensured Snort frees memory from preprocessors before exit. Only ++ outstanding memory in use is related to pattern matcher and ++ rules. 
++ ++[*] Security Improvements ++ * Further updates that use safer functions that perform bounds checking ++ when doing string or memory copies and snprintf buffer writes. ++ Ensure null termination on string buffers and perform initialization ++ on memory allocations. +--- /dev/null ++++ snort-2.9.2/doc/RELEASE.NOTES.2.4 +@@ -0,0 +1,138 @@ ++2006-06-05 - Snort 2.4.5 Released ++ * Fixed potential evasion in URI content buffers ++ * Fixed potential evasion in Stream4 ++ ++2006-03-08 - Snort 2.4.4 Released ++[*] Improvements ++ * Fixed ip options handling in Frag3. ++ * Fixed bug in Wu-Manbher implementation regarding multiple ++ recurring patterns. ++ * Fixed a config file parsing bug which required DNS resolution ++ in certain circumstances. ++ * Updated perfmonitor to properly handle wraps on 64 bit platforms. ++ * Fixed crash in portscan related to bogus data in sfxhash. ++ * Fixed memory leak in Frag3. ++ * Allow use of 0 as a value to -G. ++ ++2005-10-17 - Snort 2.4.3 Released ++[*] Improvements ++ * Fixed possible buffer overflow in back orifice preprocessor. ++ * Added snort.conf options to bo preprocessor for finer control of ++ alerting and dropping of bo traffic. ++ * Added alert to detect the bo buffer overflow attack against snort. ++ ++2005-09-28 - Snort 2.4.2 Released ++[*] Improvements ++ * Fixed crash bug with -T and default logging setup first reported by ++ Zultan. ++ * Corrected Win32 directory setup for new WinPCAP. ++ ++2005-09-16 - Snort 2.4.1 Released ++[*] New additions ++ * Added a -K command line option to manually select the logging mode using ++ a single switch. The -b and -N switches will be deprecated in version ++ 2.7. Pcap logging is now the default for Snort at startup, use "-K ascii" ++ to revert to old behavior. ++ ++[*] Improvements ++ * Win32 version now supports winpcap 3.1 and MySQL client 4.13. ++ * Added event on zero-length RPC fragments. ++ * Fixed TCP SACK processing for text based outputs that could result in a ++ DoS. 
++ * General improvements to frag3 including Teardrop detection fix. ++ * Fixed a bug in the PPPoE decoder. ++ * Added patch for time stats from Bill Parker. Enable with configure ++ --enable-timestats. ++ * Fixed IDS mode bailing at startup if logdir is specified in snort.conf ++ and /var/log/snort doesn't exist. ++ * Added decoder for IPEnc for OpenBSD. Thanks Jason Ish for the patch ++ (long time ago) and Chris Kuethe for reraising the issue. ++ * Allow snort to use usernames (-u) and groupnames (-g) that include ++ numbers. Thanks to Shaick for the patch. ++ * Fixed broken -T option. ++ * Change ip_proto to ip for portscan configuration. Thanks David Bianco ++ for pointing this out. ++ * Fix for prelude initialization. Thanks Yoann Vandoorselaere for the ++ update. ++ * For content matches, when subsequent rule options fail, start searching ++ again in correct location. ++ * Updated Win32 to handle pflog patch. ++ * Added support for new OpenBSD pflog format. Older pflog format, ++ OpenBSD 3.3 and earlier is still supported. Thanks Breno Leitao ++ and Christian Reis for the patch. ++ * Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml ++ for the patch. ++ ++2005-07-22 - Snort 2.4.0 Released ++ ++[*] Distribution Change ++ * Rules are no longer distributed as part of the Snort releases, they are ++ available as a separate download from snort.org. This was done for ++ three reasons: ++ 1) To better manage the new rules licensing. ++ 2) To reduce the size of the engine download. ++ 3) To move the thousands of documentation files for the rules into ++ the rules tarballs. If you've ever checked Snort out of CVS you'll ++ know why this is a Good Thing. ++ ++[*] New additions ++ * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor ++ is a target-based IP defragmentation module, and is intended as a ++ replacement for the frag2 module. Check out the README.frag3 for full ++ info on this new preprocessor. 
++ ++ * Libprelude support has been added (enable with --enable-prelude). ++ Thanks Yoann Vandoorselaere! ++ ++ * An "ftpbounce" rule detection plugin was added for easier detection of ++ FTP bounce attacks. ++ ++ * Added a new Snort config option, "ignore_ports," to ignore packets ++ based on port number. This is similar to bpf filters, but done within ++ snort.conf. ++ ++[*] Improvements ++ * Snort startup messages printed in syslog now contain a PID before each ++ entry. Thanks Sekure for initially bringing this up. ++ ++ * Stream4: Performance improvements. ++ ++ * Stream4: Added 'max_session_limit' option which limits number of ++ concurrent sessions tracked. Added favor_old/favor_new options that ++ affect order in which packets are put together for reassembly. ++ ++ * Stream4: New configuration options to manage flushpoints for improved ++ anti-evasion. The flush_behavior option selects flushpoint management ++ mode. New flush_base, flush_range, and flush_seed manage randomized ++ flushing. Check out the snort.conf file for full config data on the ++ new flush options. ++ ++ * Added two more alerts for BackOrifice client and server packets. This ++ allows specific alerts to be suppressed. ++ ++ * PerfMon preprocessor updated to include more detailed stats for rebuilt ++ packets (applayer, wire, fragmented & TCP). Also added 'atexitonly' ++ option that dumps stats at exit of snort, and command line -Z flag to ++ specify the file to which stats are logged. ++ ++ * Added new Http Inspect config item, "tab_uri_delimiter," which if ++ specified, lets a tab character (0x09) act as the delimiter for a URI. ++ ++ * Added a '-G' command line flag to snort that specifies the Snort ++ instance log identifier. It takes a single argument that can be either ++ hex (prefaced with 0x) or decimal. The unified log files will include ++ the instance ID when the -G flag is used. 
++
++ * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now
++ handled in the IP decoder. Those sids are now considered obsolete.
++
++ * Http_Inspect "flow_depth" option now accepts a -1 value which tells
++ Snort to ignore all server-side traffic.
++
++ * RPMs have been updated to be more portable, and also now include a
++ "--with inline" option for those wanting to build Inline RPMs. Thanks
++ Daniel Wittenberg and JP Vossen for your help!
++
++ * Many, many bug fixes have also gone into this release, please see the
++ ChangeLog for details.
++
diff -Nru snort-2.9.0.1/debian/patches/fix_ftbfs_in_faq.tex snort-2.9.2/debian/patches/fix_ftbfs_in_faq.tex
--- snort-2.9.0.1/debian/patches/fix_ftbfs_in_faq.tex 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/debian/patches/fix_ftbfs_in_faq.tex 2011-12-28 10:16:14.000000000 -0800
@@ -0,0 +1,33 @@
+Description: Fix FTBFS caused by html.sty being unavailable
+Author: Javier Fernandez-Sanguino Pen~a
+
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/365872
+Last-Update: 2011-12-28
+
+
+--- snort-2.9.2.orig/doc/faq.tex
++++ snort-2.9.2/doc/faq.tex
+@@ -2,7 +2,7 @@
+
+ %latex2html -info 0 -local_icons -show_section_numbers -link 2 -split +1 faq.tex
+ \documentclass{article}
+-\usepackage{html}
++\usepackage{hyperref}
+ \usepackage{graphicx}
+ \usepackage{fancyhdr}
+ \usepackage{makeidx}
+@@ -98,11 +98,11 @@ book. (route++)
+
+ \newpage
+
+-\begin{latexonly}
++%\begin{latexonly}
+ \tableofcontents
+
+ \newpage
+-\end{latexonly}
++%\end{latexonly}
+
+ \section{Background}
+
@@ -0,0 +1,48 @@
+Description: Fix FTBFS in manual.tex caused by missing html.sty
+Author: Michael Bienia
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/436244
+Last-Update: 2011-11-28
+
+--- snort-2.9.2.orig/doc/snort_manual.tex
++++ snort-2.9.2/doc/snort_manual.tex
+@@ -16,7 +16,7 @@
+ %\IfFileExists{url.sty}{\usepackage{url}}
+ % {\newcommand{\url}{\texttt}}
+
+-\usepackage{html}
++\usepackage{hyperref}
+
+ % \makeatletter
+
+@@ -71,18 +71,18 @@
+ }
+ %\end{latexonly}
+
+-\begin{htmlonly}
+-\newenvironment{note}{
+- \begin{rawhtml}
+-

+- Note:   +- \end{rawhtml} +-}{ +- \begin{rawhtml} +-

+- \end{rawhtml}
+-}
+-\end{htmlonly}
++%\begin{htmlonly}
++%\newenvironment{note}{
++% \begin{rawhtml}
++%

++% Note:   ++% \end{rawhtml} ++%}{ ++% \begin{rawhtml} ++%

++% \end{rawhtml}
++%}
++%\end{htmlonly}
+
+ \usepackage{babel}
+
diff -Nru snort-2.9.0.1/debian/patches/fix_upstream_typos snort-2.9.2/debian/patches/fix_upstream_typos
--- snort-2.9.0.1/debian/patches/fix_upstream_typos 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/debian/patches/fix_upstream_typos 2011-12-27 14:38:13.000000000 -0800
@@ -0,0 +1,22 @@
+--- a/src/dynamic-preprocessors/dns/spp_dns.c
++++ b/src/dynamic-preprocessors/dns/spp_dns.c
+@@ -279,7 +279,7 @@
+ if (( !cur_tokenp ) || ( strcmp(cur_tokenp, "{" )))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Bad value specified for %s. Must start "
+- "with '{' and be space seperated.\n",
++ "with '{' and be space separated.\n",
+ *(_dpd.config_file), *(_dpd.config_line),
+ DNS_PORTS_KEYWORD);
+ //free(argcpyp);
+--- a/src/parser.c
++++ b/src/parser.c
+@@ -4828,7 +4828,7 @@
+
+ if(filespec == NULL)
+ {
+- FatalError("no arguement in this file option, remove extra ':' at the end of the alert option\n");
++ FatalError("no argument in this file option, remove extra ':' at the end of the alert option\n");
+ }
+
+ /* look for ".." in the string and complain and exit if it is found */
diff -Nru snort-2.9.0.1/debian/patches/rules snort-2.9.2/debian/patches/rules
--- snort-2.9.0.1/debian/patches/rules 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/debian/patches/rules 2011-12-28 10:20:49.000000000 -0800
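Review bot: The new patch file `fix_upstream_typos` has no DEP-3 header, unlike the sibling patches `fix_ftbfs_in_faq.tex` and `fix_ftbfs_in_manual.tex` added by the same commit, which open with `Description:`, `Author:`, `Origin:` and `Last-Update:` fields; here the first line is already the `--- a/src/dynamic-preprocessors/dns/spp_dns.c` file header. Both inner hunks only correct spelling inside fatal-error messages (`seperated` → `separated` in spp_dns.c, `arguement` → `argument` in parser.c), leaving the `%s(%d)`/`%s` conversions and the argument lists untouched, so the change is safe but is exactly the kind that should be sent upstream and recorded as such. Suggested header to prepend: `Description: Fix spelling in two fatal-error messages`, `Forwarded: no` (or the upstream report, if one was filed), `Last-Update: <date>`. The enclosing functions in both C files start and end outside the quoted hunks.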
@@ -0,0 +1,12610 @@
+Description: Additional community rules
+Origin: other
+Last-Update: 2011-11-28
+
+--- /dev/null
++++ b/rules/community-web-dos.rules
+@@ -0,0 +1,5 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $
++
+--- /dev/null
++++ b/rules/pop2.rules
+@@ -0,0 +1,26 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++# ++# ++# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++#-------------- ++# POP2 RULES ++#-------------- ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;) +--- /dev/null ++++ b/rules/backdoor.rules +@@ -0,0 +1,119 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. 
All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: backdoor.rules,v 1.44.2.6.2.3 2005/05/31 17:13:02 mwatchinski Exp $ ++#--------------- ++# BACKDOOR RULES ++#--------------- ++# ++ ++alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;) ++alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;) ++ ++ ++alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;) ++ ++alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;) ++ ++# 3150, 4120 ++alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; 
reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3;) ++alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;) ++alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3;) ++ ++ ++alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;) ++alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;) ++ ++ ++alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;) ++alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; 
reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;) ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;) ++ ++ ++alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;) ++alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;) ++alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8;) ++alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:121; rev:8;) ++ ++alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;) ++ ++alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;) ++alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; 
classtype:misc-activity; sid:146; rev:5;) ++alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;) ++alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;) ++alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;) ++alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;) ++alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;) ++# alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:6;) ++alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;) ++alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;) ++alert tcp 
$HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9;) ++alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;) ++alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;) ++ ++ ++alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; 
classtype:attempted-admin; sid:214; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;) ++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;) ++alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8;) ++alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;) ++ ++ ++# NOTES: this string should be within the first 3 bytes of the connection ++alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; 
depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;) ++alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:mcafee,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11;) ++alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane 
Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3;)
++alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1;)
++alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; classtype:misc-activity; sid:3014; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; classtype:misc-activity; sid:3013; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:3063; rev:2;)
++alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:3064; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; content:"getclient"; depth:9; flowbits:isset,backdoor.y3krat_15.connect; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; classtype:misc-activity; sid:3082; rev:1;)
++alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; classtype:misc-activity; sid:3081; rev:1;)
++alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; content:"client"; depth:6; flowbits:isset, backdoor.y3krat_15.client.response; classtype:misc-activity; sid:3083; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;)
+--- /dev/null
++++ b/rules/telnet.rules
+@@ -0,0 +1,42 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $
++#-------------
++# TELNET RULES
++#-------------
++#
++# These signatures are based on various telnet exploits and unpassword
++# protected accounts.
++#
++
++
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
++alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;)
+--- /dev/null
++++ b/rules/experimental.rules
+@@ -0,0 +1,27 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: experimental.rules,v 1.78.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
++# ---------------
++# EXPERIMENTAL RULES
++# ---------------
++# These signatures are experimental, new and may trigger way too often.
++#
++# Be forwarned, this is our testing ground. We put new signatures here for
++# testing before incorporating them into the default signature set. This is
++# for bleeding edge stuff only.
++#
+--- /dev/null
++++ b/rules/web-php.rules
+@@ -0,0 +1,162 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $
++#--------------
++# WEB-PHP RULES
++#--------------
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635;
classtype:web-application-activity; sid:1745; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;) ++ ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:" $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; 
uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
++alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established;
uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; 
content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;) 
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;)
+--- /dev/null
++++ b/rules/web-coldfusion.rules
+@@ -0,0 +1,58 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++# ++# ++# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++#--------------------- ++# WEB-COLDFUSION RULES ++#--------------------- ++# ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 
29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; 
flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
+--- /dev/null
++++ b/rules/community-web-iis.rules
+@@ -0,0 +1,10 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
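Review bot: Several msg strings in the new web-coldfusion.rules carry typos that will be emitted verbatim in every alert and complicate correlation on the SIEM side: sid:936 has a trailing space inside the quotes (`msg:"WEB-COLDFUSION gettempdirectory.cfm access "`), sid:919 is missing a space (`msg:"WEB-COLDFUSION datasource passwordattempt"`), and sid:923's `getodbcin` does not match the `CFUSION_GETODBCINI` string it detects. Each fix needs a rev bump on that rule, e.g. `msg:"WEB-COLDFUSION datasource password attempt"; ... sid:919; rev:8;`. sid:1540 is also appended after sid:1659 at the end of the file while the rest of the file is in sid order, which presumably is just where it was pasted; moving it between sid:936 and sid:1659 keeps the file greppable by sid.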
++# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
++
++#Rules submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
+--- /dev/null
++++ b/rules/community-mail-client.rules
+@@ -0,0 +1,4 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-mail-client.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
+--- /dev/null
++++ b/rules/deleted.rules
+@@ -0,0 +1,451 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc.
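Review bot: The pcre on sid:100000173 in community-web-iis.rules, `/\x3fRedirect\x3f[^\s]{100,}/smi`, uses `\x3f` (a literal `?`) on both sides of `Redirect`, so it only fires on a URI of the form `?Redirect?...`; if the intent is to match an over-long value of a `Redirect` query parameter, the second escape was presumably meant to be `\x3d` (`=`), and as written the rule is likely to never trigger. The rule also carries no reference, although its sibling sid:100000174 cites cve,2005-1118 and bugtraq,13168 for the same `/WebID/IISWebAgentIF.dll` path, and its msg says "Overflow attempt" while its classtype is web-application-activity rather than the web-application-attack the other overflow rules in this patch use. Finally, all four rules in this file are written against `$HOME_NET` where the neighbouring web rule files use `$HTTP_SERVERS`, which widens the match to every internal host on `$HTTP_PORTS`; that may be deliberate for community rules but is worth a comment.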
(the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $ ++#------------- ++# DELETED RULES ++#------------- ++# These signatures have been deleted for various reasons, but we are keeping ++# them here for historical purposes. 
++ ++# Duplicate to 332 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;) ++ ++# Duplicate of 512 ++alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;) ++ ++# Duplicate of 514 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;) ++ ++# Duplicate of 557 ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;) ++ ++# Duplicate of 559 ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;) ++ ++# Duplicate of 844 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;) ++ ++# Yeah, so the one site that was vulnerable to edit.pl aint no more. 
++# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;) ++ ++# duplicate of 987 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;) ++ ++# webmasters suck, so this happens ever so often. Its really not that bad, ++# so lets disable it. ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;) ++ ++# dup of 1660 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;) ++ ++# dup ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;) ++ ++ ++# Falses WAAAYYY too often. 
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;) ++ ++# Replaced with 1801,1802,1803,1804 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;) ++ ++# duplicate of sid:1673 ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;) ++ ++# Port based only sigs suck, this is why stream4 has flow logs ++alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;) ++ ++# basically duplicate of 330 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;) ++ ++# duplicate of 1478 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;) ++ ++# duplicate of 1248 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;) ++ ++# duplicate of 1249 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad 
overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;) ++ ++# duplicate of 1755 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;) ++ ++# duplicate of 1538 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;) ++ ++# This rule looks for the exploit for w3-msql, but very badly ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;) ++ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;) ++ ++ ++# duplicate of 109 ++alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;) ++ ++# duplicate of 110 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; 
classtype:misc-activity; sid:111; rev:5;) ++ ++ ++# we have a backorifice preprocessor ++alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;) ++ ++# we have a backorifice preprocessor ++alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;) ++ ++ ++ ++alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze 
Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; 
content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; 
sid:132; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;) ++alert 
udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;) ++alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;) ++alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title 
Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; 
classtype:misc-activity; sid:202; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;) ++alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;) ++alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;) ++ ++# The following ftp rules look for specific exploits, which are not needed now ++# that initial protocol decoding is available. 
++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; 
content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;) ++ ++# duplicate of 475 ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;) ++ ++ ++# not needed 
thanks to 1964 and 1965 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;) ++ ++# dup of 589 ++alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;) ++# dup of 1275 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;) ++ ++# dup of 1280 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;) ++ ++# dup of 1281 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;) ++ ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;) ++ ++# this has been replaced with sid 1905 and 1906 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; 
content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;) ++ ++# these have been replaced by 1915, 1916, 1914, and 1913 ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;) ++alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;) ++ ++# duplicate of 1088 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;) ++ ++ ++# these are obsolete ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 
89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;) ++ ++# what is this rule? we have no idea... ++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;) ++ ++# These have been replaced by better rules (1915,1916,1913,1914) ++alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;) ++ ++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;) ++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;) ++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;) ++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; 
sid:1886; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;) ++ ++# specific example for sid:1549 ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;) ++ ++# this is properly caught by sid:527 ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;) ++ ++# duplicate of 1546 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;) ++ ++# these are obsoleted by cleaning up 663 ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;) ++ ++# dup of 588 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; 
reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;) ++# dup of 1274 ++alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;) ++ ++# these virus rules suck. ++alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... 
Hey you !"; classtype:misc-activity; sid:727; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;) ++alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;) ++alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;) ++alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market 
share tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible 
NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; 
rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; 
content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; 
content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;) ++alert tcp any 110 -> any 
any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;) ++alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;) ++alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;) ++# pcre makes this not needed ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 
25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;) ++ ++# historical reference... this used to be here... ++alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;) ++ ++# taken care of by http_inspect now ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;) ++ ++# better rule for 1054 caused these rules to not be needed ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;) ++ ++# these rules are dumb. 
sid:857 looks for the access, and thats all we can do ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;) ++ ++# dup of 2061 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;) ++ ++ ++ ++# squash all of the virus rules into one rule. go PCRE! ++alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; 
classtype:suspicious-filename-detect; sid:2161; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; 
within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;) ++alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; 
content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;) ++ ++# uh, yeah this happens quite a bit. ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;) ++ ++# dup of 1485 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;) ++ ++# dup of 2339 ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;) ++ ++# these happen. more research = more better rules ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; 
classtype:attempted-dos; reference:nessus,12204; sid:2499; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;) ++ ++ ++#nmap is no longer as dumb as it once was... ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;) ++ ++# dup of 553 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;) ++ ++# dup of 2417, which is a better rule anyways ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; sid:1530; rev:12;) ++ ++# ans1 goodness takes care of this one for us ++alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; 
reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;) ++ ++ ++# because this rule sucks ++alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:9;) ++ ++ ++# http inspect does a better job than these rules do ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; 
content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;) ++ ++# dup of 1672 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:7;) ++ ++# dup of 1229 ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... 
attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:3;) ++ ++# dup of 1757 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; reference:bugtraq,4673; reference:cve,2002-0734; sid:1758; rev:6;) ++ ++# dup of 653 ++alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:2;) ++ ++# converted to a dup by 1437 moving to regex ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:7;) ++ ++# handled by 1212 ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;) ++ +--- /dev/null ++++ b/rules/ddos.rules +@@ -0,0 +1,66 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. 
All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
++#-----------
++# DDOS RULES
++#-----------
++
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
++
++
++alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
++# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138;
classtype:attempted-dos; sid:241; rev:10;)
++
++
++
++
++alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
++alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
++
++
++
++alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138;
classtype:attempted-dos; sid:245; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
++alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;)
++alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
++
++
++alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
++alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
++alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
++alert icmp $EXTERNAL_NET any ->
$HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;) ++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;) ++alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;) ++alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;) ++alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;) +--- /dev/null ++++ b/rules/community-misc.rules +@@ -0,0 +1,48 @@ ++# Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. 
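Review bot: sid:249 (`flags:S,12; flow:stateless;` with no content match) fires on every SYN to port 15104, and sids 247, 248 and 250 match the single byte `>`, so these four mstream rules will alert on any ordinary traffic that happens to land on ports 12754/15104; a rate limit such as `threshold: type limit, track by_src, count 1, seconds 60;` on each would keep them from flooding the console while still reporting the first hit. sid:235 is tagged `classtype:bad-unknown;` while its sibling default-password rules 233 and 234 use `classtype:attempted-dos;`, which reads as an oversight rather than a deliberate distinction. The commented-out sid:241 synflood rule carries no note saying why it is disabled; a one-line comment above it such as `# disabled: <reason>` would stop the next editor from re-enabling it blindly.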
++# $Id: community-misc.rules,v 1.25 2007/03/05 15:22:49 akirk Exp $ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY MISC Sentinel License Manager overflow attempt"; dsize:>1000; reference:cve,CAN-2005-0353; reference:bugtraq,12742; classtype:attempted-user; sid:100000125; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 2380 (msg:"COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt"; flow:to_server,established; pcre:"/[^\r\n]{1000,}/i"; reference:cve,2005-0768; reference:url,unsecure.altervista.org/security/goodtechtelnet.htm; classtype:attempted-dos; sid:100000126; rev:1;) ++#Rule submitted by rmkml ++alert tcp any any -> any !139 (msg:"COMMUNITY MISC BAD-SSL tcp detect"; flow:stateless; content:"|00 0E|"; depth:4; offset:0; classtype:misc-activity; sid:100000137; rev:1;) ++#Rules submitted by Thierry Chich ++alert tcp any any -> any any (msg:"COMMUNITY MISC streaming RTSP - realplayer"; flow:established; content:"PLAY rtsp|3A 2F 2F|"; depth: 12; classtype:policy-violation; reference:url,www.rtsp.org; sid:100000189; rev:2;) ++alert tcp any any -> any any (msg:"COMMUNITY MISC streaming Windows Mediaplayer"; flow:established; content:"|01 00 00 00 ce fa 0b b0|"; depth: 8; content:"MMS"; distance:4; within:4; classtype:policy-violation; reference:url,www.microsoft.com; sid:100000190; rev:2;) ++#alert udp $EXTERNAL_NET 1023: -> $HOME_NET 123 (msg:"COMMUNITY MISC Ntp fingerprint detect"; dsize:48; content:"|BE 78 2F 1D 19 BA 00 00|"; reference:url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1; classtype:attempted-dos; sid:100000198; rev:1;) ++#Rule submitted by rmkml ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 (msg:"COMMUNITY MISC Novell eDirectory iMonitor access"; flow:to_server,established; uricontent:"/nds/"; nocase; reference:bugtraq,14548; reference:cve,2005-2551; reference:nessus,19248; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18703; classtype:web-application-attack; sid:100000199; 
rev:1;) ++#Rule submitted jointly by Romain Chartier, Sylvain Sarmejeanne, and Pierre Lalet ++alert udp any any -> any 53 (msg:"COMMUNITY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;) ++#Rules submitted by Crusoe Researches Team ++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"COMMUNITY MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"COMMUNITY MISC SNMP trap Format String detected"; content:"%s"; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:1;) ++#Rule submitted by Nigel Houghton ++alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"COMMUNITY MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:2;) ++ ++#Jabber/Google Talk traffic from the client submitted by Steven Alexander ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Logon"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outoing Message"; 
flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Log Out"; flow:to_server,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Logon Success"; flow:to_client,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Incoming Message"; flow:to_client,established; content:" $HOME_NET 1364 (msg:"COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials"; flow:stateless; content:"SVTM056I"; nocase; classtype:bad-unknown; sid:100000281; rev:2;) ++ ++# TOR Rules by Dan Ramaswami ++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY MISC DLR-TOR Directory server response"; flow:established,to_client; content:"|54 4f 52|"; offset:109; depth:3; content:"|06 03 55 04 03|"; distance:4; within:5; content:"|20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:2; within:30; reference:url,tor.eff.org; classtype:policy-violation; sid:100000874; rev:2;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY MISC DLR-TOR Client Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|06 03 55 04 03 14|"; distance:4; within:6; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:1; within:17; classtype:policy-violation; reference:url,tor.eff.org; sid:100000875; rev:1;) ++ ++# Additional GoogleTalk Rules by Will Young ++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY MISC Google Talk Version Check"; flow: established,to_server; uricontent:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype: policy-violation; sid:100000876; rev:1;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; classtype:policy-violation; threshold: type limit, track by_src, count 1, seconds 300; sid:100000877; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 
Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;) ++ ++# Rule submitted by dprotich@sagonet.com ++alert udp $EXTERNAL_NET any <> $HOME_NET 1025:1026 (msg:"COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry"; content:"FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"; classtype:misc-activity; reference:url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx; sid:100000927; rev:1;) +--- /dev/null ++++ b/rules/chat.rules +@@ -0,0 +1,63 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
++# ++# ++# $Id: chat.rules,v 1.25.2.2.2.4 2005/07/22 19:19:54 mwatchinski Exp $ ++#------------- ++# CHAT RULES ++#------------- ++# These signatures look for people using various types of chat programs (for ++# example: AIM, ICQ, and IRC) which may be against corporate policy ++ ++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;) ++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;) ++ ++alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:6;) ++alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:1988; rev:5;) ++alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; 
depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1991; rev:2;) ++ ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:542; rev:11;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;) ++alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;) ++alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;) ++ ++alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; 
sid:1631; rev:8;) ++alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;) ++alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;) ++ ++ ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;) ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;) ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;) ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;) ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; 
content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;) ++alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;) ++ ++alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:" $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;) +--- /dev/null ++++ b/rules/community-web-attacks.rules +@@ -0,0 +1,10 @@ ++# Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. 
++# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established;
uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)
+--- /dev/null
++++ b/rules/web-frontpage.rules
+@@ -0,0 +1,58 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++# ++# ++# $Id: web-frontpage.rules,v 1.32.2.2.2.2 2005/06/29 15:35:05 mwatchinski Exp $ ++#-------------------- ++# WEB-FRONTPAGE RULES ++#-------------------- ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx; classtype:web-application-activity; sid:939; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; classtype:web-application-activity; sid:940; rev:15;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;) ++alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;) ++alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:13;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; 
flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)
++
+--- /dev/null
++++ b/rules/community-exploit.rules
+@@ -0,0 +1,11 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $
++
++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;)
++#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928;
rev:1;)
+--- /dev/null
++++ b/rules/community-smtp.rules
+@@ -0,0 +1,14 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-smtp.rules,v 1.9 2006/07/14 13:36:01 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
++#Rule submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Gnu Mailman utf8 attachement access"; flow:to_server,established; content:"Content-Disposition|3A 20|attachement"; nocase; content:"filename|2A 3D|utf|2D|8"; nocase; content:"Content-Transfer-Encoding|3A 20|base64"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20819; classtype:attempted-dos; sid:100000191; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; nocase; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; sid:100000219; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; sid:100000224; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server, established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=\s*.*\x2ewab/smi"; reference:cve,2006-0014;
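Review bot: The flowbit `community_uri.size.1050` set by sid 100000100 has no enabled consumer in this hunk: the only rule that checks it with `flowbits:isset`, sid 100000101, is commented out, so the setter evaluates `pcre:"/.{1050,}/U"` against every outbound HTTP request and, because of `flowbits:noalert`, never produces an alert. Unless a consumer lives in another rules file, either re-enable sid 100000101 or comment out the setter alongside it so the cost is not paid for nothing. The same rule also departs from the spacing used everywhere else in these files (`reference: bugtraq,10947` and `sid: 100000100`, and `reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin` in sid 100000928); normalising to `reference:bugtraq,10947; classtype:attempted-user; sid:100000100;` keeps the files consistent for tooling that parses them.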
reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx; classtype:suspicious-filename-detect; sid:100000279; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi"; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:100000301; rev:1;)
++# Enable only if SMTP_SERVERS is not any
++# alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html; classtype:misc-attack; sid:100000689; rev:1;)
+--- /dev/null
++++ b/rules/VRT-License.txt
+@@ -0,0 +1,326 @@
++ SOURCEFIRE, INC.
++ VRT CERTIFIED RULES LICENSE AGREEMENT
++ VERSION 1.1
++
++THE VRT CERTIFIED RULES ARE LICENSED TO YOU BY SOURCEFIRE, INC.
++("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE
++AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "ACCEPT" BUTTON BELOW, OR
++BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE
++BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND
++CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO
++NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES.
++
++1. Definitions.
++
++ 1.1. "Commercial Purpose" means the use, reproduction or distribution of
++ (i) the VRT Certified Rules or any Modification, or any portion of the
++ foregoing, or (ii) a Compilation that includes, in whole or in part, the
++ VRT Certified Rules or any Modification that in either case is intended
++ to result in a direct or indirect pecuniary gain or any other
++ consideration or economic benefit to any person or entity involved in
++ such use, reproduction or distribution.
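Review bot: The match string `content:"Content-Disposition|3A 20|attachement"` in sid 100000191 misspells the MIME disposition token; mail clients emit `Content-Disposition: attachment`, so as written this rule would presumably never fire against the traffic it is meant to catch unless the misspelled variant was deliberately chosen. The fix is `content:"Content-Disposition|3A 20|attachment";`, and the `msg` text could be corrected at the same time. Separately, sid 100000279 writes `flow:to_server, established;` with a space inside the option list while every other rule in this hunk writes `flow:to_server,established;`; normalising it removes any dependence on how leniently the option parser treats that whitespace.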
Examples of a Commercial ++ Purpose, include without limitation, (v) integrating the VRT Certified ++ Rules with other software or hardware for sale, (w) licensing the VRT ++ Certified Rules for a fee, (x) using the VRT Certified Rules to provide ++ a service to a third party, (y) selling the VRT Certified Rules, or (z) ++ distributing the VRT Certified Rules for use with other products or ++ other services. ++ ++ 1.2. "Compilation" means a work which combines the VRT Certified Rules ++ or any Modification or portions thereof with any services, programs, ++ code or other products not governed by the terms of this Agreement. ++ ++ 1.3. "Improvements" shall mean a Modification to a VRT Certified Rule ++ (or to a modified VRT Certified Rule) that corrects a bug, defect, or ++ error in such rule without affecting the overall functionality of such ++ VRT Certified Rule (or Modification thereof). ++ ++ 1.4. "Modifications" means any alteration, addition to or deletion from ++ the substance or structure of the VRT Certified Rules or any ++ Modifications of such, including, without limitation, ++ ++ (a) any addition to or deletion from the contents of a file ++ containing a VRT Certified Rule or a Modification; ++ (b) any derivative of the VRT Certified Rule or of any Modification; ++ or ++ (c) any new file that contains any part of the VRT Certified Rule or ++ Modifications. ++ ++ 1.5. "Permitted Use" shall have the meaning given such term in Section 2.1. ++ ++ 1.6. "Restricted Activities" shall have the meaning given such term in ++ Section 2.1. ++ ++ 1.7. "Snort(r) Registered User" shall mean an individual who has ++ registered or subscribed on www.snort.org to use the VRT Certified Rules. ++ ++ 1.8. "VRT Certified Rules" means those Snort(r) rules (in text form, ++ source code form, object code form and all documentation related ++ thereto) that have been created, developed, tested and officially ++ approved by Sourcefire. 
These rules are designated with SIDs of 3465 - ++ 1,000,000, except as otherwise noted in the license file. ++ ++ 1.9. "You" (or "your") means an individual exercising rights under this ++ Agreement. For legal entities, "you'' includes any entity which ++ controls, is controlled by, or is under common control with you or any ++ such entity you are acting on behalf of. For purposes of this ++ definition, "control'' means (a) the power, direct or indirect, to cause ++ the direction or management of such entity, whether by contract or ++ otherwise, or (b) ownership of more than forty percent (40%) of the ++ outstanding shares or beneficial ownership of such entity. ++ ++2. Sourcefire License Grant. ++ ++ 2.1. Grant of License; Permitted Use. Subject to the terms and ++ conditions of this Agreement, Sourcefire hereby grants you a world-wide, ++ non-exclusive license to do any of the following with respect to the VRT ++ Certified Rules: ++ ++ (a) use and deploy the VRT Certified Rules on management consoles and ++ sensors that you manage (over which you have administrative control); ++ ++ (b) use and deploy the VRT Certified Rules on behalf of your employer ++ on its internal management consoles and sensors (e.g., where a valid ++ employer-employee relationship exists between you and a legal entity); ++ ++ (c) modify the VRT Certified Rules and use those Modifications ++ consistent with paragraphs (a) and (b) above; ++ ++ (d) distribute those VRT Certified Rules and any Modifications ++ generally available to Snort(r) Registered Users on a limited basis ++ to other Snort(r) Registered Users; ++ ++ (e) distribute any Improvement generally available to Snort(r) ++ Registered Users on mailing lists commonly used by the Snort(r) user ++ community as a whole; ++ ++ (f) reproduce the VRT Certified Rules as strictly necessary in ++ exercising your rights under this Section 2.1; and ++ ++ (g) Make the VRT Certified Rules (or any Modification) available to ++ your or your 
employer's consultants, agents and subcontractors for
++ the limited purpose of exercising your rights under this Section 2.1
++ provided that such use is in compliance with this Agreement.
++
++ Paragraphs (a) though (g) of this Section 2.1 are collectively referred
++ to as the "Permitted Uses". All rights not granted under this Agreement
++ are reserved by Sourcefire.
++
++ 2.2. Limitations on License; Restricted Activities. You recognize and
++ agree that the VRT Certified Rules are the property of Sourcefire,
++ contain valuable assets and proprietary information and property of
++ Sourcefire, and are provided to you under the terms and conditions of
++ this Agreement. Notwithstanding anything to the contrary in this
++ Agreement, You agree that you shall NOT do any of the following without
++ Sourcefire's prior written consent:
++
++ (a) use, deploy, perform, modify, license, display, reproduce or
++ distribute the VRT Certified Rules or Modifications (even if merged
++ with other materials as a Compilation) other than as allowed under a
++ Permitted Use;
++
++ (b) sell, license, transfer, rent, loan, use, modify, reproduce or
++ disclose the VRT Certified Rules or any Modifications (in whole or in
++ part and whether done independently or as part of a Compilation) for
++ a Commercial Purpose;
++
++ (c) post or make generally available any VRT Certified Rule (in whole
++ or in part or any Modifications thereto) to individuals or a group of
++ individuals who have not agreed to the terms and conditions of this
++ Agreement, provided, however, that nothing in this Section 2.2(c)
++ shall preclude the Permitted Use in Section 2.1(e);
++
++ (d) share any user authentication information and/or password
++ provided to you by Sourcefire with any third party to allow such
++ party access your snort.org account or to otherwise access the VRT
++ Certified Rules;
++
++ (e) alter or remove any copyright notice or proprietary legend
++ contained in or on the VRT Certified
Rules.
++
++ Paragraphs (a) though (e) of this Section 2.2 are collectively referred
++ to as the "Restricted Activities").
++
++ 2.3. Reproduction Obligations. You agree that any embodiment of the VRT
++ Certified Rules permitted under this Agreement will contain the notices
++ set forth in Exhibit A. In addition, to the extent you make any copies
++ of or distribute the VRT Certified Rules or any Modifications under this
++ Agreement, you agree to ensure that any and all such copies shall contain:
++
++ (a) a copy of an appropriate copyright notice and all other
++ applicable proprietary legends;
++
++ (b) a disclaimer of any warranty consistent with this Agreement; and
++
++ (c) any and all notices referencing this Agreement and absence of warranties.
++
++3. Modifications; Derivative Works. In the event you create a
++Modification, the use, reproduction and distribution of such
++Modifications shall be governed by the terms and conditions of this
++Agreement. Additionally, you hereby grant Sourcefire and any other
++licensee of the VRT Certified Rules an irrevocable, perpetual, fully
++paid-up, world-wide, royalty-free, non-exclusive license to use,
++reproduce, modify, display, perform and distribute such Modifications
++(and the source code thereto), provided, however, that you and any
++recipient of such Modifications must include:
++
++ (a) the original copyright notice and all other applicable
++ proprietary legends;
++
++ (b) the original warranty disclaimer;
++
++ (c) the original notices referencing this Agreement and absence of
++ warranties; and
++
++ (d) a prominent notice stating that you changed the VRT Certified
++ Rule (or any Modification thereto) and the date of any change.
++
++4. Distribution Obligations.
++
++ 4.1. General.
The source code version of the VRT Certified Rules (or
++ any Modification thereof) may be distributed only under the terms of
++ this Agreement, and you must include a copy of this Agreement with every
++ copy of the VRT Certified Rules you distribute.
++
++ 4.2. Required Notices. You must duplicate the notice in Exhibit A in
++ each file of the source code. If it is not possible to put such notice
++ in a particular source code file due to its structure, then you must
++ include such notice in a location (such as a relevant directory) where a
++ user would be likely to look for such a notice. If you created one or
++ more Modification(s) you may add your name as a contributor to the
++ notice described in Exhibit A. You must also duplicate this Agreement in
++ any documentation for the source code where you describe recipients'
++ rights or ownership rights relating to the VRT Certified Rules. To the
++ extent you offer additional warranty, support, indemnity or liability
++ obligations, you may do so only on your own behalf, and not on behalf of
++ Sourcefire. You must make it absolutely clear that any such warranty,
++ support, indemnity or liability obligation is offered by you alone, and
++ you hereby agree to indemnify and hold Sourcefire harmless for any
++ liability incurred by Sourcefire as a result of any warranty, support,
++ indemnity or liability terms you offer.
++
++5. Inability to Comply Due to Statute or Regulation. If it is
++impossible for you to comply with any of the terms of this Agreement
++with respect to some or all of the VRT Certified Rules due to statute,
++judicial order, or regulation then you must: (a) comply with the terms
++of this Agreement to the maximum extent possible; and (b) describe the
++limitations and the code they affect. Such description must be included
++with all distributions of the source code.
Except to the extent
++prohibited by statute or regulation, such description must be
++sufficiently detailed for a recipient of ordinary skill to be able to
++understand it.
++
++6. Application of this Agreement. This Agreement also applies to code
++to which Sourcefire has attached the notice in Exhibit A and to related
++Modifications created under Section 3.
++
++7. Versions of the Agreement.
++
++ 7.1. New Versions. Sourcefire may publish revised and/or new versions
++ of the Agreement from time to time. Each version will be given a
++ distinguishing version number.
++
++ 7.2. Effect of New Versions. Once a VRT Certified Rule has been
++ published under a particular version of the Agreement, you may always
++ continue to use it under the terms of that version. You may also choose
++ to use such VRT Certified Rule under the terms of any subsequent version
++ of the Agreement published by Sourcefire. No one other than Sourcefire
++ has the right to modify the terms applicable to a VRT Certified Rule.
++
++8. DISCLAIMER OF WARRANTY. THE VRT CERTIFIED RULES AND MODIFICATIONS IS
++ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY
++OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION,
++WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF
++DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
++THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED
++RULES AND MODIFICATIONS IS WITH YOU. SHOULD THE VRT CERTIFIED RULES OR
++MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE)
++ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS
++DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT.
++NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED
++HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
++
++9. Termination.
This Agreement and the rights granted hereunder will
++terminate automatically if you fail to comply with any or all of the
++terms herein and fail to cure such breach within 30 days of becoming
++aware of the breach. All sublicenses to the VRT Certified Rules, which
++are properly granted, shall survive any termination of this Agreement.
++Provisions which, by their nature, must remain in effect beyond the
++termination of this Agreement shall survive.
++
++10. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
++THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
++SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT,
++SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
++INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
++STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR
++MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY
++SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
++LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW
++PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE
++EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
++EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
++
++11. Audit Rights. You will, from time to time and as requested by
++Sourcefire, provide assurances to Sourcefire that you are using the VRT
++Certified Rules consistent with a Permitted Use, and you grant
++Sourcefire access, at reasonable times and in a reasonable manner, to
++the VRT Certified Rules in your possession or control, and to your
++books, records and facilities to permit Sourcefire to verify appropriate
++use of the VRT Certified Rules and compliance with this Agreement.
++Sourcefire's non-exercise of this right, or its failure to discover or
++object to any inappropriate use or other breach of this Agreement by
++you, shall not constitute its consent thereto or waiver of Sourcefire's
++rights hereunder or under law. In the event your use of the VRT
++Certified Rules is not in compliance with a Permitted Use, or if you
++otherwise violate the terms of this Agreement, Sourcefire may, since
++remedies at law may be inadequate, in addition to its other remedies:
++(a) demand return of the VRT Certified Rules; (b) forbid and enjoin your
++further use of the VRT Certified Rules; (c) assess you the cost of
++Sourcefire's inspection and enforcement efforts (including attorney
++fees); and/or (d) assess you a use fee appropriate to your actual use of
++the VRT Certified Rules.
++
++12. United States Government Users. If the VRT Certified Rules or
++Modifications are being acquired by or on behalf of the U.S. Government
++or by a U.S. Government prime contractor or subcontractor (at any tier),
++then the Government's rights in the VRT Certified Rules and
++Modifications shall be subject to Sourcefire's standard commercial terms
++and only as set forth in this Agreement; and only with "Limited Rights"
++and "Restricted Rights" as defined the federal regulations if the
++commercial terms are deemed not to apply..
++
++13. Miscellaneous. This Agreement represents the complete agreement
++concerning subject matter hereof. If any provision of this Agreement is
++held to be unenforceable, such provision shall be reformed only to the
++extent necessary to make it enforceable. This Agreement shall be
++governed by Maryland law provisions (except to the extent applicable
++law, if any, provides otherwise), excluding its conflict-of-law
++provisions.
Any litigation relating to this Agreement shall be subject
++to the jurisdiction of the state and Federal Courts serving Greenbelt,
++Maryland, with the losing party responsible for costs, including without
++limitation, court costs and reasonable attorneys' fees and expenses.
++You hereby submit to jurisdiction and venue in such courts. The
++application of the United Nations Convention on Contracts for the
++International Sale of Goods is expressly excluded. Any law or regulation
++which provides that the language of a contract shall be construed
++against the drafter shall not apply to this Agreement. Headings and
++section references are used for reference only and shall not be used
++define, limit or describe such section.
++
++EXHIBIT A - VRT Certified Rules License Agreement
++The contents of this file are subject to the VRT Certified Rules License
++Agreement 1.1 (the "Agreement"). You may not use this file except in
++compliance with the Agreement. You may obtain a copy of the Agreement
++at www.snort.org.
++Software distributed under the Agreement is distributed on an "AS IS"
++basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
++Agreement for the specific language governing rights and limitations
++under the Agreement.
++The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware
++corporation.
++Contributor:
++2005(c) Sourcefire, Inc. All Rights Reserved. Snort(r), Sourcefire(tm),
++the Snort(r) logo and the Sourcefire logo are trademarks of Sourcefire.
++
++Note: A printer friendly version of this Agreement is available in PDF format.
+--- /dev/null
++++ b/rules/community-inappropriate.rules
+@@ -0,0 +1,8 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-inappropriate.rules,v 1.8 2005/04/01 17:16:23 akirk Exp $
++
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE lolita sex"; content:"lolita"; nocase; content:"sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000105; rev:1;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE preteen sex"; content:"teen"; nocase; pcre:"/pre-?teen/i"; flow:to_client,established; classtype:kickass-porn; sid:100000123; rev:1;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE girls gone wild"; content:"girls"; nocase; content:"gone"; nocase; content:"wild"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000124; rev:1;)
+--- /dev/null
++++ b/rules/misc.rules
+@@ -0,0 +1,119 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $
++#-----------
++# MISC RULES
++#-----------
++
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
++alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
++alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
++alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240;
classtype:unsuccessful-user; sid:512; rev:4;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
++
++# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
++alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
++# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
++alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
++alert tcp
$AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
++alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
++
++
++# once we get response, check for content:"|03|"; offset:0; depth:1;
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5;
reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;)
++
++alert udp
$HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
++alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;)
++
++
++# This rule needs some work since you don't have to pass BEGIN and END
++# anywhere near each other.
++#
++#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
++#! msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
++#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
++#! within:255; classtype:misc-attack;)
++
++
++# normally Idon't like using 3a for :, but in this case...
I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
++alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established;
content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;)
++
++# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
++alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;)
++alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;)
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9;
reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;)
++alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;)
++
++
++alert tcp
$EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608;
classtype:misc-attack; sid:3080; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;)
+--- /dev/null
++++ b/rules/exploit.rules
+@@ -0,0 +1,121 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
++#--------------
++# EXPLOIT RULES
++#--------------
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08
89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
++alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312;
reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237;
reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
++
++alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT
CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
++alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
++alert udp
$EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28;
byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;)
++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
++alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|";
content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;)
++
++alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
++alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
++alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt;
classtype:attempted-admin; sid:2545; rev:4;)
++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established;
content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin;
sid:2579; rev:2;)
++alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
++alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:2;)
++alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;)
++alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4;
distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client
domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow"; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1;
isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow"; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17;
content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;)
+--- /dev/null
++++ b/rules/sid
+@@ -0,0 +1 @@
++3827
+--- /dev/null
++++ b/rules/dos.rules
+@@ -0,0 +1,45 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
++#----------
++# DOS RULES
++#----------
++
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
++# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
++# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276;
rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;) ++# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; 
reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;) ++alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;) ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;) ++# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;) +--- /dev/null ++++ b/rules/LICENSE +@@ -0,0 +1,340 @@ ++ GNU GENERAL PUBLIC LICENSE ++ Version 2, June 1991 ++ ++ Copyright (C) 1989, 1991 Free Software Foundation, Inc. ++ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ Everyone is permitted to copy and distribute verbatim copies ++ of this license document, but changing it is not allowed. ++ ++ Preamble ++ ++ The licenses for most software are designed to take away your ++freedom to share and change it. 
By contrast, the GNU General Public
++License is intended to guarantee your freedom to share and change free
++software--to make sure the software is free for all its users. This
++General Public License applies to most of the Free Software
++Foundation's software and to any other program whose authors commit to
++using it. (Some other Free Software Foundation software is covered by
++the GNU Library General Public License instead.) You can apply it to
++your programs, too.
++
++ When we speak of free software, we are referring to freedom, not
++price. Our General Public Licenses are designed to make sure that you
++have the freedom to distribute copies of free software (and charge for
++this service if you wish), that you receive source code or can get it
++if you want it, that you can change the software or use pieces of it
++in new free programs; and that you know you can do these things.
++
++ To protect your rights, we need to make restrictions that forbid
++anyone to deny you these rights or to ask you to surrender the rights.
++These restrictions translate to certain responsibilities for you if you
++distribute copies of the software, or if you modify it.
++
++ For example, if you distribute copies of such a program, whether
++gratis or for a fee, you must give the recipients all the rights that
++you have. You must make sure that they, too, receive or can get the
++source code. And you must show them these terms so they know their
++rights.
++
++ We protect your rights with two steps: (1) copyright the software, and
++(2) offer you this license which gives you legal permission to copy,
++distribute and/or modify the software.
++
++ Also, for each author's protection and ours, we want to make certain
++that everyone understands that there is no warranty for this free
++software.
If the software is modified by someone else and passed on, we
++want its recipients to know that what they have is not the original, so
++that any problems introduced by others will not reflect on the original
++authors' reputations.
++
++ Finally, any free program is threatened constantly by software
++patents. We wish to avoid the danger that redistributors of a free
++program will individually obtain patent licenses, in effect making the
++program proprietary. To prevent this, we have made it clear that any
++patent must be licensed for everyone's free use or not licensed at all.
++
++ The precise terms and conditions for copying, distribution and
++modification follow.
++
++ GNU GENERAL PUBLIC LICENSE
++ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
++
++ 0. This License applies to any program or other work which contains
++a notice placed by the copyright holder saying it may be distributed
++under the terms of this General Public License. The "Program", below,
++refers to any such program or work, and a "work based on the Program"
++means either the Program or any derivative work under copyright law:
++that is to say, a work containing the Program or a portion of it,
++either verbatim or with modifications and/or translated into another
++language. (Hereinafter, translation is included without limitation in
++the term "modification".) Each licensee is addressed as "you".
++
++Activities other than copying, distribution and modification are not
++covered by this License; they are outside its scope. The act of
++running the Program is not restricted, and the output from the Program
++is covered only if its contents constitute a work based on the
++Program (independent of having been made by running the Program).
++Whether that is true depends on what the Program does.
++
++ 1.
You may copy and distribute verbatim copies of the Program's
++source code as you receive it, in any medium, provided that you
++conspicuously and appropriately publish on each copy an appropriate
++copyright notice and disclaimer of warranty; keep intact all the
++notices that refer to this License and to the absence of any warranty;
++and give any other recipients of the Program a copy of this License
++along with the Program.
++
++You may charge a fee for the physical act of transferring a copy, and
++you may at your option offer warranty protection in exchange for a fee.
++
++ 2. You may modify your copy or copies of the Program or any portion
++of it, thus forming a work based on the Program, and copy and
++distribute such modifications or work under the terms of Section 1
++above, provided that you also meet all of these conditions:
++
++ a) You must cause the modified files to carry prominent notices
++ stating that you changed the files and the date of any change.
++
++ b) You must cause any work that you distribute or publish, that in
++ whole or in part contains or is derived from the Program or any
++ part thereof, to be licensed as a whole at no charge to all third
++ parties under the terms of this License.
++
++ c) If the modified program normally reads commands interactively
++ when run, you must cause it, when started running for such
++ interactive use in the most ordinary way, to print or display an
++ announcement including an appropriate copyright notice and a
++ notice that there is no warranty (or else, saying that you provide
++ a warranty) and that users may redistribute the program under
++ these conditions, and telling the user how to view a copy of this
++ License. (Exception: if the Program itself is interactive but
++ does not normally print such an announcement, your work based on
++ the Program is not required to print an announcement.)
++
++These requirements apply to the modified work as a whole.
If
++identifiable sections of that work are not derived from the Program,
++and can be reasonably considered independent and separate works in
++themselves, then this License, and its terms, do not apply to those
++sections when you distribute them as separate works. But when you
++distribute the same sections as part of a whole which is a work based
++on the Program, the distribution of the whole must be on the terms of
++this License, whose permissions for other licensees extend to the
++entire whole, and thus to each and every part regardless of who wrote it.
++
++Thus, it is not the intent of this section to claim rights or contest
++your rights to work written entirely by you; rather, the intent is to
++exercise the right to control the distribution of derivative or
++collective works based on the Program.
++
++In addition, mere aggregation of another work not based on the Program
++with the Program (or with a work based on the Program) on a volume of
++a storage or distribution medium does not bring the other work under
++the scope of this License.
++
++ 3.
You may copy and distribute the Program (or a work based on it,
++under Section 2) in object code or executable form under the terms of
++Sections 1 and 2 above provided that you also do one of the following:
++
++ a) Accompany it with the complete corresponding machine-readable
++ source code, which must be distributed under the terms of Sections
++ 1 and 2 above on a medium customarily used for software interchange; or,
++
++ b) Accompany it with a written offer, valid for at least three
++ years, to give any third party, for a charge no more than your
++ cost of physically performing source distribution, a complete
++ machine-readable copy of the corresponding source code, to be
++ distributed under the terms of Sections 1 and 2 above on a medium
++ customarily used for software interchange; or,
++
++ c) Accompany it with the information you received as to the offer
++ to distribute corresponding source code. (This alternative is
++ allowed only for noncommercial distribution and only if you
++ received the program in object code or executable form with such
++ an offer, in accord with Subsection b above.)
++
++The source code for a work means the preferred form of the work for
++making modifications to it. For an executable work, complete source
++code means all the source code for all modules it contains, plus any
++associated interface definition files, plus the scripts used to
++control compilation and installation of the executable. However, as a
++special exception, the source code distributed need not include
++anything that is normally distributed (in either source or binary
++form) with the major components (compiler, kernel, and so on) of the
++operating system on which the executable runs, unless that component
++itself accompanies the executable.
++
++If distribution of executable or object code is made by offering
++access to copy from a designated place, then offering equivalent
++access to copy the source code from the same place counts as
++distribution of the source code, even though third parties are not
++compelled to copy the source along with the object code.
++
++ 4. You may not copy, modify, sublicense, or distribute the Program
++except as expressly provided under this License. Any attempt
++otherwise to copy, modify, sublicense or distribute the Program is
++void, and will automatically terminate your rights under this License.
++However, parties who have received copies, or rights, from you under
++this License will not have their licenses terminated so long as such
++parties remain in full compliance.
++
++ 5. You are not required to accept this License, since you have not
++signed it. However, nothing else grants you permission to modify or
++distribute the Program or its derivative works. These actions are
++prohibited by law if you do not accept this License. Therefore, by
++modifying or distributing the Program (or any work based on the
++Program), you indicate your acceptance of this License to do so, and
++all its terms and conditions for copying, distributing or modifying
++the Program or works based on it.
++
++ 6. Each time you redistribute the Program (or any work based on the
++Program), the recipient automatically receives a license from the
++original licensor to copy, distribute or modify the Program subject to
++these terms and conditions. You may not impose any further
++restrictions on the recipients' exercise of the rights granted herein.
++You are not responsible for enforcing compliance by third parties to
++this License.
++
++ 7.
If, as a consequence of a court judgment or allegation of patent
++infringement or for any other reason (not limited to patent issues),
++conditions are imposed on you (whether by court order, agreement or
++otherwise) that contradict the conditions of this License, they do not
++excuse you from the conditions of this License. If you cannot
++distribute so as to satisfy simultaneously your obligations under this
++License and any other pertinent obligations, then as a consequence you
++may not distribute the Program at all. For example, if a patent
++license would not permit royalty-free redistribution of the Program by
++all those who receive copies directly or indirectly through you, then
++the only way you could satisfy both it and this License would be to
++refrain entirely from distribution of the Program.
++
++If any portion of this section is held invalid or unenforceable under
++any particular circumstance, the balance of the section is intended to
++apply and the section as a whole is intended to apply in other
++circumstances.
++
++It is not the purpose of this section to induce you to infringe any
++patents or other property right claims or to contest validity of any
++such claims; this section has the sole purpose of protecting the
++integrity of the free software distribution system, which is
++implemented by public license practices. Many people have made
++generous contributions to the wide range of software distributed
++through that system in reliance on consistent application of that
++system; it is up to the author/donor to decide if he or she is willing
++to distribute software through any other system and a licensee cannot
++impose that choice.
++
++This section is intended to make thoroughly clear what is believed to
++be a consequence of the rest of this License.
++
++ 8.
If the distribution and/or use of the Program is restricted in
++certain countries either by patents or by copyrighted interfaces, the
++original copyright holder who places the Program under this License
++may add an explicit geographical distribution limitation excluding
++those countries, so that distribution is permitted only in or among
++countries not thus excluded. In such case, this License incorporates
++the limitation as if written in the body of this License.
++
++ 9. The Free Software Foundation may publish revised and/or new versions
++of the General Public License from time to time. Such new versions will
++be similar in spirit to the present version, but may differ in detail to
++address new problems or concerns.
++
++Each version is given a distinguishing version number. If the Program
++specifies a version number of this License which applies to it and "any
++later version", you have the option of following the terms and conditions
++either of that version or of any later version published by the Free
++Software Foundation. If the Program does not specify a version number of
++this License, you may choose any version ever published by the Free Software
++Foundation.
++
++ 10. If you wish to incorporate parts of the Program into other free
++programs whose distribution conditions are different, write to the author
++to ask for permission. For software which is copyrighted by the Free
++Software Foundation, write to the Free Software Foundation; we sometimes
++make exceptions for this. Our decision will be guided by the two goals
++of preserving the free status of all derivatives of our free software and
++of promoting the sharing and reuse of software generally.
++
++ NO WARRANTY
++
++ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
++FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN
++OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
++PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
++OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
++TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
++PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
++REPAIR OR CORRECTION.
++
++ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
++REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
++INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
++OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
++TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
++YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
++PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
++POSSIBILITY OF SUCH DAMAGES.
++
++ END OF TERMS AND CONDITIONS
++
++ How to Apply These Terms to Your New Programs
++
++ If you develop a new program, and you want it to be of the greatest
++possible use to the public, the best way to achieve this is to make it
++free software which everyone can redistribute and change under these terms.
++
++ To do so, attach the following notices to the program. It is safest
++to attach them to the start of each source file to most effectively
++convey the exclusion of warranty; and each file should have at least
++the "copyright" line and a pointer to where the full notice is found.
++
++
++ Copyright (C) 19yy
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++
++
++Also add information on how to contact you by electronic and paper mail.
++
++If the program is interactive, make it output a short notice like this
++when it starts in an interactive mode:
++
++ Gnomovision version 69, Copyright (C) 19yy name of author
++ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
++ This is free software, and you are welcome to redistribute it
++ under certain conditions; type `show c' for details.
++
++The hypothetical commands `show w' and `show c' should show the appropriate
++parts of the General Public License. Of course, the commands you use may
++be called something other than `show w' and `show c'; they could even be
++mouse-clicks or menu items--whatever suits your program.
++
++You should also get your employer (if you work as a programmer) or your
++school, if any, to sign a "copyright disclaimer" for the program, if
++necessary. Here is a sample; alter the names:
++
++ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
++ `Gnomovision' (which makes passes at compilers) written by James Hacker.
++
++ , 1 April 1989
++ Ty Coon, President of Vice
++
++This General Public License does not permit incorporating your program into
++proprietary programs. If your program is a subroutine library, you may
++consider it more useful to permit linking proprietary applications with the
++library. If this is what you want to do, use the GNU Library General
++Public License instead of this License.
+--- /dev/null
++++ b/rules/smtp.rules
+@@ -0,0 +1,94 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: smtp.rules,v 1.44.2.4.2.6 2005/07/22 19:19:54 mwatchinski Exp $
++#-----------
++# SMTP RULES
++#-----------
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
++alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:11;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:10;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn
*@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:9;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:14;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:15;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established;
content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:17;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:15;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:8;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230;
reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;) ++ ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:5;) ++alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; 
classtype:attempted-user; sid:2487; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:7;)
++
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:9;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:5;)
++alert tcp 
$SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:5;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:5;)
++
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:7;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; 
byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:13;)
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:6;)
++alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:6;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:6;)
++
++
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:4;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From command overflow attempt"; flow:to_server,established; content:"From"; 
nocase; pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Sender command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:2;)
+--- /dev/null
++++ b/rules/community-deleted.rules
+@@ -0,0 +1,7 @@
++# Copyright 2006 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-deleted.rules,v 1.3 2006/12/05 20:32:48 akirk Exp $
++
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments.php"; nocase; uricontent:"keyword="; nocase; classtype:web-application-attack; sid:100000819; rev:2;)
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments"; nocase; uricontent:"|2E|php"; nocase; uricontent:"|3F|keyword"; nocase; reference:bugtraq,18798; classtype:web-application-attack; sid:100000848; rev:2;)
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000381; rev:3;)
+--- /dev/null
++++ b/rules/info.rules
+@@ -0,0 +1,32 @@
++# Copyright 2001-2005 Sourcefire, Inc. 
All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: info.rules,v 1.27.2.3.2.2 2005/05/31 17:13:02 mwatchinski Exp $
++#-----------
++# INFO RULES
++#-----------
++
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;)
++alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; 
classtype:unknown; sid:489; rev:7;)
++alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;)
++alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
++alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;)
++alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:3;)
+--- /dev/null
++++ b/rules/web-iis.rules
+@@ -0,0 +1,167 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. 
Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: web-iis.rules,v 1.78.2.5.2.6 2005/07/22 19:19:54 mwatchinski Exp $
++#--------------
++# WEB-IIS RULES
++#--------------
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; reference:url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx; classtype:web-application-attack; sid:1970; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; 
reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:16;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; reference:bugtraq,4672; classtype:web-application-activity; sid:1756; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:cve,2000-1089; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; 
uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; reference:nessus,10359; reference:url,www.osvdb.org/274; classtype:web-application-activity; sid:1485; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; 
uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:14;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:978; rev:12;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:979; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;)
++
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:10;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; 
flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx; classtype:web-application-attack; sid:1725; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:14;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; 
nocase; classtype:web-application-attack; sid:994; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; uricontent:"/bdir.htr"; nocase; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)
++alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;)
++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx; classtype:web-application-attack; sid:1007; rev:10;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; classtype:web-application-attack; sid:1380; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; 
classtype:web-application-attack; sid:1009; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; reference:bugtraq,886; reference:cve,2000-0024; reference:url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx; classtype:web-application-activity; sid:1010; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:12;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; 
uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; uricontent:"CiWebHitsFile="; nocase; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; uricontent:"CiRestriction=none"; nocase; uricontent:"ciHiliteType=Full"; nocase; reference:bugtraq,950; reference:cve,2000-0097; reference:url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:15;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:12;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx; classtype:web-application-attack; sid:1021; rev:14;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:1023; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; 
flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; 
flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx; classtype:web-application-activity; sid:1037; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm 
access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:12;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; reference:cve,2000-0778; classtype:web-application-activity; sid:1042; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;) ++# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; 
flow:to_server,established; uricontent:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:8;) ++alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx; 
classtype:web-application-attack; sid:1567; rev:12;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:11;) ++ ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1802; rev:8;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1803; rev:9;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1804; rev:9;) ++# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; 
reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1801; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; 
classtype:web-application-activity; sid:2130; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; classtype:web-application-activity; sid:2133; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; 
sid:2248; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; 
reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:9;) ++ ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cmd executable file parsing attack"; flow:established,to_server; uricontent:".cmd|22|"; nocase; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat executable file parsing 
attack"; flow:established,to_server; uricontent:".bat|22|"; nocase; pcre:"/.bat\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS httpodbc.dll access - nimda"; flow:to_server,established; uricontent:"/httpodbc.dll"; nocase; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; uricontent:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; reference:bugtraq,5004; reference:cve,2002-0186; reference:url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:4;) +--- /dev/null ++++ b/rules/web-client.rules +@@ -0,0 +1,54 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
++# ++# ++# $Id: web-client.rules,v 1.20.2.8.2.7 2005/07/22 19:19:54 mwatchinski Exp $ ++#--------------- ++# WEB-CLIENT RULES ++#--------------- ++# ++# These signatures look for two things: ++# * bad things coming from our users ++# * attacks against our web users ++ ++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; reference:nessus,10767; classtype:attempted-user; sid:1233; rev:11;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2435; rev:5;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2436; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;) ++alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; 
rev:10;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*? $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2438; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2439; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2440; rev:5;) ++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; 
reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:5;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2589; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)
++# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
++# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
++# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:2;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type overflow attempt"; flow:from_server,established; content:"]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)
++alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)
+--- /dev/null
++++ b/rules/unicode.map
+@@ -0,0 +1,104 @@
++# Windows Version: 
5.00.2195 ++# OEM codepage: 437 ++# ACP codepage: 1252 ++ ++# INSTALLED CODEPAGES ++10000 (MAC - Roman) ++ ++ ++10079 (MAC - Icelandic) ++ ++ ++1250 (ANSI - Central Europe) ++00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 
2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1251 (ANSI - Cyrillic) ++00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 
012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b 
ff5c:7c ff5d:7d ff5e:7e ++ ++1252 (ANSI - Latin I) ++0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 
2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1253 (ANSI - Greek) ++00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 
012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1254 (ANSI - Turkish) 
++00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 
2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1255 (ANSI - Hebrew) ++0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1256 (ANSI - Arabic) ++00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 
ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1257 (ANSI - Baltic) ++ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++1258 (ANSI/OEM - Viet Nam) ++ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 
ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++#INVALID CODEPAGE: 1361 ++20127 (US-ASCII) ++00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++20261 (T.61) ++f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f ++ ++20866 (Russian - KOI8) ++00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 
0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ++ ++28591 (ISO 8859-1 Latin I) ++0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 
0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++28592 (ISO 8859-2 Central Europe) ++00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 
00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a 
ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++#INVALID CODEPAGE: 28595 ++#INVALID CODEPAGE: 28597 ++28605 (ISO 8859-15 Latin 9) ++00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 
ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++37 (IBM EBCDIC - U.S./Canada) ++0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f ++ ++437 (OEM - United States) ++00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 
00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 
211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++500 (IBM EBCDIC - International) ++0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 
00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ++ ++850 (OEM - Multilingual Latin I) ++0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 
201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e ++ ++860 (OEM - Portuguese) ++00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 
00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 
211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 ++ ++861 (OEM - Icelandic) ++00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 
01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 ++ ++863 (OEM - Canadian French) ++00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 
0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 
263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 ++ ++865 (OEM - Nordic) ++00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 
2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 ++ ++874 (ANSI/OEM - Thai) ++00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d 
ff5e:7e
++
++932 (ANSI/OEM - Japanese Shift-JIS)
++00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79
++
++936 (ANSI/OEM - Simplified Chinese GBK)
++00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74
++
++949 (ANSI/OEM - Korean)
++00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c
++
++950 (ANSI/OEM - Traditional Chinese Big5)
++00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79
++
++65000 (UTF-7)
++
++
++65001 (UTF-8)
++
++
+--- /dev/null
++++ b/rules/community-web-misc.rules
+@@ -0,0 +1,215 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
++# Following rule submitted by Alexandru Ionica , and revised by Jason Haar
++alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
++#Rules submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)
++alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
++alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
++
++#Rule to detect use of Google's translation feature to bypass content monitor submitted by David Bianco
++alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
++
++#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
++#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
++#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000320; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; 
uricontent:"/Admin/admin_edit.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase; 
pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000343; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro 
initialize.php remote file include"; flow:to_server,established; uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase; 
uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; 
sid:100000359; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established; 
uricontent:"/modules/Forums/admin/index.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase; 
uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; 
reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; 
classtype:web-application-attack; sid:100000380; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established; 
uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000387; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;) ++alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established; uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase; 
pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000414; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include"; flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui"; reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;)
++alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase; uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;)
++
++# JBoss Rules from Jon Hart
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;)
++
++
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000431; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000442; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; 
classtype:web-application-attack; sid:100000450; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000699; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;)
++
++# Rules submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;)
++
++# Rule submitted by Avinash Shenoi (Cenzic Inc. 
CIA Research Team)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;)
+--- /dev/null
++++ b/rules/sid-msg.map
+@@ -0,0 +1,3544 @@
++103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
++104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
++105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
++106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
++107 || BACKDOOR subseven DEFCON8 2.1 access
++108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
++109 || BACKDOOR netbus active || arachnids,401
++110 || BACKDOOR netbus getinfo || arachnids,403
++111 || BACKDOOR netbus getinfo || arachnids,403
++112 || BACKDOOR BackOrifice access || arachnids,400
++113 || BACKDOOR DeepThroat access || arachnids,405
++114 || BACKDOOR netbus active || arachnids,401
++115 || BACKDOOR NetBus Pro 2.0 connection established
++116 || BACKDOOR BackOrifice access || arachnids,399
++117 || BACKDOOR Infector.1.x || arachnids,315
++118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316
++119 || BACKDOOR Doly 2.0 access || arachnids,312
++120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157
++121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157
++122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106
++124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106
++125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106
++126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106
++127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106
++128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106
++129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106
++130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106
++131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106
++132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106
++133 || BACKDOOR DeepThroat 3.1 Cached Passwords Client Request || arachnids,106
++134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106
++135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106
++136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106
++137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106
++138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106
++140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106
++141 || BACKDOOR HackAttack 1.20 Connect
++142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106
++143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106
++144 || FTP ADMw0rm ftp login attempt || arachnids,01
++145 || BACKDOOR GirlFriendaccess || arachnids,98
++146 || BACKDOOR NetSphere access || arachnids,76
++147 || BACKDOOR GateCrasher || arachnids,99
++148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106
++149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
++150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
++151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
++152 || BACKDOOR BackConstruction 2.1 Connection
++153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575
++154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106
++155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76
++156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106
++157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request
++158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply
++159 || BACKDOOR NetMetro File List || arachnids,79
++160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79
++161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83
++162 || BACKDOOR Matrix 2.0 Server access || arachnids,83
++163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36
++164 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
++165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106
++166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106
++167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106
++168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106
++169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106
++170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106
++171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106
++172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106
++173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106
++174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
++175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106
++176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
++177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106
++179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106
++180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106
++181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106
++182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106
++183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202
++184 || BACKDOOR Q access || arachnids,203
++185 || BACKDOOR CDK || arachnids,263
++186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106
++187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106
++188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106
++189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106
++190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106
++191 || BACKDOOR DeepThroat 3.1 Change Window Title Client Request || arachnids,106
++192 || BACKDOOR DeepThroat 3.1 
Hide Window Client Request || arachnids,106
++193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106
++194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106
++195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053
++196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106
++197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106
++198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106
++199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106
++200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106
++201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106
++202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106
++203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
++204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
++205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106
++206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106
++207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106
++208 || BACKDOOR PhaseZero Server Active on Network
++209 || BACKDOOR w00w00 attempt || arachnids,510
++210 || BACKDOOR attempt
++211 || BACKDOOR MISC r00t attempt
++212 || BACKDOOR MISC rewt attempt
++213 || BACKDOOR MISC Linux rootkit attempt
++214 || BACKDOOR MISC Linux rootkit attempt lrkr0x
++215 || BACKDOOR MISC Linux rootkit attempt
++216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516
++217 || BACKDOOR MISC sm4ck attempt
++218 || BACKDOOR MISC Solaris 2.5 attempt
++219 || BACKDOOR HidePak backdoor attempt
++220 || BACKDOOR HideSource backdoor attempt
++221 || DDOS TFN Probe || arachnids,443
++222 || DDOS tfn2k icmp possible communication || arachnids,425
++223 || DDOS Trin00 Daemon to Master PONG message detected || arachnids,187
++224 || DDOS Stacheldraht server spoof || arachnids,193
++225 || DDOS Stacheldraht gag server response || arachnids,195
++226 || DDOS Stacheldraht server response || arachnids,191
++227 || DDOS Stacheldraht client spoofworks || arachnids,192
++228 || DDOS TFN client command BE || arachnids,184
++229 || DDOS Stacheldraht client check skillz || arachnids,190
++230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml
++231 || DDOS Trin00 Daemon to Master message detected || arachnids,186
++232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm
++233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197
++234 || DDOS Trin00 Attacker to Master default password
++235 || DDOS Trin00 Attacker to Master default mdie password
++236 || DDOS Stacheldraht client check gag || arachnids,194
++237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197
++238 || DDOS TFN server response || arachnids,182
++239 || DDOS shaft handler to agent || arachnids,255
++240 || DDOS shaft agent to handler || arachnids,256
++241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138
++243 || DDOS mstream agent to handler
++244 || DDOS mstream handler to agent || cve,2000-0138
++245 || DDOS mstream handler ping to agent || cve,2000-0138
++246 || DDOS mstream agent pong to handler
++247 || DDOS mstream client to handler || cve,2000-0138
++248 || DDOS mstream handler to client || cve,2000-0138
++249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138
++250 || DDOS mstream handler to client || cve,2000-0138
++251 || DDOS - TFN client command LE || arachnids,183
++252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt
++253 || DNS SPOOF query response PTR with TTL of 1 min. and no authority
++254 || DNS SPOOF query response with TTL of 1 min. and no authority
++255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595
++256 || DNS named authors attempt || arachnids,480 || nessus,10728
++257 || DNS named version attempt || arachnids,278 || nessus,10028
++258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833
++259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833
++260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html
++261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html
++262 || DNS EXPLOIT x86 Linux overflow attempt
++264 || DNS EXPLOIT x86 Linux overflow attempt
++265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2
++266 || DNS EXPLOIT x86 FreeBSD overflow attempt
++267 || DNS EXPLOIT sparc overflow attempt
++268 || DOS Jolt attack || cve,1999-0345
++269 || DOS Land attack || bugtraq,2666 || cve,1999-0016
++270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html
++271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635
++272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx
++273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918
++274 || DOS ath || arachnids,264 || cve,1999-1228
++275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx
++276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474
++277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
++278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
++279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221
++281 || DOS Ascend Route || arachnids,262 || bugtraq,714 || cve,1999-0060
++282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788
++283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
++284 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130
++285 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130
++286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196
++287 || POP3 EXPLOIT x86 BSD overflow
++288 || POP3 EXPLOIT x86 Linux overflow
++289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006
++290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184
++291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341
++292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811
++293 || IMAP EXPLOIT overflow
++295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
++296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
++297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
++298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
++299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
++300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319
++301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917
++302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917
++303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010
++304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306
++305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165
++306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html
++307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672
++308 || EXPLOIT NextFTP client 
overflow || bugtraq,572 || cve,1999-0671 ++309 || EXPLOIT sniffit overflow || arachnids,273 || bugtraq,1158 || cve,2000-0343 ++310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404 ++311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 ++312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414 ++313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210 ++314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010 ++315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 ++316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 ++317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 ++318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914 ++319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799 ++320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm ++321 || FINGER account enumeration attempt || nessus,10788 ++322 || FINGER search query || arachnids,375 || cve,1999-0259 ++323 || FINGER root query || arachnids,376 ++324 || FINGER null request || arachnids,377 ++325 || FINGER probe 0 attempt || arachnids,378 ++326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150 ++327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152 ++328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106 ++329 || FINGER cybercop redirection || arachnids,11 ++330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073 ++331 || FINGER cybercop query || arachnids,132 || cve,1999-0612 ++332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069 ++333 || FINGER . 
query || arachnids,130 || cve,1999-0198 || nessus,10072 ++334 || FTP .forward || arachnids,319 ++335 || FTP .rhosts || arachnids,328 ++336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082 ++337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009 ++338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573 ++339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053 ++340 || FTP EXPLOIT overflow ++341 || FTP EXPLOIT overflow ++342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573 ++343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573 ++344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573 ++345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452 ++346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573 ++348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387 ++349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 ++350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 ++351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 ++352 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || cve,1999-0368 ++353 || FTP adm scan || arachnids,332 ++354 || FTP iss scan || arachnids,331 ++355 || FTP pass wh00t || arachnids,324 ++356 || FTP passwd retrieval attempt || arachnids,213 ++357 || FTP piss scan ++358 || FTP saint scan || arachnids,330 ++359 || FTP satan scan || arachnids,329 ++360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054 ++361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 
|| cve,1999-0955 ++362 || FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997 ++363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875 ++364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875 ++365 || ICMP PING undefined code ++366 || ICMP PING *NIX ++368 || ICMP PING BSDtype || arachnids,152 ++369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444 ++370 || ICMP PING BeOS4.x || arachnids,151 ++371 || ICMP PING Cisco Type.x || arachnids,153 ++372 || ICMP PING Delphi-Piette Windows || arachnids,155 ++373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156 ++374 || ICMP PING IP NetMonitor Macintosh || arachnids,157 ++375 || ICMP PING LINUX/*BSD || arachnids,447 ++376 || ICMP PING Microsoft Windows || arachnids,159 ++377 || ICMP PING Network Toolbox 3 Windows || arachnids,161 ++378 || ICMP PING Ping-O-MeterWindows || arachnids,164 ++379 || ICMP PING Pinger Windows || arachnids,163 ++380 || ICMP PING Seer Windows || arachnids,166 ++381 || ICMP PING Sun Solaris || arachnids,448 ++382 || ICMP PING Windows || arachnids,169 ++384 || ICMP PING ++385 || ICMP traceroute || arachnids,118 ++386 || ICMP Address Mask Reply ++387 || ICMP Address Mask Reply undefined code ++388 || ICMP Address Mask Request ++389 || ICMP Address Mask Request undefined code ++390 || ICMP Alternate Host Address ++391 || ICMP Alternate Host Address undefined code ++392 || ICMP Datagram Conversion Error ++393 || ICMP Datagram Conversion Error undefined code ++394 || ICMP Destination Unreachable Destination Host Unknown ++395 || ICMP Destination Unreachable Destination Network Unknown ++396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set ++397 || ICMP Destination Unreachable Host Precedence Violation ++398 || ICMP Destination Unreachable Host Unreachable for Type of Service ++399 || ICMP Destination Unreachable Host Unreachable ++400 || ICMP Destination 
Unreachable Network Unreachable for Type of Service ++401 || ICMP Destination Unreachable Network Unreachable ++402 || ICMP Destination Unreachable Port Unreachable ++403 || ICMP Destination Unreachable Precedence Cutoff in effect ++404 || ICMP Destination Unreachable Protocol Unreachable ++405 || ICMP Destination Unreachable Source Host Isolated ++406 || ICMP Destination Unreachable Source Route Failed ++407 || ICMP Destination Unreachable cndefined code ++408 || ICMP Echo Reply ++409 || ICMP Echo Reply undefined code ++410 || ICMP Fragment Reassembly Time Exceeded ++411 || ICMP IPV6 I-Am-Here ++412 || ICMP IPV6 I-Am-Here undefined code ++413 || ICMP IPV6 Where-Are-You ++414 || ICMP IPV6 Where-Are-You undefined code ++415 || ICMP Information Reply ++416 || ICMP Information Reply undefined code ++417 || ICMP Information Request ++418 || ICMP Information Request undefined code ++419 || ICMP Mobile Host Redirect ++420 || ICMP Mobile Host Redirect undefined code ++421 || ICMP Mobile Registration Reply ++422 || ICMP Mobile Registration Reply undefined code ++423 || ICMP Mobile Registration Request ++424 || ICMP Mobile Registration Request undefined code ++425 || ICMP Parameter Problem Bad Length ++426 || ICMP Parameter Problem Missing a Required Option ++427 || ICMP Parameter Problem Unspecified Error ++428 || ICMP Parameter Problem undefined Code ++429 || ICMP Photuris Reserved ++430 || ICMP Photuris Unknown Security Parameters Index ++431 || ICMP Photuris Valid Security Parameters, But Authentication Failed ++432 || ICMP Photuris Valid Security Parameters, But Decryption Failed ++433 || ICMP Photuris undefined code! 
++436 || ICMP Redirect for TOS and Host ++437 || ICMP Redirect for TOS and Network ++438 || ICMP Redirect undefined code ++439 || ICMP Reserved for Security Type 19 ++440 || ICMP Reserved for Security Type 19 undefined code ++441 || ICMP Router Advertisement || arachnids,173 ++443 || ICMP Router Selection || arachnids,174 ++445 || ICMP SKIP ++446 || ICMP SKIP undefined code ++448 || ICMP Source Quench undefined code ++449 || ICMP Time-To-Live Exceeded in Transit ++450 || ICMP Time-To-Live Exceeded in Transit undefined code ++451 || ICMP Timestamp Reply ++452 || ICMP Timestamp Reply undefined code ++453 || ICMP Timestamp Request ++454 || ICMP Timestamp Request undefined code ++455 || ICMP Traceroute ipopts || arachnids,238 ++456 || ICMP Traceroute ++457 || ICMP Traceroute undefined code ++458 || ICMP unassigned type 1 ++459 || ICMP unassigned type 1 undefined code ++460 || ICMP unassigned type 2 ++461 || ICMP unassigned type 2 undefined code ++462 || ICMP unassigned type 7 ++463 || ICMP unassigned type 7 undefined code ++465 || ICMP ISS Pinger || arachnids,158 ++466 || ICMP L3retriever Ping || arachnids,311 ++467 || ICMP Nemesis v1.1 Echo || arachnids,449 ++469 || ICMP PING NMAP || arachnids,162 ++471 || ICMP icmpenum v1.1.1 || arachnids,450 ++472 || ICMP redirect host || arachnids,135 || cve,1999-0265 ++473 || ICMP redirect net || arachnids,199 || cve,1999-0265 ++474 || ICMP superscan echo ++475 || ICMP traceroute ipopts || arachnids,238 ++476 || ICMP webtrends scanner || arachnids,307 ++477 || ICMP Source Quench ++478 || ICMP Broadscan Smurf Scanner ++480 || ICMP PING speedera ++481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167 ++482 || ICMP PING WhatsupGold Windows || arachnids,168 ++483 || ICMP PING CyberKit 2.2 Windows || arachnids,154 ++484 || ICMP PING Sniffer Pro/NetXRay network scan ++485 || ICMP Destination Unreachable Communication Administratively Prohibited ++486 || ICMP Destination Unreachable Communication with Destination Host is 
Administratively Prohibited ++487 || ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited ++488 || INFO Connection Closed MSG from Port 80 ++489 || INFO FTP no password || arachnids,322 ++490 || INFO battle-mail traffic ++491 || INFO FTP Bad login ++492 || INFO TELNET login failed ++493 || INFO psyBNC access ++494 || ATTACK-RESPONSES command completed || bugtraq,1806 ++495 || ATTACK-RESPONSES command error ++496 || ATTACK RESPONSES directory listing ++497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884 ++498 || ATTACK-RESPONSES id check returned root ++499 || ICMP Large ICMP Packet || arachnids,246 ++500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx ++501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx ++502 || MISC source route ssrr || arachnids,422 ++503 || MISC Source Port 20 to <1024 || arachnids,06 ++504 || MISC source port 53 to <1024 || arachnids,07 ++505 || MISC Insecure TIMBUKTU Password || arachnids,229 ++506 || MISC ramen worm incoming || arachnids,460 ++507 || MISC PCAnywhere Attempted Administrator Login ++508 || MISC gopher proxy || arachnids,409 ++509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,2000-0707 || nessus,10783 ++510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245 ++511 || MISC Invalid PCAnywhere Login ++512 || MISC PCAnywhere Failed Login || arachnids,240 ++513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430 ++514 || MISC ramen worm || arachnids,461 ++516 || MISC SNMP NT UserList || nessus,10546 ++517 || MISC xdmcp query || arachnids,476 ++518 || TFTP Put || arachnids,148 || cve,1999-0183 ++519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209 ++520 || 
TFTP root directory || arachnids,138 || cve,1999-0183 ++521 || MISC Large UDP Packet || arachnids,247 ++522 || MISC Tiny Fragments ++523 || BAD-TRAFFIC ip reserved bit set ++524 || BAD-TRAFFIC tcp port 0 traffic ++525 || BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074 ++526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html ++527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html ++528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php ++529 || NETBIOS DOS RFPoison || arachnids,454 ++530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347 ++532 || NETBIOS SMB ADMIN$ share access ++533 || NETBIOS SMB C$ share access ++534 || NETBIOS SMB CD.. || arachnids,338 ++535 || NETBIOS SMB CD... || arachnids,337 ++536 || NETBIOS SMB D$ share access ++537 || NETBIOS SMB IPC$ share access ++538 || NETBIOS SMB IPC$ unicode share access ++539 || NETBIOS Samba clientaccess || arachnids,341 ++540 || CHAT MSN message ++541 || CHAT ICQ access ++542 || CHAT IRC nick change ++543 || POLICY FTP 'STOR 1MB' possible warez site ++544 || POLICY FTP 'RETR 1MB' possible warez site ++545 || POLICY FTP 'CWD / ' possible warez site ++546 || POLICY FTP 'CWD ' possible warez site ++547 || POLICY FTP 'MKD ' possible warez site ++548 || POLICY FTP 'MKD .' 
possible warez site ++549 || P2P napster login ++550 || P2P napster new user login ++551 || P2P napster download attempt ++552 || P2P napster upload request ++553 || POLICY FTP anonymous login attempt ++554 || POLICY FTP 'MKD / ' possible warez site ++555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657 ++556 || P2P Outbound GNUTella client request ++557 || P2P GNUTella client request ++558 || INFO Outbound GNUTella client request ++559 || P2P Inbound GNUTella client request ++560 || POLICY VNC server response ++561 || P2P Napster Client Data ++562 || P2P Napster Client Data ++563 || P2P Napster Client Data ++564 || P2P Napster Client Data ++565 || P2P Napster Server Login ++566 || POLICY PCAnywhere server response || arachnids,239 ++567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html ++568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245 ++569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html ++570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html ++571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html ++572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003 ++573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704 ++574 || RPC mountd TCP export request || arachnids,26 ++575 || RPC portmap admind request UDP || arachnids,18 ++576 || RPC portmap amountd request UDP || arachnids,19 ++577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647 ++578 || RPC portmap cmsd request UDP || arachnids,17 ++579 || RPC portmap mountd request UDP || arachnids,13 ++580 || RPC portmap nisd request UDP || arachnids,21 ++581 || RPC portmap pcnfsd request UDP || arachnids,22 ++582 || RPC portmap rexd request 
UDP || arachnids,23 ++583 || RPC portmap rstatd request UDP || arachnids,10 ++584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626 ++585 || RPC portmap sadmind request UDP || arachnids,20 ++586 || RPC portmap selection_svc request UDP || arachnids,25 ++587 || RPC portmap status request UDP || arachnids,15 ++588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html ++589 || RPC portmap yppasswd request UDP || arachnids,14 ++590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 ++591 || RPC portmap ypupdated request TCP || arachnids,125 ++592 || RPC rstatd query || arachnids,9 ++593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html ++595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331 ++596 || RPC portmap listing || arachnids,429 ++597 || RPC portmap listing || arachnids,429 ++598 || RPC portmap listing TCP 111 || arachnids,428 ++599 || RPC portmap listing TCP 32771 || arachnids,429 ++600 || RPC EXPLOIT statdx || arachnids,442 ++601 || RSERVICES rlogin LinuxNIS ++602 || RSERVICES rlogin bin || arachnids,384 ++603 || RSERVICES rlogin echo++ || arachnids,385 ++604 || RSERVICES rsh froot || arachnids,387 ++605 || RSERVICES rlogin login failure || arachnids,393 ++606 || RSERVICES rlogin root || arachnids,389 ++607 || RSERVICES rsh bin || arachnids,390 ++608 || RSERVICES rsh echo + + || arachnids,388 ++609 || RSERVICES rsh froot || arachnids,387 ++610 || RSERVICES rsh root || arachnids,391 ++611 || RSERVICES rlogin login failure || arachnids,392 ++612 || RPC rusers query UDP || cve,1999-0626 ++613 || SCAN myscan || arachnids,439 ++614 || BACKDOOR hack-a-tack attempt || arachnids,314 ++615 || SCAN SOCKS Proxy attempt || 
url,help.undernet.org/proxyscan/ ++616 || SCAN ident version request || arachnids,303 ++617 || SCAN ssh-research-scanner ++618 || SCAN Squid Proxy attempt ++619 || SCAN cybercop os probe || arachnids,146 ++620 || SCAN Proxy Port 8080 attempt ++621 || SCAN FIN || arachnids,27 ++622 || SCAN ipEye SYN scan || arachnids,236 ++623 || SCAN NULL || arachnids,4 ++624 || SCAN SYN FIN || arachnids,198 ++625 || SCAN XMAS || arachnids,144 ++626 || SCAN cybercop os PA12 attempt || arachnids,149 ++627 || SCAN cybercop os SFU12 probe || arachnids,150 ++628 || SCAN nmap TCP || arachnids,28 ++629 || SCAN nmap fingerprint attempt || arachnids,05 ++630 || SCAN synscan portscan || arachnids,441 ++631 || SMTP ehlo cybercop attempt || arachnids,372 ++632 || SMTP expn cybercop attempt || arachnids,371 ++634 || SCAN Amanda client version request ++635 || SCAN XTACACS logout || arachnids,408 ++636 || SCAN cybercop udp bomb || arachnids,363 ++637 || SCAN Webtrends Scanner UDP Probe || arachnids,308 ++638 || SHELLCODE SGI NOOP || arachnids,356 ++639 || SHELLCODE SGI NOOP || arachnids,357 ++640 || SHELLCODE AIX NOOP ++641 || SHELLCODE Digital UNIX NOOP || arachnids,352 ++642 || SHELLCODE HP-UX NOOP || arachnids,358 ++643 || SHELLCODE HP-UX NOOP || arachnids,359 ++644 || SHELLCODE sparc NOOP || arachnids,345 ++645 || SHELLCODE sparc NOOP || arachnids,353 ++646 || SHELLCODE sparc NOOP || arachnids,355 ++647 || SHELLCODE sparc setuid 0 || arachnids,282 ++648 || SHELLCODE x86 NOOP || arachnids,181 ++649 || SHELLCODE x86 setgid 0 || arachnids,284 ++650 || SHELLCODE x86 setuid 0 || arachnids,436 ++651 || SHELLCODE x86 stealth NOOP || arachnids,291 ++652 || SHELLCODE Linux shellcode || arachnids,343 ++653 || SHELLCODE x86 0x90 unicode NOOP ++654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260 ++655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204 ++656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042 ++657 || SMTP 
chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261 ++658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 || nessus,10558 || url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx ++659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248 ++660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249 ++661 || SMTP majordomo ifs || arachnids,143 || bugtraq,2310 || cve,1999-0207 ++662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258 ++663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095 ++664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203 ++665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203 ++666 || SMTP sendmail 8.4.1 exploit || arachnids,120 ++667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204 ++668 || SMTP sendmail 8.6.10 exploit || arachnids,124 || bugtraq,2311 || cve,1999-0204 ++669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204 ++670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204 ++671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204 ++672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096 ++673 || MS-SQL sp_start_job - program execution ++674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++676 || MS-SQL/SMB sp_start_job - program execution ++677 || MS-SQL/SMB sp_password password change ++678 || MS-SQL/SMB sp_delete_alert log file deletion ++679 || MS-SQL/SMB sp_adduser database user creation ++680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209 
++681 || MS-SQL/SMB xp_cmdshell program execution ++682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++683 || MS-SQL sp_password - password change ++684 || MS-SQL sp_delete_alert log file deletion ++685 || MS-SQL sp_adduser - database user creation ++686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 ++687 || MS-SQL xp_cmdshell - program execution ++688 || MS-SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673 ++689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 ++690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++691 || MS-SQL shellcode attempt ++692 || MS-SQL/SMB shellcode attempt ++693 || MS-SQL shellcode attempt ++694 || MS-SQL/SMB shellcode attempt ++695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx ++696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || 
url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx ++705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx ++709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243 ++710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244 ++711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733 ++712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073 ++713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218 ++714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170 ++715 || TELNET Attempted SU from wrong group ++716 || INFO TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280 ++717 || TELNET not on console || arachnids,365 ++718 || INFO 
TELNET login incorrect || arachnids,127 ++719 || TELNET root login ++720 || Virus - SnowWhite Trojan Incoming ++721 || VIRUS OUTBOUND bad file attachment ++722 || Virus - Possible NAVIDAD Worm ++723 || Virus - Possible MyRomeo Worm ++724 || Virus - Possible MyRomeo Worm ++725 || Virus - Possible MyRomeo Worm ++726 || Virus - Possible MyRomeo Worm ++727 || Virus - Possible MyRomeo Worm ++728 || Virus - Possible MyRomeo Worm ++729 || VIRUS OUTBOUND .scr file attachment ++730 || VIRUS OUTBOUND .shs file attachment ++731 || Virus - Possible QAZ Worm || MCAFEE,98775 ++732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775 ++733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775 ++734 || Virus - Possible Matrix worm ++735 || Virus - Possible MyRomeo Worm ++736 || Virus - Successful eurocalculator execution ++737 || Virus - Possible eurocalculator.exe file ++738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696 ++739 || Virus - Possible Triplesix Worm || MCAFEE,10389 ++740 || Virus - Possible Tune.vbs || MCAFEE,10497 ++741 || Virus - Possible NAIL Worm || MCAFEE,10109 ++742 || Virus - Possible NAIL Worm || MCAFEE,10109 ++743 || Virus - Possible NAIL Worm || MCAFEE,10109 ++744 || Virus - Possible NAIL Worm || MCAFEE,10109 ++745 || Virus - Possible Papa Worm || MCAFEE,10145 ++746 || Virus - Possible Freelink Worm || MCAFEE,10225 ++747 || Virus - Possible Simbiosis Worm ++748 || Virus - Possible BADASS Worm || MCAFEE,10388 ++749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471 ++751 || Virus - Possible wscript.KakWorm || MCAFEE,10509 ++752 || Virus Possible Suppl Worm || MCAFEE,10361 ++753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540 ++754 || Virus - Possible Word Macro - VALE || MCAFEE,10502 ++755 || Virus - Possible IROK Worm || MCAFEE,98552 ++756 || Virus - Possible Fix2001 Worm || MCAFEE,10355 ++757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505 ++758 || Virus - Possible The_Fly Trojan || MCAFEE,10478 ++759 || Virus - 
Possible Word Macro - VALE || MCAFEE,10502 ++760 || Virus - Possible Passion Worm || MCAFEE,10467 ++761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540 ++762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540 ++763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540 ++764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540 ++765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540 ++766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540 ++767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540 ++768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540 ++769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540 ++770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540 ++771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540 ++772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175 ++773 || Virus - Possible Happy99 Virus || MCAFEE,10144 ++774 || Virus - Possible CheckThis Trojan ++775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418 ++776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540 ++777 || Virus - Possible MyPics Worm || MCAFEE,10467 ++778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461 ++779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540 ++780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540 ++781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540 ++782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540 ++783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540 ++784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540 ++785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540 ++786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540 ++787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540 ++788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540 ++789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054 ++790 || Virus - Possible Common 
Sense Worm ++791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540 ++792 || Virus - Possible Resume Worm || MCAFEE,98661 ++793 || VIRUS OUTBOUND .vbs file attachment ++794 || Virus - Possible Resume Worm || MCAFEE,98661 ++795 || Virus - Possible Worm - txt.vbs file ++796 || Virus - Possible Worm - xls.vbs file ++797 || Virus - Possible Worm - jpg.vbs file ++798 || Virus - Possible Worm - gif.vbs file ++799 || Virus - Possible Timofonica Worm || MCAFEE,98674 ++800 || Virus - Possible Resume Worm || MCAFEE,98661 ++801 || Virus - Possible Worm - doc.vbs file ++802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450 ++803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602 ++804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476 ++805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304 ++806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853 ++807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321 ++808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592 ++809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306 ++810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306 ++811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066 ++812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282 ++813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282 ++815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301 ++817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583 ++818 || WEB-CGI dcforum.cgi access || 
bugtraq,2728 || cve,2001-0527 || nessus,10583 ++819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566 ++820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308 ++821 || WEB-CGI imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122 ++823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465 ++824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178 ++825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095 ++826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106 ++827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127 ++828 || WEB-CGI maillist.pl access ++829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165 ++830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164 ++832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html ++833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 ++834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm ++835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282 ++836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451 ++837 || WEB-CGI uploader.exe access || bugtraq,1611 || cve,1999-0177 || cve,2000-0769 || nessus,10291 ++838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300 ++839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071 ++840 || WEB-CGI perlshop.cgi access || cve,1999-1374 ++841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174 ++842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 
|| nessus,10095 ++843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066 ++844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465 ++845 || WEB-CGI AT-admin.cgi access || cve,1999-1072 ++846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937 ++847 || WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035 ++848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 ++849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 ++850 || WEB-CGI wais.pl access ++851 || WEB-CGI files.pl access || cve,1999-1081 ++852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 ++853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317 ++854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934 ++855 || WEB-CGI edit.pl access || bugtraq,2713 ++856 || WEB-CGI environ.cgi access ++857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067 ++858 || WEB-CGI filemail access || cve,1999-1154 ++859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179 ++860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169 ++861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296 ++862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232 ++864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232 ++865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291 ++867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295 ++868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++869 || WEB-CGI dumpenv.pl access 
|| cve,1999-1178 || nessus,10060 ++870 || WEB-CGI snorkerz.cmd access ++871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936 ++872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236 ++874 || WEB-CGI w3-msql solaris x86 access || arachnids,211 || cve,1999-0276 ++875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008 ++877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++878 || WEB-CGI w3tvars.pm access ++879 || WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355 ++880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm ++881 || WEB-CGI archie access ++882 || WEB-CGI calendar access ++883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm ++884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 ++885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html ++886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067 ++887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2 ++888 || WEB-CGI wwwadmin.pl access ++889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || url,online.securityfocus.com/archive/1/16878 ++890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt ++891 || WEB-CGI upload.pl access ++892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277 ++893 || WEB-CGI MachineInfo access || cve,1999-1067 ++894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 ++895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382 ++896 
|| WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610 ++897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611 ++898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612 ++899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || bugtraq,2504 || cve,2001-0272 ++900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616 ++901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616 ++902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302 ++903 || WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057 ++904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189 ++905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189 ++906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800 ++907 || WEB-COLDFUSION addcontent.cfm access ++908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538 ++909 || WEB-COLDFUSION datasource username attempt || bugtraq,550 ++910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550 ++911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455 ++912 || WEB-COLDFUSION parks access || bugtraq,550 ++913 || WEB-COLDFUSION cfappman access || bugtraq,550 ++914 || WEB-COLDFUSION beaninfo access || bugtraq,550 ++915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550 ++916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550 ++917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550 ++918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477 ++919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550 ++920 || WEB-COLDFUSION datasource attempt || bugtraq,550 ++921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550 ++922 || WEB-COLDFUSION displayfile access || bugtraq,550 ++923 || WEB-COLDFUSION getodbcin attempt || 
bugtraq,550 ++924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550 ++925 || WEB-COLDFUSION mainframeset access || bugtraq,550 ++926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550 ++927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550 ++928 || WEB-COLDFUSION exampleapp access ++929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550 ++930 || WEB-COLDFUSION snippets attempt || bugtraq,550 ++931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550 ++932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189 ++933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189 ++935 || WEB-COLDFUSION startstop DOS access || bugtraq,247 ++936 || WEB-COLDFUSION gettempdirectory.cfm access || bugtraq,550 ++937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585 ++939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585 || url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx ++940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1174 || bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx ++941 || WEB-FRONTPAGE contents.htm access ++942 || WEB-FRONTPAGE orders.htm access ++943 || WEB-FRONTPAGE fpsrvadm.exe access ++944 || WEB-FRONTPAGE fpremadm.exe access ++945 || WEB-FRONTPAGE fpadmin.htm access ++946 || WEB-FRONTPAGE fpadmcgi.exe access ++947 || WEB-FRONTPAGE orders.txt access ++948 || WEB-FRONTPAGE form_results access || cve,1999-1052 ++949 || WEB-FRONTPAGE registrations.htm access ++950 || WEB-FRONTPAGE cfgwiz.exe access ++951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078 ++952 || WEB-FRONTPAGE author.exe access ++953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205 ++954 || WEB-FRONTPAGE form_results.htm access || cve,1999-1052 ++955 || WEB-FRONTPAGE access.cnf 
access || bugtraq,4078 || nessus,10575 ++956 || WEB-FRONTPAGE register.txt access ++957 || WEB-FRONTPAGE registrations.txt access ++958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575 ++959 || WEB-FRONTPAGE service.pwd || bugtraq,1205 ++960 || WEB-FRONTPAGE service.stp access ++961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575 ++962 || WEB-FRONTPAGE shtml.exe access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,2002-0692 || nessus,10405 || nessus,11311 ++963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575 ++964 || WEB-FRONTPAGE users.pwd access ++965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575 ++966 || WEB-FRONTPAGE .... request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142 ++967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx ++968 || WEB-FRONTPAGE register.htm access ++969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736 ++970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671 ++971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx ++972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253 ++973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661 ++974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229 ++975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\ ++976 || WEB-IIS .bat? 
access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp ++977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575 ++978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx ++979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx ++980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726 ++981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 ++982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 ++983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 ++984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116 ++985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874 ++986 || WEB-IIS MSProxy access || url,support.microsoft.com/?kbid=331066 ++987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680 ++988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml ++989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003 ++990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455 ++991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407 ++992 || WEB-IIS adctest.asp access ++993 || WEB-IIS iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032 ++994 || WEB-IIS /scripts/iisadmin/default.htm access ++995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630 ++996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407 ++997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363 ++998 || WEB-IIS asp-srch attempt ++999 || WEB-IIS bdir access || bugtraq,2280 ++1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577 ++1001 || WEB-MISC 
carbo.dll access || bugtraq,2126 || cve,1999-1069 ++1002 || WEB-IIS cmd.exe access ++1003 || WEB-IIS cmd? access ++1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815 ++1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736 ++1007 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 || url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx ++1008 || WEB-IIS del attempt ++1009 || WEB-IIS directory listing || nessus,10573 ++1010 || WEB-IIS encoding access || arachnids,200 || bugtraq,886 || cve,2000-0024 || url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx ++1011 || WEB-IIS exec-src access ++1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376 ++1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376 ++1015 || WEB-IIS getdrvs.exe access ++1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991 ++1017 || WEB-IIS idc-srch attempt || cve,1999-0874 ++1018 || WEB-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407 ++1019 || IIS Malformed Hit-Highlighting Argument File Access Attempt || bugtraq,950 || cve,2000-0097 || url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx || url,www.securityfocus.com/archive/1/43762 ++1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116 ++1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx ++1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874 ++1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357 ++1024 || WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360 ++1025 || WEB-IIS perl access ++1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833 ++1027 || WEB-IIS perl-browse space attempt || bugtraq,6833 ++1028 || WEB-IIS query.asp access || bugtraq,193 || 
cve,1999-0449 ++1029 || WEB-IIS scripts-browse access || nessus,11032 ++1030 || WEB-IIS search97.vts access || bugtraq,162 ++1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576 ++1032 || WEB-IIS showcode access || nessus,10576 ++1033 || WEB-IIS showcode access || nessus,10576 ++1034 || WEB-IIS showcode access || nessus,10576 ++1035 || WEB-IIS showcode access || nessus,10576 ++1036 || WEB-IIS showcode access || nessus,10576 ++1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007 || url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx ++1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520 ++1039 || WEB-IIS srch.htm access ++1040 || WEB-IIS srchadm access || nessus,11032 ++1041 || WEB-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360 ++1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578 || cve,2000-0778 ++1043 || WEB-IIS viewcode.asp access || cve,1999-0737 || nessus,10576 ++1044 || WEB-IIS webhits access || arachnids,237 || bugtraq,950 || cve,2000-0097 ++1045 || WEB-IIS Unauthorized IP Access Attempt ++1046 || WEB-IIS site/iisamples access || nessus,10370 ++1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251 ++1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250 ++1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252 ++1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746 ++1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584 ++1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584 ++1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025 || nessus,11464 ++1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527 ++1055 || WEB-MISC Tomcat directory traversal attempt || 
bugtraq,2518 ++1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527 || cve,2001-0590 ++1057 || WEB-MISC ftp attempt ++1058 || WEB-MISC xp_enumdsn attempt ++1059 || WEB-MISC xp_filelist attempt ++1060 || WEB-MISC xp_availablemedia attempt ++1061 || WEB-MISC xp_cmdshell attempt ++1062 || WEB-MISC nc.exe attempt ++1064 || WEB-MISC wsh attempt ++1065 || WEB-MISC rcmd attempt ++1066 || WEB-MISC telnet attempt ++1067 || WEB-MISC net attempt ++1068 || WEB-MISC tftp attempt ++1069 || WEB-MISC xp_regread attempt ++1070 || WEB-MISC WebDAV search access || arachnids,474 || bugtraq,1756 || cve,2000-0951 ++1071 || WEB-MISC .htpasswd access ++1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248 ++1073 || WEB-MISC webhits.exe access || bugtraq,950 || cve,2000-0097 ++1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360 ++1076 || WEB-IIS repost.asp access || nessus,10372 ++1077 || WEB-MISC queryhit.htm access || nessus,10370 ++1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030 ++1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869 ++1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570 ++1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025 ++1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439 ++1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868 || cve,2000-1025 ++1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337 || cve,2000-1049 ++1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802 ++1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967 ++1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html ++1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005 || nessus,10532 ++1089 || WEB-CGI shopping cart 
directory traversal || bugtraq,1777 || cve,2000-0921 ++1090 || WEB-CGI Allaire Pro Web Shell attempt ++1091 || WEB-MISC ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078 ++1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || nessus,10562 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt ++1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906 ++1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005 ++1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html ++1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html ++1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725 ++1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925 ++1099 || WEB-MISC cybercop scan || arachnids,374 ++1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310 ++1101 || WEB-MISC Webtrends HTTP probe || arachnids,309 ++1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301 ++1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468 ++1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html ++1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460 ++1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 || nessus,10459 ++1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467 ++1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760 ++1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671 ++1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480 ++1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || 
cve,2000-0672 || nessus,10477 ++1112 || WEB-MISC http directory traversal || arachnids,298 ++1113 || WEB-MISC http directory traversal || arachnids,297 ++1114 || WEB-MISC prefix-get // ++1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 || url,www.securiteam.com/exploits/2ZUQ1QAQOG.html ++1116 || WEB-MISC Lotus DelDoc attempt ++1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html ++1118 || WEB-MISC ls%20-l ++1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 ++1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 ++1121 || WEB-MISC O'Reilly args.bat access ++1122 || WEB-MISC /etc/passwd ++1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269 ++1124 || WEB-MISC Ecommerce check.txt access ++1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298 ++1126 || WEB-MISC AuthChangeUrl access || bugtraq,2110 || cve,1999-0407 ++1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175 ++1128 || WEB-MISC cpshost.dll access || bugtraq,1811 || bugtraq,4002 || cve,1999-0360 ++1129 || WEB-MISC .htaccess access ++1130 || WEB-MISC .wwwacl access ++1131 || WEB-MISC .wwwacl access ++1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744 ++1133 || SCAN cybercop os probe || arachnids,145 ++1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271 ++1136 || WEB-MISC cd.. ++1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274 ++1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275 ++1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html ++1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099 ++1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 ++1142 || WEB-MISC /.... 
access ++1143 || WEB-MISC ///cgi-bin access || nessus,11032 ++1144 || WEB-MISC /cgi-bin/// access || nessus,11032 ++1145 || WEB-MISC /~root access ++1146 || WEB-MISC Ecommerce import.txt access ++1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039 ++1148 || WEB-MISC Ecommerce import.txt access ++1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049 ++1150 || WEB-MISC Domino catalog.nsf access || nessus,10629 ++1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629 ++1152 || WEB-MISC Domino domlog.nsf access || nessus,10629 ++1153 || WEB-MISC Domino log.nsf access || nessus,10629 ++1154 || WEB-MISC Domino names.nsf access || nessus,10629 ++1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281 ++1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503 ++1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 || nessus,10364 ++1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365 ++1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005 ++1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236 ++1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322 ++1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429 ++1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299 ++1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188 ++1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 ++1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078 ++1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340 ++1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606 ++1171 || WEB-MISC whisker HEAD with large datagram || 
url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html ++1172 || WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027 ++1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || cve,1999-0279 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt ++1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131 ++1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954 ++1176 || WEB-MISC order.log access ++1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 ++1178 || WEB-PHP Phorum read access || arachnids,208 ++1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272 ++1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011 ++1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017 ++1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 ++1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 || nessus,10352 ++1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383 ++1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 ++1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1192 || 
WEB-MISC Trend Micro OfficeScan access || bugtraq,1057 ++1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348 ++1194 || WEB-CGI sojourn.cgi File attempt || bugtraq,1052 || cve,2000-0180 || nessus,10349 ++1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 || nessus,10349 ++1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207 ++1197 || WEB-PHP Phorum code access || arachnids,207 ++1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 ++1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771 ++1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx ++1201 || ATTACK-RESPONSES 403 Forbidden ++1202 || WEB-MISC search.vts access || bugtraq,162 ++1204 || WEB-CGI ax-admin.cgi access ++1205 || WEB-CGI axs.cgi access ++1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034 ++1207 || WEB-MISC htgrep access || cve,2000-0832 ++1208 || WEB-CGI responder.cgi access || bugtraq,3155 ++1209 || WEB-MISC .nsconfig access || url,www.osvdb.org/5709 ++1211 || WEB-CGI web-map.cgi access ++1212 || WEB-MISC Admin_files access ++1213 || WEB-MISC backup access ++1214 || WEB-MISC intranet access || nessus,11626 ++1215 || WEB-CGI ministats admin access ++1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175 ++1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181 ++1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748 ++1219 || WEB-CGI dfire.cgi access || bugtraq,564 || cve,1999-0913 ++1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748 ++1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609 ++1222 || WEB-CGI pals-cgi arbitrary file access 
attempt || bugtraq,2372 || cve,2001-0217 || nessus,10611 ++1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627 ++1225 || X11 MIT Magic Cookie detected || arachnids,396 ++1226 || X11 xopen || arachnids,395 ++1227 || X11 outbound client connection detected || arachnids,126 ++1228 || SCAN nmap XMAS || arachnids,30 ++1229 || FTP CWD ... || bugtraq,9237 ++1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733 ++1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 ++1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 ++1233 || WEB-CLIENT Outlook EML access || nessus,10767 ++1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 ++1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 ++1236 || WEB-MISC Tomcat sourecode view ++1237 || WEB-MISC Tomcat sourecode view ++1238 || WEB-MISC Tomcat sourecode view ++1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392 ++1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446 ++1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 || cve,2001-0555 ++1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071 ++1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071 ++1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115 ++1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071 ++1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx ++1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341 ++1248 || WEB-FRONTPAGE rad fp30reg.dll access || 
arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx
++1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341
++1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537
++1251 || INFO TELNET Bad Login
++1252 || TELNET bsd telnet exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709
++1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709
++1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370
++1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370
++1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html
++1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153
++1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552
++1259 || WEB-MISC SWEditServlet access || bugtraq,2868
++1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067
++1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745
++1262 || RPC portmap admind request TCP || arachnids,18
++1263 || RPC portmap amountd request TCP || arachnids,19
++1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647
++1265 || RPC portmap cmsd request TCP || arachnids,17
++1266 || RPC portmap mountd request TCP || arachnids,13
++1267 || RPC portmap nisd request TCP || arachnids,21
++1268 || RPC portmap pcnfsd request TCP || arachnids,22
++1269 || RPC portmap rexd request TCP || arachnids,23
++1270 || RPC portmap rstatd request TCP || arachnids,10
++1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626
++1272 || RPC portmap sadmind request TCP || arachnids,20
++1273 || RPC portmap selection_svc request TCP || arachnids,25
++1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || 
cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
++1275 || RPC portmap yppasswd request TCP || arachnids,14
++1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
++1277 || RPC portmap ypupdated request UDP || arachnids,125
++1278 || RPC rstatd query || arachnids,9
++1279 || RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
++1280 || RPC portmap listing UDP 111 || arachnids,428
++1281 || RPC portmap listing UDP 32771 || arachnids,429
++1282 || RPC EXPLOIT statdx || arachnids,442
++1283 || WEB-IIS outlook web dos || bugtraq,3223
++1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html
++1285 || WEB-IIS msdac access || nessus,11032
++1286 || WEB-IIS _mem_bin access || nessus,11032
++1287 || WEB-IIS scripts access
++1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032
++1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html
++1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html
++1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740
++1292 || ATTACK-RESPONSES directory listing
++1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml
++1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml
++1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml
++1296 || RPC portmap request yppasswdd || bugtraq,2763
++1297 || RPC portmap request yppasswdd || bugtraq,2763
++1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
++1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
++1300 || WEB-PHP admin.php file upload attempt || 
bugtraq,3361 || cve,2001-1032
++1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || bugtraq,9270 || cve,2001-1032
++1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252
++1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252
++1304 || WEB-CGI txt2html.cgi access
++1305 || WEB-CGI txt2html.cgi directory traversal attempt
++1306 || WEB-CGI store.cgi product directory traversal attempt || bugtraq,2385 || cve,2001-0305
++1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639
++1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100
++1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
++1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt
++1322 || BAD-TRAFFIC bad frag bits
++1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838
++1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
++1328 || WEB-ATTACKS /bin/ps command attempt
++1329 || WEB-ATTACKS ps command attempt
++1330 || WEB-ATTACKS wget command attempt || bugtraq,10361
++1331 || WEB-ATTACKS uname -a command attempt
++1332 || WEB-ATTACKS /usr/bin/id command attempt
++1333 || WEB-ATTACKS id command attempt
++1334 || WEB-ATTACKS echo command attempt
++1335 || WEB-ATTACKS kill command attempt
++1336 || WEB-ATTACKS chmod command attempt
++1337 || WEB-ATTACKS chgrp command attempt
++1338 || WEB-ATTACKS chown command attempt
++1339 || WEB-ATTACKS chsh command attempt
++1340 || WEB-ATTACKS tftp command attempt
++1341 || WEB-ATTACKS /usr/bin/gcc command attempt
++1342 || WEB-ATTACKS gcc command attempt 
++1343 || WEB-ATTACKS /usr/bin/cc command attempt
++1344 || WEB-ATTACKS cc command attempt
++1345 || WEB-ATTACKS /usr/bin/cpp command attempt
++1346 || WEB-ATTACKS cpp command attempt
++1347 || WEB-ATTACKS /usr/bin/g++ command attempt
++1348 || WEB-ATTACKS g++ command attempt
++1349 || WEB-ATTACKS bin/python access attempt
++1350 || WEB-ATTACKS python access attempt
++1351 || WEB-ATTACKS bin/tclsh execution attempt
++1352 || WEB-ATTACKS tclsh execution attempt
++1353 || WEB-ATTACKS bin/nasm command attempt
++1354 || WEB-ATTACKS nasm command attempt
++1355 || WEB-ATTACKS /usr/bin/perl execution attempt
++1356 || WEB-ATTACKS perl execution attempt
++1357 || WEB-ATTACKS nt admin addition attempt
++1358 || WEB-ATTACKS traceroute command attempt
++1359 || WEB-ATTACKS ping command attempt
++1360 || WEB-ATTACKS netcat command attempt
++1361 || WEB-ATTACKS nmap command attempt
++1362 || WEB-ATTACKS xterm command attempt
++1363 || WEB-ATTACKS X application to remote host attempt
++1364 || WEB-ATTACKS lsof command attempt
++1365 || WEB-ATTACKS rm command attempt
++1366 || WEB-ATTACKS mail command attempt
++1367 || WEB-ATTACKS mail command attempt
++1368 || WEB-ATTACKS /bin/ls| command attempt
++1369 || WEB-ATTACKS /bin/ls command attempt
++1370 || WEB-ATTACKS /etc/inetd.conf access
++1371 || WEB-ATTACKS /etc/motd access
++1372 || WEB-ATTACKS /etc/shadow access
++1373 || WEB-ATTACKS conf/httpd.conf attempt
++1374 || WEB-MISC .htgroup access
++1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html
++1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592
++1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886
++1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886
++1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt
++1380 || 
WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572
++1381 || WEB-MISC Trend Micro OfficeScan attempt || bugtraq,1057
++1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
++1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm
++1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx
++1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849
++1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
++1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217
++1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876
++1389 || WEB-MISC viewcode.jse access || bugtraq,3715
++1390 || SHELLCODE x86 inc ebx NOOP
++1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049
++1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206
++1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/
++1394 || SHELLCODE x86 NOOP
++1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209
++1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209
++1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214
++1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html
++1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206
++1400 || WEB-IIS /scripts/samples/ access || nessus,10370
++1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || 
cve,1999-0736 || nessus,1007
++1402 || WEB-IIS iissamples access || nessus,11032
++1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048
++1404 || WEB-MISC showcode access || bugtraq,167 || cve,1999-0736 || nessus,10007
++1405 || WEB-CGI AHG search.cgi access || bugtraq,3985
++1406 || WEB-CGI agora.cgi access || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
++1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220
++1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939
++1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html
++1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
++1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
++1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
++1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013
++1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || 
cve,2002-0012 || cve,2002-0013
++1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
++1422 || SNMP community string buffer overflow attempt with evasion || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html
++1423 || WEB-PHP content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867
++1424 || SHELLCODE x86 0xEB0C NOOP
++1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867
++1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
++1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
++1428 || MULTIMEDIA audio galaxy keepalive
++1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl
++1430 || TELNET Solaris memory mismanagement exploit attempt
++1431 || BAD-TRAFFIC syn to multicast address
++1432 || P2P GNUTella client request
++1433 || WEB-MISC .history access
++1434 || WEB-MISC .bash_history access || bugtraq,337 || cve,1999-0408
++1435 || DNS named authors attempt || arachnids,480 || nessus,10728
++1436 || MULTIMEDIA Quicktime User Agent access
++1437 || MULTIMEDIA Windows Media download
++1438 || MULTIMEDIA Windows Media Video download
++1439 || MULTIMEDIA Shoutcast playlist redirection
++1440 || MULTIMEDIA Icecast playlist redirection
++1441 || TFTP GET nc.exe
++1442 || TFTP GET shadow
++1443 || TFTP GET passwd
++1444 || TFTP Get
++1445 || POLICY FTP file_id.diz access possible warez site
++1446 || SMTP vrfy root
++1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx
++1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx
++1449 || POLICY FTP 
anonymous ftp login attempt
++1450 || SMTP expn *@ || cve,1999-1200
++1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400
++1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465
++1453 || WEB-CGI AT-generated.cgi access || cve,1999-1072
++1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597
++1455 || WEB-CGI calendar.pl access || bugtraq,1215 || cve,2000-0432
++1456 || WEB-CGI calender_admin.pl access || cve,2000-0432
++1457 || WEB-CGI user_update_admin.pl access || bugtraq,1486 || cve,2000-0627
++1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627
++1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
++1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462
++1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462
++1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462
++1463 || CHAT IRC message
++1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737
++1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638
++1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552
++1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780
++1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922
++1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922
++1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997
++1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641
++1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721
++1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232
++1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664
++1475 || WEB-CGI mailit.pl access || nessus,10417
++1476 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720
++1477 || WEB-CGI swc 
attempt
++1478 || WEB-CGI swc access || nessus,10493
++1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696
++1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696
++1481 || WEB-CGI upload.cgi access || nessus,10290
++1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294
++1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10645
++1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302
++1485 || WEB-IIS mkilog.exe access || nessus,10359 || url,www.osvdb.org/274
++1486 || WEB-IIS ctss.idc access || nessus,10359
++1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371
++1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639
++1489 || WEB-MISC /~nobody access || nessus,10484
++1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997
++1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361
++1492 || WEB-MISC RBS ISP /newuser directory traversal attempt || bugtraq,1704 || cve,2000-1036 || nessus,10521
++1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,2000-1036 || nessus,10521
++1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 || nessus,10725
++1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115
++1496 || WEB-CGI spin_client.cgi access || nessus,10393
++1497 || WEB-MISC cross site scripting attempt
++1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
++1499 || WEB-MISC SiteScope Service access || nessus,10778
++1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004
++1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669 
++1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669
++1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html
++1504 || MISC AFS access || nessus,10441
++1505 || WEB-CGI alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871
++1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871
++1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013
++1508 || WEB-CGI alibaba.pl access || bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013
++1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015
++1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
++1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
++1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
++1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
++1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
++1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
++1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
++1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
++1518 || WEB-MISC nstelemetry.adp access || nessus,10753
++1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731
++1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html
++1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html
++1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || 
cve,2002-0306 || cve,2002-0307 || nessus,10875
++1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
++1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023
++1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 || cve,2000-0191 || nessus,10023
++1526 || WEB-MISC basilix sendmail.inc access || bugtraq,2198 || cve,2001-1044 || nessus,10601
++1527 || WEB-MISC basilix mysql.class access || bugtraq,2198 || cve,2001-1044 || nessus,10601
++1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507
++1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770
++1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452
++1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025
++1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460
++1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460
++1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
++1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383
++1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432
++1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432
++1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341
++1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079
++1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797
++1541 || FINGER version query
++1542 || WEB-CGI cgimail access || bugtraq,1623 || cve,2000-0726 || nessus,11721
++1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041
++1544 || WEB-MISC Cisco Catalyst command execution 
attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545
++1545 || DOS Cisco attempt
++1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380
++1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924
++1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495 || nessus,10924
++1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674
++1550 || SMTP ETRN overflow attempt || bugtraq,1297 || bugtraq,7515 || cve,2000-0490 || nessus,10438
++1551 || WEB-MISC /CVS/Entries access || nessus,10922 || nessus,11032
++1552 || WEB-MISC cvsweb version access || cve,2000-0670
++1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252
++1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403
++1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821
++1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821
++1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821
++1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165
++1559 || WEB-MISC /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032
++1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678
++1561 || WEB-MISC ?open access
++1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065
++1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533
++1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533
++1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014
++1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014
++1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx
++1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || 
nessus,10755 || nessus,10781
++1569 || WEB-CGI loadpage.cgi directory traversal attempt || bugtraq,2109 || cve,2000-1092
++1570 || WEB-CGI loadpage.cgi access || bugtraq,2109 || cve,2000-1092
++1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437
++1572 || WEB-CGI commerce.cgi arbitrary file access attempt || bugtraq,2361 || cve,2001-0210 || nessus,10612
++1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552
++1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780
++1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953
++1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629
++1577 || WEB-MISC Domino setup.nsf access || nessus,10629
++1578 || WEB-MISC Domino statrep.nsf access || nessus,10629
++1579 || WEB-MISC Domino webadmin.nsf access || bugtraq,9900 || bugtraq,9901 || nessus,10629
++1580 || WEB-MISC Domino events4.nsf access || nessus,10629
++1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629
++1582 || WEB-MISC Domino collect4.nsf access || nessus,10629
++1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629
++1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629
++1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629
++1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629
++1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 || nessus,11131
++1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289
++1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609
++1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837
++1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837
++1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838
++1593 || WEB-CGI FormHandler.cgi 
external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
++1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
++1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376
++1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 || nessus,10098
++1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054
++1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054
++1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208
++1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105
++1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105
++1603 || WEB-MISC DELETE attempt || nessus,10498
++1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897
++1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566
++1606 || WEB-CGI icat access || cve,1999-1069
++1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602
++1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106
++1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067
++1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
++1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005 || nessus,10532
++1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467
++1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100
++1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877
++1615 || WEB-MISC htgrep attempt || cve,2000-0832
++1616 || DNS named version 
attempt || arachnids,278 || nessus,10028
++1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011
++1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932
++1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932
++1620 || BAD TRAFFIC Non-Standard IP protocol
++1621 || FTP CMD overflow attempt
++1622 || FTP RNFR ././ attempt
++1623 || FTP invalid MODE
++1624 || FTP large PWD command
++1625 || FTP large SYST command
++1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request
++1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers
++1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
++1629 || OTHER-IDS SecureNetPro traffic
++1631 || CHAT AIM login
++1632 || CHAT AIM send message
++1633 || CHAT AIM receive message
++1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325
++1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559
++1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323
++1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853
++1638 || SCAN SSH Version map attempt
++1639 || CHAT IRC DCC file transfer request
++1640 || CHAT IRC DCC chat request
++1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871
++1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110
++1643 || WEB-CGI db2www access || cve,2000-0677
++1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
++1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610
++1646 || WEB-CGI test.cgi access
++1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067
++1648 || WEB-CGI perl.exe command 
attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
++1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
++1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014
++1651 || WEB-CGI environ.pl access
++1652 || WEB-CGI campus attempt || bugtraq,1975 || cve,1999-0146 || nessus,10035
++1653 || WEB-CGI campus access || bugtraq,1975 || cve,1999-0146 || nessus,10035
++1654 || WEB-CGI cart32.exe access || bugtraq,1153
++1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt || cve,1999-0270 || nessus,10174
++1656 || WEB-CGI pfdispaly.cgi access || cve,1999-0270 || nessus,10174
++1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591
++1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591
++1659 || WEB-COLDFUSION sendmail.cfm access
++1660 || WEB-IIS trace.axd access || nessus,10993
++1661 || WEB-IIS cmd32.exe access
++1662 || WEB-MISC /~ftp access
++1663 || WEB-MISC *%0a.pl access || nessus,11007 || url,www.securityfocus.com/archive/1/149482
++1664 || WEB-MISC mkplog.exe access
++1665 || WEB-MISC mkilog.exe access
++1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039
++1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt || bugtraq,4858 || cve,2002-0902
++1668 || WEB-CGI /cgi-bin/ access
++1669 || WEB-CGI /cgi-dos/ access
++1670 || WEB-MISC /home/ftp access || nessus,11032
++1671 || WEB-MISC /home/www access || nessus,11032
++1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421
++1673 || ORACLE EXECUTE_SYSTEM attempt
++1674 || ORACLE connect_data remote version detection attempt
++1675 || ORACLE misparsed login response
++1676 || ORACLE select union attempt
++1677 || ORACLE select like '%' attempt
++1678 || ORACLE select like '%' attempt backslash escaped
++1679 
|| ORACLE describe attempt
++1680 || ORACLE all_constraints access
++1681 || ORACLE all_views access
++1682 || ORACLE all_source access
++1683 || ORACLE all_tables access
++1684 || ORACLE all_tab_columns access
++1685 || ORACLE all_tab_privs access
++1686 || ORACLE dba_tablespace access
++1687 || ORACLE dba_tables access
++1688 || ORACLE user_tablespace access
++1689 || ORACLE sys.all_users access
++1690 || ORACLE grant attempt
++1691 || ORACLE ALTER USER attempt
++1692 || ORACLE drop table attempt
++1693 || ORACLE create table attempt
++1694 || ORACLE alter table attempt
++1695 || ORACLE truncate table attempt
++1696 || ORACLE create database attempt
++1697 || ORACLE alter database attempt
++1698 || ORACLE execute_system attempt
++1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
++1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
++1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
++1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272
++1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638
++1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664
++1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
++1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
++1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
++1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
++1709 || WEB-CGI ad.cgi access || bugtraq,2103 || cve,2001-0025 || nessus,11464
++1710 || WEB-CGI bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt
++1711 || WEB-CGI bsguest.cgi access || bugtraq,2159 || cve,2001-0099
++1712 || WEB-CGI bslist.cgi access || bugtraq,2160 || cve,2001-0100 
++1713 || WEB-CGI cgforum.cgi access || bugtraq,1951 || cve,2000-1132 ++1714 || WEB-CGI newdesk access ++1715 || WEB-CGI register.cgi access || bugtraq,2157 || cve,2001-0076 ++1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131 ++1717 || WEB-CGI simplestguest.cgi access || bugtraq,2106 || cve,2001-0022 ++1718 || WEB-CGI statsconfig.pl access || bugtraq,2211 || cve,2001-0113 ++1719 || WEB-CGI talkback.cgi directory traversal attempt || bugtraq,2547 || cve,2001-0420 ++1720 || WEB-CGI talkback.cgi access || bugtraq,2547 || cve,2001-0420 ++1721 || WEB-CGI adcycle access || bugtraq,3741 || cve,2001-1226 ++1722 || WEB-CGI MachineInfo access || cve,1999-1067 ++1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526 ++1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526 ++1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx ++1726 || WEB-IIS doctodep.btr access ++1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207 ++1728 || FTP CWD ~ attempt || bugtraq,2601 || cve,2001-0421 ++1729 || CHAT IRC channel join ++1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || bugtraq,2536 || cve,2001-0466 || nessus,10645 ++1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669 ++1732 || RPC portmap rwalld request UDP ++1733 || RPC portmap rwalld request TCP ++1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286 ++1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354 
++1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952 ++1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516 ++1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614 ++1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613 ++1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613 ++1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613 ++1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599 ++1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599 ++1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621 ++1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635 ++1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 ++1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 ++1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606 ++1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access ++1750 || WEB-IIS users.xml access ++1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951 ++1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/ ++1753 || WEB-IIS as_web.exe access || bugtraq,4670 ++1754 || WEB-IIS as_web4.exe access || bugtraq,4670 ++1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379 ++1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672 ++1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667 ++1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667 ++1759 || MS-SQL xp_cmdshell program execution 445 ++1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt ++1761 || OTHER-IDS ISS 
RealSecure 6 daemon connection attempt ++1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067 ++1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 ++1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 ++1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 ++1766 || WEB-MISC search.dll directory listing attempt || bugtraq,1684 || cve,2000-0835 || nessus,10514 ++1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514 ++1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150 ++1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html ++1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html ++1771 || POLICY IPSec PGPNet connection attempt ++1772 || WEB-IIS pbserver access || cve,2000-1089 || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx ++1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html ++1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html ++1775 || MYSQL root login attempt ++1776 || MYSQL show databases attempt ++1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1779 || FTP CWD .... 
attempt || bugtraq,4884 ++1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379 ++1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918 ++1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920 ++1789 || CHAT IRC dns request ++1790 || CHAT IRC dns response ++1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898 ++1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909 ++1800 || VIRUS Klez Incoming ++1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx ++1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947 ++1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364 ++1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 ++1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392 ++1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 ++1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639 ++1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || 
cve,2002-0390 || cve,2002-0639 ++1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639 ++1813 || ICMP digital island bandwidth query ++1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013 ++1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434 ++1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434 ++1817 || WEB-IIS MS Site Server default login attempt || nessus,11018 ++1818 || WEB-IIS MS Site Server admin attempt || nessus,11018 ++1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019 ++1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020 ++1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023 ++1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027 ++1826 || WEB-MISC WEB-INF access || bugtraq,1830 || bugtraq,5119 || cve,2000-1050 || cve,2001-0179 || nessus,11037 ++1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041 ++1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043 ++1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046 ++1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046 ++1831 || WEB-MISC jigsaw dos attempt || nessus,11047 ++1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305 ++1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070 ++1835 || 
WEB-MISC Macromedia SiteSpring cross site scripting attempt || bugtraq,5249 || cve,2002-1027 ++1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059 ++1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855 ++1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815 ++1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293 ++1842 || IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || nessus,10125 ++1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501 ++1844 || IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292 ++1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1846 || POLICY vncviewer Java applet download attempt || nessus,10758 ++1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816 ++1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298 ++1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475 ++1850 || WEB-CGI way-board.cgi access || nessus,10610 ++1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470 ++1852 || WEB-MISC robots.txt access || nessus,10302 ++1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307 ++1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis ++1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis ++1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis ++1857 || WEB-MISC robot.txt access || nessus,10302 ++1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 
++1859 || WEB-MISC Sun JavaServer default password login attempt || cve,1999-0508 || nessus,10995 ++1860 || WEB-MISC Linksys router default password login attempt || nessus,10999 ++1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999 ++1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001 ++1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319 ++1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299 ++1866 || POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311 ++1867 || MISC xdmcp info query || nessus,10891 ++1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817 ++1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817 ++1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253 ++1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855 ++1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848 ++1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850 ++1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851 ++1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780 ++1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164 ++1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503 ++1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503 ++1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721 ++1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348 ++1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || 
url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html ++1882 || ATTACK-RESPONSES id check returned userid ++1883 || ATTACK-RESPONSES id check returned nobody ++1884 || ATTACK-RESPONSES id check returned web ++1885 || ATTACK-RESPONSES id check returned http ++1886 || ATTACK-RESPONSES id check returned apache ++1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html ++1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826 ++1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html ++1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 ++1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 ++1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517 ++1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517 ++1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || 
cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 ++1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704 ++1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704 ++1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 ++1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 ++1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html ++1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html ++1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,1999-0977 ++1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977 ++1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 ++1917 || SCAN UPnP service discover attempt ++1918 || SCAN SolarWinds IP scan attempt ++1919 || FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || 
bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405 ++1920 || FTP SITE NEWER overflow attempt || bugtraq,229 || cve,1999-0800 ++1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040 ++1922 || RPC portmap proxy attempt TCP ++1923 || RPC portmap proxy attempt UDP ++1924 || RPC mountd UDP export request || arachnids,26 ++1925 || RPC mountd TCP exportall request || arachnids,26 ++1926 || RPC mountd UDP exportall request || arachnids,26 ++1927 || FTP authorized_keys ++1928 || FTP shadow retrieval attempt ++1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com ++1930 || IMAP auth literal overflow attempt || cve,1999-0005 ++1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278 || url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 || url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2 ++1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278 ++1933 || WEB-CGI cart.cgi access || bugtraq,1115 || cve,2000-0252 || nessus,10368 ++1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130 ++1935 || POP2 FOLD arbitrary file attempt ++1936 || POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184 ++1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197 ++1938 || POP3 XTND overflow attempt ++1939 || MISC bootp hardware address length overflow || cve,1999-0798 ++1940 || MISC bootp invalid hardware type || cve,1999-0798 ++1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813 ++1942 || FTP RMDIR overflow attempt || bugtraq,819 ++1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776 ++1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066 ++1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 ++1946 || WEB-MISC answerbook2 admin attempt || bugtraq,5383 || cve,2000-0696 ++1947 || 
WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697 ++1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595 ++1949 || RPC portmap SET attempt TCP 111 ++1950 || RPC portmap SET attempt UDP 111 ++1951 || RPC mountd TCP mount request ++1952 || RPC mountd UDP mount request ++1953 || RPC AMD TCP pid request ++1954 || RPC AMD UDP pid request ++1955 || RPC AMD TCP version request ++1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696 ++1957 || RPC sadmind UDP PING || bugtraq,866 ++1958 || RPC sadmind TCP PING || bugtraq,866 ++1959 || RPC portmap NFS request UDP ++1960 || RPC portmap NFS request TCP ++1961 || RPC portmap RQUOTA request UDP ++1962 || RPC portmap RQUOTA request TCP ++1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974 ++1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003 ++1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003 ++1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100 ++1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173 ++1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173 ++1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559 ++1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx || url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx ++1971 || FTP SITE EXEC format string attempt ++1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895 ++1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108 ++1974 || FTP REST overflow attempt 
|| bugtraq,2972 || cve,2001-0826 ++1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021 ++1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021 ++1977 || WEB-MISC xp_regwrite attempt ++1978 || WEB-MISC xp_regdeletekey attempt ++1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158 ++1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053 ++1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053 ++1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053 ++1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053 ++1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053 ++1985 || BACKDOOR Doly 1.5 server response ++1986 || CHAT MSN outbound file transfer request ++1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188 ++1988 || CHAT MSN outbound file transfer accept ++1989 || CHAT MSN outbound file transfer rejected ++1990 || CHAT MSN user search ++1991 || CHAT MSN login attempt ++1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112 ++1993 || IMAP login literal buffer overflow attempt || bugtraq,6298 ++1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165 ++1995 || WEB-CGI alya.cgi access || nessus,11118 ++1996 || WEB-CGI viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107 ++1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341 ++1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179 ++1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104 ++2000 || WEB-PHP readmsg.php access || cve,2001-1408 || nessus,11073 ++2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133 ++2002 || 
WEB-PHP remote include path ++2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm ++2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm ++2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 ++2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 ++2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 ++2008 || MISC CVS invalid user authentication response ++2009 || MISC CVS invalid repository response ++2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015 ++2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015 ++2012 || MISC CVS missing cvsroot response ++2013 || MISC CVS invalid module response ++2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892 ++2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892 ++2016 || RPC portmap status request TCP || arachnids,15 ++2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331 ++2018 || RPC mountd TCP dump request ++2019 || RPC mountd UDP dump request ++2020 || RPC mountd TCP unmount request ++2021 || RPC mountd UDP unmount request ++2022 || RPC mountd TCP unmountall request ++2023 || RPC mountd UDP unmountall request ++2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974 ++2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779 ++2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779 ++2027 || RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 ++2028 || RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 ++2029 || RPC 
yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 ++2030 || RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 ++2031 || RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779 ++2032 || RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779 ++2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232 ++2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016 ++2035 || RPC portmap network-status-monitor request UDP ++2036 || RPC portmap network-status-monitor request TCP ++2037 || RPC network-status-monitor mon-callback request UDP ++2038 || RPC network-status-monitor mon-callback request TCP ++2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312 ++2040 || POLICY xtacacs login attempt ++2041 || MISC xtacacs failed login response ++2042 || POLICY xtacacs accepted login response ++2043 || MISC isakmp login failed ++2044 || POLICY PPTP Start Control Request attempt ++2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html ++2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379 ++2047 || MISC rsyncd module list access ++2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943 ++2049 || MS-SQL ping attempt || nessus,10674 ++2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674 ++2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906 ++2052 || WEB-CGI overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html ++2053 || WEB-CGI process_bug.cgi access || bugtraq,3272 || cve,2002-0008 ++2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || bugtraq,3272 || cve,2002-0008 ++2055 || WEB-CGI enter_bug.cgi access || bugtraq,3272 || 
cve,2002-0008 ++2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf ++2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162 ++2058 || WEB-MISC MsmMask.exe attempt || nessus,11163 ++2059 || WEB-MISC MsmMask.exe access || nessus,11163 ++2060 || WEB-MISC DB4Web access || nessus,11180 ++2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042 ++2062 || WEB-MISC iPlanet .perf access || nessus,11220 ++2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539 ++2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841 ++2065 || WEB-MISC Lotus Notes .csp script source download attempt ++2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841 ++2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841 ++2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588 ++2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771 ++2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485 ++2071 || WEB-MISC post32.exe access || bugtraq,1485 ++2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758 ++2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330 ++2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572 ++2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572 ++2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572 ++2077 || WEB-PHP Mambo upload.php access || bugtraq,6572 ++2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634 ++2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508 ++2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508 ++2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2082 || RPC portmap rpc.xfsmd 
request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 ++2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 ++2086 || WEB-CGI streaming server parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 ++2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025 ++2088 || RPC ypupdated arbitrary command attempt UDP ++2089 || RPC ypupdated arbitrary command attempt TCP ++2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx ++2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx ++2092 || RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028 ++2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028 ++2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 ++2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 ++2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409 ++2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx ++2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx ++2103 || NETBIOS SMB trans2open buffer overflow 
attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt ++2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459 ++2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292 ++2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++2107 || IMAP create buffer overflow attempt || bugtraq,7446 ++2108 || POP3 CAPA overflow attempt ++2109 || POP3 TOP overflow attempt ++2110 || POP3 STAT overflow attempt ++2111 || POP3 DELE overflow attempt ++2112 || POP3 RSET overflow attempt ++2113 || RSERVICES rexec username overflow attempt ++2114 || RSERVICES rexec password overflow attempt ++2115 || WEB-CGI album.pl access || bugtraq,7444 || nessus,11581 ++2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 || url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html ++2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215 ++2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++2119 || IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 ++2120 || IMAP create literal buffer overflow attempt || bugtraq,7446 ++2121 || POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539 ++2122 || POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570 ++2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633 ++2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673 ++2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677 ++2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 || url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx ++2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605 ++2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608 
++2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227 || cve,2003-0349 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx ++2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662 ++2131 || WEB-IIS IISProtect access || nessus,11661 ++2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657 ++2133 || WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx ++2134 || WEB-IIS register.asp access || nessus,11621 ++2135 || WEB-MISC philboard.mdb access || nessus,11682 ++2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675 ++2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675 ++2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639 ++2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604 ++2140 || WEB-PHP p-news.php access || nessus,11669 ++2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668 ++2142 || WEB-PHP shoutbox.php access || nessus,11668 ++2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667 ++2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667 ++2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660 ++2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660 ++2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647 ++2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647 ++2149 || WEB-PHP Turba status.php access || nessus,11646 ++2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 ++2151 || 
WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 ++2152 || WEB-PHP test.php access || nessus,11617 ++2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630 ++2154 || WEB-PHP autohtml.php access || nessus,11630 ++2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615 ++2156 || WEB-MISC mod_gzip_status access || nessus,11685 ++2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661 ++2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575 ++2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350 ++2160 || VIRUS OUTBOUND .exe file attachment ++2161 || VIRUS OUTBOUND .doc file attachment ++2162 || VIRUS OUTBOUND .hta file attachment ++2163 || VIRUS OUTBOUND .chm file attachment ++2164 || VIRUS OUTBOUND .reg file attachment ++2165 || VIRUS OUTBOUND .ini file attachment ++2166 || VIRUS OUTBOUND .bat file attachment ++2167 || VIRUS OUTBOUND .diz file attachment ++2168 || VIRUS OUTBOUND .cpp file attachment ++2169 || VIRUS OUTBOUND .dll file attachment ++2170 || VIRUS OUTBOUND .vxd file attachment ++2171 || VIRUS OUTBOUND .sys file attachment ++2172 || VIRUS OUTBOUND .com file attachment ++2173 || VIRUS OUTBOUND .hsq file attachment ++2174 || NETBIOS SMB winreg create tree attempt ++2175 || NETBIOS SMB winreg unicode create tree attempt ++2176 || NETBIOS SMB startup folder access ++2177 || NETBIOS SMB startup folder unicode access ++2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687 ++2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699 ++2180 || P2P BitTorrent announce request ++2181 || P2P BitTorrent transfer ++2182 || BACKDOOR typot trojan traffic || mcafee,100406 ++2183 || 
SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html ++2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 ++2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 ++2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567 ++2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567 ++2188 || BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 ++2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 ++2190 || NETBIOS DCERPC invalid bind attempt ++2191 || NETBIOS SMB DCERPC invalid bind attempt ++2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748 ++2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 ++2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || cve,2001-1212 || nessus,11748 ++2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 ++2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 ++2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 ++2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748 ++2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748 ++2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748 ++2203 || WEB-CGI everythingform.cgi 
access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748 ++2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 ++2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 ++2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 ++2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748 ++2208 || WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748 ++2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || nessus,11748 ++2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748 ++2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748 ++2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748 ++2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748 ++2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748 ++2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748 ++2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 ++2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 ++2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 ++2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748 ++2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748 ++2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748 ++2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740 ++2223 || 
WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726 ++2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750 ++2225 || WEB-CGI gozila.cgi access || bugtraq,6086 || cve,2002-1236 || nessus,11773 ++2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739 ++2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760 ++2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761 ++2229 || WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767 ++2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737 ++2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 ++2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 ++2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 ++2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 ++2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 ++2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 ++2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722 ++2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || bugtraq,1518 || cve,2000-0682 || nessus,11724 ++2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401 ++2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401 ++2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727 ++2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728 ++2243 || WEB-MISC ndcgi.exe access || bugtraq,3583 || cve,2001-0922 || nessus,11730 ++2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731 ++2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || 
nessus,11732 ++2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771 ++2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938 ++2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938 ++2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785 ++2250 || POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742 ++2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx ++2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx ++2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx ++2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx ++2255 || RPC sadmind query with root credentials attempt TCP ++2256 || RPC sadmind query with root credentials attempt UDP ++2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx ++2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx ++2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 ++2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 ++2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || 
bugtraq,6991 || cve,2002-1337 || nessus,11316 ++2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 ++2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 ++2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 ++2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 ++2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 ++2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 ++2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 ++2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 ++2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 ++2271 || BACKDOOR FsSniffer connection attempt || nessus,11854 ++2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854 ++2273 || IMAP login brute force attempt ++2274 || POP3 login brute force attempt ++2275 || SMTP AUTH LOGON brute force attempt ++2276 || WEB-MISC oracle portal demo access || nessus,11918 ++2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627 ++2278 || WEB-MISC client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095 ++2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057 ++2280 || WEB-PHP Title.php access || bugtraq,9057 ++2281 || WEB-PHP Setup.php access || bugtraq,9057 ++2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057 ++2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057 ++2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057 ++2285 || WEB-PHP rolis guestbook access || bugtraq,9057 ++2286 || 
WEB-PHP friends.php access || bugtraq,9088 ++2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487 ++2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487 ++2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487 ++2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487 ++2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487 ++2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487 ++2293 || WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487 ++2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487 ++2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487 ++2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487 ++2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487 ++2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487 ++2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487 ++2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487 ++2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487 ++2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487 ++2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890 || nessus,11487 ++2304 || WEB-PHP files.inc.php access || bugtraq,8910 ++2305 || WEB-PHP chatbox.php access || bugtraq,8930 ++2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876 ++2307 || WEB-PHP PayPal Storefront remote file include attempt || bugtraq,8791 || nessus,11873 ++2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx 
++2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx ++2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx ++2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx ++2312 || SHELLCODE x86 0x71FB7BAB NOOP ++2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode ++2314 || SHELLCODE x86 0x90 NOOP unicode ++2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx ++2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx ++2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977 ++2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977 ++2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156 ++2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156 ++2321 || WEB-IIS foxweb.exe access || nessus,11939 ++2322 || WEB-IIS foxweb.dll access || nessus,11939 ++2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975 ++2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 ++2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 ++2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955 ++2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973 ++2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982 ++2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || 
url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx ++2330 || IMAP auth overflow attempt || bugtraq,8861 ++2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430 ++2332 || FTP MKDIR format string attempt || bugtraq,9262 ++2333 || FTP RENAME format string attempt || bugtraq,9262 ++2334 || FTP Yak! FTP server default account login attempt || bugtraq,9072 ++2335 || FTP RMD / attempt || bugtraq,9159 ++2336 || TFTP NULL command attempt || bugtraq,7575 ++2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 ++2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx ++2339 || TFTP NULL command attempt || bugtraq,7575 ++2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037 ++2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 ++2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 ++2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 ++2344 || FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704 ++2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032 ++2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544 ++2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544 ++2348 || NETBIOS SMB-DS DCERPC print spool bind attempt ++2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt ++2350 || NETBIOS DCERPC ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2352 || 
NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488 ++2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488 ++2355 || WEB-PHP Invision Board emailer.php file include || bugtraq,7204 ++2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000 ++2357 || WEB-PHP WebChat english.php file include || bugtraq,7000 ++2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984 ++2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976 ++2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744 ++2361 || WEB-PHP news.php file include || bugtraq,6674 ++2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663 ++2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597 ++2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597 ++2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488 ++2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 ++2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 ++2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 ++2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516 ++2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542 ++2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555 ++2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557 ++2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021 ++2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544 ++2375 || BACKDOOR DoomJuice file upload attempt || 
url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html ++2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 ++2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 ++2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 ++2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 ++2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 ++2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084 ++2382 || NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++2383 || NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 ++2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 ++2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 ++2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 ++2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466 ++2390 || 
FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466 ++2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466 ++2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298 ++2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032 ++2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014 ++2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624 ++2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 || url,secunia.com/advisories/9191/ ++2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 || url,secunia.com/advisories/9191/ ++2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965 ++2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964 ++2400 || WEB-MISC edittag.pl access || bugtraq,6675 ++2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html ++2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html ++2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html ++2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html ++2405 || WEB-PHP phptest.php access || bugtraq,9737 ++2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066 ++2407 || WEB-MISC util.pl access || bugtraq,9748 ++2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766 ++2409 || POP3 APOP USER overflow attempt || bugtraq,9794 ++2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773 ++2411 || WEB-MISC 
Real Server DESCRIBE buffer overflow attempt || bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html ++2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt ++2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 ++2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 ++2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 ++2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 ++2417 || FTP format string attempt ++2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx ++2419 || MULTIMEDIA realplayer .ram playlist download attempt ++2420 || MULTIMEDIA realplayer .rmp playlist download attempt ++2421 || MULTIMEDIA realplayer .smi playlist download attempt ++2422 || MULTIMEDIA realplayer .rt playlist download attempt ++2423 || MULTIMEDIA realplayer .rp playlist download attempt ++2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045 ++2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045 ++2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045 ++2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045 ++2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045 ++2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045 ++2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045 ++2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045 ++2432 || NNTP article post without path attempt ++2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 || url,secunia.com/advisories/10512/ ++2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 || 
url,secunia.com/advisories/10512/ ++2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || cve,2003-0726 ++2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258 ++2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258 ++2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258 ++2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319 ++2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169 ++2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html ++2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html ++2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html ++2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt || cve,2004-0362 || url,www.eeye.com/html/Research/Advisories/AD20040318.html ++2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122 ++2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120 ++2449 || FTP ALLO overflow attempt || bugtraq,9953 ++2450 || CHAT Yahoo IM successful logon ++2451 || CHAT Yahoo IM voicechat ++2452 || CHAT Yahoo IM ping ++2453 || CHAT Yahoo IM conference invitation ++2454 || CHAT Yahoo IM conference logon success ++2455 || CHAT Yahoo IM conference message ++2456 || CHAT Yahoo Messenger File 
Transfer Receive Request ++2457 || CHAT Yahoo IM message ++2458 || CHAT Yahoo IM successful chat join ++2459 || CHAT Yahoo IM conference offer invitation ++2460 || CHAT Yahoo IM conference request ++2461 || CHAT Yahoo IM conference watch ++2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 ++2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 ++2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 ++2465 || NETBIOS SMB-DS IPC$ share access ++2466 || NETBIOS SMB-DS IPC$ unicode share access ++2467 || NETBIOS SMB D$ unicode share access ++2468 || NETBIOS SMB-DS D$ share access ++2469 || NETBIOS SMB-DS D$ unicode share access ++2470 || NETBIOS SMB C$ unicode share access ++2471 || NETBIOS SMB-DS C$ share access ++2472 || NETBIOS SMB-DS C$ unicode share access ++2473 || NETBIOS SMB ADMIN$ unicode share access ++2474 || NETBIOS SMB-DS ADMIN$ share access ++2475 || NETBIOS SMB-DS ADMIN$ unicode share access ++2476 || NETBIOS SMB-DS winreg create tree attempt ++2477 || NETBIOS SMB-DS winreg unicode create tree attempt ++2478 || NETBIOS SMB-DS winreg bind attempt ++2479 || NETBIOS SMB-DS winreg unicode bind attempt ++2480 || NETBIOS SMB-DS InitiateSystemShutdown unicode attempt ++2481 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt ++2482 || NETBIOS SMB-DS InitiateSystemShutdown attempt ++2483 || NETBIOS SMB-DS InitiateSystemShutdown little endian attempt ++2484 || WEB-MISC source.jsp access || nessus,12119 ++2485 || WEB-CLIENT Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363 ++2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184 ++2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 ++2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || 
nessus,12621 ++2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978 ++2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978 ++2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2500 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2504 || SMTP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2505 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx 
++2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2516 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2520 || WEB-MISC SSLv3 Client_Hello request ++2521 || WEB-MISC SSLv3 Server_Hello request ++2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm ++2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2527 || SMTP STARTTLS attempt ++2528 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2529 || IMAP SSLv3 Client_Hello request ++2530 || IMAP SSLv3 Server_Hello request ++2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2532 || POP3 SSLv3 Client_Hello request ++2533 || POP3 SSLv3 Server_Hello request ++2534 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2535 || POP3 SSLv3 Client_Hello request ++2536 || POP3 SSLv3 Server_Hello request ++2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2542 || SMTP SSLv3 Client_Hello request ++2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2544 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt ++2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080 ++2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978 ++2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972 ++2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973 ++2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt ++2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || 
cve,2004-0385 || nessus,12126 ++2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 ++2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230 ++2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038 ++2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html ++2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html ++2565 || WEB-PHP modules.php access || bugtraq,9879 ++2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093 ++2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095 ++2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095 ++2569 || WEB-MISC cPanel resetpass access || bugtraq,9848 ++2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593 ++2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805 ++2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805 ++2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805 ++2574 || FTP RETR format string attempt || bugtraq,9800 ++2575 || 
WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732 ++2576 || ORACLE dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html ++2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 ++2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt ++2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt ++2580 || WEB-MISC server negative Content-Length attempt || cve,2004-0492 || url,www.guninski.com/modproxy1.html ++2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx ++2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx ++2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417 ++2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 ++2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386 ++2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html ++2587 || P2P eDonkey server response || url,www.emule-project.net ++2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html ++2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx ++2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html ++2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2592 || SMTP ReplyTo command overflow attempt || 
bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html ++2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780 ++2598 || WEB-MISC Samba SWAT Authorization port 901 overflow attempt || bugtraq,10780 ++2599 || ORACLE dbms_repcat.add_grouped_column buffer overflow attempt ++2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html ++2601 || ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt ++2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html ++2603 || ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html ++2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html ++2605 || ORACLE dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html ++2606 || ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2608 || ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2609 || ORACLE dbms_repcat.cancel_statistics buffer overflow attempt ++2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck633.html ++2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html ++2612 || ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt ++2615 || ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2617 || ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2619 || ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2621 || ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2622 || ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2623 || ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2624 || ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html ++2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck94.html ++2626 || ORACLE dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html ++2627 || ORACLE dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2629 || ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html ++2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html ++2631 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2633 || ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2635 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2637 || ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html ++2639 || ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ++2641 || ORACLE 
dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt ++2642 || ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html ++2643 || ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html ++2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt ++2645 || ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt ++2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html ++2647 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt ++2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html ++2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html ++2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html ++2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt ++2652 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ++2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193 ++2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224 ++2656 || WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt ++2657 || WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt ++2658 || WEB-MISC SSLv2 Client_Hello request ++2659 || WEB-MISC SSLv2 Client_Hello with pad request ++2660 || WEB-MISC SSLv2 
Server_Hello request ++2661 || WEB-MISC TLSv1 Client_Hello request ++2662 || WEB-MISC TLSv1 Server_Hello request ++2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798 ++2664 || IMAP login format string attempt || bugtraq,10976 ++2665 || IMAP login literal format string attempt || bugtraq,10976 ++2666 || POP3 PASS format string attempt || bugtraq,10976 ++2667 || WEB-IIS ping.asp access || nessus,10968 ++2668 || WEB-CGI processit access || nessus,10649 ++2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083 ++2670 || WEB-CGI pgpmail.pl access || bugtraq,3605 || cve,2001-0937 || nessus,11070 ++2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt || bugtraq,9663 || cve,2004-0566 ++2672 || WEB-MISC sresult.exe access || bugtraq,10837 || nessus,14186 ++2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597 ++2674 || ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt ++2675 || ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt ++2676 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt ++2677 || ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt ++2678 || ORACLE ctx_output.start_log buffer overflow attempt ++2679 || ORACLE sys.dbms_system.ksdwrt buffer overflow attempt ++2680 || ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt ++2681 || ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt ++2682 || ORACLE mdsys.md2.validate_geom buffer overflow attempt ++2683 || ORACLE mdsys.md2.sdo_code_size buffer overflow attempt ++2684 || ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt ++2685 || ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt ++2686 || ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ++2687 || ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt ++2688 || ORACLE 
sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt ++2689 || ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt ++2690 || ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt ++2691 || ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt ++2692 || ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt ++2693 || ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt ++2694 || ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt ++2695 || ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt ++2696 || ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt ++2697 || ORACLE alter file buffer overflow attempt ++2698 || ORACLE create file buffer overflow attempt ++2699 || ORACLE TO_CHAR buffer overflow attempt ++2700 || ORACLE numtoyminterval buffer overflow attempt ++2701 || WEB-MISC Oracle iSQLPlus sid overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2702 || WEB-MISC Oracle iSQLPlus username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2703 || WEB-MISC Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2704 || WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt ++2705 || WEB-CLIENT JPEG parser heap overflow attempt || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx ++2706 || WEB-CLIENT JPEG transfer ++2707 || WEB-CLIENT JPEG parser multipacket heap overflow || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx ++2708 || ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2709 || 
ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2710 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2711 || ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2712 || ORACLE dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2713 || ORACLE dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2714 || ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2715 || ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2716 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2717 || ORACLE dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2718 || ORACLE dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2719 || ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2720 || ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2721 || ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2722 || ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2723 || ORACLE 
dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2724 || ORACLE dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2725 || ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2726 || ORACLE dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2727 || ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2728 || ORACLE dbms_repcat.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2729 || ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2730 || ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2731 || ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2732 || ORACLE dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2733 || ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2734 || ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2735 || ORACLE dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2736 || ORACLE dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2737 || ORACLE 
dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2738 || ORACLE dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2739 || ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2740 || ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2741 || ORACLE dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2742 || ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2743 || ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2744 || ORACLE dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2745 || ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2746 || ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2747 || ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2748 || ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2749 || ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2750 || ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2751 
|| ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2752 || ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2753 || ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2754 || ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2755 || ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2756 || ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2757 || ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2758 || ORACLE dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2759 || ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2760 || ORACLE dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2761 || ORACLE dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2762 || ORACLE dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2763 || ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2764 || ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2765 || ORACLE dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2766 || ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2767 || ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2768 || ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2769 || ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2770 || ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2771 || ORACLE dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2772 || ORACLE dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2773 || ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2774 || ORACLE dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2775 || ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2776 || ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2777 || ORACLE dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2778 || ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2779 || ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2780 || ORACLE dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2781 || ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2782 || ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2783 || ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2784 || ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2785 || ORACLE dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2786 || ORACLE dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2787 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2788 || ORACLE dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2789 || ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2790 || ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2791 || ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2792 || ORACLE dbms_repcat.purge_master_log buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2793 || ORACLE dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2794 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2795 || ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2796 || ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2797 || ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2798 || ORACLE dbms_repcat.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2799 || ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2800 || ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2801 || ORACLE dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2802 || ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2803 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2804 || ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2805 || ORACLE dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2806 || ORACLE dbms_repcat.set_local_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2807 || ORACLE dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2808 || ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2809 || ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2810 || ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2811 || ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2812 || ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2813 || ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2814 || ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2815 || ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2816 || ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2817 || ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2818 || ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2819 || ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2820 || ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2821 || ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2822 || ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2823 || ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2824 || ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2825 || ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2826 || ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2827 || ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2828 || ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2829 || ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2830 || ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2831 || ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2832 || ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2833 || ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2834 || ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2835 || ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2836 || ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2837 || ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2838 || ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2839 || ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2840 || ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2841 || ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2842 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2843 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2844 || ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2845 || ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2846 || ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2847 || ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2848 || ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2849 || ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2850 || ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2851 || ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2852 || ORACLE dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2853 || ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2854 || ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2855 || ORACLE dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2856 || ORACLE dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2857 || ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2858 || ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2859 || ORACLE 
sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2860 || ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2861 || ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2862 || ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2863 || ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2864 || ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2865 || ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2866 || ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2867 || ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2868 || ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2869 || ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2870 || ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2871 || ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2872 || ORACLE sys.dbms_repcat_conf.alter_priority_number buffer 
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2873 || ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2874 || ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2875 || ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2876 || ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2877 || ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2878 || ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2879 || ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2880 || ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2881 || ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2882 || ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2883 || ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2884 || ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2885 || ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt 
|| url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2886 || ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2887 || ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2888 || ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2889 || ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2890 || ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2891 || ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2892 || ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2893 || ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2894 || ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2895 || ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2896 || ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2897 || ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2898 || ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2899 || ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2900 || ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2901 || ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2902 || ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2903 || ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2904 || ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2905 || ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2906 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2907 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2908 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2909 || ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2910 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2911 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2912 || ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2913 || ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2914 || ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2915 || ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2916 || ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2917 || ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2918 || ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2919 || ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html ++2921 || DNS UDP inverse query || bugtraq,2302 || cve,2001-0010 ++2922 || DNS TCP inverse query || bugtraq,2302 || cve,2001-0010 ++2923 || NETBIOS SMB repeated logon failure ++2924 || NETBIOS SMB-DS repeated logon failure ++2925 || INFO web bug 0x0 gif attempt ++2926 || WEB-PHP PhpGedView PGV base directory manipulation || bugtraq,9368 ++2927 || NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx ++2928 || NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206 ++2929 || NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 ++2930 || NETBIOS SMB-DS nddeapi create tree attempt || 
bugtraq,11372 || cve,2004-0206 ++2931 || NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 ++2932 || NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 ++2933 || NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 ++2934 || NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 ++2935 || NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 ++2936 || NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 ++2937 || NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 ++2938 || NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 ++2939 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 ++2940 || NETBIOS SMB winreg bind attempt ++2941 || NETBIOS SMB winreg unicode bind attempt ++2942 || NETBIOS SMB InitiateSystemShutdown attempt ++2943 || NETBIOS SMB InitiateSystemShutdown little endian attempt ++2944 || NETBIOS SMB InitiateSystemShutdown unicode attempt ++2945 || NETBIOS SMB InitiateSystemShutdown unicode little endian attempt ++2946 || NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2947 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2948 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2949 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 ++2950 || NETBIOS SMB too many stacked requests ++2951 || NETBIOS SMB-DS too many stacked requests ++2952 || NETBIOS SMB IPC$ andx share access ++2953 || NETBIOS SMB IPC$ unicode andx share access ++2954 || NETBIOS SMB-DS IPC$ andx share access ++2955 || NETBIOS SMB-DS IPC$ unicode andx share access ++2956 || NETBIOS SMB nddeapi andx create 
tree attempt || bugtraq,11372 || cve,2004-0206 ++2957 || NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 ++2958 || NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 ++2959 || NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 ++2960 || NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2961 || NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2962 || NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2963 || NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 ++2964 || NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2965 || NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2966 || NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2967 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2968 || NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2969 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2970 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2971 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 ++2972 || NETBIOS SMB D$ andx share access ++2973 || NETBIOS SMB D$ unicode andx share access ++2974 || NETBIOS SMB-DS D$ andx share access ++2975 || NETBIOS SMB-DS D$ unicode andx share access ++2976 || NETBIOS SMB C$ andx share access ++2977 || NETBIOS SMB C$ unicode andx share access ++2978 || NETBIOS SMB-DS C$ andx share access ++2979 || NETBIOS SMB-DS C$ unicode andx share access ++2980 || NETBIOS SMB ADMIN$ andx 
share access ++2981 || NETBIOS SMB ADMIN$ unicode andx share access ++2982 || NETBIOS SMB-DS ADMIN$ andx share access ++2983 || NETBIOS SMB-DS ADMIN$ unicode andx share access ++2984 || NETBIOS SMB winreg andx create tree attempt ++2985 || NETBIOS SMB winreg unicode andx create tree attempt ++2986 || NETBIOS SMB-DS winreg andx create tree attempt ++2987 || NETBIOS SMB-DS winreg unicode andx create tree attempt ++2988 || NETBIOS SMB winreg andx bind attempt ++2989 || NETBIOS SMB winreg unicode andx bind attempt ++2990 || NETBIOS SMB-DS winreg andx bind attempt ++2991 || NETBIOS SMB-DS winreg unicode andx bind attempt ++2992 || NETBIOS SMB InitiateSystemShutdown andx attempt ++2993 || NETBIOS SMB InitiateSystemShutdown little endian andx attempt ++2994 || NETBIOS SMB InitiateSystemShutdown unicode andx attempt ++2995 || NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt ++2996 || NETBIOS SMB-DS InitiateSystemShutdown andx attempt ++2997 || NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt ++2998 || NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt ++2999 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt ++3000 || NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3001 || NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3002 || NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3003 || NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || 
nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3004 || NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3005 || NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx ++3006 || EXPLOIT Volition Freespace 2 buffer overflow attempt || bugtraq,9785 ++3007 || IMAP delete overflow attempt || bugtraq,11675 ++3008 || IMAP delete literal overflow attempt || bugtraq,11675 ++3009 || BACKDOOR NetBus Pro 2.0 connection request ++3010 || BACKDOOR RUX the Tick get windows directory attempt ++3011 || BACKDOOR RUX the Tick get system directory attempt ++3012 || BACKDOOR RUX the Tick upload/execute arbitrary file attempt ++3013 || BACKDOOR Asylum 0.1 connection request ++3014 || BACKDOOR Asylum 0.1 connection established ++3015 || BACKDOOR Insane Network 4.0 connection established ++3016 || BACKDOOR Insane Network 4.0 connection established port 63536 ++3017 || EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx ++3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 ++3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 ++3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 ++3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 ++3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 ++3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || 
cve,2004-1154 ++3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 ++3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 ++3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 ++3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 ++3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 ++3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 ++3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 ++3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 ++3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 ++3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 ++3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 ++3035 || NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 ++3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 ++3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 ++3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 ++3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 ++3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 ++3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 ++3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt ++3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3046 || NETBIOS SMB-DS NT 
Trans NT CREATE invalid SACL ace size dos attempt ++3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt ++3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt ++3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt ++3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt ++3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt ++3058 || IMAP copy literal overflow attempt || bugtraq,1110 ++3059 || WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request ++3061 || MISC distccd command execution attempt || url,distcc.samba.org/security.html ++3062 || WEB-CGI NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791 ++3063 || BACKDOOR Vampire 1.2 connection request ++3064 || BACKDOOR Vampire 1.2 connection confirmation ++3065 || IMAP append literal overflow attempt || bugtraq,11775 ++3066 || IMAP append overflow attempt || bugtraq,11775 ++3067 || IMAP examine literal overflow attempt || bugtraq,11775 ++3068 || IMAP examine overflow attempt || bugtraq,11775 ++3069 || IMAP fetch literal overflow attempt || bugtraq,11775 ++3070 || IMAP fetch overflow attempt || bugtraq,11775 ++3071 || IMAP status literal overflow attempt || bugtraq,11775 ++3072 || IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256 ++3073 || IMAP subscribe literal overflow attempt || bugtraq,11775 ++3074 || IMAP subscribe overflow attempt || 
bugtraq,11775 ++3075 || IMAP unsubscribe literal overflow attempt || bugtraq,11775 ++3076 || IMAP unsubscribe overflow attempt || bugtraq,11775 ++3077 || FTP RNFR overflow attempt ++3078 || NNTP SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx ++3079 || WEB-CLIENT Microsoft ANI file parsing overflow || cve,2004-1049 ++3080 || MISC Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608 ++3081 || BACKDOOR Y3KRAT 1.5 Connect ++3082 || BACKDOOR Y3KRAT 1.5 Connect Client Response ++3083 || BACKDOOR Y3KRAT 1.5 Connection confirmation ++3084 || EXPLOIT Veritas backup overflow attempt || bugtraq,11974 || cve,2004-1172 ++3085 || EXPLOIT AIM goaway message buffer overflow attempt || bugtraq,10889 || cve,2004-0636 ++3086 || WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt || bugtraq,11408 ++3087 || WEB-IIS w3who.dll buffer overflow attempt || bugtraq,11820 || cve,2004-1134 ++3088 || WEB-CLIENT winamp .cda file name overflow attempt || bugtraq,11730 ++3089 || DOS squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095 ++3090 || NETBIOS SMB llsrpc create tree attempt ++3091 || NETBIOS SMB llsrpc unicode create tree attempt ++3092 || NETBIOS SMB llsrpc andx create tree attempt ++3093 || NETBIOS SMB llsrpc unicode andx create tree attempt ++3094 || NETBIOS SMB-DS llsrpc create tree attempt ++3095 || NETBIOS SMB-DS llsrpc unicode create tree attempt ++3096 || NETBIOS SMB-DS llsrpc andx create tree attempt ++3097 || NETBIOS SMB-DS llsrpc unicode andx create tree attempt ++3098 || NETBIOS SMB llsrpc bind attempt ++3099 || NETBIOS SMB llsrpc little endian bind attempt ++3100 || NETBIOS SMB llsrpc unicode bind attempt ++3101 || NETBIOS SMB llsrpc unicode little endian bind attempt ++3102 || NETBIOS SMB llsrpc andx bind attempt ++3103 || NETBIOS SMB llsrpc little endian andx bind attempt ++3104 || NETBIOS SMB llsrpc unicode andx bind attempt ++3105 || 
NETBIOS SMB llsrpc unicode little endian andx bind attempt ++3106 || NETBIOS SMB-DS llsrpc bind attempt ++3107 || NETBIOS SMB-DS llsrpc little endian bind attempt ++3108 || NETBIOS SMB-DS llsrpc unicode bind attempt ++3109 || NETBIOS SMB-DS llsrpc unicode little endian bind attempt ++3110 || NETBIOS SMB-DS llsrpc andx bind attempt ++3111 || NETBIOS SMB-DS llsrpc little endian andx bind attempt ++3112 || NETBIOS SMB-DS llsrpc unicode andx bind attempt ++3113 || NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt ++3114 || NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3115 || NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3116 || NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3117 || NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3118 || NETBIOS SMB llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3119 || NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3120 || NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3121 || NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3122 || NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3123 || NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3124 || NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3125 || NETBIOS SMB-DS llsrconnect unicode little 
endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3126 || NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3127 || NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3128 || NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3129 || NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx ++3130 || EXPLOIT MSN Messenger png overflow || bugtraq,10872 || cve,2004-0957 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3131 || WEB-CGI mailman directory traversal attempt || cve,2005-0202 ++3132 || WEB-CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3133 || WEB-CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 || cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3134 || WEB-CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx ++3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt ++3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt ++3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt ++3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt ++3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt ++3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt ++3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt ++3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt ++3143 || NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx 
++3144 || NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx ++3145 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx ++3146 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx ++3147 || TELNET login buffer overflow attempt || bugtraq,3681 || cve,2001-0797 ++3148 || WEB-CLIENT winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt ++3149 || WEB-CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx ++3150 || WEB-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx || url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt ++3151 || FINGER / execution attempt || cve,1999-0612 || cve,2000-0915 ++3152 || MS-SQL sa brute force failed login attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 ++3153 || DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009 ++3154 || DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009 ++3155 || BACKDOOR BackOrifice 2000 Inbound Traffic ++3156 || NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3157 || NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3158 || NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3159 || 
NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3160 || NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3161 || NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3162 || NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3163 || NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3164 || NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3165 || NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3166 || NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3167 || NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3168 || NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3169 || NETBIOS 
SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3170 || NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3171 || NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3172 || NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3173 || NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3174 || NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3175 || NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3176 || NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3177 || NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3178 || NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3179 || NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3180 || NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3181 || NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3182 || NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3183 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3184 || NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3185 || NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3186 || NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3187 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3188 || NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3189 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3190 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3191 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3192 || WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx ++3193 || WEB-IIS .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886 ++3194 || WEB-IIS .bat executable file parsing attack || bugtraq,1912 || cve,2000-0886 ++3195 || NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 ++3196 || NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 ++3197 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3198 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx ++3199 || EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || 
url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx ++3200 || EXPLOIT WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx ++3201 || WEB-IIS httpodbc.dll access - nimda || bugtraq,2708 || cve,2001-0333 ++3202 || NETBIOS SMB winreg bind attempt ++3203 || NETBIOS SMB winreg little endian bind attempt ++3204 || NETBIOS SMB winreg unicode bind attempt ++3205 || NETBIOS SMB winreg unicode little endian bind attempt ++3206 || NETBIOS SMB winreg andx bind attempt ++3207 || NETBIOS SMB winreg little endian andx bind attempt ++3208 || NETBIOS SMB winreg unicode andx bind attempt ++3209 || NETBIOS SMB winreg unicode little endian andx bind attempt ++3210 || NETBIOS SMB-DS winreg bind attempt ++3211 || NETBIOS SMB-DS winreg little endian bind attempt ++3212 || NETBIOS SMB-DS winreg unicode bind attempt ++3213 || NETBIOS SMB-DS winreg unicode little endian bind attempt ++3214 || NETBIOS SMB-DS winreg andx bind attempt ++3215 || NETBIOS SMB-DS winreg little endian andx bind attempt ++3216 || NETBIOS SMB-DS winreg unicode andx bind attempt ++3217 || NETBIOS SMB-DS winreg unicode little endian andx bind attempt ++3218 || NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx ++3219 || NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3220 || NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 ++3221 || NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3222 || NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3223 || NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3224 || NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3225 || NETBIOS SMB OpenKey unicode little endian andx overflow attempt || 
bugtraq,1331 || cve,2000-0377 ++3226 || NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 ++3227 || NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3228 || NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 ++3229 || NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 ++3230 || NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3231 || NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3232 || NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 ++3233 || NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx ++3234 || NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717 ++3235 || NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717 ++3236 || NETBIOS DCERPC irot bind attempt ++3237 || NETBIOS DCERPC irot little endian bind attempt ++3238 || NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3239 || NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3240 || NETBIOS SMB irot bind attempt ++3241 || NETBIOS SMB irot little endian bind attempt ++3242 || NETBIOS SMB irot unicode bind attempt ++3243 || NETBIOS SMB irot unicode little endian bind attempt ++3244 || NETBIOS SMB irot andx bind attempt ++3245 || NETBIOS SMB irot little endian andx bind attempt ++3246 || NETBIOS SMB irot unicode andx bind attempt ++3247 || NETBIOS SMB irot unicode little endian andx bind attempt ++3248 || NETBIOS SMB-DS irot bind attempt ++3249 || NETBIOS SMB-DS irot little endian bind attempt ++3250 || 
NETBIOS SMB-DS irot unicode bind attempt ++3251 || NETBIOS SMB-DS irot unicode little endian bind attempt ++3252 || NETBIOS SMB-DS irot andx bind attempt ++3253 || NETBIOS SMB-DS irot little endian andx bind attempt ++3254 || NETBIOS SMB-DS irot unicode andx bind attempt ++3255 || NETBIOS SMB-DS irot unicode little endian andx bind attempt ++3256 || NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3257 || NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3258 || NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3259 || NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3260 || NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3261 || NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3262 || NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3263 || NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3264 || NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3265 || NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3266 || NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || 
url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3267 || NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3268 || NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3269 || NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3270 || NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3271 || NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx ++3272 || BACKDOOR mydoom.a backdoor upload/execute attempt ++3273 || MS-SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 ++3274 || TELNET login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797 ++3275 || NETBIOS DCERPC IActivation bind attempt ++3276 || NETBIOS DCERPC IActivation little endian bind attempt ++3377 || NETBIOS SMB IActivation bind attempt ++3378 || NETBIOS SMB IActivation little endian bind attempt ++3379 || NETBIOS SMB IActivation unicode bind attempt ++3380 || NETBIOS SMB IActivation unicode little endian bind attempt ++3381 || NETBIOS SMB IActivation andx bind attempt ++3382 || NETBIOS SMB IActivation little endian andx bind attempt ++3383 || NETBIOS SMB IActivation unicode andx bind attempt ++3384 || NETBIOS SMB IActivation unicode little endian andx bind attempt ++3385 || NETBIOS SMB-DS IActivation bind attempt ++3386 || NETBIOS SMB-DS IActivation little endian bind attempt ++3387 || NETBIOS SMB-DS IActivation unicode bind attempt ++3388 || NETBIOS SMB-DS IActivation unicode little endian bind attempt ++3389 || NETBIOS 
SMB-DS IActivation andx bind attempt ++3390 || NETBIOS SMB-DS IActivation little endian andx bind attempt ++3391 || NETBIOS SMB-DS IActivation unicode andx bind attempt ++3392 || NETBIOS SMB-DS IActivation unicode little endian andx bind attempt ++3393 || NETBIOS SMB ISystemActivator bind attempt ++3394 || NETBIOS SMB ISystemActivator little endian bind attempt ++3395 || NETBIOS SMB ISystemActivator unicode bind attempt ++3396 || NETBIOS SMB ISystemActivator unicode little endian bind attempt ++3397 || NETBIOS SMB ISystemActivator andx bind attempt ++3398 || NETBIOS SMB ISystemActivator little endian andx bind attempt ++3399 || NETBIOS SMB ISystemActivator unicode andx bind attempt ++3400 || NETBIOS SMB ISystemActivator unicode little endian andx bind attempt ++3401 || NETBIOS SMB-DS ISystemActivator bind attempt ++3402 || NETBIOS SMB-DS ISystemActivator little endian bind attempt ++3403 || NETBIOS SMB-DS ISystemActivator unicode bind attempt ++3404 || NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt ++3405 || NETBIOS SMB-DS ISystemActivator andx bind attempt ++3406 || NETBIOS SMB-DS ISystemActivator little endian andx bind attempt ++3407 || NETBIOS SMB-DS ISystemActivator unicode andx bind attempt ++3408 || NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt ++3409 || NETBIOS SMB RemoteActivation attempt ++3410 || NETBIOS SMB RemoteActivation little endian attempt ++3411 || NETBIOS SMB RemoteActivation unicode attempt ++3412 || NETBIOS SMB RemoteActivation unicode little endian attempt ++3413 || NETBIOS SMB RemoteActivation andx attempt ++3414 || NETBIOS SMB RemoteActivation little endian andx attempt ++3415 || NETBIOS SMB RemoteActivation unicode andx attempt ++3416 || NETBIOS SMB RemoteActivation unicode little endian andx attempt ++3417 || NETBIOS SMB-DS RemoteActivation attempt ++3418 || NETBIOS SMB-DS RemoteActivation little endian attempt ++3419 || NETBIOS SMB-DS RemoteActivation unicode attempt ++3420 || NETBIOS SMB-DS 
RemoteActivation unicode little endian attempt ++3421 || NETBIOS SMB-DS RemoteActivation andx attempt ++3422 || NETBIOS SMB-DS RemoteActivation little endian andx attempt ++3423 || NETBIOS SMB-DS RemoteActivation unicode andx attempt ++3424 || NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt ++3425 || NETBIOS SMB CoGetInstanceFromFile attempt ++3426 || NETBIOS SMB CoGetInstanceFromFile little endian attempt ++3427 || NETBIOS SMB CoGetInstanceFromFile unicode attempt ++3428 || NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt ++3429 || NETBIOS SMB CoGetInstanceFromFile andx attempt ++3430 || NETBIOS SMB CoGetInstanceFromFile little endian andx attempt ++3431 || NETBIOS SMB CoGetInstanceFromFile unicode andx attempt ++3432 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt ++3433 || NETBIOS SMB-DS CoGetInstanceFromFile attempt ++3434 || NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt ++3435 || NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt ++3436 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt ++3437 || NETBIOS SMB-DS CoGetInstanceFromFile andx attempt ++3438 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt ++3439 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt ++3440 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt ++3441 || FTP PORT bounce attempt ++3442 || DOS WIN32 TCP print service denial of service attempt || bugtraq,1082 || cve,2000-0232 || url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx ++3443 || MS-SQL DNS query with 1 requests ++3444 || MS-SQL DNS query with 2 requests ++3445 || MS-SQL DNS query with 3 requests ++3446 || MS-SQL DNS query with 4 requests ++3447 || MS-SQL DNS query with 5 requests ++3448 || MS-SQL DNS query with 6 requests ++3449 || MS-SQL DNS query with 7 requests ++3450 || MS-SQL DNS query with 8 requests ++3451 || MS-SQL DNS query with 9 requests ++3452 || MS-SQL DNS query with 
10 requests ++3453 || MISC Arkeia client backup system info probe || bugtraq,12594 ++3454 || MISC Arkeia client backup generic info probe || bugtraq,12594 ++3455 || EXPLOIT Bontago Game Server Nickname Buffer Overflow || bugtraq,12603 || url,aluigi.altervista.org/adv/bontagobof-adv.txt ++3456 || MYSQL 4.0 root login attempt ++3457 || EXPLOIT Arkeia backup client type 77 overflow attempt || bugtraq,12594 ++3458 || EXPLOIT Arkeia backup client type 84 overflow attempt || bugtraq,12594 ++3459 || P2P Manolito Search Query || url,openlito.sourceforge.net || url,www.blubster.com ++3460 || FTP REST with numeric argument || bugtraq,7825 ++3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx ++3462 || SMTP Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx ++3463 || WEB-CGI awstats access || bugtraq,12572 ++3464 || WEB-CGI awstats.pl command execution attempt || bugtraq,12572 ++3465 || WEB-CGI RiSearch show.pl proxy attempt || bugtraq,10812 ++3466 || WEB-MISC Authorization Basic overflow attempt || bugtraq,8375 || cve,2003-0727 ++3467 || WEB-MISC CISCO VoIP Portinformation access || bugtraq,4798 || cve,2002-0882 ++3468 || WEB-CGI math_sum.mscgi access || bugtraq,10831 || nessus,14182 ++3469 || WEB-CGI Ipswitch WhatsUp Gold dos attempt || bugtraq,11110 || cve,2004-0799 || url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities || url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html || url,www.secunia.com/advisories/12578/ ++3470 || WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow || bugtraq,11309 || url,www.eeye.com/html/research/advisories/AD20041001.html ++3471 || WEB-CLIENT iTunes playlist URL overflow attempt || bugtraq,12238 || cve,2005-0043 ++3472 || EXPLOIT ARCserve discovery service overflow || bugtraq,12491 || can,2005-0260 ++3473 || WEB-CLIENT RealPlayer SMIL file 
overflow attempt || bugtraq,12698 || cve,2005-0455 ++3474 || EXPLOIT ARCserve backup TCP slot info msg client name overflow || bugtraq,12563 ++3475 || EXPLOIT ARCserve backup TCP slot info msg client domain overflow || bugtraq,12563 ++3476 || EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow || bugtraq,12563 ++3477 || EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow || bugtraq,12563 ++3478 || EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow || bugtraq,12563 ++3479 || EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow || bugtraq,12563 ++3480 || EXPLOIT ARCserve backup UDP slot info msg client name overflow || bugtraq,12563 ++3481 || EXPLOIT ARCserve backup UDP slot info msg client domain overflow || bugtraq,12563 ++3482 || EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow || bugtraq,12563 ++3483 || EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow || bugtraq,12563 ++3484 || EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow || bugtraq,12563 ++3485 || EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow || bugtraq,12563 ++3486 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++3487 || IMAP SSLv2 Client_Hello request ++3488 || IMAP SSLv2 Client_Hello with pad request ++3489 || IMAP TLSv1 Client_Hello request ++3490 || IMAP TLSv1 Client_Hello via SSLv2 handshake request ++3491 || IMAP SSLv2 Server_Hello request ++3492 || IMAP TLSv1 Server_Hello request ++3493 || SMTP SSLv2 Client_Hello request ++3494 || SMTP SSLv2 Client_Hello with pad request ++3495 || SMTP TLSv1 Client_Hello request ++3496 || SMTP TLSv1 Client_Hello via SSLv2 handshake request ++3497 || SMTP SSLv2 Server_Hello request ++3498 || SMTP TLSv1 Server_Hello request ++3499 || POP3 SSLv2 Client_Hello request ++3500 || POP3 
SSLv2 Client_Hello with pad request ++3501 || POP3 TLSv1 Client_Hello request ++3502 || POP3 TLSv1 Client_Hello via SSLv2 handshake request ++3503 || POP3 SSLv2 Server_Hello request ++3504 || POP3 TLSv1 Server_Hello request ++3505 || POP3 SSLv2 Client_Hello request ++3506 || POP3 SSLv2 Client_Hello with pad request ++3507 || POP3 TLSv1 Client_Hello request ++3508 || POP3 TLSv1 Client_Hello via SSLv2 handshake request ++3509 || POP3 SSLv2 Server_Hello request ++3510 || POP3 TLSv1 Server_Hello request ++3511 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx ++3512 || ORACLE utl_file.fcopy directory traversal attempt || bugtraq,12749 ++3513 || ORACLE utl_file.fopen_nchar directory traversal attempt || bugtraq,12749 ++3514 || ORACLE utl_file.fopen directory traversal attempt || bugtraq,12749 ++3515 || ORACLE utl_file.fremove directory traversal attempt || bugtraq,12749 ++3516 || ORACLE utl_file.frename directory traversal attempt || bugtraq,12749 ++3517 || EXPLOIT Computer Associates license PUTOLF overflow attempt || bugtraq,12705 || cve,2005-0581 ++3518 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow || bugtraq,12265 ++3519 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port || bugtraq,12265 ++3520 || EXPLOIT Computer Associates license GCR NETWORK overflow attempt || bugtraq,12705 || cve,2005-0581 ++3521 || EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt || bugtraq,12705 || cve,2005-0581 ++3522 || EXPLOIT Computer Associates license GETCONFIG server overflow attempt || bugtraq,12705 || cve,2005-0581 ++3523 || FTP SITE INDEX format string attempt ++3524 || EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt || bugtraq,12705 || cve,2005-0581 ++3525 || EXPLOIT Computer Associates license invalid GCR NETWORK attempt || bugtraq,12705 || cve,2005-0581 ++3526 || ORACLE XDB FTP UNLOCK overflow attempt || bugtraq,8375 || 
cve,2003-0727 ++3527 || EXPLOIT Solaris LPD overflow attempt || bugtraq,3274 ++3528 || MYSQL CREATE FUNCTION attempt || bugtraq,12781 || cve,2005-0709 ++3529 || EXPLOIT Computer Associates license GETCONFIG client overflow attempt || bugtraq,12705 || cve,2005-0581 ++3530 || EXPLOIT ARCserve backup UDP msg 0x99 client name overflow || bugtraq,12563 ++3531 || EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow || bugtraq,12563 ++3532 || FTP ORACLE password buffer overflow attempt || bugtraq,8375 ++3533 || TELNET client LINEMODE SLC overflow attempt || bugtraq,12918 || cve,2005-0469 ++3534 || WEB-CLIENT Mozilla GIF heap overflow || bugtraq,12881 || cve,2005-0399 ++3535 || WEB-CLIENT GIF transfer ++3536 || WEB-CLIENT Mozilla GIF multipacket heap overflow || bugtraq,12881 || cve,2005-0399 ++3537 || TELNET client ENV OPT escape overflow attempt || bugtraq,12918 || cve,2005-0469 ++3538 || EXPLOIT RADIUS registration MSID overflow attempt || bugtraq,12759 || cve,2005-0699 ++3539 || EXPLOIT RADIUS MSID overflow attempt || bugtraq,12759 || cve,2005-0699 ++3540 || EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 ++3541 || EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 ++3542 || MS-SQL SA brute force login attempt || cve,2000-1209 || nessus,10673 ++3543 || MS-SQL SA brute force login attempt TDS v7/8 || cve,2000-1209 || nessus,10673 ++3544 || WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt || bugtraq,12592 || cve,2005-0481 ++3545 || WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure || bugtraq,12592 || cve,2005-0481 ++3546 || WEB-MISC TrackerCam User-Agent buffer overflow attempt || bugtraq,12592 || cve,2005-0481 ++3547 || WEB-MISC TrackerCam overly long php parameter overflow attempt || bugtraq,12592 || cve,2005-0481 ++3548 || WEB-MISC TrackerCam negative Content-Length attempt || bugtraq,12592 || cve,2005-0481 ++3549 || WEB-CLIENT HTML DOM invalid 
element creation attempt || cve,2005-0553 ++3550 || WEB-CLIENT HTML http scheme hostname overflow attempt || cve,2005-0553 ++3551 || WEB-CLIENT .hta download attempt ++3552 || WEB-CLIENT OLE32 MSHTA masquerade attempt || cve,2005-0063 ++3553 || WEB-CLIENT HTML DOM null element insertion attempt || cve,2005-0553 ++3554 || NETBIOS DCERPC-DIRECT mqqm bind attempt ++3555 || NETBIOS DCERPC-DIRECT mqqm little endian bind attempt ++3556 || NETBIOS DCERPC mqqm bind attempt ++3557 || NETBIOS DCERPC mqqm little endian bind attempt ++3558 || NETBIOS SMB mqqm WriteAndX andx bind attempt ++3559 || NETBIOS SMB mqqm WriteAndX bind attempt ++3560 || NETBIOS SMB mqqm WriteAndX little endian andx bind attempt ++3561 || NETBIOS SMB mqqm WriteAndX little endian bind attempt ++3562 || NETBIOS SMB mqqm WriteAndX unicode andx bind attempt ++3563 || NETBIOS SMB mqqm WriteAndX unicode bind attempt ++3564 || NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt ++3565 || NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt ++3566 || NETBIOS SMB mqqm andx bind attempt ++3567 || NETBIOS SMB mqqm bind attempt ++3568 || NETBIOS SMB mqqm little endian andx bind attempt ++3569 || NETBIOS SMB mqqm little endian bind attempt ++3570 || NETBIOS SMB mqqm unicode andx bind attempt ++3571 || NETBIOS SMB mqqm unicode bind attempt ++3572 || NETBIOS SMB mqqm unicode little endian andx bind attempt ++3573 || NETBIOS SMB mqqm unicode little endian bind attempt ++3574 || NETBIOS SMB-DS mqqm WriteAndX andx bind attempt ++3575 || NETBIOS SMB-DS mqqm WriteAndX bind attempt ++3576 || NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt ++3577 || NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt ++3578 || NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt ++3579 || NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt ++3580 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt ++3581 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt 
++3582 || NETBIOS SMB-DS mqqm andx bind attempt ++3583 || NETBIOS SMB-DS mqqm bind attempt ++3584 || NETBIOS SMB-DS mqqm little endian andx bind attempt ++3585 || NETBIOS SMB-DS mqqm little endian bind attempt ++3586 || NETBIOS SMB-DS mqqm unicode andx bind attempt ++3587 || NETBIOS SMB-DS mqqm unicode bind attempt ++3588 || NETBIOS SMB-DS mqqm unicode little endian andx bind attempt ++3589 || NETBIOS SMB-DS mqqm unicode little endian bind attempt ++3590 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3591 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3592 || NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3593 || NETBIOS DCERPC mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3594 || NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3595 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3596 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3597 || NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3598 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3599 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || 
url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3600 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3601 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3602 || NETBIOS SMB mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3603 || NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3604 || NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3605 || NETBIOS SMB mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3606 || NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3607 || NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3608 || NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3609 || NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3610 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3611 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3612 || NETBIOS SMB-DS mqqm 
QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3613 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3614 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3615 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3616 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3617 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3618 || NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3619 || NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3620 || NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3621 || NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3622 || NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3623 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3624 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow 
attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3625 || NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx ++3626 || ICMP PATH MTU denial of service || cve,2004-1060 ++3627 || POLICY X-LINK2STATE CHUNK attempt || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx ++3628 || POLICY IDA Pro startup license check attempt ++3629 || WEB-MISC sambar /search/results.stm access || bugtraq,7975 ++3630 || FTP ORACLE TEST command buffer overflow attempt || bugtraq,8375 ++3631 || FTP ORACLE user name buffer overflow attempt || bugtraq,8375 ++3632 || WEB-CLIENT Mozilla bitmap width integer overflow attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067 ++3633 || WEB-CLIENT bitmap transfer ++3634 || WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067 ++3635 || BACKDOOR Amanda 2.0 connection established ++3636 || BACKDOOR Crazzy Net 5.0 connection established ++3637 || EXPLOIT Computer Associates license PUTOLF directory traversal attempt || bugtraq,12705 || cve,2005-0581 ++3638 || WEB-CGI SoftCart.exe CGI buffer overflow attempt || bugtraq,10926 ++3639 || NETBIOS SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3640 || NETBIOS SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3641 || NETBIOS SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3642 || NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3643 || NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt || 
bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3644 || NETBIOS SMB-DS Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3645 || NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3646 || NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3647 || NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3648 || NETBIOS-DG SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3649 || NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3650 || NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html ++3651 || EXPLOIT CVS rsh annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 ++3652 || EXPLOIT CVS pserver annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 ++3653 || SMTP SAML overflow attempt || bugtraq,11238 ++3654 || SMTP SOML overflow attempt || bugtraq,11238 ++3655 || SMTP SEND overflow attempt || bugtraq,11238 ++3656 || SMTP MAIL overflow attempt || bugtraq,11238 ++3657 || ORACLE ctxsys.driload attempt || bugtraq,11099 || cve,2004-0637 ++3658 || EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3659 || EXPLOIT ARCserve 
backup universal agent option 1000 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3660 || EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3661 || EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3662 || EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3663 || EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 ++3664 || EXPLOIT PPTP echo request buffer overflow attempt || bugtaq,7316 || cve,2003-0213 ++3665 || MYSQL server greeting || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3666 || MYSQL server greeting finished || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt, ++3667 || MYSQL protocol 41 client authentication bypass attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3668 || MYSQL client authentication bypass attempt || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt, ++3669 || MYSQL protocol 41 secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3670 || MYSQL secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3671 || MYSQL protocol 41 client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3672 || MYSQL client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt ++3673 || MISC Microsoft SMS remote control client DoS overly long length attempt || bugtraq,10726 || cve,2004-0728 ++3674 || WEB-CGI db4web_c directory traversal attempt || bugtraq,5723 || cve,2002-1483 || nessus,11182 ++3675 || MISC IBM DB2 DTS empty format string dos attempt || bugtraq,11400 || 
url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781 ++3676 || WEB-MISC newsscript.pl admin attempt || bugtraq,12761 ++3677 || EXPLOIT SIP UDP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html ++3678 || EXPLOIT SIP TCP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html ++3679 || WEB-CLIENT Firefox IFRAME src javascript code execution || bugtraq,13544 || cve,2005-1476 ++3680 || P2P AOL Instant Messenger Message Send ++3681 || P2P AOL Instant Messenger Message Receive ++3682 || SMTP spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx ++3683 || WEB-CLIENT spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx ++3684 || WEB-CLIENT Bitmap Transfer ++3685 || WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt || bugtraq,9663 || cve,2004-0566 ++3686 || WEB-CLIENT Internet Explorer Content Advisor attempted overflow || bugtraq,13117 || cve,2005-0555 ++3687 || TELNET client ENV OPT USERVAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx ++3688 || TELNET client ENV OPT VAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx ++3689 || WEB-CLIENT Internet Explorer tRNS overflow attempt || bugtraq,13941 || cve,2005-1211 || url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx ++3690 || WEB-CGI Nucleus CMS action.php itemid SQL injection || bugtraq,10798 || nessus,14194 ++3691 || CHAT Yahoo Messenger Message ++3692 || CHAT Yahoo Messenger File Transfer Initiation Request ++3693 || WEB-MISC IBM WebSphere j_security_check overflow attempt || bugtraq,13853 ++3694 || WEB-MISC Squid content length cache poisoning attempt || bugtraq,12412 || cve,2005-0174 ++3695 || EXPLOIT Veritas Backup Agent password overflow attempt || cve,2005-0773 
++3696 || EXPLOIT Veritas Backup Agent DoS attempt || bugtraq,14201 || cve,2005-0772 ++3697 || NETBIOS DCERPC DIRECT veritas alter context attempt ++3698 || NETBIOS DCERPC DIRECT veritas bind attempt ++3699 || NETBIOS DCERPC DIRECT veritas little endian alter context attempt ++3700 || NETBIOS DCERPC DIRECT veritas little endian bind attempt ++3701 || NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt ++3702 || NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt ++3703 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt ++3704 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt ++3705 || NETBIOS SMB veritas WriteAndX alter context attempt ++3706 || NETBIOS SMB veritas WriteAndX andx alter context attempt ++3707 || NETBIOS SMB veritas WriteAndX andx bind attempt ++3708 || NETBIOS SMB veritas WriteAndX bind attempt ++3709 || NETBIOS SMB veritas WriteAndX little endian alter context attempt ++3710 || NETBIOS SMB veritas WriteAndX little endian andx alter context attempt ++3711 || NETBIOS SMB veritas WriteAndX little endian andx bind attempt ++3712 || NETBIOS SMB veritas WriteAndX little endian bind attempt ++3713 || NETBIOS SMB veritas WriteAndX unicode alter context attempt ++3714 || NETBIOS SMB veritas WriteAndX unicode andx alter context attempt ++3715 || NETBIOS SMB veritas WriteAndX unicode andx bind attempt ++3716 || NETBIOS SMB veritas WriteAndX unicode bind attempt ++3717 || NETBIOS SMB veritas WriteAndX unicode little endian alter context attempt ++3718 || NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt ++3719 || NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt ++3720 || NETBIOS SMB veritas WriteAndX unicode little endian bind attempt ++3721 || NETBIOS SMB veritas alter context attempt ++3722 || NETBIOS SMB veritas andx alter context attempt ++3723 || NETBIOS SMB veritas andx bind attempt ++3724 || NETBIOS SMB veritas bind attempt ++3725 || NETBIOS SMB veritas little 
endian alter context attempt ++3726 || NETBIOS SMB veritas little endian andx alter context attempt ++3727 || NETBIOS SMB veritas little endian andx bind attempt ++3728 || NETBIOS SMB veritas little endian bind attempt ++3729 || NETBIOS SMB veritas unicode alter context attempt ++3730 || NETBIOS SMB veritas unicode andx alter context attempt ++3731 || NETBIOS SMB veritas unicode andx bind attempt ++3732 || NETBIOS SMB veritas unicode bind attempt ++3733 || NETBIOS SMB veritas unicode little endian alter context attempt ++3734 || NETBIOS SMB veritas unicode little endian andx alter context attempt ++3735 || NETBIOS SMB veritas unicode little endian andx bind attempt ++3736 || NETBIOS SMB veritas unicode little endian bind attempt ++3737 || NETBIOS SMB-DS veritas WriteAndX alter context attempt ++3738 || NETBIOS SMB-DS veritas WriteAndX andx alter context attempt ++3739 || NETBIOS SMB-DS veritas WriteAndX andx bind attempt ++3740 || NETBIOS SMB-DS veritas WriteAndX bind attempt ++3741 || NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt ++3742 || NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt ++3743 || NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt ++3744 || NETBIOS SMB-DS veritas WriteAndX little endian bind attempt ++3745 || NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt ++3746 || NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt ++3747 || NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt ++3748 || NETBIOS SMB-DS veritas WriteAndX unicode bind attempt ++3749 || NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt ++3750 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt ++3751 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx bind attempt ++3752 || NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt ++3753 || NETBIOS SMB-DS veritas alter context attempt ++3754 || NETBIOS 
SMB-DS veritas andx alter context attempt ++3755 || NETBIOS SMB-DS veritas andx bind attempt ++3756 || NETBIOS SMB-DS veritas bind attempt ++3757 || NETBIOS SMB-DS veritas little endian alter context attempt ++3758 || NETBIOS SMB-DS veritas little endian andx alter context attempt ++3759 || NETBIOS SMB-DS veritas little endian andx bind attempt ++3760 || NETBIOS SMB-DS veritas little endian bind attempt ++3761 || NETBIOS SMB-DS veritas unicode alter context attempt ++3762 || NETBIOS SMB-DS veritas unicode andx alter context attempt ++3763 || NETBIOS SMB-DS veritas unicode andx bind attempt ++3764 || NETBIOS SMB-DS veritas unicode bind attempt ++3765 || NETBIOS SMB-DS veritas unicode little endian alter context attempt ++3766 || NETBIOS SMB-DS veritas unicode little endian andx alter context attempt ++3767 || NETBIOS SMB-DS veritas unicode little endian andx bind attempt ++3768 || NETBIOS SMB-DS veritas unicode little endian bind attempt ++3769 || NETBIOS DCERPC NCACN-HTTP veritas alter context attempt ++3770 || NETBIOS DCERPC NCACN-HTTP veritas bind attempt ++3771 || NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt ++3772 || NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt ++3773 || NETBIOS DCERPC DIRECT-UDP veritas alter context attempt ++3774 || NETBIOS DCERPC DIRECT-UDP veritas bind attempt ++3775 || NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt ++3776 || NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt ++3777 || NETBIOS DCERPC NCADG-IP-UDP veritas alter context attempt ++3778 || NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt ++3779 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt ++3780 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt ++3781 || NETBIOS-DG SMB veritas WriteAndX alter context attempt ++3782 || NETBIOS-DG SMB veritas WriteAndX andx alter context attempt ++3783 || NETBIOS-DG SMB veritas WriteAndX andx bind attempt ++3784 || NETBIOS-DG 
SMB veritas WriteAndX bind attempt ++3785 || NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt ++3786 || NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt ++3787 || NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt ++3788 || NETBIOS-DG SMB veritas WriteAndX little endian bind attempt ++3789 || NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt ++3790 || NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt ++3791 || NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt ++3792 || NETBIOS-DG SMB veritas WriteAndX unicode bind attempt ++3793 || NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt ++3794 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt ++3795 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt ++3796 || NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt ++3797 || NETBIOS-DG SMB veritas alter context attempt ++3798 || NETBIOS-DG SMB veritas andx alter context attempt ++3799 || NETBIOS-DG SMB veritas andx bind attempt ++3800 || NETBIOS-DG SMB veritas bind attempt ++3801 || NETBIOS-DG SMB veritas little endian alter context attempt ++3802 || NETBIOS-DG SMB veritas little endian andx alter context attempt ++3803 || NETBIOS-DG SMB veritas little endian andx bind attempt ++3804 || NETBIOS-DG SMB veritas little endian bind attempt ++3805 || NETBIOS-DG SMB veritas unicode alter context attempt ++3806 || NETBIOS-DG SMB veritas unicode andx alter context attempt ++3807 || NETBIOS-DG SMB veritas unicode andx bind attempt ++3808 || NETBIOS-DG SMB veritas unicode bind attempt ++3809 || NETBIOS-DG SMB veritas unicode little endian alter context attempt ++3810 || NETBIOS-DG SMB veritas unicode little endian andx alter context attempt ++3811 || NETBIOS-DG SMB veritas unicode little endian andx bind attempt ++3812 || NETBIOS-DG SMB veritas unicode little endian bind attempt ++3813 
|| WEB-CGI awstats.pl configdir command execution attempt || bugtraq,12298 || cve,2005-0116
++3814 || WEB-CLIENT IE javaprxy.dll COM access || bugtraq,14087 || cve,2005-2087
++3815 || SMTP eXchange POP3 mail server overflow attempt || bugtraq,10180
++3816 || WEB-MISC BadBlue ext.dll buffer overflow attempt || bugtraq,7387
++3817 || TFTP GET transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
++3818 || TFTP PUT transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
++3819 || WEB-CLIENT multipacket CHM file transfer start || bugtraq,13953 || cve,2005-1208 || nessus,18482
++3820 || WEB-CLIENT multipacket CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
++3821 || WEB-CLIENT CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
++3822 || WEB-MISC Real Player realtext long URI request
++3823 || WEB-MISC Real Player realtext file bad version buffer overflow attempt || bugtraq,14048 || cve,2005-1766
++3824 || SMTP AUTH user overflow attempt || bugtraq,13772
++3825 || POLICY AOL Instant Messenger Message Send
++3826 || POLICY AOL Instant Messenger Message Receive
++3827 || WEB-PHP xmlrpc.php post attempt || bugtraq,14088 || cve,2005-1921
+--- /dev/null
++++ b/rules/dns.rules
+@@ -0,0 +1,54 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
++#----------
++# DNS RULES
++#----------
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
++
++
++
++alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
++alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
++
++
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
++# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
++# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
+--- /dev/null
++++ b/rules/community-icmp.rules
+@@ -0,0 +1,8 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-icmp.rules,v 1.4 2006/06/01 15:51:28 akirk Exp $
++
++#Rule submitted by rmkml
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP Linux DoS sctp Exploit"; icode:2; itype:3; content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:nessus,19777; classtype:attempted-user; sid:100000164; rev:2;)
++alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:1;)
+--- /dev/null
++++ b/rules/community-oracle.rules
+@@ -0,0 +1,6 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;)
+--- /dev/null
++++ b/rules/community-game.rules
+@@ -0,0 +1,10 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
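Review bot: The TCP TSIG rule (sid:303) keys on `|AB CD 09 80 ...|`, and the leading `AB CD` sits where a DNS message carries its client-chosen transaction ID, so the signature presumably fires only on the one published exploit that hard-codes that ID and is evaded by any variant that picks another. If that reading is right, drop the first two bytes so the match starts at the flags and section counts of the inverse query, `content:"|09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a";`, or better, express the condition the way sid:3153 does with `byte_test` on the opcode rather than on exploit-specific bytes. The commented-out sid:2922 still reads the flags with `byte_test:1,<,16,2` on TCP, whereas the enabled sid:3153 uses offset 4 to step over the two-byte length prefix; shipping dead rules with the wrong offset invites someone to uncomment them, so either delete them or correct the offset before leaving them in the file.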
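Review bot: The iSQL*Plus shutdown rule (sid:100000166) matches `COMMAND`, `\x3D`, `STOP` and `LISTENER` against the raw payload, so a request that percent-encodes any of those characters (for example `COMMAND%3DSTOP`) passes neither the content matches nor the pcre while the server still decodes it to the same command. If the HTTP preprocessor is enabled for this port, match the normalized URI instead: add `http_uri;` to each `content` and the `U` modifier to the pcre, `pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/Usi";`. The header hard-codes `$SQL_SERVERS 3339` without saying which service is expected there; a one-line comment above the rule naming the iSQL*Plus port it was written for would help anyone tuning it to a deployment that listens elsewhere.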
++# These rules are licensed under the GNU General Public License. ++# Please see the file LICENSE in this directory for more details. ++# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $ ++ ++alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;) ++alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;) +--- /dev/null ++++ b/rules/oracle.rules +@@ -0,0 +1,375 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. 
Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $ ++#---------- ++# ORACLE RULES ++#---------- ++# ++# These signatures detect unusual and potentially malicious oracle traffic. ++# These signatures are based from signatures written by Hank Leininger ++# for Enterasys's Dragon IDS that he released ++# publicly. ++# ++# These signatures are not enabled by default as they may generate false ++# positive alarms on networks that do oracle development. If you use an ++# Oracle based web application, you should set the destination port to ++# 80 to catch attackers attempting to exploit your web application. 
++# ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
all_views access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; 
classtype:protocol-command-decode; sid:1690; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; 
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; 
pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; 
rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;) ++ 
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;) ++alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;) ++alert tcp $EXTERNAL_NET 
any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;)
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; 
flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;) 
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2758; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; 
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2897; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2762; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; 
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2856; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2738; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; 
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; 
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; 
rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;) ++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;)
+--- /dev/null
++++ b/rules/x11.rules
+@@ -0,0 +1,24 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc.
Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
++#----------
++# X11 RULES
++#----------
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
+--- /dev/null
++++ b/rules/community-sql-injection.rules
+@@ -0,0 +1,15 @@
++# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# These rules are licensed under the GNU General Public License.
++# Please see the file LICENSE in this directory for more details.
++# $Id: community-sql-injection.rules,v 1.10 2006/10/19 20:19:34 akirk Exp $
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/rawdocdata.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000106; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/RawCustomSearchField.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000107; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB board.php"; flow:to_server,established; uricontent:"/board.php"; pcre:"/board.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000108; rev:1;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB member.php"; flow:to_server,established; uricontent:"/member.php"; pcre:"/member.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000109; rev:1;)
++#Rules submitted by rmkml
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumTopicDetails.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410;
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20846; classtype:web-application-attack; sid:100000192; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumAuthDetails.php"; nocase; uricontent:"AuthID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20845; classtype:web-application-attack; sid:100000193; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumReply.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20847; classtype:web-application-attack; sid:100000194; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION BXCP Sql Injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; pcre:"/\x2b\w*\x54\w*/"; reference:bugtraq,18765; reference:url,www.milw0rm.com/exploits/1975; classtype:web-application-attack; sid:100000690; rev:2;)
++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"admin"; nocase; reference:bugtraq,18760; classtype:web-application-attack; sid:100000691; rev:2;)
+--- /dev/null
++++ b/rules/tftp.rules
+@@
-0,0 +1,39 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $
++#-----------
++# TFTP RULES
++#-----------
++#
++# These signatures are based on TFTP traffic. These include malicious files
++# that are distributed via TFTP.
++#
++# The last two signatures refer to generic GET and PUT via TFTP, which is
++# generally frowned upon on most networks, but may be used in some enviornments
++
++alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
++alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
++alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
++alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
++alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
++alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
++alert
udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
++alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
+--- /dev/null
++++ b/rules/policy.rules
+@@ -0,0 +1,55 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved. All other GPL Rules are owned and copyrighted by their
++# respective owners (please see www.snort.org/contributors for a list of
++# owners and their respective copyrights). In order to determine what
++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
++# Certified Rules License Agreement.
++#
++#
++# $Id: policy.rules,v 1.38.2.2.2.3 2005/07/22 19:19:54 mwatchinski Exp $
++#-------------
++# POLICY RULES
++#-------------
++#
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
++
++alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
++
++
++# we have started to see multiple versions of this beyond 003.003, so we have
++# expanded this signature to take that into account.
++alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
++
++alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
++alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
++alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access";
reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;)
++
++# NOTES: This signature would be better off using uricontent, and having the
++# http decoder looking at 5800 and 5802, but that is on by default
++alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
++
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD ' possible warez site"; flow:to_Server,established; content:"MKD "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .'
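Review bot: Both x11 rules (sid 1225 and sid 1226) watch only destination port 6000, so they see display :0 and nothing else; an X server serving display :N listens on 6000+N, and a host running a second display or a forwarded one is not covered, so I would widen the port to a range such as `$HOME_NET 6000:6063` unless this deployment knowingly only cares about :0. Both rules also use `flow:established;` with no direction although the matched bytes (the MIT-MAGIC-COOKIE-1 name and the `l|00 0B ...|` setup request) are sent by the client, so `flow:to_server,established;` would say what the rule means and avoid matching the same bytes if they ever appear in server-to-client data. The classtype on sid 1226 is `unknown`; since the rule fires on an ordinary connection-setup request it reads more like `misc-activity`, but that is a judgement call.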
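Review bot: sid 100000107 ("RawCustomSearchField.asp") carries the prefilter `uricontent:"/rawdocdata.asp?"` copied from sid 100000106, while its pcre looks for `RawCustomSearchField.asp\x3F`; a request for RawCustomSearchField.asp does not contain the string `/rawdocdata.asp?`, so the fast-pattern check fails first and the rule can only fire on a URI that happens to contain both names, i.e. effectively never. The fix is the one option: `uricontent:"/RawCustomSearchField.asp?"; nocase;`. While there, the `.` in both BizTalk pcre patterns is an unescaped wildcard (`rawdocdata.asp`, `RawCustomSearchField.asp`); harmless for detection but `\.` states the intent.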
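Review bot: The header comment "The last two signatures refer to generic GET and PUT via TFTP" no longer describes the file: the last two rules are "TFTP Get" (sid 1444) and "TFTP NULL command attempt" (sid 2339), and "TFTP Put" (sid 518) sits three from the end, so an operator who follows the comment to decide what to disable will turn off the wrong rule. I would rewrite it as `# The generic "TFTP Get" (sid 1444) and "TFTP Put" (sid 518) signatures fire on any GET or PUT via TFTP, which is` / `# generally frowned upon on most networks, but may be used in some environments`, which also fixes the "enviornments" typo. Separately, sids 1941/2337/1289/1441-1443 use `any any -> any 69` while the rest of the file uses `$EXTERNAL_NET any -> $HOME_NET 69`; if the wider scope is deliberate (catching an internal host pulling nc.exe from an external TFTP server) a one-line comment saying so would stop the next editor "fixing" it.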
possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;) ++alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;) ++alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;) +--- /dev/null ++++ b/rules/mysql.rules +@@ -0,0 +1,31 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. 
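Review bot: sid 547 ("POLICY FTP 'MKD ' possible warez site") spells the flow keyword `flow:to_Server,established;` while every other rule in the file, and sid 548 right after it, writes `to_server`; Snort's flow parser may accept the keyword case-insensitively, but the odd capitalisation reads like a typo and I would not want to rely on it, so change it to `flow:to_server,established;`. On sid 1429, the source address is the hard-coded IP `66.151.158.177` standing in for poll.gotomypc.com; an address pinned in a rule goes stale silently when the service moves, so the rule deserves a comment giving the lookup date and a reminder to re-resolve it, or a note that this is a best-effort policy rule rather than a reliable one.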
(the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: mysql.rules,v 1.10.2.2.2.3 2005/05/31 17:13:02 mwatchinski Exp $ ++#---------- ++# MYSQL RULES ++#---------- ++# ++# These signatures detect unusual and potentially malicious mysql traffic. ++# ++# These signatures are not enabled by default as they may generate false ++# positive alarms on networks that do mysql development. 
++#
++
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
++alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
+--- /dev/null
++++ b/rules/purge-non-gpl.sh
+@@ -0,0 +1,23 @@
++#!/bin/sh
++# Purges non-GPL rules from a common set
++
++if [ -z "$1" ] ; then
++ echo "Usage: $0 directory_with_rules"
++fi
++
++if [ ! -d "$1" ] ; then
++ echo "ERROR: $1 is not a directory"
++ exit 1
++fi
++
++for file in $1/*rules; do
++ if [ -r "$file" ] ; then
++ name=`basename $file`
++ if [ ! -e "$name" ] ; then
++ cat $file |perl remove-non-gpl.pl >$name
++ else
++ echo "ERROR: Cowardly refusing to overwrite $name"
++ fi
++ fi
++done
++
+--- /dev/null
++++ b/rules/bad-traffic.rules
+@@ -0,0 +1,41 @@
++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
++#
++# This file may contain proprietary rules that were created, tested and
++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
++# rules that were created by Sourcefire and other third parties and
++# distributed under the GNU General Public License (the "GPL Rules"). The
++# VRT Certified Rules contained in this file are the property of
++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
++# The GPL Rules created by Sourcefire, Inc. are the property of
++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
++# Reserved.
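Review bot: The usage branch in purge-non-gpl.sh falls through instead of exiting: with no argument the script goes on to the directory test and dies with the misleading `ERROR:  is not a directory`, so an `exit 1` belongs right after the usage message. The loop also expands `$1/*rules`, `basename $file`, `cat $file` and `>$name` unquoted, so a rules directory or file name containing whitespace or glob characters is split into several words and the filtered copy can land in the wrong file; the `cat | perl` pipeline is a plain input redirection. `perl remove-non-gpl.pl` is resolved against the current working directory, not the script's location, which the header should state, e.g. `# Run from the directory holding remove-non-gpl.pl; filtered copies are written to the cwd`.
```shell
if [ -z "$1" ] ; then
    echo "Usage: $0 directory_with_rules"
    exit 1
fi
# … unchanged: directory check …
for file in "$1"/*rules; do
    if [ -r "$file" ] ; then
        name=`basename "$file"`
        if [ ! -e "$name" ] ; then
            perl remove-non-gpl.pl <"$file" >"$name"
# … unchanged: overwrite refusal, fi/fi/done …
```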
All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $ ++#------------------ ++# BAD TRAFFIC RULES ++#------------------ ++# These signatures are representitive of traffic that should never be seen on ++# any network. None of these signatures include datagram content checking ++# and are extremely quick signatures ++# ++ ++alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;) ++alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;) ++alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;) ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;) ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;) 
++# linux happens. Blah ++# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;) ++alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;) ++alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;) ++alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;) +--- /dev/null ++++ b/rules/generators +@@ -0,0 +1,39 @@ ++# Master Registry of Snort Generator Ids ++# ++# ++# This file is used to maintain unique generator ids for files even if ++# the default snort configuration doesn't include some patch that is ++# required for a specific preprocessor to work ++# ++# ++# ++# Maintainer: Chris Green ++# ++# Contact cmg@sourcefire.com for an assignment ++ ++rules_subsystem 1 # Snort Rules Engine ++tag_subsystem 2 # Tagging Subsystem ++portscan 100 # Portscan1 ++minfrag 101 # Minfrag [ removed ] ++http_decode 102 # HTTP decode 1/2 ++defrag 103 # First defragmenter [ removed ] ++spade 104 # SPADE [ not included anymore ] ++bo 105 # Back Orifice ++rpc_decode 106 # 
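Review bot: The `ip_proto:>134` bound in sid:1627 (`BAD-TRAFFIC Unassigned/Reserved IP protocol`) is stale: IANA has assigned numbers above 134 (136 UDPLite, 137 MPLS-in-IP and 139 HIP among them), so hosts using those protocols raise a `non-standard-protocol` alert whose message calls them unassigned. The bound should follow the IANA protocol-numbers registry that the rule's own `reference:url` points at, and a comment recording when it was last checked would make the next update easier, e.g. `# upper bound verified against the IANA protocol-numbers registry on <DATE-PLACEHOLDER>`. The file header's `representitive` should read `representative`.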
RPC Preprocessor ++stream2 107 # 2nd stream preprocessor [removed] ++stream3 108 # 3rd stream preprocessor (AVL nightmare) [ removed ] ++telnet_neg 109 # telnet option decoder ++unidecode 110 # unicode decoder ++stream4 111 # Stream4 preprocessor ++arpspoof 112 # Arp Spoof detector ++frag2 113 # 2nd fragment preprocessor ++fnord 114 # NOP detector [ removed ] ++asn1 115 # ASN.1 Validator [ removed ] ++decode 116 # Snort Internal Decoder ++scan2 117 # portscan2 ++conversation 118 # conversation ++reserved 119 # TBA ++reserved 120 # TBA ++snmp 121 # Andrew Baker's newer SNMP decoder ++sfportscan 122 # Dan Roelkers portscan ++frag3 123 # Marty Roesch's ip frag reassembler +--- /dev/null ++++ b/rules/web-attacks.rules +@@ -0,0 +1,74 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. ++# ++# ++# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ ++# ---------------- ++# WEB ATTACKS ++# ---------------- ++# These signatures are generic signatures that will catch common commands ++# used to exploit form variable vulnerabilities. 
These signatures should ++# not false very often. ++# ++# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net ++# if you find one of these signatures to be too false possitive. ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command 
attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; 
classtype:web-application-attack; sid:1345; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;) ++alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; 
nocase; classtype:web-application-activity; sid:1373; rev:6;) +--- /dev/null ++++ b/rules/pop3.rules +@@ -0,0 +1,58 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
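Review bot: Most rules in web-attacks.rules match with `content` rather than `uricontent` (only sids 1328, 1329, 1368 and 1369 inspect the normalized URI), and short `nocase` patterns such as `rm%20`, `cc%20`, `mail%20` or `|3B|id` match inside ordinary words (`form%20`, `acc%20`, `e-mail%20`) anywhere in the client-to-server stream, including POST bodies, so the header's claim that these `should not false very often` is optimistic. Moving the short patterns to `uricontent` would narrow them to the request URI the header says they target, and the rule's `msg` should say which field is inspected. sids 1366 and 1367 both carry `msg:"WEB-ATTACKS mail command attempt"`, so their alerts cannot be told apart without the sid; the header's `possitive` should read `positive`.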
++# ++# ++# $Id: pop3.rules,v 1.22.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $ ++#-------------- ++# POP3 RULES ++#-------------- ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 
(msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;) ++ ++# bsd-qpopper.c ++# overflow in the reading of a line in qpopper ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; 
rev:11;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;) ++# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; 
reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:10;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:13;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:6;) ++alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; 
depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:6;) ++alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:6;) ++ ++alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;) +--- /dev/null ++++ b/rules/web-misc.rules +@@ -0,0 +1,443 @@ ++# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved ++# ++# This file may contain proprietary rules that were created, tested and ++# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as ++# rules that were created by Sourcefire and other third parties and ++# distributed under the GNU General Public License (the "GPL Rules"). The ++# VRT Certified Rules contained in this file are the property of ++# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. ++# The GPL Rules created by Sourcefire, Inc. are the property of ++# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights ++# Reserved. All other GPL Rules are owned and copyrighted by their ++# respective owners (please see www.snort.org/contributors for a list of ++# owners and their respective copyrights). In order to determine what ++# rules are VRT Certified Rules or GPL Rules, please refer to the VRT ++# Certified Rules License Agreement. 
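Review bot: sids 286 and 287 in pop3.rules carry the identical `msg:"POP3 EXPLOIT x86 BSD overflow"`, so an alert cannot be told apart without looking at the sid, and the `# bsd-qpopper.c` / `# overflow in the reading of a line in qpopper` comment sits above 286 only, leaving 287 undocumented. 287 and 288 are also the only exploit-payload rules in the file with no `reference:` option, so an analyst has nothing to follow from the alert. A distinguishing message for 287 and a one-line comment above each of 287 and 288 naming the payload family it matches, e.g. `# second x86 BSD qpopper payload variant; no public advisory reference known`, would fix both.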
++# ++# ++# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $ ++#--------------- ++# WEB-MISC RULES ++#--------------- ++ ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;) ++alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:" ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3144.txt +@@ -0,0 +1,77 @@ ++Rule: ++ ++-- ++Sid: ++3144 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft systems using Server Message Block (SMB). ++ ++-- ++Impact: ++Serious. Execution of arbitrary code leading to unauthorized ++administrative access to the target host. 
Denial of Service (DoS) is ++also possible. ++ ++-- ++Detailed Information: ++SMB is a client - server protocol used in sharing resources such as ++files, printers, ports, named pipes and other things, between machines ++on a network. ++ ++A vulnerability in the Microsoft implementation of SMB exists due to a ++programming error which may present an attacker with the opportunity to ++exploit the service and run code of their choosing on an affected ++system. The attacker may then cause a DoS condition in the service or ++possibly gain unauthorized access to the target host. ++ ++A malicious attacker can exploit the vulnerability by sending a ++malicious response from a server in response to a client request using ++SMB. ++ ++-- ++Affected Systems: ++ Microsoft Windows 2003 ++ Microsoft Windows 2000 ++ Microsoft Windows XP ++ ++-- ++Attack Scenarios: ++An attacker can supply extra data in the message from the server ++containing code of their choosing to be run on the client. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Turn off windows file and print services. ++ ++Use Samba as an alternative. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++eEye: ++http://www.eeye.com/html/research/advisories/AD20050208.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/546.txt +@@ -0,0 +1,56 @@ ++Rule: ++ ++-- ++Sid: ++546 ++ ++-- ++Summary: ++This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space. ++ ++-- ++Impact: ++Unauthorized file storage. An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software. 
++ ++-- ++Detailed Information: ++An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space. This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. ++ ++-- ++Affected Systems: ++FTP servers ++ ++-- ++Attack Scenarios: ++An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++It is remotely possible that an authorized directory exists with a name that begins with a space. ++ ++-- ++False Negatives: ++Hidden directories other than those with names that begin with a space may be used to store "warez" files. ++ ++-- ++Corrective Action: ++Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. ++ ++Regularly monitor directories for sudden or drastic increased use of space. ++ ++-- ++Contributors: ++Original rule writer unknown ++Modified by Brian Caswell ++Snort documentation contributed by Chaos ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/432.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++ ++Sid: ++432 ++ ++-- ++ ++Summary: ++This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram. ++ ++-- ++ ++Impact: ++ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. ++ ++-- ++ ++Detailed Information: ++Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. 
ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index). ++ ++-- ++ ++Attack Scenarios: ++None known ++ ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate this type of ICMP datagram. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++ ++-- ++ ++Corrective Action: ++ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. ++ ++-- ++ ++Contributors: ++Original Rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++RFC2521 ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2534.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++2534 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the Microsoft implementation of SSL Version 3. ++ ++-- ++Impact: ++Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in the handling of SSL Version 3 requests that ++can be manipulated to cause a DoS condition in various software ++implementations used on Microsoft operating systems. ++ ++The condition exists because of poor error handling routines in the ++Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an ++invalid field, sent to vulnerable systems can cause the affected host to stop ++handling any further requests. ++ ++-- ++Affected Systems: ++ Microsoft Windows 2000, 2003 and XP systems using SSL ++ ++-- ++Attack Scenarios: ++An attcker needs to make an SSL request to an affected system that ++contains an invalid field. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++-- ++Contributors: ++Sourcefire Research Team ++Matt Watchinski ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3316.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3316 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3034.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: ++3034 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Samba implementation. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code. ++ ++-- ++Detailed Information: ++Samba is a file and print serving system for heterogenous networks. It ++is available for use as a service and client on UNIX/Linux systems and as ++a client for Microsoft Windows systems. ++ ++Samba uses the SMB/CIFS protocols to allow communication between client ++and server. The SMB protocol contains many commands and is commonly used ++to control network devices and systems from a remote location. A ++vulnerability exists in the way the smb daemon processes commands sent by ++a client system when accessing resources on the remote server.The problem ++exists in the allocation of memory which can be exploited by an attacker ++to cause an integer overflow, possibly leading to the execution of ++arbitrary code on the affected system with the privileges of the user ++running the smbd process. ++ ++-- ++Affected Systems: ++ Samba 3.0.8 and prior ++ ++-- ++Attack Scenarios: ++An attacker needs to supply specially crafted data to the smb daemon to ++overflow a buffer containing the information for the access control lists ++to be applied to files in the smb query. ++ ++-- ++Ease of Attack: ++Difficult. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1919.txt +@@ -0,0 +1,59 @@ ++Rule: ++-- ++Sid: ++1919 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer overflow or denial of service vulnerability associated with FTP CWD command. ++ ++-- ++Impact: ++Remote access or denial of service. A successful attack can cause a denial of service or allow remote execution of arbitrary commands with privileges of the process running the FTP server. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit various vulnerabilities associated with the FTP CWD command of different FTP servers. It is possible to cause a denial of service attack or gain remote access to execute arbitrary commands with the privileges of the process running the FTP server by sending an overly long argument with the FTP CWD command. ++ ++-- ++Affected Systems: ++Hosts running BlackMoon FTP Server 1.0 through 1.5. ++Hosts running Argosoft FRP server 1.0. ++Hosts running TYPSoft FTP Server 0.7x. ++ ++-- ++Attack Scenarios: ++An attacker can supply an overly long file argument with the CWD command, causing a denial of service or buffer overflow. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0126 ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1194 ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1035 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/386.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++386 ++ ++-- ++Summary: ++This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks. ++ ++-- ++Impact: ++Information gathering. ++ ++-- ++Detailed Information: ++If an attacker sends an ICMP request to an internal server for address mask information (SID 388 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks. ++ ++-- ++Affected Systems: ++Any system that responds to ICMP address mask requests. ++ ++-- ++Attack Scenarios: ++An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration. ++ ++-- ++Ease of Attack: ++Simple. Tools that use this method of information gathering are freely available. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski ++Sourcefire Technical Publications Team ++Jen Harvey ++ ++-- ++Additional References: ++ ++CVE ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524 ++ ++ArachNIDS ++http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000168.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++100000168 ++ ++-- ++Summary: ++The password-cracking tool Hydra has been detected in HTTP traffic. ++ ++-- ++Impact: ++An attacker may be attempting to break into one or more web servers monitored ++by Snort via a brute-force password attack. If successful, the attacker may ++gain unauthorized access to internal networks. ++ ++-- ++Detailed Information: ++Hydra is a password-cracking tool released by a group of security experts ++called THC, "The Hacker's Choice." Requests sent by this tool to a web server ++contain the User-Agent string "Mozilla/4.0 (Hydra)". Since normal browsers' ++User-Agent strings do not contain the string "(Hydra)", the presence of this ++string indicates that the Hydra tool is likely being used. ++ ++-- ++Affected Systems: ++Any system running a web server. ++ ++-- ++Attack Scenarios: ++Attackers will use the Hydra password-cracking tool. ++ ++-- ++Ease of Attack: ++Simple, as the program is publicly available and is well-documented. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Check system logs and Snort alert logs for suspicious activity, particularly ++unusual logons. Ensure that secure passwords are being used throughout your ++network. 
++ ++-- ++Contributors: ++rmkml ++Sourcefire Research Team ++ ++-- ++Additional References ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000146.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++100000146 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a ++directory traversal associated with Imail Web Calendaring ++servicel ++ ++-- ++Impact: ++A successful attack can permit a user to navigate outside ++of the web root directory and read files. ++ ++-- ++Detailed Information: ++The Imail Web Calendaring Server does not properly sanitize ++a malformed URL that contains directory traversal characters. ++This vulnerability is associated with static objects identified ++by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This ++can permit an unauthorized user to examine files that may contain ++sensitive information. ++ ++-- ++Affected Systems: ++Ipswitch IMail Server 8.2 and prior ++Ipswitch IMail Server 8.15 and prior ++ ++-- ++Attack Scenarios: ++An attacker send a URI containing a directory traversal to view ++sensitive files on a vulnerable server. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the most current non-affected version of the product. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References ++Other: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/355.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++355 ++ ++-- ++Summary: ++This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server. ++ ++-- ++Impact: ++Remote root access. The attack may indicate that the FTP server has been compromised. ++ ++-- ++Detailed Information: ++The password "wh00t" is a common backdoor password associated with a compromised root account. 
If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created. Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others. ++ ++-- ++Affected Systems: ++FTP servers. ++ ++-- ++Attack Scenarios: ++An attacker may compromise a host and create a backdoor account. An attacker may attempt to locate FTP servers with a backdoor account. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++It is very remotely possible that a legitimate password of "wh00t" exists. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Examine the suspected compromised host for unauthorized changes. ++ ++Make sure that the suspected compromised host has all security patches applied. ++ ++Log activity to and from the suspected compromised host. ++ ++Examine other systems on the network for evidence of compromise. ++ ++If a compromised is discovered, reinstall the operating system. ++ ++-- ++Contributors: ++Orignal rule written by Ron Gula ++Documented by Steven Alexander ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Arachnids: ++http://www.whitehats.com/info/IDS324 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000550.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++100000550 ++-- ++Summary: ++This event is generated when an attempt is made to access the file "comment.php ++which contains known vulnerabilities in the "Project Eros BBSEngine" ++application running on a webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to access a file with known ++vulnerabilities from a remote machine used by the "Project Eros BBSEngine" ++application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Project Eros BBSEngine ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/3428.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3428 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. 
++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1571.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1571 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. ++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. 
++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/658.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++658 ++ ++-- ++Summary: ++This event is generated when a denial of service is attempted on a Microsoft Exchange mail server. ++ ++-- ++Impact: ++Denial of service. This will cause the Exchange server to fail. ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft Exchange 5.5 that causes a denial of service if a MIME header contains the string 'charset = ""'. The Exchange server does not properly handle this MIME header string, causing it to crash. ++ ++-- ++Affected Systems: ++Microsoft Exchange server 5.5 ++ ++-- ++Attack Scenarios: ++An attacker can supply a malicious string in the MIME header causing the Exchange server to fail. ++ ++-- ++Ease of Attack: ++Easy. An attacker can telnet to port 25 of the Exchange server, start a dialogue with the server, and supply the malicious string in the MIME header. ++ ++-- ++False Positives: ++None Known. 
++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Apply the appropriate patch or upgrade to Exchange 5.5 service Pack 4. ++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Microsoft: ++http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-082.asp ++ ++Miscellaneous: ++http://packetstormsecurity.nl/0011-exploits/exchange.dos.txt ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000778.txt +@@ -0,0 +1,56 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000778 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPMailList" application running on a webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "maillist.php" script used by the "PHPMailList" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using PHPMailList ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000500.txt +@@ -0,0 +1,72 @@ ++Rule: ++ ++-- ++Sid: ++100000500 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "PictureDis" application running on a webserver. ++Access to the file "wpfiles.php" using a remote file being passed as the "lang" ++parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "lang" parameter in the "wpfiles.php" script used by the ++"PictureDis" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using PictureDis ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2177.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++2176 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to access a system ++folder via SMB. ++ ++-- ++Impact: ++Serious. This folder contains important operating system information. ++ ++-- ++Detailed Information: ++This event indicates that an attempt was made to access a folder ++containing important operating system files using SMB across the ++network. ++ ++-- ++Affected Systems: ++Microsoft Windows systems. ++ ++-- ++Attack Scenarios: ++If this folder is accessible via SMB the attacker can replace or view ++important operating system files. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the host for signs of system compromise. ++ ++Turn off file and print sharing on the target host. ++ ++Use a packet filtering firewall to disallow SMB access to the host from ++sources external to the protected network. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2495.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++2495 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the Microsoft RPC service. ++ ++-- ++Impact: ++Denial of Service (DoS). Possible execution of arbitrary code leading to ++unauthorized remote access to the victim host. ++ ++-- ++Detailed Information: ++It may be possible for an attacker to cause a DoS condition in the ++Microsoft RPC service when multiple simultaneous requests are made to a ++vulnerable host. This can lead to an exhaustion of system resources ++causing the DoS. ++ ++-- ++Affected Systems: ++ Windows systems running RPC services ++ ++-- ++Attack Scenarios: ++An attacker may attempt to bind to the RPC service many times in an ++attempt to cause the DoS condition to occur. ++ ++-- ++Ease of Attack: ++Difficult. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++Apply the appropriate vendor supplied patches ++ ++-- ++Contributors: ++Sourcefire Research Team ++Matt Watchinski ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3343.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3343 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). 
++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000315.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++100000315 ++ ++-- ++Summary: ++This event is generated when an HTTP client issues a PUT request to upload ++a document into the web content area. ++ ++-- ++Impact: ++The PUT method is a legitimate HTTP command that allows an authorized user ++to upload a document into the web content tree. It is most often associated ++with the WebDAV content management protocol. 
++
++Although there are some legitimate uses for the PUT method, it is also a
++frequent source of web site defacement, as attackers can easily abuse
++misconfigured web servers that allow unrestricted PUT functionality from
++arbitrary users.
++
++--
++Detailed Information:
++The rule searches for HTTP requests using the PUT method, and tracks
++these sessions. The rule is intended to be used with SID 100000316 to
++track successful PUT requests, which may represent successful defacement
++attacks, instead of all PUT requests.
++
++Administrators who wish to track all PUT requests (successful or not) should
++remove the "flowbits:noalert;" section of this rule.
++
++--
++Affected Systems:
++Any web server
++
++--
++Attack Scenarios:
++An attacker can issue a PUT reuqest via a script, many different pieces of
++software, or through a manual connection to any web server port.
++
++--
++Ease of Attack:
++Simple. Numerous tools exist for creating PUT requests, including some geared
++specifically towards web site defacement.
++
++--
++False Positives:
++Organizations that use WebDAV to manage their web content may experience
++false positives, as the PUT method is a normal part of the WebDAV protocol.
++Additionally, any other legitimate web applications which use the PUT method
++will generate false positives.
++
++--
++False Negatives:
++None
++
++--
++Corrective Action:
++In cases of web site defacement, delete the newly-created file(s) and/or
++restore them from a reliable backup. In all cases, be sure to tune web server
++configuration to allow PUT requests only where necessary for a legitimate web
++application to function.
++
++--
++Contributors:
++David J. Bianco,
++
++--
++Additional References:
++http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2378.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2378
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Checkpoint VPN-1.
++
++--
++Impact:
++Unauthorized administrative access to Checkpoint VPN-1 systems
++
++--
++Detailed Information:
++Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
++affects the processing of large Certificate requests to the VPN service.
++By sending a large amount of data in the Certificate Request payload an
++attacker may cause a buffer overflow condition to occur, presenting an
++opportunity to execute code of their choosing with the privileges of the
++user running the service, usually root.
++
++--
++Affected Systems:
++ CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
++ CheckPoint Software FW-1 Next Generation FP1, FP0
++ CheckPoint Software VPN-1 1.4.1 SP5a
++ CheckPoint Software VPN-1 Next Generation FP1, FP0
++
++--
++Attack Scenarios:
++An attacker could supply a large Certificate Request payload containing
++code to be executed on the system.
++
++--
++Ease of Attack:
++Proof of concept code exists.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software
++
++Apply the appropriate vendor supplied patches
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3172.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3172
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/642.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid: 642
++
++--
++Summary:
++This event is generated when a buffer overflow attack is attempted against a target machine.
++
++--
++Impact:
++Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
++
++
++--
++Detailed Information:
++This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
++
++A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
++
++--
++Attack Scenarios:
++An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
++
++--
++Ease of Attack:
++Simple
++
++
++--
++False Positives:
++This event may be generated by legitimate traffic to the specified port.
++
++
++--
++False Negatives:
++This event is specific to the shell code defined in the rule.
++Other shell code sequences may not be detected.
++
++--
++Corrective Action:
++Check the target host for other signs of compromise.
++
++Look for other events concerning the target host.
++
++Apply vendor supplied patches and keep the operating system up to date.
++
++--
++Contributors:
++Original Rule Writer Unkown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS358
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000445.txt
+@@ -0,0 +1,61 @@
++
++
++Rule:
++
++--
++Sid:
++100000445
++
++--
++Summary:
++Particle Gallery is susceptible to an injection attack due to a lack
++of input validation on the imageid variable used in the viewimage.php
++component.
++
++--
++Impact:
++The injection attack could result in data leakage, or potential remote
++compromise.
++
++--
++Detailed Information:
++Particle Gallery is prone to an SQL-injection vulnerability. This issue is due
++to a failure in the application to properly sanitize user-supplied input
++before using it in an SQL query.
++
++A successful exploit could allow an attacker to compromise the application,
++access or modify data, or exploit vulnerabilities in the underlying database
++implementation.
++
++The data type assigned to the column referenced by the variable is int, so
++there should never be any text or characters outside of the int used to
++identify the image.
++
++--
++Attack Scenarios:
++Variable manipulation can be done with any browser.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Edit code and add input validation.
++
++--
++Contributors:
++Dan Ramaswami
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1012.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1012
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft Internet Information
++Server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft Internet Information Server (IIS). Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion.
++
++--
++Affected Systems:
++ All systems running Microsoft IIS
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1238.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1238
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1577.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1577
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/385.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++385
++
++--
++Summary:
++This event is generated when a Windows traceroute (tracert) is detected.
++
++--
++Impact:
++Information gathering. A traceroute can be used to discover live hosts and network topologies.
++
++--
++Detailed Information:
++A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies. The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host. Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit. A router sends this ICMP error message to the host running traceroute. The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached.
++
++Additionally There are at least three different implementations of
++traceroute. In one implementation traceroute works by sending an ICMP
++Echo Request packet to a destination host with a TTL value of 1. If the
++host is more than one hop away, the first route that receives the back
++will send back an ICMP packet indicating that the TTL was exceeded. The
++address of this router is then listed as the first hop. The packet is
++then sent out again with a TTL of 2. This continues until the
++destination host is able to reply or some maximum TTL value is reached.
++
++The other two implementations use the same TTL-based concept with an
++ICMP type of 30(traceroute) or with an UDP packet destined for an
++ephemeral port.
++
++--
++Affected Systems:
++All
++
++--
++Attack Scenarios:
++An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++The traceroute command may be used to legitimately troubleshoot networking problems.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Block inbound ICMP echo requests.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Judy Novak
++Nigel Houghton
++Snort documentation contributed by by Steven Alexander
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS118
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1961.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++1961
++
++--
++Summary:
++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rquotad is listening.
++
++
++--
++Impact:
++Information disclosure. This request is used to discover which port rquotad is using. Attackers can also learn what versions of the rquotad protocol are accepted by rquotad.
++
++--
++Detailed Information:
++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rquotad run. The rquotad RPC service can be queried for user disk usage and the limits of a local file system which is mounted by a remote machine over NFS. A vulnerability associated with rquotad may permit the execution of arbitrary commands with the privileges of root.
++
++--
++Affected Systems:
++All hosts running the UNIX portmapper.
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where rquotad runs. This may be a precursor to accessing rquotad.
++
++--
++Ease of Attack:
++Easy.
++
++--
++False Positives:
++If a legitimate remote user is allowed to access rquotad, this rule may trigger.
++
++--
++False Negatives:
++This rule detects probes of the portmapper service for rquotad, not probes of the rquotad service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rquotad service itself. An attacker may attempt to go directly to the rquotad port without querying the portmapper service, which would not trigger the rule.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/227.txt
+@@ -0,0 +1,56 @@
++Rule:
++--
++Sid:
++227
++
++--
++Summary:
++This event is generated when a Stacheldraht handler attempts to confirm that an agent has the ability to spoof a source IP.
++
++--
++Impact:
++Severe. This indicates that a Stacheldraht agent exists on the destination host.
++
++--
++Detailed Information:
++The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
++
++There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. In order for an agent host to make a good participant in a distributed denial of service, it must be able to spoof source IPs to elude detection. After a host becomes an agent, a test is conducted to see whether the agent can spoof a source IP. If the handler receives such a communication from the agent, it responds with an ICMP echo request with an ICMP identification number of 1000 and a content of "spoofworks" in the payload.
++
++--
++Affected Systems:
++Any Stacheldraht compromised host.
++
++--
++Attack Scenarios:
++A host on which a Stacheldraht agent has been installed will attempt to send a packet with a spoofed source IP to the handler. If the handler receives this communication, it will reply to the agent informing it that all 32 bits of source IP of DDoS traffic can be spoofed.
++
++--
++Ease of Attack:
++Simple. Stacheldraht code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Use egress filtering in your network to prevent traffic leaving your network that is not part of the internal address space so source IPs cannot be spoofed.
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS192
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/497.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid: 497
++
++--
++Summary:
++This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files.
++
++--
++Impact:
++Serious. An attacker may have the ability to transfer files from the victim host.
++
++--
++Detailed Information:
++This event indicates that a file was successfully copied using Windows command line shell. The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command.
++
++Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker.
++
++--
++
++Attack Scenarios:
++An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system.
++
++--
++
++Ease of Attack:
++Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Investigate the web server for other signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3270.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3270
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000463.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000463
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Joomla" application running on a webserver.
++Access to the file "joomla.php" using a remote file being passed as the
++"includepath" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "includepath" parameter in the "joomla.php" script used
++by the "Joomla" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Joomla
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/372.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++372
++
++--
++Summary:
++This event is generated when an ICMP echo request is made from a Windows host running Delphi software.
++
++--
++Impact:
++Information gathering. An ICMP echo request can determine if a host is active.
++
++--
++Detailed Information:
++An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Delphi software contains a unique payload in the message request.
++
++--
++Affected Systems:
++All
++
++--
++Attack Scenarios:
++An attacker may attempt to determine live hosts in a network prior to launching an attack.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++An ICMP echo request may be used to legimately troubleshoot networking problems.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Block inbound ICMP echo requests.
++
++--
++Contributors:
++Original rule written by Max Vision
++Documented by Steven Alexander
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS155
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3160.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3160
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1144.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1144
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3235.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3235
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1564.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1564
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2825.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2825
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure validate_flavor_definition
++. This procedure is included in
++sys.dbms_repcat_fla.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2389.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2389
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow vulnerability associated with WuFtpd RNTO command.
++
++--
++Impact:
++Remote access. A successful attack may permit the remote execution of
++arbitrary commands with system privileges.
++
++--
++Detailed Information:
++WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
++with the RNTO command that can cause a buffer overflow and permit the
++execution of arbitrary commands with system privileges. The buffer
++overflow can be caused by supplying an overly long argument to the RNTO
++command.
++
++The issue exists in the realpath() function. It is possible for an
++attacker to send malformed data to the realpath() function that will
++cause the overflow condition to occur.
++
++--
++Affected Systems:
++ Multiple systems using affected C libraries, libc
++
++--
++Attack Scenarios:
++An attacker can use one of the publicly available exploit scripts to
++cause the overflow to occur.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Use scp as an alternative to ftp
++
++Disallow ftp access to internal resources from external sources
++
++Recompile binaries statically linked to the system libc implementation
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1857.txt
+@@ -0,0 +1,64 @@
++Rule:
++--
++Sid:
++1857
++--
++Summary:
++This event is generated when a client is requesting the file "robot.txt"
++from a web server.
++
++--
++Impact:
++Information Disclosure. This file may contain data that could provide an
++attacker with information that could assist in an attack on the server.
++
++--
++Detailed Information:
++In the early days of the web, when search engines first began indexing
++sites, it was often desirable to tell the indexing programs, referred
++to as robots, not to index certain parts of a site. A standarized
++method of accomplishing this was created; by placing a file called
++"robot.txt" or "robots.txt" in the root of your web site which search
++engines could read and which would tell them what parts of your site you
++did not want indexed. However, this file can also be very valuable to
++potential attackers if it contains information such as restricted
++directories, cgi-bin locations, etc.
++
++--
++Affected Systems:
++Any web site that uses this method to communicate with robots.
++
++--
++Attack Scenarios:
++An attacker can read the "robot.txt" file and use any sensitive data in
++it to profile your site in preparation for an attack.
++
++--
++Ease of Attack:
++Simple. No exploit software required. Any browser can request a copy of
++"robot.txt" from the server.
++
++--
++False Positives:
++Many. Most automated search engine indexing programs still request this
++file prior to crawling through a web site.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure that your "robot.txt" file, if you need one, does not contain any
++sensitive data.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Snort documentation contributed by Kevin Peuhkurinen
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/297.txt
+@@ -0,0 +1,59 @@
++SID:
++297
++--
++
++Rule:
++--
++
++Summary:
++This event is triggered when an attempt is made to overflow an imapd
++server.
++--
++
++Impact:
++Commands may be run on the IMAP server as the root user, This can lead
++to a complete compromise of the targeted system
++--
++
++Detailed Information:
++Failure to check the size of the value passed to the 'AUTHENTICATE'
++command on certain IMAPD implementations can lead to a buffer overflow.
++This in turn can allow arbitrary commands to be executed on the server.
++--
++
++Affected Systems:
++ Netscape Messaging Server 3.55, University of Washington imapd 10.234
++--
++
++Attack Scenarios:
++An attacker may attempt to exploit a vulnerable imapd server, permitting
++the execution of arbitrary commands possibly with the privilege of user
++"root".
++--
++
++Ease of Attack:
++Simple. Sample exploit code is available.
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Vendors have provided updated versions, upgrading will resolve this problem
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1729.txt
+@@ -0,0 +1,53 @@
++Rule:
++
++--
++Sid: 1729
++
++--
++Summary:
++This event is generated when activity relating to network chat clients is detected.
++
++--
++Impact:
++Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
++
++--
++Detailed Information:
++Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
++
++Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
++
++An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++IRC Protocol
++http://www.irchelp.org/irchelp/rfc/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/973.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++973
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension.
++
++--
++Impact:
++Remote access. This attack may permit the execution of arbitrary commands on the victim server.
++
++--
++Detailed Information:
++Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL. A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.
++
++--
++Affected Systems:
++IIS 4.0 hosts
++
++--
++Attack Scenarios:
++An attacker can send a malformed request of a .idc file that causes a buffer overflow.
++
++--
++Ease of Attack:
++Simple. Exploit code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to a more current version of IIS.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
++
++Bugtraq:
++http://www.securityfocus.com/bid/307
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2506.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2506
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Microsoft implementation of SSL Version 3.
++
++--
++Impact:
++Denial of Service (DoS).
++--
++Detailed Information:
++A vulnerability exists in the handling of SSL Version 3 requests that
++can be manipulated to cause a DoS condition in various software
++implementations used on Microsoft operating systems.
++
++The condition exists because of poor error handling routines in the
++Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
++invalid field, sent to vulnerable systems can cause the affected host to stop
++handling any further requests.
++
++--
++Affected Systems:
++ Microsoft Windows 2000, 2003 and XP systems using SSL
++
++--
++Attack Scenarios:
++An attcker needs to make an SSL request to an affected system that
++contains an invalid field.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3220.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3220
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1072.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1072
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/640.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid: 640
++
++--
++Summary:
++This event is generated when a buffer overflow attack is attempted against a target machine.
++
++--
++Impact:
++Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
++
++
++--
++Detailed Information:
++This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
++
++A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
++
++--
++Attack Scenarios:
++An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
++
++--
++Ease of Attack:
++Simple
++
++
++--
++False Positives:
++This event may be generated by legitimate traffic to the specified port.
++
++
++--
++False Negatives:
++This event is specific to the shell code defined in the rule.
++Other shell code sequences may not be detected.
++
++--
++Corrective Action:
++Check the target host for other signs of compromise.
++
++Look for other events concerning the target host.
++
++Apply vendor supplied patches and keep the operating system up to date.
++
++--
++Contributors:
++Original Rule Writer Unkown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1288.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1288
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft FrontPage
++Server Extensions.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft FrontPage Server Extensions. Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion. In particular this rule generates events when the directory
++_vti_bin is accessed. This directory contains sensitive files that may
++be utilized in an attack against the server.
++
++--
++Affected Systems:
++ All systems running Microsoft FrontPage Server Extensions
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++A user who is using the "discuss" toolbar in Microsoft Internet Explorer
++may inadvertently generate an event from this rule, due to the browser
++making a check for Office Server Extensions. See this URI for more
++details.
++
++ http://www.webmasterworld.com/forum39/2158.htm
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000484.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++100000484
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "Confixx" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "lpath" parameter in the "ftp_index.php" script
++used by the "Confixx" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using Confixx
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000713.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000713
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "roster.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "roster.php" script used by the "PHPRaid" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server.
Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using PHPRaid
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/609.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid: 609
++
++--
++Summary:
++This event is generated due to the use of a suspicious login attempt
++
++--
++Impact:
++Serious. If successful the attacker may have gained superuser access to the host.
++
++--
++Detailed Information:
++This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
++
++A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
++
++--
++Attack Scenarios:
++If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag.
For example, rlogin host.foo.com -l -froot
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Investigate logs on the target host for further details and more signs of suspicious activity
++
++Use ssh for remote access instead of rlogin.
++
++Disable the "rsh" service if not used, apply a patch if appropriate.
++
++--
++Contributors:
++Original rule by Max Vision modified from a signature written by Ron Gula
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
++
++Arachnids:
++http://www.whitehats.com/info/IDS387
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000555.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++100000555
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "VebiMiau" application running on a webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "lid" parameter in the "error.php" script used
++by the "VebiMiau" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using VebiMiau
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/158.txt
+@@ -0,0 +1,103 @@
++Rule:
++
++--
++Sid:
++152, 157-158
++
++--
++Summary:
++Backdoor.Backconstruction is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files
++and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Backconstruction
++sever to programs normally started on boot. Due to the nature of this
++Trojan it is unlikely that the attacker's client IP address has been
++spoofed.
++
++ SID Message
++ --- -------
++ 152 BackConstruction 2.1 Connection (outgoing TCP
++connection)
++ 157 BackConstruction 2.1 Client FTP Open Request (incoming
++TCP connection)
++ 158 BackConstruction 2.1 Server FTP Open Reply (outging TCP
++connection)
++
++This Trojan is commonly used to install other Trojan programs.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Cmctl32.exe
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Shell = ":\WINDOWS\Cmctl32.exe"
++
++Removal of this entry is required.
++
++Delete the file :\WINDOWS\Cmctl32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected
++machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS505
++
++Dark-e:
++http://www.dark-e.com/archive/trojans/backc/21/index.shtml
++
++Pest Patrol:
++www.pestpatrol.com/PestInfo/b/back_construction.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3443.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++3443
++
++--
++Summary:
++This rule does not generate an event. It is used in conjunction with
++other rules to reduce the possibility of false postives from occuring.
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This rule does not generate an event. It is used in conjunction with
++other rules to reduce the possibility of false postives from occuring.
++
++--
++Affected Systems:
++ NA
++
++--
++Attack Scenarios:
++NA
++
++--
++Ease of Attack:
++NA
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++NA
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2892.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2892
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_priority_nvarchar2
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000648.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000648
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "whos.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "whos.php" script
++used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000510.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000510
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "VBZoom" application running on a webserver. Access to the
++file "rank.php" with SQL commands being passed as the "MemberID" parameter may
++indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "MemberID" parameter in the "rank.php" script used by
++the "VBZoom" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VBZoom
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/898.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++898
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server.
Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2669.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++2669
++
++--
++Summary:
++This event is generated when an attempt is made to access the file
++ibillpm.pl.
++
++--
++Impact:
++Possible unauthorized administrative access to the victim host.
++Information disclosure.
++
++--
++Detailed Information:
++The script ibillpm.pl is used to process billing and payment via a CGI
++application over the Internet.
++
++The application suffers from a weak default password scheme that could
++be used by an attacker to take control of a user account and view
++billing details.
++
++--
++Affected Systems:
++ iBill Internet Billing Company Processing Plus
++
++--
++Attack Scenarios:
++An attacker can supply the username and default password for a user to
++the script to gain control.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Uninstall the script ibillpm.pl
++
++Only allow usage from authenticated users
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2554.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++2554
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Oracle Application Server Web Cache.
++
++--
++
++Impact:
++Serious. Possible execution of arbitrary code leading to remote
++administrative access.
++
++--
++Detailed Information:
++The Oracle Application Server Web Cache is vulnerable to a buffer
++overrun caused by poor checking of the length of an HTTP Header. If a
++large invalid HTTP Request Method is supplied to a vulnerable system, an
++attacker may be presented with the opportunity to overrun a fixed length
++buffer and subsequently execute code of their choosing on the server.
++
++--
++Affected Systems:
++Oracle Application Server Web Cache 10g 9.0.4 .0
++Oracle Oracle9i Application Server Web Cache 2.0 .0.4
++Oracle Oracle9i Application Server Web Cache 9.0.2 .3
++Oracle Oracle9i Application Server Web Cache 9.0.2 .2
++Oracle Oracle9i Application Server Web Cache 9.0.3 .1
++
++--
++
++Attack Scenarios:
++An attacker might supply an HTTP Request Method of more than 432 bytes,
++causing the overflow to occur.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++This rule examines Oracle Web Cache server on port 7777 or 7778.
It is possible
++to configure the Oracle Web Cache server to run on different ports. The rule
++should be configured to reflect the appropriate ports of Oracle Web Cache
++servers on your network.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1083.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1083
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000820.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++100000820
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "SaPHPLesson" application running on a webserver. Access to the file "add.php" with SQL commands being passed as the "forumid" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "forumid" parameter in the "add.php" script used by the "SaPHPLesson" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator.
Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using SaPHPLesson
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1353.txt
+@@ -0,0 +1,46 @@
++Rule:
++
++--
++Sid:
++1353
++
++--
++Summary:
++Attempted nasm command access via web.
++
++--
++Impact:
++Attempt to compile a binary on a host.
++
++--
++Detailed Information:
++This is an attempt to compiile a program source on a host. NASM is the Netwide Assembler which is capable of compiling a variety of sources on a variety of platforms into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
++
++--
++Attack Scenarios:
++The attacker can make a standard HTTP request that contains '/bin/nasm'in the URI.
++
++--
++Ease of Attack:
++Simple HTTP request.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
++--
++Contributors:
++Sourcefire Research Team
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2780.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2780
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_site_priority
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1200.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++1200
++
++--
++Summary:
++This event is generated when an invalid URL response is sent from a
++webserver to a client.
++
++--
++Impact:
++Information gathering and possible Denial of Service (DoS).
++
++--
++Detailed Information:
++This event is generated when an invalid URL response is sent from a
++webserver to a client. It is possible under some circumstances, to cause
++a DoS condition by supplying an invalid URL to a web server running an
++affected version of Microsoft IIS 4.0. Certain invalid URLs can cause
++the system to make an invalid memory request that will in turn stop the
++IIS service from running.
++
++--
++Affected Systems:
++ Microsoft IIS 4.0 on NT systems
++
++--
++Attack Scenarios:
++The attacker would merely need to make a web request using an invalid
++URL.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade the system to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1803.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1803
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft Internet Information
++Server.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft Internet Information Server (IIS). Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion.
++
++--
++Affected Systems:
++ All systems running Microsoft IIS
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/239.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++239
++
++--
++Summary:
++This event is generated when a DDoS Shaft handler communicates with a Shaft agent. It is also possible that this event may be generated when any host attempts to discover a Shaft agent.
++
++--
++Impact:
++Attempted DDoS. If the listed source IP is in your network, it may be a Shaft handler or a host attempting to discover Shaft agents. If the listed destination IP is in your network, it may be a Shaft agent.
++
++--
++Detailed Information:
++The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. A handler may communicate with an agent using a UDP packet to destination port 18753 with a content of "alive tijgu.
This communication checks if an agent is alive and uses a default password of "tijgu".
++
++--
++Affected Systems:
++Any Shaft compromised host.
++
++--
++Attack Scenarios:
++A Shaft handler needs to discover if an agent is alive before directing it to launch an attack.
++
++--
++Ease of Attack:
++Simple. Shaft code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
++
++Rebuild a confirmed compromised host.
++
++Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
++
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS255
++
++Miscellaneous:
++http://biocserver.cwru.edu/~jose/shaft_analysis/
++
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2999.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++2999
++
++--
++Summary:
++This event is generated when an attempt is made to shutdown a Windows
++system via SMB.
++
++--
++Impact:
++Serious.
++
++--
++Detailed Information:
++This event indicates that an attempt was made to shutdown a Windows
++system via SMB across the network.
++
++It may be possible for an attacker to manipulate a Windows system
++from a remote location. Shutting down a system may lead to a Denial of
++Service for the target host.
++
++--
++Affected Systems:
++ Microsoft Windows systems.
++
++--
++Attack Scenarios:
++An attacker may be able to manipulate a target system using SMB. The
++attacker may gain complete control over the affected system.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of system compromise.
++
++Turn off file and print sharing on the target host.
++
++Use a packet filtering firewall to disallow SMB access to the host from
++sources external to the protected network.
++
++Disallow remote registry manipulation.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1627.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++1627
++
++--
++Summary:
++This event is generated when packets on the network are using an
++unassigned or reserved IP protocol.
++
++--
++Impact:
++Possible prelude to system compromise.
++
++--
++Detailed Information:
++Under normal circumstances IP packets do not use unassigned or reserved
++protocols.
++
++an indicator of unauthorized network use, reconnaisance activity or
++system compromise. These rules may also generate an event due to
++improperly configured network devices.
++
++--
++Affected Systems:
++ All
++
++--
++Attack Scenarios:
++The attacker may send specially crafted packets using an unassigned or
++reserved protocol.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++Research or testing of new protocols may trigger this event.
++
++Novell use protocol 224 for the Cluster heart beat
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Use a packet filtering device to reject packets using an unknown
++protocol.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++IANA
++http://www.iana.org/assignments/protocol-numbers
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1718.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1718
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000468.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++100000468
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "WebprojectDB" application running on a webserver.
++Access to the file "lang.php" using a remote file being passed as the "INCDIR"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "INCDIR" parameter in the "lang.php" script used by the
++"WebprojectDB" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using WebprojectDB
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/724.txt
+@@ -0,0 +1,90 @@
++Rule:
++
++--
++Sid:
++724
++
++--
++Summary:
++This event is generated when worm activity is detected. More specifcally
++this event indicates possible "My Romeo" propogation.
++
++--
++Impact:
++Serious. The victim host may be infected with a worm.
++
++--
++Detailed Information:
++This worm propogates via electronic mail and exploits a known
++vulnerability in the way that versions of Microsoft Outlook and Internet
++Explorer handle trusted HTML pages. The worm is launched via a compiled
++HTML file (.chm) which is used by Microsoft WIndows Help.
++
++The executable part of the worm is called from within the trusted
++compiled HTML file. The worm attempts to propagate using hard coded
++addresses of SMTP servers.
++
++This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
++
++--
++Affected Systems:
++ Microsoft Windows 9x
++ Microsoft Windows 2000
++
++--
++Attack Scenarios:
++Symantec Anti-Virus center states that the worm arrives as an email
++message that has an HTML body and two attachments named Myjuliet.chm
++and Myromeo.exe. The subject of the email is selected at random from
++the following set:
++
++Romeo&Juliet
++hello world
++subject
++ble bla, bee
++I Love You ;)
++sorry...
++Hey you !
++Matrix has you...
++my picture
++from shake-beer
++
++--
++Ease of Attack:
++Simple. This is worm activity.
++
++--
++False Positives:
++Legitimate electronic mail containing the known subject lines used by
++MyRomeo may cause this rule to generate an event.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches and service packs.
++
++Use Anti-Virus software to detect and delete virus laden email.
++
++This worm makes changes to the system registry, removal of the affected
++registry keys should be done using an appropriate virus removal tool or
++by an experienced Windows administrator.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++McAfee
++http://vil.nai.com/vil/content/v_98894.htm
++
++Symantec Security Response
++http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1046.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid: 1046
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Information gathering possible administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
++
++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
++
++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
++
++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
++
++--
++Affected Systems:
++Any host using IIS.
++
++--
++Attack Scenarios:
++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2409.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2409
++
++--
++Summary:
++This event is generated when an attempt is made to overflow a buffer by
++supplying a very long username to an APOP POP3 service.
++
++--
++Impact:
++Serious. Several POP3 servers are vulnerable to USER buffer overflows.
++
++--
++Detailed Information:
++By supplying more than 626 bytes of data to the APOP USER command on 1st
++Class Internet Solutions' 1st Class Mail Server, an attacker may
++overflow a buffer resulting in the opportunity to execute code of their
++choosing on the targeted machine with the privileges of the user running
++the service.
++
++Other Mail software may be prone to this attack.
++
++--
++Affected Systems:
++ 1st Class Mail Server
++
++--
++Attack Scenarios:
++An attacker may connect to the service and supply an over-long username
++to overflow the buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade to the latest non-affected version of the software.
++
++Check for other events generated by the source IP address.
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2689.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2689
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure disable_receiver_trace
++. This procedure is included in
++sys.dbms_internal_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000742.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000742
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Geeklog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3080.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++3080
++
++--
++Summary:
++This event is generated when a remote attacker sends an overly long "secure"
++query to a host acting as an Unreal engine server. This may
++indicate an attempt to exploit a buffer overflow vulnerability.
++
++--
++Impact:
++Serious. A successful buffer overflow can permit the execution of arbitrary
++code on a vulnerable system.
++
++--
++Detailed Information:
++Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and
++available for Linux, Windows and Macintosh platforms. The Unreal engine is
++used for both client and server functionality. An overly long "secure"
++query can be sent to the game server, causing a buffer overflow and the
++subsequent execution of arbitrary code.
++
++--
++Affected Systems:
++ Multiple versions of the Unreal Engine running on Linux, Microsoft
++ Windows and Macintosh platforms.
++
++--
++Attack Scenarios:
++An attacker can send an overly long "secure" query to a vulnerable host, causing
++a buffer overflow and the subsequent execution of arbitrary code.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++Unreal servers can be configured to run on arbitrary ports.
++Administrators should either change the port used in the rule or create
++a variable for the ports to be used in the rule.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the most current nonaffected version of the software.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Judy Novak
++
++--
++Additional References:
++
++OSVDB
++http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3286.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3286
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2458.txt
+@@ -0,0 +1,52 @@
++Rule:
++
++--
++Sid:
++2458
++
++--
++Summary:
++This event is generated when a host in your network that has Yahoo Instant Messenger running has joined a chat room or is examining chat rooms to join.
++
++--
++Impact:
++Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
++
++--
++Detailed Information:
++Yahoo IM provides a means of allowing users who share similar interests to join a chat room and exchange messages. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments.
++
++--
++Affected Systems:
++Any host running Yahoo Instant Messenger.
++
++--
++Attack Scenarios:
++No known attacks.
++
++--
++Ease of Attack:
++No known attacks.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++--
++Additional References:
++Yahoo Protocol
++http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1590.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1590
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1920.txt
+@@ -0,0 +1,57 @@
++Nigel: Old reference pointed to something totally unrelated.
++Rule:
++--
++
++Sid:
++1920
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a vulnerability associated with the FTP SITE NEWER command that may cause a denial of service or allow the upload of executable files.
++
++--
++Impact:
++Remote access or denial of service. A successful attack can cause a denial of service or allow the upload of executable files on the vulnerable FTP server.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a vulnerability associated with the WU-FTP server version of the SITE NEWER command. It is possible to cause a denial of service attack that consumes memory or upload files to execute arbitrary commands with the privileges of the process running the FTP server.
++
++--
++Affected Systems:
++Hosts running WU-FTPD 2.5.0.
++
++--
++Attack Scenarios:
++An attacker can cause a denial of service or upload files to execute arbitrary commands on the vulnerable FTP server.
++
++--
++Ease of Attack:
++Difficult. No known exploits available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/737
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3156.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3156
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/696.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++696
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft SQL.
++
++--
++Impact:
++Information gathering and data integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to an implementation of Microsoft SQL server or client. This can
++lead to unauthorized access and possibly escalated privileges to that of
++the administrator. Data stored on the machine can be compromised and
++trust relationships between the victim server and other hosts can be
++exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/326.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid: 326
++
++--
++
++Summary:
++This event is generated when a remote command execution exploit against
++a finger daemon is attempted.
++
++--
++Impact:
++Serious. The attacker may be presented with the opportunity to run a
++command of his choice on the target UNIX system
++
++--
++Detailed Information:
++This event is generated when a specific attack against a vulnerable
++version of finger daemon is detected.
++
++The Finger daemon is used to provide information about users on a UNIX
++system. It used to be installed and enabled by default on most
++UNIX/Linux systems. The attack may allow an attacker to execute a
++command remotely on a target system with the privileges of the user
++running the "finger" daemon. The user is usually defined in the
++/etc/inetd.conf file and is commonly designated as "nobody".
++
++--
++Attack Scenarios:
++An attacker may try the attack and then executes a command to download a
++backdoor to the target system. He then connects to the system and may
++attempt to escalate his privileges by exploiting a local SUID
++application to gain "root" privileges.
++
++--
++Ease of Attack:
++Simple, no exploit software is required, just a specially formatted finger query
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disable the finger daemon or limit the addresses that can access the
++service via firewall or TCP wrappers.
++
++--
++Contributors:
++Original rule written by Max Vision
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS379
++
++Bugtraq:
++http://online.securityfocus.com/bid/974
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000355.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000355
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "eSyndiCat" application running on a webserver. Access to the file "cron.php" using a remote file being passed as the "path_to_config" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_config" parameter in the "cron.php" script used by the "eSyndiCat" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using eSyndiCat
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2887.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2887
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_delete_resolution
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/881.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++881
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Guide to network resource tools:
++http://www.acad.bg/beginner/gnrt/specialist/archie.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/993.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid: 993
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Information gathering possible administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
++
++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
++
++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
++
++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
++
++--
++Affected Systems:
++Any host using IIS.
++
++--
++Attack Scenarios:
++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2629.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++2629
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Oracle database implementation.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible. A Denial of
++Service (DoS) condition may also be caused.
++
++--
++Detailed Information:
++Oracle databases may use a built-in procedure to assist in database
++replication. The "register_user_repgroup" procedure contains a
++programming error that may allow an attacker to execute a buffer
++overflow attack.
++
++This overflow is triggered by a long string in a parameter for the
++procedure.
++
++If you are running Oracle on a Windows server, make sure that the
++variable $ORACLE_PORTS is set to a value of "any".
++
++--
++Affected Systems:
++ Oracle 9i
++
++--
++Attack Scenarios:
++An attacker can supply a long string to the "privilege_type" variable
++to cause the overflow. The result could permit the attacker to gain
++escalated privileges and run code of their choosing. This attack
++requires an attacker to logon to the database with a valid username
++and password combination.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Matt Watchinski
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Other:
++http://www.appsecinc.com/Policy/PolicyCheck94.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/313.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid: 313
++
++--
++Summary:
++This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made.
++
++--
++Impact:
++Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
++
++--
++Detailed Information:
++Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
++
++Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system.
++
++Affected Versions:
++ Multiple vendors
++
++--
++Attack Scenarios:
++Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply vendor supplied patches.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/210
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000847.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000847
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Sitemap" application running on a webserver. Access to the file "sitemap.xml.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "sitemap.xml.php" script used by the "Sitemap" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Sitemap
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000677.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000677
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Harpia" application running on a webserver.
++Access to the file "topics.php" using a remote file being passed as the
++"header_prog" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "header_prog" parameter in the "topics.php" script used
++by the "Harpia" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Harpia
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1052.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1052
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2214.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++2214
++
++--
++Summary:
++This event is generated when an attempt is made to access mailview.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in MailStudio 2000 2.0 and earlier.
++
++--
++Impact:
++Information disclosure.
++
++--
++Detailed Information:
++MailStudio 2000 is mail server software for Solaris or Linux operating systems. It contains a vulnerability where data sent to mailview.cgi is not properly parsed. This can allow an attacker to use directory traversal techniques (/../) within the "html" parameter to view arbitrary files on the system, including other users' email, configuration files, and password files.
++
++--
++Affected Systems:
++Systems running MailStudio 2000 2.0 and earlier.
++
++--
++Attack Scenarios:
++An attacker sends a specially crafted HTTP request to a vulnerable web server with another user's email file as the html argument. The attacker will then be able to view the file.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++If a legitimate remote user accesses mailview.cgi, this rule may generate an event.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++It is not known if this vulnerability has been fixed. Contact the vendor, 3R Soft (http://www.3rsoft.com), for more information.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Sourcefire Technical Publications Team
++Jennifer Harvey
++
++--
++Additional References:
++Bugtraq
++http://www.securityfocus.com/bid/1335
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3053.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++3053
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ethereal.
++
++--
++Impact:
++Serious. Denial of Service (DoS).
++
++--
++Detailed Information:
++Ethereal is a multi-platform network protocol analyser capable of
++displaying network data to the user in a graphical user interface.
++
++An error in the processing of access control lists (ACLs) concerning the
++size of the access control entries (ACEs) may lead to a Denial of Service
++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
++the ACE given in the packet during processing. If a sufficiently large ACL
++structure is supplied combined with a specified ACE size of 0, it is
++possible to cause the DoS condition to occur.
++
++--
++Affected Systems:
++ Ethereal 0.10.7 and prior
++
++--
++Attack Scenarios:
++An attacker needs to craft packet data containing large NT ACLs, the
++attacker then needs to specify one of the ACEs as having a size of 0.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2698.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++2698
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure create file.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/686.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++
++--
++
++Summary:
++This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained administrator access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++--
++
++Attack Scenarios:
++Simple. These are SQL database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Disallow direct access to the SQL server from sources external to the protected network.
++
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000174.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++100000174
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in RSA Security RSA Authentication Agent For Web.
++
++--
++Impact:
++Cross site scripting leading to possible inclusion of code of the attackers
++choosing.
++
++--
++Detailed Information:
++A vulnerability exists in RSA Security RSA Authentication Agent For Web that
++may allow an attacker to include code of their choosing due to the improper
++checking of user supplied input.
++
++--
++Affected Systems:
++RSA Security RSA Authentication Agent For Web 5.2
++
++--
++Attack Scenarios:
++An attacker can supply a link to include code of their choosing in data
++supplied to RSA Security RSA Authentication Agent For Web.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Original Rule writer rmkml
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000740.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000740
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "Import.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "Import.Admin.class.php" script used by the "Geeklog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Geeklog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000596.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000596
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "inv_config_payment.php" using a remote file being passed as
++the "admin_template_path" parameter may indicate that an exploitation attempt
++has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"inv_config_payment.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/220.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++220
++
++--
++Summary:
++This event is generated when an attacker attempts to connect to a
++Telnet server using the phrase "wank". This is a known password for
++the HideSource rootkit.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to.
++
++--
++Detailed Information:
++This Trojan affects UNIX operating systems:
++
++Due to the nature of this Trojan it is unlikely that the attacker's
++client IP address has been spoofed.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise may be due to the exploitation of another vulnerability and
++the attacker is leaving another way into the machine for further use.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Telnet access from external sources.
++
++Use SSH as opposed to Telnet for access from external locations
++
++Delete the Trojan and kill any associated processes.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2069.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++2069
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in devices using the IPC@CHIP from Beck IPC GmbH.
++
++--
++Impact:
++Information disclosure
++
++--
++Detailed Information:
++The IPC@CHIP from Beck IPC GmbH is used in network appliances for use in
++controlling those devices via a web interface.
++
++The embedded webserver uses the system root as its default webserver
++root directory. This means an attacker can request any file on the
++system by making an http request for the file.
++
++--
++Affected Systems:
++All devices using this chip.
++
++--
++Attack Scenarios:
++The attacker needs to craft a special URI including chip.ini with a
++request for a file on the system.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Network devices using this chip should be closely monitored, access to
++the embedded webserver should be carefully controlled using a firewall
++or disabled where possible.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/2775
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3011.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++3011
++--
++Summary:
++This event is generated when an attempt is made to find the System
++directory on a target host with the RUX the Tick Trojan.
++
++--
++Impact:
++If successful, the attacker would gain unauthorized access to the system,
++to upload and execute file on the target system. The attacker can use
++this function to upload additional backdoors to the victim's system and
++execute them.
++
++--
++Detailed Information:
++When executed, RUX the Tick opens up its assigned port (default is
++22222) for communication with the attacker. RUX the Tick has three
++functions: Get Windows Directory, Get System Directory, and Upload And
++Execute File. Get Windows Directory and Get System Directory are used
++for reconnaissance. Upload And Execute File is mainly used to upload and
++run other backdoors onto the victim's computer.
++
++--
++Affected Systems:
++ Windows 95/98/ME/NT/2000
++
++--
++Attack Scenarios:
++The victim must first install the server. Be wary of suspicious files
++because they often can be backdoors in disguise. Once the victim
++mistakenly installs the server program, the attacker usually will employ
++an IP scanner program to find the IP addresses of victims that have
++installed the program. Then the attacker enters the IP address, port
++number (which is assigned to the server program by the attacker:
++default is 22222), and presses the connect button and he has access to
++the computer.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe.
++Use Windows Explorer to find ruxserver.exe and delete the file.
++
++Keep anti-virus programs updated with the latest definitions.
++
++--
++Contributors:
++Sourcefire Research Team
++Ricky Macatee
++
++--
++Additional References:
++
++PestPatrol:
++http://www.pestpatrol.com/PestInfo/R/RUX.ASP
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1716.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1716
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1400.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid: 1400
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Information gathering possible administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
++
++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
++
++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
++
++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
++
++--
++Affected Systems:
++Any host using IIS.
++
++--
++Attack Scenarios:
++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1967.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1967
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a PHP web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a PHP application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the PHP application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running PHP applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2398.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++2398
++
++--
++Summary:
++This event is generated when an attempt is made to exploit the PHP web
++application WAnewsletter.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the WAnewsletter PHP web application running on a server.
++Multiple vulnerabilities exist in the application which can lead to the
++execution of arbitrary code of the atttackers choosing.
++
++--
++Affected Systems:
++ WAnewsletter
++
++--
++Attack Scenarios:
++An attacker can supply code of their choice by including a file in
++parameters supplied to the script newsletter.php or db_type.php.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000177.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++100000177
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Linksys WRT54G wireless router.
++
++--
++Impact:
++Unauthorized administrative access to the router and it's configuration.
++
++--
++Detailed Information:
++A vulnerability exists in the Linksys WRT54G wireless router that may present
++an attacker with the opportunity to take control of the victim hardware via a
++POST request to the web interface.
++
++This is due to the apply.cgi script not performing proper checks on user
++supplied input that may allow the attacker to overflow a fixed length buffer
++and execute code of their choosing.
++
++--
++Affected Systems:
++Linksys WRT54G Wireless Router firmware 4.0.4.20.6 and prior
++
++--
++Attack Scenarios:
++An attacker can supply a malformed POST request to the apply.cgi script on an
++affected piece of hardware.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied firmware upgrade.
++
++--
++Contributors:
++Original Rule writer rmkml
++Sourcefire Vulnerability Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3159.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3159
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3369.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3369
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1811.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++1811
++
++--
++Summary:
++This event is generated when a remote user has exploited a flaw in a
++local SSH server.
++
++--
++Impact:
++Serious
++
++--
++Detailed Information:
++OpenSSH has a flaw in the challenge-response mechanism when configured
++with either the "PAMAuthenticationViaKbdInt" or the
++"ChallengeResponseAuthentication" options. This flaw can be exploited by
++a user who is not authenicated and can lead to the attacker obtaining a
++root shell.
++
++--
++Affected Systems:
++OpenSSH versions 1.2 to 3.3, Solaris 9.0, IBM Linux
++Affinity Toolkit, and HP HP-UX Secure Shell A.03.10.
++
++--
++Attack Scenarios:
++An attacker can cause the service to restart or hang, leaving the
++service unavailable to users.
++
++--
++Ease of Attack:
++Simple. Exploit code available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to latest version of OpenSSH
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/5093
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000388.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000388
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "topman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "topman.php" script used by the "Ovidentia" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Ovidentia
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/798.txt
+@@ -0,0 +1,62 @@
++
++Rule:
++
++--
++Sid:
++798
++
++--
++Summary:
++This rule has been placed in deleted.rules. It has been superceded by
++sid 721.
++
++--
++Impact:
++Mail worms may spread rapidly because users execute them.
++
++--
++Detailed Information:
++Windows systems are often configured not to display file extensions.
++By adding a second extension, users get confused and think that an
++executable is a picture - e.g. nicegirl.gif.vbs gets displayed as
++nicegirl.gif but is a visual basic script and not a picture.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
++
++--
++Ease of Attack:
++Very easy. One needs to attach a file and hope that it gets executed.
++
++--
++False Positives:
++None Known
++Could be an error on sender's side.
++
++--
++False Negatives:
++None Known
++-
++
++--
++Corrective Action:
++Use antivirus software. Configure mail clients securely, especially when
++using windows desktops. Educate your mail users. Deny all attachments at
++the gateway if you can.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by tobias.haecker@to.com
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++See websites of antivirus companies.
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/350.txt
+@@ -0,0 +1,63 @@
++SID:
++350
++--
++
++Rule:
++--
++
++Summary:
++This event is generated when an attack attempt is made against an ftp
++server possibly running a vulnerable ftpd
++--
++
++Impact:
++Possible execution of commands on the affected server as with elevated user privileges
++--
++
++Detailed Information:
++The Washington University ftp daemon (wu-ftpd) has a problem with very
++log directory names. There is insufficent checking on directories
++created by users allowing possible insertion of data into the stack.This
++can lead to execution of code with root / elevated user privileges.
++--
++
++Affected Systems:
++NcFTP Software NcFTPD 2.3.5
++Washington University wu-ftpd 2.4.2 (beta 18) VR10
++RedHat wu-ftpd 2.4.2 b18-2
++Washington University wu-ftpd 2.4.2 academ[BETA-18]
++Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
++--
++
++Attack Scenarios:
++A local attacker will attempt to create long named directories on the
++ftp server wich are not checked correctly in the server code. This can
++allow commands to be executed with elevated user privileges
++--
++
++Ease of Attack:
++simple, Exploit code exists
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Upgrade to newest version of wuftpd, or replace with something more secure.
++-- ++ ++Contributors: ++Snort documentation contributed by matthew harvey ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2329.txt +@@ -0,0 +1,78 @@ ++Rule: ++ ++-- ++Sid: ++2329 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft Windows Data Access Components. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code is possible. Denial of Service ++(DoS) ++ ++-- ++Detailed Information: ++It may be possible for an attacker to send a specially crafted response ++to a client broadcast query searching for an SQL server. This response ++could take advantage of a buffer overrun condition in an MDAC component ++which may result in the attacker being presented with the opportunity to ++execute code of their choosing with the privileges of the user running ++the service on the client system. ++ ++A DoS condition may also manifest in MDAC version 2.8. ++ ++MDAC is included by default on many Microsoft Windows systems. Client ++workstations may make regular broadcast announcements in an attempt to ++find SQL servers. ++ ++-- ++Affected Systems: ++ Microsoft Data Access Components 2.5 ++ Microsoft Data Access Components 2.6 ++ Microsoft Data Access Components 2.7 ++ Microsoft Data Access Components 2.8 ++ ++-- ++Attack Scenarios: ++The attacker may spoof the response from an SQL server to exploit the ++vulnerability. ++ ++-- ++Ease of Attack: ++Moderate.. ++ ++-- ++False Positives: ++Since this rule cannot be constrained using ports and the connection ++state for MSDAC is not tracked, false positive events may occur under ++normal circumstances. The $SQL_SERVERS variable in snort.conf should be ++configured correctly to eliminate this behavior. ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches and service packs. 
++ ++Disallow access to database servers from sources external to the ++protected network. ++ ++Disallow access to database servers from untrusted hosts. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/244.txt +@@ -0,0 +1,57 @@ ++Rule: ++-- ++Sid: ++244 ++ ++-- ++Summary: ++This event is generated when a DDoS mstream handler directs an mstream agent to begin an attack against a specified target. ++ ++-- ++Impactn: ++Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent. ++ ++-- ++Detailed Information: ++The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can direct a particular agent to attack a target. It directs the agent by sending it a UDP packet to destination port 10498 with a string of "stream/" in the payload. The target IP and duration of the attack will also be included in the payload. ++ ++-- ++Affected Systems: ++Any mstream compromised host. ++ ++-- ++Attack Scenarios: ++After a host becomes an mstream agent, it will likely be directed to participate in a DDoS attack. ++-- ++Ease of Attack: ++Simple. mstream code is freely available. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++There are other known handler-to-agent ports in addition to 10498. ++ ++-- ++Corrective Action: ++Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. ++ ++Rebuild a confirmed compromised host. ++ ++Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1889.txt +@@ -0,0 +1,56 @@ ++Nigel, Removed isc.incidents.org reference since it is no longer active. ++Rule: ++ ++-- ++Sid: ++1889 ++ ++-- ++Summary: ++This event is generated when a web server infected by the slapper worm attempts to send traffic via a communication channel. ++ ++-- ++Impact: ++Remote access and potentially denial of service. A slapper worm infection indicates a successful compromise of the host. A communication channel established between infected hosts can be used as a vehicle for a distributed denial of service attack of a target host or network. ++ ++-- ++Detailed Information: ++The Apache/mod_ssl worm, also known as slapper, exploits a vulnerability associated with certain versions of OpenSSL. Once a host has been infected by the worm, the worm then attempts to establish a communication channel using UDP port 2002 (both source and destination) to the infecting host. This communication channel is used to create a network for infected hosts to communicate with each other to identify other infected hosts and to deliver attack instructions for other sites. ++ ++-- ++Affected Systems: ++Linux hosts running Apache with mod_ssl using SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures. ++ ++-- ++Attack Scenarios: ++The communication channel created by the slapper worm allows infected hosts to receive direction from other infected hosts. This can be used, for instance, to coordinate a DDoS attack. ++ ++-- ++Ease of Attack: ++Simple. Exploit code exists. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++It has been observed that the port number for the communication channel may vary. Ports 1978 and 4156 have also been seen. 
++ ++-- ++Corrective Action: ++Apply the appropriate patch or upgrade to the most current version of OpenSSL. ++ ++-- ++Contributors: ++Original rule writer unknown. ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++CERT ++http://www.cert.org/advisories/CA-2002-27.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000172.txt +@@ -0,0 +1,66 @@ ++Rule: ++ ++-- ++Sid: ++100000172 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the Lynx text-based web browser. ++ ++-- ++Impact: ++Code execution on the victim machine with the privileges of the user running ++Lynx. ++ ++-- ++Detailed Information: ++A vulnerability exists in the way that Lynx handles links when browsing NNTP ++resources. The function that handles the display of information from article ++headers when listing available files on the server, inserts extra characters to ++handle certain character sets. This function does not properly check how much ++extra data is inserted and it is possible to overflow a static buffer and ++execute code in the context of the browser process. ++ ++-- ++Affected Systems: ++Lynx versions 2.8.6 and prior ++ ++-- ++Attack Scenarios: ++An attacker would need to supply a malicious link on an nntp server to the user ++using Lynx. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Apply the appropriate patch. ++ ++Upgrade to the latest non-affected version of the software. 
++ ++-- ++Contributors: ++Original Rule writer rmkml ++Sourcefire Vulnerability Research Team ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Original advisory posting: ++http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2589.txt +@@ -0,0 +1,93 @@ ++Rule: ++ ++-- ++Sid: ++2589 ++ ++-- ++Summary: ++This event is generated when an attempt is made to return to ++a web client a file in the Content-Disposition Header with a ++Class ID (CLSID) embedded in the file name. ++ ++-- ++Impact: ++A successful attack may trick a client on a vulnerable host to download ++a malicious file that will be executed by the Windows Shell. ++ ++-- ++Detailed Information: ++Internet Explorer does not correctly handle or display specially ++crafted files in the browser dialogue where the user choses the ++action (e.g., open, save, cancel) for a downloaded file. ++Specifically, these are overly long file names that employ URL ++encoding of "." %2E before the file extension and contain the ++Class ID (CLSID) associated with the Windows Shell in the file name. ++ ++This serves two purposes; the first is that the file name will ++be truncated in the user dialog so the user doesn't see the ++CLSID reference, making it appear to be a more innocuous file ++with a known extension such as mpg or pdf. Second, the downloaded ++file will actually contain malcious commands that will be ++executed by the Windows Shell when opened because of the hidden ++CLSID in the file name. ++ ++Currently, the only known CLSID that exploits this vulnerability ++is associated with the Windows Shell. Yet, it may be possible ++for another CLSID to be discovered in the future that would be ++associated with a COM component that could be used for malicious ++purposes. 
++ ++-- ++Affected Systems: ++ Windows NT Workstation/Server 4.0 SP6a ++ Windows NT Workstation/Server 4.0 SP6a with Active Desktop ++ Windows NT Server 4.0 Terminal Server Edition SP6 ++ Windows 2000 SP2-SP4 ++ Windows XP and XP SP1 ++ Windows XP 64-Bit Edition SP1 ++ Windows XP 64-Bit Edition Version 2003 ++ Windows Server 2003 ++ Windows Server 2003 64-Bit Edition ++ ++-- ++Attack Scenarios: ++An attacker can entice a user to visit a web server that ++will return a malicious file with a file name that contains ++a CLSID, perhaps enabling the execution of the malicious ++code when the file is opened. ++ ++-- ++Ease of Attack: ++Simple. Exploit code is publicly available. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Judy Novak ++ ++-- ++Additional References ++CVE: ++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0420 ++ ++Bugtraq: ++http://www.securityfocus.com/bid/9510 ++ ++Other: ++http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000382.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000382 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_users.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_users.php" script used by the "phpNuke" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using phpNuke ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1784.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++ ++1784 ++ ++-- ++Summary: ++This rule indicates that a webpage was visited the included the content "nude celeb". 
++ ++-- ++Impact: ++Someone could be violating your company's policy regarding the browsing of inappropriate content. ++ ++-- ++Detailed Information: ++ ++This rule looks for a response from a webserver containing "nude celeb". ++ ++-- ++Affected Systems: ++ ++All ++ ++-- ++Attack Scenarios: ++ ++Not an attack. ++ ++-- ++Ease of Attack: ++ ++N/A. ++ ++-- ++False Positives: ++ ++This could have been caused by a pop-up window or spam with an embedded link to a pornographic website. This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc. ++ ++-- ++False Negatives: ++ ++None known. ++-- ++Corrective Action: ++ ++Dependent on your company's policies. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Snort documentation contributed by Steven Alexander ++-- ++Additional References: ++ ++ ++ ++ ++ ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2188.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++2188 ++ ++-- ++Summary: ++This event is generated when a suspicious packet using an unusual ++protocol is sent to a router. ++ ++-- ++Impact: ++Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in multiple Cisco IOS versions such that a Denial ++of Service condition can be issued against a device by sending multiple ++packets using IP protocols 53, 55, 77 and 103 directly to that device. ++ ++Cisco IOS processes these packets and under certain circumstances, can ++be made to incorrectly flag an input interface as being full. ++ ++-- ++Affected Systems: ++Multiple versions of Cisco IOS. ++ ++-- ++Attack Scenarios: ++An attacker may send a large number of IP packets using one of the ++protocols 53, 55, 77 or 103 directly to a router. Exploit code exists. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3308.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3308 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2721.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2721 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure add_columns_to_flavor ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000321.txt +@@ -0,0 +1,78 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000321 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "ScozNet ScozNews" application running on a ++webserver. Access to the file "help.php" using a remote file being passed as ++the "main_path" parameter may indicate that an exploitation attempt has been ++attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "main_path" parameter in the "help.php" script used by ++the "ScozNet ScozNews" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using ScozNet ScozNews ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2895.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2895 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure drop_priority_varchar2 ++. This procedure is included in ++sys.dbms_repcat_conf. 
++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3043.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++3043 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Ethereal. ++ ++-- ++Impact: ++Serious. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++Ethereal is a multi-platform network protocol analyser capable of ++displaying network data to the user in a graphical user interface. ++ ++An error in the processing of access control lists (ACLs) concerning the ++size of the access control entries (ACEs) may lead to a Denial of Service ++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of ++the ACE given in the packet during processing. If a sufficiently large ACL ++structure is supplied combined with a specified ACE size of 0, it is ++possible to cause the DoS condition to occur. ++ ++-- ++Affected Systems: ++ Ethereal 0.10.7 and prior ++ ++-- ++Attack Scenarios: ++An attacker needs to craft packet data containing large NT ACLs, the ++attacker then needs to specify one of the ACEs as having a size of 0. ++ ++-- ++Ease of Attack: ++Moderate. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++Upgrade to the latest non-affected version of the software. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1599.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1599 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/301.txt +@@ -0,0 +1,57 @@ ++Rule: ++ ++-- ++Sid: 301 ++ ++-- ++Summary: ++This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng. ++ ++-- ++Impact: ++System compromize presenting the attacker with escalated system privileges . ++ ++-- ++Detailed Information: ++LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root). ++ ++Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation. ++ ++-- ++Attack Scenarios: ++Exploit scripts are available ++ ++-- ++Ease of Attack: ++Simple. Exploits are available. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Disallow access to LPRng port 515 from external sources using a packet filtering firewall. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/1712 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3456.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++3456 ++ ++-- ++ ++Summary: ++This event is generated when the user "root" logs in to a MySQL database from an external source. ++ ++-- ++Impact: ++Serious. An attacker may have gained superuser access to the system. ++ ++-- ++Detailed Information: ++This event is generated when someone using the name "root" logs in to a MySQL database. ++ ++The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. ++ ++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. ++ ++-- ++ ++Attack Scenarios: ++Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system. ++ ++-- ++ ++Ease of Attack: ++Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system. ++ ++-- ++ ++False Positives: ++This event may be generated by a database administrator logging in as the root user from a location outside the protected network. ++ ++-- ++False Negatives: ++None Known ++ ++-- ++ ++Corrective Action: ++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2019.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2019 ++ ++-- ++Summary: ++The RPC service mountd enables clients to connect to networked file ++dismounted via UDP. ++ ++-- ++Impact: ++Denial of network resources to users on the local area network. ++ ++-- ++Detailed Information: ++This may be an attempt to deny access to network resources from an ++unauthorized source. It may also be indicative of an attacker probing ++for RPC services on a host in an attempt to discover a possible entry ++point to network resources via a vulnerable daemon. ++ ++-- ++Affected Systems: ++All systems allowing network shares to be unmounted by anonymous hosts, ++all systems allowing RPC services to be stopped by ordinary users and ++systems already compromised by an attacker via another vulnerability. ++ ++-- ++Attack Scenarios: ++This is an intelligence gathering activity, the attacker could remotely ++unmount a shared resource to deny a resource to the local area network ++or a probe to discover possible routes of entry into a system. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++When allowing hosts to mount an external network share, consider using a ++hosts.allow file. ++ ++Do not allow shares to be unmounted by unauthorized hosts or users. ++ ++RPC services should not be available outside the local area network, ++filter RPC ports at the firewall to ensure access is denied to RPC ++enabled machines. ++ ++RPC services should also be disabled where not needed. 
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/159.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++159
++
++--
++Summary:
++This event is generated when an attempt is made to list files on a host infected with the NetMetro Trojan Horse.
++
++--
++Impact:
++Limited control of the target host.
++
++--
++Detailed Information:
++Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
++
++The server portion opens TCP port 5031 by default to establish a connection between client and server.
++
++--
++Affected Systems:
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is named NMS.exe.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++A reboot of the infected machine is recommended. The Trojan does not start automatically at boot time nor does it change any system registry settings.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS79
++
++Dark-e:
++http://www.dark-e.com/archive/trojans/NetMetro/index.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000627.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000627
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "message_send.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"message_send.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1119.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1119
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1417.txt
+@@ -0,0 +1,77 @@
++Rule:
++
++--
++Sid:
++1417
++
++--
++
++Summary:
++This event is generated when an SNMP-Trap connection over UDP to an SNMP
++daemon is made.
++
++--
++
++Impact:
++Information gathering
++
++--
++
++Detailed Information:
++The SNMP (Simple Network Management Protocol) Trap daemon usually
++listens on port 161, tcp or udp.
++
++An attacker may attempt to send this request to determine if a device is
++using SNMP.
++
++--
++
++Affected Systems:
++Devices running SNMP daemons on well known ports.
++
++--
++
++Attack Scenarios:
++An attacker sends a packet directed to udp port 161, if sucessful a
++reply is generated and the attacker may then launch further attacks
++against the SNMP daemon.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++None known.
++
++--
++
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Use a packet filtering firewall to protect devices using the SNMP
++protocol and only allow connections from well-known hosts.
++
++--
++
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Chaos
++
++--
++
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/122-7.txt
+@@ -0,0 +1,93 @@
++
++
++Rule:
++
++--
++Sid:
++122-7
++
++--
++Summary:
++This event is generated when the pre-processor sfPortscan detects
++network traffic that may constitute an attack. Specifically a tcp
++filtered portsweep was detected.
++
++--
++Impact:
++Unknown. This is normally an indicator of possible network
++reconnaisance and may be the prelude to a targeted attack against the
++targeted systems.
++
++--
++Detailed Information:
++This event is generated when the sfPortscan pre-processor detects
++network traffic that may consititute an attack.
++
++A portscan is often the first stage in a targeted attack against a
++system. An attacker can use different portscanning techniques and tools
++to determine the target host operating system and application versions
++running on the host to determine the possible attack vectors against
++that host.
++
++More information on this event can be found in the individual
++pre-processor documentation README.sfportscan in the docs directory of
++the snort source. Descriptions of different types of portscanning
++techniques can also be found in the same documentation, along with
++instructions and examples on how to tune and use the pre-processor.
++
++--
++Affected Systems:
++ All.
++
++--
++Attack Scenarios:
++An attacker often uses a portscanning technique to determine operating
++system type and version and also application versions to determine
++possible effective attack vectors that can be used against the target
++host.
++
++--
++Ease of Attack:
++Simple. Many portscanning tools are freely available.
++
++--
++False Positives:
++While not necessarily a false positive, a security audit or penetration
++test will often employ the use of a portscan in the same way an
++attacker might use the technique. If this is the case, the
++pre-processor should be tuned to ignore the audit if so desired.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check for other events targeting the host.
++
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches as appropriate.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Daniel Roelker
++Marc Norton
++Jeremy Hewlett
++Nigel Houghton
++
++--
++Additional References:
++
++Nmap:
++http://www.insecure.org/nmap/
++
++Port Scanning Techniques and the Defense Against Them - Roger
++Christopher, SANS:
++http://www.sans.org/rr/whitepapers/auditing/70.php
++
++Hypervivid Tiger Team - Port-Scanning: A Practical Approach
++http://www.hcsw.org/reading/nmapguide.txt
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2864.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2864
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_priority_raw
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000734.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000734
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelete.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelete.Admin.class.php" script used by the "Geeklog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Geeklog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000513.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000513
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "SAPHPLesson" application running on a webserver. Access
++to the file "showcat.php" with SQL commands being passed as the "forumid"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "forumid" parameter in the "showcat.php" script used by
++the "SAPHPLesson" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using SAPHPLesson
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1501.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1501
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1248.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1248
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a web server running Microsoft FrontPage
++Server Extensions.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Microsoft FrontPage Server Extensions. Many known
++vulnerabilities exist for this platform and the attack scenarios are
++legion.
++
++--
++Affected Systems:
++ All systems running Microsoft FrontPage Server Extensions
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000509.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++100000509
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "RahnemaCo" application running on a webserver.
++Access to the file "page.php" using a remote file being passed as the "pageid"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "pageid" parameter in the "page.php" script used by the
++"RahnemaCo" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using RahnemaCo
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/440.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++
++Sid:
++440
++
++--
++
++Summary:
++This event is generated when an ICMP Type 19 datagram with an undefined ICMP Code is detected on the network.
++
++--
++
++Impact:
++ICMP Type 19 datagrams are not currently used by any known devices.
++
++--
++
++Detailed Information:
++ICMP Type 19 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
++
++--
++
++Attack Scenarios:
++None known
++
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate this type of ICMP datagram.
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
++--
++
++Contributors:
++Original Rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++None
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/899.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++899
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/926.txt
+@@ -0,0 +1,62 @@
++SID:
++926
++--
++
++Rule:
++--
++
++Summary:
++This even indicates an attempt to exploit undocumented CFML tags on a
++Allaire ColdFusion Server
++--
++
++Impact:
++Extensive server data retrieval including settings and passwords
++--
++
++Detailed Information:
++Undocumented CFML tags allow reading and decryption of sensitive data
++contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
++data can be accesses by constructing a hosted application that accesses
++these undocumented tags with the possibility of changing values on the
++server and reading admin and studio passwords
++--
++
++Affected Systems:
++ Allaire ColdFusion Server 2.0 - 4.0.1
++--
++
++Attack Scenarios:
++A user with permission to create pages on the server installs an
++application that accesses the undocumented CFML tags, accessing this
++application would allow viewing and possible modifications of these
++settings
++--
++
++Ease of Attack:
++Medium, Attackers need the ability to add files to the server. No "In
++the Wild" exploits were available at type of writing
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Patches are available from Allaire, install them.
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1563.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1563
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1514.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1514
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1386.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1386
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft SQL.
++
++--
++Impact:
++Information gathering and data integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to an implementation of Microsoft SQL server or client. This can
++lead to unauthorized access and possibly escalated privileges to that of
++the administrator. Data stored on the machine can be compromised and
++trust relationships between the victim server and other hosts can be
++exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1812.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid: 1812
++
++--
++Summary:
++Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
++sessions. This event is generated when an attempt is made to exploit
++vulnerable versions of the SSH daemon.
++
++--
++Impact:
++System compromize presenting the attacker with either the opportunity to
++execute arbitrary code with the privileges of the user running the SSH daemon (usually root) or a possible Denial of Service (DoS).
++
++--
++Detailed Information:
++OpenSSH versions prior to 3.3 contain a flaw that could allow a remote attacker to compromise a vulnerable SSH daemon via an integer overflow on systems with BSD_AUTH or SKEY options compiled and PAM authentication or Challenge Response Authentication enabled.
++
++Affected Systems:
++ OpenSSH versions 2.9 to 3.2
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++Enable the privilege separation option in OpenSSH 3.3 if possible.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Securityfocus:
++http://www.securityfocus.com/bid/5093
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1534.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1534
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3465.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++3465
++
++--
++Summary:
++This event is generated when an attempt is made to access the cgi script
++show.pl.
++
++--
++Impact:
++Use of script as an open proxy.
++
++--
++Detailed Information:
++RiSearch is a collection of cgi scripts written in Perl to facilitate
++web site search functionality. Some versions of the script show.pl do
++not correctly sanitize user input. This may present an attacker with the
++opportunity to use the script as an open proxy server, possibly in
++attempts to execute web attacks against other systems anonymously.
++
++Specifically, it may be possible for an attacker to supply their own
++input to the "uri" parameter.
++
++--
++Affected Systems:
++ RiSearch 0.99.8 and prior
++ RiSearch Pro 3.2.6
++
++--
++Attack Scenarios:
++An attacker can supply a URI of their choosing as a value for the
++uri parameter
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3048.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++3048
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ethereal.
++
++--
++Impact:
++Serious. Denial of Service (DoS).
++
++--
++Detailed Information:
++Ethereal is a multi-platform network protocol analyser capable of
++displaying network data to the user in a graphical user interface.
++
++An error in the processing of access control lists (ACLs) concerning the
++size of the access control entries (ACEs) may lead to a Denial of Service
++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
++the ACE given in the packet during processing. If a sufficiently large ACL
++structure is supplied combined with a specified ACE size of 0, it is
++possible to cause the DoS condition to occur.
++
++--
++Affected Systems:
++ Ethereal 0.10.7 and prior
++
++--
++Attack Scenarios:
++An attacker needs to craft packet data containing large NT ACLs, the
++attacker then needs to specify one of the ACEs as having a size of 0.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3038.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++3038
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Samba implementation.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Samba is a file and print serving system for heterogenous networks. It
++is available for use as a service and client on UNIX/Linux systems and as
++a client for Microsoft Windows systems.
++
++Samba uses the SMB/CIFS protocols to allow communication between client
++and server. The SMB protocol contains many commands and is commonly used
++to control network devices and systems from a remote location. A
++vulnerability exists in the way the smb daemon processes commands sent by
++a client system when accessing resources on the remote server.The problem
++exists in the allocation of memory which can be exploited by an attacker
++to cause an integer overflow, possibly leading to the execution of
++arbitrary code on the affected system with the privileges of the user
++running the smbd process.
++
++--
++Affected Systems:
++ Samba 3.0.8 and prior
++
++--
++Attack Scenarios:
++An attacker needs to supply specially crafted data to the smb daemon to
++overflow a buffer containing the information for the access control lists
++to be applied to files in the smb query.
++
++--
++Ease of Attack:
++Difficult.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1653.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1653
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++If the webserver has pages or directories by the name of campus this rule will
++fire often.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++False positive information contributed by Colin Harford
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000706.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000706
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver.
Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using SmartSiteCMS
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1186.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++1186
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a
++vulnerability in some versions of Netscape Enterprise Server.
++
++--
++Impact:
++Information leak which could provide an attacker with the data needed to
++launch further attacks or gain more detailed information about your web server.
++
++--
++Detailed Information:
++A user can see a directory listing by appending a Web Publishing command
++to the end of a directory URL, for example: "http://www.sun.com/?wp-ver-diff".
++
++This exploit will work on Netscape Enterprise Server regardless of
++directory indexing settings.
++
++It will not work on iPlanet Web Server if directory indexing is set to
++"none" or "fancy" (the default). Web Publishing need not be enabled for
++this exploit to work.
++
++--
++Affected Systems:
++ Netscape Enterprise Server 3.0, 3.51 and 3.6
++
++--
++Attack Scenarios:
++The gathering of information such as directory listings is valuable when
++planning to attack a web server.
++
++--
++Ease of Attack:
++Simple. No exploit software required however, an automated tool for
++scanning exists as does an exploit script.
++
++--
++False Positives:
++A web server that uses URLs which contain web publishing commands.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Disable directory indexing. For earlier versions of Netscape Enterprise
++Server, this may not fix the problem. On iPlanet, you can also change
++the indexing type to "fancy".
++
++To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
++
++--
++Contributors:
++Snort documentation contributed by Kevin Peuhkurinen
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++iPlanet Knowledge Base Article 4302:
++http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
++
++iPlanet Knowledge Base Article 7761:
++http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1190.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++1190
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a
++vulnerability in some versions of Netscape Enterprise Server.
++
++--
++Impact:
++Information leak which could provide an attacker with the data needed to
++launch further attacks or gain more detailed information about your web server.
++
++--
++Detailed Information:
++A user can see a directory listing by appending a Web Publishing command
++to the end of a directory URL, for example: "http://www.sun.com/?wp-uncheckout".
++
++This exploit will work on Netscape Enterprise Server regardless of
++directory indexing settings.
++
++It will not work on iPlanet Web Server if directory indexing is set to
++"none" or "fancy" (the default). Web Publishing need not be enabled for
++this exploit to work.
++
++--
++Affected Systems:
++ Netscape Enterprise Server 3.0, 3.51 and 3.6
++
++--
++Attack Scenarios:
++The gathering of information such as directory listings is valuable when
++planning to attack a web server.
++
++--
++Ease of Attack:
++Simple. No exploit software required however, an automated tool for
++scanning exists as does an exploit script.
++
++--
++False Positives:
++A web server that uses URLs which contain web publishing commands.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Disable directory indexing. For earlier versions of Netscape Enterprise
++Server, this may not fix the problem. On iPlanet, you can also change
++the indexing type to "fancy".
++
++To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
++
++--
++Contributors:
++Snort documentation contributed by Kevin Peuhkurinen
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++iPlanet Knowledge Base Article 4302:
++http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
++
++iPlanet Knowledge Base Article 7761:
++http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000591.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000591
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "editor_delete.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"editor_delete.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server.
This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2139.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid: 2139
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a vulnerabliity in BEA Systems WebLogic server.
++
++--
++Impact:
++Information gathering, source code disclosure.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a vulnerabliity in BEA Systems WebLogic server.
++
++A weakness in the configuration of the WebLogic server from BEA Systems allows an attacker to view the source code of .jsp and .jhtml pages that reside in the root directory of the webserver. A request for these documents prefixed with /*.shtml/ will exploit a vulnerability in the handling of Server Side Include Servlet (SSIServlet) such that the webserver will return the documents unparsed, rendering the source code viewable.
++
++--
++Affected Systems:
++BEA Systems WebLogic Enterprise 5.1 and 5.1.x
++
++--
++Attack Scenarios:
++An attacker can retrieve the source code of a .jsp file by making a web request in the form: http://www.foo.com/*.shtml/target.jsp.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3227.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3227
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3304.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3304
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2088.txt
+@@ -0,0 +1,87 @@
++Rule:
++
++--
++Sid:
++2088
++
++--
++Summary:
++vulnerability in the rcp service ypupdated.
++
++--
++Impact:
++Information disclosure and possible code execution.
++
++Unauthorized super user access to the vulnerable host resulting in a
++compromise of all data on the host and any network resources that host
++is connected to. Full control of the victim is gained.
++
++--
++Detailed Information:
++The ypupdated service is used in conjunction with NIS servers to
++remotely update changes made in NIS databases.
++
++On recieving a request the yupdated service executes a make command
++using the Bourne shell. It is possible to execute code using
++metacharacters in the request.
++
++Commands and code after the metacharacters in the request will be
++executed with the privileges of the super user on the vulnerable system.
++
++--
++Affected Systems:
++ HP-UX 10.1, 10.10 and 10.20
++
++ IBM AIX 3.2 and 4.1
++
++ NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
++ NEC UP-UX/V (Rel4.2MP)
++ NEC UX/4800 (64)
++
++ SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
++ SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
++ SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
++ SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
++
++ Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4
++
++--
++Attack Scenarios:
++The attacker needs to craft a specially formulated request to the
++rpc.ypupdated service containing a long username. An exploit for this
++vulnerability exists.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply pacthes for the affected systems as soon as possible.
++
++Disable the rpc.ypupdated daemon.
++
++Disallow all RPC requests from external sources and use a firewall to
++block access to RPC ports from outside the LAN.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/1749
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1644.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1644
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1323.txt
+@@ -0,0 +1,55 @@
++Rule:
++
++--
++Sid: 1323
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a format string vulnerability in the rwhois daemon from Network Solutions.
++
++--
++Impact:
++Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
++
++--
++Detailed Information:
++Certain versions of rwhoisd from Network Solutions contain a programming error that allows an attacker to execute arbitrary code. The error is present when used with the Start of Authority (soa) file directive.
++
++Referral Whois (rwhois) is a directory service used to provide information on hosts and networks connected to the internet.
++
++--
++Attack Scenarios:
++Exploit scripts are available
++
++--
++Ease of Attack:
++Simple. Exploits are available.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0838
++
++Bugtraq:
++http://www.securityfocus.com/bid/3474
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2966.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2966
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
++services.
++
++--
++Impact:
++Serious.
Execution of arbitrary code with system level privileges
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft NetDDE that may allow an attacker to
++run code of their choosing with system level privileges. A programming
++error in the handling of network messages may give an attacker the
++opportunity to overflow a fixed length buffer by using a specially
++crafted NetDDE message.
++
++This service is not started by default on Microsoft Windows systems, but
++this issue can also be exploited locally in an attempt to escalate
++privileges after a successful attack from an alternate vector.
++
++--
++Affected Systems:
++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
++
++--
++Attack Scenarios:
++An attacker needs to craft a special NetDDE message in order to overflow
++the affected buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Disable the NetDDE service.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Security Bulletin MS04-031:
++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3307.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3307
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC.
A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/459.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++
++Sid:
++459
++
++--
++
++Summary:
++This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network.
++
++--
++
++Impact:
++ICMP Type 1 datagrams are not currently used by any known devices.
++
++--
++
++Detailed Information:
++ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
++
++--
++
++Attack Scenarios:
++None known
++
++--
++
++Ease of Attack:
++Numerous tools and scripts can generate this type of ICMP datagram.
++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++-- ++ ++Corrective Action: ++Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams ++-- ++ ++Contributors: ++Original Rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++Nigel Houghton ++ ++-- ++ ++Additional References: ++None ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2110.txt +@@ -0,0 +1,53 @@ ++Rule: ++ ++-- ++Sid: ++2110 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer ++overflow condition in the Post Office Protocol (POP) command STAT. ++ ++-- ++Impact: ++Possible remote execution of arbitrary code leading to a remote root ++compromise. ++ ++-- ++Detailed Information: ++A vulnerability exists such that an attacker may overflow a buffer by ++sending a line feed character to a POP server via the STAT command. ++ ++-- ++Attack Scenarios: ++Simple. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++RFC 1939: ++http://www.faqs.org/rfcs/rfc1939.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2051.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++2051 ++ ++-- ++Summary: ++designated root directory of a web server. ++ ++-- ++Impact: ++Theft of data and important system information may be disclosed to an ++unauthorized party. ++ ++-- ++Detailed Information: ++The script handling file viewing from the vendor moreover.com contains an error that allows files outside the designated root directory to be viewed in a browser. ++ ++The script does not perform checks for the characters ".." when supplied ++by a user in a URL. 
This allows a classic directory traversal attack to ++be performaed against the server. ++ ++-- ++Affected Systems: ++Version 1.0 from moreover.com ++ ++-- ++Attack Scenarios: ++The attacker merely needs to enter a URL using ../ to traverse the file ++system for example: ++http://www.foo.com/cgi-bin/cached_feed.cgi?../../../etc/passwd ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Upgrade to version 2.0 or later ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/1762 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0906 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1070.txt +@@ -0,0 +1,75 @@ ++Rule: ++ ++Sid: ++1070 ++ ++-- ++ ++Summary: ++This event is generated when an attempt is made to initiate a WebDAV SEARCH ++on a web server. ++ ++-- ++Impact: ++Information gathering. Potential Denial of Service (DoS). ++ ++-- ++Detailed Information: ++IIS 5.0 includes an implementation of WebDAV for purposes of web publishing. ++As shipped, it contains two vulnerabilities that can allow an attacker ++to get a complete directory listing from the web root and to DoS the ++web server. ++ ++If the target is IIS 5.0, then an attacker may have gotten a complete ++directory listing from within the web root, which can be useful information ++for attackers (could be a prelude to a more serious attack). IIS 5.0's ++WebDAV implementation is also vulnerable to a Denial of Service vulnerability ++if the search string is too long. ++ ++-- ++Affected Systems: ++ IIS 5.0 ++ Any web server running WebDAV, though no exploits are known for servers ++ other than IIS 5.0. ++ ++-- ++Attack Scenarios: ++Attacker gets a listing by sending something like: ++SEARCH / HTTP/1.1 ++Attacker DoSes the web server using pre-existing tools. 
++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Check the host for signs of compromise. ++ ++Upgrade to the latest non-affected version of the software. ++ ++Apply the appropriate vendor supplied patches. ++ ++Disallow WebDAV access to the server from resources external to the ++protected network. ++ ++-- ++Contributors: ++Original rule writer unknown ++Original document author unkown ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++Alex Kirk ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000759.txt +@@ -0,0 +1,56 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000759 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "edit" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using QTO File Manager ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000420.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000420 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Informium" application running on a webserver. Access to the file "common-menu.php" using a remote file being passed as the "CONF[local_path]" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "CONF[local_path]" parameter in the "common-menu.php" script used by the "Informium" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. 
Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Informium ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/105-1.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++105-1 ++ ++-- ++Summary: ++This event is generated when the pre-processor spp_bo detects network ++traffic that may constitute an attack. Specifically back orifice ++traffic was detected. ++ ++-- ++Impact: ++Unknown. This is possible Trojan activity. ++ ++-- ++Detailed Information: ++This event is generated when the spp_bo pre-processor detects network ++traffic that may consititute an attack. ++ ++Back Orifice is a Trojan horse program for Microsoft systems. This event ++may indicate that this Trojan is active and in use on the protected ++network. ++ ++-- ++Affected Systems: ++ Microsoft Windows 95, 98, ME, NT, 2000 ++ ++-- ++Attack Scenarios: ++This is Trojan activity. An attacker can use this Trojan to control the ++target host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the target host for signs of compromise. 
++ ++Apply any appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2745.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2745 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure alter_snapshot_propagation ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000140.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++100000140 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer overflow in ++the MySQL MaxDB web server. ++ ++-- ++ ++Impact: ++A denial of service will occur, and arbitrary code may be executed with the ++privileges of the user running the web server. ++ ++-- ++Detailed Information: ++If an HTTP GET request beginning with a "%" character and followed by at least ++215 non-newline characters is sent to the MySQL MaxDB web server, a buffer ++overflow will occur. This will result in a denial of service, and possibly ++execution of arbitrary code with the privileges of the user running the web ++server. ++ ++-- ++Affected Systems: ++MySQL MaxDB >= 7.5.00.24 ++ ++-- ++ ++Attack Scenarios: ++This vulnerability may be exploited with a web browser or an automated script. ++ ++-- ++ ++Ease of Attack: ++Simple, as a web browser can be used. ++ ++-- ++ ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++ ++Corrective Action: ++Upgrade to version 7.5.00.26 or higher. ++ ++-- ++Contributors: ++Alex Kirk ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/895.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++895 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3437.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3437 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). 
++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000577.txt +@@ -0,0 +1,74 @@ ++Rule: ++ ++-- ++Sid: ++100000577 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Indexu" application running on a webserver. ++Access to the file "cat_path_update.php" using a remote file being passed as ++the "admin_template_path" parameter may indicate that an exploitation attempt ++has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "admin_template_path" parameter in the ++"cat_path_update.php" script used by the "Indexu" application running on a ++webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Indexu ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/675.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++675 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft SQL. 
++ ++-- ++Impact: ++Information gathering and data integrity compromise. Possible unauthorized ++administrative access to the server or application. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to an implementation of Microsoft SQL server or client. This can ++lead to unauthorized access and possibly escalated privileges to that of ++the administrator. Data stored on the machine can be compromised and ++trust relationships between the victim server and other hosts can be ++exploited by the attacker. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An attacker can access the authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Disallow administrative access from sources external to the protected ++network. ++ ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/267.txt +@@ -0,0 +1,58 @@ ++Rule: ++ ++-- ++Sid: ++267 ++ ++-- ++Summary: ++This event is generated when spurious DNS traffic is detected on the network. ++ ++-- ++Impact: ++Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host). ++ ++-- ++Detailed Information: ++This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken. 
++ ++This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway. ++ ++-- ++Affected Systems: ++Any DNS server. ++ ++-- ++Attack Scenarios: ++An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host. ++ ++-- ++Ease of Attack: ++Simple to Difficult depending on the DNS implementation. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Consider using DNSSEC where appropriate. ++ ++Keep all DNS software up to date and correctly configured. ++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2313.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++2313 ++ ++-- ++Summary: ++This event is generated when suspicious shell code is detected in ++network traffic. ++ ++-- ++Impact: ++Denial of Service (DoS) possible execution of arbitrary code. ++ ++-- ++Detailed Information: ++This event is generated when suspicious shell code is detected. Many ++buffer overflow attacks contain large numbers of NOOP instrucions to pad ++out the request. Other attacks contain specific shell code sequences ++directed at certain applications or services. ++ ++The shellcode in question may also use Unicode encoding. ++ ++-- ++Affected Systems: ++ Any software running on x86 architecture. ++ ++-- ++Attack Scenarios: ++An attacker may exploit a DCERPC service by sending shellcode in the RPC ++data stream. Sending large amounts of data to the Microsoft Workstation ++service can cause a buffer overflow condition in the logging function ++thus presenting an attacker with the opportunity to issue a DoS attack ++or in some cases, to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. Many exploits exist. 
++ ++-- ++False Positives: ++False positives may be generated by binary file transfers. ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Make sure the target host has all current patches applied and has the ++latest software versions installed. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2748.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2748 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure comment_on_column_group ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2772.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2772 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure drop_priority_date ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3411.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3411 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2959.txt +@@ -0,0 +1,68 @@ ++Rule: ++ ++-- ++Sid: ++2959 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE) ++services. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code with system level privileges ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft NetDDE that may allow an attacker to ++run code of their choosing with system level privileges. A programming ++error in the handling of network messages may give an attacker the ++opportunity to overflow a fixed length buffer by using a specially ++crafted NetDDE message. ++ ++This service is not started by default on Microsoft Windows systems, but ++this issue can also be exploited locally in an attempt to escalate ++privileges after a successful attack from an alternate vector. ++ ++-- ++Affected Systems: ++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems. ++ ++-- ++Attack Scenarios: ++An attacker needs to craft a special NetDDE message in order to overflow ++the affected buffer. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Disable the NetDDE service. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft Security Bulletin MS04-031: ++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2817.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2817 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. 
Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure add_column_group_to_flavor ++. This procedure is included in ++sys.dbms_repcat_fla_mas. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000327.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000327 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_import.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_import.php" script used by the "ScozNet ScozNews" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using ScozNet ScozNews
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2297.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2297
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
++running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application Proxy2.de Advanced Poll
++2.0.2. This application does not perform stringent checks when handling
++user input, this may lead to the attacker being able to execute PHP
++code, include php files and possibly retrieve sensitive files from the
++server running the application.
++
++--
++Affected Systems:
++ All systems running Proxy2.de Advanced Poll 2.0.2
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied. 
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/875.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++875
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known. 
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000823.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000823
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "ignore-pm.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "ignore-pm.php" script used by the "VBZooM" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++
++--
++Affected Systems:
++All systems running CGI applications using VBZooM
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/611.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid: 611
++
++--
++Summary:
++This event is generated when a remote login attempt using rlogin fails.
++
++--
++Impact:
++Someone has tried to login using rlogin and failed
++
++--
++Detailed Information:
++This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
++
++Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
++
++--
++Attack Scenarios:
++An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++A legitimate user may generate an event by entering an incorrect password.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Investigate logs on the target host for further details and more signs of suspicious activity
++
++Use ssh for remote access instead of rlogin. 
++
++--
++Contributors:
++Original rule by Max Vision modified from a signature written by Ron Gula
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
++
++Arachnids:
++http://www.whitehats.com/info/IDS392
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000344.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000344
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "index.php" script used by the "SocketMail" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++
++--
++Affected Systems:
++All systems running CGI applications using SocketMail
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000622.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000622
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "mail_modify.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "mail_modify.php"
++script used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing. 
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000393.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000393
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "start.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. 
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "start.php" script used by the "Ovidentia" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Ovidentia
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1257.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++1257
++
++--
++Summary:
++This event is generated when an attempt is made to use WinNuke against a
++host.
++
++--
++Impact:
++Serious. 
Possible Denial of Service (DoS), this can cause a system to
++crash or lose network connectivity
++
++--
++Detailed Information:
++An attacker can send a malformed data packet to and networked host over
++TCP and cause a DoS, loss of network connectivity, or a system crash.
++
++--
++Affected Systems:
++ Windows NT Workstation and Server 4.0
++ Windows NT Workstation and Server 3.5.x
++ Windows 3.1x
++ Windows 95
++--
++Attack Scenarios:
++Program is run against a system in an attempt to knock the system off
++the network.
++
++--
++Ease of Attack:
++Simple. An attacker runs WinNuke and enters an IP address of a target
++system.
++
++--
++False Positives:
++None Known.
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Since there is no known fix for several of the affected operating
++systems, SMB traffic should be blocked at the firewall and all TCP
++traffic on ports 139/135 should be dropped.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Mike Rivett ebiz@rivett.org
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1209.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1209
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion. 
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1855.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++1855
++
++--
++Summary:
++This event is generated when activity indicating the presence of a
++variant of the Stacheldraht DDOS tool is detected.
++
++--
++Impact:
++Distributed Denial of Service (DDoS) is possible.
++
++--
++Detailed Information:
++Stracheldraht is a Distributed denial of service tool normally found on
++Sun Solaris machines. It is made up of a Client, handler and agent. The
++clients connects to the handler. Handlers can connect with up to 1000
++agents. Communication between the client and the handler is conducted
++using tcp and the communication between the handler and the agent can be
++either tcp or icmp_echoreply. This rule detects the a message sent from
++the agent to the handler. 
This message is used to tell the handler that
++the machine is still alive and able to take requests. The handler will
++then reply with the string "ficken". This traffic differs from the
++traffic described on
++http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
++packets have an icmp id of 6666 rather than 666 as noted in the analysis.
++
++--
++Affected Systems:
++ Sun Solaris
++
++--
++Attack Scenarios:
++The agent can be used to mount a distributed denial of service attack. It
++also indicates that a machine is compromised.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++The icmp id along with the keywords may be changed in the
++source code which would then evade this rule.
++
++--
++Corrective Action:
++Disconnect power from the machine and perform forensic analysis on the
++hard drives.
++
++--
++Contributors:
++Snort documentation contributed by Ian Macdonald
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1815.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1815
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a PHP web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a PHP application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. 
Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the PHP application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running PHP applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1704.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1704
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system. 
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/884.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++884
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the CGI web application Formmail running on a server.
++
++--
++Impact:
++Several vulnerabilities include server access, information
++disclosure, spam relaying and mail anonymizing.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to access the perl cgi
++script Formmail. Early versions (1.6 and prior) had several vulnerabilities
++(Spam engine, ability to run commands under server id and set
++environment variables) and should be upgraded immediately. Newer
++versions can still be used by spammers for anonymizing email and
++defeating email relay controls.
++
++--
++Affected Systems:
++ All systems running Formmail
++
++--
++Attack Scenarios:
++Information can be appended to the URL to use your
++mail gateway avoiding SMTP relay controls. HTTP header information can
++be manipulated to avoid access control methods in script. Allows SMTP
++exploits that are normally available only to trusted (local) users such
++as Sendmail % hack.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++Legitimate use of the script can cause alerts. 
Verify
++packet payload and watch web/mailserver logfiles.
++
++--
++False Negatives:
++If the name of the script has been changed this rule will not generate
++an event.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com)
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/107.txt
+@@ -0,0 +1,119 @@
++Rule:
++
++--
++Sid:
++107
++
++--
++Summary:
++Subseven22 is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to. This Trojan
++also has the ability to delete data, steal passwords and disable the
++machine. Other versions are capable of launching DDoS attacks.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++No other systems are affected. This is a windows exceutable that makes
++changes to the system registry, Win.ini and System.ini. When first
++executed the Trojan replicates itself and in most cases, gives the copy
++a random name. This Trojan may use the file extensions ".exe" or ".dll".
++
++Subseven is an improved version of the Netbus Trojan (see sids 114,
++115), Subseven DEFCON8 2.1 is an improved version of Subseven that
++affects Windows 95 and 98 implementations.
++
++The Trojan changes system startup files and registry settings to add the
++Subseven sever to programs normally started on boot.
++
++ SID Message
++ --- -------
++ 103 subseven 22 (incoming TCP connection)
++ 107 subseven DEFCON8 2.1 access (outgoing TCP connection)
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. 
This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++This is a particularly difficult Trojan to remove and should only be
++attempted by an experienced Windows Administrator.
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_CLASSES_ROOT\exefile\shell\open\command
++ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
++ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
++ HKEY_LOCAL_MACHINE\Hardware\Data
++ HKEY_LOCAL_MACHINE\Hardware\Enum
++ HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
++
++Registry keys added are:
++
++ HKEY_CLASSES_ROOT\.dl
++
++Removal of the replicant is also required, look for files ending in
++".exe" or ".dll" in the :\Windows\ or :\Windows\System\
++folders that use alphanumeric file names. The name of the replicant may
++be in one of the registry keys above.
++
++A machine reboot is required to clear the existing process from running
++in memory. 
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Hackfix
++http://www.hackfix.org/subseven/
++
++McAfee
++http://vil.mcafee.com/dispVirus.asp?virus_k=10566
++http://vil.nai.com/vil/content/v_10566.htm
++
++Symantec Security Response
++http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven22.html
++
++F-Secure:
++http://www.f-secure.com/v-descs/subseven.shtml
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000100.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++100000100
++
++--
++Summary:
++This event is generated when a URI of 1,050 bytes ore more is requested from an
++internal web server.
++
++--
++
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This rule is used in conjunction with SID 100000101 to detect buffer overflow
++attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This
++rule should never generate an alert.
++
++--
++Affected Systems:
++Adobe Acrobat 5.0
++Adobe Acrobat 5.0.5
++Adobe Acrobat 6.0
++Adobe Acrobat 6.0.1
++Adobe Acrobat Reader 5.0
++Adobe Acrobat Reader 5.0.5
++Adobe Acrobat Reader 5.1
++Adobe Acrobat Reader 6.0
++Adobe Acrobat Reader 6.0.1
++
++--
++
++Attack Scenarios:
++A web browser or automated script may be used to exploit this vulnerability.
++
++--
++
++Ease of Attack:
++Simple, as simply typing a long URI into a web browser will suffice.
++
++--
++
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++
++Corrective Action:
++Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
++An alternate workaround is available: disable "Display PDF in browser" under
++Edit -> Preferences. 
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++Alex Kirk
++
++--
++Additional References:
++http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000595.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000595
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "inv_config.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "inv_config.php"
++script used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker. 
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1363.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid: 1363
++
++--
++Summary:
++This event is generated when execution of a common X Window system command is attempted via HTTP.
++
++--
++Impact:
++The attacker may be able to initiate an X session on the web server.
++
++--
++Detailed Information:
++This rule generates an event when an X Windows system command command is used with a parameter to set the display location over a plain-text (unencrypted) connection on one of the specified web ports to the target web server.
++
++The "display" parameter is used to specify an address for the X server to listen for connections.
++
++The rule looks for the "display" parameter in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the parameter in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session.
++
++This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server.
++
++--
++Attack Scenarios:
++An attacker launches an "xterm" as the web server user and points it to his machine via the 'display" parameter.
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin.
++
++This command may also be requested on a command line should the attacker gain access to the machine.
++
++Non-essential binaries should be removed from a webserver once it is in production.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1333.txt
+@@ -0,0 +1,80 @@
++Rule:
++
++--
++Sid:
++1333
++
++--
++Summary:
++Attempted id command access via web
++
++--
++Impact:
++Attempt to gain information on users and groups that exist on the host
++using the id command.
++
++--
++Detailed Information:
++This is an attempt to gain intelligence about the users on a webserver.
++id is a UNIX command that will return information about the system's
++users and groups. This information is valuable to an attacker who can
++use it to plan further attacks based on the users possible login
++information or be more effective in targeting specific users and groups
++who possess elevated privileges . The id command will return information
++on the user, the groups the user belings to and the users' "gid" and "uid".
++
++The rule looks for the "id" command in the client to web server network
++traffic and does not indicate whether the command was actually
++successful in showing the user information. The presence of the "id"
++command web traffic indicates that an attacker attempted to trick the
++web server into executing system in non-interactive mode i.e. 
without a
++valid shell session.
++
++Alternatively this rule may trigger in an unencrypted HTTP tunneling
++connection to the server or a shell connection via another exploit
++against the web server.
++
++--
++Attack Scenarios:
++1. The attacker can make a standard HTTP request that contains
++'/usr/bin/id' in the URI which can then return sensitive information on
++groups and users present on the host.
++
++2. This command may also be requested on a command line should the
++attacker gain access to the machine.
++
++3. An attacker uses a "id" command via a web server connection to test
++what username the web server runs under. He then looks for all the files
++writable by this user and find a web server configuration file with
++wrong permissions.
++
++--
++Ease of Attack:
++Simple HTTP request.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++Additional information from Anton Chuvakin
++
++--
++Additional References:
++sid: 1332
++
++man id
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1675.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1675
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2197.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++2197
++
++--
++Summary:
++This event is generated when an attempt is made to access cvsview2.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in cvsview2.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the cvsview2.cgi file, providing the attacker with information about the server directory structure.
++
++--
++Affected Systems:
++Any system running Mozilla Bonsai 1.3.
++
++--
++Attack Scenarios:
++An attacker sends an erroneous request to cvsview2.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks.
++
++--
++Ease of Attack:
++Simple. A proof of concept exists.
++
++--
++False Positives:
++If a legitimate remote user accesses cvsview2.cgi, this rule may generate an event.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to a newer build of Mozilla Bonsai 1.3.
++
++If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Sourcefire Technical Publications Team
++Jennifer Harvey
++
++--
++Additional References:
++Bugtraq
++http://www.securityfocus.com/bid/5517
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2991.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++2991
++
++--
++Summary:
++This event is generated when an attempt is made to bind to the winreg
++service.
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to bind to the RPC
++service for winreg.
++
++--
++Affected Systems:
++ Windows systems
++
++--
++Attack Scenarios:
++An attacker may attempt to bind to the service to manipulate host
++settings.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++Microsoft Technet
++http://support.microsoft.com/support/kb/articles/q153/1/83.asp
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
++Winreg
++http://www.rutherfurd.net/python/winreg/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1379.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++1379
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow vulnerability associated with IPSWITCH WS_FTP server for
++Windows hosts.
++
++--
++Impact:
++Remote administrator access. A successful attack can allow remote
++execution of arbitrary commands with privileges of administrator.
++
++--
++Detailed Information:
++A buffer overflow exists in WS_FTP server that may permit the execution
++of arbitrary commands with the privileges of administrator. 
The exploit
++can be generated by FTP client sending a STAT command accompanied by an
++argument greater than 479 bytes long. This exploit requires login
++access to the FTP server.
++
++--
++Affected Systems:
++Hosts running WS_FTP server 2.0.3.
++
++--
++Attack Scenarios:
++An attacker may login to a vulnerable WS_FTP server and supply an overly
++long file argument to cause a buffer overflow, allowing execution of
++arbitrary commands with the privileges of administrator.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Security Focus:
++http://www.securityfocus.com/advisories/3641
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3175.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3175
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1163.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++Sid:
++1163
++
++--
++
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Web server running on an IRIX platform.
++
++--
++Impact:
++Serious. Execution of arbitrary code is possible.
++
++--
++Detailed Information:
++IRIX versions 5.0 through 6.3 contain a CGI script (/var/www/cgi-bin/webdist.cgi)
++for remote administration purposes. This script, as originally released by
++SGI, contains a vulnerability that can allow an attacker to run any
++arbitrary command that the web server user has access to.
++
++--
++Affected Systems:
++ IRIX systems 5.0 to 6.3
++
++--
++Attack Scenarios:
++An attacker makes a request for the script followed by a semi-colon
++character ";" and then the command to be executed.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of this script on the server.
++
++Check for further signs of compromise.
++
++--
++Contributors:
++Original rule writer unknown
++Original document author unkown
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1841.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++1841
++
++--
++Summary:
++This event is generated when a client on the protected network has
++possibly visited a website containing malicious javascript code.
++
++--
++Impact:
++Minimal
++
++--
++Detailed Information:
++Certain versions of Mozilla and Netscape may allow script code to access
++local cookie data.
++
++By accessing a maliciously coded webpage, a users cookie data from any
++domain may be viewed by the website's administrator.
++
++--
++Affected Systems:
++ Mozilla versions prior to 1.0.1
++ Netscape versions prior to 6.2.1
++
++--
++Attack Scenarios:
++A devious website admin creates a webpage with malicious code and
++obtains sensitive cookie data from a visiting user's web browser about
++any domain he wishes.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++Some peer-to-peer applications may cause this rule to generate an event.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/5293
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2356.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++2356
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application WebChat.
++
++--
++Impact:
++Execution of arbitrary code on the affected system
++
++--
++Detailed Information:
++WebChat contains a flaw such that it may be possible for an attacker
++to include code of their choosing by manipulating the variable
++WEBCHATPATH when making a GET or POST request to a vulnerable system.
++
++It may be possible for an attacker to execute that code with the
++privileges of the user running the webserver, usually root by supplying
++their code in the file db_mysql.php.
++
++--
++Affected Systems:
++ Webdev Webchat 0.77
++
++--
++Attack Scenarios:
++An attacker can make a request to an affected script and define their
++own path for the WEBCHATPATH variable.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/348.txt
+@@ -0,0 +1,61 @@
++SID:
++348
++--
++
++Rule:
++--
++
++Summary:
++This event is generated when an attack attempt is made against an ftp
++server possibly running a vulnerable ftpd
++--
++
++Impact:
++Possible remote execution of commands on the affected server as the root user
++--
++
++Detailed Information:
++The Washington University ftp daemon (wu-ftpd) does not perform proper
++checking in its SITE EXEC implementation, and allows user input to be
++sent directly to printf. This allows an attacker to overwrite data and
++eventually execute code on the server.
++
++This rule detects code from a published exploit called bobek.c
++--
++
++Affected Systems:
++Any system running wu-ftpd 2.6 .0 or below
++--
++
++Attack Scenarios:
++A remote attacker will attempt to execute commands on the ftp server
++with root user privileges, over writing or modifying system files. This
++can be done with anonymous and real user logins.
++--
++
++Ease of Attack:
++Simple, Exploits exist
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2282.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2282
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application MediaWiki running on a server.
++
++--
++Impact:
++Possible execution of arbitrary code and unauthorized administrative
++access to the target system.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application MediaWiki . This application
++does not perform stringent checks when handling user input, this may
++lead to the attacker being able to execute PHP code and include php files
++of the attackers choosing.
++
++--
++Affected Systems:
++ MediaWiki MediaWiki-stable 20031107
++ MediaWiki MediaWiki-stable 20030829
++
++--
++Attack Scenarios:
++An attacker can exploit weaknesses to gain access as the administrator
++by supplying input of their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000732.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000732
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIPofURL.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIPofURL.Admin.class.php" script used by the "Geeklog" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Geeklog
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2416.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2416
++
++--
++Summary:
++This event is generated when activity relating to spurious ftp traffic
++is detected on the network.
++
++--
++Impact:
++Varies from information gathering to a serious compromise of an ftp
++server.
++
++--
++Detailed Information:
++FTP is used to transfer files between hosts. This event is indicative of
++spurious activity in FTP traffic between hosts.
++
++The event may be the result of a transfer of a known protected file or
++it could be an attempt to compromise the FTP server by overflowing a
++buffer in the FTP daemon or service.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party
++using FTP.
++
++An attacker might utilize a vulnerability in an FTP daemon to gain
++access to a host, then upload a Trojan Horse program to gain control of
++that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow access to FTP resources from hosts external to the protected
++network.
++
++Use secure shell (ssh) to transfer files as a replacement for FTP.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2581.txt
+@@ -0,0 +1,77 @@
++Rule:
++
++--
++Sid:
++2581
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a directory
++traversal associated with the Crystal Reports web viewer.
++
++--
++Impact:
++A successful attack may allow unauthorized files to be viewed or
++possibly deleted.
++
++--
++Detailed Information:
++A vulnerability exists in the Crystal Reports web viewer that may permit
++an attacker to view or delete unauthorized files. The is due to a
++failure to ensure that that a requested Crystal Report file location
++is in the web root directory, permitting unauthorized files to be
++viewed.
++
++In addition, Crystal Reports assumes that the requested report
++file for viewing is a temporary file and deletes it after the
++web version has been viewed. This problem combined with the
++directory traversal vulnerability may allow sensitive or valuable
++files to be deleted.
++
++--
++Affected Systems:
++Crystal Reports 8.5 JAVA SDK
++Crystal Reports RAS 8.5 for UNIX
++Crystal Reports 9.0
++Crystal Enterprise 9.0
++Crystal Reports 10
++Crystal Reports 10.0
++
++--
++Attack Scenarios:
++An attacker can request to view a file not in the web root
++directory, permitting unauthorized information disclosure.
++The viewed file will be deleted subsequently possibly causing
++harm to the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References
++
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
++
++Other:
++http://www.microsoft.com/security/bulletins/200406_crystal.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/568.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++568
++
++--
++Summary:
++This event is generated when an attempt is made to change the message on
++the LCD display on a JetDirect enabled HP printer.
++
++--
++Impact:
++User confusion and comedy, mostly.
++
++--
++Detailed Information:
++HP JetDirect printers allow remote machines to change the message that
++is displayed on the LCD panel via the PJL command. This event indicates
++that this command has been used in network traffic.
++
++--
++Affected Systems:
++ HP JetDirect enabled printers
++
++--
++Attack Scenarios:
++As part of an attempt to confuse and annoy users, an attacker may
++attempt to change the message displayed on the printers LCD screen.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Update to the latest JetDirect, and investigate the possibility of
++restricting access to a central print-server using the "allow:
++" directive in a printer config file.
++
++Disallow printer use from hosts outside the protected network.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Jon Hart
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2410.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2410
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a PHP web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. 
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a PHP application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the PHP application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running PHP applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2196.txt
+@@ -0,0 +1,55 @@
++Rule:
++
++--
++Sid:
++2196
++
++--
++Summary:
++This event is generated when an attempt is made to access catgy.cgi on an internal web server. 
This may indicate an attempt to exploit a cross-site scripting vulnerability in Aktivate e-commerce software.
++
++--
++Impact:
++Arbitrary code execution, possible session hijack.
++
++--
++Detailed Information:
++Aktivate 1.03 is an e-commerce application for use on Linux and other UNIX-based operating systems. An attacker can craft a URL with malicious code in the "desc" command's argument that passes the commands to catgy.cgi. If a legitimate user activates the URL, malicious code may be executed on the client computer.
++
++--
++Affected Systems:
++Systems running Aktivate 1.03.
++
++--
++Attack Scenarios:
++An attacker may craft a URL that, when activated by a legitimate user, obtains the user's session cookie, thereby allowing the attacker to pose as the user for the duration of the session.
++
++--
++Ease of Attack:
++Simple. A proof of concept exists.
++
++--
++False Positives:
++If a legitimate remote user accesses catgy.cgi, this rule may generate an event.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++It is not known if this vulnerability has been fixed. Contact the vendor, Allen & Keul Web Solutions (http://www.allen-keul.net) for more information.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Sourcefire Technical Publications Team
++Jennifer Harvey
++
++--
++Additional References:
++http://www.securityfocus.com/bid/3714
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2016.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++2016
++
++--
++Summary:
++Remote Procedure Call (RPC) is a facility that enables a machine to
++request a service from another remote machine. This is done without the
++request for available services on a host.
++
++--
++Impact:
++This may be an intelligence gathering activity that could be the prelude
++to an attack against a vulnerable service on the host.
++
++--
++Detailed Information:
++This RPC status request returns information pertaining to available RPC
++services running on a host. This is not an attack against a host by
++itself but may be an intelligence gathering activity in prelude to an
++attack against a vulnerable service running on a target host.
++
++--
++Affected Systems:
++All machines running RPC services.
++
++--
++Attack Scenarios:
++The attacker merely needs to request information about services being
++offered on a target machine using "rpcinfo" for example.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++When seen on a local area network a legitimate rpcinfo request will
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++RPC services should not be available outside the local area network,
++filter RPC ports at the firewall to ensure access is denied to RPC
++enabled machines.
++
++Disable all RPC services where not needed.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats:
++http://www.whitehats.com/info/IDS15/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000132.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++100000132
++
++--
++Summary:
++This event is generated when a connection is made to the Internet via a proxy
++server on your internal network.
++
++--
++
++Impact:
++If the server is not legitimate, anyone with access to it can use your
++bandwidth to access the Internet; if users conduct malicious activity on the
++Internet through this server, the activity will appear to have come from the
++misconfigured machine.
++
++--
++Detailed Information:
++This rule looks for pieces of HTTP requests being made by a misconfigured
++Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is
++coming from is not a known proxy server, it indicates that the machine in
++question is either improperly configured or has been compromised.
++ ++False positives associated with this rule may be reduced considerably, or even ++eliminated, by the use of a custom variable. By editing your snort.conf to ++include "var KNOWN_PROXY_SERVERS = [ ++Alex Kirk ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1060.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++1060 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++NGS Whitepaper - Advanced SQL Injection ++www.nextgenss.com/papers/advanced_sql_injection.pdf ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2202.txt +@@ -0,0 +1,56 @@ ++Rule: ++ ++-- ++Sid: ++2202 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access edit_action.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in Webmin 0.91. ++ ++-- ++Impact: ++Information gathering, possible execution of system utilities to which Webmin has rights. ++ ++-- ++Detailed Information: ++Webmin is a web-based system administration tool for Linux and UNIX-based operating systems. A malicious user could use directory traversal techniques within an argument sent to the edit_action.cgi script in order to view hidden files on the server or execute programs to which Webmin has security privileges. ++ ++-- ++Affected Systems: ++Systems running Webmin 0.91. ++ ++-- ++Attack Scenarios: ++An attacker creates a specially crafted an edit_action.cgi URL and transmits it to a vulnerable server. The attacker can then view or execute any arbitrary file included in the parameter, provided that Webmin has rights to access it. ++ ++-- ++Ease of Attack: ++Simple. A proof of concept exists. ++ ++-- ++False Positives: ++If a legitimate remote user accesses edit_action.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to Webmin 0.92 or higher. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Sourcefire Technical Publications Team ++Jennifer Harvey ++ ++-- ++Additional References: ++Bugtraq ++http://www.securityfocus.com/bid/3698 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2254.txt +@@ -0,0 +1,75 @@ ++Rule: ++ ++-- ++Sid: ++2254 ++ ++-- ++Summary: ++This rule has been deleted in favor of sid 2253. ++ ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft Exchange Server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service ++(DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in versions of Microsoft Exchange Server such ++that it is possible for an attacker to execute arbitrary code or cause a ++DoS condition on the server without the need for prior authentication as ++a valid user. ++ ++It is possible for an attacker to connect to the Exchange server on port ++25 and send an extended verb request to the server that will cause a ++large amount of memory to be allocated. In Exchange Server 5.5 this may ++cause a DoS, whilst in Exchange Server 2000 this same condition could ++present the attacker with an opportunity to execute arbitrary code. ++ ++-- ++Affected Systems: ++ MIcrosoft Exchange Server 5.5 ++ Microsoft Exchange Server 2000 ++ ++-- ++Attack Scenarios: ++The attacker can connect to port 25 of the server and send a specially ++crafted verb request. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft Corp. 
++http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-046.asp ++ ++CVE: ++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2609.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++2609 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Oracle database implementation. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code may be possible. A Denial of ++Service (DoS) condition may also be caused. ++ ++-- ++Detailed Information: ++Oracle databases may use a built-in procedure to assist in database ++replication. The "cancel_statistics" procedure contains a ++programming error that may allow an attacker to execute a buffer ++overflow attack. ++ ++This overflow is triggered by long strings in some parameters for the ++procedure. ++ ++If you are running Oracle on a Windows server, make sure that the ++variable $ORACLE_PORTS is set to a value of "any". ++ ++-- ++Affected Systems: ++ Oracle 9i ++ ++-- ++Attack Scenarios: ++An attacker can supply a long string to either the "sname" or ++"oname" variables to cause the overflow. The result could ++permit the attacker to gain escalated privileges and run code of their ++choosing. This attack requires an attacker to logon to the database ++with a valid username and password combination. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Matt Watchinski ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Other: ++http://www.appsecinc.com/Policy/PolicyCheck633.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1905.txt +@@ -0,0 +1,68 @@ ++Rule: ++-- ++Sid: ++1905 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer ++overflow associated with the Remote Procedure Call (RPC) amd service. ++ ++-- ++Impact: ++Remote root access. This attack can permit execution of arbitrary ++commands with the privileges of the user running amd, typically root. ++ ++-- ++Detailed Information: ++The amd RPC service implements the automounter daemon on UNIX hosts. The ++amd service automatically mounts and unmounts requested file systems. ++There is a buffer overflow associated with amd logging that can allow ++execution of arbitrary commands with the privileges of the user running ++amd, typically root. ++ ++-- ++Affected Systems: ++ BSDI BSD/OS 3.1, 4.0.1 ++ FreeBSD 3.0, 3.1, 3.2 ++ Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0 ++ ++-- ++Attack Scenarios: ++An attacker can query the portmapper to discover the port where amd runs ++and then attack the amd port. Alternatively, an attacker may attempt to ++execute the exploit code on any listening port in the RPC range if the ++portmapper is blocked. ++ ++-- ++Ease of Attack: ++Simple. Exploit code is freely available. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Limit remote access to RPC services. ++ ++Filter RPC ports at the firewall to ensure access is denied to ++RPC-enabled machines. ++ ++Disable unneeded RPC services. 
++ ++-- ++Contributors: ++Original rule written by Max Vision ++Modified by Brian Caswell ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2828.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2828 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure comment_on_repgroup ++. This procedure is included in ++sys.dbms_repcat_mas. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2190.txt +@@ -0,0 +1,75 @@ ++Rule: ++ ++-- ++Sid: ++2190 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Microsoft: ++http://www.microsoft.com/technet/security/bulletin/MS03-026.asp ++ ++CVE: ++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2333.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++2333 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an FTP server. ++ ++-- ++Impact: ++Possible execution of arbitrary code. ++ ++-- ++Detailed Information: ++FTP is used to transfer files between hosts. This event is indicative of spurious ++activity in FTP traffic between hosts. ++ ++It is possible for a user to supply data to an FTP ommand and have it ++interpreted as code. The attacker might then be able to run code of ++their choosing with the privileges of the user running the FTP service. ++ ++-- ++Affected Systems: ++ PlatinumFTP PlatinumFTPserver 1.0.18 ++ ++-- ++Attack Scenarios: ++An attacker might utilize a vulnerability in an FTP daemon to gain access to a ++host, then upload a Trojan Horse program to gain control of that host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Upgrade to the latest non-affected version of the software. ++ ++Disallow access to FTP resources from hosts external to the protected network. ++ ++Use secure shell (ssh) to transfer files as a replacement for FTP. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1592.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1592 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. 
++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1352.txt +@@ -0,0 +1,48 @@ ++Rule: ++ ++-- ++Sid: ++1352 ++ ++-- ++Summary: ++Attempted tclsh command access via web ++ ++-- ++Impact: ++Attempt to gain information on system processes on webserver ++ ++-- ++Detailed Information: ++This is an attempt to execute a tclsh command or script on a webserver. tclsh is a shell application that reads tcl commands and evaluates them. The attacker could possibly execute a command or script on the host. ++ ++-- ++Attack Scenarios: ++The attacker can make a standard HTTP request that contains 'tclsh'in the URI. ++ ++-- ++Ease of Attack: ++Simple HTTP request. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. ++ ++-- ++Contributors: ++Sourcefire Research Team ++ ++-- ++Additional References: ++sid: 1351 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3060.txt +@@ -0,0 +1,54 @@ ++Rule: ++ ++-- ++Sid: ++3060 ++ ++-- ++Summary: ++This event is generated when an attempt is made to initiate a TLS ++connection via SSL version 2. ++ ++-- ++Impact: ++Unknown. ++ ++-- ++Detailed Information: ++This rule indicates that an attempt has been made to initiate a TLS ++connection via SSL v2. This rule should not generate an event. ++ ++-- ++Affected Systems: ++ All implementations using SSL. ++ ++-- ++Attack Scenarios: ++NA ++ ++-- ++Ease of Attack: ++NA ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++NA ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000839.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000839 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHP Event Calendar" application running on a webserver. Access to the file "calendar.php" using a remote file being passed as the "path_to_calendar" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_calendar" parameter in the "calendar.php" script used by the "PHP Event Calendar" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using PHP Event Calendar ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/3127.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++3127 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft License Logging Service. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code leading to unauthorized ++administrative access to the target host. Denial of Service (DoS) is ++also possible. ++ ++-- ++Detailed Information: ++Microsoft License Logging Service is used to manage licenses for ++Microsoft server products. ++ ++A vulnerability in the service exists due to a programming error such ++that an unchecked buffer may present an attacker with the opportunity to ++exploit the service and run code of their choosing on an affected ++system. The attacker may then cause a DoS condition in the service or ++possibly gain administrative access to the target host. ++ ++The unchecked buffer exists when processing the length of messages sent ++to the logging service. 
++ ++-- ++Affected Systems: ++ Microsoft Windows Server 2003 ++ Microsoft Windows Server 2000 ++ Microsoft Windows NT Server ++ ++-- ++Attack Scenarios: ++An attacker can supply extra data in the message to the service ++containing code of their choosing to be run on the server. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++ ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2143.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: 2143 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a weakness in the cafelog php application. ++ ++-- ++Impact: ++Arbitrary code execution. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a vulnerability in the cafelog PHP application. ++ ++It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script. ++ ++-- ++Affected Systems: ++Any host using cafelog. ++ ++-- ++Attack Scenarios: ++An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the php implementation on the host. ++ ++Check the webserver log files for signs of this activity. ++ ++Where possible, ensure the webserver is run as an unprivileged process. ++ ++Check the host for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2701.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++2701 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++-- ++Affected Systems: ++ Oracle iSQLPlus ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3223.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3223 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. 
Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/153.txt +@@ -0,0 +1,88 @@ ++Rule: ++ ++-- ++Sid: ++153 ++ ++-- ++Summary: ++Donald Dick is a Trojan Horse allowing the attacker to access various ++resources on the victim host. This event is generated when the attackers ++client connects to the Trojan server. ++ ++-- ++Impact: ++Possible theft of data and control of the targeted machine leading to a ++compromise of all resources the machine is connected to. 
++ ++-- ++Detailed Information: ++This Trojan affects the following operating systems: ++ ++ Windows 95 ++ Windows 98 ++ Windows NT ++ ++The Trojan changes system registry settings to add the Donald Dick ++server to programs normally started on boot. Due to the nature of this ++Trojan it is unlikely that the attacker's client IP address has been ++spoofed. ++ ++The default name of the server application is vmldir.vxd. ++ ++-- ++Attack Scenarios: ++This Trojan may be delivered to the target in a number of ways. This ++event is indicative of an existing infection being activated. Initial ++compromise can be in the form of a Win32 installation program that may ++use the extension ".jpg" or ".bmp" when delivered via e-mail for ++example. ++ ++-- ++Ease of Attack: ++This is Trojan activity, the target machine may already be compromised. ++Updated virus definition files are essential in detecting this Trojan. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Edit the system registry to remove the extra keys or restore a ++previously known good copy of the registry. ++ ++Affected registry keys are: ++ ++HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\ ++ ++Registry keys added: ++ ++ VMLDR ++ ++This contains the key StaticVxD = "vmldir.vxd" ++ ++Delete the registry key VMLDR. ++ ++Delete the Troajn application vmldir.vxd. ++ ++A reboot of the infected machine is needed. ++ ++-- ++Contributors: ++Original rule written by unknown persons. ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Hackfix ++http://www.hackfix.org/miscfix/dd.shtml ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/847.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++847 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/317.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: 317 ++ ++-- ++Summary: ++This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd. 
++ ++-- ++Impact: ++System compromize presenting the attacker with escalated system privileges . ++ ++-- ++Detailed Information: ++Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem. ++ ++The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used. ++ ++Affected Systems: ++ Caldera OpenLinux Standard 1.2 ++ RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1 ++ ++-- ++Attack Scenarios: ++Exploit scripts are available ++ ++-- ++Ease of Attack: ++Simple. Exploits are available. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/121 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 ++ ++CERT: ++http://www.cert.org/advisories/CA-1998-12.html ++http://www.cert.org/summaries/CS-98-08.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1515.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1515 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. 
Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2043.txt
+@@ -0,0 +1,77 @@
++Rule:
++
++--
++Sid:
++2043
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Internet Security Association and Key Management
++Protocol (ISAKMP).
++
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++ISAKMP is a framework for authentication using cryptographic keys. It
++specifically defines the process of key exchange as opposed to the
++generation of a cryptographic key.
++
++ISAKMP also details the procedures for the required security
++associations in network security services.
++
++This event indicates that a key exchange using ISAKMP failed.
++
++--
++Affected Systems:
++All systems using cryptographic key exchange as an authentication
++method.
++
++--
++Attack Scenarios:
++The attacker may have a store of keys associated with valid users and
++may attempt to authenticate using a combination of username and key.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++A user may mistype a username or may be trying to authenticate using an
++expired key.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Ensure that key exchanges are only allowed between trusted hosts.
++
++Check log files for disallowed login attempts.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++ISAKMP:
++http://www.networksorcery.com/enp/protocol/isakmp.htm
++
++RFC:
++http://www.ietf.org/rfc/rfc2407.txt
++http://www.ietf.org/rfc/rfc2408.txt
++
++IANA:
++http://www.iana.org/assignments/isakmp-registry
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/698.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++698
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft SQL.
++
++--
++Impact:
++Information gathering and data integrity compromise. Possible unauthorized
++administrative access to the server or application.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to an implementation of Microsoft SQL server or client. This can
++lead to unauthorized access and possibly escalated privileges to that of
++the administrator. Data stored on the machine can be compromised and
++trust relationships between the victim server and other hosts can be
++exploited by the attacker.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An attacker can access the authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow administrative access from sources external to the protected
++network.
++
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000454.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++100000454
++--
++Summary:
++This event is generated when an attempt is made to exploit a cross site
++scripting vulnerability in the "KAPhotoservice" application running on a
++webserver.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit a cross site
++scripting vulnerability via the "New Category" parameter in the "edtalbum.asp"
++script used by the "KAPhotoservice" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to retrieve sensitive data, execute system binaries
++or malicious code of the attackers choosing.
++
++--
++Affected Systems:
++All systems running CGI applications using KAPhotoservice
++--
++Attack Scenarios:
++An attacker can supply a malicious link designed to steal information from a
++user clicking on that link.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++The Cross Site Scripting (XSS) FAQ
++http://www.cgisecurity.com/articles/xss-faq.shtml
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1728.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid:
++1728
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known vulnerability in the ftp server included with version 2.6 of the Sun Solaris operating system.
++
++--
++Impact:
++Serious.
++
++--
++Detailed Information:
++An error in the ftp daemon supplied with version 2.6 of Sun's Solaris operating system can cause the daemon to overflow a buffer and generate a core file that is world readable.
++
++The attacker may also be able to fill the disk partition by generating core files.
++
++--
++Affected Systems:
++Sun Solaris 2.6
++
++--
++Attack Scenarios:
++An attacker can use a non-standard ftp client or initiate a session with the ftp server and issue a CWD ~ command. The attacker may then be able to read the core file and recover usernames and passwords for other users on the system
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/494.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid: 494
++
++--
++Summary:
++This event is generated by a successful attempt to execute a command.
This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
++
++--
++
++Impact:
++Serious. An attacker may have the ability to execute commands remotely
++
++--
++Detailed Information:
++This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com).
++
++Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.
++
++--
++
++Attack Scenarios:
++An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.
++
++--
++
++Ease of Attack:
++Simple. This post-attack behavior can accompany different attacks.
++
++--
++
++False Positives:
++This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Investigate the web server for signs of compromise.
++
++Look for other IDS events involving the same IP addresses.
++
++--
++Original rule writer unknown
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Technet:
++http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/570.txt
+@@ -0,0 +1,71 @@
++SID:
++570
++--
++
++Rule:
++--
++
++Summary:
++This event indicates an attempt to exploit the tool talk RPC database
++service
++--
++
++Impact:
++Possible unauthorized administrative access to the server or application
++or a denial of service to the affected application
++--
++
++Detailed Information:
++ToolTalk RPC database service (rpc.ttdbserverd) does not perform
++adequate input validation or provide a format string specifier argument
++when writing to syslog. This means a specifically crafted RPC request to
++the ToolTalk RPC database service overwriting specific locations in
++memory and therefore allowing execution of code with the same permission
++level as the user running ttdbserverd, usually root.
++--
++
++Affected Systems:
++ HP-UX 10.10 - 11.0
++ AIX 4.1 - 4.3
++ IRIX 5.2 - 6.4
++ Solaris 1.1 - 2.6
++ TriTeal TED CDE 4.3
++ Xi Graphics Maximum CDE 1.2.3
++
++Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
++--
++
++Attack Scenarios:
++An attacker will send a specially crafted RPC call to the
++rpc.ttdbserverd daemon running on an affected system. A sucessful
++attack will then run code on the server with the access level of the
++root user.
++--
++
++Ease of Attack:
++Simple, Exploit code is available.
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++--
++
++Corrective Action:
++Updates packages and patches are available from vendors, install them or
++disable the service if not needed.
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3255.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3255
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1974.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++1974
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with CesarFTPD FTP server REST command.
++
++--
++Impact:
++Remote access. A successful attack may permit the remote execution of arbitrary commands with system privileges.
++
++--
++Detailed Information:
++CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists with the REST command that can cause a buffer overflow and permit the execution of arbitrary commands with system privileges. The buffer overflow can be caused by supplying an overly long argument to the REST command.
++
++--
++Affected Systems:
++Hosts running CesarFTP 0.98b.
++
++--
++Attack Scenarios:
++An attacker can supply an overly long file argument with the REST command, causing a buffer overflow.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0826
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/157.txt
+@@ -0,0 +1,103 @@
++Rule:
++
++--
++Sid:
++152, 157-158
++
++--
++Summary:
++Backdoor.Backconstruction is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files
++and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Backconstruction
++sever to programs normally started on boot. Due to the nature of this
++Trojan it is unlikely that the attacker's client IP address has been
++spoofed.
++
++ SID Message
++ --- -------
++ 152 BackConstruction 2.1 Connection (outgoing TCP
++connection)
++ 157 BackConstruction 2.1 Client FTP Open Request (incoming
++TCP connection)
++ 158 BackConstruction 2.1 Server FTP Open Reply (outging TCP
++connection)
++
++This Trojan is commonly used to install other Trojan programs.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Cmctl32.exe
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Shell = ":\WINDOWS\Cmctl32.exe"
++
++Removal of this entry is required.
++
++Delete the file :\WINDOWS\Cmctl32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected
++machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS505
++
++Dark-e:
++http://www.dark-e.com/archive/trojans/backc/21/index.shtml
++
++Pest Patrol:
++www.pestpatrol.com/PestInfo/b/back_construction.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/932.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++932
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a ColdFusion web server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases. Denial of
++Service is possible.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running Coldfusion. Many known vulnerabilities exist for this platform and
++the attack scenarios are legion.
++
++--
++Affected Systems:
++ All systems running ColdFusion
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Many exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1349.txt
+@@ -0,0 +1,47 @@
++Rule:
++
++--
++Sid:
++1349
++
++--
++Summary:
++Attempted /bin/python access via web
++
++--
++Impact:
++Attempt to execute a python script on a host.
++
++--
++Detailed Information:
++This is an attempt to execute a python script on a host. Python is a scripting language that is available on a wide variety of platforms. By default Python code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
++
++--
++Attack Scenarios:
++The attacker can make a standard HTTP transaction that includes a reference to Python in the URI.
++
++--
++Ease of Attack:
++Simple HTTP.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Python may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all python scripts on the host should be written using the restriceted access mode. This forces Python to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
++--
++Contributors:
++Sourcefire Research Team
++
++--
++Additional References:
++sid: 1350
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1454.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1454
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server, in this case
++the wwwwais cgi application.
++
++--
++Impact:
++Possible execution of arbitrary code of the attackers choosing.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server.
This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Securiteam:
++http://www.securiteam.com/unixfocus/5SP140035A.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/501.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++501
++
++--
++Summary:
++This event is generated when a packet is discovered with loose source routing set in the IP options.
++
++--
++Impact:
++Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing.
++
++--
++Detailed Information:
++Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination. Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop.
This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router. A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it.
++
++--
++Affected Systems:
++Unless loose source routing is disabled, all hosts can accept them.
++
++--
++Attack Scenarios:
++An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++This even will trigger if you allow loose source routed packets into your network.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Block all source routed (loose or strict) packets from entering your network.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Bugtraq
++http://www.securityfocus.com/bid/646
++
++CVE
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909
++
++Whitehats
++www.whitehats.com/info/IDS470
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2921.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++2921
++
++--
++Summary:
++This event is generated when an inverse query attempt is made using UDP.
++
++--
++
++Impact:
++Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Bind 8 contains a programming error that may present an attacker with
++the opportunity to execute code of their choosing on an affected server.
++
++The error occurs in the handling of malformed transactions. When using
++UDP this can result in the attacker causing a stack overflow in named.
++
++--
++Affected Systems:
++ Bind 8.
++
++--
++Attack Scenarios:
++An attacker needs to send a specially crafted and malformed query to an
++affected server.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/217.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++217
++
++--
++Summary:
++This event is generated when an attacker attempts to connect to a
++Telnet server using the phrase "hax0r". This is a known password for
++the sm4ck Linux rootkit.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to.
++
++--
++Detailed Information:
++This Trojan affects Linux operating systems:
++
++Due to the nature of this Trojan it is unlikely that the attacker's
++client IP address has been spoofed.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise may be due to the exploitation of another vulnerability and
++the attacker is leaving another way into the machine for further use.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Telnet access from external sources.
++
++Use SSH as opposed to Telnet for access from external locations
++
++Delete the Trojan and kill any associated processes.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1733.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid:
++1733
++
++--
++Summary:
++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rwalld is listening.
++
++
++--
++Impact:
++Information disclosure. This request is used to discover which port rwalld is using. Attackers can also learn what versions of the rwalld protocol are accepted by rwalld.
++
++--
++Detailed Information:
++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rwalld run. The rwalld RPC service is used by UNIX hosts to send a message to current users on the host. There is a format string vulnerability associated with rwalld error messages, allowing an attacker to execute abitrary code with the privileges of rwalld, possibly root. According to CERT, this is both a local and remote exploit, but the remote exploit is more difficult to perform.
++
++--
++Affected Systems:
++Sun Solaris 2.5.1, 2.6, 7, and 8
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where rwalld runs. This may be a precursor to an attack to exploit the rwalld format string vulnerability.
++
++--
++Ease of Attack:
++Easy.
++
++--
++False Positives:
++If a legitimate remote user is allowed to access rwalld, this rule may trigger.
++
++--
++False Negatives:
++This rule detects probes of the portmapper service for rwalld, not probes of the rwalld service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rwalld service itself. An attacker may attempt to go directly to the rwalld port without querying the portmapper service, which would not trigger the rule.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CERT:
++http://www.cert.org/advisories/CA-2002-10.html
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/357.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++357
++
++--
++Summary:
++This event is generated when activity relating to spurious ftp traffic is detected on the network.
++
++--
++Impact:
++Varies from information gathering to a serious compromise of an ftp server.
++
++--
++Detailed Information:
++FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
++
++The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using FTP.
++
++An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow access to FTP resources from hosts external to the protected network.
++
++Use secure shell (ssh) to transfer files as a replacement for FTP.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1474.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1474
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1391.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1391
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1110.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1110
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1384.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid:
++1384
++
++--
++Summary:
++This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
++
++--
++Impact:
++Attempted administrator access or denial of service. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
++
++--
++Detailed Information:
++The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP. Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
++
++--
++
++Affected Systems:
++Microsoft Windows 98, 98SE, ME, XP
++
++--
++Attack Scenarios:
++An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
++
++--
++Ease of Attack:
++Simple. Exploit code is freely available.
++
++--
++False Positives:
++This event will be generated if external hosts are permitted to query for UPnP devices.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Block inbound UPnP traffic.
++
++--
++Contributors:
++Original rule writer unknown.
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1730.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1730
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/516.txt
+@@ -0,0 +1,61 @@
++Nigel - added new references to the rule and bumped up revision number.
++Rule:
++
++--
++Sid:
++516
++
++--
++Summary:
++This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host.
++
++--
++Impact:
++Reconnaissance. An attacker may obtain SMB usernames of the remote host.
++
++--
++Detailed Information:
++Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords.
++
++--
++Affected Systems:
++Hosts that run SMB and listen for SNMP requests.
++
++--
++Attack Scenarios:
++An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
++
++--
++Ease of Attack:
++A Nessus script exists to list current SMB users.
++
++--
++False Positives:
++None.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Block inbound SNMP traffic.
++
++Disable SNMP as a listening service on the remote host unless it is required.
++
++--
++Contributors:
++Original rule written by Max Vision
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS333
++
++Nessus:
++http://cgi.nessus.org/plugins/dump.php3?id=10546
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1059.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++1059
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++NGS Whitepaper - Advanced SQL Injection
++www.nextgenss.com/papers/advanced_sql_injection.pdf
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2093.txt
+@@ -0,0 +1,86 @@
++Rule:
++
++--
++Sid:
++2093
++
++--
++Summary:
++vulnerability in xdrmem_getbytes used by XDR in RPC portmap services.
++
++--
++Impact:
++System compromise, denial of service, execution of arbitrary code,
++information disclosure.
++
++--
++Detailed Information:
++A vulnerability exists in various implementations of external data
++representation (XDR) libraries. An integer overflow in a component
++(xdrmem_getbytes) used by XDR can lead to a buffer overflow.
++
++The XDR libraries are widely used by multiple vendors to provide a
++framework for data transmission across networks. This is most commonly
++used in RPC implementations.
++
++A specially crafted rpc request can lead to remote system compromise and
++super user access to the target host. Additionally, a denial of service
++and execution of arbitrary code with the privilege of the super user is
++also possible.
++
++--
++Affected Systems:
++Multiple vendors including all those using:
++ Sun Microsystems Network Services Library (libnsl)
++ GNU C library with sunrpc (glibc)
++ BSD-derived libraries with XDR/RPC routines (libc)
++
++--
++Attack Scenarios:
++The attacker needs to send a specially crafted rpc request to the target
++host.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade the vendor libraries to the latest non-affected versions. Any
++statically linked binaries and applications must be recompiled and
++restarted after the upgrade.
++
++Disallow all RPC requests from external sources and use a firewall to
++block access to RPC ports from outside the LAN.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/7123
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028
++
++CERT:
++http://www.cert.org/advisories/CA-2003-10.html
++http://www.kb.cert.org/vuls/id/516825
++http://www.kb.cert.org/vuls/id/192995
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000110.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++100000110
++
++--
++Summary:
++This event is generated when the Dabber virus attempts to exploit a
++vulnerability in the FTP server installed by the Sasser virus.
++
++--
++
++Impact:
++If the Sasser virus is currently running on the affected system, then the
++Dabber virus will be able to install itself as well.
++
++--
++Detailed Information:
++Some variants of the Sasser virus install an FTP server that listens on port
++5554. However, this FTP server suffers from a buffer overflow in the PORT
++command, which can be exploited with a command of 100 or more characters. The
++Dabber virus makes use of this vulnerability as an infection vetor.
++
++--
++Affected Systems:
++Any machine with a variant of the Sasser virus whose FTP server listens on port
++5554.
++
++--
++
++Attack Scenarios:
++A known virus scans the Internet in search of vulnerable systems.
++
++--
++
++Ease of Attack:
++Simple, as the virus is in the wild.
++
++--
++
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++
++Corrective Action:
++Users should employ a virus removal tool to clean their system of both Dabber
++and Sasser, and then apply the latest security patches from Microsoft to
++prevent further infections.
++
++--
++Contributors:
++Matt Watchinski
++Alex Kirk
++
++--
++Additional References:
++
++http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3330.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3330
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1610.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++1610
++
++--
++Summary:
++An attempt to access a script (formmail) in the cgi-bin which has known
++vulnerabilities.
++
++Formmail is a freely available perl script that is used to send data
++collected via a form to specified addresses.
++
++--
++Impact:
++Attempt to gain information about the web-server environment variables.
++Could also be an attempt to execute commands on the web-server that will
++execute with the privilege of the user owning the daemon running the
++server. The script may also be used to relay SPAM or to disclose the
++contents of files on the host.
++
++--
++Detailed Information:
++This could be an attempt to gain intelligence about the web-server that
++might be used to further exploit the machine. The environment variables
++of the web-server might be retrieved and sent via email to an address of
++the attackers choosing. More importantly this could be an attempt to
++execute commands on the web-server. Should this be successful, the
++commands would execute with the privileges of the user owning the httpd daemon.
++
++--
++Attack Scenarios:
++Formmail receives information from a form via an HTTP POST. This
++includes the email addresses to which the form data is sent. A URI in
++the form of a POST to the formmail script could be crafted to send
++environment variables to a specified email address.
++
++--
++Ease of Attack:
++Simple. Exploit software is not required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Web-servers should not be allowed to view or execute files and binaries
++outside of it's designated web root or cgi-bin. The web-server httpd
++daemon should be run as a non-privileged user without login access to
++the host. The formmail script should be updated to a non-vulnerable
++version as soon as possible.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1830.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1830
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1446.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++1446
++
++--
++Summary:
++This event is generated when an external attacker uses the "vrfy root"
++command to find the login name or mail alias of the system
++administrator. This may also indicate a vulnerability scan.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++An attacker may be able to obtain the email alias or actual email
++address of root users. This allows the attacker to know which email
++accounts may be more valuable to target, and can be used by spammers or
++as targets for denial of service attempts.
++
++--
++Affected Systems:
++Systems running Sendmail.
++
++--
++Attack Scenarios:
++An attacker uses vrfy root to obtain the name of administrators on the
++server. The attacker now knows which accounts have administrative
++access, and may use this information to focus later attacks.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disable the vrfy command on your mail server, or update your Sendmail
++configuration file so that Sendmail displays non-sensitive information
++when it receives a vrfy root request.
++
++--
++Contributors:
++Original rule written by Brian Caswell
++Sourcefire Research Team
++Sourcefire Technical Publications Team
++Jen Harvey
++
++--
++Additional References:
++
++RFC 821:
++http://www.faqs.org/rfcs/rfc821.html
++
++Security Space:
++http://www.securityspace.com/smysecure/catid.html?viewsrc=1&id=10249
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/718.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++718
++
++--
++Summary:
++This event is generated when an attempted telnet login fails from a remote user.
++
++--
++Impact:
++Attempted remote access. This event may indicate that an attacker is attempting to guess username and password combinations. Alternately, it may indicate that an authorized user has entered an incorrect username and password combination.
++
++--
++Detailed Information:
++A telnet server will issue an error message after a failed login attempt. This may be an indication of an attacker attempting brute force guessing of username and password combinations. It is also possible that an authorized user has incorrectly entered a legitimate username and password combination. Telnet traffic is passed in clear text so it is not recommended for remote connections. Secure Shell is considered to be a more secure alternative.
++
++--
++Affected Systems:
++Telnet servers.
++
++--
++Attack Scenarios:
++An attacker may attempt to guess username and password combinations.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++This event may be triggered by a failed telnet login attempt from a remote user.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Consider using Secure Shell instead of telnet.
++
++Block inbound telnet access if it is not required.
++
++--
++Contributors:
++Original rule writer Max Vision
++Documented by Steven Alexander
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS127
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1368.txt
+@@ -0,0 +1,48 @@
++Rule:
++
++--
++Sid:
++1368
++
++--
++Summary:
++Attempted ps command access via web
++
++--
++Impact:
++Attempt to gain information on system files and filestructure
++
++--
++Detailed Information:
++This is an attempt to gain intelligence on the filesystem on a webserver. The ls command lists the files and filesystem layout on a UNIX or Linux based system. The attacker could possibly gain information needed for other attacks on the host.
++
++--
++Attack Scenarios:
++The attacker can make a standard HTTP request that contains '/bin/ls'in the URI.
++
++--
++Ease of Attack:
++Simple HTTP request.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
++
++--
++Contributors:
++Sourcefire Research Team
++
++--
++Additional References:
++sid: 1369
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1098.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1098
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/141.txt
+@@ -0,0 +1,94 @@
++Rule:
++
++--
++Sid:
++141
++
++--
++Summary:
++hack-a-tack is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
++
++--
++Detailed Information:
++The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
++
++ SID Message
++ --- -------
++ 141 HackAttack 1.20 Connect
++ 614 hack-a-tack attempt
++
++This Trojan is commonly used to install other Trojan programs.
++
++The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
++
++--
++Affected Systems:
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Expl32.exe.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Explorer32 =":\windows\Expl32.exe"
++ Configuration Wizard = ":\windows=cfgwiz32.exe"
++
++Removal of this entry is required.
++
++Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS314
++http://www.whitehats.com/info/IDS504
++
++Hackfix.org
++http://www.hackfix.org/miscfix/hackatack.shtml
++
++Commodon Communications
++http://www.commodon.com/threat/threat-hack.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1776.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid: 1776
++
++--
++
++Summary:
++This event is generated when an attempt is made to use the MySQL 'show' command to garner a list of databases.
++
++--
++Impact:
++Intelligence gathering. This may be the prelude to an attack against one the databases or the MySQL daemon.
++
++--
++Detailed Information:
++This event is generated when the MySQL command 'show' is used to garner a list of MySQL databases being served by the MySQL daemon.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++--
++
++Attack Scenarios:
++A MySQL implementation may inappropriately respond to connections from any host external to the protected network. The atttacker may be able to query the daemon to gain a list of databases available, then continue to garner information from the databases.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a legitimate user making a query to a MySQL daemon from an external source.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3416.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3416
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000687.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++100000687
++
++--
++Summary:
++This event is generated when an empty CTCP NOTICE message is sent to an IRC
++channel.
++
++--
++Impact:
++If the EnergyMech IRC Bot receives such a message, a denial of service
++condition will occur.
++
++--
++Detailed Information:
++Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
++of service condition occurs. Note that this rule is set to examine only default
++IRC ports, in order to conserve system resources; if you are particularly
++concerned about this exploit, you may wish to set the ports to "any", as IRC
++channels can exist on any port.
++
++--
++Affected Systems:
++EnergyMech <= 3.0.1
++
++--
++Attack Scenarios:
++An attacker could exploit this vulnerability via any IRC client, or by using an
++automated script.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to version 3.0.2 or greater.
++
++--
++Contributors:
++VeriSign MSS Operations Team
++Joel Esler
++
++--
++Additional References:
++http://www.energymech.net/versions-3.0.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2345.txt
+@@ -0,0 +1,58 @@
++Rule:
++
++--
++Sid:
++2345
++
++--
++Summary:
++This event is generated when an attempt is made to access the
++search.php script which contains known vulnerabilities and
++is part of the phpGedView CGI web application running on a server.
++
++--
++Impact:
++Information gathering and possible cross site scripting attack.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the phpGedView CGI web application running on a server.
++Multiple vulnerabilities exist in the application which can lead to
++cross site scripting attacks.
++
++--
++Affected Systems:
++ phpGedView
++
++--
++Attack Scenarios:
++An attacker can supply code of their choice by including it in the
++firstname parameter of the search.php script.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2227.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2227
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP application Pod.Board.
++
++--
++Impact:
++Execution of arbitrary code on the client machine connecting to the host
++running the application. Theft of cookie data not limited to
++authentication credentials is possible.
++
++--
++Detailed Information:
++The forum_details.php script does not properly check data supplied in
++input fields or via URI parameters which leads to HTML injection
++possibilites. This injection can include malicious script of the
++attackers choosing.
++
++--
++Affected Systems:
++ planetinsanity.de pod.board 1.1
++
++--
++Attack Scenarios:
++A cross site scripting attack is possible, the attacker would need to
++entice the victim to use a link supplied by the attacker which could
++then divulge login and cookie information.
++
++--
++Ease of Attack:
++Moderate to Difficult. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1762.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1762
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise.
Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2388.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++2388
++
++--
++Summary:
++This event is generated when an attempt is made to access
++view_broadcast.cgi on a server used for streaming media services.
++
++--
++Impact:
++Information gathering and system integrity compromise.
++
++--
++Detailed Information:
++The view_broadcast.cgi script contains a known vulnerability that may
++allow an attacker to perform a variety of cross-site scripting attacks.
++This event is generated when an attempt is amde to access the script
++directly from a source external to the protected network.
++
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000502.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++100000502
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Ji-Takz" application running on a webserver.
++Access to the file "tag.class.php" using a remote file being passed as the
++"mycfg" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "mycfg" parameter in the "tag.class.php" script used by
++the "Ji-Takz" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Ji-Takz
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access.
Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000493.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000493
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "DeluxeBB" application running on a webserver.
++Access to the file "postreply.php" using a remote file being passed as the
++"templatefolder" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "templatefolder" parameter in the "postreply.php" script
++used by the "DeluxeBB" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server.
This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using DeluxeBB
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1674.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1674
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1486.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++1486
++
++--
++Summary:
++This event is generated when an attempt is made to access the file ctss.idc.
++
++--
++Impact:
++Remote access. This attack may permit the execution of arbitrary
++commands on the vulnerable server.
++
++--
++Detailed Information:
++This mkilog.exe is a Common Gateway Interface (CGI) script that can be
++used to view and modify SQL database contents.
It posts data to another
++module, ctss,idc, that creates a table based on the parameters passed to
++it. If an attacker passes parameters such as a valid username and
++password to create a table, it may be possible to alter the table to
++execute commands on the vulnerable server.
++
++--
++Affected Systems:
++ Windows systems.
++
++--
++Attack Scenarios:
++An attacker can attempt to exploit this vulnerability to execute remote
++commands on the vulnerable server.
++
++--
++Ease of Attack:
++Easy.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Delete file /scripts/tools/ctss.idc
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++SecurityFocus Mail Archive:
++http://www.securityfocus.com/archive/101/200779
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3231.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3231
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1155.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1155
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1873.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1873
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/446.txt
+@@ -0,0 +1,53 @@
++Rule:
++
++--
++Sid:
++446
++
++--
++Summary:
++This event is generated when an ICMP "SKIP" message is generated with a non-zero ICMP code.
++
++--
++Impact:
++Informational. This may indicate that the ICMP message has been crafted.
++
++--
++Detailed Information:
++An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0. If a non-zero code for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
++
++
++--
++Affected Systems:
++This traffic should have no adverse impact.
++
++--
++Attack Scenarios:
++An attacker may craft an ICMP "SKIP" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
++
++--
++Ease of Attack:
++Simple. There are many packages available to generate ICMP messages.
++
++--
++False Positives:
++Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++None.
++
++--
++Contributors:
++Original rule writer unknown.
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2736.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2736
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure alter_priority_date
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2014.txt
+@@ -0,0 +1,76 @@
++Rule:
++
++--
++Sid:
++2014
++
++--
++Summary:
++Remote Procedure Call (RPC) is a facility that enables a machine to
++request a service from another remote machine. This is done without the
++need for detailed network information. Some versions of RPC have a
++vulnerability that allows an a remote host to register (and un-register)
++applications from a spoofed source.
++
++--
++Impact:
++Possible denial of service (DoS) against the target host. Potential
++remote root compromise of the target system.
++
++--
++Detailed Information:
++Certain versions of rpcbind portmapper contain a flaw that could allow
++an attacker capable of spoofing TCP packets to set and unset calls to
++arbitrary RPC programs.
++
++A denial of service could be instigated against the target machine that
++could render network file system services and other such network
++available services unavailable to network users.
++
++It is also possible for the attacker to gain super user access depending
++on the RPC service he is able to register. This could then lead to a
++compromise of all resources on the network the victim is attached to.
++
++--
++Affected Systems:
++All machines running vulnerable RPC services.
++
++--
++Attack Scenarios:
++The attacker could potentially spoof TCP packets for pmap_set to
++register an RPC service. The attacker might also spoof TCP packets to
++un-register needed services via pmap_unset.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++RPC services should not be available outside the local area network,
++filter RPC ports at the firewall to ensure access is denied to RPC
++enabled machines.
++
++RPC services should also be disabled where not needed.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++BugTraq:
++http://www.securityfocus.com/bid/1892
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1431.txt
+@@ -0,0 +1,61 @@
++Rule:
++
++--
++Sid: 1431
++
++--
++Summary:
++This event is generated when packets with the SYN flag set are sent to
++multicast addresses.
++
++--
++Impact:
++Possible reconnaisance or evidence of a Denial of Service (DoS) attack.
++
++--
++Detailed Information:
++Under normal circumstances packets with the SYN flag set should not be
++sent to multicast addresses.
++
++If the attacker has spoofed a multicast address when sending a SYN flood
++attack this traffic will be seen.
++
++an indicator of unauthorized network use, reconnaisance activity or
++system compromise. These rules may also generate an event due to
++improperly configured network devices.
++
++--
++Affected Systems:
++ Any
++
++--
++Attack Scenarios:
++The attacker may have intiated an attack and could have spoofed a
++multicast address as the source.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Employ filtering at the firewall.
++
++--
++Contributors:
++Original rule writer unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/607.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid: 607
++
++--
++Summary:
++This event is generated when an attempt to login using the "bin" account is made.
++
++--
++Impact:
++An attacker may have gained the ability to initiate a remote interactive session on the server.
++
++--
++Detailed Information:
++This event is generated when a connection using the "bin" account via "rsh" is attempted.
++
++This activity is indicative of attempts to abuse hosts using a default configuration.
++
++Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
++
++--
++Attack Scenarios:
++An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
++
++--
++Ease of Attack:
++Simple, no exploit software required
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
++
++--
++Corrective Action:
++Investigate logs on the target host for further details and more signs of suspicious activity
++
++Use ssh for remote access instead of rlogin.
++
++--
++Contributors:
++Original rule by Max Vision modified from a signature written by Ron Gula
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS384
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/542.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++542
++
++--
++Summary:
++This event is generated when activity relating to network chat clients
++is detected.
++
++--
++Impact:
++Policy Violation. Use of chat clients to communicate with unkown
++external sources may be against the policy of many organizations.
++
++--
++Detailed Information:
++Instant Messaging (IM) and other chat related client software can allow
++users to transfer files directly between hosts. This can allow malicious
++users to circumvent the protection offered by a network firewall.
++
++Vulnerabilities in these clients may also allow remote attackers to gain
++unauthorized access to a host.
++
++This event indicates that an IRC nickname change has been made from a
++client originating from the protected network to an IRC server external
++to the protected network.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party
++using the file transfer capabilities of an IM client.
++
++An attacker might utilize a vulnerability in an IM client to gain access
++to a host, then upload a Trojan Horse program to gain control of that
++host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or
++implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++IRC Protocol:
++http://www.irchelp.org/irchelp/rfc/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2952.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2952
++
++--
++Summary:
++This event is generated when an attempt is made to gain access to
++private resources using Samba.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to use Samba to gain
++access to private or administrative shares on a host.
++
++--
++Affected Systems:
++ All systems using Samba for file sharing.
++ All systems using file and print sharing for Windows.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++direct access to Windows adminsitrative shares.
++
++--
++Ease of Attack:
++Simple. Exploit software is not required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000503.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000503
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Nucleus CMS" application running on a webserver.
++Access to the file "action.php" using a remote file being passed as the
++"DIR_LIB" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "DIR_LIB" parameter in the "action.php" script used by
++the "Nucleus CMS" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server.
Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Nucleus CMS ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000540.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++100000540 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site ++scripting vulnerability in the "Enterprise Groupware" application running on a ++webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site ++scripting vulnerability via the "module" parameter in the "index.php" script ++used by the "Enterprise Groupware" application running on a webserver. 
++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to retrieve sensitive data, execute system binaries ++or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Enterprise Groupware ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a ++user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1031.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++1031 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a web server running Microsoft Internet Information ++Server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. Denial of ++Service is possible. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running Microsoft Internet Information Server (IIS). Many known ++vulnerabilities exist for this platform and the attack scenarios are ++legion. ++ ++-- ++Affected Systems: ++ All systems running Microsoft IIS ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Many exploits exist. 
++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1224.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1224 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/284.txt +@@ -0,0 +1,62 @@ ++Rule: ++ ++-- ++Sid: ++284 ++ ++-- ++Summary: ++This event generated when an attempt is made to exploit a buffer overflow in the pop2 service. ++ ++-- ++Impact: ++Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody". ++ ++-- ++Detailed Information: ++Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody". ++ ++-- ++Affected Systems: ++Debian Linux 2.1 ++Redhat Linux 4.2, 5.0, 5.1, and 5.2 ++University of Washington imap 4.4 ++University of Washington pop2d 4.4 ++ ++-- ++Attack Scenarios: ++An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody". ++ ++-- ++Ease of Attack: ++Simple. Exploit scripts are freely available. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the pop2d version 4.51 or later. ++ ++Compile pop2d to not support anonymous proxing. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Documented by Steven Alexander ++Modified by Brian Caswell ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Bugtraq ++http://www.securityfocus.com/bid/283 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000760.txt +@@ -0,0 +1,56 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000760 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "The Banner Engine" application running on a webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "text" parameter in the "top.php" script used by the "The Banner Engine" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using The Banner Engine ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1396.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1396 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/668.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++668 ++ ++-- ++Summary: ++This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where tab characters in ident messages are not properly parsed. ++ ++-- ++Impact: ++Severe. Remote execution of arbitrary code, leading to remote root compromise. ++ ++-- ++Detailed Information: ++Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of tab characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with tabs in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. ++ ++-- ++Affected Systems: ++Systems running unpatched versions of Sendmail 8.6.10 or earlier. ++ ++-- ++Attack Scenarios: ++An attacker sends an email with tab characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue. ++ ++-- ++Ease of Attack: ++Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest version of Sendmail. 
++ ++-- ++Contributors: ++Original rule written by Max Vision ++Modified by Brian Caswell ++Sourcefire Research Team ++Sourcefire Technical Publications Team ++Jen Harvey ++ ++-- ++Additional References: ++CVE ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203 ++ ++Bugtraq ++http://www.securityfocus.com/bid/2311 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1869.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1869 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. 
++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2144.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: 2144 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the cafelog php application. ++ ++-- ++Impact: ++Possible arbitrary code execution. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to access the cafelog PHP application. ++ ++It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script. ++ ++-- ++Affected Systems: ++Any host using cafelog. ++ ++-- ++Attack Scenarios: ++An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Check the php implementation on the host. ++ ++Check the webserver log files for signs of this activity. ++ ++Where possible, ensure the webserver is run as an unprivileged process. ++ ++Check the host for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000444.txt +@@ -0,0 +1,55 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000444 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galsecurity.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galsecurity.lib.php" script used by the "MiraksGalerie" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. 
++ ++-- ++Affected Systems: ++All systems running CGI applications using MiraksGalerie ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/3203.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3203 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. 
++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3033.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: ++3033 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Samba implementation. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code. ++ ++-- ++Detailed Information: ++Samba is a file and print serving system for heterogenous networks. It ++is available for use as a service and client on UNIX/Linux systems and as ++a client for Microsoft Windows systems. ++ ++Samba uses the SMB/CIFS protocols to allow communication between client ++and server. The SMB protocol contains many commands and is commonly used ++to control network devices and systems from a remote location. A ++vulnerability exists in the way the smb daemon processes commands sent by ++a client system when accessing resources on the remote server.The problem ++exists in the allocation of memory which can be exploited by an attacker ++to cause an integer overflow, possibly leading to the execution of ++arbitrary code on the affected system with the privileges of the user ++running the smbd process. ++ ++-- ++Affected Systems: ++ Samba 3.0.8 and prior ++ ++-- ++Attack Scenarios: ++An attacker needs to supply specially crafted data to the smb daemon to ++overflow a buffer containing the information for the access control lists ++to be applied to files in the smb query. ++ ++-- ++Ease of Attack: ++Difficult. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2264.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2264 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in versions of Sendmail. ++ ++-- ++Impact: ++Remote arbitrary code execution. ++ ++-- ++Detailed Information: ++A vulnerability exists in the prescan() function used in Sendmail prior ++to version 8.12.9. This function contains an error when converting a ++character to an integer value while processing SMTP headers. ++ ++-- ++Affected Systems: ++All systems using Sendmail. ++ ++-- ++Attack Scenarios: ++An attacker could exploit this condition to process code of their ++choosing and open a listening shell bound to a high port, thus opening the ++system to further compromise. ++ ++-- ++Ease of Attack: ++Simple. Exploit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade Sendmail to the latest non-affected verison. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++CERT: ++http://www.cert.org/advisories/CA-2003-12.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1136.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1136 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000682.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000682 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Harpia" application running on a webserver. ++Access to the file "email.php" using a remote file being passed as the ++"header_prog" parameter may indicate that an exploitation attempt has been ++attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. 
Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "header_prog" parameter in the "email.php" script used ++by the "Harpia" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Harpia ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1719.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1719 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. ++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. ++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1573.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1573 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. 
Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1146.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1146 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/298.txt
+@@ -0,0 +1,60 @@
++SID:
++298
++--
++
++Rule:
++--
++
++Summary:
++This event is triggered when an attempt is made to overflow an imapd server. 
++--
++
++Impact:
++Commands may be run on the IMAP server as the root user, This can lead to a complete compromise of the targeted system
++--
++
++Detailed Information:
++Failure to check the size of the value passed to the 'AUTHENTICATE'
++command on certain IMAPD implementations can lead to a buffer overflow.
++This in turn can allow arbitrary commands to be executed on the server.
++--
++
++Affected Systems:
++ Netscape Messaging Server 3.55, University of Washington imapd 10.234
++--
++
++Attack Scenarios:
++An attacker may attempt to exploit a vulnerable imapd server, permitting
++the execution of arbitrary commands possibly with the privilege of user
++"root".
++--
++
++Ease of Attack:
++Simple. Sample exploit code is available.
++--
++
++False Positives:
++None known
++--
++
++False Negatives:
++None known
++
++--
++
++Corrective Action:
++Vendors have provided updated versions, upgrading will resolve this
++problem
++
++--
++
++Contributors:
++Snort documentation contributed by matthew harvey
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/678.txt
+@@ -0,0 +1,79 @@
++Rule:
++
++--
++Sid:
++678
++
++--
++
++Summary:
++This event is generated when a command is issued to an SQL database
++server that may result in a serious compromise of the data stored on
++that system.
++
++--
++Impact:
++Serious. An attacker may have gained administrator access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an
++SQL database that may result in a serious compromise of all data stored
++on that system.
++
++Such commands may be used to gain access to a system with the privileges
++of an administrator, delete data, add data, add users, delete users,
++return sensitive information or gain intelligence on the server software
++for further system compromise. 
++
++This connection can either be a legitimate telnet connection or the
++result of spawning a remote shell as a consequence of a successful
++network exploit.
++
++--
++Affected Systems:
++ Microsoft SQL Servers
++
++--
++Attack Scenarios:
++Simple. These are SQL database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and
++issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Disallow direct access to the SQL server from sources external to the
++protected network.
++
++Ensure that this event was not generated by a legitimate session then
++investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft MSDN:
++http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1696.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1696
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. 
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000714.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000714
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. 
Access to the file "view.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using PHPRaid
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1666.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++1666
++
++--
++Summary:
++This event is generated when a webserver returns a directory listing of
++it's cgi-bin.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++This event is generated when a webserver returns a directory listing of
++it's cgi-bin. The scripts listed may be valuable to an attacker when
++planning further attacks against the webserver. It may also be possible
++for the attacker to download the contents of the cgi-bin and view the
++contents of the script sources.
++
++--
++Affected Systems:
++ All web server platforms.
++
++--
++Attack Scenarios:
++An attacker can list the contents of the cgi-bin, discover the filename
++of a vulnerable script and use the information to execute an exploit
++against the server.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Disallow directory content listing of the cgi-bin.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/541.txt
+@@ -0,0 +1,51 @@
++Rule:
++
++--
++Sid: 541
++
++--
++Summary:
++This event is generated when activity relating to network chat clients is detected.
++
++--
++Impact:
++Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
++
++--
++Detailed Information:
++Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall. 
++
++Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
++
++--
++Attack Scenarios:
++A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
++
++An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/987.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++987
++
++--
++Summary:
++This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request.
++
++--
++Impact:
++Information gathering. Fragments of the source code of an ASP may be returned possibly disclosing sensitive information.
++
++--
++Detailed Information:
++HTR is an older scripting language still supported by Internet Information Service (IIS). HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests. This may disclose parts of the source code associated with a .asp file referenced in the request.
++
++--
++Affected Systems:
++
++Microsoft IIS 4.0, 5.0
++
++--
++Attack Scenarios:
++An attacker can craft a malformed request to disclose source code possibly revealing sensitive information.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the patch referenced in the Microsoft link. 
++
++Consider running the IIS Lockdown Tool to disable HTR functionality.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++CVE
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063
++
++Bugtraq
++http://www.securityfocus.com/bid/1488
++
++Microsoft
++http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000570.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000570
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "app_change_pwd.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"app_change_pwd.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. 
Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2992.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++2992
++
++--
++Summary:
++This event is generated when an attempt is made to shutdown a Windows
++system via SMB.
++
++--
++Impact:
++Serious.
++
++--
++Detailed Information:
++This event indicates that an attempt was made to shutdown a Windows
++system via SMB across the network.
++
++It may be possible for an attacker to manipulate a Windows system
++from a remote location. Shutting down a system may lead to a Denial of
++Service for the target host.
++
++--
++Affected Systems:
++ Microsoft Windows systems.
++
++--
++Attack Scenarios:
++An attacker may be able to manipulate a target system using SMB. The
++attacker may gain complete control over the affected system.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of system compromise.
++
++Turn off file and print sharing on the target host. 
++
++Use a packet filtering firewall to disallow SMB access to the host from
++sources external to the protected network.
++
++Disallow remote registry manipulation.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2471.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2471
++
++--
++Summary:
++This event is generated when an attempt is made to access the C$ default
++administrative share of a Windows host.
++
++--
++Impact:
++Serious. Possible administrator access to the host. Information
++disclosure.
++
++--
++Detailed Information:
++By default, Windows hosts have default administrative shares of the
++local hard drives using the format %DRIVE_LETTER% + $. Anybody with
++administrative rights can remotely access the share.
++
++--
++Affected Systems:
++ Windows hosts.
++
++--
++Attack Scenarios:
++An attacker may be attempting to access files located on the C drive of
++the host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Netbios access from external networks (tcp port 139).
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS339
++
++Microsoft:
++http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1107.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1107
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. 
Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3429.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3429
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS). 
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1892.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1892
++
++--
++Summary:
++This event is generated when SNMP communications contain a NULL value
++the authentication string.
++
++--
++Impact:
++Medium to Serious. Depending on if the community string was for
++read-only, read-create or read-write an attacker could gain a varying
++level of access to a system.
++
++--
++Detailed Information:
++An SNMP community string is the authentication process that a host
++running SNMP uses to grant access.
++
++--
++Affected Systems:
++Numerous. Routers, switches, servers, NAS systems, many others. 
++
++--
++Attack Scenarios:
++An attacker can launch a scan of all network attached devices looking
++for port 161 (UDP) and then attempt to gain access using SNMP.
++
++--
++Ease of Attack:
++Simple. There are many free SNMP "tree walking" programs, an example of
++such is getIF.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Make sure that all devices that have SNMP turned on have complex
++passwords assigned.
++
++Disable unneeded WRITE / CREATE community strings.
++
++Since SNMP traffic is not encrypted, use a packet filtering firewall to
++restrict SNMP communications to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Mike Rivett ebiz@rivett.org
++
++--
++Additional References:
++
++GetIF:
++http://www.wtcs.org/snmp4tpc/getif.htm
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/614.txt
+@@ -0,0 +1,94 @@
++Rule:
++
++--
++Sid:
++614
++
++--
++Summary:
++hack-a-tack is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
++
++ SID Message
++ --- -------
++ 141 HackAttack 1.20 Connect
++ 614 hack-a-tack attempt
++
++This Trojan is commonly used to install other Trojan programs.
++
++The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. 
The ports may then be configured by the attacker to use something other than these defaults.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Expl32.exe.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Explorer32 =":\windows\Expl32.exe"
++ Configuration Wizard = ":\windows=cfgwiz32.exe"
++
++Removal of this entry is required.
++
++Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS314
++http://www.whitehats.com/info/IDS504
++
++Hackfix.org
++http://www.hackfix.org/miscfix/hackatack.shtml
++
++Commodon Communications
++http://www.commodon.com/threat/threat-hack.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3110.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3110
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. 
Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1761.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++1761
++
++--
++Summary:
++This event is generated when network traffic indicating the use of an
++IDS system on the protected network is detected.
++
++--
++Impact:
++These tools may be used to compromise data on the network or may
++indicate mis-use of other IDS systems.
++
++--
++Detailed Information:
++This event indicates the use of an IDS tool. The source of the event
++should be investigated carefully. These tools may be used to gather data
++present in traffic on the protected network.
++
++--
++Affected Systems:
++ All networks. 
++
++--
++Attack Scenarios:
++An unathorized user could use an IDS to gather data and observe traffic
++present on the network.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3248.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3248
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall. 
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/237.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++237
++
++--
++Summary:
++This event is generated when a trinoo DDoS master host communicates with a daemon host.
++
++--
++Impact:
++Attempted DDoS. If the listed source IP is in your network, it may be a trinoo master. If the listed destination IP is in your network, it may be a trinoo daemon.
++
++--
++Detailed Information:
++The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Masters communicate with daemons to direct them to launch attacks. A master may communicate with a daemon via UDP destination port 27444 with a string of "l44adsl" in the payload. This string is the default password for the daemon.
++
++--
++Affected Systems:
++Any trinoo compromised host.
++
++--
++Attack Scenarios:
++A trinoo master will communicate with a daemon to direct it to launch attacks.
++
++--
++Ease of Attack:
++Simple. trinoo code is freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
++
++Rebuild a confirmed compromised host.
++
++Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. 
++ ++ ++-- ++Contributors: ++Original rule written by Max Vision ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++CERT: ++http://www.cert.org/incident_notes/IN-99-07.html#trinoo ++ ++Arachnids: ++http://www.whitehats.com/info/IDS197 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/890.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++890 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running on a web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. 
++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2535.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++2535 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the Microsoft implementation of SSL Version 3. ++ ++-- ++Impact: ++Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in the handling of SSL Version 3 requests that ++can be manipulated to cause a DoS condition in various software ++implementations used on Microsoft operating systems. ++ ++The condition exists because of poor error handling routines in the ++Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an ++invalid field, sent to vulnerable systems can cause the affected host to stop ++handling any further requests. ++ ++-- ++Affected Systems: ++ Microsoft Windows 2000, 2003 and XP systems using SSL ++ ++-- ++Attack Scenarios: ++An attcker needs to make an SSL request to an affected system that ++contains an invalid field. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++-- ++Contributors: ++Sourcefire Research Team ++Matt Watchinski ++Nigel Houghton ++ ++-- ++Additional References: ++ ++US-Cert: ++http://www.kb.cert.org/vuls/id/150236 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000416.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000416 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. 
Access to the file "admin.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "admin.php" script used by the "MyBloggie" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using MyBloggie ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/708.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: 708 ++ ++-- ++ ++Summary: ++This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine. ++ ++-- ++Impact: ++Serious. A Denial of Service condition or execution of arbitrary code is possible. ++ ++-- ++Detailed Information: ++A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server. ++ ++The attacker must gain access to the SQL Server to exploit this vulnerability. ++ ++-- ++ ++Attack Scenarios: ++Exploit code exists. ++ ++-- ++ ++Ease of Attack: ++Simple. Exploit code exists. ++ ++-- ++ ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known ++ ++-- ++ ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Disallow direct access to the SQL server from sources external to the protected network. ++ ++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082 ++ ++Bugtraq: ++http://www.securityfocus.com/bid/2031 ++ ++Microsoft: ++http://www.microsoft.com/technet/security/bulletin/ms00-092.asp ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1520.txt +@@ -0,0 +1,90 @@ ++Rule: ++ ++-- ++Sid: ++1520 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access server-info. 
++Using the Apache webserver, this url is generally handled by the ++mod_info module, which will happily disclose valuable information about ++your webserver which may aid in their attack. ++ ++-- ++Impact: ++Information disclosure. ++ ++-- ++Detailed Information: ++The mod_info module "provides a comprehensive overview of the server ++configuration including all installed modules and directives in the ++configuration files" for the Apache webserver. Successfully accessing the url ++that is handle by mod_info may give an attacker valuable information about ++the server. ++ ++If mod_info is in use and the attacking host is allowed to access it, ++every possible configuration option that the Apache server is using can ++be viewed. This includes ACLs, modules, file and directory names, and ++other valuable information that will help an attacker determine ways of ++attacking the server. ++ ++-- ++Affected Systems: ++ Apache webservers with mod_info enabled. ++ ++-- ++Attack Scenarios: ++As part of an attack against an Apache webserver, an attacker may try to ++access "/server-info" which is typically handled by the mod_info module. If ++sucessful, this will give valuable information about the webserver for ++use in further attacks. ++ ++-- ++Ease of Attack: ++Simple. No exploit software is required. ++ ++-- ++False Positives: ++Few, but certainly possible. Since this rule only checks for the ++existance of "/server-info" in the url, any url containing that string will ++trigger this rule. A few common false positives may include urls like: ++ ++http://victim/server-info/contact.html ++http://victim/really/long/directory/server-info.html ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Determine if server-info exists on the victim in question, and if the attacker ++is allowed to access it. 
++ ++If mod_info is necessary on this server, consider restricting access to ++it via Apache directives, i.e.: ++ ++ ++ SetHandler server-info ++ Order deny,allow ++ Deny from all ++ Allow from .yourdomain.net ++ ++ ++ ++-- ++Contributors: ++Snort documentation contributed by Jon Hart ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++ ++-- ++Additional References: ++ ++Apache: ++http://httpd.apache.org/docs/mod/mod_info.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2724.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2724 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure add_priority_date ++. This procedure is included in ++dbms_repcat. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/391.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++ ++Sid: ++391 ++ ++-- ++ ++Summary: ++This event is generated when an ICMP Alternate Host Address datagram is detected on the network with an invalid ICMP code. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts. ++ ++-- ++ ++Impact: ++This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities. ++ ++-- ++ ++Detailed Information: ++ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic. ++ ++-- ++ ++Attack Scenarios: ++Attackers may use this ICMP Type to gather information about the network. ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate ICMP Alternate Host Address datagrams with invalid ICMP codes. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++ ++-- ++ ++Corrective Action: ++ICMP Type 6 datagrams should be blocked at the firewall. ++ ++-- ++ ++Contributors: ++Original Rule wirter unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++None ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2124.txt +@@ -0,0 +1,59 @@ ++Rule: ++ ++-- ++Sid: ++2124 ++ ++-- ++Summary: ++This event is generated when an attempt is made to connect to a host running a Remote PC Access Server. ++ ++-- ++Impact: ++Serious. System compromise leading to a compromise of all data on the target host. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to connect to a host using the Remote PC Access Server. This event may also be generated by an attacker using Nessus to scan for Remote PC Access. ++ ++Remote PC is used to remotely administer hosts via the Internet. It offers complete control of the client machine via a TCP connection. ++ ++Login information is transmitted in clear text across a TCP connection, the attacker could recover this information by capturing a legitimate session. It may also be possible for an attacker to gain access by utilizing a brute force attack to discover the password to connect. ++ ++-- ++Affected Systems: ++Any host using the Remote PC Access Server. ++ ++-- ++Attack Scenarios: ++An attacker can connect to the Remote PC Access Server using the client program and gain complete control of the host if the password and username are known. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++A legitimate login session may cause this rule to generate an event. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Disable the Remote PC Access Server ++ ++Disallow connection to the server from clients external to the protected network. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/427.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++ ++Sid: ++427 ++ ++-- ++ ++Summary: ++This event is generated when a router generates and ICMP Parameter Problem Unspecified Error datagram. ++ ++-- ++ ++Impact: ++This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated or damaged before it reached its final destination. ++ ++-- ++ ++Detailed Information: ++A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. 
This could be an indication of routing problems on the network, or malfunctioning routing hardware. ++ ++-- ++ ++Attack Scenarios: ++None known ++ ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate this type of ICMP datagram. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++ ++-- ++ ++Corrective Action: ++ICMP Type 12 Code 0 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. ++ ++-- ++ ++Contributors: ++Original Rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++None ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1213.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1213 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. 
++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000629.txt +@@ -0,0 +1,74 @@ ++Rule: ++ ++-- ++Sid: ++100000629 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Indexu" application running on a webserver. ++Access to the file "message_view.php" using a remote file being passed as the ++"admin_template_path" parameter may indicate that an exploitation attempt has ++been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "admin_template_path" parameter in the ++"message_view.php" script used by the "Indexu" application running on a ++webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. 
Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Indexu ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1686.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: 1686 ++ ++-- ++ ++Summary: ++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system. ++ ++-- ++Impact: ++Serious. An attacker may have gained superuser access to the system. ++ ++-- ++Detailed Information: ++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system. ++ ++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. 
++ ++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. ++ ++Oracle servers running on a Windows platform may listen on any arbitrary ++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this ++is applicable to the protected network. ++ ++-- ++ ++Attack Scenarios: ++Simple. These are Oracle database commands. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. ++ ++-- ++False Negatives: ++Configure your ORACLE_PORTS variable correctly for the environment you are in. ++In many situations ORACLE negotiates a communication port. This means that 1521 ++and 1526 are not used for communication during the entire transaction. A new ++port is negotiated after the initial connect message, all communication after ++that uses this other port. If you are in an environment such as this, you should ++set ORACLE_PORTS to "any" in snort.conf. ++ ++Otherwise, there are no known false negatives. ++ ++-- ++ ++Corrective Action: ++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network. ++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2822.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2822 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. 
++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure publish_flavor_definition ++. This procedure is included in ++sys.dbms_repcat_fla_mas. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000556.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++100000556 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site ++scripting vulnerability in the "VebiMiau" application running on a webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site ++scripting vulnerability via the "sid" parameter in the "error.php" script used ++by the "VebiMiau" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to retrieve sensitive data, execute system binaries ++or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using VebiMiau ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a ++user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2623.txt +@@ -0,0 +1,74 @@ ++Rule: ++ ++-- ++Sid: ++2623 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Oracle database implementation. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code may be possible. A Denial of ++Service (DoS) condition may also be caused. ++ ++-- ++Detailed Information: ++Oracle databases may use a built-in procedure to assist in useful ++tasks. The "create_snapshot_repgroup" procedure contains a ++programming error that may allow an attacker to execute a buffer ++overflow attack. ++ ++This overflow is triggered by a long string in a parameter for the ++procedure. 
++ ++ ++If you are running Oracle on a Windows server, make sure that the ++variable $ORACLE_PORTS is set to a value of "any". ++ ++-- ++Affected Systems: ++ Oracle 9i ++ ++-- ++Attack Scenarios: ++An attacker can supply a long string to the first variable to cause ++the overflow. The result could permit the attacker to gain escalated ++privileges and run code of their choosing. This attack requires an ++attacker to logon to the database with a valid username and password ++combination. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Matt Watchinski ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Other: ++http://www.appsecinc.com/Policy/PolicyCheck97.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000701.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000701 ++-- ++Summary: ++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "WordPress" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "paged" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "paged" parameter in the "index.php" script used by the "WordPress" application running on a webserver. 
++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using WordPress ++-- ++Attack Scenarios: ++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++SQL Injection Attack and Defense ++http://www.securitydocs.com/library/3587 ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1574.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1574 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. 
Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/809.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++809 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2525.txt +@@ -0,0 +1,68 @@ ++Rule: ++ ++-- ++Sid: ++2525 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer ++overrun condition in Microsoft products via the Local Security Authority ++Subsystem Service (LSASS). 
++ ++-- ++Impact: ++Remote execution of arbitrary code. ++ ++-- ++Detailed Information: ++A vulnerability exists in LSASS that may present an attacker with the ++opportunity to execute code of their choosing on an affected host. ++ ++The problem lies in an unchecked buffer in the LSASS service, suscessful ++exploitation may present the attacker with the opportunity to gain ++control of the affected system. ++ ++-- ++Affected Systems: ++ Microsoft Windows 2000, 2003 and XP systems. ++ ++-- ++Attack Scenarios: ++An attcker needs to make a specially crafted request to the LSASS ++service that could contain harmful code to gain further access to the ++system. ++ ++-- ++Ease of Attack: ++Moderate. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Use a packet filtering firewall to deny access to TCP and UDP ports 135 ++and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources ++outside the protected network. ++ ++Access should also be denied to ephemeral ports and any other ports used ++by RPC services from sources external to the protected network. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Matt Watchinski ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2157.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: 2157 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS). ++ ++-- ++Impact: ++Administrator access. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS). ++ ++The attacker can gain administrator access to the web server running IISProtect without the need to authenticate. 
++ ++-- ++Affected Systems: ++Any host using IISProtect. ++ ++-- ++Attack Scenarios: ++An attacker can gain control of the web server without the need to authenticate. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. ++ ++Ensure that the IIS implementation is fully patched. ++ ++Ensure that the underlying operating system is fully patched. ++ ++Employ strategies to harden the IIS implementation and operating system. ++ ++Check the host for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000377.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000377 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forum_prune.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forum_prune.php" script used by the "phpNuke" application running on a webserver. 
++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using phpNuke ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/1489.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1489 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. ++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1370.txt +@@ -0,0 +1,57 @@ ++Rule: ++-- ++Sid: ++1370 ++ ++-- ++Summary: ++Attempted inetd configuration access via web ++ ++-- ++Impact: ++Attempt to gain information on system processes on webserver ++ ++-- ++Detailed Information: ++This is an attempt to gain intelligence on the processes being run on a ++webserver. The inetd configuration lists the daemons executed at boot ++time on a UNIX or Linux based system. The attacker could possibly gain ++information needed for other attacks on the host. 
++ ++-- ++Attack Scenarios: ++The attacker can make a standard HTTP request that contains ++'/etc/inetd.conf'in the URI. ++ ++-- ++Ease of Attack: ++Simple HTTP request. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++ ++Webservers should not be allowed to view or execute files and binaries ++outside of it's designated web root or cgi-bin. This file may also be ++requested on a command line should the attacker gain access to the ++machine. Making the file read only by the superuser on the system will ++disallow viewing of the file by other users. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000603.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000603 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Indexu" application running on a webserver. ++Access to the file "inv_paid.php" using a remote file being passed as the ++"admin_template_path" parameter may indicate that an exploitation attempt has ++been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "admin_template_path" parameter in the "inv_paid.php" ++script used by the "Indexu" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. 
++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Indexu ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2447.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2447 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access the servlet ++administration scripts on a Novell Groupwise servlet server. ++ ++-- ++Impact: ++Possible unauthorized administrative access to the server. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to access the servlet ++administration scripts on a Novell Groupwise servlet server located in /servlet/ServletManager. ++ ++The default installation has a known username and password for ++administration of the server. 
++ ++-- ++Affected Systems: ++ Novell Groupwise 6.0 ++ Novell Groupwise Enhancement Pack 5.5 ++ ++-- ++Attack Scenarios: ++The attacker might login to the application using the default username ++and password gaining administrative access to the host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/821.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++821 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. 
++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/637.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++637 ++ ++-- ++Summary: ++This event is generated when a scan is detected. ++ ++-- ++Impact: ++Information gathering. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to scan a host. ++ ++This may be the prelude to an attack. Scanners are used to ascertain ++which ports a host may be listening on, whether or not the ports are ++filtered by a firewall and if the host is vulnerable to a particular ++exploit. ++ ++-- ++Affected Systems: ++Any host. ++ ++-- ++Attack Scenarios: ++An attacker can determine if ports 21 and 20 are being used for FTP. ++Then the attacker might find out that the FTP service is vulnerable to a ++particular attack and is then able to compromise the host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++A scanner may be used in a security audit. ++ ++-- ++False Negatives: ++None Known. ++ ++-- ++Corrective Action: ++Determine whether or not the scan was legitimate then look for other ++events concerning the attacking IP address. ++ ++Check the host for signs of compromise. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2610.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++2610 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Oracle database implementation. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code may be possible. A Denial of ++Service (DoS) condition may also be caused. ++ ++-- ++Detailed Information: ++Oracle databases may use a built-in procedure to assist in database ++replication. The "cancel_statistics" procedure contains a ++programming error that may allow an attacker to execute a buffer ++overflow attack. ++ ++This overflow is triggered by long strings in some parameters for the ++procedure. ++ ++If you are running Oracle on a Windows server, make sure that the ++variable $ORACLE_PORTS is set to a value of "any". ++ ++-- ++Affected Systems: ++ Oracle 9i ++ ++-- ++Attack Scenarios: ++An attacker can supply a long string to either the "sname" or ++"oname" variables to cause the overflow. The result could ++permit the attacker to gain escalated privileges and run code of their ++choosing. This attack requires an attacker to logon to the database ++with a valid username and password combination. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Matt Watchinski ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Other: ++http://www.appsecinc.com/Policy/PolicyCheck633.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1929.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++1929 ++ ++-- ++Summary: ++This event is generated when an attacker attempts to connect to a ++Trojan server installed via compromised tcpdump or libpcap sources. ++ ++-- ++Impact: ++Control of the victim host. ++ ++-- ++Detailed Information: ++This Trojan affects UNIX operating systems: ++ ++Some versions of tcpdump and libpcap were compromised and Trojan code ++inserted into the source. The compromise is similar to that which ++affected OpenSSH. ++ ++Libpcap is a library used for capturing packets in Snort and other ++packet sniffing tools. ++ ++The Trojaned libpcap source contains code in the configure script that ++connects to a server at 212.146.0.34 on port 1963. The script then ++downloads source code for a Trojan horse and compiles it. ++ ++Tcpdump is a tool that is used for capturing network traffic, it ++utilizes libpcap. Some versions of tcpdump also contain the same Trojan. ++ ++Due to the nature of this Trojan it is unlikely that the attacker's ++client IP address has been spoofed. ++ ++-- ++Attack Scenarios: ++This Trojan is delivered to the target via the configure script. ++ ++-- ++Ease of Attack: ++This is Trojan activity, the target machine may already be compromised. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Delete the Trojan and kill any associated processes. ++ ++Restore the system from known good backups. ++ ++Download non-trojaned versions of the library and re-compile. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Houston Linux Users Group ++http://www.hlug.org/trojan/ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/423.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++ ++Sid: ++423 ++ ++-- ++ ++Summary: ++This event is generated when a network host generates an ICMP Mobile Registration Request datagram. ++ ++-- ++ ++Impact: ++ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions. ++ ++-- ++ ++Detailed Information: ++ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. ++ ++-- ++ ++Attack Scenarios: ++None known ++ ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate this type of ICMP datagram. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++-- ++ ++Corrective Action: ++ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity ++ ++-- ++ ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++None ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000675.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000675 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Harpia" application running on a webserver. ++Access to the file "pfooter.php" using a remote file being passed as the ++"theme_root" parameter may indicate that an exploitation attempt has been ++attempted. 
++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "theme_root" parameter in the "pfooter.php" script used ++by the "Harpia" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Harpia ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/575.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++575 ++ ++-- ++Summary: ++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening. ++ ++-- ++Impact: ++Information disclosure. This request is used to discover which port admind is using. Attackers can also learn what versions of the admind protocol are accepted by admind. ++ ++-- ++Detailed Information: ++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The admind RPC service is used by some UNIX hosts to perform remote distributed system administration tasks such as adding new users. If weak authentication is used, it may be possible for a malicious user to perform remote administration. ++ ++-- ++Affected Systems: ++Any host running admind with weak authentication. ++ ++-- ++Attack Scenarios: ++An attacker can query the portmapper to discover the port where admind runs. This may be a precursor to accessing admind. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++If a legitimate remote user is allowed to access admind, this rule may trigger. ++ ++-- ++False Negatives: ++This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule. ++ ++-- ++Corrective Action: ++Limit remote access to RPC services. ++ ++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. ++ ++Disable unneeded RPC services. 
++ ++-- ++Contributors: ++Original rule written by Max Vision ++Modified by Brian Caswell ++Sourcefire Research Team ++Judy Novak ++ ++-- ++Additional References: ++ ++Arachnids ++http://www.whitehats.com/info/IDS18 ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2277.txt +@@ -0,0 +1,58 @@ ++Rule: ++-- ++Sid: ++2277 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a directory ++traversal vulnerability in the cgi application PeopleSoft PeopleBooks. ++ ++-- ++Impact: ++Information gathering. ++ ++-- ++Detailed Information: ++This event may indicate an attempt is made to exploit a directory ++traversal vulnerability in the cgi application PeopleSoft PeopleBooks. ++The script psdoccgi.exe does not sufficiently check script arguements ++for the "headername" and "footername" variables. An attacker may exploit ++this issue to access files outside the root of the web server. ++ ++-- ++Affected Systems: ++ PeopleTools versions 8.43 and earlier. ++ ++-- ++Attack Scenarios: ++An attacker can use directory traversal techniques to access sensitive ++system files to gain information necessary for further system ++compromise. ++ ++-- ++Ease of Attack: ++Simple. No exploit code required. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2199.txt +@@ -0,0 +1,58 @@ ++Rule: ++ ++-- ++Sid: ++2199 ++ ++-- ++Summary: ++This event is generated when an attempt is made to access multidiff.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3. ++ ++-- ++Impact: ++Information gathering. 
++ ++-- ++Detailed Information: ++Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in multidiff.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the multidiff.cgi file, providing the attacker with information about the server directory structure. ++ ++-- ++Affected Systems: ++Any system running Mozilla Bonsai 1.3. ++ ++-- ++Attack Scenarios: ++An attacker sends an erroneous request to multidiff.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks. ++ ++-- ++Ease of Attack: ++Simple. Proof of concept exists. ++ ++-- ++False Positives: ++If a legitimate remote user accesses multidiff.cgi, this rule may generate an event. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to a newer build of Mozilla Bonsai 1.3. ++ ++If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Sourcefire Technical Publications Team ++Jennifer Harvey ++ ++-- ++Additional References: ++Bugtraq ++http://www.securityfocus.com/bid/5517 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1088.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++1088 ++ ++-- ++Summary: ++This event is generated when an attempt is made to execute a directory ++traversal attack. ++ ++-- ++Impact: ++Information disclosure. This is a directory traversal attempt which can ++lead to information disclosure and possible exposure of sensitive ++system information. 
++ ++-- ++Detailed Information: ++Directory traversal attacks usually target web, web applications and ftp ++servers that do not correctly check the path to a file when requested by ++the client. ++ ++This can lead to the disclosure of sensitive system information which may ++be used by an attacker to further compromise the system. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An authorized user or anonymous user can use the directory traversal ++technique, to browse folders outside the ftp root directory. Information ++gathered may be used in further attacks against the host. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade the software to the latest non-affected version. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3297.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3297 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. 
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1360.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid: 1360
++
++--
++Summary:
++A web command execution attack involving the use of a
++"netcat" command
++
++--
++Impact:
++Possible intelligence gathering activity or an attempt to gain elevated privileges on the server by using netcat to open another connection.
++
++--
++Detailed Information:
++The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
++
++This rule generates an event when a "netcat" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "netcat" command may be used establish an interactive shell session to the machine and also transfer files over the connection.
++
++The rule looks for the "netcat" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "netcat" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session.
++
++Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
++
++--
++Attack Scenarios:
++An attacker uses a "netcat" command to move a rootkit to the system.
++
++--
++Ease of Attack:
++Simple. No exploit software required
++
++--
++False Positives:
++Any string containing 'nc' followed by space in the URL will trigger the alarm.
++
++--
++False Negatives:
++none known
++
++--
++Corrective Action:
++Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
++
++Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Anton Chuvakin
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3252.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3252
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000626.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++100000626
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "message_edit.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the
++"message_edit.php" script used by the "Indexu" application running on a
++webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2342.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2342
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application DCP-Portal.
++
++--
++Impact:
++Execution of arbitrary code on the affected system
++
++--
++Detailed Information:
++DCP-Portal contains a flaw such that it may be possible for an attacker
++to include code of their choosing by manipulating the variable root when
++making a GET or POST request to a vulnerable system.
++
++It may be possible for an attacker to execute that code with the
++privileges of the user running the webserver, usually root by supplying
++their code in a file included from an external source by modifying the
++variable "root" in the editor.php script.
++
++--
++Affected Systems:
++ DCP-Portal 5.0.1
++
++--
++Attack Scenarios:
++An attacker can make a request to an affected script and define their
++own path for the root variable.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade to the latest non-affected version of the software
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2859.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2859
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure add_priority_char
++. This procedure is included in
++sys.dbms_repcat_conf.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000148.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++100000148
++
++--
++Summary:
++This event is generated when an attempt is made to perform a directory
++traversal attack against a system running Barracuda Spam Firewall.
++
++--
++Impact:
++Serious. Unauthorized remote command execution possibly leading to remote
++access.
++
++--
++Detailed Information:
++User supplied data to script parameters are not properly sanitized, this may
++permit an unauthorized attacker to execute commands of their choosing on an
++affected system.
++
++Note:
++In order to utilize this rule, port 8000 must be added to the http_inspect
++configuration in snort.conf.
++
++--
++Affected Systems:
++Barracuda Spam Firewall 3.1.17 and prior.
++
++--
++Attack Scenarios:
++An attacker can supply commands as parameters to the img.pl script.
++
++--
++Ease of Attack:
++Simple, exploit software exists but is not necessary.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Judy Novak
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2845.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2845
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure register_snapshot_repgroup
++. This procedure is included in
++sys.dbms_repcat_sna_utl.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000605.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000605
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Indexu" application running on a webserver.
++Access to the file "inv_unpaid.php" using a remote file being passed as the
++"admin_template_path" parameter may indicate that an exploitation attempt has
++been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "admin_template_path" parameter in the "inv_unpaid.php"
++script used by the "Indexu" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Indexu
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1880.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1880
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/631.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++631
++
++--
++Summary:
++This event is generated when an external user scans an internal SMTP
++server using Network Associates' Cybercop vulnerability scanner.
++
++--
++Impact:
++Information gathering.
++
++--
++Detailed Information:
++Cybercop Scanner is scanning software that searches for system
++vulnerabilities. As one of its scanning procedures, it sends an EHLO
++command to SMTP server ports to determine if the SMTP server will return
++a list of remote commands that it accepts.
++
++--
++Affected Systems:
++Any SMTP server that returns a list of acceptable commands for remote mailers.
++
++--
++Attack Scenarios:
++An attacker may run Cybercop Scanner against SMTP servers in order to
++determine vulnerabilities that can later be exploited.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure that your SMTP server does not provide more information than is
++necessary when it receives an EHLO request.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Sourcefire Technical Publications Team
++Jen Harvey
++
++--
++Additional References:
++
++General Cybercop information:
++http://www.securityfocus.com/products/126
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3403.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3403
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2913.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2913
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure repcat_import_check
++. This procedure is included in
++sys.dbms_repcat_sna.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3106.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3106
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/828.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++828
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1652.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++1652
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in version 1.2 of NCSA web server.
++
++--
++Impact:
++File retrieval leading to compromise of confidential information,
++potential root exploit.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to manipulate a cgi
++script to retrieve files outside the web root of version 1.2 of the NCSA
++web server.
++
++The vulnerability exists in the cgi script "campas"
++
++--
++Affected Systems:
++ web servers running a very old (1995) version of NCSA web
++ server may have this cgi script installed.
++
++--
++Attack Scenarios:
++The attacker can make an HTTP GET request to the script and include
++variables to retrieve a sensitive system file in the following manner:
++
++GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
++
++--
++Ease of Attack:
++Simple. No exploit software required
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2258.txt
+@@ -0,0 +1,78 @@
++Rule:
++
++--
++Sid:
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Microsoft Windows Messenger service.
++
++--
++Impact:
++Serious. Denial of Service (DoS), execution of arbitrary code is
++possible.
++
++--
++Detailed Information:
++Due to improper length validation in the Microsoft Windows Messenger
++service, it may be possible for an attacker to overwrite portions of
++memory. This can result in the attacker being presented with the
++opportunity to execute code of their choosing. Under some circumstances
++a Denial of Service condition may be possible against the target host.
++
++Specifically, this vulnerability may present the attacker with the
++opportunity to execute code with the privileges of the local system
++account with full access to all resources on the target host.
++
++--
++Affected Systems:
++ Microsoft Windows NT Workstation 4.0, Service Pack 6a
++ Microsoft Windows NT Server 4.0, Service Pack 6a
++ Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
++ Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
++ Microsoft Windows XP Gold, Service Pack 1
++ Microsoft Windows XP 64-bit Edition
++ Microsoft Windows XP 64-bit Edition Version 2003
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2003 64-bit Edition
++
++--
++Attack Scenarios:
++The attacker may use one of the available exploits to target a
++vulnerable host.
++
++--
++Ease of Attack:
++Simple. Exploit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches and service packs.
++
++Disable the Windows messenger service
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++CERT:
++http://www.kb.cert.org/vuls/id/575892
++
++Microsoft:
++http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2319.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2319
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ebola from PLD Software.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible.
++
++--
++Detailed Information:
++Ebola from PLD Software is used to improve the performance of Anti-Virus
++solutions on Linux systems.
++
++A buffer overflow condition is present in the authentication mechanism
++such that it may be triggered by the generation of an error message from
++an unsuccessful authentication attempt.
++
++--
++Affected Systems:
++ All versions of Ebola prior to 0.1.5
++
++--
++Attack Scenarios:
++An attacker can send specially crafted authentication attempts to the Ebola system and
++cause the buffer overflow thus presenting the opportunity to execute
++arbitrary code.
++
++--
++Ease of Attack:
++Simple. Expoits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3102.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3102
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000695.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000695
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "rating.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "rating.php" script used by the "VCard PRO" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VCard PRO
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1075.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid: 1075
++
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
++
++--
++Impact:
++Information gathering possible administrator access.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
++
++The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
++
++The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
++
++Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
++
++--
++Affected Systems:
++Any host using IIS.
++
++--
++Attack Scenarios:
++An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
++
++Ensure that the IIS implementation is fully patched.
++
++Ensure that the underlying operating system is fully patched.
++
++Employ strategies to harden the IIS implementation and operating system.
++
++Check the host for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2283.txt
+@@ -0,0 +1,60 @@
++Rule:
++
++--
++Sid:
++2283
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application MediaWiki running on a server.
++
++--
++Impact:
++Possible execution of arbitrary code and unauthorized administrative
++access to the target system.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application MediaWiki . This application
++does not perform stringent checks when handling user input, this may
++lead to the attacker being able to execute PHP code and include php files
++of the attackers choosing.
++
++--
++Affected Systems:
++ MediaWiki MediaWiki-stable 20031107
++ MediaWiki MediaWiki-stable 20030829
++
++--
++Attack Scenarios:
++An attacker can exploit weaknesses to gain access as the administrator
++by supplying input of their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1527.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++1527
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the Basilix webmail PHP script.
++
++An attacker can access mysql.class file to obtain MySQL login and use it
++for further attacks.
++
++--
++Impact:
++Serious. Password disclosure which can lead to further system
++compromise.
++
++authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail
++
++--
++Detailed Information:
++A webserver usually sends files in the webroot to an anonymous user
++without further processing. PHP scripts often include files (which
++contain configuration variables, functions, etc.) that are stored
++using a suffix that does not prevent a webserver sending them in clear
++text. The ".class" suffix is not usually explicitly denied in a standard
++web server configuration and the file "mysql.class" may be sent to the
++attacker.
++
++--
++Attack Scenarios:
++An attacker gets mysql.class containing database login credentials. The attacker can then connect to the database server using the login provided by mysql.class file and modify the database.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++File doesn't exist or mysql.class is for example a java class file publicly available on the server
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Update Basilix script (www.basilix.org)
++
++Check files which contain php code for a suffix that might be rendered in plaintext by the web server.
++
++Workaround - register .class the same way that the extensions .php, .php3 or.php4 are registered in the web server configuration file.
++Note: .class is usually used by java applets
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Ueli Kistler,
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3042.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++3042
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Ethereal.
++
++--
++Impact:
++Serious. Denial of Service (DoS).
++
++--
++Detailed Information:
++Ethereal is a multi-platform network protocol analyser capable of
++displaying network data to the user in a graphical user interface.
++
++An error in the processing of access control lists (ACLs) concerning the
++size of the access control entries (ACEs) may lead to a Denial of Service
++(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
++the ACE given in the packet during processing. If a sufficiently large ACL
++structure is supplied combined with a specified ACE size of 0, it is
++possible to cause the DoS condition to occur.
++
++--
++Affected Systems:
++ Ethereal 0.10.7 and prior
++
++--
++Attack Scenarios:
++An attacker needs to craft packet data containing large NT ACLs, the
++attacker then needs to specify one of the ACEs as having a size of 0.
++
++--
++Ease of Attack:
++Moderate.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2039.txt
+@@ -0,0 +1,89 @@
++Rule:
++
++--
++Sid:
++2039
++
++--
++Summary:
++The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue
++dynamic IP addresses from a server to client machines. A vulnerability
++exists such that arbitrary code may be executed on the server using the
++credential of the super user (root).
++
++--
++Impact:
++Execution of code and possible control of the targeted machine.
++
++--
++Detailed Information:
++A format string vulnerabilty in some versions of dhcpd may lead to the
++execution of arbitrary code as the root user via a DNS server response.
++This is due to the unsafe logging of user data.
The option NSUPDATE
++option in the configuration of dhcpd must be enabled, although this is a
++default option in version 3.0 and later.
++
++Two exploits for this vulnerability are known to exist.
++
++--
++Affected Systems:
++ISC DHCPD 3.0
++ Caldera OpenLinux Server 3.1 and 3.1.1
++ Caldera OpenLinux Workstation 3.1 and 3.1.1
++ Conectiva Linux 8.0
++ MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0
++ MandrakeSoft Multi Network Firewall 8.2
++ S.u.S.E. Linux 7.2, 7.3 and 8.0
++ S.u.S.E. Linux Connectivity Server
++ S.u.S.E. Linux Database Server
++ S.u.S.E. Linux Enterprise Server 7 and S/390
++
++ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7
++ FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5
++
++ISC DHCPD 3.0.1 rc6
++ S.u.S.E. Linux 8.0 and 8.0 i386
++
++ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4
++OpenPKG OpenPKG 1.0
++
++ISC DHCPD 3.0.1 rc3, rc2 and rc1
++
++--
++Attack Scenarios:
++The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Patches from the vendor should be applied as soon as possible.
++
++Upgrade to ISC DHCPD 3.0.1 rc 9.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/4701
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3098.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3098
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/106.txt
+@@ -0,0 +1,92 @@
++Rule:
++
++--
++Sid:
++106
++
++--
++Summary:
++Backdoor.AckCmd is a Trojan Horse that uses TCP ACK segments to
++communicate. This Trojan may bypass firewalls that do not keep track of
++the session state in a TCP transaction.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a
++compromise of all resources the machine is connected to. This Trojan
++also has the ability to delete data, steal passwords and disable the
++machine. Other versions are capable of launching DDoS attacks.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++ Windows NT
++ Windows 2000
++ Windows XP
++
++No other systems are affected. This is a windows executable that does
++not make changes to the system registry.
++
++AckCmd is a "proof of concept" Trojan.
++
++ SID Message
++ --- -------
++ 106 ACKcmdC trojan scan
++
++This event is indicative of an attacker attempting to locate AckCmd
++servers.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Delete the file AckCmd.exe
++
++A machine reboot is required to clear the existing process from running
++in memory.
++
++In addition, the use of a firewall that correctly checks the state of a
++TCP session is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS485
++
++ntsecurity.nu
++ACK Tunneling Trojans
++http://ntsecurity.nu/papers/acktunneling/
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3317.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3317
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2979.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++2979
++
++--
++Summary:
++This event is generated when an attempt is made to access the C$ default
++administrative share of a Windows host.
++
++--
++Impact:
++Serious. Possible administrator access to the host. Information
++disclosure.
++
++--
++Detailed Information:
++By default, Windows hosts have default administrative shares of the
++local hard drives using the format %DRIVE_LETTER% + $. Anybody with
++administrative rights can remotely access the share.
++
++--
++Affected Systems:
++ Windows hosts.
++
++--
++Attack Scenarios:
++An attacker may be attempting to access files located on the C drive of
++the host.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disallow Netbios access from external networks (tcp port 139).
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++Arachnids:
++http://www.whitehats.com/info/IDS339
++
++Microsoft:
++http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/122-21.txt
+@@ -0,0 +1,93 @@
++
++
++Rule:
++
++--
++Sid:
++122-21
++
++--
++Summary:
++This event is generated when the pre-processor sfPortscan detects
++network traffic that may constitute an attack. Specifically a udp
++filtered portscan was detected.
++
++--
++Impact:
++Unknown. This is normally an indicator of possible network
++reconnaisance and may be the prelude to a targeted attack against the
++targeted systems.
++
++--
++Detailed Information:
++This event is generated when the sfPortscan pre-processor detects
++network traffic that may consititute an attack.
++
++A portscan is often the first stage in a targeted attack against a
++system. An attacker can use different portscanning techniques and tools
++to determine the target host operating system and application versions
++running on the host to determine the possible attack vectors against
++that host.
++
++More information on this event can be found in the individual
++pre-processor documentation README.sfportscan in the docs directory of
++the snort source. Descriptions of different types of portscanning
++techniques can also be found in the same documentation, along with
++instructions and examples on how to tune and use the pre-processor.
++
++--
++Affected Systems:
++ All.
++
++--
++Attack Scenarios:
++An attacker often uses a portscanning technique to determine operating
++system type and version and also application versions to determine
++possible effective attack vectors that can be used against the target
++host.
++
++--
++Ease of Attack:
++Simple. Many portscanning tools are freely available.
++
++--
++False Positives:
++While not necessarily a false positive, a security audit or penetration
++test will often employ the use of a portscan in the same way an
++attacker might use the technique. If this is the case, the
++pre-processor should be tuned to ignore the audit if so desired.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check for other events targeting the host.
++
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches as appropriate.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Daniel Roelker
++Marc Norton
++Jeremy Hewlett
++Nigel Houghton
++
++--
++Additional References:
++
++Nmap:
++http://www.insecure.org/nmap/
++
++Port Scanning Techniques and the Defense Against Them - Roger
++Christopher, SANS:
++http://www.sans.org/rr/whitepapers/auditing/70.php
++
++Hypervivid Tiger Team - Port-Scanning: A Practical Approach
++http://www.hcsw.org/reading/nmapguide.txt
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2455.txt
+@@ -0,0 +1,52 @@
++Rule:
++
++--
++Sid:
++2455
++
++--
++Summary:
++This event is generated when a host in your network that has Yahoo Instant Messenger running has sent a message to a Yahoo IM conference.
++
++--
++Impact:
++Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
++
++--
++Detailed Information:
++A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams.
It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
++
++--
++Affected Systems:
++Any host running Yahoo Instant Messenger.
++
++--
++Attack Scenarios:
++A Yahoo IM user may unwittingly accept a malicious file.
++
++--
++Ease of Attack:
++Easy to transfer a malicious file.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
++
++--
++Corrective Action:
++Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++--
++Additional References:
++Yahoo Protocol
++http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2835.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2835
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure purge_master_log
++.
This procedure is included in
++sys.dbms_repcat_mas.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/121-3.txt
+@@ -0,0 +1,98 @@
++
++
++Rule:
++
++--
++Sid:
++121-3
++
++--
++Summary:
++This event is generated when the pre-processor flow-portscan detects
++network traffic that may constitute an attack. Specifically a fixed
++scale talker limit exceeded event was generated.
++
++--
++Impact:
++Unknown. This is normally an indicator of possible network
++reconnaisance and may be the prelude to a targeted attack against the
++targeted systems.
++
++--
++Detailed Information:
++This event is generated when the flow-portscan pre-processor detects
++network traffic that may consititute an attack.
++
++The flow-portscan pre-processor uses a flow based technique to identify
++portscanning in one-to-many and many-to-one scenarios based on flow
++creation in the flow pre-processor.
++
++A portscan is often the first stage in a targeted attack against a
++system. An attacker can use different portscanning techniques and tools
++to determine the target host operating system and application versions
++running on the host to determine the possible attack vectors against
++that host.
++
++More information on this event can be found in the individual
++pre-processor documentation README.flow-portscan in the docs directory
++of the snort source.
Descriptions of different types of portscanning
++techniques can also be found in the same documentation, along with
++detailed instructions and examples on how to tune and use the
++pre-processor.
++
++--
++Affected Systems:
++ All.
++
++--
++Attack Scenarios:
++An attacker often uses a portscanning technique to determine operating
++system type and version and also application versions to determine
++possible effective attack vectors that can be used against the target
++host.
++
++--
++Ease of Attack:
++Simple. Many portscanning tools are freely available.
++
++--
++False Positives:
++While not necessarily a false positive, a security audit or penetration
++test will often employ the use of a portscan in the same way an
++attacker might use the technique. If this is the case, the
++pre-processor should be tuned to ignore the audit if so desired.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check for other events targeting the host.
++
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches as appropriate.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Chris Green
++Daniel Roelker
++Marc Norton
++Nigel Houghton
++
++--
++Additional References:
++
++Nmap:
++http://www.insecure.org/nmap/
++
++Port Scanning Techniques and the Defense Against Them - Roger
++Christopher, SANS:
++http://www.sans.org/rr/whitepapers/auditing/70.php
++
++Hypervivid Tiger Team - Port-Scanning: A Practical Approach
++http://www.hcsw.org/reading/nmapguide.txt
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000840.txt
+@@ -0,0 +1,55 @@
++
++
++Rule:
++
++--
++Sid:
++100000840
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlatNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "mod" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a remote machine via the "mod" parameter in the "index.php" script used by the "FlatNuke" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using FlatNuke
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2662.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++2662
++
++--
++Summary:
++This rule is intended to increase the accuracy of rules designed to
++generate events based on attempts to exploit implementations of Secure
++Socket Layer (SSL) version 2.
++
++--
++Impact:
++None. This is a protocol decode rule that does not generate events.
++
++--
++Detailed Information:
++This is a protocol decode rule that does not generate events.
++
++--
++Affected Systems:
++NA
++
++--
++Attack Scenarios:
++NA
++
++--
++Ease of Attack:
++NA
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++NA
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/329.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid: 329
++
++--
++Summary:
++This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
++
++--
++Impact:
++The attacker may obtain information about a third party host without making a direct connection to that host.
++
++--
++Detailed Information:
++The event is generated when an attempt to use a machine to run
++finger queries against a third party UNIX system is attempted by the
++Cybercop vulnerability scanner.
++
++The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker.
++
++The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems.
The attack if successful, will confirm that the target host will try to forward queries.
++
++--
++
++Attack Scenarios:
++An attacker uses the Cybercop vulnerability scanner to test for this weakness.
++
++--
++
++Ease of Attack:
++Simple, performed by a scanner
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
++
++
++--
++Contributors:
++Original rule written by Max Vision
++Snort documentation contributed by Anton Chuvakin
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
++
++Arachnids:
++http://www.whitehats.com/info/IDS11
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2036.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2036
++
++--
++Summary:
++Network Status Monitor (NSM) is used to indicate whether a host is up or
++for its status.
++
++--
++Impact:
++Intelligence gathering about the current state of a host and whether rpc
++services are available.
++
++--
++Detailed Information:
++NSM runs on client machines and informs other hosts of the status of
++that machine should a crash or reboot occur. Each remote application
++using an rpc service can therefore register with the host when services
++are once again available.
++
++A request made to a machine will indicate to the attacker the status of
++that host and will also be indicative of rpc services being available.
++The attacker might then continue to ascertain which rpc services are
++being offered and then launch an attack on vulnerable daemons.
++
++--
++Affected Systems:
++Any system running the service.
++
++--
++Attack Scenarios:
++An attacker merely needs to request the status of the host using rpc.
++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow all RPC requests from external sources and use a firewall to ++block access to RPC ports from outside the LAN. ++ ++Use the hosts.allow file to restrict the hosts able to request the ++status of the server. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Network Status Monitor Protocol, The Open Group: ++http://www.opengroup.org/onlinepubs/009629799/chap11.htm ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2654.txt +@@ -0,0 +1,65 @@ ++Rule: ++ ++-- ++Sid: ++2654 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the web application PHPNuke. ++ ++-- ++Impact: ++SQL Injection is possible leading to a complete compromise of the data ++in the application database. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the PHPNuke web application running on a server. ++ ++Insufficient checks are made on user input supplied to the script ++"viewtopic.php", exploitation of this issue could present an attacker ++with the opportunity to inject SQL code of their choosing into a ++vulnerable system. ++ ++-- ++Affected Systems: ++ PHPNuke 6.0 ++ PHPNuke 6.5 RC2 ++ ++-- ++Attack Scenarios: ++An attacker can supply code of their choice by including it in the ++URI that calls on viewtopic.php. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Consider reviewing the database permissions for the application. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Ricky MacAtee ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2559.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++2559 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Oracle Application Server Web Cache. ++ ++-- ++ ++Impact: ++Serious. Possible execution of arbitrary code leading to remote ++administrative access. ++ ++-- ++Detailed Information: ++The Oracle Application Server Web Cache is vulnerable to a buffer ++overrun caused by poor checking of the length of an HTTP Header. If a ++large invalid HTTP Request Method is supplied to a vulnerable system, an ++attacker may be presented with the opportunity to overrun a fixed length ++buffer and subsequently execute code of their choosing on the server. ++ ++-- ++Affected Systems: ++Oracle Application Server Web Cache 10g 9.0.4 .0 ++Oracle Oracle9i Application Server Web Cache 2.0 .0.4 ++Oracle Oracle9i Application Server Web Cache 9.0.2 .3 ++Oracle Oracle9i Application Server Web Cache 9.0.2 .2 ++Oracle Oracle9i Application Server Web Cache 9.0.3 .1 ++ ++-- ++ ++Attack Scenarios: ++An attacker might supply an HTTP Request Method of more than 432 bytes, ++causing the overflow to occur. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++None Known ++ ++-- ++False Negatives: ++This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible ++to configure the Oracle Web Cache server to run on different ports. The rule ++should be configured to reflect the appropriate ports of Oracle Web Cache ++servers on your network. 
++ ++-- ++ ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000848.txt +@@ -0,0 +1,66 @@ ++Rule: ++ ++-- ++Sid: ++100000848 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a cross site ++scripting vulnerability in the "PhpWebGallery" application running on a ++webserver. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to exploit a cross site ++scripting vulnerability via the "keyword" parameter in the "comments.php" ++script ++used by the "PhpWebGallery" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to retrieve sensitive data, execute system binaries ++or malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++All systems running CGI applications using PhpWebGallery ++-- ++Attack Scenarios: ++An attacker can supply a malicious link designed to steal information from a ++user clicking on that link. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Chris Jacob ++ ++-- ++Additional References: ++ ++The Cross Site Scripting (XSS) FAQ ++http://www.cgisecurity.com/articles/xss-faq.shtml ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/232.txt +@@ -0,0 +1,70 @@ ++Rule: ++-- ++Sid: ++232 ++ ++-- ++Summary: ++This event is generated when a pong packet for the Trinoo (aka trin00) ++DDos suite is detected. ++ ++-- ++Impact: ++This may indicate a compromised system or be the prelude to a ++Distributed Denial of Service (DDoS) attack. ++ ++-- ++Detailed Information: ++Once a Trinoo client has been installed on a compromised machine and a master is ++ready and listening, the master sends a "png" (ping) command to its drones in ++an attempt to enumerate the drone network. A functioning client will respond to ++port 31335/udp with the text "PONG". ++ ++Once a machine becomes part of a trin00 network, a Denial of Service (DoS) ++is typically initiated against one (or more) victim machines. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++As part of a large scale attack against a machine or a network, an ++attacker will compromise large numbers of machines which will form the ++army that the trin00 master daemon will command. The master daemon ++typically instructs the clients to send mass-quantities of packets to ++a set of victim hosts. If the traffic is sufficient, the victim ++machines will become resource deprived and thus endure a DoS condition. ++ ++-- ++Ease of Attack: ++Simple. Trinoo client and master programs are widely available. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disconnect infected machine(s) from the network immediately. ++ ++Use software to determine if a host has been compromised using a ++rootkit. 
++ ++-- ++Contributors: ++Original rule writer unknown ++Snort documentation contributed by Jon Hart ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++SANS: ++http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2312.txt +@@ -0,0 +1,63 @@ ++Rule: ++ ++-- ++Sid: ++2312 ++ ++-- ++Summary: ++This event is generated when suspicious shell code is detected in ++network traffic. ++ ++-- ++Impact: ++Denial of Service (DoS) possible execution of arbitrary code. ++ ++-- ++Detailed Information: ++This event is generated when suspicious shell code is detected. Many ++buffer overflow attacks contain large numbers of NOOP instrucions to pad ++out the request. Other attacks contain specific shell code sequences ++directed at certain applications or services. ++ ++The shellcode in question may also use Unicode encoding. ++ ++-- ++Affected Systems: ++ Any software running on x86 architecture. ++ ++-- ++Attack Scenarios: ++An attacker may exploit a DCERPC service by sending shellcode in the RPC ++data stream. Sending large amounts of data to the Microsoft Workstation ++service can cause a buffer overflow condition in the logging function ++thus presenting an attacker with the opportunity to issue a DoS attack ++or in some cases, to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. Many exploits exist. ++ ++-- ++False Positives: ++False positives may be generated by binary file transfers. ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Make sure the target host has all current patches applied and has the ++latest software versions installed. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2871.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2871 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. ++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure alter_priority_nchar ++. This procedure is included in ++sys.dbms_repcat_conf. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. 
++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1537.txt +@@ -0,0 +1,67 @@ ++Rule: ++ ++-- ++Sid: ++1537 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit an ++authentication vulnerability in a web server or an application running ++on that server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a web server or an application running ona web server. Some ++applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ ++-- ++Attack Scenarios: ++An attacker can access the authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Disallow administrative access from sources external to the protected ++network. ++ ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2081.txt +@@ -0,0 +1,78 @@ ++Rule: ++ ++-- ++Sid: ++2081 ++ ++-- ++Summary: ++number for the rpc service xfsmd ++ ++-- ++Impact: ++Intelligence gathering ++ ++-- ++Detailed Information: ++This may be an attacker probing for vulnerable versions of rpc services. ++In this case, the rpc service xfsmd. ++ ++It is possible for an attacker to supply a meta character followed by ++any commands or code of his choosing to the xfsmd daemon. ++ ++Due to a programming error, the service does not correctly check for the ++characters and they are not stripped from the request. ++ ++The xfsmd daemon is not installed by default on IRIX systems but it is ++part of an optional package. ++ ++-- ++Affected Systems: ++ IRIX 6.2 ++ IRIX 6.3 ++ IRIX 6.4 ++ IRIX 6.5.x ++ ++-- ++Attack Scenarios: ++Exploits are widely available. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Patches are NOT available for this issue. ++ ++Disable and remove the xfsmd daemon. ++ ++Uprade to the latest non affected version of the operating system ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/5075 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359 ++ ++SGI IRIX: ++ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2235.txt +@@ -0,0 +1,64 @@ ++Rule: ++ ++-- ++Sid: ++2235 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a buffer ++overflow in Trend Micro InterScan eManager. ++ ++-- ++Impact: ++Serious. Remote administrative access is possible. 
++ ++-- ++Detailed Information: ++Versions of Trend Micro InterScan eManager suffer from a buffer overflow ++condition that can present an attacker with the opportunity to execute ++arbitrary code of their choosing which could lead to remote access to ++the server. ++ ++-- ++Affected Systems: ++ Trend Micro InterScan eManager 3.51 ++ ++-- ++Attack Scenarios: ++If the buffer overflow condition is met, the attacker can run code of ++their choosing on the affected host. ++ ++-- ++Ease of Attack: ++Moderate. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Disable the web interface ++ ++Enable NTLM authentication for the administrative interface ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/3327 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/491.txt +@@ -0,0 +1,63 @@ ++Rule: ++-- ++Sid: ++491 ++ ++-- ++Summary: ++This event is generated when a failed attempt to login to an FTP server ++is detected. ++ ++-- ++Impact: ++Unknown. Multiple events may indicate an attempt to enumerate accounts ++and passwords using brute force methodology. ++ ++-- ++Detailed Information: ++This event is generated when a failed attempt to login to an FTP server ++is detected. ++ ++Multiple events may indicate an attempt to enumerate accounts ++and passwords using brute force methodology. ++ ++-- ++Affected Systems: ++ All FTP Servers ++ ++-- ++Attack Scenarios: ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Check FTP logs for access attempts. ++ ++Disallow FTP access from sources external to the protected network. ++ ++Consider using Secure Shell as a replacement for FTP services. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++RFC: ++http://www.faqs.org/rfcs/rfc959.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1261.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++1261 ++ ++-- ++Summary: ++This event is genereated when an attempt to overflow the buffer of the ++IBM Program Database Name Server Daemon (PDNSD) is made. ++ ++-- ++Impact: ++Serious. System compromize presenting the attacker with the opportunity ++to gain remote access to the victim host or execute arbitrary code with ++the privileges of the superuser account. ++ ++-- ++Detailed Information: ++Some versions of IBM PDSND for AIX are vulnerable to a buffer overflow ++condition which can present the attacker with root privileges. ++ ++ ++Affected Systems: ++ PDSND versions 2 and 3 ++ ++-- ++Attack Scenarios: ++Exploit scripts are available ++ ++-- ++Ease of Attack: ++Simple. Exploits are available. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++Disable the PDSND daemon. ++ ++-- ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++CIAC: ++http://www.ciac.org/ciac/bulletins/j-059.shtml ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2460.txt +@@ -0,0 +1,61 @@ ++Rule: ++ ++-- ++Sid: ++2460 ++ ++-- ++Summary: ++This event is generated when a host in your network that has Yahoo ++Instant Messenger running requests to view a webcam listen to an audio ++message of another Yahoo IM user. ++ ++-- ++Impact: ++Possible policy violation. Instant Messenger programs may not be ++appropriate in certain network environments. 
++ ++-- ++Detailed Information: ++This event indicates that a Yahoo IM user in your network is requesting ++to view a webcam or listen to an audio message of another Yahoo IM user. ++While there are no known exploits associated with showing or viewing ++webcams, it is possible that this activity is inappropriate in certain ++environments. ++ ++-- ++Affected Systems: ++Any host running Yahoo Instant Messenger. ++ ++-- ++Attack Scenarios: ++No known attack scenarios. ++ ++-- ++Ease of Attack: ++No known attack scenarios. ++ ++-- ++False Positives: ++None Known. ++ ++-- ++False Negatives: ++It may be possible for Yahoo IM traffic to use other ports than the ++default expected ones. ++ ++-- ++Corrective Action: ++Disallow the use of IM clients on the protected network and enforce or ++implement an organization wide policy on the use of IM clients. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Judy Novak ++-- ++Additional References: ++Yahoo Protocol ++http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2241.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2241 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerablity in NetWin CWMail 2.7. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code is possible. ++ ++-- ++Detailed Information: ++Certain versions of NetWin CWMail suffer from a buffer overflow ++condition that can present an attacker with the opportunity to execute ++code of their choosing on the server. ++ ++-- ++Affected Systems: ++ NetWin CWMail 2.7, a, b, c, d, f, i, j, k, l, m, n, o, p, q, s and t ++ ++-- ++Attack Scenarios: ++The attacker would need to supply a large amount of characters to the ++"item=" parameter which could then cause the overflow condition to ++occur. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. 
++ ++-- ++Corrective Action: ++Upgrade to the latest non-affected version of the software. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/4093 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1617.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++1617 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. 
++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1394.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++ ++1394 ++ ++-- ++Summary: ++This event is generated when an attempt is made to possibly overflow a buffer. ++ ++The NOOP warning occurs when a series of NOOP (no operation) are found in a stream. Most buffer overflow exploits typically use NOOPs sleds to pad the code. ++ ++-- ++Impact: ++ ++This might indicate someone is trying to use a buffer overflow exploit. ++ ++Full compromise of system is possible if the exploit is successful. ++ ++-- ++Detailed Information: ++This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode. ++ ++-- ++Affected Systems: ++ ++ Any x86 programs. ++ ++-- ++Attack Scenarios: ++An attacker uses a buffer overflow exploit which contains the following payload: ++ ++ 90 90 90 90 90 90 90 90 90 90 /bin/sh ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++High, This event may be generated by applications such as ftp and http ++when binary data is being transfered. ++ ++A false Positive can be generated if the snort sensor detects text from an IRC ++client or any other application that passes data plaintext. The event is ++generated if snort detects several (a) characters in a row - such as ++'aaaaaaaaaa'. 
++ ++-- ++False Negatives: ++ ++None known ++ ++-- ++Corrective Action: ++Apply a non-executable user stack patch to your kernel ++ ++Secure programming/execution of a program ++ ++Check the destination host and service to verify if any buffer overflow vulnerability exists. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/3222.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3222 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. ++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. 
++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2365.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2365 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in the PHP web application newsPHP. ++ ++-- ++Impact: ++Execution of arbitrary code on the affected system ++ ++-- ++Detailed Information: ++newsPHP contains a flaw such that it may be possible for an attacker ++to include code of their choosing by manipulating the variable LangFile when ++making a GET or POST request to a vulnerable system. ++ ++It may be possible for an attacker to execute that code with the ++privileges of the user running the webserver, usually root. ++ ++-- ++Affected Systems: ++ newsPHP newsPHP 216 ++ ++-- ++Attack Scenarios: ++An attacker can make a request to an affected script and define their ++own path for the LangFile variable. ++ ++-- ++Ease of Attack: ++Simple. No exploit software required. ++ ++-- ++False Positives: ++None known ++ ++-- ++False Negatives: ++None known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches ++ ++Upgrade to the latest non-affected version of the software ++ ++-- ++Contributors: ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000483.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000483 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Wheatblog" application running on a webserver. ++Access to the file "view_links.php" using a remote file being passed as the ++"wb_inc_dir" parameter may indicate that an exploitation attempt has been ++attempted. 
++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "wb_inc_dir" parameter in the "view_links.php" script ++used by the "Wheatblog" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Wheatblog ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2641.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++2641 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a Oracle database implementation. ++ ++-- ++Impact: ++Serious. Execution of arbitrary code may be possible. A Denial of ++Service (DoS) condition may also be caused. ++ ++-- ++Detailed Information: ++Oracle databases may use a built-in procedure to assist in database ++replication. The "drop_site_instantiate" procedure contains a ++programming error that may allow an attacker to execute a buffer ++overflow attack. ++ ++This overflow is triggered by a long string in a parameter for the ++procedure. ++ ++If you are running Oracle on a Windows server, make sure that the ++variable $ORACLE_PORTS is set to a value of "any". ++ ++-- ++Affected Systems: ++ Oracle 9i ++ ++-- ++Attack Scenarios: ++An attacker can supply a long string to the "refresh_template_name" ++variable to cause the overflow. The result could permit the attacker ++to gain escalated privileges and run code of their choosing. This ++attack requires an attacker to logon to the database with a valid ++username and password combination. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Matt Watchinski ++Brian Caswell ++Nigel Houghton ++Judy Novak ++ ++-- ++Additional References: ++ ++Other: ++http://www.appsecinc.com/Policy/PolicyCheck629.html ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1625.txt +@@ -0,0 +1,54 @@ ++Rule: ++ ++-- ++Sid: ++1625 ++ ++-- ++Summary: ++This event is generated when activity relating to spurious ftp traffic is detected on the network. ++ ++-- ++Impact: ++Varies from information gathering to a serious compromise of an ftp server. ++ ++-- ++Detailed Information: ++FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts. ++ ++The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service. ++ ++-- ++Attack Scenarios: ++A user may transfer sensitive company information to an external party using FTP. ++ ++An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow access to FTP resources from hosts external to the protected network. ++ ++Use secure shell (ssh) to transfer files as a replacement for FTP. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2483.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++Sid: ++2176 ++ ++ ++-- ++Summary: ++This event is generated when an attempt is made to shutdown a service via SMB. ++ ++-- ++Impact: ++Serious. ++ ++-- ++Detailed Information: ++This event indicates that an attempt was made to shutdown a service ++on a system using SMB across the network. 
++
++--
++Affected Systems:
++ Microsoft Windows systems.
++
++--
++Attack Scenarios:
++An attacker may try to deny services to other users.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of system compromise.
++
++Turn off file and print sharing on the target host.
++
++Use a packet filtering firewall to disallow SMB access to the host from
++sources external to the protected network.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/257.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++257
++
++--
++Summary:
++This event is generated when an attempt is made to determine the version
++of BIND being used on a DNS server.
++
++--
++Impact:
++Information gathering. This activity may indicate reconnaisance before
++an impending attack.
++
++--
++Detailed Information:
++A remote machine attempted to determine the version of BIND running on a
++nameserver.
++
++--
++Affected Systems:
++ All DNS nameservers
++
++--
++Attack Scenarios:
++As part of reconnaissance leading upto a potential intrusion attempt, an
++attacker may attempt to determine the BIND version that is in use so
++that a vulnerable version can be used as an attack vector.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Disable the ability for untrusted (remote) machines to determine the named
++version.
++
++--
++Contributors:
++Original rule writer unknown
++Snort documentation contributed by Jon Hart
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1016.txt
+@@ -0,0 +1,56 @@
++Rule:
++
++--
++Sid:
++1016
++
++--
++Summary:
++This event is generated when an attempt is made to craft a URL containing a reference to the "/global.asa" file.
++
++--
++Impact:
++Intelligence gathering. This attack may permit disclosure of the source code of global.asa file that is not normally available for viewing.
++
++--
++Detailed Information:
++Microsoft Internet Information Services (IIS) 5.0 contains scripting engines to support various advanced files types such as .ASP and .HTR. The scripting engines permit the execution of server-side processing. IIS determines which scripting engine is appropriate depending on the file extension. If an attacker crafts a URL request ending in 'Translate: f' and followed by a slash '/', IIS fails to send the file to the appropriate scripting engine for processing. Instead, it returns the source code of a referenced file, such as global.asa, to the browser. The Nessus vulnerability scanner references the global.asa file in a GET request to determine whether a host is susceptible to this exploit.
++
++--
++Affected Systems:
++Microsoft IIS 5.0
++
++--
++Attack Scenarios:
++An attacker can craft a URL that includes the 'Translate: f' followed by a '/' to disclose the source code of a file such as global.asa on the vulnerable server.
++
++--
++Ease of Attack:
++Simple. The Nessus vulnerability scanner can test for this exploit.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Apply the patch referenced in the Microsoft link.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Microsoft
++http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1672.txt
+@@ -0,0 +1,74 @@
++Rule:
++
++--
++Sid:
++1672
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer overflow associated with certain versions of the Sun Solaris FTP server.
++
++--
++Impact:
++Reconnaissance. An attacker may be able to examine records from the password shadow file.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with a globbing function in Sun Solaris FTP servers. An attacker may exploit this vulnerability by logging into the FTP server with a valid username and an invalid password then supplying the command "CWD ~". This may produce a core dump in the root directory with world-readable permissions that could be examined to discover valid FTP users for the server.
++
++--
++Affected Systems:
++
++SPARC
++
++ * Solaris 2.5 without patch 103577-13
++ * Solaris 2.5.1 without patch 103603-16
++ * Solaris 2.6 without patch 106301-03
++ * Solaris 2.7 without patch 110646-02
++ * Solaris 2.8 without patch 111606-01
++
++Intel
++
++ * Solaris 2.5 without patch 103578-13
++ * Solaris 2.5.1 without patch 103604-16
++ * Solaris 2.6 without patch 106302-03
++ * Solaris 2.7 without patch 110647-02
++ * Solaris 2.8 without patch 111607-01
++
++--
++Attack Scenarios:
++An attacker may attempt to exploit this vulnerability to learn valid FTP usernames to later attempt brute force guessing of passwords.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software or apply the appropriate patch.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/2601
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0421
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2771.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2771
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure drop_priority_char
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2961.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2961
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
++services.
++
++--
++Impact:
++Serious. Execution of arbitrary code with system level privileges
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft NetDDE that may allow an attacker to
++run code of their choosing with system level privileges. A programming
++error in the handling of network messages may give an attacker the
++opportunity to overflow a fixed length buffer by using a specially
++crafted NetDDE message.
++
++This service is not started by default on Microsoft Windows systems, but
++this issue can also be exploited locally in an attempt to escalate
++privileges after a successful attack from an alternate vector.
++
++--
++Affected Systems:
++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
++
++--
++Attack Scenarios:
++An attacker needs to craft a special NetDDE message in order to overflow
++the affected buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Disable the NetDDE service.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Security Bulletin MS04-031:
++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/532.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++532
++
++--
++Summary:
++This event is generated when an attempt is made to access an administrative share on a Windows machine.
++
++--
++Impact:
++Serious. Possible administrator access on the victim machine.
++
++--
++Detailed Information:
++This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB.
++
++This is a poor security practice or an indication that a machine is being accessed remotely.
++
++--
++Affected Systems:
++ Windows 9x
++ Windows 2000
++ Windows XP
++
++--
++Attack Scenario:
++This can be accessed from GUI "map network drive" remotely
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Use a packet filtering firewall to disallow Netbios access from the unprotected network.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++Snort documentation contributed by Jake Babbin
++
++--
++References:
++
++arachnids 340
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2560.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++2560
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Oracle Application Server Web Cache.
++
++--
++
++Impact:
++Serious. Possible execution of arbitrary code leading to remote
++administrative access.
++
++--
++Detailed Information:
++The Oracle Application Server Web Cache is vulnerable to a buffer
++overrun caused by poor checking of the length of an HTTP Header. If a
++large invalid HTTP Request Method is supplied to a vulnerable system, an
++attacker may be presented with the opportunity to overrun a fixed length
++buffer and subsequently execute code of their choosing on the server.
++
++--
++Affected Systems:
++Oracle Application Server Web Cache 10g 9.0.4 .0
++Oracle Oracle9i Application Server Web Cache 2.0 .0.4
++Oracle Oracle9i Application Server Web Cache 9.0.2 .3
++Oracle Oracle9i Application Server Web Cache 9.0.2 .2
++Oracle Oracle9i Application Server Web Cache 9.0.3 .1
++
++--
++
++Attack Scenarios:
++An attacker might supply an HTTP Request Method of more than 432 bytes,
++causing the overflow to occur.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
++to configure the Oracle Web Cache server to run on different ports. The rule
++should be configured to reflect the appropriate ports of Oracle Web Cache
++servers on your network.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Judy Novak
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1252.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++1252
++
++--
++Summary:
++This event is generated after a sucessful exploit of the BSD derived Telnet daemon.
++
++--
++Impact:
++Remote root access. This may or may not indicate a successful root
++compromise of a telnet server.
++
++--
++Detailed Information:
++This event is generated after a possible sucessful attempt to compromise
++a server running a BSD derived version of Telnet. A buffer overflow
++condition exists that may present an attacker with the opportunity to
++execute code of their choosing.
++
++The attacker does not need to login to the server to exploit this
++vulnerability, only a connection to the server is needed.
++
++--
++Affected Systems:
++ Multiple Vendor Telnet servers running versions of telnetd derived
++ from the BSD telnet daemon.
++
++--
++Attack Scenarios:
++An attacker may utilize one of the available exploit scripts.
++
++--
++Ease of Attack:
++Simple. Exploit scripts are publicly available. This vulnerability may
++also be exploited by a worm.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Consider using Secure Shell instead of telnet.
++
++Block inbound telnet access if it is not required.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1661.txt
+@@ -0,0 +1,55 @@
++Rule:
++
++--
++Sid:
++1661
++
++--
++Summary:
++This event is generated when an attempt is made to access the cmd32.exe file.
++
++--
++Impact:
++Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server.
++
++--
++Detailed Information:
++The cmd32.exe file allows execution of commands on Windows hosts. This file is only accessible if maliciously placed in the web server's root directory or an attacker performs unauthorized directory traversal. This may permit the attacker to execute arbitrary commands on the vulnerable server.
++
++--
++Affected Systems:
++???
++
++--
++Attack Scenarios:
++An attacker can attempt to access the cmd32.exe file to execute arbitrary commands on the vulernable server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Make sure that the cmd32.exe is not in the webroot directory.
++
++Make sure that all appropriate patches have been applied.
++
++--
++Contributors:
++Original rule writer unknown
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1437.txt
+@@ -0,0 +1,79 @@
++Rule:
++
++--
++Sid:
++1437
++
++--
++Summary:
++This event is generated when network traffic indicating the use of a
++multimedia application is detected.
++
++--
++Impact:
++This may be a violation of corporate policy since these applications can
++be used to bypass security measures designed to restrict the flow of
++corporate information to destinations external to the corporation.
++
++--
++Detailed Information:
++Multimedia client applications can be used to view movies and listen to
++music files. Some also include file sharing facilities. Use of these
++programs may constitute a violation of company policy.
++
++Clients may also contain vulnerabilities that can give an attacker an
++attack vector for delivering Trojan horse programs and viruses.
++
++This rule detects the following Windows Media file types:
++
++ File extension MIME type
++ .wmz application/x-ms-wmz
++ .wmd application/x-ms-wmd
++ .wma audio/x-ms-wma
++ .wax audio/x-ms-wax
++ .wmv audio/x-ms-wmv
++ .asf video/x-ms-asf
++ .asx video/x-ms-asf
++ .wvx video/x-ms-wvx
++ .wm video/x-ms-wm
++ .wmx video/x-ms-wmx
++
++--
++Affected Systems:
++ All Windows systems running Windows Media player applications
++
++--
++Attack Scenarios:
++A user can download files from a source external to the protected
++network that may contain malicious code hidden in the file giving an
++attacker the opportunity to gain access to a host inside the protected
++network.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Windows Media file types:
++http://support.microsoft.com/default.aspx?scid=kb;en-us;288102
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1113.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1113
++
++--
++Summary:
++This event is generated when an attempt is made to execute a directory
++traversal attack.
++
++--
++Impact:
++Information disclosure. This is a directory traversal attempt which can
++lead to information disclosure and possible exposure of sensitive
++system information.
++
++--
++Detailed Information:
++Directory traversal attacks usually target web, web applications and ftp
++servers that do not correctly check the path to a file when requested by
++the client.
++
++This can lead to the disclosure of sensitive system information which may
++be used by an attacker to further compromise the system.
++
++--
++Affected Systems:
++
++--
++Attack Scenarios:
++An authorized user or anonymous user can use the directory traversal
++technique, to browse folders outside the ftp root directory. Information
++gathered may be used in further attacks against the host.
++
++--
++Ease of Attack:
++Simple. No exploit software required.
++
++--
++False Positives:
++None known
++
++--
++False Negatives:
++None known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Upgrade the software to the latest non-affected version.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1676.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid: 1676
++
++--
++
++Summary:
++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
++
++--
++Impact:
++Serious. An attacker may have gained superuser access to the system.
++
++--
++Detailed Information:
++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
++
++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
++
++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
++
++Oracle servers running on a Windows platform may listen on any arbitrary
++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
++is applicable to the protected network.
++
++--
++
++Attack Scenarios:
++Simple. These are Oracle database commands.
++
++--
++
++Ease of Attack:
++Simple.
++
++--
++
++False Positives:
++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
++
++--
++False Negatives:
++Configure your ORACLE_PORTS variable correctly for the environment you are in.
++In many situations ORACLE negotiates a communication port. This means that 1521
++and 1526 are not used for communication during the entire transaction. A new
++port is negotiated after the initial connect message, all communication after
++that uses this other port. If you are in an environment such as this, you should
++set ORACLE_PORTS to "any" in snort.conf.
++
++Otherwise, there are no known false negatives.
++
++--
++
++Corrective Action:
++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
++
++Look for other events generated by the same IP addresses.
++
++--
++Contributors:
++Original Rule Writer Unknown
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2255.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2255
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability associated with the Remote Procedure Call (RPC) sadmind.
++
++--
++Impact:
++Remote root access. This attack may permit execution of arbitrary commands with the privileges of root.
++
++--
++Detailed Information:
++The sadmind RPC service is used by Solaris Solstice AdminSuite
++applications to perform remote distributed system administration tasks
++such as adding new users.
++
++This event indicates that an RPC query for the sadmind service has been
++made with the credentials of the root user supplied.
++
++This may permit execution of arbitrary commands with the privileges of root.
++
++--
++Affected Systems:
++All systems using sadmind
++
++--
++Attack Scenarios:
++Exploit code can be used to attack a vulnerable sadmind to obtain root access to the remote host.
++
++--
++Ease of Attack:
++Simple. Exploit scripts are freely available.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/195.txt
+@@ -0,0 +1,76 @@
++Rule:
++
++--
++Sid:
++195
++
++--
++Summary:
++Deepthroat is a Trojan Horse offering the attacker control of the target.
++
++--
++Impact:
++Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
++
++See also rules with sids 195, 1980, 1981, 1982 and 1983.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++
++Registry keys added are:
++
++ Systemtray
++
++Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
++
++Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS106
++
++Symantec Security Response
++http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2095.txt
+@@ -0,0 +1,87 @@
++Rule:
++
++--
++Sid:
++2095
++
++--
++Summary:
++vulnerability in the rpc service for the Calendar Manager Service Daemon
++(CMSD) used by XDR.
++
++--
++Impact:
++System compromise, denial of service, execution of arbitrary code,
++information disclosure.
++
++--
++Detailed Information:
++A vulnerability exists in various implementations of external data
++representation (XDR) libraries. An integer overflow in a component
++(xdr_array) used by XDR can lead to a buffer overflow.
++
++The XDR libraries are widely used by multiple vendors to provide a
++framework for data transmission across networks. This is most commonly
++used in RPC implementations.
++
++A specially crafted rpc request containing a large number of arguments
++to xdr_array can lead to remote system compromise and super user access
++to the target host. Additionally, a denial of service and execution of
++arbitrary code with the privilege of the super user is also possible
++depending on the platform used.
++
++--
++Affected Systems:
++Multiple verndors including all those using:
++ Sun Microsystems Network Services Library (libnsl)
++ GNU C library with sunrpc (glibc)
++ BSD-derived libraries with XDR/RPC routines (libc)
++
++--
++Attack Scenarios:
++The attacker needs to send a specially crafted rpc request containing a
++large number of arguments for xdr_array to the target host.
++
++--
++Ease of Attack:
++Simple
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade the vendor libraries to the latest non-affected versions. Any
++statically linked binaries and applications must be recompiled and
++restarted after the upgrade.
++
++Disallow all RPC requests from external sources and use a firewall to
++block access to RPC ports from outside the LAN.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Bugtraq:
++http://www.securityfocus.com/bid/5356
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
++
++CERT:
++http://www.cert.org/advisories/CA-2002-25.html
++http://www.kb.cert.org/vuls/id/192995
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/122-27.txt
+@@ -0,0 +1,93 @@
++
++
++Rule:
++
++--
++Sid:
++122-27
++
++--
++Summary:
++This event is generated when the pre-processor sfPortscan detects
++network traffic that may constitute an attack. Specifically a open port
++was detected.
++
++--
++Impact:
++Unknown. This is normally an indicator of possible network
++reconnaisance and may be the prelude to a targeted attack against the
++targeted systems.
++
++--
++Detailed Information:
++This event is generated when the sfPortscan pre-processor detects
++network traffic that may consititute an attack.
++
++A portscan is often the first stage in a targeted attack against a
++system. An attacker can use different portscanning techniques and tools
++to determine the target host operating system and application versions
++running on the host to determine the possible attack vectors against
++that host.
++
++More information on this event can be found in the individual
++pre-processor documentation README.sfportscan in the docs directory of
++the snort source. Descriptions of different types of portscanning
++techniques can also be found in the same documentation, along with
++instructions and examples on how to tune and use the pre-processor.
++
++--
++Affected Systems:
++ All.
++
++--
++Attack Scenarios:
++An attacker often uses a portscanning technique to determine operating
++system type and version and also application versions to determine
++possible effective attack vectors that can be used against the target
++host.
++
++--
++Ease of Attack:
++Simple. Many portscanning tools are freely available.
++
++--
++False Positives:
++While not necessarily a false positive, a security audit or penetration
++test will often employ the use of a portscan in the same way an
++attacker might use the technique. If this is the case, the
++pre-processor should be tuned to ignore the audit if so desired.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check for other events targeting the host.
++
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches as appropriate.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Daniel Roelker
++Marc Norton
++Jeremy Hewlett
++Nigel Houghton
++
++--
++Additional References:
++
++Nmap:
++http://www.insecure.org/nmap/
++
++Port Scanning Techniques and the Defense Against Them - Roger
++Christopher, SANS:
++http://www.sans.org/rr/whitepapers/auditing/70.php
++
++Hypervivid Tiger Team - Port-Scanning: A Practical Approach
++http://www.hcsw.org/reading/nmapguide.txt
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2661.txt
+@@ -0,0 +1,54 @@
++Rule:
++
++--
++Sid:
++2661
++
++--
++Summary:
++This rule is intended to increase the accuracy of rules designed to
++generate events based on attempts to exploit implementations of Secure
++Socket Layer (SSL) version 2.
++
++--
++Impact:
++None. This is a protocol decode rule that does not generate events.
++
++--
++Detailed Information:
++This is a protocol decode rule that does not generate events.
++
++--
++Affected Systems:
++NA
++
++--
++Attack Scenarios:
++NA
++
++--
++Ease of Attack:
++NA
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++NA
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2754.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2754
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database server.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code and Denial of Service.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit a known
++vulnerability in an Oracle database implementation. Multiple buffer
++overflow conditions are present in numerous packages and procedures.
++
++Exploitation of these vulnerable procedures may allow an attacker to
++execute code of their choosing as the user running the database. In the
++case of databases running on Microsoft Windows platforms, this is the
++Local System account which may mean a compromise of the operating system
++as well as the database.
++
++This event indicates that an attempt has been made to exploit a
++vulnerability in the procedure comment_on_site_priority
++. This procedure is included in
++dbms_repcat.
++
++--
++Affected Systems:
++ Oracle Oracle9i
++
++--
++Attack Scenarios:
++If an attacker can supply enough data to the procedure in question, it
++may be possible to cause the overflow condition to occur and present the
++attacker with the opportunity to execute code of their choosing.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Alex Kirk
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2160.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++2160
++
++
++--
++Summary:
++This event is generated when a possible outgoing virus is detected.
++
++--
++Impact:
++Informational event. An virus on an infected host may be attempting to
++propogate.
++
++--
++Detailed Information:
++This event indicates that an outgoing email message possibly containing
++a virus has been detected.
++
++This rule generates an event when a filename extension commonly used by
++viruses is detected.
++
++--
++Affected Systems:
++Any host.
++
++--
++Attack Scenarios:
++This is indicative of a virus infection.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++A legitimate attachment to an email may generate this event.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Check the host for signs of virus infection.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1561.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1561
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2267.txt
+@@ -0,0 +1,57 @@
++Rule:
++
++--
++Sid:
++2267
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in versions of Sendmail.
++
++--
++Impact:
++Remote arbitrary code execution.
++
++--
++Detailed Information:
++A vulnerability exists in the prescan() function used in Sendmail prior
++to version 8.12.9. This function contains an error when converting a
++character to an integer value while processing SMTP headers.
++
++--
++Affected Systems:
++All systems using Sendmail.
++
++--
++Attack Scenarios:
++An attacker could exploit this condition to process code of their
++choosing and open a listening shell bound to a high port, thus opening the
++system to further compromise.
++
++--
++Ease of Attack:
++Simple. Exploit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade Sendmail to the latest non-affected verison.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2193.txt
+@@ -0,0 +1,87 @@
++Rule:
++
++--
++Sid:
++2193
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++This vulnerability is also exploited by the Billy/Blaster worm. The worm
++also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
++number of events generated by this rule may indicate worm activity.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists. This is also exploited by a worm.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++Block access to port 69 used by the worm to propogate.
++
++Block access to port 4444 used by the worm.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft:
++http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
++
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
++
++Symantec:
++http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3186.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3186
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2295.txt
+@@ -0,0 +1,65 @@
++Rule:
++
++--
++Sid:
++2295
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
++running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt may have been made to exploit a
++known vulnerability in the PHP application Proxy2.de Advanced Poll
++2.0.2. This application does not perform stringent checks when handling
++user input, this may lead to the attacker being able to execute PHP
++code, include php files and possibly retrieve sensitive files from the
++server running the application.
++
++--
++Affected Systems:
++ All systems running Proxy2.de Advanced Poll 2.0.2
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying PHP script.
++
++--
++Ease of Attack:
++Simple. No exploit code is required.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/830.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++830
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3362.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3362
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1277.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++1277
++
++--
++Summary:
++This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
++
++--
++Impact:
++Information disclosure. This request is used to discover which port ypupdated is using. Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
++
++--
++Detailed Information:
++The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run. The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages. A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.
++
++--
++Affected Systems:
++HP HP-UX 10.1, 10.10, 10.20
++IBM AIX 3.2, 4.1
++NEC EWS-UX/V, UP-UX/V
++SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3,4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
++Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
++
++--
++Attack Scenarios:
++An attacker can query the portmapper to discover the port where ypupdated runs. This may be a precursor to accessing ypupdated.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
++
++--
++False Negatives:
++This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
++
++--
++Corrective Action:
++Limit remote access to RPC services.
++
++Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
++
++Disable unneeded RPC services.
++
++--
++Contributors:
++Original rule written by Max Vision
++Modified by Brian Caswell
++Sourcefire Research Team
++Judy Novak
++
++--
++Additional References:
++
++Bugtraq
++http://www.securityfocus.com/bid/1749
++
++CERT
++http://www.cert.org/advisories/CA-1995-17.html
++
++Arachnids
++http://www.whitehats.com/info/IDS125
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1764.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1764
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1529.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++1529
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a buffer
++overflow or denial of service vulnerability associated with FTP SITE command.
++
++--
++Impact:
++Remote access or denial of service. A successful attack can cause a
++denial of service or allow remote execution of arbitrary commands with
++privileges of the process running the FTP server.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to exploit various
++vulnerabilities associated with the FTP SITE command of different FTP
++servers. The Windows Serv-U FTP server 2.5a can be made to crash when an
++overly long argument is supplied to the SITE PASS command. The GuildFTPd
++free Windows FTP server 0.97 is vulnerable to a buffer overflow caused
++by issuing a SITE command that is 261 bytes or longer. A buffer overflow
++exists in Debian Linux 2.2 FTP daemon that is caused by issuing a SITE
++command that is 400 bytes or longer. The buffer overflow attacks may
++permit the execution of arbitrary commands with the privileges of the
++process running the FTP server. All of these attacks require login
++access to the vulnerable server via an authenticated or anonymous user.
++
++--
++Affected Systems:
++ Serv-U FTP server 2.5a.
++ GuildFTPd Server 0.97.
++ Debian 2.2 FTP server.
++
++--
++Attack Scenarios:
++An attacker may login to a vulnerable FTP server and enter an overly
++long file argument with the SITE command, causing a denial of service or
++buffer overflow.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2967.txt
+@@ -0,0 +1,68 @@
++Rule:
++
++--
++Sid:
++2967
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
++services.
++
++--
++Impact:
++Serious. Execution of arbitrary code with system level privileges
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft NetDDE that may allow an attacker to
++run code of their choosing with system level privileges. A programming
++error in the handling of network messages may give an attacker the
++opportunity to overflow a fixed length buffer by using a specially
++crafted NetDDE message.
++
++This service is not started by default on Microsoft Windows systems, but
++this issue can also be exploited locally in an attempt to escalate
++privileges after a successful attack from an alternate vector.
++
++--
++Affected Systems:
++ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
++
++--
++Attack Scenarios:
++An attacker needs to craft a special NetDDE message in order to overflow
++the affected buffer.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches
++
++Disable the NetDDE service.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft Security Bulletin MS04-031:
++http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/119-13.txt
+@@ -0,0 +1,62 @@
++Rule:
++
++--
++Sid:
++119-13
++
++--
++Summary:
++This event is generated when the pre-processor http_inspect
++detects network traffic that may constitute an attack.
++
++--
++Impact:
++Unknown.
++
++--
++Detailed Information:
++This event is generated when the http_inspect pre-processor detects the
++use of a newline "\n" character as a delimeter. This is non-standard but
++is accepted by both Apache and IIS web servers.
++
++--
++Affected Systems:
++ All web servers
++
++--
++Attack Scenarios:
++An attacker may supply the newline character as the delimeter in a web
++request.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known.
++
++--
++False Negatives:
++None Known.
++
++--
++
++Corrective Action:
++Check the target host for signs of compromise.
++
++Apply any appropriate vendor supplied patches.
++
++--
++Contributors:
++Daniel Roelker
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++HTTP IDS Evasions Revisited - Daniel Roelker
++http://docs.idsresearch.org/http_ids_evasions.pdf
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3241.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3241
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2375.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++2375
++
++--
++Summary:
++This event is generated when activity from the worm DoomJuice is
++detected.
++
++--
++Impact:
++This is indicative of worm activity which may launch of a Denial of
++Service condition against Microsoft from infected machines.
++
++--
++Detailed Information:
++This event is indicative of activity by the DoomJuice worm. This worm
++attempts to connect to random addresses on port 3127, if it receives a
++response it will attempt to upload a copy of itself to the target
++machine. If no response is received on that port, it will try on ports
++between 3127 and 3199.
++
++If the date is between February 8th and February 28th 2004, the worm
++will attempt to launch a Denial of Service (DoS) attack against
++www.microsoft.com.
++
++--
++Affected Systems:
++ Windows 95
++ Windows 98
++ Windows Me
++ Windows NT
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++This is worm activity.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++It is possible to edit the binary data in the executable to create a
++variant of the worm. This may evade the rule.
++
++--
++Corrective Action:
++Use Anti-Virus software to remove the worm.
++
++--
++Contributors:
++Sourcefire Research Team
++Matt Watchinski
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000519.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000519
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "VUBB" application running on a webserver. Access to the
++file "index.php" with SQL commands being passed as the "user" parameter may
++indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "user" parameter in the "index.php" script used by the
++"VUBB" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VUBB
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3194.txt
+@@ -0,0 +1,66 @@
++Rule:
++
++--
++Sid:
++3194
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft Internet Information Server.
++
++--
++Impact:
++Serious. Code execution leading to unauthorized administrative access
++on the target host.
++
++--
++Detailed Information:
++Microsoft IIS contains a programming error that may allow an attacker to
++execute commands of their choosing on a vulnerable system. If a valid
++request for an executable file on the system is made, the server will
++honor the request and execute any commands sent to the system. It may be
++possible for an attacker to execute system commands sent to cmd.exe or
++an executable batch file (.bat) for example.
++
++--
++Affected Systems:
++ Microsoft IIS 4.0
++ Microsoft IIS 5.0
++
++--
++Attack Scenarios:
++An attacker can send a request to an executable file on the system and
++supply command arguments of their choice to the file. The server will
++honor the request and execute the attackers commands.
++
++For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Upgrade to the latest non-affected version of the software.
++
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1091.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1091
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000544.txt
+@@ -0,0 +1,75 @@
++Rule:
++
++--
++Sid:
++100000544
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection
++vulnerability in the "Dating Agent" application running on a webserver. Access
++to the file "search.php" with SQL commands being passed as the "relationship"
++parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a
++remote machine via the "relationship" parameter in the "search.php" script used
++by the "Dating Agent" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to compromise the database backend for the
++application, the attacker may also be able to execute system binaries or
++malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server. This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Dating Agent
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application
++if user input is not correctly sanitized or checked before passing that input
++to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/478.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++
++Sid:
++478
++
++--
++
++Summary:
++This event is generated when Broadscan Smurf Scanner generates an ICMP echo
++request message.
++
++--
++
++Impact:
++ICMP echo requests are used to determine if a host is running at a
++specific IP address. A remote attacker can scan a large range of hosts
++using ICMP echo requests to determine what hosts are operational on the
++network.
++
++--
++
++Detailed Information:
++The Broadscan Smurf Scanner generates an ICMP echo packet with a specific
++datagram signature.
++
++--
++
++Attack Scenarios:
++A remote attacker might scan a large range of hosts using ICMP echo
++requests to determine what hosts are operational on the network.
++
++--
++
++Ease of Attack:
++Simple. Packet generation tools can generate this type of ICMP packet
++
++--
++
++False Positives:
++None known
++
++--
++
++False Negatives:
++Packet generation tools can generate ICMP echo requests with
++user-defined payloads. This could allow attackers to replace this
++signature with binary values and conceal their operating system.
++
++--
++
++Corrective Action:
++To prevent information gathering, use a firewall to block incoming ICMP
++Type 8 Code 0 traffic.
++
++--
++
++Contributors:
++Original Rule writer unknown
++Sourcefire Research Team
++Matthew Watchinski (matt.watchinski@sourcefire.com)
++
++--
++
++Additional References:
++
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3328.txt
+@@ -0,0 +1,70 @@
++Rule:
++
++--
++Sid:
++3328
++
++--
++Summary:
++This rule generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1511.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1511
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator.
Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. ++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2832.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++2832 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database server. ++ ++-- ++Impact: ++Serious. Possible execution of arbitrary code and Denial of Service. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to exploit a known ++vulnerability in an Oracle database implementation. Multiple buffer ++overflow conditions are present in numerous packages and procedures. ++ ++Exploitation of these vulnerable procedures may allow an attacker to ++execute code of their choosing as the user running the database. In the ++case of databases running on Microsoft Windows platforms, this is the ++Local System account which may mean a compromise of the operating system ++as well as the database. 
++ ++This event indicates that an attempt has been made to exploit a ++vulnerability in the procedure do_deferred_repcat_admin ++. This procedure is included in ++sys.dbms_repcat_mas. ++ ++-- ++Affected Systems: ++ Oracle Oracle9i ++ ++-- ++Attack Scenarios: ++If an attacker can supply enough data to the procedure in question, it ++may be possible to cause the overflow condition to occur and present the ++attacker with the opportunity to execute code of their choosing. ++ ++-- ++Ease of Attack: ++Simple. ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patch ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1691.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: 1691 ++ ++-- ++ ++Summary: ++This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system. ++ ++-- ++Impact: ++Serious. An attacker may have gained superuser access to the system. ++ ++-- ++Detailed Information: ++This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system. ++ ++Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. ++ ++This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. ++ ++Oracle servers running on a Windows platform may listen on any arbitrary ++port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this ++is applicable to the protected network. 
++ ++-- ++ ++Attack Scenarios: ++Simple. These are Oracle database commands. ++ ++-- ++ ++Ease of Attack: ++Simple. ++ ++-- ++ ++False Positives: ++This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. ++ ++-- ++False Negatives: ++Configure your ORACLE_PORTS variable correctly for the environment you are in. ++In many situations ORACLE negotiates a communication port. This means that 1521 ++and 1526 are not used for communication during the entire transaction. A new ++port is negotiated after the initial connect message, all communication after ++that uses this other port. If you are in an environment such as this, you should ++set ORACLE_PORTS to "any" in snort.conf. ++ ++Otherwise, there are no known false negatives. ++ ++-- ++ ++Corrective Action: ++Use a firewall to disallow direct access to the Oracle database from sources external to the protected network. ++Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise ++ ++Look for other events generated by the same IP addresses. ++ ++-- ++Contributors: ++Original Rule Writer Unknown ++Sourcefire Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1101.txt +@@ -0,0 +1,71 @@ ++Rule: ++ ++-- ++Sid: ++1101 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability on a web server or a web application resident on a web ++server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server. Possible execution of arbitrary code of ++the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to compromise a host ++running a Web server or a vulnerable application on a web server. 
++ ++Many known vulnerabilities exist for each implementation and the ++attack scenarios are legion. ++ ++Some applications do not perform stringent checks when validating the ++credentials of a client host connecting to the services offered on a ++host server. This can lead to unauthorized access and possibly escalated ++privileges to that of the administrator. Data stored on the machine can ++be compromised and trust relationships between the victim server and ++other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++ All systems using a web server. ++ ++-- ++Attack Scenarios: ++Many attack vectors are possible from simple directory traversal to ++exploitation of buffer overflow conditions. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++Check the host logfiles and application logs for signs of compromise. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000623.txt +@@ -0,0 +1,73 @@ ++Rule: ++ ++-- ++Sid: ++100000623 ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file ++include vulnerability in the "Indexu" application running on a webserver. ++Access to the file "menu.php" using a remote file being passed as the ++"admin_template_path" parameter may indicate that an exploitation attempt has ++been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution of ++arbitrary code of the attackers choosing in some cases. 
++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a ++remote machine via the "admin_template_path" parameter in the "menu.php" script ++used by the "Indexu" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also ++be possible for an attacker to execute system binaries or malicious code of the ++attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to ++a CGI application running ona web server. Some applications do not perform ++stringent checks when validating the credentials of a client host connecting to ++the services offered on a host server. This can lead to unauthorized access and ++possibly escalated privileges to that of the administrator. Data stored on the ++machine can be compromised and trust relationships between the victim server ++and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Indexu ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own ++credentials to gain access. Alternatively the attacker can exploit weaknesses ++to gain access as the administrator by supplying input of their choosing to the ++underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had ++all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/3364.txt +@@ -0,0 +1,70 @@ ++Rule: ++ ++-- ++Sid: ++3364 ++ ++-- ++Summary: ++This rule generates an event when an attempt is made to exploit a known ++vulnerability in Microsoft RPC DCOM. 
++ ++-- ++Impact: ++Execution of arbitrary code leading to full administrator access of the ++machine. Denial of Service (DoS). ++ ++-- ++Detailed Information: ++A vulnerability exists in Microsoft RPC DCOM such that execution of ++arbitrary code or a Denial of Service condition can be issued against a ++host by sending malformed data via RPC. ++ ++The Distributed Component Object Model (DCOM) handles DCOM requests sent ++by clients to a server using RPC. A malformed request to an RPC port ++will result in a buffer overflow condition that will present the ++attacker with the opportunity to execute arbitrary code with the ++privileges of the local system account. ++ ++-- ++Affected Systems: ++ Windows NT 4.0 ++ Windows NT 4.0 Terminal Server Edition ++ Windows 2000 ++ Windows XP ++ Windows Server 2003 ++ ++-- ++Attack Scenarios: ++An attacker may make a request for a file with an overly long filename ++via a network share. ++ ++-- ++Ease of Attack: ++Simple. Expoit code exists. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++Block access to RPC ports 135, 139 and 445 for both TCP and UDP ++protocols from external sources using a packet filtering firewall. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000422.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000422 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB" application running on a webserver. Access to the file "template.php" using a remote file being passed as the "page" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. 
Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to include a file from a remote machine via the "page" parameter in the "template.php" script used by the "phpBB" application running on a webserver. ++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using phpBB ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/421.txt +@@ -0,0 +1,60 @@ ++Rule: ++ ++-- ++ ++Sid: ++421 ++ ++-- ++ ++Summary: ++This event is generated when a network host generates an ICMP Mobile Registration Reply datagram. ++ ++-- ++ ++Impact: ++ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams should never be seen in normal network conditions. ++ ++-- ++ ++Detailed Information: ++ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. ++ ++-- ++ ++Attack Scenarios: ++None known ++ ++-- ++ ++Ease of Attack: ++Numerous tools and scripts can generate this type of ICMP datagram. ++ ++-- ++ ++False Positives: ++None known ++ ++-- ++ ++False Negatives: ++None known ++-- ++ ++Corrective Action: ++ICMP Type 36 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity ++ ++-- ++ ++Contributors: ++Original rule writer unknown ++Sourcefire Research Team ++Matthew Watchinski (matt.watchinski@sourcefire.com) ++ ++-- ++ ++Additional References: ++None ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2705.txt +@@ -0,0 +1,75 @@ ++Rule: ++ ++-- ++Sid: ++2705 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in Microsoft GDI using a malformed JPEG image. ++ ++-- ++ ++Impact: ++Serious. Execution of arbitrary code is possible. Denial of Service ++(DoS), ++ ++-- ++Detailed Information: ++The Microsoft Graphics Device Interface contains a programming error ++in the handling of Joint Photographics Experts Group (JPEG) files. 
This ++error may allow an attacker to execute code of their choosing on a ++vulnerable system. ++ ++Due to the popularity of jpeg files, and in order to provide accurate ++detection for the GDI JPEG vulnerability, sid 2705 may generate false ++positive events in certain situations. Since this rule may generate ++a number of false positives it is disabled by default. ++ ++In order to avoid potential evasion techniques, http_inspect should be ++configured with "flow_depth 0" so that all HTTP server response traffic is ++inspected. ++ ++WARNING ++Setting flow_depth 0 will cause performance problems in some situations. ++WARNING ++ ++-- ++Affected Systems: ++ All Microsoft systems including multiple Microsoft products ++ ++-- ++Attack Scenarios: ++An attacker would need to supply a malformed jpeg image to a victim and ++have the use attempt to view the file. ++ ++-- ++Ease of Attack: ++Medium. ++ ++-- ++ ++False Positives: ++False positive events are known to occur with this rule, the incidence ++is low but may be an inconvenience in some installations. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Apply the appropriate vendor supplied patches. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Brian Caswell ++Alex Kirk ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/2084.txt +@@ -0,0 +1,75 @@ ++Rule: ++ ++-- ++Sid: ++2084 ++ ++-- ++Summary: ++xfsmd ++ ++-- ++Impact: ++Possible root access and code execution. ++ ++-- ++Detailed Information: ++It is possible for an attacker to exploit some versions of the xfsmd ++daemon. ++ ++Due to a programming error, the service does not correctly check for ++certain meta-characters and they are not stripped from the request. ++ ++The xfsmd daemon is not installed by default on IRIX systems but it is ++part of an optional package. 
++ ++-- ++Affected Systems: ++ IRIX 6.2 ++ IRIX 6.3 ++ IRIX 6.4 ++ IRIX 6.5.x ++ ++-- ++Attack Scenarios: ++Exploits are widely available. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Patches are NOT available for this issue. ++ ++Disable and remove the xfsmd daemon. ++ ++Uprade to the latest non affected version of the operating system ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/5075 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359 ++ ++SGI IRIX: ++ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/819.txt +@@ -0,0 +1,69 @@ ++Rule: ++ ++-- ++Sid: ++819 ++ ++-- ++Summary: ++This event is generated when an attempt is made to exploit a known ++vulnerability in a CGI web application running on a server. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized ++administrative access to the server or application. Possible execution ++of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event is generated when an attempt is made to gain unauthorized ++access to a CGI application running ona web server. Some applications do ++not perform stringent checks when validating the credentials of a client ++host connecting to the services offered on a host server. This can lead ++to unauthorized access and possibly escalated privileges to that of the ++administrator. Data stored on the machine can be compromised and trust ++relationships between the victim server and other hosts can be exploited by the attacker. 
++ ++If stringent input checks are not performed by the CGI application, it ++may also be possible for an attacker to execute system binaries or ++malicious code of the attackers choosing. ++ ++-- ++Affected Systems: ++ All systems running CGI applications ++ ++-- ++Attack Scenarios: ++An attacker can access an authentication mechanism and supply his/her ++own credentials to gain access. Alternatively the attacker can exploit ++weaknesses to gain access as the administrator by supplying input of ++their choosing to the underlying CGI script. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has ++had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/669.txt +@@ -0,0 +1,58 @@ ++Rule: ++ ++-- ++Sid: ++669 ++ ++-- ++Summary: ++This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where linefeed characters in ident messages are not properly parsed. ++ ++-- ++Impact: ++Severe. Remote execution of arbitrary code, leading to remote root compromise. ++ ++-- ++Detailed Information: ++Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of linefeed characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with linefeeds in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. 
++ ++-- ++Affected Systems: ++Systems running unpatched versions of Sendmail 8.6.10 or earlier. ++ ++-- ++Attack Scenarios: ++An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue. ++ ++-- ++Ease of Attack: ++Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Upgrade to the latest version of Sendmail. ++ ++-- ++Contributors: ++Original rule written by Max Vision ++Sourcefire Research Team ++Sourcefire Technical Publications Team ++Jen Harvey ++ ++-- ++Additional References: ++CVE ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204 ++ ++Bugtraq ++http://www.securityfocus.com/bid/2311 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/100000826.txt +@@ -0,0 +1,58 @@ ++ ++ ++Rule: ++ ++-- ++Sid: ++100000826 ++-- ++Summary: ++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Phorum" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "mode" parameter may indicate that an exploitation attempt has been attempted. ++ ++-- ++Impact: ++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. ++ ++-- ++Detailed Information: ++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mode" parameter in the "search.php" script used by the "Phorum" application running on a webserver. 
++ ++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. ++ ++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. ++ ++-- ++Affected Systems: ++All systems running CGI applications using Phorum ++-- ++Attack Scenarios: ++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. ++ ++-- ++Ease of Attack: ++Simple. Exploits exist. ++ ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++None known. ++ ++-- ++Corrective Action: ++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. ++ ++-- ++Contributors: ++Sourcefire Vulnerability Research Team ++Nigel Houghton ++-- ++Additional References: ++ ++SQL Injection Attack and Defense ++http://www.securitydocs.com/library/3587 ++ ++-- ++ +--- /dev/null ++++ snort-2.9.2/doc/signatures/2033.txt +@@ -0,0 +1,85 @@ ++Rule: ++ ++-- ++Sid: ++2033 ++ ++-- ++Summary: ++A request has been made to rpc.ypserv from an external source that ++should not have access to this service. This may be indicative of an ++intelligence gathering activity as a prelude to a more serious ++compromise of system resources. ++ ++service against the target host. 
++ ++-- ++Impact: ++Disclosure of sensitive system information to an unauthorized user. ++Possible denial of service. ++ ++-- ++Detailed Information: ++The rpc.ypserv daemon queries information in the local NIS maps. A ++response to this query may divulge important information to the user ++performing the query. This could lead to futher exploitation of ++resources on the network. ++ ++In addition, a vulnerability exists in ypserv on some Linux platforms ++that could lead to a buffer overflow and root compromise of the target ++host. This is achieved by making a multitude of requests for a NIS map ++that does not exist. ++ ++-- ++Affected Systems: ++Multiple systems running versions of ypserv prior to 2.5. ++ ++-- ++Attack Scenarios: ++The attacker can craft a malicious request to rpc.ypserv such that ++valuable information can be returned to the attacker. ++ ++In the case of a buffer overflow, the attacker might issue a large ++therefore, be seen many times. ++ ++-- ++Ease of Attack: ++Simple ++ ++-- ++False Positives: ++None Known ++ ++-- ++False Negatives: ++None Known ++ ++-- ++Corrective Action: ++Disallow all RPC requests from external sources and use a firewall to ++block access to RPC ports from outside the LAN. ++ ++Upgrade ypserv to the latest version. ++ ++Use /var/yp/securenets to list the hosts allowed to access this resource ++where appropriate. 
++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++ ++-- ++Additional References: ++ ++Bugtraq: ++http://www.securityfocus.com/bid/6016 ++http://www.securityfocus.com/bid/5914 ++ ++CVE: ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232 ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043 ++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042 ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1313.txt +@@ -0,0 +1,64 @@ ++Rule: ++-- ++Sid: ++ ++1313 ++ ++-- ++Summary: ++This rule indicates that a webpage was visited the included the content "up skirt". ++ ++-- ++Impact: ++Someone could be violating your company's policy regarding the browsing of inappropriate content. ++ ++-- ++Detailed Information: ++ ++This rule looks for a response from a webserver containing "up skirt". ++ ++-- ++Affected Systems: ++ ++All ++ ++-- ++Attack Scenarios: ++ ++Not an attack. ++ ++-- ++Ease of Attack: ++ ++N/A. ++ ++-- ++False Positives: ++ ++This could have been caused by a pop-up window or spam with an embedded link to a pornographic website. This could also be caused by somebody visiting the snort rule descriptions on the snort website. ++ ++-- ++False Negatives: ++ ++None known. ++-- ++Corrective Action: ++ ++Dependent on your company's policies. ++ ++-- ++Contributors: ++Sourcefire Research Team ++Brian Caswell ++Nigel Houghton ++Snort documentation contributed by Steven Alexander ++-- ++Additional References: ++ ++ ++ ++ ++ ++ ++ ++-- +--- /dev/null ++++ snort-2.9.2/doc/signatures/1544.txt +@@ -0,0 +1,78 @@ ++Rule: ++-- ++Sid: ++1544 ++-- ++Summary: ++This event is generated when an attempt is made to list the user ++configuration file on a Cisco router or switch. ++-- ++Impact: ++If successful, the switch will reveal the local authentication user ++configuration file to an attacker without requiring prior ++authentication. 
++-- ++Detailed Information: ++The HTTP server that is part of some versions of the Cisco IOS software ++allows remote command execution when the access control method is set to ++local authentication. ++ ++-- ++Affected Systems: ++The following Cisco products can be affected. Whether they actually ++are vulnerable or not depends on the version of IOS that they are ++running. To properly determine if your product is vulnerable, see the ++Cisco website referenced below. This is not exploitable if the device ++is using an access control method other than local authentication. ++Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, ++1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, ++AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 ++series. ++Most recent versions of the LS1010 ATM switch. ++The Catalyst 6000 and 5000 if they are running Cisco IOS software. ++The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco ++IOS software. ++The Catalyst 2900 and 3000 series LAN switches are affected. ++The Cisco Distributed Director. ++-- ++Attack Scenarios: ++By making the request to a vulnerable system, an attacker can take ++complete control of a Cisco device. ++-- ++Ease of Attack: ++Simple. HTTP GET request, a browser may be used. ++-- ++False Positives: ++None known. ++ ++-- ++False Negatives: ++This rule only looks for one particular command (show config cr). ++However, this vulnerability will allow any other command to be executed ++on the device at the highest privilege level, and this rule will ++not detect them. ++ ++This rule only looks for attacks against systems that are included ++in the $HTTP_SERVERS group. Many administrators do not consider ++routers or switches to be web servers, and therefore may not include ++vulnerable devices in this group, causing an attack to proceed ++unnoticed. 
If you think one of your routers or switches is vulnerable,
++reference it in the $HTTP_SERVERS group.
++--
++Corrective Action:
++Turn off the web server functionality, use access lists to ensure only
++trusted hosts have access to the device, use TACACS+ or RADIUS for
++access control, or upgrade your version of IOS.
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Snort documentation contributed by Kevin Peuhkurinen
++
++--
++Additional References:
++
++Cisco
++http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000505.txt
+@@ -0,0 +1,73 @@
++Rule:
++
++--
++Sid:
++100000505
++--
++Summary:
++This event is generated when an attempt is made to exploit a remote file
++include vulnerability in the "Nucleus CMS" application running on a webserver.
++Access to the file "server.php" using a remote file being passed as the
++"DIR_LIB" parameter may indicate that an exploitation attempt has been
++attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution of
++arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to include a file from a
++remote machine via the "DIR_LIB" parameter in the "server.php" script used by
++the "Nucleus CMS" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also
++be possible for an attacker to execute system binaries or malicious code of the
++attackers choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to
++a CGI application running ona web server. Some applications do not perform
++stringent checks when validating the credentials of a client host connecting to
++the services offered on a host server.
This can lead to unauthorized access and
++possibly escalated privileges to that of the administrator. Data stored on the
++machine can be compromised and trust relationships between the victim server
++and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using Nucleus CMS
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her own
++credentials to gain access. Alternatively the attacker can exploit weaknesses
++to gain access as the administrator by supplying input of their choosing to the
++underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had
++all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3031.txt
+@@ -0,0 +1,67 @@
++Rule:
++
++--
++Sid:
++3031
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Samba implementation.
++
++--
++Impact:
++Serious. Possible execution of arbitrary code.
++
++--
++Detailed Information:
++Samba is a file and print serving system for heterogenous networks. It
++is available for use as a service and client on UNIX/Linux systems and as
++a client for Microsoft Windows systems.
++
++Samba uses the SMB/CIFS protocols to allow communication between client
++and server. The SMB protocol contains many commands and is commonly used
++to control network devices and systems from a remote location.
A
++vulnerability exists in the way the smb daemon processes commands sent by
++a client system when accessing resources on the remote server.The problem
++exists in the allocation of memory which can be exploited by an attacker
++to cause an integer overflow, possibly leading to the execution of
++arbitrary code on the affected system with the privileges of the user
++running the smbd process.
++
++--
++Affected Systems:
++ Samba 3.0.8 and prior
++
++--
++Attack Scenarios:
++An attacker needs to supply specially crafted data to the smb daemon to
++overflow a buffer containing the information for the access control lists
++to be applied to files in the smb query.
++
++--
++Ease of Attack:
++Difficult.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/3121.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++3121
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in Microsoft License Logging Service.
++
++--
++Impact:
++Serious. Execution of arbitrary code leading to unauthorized
++administrative access to the target host. Denial of Service (DoS) is
++also possible.
++
++--
++Detailed Information:
++Microsoft License Logging Service is used to manage licenses for
++Microsoft server products.
++
++A vulnerability in the service exists due to a programming error such
++that an unchecked buffer may present an attacker with the opportunity to
++exploit the service and run code of their choosing on an affected
++system. The attacker may then cause a DoS condition in the service or
++possibly gain administrative access to the target host.
++
++The unchecked buffer exists when processing the length of messages sent
++to the logging service.
++
++--
++Affected Systems:
++ Microsoft Windows Server 2003
++ Microsoft Windows Server 2000
++ Microsoft Windows NT Server
++
++--
++Attack Scenarios:
++An attacker can supply extra data in the message to the service
++containing code of their choosing to be run on the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2622.txt
+@@ -0,0 +1,72 @@
++Rule:
++
++--
++Sid:
++2622
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a Oracle database implementation.
++
++--
++Impact:
++Serious. Execution of arbitrary code may be possible. A Denial of
++Service (DoS) condition may also be caused.
++
++--
++Detailed Information:
++Oracle databases may use a built-in procedure to assist in useful
++tasks. The "drop_an_object" procedure contains a programming error
++that may allow an attacker to execute a buffer overflow attack.
++
++This overflow is triggered by a long string in a parameter for the
++procedure.
++
++If you are running Oracle on a Windows server, make sure that the
++variable $ORACLE_PORTS is set to a value of "any".
++
++--
++Affected Systems:
++ Oracle 9i
++
++--
++Attack Scenarios:
++An attacker can supply a long string to the third variable to cause
++the overflow. The result could permit the attacker to gain escalated
++privileges and run code of their choosing. This attack requires an
++attacker to logon to the database with a valid username and password
++combination.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Matt Watchinski
++Brian Caswell
++Nigel Houghton
++Judy Novak
++
++--
++Additional References:
++
++Other:
++http://www.appsecinc.com/Policy/PolicyCheck97.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2545.txt
+@@ -0,0 +1,63 @@
++Rule:
++
++--
++Sid:
++2545
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in AppleFileServer.
++
++--
++
++Impact:
++Serious. Unauthorized remote administrative access.
++
++--
++Detailed Information:
++AppleFileServer is used to share files and mount remote drives between
++machines using Apple Macintosh OS X. An error in the processing of
++PathName may lead to a buffer overflow. If the length of a string for
++AFPName is longer than the declared length, the buffer will be
++overflowed and may present an attacker with the opportunity to execute
++code of their choosing.
++
++--
++
++Attack Scenarios:
++An attacker can supply an AFPName longer than what is expected by the
++service and overwrite portions of memory leading to the execution of
++code.
++
++--
++
++Ease of Attack:
++Simple
++
++--
++
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++
++Corrective Action:
++Disable AFP if not needed
++
++Apply the appropriate vendor supplied patch
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/100000822.txt
+@@ -0,0 +1,58 @@
++
++
++Rule:
++
++--
++Sid:
++100000822
++--
++Summary:
++This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver.
Access to the file "reply.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "reply.php" script used by the "VBZooM" application running on a webserver.
++
++If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
++
++This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++All systems running CGI applications using VBZooM
++--
++Attack Scenarios:
++An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Vulnerability Research Team
++Nigel Houghton
++--
++Additional References:
++
++SQL Injection Attack and Defense
++http://www.securitydocs.com/library/3587
++
++--
++
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1871.txt
+@@ -0,0 +1,64 @@
++Rule:
++
++--
++Sid:
++1871
++
++--
++Summary:
++This event is generated when an attempt is made to access an Oracle
++Application Server's XSQLConfig.xml configuration file.
++
++--
++Impact:
++Serious
++
++--
++Detailed Information:
++With the default installation of Oracle's Application Server, it is
++possible for an unauthorized user to view the XSQLConfig.xml file. This
++file contains information such as the database server's name, user id's,
++and passwords.
++
++--
++Affected Systems:
++ Oracle 9i Application Server
++
++--
++Attack Scenarios:
++An attacker can use this to find out information about the database and
++then use that information to compromise the server.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply appropriate permissions to the file.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++Snort documentation contributed by Josh Sakofsky
++
++--
++Additional References:
++
++CVE:
++http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0568
++
++Nessus:
++http://cgi.nessus.org/plugins/dump.php3?id=10855
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1705.txt
+@@ -0,0 +1,69 @@
++Rule:
++
++--
++Sid:
++1705
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in a CGI web application running on a server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server or application. Possible execution
++of arbitrary code of the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to gain unauthorized
++access to a CGI application running ona web server. Some applications do
++not perform stringent checks when validating the credentials of a client
++host connecting to the services offered on a host server. This can lead
++to unauthorized access and possibly escalated privileges to that of the
++administrator. Data stored on the machine can be compromised and trust
++relationships between the victim server and other hosts can be exploited by the attacker.
++
++If stringent input checks are not performed by the CGI application, it
++may also be possible for an attacker to execute system binaries or
++malicious code of the attackers choosing.
++
++--
++Affected Systems:
++ All systems running CGI applications
++
++--
++Attack Scenarios:
++An attacker can access an authentication mechanism and supply his/her
++own credentials to gain access. Alternatively the attacker can exploit
++weaknesses to gain access as the administrator by supplying input of
++their choosing to the underlying CGI script.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/121.txt
+@@ -0,0 +1,112 @@
++Rule:
++
++--
++Sid:
++121
++
++--
++Summary:
++Infector is a Trojan Horse.
++
++--
++Impact:
++Possible theft of data via download, upload of files, execution of files
++and reboot the targeted machine.
++
++--
++Detailed Information:
++This Trojan affects the following operating systems:
++
++ Windows 95
++ Windows 98
++ Windows ME
++
++The Trojan changes system registry settings to add the Infector sever to
++programs normally started on boot. Due to the nature of this Trojan it
++is unlikely that the attacker's client IP address has been spoofed.
++
++ SID Message
++ --- -------
++ 117 Infector 1.x
++ 120 Infector 1.6 Server to Client
++ 121 Infector 1.6 Client to Server Connection Request
++
++This Trojan is commonly used to install other Trojan programs.
++
++The Trojan also makes changes to the system registry and win.ini file.
++
++Notification of an active server is achieved via IRC or ICQ.
++
++--
++Attack Scenarios:
++This Trojan may be delivered to the target in a number of ways. This
++event is indicative of an existing infection being activated. Initial
++compromise can be in the form of a Win32 installation program that may
++use the extension ".jpg" or ".bmp" when delivered via e-mail for
++example.
++
++--
++Ease of Attack:
++This is Trojan activity, the target machine may already be compromised.
++Updated virus definition files are essential in detecting this Trojan.
++
++The Trojan server is located at :\WINDOWS\Apxil32.exe a backup
++copy is made and usually named D3x32.drv.
++
++--
++False Positives:
++None Known
++
++--
++False Negatives:
++None Known
++
++--
++Corrective Action:
++
++Edit the system registry to remove the extra keys or restore a
++previously known good copy of the registry.
++
++Affected registry keys are:
++
++ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
++ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
++
++Registry keys added are:
++
++ apxil32 = apxil32.exe
++
++Removal of this entry is required.
++
++Delete the file :\WINDOWS\Apxil32.exe
++
++Ending the Trojan process is also necessary. A reboot of the infected
++machine is recommended.
++
++A change is also made to the win.ini file, the line run=apxil32.exe
++apxil32.exe is added and should be deleted.
++
++--
++Contributors:
++Original Rule Writer Max Vision
++Sourcefire Research Team
++Nigel Houghton
++
++--
++Additional References:
++
++Whitehats arachNIDS
++http://www.whitehats.com/info/IDS315
++http://www.whitehats.com/info/IDS502
++http://www.whitehats.com/info/IDS503
++
++Diamond Computer Systems Security Advisory
++http://www.diamondcs.com.au/web/alerts/infector.htm
++
++Megasecurity:
++http://www.megasecurity.org/trojans/i/infector/Infector_all.html
++
++Simovits:
++http://www.simovits.com/trojans/tr_data/y1627.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/1082.txt
+@@ -0,0 +1,71 @@
++Rule:
++
++--
++Sid:
++1082
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability on a web server or a web application resident on a web
++server.
++
++--
++Impact:
++Information gathering and system integrity compromise. Possible unauthorized
++administrative access to the server. Possible execution of arbitrary code of
++the attackers choosing in some cases.
++
++--
++Detailed Information:
++This event is generated when an attempt is made to compromise a host
++running a Web server or a vulnerable application on a web server.
++
++Many known vulnerabilities exist for each implementation and the
++attack scenarios are legion.
++
++Some applications do not perform stringent checks when validating the
++credentials of a client host connecting to the services offered on a
++host server. This can lead to unauthorized access and possibly escalated
++privileges to that of the administrator. Data stored on the machine can
++be compromised and trust relationships between the victim server and
++other hosts can be exploited by the attacker.
++
++--
++Affected Systems:
++ All systems using a web server.
++
++--
++Attack Scenarios:
++Many attack vectors are possible from simple directory traversal to
++exploitation of buffer overflow conditions.
++
++--
++Ease of Attack:
++Simple. Exploits exist.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Ensure the system is using an up to date version of the software and has
++had all vendor supplied patches applied.
++
++Check the host logfiles and application logs for signs of compromise.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2493.txt
+@@ -0,0 +1,93 @@
++Rule:
++
++--
++Sid:
++2493
++
++--
++Summary:
++This rule no longer generates an event when an attempt is made to exploit a known
++vulnerability in Microsoft RPC DCOM.
++
++--
++Impact:
++Execution of arbitrary code leading to full administrator access of the
++machine. Denial of Service (DoS).
++
++--
++Detailed Information:
++This rule now uses flowbits and can be set to generate an event by
++modifying the rule slightly to remove the "flowbits:no_alert;" option.
++When traffic is detected that attempts to bind to the ISystemActivator
++object in MS RPC DCOM communications this rule now activates sids 2351
++and 2352 to detect exploits against this service. Cool huh?
++
++A vulnerability exists in Microsoft RPC DCOM such that execution of
++arbitrary code or a Denial of Service condition can be issued against a
++host by sending malformed data via RPC.
++
++The Distributed Component Object Model (DCOM) handles DCOM requests sent
++by clients to a server using RPC. A malformed request to an RPC port
++will result in a buffer overflow condition that will present the
++attacker with the opportunity to execute arbitrary code with the
++privileges of the local system account.
++
++This vulnerability is also exploited by the Billy/Blaster worm.
The worm
++also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
++number of events generated by this rule may indicate worm activity.
++
++--
++Affected Systems:
++ Windows NT 4.0
++ Windows NT 4.0 Terminal Server Edition
++ Windows 2000
++ Windows XP
++ Windows Server 2003
++
++--
++Attack Scenarios:
++An attacker may make a request for a file with an overly long filename
++via a network share.
++
++--
++Ease of Attack:
++Simple. Expoit code exists. This is also exploited by a worm.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Block access to RPC ports 135, 139 and 445 for both TCP and UDP
++protocols from external sources using a packet filtering firewall.
++
++Block access to port 69 used by the worm to propogate.
++
++Block access to port 4444 used by the worm.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++Microsoft:
++http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
++
++CVE:
++http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
++
++Symantec:
++http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
++
++--
+--- /dev/null
++++ snort-2.9.2/doc/signatures/2344.txt
+@@ -0,0 +1,59 @@
++Rule:
++
++--
++Sid:
++2344
++
++--
++Summary:
++This event is generated when an attempt is made to exploit a known
++vulnerability in ArGoSoft FTP Server.
++
++--
++Impact:
++Execution of arbitrary code. Possible unauthorized administrative access.
++
++--
++Detailed Information:
++ArGoSoft FTP Server fails to perform sufficient checks on user supplied data to the
++XCWD command. An attacker may exploit this vulnerability to execute code of
++their choosing as the user running the process. This may lead to remote
++administrative access to the server.
++
++--
++Affected Systems:
++ ArGoSoft FTP Server 1.4.1 .1
++
++--
++Attack Scenarios:
++An attacker may connect to the server and supply spurious data to the
++XCWD command causing the overrun to occur.
++
++--
++Ease of Attack:
++Simple.
++
++--
++False Positives:
++None known.
++
++--
++False Negatives:
++None known.
++
++--
++Corrective Action:
++Apply the appropriate vendor supplied patches.
++
++Upgrade to the latest non-affected version of the software.
++
++--
++Contributors:
++Sourcefire Research Team
++Brian Caswell
++Nigel Houghton
++
++--
++Additional References:
++
++--
diff -Nru snort-2.9.0.1/debian/po/ca.po snort-2.9.2/debian/po/ca.po
--- snort-2.9.0.1/debian/po/ca.po 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/po/ca.po 2011-12-27 14:03:58.000000000 -0800
@@ -6,7 +6,7 @@
 msgstr ""
 "Project-Id-Version: snort_2.0.1-2_templates\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2008-05-01 21:28+0200\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2005-02-26 10:41+0100\n"
 "Last-Translator: Aleix Badia i Bosch \n"
 "Language-Team: Debian L10n Catalan \n"
@@ -245,50 +245,29 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -#, fuzzy -#| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +msgid "Should daily summaries be sent by e-mail?" msgstr "" -"S'hauria de canviar l'ordre de comprovació de les regles del Snort per Pass|" -"Alert|Log?" #. Type: boolean #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "Should daily summaries be sent by e-mail?" -msgstr "" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 #, fuzzy #| msgid "Who should receive the daily statistics mails?" msgid "Recipient of daily statistics mails:" 
@@ -296,8 +275,8 @@ #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." @@ -305,29 +284,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 #, fuzzy #| msgid "" #| "An alert needs to appear more times than this number to be included in " 
@@ -341,15 +320,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." @@ -357,33 +336,8 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Obsolete configuration file" @@ -391,8 +345,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 #, fuzzy msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." 
@@ -408,8 +362,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 #, fuzzy msgid "" "Please review the new configuration and remove the obsolete one. Until you " @@ -425,7 +379,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 #, fuzzy #| msgid "Do you want to set up a database for snort-mysql to log to?" msgid "Set up a database for snort-mysql to log to?" @@ -434,7 +388,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -442,7 +396,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -452,7 +406,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -460,7 +414,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -468,13 +422,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 #, fuzzy #| msgid "" #| "Make sure it has been set up correctly to allow incoming connections from " @@ -488,13 +442,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -502,13 +456,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 #, fuzzy #| msgid "" #| "Make sure this database has been created and your database user has write " @@ -521,7 +475,7 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 #, fuzzy #| msgid "Please enter the password for the database connection" msgid "Password for the database connection:" 
@@ -529,7 +483,7 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 #, fuzzy #| msgid "Please enter a password to connect to the Snort Alert database." msgid "" @@ -540,13 +494,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 #, fuzzy msgid "" "Snort needs a configured database before it can successfully start up. In " @@ -562,7 +516,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -570,7 +524,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -578,7 +532,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 #, fuzzy msgid "" "After you have created the database structure, you will need to start Snort " @@ -589,7 +543,7 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 #, fuzzy #| msgid "Do you want to set up a database for snort-pgsql to log to?" msgid "Set up a database for snort-pgsql to log to?" @@ -598,7 +552,7 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." 
@@ -606,7 +560,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -614,7 +568,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." @@ -665,6 +619,35 @@ "S'han trobat les opcions obsoletes següents:\n" "${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" + +#, fuzzy +#~| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "S'hauria de canviar l'ordre de comprovació de les regles del Snort per " +#~ "Pass|Alert|Log?" + #, fuzzy #~| msgid "You are running Snort manually." #~ msgid "You are running Snort manually" diff -Nru snort-2.9.0.1/debian/po/cs.po snort-2.9.2/debian/po/cs.po --- snort-2.9.0.1/debian/po/cs.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/cs.po 2011-12-27 14:03:58.000000000 -0800 @@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-28 12:13+0200\n" "Last-Translator: Jan Outrata \n" "Language-Team: Czech \n" 
@@ -202,33 +202,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Má být poÅ™adí testovaní Snortu zmÄ›nÄ›no na Pass|Alert|Log?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Výchozí poÅ™adí testování Snortu je Alert|Pass|Log; pokud tuto volbu " -"odsouhlasíte, bude poÅ™adí zmÄ›nÄ›no na Pass|Alert|Log, což může usnadnit " -"použití Snortu s nÄ›kterými nástroji filtrace paketů." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Mají se denní souhrny zasílat e-mailem?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -238,22 +218,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Zvolte, zda chcete aktivovat tuto možnost." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Příjemce denních mailů se statistikami:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -263,29 +243,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Další vlastní volby:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Zadejte jakékoliv další volby, které by mÄ›l Snort použít." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minimální poÄet výskytů pÅ™ed hlášením upozornÄ›ní:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -295,15 +275,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Vyžadován restart Snortu" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -313,44 +293,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Chyba konfigurace" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"Aktuální konfigurace Snortu je neplatná a Snort nebude možné normálnÄ› " -"spustit. Zkontrolujte a opravte ji." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Pro diagnostikování chyby v konfiguraÄním souboru Snortu použijte '/usr/sbin/" -"snort -T -c '." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Zastaralý konfiguraÄní soubor" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -362,8 +313,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -375,13 +326,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Nastavit databázi, do které má snort-mysql logovat?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -391,7 +342,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -404,7 +355,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -414,7 +365,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -424,13 +375,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Jméno databázového serveru:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -440,13 +391,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Jméno databáze:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -456,13 +407,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Uživatelské jméno pro přístup k databázi:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -471,26 +422,26 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Heslo pro pÅ™ipojení k databázi:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "Zadejte heslo pro pÅ™ipojení k Snort Alert databázi." #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Nutná nastavená databáze pro Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -501,7 +452,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -511,7 +462,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -521,7 +472,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -529,13 +480,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Nastavit databázi, do které má snort-pgsql logovat?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -545,7 +496,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -555,7 +506,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -595,6 +546,44 @@ "V konfiguraÄním souboru byly nalezeny následující zruÅ¡ené volby: " "${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Chyba konfigurace" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Aktuální konfigurace Snortu je neplatná a Snort nebude možné normálnÄ› " +"spustit. Zkontrolujte a opravte ji." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Pro diagnostikování chyby v konfiguraÄním souboru Snortu použijte '/usr/sbin/" +"snort -T -c '." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Má být poÅ™adí testovaní Snortu zmÄ›nÄ›no na Pass|Alert|Log?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Výchozí poÅ™adí testování Snortu je Alert|Pass|Log; pokud tuto volbu " +#~ "odsouhlasíte, bude poÅ™adí zmÄ›nÄ›no na Pass|Alert|Log, což může usnadnit " +#~ "použití Snortu s nÄ›kterými nástroji filtrace paketů." + #~ msgid "You are running Snort manually" #~ msgstr "SpouÅ¡títe Snort ruÄnÄ›" diff -Nru snort-2.9.0.1/debian/po/de.po snort-2.9.2/debian/po/de.po --- snort-2.9.0.1/debian/po/de.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/de.po 2011-12-27 14:03:58.000000000 -0800 
@@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: snort_2.7.0-10_de\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-20 22:17+0200\n" "Last-Translator: Erik Schanze \n" "Language-Team: German \n" @@ -207,33 +207,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Soll Snorts Reihenfolge der Tests auf Pass|Alert|Log geändert werden?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Snorts Standard-Testreihenfolge ist Alert|Pass|Log; wenn Sie hier zustimmen, " -"wird die Reihenfolge in Pass|Alert|Log geändert, was die Nutzung von Snort " -"mit einigen Paketfilter-Programmen vereinfachen kann." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Sollen tägliche Zusammenfassungen per E-Mail verschickt werden?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -243,22 +223,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Bitte stimmen Sie zu, wenn Sie das wollen." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Empfänger der täglichen Statistik-E-Mails:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -268,29 +248,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Zusätzliche benutzerspezifische Optionen:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Bitte geben Sie alle weiteren Optionen ein, die Snort benutzen soll." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minimale Ereignisanzahl ab der Alarme gemeldet werden:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." 
@@ -300,15 +280,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Neustart von Snort erforderlich" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -318,44 +298,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Fehler in den Einstellungen" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"Die aktuellen Einstellungen von Snort sind ungültig und verhindern einen " -"normalen Start von Snort. Bitte kontrollieren und berichtigen Sie diese." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Benutzen Sie den Befehl '/usr/sbin/snort -T -c ', um Fehler in einer " -"Konfigurationsdatei von Snort zu finden." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Veraltete Konfigurationsdatei" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -367,8 +318,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -380,13 +331,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Eine Protokoll-Datenbank für Snort-mysql einrichten?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -396,7 +347,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -410,7 +361,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -420,7 +371,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -430,13 +381,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Rechnername des Datenbank-Servers:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -446,13 +397,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Datenbankname:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -462,13 +413,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Benutzername für den Datenbankzugriff:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -477,13 +428,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Passwort für die Datenbankverbindung:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -491,13 +442,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Eingerichtete Datenbank für Snort nötig" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -509,7 +460,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -519,7 +470,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -529,7 +480,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -539,13 +490,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Eine Protokoll-Datenbank für Snort-pgsql einrichten?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -555,7 +506,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -565,7 +516,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -604,3 +555,42 @@ msgstr "" "Folgende veraltete Optionen wurden in der Konfigurationsdatei gefunden: " "${DEP_CONFIG}." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Fehler in den Einstellungen" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Die aktuellen Einstellungen von Snort sind ungültig und verhindern einen " +"normalen Start von Snort. Bitte kontrollieren und berichtigen Sie diese." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Benutzen Sie den Befehl '/usr/sbin/snort -T -c ', um Fehler in einer " +"Konfigurationsdatei von Snort zu finden." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "Soll Snorts Reihenfolge der Tests auf Pass|Alert|Log geändert werden?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Snorts Standard-Testreihenfolge ist Alert|Pass|Log; wenn Sie hier " +#~ "zustimmen, wird die Reihenfolge in Pass|Alert|Log geändert, was die " +#~ "Nutzung von Snort mit einigen Paketfilter-Programmen vereinfachen kann." diff -Nru snort-2.9.0.1/debian/po/es.po snort-2.9.2/debian/po/es.po --- snort-2.9.0.1/debian/po/es.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/es.po 2011-12-27 14:03:58.000000000 -0800 
@@ -31,7 +31,7 @@ msgstr "" "Project-Id-Version: snort debconf 2.1.0-4.1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-27 23:44+0200\n" "Last-Translator: Javier Fernandez-Sanguino Peña \n" "Language-Team: Debian Spanish \n" @@ -231,34 +231,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "¿Deberían cambiarse el orden de las pruebas a Pasar|Alertar|Registrar?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"El orden de pruebas por omisión para Snort es Alertar|Pasar|Registrar, si " -"acepta esta opción el orden se modificará a Pasar|Alertar|Registrar que " -"puede ser más sencillo para utilizar Snort con algunas herramientas de " -"filtrado de paquetes." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "¿Deberían enviarse resúmenes por correo electrónico?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -268,22 +247,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Indique si quiere activar esta funcionalidad." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Destinatario de los correos de estadísticas diarias:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -293,30 +272,30 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Opciones adicionales a medida:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Indique las opciones adicionales que Snort debería utilizar." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "" "Número mínimo de ocurrencias antes de incluir una alerta en los informes:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." 
@@ -326,15 +305,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Es necesario reiniciar Snort" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -344,44 +323,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Error de configuración" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"La configuración actual de Snort es inválida e impedirá que Snort se " -"ejecute. Por favor, revísela y corríjala." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Puede diagnosticar los errores en el fichero de configuración utilizando «/" -"usr/sbin/snort -T -c »." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Fichero de configuración obsoleto" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -393,8 +343,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -407,7 +357,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "" "¿Quiere configurar una base de datos a la que snort-mysql enviará los " @@ -415,7 +365,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -425,7 +375,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -439,7 +389,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -449,7 +399,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -459,13 +409,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Nombre del servidor de base de datos:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -475,13 +425,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Nombre de la base de datos:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -491,13 +441,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Nombre de usuario para el acceso a la base de datos:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -506,13 +456,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Contraseña para la conexión con la base de datos:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -521,13 +471,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Es necesario configurar una base de datos para Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -539,7 +489,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -549,7 +499,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -559,7 +509,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -569,13 +519,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "¿Quiere preparar una base de datos para que la utilice snort-pgsql?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -585,7 +535,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -596,7 +546,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -636,6 +586,46 @@ "Se encontraron las siguientes opciones obsoletas en el fichero de " "configuración: ${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Error de configuración" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"La configuración actual de Snort es inválida e impedirá que Snort se " +"ejecute. Por favor, revísela y corríjala." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Puede diagnosticar los errores en el fichero de configuración utilizando «/" +"usr/sbin/snort -T -c »." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "¿Deberían cambiarse el orden de las pruebas a Pasar|Alertar|Registrar?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "El orden de pruebas por omisión para Snort es Alertar|Pasar|Registrar, si " +#~ "acepta esta opción el orden se modificará a Pasar|Alertar|Registrar que " +#~ "puede ser más sencillo para utilizar Snort con algunas herramientas de " +#~ "filtrado de paquetes." + #~ msgid "You are running Snort manually" #~ msgstr "Está ejecutando Snort manualmente" diff -Nru snort-2.9.0.1/debian/po/eu.po snort-2.9.2/debian/po/eu.po --- snort-2.9.0.1/debian/po/eu.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/eu.po 2011-12-27 14:03:58.000000000 -0800 
@@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: snort-eu\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-30 12:13+0200\n" "Last-Translator: Piarres Beobide \n" "Language-Team: Euskara \n" @@ -196,33 +196,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Snort probatze ordena Pasa|Alerta|Erregistro-ra aldatu?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Snort-en proba orden lehenetsia Alerta|Pasa|Erregistroa da; aukera hau " -"onartzen baduzu berau Pasa|Alerta|Erregistroa izatera pasako da zenbait " -"pakete-iragazte lanabesekin Snort erabiltzea errazagoa izan dadin." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Eguneko laburpena eposta bidez bidali behar al da?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -232,22 +212,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Mesedez hautatu ezaugarri hau gaitu nahi duzun." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Eguneroko estatistika eposta hartzailea:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -257,29 +237,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Aukera pertsonal gehigarriak:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Mesedez ezarri Snort-ek erabili behar duen edozein aukera gehigarri." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Alertak erreportatzeko errepikatze gutxienekoa:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -289,15 +269,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Snort berrabiaraztea beharrezkoa" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -307,44 +287,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Konfigurazio errorea" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"Dagoen Snort konfigurazioa baliogabea da eta Snort behar bezala abiaraztea " -"ezintzen du. Mesedez egiaztatu eta konpondu ezazu." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Snort konfigurazio fitxategian errore bat aztertzeko '/usr/sbin/snort -T -c " -"' erabili." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Zaharkitutako konfigurazio fitxategia" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -356,8 +307,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -369,13 +320,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Datubase bat konfiguratu snort-mysql bertan erregistratzeko?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -385,7 +336,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -399,7 +350,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -409,7 +360,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -419,13 +370,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Datubase zerbitzari ostalari-izena:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -435,13 +386,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Datu-base izena:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -451,13 +402,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Datubasea atzitzeko erabiltzaile-izena:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -466,13 +417,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Datubase konexiorako pasahitza:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -480,13 +431,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Konfiguratutako datubasea beharrezkoa Snort erabiltzeko" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -498,7 +449,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -509,7 +460,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -519,7 +470,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -528,13 +479,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Datubase bat konfiguratu snort-pgsql bertan erregistratzeko?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -544,7 +495,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -555,7 +506,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -595,6 +546,44 @@ "Hurrengo zaharkituriko aukerak aurkitu dira konfigurazio fitxategian: " "${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Konfigurazio errorea" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Dagoen Snort konfigurazioa baliogabea da eta Snort behar bezala abiaraztea " +"ezintzen du. Mesedez egiaztatu eta konpondu ezazu." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Snort konfigurazio fitxategian errore bat aztertzeko '/usr/sbin/snort -T -c " +"' erabili." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Snort probatze ordena Pasa|Alerta|Erregistro-ra aldatu?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Snort-en proba orden lehenetsia Alerta|Pasa|Erregistroa da; aukera hau " +#~ "onartzen baduzu berau Pasa|Alerta|Erregistroa izatera pasako da zenbait " +#~ "pakete-iragazte lanabesekin Snort erabiltzea errazagoa izan dadin." + #~ msgid "You are running Snort manually" #~ msgstr "Snort eskuz exekutatzen ari zara" diff -Nru snort-2.9.0.1/debian/po/fi.po snort-2.9.2/debian/po/fi.po --- snort-2.9.0.1/debian/po/fi.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/fi.po 2011-12-27 14:03:58.000000000 -0800 
@@ -2,7 +2,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-28 07:39+0200\n" "Last-Translator: Esko Arajärvi \n" "Language-Team: debian-l10n-finnish@lists.debian.org \n" @@ -193,35 +193,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "" -"Tulisiko Snortin sääntöjen testausjärjestykseksi vaihtaa Pass|Alert|Log?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Oletuksena Snortin sääntöjen testausjärjestys on Alert|Pass|log. Jos " -"valitset tämän vaihtoehdon, järjestykseksi vaihdetaan Pass|Alert|Log, mikä " -"saattaa helpottaa Snortin käyttöä joidenkin pakettiensuodatustyökalujen " -"kanssa." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Tulisiko päivittäiset yhteenvedot lähettää sähköpostilla?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -231,22 +209,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Valitse otetaanko tämä ominaisuus käyttöön." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Päivittäisten tilastosähköpostien vastaanottaja:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -256,29 +234,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Mukauttavat lisäasetukset:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Anna mahdolliset lisäasetukset, joita Snortin tulisi käyttää." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Varoituksen esiintymiskertojen vähimmäismäärä:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -288,15 +266,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Snort tulee käynnistää uudelleen" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -306,44 +284,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Asetusvirhe" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"Snortin nykyiset asetukset ovat virheelliset ja estävät Snortin normaalin " -"käynnistyksen. Tarkista ja korjaa ne." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Snortin asetustiedoston virheitä voidaan etsiä komennolla â€/usr/sbin/snort -" -"T -c â€." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Vanhentunut asetustiedosto" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " @@ -355,8 +304,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " 
@@ -368,13 +317,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Alustetaanko tietokanta snort-mysql:n lokeja varten?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -384,7 +333,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -398,7 +347,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -408,7 +357,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." @@ -418,13 +367,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Tietokantapalvelimen verkkonimi:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." 
@@ -434,13 +383,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Tietokannan nimi:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -450,13 +399,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Tietokantayhteydessä käytettävä käyttäjätunnus:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" @@ -465,13 +414,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Tietokantayhteyden salasana:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" 
@@ -479,13 +428,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Snortin tietokannan asetusten teko pakollista" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -497,7 +446,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -507,7 +456,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -517,7 +466,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." @@ -525,13 +474,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Alustetaanko tietokanta snort-pgsql:n lokeja varten?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -541,7 +490,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " 
@@ -551,7 +500,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -591,6 +540,46 @@ "Asetustiedostosta löytyi seuraavat käytöstä poistetut valitsimet:\n" " ${DEB_CONFIG}." +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Asetusvirhe" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Snortin nykyiset asetukset ovat virheelliset ja estävät Snortin normaalin " +"käynnistyksen. Tarkista ja korjaa ne." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Snortin asetustiedoston virheitä voidaan etsiä komennolla â€/usr/sbin/snort -" +"T -c â€." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "Tulisiko Snortin sääntöjen testausjärjestykseksi vaihtaa Pass|Alert|Log?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Oletuksena Snortin sääntöjen testausjärjestys on Alert|Pass|log. Jos " +#~ "valitset tämän vaihtoehdon, järjestykseksi vaihdetaan Pass|Alert|Log, " +#~ "mikä saattaa helpottaa Snortin käyttöä joidenkin " +#~ "pakettiensuodatustyökalujen kanssa." + #~ msgid "You are running Snort manually" #~ msgstr "Snortia ajetaan manuaalisesti" diff -Nru snort-2.9.0.1/debian/po/fr.po snort-2.9.2/debian/po/fr.po --- snort-2.9.0.1/debian/po/fr.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/fr.po 2011-12-27 14:03:58.000000000 -0800 
@@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-06 14:44+0200\n" "Last-Translator: Christian Perrier \n" "Language-Team: French \n" @@ -199,36 +199,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "" -"Faut-il modifier l'ordre de vérification de Snort en « Pass|Alert|Log » ?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"L'ordre de vérification par défaut de Snort est « Alert|Pass|Log » (alerter, " -"faire passer puis journaliser). Si vous choisissez cette option, l'ordre " -"sera modifié pour utiliser « Pass|Alert|Log » (faire passer, alerter puis " -"journaliser), ce qui peut simplifier l'utilisation de Snort avec certains " -"outils de filtrage de paquets." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Faut-il envoyer des rapports quotidiens par courriel ?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -238,22 +215,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Veuillez choisir si vous souhaitez activer cette fonctionnalité." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Destinataire des courriers électroniques quotidiens de statistiques :" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -263,29 +240,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Options personnelles supplémentaires :" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Veuillez indiquer les options supplémentaires qu'utilisera Snort." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Nombre d'occurrences minimales avant l'envoi d'alertes :" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." 
@@ -295,15 +272,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Redémarrage de Snort indispensable" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -313,44 +290,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Erreur de configuration" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"La configuration actuelle de Snort n'est pas valable et l'empêchera de " -"démarrer. Veuillez la contrôler et la corriger." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Le diagnostic des erreurs du fichier de configuration de Snort peut se faire " -"avec la commande « /usr/sbin/snort -T -c  »." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Fichier de configuration obsolète" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -362,8 +310,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -376,7 +324,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "" "Faut-il configurer une base de données pour la journalisation de snort-" @@ -384,7 +332,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -394,7 +342,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -408,7 +356,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -418,7 +366,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -428,13 +376,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Nom d'hôte du serveur de bases de données :" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -444,13 +392,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Nom de la base de données :" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -460,13 +408,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Identifiant de connexion au serveur de bases de données :" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -475,13 +423,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Mot de passe de connexion au serveur de bases de données :" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -490,13 +438,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Base de données configurée obligatoire pour Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -508,7 +456,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -518,7 +466,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -528,7 +476,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -538,7 +486,7 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "" "Faut-il configurer une base de données pour la journalisation de snort-" @@ -546,7 +494,7 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -556,7 +504,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -566,7 +514,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -605,6 +553,47 @@ msgstr "" "Liste des options obsolètes dans le fichier de configuration : ${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Erreur de configuration" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"La configuration actuelle de Snort n'est pas valable et l'empêchera de " +"démarrer. Veuillez la contrôler et la corriger." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Le diagnostic des erreurs du fichier de configuration de Snort peut se faire " +"avec la commande « /usr/sbin/snort -T -c  »." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "Faut-il modifier l'ordre de vérification de Snort en « Pass|Alert|Log » ?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "L'ordre de vérification par défaut de Snort est « Alert|Pass|" +#~ "Log » (alerter, faire passer puis journaliser). Si vous choisissez cette " +#~ "option, l'ordre sera modifié pour utiliser « Pass|Alert|Log » (faire " +#~ "passer, alerter puis journaliser), ce qui peut simplifier l'utilisation " +#~ "de Snort avec certains outils de filtrage de paquets." + #~ msgid "You are running Snort manually" #~ msgstr "Utilisation manuelle de Snort" diff -Nru snort-2.9.0.1/debian/po/gl.po snort-2.9.2/debian/po/gl.po --- snort-2.9.0.1/debian/po/gl.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/gl.po 2011-12-27 14:03:58.000000000 -0800 
@@ -6,7 +6,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-06 20:22+0100\n" "Last-Translator: Jacobo Tarrio \n" "Language-Team: Galician \n" @@ -195,33 +195,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "¿Débese cambiar a orde de comprobación de Snort a Pass|Alert|Log?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"A orde de comprobación por defecto de Snort é Alert|Pass|Log; se acepta esta " -"opción, a orde hase cambiar a Pass|Alert|Log, o que pode simplificar o uso " -"de Snort con algunhas ferramentas de filtrado de paquetes." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "¿Débense enviar os resumos diarios por email?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -231,22 +211,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Indique se quere activar esta característica." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Destinatario dos emails diarios de estatísticas:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -256,29 +236,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Opcións personalizadas adicionais:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Indique as opcións adicionais que quere que empregue Snort." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Número mínimo de aparicións antes de informar das alertas:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -288,15 +268,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Precísase de reiniciar Snort" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -306,44 +286,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Erro na configuración" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"A configuración actual de Snort non é valida e ha impedir que Snort se " -"inicie normalmente. Revísea e corríxaa." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Para diagnosticar un erro nun ficheiro de configuración de Snort, empregue " -"\"/usr/sbin/snort -T -c \"." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Ficheiro de configuración obsoleto" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -355,8 +306,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -368,13 +319,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "¿Configurar unha base de datos para os rexistros de snort-mysql?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -384,7 +335,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -398,7 +349,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -408,7 +359,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -418,13 +369,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Nome do servidor de bases de datos:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -434,13 +385,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Nome da base de datos:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -450,13 +401,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Nome de usuario para acceder á base de datos:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -465,13 +416,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Contrasinal para a conexión á base de datos:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -480,13 +431,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Snort precisa dunha base de datos configurada" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -498,7 +449,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -508,7 +459,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -518,7 +469,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -528,13 +479,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "¿Configurar unha base de datos para os rexistros de snort-pgsql?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -544,7 +495,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -554,7 +505,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -594,6 +545,44 @@ "Atopáronse as seguintes opcións obsoletas no ficheiro de configuración: " "${DEP_CONFIG}." +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Erro na configuración" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"A configuración actual de Snort non é valida e ha impedir que Snort se " +"inicie normalmente. Revísea e corríxaa." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Para diagnosticar un erro nun ficheiro de configuración de Snort, empregue " +"\"/usr/sbin/snort -T -c \"." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "¿Débese cambiar a orde de comprobación de Snort a Pass|Alert|Log?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "A orde de comprobación por defecto de Snort é Alert|Pass|Log; se acepta " +#~ "esta opción, a orde hase cambiar a Pass|Alert|Log, o que pode simplificar " +#~ "o uso de Snort con algunhas ferramentas de filtrado de paquetes." + #~ msgid "You are running Snort manually" #~ msgstr "Está a executar Snort manualmente" diff -Nru snort-2.9.0.1/debian/po/it.po snort-2.9.2/debian/po/it.po --- snort-2.9.0.1/debian/po/it.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/it.po 2011-12-27 14:03:58.000000000 -0800 
@@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-20 19:37+0100\n" "Last-Translator: Gianluca Cotrino \n" "Language-Team: Italian \n" @@ -199,33 +199,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Cambiare l'ordine delle regole di test di Snort in Pass|Alert|Log?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"L'ordine di testing default di Snort è Alert|Pass|Log; se si accetta questa " -"opzione, l'ordine verrà cambiato in Pass|Alert|Log, che può rendere più " -"semplice usare Snort con alcuni strumenti packet-filtering." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Trasmettere via e-mail i riepiloghi giornalieri?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -235,22 +215,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Scegliere se si desidera attivare questa funzione." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Destinazione delle mail statistiche quotidiane:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -260,29 +240,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Opzioni personalizzate aggiuntive:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Specificare ogni altra eventuale opzione che Snort dovrebbe usare." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Numero minimo necessario prima che gli alert siano rapportati:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -292,15 +272,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Riavvio di Snort necessario" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -310,44 +290,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Errore di configurazione" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"La corrente configurazione di Snort non è valida ed impedirà a Snort di " -"avviarsi normalmente. Prego, rivederla e correggerla." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Per diagnosticare un errore in un file di configurazione di Snort, usare '/" -"usr/sbin/snort -T -c '." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "File di configurazione obsoleto" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -359,8 +310,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -372,13 +323,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Impostare un database per i log di snort-mysql?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -388,7 +339,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -402,7 +353,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -412,7 +363,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -422,13 +373,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Hostname del server database:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -438,13 +389,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Nome del database:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -454,13 +405,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Nome utente per l'accesso al database:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -469,13 +420,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Password per la connessione al database:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -484,13 +435,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Database configurato obbligatorio per Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -502,7 +453,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -512,7 +463,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -522,7 +473,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -532,13 +483,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Configurare un database per i log di snort-pgsql?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -548,7 +499,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -558,7 +509,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -598,6 +549,44 @@ "Le seguenti opzioni deprecate sono state trovate nel file di configurazione: " "${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Errore di configurazione" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"La corrente configurazione di Snort non è valida ed impedirà a Snort di " +"avviarsi normalmente. Prego, rivederla e correggerla." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Per diagnosticare un errore in un file di configurazione di Snort, usare '/" +"usr/sbin/snort -T -c '." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Cambiare l'ordine delle regole di test di Snort in Pass|Alert|Log?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "L'ordine di testing default di Snort è Alert|Pass|Log; se si accetta " +#~ "questa opzione, l'ordine verrà cambiato in Pass|Alert|Log, che può " +#~ "rendere più semplice usare Snort con alcuni strumenti packet-filtering." + #~ msgid "You are running Snort manually" #~ msgstr "Si sta eseguendo Snort manualmente" diff -Nru snort-2.9.0.1/debian/po/ja.po snort-2.9.2/debian/po/ja.po --- snort-2.9.0.1/debian/po/ja.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/ja.po 2011-12-27 14:03:58.000000000 -0800 
@@ -12,584 +12,574 @@ # Developers do not need to manually edit POT or PO files. # # -msgid "" -msgstr "" -"Project-Id-Version: snort 2.8.1-2\n" -"Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" -"PO-Revision-Date: 2008-12-21 22:26+0900\n" -"Last-Translator: Hideki Yamane (Debian-JP) \n" -"Language-Team: Japanese \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: select -#. Choices -#: ../snort.templates:1001 ../snort-mysql.templates:1001 -#: ../snort-pgsql.templates:1001 -msgid "boot" -msgstr "起動時" - -#. Type: select -#. Choices -#: ../snort.templates:1001 ../snort-mysql.templates:1001 -#: ../snort-pgsql.templates:1001 -msgid "dialup" -msgstr "ダイヤルアップ時" - -#. Type: select -#. Choices -#: ../snort.templates:1001 ../snort-mysql.templates:1001 -#: ../snort-pgsql.templates:1001 -msgid "manual" -msgstr "手動" - -#. Type: select -#. Description -#: ../snort.templates:1002 ../snort-mysql.templates:1002 -#: ../snort-pgsql.templates:1002 -msgid "Snort start method:" -msgstr "snort ã®èµ·å‹•方法:" - -#. Type: select -#. Description -#: ../snort.templates:1002 ../snort-mysql.templates:1002 -#: ../snort-pgsql.templates:1002 -msgid "" -"Snort can be started during boot, when connecting to the net with pppd or " -"only manually with the /usr/sbin/snort command." -msgstr "" -"Snort ã¯ã€ã‚·ã‚¹ãƒ†ãƒ èµ·å‹•中ã€pppd を利用ã—ã¦ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã«æ¥ç¶šã—ãŸæ™‚ã€ã¾ãŸã¯ " -"/usr/sbin/snort コãƒãƒ³ãƒ‰ã‚’手動ã§å®Ÿè¡Œã—ãŸæ™‚ã®ã¿ã€ã®ã„ãšã‚Œã‹ã§èµ·å‹•ã§ãã¾ã™ã€‚" - -#. Type: string -#. Description -#: ../snort.templates:2001 ../snort-mysql.templates:2001 -#: ../snort-pgsql.templates:2001 -msgid "Interface(s) which Snort should listen on:" -msgstr "Snort ㌠listen ã™ã‚‹ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス:" - -#. Type: string -#. 
Description -#: ../snort.templates:2001 ../snort-mysql.templates:2001 -#: ../snort-pgsql.templates:2001 -msgid "" -"This value is usually 'eth0', but this may be inappropriate in some network " -"environments; for a dialup connection 'ppp0' might be more appropiate (see " -"the output of '/sbin/ifconfig')." -msgstr "" -"ã“ã“ã§ã®å€¤ã¯é€šå¸¸ 'eth0' ã§ã™ãŒã€ç’°å¢ƒã‚ˆã£ã¦ã¯å¤‰æ›´ã—ãŸã„ã‹ã‚‚ã—れã¾ã›ã‚“: ダイヤ" -"ルアップæ¥ç¶šã‚’利用ã—ã¦ã„ã‚‹å ´åˆã¯ã€'ppp0' ãŒã‚ˆã‚Šé©åˆ‡ã§ã—ょㆠ('/sbin/ifconfig' " -"ã®å‡ºåŠ›ã‚’ç¢ºèªã—ã¦ãã ã•ã„)。" - -#. Type: string -#. Description -#: ../snort.templates:2001 ../snort-mysql.templates:2001 -#: ../snort-pgsql.templates:2001 -msgid "" -"Typically, this is the same interface as the 'default route' is on. You can " -"determine which interface is used for this by running '/sbin/route -n' (look " -"for '0.0.0.0')." -msgstr "" -"大抵ã®å ´åˆã€ã“れ㯠'default route' ãŒå­˜åœ¨ã™ã‚‹ã‚‚ã®ã¨åŒã˜ã§ã™ã€‚ã©ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§" -"イスを使ã†ã‹ã¯ '/sbin/route -n' を実行ã—㦠('0.0.0.0' ã‚’æ¢ã—ã¦)ã€æ±ºå®šã§ãã¾ã™ã€‚" - -#. Type: string -#. Description -#: ../snort.templates:2001 ../snort-mysql.templates:2001 -#: ../snort-pgsql.templates:2001 -msgid "" -"It is also not uncommon to use an interface with no IP address configured in " -"promiscuous mode. For such cases, select the interface in this system that " -"is physically connected to the network that should be inspected, enable " -"promiscuous mode later on and make sure that the network traffic is sent to " -"this interface (either connected to a 'port mirroring/spanning' port in a " -"switch, to a hub or to a tap)." 
-msgstr "" -"IP を付ä¸ã—ã¦ã„ãªã„インターフェイス上㧠promiscuous モード㮠Snort を動作ã•ã›" -"ã‚‹ã®ã¯ã‚ã¾ã‚Šä¸€èˆ¬çš„ã§ã¯ã‚りã¾ã›ã‚“。ã“ã®ã‚ˆã†ãªå ´åˆã€å—信を行ã„ãŸã„ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯" -"ã«å¯¾ã—ã¦ç‰©ç†çš„ã«æ¥ç¶šã•れã¦ã„ã‚‹ã“ã®ã‚·ã‚¹ãƒ†ãƒ ä¸Šã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§ã‚¤ã‚¹ã‚’é¸æŠã—ã€å¾Œã»" -"ã© promiscuous モードを有効ã«ã—ã¦ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ãƒˆãƒ©ãƒ•ィックãŒã“ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイ" -"ス (スイッãƒã® 'port mirrorining/spanning' ãƒãƒ¼ãƒˆã‹ãƒãƒ–ã€ã‚ã‚‹ã„ã¯ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯" -"ã‚¿ãƒƒãƒ—ã«æ¥ç¶šã•れã¦ã„ã¾ã™) ã«å±Šã„ã¦ã„ã‚‹ã®ã‚’確èªã—ã¦ãã ã•ã„。" - -#. Type: string -#. Description -#: ../snort.templates:2001 ../snort-mysql.templates:2001 -#: ../snort-pgsql.templates:2001 -msgid "" -"You can configure multiple interfaces, just by adding more than one " -"interface name separated by spaces. Each interface can have its own specific " -"configuration." -msgstr "" -"一ã¤ã‚ˆã‚Šå¤šã„インターフェイスåã¯ç©ºç™½ã§åŒºåˆ‡ã£ã¦è¿½åŠ ã™ã‚‹ã“ã¨ã§ã€è¤‡æ•°ã®ã‚¤ãƒ³ã‚¿ãƒ¼" -"フェイスを設定ã§ãã¾ã™ã€‚インターフェイスã”ã¨ã«å›ºæœ‰ã®è¨­å®šãŒå¯èƒ½ã§ã™ã€‚" - -#. Type: string -#. Description -#: ../snort.templates:3001 ../snort-mysql.templates:3001 -#: ../snort-pgsql.templates:3001 -msgid "Address range for the local network:" -msgstr "ローカルãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ç¯„囲:" - -#. Type: string -#. Description -#: ../snort.templates:3001 ../snort-mysql.templates:3001 -#: ../snort-pgsql.templates:3001 -msgid "" -"Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " -"addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" -"separated (without spaces)." -msgstr "" -"CIDR å½¢å¼ã§è¨˜è¿°ã—ã¦ãã ã•ã„。例ãˆã° 192.168.1.0/24 㯠256 個ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãƒ–ロック" -"ã§ã€192.168.1.42/32 㯠1 個ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨ãªã‚Šã¾ã™ã€‚複数ã®å€¤ã®å ´åˆã€(スペースã§ã¯" -"ãªã) カンãƒã§åŒºåˆ‡ã£ã¦è¨˜è¿°ã—ã¾ã—ょã†ã€‚" - -#. Type: string -#. 
Description -#: ../snort.templates:3001 ../snort-mysql.templates:3001 -#: ../snort-pgsql.templates:3001 -msgid "" -"Please note that if Snort is configured to use multiple interfaces, it will " -"use this value as the HOME_NET definition for all of them." -msgstr "" -"Snort ãŒè¤‡æ•°ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイスを使ã†ã‚ˆã†ã«è¨­å®šã•れã¦ã„ã‚‹å ´åˆã€ã“ã®å€¤ã¯å…¨ã¦ã®" -"インターフェイス㮠HOME_NET 定義ã¨ã—ã¦åˆ©ç”¨ã•れるã“ã¨ã«æ³¨æ„ã—ã¦ãã ã•ã„。" - -#. Type: boolean -#. Description -#: ../snort.templates:4001 ../snort-mysql.templates:4001 -#: ../snort-pgsql.templates:4001 -msgid "Should Snort disable promiscuous mode on the interface?" -msgstr "Snort ã¯ã€ã“ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス㧠promiscuous モードを無効ã«ã—ã¾ã™ã‹?" - -#. Type: boolean -#. Description -#: ../snort.templates:4001 ../snort-mysql.templates:4001 -#: ../snort-pgsql.templates:4001 -msgid "" -"Disabling promiscuous mode means that Snort will only see packets addressed " -"to the interface it is monitoring. Enabling it allows Snort to check every " -"packet that passes the Ethernet segment even if it's a connection between " -"two other computers." -msgstr "" -"promiscuous モードを無効ã«ã™ã‚‹ã¨ã€Snort ã¯è‡ªèº«ãŒãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ã—ã¦ã„るインター" -"フェイスã¸å‘ã‘られãŸãƒ‘ケットã®ã¿ã‚’監視ã—ã¾ã™ã€‚有効ã«ã™ã‚‹ã¨ã€è‡ªèº«ä»¥å¤–ã®ä»–ã®ã‚³ãƒ³" -"ピュータ間ã®ã‚„りå–りをå«ã‚ãŸã‚¤ãƒ¼ã‚µãƒãƒƒãƒˆã‚»ã‚°ãƒ¡ãƒ³ãƒˆä¸Šã®å…¨ã¦ã®ãƒ‘ケットをãƒã‚§ãƒƒã‚¯" -"ã™ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚" - -#. Type: error -#. Description -#: ../snort.templates:5001 ../snort-mysql.templates:5001 -#: ../snort-pgsql.templates:5001 -msgid "Invalid interface" -msgstr "䏿­£ãªã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス" - -#. Type: error -#. Description -#: ../snort.templates:5001 ../snort-mysql.templates:5001 -#: ../snort-pgsql.templates:5001 -msgid "" -"Snort is trying to use an interface which does not exist or is down. Either " -"it is defaulting inappropriately to 'eth0', or you specified one which is " -"invalid." 
-msgstr "" -"Snort ãŒå­˜åœ¨ã—ã¦ã„ãªã„ã€ã‚ã‚‹ã„ã¯ãƒ€ã‚¦ãƒ³ã—ã¦ã„るインターフェイスを使ãŠã†ã¨ã—ã¦ã„ã¾ã™ã€‚" -"é©åˆ‡ã§ã¯ãªãデフォルトã«ã•れã¦ã„ã‚‹ 'eth0'ã€ã‚ã‚‹ã„ã¯ã‚ãªãŸãŒæŒ‡å®šã—ãŸã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス" -"ã¯æ­£ã—ãã‚りã¾ã›ã‚“。" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Snort ã®ãƒ«ãƒ¼ãƒ«ã‚»ãƒƒãƒˆã®ãƒ†ã‚¹ãƒˆé †ã‚’ Pass|Alert|Log ã«å¤‰æ›´ã—ã¾ã™ã‹?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Snort ã®ãƒ‡ãƒ•ォルトã®ãƒ†ã‚¹ãƒˆé †ã¯ Alert|Pass|Log ã§ã™ã€‚ã“ã®ã‚ªãƒ—ションを有効ã«ã™ã‚‹ã¨" -"ã€é †ç•ªãŒ Pass|Alert|Log ã«å¤‰æ›´ã•れã€Snort をパケットフィルタリングツールã¨ä¸€ç·’ã«" -"使ã†ã®ãŒç°¡å˜ã«ãªã‚Šã¾ã™ã€‚" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "Should daily summaries be sent by e-mail?" -msgstr "ãƒ¡ãƒ¼ãƒ«ã§æ¯æ—¥ã‚µãƒãƒªã‚’é€ã‚Šã¾ã™ã‹?" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "" -"A cron job can be set up to send daily summaries of Snort logs to a selected " -"e-mail address." -msgstr "" -"cron ã‚¸ãƒ§ãƒ–ã§æŒ‡å®šã—ãŸãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã« Snort ãƒ­ã‚°ã®æ—¥æ¬¡ã‚µãƒãƒªã‚’é€ã‚‹ã‚ˆã†ã«è¨­å®šã§ãã¾ã™ã€‚" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "Please choose whether you want to activate this feature." -msgstr "ã“ã®æ©Ÿèƒ½ã‚’有効ã«ã™ã‚‹ã‹ã©ã†ã‹ã‚’鏿Šã—ã¦ãã ã•ã„。" - -#. Type: string -#. 
Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 -msgid "Recipient of daily statistics mails:" -msgstr "日次統計ã®ãƒ¡ãƒ¼ãƒ«ã®å®›å…ˆ:" - -#. Type: string -#. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 -msgid "" -"Please specify the e-mail address that should receive daily summaries of " -"Snort logs." -msgstr "" -"Snort ãƒ­ã‚°ã®æ—¥æ¬¡ã‚µãƒãƒªã‚’å—ã‘å–れるメールアドレスを指定ã—ã¦ãã ã•ã„。" - -#. Type: string -#. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 -msgid "Additional custom options:" -msgstr "追加ã®ã‚«ã‚¹ã‚¿ãƒ ã‚ªãƒ—ション:" - -#. Type: string -#. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 -msgid "Please specify any additional options Snort should use." -msgstr "Snort ãŒä½¿ã†è¿½åŠ ã®ã‚ªãƒ—ションを指定ã—ã¦ãã ã•ã„。" - -#. Type: string -#. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 -msgid "Minimum occurrences before alerts are reported:" -msgstr "アラートを報告ã™ã‚‹æœ€å°ç™ºç”Ÿä»¶æ•°:" - -#. Type: string -#. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 -msgid "" -"Please enter the minimum number of alert occurrences before a given alert is " -"included in the daily statistics." -msgstr "" -"ã‚¢ãƒ©ãƒ¼ãƒˆãŒæ—¥æ™‚統計ã«å«ã‚られる場åˆã®æœ€å°ã‚¢ãƒ©ãƒ¼ãƒˆç™ºç”Ÿæ•°ã‚’入力ã—ã¦ãã ã•ã„。" - -#. Type: note -#. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 -msgid "Snort restart required" -msgstr "Snort ã®å†èµ·å‹•ãŒå¿…è¦ã§ã™" - -#. Type: note -#. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 -msgid "" -"As Snort is manually launched, you need to run '/etc/init.d/snort' for the " -"changes to take place." 
-msgstr "" -"Snort ãŒæ‰‹å‹•ã§èµ·å‹•ã•れãŸå ´åˆã¨åŒæ§˜ã«ã€å¤‰æ›´ã‚’åæ˜ ã™ã‚‹ã«ã¯ '/etc/init.d/snort' " -"を実行ã™ã‚‹å¿…è¦ãŒã‚りã¾ã™ã€‚" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "設定エラー" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"ç¾åœ¨ã® Snort ã®è¨­å®šãŒæ­£ã—ããªã„ã®ã§ã€Snort ã¯æ­£å¸¸ã«èµ·å‹•ã—ã¾ã›ã‚“。確èªã®ä¸Šã§ä¿®æ­£" -"ã—ã¦ãã ã•ã„。" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Snort ã®è¨­å®šãƒ•ァイル中ã®ã‚¨ãƒ©ãƒ¼ã‚’分æã™ã‚‹ã«ã¯ã€'/usr/sbin/snort -T -c ' " -"ã¨ã—ã¦ãã ã•ã„。" - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 -msgid "Obsolete configuration file" -msgstr "å¤ã無効ãªè¨­å®šãƒ•ァイル" - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 -msgid "" -"This system uses an obsolete configuration file (/etc/snort/snort.common." -"parameters) which has been automatically converted into the new " -"configuration file format (at /etc/default/snort)." -msgstr "" -"ã“ã®ã‚·ã‚¹ãƒ†ãƒ ãŒä½¿ã£ã¦ã„ã‚‹ã€æ—¢ã«åˆ©ç”¨ã§ããªã„設定ファイル (/etc/snort/snort." -"common.parameters) ã¯è‡ªå‹•çš„ã«æ–°ã—ã„è¨­å®šãƒ•ã‚¡ã‚¤ãƒ«å½¢å¼ (/etc/default/snort) " -"ã«å¤‰æ›ã•れã¾ã™ã€‚" - - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 -msgid "" -"Please review the new configuration and remove the obsolete one. 
Until you " -"do this, the initialization script will not use the new configuration and " -"you will not take advantage of the benefits introduced in newer releases." -msgstr "" -"æ–°ã—ã„設定を確èªã—ã¦ã€å¤ã„設定を削除ã—ã¦ãã ã•ã„。å¤ã„設定ãŒå‰Šé™¤ã•れるã¾ã§ã€" -"åˆæœŸåŒ–ã‚¹ã‚¯ãƒªãƒ—ãƒˆã¯æ–°ã—ã„設定を使ãŠã†ã¨ã¯ã—ãªã„ã®ã§ã€æ–°ã—ã„リリースã§ã®æ©æµã‚’" -"享å—ã™ã‚‹ã“ã¨ã¯ã§ãã¾ã›ã‚“。" - -#. Type: boolean -#. Description -#: ../snort-mysql.templates:14001 -msgid "Set up a database for snort-mysql to log to?" -msgstr "snort-mysql を利用ã—ã¦ãƒ­ã‚°ã«è¨˜éŒ²ã™ã‚‹ãŸã‚ã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚’設定ã—ã¾ã™ã‹?" - -#. Type: boolean -#. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 -msgid "" -"No database has been set up for Snort to log to. Before continuing, you " -"should make sure you have:" -msgstr "" -"Snort ãŒãƒ­ã‚°ã‚’ä¿å­˜ã™ã‚‹ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ãŒè¨­å®šã•れã¦ã„ã¾ã›ã‚“。設定を続ã‘ã‚‹å‰ã«" -"以下を確èªã—ã¦ãŠãå¿…è¦ãŒã‚りã¾ã™:" - -#. Type: boolean -#. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 -msgid "" -" - the server host name (that server must allow TCP connections\n" -" from this machine);\n" -" - a database on that server;\n" -" - a username and password to access the database." -msgstr "" -" - サーãƒã®ãƒ›ã‚¹ãƒˆå (サーãƒã¯ã“ã®ãƒã‚·ãƒ³ã‹ã‚‰ã® TCP æ¥ç¶šã‚’許å¯ã—ã¦ã„ã‚‹\n" -" å¿…è¦ãŒã‚りã¾ã™);\n" -" - 上記サーãƒä¸Šã®ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹;\n" -" - データベースã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ãŸã‚ã®ãƒ¦ãƒ¼ã‚¶åã¨ãƒ‘スワード" - -#. Type: boolean -#. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 -msgid "" -"If some of these requirements are missing, reject this option and run with " -"regular file logging support." -msgstr "" -"ã“ã®å¿…è¦ãªè¨­å®šã®ã©ã‚Œã‹ãŒåˆ†ã‹ã‚‰ãªã„å ´åˆã¯ã€ã“ã®ã‚ªãƒ—ションを使ã‚ãšã«é€šå¸¸ã®ãƒ•ァイル" -"ã§ã®ãƒ­ã‚°è¨­å®šã§å‹•作ã•ã›ã¦ãã ã•ã„。" - -#. Type: boolean -#. Description -#: ../snort-mysql.templates:14001 -msgid "" -"Database logging can be reconfigured later by running 'dpkg-reconfigure -" -"plow snort-mysql'." 
-msgstr "" -"データベースã§ã®ãƒ­ã‚°å集設定をã—ãŸã„å ´åˆã¯ã€å¾Œã»ã© 'dpkg-reconfigure -plow " -"snort-mysql' を実行ã—ã¾ã™ã€‚" - -#. Type: string -#. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 -msgid "Database server hostname:" -msgstr "データベースサーãƒã®ãƒ›ã‚¹ãƒˆå:" - -#. Type: string -#. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 -msgid "" -"Please specify the host name of a database server that allows incoming " -"connections from this host." -msgstr "" -"ã“ã®ãƒ›ã‚¹ãƒˆã‹ã‚‰ã®æ¥ç¶šè¦æ±‚を許å¯ã—ã¦ã„るデータベースサーãƒã®ãƒ›ã‚¹ãƒˆåを指定ã—ã¦" -"ãã ã•ã„。" - -#. Type: string -#. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 -msgid "Database name:" -msgstr "データベースå:" - -#. Type: string -#. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 -msgid "" -"Please specify the name of an existing database to which the database user " -"has write access." -msgstr "" -"ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ãƒ¦ãƒ¼ã‚¶ãŒæ›¸ãè¾¼ã¿æ¨©é™ã‚’æŒã£ã¦ã„る既存ã®ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹åを指定ã—ã¦ãã ã•ã„。" - -#. Type: string -#. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 -msgid "Username for database access:" -msgstr "データベースã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«ä½¿ã†ãƒ¦ãƒ¼ã‚¶å:" - -#. Type: string -#. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 -msgid "" -"Please specify a database server username with write access to the database." -msgstr "" -"データベースã¸ã®æ›¸ãè¾¼ã¿æ¨©é™ãŒã‚るデータベースサーãƒã®ãƒ¦ãƒ¼ã‚¶åを指定ã—ã¦ãã ã•ã„。" - -#. Type: password -#. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 -msgid "Password for the database connection:" -msgstr "データベースæ¥ç¶šã«ä½¿ç”¨ã™ã‚‹ãƒ‘スワード:" - -#. Type: password -#. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 -msgid "" -"Please enter the password to use to connect to the Snort Alert database." 
-msgstr "" -"Snort ã®ã‚¢ãƒ©ãƒ¼ãƒˆãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ ã«æ¥ç¶šã™ã‚‹éš›ã«ä½¿ç”¨ã™ã‚‹ãƒ‘スワードを入力" -"ã—ã¦ãã ã•ã„。" - -#. Type: note -#. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 -msgid "Configured database mandatory for Snort" -msgstr "Snort 用ã«ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚’強制的ã«è¨­å®š" - -#. Type: note -#. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 -msgid "" -"Snort needs a configured database before it can successfully start up. In " -"order to create the structure you need to run the following commands AFTER " -"the package is installed:" -msgstr "" -"Snort ãŒæ­£ã—ã動作ã™ã‚‹å‰ã«ã¯ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã®è¨­å®šãŒå¿…è¦ã§ã™ã€‚データベースを作æˆ" -"ã™ã‚‹ã«ã¯ã€ãƒ‘ッケージインストール「後ã€ã«ä»¥ä¸‹ã®ã‚³ãƒãƒ³ãƒ‰ã‚’入力ã™ã‚‹å¿…è¦ãŒã‚りã¾" -"ã™:" - -#. Type: note -#. Description -#: ../snort-mysql.templates:19001 -msgid "" -" cd /usr/share/doc/snort-mysql/\n" -" zcat create_mysql.gz | mysql -u -h -p " -msgstr "" -" cd /usr/share/doc/snort-mysql/\n" -" zcat create_mysql.gz | mysql -u -h -p " - -#. Type: note -#. Description -#: ../snort-mysql.templates:19001 -msgid "" -"Fill in the correct values for the user, host, and database names. MySQL " -"will prompt you for the password." -msgstr "" -"ユーザåã€ãƒ›ã‚¹ãƒˆåã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹åã«ã¯ãれãれ正ã—ã„値を入れã¦ãã ã•ã„。MySQL " -"ãŒãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’è¦æ±‚ã—ã¾ã™ã€‚" - -#. Type: note -#. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 -msgid "" -"After you have created the database structure, you will need to start Snort " -"manually." -msgstr "データベースã®ä½œæˆå¾Œã€æ‰‹å‹•ã§ Snort ã‚’èµ·å‹•ã™ã‚‹å¿…è¦ãŒã‚りã¾ã™ã€‚" - -#. Type: boolean -#. Description -#: ../snort-pgsql.templates:14001 -msgid "Set up a database for snort-pgsql to log to?" -msgstr "snort-pqsql を利用ã—ã¦ãƒ­ã‚°ã«è¨˜éŒ²ã™ã‚‹ãŸã‚ã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚’設定ã—ã¾ã™ã‹?" - -#. Type: boolean -#. 
Description -#: ../snort-pgsql.templates:14001 -msgid "" -"Database logging can be reconfigured later by running 'dpkg-reconfigure -" -"plow snort-pgsql'." -msgstr "" -"データベースã§ã®ãƒ­ã‚°å集設定をã—ãŸã„å ´åˆã¯ã€å¾Œã»ã© 'dpkg-reconfigure -plow " -"snort-pgsql' を実行ã—ã¾ã™ã€‚" - -#. Type: note -#. Description -#: ../snort-pgsql.templates:19001 -msgid "" -" cd /usr/share/doc/snort-pgsql/\n" -" zcat create_postgresql.gz | psql -U -h -W " -msgstr "" -" cd /usr/share/doc/snort-pgsql/\n" -" zcat create_postgresql.gz | psql -U -h -W " - -#. Type: note -#. Description -#: ../snort-pgsql.templates:19001 -msgid "" -"Fill in the correct values for the user, host, and database names. " -"PostgreSQL will prompt you for the password." -msgstr "" -"ユーザåã€ãƒ›ã‚¹ãƒˆåã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹åã«ã¯ãれãれ正ã—ã„値を入れã¦ãã ã•ã„。" -"PostgreSQL ãŒãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’è¦æ±‚ã—ã¾ã™ã€‚" - -#. Type: note -#. Description -#: ../snort-common.templates:1001 -msgid "Deprecated configuration file" -msgstr "無効ã«ã•れãŸè¨­å®šãƒ•ァイル" - -#. Type: note -#. Description -#: ../snort-common.templates:1001 -msgid "" -"The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " -"no longer available for this Snort release. Snort will not be able to start " -"unless you provide a correct configuration file. Either allow the " -"configuration file to be replaced with the one provided in this package or " -"fix it manually by removing deprecated options." -msgstr "" -"Snort ã®è¨­å®šãƒ•ァイル (/etc/snort/snort.conf) ã¯ã€ä»Šå›ã® Snort ã®ãƒªãƒªãƒ¼ã‚¹ä»¥é™" -"使ãˆãªããªã£ã¦ã„る無効ãªã‚ªãƒ—ションを指定ã—ã¦ã„ã¾ã™ã€‚設定ファイルを修正ã—ãªã„é™ã‚Š" -"èµ·å‹•ã§ããªããªã‚Šã¾ã™ã€‚設定ファイルをã“ã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒæä¾›ã—ã¦ã„ã‚‹ã‚‚ã®ã«ç½®æ›ã™ã‚‹ã‹ã€" -"無効ãªã‚ªãƒ—ションを手動ã§å‰Šé™¤ã™ã‚‹ã‹ã™ã‚Œã°èµ·å‹•出æ¥ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚" - -#. Type: note -#. 
Description -#: ../snort-common.templates:1001 -msgid "" -"The following deprecated options were found in the configuration file: " -"${DEP_CONFIG}" -msgstr "設定ファイルã§ä»¥ä¸‹ã®ç„¡åйãªã‚ªãƒ—ションãŒè¦‹ã¤ã‹ã‚Šã¾ã—ãŸ: ${DEP_CONFIG}" - +msgid "" +msgstr "" +"Project-Id-Version: snort 2.8.1-2\n" +"Report-Msgid-Bugs-To: snort@packages.debian.org\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" +"PO-Revision-Date: 2008-12-21 22:26+0900\n" +"Last-Translator: Hideki Yamane (Debian-JP) \n" +"Language-Team: Japanese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../snort.templates:1001 ../snort-mysql.templates:1001 +#: ../snort-pgsql.templates:1001 +msgid "boot" +msgstr "起動時" + +#. Type: select +#. Choices +#: ../snort.templates:1001 ../snort-mysql.templates:1001 +#: ../snort-pgsql.templates:1001 +msgid "dialup" +msgstr "ダイヤルアップ時" + +#. Type: select +#. Choices +#: ../snort.templates:1001 ../snort-mysql.templates:1001 +#: ../snort-pgsql.templates:1001 +msgid "manual" +msgstr "手動" + +#. Type: select +#. Description +#: ../snort.templates:1002 ../snort-mysql.templates:1002 +#: ../snort-pgsql.templates:1002 +msgid "Snort start method:" +msgstr "snort ã®èµ·å‹•方法:" + +#. Type: select +#. Description +#: ../snort.templates:1002 ../snort-mysql.templates:1002 +#: ../snort-pgsql.templates:1002 +msgid "" +"Snort can be started during boot, when connecting to the net with pppd or " +"only manually with the /usr/sbin/snort command." +msgstr "" +"Snort ã¯ã€ã‚·ã‚¹ãƒ†ãƒ èµ·å‹•中ã€pppd を利用ã—ã¦ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã«æ¥ç¶šã—ãŸæ™‚ã€ã¾ãŸã¯ /" +"usr/sbin/snort コãƒãƒ³ãƒ‰ã‚’手動ã§å®Ÿè¡Œã—ãŸæ™‚ã®ã¿ã€ã®ã„ãšã‚Œã‹ã§èµ·å‹•ã§ãã¾ã™ã€‚" + +#. Type: string +#. Description +#: ../snort.templates:2001 ../snort-mysql.templates:2001 +#: ../snort-pgsql.templates:2001 +msgid "Interface(s) which Snort should listen on:" +msgstr "Snort ㌠listen ã™ã‚‹ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス:" + +#. Type: string +#. 
Description +#: ../snort.templates:2001 ../snort-mysql.templates:2001 +#: ../snort-pgsql.templates:2001 +msgid "" +"This value is usually 'eth0', but this may be inappropriate in some network " +"environments; for a dialup connection 'ppp0' might be more appropiate (see " +"the output of '/sbin/ifconfig')." +msgstr "" +"ã“ã“ã§ã®å€¤ã¯é€šå¸¸ 'eth0' ã§ã™ãŒã€ç’°å¢ƒã‚ˆã£ã¦ã¯å¤‰æ›´ã—ãŸã„ã‹ã‚‚ã—れã¾ã›ã‚“: ダイヤ" +"ルアップæ¥ç¶šã‚’利用ã—ã¦ã„ã‚‹å ´åˆã¯ã€'ppp0' ãŒã‚ˆã‚Šé©åˆ‡ã§ã—ょㆠ('/sbin/" +"ifconfig' ã®å‡ºåŠ›ã‚’ç¢ºèªã—ã¦ãã ã•ã„)。" + +#. Type: string +#. Description +#: ../snort.templates:2001 ../snort-mysql.templates:2001 +#: ../snort-pgsql.templates:2001 +msgid "" +"Typically, this is the same interface as the 'default route' is on. You can " +"determine which interface is used for this by running '/sbin/route -n' (look " +"for '0.0.0.0')." +msgstr "" +"大抵ã®å ´åˆã€ã“れ㯠'default route' ãŒå­˜åœ¨ã™ã‚‹ã‚‚ã®ã¨åŒã˜ã§ã™ã€‚ã©ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§" +"イスを使ã†ã‹ã¯ '/sbin/route -n' を実行ã—㦠('0.0.0.0' ã‚’æ¢ã—ã¦)ã€æ±ºå®šã§ãã¾" +"ã™ã€‚" + +#. Type: string +#. Description +#: ../snort.templates:2001 ../snort-mysql.templates:2001 +#: ../snort-pgsql.templates:2001 +msgid "" +"It is also not uncommon to use an interface with no IP address configured in " +"promiscuous mode. For such cases, select the interface in this system that " +"is physically connected to the network that should be inspected, enable " +"promiscuous mode later on and make sure that the network traffic is sent to " +"this interface (either connected to a 'port mirroring/spanning' port in a " +"switch, to a hub or to a tap)." 
+msgstr "" +"IP を付ä¸ã—ã¦ã„ãªã„インターフェイス上㧠promiscuous モード㮠Snort を動作ã•ã›" +"ã‚‹ã®ã¯ã‚ã¾ã‚Šä¸€èˆ¬çš„ã§ã¯ã‚りã¾ã›ã‚“。ã“ã®ã‚ˆã†ãªå ´åˆã€å—信を行ã„ãŸã„ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯" +"ã«å¯¾ã—ã¦ç‰©ç†çš„ã«æ¥ç¶šã•れã¦ã„ã‚‹ã“ã®ã‚·ã‚¹ãƒ†ãƒ ä¸Šã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§ã‚¤ã‚¹ã‚’é¸æŠã—ã€å¾Œã»" +"ã© promiscuous モードを有効ã«ã—ã¦ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ãƒˆãƒ©ãƒ•ィックãŒã“ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイ" +"ス (スイッãƒã® 'port mirrorining/spanning' ãƒãƒ¼ãƒˆã‹ãƒãƒ–ã€ã‚ã‚‹ã„ã¯ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯" +"ã‚¿ãƒƒãƒ—ã«æ¥ç¶šã•れã¦ã„ã¾ã™) ã«å±Šã„ã¦ã„ã‚‹ã®ã‚’確èªã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../snort.templates:2001 ../snort-mysql.templates:2001 +#: ../snort-pgsql.templates:2001 +msgid "" +"You can configure multiple interfaces, just by adding more than one " +"interface name separated by spaces. Each interface can have its own specific " +"configuration." +msgstr "" +"一ã¤ã‚ˆã‚Šå¤šã„インターフェイスåã¯ç©ºç™½ã§åŒºåˆ‡ã£ã¦è¿½åŠ ã™ã‚‹ã“ã¨ã§ã€è¤‡æ•°ã®ã‚¤ãƒ³ã‚¿ãƒ¼" +"フェイスを設定ã§ãã¾ã™ã€‚インターフェイスã”ã¨ã«å›ºæœ‰ã®è¨­å®šãŒå¯èƒ½ã§ã™ã€‚" + +#. Type: string +#. Description +#: ../snort.templates:3001 ../snort-mysql.templates:3001 +#: ../snort-pgsql.templates:3001 +msgid "Address range for the local network:" +msgstr "ローカルãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ç¯„囲:" + +#. Type: string +#. Description +#: ../snort.templates:3001 ../snort-mysql.templates:3001 +#: ../snort-pgsql.templates:3001 +msgid "" +"Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " +"addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" +"separated (without spaces)." +msgstr "" +"CIDR å½¢å¼ã§è¨˜è¿°ã—ã¦ãã ã•ã„。例ãˆã° 192.168.1.0/24 㯠256 個ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãƒ–ロッ" +"クã§ã€192.168.1.42/32 㯠1 個ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨ãªã‚Šã¾ã™ã€‚複数ã®å€¤ã®å ´åˆã€(スペース" +"ã§ã¯ãªã) カンãƒã§åŒºåˆ‡ã£ã¦è¨˜è¿°ã—ã¾ã—ょã†ã€‚" + +#. Type: string +#. 
Description +#: ../snort.templates:3001 ../snort-mysql.templates:3001 +#: ../snort-pgsql.templates:3001 +msgid "" +"Please note that if Snort is configured to use multiple interfaces, it will " +"use this value as the HOME_NET definition for all of them." +msgstr "" +"Snort ãŒè¤‡æ•°ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイスを使ã†ã‚ˆã†ã«è¨­å®šã•れã¦ã„ã‚‹å ´åˆã€ã“ã®å€¤ã¯å…¨ã¦ã®" +"インターフェイス㮠HOME_NET 定義ã¨ã—ã¦åˆ©ç”¨ã•れるã“ã¨ã«æ³¨æ„ã—ã¦ãã ã•ã„。" + +#. Type: boolean +#. Description +#: ../snort.templates:4001 ../snort-mysql.templates:4001 +#: ../snort-pgsql.templates:4001 +msgid "Should Snort disable promiscuous mode on the interface?" +msgstr "Snort ã¯ã€ã“ã®ã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス㧠promiscuous モードを無効ã«ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../snort.templates:4001 ../snort-mysql.templates:4001 +#: ../snort-pgsql.templates:4001 +msgid "" +"Disabling promiscuous mode means that Snort will only see packets addressed " +"to the interface it is monitoring. Enabling it allows Snort to check every " +"packet that passes the Ethernet segment even if it's a connection between " +"two other computers." +msgstr "" +"promiscuous モードを無効ã«ã™ã‚‹ã¨ã€Snort ã¯è‡ªèº«ãŒãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ã—ã¦ã„るインター" +"フェイスã¸å‘ã‘られãŸãƒ‘ケットã®ã¿ã‚’監視ã—ã¾ã™ã€‚有効ã«ã™ã‚‹ã¨ã€è‡ªèº«ä»¥å¤–ã®ä»–ã®ã‚³" +"ンピュータ間ã®ã‚„りå–りをå«ã‚ãŸã‚¤ãƒ¼ã‚µãƒãƒƒãƒˆã‚»ã‚°ãƒ¡ãƒ³ãƒˆä¸Šã®å…¨ã¦ã®ãƒ‘ケットを" +"ãƒã‚§ãƒƒã‚¯ã™ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚" + +#. Type: error +#. Description +#: ../snort.templates:5001 ../snort-mysql.templates:5001 +#: ../snort-pgsql.templates:5001 +msgid "Invalid interface" +msgstr "䏿­£ãªã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ェイス" + +#. Type: error +#. Description +#: ../snort.templates:5001 ../snort-mysql.templates:5001 +#: ../snort-pgsql.templates:5001 +msgid "" +"Snort is trying to use an interface which does not exist or is down. Either " +"it is defaulting inappropriately to 'eth0', or you specified one which is " +"invalid." 
+msgstr "" +"Snort ãŒå­˜åœ¨ã—ã¦ã„ãªã„ã€ã‚ã‚‹ã„ã¯ãƒ€ã‚¦ãƒ³ã—ã¦ã„るインターフェイスを使ãŠã†ã¨ã—ã¦" +"ã„ã¾ã™ã€‚é©åˆ‡ã§ã¯ãªãデフォルトã«ã•れã¦ã„ã‚‹ 'eth0'ã€ã‚ã‚‹ã„ã¯ã‚ãªãŸãŒæŒ‡å®šã—ãŸã‚¤" +"ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§ã‚¤ã‚¹ã¯æ­£ã—ãã‚りã¾ã›ã‚“。" + +#. Type: boolean +#. Description +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 +msgid "Should daily summaries be sent by e-mail?" +msgstr "ãƒ¡ãƒ¼ãƒ«ã§æ¯æ—¥ã‚µãƒãƒªã‚’é€ã‚Šã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 +msgid "" +"A cron job can be set up to send daily summaries of Snort logs to a selected " +"e-mail address." +msgstr "" +"cron ã‚¸ãƒ§ãƒ–ã§æŒ‡å®šã—ãŸãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã« Snort ãƒ­ã‚°ã®æ—¥æ¬¡ã‚µãƒãƒªã‚’é€ã‚‹ã‚ˆã†ã«è¨­å®š" +"ã§ãã¾ã™ã€‚" + +#. Type: boolean +#. Description +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 +msgid "Please choose whether you want to activate this feature." +msgstr "ã“ã®æ©Ÿèƒ½ã‚’有効ã«ã™ã‚‹ã‹ã©ã†ã‹ã‚’鏿Šã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 +msgid "Recipient of daily statistics mails:" +msgstr "日次統計ã®ãƒ¡ãƒ¼ãƒ«ã®å®›å…ˆ:" + +#. Type: string +#. Description +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 +msgid "" +"Please specify the e-mail address that should receive daily summaries of " +"Snort logs." +msgstr "Snort ãƒ­ã‚°ã®æ—¥æ¬¡ã‚µãƒãƒªã‚’å—ã‘å–れるメールアドレスを指定ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 +msgid "Additional custom options:" +msgstr "追加ã®ã‚«ã‚¹ã‚¿ãƒ ã‚ªãƒ—ション:" + +#. Type: string +#. Description +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 +msgid "Please specify any additional options Snort should use." 
+msgstr "Snort ãŒä½¿ã†è¿½åŠ ã®ã‚ªãƒ—ションを指定ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 +msgid "Minimum occurrences before alerts are reported:" +msgstr "アラートを報告ã™ã‚‹æœ€å°ç™ºç”Ÿä»¶æ•°:" + +#. Type: string +#. Description +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 +msgid "" +"Please enter the minimum number of alert occurrences before a given alert is " +"included in the daily statistics." +msgstr "" +"ã‚¢ãƒ©ãƒ¼ãƒˆãŒæ—¥æ™‚統計ã«å«ã‚られる場åˆã®æœ€å°ã‚¢ãƒ©ãƒ¼ãƒˆç™ºç”Ÿæ•°ã‚’入力ã—ã¦ãã ã•ã„。" + +#. Type: note +#. Description +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 +msgid "Snort restart required" +msgstr "Snort ã®å†èµ·å‹•ãŒå¿…è¦ã§ã™" + +#. Type: note +#. Description +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 +msgid "" +"As Snort is manually launched, you need to run '/etc/init.d/snort' for the " +"changes to take place." +msgstr "" +"Snort ãŒæ‰‹å‹•ã§èµ·å‹•ã•れãŸå ´åˆã¨åŒæ§˜ã«ã€å¤‰æ›´ã‚’åæ˜ ã™ã‚‹ã«ã¯ '/etc/init.d/snort' " +"を実行ã™ã‚‹å¿…è¦ãŒã‚りã¾ã™ã€‚" + +#. Type: error +#. Description +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 +msgid "Obsolete configuration file" +msgstr "å¤ã無効ãªè¨­å®šãƒ•ァイル" + +#. Type: error +#. Description +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 +msgid "" +"This system uses an obsolete configuration file (/etc/snort/snort.common." +"parameters) which has been automatically converted into the new " +"configuration file format (at /etc/default/snort)." +msgstr "" +"ã“ã®ã‚·ã‚¹ãƒ†ãƒ ãŒä½¿ã£ã¦ã„ã‚‹ã€æ—¢ã«åˆ©ç”¨ã§ããªã„設定ファイル (/etc/snort/snort." +"common.parameters) ã¯è‡ªå‹•çš„ã«æ–°ã—ã„è¨­å®šãƒ•ã‚¡ã‚¤ãƒ«å½¢å¼ (/etc/default/snort) ã«å¤‰" +"æ›ã•れã¾ã™ã€‚" + +#. Type: error +#. 
Description +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 +msgid "" +"Please review the new configuration and remove the obsolete one. Until you " +"do this, the initialization script will not use the new configuration and " +"you will not take advantage of the benefits introduced in newer releases." +msgstr "" +"æ–°ã—ã„設定を確èªã—ã¦ã€å¤ã„設定を削除ã—ã¦ãã ã•ã„。å¤ã„設定ãŒå‰Šé™¤ã•れるã¾ã§ã€" +"åˆæœŸåŒ–ã‚¹ã‚¯ãƒªãƒ—ãƒˆã¯æ–°ã—ã„設定を使ãŠã†ã¨ã¯ã—ãªã„ã®ã§ã€æ–°ã—ã„リリースã§ã®æ©æµã‚’" +"享å—ã™ã‚‹ã“ã¨ã¯ã§ãã¾ã›ã‚“。" + +#. Type: boolean +#. Description +#: ../snort-mysql.templates:12001 +msgid "Set up a database for snort-mysql to log to?" +msgstr "snort-mysql を利用ã—ã¦ãƒ­ã‚°ã«è¨˜éŒ²ã™ã‚‹ãŸã‚ã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚’設定ã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 +msgid "" +"No database has been set up for Snort to log to. Before continuing, you " +"should make sure you have:" +msgstr "" +"Snort ãŒãƒ­ã‚°ã‚’ä¿å­˜ã™ã‚‹ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ãŒè¨­å®šã•れã¦ã„ã¾ã›ã‚“。設定を続ã‘ã‚‹å‰ã«ä»¥ä¸‹" +"を確èªã—ã¦ãŠãå¿…è¦ãŒã‚りã¾ã™:" + +#. Type: boolean +#. Description +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 +msgid "" +" - the server host name (that server must allow TCP connections\n" +" from this machine);\n" +" - a database on that server;\n" +" - a username and password to access the database." +msgstr "" +" - サーãƒã®ãƒ›ã‚¹ãƒˆå (サーãƒã¯ã“ã®ãƒã‚·ãƒ³ã‹ã‚‰ã® TCP æ¥ç¶šã‚’許å¯ã—ã¦ã„ã‚‹\n" +" å¿…è¦ãŒã‚りã¾ã™);\n" +" - 上記サーãƒä¸Šã®ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹;\n" +" - データベースã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ãŸã‚ã®ãƒ¦ãƒ¼ã‚¶åã¨ãƒ‘スワード" + +#. Type: boolean +#. Description +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 +msgid "" +"If some of these requirements are missing, reject this option and run with " +"regular file logging support." +msgstr "" +"ã“ã®å¿…è¦ãªè¨­å®šã®ã©ã‚Œã‹ãŒåˆ†ã‹ã‚‰ãªã„å ´åˆã¯ã€ã“ã®ã‚ªãƒ—ションを使ã‚ãšã«é€šå¸¸ã®ãƒ•ã‚¡" +"イルã§ã®ãƒ­ã‚°è¨­å®šã§å‹•作ã•ã›ã¦ãã ã•ã„。" + +#. Type: boolean +#. 
Description +#: ../snort-mysql.templates:12001 +msgid "" +"Database logging can be reconfigured later by running 'dpkg-reconfigure -" +"plow snort-mysql'." +msgstr "" +"データベースã§ã®ãƒ­ã‚°å集設定をã—ãŸã„å ´åˆã¯ã€å¾Œã»ã© 'dpkg-reconfigure -plow " +"snort-mysql' を実行ã—ã¾ã™ã€‚" + +#. Type: string +#. Description +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 +msgid "Database server hostname:" +msgstr "データベースサーãƒã®ãƒ›ã‚¹ãƒˆå:" + +#. Type: string +#. Description +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 +msgid "" +"Please specify the host name of a database server that allows incoming " +"connections from this host." +msgstr "" +"ã“ã®ãƒ›ã‚¹ãƒˆã‹ã‚‰ã®æ¥ç¶šè¦æ±‚を許å¯ã—ã¦ã„るデータベースサーãƒã®ãƒ›ã‚¹ãƒˆåを指定ã—ã¦" +"ãã ã•ã„。" + +#. Type: string +#. Description +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +msgid "Database name:" +msgstr "データベースå:" + +#. Type: string +#. Description +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +msgid "" +"Please specify the name of an existing database to which the database user " +"has write access." +msgstr "" +"ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ãƒ¦ãƒ¼ã‚¶ãŒæ›¸ãè¾¼ã¿æ¨©é™ã‚’æŒã£ã¦ã„る既存ã®ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹åを指定ã—ã¦ã" +"ã ã•ã„。" + +#. Type: string +#. Description +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +msgid "Username for database access:" +msgstr "データベースã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«ä½¿ã†ãƒ¦ãƒ¼ã‚¶å:" + +#. Type: string +#. Description +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +msgid "" +"Please specify a database server username with write access to the database." +msgstr "" +"データベースã¸ã®æ›¸ãè¾¼ã¿æ¨©é™ãŒã‚るデータベースサーãƒã®ãƒ¦ãƒ¼ã‚¶åを指定ã—ã¦ãã " +"ã•ã„。" + +#. Type: password +#. Description +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +msgid "Password for the database connection:" +msgstr "データベースæ¥ç¶šã«ä½¿ç”¨ã™ã‚‹ãƒ‘スワード:" + +#. Type: password +#. 
Description +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +msgid "" +"Please enter the password to use to connect to the Snort Alert database." +msgstr "" +"Snort ã®ã‚¢ãƒ©ãƒ¼ãƒˆãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ ã«æ¥ç¶šã™ã‚‹éš›ã«ä½¿ç”¨ã™ã‚‹ãƒ‘スワードを入力ã—ã¦ãã ã•" +"ã„。" + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +msgid "Configured database mandatory for Snort" +msgstr "Snort 用ã«ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚’強制的ã«è¨­å®š" + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +msgid "" +"Snort needs a configured database before it can successfully start up. In " +"order to create the structure you need to run the following commands AFTER " +"the package is installed:" +msgstr "" +"Snort ãŒæ­£ã—ã動作ã™ã‚‹å‰ã«ã¯ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã®è¨­å®šãŒå¿…è¦ã§ã™ã€‚データベースを作æˆ" +"ã™ã‚‹ã«ã¯ã€ãƒ‘ッケージインストール「後ã€ã«ä»¥ä¸‹ã®ã‚³ãƒãƒ³ãƒ‰ã‚’入力ã™ã‚‹å¿…è¦ãŒã‚りã¾" +"ã™:" + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 +msgid "" +" cd /usr/share/doc/snort-mysql/\n" +" zcat create_mysql.gz | mysql -u -h -p " +msgstr "" +" cd /usr/share/doc/snort-mysql/\n" +" zcat create_mysql.gz | mysql -u -h -p " + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 +msgid "" +"Fill in the correct values for the user, host, and database names. MySQL " +"will prompt you for the password." +msgstr "" +"ユーザåã€ãƒ›ã‚¹ãƒˆåã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹åã«ã¯ãれãれ正ã—ã„値を入れã¦ãã ã•ã„。" +"MySQL ãŒãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’è¦æ±‚ã—ã¾ã™ã€‚" + +#. Type: note +#. Description +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +msgid "" +"After you have created the database structure, you will need to start Snort " +"manually." +msgstr "データベースã®ä½œæˆå¾Œã€æ‰‹å‹•ã§ Snort ã‚’èµ·å‹•ã™ã‚‹å¿…è¦ãŒã‚りã¾ã™ã€‚" + +#. Type: boolean +#. Description +#: ../snort-pgsql.templates:12001 +msgid "Set up a database for snort-pgsql to log to?" +msgstr "snort-pqsql を利用ã—ã¦ãƒ­ã‚°ã«è¨˜éŒ²ã™ã‚‹ãŸã‚ã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹ã‚’設定ã—ã¾ã™ã‹?" + +#. 
Type: boolean +#. Description +#: ../snort-pgsql.templates:12001 +msgid "" +"Database logging can be reconfigured later by running 'dpkg-reconfigure -" +"plow snort-pgsql'." +msgstr "" +"データベースã§ã®ãƒ­ã‚°å集設定をã—ãŸã„å ´åˆã¯ã€å¾Œã»ã© 'dpkg-reconfigure -plow " +"snort-pgsql' を実行ã—ã¾ã™ã€‚" + +#. Type: note +#. Description +#: ../snort-pgsql.templates:17001 +msgid "" +" cd /usr/share/doc/snort-pgsql/\n" +" zcat create_postgresql.gz | psql -U -h -W " +msgstr "" +" cd /usr/share/doc/snort-pgsql/\n" +" zcat create_postgresql.gz | psql -U -h -W " + +#. Type: note +#. Description +#: ../snort-pgsql.templates:17001 +msgid "" +"Fill in the correct values for the user, host, and database names. " +"PostgreSQL will prompt you for the password." +msgstr "" +"ユーザåã€ãƒ›ã‚¹ãƒˆåã€ãƒ‡ãƒ¼ã‚¿ãƒ™ãƒ¼ã‚¹åã«ã¯ãれãれ正ã—ã„値を入れã¦ãã ã•ã„。" +"PostgreSQL ãŒãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚’è¦æ±‚ã—ã¾ã™ã€‚" + +#. Type: note +#. Description +#: ../snort-common.templates:1001 +msgid "Deprecated configuration file" +msgstr "無効ã«ã•れãŸè¨­å®šãƒ•ァイル" + +#. Type: note +#. Description +#: ../snort-common.templates:1001 +msgid "" +"The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " +"no longer available for this Snort release. Snort will not be able to start " +"unless you provide a correct configuration file. Either allow the " +"configuration file to be replaced with the one provided in this package or " +"fix it manually by removing deprecated options." +msgstr "" +"Snort ã®è¨­å®šãƒ•ァイル (/etc/snort/snort.conf) ã¯ã€ä»Šå›ã® Snort ã®ãƒªãƒªãƒ¼ã‚¹ä»¥é™" +"使ãˆãªããªã£ã¦ã„る無効ãªã‚ªãƒ—ションを指定ã—ã¦ã„ã¾ã™ã€‚設定ファイルを修正ã—ãªã„" +"é™ã‚Šèµ·å‹•ã§ããªããªã‚Šã¾ã™ã€‚設定ファイルをã“ã®ãƒ‘ãƒƒã‚±ãƒ¼ã‚¸ãŒæä¾›ã—ã¦ã„ã‚‹ã‚‚ã®ã«ç½®" +"æ›ã™ã‚‹ã‹ã€ç„¡åйãªã‚ªãƒ—ションを手動ã§å‰Šé™¤ã™ã‚‹ã‹ã™ã‚Œã°èµ·å‹•出æ¥ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚" + +#. Type: note +#. 
Description +#: ../snort-common.templates:1001 +msgid "" +"The following deprecated options were found in the configuration file: " +"${DEP_CONFIG}" +msgstr "設定ファイルã§ä»¥ä¸‹ã®ç„¡åйãªã‚ªãƒ—ションãŒè¦‹ã¤ã‹ã‚Šã¾ã—ãŸ: ${DEP_CONFIG}" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "設定エラー" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"ç¾åœ¨ã® Snort ã®è¨­å®šãŒæ­£ã—ããªã„ã®ã§ã€Snort ã¯æ­£å¸¸ã«èµ·å‹•ã—ã¾ã›ã‚“。確èªã®ä¸Šã§ä¿®" +"æ­£ã—ã¦ãã ã•ã„。" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Snort ã®è¨­å®šãƒ•ァイル中ã®ã‚¨ãƒ©ãƒ¼ã‚’分æã™ã‚‹ã«ã¯ã€'/usr/sbin/snort -T -c ' " +"ã¨ã—ã¦ãã ã•ã„。" + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Snort ã®ãƒ«ãƒ¼ãƒ«ã‚»ãƒƒãƒˆã®ãƒ†ã‚¹ãƒˆé †ã‚’ Pass|Alert|Log ã«å¤‰æ›´ã—ã¾ã™ã‹?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Snort ã®ãƒ‡ãƒ•ォルトã®ãƒ†ã‚¹ãƒˆé †ã¯ Alert|Pass|Log ã§ã™ã€‚ã“ã®ã‚ªãƒ—ションを有効ã«" +#~ "ã™ã‚‹ã¨ã€é †ç•ªãŒ Pass|Alert|Log ã«å¤‰æ›´ã•れã€Snort をパケットフィルタリング" +#~ "ツールã¨ä¸€ç·’ã«ä½¿ã†ã®ãŒç°¡å˜ã«ãªã‚Šã¾ã™ã€‚" diff -Nru snort-2.9.0.1/debian/po/nl.po snort-2.9.2/debian/po/nl.po --- snort-2.9.0.1/debian/po/nl.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/nl.po 2011-12-27 14:03:58.000000000 -0800 
@@ -14,7 +14,7 @@
 msgstr ""
 "Project-Id-Version: snort\n"
 "Report-Msgid-Bugs-To: snort@packages.debian.org\n"
-"POT-Creation-Date: 2008-05-01 21:28+0200\n"
+"POT-Creation-Date: 2011-12-27 14:03-0800\n"
 "PO-Revision-Date: 2008-04-06 09:33+0200\n"
 "Last-Translator: Peter Vandenabeele \n"
 "Language-Team: debian-l10n-dutch \n"
@@ -214,43 +214,17 @@
 "actief is. Ofwel gebruikt Snort onterecht de standaard interface 'eth0', or "
 "heb je een interface opgegeven die niet correct is."
 
-# Type: boolean
-# Description
 #. Type: boolean
 #. Description
 #: ../snort.templates:6001 ../snort-mysql.templates:6001
 #: ../snort-pgsql.templates:6001
-msgid "Should Snort's testing order be changed to Pass|Alert|Log?"
-msgstr ""
-"Moet de volgorde van het testen van de regels van Snort aangepast worden "
-"naar Pass|Alert|Log (doorlaten|alarmeren|loggen)?"
-
-#. Type: boolean
-#. Description
-#: ../snort.templates:6001 ../snort-mysql.templates:6001
-#: ../snort-pgsql.templates:6001
-msgid ""
-"Snort's default testing order is Alert|Pass|Log; if you accept this option, "
-"the order will be changed to Pass|Alert|Log, which can make it simpler to "
-"use Snort with some packet-filtering tools."
-msgstr ""
-"De standaard test volgorde van Snort is Alert|Pass|Log (Verwittigen|"
-"Doorlaten|Loggen); als je deze optie accepteert, zal de volgorde gewijzigd "
-"worden in Pass|Alert|Log (Doorlaten|Verwittigen|Loggen)' dit kan het "
-"eenvoudiger maken om Snort te gebruiken met sommige pakket filtering "
-"programma's."
-
-#. Type: boolean
-#. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
 msgid "Should daily summaries be sent by e-mail?"
 msgstr "Moeten de dagelijkse samenvattingen per e-mail worden verstuurd ?"
 
 #. Type: boolean
 #. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
 msgid ""
 "A cron job can be set up to send daily summaries of Snort logs to a selected "
 "e-mail address."
@@ -260,8 +234,8 @@
 
 #. Type: boolean
 #. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
 msgid "Please choose whether you want to activate this feature."
 msgstr "Gelieve te kiezen als u deze optie wil activeren."
 
@@ -269,15 +243,15 @@
 # Description
 #. Type: string
 #. Description
-#: ../snort.templates:8001 ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 msgid "Recipient of daily statistics mails:"
 msgstr "Ontvanger van de dagelijkse statistiekmails:"
 
 #. Type: string
 #. Description
-#: ../snort.templates:8001 ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 msgid ""
 "Please specify the e-mail address that should receive daily summaries of "
 "Snort logs."
@@ -287,22 +261,22 @@
 
 #. Type: string
 #. Description
-#: ../snort.templates:9001 ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Additional custom options:"
 msgstr "Extra eigen opties:"
 
 #. Type: string
 #. Description
-#: ../snort.templates:9001 ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Please specify any additional options Snort should use."
 msgstr "Gelieve eventuele additionele opties te geven die Snort moet gebruiken"
 
 #. Type: string
 #. Description
-#: ../snort.templates:10001 ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 msgid "Minimum occurrences before alerts are reported:"
 msgstr "Minimum aantal keren voorkomen om alarmen te rapporteren:"
 
@@ -310,8 +284,8 @@
 # Description
 #. Type: string
 #. Description
-#: ../snort.templates:10001 ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 msgid ""
 "Please enter the minimum number of alert occurrences before a given alert is "
 "included in the daily statistics."
@@ -321,15 +295,15 @@
 
 #. Type: note
 #. Description
-#: ../snort.templates:11001 ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid "Snort restart required"
 msgstr "Een herstart van Snort is vereist"
 
 #. Type: note
 #. Description
-#: ../snort.templates:11001 ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid ""
 "As Snort is manually launched, you need to run '/etc/init.d/snort' for the "
 "changes to take place."
@@ -339,45 +313,15 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid "Configuration error"
-msgstr "Configuratiefout"
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid ""
-"The current Snort configuration is invalid and will prevent Snort starting "
-"up normally. Please review and correct it."
-msgstr ""
-"De huidige Snort configuratie is ongeldig en zal verhinderen dat Snort "
-"normaal wordt opgestart. Gelieve de configuratie na te kijken en te "
-"corrigeren."
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid ""
-"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -"
-"c '."
-msgstr ""
-"Om een fout in een Snort congifuratiebestand te analyseren, gebruik '/usr/"
-"sbin/snort -T -c '"
-
-#. Type: error
-#. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid "Obsolete configuration file"
 msgstr "Verouderd configuratie bestand"
 
 #. Type: error
 #. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid ""
 "This system uses an obsolete configuration file (/etc/snort/snort.common."
 "parameters) which has been automatically converted into the new "
@@ -389,8 +333,8 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid ""
 "Please review the new configuration and remove the obsolete one. Until you "
 "do this, the initialization script will not use the new configuration and "
@@ -405,7 +349,7 @@
 # Description
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 msgid "Set up a database for snort-mysql to log to?"
 msgstr ""
 "Wilt u een een database opzetten waar snort-mysql het logboek in kan "
@@ -413,7 +357,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 "No database has been set up for Snort to log to. Before continuing, you "
 "should make sure you have:"
@@ -423,7 +367,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 " - the server host name (that server must allow TCP connections\n"
 " from this machine);\n"
@@ -436,7 +380,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 "If some of these requirements are missing, reject this option and run with "
 "regular file logging support."
@@ -446,7 +390,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 msgid ""
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-mysql'."
@@ -456,7 +400,7 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Database server hostnaam:" @@ -464,7 +408,7 @@ # Description #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -475,13 +419,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Databanknaam:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -491,7 +435,7 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "gebruikersnaam (account) voor database toegang:" @@ -499,7 +443,7 @@ # Description #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" @@ -510,7 +454,7 @@ # Description #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Gelieve het paswoord voor de databaseverbinding in te geven:" 
@@ -518,7 +462,7 @@ # Description #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -526,7 +470,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Een geconfigureerde databank is noodzakelijk voor Snort" @@ -534,7 +478,7 @@ # Description #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -546,7 +490,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -556,7 +500,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -568,7 +512,7 @@ # Description #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -579,14 +523,14 @@ # Description #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "" "Wilt u een database opzetten waar snort-pgsql het logboek in kan bijhouden?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -596,7 +540,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -606,7 +550,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -650,6 +594,51 @@ "De volgende verouderde opties werden in uw configuratiebestand aangetroffen: " "${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Configuratiefout" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"De huidige Snort configuratie is ongeldig en zal verhinderen dat Snort " +"normaal wordt opgestart. Gelieve de configuratie na te kijken en te " +"corrigeren." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Om een fout in een Snort congifuratiebestand te analyseren, gebruik '/usr/" +"sbin/snort -T -c '" + +# Type: boolean +# Description +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "Moet de volgorde van het testen van de regels van Snort aangepast worden " +#~ "naar Pass|Alert|Log (doorlaten|alarmeren|loggen)?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "De standaard test volgorde van Snort is Alert|Pass|Log (Verwittigen|" +#~ "Doorlaten|Loggen); als je deze optie accepteert, zal de volgorde " +#~ "gewijzigd worden in Pass|Alert|Log (Doorlaten|Verwittigen|Loggen)' dit " +#~ "kan het eenvoudiger maken om Snort te gebruiken met sommige pakket " +#~ "filtering programma's." 
+ # Type: note # Description #~ msgid "You are running Snort manually" diff -Nru snort-2.9.0.1/debian/po/pt_BR.po snort-2.9.2/debian/po/pt_BR.po --- snort-2.9.0.1/debian/po/pt_BR.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/pt_BR.po 2011-12-27 14:03:58.000000000 -0800 @@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2004-08-07 22:06-0300\n" "Last-Translator: André Luís Lopes \n" "Language-Team: Debian-BR Project \n" 
@@ -245,50 +245,29 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -#, fuzzy -#| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +msgid "Should daily summaries be sent by e-mail?" msgstr "" -"A ordem de teste das regras do Snort deve ser mudada para Passar|Alertar|" -"Logar ?" #. Type: boolean #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "Should daily summaries be sent by e-mail?" -msgstr "" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 -msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 #, fuzzy #| msgid "Who should receive the daily statistics mails?" msgid "Recipient of daily statistics mails:" 
@@ -296,8 +275,8 @@ #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." @@ -305,29 +284,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 #, fuzzy #| msgid "" #| "An alert needs to appear more times than this number to be included in " 
@@ -341,15 +320,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." @@ -357,40 +336,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -399,8 +353,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -409,7 +363,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 #, fuzzy #| msgid "Do you want to set up a database for snort-mysql to log to?" msgid "Set up a database for snort-mysql to log to?" @@ -419,7 +373,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -427,7 +381,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -437,7 +391,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -445,7 +399,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -453,13 +407,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 #, fuzzy #| msgid "" #| "Make sure it has been set up correctly to allow incoming connections from " @@ -473,13 +427,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -487,13 +441,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 #, fuzzy #| msgid "" #| "Make sure this database has been created and your database user has write " @@ -506,7 +460,7 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 #, fuzzy #| msgid "Please enter the password for the database connection" msgid "Password for the database connection:" 
@@ -516,7 +470,7 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 #, fuzzy #| msgid "Please enter a password to connect to the Snort Alert database." msgid "" @@ -527,13 +481,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 #, fuzzy msgid "" "Snort needs a configured database before it can successfully start up. In " @@ -549,7 +503,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -557,7 +511,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -565,7 +519,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 #, fuzzy msgid "" "After you have created the database structure, you will need to start Snort " @@ -576,7 +530,7 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 #, fuzzy #| msgid "Do you want to set up a database for snort-pgsql to log to?" msgid "Set up a database for snort-pgsql to log to?" @@ -586,7 +540,7 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." 
@@ -594,7 +548,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -602,7 +556,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." @@ -633,6 +587,35 @@ "${DEP_CONFIG}" msgstr "" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" + +#, fuzzy +#~| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "A ordem de teste das regras do Snort deve ser mudada para Passar|Alertar|" +#~ "Logar ?" + #, fuzzy #~| msgid "You are running Snort manually." #~ msgid "You are running Snort manually" diff -Nru snort-2.9.0.1/debian/po/pt.po snort-2.9.2/debian/po/pt.po --- snort-2.9.0.1/debian/po/pt.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/pt.po 2011-12-27 14:03:58.000000000 -0800 @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: snort 2.7.0-10\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-08 22:04+0100\n" "Last-Translator: Miguel Figueiredo \n" "Language-Team: Portuguese \n" 
@@ -196,33 +196,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Deve a ordem de teste do Snort ser alterada para Pass|Alert|Log?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"O ordem de teste pré-definida do Snort é Alert|Pass|Log; se aceitar esta " -"opção a ordem será alterada para Pass|Alert|Log, que pode simplificar a " -"utilização do Snort com outras ferramentas de filtragem de pacotes." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Devem ser enviados por e-mail sumários diários?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -232,22 +212,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Por favor escolha se quer activar esta funcionalidade." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Destinatário que deve receber mails diários das estatísticas:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -257,29 +237,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Opções adicionais de personalização:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Por favor especifique que opções adicionais deve o Snort utilizar." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Número minimo de ocorrências antes de serem reportados alertas:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." 
@@ -289,15 +269,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "É necessário que o Snort seja reiniciado" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -307,44 +287,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Erro na configuração" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"A actual configuração do Snort é inválida e impede que o Snort inicie " -"normalmente. Por favor reveja e corrija." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Para diagnosticar um erro num ficheiro de configuração do Snort, utilize '/" -"usr/sbin/snort -T -c '." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Ficheiro de configuração obsoleto" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -356,8 +307,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -369,13 +320,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Deseja configurar uma base de dados para o snort-mysql fazer registos?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -385,7 +336,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -400,7 +351,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -410,7 +361,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -420,13 +371,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Nome da máquina do servidor da base de dados:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -436,13 +387,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Nome da base de dados:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -452,13 +403,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Nome de utilizador para acesso à base de dados:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" 
@@ -467,13 +418,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Palavra-passe para a ligação à base de dados:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" @@ -482,13 +433,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "É obrigatório configurar uma base de dados para o Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -500,7 +451,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -511,7 +462,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -521,7 +472,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." 
@@ -531,13 +482,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Configurar uma base de dados para o snort-pgsql fazer registos?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -547,7 +498,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -558,7 +509,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -599,6 +550,44 @@ "As seguintes opções depreciadas foram encontradas no ficheiro de " "configuração: ${DEP_CONFIG}." +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Erro na configuração" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"A actual configuração do Snort é inválida e impede que o Snort inicie " +"normalmente. Por favor reveja e corrija." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Para diagnosticar um erro num ficheiro de configuração do Snort, utilize '/" +"usr/sbin/snort -T -c '." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Deve a ordem de teste do Snort ser alterada para Pass|Alert|Log?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "O ordem de teste pré-definida do Snort é Alert|Pass|Log; se aceitar esta " +#~ "opção a ordem será alterada para Pass|Alert|Log, que pode simplificar a " +#~ "utilização do Snort com outras ferramentas de filtragem de pacotes." + #~ msgid "You are running Snort manually" #~ msgstr "Você está a correr o Snort manualmente" diff -Nru snort-2.9.0.1/debian/po/ro.po snort-2.9.2/debian/po/ro.po --- snort-2.9.0.1/debian/po/ro.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/ro.po 2011-12-27 14:03:58.000000000 -0800 
@@ -10,14 +10,15 @@ msgstr "" "Project-Id-Version: ro\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-04-27 23:22+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-05-17 13:04+0300\n" "Last-Translator: Eddy PetriÈ™or \n" "Language-Team: Romanian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < 20)) ? 1 : 2;\n" +"Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < " +"20)) ? 1 : 2;\n" "X-Generator: KBabel 1.11.4\n" #. Type: select 
@@ -201,34 +202,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Se schimbă ordinea testelor lui Snort în Trece|Alertă|Jurnal?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Ordinea implicită de testare a lui Snort este Alertă|Trece|Jurnal; dacă " -"acceptaÈ›i această opÈ›iune, ordinea se va schimba în Trece|Alertă|Jurnal, " -"lucru care poate face mai facilă utilizarea lui Snort cu anumite unelte de " -"filtrare a pachetelor." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "DoriÈ›i mesaje electronice zilnice cu sumarul?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -238,22 +218,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "AlegeÈ›i dacă doriÈ›i să activaÈ›i această facilitate." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Destinatarul mesajelor zilnice cu statistici:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
@@ -263,29 +243,29 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "OpÈ›iuni adiÈ›ionale particularizate:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "PrecizaÈ›i orice alte opÈ›iuni pe care să le folosească Snort." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Numărul minim de apariÈ›ii pentru raportarea unei alerte:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." 
@@ -295,22 +275,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 -msgid "You are running Snort manually" -msgstr "RulaÈ›i Snort manual" - -#. Type: note -#. Description -#: ../snort.templates:11002 ../snort-mysql.templates:11002 -#: ../snort-pgsql.templates:11002 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Este necesară repornirea lui Snort" #. Type: note #. Description -#: ../snort.templates:11002 ../snort-mysql.templates:11002 -#: ../snort-pgsql.templates:11002 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -320,51 +293,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "There is an error in your configuration" -msgstr "Există o eroare în configuraÈ›ia dumneavoastră" - -#. Type: error -#. Description -#: ../snort.templates:12002 ../snort-mysql.templates:12002 -#: ../snort-pgsql.templates:12002 -msgid "Configuration error" -msgstr "Eroare de configurare" - -#. Type: error -#. Description -#: ../snort.templates:12002 ../snort-mysql.templates:12002 -#: ../snort-pgsql.templates:12002 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"Actuala configuraÈ›ie Snort nu este validă È™i îl va împiedica pe acesta să " -"pornească normal. RevizuiÈ›i-o È™i corectaÈ›i-o." - -#. Type: error -#. Description -#: ../snort.templates:12002 ../snort-mysql.templates:12002 -#: ../snort-pgsql.templates:12002 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Pentru diagnosticarea unui fiÈ™ier de configurare a lui Snort, folosiÈ›i â€/usr/" -"sbin/snort -T -c â€." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "FiÈ™ier de configurare depășit" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -376,8 +313,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -389,13 +326,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Se pregăteÈ™te o bază de date în care snort-mysql va face jurnalizarea?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -405,7 +342,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -419,7 +356,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -429,7 +366,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -439,13 +376,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Numele serverului cu baza de date:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -455,13 +392,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Numele bazei de date:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." 
@@ -471,41 +408,43 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Numele de utilizator pentru accesul la baza de date:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 -msgid "Please specify a database server username with write access to the database." +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +msgid "" +"Please specify a database server username with write access to the database." msgstr "" "PrecizaÈ›i un utilizator de baze de date care are drept de scriere în baza de " "date." #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Parola pentru conectarea la baza de date:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 -msgid "Please enter the password to use to connect to the Snort Alert database." +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +msgid "" +"Please enter the password to use to connect to the Snort Alert database." msgstr "" "IntroduceÈ›i parola folosită pentru conectarea la baza de date pentru " "alertele Snort." #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Este obligatorie o bază de date configurată pentru Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. 
In " "order to create the structure you need to run the following commands AFTER " @@ -517,7 +456,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -528,7 +467,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -538,7 +477,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." @@ -548,13 +487,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Se pregăteÈ™te o bază de date în care snort-pgsql va face jurnalizarea?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -564,7 +503,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -575,7 +514,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -611,7 +550,54 @@ msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" -msgstr "Ãn fiÈ™ierul de configurare au fost găsite următoarele opÈ›inuni învechite: ${DEP_CONFIG}." +msgstr "" +"Ãn fiÈ™ierul de configurare au fost găsite următoarele opÈ›inuni învechite: " +"${DEP_CONFIG}." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Eroare de configurare" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Actuala configuraÈ›ie Snort nu este validă È™i îl va împiedica pe acesta să " +"pornească normal. RevizuiÈ›i-o È™i corectaÈ›i-o." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Pentru diagnosticarea unui fiÈ™ier de configurare a lui Snort, folosiÈ›i â€/usr/" +"sbin/snort -T -c â€." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Se schimbă ordinea testelor lui Snort în Trece|Alertă|Jurnal?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Ordinea implicită de testare a lui Snort este Alertă|Trece|Jurnal; dacă " +#~ "acceptaÈ›i această opÈ›iune, ordinea se va schimba în Trece|Alertă|Jurnal, " +#~ "lucru care poate face mai facilă utilizarea lui Snort cu anumite unelte " +#~ "de filtrare a pachetelor." 
+ +#~ msgid "You are running Snort manually" +#~ msgstr "RulaÈ›i Snort manual" + +#~ msgid "There is an error in your configuration" +#~ msgstr "Există o eroare în configuraÈ›ia dumneavoastră" #~ msgid "Your configuration file is deprecated" #~ msgstr "FiÈ™ierul dumneavoastră de configurare este învechit" @@ -823,4 +809,3 @@ #~ msgstr "" #~ "IntroduceÈ›i numele calculatorului al cărui bază de date pgsql va fi " #~ "folosită." - diff -Nru snort-2.9.0.1/debian/po/ru.po snort-2.9.2/debian/po/ru.po --- snort-2.9.0.1/debian/po/ru.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/ru.po 2011-12-27 14:03:58.000000000 -0800 @@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: snort 2.7.0-26\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2009-05-14 20:46+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" @@ -17,7 +17,8 @@ "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" +"10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: select #. Choices 
@@ -200,33 +201,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Изменить порÑдок проверки правил Snort на Pass|Alert|Log?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"ПорÑдок проверки правил по ÑƒĞ¼Ğ¾Ğ»Ñ‡Ğ°Ğ½Ğ¸Ñ Ğ² Snort уÑтановлен как Alert|Pass|Log; " -"еÑли вы ответите утвердительно, то порÑдок будет изменён на Pass|Alert|Log, " -"что упроÑтит иÑпользование Snort Ñ Ğ´Ñ€ÑƒĞ³Ğ¸Ğ¼Ğ¸ инÑтрументами фильтрации пакетов." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "ĞтправлÑть ежедневные отчёты по e-mail?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -236,22 +217,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Укажите, хотите ли вы вклÑчить Ñту возможноÑть." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Получатель ежедневного отчёта по почте:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." @@ -261,15 +242,15 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Дополнительные Ñпециальные наÑтройки:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "" "ЗдеÑÑŒ можно указать Ğ»Ñбые дополнительные Ñпециальные наÑтройки, которые " 
@@ -277,15 +258,16 @@ #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" -msgstr "Минимальное количеÑтво Ğ²Ğ¾Ğ·Ğ½Ğ¸ĞºĞ½Ğ¾Ğ²ĞµĞ½Ğ¸Ñ Ñ‚Ñ€ĞµĞ²Ğ¾Ğ³Ğ¸, чтобы она попала в отчёт:" +msgstr "" +"Минимальное количеÑтво Ğ²Ğ¾Ğ·Ğ½Ğ¸ĞºĞ½Ğ¾Ğ²ĞµĞ½Ğ¸Ñ Ñ‚Ñ€ĞµĞ²Ğ¾Ğ³Ğ¸, чтобы она попала в отчёт:" #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -295,15 +277,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Snort требуетÑÑ Ğ¿ĞµÑ€ĞµĞ·Ğ°Ğ¿ÑƒÑтить" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -313,44 +295,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Ğшибка наÑтройки" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"ИмеÑщаÑÑÑ Ğ½Ğ°Ñтройка Snort неправильна и из-за Ñтого Snort не будет " -"запуÑкатьÑÑ. ПроÑмотрите и иÑправьте её." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Чтобы найти ошибку в файле наÑтройки Snort, воÑпользуйтеÑÑŒ '/usr/sbin/snort -" -"T -c <файл>'." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Ğ£Ñтаревший файл наÑтройки" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " 
@@ -362,8 +315,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " @@ -375,13 +328,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Подготовить базу данных Ğ´Ğ»Ñ Ğ¶ÑƒÑ€Ğ½Ğ°Ğ»Ğ¸Ñ€Ğ¾Ğ²Ğ°Ğ½Ğ¸Ñ Ñ Ğ¿Ğ¾Ğ¼Ğ¾Ñ‰ÑŒÑ snort-mysql?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -391,7 +344,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -405,7 +358,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -415,7 +368,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." 
@@ -425,13 +378,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Ğ˜Ğ¼Ñ Ñервера базы данных:" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." @@ -441,13 +394,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Ğ˜Ğ¼Ñ Ğ±Ğ°Ğ·Ñ‹ данных:" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." 
@@ -457,39 +410,41 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Ğ˜Ğ¼Ñ Ğ¿Ğ¾Ğ»ÑŒĞ·Ğ¾Ğ²Ğ°Ñ‚ĞµĞ»Ñ Ğ±Ğ°Ğ·Ñ‹ данных:" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 -msgid "Please specify a database server username with write access to the database." +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +msgid "" +"Please specify a database server username with write access to the database." msgstr "" "Укажите Ğ¸Ğ¼Ñ Ğ¿Ğ¾Ğ»ÑŒĞ·Ğ¾Ğ²Ğ°Ñ‚ĞµĞ»Ñ Ğ½Ğ° Ñервере базы данных, имеÑщего доÑтуп на запиÑÑŒ в " "базу." #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Пароль Ğ´Ğ»Ñ Ğ¿Ğ¾Ğ´ĞºĞ»ÑÑ‡ĞµĞ½Ğ¸Ñ Ğº базе данных:" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 -msgid "Please enter the password to use to connect to the Snort Alert database." +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +msgid "" +"Please enter the password to use to connect to the Snort Alert database." msgstr "Введите пароль Ğ´Ğ»Ñ Ğ¿Ğ¾Ğ´ĞºĞ»ÑÑ‡ĞµĞ½Ğ¸Ñ Ğº базе данных Snort Alert." #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "Ğ”Ğ»Ñ Snort должна быть наÑтроена база данных" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. 
In " "order to create the structure you need to run the following commands AFTER " @@ -501,7 +456,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -512,7 +467,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -522,7 +477,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." @@ -530,13 +485,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Подготовить базу данных Ğ´Ğ»Ñ Ğ¶ÑƒÑ€Ğ½Ğ°Ğ»Ğ¸Ñ€Ğ¾Ğ²Ğ°Ğ½Ğ¸Ñ Ñ Ğ¿Ğ¾Ğ¼Ğ¾Ñ‰ÑŒÑ snort-pgsql?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." @@ -546,7 +501,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -557,7 +512,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -590,13 +545,47 @@ #. Type: note #. Description #: ../snort-common.templates:1001 -#| msgid "" -#| "The following deprecated options were found in the configuration file: " -#| "${DEP_CONFIG}." msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" -"Ğ’ файле наÑтроек были найдены ÑледуÑщие уÑтаревшие параметры: " -"${DEP_CONFIG}" +"Ğ’ файле наÑтроек были найдены ÑледуÑщие уÑтаревшие параметры: ${DEP_CONFIG}" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Ğшибка наÑтройки" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"ИмеÑщаÑÑÑ Ğ½Ğ°Ñтройка Snort неправильна и из-за Ñтого Snort не будет " +"запуÑкатьÑÑ. ПроÑмотрите и иÑправьте её." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Чтобы найти ошибку в файле наÑтройки Snort, воÑпользуйтеÑÑŒ '/usr/sbin/snort -" +"T -c <файл>'." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "Изменить порÑдок проверки правил Snort на Pass|Alert|Log?" +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "ПорÑдок проверки правил по ÑƒĞ¼Ğ¾Ğ»Ñ‡Ğ°Ğ½Ğ¸Ñ Ğ² Snort уÑтановлен как Alert|Pass|" +#~ "Log; еÑли вы ответите утвердительно, то порÑдок будет изменён на Pass|" +#~ "Alert|Log, что упроÑтит иÑпользование Snort Ñ Ğ´Ñ€ÑƒĞ³Ğ¸Ğ¼Ğ¸ инÑтрументами " +#~ "фильтрации пакетов." 
diff -Nru snort-2.9.0.1/debian/po/sv.po snort-2.9.2/debian/po/sv.po --- snort-2.9.0.1/debian/po/sv.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/sv.po 2011-12-27 14:03:58.000000000 -0800 @@ -13,7 +13,7 @@ msgstr "" "Project-Id-Version: snort 2.3.3-1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-07-21 17:41+0100\n" "Last-Translator: Martin Bagge \n" "Language-Team: Swedish \n" 
@@ -23,309 +23,328 @@
 #. Type: select
 #. Choices
-#: ../snort.templates:1001
-#: ../snort-mysql.templates:1001
+#: ../snort.templates:1001 ../snort-mysql.templates:1001
 #: ../snort-pgsql.templates:1001
 msgid "boot"
 msgstr "uppstart"
 #. Type: select
 #. Choices
-#: ../snort.templates:1001
-#: ../snort-mysql.templates:1001
+#: ../snort.templates:1001 ../snort-mysql.templates:1001
 #: ../snort-pgsql.templates:1001
 msgid "dialup"
 msgstr "uppringt"
 #. Type: select
 #. Choices
-#: ../snort.templates:1001
-#: ../snort-mysql.templates:1001
+#: ../snort.templates:1001 ../snort-mysql.templates:1001
 #: ../snort-pgsql.templates:1001
 msgid "manual"
 msgstr "manuell"
 #. Type: select
 #. Description
-#: ../snort.templates:1002
-#: ../snort-mysql.templates:1002
+#: ../snort.templates:1002 ../snort-mysql.templates:1002
 #: ../snort-pgsql.templates:1002
 msgid "Snort start method:"
 msgstr "Hur ska Snort starta:"
 #. Type: select
 #. Description
-#: ../snort.templates:1002
-#: ../snort-mysql.templates:1002
+#: ../snort.templates:1002 ../snort-mysql.templates:1002
 #: ../snort-pgsql.templates:1002
-msgid "Snort can be started during boot, when connecting to the net with pppd or only manually with the /usr/sbin/snort command."
-msgstr "Snort kan startas vid uppstart, när uppkoppling mot nätverk sker (pppd) eller bara när du manuellt startat den med /usr/sbin/snort."
+msgid ""
+"Snort can be started during boot, when connecting to the net with pppd or "
+"only manually with the /usr/sbin/snort command."
+msgstr ""
+"Snort kan startas vid uppstart, när uppkoppling mot nätverk sker (pppd) "
+"eller bara när du manuellt startat den med /usr/sbin/snort."
 #. Type: string
 #. Description
-#: ../snort.templates:2001
-#: ../snort-mysql.templates:2001
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
 #: ../snort-pgsql.templates:2001
 msgid "Interface(s) which Snort should listen on:"
 msgstr "På vilket/vilka gränssnitt ska Snort lyssna?"
 #. Type: string
 #. Description
-#: ../snort.templates:2001
-#: ../snort-mysql.templates:2001
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
 #: ../snort-pgsql.templates:2001
-msgid "This value is usually 'eth0', but this may be inappropriate in some network environments; for a dialup connection 'ppp0' might be more appropiate (see the output of '/sbin/ifconfig')."
-msgstr "Detta värde är oftast 'eth0' men det kan vara fel i en del nätverksmiljöer. För uppringd anslutning bör 'ppp0' användas (se vidare utdatat från '/sbin/ifconfig')"
+msgid ""
+"This value is usually 'eth0', but this may be inappropriate in some network "
+"environments; for a dialup connection 'ppp0' might be more appropiate (see "
+"the output of '/sbin/ifconfig')."
+msgstr ""
+"Detta värde är oftast 'eth0' men det kan vara fel i en del nätverksmiljöer. "
+"För uppringd anslutning bör 'ppp0' användas (se vidare utdatat från '/sbin/"
+"ifconfig')"
 #. Type: string
 #. Description
-#: ../snort.templates:2001
-#: ../snort-mysql.templates:2001
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
 #: ../snort-pgsql.templates:2001
-msgid "Typically, this is the same interface as the 'default route' is on. You can determine which interface is used for this by running '/sbin/route -n' (look for '0.0.0.0')."
-msgstr "Observera att Snort är normalt konfigurerad att inspektera all trafik som kommer från Internet så gränssnittet du lägger till här är normalt det samma som din standardgateway är på. Du kan ta fram denna information genom att köra \"/sbin/route -n\" (leta efter \"0.0.0.0\")."
+msgid ""
+"Typically, this is the same interface as the 'default route' is on. You can "
+"determine which interface is used for this by running '/sbin/route -n' (look "
+"for '0.0.0.0')."
+msgstr ""
+"Observera att Snort är normalt konfigurerad att inspektera all trafik som "
+"kommer från Internet så gränssnittet du lägger till här är normalt det samma "
+"som din standardgateway är på. Du kan ta fram denna information genom att "
+"köra \"/sbin/route -n\" (leta efter \"0.0.0.0\")."
 #. Type: string
 #. Description
-#: ../snort.templates:2001
-#: ../snort-mysql.templates:2001
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
 #: ../snort-pgsql.templates:2001
-msgid "It is also not uncommon to use an interface with no IP address configured in promiscuous mode. For such cases, select the interface in this system that is physically connected to the network that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected to a 'port mirroring/spanning' port in a switch, to a hub or to a tap)."
-msgstr "Det är inte helt ovanligt att köra Snort på ett gränssnitt utan IP-adress och som är konfigurerat i läget promiscuous. Om det är det du vill, välj gränssnittet på detta system som är fysiskt kopplad till nätverket du vill inspektera. Aktivera promiscuousläget efter det och kontrollera att nätverkstrafiken skickas till detta gränssnitt (antingen kopplade till en \"port mirror/spanning\"-port i en switch, en hubb eller en nätverkstapp)"
+msgid ""
+"It is also not uncommon to use an interface with no IP address configured in "
+"promiscuous mode. For such cases, select the interface in this system that "
+"is physically connected to the network that should be inspected, enable "
+"promiscuous mode later on and make sure that the network traffic is sent to "
+"this interface (either connected to a 'port mirroring/spanning' port in a "
+"switch, to a hub or to a tap)."
+msgstr ""
+"Det är inte helt ovanligt att köra Snort på ett gränssnitt utan IP-adress "
+"och som är konfigurerat i läget promiscuous. Om det är det du vill, välj "
+"gränssnittet på detta system som är fysiskt kopplad till nätverket du vill "
+"inspektera. Aktivera promiscuousläget efter det och kontrollera att "
+"nätverkstrafiken skickas till detta gränssnitt (antingen kopplade till en "
+"\"port mirror/spanning\"-port i en switch, en hubb eller en nätverkstapp)"
 #. Type: string
 #. Description
-#: ../snort.templates:2001
-#: ../snort-mysql.templates:2001
+#: ../snort.templates:2001 ../snort-mysql.templates:2001
 #: ../snort-pgsql.templates:2001
-msgid "You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its own specific configuration."
-msgstr "Du kan konfigurera flera gränssnitt här, bara att lägga till fler än ett gränssnittsnamn separerade med blanksteg. Varje gränssnitt kan ha sin egen specifika konfiguration."
+msgid ""
+"You can configure multiple interfaces, just by adding more than one "
+"interface name separated by spaces. Each interface can have its own specific "
+"configuration."
+msgstr ""
+"Du kan konfigurera flera gränssnitt här, bara att lägga till fler än ett "
+"gränssnittsnamn separerade med blanksteg. Varje gränssnitt kan ha sin egen "
+"specifika konfiguration."
 #. Type: string
 #. Description
-#: ../snort.templates:3001
-#: ../snort-mysql.templates:3001
+#: ../snort.templates:3001 ../snort-mysql.templates:3001
 #: ../snort-pgsql.templates:3001
 msgid "Address range for the local network:"
 msgstr "Ange adressintervallet som Snort ska lyssna på."
 #. Type: string
 #. Description
-#: ../snort.templates:3001
-#: ../snort-mysql.templates:3001
+#: ../snort.templates:3001 ../snort-mysql.templates:3001
 #: ../snort-pgsql.templates:3001
-msgid "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one. Multiple values should be comma-separated (without spaces)."
-msgstr "Du ska använda CIDR-formatet, till exempel 192.168.1.0/24 för ett block av 256 IP-adresser eller 192.168.1.42/32 för bara en av dem. Ange flera adresser på samma rad separerade med \",\" (kommatecken), blanksteg är inte tillåtna!"
+msgid ""
+"Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 "
+"addresses or 192.168.1.42/32 for just one. Multiple values should be comma-"
+"separated (without spaces)."
+msgstr ""
+"Du ska använda CIDR-formatet, till exempel 192.168.1.0/24 för ett block av "
+"256 IP-adresser eller 192.168.1.42/32 för bara en av dem. Ange flera "
+"adresser på samma rad separerade med \",\" (kommatecken), blanksteg är inte "
+"tillåtna!"
 #. Type: string
 #. Description
-#: ../snort.templates:3001
-#: ../snort-mysql.templates:3001
+#: ../snort.templates:3001 ../snort-mysql.templates:3001
 #: ../snort-pgsql.templates:3001
-msgid "Please note that if Snort is configured to use multiple interfaces, it will use this value as the HOME_NET definition for all of them."
-msgstr "Observera att om du använder flera gränssnitt kommer denna definition att användas som HOME_NET-definition på alla."
+msgid ""
+"Please note that if Snort is configured to use multiple interfaces, it will "
+"use this value as the HOME_NET definition for all of them."
+msgstr ""
+"Observera att om du använder flera gränssnitt kommer denna definition att "
+"användas som HOME_NET-definition på alla."
 #. Type: boolean
 #. Description
-#: ../snort.templates:4001
-#: ../snort-mysql.templates:4001
+#: ../snort.templates:4001 ../snort-mysql.templates:4001
 #: ../snort-pgsql.templates:4001
 msgid "Should Snort disable promiscuous mode on the interface?"
 msgstr "Ska Snort inaktivera promiscuousläget på gränssnittet?"
 #. Type: boolean
 #. Description
-#: ../snort.templates:4001
-#: ../snort-mysql.templates:4001
+#: ../snort.templates:4001 ../snort-mysql.templates:4001
 #: ../snort-pgsql.templates:4001
-msgid "Disabling promiscuous mode means that Snort will only see packets addressed to the interface it is monitoring. Enabling it allows Snort to check every packet that passes the Ethernet segment even if it's a connection between two other computers."
-msgstr "Inaktivering av promiscuousläget betyder att Snort bara kommer att se paket adresserade till sitt eget gränssnitt. Aktivering av det tillåter Snort att undersöka varje paket som passerar Ethernet-segmentet även om det är anslutning mellan två andra datorer."
+msgid ""
+"Disabling promiscuous mode means that Snort will only see packets addressed "
+"to the interface it is monitoring. Enabling it allows Snort to check every "
+"packet that passes the Ethernet segment even if it's a connection between "
+"two other computers."
+msgstr ""
+"Inaktivering av promiscuousläget betyder att Snort bara kommer att se paket "
+"adresserade till sitt eget gränssnitt. Aktivering av det tillåter Snort att "
+"undersöka varje paket som passerar Ethernet-segmentet även om det är "
+"anslutning mellan två andra datorer."
 #. Type: error
 #. Description
-#: ../snort.templates:5001
-#: ../snort-mysql.templates:5001
+#: ../snort.templates:5001 ../snort-mysql.templates:5001
 #: ../snort-pgsql.templates:5001
 msgid "Invalid interface"
 msgstr "Ogiltigt gränssnitt"
 #. Type: error
 #. Description
-#: ../snort.templates:5001
-#: ../snort-mysql.templates:5001
+#: ../snort.templates:5001 ../snort-mysql.templates:5001
 #: ../snort-pgsql.templates:5001
-msgid "Snort is trying to use an interface which does not exist or is down. Either it is defaulting inappropriately to 'eth0', or you specified one which is invalid."
-msgstr "Snort försöker använda en nätverksanslutning som inte existerar eller som inte är uppkopplad. Antingen så har standardvärdet 'eth0' smugit sig in eller så har du angivit en felaktig anslutning."
-
-#. Type: boolean
-#. Description
-#: ../snort.templates:6001
-#: ../snort-mysql.templates:6001
-#: ../snort-pgsql.templates:6001
-msgid "Should Snort's testing order be changed to Pass|Alert|Log?"
-msgstr "Ska testordningen för reglerna i Snort ändras til Pass|Alert|Log?"
+msgid ""
+"Snort is trying to use an interface which does not exist or is down. Either "
+"it is defaulting inappropriately to 'eth0', or you specified one which is "
+"invalid."
+msgstr ""
+"Snort försöker använda en nätverksanslutning som inte existerar eller som "
+"inte är uppkopplad. Antingen så har standardvärdet 'eth0' smugit sig in "
+"eller så har du angivit en felaktig anslutning."
 #. Type: boolean
 #. Description
-#: ../snort.templates:6001
-#: ../snort-mysql.templates:6001
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
 #: ../snort-pgsql.templates:6001
-msgid "Snort's default testing order is Alert|Pass|Log; if you accept this option, the order will be changed to Pass|Alert|Log, which can make it simpler to use Snort with some packet-filtering tools."
-msgstr "Standardvärdet för Snorts tester är Alert|Pass|Log. Om du väljer detta alternativ så kommer ordningen att ändras till Pass|Alert|Log, vilket kan underlätta användadet av Snort tillsammans med en del paketfiltreringsverktyg."
-
-#. Type: boolean
-#. Description
-#: ../snort.templates:7001
-#: ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
 msgid "Should daily summaries be sent by e-mail?"
 msgstr "Ska dagliga sammandrag skickas via e-post?"
 #. Type: boolean
 #. Description
-#: ../snort.templates:7001
-#: ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
-msgid "A cron job can be set up to send daily summaries of Snort logs to a selected e-mail address."
-msgstr "Ett cron-jobb kan ställas in för att sända dagliga summeringar av Snorts logfiler till en förvald e-post-adress."
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
+msgid ""
+"A cron job can be set up to send daily summaries of Snort logs to a selected "
+"e-mail address."
+msgstr ""
+"Ett cron-jobb kan ställas in för att sända dagliga summeringar av Snorts "
+"logfiler till en förvald e-post-adress."
 #. Type: boolean
 #. Description
-#: ../snort.templates:7001
-#: ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
 msgid "Please choose whether you want to activate this feature."
 msgstr "Vänligen ange om du vill aktivera denna funktionen."
 #. Type: string
 #. Description
-#: ../snort.templates:8001
-#: ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 msgid "Recipient of daily statistics mails:"
 msgstr "Vem ska ta emot de dagliga e-postrapporterna?"
 #. Type: string
 #. Description
-#: ../snort.templates:8001
-#: ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
-msgid "Please specify the e-mail address that should receive daily summaries of Snort logs."
-msgstr "Vänligen ange e-post-adressen som ska få dagliga summeringar av Snorts logfiler."
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
+msgid ""
+"Please specify the e-mail address that should receive daily summaries of "
+"Snort logs."
+msgstr ""
+"Vänligen ange e-post-adressen som ska få dagliga summeringar av Snorts "
+"logfiler."
 #. Type: string
 #. Description
-#: ../snort.templates:9001
-#: ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Additional custom options:"
 msgstr "Ytterligare alternativ"
 #. Type: string
 #. Description
-#: ../snort.templates:9001
-#: ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Please specify any additional options Snort should use."
 msgstr "Ange ytterligare inställningar som Snort ska använda."
 #. Type: string
 #. Description
-#: ../snort.templates:10001
-#: ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 msgid "Minimum occurrences before alerts are reported:"
 msgstr "Minsta antalet förekomster innan varningar skickas:"
 #. Type: string
 #. Description
-#: ../snort.templates:10001
-#: ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
-msgid "Please enter the minimum number of alert occurrences before a given alert is included in the daily statistics."
-msgstr "Ett larm behöver dyka upp fler gånger än denna siffra för att bli inkluderade i den dagliga rapporten."
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
+msgid ""
+"Please enter the minimum number of alert occurrences before a given alert is "
+"included in the daily statistics."
+msgstr ""
+"Ett larm behöver dyka upp fler gånger än denna siffra för att bli "
+"inkluderade i den dagliga rapporten."
 #. Type: note
 #. Description
-#: ../snort.templates:11001
-#: ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid "Snort restart required"
 msgstr "Snort måste startas om"
 #. Type: note
 #. Description
-#: ../snort.templates:11001
-#: ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
-msgid "As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place."
-msgstr "I och med att Snort körs manuellt så måste du köra '/etc/init.d/snort' för att ändringarna ska aktiveras."
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001
-#: ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid "Configuration error"
-msgstr "Fel i inställningar"
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001
-#: ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid "The current Snort configuration is invalid and will prevent Snort starting up normally. Please review and correct it."
-msgstr "Nuvarande inställningar för Snort är felaktiga och kommer att förhindra Snort från att starta på ett korrekt sätt. Vänligen kontrollera inställningarna och rätta felen."
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001
-#: ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -c '."
-msgstr "För att hitta fel i Snorts inställningar används kommandot '/usr/sbin/snort -T -c '."
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
+msgid ""
+"As Snort is manually launched, you need to run '/etc/init.d/snort' for the "
+"changes to take place."
+msgstr ""
+"I och med att Snort körs manuellt så måste du köra '/etc/init.d/snort' för "
+"att ändringarna ska aktiveras."
 #. Type: error
 #. Description
-#: ../snort.templates:13001
-#: ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid "Obsolete configuration file"
 msgstr "Detta system använder en gammal konfigurationsfil"
 #. Type: error
 #. Description
-#: ../snort.templates:13001
-#: ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
-msgid "This system uses an obsolete configuration file (/etc/snort/snort.common.parameters) which has been automatically converted into the new configuration file format (at /etc/default/snort)."
-msgstr "Ditt system har en gammal konfigurationsfil (/etc/snort/snort.common.parameters) vilken har blivit automatiskt konverterad till en ny konfigurationsfil med nytt format (i /etc/default/snort)."
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
+msgid ""
+"This system uses an obsolete configuration file (/etc/snort/snort.common."
+"parameters) which has been automatically converted into the new "
+"configuration file format (at /etc/default/snort)."
+msgstr ""
+"Ditt system har en gammal konfigurationsfil (/etc/snort/snort.common."
+"parameters) vilken har blivit automatiskt konverterad till en ny "
+"konfigurationsfil med nytt format (i /etc/default/snort)."
 #. Type: error
 #. Description
-#: ../snort.templates:13001
-#: ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
-msgid "Please review the new configuration and remove the obsolete one. Until you do this, the initialization script will not use the new configuration and you will not take advantage of the benefits introduced in newer releases."
-msgstr "Kontrollera den nya konfiguration och ta bort den gamla. Fram till att du gör detta kommer init.d-skriptet inte använda den nya konfigurationen och du kan inte använda de nya fördelarna i den nya versionen."
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
+msgid ""
+"Please review the new configuration and remove the obsolete one. Until you "
+"do this, the initialization script will not use the new configuration and "
+"you will not take advantage of the benefits introduced in newer releases."
+msgstr ""
+"Kontrollera den nya konfiguration och ta bort den gamla. Fram till att du "
+"gör detta kommer init.d-skriptet inte använda den nya konfigurationen och du "
+"kan inte använda de nya fördelarna i den nya versionen."
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 msgid "Set up a database for snort-mysql to log to?"
 msgstr "Vill du konfigurera en databas för snort-mysql att logga till?"
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
-#: ../snort-pgsql.templates:14001
-msgid "No database has been set up for Snort to log to. Before continuing, you should make sure you have:"
-msgstr "Ingen databas har ställts in för Snorts loggningsfunktioner. Du måste ha följande innan du fortsätter:"
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
+msgid ""
+"No database has been set up for Snort to log to. Before continuing, you "
+"should make sure you have:"
+msgstr ""
+"Ingen databas har ställts in för Snorts loggningsfunktioner. Du måste ha "
+"följande innan du fortsätter:"
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
-#: ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 " - the server host name (that server must allow TCP connections\n"
 " from this machine);\n"
@@ -339,137 +358,167 @@
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
-#: ../snort-pgsql.templates:14001
-msgid "If some of these requirements are missing, reject this option and run with regular file logging support."
-msgstr "Om du inte har alla uppgifter ännu kan du hoppa över att ställa in detta nu och använda dig av vanlig loggning till fil."
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
+msgid ""
+"If some of these requirements are missing, reject this option and run with "
+"regular file logging support."
+msgstr ""
+"Om du inte har alla uppgifter ännu kan du hoppa över att ställa in detta nu "
+"och använda dig av vanlig loggning till fil."
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
-msgid "Database logging can be reconfigured later by running 'dpkg-reconfigure -plow snort-mysql'."
-msgstr "Loggning till databas kan aktiveras vid ett senare tillfälle genom att köra 'dpkg-reconfigure -plow snort-mysql'."
+#: ../snort-mysql.templates:12001
+msgid ""
+"Database logging can be reconfigured later by running 'dpkg-reconfigure -"
+"plow snort-mysql'."
+msgstr ""
+"Loggning till databas kan aktiveras vid ett senare tillfälle genom att köra "
+"'dpkg-reconfigure -plow snort-mysql'."
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:15001
-#: ../snort-pgsql.templates:15001
+#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
 msgid "Database server hostname:"
 msgstr "Värdnamn för databas:"
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:15001
-#: ../snort-pgsql.templates:15001
-msgid "Please specify the host name of a database server that allows incoming connections from this host."
-msgstr "Ange värdnan på databasservern och att den tillåter inkommande uppkopplingar från denna värd."
+#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
+msgid ""
+"Please specify the host name of a database server that allows incoming "
+"connections from this host."
+msgstr ""
+"Ange värdnan på databasservern och att den tillåter inkommande "
+"uppkopplingar från denna värd."
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:16001
-#: ../snort-pgsql.templates:16001
+#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
 msgid "Database name:"
 msgstr "Databasnamn:"
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:16001
-#: ../snort-pgsql.templates:16001
-msgid "Please specify the name of an existing database to which the database user has write access."
-msgstr "Ange ett namn på en existerande databas som den här användaren har skrivrättigheter till."
+#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+msgid ""
+"Please specify the name of an existing database to which the database user "
+"has write access."
+msgstr ""
+"Ange ett namn på en existerande databas som den här användaren har "
+"skrivrättigheter till."
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:17001
-#: ../snort-pgsql.templates:17001
+#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
 msgid "Username for database access:"
 msgstr "Användarnamn för databas:"
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:17001
-#: ../snort-pgsql.templates:17001
-msgid "Please specify a database server username with write access to the database."
-msgstr "Kontrollera att din databasanvändare har skrivrättigheter till denna databas."
+#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
+msgid ""
+"Please specify a database server username with write access to the database."
+msgstr ""
+"Kontrollera att din databasanvändare har skrivrättigheter till denna databas."
 #. Type: password
 #. Description
-#: ../snort-mysql.templates:18001
-#: ../snort-pgsql.templates:18001
+#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
 msgid "Password for the database connection:"
 msgstr "Ange lösenordet för databasuppkopplingen."
 #. Type: password
 #. Description
-#: ../snort-mysql.templates:18001
-#: ../snort-pgsql.templates:18001
-msgid "Please enter the password to use to connect to the Snort Alert database."
+#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
+msgid ""
+"Please enter the password to use to connect to the Snort Alert database."
 msgstr "Ange ett lösenord för uppkoppling mot Snorts larmdatabas."
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
-#: ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 msgid "Configured database mandatory for Snort"
 msgstr "Databasen måste förberedas för Snort före användning."
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
-#: ../snort-pgsql.templates:19001
-msgid "Snort needs a configured database before it can successfully start up. In order to create the structure you need to run the following commands AFTER the package is installed:"
-msgstr "Snort behöver en konfigurerad databas innan den kan starta korrekt. För att skapa databasstrukturen behöver du köra följande kommandon EFTER att paketet har installerats:"
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
+msgid ""
+"Snort needs a configured database before it can successfully start up. In "
+"order to create the structure you need to run the following commands AFTER "
+"the package is installed:"
+msgstr ""
+"Snort behöver en konfigurerad databas innan den kan starta korrekt. För att "
+"skapa databasstrukturen behöver du köra följande kommandon EFTER att paketet "
+"har installerats:"
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
+#: ../snort-mysql.templates:17001
 msgid ""
 " cd /usr/share/doc/snort-mysql/\n"
 " zcat create_mysql.gz | mysql -u -h -p "
 msgstr ""
 " cd /usr/share/doc/snort-mysql/\n"
-" zcat create_mysql.gz | mysql -u -h -p "
+" zcat create_mysql.gz | mysql -u -h -p "
+""
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
-msgid "Fill in the correct values for the user, host, and database names. MySQL will prompt you for the password."
-msgstr "Ange de korrekta värdena för användare, värd och databasens namn. MySQL kommer att fråga efter lösenordet."
+#: ../snort-mysql.templates:17001
+msgid ""
+"Fill in the correct values for the user, host, and database names. MySQL "
+"will prompt you for the password."
+msgstr ""
+"Ange de korrekta värdena för användare, värd och databasens namn. MySQL "
+"kommer att fråga efter lösenordet."
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
-#: ../snort-pgsql.templates:19001
-msgid "After you have created the database structure, you will need to start Snort manually."
-msgstr "Efter att du skapat databasstrukturen behöver du starta Snort manuellt."
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
+msgid ""
+"After you have created the database structure, you will need to start Snort "
+"manually."
+msgstr ""
+"Efter att du skapat databasstrukturen behöver du starta Snort manuellt."
 #. Type: boolean
 #. Description
-#: ../snort-pgsql.templates:14001
+#: ../snort-pgsql.templates:12001
 msgid "Set up a database for snort-pgsql to log to?"
 msgstr "Vill du konfigurera en databas för snort-pgsql att logga till?"
 #. Type: boolean
 #. Description
-#: ../snort-pgsql.templates:14001
-msgid "Database logging can be reconfigured later by running 'dpkg-reconfigure -plow snort-pgsql'."
-msgstr "Loggning till databas kan aktiveras vid ett senare tillfälle genom att köra 'dpkg-reconfigure -plow snort-pgsql'."
+#: ../snort-pgsql.templates:12001
+msgid ""
+"Database logging can be reconfigured later by running 'dpkg-reconfigure -"
+"plow snort-pgsql'."
+msgstr ""
+"Loggning till databas kan aktiveras vid ett senare tillfälle genom att köra "
+"'dpkg-reconfigure -plow snort-pgsql'."
 #. Type: note
 #. Description
-#: ../snort-pgsql.templates:19001
+#: ../snort-pgsql.templates:17001
 msgid ""
 " cd /usr/share/doc/snort-pgsql/\n"
 " zcat create_postgresql.gz | psql -U -h -W "
 msgstr ""
 " cd /usr/share/doc/snort-pgsql/\n"
-" zcat create_postgresql.gz | psql -U -h -W "
+" zcat create_postgresql.gz | psql -U -h -W "
+""
 #. Type: note
 #. Description
-#: ../snort-pgsql.templates:19001
-msgid "Fill in the correct values for the user, host, and database names. PostgreSQL will prompt you for the password."
-msgstr "Ange de korrekta värdena för användare, värd och databasens namn. PostgreSQL kommer att fråga efter lösenordet."
+#: ../snort-pgsql.templates:17001
+msgid ""
+"Fill in the correct values for the user, host, and database names. "
+"PostgreSQL will prompt you for the password."
+msgstr ""
+"Ange de korrekta värdena för användare, värd och databasens namn. PostgreSQL "
+"kommer att fråga efter lösenordet."
 #. Type: note
 #. Description
@@ -480,12 +529,65 @@
 #. Type: note
 #. Description
 #: ../snort-common.templates:1001
-msgid "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options no longer available for this Snort release. Snort will not be able to start unless you provide a correct configuration file. Either allow the configuration file to be replaced with the one provided in this package or fix it manually by removing deprecated options."
-msgstr "Din Snort-konfigurationsfil (/etc/snort/snort.conf) använder gamla inställningar som inte längre används i denna Snort-utgåva. Snort kan inte starta om du har felaktigheter i konfigurationsfilen. Du kan byta ut din konfigurationsfil mot den som följer med detta paket eller lösa problemet manuellt genom att ta bort de felaktiga inställningarna."
+msgid ""
+"The Snort configuration file (/etc/snort/snort.conf) uses deprecated options "
+"no longer available for this Snort release. Snort will not be able to start "
+"unless you provide a correct configuration file. Either allow the "
+"configuration file to be replaced with the one provided in this package or "
+"fix it manually by removing deprecated options."
+msgstr ""
+"Din Snort-konfigurationsfil (/etc/snort/snort.conf) använder gamla "
+"inställningar som inte längre används i denna Snort-utgåva. Snort kan inte "
+"starta om du har felaktigheter i konfigurationsfilen. Du kan byta ut din "
+"konfigurationsfil mot den som följer med detta paket eller lösa problemet "
+"manuellt genom att ta bort de felaktiga inställningarna."
 
 #. Type: note
 #. Description
 #: ../snort-common.templates:1001
-msgid "The following deprecated options were found in the configuration file: ${DEP_CONFIG}"
-msgstr "De följande inställningarna som hittades i din konfigurationsfil är inte längre giltiga: ${DEP_CONFIG}"
+msgid ""
+"The following deprecated options were found in the configuration file: "
+"${DEP_CONFIG}"
+msgstr ""
+"De följande inställningarna som hittades i din konfigurationsfil är inte "
+"längre giltiga: ${DEP_CONFIG}"
+
+#. Type: error
+#. Description
+#: ../snort-common.templates:2001
+msgid "Configuration error"
+msgstr "Fel i inställningar"
+
+#. Type: error
+#. Description
+#: ../snort-common.templates:2001
+msgid ""
+"The current Snort configuration is invalid and will prevent Snort starting "
+"up normally. Please review and correct it."
+msgstr ""
+"Nuvarande inställningar för Snort är felaktiga och kommer att förhindra "
+"Snort från att starta på ett korrekt sätt. Vänligen kontrollera "
+"inställningarna och rätta felen."
+
+#. Type: error
+#. Description
+#: ../snort-common.templates:2001
+msgid ""
+"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -"
+"c '."
+msgstr ""
+"För att hitta fel i Snorts inställningar används kommandot '/usr/sbin/snort -"
+"T -c '."
+
+#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?"
+#~ msgstr "Ska testordningen för reglerna i Snort ändras til Pass|Alert|Log?"
+#~ msgid ""
+#~ "Snort's default testing order is Alert|Pass|Log; if you accept this "
+#~ "option, the order will be changed to Pass|Alert|Log, which can make it "
+#~ "simpler to use Snort with some packet-filtering tools."
+#~ msgstr ""
+#~ "Standardvärdet för Snorts tester är Alert|Pass|Log. Om du väljer detta "
+#~ "alternativ så kommer ordningen att ändras till Pass|Alert|Log, vilket kan "
+#~ "underlätta användadet av Snort tillsammans med en del "
+#~ "paketfiltreringsverktyg."
 
diff -Nru snort-2.9.0.1/debian/po/ta.po snort-2.9.2/debian/po/ta.po --- snort-2.9.0.1/debian/po/ta.po 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/ta.po 2011-12-27 14:03:58.000000000 -0800 @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2007-03-07 17:31+0530\n" "Last-Translator: Dr.T.Vasudevan \n" "Language-Team: TAMIL \n" @@ -232,33 +232,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -#, fuzzy -#| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "" -"ஸà¯à®©à¯‹à®°à¯à®Ÿà®¿à®©à¯ சோதிகà¯à®•à¯à®®à¯ வரிசை விதிகள௠அனà¯à®ªà¯à®ªà¯| à®à®šà¯à®šà®°à®¿|லாக௠பதிவ௠à®à®© மாறà¯à®±à®ªà¯ பட வேணà¯à®Ÿà¯à®®à®¾?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "தினசரி சà¯à®°à¯à®•à¯à®•தà¯à®¤à¯ˆ மினà¯à®©à®à¯à®šà®²à®¿à®²à¯ அனà¯à®ªà¯à®ª வேணà¯à®Ÿà¯à®®à®¾?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -266,15 +246,15 @@
 
 #. Type: boolean
 #. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
 msgid "Please choose whether you want to activate this feature."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:8001 ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 #, fuzzy
 #| msgid "Who should receive the daily statistics mails?"
 msgid "Recipient of daily statistics mails:"
@@ -282,8 +262,8 @@
 
 #. Type: string
 #. Description
-#: ../snort.templates:8001 ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 msgid ""
 "Please specify the e-mail address that should receive daily summaries of "
 "Snort logs."
@@ -291,29 +271,29 @@
 
 #. Type: string
 #. Description
-#: ../snort.templates:9001 ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Additional custom options:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:9001 ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Please specify any additional options Snort should use."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:10001 ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 msgid "Minimum occurrences before alerts are reported:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:10001 ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 #, fuzzy
 #| msgid ""
 #| "An alert needs to appear more times than this number to be included in "
@@ -327,15 +307,15 @@
 
 #. Type: note
 #. Description
-#: ../snort.templates:11001 ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid "Snort restart required"
 msgstr ""
 
 #. Type: note
 #. Description
-#: ../snort.templates:11001 ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid ""
 "As Snort is manually launched, you need to run '/etc/init.d/snort' for the "
 "changes to take place."
@@ -343,33 +323,8 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid "Configuration error"
-msgstr ""
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid ""
-"The current Snort configuration is invalid and will prevent Snort starting "
-"up normally. Please review and correct it."
-msgstr ""
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid ""
-"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -"
-"c '."
-msgstr ""
-
-#. Type: error
-#. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 #, fuzzy
 #| msgid "This system uses an obsolete configuration file"
 msgid "Obsolete configuration file"
@@ -377,8 +332,8 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 #, fuzzy
 #| msgid ""
 #| "Your system has an obsolete configuration file (/etc/snort/snort.common."
@@ -400,8 +355,8 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 #, fuzzy
 #| msgid ""
 #| "Your system has an obsolete configuration file (/etc/snort/snort.common."
@@ -423,7 +378,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 #, fuzzy
 #| msgid "Do you want to set up a database for snort-mysql to log to?"
 msgid "Set up a database for snort-mysql to log to?"
@@ -431,7 +386,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 "No database has been set up for Snort to log to. Before continuing, you "
 "should make sure you have:"
@@ -439,7 +394,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 " - the server host name (that server must allow TCP connections\n"
 " from this machine);\n"
@@ -449,7 +404,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 "If some of these requirements are missing, reject this option and run with "
 "regular file logging support."
@@ -457,7 +412,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 msgid ""
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-mysql'."
@@ -465,13 +420,13 @@
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
+#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
 msgid "Database server hostname:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
+#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
 #, fuzzy
 #| msgid ""
 #| "Make sure it has been set up correctly to allow incoming connections from "
@@ -484,13 +439,13 @@
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
+#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
 msgid "Database name:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
+#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
 msgid ""
 "Please specify the name of an existing database to which the database user "
 "has write access."
@@ -498,13 +453,13 @@
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
+#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
 msgid "Username for database access:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
+#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
 #, fuzzy
 #| msgid ""
 #| "Make sure this database has been created and your database user has write "
@@ -517,7 +472,7 @@
 
 #. Type: password
 #. Description
-#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001
+#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
 #, fuzzy
 #| msgid "Please enter the password for the database connection."
 msgid "Password for the database connection:"
@@ -525,7 +480,7 @@
 
 #. Type: password
 #. Description
-#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001
+#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
 #, fuzzy
 #| msgid "Please enter a password to connect to the Snort Alert database."
 msgid ""
@@ -534,13 +489,13 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 msgid "Configured database mandatory for Snort"
 msgstr ""
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 #, fuzzy
 #| msgid ""
 #| "Snort needs a configured database before it can successfully start up. In "
@@ -564,7 +519,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
+#: ../snort-mysql.templates:17001
 msgid ""
 " cd /usr/share/doc/snort-mysql/\n"
 " zcat create_mysql.gz | mysql -u -h -p "
@@ -572,7 +527,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
+#: ../snort-mysql.templates:17001
 msgid ""
 "Fill in the correct values for the user, host, and database names. MySQL "
 "will prompt you for the password."
@@ -580,7 +535,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 #, fuzzy
 #| msgid ""
 #| "After you created the database structure, you will need to start Snort "
@@ -592,7 +547,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-pgsql.templates:14001
+#: ../snort-pgsql.templates:12001
 #, fuzzy
 #| msgid "Do you want to set up a database for snort-pgsql to log to?"
 msgid "Set up a database for snort-pgsql to log to?"
@@ -600,7 +555,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-pgsql.templates:14001
+#: ../snort-pgsql.templates:12001
 msgid ""
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-pgsql'."
@@ -608,7 +563,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-pgsql.templates:19001
+#: ../snort-pgsql.templates:17001
 msgid ""
 " cd /usr/share/doc/snort-pgsql/\n"
 " zcat create_postgresql.gz | psql -U -h -W "
@@ -616,7 +571,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." @@ -665,6 +620,34 @@ msgstr "" "உஙà¯à®•ள௠வடிவமைபà¯à®ªà¯ கோபà¯à®ªà®¿à®²à¯ பினà¯à®µà®°à¯à®®à¯ கைவிடபà¯à®ªà®Ÿà¯à®Ÿ தேரà¯à®µà¯à®•ள௠காணப௠படà¯à®Ÿà®©:${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" + +#, fuzzy +#~| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "ஸà¯à®©à¯‹à®°à¯à®Ÿà®¿à®©à¯ சோதிகà¯à®•à¯à®®à¯ வரிசை விதிகள௠அனà¯à®ªà¯à®ªà¯| à®à®šà¯à®šà®°à®¿|லாக௠பதிவ௠à®à®© மாறà¯à®±à®ªà¯ பட வேணà¯à®Ÿà¯à®®à®¾?" + #, fuzzy #~| msgid "You are running Snort manually." #~ msgid "You are running Snort manually" diff -Nru snort-2.9.0.1/debian/po/templates.pot snort-2.9.2/debian/po/templates.pot --- snort-2.9.0.1/debian/po/templates.pot 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/po/templates.pot 2011-12-27 14:03:58.000000000 -0800 @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -168,7 +168,7 @@
 #. Description
 #: ../snort.templates:6001 ../snort-mysql.templates:6001
 #: ../snort-pgsql.templates:6001
-msgid "Should Snort's testing order be changed to Pass|Alert|Log?"
+msgid "Should daily summaries be sent by e-mail?"
 msgstr ""
 
 #. Type: boolean
@@ -176,45 +176,28 @@
 #: ../snort.templates:6001 ../snort-mysql.templates:6001
 #: ../snort-pgsql.templates:6001
 msgid ""
-"Snort's default testing order is Alert|Pass|Log; if you accept this option, "
-"the order will be changed to Pass|Alert|Log, which can make it simpler to "
-"use Snort with some packet-filtering tools."
-msgstr ""
-
-#. Type: boolean
-#. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
-msgid "Should daily summaries be sent by e-mail?"
-msgstr ""
-
-#. Type: boolean
-#. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
-msgid ""
 "A cron job can be set up to send daily summaries of Snort logs to a selected "
 "e-mail address."
 msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../snort.templates:7001 ../snort-mysql.templates:7001
-#: ../snort-pgsql.templates:7001
+#: ../snort.templates:6001 ../snort-mysql.templates:6001
+#: ../snort-pgsql.templates:6001
 msgid "Please choose whether you want to activate this feature."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:8001 ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 msgid "Recipient of daily statistics mails:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:8001 ../snort-mysql.templates:8001
-#: ../snort-pgsql.templates:8001
+#: ../snort.templates:7001 ../snort-mysql.templates:7001
+#: ../snort-pgsql.templates:7001
 msgid ""
 "Please specify the e-mail address that should receive daily summaries of "
 "Snort logs."
@@ -222,29 +205,29 @@
 
 #. Type: string
 #. Description
-#: ../snort.templates:9001 ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Additional custom options:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:9001 ../snort-mysql.templates:9001
-#: ../snort-pgsql.templates:9001
+#: ../snort.templates:8001 ../snort-mysql.templates:8001
+#: ../snort-pgsql.templates:8001
 msgid "Please specify any additional options Snort should use."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:10001 ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 msgid "Minimum occurrences before alerts are reported:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort.templates:10001 ../snort-mysql.templates:10001
-#: ../snort-pgsql.templates:10001
+#: ../snort.templates:9001 ../snort-mysql.templates:9001
+#: ../snort-pgsql.templates:9001
 msgid ""
 "Please enter the minimum number of alert occurrences before a given alert is "
 "included in the daily statistics."
@@ -252,15 +235,15 @@
 
 #. Type: note
 #. Description
-#: ../snort.templates:11001 ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid "Snort restart required"
 msgstr ""
 
 #. Type: note
 #. Description
-#: ../snort.templates:11001 ../snort-mysql.templates:11001
-#: ../snort-pgsql.templates:11001
+#: ../snort.templates:10001 ../snort-mysql.templates:10001
+#: ../snort-pgsql.templates:10001
 msgid ""
 "As Snort is manually launched, you need to run '/etc/init.d/snort' for the "
 "changes to take place."
@@ -268,40 +251,15 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid "Configuration error"
-msgstr ""
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid ""
-"The current Snort configuration is invalid and will prevent Snort starting "
-"up normally. Please review and correct it."
-msgstr ""
-
-#. Type: error
-#. Description
-#: ../snort.templates:12001 ../snort-mysql.templates:12001
-#: ../snort-pgsql.templates:12001
-msgid ""
-"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -"
-"c '."
-msgstr ""
-
-#. Type: error
-#. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid "Obsolete configuration file"
 msgstr ""
 
 #. Type: error
 #. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid ""
 "This system uses an obsolete configuration file (/etc/snort/snort.common."
 "parameters) which has been automatically converted into the new "
@@ -310,8 +268,8 @@
 
 #. Type: error
 #. Description
-#: ../snort.templates:13001 ../snort-mysql.templates:13001
-#: ../snort-pgsql.templates:13001
+#: ../snort.templates:11001 ../snort-mysql.templates:11001
+#: ../snort-pgsql.templates:11001
 msgid ""
 "Please review the new configuration and remove the obsolete one. Until you "
 "do this, the initialization script will not use the new configuration and "
@@ -320,13 +278,13 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 msgid "Set up a database for snort-mysql to log to?"
 msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 "No database has been set up for Snort to log to. Before continuing, you "
 "should make sure you have:"
@@ -334,7 +292,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 " - the server host name (that server must allow TCP connections\n"
 " from this machine);\n"
@@ -344,7 +302,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
+#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001
 msgid ""
 "If some of these requirements are missing, reject this option and run with "
 "regular file logging support."
@@ -352,7 +310,7 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-mysql.templates:14001
+#: ../snort-mysql.templates:12001
 msgid ""
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-mysql'."
@@ -360,13 +318,13 @@
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
+#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
 msgid "Database server hostname:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
+#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001
 msgid ""
 "Please specify the host name of a database server that allows incoming "
 "connections from this host."
@@ -374,13 +332,13 @@
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
+#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
 msgid "Database name:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
+#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001
 msgid ""
 "Please specify the name of an existing database to which the database user "
 "has write access."
@@ -388,39 +346,39 @@
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
+#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
 msgid "Username for database access:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
+#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001
 msgid ""
 "Please specify a database server username with write access to the database."
 msgstr ""
 
 #. Type: password
 #. Description
-#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001
+#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
 msgid "Password for the database connection:"
 msgstr ""
 
 #. Type: password
 #. Description
-#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001
+#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001
 msgid ""
 "Please enter the password to use to connect to the Snort Alert database."
 msgstr ""
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 msgid "Configured database mandatory for Snort"
 msgstr ""
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 msgid ""
 "Snort needs a configured database before it can successfully start up. In "
 "order to create the structure you need to run the following commands AFTER "
@@ -429,7 +387,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
+#: ../snort-mysql.templates:17001
 msgid ""
 " cd /usr/share/doc/snort-mysql/\n"
 " zcat create_mysql.gz | mysql -u -h -p "
@@ -437,7 +395,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001
+#: ../snort-mysql.templates:17001
 msgid ""
 "Fill in the correct values for the user, host, and database names. MySQL "
 "will prompt you for the password."
@@ -445,7 +403,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001
+#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001
 msgid ""
 "After you have created the database structure, you will need to start Snort "
 "manually."
@@ -453,13 +411,13 @@
 
 #. Type: boolean
 #. Description
-#: ../snort-pgsql.templates:14001
+#: ../snort-pgsql.templates:12001
 msgid "Set up a database for snort-pgsql to log to?"
 msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../snort-pgsql.templates:14001
+#: ../snort-pgsql.templates:12001
 msgid ""
 "Database logging can be reconfigured later by running 'dpkg-reconfigure -"
 "plow snort-pgsql'."
@@ -467,7 +425,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-pgsql.templates:19001
+#: ../snort-pgsql.templates:17001
 msgid ""
 " cd /usr/share/doc/snort-pgsql/\n"
 " zcat create_postgresql.gz | psql -U -h -W "
@@ -475,7 +433,7 @@
 
 #. Type: note
 #. Description
-#: ../snort-pgsql.templates:19001
+#: ../snort-pgsql.templates:17001
 msgid ""
 "Fill in the correct values for the user, host, and database names. "
 "PostgreSQL will prompt you for the password."
@@ -505,3 +463,25 @@
 "The following deprecated options were found in the configuration file: "
 "${DEP_CONFIG}"
 msgstr ""
+
+#. Type: error
+#. Description
+#: ../snort-common.templates:2001
+msgid "Configuration error"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../snort-common.templates:2001
+msgid ""
+"The current Snort configuration is invalid and will prevent Snort starting "
+"up normally. Please review and correct it."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../snort-common.templates:2001
+msgid ""
+"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -"
+"c '."
+msgstr ""
diff -Nru snort-2.9.0.1/debian/po/vi.po snort-2.9.2/debian/po/vi.po
--- snort-2.9.0.1/debian/po/vi.po 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/po/vi.po 2011-12-27 14:03:58.000000000 -0800
@@ -6,7 +6,7 @@ msgstr "" "Project-Id-Version: snort 2.7.0-15\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" -"POT-Creation-Date: 2008-05-01 21:28+0200\n" +"POT-Creation-Date: 2011-12-27 14:03-0800\n" "PO-Revision-Date: 2008-04-28 16:20+0930\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" @@ -208,34 +208,13 @@ #. Description #: ../snort.templates:6001 ../snort-mysql.templates:6001 #: ../snort-pgsql.templates:6001 -msgid "Should Snort's testing order be changed to Pass|Alert|Log?" -msgstr "Thứ tá»± kiểm tra cá»§a Snort nên thay đổi thành « Pass|Alert|Log » không?" - -#. Type: boolean -#. Description -#: ../snort.templates:6001 ../snort-mysql.templates:6001 -#: ../snort-pgsql.templates:6001 -msgid "" -"Snort's default testing order is Alert|Pass|Log; if you accept this option, " -"the order will be changed to Pass|Alert|Log, which can make it simpler to " -"use Snort with some packet-filtering tools." -msgstr "" -"Thứ tá»± kiểm tra mặc định cá»§a Snort là « Alert|Pass|Log » (Báo động|Äi qua|Ghi " -"lưu). Bật tùy chá»n này thì thứ tá»± sẽ được thay đổi thành « Pass|Alert|Log », " -"mà có thể làm cho đơn giản hÆ¡n khi dùng Snort vá»›i má»™t số công cụ nào đó để " -"lá»c gói tin." - -#. Type: boolean -#. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Có nên gá»­i hàng ngày thư đính kèm bản tóm tắt không?" #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." 
@@ -245,22 +224,22 @@ #. Type: boolean #. Description -#: ../snort.templates:7001 ../snort-mysql.templates:7001 -#: ../snort-pgsql.templates:7001 +#: ../snort.templates:6001 ../snort-mysql.templates:6001 +#: ../snort-pgsql.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Hãy chá»n có nên kích hoạt tính năng này hay không." #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Ngưá»i nhận thư thống kê hàng ngày:" #. Type: string #. Description -#: ../snort.templates:8001 ../snort-mysql.templates:8001 -#: ../snort-pgsql.templates:8001 +#: ../snort.templates:7001 ../snort-mysql.templates:7001 +#: ../snort-pgsql.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." @@ -269,22 +248,22 @@ #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Additional custom options:" msgstr "Tùy chá»n riêng thêm:" #. Type: string #. Description -#: ../snort.templates:9001 ../snort-mysql.templates:9001 -#: ../snort-pgsql.templates:9001 +#: ../snort.templates:8001 ../snort-mysql.templates:8001 +#: ../snort-pgsql.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "Hãy ghi rõ bất cứ tùy chá»n khác nào Snort nên dùng." #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "Số lần xảy ra tối thiểu trước khi báo động:" 
@@ -292,8 +271,8 @@ # the daily statistics. #. Type: string #. Description -#: ../snort.templates:10001 ../snort-mysql.templates:10001 -#: ../snort-pgsql.templates:10001 +#: ../snort.templates:9001 ../snort-mysql.templates:9001 +#: ../snort-pgsql.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." @@ -303,15 +282,15 @@ #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "Snort restart required" msgstr "Cần thiết khởi chạy lại Snort" #. Type: note #. Description -#: ../snort.templates:11001 ../snort-mysql.templates:11001 -#: ../snort-pgsql.templates:11001 +#: ../snort.templates:10001 ../snort-mysql.templates:10001 +#: ../snort-pgsql.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." 
@@ -321,44 +300,15 @@ #. Type: error #. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "Configuration error" -msgstr "Lá»—i cấu hình" - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"The current Snort configuration is invalid and will prevent Snort starting " -"up normally. Please review and correct it." -msgstr "" -"Cấu hình Snort hiện thá»i không phải là hợp lệ thì ngăn cản Snort khởi chạy " -"bình thưá»ng. Hãy xem lại và sá»­a chữa." - -#. Type: error -#. Description -#: ../snort.templates:12001 ../snort-mysql.templates:12001 -#: ../snort-pgsql.templates:12001 -msgid "" -"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" -"c '." -msgstr "" -"Äể chẩn Ä‘oán lá»—i trong tập tin cấu hình Snort, dùng « /usr/sbin/snort -T -c " -" »." - -#. Type: error -#. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "Obsolete configuration file" msgstr "Tập tin cấu hình quá cÅ©" #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " @@ -372,8 +322,8 @@ #. Type: error #. Description -#: ../snort.templates:13001 ../snort-mysql.templates:13001 -#: ../snort-pgsql.templates:13001 +#: ../snort.templates:11001 ../snort-mysql.templates:11001 +#: ../snort-pgsql.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " 
@@ -385,13 +335,13 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "Set up a database for snort-mysql to log to?" msgstr "Thiết lập má»™t cÆ¡ sở dữ liệu cho snort-mysql đăng nhập vào không?" #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "No database has been set up for Snort to log to. Before continuing, you " "should make sure you have:" @@ -401,7 +351,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" " - the server host name (that server must allow TCP connections\n" " from this machine);\n" @@ -415,7 +365,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 +#: ../snort-mysql.templates:12001 ../snort-pgsql.templates:12001 msgid "" "If some of these requirements are missing, reject this option and run with " "regular file logging support." @@ -425,7 +375,7 @@ #. Type: boolean #. Description -#: ../snort-mysql.templates:14001 +#: ../snort-mysql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-mysql'." @@ -435,13 +385,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "Database server hostname:" msgstr "Tên máy cá»§a máy phục vụ cÆ¡ sở dữ liệu :" #. Type: string #. Description -#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 +#: ../snort-mysql.templates:13001 ../snort-pgsql.templates:13001 msgid "" "Please specify the host name of a database server that allows incoming " "connections from this host." 
@@ -451,13 +401,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "Database name:" msgstr "Tên cÆ¡ sở dữ liệu :" #. Type: string #. Description -#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 +#: ../snort-mysql.templates:14001 ../snort-pgsql.templates:14001 msgid "" "Please specify the name of an existing database to which the database user " "has write access." @@ -467,13 +417,13 @@ #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "Username for database access:" msgstr "Tên ngưá»i dùng để truy cập đến cÆ¡ sở dữ liệu :" #. Type: string #. Description -#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 +#: ../snort-mysql.templates:15001 ../snort-pgsql.templates:15001 msgid "" "Please specify a database server username with write access to the database." msgstr "" @@ -482,13 +432,13 @@ #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "Password for the database connection:" msgstr "Mật khẩu để kết nối đến cÆ¡ sở dữ liệu :" #. Type: password #. Description -#: ../snort-mysql.templates:18001 ../snort-pgsql.templates:18001 +#: ../snort-mysql.templates:16001 ../snort-pgsql.templates:16001 msgid "" "Please enter the password to use to connect to the Snort Alert database." msgstr "" 
@@ -496,13 +446,13 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "Configured database mandatory for Snort" msgstr "CÆ¡ sở dữ liệu đã cấu hình cần thiết cho Snort" #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "Snort needs a configured database before it can successfully start up. In " "order to create the structure you need to run the following commands AFTER " @@ -513,7 +463,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" " cd /usr/share/doc/snort-mysql/\n" " zcat create_mysql.gz | mysql -u -h -p " @@ -523,7 +473,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 +#: ../snort-mysql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. MySQL " "will prompt you for the password." @@ -533,7 +483,7 @@ #. Type: note #. Description -#: ../snort-mysql.templates:19001 ../snort-pgsql.templates:19001 +#: ../snort-mysql.templates:17001 ../snort-pgsql.templates:17001 msgid "" "After you have created the database structure, you will need to start Snort " "manually." @@ -542,13 +492,13 @@ #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "Set up a database for snort-pgsql to log to?" msgstr "Thiết lập má»™t cÆ¡ sở dữ liệu cho snort-pgsql ghi lưu vào không?" #. Type: boolean #. Description -#: ../snort-pgsql.templates:14001 +#: ../snort-pgsql.templates:12001 msgid "" "Database logging can be reconfigured later by running 'dpkg-reconfigure -" "plow snort-pgsql'." 
@@ -558,7 +508,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" " cd /usr/share/doc/snort-pgsql/\n" " zcat create_postgresql.gz | psql -U -h -W " @@ -569,7 +519,7 @@ #. Type: note #. Description -#: ../snort-pgsql.templates:19001 +#: ../snort-pgsql.templates:17001 msgid "" "Fill in the correct values for the user, host, and database names. " "PostgreSQL will prompt you for the password." 
@@ -609,6 +559,46 @@ "Trong tập tin cấu hình, tìm thấy những tùy chá»n bị phản đối này:\n" "${DEP_CONFIG}" +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "Configuration error" +msgstr "Lá»—i cấu hình" + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"The current Snort configuration is invalid and will prevent Snort starting " +"up normally. Please review and correct it." +msgstr "" +"Cấu hình Snort hiện thá»i không phải là hợp lệ thì ngăn cản Snort khởi chạy " +"bình thưá»ng. Hãy xem lại và sá»­a chữa." + +#. Type: error +#. Description +#: ../snort-common.templates:2001 +msgid "" +"To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -" +"c '." +msgstr "" +"Äể chẩn Ä‘oán lá»—i trong tập tin cấu hình Snort, dùng « /usr/sbin/snort -T -c " +" »." + +#~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" +#~ msgstr "" +#~ "Thứ tá»± kiểm tra cá»§a Snort nên thay đổi thành « Pass|Alert|Log » không?" + +#~ msgid "" +#~ "Snort's default testing order is Alert|Pass|Log; if you accept this " +#~ "option, the order will be changed to Pass|Alert|Log, which can make it " +#~ "simpler to use Snort with some packet-filtering tools." +#~ msgstr "" +#~ "Thứ tá»± kiểm tra mặc định cá»§a Snort là « Alert|Pass|Log » (Báo động|Äi qua|" +#~ "Ghi lưu). Bật tùy chá»n này thì thứ tá»± sẽ được thay đổi thành « Pass|Alert|" +#~ "Log », mà có thể làm cho đơn giản hÆ¡n khi dùng Snort vá»›i má»™t số công cụ " +#~ "nào đó để lá»c gói tin." + #~ msgid "You are running Snort manually" #~ msgstr "Bạn Ä‘ang tá»± chạy Snort" diff -Nru snort-2.9.0.1/debian/README-database.Debian snort-2.9.2/debian/README-database.Debian --- snort-2.9.0.1/debian/README-database.Debian 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/README-database.Debian 2011-12-27 14:05:20.000000000 -0800 
@@ -7,6 +7,8 @@ In order to create the database structure do: + - first create the database (see below 'CREATING THE DATABASE') + - if using PostgreSQL $ cd /usr/share/doc/snort-pgsql/ $ zcat create_postgresql.gz | psql -U -h -W @@ -34,20 +36,23 @@ ----------------------- Notice that in order for the above to work you need to create first - a database. - - Consider that you have defined the following information when asked - to in the Debconf dialogs when installing the package: + a database. The following section provides some quick examples + that should be sufficient to create a database for Snort. - Database User: snort - Database Password: snort-db - Database name: snort + Note: The following examples assume you have used the following information + when answering the questions related to database configuration when + installing the package: + + * Database Username: snort + * Database Password: snort-db + * Database name: snort + * Database host: localhost - For Mysql you can do this: + To create the database in MySQL you can do the following: [ running as an mysql user with admin privileges ] $ mysql - mysql> CREATE DATABASE snort + mysql> CREATE DATABASE snort; mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost; mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort; mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snort-db'); @@ -59,7 +64,7 @@ $ zcat create_mysql.gz | mysql -u snort -D snort -psnort-db - For PosgreSQL you can do this: + To create the database in PosgreSQL you can do this: [ running as user 'posgres' ] $ psql template1 @@ -69,8 +74,8 @@ $ zcat create_postgresql.gz | psql snort [ creates the database ] - If you are using authentication based on passwords in your Postgres - database use this: + If you are using authentication based on passwords in your PostgreSQL + database you will have to use this: $ psql snort snort=# CREATE USER snort PASSWORD 'snort-db'; 
@@ -83,10 +88,12 @@ snort=# SELECT * FROM pg_user WHERE usename='snort'; snort=#\q - You should be able now to connect to the Postgres database with: + You should be able now to connect to the PostgreSQL database with: $ psql -U snort --password snort + [ introduce the password defined above when requested ] + Alternatively, if the sensor is running on the same server as the database you could use 'ident' authentication, since the Snort sensor will be running as user 'snort'. Use this line in /etc/postgresql/pg_hba.conf: @@ -97,4 +104,4 @@ -- Javier Fernandez-Sanguino Pen~a - Thu, 25 Aug 2005 16:44:46 +0200 + Sun, 02 Jan 2011 01:53:56 +0100 diff -Nru snort-2.9.0.1/debian/rules snort-2.9.2/debian/rules --- snort-2.9.0.1/debian/rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/rules 2011-12-28 09:28:49.000000000 -0800 @@ -145,7 +145,10 @@ dh_installdirs -s # Install the common binaries $(MAKE) install prefix=$(TMP)/snort-common/usr/ - rm -f $(TMP)/snort-common/usr/sbin/snort + rm -f $(TMP)/snort-common/usr/sbin/snort + # clean dependency_libs + find $(TMP)/snort-common/usr/lib -name "*.la" -exec \ + sed -i -e "s,^dependency_libs=.*,dependency_libs=''," {} + # Snort binaries install -m 755 -o root -g root src/snort-basic $(TMP)/snort/usr/sbin/snort install -m 755 -o root -g root src/snort-mysql $(TMP)/snort-mysql/usr/sbin/snort @@ -218,7 +221,7 @@ binary-indep: build-indep install-indep dh_testdir -i dh_testroot -i - dh_installdocs -i + dh_installdocs -i -XREADME.WIN32 dh_installexamples -i dh_installdebconf -i dh_installman -i @@ -247,10 +250,10 @@ binary-arch: build-arch install-arch dh_testdir -a dh_testroot -a - dh_installdocs -a + dh_installdocs -a dh_installexamples -a dh_installdebconf -a - dh_installman -a + dh_installman -a cp $(TMP)/snort-mysql/usr/share/doc/snort-mysql/copyright $(TMP)/snort/usr/share/doc/snort/ rm -f $(TMP)/snort-mysql/usr/share/man/man8/snort-stat.* rm -f $(TMP)/snort-pgsql/usr/share/man/man8/snort-stat.* 
@@ -267,7 +270,7 @@ dh_strip -a dh_compress -a dh_fixperms -a - dh_makeshlibs -a + dh_makeshlibs -a -Xsnort-common-libraries dh_installdeb -a dh_perl -a dh_shlibdeps -a diff -Nru snort-2.9.0.1/debian/snort-common.config snort-2.9.2/debian/snort-common.config --- snort-2.9.0.1/debian/snort-common.config 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-common.config 2011-12-27 13:45:37.000000000 -0800 @@ -1,6 +1,16 @@ #!/bin/sh -e . /usr/share/debconf/confmodule +test $DEBIAN_SCRIPT_DEBUG && set -v -x + +DBCONF="/etc/snort/database.conf" +# TODO: Having an empty file here is a little bit weird for sysadmins +# it might be better to have a file with just a comment saying +# that it does nothing, but then it makes it difficult for +# snort-common to detect if he has to purge it on postrm +# +# Make sure the database configuration file exists: +[ -d /etc/snort ] && [ ! -e "$DBCONF" ] && touch "$DBCONF" # This is a list of deprecated preprocessors used to detect # bad configuration that will prevent Snort from running diff -Nru snort-2.9.0.1/debian/snort-common.preinst snort-2.9.2/debian/snort-common.preinst --- snort-2.9.0.1/debian/snort-common.preinst 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-common.preinst 2011-12-27 13:43:58.000000000 -0800 @@ -13,12 +13,7 @@ case "$1" in install) - # TODO: Having an empty file here is a little bit weird for sysadmins - # it might be better to have a file with just a comment saying - # that it does nothing, but then it makes it difficult for - # snort-common to detect if he has to purge it on postrm - # make sure the database configuration file exists - [ ! -e "$DBCONF" ] && touch $DBCONF + # Do nothing ;; upgrade) # earlier versions modified /etc/snort/snort.conf directly for the 
@@ -35,7 +30,7 @@ fi fi - if dpkg --compare-versions "$2" le "2.8.5.2-3" && grep -q "(#DBSTART#)" $GENCONF + if dpkg --compare-versions "$2" le "2.8.5.2-3" && [ -e "$GENCONF" ] && grep -q "(#DBSTART#)" "$GENCONF" then GENCONF_TEMPFILE=`mktemp` DBCONF_TEMPFILE=`mktemp` diff -Nru snort-2.9.0.1/debian/snort-common.templates snort-2.9.2/debian/snort-common.templates --- snort-2.9.0.1/debian/snort-common.templates 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-common.templates 2011-12-27 13:52:14.000000000 -0800 @@ -9,3 +9,13 @@ . The following deprecated options were found in the configuration file: ${DEP_CONFIG} + +Template: snort/config_error +Type: error +_Description: Configuration error + The current Snort configuration is invalid and will prevent Snort + starting up normally. Please review and correct it. + . + To diagnose an error in a Snort configuration file, use + '/usr/sbin/snort -T -c '. + diff -Nru snort-2.9.0.1/debian/snort.init.d snort-2.9.2/debian/snort.init.d --- snort-2.9.0.1/debian/snort.init.d 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort.init.d 2011-12-27 14:01:44.000000000 -0800 @@ -24,8 +24,8 @@ # ### BEGIN INIT INFO # Provides: snort -# Required-Start: $time $network $local_fs -# Required-Stop: +# Required-Start: $time $network $local_fs $remote_fs +# Required-Stop: $network $remote_fs # Should-Start: $syslog # Should-Stop: # Default-Start: 2 3 4 5 @@ -294,7 +294,7 @@ done if [ "$got_instance" = 0 ]; then - log_warning_msg "No running snort instance found" + log_warning_msg " - No running snort instance found" exit 0 # LSB demands we don't exit with error here fi if [ $myret -eq 0 ] ; then diff -Nru snort-2.9.0.1/debian/snort-mysql.config snort-2.9.2/debian/snort-mysql.config --- snort-2.9.0.1/debian/snort-mysql.config 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-mysql.config 2011-12-27 14:07:16.000000000 -0800 
@@ -1,8 +1,33 @@ #!/bin/sh -e . /usr/share/debconf/confmodule +test $DEBIAN_SCRIPT_DEBUG && set -v -x + +if [ -r /etc/snort/snort.debian.conf ] ; then + . /etc/snort/snort.debian.conf + # Set the variables in debconf using the configuration values + # (if defined) + [ ! -z "$DEBIAN_SNORT_STARTUP" ] && { db_set snort-mysql/startup "$DEBIAN_SNORT_STARTUP"; db_fset snort-mysql/startup seen true ; } + [ ! -z "$DEBIAN_SNORT_HOME_NET" ] && { db_set snort-mysql/address_range "$DEBIAN_SNORT_HOME_NET"; db_fset snort-mysql/address_range seen true ; } + if [ ! -z "$DEBIAN_SNORT_OPTIONS" ] ; then + # Remove the -p option wich is added in postinst due to the 'DISABLE_PROMISCUOUS' debconf option + DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -p$//'` + db_get snort/reverse_order + if [ "x$RET" = "xyes" ]; then + # Remove the -o option which was introduced by Debconf + # (snort/reverse_order) in versions previous to 2.8.5.2-2 + DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -o$//'` + fi + + db_set snort-mysql/options "$DEBIAN_SNORT_OPTIONS" + db_fset snort-mysql/options seen true + fi + [ ! -z "$DEBIAN_SNORT_INTERFACE" ] && { db_set snort-mysql/interface "$DEBIAN_SNORT_INTERFACE"; db_fset snort-mysql/interface seen true ; } + [ ! -z "$DEBIAN_SNORT_SEND_STATS" ] && { db_set snort-mysql/send_stats "$DEBIAN_SNORT_SEND_STATS"; db_fset snort-mysql/send_stats seen true ; } + [ ! -z "$DEBIAN_SNORT_STATS_RCPT" ] && { db_set snort-mysql/stats_rcpt "$DEBIAN_SNORT_STATS_RCPT" ; db_fset snort-mysql/stats_rcpt seen true ; } + [ ! -z "$DEBIAN_SNORT_STATS_THRESHOLD" ] && { db_set snort-mysql/stats_treshold "$DEBIAN_SNORT_STATS_THRESHOLD"; db_fset snort-mysql/stats_treshold seen true ; } +fi -[ -r /etc/snort/snort.debian.conf ] && . /etc/snort/snort.debian.conf INTERFACES="" 
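Review bot: `db_get snort/reverse_order` in the new `DEBIAN_SNORT_OPTIONS` block queries a question in the `snort/` namespace from the snort-mysql config script, while a later hunk of this same file replaces `snort/invalid_interface` with `snort-mysql/invalid_interface` and the .po hunks above mark the "Should Snort's testing order be changed" template as obsolete, so it is unclear that this question still exists for this package. If it does not, `db_get` returns non-zero and, because the script runs under `#!/bin/sh -e`, the config script aborts before reaching `db_stop`; I cannot confirm the template set from the visible lines. Keep the `-o` cleanup best-effort with `db_get snort/reverse_order || RET=""`, or drop the block if the question is gone. The `echo "$DEBIAN_SNORT_OPTIONS" | sed ...` pipelines would also be safer as `printf '%s\n' "$DEBIAN_SNORT_OPTIONS" | sed ...`, since dash's `echo` treats a leading `-n` as an option. The snort-pgsql.config hunk `@@ -1,8 +1,32 @@` further down carries the identical block.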
@@ -12,7 +37,7 @@ [ -z "$INTERFACES" ] && return 0 ints=`echo $INTERFACES | sed -e 's/,/ /g'` for iface in $ints; do - if ! ifconfig "$iface" | grep -w UP >/dev/null; then + if ! LC_ALL=C ifconfig "$iface" 2>/dev/null | grep -w UP >/dev/null; then return 1 fi done @@ -35,7 +60,7 @@ if [ -z "$DEBIAN_SNORT_INTERFACE" ] ; then INTERFACES=eth0 else - INTERFACES=$DEBIAN_SNORT_INTERFACE + INTERFACES="$DEBIAN_SNORT_INTERFACE" fi # Ask for a valid set of interfaces @@ -62,8 +87,8 @@ db_get snort-mysql/interface INTERFACES=$RET if ! check_interfaces ; then - db_fset snort/invalid_interface seen false - db_input critical snort/invalid_interface + db_fset snort-mysql/invalid_interface seen false + db_input critical snort-mysql/invalid_interface else ok='yes' fi @@ -142,3 +167,4 @@ fi db_stop + diff -Nru snort-2.9.0.1/debian/snort-mysql.postinst snort-2.9.2/debian/snort-mysql.postinst --- snort-2.9.0.1/debian/snort-mysql.postinst 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-mysql.postinst 2011-12-27 14:10:41.000000000 -0800 @@ -1,6 +1,9 @@ #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf +CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum +DBCONFIG=/etc/snort/database.conf +DBCONFIG_CHECKSUM=/var/lib/snort/database.conf.md5sum . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x @@ -22,6 +25,24 @@ # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. + +FIRSTINST= +RECONFIGURE= +if [ "$1" = "reconfigure" ] || [ -n "$DEBCONF_RECONFIGURE" ]; then + RECONFIGURE="true" + else + RECONFIGURE= +fi + +if ([ "$1" = "install" ] || [ "$1" = "configure" ]) && [ -z "$2" ]; then + FIRSTINST="yes" +fi + +if [ -z "$RECONFIGURE" ] && [ -z "$FIRSTINST" ]; then + UPGRADE="yes" +fi + + case "$1" in install) ;; 
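Review bot: `UPGRADE` is the only one of the three mode flags that is never cleared: `FIRSTINST=` and `RECONFIGURE=` are reset at the top of the snort-mysql.postinst `@@ -22,6 +25,24 @@` hunk, but `UPGRADE` is only ever assigned `yes`, so a value inherited from the calling environment would make every later `[ -z "$UPGRADE" ]` test (outside this hunk) treat a first install or reconfigure as an upgrade and refuse to write the generated configuration. Add `UPGRADE=` next to the other two. The `if ... then RECONFIGURE="true" else RECONFIGURE= fi` is redundant once the variable is cleared above, and its `else` is indented one level off. The same block appears verbatim in the snort-pgsql.postinst hunk `@@ -22,6 +25,22 @@` at the end of this chunk.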
@@ -37,23 +58,51 @@ fi ;; configure) - # edit config file - db_get snort-mysql/startup || true; STARTUP=$RET + # only mess with config file it exists; otherwise, assume that's the way the + # user wants it, but only if upgrading + if [ -e "$CONFIG" ] || [ -z "$UPGRADE" ]; then + # similarly, check for the existence of the checksum file; if it doesn't + # exist, assume that's the way the user wants it, but only if upgrading + if [ -e "$CONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then + # next, compare the current and stored checksums; if they do not match, + # assume that's the way the user wants it ... upgrading etc + if [ "$(md5sum "$CONFIG" 2>/dev/null)" = \ + "$(cat "$CONFIG_CHECKSUM" 2>/dev/null)" ] || \ + [ -z "$UPGRADE" ]; then + # they match; get ready to prepare a new version of the config file + overwrite_config="yes" + fi + fi + fi + + # generate new config file + db_get snort-mysql/startup || true; STARTUP="$RET" db_get snort-mysql/interface || true; INTERFACE="$RET" db_get snort-mysql/address_range || true; ADDRESS_RANGE="$RET" - db_get snort-mysql/disable_promiscuous || true; DISABLE_PROMISCUOUS=$RET - db_get snort-mysql/send_stats || true; STATS_SEND="$RET" + db_get snort-mysql/disable_promiscuous || true; DISABLE_PROMISCUOUS="$RET" + db_get snort-mysql/send_stats || true; STATS_SEND="$RET" db_get snort-mysql/stats_rcpt || true; STATS_RCPT="$RET" db_get snort-mysql/stats_treshold || true; STATS_THRESHOLD="$RET" db_get snort-mysql/options || true; OPTIONS="$RET" test "$DISABLE_PROMISCUOUS" = "true" && OPTIONS="$OPTIONS -p" + # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 - #STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` + # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` + - cat <$CONFIG + # If this is an upgrade from a previous release that did not have + # a configuration checksum then try to determine if we can + 
# upgrade. + # + # To do this: tlest the current configuration against the old auto-generated configuration + # file if there is no configuration checksum and create one if it exists. + # Also, tell the script to overwrite with the new configuration file. + if [ ! -e "$CONFIG_CHECKSUM" ] && [ -e "$CONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then + OLD_CONFIG=$(tempfile) + cat <>"$OLD_CONFIG" # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. 
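Review bot: the stored checksum written later as `md5sum "$CONFIG" > "$CONFIG_CHECKSUM"` lands under `/var/lib/snort/`, and nothing in this hunk or the surrounding visible lines creates that directory; under `#!/bin/sh -e` a failed redirection aborts the postinst, so confirm the package ships the directory or add `mkdir -p "$(dirname "$CONFIG_CHECKSUM")"` before the first write. The three nested existence/checksum tests would read more easily as one `overwrite_config` decision with a single comment, e.g. `# overwrite only on first install/reconfigure, or when the file still matches the checksum we stored last time`. Two comment typos: "only mess with config file it exists" should be "if it exists", and "tlest the current configuration" should be "test the current configuration". The heredoc lines render here as `cat <$CONFIG` and `cat <>"$OLD_CONFIG"`, presumably `cat <<EOF ...` lost to extraction; the `configure)` arm this hunk belongs to starts and ends outside it.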
@@ -66,6 +115,63 @@ DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF + if cmp -s "$CONFIG" "$OLD_CONFIG"; then + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + overwrite_config="yes" + fi + rm -f "$OLD_CONFIG" + fi + + # Create the new configuration file based on debconf information + NEW_CONFIG=$(tempfile) + + cat <>"$NEW_CONFIG" +# snort.debian.config (Debian Snort configuration file) +# +# This file was generated by the post-installation script of the snort-mysql +# package using values from the debconf database. +# +# It is used for options that are changed by Debian to leave +# the original configuration files untouched. +# +# This file is automatically updated on upgrades of the snort-mysql +# package *only* if it has not been modified since the last upgrade of that package. +# +# If you have edited this file but would like it to be automatically updated +# again, run the following command as root: +# dpkg-reconfigure snort-mysql + +DEBIAN_SNORT_STARTUP="$STARTUP" +DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" +DEBIAN_SNORT_OPTIONS="$OPTIONS" +DEBIAN_SNORT_INTERFACE="$INTERFACE" +DEBIAN_SNORT_SEND_STATS="$STATS_SEND" +DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" +DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" +EOF + + if ! cmp -s "$CONFIG" "$NEW_CONFIG"; then + if [ "$overwrite_config" = "yes" ] ;then + cp "$NEW_CONFIG" "$CONFIG.dpkg-new" + mv "$CONFIG.dpkg-new" "$CONFIG" + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + else + if [ ! -e "$CONFIG" ] ; then + echo "snort: not updating $CONFIG; file does not exist" >&2 + else + if [ ! -e "$CONFIG_CHECKSUM" ] ; then + echo "snort: not updating $CONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 + else + echo "snort: not updating $CONFIG; file has been customized" >&2 + fi + fi + fi + else + # Update the md5sum file + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + fi + rm -f "$NEW_CONFIG" + if [ -e /etc/snort/db-pending-config ] ; then STARTUP="manual" 
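Review bot: the regenerated `$CONFIG` now gets its permission bits from the `tempfile`-created `$NEW_CONFIG` via `cp "$NEW_CONFIG" "$CONFIG.dpkg-new"` followed by `mv`, whereas the old `cat <<EOF >$CONFIG` produced a umask-derived mode for a fresh file; `tempfile` defaults to 0600 as far as I know, so a first-time write of snort.debian.conf is likely to end up root-only readable. If that is intended, say so in a comment; otherwise make the mode explicit, e.g. `install -m 0644 "$NEW_CONFIG" "$CONFIG.dpkg-new"`, so it does not depend on the temp-file tool's defaults. The three nested `echo "snort: not updating $CONFIG; ..." >&2` branches could be collapsed into one message variable chosen by an `elif` chain. The heredoc line renders as `cat <>"$NEW_CONFIG"`, presumably `cat <<EOF >>"$NEW_CONFIG"` garbled by extraction.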
@@ -77,18 +183,41 @@ echo "and then remove /etc/snort/db-pending-config" fi - if [ "$STARTUP" != "manual" ]; then - # create database config stuff in the configuration file, - # or configure it for syslog-logging. - db_get snort-mysql/configure_db - if [ "$RET" = "true" ]; then +# create database config stuff in the configuration file, +# or configure it for syslog-logging. + db_get snort-mysql/configure_db + if [ "$RET" = "true" ]; then + + # only mess with config file it exists; otherwise, assume that's the way the + # user wants it, but only if upgrading + if [ -e "$DBCONFIG" ] || [ -z "$UPGRADE" ]; then + # similarly, check for the existence of the checksum file; if it doesn't + # exist, assume that's the way the user wants it, but only if upgrading + if [ -e "$DBCONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then + # next, compare the current and stored checksums; if they do not match, + # assume that's the way the user wants it ... upgrading etc + if [ "$(md5sum "$DBCONFIG" 2>/dev/null)" = \ + "$(cat "$DBCONFIG_CHECKSUM" 2>/dev/null)" ] || \ + [ -z "$UPGRADE" ]; then + # they match; get ready to prepare a new version of the config file + overwrite_dbconfig="yes" + fi + fi + fi + if [ ! -e "$DBCONFIG" ] && [ "$FIRSTINST" = "yes" ]; then + overwrite_config="yes" + fi + db_get snort-mysql/db_host || true; DB_HOST=$RET db_get snort-mysql/db_database || true; DB_DATABASE=$RET db_get snort-mysql/db_user || true; DB_USER=$RET db_get snort-mysql/db_pass || true; DB_PASS=$RET + # Check if this is an upgrade from previous version with no checksum + if [ ! -e "$DBCONFIG_CHECKSUM" ] && [ -e "$DBCONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then + # Here we put the database stuff in the config file. - TEMPFILE=`mktemp` + TEMPFILE=$(tempfile) # Header information echo "# AUTOMATIC GENERATED FILE -- DO NOT EDIT" >> $TEMPFILE echo "# Please, keep your paws off of these file" >> $TEMPFILE 
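Review bot: `if [ ! -e "$DBCONFIG" ] && [ "$FIRSTINST" = "yes" ]; then overwrite_config="yes"` sets the snort.debian.conf flag, not the database one; on a first install `overwrite_dbconfig` is already `yes` from the `[ -z "$UPGRADE" ]` path, so today the line is a harmless typo, but it should read `overwrite_dbconfig="yes"` before someone relies on it. `db_get snort-mysql/db_pass || true; DB_PASS=$RET` runs after the file-level `test $DEBIAN_SCRIPT_DEBUG && set -v -x` (outside this hunk), so with that debug variable set the database password is echoed to stderr by the shell trace; consider `set +x` around the password handling or at least a comment warning about it. The two comment lines `# create database config stuff ...` were moved to column 0 inside a nested block, which breaks the file's indentation style. The enclosing `configure)` arm starts and ends outside this hunk.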
@@ -96,25 +225,78 @@ echo "# Anything you put in this file will be removed on (re)configure." >> $TEMPFILE echo -n "output database: log, mysql, " >> $TEMPFILE - if [ $DB_USER ] + if [ -n "$DB_USER" ] then echo -n "user=$DB_USER " >> $TEMPFILE fi - if [ $DB_PASS ] + if [ -n "$DB_PASS" ] then echo -n "password=$DB_PASS " >> $TEMPFILE fi - if [ $DB_DATABASE ] + if [ -n "$DB_DATABASE" ] then echo -n "dbname=$DB_DATABASE " >> $TEMPFILE fi - if [ $DB_HOST ] + if [ -n "$DB_HOST" ] then echo -n "host=$DB_HOST " >> $TEMPFILE fi echo " " >> $TEMPFILE - mv -f $TEMPFILE /etc/snort/database.conf - fi # of if $RET + + if cmp -s "$DBCONFIG" "$TEMPFILE"; then + md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" + overwrite_dbconfig="yes" + fi + fi + + NEW_DBCONFIG=$(tempfile) + cat <>"$NEW_DBCONFIG" +# database.config (Debian Snort database configuration file) +# +# This file was generated by the post-installation script of the +# snort-mysql package using values from the debconf database. +# +# It is used for database options for Snort that are configured +# by the sysadmin to live the original configuration files untouched. +# +# This file is automatically updated on upgrades of the snort-mysql +# package *only* if it has not been modified since the last upgrade of that +# package. +# +# If you have edited this file but would like it to be automatically updated +# again, run the following command as root: +# dpkg-reconfigure snort-mysql +# +EOF + + echo -n "output database: log, mysql, " >> "$NEW_DBCONFIG" + [ -n "$DB_USER" ] && echo -n "user=$DB_USER " >> "$NEW_DBCONFIG" + [ -n "$DB_PASS" ] && echo -n "password=$DB_PASS " >> "$NEW_DBCONFIG" + [ -n "$DB_DATABASE" ] && echo -n "dbname=$DB_DATABASE " >> "$NEW_DBCONFIG" + [ -n "$DB_HOST" ] && echo -n "host=$DB_HOST " >> "$NEW_DBCONFIG" + echo " " >> "$NEW_DBCONFIG" + + if ! 
cmp -s "$CONFIG" "$NEW_DBCONFIG"; then + if [ "$overwrite_dbconfig" = "yes" ] ;then + cp "$NEW_DBCONFIG" "$DBCONFIG.dpkg-new" + mv "$DBCONFIG.dpkg-new" "$DBCONFIG" + md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" + else + if [ ! -e "$DBCONFIG" ] ; then + echo "snort: not updating $DBCONFIG; file does not exist" >&2 + else + if [ ! -e "$DBCONFIG_CHECKSUM" ] ; then + echo "snort: not updating $DBCONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 + else + echo "snort: not updating $DBCONFIG; file has been customized" >&2 + fi + fi + fi + fi + rm -f "$NEW_DBCONFIG" + + + fi # of if $RET true - end of database configuration # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null @@ -127,24 +309,26 @@ chown root:snort /etc/snort/database.conf chmod 640 /etc/snort/database.conf fi - fi # of if $STARTUP + db_stop # Check for left-over files from woody packages. OLDCONF=/etc/snort/snort.rules.conf - if [ -f $OLDCONF ]; then - mv $OLDCONF $OLDCONF.OBSOLETE + if [ -f "$OLDCONF" ]; then + mv "$OLDCONF" "$OLDCONF.OBSOLETE" fi # Update the rc.d's update-rc.d snort defaults >/dev/null + if [ "$STARTUP" != "manual" ]; then # in the case we reconfigure we have to restart and not just to start. if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? fi + fi # of if STARTUP - manual ;; abort-upgrade) ;; diff -Nru snort-2.9.0.1/debian/snort-mysql.prerm snort-2.9.2/debian/snort-mysql.prerm --- snort-2.9.0.1/debian/snort-mysql.prerm 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-mysql.prerm 2011-12-27 13:34:51.000000000 -0800 
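Review bot: `if ! cmp -s "$CONFIG" "$NEW_DBCONFIG"; then` compares the freshly generated database.conf against snort.debian.conf (`$CONFIG`) instead of `$DBCONFIG`, so the two always differ: an unchanged database.conf is either rewritten and re-checksummed, or reported as "file has been customized", and the match case never records a checksum the way the snort.debian.conf block in hunk `@@ -66,6 +115,63 @@` does. The line should be `if ! cmp -s "$DBCONFIG" "$NEW_DBCONFIG"; then`, with an `else` branch that runs `md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM"` to mirror that block. `echo -n "password=$DB_PASS " >> "$NEW_DBCONFIG"` (and the same line in the `$TEMPFILE` compatibility block) goes through dash's `echo`, which interprets backslash sequences in its arguments, so a password containing `\` is mangled on the way into the file; `printf '%s' "password=$DB_PASS " >> "$NEW_DBCONFIG"` writes it verbatim. The checksum here only detects local edits and is not an integrity control, which a one-line comment on `DBCONFIG_CHECKSUM` could make explicit.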
@@ -24,7 +24,7 @@ /etc/init.d/snort stop || exit $? fi else - start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/nessusd + start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort fi rm -f /var/run/snort_*.pid diff -Nru snort-2.9.0.1/debian/snort-mysql.templates snort-2.9.2/debian/snort-mysql.templates --- snort-2.9.0.1/debian/snort-mysql.templates 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-mysql.templates 2011-12-27 13:53:02.000000000 -0800 @@ -91,15 +91,6 @@ As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. -Template: snort-mysql/config_error -Type: error -_Description: Configuration error - The current Snort configuration is invalid and will prevent Snort - starting up normally. Please review and correct it. - . - To diagnose an error in a Snort configuration file, use - '/usr/sbin/snort -T -c '. - Template: snort-mysql/config_parameters Type: error _Description: Obsolete configuration file diff -Nru snort-2.9.0.1/debian/snort-pgsql.config snort-2.9.2/debian/snort-pgsql.config --- snort-2.9.0.1/debian/snort-pgsql.config 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-pgsql.config 2011-12-27 14:07:22.000000000 -0800 
@@ -1,8 +1,32 @@ #!/bin/sh -e . /usr/share/debconf/confmodule +test $DEBIAN_SCRIPT_DEBUG && set -v -x -[ -r /etc/snort/snort.debian.conf ] && . /etc/snort/snort.debian.conf +if [ -r /etc/snort/snort.debian.conf ] ; then + . /etc/snort/snort.debian.conf + # Set the variables in debconf using the configuration values + # (if defined) + [ ! -z "$DEBIAN_SNORT_STARTUP" ] && { db_set snort-pgsql/startup "$DEBIAN_SNORT_STARTUP"; db_fset snort-pgsql/startup seen true ; } + [ ! -z "$DEBIAN_SNORT_HOME_NET" ] && { db_set snort-pgsql/address_range "$DEBIAN_SNORT_HOME_NET"; db_fset snort-pgsql/address_range seen true ; } + if [ ! -z "$DEBIAN_SNORT_OPTIONS" ] ; then + # Remove the -p option wich is added in postinst due to the 'DISABLE_PROMISCUOUS' debconf option + DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -p$//'` + db_get snort/reverse_order + if [ "x$RET" = "xyes" ]; then + # Remove the -o option which was introduced by Debconf + # (snort/reverse_order) in versions previous to 2.8.5.2-2 + DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -o$//'` + fi + + db_set snort-pgsql/options "$DEBIAN_SNORT_OPTIONS" + db_fset snort-pgsql/options seen true + fi + [ ! -z "$DEBIAN_SNORT_INTERFACE" ] && { db_set snort-pgsql/interface "$DEBIAN_SNORT_INTERFACE"; db_fset snort-pgsql/interface seen true ; } + [ ! -z "$DEBIAN_SNORT_SEND_STATS" ] && { db_set snort-pgsql/send_stats "$DEBIAN_SNORT_SEND_STATS"; db_fset snort-pgsql/send_stats seen true ; } + [ ! -z "$DEBIAN_SNORT_STATS_RCPT" ] && { db_set snort-pgsql/stats_rcpt "$DEBIAN_SNORT_STATS_RCPT" ; db_fset snort-pgsql/stats_rcpt seen true ; } + [ ! -z "$DEBIAN_SNORT_STATS_THRESHOLD" ] && { db_set snort-pgsql/stats_treshold "$DEBIAN_SNORT_STATS_THRESHOLD"; db_fset snort-pgsql/stats_treshold seen true ; } +fi INTERFACES="" 
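Review bot: `db_get snort/reverse_order` is a bare command in a `#!/bin/sh -e` script with no `|| true`, so if that question is not registered for this package the non-zero return from debconf aborts the config script on every system that has `DEBIAN_SNORT_OPTIONS` set in snort.debian.conf. Every other question touched in this hunk lives in the `snort-pgsql/` namespace, and the next hunk renames `snort/invalid_interface` to `snort-pgsql/invalid_interface`, apparently for exactly this reason. Write `db_get snort/reverse_order || true` (the postinst does this for each of its db_get calls) or query `snort-pgsql/reverse_order`, whichever template this package actually ships. The `[ ! -z ... ] && { ... }` lists are safe under `-e`, but note they also swallow a failing `db_set`; comment typo `wich` → `which`.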
@@ -12,7 +36,7 @@ [ -z "$INTERFACES" ] && return 0 ints=`echo $INTERFACES | sed -e 's/,/ /g'` for iface in $ints; do - if ! ifconfig "$iface" | grep -w UP >/dev/null; then + if ! LC_ALL=C ifconfig "$iface" 2>/dev/null | grep -w UP >/dev/null; then return 1 fi done @@ -34,7 +58,7 @@ if [ -z "$DEBIAN_SNORT_INTERFACE" ] ; then INTERFACES=eth0 else - INTERFACES=$DEBIAN_SNORT_INTERFACE + INTERFACES="$DEBIAN_SNORT_INTERFACE" fi # Ask for a valid set of interfaces @@ -61,8 +85,8 @@ db_get snort-pgsql/interface INTERFACES=$RET if ! check_interfaces ; then - db_fset snort/invalid_interface seen false - db_input critical snort/invalid_interface + db_fset snort-pgsql/invalid_interface seen false + db_input critical snort-pgsql/invalid_interface else ok='yes' fi @@ -142,3 +166,5 @@ fi db_stop + + diff -Nru snort-2.9.0.1/debian/snort-pgsql.postinst snort-2.9.2/debian/snort-pgsql.postinst --- snort-2.9.0.1/debian/snort-pgsql.postinst 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort-pgsql.postinst 2011-12-27 14:10:08.000000000 -0800 @@ -1,6 +1,9 @@ #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf +CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum +DBCONFIG=/etc/snort/database.conf +DBCONFIG_CHECKSUM=/var/lib/snort/database.conf.md5sum . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x @@ -22,6 +25,22 @@ # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. +FIRSTINST= +RECONFIGURE= +if [ "$1" = "reconfigure" ] || [ -n "$DEBCONF_RECONFIGURE" ]; then + RECONFIGURE="true" + else + RECONFIGURE= +fi + +if ([ "$1" = "install" ] || [ "$1" = "configure" ]) && [ -z "$2" ]; then + FIRSTINST="yes" +fi + +if [ -z "$RECONFIGURE" ] && [ -z "$FIRSTINST" ]; then + UPGRADE="yes" +fi + case "$1" in install) ;; 
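Review bot: `UPGRADE` is never reset before `UPGRADE="yes"`, unlike `FIRSTINST=` and `RECONFIGURE=` just above it, so a value inherited from the caller's environment would make the later `[ -z "$UPGRADE" ]` tests treat a fresh install as an upgrade and refuse to write the generated config files; add `UPGRADE=` next to the other two. `overwrite_config` and `overwrite_dbconfig` have the same problem: they are only ever set to "yes" and never cleared first. The `if ...; then RECONFIGURE="true"; else RECONFIGURE=; fi` repeats the reset on the line before it and can be reduced to the `then` branch. The identical block is added to snort.postinst further down this page.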
@@ -37,23 +56,51 @@ fi ;; configure) - # edit config file - db_get snort-pgsql/startup || true; STARTUP=$RET + # only mess with config file it exists; otherwise, assume that's the way the + # user wants it, but only if upgrading + if [ -e "$CONFIG" ] || [ -z "$UPGRADE" ]; then + # similarly, check for the existence of the checksum file; if it doesn't + # exist, assume that's the way the user wants it, but only if upgrading + if [ -e "$CONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then + # next, compare the current and stored checksums; if they do not match, + # assume that's the way the user wants it ... upgrading etc + if [ "$(md5sum "$CONFIG" 2>/dev/null)" = \ + "$(cat "$CONFIG_CHECKSUM" 2>/dev/null)" ] || \ + [ -z "$UPGRADE" ]; then + # they match; get ready to prepare a new version of the config file + overwrite_config="yes" + fi + fi + fi + + # generate new config file + db_get snort-pgsql/startup || true; STARTUP="$RET" db_get snort-pgsql/interface || true; INTERFACE="$RET" db_get snort-pgsql/address_range || true; ADDRESS_RANGE="$RET" - db_get snort-pgsql/disable_promiscuous || true; DISABLE_PROMISCUOUS=$RET - db_get snort-pgsql/send_stats || true; STATS_SEND="$RET" + db_get snort-pgsql/disable_promiscuous || true; DISABLE_PROMISCUOUS="$RET" + db_get snort-pgsql/send_stats || true; STATS_SEND="$RET" db_get snort-pgsql/stats_rcpt || true; STATS_RCPT="$RET" db_get snort-pgsql/stats_treshold || true; STATS_THRESHOLD="$RET" db_get snort-pgsql/options || true; OPTIONS="$RET" test "$DISABLE_PROMISCUOUS" = "true" && OPTIONS="$OPTIONS -p" + # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 - #STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` + # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` + - cat <$CONFIG + # If this is an upgrade from a previous release that did not have + # a configuration checksum then try to determine if we can + 
# upgrade. + # + # To do this: tlest the current configuration against the old auto-generated configuration + # file if there is no configuration checksum and create one if it exists. + # Also, tell the script to overwrite with the new configuration file. + if [ ! -e "$CONFIG_CHECKSUM" ] && [ -e "$CONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then + OLD_CONFIG=$(tempfile) + cat <>"$OLD_CONFIG" # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. 
@@ -66,7 +113,65 @@ DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF - if [ -e /etc/snort/db-pending-config ] ; then + if cmp -s "$CONFIG" "$OLD_CONFIG"; then + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + overwrite_config="yes" + fi + rm -f "$OLD_CONFIG" + fi + + # Create the new configuration file based on debconf information + NEW_CONFIG=$(tempfile) + + cat <>"$NEW_CONFIG" +# snort.debian.config (Debian Snort configuration file) +# +# This file was generated by the post-installation script of the snort-pgsql +# package using values from the debconf database. +# +# It is used for options that are changed by Debian to leave +# the original configuration files untouched. +# +# This file is automatically updated on upgrades of the snort-pgsql +# package *only* if it has not been modified since the last upgrade of that package. +# +# If you have edited this file but would like it to be automatically updated +# again, run the following command as root: +# dpkg-reconfigure snort-pgsql + +DEBIAN_SNORT_STARTUP="$STARTUP" +DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" +DEBIAN_SNORT_OPTIONS="$OPTIONS" +DEBIAN_SNORT_INTERFACE="$INTERFACE" +DEBIAN_SNORT_SEND_STATS="$STATS_SEND" +DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" +DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" +EOF + + if ! cmp -s "$CONFIG" "$NEW_CONFIG"; then + if [ "$overwrite_config" = "yes" ] ;then + cp "$NEW_CONFIG" "$CONFIG.dpkg-new" + mv "$CONFIG.dpkg-new" "$CONFIG" + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + else + if [ ! -e "$CONFIG" ] ; then + echo "snort: not updating $CONFIG; file does not exist" >&2 + else + if [ ! 
-e "$CONFIG_CHECKSUM" ] ; then + echo "snort: not updating $CONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 + else + echo "snort: not updating $CONFIG; file has been customized" >&2 + fi + fi + fi + else + # Update the md5sum file + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + fi + rm -f "$NEW_CONFIG" + + + if [ -e /etc/snort/db-pending-config ] ; then STARTUP="manual" echo echo "/etc/snort/db-pending-config file found" 
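Review bot: `cp "$NEW_CONFIG" "$CONFIG.dpkg-new"` followed by `mv` installs the file with the permission bits of the tempfile(1) output, which defaults to 0600, so snort.debian.conf is now created 0600 root:root where the removed `cat ... >$CONFIG` redirection left it at the umask-derived mode; that is probably fine if only the root-run init script reads it, but I would make the intended mode explicit with a `chmod` on `"$CONFIG.dpkg-new"` before the `mv` rather than inherit it. `$OLD_CONFIG` and `$NEW_CONFIG` are only removed on the success path; under `sh -e` any failing command before the `rm -f` leaves them in /tmp, so a `trap 'rm -f "$OLD_CONFIG" "$NEW_CONFIG"' EXIT` at the start of the configure branch would be safer. Both points apply equally to the snort.postinst counterpart below.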
@@ -76,42 +181,120 @@ echo "and then remove /etc/snort/db-pending-config" fi - if [ "$STARTUP" != "manual" ]; then - # create database config stuff in the database.conf configuration file, - # or configure it for syslog-logging. - db_get snort-pgsql/configure_db - if [ "$RET" = "true" ]; then - db_get snort-pgsql/db_host || true; DB_HOST=$RET - db_get snort-pgsql/db_database || true; DB_DATABASE=$RET - db_get snort-pgsql/db_user || true; DB_USER=$RET - db_get snort-pgsql/db_pass || true; DB_PASS=$RET - - TEMPFILE=`mktemp` - # Header information - echo "# AUTOMATIC GENERATED FILE -- DO NOT EDIT" >> $TEMPFILE - echo "# Please, keep your paws off of these file" >> $TEMPFILE - echo "# or you *will* break the configure process (snort-pgsql/snort-mysql only)" >> $TEMPFILE - echo "# Anything you put in this file will be removed on (re)configure." >> $TEMPFILE - - echo -n "output database: log, postgresql, " >> $TEMPFILE - if [ $DB_USER ] - then - echo -n "user=$DB_USER " >> $TEMPFILE - fi - if [ $DB_PASS ] - then - echo -n "password=$DB_PASS " >> $TEMPFILE - fi - if [ $DB_DATABASE ] - then - echo -n "dbname=$DB_DATABASE " >> $TEMPFILE - fi - if [ $DB_HOST ] - then - echo -n "host=$DB_HOST " >> $TEMPFILE - fi - mv -f $TEMPFILE /etc/snort/database.conf - fi # of if $RET +# create database config stuff in the configuration file, +# or configure it for syslog-logging. + db_get snort-pgsql/configure_db + if [ "$RET" = "true" ]; then + + # only mess with config file it exists; otherwise, assume that's the way the + # user wants it, but only if upgrading + if [ -e "$DBCONFIG" ] || [ -z "$UPGRADE" ]; then + # similarly, check for the existence of the checksum file; if it doesn't + # exist, assume that's the way the user wants it, but only if upgrading + if [ -e "$DBCONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then + # next, compare the current and stored checksums; if they do not match, + # assume that's the way the user wants it ... 
upgrading etc + if [ "$(md5sum "$DBCONFIG" 2>/dev/null)" = \ + "$(cat "$DBCONFIG_CHECKSUM" 2>/dev/null)" ] || \ + [ -z "$UPGRADE" ]; then + # they match; get ready to prepare a new version of the config file + overwrite_dbconfig="yes" + fi + fi + fi + if [ ! -e "$DBCONFIG" ] && [ "$FIRSTINST" = "yes" ]; then + overwrite_config="yes" + fi + + db_get snort-pgsql/db_host || true; DB_HOST=$RET + db_get snort-pgsql/db_database || true; DB_DATABASE=$RET + db_get snort-pgsql/db_user || true; DB_USER=$RET + db_get snort-pgsql/db_pass || true; DB_PASS=$RET + + # Check if this is an upgrade from previous version with no checksum + if [ ! -e "$DBCONFIG_CHECKSUM" ] && [ -e "$DBCONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then + + # Here we put the database stuff in the config file. + TEMPFILE=$(tempfile) + # Header information + echo "# AUTOMATIC GENERATED FILE -- DO NOT EDIT" >> $TEMPFILE + echo "# Please, keep your paws off of these file" >> $TEMPFILE + echo "# or you *will* break the configure process (snort-pgsql/snort-pgsql only)" >> $TEMPFILE + echo "# Anything you put in this file will be removed on (re)configure." >> $TEMPFILE + + echo -n "output database: log, postgresql, " >> $TEMPFILE + if [ -n "$DB_USER" ] + then + echo -n "user=$DB_USER " >> $TEMPFILE + fi + if [ -n "$DB_PASS" ] + then + echo -n "password=$DB_PASS " >> $TEMPFILE + fi + if [ -n "$DB_DATABASE" ] + then + echo -n "dbname=$DB_DATABASE " >> $TEMPFILE + fi + if [ -n "$DB_HOST" ] + then + echo -n "host=$DB_HOST " >> $TEMPFILE + fi + echo " " >> $TEMPFILE + + if cmp -s "$DBCONFIG" "$TEMPFILE"; then + md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" + overwrite_dbconfig="yes" + fi + fi + + NEW_DBCONFIG=$(tempfile) + cat <>"$NEW_DBCONFIG" +# database.config (Debian Snort database configuration file) +# +# This file was generated by the post-installation script of the +# snort-pgsql package using values from the debconf database. 
+# +# It is used for database options for Snort that are configured +# by the sysadmin to live the original configuration files untouched. +# +# This file is automatically updated on upgrades of the snort-pgsql +# package *only* if it has not been modified since the last upgrade of that +# package. +# +# If you have edited this file but would like it to be automatically updated +# again, run the following command as root: +# dpkg-reconfigure snort-pgsql +# +EOF + + echo -n "output database: log, postgresql, " >> "$NEW_DBCONFIG" + [ -n "$DB_USER" ] && echo -n "user=$DB_USER " >> "$NEW_DBCONFIG" + [ -n "$DB_PASS" ] && echo -n "password=$DB_PASS " >> "$NEW_DBCONFIG" + [ -n "$DB_DATABASE" ] && echo -n "dbname=$DB_DATABASE " >> "$NEW_DBCONFIG" + [ -n "$DB_HOST" ] && echo -n "host=$DB_HOST " >> "$NEW_DBCONFIG" + echo " " >> "$NEW_DBCONFIG" + + if ! cmp -s "$CONFIG" "$NEW_DBCONFIG"; then + if [ "$overwrite_dbconfig" = "yes" ] ;then + cp "$NEW_DBCONFIG" "$DBCONFIG.dpkg-new" + mv "$DBCONFIG.dpkg-new" "$DBCONFIG" + md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" + else + if [ ! -e "$DBCONFIG" ] ; then + echo "snort: not updating $DBCONFIG; file does not exist" >&2 + else + if [ ! -e "$DBCONFIG_CHECKSUM" ] ; then + echo "snort: not updating $DBCONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 + else + echo "snort: not updating $DBCONFIG; file has been customized" >&2 + fi + fi + fi + fi + rm -f "$NEW_DBCONFIG" + + + fi # of if $RET true - end of database configuration # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null @@ -124,7 +307,7 @@ chown root:snort /etc/snort/database.conf chmod 640 /etc/snort/database.conf fi - fi # of if $STARTUP + db_stop # Check for left-over files from woody packages. 
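Review bot: `if ! cmp -s "$CONFIG" "$NEW_DBCONFIG"; then` compares snort.debian.conf with the freshly generated database configuration, so the test is always true; it should read `if ! cmp -s "$DBCONFIG" "$NEW_DBCONFIG"; then`, and the same line appears in the snort-mysql.postinst hunk at the top of this page. The visible effect is that an unmodified database.conf without a stored checksum is reported as "file has been customized" or "no stored checksum available" even when its contents match. A few lines earlier, `overwrite_config="yes"` under `[ ! -e "$DBCONFIG" ] && [ "$FIRSTINST" = "yes" ]` presumably means `overwrite_dbconfig="yes"`; it is harmless today only because `UPGRADE` is empty on a first install. The legacy-upgrade branch's `TEMPFILE=$(tempfile)`, which holds `password=$DB_PASS`, is never removed after the `cmp` (unlike `$NEW_DBCONFIG`), so add `rm -f "$TEMPFILE"` after that block, and note that `$DB_PASS` is written verbatim so a value containing whitespace alters the config line — the debian/TODO entry on this page already tracks that.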
@@ -136,12 +319,14 @@
 # Update the rc.d's
 update-rc.d snort defaults >/dev/null
+ if [ "$STARTUP" != "manual" ]; then
 # in the case we reconfigure we have to restart and not just to start.
 if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
 invoke-rc.d snort stop || exit $?
 else
 /etc/init.d/snort stop || exit $?
 fi
+ fi # of if STARTUP - manual
 ;;
 abort-upgrade)
 ;;
diff -Nru snort-2.9.0.1/debian/snort-pgsql.prerm snort-2.9.2/debian/snort-pgsql.prerm
--- snort-2.9.0.1/debian/snort-pgsql.prerm 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/snort-pgsql.prerm 2011-12-27 13:34:55.000000000 -0800
@@ -24,7 +24,7 @@
 /etc/init.d/snort stop || exit $?
 fi
 else
- start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/nessusd
+ start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort
 fi
 rm -f /var/run/snort_*.pid
diff -Nru snort-2.9.0.1/debian/snort-pgsql.templates snort-2.9.2/debian/snort-pgsql.templates
--- snort-2.9.0.1/debian/snort-pgsql.templates 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/snort-pgsql.templates 2011-12-27 13:53:10.000000000 -0800
@@ -91,15 +91,6 @@
 As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place.
-Template: snort-pgsql/config_error
-Type: error
-_Description: Configuration error
- The current Snort configuration is invalid and will prevent Snort
- starting up normally. Please review and correct it.
- .
- To diagnose an error in a Snort configuration file, use
- '/usr/sbin/snort -T -c '.
-
 Template: snort-pgsql/config_parameters
 Type: error
 _Description: Obsolete configuration file
diff -Nru snort-2.9.0.1/debian/snort.postinst snort-2.9.2/debian/snort.postinst
--- snort-2.9.0.1/debian/snort.postinst 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/snort.postinst 2011-12-27 16:47:11.000000000 -0800
@@ -1,6 +1,7 @@ #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf +CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x @@ -22,6 +23,25 @@ # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. + +FIRSTINST= +RECONFIGURE= +if [ "$1" = "reconfigure" ] || [ -n "$DEBCONF_RECONFIGURE" ]; then + RECONFIGURE="true" + else + RECONFIGURE= +fi + +if ([ "$1" = "install" ] || [ "$1" = "configure" ]) && [ -z "$2" ]; then + FIRSTINST="yes" +fi + +if [ -z "$RECONFIGURE" ] && [ -z "$FIRSTINST" ]; then + UPGRADE="yes" +fi + + + case "$1" in install) ;; @@ -40,7 +60,25 @@ fi ;; configure) - # edit config file + + # only mess with config file it exists; otherwise, assume that's the way the + # user wants it, but only if upgrading + if [ -e "$CONFIG" ] || [ -z "$UPGRADE" ]; then + # similarly, check for the existence of the checksum file; if it doesn't + # exist, assume that's the way the user wants it, but only if upgrading + if [ -e "$CONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then + # next, compare the current and stored checksums; if they do not match, + # assume that's the way the user wants it ... upgrading etc + if [ "$(md5sum "$CONFIG" 2>/dev/null)" = \ + "$(cat "$CONFIG_CHECKSUM" 2>/dev/null)" ] || \ + [ -z "$UPGRADE" ]; then + # they match; get ready to prepare a new version of the config file + overwrite_config="yes" + fi + fi + fi + + # generate new config file db_get snort/startup || true; STARTUP="$RET" db_get snort/interface || true; INTERFACE="$RET" db_get snort/address_range || true; ADDRESS_RANGE="$RET" 
@@ -51,12 +89,23 @@ db_get snort/options || true; OPTIONS="$RET" test "$DISABLE_PROMISCUOUS" = "true" && OPTIONS="$OPTIONS -p" + # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` - cat <$CONFIG + + # If this is an upgrade from a previous release that did not have + # a configuration checksum then try to determine if we can + # upgrade. + # + # To do this: tlest the current configuration against the old auto-generated configuration + # file if there is no configuration checksum and create one if it exists. + # Also, tell the script to overwrite with the new configuration file. + if [ ! -e "$CONFIG_CHECKSUM" ] && [ -e "$CONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then + OLD_CONFIG=$(tempfile) + cat <>"$OLD_CONFIG" # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. 
@@ -69,6 +118,65 @@ DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF + if cmp -s "$CONFIG" "$OLD_CONFIG"; then + if [ ! -d $(dirname $CONFIG_CHECKSUM) ]; then + mkdir $(dirname $CONFIG_CHECKSUM) + fi + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + overwrite_config="yes" + fi + rm -f "$OLD_CONFIG" + fi + + # Create the new configuration file based on debconf information + NEW_CONFIG=$(tempfile) + + cat <>"$NEW_CONFIG" +# snort.debian.config (Debian Snort configuration file) +# +# This file was generated by the post-installation script of the snort +# package using values from the debconf database. +# +# It is used for options that are changed by Debian to leave +# the original configuration files untouched. +# +# This file is automatically updated on upgrades of the snort package +# *only* if it has not been modified since the last upgrade of that package. +# +# If you have edited this file but would like it to be automatically updated +# again, run the following command as root: +# dpkg-reconfigure snort + +DEBIAN_SNORT_STARTUP="$STARTUP" +DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" +DEBIAN_SNORT_OPTIONS="$OPTIONS" +DEBIAN_SNORT_INTERFACE="$INTERFACE" +DEBIAN_SNORT_SEND_STATS="$STATS_SEND" +DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" +DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" +EOF + + if ! cmp -s "$CONFIG" "$NEW_CONFIG"; then + if [ "$overwrite_config" = "yes" ] ;then + cp "$NEW_CONFIG" "$CONFIG.dpkg-new" + mv "$CONFIG.dpkg-new" "$CONFIG" + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + else + if [ ! -e "$CONFIG" ] ; then + echo "snort: not updating $CONFIG; file does not exist" >&2 + else + if [ ! 
-e "$CONFIG_CHECKSUM" ] ; then + echo "snort: not updating $CONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 + else + echo "snort: not updating $CONFIG; file has been customized" >&2 + fi + fi + fi + else + # Update the md5sum file + md5sum "$CONFIG" > "$CONFIG_CHECKSUM" + fi + rm -f "$NEW_CONFIG" if [ -f /etc/snort/snort.conf ]; then # Ensure the config file is readable by root.root and mode 600 @@ -83,8 +191,8 @@ # Check for left-over files from woody packages. OLDCONF=/etc/snort/snort.rules.conf - if [ -f $OLDCONF ]; then - mv $OLDCONF $OLDCONF.OBSOLETE + if [ -f "$OLDCONF" ]; then + mv "$OLDCONF" "$OLDCONF.OBSOLETE" fi # Update the rc.d's diff -Nru snort-2.9.0.1/debian/snort.prerm snort-2.9.2/debian/snort.prerm --- snort-2.9.0.1/debian/snort.prerm 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort.prerm 2011-12-27 13:34:45.000000000 -0800 @@ -24,7 +24,7 @@ /etc/init.d/snort stop || exit $? fi else - start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/nessusd + start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort fi rm -f /var/run/snort_*.pid diff -Nru snort-2.9.0.1/debian/snort.templates snort-2.9.2/debian/snort.templates --- snort-2.9.0.1/debian/snort.templates 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/debian/snort.templates 2011-12-27 13:51:44.000000000 -0800 
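Review bot: the directory for `$CONFIG_CHECKSUM` is created only inside the legacy-upgrade branch (`mkdir $(dirname $CONFIG_CHECKSUM)`), while the unconditional `md5sum "$CONFIG" > "$CONFIG_CHECKSUM"` writes in this hunk run without it; under `sh -e` a missing /var/lib/snort would abort the postinst on a fresh install unless the package ships that directory, which I cannot tell from the diff. The snort-pgsql.postinst counterpart above has no mkdir at all. Hoisting a single `mkdir -p "$(dirname "$CONFIG_CHECKSUM")"` to the start of the configure branch covers every path and also removes the unquoted expansion.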
@@ -91,15 +91,6 @@
 As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place.
-Template: snort/config_error
-Type: error
-_Description: Configuration error
- The current Snort configuration is invalid and will prevent Snort
- starting up normally. Please review and correct it.
- .
- To diagnose an error in a Snort configuration file, use
- '/usr/sbin/snort -T -c '.
-
 Template: snort/config_parameters
 Type: error
 _Description: Obsolete configuration file
diff -Nru snort-2.9.0.1/debian/source/format snort-2.9.2/debian/source/format
--- snort-2.9.0.1/debian/source/format 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/debian/source/format 2011-12-28 14:36:53.912101110 -0800
@@ -0,0 +1 @@
+3.0 (quilt)
diff -Nru snort-2.9.0.1/debian/TODO snort-2.9.2/debian/TODO
--- snort-2.9.0.1/debian/TODO 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/debian/TODO 2011-12-27 14:02:26.000000000 -0800
@@ -2,7 +2,35 @@ TODO things for Snort in Debian ------------------------------- -- Offer the user an option to automatically create the database since +- Provide support to avoid specifying the address range for multiple + interfaces (or skip this if you have more than once and substitute + by a note telling the admin to configure this in the snort.$IFACE.conf + file). This could be done using 'ip addr show $IFACE' and extracting + the value from the 'inet' component. + + Note: This should only be done if only *one interface is available + +- Try to use the interface defined IP address to set the address range (and + lower the questions priority + This should also handle multiple interfaces. + (see bug #248000) + +- Add a note in the debconf propmt that users can use '\$eth0_ADDRESS' + (or '\$eth1_ADDRESS' etc..) to use the interface's address regardless + of the configured address. (Note that \$ or otherwise it will + be expanded in the scripts) + + REVIEW: How does Snort use this to expand it in HOME_NET + + +- snort-{mysql,pgsl}: + Database configuration should ensure that only valid characters are included + here. Since the information is written into a configuration file at least + hashes should be prevented. See: + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567495 + +- snort-{mysql,pgsl}: + Offer the user an option to automatically create the database since the schemas (at /usr/share/doc/snort*) stuff is not available on installation. This confuses users since they are asked for some information (network @@ -38,8 +66,6 @@ - Use LSB functions in Init.d script -- Use ucf to integrate changes by the maintainer when upgrading - - Break up the init.d script into reusable functions Also: add a check in order to determine if the snort sensor started up properly or it did not. 
@@ -55,24 +81,11 @@ config file provided, this is related to bug #247665 which is partially fixed by the snort-common Source-Version depends introduced in 2.2.0-2 -- Provide support to avoid specifying the address range for multiple - interfaces (or skip this if you have more than once and substitute - by a note telling the admin to configure this in the snort.$IFACE.conf - file). This could be done using 'ip addr show $IFACE' and extracting - the vaule from the 'inet' component. - -- Rewrite the "address range" question. It actually does not explain what - it is actually used for (HOME_NET) - -- Try to use the interface defined IP address to set the address range (and - lower the questions priority - This should also handle multiple interfaces. - (see bug #248000) - - Add some common logcheck rules (see #222584, and #217175) DONE + - Determine, if the interface is configured and up. (see bug #248000) @@ -83,3 +96,13 @@ Done: snort-rules-default currently recommends: 'oinkmaster' better that than maintaining a separate update script unmaintained upstream. + +- Rewrite the "address range" question. It actually does not explain what + it is actually used for (HOME_NET) + +NOT REQUIRED + +- Use ucf to integrate changes by the maintainer when upgrading. + + Justification: The package has be changed to try to not make changes through + scripts in the maintainer's file Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/doc/faq.pdf and /tmp/wllGJXgrVI/snort-2.9.2/doc/faq.pdf differ diff -Nru snort-2.9.0.1/doc/faq.tex snort-2.9.2/doc/faq.tex --- snort-2.9.0.1/doc/faq.tex 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/faq.tex 2011-10-26 11:28:51.000000000 -0700 @@ -2,7 +2,7 @@ %latex2html -info 0 -local_icons -show_section_numbers -link 2 -split +1 faq.tex \documentclass{article} -\usepackage{hyperref} +\usepackage{html} \usepackage{graphicx} \usepackage{fancyhdr} \usepackage{makeidx} 
@@ -86,7 +86,7 @@ If you do not see your name on this list and you have contributed to the faq, -please email \htmladdnormallink{bmc@snort.org}{mailto:bmc@snort.org}. +please email \htmladdnormallink{bugs@snort.org}{mailto:bugs@snort.org}. Dragos Ruiu: This version of this guide has been brought to you by the kind @@ -98,11 +98,11 @@ \newpage -%\begin{latexonly} +\begin{latexonly} \tableofcontents \newpage -%\end{latexonly} +\end{latexonly} \section{Background} @@ -118,8 +118,8 @@ \subsection{Where do I get more help on Snort?} -Check the website, \htmladdnormallink{http://www.snort.org/}{http://www.snort.org/}. Other good resources are available in the source distribution, including the \htmladdnormallink{Snort Users Manual}{http://www.snort.org/doc/SnortUsersManual.pdf} and the USAGE file. There is also a excellent mailing list, snort-users. You can find -info on how to signup at \htmladdnormallink{http://www.snort.org/lists.html}{http://www.snort.org/lists.html}. You can also join +Check the website, \htmladdnormallink{http://www.snort.org/}{http://www.snort.org/}. Other good resources are available in the source distribution, including the \htmladdnormallink{Snort Users Manual}{http://www.snort.org/docs} and the USAGE file. There is also a excellent mailing list, snort-users. You can find +info on how to signup at \htmladdnormallink{http://www.snort.org/community/mailing-lists/}{http://www.snort.org/community/mailing-lists}. You can also join \#snort on irc.freenode.net. \subsection{Where can I get more reading and courses about IDS?\label{courses}} @@ -296,9 +296,10 @@ Repeat after me: \begin{verbatim} - wget http://www.snort.org/downloads/snort-stable.tgz - tar zxvf snort-stable.tgz - cd snort-stable + Go to http://www.snort.org/snort-downloads + Click the link for the tar.gz + tar zxvf snort-.tar.gz + cd ./configure make su 
@@ -312,9 +313,10 @@ ...and if you want to use our binary package uninstaller :-): \begin{verbatim} - cd snort-stable; make uninstall + cd ; make uninstall \end{verbatim} -And if you must, you can find some binaries at \htmladdnormallink{http://www.snort.org/dl/binaries/}{http://www.snort.org/dl/binaries/}. + +And if you must, you can find some binaries at \htmladdnormallink{http://www.snort.org/snort-downloads}{http://www.snort.org/snort-downloads}. You can also find Snort in most BSD ports' trees. \subsection{How do I run Snort?} @@ -938,7 +940,7 @@ {\bf For $=>$ 2.0:} Please see the documents on v2.0 at: -\htmladdnormallink{http://www.snort.org/docs/\#devel}{http://www.snort.org/docs/\#devel}. +\htmladdnormallink{http://www.snort.org/docs/development-papers/}{http://www.snort.org/docs/development-papers/}. {\bf For $<=$ 1.9.X:} 
@@ -2952,23 +2954,30 @@ \begin{enumerate} \item ./configure --enable-debug -\item Look up the section of Snort you'd like to debug ( look at src/debug.h ) and add up the values. + +\item Look up the sections of Snort you'd like to debug ( look at src/snort\_debug.h ) +and bitwise-or the flags together to create a hex value. For example, \begin{verbatim} -#define DEBUG_PARSER 0x00000200 /* 512 */ +#define DEBUG_PARSER 0x00000002 ... -#define DEBUG_PATTERN_MATCH 0x00004000 /* 16384 */ +#define DEBUG_PATTERN_MATCH 0x00001000 +\end{verbatim} + +To debug just the parser: +\begin{verbatim} +export SNORT_DEBUG=0x2 \end{verbatim} -To debug just the parser, +To debug both the parser and pattern matcher: \begin{verbatim} -export SNORT_DEBUG=512 +export SNORT_DEBUG=0x1002 \end{verbatim} -To debug both the parser and pattern matcher: +Debugging preprocessors is similar, eg to debug frag3: \begin{verbatim} -export SNORT_DEBUG=16896 +export SNORT_PP_DEBUG=0x1 \end{verbatim} \item Run snort as normal. You will need to redirect output to a file diff -Nru snort-2.9.0.1/doc/INSTALL snort-2.9.2/doc/INSTALL --- snort-2.9.0.1/doc/INSTALL 2010-08-25 13:22:35.000000000 -0700 +++ snort-2.9.2/doc/INSTALL 2011-10-26 11:28:51.000000000 -0700 
@@ -15,14 +15,16 @@ 5.) sudo make install -6.) Create a sample rules file (if you want to use rules, check out the - included snort.conf file) +6.) Check your rules file. By default, step 3 configures Snort for the features + required by the included etc/snort.conf. You can validate it with: + + src/snort -c etc/snort.conf -T 7.) snort -? 8.) If you've used previous versions of Snort, you may need to rewrite your - rules to make them compliant to the rules format. See - snort_manual.pdf or http://www.snort.org for more information. + rules to make them compliant to the rules format. See snort_manual.pdf + or http://www.snort.org for more information. 9.) If you used previous versions of Snort and the new Snort dies upon startup, try this and then restart: @@ -43,6 +45,10 @@ `--enable-pthread' Enable pthread support (causes snort to be linked with libpthread). +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! The Prelude output plugin is considered deprecated as of Snort 2.9.2 and +!! will be removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! `--enable-prelude' Enable Prelude Hydrid IDS support. @@ -55,6 +61,10 @@ Enable dynamically loadable preprocessors, detection engine and rules libraries. +`--enable-so-with-static-lib` + Enable linking of dynamically loaded preprocessors with a static + preprocessor library. + `--enable-timestats' Enable real-time performance statistics. 
@@ -71,6 +81,10 @@ Enable the 'Flexible Response, version 3' code, that allows you to reset hostile sessions. See README.active for details. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! The Aruba output plugin is considered deprecated as of Snort 2.9.2 and will +!! be removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! `--enable-aruba' Enable the Aruba output plugin capability that allows you to send information to an Aruba Networks Mobility Controller. See @@ -81,16 +95,32 @@ Only supports GRE over IP. Only one layer of encapsulation will be decoded - packets with multiple GRE headers will be alerted and discarded/blocked. - + +`--enable-sourcefire' + Enable Sourcefire specific build options, encompasing --enable-perfprofiling, + --enable-decoder-preprocessor-rules, --enable-ppm. + `--with-snmp' Enable SNMP alerting code. -` --with-dnet-includes=DIR' +`--with-dnet-includes=DIR' Specify libdnet include directory. -` --with-dnet-libraries=DIR' +`--with-dnet-libraries=DIR' Specify libdnet library directory. +`--with-libpcap-includes=DIR' + If the configuration script can't find the libpcap include files on its + own, the path can be set manually with this switch. + +`--with-libpcap-libraries=DIR' + If the configuration script can't find the libpcap library files on its + own, the path can be set manually with this switch. + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! Database output plugins are considered deprecated as of Snort 2.9.2 and will +!! be removed in Snort 2.9.3. +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! `--with-mysql=DIR' Support for mysql, turn this on if you want to use ACID with MySQL. NOTE: Specifying a directory will be deprecated in the future. 
@@ -112,9 +142,6 @@
 `--with-oracle=DIR'
 Support for Oracle databases, turn this on if you want to use ACID with Oracle.
-
-`--with-openssl=DIR'
- Support for openssl (used by the XML output plugin).
 `--with-libpq-includes=DIR'
 Set the include directories for Postgres SQL database support to DIR.
@@ -122,29 +149,8 @@
 `--with-libpq-libraries=DIR'
 Set the library directories for Postgres SQL database support to DIR.
 Setting both of these values enables the Postgres output plugin module.
-
-`--with-libpcap-includes=DIR'
- If the configuration script can't find the libpcap include files on its
- own, the path can be set manually with this switch.
-
-`--with-libpcap-libraries=DIR'
- If the configuration script can't find the libpcap library files on its
- own, the path can be set manually with this switch.
-
-`--with-libxml2-includes=DIR'
- Libxml2 include directory.
-
-`--with-libxml2-libraries=DIR'
- Libxml2 library directory.
-
-`--with-libntp-libraries=DIR'
- Libntp library directory.
-
-`--with-libidmef-includes=DIR'
- Libidmef include directory.
-
-`--with-libidmef-libraries=DIR'
- Libidmef library directory.
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 Basic Installation
 ==================
@@ -469,6 +475,12 @@
 * Open BSD / Free BSD / MAC OSX
 -------------------------------
+For Open BSD and some versions of Free BSD, use the --disable-static-daq
+option to Snort's configure script. This is a work-around to an issue with
+building shared libraries that link against a static library. Without this
+option to configure, libsf_engine.so and the dynamic preprocessors may not
+be built correctly.
+
 On certain BSD-based platforms, the make install may not symlink the version specific shared libraries to the non-versioned shared library. This could cause a failure to load when using dynamic libraries.
diff -Nru snort-2.9.0.1/doc/Makefile.am snort-2.9.2/doc/Makefile.am
--- snort-2.9.0.1/doc/Makefile.am 2010-09-27 08:28:10.000000000 -0700
+++ snort-2.9.2/doc/Makefile.am 2011-10-27 08:19:41.000000000 -0700
@@ -21,12 +21,14 @@
 README.alert_order \
 README.ARUBA \
 README.asn1 \
+README.counts \
 README.csv \
 README.daq \
 README.database \
 README.dcerpc2 \
 README.decode \
 README.decoder_preproc_rules \
+README.dnp3 \
 README.dns \
 README.event_queue \
 README.filters \
@@ -34,21 +36,28 @@
 README.frag3 \
 README.ftptelnet \
 README.gre \
+README.GTP \
 README.http_inspect \
+README.imap \
 README.ipip \
 README.ipv6 \
+README.modbus \
 README.multipleconfigs \
 README.normalize \
 README.pcap_readmode \
 README.PerfProfiling \
 README.PLUGINS \
+README.pop \
 README.ppm \
 README.reload \
+README.reputation \
+README.rzb_saac \
 README.sensitive_data \
 README.sfportscan \
 README.SMTP \
 README.ssh \
 README.ssl \
+README.sip \
 README.stream5 \
 README.tag \
 README.thresholding \
@@ -59,7 +68,7 @@
 USAGE \
 WISHLIST
-DISTCLEANFILES= snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out
+DISTCLEANFILES= snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out faq.out snort_manual.idx faq.idx
 docdir = ${datadir}/doc/${PACKAGE}
@@ -75,7 +84,7 @@
 ps2pdf $<
 .tex.html:
- latex2html -local_icons $<
+ latex2html -local_icons $<
 # perhaps one day, we will have a Makefile in the signatures directory...
diff -Nru snort-2.9.0.1/doc/Makefile.in snort-2.9.2/doc/Makefile.in
--- snort-2.9.0.1/doc/Makefile.in 2010-10-08 02:56:51.000000000 -0700
+++ snort-2.9.2/doc/Makefile.in 2011-12-07 11:23:17.000000000 -0800
@@ -83,7 +83,9 @@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
+CCONFIGFLAGS = @CCONFIGFLAGS@
 CFLAGS = @CFLAGS@
+CONFIGFLAGS = @CONFIGFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -98,6 +100,7 @@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
+ICONFIGFLAGS = @ICONFIGFLAGS@
 INCLUDES = @INCLUDES@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -134,13 +137,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
@@ -219,12 +228,14 @@
 README.alert_order \
 README.ARUBA \
 README.asn1 \
+README.counts \
 README.csv \
 README.daq \
 README.database \
 README.dcerpc2 \
 README.decode \
 README.decoder_preproc_rules \
+README.dnp3 \
 README.dns \
 README.event_queue \
 README.filters \
@@ -232,21 +243,28 @@
 README.frag3 \
 README.ftptelnet \
 README.gre \
+README.GTP \
 README.http_inspect \
+README.imap \
 README.ipip \
 README.ipv6 \
+README.modbus \
 README.multipleconfigs \
 README.normalize \
 README.pcap_readmode \
 README.PerfProfiling \
 README.PLUGINS \
+README.pop \
 README.ppm \
 README.reload \
+README.reputation \
+README.rzb_saac \
 README.sensitive_data \
 README.sfportscan \
 README.SMTP \
 README.ssh \
 README.ssl \
+README.sip \
 README.stream5 \
 README.tag \
 README.thresholding \
@@ -257,7 +275,7 @@
 USAGE \
 WISHLIST
-DISTCLEANFILES = snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out
+DISTCLEANFILES = snort_manual.log snort_manual.toc snort_manual.aux faq.log faq.toc faq.aux snort_manual.pdf faq.pdf snort_manual.out faq.out snort_manual.idx faq.idx
 SUFFIXES = .tex .dvi .ps
 all: all-am
@@ -480,7 +498,7 @@
 ps2pdf $<
 .tex.html:
- latex2html -local_icons $<
+ latex2html -local_icons $<
 # perhaps one day, we will have a Makefile in the signatures directory...
 # SUBDIRS = signatures
diff -Nru snort-2.9.0.1/doc/README snort-2.9.2/doc/README
--- snort-2.9.0.1/doc/README 2010-06-09 15:04:48.000000000 -0700
+++ snort-2.9.2/doc/README 2011-02-09 15:22:34.000000000 -0800
@@ -8,7 +8,7 @@
 ******************************************************************************
 COPYRIGHT
-Copyright (C)2001-2010 Sourcefire Inc.
+Copyright (C)2001-2011 Sourcefire Inc.
 Copyright (C)1998-2001 Martin Roesch
 This program is free software; you can redistribute it and/or modify
diff -Nru snort-2.9.0.1/doc/README.active snort-2.9.2/doc/README.active
--- snort-2.9.0.1/doc/README.active 2010-10-25 12:48:55.000000000 -0700
+++ snort-2.9.2/doc/README.active 2011-06-07 17:33:00.000000000 -0700
@@ -45,14 +45,20 @@
 ./configure --enable-active-response
- config response: [device ] attempts
+ config response: [device ] [dst_mac ] attempts
 ::= ip | eth0 | etc. ::= (1..20)
-
+ ::= nn:nn:nn:nn:nn:nn
+ (n is a hex number from 0-F)
+
 device ip will perform network layer injection. It is probably a better choice to specify an interface and avoid kernel routing tables, etc.
+dst_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc.
+Otherwise, response destination MAC address is derived from packet.
+Example:
+ config response: device eth0 dst_mac 00:06:76:DD:5F:E3 attempts 2
 FLEXRESP CHANGES
 ================
diff -Nru snort-2.9.0.1/doc/README.ARUBA snort-2.9.2/doc/README.ARUBA
--- snort-2.9.0.1/doc/README.ARUBA 2006-09-18 06:36:22.000000000 -0700
+++ snort-2.9.2/doc/README.ARUBA 2011-10-26 11:28:51.000000000 -0700
@@ -1,3 +1,8 @@
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This output plugin is considered deprecated as of Snort 2.9.2 and will be
+!! removed in Snort 2.9.3.
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 Aruba Networks Integration
 ==========================
 Joshua Wright
diff -Nru snort-2.9.0.1/doc/README.counts snort-2.9.2/doc/README.counts
--- snort-2.9.0.1/doc/README.counts 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/doc/README.counts 2011-07-13 15:43:17.000000000 -0700
@@ -0,0 +1,204 @@
+Snort does a lot of work and outputs some useful statistics when it is done.
+Many of these are self-explanatory. The others are summarized below. This
+does not include all possible output data, just the basics.
+
+
+-----------------
+Timing Statistics
+-----------------
+
+This section provides basic timing statistics. It includes total seconds and
+packets as well as packet processing rates. The rates are based on whole
+seconds, minutes, etc. and only shown when non-zero.
+
+Example:
+
+===============================================================================
+Run time for packet processing was 175.856509 seconds
+Snort processed 3716022 packets.
+Snort ran for 0 days 0 hours 2 minutes 55 seconds
+ Pkts/min: 1858011
+ Pkts/sec: 21234
+===============================================================================
+
+
+-----------------
+Packet I/O Totals
+-----------------
+
+This section shows basic packet acquisition and injection peg counts obtained
+from the DAQ. If you are reading pcaps, the totals are for all pcaps combined,
+unless you use --pcap-reset, in which case it is shown per pcap.
+
+* Outstanding indicates how many packets are buffered awaiting processing. The
+ way this is counted varies per DAQ so the DAQ documentation should be
+ consulted for more info.
+
+* Filtered packets are not shown for pcap DAQs.
+
+* Injected packets are the result of active response which can be configured for
+ inline or passive modes.
+
+Example:
+
+===============================================================================
+Packet I/O Totals:
+ Received: 3716022
+ Analyzed: 3716022 (100.000%)
+ Dropped: 0 ( 0.000%)
+ Filtered: 0 ( 0.000%)
+Outstanding: 0 ( 0.000%)
+ Injected: 0
+===============================================================================
+
+
+-------------------
+Protocol Statistics
+-------------------
+
+Traffic for all the protocols decoded by Snort is summarized in the breakdown
+section.
This traffic includes internal "pseudo-packets" if preprocessors such
+as frag3 and stream5 are enabled so the total may be greater than the number of
+analyzed packets in the packet I/O section.
+
+* Disc counts are discards due to basic encoding integrity flaws that prevents
+ Snort from decoding the packet.
+
+* Other includes packets that contained an encapsulation that Snort doesn't
+ decode.
+
+* S5 G 1/2 is the number of client/server sessions stream5 flushed due to cache
+ limit, session timeout, session reset.
+
+Example:
+
+===============================================================================
+Breakdown by protocol (includes rebuilt packets):
+ Eth: 3722347 (100.000%)
+ VLAN: 0 ( 0.000%)
+ IP4: 1782394 ( 47.884%)
+ Frag: 3839 ( 0.103%)
+ ICMP: 38860 ( 1.044%)
+ UDP: 137162 ( 3.685%)
+ TCP: 1619621 ( 43.511%)
+ IP6: 1781159 ( 47.850%)
+ IP6 Ext: 1787327 ( 48.016%)
+ IP6 Opts: 6168 ( 0.166%)
+ Frag6: 3839 ( 0.103%)
+ ICMP6: 1650 ( 0.044%)
+ UDP6: 140446 ( 3.773%)
+ TCP6: 1619633 ( 43.511%)
+ Teredo: 18 ( 0.000%)
+ ICMP-IP: 0 ( 0.000%)
+ EAPOL: 0 ( 0.000%)
+ IP4/IP4: 0 ( 0.000%)
+ IP4/IP6: 0 ( 0.000%)
+ IP6/IP4: 0 ( 0.000%)
+ IP6/IP6: 0 ( 0.000%)
+ GRE: 202 ( 0.005%)
+ GRE Eth: 0 ( 0.000%)
+ GRE VLAN: 0 ( 0.000%)
+ GRE IP4: 0 ( 0.000%)
+ GRE IP6: 0 ( 0.000%)
+GRE IP6 Ext: 0 ( 0.000%)
+ GRE PPTP: 202 ( 0.005%)
+ GRE ARP: 0 ( 0.000%)
+ GRE IPX: 0 ( 0.000%)
+ GRE Loop: 0 ( 0.000%)
+ MPLS: 0 ( 0.000%)
+ ARP: 104840 ( 2.817%)
+ IPX: 60 ( 0.002%)
+ Eth Loop: 0 ( 0.000%)
+ Eth Disc: 0 ( 0.000%)
+ IP4 Disc: 0 ( 0.000%)
+ IP6 Disc: 0 ( 0.000%)
+ TCP Disc: 0 ( 0.000%)
+ UDP Disc: 1385 ( 0.037%)
+ ICMP Disc: 0 ( 0.000%)
+All Discard: 1385 ( 0.037%)
+ Other: 57876 ( 1.555%)
+Bad Chk Sum: 32135 ( 0.863%)
+ Bad TTL: 0 ( 0.000%)
+ S5 G 1: 1494 ( 0.040%)
+ S5 G 2: 1654 ( 0.044%)
+ Total: 3722347
+===============================================================================
+
+
+-----------------------------
+Actions, Limits, and Verdicts
+-----------------------------
+
+Action and verdict counts show what Snort did with the packets it analyzed.
+This information is only output in IDS mode (when snort is run with the -c
+ option).
+
+* Alerts is the number of activate, alert, and block actions processed as
+ determined by the rule actions. Here block includes block, drop, and reject
+ actions.
+
+Limits arise due to real world constraints on processing time and available
+memory. These indicate potential actions that did not happen:
+
+* Match Limit > 0 means that rule matches were not processed due to the
+ config detection: max_queue_events setting. The default is 5.
+
+* Queue Limit > 0 means that events couldn't be stored in the event queue
+ due to the config event_queue: max_queue setting. The default is 8.
+
+* Log Limit > 0 means that events were not alerted due to the
+ config event_queue: log setting. The default is 3.
+
+* Event Limit > 0 means that events were not alerted due to event_filter
+ limits.
+
+* Alert Limit > 0 means that events were not alerted because they already
+ were triggered on the session.
+
+Verdicts are rendered by Snort on each packet:
+
+* Allow = packets Snort analyzed and did not take action on.
+
+* Block = packets Snort did not forward, eg due to a block rule. "Block" is
+ used instead of "Drop" to avoid confusion between dropped packets (those
+ Snort didn't actually see) and blocked packets (those Snort did not allow to
+ pass).
+
+* Replace = packets Snort modified, for example, due to normalization or
+ replace rules. This can only happen in inline mode with a compatible DAQ.
+
+* Whitelist = packets that caused Snort to allow a flow to pass w/o inspection
+ by any analysis program. Like blacklist, this is done by the DAQ or by Snort
+ on subsequent packets.
+
+* Blacklist = packets that caused Snort to block a flow from passing. This is
+ the case when a block TCP rule fires.
If the DAQ supports this in hardware,
+ no further packets will be seen by Snort for that session. If not, snort
+ will block each packet and this count will be higher.
+
+* Ignore = packets that caused Snort to allow a flow to pass w/o inspection
+ by this instance of Snort. Like blacklist, this is done by the DAQ or by
+ Snort on subsequent packets.
+
+Example:
+
+===============================================================================
+Action Stats:
+ Alerts: 0 ( 0.000%)
+ Logged: 0 ( 0.000%)
+ Passed: 0 ( 0.000%)
+Limits:
+ Match: 0
+ Queue: 0
+ Log: 0
+ Event: 0
+ Alert: 0
+Verdicts:
+ Allow: 3716022 (100.000%)
+ Block: 0 ( 0.000%)
+ Replace: 0 ( 0.000%)
+ Whitelist: 0 ( 0.000%)
+ Blacklist: 0 ( 0.000%)
+ Ignore: 0 ( 0.000%)
+===============================================================================
+
diff -Nru snort-2.9.0.1/doc/README.database snort-2.9.2/doc/README.database
--- snort-2.9.0.1/doc/README.database 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/README.database 2011-10-26 11:28:51.000000000 -0700
@@ -1,3 +1,11 @@
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! The database output plugins are considered deprecated as of Snort 2.9.2 and
+!! will be removed in Snort 2.9.3.
+!!
+!! The recommended approach to logging is to use unified2 with barnyard2
+!! or similar.
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
 I. Summary
 The database output plug-in enables snort to log to
@@ -324,9 +332,6 @@
 V. Changelog of Database schema
-2007-03-15 -- v107
- + ALL: Updated to include signature.sig_gid to log the generator ID
-
 2002-09-03 -- v106
 + ALL: added sensor.last_cid to store the last used cid for a given sid
diff -Nru snort-2.9.0.1/doc/README.dnp3 snort-2.9.2/doc/README.dnp3
--- snort-2.9.0.1/doc/README.dnp3 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/doc/README.dnp3 2011-10-26 11:28:51.000000000 -0700
@@ -0,0 +1,237 @@
+DNP3 Preprocessor
+=================
+
+
+Overview
+========
+The DNP3 preprocessor is a Snort module that decodes and reassembles the DNP3
+protocol. It also provides rule options to access certain protocol fields.
+This allows a user to write rules for DNP3 packets without decoding the
+protocol with a series of "content" and "byte_test" options.
+
+DNP3 is a protocol used in SCADA networks. If your network does not contain any
+DNP3-enabled devices, we recommend leaving this preprocessor turned off.
+
+Dependencies
+============
+The Stream5 preprocessor must be enabled for the DNP3 preprocessor to work.
+Protocol-Aware Flushing (PAF) is also required. See README.stream5 for more
+information.
+
+Preprocessor Configuration
+==========================
+DNP3 configuration is split into two parts: the preprocessor config, and the
+rule options. The preprocessor config starts with:
+
+preprocesor dnp3:
+
+Options are as follows:
+
+ Option Argument Required Default
+ --------------------------------------------------------------
+ ports , or NO ports 20000
+ { port [port] ... }
+ memcap NO memcap 262144
+ check_crc NONE NO OFF
+ disabled NONE NO OFF
+
+Option explanations
+ ports
+ This sets the port numbers on which DNP3 traffic is inspected.
+ A single port number may be provided, or a space-separated list
+ enclosed in curly brackets. The default is port 20000.
+
+ memcap
+ This sets a maximum to the amount of memory allocated to the DNP3
+ preprocessor for session-tracking purposes. The argument is given
+ in bytes.
+ Each session requires about 4 KB to track, and the default is 256 kB.
+ This gives the preprocessor the ability to track 63 DNP3 sessions
+ simultaneously.
+ Setting the memcap below 4144 bytes will cause a fatal error.
+ When multiple configs are used, the memcap in the non-default configs
+ will be overwritten by the memcap in the default config.
If the default
+ config isn't intended to inspect DNP3 traffic, use the "disabled"
+ keyword. (See README.multipleconfigs for more info)
+
+ check_crc
+ This option makes the preprocessor validate the checksums contained in
+ DNP3 Link-Layer Frames. Frames with invalid checksums will be ignored.
+ If the corresponding preprocessor rule is enabled, invalid checksums
+ will generate alerts.
+ The corresponding rule is GID 145, SID 1.
+
+ disabled
+ This option is used for loading the preprocessor without inspecting
+ any DNP3 traffic. The "disabled" keyword is only useful when the DNP3
+ preprocessor is turned on in a separate policy.
+ (See README.multipleconfigs for information on Multiple Policies)
+
+Example preprocessor config
+
+preprocessor dnp3: ports { 20000 } \
+ memcap 262144 \
+ check_crc
+
+Multiple policy example:
+
+snort.conf
+----------
+
+preprocessor dnp3: memcap 262144 disabled
+config binding: snort.conf.dnp3net net
+
+snort.conf.dnp3net
+------------------
+preprocessor dnp3: ports 20000, check_crc
+
+
+Rule Options
+============
+The DNP3 preprocessor adds 4 new rule options. These rule options match on
+various pieces of the DNP3 headers.
+
+The preprocessor must be enabled for these rule options to work.
+
+dnp3_func
+---------
+This option matches against the Function Code inside of a DNP3
+Application-Layer request/response header. The code may be a number
+(in decimal format), or a string from the list provided below.
+
+Syntax:
+ dnp3_func:
+
+ code = 0-255
+ confirm
+ read
+ write
+ select
+ operate
+ direct_operate
+ direct_operate_nr
+ immed_freeze
+ immed_freeze_nr
+ freeze_clear
+ freeze_clear_nr
+ freeze_at_time
+ freeze_at_time_nr
+ cold_restart
+ warm_restart
+ initialize_data
+ initialize_appl
+ start_appl
+ stop_appl
+ save_config
+ enable_unsolicited
+ disable_unsolicited
+ assign_class
+ delay_measure
+ record_current_time
+ open_file
+ close_file
+ delete_file
+ get_file_info
+ authenticate_file
+ abort_file
+ activate_config
+ authenticate_req
+ authenticate_err
+ response
+ unsolicited_response
+ authenticate_resp
+
+Example:
+ alert tcp any any -> any 20000 (msg:"DNP3 Write request"; dnp3_func:write; sid:1;)
+
+dnp3_ind
+--------
+This option matches on the Internal Indicators flags present in a
+DNP3 Application Response Header. Much like the TCP flags rule option,
+providing multiple flags in one option will cause the rule to fire if *ANY* one
+of the flags is set. To alert on a combination of flags, use multiple rule
+options.
+
+Syntax:
+ dnp3_ind:[,...]
+
+ flag = all_stations
+ class_1_events
+ class_2_events
+ class_3_events
+ need_time
+ local_control
+ device_trouble
+ device_restart
+ no_func_code_support
+ object_unknown
+ parameter_error
+ event_buffer_overflow
+ already_executing
+ config_corrupt
+ reserved_2
+ reserved_1
+
+Examples:
+ # Alerts on reserved_1 OR reserved_2 being set
+ alert tcp any 20000 -> any any (msg:"Reserved DNP3 Indicator set"; \
+ dnp3_ind:reserved_1,reserved_2; sid:1;)
+
+ # Alerts on class_1 AND class_2 AND class_3 events being set
+ alert tcp any 20000 -> any any (msg:"Lots of DNP3 events"; \
+ dnp3_ind:class_1_events; dnp3_ind:class_2_events; dnp3_ind:class_3_events; \
+ sid:2;)
+
+dnp3_obj
+--------
+This option matches on DNP3 object headers present in a request or response.
+
+Syntax:
+ dnp3_obj:,
+
+ group = 0 - 255
+ var = 0 - 255
+
+Example:
+ alert tcp any any -> any any (msg:"DNP3 Time and Date object"; \
+ dnp3_obj:50,1; sid:1;)
+
+dnp3_data
+---------
+As Snort processes DNP3 packets, the DNP3 preprocessor collects Link-Layer
+Frames and reassembles them back into Application-Layer Fragments. This rule
+option sets the cursor to the beginning of an Application-Layer
+Fragment, so that other rule options can work on the reassembled data.
+
+With the dnp3_data rule option, you can write rules based on the data within
+Fragments without splitting up the data and adding CRCs every 16 bytes.
+
+Syntax:
+ dnp3_data;
+
+ No options.
+
+Example:
+
+alert tcp any any -> any any (msg:"String 'badstuff' in DNP3 message"; \
+ dnp3_data; content:"badstuff"; sid:1;)
+
+
+Preprocessor Rules
+==================
+The DNP3 preprocessor uses GID 145 for its preprocessor events.
+
+SID Description
+--------------------------------------------------------------------
+ 1 A Link-Layer Frame contained an invalid CRC.
+ (Enable "check_crc" in the preprocessor config to get this alert.)
+ 2 A DNP3 Link-Layer Frame was dropped, due to an invalid length.
+ 3 A Transport-Layer Segment was dropped during reassembly.
+ This happens when segments have invalid sequence numbers.
+ 4 The DNP3 Reassembly buffer was cleared before a complete fragment
+ could be reassembled.
+ This happens when a segment carrying the "FIR" flag appears after
+ some other segments have been queued.
+ 5 A DNP3 Link-Layer Frame is larger than 260 bytes.
+ 6 A DNP3 Link-Layer Frame uses an address that is reserved.
+ 7 A DNP3 request or response uses a reserved function code.
diff -Nru snort-2.9.0.1/doc/README.frag3 snort-2.9.2/doc/README.frag3
--- snort-2.9.0.1/doc/README.frag3 2010-08-25 13:22:35.000000000 -0700
+++ snort-2.9.2/doc/README.frag3 2011-06-07 17:33:00.000000000 -0700
@@ -7,22 +7,16 @@
 Overview
 --------
 The frag3 preprocessor is a target-based IP defragmentation module for Snort.
-Frag3 is intended as a replacement for the frag2 defragmentation module and
-was designed with the following goals:
+Frag3 is designed with the following goals:
-1) Faster execution that frag2 with less complex data management.
+1) Faster execution with less complex data management.
 2) Target-based host modeling anti-evasion techniques.
-The frag2 preprocessor used splay trees extensively for managing the data
-structures associated with defragmenting packets. Splay trees are excellent
-data structures to use when you have some assurance of locality of reference
-for the data that you are handling but in high speed, heavily fragmented
-environments the nature of the splay trees worked against the system and
-actually hindered performance. Frag3 uses the sfxhash data structure and
-linked lists for data handling internally which allows it to have much more
-predictable and deterministic performance in any environment which should
-aid us in managing heavily fragmented environments.
+Frag3 uses the sfxhash data structure and linked lists for data handling
+internally which allows it to have much more predictable and deterministic
+performance in any environment which should aid us in managing heavily
+fragmented environments.
 Target-based analysis is a relatively new concept in network-based intrusion detection. The idea of a target-based system is to model the actual targets
@@ -67,11 +61,10 @@
 Configuration
 -------------
-Frag3 configuration is somewhat more complex than frag2. There are at least
-two preprocessor directives required to activate frag3, a global configuration
-directive and an engine instantiation. There can be an arbitrary number of
-engines defined at startup with their own configuration, but only one global
-configuration.
+There are at least two preprocessor directives required to activate frag3, a
+global configuration directive and an engine instantiation. There can be an
+arbitrary number of engines defined at startup with their own configuration,
+but only one global configuration.
 Global configuration
 - Preprocessor name: frag3_global
@@ -87,15 +80,17 @@
 preallocated fragment nodes based on a static number (faster in some situations)
 disabled - This optional keyword is allowed with any
- policy to avoid packet processing. This
- option disables the preprocessor. When
- the preprocessor is disabled only the
- options memcap, prealloc_memcap, and
- prealloc_frags are applied when
- specified with the configuration.
- The other options are parsed but not
- used. Any valid configuration may have
- "disabled" added to it.
+ policy to avoid packet processing. This
+ option disables the preprocessor for this
+ config, but not for other instances of
+ multiple configurations. Use the disable
+ keyword in the base configuration to specify
+ values for the options memcap, prealloc_memcap,
+ and prealloc_frags without having the
+ preprocessor inspect traffic for traffic
+ applying to the base configuration. The other
+ options are parsed but not used. Any valid
+ configuration may have "disabled" added to it.
 Engine Configuration
@@ -112,14 +107,14 @@
 run for packets with destination addresses contained within the IP List. Default value is "all".
 overlap_limit - Limits the number of overlapping fragments per packet. The default
- is "0" (unlimited). This config option takes values equal to or greater than zero. This is an
- optional parameter. detect_anomalies option must be configured for this option
- to take effect.
+ is "0" (unlimited). This config option takes values equal to or greater than zero. This is an
+ optional parameter. detect_anomalies option must be configured for this option
+ to take effect.
 min_fragment_length - Defines smallest fragment size (payload size) that should be considered valid.
- Fragments smaller than or equal to this limit are considered malicious and an event is raised,
- if detect_anomalies is also configured. The default is "0" (check is disabled). This config
- option takes values equal to or greater than zero. This is an optional parameter.
- detect_anomalies option must be configured for this option to take effect.
+ Fragments smaller than or equal to this limit are considered malicious and an event is raised,
+ if detect_anomalies is also configured. The default is "0" (check is disabled). This config
+ option takes values equal to or greater than zero. This is an optional parameter.
+ detect_anomalies option must be configured for this option to take effect.
 policy - Select a target-based defragmentation mode. Available types are first, last, bsd, bsd-right, linux, windows and solaris. Default type is bsd.
diff -Nru snort-2.9.0.1/doc/README.GTP snort-2.9.2/doc/README.GTP
--- snort-2.9.0.1/doc/README.GTP 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/doc/README.GTP 2011-10-26 11:28:51.000000000 -0700
@@ -0,0 +1,653 @@
+GTP Decoder and Preprocessor
+================================================================================
+Hui Cao
+
+Overview
+================================================================================
+GTP (GPRS Tunneling Protocol) is used in core communication networks to establish
+a channel between GSNs (GPRS Serving Node). GTP decoding & preprocessor provides
+ways to tackle intrusion attempts to those networks through GTP. It also makes
+detecting new attacks easier.
+
+Two components are developed: GTP decoder and GTP preprocessor.
+GTP decoder extracts payload inside GTP PDU;
+GTP preprocessor inspects all the signaling messages and provide keywords for
+further inspection
+
+Sections:
+ Dependency Requirements
+ GTP Data Channel Decoder Configuration
+ GTP Control Channel Preprocessor Configuration
+ GTP Decoder Events
+ GTP Preprocessor Events
+ Rule Options
+
+Dependency Requirements
+================================================================================
+For proper functioning of the preprocessor:
+
+ Stream session tracking must be enabled, i.e. stream5. UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep
+ its data.
+ IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+
+GTP Data Channel Decoder Configuration
+================================================================================
+GTP decoder extracts payload from GTP PDU. The following configuration sets
+GTP decoding:
+
+config enable_gtp
+
+By default, GTP decoder uses port number 2152 (GTPv1) and 3386 (GTPv0).
+If users want to change those values, they can use portvar GTP_PORTS:
+
+portvar GTP_PORTS [2152,3386]
+
+
+GTP Control Channel Preprocessor Configuration
+================================================================================
+Different from GTP decoder, GTP preprocessor examines all signaling messages.
+The preprocessor configuration name is "gtp".
+
+preprocessor sip
+
+Option Argument Required Default
+ports No ports { 2123 3386 }
+
+Option explanations
+
+ ports
+ This specifies on what ports to check for GTP control messages. Typically,
+ this includes 2123 3386.
+
+ Syntax:
+ ports { [< ... >] }
+
+ Examples:
+ ports { 2123 3386 }
+
+ Note: there are spaces before and after '{' and '}'
+
+
+Configuration examples
+ preprocessor gtp
+ preprocessor sip: ports { 2123 3386 2152 }
+
+Default configuration
+ preprocessor sip
+
+GTP Decoder Events
+================================================================================
+
+SID Description
+--------------------------------------------------------------------------------
+ 297 Two or more GTP encapsulation layers present
+ 298 GTP header length is invalid
+
+GTP Preprocessor Events
+================================================================================
+The preprocessor uses GID 143 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Message length is invalid.
+ 2 Information element length is invalid.
+ 3 Information elements are out of order.
+
+Rule Options
+================================================================================
+New rule options are supported by enabling the GTP preprocessor:
+
+gtp_type
+gtp_info
+gtp_version
+
+
+ gtp_type
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The gtp_type keyword is used to check for specific GTP types. User can input
+ message type value, an integer in [0, 255], or a string defined in the Table
+ below. More than one type can be specified, via a comma separated list, and
+ are OR'ed together. If the type used in a rule is not listed in the
+ preprocessor configuration, an error will be thrown.
+
+ Same message type might have different message type value in different GTP
+ versions.
For example, sgsn_context_request has message type value 50 in
+ GTPv0 and GTPv1, but 130 in GTPv2. gtp_type will match to a different value
+ depending on the version number in the packet. In this example, evaluating
+ a GTPv0 or GTPv1 packet will check whether the message type value is 50;
+ evaluating a GTPv2 packet will check whether the message type value is 130.
+ When a message type is not defined in a version, any packet in that version
+ will always return "No match".
+
+ If an integer is used to specify message type, every GTP packet is evaluated,
+ no matter what version the packet is. If the message type matches the value
+ in packet, it will return "Match".
+
+ Syntax:
+ gtp_type:;
+ type-list = type|type, type-list
+ type = "0-255"|
+ | "echo_request" | "echo_response" ...
+ Examples:
+ gtp_type:10, 11, echo_request;
+
+ GTPv0 message types:
+
+ Value Message Type
+ **********************************************
+ 1 echo_request
+ 2 echo_response
+ 3 version_not_supported
+ 4 node_alive_request
+ 5 node_alive_response
+ 6 redirection_request
+ 7 redirection_response
+ 16 create_pdp_context_request
+ 17 create_pdp_context_response
+ 18 update_pdp_context_request
+ 19 update_pdp_context_response
+ 20 delete_pdp_context_request
+ 21 delete_pdp_context_response
+ 22 create_aa_pdp_context_request
+ 23 create_aa_pdp_context_response
+ 24 delete_aa_pdp_context_request
+ 25 delete_aa_pdp_context_response
+ 26 error_indication
+ 27 pdu_notification_request
+ 28 pdu_notification_response
+ 29 pdu_notification_reject_request
+ 30 pdu_notification_reject_response
+ 32 send_routing_info_request
+ 33 send_routing_info_response
+ 34 failure_report_request
+ 35 failure_report_response
+ 36 note_ms_present_request
+ 37 note_ms_present_response
+ 48 identification_request
+ 49 identification_response
+ 50 sgsn_context_request
+ 51 sgsn_context_response
+ 52 sgsn_context_ack
+ 240 data_record_transfer_request
+ 241 data_record_transfer_response
+ 255 pdu
+
+ GTPv1
message types:
+
+ Value Message Type
+ **********************************************
+ 1 echo_request
+ 2 echo_response
+ 3 version_not_supported
+ 4 node_alive_request
+ 5 node_alive_response
+ 6 redirection_request
+ 7 redirection_response
+ 16 create_pdp_context_request
+ 17 create_pdp_context_response
+ 18 update_pdp_context_request
+ 19 update_pdp_context_response
+ 20 delete_pdp_context_request
+ 21 delete_pdp_context_response
+ 22 init_pdp_context_activation_request
+ 23 init_pdp_context_activation_response
+ 26 error_indication
+ 27 pdu_notification_request
+ 28 pdu_notification_response
+ 29 pdu_notification_reject_request
+ 30 pdu_notification_reject_response
+ 31 supported_ext_header_notification
+ 32 send_routing_info_request
+ 33 send_routing_info_response
+ 34 failure_report_request
+ 35 failure_report_response
+ 36 note_ms_present_request
+ 37 note_ms_present_response
+ 48 identification_request
+ 49 identification_response
+ 50 sgsn_context_request
+ 51 sgsn_context_response
+ 52 sgsn_context_ack
+ 53 forward_relocation_request
+ 54 forward_relocation_response
+ 55 forward_relocation_complete
+ 56 relocation_cancel_request
+ 57 relocation_cancel_response
+ 58 forward_srns_contex
+ 59 forward_relocation_complete_ack
+ 60 forward_srns_contex_ack
+ 70 ran_info_relay
+ 96 mbms_notification_request
+ 97 mbms_notification_response
+ 98 mbms_notification_reject_request
+ 99 mbms_notification_reject_response
+ 100 create_mbms_context_request
+ 101 create_mbms_context_response
+ 102 update_mbms_context_request
+ 103 update_mbms_context_response
+ 104 delete_mbms_context_request
+ 105 delete_mbms_context_response
+ 112 mbms_register_request
+ 113 mbms_register_response
+ 114 mbms_deregister_request
+ 115 mbms_deregister_response
+ 116 mbms_session_start_request
+ 117 mbms_session_start_response
+ 118 mbms_session_stop_request
+ 119 mbms_session_stop_response
+ 120 mbms_session_update_request
+ 121 mbms_session_update_response
+ 128 ms_info_change_request
+
129 ms_info_change_response
+ 240 data_record_transfer_request
+ 241 data_record_transfer_response
+ 254 end_marker
+ 255 pdu
+
+ GTPv2 message types:
+
+ Value Message Type
+ **********************************************
+ 1 echo_request
+ 2 echo_response
+ 3 version_not_supported
+ 32 create_session_request
+ 33 create_session_response
+ 34 modify_bearer_request
+ 35 modify_bearer_response
+ 36 delete_session_request
+ 37 delete_session_response
+ 38 change_notification_request
+ 39 change_notification_response
+ 64 modify_bearer_command
+ 65 modify_bearer_failure_indication
+ 66 delete_bearer_command
+ 67 delete_bearer_failure_indication
+ 68 bearer_resource_command
+ 69 bearer_resource_failure_indication
+ 70 downlink_failure_indication
+ 71 trace_session_activation
+ 72 trace_session_deactivation
+ 73 stop_paging_indication
+ 95 create_bearer_request
+ 96 create_bearer_response
+ 97 update_bearer_request
+ 98 update_bearer_response
+ 99 delete_bearer_request
+ 100 delete_bearer_response
+ 101 delete_pdn_request
+ 102 delete_pdn_response
+ 128 identification_request
+ 129 identification_response
+ 130 sgsn_context_request
+ 131 sgsn_context_response
+ 132 sgsn_context_ack
+ 133 forward_relocation_request
+ 134 forward_relocation_response
+ 135 forward_relocation_complete
+ 136 forward_relocation_complete_ack
+ 137 forward_access
+ 138 forward_access_ack
+ 139 relocation_cancel_request
+ 140 relocation_cancel_response
+ 141 configuration_transfer_tunnel
+ 149 detach
+ 150 detach_ack
+ 151 cs_paging
+ 152 ran_info_relay
+ 153 alert_mme
+ 154 alert_mme_ack
+ 155 ue_activity
+ 156 ue_activity_ack
+ 160 create_forward_tunnel_request
+ 161 create_forward_tunnel_response
+ 162 suspend
+ 163 suspend_ack
+ 164 resume
+ 165 resume_ack
+ 166 create_indirect_forward_tunnel_request
+ 167 create_indirect_forward_tunnel_response
+ 168 delete_indirect_forward_tunnel_request
+ 169 delete_indirect_forward_tunnel_response
+ 170 release_access_bearer_request
+ 171
release_access_bearer_response
+ 176 downlink_data
+ 177 downlink_data_ack
+ 179 pgw_restart
+ 180 pgw_restart_ack
+ 200 update_pdn_request
+ 201 update_pdn_response
+ 211 modify_access_bearer_request
+ 212 modify_access_bearer_response
+ 231 mbms_session_start_request
+ 232 mbms_session_start_response
+ 233 mbms_session_update_request
+ 234 mbms_session_update_response
+ 235 mbms_session_stop_request
+ 236 mbms_session_stop_response
+
+ gtp_info
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The gtp_info keyword is used to check for specific GTP information element.
+ This keyword restricts the search to the information element field. User can
+ input information element value, an integer in [0, 255], or a string defined
+ in the Table below. If the information element used in this rule is not
+ listed in the preprocessor configuration, an error will be thrown.
+
+ When there are several information elements with the same type in the message,
+ this keyword restricts the search to the total consecutive buffer. Because
+ the standard requires same types group together, this feature will be
+ available for all valid messages. In the case of "out of order information
+ elements", this keyword restricts the search to the last buffer.
+
+ Similar to message type, same information element might have different
+ information element value in different GTP versions. For example, "cause" has
+ value 1 in GTPv0 and GTPv1, but 2 in GTPv2. gtp_info will match to different
+ value depending on the version number in the packet. When an information
+ element is not defined in a version, any packet in that version will always
+ return "No match".
+
+ If an integer is used to specify information element type, every GTP packet
+ is evaluated, no matter what version the packet is. If the message type
+ matches the value in packet, it will return "Match".
+
+ Syntax:
+ gtp_info:;
+ ie = "0-255"|
+ "rai" | "tmsi"...
+ Examples:
+ gtp_info: 16;
+ gtp_info: tmsi
+
+ GTPv0 information elements:
+
+ Value Information elements
+ ***********************************************
+ 1 cause
+ 2 imsi
+ 3 rai
+ 4 tlli
+ 5 p_tmsi
+ 6 qos
+ 8 recording_required
+ 9 authentication
+ 11 map_cause
+ 12 p_tmsi_sig
+ 13 ms_validated
+ 14 recovery
+ 15 selection_mode
+ 16 flow_label_data_1
+ 17 flow_label_signalling
+ 18 flow_label_data_2
+ 19 ms_unreachable
+ 127 charge_id
+ 128 end_user_address
+ 129 mm_context
+ 130 pdp_context
+ 131 apn
+ 132 protocol_config
+ 133 gsn
+ 134 msisdn
+ 251 charging_gateway_addr
+ 255 private_extension
+
+ GTPv1 information elements:
+
+ Value Information elements
+ ***********************************************
+ 1 cause
+ 2 imsi
+ 3 rai
+ 4 tlli
+ 5 p_tmsi
+ 8 recording_required
+ 9 authentication
+ 11 map_cause
+ 12 p_tmsi_sig
+ 13 ms_validated
+ 14 recovery
+ 15 selection_mode
+ 16 teid_1
+ 17 teid_control
+ 18 teid_2
+ 19 teardown_ind
+ 20 nsapi
+ 21 ranap
+ 22 rab_context
+ 23 radio_priority_sms
+ 24 radio_priority
+ 25 packet_flow_id
+ 26 charging_char
+ 27 trace_ref
+ 28 trace_type
+ 29 ms_unreachable
+ 127 charge_id
+ 128 end_user_address
+ 129 mm_context
+ 130 pdp_context
+ 131 apn
+ 132 protocol_config
+ 133 gsn
+ 134 msisdn
+ 135 qos
+ 136 authentication_qu
+ 137 tft
+ 138 target_id
+ 139 utran_trans
+ 140 rab_setup
+ 141 ext_header
+ 142 trigger_id
+ 143 omc_id
+ 144 ran_trans
+ 145 pdp_context_pri
+ 146 addi_rab_setup
+ 147 sgsn_number
+ 148 common_flag
+ 149 apn_restriction
+ 150 radio_priority_lcs
+ 151 rat_type
+ 152 user_loc_info
+ 153 ms_time_zone
+ 154 imei_sv
+ 155 camel
+ 156 mbms_ue_context
+ 157 tmp_mobile_group_id
+ 158 rim_routing_addr
+ 159 mbms_config
+ 160 mbms_service_area
+ 161 src_rnc_pdcp
+ 162 addi_trace_info
+ 163 hop_counter
+ 164 plmn_id
+ 165 mbms_session_id
+ 166 mbms_2g3g_indicator
+ 167 enhanced_nsapi
+ 168 mbms_session_duration
+ 169 addi_mbms_trace_info
+ 170 mbms_session_repetition_num
+ 171 mbms_time_to_data
+ 173 bss
+ 174 cell_id
+ 175 pdu_num
+ 177 mbms_bearer_capab
+ 178 rim_routing_disc
+ 179 list_pfc
+ 180 ps_xid
+ 181 ms_info_change_report
+ 182 direct_tunnel_flags
+ 183 correlation_id
+ 184 bearer_control_mode
+ 185 mbms_flow_id
+ 186 mbms_ip_multicast
+ 187 mbms_distribution_ack
+ 188 reliable_inter_rat_handover
+ 189 rfsp_index
+ 190 fqdn
+ 191 evolved_allocation1
+ 192 evolved_allocation2
+ 193 extended_flags
+ 194 uci
+ 195 csg_info
+ 196 csg_id
+ 197 cmi
+ 198 apn_ambr
+ 199 ue_network
+ 200 ue_ambr
+ 201 apn_ambr_nsapi
+ 202 ggsn_backoff_timer
+ 203 signalling_priority_indication
+ 204 signalling_priority_indication_nsapi
+ 205 high_bitrate
+ 206 max_mbr
+ 251 charging_gateway_addr
+ 255 private_extension
+
+ GTPv2 information elements:
+
+ Value Information elements
+ ***********************************************
+ 1 imsi
+ 1 echo_request
+ 2 cause
+ 2 echo_response
+ 3 recovery
+ 3 version_not_supported
+ 4 node_alive_request
+ 5 node_alive_response
+ 6 redirection_request
+ 7 redirection_response
+ 16 create_pdp_context_request
+ 17 create_pdp_context_response
+ 18 update_pdp_context_request
+ 19 update_pdp_context_response
+ 20 delete_pdp_context_request
+ 21 delete_pdp_context_response
+ 22 create_aa_pdp_context_request
+ 23 create_aa_pdp_context_response
+ 24 delete_aa_pdp_context_request
+ 25 delete_aa_pdp_context_response
+ 26 error_indication
+ 27 pdu_notification_request
+ 28 pdu_notification_response
+ 29 pdu_notification_reject_request
+ 30 pdu_notification_reject_response
+ 32 send_routing_info_request
+ 33 send_routing_info_response
+ 34 failure_report_request
+ 35 failure_report_response
+ 36 note_ms_present_request
+ 37 note_ms_present_response
+ 48 identification_request
+ 49 identification_response
+ 50 sgsn_context_request
+ 51 sgsn_context_response
+ 52 sgsn_context_ack
+ 71 apn
+ 72 ambr
+ 73 ebi
+ 74 ip_addr
+ 75 mei
+ 76 msisdn
+ 77 indication
+ 78 pco
+ 79 paa
+ 80 bearer_qos
+ 81 flow_qos
+ 82 rat_type
+ 83 serving_network
+ 84 bearer_tft
+ 85 tad
+ 86 uli
+ 87 f_teid
+ 88 tmsi
+ 89 cn_id
+ 90 s103pdf
+ 91 s1udf
+ 92 delay_value
+ 93 bearer_context
+ 94 charging_id
+ 95 charging_char
+ 96 trace_info
+ 97 bearer_flag
+ 99 pdn_type
+ 100 pti
+ 101 drx_parameter
+ 103 gsm_key_tri
+ 104 umts_key_cipher_quin
+ 105 gsm_key_cipher_quin
+ 106 umts_key_quin
+ 107 eps_quad
+ 108 umts_key_quad_quin
+ 109 pdn_connection
+ 110 pdn_number
+ 111 p_tmsi
+ 112 p_tmsi_sig
+ 113 hop_counter
+ 114 ue_time_zone
+ 115 trace_ref
+ 116 complete_request_msg
+ 117 guti
+ 118 f_container
+ 119 f_cause
+ 120 plmn_id
+ 121 target_id
+ 123 packet_flow_id
+ 124 rab_contex
+ 125 src_rnc_pdcp
+ 126 udp_src_port
+ 127 apn_restriction
+ 128 selection_mode
+ 129 src_id
+ 131 change_report_action
+ 132 fq_csid
+ 133 channel
+ 134 emlpp_pri
+ 135 node_type
+ 136 fqdn
+ 137 ti
+ 138 mbms_session_duration
+ 139 mbms_service_area
+ 140 mbms_session_id
+ 141 mbms_flow_id
+ 142 mbms_ip_multicast
+ 143 mbms_distribution_ack
+ 144 rfsp_index
+ 145 uci
+ 146 csg_info
+ 147 csg_id
+ 148 cmi
+ 149 service_indicator
+ 150 detach_type
+ 151 ldn
+ 152 node_feature
+ 153 mbms_time_to_transfer
+ 154 throttling
+ 155 arp
+ 156 epc_timer
+ 157 signalling_priority_indication
+ 158 tmgi
+ 159 mm_srvcc
+ 160 flags_srvcc
+ 161 mmbr
+ 240 data_record_transfer_request
+ 241 data_record_transfer_response
+ 255 private_extension
+ 255 pdu
+
+ gtp_version
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The gtp_version keyword is used to check for specific GTP version.
+ Because different GTP version defines different message types and information
+ elements, this keyword should combine with gtp_type and gtp_info.
+
+ Syntax:
+ gtp_version:;
+ version = "0, 1, 2'
+
+ Example:
+ gtp_version: 1;
+
\ No newline at end of file
diff -Nru snort-2.9.0.1/doc/README.http_inspect snort-2.9.2/doc/README.http_inspect
--- snort-2.9.0.1/doc/README.http_inspect 2010-10-25 12:48:56.000000000 -0700
+++ snort-2.9.2/doc/README.http_inspect 2011-10-26 11:28:51.000000000 -0700
@@ -60,26 +60,53 @@ This option specifies the maximum amount of packet payload to decompress. This value can be set from 1 to 65535. The default for this option is 1460. +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of unlimited_decompress this should be set to its max value. This value should be specified +in the default policy even when the HTTP inspect preprocessor is turned off using the disabled keyword. + * decompress_depth * This option specifies the maximum amount of decompressed data to obtain from the compressed packet payload. This value can be set from 1 to 65535. The default for this option is 2920. +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of unlimited_decompress this should be set to its max value. This value should be specified +in the default policy even when the HTTP inspect preprocessor is turned off using the disabled keyword. + * max_gzip_mem * This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor will use for decompression. This value can be set from 3276 bytes to 100MB. This option along with compress and decompress depth determines the gzip sessions that will be decompressed at any given instant. The default value for this option is 838860. -Note: It is suggested to set this value such that the max gzip session calculated as -follows is atleast 1. +Note: This value should be specified in the default policy even when the HTTP inspect preprocessor is +turned off using the disabled keyword. It is suggested to set this value such that the max gzip +session calculated as follows is atleast 1. 
max gzip session = max_gzip_mem /(decompress_depth + compress_depth) +* memcap * +This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor +will use for logging the URI and Hostname data. This value can be set from 2304 to 603979776 (576 MB). +This option along with the maximum uri and hostname logging size (which is defined in snort) will +determine the maximum HTTP sessions that will log the URI and hostname data at any given instant. The +maximum size for logging URI data is 2048 and for hostname is 256. The default value for this +option is 150994944 (144 MB). + +Note: This value should be specified in the default policy even when the HTTP inspect preprocessor is +turned off using the "disabled" keyword. In case of multiple policies, the value specified in the +default policy will overwrite the value specified in other policies. + +max http sessions logged = memcap /( max uri logging size + max hostname logging size ) +max uri logging size defined in snort : 2048 +max hostname logging size defined in snort : 256 + * disabled * This optional keyword is allowed with any policy to avoid packet processing. This option disables the preprocessor. When the preprocessor is disabled -only the "max_gzip_mem", "compress_depth" and "decompress_depth" options +only the "memcap", "max_gzip_mem", "compress_depth" and "decompress_depth" options are applied when specified with the configuration. Other options are parsed but not used. Any valid configuration may have "disabled" added to it. @@ -133,12 +160,17 @@ - normalize_utf - max_header_length - max_headers + - max_spaces - enable_cookie - extended_response_inspection - inspect_gzip + - normalize_javascript + - max_javascript_whitespaces - enable_xff - unlimited_decompress - http_methods + - log_uri + - log_hostname These options must be specified after the 'profile' option. Example: 
@@ -204,7 +236,17 @@ * enable_cookie * This options turns on the cookie extraction from HTTP requests and HTTP response. -By default the cookie inspection and extraction will be turned off. +By default the cookie inspection and extraction will be turned off. The cookie +from the "Cookie" header line is extracted and stored in HTTP Cookie buffer for +HTTP requests and cookie from the "Set-Cookie" is extracted and stored in HTTP +Cookie buffer for HTTP responses. The "Cookie:" and "Set-Cookie:" header names +itself along with the leading spaces and the CRLF terminating the header line +are stored in the HTTP header buffer and are not stored in the HTTP cookie buffer. + +Ex: Set-Cookie: mycookie \r\n + +In this case, Set-Cookie: \r\n will be in the HTTP header buffer and the pattern +mycookie will be in the HTTP cookie buffer. * inspect_gzip * This option specifies the HTTP inspect module to uncompress the compressed 
@@ -220,14 +262,77 @@ while inspecting). Also the amount of decompressed data that will be inspected depends on the server_flow_depth configured. +Http Inspect generates a preprocessor alert with gid 120 and sid 6 when the decompression +fails. When the decompression fails due to a CRC error encountered by zlib, HTTP Inspect +will also provide the detection module with the data that was decompressed by zlib. + * unlimited_decompress * This option enables the user to decompress unlimited gzip data (across multiple packets).Decompression will stop when the compressed data ends or when a out of -sequence packet is received. To ensure unlimited decompression, it is suggested -to set the 'compress_depth' and 'decompress_depth' to its maximum values. The -decompression in a single packet is still limited by the 'compress_depth' and +sequence packet is received. To ensure unlimited decompression, user should set +the 'compress_depth' and 'decompress_depth' to its maximum values in the default policy. +The decompression in a single packet is still limited by the 'compress_depth' and 'decompress_depth'. +* normalize_javascript * +This option enables the normalization of Javascript within the HTTP response body. +You should select the config option "extended_response_inspection" before configuring this option. +When this option is turned on, Http Inspect searches for a Javascript within the +HTTP response body by searching for the + + + +The above javascript will generate the preprocessor alert with SID 9 and GIDF 120 when normalize_javascript +is turned on. + +Http Inspect will also generate a preprocessor alert with GID 120 and SID 11 when there are more than one type +of encodings within the escaped/encoded data. 
+ +For example: + +unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21"); +String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33) + +The above obfuscation will generate the preprocessor alert with GID 120 and SID 11. + +This option is turned off by default in HTTP Inspect. + +* max_javascript_whitespaces [positive integer] * +This option takes an integer as an argument. The integer determines the maximum number +of consecutive whitespaces allowed within the Javascript obfuscated data in a HTTP +response body. The config option "normalize_javascript" should be turned on before configuring + this config option. When the whitespaces in the javascript obfuscated data is equal to or more +than this value a preprocessor alert with GID 120 and SID 10 is generated. The default value for +this option is 200. To enable, specify an integer argument to max_spaces of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + * enable_xff * This option enables Snort to parse and log the original client IP present in the X-Forwarded-For or True-Client-IP HTTP request headers along with the generated 
@@ -240,40 +345,57 @@ * server_flow_depth [integer] * * flow_depth [integer] * (to be deprecated) -This specifies the amount of server response payload to inspect. This option -significantly increases IDS performance because we are ignoring a large part of -the network traffic (HTTP server response payloads). A small percentage of -snort rules are targeted at this traffic and a small flow_depth value may -cause false negatives in some of these rules. Most of these rules target -either the HTTP header, or the content that is likely to be in the first -hundred or so bytes of non-header data. Headers are usually under 300 bytes -long, but your mileage may vary. It is suggested to set the -server_flow_depth to its maximum value or the decompress_depth (if -decompress_depth is less than 2920) when inspect_gzip is enabled . - -This value can be set from -1 to 2920. A value of -1 causes Snort -to ignore all server side traffic for ports defined in "ports." -Inversely, a value of 0 causes Snort to inspect all HTTP server +This specifies the amount of server response payload to inspect. When +extended_response_inspection is turned on, it is applied to the HTTP response body +(decompressed data when inspect_gzip is turned on) and not the HTTP headers. +When extended_response_inspection is turned off the server_flow_depth is applied +to the entire HTTP response (including headers). Unlike client_flow_depth this +option is applied per TCP session. This option can be used to balance the needs of +IDS performance and level of inspection of HTTP server response data. Snort rules are +targeted at HTTP server response traffic and when used with a small flow_depth value +may cause false negatives. Most of these rules target either the HTTP header, or +the content that is likely to be in the first hundred or so bytes of non-header data. +Headers are usually under 300 bytes long, but your mileage may vary. +It is suggested to set the server_flow_depth to its maximum value. 
+ +This value can be set from -1 to 65535. A value of -1 causes Snort +to ignore all server side traffic for ports defined in "ports" when +extended_response_inspection is turned off. When the extended_response_inspection + is turned on, value of -1 causes Snort to ignore the HTTP response body data and + not the HTTP headers. Inversely, a value of 0 causes Snort to inspect all HTTP server payloads defined in "ports" (note that this will likely slow down IDS performance). Values above 0 tell Snort the number of bytes to -inspect in the first packet of the server response. Only packets -payloads starting with 'HTTP' will be considered as the first packet of a -server response. If less than flow_depth bytes are in the payload -of the first packet, the entire payload will be inspected. If more than -flow_depth bytes are in the payload of the first packet only flow_depth -bytes of the payload will be inspected. Rules that are meant to -inspect data in the payload of the first packet of a server response -beyond 1460 bytes will be ineffective unless flow_depth is set to 0. -Note that the 2920 byte maximum flow_depth applies to stream +inspect of the server response (excluding the HTTP headers when extended_response_inspection is +turned on) in a given HTTP session. Only packets payloads starting with 'HTTP' will +be considered as the first packet of a server response. If less than flow_depth bytes +are in the payload of the HTTP response packets in a given session, the entire payload will be +inspected. If more than flow_depth bytes are in the payload of the HTTP response packet in a session +only flow_depth bytes of the payload will be inspected for that session. Rules that are meant to +inspect data in the payload of the HTTP response packets in a session beyond 65535 bytes will be +ineffective unless flow_depth is set to 0. The default value for server_flow_depth is 300. +Note that the 65535 byte maximum flow_depth applies to stream reassembled packets as well. 
It is suggested to set the server_flow_depth -to its maximum value or the decompress_depth (if decompress_depth is -less than 2920) when inspect_gzip is enabled. +to its maximum value. * client_flow_depth [integer] * -This specifies the amount of raw client request payload to inspect. It is -similar to server_flow_depth (above), and has a default value of 300. It -primarily eliminates Snort from inspecting larger HTTP Cookies that appear -at the end of many client request Headers. +This specifies the amount of raw client request payload to inspect. This +value can be set from -1 to 1460. Unlike server_flow_depth this value is applied +to the first packet of the HTTP request. It is not a session based flow depth. +It has a default value of 300. It primarily eliminates Snort from inspecting +larger HTTP Cookies that appear at the end of many client request Headers. + +A value of -1 causes Snort to ignore all client side traffic for ports +defined in "ports." Inversely, a value of 0 causes Snort to inspect all HTTP client + side traffic defined in "ports" (note that this will likely slow down IDS +performance). Values above 0 tell Snort the number of bytes to +inspect in the first packet of the client request. If less than flow_depth bytes +are in the TCP payload (HTTP request) of the first packet, the entire payload will be inspected. +If more than flow_depth bytes are in the payload of the first packet only flow_depth +bytes of the payload will be inspected. Rules that are meant to +inspect data in the payload of the first packet of a client request beyond 1460 bytes will be +ineffective unless flow_depth is set to 0. Note that the 1460 byte maximum flow_depth +applies to stream reassembled packets as well. It is suggested to set the client_flow_depth +to its maximum value. * post_depth [integer] * This specifies the amount of data to inspect in a client post message. The 
@@ -322,17 +444,6 @@ The alert on this decoding should be enabled, because there are no legitimate clients that encoded UTF-8 this way, since it is non-standard. -* base36 [yes/no] * -This is an option to decode base36 encoded chars. I didn't have access to -a server with this option, since it appears that this is related to certain -Asian versions of windows. I'm going off of info from: -http://www.yk.rim.or.jp/~shikap/patch/spp_http_decode.patch -So I hope that works for any of you with this option. Please note that if you -have enabled %u encoding, this option will not work. You have to use the -base36 option with the utf_8 option. Don't use the %u option, because base36 -won't work. When base36 is enabled, so is ascii encoding to enforce correct -behavior. - * iis_unicode [yes/no] * The iis_unicode option turns on the unicode codepoint mapping. If there is no iis_unicode_map option specified with the server config, iis_unicode uses the @@ -397,6 +508,20 @@ up the apache chunk encoding exploits, and may also alert on HTTP tunneling that uses chunk encoding. +* small_chunk_length { } * +This option is an evasion detector for consecutive small chunk sizes when +either the client or server use Transfer-Encoding: chunked. + specifies the maximum chunk size for which a chunk will be +considered small. specifies the number of consecutive +small chunks <= before an event will be generated. +This option is turned off by default. Maximum values for each are 255 and +a of 0 disables. +Events generated are gid:119,sid:27 for client small chunks and gid:120,sid:7 +for server small chunks. +Example: + small_chunk_length { 10 5 } +Meaning alert if we see 5 consecutive chunk sizes of 10 or less. + * no_pipeline_req * This option turns HTTP pipeline decoding off, and is a performance enhancement if needed. By default pipeline requests are inspected for attacks, but when 
@@ -457,6 +582,14 @@ enable, specify an integer argument to max_header_length of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. +* max_spaces [positive integer] * +This option takes an integer as an argument. The integer determines the maximum number +of whitespaces allowed with HTTP client request line folding. Requests headers +folded with whitespaces equal to or more than this value will cause a +"Space Saturation" alert with SID 26 and GID 119. The default value for this +option is 200. To enable, specify an integer argument to max_spaces of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + * webroot * This option generates an alert when a directory traversal traverses past the web server root directory. This generates much less false positives than 
@@ -504,7 +637,31 @@ Example : http_methods { PUT CONNECT } -Please note the maximum length for a method name is 7. +Please note the maximum length for a method name is 256. + +* log_uri * +This option enables HTTP Inspect preprocessor to parse the URI data from the +HTTP request and log it along with all the generated events for that session. +Stream5 reassembly needs to be turned on HTTP ports to enable the logging. +If there are multiple HTTP requests in the session, the URI data of the most recent +HTTP request during the alert will be logged. The maximum URI logged is 2048. + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). u2spewfoo can be used to read this data from +the unified2. + +* log_hostname * +This option enables HTTP Inspect preprocessor to parse the hostname data from the +"Host" header of the HTTP request and log it along with all the generated events +for that session. Stream5 reassembly needs to be turned on HTTP ports to enable +the logging. If there are multiple HTTP requests in the session, the Hostname data +of the most recent HTTP request during the alert will be logged. In case of +multiple "Host" headers within one HTTP request, a preprocessor alert with sid 24 is +generated. The maximum hostname length logged is 256. + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). u2spewfoo can be used to read this data from +the unified2. -- Profile Breakout -- There are three profiles that users can select. Only the configuration @@ -525,6 +682,7 @@ utf_8 encoding (alert off) max_header_length 0 (header length not checked) max_headers 0 (number of headers not checked) +max_sapces 200 (number of allowed white spaces) * IIS * 
@@ -647,11 +805,18 @@ * http_cookie * The http_cookie keyword is a content modifier that restricts the search to the -extracted Cookie Header field of a HTTP client request or a HTTP server -response. As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http_cookie' is specified. This keyword is dependent -on the 'enable_cookie' config option. The Cookie Header field will be extracted only -when this option is configured. +extracted Cookie Header field (excluding the header name itself and the CRLF terminating +the header line) of a HTTP client request or a HTTP server response. The Cookie buffer +does not include the header names ("Cookie:" for HTTP requests or "Set-Cookie:" for +HTTP responses) or leading spaces and the CRLF terminating the header line. +These are included in the HTTP header buffer. + +As this keyword is a modifier to the previous 'content' keyword, there must be a +content in the rule before 'http_cookie' is specified. This keyword is dependent +on the 'enable_cookie' config option. The Cookie Header field will be extracted +only when this option is configured. If enable_cookie is not specified, +the cookie still ends up in HTTP header. When enable_cookie is not specified, +using http_cookie is the same as using http_header. The extracted Cookie Header field will be NORMALIZED if the normalize_cookies is configured with HttpInspect. 
@@ -729,9 +894,9 @@ The http_encode keyword will enable alerting based on encoding type present in a HTTP client request or a HTTP server response. -There are nine keyword associated with http_encode. The keywords 'uri', 'header' +There are several keywords associated with http_encode. The keywords 'uri', 'header' and 'cookie' determine the HTTP fields used to search for a particular encoding type. -The keywords 'utf8', 'double_encode', 'non_ascii', 'base36', 'uencode', 'ascii' and 'bare_byte' +The keywords 'utf8', 'double_encode', 'non_ascii', 'uencode', 'ascii', 'iis_encode' and 'bare_byte' determine the encoding type which would trigger the alert. These keywords can be combined using a OR operation. Negation is allowed on these keywords. @@ -760,7 +925,7 @@ 2 Double decoding attack 3 U encoding 4 Bare byte Unicode encoding -5 Base36 encoding +5 Base36 encoding # Deprecated in Snort 2.9.1 6 UTF-8 encoding 7 IIS Unicode codepoint encoding 8 multi-slash encoding 
@@ -775,9 +940,28 @@ 17 Unauthorized proxy use detected 18 Webroot directory traversal 19 Long header +20 Max headers +21 Multiple Content-Length headers +22 Chunk size mismatch +23 Invalid True-IP/XFF Orginal Client IP +24 Multiple Host headers +25 Hostname exceeds 255 characters +27 Chunked encoding - excessive consecutive small chunks +28 Unbounded POST (without Content-Length or Transfer-Encoding: chunked) The following alert is generated with generator ID 120: SID Description --- ----------- 1 Anomalous HTTP server on undefined HTTP port +2 Invalid HTTP response status code +3 No Content-Length or Transfer-Encoding in HTTP response +4 UTF Normalization failure +5 HTTP response has UTF-7 charset +6 HTTP response gzip decompression failed +7 Chunked encoding - excessive consecutive small chunks +8 Invalid Content-Length or chunk size in request or response +9 Javascript obfuscation levels exceeds 1 +10 Javascript consecutive whitespaces exceeds max allowed +11 Multiple encodings within Javascript obfuscated data + diff -Nru snort-2.9.0.1/doc/README.imap snort-2.9.2/doc/README.imap --- snort-2.9.0.1/doc/README.imap 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/doc/README.imap 2011-07-13 15:43:17.000000000 -0700 
@@ -0,0 +1,176 @@ +IMAP +==== + +-- Overview -- +IMAP is an IMAP4 decoder for user applications. Given a data buffer, +IMAP will decode the buffer and find IMAP4 commands and responses. +It will also mark the command, data header data body sections and +extract the IMAP4 attachments and decode it appropriately. + +IMAP will handle stateful processing. It saves state between individual +packets. However maintaining correct state is dependent on the resassembly +of the server side of the stream (ie, a loss of coherent stream data results +in a loss of state). + +Stream5 should be turned on for IMAP. Please ensure that the IMAP ports are added + to the stream5 ports for proper reassembly. + + +-- Configuration -- + +The configuration options are described below: + +* ports { port [port] ... } * +This specifies on what ports to check for IMAP data. Typically, this will +include 143. Default ports if none are specified are 143 . + +* disabled * +Disables the IMAP preprocessor in a config. This is useful when specifying +the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth, +bitenc_decode_depth or the memcap used for decoding in default config +without turning on the IMAP preprocessor. + +* b64_decode_depth * +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A IMAP preprocessor +alert with sid 4 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are +decoded too. 
+ +The decoded data is available for detection using the rule option file_data. +See file_data rule option for more details. + +It is recommended that user inputs a value that is a multiple of 4. When the value +specified is not a multiple of 4, the IMAP preprocessor will round it up to the next +multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +* qp_decode_depth * +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A IMAP +preprocessor alert with sid 5 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option file_data. +See file_data rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +* bitenc_decode_depth * +This config option is used to turn off/on or set the 7bit/8bit/binary extraction +depth used to extract the 7bit/8bit/binary encoded MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A IMAP +preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded. 
+ +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are +extracted too. + +The extracted data is available for detection using the rule option file_data. +See file_data rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +* uu_decode_depth * +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of IMAP attachments. +The value of 0 sets the decoding of UU encoded IMAP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU IMAP attachments. A IMAP +preprocessor alert with sid 7 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option file_data. +See file_data rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +* memcap * +This option determines (in bytes) the maximum amount of memory the IMAP preprocessor +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. + +This option along with the maximum of the decoding depths will determine the IMAP +sessions that will be decoded at any given instant. The default value for this option +is 838860. 
+ +Note: It is suggested to set this value such that the max imap session calculated as +follows is atleast 1. + +max imap session = memcap /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth + or bitenc_decode_depth)) + +For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then + +max imap session = memcap/2*65535 (max value for b64_decode_depth) + +In case of multiple configs, the memcap of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable IMAP preprocessor in a config). + +When the memcap for decoding (memcap) is exceeded the IMAP preprocessor alert with sid 3 is +generated (when enabled). + +Example: +preprocessor imap: \ + ports { 143 } \ + memcap 1310700 \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 + + +preprocessor imap: \ + memcap 1310700 \ + qp_decode_depth 0 \ + disabled + +Default: +preprocessor imap: \ + ports { 143 } \ + b64_decode_depth 1460 \ + qp_decode_depth 1460 \ + bitenc_decode_depth 1460 \ + uu_decode_depth 1460 + +Events +================================================================================ +The IMAP preprocessor uses GID 141 to register events. + + +SID Description +-------------------------------------------------------------------------------- + 1 Alert if IMAP encounters an invalid IMAP4 command. + 2 Alert if IMAP encounters an invalid IMAP4 response. + 3 If the decoding memory cap (memcap) is reached and the preprocessor is configured to alert, + this alert will be created. + 4 If the decoding of a base64 MIME attachments fails or when the decoding stops due to exceeded + b64_decode_depth. + 5 If the decoding of a Quoted-Printable MIME attachments fails or when the decoding stops due to exceeded + qp_decode_depth. 
+ 6 If the decoding of a 7bit/8bit/binary MIME attachments fails or when the decoding stops due to + exceeded bitenc_decode_depth. + 7 If the decoding of a Unix-to-Unix encoded attachments fails or when the decoding stops due to exceeded + uu_decode_depth. diff -Nru snort-2.9.0.1/doc/README.ipv6 snort-2.9.2/doc/README.ipv6 --- snort-2.9.0.1/doc/README.ipv6 2010-09-27 08:28:10.000000000 -0700 +++ snort-2.9.2/doc/README.ipv6 2011-10-26 11:28:51.000000000 -0700 @@ -24,15 +24,6 @@ Respond2 Dynamic plugins (Shared Object rules) -IPv6 support is not included for the following, but will be -added in a future release: - - Database - Aruba - Prelude - - Note: For stream reassembly and flow, use Stream5. - All rule options are supported with IPv6 diff -Nru snort-2.9.0.1/doc/README.modbus snort-2.9.2/doc/README.modbus --- snort-2.9.0.1/doc/README.modbus 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/doc/README.modbus 2011-10-26 11:28:51.000000000 -0700 
@@ -0,0 +1,134 @@ +Modbus Preprocessor +=================== + + +Overview +======== +The Modbus preprocessor is a Snort module that decodes the Modbus protocol. It +also provides rule options to access certain protocol fields. This allows a +user to write rules for Modbus packets without decoding the protocol with a +series of "content" and "byte_test" options. + +Modbus is a protocol used in SCADA networks. If your network does not contain +any Modbus-enabled devices, we recommend leaving this preprocessor turned off. + +Dependencies +============ +The Stream5 preprocessor must be enabled for the Modbus preprocessor to work. +Protocol-Aware Flushing (PAF) is also required. See README.stream5 for more +information. + +Preprocessor Configuration +========================== +Modbus configuration is split into two parts: the preprocessor config, and the +rule options. The preprocessor config starts with: + +preprocesor modbus: + +Options are as follows: + + Option Argument Required Default + -------------------------------------------------------------- + ports , or NO ports 502 + { port [port] ... } + +Option explanations + ports + This sets the port numbers on which Modbus traffic is inspected. + A single port number may be provided, or a space-separated list + enclosed in curly brackets. The default is port 502. + +Example preprocessor config + +preprocessor modbus: ports { 502 } + +Rule Options +============ +The Modbus preprocessor adds 3 new rule options. These rule options match on +various pieces of the Modbus headers. + +The preprocessor must be enabled for these rule options to work. + +modbus_func +--------- +This option matches against the Function Code inside of a Modbus +Application-Layer request/response header. The code may be a number +(in decimal format), or a string from the list provided below. 
+ +Syntax: + modbus_func: + + code = 0-255 + read_coils + read_discrete_inputs + read_holding_registers + read_input_registers + write_single_coil + write_single_register + read_exception_status + diagnostics + get_comm_event_counter + get_comm_event_log + write_multiple_coils + write_multiple_registers + report_slave_id + read_file_record + write_file_record + mask_write_register + read_write_multiple_registers + read_fifo_queue + encapsulated_interface_transport + +Example: + alert tcp any any -> any 502 (msg:"Modbus Write Coils request"; \ + modbus_func:write_multiple_coils; sid:1;) + +modbus_unit +----------- +This rule option matches against the Unit ID field in a Modbus header. + +Syntax: + modbus_unit: + + unit = 0-255 + +Example: + var MODBUS_ADMIN 192.168.1.2 + alert tcp !$MODBUS_ADMIN any -> any 502 (msg:"Modbus command to Unit 01 \ + from unauthorized host"; modbus_unit:1; sid:1;) + +modbus_data +--------- +This rule option sets the cursor at the beginning of the Data field in +a Modbus request/response. + +Syntax: + modbus_data; + + No options. + +Example: + +alert tcp any any -> any any (msg:"String 'badstuff' in Modbus message"; \ + modbus_data; content:"badstuff"; sid:1;) + + +Preprocessor Rules +================== +The Modbus preprocessor uses GID 144 for its preprocessor events. + +SID Description +-------------------------------------------------------------------- + 1 The length in the Modbus header does not match the length needed + by the Modbus function code. + + Each Modbus function has an expected format for requests and responses. + If the length of the message does not match the expected format, this + alert is generated. + + 2 Modbus protocol ID is non-zero. + The protocol ID field is used for multiplexing other protocols with + Modbus. Since the preprocessor cannot handle these other protocols, + this alert is generated instead. + + 3 Reserved Modbus function code in use. 
diff -Nru snort-2.9.0.1/doc/README.multipleconfigs snort-2.9.2/doc/README.multipleconfigs --- snort-2.9.0.1/doc/README.multipleconfigs 2010-01-22 15:59:24.000000000 -0800 +++ snort-2.9.2/doc/README.multipleconfigs 2011-10-26 11:28:51.000000000 -0700 @@ -17,11 +17,12 @@ config binding: vlan config binding: net +config binding: policy_id : Refers to the absolute or relative path to the snort.conf for specific configuration. - : Refers to the comma seperated list of vlandIds and vlanId + : Refers to the comma seperated list of vlandIds and vlanId ranges. The format for ranges is two vlanId separated by a "-". Spaces are allowed within ranges. Valid vlanId is any number in 0-4095 range. Negative vland Ids and alphanumeric are not supported. @@ -30,6 +31,8 @@ or IPv4. A maximum of 512 individual IPv4 or IPv6 addresses or CIDRs can be specified. + : Refers to the comma seperated list of 16bit policyIds + NOTE: Vlan and Subnets can not be used in the same line. Configurations can be applied based on either Vlans or Subnets not both. diff -Nru snort-2.9.0.1/doc/README.normalize snort-2.9.2/doc/README.normalize --- snort-2.9.0.1/doc/README.normalize 2010-08-25 13:22:35.000000000 -0700 +++ snort-2.9.2/doc/README.normalize 2011-10-26 11:28:51.000000000 -0700 @@ -13,7 +13,7 @@ Also, normalizations will only be enabled if the selected DAQ supports packet replacement and is operating in inline mode. -If a policy is configured for inline_test or passive mode, any normalization +If a policy is configured for inline_test or passive mode, any normalization statements in the policy config are ignored. 
@@ -22,24 +22,26 @@ IP4 normalizations are enabled with: - preprocessor normalize_ip4: [df], [rf] + preprocessor normalize_ip4: [df], [rf], [tos], [trim] Base normalizations enabled with "preprocessor normalize_ip4" include: -* Truncate packets with excess payload to the datagram length specified in the - IP header. - * TTL normalizaton if enabled (explained below). -* Clear the differentiated services field (formerly TOS). - * NOP all options octets. Optional normalizations include: * df - don't fragment: clear this bit on incoming packets. + * rf - reserved flag: clear this bit on incoming packets. +* tos - type of service (differentiated services): clear this byte. + +* trim - truncate packets with excess payload to the datagram length specified in the + IP header + the layer 2 header (eg ethernet), but don't truncate below minimum + frame length. This is automatically disabled if the DAQ can't inject packets. + IP6 Normalizations ================== @@ -75,7 +77,7 @@ TCP normalizations are enabled with: preprocessor normalize_tcp: \ - [ips] [urp] \ + [ips], [urp], [trim], \ [ecn ], \ [opts [allow +]] @@ -90,12 +92,10 @@ ::= { 11, 12, 13 } ::= { 14, 15 } ::= { 19 } - ::= (3..255) + ::= (3..255) Base normalizations enabled with "preprocessor normalize_tcp" include: -* Remove data on SYN. - * Clear the reserved bits in the TCP header. * Clear the urgent pointer if the urgent flag is not set. @@ -104,17 +104,11 @@ * Set the urgent pointer to the payload length if it is greater than the payload length. - + * Clear the urgent flag if the urgent pointer is not set. * Clear any option padding bytes. -* Remove any data from RST packet. - -* Trim data to window. - -* Trim data to MSS. - Optional normalizations include: * ips: ensure consistency in retransmitted data (also forces reassembly policy 
@@ -123,6 +117,14 @@ * urp - urgent pointer: don't adjust the urgent pointer if it is greater than payload length. +* trim: remove data on SYN. + +* trim: remove any data from RST packet. + +* trim: trim data to window. + +* trim: trim data to MSS. + * ecn packet: clear ECN flags on a per packet basis (regardless of negotiation). @@ -142,8 +144,6 @@ * opts: MSS and window scale options are NOP'd if SYN flag is not set. -* opts: trim payload length to MSS if longer. - TTL Normalization ================= @@ -200,13 +200,13 @@ 116,422 TCP: FIN==1 && ACK==0 116,422 TCP: PUSH==1 && ACK==0 129,15 TCP: RST not in window -116,420 TCP: SYN==1 && FIN==1 +116,420 TCP: SYN==1 && FIN==1 129,2 TCP: SYN with data -116,421 TCP: SYN==1 && RST==1 +116,421 TCP: SYN==1 && RST==1 116,423 TCP: SYN==0 && ACK==0 && RST==0 129,1 TCP: SYN on established session 116,422 TCP: URG==1 && ACK==0 -116,419 TCP: URG==1 && (dsize==0 || urp > dsize) +116,419 TCP: URG==1 && (dsize==0 || urp > dsize) 129,6 TCP: Window Too large normalize_tcp 129,4 TCP TS option: packet fails PAWS test 129,14 TCP TS option: missing but negotiated in SYN diff -Nru snort-2.9.0.1/doc/README.PerfProfiling snort-2.9.2/doc/README.PerfProfiling --- snort-2.9.0.1/doc/README.PerfProfiling 2010-04-06 07:05:44.000000000 -0700 +++ snort-2.9.2/doc/README.PerfProfiling 2011-10-26 11:28:51.000000000 -0700 @@ -67,7 +67,7 @@ High Checks and low Avg/Check is usually an ANY->ANY rule with few rule options and no content. Quick to check, the few options may or may not match. We are looking at moving some of these into code... Especially -those with low SIDs. +those with low SIDs. By default, this information will be printed to the console when Snort exits. You can use the "filename" option in snort.conf to specify a 
@@ -97,7 +97,7 @@ # # 3) Print all preprocessors, sorted by number of checks # config profile_preprocs: print all, sort checks -# +# # When printing a specific number of preprocessors all subtasks info # is printed for each layer 0 preprocessor stat. 
@@ -119,25 +119,49 @@ - Percent of caller For non layer 0 preprocessors -- ie, subroutines within preprocessors, this identifies the percent of the caller's ticks that is spent for - this subtask. + this subtask. -Example, using config profile_rules: print 3, sort total_ticks -Preprocessor Profile Statistics (worst 3) +Example, using config profile_preprocs: print 10, sort total_ticks +Preprocessor Profile Statistics (worst 10) ========================================================== - Num Preprocessor Layer Checks Exits Ticks Avg/Check Pct of Caller - === ============ ===== ====== ===== ===== ========= ============= - 1 s4 0 106323 106323 5457197986 51326.6 0.0 - 1 s4StateAction 1 106323 106323 1951276047 18352.3 35.8 - 2 s4ProcessRebuilt 1 1876 1876 1400764326 746676.1 25.7 - 3 s4State 1 106323 106323 685831114 6450.4 12.6 - 4 s4GetSess 1 106323 106323 565310684 5316.9 10.4 - 5 s4PktInsert 1 67828 67828 293546724 4327.8 5.4 - 6 s4Flush 1 4064 4064 74460923 18322.1 1.4 - 1 s4Rebuild 2 1876 1876 42991921 22916.8 57.7 - 7 s4NewSess 1 822 822 6625851 8060.6 0.1 - 8 s4Prune 1 30 30 3573059 119102.0 0.1 - 2 httpinspect 0 69704 69704 1090293755 15641.8 0.0 - 3 sfportscan 0 106323 106323 972732074 9148.8 0.0 + Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total + === ============ ===== ====== ===== ========= ========= ============= ============ + 1 detect 0 338181 338181 9054573 26.77 64.62 64.62 + 1 rule eval 1 256978 256978 2570596 10.00 28.39 18.35 + 1 rule tree eval 2 399860 399860 2520629 6.30 98.06 17.99 + 1 pcre 3 51328 51328 505636 9.85 20.06 3.61 + 2 byte_jump 3 6 6 7 1.30 0.00 0.00 + 3 content 3 1077588 1077588 1123373 1.04 44.57 8.02 + 4 uricontent 3 106498 106498 79685 0.75 3.16 0.57 + 5 byte_test 3 9951 9951 5709 0.57 0.23 0.04 + 6 isdataat 3 8486 8486 3192 0.38 0.13 0.02 + 7 flowbits 3 135739 135739 35365 0.26 1.40 0.25 + 8 flags 3 2 2 0 0.20 0.00 0.00 + 9 preproc_rule_options 3 15499 15499 1939 0.13 0.08 0.01 + 10 flow 3 
394817 394817 36420 0.09 1.44 0.26 + 11 file_data 3 15957 15957 1264 0.08 0.05 0.01 + 12 ack 3 4 4 0 0.07 0.00 0.00 + 2 rtn eval 2 36928 36928 17500 0.47 0.68 0.12 + 2 mpse 1 646528 646528 5840244 9.03 64.50 41.68 + 2 s5 0 310080 310080 3270702 10.55 23.34 23.34 + 1 s5tcp 1 310080 310080 2993020 9.65 91.51 21.36 + 1 s5TcpState 2 304484 304484 2559085 8.40 85.50 18.26 + 1 s5TcpFlush 3 22148 22148 70681 3.19 2.76 0.50 + 1 s5TcpProcessRebuilt 4 22132 22132 2018748 91.21 2856.11 14.41 + 2 s5TcpBuildPacket 4 22132 22132 34965 1.58 49.47 0.25 + 2 s5TcpData 3 184186 184186 120794 0.66 4.72 0.86 + 1 s5TcpPktInsert 4 46249 46249 89299 1.93 73.93 0.64 + 2 s5TcpNewSess 2 5777 5777 37958 6.57 1.27 0.27 + 3 httpinspect 0 204751 204751 1814731 8.86 12.95 12.95 + 4 ssl 0 10780 10780 16283 1.51 0.12 0.12 + 5 decode 0 312638 312638 437860 1.40 3.12 3.12 + 6 DceRpcMain 0 155358 155358 186061 1.20 1.33 1.33 + 1 DceRpcSession 1 155358 155358 156193 1.01 83.95 1.11 + 7 backorifice 0 77 77 42 0.55 0.00 0.00 + 8 smtp 0 45197 45197 17126 0.38 0.12 0.12 + 9 ssh 0 26453 26453 7195 0.27 0.05 0.05 + 10 dns 0 28 28 5 0.18 0.00 0.00 + total total 0 311202 311202 14011946 45.03 0.00 0.00 Because of task swapping, non-instrumented code, and other factors, the Percent of caller field will not add up to 100% of the caller's time. diff -Nru snort-2.9.0.1/doc/README.pop snort-2.9.2/doc/README.pop --- snort-2.9.0.1/doc/README.pop 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/doc/README.pop 2011-07-13 15:43:17.000000000 -0700 
@@ -0,0 +1,176 @@ +POP +==== + +-- Overview -- +POP is an POP3 decoder for user applications. Given a data buffer, +POP will decode the buffer and find POP3 commands and responses. +It will also mark the command, data header data body sections and +extract the POP3 attachments and decode it appropriately. + +POP will handle stateful processing. It saves state between individual +packets. However maintaining correct state is dependent on the resassembly +of the server side of the stream (ie, a loss of coherent stream data results +in a loss of state). + +Stream5 should be turned on for POP. Please ensure that the POP ports are added + to the stream5 ports for proper reassembly. + + +-- Configuration -- + +The configuration options are described below: + +* ports { port [port] ... } * +This specifies on what ports to check for POP data. Typically, this will +include 110. Default ports if none are specified are 110 . + +* disabled * +Disables the POP preprocessor in a config. This is useful when specifying +the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth, +bitenc_decode_depth or the memcap used for decoding in default config +without turning on the POP preprocessor. + +* b64_decode_depth * +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A POP preprocessor +alert with sid 4 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are +decoded too. 
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+It is recommended that user inputs a value that is a multiple of 4. When the value
+specified is not a multiple of 4, the POP preprocessor will round it up to the next
+multiple of 4.
+
+In case of multiple configs, the value specified in the non-default config cannot
+exceed the value specified in the default config.
+
+* qp_decode_depth *
+This config option is used to turn off/on or set the Quoted-Printable decoding depth
+used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments.
+The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of QP MIME attachments. A POP
+preprocessor alert with sid 5 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* bitenc_decode_depth *
+This config option is used to turn off/on or set the 7bit/8bit/binary extraction
+depth used to extract the 7bit/8bit/binary encoded MIME attachments. The
+value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME
+attachments. The value of 0 sets the extraction of these MIME attachments to unlimited.
+A value other than 0 or -1 restricts the extraction of these MIME attachments. A POP
+preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are
+extracted too.
+
+The extracted data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* uu_decode_depth *
+This config option is used to turn off/on or set the Unix-to-Unix decoding depth
+used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the UU decoding of POP attachments.
+The value of 0 sets the decoding of UU encoded POP attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of UU POP attachments. A POP
+preprocessor alert with sid 7 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection
+is turned on the UU encoded attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* memcap *
+This option determines (in bytes) the maximum amount of memory the POP preprocessor
+will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data
+or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB.
+
+This option along with the maximum of the decoding depths will determine the POP
+sessions that will be decoded at any given instant. The default value for this option
+is 838860.
+
+Note: It is suggested to set this value such that the max pop session calculated as
+follows is atleast 1.
+
+max pop session = memcap /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth
+ or bitenc_decode_depth))
+
+For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then
+
+max pop session = memcap/2*65535 (max value for b64_decode_depth)
+
+In case of multiple configs, the memcap of the non-default configs will be overwritten by the
+default config's value. Hence user needs to define it in the default config with the new keyword
+disabled (used to disable POP preprocessor in a config).
+
+When the memcap for decoding (memcap) is exceeded the POP preprocessor alert with sid 3 is
+generated (when enabled).
+
+Example:
+preprocessor pop: \
+ ports { 110 } \
+ memcap 1310700 \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+
+
+preprocessor pop: \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ disabled
+
+Default:
+preprocessor pop: \
+ ports { 110 } \
+ b64_decode_depth 1460 \
+ qp_decode_depth 1460 \
+ bitenc_decode_depth 1460 \
+ uu_decode_depth 1460
+
+Events
+================================================================================
+The POP preprocessor uses GID 142 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Alert if POP encounters an invalid POP3 command.
+ 2 Alert if POP encounters an invalid POP3 response.
+ 3 If the decoding memory cap (memcap) is reached and the preprocessor is configured to alert,
+ this alert will be created.
+ 4 If the decoding of a base64 MIME attachments fails or when the decoding stops due to exceeded
+ b64_decode_depth.
+ 5 If the decoding of a Quoted-Printable MIME attachments fails or when the decoding stops due to exceeded
+ qp_decode_depth.
+ 6 If the decoding of a 7bit/8bit/binary MIME attachments fails or when the decoding stops due to + exceeded bitenc_decode_depth. + 7 If the decoding of a Unix-to-Unix encoded attachments fails or when the decoding stops due to exceeded + uu_decode_depth. diff -Nru snort-2.9.0.1/doc/README.reload snort-2.9.2/doc/README.reload --- snort-2.9.0.1/doc/README.reload 2010-08-25 13:22:35.000000000 -0700 +++ snort-2.9.2/doc/README.reload 2011-11-21 12:15:24.000000000 -0800 @@ -127,3 +127,8 @@ track_udp track_icmp + +Caveats: +======== + +When Snort is run on the primary network interface of an OpenBSD system, the reload and failopen operations may not function as expected. diff -Nru snort-2.9.0.1/doc/README.reputation snort-2.9.2/doc/README.reputation --- snort-2.9.0.1/doc/README.reputation 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/doc/README.reputation 2011-10-26 07:49:57.000000000 -0700 
@@ -0,0 +1,253 @@
+Reputation Preprocessor
+================================================================================
+Hui Cao
+
+##########################################
+# THIS CODE IS STILL EXPERIMENTAL!
+# DO NOT USE IN PRODUCTION ENVIRONMENTS.
+# Please send any issues to the Snort team
+##########################################
+
+Overview
+================================================================================
+Reputation preprocessor provides basic IP blacklist/whitelist capabilities, to
+block/drop/pass traffic from IP addresses listed. In the past, we use standard
+Snort rules to implement Reputation-based IP blocking. This preprocessor will
+address the performance issue and make the IP reputation management easier.
+Repuation preprocessor runs before other preprocessors.
+
+Sections:
+ Configuration
+ IP list file format
+ Events
+ Shared memory support
+
+Configuration
+================================================================================
+The preprocessor configuration name is "reputation".
+
+preprocessor reputation
+
+Option Argument Required Default
+memcap No memcap 500
+scan_local None No off
+blacklist No NULL
+whitelist No NULL
+priority [blacklist whitelist] No priority whitelist
+nested_ip [inner outer both] No nested_ip inner
+
+
+memcap = 1 - 4095 Mbytes
+
+preprocessor reputation:\
+ < memcap number >,\
+ < scanLocal >, \
+ < blacklist < list filename >>,\
+ < whitelist < list filename >>,\
+ < priority [blacklist whitelist] >,\
+ < nested_ip [inner outer both] >
+Options:
+
+ < memcap number >:
+ maximum total memory allocated (in Megabytes). It can be set up to
+ 4095 Megabytes.
+
+ < scan_local > :
+ Enable to inspect local address defined in RFC 1918:
+ 10.0.0.0 - 10.255.255.255 (10/8 prefix)
+ 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
+ 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
+
+ < list filename > :
+ The IP lists are loaded from external files. It supports relative
+ paths for inclusion and $variables for path. Multiple blacklists or
+ whitelists are supported.
+
+ Note: if the same IP is redefined later, it will overwrite the
+ previous one. In other words, IP lists always favors the last file or
+ entry processed.
+
+ < priority > :
+ Specify either blacklist or whitelist has higher priority when
+ source/destination is on blacklist while destination/source is on
+ whitelist. By default, whitelist has higher priority. In other words,
+ the packet will be passed when either source or destination is
+ whitelisted.
+
+ Note: this only defines priority when there is a decision conflict,
+ during run-time. During initialization time, if the same IP address
+ is defined in whitelist and blacklist, whoever the last one defined
+ will be the final one. Priority does not work on this case.
+
+ < nested_ip >:
+ Specify which IP address to be used when there is IP encapsulation.
+
+
+Configuration examples
+
+ Default configuration
+ # Standard blacklisting.
+ # If running in inline mode the packets will be dropped.
+ preprocessor reputation:\
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ Inspect inner and outer IP configuration
+ # Inspect both inner and outer, Also adds a whitelist entry
+ # to make exceptions.
+ preprocessor reputation: n
+ nested_ip both, \
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+ Full configuration
+ # Blacklisting with scan local network, use both headers,
+ # and whitelist has higher priority.
+ # Also adds a whitelist entry to make exceptions.
+ preprocessor reputation: \
+ memcap 200, scan_local, nested_ip both, \
+ priority whitelist, \
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ Variable path/file configuration
+
+ $REP_BLACK_FILE1 = ../dshield.list
+ $REP_BLACK_FILE2 = ../snort.org.list
+ preprocessor reputation: \
+ blacklist $REP_BLACK_FILE1,\
+ blacklist $REP_BLACK_FILE2
+
+IP List File Format
+
+ Syntax
+ The IP list file has 1 entry per line. The entry can be either IP entry or
+ comment.
+
+ IP Entry
+ CIDR notation line break
+ Example:
+ 172.16.42.32/32
+
+ Comment
+ #
+ Example:
+ # This is a full line comment
+
+ IP List File Example
+ ----------------------
+ # This is a full line comment
+ 172.16.42.32/32 # This is an inline comment, line with single CIDR block
+
+Use case
+
+ A user wants to protect his/her network from unwanted/unknown IPs, only
+ allowing some trusted IPs. Here is the configuration:
+
+ preprocessor reputation: \
+ blacklist /etc/snort/default.blacklist
+ whitelist /etc/snort/default.whitelist
+
+ In file "default.blacklist"
+ # These two entries will match all ipv4 addresses
+ 1.0.0.0/1
+ 128.0.0.0/1
+
+ In file "default.whitelist"
+ 68.177.102.22 # sourcefire.com
+ 74.125.93.104 # google.com
+
+Events
+================================================================================
+The preprocessor uses GID 136 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 Packets are blacklisted.
+ 2 Packets are whitelisted.
+
+Rule Options
+================================================================================
+ No rule options
+
+Shared memory support
+================================================================================
+ In order to minimize memory consumption when multiple Snort instances are
+ running concurrently, we introduce the support of shared memory. After
+ configured, all the snort instances share the same IP tables in shared memory.
+
+System requirement
+ This feature is supported only in Linux.
+
+Build configuration
+
+ A new option, --enable-shared-rep is introduced to ./configure command.
+ This option enables the support for shared memory.
+ In order to signal Snort to reload the IP file lists, control socket feature
+ should be enabled also. --enable-control-socket
+
+Configuration
+
+ shared_mem
+
+ If the build supports shared memory, this configuration will enable shared
+ memory. If this option isn't set, standard memory is used. This option must
+ specify a path or directory where IP lists will be loaded in shared memory.
+ One snort instance will create and maintain the shared IP lists.
+ We use instance ID 1, specified in the snort -G option to be the master snort.
+ All the other snort instances are clients (readers).
+
+ Syntax:
+ shared_mem: path
+ Examples:
+ shared_mem /user/reputation/iplists
+
+ shared_refresh
+
+ This option changes the period of checking new shared memory segment, in the
+ unit of second. By default, the refresh rate is 60 seconds.
+
+ Syntax:
+ shared_refresh
+ period = "1 - 4294967295"
+ Examples:
+ shared_refresh 60
+
+ Steps to configure shared memory
+
+ 1) When building Snort, add option -enable-shared-rep and --enable-control-socket
+ to ./configure.
+ For example:
+ ./configure --enable-gre --enable-sourcefire --enable-flexresp3
+ --enable-dynamicplugin --enable-pthread --enable-linux-smp-stats --enable-mpls
+ --enable-targetbased --enable-shared-rep --enable-control-socket
+
+ 2) Put your IP list file into a directory, where snort has full access
+ For example: /user/reputation/iplists
+ In order to separate whitelist with blacklist, you need to specify
+ whitelist with .wlf extension and blacklist with .blf extension.
+ 3) In snort config file, specify shared memory support with the path to IP files.
+ Example: shared_mem /user/reputation/iplists
+ If you want to change the period of checking new IP lists, add refresh period.
+ Example: shared_refresh 300
+ 4) Start shared memory master(writer) with -G 1 option. Note: only one master
+ should be enabled.
+ 5) Start shared memory clients (readers) with -G 2 or other IDs. Note: for
+ one ID, only one snort instance should be enabled.
+ 6) You will see the IP lists got loaded and shared across snort instances!
+
+ Reload IP list using control socket
+ 1) Run snort using command line with option --cs-dir
+ or configure snort with config cs_dir:
+ 2) (Optional) you can create a version file named "IPRVersion.dat" in the IP list
+ directory. This file helps managing reloading IP lists, by specifying version.
+ When the version isn't changed, IP lists will not be reloaded if they are
+ already in shared memory.
+ For example:
+ VERSION=19
+ 3) In the ./src/tools/control directory, you will find snort_control command if
+ built with --enable-control-socket option.
+ 4) Type the following command to reload IP lists. Before typing this command,
+ make sure to update version file if you are using version file.
+ The is the same path in step 1).
+ /src/tools/control 1361
\ No newline at end of file
diff -Nru snort-2.9.0.1/doc/README.rzb_saac snort-2.9.2/doc/README.rzb_saac
--- snort-2.9.0.1/doc/README.rzb_saac 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/doc/README.rzb_saac 2011-06-07 17:33:00.000000000 -0700
@@ -0,0 +1,39 @@
+#### EXPERIMENTAL ####
+
+RZB_SaaC
+---
+Patrick Mullen
+Ron Dempster
+
+Documentation last update 2011-01-05
+
+== Overview ==
+
+The Razorback SaaC preprocessor monitors SMTP and HTTP streams and extracts
+documents that are forwarded to a Razorback dispatcher for analysis. HTTP
+streams have a destination port of 80 and SMTP streams have a destination port
+of 25.
+
+== Configuration ==
+
+The only configuration that is accepted is rzb_conf
+By default, all alerts are disabled and the preprocessor checks traffic on port
+22.
+
+The available configuration options are described below:
+
+* rzb_conf
+
+This option specifies the name and location of the Razorback configuration file.
+For information on Razorback functionality and configuration, please visit
+
+http://sourceforge.net/projects/razorbacktm/
+
+and
+
+http://sourceforge.net/projects/nuggetfarm/
+
+== Example Configuration ==
+
+preprocessor rzb: rzb_conf /var/tmp/rzb.conf
+
diff -Nru snort-2.9.0.1/doc/README.sip snort-2.9.2/doc/README.sip
--- snort-2.9.0.1/doc/README.sip 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/doc/README.sip 2011-07-13 15:43:17.000000000 -0700
@@ -0,0 +1,329 @@
+SIP Preprocessor
+================================================================================
+Hui Cao
+
+Overview
+================================================================================
+Session Initiation Protocol (SIP) is an application-layer control (signaling)
+protocol for creating, modifying, and terminating sessions with one or more
+participants. These sessions include Internet telephone calls, multimedia
+distribution, and multimedia conferences. SIP Preprocessor provides ways to
+tackle Common Vulnerabilities and Exposures (CVEs) related with SIP found over
+the past few years. It also makes detecting new attacks easier.
+
+Sections:
+ Dependency Requirements
+ Configuration
+ Events
+ Rule Options
+
+
+Dependency Requirements
+================================================================================
+For proper functioning of the preprocessor:
+
+ Stream session tracking must be enabled, i.e. stream5. Both TCP and UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep its
+ data. In addition, Stream API is able to provide correct support for ignoring
+ audio/video data channel.
+ IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+
+Configuration
+================================================================================
+The preprocessor configuration name is "sip".
+
+preprocessor sip
+
+Option Argument Required Default
+disabled None No OFF
+max_sessions No max_sessions 10000
+ports No ports { 5060 5061 }
+methods No methods { invite cancel ack bye
+ register options }
+max_uri_len No max_uri_len 256
+max_call_id_len No max_call_id_len 256
+max_requestName_len No max_requestName_len 20
+max_from_len No max_from_len 256
+max_to_len No max_to_len 256
+max_via_len No max_via_len 1024
+max_contact_len No max_contact_len 256
+max_content_len No max_content_len 1024
+ignore_call_channel None No OFF
+
+max_sessions = 1024 - 4194303
+methods = "invite" | "cancel" | "ack" | "bye" | "register" | "options"
+ | "refer" | "subscribe" | "update" | "join" | "info" | "message"
+ | "notify" | "prack"
+max_uri_len = 0 - 65535
+max_call_id_len = 0 - 65535
+max_requestName_len = 0 - 65535
+max_from_len = 0 - 65535
+max_to_len = 0 - 65535
+max_via_len = 0 - 65535
+max_contact_len = 0 - 65535
+max_content_len = 0 - 65535
+
+Option explanations
+
+ disabled
+ SIP dynamic preprocessor can be enabled/disabled through configuration.
+ By default this value is turned off. When the preprocessor is disabled,
+ only the max_sessions option is applied when specified with the configuration.
+
+ max_sessions
+ This specifies the maximum number of sessions that can be allocated.
+ Those sessions are stream sessions, so they are bounded by maximum number of
+ stream sessions. Default is 10000.
+
+ ports
+ This specifies on what ports to check for SIP messages. Typically, this will
+ include 5060, 5061.
+
+ Syntax:
+ ports { [< ... >] }
+
+ Examples:
+ ports { 5060 5061 }
+
+ Note: there are spaces before and after '{' and '}'
+
+ methods
+ This specifies on what methods to check for SIP messages: (1) invite,
+ (2) cancel, (3) ack, (4) bye, (5) register, (6) options, (7) refer,
+ (8) subscribe, (9) update (10) join (11) info (12) message (13) notify
+ (14) prack
+ Note: those 14 methods are up to date list (Feb. 2011). New methods can be
+ added to the list. Up to 32 methods supported.
+
+ Syntax:
+ methods { }
+ method-list = method|method method-list
+ method = "invite" | "cancel" | "ack" | "bye" | "register" | "options"
+ | "refer" | "subscribe" | "update" | "join" | "info" | "message"
+ | "notify"| "prack"
+ Examples:
+ methods { invite cancel ack bye register options }
+ Add new method "information":
+ methods { invite cancel ack bye register options information }
+
+ Note: there are spaces before and after '{' and '}'
+
+ max_uri_len
+ This specifies the maximum Request_URI field size. If the Request_URI field
+ is greater than this size, an alert is generated. Default is set to 256.
+ The allowed range for this option is 0 - 65535. "0" means never alert.
+
+ max_call_id_len
+ This specifies the maximum Call-ID field size. If the Call-ID field is
+ greater than this size, an alert is generated. Default is set to 256.
+ The allowed range for this option is 0 - 65535. "0" means never alert.
+
+ max_requestName_len
+ This specifies the maximum request name size that is part of the CSeq ID.
+ If the request name is greater than this size, an alert is generated.
+ Default is set to 20. The allowed range for this option is 0 - 65535.
+ "0" means never alert.
+
+ max_from_len
+ This specifies the maximum From field size. If the From field is greater
+ than this size, an alert is generated. Default is set to 256. The allowed
+ range for this option is 0 - 65535. "0" means never alert.
+
+ max_to_len
+ This specifies the maximum To field size. If the To field is greater than
+ this size, an alert is generated. Default is set to 256. The allowed range
+ for this option is 0 - 65535. "0" means never alert.
+
+ max_via_len
+ This specifies the maximum Via field size. If the Via field is greater than
+ this size, an alert is generated. Default is set to 1024. The allowed range
+ for this option is 0 - 65535. "0" means never alert.
+
+ max_contact_len
+ This specifies the maximum Contact field size. If the Contact field is
+ greater than this size, an alert is generated. Default is set to 256.
+ The allowed range for this option is 0 - 65535. "0" means never alert.
+
+ max_content_len
+ This specifies the maximum content length of the message body. If the
+ content length is greater than this number, an alert is generated.
+ Default is set to 1024. The allowed range for this option is 0 - 65535.
+ "0" means never alert.
+
+ ignore_call_channel
+ This enables the support for ignoring audio/video data channel
+ (through Stream API). By default, this is disabled.
+
+Option examples
+ max_sessions 30000
+ disabled
+ ports { 5060 5061 }
+ methods { invite cancel ack bye register options }
+ methods { invite cancel ack bye register options information }
+ max_uri_len 1024
+ max_call_id_len 1024
+ max_requestName_len 10
+ max_from_len 1024
+ max_to_len 1024
+ max_via_len 1024
+ max_contact_len 1024
+ max_content_len 1024
+ max_content_len
+ ignore_call_channel
+
+Configuration examples
+ preprocessor sip
+ preprocessor sip: max_sessions 500000
+ preprocessor sip: max_contact_len 512, max_sessions 300000, methods { invite \
+ cancel ack bye register options } , ignore_call_channel
+ preprocessor sip: ports { 5060 49848 36780 10270 }, max_call_id_len 200, \
+ max_from_len 100, max_to_len 200, max_via_len 1000, \
+ max_requestName_len 50, max_uri_len 100, ignore_call_channel,\
+ max_content_len 1000
+ preprocessor sip: disabled
+ preprocessor sip: ignore_call_channel
+
+Default configuration
+ preprocessor sip
+
+Events
+================================================================================
+The preprocessor uses GID 140 to register events.
+
+
+SID Description
+--------------------------------------------------------------------------------
+ 1 If the memory cap is reached and the preprocessor is configured to alert,
+ this alert will be created.
+ 2 Request_URI is required. When Request_URI is empty, this alert will be created.
+ 3 The Request_URI is larger than the defined length in configuration.
+ 4 When Call-ID is empty, this alert will be created.
+ 5 The Call-ID is larger than the defined length in configuration.
+ 6 The sequence e number value MUST be expressible as a 32-bit unsigned integer
+ and MUST be less than 2**31.
+ 7 The request name in the CSeq is larger than the defined length in configuration.
+ 8 From field is empty.
+ 9 From field is larger than the defined length in configuration.
+ 10 To field is empty.
+ 11 To field is larger than the defined length in configuration.
+ 12 Via filed is empty.
+ 13 Via filed is larger than the defined length in configuration.
+ 14 Contact is empty, but it is required non-empty for the message.
+ 15 The Contact is larger than the defined length in configuration.
+ 16 The content length is larger than the defined length in configuration or is negative.
+ 17 There are multiple requests in a single packet. Old SIP protocol supports
+ multiple sip messages within one packet.
+ 18 There are inconsistencies between Content-Length in SIP header and
+ actual body data.
+ 19 Request name is invalid in response.
+ 20 Authenticated invite message received, but no challenge from server received.
+ This is the case of InviteReplay billing attack.
+ 21 Authenticated invite message received, but session information has been changed.
+ This is different from re-INVITE, where the dialog has been established.
+ and authenticated. This is can prevent FakeBusy billing attack.
+ 22 Response status code is not a 3 digit number.
+ 23 Content type header field is required if the message body is not empty.
+ 24 SIP version other than 2.0, 1.0, and 1.1 is invalid
+ 25 Mismatch in Method of request and the CSEQ header
+ 26 The method is unknown
+
+Rule Options
+================================================================================
+New rule options are supported by enabling the sip preprocessor:
+
+sip_method
+sip_stat_code
+sip_header
+sip_body
+
+Overload modifiers to existing pcre rule options:
+
+H: Match SIP request or SIP response header, Similar to sip_header.
+P: Match SIP request or SIP response body, Similar to sip_body.
+
+ sip_method
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_method keyword is used to check for specific SIP request methods.
+ The list of methods is: invite, cancel, ack, bye, register, options, refer,
+ subscribe, update, join, info, message, notify, prack. More than one method
+ can be specified, via a comma separated list, and are OR'ed together.
+ It will be applied in fast pattern match if available. If the method used
+ in this rule is not listed in the preprocessor configuration, it will be added
+ to the preprocessor configuration for the associated policy.
+
+ Syntax:
+ sip_method:;
+ method-list = method|method, method-list
+ method = ["!"] "invite" | "cancel" | "ack" | "bye" | "register" | "options"
+ | "refer" | "subscribe" | "update" | "join" | "info" | "notify" |
+ | "message"| "prack"
+ Note: if "!" is used, only one method is allowed in sip_method.
+
+ Examples:
+ sip_method:invite, cancel
+ sip_method:!invite
+
+ If a user wants to use "and", they can use something like this:
+ sip_method:!invite; sip_method:!bye
+
+ sip_stat_code
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_stat_code is used to check the SIP response status code. This option
+ matches if any one of the state codes specified matches the status codes of
+ the SIP response.
+
+ Syntax:
+ sip_stat_code: ;
+ code_list = state_code|state_code, code_list
+ code = "100-999"|"1-9"
+ Note: 1,2,3,4,5,6... mean to check for "1xx", "2xx", "3xx", "4xx", "5xx",
+ ,"6xx"... reponses.
+ Example:
+ This rule searches for the response with state code "200".
+ sip_stat_code:200
+ This rule searches for all the 2xx responses.
+ sip_stat_code: 2
+ This rule searches for either 200, or 180 responses.
+ sip_stat_code: 200, 180
+
+ sip_header
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_header keyword restricts the search to the extracted Header fields of
+ a SIP message request or a response.
+
+ Syntax:
+ sip_header;
+
+ Example:
+ This rule constrains the search for the pattern "CSeq" to the extracted Header
+ fields of a SIP message.
+ alert udp any any -> any 5060 (sip_header; content: "CSeq"; )
+
+ sip_body
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ The sip_body keyword places the cursor at the beginning of the Body fields
+ of a SIP message. This works similar to file_data and dce_stub_data.The message
+ body includes channel information using SDP protocol (Session Description Protocol).
+
+ Syntax:
+ sip_body;
+ Example:
+ This rule searches for the pattern "c=IN 0.0.0.0" in the Body fields
+ of a SIP message.
+ alert udp any any -> any 5060 (sip_body; content: "C=IN 0.0.0.0"; within 100;)
+
+ pcre
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ SIP overloads two options for pcre:
+
+ H: Match SIP request or SIP response header, Similar to sip_header.
+ P: Match SIP request or SIP response body, Similar to sip_body.
+
+ Example:
+ This rule searches for the pattern "INVITE" in the Header fields of a SIP message.
+ alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;)
+ This rule searches for the pattern "m=" in the Body fields of a SIP message.
+ alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;)
+
\ No newline at end of file
diff -Nru snort-2.9.0.1/doc/README.SMTP snort-2.9.2/doc/README.SMTP
--- snort-2.9.0.1/doc/README.SMTP 2010-06-09 15:04:48.000000000 -0700
+++ snort-2.9.2/doc/README.SMTP 2011-07-13 15:43:17.000000000 -0700
@@ -104,9 +104,88 @@ printed out with the configuration because it prints so much data. * disabled * -Disables the SMTP preprocessor in a policy. This is useful when specifying -the max_mime_depth and max_mime_mem in default policy without turning on -the SMTP preprocessor. +Disables the SMTP preprocessor in a config. This is useful when specifying +the decoding depths such as b64_decode_depth, qp_decode_depth, uu_decode_depth, +bitenc_decode_depth or the memcap used for decoding max_mime_mem in default config +without turning on the SMTP preprocessor. + +* b64_decode_depth * +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A SMTP preprocessor +alert with sid 10 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are +decoded too. + +The decoded data is available for detection using the rule option file_data. +See file_data rule option for more details. + +This option replaces the deprecated options, enable_mime_decoding and max_mime_depth. +It is recommended that user inputs a value that is a multiple of 4. When the value +specified is not a multiple of 4, the SMTP preprocessor will round it up to the next +multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. 
+
+* qp_decode_depth *
+This config option is used to turn off/on or set the Quoted-Printable decoding depth
+used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges
+from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments.
+The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A
+value other than 0 or -1 restricts the decoding of QP MIME attachments. A SMTP
+preprocessor alert with sid 11 is generated (if enabled) when the decoding fails
+or when this decode depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the QP encoded MIME attachments/data across multiple packets are decoded too.
+
+The decoded data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+
+In case of multiple configs, the value specified in the non-default config cannot exceed
+the value specified in the default config.
+
+* bitenc_decode_depth *
+This config option is used to turn off/on or set the 7bit/8bit/binary/text extraction
+depth used to extract the 7bit/8bit/binary encoded or plain text MIME attachments. The
+value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME
+attachments. The value of 0 sets the extraction of these MIME attachments to unlimited.
+A value other than 0 or -1 restricts the extraction of these MIME attachments. A SMTP
+preprocessor alert with sid 12 is generated (if enabled) when this extraction depth is exceeded.
+
+Multiple MIME attachments/data in one packet are pipelined. When stateful inspection
+is turned on the 7bit/8bit/binary/text MIME attachments/data across multiple packets are
+extracted too.
+
+The extracted data is available for detection using the rule option file_data.
+See file_data rule option for more details.
+ +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +* uu_decode_depth * +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of SMTP attachments. +The value of 0 sets the decoding of UU encoded SMTP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU SMTP attachments. A SMTP +preprocessor alert with sid 13 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU Encoded attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option file_data. +See file_data rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. * enable_mime_decoding * Enables Base64 decoding of Mime attachments/data. Multiple base64 encoded MIME 
@@ -115,30 +194,106 @@ The decoding of base64 encoded attachments/data ends when either the max_mime_depth or maximum MIME sessions (calculated using max_mime_depth and max_mime_mem) is reached or when the encoded data ends. The decoded data is available for detection -using the rule option file_data:mime. See file_data rule option for more details. +using the rule option file_data. See file_data rule option for more details. + +Please note, this option is deprecated. Use the option b64_decode_depth to turn off +or on the base64 decoding instead. * max_mime_depth * Specifies the maximum number of base64 encoded data to decode per SMTP session. -The option take values ranging from 5 to 20480 bytes. The default value for this +The option take values ranging from 4 to 20480 bytes. The default value for this in snort in 1460 bytes. +It is recommended that user inputs a value that is a multiple of 4. When the value +specified is not a multiple of 4, the SMTP preprocessor will round it up to the next +multiple of 4. + +Please note, this option is deprecated. Use the b64_decode_depth to set the decoding +depth for base64 decoding instead. + * max_mime_mem * This option determines (in bytes) the maximum amount of memory the SMTP preprocessor -will use for decoding base64 encode MIME attachments/data. This value can be set from -3276 bytes to 100MB. This option along with max_mime_depth determines the base64 encoded -MIME/SMTP sessions that will be decoded at any given instant. The default value for -this option is 838860. +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. -Note: It is suggested to set this value such that the max mime session calculated as +This option along with the maximum of the decoding depths will determine the SMTP +sessions that will be decoded at any given instant. The default value for this option +is 838860. 
+ +Note: It is suggested to set this value such that the max smtp session calculated as follows is atleast 1. -max mime session = max_mime_mem /(max_mime_depth + max decoded bytes) +max smtp session = max_mime_mem /(2 * max of (b64_decode_depth, uu_decode_depth, qp_decode_depth + or bitenc_decode_depth)) + +For example, if b64_decode_depth is 0 (indicates unlimited decoding) and qp_decode_depth is 100, then + +max smtp session = max_mime_mem/2*65535 (max value for b64_decode_depth) + +In case of multiple configs, the max_mime_mem of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable SMTP preprocessor in a config). + +When the memcap for decoding (max_mime_mem) is exceeded the SMTP preprocessor alert with sid 9 is +generated (when enabled). + +* log_mailfrom * +This option enables SMTP preprocessor to parse and log the sender's email address extracted +from the "MAIL FROM" command along with all the generated events for that session. The maximum +number of bytes logged for this option is 1024. -max decoded bytes = (max_mime_depth/4)*3 +Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). +u2spewfoo can be used to read this data from the unified2. -Also note that these values for max_mime_mem and max_mime_depth need to be same across -all policy. Hence user needs to define it in the default policy with the new keyword -disabled (used to disable SMTP preprocessor in a policy) +* log_rcptto * +This option enables SMTP preprocessor to parse and log the recipient email addresses +extracted from the "RCPT TO" command along with all the generated events for that session. +Multiple recipients are appended with commas. The maximum number of bytes logged for this option is 1024. + +Please note, this is loggged only with the unified2 output and is not logged with console output (-A cmg). 
+U2spewfoo can be used to read this data from the unified2. + +* log_filename * +This option enables SMTP preprocessor to parse and log the MIME attachment filenames extracted +from the Content-Disposition header within the MIME body along with all the generated events +for that session. Multiple filenames are appended with commas. The maximum number of bytes +logged for this option is 1024. + +Please note,this is logged only with the unified2 output and is not logged with the +console output (-A cmg). u2spewfoo can be used to read this data from the unified2. + +* log_email_hdrs * +This option enables SMTP preprocessor to parse and log the SMTP email headers extracted from +SMTP data along with all generated events for that session. The number of bytes extracted and +logged depends upon the email_hdrs_log_depth. + +Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg). +u2spewfoo can be used to read this data from the unified2. + +* email_hdrs_log_depth * +This option specifies the depth for logging email headers. The allowed range for this option is +0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. + +Please note, in case of multiple configs, this default config's value is used. The values specified in + the non-default config will be ignored and overwritten by the default config's values. +This option must be configured in the default config even if the SMTP configuration is disabled. + +* memcap * +This option determines in bytes the maximum amount of memory the SMTP preprocessor will +use for logging of filename, MAIL FROM addresses, RCPT TO addresses and email headers. This value +along with the buffer size used to log MAIL FROM, RCPT TO, filenames and email_hdrs_log_depth will +determine the maximum SMTP sessions that will log the email headers at any given time. 
When this memcap is +reached SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers +until memory becomes available. + +Max SMTP sessions logging email headers at any given time + = memcap/(1024 + 1024 + 1024 + email_hdrs_log_depth) + +The size 1024 is the maximum buffer size used for logging filename, RCPTTO and MAIL FROM addresses. + +Default value for this option is 838860. The allowed range for this option is 3276 to 104857600. +The value specified in the default config is used when this option is specified in multiple configs. +This option must be configured in the default config even if the SMTP configuration is disabled. Example: @@ -157,11 +312,21 @@ invalid_cmds { } \ valid_cmds { } \ xlink2state { disable } \ - print_cmds + print_cmds \ + log_filename \ + log_email_hdrs \ + log_mailfrom \ + log_rcptto \ + email_hdrs_log_depth 2920 \ + memcap 6000 + + preprocessor SMTP: \ max_mime_depth 100 \ - max_mime_mem 1000 \ + max_mime_mem 4000 \ + memcap 6000 \ + email_hdrs_log_depth 2920 \ disabled Default: diff -Nru snort-2.9.0.1/doc/README.stream5 snort-2.9.2/doc/README.stream5 --- snort-2.9.0.1/doc/README.stream5 2010-09-27 08:28:10.000000000 -0700 +++ snort-2.9.2/doc/README.stream5 2011-07-13 15:43:17.000000000 -0700 
@@ -44,6 +44,19 @@ detected on a per-target basis. For example, a few operating systems allow data in TCP SYN packets, while others do not. +Protocol Aware Flushing (PAF) +----------------------------- +Protocol aware flushing of HTTP, SMB and DCE/RPC can be enabled with this option: + +config paf_max: + +where is between zero (off) and 63780. This allows Snort to +statefully scan a stream and reassemble a complete PDU regardless of +segmentation. For example, multiple PDUs within a single TCP segment, +as well as one PDU spanning multiple TCP segments will be reassembled +into one PDU per packet for each PDU. PDUs larger than the configured +maximum will be split into multiple packets. + Rule Options ============ Stream5 adds support for a few rule options described below. 
@@ -233,6 +246,22 @@ minimum of "2", and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced. + small_segments bytes [ignore_ports port list] + - Configure the maximum small segments queued. + This feature requires that detect_anomalies be enabled. + num1 is the number of consecutive segments that will + trigger the detection rule. The default value is + "0" (disabled),with a maximum of "2048". + num2 is the minimum bytes for a segment to be + considered "small". The default value is "0" (disabled), + with a maximum of "2048". + ignore_ports is optional, defines the list of + ports in which will be ignored for this rule. + The number of ports can be up to "65535". + Example: + small_segments 3 bytes 15 ignore_ports 33 44 55 + A message is written to console/syslog when this + limit is enforced. The generated alert is 129:12 ports [all|space separated port list] - Specify the client, server, or both and list of ports in which to perform reassembly. This can diff -Nru snort-2.9.0.1/doc/README.tag snort-2.9.2/doc/README.tag --- snort-2.9.0.1/doc/README.tag 2010-08-25 13:22:35.000000000 -0700 +++ snort-2.9.2/doc/README.tag 2011-06-07 17:33:00.000000000 -0700 @@ -51,14 +51,7 @@ that a session could end, but if a new session is started using the same socket pair, packets will continue to get tagged. -The default direction for host type tagging is by source, so - - tag:host,100,packets - -is the same as - - tag:host,100,packets,src - +A tag option with the "host" type MUST specify a direction. Tagged Packet Limit ------------------- diff -Nru snort-2.9.0.1/doc/RELEASE.NOTES.2.3 snort-2.9.2/doc/RELEASE.NOTES.2.3 --- snort-2.9.0.1/doc/RELEASE.NOTES.2.3 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/RELEASE.NOTES.2.3 1969-12-31 16:00:00.000000000 -0800 
@@ -1,133 +0,0 @@ -2005-04-22 - Snort 2.3.3 Released - -* Fixed sfPortscan Open Ports not getting suppressed. - -* Added new mini-preprocessor to catch the X-Link2State vulnerability. - See Snort manual for details. - -2005-03-10 - Snort 2.3.2 Released - -* Removed end-of-line parser fix in favor of completely reworking - this at the next parser overhaul. - -2005-03-09 - Snort 2.3.1 Released - -* Fixed issue where the number of flowbits were too small. Thanks Marc - Norton for the fix. - -* Fixed parsing of comments at end of line in config file. In - snort.conf, anything that follows a # on a line is considered a - comment. Thanks Steve Sturges for the fix. - -* Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. - Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and - Jonathan Miner for working with us on this. - -2005-01-25 - Snort 2.3.0 Final Released - -* Fixed issue with sfPortscan reporting incorrect IP datagram length. - Thanks Jon Hart for the test case and finding the bug, and Marc Norton - for resolving the issue. - -* Threshold/Suppression now prints properly when logging to syslog. - Thanks Sekure for pointing out the problem. Thanks Steve Sturges for - working on the fix. - -* Threshold memcap argument now correctly handles non-integer input. - Thanks nnposter for the patch. - -* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were - not decoded properly. Thanks Dan Roelker for the fix. - -* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your - work on putting it all together. - -2004-12-15 - Snort 2.3.0 RC2 Released - -* Small performance improvement to arpspoof and also fixed a problem - where the list of configured IP/MAC entries would contain only one - entry and leaked memory (Jeff Nathan). - -* Fixed a problem affecting MacOS X where linking may fail with - non-standard libraries when global symbols are encountered multiple - times (Jeff Nathan). 
- -* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP - alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix. - -* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the - logdir config will work if the default or command-line logdir does not - exist on the system. Thanks Dan Roelker. - -* Fixed bug when setting the doe_ptr on a successful pcre match. - It is now set relative to base_ptr. Thanks Steve Sturges for the - fix. - -* Added from_beginning and multiplier options for byte_jump. - from_beginning skips bytes from the beginning of the content, - instead of from the location immediately following the number - of bytes to skip. multiplier takes a numeric argument, and - skips x times that number of bytes. Thanks again to Steve Sturges. - -* In "fast" output, now log only actual packet contents when UDP - data length is greater than actual data length. Thanks Brian - Caswell for spotting this, and Andrew Mullican for working on the fix. - -* Please check the ChangeLog for further details. - -2004-11-18 - Snort 2.3.0 RC1 Released - -* Added IPS functionality from Snort-Inline. A big thanks to the - Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor - Julien). Also, Thanks Dan Roelker for doing the integrating of - Snort-Inline into the official Snort project. - -* Added new portscan detector. The design and implementation was headed - up by Dan Roelker, and included Marc Norton and Jeremy Hewlett. - -* Numerous changes for better 64bit Snort support from Jeremy Hewlett and - Marc Norton. Additionally, an --enable-64bit-gcc option was added to - configure. However, there are still some memory alignment issues to - work out before 64bit mode is fully functional, patches are welcomed. - Thanks Chris Baker for doing 64bit testing. - -* Added not_established keyword to the flow detection option. This allows - snort to do dynamic firewall rulesets. Experimental for now. 
- -* Added an enforce_state keyword to stream4 so we won't pick up midstream - sessions. This works well for asynchronous links and also for - just monitoring legitimate traffic. - -* Relocated ./contrib files to http://www.snort.org/dl/contrib as many - are not maintained by Sourcefire and are out of date. The rpm and - schema files have been relocated in their respective 'rpm' and 'schemas' - directories under the snort parent directory. - -* perfmonitor config line can now be configured with "accumulate" or - "reset." Thanks Marc Norton for the feature, and Barry Basselgia for - pointing out the issue. Thanks Scott Dexter and Andreas Ostling for - doing some initial testing. - -* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson - and Clay McClure. Thanks guys. - -* Fixed reference times to match log time for first packet, for an event - generated by a reassembled packet. Incremented event ID to give - unique ID for each packet. Also made unified logging compatible with - Windows. Thanks Andrew Mullican for the fix. - -* Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to - everyone that reported this bug. Thanks Dan Roelker for the fix. - -* Get thresholding/suppression to work for alerts that do not - contain an ip header (primarily decode alerts). Thanks - Brian Caswell. - -* Fix conditions where snort would log double web alerts that - contained only content options (no uricontents). Thanks to kawa for - finding and reporting this bug. - -* Fix suppression/thresholding bug for non-rule alerts. Thanks to - Alex Butcher for reporting it to us. - -* Many other bug fixes, please check the ChangeLog for details. diff -Nru snort-2.9.0.1/doc/RELEASE.NOTES.2.4 snort-2.9.2/doc/RELEASE.NOTES.2.4 --- snort-2.9.0.1/doc/RELEASE.NOTES.2.4 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/RELEASE.NOTES.2.4 1969-12-31 16:00:00.000000000 -0800 
@@ -1,138 +0,0 @@ -2006-06-05 - Snort 2.4.5 Released - * Fixed potential evasion in URI content buffers - * Fixed potential evasion in Stream4 - -2006-03-08 - Snort 2.4.4 Released -[*] Improvements - * Fixed ip options handling in Frag3. - * Fixed bug in Wu-Manbher implementation regarding multiple - recurring patterns. - * Fixed a config file parsing bug which required DNS resolution - in certain circumstances. - * Updated perfmonitor to properly handle wraps on 64 bit platforms. - * Fixed crash in portscan related to bogus data in sfxhash. - * Fixed memory leak in Frag3. - * Allow use of 0 as a value to -G. - -2005-10-17 - Snort 2.4.3 Released -[*] Improvements - * Fixed possible buffer overflow in back orifice preprocessor. - * Added snort.conf options to bo preprocessor for finer control of - alerting and dropping of bo traffic. - * Added alert to detect the bo buffer overflow attack against snort. - -2005-09-28 - Snort 2.4.2 Released -[*] Improvements - * Fixed crash bug with -T and default logging setup first reported by - Zultan. - * Corrected Win32 directory setup for new WinPCAP. - -2005-09-16 - Snort 2.4.1 Released -[*] New additions - * Added a -K command line option to manually select the logging mode using - a single switch. The -b and -N switches will be deprecated in version - 2.7. Pcap logging is now the default for Snort at startup, use "-K ascii" - to revert to old behavior. - -[*] Improvements - * Win32 version now supports winpcap 3.1 and MySQL client 4.13. - * Added event on zero-length RPC fragments. - * Fixed TCP SACK processing for text based outputs that could result in a - DoS. - * General improvements to frag3 including Teardrop detection fix. - * Fixed a bug in the PPPoE decoder. - * Added patch for time stats from Bill Parker. Enable with configure - --enable-timestats. - * Fixed IDS mode bailing at startup if logdir is specified in snort.conf - and /var/log/snort doesn't exist. - * Added decoder for IPEnc for OpenBSD. 
Thanks Jason Ish for the patch - (long time ago) and Chris Kuethe for reraising the issue. - * Allow snort to use usernames (-u) and groupnames (-g) that include - numbers. Thanks to Shaick for the patch. - * Fixed broken -T option. - * Change ip_proto to ip for portscan configuration. Thanks David Bianco - for pointing this out. - * Fix for prelude initialization. Thanks Yoann Vandoorselaere for the - update. - * For content matches, when subsequent rule options fail, start searching - again in correct location. - * Updated Win32 to handle pflog patch. - * Added support for new OpenBSD pflog format. Older pflog format, - OpenBSD 3.3 and earlier is still supported. Thanks Breno Leitao - and Christian Reis for the patch. - * Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml - for the patch. - -2005-07-22 - Snort 2.4.0 Released - -[*] Distribution Change - * Rules are no longer distributed as part of the Snort releases, they are - available as a separate download from snort.org. This was done for - three reasons: - 1) To better manage the new rules licensing. - 2) To reduce the size of the engine download. - 3) To move the thousands of documentation files for the rules into - the rules tarballs. If you've ever checked Snort out of CVS you'll - know why this is a Good Thing. - -[*] New additions - * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor - is a target-based IP defragmentation module, and is intended as a - replacement for the frag2 module. Check out the README.frag3 for full - info on this new preprocessor. - - * Libprelude support has been added (enable with --enable-prelude). - Thanks Yoann Vandoorselaere! - - * An "ftpbounce" rule detection plugin was added for easier detection of - FTP bounce attacks. - - * Added a new Snort config option, "ignore_ports," to ignore packets - based on port number. This is similar to bpf filters, but done within - snort.conf. 
- -[*] Improvements - * Snort startup messages printed in syslog now contain a PID before each - entry. Thanks Sekure for initially bringing this up. - - * Stream4: Performance improvements. - - * Stream4: Added 'max_session_limit' option which limits number of - concurrent sessions tracked. Added favor_old/favor_new options that - affect order in which packets are put together for reassembly. - - * Stream4: New configuration options to manage flushpoints for improved - anti-evasion. The flush_behavior option selects flushpoint management - mode. New flush_base, flush_range, and flush_seed manage randomized - flushing. Check out the snort.conf file for full config data on the - new flush options. - - * Added two more alerts for BackOrifice client and server packets. This - allows specific alerts to be suppressed. - - * PerfMon preprocessor updated to include more detailed stats for rebuilt - packets (applayer, wire, fragmented & TCP). Also added 'atexitonly' - option that dumps stats at exit of snort, and command line -Z flag to - specify the file to which stats are logged. - - * Added new Http Inspect config item, "tab_uri_delimiter," which if - specified, lets a tab character (0x09) act as the delimiter for a URI. - - * Added a '-G' command line flag to snort that specifies the Snort - instance log identifier. It takes a single argument that can be either - hex (prefaced with 0x) or decimal. The unified log files will include - the instance ID when the -G flag is used. - - * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now - handled in the IP decoder. Those sids are now considered obsolete. - - * Http_Inspect "flow_depth" option now accepts a -1 value which tells - Snort to ignore all server-side traffic. - - * RPMs have been updated to be more portable, and also now include a - "--with inline" option for those wanting to build Inline RPMs. Thanks - Daniel Wittenberg and JP Vossen for your help! 
- - * Many, many bug fixes have also gone into this release, please see the - ChangeLog for details. - diff -Nru snort-2.9.0.1/doc/RELEASE.NOTES.2.6 snort-2.9.2/doc/RELEASE.NOTES.2.6 --- snort-2.9.0.1/doc/RELEASE.NOTES.2.6 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/RELEASE.NOTES.2.6 1969-12-31 16:00:00.000000000 -0800 
@@ -1,114 +0,0 @@ -2007-05-09 - Snort 2.6.1.5 Released -[*] New Additions - * Updated HttpInspect to normalize parameters that are part of the - client request body in the same way it normalizes HTTP URIs. - Added a modifier keyword to be used in conjunction with a content - option in the rules to search only the normalized HTTP client request - body. Also added stats for HttpInspect to track number of various - types of normalizations and HTTP methods. - -[*] Improvements - * Fix header files to avoid conflicts with system files on BSD for - IPv6 data structures. - - * Fix possible memory leak in Stream4 when HttpInspect is being - used. - -2007-03-26 - Snort 2.6.1.4 Released -[*] New Additions - * Added detection for BSD IPv6 fragmentation overflow (CVE-2007-1365). - New options configure the behavior of the detection and new decoder - alerts for truncated IPv6 headers and a Fragmentation alert for the - specific overflow attack. - -[*] Security Improvements - * Updated code to use safer functions that perform bounds checking - when doing string or memory copies and snprintf buffer writes. - Ensure null termination on string buffers and perform initialization - on memory allocations. - -2007-02-18 - Snort 2.6.1.3 Released -[*] Improvements - * Updated DCE/RPC dynamic protocol normalizer to perform additional - boundary checking when reassembling SMB fragments. This addresses - a potential remotely exploitable stack-based buffer overflow. - - * Updated Frag3 to protect against potential for fragments without - ethernet header being passed from iptables to Snort inline. - -2006-12-07 - Snort 2.6.1.2 Released -[*] Improvements - * Fixed problem with snort using high CPU and potentially reprocessing - the same TCP reassembled packets with a sequence number wrap and - packets missing from the queue (out of order, dropped, or async - network). - - * Updated DCE/RPC dynamic protocol normalizer to protect against - integer underflow conditions. 
- - * Updated unified output plugin to work correctly on certain 64bit - platforms where timeval structure is a different size. A patch - to barnyard that is associated with this fix can be found at: - http://secure.lv/~nikns/stuff/barnyard_64bit.diff. - -2006-11-22 - Snort 2.6.1.1 Released -[*] Improvements - * Fixed problem with snort using high CPU and potentially reprocessing - the same TCP reassembled packets at session end or TCP ACK of only - part of a packet. - -2006-11-16 - Snort 2.6.1 Released -[*] New Additions - * Support for UDP "session" tracking to Stream4. Enable via - --enable-stream4udp option to configure script. This allows - the use of flow option with UDP rules. Includes tracking - of stats for UDP sessions. A session is created for rules that - use the flow or flowbits keywords. Also provided the ability to - ignore UDP any any -> any any rules as a performance improvement. - - * Stream5 (for Beta testing) as replacement for Stream4 - and Flow preprocessors. See README.stream for details. - - * Allow blocking of entire session in inline mode via stream API. - All subsequent packets on that session are blocked. - - * Dynamic DCE/RPC protocol normalizer and defragmentation - module. See README.dcerpc for details. - - * SSH (for Beta testing) protocol analyzer. See README.ssh for - details. - - * Support for GRE encapsulated protocol (experimental). Enable via - --enable-gre option to configure script. - - * Aruba networks output plugin (experimental). See README.ARUBA for - details. Enable via --enable-aruba option to configure script. - - * Smaller memory footprint pattern mattcher using Aho-Corasick, - using NFA. Use 'config detection: search-method ac-bnfa' to - enable. This will become the default pattern matcher in future - releases. Wu-Manhber has been deprecated (mwm). - -[*] Improvements - - * Added parameter to dynamicengine to allow specification of - directory instead of implicit file. 
This will load all engine shared - libraries within the specified directory. Can also use - --dynamic-engine-lib-dir command-line option. Fix handling of - loading multiple instances of the same dynamic library (engine, - detection, or preprocessor). - - * Updates to HTTP inspect to handle different versions of IIS with - the related iis profiles. See README.httpinspect for details. - - * Cleaned up inline initialization to better handle test mode. - - * Updates to interface dependent variable definitions. - - * Added stats for packets not yet processed -- those that are still in - the buffer used by pcap. - - * Fixed issue with fewer alerts being generated when snort is compiled - with gcc 4.x by using no-strict-aliasing flag. - - * Require each rule to have a unique sid/gid pair. diff -Nru snort-2.9.0.1/doc/RELEASE.NOTES.2.7 snort-2.9.2/doc/RELEASE.NOTES.2.7 --- snort-2.9.0.1/doc/RELEASE.NOTES.2.7 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/RELEASE.NOTES.2.7 1969-12-31 16:00:00.000000000 -0800 
@@ -1,23 +0,0 @@
-2007-07-09 - Snort 2.7.0
-
-[*] New Additions
- * Stream5 is now the default stream processor and replaces both flow
- and Stream4. Refer to the Snort manual and README.stream5 for
- details on how to configure it for OS target-specific TCP
- processing.
-
-[*] Improvements
- * Fixed header files to avoid conflicts with system files on BSD for
- IPv6 data structures.
-
- * Reduced memory footprint for smtp preprocessor.
-
- * Ensured Snort frees memory from preprocessors before exit. Only
- outstanding memory in use is related to pattern matcher and
- rules.
-
-[*] Security Improvements
- * Further updates that use safer functions that perform bounds checking
- when doing string or memory copies and snprintf buffer writes.
- Ensure null termination on string buffers and perform initialization
- on memory allocations.
diff -Nru snort-2.9.0.1/doc/signatures/100000100.txt snort-2.9.2/doc/signatures/100000100.txt
--- snort-2.9.0.1/doc/signatures/100000100.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000100.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000100
-
---
-Summary:
-This event is generated when a URI of 1,050 bytes ore more is requested from an
-internal web server.
-
---
-
-Impact:
-Unknown.
-
---
-Detailed Information:
-This rule is used in conjunction with SID 100000101 to detect buffer overflow
-attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This
-rule should never generate an alert.
-
---
-Affected Systems:
-Adobe Acrobat 5.0
-Adobe Acrobat 5.0.5
-Adobe Acrobat 6.0
-Adobe Acrobat 6.0.1
-Adobe Acrobat Reader 5.0
-Adobe Acrobat Reader 5.0.5
-Adobe Acrobat Reader 5.1
-Adobe Acrobat Reader 6.0
-Adobe Acrobat Reader 6.0.1
-
---
-
-Attack Scenarios:
-A web browser or automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as simply typing a long URI into a web browser will suffice.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
-An alternate workaround is available: disable "Display PDF in browser" under
-Edit -> Preferences.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000101.txt snort-2.9.2/doc/signatures/100000101.txt
--- snort-2.9.0.1/doc/signatures/100000101.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000101.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000101
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-vulnerability present in the Adobe Acrobat/Acrobat Reader ActiveX control,
-pdf.ocx.
-
---
-
-Impact:
-By using properly crafted packets, attackers may execute arbitrary code of
-their choosing with the privileges of the user running the affected software.
-
---
-Detailed Information:
-This rule detects attempts to overflow the heap of the Adobe Acrobat/Acrobat
-Reader ActiveX control, pdf.ocx. URI requests of 1,050 bytes or greater which
-are received by this control will cause a buffer overflow and allow arbitrary
-code execution with the privileges of the affected user. This rule is used in
-conjunction with SID 100000100.
-
---
-Affected Systems:
-Adobe Acrobat 5.0
-Adobe Acrobat 5.0.5
-Adobe Acrobat 6.0
-Adobe Acrobat 6.0.1
-Adobe Acrobat Reader 5.0
-Adobe Acrobat Reader 5.0.5
-Adobe Acrobat Reader 5.1
-Adobe Acrobat Reader 6.0
-Adobe Acrobat Reader 6.0.1
-
---
-
-Attack Scenarios:
-A web browser or automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as simply typing a long URI into a web browser will suffice.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
-An alternate workaround is available: disable "Display PDF in browser" under
-Edit -> Preferences.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000102.txt snort-2.9.2/doc/signatures/100000102.txt
--- snort-2.9.0.1/doc/signatures/100000102.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000102.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000102
-
---
-Summary:
-This event is generated when an empty UDP packet is sent to port 2305, where
-Halocon game servers typically listen.
-
---
-
-Impact:
-After receiving such a packet, the server will no longer listen on this port,
-denying the administrator the ability to send remote commands.
-
---
-Detailed Information:
-Halocon servers listen to UDP port 2305 for commands. Upon receiving an empty
-UDP packet to that port, the server shuts down the port. Administrators can no
-longer send remote commands to the server, effectively causing a denial of
-service. The server must be restarted to re-open the port.
-
---
-Affected Systems:
-Halocon 2.0.0.81
-
---
-
-Attack Scenarios:
-A script that generates empty UDP packets can be used to perform this attack.
-
---
-
-Ease of Attack:
-Simple; public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-No known patches or workarounds exist. System administrators may be able to
-reject these packets at their firewall, depending upon the abilities of the
-firewall system they use.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000103.txt snort-2.9.2/doc/signatures/100000103.txt
--- snort-2.9.0.1/doc/signatures/100000103.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000103.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000103
-
---
-Summary:
-This event is generated when an empty UDP packet is sent to port 7649, where
-Breed game servers typically listen.
-
---
-
-Impact:
-Upon receiving such a packet, the server will crash, causing a denial of
-service condition.
-
---
-Detailed Information:
-Breed game servers will pass a NULL pointer upon receiving an empty UDP packet
-on port 7649, causing an immediate crash. The server must be restarted for
-service to resume.
-
---
-Affected Systems:
-Brat Designs Breed
-Brat Designs Breed Patch #1
-
---
-
-Attack Scenarios:
-A script that generates empty UDP packets can be used to perform this attack.
-
---
-
-Ease of Attack:
-Simple; public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-No known patches or workarounds exist. System administrators may be able to
-reject these packets at their firewall, depending upon the abilities of the
-firewall system they use.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000104.txt snort-2.9.2/doc/signatures/100000104.txt
--- snort-2.9.0.1/doc/signatures/100000104.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000104.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000104
-
---
-Summary:
-This event is generated when an empty UDP packet is sent to port 27777, where
-Amp II 3D game servers typically listen.
-
---
-
-Impact:
-After receiving such a packet, the server will fall into an infinite loop,
-potentially consuming all resources on the host system. The administrator will
-need to restart the game server, and possibly the host system.
-
---
-Detailed Information:
-Amp II 3D servers listen to UDP port 27777 for commands. Upon receiving an
-empty UDP packet to that port, the server falls into an infinite loop, possibly
-consuming all resources on the host system. The administrator must restart the
-game server and/or the host system.
-
---
-Affected Systems:
-Amp II 3D Game Engine
-Amp Gore: Ultimate Soldier 1.50
-
---
-
-Attack Scenarios:
-A script that generates empty UDP packets can be used to perform this attack.
-
---
-
-Ease of Attack:
-Simple; public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-No known patches or workarounds exist. System administrators may be able to
-reject these packets at their firewall, depending upon the abilities of the
-firewall system they use.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000105.txt snort-2.9.2/doc/signatures/100000105.txt
--- snort-2.9.0.1/doc/signatures/100000105.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000105.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000105
-
---
-Summary:
-This event is generated when inappropriate content is detected in network
-traffic.
-
---
-Impact:
-Possible policy violation.
-
---
-Detailed Information:
-This event is generated when inappropriate content is detected in network
-traffic. Specifically, the content "lolita sex" was observed.
-
---
-Affected Systems:
- All systems.
-
---
-Attack Scenarios:
-This event indicates that inappropriate content may have been accessed from a
-host on the protected network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-This may be a policy violation, refer to the appropriate internal policy.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000106.txt snort-2.9.2/doc/signatures/100000106.txt
--- snort-2.9.0.1/doc/signatures/100000106.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000106.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-100000106
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-Microsoft BizTalk Server DTA Interface.
-
---
-
-Impact:
-Attackers may retreive or modify sensitive in formation stored in the affected
-database. Additionally, attackers may use the database's functionality to
-execute arbitrary commands on the system with the priviliges of the user
-running the script, typically Administrator.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the rawdocdata.asp module of
-the DTA Interface which contain the string "exec", which is required to run
-commands on the host system. Thus, this rule does not detect generic SQL
-injection attempts, only command execution attempts.
-
---
-Affected Systems:
-Microsoft BizTalk Server 2000 Developer Edition SP2
-Microsoft BizTalk Server 2000 Developer Edition SP1a
-Microsoft BizTalk Server 2000 Developer Edition
-Microsoft BizTalk Server 2000 Enterprise Edition SP2
-Microsoft BizTalk Server 2000 Enterprise Edition SP1a
-Microsoft BizTalk Server 2000 Enterprise Edition
-Microsoft BizTalk Server 2000 Standard Edition SP2
-Microsoft BizTalk Server 2000 Standard Edition SP1a
-Microsoft BizTalk Server 2000 Standard Edition
-Microsoft BizTalk Server 2002 Developer Edition
-Microsoft BizTalk Server 2002 Enterprise Edition
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Patches which correct this problem are available from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-Microsoft BizTalk Server 2000 Enterprise Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Developer Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Standard Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-
-Microsoft BizTalk Server 2002 Enterprise Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
-Microsoft BizTalk Server 2002 Developer Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000107.txt snort-2.9.2/doc/signatures/100000107.txt
--- snort-2.9.0.1/doc/signatures/100000107.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000107.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-100000107
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-Microsoft BizTalk Server DTA Interface.
-
---
-
-Impact:
-Attackers may retreive or modify sensitive in formation stored in the affected
-database. Additionally, attackers may use the database's functionality to
-execute arbitrary commands on the system with the priviliges of the user
-running the script, typically Administrator.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the RawCustomSearchField.asp
-module of the DTA Interface which contain the string "exec", which is required
-to run commands on the host system. Thus, this rule does not detect generic SQL
-injection attempts, only command execution attempts.
-
---
-Affected Systems:
-Microsoft BizTalk Server 2000 Developer Edition SP2
-Microsoft BizTalk Server 2000 Developer Edition SP1a
-Microsoft BizTalk Server 2000 Developer Edition
-Microsoft BizTalk Server 2000 Enterprise Edition SP2
-Microsoft BizTalk Server 2000 Enterprise Edition SP1a
-Microsoft BizTalk Server 2000 Enterprise Edition
-Microsoft BizTalk Server 2000 Standard Edition SP2
-Microsoft BizTalk Server 2000 Standard Edition SP1a
-Microsoft BizTalk Server 2000 Standard Edition
-Microsoft BizTalk Server 2002 Developer Edition
-Microsoft BizTalk Server 2002 Enterprise Edition
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Patches which correct this problem are available from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-Microsoft BizTalk Server 2000 Enterprise Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Developer Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-Microsoft BizTalk Server 2000 Standard Edition SP2:
-http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-916
-1D2E5AF97&displaylang=en
-
-Microsoft BizTalk Server 2002 Enterprise Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
-Microsoft BizTalk Server 2002 Developer Edition:
-http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE
-7C4ED3C75&displaylang=en
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000108.txt snort-2.9.2/doc/signatures/100000108.txt
--- snort-2.9.0.1/doc/signatures/100000108.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000108.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000108
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-OpenBB web bulliten board system.
-
---
-
-Impact:
-Attackers may run arbitrary database commands with the privileges of the
-affected script.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the board.php module of the
-OpenBB program. Attackers must supply a variable whose value is numeric,
-followed by a space, in order to exploit this vulnerability.
-
---
-Affected Systems:
-OpenBB 1.0.5
-OpenBB 1.1.0
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, no vendor-supplied patches are available. A descripton of an
-unverified workaround is available in the Additional References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-http://www.securityfocus.com/archive/1/319714
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000109.txt snort-2.9.2/doc/signatures/100000109.txt
--- snort-2.9.0.1/doc/signatures/100000109.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000109.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000109
-
---
-Summary:
-This event is generated when an SQL injection attempt is made against the
-OpenBB web bulliten board system.
-
---
-
-Impact:
-Attackers may run arbitrary database commands with the privileges of the
-affected script.
-
---
-Detailed Information:
-This rule looks specifically for attacks against the member.php module of the
-OpenBB program. Attackers must supply a variable whose value is numeric,
-followed by a space, in order to exploit this vulnerability.
-
---
-Affected Systems:
-OpenBB 1.0.5
-OpenBB 1.1.0
-
---
-
-Attack Scenarios:
-A web browser or a script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as example attacks that can be used with a web browser are publicly
-available.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, no vendor-supplied patches are available. A descripton of an
-unverified workaround is available in the Additional References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-http://www.securityfocus.com/archive/1/319714
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000110.txt snort-2.9.2/doc/signatures/100000110.txt
--- snort-2.9.0.1/doc/signatures/100000110.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000110.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000110
-
---
-Summary:
-This event is generated when the Dabber virus attempts to exploit a
-vulnerability in the FTP server installed by the Sasser virus.
-
---
-
-Impact:
-If the Sasser virus is currently running on the affected system, then the
-Dabber virus will be able to install itself as well.
-
---
-Detailed Information:
-Some variants of the Sasser virus install an FTP server that listens on port
-5554. However, this FTP server suffers from a buffer overflow in the PORT
-command, which can be exploited with a command of 100 or more characters. The
-Dabber virus makes use of this vulnerability as an infection vetor.
-
---
-Affected Systems:
-Any machine with a variant of the Sasser virus whose FTP server listens on port
-5554.
-
---
-
-Attack Scenarios:
-A known virus scans the Internet in search of vulnerable systems.
-
---
-
-Ease of Attack:
-Simple, as the virus is in the wild.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Users should employ a virus removal tool to clean their system of both Dabber
-and Sasser, and then apply the latest security patches from Microsoft to
-prevent further infections.
-
---
-Contributors:
-Matt Watchinski
-Alex Kirk
-
---
-Additional References:
-
-http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000111.txt snort-2.9.2/doc/signatures/100000111.txt
--- snort-2.9.0.1/doc/signatures/100000111.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000111.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000111
-
---
-Summary:
-This event is generated when the Dabber virus attempts to exploit a
-vulnerability in the FTP server installed by the Sasser virus.
-
---
-
-Impact:
-If the Sasser virus is currently running on the affected system, then the
-Dabber virus will be able to install itself as well.
-
---
-Detailed Information:
-Some variants of the Sasser virus install an FTP server that listens on port
-1023. However, this FTP server suffers from a buffer overflow in the PORT
-command, which can be exploited with a command of 100 or more characters. The
-Dabber virus makes use of this vulnerability as an infection vetor.
-
---
-Affected Systems:
-Any machine with a variant of the Sasser virus whose FTP server listens on port
-1023.
-
---
-
-Attack Scenarios:
-A known virus scans the Internet in search of vulnerable systems.
-
---
-
-Ease of Attack:
-Simple, as the virus is in the wild.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Users should employ a virus removal tool to clean their system of both Dabber
-and Sasser, and then apply the latest security patches from Microsoft to
-prevent further infections.
-
---
-Contributors:
-Matt Watchinski
-Alex Kirk
-
---
-Additional References:
-
-http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000112.txt snort-2.9.2/doc/signatures/100000112.txt
--- snort-2.9.0.1/doc/signatures/100000112.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000112.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-100000112
-
---
-Summary:
-This event is generated when the readfile.tcl script on a Nokia IPSO device is
-accessed.
-
---
-
-Impact:
-Since the script does not perform any input validation, users can read any file
-on the host operating system for which the script has permissions.
-
---
-Detailed Information:
-An attacker may specify any file on the host operating system, and if the
-script has read permissions for that file, it will be displayed in the web
-browser. Users must be able to log into the Nokia web gui to perform this
-attack.
-
---
-Affected Systems:
-Nokia IPSO 3.3 SP4
-Nokia IPSO 3.3 SP3
-Nokia IPSO 3.3 SP2
-Nokia IPSO 3.3 SP1
-Nokia IPSO 3.3
-Nokia IPSO 3.3.1
-Nokia IPSO 3.4
-Nokia IPSO 3.4.1
-Nokia IPSO 3.4.2
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited using a web browser, or an automated script.
-
---
-
-Ease of Attack:
-Simple, as attacks may be performed via a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, no workarounds or patches are available.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000113.txt snort-2.9.2/doc/signatures/100000113.txt
--- snort-2.9.0.1/doc/signatures/100000113.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000113.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000113
-
---
-Summary:
-This event is generated when an attacker attempts to execute arbitrary commands
-on a system running the HappyMall E-Commerce suite.
-
---
-
-Impact:
-Attackers may run arbitrary commands of their choosing with the permissions of
-the affected script.
-
---
-Detailed Information:
-By specifying a value for the "file" parameter of the "member_html.cgi" script
-that is enclosed by any combination of pipe or semicolon characters, attackers
-may execute arbitrary commands on the host system with the privileges of the
-affected script.
-
---
-Affected Systems:
-HappyCGI HappyMall 4.3
-HappyCGI HappyMall 4.4
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited using a web browser, or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser or publicly available exploits may be used.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unconfirmed patch is available at the URI listed in the Additional
-References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000114.txt snort-2.9.2/doc/signatures/100000114.txt
--- snort-2.9.0.1/doc/signatures/100000114.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000114.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000114
-
---
-Summary:
-This event is generated when an attacker attempts to execute arbitrary commands
-on a system running the HappyMall E-Commerce suite.
-
---
-
-Impact:
-Attackers may run arbitrary commands of their choosing with the permissions of
-the affected script.
-
---
-Detailed Information:
-By specifying a value for the "file" parameter of the "normal_html.cgi" script
-that is enclosed by any combination of pipe or semicolon characters, attackers
-may execute arbitrary commands on the host system with the privileges of the
-affected script.
-
---
-Affected Systems:
-HappyCGI HappyMall 4.3
-HappyCGI HappyMall 4.4
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited using a web browser, or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser or publicly available exploits may be used.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unconfirmed patch is available at the URI listed in the Additional
-References section.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000115.txt snort-2.9.2/doc/signatures/100000115.txt
--- snort-2.9.0.1/doc/signatures/100000115.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000115.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-100000115
-
---
-Summary:
-This event is generated when the PHP-Nuke program's Web_Links module is access
-with a NULL value for the CID parameter.
-
---
-
-Impact:
-Sensitive path information may be disclosed, allowing an attacker to conduct
-reconnaissance against the affected host.
-
---
-Detailed Information:
-Queries made to PHP-Nuke's Web_Links module which omit the CID parameter, or
-which leave its value blank, will generate an error that discloses sensitive
-path information about the affected host.
-
---
-Affected Systems:
-PHP-Nuke 6.0
-PHP-Nuke 6.5
-PHP-Nuke 6.5 RC1
-PHP-Nuke 6.5 RC2
-PHP-Nuke 6.5 RC3
-PHP-Nuke 6.5 BETA 1
-PHP-Nuke 6.5 FINAL
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser.
---
-
-Ease of Attack:
-Simple, as example exploit URIs exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unsupported fix exists at the URI referenced in the Additional References
-section. No vendor-supplied patch or workaround exists.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://www.securityfocus.com/archive/1/321313
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000116.txt snort-2.9.2/doc/signatures/100000116.txt
--- snort-2.9.0.1/doc/signatures/100000116.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000116.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-100000116
-
---
-Summary:
-This event is generated when the PHP-Nuke program's Web_Links module is access
-with a value for the CID parameter which is not numeric.
-
---
-
-Impact:
-Sensitive path information may be disclosed, allowing an attacker to conduct
-reconnaissance against the affected host.
-
---
-Detailed Information:
-Queries made to PHP-Nuke's Web_Links module which use non-numeric values for
-the CID parameter will generate an error that discloses sensitive path
-information about the affected host.
-
---
-Affected Systems:
-PHP-Nuke 6.0
-PHP-Nuke 6.5
-PHP-Nuke 6.5 RC1
-PHP-Nuke 6.5 RC2
-PHP-Nuke 6.5 RC3
-PHP-Nuke 6.5 BETA 1
-PHP-Nuke 6.5 FINAL
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser.
---
-
-Ease of Attack:
-Simple, as example exploit URIs exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-An unsupported fix exists at the URI referenced in the Additional References
-section. No vendor-supplied patch or workaround exists.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://www.securityfocus.com/archive/1/321313
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000117.txt snort-2.9.2/doc/signatures/100000117.txt
--- snort-2.9.0.1/doc/signatures/100000117.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000117.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000117
-
---
-Summary:
-This event is generated when an attempt is made to execute arbitrary commands
-on a web server via the VBulliten system.
-
---
-
-Impact:
-Attackers may execute arbitrary code of their choosing with the privileges of
-the affected script.
-
---
-Detailed Information:
-The "comma" parameter of VBulliten's "forumdisplay.php" script is not
-sufficiently santitized, and will allow users to run arbitrary commands with
-the privileges of the affected script on the host system when the
-"showforumusers" option has been enabled by the system administrator.
-
---
-Affected Systems:
-VBulletin 3.0
-VBulletin 3.0 Beta 2
-VBulletin 3.0 Beta 3
-VBulletin 3.0 Beta 4
-VBulletin 3.0 Beta 5
-VBulletin 3.0 Beta 6
-VBulletin 3.0 Beta 7
-VBulletin 3.0 Gamma
-VBulletin 3.0.1
-VBulletin 3.0.2
-VBulletin 3.0.3
-VBulletin 3.0.4
-
---
-
-Attack Scenarios:
-A web browser or an automated script may be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-It has been reported that VBulliten versions 3.0.5 and above are not
-vulnerable. Additionally, administrators may disable the "showforumusers"
-configuration option as a workaround.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
-http://www.vbulletin.com/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000118.txt snort-2.9.2/doc/signatures/100000118.txt
--- snort-2.9.0.1/doc/signatures/100000118.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000118.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-100000118
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-present in Internet Explorer's urlmon.dll file.
-
---
-
-Impact:
-An attacker may execute arbitrary commands with the privileges of the user
-running Internet Explorer.
-
---
-Detailed Information:
-If a web server sends data with a Content-Type value of 300 or more bytes, a
-buffer overflow is triggered, and commands may be executed with the privileges
-of the user running Internet Explorer.
-
---
-Affected Systems:
-Internet Explorer 5.0.1
-Internet Explorer 5.0.1 SP1
-Internet Explorer 5.0.1 SP2
-Internet Explorer 5.0.1 SP3
-Internet Explorer 5.5
-Internet Explorer 5.5 SP1
-Internet Explorer 5.5 SP2
-Internet Explorer 6.0
-Internet Explorer 6.0 SP1
-
---
-
-Attack Scenarios:
-An attacker must entice a user to click on a link to a properly configured
-server, which will return the necessary data.
-
---
-
-Ease of Attack:
-Medium. An attacker must control a properly configured web server, and entice
-users to click on a link to that server.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Apply the latest patches for Internet Explorer from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000119.txt snort-2.9.2/doc/signatures/100000119.txt
--- snort-2.9.0.1/doc/signatures/100000119.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000119.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-100000119
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-present in Internet Explorer's urlmon.dll file.
-
---
-
-Impact:
-An attacker may execute arbitrary commands with the privileges of the user
-running Internet Explorer.
-
---
-Detailed Information:
-If a web server sends data with a Content-Encoding value of 300 or more bytes,
-a buffer overflow is triggered, and commands may be executed with the
-privileges of the user running Internet Explorer.
-
---
-Affected Systems:
-Internet Explorer 5.0.1
-Internet Explorer 5.0.1 SP1
-Internet Explorer 5.0.1 SP2
-Internet Explorer 5.0.1 SP3
-Internet Explorer 5.5
-Internet Explorer 5.5 SP1
-Internet Explorer 5.5 SP2
-Internet Explorer 6.0
-Internet Explorer 6.0 SP1
-
---
-
-Attack Scenarios:
-An attacker must entice a user to click on a link to a properly configured
-server, which will return the necessary data.
-
---
-
-Ease of Attack:
-Simple. An attacker must control a properly configured web server, and entice
-users to click on a link to that server.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Apply the latest patches for Internet Explorer from Microsoft.com.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000121.txt snort-2.9.2/doc/signatures/100000121.txt
--- snort-2.9.0.1/doc/signatures/100000121.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000121.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000121
-
---
-Summary:
-This event is generated when a script named "test" is accessed from a location
-outside of EXTERNAL_NET.
-
---
-
-Impact:
-Varies depending upon the script.
-
---
-Detailed Information:
-Generally speaking, scripts named "test" should not be accessed by anyone
-outside of the developer's internal network. These scripts rarely lack proper
-input sanitization, often allow unfettered access to sensitive resources, and
-can suffer from a host of vulnerabilities due to the fact that developers
-generally do not have security in mind when testing a script.
-
---
-Affected Systems:
-Any system with an improperly secured developer test script.
-
---
-
-Attack Scenarios:
-Attacks vary depending upon the nature of the script.
-
---
-
-Ease of Attack:
-The ease of attacks vary depending upon the nature of the script.
-
---
-
-False Positives:
-Some scripts may legitimately be named "test", or developers may access these
-scripts from outside of their internal development environment. Users who are
-receiving an inordinate amount of false positives may wish to disable this rule.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Test scripts should be properly hardened if they are made publicly available,
-or access to them should be restricted to authorized personnel.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000122.txt snort-2.9.2/doc/signatures/100000122.txt
--- snort-2.9.0.1/doc/signatures/100000122.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000122.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-100000122
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow in
-the Macromedia mod_jrun module.
-
---
-
-Impact:
-The affected server will be crashed, and remote code execution with the
-privileges of the server is possible.
-
---
-Detailed Information:
-Specially crafted data which is sent to the vulnerable server that contains a
-colon followed by 1,000 or more bytes will trigger this buffer overflow. The
-affected server will crash, and remote code execution with the privileges of
-the affected server is possible.
-NOTE: This rule may severely impact performance. It is recommended that you
-disable this rule if you are not running vulnerable software.
-
---
-Affected Systems:
-Macromedia ColdFusion MX 6.0
-Macromedia ColdFusion MX 6.1
-Macromedia ColdFusion MX J2EE 6.1
-Macromedia JRun 3.0
-Macromedia JRun 3.1
-Macromedia JRun 4.0
-Hitachi Cosminexus Enterprise Enterprise Edition 01-02
-Hitachi Cosminexus Enterprise Enterprise Edition 01-01
-Hitachi Cosminexus Enterprise Standard Edition 01-02
-Hitachi Cosminexus Enterprise Standard Edition 01-01
-Hitachi Cosminexus Server Web Edition 01-02
-Hitachi Cosminexus Server Web Edition 01-01
-
---
-
-Attack Scenarios:
-A script must be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as an attack is included as part of the Metasploit vulnerability
-testing framework.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Patches are available from Macromedia. As a workaround, the vendor suggests
-disabling the "verbose" debug mode on web server connectors, as it will stop
-attackers from exploiting this vulnerability.
-
---
-Contributors:
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000123.txt snort-2.9.2/doc/signatures/100000123.txt
--- snort-2.9.0.1/doc/signatures/100000123.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000123.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000123
-
---
-Summary:
-This event is generated when inappropriate content is detected in network
-traffic.
-
---
-Impact:
-Possible policy violation.
-
---
-Detailed Information:
-This event is generated when inappropriate content is detected in network
-traffic. Specifically, the content "pre-teen" was observed.
-
---
-Affected Systems:
- All systems.
-
---
-Attack Scenarios:
-This event indicates that inappropriate content may have been accessed from a
-host on the protected network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-This may be a policy violation, refer to the appropriate internal policy.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000124.txt snort-2.9.2/doc/signatures/100000124.txt
--- snort-2.9.0.1/doc/signatures/100000124.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000124.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000124
-
---
-Summary:
-This event is generated when inappropriate content is detected in network
-traffic.
-
---
-Impact:
-Possible policy violation.
-
---
-Detailed Information:
-This event is generated when inappropriate content is detected in network
-traffic. Specifically, the content "girls gone wild" was observed.
-
---
-Affected Systems:
- All systems.
-
---
-Attack Scenarios:
-This event indicates that inappropriate content may have been accessed from a
-host on the protected network.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-This may be a policy violation, refer to the appropriate internal policy.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000125.txt snort-2.9.2/doc/signatures/100000125.txt
--- snort-2.9.0.1/doc/signatures/100000125.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000125.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000125
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer in the
-SafeNet Sentinel License Manager.
-
---
-
-Impact:
-The affected server will be crashed, and remote code execution with system
-privileges is possible.
-
---
-Detailed Information:
-If the SafeNet Sentinel License Manager recieves a packet containing over 1,000
-bytes, a buffer will be overflowed. If properly crafted data is sent, arbitrary
-code may be executed with system privileges.
-
---
-Affected Systems:
-SafeNet Sentinel License Manager 7.2.0.2
-
---
-
-Attack Scenarios:
-A script must be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as an attack is included as part of the Metasploit vulnerability
-testing framework.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to version 8.0 of the affected software.
-
---
-Contributors:
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000126.txt snort-2.9.2/doc/signatures/100000126.txt
--- snort-2.9.0.1/doc/signatures/100000126.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000126.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000126
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer in the
-GoodTech Telenet server.
-
---
-
-Impact:
-The affected server will be crashed, and remote code execution with the
-privileges of the user running the telnet server is possible.
-
---
-Detailed Information:
-If the GoodTech telnet server recieves 10,083 bytes before a newline, a buffer
-will be overflowed. If properly crafted data is sent, arbitrary code may be
-executed with the privileges of the user running the server. Note that the rule
-looks for 1,000 or more bytes before a newline, due to limitations which do not
-allow a search for the full number of bytes required for the exploit.
-
---
-Affected Systems:
-GoodTech Telnet Server 4.0
-GoodTech Telnet Server 5.0
-
---
-
-Attack Scenarios:
-A script must be used to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, as public exploits exist.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Upgrade to version 5.0.7 of the affected software.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000127.txt snort-2.9.2/doc/signatures/100000127.txt
--- snort-2.9.0.1/doc/signatures/100000127.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000127.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000127
-
---
-Summary:
-This event is generated when an attempt is made to link to an external script
-as part of the Stadtaus.com PHP Form Mail program.
-
---
-
-Impact:
-The script being included will be run in the same security context as the
-vulnerable program, enabling a variety of web-based attacks.
-
---
-Detailed Information:
-The Stadtaus.com PHP Form Mail system's formmail.inc.php module, when including
-other scripts by way of its script_root parameter, fails to validate the
-location of these scripts, and thus allows attackers to include any malicious
-script anywhere on the web. The included script will be executed with the same
-permissions and in the same security context at the vulnerable program itself,
-thus allowing a range of attacks.
-
---
-Affected Systems:
-Stadtaus.com PHP Form Mail Script 2.3
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no vendor-supplied patches or workarounds. However, if it
-is possible to globally disable PHP's 'allow_url_fopen' and 'register_globals'
-directives in your environment, doing so may disable this vulnerability.
-However, turning off these directives should be tested in a non-production
-environment, in case doing so breaks other scripts on your system.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000128.txt snort-2.9.2/doc/signatures/100000128.txt
--- snort-2.9.0.1/doc/signatures/100000128.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000128.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000128
-
---
-Summary:
-This event is generated when an attempt is made to link to an external script
-as part of the Stadtaus.com PHP Form Mail program.
-
---
-
-Impact:
-The script being included will be run in the same security context as the
-vulnerable program, enabling a variety of web-based attacks.
-
---
-Detailed Information:
-The Stadtaus.com PHP Form Mail system's download_center_lite.inc.php module,
-when including other scripts by way of its script_root parameter, fails to
-validate the location of these scripts, and thus allows attackers to include
-any malicious script anywhere on the web. The included script will be executed
-with the same permissions and in the same security context at the vulnerable
-program itself, thus allowing a range of attacks.
-
---
-Affected Systems:
-Stadtaus.com PHP Form Mail Script 2.3
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no vendor-supplied patches or workarounds. However, if it
-is possible to globally disable PHP's 'allow_url_fopen' and 'register_globals'
-directives in your environment, doing so may disable this vulnerability.
-However, turning off these directives should be tested in a non-production
-environment, in case doing so breaks other scripts on your system.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000129.txt snort-2.9.2/doc/signatures/100000129.txt
--- snort-2.9.0.1/doc/signatures/100000129.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000129.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,89 +0,0 @@
-Rule:
-
---
-Sid:
-100000129
-
---
-Summary:
-This event is generated when a malformed URL is sent to a Cisco IOS HTTP
-Router, which may cause a denial of service.
-
---
-
-Impact:
-If a router running a vulnerable version of the IOS HTTP server receives this
-request, it will fall into an infinite loop, causing a denial of service. The
-router will restart after two minutes, when the system's watchdog timer
-realizes that the router has become unresponsive.
-
---
-Detailed Information:
-If a "?" character immediately follows a "/" character in a URI, vulnerable
-versions of the Cisco IOS HTTP Router will fall into an infinite loop, causing
-a denial of service. The router will restart after two minutes, when the
-system's watchdog timer realizes that the router has become unresponsive.
-
-
---
-Affected Systems:
-Cisco IOS 12.0 XJ
-Cisco IOS 12.0 XH
-Cisco IOS 12.0 XE
-Cisco IOS 12.0 XA
-Cisco IOS 12.0 W5
-Cisco IOS 12.0 T
-Cisco IOS 12.1 XP
-Cisco IOS 12.1 XL
-Cisco IOS 12.1 XJ
-Cisco IOS 12.1 XI
-Cisco IOS 12.1 XH
-Cisco IOS 12.1 XG
-Cisco IOS 12.1 XF
-Cisco IOS 12.1 XE
-Cisco IOS 12.1 XD
-Cisco IOS 12.1 XC
-Cisco IOS 12.1 XB
-Cisco IOS 12.1 XA
-Cisco IOS 12.1 T
-Cisco IOS 12.1 EC
-Cisco IOS 12.1 E
-Cisco IOS 12.1 DC
-Cisco IOS 12.1 DB
-Cisco IOS 12.1 DA
-Cisco IOS 12.1 AA
-Cisco IOS 12.1
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Apply the vendor-supplied patch, available at Cisco.com. As a workaround, the
-IOS HTTP server may be disabled by using the command "no ip http server".
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000130.txt snort-2.9.2/doc/signatures/100000130.txt
--- snort-2.9.0.1/doc/signatures/100000130.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000130.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000130
-
---
-Summary:
-This event is generated when a request for the file "Filelist.html" is sent to
-the PY Software Active Webcam Server.
-
---
-
-Impact:
-A denial of service will result, and the server will need to be manually
-restarted.
-
---
-Detailed Information:
-Requests for the file "Filelist.html" will cause the PY Software Active Webcam
-Server to crash. This rule looks for such requests on port 8080, the default
-port for this server.
-
---
-Affected Systems:
-PY Software Active WebCam 4.3
-PY Software Active WebCam 5.5
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no known workarounds or fixes.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000131.txt snort-2.9.2/doc/signatures/100000131.txt
--- snort-2.9.0.1/doc/signatures/100000131.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000131.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-100000131
-
---
-Summary:
-This event is generated when a request for a file residing on a floppy drive is
-sent to the PY Software Active Webcam Server.
-
---
-
-Impact:
-A denial of service will result, and the server will need to be manually
-restarted.
-
---
-Detailed Information:
-Requests for files residing on a floppy drive will cause the PY Software Active
-Webcam Server to crash. This rule looks for requests in the form of
-"/A:file.ext" on port 8080, the default port for this server.
-
---
-Affected Systems:
-PY Software Active WebCam 4.3
-PY Software Active WebCam 5.5
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or a script.
-
---
-
-Ease of Attack:
-Simple, as it can be exploited using a web browser.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-
-Corrective Action:
-Currently, there are no known workarounds or fixes.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000132.txt snort-2.9.2/doc/signatures/100000132.txt
--- snort-2.9.0.1/doc/signatures/100000132.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000132.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -100000132 - --- -Summary: -This event is generated when a connection is made to the Internet via a proxy -server on your internal network. - --- - -Impact: -If the server is not legitimate, anyone with access to it can use your -bandwidth to access the Internet; if users conduct malicious activity on the -Internet through this server, the activity will appear to have come from the -misconfigured machine. - --- -Detailed Information: -This rule looks for pieces of HTTP requests being made by a misconfigured -Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is -coming from is not a known proxy server, it indicates that the machine in -question is either improperly configured or has been compromised. - -False positives associated with this rule may be reduced considerably, or even -eliminated, by the use of a custom variable. By editing your snort.conf to -include "var KNOWN_PROXY_SERVERS = [ -Alex Kirk - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000133.txt snort-2.9.2/doc/signatures/100000133.txt --- snort-2.9.0.1/doc/signatures/100000133.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000133.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000133
-
---
-Summary:
-This event is generated when an attempt is made to cause a denial of service
-against the Xeneo web server by sending it a request with an overly large
-number of "?" characters.
-
---
-
-Impact:
-A denial of service will occur, and it may be possible to execute arbitrary
-code with the privileges of the user running the web server.
-
---
-Detailed Information:
-The denial of service is triggered when a GET request is made with more than
-4096 "?" characters. The rule actually looks for 250 consecutive "?"
-characters, as even that should never occur, and looking for a smaller number
-increases the rule's performance.
-
---
-Affected Systems:
-Northern Solutions Xeneo Web Server 2.2.10
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser can be used.
-
---
-
-False Positives:
-If a valid request contains more than 250 and less than 4096 consecutive "?"
-characters, a false positive will be generated.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Currently, no patches or upgrades are available from the vendor, and no
-workarounds are known.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000134.txt snort-2.9.2/doc/signatures/100000134.txt
--- snort-2.9.0.1/doc/signatures/100000134.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000134.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-100000134
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Tcpdump. In particular, this event indicates that the exploit
-was attempted via a malformed Resource Reservation Protocol (RSVP) packet.
-
---
-Impact:
-Serious. Denial of Service (DoS). Code execution may be possible.
-
---
-Detailed Information:
-Tcpdump is a packet capture utility used on various BSD, Linux and UNIX style
-operating systems.
-
-An error in the processing of the payload length in an RSVP packet may prevent
-an attacker with the opportunity to overflow a fixed length buffer and execute
-code of their choosing in the context of the user running tcpdump. This is
-normally the super-user or administrator when tcpdump is used to sniff data
-directly from a network interface.
-
---
-Affected Systems:
-Tcpdump 3.9.1 and prior
-Ethereal 0.10.10 and prior
-
---
-Attack Scenarios:
-An attacker need to craft an RSVP packet with a packet payload length of 0 to
-cause the overflow to manifest itself.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000135.txt snort-2.9.2/doc/signatures/100000135.txt
--- snort-2.9.0.1/doc/signatures/100000135.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000135.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000135
-
---
-Summary:
-This event is generated when an attempt to exploit a format string attack
-against the GNU Mailutils imap4d server.
-
---
-
-Impact:
-A denial of service will occur, and it may be possible to execute arbitrary
-code with the privileges of the user running the imap server.
-
---
-Detailed Information:
-The vulnerability is triggered when the request tag contains format string
-characters. This will cause the server to read and/or write at invalid memory
-locations, potentially allowing an attacker to execute arbitrary code.
-
---
-Affected Systems:
-GNU Mailutils 0.5
-GNU Mailutils 0.6
-
---
-
-Attack Scenarios:
-Publicly available scripts exist to exploit this vulnerability.
-
---
-
-Ease of Attack:
-Simple, exploit scripts exist.
-
---
-
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Upgrade to version 0.6.90 or higher.
-
---
-Contributors:
-Judy Novak
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000136.txt snort-2.9.2/doc/signatures/100000136.txt
--- snort-2.9.0.1/doc/signatures/100000136.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000136.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-100000136
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the gnu_mailutils IMAP4 server.
-
---
-Impact:
-Serious. Execution of arbitrary commands may be possible.
-
---
-Detailed Information:
-
-A vulnerability exists in the way that the GNU Mailutils IMAP4 server handles
-malformed IMAP commands containing format strings. This may permit the
-execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
-GNU Mailutils 0.5, 0.6
-
---
-Attack Scenarios:
-An attacker can send an IMAP command containing format strings, possibly
-permitting the execution of arbitrary code.
-
---
-Ease of Attack:
-Simple, exploit scripts exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to version 0.6.90 or higher.
-
---
-Contributors:
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000138.txt snort-2.9.2/doc/signatures/100000138.txt
--- snort-2.9.0.1/doc/signatures/100000138.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000138.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000138
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Serious. Information Disclosure, application source code may be disclosed.
-
---
-Detailed Information:
-A programming error in an error page for Microsoft IIS may result in the
-discloure of asp code disclosure on an affected system.
-
-By making a request to a server using a modified SERVER_NAME variable, the
-underlying asp code is displayed in the error page returned to the requestor if
-the asp page generates an error.
-
---
-Affected Systems:
-Microsoft IIS 6.0 and prior
-
---
-Attack Scenarios:
-An attacker can make a request to the server and modify the SERVER_NAME
-variable to be either localhost or 127.0.0.1, if the page returns an error the
-asp code is revealed.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000139.txt snort-2.9.2/doc/signatures/100000139.txt
--- snort-2.9.0.1/doc/signatures/100000139.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000139.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000139
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Serious. Information Disclosure, application source code may be disclosed.
-
---
-Detailed Information:
-A programming error in an error page for Microsoft IIS may result in the
-discloure of asp code disclosure on an affected system.
-
-By making a request to a server using a modified SERVER_NAME variable, the
-underlying asp code is displayed in the error page returned to the requestor if
-the asp page generates an error.
-
---
-Affected Systems:
-Microsoft IIS 6.0 and prior
-
---
-Attack Scenarios:
-An attacker can make a request to the server and modify the SERVER_NAME
-variable to be either localhost or 127.0.0.1, if the page returns an error the
-asp code is revealed.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule writer rmkml
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000140.txt snort-2.9.2/doc/signatures/100000140.txt
--- snort-2.9.0.1/doc/signatures/100000140.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000140.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-100000140
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow in
-the MySQL MaxDB web server.
-
---
-
-Impact:
-A denial of service will occur, and arbitrary code may be executed with the
-privileges of the user running the web server.
-
---
-Detailed Information:
-If an HTTP GET request beginning with a "%" character and followed by at least
-215 non-newline characters is sent to the MySQL MaxDB web server, a buffer
-overflow will occur. This will result in a denial of service, and possibly
-execution of arbitrary code with the privileges of the user running the web
-server.
-
---
-Affected Systems:
-MySQL MaxDB >= 7.5.00.24
-
---
-
-Attack Scenarios:
-This vulnerability may be exploited with a web browser or an automated script.
-
---
-
-Ease of Attack:
-Simple, as a web browser can be used.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Upgrade to version 7.5.00.26 or higher.
-
---
-Contributors:
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000141.txt snort-2.9.2/doc/signatures/100000141.txt
--- snort-2.9.0.1/doc/signatures/100000141.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000141.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000141
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000142.txt snort-2.9.2/doc/signatures/100000142.txt
--- snort-2.9.0.1/doc/signatures/100000142.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000142.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000142
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000143.txt snort-2.9.2/doc/signatures/100000143.txt
--- snort-2.9.0.1/doc/signatures/100000143.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000143.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000143
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000144.txt snort-2.9.2/doc/signatures/100000144.txt
--- snort-2.9.0.1/doc/signatures/100000144.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000144.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000144
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000145.txt snort-2.9.2/doc/signatures/100000145.txt
--- snort-2.9.0.1/doc/signatures/100000145.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000145.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000145
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000146.txt snort-2.9.2/doc/signatures/100000146.txt
--- snort-2.9.0.1/doc/signatures/100000146.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000146.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-100000146
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-directory traversal associated with Imail Web Calendaring
-servicel
-
---
-Impact:
-A successful attack can permit a user to navigate outside
-of the web root directory and read files.
-
---
-Detailed Information:
-The Imail Web Calendaring Server does not properly sanitize
-a malformed URL that contains directory traversal characters.
-This vulnerability is associated with static objects identified
-by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This
-can permit an unauthorized user to examine files that may contain
-sensitive information.
-
---
-Affected Systems:
-Ipswitch IMail Server 8.2 and prior
-Ipswitch IMail Server 8.15 and prior
-
---
-Attack Scenarios:
-An attacker send a URI containing a directory traversal to view
-sensitive files on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-Other:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000148.txt snort-2.9.2/doc/signatures/100000148.txt
--- snort-2.9.0.1/doc/signatures/100000148.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000148.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -100000148 - --- -Summary: -This event is generated when an attempt is made to perform a directory -traversal attack against a system running Barracuda Spam Firewall. - --- -Impact: -Serious. Unauthorized remote command execution possibly leading to remote -access. - --- -Detailed Information: -User supplied data to script parameters are not properly sanitized, this may -permit an unauthorized attacker to execute commands of their choosing on an -affected system. - -Note: -In order to utilize this rule, port 8000 must be added to the http_inspect -configuration in snort.conf. - --- -Affected Systems: -Barracuda Spam Firewall 3.1.17 and prior. - --- -Attack Scenarios: -An attacker can supply commands as parameters to the img.pl script. - --- -Ease of Attack: -Simple, exploit software exists but is not necessary. - --- -False Positives: -None known. - --- -False Negatives: -None known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000152.txt snort-2.9.2/doc/signatures/100000152.txt --- snort-2.9.0.1/doc/signatures/100000152.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000152.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000152 - --- -Summary: -This event is generated when an attempt is made to exploit a -buffer overflow associated with MDaemon IMAP authentication -processing. - --- -Impact: -A successful attack can permit a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable -server. - --- -Detailed Information: -The MDaemon IMAP server allows basic authentication to be -exchanged between the client and server. A vulnerability -exists allowing an unauthenticated user to cause a buffer -overflow by crafting an overly long authentication reply -to a server challenge. This can allow execution of arbitrary -code on a vulnerable server. - --- -Affected Systems: -Alt-N MDaemon prior to 8.0.4 - --- -Attack Scenarios: -An attacker can request IMAP authentication and reply to -a server challenge with an overly long response, causing -a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000153.txt snort-2.9.2/doc/signatures/100000153.txt --- snort-2.9.0.1/doc/signatures/100000153.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000153.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000153 - --- -Summary: -This event is generated when an attempt is made to exploit a -buffer overflow associated with MDaemon IMAP authentication -processing. - --- -Impact: -A successful attack can permit a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable -server. - --- -Detailed Information: -The MDaemon IMAP server allows basic authentication to be -exchanged between the client and server. A vulnerability -exists allowing an unauthenticated user to cause a buffer -overflow by crafting an overly long authentication reply -to a server challenge. This can allow execution of arbitrary -code on a vulnerable server. - --- -Affected Systems: -Alt-N MDaemon prior to 8.0.4 - --- -Attack Scenarios: -An attacker can request IMAP authentication and reply to -a server challenge with an overly long response, causing -a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000154.txt snort-2.9.2/doc/signatures/100000154.txt --- snort-2.9.0.1/doc/signatures/100000154.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000154.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000154 - --- -Summary: -This event is generated when an attempt is made to exploit a -buffer overflow associated with MDaemon IMAP authentication -processing. - --- -Impact: -A successful attack can permit a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable -server. - --- -Detailed Information: -The MDaemon IMAP server allows basic authentication to be -exchanged between the client and server. A vulnerability -exists allowing an unauthenticated user to cause a buffer -overflow by crafting an overly long authentication reply -to a server challenge. This can allow execution of arbitrary -code on a vulnerable server. - --- -Affected Systems: -Alt-N MDaemon prior to 8.0.4 - --- -Attack Scenarios: -An attacker can request IMAP authentication and reply to -a server challenge with an overly long response, causing -a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000155.txt snort-2.9.2/doc/signatures/100000155.txt --- snort-2.9.0.1/doc/signatures/100000155.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000155.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000155 - --- -Summary: -This event is generated when an attempt is made to exploit a -buffer overflow associated with MDaemon IMAP authentication -processing. - --- -Impact: -A successful attack can permit a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable -server. - --- -Detailed Information: -The MDaemon IMAP server allows basic authentication to be -exchanged between the client and server. A vulnerability -exists allowing an unauthenticated user to cause a buffer -overflow by crafting an overly long authentication reply -to a server challenge. This can allow execution of arbitrary -code on a vulnerable server. - --- -Affected Systems: -Alt-N MDaemon prior to 8.0.4 - --- -Attack Scenarios: -An attacker can request IMAP authentication and reply to -a server challenge with an overly long response, causing -a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000158.txt snort-2.9.2/doc/signatures/100000158.txt --- snort-2.9.0.1/doc/signatures/100000158.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000158.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000158 - --- -Summary: -This event is generated when an abnormally larger number of SIP INVITE messages -is received in a short time frame. - --- -Impact: -This can be an indication of a denial of service attack in progress, or simply -a poorly configured or implemented user agent. - --- -Detailed Information: -This rule is used to detect overly large numbers of SIP INVITE messages coming -into hosts on an internal network, which may indicate a denial of service -attack in progress. Since this traffic could also be the the result of a poorly -configured user agent, or simply a very busy SIP proxy, careful analysis of -both the hosts receiving and sending this traffic is required before -determining that an attack has actually taken place. - --- -Affected Systems: -Any which implement the SIP protocol. - --- -Attack Scenarios: -An attacker could use a script to flood a system with INVITE messages, causing -a denial of service. - --- -Ease of Attack: -Simple, as SIP is a public, well-documented protocol. - --- -False Positives: -Known SIP proxies may receive a high volume of legitimate INVITE requests, and -NAT devices may appear to be sending a larger number of INVITE requests than a -regular host. It is recommended that users whitelist known SIP proxies and NAT -devices. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a firewall or other access-restriction device to block unwanted messages at -your network's border. - --- -Contributors: -Jiri Markl -Sourcefire Research Team - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000159.txt snort-2.9.2/doc/signatures/100000159.txt --- snort-2.9.0.1/doc/signatures/100000159.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000159.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000159 - --- -Summary: -This event is generated when an abnormally larger number of SIP REGISTER -messages is received in a short time frame. - --- -Impact: -This can be an indication of a denial of service attack in progress, or simply -a poorly configured or implemented user agent. - --- -Detailed Information: -This rule is used to detect overly large numbers of SIP REGISTER messages -coming into hosts on an internal network, which may indicate a denial of -service attack in progress. Since this traffic could also be the the result of -a poorly configured user agent, or simply a very busy SIP proxy, careful -analysis of both the hosts receiving and sending this traffic is required -before determining that an attack has actually taken place. - --- -Affected Systems: -Any which implement the SIP protocol. - --- -Attack Scenarios: -An attacker could use a script to flood a system with REGISTER messages, -causing a denial of service. - --- -Ease of Attack: -Simple, as SIP is a public, well-documented protocol. - --- -False Positives: -Known SIP proxies may receive a high volume of legitimate REGISTER requests, -and NAT devices may appear to be sending a larger number of REGISTER requests -than a regular host. It is recommended that users whitelist known SIP proxies -and NAT devices. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a firewall or other access-restriction device to block unwanted messages at -your network's border. - --- -Contributors: -Jiri Markl -Sourcefire Research Team - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000160.txt snort-2.9.2/doc/signatures/100000160.txt --- snort-2.9.0.1/doc/signatures/100000160.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000160.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -100000160 - --- -Summary: -This event is generated when an abnormally larger number of packets are -received from a single source by an SIP-enabled host in a short period of time. - --- -Impact: -This can be an indication of a denial of service attack in progress. - --- -Detailed Information: -This rule is designed to detect overly large amounts of traffic coming from a -single host to the SIP port on an internal host, as it is possible to cause a -denial of service by sending a large number of packets with invalid data. - --- -Affected Systems: -Any which implement the SIP protocol. - --- -Attack Scenarios: -An attacker could use a script to flood a system with invalid messages, causing -a denial of service. - --- -Ease of Attack: -Simple, as it is trivial to write a script to generate random data. - --- -False Positives: -Known SIP proxies may receive a high volume of legitimate data, and NAT devices -may appear to be sending a larger amount of data than a regular host. It is -recommended that users whitelist known SIP proxies and NAT devices. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a firewall or other access-restriction device to block unwanted messages at -your network's border. - --- -Contributors: -Jiri Markl -Sourcefire Research Team - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000161.txt snort-2.9.2/doc/signatures/100000161.txt --- snort-2.9.0.1/doc/signatures/100000161.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000161.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -100000161 - --- -Summary: -This event is generated when an abnormally larger number of unresolvable DNS -queries are generated by a particular host. - --- -Impact: -This can be an indication of a denial of service attack in progress. - --- -Detailed Information: -Since SIP systems can be overwhelmed by being forced to deal with an overly -large number of invalid hostnames, this rule is designed to detect such attacks -by searching for large volumes of DNS responses which contain the message "No -such name". - --- -Affected Systems: -Any which implement the SIP protocol. - --- -Attack Scenarios: -An attacker could use a script to flood a system with requests from invalid -hosts, causing a denial of service. - --- -Ease of Attack: -Simple, as it is trivial to write a script to generate requests with invalid -hostnames. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a firewall or other access-restriction device to block unwanted messages at -your network's border. - --- -Contributors: -Jiri Markl -Sourcefire Research Team - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000162.txt snort-2.9.2/doc/signatures/100000162.txt --- snort-2.9.0.1/doc/signatures/100000162.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000162.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -100000162 - --- -Summary: -This event is generated when an abnormally larger number of 401 Unauthorized -messages are returned by an SIP-enabled host. - --- -Impact: -This can be an indication of either a brute force authentication attack or a -denial of service in progress. - --- -Detailed Information: -When a user attempts to send a REGISTER message with invalid credentials, a SIP -server returns a 401 Unauthorized message. A high volume of these may indicate -that an authentication attack, likely brute-force style, or a denial of service -is in progress. - --- -Affected Systems: -Any which implement the SIP protocol. - --- -Attack Scenarios: -An attacker could use a script to attempt a brute-force authentication attack -or a denial of service. - --- -Ease of Attack: -Simple, as it is easy to write a script to cycle through all possible -authentication values or to simply flood a system with unauthorized data. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a firewall or other access-restriction device to block unwanted messages at -your network's border. - --- -Contributors: -Jiri Markl -Sourcefire Research Team - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000163.txt snort-2.9.2/doc/signatures/100000163.txt --- snort-2.9.0.1/doc/signatures/100000163.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000163.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -100000163 - --- -Summary: -This event is generated when an abnormally larger number of 407 Proxy -Authentication Required messages are returned by an SIP-enabled host. - --- -Impact: -This can be an indication of either a brute force authentication attack or a -denial of service in progress. - --- -Detailed Information: -When a user attempts to send an INVITE message with invalid credentials, a SIP -server returns a 401 Proxy Authentication Required message. A high volume of -these may indicate that an authentication attack, likely brute-force style, or -a denial of service is in progress. - --- -Affected Systems: -Any which implement the SIP protocol. - --- -Attack Scenarios: -An attacker could use a script to attempt a brute-force authentication attack -or a denial of service. - --- -Ease of Attack: -Simple, as it is easy to write a script to cycle through all possible -authentication values or to simply flood a system with unauthorized data. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Use a firewall or other access-restriction device to block unwanted messages at -your network's border. - --- -Contributors: -Jiri Markl -Sourcefire Research Team - --- -Additional References -Other: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000164.txt snort-2.9.2/doc/signatures/100000164.txt --- snort-2.9.0.1/doc/signatures/100000164.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000164.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -100000164 - --- -Summary: -This event is generated when an ICMP packet crafted to exploit a denial of -service vulnerability in the Linux kernel is detected. - --- -Impact: -A denial of service will be caused against vulnerable hosts. If an attacker -sends a continuous stream of such packets, the host can be prevented from -functioning properly for a prolonged period of time. - --- -Detailed Information: -Linux kernel versions below 2.6.13 contain a flaw which will result in a null -pointer dereference when processing ICMP packets that contain invalid SCTP -data. In order to be vulnerable, a host must have SCTP enabled. - --- -Affected Systems: -Any Linux system with a kernel version < 2.6.13 with SCTP enabled. - --- -Attack Scenarios: -An attacker could use a script to send malformed packets to a vulnerable host. - --- -Ease of Attack: -Simple, as a publicly available exploit script exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade Linux systems' kernel to version 2.6.13 or higher. Alternately, disable -SCTP or use a firewall to block ICMP traffic at your network's border. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References -Other: -http://oss.sgi.com/projects/netdev/archive/2005-07/msg00142.html - --- diff -Nru snort-2.9.0.1/doc/signatures/100000165.txt snort-2.9.2/doc/signatures/100000165.txt --- snort-2.9.0.1/doc/signatures/100000165.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000165.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -100000165 - --- -Summary: -This event is generated when an overly large UDP packet is sent to port 5093, -where the Sentinel License Manager service typically listens. - --- -Impact: -A denial of service will occur, and arbitrary code may be executed with the -privileges of the user running the service. - --- -Detailed Information: -A stack-based buffer overflow exists within the Sentinel License Manager, which -will be triggered if 2048 or more characters are received by the service. -Authentication is not required, and no specific characters need be present in -malicious packets in order to trigger the vulnerability. - --- -Affected Systems: -SafeNet Sentinel License Manager 7.2.0.2 - --- -Attack Scenarios: -An attacker could use one of the publicly available exploit scripts, or create -a script which simply sends 2048 or more random characters to a vulnerable -server. - --- -Ease of Attack: -Simple, as public exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to version 8.0 or above. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/100000166.txt snort-2.9.2/doc/signatures/100000166.txt --- snort-2.9.0.1/doc/signatures/100000166.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000166.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000166 - --- -Summary: -This event is generated when a command is sent to an Oracle isqlplus instance -which contains a command to halt the Oracle TNS listener service. - --- -Impact: -Vulnerable Oracle servers may shut down their TNS listener service upon receipt -of this command, making the database unavailable for normal use until it is -restarted. - --- -Detailed Information: -iSQLPlus is a web interface to the Oracle SQLPlus system. A wide range of -commands may be sent to an Oracle server via this interface, including -administrative commands. If a request is sent which contains a command to halt -the TNS listener service, vulnerable versions of Oracle will execute the -command, halting the service and denying service to legitimate users until the -service is restarted. - --- -Affected Systems: -Oracle 9i Standard Edition 9.0.2.4 -Oracle 9i Personal Edition 9.0.2.4 -Oracle 9i Enterprise Edition 9.0.2.4 - --- -Attack Scenarios: -A web browser may be used to exploit this vulnerability. - --- -Ease of Attack: -Simple, as a publicly available exploit exists which may be executed via a web -browser. - --- -False Positives: -Any time an authorized administrator chooses to shut down the TNS listener -service via the iSQLPlus interface. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the Oracle Critical Patch Update from July 2005, available at -http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/100000167.txt snort-2.9.2/doc/signatures/100000167.txt --- snort-2.9.0.1/doc/signatures/100000167.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000167.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -100000167 - --- -Summary: -The password-cracking tool Hydra has been detected in SMTP traffic. - --- -Impact: -An attacker may be attempting to break into one or more mail servers monitored -by Snort via a brute-force password attack. If successful, the attacker may -gain unauthorized access to internal networks. - --- -Detailed Information: -Hydra is a password-cracking tool released by a group of security experts -called THC, "The Hacker's Choice." When connecting to a mail server, it will -begin communications by sending either "HELO hydra" or "EHLO hydra", depending -upon the commands accepted by the remote server. Since a valid HELO or EHLO -command will contain the domain name of the system mail is being sent from, the -presence of either of these strings indicates that the Hydra tool is likely -being used. - --- -Affected Systems: -Any system running a mail server. - --- -Attack Scenarios: -Attackers will use the Hydra password-cracking tool. - --- -Ease of Attack: -Simple, as the program is publicly available and is well-documented. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Check system logs and Snort alert logs for suspicious activity, particularly -unusual logons. Ensure that secure passwords are being used throughout your -network. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/100000168.txt snort-2.9.2/doc/signatures/100000168.txt --- snort-2.9.0.1/doc/signatures/100000168.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000168.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -100000168 - --- -Summary: -The password-cracking tool Hydra has been detected in HTTP traffic. - --- -Impact: -An attacker may be attempting to break into one or more web servers monitored -by Snort via a brute-force password attack. If successful, the attacker may -gain unauthorized access to internal networks. - --- -Detailed Information: -Hydra is a password-cracking tool released by a group of security experts -called THC, "The Hacker's Choice." Requests sent by this tool to a web server -contain the User-Agent string "Mozilla/4.0 (Hydra)". Since normal browsers' -User-Agent strings do not contain the string "(Hydra)", the presence of this -string indicates that the Hydra tool is likely being used. - --- -Affected Systems: -Any system running a web server. - --- -Attack Scenarios: -Attackers will use the Hydra password-cracking tool. - --- -Ease of Attack: -Simple, as the program is publicly available and is well-documented. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Check system logs and Snort alert logs for suspicious activity, particularly -unusual logons. Ensure that secure passwords are being used throughout your -network. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/100000169.txt snort-2.9.2/doc/signatures/100000169.txt --- snort-2.9.0.1/doc/signatures/100000169.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000169.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -100000169 - --- -Summary: -The application fingerprinting tool Amap has been detected in HTTP traffic. - --- -Impact: -An attacker may be attempting to gather information about services on a -monitored network, in order to discover vulnerabilities in those services. - --- -Detailed Information: -Amap is an application fingerprinting tool released by a group of security -experts called THC, "The Hacker's Choice"; it is designed to identify services -reliably irrespective of the port they are run on. Amap functions by sending -"triggers" to open ports on a remote system which are designed to elicit a -response from a particular service. This rule is designed to detect the SSL -trigger sent by the program. - --- -Affected Systems: -Any system running an SSL-enabled web server. - --- -Attack Scenarios: -Attackers will use the Amap application fingerprinting tool. - --- -Ease of Attack: -Simple, as the program is publicly available and is well-documented. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Check system logs and Snort alert logs for suspicious activity. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/100000170.txt snort-2.9.2/doc/signatures/100000170.txt --- snort-2.9.0.1/doc/signatures/100000170.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000170.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -100000170 - --- -Summary: -This event is generated when an overly long Host: parameter is sent in an HTTP -request, which will cause a buffer overflow to occur in the GFI MailSecurity -for Exchange/SMTP web interface. - --- -Impact: -A denial of service will occur in the vulnerable application, and remote code -may be executed with the priviliges of the user running the application. - --- -Detailed Information: -GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates -with Microsoft Exchange servers. Its web interface is vulnerable to a buffer -overflow attack, which may be triggered by sending a Host: parameter of 100 or -more bytes in an HTTP request. Vulnerable versions of the application will -crash, and code may be executed with the priviliges of the user running the -program. - --- -Affected Systems: -GFI MailSecurity for Exchange/SMTP 8.1 - --- -Attack Scenarios: -Attackers will likley exploit this with a script. - --- -Ease of Attack: -Simple, as no authentication is required, and HTTP is a well-documented -protocol, which allows for easy creation of malicious packets. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Download and apply the patch referenced below. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References -ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip - --- diff -Nru snort-2.9.0.1/doc/signatures/100000171.txt snort-2.9.2/doc/signatures/100000171.txt --- snort-2.9.0.1/doc/signatures/100000171.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000171.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -100000171 - --- -Summary: -This event is generated when an overly long Accept: parameter is sent in an -HTTP request, which will cause a buffer overflow to occur in the GFI -MailSecurity for Exchange/SMTP web interface. - --- -Impact: -A denial of service will occur in the vulnerable application, and remote code -may be executed with the priviliges of the user running the application. - --- -Detailed Information: -GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates -with Microsoft Exchange servers. Its web interface is vulnerable to a buffer -overflow attack, which may be triggered by sending a Accept: parameter of 100 -or more bytes in an HTTP request. Vulnerable versions of the application will -crash, and code may be executed with the priviliges of the user running the -program. - --- -Affected Systems: -GFI MailSecurity for Exchange/SMTP 8.1 - --- -Attack Scenarios: -Attackers will likley exploit this with a script. - --- -Ease of Attack: -Simple, as no authentication is required, and HTTP is a well-documented -protocol, which allows for easy creation of malicious packets. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Download and apply the patch referenced below. - --- -Contributors: -rmkml -Sourcefire Research Team - --- -Additional References -ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip - --- diff -Nru snort-2.9.0.1/doc/signatures/100000172.txt snort-2.9.2/doc/signatures/100000172.txt --- snort-2.9.0.1/doc/signatures/100000172.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000172.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -100000172 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Lynx text-based web browser. - --- -Impact: -Code execution on the victim machine with the privileges of the user running -Lynx. - --- -Detailed Information: -A vulnerability exists in the way that Lynx handles links when browsing NNTP -resources. The function that handles the display of information from article -headers when listing available files on the server, inserts extra characters to -handle certain character sets. This function does not properly check how much -extra data is inserted and it is possible to overflow a static buffer and -execute code in the context of the browser process. - --- -Affected Systems: -Lynx versions 2.8.6 and prior - --- -Attack Scenarios: -An attacker would need to supply a malicious link on an nntp server to the user -using Lynx. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the appropriate patch. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule writer rmkml -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - -Original advisory posting: -http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html - --- diff -Nru snort-2.9.0.1/doc/signatures/100000173.txt snort-2.9.2/doc/signatures/100000173.txt --- snort-2.9.0.1/doc/signatures/100000173.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000173.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -100000173 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in RSA Security RSA Authentication Agent For Web. - --- -Impact: -Cross site scripting leading to possible inclusion of code of the attackers -choosing. - --- -Detailed Information: -A vulnerability exists in RSA Security RSA Authentication Agent For Web that -may allow an attacker to include code of their choosing due to the improper -checking of user supplied input. - --- -Affected Systems: -RSA Security RSA Authentication Agent For Web 5.2 - --- -Attack Scenarios: -An attacker can supply a link to include code of their choosing in data -supplied to RSA Security RSA Authentication Agent For Web. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule writer rmkml -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/100000174.txt snort-2.9.2/doc/signatures/100000174.txt --- snort-2.9.0.1/doc/signatures/100000174.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000174.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -100000174 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in RSA Security RSA Authentication Agent For Web. - --- -Impact: -Cross site scripting leading to possible inclusion of code of the attackers -choosing. - --- -Detailed Information: -A vulnerability exists in RSA Security RSA Authentication Agent For Web that -may allow an attacker to include code of their choosing due to the improper -checking of user supplied input. - --- -Affected Systems: -RSA Security RSA Authentication Agent For Web 5.2 - --- -Attack Scenarios: -An attacker can supply a link to include code of their choosing in data -supplied to RSA Security RSA Authentication Agent For Web. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule writer rmkml -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/100000175.txt snort-2.9.2/doc/signatures/100000175.txt --- snort-2.9.0.1/doc/signatures/100000175.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000175.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -100000175 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -vulnerability present in the Ethereal protocol analyzer's SLIMP3 decoder. - --- - -Impact: -By sending a properly crafted UDP packet, attackers may execute arbitrary code -of -their choosing with the privileges of the user running the affected software. - --- -Detailed Information: -This rule detects attempts to overflow a vulnerable buffer in the Ethereal -protocol analyzer's SLIMP3 decoder. It is specifically designed to search for -the payload present in a publicly circulating exploit. - --- -Affected Systems: -Ethereal 0.10.12 and below - --- - -Attack Scenarios: -An automated script may be used to exploit this vulnerability. - --- - -Ease of Attack: -Simple, as an exploit is publicly available. - --- - -False Positives: -None Known. - --- -False Negatives: -Other payloads which will overflow this buffer may be missed. - --- - -Corrective Action: -Upgrade to Ethereal 0.10.13 or higher. - --- -Contributors: -rmkml - --- -Additional References: -http://www.frsirt.com/english/advisories/2005/2148 - --- diff -Nru snort-2.9.0.1/doc/signatures/100000176.txt snort-2.9.2/doc/signatures/100000176.txt --- snort-2.9.0.1/doc/signatures/100000176.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000176.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -100000176 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the lpd service for HP-UX. - --- -Impact: -Denial of Service (DoS). Possible code execution. - --- -Detailed Information: -A vulnerability exists in the lpd service for HP-UX systems. An unauthenticated -attacker may issue a DoS attack on the victim lpd by sending malformed data to -the lpd service and attempting to overflow a fixed length buffer. It may also -be possible for an attacker to execute code of their choosing in the context of -the user running lpd. - --- -Affected Systems: -HP-UX 10.20 -HP-UX B11.10 and B11.11 - --- -Attack Scenarios: -An attacker can supply a malformed request to the lpd service on the victim -host that may leave the service unresponsive. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule writer rmkml -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/100000177.txt snort-2.9.2/doc/signatures/100000177.txt --- snort-2.9.0.1/doc/signatures/100000177.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000177.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000177 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Linksys WRT54G wireless router. - --- -Impact: -Unauthorized administrative access to the router and it's configuration. - --- -Detailed Information: -A vulnerability exists in the Linksys WRT54G wireless router that may present -an attacker with the opportunity to take control of the victim hardware via a -POST request to the web interface. - -This is due to the apply.cgi script not performing proper checks on user -supplied input that may allow the attacker to overflow a fixed length buffer -and execute code of their choosing. - --- -Affected Systems: -Linksys WRT54G Wireless Router firmware 4.0.4.20.6 and prior - --- -Attack Scenarios: -An attacker can supply a malformed POST request to the apply.cgi script on an -affected piece of hardware. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied firmware upgrade. - --- -Contributors: -Original Rule writer rmkml -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/100000178.txt snort-2.9.2/doc/signatures/100000178.txt --- snort-2.9.0.1/doc/signatures/100000178.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000178.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -100000178 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Hasbani Web server. - --- -Impact: -Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in the Hasbani web server that may allow an attacker to -initiate a DoS condition on the server. Poor programming in the web server may -result in the server entering an endless loop when processing malformed GET -requests. This can lead to an exhaustion of system resources and a DoS -condition. - --- -Affected Systems: -Hasbani web server 2.0 - --- -Attack Scenarios: -An attacker can supply a malformed GET request to the web server to cause the -DoS. Alternately, exploit code exists for this vulnerability. - --- -Ease of Attack: -Simple. Exploits exists. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Use Apache. - --- -Contributors: -Original Rule writer rmkml -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/100000179.txt snort-2.9.2/doc/signatures/100000179.txt --- snort-2.9.0.1/doc/signatures/100000179.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000179.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -100000179 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server using the TRACE command. In this case, the attack -is aimed at the Solaris Management Console Java Web Interface. - --- -Impact: -Possible disclosure of information. - --- -Detailed Information: -The TRACE method is used when debugging a webserver to ensure that server -returns information to the client correctly. When used with other -vulnerabilities it is possible to use the TRACE method to return sensitive -information from a webserver such as authentication data and cookies. - -This is known as a Cross Site Tracing (XST) attack. - -Note: Users who are using sid 2056 with the HTTP_PORTS variable set to 898 do -not need to use this rule. - --- -Affected Systems: -All platforms running a webserver that responds to the TRACE method. - --- -Attack Scenarios: -The attacker needs to perform a TRACE request to a vulnerable server. - --- -Ease of Attack: -Simple - --- -False Positives: -The TRACE method is legitimate and may be used to debug a webserver or can be -used to debug other networking equipment. - --- -False Negatives: -None Known - --- -Corrective Action: -Disable the webserver from responding to TRACE requests. - --- -Contributors: -Sid 2056 modification suggested by rmkml -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -RFC: -http://www.ietf.org/rfc/rfc2616.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/100000226.txt snort-2.9.2/doc/signatures/100000226.txt --- snort-2.9.0.1/doc/signatures/100000226.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000226.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -100000226 - --- -Summary: -This event is generated when a host connected to the Internet is first infected -with the BlackWorm/Nyxem virus. - --- -Impact: -The system generating the alert has likely been infected with the -BlackWorm/Nyxem virus. - --- -Detailed Information: -When a system is first infected with the BlackWorm/Nyxem virus, the malicious -program attempts to access -http://207.172.16.155/cgi-bin/Count.cgi?df=76547 in order to report a -successful installation. Numerous sources, including the Sourcefire VRT, have -confirmed that this URL is static. - --- -Affected Systems: -All Windows systems. - --- -Attack Scenarios: -The virus may arrive by e-mail, in which case a user must execute the file in -order to be infected. Once infected, hosts conduct NetBIOS scans and attempt to -infect other hosts via publicly accessible shares; in this method, no user -interaction is required. - --- -Ease of Attack: -Simple - --- -False Positives: -Any user who directs a web browser to -http://207.172.16.155/cgi-bin/Count.cgi?df=76547 will trigger this rule. - --- -False Negatives: -Hosts without Internet access which become infected (i.e. by another infected -system on their local network) will not trigger this rule until they connect to -the Internet, as they will be unable toaccess this web page. - --- -Corrective Action: -Several antivirus vendors have detection and removal capabilities. -Additionally, Microsoft has detailed instructions for manual removal on their -web site. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matthew Watchinski -Alex Kirk - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000315.txt snort-2.9.2/doc/signatures/100000315.txt --- snort-2.9.0.1/doc/signatures/100000315.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000315.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -100000315 - --- -Summary: -This event is generated when an HTTP client issues a PUT request to upload -a document into the web content area. - --- -Impact: -The PUT method is a legitimate HTTP command that allows an authorized user -to upload a document into the web content tree. It is most often associated -with the WebDAV content management protocol. - -Although there are some legitimate uses for the PUT method, it is also a -frequent source of web site defacement, as attackers can easily abuse -misconfigured web servers that allow unrestricted PUT functionality from -arbitrary users. - --- -Detailed Information: -The rule searches for HTTP requests using the PUT method, and tracks -these sessions. The rule is intended to be used with SID 100000316 to -track successful PUT requests, which may represent successful defacement -attacks, instead of all PUT requests. - -Administrators who wish to track all PUT requests (successful or not) should -remove the "flowbits:noalert;" section of this rule. - --- -Affected Systems: -Any web server - --- -Attack Scenarios: -An attacker can issue a PUT reuqest via a script, many different pieces of -software, or through a manual connection to any web server port. - --- -Ease of Attack: -Simple. Numerous tools exist for creating PUT requests, including some geared -specifically towards web site defacement. - --- -False Positives: -Organizations that use WebDAV to manage their web content may experience -false positives, as the PUT method is a normal part of the WebDAV protocol. -Additionally, any other legitimate web applications which use the PUT method -will generate false positives. - --- -False Negatives: -None - --- -Corrective Action: -In cases of web site defacement, delete the newly-created file(s) and/or -restore them from a reliable backup. In all cases, be sure to tune web server -configuration to allow PUT requests only where necessary for a legitimate web -application to function. 
- --- -Contributors: -David J. Bianco, - --- -Additional References: -http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6 diff -Nru snort-2.9.0.1/doc/signatures/100000316.txt snort-2.9.2/doc/signatures/100000316.txt --- snort-2.9.0.1/doc/signatures/100000316.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000316.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -100000315 - --- -Summary: -This event is generated when an HTTP server issues a successful status -code in response to a request to update a web document via the PUT method. - --- -Impact: -The PUT method is a legitimate HTTP command that allows an authorized user -to upload a document into the web content tree. It is most often associated -with the WebDAV content management protocol. - -Although there are some legitimate uses for the PUT method, it is also a -frequent source of web site defacement, as attackers can easily abuse -misconfigured web servers that allow unrestricted PUT functionality from -arbitrary users. - --- -Detailed Information: -The rule searches for replies to HTTP PUT requests which indicate success. -When a successful reply is seen, it implies that the web content area has -been modified, which may be an indicaton that the web site has been -defaced. - -This rule is intended to be used with another SID 100000315, which detects -HTTP PUT requests. - --- -Affected Systems: -Any web server - --- -Attack Scenarios: -An attacker can issue a PUT reuqest via a script, many different pieces of -software, or through a manual connection to any web server port. - --- -Ease of Attack: -Simple. Numerous tools exist for creating PUT requests, including some geared -specifically towards web site defacement. - --- -False Positives: -Organizations that use WebDAV to manage their web content may experience -false positives, as the PUT method is a normal part of the WebDAV protocol. -Additionally, any other legitimate web applications which use the PUT method -will generate false positives. - --- -False Negatives: -None - --- -Corrective Action: -In cases of web site defacement, delete the newly-created file(s) and/or -restore them from a reliable backup. In all cases, be sure to tune web server -configuration to allow PUT requests only where necessary for a legitimate web -application to function. 
- --- -Contributors: -David J. Bianco, - --- -Additional References: -http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6 diff -Nru snort-2.9.0.1/doc/signatures/100000317.txt snort-2.9.2/doc/signatures/100000317.txt --- snort-2.9.0.1/doc/signatures/100000317.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000317.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -100000317 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "phpBazar" application running on a webserver. -Access to the file "classified_right.php" using a remote file being passed as -the "language_dir" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "language_dir" parameter in the "classified_right.php" -script used by the "phpBazar" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using phpBazar - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000318.txt snort-2.9.2/doc/signatures/100000318.txt --- snort-2.9.0.1/doc/signatures/100000318.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000318.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000318 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "phpBazar" application running on a webserver. -Access to the file "admin.php" using a remote file being passed as the -"action=edit_member&value=1" parameter may indicate that an exploitation -attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "action=edit_member&value=1" parameter in the -"admin.php" script used by the "phpBazar" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using phpBazar - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000319.txt snort-2.9.2/doc/signatures/100000319.txt --- snort-2.9.0.1/doc/signatures/100000319.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000319.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000319 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ActualScripts" application running on a -webserver. Access to the file "direct.php" using a remote file being passed as -the "rf" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "rf" parameter in the "direct.php" script used by the -"ActualScripts" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ActualScripts - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000320.txt snort-2.9.2/doc/signatures/100000320.txt --- snort-2.9.0.1/doc/signatures/100000320.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000320.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000320 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ScozNet ScozNews" application running on a -webserver. Access to the file "functions.php" using a remote file being passed -as the "main_path" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "main_path" parameter in the "functions.php" script used -by the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000321.txt snort-2.9.2/doc/signatures/100000321.txt --- snort-2.9.0.1/doc/signatures/100000321.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000321.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000321 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ScozNet ScozNews" application running on a -webserver. Access to the file "help.php" using a remote file being passed as -the "main_path" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "main_path" parameter in the "help.php" script used by -the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000322.txt snort-2.9.2/doc/signatures/100000322.txt --- snort-2.9.0.1/doc/signatures/100000322.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000322.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000322 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ScozNet ScozNews" application running on a -webserver. Access to the file "mail.php" using a remote file being passed as -the "main_path" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "main_path" parameter in the "mail.php" script used by -the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000323.txt snort-2.9.2/doc/signatures/100000323.txt --- snort-2.9.0.1/doc/signatures/100000323.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000323.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000323 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ScozNet ScozNews" application running on a -webserver. Access to the file "news.php" using a remote file being passed as -the "main_path" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "main_path" parameter in the "news.php" script used by -the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000324.txt snort-2.9.2/doc/signatures/100000324.txt --- snort-2.9.0.1/doc/signatures/100000324.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000324.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ - - -Rule: - --- -Sid: -100000324 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ScozNet ScozNews" application running on a -webserver. Access to the file "template.php" using a remote file being passed -as the "main_path" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "main_path" parameter in the "template.php" script used -by the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000325.txt snort-2.9.2/doc/signatures/100000325.txt --- snort-2.9.0.1/doc/signatures/100000325.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000325.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000325 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_cats.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_cats.php" script used by the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000326.txt snort-2.9.2/doc/signatures/100000326.txt --- snort-2.9.0.1/doc/signatures/100000326.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000326.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000326 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_edit.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_edit.php" script used by the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000327.txt snort-2.9.2/doc/signatures/100000327.txt --- snort-2.9.0.1/doc/signatures/100000327.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000327.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000327 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_import.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_import.php" script used by the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000328.txt snort-2.9.2/doc/signatures/100000328.txt --- snort-2.9.0.1/doc/signatures/100000328.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000328.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000328 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_templates.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_templates.php" script used by the "ScozNet ScozNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ScozNet ScozNews - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000329.txt snort-2.9.2/doc/signatures/100000329.txt --- snort-2.9.0.1/doc/signatures/100000329.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000329.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000329 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "class_post.php" using a remote file being passed as the "post_icon" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "post_icon" parameter in the "class_post.php" script used by the "Invision Power Board" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Invision Power Board - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000330.txt snort-2.9.2/doc/signatures/100000330.txt --- snort-2.9.0.1/doc/signatures/100000330.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000330.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000330 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "moderate.php" using a remote file being passed as the "df" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "df" parameter in the "moderate.php" script used by the "Invision Power Board" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Invision Power Board - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000331.txt snort-2.9.2/doc/signatures/100000331.txt --- snort-2.9.0.1/doc/signatures/100000331.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000331.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000331 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ZixForum" application running on a webserver. Access to the file "settings.asp" using a remote file being passed as the "layid" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "layid" parameter in the "settings.asp" script used by the "ZixForum" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ZixForum - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000332.txt snort-2.9.2/doc/signatures/100000332.txt --- snort-2.9.0.1/doc/signatures/100000332.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000332.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000332 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Artmedic Newsletter" application running on a webserver. Access to the file "log.php" using a remote file being passed as the "email" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "email" parameter in the "log.php" script used by the "Artmedic Newsletter" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Artmedic Newsletter - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000333.txt snort-2.9.2/doc/signatures/100000333.txt --- snort-2.9.0.1/doc/signatures/100000333.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000333.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000333 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Artmedic Newsletter" application running on a webserver. Access to the file "log.php" using a remote file being passed as the "logfile" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "logfile" parameter in the "log.php" script used by the "Artmedic Newsletter" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Artmedic Newsletter - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000334.txt snort-2.9.2/doc/signatures/100000334.txt --- snort-2.9.0.1/doc/signatures/100000334.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000334.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000334 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CaLogic Calendars" application running on a webserver. Access to the file "reconfig.php" using a remote file being passed as the "CLPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "CLPath" parameter in the "reconfig.php" script used by the "CaLogic Calendars" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using CaLogic Calendars - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000335.txt snort-2.9.2/doc/signatures/100000335.txt --- snort-2.9.0.1/doc/signatures/100000335.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000335.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000335
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CaLogic Calendars" application running on a webserver. Access to the file "srxclr.php" using a remote file being passed as the "CLPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CLPath" parameter in the "srxclr.php" script used by the "CaLogic Calendars" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CaLogic Calendars
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000336.txt snort-2.9.2/doc/signatures/100000336.txt
--- snort-2.9.0.1/doc/signatures/100000336.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000336.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000336
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "footer.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "footer.php" script used by the "phpMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpMyDirectory
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000337.txt snort-2.9.2/doc/signatures/100000337.txt
--- snort-2.9.0.1/doc/signatures/100000337.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000337.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000337
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "defaults_setup.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "defaults_setup.php" script used by the "phpMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpMyDirectory
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000338.txt snort-2.9.2/doc/signatures/100000338.txt
--- snort-2.9.0.1/doc/signatures/100000338.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000338.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000338
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpMyDirectory" application running on a webserver. Access to the file "header.php" using a remote file being passed as the "ROOT_PATH" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "ROOT_PATH" parameter in the "header.php" script used by the "phpMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpMyDirectory
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000339.txt snort-2.9.2/doc/signatures/100000339.txt
--- snort-2.9.0.1/doc/signatures/100000339.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000339.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000339
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "V-Webmail" application running on a webserver. Access to the file "core.php" using a remote file being passed as the "CONFIG[pear_dir]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CONFIG[pear_dir]" parameter in the "core.php" script used by the "V-Webmail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using V-Webmail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000340.txt snort-2.9.2/doc/signatures/100000340.txt
--- snort-2.9.0.1/doc/signatures/100000340.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000340.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000340
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "V-Webmail" application running on a webserver. Access to the file "pop3.php" using a remote file being passed as the "CONFIG[pear_dir]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CONFIG[pear_dir]" parameter in the "pop3.php" script used by the "V-Webmail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using V-Webmail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000341.txt snort-2.9.2/doc/signatures/100000341.txt
--- snort-2.9.0.1/doc/signatures/100000341.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000341.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000341
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "help.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "help.php" script used by the "DoceboLMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DoceboLMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000342.txt snort-2.9.2/doc/signatures/100000342.txt
--- snort-2.9.0.1/doc/signatures/100000342.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000342.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000342
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "business.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "business.php" script used by the "DoceboLMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DoceboLMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000343.txt snort-2.9.2/doc/signatures/100000343.txt
--- snort-2.9.0.1/doc/signatures/100000343.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000343.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000343
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DoceboLMS" application running on a webserver. Access to the file "credits.php" using a remote file being passed as the "lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang" parameter in the "credits.php" script used by the "DoceboLMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DoceboLMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000344.txt snort-2.9.2/doc/signatures/100000344.txt
--- snort-2.9.0.1/doc/signatures/100000344.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000344.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000344
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "index.php" script used by the "SocketMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SocketMail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000345.txt snort-2.9.2/doc/signatures/100000345.txt
--- snort-2.9.0.1/doc/signatures/100000345.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000345.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000345
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "inc-common.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "inc-common.php" script used by the "SocketMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SocketMail
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000346.txt snort-2.9.2/doc/signatures/100000346.txt
--- snort-2.9.0.1/doc/signatures/100000346.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000346.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000346
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "prepend.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "prepend.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000347.txt snort-2.9.2/doc/signatures/100000347.txt
--- snort-2.9.0.1/doc/signatures/100000347.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000347.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000347
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "form.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "form.php" script used by the "Ezupload Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ezupload Pro
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000348.txt snort-2.9.2/doc/signatures/100000348.txt
--- snort-2.9.0.1/doc/signatures/100000348.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000348.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000348
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "customize.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "customize.php" script used by the "Ezupload Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ezupload Pro
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000349.txt snort-2.9.2/doc/signatures/100000349.txt
--- snort-2.9.0.1/doc/signatures/100000349.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000349.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000349
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ezupload Pro" application running on a webserver. Access to the file "initialize.php" using a remote file being passed as the "path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path" parameter in the "initialize.php" script used by the "Ezupload Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ezupload Pro
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000350.txt snort-2.9.2/doc/signatures/100000350.txt
--- snort-2.9.0.1/doc/signatures/100000350.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000350.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000350
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "UBBThreads" application running on a webserver. Access to the file "ubbt.inc.php" using a remote file being passed as the "GLOBALS[thispath]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "GLOBALS[thispath]" parameter in the "ubbt.inc.php" script used by the "UBBThreads" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using UBBThreads
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000351.txt snort-2.9.2/doc/signatures/100000351.txt
--- snort-2.9.0.1/doc/signatures/100000351.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000351.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000351
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "UBBThreads" application running on a webserver. Access to the file "config[cookieprefix]" using a remote file being passed as the "w3t_language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "w3t_language" parameter in the "config[cookieprefix]" script used by the "UBBThreads" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using UBBThreads
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000352.txt snort-2.9.2/doc/signatures/100000352.txt
--- snort-2.9.0.1/doc/signatures/100000352.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000352.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000352
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Blend Portal" application running on a webserver. Access to the file "blend_common.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "blend_common.php" script used by the "Blend Portal" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blend Portal
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000353.txt snort-2.9.2/doc/signatures/100000353.txt
--- snort-2.9.0.1/doc/signatures/100000353.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000353.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000353
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "tinyBB" application running on a webserver. Access to the file "footers.php" using a remote file being passed as the "tinybb_footers" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "tinybb_footers" parameter in the "footers.php" script used by the "tinyBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using tinyBB
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000354.txt snort-2.9.2/doc/signatures/100000354.txt
--- snort-2.9.0.1/doc/signatures/100000354.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000354.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000354
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB-Amod" application running on a webserver. Access to the file "lang_activity.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "lang_activity.php" script used by the "phpBB-Amod" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpBB-Amod
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000355.txt snort-2.9.2/doc/signatures/100000355.txt
--- snort-2.9.0.1/doc/signatures/100000355.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000355.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000355
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "eSyndiCat" application running on a webserver. Access to the file "cron.php" using a remote file being passed as the "path_to_config" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_config" parameter in the "cron.php" script used by the "eSyndiCat" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using eSyndiCat
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000356.txt snort-2.9.2/doc/signatures/100000356.txt
--- snort-2.9.0.1/doc/signatures/100000356.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000356.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000356
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_qry_common.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_qry_common.php" script used by the "BASE" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BASE
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000357.txt snort-2.9.2/doc/signatures/100000357.txt
--- snort-2.9.0.1/doc/signatures/100000357.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000357.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000357
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_stat_common.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_stat_common.php" script used by the "BASE" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BASE
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000358.txt snort-2.9.2/doc/signatures/100000358.txt
--- snort-2.9.0.1/doc/signatures/100000358.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000358.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000358
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BASE" application running on a webserver. Access to the file "base_include.inc.php" using a remote file being passed as the "BASE_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "BASE_path" parameter in the "base_include.inc.php" script used by the "BASE" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BASE
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000359.txt snort-2.9.2/doc/signatures/100000359.txt
--- snort-2.9.0.1/doc/signatures/100000359.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000359.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000359
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "drucken.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "drucken.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000360.txt snort-2.9.2/doc/signatures/100000360.txt
--- snort-2.9.0.1/doc/signatures/100000360.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000360.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000360
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "drucken2.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "drucken2.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000361.txt snort-2.9.2/doc/signatures/100000361.txt
--- snort-2.9.0.1/doc/signatures/100000361.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000361.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000361
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "email_an_benutzer.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "email_an_benutzer.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000362.txt snort-2.9.2/doc/signatures/100000362.txt
--- snort-2.9.0.1/doc/signatures/100000362.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000362.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000362
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "rechnung.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "rechnung.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000363.txt snort-2.9.2/doc/signatures/100000363.txt
--- snort-2.9.0.1/doc/signatures/100000363.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000363.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000363
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "search.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000364.txt snort-2.9.2/doc/signatures/100000364.txt
--- snort-2.9.0.1/doc/signatures/100000364.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000364.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000364
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Fastpublish CMS" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "config[fsBase]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "config[fsBase]" parameter in the "admin.php" script used by the "Fastpublish CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Fastpublish CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000365.txt snort-2.9.2/doc/signatures/100000365.txt
--- snort-2.9.0.1/doc/signatures/100000365.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000365.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000365
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "index.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000366.txt snort-2.9.2/doc/signatures/100000366.txt
--- snort-2.9.0.1/doc/signatures/100000366.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000366.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000366
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ug_auth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ug_auth.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000367.txt snort-2.9.2/doc/signatures/100000367.txt
--- snort-2.9.0.1/doc/signatures/100000367.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000367.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000367
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_board.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_board.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000368.txt snort-2.9.2/doc/signatures/100000368.txt
--- snort-2.9.0.1/doc/signatures/100000368.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000368.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000368
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_disallow.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_disallow.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000369.txt snort-2.9.2/doc/signatures/100000369.txt
--- snort-2.9.0.1/doc/signatures/100000369.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000369.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000369
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forumauth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forumauth.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000370.txt snort-2.9.2/doc/signatures/100000370.txt
--- snort-2.9.0.1/doc/signatures/100000370.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000370.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000370
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_groups.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_groups.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000371.txt snort-2.9.2/doc/signatures/100000371.txt
--- snort-2.9.0.1/doc/signatures/100000371.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000371.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000371
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ranks.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ranks.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000372.txt snort-2.9.2/doc/signatures/100000372.txt
--- snort-2.9.0.1/doc/signatures/100000372.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000372.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000372
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_styles.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_styles.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000373.txt snort-2.9.2/doc/signatures/100000373.txt
--- snort-2.9.0.1/doc/signatures/100000373.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000373.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000373
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_user_ban.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_user_ban.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000374.txt snort-2.9.2/doc/signatures/100000374.txt
--- snort-2.9.0.1/doc/signatures/100000374.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000374.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000374
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_words.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_words.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000375.txt snort-2.9.2/doc/signatures/100000375.txt
--- snort-2.9.0.1/doc/signatures/100000375.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000375.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000375
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_avatar.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_avatar.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000376.txt snort-2.9.2/doc/signatures/100000376.txt
--- snort-2.9.0.1/doc/signatures/100000376.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000376.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000376
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_db_utilities.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_db_utilities.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000377.txt snort-2.9.2/doc/signatures/100000377.txt
--- snort-2.9.0.1/doc/signatures/100000377.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000377.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000377
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forum_prune.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forum_prune.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000378.txt snort-2.9.2/doc/signatures/100000378.txt
--- snort-2.9.0.1/doc/signatures/100000378.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000378.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000378
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forums.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forums.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000379.txt snort-2.9.2/doc/signatures/100000379.txt
--- snort-2.9.0.1/doc/signatures/100000379.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000379.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000379
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_mass_email.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_mass_email.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000380.txt snort-2.9.2/doc/signatures/100000380.txt
--- snort-2.9.0.1/doc/signatures/100000380.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000380.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000380
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_smilies.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_smilies.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000381.txt snort-2.9.2/doc/signatures/100000381.txt
--- snort-2.9.0.1/doc/signatures/100000381.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000381.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000381
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_ug_auth.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_ug_auth.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000382.txt snort-2.9.2/doc/signatures/100000382.txt
--- snort-2.9.0.1/doc/signatures/100000382.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000382.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000382
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_users.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_users.php" script used by the "phpNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpNuke
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000383.txt snort-2.9.2/doc/signatures/100000383.txt
--- snort-2.9.0.1/doc/signatures/100000383.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000383.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000383 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "OsTicket" application running on a webserver. Access to the file "open_form.php" using a remote file being passed as the "include_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "include_path" parameter in the "open_form.php" script used by the "OsTicket" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using OsTicket - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000384.txt snort-2.9.2/doc/signatures/100000384.txt --- snort-2.9.0.1/doc/signatures/100000384.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000384.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000384 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "index.php" script used by the "Ottoman" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ottoman - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000385.txt snort-2.9.2/doc/signatures/100000385.txt --- snort-2.9.0.1/doc/signatures/100000385.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000385.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000385 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "error.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "error.php" script used by the "Ottoman" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ottoman - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000386.txt snort-2.9.2/doc/signatures/100000386.txt --- snort-2.9.0.1/doc/signatures/100000386.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000386.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000386 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "main_class.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "main_class.php" script used by the "Ottoman" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ottoman - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000387.txt snort-2.9.2/doc/signatures/100000387.txt --- snort-2.9.0.1/doc/signatures/100000387.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000387.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -100000387 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "index.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000388.txt snort-2.9.2/doc/signatures/100000388.txt --- snort-2.9.0.1/doc/signatures/100000388.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000388.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000388 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "topman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "topman.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000389.txt snort-2.9.2/doc/signatures/100000389.txt --- snort-2.9.0.1/doc/signatures/100000389.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000389.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000389 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "approb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "approb.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000390.txt snort-2.9.2/doc/signatures/100000390.txt --- snort-2.9.0.1/doc/signatures/100000390.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000390.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000390 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadmb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadmb.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000391.txt snort-2.9.2/doc/signatures/100000391.txt --- snort-2.9.0.1/doc/signatures/100000391.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000391.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000391 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadma.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadma.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000392.txt snort-2.9.2/doc/signatures/100000392.txt --- snort-2.9.0.1/doc/signatures/100000392.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000392.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000392 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "vacadm.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "vacadm.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000393.txt snort-2.9.2/doc/signatures/100000393.txt --- snort-2.9.0.1/doc/signatures/100000393.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000393.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000393 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "start.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "start.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000394.txt snort-2.9.2/doc/signatures/100000394.txt --- snort-2.9.0.1/doc/signatures/100000394.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000394.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000394 - --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "search.php" script used by the "Ovidentia" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Ovidentia - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000395.txt snort-2.9.2/doc/signatures/100000395.txt --- snort-2.9.0.1/doc/signatures/100000395.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000395.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000395
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "posts.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "posts.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000396.txt snort-2.9.2/doc/signatures/100000396.txt
--- snort-2.9.0.1/doc/signatures/100000396.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000396.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000396
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "options.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "options.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000397.txt snort-2.9.2/doc/signatures/100000397.txt
--- snort-2.9.0.1/doc/signatures/100000397.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000397.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000397
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "login.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "login.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000398.txt snort-2.9.2/doc/signatures/100000398.txt
--- snort-2.9.0.1/doc/signatures/100000398.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000398.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000398
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "frchart.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "frchart.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000399.txt snort-2.9.2/doc/signatures/100000399.txt
--- snort-2.9.0.1/doc/signatures/100000399.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000399.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000399
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "flbchart.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "flbchart.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000400.txt snort-2.9.2/doc/signatures/100000400.txt
--- snort-2.9.0.1/doc/signatures/100000400.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000400.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000400
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "fileman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "fileman.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000401.txt snort-2.9.2/doc/signatures/100000401.txt
--- snort-2.9.0.1/doc/signatures/100000401.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000401.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000401
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "faq.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "faq.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000402.txt snort-2.9.2/doc/signatures/100000402.txt
--- snort-2.9.0.1/doc/signatures/100000402.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000402.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000402
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "event.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "event.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000403.txt snort-2.9.2/doc/signatures/100000403.txt
--- snort-2.9.0.1/doc/signatures/100000403.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000403.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000403
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "directory.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "directory.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000404.txt snort-2.9.2/doc/signatures/100000404.txt
--- snort-2.9.0.1/doc/signatures/100000404.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000404.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000404
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "articles.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "articles.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000405.txt snort-2.9.2/doc/signatures/100000405.txt
--- snort-2.9.0.1/doc/signatures/100000405.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000405.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000405
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "artedit.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "artedit.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000406.txt snort-2.9.2/doc/signatures/100000406.txt
--- snort-2.9.0.1/doc/signatures/100000406.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000406.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000406
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "approb.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "approb.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000407.txt snort-2.9.2/doc/signatures/100000407.txt
--- snort-2.9.0.1/doc/signatures/100000407.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000407.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000407
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "calday.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "calday.php" script used by the "Ovidentia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ovidentia
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000408.txt snort-2.9.2/doc/signatures/100000408.txt
--- snort-2.9.0.1/doc/signatures/100000408.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000408.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000408
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "AssoCIateD" application running on a webserver. Access to the file "cache_mngt.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "cache_mngt.php" script used by the "AssoCIateD" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using AssoCIateD
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000409.txt snort-2.9.2/doc/signatures/100000409.txt
--- snort-2.9.0.1/doc/signatures/100000409.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000409.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000409
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "AssoCIateD" application running on a webserver. Access to the file "gallery_functions.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "gallery_functions.php" script used by the "AssoCIateD" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using AssoCIateD
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000410.txt snort-2.9.2/doc/signatures/100000410.txt
--- snort-2.9.0.1/doc/signatures/100000410.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000410.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000410
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using REDAXO
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000411.txt snort-2.9.2/doc/signatures/100000411.txt
--- snort-2.9.0.1/doc/signatures/100000411.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000411.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000411
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using REDAXO
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000412.txt snort-2.9.2/doc/signatures/100000412.txt
--- snort-2.9.0.1/doc/signatures/100000412.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000412.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000412
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using REDAXO
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000413.txt snort-2.9.2/doc/signatures/100000413.txt
--- snort-2.9.0.1/doc/signatures/100000413.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000413.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000413
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "index.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "index.inc.php" script used by the "REDAXO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using REDAXO
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000414.txt snort-2.9.2/doc/signatures/100000414.txt
--- snort-2.9.0.1/doc/signatures/100000414.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000414.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000414
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "REDAXO" application running on a webserver. Access to the file "community.inc.php" using a remote file being passed as the "REX[INCLUDE_PATH]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "REX[INCLUDE_PATH]" parameter in the "community.inc.php" script used by the "REDAXO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using REDAXO
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000415.txt snort-2.9.2/doc/signatures/100000415.txt
--- snort-2.9.0.1/doc/signatures/100000415.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000415.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000415
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Bytehoard" application running on a webserver. Access to the file "server.php" using a remote file being passed as the "bhconfig[bhfilepath]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "bhconfig[bhfilepath]" parameter in the "server.php" script used by the "Bytehoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Bytehoard
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000416.txt snort-2.9.2/doc/signatures/100000416.txt
--- snort-2.9.0.1/doc/signatures/100000416.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000416.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000416
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "admin.php" script used by the "MyBloggie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyBloggie
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000417.txt snort-2.9.2/doc/signatures/100000417.txt
--- snort-2.9.0.1/doc/signatures/100000417.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000417.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000417
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "scode.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "scode.php" script used by the "MyBloggie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyBloggie
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000418.txt snort-2.9.2/doc/signatures/100000418.txt
--- snort-2.9.0.1/doc/signatures/100000418.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000418.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000418
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashheadlines.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashheadlines.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ashwebstudio Ashnews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000419.txt snort-2.9.2/doc/signatures/100000419.txt
--- snort-2.9.0.1/doc/signatures/100000419.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000419.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000419
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashnews.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashnews.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ashwebstudio Ashnews
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000420.txt snort-2.9.2/doc/signatures/100000420.txt
--- snort-2.9.0.1/doc/signatures/100000420.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000420.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000420
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Informium" application running on a webserver. Access to the file "common-menu.php" using a remote file being passed as the "CONF[local_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "CONF[local_path]" parameter in the "common-menu.php" script used by the "Informium" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Informium
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000421.txt snort-2.9.2/doc/signatures/100000421.txt
--- snort-2.9.0.1/doc/signatures/100000421.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000421.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000421
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Igloo" application running on a webserver. Access to the file "wiki.php" using a remote file being passed as the "c_node[class_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "c_node[class_path]" parameter in the "wiki.php" script used by the "Igloo" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Igloo
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000422.txt snort-2.9.2/doc/signatures/100000422.txt
--- snort-2.9.0.1/doc/signatures/100000422.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000422.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000422
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB" application running on a webserver. Access to the file "template.php" using a remote file being passed as the "page" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "page" parameter in the "template.php" script used by the "phpBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using phpBB
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000423.txt snort-2.9.2/doc/signatures/100000423.txt
--- snort-2.9.0.1/doc/signatures/100000423.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000423.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000423
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "index.php" script used by the "DotWidget CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotWidget CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000424.txt snort-2.9.2/doc/signatures/100000424.txt
--- snort-2.9.0.1/doc/signatures/100000424.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000424.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000424
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "feedback.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "feedback.php" script used by the "DotWidget CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotWidget CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000425.txt snort-2.9.2/doc/signatures/100000425.txt
--- snort-2.9.0.1/doc/signatures/100000425.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000425.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000425
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotWidget CMS" application running on a webserver. Access to the file "printfriendly.php" using a remote file being passed as the "file_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "file_path" parameter in the "printfriendly.php" script used by the "DotWidget CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotWidget CMS
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000426.txt snort-2.9.2/doc/signatures/100000426.txt
--- snort-2.9.0.1/doc/signatures/100000426.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000426.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000426
-
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "DotClear" application running on a webserver. Access to the file "prepend.php" using a remote file being passed as the "blog_dc_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "blog_dc_path" parameter in the "prepend.php" script used by the "DotClear" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DotClear
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000430.txt snort-2.9.2/doc/signatures/100000430.txt
--- snort-2.9.0.1/doc/signatures/100000430.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000430.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-100000430
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Faq.class.php" using a remote file being passed as the "APP[path][applications]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][applications]" parameter in the "Bs_Faq.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000431.txt snort-2.9.2/doc/signatures/100000431.txt
--- snort-2.9.0.1/doc/signatures/100000431.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000431.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000431
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "fileBrowserInner.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "fileBrowserInner.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000432.txt snort-2.9.2/doc/signatures/100000432.txt
--- snort-2.9.0.1/doc/signatures/100000432.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000432.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000432
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "file.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "file.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000433.txt snort-2.9.2/doc/signatures/100000433.txt
--- snort-2.9.0.1/doc/signatures/100000433.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000433.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000433
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "viewer.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "viewer.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000434.txt snort-2.9.2/doc/signatures/100000434.txt
--- snort-2.9.0.1/doc/signatures/100000434.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000434.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000434
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_ImageArchive.class.php" using a remote file being passed as the "APP[path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][core]" parameter in the "Bs_ImageArchive.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000435.txt snort-2.9.2/doc/signatures/100000435.txt
--- snort-2.9.0.1/doc/signatures/100000435.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000435.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000435
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Ml_User.class.php" using a remote file being passed as the "GLOBALS[APP][path][core]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "GLOBALS[APP][path][core]" parameter in the "Bs_Ml_User.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000436.txt snort-2.9.2/doc/signatures/100000436.txt
--- snort-2.9.0.1/doc/signatures/100000436.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000436.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000436
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BlueShoes" application running on a webserver. Access to the file "Bs_Wse_Profile.class.php" using a remote file being passed as the "APP[path][plugins]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "APP[path][plugins]" parameter in the "Bs_Wse_Profile.class.php" script used by the "BlueShoes" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BlueShoes
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000437.txt snort-2.9.2/doc/signatures/100000437.txt
--- snort-2.9.0.1/doc/signatures/100000437.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000437.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000437
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CS-Cart" application running on a webserver. Access to the file "class.cs_phpmailer.php" using a remote file being passed as the "classes_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "classes_dir" parameter in the "class.cs_phpmailer.php" script used by the "CS-Cart" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CS-Cart
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000438.txt snort-2.9.2/doc/signatures/100000438.txt
--- snort-2.9.0.1/doc/signatures/100000438.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000438.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000438
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Claroline" application running on a webserver. Access to the file "mambo.inc.php" using a remote file being passed as the "includepath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "includepath" parameter in the "mambo.inc.php" script used by the "Claroline" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Claroline
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000439.txt snort-2.9.2/doc/signatures/100000439.txt
--- snort-2.9.0.1/doc/signatures/100000439.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000439.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000439
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Claroline" application running on a webserver. Access to the file "postnuke.inc.php" using a remote file being passed as the "includepath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "includepath" parameter in the "postnuke.inc.php" script used by the "Claroline" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Claroline
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000440.txt snort-2.9.2/doc/signatures/100000440.txt
--- snort-2.9.0.1/doc/signatures/100000440.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000440.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000440
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "CyBoards" application running on a webserver. Access to the file "common.php" using a remote file being passed as the "script_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "script_path" parameter in the "common.php" script used by the "CyBoards" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CyBoards
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000441.txt snort-2.9.2/doc/signatures/100000441.txt
--- snort-2.9.0.1/doc/signatures/100000441.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000441.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000441
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Wikiwig" application running on a webserver. Access to the file "wk_lang.php" using a remote file being passed as the "WK[wkpath]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "WK[wkpath]" parameter in the "wk_lang.php" script used by the "Wikiwig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Wikiwig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000442.txt snort-2.9.2/doc/signatures/100000442.txt
--- snort-2.9.0.1/doc/signatures/100000442.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000442.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000442
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "pcltar.lib.php" using a remote file being passed as the "g_pcltar_lib_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "g_pcltar_lib_dir" parameter in the "pcltar.lib.php" script used by the "MiraksGalerie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiraksGalerie
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000443.txt snort-2.9.2/doc/signatures/100000443.txt
--- snort-2.9.0.1/doc/signatures/100000443.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000443.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000443
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galimage.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galimage.lib.php" script used by the "MiraksGalerie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiraksGalerie
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000444.txt snort-2.9.2/doc/signatures/100000444.txt
--- snort-2.9.0.1/doc/signatures/100000444.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000444.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000444
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galsecurity.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galsecurity.lib.php" script used by the "MiraksGalerie" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiraksGalerie
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000445.txt snort-2.9.2/doc/signatures/100000445.txt
--- snort-2.9.0.1/doc/signatures/100000445.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000445.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000445
-
---
-Summary:
-Particle Gallery is susceptible to an injection attack due to a lack
-of input validation on the imageid variable used in the viewimage.php
-component.
-
---
-Impact:
-The injection attack could result in data leakage, or potential remote
-compromise.
-
---
-Detailed Information:
-Particle Gallery is prone to an SQL-injection vulnerability. This issue is due
-to a failure in the application to properly sanitize user-supplied input
-before using it in an SQL query.
-
-A successful exploit could allow an attacker to compromise the application,
-access or modify data, or exploit vulnerabilities in the underlying database
-implementation.
-
-The data type assigned to the column referenced by the variable is int, so
-there should never be any text or characters outside of the int used to
-identify the image.
-
---
-Attack Scenarios:
-Variable manipulation can be done with any browser.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Edit code and add input validation.
-
---
-Contributors:
-Dan Ramaswami
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000446.txt snort-2.9.2/doc/signatures/100000446.txt
--- snort-2.9.0.1/doc/signatures/100000446.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000446.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000446
-
---
-Summary:
-Particle Wiki is susceptible to an injection attack due to a lack of input
-validation on the version variable used in the index.php component.
-
---
-Impact:
-The injection attack could result in data leakage, or potential remote
-compromise.
-
---
-Detailed Information:
-Particle Wiki is prone to an SQL-injection vulnerability. This issue is due to
-a failure in the application to properly sanitize user-supplied input before
-using it in an SQL query.
-
-A successful exploit could allow an attacker to compromise the application,
-access or modify data, or exploit vulnerabilities in the underlying database
-implementation.
-
---
-Attack Scenarios:
-Variable manipulation can be done with any browser.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Edit code and add input validation.
-
---
-Contributors:
-Dan Ramaswami
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000448.txt snort-2.9.2/doc/signatures/100000448.txt
--- snort-2.9.0.1/doc/signatures/100000448.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000448.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000448
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "OfficeFlow" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "sqlType" parameter in the "default.asp" script
-used by the "OfficeFlow" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using OfficeFlow
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000449.txt snort-2.9.2/doc/signatures/100000449.txt
--- snort-2.9.0.1/doc/signatures/100000449.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000449.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000449
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "OfficeFlow" application running on a webserver. Access to
-the file "files.asp" with SQL commands being passed as the "Project" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "Project" parameter in the "files.asp" script used by
-the "OfficeFlow" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using OfficeFlow
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000450.txt snort-2.9.2/doc/signatures/100000450.txt
--- snort-2.9.0.1/doc/signatures/100000450.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000450.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000450
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VanillaSoft Helpdesk" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "username" parameter in the "default.asp"
-script used by the "VanillaSoft Helpdesk" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VanillaSoft Helpdesk
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000451.txt snort-2.9.2/doc/signatures/100000451.txt
--- snort-2.9.0.1/doc/signatures/100000451.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000451.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000451
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "cat" parameter in the "album.asp" script used
-by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000452.txt snort-2.9.2/doc/signatures/100000452.txt
--- snort-2.9.0.1/doc/signatures/100000452.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000452.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000452
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "albumid" parameter in the "album.asp" script
-used by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000453.txt snort-2.9.2/doc/signatures/100000453.txt
--- snort-2.9.0.1/doc/signatures/100000453.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000453.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000453
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "apage" parameter in the "edtalbum.asp" script
-used by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000454.txt snort-2.9.2/doc/signatures/100000454.txt
--- snort-2.9.0.1/doc/signatures/100000454.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000454.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000454
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "KAPhotoservice" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "New Category" parameter in the "edtalbum.asp"
-script used by the "KAPhotoservice" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using KAPhotoservice
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000455.txt snort-2.9.2/doc/signatures/100000455.txt
--- snort-2.9.0.1/doc/signatures/100000455.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000455.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000455
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Axent Forum" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "startrow" parameter in the "viewposts.cfm"
-script used by the "Axent Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Axent Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000456.txt snort-2.9.2/doc/signatures/100000456.txt
--- snort-2.9.0.1/doc/signatures/100000456.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000456.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000456
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "SSPwiz" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "message" parameter in the "index.cfm" script
-used by the "SSPwiz" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using SSPwiz
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000457.txt snort-2.9.2/doc/signatures/100000457.txt
--- snort-2.9.0.1/doc/signatures/100000457.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000457.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000457
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "ASP Stats" application running on a webserver. Access to
-the file "pages.asp" with SQL commands being passed as the "order" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "order" parameter in the "pages.asp" script used by the
-"ASP Stats" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ASP Stats
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000458.txt snort-2.9.2/doc/signatures/100000458.txt
--- snort-2.9.0.1/doc/signatures/100000458.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000458.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000458
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "DPVision Tradingeye Shop" application running
-on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "image" parameter in the "details.cfm" script
-used by the "DPVision Tradingeye Shop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using DPVision Tradingeye Shop
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000459.txt snort-2.9.2/doc/signatures/100000459.txt
--- snort-2.9.0.1/doc/signatures/100000459.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000459.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000459
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "WeBBoA" application running on a webserver. Access to the
-file "yeni_host.asp" with SQL commands being passed as the "id" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "yeni_host.asp" script used by the
-"WeBBoA" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using WeBBoA
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000461.txt snort-2.9.2/doc/signatures/100000461.txt
--- snort-2.9.0.1/doc/signatures/100000461.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000461.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000461
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Open WebMail" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "To" parameter in the "openwebmail-read.pl"
-script used by the "Open WebMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Open WebMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000462.txt snort-2.9.2/doc/signatures/100000462.txt
--- snort-2.9.0.1/doc/signatures/100000462.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000462.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000462
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Open WebMail" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "From" parameter in the "openwebmail-read.pl"
-script used by the "Open WebMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Open WebMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000463.txt snort-2.9.2/doc/signatures/100000463.txt
--- snort-2.9.0.1/doc/signatures/100000463.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000463.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000463
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Joomla" application running on a webserver.
-Access to the file "joomla.php" using a remote file being passed as the
-"includepath" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "includepath" parameter in the "joomla.php" script used
-by the "Joomla" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Joomla
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000464.txt snort-2.9.2/doc/signatures/100000464.txt
--- snort-2.9.0.1/doc/signatures/100000464.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000464.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000464
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "LoveCompass AEPartner" application running on a
-webserver. Access to the file "design.inc.php" using a remote file being passed
-as the "dir[data]" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "dir[data]" parameter in the "design.inc.php" script
-used by the "LoveCompass AEPartner" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using LoveCompass AEPartner
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000465.txt snort-2.9.2/doc/signatures/100000465.txt
--- snort-2.9.0.1/doc/signatures/100000465.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000465.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000465
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Empris" application running on a webserver.
-Access to the file "sql_fcnsOLD.php" using a remote file being passed as the
-"phormationdir" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "phormationdir" parameter in the "sql_fcnsOLD.php"
-script used by the "Empris" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Empris
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000466.txt snort-2.9.2/doc/signatures/100000466.txt
--- snort-2.9.0.1/doc/signatures/100000466.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000466.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000466
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Free QBoard" application running on a webserver.
-Access to the file "post.php" using a remote file being passed as the "qb_path"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "qb_path" parameter in the "post.php" script used by the
-"Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000467.txt snort-2.9.2/doc/signatures/100000467.txt
--- snort-2.9.0.1/doc/signatures/100000467.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000467.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000467
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "WebprojectDB" application running on a webserver.
-Access to the file "nav.php" using a remote file being passed as the "INCDIR"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "INCDIR" parameter in the "nav.php" script used by the
-"WebprojectDB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using WebprojectDB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000468.txt snort-2.9.2/doc/signatures/100000468.txt
--- snort-2.9.0.1/doc/signatures/100000468.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000468.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000468
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "WebprojectDB" application running on a webserver.
-Access to the file "lang.php" using a remote file being passed as the "INCDIR"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "INCDIR" parameter in the "lang.php" script used by the
-"WebprojectDB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using WebprojectDB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000469.txt snort-2.9.2/doc/signatures/100000469.txt
--- snort-2.9.0.1/doc/signatures/100000469.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000469.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000469
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "iFoto" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "dir" parameter in the "index.php" script used
-by the "iFoto" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using iFoto
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000470.txt snort-2.9.2/doc/signatures/100000470.txt
--- snort-2.9.0.1/doc/signatures/100000470.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000470.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000470
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Foing" application running on a webserver. Access
-to the file "manage_songs.php" using a remote file being passed as the
-"foing_root_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "foing_root_path" parameter in the "manage_songs.php"
-script used by the "Foing" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Foing
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000471.txt snort-2.9.2/doc/signatures/100000471.txt
--- snort-2.9.0.1/doc/signatures/100000471.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000471.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000471
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "show.php" with SQL commands being passed as the "objectID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "objectID" parameter in the "show.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000472.txt snort-2.9.2/doc/signatures/100000472.txt
--- snort-2.9.0.1/doc/signatures/100000472.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000472.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000472
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "show.php" with SQL commands being passed as the "MAINID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "MAINID" parameter in the "show.php" script used by the
-"VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000473.txt snort-2.9.2/doc/signatures/100000473.txt
--- snort-2.9.0.1/doc/signatures/100000473.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000473.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000473
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "language.php" with SQL commands being passed as the "Action" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "Action" parameter in the "language.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000474.txt snort-2.9.2/doc/signatures/100000474.txt
--- snort-2.9.0.1/doc/signatures/100000474.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000474.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000474
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "meaning.php" with SQL commands being passed as the "QuaranID" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "QuaranID" parameter in the "meaning.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000475.txt snort-2.9.2/doc/signatures/100000475.txt
--- snort-2.9.0.1/doc/signatures/100000475.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000475.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000475
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "meaning.php" with SQL commands being passed as the "ShowByQuranID"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "ShowByQuranID" parameter in the "meaning.php" script
-used by the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000476.txt snort-2.9.2/doc/signatures/100000476.txt
--- snort-2.9.0.1/doc/signatures/100000476.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000476.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000476
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "meaning.php" with SQL commands being passed as the "Action" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "Action" parameter in the "meaning.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000477.txt snort-2.9.2/doc/signatures/100000477.txt
--- snort-2.9.0.1/doc/signatures/100000477.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000477.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000477 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "VBZoom" application running on a webserver. Access to the -file "subject.php" with SQL commands being passed as the "MainID" parameter may -indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "MainID" parameter in the "subject.php" script used by -the "VBZoom" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using VBZoom --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000478.txt snort-2.9.2/doc/signatures/100000478.txt --- snort-2.9.0.1/doc/signatures/100000478.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000478.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000478 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "aWebNews" application running on a webserver. -Access to the file "visview.php" using a remote file being passed as the -"path_to_news" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "path_to_news" parameter in the "visview.php" script -used by the "aWebNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using aWebNews --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000479.txt snort-2.9.2/doc/signatures/100000479.txt --- snort-2.9.0.1/doc/signatures/100000479.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000479.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -100000479 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "CzarNews" application running on a webserver. -Access to the file "headlines.php" using a remote file being passed as the -"tpath" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "tpath" parameter in the "headlines.php" script used by -the "CzarNews" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using CzarNews --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000480.txt snort-2.9.2/doc/signatures/100000480.txt --- snort-2.9.0.1/doc/signatures/100000480.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000480.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000480 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Somery" application running on a webserver. -Access to the file "team.php" using a remote file being passed as the -"checkauth" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "checkauth" parameter in the "team.php" script used by -the "Somery" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Somery --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000481.txt snort-2.9.2/doc/signatures/100000481.txt --- snort-2.9.0.1/doc/signatures/100000481.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000481.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000481 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Hinton Design PHPHG" application running on a -webserver. Access to the file "signed.php" using a remote file being passed as -the "phphg_real_path" parameter may indicate that an exploitation attempt has -been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "phphg_real_path" parameter in the "signed.php" script -used by the "Hinton Design PHPHG" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Hinton Design PHPHG --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. 
Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000482.txt snort-2.9.2/doc/signatures/100000482.txt --- snort-2.9.0.1/doc/signatures/100000482.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000482.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -100000482 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "BoastMachine" application running on a webserver. -Access to the file "vote.php" using a remote file being passed as the "bmc_dir" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "bmc_dir" parameter in the "vote.php" script used by the -"BoastMachine" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using BoastMachine --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000483.txt snort-2.9.2/doc/signatures/100000483.txt --- snort-2.9.0.1/doc/signatures/100000483.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000483.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000483 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "Wheatblog" application running on a webserver. -Access to the file "view_links.php" using a remote file being passed as the -"wb_inc_dir" parameter may indicate that an exploitation attempt has been -attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "wb_inc_dir" parameter in the "view_links.php" script -used by the "Wheatblog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Wheatblog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000484.txt snort-2.9.2/doc/signatures/100000484.txt --- snort-2.9.0.1/doc/signatures/100000484.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000484.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000484 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "Confixx" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "lpath" parameter in the "ftp_index.php" script -used by the "Confixx" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Confixx --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000485.txt snort-2.9.2/doc/signatures/100000485.txt --- snort-2.9.0.1/doc/signatures/100000485.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000485.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -100000485 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "RahnemaCo" application running on a webserver. -Access to the file "page.php" using a remote file being passed as the "osCsid" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "osCsid" parameter in the "page.php" script used by the -"RahnemaCo" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using RahnemaCo --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000486.txt snort-2.9.2/doc/signatures/100000486.txt --- snort-2.9.0.1/doc/signatures/100000486.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000486.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000486 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "PhpBlueDragon CMS" application running on a -webserver. Access to the file "template.php" using a remote file being passed -as the "vsDragonRootPath" parameter may indicate that an exploitation attempt -has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "vsDragonRootPath" parameter in the "template.php" -script used by the "PhpBlueDragon CMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PhpBlueDragon CMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. 
Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000487.txt snort-2.9.2/doc/signatures/100000487.txt --- snort-2.9.0.1/doc/signatures/100000487.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000487.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -100000487 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ISPConfig" application running on a webserver. -Access to the file "server.inc.php" using a remote file being passed as the -"go_info[isp][classes_root]" parameter may indicate that an exploitation -attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "go_info[isp][classes_root]" parameter in the -"server.inc.php" script used by the "ISPConfig" application running on a -webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ISPConfig --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. 
Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000488.txt snort-2.9.2/doc/signatures/100000488.txt --- snort-2.9.0.1/doc/signatures/100000488.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000488.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -100000488 --- -Summary: -This event is generated when an attempt is made to exploit a remote file -include vulnerability in the "ISPConfig" application running on a webserver. -Access to the file "app.inc.php" using a remote file being passed as the -"go_info[isp][classes_root]" parameter may indicate that an exploitation -attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a -remote machine via the "go_info[isp][classes_root]" parameter in the -"app.inc.php" script used by the "ISPConfig" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to execute system binaries or malicious code of the -attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using ISPConfig --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own -credentials to gain access. Alternatively the attacker can exploit weaknesses -to gain access as the administrator by supplying input of their choosing to the -underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000489.txt snort-2.9.2/doc/signatures/100000489.txt --- snort-2.9.0.1/doc/signatures/100000489.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000489.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000489
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ISPConfig" application running on a webserver.
-Access to the file "login.php" using a remote file being passed as the
-"go_info[isp][classes_root]" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "go_info[isp][classes_root]" parameter in the
-"login.php" script used by the "ISPConfig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ISPConfig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000490.txt snort-2.9.2/doc/signatures/100000490.txt
--- snort-2.9.0.1/doc/signatures/100000490.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000490.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000490
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "ISPConfig" application running on a webserver.
-Access to the file "trylogin.php" using a remote file being passed as the
-"go_info[isp][classes_root]" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "go_info[isp][classes_root]" parameter in the
-"trylogin.php" script used by the "ISPConfig" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ISPConfig
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000491.txt snort-2.9.2/doc/signatures/100000491.txt
--- snort-2.9.0.1/doc/signatures/100000491.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000491.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000491
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "DeluxeBB" application running on a webserver.
-Access to the file "posting.php" using a remote file being passed as the
-"templatefolder" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "templatefolder" parameter in the "posting.php" script
-used by the "DeluxeBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DeluxeBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000492.txt snort-2.9.2/doc/signatures/100000492.txt
--- snort-2.9.0.1/doc/signatures/100000492.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000492.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000492
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "DeluxeBB" application running on a webserver.
-Access to the file "newpm.php" using a remote file being passed as the
-"templatefolder" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "templatefolder" parameter in the "newpm.php" script
-used by the "DeluxeBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DeluxeBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000493.txt snort-2.9.2/doc/signatures/100000493.txt
--- snort-2.9.0.1/doc/signatures/100000493.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000493.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000493
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "DeluxeBB" application running on a webserver.
-Access to the file "postreply.php" using a remote file being passed as the
-"templatefolder" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "templatefolder" parameter in the "postreply.php" script
-used by the "DeluxeBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using DeluxeBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000494.txt snort-2.9.2/doc/signatures/100000494.txt
--- snort-2.9.0.1/doc/signatures/100000494.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000494.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000494
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Zeroboard" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "$s_file_name" parameter in the "write_ok.php"
-script used by the "Zeroboard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Zeroboard
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000495.txt snort-2.9.2/doc/signatures/100000495.txt
--- snort-2.9.0.1/doc/signatures/100000495.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000495.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000495
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Zeroboard" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "$file_name" parameter in the "write_ok.php"
-script used by the "Zeroboard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Zeroboard
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000496.txt snort-2.9.2/doc/signatures/100000496.txt
--- snort-2.9.0.1/doc/signatures/100000496.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000496.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000496
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Chipmailer" application running on a webserver. Access to
-the file "index.php" with SQL commands being passed as the "anfang" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "anfang" parameter in the "index.php" script used by the
-"Chipmailer" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Chipmailer
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000497.txt snort-2.9.2/doc/signatures/100000497.txt
--- snort-2.9.0.1/doc/signatures/100000497.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000497.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000497
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Calendarix" application running on a webserver. Access to
-the file "cal_event.php" with SQL commands being passed as the "id" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "cal_event.php" script used by the
-"Calendarix" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Calendarix
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000498.txt snort-2.9.2/doc/signatures/100000498.txt
--- snort-2.9.0.1/doc/signatures/100000498.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000498.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000498
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Calendarix" application running on a webserver. Access to
-the file "cal_popup.php" with SQL commands being passed as the "id" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "cal_popup.php" script used by the
-"Calendarix" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Calendarix
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000499.txt snort-2.9.2/doc/signatures/100000499.txt
--- snort-2.9.0.1/doc/signatures/100000499.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000499.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000499
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PictureDis" application running on a webserver.
-Access to the file "thumstbl.php" using a remote file being passed as the
-"lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "lang" parameter in the "thumstbl.php" script used by
-the "PictureDis" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PictureDis
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000500.txt snort-2.9.2/doc/signatures/100000500.txt
--- snort-2.9.0.1/doc/signatures/100000500.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000500.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000500
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PictureDis" application running on a webserver.
-Access to the file "wpfiles.php" using a remote file being passed as the "lang"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "lang" parameter in the "wpfiles.php" script used by the
-"PictureDis" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PictureDis
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000501.txt snort-2.9.2/doc/signatures/100000501.txt
--- snort-2.9.0.1/doc/signatures/100000501.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000501.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000501
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PictureDis" application running on a webserver.
-Access to the file "wallpapr.php" using a remote file being passed as the
-"lang" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "lang" parameter in the "wallpapr.php" script used by
-the "PictureDis" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PictureDis
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000502.txt snort-2.9.2/doc/signatures/100000502.txt
--- snort-2.9.0.1/doc/signatures/100000502.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000502.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000502
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Ji-Takz" application running on a webserver.
-Access to the file "tag.class.php" using a remote file being passed as the
-"mycfg" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "mycfg" parameter in the "tag.class.php" script used by
-the "Ji-Takz" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Ji-Takz
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000503.txt snort-2.9.2/doc/signatures/100000503.txt
--- snort-2.9.0.1/doc/signatures/100000503.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000503.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000503
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "action.php" using a remote file being passed as the
-"DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "action.php" script used by
-the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000504.txt snort-2.9.2/doc/signatures/100000504.txt
--- snort-2.9.0.1/doc/signatures/100000504.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000504.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000504
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "media.php" using a remote file being passed as the
-"DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "media.php" script used by
-the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000505.txt snort-2.9.2/doc/signatures/100000505.txt
--- snort-2.9.0.1/doc/signatures/100000505.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000505.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000505
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "server.php" using a remote file being passed as the
-"DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "server.php" script used by
-the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000506.txt snort-2.9.2/doc/signatures/100000506.txt
--- snort-2.9.0.1/doc/signatures/100000506.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000506.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000506
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Nucleus CMS" application running on a webserver.
-Access to the file "api_metaweblog.inc.php" using a remote file being passed as
-the "DIR_LIB" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DIR_LIB" parameter in the "api_metaweblog.inc.php"
-script used by the "Nucleus CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Nucleus CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000507.txt snort-2.9.2/doc/signatures/100000507.txt
--- snort-2.9.0.1/doc/signatures/100000507.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000507.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000507
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "FlashChat" application running on a webserver.
-Access to the file "adminips.php" using a remote file being passed as the
-"banned_file" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "banned_file" parameter in the "adminips.php" script
-used by the "FlashChat" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FlashChat
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000508.txt snort-2.9.2/doc/signatures/100000508.txt
--- snort-2.9.0.1/doc/signatures/100000508.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000508.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000508
---
-Summary:
-This event is generated when an attempt is made to access the file "wakka.php
-which contains known vulnerabilities in the "Wikkawiki" application running on
-a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known
-vulnerabilities from a remote machine used by the "Wikkawiki" application
-running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Wikkawiki
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000509.txt snort-2.9.2/doc/signatures/100000509.txt
--- snort-2.9.0.1/doc/signatures/100000509.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000509.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000509
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "RahnemaCo" application running on a webserver.
-Access to the file "page.php" using a remote file being passed as the "pageid"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "pageid" parameter in the "page.php" script used by the
-"RahnemaCo" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using RahnemaCo
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000510.txt snort-2.9.2/doc/signatures/100000510.txt
--- snort-2.9.0.1/doc/signatures/100000510.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000510.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000510
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "rank.php" with SQL commands being passed as the "MemberID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "MemberID" parameter in the "rank.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000511.txt snort-2.9.2/doc/signatures/100000511.txt
--- snort-2.9.0.1/doc/signatures/100000511.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000511.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000511
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "message.php" with SQL commands being passed as the "UserID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "UserID" parameter in the "message.php" script used by
-the "VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000512.txt snort-2.9.2/doc/signatures/100000512.txt
--- snort-2.9.0.1/doc/signatures/100000512.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000512.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000512
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VBZoom" application running on a webserver. Access to the
-file "lng.php" with SQL commands being passed as the "QuranID" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "QuranID" parameter in the "lng.php" script used by the
-"VBZoom" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZoom
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000513.txt snort-2.9.2/doc/signatures/100000513.txt
--- snort-2.9.0.1/doc/signatures/100000513.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000513.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000513
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "SAPHPLesson" application running on a webserver. Access
-to the file "showcat.php" with SQL commands being passed as the "forumid"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "forumid" parameter in the "showcat.php" script used by
-the "SAPHPLesson" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SAPHPLesson
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000514.txt snort-2.9.2/doc/signatures/100000514.txt
--- snort-2.9.0.1/doc/signatures/100000514.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000514.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000514
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "SAPHPLesson" application running on a webserver. Access
-to the file "misc.php" with SQL commands being passed as the "action" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "action" parameter in the "misc.php" script used by the
-"SAPHPLesson" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SAPHPLesson
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000515.txt snort-2.9.2/doc/signatures/100000515.txt
--- snort-2.9.0.1/doc/signatures/100000515.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000515.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000515
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "CMS Faethon" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "mainpath" parameter in the "header.php" script
-used by the "CMS Faethon" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using CMS Faethon
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000516.txt snort-2.9.2/doc/signatures/100000516.txt
--- snort-2.9.0.1/doc/signatures/100000516.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000516.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000516
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "CMS Faethon" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "mainpath" parameter in the "footer.php" script
-used by the "CMS Faethon" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using CMS Faethon
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000517.txt snort-2.9.2/doc/signatures/100000517.txt
--- snort-2.9.0.1/doc/signatures/100000517.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000517.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000517
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "e107" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "ep" parameter in the "search.php" script used
-by the "e107" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using e107
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000518.txt snort-2.9.2/doc/signatures/100000518.txt
--- snort-2.9.0.1/doc/signatures/100000518.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000518.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000518
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Live Helper" application running on a
-webserver. Access to the file "initiate.php" using a remote file being passed
-as the "abs_path" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "abs_path" parameter in the "initiate.php" script used
-by the "PHP Live Helper" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Live Helper
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000519.txt snort-2.9.2/doc/signatures/100000519.txt
--- snort-2.9.0.1/doc/signatures/100000519.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000519.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000519
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "VUBB" application running on a webserver. Access to the
-file "index.php" with SQL commands being passed as the "user" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "user" parameter in the "index.php" script used by the
-"VUBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VUBB
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000520.txt snort-2.9.2/doc/signatures/100000520.txt
--- snort-2.9.0.1/doc/signatures/100000520.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000520.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000520
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Xarancms" application running on a webserver. Access to
-the file "xaramcms_haupt.php" with SQL commands being passed as the "id"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "xaramcms_haupt.php" script used
-by the "Xarancms" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Xarancms
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000521.txt snort-2.9.2/doc/signatures/100000521.txt
--- snort-2.9.0.1/doc/signatures/100000521.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000521.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-100000521
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "TPL Design TplShop" application running on a webserver.
-Access to the file "category.php" with SQL commands being passed as the
-"first_row" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "first_row" parameter in the "category.php" script used
-by the "TPL Design TplShop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using TPL Design TplShop
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000522.txt snort-2.9.2/doc/signatures/100000522.txt
--- snort-2.9.0.1/doc/signatures/100000522.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000522.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000522
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "The Edge eCommerce Shop" application running on
-a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "cart_id" parameter in the "productDetail.php"
-script used by the "The Edge eCommerce Shop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using The Edge eCommerce Shop
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000523.txt snort-2.9.2/doc/signatures/100000523.txt
--- snort-2.9.0.1/doc/signatures/100000523.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000523.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000523
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "CavoxCms" application running on a webserver. Access to
-the file "index.php" with SQL commands being passed as the "page" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "page" parameter in the "index.php" script used by the
-"CavoxCms" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CavoxCms
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000524.txt snort-2.9.2/doc/signatures/100000524.txt
--- snort-2.9.0.1/doc/signatures/100000524.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000524.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000524
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Micro CMS" application running on a webserver.
-Access to the file "microcms-include.php" using a remote file being passed as
-the "microcms_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "microcms_path" parameter in the "microcms-include.php"
-script used by the "Micro CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Micro CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000525.txt snort-2.9.2/doc/signatures/100000525.txt
--- snort-2.9.0.1/doc/signatures/100000525.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000525.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000525
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PHPMyDirectory" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "PIC" parameter in the "offer-pix.php" script
-used by the "PHPMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyDirectory
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000526.txt snort-2.9.2/doc/signatures/100000526.txt
--- snort-2.9.0.1/doc/signatures/100000526.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000526.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000526
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PHPMyDirectory" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "from" parameter in the "index.php" script used
-by the "PHPMyDirectory" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyDirectory
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000527.txt snort-2.9.2/doc/signatures/100000527.txt
--- snort-2.9.0.1/doc/signatures/100000527.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000527.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000527
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "AssoCIateD" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "menu" parameter in the "index.php" script used
-by the "AssoCIateD" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using AssoCIateD
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000528.txt snort-2.9.2/doc/signatures/100000528.txt
--- snort-2.9.0.1/doc/signatures/100000528.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000528.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000528
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PHPMyForum" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "highlight" parameter in the "topic.php" script
-used by the "PHPMyForum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMyForum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000529.txt snort-2.9.2/doc/signatures/100000529.txt
--- snort-2.9.0.1/doc/signatures/100000529.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000529.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000529 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "NC Linklist" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "cat" parameter in the "index.php" script used -by the "NC Linklist" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using NC Linklist --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000530.txt snort-2.9.2/doc/signatures/100000530.txt --- snort-2.9.0.1/doc/signatures/100000530.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000530.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000530 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "NC Linklist" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "view" parameter in the "index.php" script used -by the "NC Linklist" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using NC Linklist --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000531.txt snort-2.9.2/doc/signatures/100000531.txt --- snort-2.9.0.1/doc/signatures/100000531.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000531.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000531 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "BtitTracker" application running on a webserver. Access -to the file "torrents.php" with SQL commands being passed as the "by" parameter -may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "by" parameter in the "torrents.php" script used by the -"BtitTracker" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using BtitTracker --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000532.txt snort-2.9.2/doc/signatures/100000532.txt --- snort-2.9.0.1/doc/signatures/100000532.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000532.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000532 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "BtitTracker" application running on a webserver. Access -to the file "torrents.php" with SQL commands being passed as the "order" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "order" parameter in the "torrents.php" script used by -the "BtitTracker" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using BtitTracker --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000533.txt snort-2.9.2/doc/signatures/100000533.txt --- snort-2.9.0.1/doc/signatures/100000533.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000533.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000533 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "VUBB" application running on a webserver. Access to the -file "functions.php" with SQL commands being passed as the "email" parameter -may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "email" parameter in the "functions.php" script used by -the "VUBB" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using VUBB --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000534.txt snort-2.9.2/doc/signatures/100000534.txt --- snort-2.9.0.1/doc/signatures/100000534.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000534.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -100000534 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "VUBB" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "user" parameter in the "english.php" script -used by the "VUBB" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using VUBB --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000535.txt snort-2.9.2/doc/signatures/100000535.txt --- snort-2.9.0.1/doc/signatures/100000535.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000535.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000535 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "IMGallery" application running on a webserver. Access to -the file "galeria.php" with SQL commands being passed as the "start" parameter -may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "start" parameter in the "galeria.php" script used by -the "IMGallery" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using IMGallery --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000536.txt snort-2.9.2/doc/signatures/100000536.txt --- snort-2.9.0.1/doc/signatures/100000536.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000536.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000536 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "IMGallery" application running on a webserver. Access to -the file "galeria.php" with SQL commands being passed as the "sort" parameter -may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "sort" parameter in the "galeria.php" script used by the -"IMGallery" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using IMGallery --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000537.txt snort-2.9.2/doc/signatures/100000537.txt --- snort-2.9.0.1/doc/signatures/100000537.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000537.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000537 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "thinkWMS" application running on a webserver. Access to -the file "index.php" with SQL commands being passed as the "id" parameter may -indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "id" parameter in the "index.php" script used by the -"thinkWMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using thinkWMS --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000538.txt snort-2.9.2/doc/signatures/100000538.txt --- snort-2.9.0.1/doc/signatures/100000538.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000538.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000538 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "thinkWMS" application running on a webserver. Access to -the file "index.php" with SQL commands being passed as the "catid" parameter -may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "catid" parameter in the "index.php" script used by the -"thinkWMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using thinkWMS --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000539.txt snort-2.9.2/doc/signatures/100000539.txt --- snort-2.9.0.1/doc/signatures/100000539.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000539.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000539 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "thinkWMS" application running on a webserver. Access to -the file "printarticle.php" with SQL commands being passed as the "id" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "id" parameter in the "printarticle.php" script used by -the "thinkWMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using thinkWMS --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000540.txt snort-2.9.2/doc/signatures/100000540.txt --- snort-2.9.0.1/doc/signatures/100000540.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000540.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -100000540 --- -Summary: -This event is generated when an attempt is made to exploit a cross site -scripting vulnerability in the "Enterprise Groupware" application running on a -webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site -scripting vulnerability via the "module" parameter in the "index.php" script -used by the "Enterprise Groupware" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to retrieve sensitive data, execute system binaries -or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Enterprise Groupware --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a -user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000541.txt snort-2.9.2/doc/signatures/100000541.txt --- snort-2.9.0.1/doc/signatures/100000541.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000541.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -100000541 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "Dating Agent" application running on a webserver. Access -to the file "picture.php" with SQL commands being passed as the "pid" parameter -may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "pid" parameter in the "picture.php" script used by the -"Dating Agent" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Dating Agent --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000542.txt snort-2.9.2/doc/signatures/100000542.txt --- snort-2.9.0.1/doc/signatures/100000542.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000542.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000542
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "mem.php" with SQL commands being passed as the "mid" parameter may
-indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "mid" parameter in the "mem.php" script used by the
-"Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000543.txt snort-2.9.2/doc/signatures/100000543.txt
--- snort-2.9.0.1/doc/signatures/100000543.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000543.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000543
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "search.php" with SQL commands being passed as the "sex" parameter
-may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "sex" parameter in the "search.php" script used by the
-"Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000544.txt snort-2.9.2/doc/signatures/100000544.txt
--- snort-2.9.0.1/doc/signatures/100000544.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000544.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000544
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Dating Agent" application running on a webserver. Access
-to the file "search.php" with SQL commands being passed as the "relationship"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "relationship" parameter in the "search.php" script used
-by the "Dating Agent" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Dating Agent
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000545.txt snort-2.9.2/doc/signatures/100000545.txt
--- snort-2.9.0.1/doc/signatures/100000545.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000545.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000545
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "team_admin.php" using a remote file being passed
-as the "DragonRootPath" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "team_admin.php"
-script used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000546.txt snort-2.9.2/doc/signatures/100000546.txt
--- snort-2.9.0.1/doc/signatures/100000546.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000546.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000546
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "rss_admin.php" using a remote file being passed
-as the "DragonRootPath" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "rss_admin.php" script
-used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000547.txt snort-2.9.2/doc/signatures/100000547.txt
--- snort-2.9.0.1/doc/signatures/100000547.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000547.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000547
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "manual_admin.php" using a remote file being
-passed as the "DragonRootPath" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "manual_admin.php"
-script used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000548.txt snort-2.9.2/doc/signatures/100000548.txt
--- snort-2.9.0.1/doc/signatures/100000548.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000548.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000548
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHP Blue Dragon CMS" application running on a
-webserver. Access to the file "forum_admin.php" using a remote file being
-passed as the "DragonRootPath" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "DragonRootPath" parameter in the "forum_admin.php"
-script used by the "PHP Blue Dragon CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Blue Dragon CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000549.txt snort-2.9.2/doc/signatures/100000549.txt
--- snort-2.9.0.1/doc/signatures/100000549.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000549.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000549
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Custom Datin Biz" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "u" parameter in the "user_view.php" script
-used by the "Custom Datin Biz" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Custom Datin Biz
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000550.txt snort-2.9.2/doc/signatures/100000550.txt
--- snort-2.9.0.1/doc/signatures/100000550.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000550.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000550
---
-Summary:
-This event is generated when an attempt is made to access the file "comment.php
-which contains known vulnerabilities in the "Project Eros BBSEngine"
-application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known
-vulnerabilities from a remote machine used by the "Project Eros BBSEngine"
-application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Project Eros BBSEngine
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000551.txt snort-2.9.2/doc/signatures/100000551.txt
--- snort-2.9.0.1/doc/signatures/100000551.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000551.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-100000551
---
-Summary:
-This event is generated when an attempt is made to access the file
-"aolbonics.php which contains known vulnerabilities in the "Project Eros
-BBSEngine" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known
-vulnerabilities from a remote machine used by the "Project Eros BBSEngine"
-application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Project Eros BBSEngine
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000552.txt snort-2.9.2/doc/signatures/100000552.txt
--- snort-2.9.0.1/doc/signatures/100000552.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000552.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000552
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "SmartSiteCMS" application running on a webserver.
-Access to the file "inc_foot.php" using a remote file being passed as the
-"root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "root" parameter in the "inc_foot.php" script used by
-the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000553.txt snort-2.9.2/doc/signatures/100000553.txt
--- snort-2.9.0.1/doc/signatures/100000553.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000553.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000553
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "PHPMySMS" application running on a webserver.
-Access to the file "gateway.php" using a remote file being passed as the
-"ROOT_PATH" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "ROOT_PATH" parameter in the "gateway.php" script used
-by the "PHPMySMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMySMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000554.txt snort-2.9.2/doc/signatures/100000554.txt
--- snort-2.9.0.1/doc/signatures/100000554.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000554.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000554
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "tid" parameter in the "error.php" script used
-by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000555.txt snort-2.9.2/doc/signatures/100000555.txt
--- snort-2.9.0.1/doc/signatures/100000555.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000555.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000555
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "lid" parameter in the "error.php" script used
-by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000556.txt snort-2.9.2/doc/signatures/100000556.txt
--- snort-2.9.0.1/doc/signatures/100000556.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000556.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000556
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "sid" parameter in the "error.php" script used
-by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000557.txt snort-2.9.2/doc/signatures/100000557.txt
--- snort-2.9.0.1/doc/signatures/100000557.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000557.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000557
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "f_user" parameter in the "index.php" script
-used by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000558.txt snort-2.9.2/doc/signatures/100000558.txt
--- snort-2.9.0.1/doc/signatures/100000558.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000558.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000558
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "VebiMiau" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "pag" parameter in the "messages.php" script
-used by the "VebiMiau" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using VebiMiau
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000559.txt snort-2.9.2/doc/signatures/100000559.txt
--- snort-2.9.0.1/doc/signatures/100000559.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000559.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-100000559
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Infinite Core Technologies ICT" application running on a
-webserver. Access to the file "index.php" with SQL commands being passed as the
-"post" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "post" parameter in the "index.php" script used by the
-"Infinite Core Technologies ICT" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Infinite Core Technologies ICT
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000560.txt snort-2.9.2/doc/signatures/100000560.txt
--- snort-2.9.0.1/doc/signatures/100000560.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000560.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-100000560
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "eNpaper1" application running on a webserver.
-Access to the file "root_header.php" using a remote file being passed as the
-"ppath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "ppath" parameter in the "root_header.php" script used
-by the "eNpaper1" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using eNpaper1
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000561.txt snort-2.9.2/doc/signatures/100000561.txt
--- snort-2.9.0.1/doc/signatures/100000561.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000561.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000561
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "dotProject" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "login" parameter in the "ui.class.php" script
-used by the "dotProject" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using dotProject
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000562.txt snort-2.9.2/doc/signatures/100000562.txt
--- snort-2.9.0.1/doc/signatures/100000562.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000562.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000562
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "sort" parameter in the "show.php" script used
-by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000563.txt snort-2.9.2/doc/signatures/100000563.txt
--- snort-2.9.0.1/doc/signatures/100000563.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000563.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000563
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "page" parameter in the "show.php" script used
-by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000564.txt snort-2.9.2/doc/signatures/100000564.txt
--- snort-2.9.0.1/doc/signatures/100000564.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000564.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000564
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "search" parameter in the "show.php" script
-used by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000565.txt snort-2.9.2/doc/signatures/100000565.txt
--- snort-2.9.0.1/doc/signatures/100000565.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000565.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000565
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "GL-SH Deaf Forum" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "action" parameter in the "show.php" script
-used by the "GL-SH Deaf Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using GL-SH Deaf Forum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000566.txt snort-2.9.2/doc/signatures/100000566.txt
--- snort-2.9.0.1/doc/signatures/100000566.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000566.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000566
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "XennoBB" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "tid" parameter in the "messages.php" script
-used by the "XennoBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using XennoBB
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000567.txt snort-2.9.2/doc/signatures/100000567.txt
--- snort-2.9.0.1/doc/signatures/100000567.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000567.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000567
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Qdig" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "pre_gallery" parameter in the "index.php"
-script used by the "Qdig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Qdig
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000568.txt snort-2.9.2/doc/signatures/100000568.txt
--- snort-2.9.0.1/doc/signatures/100000568.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000568.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000568
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "Qdig" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "post_gallery" parameter in the "index.php"
-script used by the "Qdig" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Qdig
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000569.txt snort-2.9.2/doc/signatures/100000569.txt
--- snort-2.9.0.1/doc/signatures/100000569.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000569.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000569
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "app_change_email.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"app_change_email.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000570.txt snort-2.9.2/doc/signatures/100000570.txt
--- snort-2.9.0.1/doc/signatures/100000570.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000570.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000570
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "app_change_pwd.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"app_change_pwd.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000571.txt snort-2.9.2/doc/signatures/100000571.txt
--- snort-2.9.0.1/doc/signatures/100000571.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000571.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000571
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "app_mod_rewrite.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"app_mod_rewrite.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000572.txt snort-2.9.2/doc/signatures/100000572.txt
--- snort-2.9.0.1/doc/signatures/100000572.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000572.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000572
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "app_page_caching.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"app_page_caching.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000573.txt snort-2.9.2/doc/signatures/100000573.txt
--- snort-2.9.0.1/doc/signatures/100000573.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000573.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000573
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "app_setup.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "app_setup.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000574.txt snort-2.9.2/doc/signatures/100000574.txt
--- snort-2.9.0.1/doc/signatures/100000574.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000574.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000574
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_add.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_add.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000575.txt snort-2.9.2/doc/signatures/100000575.txt
--- snort-2.9.0.1/doc/signatures/100000575.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000575.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000575
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_delete.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000576.txt snort-2.9.2/doc/signatures/100000576.txt
--- snort-2.9.0.1/doc/signatures/100000576.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000576.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000576
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_edit.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000577.txt snort-2.9.2/doc/signatures/100000577.txt
--- snort-2.9.0.1/doc/signatures/100000577.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000577.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000577
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_path_update.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_path_update.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000578.txt snort-2.9.2/doc/signatures/100000578.txt
--- snort-2.9.0.1/doc/signatures/100000578.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000578.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000578
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_search.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_search.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000579.txt snort-2.9.2/doc/signatures/100000579.txt
--- snort-2.9.0.1/doc/signatures/100000579.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000579.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000579
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_struc.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_struc.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000580.txt snort-2.9.2/doc/signatures/100000580.txt
--- snort-2.9.0.1/doc/signatures/100000580.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000580.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000580
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "cat_view.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000581.txt snort-2.9.2/doc/signatures/100000581.txt
--- snort-2.9.0.1/doc/signatures/100000581.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000581.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000581
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view_hidden.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_view_hidden.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000582.txt snort-2.9.2/doc/signatures/100000582.txt
--- snort-2.9.0.1/doc/signatures/100000582.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000582.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000582
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view_hierarchy.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_view_hierarchy.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000583.txt snort-2.9.2/doc/signatures/100000583.txt
--- snort-2.9.0.1/doc/signatures/100000583.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000583.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000583
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "cat_view_registered_only.php" using a remote file being
-passed as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"cat_view_registered_only.php" script used by the "Indexu" application running
-on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000584.txt snort-2.9.2/doc/signatures/100000584.txt
--- snort-2.9.0.1/doc/signatures/100000584.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000584.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000584
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "checkurl_web.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"checkurl_web.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000585.txt snort-2.9.2/doc/signatures/100000585.txt
--- snort-2.9.0.1/doc/signatures/100000585.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000585.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000585
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_alter.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_alter.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000586.txt snort-2.9.2/doc/signatures/100000586.txt
--- snort-2.9.0.1/doc/signatures/100000586.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000586.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000586
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_alter_change.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"db_alter_change.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000587.txt snort-2.9.2/doc/signatures/100000587.txt
--- snort-2.9.0.1/doc/signatures/100000587.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000587.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000587
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_backup.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_backup.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000588.txt snort-2.9.2/doc/signatures/100000588.txt
--- snort-2.9.0.1/doc/signatures/100000588.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000588.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000588
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_export.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_export.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000589.txt snort-2.9.2/doc/signatures/100000589.txt
--- snort-2.9.0.1/doc/signatures/100000589.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000589.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000589
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "db_import.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "db_import.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000590.txt snort-2.9.2/doc/signatures/100000590.txt
--- snort-2.9.0.1/doc/signatures/100000590.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000590.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000590
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "editor_add.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "editor_add.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000591.txt snort-2.9.2/doc/signatures/100000591.txt
--- snort-2.9.0.1/doc/signatures/100000591.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000591.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000591
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "editor_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"editor_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000592.txt snort-2.9.2/doc/signatures/100000592.txt
--- snort-2.9.0.1/doc/signatures/100000592.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000592.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000592
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "editor_validate.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"editor_validate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000593.txt snort-2.9.2/doc/signatures/100000593.txt
--- snort-2.9.0.1/doc/signatures/100000593.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000593.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000593
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "head.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "head.php" script
-used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000594.txt snort-2.9.2/doc/signatures/100000594.txt
--- snort-2.9.0.1/doc/signatures/100000594.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000594.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000594
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "index.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "index.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000595.txt snort-2.9.2/doc/signatures/100000595.txt
--- snort-2.9.0.1/doc/signatures/100000595.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000595.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000595
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_config.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_config.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000596.txt snort-2.9.2/doc/signatures/100000596.txt
--- snort-2.9.0.1/doc/signatures/100000596.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000596.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000596
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_config_payment.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"inv_config_payment.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000597.txt snort-2.9.2/doc/signatures/100000597.txt
--- snort-2.9.0.1/doc/signatures/100000597.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000597.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000597
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_create.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_create.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000598.txt snort-2.9.2/doc/signatures/100000598.txt
--- snort-2.9.0.1/doc/signatures/100000598.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000598.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000598
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_delete.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000599.txt snort-2.9.2/doc/signatures/100000599.txt
--- snort-2.9.0.1/doc/signatures/100000599.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000599.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000599
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_edit.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000600.txt snort-2.9.2/doc/signatures/100000600.txt
--- snort-2.9.0.1/doc/signatures/100000600.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000600.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000600
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_markpaid.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"inv_markpaid.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000601.txt snort-2.9.2/doc/signatures/100000601.txt
--- snort-2.9.0.1/doc/signatures/100000601.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000601.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000601
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_markunpaid.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"inv_markunpaid.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000602.txt snort-2.9.2/doc/signatures/100000602.txt
--- snort-2.9.0.1/doc/signatures/100000602.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000602.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000602
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_overdue.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_overdue.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000603.txt snort-2.9.2/doc/signatures/100000603.txt
--- snort-2.9.0.1/doc/signatures/100000603.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000603.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000603
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_paid.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_paid.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000604.txt snort-2.9.2/doc/signatures/100000604.txt
--- snort-2.9.0.1/doc/signatures/100000604.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000604.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000604
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_send.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_send.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000605.txt snort-2.9.2/doc/signatures/100000605.txt
--- snort-2.9.0.1/doc/signatures/100000605.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000605.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000605
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "inv_unpaid.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "inv_unpaid.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000606.txt snort-2.9.2/doc/signatures/100000606.txt
--- snort-2.9.0.1/doc/signatures/100000606.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000606.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000606
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "lang_modify.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "lang_modify.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000607.txt snort-2.9.2/doc/signatures/100000607.txt
--- snort-2.9.0.1/doc/signatures/100000607.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000607.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000607
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_add.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_add.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000608.txt snort-2.9.2/doc/signatures/100000608.txt
--- snort-2.9.0.1/doc/signatures/100000608.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000608.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000608
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_bad.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_bad.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000609.txt snort-2.9.2/doc/signatures/100000609.txt
--- snort-2.9.0.1/doc/signatures/100000609.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000609.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000609
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_bad_delete.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_bad_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000610.txt snort-2.9.2/doc/signatures/100000610.txt
--- snort-2.9.0.1/doc/signatures/100000610.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000610.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000610
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_checkurl.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_checkurl.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000611.txt snort-2.9.2/doc/signatures/100000611.txt
--- snort-2.9.0.1/doc/signatures/100000611.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000611.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000611
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_delete.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000612.txt snort-2.9.2/doc/signatures/100000612.txt
--- snort-2.9.0.1/doc/signatures/100000612.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000612.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000612
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_duplicate.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_duplicate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000613.txt snort-2.9.2/doc/signatures/100000613.txt
--- snort-2.9.0.1/doc/signatures/100000613.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000613.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000613
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_edit.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000614.txt snort-2.9.2/doc/signatures/100000614.txt
--- snort-2.9.0.1/doc/signatures/100000614.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000614.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000614
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_premium_listing.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_premium_listing.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000615.txt snort-2.9.2/doc/signatures/100000615.txt
--- snort-2.9.0.1/doc/signatures/100000615.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000615.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000615
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_premium_sponsored.php" using a remote file being
-passed as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_premium_sponsored.php" script used by the "Indexu" application running on
-a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000616.txt snort-2.9.2/doc/signatures/100000616.txt
--- snort-2.9.0.1/doc/signatures/100000616.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000616.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000616
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_search.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_search.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000617.txt snort-2.9.2/doc/signatures/100000617.txt
--- snort-2.9.0.1/doc/signatures/100000617.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000617.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000617
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_sponsored_listing.php" using a remote file being
-passed as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_sponsored_listing.php" script used by the "Indexu" application running on
-a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000618.txt snort-2.9.2/doc/signatures/100000618.txt
--- snort-2.9.0.1/doc/signatures/100000618.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000618.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000618
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_validate.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_validate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000619.txt snort-2.9.2/doc/signatures/100000619.txt
--- snort-2.9.0.1/doc/signatures/100000619.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000619.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000619
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_validate_edit.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"link_validate_edit.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000620.txt snort-2.9.2/doc/signatures/100000620.txt
--- snort-2.9.0.1/doc/signatures/100000620.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000620.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000620
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "link_view.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "link_view.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000621.txt snort-2.9.2/doc/signatures/100000621.txt
--- snort-2.9.0.1/doc/signatures/100000621.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000621.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000621
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "log_search.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "log_search.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000622.txt snort-2.9.2/doc/signatures/100000622.txt
--- snort-2.9.0.1/doc/signatures/100000622.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000622.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000622
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "mail_modify.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "mail_modify.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000623.txt snort-2.9.2/doc/signatures/100000623.txt
--- snort-2.9.0.1/doc/signatures/100000623.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000623.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000623
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "menu.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "menu.php" script
-used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000624.txt snort-2.9.2/doc/signatures/100000624.txt
--- snort-2.9.0.1/doc/signatures/100000624.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000624.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000624
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_create.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_create.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000625.txt snort-2.9.2/doc/signatures/100000625.txt
--- snort-2.9.0.1/doc/signatures/100000625.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000625.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000625
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000626.txt snort-2.9.2/doc/signatures/100000626.txt
--- snort-2.9.0.1/doc/signatures/100000626.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000626.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000626
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_edit.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000627.txt snort-2.9.2/doc/signatures/100000627.txt
--- snort-2.9.0.1/doc/signatures/100000627.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000627.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000627
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_send.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_send.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000628.txt snort-2.9.2/doc/signatures/100000628.txt
--- snort-2.9.0.1/doc/signatures/100000628.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000628.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000628
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_subscriber.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_subscriber.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000629.txt snort-2.9.2/doc/signatures/100000629.txt
--- snort-2.9.0.1/doc/signatures/100000629.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000629.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000629
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "message_view.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"message_view.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000630.txt snort-2.9.2/doc/signatures/100000630.txt
--- snort-2.9.0.1/doc/signatures/100000630.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000630.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000630
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "review_validate.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"review_validate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000631.txt snort-2.9.2/doc/signatures/100000631.txt
--- snort-2.9.0.1/doc/signatures/100000631.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000631.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000631
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "review_validate_edit.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"review_validate_edit.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000632.txt snort-2.9.2/doc/signatures/100000632.txt
--- snort-2.9.0.1/doc/signatures/100000632.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000632.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000632
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "summary.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "summary.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000633.txt snort-2.9.2/doc/signatures/100000633.txt
--- snort-2.9.0.1/doc/signatures/100000633.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000633.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000633
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_active.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_active.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000634.txt snort-2.9.2/doc/signatures/100000634.txt
--- snort-2.9.0.1/doc/signatures/100000634.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000634.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000634
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_add_custom.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_add_custom.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000635.txt snort-2.9.2/doc/signatures/100000635.txt
--- snort-2.9.0.1/doc/signatures/100000635.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000635.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000635
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_delete.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_delete.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000636.txt snort-2.9.2/doc/signatures/100000636.txt
--- snort-2.9.0.1/doc/signatures/100000636.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000636.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000636
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_delete_file.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_delete_file.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000637.txt snort-2.9.2/doc/signatures/100000637.txt
--- snort-2.9.0.1/doc/signatures/100000637.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000637.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000637
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_duplicate.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_duplicate.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000638.txt snort-2.9.2/doc/signatures/100000638.txt
--- snort-2.9.0.1/doc/signatures/100000638.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000638.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000638
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_export.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_export.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000639.txt snort-2.9.2/doc/signatures/100000639.txt
--- snort-2.9.0.1/doc/signatures/100000639.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000639.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000639
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_import.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_import.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000640.txt snort-2.9.2/doc/signatures/100000640.txt
--- snort-2.9.0.1/doc/signatures/100000640.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000640.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000640
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_manager.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_manager.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000641.txt snort-2.9.2/doc/signatures/100000641.txt
--- snort-2.9.0.1/doc/signatures/100000641.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000641.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000641
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_modify.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_modify.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000642.txt snort-2.9.2/doc/signatures/100000642.txt
--- snort-2.9.0.1/doc/signatures/100000642.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000642.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000642
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_modify_file.php" using a remote file being passed
-as the "admin_template_path" parameter may indicate that an exploitation
-attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_modify_file.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000643.txt snort-2.9.2/doc/signatures/100000643.txt
--- snort-2.9.0.1/doc/signatures/100000643.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000643.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-100000643
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "template_rename.php" using a remote file being passed as
-the "admin_template_path" parameter may indicate that an exploitation attempt
-has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the
-"template_rename.php" script used by the "Indexu" application running on a
-webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000644.txt snort-2.9.2/doc/signatures/100000644.txt
--- snort-2.9.0.1/doc/signatures/100000644.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000644.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000644
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "user_add.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "user_add.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000645.txt snort-2.9.2/doc/signatures/100000645.txt
--- snort-2.9.0.1/doc/signatures/100000645.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000645.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000645
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "user_delete.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "user_delete.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000646.txt snort-2.9.2/doc/signatures/100000646.txt
--- snort-2.9.0.1/doc/signatures/100000646.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000646.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000646
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "user_edit.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "user_edit.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000647.txt snort-2.9.2/doc/signatures/100000647.txt
--- snort-2.9.0.1/doc/signatures/100000647.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000647.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000647
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "user_search.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "user_search.php"
-script used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000648.txt snort-2.9.2/doc/signatures/100000648.txt
--- snort-2.9.0.1/doc/signatures/100000648.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000648.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000648
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Indexu" application running on a webserver.
-Access to the file "whos.php" using a remote file being passed as the
-"admin_template_path" parameter may indicate that an exploitation attempt has
-been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "admin_template_path" parameter in the "whos.php" script
-used by the "Indexu" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Indexu
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000649.txt snort-2.9.2/doc/signatures/100000649.txt
--- snort-2.9.0.1/doc/signatures/100000649.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000649.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000649
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "comment" parameter in the "index.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000650.txt snort-2.9.2/doc/signatures/100000650.txt
--- snort-2.9.0.1/doc/signatures/100000650.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000650.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000650
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "email" parameter in the "index.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000651.txt snort-2.9.2/doc/signatures/100000651.txt
--- snort-2.9.0.1/doc/signatures/100000651.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000651.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000651
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "homepage" parameter in the "index.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000652.txt snort-2.9.2/doc/signatures/100000652.txt
--- snort-2.9.0.1/doc/signatures/100000652.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000652.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000652
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "id" parameter in the "index.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000653.txt snort-2.9.2/doc/signatures/100000653.txt
--- snort-2.9.0.1/doc/signatures/100000653.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000653.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000653
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "name" parameter in the "index.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000654.txt snort-2.9.2/doc/signatures/100000654.txt
--- snort-2.9.0.1/doc/signatures/100000654.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000654.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000654
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "text" parameter in the "index.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000655.txt snort-2.9.2/doc/signatures/100000655.txt
--- snort-2.9.0.1/doc/signatures/100000655.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000655.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000655
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "comment" parameter in the "guestbook.php"
-script used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000656.txt snort-2.9.2/doc/signatures/100000656.txt
--- snort-2.9.0.1/doc/signatures/100000656.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000656.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000656
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "email" parameter in the "guestbook.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000657.txt snort-2.9.2/doc/signatures/100000657.txt
--- snort-2.9.0.1/doc/signatures/100000657.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000657.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000657
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "homepage" parameter in the "guestbook.php"
-script used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000658.txt snort-2.9.2/doc/signatures/100000658.txt
--- snort-2.9.0.1/doc/signatures/100000658.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000658.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000658
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "number" parameter in the "guestbook.php"
-script used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000659.txt snort-2.9.2/doc/signatures/100000659.txt
--- snort-2.9.0.1/doc/signatures/100000659.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000659.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000659
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "name" parameter in the "guestbook.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000660.txt snort-2.9.2/doc/signatures/100000660.txt
--- snort-2.9.0.1/doc/signatures/100000660.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000660.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000660
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "text" parameter in the "guestbook.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000661.txt snort-2.9.2/doc/signatures/100000661.txt
--- snort-2.9.0.1/doc/signatures/100000661.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000661.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000661
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "email" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000662.txt snort-2.9.2/doc/signatures/100000662.txt
--- snort-2.9.0.1/doc/signatures/100000662.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000662.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000662
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "homepage" parameter in the "edit.php" script
-used by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000663.txt snort-2.9.2/doc/signatures/100000663.txt
--- snort-2.9.0.1/doc/signatures/100000663.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000663.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000663
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "icq" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000664.txt snort-2.9.2/doc/signatures/100000664.txt
--- snort-2.9.0.1/doc/signatures/100000664.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000664.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000664
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "name" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000665.txt snort-2.9.2/doc/signatures/100000665.txt
--- snort-2.9.0.1/doc/signatures/100000665.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000665.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-100000665
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "MyPHP Guestbook" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "text" parameter in the "edit.php" script used
-by the "MyPHP Guestbook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP Guestbook
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000666.txt snort-2.9.2/doc/signatures/100000666.txt
--- snort-2.9.0.1/doc/signatures/100000666.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000666.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000666
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "files.php" using a remote file being passed as the
-"footer_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "footer_prog" parameter in the "files.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000667.txt snort-2.9.2/doc/signatures/100000667.txt
--- snort-2.9.0.1/doc/signatures/100000667.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000667.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000667
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "files.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "files.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000668.txt snort-2.9.2/doc/signatures/100000668.txt
--- snort-2.9.0.1/doc/signatures/100000668.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000668.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000668
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "pheader.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "pheader.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000669.txt snort-2.9.2/doc/signatures/100000669.txt
--- snort-2.9.0.1/doc/signatures/100000669.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000669.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000669
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "headlines.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "headlines.php" script
-used by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000670.txt snort-2.9.2/doc/signatures/100000670.txt
--- snort-2.9.0.1/doc/signatures/100000670.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000670.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000670
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "web_statsConfig.php" using a remote file being passed as
-the "mod_dir" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "mod_dir" parameter in the "web_statsConfig.php" script
-used by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000671.txt snort-2.9.2/doc/signatures/100000671.txt
--- snort-2.9.0.1/doc/signatures/100000671.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000671.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000671
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "preload.php" using a remote file being passed as the
-"func_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "func_prog" parameter in the "preload.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000672.txt snort-2.9.2/doc/signatures/100000672.txt
--- snort-2.9.0.1/doc/signatures/100000672.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000672.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000672
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "users.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "users.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000673.txt snort-2.9.2/doc/signatures/100000673.txt
--- snort-2.9.0.1/doc/signatures/100000673.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000673.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000673
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "web_statsConfig.php" using a remote file being passed as
-the "php_ext" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "php_ext" parameter in the "web_statsConfig.php" script
-used by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000674.txt snort-2.9.2/doc/signatures/100000674.txt
--- snort-2.9.0.1/doc/signatures/100000674.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000674.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000674
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "footer.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "footer.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000675.txt snort-2.9.2/doc/signatures/100000675.txt
--- snort-2.9.0.1/doc/signatures/100000675.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000675.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000675
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "pfooter.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "pfooter.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000676.txt snort-2.9.2/doc/signatures/100000676.txt
--- snort-2.9.0.1/doc/signatures/100000676.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000676.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000676
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "missing.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "missing.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000677.txt snort-2.9.2/doc/signatures/100000677.txt
--- snort-2.9.0.1/doc/signatures/100000677.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000677.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000677
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "topics.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "topics.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000678.txt snort-2.9.2/doc/signatures/100000678.txt
--- snort-2.9.0.1/doc/signatures/100000678.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000678.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000678
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "header.php" using a remote file being passed as the
-"mod_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "mod_root" parameter in the "header.php" script used by
-the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000679.txt snort-2.9.2/doc/signatures/100000679.txt
--- snort-2.9.0.1/doc/signatures/100000679.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000679.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000679
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "index.php" using a remote file being passed as the
-"func_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "func_prog" parameter in the "index.php" script used by
-the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000680.txt snort-2.9.2/doc/signatures/100000680.txt
--- snort-2.9.0.1/doc/signatures/100000680.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000680.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000680
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "search.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "search.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000681.txt snort-2.9.2/doc/signatures/100000681.txt
--- snort-2.9.0.1/doc/signatures/100000681.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000681.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000681
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "header.php" using a remote file being passed as the
-"theme_root" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "theme_root" parameter in the "header.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000682.txt snort-2.9.2/doc/signatures/100000682.txt
--- snort-2.9.0.1/doc/signatures/100000682.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000682.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-100000682
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file
-include vulnerability in the "Harpia" application running on a webserver.
-Access to the file "email.php" using a remote file being passed as the
-"header_prog" parameter may indicate that an exploitation attempt has been
-attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a
-remote machine via the "header_prog" parameter in the "email.php" script used
-by the "Harpia" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to execute system binaries or malicious code of the
-attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Harpia
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own
-credentials to gain access. Alternatively the attacker can exploit weaknesses
-to gain access as the administrator by supplying input of their choosing to the
-underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000683.txt snort-2.9.2/doc/signatures/100000683.txt
--- snort-2.9.0.1/doc/signatures/100000683.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000683.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-100000683
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "cPanel" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "file" parameter in the "select.html" script
-used by the "cPanel" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using cPanel
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000686.txt snort-2.9.2/doc/signatures/100000686.txt
--- snort-2.9.0.1/doc/signatures/100000686.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000686.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000686
-
---
-Summary:
-This event is generated when an empty CTCP NOTICE message is sent to an IRC
-channel.
-
---
-Impact:
-If the EnergyMech IRC Bot receives such a message, a denial of service
-condition will occur.
-
---
-Detailed Information:
-Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
-of service condition occurs. Note that this rule is set to examine only default
-IRC ports, in order to conserve system resources; if you are particularly
-concerned about this exploit, you may wish to set the ports to "any", as IRC
-channels can exist on any port.
-
---
-Affected Systems:
-EnergyMech <= 3.0.1
-
---
-Attack Scenarios:
-An attacker could exploit this vulnerability via any IRC client, or by using an
-automated script.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to version 3.0.2 or greater.
-
---
-Contributors:
-VeriSign MSS Operations Team
-Joel Esler
-
---
-Additional References:
-http://www.energymech.net/versions-3.0.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000687.txt snort-2.9.2/doc/signatures/100000687.txt
--- snort-2.9.0.1/doc/signatures/100000687.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000687.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-100000687
-
---
-Summary:
-This event is generated when an empty CTCP NOTICE message is sent to an IRC
-channel.
-
---
-Impact:
-If the EnergyMech IRC Bot receives such a message, a denial of service
-condition will occur.
-
---
-Detailed Information:
-Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
-of service condition occurs. Note that this rule is set to examine only default
-IRC ports, in order to conserve system resources; if you are particularly
-concerned about this exploit, you may wish to set the ports to "any", as IRC
-channels can exist on any port.
-
---
-Affected Systems:
-EnergyMech <= 3.0.1
-
---
-Attack Scenarios:
-An attacker could exploit this vulnerability via any IRC client, or by using an
-automated script.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to version 3.0.2 or greater.
-
---
-Contributors:
-VeriSign MSS Operations Team
-Joel Esler
-
---
-Additional References:
-http://www.energymech.net/versions-3.0.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/100000690.txt snort-2.9.2/doc/signatures/100000690.txt
--- snort-2.9.0.1/doc/signatures/100000690.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000690.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000690
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "BXCP" application running on a webserver. Access to the
-file "index.php" with SQL commands being passed may indicate that an
-exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "index.php" script used by the "BXCP" application
-running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running BXCP version 0.3.0.4 and prior.
-
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Currently, no patches or workarounds exist.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Chris Jacob
-
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-http://www.bxcp.com
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000691.txt snort-2.9.2/doc/signatures/100000691.txt
--- snort-2.9.0.1/doc/signatures/100000691.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000691.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,80 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000691
-
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection
-vulnerability in the "Diesel Joke Site" application running on a webserver.
-Access to the file "category.php" with SQL commands being passed as the "id"
-parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a
-remote machine via the "id" parameter in the "category.php" script used by the
-"Diesel Joke Site" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to compromise the database backend for the
-application, the attacker may also be able to execute system binaries or
-malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to
-a CGI application running ona web server. Some applications do not perform
-stringent checks when validating the credentials of a client host connecting to
-the services offered on a host server. This can lead to unauthorized access and
-possibly escalated privileges to that of the administrator. Data stored on the
-machine can be compromised and trust relationships between the victim server
-and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running the Diesel Joke Site system.
-
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application
-if user input is not correctly sanitized or checked before passing that input
-to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Currently, no patches or workarounds exist.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Chris Jacob
-
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-http://www.dieselscripts.com/diesel-joke-site.html
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000694.txt snort-2.9.2/doc/signatures/100000694.txt
--- snort-2.9.0.1/doc/signatures/100000694.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000694.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000694
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "gbrowse.php" with SQL commands being passed as the "cat_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "cat_id" parameter in the "gbrowse.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000695.txt snort-2.9.2/doc/signatures/100000695.txt
--- snort-2.9.0.1/doc/signatures/100000695.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000695.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000695
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "rating.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "rating.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000696.txt snort-2.9.2/doc/signatures/100000696.txt
--- snort-2.9.0.1/doc/signatures/100000696.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000696.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000696
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "create.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "create.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000697.txt snort-2.9.2/doc/signatures/100000697.txt
--- snort-2.9.0.1/doc/signatures/100000697.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000697.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000697
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "event_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "event_id" parameter in the "search.php" script used by the "VCard PRO" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VCard PRO
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000698.txt snort-2.9.2/doc/signatures/100000698.txt
--- snort-2.9.0.1/doc/signatures/100000698.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000698.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000698
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "BXCP" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "where" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "where" parameter in the "index.php" script used by the "BXCP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BXCP
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000699.txt snort-2.9.2/doc/signatures/100000699.txt
--- snort-2.9.0.1/doc/signatures/100000699.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000699.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000699
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Vincent Leclercq News" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "id" parameter in the "diver.php" script used by the "Vincent Leclercq News" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Vincent Leclercq News
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000700.txt snort-2.9.2/doc/signatures/100000700.txt
--- snort-2.9.0.1/doc/signatures/100000700.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000700.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000700
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Vincent Leclercq News" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "disable" parameter in the "diver.php" script used by the "Vincent Leclercq News" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Vincent Leclercq News
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000701.txt snort-2.9.2/doc/signatures/100000701.txt
--- snort-2.9.0.1/doc/signatures/100000701.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000701.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000701
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "WordPress" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "paged" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "paged" parameter in the "index.php" script used by the "WordPress" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using WordPress
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000702.txt snort-2.9.2/doc/signatures/100000702.txt
--- snort-2.9.0.1/doc/signatures/100000702.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000702.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000702
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Webvizyon" application running on a webserver. Access to the file "SayfalaAltList.asp" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "SayfalaAltList.asp" script used by the "Webvizyon" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Webvizyon
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000704.txt snort-2.9.2/doc/signatures/100000704.txt
--- snort-2.9.0.1/doc/signatures/100000704.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000704.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-100000704
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "comment.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "comment.php" script used by the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000705.txt snort-2.9.2/doc/signatures/100000705.txt
--- snort-2.9.0.1/doc/signatures/100000705.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000705.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000705
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "test.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "test.php" script used by the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000706.txt snort-2.9.2/doc/signatures/100000706.txt
--- snort-2.9.0.1/doc/signatures/100000706.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000706.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000706
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000707.txt snort-2.9.2/doc/signatures/100000707.txt
--- snort-2.9.0.1/doc/signatures/100000707.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000707.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000707
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "inc_adminfoot.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "inc_adminfoot.php" script used by the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000708.txt snort-2.9.2/doc/signatures/100000708.txt
--- snort-2.9.0.1/doc/signatures/100000708.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000708.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000708
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "comedit.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "comedit.php" script used by the "SmartSiteCMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SmartSiteCMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000709.txt snort-2.9.2/doc/signatures/100000709.txt
--- snort-2.9.0.1/doc/signatures/100000709.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000709.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000709
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "SquirrelMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "mailbox" parameter in the "search.php" script used by the "SquirrelMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using SquirrelMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000710.txt snort-2.9.2/doc/signatures/100000710.txt
--- snort-2.9.0.1/doc/signatures/100000710.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000710.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000710
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Xoops MyAds Module" application running on a webserver. Access to the file "annonces-p-f.php" with SQL commands being passed as the "lid" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "lid" parameter in the "annonces-p-f.php" script used by the "Xoops MyAds Module" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Xoops MyAds Module
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000711.txt snort-2.9.2/doc/signatures/100000711.txt
--- snort-2.9.0.1/doc/signatures/100000711.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000711.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000711
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "raids.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "raids.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000712.txt snort-2.9.2/doc/signatures/100000712.txt
--- snort-2.9.0.1/doc/signatures/100000712.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000712.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000712
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "register.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "register.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000713.txt snort-2.9.2/doc/signatures/100000713.txt
--- snort-2.9.0.1/doc/signatures/100000713.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000713.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000713
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "roster.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "roster.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000714.txt snort-2.9.2/doc/signatures/100000714.txt
--- snort-2.9.0.1/doc/signatures/100000714.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000714.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000714
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000715.txt snort-2.9.2/doc/signatures/100000715.txt
--- snort-2.9.0.1/doc/signatures/100000715.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000715.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000715
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "logs.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "logs.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000716.txt snort-2.9.2/doc/signatures/100000716.txt
--- snort-2.9.0.1/doc/signatures/100000716.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000716.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000716
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "users.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "users.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000717.txt snort-2.9.2/doc/signatures/100000717.txt
--- snort-2.9.0.1/doc/signatures/100000717.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000717.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000717
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "configuration.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "configuration.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000718.txt snort-2.9.2/doc/signatures/100000718.txt
--- snort-2.9.0.1/doc/signatures/100000718.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000718.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000718
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "guilds.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "guilds.php" script used by the "PHPRaid" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPRaid
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000719.txt snort-2.9.2/doc/signatures/100000719.txt
--- snort-2.9.0.1/doc/signatures/100000719.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000719.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000719 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "index.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000720.txt snort-2.9.2/doc/signatures/100000720.txt --- snort-2.9.0.1/doc/signatures/100000720.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000720.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000720 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "locations.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "locations.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000721.txt snort-2.9.2/doc/signatures/100000721.txt --- snort-2.9.0.1/doc/signatures/100000721.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000721.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000721 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "login.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "login.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000722.txt snort-2.9.2/doc/signatures/100000722.txt --- snort-2.9.0.1/doc/signatures/100000722.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000722.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000722 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "lua_output.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "lua_output.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000723.txt snort-2.9.2/doc/signatures/100000723.txt --- snort-2.9.0.1/doc/signatures/100000723.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000723.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000723 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "permissions.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "permissions.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000724.txt snort-2.9.2/doc/signatures/100000724.txt --- snort-2.9.0.1/doc/signatures/100000724.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000724.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000724 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "profile.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "profile.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000725.txt snort-2.9.2/doc/signatures/100000725.txt --- snort-2.9.0.1/doc/signatures/100000725.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000725.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000725 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" with SQL commands being passed as the "raid_id" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "raid_id" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPRaid --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. 
- --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000726.txt snort-2.9.2/doc/signatures/100000726.txt --- snort-2.9.0.1/doc/signatures/100000726.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000726.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000726 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Vincent-Leclercq News" application running on a webserver. Access to the file "diver.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "diver.php" script used by the "Vincent-Leclercq News" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Vincent-Leclercq News --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000727.txt snort-2.9.2/doc/signatures/100000727.txt --- snort-2.9.0.1/doc/signatures/100000727.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000727.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ - - -Rule: - --- -Sid: -100000727 --- -Summary: -This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Softbiz Banner Exchange" application running on a webserver. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "city" parameter in the "insertmember.php" script used by the "Softbiz Banner Exchange" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing. - --- -Affected Systems: -All systems running CGI applications using Softbiz Banner Exchange --- -Attack Scenarios: -An attacker can supply a malicious link designed to steal information from a user clicking on that link. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -The Cross Site Scripting (XSS) FAQ -http://www.cgisecurity.com/articles/xss-faq.shtml - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000728.txt snort-2.9.2/doc/signatures/100000728.txt --- snort-2.9.0.1/doc/signatures/100000728.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000728.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000728 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000729.txt snort-2.9.2/doc/signatures/100000729.txt --- snort-2.9.0.1/doc/signatures/100000729.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000729.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000729 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000730.txt snort-2.9.2/doc/signatures/100000730.txt --- snort-2.9.0.1/doc/signatures/100000730.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000730.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000730 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "BlackList.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "BlackList.Examine.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000731.txt snort-2.9.2/doc/signatures/100000731.txt --- snort-2.9.0.1/doc/signatures/100000731.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000731.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000731 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "DeleteComment.Action.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "DeleteComment.Action.class.php" script used by the "Geeklog" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Geeklog --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000732.txt snort-2.9.2/doc/signatures/100000732.txt --- snort-2.9.0.1/doc/signatures/100000732.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000732.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000732
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIPofURL.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIPofURL.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000733.txt snort-2.9.2/doc/signatures/100000733.txt
--- snort-2.9.0.1/doc/signatures/100000733.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000733.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000733
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MTBlackList.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MTBlackList.Examine.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000734.txt snort-2.9.2/doc/signatures/100000734.txt
--- snort-2.9.0.1/doc/signatures/100000734.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000734.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000734
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelete.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelete.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000735.txt snort-2.9.2/doc/signatures/100000735.txt
--- snort-2.9.0.1/doc/signatures/100000735.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000735.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000735
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MailAdmin.Action.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MailAdmin.Action.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000736.txt snort-2.9.2/doc/signatures/100000736.txt
--- snort-2.9.0.1/doc/signatures/100000736.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000736.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000736
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelTrackback.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelTrackback.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000737.txt snort-2.9.2/doc/signatures/100000737.txt
--- snort-2.9.0.1/doc/signatures/100000737.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000737.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000737
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditHeader.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditHeader.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000738.txt snort-2.9.2/doc/signatures/100000738.txt
--- snort-2.9.0.1/doc/signatures/100000738.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000738.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000738
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIP.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIP.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000739.txt snort-2.9.2/doc/signatures/100000739.txt
--- snort-2.9.0.1/doc/signatures/100000739.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000739.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000739
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "IPofUrl.Examine.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "IPofUrl.Examine.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000740.txt snort-2.9.2/doc/signatures/100000740.txt
--- snort-2.9.0.1/doc/signatures/100000740.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000740.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000740
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "Import.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "Import.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000741.txt snort-2.9.2/doc/signatures/100000741.txt
--- snort-2.9.0.1/doc/signatures/100000741.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000741.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000741
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "LogView.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "LogView.Admin.class.php" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000742.txt snort-2.9.2/doc/signatures/100000742.txt
--- snort-2.9.0.1/doc/signatures/100000742.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000742.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000742
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Geeklog
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000743.txt snort-2.9.2/doc/signatures/100000743.txt
--- snort-2.9.0.1/doc/signatures/100000743.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000743.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000743
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "dbinstall.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "dbinstall.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000744.txt snort-2.9.2/doc/signatures/100000744.txt
--- snort-2.9.0.1/doc/signatures/100000744.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000744.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000744
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "MyNewsGroups" application running on a webserver. Access to the file "tree.php" with SQL commands being passed as the "grp_id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "grp_id" parameter in the "tree.php" script used by the "MyNewsGroups" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyNewsGroups
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000745.txt snort-2.9.2/doc/signatures/100000745.txt
--- snort-2.9.0.1/doc/signatures/100000745.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000745.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000745
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Diesel Joke Site" application running on a webserver. Access to the file "category.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "category.php" script used by the "Diesel Joke Site" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Diesel Joke Site
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000746.txt snort-2.9.2/doc/signatures/100000746.txt
--- snort-2.9.0.1/doc/signatures/100000746.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000746.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000746
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Randshop" application running on a webserver. Access to the file "header.inc.php" using a remote file being passed as the "dateiPfad" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "dateiPfad" parameter in the "header.inc.php" script used by the "Randshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Randshop
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000747.txt snort-2.9.2/doc/signatures/100000747.txt
--- snort-2.9.0.1/doc/signatures/100000747.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000747.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000747
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "index.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000748.txt snort-2.9.2/doc/signatures/100000748.txt
--- snort-2.9.0.1/doc/signatures/100000748.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000748.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000748
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "rss.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "rss.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000749.txt snort-2.9.2/doc/signatures/100000749.txt
--- snort-2.9.0.1/doc/signatures/100000749.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000749.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000749
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Plume CMS" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "_PX_config[manager_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "_PX_config[manager_path]" parameter in the "search.php" script used by the "Plume CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Plume CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000750.txt snort-2.9.2/doc/signatures/100000750.txt
--- snort-2.9.0.1/doc/signatures/100000750.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000750.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000750
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "index.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000751.txt snort-2.9.2/doc/signatures/100000751.txt
--- snort-2.9.0.1/doc/signatures/100000751.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000751.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000751
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "about.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "about.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000752.txt snort-2.9.2/doc/signatures/100000752.txt
--- snort-2.9.0.1/doc/signatures/100000752.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000752.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000752
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "contact.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "contact.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000753.txt snort-2.9.2/doc/signatures/100000753.txt
--- snort-2.9.0.1/doc/signatures/100000753.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000753.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000753
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "delete.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "delete.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000754.txt snort-2.9.2/doc/signatures/100000754.txt
--- snort-2.9.0.1/doc/signatures/100000754.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000754.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000754
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "faq.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "faq.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000755.txt snort-2.9.2/doc/signatures/100000755.txt
--- snort-2.9.0.1/doc/signatures/100000755.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000755.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000755
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "features.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "features.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000756.txt snort-2.9.2/doc/signatures/100000756.txt
--- snort-2.9.0.1/doc/signatures/100000756.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000756.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000756
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Free QBoard" application running on a webserver. Access to the file "history.php" using a remote file being passed as the "qb_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "qb_path" parameter in the "history.php" script used by the "Free QBoard" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Free QBoard
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000757.txt snort-2.9.2/doc/signatures/100000757.txt
--- snort-2.9.0.1/doc/signatures/100000757.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000757.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000757
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "delete" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using QTO File Manager
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000758.txt snort-2.9.2/doc/signatures/100000758.txt
--- snort-2.9.0.1/doc/signatures/100000758.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000758.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000758
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "pathext" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using QTO File Manager
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000759.txt snort-2.9.2/doc/signatures/100000759.txt
--- snort-2.9.0.1/doc/signatures/100000759.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000759.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000759
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "edit" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using QTO File Manager
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000760.txt snort-2.9.2/doc/signatures/100000760.txt
--- snort-2.9.0.1/doc/signatures/100000760.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000760.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000760
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "The Banner Engine" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "text" parameter in the "top.php" script used by the "The Banner Engine" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using The Banner Engine
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000761.txt snort-2.9.2/doc/signatures/100000761.txt
--- snort-2.9.0.1/doc/signatures/100000761.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000761.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000761
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPWebGallery" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "keyword" parameter in the "comments.php" script used by the "PHPWebGallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPWebGallery
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000762.txt snort-2.9.2/doc/signatures/100000762.txt
--- snort-2.9.0.1/doc/signatures/100000762.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000762.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000762
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Randshop" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "incl" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "incl" parameter in the "index.php" script used by the "Randshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Randshop
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000763.txt snort-2.9.2/doc/signatures/100000763.txt
--- snort-2.9.0.1/doc/signatures/100000763.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000763.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000763
---
-Summary:
-This event is generated when an attempt is made to access the file "config.inc which contains known vulnerabilities in the "Kamikaze-QSCM" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known vulnerabilities from a remote machine used by the "Kamikaze-QSCM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Kamikaze-QSCM
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000764.txt snort-2.9.2/doc/signatures/100000764.txt
--- snort-2.9.0.1/doc/signatures/100000764.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000764.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000764
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyPHP CMS" application running on a webserver. Access to the file "global_header.php" using a remote file being passed as the "domain" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "domain" parameter in the "global_header.php" script used by the "MyPHP CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MyPHP CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000765.txt snort-2.9.2/doc/signatures/100000765.txt
--- snort-2.9.0.1/doc/signatures/100000765.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000765.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000765
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "LifeType" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "date" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "date" parameter in the "index.php" script used by the "LifeType" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using LifeType
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000766.txt snort-2.9.2/doc/signatures/100000766.txt
--- snort-2.9.0.1/doc/signatures/100000766.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000766.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000766
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Blog CMS" application running on a webserver. Access to the file "thumb.php" using a remote file being passed as the "gallery" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "gallery" parameter in the "thumb.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000767.txt snort-2.9.2/doc/signatures/100000767.txt
--- snort-2.9.0.1/doc/signatures/100000767.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000767.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000767
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "item" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "item" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000768.txt snort-2.9.2/doc/signatures/100000768.txt
--- snort-2.9.0.1/doc/signatures/100000768.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000768.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000768
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "blog" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "blog" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000769.txt snort-2.9.2/doc/signatures/100000769.txt
--- snort-2.9.0.1/doc/signatures/100000769.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000769.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000769
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "member" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "member" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000770.txt snort-2.9.2/doc/signatures/100000770.txt
--- snort-2.9.0.1/doc/signatures/100000770.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000770.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000770
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "typeface" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "typeface" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000771.txt snort-2.9.2/doc/signatures/100000771.txt
--- snort-2.9.0.1/doc/signatures/100000771.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000771.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000771
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "results" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "results" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000772.txt snort-2.9.2/doc/signatures/100000772.txt
--- snort-2.9.0.1/doc/signatures/100000772.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000772.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000772
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "DokiWiki" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "DokiWiki" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000773.txt snort-2.9.2/doc/signatures/100000773.txt
--- snort-2.9.0.1/doc/signatures/100000773.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000773.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000773
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "archives" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "archives" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000774.txt snort-2.9.2/doc/signatures/100000774.txt
--- snort-2.9.0.1/doc/signatures/100000774.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000774.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000774
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "category" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "category" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000775.txt snort-2.9.2/doc/signatures/100000775.txt
--- snort-2.9.0.1/doc/signatures/100000775.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000775.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000775
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "PHPSESSID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "PHPSESSID" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000776.txt snort-2.9.2/doc/signatures/100000776.txt
--- snort-2.9.0.1/doc/signatures/100000776.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000776.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000776
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "query" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "query" parameter in the "index.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000777.txt snort-2.9.2/doc/signatures/100000777.txt
--- snort-2.9.0.1/doc/signatures/100000777.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000777.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000777
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Blog CMS" application running on a webserver. Access to the file "action.php" with SQL commands being passed as the "action" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "action" parameter in the "action.php" script used by the "Blog CMS" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Blog CMS
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000778.txt snort-2.9.2/doc/signatures/100000778.txt
--- snort-2.9.0.1/doc/signatures/100000778.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000778.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000778
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPMailList" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "maillist.php" script used by the "PHPMailList" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PHPMailList
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000779.txt snort-2.9.2/doc/signatures/100000779.txt
--- snort-2.9.0.1/doc/signatures/100000779.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000779.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000779
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show" parameter in the "index.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000780.txt snort-2.9.2/doc/signatures/100000780.txt
--- snort-2.9.0.1/doc/signatures/100000780.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000780.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000780
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "problem.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000781.txt snort-2.9.2/doc/signatures/100000781.txt
--- snort-2.9.0.1/doc/signatures/100000781.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000781.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000781
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "untrusted" parameter in the "go.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000782.txt snort-2.9.2/doc/signatures/100000782.txt
--- snort-2.9.0.1/doc/signatures/100000782.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000782.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000782
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Horde" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "url" parameter in the "go.php" script used by the "Horde" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Horde
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Dan Raswami
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000783.txt snort-2.9.2/doc/signatures/100000783.txt
--- snort-2.9.0.1/doc/signatures/100000783.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000783.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000783
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show_courses" parameter in the "create_course.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000784.txt snort-2.9.2/doc/signatures/100000784.txt
--- snort-2.9.0.1/doc/signatures/100000784.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000784.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000784
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "current_cat" parameter in the "create_course.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000785.txt snort-2.9.2/doc/signatures/100000785.txt
--- snort-2.9.0.1/doc/signatures/100000785.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000785.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000785
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "forgot" parameter in the "password_reminder.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000786.txt snort-2.9.2/doc/signatures/100000786.txt
--- snort-2.9.0.1/doc/signatures/100000786.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000786.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000786
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "cat" parameter in the "browse.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000787.txt snort-2.9.2/doc/signatures/100000787.txt
--- snort-2.9.0.1/doc/signatures/100000787.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000787.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000787
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "ATutor" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "submit" parameter in the "fix_content.php" script used by the "ATutor" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using ATutor
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000788.txt snort-2.9.2/doc/signatures/100000788.txt
--- snort-2.9.0.1/doc/signatures/100000788.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000788.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000788
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "FreeWebshop" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "page" parameter in the "search.php" script used by the "FreeWebshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using FreeWebshop
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000789.txt snort-2.9.2/doc/signatures/100000789.txt
--- snort-2.9.0.1/doc/signatures/100000789.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000789.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000789
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "FreeWebshop" application running on a webserver. Access to the file "details.php" with SQL commands being passed as the "prod" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "prod" parameter in the "details.php" script used by the "FreeWebshop" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FreeWebshop
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000790.txt snort-2.9.2/doc/signatures/100000790.txt
--- snort-2.9.0.1/doc/signatures/100000790.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000790.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000790
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Pivot" application running on a webserver. Access to the file "edit_new.php" using a remote file being passed as the "Paths[extensions_path]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "Paths[extensions_path]" parameter in the "edit_new.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000791.txt snort-2.9.2/doc/signatures/100000791.txt
--- snort-2.9.0.1/doc/signatures/100000791.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000791.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000791
---
-Summary:
-This event is generated when an attempt is made to access the file "pv_core.php which contains known vulnerabilities in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to access a file with known vulnerabilities from a remote machine used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000792.txt snort-2.9.2/doc/signatures/100000792.txt
--- snort-2.9.0.1/doc/signatures/100000792.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000792.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000792
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "fg" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000793.txt snort-2.9.2/doc/signatures/100000793.txt
--- snort-2.9.0.1/doc/signatures/100000793.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000793.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000793
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000794.txt snort-2.9.2/doc/signatures/100000794.txt
--- snort-2.9.0.1/doc/signatures/100000794.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000794.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000794
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line2" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000795.txt snort-2.9.2/doc/signatures/100000795.txt
--- snort-2.9.0.1/doc/signatures/100000795.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000795.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000795
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "bg" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000796.txt snort-2.9.2/doc/signatures/100000796.txt
--- snort-2.9.0.1/doc/signatures/100000796.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000796.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000796
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000797.txt snort-2.9.2/doc/signatures/100000797.txt
--- snort-2.9.0.1/doc/signatures/100000797.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000797.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000797
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c2" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000798.txt snort-2.9.2/doc/signatures/100000798.txt
--- snort-2.9.0.1/doc/signatures/100000798.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000798.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000798
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c3" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000799.txt snort-2.9.2/doc/signatures/100000799.txt
--- snort-2.9.0.1/doc/signatures/100000799.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000799.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000799
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "c4" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000800.txt snort-2.9.2/doc/signatures/100000800.txt
--- snort-2.9.0.1/doc/signatures/100000800.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000800.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000800
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "editor_menu.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000801.txt snort-2.9.2/doc/signatures/100000801.txt
--- snort-2.9.0.1/doc/signatures/100000801.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000801.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000801
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "js_name" parameter in the "editor_menu.php" script used by the "Pivot" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Pivot
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000802.txt snort-2.9.2/doc/signatures/100000802.txt
--- snort-2.9.0.1/doc/signatures/100000802.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000802.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000802
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "index.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000803.txt snort-2.9.2/doc/signatures/100000803.txt
--- snort-2.9.0.1/doc/signatures/100000803.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000803.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000803
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "recent.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "recent.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000804.txt snort-2.9.2/doc/signatures/100000804.txt
--- snort-2.9.0.1/doc/signatures/100000804.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000804.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000804
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "account.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "account.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000805.txt snort-2.9.2/doc/signatures/100000805.txt
--- snort-2.9.0.1/doc/signatures/100000805.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000805.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000805
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "classified.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "classified.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000806.txt snort-2.9.2/doc/signatures/100000806.txt
--- snort-2.9.0.1/doc/signatures/100000806.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000806.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000806
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "BosClassifieds" application running on a webserver. Access to the file "search.php" using a remote file being passed as the "insPath" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "insPath" parameter in the "search.php" script used by the "BosClassifieds" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using BosClassifieds
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000807.txt snort-2.9.2/doc/signatures/100000807.txt
--- snort-2.9.0.1/doc/signatures/100000807.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000807.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000807
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "CommonSense" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "q" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "q" parameter in the "search.php" script used by the "CommonSense" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using CommonSense
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000808.txt snort-2.9.2/doc/signatures/100000808.txt
--- snort-2.9.0.1/doc/signatures/100000808.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000808.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000808
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "AjaxPortal" application running on a webserver. Access to the file "ajaxp.php" with SQL commands being passed as the "username" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "username" parameter in the "ajaxp.php" script used by the "AjaxPortal" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using AjaxPortal
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000809.txt snort-2.9.2/doc/signatures/100000809.txt
--- snort-2.9.0.1/doc/signatures/100000809.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000809.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000809
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "RW Download" application running on a webserver. Access to the file "stats.php" using a remote file being passed as the "root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "root_path" parameter in the "stats.php" script used by the "RW Download" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using RW Download
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000810.txt snort-2.9.2/doc/signatures/100000810.txt
--- snort-2.9.0.1/doc/signatures/100000810.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000810.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000810
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "download.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "download.php" script used by the "PHPBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000811.txt snort-2.9.2/doc/signatures/100000811.txt
--- snort-2.9.0.1/doc/signatures/100000811.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000811.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000811
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "attach_rules.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "attach_rules.php" script used by the "PHPBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000812.txt snort-2.9.2/doc/signatures/100000812.txt
--- snort-2.9.0.1/doc/signatures/100000812.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000812.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000812
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "index.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000813.txt snort-2.9.2/doc/signatures/100000813.txt
--- snort-2.9.0.1/doc/signatures/100000813.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000813.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000813
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "file_upload.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "file_upload.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000814.txt snort-2.9.2/doc/signatures/100000814.txt
--- snort-2.9.0.1/doc/signatures/100000814.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000814.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000814
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "image_upload.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "image_upload.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000815.txt snort-2.9.2/doc/signatures/100000815.txt
--- snort-2.9.0.1/doc/signatures/100000815.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000815.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000815
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SimpleBoard SBP" application running on a webserver. Access to the file "performs.php" using a remote file being passed as the "sbp" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "sbp" parameter in the "performs.php" script used by the "SimpleBoard SBP" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SimpleBoard SBP
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000816.txt snort-2.9.2/doc/signatures/100000816.txt
--- snort-2.9.0.1/doc/signatures/100000816.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000816.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000816
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PC_CookBook" application running on a webserver. Access to the file "pccookbook.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "pccookbook.php" script used by the "PC_CookBook" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PC_CookBook
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000817.txt snort-2.9.2/doc/signatures/100000817.txt
--- snort-2.9.0.1/doc/signatures/100000817.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000817.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000817
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SMF Forum" application running on a webserver. Access to the file "smf.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "smf.php" script used by the "SMF Forum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SMF Forum
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000818.txt snort-2.9.2/doc/signatures/100000818.txt
--- snort-2.9.0.1/doc/signatures/100000818.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000818.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000818
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Graffiti Forums" application running on a webserver. Access to the file "topics.php" with SQL commands being passed as the "f" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "f" parameter in the "topics.php" script used by the "Graffiti Forums" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Graffiti Forums
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000820.txt snort-2.9.2/doc/signatures/100000820.txt
--- snort-2.9.0.1/doc/signatures/100000820.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000820.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-100000820
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "SaPHPLesson" application running on a webserver. Access to the file "add.php" with SQL commands being passed as the "forumid" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "forumid" parameter in the "add.php" script used by the "SaPHPLesson" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using SaPHPLesson
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000821.txt snort-2.9.2/doc/signatures/100000821.txt
--- snort-2.9.0.1/doc/signatures/100000821.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000821.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000821
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "sub-join.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "sub-join.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000822.txt snort-2.9.2/doc/signatures/100000822.txt
--- snort-2.9.0.1/doc/signatures/100000822.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000822.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000822
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "reply.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "reply.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000823.txt snort-2.9.2/doc/signatures/100000823.txt
--- snort-2.9.0.1/doc/signatures/100000823.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000823.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000823
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "ignore-pm.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "ignore-pm.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000824.txt snort-2.9.2/doc/signatures/100000824.txt
--- snort-2.9.0.1/doc/signatures/100000824.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000824.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000824
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "sendmail.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "sendmail.php" script used by the "VBZooM" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using VBZooM
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000825.txt snort-2.9.2/doc/signatures/100000825.txt
--- snort-2.9.0.1/doc/signatures/100000825.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000825.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000825
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Phorum" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "mode" parameter in the "posting.php" script used by the "Phorum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Phorum
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000826.txt snort-2.9.2/doc/signatures/100000826.txt
--- snort-2.9.0.1/doc/signatures/100000826.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000826.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000826
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Phorum" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "mode" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mode" parameter in the "search.php" script used by the "Phorum" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Phorum
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000827.txt snort-2.9.2/doc/signatures/100000827.txt
--- snort-2.9.0.1/doc/signatures/100000827.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000827.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000827
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000828.txt snort-2.9.2/doc/signatures/100000828.txt
--- snort-2.9.0.1/doc/signatures/100000828.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000828.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000828
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "cond" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000829.txt snort-2.9.2/doc/signatures/100000829.txt
--- snort-2.9.0.1/doc/signatures/100000829.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000829.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000829
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "name" parameter in the "address.view.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000830.txt snort-2.9.2/doc/signatures/100000830.txt
--- snort-2.9.0.1/doc/signatures/100000830.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000830.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000830
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "dayprune" parameter in the "index.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000831.txt snort-2.9.2/doc/signatures/100000831.txt
--- snort-2.9.0.1/doc/signatures/100000831.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000831.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000831
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "data[to]" parameter in the "compose.email.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000832.txt snort-2.9.2/doc/signatures/100000832.txt
--- snort-2.9.0.1/doc/signatures/100000832.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000832.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000832
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "HiveMail" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "markas" parameter in the "read.markas.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000833.txt snort-2.9.2/doc/signatures/100000833.txt
--- snort-2.9.0.1/doc/signatures/100000833.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000833.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000833
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "HiveMail" application running on a webserver. Access to the file "search.results.php" with SQL commands being passed as the "fields[]" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "fields[]" parameter in the "search.results.php" script used by the "HiveMail" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using HiveMail
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000834.txt snort-2.9.2/doc/signatures/100000834.txt
--- snort-2.9.0.1/doc/signatures/100000834.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000834.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000834
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Lazarus" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "show" parameter in the "codes-english.php" script used by the "Lazarus" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Lazarus
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000835.txt snort-2.9.2/doc/signatures/100000835.txt
--- snort-2.9.0.1/doc/signatures/100000835.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000835.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000835
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Lazarus" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "img" parameter in the "picture.php" script used by the "Lazarus" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Lazarus
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000836.txt snort-2.9.2/doc/signatures/100000836.txt
--- snort-2.9.0.1/doc/signatures/100000836.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000836.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000836
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiniBB" application running on a webserver. Access to the file "com_minibb.php" using a remote file being passed as the "absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "absolute_path" parameter in the "com_minibb.php" script used by the "MiniBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiniBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000837.txt snort-2.9.2/doc/signatures/100000837.txt
--- snort-2.9.0.1/doc/signatures/100000837.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000837.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000837
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiniBB" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "absolute_path" parameter in the "index.php" script used by the "MiniBB" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using MiniBB
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000838.txt snort-2.9.2/doc/signatures/100000838.txt
--- snort-2.9.0.1/doc/signatures/100000838.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000838.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000838
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PhotoCycle" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "phppage" parameter in the "photocycle.php" script used by the "PhotoCycle" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PhotoCycle
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000839.txt snort-2.9.2/doc/signatures/100000839.txt
--- snort-2.9.0.1/doc/signatures/100000839.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000839.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000839
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHP Event Calendar" application running on a webserver. Access to the file "calendar.php" using a remote file being passed as the "path_to_calendar" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_calendar" parameter in the "calendar.php" script used by the "PHP Event Calendar" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHP Event Calendar
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000840.txt snort-2.9.2/doc/signatures/100000840.txt
--- snort-2.9.0.1/doc/signatures/100000840.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000840.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000840
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlatNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "mod" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mod" parameter in the "index.php" script used by the "FlatNuke" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using FlatNuke
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000841.txt snort-2.9.2/doc/signatures/100000841.txt
--- snort-2.9.0.1/doc/signatures/100000841.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000841.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000841
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PerForms" application running on a webserver. Access to the file "performs.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "performs.php" script used by the "PerForms" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PerForms
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000842.txt snort-2.9.2/doc/signatures/100000842.txt
--- snort-2.9.0.1/doc/signatures/100000842.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000842.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000842
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "PHPBB 3" application running on a webserver. Access to the file "memberlist.php" with SQL commands being passed as the "ip" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "ip" parameter in the "memberlist.php" script used by the "PHPBB 3" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using PHPBB 3
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000843.txt snort-2.9.2/doc/signatures/100000843.txt
--- snort-2.9.0.1/doc/signatures/100000843.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000843.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000843
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Koobi Pro" application running on a webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using Koobi Pro
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000844.txt snort-2.9.2/doc/signatures/100000844.txt
--- snort-2.9.0.1/doc/signatures/100000844.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000844.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000844
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Koobi Pro" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "showtopic" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Koobi Pro
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000845.txt snort-2.9.2/doc/signatures/100000845.txt
--- snort-2.9.0.1/doc/signatures/100000845.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000845.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000845
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "ipsclass.php" with SQL commands being passed as the "HTTP_CLIENT_IP" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "HTTP_CLIENT_IP" parameter in the "ipsclass.php" script used by the "Invision Power Board" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Invision Power Board
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000846.txt snort-2.9.2/doc/signatures/100000846.txt
--- snort-2.9.0.1/doc/signatures/100000846.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000846.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000846
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Subberz Lite" application running on a webserver. Access to the file "user-func.php" using a remote file being passed as the "myadmindir" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "myadmindir" parameter in the "user-func.php" script used by the "Subberz Lite" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Subberz Lite
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000847.txt snort-2.9.2/doc/signatures/100000847.txt
--- snort-2.9.0.1/doc/signatures/100000847.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000847.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000847
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Sitemap" application running on a webserver. Access to the file "sitemap.xml.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "sitemap.xml.php" script used by the "Sitemap" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Sitemap
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000848.txt snort-2.9.2/doc/signatures/100000848.txt
--- snort-2.9.0.1/doc/signatures/100000848.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000848.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-100000848
---
-Summary:
-This event is generated when an attempt is made to exploit a cross site
-scripting vulnerability in the "PhpWebGallery" application running on a
-webserver.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution of
-arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a cross site
-scripting vulnerability via the "keyword" parameter in the "comments.php"
-script
-used by the "PhpWebGallery" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also
-be possible for an attacker to retrieve sensitive data, execute system binaries
-or malicious code of the attackers choosing.
-
---
-Affected Systems:
-All systems running CGI applications using PhpWebGallery
---
-Attack Scenarios:
-An attacker can supply a malicious link designed to steal information from a
-user clicking on that link.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had
-all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Chris Jacob
-
---
-Additional References:
-
-The Cross Site Scripting (XSS) FAQ
-http://www.cgisecurity.com/articles/xss-faq.shtml
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000849.txt snort-2.9.2/doc/signatures/100000849.txt
--- snort-2.9.0.1/doc/signatures/100000849.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000849.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-100000849
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000850.txt snort-2.9.2/doc/signatures/100000850.txt
--- snort-2.9.0.1/doc/signatures/100000850.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000850.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000850
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "lang_settings" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang_settings" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000851.txt snort-2.9.2/doc/signatures/100000851.txt
--- snort-2.9.0.1/doc/signatures/100000851.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000851.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000851
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000852.txt snort-2.9.2/doc/signatures/100000852.txt
--- snort-2.9.0.1/doc/signatures/100000852.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000852.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000852
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "include.php" using a remote file being passed as the "lang_settings" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lang_settings" parameter in the "include.php" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000853.txt snort-2.9.2/doc/signatures/100000853.txt
--- snort-2.9.0.1/doc/signatures/100000853.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000853.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000853
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "IceWarp" application running on a webserver. Access to the file "settings.html" using a remote file being passed as the "language" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "language" parameter in the "settings.html" script used by the "IceWarp" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using IceWarp
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000854.txt snort-2.9.2/doc/signatures/100000854.txt
--- snort-2.9.0.1/doc/signatures/100000854.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000854.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000854
---
-Summary:
-This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ListMessenger" application running on a webserver. Access to the file "listmessenger.php" using a remote file being passed as the "lm_path" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to include a file from a remote machine via the "lm_path" parameter in the "listmessenger.php" script used by the "ListMessenger" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using ListMessenger
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000855.txt snort-2.9.2/doc/signatures/100000855.txt
--- snort-2.9.0.1/doc/signatures/100000855.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000855.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-
-
-Rule:
-
---
-Sid:
-100000855
---
-Summary:
-This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "name" parameter may indicate that an exploitation attempt has been attempted.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to inject SQL code from a remote machine via the "name" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver.
-
-If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-All systems running CGI applications using Professional Home Page Tools
---
-Attack Scenarios:
-An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Nigel Houghton
---
-Additional References:
-
-SQL Injection Attack and Defense
-http://www.securitydocs.com/library/3587
-
---
-
diff -Nru snort-2.9.0.1/doc/signatures/100000856.txt snort-2.9.2/doc/signatures/100000856.txt
--- snort-2.9.0.1/doc/signatures/100000856.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/100000856.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000856 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "mail" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mail" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Professional Home Page Tools --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000857.txt snort-2.9.2/doc/signatures/100000857.txt --- snort-2.9.0.1/doc/signatures/100000857.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000857.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000857 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "ip" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "ip" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Professional Home Page Tools --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000858.txt snort-2.9.2/doc/signatures/100000858.txt --- snort-2.9.0.1/doc/signatures/100000858.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000858.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000858 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "text" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "text" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Professional Home Page Tools --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000859.txt snort-2.9.2/doc/signatures/100000859.txt --- snort-2.9.0.1/doc/signatures/100000859.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000859.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000859 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Professional Home Page Tools" application running on a webserver. Access to the file "class.php" with SQL commands being passed as the "hidemail" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "hidemail" parameter in the "class.php" script used by the "Professional Home Page Tools" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Professional Home Page Tools --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000860.txt snort-2.9.2/doc/signatures/100000860.txt --- snort-2.9.0.1/doc/signatures/100000860.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000860.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ - - -Rule: - --- -Sid: -100000860 --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Francisco Charrua Photo-Gallery" application running on a webserver. Access to the file "room.php" with SQL commands being passed as the "id" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a remote machine via the "id" parameter in the "room.php" script used by the "Francisco Charrua Photo-Gallery" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using Francisco Charrua Photo-Gallery --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. - --- -Ease of Attack: -Simple. Exploits exist. 
- --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - -SQL Injection Attack and Defense -http://www.securitydocs.com/library/3587 - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000861.txt snort-2.9.2/doc/signatures/100000861.txt --- snort-2.9.0.1/doc/signatures/100000861.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000861.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000861 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlushCMS" application running on a webserver. Access to the file "class.rich.php" using a remote file being passed as the "class_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "class_path" parameter in the "class.rich.php" script used by the "FlushCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using FlushCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000862.txt snort-2.9.2/doc/signatures/100000862.txt --- snort-2.9.0.1/doc/signatures/100000862.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000862.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - - -Rule: - --- -Sid: -100000862 --- -Summary: -This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlushCMS" application running on a webserver. Access to the file "class.rich.php" using a remote file being passed as the "class_path" parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to include a file from a remote machine via the "class_path" parameter in the "class.rich.php" script used by the "FlushCMS" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. - -This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using FlushCMS --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton --- -Additional References: - --- - diff -Nru snort-2.9.0.1/doc/signatures/100000863.txt snort-2.9.2/doc/signatures/100000863.txt --- snort-2.9.0.1/doc/signatures/100000863.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000863.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: - --- -Summary: -This event is generated when an attempt is made to exploit an SQL injection -vulnerability in the "PHPMyRing" application running on a webserver. Access to -the file "view_com.php" with SQL commands being passed as the "idsite" -parameter may indicate that an exploitation attempt has been attempted. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution of -arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event indicates that an attempt has been made to inject SQL code from a -remote machine via the "idsite" parameter in the "view_com.php" script used by -the "PHPMyRing" application running on a webserver. - -If stringent input checks are not performed by the CGI application, it may also -be possible for an attacker to compromise the database backend for the -application, the attacker may also be able to execute system binaries or -malicious code of their choosing. - -This event is generated when an attempt is made to gain unauthorized access to -a CGI application running ona web server. Some applications do not perform -stringent checks when validating the credentials of a client host connecting to -the services offered on a host server. This can lead to unauthorized access and -possibly escalated privileges to that of the administrator. Data stored on the -machine can be compromised and trust relationships between the victim server -and other hosts can be exploited by the attacker. - --- -Affected Systems: -All systems running CGI applications using PHPMyRing --- -Attack Scenarios: -An attacker can inject SQL commands to the backend database for an application -if user input is not correctly sanitized or checked before passing that input -to the database. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. 
- --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has had -all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/100000927.txt snort-2.9.2/doc/signatures/100000927.txt --- snort-2.9.0.1/doc/signatures/100000927.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/100000927.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: - --- -Summary: -This rule detects certain phishing attempts sent via Microsoft Messenger. - --- -Impact: -Users who are fooled by the phising attempt may be tricked into downloading -malicious code. - --- -Detailed Information: -The Microsoft Messenger service, which is enabled by default on many Windows -systems, allows remote users to send pop-up messages to a given system. While -legitimate uses exist, many of these pop-ups contain adware, spyware, and/or -phishing attempts. This rule detects a common phishing attempt, which "warns" -users that their registry is corrupted and directs them to download software to -fix the "problem" at a malicious web site. - --- -Affected Systems: -Any Windows system with Microsoft Messenger enabled and reachable from the -Internet. - --- -Attack Scenarios: -Attackers will typically use publicly available scripts to send malicious -messages. - --- -Ease of Attack: -Simple; public scripts exist for sending malicious messages. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block Microsoft Messenger at your firewall and/or disable it on individual -machines, and educate your users regarding the dangers of following links in -such messages. - --- -Contributors: -Sourcefire Vulnerability Research Team -Sago Networks -Dan Protich - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/1000.txt snort-2.9.2/doc/signatures/1000.txt --- snort-2.9.0.1/doc/signatures/1000.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1000.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -1000 - --- -Summary: -This event is generated when an attempt is made to access the bdir.htr file. - --- -Impact: -Information gathering. This attack can disclose the directory structure on a vulnerable Internet Information Server(IIS). - --- -Detailed Information: -A vulnerability is exposed if an upgrade to IIS 4.0 is performed without deleting the remote administration scripts from IIS 3.0. Because of changes to the authentication methods between versions 3.0 and 4.0, these scripts can be accessed directly, and without authentication. An attacker can access one of these scripts, bdir.htr, to disclose the -vulnerable server's directory structure. - - --- -Affected Systems: -IIS 4.0 servers that are upgraded from IIS 3.0. - --- -Attack Scenarios: -An attacker can craft a URL to access the bdir.htr file, which can disclose the directory structures on the vulnerable server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Remove the bdir.htr file if it is not required. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/2280 - - - --- diff -Nru snort-2.9.0.1/doc/signatures/1001.txt snort-2.9.2/doc/signatures/1001.txt --- snort-2.9.0.1/doc/signatures/1001.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1001.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -1001 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability on an iCat Carbo Server. - --- -Impact: -Serious. Information disclosure. - --- -Detailed Information: -The iCat Carbo server, which is part of the Electronic Commerce Suite, -does not properly check HTTP requests and will give access to any file -object residing on the system when it receives a request such as -http://target/carbo.dll?icatcommand=..\..\directory/filename.ext&catalogname=catalog - --- -Affected Systems: - iCat Electronica Commerce Suite 3.0 - --- -Attack Scenarios: -An attacker can view any file on the server, including sensitive -password files. The information disclosed can then be used to facilitate -further attacks on the system. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -None known. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2126 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1069 - --- diff -Nru snort-2.9.0.1/doc/signatures/1002.txt snort-2.9.2/doc/signatures/1002.txt --- snort-2.9.0.1/doc/signatures/1002.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1002.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: 1002 - - --- -Summary: -This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). - --- -Impact: -Information gathering possible administrator access. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. - -The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. - -The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. - -Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. - --- -Affected Systems: -Any host using IIS. - --- -Attack Scenarios: -An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. - --- -Ease of Attack: -Simple. - --- -False Positives: -The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centre -can graph the occurence of worms attacks on a server against time. The -HotSaNIC system displays 'WEB-IIS cmd.exe access ' attempts on the -server in an image file named thumb-cmd.exe.gif. Each time this image -is accessed it generates an event. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. - -Ensure that the IIS implementation is fully patched. - -Ensure that the underlying operating system is fully patched. 
- -Employ strategies to harden the IIS implementation and operating system. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -False positive information contributed by Chris McMahon - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/1003.txt snort-2.9.2/doc/signatures/1003.txt --- snort-2.9.0.1/doc/signatures/1003.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1003.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: 1003 - - --- -Summary: -This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). - --- -Impact: -Information gathering possible administrator access. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. - -The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. - -The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. - -Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. - --- -Affected Systems: -Any host using IIS. - --- -Attack Scenarios: -An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. - -Ensure that the IIS implementation is fully patched. - -Ensure that the underlying operating system is fully patched. - -Employ strategies to harden the IIS implementation and operating system. - -Check the host for signs of compromise. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/1004.txt snort-2.9.2/doc/signatures/1004.txt --- snort-2.9.0.1/doc/signatures/1004.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1004.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,62 +0,0 @@ -Rule: - --- -Sid: -1004 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft Internet Information -Server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft Internet Information Server (IIS). Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft IIS - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/1005.txt snort-2.9.2/doc/signatures/1005.txt --- snort-2.9.0.1/doc/signatures/1005.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1005.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -1005 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft Internet Information -Server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft Internet Information Server (IIS). Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft IIS - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/1007.txt snort-2.9.2/doc/signatures/1007.txt --- snort-2.9.0.1/doc/signatures/1007.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/1007.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,81 +0,0 @@ -Rule: - --- -Sid: -1007 - --- -Summary: -This event is generated when a cross-site scripting attack is being -attempted, or a potential attacker is testing your site to determine if -it is vulnerable. - --- -Impact: -Successful cross-site scripting attacks generally target the users of -your web site. Attackers can potentially gain access to your users' -cookies or session ids, allowing the attacker to impersonate your -user. They could also set up elaborate fake logon screens to steal -user names and passwords. - --- -Detailed Information: -Whenever a web application accepts input (either via the URL or the -POST method) and then uses that input as part of the HTML of a new page -without filtering, the application is vulnerable to cross-site -scripting. The traditional means of exploiting this is to embed a -" - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2306.txt snort-2.9.2/doc/signatures/2306.txt --- snort-2.9.0.1/doc/signatures/2306.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2306.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Gallery running on a server.
-
---
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when an attempt is made to include script when
-accessing the file index.php for the PHP application Gallery. This
-application fails to properly check the source of an included file in
-the script index.php. As a result an attacker is presented with the
-opportunity to execute code of their choosing with the privileges of the
-user running the web server.
-
---
-Affected Systems:
- All systems running the PHP application Calerndar.
-
---
-Attack Scenarios:
-An attacker can include code of their choosing by supplying a URI to
-their script as a parameter to the HTTP GET request.
-
---
-Ease of Attack:
-Simple. No exploit required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2307.txt snort-2.9.2/doc/signatures/2307.txt
--- snort-2.9.0.1/doc/signatures/2307.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2307.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2307
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PayPal Storefront PHP web application running on a server.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PayPal Storefront PHP web application running
-on a server. It may be possible for an attacker to include code of their
-choosing from a source external to the server running the application.
-This code will execute with the privileges of the user running the web
-server.
-
-The vulnerability exists due to inadequate verification of include file
-locations in the application.
-
---
-Affected Systems:
- PayPal Store Front 3.0, others may also be affected.
-
---
-Attack Scenarios:
-An attacker might include their code by including the URI to the script
-in the HTTP GET parameters when calling index.php.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-The content/pcre criteria: "content:"page="; pcre:"/page=(http|https|ftp)/i";
-Are met frequently by the strings "page=http" and "lastpage=http" which
-occur relatively often in the text of cookies, most commonly ones associated
-with MSN passport.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-False positive information contributed by Alan Whinery
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2308.txt snort-2.9.2/doc/signatures/2308.txt
--- snort-2.9.0.1/doc/signatures/2308.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2308.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2308
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2309.txt snort-2.9.2/doc/signatures/2309.txt
--- snort-2.9.0.1/doc/signatures/2309.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2309.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2309
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/230.txt snort-2.9.2/doc/signatures/230.txt
--- snort-2.9.0.1/doc/signatures/230.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/230.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
---
-Sid:
-230
-
---
-Summary:
-This event is generated when a DDoS Shaft client communicates with a Shaft handler. It is also possible that this event may be generated when any host attempts to discover or detect a Shaft handler.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft client or a host attempting to discover Shaft handlers. If the listed destination IP is in your network, it may be a Shaft handler.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks. A client may communicate with a handler via TCP destination port 20432.
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft client needs to communicate with handlers to direct attacks.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-A legitimate server port of 20432 will cause this rule to fire. It may also create a false positive if port 20432 is selected as an FTP data port.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS254
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2310.txt snort-2.9.2/doc/signatures/2310.txt
--- snort-2.9.0.1/doc/signatures/2310.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2310.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2310
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2311.txt snort-2.9.2/doc/signatures/2311.txt
--- snort-2.9.0.1/doc/signatures/2311.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2311.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2311
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2312.txt snort-2.9.2/doc/signatures/2312.txt
--- snort-2.9.0.1/doc/signatures/2312.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2312.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2312
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2313.txt snort-2.9.2/doc/signatures/2313.txt
--- snort-2.9.0.1/doc/signatures/2313.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2313.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2313
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2314.txt snort-2.9.2/doc/signatures/2314.txt
--- snort-2.9.0.1/doc/signatures/2314.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2314.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2314
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2315.txt snort-2.9.2/doc/signatures/2315.txt
--- snort-2.9.0.1/doc/signatures/2315.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2315.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2315
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2316.txt snort-2.9.2/doc/signatures/2316.txt
--- snort-2.9.0.1/doc/signatures/2316.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2316.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2316
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft Windows Workstation service.
-
---
-Impact:
-Serious. Denial of Service (DoS), execution of arbitrary code is
-possible.
-
---
-Detailed Information:
-Due to insufficient bounds checking in the Microsoft Windows Workstation
-service, it may be possible for an attacker to overwrite portions of
-memory. This can result in the attacker being presented with the
-opportunity to execute code of their choosing. Under some circumstances
-a Denial of Service condition may be possible against the target host.
-
-Specifically, the DCE/RPC service allows for overly long strings to be
-sent to the Workstation logging function. This logging function does not
-check parameters sufficiently which results in the buffer overflow
-condition.
-
---
-Affected Systems:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
-
---
-Attack Scenarios:
-The attacker may use one of the available exploits to target a
-vulnerable host.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches and service packs.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-28.html
-http://www.kb.cert.org/vuls/id/567620
-
-Microsoft:
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2317.txt snort-2.9.2/doc/signatures/2317.txt
--- snort-2.9.0.1/doc/signatures/2317.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2317.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2317
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Concurrent Versions System (CVS).
-
---
-Impact:
-Serious. Manipulation of the host file system is possible.
-
---
-Detailed Information:
-Concurrent Versions System (CVS) is used to track the history of source
-code files when developing software.
-
-Some versions of CVS contain a vulnerability that may allow an attacker
-to create directories or files in the host filesystem external to the
-cvsroot. This is achieved via a malformed module request.
-
---
-Affected Systems:
- CVS versions prior to 1.11.10
-
---
-Attack Scenarios:
-An attacker may send a specially crafted request to a cvs server and
-create files and directories of their choosing in the hosts root
-filesystem. The attacker may then access these files at will to further
-compromise the system.
-
---
-Ease of Attack:
-Simple. No exploit software is required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-If compression is being used in data communications between the CVS
-server and clients, this rule will not generate an event.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2318.txt snort-2.9.2/doc/signatures/2318.txt
--- snort-2.9.0.1/doc/signatures/2318.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2318.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2318
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Concurrent Versions System (CVS).
-
---
-Impact:
-Serious. Manipulation of the host file system is possible.
-
---
-Detailed Information:
-Concurrent Versions System (CVS) is used to track the history of source
-code files when developing software.
-
-Some versions of CVS contain a vulnerability that may allow an attacker
-to create directories or files in the host filesystem external to the
-cvsroot. This is achieved via a malformed module request.
-
---
-Affected Systems:
- CVS versions prior to 1.11.10
-
---
-Attack Scenarios:
-An attacker may send a specially crafted request to a cvs server and
-create files and directories of their choosing in the hosts root
-filesystem. The attacker may then access these files at will to further
-compromise the system.
-
---
-Ease of Attack:
-Simple. No exploit software is required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-If compression is being used in data communications between the CVS
-server and clients, this rule will not generate an event.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2319.txt snort-2.9.2/doc/signatures/2319.txt
--- snort-2.9.0.1/doc/signatures/2319.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2319.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2319
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ebola from PLD Software.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible.
-
---
-Detailed Information:
-Ebola from PLD Software is used to improve the performance of Anti-Virus
-solutions on Linux systems.
-
-A buffer overflow condition is present in the authentication mechanism
-such that it may be triggered by the generation of an error message from
-an unsuccessful authentication attempt.
-
---
-Affected Systems:
- All versions of Ebola prior to 0.1.5
-
---
-Attack Scenarios:
-An attacker can send specially crafted authentication attempts to the Ebola system and
-cause the buffer overflow thus presenting the opportunity to execute
-arbitrary code.
-
---
-Ease of Attack:
-Simple. Expoits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/231.txt snort-2.9.2/doc/signatures/231.txt
--- snort-2.9.0.1/doc/signatures/231.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/231.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
---
-Sid:
-231
-
---
-Summary:
-This event is generated when a pong packet for the Trinoo (aka trin00)
-DDos suite is detected.
-
---
-Impact:
-This may indicate a compromised system or be the prelude to a
-Distributed Denial of Service (DDoS) attack.
-
---
-Detailed Information:
-Once a Trinoo client has been installed on a compromised machine and a master is
-ready and listening, the master sends a "png" (ping) command to its drones in
-an attempt to enumerate the drone network. A functioning client will respond to
-port 31335/udp with the text "PONG".
-
-Once a machine becomes part of a trin00 network, a Denial of Service (DoS)
-is typically initiated against one (or more) victim machines.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of a large scale attack against a machine or a network, an
-attacker will compromise large numbers of machines which will form the
-army that the trin00 master daemon will command. The master daemon
-typically instructs the clients to send mass-quantities of packets to
-a set of victim hosts. If the traffic is sufficient, the victim
-machines will become resource deprived and thus endure a DoS condition.
-
---
-Ease of Attack:
-Simple. Trinoo client and master programs are widely available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disconnect infected machine(s) from the network immediately.
-
-Use software to determine if a host has been compromised using a
-rootkit.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2320.txt snort-2.9.2/doc/signatures/2320.txt
--- snort-2.9.0.1/doc/signatures/2320.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2320.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2320
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ebola from PLD Software.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible.
-
---
-Detailed Information:
-Ebola from PLD Software is used to improve the performance of Anti-Virus
-solutions on Linux systems.
-
-A buffer overflow condition is present in the authentication mechanism
-such that it may be triggered by the generation of an error message from
-an unsuccessful authentication attempt.
-
---
-Affected Systems:
- All versions of Ebola prior to 0.1.5
-
---
-Attack Scenarios:
-An attacker can send specially crafted authentication attempts to the Ebola system and
-cause the buffer overflow thus presenting the opportunity to execute
-arbitrary code.
-
---
-Ease of Attack:
-Simple. Expoits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2321.txt snort-2.9.2/doc/signatures/2321.txt
--- snort-2.9.0.1/doc/signatures/2321.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2321.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2321
-
---
-Summary:
-This event is generated when an attempt is made to access foxweb.exe, a
-CGI web application running on a server.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-The FoxWeb application is used to communicate with FoxPro databases. The
-program foxweb.exe contains an error that may allow an attacker to
-execute arbitrary code of their choosing and possibly gain unauthorized
-administrator access to the server.
-
---
-Affected Systems:
- FoxWeb 2.5 and prior
-
---
-Attack Scenarios:
-An attacker can exploit weaknesses to gain access as the administrator by supplying input of
-their choosing to the CGI program.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2322.txt snort-2.9.2/doc/signatures/2322.txt
--- snort-2.9.0.1/doc/signatures/2322.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2322.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2322 - --- -Summary: -This event is generated when an attempt is made to access foxweb.dll, a -component of the FoxWeb CGI web application running on a server. - --- -Impact: -Possible execution of arbitrary code of the attackers choosing. - --- -Detailed Information: -The FoxWeb application is used to communicate with FoxPro databases. The -program foxweb.exe contains an error that may allow an attacker to -execute arbitrary code of their choosing and possibly gain unauthorized -administrator access to the server. - --- -Affected Systems: - FoxWeb 2.5 and prior - --- -Attack Scenarios: -An attacker can exploit weaknesses to gain access as the administrator by supplying input of -their choosing to the CGI program. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2323.txt snort-2.9.2/doc/signatures/2323.txt --- snort-2.9.0.1/doc/signatures/2323.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2323.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2323 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the QuickStore CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to the QuickStore CGI application running on a web server. This -application does not perform stringent checks when validating the input -from a user to the script. - -The error document produced by the application may disclose sensitive -information about the installation of the application. - --- -Affected Systems: - QuickStore 2.12 and prior - --- -Attack Scenarios: -An attacker can supply input to the quickstore.cgi script using a single -quote character in the "store" parameter. This will cause the script to -generate an error and disclose the information described above. - -For example: http://vulnerable.com/cgi-bin/quickstore.cgi?store=' - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2324.txt snort-2.9.2/doc/signatures/2324.txt --- snort-2.9.0.1/doc/signatures/2324.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2324.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2324 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Virtual Programming VP-ASP web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in Virtual Programming VP-ASP web application running on a -server. It may be possible to use SQL injection techniques to supply -SQL code of an attackers choosing to the database used in the -application. - --- -Affected Systems: - Virtual Programming VP-ASP 4.0 - Virtual Programming VP-ASP 5.0 - --- -Attack Scenarios: -An attacker can inject SQL code of their choosing to view and manipulate -data stored in the underlying database used by the application. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2325.txt snort-2.9.2/doc/signatures/2325.txt --- snort-2.9.0.1/doc/signatures/2325.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2325.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2325 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Virtual Programming VP-ASP web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in Virtual Programming VP-ASP web application running on a -server. It may be possible to use SQL injection techniques to supply -SQL code of an attackers choosing to the database used in the -application. - --- -Affected Systems: - Virtual Programming VP-ASP 4.0 - Virtual Programming VP-ASP 5.0 - --- -Attack Scenarios: -An attacker can inject SQL code of their choosing to view and manipulate -data stored in the underlying database used by the application. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2326.txt snort-2.9.2/doc/signatures/2326.txt --- snort-2.9.0.1/doc/signatures/2326.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2326.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -2326 - --- -Summary: -This event is generated when a cross-site scripting attack is being -attempted against the SGDynamo web application. - --- -Impact: -Successful cross-site scripting attacks generally target the users of -a web site. Attackers can potentially gain access to a users' cookies -or session identification credentials, allowing the attacker to -impersonate the user. - --- -Detailed Information: -The SGDynamo web application does not correctly filter script code in -URL supplied parameters. It is possible for an attacker to place code of -their choosing in a link supplied to the application. The code is then -executed in the browser of a user who clicks on the link. - -The error occurs in checking the parameters supplied via the HTNAME -parameter in the application. - --- -Affected Systems: -Many older versions of web server software are affected, as are numerous -web applications. - --- -Attack Scenarios: -The most common avenue of attack is for the attacker to send an HTML -formatted email to the victim. The email will contain a link to a -specially crafted URL which contains the exploit. When the victim clicks -on the link, they are directed to the vulnerable web site and the attack -code is executed by their browser. - --- -Affected Systems: - Ecometry SGDynamo 5.32 U - Ecometry SGDynamo 5.32 T - Ecometry SGDynamo 6.1 - Ecometry SGDynamo 7.0 - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2327.txt snort-2.9.2/doc/signatures/2327.txt --- snort-2.9.0.1/doc/signatures/2327.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2327.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2327 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in BulletScript MailList CGI mailing list manager running on a server. - --- -Impact: -Information gathering and possible theft of user information. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in BulletScript MailList CGI mailing list manager running on a server. -The script bsml.pl does not perform stringent checks when processing -input supplied via the action parameter to the script. - -It may be possible for an attacker to compromise the integrity of the -database containing information pertaining to users of the mailing list -being managed. - --- -Affected Systems: - All systems running BulletScript MailList. - --- -Attack Scenarios: -An attacker can supply input of their choosing using the action -parameter. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2328.txt snort-2.9.2/doc/signatures/2328.txt --- snort-2.9.0.1/doc/signatures/2328.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2328.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2328 - --- -Summary: -This event is generated when an attempt is made to access the -authentication_index.php script which contains known vulnerabilities and -is part of the phpGedView CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the phpGedView CGI web application running on a server. -Multiple vulnerabilities exist in the application which can lead to the -execution of arbitrary code of the atttackers choosing. - --- -Affected Systems: - phpGedView - --- -Attack Scenarios: -An attacker can supply code of their choice by including a file in -paramters supplied to the script. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2329.txt snort-2.9.2/doc/signatures/2329.txt --- snort-2.9.0.1/doc/signatures/2329.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2329.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -2329 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Windows Data Access Components. - --- -Impact: -Serious. Execution of arbitrary code is possible. Denial of Service -(DoS) - --- -Detailed Information: -It may be possible for an attacker to send a specially crafted response -to a client broadcast query searching for an SQL server. This response -could take advantage of a buffer overrun condition in an MDAC component -which may result in the attacker being presented with the opportunity to -execute code of their choosing with the privileges of the user running -the service on the client system. - -A DoS condition may also manifest in MDAC version 2.8. - -MDAC is included by default on many Microsoft Windows systems. Client -workstations may make regular broadcast announcements in an attempt to -find SQL servers. - --- -Affected Systems: - Microsoft Data Access Components 2.5 - Microsoft Data Access Components 2.6 - Microsoft Data Access Components 2.7 - Microsoft Data Access Components 2.8 - --- -Attack Scenarios: -The attacker may spoof the response from an SQL server to exploit the -vulnerability. - --- -Ease of Attack: -Moderate.. - --- -False Positives: -Since this rule cannot be constrained using ports and the connection -state for MSDAC is not tracked, false positive events may occur under -normal circumstances. The $SQL_SERVERS variable in snort.conf should be -configured correctly to eliminate this behavior. - --- -False Negatives: -None known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Disallow access to database servers from sources external to the -protected network. - -Disallow access to database servers from untrusted hosts. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/232.txt snort-2.9.2/doc/signatures/232.txt --- snort-2.9.0.1/doc/signatures/232.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/232.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: --- -Sid: -232 - --- -Summary: -This event is generated when a pong packet for the Trinoo (aka trin00) -DDos suite is detected. - --- -Impact: -This may indicate a compromised system or be the prelude to a -Distributed Denial of Service (DDoS) attack. - --- -Detailed Information: -Once a Trinoo client has been installed on a compromised machine and a master is -ready and listening, the master sends a "png" (ping) command to its drones in -an attempt to enumerate the drone network. A functioning client will respond to -port 31335/udp with the text "PONG". - -Once a machine becomes part of a trin00 network, a Denial of Service (DoS) -is typically initiated against one (or more) victim machines. - --- -Affected Systems: - --- -Attack Scenarios: -As part of a large scale attack against a machine or a network, an -attacker will compromise large numbers of machines which will form the -army that the trin00 master daemon will command. The master daemon -typically instructs the clients to send mass-quantities of packets to -a set of victim hosts. If the traffic is sufficient, the victim -machines will become resource deprived and thus endure a DoS condition. - --- -Ease of Attack: -Simple. Trinoo client and master programs are widely available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disconnect infected machine(s) from the network immediately. - -Use software to determine if a host has been compromised using a -rootkit. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -SANS: -http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/2330.txt snort-2.9.2/doc/signatures/2330.txt --- snort-2.9.0.1/doc/signatures/2330.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2330.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2330 - --- -Summary: -This event is generated when a remote user sends an overly long string -to an IMAP server via the command AUTH. This may indicate an attempt to -exploit a buffer overflow condition. - --- -Impact: -Serious. Possible remote execution of arbitrary code, which may lead to -a remote root compromise. - --- -Detailed Information: -When a large amount of data is sent to a vulnerable IMAP server in the -AUTHENTICATE command, a buffer overflow condition may occur. This can -allow the attacker to execute arbitrary code, which may allow the -attacker to gain root access to the compromised server. - --- -Affected Systems: - IMAP servers - --- -Attack Scenarios: -An attacker can send a sufficiently long AUTHENTICATE command to the -IMAP server, creating a buffer overflow condition. This can then allow -the attacker to execute code of their choosing and possibly gain root -access to the compromised server. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate patches for your operating system. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2331.txt snort-2.9.2/doc/signatures/2331.txt --- snort-2.9.0.1/doc/signatures/2331.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2331.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2331 - --- -Summary: -This event is generated when an attempt is made to possibly gain -administrative access to the MatrikzGB Guestbook PHP application running -on a server. - --- -Impact: -Possible administrative access to the Guestbook. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the MatrikzGB Guestbook web application running on a server. - -It is possible for an attacker to modify the appropriate URI parameter -in the index.php script to gain administrative rightst to the MatrikzGB -Guestbook. - --- -Affected Systems: - MatrikzGB Guestbook 2.0 - --- -Attack Scenarios: -An attacker can supply "admin" to the "new_rights" parameter in the PHP -script index.php. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2332.txt snort-2.9.2/doc/signatures/2332.txt --- snort-2.9.0.1/doc/signatures/2332.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2332.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2332 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an FTP server. - --- -Impact: -Possible execution of arbitrary code. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of spurious -activity in FTP traffic between hosts. - -It is possible for a user to supply data to an FTP ommand and have it -interpreted as code. The attacker might then be able to run code of -their choosing with the privileges of the user running the FTP service. - --- -Affected Systems: - PlatinumFTP PlatinumFTPserver 1.0.18 - --- -Attack Scenarios: -An attacker might utilize a vulnerability in an FTP daemon to gain access to a -host, then upload a Trojan Horse program to gain control of that host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2333.txt snort-2.9.2/doc/signatures/2333.txt --- snort-2.9.0.1/doc/signatures/2333.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2333.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2333 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an FTP server. - --- -Impact: -Possible execution of arbitrary code. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of spurious -activity in FTP traffic between hosts. - -It is possible for a user to supply data to an FTP ommand and have it -interpreted as code. The attacker might then be able to run code of -their choosing with the privileges of the user running the FTP service. - --- -Affected Systems: - PlatinumFTP PlatinumFTPserver 1.0.18 - --- -Attack Scenarios: -An attacker might utilize a vulnerability in an FTP daemon to gain access to a -host, then upload a Trojan Horse program to gain control of that host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2334.txt snort-2.9.2/doc/signatures/2334.txt --- snort-2.9.0.1/doc/signatures/2334.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2334.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -2334 - --- -Summary: -This event is generated when an attempt is made to access a Yak! FTP -server using the default username and password. - --- -Impact: -Administrative access to the server. - --- -Detailed Information: -Yak FTP servers have a default username and password of "user" and -"y049575046", if this is not changed by the administrator it is possible -for an attacker to gain unauthorised access to the server. - --- -Affected Systems: - Yak FTP servers - --- -Attack Scenarios: -An attacker merely needs to login to the server using the default -username and password. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Change the username and password. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2335.txt snort-2.9.2/doc/signatures/2335.txt --- snort-2.9.0.1/doc/signatures/2335.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2335.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2335 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in AppleShare IP FTP Server. - --- -Impact: -Denial of Service (DoS) - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of spurious -activity in FTP traffic between hosts. - -It is possible for a user to supply data to an FTP command, in this case -RMD, and cause the service to become unavailble to other users. - --- -Affected Systems: - Apple AppleShare IP 5.0, 5.0.1, 5.0.2, 5.0.3 - Apple AppleShare IP 6.1, 6.2, 6.3, 6.3.1 - --- -Attack Scenarios: -An attacker needs to login to the service and use the RMD command in a -specific manner to cause the DoS. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2336.txt snort-2.9.2/doc/signatures/2336.txt --- snort-2.9.0.1/doc/signatures/2336.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2336.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2336 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Verilink NetEngine Broadband Router. - --- -Impact: -Denial of Service (DoS) - --- -Detailed Information: -TFTP is used to transfer files between hosts and devices. This event is indicative of spurious -activity in TFTP traffic between hosts. - -It is possible for an attacker to send a NULL opcode to a Verilink -NetEngine Broadband Router, this may cause the router to become -unresponsive. - --- -Affected Systems: - Verilink NetEngine 6100-4 - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to cause the -DoS. - --- -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2337.txt snort-2.9.2/doc/signatures/2337.txt --- snort-2.9.0.1/doc/signatures/2337.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2337.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -2337 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Tellurian TftpdNT. - --- -Impact: -Execution of arbitrary code. Possible unauthorised root access. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is indicative of spurious -activity in FTP traffic between hosts. - -It is possible for an attacker to expoit a buffer overrun condition in -Tellurian TftpdNT. User supplied filenames are not correctly handled by -some versions of Tellurian TftpdNT, this may result in an attacker being -able to cause the overrun condition to occur. - --- -Affected Systems: - Tellurian TftpdNT 2.0 and prior - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to take -advantage of the vulnerability. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2338.txt snort-2.9.2/doc/signatures/2338.txt --- snort-2.9.0.1/doc/signatures/2338.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2338.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2338 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in GtkFtpd. - --- -Impact: -Execution of arbitrary code. Possible unauthorized root access. - --- -Detailed Information: -GtkFtpd fails to perform sufficient checks on user supplied data to the -daemon. An attacker may exploit this vulnerability to execute code of -their choosing as the root user. This may also lead to remote root -access to the server. - --- -Affected Systems: - GtkFtpd 1.0.2, 1.0.3 and 1.0.4 - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to take -advantage of the vulnerability. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - -Use scp/sftp as an alternative to ftp. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2339.txt snort-2.9.2/doc/signatures/2339.txt --- snort-2.9.0.1/doc/signatures/2339.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2339.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2339 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Verilink Netengine Broadband Routers. - --- -Impact: -Denial of Service (DoS) - --- -Detailed Information: -TFTP is used to transfer files between hosts. This event is indicative of spurious -activity in TFTP traffic from a host to a router. - -It is possible for an attacker to expoit a DoS condition in -Netengine routers. If a UDP packet containing a double-null opcode is -sent to the router's TFTP port the router may crash, thus causing the -DoS. - --- -Affected Systems: - Verilink Netengine Broadband Routers - --- -Attack Scenarios: -An attacker may use a publicly available exploit script to take -advantage of the vulnerability. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/233.txt snort-2.9.2/doc/signatures/233.txt --- snort-2.9.0.1/doc/signatures/233.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/233.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: --- -Sid: -233 - --- -Summary: -This event is generated when a pong packet for the Trinoo (aka trin00) -DDos suite is detected. - --- -Impact: -This may indicate a compromised system or be the prelude to a -Distributed Denial of Service (DDoS) attack. - --- -Detailed Information: -Once a Trinoo client has been installed on a compromised machine and a master is -ready and listening, the master sends a "png" (ping) command to its drones in -an attempt to enumerate the drone network. A functioning client will respond to -port 31335/udp with the text "PONG". - -Once a machine becomes part of a trin00 network, a Denial of Service (DoS) -is typically initiated against one (or more) victim machines. - --- -Affected Systems: - --- -Attack Scenarios: -As part of a large scale attack against a machine or a network, an -attacker will compromise large numbers of machines which will form the -army that the trin00 master daemon will command. The master daemon -typically instructs the clients to send mass-quantities of packets to -a set of victim hosts. If the traffic is sufficient, the victim -machines will become resource deprived and thus endure a DoS condition. - --- -Ease of Attack: -Simple. Trinoo client and master programs are widely available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disconnect infected machine(s) from the network immediately. - -Use software to determine if a host has been compromised using a -rootkit. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -SANS: -http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/2340.txt snort-2.9.2/doc/signatures/2340.txt --- snort-2.9.0.1/doc/signatures/2340.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2340.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2340 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow vulnerability associated with RhinoSoft Serv-u FTP Server CHMOD -command. - --- -Impact: -Remote access. A successful attack may permit the remote execution of -arbitrary commands with system privileges. - --- -Detailed Information: -Serv-u offers FTP servers for Windows hosts. A vulnerability exists -with the CHMOD command that can cause a buffer overflow and permit the -execution of arbitrary commands with system privileges. The buffer -overflow can be caused by supplying an overly long argument to the CHMOD -command. - --- -Affected Systems: - RhinoSoft Serv-u FTP Server prior to version 4.2 - --- -Attack Scenarios: -An attacker can supply an overly long file argument with the CHMOD -command, causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2341.txt snort-2.9.2/doc/signatures/2341.txt --- snort-2.9.0.1/doc/signatures/2341.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2341.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2341
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application DCP-Portal.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-DCP-Portal contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable root when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in a file included from an external source by modifying the
-variable "root" in the editor.php script.
-
---
-Affected Systems:
- DCP-Portal 5.0.1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the root variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2342.txt snort-2.9.2/doc/signatures/2342.txt
--- snort-2.9.0.1/doc/signatures/2342.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2342.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2342
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application DCP-Portal.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-DCP-Portal contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable root when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in a file included from an external source by modifying the
-variable "root" in the editor.php script.
-
---
-Affected Systems:
- DCP-Portal 5.0.1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the root variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2343.txt snort-2.9.2/doc/signatures/2343.txt
--- snort-2.9.0.1/doc/signatures/2343.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2343.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2343
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd STOR command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the STOR command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the STOR
-command.
-
-The issue exists in the SockPrintf() function. A server using the
-MAIL_ADMIN option to send email notifications to the administrator when
-files are uploaded to the server, is vulnerable to the attack. It is
-possible for an attacker to send malformed data to the store() function
-via sockprintf() that will cause the overflow condition to occur, the
-error can be generated by the attacker creating a filename greater than
-32768 bytes in length.
-
---
-Affected Systems:
-
-
---
-Attack Scenarios:
-An attacker can supply an overly long file argument with the STOR
-command, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Disable the MAIL_ADMIN option
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2344.txt snort-2.9.2/doc/signatures/2344.txt
--- snort-2.9.0.1/doc/signatures/2344.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2344.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2344
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ArGoSoft FTP Server.
-
---
-Impact:
-Execution of arbitrary code. Possible unauthorized administrative access.
-
---
-Detailed Information:
-ArGoSoft FTP Server fails to perform sufficient checks on user supplied data to the
-XCWD command. An attacker may exploit this vulnerability to execute code of
-their choosing as the user running the process. This may lead to remote
-administrative access to the server.
-
---
-Affected Systems:
- ArGoSoft FTP Server 1.4.1 .1
-
---
-Attack Scenarios:
-An attacker may connect to the server and supply spurious data to the
-XCWD command causing the overrun to occur.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2345.txt snort-2.9.2/doc/signatures/2345.txt
--- snort-2.9.0.1/doc/signatures/2345.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2345.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2345
-
---
-Summary:
-This event is generated when an attempt is made to access the
-search.php script which contains known vulnerabilities and
-is part of the phpGedView CGI web application running on a server.
-
---
-Impact:
-Information gathering and possible cross site scripting attack.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the phpGedView CGI web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to
-cross site scripting attacks.
-
---
-Affected Systems:
- phpGedView
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including it in the
-firstname parameter of the search.php script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2346.txt snort-2.9.2/doc/signatures/2346.txt
--- snort-2.9.0.1/doc/signatures/2346.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2346.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2346
-
---
-Summary:
-This event is generated when an attempt is made to access the
-chatheader.php script which contains known vulnerabilities and
-is part of the myPHPNuke web application running on a server.
-
---
-Impact:
-Information gathering and possible cross site scripting attack.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the myPHPNuke web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to
-cross site scripting attacks.
-
---
-Affected Systems:
- myPHPNuke 1.8.8
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including it in the
-Default_Theme parameter of the chatheader.php script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2347.txt snort-2.9.2/doc/signatures/2347.txt
--- snort-2.9.0.1/doc/signatures/2347.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2347.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2347
-
---
-Summary:
-This event is generated when an attempt is made to access the
-partner.php script which contains known vulnerabilities and
-is part of the myPHPNuke web application running on a server.
-
---
-Impact:
-Information gathering and possible cross site scripting attack.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the myPHPNuke web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to
-cross site scripting attacks.
-
---
-Affected Systems:
- myPHPNuke 1.8.8
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including it in the
-Default_Theme parameter of the partner.php script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2348.txt snort-2.9.2/doc/signatures/2348.txt
--- snort-2.9.0.1/doc/signatures/2348.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2348.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-2348
-
---
-Summary:
-This rule does not generate an event. I does activate sid 2349 however.s
-
---
-Impact:
-Intelligence gathering.
-
---
-Detailed Information:
-This rule checks for a bind to a print spool using DCE RPC. This may be
-an attempt to check for printer and printer services available on a
-host. Sid 2349 will generate an event when an attempt is made to
-enumerate the printer service on a host.
-
---
-Affected Systems:
- All Microsoft DCE RPC enabled systems
-
---
-Attack Scenarios:
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2349.txt snort-2.9.2/doc/signatures/2349.txt
--- snort-2.9.0.1/doc/signatures/2349.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2349.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-2349
-
---
-Summary:
-This event is generated when an attempt is made to enumerate the printer
-service on a system using DCE RPC.
-
---
-Impact:
-Intelligence gathering.
-
---
-Detailed Information:
-This rule checks for an attempt to enumerate a print spool service using DCE RPC.
-This may be an attempt to check for printer and printer services available on a
-host.
-
---
-Affected Systems:
- All Microsoft DCE RPC enabled systems
-
---
-Attack Scenarios:
-An attacker may identify the print service being used and exploit that
-information in further attacks against the system.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/234.txt snort-2.9.2/doc/signatures/234.txt
--- snort-2.9.0.1/doc/signatures/234.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/234.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-234
-
---
-Summary:
-This event is generated when a trinoo DDoS attacker host communicates with a master host.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.
-
---
-Detailed Information:
-The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks. An attacker may communicate with a master via TCP destination port 27665 with a string of "g0rave" in the payload. This string is the default master startup password.
-
---
-Affected Systems:
-Any trinoo compromised host.
-
---
-Attack Scenarios:
-A trinoo attacker will communicate with masters to direct them to launch attacks.
-
---
-Ease of Attack:
-Simple. trinoo code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-SecurityFocus:
-http://www.securityfocus.com/archive/1/37706
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html#trinoo
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2350.txt snort-2.9.2/doc/signatures/2350.txt
--- snort-2.9.0.1/doc/signatures/2350.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2350.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,93 +0,0 @@
-Rule:
-
---
-Sid:
-2192
-
---
-Summary:
-This rule no longer generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-This rule now uses flowbits and can be set to generate an event by
-modifying the rule slightly to remove the "flowbits:no_alert;" option.
-When traffic is detected that attempts to bind to the ISystemActivator
-object in MS RPC DCOM communications this rule now activates sids 2351
-and 2352 to detect exploits against this service. Cool huh?
-
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
-This vulnerability is also exploited by the Billy/Blaster worm. The worm
-also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
-number of events generated by this rule may indicate worm activity.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists. This is also exploited by a worm.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
-Block access to port 69 used by the worm to propogate.
-
-Block access to port 4444 used by the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
-
-Symantec:
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2351.txt snort-2.9.2/doc/signatures/2351.txt
--- snort-2.9.0.1/doc/signatures/2351.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2351.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,87 +0,0 @@
-Rule:
-
---
-Sid:
-2351
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
-This vulnerability is also exploited by the Billy/Blaster worm. The worm
-also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
-number of events generated by this rule may indicate worm activity.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists. This is also exploited by a worm.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
-Block access to port 69 used by the worm to propogate.
-
-Block access to port 4444 used by the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
-
-Symantec:
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2352.txt snort-2.9.2/doc/signatures/2352.txt
--- snort-2.9.0.1/doc/signatures/2352.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2352.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,87 +0,0 @@
-Rule:
-
---
-Sid:
-2192
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
-This vulnerability is also exploited by the Billy/Blaster worm. The worm
-also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
-number of events generated by this rule may indicate worm activity.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists. This is also exploited by a worm.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
-Block access to port 69 used by the worm to propogate.
-
-Block access to port 4444 used by the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
-
-Symantec:
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2353.txt snort-2.9.2/doc/signatures/2353.txt
--- snort-2.9.0.1/doc/signatures/2353.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2353.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2353
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application IdeaBox.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-IdeaBox contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable ideaDir when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file cord.php.
-
---
-Affected Systems:
- PHPOutsourcing IdeaBox 1.0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the ideaDir variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2354.txt snort-2.9.2/doc/signatures/2354.txt
--- snort-2.9.0.1/doc/signatures/2354.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2354.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2354
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application IdeaBox.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-IdeaBox contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable gorumDir when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file notification.php.
-
---
-Affected Systems:
- PHPOutsourcing IdeaBox 1.0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the gorumDir variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2355.txt snort-2.9.2/doc/signatures/2355.txt
--- snort-2.9.0.1/doc/signatures/2355.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2355.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2355
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Invision Board.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-Invision Board contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating a variable when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file emailer.php.
-
---
-Affected Systems:
- Invision Power Services Invision Board 1.1.1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the variable that defines the location of the emailer.php
-script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2356.txt snort-2.9.2/doc/signatures/2356.txt
--- snort-2.9.0.1/doc/signatures/2356.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2356.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2356
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application WebChat.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-WebChat contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable
-WEBCHATPATH when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file db_mysql.php.
-
---
-Affected Systems:
- Webdev Webchat 0.77
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the WEBCHATPATH variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2357.txt snort-2.9.2/doc/signatures/2357.txt
--- snort-2.9.0.1/doc/signatures/2357.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2357.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2357
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application WebChat.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-WebChat contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable
-WEBCHATPATH when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file english.php.
-
---
-Affected Systems:
- Webdev Webchat 0.77
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the WEBCHATPATH variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2358.txt snort-2.9.2/doc/signatures/2358.txt
--- snort-2.9.0.1/doc/signatures/2358.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2358.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2358
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Typo3.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-Typo3 contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable ONLY when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- Typo3 Typo3 3.5 b5
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the ONLY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2359.txt snort-2.9.2/doc/signatures/2359.txt
--- snort-2.9.0.1/doc/signatures/2359.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2359.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2359
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application Invision Board.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-Invision Board contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable root_path when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file conf_global.php.
-
---
-Affected Systems:
- Invision Power Services Invision Board 1.1.1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the root_path variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/235.txt snort-2.9.2/doc/signatures/235.txt
--- snort-2.9.0.1/doc/signatures/235.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/235.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-235
-
---
-Summary:
-This event is generated when a trinoo DDoS attacker host communicates with a master host.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a trinoo attacker. If the listed destination IP is in your network, it may be a trinoo master.
-
---
-Detailed Information:
-The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, attackers communicate with masters to direct them to launch attacks. An attacker may communicate with a master via TCP destination port 27665 with a string of "killme" in the payload. This string is a default mdie password.
-
---
-Affected Systems:
-Any trinoo compromised host.
-
---
-Attack Scenarios:
-A trinoo attacker will communicate with masters to direct them to launch attacks.
-
---
-Ease of Attack:
-Simple. trinoo code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-SecurityFocus:
-http://www.securityfocus.com/archive/1/37706
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html#trinoo
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2360.txt snort-2.9.2/doc/signatures/2360.txt
--- snort-2.9.0.1/doc/signatures/2360.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2360.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2360
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application MyphpPagetool.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-MyphpPagetool contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable ptinclude when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root by supplying
-their code in the file pt_config.inc.
-
---
-Affected Systems:
- myphpPagetool 0.4.3 -1
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the ptinclude variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2361.txt snort-2.9.2/doc/signatures/2361.txt
--- snort-2.9.0.1/doc/signatures/2361.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2361.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2361
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application YaBB SE.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-YaBB SE contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable template
-in the script news.php when making a GET or POST request to a
-vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- YaBB SE YaBB SE 0.8
- YaBB SE YaBB SE 1.4.1
- YaBB SE YaBB SE 1.5 .0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the template variable.
-
---
-Ease of Attack:
-Simple. No exploit software required. Exploit code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2362.txt snort-2.9.2/doc/signatures/2362.txt
--- snort-2.9.0.1/doc/signatures/2362.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2362.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2362
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application YaBB SE.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-YaBB SE contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the location of the
-script packer.php parameter when making a GET or POST request
-to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- YaBB SE YaBB SE 0.8
- YaBB SE YaBB SE 1.4.1
- YaBB SE YaBB SE 1.5 .0
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and supply their
-own code in the packer.php script.
-
---
-Ease of Attack:
-Simple. No exploit software required. Exploit code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2363.txt snort-2.9.2/doc/signatures/2363.txt
--- snort-2.9.0.1/doc/signatures/2363.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2363.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2363
-
---
-Summary:
-This event is generated when an attempt is made to access a file that
-has a known vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made access the file
-default_header.php used in the PHP application Cyboards. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Cyboards Cyboards PHP Lite 1.21
- Cyboards Cyboards PHP Lite 1.25
-
---
-Attack Scenarios:
-My manipulating certain variables contained in a PHP script an attacker
-may be able to supply code of their choosing and execute it on the
-server.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2364.txt snort-2.9.2/doc/signatures/2364.txt
--- snort-2.9.0.1/doc/signatures/2364.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2364.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2364
-
---
-Summary:
-This event is generated when an attempt is made to access a file that
-has a known vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made access the file
-options_form.php used in the PHP application Cyboards. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Cyboards Cyboards PHP Lite 1.21
- Cyboards Cyboards PHP Lite 1.25
-
---
-Attack Scenarios:
-My manipulating certain variables contained in a PHP script an attacker
-may be able to supply code of their choosing and execute it on the
-server.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2365.txt snort-2.9.2/doc/signatures/2365.txt
--- snort-2.9.0.1/doc/signatures/2365.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2365.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2365
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application newsPHP.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-newsPHP contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the variable LangFile when
-making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- newsPHP newsPHP 216
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path for the LangFile variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2366.txt snort-2.9.2/doc/signatures/2366.txt
--- snort-2.9.0.1/doc/signatures/2366.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2366.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2366
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2367.txt snort-2.9.2/doc/signatures/2367.txt
--- snort-2.9.0.1/doc/signatures/2367.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2367.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2367
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-2003-07.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2368.txt snort-2.9.2/doc/signatures/2368.txt
--- snort-2.9.0.1/doc/signatures/2368.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2368.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2368
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2369.txt snort-2.9.2/doc/signatures/2369.txt
--- snort-2.9.0.1/doc/signatures/2369.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2369.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2369
-
---
-Summary:
-This event is generated when an attempt is made to access ISAPISkeleton.dll on a
-web server. This may indicate an attempt to exploit a cross-site
-scripting vulnerability in BRS WebWeaver.
-
---
-Impact:
-Arbitrary code execution, possible session hijack.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit a
-cross-site scripting vulnerability in BRS WebWeaver .
-An attacker can pass an argument to ISAPISkeleton.dll that may contain
-malicious code that could be executed on the victims machine.
-
---
-Affected Systems:
- BRS WebWeaver
-
---
-Attack Scenarios:
-An attacker can pass a specific argument to ISAPISkeleton.dll that may
-contain malicious code.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/236.txt snort-2.9.2/doc/signatures/236.txt
--- snort-2.9.0.1/doc/signatures/236.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/236.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
---
-Sid:
-236
-
---
-Summary:
-This event is generated when a Stacheldraht handler probes for a Stacheldraht agent on the destination host.
-
---
-Impact:
-Severe. This indicates that a Stacheldraht handler may exist on the source host and an agent may exist on the destination host.
-
---
-Detailed Information:
-The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
-
-There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can discover if a particular host is a Stacheldraht agent by sending it an ICMP echo reply with an ICMP identification number of 668 and a string of "gesundheit!" in the payload.
-
---
-Affected Systems:
-Any Stacheldraht compromised host.
-
---
-Attack Scenarios:
-A handler may attempt to discover if the destination host is a Stacheldraht agent. A script named "gag" can be used to generate this communication for a defender or attacker to discover if a host is a Stacheldraht agent.
-
---
-Ease of Attack:
-Simple. The gag script is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS194
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2370.txt snort-2.9.2/doc/signatures/2370.txt
--- snort-2.9.0.1/doc/signatures/2370.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2370.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2370
-
---
-Summary:
-This event is generated when an attempt is made to access config.conf, a
-component of the BugPort PHP web application running on a server.
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-BugPort is a PHP application used for bug tracking purposes. It is
-possible for a remote user to view the configuration file for the
-application by making a request for the file using a web browser.
-
---
-Affected Systems:
- BugPort prior to version 1.099
-
---
-Attack Scenarios:
-An attacker can view the configuration file for the server by using a
-web browser to request the file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2371.txt snort-2.9.2/doc/signatures/2371.txt
--- snort-2.9.0.1/doc/signatures/2371.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2371.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2371
-
---
-Summary:
-This event is generated when an attempt is made to access
-Sample_showcode.html, a component of the Niti Telecom Caravan Business
-Server.
-
---
-Impact:
-Information disclosure. Possible directory traversal.
-
---
-Detailed Information:
-Caravan Business Server is used to develop web applications. It is
-possible for an external user to perform a directory traversal attack
-against the server by maipulating the parameter fname in the
-Sample_showcode.html file.
-
---
-Affected Systems:
- Caravan Business Server 2.00/03D
-
---
-Attack Scenarios:
-An attacker can view files on the system by performaing a directory
-traversal attack using the fname parameter in the Sample_showcode.html
-script.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2372.txt snort-2.9.2/doc/signatures/2372.txt
--- snort-2.9.0.1/doc/signatures/2372.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2372.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2372
-
---
-Summary:
-This event is generated when an attempt is made to access showphoto.php, a
-component of the Photopost PHP web application running on a server.
-
---
-Impact:
-Unauthorized administrative access to the underlying database.
-
---
-Detailed Information:
-Photopost is a PHP photo gallery application. It is possible for a
-remote attacker to perform SQL queries on the database used by Photopost
-that could disclose sensitive information or compromise the data stored
-on the server.
-
---
-Affected Systems:
- Photopost PHP Pro version 4.6 and earlier
-
---
-Attack Scenarios:
-An attacker can manipulate the photo parameter in the script
-showphoto.php to perform SQL queries of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2373.txt snort-2.9.2/doc/signatures/2373.txt
--- snort-2.9.0.1/doc/signatures/2373.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2373.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2373
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with Mollensoft Hyperion FTP/Encladus Server Suite XMKD
-command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists
-with the XMKD command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the XMKD
-command.
-
---
-Affected Systems:
- Mollensoft Software Enceladus Server Suite 3.9.11
- Mollensoft Software Hyperion FTP Server 3.5.2
-
---
-Attack Scenarios:
-An attacker can supply an overly long file argument with the XMKD
-command, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2374.txt snort-2.9.2/doc/signatures/2374.txt
--- snort-2.9.0.1/doc/signatures/2374.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2374.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2374
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with Mollensoft Hyperion FTP/Encladus Server Suite NLST
-command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists
-with the NLST command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the NLST
-command.
-
---
-Affected Systems:
- Mollensoft Software Enceladus Server Suite 3.9.11
- Mollensoft Software Hyperion FTP Server 3.5.2
-
---
-Attack Scenarios:
-An attacker can supply an overly long file argument with the NLST
-command, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2375.txt snort-2.9.2/doc/signatures/2375.txt
--- snort-2.9.0.1/doc/signatures/2375.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2375.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2375
-
---
-Summary:
-This event is generated when activity from the worm DoomJuice is
-detected.
-
---
-Impact:
-This is indicative of worm activity which may launch of a Denial of
-Service condition against Microsoft from infected machines.
-
---
-Detailed Information:
-This event is indicative of activity by the DoomJuice worm. This worm
-attempts to connect to random addresses on port 3127, if it receives a
-response it will attempt to upload a copy of itself to the target
-machine. If no response is received on that port, it will try on ports
-between 3127 and 3199.
-
-If the date is between February 8th and February 28th 2004, the worm
-will attempt to launch a Denial of Service (DoS) attack against
-www.microsoft.com.
-
---
-Affected Systems:
- Windows 95
- Windows 98
- Windows Me
- Windows NT
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-This is worm activity.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-It is possible to edit the binary data in the executable to create a
-variant of the worm. This may evade the rule.
-
---
-Corrective Action:
-Use Anti-Virus software to remove the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2376.txt snort-2.9.2/doc/signatures/2376.txt
--- snort-2.9.0.1/doc/signatures/2376.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2376.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2376
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2377.txt snort-2.9.2/doc/signatures/2377.txt
--- snort-2.9.0.1/doc/signatures/2377.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2377.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2377
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2378.txt snort-2.9.2/doc/signatures/2378.txt
--- snort-2.9.0.1/doc/signatures/2378.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2378.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2378
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2379.txt snort-2.9.2/doc/signatures/2379.txt
--- snort-2.9.0.1/doc/signatures/2379.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2379.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2379
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/237.txt snort-2.9.2/doc/signatures/237.txt
--- snort-2.9.0.1/doc/signatures/237.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/237.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-237
-
---
-Summary:
-This event is generated when a trinoo DDoS master host communicates with a daemon host.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a trinoo master. If the listed destination IP is in your network, it may be a trinoo daemon.
-
---
-Detailed Information:
-The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Masters communicate with daemons to direct them to launch attacks. A master may communicate with a daemon via UDP destination port 27444 with a string of "l44adsl" in the payload. This string is the default password for the daemon.
-
---
-Affected Systems:
-Any trinoo compromised host.
-
---
-Attack Scenarios:
-A trinoo master will communicate with a daemon to direct it to launch attacks.
-
---
-Ease of Attack:
-Simple. trinoo code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html#trinoo
-
-Arachnids:
-http://www.whitehats.com/info/IDS197
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2380.txt snort-2.9.2/doc/signatures/2380.txt
--- snort-2.9.0.1/doc/signatures/2380.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2380.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2380
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint VPN-1.
-
---
-Impact:
-Unauthorized administrative access to Checkpoint VPN-1 systems
-
---
-Detailed Information:
-Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
-affects the processing of large Certificate requests to the VPN service.
-By sending a large amount of data in the Certificate Request payload an
-attacker may cause a buffer overflow condition to occur, presenting an
-opportunity to execute code of their choosing with the privileges of the
-user running the service, usually root.
-
---
-Affected Systems:
- CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
- CheckPoint Software FW-1 Next Generation FP1, FP0
- CheckPoint Software VPN-1 1.4.1 SP5a
- CheckPoint Software VPN-1 Next Generation FP1, FP0
-
---
-Attack Scenarios:
-An attacker could supply a large Certificate Request payload containing
-code to be executed on the system.
-
---
-Ease of Attack:
-Proof of concept code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2381.txt snort-2.9.2/doc/signatures/2381.txt
--- snort-2.9.0.1/doc/signatures/2381.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2381.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2381
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Checkpoint Firewall-1
-
---
-Impact:
-Serious. Unauthorized administrative access to the firewall
-
---
-Detailed Information:
-A vulnerability exists in Checkpoint Firewall-1 that may allow a remote
-attacker to gain control of the firewall. The issues lies in the
-handling of HTTP requests by the Security Server and Application
-Intelligence modules of the Firewall's administration console.
-
-By supplying a malformed scheme in a URI an attacker may present the
-attacker with the opportunity to send data of their choosing to the
-sprintf() system call.
-
---
-Affected Systems:
- Checkpoint Firewall-1
-
---
-Attack Scenarios:
-An attacker must supply specially crafted packets containing malformed
-URI schema with the data they wish to send to the sprintf() function.
-This may then present the attacker with administrative privileges on the
-server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Disallow external access to the Firewall-1 administrative interface.
-
-Disable the Web interface to the firewall if possible
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2382.txt snort-2.9.2/doc/signatures/2382.txt
--- snort-2.9.0.1/doc/signatures/2382.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2382.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2382
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2383.txt snort-2.9.2/doc/signatures/2383.txt
--- snort-2.9.0.1/doc/signatures/2383.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2383.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2383
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2384.txt snort-2.9.2/doc/signatures/2384.txt
--- snort-2.9.0.1/doc/signatures/2384.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2384.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2384
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2385.txt snort-2.9.2/doc/signatures/2385.txt
--- snort-2.9.0.1/doc/signatures/2385.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2385.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-2385
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2386.txt snort-2.9.2/doc/signatures/2386.txt
--- snort-2.9.0.1/doc/signatures/2386.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2386.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2386
-
---
-Summary:
-This event is generated when an attempt is made to scan for a known
-vulnerability in the Microsoft implementation of the ASN.1 Library using
-Nessus.
-
---
-Impact:
-Intelligence gathering.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
-This event indicates a possible attempt to enumerate vulnerable hosts using
-Nessus.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2387.txt snort-2.9.2/doc/signatures/2387.txt
--- snort-2.9.0.1/doc/signatures/2387.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2387.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2387
-
---
-Summary:
-This event is generated when an attempt is made to view a URL with the string "view_broadcast.cgi" in the name.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-A vulnerabilities exists in Apple Quick Time Streaming Server and
-Apple Darwin Streaming Server running on Windows hosts, that may allow
-a denial of service to occur. This happens when expected parameters are not
-supplied to this script, causing the server to fail to accept new connections.
-
---
-Affected Systems:
-QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows
-
---
-Attack Scenarios:
-An attacker can craft a packet that contains a URL with the location of the view_broadcast.cgi script and not pass it required parameters.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate patches for the systems affected.
-
-Upgrade to the latest non affected versions of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/8257
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0422
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2388.txt snort-2.9.2/doc/signatures/2388.txt
--- snort-2.9.0.1/doc/signatures/2388.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2388.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2388
-
---
-Summary:
-This event is generated when an attempt is made to access
-view_broadcast.cgi on a server used for streaming media services.
-
---
-Impact:
-Information gathering and system integrity compromise.
-
---
-Detailed Information:
-The view_broadcast.cgi script contains a known vulnerability that may
-allow an attacker to perform a variety of cross-site scripting attacks.
-This event is generated when an attempt is amde to access the script
-directly from a source external to the protected network.
-
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2389.txt snort-2.9.2/doc/signatures/2389.txt
--- snort-2.9.0.1/doc/signatures/2389.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2389.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2389
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd RNTO command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the RNTO command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the RNTO
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/238.txt snort-2.9.2/doc/signatures/238.txt
--- snort-2.9.0.1/doc/signatures/238.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/238.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
---
-Sid:
-238
-
---
-Summary:
-This event is generated when a Tribe Flood Network (TFN) Distributed Denial of Service (DDoS) daemon responds to a client request to spawn a shell.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a TFN daemon. If the listed destination IP is in your network, it may be a TFN client.
-
---
-Detailed Information:
-The TFN DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Clients communicate with daemons to inform them to launch attacks. A daemon will respond with a client request to spawn a shell with an ICMP echo reply with an ICMP identification number of 123, an ICMP sequence number of 0 and a string of "shell bound to port" in the payload.
-
---
-Affected Systems:
-Any TFN compromised host.
-
---
-Attack Scenarios:
-After a host becomes a TFN daemon, it will respond to client requests.
-
---
-Ease of Attack:
-Simple. TFN code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
-Arachnids:
-http://www.whitehats.com/info/IDS182
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2390.txt snort-2.9.2/doc/signatures/2390.txt
--- snort-2.9.0.1/doc/signatures/2390.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2390.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2390
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd STOU command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the STOU command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the STOU
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2391.txt snort-2.9.2/doc/signatures/2391.txt
--- snort-2.9.0.1/doc/signatures/2391.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2391.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2391
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd APPE command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the APPE command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the APPE
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2392.txt snort-2.9.2/doc/signatures/2392.txt
--- snort-2.9.0.1/doc/signatures/2392.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2392.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2392
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with WuFtpd RETR command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges.
-
---
-Detailed Information:
-WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
-with the RETR command that can cause a buffer overflow and permit the
-execution of arbitrary commands with system privileges. The buffer
-overflow can be caused by supplying an overly long argument to the RETR
-command.
-
-The issue exists in the realpath() function. It is possible for an
-attacker to send malformed data to the realpath() function that will
-cause the overflow condition to occur.
-
---
-Affected Systems:
- Multiple systems using affected C libraries, libc
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
-Recompile binaries statically linked to the system libc implementation
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2393.txt snort-2.9.2/doc/signatures/2393.txt
--- snort-2.9.0.1/doc/signatures/2393.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2393.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2393
-
---
-Summary:
-This event is generated when an attempt is made to access the /_admin directory.
-
---
-Impact:
-Unauthorized file upload or information gathering. This can allow an attacker to upload unauthorized files to the web server or information disclosure.
-
---
-Detailed Information:
-A vulnerability exists in the jbrowser web-based image gallery software that allows unchecked access to the _admin directory, possibly permitting an attacker to execute scripts found in this directory. Execution of admin scripts upload.php3 and upload_ftp.php3 may allow the attacker to upload malicious files to the server or replace existing files. Execution of the list_all.php script may allow an attacker to display files in directories, including those not in the web server root directory.
-
---
-Affected Systems:
-Not reported.
-
---
-Attack Scenarios:
-An attacker can craft a URL to execute the upload.php3, upload_ftp.php3, and list_all.php scripts to upload files or examine files on the vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Restrict access to the '_admin' directory to authorized users only.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/9537
-
-nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=12032
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2394.txt snort-2.9.2/doc/signatures/2394.txt
--- snort-2.9.0.1/doc/signatures/2394.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2394.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-2394
-
---
-Summary:
-This event is generated when a malformed request is sent to the Compaq Web-Based Management Agent.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-Compaq Web-Based Management Agent is used to perform remote system administration for Windows hosts. A vulnerability exists in the software when traffic is sent t
-o access to Compaq Web-Based Management Agent that contains a malformed request, possibly causing the service to crash. URL requests that contain the characters "
-" or "" cause the denial of service to occur. Note that the rule uses an initial keyword of "content" instead of "urico
-ntent" since uricontent only examines web server ports identified in the pre-processor http_inspect in the configuration setup. Default configurations do not incl
-ude port 2301 as a web server port, preventing the event from being generated.
-
---
-Affected Systems:
-Host running Compaq Web-Based Management Agent.
-
---
-Attack Scenarios:
-An attacker can send a malformed request to the listening service, causing the system to crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Block inbound port 2301 traffic or restrict access to known authorized IP addresses.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/8014
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2395.txt snort-2.9.2/doc/signatures/2395.txt
--- snort-2.9.0.1/doc/signatures/2395.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2395.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2395
-
---
-Summary:
-This event is generated when an attempt is made to view a URL with the string "InteractiveQuery.jsp" in the name.
-
---
-Impact:
-Successful cross-site scripting attacks generally target the users of
-your web site. Attackers can potentially gain access to your users'
-cookies or session ids, allowing the attacker to impersonate your
-user.
-
---
-Detailed Information:
-BEA WebLogic supplies a CGI script InteractiveQuery.jsp that may be susceptible to cross-site scripting. The vulnerability
-occurs because of improper sanitizing of data to the argument 'person'. This may permit malicious code to be executed when
-a user visits a vulnerable site.
-
---
-Affected Systems:
-BEA WebLogic 8.1 and earlier versions.
-
---
-Attack Scenarios:
-An attacker can lure a user to a website that is vulnerable, perhaps permitting the malicious code to be executed on the user's host.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Remove the InteractiveQuery.jsp script or move it from the server's CGI path.
-
-Upgrade to the latest non affected versions of the software.
-
-Configure the web browser to not allow the execution of code.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/8938
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0624
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2396.txt snort-2.9.2/doc/signatures/2396.txt
--- snort-2.9.0.1/doc/signatures/2396.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2396.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2396
-
---
-Summary:
-This event is generated when an attacker attempts to execute an arbitrary command on a web server running the CCBill software.
-
---
-Impact:
-Execution of arbitrary commands.
-
---
-Detailed Information:
-The CCBill software is available to manage credit card information for UNIX and Windows hosts. The script whereami.cgi is used for technical support of the software. A vulnerability exists in the whereami.cgi script that allows the execution of arbitrary commands from an attacker who passes a command via whereami.cgi?g=command format in a URL. Supplied commands can list file names, show the contents of the password file, or install a backdoor to name a few actions that an attacker may attempt.
-
---
-Affected Systems:
-Hosts running CCBill software that has the whereami.cgi in the server's CGI path.
-
---
-Attack Scenarios:
-An attacker can send a request to execute an arbitrary command.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the whereami.cgi command.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/8095
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2397.txt snort-2.9.2/doc/signatures/2397.txt
--- snort-2.9.0.1/doc/signatures/2397.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2397.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-2397
-
---
-Summary:
-This event is generated when an attacker includes "/whereami.cgi" in a URL, typically aimed at a web server running the CCBill software.
-
---
-Impact:
-Execution of arbitrary commands.
-
---
-Detailed Information:
-The CCBill software is available to manage credit card information for UNIX and Windows hosts. The script whereami.cgi is used for technical support of the software. A vulnerability exists in the whereami.cgi script that allows the execution of arbitrary commands from an attacker who passes a command via whereami.cgi?g=command format in a URL. Supplied commands can list file names, show the contents of the password file, or install a backdoor to name a few actions that an attacker may attempt.
-
---
-Affected Systems:
-Hosts running CCBill software that has the whereami.cgi in the server's CGI path.
-
---
-Attack Scenarios:
-An attacker can send a request to execute an arbitrary command.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the whereami.cgi command.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-bugtraq
-http://www.securityfocus.com/bid/8095
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2398.txt snort-2.9.2/doc/signatures/2398.txt
--- snort-2.9.0.1/doc/signatures/2398.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2398.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2398
-
---
-Summary:
-This event is generated when an attempt is made to exploit the PHP web
-application WAnewsletter.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the WAnewsletter PHP web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to the
-execution of arbitrary code of the atttackers choosing.
-
---
-Affected Systems:
- WAnewsletter
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including a file in
-parameters supplied to the script newsletter.php or db_type.php.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2399.txt snort-2.9.2/doc/signatures/2399.txt
--- snort-2.9.0.1/doc/signatures/2399.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2399.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2399
-
---
-Summary:
-This event is generated when an attempt is made to exploit the PHP web
-application WAnewsletter.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the WAnewsletter PHP web application running on a server.
-Multiple vulnerabilities exist in the application which can lead to the
-execution of arbitrary code of the atttackers choosing.
-
---
-Affected Systems:
- WAnewsletter
-
---
-Attack Scenarios:
-An attacker can supply code of their choice by including a file in
-parameters supplied to the script newsletter.php or db_type.php.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/239.txt snort-2.9.2/doc/signatures/239.txt
--- snort-2.9.0.1/doc/signatures/239.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/239.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-239
-
---
-Summary:
-This event is generated when a DDoS Shaft handler communicates with a Shaft agent. It is also possible that this event may be generated when any host attempts to discover a Shaft agent.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft handler or a host attempting to discover Shaft agents. If the listed destination IP is in your network, it may be a Shaft agent.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. A handler may communicate with an agent using a UDP packet to destination port 18753 with a content of "alive tijgu. This communication checks if an agent is alive and uses a default password of "tijgu".
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft handler needs to discover if an agent is alive before directing it to launch an attack.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS255
-
-Miscellaneous:
-http://biocserver.cwru.edu/~jose/shaft_analysis/
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2400.txt snort-2.9.2/doc/signatures/2400.txt
--- snort-2.9.0.1/doc/signatures/2400.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2400.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2400
-
---
-Summary:
-This event is generated when an attempt is made to access the CGI script
-edittag.pl.
-
---
-Impact:
-Information Disclosure
-
---
-Detailed Information:
-EditTag is a perl script that can be used to manage web site content.
-
-The edittag.pl CGI script may allow an attacker to leverage a directory
-traversal attack on a web server. Due to insufficient checks on user
-supplied input, it may be possible for an attacker to supply encoded
-"../" characters to traverse out of the web root and view sensitive
-system files on the web server.
-
---
-Affected Systems:
- EditTag
-
---
-Attack Scenarios:
-An attacker can utilize this vulnerability to gain sensitive information
-that may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2401.txt snort-2.9.2/doc/signatures/2401.txt
--- snort-2.9.0.1/doc/signatures/2401.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2401.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,88 +0,0 @@
-Rule:
-
---
-Sid:
-2401
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-This rule may not generate an alert if a legitimate SMB request contains a password
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2402.txt snort-2.9.2/doc/signatures/2402.txt
--- snort-2.9.0.1/doc/signatures/2402.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2402.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,88 +0,0 @@
-Rule:
-
---
-Sid:
-2402
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-This rule may not generate an alert if a legitimate SMB request contains a password
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2403.txt snort-2.9.2/doc/signatures/2403.txt
--- snort-2.9.0.1/doc/signatures/2403.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2403.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,88 +0,0 @@
-Rule:
-
---
-Sid:
-2403
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2404.txt snort-2.9.2/doc/signatures/2404.txt
--- snort-2.9.0.1/doc/signatures/2404.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2404.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,92 +0,0 @@
-Rule:
-
---
-Sid:
-2404
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISS RealSecure and BlackICE products.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the ISS Analysis Module can be triggered
-by an attacker sending a single SMB packet containing an AccountName
-greater than 300 bytes. It is possible for an attacker to exploit this
-condition by sending a specially crafted packet to a host serving network shares.
-
-When the systems running one of the affected ISS products decodes the
-SMB data, exploit code may be included and executed on the machine with
-system level privileges. Alternatively, the malformed data may cause the service to become
-unresponsive and cause a DoS condition.
-
-Sensors under attack will display "PAM_internal_error" as a message on
-the console.
-
-Sucessful exploitation of this issue could present an attacker with the
-opportunity to execute code of their choosing on the target host with system
-privileges. It is also possible for a Denial of Service (DoS) condition to
-be caused by an attacker attempting to exploit this condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 20.15 through 22.9
- Real Secure Server Sensor 7.0 XPU 20.16 through 22.9
- Proventia A Series XPU 20.15 through 22.9
- Proventia G Series XPU 22.3 through 22.9
- Proventia M Series XPU 1.3 through 1.7
- RealSecure Desktop 7.0 eba through ebh
- RealSecure Desktop 3.6 ebr through ecb
- RealSecure Guard 3.6 ebr through ecb
- RealSecure Sentry 3.6 ebr through ecb
- BlackICE PC Protection 3.6 cbr through ccb
- BlackICE Server Protection 3.6 cbr through ccb
-
---
-Attack Scenarios:
-An attacker may use this vulnerability to disable ISS sensors on a
-network or potentially use it to gain control of a machine running one
-of the affected products.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-Data transfer between a Windows 2003 file server and other Windows based
-machines may cause this rule to generate events in some circumstances.
-Ensure that the HOME_NET and EXTERNAL_NET variables are correctly set in
-the snort.conf file to negate the effects of file transfers on local
-subnets.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Matt Watchinski
-Nigel Houghton
-
---
-References:
-
-eEye
-http://www.eeye.com/html/Research/Advisories/AD20040226.html
-
-Bugtraq
-http://www.securityfocus.com/bid/9752
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2405.txt snort-2.9.2/doc/signatures/2405.txt
--- snort-2.9.0.1/doc/signatures/2405.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2405.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2405
-
---
-Summary:
-This event is generated when an attempt is made to access the file "phptest.php".
-BadBlue Personal Edition 2.4 servers could disclose confidential
-information on the software configuration towards an attacker.
-
---
-Impact:
-Information gathering.
-This signature is usually indicative of a reconaissance probe.
-Succesful exploitation would provide the originator of the attack with the
-installation path of the software.
-
---
-Detailed Information:
-Web servers running BadBlue Personal Edition 2.4, a
-personal file sharing server, are vulnerable to a path disclosure attack.
-When a client requests the phptest.php file from such a server, the source
-of the HTTP reply page contains the installation path of the software.
-This path can be used as information for further attacks.
-
---
-Affected Systems:
- BadBlue Personal Edition 2.4
-
---
-Attack Scenarios:
-During the reconaissance phase, an attacker could obtain the installation
-path of the BadBlue server. This can become valuable information during
-the later execution of directory traversal or buffer overflow attacks.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-While not a true false positive, many PHP installation howtos advise the
-creation of a small file "phptest.php" which contains a call for the
-phpinfo() function. When this file is accessed legitimately by
-someone testing a fresh install, this signature will also trigger.
-
-NOTE: The amount of information provided (installation directory, version
-numbers, environment variables), could also constitute a vulnerability
-if this file is present on a production web server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Snort documentation contributed by Maarten Van Horenbeeck
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2406.txt snort-2.9.2/doc/signatures/2406.txt
--- snort-2.9.0.1/doc/signatures/2406.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2406.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2406
-
---
-Summary:
-This event is generated when an attempt is made to access an APC device
-using a known default administrative account and password via Telnet.
-
---
-Impact:
-Serious. Unauthorized administrative access to the device.
-
---
-Detailed Information:
-The APC Management card uses a known default administrative name and
-password. This rule generates an event when these credentials are used
-in a Telnet session. If this account and password have not been changed
-this can lead to unauthorized administrative access to the device.
-
---
-Affected Systems:
- APC WEB/SNMP Management Card (9606) Firmware 3.0 and 3.0.1
-
---
-Attack Scenarios:
-An attacker may try to use this password and username combination to
-gain access to an affected device.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Change the administrative account username and password.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2407.txt snort-2.9.2/doc/signatures/2407.txt
--- snort-2.9.0.1/doc/signatures/2407.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2407.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2407
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability on a web server or a web application resident on a web
-server.
-
---
-Impact:
-Information gathering and system integrity compromise. This rule generates
-an event on a request for the util.pl file, part of the CalaCode @mail
-Webmail system. Some versions of this software are vulnerable to a cross
-site scripting attack.
-
---
-Detailed Information:
-When accessing the webmail service of @mail, a
-cross site scripting bug can be abused in the util.pl file. When
-addressing the "settings" bar, Javascript code can be inserted into the
-"Displayed Name" field.
-
-This rule will also trigger on some scripted HTTP vulnerability
-scans. Many vulnerability assessment tools include a check which will
-verify whether the util.pl file is available on a web server. There are
-multiple other known vulnerabilities in version 3.64 of the @mail system,
-and the existance of this file would reveal its presence.
-
---
-Affected Systems:
- @mail version 3.64 and prior
-
---
-Attack Scenarios:
-A user can submit malicious Javascript to the "Displayed
-Name" field. As usual with most browsers, this script will be executed
-within the security context of the web site. The session ID of the
-connection, which is available from within this security context, can be
-abused by the attacker to obtain access to the session and the user's e-mail account.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Snort documentation contributed by Maarten Van Horenbeeck, GCIA
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2408.txt snort-2.9.2/doc/signatures/2408.txt
--- snort-2.9.0.1/doc/signatures/2408.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2408.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2408
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability on a web server or a web application resident on a web
-server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server. Possible execution of arbitrary code of
-the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running a Web server or a vulnerable application on a web server.
-
-Many known vulnerabilities exist for each implementation and the
-attack scenarios are legion.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2409.txt snort-2.9.2/doc/signatures/2409.txt
--- snort-2.9.0.1/doc/signatures/2409.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2409.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2409
-
---
-Summary:
-This event is generated when an attempt is made to overflow a buffer by
-supplying a very long username to an APOP POP3 service.
-
---
-Impact:
-Serious. Several POP3 servers are vulnerable to USER buffer overflows.
-
---
-Detailed Information:
-By supplying more than 626 bytes of data to the APOP USER command on 1st
-Class Internet Solutions' 1st Class Mail Server, an attacker may
-overflow a buffer resulting in the opportunity to execute code of their
-choosing on the targeted machine with the privileges of the user running
-the service.
-
-Other Mail software may be prone to this attack.
-
---
-Affected Systems:
- 1st Class Mail Server
-
---
-Attack Scenarios:
-An attacker may connect to the service and supply an over-long username
-to overflow the buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
-Check for other events generated by the source IP address.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/240.txt snort-2.9.2/doc/signatures/240.txt
--- snort-2.9.0.1/doc/signatures/240.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/240.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-240
-
---
-Summary:
-This event is generated when a DDoS Shaft agent communicates with a Shaft handler. It is also possible that this event may be generated when any host attempts to discover a Shaft handler.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent or a host attempting to discover Shaft handlers. If the listed destination IP is in your network, it may be a Shaft handler.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. An agent may communicate with a handler using a UDP packet to destination port 20433 with a content of "alive".
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft agent needs to communicate with a handler before it is given directions to launch an attack.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS256
-
-Miscellaneous:
-http://biocserver.cwru.edu/~jose/shaft_analysis/
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2410.txt snort-2.9.2/doc/signatures/2410.txt
--- snort-2.9.0.1/doc/signatures/2410.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2410.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2410
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a PHP application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running PHP applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying PHP script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2411.txt snort-2.9.2/doc/signatures/2411.txt
--- snort-2.9.0.1/doc/signatures/2411.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2411.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2411
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in RealNetworks Helix Media Server.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible.
-
---
-Detailed Information:
-Versions of RealNetworks Helix Media Server and RealSystem Server are
-vulnerable to a buffer overflow condition that may present the attacker
-with the opportunity to execute code of their choosing on the target
-system.
-
-This may then present the attacker with the opportunity to gain a remote
-root shell, thus compromising the system.
-
---
-Affected Systems:
- Helix Universal Server 9.01, versions 9.0.2.794 and earlier
- RealSystem Server 8.0 & 7.0
-
---
-Attack Scenarios:
-The attacker may probe for the existence of an affected server and then
-use one of the publicly available scripts to exploit the service.
-
---
-Ease of Attack:
-Simple. Exploits exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-RealNetworks
-http://www.service.real.com/help/faq/security/rootexploit091103.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2412.txt snort-2.9.2/doc/signatures/2412.txt
--- snort-2.9.0.1/doc/signatures/2412.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2412.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-2412
-
---
-Summary:
-This event is generated when a cross-site scripting attempt using
-RealNetworks RealPlayer has been successful.
-
---
-Impact:
-Cross site scripting, information disclosure.
-
---
-Detailed Information:
-A vulnerability exists in versions of RealPlayer from RealNetworks that
-may allow a remote attacker to launch a sucessful cross-site scripting
-attack against a host running the application.
-
-This event is indicative of a successful attack.
-
---
-Affected Systems:
- RealNetworks RealPlayer
-
---
-Attack Scenarios:
-An attacker can supply a malformed file to the client making the request
-and use the vulnerability to gain sensitive information from the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2413.txt snort-2.9.2/doc/signatures/2413.txt
--- snort-2.9.0.1/doc/signatures/2413.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2413.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2413
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the handling of ISAKMP data and SA keys.
-
---
-Impact:
-Serious
-
---
-Detailed Information:
-The Internet Security Association and Key Management Protocol (ISAKMP)
-is used as a framework for an authentication method between peers using
-secure keys.
-
-ISAKMP is a framework for authentication using cryptographic keys. It
-specifically defines the process of key exchange as opposed to the
-generation of a cryptographic key.
-
-ISAKMP also details the procedures for the required security
-associations in network security services.
-
---
-Affected Systems:
- Kame Racoon
-
---
-Attack Scenarios:
-The attacker may attempt to delete keys and security associations in
-hosts running the KAME IKE Daemon.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-ISAKMP:
-http://www.networksorcery.com/enp/protocol/isakmp.htm
-
-RFC:
-http://www.ietf.org/rfc/rfc2407.txt
-http://www.ietf.org/rfc/rfc2408.txt
-
-IANA:
-http://www.iana.org/assignments/isakmp-registry
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2414.txt snort-2.9.2/doc/signatures/2414.txt
--- snort-2.9.0.1/doc/signatures/2414.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2414.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2414
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the handling of ISAKMP data and SA keys.
-
---
-Impact:
-Serious
-
---
-Detailed Information:
-The Internet Security Association and Key Management Protocol (ISAKMP)
-is used as a framework for an authentication method between peers using
-secure keys.
-
-ISAKMP is a framework for authentication using cryptographic keys. It
-specifically defines the process of key exchange as opposed to the
-generation of a cryptographic key.
-
-ISAKMP also details the procedures for the required security
-associations in network security services.
-
---
-Affected Systems:
- Kame Racoon
-
---
-Attack Scenarios:
-The attacker may attempt to delete keys and security associations in
-hosts running the KAME IKE Daemon.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-ISAKMP:
-http://www.networksorcery.com/enp/protocol/isakmp.htm
-
-RFC:
-http://www.ietf.org/rfc/rfc2407.txt
-http://www.ietf.org/rfc/rfc2408.txt
-
-IANA:
-http://www.iana.org/assignments/isakmp-registry
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2415.txt snort-2.9.2/doc/signatures/2415.txt
--- snort-2.9.0.1/doc/signatures/2415.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2415.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2415
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the handling of ISAKMP data and SA keys.
-
---
-Impact:
-Serious
-
---
-Detailed Information:
-The Internet Security Association and Key Management Protocol (ISAKMP)
-is used as a framework for an authentication method between peers using
-secure keys.
-
-ISAKMP is a framework for authentication using cryptographic keys. It
-specifically defines the process of key exchange as opposed to the
-generation of a cryptographic key.
-
-ISAKMP also details the procedures for the required security
-associations in network security services.
-
---
-Affected Systems:
- Kame Racoon
-
---
-Attack Scenarios:
-The attacker may attempt to delete keys and security associations in
-hosts running the KAME IKE Daemon.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-ISAKMP:
-http://www.networksorcery.com/enp/protocol/isakmp.htm
-
-RFC:
-http://www.ietf.org/rfc/rfc2407.txt
-http://www.ietf.org/rfc/rfc2408.txt
-
-IANA:
-http://www.iana.org/assignments/isakmp-registry
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2416.txt snort-2.9.2/doc/signatures/2416.txt
--- snort-2.9.0.1/doc/signatures/2416.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2416.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2416
-
---
-Summary:
-This event is generated when activity relating to spurious ftp traffic
-is detected on the network.
-
---
-Impact:
-Varies from information gathering to a serious compromise of an ftp
-server.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is indicative of
-spurious activity in FTP traffic between hosts.
-
-The event may be the result of a transfer of a known protected file or
-it could be an attempt to compromise the FTP server by overflowing a
-buffer in the FTP daemon or service.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party
-using FTP.
-
-An attacker might utilize a vulnerability in an FTP daemon to gain
-access to a host, then upload a Trojan Horse program to gain control of
-that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow access to FTP resources from hosts external to the protected
-network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2417.txt snort-2.9.2/doc/signatures/2417.txt
--- snort-2.9.0.1/doc/signatures/2417.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2417.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2417
-
---
-Summary:
-This event is generated when activity relating to spurious ftp traffic
-is detected on the network.
-
---
-Impact:
-Varies from information gathering to a serious compromise of an ftp
-server.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is indicative of
-spurious activity in FTP traffic between hosts.
-
-The event may be the result of a transfer of a known protected file or
-it could be an attempt to compromise the FTP server by overflowing a
-buffer in the FTP daemon or service.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party
-using FTP.
-
-An attacker might utilize a vulnerability in an FTP daemon to gain
-access to a host, then upload a Trojan Horse program to gain control of
-that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow access to FTP resources from hosts external to the protected
-network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2418.txt snort-2.9.2/doc/signatures/2418.txt
--- snort-2.9.0.1/doc/signatures/2418.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2418.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-Summary:
-This event is generated when an attempt is made to connect to a
-Microsoft Terminal Server without using encryption.
-
---
-Impact:
-Serious. Denial of Service.
-
---
-Detailed Information:
-Microsoft Windows Terminal Server for NT systems fails to correctly
-validate RDP data from client machines that do not use encryption.
-
---
-Affected Systems:
- Microsoft Windows Terminal Server
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the DoS.
-
---
-Ease of Attack:
-Simple. Exploit software exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2419.txt snort-2.9.2/doc/signatures/2419.txt
--- snort-2.9.0.1/doc/signatures/2419.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2419.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2419
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/241.txt snort-2.9.2/doc/signatures/241.txt
--- snort-2.9.0.1/doc/signatures/241.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/241.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
---
-Sid:
-241
-
---
-Summary:
-This event is generated when a DDoS Shaft handler agent launchs a SYN flood against a target.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent. If the listed destination IP is in your network, your host may be a target of a DDoS SYN flood.
-
---
-Detailed Information:
-The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Agents are hosts that are directed to launch attacks. One type of attack that may be launched is a SYN flood of a target. The SYN packets have a telltale initial sequence number of 674711609.
-
---
-Affected Systems:
-Any Shaft compromised host.
-
---
-Attack Scenarios:
-A Shaft agent may attack a target using a SYN flood.
-
---
-Ease of Attack:
-Simple. Shaft code is freely available.
-
---
-False Positives:
-It is possible that an innocuous SYN packet will have a sequence number of 674711609.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS253
-
-Miscellaneous:
-http://biocserver.cwru.edu/~jose/shaft_analysis/
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2420.txt snort-2.9.2/doc/signatures/2420.txt
--- snort-2.9.0.1/doc/signatures/2420.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2420.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2420
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2421.txt snort-2.9.2/doc/signatures/2421.txt
--- snort-2.9.0.1/doc/signatures/2421.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2421.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2421
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2422.txt snort-2.9.2/doc/signatures/2422.txt
--- snort-2.9.0.1/doc/signatures/2422.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2422.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2422
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2423.txt snort-2.9.2/doc/signatures/2423.txt
--- snort-2.9.0.1/doc/signatures/2423.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2423.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2423
-
---
-Summary:
-This event is generated when an attempt is made to download a file that
-may be an attack vector for a known exploit to a vulnerability in Real
-Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2424.txt snort-2.9.2/doc/signatures/2424.txt
--- snort-2.9.0.1/doc/signatures/2424.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2424.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2424
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2425.txt snort-2.9.2/doc/signatures/2425.txt
--- snort-2.9.0.1/doc/signatures/2425.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2425.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2425
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2426.txt snort-2.9.2/doc/signatures/2426.txt
--- snort-2.9.0.1/doc/signatures/2426.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2426.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2426
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2427.txt snort-2.9.2/doc/signatures/2427.txt
--- snort-2.9.0.1/doc/signatures/2427.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2427.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2427
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2428.txt snort-2.9.2/doc/signatures/2428.txt
--- snort-2.9.0.1/doc/signatures/2428.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2428.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2428
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2429.txt snort-2.9.2/doc/signatures/2429.txt
--- snort-2.9.0.1/doc/signatures/2429.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2429.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2429
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2430.txt snort-2.9.2/doc/signatures/2430.txt
--- snort-2.9.0.1/doc/signatures/2430.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2430.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2430
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2431.txt snort-2.9.2/doc/signatures/2431.txt
--- snort-2.9.0.1/doc/signatures/2431.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2431.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2431
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2432.txt snort-2.9.2/doc/signatures/2432.txt
--- snort-2.9.0.1/doc/signatures/2432.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2432.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2432
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ISC INN Usenet/NNTP server.
-
---
-Impact:
-Denial of Service. Execution of arbitrary code is possible.
-
---
-Detailed Information:
-A vulnerability exists in the network news transport protocol server
-from ISC. It may be possible for a remote attacker to exploit a buffer
-overflow condition in the software to execute code of the attackers
-choosing with the privileges of the user running the daemon.
-
---
-Affected Systems:
- ISC INN 2.4 .0
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur. Once successful the attacker may
-attempt to escalate privileges by using further local exploits.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2433.txt snort-2.9.2/doc/signatures/2433.txt
--- snort-2.9.0.1/doc/signatures/2433.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2433.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-2433
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Possible unauthorized administrative access to the server or application.
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-MDaemon is mail server software for Microsoft Windows systems. It uses a
-CGI web interface to send email. The email form used to submit the
-message does not properly check user supplied input. This may result in
-an attacker being able to supply a "From" field larger than 249 bytes
-which may in turn cause an error condition to occur in the executable
-file handling the form input. This error may present the attacker with
-the opportunity to gain administrative access to the server and also
-execute code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Alt-N MDaemon 6.5.2
- Alt-N MDaemon 6.7.5, 6.7.9
- Alt-N MDaemon 6.8.0 through 6.8.5
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2434.txt snort-2.9.2/doc/signatures/2434.txt
--- snort-2.9.0.1/doc/signatures/2434.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2434.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-2434
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Possible unauthorized administrative access to the server or application.
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-MDaemon is mail server software for Microsoft Windows systems. It uses a
-CGI web interface to send email. The email form used to submit the
-message does not properly check user supplied input. This may result in
-an attacker being able to supply a "From" field larger than 249 bytes
-which may in turn cause an error condition to occur in the executable
-file handling the form input. This error may present the attacker with
-the opportunity to gain administrative access to the server and also
-execute code of their choosing.
-
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- Alt-N MDaemon 6.5.2
- Alt-N MDaemon 6.7.5, 6.7.9
- Alt-N MDaemon 6.8.0 through 6.8.5
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2435.txt snort-2.9.2/doc/signatures/2435.txt
--- snort-2.9.0.1/doc/signatures/2435.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2435.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2435
-
---
-Summary:
-This event is generated when an attempt is made to access a file type
-that may be subject to a known vulnerability in Microsoft Windows Explorer.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-When processing Windows Extended Metafile Format (.emf) files, Windows
-Explorer sets a buffer size based on information in the header for the
-file. If a malformed header is sent, it may be possible for an attacker
-to cause a DoS condition to occur. It may also be possible for an
-attacker to execute code of their choosing on a vulnerable host.
-
-This issue may also affect Microsoft Windows Metafile Format (.wmf)
-files also.
-
---
-Affected Systems:
- Microsoft Windows XP Home, Professional and Media Center Edition
- Microsoft Windows XP Home and Professional SP-1
-
---
-Attack Scenarios:
-An attacker might supply a specially crafted request for such a file
-that might cause the error condiion to occur.
-
---
-Ease of Attack:
-Moderate/Difficult
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2436.txt snort-2.9.2/doc/signatures/2436.txt
--- snort-2.9.0.1/doc/signatures/2436.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2436.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2436
-
---
-Summary:
-This event is generated when an attempt is made to access a file type
-that may be subject to a known vulnerability in Microsoft Windows Explorer.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-When processing Windows Extended Metafile Format (.emf) files, Windows
-Explorer sets a buffer size based on information in the header for the
-file. If a malformed header is sent, it may be possible for an attacker
-to cause a DoS condition to occur. It may also be possible for an
-attacker to execute code of their choosing on a vulnerable host.
-
-This issue may also affect Microsoft Windows Metafile Format (.wmf)
-files also.
-
---
-Affected Systems:
- Microsoft Windows XP Home, Professional and Media Center Edition
- Microsoft Windows XP Home and Professional SP-1
-
---
-Attack Scenarios:
-An attacker might supply a specially crafted request for such a file
-that might cause the error condiion to occur.
-
---
-Ease of Attack:
-Moderate/Difficult
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2437.txt snort-2.9.2/doc/signatures/2437.txt
--- snort-2.9.0.1/doc/signatures/2437.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2437.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2437
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in RealOne Player.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible.
-
---
-Detailed Information:
-It may be possible for an attacker to execute code of their choosing by
-using a vulnerability in RealOne Player from RealNetworks. If a
-malicious URI is embedded in a SMIL presentation that points to script
-of the attackers choosing, the code may be executed with privileges
-assigned to the "My Computer" zone.
-
---
-Affected Systems:
- RealOne Player for Windows
-
---
-Attack Scenarios:
-An attacker could embed a URI of their choosing in a presentation and
-entice a user to click the link from within RealOne Player. The code
-referenced by this URI would then be executed on the client machine.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2438.txt snort-2.9.2/doc/signatures/2438.txt
--- snort-2.9.0.1/doc/signatures/2438.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2438.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2438
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Real Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2439.txt snort-2.9.2/doc/signatures/2439.txt
--- snort-2.9.0.1/doc/signatures/2439.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2439.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2439
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Real Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/243.txt snort-2.9.2/doc/signatures/243.txt
--- snort-2.9.0.1/doc/signatures/243.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/243.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-243
-
---
-Summary:
-This event is generated when the mstream DDoS tool is used.
-
---
-Impact:
-Severe. This indicates a host may have been compromised and mstream may have been installed.
-
---
-Detailed Information:
-The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
-
-There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. An agent will attempt to contact its known handlers using a UDP packet to destination port 6838 with a string of "newserver" in the payload.
-
---
-Affected Systems:
-Any mstream compromised host.
-
---
-Attack Scenarios:
-After a host becomes a mstream agent, it will attempt to communicate with its known handlers.
-
---
-Ease of Attack:
-Simple. mstream code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-There may be ports other than 6838 used for agent-to-handler communications.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-NAI:
-http://vil.nai.com/vil/content/v_98662.htm
-SecurityFocus:
-http://www.securityfocus.com/archive/82/58040
-CERT:
-http://www.cert.org/incident_notes/IN-2000-05.html
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2440.txt snort-2.9.2/doc/signatures/2440.txt
--- snort-2.9.0.1/doc/signatures/2440.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2440.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2440
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Real Networks RealPlayer/RealOne player.
-
---
-Impact:
-Serious. Execution of arbitrary code.
-
---
-Detailed Information:
-RealNetworks RealPlayer/RealOne player is a streaming media player for
-Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
-
-A buffer overrun condition is present in some versions of the player
-that may present a remote attacker with the opportunity to execute code
-of their choosing on a client using one of these players.
-
---
-Affected Systems:
- Real Networks RealOne Desktop Manager
- Real Networks RealOne Enterprise Desktop 6.0.11 .774
- Real Networks RealOne Player 1.0
- Real Networks RealOne Player 2.0
- Real Networks RealOne Player 6.0.11 .868
- Real Networks RealOne Player version 2.0 for Windows
- Real Networks RealPlayer 8.0 Win32
- Real Networks RealPlayer 8.0 Unix
- Real Networks RealPlayer 8.0 Mac
- Real Networks RealPlayer 10.0 BETA
-
---
-Attack Scenarios:
-An attacker may supply a malformed file to the client to exploit the
-issue.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2441.txt snort-2.9.2/doc/signatures/2441.txt
--- snort-2.9.0.1/doc/signatures/2441.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2441.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2441
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in ExploreAnywhere Software's NETObserve.
-
---
-Impact:
-Execution of commands or control of remote machines being managed by the
-software.
-
---
-Detailed Information:
-NETObserve is a software solution that can be used to remotely monitor
-and control Windows based machines. It's interface is accessed via HTTP.
-
-By setting a cookie value, used to send login information to NETObserve,
-to 0 an attacker can bypass any checks on login credentials. This can
-present the attacker with administrative privileges to the NETObserve
-application which can be used to manage other remote client machines.
-
---
-Affected Systems:
- NETObserve
-
---
-Attack Scenarios:
-An attacker can set 'Cookie login:0' in a web request to the
-administrative interface and gain administrator access to the
-application.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2442.txt snort-2.9.2/doc/signatures/2442.txt
--- snort-2.9.0.1/doc/signatures/2442.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2442.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2442
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Apple Quicktime/Darwin Streaming Server.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-The Apple Quicktime Streaming Server is used to serve client machines
-with streaming media content using TCP/IP. A vulnerability exists in the
-processing of client requests that can cause a DoS.
-
-An overly long User-Agent field in DESCRIBE requests to the server can
-cause this condition to occur.
-
---
-Affected Systems:
- Apple Darwin Streaming Server 4.1.3
- Apple Quicktime Streaming Server 4.1.3
-
---
-Attack Scenarios:
-An attacker can supply a user agent field in excess of 255 characters in
-a DESCRIBE request to trigger the DoS condition.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2443.txt snort-2.9.2/doc/signatures/2443.txt
--- snort-2.9.0.1/doc/signatures/2443.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2443.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,82 +0,0 @@
-Rule:
-
---
-Sid:
-2443
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in multiple versions of Internet Security Systems software.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible leading to unauthorized
-access to the affected host. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the way that multiple ISS products parse ICQ
-messages. This can lead to execution of arbitrary code on hosts using
-the affected products.
-
-Due to insufficient bounds checking when ISS products parse protocol
-fields in ICQ SRV_META_USER data, a buffer overflow condition can be
-exploited to give an attacker the opportunity to execute arbitrary code
-and gain unauthorized administrative access to the host.
-
-It is possible that this condition can be exploited without the need for
-an established and valid ICQ session. The attacker could create packets
-originating from a host on port 4000 and send specially crafted data to
-exploit the condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 22.11 and prior
- RealSecure Server Sensor 7.0 XPU 22.11 and prior
- RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
- Proventia A Series XPU 22.11 and prior
- Proventia G Series XPU 22.11 and prior
- Proventia M Series XPU 1.9 and prior
- RealSecure Desktop 7.0 ebl and prior
- RealSecure Desktop 3.6 ecf and prior
- RealSecure Guard 3.6 ecf and prior
- RealSecure Sentry 3.6 ecf and prior
- BlackICE Agent for Server 3.6 ecf and prior
- BlackICE PC Protection 3.6 ccf and prior
- BlackICE Server Protection 3.6 ccf and prior
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2444.txt snort-2.9.2/doc/signatures/2444.txt
--- snort-2.9.0.1/doc/signatures/2444.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2444.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,82 +0,0 @@
-Rule:
-
---
-Sid:
-2444
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in multiple versions of Internet Security Systems software.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible leading to unauthorized
-access to the affected host. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the way that multiple ISS products parse ICQ
-messages. This can lead to execution of arbitrary code on hosts using
-the affected products.
-
-Due to insufficient bounds checking when ISS products parse protocol
-fields in ICQ SRV_META_USER data, a buffer overflow condition can be
-exploited to give an attacker the opportunity to execute arbitrary code
-and gain unauthorized administrative access to the host.
-
-It is possible that this condition can be exploited without the need for
-an established and valid ICQ session. The attacker could create packets
-originating from a host on port 4000 and send specially crafted data to
-exploit the condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 22.11 and prior
- RealSecure Server Sensor 7.0 XPU 22.11 and prior
- RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
- Proventia A Series XPU 22.11 and prior
- Proventia G Series XPU 22.11 and prior
- Proventia M Series XPU 1.9 and prior
- RealSecure Desktop 7.0 ebl and prior
- RealSecure Desktop 3.6 ecf and prior
- RealSecure Guard 3.6 ecf and prior
- RealSecure Sentry 3.6 ecf and prior
- BlackICE Agent for Server 3.6 ecf and prior
- BlackICE PC Protection 3.6 ccf and prior
- BlackICE Server Protection 3.6 ccf and prior
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2445.txt snort-2.9.2/doc/signatures/2445.txt
--- snort-2.9.0.1/doc/signatures/2445.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2445.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,82 +0,0 @@
-Rule:
-
---
-Sid:
-2445
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in multiple versions of Internet Security Systems software.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible leading to unauthorized
-access to the affected host. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the way that multiple ISS products parse ICQ
-messages. This can lead to execution of arbitrary code on hosts using
-the affected products.
-
-Due to insufficient bounds checking when ISS products parse protocol
-fields in ICQ SRV_META_USER data, a buffer overflow condition can be
-exploited to give an attacker the opportunity to execute arbitrary code
-and gain unauthorized administrative access to the host.
-
-It is possible that this condition can be exploited without the need for
-an established and valid ICQ session. The attacker could create packets
-originating from a host on port 4000 and send specially crafted data to
-exploit the condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 22.11 and prior
- RealSecure Server Sensor 7.0 XPU 22.11 and prior
- RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
- Proventia A Series XPU 22.11 and prior
- Proventia G Series XPU 22.11 and prior
- Proventia M Series XPU 1.9 and prior
- RealSecure Desktop 7.0 ebl and prior
- RealSecure Desktop 3.6 ecf and prior
- RealSecure Guard 3.6 ecf and prior
- RealSecure Sentry 3.6 ecf and prior
- BlackICE Agent for Server 3.6 ecf and prior
- BlackICE PC Protection 3.6 ccf and prior
- BlackICE Server Protection 3.6 ccf and prior
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2446.txt snort-2.9.2/doc/signatures/2446.txt
--- snort-2.9.0.1/doc/signatures/2446.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2446.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,82 +0,0 @@
-Rule:
-
---
-Sid:
-2446
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in multiple versions of Internet Security Systems software.
-
---
-Impact:
-Serious. Execution of arbitrary code is possible leading to unauthorized
-access to the affected host. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the way that multiple ISS products parse ICQ
-messages. This can lead to execution of arbitrary code on hosts using
-the affected products.
-
-Due to insufficient bounds checking when ISS products parse protocol
-fields in ICQ SRV_META_USER data, a buffer overflow condition can be
-exploited to give an attacker the opportunity to execute arbitrary code
-and gain unauthorized administrative access to the host.
-
-It is possible that this condition can be exploited without the need for
-an established and valid ICQ session. The attacker could create packets
-originating from a host on port 4000 and send specially crafted data to
-exploit the condition.
-
---
-Affected Systems:
- RealSecure Network 7.0, XPU 22.11 and prior
- RealSecure Server Sensor 7.0 XPU 22.11 and prior
- RealSecure Server Sensor 6.5 for Windows SR 3.10 and prior
- Proventia A Series XPU 22.11 and prior
- Proventia G Series XPU 22.11 and prior
- Proventia M Series XPU 1.9 and prior
- RealSecure Desktop 7.0 ebl and prior
- RealSecure Desktop 3.6 ecf and prior
- RealSecure Guard 3.6 ecf and prior
- RealSecure Sentry 3.6 ecf and prior
- BlackICE Agent for Server 3.6 ecf and prior
- BlackICE PC Protection 3.6 ccf and prior
- BlackICE Server Protection 3.6 ccf and prior
-
---
-Attack Scenarios:
-An attacker may send specially crafted packets to a vulnerable system to
-cause the overflow condition to occur.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2447.txt snort-2.9.2/doc/signatures/2447.txt
--- snort-2.9.0.1/doc/signatures/2447.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2447.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2447
-
---
-Summary:
-This event is generated when an attempt is made to access the servlet
-administration scripts on a Novell Groupwise servlet server.
-
---
-Impact:
-Possible unauthorized administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to access the servlet
-administration scripts on a Novell Groupwise servlet server located in /servlet/ServletManager.
-
-The default installation has a known username and password for
-administration of the server.
-
---
-Affected Systems:
- Novell Groupwise 6.0
- Novell Groupwise Enhancement Pack 5.5
-
---
-Attack Scenarios:
-The attacker might login to the application using the default username
-and password gaining administrative access to the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2448.txt snort-2.9.2/doc/signatures/2448.txt
--- snort-2.9.0.1/doc/signatures/2448.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2448.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2448
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-setinfo.hts on a machine using HP Web JetAdmin.
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-HP Web JetAdmin is software used to remotely manage HP networked
-peripheral devices. It may also be used to manage non-HP products also.
-It may be possible for a remote user to execute code of their choosing
-using the web interface.
-
-This is due to insufficient checking of user supplied input in the file
-setinfo.hts.
-
---
-Affected Systems:
- HP Web JetAdmin 7.5
-
---
-Attack Scenarios:
-An attacker can supply any code of their choosing directly to the script
-in question and manipulate any device being managed by the software.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2449.txt snort-2.9.2/doc/signatures/2449.txt
--- snort-2.9.0.1/doc/signatures/2449.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2449.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2449
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow vulnerability associated with Ipswitch WS FTP ALLO command.
-
---
-Impact:
-Remote access. A successful attack may permit the remote execution of
-arbitrary commands with system privileges. A Denial of Service (DoS)
-attack may also be possible.
-
---
-Detailed Information:
-Ipswitch WS FTP is an FTP server. A vulnerability exists with the ALLO
-command that can cause a buffer overflow and permit the execution of
-arbitrary commands with system privileges. The buffer overflow can be
-caused by supplying an overly long argument to the ALLO command.
-
---
-Affected Systems:
- Ipswitch WS FTP Server 1.0.1 through 1.0.5, 2.0 through 2.0.4,
- 3.0 1, 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.4, 4.0 2, 4.0 1 and 4.0
- Ipswitch WS_FTP Pro 6.0, 7.5, 8.0 3, 8.0 2
-
---
-Attack Scenarios:
-An attacker can use one of the publicly available exploit scripts to
-cause the overflow to occur.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use scp as an alternative to ftp
-
-Disallow ftp access to internal resources from external sources
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/244.txt snort-2.9.2/doc/signatures/244.txt
--- snort-2.9.0.1/doc/signatures/244.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/244.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
---
-Sid:
-244
-
---
-Summary:
-This event is generated when a DDoS mstream handler directs an mstream agent to begin an attack against a specified target.
-
---
-Impactn:
-Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent.
-
---
-Detailed Information:
-The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can direct a particular agent to attack a target. It directs the agent by sending it a UDP packet to destination port 10498 with a string of "stream/" in the payload. The target IP and duration of the attack will also be included in the payload.
-
---
-Affected Systems:
-Any mstream compromised host.
-
---
-Attack Scenarios:
-After a host becomes an mstream agent, it will likely be directed to participate in a DDoS attack.
---
-Ease of Attack:
-Simple. mstream code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-There are other known handler-to-agent ports in addition to 10498.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2450.txt snort-2.9.2/doc/signatures/2450.txt
--- snort-2.9.0.1/doc/signatures/2450.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2450.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2450
-
---
-Summary:
-This event is generated when a user in your network has successfully logged into Yahoo Instant Messenger.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-A user must successfully logon to an Yahoo Instant Messenger server before participating in any exchanges, such sending or receiving messages, files, or webcams, or chatting by voice. Many of these activities are not appropriate in a corporate environment. Also, the exchanges are transacted via Yahoo IM servers so there is no assurance of privacy.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-Once logged in, a Yahoo IM user may unwittingly accept a malicious file that may contain a worm, virus, Trojan, or backdoor to name a few.
-
---
-Ease of Attack:
-Easy.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2451.txt snort-2.9.2/doc/signatures/2451.txt
--- snort-2.9.0.1/doc/signatures/2451.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2451.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2451
-
---
-Summary:
-This event is generated when a user in your network has successfully registered with a Yahoo Instant Messenger server to receive voice chat messages or is receiving voice chat messages.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-Yahoo IM voice chat allows IM users to exchange audio messages. This activity may not be appropriate in a corporate environment.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM.
-
---
-Ease of Attack:
-Easy to exchange voice messages.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2452.txt snort-2.9.2/doc/signatures/2452.txt
--- snort-2.9.0.1/doc/signatures/2452.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2452.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2452
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to maintain contact with a Yahoo IM server.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-Hosts running Yahoo IM periodically communicate with a Yahoo IM server to maintain their connection. This is a keep-alive message that simply indicates the presences of a host running Yahoo IM.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM.
-
---
-Ease of Attack:
-A host running Yahoo IM will automatically ping a Yahoo IM server.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2453.txt snort-2.9.2/doc/signatures/2453.txt
--- snort-2.9.0.1/doc/signatures/2453.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2453.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2453
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running is invited to participate in a Yahoo conference.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-A Yahoo IM user may unwittingly accept a malicious file.
-
---
-Ease of Attack:
-Easy to transfer a malicious file.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2454.txt snort-2.9.2/doc/signatures/2454.txt
--- snort-2.9.0.1/doc/signatures/2454.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2454.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2454
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running has successfully logged on to a Yahoo IM conference.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-A Yahoo IM user may unwittingly accept a malicious file.
-
---
-Ease of Attack:
-Easy to transfer a malicious file.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2455.txt snort-2.9.2/doc/signatures/2455.txt
--- snort-2.9.0.1/doc/signatures/2455.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2455.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2455
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running has sent a message to a Yahoo IM conference.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-A Yahoo IM user may unwittingly accept a malicious file.
-
---
-Ease of Attack:
-Easy to transfer a malicious file.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2456.txt snort-2.9.2/doc/signatures/2456.txt
--- snort-2.9.0.1/doc/signatures/2456.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2456.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2456
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to send a file to another Yahoo IM user.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy. This may also provide a less scrutinized means of sharing unauthorized or inappropriate files with others.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-A Yahoo IM user may unwittingly accept a malicious file.
-
---
-Ease of Attack:
-Easy to transfer a malicious file.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2457.txt snort-2.9.2/doc/signatures/2457.txt
--- snort-2.9.0.1/doc/signatures/2457.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2457.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,48 +0,0 @@
-Rule:
-
---
-Sid:
-2457
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger sends or receives a Yahoo Instant Messenger message.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-Yahoo IM provides a means of allowing an interactive message exchange between user. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-No known attacks.
-
---
-Ease of Attack:
-No known attacks.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2458.txt snort-2.9.2/doc/signatures/2458.txt
--- snort-2.9.0.1/doc/signatures/2458.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2458.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2458
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running has joined a chat room or is examining chat rooms to join.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-Yahoo IM provides a means of allowing users who share similar interests to join a chat room and exchange messages. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-No known attacks.
-
---
-Ease of Attack:
-No known attacks.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2459.txt snort-2.9.2/doc/signatures/2459.txt
--- snort-2.9.0.1/doc/signatures/2459.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2459.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-2459
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo Instant Messenger running starts a webcam or sends an invitation to view a webcam to another Yahoo IM user.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
-
---
-Detailed Information:
-This event indicates that a Yahoo IM user in your network is sending a notification that he or she is starting a webcam or offering an invitation to view the webcam. While there are no known exploits associated with showing or viewing webcams, it is possible that this activity is inappropriate in certain environments.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-No know attack scenarios.
-
---
-Ease of Attack:
-No know attack scenarios.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/245.txt snort-2.9.2/doc/signatures/245.txt
--- snort-2.9.0.1/doc/signatures/245.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/245.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
---
-Sid:
-245
-
---
-Summary:
-This event is generated when an mstream handler attempts to identify active agents.
-
---
-Impact:
-Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent.
-
---
-Detailed Information:
-The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can probe to see if an agent is active by sending it a UDP packet to destination port 10498 with a string of "ping" in the payload.
-
---
-Affected Systems:
-Any mstream compromised host.
-
---
-Attack Scenarios:
-A mstream handler may probe to see if an agent is active.
-
---
-Ease of Attack:
-Simple. mstream code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-There are other known handler-to-agent ports in addition to 10498.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2460.txt snort-2.9.2/doc/signatures/2460.txt
--- snort-2.9.0.1/doc/signatures/2460.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2460.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2460
-
---
-Summary:
-This event is generated when a host in your network that has Yahoo
-Instant Messenger running requests to view a webcam listen to an audio
-message of another Yahoo IM user.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be
-appropriate in certain network environments.
-
---
-Detailed Information:
-This event indicates that a Yahoo IM user in your network is requesting
-to view a webcam or listen to an audio message of another Yahoo IM user.
-While there are no known exploits associated with showing or viewing
-webcams, it is possible that this activity is inappropriate in certain
-environments.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-No known attack scenarios.
-
---
-Ease of Attack:
-No known attack scenarios.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the
-default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or
-implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2461.txt snort-2.9.2/doc/signatures/2461.txt
--- snort-2.9.0.1/doc/signatures/2461.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2461.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2461
-
---
-Summary:
-This event is generated when a user on a host in your network that is
-running Yahoo Instant Messenger is viewing a webcam or listening to an
-audio message of another Yahoo IM user.
-
---
-Impact:
-Possible policy violation. Instant Messenger programs may not be
-appropriate in certain network environments.
-
---
-Detailed Information:
-This event indicates that a Yahoo IM user in your network is requesting
-to view a webcam of another Yahoo IM user. While there are no known
-exploits associated with showing or viewing webcams, or listening to
-audio messages. it is possible that this activity is inappropriate in
-certain environments.
-
---
-Affected Systems:
-Any host running Yahoo Instant Messenger.
-
---
-Attack Scenarios:
-No known attack scenarios.
-
---
-Ease of Attack:
-No known attack scenarios.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-It may be possible for Yahoo IM traffic to use other ports than the
-default expected ones.
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or
-implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References:
-Yahoo Protocol
-http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2462.txt snort-2.9.2/doc/signatures/2462.txt
--- snort-2.9.0.1/doc/signatures/2462.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2462.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account
-overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0;
-byte_test:1,>,16,12; reference:cve,CAN-2004-0176; reference:bugtraq,9952;
-classtype:attempted-admin; sid:2462; rev:1;)
-
---
-Sid:
-2462
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Ethereal decode of the Internet Group membership Authentication
-Protocol (IGAP).
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code as root or
-LOCAL_SYSTEM privilege on a vulnerable host.
-
---
-Detailed Information:
-There is a vulnerability associated with particular versions of Ethereal that
-may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal
-or tethereal. This may permit the execution of arbitrary code with root or
-LOCAL_SYSTEM privilege. The buffer overflow occurs when a larger than expected
-User Account Size value is discovered in the IGAP payload.
-
---
-Affected Systems:
-Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2.
-
---
-Attack Scenarios:
-An attacker can create and send a malformed IGAP packet, and if decoded by
-a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the
-subsequent execution of arbitrary code.
-
---
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Update to version 0.10.3 of Ethereal.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
-
-Bugtraq:
-http://www.securityfocus.com/bid/9952:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2463.txt snort-2.9.2/doc/signatures/2463.txt
--- snort-2.9.0.1/doc/signatures/2463.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2463.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message
-overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0;
-byte_test:1,>,64,13; reference:cve,CAN-2004-0176; reference:bugtraq,9952;
-classtype:attempted-admin; sid:2463; rev:1;)
-
---
-Sid:
-2463
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the Ethereal decode of the Internet Group membership Authentication
-Protocol (IGAP).
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code as root or
-LOCAL_SYSTEM privilege on a vulnerable host.
-
---
-Detailed Information:
-There is a vulnerability associated with particular versions of Ethereal that
-may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal
-or tethereal. This may permit the execution of arbitrary code with root or
-LOCAL_SYSTEM privilege. The buffer overflow occurs when a larger than expected
-Message Size value is discovered in the IGAP payload.
-
---
-Affected Systems:
-Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2.
-
---
-Attack Scenarios:
-An attacker can create and send a malformed IGAP packet, and if decoded by
-a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the
-subsequent execution of arbitrary code.
-
---
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Update to version 0.10.3 of Ethereal.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
-
-Bugtraq:
-http://www.securityfocus.com/bid/9952:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2464.txt snort-2.9.2/doc/signatures/2464.txt
--- snort-2.9.0.1/doc/signatures/2464.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2464.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@ -Rule: -alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; -ip_proto:88; byte_test:1,>,32,44; reference:cve,CAN-2004-0176; -reference:bugtraq,9952; classtype:attempted-admin; sid:2464; rev:1;) - --- -Sid: -2464 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Ethereal decode of the Enhanced Interior Gateway Routing Protocol -(EIGRP). - --- -Impact: -A successful attack may allow the execution of arbitrary code as root or -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -There is a vulnerability associated with particular versions of Ethereal that -may cause a buffer overflow when a malformed EIGRP packet is decoded. This -may permit the execution of arbitrary code with root or LOCAL_SYSTEM privilege. -The buffer overflow occurs when a larger than expected packet length value is -discovered in the EIGRP payload. - --- -Affected Systems: -Any host running Ethereal versions 0.8.14 through 0.10.2. - --- -Attack Scenarios: -An attacker can create and send a malformed EIGRP packet, and if decoded by -a vulnerable version of Ethereal, can cause a buffer overflow and the -subsequent execution of arbitrary code. - --- -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Update to version 0.10.3 of Ethereal. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176 - -Bugtraq: -http://www.securityfocus.com/bid/9952 - --- diff -Nru snort-2.9.0.1/doc/signatures/2465.txt snort-2.9.2/doc/signatures/2465.txt --- snort-2.9.0.1/doc/signatures/2465.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2465.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2465 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2466.txt snort-2.9.2/doc/signatures/2466.txt --- snort-2.9.0.1/doc/signatures/2466.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2466.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2466 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2467.txt snort-2.9.2/doc/signatures/2467.txt --- snort-2.9.0.1/doc/signatures/2467.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2467.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2467 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2468.txt snort-2.9.2/doc/signatures/2468.txt --- snort-2.9.0.1/doc/signatures/2468.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2468.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2468 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2469.txt snort-2.9.2/doc/signatures/2469.txt --- snort-2.9.0.1/doc/signatures/2469.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2469.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2469 - --- -Summary: -This event is generated when an attempt is made to gain access to -private resources using Samba. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server. - --- -Detailed Information: -This event is generated when an attempt is made to use Samba to gain -access to private or administrative shares on a host. - --- -Affected Systems: - All systems using Samba for file sharing. - All systems using file and print sharing for Windows. - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -direct access to Windows adminsitrative shares. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/246.txt snort-2.9.2/doc/signatures/246.txt --- snort-2.9.0.1/doc/signatures/246.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/246.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: --- -Sid: -246 - --- -Summary: -This event is generated when an mstream agent responds to an mstream handler's "ping" request. - --- -Impact: -Severe. If the listed source IP is in your network, it may be an mstream agent. If the listed destination IP is in your network, it may be an mstream agent. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can probe to see if an agent is active by sending it a UDP packet to destination port 10498 with a string of "ping" in the payload. An active agent will reply with a UDP packet to destination port 6838 with a string of "pong" in payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -A mstream agent may respond with a "pong" to a "ping" request from a handler. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known agent-to-handler ports in addition to 6838. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. 
- --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: -NAI: -http://vil.nai.com/vil/content/v_98662.htm -SecurityFocus: -http://www.securityfocus.com/archive/82/58040 -CERT: -http://www.cert.org/incident_notes/IN-2000-05.html - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.9.0.1/doc/signatures/2470.txt snort-2.9.2/doc/signatures/2470.txt --- snort-2.9.0.1/doc/signatures/2470.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2470.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2470 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.9.0.1/doc/signatures/2471.txt snort-2.9.2/doc/signatures/2471.txt --- snort-2.9.0.1/doc/signatures/2471.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2471.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2471 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.9.0.1/doc/signatures/2472.txt snort-2.9.2/doc/signatures/2472.txt --- snort-2.9.0.1/doc/signatures/2472.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2472.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2472 - --- -Summary: -This event is generated when an attempt is made to access the C$ default -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.9.0.1/doc/signatures/2473.txt snort-2.9.2/doc/signatures/2473.txt --- snort-2.9.0.1/doc/signatures/2473.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2473.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2473 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.9.0.1/doc/signatures/2474.txt snort-2.9.2/doc/signatures/2474.txt --- snort-2.9.0.1/doc/signatures/2474.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2474.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2474 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.9.0.1/doc/signatures/2475.txt snort-2.9.2/doc/signatures/2475.txt --- snort-2.9.0.1/doc/signatures/2475.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2475.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2475 - --- -Summary: -This event is generated when an attempt is made to access the ADMIN$ -administrative share of a Windows host. - --- -Impact: -Serious. Possible administrator access to the host. Information -disclosure. - --- -Detailed Information: -By default, Windows hosts have default administrative shares of the -local hard drives using the format %DRIVE_LETTER% + $. Anybody with -administrative rights can remotely access the share. - --- -Affected Systems: - Windows hosts. - --- -Attack Scenarios: -An attacker may be attempting to access files located on the C drive of -the host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow Netbios access from external networks (tcp port 139). - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS339 - -Microsoft: -http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 - --- diff -Nru snort-2.9.0.1/doc/signatures/2476.txt snort-2.9.2/doc/signatures/2476.txt --- snort-2.9.0.1/doc/signatures/2476.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2476.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2476 - --- -Summary: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings then create an entry in the winreg service. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.9.0.1/doc/signatures/2477.txt snort-2.9.2/doc/signatures/2477.txt --- snort-2.9.0.1/doc/signatures/2477.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2477.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2477 - --- -Summary: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to create an AndX entry -via SMB. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings then create an entry in the winreg service. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.9.0.1/doc/signatures/2478.txt snort-2.9.2/doc/signatures/2478.txt --- snort-2.9.0.1/doc/signatures/2478.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2478.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2478 - --- -Summary: -This event is generated when an attempt is made to bind to the winreg -service. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to bind to the RPC -service for winreg. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.9.0.1/doc/signatures/2479.txt snort-2.9.2/doc/signatures/2479.txt --- snort-2.9.0.1/doc/signatures/2479.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2479.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2479 - --- -Summary: -This event is generated when an attempt is made to bind to the winreg -service. - --- -Impact: -Unknown. - --- -Detailed Information: -This event is generated when an attempt is made to bind to the RPC -service for winreg. - --- -Affected Systems: - Windows systems - --- -Attack Scenarios: -An attacker may attempt to bind to the service to manipulate host -settings. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: -Microsoft Technet -http://support.microsoft.com/support/kb/articles/q153/1/83.asp -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562 -Winreg -http://www.rutherfurd.net/python/winreg/ - --- diff -Nru snort-2.9.0.1/doc/signatures/247.txt snort-2.9.2/doc/signatures/247.txt --- snort-2.9.0.1/doc/signatures/247.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/247.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -247 - --- -Summary: -This event is generated when an mstream DDoS client communicates with a handler. - --- -Impact: -Severe. If the listed source IP is in your network, it may be an mstream client. If the listed destination IP is in your network, it may be an mstream handler. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks. A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -After a host becomes an mstream client, it will attempt to communicate with handlers. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known client-to-handler ports in addition to 12754. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.9.0.1/doc/signatures/2480.txt snort-2.9.2/doc/signatures/2480.txt --- snort-2.9.0.1/doc/signatures/2480.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2480.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2481.txt snort-2.9.2/doc/signatures/2481.txt --- snort-2.9.0.1/doc/signatures/2481.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2481.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2482.txt snort-2.9.2/doc/signatures/2482.txt --- snort-2.9.0.1/doc/signatures/2482.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2482.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2483.txt snort-2.9.2/doc/signatures/2483.txt --- snort-2.9.0.1/doc/signatures/2483.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2483.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2176 - - --- -Summary: -This event is generated when an attempt is made to shutdown a service via SMB. - --- -Impact: -Serious. - --- -Detailed Information: -This event indicates that an attempt was made to shutdown a service -on a system using SMB across the network. - --- -Affected Systems: - Microsoft Windows systems. - --- -Attack Scenarios: -An attacker may try to deny services to other users. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the host for signs of system compromise. - -Turn off file and print sharing on the target host. - -Use a packet filtering firewall to disallow SMB access to the host from -sources external to the protected network. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2484.txt snort-2.9.2/doc/signatures/2484.txt --- snort-2.9.0.1/doc/signatures/2484.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2484.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: --- -Sid: -2484 - --- -Summary: -This event is generated when a remote user attempts to access source.jsp -on a Tomcat web server. This may indicate an attempt to exploit a -directory traversal vulnerability. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event may indicate an attempt to exploit a vulnerability in the -source.jsp script. An attacker can use directory traversal techniques -when accessing source.jsp to view hidden files and directories on the -web server with the access privileges of the server. - --- -Affected Systems: - Apache Tomcat on Novell Netware 6.0 - --- -Attack Scenarios: -An attacker can use directory traversal techniques when executing -source.jsp to view directories and files on the web server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2485.txt snort-2.9.2/doc/signatures/2485.txt --- snort-2.9.0.1/doc/signatures/2485.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2485.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2485 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with Norton Internet Security 2004 AntiSpam feature. - --- -Impact: -A successful attack may permit a buffer overflow that allows the -execution of arbitrary code in the context of LOCAL_SYSTEM. - --- -Detailed Information: -Norton Internet Security 2004 provides desktop security for Windows hosts. -A buffer overflow exists in a module associated with the AntiSpam feature of -Norton Internet Security. This is an ActiveX module that has been labeled -"safe for scripting" allowing it to be accessed and run via a client's -web browser on a host running a vulnerable version of Norton Internet -Security 2004. If an attacker can entice a user on a vulnerable host to -a malicious web server, it is possible to invoke the faulty ActiveX -component. This may cause a buffer overflow and the execution of arbitrary -code in the context of LOCAL_SYSTEM. - --- -Affected Systems: -Norton Internet Security 2004, Norton Internet Security Pro 2004 versions before 7.0.3.8 - --- -Attack Scenarios: -An attacker can entice a user on a vulnerable host to a malicious web -page and execute the faulty ActiveX component, possibly causing -a buffer overflow and the subsequent execution of arbitrary code on the -vulnerable host. - --- Ease of Attack: -Difficult unless exploit code becomes available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -Bugtraq: -http://security.focus.com/bid/9916 - --- diff -Nru snort-2.9.0.1/doc/signatures/2486.txt snort-2.9.2/doc/signatures/2486.txt --- snort-2.9.0.1/doc/signatures/2486.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2486.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid -identification payload attempt"; content:"|05|"; offset:16; depth:1; -byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; -classtype:attempted-dos; sid:2486; rev:1;) - --- -Sid: -2486 - --- -Summary: -This event is generated when an attempt is made to exploit a denial of service -(DoS) associated with tcpdump decoding of an isakmp payload. - --- -Impact: -A successful attack may cause a DoS of the host running tcpdump. - --- -Detailed Information: -The tcpdump decode of an isakmp packet with an identification payload may be -susceptible to a DoS attack. This occurs because the code does not properly -convert the payload length field from network-to-host byte order. This may -cause tcpdump to crash when specific values are supplied to the payload length. - --- -Affected Systems: -Hosts running tcpdump versions 3.8.1 and earlier - --- -Attack Scenarios: -An attacker can create and send a malformed isakmp packet that may cause -a host running tcpdump and analyzing the packet to crash. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10004 - --- diff -Nru snort-2.9.0.1/doc/signatures/2487.txt snort-2.9.2/doc/signatures/2487.txt --- snort-2.9.0.1/doc/signatures/2487.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2487.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: --- - -Sid: -2487 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with winzip's processing of certain MIME archive files. - --- -Impact: -A successful attack may permit a buffer overflow that allows the execution -of arbitrary code at the privilege level of the user running winzip. - --- -Detailed Information: -Winzip is a program that is used for file compression on Windows hosts. -A buffer overflow exists when parsing specific header fields for certain -MIME file types. An overly long value passed to specific Content-Type attributes -may trigger the buffer overflow and allow the execution of arbitrary code -in the context of the user running winzip. - --- -Affected Systems: -Winzip 6.x, 7.x, 8.0, 8.1 SR-1, 8.1, Winzip 9.0 beta versions - --- -Attack Scenarios: -An attacker can entice a user to open a malformed MIME file that will -invoke winzip to process it, possibly causing a a buffer overflow -and the subsequent execution of arbitrary code on the vulnerable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -Bugtraq: -http://securityfocus.com/bid/9758 - --- diff -Nru snort-2.9.0.1/doc/signatures/2488.txt snort-2.9.2/doc/signatures/2488.txt --- snort-2.9.0.1/doc/signatures/2488.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2488.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2488 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with winzip's processing of certain MIME archive files. - --- -Impact: -A successful attack may permit a buffer overflow that allows the execution -of arbitrary code at the privilege level of the user running winzip. - --- -Detailed Information: -Winzip is a program that is used for file compression on Windows hosts. -A buffer overflow exists when parsing specific header fields for certain -MIME file types. An overly long value passed to the Content-Disposition -name field may trigger the buffer overflow and allow the execution of -arbitrary code in the context of the user running winzip. - --- -Affected Systems: -Winzip 6.x, 7.x, 8.0, 8.1 SR-1, 8.1, Winzip 9.0 beta versions - --- -Attack Scenarios: -An attacker can entice a user to open a malformed MIME file that will -invoke winzip to process it, possibly causing a a buffer overflow -and the subsequent execution of arbitrary code on the vulnerable host. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References - -Bugtraq: -http://securityfocus.com/bid/9758 - --- diff -Nru snort-2.9.0.1/doc/signatures/2489.txt snort-2.9.2/doc/signatures/2489.txt --- snort-2.9.0.1/doc/signatures/2489.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2489.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2489 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with eSignal software. - --- -Impact: -A successful attack may allow the execution of arbitrary code with -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -eSignal software provides real-time stock market data to client hosts. -There is a vulnerability associated with eSignal that may cause a buffer overflow, -permitting the execution of arbitrary code with the context of LOCAL_SYSTEM. -The buffer overflow occurs when a larger than expected data payload is supplied -for certain message exchanges. - --- -Affected Systems: -eSignal versions 7.5 and 7.6 - --- -Attack Scenarios: -An attacker can create and send a malformed eSignal message that may cause a buffer overflow and -allow the subsequent execution of arbitrary code with the context of LOCAL_SYSTEM. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/9978 - --- diff -Nru snort-2.9.0.1/doc/signatures/248.txt snort-2.9.2/doc/signatures/248.txt --- snort-2.9.0.1/doc/signatures/248.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/248.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: --- -Sid: -248 - --- -Summary: -This event is generated when an mstream DDoS handler responds to an mstream client. - --- -Impact: -Severe. If the list source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream client. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks. A client may communicate with a handler using a TCP packet to destination port 12754 with a string of ">" in the payload. A handler responds to this with a TCP source port of 12754 and a string of ">" in the payload. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -An mstream handler may be respond to a communication from an mstream client. --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -None Known. - --- -False Negatives: -There are other known client-to-handler ports in addition to 12754. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.9.0.1/doc/signatures/2490.txt snort-2.9.2/doc/signatures/2490.txt --- snort-2.9.0.1/doc/signatures/2490.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2490.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2490 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with eSignal software. - --- -Impact: -A successful attack may allow the execution of arbitrary code with -LOCAL_SYSTEM privilege on a vulnerable host. - --- -Detailed Information: -eSignal software provides real-time stock market data to client hosts. -There is a vulnerability associated with eSignal that may cause a buffer overflow, -permitting the execution of arbitrary code with the context of LOCAL_SYSTEM. -The buffer overflow occurs when a larger than expected data payload is supplied -for certain message exchanges. - --- -Affected Systems: -eSignal versions 7.5 and 7.6 - --- -Attack Scenarios: -An attacker can create and send a malformed eSignal message that may cause a buffer overflow and -allow the subsequent execution of arbitrary code with the context of LOCAL_SYSTEM. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/9978 - --- diff -Nru snort-2.9.0.1/doc/signatures/2491.txt snort-2.9.2/doc/signatures/2491.txt --- snort-2.9.0.1/doc/signatures/2491.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2491.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2491 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2492.txt snort-2.9.2/doc/signatures/2492.txt --- snort-2.9.0.1/doc/signatures/2492.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2492.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2492 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2493.txt snort-2.9.2/doc/signatures/2493.txt --- snort-2.9.0.1/doc/signatures/2493.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2493.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2493 - --- -Summary: -This rule no longer generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -This rule now uses flowbits and can be set to generate an event by -modifying the rule slightly to remove the "flowbits:no_alert;" option. -When traffic is detected that attempts to bind to the ISystemActivator -object in MS RPC DCOM communications this rule now activates sids 2351 -and 2352 to detect exploits against this service. Cool huh? - -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - -This vulnerability is also exploited by the Billy/Blaster worm. The worm -also uses the Trivial File Transfer Protocol (TFTP) to propagate. A -number of events generated by this rule may indicate worm activity. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. This is also exploited by a worm. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Block access to port 69 used by the worm to propogate. - -Block access to port 4444 used by the worm. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/MS03-026.asp - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 - -Symantec: -http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2494.txt snort-2.9.2/doc/signatures/2494.txt --- snort-2.9.0.1/doc/signatures/2494.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2494.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2494 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft RPC service. - --- -Impact: -Denial of Service (DoS). Possible execution of arbitrary code leading to -unauthorized remote access to the victim host. - --- -Detailed Information: -It may be possible for an attacker to cause a DoS condition in the -Microsoft RPC service when multiple simultaneous requests are made to a -vulnerable host. This can lead to an exhaustion of system resources -causing the DoS. - --- -Affected Systems: - Windows systems running RPC services - --- -Attack Scenarios: -An attacker may attempt to bind to the RPC service many times in an -attempt to cause the DoS condition to occur. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2495.txt snort-2.9.2/doc/signatures/2495.txt --- snort-2.9.0.1/doc/signatures/2495.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2495.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2495 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft RPC service. - --- -Impact: -Denial of Service (DoS). Possible execution of arbitrary code leading to -unauthorized remote access to the victim host. - --- -Detailed Information: -It may be possible for an attacker to cause a DoS condition in the -Microsoft RPC service when multiple simultaneous requests are made to a -vulnerable host. This can lead to an exhaustion of system resources -causing the DoS. - --- -Affected Systems: - Windows systems running RPC services - --- -Attack Scenarios: -An attacker may attempt to bind to the RPC service many times in an -attempt to cause the DoS condition to occur. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2496.txt snort-2.9.2/doc/signatures/2496.txt --- snort-2.9.0.1/doc/signatures/2496.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2496.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2496 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft RPC service. - --- -Impact: -Denial of Service (DoS). Possible execution of arbitrary code leading to -unauthorized remote access to the victim host. - --- -Detailed Information: -It may be possible for an attacker to cause a DoS condition in the -Microsoft RPC service when multiple simultaneous requests are made to a -vulnerable host. This can lead to an exhaustion of system resources -causing the DoS. - --- -Affected Systems: - Windows systems running RPC services - --- -Attack Scenarios: -An attacker may attempt to bind to the RPC service many times in an -attempt to cause the DoS condition to occur. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2497.txt snort-2.9.2/doc/signatures/2497.txt --- snort-2.9.0.1/doc/signatures/2497.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2497.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2497 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2498.txt snort-2.9.2/doc/signatures/2498.txt --- snort-2.9.0.1/doc/signatures/2498.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2498.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2498 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2499.txt snort-2.9.2/doc/signatures/2499.txt --- snort-2.9.0.1/doc/signatures/2499.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2499.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2499 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/249.txt snort-2.9.2/doc/signatures/249.txt --- snort-2.9.0.1/doc/signatures/249.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/249.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: --- -Sid: -249 - --- -Summary: -The event is generated when a DDoS mstream client makes contact with an mstream handler. - --- -Impact: -Severe. If the listed source IP is in your network, it is possibly an mstream client. If the listed destination IP is in your network, it is possibly an mstream handler. - --- -Detailed Information: -The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to inform them to launch attacks. A client may contact a handler using a TCP SYN packet to destination port 15104. - --- -Affected Systems: -Any mstream compromised host. - --- -Attack Scenarios: -After a host becomes an mstream handler, the client will attempt to communicate with the handler. - --- -Ease of Attack: -Simple. mstream code is freely available. - --- -False Positives: -A legitimate server port of 15104 will cause this rule to fire. This rule may also generate a false positive if port 15104 is selected as an FTP data port. - --- -False Negatives: -There are other known client-to-handler ports in addition to 15104. - --- -Corrective Action: -Perform proper forensic analysis on the suspected compromised host to discover the means of compromise. - -Rebuild a confirmed compromised host. - -Use a packet filtering-firewall to block inappropriate traffic to the network to prevent hosts from being compromised. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138 - --- diff -Nru snort-2.9.0.1/doc/signatures/2500.txt snort-2.9.2/doc/signatures/2500.txt --- snort-2.9.0.1/doc/signatures/2500.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2500.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -2500 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Microsoft implementation of SSL Version 3. - --- -Impact: -Denial of Service (DoS). --- -Detailed Information: -A vulnerability exists in the handling of SSL Version 3 requests that -can be manipulated to cause a DoS condition in various software -implementations used on Microsoft operating systems. - -The condition exists because of poor error handling routines in the -Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an -invalid field, sent to vulnerable systems can cause the affected host to stop -handling any further requests. - --- -Affected Systems: - Microsoft Windows 2000, 2003 and XP systems using SSL - --- -Attack Scenarios: -An attcker needs to make an SSL request to an affected system that -contains an invalid field. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2501.txt snort-2.9.2/doc/signatures/2501.txt --- snort-2.9.0.1/doc/signatures/2501.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2501.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2501
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2502.txt snort-2.9.2/doc/signatures/2502.txt
--- snort-2.9.0.1/doc/signatures/2502.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2502.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2502
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2503.txt snort-2.9.2/doc/signatures/2503.txt
--- snort-2.9.0.1/doc/signatures/2503.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2503.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2503
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2504.txt snort-2.9.2/doc/signatures/2504.txt
--- snort-2.9.0.1/doc/signatures/2504.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2504.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2504
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2505.txt snort-2.9.2/doc/signatures/2505.txt
--- snort-2.9.0.1/doc/signatures/2505.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2505.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2505
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2506.txt snort-2.9.2/doc/signatures/2506.txt
--- snort-2.9.0.1/doc/signatures/2506.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2506.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2506
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2507.txt snort-2.9.2/doc/signatures/2507.txt
--- snort-2.9.0.1/doc/signatures/2507.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2507.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2507
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2508.txt snort-2.9.2/doc/signatures/2508.txt
--- snort-2.9.0.1/doc/signatures/2508.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2508.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2508
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2509.txt snort-2.9.2/doc/signatures/2509.txt
--- snort-2.9.0.1/doc/signatures/2509.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2509.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2509
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/250.txt snort-2.9.2/doc/signatures/250.txt
--- snort-2.9.0.1/doc/signatures/250.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/250.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-250
-
---
-Summary:
-The event is generated when a DDoS mstream handler responds to an mstream client.
-
---
-Impact:
-Severe. If the source IP is in your network, it is possibly an mstream handler. If the destination IP is in your network, it is possibly an mstream client.
-
---
-Detailed Information:
-The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks. A client may contact a handler using a TCP SYN packet to destination port 15104. A listening handler would respond to this on source port 15104 with a string of ">" in the payload.
-
---
-Affected Systems:
-Any mstream compromised host.
-
---
-Attack Scenarios:
-After a host becomes an mstream handler, the client will attempt to communicate with the handler. A handler will respond to this communication.
-
-
---
-Ease of Attack:
-Simple. mstream code is freely available.
-
---
-False Positives:
-A legitimate server port of 15104 will cause this rule to fire. This rule may also generate a false positive if port 15104 is selected as an FTP data port.
-
---
-False Negatives:
-There are other known client-to-handler ports in addition to 15104.
-
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2510.txt snort-2.9.2/doc/signatures/2510.txt
--- snort-2.9.0.1/doc/signatures/2510.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2510.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2510
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2511.txt snort-2.9.2/doc/signatures/2511.txt
--- snort-2.9.0.1/doc/signatures/2511.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2511.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2511
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2512.txt snort-2.9.2/doc/signatures/2512.txt
--- snort-2.9.0.1/doc/signatures/2512.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2512.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2512
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2513.txt snort-2.9.2/doc/signatures/2513.txt
--- snort-2.9.0.1/doc/signatures/2513.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2513.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2513
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2514.txt snort-2.9.2/doc/signatures/2514.txt
--- snort-2.9.0.1/doc/signatures/2514.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2514.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2514
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2515.txt snort-2.9.2/doc/signatures/2515.txt
--- snort-2.9.0.1/doc/signatures/2515.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2515.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2515
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2516.txt snort-2.9.2/doc/signatures/2516.txt
--- snort-2.9.0.1/doc/signatures/2516.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2516.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2516
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2517.txt snort-2.9.2/doc/signatures/2517.txt
--- snort-2.9.0.1/doc/signatures/2517.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2517.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2517
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2518.txt snort-2.9.2/doc/signatures/2518.txt
--- snort-2.9.0.1/doc/signatures/2518.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2518.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2518
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2519.txt snort-2.9.2/doc/signatures/2519.txt
--- snort-2.9.0.1/doc/signatures/2519.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2519.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2519
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/251.txt snort-2.9.2/doc/signatures/251.txt
--- snort-2.9.0.1/doc/signatures/251.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/251.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
---
-Sid:
-238
-
---
-Summary:
-This event is generated when a command is sent to a Tribal Flood Network
-(TFN) Distributed Denial of Service (DDoS) daemon.
-
---
-Impact:
-Attempted DDoS. If the listed source IP is in your network, it may be a
-TFN client. If the listed destination IP is in your network, it may be
-a TFN daemon.
-
---
-Detailed Information:
-The TFN DDoS uses a tiered structure of compromised hosts to coordinate
-and participate in a distributed denial of service attack. Clients
-communicate with daemons to inform them to launch attacks.
-
-This event is indicative of a client sending commands to a daemon.
-
---
-Affected Systems:
-Any TFN compromised host.
-
---
-Attack Scenarios:
-After a host becomes a TFN daemon, it will respond to client requests.
-
---
-Ease of Attack:
-Simple. TFN code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
-
-Rebuild a confirmed compromised host.
-
-Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
-
-Arachnids:
-http://www.whitehats.com/info/IDS183
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2520.txt snort-2.9.2/doc/signatures/2520.txt
--- snort-2.9.0.1/doc/signatures/2520.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2520.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2520
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2521.txt snort-2.9.2/doc/signatures/2521.txt
--- snort-2.9.0.1/doc/signatures/2521.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2521.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2521
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2522.txt snort-2.9.2/doc/signatures/2522.txt
--- snort-2.9.0.1/doc/signatures/2522.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2522.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2522
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2523.txt snort-2.9.2/doc/signatures/2523.txt
--- snort-2.9.0.1/doc/signatures/2523.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2523.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2523
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Transmission Control Protocol (TCP) used in Border
-Gateway Protocol (BGP).
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-The Border Gateway Protocol uses TCP to maintain sessions when handling
-DNS queries. A vulnerability in the core implementation of TCP may make
-it possible for an attacker to reset a number of connections and cause a
-Denial of Service (DoS) to occur.
-
-The attack is possible because the listening service will accept a TCP
-sequence number within a range of what is expected in an established
-session. Since BGP relies on an established TCP session state, guessing
-a suitable sequence number to reset connections is feasible.
-
---
-Affected Systems:
- Various implementations of TCP by multiple vendors
-
---
-Attack Scenarios:
-An attcker needs to send a specially crafted packet to reset a
-connection.
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2524.txt snort-2.9.2/doc/signatures/2524.txt
--- snort-2.9.0.1/doc/signatures/2524.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2524.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2524
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2525.txt snort-2.9.2/doc/signatures/2525.txt
--- snort-2.9.0.1/doc/signatures/2525.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2525.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2525
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2526.txt snort-2.9.2/doc/signatures/2526.txt
--- snort-2.9.0.1/doc/signatures/2526.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2526.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2526
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overrun condition in Microsoft products via the Local Security Authority
-Subsystem Service (LSASS).
-
---
-Impact:
-Remote execution of arbitrary code.
-
---
-Detailed Information:
-A vulnerability exists in LSASS that may present an attacker with the
-opportunity to execute code of their choosing on an affected host.
-
-The problem lies in an unchecked buffer in the LSASS service, suscessful
-exploitation may present the attacker with the opportunity to gain
-control of the affected system.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems.
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted request to the LSASS
-service that could contain harmful code to gain further access to the
-system.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Use a packet filtering firewall to deny access to TCP and UDP ports 135
-and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
-outside the protected network.
-
-Access should also be denied to ephemeral ports and any other ports used
-by RPC services from sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2527.txt snort-2.9.2/doc/signatures/2527.txt
--- snort-2.9.0.1/doc/signatures/2527.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2527.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2527
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2528.txt snort-2.9.2/doc/signatures/2528.txt
--- snort-2.9.0.1/doc/signatures/2528.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2528.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2528
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the Private
-Communications Transport (PCT) protocol.
-
---
-Impact:
-Execution of arbitrary code. Unauthorized administrative access to an
-affected host.
-
---
-Detailed Information:
-A vulnerability exists in the handling of PCT requests that
-can be manipulated to give an attacker the opportunity to execute
-arbitrary code of their choosing leading to a possible remote
-administrative compromize of an affected host.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003 and XP systems using PCT
-
---
-Attack Scenarios:
-An attcker needs to make a specially crafted PCT request to an affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the use of PCT
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2529.txt snort-2.9.2/doc/signatures/2529.txt
--- snort-2.9.0.1/doc/signatures/2529.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2529.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2529
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/252.txt snort-2.9.2/doc/signatures/252.txt
--- snort-2.9.0.1/doc/signatures/252.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/252.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-252
-
---
-Summary:
-This event is generated when an attempt is made to send an inverse query
-to a DNS server. This could indicate a future attack.
-
---
-Impact:
-Intelligence gathering. This is just an attempt to see if the DNS server
-responds to such a query.
-
---
-Detailed Information:
-Certain versions of BIND fail to propery bound data recieved when
-handling an inverse query. Upon being copied to memory, portions of the
-program can be overwritten and arbitrary commands can be run on the
-affected host.
-
---
-Affected Systems:
- BIND pre 8.1.2 / 4.9.8
-
---
-Attack Scenarios:
-An attacker can send the reverse query and if the server responds the
-attacker might then proceed to exploit the flaw in Bind.
-
---
-Ease of Attack:
-Simple. Exploit code is available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade BIND.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-RFC:
-http://www.rfc-editor.org/rfc/rfc1035.txt
-
-Bugtraq:
-http://www.securityfocus.com/bid/134
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0009
-
-Arachnids:
-http://www.whitehats.com/info/IDS277
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2530.txt snort-2.9.2/doc/signatures/2530.txt
--- snort-2.9.0.1/doc/signatures/2530.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2530.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2530
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2531.txt snort-2.9.2/doc/signatures/2531.txt
--- snort-2.9.0.1/doc/signatures/2531.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2531.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2531
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2532.txt snort-2.9.2/doc/signatures/2532.txt
--- snort-2.9.0.1/doc/signatures/2532.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2532.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2532
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2533.txt snort-2.9.2/doc/signatures/2533.txt
--- snort-2.9.0.1/doc/signatures/2533.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2533.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2533
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2534.txt snort-2.9.2/doc/signatures/2534.txt
--- snort-2.9.0.1/doc/signatures/2534.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2534.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2534
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2535.txt snort-2.9.2/doc/signatures/2535.txt
--- snort-2.9.0.1/doc/signatures/2535.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2535.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2535
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-Cert:
-http://www.kb.cert.org/vuls/id/150236
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2536.txt snort-2.9.2/doc/signatures/2536.txt
--- snort-2.9.0.1/doc/signatures/2536.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2536.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2536
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-Cert:
-http://www.kb.cert.org/vuls/id/150236
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2537.txt snort-2.9.2/doc/signatures/2537.txt
--- snort-2.9.0.1/doc/signatures/2537.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2537.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2537
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-Cert:
-http://www.kb.cert.org/vuls/id/150236
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2538.txt snort-2.9.2/doc/signatures/2538.txt
--- snort-2.9.0.1/doc/signatures/2538.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2538.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2538
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2539.txt snort-2.9.2/doc/signatures/2539.txt
--- snort-2.9.0.1/doc/signatures/2539.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2539.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2539
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/253.txt snort-2.9.2/doc/signatures/253.txt
--- snort-2.9.0.1/doc/signatures/253.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/253.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-253
-
---
-Summary:
-This event is generated when a specific DNS response. In this case, there are no DNS authority records for the queried pointer record and has a DNS time-to-live value of one minute.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query. An attacker may sniff a DNS query requesting an address record and attempt to respond before an actual DNS server can. The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record. A legitimate DNS response will likely return the names of the authoritative DNS servers. The response associated with this traffic has a DNS time-to-live value of one minute. It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
-
---
-Affected Systems:
-Any DNS server not using DNSSEC.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Moderate. The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-This rule uses very specific DNS flag values that could be modified. Also, if the DNS TTL value is changed from 1, this rule will not trigger.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2540.txt snort-2.9.2/doc/signatures/2540.txt
--- snort-2.9.0.1/doc/signatures/2540.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2540.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2540
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2541.txt snort-2.9.2/doc/signatures/2541.txt
--- snort-2.9.0.1/doc/signatures/2541.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2541.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2541
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2542.txt snort-2.9.2/doc/signatures/2542.txt
--- snort-2.9.0.1/doc/signatures/2542.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2542.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2542
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2543.txt snort-2.9.2/doc/signatures/2543.txt
--- snort-2.9.0.1/doc/signatures/2543.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2543.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2543
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2544.txt snort-2.9.2/doc/signatures/2544.txt
--- snort-2.9.0.1/doc/signatures/2544.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2544.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2544
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of SSL Version 3.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in the handling of SSL Version 3 requests that
-can be manipulated to cause a DoS condition in various software
-implementations used on Microsoft operating systems.
-
-The condition exists because of poor error handling routines in the
-Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
-invalid field, sent to vulnerable systems can cause the affected host to stop
-handling any further requests.
-
---
-Affected Systems:
- Microsoft Windows 2000, 2003 and XP systems using SSL
-
---
-Attack Scenarios:
-An attcker needs to make an SSL request to an affected system that
-contains an invalid field.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-US-CERT:
-http://www.us-cert.gov/cas/techalerts/TA04-104A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2545.txt snort-2.9.2/doc/signatures/2545.txt
--- snort-2.9.0.1/doc/signatures/2545.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2545.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2545
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in AppleFileServer.
-
---
-
-Impact:
-Serious. Unauthorized remote administrative access.
-
---
-Detailed Information:
-AppleFileServer is used to share files and mount remote drives between
-machines using Apple Macintosh OS X. An error in the processing of
-PathName may lead to a buffer overflow. If the length of a string for
-AFPName is longer than the declared length, the buffer will be
-overflowed and may present an attacker with the opportunity to execute
-code of their choosing.
-
---
-
-Attack Scenarios:
-An attacker can supply an AFPName longer than what is expected by the
-service and overwrite portions of memory leading to the execution of
-code.
-
---
-
-Ease of Attack:
-Simple
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable AFP if not needed
-
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2546.txt snort-2.9.2/doc/signatures/2546.txt
--- snort-2.9.0.1/doc/signatures/2546.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2546.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2546
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Serv-U FTP server, namely the MDTM buffer overflow.
-
---
-Impact:
-Serious. Denial of service is possible; when combined with shellcode,
-arbitrary code can be remotely executed with SYSTEM privileges.
-
---
-Detailed Information:
-The vulnerability in question is a buffer overflow present in the handling
-of the MDTM command in the RhinoSoft Serv-U FTP server for Windows.
-
-The rule searches for an MDTM command which is not terminated within 100
-characters; no valid command would be longer than this.
-
---
-Affected Systems:
-All versions of RhinoSoft Serv-U FTP 4.2 and earlier.
-
---
-Attack Scenarios:
-Several scripts exist to exploit this flaw, and shellcode is publicly available.
-An attacker could either use one of these scripts, craft their own, or simply
-manually enter an MDTM command which triggers the overflow after having logged
-into a vulnerable server.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-
--- Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2547.txt snort-2.9.2/doc/signatures/2547.txt
--- snort-2.9.0.1/doc/signatures/2547.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2547.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2547
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web interface support for the HP JetAdmin printer.
-
---
-Impact:
-A successful attack may allow the execution of arbitrary code as root
-on a vulnerable server.
-
---
-Detailed Information:
-The HP Web JetAdmin provides a web interface for the administration of the HP
-Web JetAdmin printer. A vulnerability exists that allows the uploading
-of unauthorized files using the script
-/plugins/hpjwja/script/devices_update_printer_fw_upload.hts. This capability
-was included to allow the upload of legitimate files, such as firmware updates,
-by an authorized administrator. However, there is no file validation on the
-uploaded file, allowing the upload of any random file. An attacker can upload
-a file with a .hts extension that subsequently can be executed when the
-attacker accesses the file using a web browser.
-
---
-Affected Systems:
-HP Web JetAdmin 7.2.
-
---
-Attack Scenarios:
-An attacker can create upload and execute a malicious file on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-An authorized administrator who uploads a file from an IP address outside the trusted
-network will cause a false positive alert.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a different port
-on which to run the web interface, no alert will be detected. In that case, the rule
-should be altered to reflect the port on which the web interface runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software or apply the appropriate patch
-when it becomes available.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/9971
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2548.txt snort-2.9.2/doc/signatures/2548.txt
--- snort-2.9.0.1/doc/signatures/2548.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2548.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2548
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web interface support for the HP JetAdmin printer.
-
---
-Impact:
-A successful attack may allow unauthorized files to be read or the injection
-of a .hts script on a vulnerable server.
-
---
-Detailed Information:
-The HP Web JetAdmin provides a web interface for the administration of the HP
-Web JetAdmin printer. A vulnerability exists that allows unauthorized
-files to be read or a .hts script to be executed. This is caused when the
-/plugins/hpjdwm/script/test/setinfo.hts script is supplied a value to the
-setinclude parameter that represents an unauthorized file to be read outside
-the web root or represents a .hts file that will be executed with system
-privileges on the vulnerable server.
-
---
-Affected Systems:
-HP Web JetAdmin 7.2.
-
---
-Attack Scenarios:
-An attacker can execute the vulnerable script and supply a value to setinclude
-indicating an unauthorized file to be read or an .hts file to be executed.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-An authorized administrator who uses the setinclude parameter with the above
-script from a source IP outside of the trusted network will cause a false positive alert.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a different port
-on which to run the web interface, no alert will be detected. In that case, the rule
-should be altered to reflect the port on which the web interface runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software or apply the appropriate patch
-when it becomes available.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/9972
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2549.txt snort-2.9.2/doc/signatures/2549.txt
--- snort-2.9.0.1/doc/signatures/2549.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2549.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2549
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the web interface support for the HP JetAdmin printer.
-
---
-Impact:
-A successful attack may allow a sensitive system file to be overwritten.
-
---
-Detailed Information:
-The HP Web JetAdmin provides a web interface for the administration of the HP
-Web JetAdmin printer. A vulnerability is present that allows an existing file
-on the server to be overwritten. This problem exists because the script
-/plugins/framework/script/tree.xms does not sanitize the value supplied to
-the parameter WriteToFile, permitting a directory traversal from the web root
-directory to any file. An attacker can supply the data to write to the specified
-file.
-
---
-Affected Systems:
-HP Web JetAdmin 7.2.
-
---
-Attack Scenarios:
-An attacker can overwrite a sensitive system file using the WriteToFile parameter
-and supplying the data to write to the file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-The default HP Web JetAdmin port is 8000. If an administrator selects a different port
-on which to run the web interface, no alert will be detected. In that case, the rule
-should be altered to reflect the port on which the web interface runs.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software or apply the appropriate patch
-when it becomes available.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-Bugtraq:
-http://www.securityfocus.com/bid/9973
-
---
diff -Nru snort-2.9.0.1/doc/signatures/254.txt snort-2.9.2/doc/signatures/254.txt
--- snort-2.9.0.1/doc/signatures/254.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/254.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-254
-
---
-Summary:
-This event is generated when a specific DNS response is returned. In this case, there are no DNS authority records for the queried address record and has a DNS time-to-live value of one minute.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile IP).
-
---
-Detailed Information:
-This is presumably from an attacker engaged in a race condition to respond to a legitimate DNS query. An attacker may sniff a DNS query requeting an address record and attempt to respond before an actual DNS server can. The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record. A legitimate DNS response will likely return the names of the authoritative DNS servers. The response associated with this traffic has a DNS time-to-live value of one minute. It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
-
---
-Affected Systems:
-Any DNS server not using DNSSEC.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent a host name to IP pairing. The forged IP number can direct a user to a potentially hostile IP address.
-
---
-Ease of Attack:
-The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-This rule uses very specific DNS flag values that could be modified. Also, if the DNS TTL value is changed from 1, this rule will not trigger.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2550.txt snort-2.9.2/doc/signatures/2550.txt
--- snort-2.9.0.1/doc/signatures/2550.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2550.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-2550
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with Winamp's processing of a .XM file module name.
-
---
-Impact:
-A successful attack may permit a buffer overflow that allows the execution
-of arbitrary code at the privilege level of the user running Winamp.
-
---
-Detailed Information:
-Winamp is a media file player for Windows developed by Nullsoft. A buffer
-overflow exists because of insufficient bounds checking while parsing fields
-in a .XM file. An overly long module name may cause the buffer overflow
-permitting the execution of arbitrary code at the privilege level of the user
-running Winamp.
-
---
-Affected Systems:
-Winamp 2.x, 3.x, and 5.0-5.02
-
---
-Attack Scenarios:
-An attacker can create and send a malformed .XM tracker name that may cause
-a buffer overflow and the subsequent execution of arbitrary code on the
-vulnerable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References
-
-Other:
-http://www.nextgenss.com/advisories/winampheap.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2551.txt snort-2.9.2/doc/signatures/2551.txt
--- snort-2.9.0.1/doc/signatures/2551.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2551.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2551
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2552.txt snort-2.9.2/doc/signatures/2552.txt
--- snort-2.9.0.1/doc/signatures/2552.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2552.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2552
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2553.txt snort-2.9.2/doc/signatures/2553.txt
--- snort-2.9.0.1/doc/signatures/2553.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2553.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2553
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2554.txt snort-2.9.2/doc/signatures/2554.txt
--- snort-2.9.0.1/doc/signatures/2554.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2554.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2554
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2555.txt snort-2.9.2/doc/signatures/2555.txt
--- snort-2.9.0.1/doc/signatures/2555.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2555.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2555
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2556.txt snort-2.9.2/doc/signatures/2556.txt
--- snort-2.9.0.1/doc/signatures/2556.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2556.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2556
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2557.txt snort-2.9.2/doc/signatures/2557.txt
--- snort-2.9.0.1/doc/signatures/2557.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2557.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2557
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2558.txt snort-2.9.2/doc/signatures/2558.txt
--- snort-2.9.0.1/doc/signatures/2558.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2558.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2558
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2559.txt snort-2.9.2/doc/signatures/2559.txt
--- snort-2.9.0.1/doc/signatures/2559.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2559.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2559
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/255.txt snort-2.9.2/doc/signatures/255.txt
--- snort-2.9.0.1/doc/signatures/255.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/255.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
---
-Sid:
-255
-
---
-
-Summary:
-This event is generated when an attempt is made to request a zone
-transfer from a DNS Server
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-DNS Zone transfers are normally used between DNS Servers to replicate
-zone information. Zone transfers can also be used to gain information
-about a network.
-
---
-Affected Systems:
- All DNS Servers
-
---
-Attack Scenarios:
-A malicious user may request a Zone Transfer to gather information
-before commencing an attack. This can give the user a list of hosts to
-target.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-DNS Zone transfers may be part of normal traffic for DNS servers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Configure the DNS servers to only allow zone transfers from authorised
-hosts, limit the information available from publicly acessible DNS
-server by using Split Horizon DNS or separate DNS Servers for internal
-networks.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2560.txt snort-2.9.2/doc/signatures/2560.txt
--- snort-2.9.0.1/doc/signatures/2560.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2560.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2560
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Oracle Application Server Web Cache.
-
---
-
-Impact:
-Serious. Possible execution of arbitrary code leading to remote
-administrative access.
-
---
-Detailed Information:
-The Oracle Application Server Web Cache is vulnerable to a buffer
-overrun caused by poor checking of the length of an HTTP Header. If a
-large invalid HTTP Request Method is supplied to a vulnerable system, an
-attacker may be presented with the opportunity to overrun a fixed length
-buffer and subsequently execute code of their choosing on the server.
-
---
-Affected Systems:
-Oracle Application Server Web Cache 10g 9.0.4 .0
-Oracle Oracle9i Application Server Web Cache 2.0 .0.4
-Oracle Oracle9i Application Server Web Cache 9.0.2 .3
-Oracle Oracle9i Application Server Web Cache 9.0.2 .2
-Oracle Oracle9i Application Server Web Cache 9.0.3 .1
-
---
-
-Attack Scenarios:
-An attacker might supply an HTTP Request Method of more than 432 bytes,
-causing the overflow to occur.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
-to configure the Oracle Web Cache server to run on different ports. The rule
-should be configured to reflect the appropriate ports of Oracle Web Cache
-servers on your network.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2561.txt snort-2.9.2/doc/signatures/2561.txt
--- snort-2.9.0.1/doc/signatures/2561.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2561.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2561
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with rsync.
-
---
-Impact:
-A successful attack may allow files to be existing files to be overwritten
-or new files created on the rsync server.
-
---
-Detailed Information:
-rsync is used to remote copy files. A command line option "--backup-dir"
-can be used to specify a directory where backup files are to be placed.
-There is no validation of the argument supplied to this option to scrutinize
-it for proper formatting. A malicious user can try to overwrite existing
-files or create new ones on a vulnerable host by supplying a value to
-"--backup-dir" that is relative to the root directory.
-
---
-Affected Systems:
-Many Unix and Linux distributions running rsync.
-See http://www.securityfocus.com/bid/10247 for affected operating systems.
-
---
-Attack Scenarios:
-An attacker can send a rsync command supplying the -backup-dir option
-with a path relative to the root file system, overwriting or creating
-new files on the vulnerable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-Run the rsync server in a chroot environment.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
-
-Bugtraq:
-http://www.securityfocus.com/bid/10247
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2562.txt snort-2.9.2/doc/signatures/2562.txt
--- snort-2.9.0.1/doc/signatures/2562.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2562.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2562
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the server component of McAfee's ePolicy Orchestrator (ePO).
-
---
-Impact:
-A successful attack may permit an attacker to upload malicious code on
-the ePolicy Orchestrator server that may subsequently deliver the
-malicious code to ePolicy agents.
-
---
-Detailed Information:
-There is a problem with access authentication in McAfee's ePolicy Orchestrator
-server. This product is responsible for distributing packages and code to
-ePolicy agents, making this a potentially widespread and damaging attack in
-a network. Because of a failure to authenticate credentials,
-an attacker can perform administrator functions, such as file uploads, by
-connecting the the ePO web server. The malicious files may be pushed to
-the ePO agents by the ePO Orchestrator.
-
---
-Affected Systems:
-McAfee ePolicy Orchestrator 2.5.0
-McAfee ePolicy Orchestrator 2.5.1 before Patch 14
-McAfee ePolicy Orchestrator 3.0 before Patch 4 for 2.0 SP2A
-
---
-Attack Scenarios:
-An attacker can attempt to upload a malicious file using the web
-server of the ePO Orchestrator. The file may be subsequently
-pushed by the Orchestrator to ePO agents.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a valid administrator connects to the ePO server and uploads
-files, the alert will trigger.
-
---
-False Negatives:
-If the ePO server listens on a port other than 81, no alert will
-trigger.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0038
-
-Bugtraq:
-http://www.securityfocus.com/bid/10200
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2563.txt snort-2.9.2/doc/signatures/2563.txt
--- snort-2.9.0.1/doc/signatures/2563.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2563.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2563
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the Symantec Firewall.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution
-of arbitrary code on the vulnerable host.
-
---
-Detailed Information:
-There is a vulnerability in the way the Symantec Firewall handles NetBIOS
-Name Service response packets. If an attacker crafts a malicious UDP NetBIOS
-Name Service unsolicited response to a vulnerable Symantec Firewall that does
-not block port 137, it is possible to cause a heap overflow and execute
-abitrary code with kernel privileges. The vulnerability exists because of
-improper validation of the existence of required fields for the NetBIOS name
-returned. The default configuration does not allow UDP port 137 traffic and
-should not be exploitable if UDP port 137 is blocked.
-
---
-Affected Systems:
-Symantec Norton Internet Security and Professional 2002,2003,2004
-Symantec Norton Personal Firewall 2002,2003,2004
-Symantec Norton AntiSpam 2004
-Symantec Client Firewall 5.01, 5.1.1
-Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
-
---
-Attack Scenarios:
-An attacker can craft a malicious UDP NetBIOS Name Service response,
-possibly causing a heap overflow and the subsequent execution of
-arbitrary code with kernel privileges on an exploitable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444
-
-Bugtraq:
-http://www.securityfocus.com/bid/10335
-
-Misc:
-http://www.eeye.com/html/Research/Advisories/AD20040512C.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2564.txt snort-2.9.2/doc/signatures/2564.txt
--- snort-2.9.0.1/doc/signatures/2564.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2564.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2564
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the Symantec Firewall.
-
---
-Impact:
-A successful attack may cause a buffer overflow, permitting the execution
-of arbitrary code on the vulnerable host.
-
---
-Detailed Information:
-There is a vulnerability in the way the Symantec Firewall handles NetBIOS
-Name Service response packets. If an attacker crafts a malicious UDP NetBIOS
-Name Service unsolicited response to a vulnerable Symantec Firewall that does
-not block port 137, it is possible to cause a buffer overflow and execute
-abitrary code with kernel privileges. The vulnerability exists because of
-improper validation of the length field value for the NetBIOS name returned.
-The default configuration does not allow UDP port 137 traffic and should
-not be exploitable if UDP port 137 is blocked.
-
---
-Affected Systems:
-Symantec Norton Internet Security and Professional 2002,2003,2004
-Symantec Norton Personal Firewall 2002,2003,2004
-Symantec Norton AntiSpam 2004
-Symantec Client Firewall 5.01, 5.1.1
-Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
-
---
-Attack Scenarios:
-An attacker can craft a malicious UDP NetBIOS Name Service response,
-possibly causing a buffer overflow and the subsequent execution of
-arbitrary code with kernel privileges on an exploitable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444
-
-Bugtraq:
-http://www.securityfocus.com/bid/10333
-
-Misc:
-http://www.eeye.com/html/Research/Advisories/AD20040512A.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2565.txt snort-2.9.2/doc/signatures/2565.txt
--- snort-2.9.0.1/doc/signatures/2565.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2565.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2565
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a PHP application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running PHP applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying PHP script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2566.txt snort-2.9.2/doc/signatures/2566.txt
--- snort-2.9.0.1/doc/signatures/2566.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2566.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2566
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a PHP application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running PHP applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying PHP script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2567.txt snort-2.9.2/doc/signatures/2567.txt
--- snort-2.9.0.1/doc/signatures/2567.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2567.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2567
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2568.txt snort-2.9.2/doc/signatures/2568.txt
--- snort-2.9.0.1/doc/signatures/2568.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2568.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2568
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2569.txt snort-2.9.2/doc/signatures/2569.txt
--- snort-2.9.0.1/doc/signatures/2569.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2569.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-2569
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability on a web server or a web application resident on a web
-server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server. Possible execution of arbitrary code of
-the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running a Web server or a vulnerable application on a web server.
-
-Many known vulnerabilities exist for each implementation and the
-attack scenarios are legion.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/256.txt snort-2.9.2/doc/signatures/256.txt
--- snort-2.9.0.1/doc/signatures/256.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/256.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-256
-
---
-Summary:
-This event is generated when an attempt is made to query authors.bind chaos
-record on a DNS server.
-
---
-Impact:
-Information gathering. This activity may indicate reconnaisance before
-an impending attack.
-
---
-Detailed Information:
-Bind 9.x allows you get the authors.bind chaos record. The ability to
-retrieve this file indicates that the machine is running at least a
-9.x variant of the bind nameserver.
-
---
-Affected Systems:
- All DNS Servers using Bind
-
---
-Attack Scenarios:
-As part of a reconnaissance mission, an attacker may attempt to glean
-important information about network infrastructure by determining the
-bind version on a nameserver. If authors.bind is retrievable, this
-indicates that Bind 9.x is in use.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Remove the ability to retrieve the authors.bind chaos record by changing
-the DNS configuration accordingly.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2570.txt snort-2.9.2/doc/signatures/2570.txt
--- snort-2.9.0.1/doc/signatures/2570.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2570.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2570
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability on a web server or a web application resident on a web
-server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server. Possible execution of arbitrary code of
-the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running a Web server or a vulnerable application on a web server.
-
-In particular this rule generates events when a non-standard HTTP
-request is made to a server. Some applications do not handle this
-exception in an acceptable manner and may present an attacker with the
-opportunity to exploit the application and server becasue of this.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
- Seattle Lab Software SLMail Pro 2.0 to 2.0.9 inclusive
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-The use of some proxy servers like Inktomi, may cause this rule to
-generate events.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2571.txt snort-2.9.2/doc/signatures/2571.txt
--- snort-2.9.0.1/doc/signatures/2571.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2571.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2571
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential
-weakness on a host running a web application on Microsoft Internet
-Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential
-weaknesses in a host running a web application on Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation
-on the host, this may be the prelude to an attack against that host
-using that information.
-
-The attacker may also be trying to gain administrator access to the
-host, garner information on users of the system or retrieve sensitive
-customer information.
-
-Some applications may store sensitive information such as database
-connections, user information, passwords and customer information in
-files accessible via a web interface. Care should be taken to ensure
-these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been
-taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2572.txt snort-2.9.2/doc/signatures/2572.txt
--- snort-2.9.0.1/doc/signatures/2572.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2572.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2572
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential
-weakness on a host running a web application on Microsoft Internet
-Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential
-weaknesses in a host running a web application on Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation
-on the host, this may be the prelude to an attack against that host
-using that information.
-
-The attacker may also be trying to gain administrator access to the
-host, garner information on users of the system or retrieve sensitive
-customer information.
-
-Some applications may store sensitive information such as database
-connections, user information, passwords and customer information in
-files accessible via a web interface. Care should be taken to ensure
-these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been
-taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2573.txt snort-2.9.2/doc/signatures/2573.txt
--- snort-2.9.0.1/doc/signatures/2573.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2573.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-2573
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential
-weakness on a host running a web application on Microsoft Internet
-Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential
-weaknesses in a host running a web application on Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation
-on the host, this may be the prelude to an attack against that host
-using that information.
-
-The attacker may also be trying to gain administrator access to the
-host, garner information on users of the system or retrieve sensitive
-customer information.
-
-Some applications may store sensitive information such as database
-connections, user information, passwords and customer information in
-files accessible via a web interface. Care should be taken to ensure
-these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been
-taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2574.txt snort-2.9.2/doc/signatures/2574.txt
--- snort-2.9.0.1/doc/signatures/2574.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2574.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2574
-
---
-Summary:
-This event is generated when a remote attacker attempts to exploit a
-format string vulnerability against an FTP server during authentication.
-
---
-
-Impact:
-Attempted Admin. A successful format string attack could result in the
-execution of arbitrary code with the same privileges as the user running
-the FTP daemon.
-
---
-
-Detailed Information:
-Several FTP daemons are vulnerable to format string exploits during
-authentication to the FTP server. A successful exploit attempt could
-result in the remote attacker gaining unauthorized root access to the
-vulnerable system.
-
---
-Affected Systems:
- BolinTech Dream FTP Server version 1.02
-
---
-
-Attack Scenarios:
-A remote attacker could use a publicly available script to exploit the
-vulnerability an gain control of the target host.
-
---
-
-Ease of Attack:
-Simple. Numerous attack scripts exist to exploit this vulnerabiliy.
-
---
-
-False Positives:
-None known.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2575.txt snort-2.9.2/doc/signatures/2575.txt
--- snort-2.9.0.1/doc/signatures/2575.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2575.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2575
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a PHP web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a PHP application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the PHP application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running PHP applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying PHP script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2576.txt snort-2.9.2/doc/signatures/2576.txt
--- snort-2.9.0.1/doc/signatures/2576.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2576.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2576
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use an inbuilt procedure to generate triggers
-needed for database replication. The "generate_replication_support"
-procedure contains a programming error that may allow an attacker to
-execute a buffer overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-Oracle servers running on a Windows platform may listen on any arbitrary
-port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
-is applicable to the protected network.
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "package_prefix" or
-"procedure_prefix" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Application Security Inc.
-https://www.appsecinc.com/Policy/PolicyCheck93.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2577.txt snort-2.9.2/doc/signatures/2577.txt
--- snort-2.9.0.1/doc/signatures/2577.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2577.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2577
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Explorer.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible.
-
---
-Detailed Information:
-Internet Explorer does not correctly handle the validation of data from
-an external source when processing data in a frame from a redirected
-source. This may lead to the execution of arbitrary code in the context
-of the Local Machine zone.
-
-It may be possible for an attacker to supply an HTTP 300 response from a
-webserver that points to a local file on the victim host. If the
-attacker includes code of their choosing, this code is executed in the
-context of the trusted Local Machine zone.
-
---
-Affected Systems:
- Microsoft Internet Explorer
- Microsoft Outlook
- Microsoft Outlook Express
-
---
-Attack Scenarios:
-An attacker would need to supply an HTTP 300 series code to redirect the
-contents of a frame to a local resource on the victim host.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-A valid 300 server response that uses the Location parameter to redirect
-users to a new location may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Disable Active Scripting and ActiveX
-
-Disable the use of HTML email
-
-Use a browser other than Internet Explorer
-
---
-Contributors:
-Original Snort documentation contributed by nnposter@users.sourceforge.net
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2578.txt snort-2.9.2/doc/signatures/2578.txt
--- snort-2.9.0.1/doc/signatures/2578.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2578.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2578
-
---
-Summary:
-This event is generated when an attempt is made to exploit a heap overflow
-associated with Kerberos V5.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution of
-arbitrary code.
-
---
-Detailed Information:
-When Kerberos V5 uses a non-default configuration of enabling rules-based
-mapping, it is possible to cause a heap overflow and the subsequent
-execution of arbitrary code on the vulnerable host. The attacker has
-to successfully authenticate in order to exploit the vulnerability.
-If an attacker supplies an overly long principal name, it may be possible
-to cause a heap overflow on the vulnerable Kerberos-enabled server.
-
---
-Affected Systems:
-MIT Kerberos V5 including krb5-1.3.3
-
---
-Attack Scenarios:
-An attacker authenticates to the Kerberos server and later supplies
-an overly long principle name when attempting to connect to a server
-that employs Kerberos authentication. This can cause a heap overflow
-and subsequent execution of code on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Dan Roelker
-
---
-Additional References
-
-Other:
-http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2579.txt snort-2.9.2/doc/signatures/2579.txt
--- snort-2.9.0.1/doc/signatures/2579.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2579.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-2579
-
---
-Summary:
-This event is generated when an attempt is made to exploit a heap overflow
-associated with Kerberos V5.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution of
-arbitrary code.
-
---
-Detailed Information:
-When Kerberos V5 uses a non-default configuration of enabling rules-based
-mapping, it is possible to cause a heap overflow and the subsequent
-execution of arbitrary code on the vulnerable host. The attacker has
-to successfully authenticate in order to exploit the vulnerability.
-If an attacker supplies an overly long principal name, it may be possible
-to cause a heap overflow on the vulnerable Kerberos-enabled server.
-
---
-Affected Systems:
-MIT Kerberos V5 including krb5-1.3.3
-
---
-Attack Scenarios:
-An attacker authenticates to the Kerberos server and later supplies
-an overly long principle name when attempting to connect to a server
-that employs Kerberos authentication. This can cause a heap overflow
-and subsequent execution of code on a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Dan Roelker
-
---
-Additional References
-
-Other:
-http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/257.txt snort-2.9.2/doc/signatures/257.txt
--- snort-2.9.0.1/doc/signatures/257.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/257.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-257
-
---
-Summary:
-This event is generated when an attempt is made to determine the version
-of BIND being used on a DNS server.
-
---
-Impact:
-Information gathering. This activity may indicate reconnaisance before
-an impending attack.
-
---
-Detailed Information:
-A remote machine attempted to determine the version of BIND running on a
-nameserver.
-
---
-Affected Systems:
- All DNS nameservers
-
---
-Attack Scenarios:
-As part of reconnaissance leading upto a potential intrusion attempt, an
-attacker may attempt to determine the BIND version that is in use so
-that a vulnerable version can be used as an attack vector.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the ability for untrusted (remote) machines to determine the named
-version.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2580.txt snort-2.9.2/doc/signatures/2580.txt
--- snort-2.9.0.1/doc/signatures/2580.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2580.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2580
-
---
-Summary:
-This event is generated when an attempt is made to exploit a heap overflow
-associated with Apache 1.3 proxy and cache module.
-
---
-Impact:
-A successful attack may cause a heap overflow, permitting the execution of
-arbitrary code.
-
---
-Detailed Information:
-When Apache 1.3 is used and the host is configured to be a web proxy,
-reverse proxy and/or cache server, a vulnerability exists that may
-allow a heap overflow and the subsequent execution of arbitrary code
-on the vulnerable server. This may occur when the server receives
-a malformed response from a malicious web server that includes a
-negative content length value. This can cause invalid memory access
-and a denial of service or heap overflow.
-
---
-Affected Systems:
-Apache 1.3.x
-
---
-Attack Scenarios:
-An attacker can entice a user to visit a malicious web server. If
-a vulnerable server proxies the request and receives a malformed
-response, a heap overflow may occur.
-
---
-Ease of Attack:
-Simple. Exploit code is publicly available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-Brian Caswell
-
---
-Additional References
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
-
-Other:
-http://www.guninski.com/modproxy1.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2581.txt snort-2.9.2/doc/signatures/2581.txt
--- snort-2.9.0.1/doc/signatures/2581.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2581.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-2581
-
---
-Summary:
-This event is generated when an attempt is made to exploit a directory
-traversal associated with the Crystal Reports web viewer.
-
---
-Impact:
-A successful attack may allow unauthorized files to be viewed or
-possibly deleted.
-
---
-Detailed Information:
-A vulnerability exists in the Crystal Reports web viewer that may permit
-an attacker to view or delete unauthorized files. The is due to a
-failure to ensure that that a requested Crystal Report file location
-is in the web root directory, permitting unauthorized files to be
-viewed.
-
-In addition, Crystal Reports assumes that the requested report
-file for viewing is a temporary file and deletes it after the
-web version has been viewed. This problem combined with the
-directory traversal vulnerability may allow sensitive or valuable
-files to be deleted.
-
---
-Affected Systems:
-Crystal Reports 8.5 JAVA SDK
-Crystal Reports RAS 8.5 for UNIX
-Crystal Reports 9.0
-Crystal Enterprise 9.0
-Crystal Reports 10
-Crystal Reports 10.0
-
---
-Attack Scenarios:
-An attacker can request to view a file not in the web root
-directory, permitting unauthorized information disclosure.
-The viewed file will be deleted subsequently possibly causing
-harm to the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
-
-Other:
-http://www.microsoft.com/security/bulletins/200406_crystal.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2582.txt snort-2.9.2/doc/signatures/2582.txt
--- snort-2.9.0.1/doc/signatures/2582.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2582.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-2582
-
---
-Summary:
-This event is generated when an attempt is made to exploit a directory
-traversal associated with the Crystal Reports web viewer.
-
---
-Impact:
-A successful attack may allow unauthorized files to be viewed or
-possibly deleted.
-
---
-Detailed Information:
-A vulnerability exists in the Crystal Reports web viewer that may permit
-an attacker to view or delete unauthorized files. The is due to a
-failure to ensure that that a requested Crystal Report file location
-is in the web root directory, permitting unauthorized files to be
-viewed.
-
-In addition, Crystal Reports assumes that the requested report
-file for viewing is a temporary file and deletes it after the
-web version has been viewed. This problem combined with the
-directory traversal vulnerability may allow sensitive or valuable
-files to be deleted.
-
---
-Affected Systems:
-Crystal Reports 8.5 JAVA SDK
-Crystal Reports RAS 8.5 for UNIX
-Crystal Reports 9.0
-Crystal Enterprise 9.0
-Crystal Reports 10
-Crystal Reports 10.0
-
---
-Attack Scenarios:
-An attacker can request to view a file not in the web root
-directory, permitting unauthorized information disclosure.
-The viewed file will be deleted subsequently possibly causing
-harm to the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
-
-Other:
-http://www.microsoft.com/security/bulletins/200406_crystal.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2583.txt snort-2.9.2/doc/signatures/2583.txt
--- snort-2.9.0.1/doc/signatures/2583.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2583.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2583
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with CVS.
-
---
-Impact:
-A successful attack may perform a buffer overflow or a denial of service by
-either causing the CVS server to terminate abruptly or causing an exhaustion of
-disk resources.
-
---
-Detailed Information:
-A CVS client transaction may reference a file using a relative path
-requiring the use of a directory traversal. The Max-dotdot keyword and
-appropriate argument are created by the CVS client software to handle
-relative paths. The appropriate argument represents the maximum number of
-directory levels to be traversed. It is possible for an attacker
-to supply an overly large value to the Max-dotdot keyword, causing an
-incorrect allocation of memory and possibly causing a buffer overflow or the CVS
-server to crash. In addition, temporary files are not deleted enabling a disk
-resource exhaustion attack, if repeated many times. It should be noted
-that an attacker must have CVS access privileges in order to attempt
-these attacks.
-
-
---
-Affected Systems:
-CVS versions 1.12.8 with the exception of version 1.11.17
-
---
-Attack Scenarios:
-An attacker can connect to a CVS server and craft an overly large Max-dotdot
-argument value, causing a buffer overflow or causing the vulnerable CVS server
-to crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
-CVE:
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0417
-
-Bugtraq:
-http://www.securityfocus.com/bid/10499
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2584.txt snort-2.9.2/doc/signatures/2584.txt
--- snort-2.9.0.1/doc/signatures/2584.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2584.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-1102
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the peer to peer (p2p) client eMule.
-
---
-Impact:
-Possible execution of arbitrary code of the attackers choosing.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the p2p application eMule. The eMule client is prone to
-a buffer overflow condition which may present an attacker with the
-opportunity to execute code of their choosing on a vulnerable host.
-
-The issue surrounds the IRC module and the Web server portions of the
-client. Sufficient bounds checking of user supplied data is not
-correctly implemented causing the opportunity to overflow a buffer.
-
---
-Affected Systems:
- All systems using eMule.
-
---
-Attack Scenarios:
-An attacker can supply overly long data in an IRC session between two
-clients to trigger the overflow.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2585.txt snort-2.9.2/doc/signatures/2585.txt
--- snort-2.9.0.1/doc/signatures/2585.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2585.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2585
-
---
-Summary:
-This event is generated when an attempt is made to probe for a known
-vulnerability on a web server or a web application resident on a web
-server using Nessus.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event is generated when an attempt is made to ascertain wether or
-not a Web server or an application running on a web server is subject
-to a possible vulnerability using the tool Nessus.
-
-Many known vulnerabilities exist for each implementation and the
-attack scenarios are legion.
-
-Some applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
- All systems using a web server.
-
---
-Attack Scenarios:
-An attacker merely needs to use Nessus against a server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2586.txt snort-2.9.2/doc/signatures/2586.txt
--- snort-2.9.0.1/doc/signatures/2586.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2586.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2586
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected.
-This may be against corporate policy. p2p clients connect to other p2p
-clients to share files, commonly music and video files but can be configured
-to share any file on the local machine. In particular this event is
-generated when the p2p client eDonkey is used.
-
-This activity may not only use bandwidth but may also be used to transfer
-company confidential information to unauthorized hosts external to the
-protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using an eDonkey p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2587.txt snort-2.9.2/doc/signatures/2587.txt
--- snort-2.9.0.1/doc/signatures/2587.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2587.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-2587
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected.
-This may be against corporate policy. p2p clients connect to other p2p
-clients to share files, commonly music and video files but can be configured
-to share any file on the local machine. In particular this event is
-generated when the p2p client eDonkey is used.
-
-This activity may not only use bandwidth but may also be used to transfer
-company confidential information to unauthorized hosts external to the
-protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using an eDonkey p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2588.txt snort-2.9.2/doc/signatures/2588.txt
--- snort-2.9.0.1/doc/signatures/2588.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2588.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2588 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the PHP web application TUTOS. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the PHP web application TUTOS. The PHP application -TUTOS is vulnerable to a path disclosure bug which may allow an attacker -to gain information that can be used in further attacks against the -system. - -The vulnerability surrounds the file note_overview.php, by manipulating -input to the file an attacker may be presented with sensitive -information regarding the system. - --- -Affected Systems: - All systems using TUTOS. - --- -Attack Scenarios: -An attacker can leverage this vulnerability to gain information that may -be useful in further attacks against the system. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Check the host logfiles and application logs for signs of compromise. - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2589.txt snort-2.9.2/doc/signatures/2589.txt --- snort-2.9.0.1/doc/signatures/2589.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2589.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,93 +0,0 @@ -Rule: - --- -Sid: -2589 - --- -Summary: -This event is generated when an attempt is made to return to -a web client a file in the Content-Disposition Header with a -Class ID (CLSID) embedded in the file name. - --- -Impact: -A successful attack may trick a client on a vulnerable host to download -a malicious file that will be executed by the Windows Shell. - --- -Detailed Information: -Internet Explorer does not correctly handle or display specially -crafted files in the browser dialogue where the user choses the -action (e.g., open, save, cancel) for a downloaded file. -Specifically, these are overly long file names that employ URL -encoding of "." %2E before the file extension and contain the -Class ID (CLSID) associated with the Windows Shell in the file name. - -This serves two purposes; the first is that the file name will -be truncated in the user dialog so the user doesn't see the -CLSID reference, making it appear to be a more innocuous file -with a known extension such as mpg or pdf. Second, the downloaded -file will actually contain malcious commands that will be -executed by the Windows Shell when opened because of the hidden -CLSID in the file name. - -Currently, the only known CLSID that exploits this vulnerability -is associated with the Windows Shell. Yet, it may be possible -for another CLSID to be discovered in the future that would be -associated with a COM component that could be used for malicious -purposes. 
- --- -Affected Systems: - Windows NT Workstation/Server 4.0 SP6a - Windows NT Workstation/Server 4.0 SP6a with Active Desktop - Windows NT Server 4.0 Terminal Server Edition SP6 - Windows 2000 SP2-SP4 - Windows XP and XP SP1 - Windows XP 64-Bit Edition SP1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition - --- -Attack Scenarios: -An attacker can entice a user to visit a web server that -will return a malicious file with a file name that contains -a CLSID, perhaps enabling the execution of the malicious -code when the file is opened. - --- -Ease of Attack: -Simple. Exploit code is publicly available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0420 - -Bugtraq: -http://www.securityfocus.com/bid/9510 - -Other: -http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx - --- diff -Nru snort-2.9.0.1/doc/signatures/258.txt snort-2.9.2/doc/signatures/258.txt --- snort-2.9.0.1/doc/signatures/258.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/258.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -258 - --- -Summary: -This event is generated when an exploit that targets vulnerabilities in -BIND 8.2 and 8.2.1 ("ADM named exploit 8.2/8.2.1") is executed against a -local DNS server. - --- -Impact: -Severe. Remote code execution with the privileges of the BIND DNS daemon -(named). - --- -Detailed Information: -BIND is DNS server software shipped with a number of UNIX and -Linux-based operating systems. Attackers can exploit multiple -vulnerabilities in BIND versions between 8.2 and 8.2.1 to obtain remote -shell access. This enables the attacker to execute arbitrary code from -the command shell with the security privileges of the BIND DNS daemon -(named). If named is running as root, the attacker automatically obtains -root privileges to the system. - --- -Affected Systems: -Any operating system running BIND implementations below 8.2.2. - --- -Attack Scenarios: -An attacker executes an exploit script against a vulnerable server, -obtaining shell access to the compromised machine. If named is running -as root, the attacker automatically obtains root privileges on the -server. Otherwise, the attacker can execute arbitrary code with the -privileges of named, which can lead to remote root compromise. - --- -Ease of Attack: -Simple. An exploit exists. - --- -False Positives: -None known - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to BIND 8.2.2 or higher. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak (judy.novak@sourcefire.com) -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2590.txt snort-2.9.2/doc/signatures/2590.txt --- snort-2.9.0.1/doc/signatures/2590.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2590.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2590 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2591.txt snort-2.9.2/doc/signatures/2591.txt --- snort-2.9.0.1/doc/signatures/2591.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2591.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2591 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2592.txt snort-2.9.2/doc/signatures/2592.txt --- snort-2.9.0.1/doc/signatures/2592.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2592.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2592 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2593.txt snort-2.9.2/doc/signatures/2593.txt --- snort-2.9.0.1/doc/signatures/2593.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2593.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2593 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2594.txt snort-2.9.2/doc/signatures/2594.txt --- snort-2.9.0.1/doc/signatures/2594.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2594.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2594 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2595.txt snort-2.9.2/doc/signatures/2595.txt --- snort-2.9.0.1/doc/signatures/2595.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2595.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2595 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2596.txt snort-2.9.2/doc/signatures/2596.txt --- snort-2.9.0.1/doc/signatures/2596.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2596.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - - --- -Sid: -2596 - - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the Mail Transfer Agent Exim. - --- -Impact: -A successful attack may allow the execution of arbitrary code on a vulnerable -server with the privilege of the process running Exim. - --- -Detailed Information: -Exim is vulnerable to a buffer overflow, permitting an attacker to execute -arbitrary code. The vulnerability may be exploited if Exim is configured to -verify header syntax in the e-mail message body. This is not the default -configuration. If an attacker supplies a large number of spaces after certain -header fields, it may be possible to cause a buffer overflow. - --- -Affected Systems: -Exim prior to version 4.34 - --- -Attack Scenarios: -An attacker can create and send mail with a malformed header, -possibly causing a buffer overflow and permitting the execution of arbitrary code. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Bugtraq: -http://www.securityfocus.com/bid/10291 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400 - -Other: -http://www.guninski.com/exim1.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2597.txt snort-2.9.2/doc/signatures/2597.txt --- snort-2.9.0.1/doc/signatures/2597.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2597.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2597 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in the Samba Web Administration Tool (SWAT). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in SWAT that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in the functions that handle base64 decoding -during HTTP basic authentication. Exploitation of this vulnerability -may present the attacker with the opportunity to gain control of the -affected system. - --- -Affected Systems: - Versions of Samba greater than or equal to 3.0.2 and - less than 3.0.5 - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the SWAT -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600 - -Bugtraq: -http://www.securityfocus.com/bid/10780 - --- diff -Nru snort-2.9.0.1/doc/signatures/2598.txt snort-2.9.2/doc/signatures/2598.txt --- snort-2.9.0.1/doc/signatures/2598.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2598.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2598 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overrun condition in the Samba Web Administration Tool (SWAT). - --- -Impact: -Remote execution of arbitrary code. - --- -Detailed Information: -A vulnerability exists in SWAT that may present an attacker with the -opportunity to execute code of their choosing on an affected host. - -The problem lies in an the functions that handle base64 decoding -during HTTP basic authentication. Exploitation of this vulnerability -may present the attacker with the opportunity to gain control of the -affected system. - --- -Affected Systems: - Versions of Samba greater than or equal to 3.0.2 and - less than 3.0.5 - --- -Attack Scenarios: -An attcker needs to make a specially crafted request to the SWAT -service that could contain harmful code to gain further access to the -system. - --- -Ease of Attack: -Simple - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600 - -Bugtraq: -http://www.securityfocus.com/bid/10780 - --- diff -Nru snort-2.9.0.1/doc/signatures/2599.txt snort-2.9.2/doc/signatures/2599.txt --- snort-2.9.0.1/doc/signatures/2599.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2599.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2599 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "add_grouped_column" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by long strings in some parameters for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to either the "sname" or -"oname" variables to cause the overflow. The result could -permit the attacker to gain escalated privileges and run code of their -choosing. This attack requires an attacker to logon to the database -with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.9.0.1/doc/signatures/259.txt snort-2.9.2/doc/signatures/259.txt --- snort-2.9.0.1/doc/signatures/259.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/259.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -259 - --- -Summary: -This event is generated by an attempted buffer overflow associated with incorrect validation of DNS NXT records. - --- -Impact: -Severe. The DNS server can be compromised allowing the attacker to execute arbitrary commands with the privileges of the user running BIND. - --- -Detailed Information: -Improper validation of DNS NXT records may allow at attacker to perform a buffer overflow. This can allow the attacker to execute arbitrary code with the privileges of the user running BIND. - --- -Affected Systems: -BIND versions 8.2 up to, but not including, 8.2.2. - --- -Attack Scenarios: -An attacker can launch this exploit to gain remote access to the DNS server. - --- -Ease of Attack: -Simple. Code exists to exploit the buffer overflow. - --- -False Positives: -None Known - --- -False Negatives: -This rule examines content based on the exploit code written by ADM. If the content is changed, the rule may not fire. - --- -Corrective Action: -Upgrade to a version of BIND 8.2.2 or greater, or patch vulnerable versions of BIND. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CERT: -http://www.cert.org/advisories/CA-1999-14.html - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833 - -Bugtraq: -http://www.securityfocus.com/bid/788 - - --- diff -Nru snort-2.9.0.1/doc/signatures/2600.txt snort-2.9.2/doc/signatures/2600.txt --- snort-2.9.0.1/doc/signatures/2600.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2600.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2600 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "add_grouped_column" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by long strings in some parameters for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to either the "sname" or -"oname" variables to cause the overflow. The result could -permit the attacker to gain escalated privileges and run code of their -choosing. This attack requires an attacker to logon to the database -with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2601.txt snort-2.9.2/doc/signatures/2601.txt --- snort-2.9.0.1/doc/signatures/2601.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2601.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2601 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_master_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck87.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2602.txt snort-2.9.2/doc/signatures/2602.txt --- snort-2.9.0.1/doc/signatures/2602.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2602.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2602 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_master_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck87.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2603.txt snort-2.9.2/doc/signatures/2603.txt --- snort-2.9.0.1/doc/signatures/2603.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2603.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2603 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "create_mview_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "fname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2604.txt snort-2.9.2/doc/signatures/2604.txt --- snort-2.9.0.1/doc/signatures/2604.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2604.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2604 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "create_mview_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "fname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck633.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2605.txt snort-2.9.2/doc/signatures/2605.txt --- snort-2.9.0.1/doc/signatures/2605.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2605.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2605
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "compare_old_value" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "sname" or
-"oname" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the database
-with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck91.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2606.txt snort-2.9.2/doc/signatures/2606.txt
--- snort-2.9.0.1/doc/signatures/2606.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2606.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2606
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "comment_on_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "type" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck634.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2607.txt snort-2.9.2/doc/signatures/2607.txt
--- snort-2.9.0.1/doc/signatures/2607.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2607.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2607
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "comment_on_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "type" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck634.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2608.txt snort-2.9.2/doc/signatures/2608.txt
--- snort-2.9.0.1/doc/signatures/2608.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2608.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2608
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "check_ddl_text" procedure contains a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the second variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2609.txt snort-2.9.2/doc/signatures/2609.txt
--- snort-2.9.0.1/doc/signatures/2609.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2609.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2609
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "cancel_statistics" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "sname" or
-"oname" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the database
-with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck633.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/260.txt snort-2.9.2/doc/signatures/260.txt
--- snort-2.9.0.1/doc/signatures/260.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/260.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-261
-
---
-Summary:
-This event is generated by an attempted buffer overflow associated with improperly formatted DNS inverse queries.
-
---
-Impact:
-Severe. The DNS server can be compromised allowing the attacker access at the privilege level at which BIND runs.
-
---
-Detailed Information:
-Certain versions of BIND do no perform correct bounds checking when responding to an inverse query. A maliciously formatted inverse query can cause the DNS server to crash and allow remote access with the privileges of the user running BIND. Inverse queries are disabled by default; this attack can affect DNS servers that have been configured to enable them.
-
---
-Affected Systems:
-BIND 4.9 releases prior to 4.9.7 and BIND 8 releases prior to 8.1.2.
-
---
-Attack Scenarios:
-An attacker can launch this exploit to gain remote access to the DNS server.
-
---
-Ease of Attack:
-Simple. Code exists to exploit the buffer overflow.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to a version of BIND that is not vulnerable to this attack.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-1998-05.html
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2610.txt snort-2.9.2/doc/signatures/2610.txt
--- snort-2.9.0.1/doc/signatures/2610.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2610.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2610
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "cancel_statistics" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "sname" or
-"oname" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the database
-with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck633.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2611.txt snort-2.9.2/doc/signatures/2611.txt
--- snort-2.9.0.1/doc/signatures/2611.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2611.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-2611
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-
-An attacker can create a database link and supply it an overly
-long string to the "USING" parameter of the "CREATE DATABASE LINK"
-command. This long value is stored for later use. When subsequently
-accessed via the link, a buffer overflow can occur.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i and earlier
-
---
-Attack Scenarios:
-An attacker can create a database link and supply it an overly long
-"USING" value. The result could permit the attacker to gain escalated
-privileges and run code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0222
-
-Bugtraq
-http://www.securityfocus.com/bid/7453
-
-Other:
-http://archives.neohapsis.com/archives/bugtraq/2003-04/0360.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2612.txt snort-2.9.2/doc/signatures/2612.txt
--- snort-2.9.0.1/doc/signatures/2612.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2612.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2612
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "revoke_surrogate_repcate" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "userid" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2613.txt snort-2.9.2/doc/signatures/2613.txt
--- snort-2.9.0.1/doc/signatures/2613.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2613.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2613
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "revoke_surrogate_repcate" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "userid" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2614.txt snort-2.9.2/doc/signatures/2614.txt
--- snort-2.9.0.1/doc/signatures/2614.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2614.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2614
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases allow a user to set a time zone for the session.
-The "alter session set time_zone" command contains a programming
-error that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in the parameter for the
-command.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string as the value for this command.
-The result could permit the attacker to gain escalated privileges and
-run code of their choosing. This attack requires an attacker to logon
-to the database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/9587
-
-Other:
-http://www.nextgenss.com/advisories/ora_time_zone.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2615.txt snort-2.9.2/doc/signatures/2615.txt
--- snort-2.9.0.1/doc/signatures/2615.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2615.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2615
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "grant_surrogate_repcate" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "userid" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2616.txt snort-2.9.2/doc/signatures/2616.txt
--- snort-2.9.0.1/doc/signatures/2616.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2616.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2616
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "grant_surrogate_repcate" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "userid" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2617.txt snort-2.9.2/doc/signatures/2617.txt
--- snort-2.9.0.1/doc/signatures/2617.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2617.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2617
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_mview_propagation" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2618.txt snort-2.9.2/doc/signatures/2618.txt
--- snort-2.9.0.1/doc/signatures/2618.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2618.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2618
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_mview_propagation" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2619.txt snort-2.9.2/doc/signatures/2619.txt
--- snort-2.9.0.1/doc/signatures/2619.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2619.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2619
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "type" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck634.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/261.txt snort-2.9.2/doc/signatures/261.txt
--- snort-2.9.0.1/doc/signatures/261.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/261.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-260
-
---
-Summary:
-This event is generated by an attempted buffer overflow associated with incorrect validation of NXT records.
-
---
-Impact:
-Severe. The DNS server can be compromised allowing the attacker access with the privileges of the user running BIND. This attack is sometimes referred to as ADMROCKS because a subdirectory named ADMROCKS is placed in the directory associated with BIND software.
-
---
-Detailed Information:
-Improper validation of DNS NXT records may allow an attacker to perform a buffer overflow. This can allow execution of arbitrary code with the privileges of the user running BIND.
-
---
-Affected Systems:
-BIND versions 8.2 up to, but not including, 8.2.2.
-
---
-Attack Scenarios:
-An attacker can launch this exploit to gain remote access to the DNS server.
-
---
-Ease of Attack:
-Simple. Code exists to exploit the buffer overflow.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to a version of BIND 8.2.2, or greater or patch vulnerable versions of BIND.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-1999-14.html
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0833
-
-Bugtraq:
-http://www.securityfocus.com/bid/788
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2620.txt snort-2.9.2/doc/signatures/2620.txt
--- snort-2.9.0.1/doc/signatures/2620.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2620.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2620
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "alter_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "type" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck634.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2621.txt snort-2.9.2/doc/signatures/2621.txt
--- snort-2.9.0.1/doc/signatures/2621.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2621.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2621
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "register_flavor_change" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the second variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2622.txt snort-2.9.2/doc/signatures/2622.txt
--- snort-2.9.0.1/doc/signatures/2622.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2622.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2622
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "drop_an_object" procedure contains a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the third variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2623.txt snort-2.9.2/doc/signatures/2623.txt
--- snort-2.9.0.1/doc/signatures/2623.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2623.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2623
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "create_snapshot_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the first variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2624.txt snort-2.9.2/doc/signatures/2624.txt
--- snort-2.9.0.1/doc/signatures/2624.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2624.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2624
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "unregister_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2625.txt snort-2.9.2/doc/signatures/2625.txt
--- snort-2.9.0.1/doc/signatures/2625.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2625.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2625
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "unregister_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2626.txt snort-2.9.2/doc/signatures/2626.txt
--- snort-2.9.0.1/doc/signatures/2626.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2626.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2626
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "send_old_value" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by long strings in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to either the "sname" or
-"oname" variables to cause the overflow. The result could
-permit the attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the database
-with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck91.html
-Action:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2627.txt snort-2.9.2/doc/signatures/2627.txt
--- snort-2.9.0.1/doc/signatures/2627.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2627.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2627
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "repcat_import_check" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" or "gname"
-variable to cause the overflow. The result could permit the
-attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the
-database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2628.txt snort-2.9.2/doc/signatures/2628.txt
--- snort-2.9.0.1/doc/signatures/2628.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2628.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2628
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "repcat_import_check" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in some parameters for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" or "gname"
-variable to cause the overflow. The result could permit the
-attacker to gain escalated privileges and run code of their
-choosing. This attack requires an attacker to logon to the
-database with a valid username and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2629.txt snort-2.9.2/doc/signatures/2629.txt
--- snort-2.9.0.1/doc/signatures/2629.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2629.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2629
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "register_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/262.txt snort-2.9.2/doc/signatures/262.txt
--- snort-2.9.0.1/doc/signatures/262.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/262.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-262
-
---
-Summary:
-This event is generated when spurious DNS traffic is detected on the network.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
-
-This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
-
---
-Affected Systems:
-Any DNS server.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Simple to Difficult depending on the DNS implementation.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
-Keep all DNS software up to date and correctly configured.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2630.txt snort-2.9.2/doc/signatures/2630.txt
--- snort-2.9.0.1/doc/signatures/2630.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2630.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2630
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "register_user_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "privilege_type" variable
-to cause the overflow. The result could permit the attacker to gain
-escalated privileges and run code of their choosing. This attack
-requires an attacker to logon to the database with a valid username
-and password combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck94.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2631.txt snort-2.9.2/doc/signatures/2631.txt
--- snort-2.9.0.1/doc/signatures/2631.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2631.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2631
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "refresh_mview_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2632.txt snort-2.9.2/doc/signatures/2632.txt
--- snort-2.9.0.1/doc/signatures/2632.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2632.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-2632
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "refresh_mview_repgroup" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gowner" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck90.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2633.txt snort-2.9.2/doc/signatures/2633.txt
--- snort-2.9.0.1/doc/signatures/2633.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2633.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2633
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "rectifier_diff.differences" and "rectifier_diff.rectify"
-procedures are used to find and resolve inconsistencies between
-two replicated sites. These procedures contain a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "sname1" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2634.txt snort-2.9.2/doc/signatures/2634.txt
--- snort-2.9.0.1/doc/signatures/2634.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2634.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2634
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in useful
-tasks. The "rectifier_diff.differences" and "rectifier_diff.rectify"
-procedures are used to find and resolve inconsistencies between
-two replicated sites. These procedures contain a programming error
-that may allow an attacker to execute a buffer overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "sname1" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck97.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2635.txt snort-2.9.2/doc/signatures/2635.txt
--- snort-2.9.0.1/doc/signatures/2635.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2635.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2635
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in many
-useful tasks. The "offline_snapshot.begin_load" procedure is used for
-offline instantiation of snapshots. This procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2636.txt snort-2.9.2/doc/signatures/2636.txt
--- snort-2.9.0.1/doc/signatures/2636.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2636.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-2636
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in many
-useful tasks. The "offline_snapshot.begin_load" procedure is used for
-offline instantiation of snapshots. This procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck632.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2637.txt snort-2.9.2/doc/signatures/2637.txt
--- snort-2.9.0.1/doc/signatures/2637.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2637.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-2637
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Oracle database implementation.
-
---
-Impact:
-Serious. Execution of arbitrary code may be possible. A Denial of
-Service (DoS) condition may also be caused.
-
---
-Detailed Information:
-Oracle databases may use a built-in procedure to assist in database
-replication. The "drop_master_repobject" procedure contains a
-programming error that may allow an attacker to execute a buffer
-overflow attack.
-
-This overflow is triggered by a long string in a parameter for the
-procedure.
-
-If you are running Oracle on a Windows server, make sure that the
-variable $ORACLE_PORTS is set to a value of "any".
-
---
-Affected Systems:
- Oracle 9i
-
---
-Attack Scenarios:
-An attacker can supply a long string to the "gname" variable to cause
-the overflow. The result could permit the attacker to gain escalated
-privileges and run code of their choosing. This attack requires an
-attacker to logon to the database with a valid username and password
-combination.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Brian Caswell
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-Other:
-http://www.appsecinc.com/Policy/PolicyCheck630.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2638.txt snort-2.9.2/doc/signatures/2638.txt
--- snort-2.9.0.1/doc/signatures/2638.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2638.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -2638 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_master_repobject" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck630.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2639.txt snort-2.9.2/doc/signatures/2639.txt --- snort-2.9.0.1/doc/signatures/2639.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2639.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2639 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_mview_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gowner" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck90.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2640.txt snort-2.9.2/doc/signatures/2640.txt --- snort-2.9.0.1/doc/signatures/2640.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2640.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2640 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_mview_repgroup" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gowner" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck90.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2641.txt snort-2.9.2/doc/signatures/2641.txt --- snort-2.9.0.1/doc/signatures/2641.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2641.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2641 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_site_instantiate" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "refresh_template_name" -variable to cause the overflow. The result could permit the attacker -to gain escalated privileges and run code of their choosing. This -attack requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck629.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2642.txt snort-2.9.2/doc/signatures/2642.txt --- snort-2.9.0.1/doc/signatures/2642.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2642.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2642 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "drop_site_instantiate" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "refresh_template_name" -variable to cause the overflow. The result could permit the attacker -to gain escalated privileges and run code of their choosing. This -attack requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck629.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2643.txt snort-2.9.2/doc/signatures/2643.txt --- snort-2.9.0.1/doc/signatures/2643.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2643.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2643 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "ensure_not_published" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "fname" variable to -cause the overflow. The result could permit the attacker to gain -escalated privileges and run code of their choosing. This attack -requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck96.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2644.txt snort-2.9.2/doc/signatures/2644.txt --- snort-2.9.0.1/doc/signatures/2644.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2644.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -2644 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases have a built-in function "from_tz" that is used to -convert the format of a timestamp. This function contains a programming -error that may allow an attacker to execute a buffer overflow attack. - -This overflow is triggered by a long string in the second parameter -of the function. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string as the value for this command. -The result could permit the attacker to gain escalated privileges and -run code of their choosing. This attack requires an attacker to logon -to the database with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.nextgenss.com/advisories/ora_from_tz.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/2645.txt snort-2.9.2/doc/signatures/2645.txt --- snort-2.9.0.1/doc/signatures/2645.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2645.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2645 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "instantiate_offline" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "refresh_template_name" -variable to cause the overflow. The result could permit the attacker -to gain escalated privileges and run code of their choosing. This -attack requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck630.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2646.txt snort-2.9.2/doc/signatures/2646.txt --- snort-2.9.0.1/doc/signatures/2646.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2646.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2646 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "instantiate_offline" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "refresh_template_name" -variable to cause the overflow. The result could permit the attacker -to gain escalated privileges and run code of their choosing. This -attack requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck630.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2647.txt snort-2.9.2/doc/signatures/2647.txt --- snort-2.9.0.1/doc/signatures/2647.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2647.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2647 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "instantiate_online" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "refresh_template_name" -variable to cause the overflow. The result could permit the attacker -to gain escalated privileges and run code of their choosing. This -attack requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck631.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2648.txt snort-2.9.2/doc/signatures/2648.txt --- snort-2.9.0.1/doc/signatures/2648.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2648.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -2648 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in database -replication. The "instantiate_online" procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "refresh_template_name" -variable to cause the overflow. The result could permit the attacker -to gain escalated privileges and run code of their choosing. This -attack requires an attacker to logon to the database with a valid -username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck631.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2649.txt snort-2.9.2/doc/signatures/2649.txt --- snort-2.9.0.1/doc/signatures/2649.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2649.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -2649 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: - -An attacker can attempt to connect to a database using an overly -long service_name value. This can cause a buffer overflow, allowing -an attacker to execute arbitrary code. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle7, Oracle8, Oracle8i, and Oracle9i - --- -Attack Scenarios: -An attacker can attempt to connect to a database supplying the -service_name an overly long value. The result could permit the -attacker to gain escalated privileges and run code of their -choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - ---Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck52.html - --- diff -Nru snort-2.9.0.1/doc/signatures/264.txt snort-2.9.2/doc/signatures/264.txt --- snort-2.9.0.1/doc/signatures/264.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/264.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -264 - --- -Summary: -This event is generated when spurious DNS traffic is detected on the network. - --- -Impact: -Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host). - --- -Detailed Information: -This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken. - -This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway. - --- -Affected Systems: -Any DNS server. - --- -Attack Scenarios: -An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host. - --- -Ease of Attack: -Simple to Difficult depending on the DNS implementation. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Consider using DNSSEC where appropriate. - -Keep all DNS software up to date and correctly configured. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton -Judy Novak - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2650.txt snort-2.9.2/doc/signatures/2650.txt --- snort-2.9.0.1/doc/signatures/2650.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2650.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2650 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: - -An attacker can attempt to connect to a database using an overly -long user name value. This can cause a buffer overflow, allowing -an attacker to execute arbitrary code. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle8, Oracle8i, and Oracle9i - --- -Attack Scenarios: -An attacker can attempt to connect to a database supplying the -user an overly long value. The result could permit the -attacker to gain escalated privileges and run code of their -choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck62.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2651.txt snort-2.9.2/doc/signatures/2651.txt --- snort-2.9.0.1/doc/signatures/2651.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2651.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -2651 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases have a built-in functions NUMTOYMINTERVAL and -NUMTODSINTERVAL that are used to convert a number to an interval -year to month or interval day to second literal. - -These functions contain a programming error that may allow an -attacker to execute a buffer overflow attack. - -This overflow is triggered by a long string in the second parameter -of the function. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string as a value for this command. -The result could permit the attacker to gain escalated privileges and -run code of their choosing. This attack requires an attacker to logon -to the database with a valid username and password combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/9587 - -Other: -http://www.nextgenss.com/advisories/ora_numtodsinterval.txt -http://www.nextgenss.com/advisories/ora_numtoyminterval.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/2652.txt snort-2.9.2/doc/signatures/2652.txt --- snort-2.9.0.1/doc/signatures/2652.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2652.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -2652 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in many -useful tasks. The "offline_og.begin_load" procedure is used for -offline instantiation of master groups. This procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck632.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2653.txt snort-2.9.2/doc/signatures/2653.txt --- snort-2.9.0.1/doc/signatures/2653.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2653.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -2653 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Oracle database implementation. - --- -Impact: -Serious. Execution of arbitrary code may be possible. A Denial of -Service (DoS) condition may also be caused. - --- -Detailed Information: -Oracle databases may use a built-in procedure to assist in many -useful tasks. The "offline_og.begin_load" procedure is used for -offline instantiation of master groups. This procedure contains a -programming error that may allow an attacker to execute a buffer -overflow attack. - -This overflow is triggered by a long string in a parameter for the -procedure. - -If you are running Oracle on a Windows server, make sure that the -variable $ORACLE_PORTS is set to a value of "any". - --- -Affected Systems: - Oracle 9i - --- -Attack Scenarios: -An attacker can supply a long string to the "gname" variable to cause -the overflow. The result could permit the attacker to gain escalated -privileges and run code of their choosing. This attack requires an -attacker to logon to the database with a valid username and password -combination. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton -Judy Novak - --- -Additional References: - -Other: -http://www.appsecinc.com/Policy/PolicyCheck632.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2654.txt snort-2.9.2/doc/signatures/2654.txt --- snort-2.9.0.1/doc/signatures/2654.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2654.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2654 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the web application PHPNuke. - --- -Impact: -SQL Injection is possible leading to a complete compromise of the data -in the application database. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in the PHPNuke web application running on a server. - -Insufficient checks are made on user input supplied to the script -"viewtopic.php", exploitation of this issue could present an attacker -with the opportunity to inject SQL code of their choosing into a -vulnerable system. - --- -Affected Systems: - PHPNuke 6.0 - PHPNuke 6.5 RC2 - --- -Attack Scenarios: -An attacker can supply code of their choice by including it in the -URI that calls on viewtopic.php. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - -Consider reviewing the database permissions for the application. - --- -Contributors: -Sourcefire Research Team -Ricky MacAtee -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2655.txt snort-2.9.2/doc/signatures/2655.txt --- snort-2.9.0.1/doc/signatures/2655.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2655.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -2655 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with an HP WebJetAdmin web server. - --- -Impact: -A successful attack may allow the execution of arbitrary code as root on UNIX -and SYSTEM on Windows on a vulnerable server. - --- -Detailed Information: -The HP Web JetAdmin application allows users to manage HP JetDirect-connected -printers within their intranet using a browser. The httpd core supports an -exported function called ExecuteFile. A vulnerability exists that allows the -uploading and execution of unauthorized files by posting a malicious http -request with the script /plugins/framework/script/content.hts in conjunction -with ExecuteFile function to the web server. Discovery of the vulnerability is -credited to FX of Phenoelit. - --- -Affected Systems: - HP Web JetAdmin 6.5. - --- -Attack Scenarios: -An attacker can create upload and execute a malicious file on a vulnerable server. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -The default HP Web JetAdmin port is 8000. If an administrator selects a -different port on which to run the web server, no event will be -generated. In that case, the rule should be altered to reflect the -port on which the web server runs. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Thomas Alex -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Phenoelit: -http://www.phenoelit.de/stuff/HP_Web_Jetadmin_advisory.txt> - -Hewlett-Packard: -http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBPI01026 - --- diff -Nru snort-2.9.0.1/doc/signatures/2656.txt snort-2.9.2/doc/signatures/2656.txt --- snort-2.9.0.1/doc/signatures/2656.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2656.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2656 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with Netscape Network Security Services (NSS) message parsing. - --- -Impact: -A successful attack can cause a heap overflow and the subsequent execution -of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way NSS parses a client connect SSLv2 message -that can cause a heap overflow and the subsequent execution of arbitrary code -on a vulnerable server. This can occur when an overly long challenge length -and accompanying data are supplied in a Client Hello message. - --- -Affected Systems: -Netscape Enterprise Webserver all versions -Netscape Personalization Engine all versions -Nescape Directory Server all versions -Netscape Certificate Management Server all versions -Sun One/iPlanet all versions - --- -Attack Scenarios: -An attacker can send a Client Hello message with an overly long challenge -length and data, causing a heap overflow on a vulnerable server. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Judy Novak -Brian Caswell - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2657.txt snort-2.9.2/doc/signatures/2657.txt --- snort-2.9.0.1/doc/signatures/2657.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2657.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -2657 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with Netscape Network Security Services (NSS) message parsing. - --- -Impact: -A successful attack can cause a heap overflow and the subsequent execution -of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way NSS parses a client connect SSLv2 message -that can cause a heap overflow and the subsequent execution of arbitrary code -on a vulnerable server. This can occur when an overly long challenge length -and accompanying data are supplied in a Client Hello message. - --- -Affected Systems: -Netscape Enterprise Webserver all versions -Netscape Personalization Engine all versions -Nescape Directory Server all versions -Netscape Certificate Management Server all versions -Sun One/iPlanet all versions - --- -Attack Scenarios: -An attacker can send a Client Hello message with an overly long challenge -length and data, causing a heap overflow on a vulnerable server. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None known. - --- -False Negatives:None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Judy Novak -Brian Caswell - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2658.txt snort-2.9.2/doc/signatures/2658.txt --- snort-2.9.0.1/doc/signatures/2658.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2658.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -2658 - --- -Summary: -This rule is intended to increase the accuracy of rules designed to -generate events based on attempts to exploit implementations of Secure -Socket Layer (SSL) version 2. - --- -Impact: -None. This is a protocol decode rule that does not generate events. - --- -Detailed Information: -This is a protocol decode rule that does not generate events. - --- -Affected Systems: -NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2659.txt snort-2.9.2/doc/signatures/2659.txt --- snort-2.9.0.1/doc/signatures/2659.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2659.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -2659 - --- -Summary: -This rule is intended to increase the accuracy of rules designed to -generate events based on attempts to exploit implementations of Secure -Socket Layer (SSL) version 2. - --- -Impact: -None. This is a protocol decode rule that does not generate events. - --- -Detailed Information: -This is a protocol decode rule that does not generate events. - --- -Affected Systems: -NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/265.txt snort-2.9.2/doc/signatures/265.txt --- snort-2.9.0.1/doc/signatures/265.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/265.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -265 - --- -Summary: -This event is generated when spurious DNS traffic is detected on the network. - --- -Impact: -Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host). - --- -Detailed Information: -This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken. - -This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway. - --- -Affected Systems: -Any DNS server. - --- -Attack Scenarios: -An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host. - --- -Ease of Attack: -Simple to Difficult depending on the DNS implementation. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Consider using DNSSEC where appropriate. - -Keep all DNS software up to date and correctly configured. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton -Judy Novak - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2660.txt snort-2.9.2/doc/signatures/2660.txt --- snort-2.9.0.1/doc/signatures/2660.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2660.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -2660 - --- -Summary: -This rule is intended to increase the accuracy of rules designed to -generate events based on attempts to exploit implementations of Secure -Socket Layer (SSL) version 2. - --- -Impact: -None. This is a protocol decode rule that does not generate events. - --- -Detailed Information: -This is a protocol decode rule that does not generate events. - --- -Affected Systems: -NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2661.txt snort-2.9.2/doc/signatures/2661.txt --- snort-2.9.0.1/doc/signatures/2661.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2661.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -2661 - --- -Summary: -This rule is intended to increase the accuracy of rules designed to -generate events based on attempts to exploit implementations of Secure -Socket Layer (SSL) version 2. - --- -Impact: -None. This is a protocol decode rule that does not generate events. - --- -Detailed Information: -This is a protocol decode rule that does not generate events. - --- -Affected Systems: -NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2662.txt snort-2.9.2/doc/signatures/2662.txt --- snort-2.9.0.1/doc/signatures/2662.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2662.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -2662 - --- -Summary: -This rule is intended to increase the accuracy of rules designed to -generate events based on attempts to exploit implementations of Secure -Socket Layer (SSL) version 2. - --- -Impact: -None. This is a protocol decode rule that does not generate events. - --- -Detailed Information: -This is a protocol decode rule that does not generate events. - --- -Affected Systems: -NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2663.txt snort-2.9.2/doc/signatures/2663.txt --- snort-2.9.0.1/doc/signatures/2663.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2663.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2663 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability -associated with the web server of WhatsUp Gold. - --- -Impact: -A successful attack can cause a denial of service or a buffer overflow and -the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -WhatsUp Gold is a Windows application that can be used to monitor the status -of a network and the availability and performance of servers. A vulnerability -exists in the web server component of WhatsUp Gold that can cause a denial of -service or buffer overflow and the subsequent execution of arbitrary code on a -vulnerable server. This can occur when an overly long value is passed to the -parameter "instancename" when invoking the _maincfgret CGI. It should be noted -that the web server is not enabled by default in WhatsUp Gold. - --- -Affected Systems: -WhatsUp Gold 8.x. - --- -Attack Scenarios: -An attacker can connect to a web-enabled WhatsUp Gold server and send -an overly long value to the "instancename" when calling _maincfgret, -possibly causing a denial of service or buffer overflow. - --- -Ease of Attack: -Denial of service - simple, buffer overflow - harder. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak -Brian Caswell - --- -Additional References - -Other: -http://www.idefense.com/application/poi/display?id=133&type=vulnerabilities - --- diff -Nru snort-2.9.0.1/doc/signatures/2664.txt snort-2.9.2/doc/signatures/2664.txt --- snort-2.9.0.1/doc/signatures/2664.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2664.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2664 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a -format string vulnerability against an IMAP server. - --- -Impact: -Serious. A successful format string attack could result in the -execution of arbitrary code with the same privileges as the user running -the IMAP daemon. - --- -Detailed Information: -Some versions of the Courier IMAP daemon are vulnerable to format string -exploits prior to and during authentication to the IMAP server. A -successful exploit attempt could result in the remote attacker gaining -unauthorized root access to a vulnerable system. - --- -Affected Systems: - Courier IMAP server versions 1.6 though 3.0.2 - --- -Attack Scenarios: -A remote attacker could use a publicly available script to exploit the -vulnerability an gain control of the target host. - --- - -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -This rule may generate an event if the password for a valid user contains -the character "%". - --- -False Negatives: -None known. - --- - -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- - -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Nigel Houghton - --- - -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2665.txt snort-2.9.2/doc/signatures/2665.txt --- snort-2.9.0.1/doc/signatures/2665.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2665.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2665 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a -format string vulnerability against an IMAP server. - --- -Impact: -Serious. A successful format string attack could result in the -execution of arbitrary code with the same privileges as the user running -the IMAP daemon. - --- -Detailed Information: -Some versions of the Courier IMAP daemon are vulnerable to format string -exploits prior to and during authentication to the IMAP server. A -successful exploit attempt could result in the remote attacker gaining -unauthorized root access to a vulnerable system. - --- -Affected Systems: - Courier IMAP server versions 1.6 though 3.0.2 - --- -Attack Scenarios: -A remote attacker could use a publicly available script to exploit the -vulnerability an gain control of the target host. - --- - -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- - -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- - -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Nigel Houghton - --- - -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2666.txt snort-2.9.2/doc/signatures/2666.txt --- snort-2.9.0.1/doc/signatures/2666.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2666.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -2664 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a -format string vulnerability against a POP server. - --- -Impact: -Serious. A successful format string attack could result in the -execution of arbitrary code with the same privileges as the user running -the POP daemon. - --- -Detailed Information: -Some versions of the Courier POP daemon are vulnerable to format string -exploits prior to and during authentication to the POP server. A -successful exploit attempt could result in the remote attacker gaining -unauthorized root access to a vulnerable system. - --- -Affected Systems: - Courier IMAP/POP server versions 1.6 though 3.0.2 - --- -Attack Scenarios: -A remote attacker could use a publicly available script to exploit the -vulnerability an gain control of the target host. - --- - -Ease of Attack: -Simple. Exploit code is available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- - -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- - -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Nigel Houghton - --- - -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2667.txt snort-2.9.2/doc/signatures/2667.txt --- snort-2.9.0.1/doc/signatures/2667.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2667.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -2667 - --- -Summary: -This event is generated when an attempt is made to access the file -ping.asp. - --- -Impact: -Possible Denial of Service (DoS) - --- -Detailed Information: -The script ping.asp allows a user to use the system ping command to send -ICMP echo request messages to a third party from the web server hosting -the script. - -This script does not properly sanitize user input and may be used as a -tool in a DoS attack against that third party server. - --- -Affected Systems: - All systems - --- -Attack Scenarios: -An attacker can supply the address of a target host and pass parameters -to the ping command via the web interface to cause a possible exhaustion -of resources on a target host to cause the DoS condition. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script ping.asp - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - -SecurityFocus mailing list: -http://online.securityfocus.com/archive/82/275088 - --- diff -Nru snort-2.9.0.1/doc/signatures/2668.txt snort-2.9.2/doc/signatures/2668.txt --- snort-2.9.0.1/doc/signatures/2668.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2668.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2668 - --- -Summary: -This event is generated when an attempt is made to access the file -processit.pl. - --- -Impact: -Information Disclosure. - --- -Detailed Information: -The script processit.pl returns envirnoment variables used by the server -hosting the application. This can divulge information valuable to an -attacker that can be used in further attacks against the host. - --- -Affected Systems: - All systems using processit.pl - --- -Attack Scenarios: -An attacker can retrieve environment variables by accessing the script -processit.pl, these can be used in further attacks against the system. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script processit.pl - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2669.txt snort-2.9.2/doc/signatures/2669.txt --- snort-2.9.0.1/doc/signatures/2669.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2669.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2669 - --- -Summary: -This event is generated when an attempt is made to access the file -ibillpm.pl. - --- -Impact: -Possible unauthorized administrative access to the victim host. -Information disclosure. - --- -Detailed Information: -The script ibillpm.pl is used to process billing and payment via a CGI -application over the Internet. - -The application suffers from a weak default password scheme that could -be used by an attacker to take control of a user account and view -billing details. - --- -Affected Systems: - iBill Internet Billing Company Processing Plus - --- -Attack Scenarios: -An attacker can supply the username and default password for a user to -the script to gain control. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script ibillpm.pl - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/266.txt snort-2.9.2/doc/signatures/266.txt --- snort-2.9.0.1/doc/signatures/266.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/266.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -266 - --- -Summary: -This event is generated when spurious DNS traffic is detected on the network. - --- -Impact: -Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host). - --- -Detailed Information: -This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken. - -This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway. - --- -Affected Systems: -Any DNS server. - --- -Attack Scenarios: -An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host. - --- -Ease of Attack: -Simple to Difficult depending on the DNS implementation. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Consider using DNSSEC where appropriate. - -Keep all DNS software up to date and correctly configured. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton -Judy Novak - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2670.txt snort-2.9.2/doc/signatures/2670.txt --- snort-2.9.0.1/doc/signatures/2670.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2670.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -2670 - --- -Summary: -This event is generated when an attempt is made to access the file -pgpmail.pl. - --- -Impact: -Possible unauthorized administrative access to the victim host. - --- -Detailed Information: -The script pgpmail.pl does not properly sanitize user supplied input. -This may allow an attacker to supply commands of their choosing to the -victim host with the privileges of the user running the web server. - --- -Affected Systems: - pgpmail prior to and including 3.6 - --- -Attack Scenarios: -An attacker can supply arbitrary commands to the pgpmail.pl script. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script pgpmail.pl - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2671.txt snort-2.9.2/doc/signatures/2671.txt --- snort-2.9.0.1/doc/signatures/2671.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2671.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2671 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft Internet Explorer. - --- -Impact: -A successful attack can cause a buffer overflow and present the attacker -with the opportunity to execute code of their choosing on a vulnerable -system. - --- -Detailed Information: -An error in the processing of bitmap images exists in Internet Explorer -that can present an attacker with the opportunity to execute code of -their choosing on a vulnerable system. - -The error exists due to poor boundary checking in the processing of -bitmap images. - --- -Affected Systems: - Microsoft Windows using Internet Explorer - --- -Attack Scenarios: -An attacker would need to supply a malformed bitmap image either in a -web page or possibly via HTML email to a victim host. - --- -Ease of Attack: -Simple, exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Matt Watchinski -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx - --- diff -Nru snort-2.9.0.1/doc/signatures/2672.txt snort-2.9.2/doc/signatures/2672.txt --- snort-2.9.0.1/doc/signatures/2672.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2672.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -2672 - --- -Summary: -This event is generated when an attempt is made to access the file -sresult.exe. - --- -Impact: -Possible cross site scripting. - --- -Detailed Information: -The executable file sresult.exe does not properly sanitize user input, -as a result it may be possible for an attacker to leverage the binary in -a cross site scripting attack. - --- -Affected Systems: - Webcam Corp Webcam Watchdog 4.0.1 a - --- -Attack Scenarios: -An attacker can leverage the sresult.exe binary in a cross site -scripting attack. - --- -Ease of Attack: -Simple - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Uninstall the script sresult.exe - -Only allow usage from authenticated users - --- -Contributors: -Sourcefire Vulnerability Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/2673.txt snort-2.9.2/doc/signatures/2673.txt --- snort-2.9.0.1/doc/signatures/2673.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2673.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,89 +0,0 @@ -Rule: - --- -Sid: -2673 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the processing of a Portable Network Graphics (PNG) file by -libpng. - --- -Impact: -A successful attack may cause a buffer overflow and the subsequent execution -of arbitrary code on a vulnerable client host. - --- -Detailed Information: -A vulnerability exists in the way libpng handles the transparency chunk of -a PNG file, enabling a buffer overflow and the subsequent execution of -arbitrary code on a vulnerable client. A PNG datastream consists of a PNG -marker followed by a sequence of chunks that have a specific format and -function. - -When libpng processes a PNG datastream, it expects to find chunk types -in a particular order. For an image with palette color type, the PLTE -(palette) chunk must precede a tRNS (transparency) chunk. If it does not, -an error is generated, but decoding continues. Due to a logic error, -the length associated with the tRNS chunk is not properly validated. A -length of greater than 256 bytes can cause a buffer overflow and the -subsequent execution of arbitrary code when the PNG image is processed. - --- -Affected Systems: -Hosts running libpng 1.2.5 and prior -Hosts running libpng 1.0.15 and prior - --- -Attack Scenarios: -An attacker can create a malformed PNG file on a web server, entice a user -to download it, possibly causing a buffer overflow on a vulnerable client. - --- -Ease of Attack: -Simple. Exploit code exists. - --- -False Positives: -A false positive may be generated if both the PLTE and tRNS chunks of the PNG -datastream are not found in the first 300 bytes of the returned packet. The -flow_depth parameter of http_inspect can be configured to increase the default -size of the returned packet. It should be noted that altering this from the -default value of 300 bytes may slow performance depending on the type and volume -of traffic found on your network. 
- --- -False Negatives: -An alert may not be generated if PLTE and tRNS chunks of the PNG datastream are -not found in the first 300 bytes of the returned packet. The flow_depth -parameter of http_inspect can be configured to increase the default size of the -returned packet. It should be noted that altering this from the default value -of 300 bytes may slow performance depending on the type and volume of traffic -found on your network. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Joe Stewart -Judy Novak -Brian Caswell - --- -Additional References - -CVE: -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 - -Bugtraq: -http://www.securityfocus.com/bid/10872 - -Other: -http://scary.beasts.org/security/CESA-2004-001.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/2674.txt snort-2.9.2/doc/signatures/2674.txt --- snort-2.9.0.1/doc/signatures/2674.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2674.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2674 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_delete_resolution -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2675.txt snort-2.9.2/doc/signatures/2675.txt --- snort-2.9.0.1/doc/signatures/2675.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2675.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2675
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure instantiate_offline
-. This procedure is included in
-dbms_repcat_rgt.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2676.txt snort-2.9.2/doc/signatures/2676.txt
--- snort-2.9.0.1/doc/signatures/2676.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2676.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2676
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_instantiation
-. This procedure is included in
-dbms_repcat_rgt.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2677.txt snort-2.9.2/doc/signatures/2677.txt
--- snort-2.9.0.1/doc/signatures/2677.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2677.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2677
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure instantiate_online
-. This procedure is included in
-dbms_repcat_rgt.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2678.txt snort-2.9.2/doc/signatures/2678.txt
--- snort-2.9.0.1/doc/signatures/2678.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2678.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2678
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure start_log
-. This procedure is included in
-ctx_output.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2679.txt snort-2.9.2/doc/signatures/2679.txt
--- snort-2.9.0.1/doc/signatures/2679.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2679.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2679
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure ksdwrt
-. This procedure is included in
-sys.dbms_system.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/267.txt snort-2.9.2/doc/signatures/267.txt
--- snort-2.9.0.1/doc/signatures/267.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/267.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-267
-
---
-Summary:
-This event is generated when spurious DNS traffic is detected on the network.
-
---
-Impact:
-Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
-
---
-Detailed Information:
-This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
-
-This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
-
---
-Affected Systems:
-Any DNS server.
-
---
-Attack Scenarios:
-An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
-
---
-Ease of Attack:
-Simple to Difficult depending on the DNS implementation.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using DNSSEC where appropriate.
-
-Keep all DNS software up to date and correctly configured.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2680.txt snort-2.9.2/doc/signatures/2680.txt
--- snort-2.9.0.1/doc/signatures/2680.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2680.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2680
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure subindexpopulate
-. This procedure is included in
-ctxsys.driddlr.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2681.txt snort-2.9.2/doc/signatures/2681.txt
--- snort-2.9.0.1/doc/signatures/2681.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2681.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2681
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure sdo_code_size
-. This procedure is included in
-mdsys.sdo_admin.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2682.txt snort-2.9.2/doc/signatures/2682.txt
--- snort-2.9.0.1/doc/signatures/2682.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2682.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2682
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_geom
-. This procedure is included in
-mdsys.md2.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2683.txt snort-2.9.2/doc/signatures/2683.txt
--- snort-2.9.0.1/doc/signatures/2683.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2683.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2683
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure sdo_code_size
-. This procedure is included in
-mdsys.md2.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2684.txt snort-2.9.2/doc/signatures/2684.txt
--- snort-2.9.0.1/doc/signatures/2684.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2684.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2684
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure pushdeferredtxns
-. This procedure is included in
-sys.ltutil.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2685.txt snort-2.9.2/doc/signatures/2685.txt
--- snort-2.9.0.1/doc/signatures/2685.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2685.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2685
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_column
-. This procedure is included in
-sys.dbms_repcat_rq.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2686.txt snort-2.9.2/doc/signatures/2686.txt
--- snort-2.9.0.1/doc/signatures/2686.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2686.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2686
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure differences
-. This procedure is included in
-sys.dbms_rectifier_diff.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2687.txt snort-2.9.2/doc/signatures/2687.txt
--- snort-2.9.0.1/doc/signatures/2687.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2687.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2687
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate
-. This procedure is included in
-sys.dbms_internal_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2688.txt snort-2.9.2/doc/signatures/2688.txt
--- snort-2.9.0.1/doc/signatures/2688.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2688.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2688
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure enable_receiver_trace
-. This procedure is included in
-sys.dbms_internal_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2689.txt snort-2.9.2/doc/signatures/2689.txt
--- snort-2.9.0.1/doc/signatures/2689.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2689.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2689
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure disable_receiver_trace
-. This procedure is included in
-sys.dbms_internal_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/268.txt snort-2.9.2/doc/signatures/268.txt
--- snort-2.9.0.1/doc/signatures/268.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/268.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-268
-
---
-Summary:
-This event is generated when a remote attacker attempts to send large, fragmented IP packets to the internal network, indicating a Jolt Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-Jolt is a DoS attack characterized by large, fragmented IP packets that, when launched at a Windows system, can hang or crash the computer.
-
---
-Affected Systems:
-Windows 95
-Windows 98
-Windows NT
-Windows 2000
-
---
-Attack Scenarios:
-An attacker sends oversized, fragmented IP packets to a target computer. If the computer is running an unpatched version of Windows, it may crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system.
-
-Implement a packet-filtering firewall to block inappropriate traffic to the network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2690.txt snort-2.9.2/doc/signatures/2690.txt
--- snort-2.9.0.1/doc/signatures/2690.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2690.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2690
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure enable_propagation_to_dblink
-. This procedure is included in
-sys.dbms_defer_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2691.txt snort-2.9.2/doc/signatures/2691.txt
--- snort-2.9.0.1/doc/signatures/2691.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2691.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2691
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure parallel_push_recovery
-. This procedure is included in
-sys.dbms_defer_internal_sys.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2692.txt snort-2.9.2/doc/signatures/2692.txt
--- snort-2.9.0.1/doc/signatures/2692.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2692.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2692 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure verify_queue_types -. This procedure is included in -sys.dbms_aqadm_sys. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2693.txt snort-2.9.2/doc/signatures/2693.txt --- snort-2.9.0.1/doc/signatures/2693.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2693.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2693 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure verify_queue_types_no_queue -. This procedure is included in -sys.dbms_aqadm. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2694.txt snort-2.9.2/doc/signatures/2694.txt --- snort-2.9.0.1/doc/signatures/2694.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2694.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2694 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure verify_queue_types_get_nrp -. This procedure is included in -sys.dbms_aqadm. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2695.txt snort-2.9.2/doc/signatures/2695.txt --- snort-2.9.0.1/doc/signatures/2695.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2695.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2695 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure aq_table_defn_update -. This procedure is included in -sys.dbms_aq_import_internal. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2696.txt snort-2.9.2/doc/signatures/2696.txt --- snort-2.9.0.1/doc/signatures/2696.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2696.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2696 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure is_master -. This procedure is included in -sys.dbms_repcat_utl. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2697.txt snort-2.9.2/doc/signatures/2697.txt --- snort-2.9.0.1/doc/signatures/2697.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2697.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2697 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter file. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2698.txt snort-2.9.2/doc/signatures/2698.txt --- snort-2.9.0.1/doc/signatures/2698.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2698.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2698 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure create file. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2699.txt snort-2.9.2/doc/signatures/2699.txt --- snort-2.9.0.1/doc/signatures/2699.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2699.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2699 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure TO_CHAR. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/269.txt snort-2.9.2/doc/signatures/269.txt --- snort-2.9.0.1/doc/signatures/269.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/269.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: --- -Sid: -269 - --- -Summary: -A denial of service attack known as Land has been launched. Some TCP/IP -stacks crash or hang when sent a spoofed TCP SYN packet with the same -source and destination host and the same source and destination port. - --- -Impact: -Denial of service against a target host. - --- -Detailed Information: -The Land denial of service attack attempts to crash or disable a target -host by sending a spoofed TCP SYN packet with an identical source and -destination IP and identical source and destination port. Some target -hosts will crash others will be temporarily disabled. - --- -Affected Systems: - Windows 95 - Windows NT Any unpatched version - SCO CMW+ 3.0 - SCO Open Desktop/Open Server 3.0 - SCO Open Server 5.0 - SCO UnixWare 2.1.0 - Gauntlet 3.2/HP-UX 10.10 and Gauntlet 4.1/HP-UX 10.20 - --- -Attack Scenarios: -A malicious user crafts a packet to cause a Denial of Service against a -target host. - --- -Ease of Attack: -Simple to craft such a packet using any number of packet crafting tools -such as nmap and hping. - - --- -False Positives: -None known. This should have a very low likelihood of false positives. - --- -False Negatives: -The exploit code has an IP identification number and TCP sequence number -of 3868. If a user changes the source code to have a different IP -identification or TCP sequence number, the rule will not fire. - --- -Corrective Action: -Malicious outside attacks can be prevented by configuring your -packet-filtering device to block packets from entering your network that -have source IP's from your network address space. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Judy Novak - --- -Additional References: - -CVE: -CAN-1999-0016 - -CERT: -CA-1997-28 - --- diff -Nru snort-2.9.0.1/doc/signatures/2700.txt snort-2.9.2/doc/signatures/2700.txt --- snort-2.9.0.1/doc/signatures/2700.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2700.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -2700 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure numtoyminterval. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2701.txt snort-2.9.2/doc/signatures/2701.txt --- snort-2.9.0.1/doc/signatures/2701.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2701.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2701 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2702.txt snort-2.9.2/doc/signatures/2702.txt --- snort-2.9.0.1/doc/signatures/2702.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2702.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2702 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2703.txt snort-2.9.2/doc/signatures/2703.txt --- snort-2.9.0.1/doc/signatures/2703.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2703.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2703 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2704.txt snort-2.9.2/doc/signatures/2704.txt --- snort-2.9.0.1/doc/signatures/2704.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2704.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -2704 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - --- -Affected Systems: - Oracle iSQLPlus - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2705.txt snort-2.9.2/doc/signatures/2705.txt --- snort-2.9.0.1/doc/signatures/2705.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2705.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -2705 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft GDI using a malformed JPEG image. - --- - -Impact: -Serious. Execution of arbitrary code is possible. Denial of Service -(DoS), - --- -Detailed Information: -The Microsoft Graphics Device Interface contains a programming error -in the handling of Joint Photographics Experts Group (JPEG) files. This -error may allow an attacker to execute code of their choosing on a -vulnerable system. - -Due to the popularity of jpeg files, and in order to provide accurate -detection for the GDI JPEG vulnerability, sid 2705 may generate false -positive events in certain situations. Since this rule may generate -a number of false positives it is disabled by default. - -In order to avoid potential evasion techniques, http_inspect should be -configured with "flow_depth 0" so that all HTTP server response traffic is -inspected. - -WARNING -Setting flow_depth 0 will cause performance problems in some situations. -WARNING - --- -Affected Systems: - All Microsoft systems including multiple Microsoft products - --- -Attack Scenarios: -An attacker would need to supply a malformed jpeg image to a victim and -have the use attempt to view the file. - --- -Ease of Attack: -Medium. - --- - -False Positives: -False positive events are known to occur with this rule, the incidence -is low but may be an inconvenience in some installations. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2706.txt snort-2.9.2/doc/signatures/2706.txt --- snort-2.9.0.1/doc/signatures/2706.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2706.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -2706 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft GDI using a malformed JPEG image. - -This rule does not generate an event, however, Sid 2707 depends -on this rule to function properly. - --- - -Impact: -Serious. Execution of arbitrary code is possible. Denial of Service -(DoS), - --- -Detailed Information: -The Microsoft Graphics Device Interface contains a programming error -in the handling of Joint Photographics Experts Group (JPEG) files. This -error may allow an attacker to execute code of their choosing on a -vulnerable system. - -Due to the popularity of jpeg files, and in order to provide accurate -detection for the GDI JPEG vulnerability, sid 2705 may generate false -positive events in certain situations. Since this rule may generate -a number of false positives it is disabled by default. - -In order to avoid potential evasion techniques, http_inspect should be -configured with "flow_depth 0" so that all HTTP server response traffic is -inspected. - -WARNING -Setting flow_depth 0 will cause performance problems in some situations. -WARNING - --- -Affected Systems: - All Microsoft systems including multiple Microsoft products - --- -Attack Scenarios: -An attacker would need to supply a malformed jpeg image to a victim and -have the use attempt to view the file. - --- -Ease of Attack: -Medium. - --- - -False Positives: -False positive events are known to occur with this rule, the incidence -is low but may be an inconvenience in some installations. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. 
- --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2707.txt snort-2.9.2/doc/signatures/2707.txt --- snort-2.9.0.1/doc/signatures/2707.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2707.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: -2707 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft GDI using a malformed JPEG image. - --- - -Impact: -Serious. Execution of arbitrary code is possible. Denial of Service -(DoS), - --- -Detailed Information: -The Microsoft Graphics Device Interface contains a programming error -in the handling of Joint Photographics Experts Group (JPEG) files. This -error may allow an attacker to execute code of their choosing on a -vulnerable system. - -Due to the popularity of jpeg files, and in order to provide accurate -detection for the GDI JPEG vulnerability, sid 2705 may generate false -positive events in certain situations. Since this rule may generate -a number of false positives it is disabled by default. - -In order to avoid potential evasion techniques, http_inspect should be -configured with "flow_depth 0" so that all HTTP server response traffic is -inspected. - -WARNING -Setting flow_depth 0 will cause performance problems in some situations. -WARNING - --- -Affected Systems: - All Microsoft systems including multiple Microsoft products - --- -Attack Scenarios: -An attacker would need to supply a malformed jpeg image to a victim and -have the use attempt to view the file. - --- -Ease of Attack: -Medium. - --- - -False Positives: -False positive events are known to occur with this rule, the incidence -is low but may be an inconvenience in some installations. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2708.txt snort-2.9.2/doc/signatures/2708.txt --- snort-2.9.0.1/doc/signatures/2708.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2708.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2708 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure begin_flavor_change -. This procedure is included in -dbms_offline_og. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2709.txt snort-2.9.2/doc/signatures/2709.txt --- snort-2.9.0.1/doc/signatures/2709.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2709.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2709
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_instantiation
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/270.txt snort-2.9.2/doc/signatures/270.txt
--- snort-2.9.0.1/doc/signatures/270.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/270.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-270
-
---
-Summary:
-This event is generated when an attempt is made to issue a Teardrop
-Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of Service.
-
---
-Detailed Information:
-Teardrop exploits a vulnerability in some TCP/IP stack implementations.
-
-The program sends a specially crafted fragmented packet where the first
-fragment has offset 0 and data length N and the second fragment has an
-offset less than N (The fragments overlap). The resulting packet cannot
-be properly assembled.
-
-Systems may hang or crash.
-
---
-Affected Systems:
- Windows 95
- Windows NT 4.0 SP3 and earlier
- HP HPUX 10.34 and earlier
- Linux kernels 2.0.31 and earlier
- FreeBSD 3.0 prior to October 27, 1998
-
---
-Attack Scenarios:
-The can be done remotely against any open UDP port using a spoofed
-address.
-
---
-Ease of Attack:
-Simple. Tools are readily available and require little knowledge on the
-part of the attacker.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Patches are available from all affected vendors. Newer versions from
-each vendor are not vulnerable.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/124
-
-CERT:
-http://www.cert.org/advisories/CA-1997-28.html
-
-FreeBSD:
-ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-98:08.fragment.asc
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2710.txt snort-2.9.2/doc/signatures/2710.txt
--- snort-2.9.0.1/doc/signatures/2710.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2710.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2710
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_load
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2711.txt snort-2.9.2/doc/signatures/2711.txt
--- snort-2.9.0.1/doc/signatures/2711.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2711.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2711
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_flavor_change
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2712.txt snort-2.9.2/doc/signatures/2712.txt
--- snort-2.9.0.1/doc/signatures/2712.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2712.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2712
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_instantiation
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2713.txt snort-2.9.2/doc/signatures/2713.txt
--- snort-2.9.0.1/doc/signatures/2713.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2713.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2713
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_load
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2714.txt snort-2.9.2/doc/signatures/2714.txt
--- snort-2.9.0.1/doc/signatures/2714.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2714.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2714
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure resume_subset_of_masters
-. This procedure is included in
-dbms_offline_og.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2715.txt snort-2.9.2/doc/signatures/2715.txt
--- snort-2.9.0.1/doc/signatures/2715.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2715.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2715
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_load
-. This procedure is included in
-dbms_offline_snapshot.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2716.txt snort-2.9.2/doc/signatures/2716.txt
--- snort-2.9.0.1/doc/signatures/2716.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2716.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2716
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure end_load
-. This procedure is included in
-dbms_offline_snapshot.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2717.txt snort-2.9.2/doc/signatures/2717.txt
--- snort-2.9.0.1/doc/signatures/2717.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2717.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2717
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure differences
-. This procedure is included in
-dbms_rectifier_diff.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2718.txt snort-2.9.2/doc/signatures/2718.txt
--- snort-2.9.0.1/doc/signatures/2718.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2718.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2718
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure rectify
-. This procedure is included in
-dbms_rectifier_diff.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2719.txt snort-2.9.2/doc/signatures/2719.txt
--- snort-2.9.0.1/doc/signatures/2719.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2719.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2719
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure abort_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/271.txt snort-2.9.2/doc/signatures/271.txt
--- snort-2.9.0.1/doc/signatures/271.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/271.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
---
-Sid:
-271
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service attack against a host or network by generating traffic between
-your udp echo port and their udp chargen port.
-
---
-Impact:
-Potential Denial of service (DoS) condition for the target host, hosts
-between the target host and the attacker, and more.
-
---
-Detailed Information:
-Traffic was detected between the udp echo port on a host on the
-protected network and the udp chargen (character generator) service.
-Due to the connectionless nature of udp, a single packet from the udp chargen
-service to a listening udp echo service will result in mass quantities
-of traffic back and forth between the two services.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker will find a host that still provides the udp chargen service
-and generate traffic between it and the udp echo service on a machine.
-If proper ingress/egress filtering is not in place, this traffic can be
-trivially spoofed provided the attacker has elevated privledges on the
-attacking/initiating machine (the source port being less than 1024).
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the chargen service unless it is absolutely needed, and apply
-ingress and egress filtering.
-
-Additionally, disable the udp echo service.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2720.txt snort-2.9.2/doc/signatures/2720.txt
--- snort-2.9.0.1/doc/signatures/2720.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2720.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2720
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_column_group_to_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2721.txt snort-2.9.2/doc/signatures/2721.txt
--- snort-2.9.0.1/doc/signatures/2721.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2721.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2721
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_columns_to_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2722.txt snort-2.9.2/doc/signatures/2722.txt
--- snort-2.9.0.1/doc/signatures/2722.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2722.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2722
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_object_to_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2723.txt snort-2.9.2/doc/signatures/2723.txt
--- snort-2.9.0.1/doc/signatures/2723.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2723.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2723
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_char
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2724.txt snort-2.9.2/doc/signatures/2724.txt
--- snort-2.9.0.1/doc/signatures/2724.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2724.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2724
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_date
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2725.txt snort-2.9.2/doc/signatures/2725.txt
--- snort-2.9.0.1/doc/signatures/2725.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2725.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2725
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_nchar
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2726.txt snort-2.9.2/doc/signatures/2726.txt
--- snort-2.9.0.1/doc/signatures/2726.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2726.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2726
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_number
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2727.txt snort-2.9.2/doc/signatures/2727.txt
--- snort-2.9.0.1/doc/signatures/2727.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2727.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2727
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_nvarchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2728.txt snort-2.9.2/doc/signatures/2728.txt
--- snort-2.9.0.1/doc/signatures/2728.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2728.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2728
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_raw
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2729.txt snort-2.9.2/doc/signatures/2729.txt
--- snort-2.9.0.1/doc/signatures/2729.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2729.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2729
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_priority_varchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/272.txt snort-2.9.2/doc/signatures/272.txt
--- snort-2.9.0.1/doc/signatures/272.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/272.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-272
-
---
-Summary:
-This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98 SE
-Microsoft Windows NT 4
-
---
-Attack Scenarios:
-An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
-
-Implement a packet-filtering firewall to block inappropriate traffic to the network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/514
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2730.txt snort-2.9.2/doc/signatures/2730.txt
--- snort-2.9.0.1/doc/signatures/2730.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2730.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2730
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_site_priority_site
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2731.txt snort-2.9.2/doc/signatures/2731.txt
--- snort-2.9.0.1/doc/signatures/2731.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2731.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2731
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_unique_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2732.txt snort-2.9.2/doc/signatures/2732.txt
--- snort-2.9.0.1/doc/signatures/2732.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2732.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2732
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_update_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2733.txt snort-2.9.2/doc/signatures/2733.txt
--- snort-2.9.0.1/doc/signatures/2733.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2733.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2733
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_master_propagation
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2734.txt snort-2.9.2/doc/signatures/2734.txt
--- snort-2.9.0.1/doc/signatures/2734.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2734.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2734
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_mview_propagation
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2735.txt snort-2.9.2/doc/signatures/2735.txt
--- snort-2.9.0.1/doc/signatures/2735.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2735.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2735
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_char
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2736.txt snort-2.9.2/doc/signatures/2736.txt
--- snort-2.9.0.1/doc/signatures/2736.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2736.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2736
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_date
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2737.txt snort-2.9.2/doc/signatures/2737.txt
--- snort-2.9.0.1/doc/signatures/2737.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2737.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2737
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_nchar
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2738.txt snort-2.9.2/doc/signatures/2738.txt
--- snort-2.9.0.1/doc/signatures/2738.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2738.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2738
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_number
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2739.txt snort-2.9.2/doc/signatures/2739.txt
--- snort-2.9.0.1/doc/signatures/2739.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2739.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2739
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_nvarchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/273.txt snort-2.9.2/doc/signatures/273.txt
--- snort-2.9.0.1/doc/signatures/273.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/273.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-273
-
---
-Summary:
-This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98 SE
-Microsoft Windows NT 4
-
---
-Attack Scenarios:
-An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
-
-Implement a packet-filtering firewall to block inappropriate traffic to the network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/514
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2740.txt snort-2.9.2/doc/signatures/2740.txt
--- snort-2.9.0.1/doc/signatures/2740.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2740.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2740
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_raw
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2741.txt snort-2.9.2/doc/signatures/2741.txt
--- snort-2.9.0.1/doc/signatures/2741.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2741.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2741 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2742.txt snort-2.9.2/doc/signatures/2742.txt --- snort-2.9.0.1/doc/signatures/2742.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2742.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2742 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_varchar2 -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2743.txt snort-2.9.2/doc/signatures/2743.txt --- snort-2.9.0.1/doc/signatures/2743.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2743.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2743 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_site_priority_site -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2744.txt snort-2.9.2/doc/signatures/2744.txt --- snort-2.9.0.1/doc/signatures/2744.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2744.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2744 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_site_priority -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2745.txt snort-2.9.2/doc/signatures/2745.txt --- snort-2.9.0.1/doc/signatures/2745.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2745.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2745 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_snapshot_propagation -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2746.txt snort-2.9.2/doc/signatures/2746.txt --- snort-2.9.0.1/doc/signatures/2746.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2746.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2746 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure revoke_surrogate_repcat -. This procedure is included in -dbms_repcat_auth. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2747.txt snort-2.9.2/doc/signatures/2747.txt --- snort-2.9.0.1/doc/signatures/2747.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2747.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2747 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure begin_flavor_definition -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2748.txt snort-2.9.2/doc/signatures/2748.txt --- snort-2.9.0.1/doc/signatures/2748.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2748.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2748 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_column_group -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2749.txt snort-2.9.2/doc/signatures/2749.txt --- snort-2.9.0.1/doc/signatures/2749.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2749.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2749 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_delete_resolution -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/274.txt snort-2.9.2/doc/signatures/274.txt --- snort-2.9.0.1/doc/signatures/274.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/274.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -274 - --- -Summary: -This event is generated when an attempt is made to issue a Denial of Service attack that works against some modems. - --- -Impact: -The system may be disconnected from it's dial-up connection. - --- -Detailed Information: -An ICMP Echo Request is sent to a target system with a payload that -includes "+++ath". The "+++" is an attention sequence that allows a -user to enter commands to the modem. "ath" is the modem hangup command. -An ICMP Echo Reply includes the same payload as the associated request. -On some modems, when the machine tries to reply to this packet, "+++ath" -will be interpreted as a command and the modem will hangup. The remote -address can be spoofed. - --- -Affected Systems: -unknown - --- -Attack Scenarios: -A user can remotely cause a modem to disconnect. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Set a guard time on the modem. Contact the modem manufacturer for -details. A guard time will cause the modem to wait after receiving -"+++". Any further input during this wait, including "ath", will be -disregarded. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS264 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-1999-1228 - -Security Focus: -http://www.securityfocus.com/archive/1/10706 - --- diff -Nru snort-2.9.0.1/doc/signatures/2750.txt snort-2.9.2/doc/signatures/2750.txt --- snort-2.9.0.1/doc/signatures/2750.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2750.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2750 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_mview_repsites -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2751.txt snort-2.9.2/doc/signatures/2751.txt --- snort-2.9.0.1/doc/signatures/2751.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2751.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2751 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_priority_group -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2752.txt snort-2.9.2/doc/signatures/2752.txt --- snort-2.9.0.1/doc/signatures/2752.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2752.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2752 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_repgroup -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2753.txt snort-2.9.2/doc/signatures/2753.txt --- snort-2.9.0.1/doc/signatures/2753.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2753.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2753 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_repsites -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2754.txt snort-2.9.2/doc/signatures/2754.txt --- snort-2.9.0.1/doc/signatures/2754.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2754.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2754 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_site_priority -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2755.txt snort-2.9.2/doc/signatures/2755.txt --- snort-2.9.0.1/doc/signatures/2755.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2755.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2755 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_unique_resolution -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2756.txt snort-2.9.2/doc/signatures/2756.txt --- snort-2.9.0.1/doc/signatures/2756.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2756.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2756 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure comment_on_update_resolution -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2757.txt snort-2.9.2/doc/signatures/2757.txt --- snort-2.9.0.1/doc/signatures/2757.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2757.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2757 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure create_master_repgroup -. This procedure is included in -dbms_repcat. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2758.txt snort-2.9.2/doc/signatures/2758.txt --- snort-2.9.0.1/doc/signatures/2758.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2758.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2758
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2759.txt snort-2.9.2/doc/signatures/2759.txt
--- snort-2.9.0.1/doc/signatures/2759.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2759.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2759
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/275.txt snort-2.9.2/doc/signatures/275.txt
--- snort-2.9.0.1/doc/signatures/275.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/275.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-275
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed TCP packet to an internal server. This may indicate a "NAPTHA" Denial of Service (DoS) attack.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-An attacker can craft a TCP packet that, when transmitted to the target server, maintains the TCP session on the target server in an unresolved state. This consumes system resources and overwhelms the target server, causing the server to stop responding to other network requests. In some cases, this type of attack can crash the target server.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98SE
-Microsoft Windows Millennium
-Windows NT 4.0
-HP-UX 11
-IBM AIX 4.3
-Sun Solaris 7-8
-FreeBSD 4.0-REL
-Redhat Linux 6.1 - 7.0
-Other Linux operating systems based on the Linux 2.0 kernel
-
-
---
-Attack Scenarios:
-An attacker sends a number of malformed TCP packets to a target computer. The computer attempts to maintain all incoming connections, causing it to slow down or stop responding to legitimate network requests.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the latest patches available for your operating system. Patches and workarounds for Microsoft are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-091.asp.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2760.txt snort-2.9.2/doc/signatures/2760.txt
--- snort-2.9.0.1/doc/signatures/2760.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2760.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2760
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2761.txt snort-2.9.2/doc/signatures/2761.txt
--- snort-2.9.0.1/doc/signatures/2761.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2761.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2761
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_priority_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2762.txt snort-2.9.2/doc/signatures/2762.txt
--- snort-2.9.0.1/doc/signatures/2762.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2762.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2762
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_site_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2763.txt snort-2.9.2/doc/signatures/2763.txt
--- snort-2.9.0.1/doc/signatures/2763.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2763.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2763
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure do_deferred_repcat_admin
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2764.txt snort-2.9.2/doc/signatures/2764.txt
--- snort-2.9.0.1/doc/signatures/2764.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2764.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2764
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_column_group_from_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2765.txt snort-2.9.2/doc/signatures/2765.txt
--- snort-2.9.0.1/doc/signatures/2765.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2765.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2765
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2766.txt snort-2.9.2/doc/signatures/2766.txt
--- snort-2.9.0.1/doc/signatures/2766.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2766.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2766
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_columns_from_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2767.txt snort-2.9.2/doc/signatures/2767.txt
--- snort-2.9.0.1/doc/signatures/2767.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2767.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2767
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_delete_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2768.txt snort-2.9.2/doc/signatures/2768.txt
--- snort-2.9.0.1/doc/signatures/2768.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2768.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2768
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_grouped_column
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2769.txt snort-2.9.2/doc/signatures/2769.txt
--- snort-2.9.0.1/doc/signatures/2769.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2769.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2769
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_mview_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/276.txt snort-2.9.2/doc/signatures/276.txt
--- snort-2.9.0.1/doc/signatures/276.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/276.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-276
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed
-request for a page on a RealNetworks RealServer port, which can indicate
-a Denial of Service (DoS) attack on the RealServer.
-
---
-Impact:
-The RealNetworks RealServer service will crash.
-
---
-Detailed Information:
-RealNetworks RealServer is a server application that serves streaming
-audio to clients. When an attacker sends a request for a template file
-in the /viewsource/ directory with an empty variable value, RealServer
-crashes.
-
---
-Affected Systems:
-Systems running RealNetworks RealServer 7.0 with View Source
-functionality enabled.
-
---
-Attack Scenarios:
-An attacker sends an HTTP request for /viewsource/template.html? on a
-RealServer audio server. RealServer crashes, stopping audio
-transmission.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of the software or disable the View Source
-functionality. The vendor has issued an advisory, workarounds, and
-downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-RealNetworks
-http://service.real.com/help/faq/servgviewsrc.html
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2770.txt snort-2.9.2/doc/signatures/2770.txt
--- snort-2.9.0.1/doc/signatures/2770.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2770.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2770
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_object_from_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2771.txt snort-2.9.2/doc/signatures/2771.txt
--- snort-2.9.0.1/doc/signatures/2771.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2771.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2771
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_char
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2772.txt snort-2.9.2/doc/signatures/2772.txt
--- snort-2.9.0.1/doc/signatures/2772.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2772.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2772
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_date
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2773.txt snort-2.9.2/doc/signatures/2773.txt
--- snort-2.9.0.1/doc/signatures/2773.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2773.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2773
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nchar
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2774.txt snort-2.9.2/doc/signatures/2774.txt
--- snort-2.9.0.1/doc/signatures/2774.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2774.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2774
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_number
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2775.txt snort-2.9.2/doc/signatures/2775.txt
--- snort-2.9.0.1/doc/signatures/2775.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2775.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2775
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nvarchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2776.txt snort-2.9.2/doc/signatures/2776.txt
--- snort-2.9.0.1/doc/signatures/2776.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2776.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2776
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_raw
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2777.txt snort-2.9.2/doc/signatures/2777.txt
--- snort-2.9.0.1/doc/signatures/2777.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2777.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2777
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2778.txt snort-2.9.2/doc/signatures/2778.txt
--- snort-2.9.0.1/doc/signatures/2778.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2778.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2778
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_varchar2
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2779.txt snort-2.9.2/doc/signatures/2779.txt
--- snort-2.9.0.1/doc/signatures/2779.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2779.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2779
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority_site
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/277.txt snort-2.9.2/doc/signatures/277.txt
--- snort-2.9.0.1/doc/signatures/277.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/277.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-277
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed request for a page on a RealNetworks RealServer port, which can indicate a Denial of Service (DoS) attack on the RealServer.
-
---
-Impact:
-The RealNetworks RealServer service will crash.
-
---
-Detailed Information:
-RealNetworks RealServer is a server application that serves streaming audio to clients. When an attacker sends a request for a template file in the /viewsource/ directory with an empty variable value, RealServer crashes.
-
---
-Affected Systems:
-Systems running RealNetworks RealServer 7.0 with View Source functionality enabled.
-
---
-Attack Scenarios:
-An attacker sends an HTTP request for /viewsource/template.html? on a RealServer audio server. RealServer crashes, stopping audio transmission.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user attempts to use the View Source function on the RealServer, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of the software or disable the View Source functionality. The vendor has issued an advisory, workarounds, and downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-RealNetworks
-http://service.real.com/help/faq/servgviewsrc.html
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2780.txt snort-2.9.2/doc/signatures/2780.txt
--- snort-2.9.0.1/doc/signatures/2780.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2780.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2780
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2781.txt snort-2.9.2/doc/signatures/2781.txt
--- snort-2.9.0.1/doc/signatures/2781.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2781.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2781
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2782.txt snort-2.9.2/doc/signatures/2782.txt
--- snort-2.9.0.1/doc/signatures/2782.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2782.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2782
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2783.txt snort-2.9.2/doc/signatures/2783.txt
--- snort-2.9.0.1/doc/signatures/2783.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2783.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2783
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_unique_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2784.txt snort-2.9.2/doc/signatures/2784.txt
--- snort-2.9.0.1/doc/signatures/2784.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2784.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2784
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_update_resolution
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2785.txt snort-2.9.2/doc/signatures/2785.txt
--- snort-2.9.0.1/doc/signatures/2785.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2785.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2785
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure execute_ddl
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2786.txt snort-2.9.2/doc/signatures/2786.txt
--- snort-2.9.0.1/doc/signatures/2786.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2786.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2786
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_replication_package
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2787.txt snort-2.9.2/doc/signatures/2787.txt
--- snort-2.9.0.1/doc/signatures/2787.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2787.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2787
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure instantiate_online
-. This procedure is included in
-dbms_repcat_instantiate.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2788.txt snort-2.9.2/doc/signatures/2788.txt
--- snort-2.9.0.1/doc/signatures/2788.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2788.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2788
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure make_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2789.txt snort-2.9.2/doc/signatures/2789.txt
--- snort-2.9.0.1/doc/signatures/2789.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2789.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2789
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure obsolete_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/278.txt snort-2.9.2/doc/signatures/278.txt
--- snort-2.9.0.1/doc/signatures/278.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/278.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-278
-
---
-Summary:
-This event is generated when a remote attacker transmits a malformed request for a page on a web server port, which can indicate a Denial of Service (DoS) attack on a RealNetworks RealServer.
-
---
-Impact:
-The RealNetworks RealServer service will crash.
-
---
-Detailed Information:
-RealNetworks RealServer is a server application that serves streaming audio to clients. When an attacker sends a request for a template file in the /viewsource/ directory with an empty variable value, RealServer crashes.
-
---
-Affected Systems:
-Systems running RealNetworks RealServer 7.0 with View Source functionality enabled.
-
---
-Attack Scenarios:
-An attacker sends an HTTP request for /viewsource/template.html? on a RealServer audio server. RealServer crashes, stopping audio transmission.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user attempts to use the View Source function on RealServer, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of the software or disable the View Source functionality. The vendor has issued an advisory, workarounds, and downloadable patches at http://service.real.com/help/faq/servgviewsrc.html.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-RealNetworks
-http://service.real.com/help/faq/servgviewsrc.html
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2790.txt snort-2.9.2/doc/signatures/2790.txt
--- snort-2.9.0.1/doc/signatures/2790.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2790.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2790
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure publish_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2791.txt snort-2.9.2/doc/signatures/2791.txt
--- snort-2.9.0.1/doc/signatures/2791.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2791.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2791
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2792.txt snort-2.9.2/doc/signatures/2792.txt
--- snort-2.9.0.1/doc/signatures/2792.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2792.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2792
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_master_log
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2793.txt snort-2.9.2/doc/signatures/2793.txt
--- snort-2.9.0.1/doc/signatures/2793.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2793.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2793
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_statistics
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2794.txt snort-2.9.2/doc/signatures/2794.txt
--- snort-2.9.0.1/doc/signatures/2794.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2794.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2794
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_mview_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2795.txt snort-2.9.2/doc/signatures/2795.txt
--- snort-2.9.0.1/doc/signatures/2795.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2795.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2795
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2796.txt snort-2.9.2/doc/signatures/2796.txt
--- snort-2.9.0.1/doc/signatures/2796.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2796.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2796
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_mview_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2797.txt snort-2.9.2/doc/signatures/2797.txt
--- snort-2.9.0.1/doc/signatures/2797.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2797.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2797
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2798.txt snort-2.9.2/doc/signatures/2798.txt
--- snort-2.9.0.1/doc/signatures/2798.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2798.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2798
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_statistics
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2799.txt snort-2.9.2/doc/signatures/2799.txt
--- snort-2.9.0.1/doc/signatures/2799.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2799.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2799
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure relocate_masterdef
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/279.txt snort-2.9.2/doc/signatures/279.txt
--- snort-2.9.0.1/doc/signatures/279.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/279.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-279
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service attack that causes Bay/Nortel Nautical Marlin bridges to crash.
-
---
-Impact:
-Denial of Service. Network traffic can be disrupted.
-
---
-Detailed Information:
-Nautica Marlin bridges will crash if a UDP packet is received on the
-SNMP port (161) which has a data length of 0.
-
---
-Affected Systems:
- Bay/Nortel Nautica Marlin Bridges
-
---
-Attack Scenarios:
-The bridges can be crashed remotely. The offending packet uses UDP
-(which is not connection oriented) and can be easily spoofed.
-
---
-Ease of Attack:
-Simple. Tools are available that can exploit this vulnerability.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block connections to port 161 from unauthorized hosts using firewall or
-router ACLs. The release notes for the only available upgrade for this
-product do not mention this vulnerability. The product has been
-discontinued.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2800.txt snort-2.9.2/doc/signatures/2800.txt
--- snort-2.9.0.1/doc/signatures/2800.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2800.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2800
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure rename_shadow_column_group
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2801.txt snort-2.9.2/doc/signatures/2801.txt
--- snort-2.9.0.1/doc/signatures/2801.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2801.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2801
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure resume_master_activity
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2802.txt snort-2.9.2/doc/signatures/2802.txt
--- snort-2.9.0.1/doc/signatures/2802.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2802.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2802
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure check_ddl_text
-. This procedure is included in
-dbms_repcat_rgt.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2803.txt snort-2.9.2/doc/signatures/2803.txt
--- snort-2.9.0.1/doc/signatures/2803.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2803.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2803
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_instantiation
-. This procedure is included in
-dbms_repcat_rgt.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2804.txt snort-2.9.2/doc/signatures/2804.txt
--- snort-2.9.0.1/doc/signatures/2804.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2804.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2804
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure send_and_compare_old_values
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2805.txt snort-2.9.2/doc/signatures/2805.txt
--- snort-2.9.0.1/doc/signatures/2805.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2805.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2805
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_columns
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2806.txt snort-2.9.2/doc/signatures/2806.txt
--- snort-2.9.0.1/doc/signatures/2806.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2806.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2806
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_local_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2807.txt snort-2.9.2/doc/signatures/2807.txt
--- snort-2.9.0.1/doc/signatures/2807.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2807.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2807
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure specify_new_masters
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2808.txt snort-2.9.2/doc/signatures/2808.txt
--- snort-2.9.0.1/doc/signatures/2808.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2808.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2808
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure suspend_master_activity
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2809.txt snort-2.9.2/doc/signatures/2809.txt
--- snort-2.9.0.1/doc/signatures/2809.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2809.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2809
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_mview_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2810.txt snort-2.9.2/doc/signatures/2810.txt
--- snort-2.9.0.1/doc/signatures/2810.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2810.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2810
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_snapshot_repgroup
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2811.txt snort-2.9.2/doc/signatures/2811.txt
--- snort-2.9.0.1/doc/signatures/2811.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2811.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2811
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_flavor_definition
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2812.txt snort-2.9.2/doc/signatures/2812.txt
--- snort-2.9.0.1/doc/signatures/2812.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2812.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2812
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_for_local_flavor
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2813.txt snort-2.9.2/doc/signatures/2813.txt
--- snort-2.9.0.1/doc/signatures/2813.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2813.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2813
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure abort_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2814.txt snort-2.9.2/doc/signatures/2814.txt
--- snort-2.9.0.1/doc/signatures/2814.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2814.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2814
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_object_to_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2815.txt snort-2.9.2/doc/signatures/2815.txt
--- snort-2.9.0.1/doc/signatures/2815.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2815.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2815
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure begin_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2816.txt snort-2.9.2/doc/signatures/2816.txt
--- snort-2.9.0.1/doc/signatures/2816.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2816.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2816
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_object_from_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2817.txt snort-2.9.2/doc/signatures/2817.txt
--- snort-2.9.0.1/doc/signatures/2817.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2817.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2817
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_column_group_to_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2818.txt snort-2.9.2/doc/signatures/2818.txt
--- snort-2.9.0.1/doc/signatures/2818.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2818.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2818
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure add_columns_to_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2819.txt snort-2.9.2/doc/signatures/2819.txt
--- snort-2.9.0.1/doc/signatures/2819.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2819.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2819
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_column_group_from_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/281.txt snort-2.9.2/doc/signatures/281.txt
--- snort-2.9.0.1/doc/signatures/281.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/281.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-281
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack that causes some Ascend routers to reboot.
-
---
-Impact:
-Denial of Service. Traffic between network segments or between internal
-and external networks can be disrupted.
-
---
-Detailed Information:
-Some Ascend routers run configuration software that is able to locate
-other Ascend routers by broadcasting on UDP port 9 (discard). This port
-is listened on by the Java Configurator tool. A packet with a specially
-crafted payload can cause the routers to reboot.
-
---
-Affected Systems:
- Lucent Ascend MAX Router 5.0 and previous
- Lucent Ascend Pipeline Router 6.0 and previous
- Lucent Ascend Pipeline Router 6.0 and previous
-
-
---
-Attack Scenarios:
-Ascend routers can be forced to reboot remotely without authorization.
-Since the offending packet is UDP (which is not connection oriented),
-the sending address can be easily spoofed.
-
---
-Ease of Attack:
-Simple. An exploit is available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-An upgrade is available from the manufacturer. Filtering traffic to
-port 9 will also prevent this exploit.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS262
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
-
-Bugtraq:
-http://www.securityfocus.com/bid/714
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2820.txt snort-2.9.2/doc/signatures/2820.txt
--- snort-2.9.0.1/doc/signatures/2820.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2820.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2820
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_columns_from_flavor
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2821.txt snort-2.9.2/doc/signatures/2821.txt
--- snort-2.9.0.1/doc/signatures/2821.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2821.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2821
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure obsolete_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2822.txt snort-2.9.2/doc/signatures/2822.txt
--- snort-2.9.0.1/doc/signatures/2822.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2822.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2822
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure publish_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2823.txt snort-2.9.2/doc/signatures/2823.txt
--- snort-2.9.0.1/doc/signatures/2823.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2823.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2823
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2824.txt snort-2.9.2/doc/signatures/2824.txt
--- snort-2.9.0.1/doc/signatures/2824.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2824.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2824
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_local_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2825.txt snort-2.9.2/doc/signatures/2825.txt
--- snort-2.9.0.1/doc/signatures/2825.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2825.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2825
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_flavor_definition
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2826.txt snort-2.9.2/doc/signatures/2826.txt
--- snort-2.9.0.1/doc/signatures/2826.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2826.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2826
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_for_local_flavor
-. This procedure is included in
-sys.dbms_repcat_fla.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2827.txt snort-2.9.2/doc/signatures/2827.txt
--- snort-2.9.0.1/doc/signatures/2827.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2827.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2827
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_master_repobject
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2828.txt snort-2.9.2/doc/signatures/2828.txt
--- snort-2.9.0.1/doc/signatures/2828.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2828.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2828
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_repgroup
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2829.txt snort-2.9.2/doc/signatures/2829.txt
--- snort-2.9.0.1/doc/signatures/2829.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2829.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2829
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_repobject
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/282.txt snort-2.9.2/doc/signatures/282.txt
--- snort-2.9.0.1/doc/signatures/282.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/282.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-
-282
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack against a host running Arkiea backup software.
-
---
-Impact:
-Denial of Service
-
---
-Detailed Information:
-
-Arkiea package is a backup application that is used to manage backups
-for a number of systems. A Denial of Service (DoS) vulnerability
-exists in nlservd program, if fed with large inputs, will cause a
-program to crash.
-
-A vulnerability in the nlservd from the Arkiea backup application allows
-remote users to shut it down by sending it large amounts of input over
-the network.
-
---
-Affected Systems:
-
- Arkeia 4.0
- Arkeia 4.1
-
---
-Attack Scenarios:
-
-An attacker sends a overly large strings to a nlservd daemon, the
-service will crash immediately.
-
---
-Ease of Attack:
-
-Simple.
-
---
-False Positives:
-
-None known
-
---
-False Negatives:
-
-None known
-
---
-Corrective Action:
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule Writer Paul Bobby paul.bobby@lmco.com
-Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/662
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2830.txt snort-2.9.2/doc/signatures/2830.txt
--- snort-2.9.0.1/doc/signatures/2830.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2830.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2830
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repgroup
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2831.txt snort-2.9.2/doc/signatures/2831.txt
--- snort-2.9.0.1/doc/signatures/2831.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2831.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2831
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_master_repobject
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2832.txt snort-2.9.2/doc/signatures/2832.txt
--- snort-2.9.0.1/doc/signatures/2832.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2832.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2832
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure do_deferred_repcat_admin
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2833.txt snort-2.9.2/doc/signatures/2833.txt
--- snort-2.9.0.1/doc/signatures/2833.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2833.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2833
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_master_repgroup
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2834.txt snort-2.9.2/doc/signatures/2834.txt
--- snort-2.9.0.1/doc/signatures/2834.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2834.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2834
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_replication_package
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2835.txt snort-2.9.2/doc/signatures/2835.txt
--- snort-2.9.0.1/doc/signatures/2835.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2835.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2835
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_master_log
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2836.txt snort-2.9.2/doc/signatures/2836.txt
--- snort-2.9.0.1/doc/signatures/2836.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2836.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2836
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure relocate_masterdef
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2837.txt snort-2.9.2/doc/signatures/2837.txt
--- snort-2.9.0.1/doc/signatures/2837.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2837.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2837
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure rename_shadow_column_group
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2838.txt snort-2.9.2/doc/signatures/2838.txt
--- snort-2.9.0.1/doc/signatures/2838.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2838.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2838
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure resume_master_activity
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2839.txt snort-2.9.2/doc/signatures/2839.txt
--- snort-2.9.0.1/doc/signatures/2839.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2839.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2839
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure suspend_master_activity
-. This procedure is included in
-sys.dbms_repcat_mas.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/283.txt snort-2.9.2/doc/signatures/283.txt
--- snort-2.9.0.1/doc/signatures/283.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/283.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 283
-
---
-Summary:
-Versions of the Netscape browser including and prior to 4.75 are vulnerable to a buffer overflow that may lead to a root shell listening on port 6968. This event is generated when a request is made to a web site exploiting this vulnerability.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-gain remote access to the victim host.
-
---
-Detailed Information:
-A buffer overflow condition exists in the HTML parser on some versions of Netscape Navigator. It is possible for a remote attacker to gain a root shell on the victim host.
-
-A long password value in a form field may result in an attacker being able to execute arbitrary commands.
-
-Affected Systems:
- Netscape Navigator 4.75 and prior
-
---
-Attack Scenarios:
-The attacker would need to supply a link on a web page or HTML email that triggers the overflow.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1189
-
-Arachnids:
-http://www.whitehats.com/info/IDS215
-
-Bugtraq:
-http://www.securityfocus.com/bid/822
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2840.txt snort-2.9.2/doc/signatures/2840.txt
--- snort-2.9.0.1/doc/signatures/2840.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2840.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2840
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_snapshot_propagation
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2841.txt snort-2.9.2/doc/signatures/2841.txt
--- snort-2.9.0.1/doc/signatures/2841.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2841.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2841
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2842.txt snort-2.9.2/doc/signatures/2842.txt
--- snort-2.9.0.1/doc/signatures/2842.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2842.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2842
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2843.txt snort-2.9.2/doc/signatures/2843.txt
--- snort-2.9.0.1/doc/signatures/2843.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2843.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2843
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repobject
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2844.txt snort-2.9.2/doc/signatures/2844.txt
--- snort-2.9.0.1/doc/signatures/2844.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2844.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2844
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2845.txt snort-2.9.2/doc/signatures/2845.txt
--- snort-2.9.0.1/doc/signatures/2845.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2845.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2845
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2846.txt snort-2.9.2/doc/signatures/2846.txt
--- snort-2.9.0.1/doc/signatures/2846.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2846.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2846
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure repcat_import_check
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2847.txt snort-2.9.2/doc/signatures/2847.txt
--- snort-2.9.0.1/doc/signatures/2847.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2847.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2847
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2848.txt snort-2.9.2/doc/signatures/2848.txt
--- snort-2.9.0.1/doc/signatures/2848.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2848.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2848
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_master_repobject
-. This procedure is included in
-sys.dbms_repcat_utl4.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2849.txt snort-2.9.2/doc/signatures/2849.txt
--- snort-2.9.0.1/doc/signatures/2849.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2849.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2849
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_an_object
-. This procedure is included in
-sys.dbms_repcat_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/284.txt snort-2.9.2/doc/signatures/284.txt
--- snort-2.9.0.1/doc/signatures/284.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/284.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-284
-
---
-Summary:
-This event generated when an attempt is made to exploit a buffer overflow in the pop2 service.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody".
-
---
-Detailed Information:
-Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody".
-
---
-Affected Systems:
-Debian Linux 2.1
-Redhat Linux 4.2, 5.0, 5.1, and 5.2
-University of Washington imap 4.4
-University of Washington pop2d 4.4
-
---
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody".
-
---
-Ease of Attack:
-Simple. Exploit scripts are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the pop2d version 4.51 or later.
-
-Compile pop2d to not support anonymous proxing.
-
---
-Contributors:
-Original rule writer unknown
-Documented by Steven Alexander
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/283
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2850.txt snort-2.9.2/doc/signatures/2850.txt
--- snort-2.9.0.1/doc/signatures/2850.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2850.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2850
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_mview_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2851.txt snort-2.9.2/doc/signatures/2851.txt
--- snort-2.9.0.1/doc/signatures/2851.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2851.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2851
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repobject
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2852.txt snort-2.9.2/doc/signatures/2852.txt
--- snort-2.9.0.1/doc/signatures/2852.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2852.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2852
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_mview_support
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2853.txt snort-2.9.2/doc/signatures/2853.txt
--- snort-2.9.0.1/doc/signatures/2853.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2853.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2853
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_replication_trigger
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2854.txt snort-2.9.2/doc/signatures/2854.txt
--- snort-2.9.0.1/doc/signatures/2854.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2854.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2854
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_snapshot_support
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2855.txt snort-2.9.2/doc/signatures/2855.txt
--- snort-2.9.0.1/doc/signatures/2855.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2855.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2855
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure remove_master_databases
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2856.txt snort-2.9.2/doc/signatures/2856.txt
--- snort-2.9.0.1/doc/signatures/2856.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2856.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2856
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_mview_master
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2857.txt snort-2.9.2/doc/signatures/2857.txt
--- snort-2.9.0.1/doc/signatures/2857.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2857.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2857
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_snapshot_master
-. This procedure is included in
-dbms_repcat.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2858.txt snort-2.9.2/doc/signatures/2858.txt
--- snort-2.9.0.1/doc/signatures/2858.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2858.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2858 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_delete_resolution -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2859.txt snort-2.9.2/doc/signatures/2859.txt --- snort-2.9.0.1/doc/signatures/2859.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2859.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2859 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_char -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/285.txt snort-2.9.2/doc/signatures/285.txt --- snort-2.9.0.1/doc/signatures/285.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/285.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -285 - --- -Summary: -This event generated when an attempt is made to exploit a buffer overflow in the pop2 service. - --- -Impact: -Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody". - --- -Detailed Information: -Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody". - --- -Affected Systems: -Debian Linux 2.1 -Redhat Linux 4.2, 5.0, 5.1, and 5.2 -University of Washington imap 4.4 -University of Washington pop2d 4.4 - --- -Attack Scenarios: -An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody". - --- -Ease of Attack: -Simple. Exploit scripts are freely available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the pop2d version 4.51 or later. - -Compile pop2d to not support anonymous proxing. - --- -Contributors: -Original rule writer unknown -Documented by Steven Alexander -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/283 - - --- diff -Nru snort-2.9.0.1/doc/signatures/2860.txt snort-2.9.2/doc/signatures/2860.txt --- snort-2.9.0.1/doc/signatures/2860.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2860.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2860 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_date -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2861.txt snort-2.9.2/doc/signatures/2861.txt --- snort-2.9.0.1/doc/signatures/2861.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2861.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2861 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_nchar -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2862.txt snort-2.9.2/doc/signatures/2862.txt --- snort-2.9.0.1/doc/signatures/2862.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2862.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2862 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_number -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2863.txt snort-2.9.2/doc/signatures/2863.txt --- snort-2.9.0.1/doc/signatures/2863.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2863.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2863 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_nvarchar2 -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2864.txt snort-2.9.2/doc/signatures/2864.txt --- snort-2.9.0.1/doc/signatures/2864.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2864.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2864 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_raw -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2865.txt snort-2.9.2/doc/signatures/2865.txt --- snort-2.9.0.1/doc/signatures/2865.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2865.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2865 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_priority_varchar2 -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2866.txt snort-2.9.2/doc/signatures/2866.txt --- snort-2.9.0.1/doc/signatures/2866.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2866.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2866 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_site_priority_site -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2867.txt snort-2.9.2/doc/signatures/2867.txt --- snort-2.9.0.1/doc/signatures/2867.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2867.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2867 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_unique_resolution -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2868.txt snort-2.9.2/doc/signatures/2868.txt --- snort-2.9.0.1/doc/signatures/2868.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2868.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2868 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure add_update_resolution -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2869.txt snort-2.9.2/doc/signatures/2869.txt --- snort-2.9.0.1/doc/signatures/2869.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2869.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2869 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_char -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/286.txt snort-2.9.2/doc/signatures/286.txt --- snort-2.9.0.1/doc/signatures/286.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/286.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -286 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow in the POP3 qpopper service on BSD systems. - --- -Impact: -An attacker can gain access to a shell running with root privileges. - --- -Detailed Information: -This rule looks for a piece of shell code (executable code) that is -used to exploit a known vulnerability in an older version of the Qualcom -based POP3 daemon distributed with BSD Unixes. - --- -Affected Systems: -*BSD systems using Qualcomm Qpopper 2.4 - --- -Attack Scenarios: -The attack is done remotely and gives the attacker a command shell -running with root privileges. - --- -Ease of Attack: -Simple. An exploit is readily available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Install the available security patches from your vendor. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/133 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-1999-0006 - --- diff -Nru snort-2.9.0.1/doc/signatures/2870.txt snort-2.9.2/doc/signatures/2870.txt --- snort-2.9.0.1/doc/signatures/2870.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2870.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2870 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_date -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2871.txt snort-2.9.2/doc/signatures/2871.txt --- snort-2.9.0.1/doc/signatures/2871.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2871.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2871 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_nchar -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2872.txt snort-2.9.2/doc/signatures/2872.txt --- snort-2.9.0.1/doc/signatures/2872.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2872.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2872 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_number -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2873.txt snort-2.9.2/doc/signatures/2873.txt --- snort-2.9.0.1/doc/signatures/2873.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2873.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -2873 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database server. - --- -Impact: -Serious. Possible execution of arbitrary code and Denial of Service. - --- -Detailed Information: -This event is generated when an attempt is made to exploit a known -vulnerability in an Oracle database implementation. Multiple buffer -overflow conditions are present in numerous packages and procedures. - -Exploitation of these vulnerable procedures may allow an attacker to -execute code of their choosing as the user running the database. In the -case of databases running on Microsoft Windows platforms, this is the -Local System account which may mean a compromise of the operating system -as well as the database. - -This event indicates that an attempt has been made to exploit a -vulnerability in the procedure alter_priority_nvarchar2 -. This procedure is included in -sys.dbms_repcat_conf. - --- -Affected Systems: - Oracle Oracle9i - --- -Attack Scenarios: -If an attacker can supply enough data to the procedure in question, it -may be possible to cause the overflow condition to occur and present the -attacker with the opportunity to execute code of their choosing. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/2874.txt snort-2.9.2/doc/signatures/2874.txt --- snort-2.9.0.1/doc/signatures/2874.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2874.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2874
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_raw
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2875.txt snort-2.9.2/doc/signatures/2875.txt
--- snort-2.9.0.1/doc/signatures/2875.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2875.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2875
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2876.txt snort-2.9.2/doc/signatures/2876.txt
--- snort-2.9.0.1/doc/signatures/2876.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2876.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2876
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_priority_varchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2877.txt snort-2.9.2/doc/signatures/2877.txt
--- snort-2.9.0.1/doc/signatures/2877.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2877.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2877
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_site_priority_site
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2878.txt snort-2.9.2/doc/signatures/2878.txt
--- snort-2.9.0.1/doc/signatures/2878.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2878.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2878
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_site_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2879.txt snort-2.9.2/doc/signatures/2879.txt
--- snort-2.9.0.1/doc/signatures/2879.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2879.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2879
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure cancel_statistics
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/287.txt snort-2.9.2/doc/signatures/287.txt
--- snort-2.9.0.1/doc/signatures/287.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/287.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-287
-
---
-Summary:
-This event is generated when a remote attacker attempts to exploit a
-QUALCOMM Qpopper POP3 buffer overflow vulnerability in BSD operating
-systems.
-
---
-Impact:
-Remote execution of arbitrary code leading to remote root compromise.
-
---
-Detailed Information:
-An exploit is available that takes advantage of a buffer overflow
-vulnerability in QUALCOMM Qpopper POP3 mail server version 2.53 or
-earlier. This exploit can be used to obtain root access to the
-compromised server.
-
---
-Affected Systems:
-BSD distributions that ship QUALCOMM Qpopper POP3 server version 2.53 or
-earlier.
-
---
-Attack Scenarios:
-An attacker executes exploit code against a vulnerable server and
-obtains root privileges on the compromised computer.
-
---
-Ease of Attack:
-Simple. An exploit exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of QUALCOMM Qpopper appropriate for your
-BSD distribution.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CERT
-http://www.cert.org/advisories/CA-1998-08.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2880.txt snort-2.9.2/doc/signatures/2880.txt
--- snort-2.9.0.1/doc/signatures/2880.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2880.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2880
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_delete_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2881.txt snort-2.9.2/doc/signatures/2881.txt
--- snort-2.9.0.1/doc/signatures/2881.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2881.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2881
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_priority_group
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2882.txt snort-2.9.2/doc/signatures/2882.txt
--- snort-2.9.0.1/doc/signatures/2882.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2882.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2882
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_site_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2883.txt snort-2.9.2/doc/signatures/2883.txt
--- snort-2.9.0.1/doc/signatures/2883.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2883.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2883
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_unique_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2884.txt snort-2.9.2/doc/signatures/2884.txt
--- snort-2.9.0.1/doc/signatures/2884.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2884.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2884
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure comment_on_update_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2885.txt snort-2.9.2/doc/signatures/2885.txt
--- snort-2.9.0.1/doc/signatures/2885.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2885.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2885
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_priority_group
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2886.txt snort-2.9.2/doc/signatures/2886.txt
--- snort-2.9.0.1/doc/signatures/2886.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2886.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2886
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure define_site_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2887.txt snort-2.9.2/doc/signatures/2887.txt
--- snort-2.9.0.1/doc/signatures/2887.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2887.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2887
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_delete_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2888.txt snort-2.9.2/doc/signatures/2888.txt
--- snort-2.9.0.1/doc/signatures/2888.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2888.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2888
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_char
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2889.txt snort-2.9.2/doc/signatures/2889.txt
--- snort-2.9.0.1/doc/signatures/2889.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2889.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2889
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_date
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/288.txt snort-2.9.2/doc/signatures/288.txt
--- snort-2.9.0.1/doc/signatures/288.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/288.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-288
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in the POP3 service on Linux systems.
-
---
-Impact:
-An attacker can gain access to a shell running with root privileges.
-
---
-Detailed Information:
-This rule looks for a piece of shell code (executable code) that is
-used to exploit a known vulnerability in an older version of the POP3
-daemon distributed in Linux systems.
-
---
-Affected Systems:
-Various Linux versions.
-
---
-Attack Scenarios:
-The attack is done remotely and gives the attacker a command shell
-running with root privileges.
-
---
-Ease of Attack:
-Simple. An exploit is readily available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the available security patches from your linux vendor.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2890.txt snort-2.9.2/doc/signatures/2890.txt
--- snort-2.9.0.1/doc/signatures/2890.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2890.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2890
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nchar
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2891.txt snort-2.9.2/doc/signatures/2891.txt
--- snort-2.9.0.1/doc/signatures/2891.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2891.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2891
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_number
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2892.txt snort-2.9.2/doc/signatures/2892.txt
--- snort-2.9.0.1/doc/signatures/2892.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2892.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2892
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_nvarchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2893.txt snort-2.9.2/doc/signatures/2893.txt
--- snort-2.9.0.1/doc/signatures/2893.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2893.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2893
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_raw
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2894.txt snort-2.9.2/doc/signatures/2894.txt
--- snort-2.9.0.1/doc/signatures/2894.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2894.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2894
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2895.txt snort-2.9.2/doc/signatures/2895.txt
--- snort-2.9.0.1/doc/signatures/2895.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2895.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2895
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_priority_varchar2
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2896.txt snort-2.9.2/doc/signatures/2896.txt
--- snort-2.9.0.1/doc/signatures/2896.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2896.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2896
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority_site
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2897.txt snort-2.9.2/doc/signatures/2897.txt
--- snort-2.9.0.1/doc/signatures/2897.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2897.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2897
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_site_priority
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2898.txt snort-2.9.2/doc/signatures/2898.txt
--- snort-2.9.0.1/doc/signatures/2898.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2898.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2898
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_unique_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2899.txt snort-2.9.2/doc/signatures/2899.txt
--- snort-2.9.0.1/doc/signatures/2899.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2899.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2899
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_update_resolution
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/289.txt snort-2.9.2/doc/signatures/289.txt
--- snort-2.9.0.1/doc/signatures/289.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/289.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -289 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a -QUALCOMM Qpopper POP3 buffer overflow vulnerability in SCO OpenServer -systems. - --- -Impact: -Remote execution of arbitrary code leading to remote root compromise. - --- -Detailed Information: -An exploit is available that takes advantage of a buffer overflow -vulnerability in QUALCOMM Qpopper POP3 mail server version 2.53 or -earlier. This exploit can be used to obtain root access to the -compromised server. - --- -Affected Systems: -SCO servers that ship QUALCOMM Qpopper POP3 server version 2.53 or -earlier: - -SCO OpenServer Enterprise System Release 5.0.5, 5.0.6, 5.0.6a - -SCO OpenServer Host System Release 5.0.5, 5.0.6, 5.0.6a - -SCO OpenServer Desktop System Release 5.0.5, 5.0.6, 5.0.6a - -SCO OpenServer Enterprise System Release 5.0.4 - -SCO OpenServer Host System Release 5.0.4 - -SCO OpenServer Desktop System Release 5.0.4 - --- -Attack Scenarios: -An attacker executes exploit code against a vulnerable server and -obtains root privileges on the compromised computer. - --- -Ease of Attack: -Simple. An exploit exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade QUALCOMM Qpopper. See ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.8/ for patched binaries for SCO OpenServer and an advisory with installation instructions. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -CERT -http://www.cert.org/advisories/CA-1998-08.html - --- diff -Nru snort-2.9.0.1/doc/signatures/2900.txt snort-2.9.2/doc/signatures/2900.txt --- snort-2.9.0.1/doc/signatures/2900.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/2900.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2900
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure purge_statistics
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2901.txt snort-2.9.2/doc/signatures/2901.txt
--- snort-2.9.0.1/doc/signatures/2901.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2901.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2901
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_statistics
-. This procedure is included in
-sys.dbms_repcat_conf.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2902.txt snort-2.9.2/doc/signatures/2902.txt
--- snort-2.9.0.1/doc/signatures/2902.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2902.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2902
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure alter_snapshot_propagation
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2903.txt snort-2.9.2/doc/signatures/2903.txt
--- snort-2.9.0.1/doc/signatures/2903.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2903.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2903
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2904.txt snort-2.9.2/doc/signatures/2904.txt
--- snort-2.9.0.1/doc/signatures/2904.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2904.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2904
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repobject
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2905.txt snort-2.9.2/doc/signatures/2905.txt
--- snort-2.9.0.1/doc/signatures/2905.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2905.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2905
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure create_snapshot_repschema
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2906.txt snort-2.9.2/doc/signatures/2906.txt
--- snort-2.9.0.1/doc/signatures/2906.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2906.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2906
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2907.txt snort-2.9.2/doc/signatures/2907.txt
--- snort-2.9.0.1/doc/signatures/2907.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2907.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2907
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repobject
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2908.txt snort-2.9.2/doc/signatures/2908.txt
--- snort-2.9.0.1/doc/signatures/2908.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2908.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2908
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure drop_snapshot_repschema
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2909.txt snort-2.9.2/doc/signatures/2909.txt
--- snort-2.9.0.1/doc/signatures/2909.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2909.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2909
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure generate_snapshot_support
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/290.txt snort-2.9.2/doc/signatures/290.txt
--- snort-2.9.0.1/doc/signatures/290.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/290.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-290
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow in Qualcomm qpopper.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands with the privileges of root on the vulernable server.
-
---
-Detailed Information:
-A buffer overflow exploit exists in version 3.x of Qualcomm qpopper daemon, permitting the execution of arbitrary commands with the privileges of root. The buffer overflow vulnerability is present because of improper bounds checking associated with vsprintf() and sprintf() calls in pop_msg.c.
-
---
-Affected Systems:
-Qualcomm qpopper 3.0 b20
-Qualcomm qpopper 3.0
-
---
-Attack Scenarios:
-An attacker may exploit the qpopper buffer overflow vulnerability, permitting the execution of arbitrary commands with the privileges of root on the vulnerable server.
-
---
-Ease of Attack:
-Simple. Exploit code is freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
---
-Corrective Action:
-Upgrade to qpopper3.0b22
-
---
-Contributors:
-Original rule writer unknown.
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0822
-
-Bugtraq
-http://www.securityfocus.com/bid/830
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2910.txt snort-2.9.2/doc/signatures/2910.txt
--- snort-2.9.0.1/doc/signatures/2910.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2910.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2910
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2911.txt snort-2.9.2/doc/signatures/2911.txt
--- snort-2.9.0.1/doc/signatures/2911.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2911.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2911
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure refresh_snapshot_repschema
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2912.txt snort-2.9.2/doc/signatures/2912.txt
--- snort-2.9.0.1/doc/signatures/2912.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2912.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2912
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2913.txt snort-2.9.2/doc/signatures/2913.txt
--- snort-2.9.0.1/doc/signatures/2913.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2913.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2913
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure repcat_import_check
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2914.txt snort-2.9.2/doc/signatures/2914.txt
--- snort-2.9.0.1/doc/signatures/2914.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2914.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2914
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure set_local_flavor
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2915.txt snort-2.9.2/doc/signatures/2915.txt
--- snort-2.9.0.1/doc/signatures/2915.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2915.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2915
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_snapshot_master
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2916.txt snort-2.9.2/doc/signatures/2916.txt
--- snort-2.9.0.1/doc/signatures/2916.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2916.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2916
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure unregister_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2917.txt snort-2.9.2/doc/signatures/2917.txt
--- snort-2.9.0.1/doc/signatures/2917.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2917.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2917
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure switch_snapshot_master
-. This procedure is included in
-sys.dbms_repcat_sna_utl.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2918.txt snort-2.9.2/doc/signatures/2918.txt
--- snort-2.9.0.1/doc/signatures/2918.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2918.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2918
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure validate_for_local_flavor
-. This procedure is included in
-sys.dbms_repcat_sna.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2919.txt snort-2.9.2/doc/signatures/2919.txt
--- snort-2.9.0.1/doc/signatures/2919.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2919.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-2919
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database server.
-
---
-Impact:
-Serious. Possible execution of arbitrary code and Denial of Service.
-
---
-Detailed Information:
-This event is generated when an attempt is made to exploit a known
-vulnerability in an Oracle database implementation. Multiple buffer
-overflow conditions are present in numerous packages and procedures.
-
-Exploitation of these vulnerable procedures may allow an attacker to
-execute code of their choosing as the user running the database. In the
-case of databases running on Microsoft Windows platforms, this is the
-Local System account which may mean a compromise of the operating system
-as well as the database.
-
-This event indicates that an attempt has been made to exploit a
-vulnerability in the procedure register_snapshot_repgroup
-. This procedure is included in
-sys.dbms_repcat_untrusted.
-
---
-Affected Systems:
- Oracle Oracle9i
-
---
-Attack Scenarios:
-If an attacker can supply enough data to the procedure in question, it
-may be possible to cause the overflow condition to occur and present the
-attacker with the opportunity to execute code of their choosing.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/291.txt snort-2.9.2/doc/signatures/291.txt
--- snort-2.9.0.1/doc/signatures/291.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/291.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-291
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in the Cassandra NNTP service.
-
---
-Impact:
-Denial of Service.
-
---
-Detailed Information:
-The denial of service is caused by providing an unusually long login
-name. The rule looks for a data payload of over 512 characters.
-
---
-Affected Systems:
- Cassandra NNTP server v1.10
-
---
-Attack Scenarios:
-The attack is done remotely and causes denial of service.
-
---
-Ease of Attack:
-Simple. An exploit is readily available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Install the available security patches from your vendor.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS274
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2000-0341
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2921.txt snort-2.9.2/doc/signatures/2921.txt
--- snort-2.9.0.1/doc/signatures/2921.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2921.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2921
-
---
-Summary:
-This event is generated when an inverse query attempt is made using UDP.
-
---
-
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-Bind 8 contains a programming error that may present an attacker with
-the opportunity to execute code of their choosing on an affected server.
-
-The error occurs in the handling of malformed transactions. When using
-UDP this can result in the attacker causing a stack overflow in named.
-
---
-Affected Systems:
- Bind 8.
-
---
-Attack Scenarios:
-An attacker needs to send a specially crafted and malformed query to an
-affected server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2922.txt snort-2.9.2/doc/signatures/2922.txt
--- snort-2.9.0.1/doc/signatures/2922.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2922.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2922
-
---
-Summary:
-This event is generated when an inverse query attempt is made using TCP.
-
---
-
-Impact:
-Possible execution of arbitrary code.
-
---
-Detailed Information:
-Bind 8 contains a programming error that may present an attacker with
-the opportunity to execute code of their choosing on an affected server.
-
-The error occurs in the handling of malformed transactions. When using
-TCP this can result in the attacker causing a heap overflow.
-
---
-Affected Systems:
- Bind 8.
-
---
-Attack Scenarios:
-An attacker needs to send a specially crafted and malformed query to an
-affected server.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2923.txt snort-2.9.2/doc/signatures/2923.txt
--- snort-2.9.0.1/doc/signatures/2923.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2923.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-2923
-
---
-Summary:
-This event is generated when repeated failed attempts are made to access
-an SMB share.
-
---
-Impact:
-Unknown. Possible information disclosure and loss of data.
-
---
-Detailed Information:
-This event indicates that multiple failed attempts have been made to
-access an SMB network share. This may indicate a determined effort by an
-unauthorized user to access information and data on a network share.
-
---
-Affected Systems:
- All systems sharing resources using SMB
-
---
-Attack Scenarios:
-An attacker can make repeated attempts to access network shares in an
-attempt to gain information.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply strict access control to all networked resources.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2924.txt snort-2.9.2/doc/signatures/2924.txt
--- snort-2.9.0.1/doc/signatures/2924.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2924.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-2924
-
---
-Summary:
-This event is generated when repeated failed attempts are made to access
-an SMB share.
-
---
-Impact:
-Unknown. Possible information disclosure and loss of data.
-
---
-Detailed Information:
-This event indicates that multiple failed attempts have been made to
-access an SMB network share. This may indicate a determined effort by an
-unauthorized user to access information and data on a network share.
-
---
-Affected Systems:
- All systems sharing resources using SMB
-
---
-Attack Scenarios:
-An attacker can make repeated attempts to access network shares in an
-attempt to gain information.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply strict access control to all networked resources.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2925.txt snort-2.9.2/doc/signatures/2925.txt
--- snort-2.9.0.1/doc/signatures/2925.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2925.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2925
-
---
-Summary:
-This event is generated when an image fitting the profile of a web bug
-has been detected in network traffic.
-
---
-
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-Web bugs are 1x1 pixel image files that are found in web pages or HTML
-email. These are often used to monitor and track a users activity on the
-web. Information such as the browsers IP address, cookie information,
-time, browser version and other user identifiable charateristics can be
-collected using web bugs.
-
-This rule identifies an image that conforms to the usual size and format
-of a web bug.
-
---
-Affected Systems:
- All.
-
---
-Attack Scenarios:
-An attacker can use this type of image in an HTML email or on a web
-page to gather information about the host and user. Since these images
-can be not only small but transparent, they are almost undetectable in
-HTML pages.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow the use of HTML email
-
-Use a web proxy server to strip all web bug images from server
-responses.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2926.txt snort-2.9.2/doc/signatures/2926.txt
--- snort-2.9.0.1/doc/signatures/2926.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2926.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2926
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the PHP web application PhpGedView.
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-PhpGedView contains a flaw such that it may be possible for an attacker
-to include code of their choosing by manipulating the PGV_BASE_DIRECTORY
-parameter when making a GET or POST request to a vulnerable system.
-
-It may be possible for an attacker to execute that code with the
-privileges of the user running the webserver, usually root.
-
---
-Affected Systems:
- PhpGedView 2.65.1 and earlier
-
---
-Attack Scenarios:
-An attacker can make a request to an affected script and define their
-own path to the PGV_BASE_DIRECTORY variable.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2927.txt snort-2.9.2/doc/signatures/2927.txt
--- snort-2.9.0.1/doc/signatures/2927.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2927.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2927
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft implementation of the Network News Transport
-Protocol (NNTP) for Internet Information Server (IIS).
-
---
-Impact:
-Execution of arbitrary code on the affected system
-
---
-Detailed Information:
-The Microsoft implementation of NNTP for IIS contains a programming
-error in the processing of user supplied input that may present an
-attacker with multiple opportunites to execute code of their choosing on
-an affected system.
-
---
-Affected Systems:
-. Microsoft Windows NT Server 4.0 NNTP component
-. Microsoft Windows 2000 Server NNTP component
-. Microsoft Windows Server 2003 NNTP Component
-. Microsoft Windows Server 2003 64-Bit Edition NNTP Component
-
---
-Attack Scenarios:
-An attacker must supply specially crafted input to a vulnerable system
-to cause the overflow to occur.
-
---
-Ease of Attack:
-Moderate. Example code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade to the latest non-affected version of the software
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CORE Technologies:
-http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2928.txt snort-2.9.2/doc/signatures/2928.txt
--- snort-2.9.0.1/doc/signatures/2928.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2928.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2928
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2929.txt snort-2.9.2/doc/signatures/2929.txt
--- snort-2.9.0.1/doc/signatures/2929.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2929.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2929
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/292.txt snort-2.9.2/doc/signatures/292.txt
--- snort-2.9.0.1/doc/signatures/292.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/292.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 292
-
---
-Summary:
-Versions of the file sharing software Samba 1.9.19 and prior contain a buffer overflow condition that can be exploited by supplying an overly long password to the Samba server.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-gain remote access to the victim host or execute arbitrary code with the privileges of the user running the Samba server.
-
---
-Detailed Information:
-Samba is used to share files and printers between hosts on a network. A buffer overflow in the handling of passwords exists such that an overly long password can trigger the vulnerability presenting the attacker with an opportunity to remotely compromise the server running the Samba software.
-
-Affected Systems:
- Samba 1.9.19 and prior
-
---
-Attack Scenarios:
-The attacker would need to supply an excessively long password.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest version of Samba.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0182
-
-Bugtraq:
-http://www.securityfocus.com/bid/1816
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2930.txt snort-2.9.2/doc/signatures/2930.txt
--- snort-2.9.0.1/doc/signatures/2930.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2930.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2930
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2931.txt snort-2.9.2/doc/signatures/2931.txt
--- snort-2.9.0.1/doc/signatures/2931.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2931.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2931
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2932.txt snort-2.9.2/doc/signatures/2932.txt
--- snort-2.9.0.1/doc/signatures/2932.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2932.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2932
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2933.txt snort-2.9.2/doc/signatures/2933.txt
--- snort-2.9.0.1/doc/signatures/2933.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2933.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2933
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2934.txt snort-2.9.2/doc/signatures/2934.txt
--- snort-2.9.0.1/doc/signatures/2934.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2934.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2934
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2935.txt snort-2.9.2/doc/signatures/2935.txt
--- snort-2.9.0.1/doc/signatures/2935.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2935.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2935
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2936.txt snort-2.9.2/doc/signatures/2936.txt
--- snort-2.9.0.1/doc/signatures/2936.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2936.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2936
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2937.txt snort-2.9.2/doc/signatures/2937.txt
--- snort-2.9.0.1/doc/signatures/2937.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2937.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2937
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2938.txt snort-2.9.2/doc/signatures/2938.txt
--- snort-2.9.0.1/doc/signatures/2938.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2938.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2938
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2939.txt snort-2.9.2/doc/signatures/2939.txt
--- snort-2.9.0.1/doc/signatures/2939.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2939.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2939
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2940.txt snort-2.9.2/doc/signatures/2940.txt
--- snort-2.9.0.1/doc/signatures/2940.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2940.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2940
-
---
-Summary:
-This event is generated when an attempt is made to bind to the Windows
-registry service via SMB.
-
---
-Impact:
-Serious. Remote administration of the Windows reqistry may be possible.
-
---
-Detailed Information:
-This event indicates that an attempt was made to bind to the Windows
-registry service via SMB across the network.
-
-It may be possible for an attacker to manipulate the Windows registry
-from a remote location. This could give the attacker administrative
-privileges on the target host as well as the opportunity to execute code
-of their choosing.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-If the Windows registry is accessible via SMB the attacker can
-manipulate the operating system registry settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2941.txt snort-2.9.2/doc/signatures/2941.txt
--- snort-2.9.0.1/doc/signatures/2941.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2941.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2941
-
---
-Summary:
-This event is generated when an attempt is made to bind to the Windows
-registry service via SMB.
-
---
-Impact:
-Serious. Remote administration of the Windows reqistry may be possible.
-
---
-Detailed Information:
-This event indicates that an attempt was made to bind to the Windows
-registry service via SMB across the network.
-
-It may be possible for an attacker to manipulate the Windows registry
-from a remote location. This could give the attacker administrative
-privileges on the target host as well as the opportunity to execute code
-of their choosing.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-If the Windows registry is accessible via SMB the attacker can
-manipulate the operating system registry settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2942.txt snort-2.9.2/doc/signatures/2942.txt
--- snort-2.9.0.1/doc/signatures/2942.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2942.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2942
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2943.txt snort-2.9.2/doc/signatures/2943.txt
--- snort-2.9.0.1/doc/signatures/2943.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2943.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2943
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2944.txt snort-2.9.2/doc/signatures/2944.txt
--- snort-2.9.0.1/doc/signatures/2944.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2944.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2944
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2945.txt snort-2.9.2/doc/signatures/2945.txt
--- snort-2.9.0.1/doc/signatures/2945.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2945.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2945
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2946.txt snort-2.9.2/doc/signatures/2946.txt
--- snort-2.9.0.1/doc/signatures/2946.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2946.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2946
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2947.txt snort-2.9.2/doc/signatures/2947.txt
--- snort-2.9.0.1/doc/signatures/2947.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2947.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2947
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2948.txt snort-2.9.2/doc/signatures/2948.txt
--- snort-2.9.0.1/doc/signatures/2948.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2948.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2948
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2949.txt snort-2.9.2/doc/signatures/2949.txt
--- snort-2.9.0.1/doc/signatures/2949.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2949.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2949
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2950.txt snort-2.9.2/doc/signatures/2950.txt
--- snort-2.9.0.1/doc/signatures/2950.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2950.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2950
-
---
-Summary:
-This event is generated when multiple stacked SMB requests are made.
-
---
-Impact:
-Possible IDS evasion.
-
---
-Detailed Information:
-This event is generated when multiple stacked SMB requests are detected.
-This behavior does not occur on a regular basis in normal network
-traffic. This event may indicate an attempt to evade an IDS.
-
---
-Affected Systems:
- All systems using SMB.
-
---
-Attack Scenarios:
-An attacker might create multiple stacked SMB requests in an attempt to
-bypass an IDS.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-If the second and third stacked requests are of a combined length that
-is less than 37 bytes this rule will not generate an event.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disallow the use of SMB.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2951.txt snort-2.9.2/doc/signatures/2951.txt
--- snort-2.9.0.1/doc/signatures/2951.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2951.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-2951
-
---
-Summary:
-This event is generated when multiple stacked SMB requests are made.
-
---
-Impact:
-Possible IDS evasion.
-
---
-Detailed Information:
-This event is generated when multiple stacked SMB requests are detected.
-This behavior does not occur on a regular basis in normal network
-traffic. This event may indicate an attempt to evade an IDS.
-
---
-Affected Systems:
- All systems using SMB.
-
---
-Attack Scenarios:
-An attacker might create multiple stacked SMB requests in an attempt to
-bypass an IDS.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-If the second and third stacked requests are of a combined length that
-is less than 37 bytes this rule will not generate an event.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disallow the use of SMB.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2952.txt snort-2.9.2/doc/signatures/2952.txt
--- snort-2.9.0.1/doc/signatures/2952.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2952.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2952
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2953.txt snort-2.9.2/doc/signatures/2953.txt
--- snort-2.9.0.1/doc/signatures/2953.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2953.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2953
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2954.txt snort-2.9.2/doc/signatures/2954.txt
--- snort-2.9.0.1/doc/signatures/2954.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2954.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2954
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2955.txt snort-2.9.2/doc/signatures/2955.txt
--- snort-2.9.0.1/doc/signatures/2955.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2955.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2955
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2956.txt snort-2.9.2/doc/signatures/2956.txt
--- snort-2.9.0.1/doc/signatures/2956.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2956.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2956
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2957.txt snort-2.9.2/doc/signatures/2957.txt
--- snort-2.9.0.1/doc/signatures/2957.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2957.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2957
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2958.txt snort-2.9.2/doc/signatures/2958.txt
--- snort-2.9.0.1/doc/signatures/2958.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2958.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2958
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2959.txt snort-2.9.2/doc/signatures/2959.txt
--- snort-2.9.0.1/doc/signatures/2959.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2959.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2959
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/295.txt snort-2.9.2/doc/signatures/295.txt
--- snort-2.9.0.1/doc/signatures/295.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/295.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-SID:
-295
---
-
-Rule:
---
-
-Summary:
-This event is triggered when an attempt is made to overflow an imapd
-server.
---
-
-Impact:
-Commands may be run on the IMAP server as the root user, This can lead
-to a complete compromise of the targeted system
---
-
-Detailed Information:
-Failure to check the size of the value passed to the 'AUTHENTICATE'
-command on certain IMAPD implementations can lead to a buffer overflow.
-This in turn can allow arbitrary commands to be executed on the server.
---
-
-Affected Systems:
- Netscape Messaging Server 3.55
- University of Washington imapd 10.234
---
-
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable imapd server, permitting
-the execution of arbitrary commands possibly with the privilege of user
-"root".
---
-
-Ease of Attack:
-simple. Sample exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Vendors have provided updated versions, upgrading will resolve this
-problem
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2960.txt snort-2.9.2/doc/signatures/2960.txt
--- snort-2.9.0.1/doc/signatures/2960.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2960.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2960
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2961.txt snort-2.9.2/doc/signatures/2961.txt
--- snort-2.9.0.1/doc/signatures/2961.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2961.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2961
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2962.txt snort-2.9.2/doc/signatures/2962.txt
--- snort-2.9.0.1/doc/signatures/2962.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2962.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2962
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2963.txt snort-2.9.2/doc/signatures/2963.txt
--- snort-2.9.0.1/doc/signatures/2963.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2963.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2963
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2964.txt snort-2.9.2/doc/signatures/2964.txt
--- snort-2.9.0.1/doc/signatures/2964.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2964.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2964
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2965.txt snort-2.9.2/doc/signatures/2965.txt
--- snort-2.9.0.1/doc/signatures/2965.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2965.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2965
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2966.txt snort-2.9.2/doc/signatures/2966.txt
--- snort-2.9.0.1/doc/signatures/2966.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2966.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2966
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2967.txt snort-2.9.2/doc/signatures/2967.txt
--- snort-2.9.0.1/doc/signatures/2967.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2967.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2967
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2968.txt snort-2.9.2/doc/signatures/2968.txt
--- snort-2.9.0.1/doc/signatures/2968.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2968.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2968
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2969.txt snort-2.9.2/doc/signatures/2969.txt
--- snort-2.9.0.1/doc/signatures/2969.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2969.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2969
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/296.txt snort-2.9.2/doc/signatures/296.txt
--- snort-2.9.0.1/doc/signatures/296.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/296.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-SID:
-296
---
-
-Rule:
---
-
-Summary:
-This event is triggered when an attempt is made to overflow an imapd
-server.
---
-
-Impact:
-Commands may be run on the IMAP server as the root user, This can lead
-to a complete compromise of the targeted system
---
-
-Detailed Information:
-Failure to check the size of the value passed to the 'AUTHENTICATE'
-command on certain IMAPD implementations can lead to a buffer overflow.
-This in turn can allow arbitrary commands to be executed on the server.
---
-
-Affected Systems:
- Netscape Messaging Server 3.55,
- University of Washington imapd 10.234
---
-
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable imapd server, permitting
-the execution of arbitrary commands possibly with the privilege of user
-"root".
---
-
-Ease of Attack:
-Simple. Sample exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Vendors have provided updated versions, upgrading will resolve this
-problem
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2970.txt snort-2.9.2/doc/signatures/2970.txt
--- snort-2.9.0.1/doc/signatures/2970.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2970.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2970
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2971.txt snort-2.9.2/doc/signatures/2971.txt
--- snort-2.9.0.1/doc/signatures/2971.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2971.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-2971
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
-services.
-
---
-Impact:
-Serious. Execution of arbitrary code with system level privileges
-
---
-Detailed Information:
-A vulnerability exists in Microsoft NetDDE that may allow an attacker to
-run code of their choosing with system level privileges. A programming
-error in the handling of network messages may give an attacker the
-opportunity to overflow a fixed length buffer by using a specially
-crafted NetDDE message.
-
-This service is not started by default on Microsoft Windows systems, but
-this issue can also be exploited locally in an attempt to escalate
-privileges after a successful attack from an alternate vector.
-
---
-Affected Systems:
- Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
-
---
-Attack Scenarios:
-An attacker needs to craft a special NetDDE message in order to overflow
-the affected buffer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Disable the NetDDE service.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft Security Bulletin MS04-031:
-http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2972.txt snort-2.9.2/doc/signatures/2972.txt
--- snort-2.9.0.1/doc/signatures/2972.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2972.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-536
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2973.txt snort-2.9.2/doc/signatures/2973.txt
--- snort-2.9.0.1/doc/signatures/2973.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2973.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2973
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2974.txt snort-2.9.2/doc/signatures/2974.txt
--- snort-2.9.0.1/doc/signatures/2974.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2974.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2974
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2975.txt snort-2.9.2/doc/signatures/2975.txt
--- snort-2.9.0.1/doc/signatures/2975.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2975.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-2975
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2976.txt snort-2.9.2/doc/signatures/2976.txt
--- snort-2.9.0.1/doc/signatures/2976.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2976.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-533
-
---
-Summary:
-This event is generated when an attempt is made to access the C$ default
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2977.txt snort-2.9.2/doc/signatures/2977.txt
--- snort-2.9.0.1/doc/signatures/2977.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2977.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2977
-
---
-Summary:
-This event is generated when an attempt is made to access the C$ default
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2978.txt snort-2.9.2/doc/signatures/2978.txt
--- snort-2.9.0.1/doc/signatures/2978.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2978.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2978
-
---
-Summary:
-This event is generated when an attempt is made to access the C$ default
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2979.txt snort-2.9.2/doc/signatures/2979.txt
--- snort-2.9.0.1/doc/signatures/2979.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2979.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2979
-
---
-Summary:
-This event is generated when an attempt is made to access the C$ default
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/297.txt snort-2.9.2/doc/signatures/297.txt
--- snort-2.9.0.1/doc/signatures/297.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/297.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-SID:
-297
---
-
-Rule:
---
-
-Summary:
-This event is triggered when an attempt is made to overflow an imapd
-server.
---
-
-Impact:
-Commands may be run on the IMAP server as the root user, This can lead
-to a complete compromise of the targeted system
---
-
-Detailed Information:
-Failure to check the size of the value passed to the 'AUTHENTICATE'
-command on certain IMAPD implementations can lead to a buffer overflow.
-This in turn can allow arbitrary commands to be executed on the server.
---
-
-Affected Systems:
- Netscape Messaging Server 3.55, University of Washington imapd 10.234
---
-
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable imapd server, permitting
-the execution of arbitrary commands possibly with the privilege of user
-"root".
---
-
-Ease of Attack:
-Simple. Sample exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Vendors have provided updated versions, upgrading will resolve this problem
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2980.txt snort-2.9.2/doc/signatures/2980.txt
--- snort-2.9.0.1/doc/signatures/2980.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2980.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-532
-
---
-Summary:
-This event is generated when an attempt is made to access an administrative share on a Windows machine.
-
---
-Impact:
-Serious. Possible administrator access on the victim machine.
-
---
-Detailed Information:
-This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB.
-
-This is a poor security practice or an indication that a machine is being accessed remotely.
-
---
-Affected Systems:
- Windows 9x
- Windows 2000
- Windows XP
-
---
-Attack Scenario:
-This can be accessed from GUI "map network drive" remotely
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall to disallow Netbios access from the unprotected network.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Jake Babbin
-
---
-References:
-
-arachnids 340
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2981.txt snort-2.9.2/doc/signatures/2981.txt
--- snort-2.9.0.1/doc/signatures/2981.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2981.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2981
-
---
-Summary:
-This event is generated when an attempt is made to access the ADMIN$
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2982.txt snort-2.9.2/doc/signatures/2982.txt
--- snort-2.9.0.1/doc/signatures/2982.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2982.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2982
-
---
-Summary:
-This event is generated when an attempt is made to access the ADMIN$
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2983.txt snort-2.9.2/doc/signatures/2983.txt
--- snort-2.9.0.1/doc/signatures/2983.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2983.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-2983
-
---
-Summary:
-This event is generated when an attempt is made to access the ADMIN$
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2984.txt snort-2.9.2/doc/signatures/2984.txt
--- snort-2.9.0.1/doc/signatures/2984.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2984.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2176
-
---
-Summary:
-This event is generated when an attempt is made to access a system
-file via SMB.
-
---
-Impact:
-Serious. This file contains important operating system information.
-
---
-Detailed Information:
-This event indicates that an attempt was made to access a file
-containing important operating system information using SMB across the
-network.
-
---
-Affected Systems:
-Microsoft Windows systems.
-
---
-Attack Scenarios:
-If this file is accessible via SMB the attacker can manipulate the
-operating system registry settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Microsoft Technet
-http://support.microsoft.com/support/kb/articles/q153/1/83.asp
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
-Winreg
-http://www.rutherfurd.net/python/winreg/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2985.txt snort-2.9.2/doc/signatures/2985.txt
--- snort-2.9.0.1/doc/signatures/2985.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2985.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2176
-
---
-Summary:
-This event is generated when an attempt is made to access a system
-file via SMB.
-
---
-Impact:
-Serious. This file contains important operating system information.
-
---
-Detailed Information:
-This event indicates that an attempt was made to access a file
-containing important operating system information using SMB across the
-network.
-
---
-Affected Systems:
-Microsoft Windows systems.
-
---
-Attack Scenarios:
-If this file is accessible via SMB the attacker can manipulate the
-operating system registry settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Microsoft Technet
-http://support.microsoft.com/support/kb/articles/q153/1/83.asp
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
-Winreg
-http://www.rutherfurd.net/python/winreg/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2986.txt snort-2.9.2/doc/signatures/2986.txt
--- snort-2.9.0.1/doc/signatures/2986.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2986.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2986
-
---
-Summary:
-This event is generated when an attempt is made to create an AndX entry
-via SMB.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-This event is generated when an attempt is made to create an AndX entry
-via SMB.
-
---
-Affected Systems:
- Windows systems
-
---
-Attack Scenarios:
-An attacker may attempt to bind to the service to manipulate host
-settings then create an entry in the winreg service.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Microsoft Technet
-http://support.microsoft.com/support/kb/articles/q153/1/83.asp
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
-Winreg
-http://www.rutherfurd.net/python/winreg/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2987.txt snort-2.9.2/doc/signatures/2987.txt
--- snort-2.9.0.1/doc/signatures/2987.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2987.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2987
-
---
-Summary:
-This event is generated when an attempt is made to create an AndX entry
-via SMB.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-This event is generated when an attempt is made to create an AndX entry
-via SMB.
-
---
-Affected Systems:
- Windows systems
-
---
-Attack Scenarios:
-An attacker may attempt to bind to the service to manipulate host
-settings then create an entry in the winreg service.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Microsoft Technet
-http://support.microsoft.com/support/kb/articles/q153/1/83.asp
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
-Winreg
-http://www.rutherfurd.net/python/winreg/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2988.txt snort-2.9.2/doc/signatures/2988.txt
--- snort-2.9.0.1/doc/signatures/2988.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2988.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2988
-
---
-Summary:
-This event is generated when an attempt is made to bind to the Windows
-registry service via SMB.
-
---
-Impact:
-Serious. Remote administration of the Windows reqistry may be possible.
-
---
-Detailed Information:
-This event indicates that an attempt was made to bind to the Windows
-registry service via SMB across the network.
-
-It may be possible for an attacker to manipulate the Windows registry
-from a remote location. This could give the attacker administrative
-privileges on the target host as well as the opportunity to execute code
-of their choosing.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-If the Windows registry is accessible via SMB the attacker can
-manipulate the operating system registry settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2989.txt snort-2.9.2/doc/signatures/2989.txt
--- snort-2.9.0.1/doc/signatures/2989.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2989.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-2989
-
---
-Summary:
-This event is generated when an attempt is made to bind to the Windows
-registry service via SMB.
-
---
-Impact:
-Serious. Remote administration of the Windows reqistry may be possible.
-
---
-Detailed Information:
-This event indicates that an attempt was made to bind to the Windows
-registry service via SMB across the network.
-
-It may be possible for an attacker to manipulate the Windows registry
-from a remote location. This could give the attacker administrative
-privileges on the target host as well as the opportunity to execute code
-of their choosing.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-If the Windows registry is accessible via SMB the attacker can
-manipulate the operating system registry settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/298.txt snort-2.9.2/doc/signatures/298.txt
--- snort-2.9.0.1/doc/signatures/298.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/298.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-SID:
-298
---
-
-Rule:
---
-
-Summary:
-This event is triggered when an attempt is made to overflow an imapd server.
---
-
-Impact:
-Commands may be run on the IMAP server as the root user, This can lead to a complete compromise of the targeted system
---
-
-Detailed Information:
-Failure to check the size of the value passed to the 'AUTHENTICATE'
-command on certain IMAPD implementations can lead to a buffer overflow.
-This in turn can allow arbitrary commands to be executed on the server.
---
-
-Affected Systems:
- Netscape Messaging Server 3.55, University of Washington imapd 10.234
---
-
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable imapd server, permitting
-the execution of arbitrary commands possibly with the privilege of user
-"root".
---
-
-Ease of Attack:
-Simple. Sample exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Vendors have provided updated versions, upgrading will resolve this
-problem
-
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2990.txt snort-2.9.2/doc/signatures/2990.txt
--- snort-2.9.0.1/doc/signatures/2990.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2990.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2990
-
---
-Summary:
-This event is generated when an attempt is made to bind to the winreg
-service.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-This event is generated when an attempt is made to bind to the RPC
-service for winreg.
-
---
-Affected Systems:
- Windows systems
-
---
-Attack Scenarios:
-An attacker may attempt to bind to the service to manipulate host
-settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Microsoft Technet
-http://support.microsoft.com/support/kb/articles/q153/1/83.asp
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
-Winreg
-http://www.rutherfurd.net/python/winreg/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2991.txt snort-2.9.2/doc/signatures/2991.txt
--- snort-2.9.0.1/doc/signatures/2991.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2991.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-2991
-
---
-Summary:
-This event is generated when an attempt is made to bind to the winreg
-service.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-This event is generated when an attempt is made to bind to the RPC
-service for winreg.
-
---
-Affected Systems:
- Windows systems
-
---
-Attack Scenarios:
-An attacker may attempt to bind to the service to manipulate host
-settings.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Microsoft Technet
-http://support.microsoft.com/support/kb/articles/q153/1/83.asp
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
-Winreg
-http://www.rutherfurd.net/python/winreg/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2992.txt snort-2.9.2/doc/signatures/2992.txt
--- snort-2.9.0.1/doc/signatures/2992.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2992.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2992
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2993.txt snort-2.9.2/doc/signatures/2993.txt
--- snort-2.9.0.1/doc/signatures/2993.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2993.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2993
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2994.txt snort-2.9.2/doc/signatures/2994.txt
--- snort-2.9.0.1/doc/signatures/2994.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2994.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2994
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2995.txt snort-2.9.2/doc/signatures/2995.txt
--- snort-2.9.0.1/doc/signatures/2995.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2995.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2995
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2996.txt snort-2.9.2/doc/signatures/2996.txt
--- snort-2.9.0.1/doc/signatures/2996.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2996.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2996
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2997.txt snort-2.9.2/doc/signatures/2997.txt
--- snort-2.9.0.1/doc/signatures/2997.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2997.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2997
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2998.txt snort-2.9.2/doc/signatures/2998.txt
--- snort-2.9.0.1/doc/signatures/2998.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2998.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2998
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/2999.txt snort-2.9.2/doc/signatures/2999.txt
--- snort-2.9.0.1/doc/signatures/2999.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/2999.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-2999
-
---
-Summary:
-This event is generated when an attempt is made to shutdown a Windows
-system via SMB.
-
---
-Impact:
-Serious.
-
---
-Detailed Information:
-This event indicates that an attempt was made to shutdown a Windows
-system via SMB across the network.
-
-It may be possible for an attacker to manipulate a Windows system
-from a remote location. Shutting down a system may lead to a Denial of
-Service for the target host.
-
---
-Affected Systems:
- Microsoft Windows systems.
-
---
-Attack Scenarios:
-An attacker may be able to manipulate a target system using SMB. The
-attacker may gain complete control over the affected system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the host for signs of system compromise.
-
-Turn off file and print sharing on the target host.
-
-Use a packet filtering firewall to disallow SMB access to the host from
-sources external to the protected network.
-
-Disallow remote registry manipulation.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/299.txt snort-2.9.2/doc/signatures/299.txt
--- snort-2.9.0.1/doc/signatures/299.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/299.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-SID:
-299
---
-
-Rule:
---
-
-Summary:
-This event is triggered when an attempt is made to overflow an imapd
-server.
---
-
-Impact:
-Commands may be run on the IMAP server as the root user, This can lead
-to a complete compromise of the targeted system
---
-
-Detailed Information:
-Failure to check the size of the value passed to the 'AUTHENTICATE'
-command on certain IMAPD implementations can lead to a buffer overflow.
-This in turn can allow arbitrary commands to be executed on the server.
---
-
-Affected Systems:
- Netscape Messaging Server 3.55, University of Washington imapd 10.234
---
-
-Attack Scenarios:
-An attacker may attempt to exploit a vulnerable imapd server, permitting
-the execution of arbitrary commands possibly with the privilege of user
-"root".
---
-
-Ease of Attack:
-Simple. Sample exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Vendors have provided updated versions, upgrading will resolve this
-problem
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3000.txt snort-2.9.2/doc/signatures/3000.txt
--- snort-2.9.0.1/doc/signatures/3000.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3000.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3000
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3001.txt snort-2.9.2/doc/signatures/3001.txt
--- snort-2.9.0.1/doc/signatures/3001.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3001.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3001
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3002.txt snort-2.9.2/doc/signatures/3002.txt
--- snort-2.9.0.1/doc/signatures/3002.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3002.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3002
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3003.txt snort-2.9.2/doc/signatures/3003.txt
--- snort-2.9.0.1/doc/signatures/3003.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3003.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3003
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition exists in the Microsoft implementation of
-the ASN.1 Library. It may be possible for an attacker to exploit this
-condition by sending specially crafted authentication packets to a host
-running a vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3004.txt snort-2.9.2/doc/signatures/3004.txt
--- snort-2.9.0.1/doc/signatures/3004.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3004.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3004
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3005.txt snort-2.9.2/doc/signatures/3005.txt
--- snort-2.9.0.1/doc/signatures/3005.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3005.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3005
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the Microsoft implementation of the ASN.1 Library.
-
---
-Impact:
-Serious. Execution of arbitrary code, DoS.
-
---
-Detailed Information:
-A buffer overflow condition in the Microsoft implementation of the ASN.1
-Library. It may be possible for an attacker to exploit this condition by
-sending specially crafted authentication packets to a host running a
-vulnerable operating system.
-
-When the taget system decodes the ASN.1 data, exploit code may be included
-in the data that may be excuted on the host with system level privileges.
-Alternatively, the malformed data may cause the service to become
-unresponsive thus causing the DoS condition to occur.
-
---
-Affected Systems:
- Microsoft Windows NT
- Microsoft Windows NT Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
-
-US-CERT
-http://www.us-cert.gov/cas/techalerts/TA04-041A.html
-
-Microsoft
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3006.txt snort-2.9.2/doc/signatures/3006.txt
--- snort-2.9.0.1/doc/signatures/3006.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3006.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3006
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-vulnerability in Freespace 2.
-
---
-Impact:
-A successful attack may present an attacker with the opportunity to
-execute arbitrary code on a vulnerable system.
-
---
-Detailed Information:
-A vulnerability exists in in Freespace 2 that may allow an attacker to
-execute code of their choosing on a vulnerable system.
-
-The problem lies in the handling of data by the client application when
-processing server responses. Proper checks are not performed by the
-client application and large amounts of data in a server response may
-trigger a buffer overflow condition to occur, thus presenting the
-attacker with the opportunity to execute code.
-
---
-Affected Systems:
- Freespace 2
-
---
-Attack Scenarios:
-An attacker may supply a large amount of data containing code of their
-choosing in a server response to client requests.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3007.txt snort-2.9.2/doc/signatures/3007.txt
--- snort-2.9.0.1/doc/signatures/3007.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3007.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-3007
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the DELETE command of the IPSwitch IMail IMAP service.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way that the IPSwitch IMail IMAP service
-handles a DELETE command. An excessively long user-supplied mailbox name
-to be deleted can trigger a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- IPSwitch IMail IMAP4 server 8.13
-
---
-Attack Scenarios:
-An attacker can supply an overly long mailbox name for deletion, possibly causing
-denial of service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3008.txt snort-2.9.2/doc/signatures/3008.txt
--- snort-2.9.0.1/doc/signatures/3008.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3008.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-3008
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the DELETE command of the IPSwitch IMail IMAP service.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way that the IPSwitch IMail IMAP service
-handles a DELETE command. An excessively long user-supplied mailbox name
-to be deleted can trigger a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Affected Systems:
- IPSwitch IMail IMAP4 server 8.13
-
---
-Attack Scenarios:
-An attacker can supply an overly long mailbox name for deletion, possibly causing
-denial of service or a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3009.txt snort-2.9.2/doc/signatures/3009.txt
--- snort-2.9.0.1/doc/signatures/3009.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3009.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,115 +0,0 @@
-Rule:
-
---
-Sid:
-3009
-
---
-Summary:
-This event is generated when an attempt is made to request a connection
-using the NetBus Pro 2.0 Trojan.
-
---
-Impact:
-If connected, the attacker could execute files remotely on your computer,
-capture an image of your desktop, send messages, steal your passwords,
-open and close your CD-ROM, play sounds, print documents, and even
-shutdown or reboot your computer, among many other things. The attacker
-will have almost total control of the PC should he connect successfully.
-
---
-Detailed Information:
-NetBus Pro 2.0 incorporates its own protocol. It uses port 20034 by
-default, but it can be changed by the attacker.
-
-Its packets included a ten byte header followed by the packet's encrypted
-data. The first two bytes of the header are static: 42 4E. The next two
-bytes indicate the size of the packet, followed by two bytes
-for the version number, followed by two random bytes, and the final ninth
-and tenth byte make up the command code. To look for an attack from one of
-these functions, the header of the suspicious packet will look like:
-
- 42 4E S1 S2 V1 V2 R1 R2 C1 C2
-
-NOTE: S1 and S2 are size byte one and size byte two. V1 and V2 are version
-number byte one and version number byte two. R1 and R2 are random bytes
-one and two. C1 and C2 are the command code bytes.
-
-The following is a list of the command codes for many of Net Bus Pro 2.0's
-functions:
-
- Capture Desktop Image: 41 01
- CD-ROM Open and Close: 60 01
- Client Chat: 08 00
- Execute File: 30 01
- Reading Directory Listing: 50 00
- Directory Traversal: 51 00
- Go To URL: 33 01
- Keyboard Tricks: 61 01
- Keylogger: 40 01
- Mouse Tricks: 65 01
- Open Document: 33 01
- Play Sound: 31 01
- Plugin Manager: 90 00
- Print Document: 34 01
- Record Sound: 43 01
- Redirect Application: 10 01
- Redirect Port: 00 01
- Registry Manager: 70 00
- Remote Control: 73 01 and 72 01
- Send Message: 40 00
- Send Text: 64 01
- Show Image: 32 01
- Sound System: 80 00
- System Administrator: 21 00
- System Information: 30 00
- Windows Manager: 60 00
- Any Windows Exit Function(Shutdown, Reboot, etc.): 50 01
-
---
-Affected Systems:
-Windows 95/98/ME/NT/2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files
-because they often can be backdoor programs in disguise.
-
-Once the victim mistakenly installs the server program, the attacker
-will usually employ an IP scanner program to find the IP addresses of
-victims that have installed the program. The attacker then enters the IP
-address, port number (which is assigned to the server program by the
-attacker: default is 20034), and presses the connect button to gain access
-to the targeted system.
-
---
-Ease of Attack:
-Simple. Trojan Horse programs are widely available.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-In order to get rid of it, you will have to uninstall the program,
-deleting the folder and its contents or uninstalling it from the
-Add/Remove Programs option under the control panel. The Trojan usually
-does not attempt to hide itself, making the process of finding it much easier.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-Dark-E:
-http://www.dark-e.com/archive/trojans/netbus/200/index.shtml
-
---
diff -Nru snort-2.9.0.1/doc/signatures/300.txt snort-2.9.2/doc/signatures/300.txt
--- snort-2.9.0.1/doc/signatures/300.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/300.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid: 300
-
---
-Summary:
-This event is generated when a buffer overflow attempt is made against a host running Solaris x86.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-execute arbitrary code or gain remote access to the victim host.
-
---
-Detailed Information:
-A buffer overflow condition exists in the nlps_server daemon on certain versions of Solaris for x86 architecture.
-
-nlps_server is a network listener used for printing services. The buffer overflow can be generated by sending an excessively long string of characters to the daemon on port 2766 followed by the command to be executed.
-
-Affected Systems:
- Solaris 2.4, 2.5 and 2.51 for x86
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2319
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3010.txt snort-2.9.2/doc/signatures/3010.txt
--- snort-2.9.0.1/doc/signatures/3010.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3010.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-3010
-
---
-Summary:
-This event is generated when an attacker attempts to find the victim's
-Windows directory with the RUX the Tick trojan.
-
---
-Impact:
-If successful, the attacker would gain unauthorized access to your
-system, enabling him to upload and execute file on your computer. The
-attacker can use this function to upload additional backdoors to the
-victim's sytem and execute them.
-
---
-Detailed Information:
-When executed, RUX the Tick opens up its assigned port (default is
-22222) for communication with the attacker. RUX the Tick has three
-functions: Get Windows Directory, Get System Directory, and Upload And
-Execute File. Get Windows Directory and Get System Directory are used
-for reconnaissance. Upload And Execute File is mainly used to upload and
-run other backdoors onto the victim's computer.
-
---
-Affected Systems:
- Windows 95/98/ME/NT/2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files
-because they often can be backdoors in disguise. Once the victim
-mistakenly installs the server program, the attacker usually will employ
-an IP scanner program to find the IP addresses of victims that have
-installed the program. Then the attacker enters the IP address, port
-number (which is assigned to the server program by the attacker:
-default is 22222), and presses the connect button and he has access to
-your computer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Using Windows Task Manager, kill these processes: ruxserver.exe and
-server.exe. Use Windows Explorer to find ruxserver.exe and delete the file.
-
-Keep your anti-virus programs updated with the latest definitions.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Ricky Macatee
-
---
-Additional References:
-
-PestPatrol:
-http://www.pestpatrol.com/PestInfo/R/RUX.ASP
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3011.txt snort-2.9.2/doc/signatures/3011.txt
--- snort-2.9.0.1/doc/signatures/3011.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3011.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-3011
---
-Summary:
-This event is generated when an attempt is made to find the System
-directory on a target host with the RUX the Tick Trojan.
-
---
-Impact:
-If successful, the attacker would gain unauthorized access to the system,
-to upload and execute file on the target system. The attacker can use
-this function to upload additional backdoors to the victim's system and
-execute them.
-
---
-Detailed Information:
-When executed, RUX the Tick opens up its assigned port (default is
-22222) for communication with the attacker. RUX the Tick has three
-functions: Get Windows Directory, Get System Directory, and Upload And
-Execute File. Get Windows Directory and Get System Directory are used
-for reconnaissance. Upload And Execute File is mainly used to upload and
-run other backdoors onto the victim's computer.
-
---
-Affected Systems:
- Windows 95/98/ME/NT/2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files
-because they often can be backdoors in disguise. Once the victim
-mistakenly installs the server program, the attacker usually will employ
-an IP scanner program to find the IP addresses of victims that have
-installed the program. Then the attacker enters the IP address, port
-number (which is assigned to the server program by the attacker:
-default is 22222), and presses the connect button and he has access to
-the computer.
-
---
-
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe.
-Use Windows Explorer to find ruxserver.exe and delete the file.
-
-Keep anti-virus programs updated with the latest definitions.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-PestPatrol:
-http://www.pestpatrol.com/PestInfo/R/RUX.ASP
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3012.txt snort-2.9.2/doc/signatures/3012.txt
--- snort-2.9.0.1/doc/signatures/3012.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3012.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-3012
---
-Summary:
-This event is generated when an attacker attempts to remotely upload and
-execute a file with the RUX the Tick trojan.
-
---
-Impact:
-If successful, the attacker would gain unauthorized access to an
-affected system, enabling him to upload and execute file on the machine.
-The attacker can use this function to upload additional backdoors to the
-victim's sytem and execute them.
-
---
-Detailed Information:
-When executed, RUX the Tick opens up its assigned port (default is
-22222) for communication with the attacker. RUX the Tick has three
-functions: Get Windows Directory, Get System Directory, and Upload And
-Execute File.
-
-Get Windows Directory and Get System Directory are used for
-reconnaissance. Upload And Execute File is mainly used to upload and run
-other backdoors onto the victim's computer.
-
---
-Affected Systems:
- Windows 95/98/ME/NT/2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files
-because they often can be backdoors in disguise. Once the victim
-mistakenly installs the server program, the attacker usually will employ
-an IP scanner program to find the IP addresses of victims that have
-installed the program. Then the attacker enters the IP address, port
-number (which is assigned to the server program by the attacker:
-default is 22222), and presses the connect button and he has access to
-the computer.
-
---
-Ease of Attack:
-Simple.
-
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe
-Use Windows Explorer to find ruxserver.exe and delete the file.
-
-This program may hide itself in the process list and can use different
-names and can exist in many locations on an infected machine.
-
-Keep anti-virus programs updated with the latest definitions.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-PestPatrol:
-http://www.pestpatrol.com/PestInfo/R/RUX.ASP
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3013.txt snort-2.9.2/doc/signatures/3013.txt
--- snort-2.9.0.1/doc/signatures/3013.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3013.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,85 +0,0 @@
-Rule:
-
---
-Sid:
-3013
---
-Summary:
-This event is generated when an attacker attempts to connect to the
-victim using the Asylum 0.1 trojan.
-
---
-Impact:
-If successful, the attacker would gain unauthorized access to the
-system, enabling him to upload and execute files on the computer and
-reboot it at will, resulting in a full compromise of the victim's computer.
-
---
-Detailed Information:
-When executed, Asylum 0.1 opens up its assigned port (default is 23432)
-for communication with the attacker. Asylum 0.1 has four functions:
-Upload File, Open File, Reboot Computer, and Remove Server.
-
-Upload File: Look for traffic on port 23432 containing UPL followed by a file location.
-Open File: Look for traffic on port 23432 containing RUN followed by a file location.
-Reboot: Look for the string "RBT" on port 23432.
-Remove Server: Look for the string "DIE" on port 23432.
-
---
-Affected Systems:
-Windows 95/98/ME/NT/2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files
-because they often can be backdoors in disguise. Once the victim
-mistakenly installs the server program, the attacker usually will employ
-an IP scanner program to find the IP addresses of victims that have
-installed the program. Then the attacker enters the IP address, port
-number (which is assigned to the server program by the attacker:
-default is 23432), and presses the connect button and he has access to
-the computer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-
-Delete the System Administration key (if found) in
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
-
-Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe
-
-Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe
-
-Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe.
-
-Keep anti-virus programs updated with the latest definitions.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-PestPatrol:
-http://www.pestpatrol.com/PestInfo/A/Asylum.asp
-
-Dark-E:
-http://www.dark-e.com/archive/trojans/asylum/01/index.shtml
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3014.txt snort-2.9.2/doc/signatures/3014.txt
--- snort-2.9.0.1/doc/signatures/3014.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3014.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,81 +0,0 @@
-Rule:
-
---
-Sid:
-3014
-
---
-Summary:
-This event is generated when a victim host attempts to send a connection
-confirmation to an attacker using the Asylum 0.1 trojan.
-
---
-Impact:
-If successful, the attacker would gain unauthorized access to your system, enabling him to upload and execute files on your
-computer and reboot it at will, resulting in a full compromise of the victim's computer.
-
---
-Detailed Information:
-When executed, Asylum 0.1 opens up its assigned port (default is 23432) for communication with the attacker.
-Asylum 0.1 has four functions: Upload File, Open File, Reboot Computer, and Remove Server.
-
-Upload File: Look for traffic on port 23432 containing UPL followed by a file location.
-Open File: Look for traffic on port 23432 containing RUN followed by a file location.
-Reboot: Look for the string "RBT" on port 23432.
-Remove Server: Look for the string "DIE" on port 23432.
-
---
-Affected Systems:
-Windows 95/98/ME/NT/2000
-
---
-
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which
-is assigned to the server program by the attacker: default is 23432), and presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Easy. Simply a matter of pressing the connect button once the victim has installed the server.
-
-
---
-
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Delete the System Administration key (if found) in
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
-
-Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe
-
-Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe
-
-Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe.
-
-Keep your anti-virus programs updated with the latest definitions.
-
---
-Contributors:
-Original Rule Writer: Ricky Macatee
-Sourcefire Research Team
-
---
-Additional References:
-http://www.pestpatrol.com/PestInfo/A/Asylum.asp
-http://www.dark-e.com/archive/trojans/asylum/01/index.shtml
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3015.txt snort-2.9.2/doc/signatures/3015.txt
--- snort-2.9.0.1/doc/signatures/3015.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3015.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-3015
---
-Summary:
-This event is generated when an attempt is made to request a connection on port 2000 using the Insane Network 4.0 trojan.
-
---
-
-Impact:
-If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine.
-
---
-Detailed Information:
-Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist.
-Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack.
-Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example,
-to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets.
-
-Format: Name of function (Description of what it does *only if necessary*) - string to look for
-
-Bomb ("Bombs" monitor) - bomb
-Snow (Makes monitor snowy) - snow
-Melt ("Melts" the screen) - melt
-Reverse (Reverses screen) - reverse
-Copy File - cp followed by a file name and the destination path
-Ctrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable)
-Delete File - rm followed by a file name, including path
-File List - ls followed by directory
-File Sharing (Gets shared file password information) - share
-Dial-Up Passwords (Get Dial-up password information) - passwd
-Make Text File - mktext
-Popup Message - popup
-Read File - cat followed by a file name, including path
-Reboot - reboot
-Registry Edit - regrun
-Rename File - ren followed by a file and its new name
-Run File - exec followed by a file name, including path
-Shutdown - shutdown
-Taskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable)
-Telnet - telnet
-
---
-Affected Systems:
-Windows 95/98/ME/NT/2000
-
---
-
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which
-is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Easy. Simply a matter of pressing the connect button once the victim has installed the server.
-
-
---
-
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Remove insane network.exe and commands.txt
-Kill insane network.exe in the process list
-
-Keep your anti-virus software updated with the latest virus definitions.
-
---
-Contributors:
-Original Rule Writer: Ricky Macatee
-Sourcefire Research Team
-
---
-Additional References:
-http://www.pestpatrol.com/PestInfo/i/insane_network.asp
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3016.txt snort-2.9.2/doc/signatures/3016.txt
--- snort-2.9.0.1/doc/signatures/3016.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3016.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@
-Rule:
-
---
-Sid:
-3016
---
-Summary:
-This event is generated when an attempt is made to request a connection on port 63536 using the Insane Network 4.0 trojan.
-
---
-
-Impact:
-If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine.
-
---
-Detailed Information:
-Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist.
-Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack.
-Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example,
-to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets.
-
-Format: Name of function (Description of what it does *only if necessary*) - string to look for
-
-Bomb ("Bombs" monitor) - bomb
-Snow (Makes monitor snowy) - snow
-Melt ("Melts" the screen) - melt
-Reverse (Reverses screen) - reverse
-Copy File - cp followed by a file name and the destination path
-Ctrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable)
-Delete File - rm followed by a file name, including path
-File List - ls followed by directory
-File Sharing (Gets shared file password information) - share
-Dial-Up Passwords (Get Dial-up password information) - passwd
-Make Text File - mktext
-Popup Message - popup
-Read File - cat followed by a file name, including path
-Reboot - reboot
-Registry Edit - regrun
-Rename File - ren followed by a file and its new name
-Run File - exec followed by a file name, including path
-Shutdown - shutdown
-Taskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable)
-Telnet - telnet
-
---
-Affected Systems:
-Windows 95/98/ME/NT/2000
-
---
-
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which
-is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Easy. Simply a matter of pressing the connect button once the victim has installed the server.
-
-
---
-
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-Remove insane network.exe and commands.txt
-Kill insane network.exe in the process list
-
-Keep your anti-virus software updated with the latest virus definitions.
-
---
-Contributors:
-Original Rule Writer: Ricky Macatee
-Sourcefire Research Team
-
---
-Additional References:
-http://www.pestpatrol.com/PestInfo/i/insane_network.asp
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3017.txt snort-2.9.2/doc/signatures/3017.txt
--- snort-2.9.0.1/doc/signatures/3017.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3017.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-3017
-
---
-Summary:
-An oversized request was sent to a WINS server.
-
---
-Impact:
-Client-supplied data is written to client-specified locations in memory,
-allowing for arbitrary code execution. Since WINS servers run with
-administrative privileges, this allows an attacker to gain
-administrative access remotely without any prior authentication.
-
---
-Detailed Information:
-Vulnerable WINS servers write client-supplied data to a client-supplied
-memory address. This allows clients to supply arbitrary code for
-execution with administrative privileges. This attack does not require authentication.
-
-In order to reduce false positives, the rule looks for requests that are
-greater than 204 bytes. As the maximum length of a hostname is 192
-bytes, and a standard request has 12 bytes of headers, no standard
-request should exceed this length. Additionally, this rule checks to see
-if particular flags that are required to exploit this vulnerability are
-set in the client request.
-
---
-Affected Systems:
-Microsoft Windows servers running the WINS service.
-
---
-Attack Scenarios:
-Since WINS clients are programmed to not exceed the maximum length for a
-request, an attacker would need to use a script which generated
-malformed WINS requests.
-
---
-Ease of Attack:
-Simple; exploits exist.
-
---
-False Positives:
-This rule will generate false positives when replication occurs.
-Additionally, there may be unknown scenarios which generate false positives.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-See the Microsoft Knowledge Base article referenced below.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Alex Kirk
-
---
-Additional References:
-http://support.microsoft.com/kb/890710
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3018.txt snort-2.9.2/doc/signatures/3018.txt
--- snort-2.9.0.1/doc/signatures/3018.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3018.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3018
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3019.txt snort-2.9.2/doc/signatures/3019.txt
--- snort-2.9.0.1/doc/signatures/3019.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3019.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3019 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/301.txt snort-2.9.2/doc/signatures/301.txt --- snort-2.9.0.1/doc/signatures/301.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/301.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 301 - --- -Summary: -This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng. - --- -Impact: -System compromize presenting the attacker with escalated system privileges . - --- -Detailed Information: -LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root). - -Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation. - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Disallow access to LPRng port 515 from external sources using a packet filtering firewall. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/1712 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 - --- diff -Nru snort-2.9.0.1/doc/signatures/3020.txt snort-2.9.2/doc/signatures/3020.txt --- snort-2.9.0.1/doc/signatures/3020.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3020.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3020 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3021.txt snort-2.9.2/doc/signatures/3021.txt --- snort-2.9.0.1/doc/signatures/3021.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3021.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3021 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3022.txt snort-2.9.2/doc/signatures/3022.txt --- snort-2.9.0.1/doc/signatures/3022.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3022.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3022 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3023.txt snort-2.9.2/doc/signatures/3023.txt --- snort-2.9.0.1/doc/signatures/3023.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3023.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3023 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3024.txt snort-2.9.2/doc/signatures/3024.txt --- snort-2.9.0.1/doc/signatures/3024.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3024.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3024 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3025.txt snort-2.9.2/doc/signatures/3025.txt --- snort-2.9.0.1/doc/signatures/3025.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3025.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3025 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3026.txt snort-2.9.2/doc/signatures/3026.txt --- snort-2.9.0.1/doc/signatures/3026.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3026.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3026 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3027.txt snort-2.9.2/doc/signatures/3027.txt --- snort-2.9.0.1/doc/signatures/3027.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3027.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3027 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3028.txt snort-2.9.2/doc/signatures/3028.txt --- snort-2.9.0.1/doc/signatures/3028.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3028.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3028 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3029.txt snort-2.9.2/doc/signatures/3029.txt --- snort-2.9.0.1/doc/signatures/3029.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3029.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3029 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/302.txt snort-2.9.2/doc/signatures/302.txt --- snort-2.9.0.1/doc/signatures/302.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/302.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 301 - --- -Summary: -This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng on RedHat systems. - --- -Impact: -System compromize presenting the attacker with escalated system privileges . - --- -Detailed Information: -LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root). - -Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation. - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Disallow access to LPRng port 515 from external sources using a packet filtering firewall. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/1712 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 - --- diff -Nru snort-2.9.0.1/doc/signatures/3030.txt snort-2.9.2/doc/signatures/3030.txt --- snort-2.9.0.1/doc/signatures/3030.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3030.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3030 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3031.txt snort-2.9.2/doc/signatures/3031.txt --- snort-2.9.0.1/doc/signatures/3031.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3031.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3031 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3032.txt snort-2.9.2/doc/signatures/3032.txt --- snort-2.9.0.1/doc/signatures/3032.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3032.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3032 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3033.txt snort-2.9.2/doc/signatures/3033.txt --- snort-2.9.0.1/doc/signatures/3033.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3033.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3033 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3034.txt snort-2.9.2/doc/signatures/3034.txt --- snort-2.9.0.1/doc/signatures/3034.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3034.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3034 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a Samba implementation. - --- -Impact: -Serious. Possible execution of arbitrary code. - --- -Detailed Information: -Samba is a file and print serving system for heterogenous networks. It -is available for use as a service and client on UNIX/Linux systems and as -a client for Microsoft Windows systems. - -Samba uses the SMB/CIFS protocols to allow communication between client -and server. The SMB protocol contains many commands and is commonly used -to control network devices and systems from a remote location. A -vulnerability exists in the way the smb daemon processes commands sent by -a client system when accessing resources on the remote server.The problem -exists in the allocation of memory which can be exploited by an attacker -to cause an integer overflow, possibly leading to the execution of -arbitrary code on the affected system with the privileges of the user -running the smbd process. - --- -Affected Systems: - Samba 3.0.8 and prior - --- -Attack Scenarios: -An attacker needs to supply specially crafted data to the smb daemon to -overflow a buffer containing the information for the access control lists -to be applied to files in the smb query. - --- -Ease of Attack: -Difficult. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3035.txt snort-2.9.2/doc/signatures/3035.txt --- snort-2.9.0.1/doc/signatures/3035.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3035.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3035
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3036.txt snort-2.9.2/doc/signatures/3036.txt
--- snort-2.9.0.1/doc/signatures/3036.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3036.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3036
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3037.txt snort-2.9.2/doc/signatures/3037.txt
--- snort-2.9.0.1/doc/signatures/3037.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3037.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3037
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3038.txt snort-2.9.2/doc/signatures/3038.txt
--- snort-2.9.0.1/doc/signatures/3038.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3038.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3038
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3039.txt snort-2.9.2/doc/signatures/3039.txt
--- snort-2.9.0.1/doc/signatures/3039.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3039.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3039
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/303.txt snort-2.9.2/doc/signatures/303.txt
--- snort-2.9.0.1/doc/signatures/303.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/303.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
---
-Sid:
-303
-
---
-Summary:
-A specific inverse query has been performed against your DNS server as a
-precursor to a possible transaction signature (TSIG) buffer overflow
-attack.
-
---
-Impact:
-attempt to gain access to information required for the TSIG exploit. A
-TSIG buffer overflow exploit attempt will usually follow if there is a
-response to the inverse query.
-
-
---
-Detailed Information:
-This is an attempt to perform a specific DNS inverse query against your
-DNS server. While this specific action is not harmful itself, it
-signals a precusor to a possible buffer overflow attack for a TSIG
-vulernability. The inverse query is performed for reconnaissance for
-the TSIG attack.
-
---
-Affected Systems:
-BIND Versions 4 and through 8.2 are susceptible to the inverse query
-information leak.
-
-
---
-Attack Scenarios:
-The envisioned scenario is that if a DNS server responds to the inverse
-query and leaks information required in the actual attack, the exploit
-code then attacks the TSIG buffer overflow vulnerability. If this is
-successful, the attacker gains access to the DNS server at the privilege
-of the DNS daemon, named (potentially root).
-
-
---
-Ease of Attack:
-Code is available to exploit the vulnerability.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-A user could change the exploit code. For instance, a user could change
-the DNS identification number in the code to be something other than
-0xABCD and the rule would not fire.
-
---
-Corrective Action:
-Update to BIND versions greater than 8.2 to prevent the information
-leak.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2302
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010
-
-Arachnids:
-http://www.whitehats.com/info/IDS482
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3040.txt snort-2.9.2/doc/signatures/3040.txt
--- snort-2.9.0.1/doc/signatures/3040.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3040.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3040
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3041.txt snort-2.9.2/doc/signatures/3041.txt
--- snort-2.9.0.1/doc/signatures/3041.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3041.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3041
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Samba implementation.
-
---
-Impact:
-Serious. Possible execution of arbitrary code.
-
---
-Detailed Information:
-Samba is a file and print serving system for heterogenous networks. It
-is available for use as a service and client on UNIX/Linux systems and as
-a client for Microsoft Windows systems.
-
-Samba uses the SMB/CIFS protocols to allow communication between client
-and server. The SMB protocol contains many commands and is commonly used
-to control network devices and systems from a remote location. A
-vulnerability exists in the way the smb daemon processes commands sent by
-a client system when accessing resources on the remote server.The problem
-exists in the allocation of memory which can be exploited by an attacker
-to cause an integer overflow, possibly leading to the execution of
-arbitrary code on the affected system with the privileges of the user
-running the smbd process.
-
---
-Affected Systems:
- Samba 3.0.8 and prior
-
---
-Attack Scenarios:
-An attacker needs to supply specially crafted data to the smb daemon to
-overflow a buffer containing the information for the access control lists
-to be applied to files in the smb query.
-
---
-Ease of Attack:
-Difficult.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3042.txt snort-2.9.2/doc/signatures/3042.txt
--- snort-2.9.0.1/doc/signatures/3042.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3042.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3042
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3043.txt snort-2.9.2/doc/signatures/3043.txt
--- snort-2.9.0.1/doc/signatures/3043.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3043.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3043
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3044.txt snort-2.9.2/doc/signatures/3044.txt
--- snort-2.9.0.1/doc/signatures/3044.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3044.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3044
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3045.txt snort-2.9.2/doc/signatures/3045.txt
--- snort-2.9.0.1/doc/signatures/3045.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3045.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3045
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3046.txt snort-2.9.2/doc/signatures/3046.txt
--- snort-2.9.0.1/doc/signatures/3046.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3046.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3046
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3047.txt snort-2.9.2/doc/signatures/3047.txt
--- snort-2.9.0.1/doc/signatures/3047.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3047.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3047
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3048.txt snort-2.9.2/doc/signatures/3048.txt
--- snort-2.9.0.1/doc/signatures/3048.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3048.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3048
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3049.txt snort-2.9.2/doc/signatures/3049.txt
--- snort-2.9.0.1/doc/signatures/3049.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3049.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3049
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/304.txt snort-2.9.2/doc/signatures/304.txt
--- snort-2.9.0.1/doc/signatures/304.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/304.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 304
-
---
-Summary:
-This event is genereated when an attempt to overflow the buffer of a SCO server is attempted.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
-
---
-Detailed Information:
-Some versions of SCO UNIX Calserver are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
-
-Affected Systems:
- SCO Internet faststart 1.0, 1.1
- SCO Open Server 5.0, 5.0.2, 5.0.3 and 5.0.4
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply vendor supplied patches.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306
-
-Bugtraq:
-http://www.securityfocus.com/bid/2353
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3050.txt snort-2.9.2/doc/signatures/3050.txt
--- snort-2.9.0.1/doc/signatures/3050.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3050.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3050
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3051.txt snort-2.9.2/doc/signatures/3051.txt
--- snort-2.9.0.1/doc/signatures/3051.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3051.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-3051
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Ethereal.
-
---
-Impact:
-Serious. Denial of Service (DoS).
-
---
-Detailed Information:
-Ethereal is a multi-platform network protocol analyser capable of
-displaying network data to the user in a graphical user interface.
-
-An error in the processing of access control lists (ACLs) concerning the
-size of the access control entries (ACEs) may lead to a Denial of Service
-(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
-the ACE given in the packet during processing. If a sufficiently large ACL
-structure is supplied combined with a specified ACE size of 0, it is
-possible to cause the DoS condition to occur.
-
---
-Affected Systems:
- Ethereal 0.10.7 and prior
-
---
-Attack Scenarios:
-An attacker needs to craft packet data containing large NT ACLs, the
-attacker then needs to specify one of the ACEs as having a size of 0.
-
---
-Ease of Attack:
-Moderate.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3052.txt snort-2.9.2/doc/signatures/3052.txt
--- snort-2.9.0.1/doc/signatures/3052.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3052.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3052 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3053.txt snort-2.9.2/doc/signatures/3053.txt --- snort-2.9.0.1/doc/signatures/3053.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3053.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3053 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3054.txt snort-2.9.2/doc/signatures/3054.txt --- snort-2.9.0.1/doc/signatures/3054.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3054.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3054 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3055.txt snort-2.9.2/doc/signatures/3055.txt --- snort-2.9.0.1/doc/signatures/3055.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3055.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3055 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3056.txt snort-2.9.2/doc/signatures/3056.txt --- snort-2.9.0.1/doc/signatures/3056.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3056.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3056 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3057.txt snort-2.9.2/doc/signatures/3057.txt --- snort-2.9.0.1/doc/signatures/3057.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3057.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3057 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Ethereal. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Ethereal is a multi-platform network protocol analyser capable of -displaying network data to the user in a graphical user interface. - -An error in the processing of access control lists (ACLs) concerning the -size of the access control entries (ACEs) may lead to a Denial of Service -(DoS) condition in Ethereal. The ACL parsing routine trusts the size of -the ACE given in the packet during processing. If a sufficiently large ACL -structure is supplied combined with a specified ACE size of 0, it is -possible to cause the DoS condition to occur. - --- -Affected Systems: - Ethereal 0.10.7 and prior - --- -Attack Scenarios: -An attacker needs to craft packet data containing large NT ACLs, the -attacker then needs to specify one of the ACEs as having a size of 0. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patch - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3058.txt snort-2.9.2/doc/signatures/3058.txt --- snort-2.9.0.1/doc/signatures/3058.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3058.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -3058 - --- -Summary: -This event is generated when a remote user sends an overly long string -to an IMAP server via the command COPY. This may indicate an attempt to -exploit a buffer overflow condition. - --- -Impact: -Serious. Possible remote execution of arbitrary code, which may lead to -a remote root compromise. - --- -Detailed Information: -When a large amount of data is sent to a vulnerable IMAP server in the -COPY command, a buffer overflow condition may occur. This can allow the -attacker to execute arbitrary code, which may allow the attacker to gain -root access to the compromised server. - -The attacker must use a valid IMAP account to exploit this condition. - --- -Affected Systems: - IMAP servers - --- -Attack Scenarios: -An attacker can send a sufficiently long COPY command to the IMAP -server, creating a buffer overflow condition. This can then allow the -attacker to execute code of their choosing and possibly gain root access -to the compromised server. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate patches for your operating system. - -Check the host for signs of compromise. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3059.txt snort-2.9.2/doc/signatures/3059.txt --- snort-2.9.0.1/doc/signatures/3059.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3059.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3059 - --- -Summary: -This event is generated when an attempt is made to initiate a TLS -connection via SSL version 2. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule indicates that an attempt has been made to initiate a TLS -connection via SSL v2. This rule should not generate an event. - --- -Affected Systems: - All implementations using SSL. - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/305.txt snort-2.9.2/doc/signatures/305.txt --- snort-2.9.0.1/doc/signatures/305.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/305.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 305 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow condition in ElectroTechnical Laboratories Delegate proxy server. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host with the privileges of the root user. - --- -Detailed Information: -Numerous buffer overflow conditions exist in ElectroTechnical Laboratories Delegate proxy server. It is possible for a remote attacker to gain a root shell on the victim host. - -Affected Systems: - ETL Delegate 5.9.x - ETL Delegate 6.0.x - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original rule writer unkown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0165 - -Bugtraq: -http://www.securityfocus.com/bid/808 - --- diff -Nru snort-2.9.0.1/doc/signatures/3060.txt snort-2.9.2/doc/signatures/3060.txt --- snort-2.9.0.1/doc/signatures/3060.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3060.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3060 - --- -Summary: -This event is generated when an attempt is made to initiate a TLS -connection via SSL version 2. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule indicates that an attempt has been made to initiate a TLS -connection via SSL v2. This rule should not generate an event. - --- -Affected Systems: - All implementations using SSL. - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3061.txt snort-2.9.2/doc/signatures/3061.txt --- snort-2.9.0.1/doc/signatures/3061.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3061.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3061 - --- -Summary: -This event is generated when an attempt is made to connect to the distcc -daemon. - --- -Impact: -Serious. Execution of arbitrary commands may be possible. - --- -Detailed Information: -Distcc is an open source distributed C/C++ compiler that can be used -to compile code on remote hosts that run the distcc daemon. A vulnerability -exists in the handling of commands that are generated via a distcc client. The -server does not ensure that compile commands only are sent to it. A command -sequence can be created that executes commands on a vulnerable server. No -authentication is required to execute a command on a distcc server. - --- -Affected Systems: - 2.18.3 and prior - --- -Attack Scenarios: -An attacker can generated a valid distcc command sequence that executes -a command other than a compile on a vulnerable distcc server. - --- -Ease of Attack: -Simple. - --- -False Positives: -This is a policy rule and requires proper customization for the -variable $EXTERNAL_NET for sites that allow distcc traffic from -remote hosts. The $EXTERNAL_NET variable should be replaced with -the IP address(es) of unauthorized client hosts only. - --- -False Negatives: -None known. - --- -Corrective Action: -Use the --allow option when starting the distcc daemon -to specify authorized client hosts. - --- -Contributors: -Sourcefire Vulnerability Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3062.txt snort-2.9.2/doc/signatures/3062.txt --- snort-2.9.0.1/doc/signatures/3062.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3062.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: -3062 - --- -Summary: -This event is generated when an attempt is made to access the -delhomepage.cgi script which contains known vulnerabilities and -is resident on Netscreen SA 5000 devices. - --- -Impact: -Information gathering and possible cross site scripting attack. - --- -Detailed Information: -This event is generated when an attempt is made to access the -delhomepage.cgi script which is known to be vulnerable to a cross site -scripting attack - --- -Affected Systems: - Netscreen SA 5000 - --- -Attack Scenarios: -An attacker can supply code of their choosing to a client system by -using the cgi script as part of a cross site scripting attack. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Matt Watchinski -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3063.txt snort-2.9.2/doc/signatures/3063.txt --- snort-2.9.0.1/doc/signatures/3063.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3063.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,133 +0,0 @@ -Rule: - --- -Sid: -3063 - --- -Summary: -This event is generated when an attempt is made to request a connection using -the Vampire 1.2 trojan. - --- -Impact: -If connected, the attacker could execute a multitude of functions resulting in a -complete compromise of the victim's machine. - --- -Detailed Information: -Vampire 1.2 uses port 1020 by default. This port cannot be changed by the attacker. - -The following is a list of the commands for many of Vampier 1.2's functions -(Command Name: Command String): - -Chat With Victim: chat -Clear Recent Folder: cleardoc -Close Windows: endwin -Corrupt File: currfile -Crazy Mouse: crazy -Delete Directory: deletedir -Delete File: delete -Disk Space Left: space -Disable CTRL-ALT-DEL: ctrldisable -Enable CTRL-ALT-DEL: ctrlenable -Fill Hard Drive: fillhd -Find File: findfiles -Format: format -Get Active Windows: getact -Get ICQ Number: geticq -Get Local Time: gettime -Get Operating System: getos -Get Server Path: getpath -Get System Owner: getowner -Get Temp Directory: gettemp -Get Windows Directory: getwin -Get Current User: getname -Get Disk Serial Number: getserial -Get Hard Drive: gethd -Get Organization: getorg -Hang Up Modem: hangup -ISP Account Info: ispinfo -Kill Window: killtask\ -Logoff: logoff -Make Directory: makedir -Monitor Off: monitoroff -Monitor On: monitoron -Hide Mouse: hidemouse -Show Mouse: showmouse -Open Control Panel: panel -Open Date And Time: date -Open CD-ROM: cdopen -Close CD-ROM: cdclose -Open URL: www\ -Ping: ping -Read A Drive: reada -Reboot: reboot -Kill Registry: regfuck -Run Program: run -Screenshot: screenshot -Send Keys: text -Send Message: sndmsg -Set Computer Name: pcname -Set Volume Label: setvolumelabel -Shutdown: shutdown -Hide Task Bar: hidetask -Show Task Bar: showtask -Wacky CR-ROM: wackycd --- -Affected Systems: -Windows 95/98/ME - --- - -Attack Scenarios: -The victim must first install the server. 
Be wary of suspicious files because -they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually -will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the -attacker enters the IP address and -presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has -installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -In order to get rid of it, you must kill the following processes: -vampire.exe or (if not there) server.exe - -You must delete the following files from your hard drive: -vampire.exe or (if not there) server.exe - -Keep your anti-virus software updated. - --- -Contributors: -Original Rule Writer: Ricky Macatee -Sourcefire Research Team - --- -Additional References: - -Pestpatrol: -http://www.pestpatrol.com/pestinfo/v/vampire_1_2.asp - -Dark-E: -http://www.dark-e.com/archive/trojans/vampire/index.shtml - --- diff -Nru snort-2.9.0.1/doc/signatures/3064.txt snort-2.9.2/doc/signatures/3064.txt --- snort-2.9.0.1/doc/signatures/3064.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3064.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,158 +0,0 @@ -Rule: - --- -Sid: -3064 - --- -Summary: -This event is generated when an attempt is made by the victim to send a -connection confirmation to the attacker using the CrazzyNet trojan. - --- -Impact: -If connected, the attacker could remotetly execute a multitude of functions -resulting in a full compromise of the victim's machine. - --- -Detailed Information: -CrazzyNet uses port 17499. CrazzyNet has a number of functions. Each function is -associated with an attack signal string -that is sent to the victim. Be suspicious of the following strings: - -Format: Function Name - String To Look For - -Add Line To File - addlin -Overwrite File With Added Line - ovwlin -Add Icon To Desktop - addico -Beep Sound - sndbep -Change Windows Control Text - chgawc -Change Resolution - chgres -Chat - chatwy -Get Clipboard Text - clpget -Crazy Mouse On - crazym;1 -Crazy Mouse Off - crazym;0 -Delete File/Directory - delete -Remove Windows Functions - remwma;0 -Download File - getfil -Disable Ctl-Alt-Del - discad;0 -Enable Ctl-Alt-Del - discad;1 -Disable Windows Startup - wndsas;0 -Enable Windows Startup - wndsas;1 -Find Files - findfi -Format - format -Get Colors - getcol -Get Computer Name - getcon -Set Computer Name - setcon -Get Date - gettad -Set Date - settad -Get Internet Explorer Start Page - geties -Set Internet Explorer Start Page - chgies -Get Mouse Position - getpos -Set Mouse Position - setmse -Get Clients Connected - geticc -Get Computer Information - getinf -Hide Picture - hidpic -List Installed Programs - asplst -Keylogger - keylog;1 -Kill Mouse - kilmse -List Files And Directories - nextdr -List ICQ - icqlst -List Of Apps - lstapp -Make Directory - makdir -Monitor On - onmoni -Monitor Off - ofmoni -Get Mouse Double Click Time - getdcl -Set Mouse Double Click Time - setdcl -Open CD - opencd -Close CD - closcd -Ping - *ICMP Packet* Echo this string of data -Play Sound - playsd -Print Text - printt -Refresh File Listing - refdir -Run File - runfil 
-Screen Dump - screen -Get Screensaver - getfon -Set Screensaver - setscr -Enable Scrolling Text - scroll -Disable Scrolling Text - sscrol -Send To URL - senurl -Send Key - runkey -Send Message - msgbox -Set Clipboard Text - clpset -Set Desktop Image - chgdes -Show Clock - sclock;1 -Hide Clock - sclock;0 -Show Desktop Icons - deskic;1 -Hide Desktop Icons - deskic;0 -Show Start Bar - startb;1 -Hide Start Bar - startb;0 -Show Task Bar - sotask -Hide Task Bar - hitask -Show Task Bar Icons - staskb;1 -Hide Task Bar Icons - staskb;0 -Show Picture - shopic -Start CD loop - cdloop;1 -Stop CD loop - cdloop;0 -Steal Passwords - geticp -Swap Mouse Buttons On - swpmse;1 -Swap Mouse Buttons Off - swpmse;0 -Terminate Application - terapp -Get Text Box Cursor Blink Rate - getret -Set Text Box Cursor Blink Rate - setret -Upload File - uplfil -Change Volume - volume -Warp On - warpon -Warp Off - warpof -List Windows - wndlst - -- -Affected Systems: -Windows 95/98/ME/NT/2000 - --- - -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files because -they often can be backdoors in disguise. -Once the victim has unknowingly installed the server, the attacker will usually -employ an IP scanner tool to find vulnerable -systems. Once an IP is found, the attacker simply has to make the connection. --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has -installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -CrazzyNet copies itself to C:\WINDOWS\Registry32.exe -Delete the registry key Reg32=Registry32.exe found in -HKCUU\Software\Microsoft\Windows\CurrentVersion\Run -Delete Registry32.exe from Win.ini and System.ini -If found, delete Registry32.exe and server.exe -Make sure to keep your virus definitions updated on your anti-virus software. 
- --- -Contributors: -Original Rule Writer: Ricky Macatee -Sourcefire Research Team - --- -Additional References: - -Pestpatrol: -http://www.pestpatrol.com/PestInfo/C/CrazzyNet.asp - --- diff -Nru snort-2.9.0.1/doc/signatures/3065.txt snort-2.9.2/doc/signatures/3065.txt --- snort-2.9.0.1/doc/signatures/3065.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3065.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3065 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"append" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3066.txt snort-2.9.2/doc/signatures/3066.txt --- snort-2.9.0.1/doc/signatures/3066.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3066.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3066 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"append" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3067.txt snort-2.9.2/doc/signatures/3067.txt --- snort-2.9.0.1/doc/signatures/3067.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3067.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -3067 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"examine" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - -In the case of Ipswitch IMail, an overly long mailbox name supplied as a -parameter to the examine command may be a trigger condition of a buffer -overflow. A name of 259 bytes or more may cause this to occur. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - Ipswitch IMail 8.1.3 - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. 
- --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3068.txt snort-2.9.2/doc/signatures/3068.txt --- snort-2.9.0.1/doc/signatures/3068.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3068.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -3068 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"examine" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - -In the case of Ipswitch IMail, an overly long mailbox name supplied as a -parameter to the examine command may be a trigger condition of a buffer -overflow. A name of 259 bytes or more may cause this to occur. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - Ipswitch IMail 8.1.3 - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. 
- --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3069.txt snort-2.9.2/doc/signatures/3069.txt --- snort-2.9.0.1/doc/signatures/3069.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3069.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3069 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"fetch" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/306.txt snort-2.9.2/doc/signatures/306.txt --- snort-2.9.0.1/doc/signatures/306.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/306.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: 306 - --- -Summary: -This event is generated when an attempt is made to exploit a vulnerability in VQ Server to cause a Denial of Service (DoS). - --- -Impact: -Serious. A Denial of Service on the target server is possible. - --- -Detailed Information: -vqServer is a personal web server that runs on Microsoft Windows, Linux and Solaris. Version 1.4.49 suffers from a DoS condition if a long GET request is issued to the server. - -Affected Systems: - vqServer 1.4.49 - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/1610 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0766 - -vqSoft: -http://www.vqsoft.com/ - - --- diff -Nru snort-2.9.0.1/doc/signatures/3070.txt snort-2.9.2/doc/signatures/3070.txt --- snort-2.9.0.1/doc/signatures/3070.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3070.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3070 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"fetch" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3071.txt snort-2.9.2/doc/signatures/3071.txt --- snort-2.9.0.1/doc/signatures/3071.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3071.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3071 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"status" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3072.txt snort-2.9.2/doc/signatures/3072.txt --- snort-2.9.0.1/doc/signatures/3072.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3072.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3072 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"status" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3073.txt snort-2.9.2/doc/signatures/3073.txt --- snort-2.9.0.1/doc/signatures/3073.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3073.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3073 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"subscribe" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3074.txt snort-2.9.2/doc/signatures/3074.txt --- snort-2.9.0.1/doc/signatures/3074.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3074.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3074 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"subscribe" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3075.txt snort-2.9.2/doc/signatures/3075.txt --- snort-2.9.0.1/doc/signatures/3075.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3075.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3075 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"unsubscribe" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3076.txt snort-2.9.2/doc/signatures/3076.txt --- snort-2.9.0.1/doc/signatures/3076.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3076.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3076 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the several commands of an IMAP service. This -event is concerned with data supplied as a parameter to the -"unsubscribe" command. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -This event is generated when excess data is detected in an IMAP command. -Some IMAP implementations exhibit programming errors that can lead to a -buffer overflow condition when excess data is supplied to a static -buffer. - -A vulnerability exists in the way that the Mercury Mail IMAP service -handles several commands. An excessively long command argument can -trigger a denial of service or a buffer overflow and the subsequent -execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - Pegasus Mail Mercury Mail Transport System 3.32 - Pegasus Mail Mercury Mail Transport System 4.01a - --- -Attack Scenarios: -An attacker can supplied an overly long command, causing denial of -service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Judy Novak -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3077.txt snort-2.9.2/doc/signatures/3077.txt --- snort-2.9.0.1/doc/signatures/3077.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3077.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -3077 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with the RNFR command of the IPSwitch WS_FTP server. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow -and the subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that the IPSwitch WS_FTP service -handles the RNFR command. An excessively long parameter supplied to the -command can trigger a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Affected Systems: - IPSwitch WS_FTP 4.x, 5.x - --- -Attack Scenarios: -An attacker can supplied an overly long parameter with the RNFR command, -possibly causing denial of service or a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Secunia: -http://secunia.com/advisories/13334 - --- diff -Nru snort-2.9.0.1/doc/signatures/3078.txt snort-2.9.2/doc/signatures/3078.txt --- snort-2.9.0.1/doc/signatures/3078.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3078.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -3078 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft implementation of the Network News Transport -Protocol (NNTP) for Internet Information Server (IIS). - --- -Impact: -Execution of arbitrary code on the affected system - --- -Detailed Information: -The Microsoft implementation of NNTP for IIS contains a programming -error in the processing of user supplied input that may present an -attacker with multiple opportunites to execute code of their choosing on -an affected system. - --- -Affected Systems: -. Microsoft Windows NT Server 4.0 NNTP component -. Microsoft Windows 2000 Server NNTP component -. Microsoft Windows Server 2003 NNTP Component -. Microsoft Windows Server 2003 64-Bit Edition NNTP Component - --- -Attack Scenarios: -An attacker must supply specially crafted input to a vulnerable system -to cause the overflow to occur. - --- -Ease of Attack: -Moderate. Example code exists. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Upgrade to the latest non-affected version of the software - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -CORE Technologies: -http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10 - --- diff -Nru snort-2.9.0.1/doc/signatures/3079.txt snort-2.9.2/doc/signatures/3079.txt --- snort-2.9.0.1/doc/signatures/3079.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3079.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -3079 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow associated with Microsoft's processing of an animated cursor -file. - --- -Impact: -A successful attack may permit a buffer overflow that allows the execution -of arbitrary code at the privilege level of the user downloading the -malicious file. - --- -Detailed Information: -A vulnerability exists in the way the Microsoft Windows LoadImage API validates -animated cursor (ANI) files. An invalid length associated with a structure -supporting the properties of the animated cursor can cause a buffer overflow -and the subsequent execution of arbirary code in the context of the current user. - --- -Affected Systems: - Windows 98, ME, NT, 2000, XP (not SP2), and Server 2003 - --- -Attack Scenarios: -An attacker can entice a user to download a malicious animated cursor -file, causing a buffer overflow and the subsequent execution of arbitrary -code on the vulnerable client. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -In order to avoid potential evasion techniques, http_inspect should be -configured with "flow_depth 0" so that all HTTP server response traffic is -inspected. - -WARNING -Setting flow_depth 0 will cause performance problems in some situations. -WARNING - --- -Corrective Action: -Apply the patch(s) discussed in Microsoft bulletin MS05-002. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Microsoft Technet: -http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx - --- diff -Nru snort-2.9.0.1/doc/signatures/307.txt snort-2.9.2/doc/signatures/307.txt --- snort-2.9.0.1/doc/signatures/307.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/307.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: 307 - --- -Summary: -This event is generated when an attempt is made to exploit -vulnerable versions of the Chocoa IRC client. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code on the client. - --- -Detailed Information: -It is possible for a malicious attacker to exploit a vulnerability in the Chocoa IRC client by setting an IRC channel topic specially designed to cause a buffer overflow. - -Affected Systems: - Fujitsu Chocoa 1.0 beta 7r for Windows 9x and NT. - - --- -Attack Scenarios: -The attacker would need to set a specially crafted IRC channel topic to cause the overflow. - -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0672 - -Bugtraq: -http://www.securityfocus.com/bid/573 - --- diff -Nru snort-2.9.0.1/doc/signatures/3080.txt snort-2.9.2/doc/signatures/3080.txt --- snort-2.9.0.1/doc/signatures/3080.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3080.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -3080 - --- -Summary: -This event is generated when a remote attacker sends an overly long "secure" -query to a host acting as an Unreal engine server. This may -indicate an attempt to exploit a buffer overflow vulnerability. - --- -Impact: -Serious. A successful buffer overflow can permit the execution of arbitrary -code on a vulnerable system. - --- -Detailed Information: -Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and -available for Linux, Windows and Macintosh platforms. The Unreal engine is -used for both client and server functionality. An overly long "secure" -query can be sent to the game server, causing a buffer overflow and the -subsequent execution of arbitrary code. - --- -Affected Systems: - Multiple versions of the Unreal Engine running on Linux, Microsoft - Windows and Macintosh platforms. - --- -Attack Scenarios: -An attacker can send an overly long "secure" query to a vulnerable host, causing -a buffer overflow and the subsequent execution of arbitrary code. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -Unreal servers can be configured to run on arbitrary ports. -Administrators should either change the port used in the rule or create -a variable for the ports to be used in the rule. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current nonaffected version of the software. - --- -Contributors: -Sourcefire Vulnerability Research Team -Judy Novak - --- -Additional References: - -OSVDB -http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup - --- diff -Nru snort-2.9.0.1/doc/signatures/3081.txt snort-2.9.2/doc/signatures/3081.txt --- snort-2.9.0.1/doc/signatures/3081.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3081.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,145 +0,0 @@ -Rule: - --- -Sid: -3081 --- -Summary: -This event is generated when a Y3KRAT 1.5 server attempts to respond to a client's connect request. - --- -Impact: -If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine. - --- -Detailed Information: -Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. - -The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String): - -AIM Passwords: aolpwd -AIM Spy: aolspy -Change Internet Explorer Caption: changeiecaptest -Chat With Server: chatsrvY3K Rat user -Clipboard: pastefromclip -Change Desktop Color Scheme: clsys -Change Recycle Bin Name: nrbin -Change System Name: sysname -Change Time: time -Video List: getvideolist -Dialup: autoconnect -Access Directories: getclientgetpaths -Get Directory Paths: getpaths -Disable Mouse Buttons: dbuttons -Disable Num Lock: dnumlock -Disable System Keys: dsyskeys -Disable All Keys: dkeys{all} -DOS Commands: doscommands -Fast Mouse: fastmouseon -Find File: findfile -Flip Screen: flip1hor -FTP: openftp21 -Go To URL: gotourl -Hide Taskbar: hidetask -Hide Clock: hideclock -Hide Desktop Icons: hidedeskicons -Hide Start Button: hidestart -Hide System Tray: hidesystray -ICQ Information: getclienticqinfo -ICQ Passwords: geticqpass -ICQ Spy: icqspy -Internet Explorer Spy: iespy -General Information: general -Lights On: lightson -Lights Off: lightsoff -Live Shot: cap -Logged Passwords: getpasses -Logoff: boot41 -Make File: makefile -Matrix Chat: matrix -Modify File (Read System File): readsysfiles -Modify File (Write System File): writesysfiles -Monitor Off: enablestandby -Mouse Settings (Set Position): setpos -Mouse Settings (Freeze Mouse Position): freezepos -Mouse Settings (Speed Up Cursor): speedcursor -MSN Spy: msnspy -Napster Spy: napsterspy -Net Get: netget -NetStat (Read): netstatread -NetStat (Kill): netstatkill -CD-ROM open: cdopen -CD-ROM 
close: cdclose -Open File: getfiles -Overclock: upmhz -Play Sound: snd (*followed by the sound, for example, err for the error sound*) -Power Off: boot31 -Print: print -Ras Passwords: getras -Remove Server: killserver -Change Resolution: setdevmode -Restart: boot21 -Safe Mode: safemode -Screenshot: cap -Send Keys: sendtextf -Send Message: messText -Show Windows With Text: showwin -Shutdown: boot11 -Swap Mouse Buttons: swapbuttons -Write System Error: writesystem -Yahoo Spy: yahoospy - - --- -Affected Systems: - Windows 95, 98, ME, NT, 2000 - --- - -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and -presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -Remove the Dcomcnofg key located at the following places in the registry: -HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run -HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices -HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run - -Reboot the computer or close Dcomcnofg.exe. - -Delete Dcomcnofg.exe from the windows system directory. - -If found, delete server.exe and kill the process called server.exe. 
- --- -Contributors: -Sourcefire Research Team -Ricky Macatee - --- -Additional References: - -Dark-E: -http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml - --- diff -Nru snort-2.9.0.1/doc/signatures/3082.txt snort-2.9.2/doc/signatures/3082.txt --- snort-2.9.0.1/doc/signatures/3082.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3082.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,145 +0,0 @@ -Rule: - --- -Sid: -3082 --- -Summary: -This event is generated when a Y3KRAT 1.5 client attempts to respond to the Y3KRAT 1.5 server. - --- -Impact: -If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine. - --- -Detailed Information: -Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. - -The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String): - -AIM Passwords: aolpwd -AIM Spy: aolspy -Change Internet Explorer Caption: changeiecaptest -Chat With Server: chatsrvY3K Rat user -Clipboard: pastefromclip -Change Desktop Color Scheme: clsys -Change Recycle Bin Name: nrbin -Change System Name: sysname -Change Time: time -Video List: getvideolist -Dialup: autoconnect -Access Directories: getclientgetpaths -Get Directory Paths: getpaths -Disable Mouse Buttons: dbuttons -Disable Num Lock: dnumlock -Disable System Keys: dsyskeys -Disable All Keys: dkeys{all} -DOS Commands: doscommands -Fast Mouse: fastmouseon -Find File: findfile -Flip Screen: flip1hor -FTP: openftp21 -Go To URL: gotourl -Hide Taskbar: hidetask -Hide Clock: hideclock -Hide Desktop Icons: hidedeskicons -Hide Start Button: hidestart -Hide System Tray: hidesystray -ICQ Information: getclienticqinfo -ICQ Passwords: geticqpass -ICQ Spy: icqspy -Internet Explorer Spy: iespy -General Information: general -Lights On: lightson -Lights Off: lightsoff -Live Shot: cap -Logged Passwords: getpasses -Logoff: boot41 -Make File: makefile -Matrix Chat: matrix -Modify File (Read System File): readsysfiles -Modify File (Write System File): writesysfiles -Monitor Off: enablestandby -Mouse Settings (Set Position): setpos -Mouse Settings (Freeze Mouse Position): freezepos -Mouse Settings (Speed Up Cursor): speedcursor -MSN Spy: msnspy -Napster Spy: napsterspy -Net Get: netget -NetStat (Read): netstatread -NetStat (Kill): netstatkill -CD-ROM open: cdopen -CD-ROM 
close: cdclose -Open File: getfiles -Overclock: upmhz -Play Sound: snd (*followed by the sound, for example, err for the error sound*) -Power Off: boot31 -Print: print -Ras Passwords: getras -Remove Server: killserver -Change Resolution: setdevmode -Restart: boot21 -Safe Mode: safemode -Screenshot: cap -Send Keys: sendtextf -Send Message: messText -Show Windows With Text: showwin -Shutdown: boot11 -Swap Mouse Buttons: swapbuttons -Write System Error: writesystem -Yahoo Spy: yahoospy - - --- -Affected Systems: - Windows 95, 98, ME, NT, 2000 - --- - -Attack Scenarios: -The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise. -Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program -to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and -presses the connect button and he has access to your computer. - --- - -Ease of Attack: -Easy. Simply a matter of pressing the connect button once the victim has installed the server. - - --- - -False Positives: -None known - --- -False Negatives: -None known - --- - -Corrective Action: -Remove the Dcomcnofg key located at the following places in the registry: -HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run -HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices -HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run - -Reboot the computer or close Dcomcnofg.exe. - -Delete Dcomcnofg.exe from the windows system directory. - -If found, delete server.exe and kill the process called server.exe. 
- --- -Contributors: -Sourcefire Research Team -Ricky Macatee - --- -Additional References: - -Dark-E: -http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml - --- diff -Nru snort-2.9.0.1/doc/signatures/3083.txt snort-2.9.2/doc/signatures/3083.txt --- snort-2.9.0.1/doc/signatures/3083.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3083.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,141 +0,0 @@
-Rule:
-
---
-Sid:
-3083
---
-Summary:
-This event is generated when a Y3KRAT 1.5 server attempts to confirm the client's response.
-
---
-Impact:
-If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.
-
---
-Detailed Information:
-Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker.
-
-The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String):
-
-AIM Passwords: aolpwd
-AIM Spy: aolspy
-Change Internet Explorer Caption: changeiecaptest
-Chat With Server: chatsrvY3K Rat user
-Clipboard: pastefromclip
-Change Desktop Color Scheme: clsys
-Change Recycle Bin Name: nrbin
-Change System Name: sysname
-Change Time: time
-Video List: getvideolist
-Dialup: autoconnect
-Access Directories: getclientgetpaths
-Get Directory Paths: getpaths
-Disable Mouse Buttons: dbuttons
-Disable Num Lock: dnumlock
-Disable System Keys: dsyskeys
-Disable All Keys: dkeys{all}
-DOS Commands: doscommands
-Fast Mouse: fastmouseon
-Find File: findfile
-Flip Screen: flip1hor
-FTP: openftp21
-Go To URL: gotourl
-Hide Taskbar: hidetask
-Hide Clock: hideclock
-Hide Desktop Icons: hidedeskicons
-Hide Start Button: hidestart
-Hide System Tray: hidesystray
-ICQ Information: getclienticqinfo
-ICQ Passwords: geticqpass
-ICQ Spy: icqspy
-Internet Explorer Spy: iespy
-General Information: general
-Lights On: lightson
-Lights Off: lightsoff
-Live Shot: cap
-Logged Passwords: getpasses
-Logoff: boot41
-Make File: makefile
-Matrix Chat: matrix
-Modify File (Read System File): readsysfiles
-Modify File (Write System File): writesysfiles
-Monitor Off: enablestandby
-Mouse Settings (Set Position): setpos
-Mouse Settings (Freeze Mouse Position): freezepos
-Mouse Settings (Speed Up Cursor): speedcursor
-MSN Spy: msnspy
-Napster Spy: napsterspy
-Net Get: netget
-NetStat (Read): netstatread
-NetStat (Kill): netstatkill
-CD-ROM open: cdopen
-CD-ROM close: 
cdclose
-Open File: getfiles
-Overclock: upmhz
-Play Sound: snd (*followed by the sound, for example, err for the error sound*)
-Power Off: boot31
-Print: print
-Ras Passwords: getras
-Remove Server: killserver
-Change Resolution: setdevmode
-Restart: boot21
-Safe Mode: safemode
-Screenshot: cap
-Send Keys: sendtextf
-Send Message: messText
-Show Windows With Text: showwin
-Shutdown: boot11
-Swap Mouse Buttons: swapbuttons
-Write System Error: writesystem
-Yahoo Spy: yahoospy
-
-
---
-Affected Systems:
- Windows 95, 98, ME, NT, 2000
-
---
-Attack Scenarios:
-The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.
-Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program
-to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and
-presses the connect button and he has access to your computer.
-
---
-
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Remove the Dcomcnofg key located at the following places in the registry:
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run
-HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices
-HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run
-
-Reboot the computer or close Dcomcnofg.exe.
-
-Delete Dcomcnofg.exe from the windows system directory.
-
-If found, delete server.exe and kill the process called server.exe.
-
---
-Contributors:
-Sourcefire Research Team
-Ricky Macatee
-
---
-Additional References:
-
-Dark-E:
-http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3084.txt snort-2.9.2/doc/signatures/3084.txt
--- snort-2.9.0.1/doc/signatures/3084.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3084.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-3084
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with the Veritas Back Exec Agent Browser.
-
---
-Impact:
-Serious. Execution of arbitrary commands may be possible.
-
---
-Detailed Information:
-
-The Veritas Backup Agent Browser is the server component of the Backup
-Exec software employed to provide a backup solution. Client agents
-communicate with the Backup Agent Browser. A registration request from
-a client that contains an overly long hostname value can cause a buffer
-overflow and the subsequent execution of arbitrary code on a vulnerable
-server.
-
---
-Affected Systems:
-Veritas Software Backup Exec 8.0, 8.5, 8.6, 9.0, 9.1
-
---
-Attack Scenarios:
-An attacker can craft a registration request that contains an overly
-long hostname, causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current nonaffected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3085.txt snort-2.9.2/doc/signatures/3085.txt
--- snort-2.9.0.1/doc/signatures/3085.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3085.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rules:
-
---
-Sid:
-3085
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability
-associated with AOL Instant Messenger (AIM) goaway message.
-
---
-Impact:
-Serious. Execution of arbitrary commands may be possible.
-
---
-Detailed Information:
-AIM is instant messaging software supplied by AOL Time Warner. A malicious
-URL offered in an AIM message or web page that sends an AIM client an overly
-long AIM "Away" message can cause a buffer overflow on a vulnerable client.
-This can permit the execution of arbitrary code on the client host.
-
---
-Affected Systems:
-AOL Instant Messenger 5.5, 5.5.3415 Beta, 5.5.3595
-
---
-Attack Scenarios:
-An attacker can send an overly long AIM "Away" message or a user could be
-enticed to view a site that embeds such a message.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-A Metasploit attack that exploits this vulnerability uses an HTTP port of
-8080. Other HTTP ports can be used for this attack as well.
-
---
-Corrective Action:
-Upgrade to the most current nonaffected version of the software.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Judy Novak
-
---
-Additional References:
-
-iDefense:
-http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities
---
diff -Nru snort-2.9.0.1/doc/signatures/3086.txt snort-2.9.2/doc/signatures/3086.txt
--- snort-2.9.0.1/doc/signatures/3086.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3086.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-3086
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-spp_sta.stm on a 3com wireless router.
-
---
-
-Impact:
-Intelligence gathering activity.
-
---
-Detailed Information:
-The 3Com ADSL wireless router 3CRADSL72 is prone to an authentication
-bypass issue that may allow a malicious third party to gain information
-on the device and the networks it serves. It may also be possible for an
-attacker to gain administrative privileges on the device.
-
---
-Affected Systems:
- 3Com 3CRADSL72 ADSL wireless router
-
---
-
-Attack Scenarios:
-An attacker with access to the page can gain information on the networks
-being served by the router and use the knowledge gained in further
-attacks on the system. The attacker may also be able to gain
-administrative access to the router.
-
---
-Ease of Attack:
-Simple. No exploit software is required.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-The address of the router should be added to the $HTTP_SERVERS variable
-if the rule is used in the default form. Otherwise a $WIRELESS_ROUTERS
-variable could be used in both the snort.conf and the rule to eliminate
-any possible false positives.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch.
-
---
-Contributors:
-Sourcefire Research Team
-Matt Watchinski
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3087.txt snort-2.9.2/doc/signatures/3087.txt
--- snort-2.9.0.1/doc/signatures/3087.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3087.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3087
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer
-overflow in Microsoft Browser Client Context Tool (W3Who.dll).
-
---
-Impact:
-Denial of service or remote access. If the exploit is successful,
-an attacker can gain remote access to the host with system privileges.
-
---
-Detailed Information:
-W3Who is an Internet Server Application Programming Interface (ISAPI)
-application dynamic-link library (DLL) that works within a Web page to
-display information about the calling context of the client browser and
-the configuration of the host server. W3Who is included in the Windows
-2000 Server Resource Kit.
-
-A boundary error within the processing of parameters can be exploited
-to cause a buffer overflow by passing an overly long parameter.
-
---
-Affected Systems:
-Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed
-with IIS.)
-
---
-Attack Scenarios:
-An attacker can send a malformed HTTP request with an overly long
-parameter to W3Who DLL, subsequently causing a buffer overflow.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-Any overly large request URI with a reference to w3who.dll will be
-detected.
-
---
-False Negatives:
-This rule only detects the attack when the parameters are passed
-as part of the URI (GET method).
-
---
-Corrective Action:
-Disable the W3Who.dll ISAPI extension.
-
---
-Contributors:
-nnposter@users.sourceforge.net
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3088.txt snort-2.9.2/doc/signatures/3088.txt
--- snort-2.9.0.1/doc/signatures/3088.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3088.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3088
-
---
-Summary:
-This event is generated when an attempt is made to exploit a client buffer
-overflow associated with Winamp's processing of a filename with an
-extension of .cda.
-
---
-Impact:
-A successful attack may permit a buffer overflow that allows the execution
-of arbitrary code at the privilege level of the user running Winamp.
-
---
-Detailed Information:
-Winamp is a media file player for Windows developed by Nullsoft. A buffer
-overflow exists because of insufficient bounds checking while handling the
-name of a CD audio format file (.cda extension) or a playlist that contains
-a filename with a .cda extension. An overly long name may cause the buffer
-overflow permitting the execution of arbitrary code at the privilege level
-of the user running Winamp.
-
---
-Affected Systems:
- Winamp 3.x, and 5.x
-
---
-Attack Scenarios:
-An attacker can create and send a malformed .cda filename that may cause
-a buffer overflow and the subsequent execution of arbitrary code on the
-vulnerable host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3089.txt snort-2.9.2/doc/signatures/3089.txt
--- snort-2.9.0.1/doc/signatures/3089.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3089.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-3089
-
---
-Summary:
-This event is generated when an attempt is made to exploit a denial of
-service associated with Squid Web Cache Communication Protocol (WCCP).
-
---
-Impact:
-A successful attack can cause the Squid web cache server process to
-terminate.
-
---
-Detailed Information:
-A vulnerability exists in the way that a Squid server handles a WCCP
-message. A WCCP I_SEE_YOU message that contains an invalid number of
-web cache entries can create an out-of-bounds array reference. This may
-result in a read access violation of memory, causing a denial of service.
-
---
-Affected Systems:
- Squid Web Proxy Cache 2.5 STABLE7 and prior versions
-
---
-Attack Scenarios:
-An attacker can craft a WCCP I_SEE_YOU message with an invalid number of
-web cache entries, causing the web cache server process to terminate.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the most current non-affected version of the product.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References
-
---
diff -Nru snort-2.9.0.1/doc/signatures/308.txt snort-2.9.2/doc/signatures/308.txt
--- snort-2.9.0.1/doc/signatures/308.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/308.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid: 308
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow condition in certain versions of NextFTP for Windows.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
-
---
-Detailed Information:
-Certain versions of the NextFTP client from ToxSoft contain a programming error that allows an FTP server to issue commands on the client via exploit code in the server reply.
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Use Secure Shell (ssh) for file transfer as opposed to FTP.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0671
-
-Bugtraq:
-http://www.securityfocus.com/bid/572
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3090.txt snort-2.9.2/doc/signatures/3090.txt
--- snort-2.9.0.1/doc/signatures/3090.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3090.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3090
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3091.txt snort-2.9.2/doc/signatures/3091.txt
--- snort-2.9.0.1/doc/signatures/3091.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3091.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3091
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3092.txt snort-2.9.2/doc/signatures/3092.txt
--- snort-2.9.0.1/doc/signatures/3092.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3092.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3092
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3093.txt snort-2.9.2/doc/signatures/3093.txt
--- snort-2.9.0.1/doc/signatures/3093.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3093.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3093
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3094.txt snort-2.9.2/doc/signatures/3094.txt
--- snort-2.9.0.1/doc/signatures/3094.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3094.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3094
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3095.txt snort-2.9.2/doc/signatures/3095.txt
--- snort-2.9.0.1/doc/signatures/3095.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3095.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3095
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3096.txt snort-2.9.2/doc/signatures/3096.txt
--- snort-2.9.0.1/doc/signatures/3096.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3096.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3096
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3097.txt snort-2.9.2/doc/signatures/3097.txt
--- snort-2.9.0.1/doc/signatures/3097.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3097.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3097
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3098.txt snort-2.9.2/doc/signatures/3098.txt
--- snort-2.9.0.1/doc/signatures/3098.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3098.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3098
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3099.txt snort-2.9.2/doc/signatures/3099.txt
--- snort-2.9.0.1/doc/signatures/3099.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3099.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3099
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/309.txt snort-2.9.2/doc/signatures/309.txt
--- snort-2.9.0.1/doc/signatures/309.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/309.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 309
-
---
-Summary:
-This event is generated when an attempt to overflow the buffer of a UNIX or Linux system via Sniffit is made.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
-
---
-Detailed Information:
-Sniffit is a network monitoring tool that can also be configured to log emails. If this is the case, some versions of the tool contain a vulnerability such that a stack overflow via this logging mechanism is possible by a remote attacker.
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply vendor supplied patches.
-
-Use alternate tools such as Snort.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306
-
-Bugtraq:
-http://www.securityfocus.com/bid/2353
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3100.txt snort-2.9.2/doc/signatures/3100.txt
--- snort-2.9.0.1/doc/signatures/3100.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3100.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3100
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3101.txt snort-2.9.2/doc/signatures/3101.txt
--- snort-2.9.0.1/doc/signatures/3101.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3101.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3101
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3102.txt snort-2.9.2/doc/signatures/3102.txt
--- snort-2.9.0.1/doc/signatures/3102.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3102.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3102
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3103.txt snort-2.9.2/doc/signatures/3103.txt
--- snort-2.9.0.1/doc/signatures/3103.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3103.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3103
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3104.txt snort-2.9.2/doc/signatures/3104.txt
--- snort-2.9.0.1/doc/signatures/3104.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3104.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3104
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3105.txt snort-2.9.2/doc/signatures/3105.txt
--- snort-2.9.0.1/doc/signatures/3105.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3105.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3105
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3106.txt snort-2.9.2/doc/signatures/3106.txt
--- snort-2.9.0.1/doc/signatures/3106.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3106.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3106
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3107.txt snort-2.9.2/doc/signatures/3107.txt
--- snort-2.9.0.1/doc/signatures/3107.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3107.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3107
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3108.txt snort-2.9.2/doc/signatures/3108.txt
--- snort-2.9.0.1/doc/signatures/3108.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3108.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3108
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3109.txt snort-2.9.2/doc/signatures/3109.txt
--- snort-2.9.0.1/doc/signatures/3109.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3109.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3109
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/310.txt snort-2.9.2/doc/signatures/310.txt
--- snort-2.9.0.1/doc/signatures/310.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/310.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid: 310
-
---
-Summary:
-This event is generated when an attempt is made to exploit a vulnerability in SmartMax MailMax mailserver.
-
---
-Impact:
-Serious. Execution of arbitrary code on the target server is possible.
-
---
-Detailed Information:
-MailMax is an email server for Windows platforms. Certain versions of the software contain a vulnerability that can allow execution of arbitrary code on the server with the privileges of the user running MailMax.
-
-Affected Versions:
- MailMax 1.0
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2312
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0404
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3110.txt snort-2.9.2/doc/signatures/3110.txt
--- snort-2.9.0.1/doc/signatures/3110.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3110.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3110
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3111.txt snort-2.9.2/doc/signatures/3111.txt
--- snort-2.9.0.1/doc/signatures/3111.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3111.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3111
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3112.txt snort-2.9.2/doc/signatures/3112.txt
--- snort-2.9.0.1/doc/signatures/3112.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3112.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3112
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3113.txt snort-2.9.2/doc/signatures/3113.txt
--- snort-2.9.0.1/doc/signatures/3113.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3113.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3113
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3114.txt snort-2.9.2/doc/signatures/3114.txt
--- snort-2.9.0.1/doc/signatures/3114.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3114.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3114
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3115.txt snort-2.9.2/doc/signatures/3115.txt
--- snort-2.9.0.1/doc/signatures/3115.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3115.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3115
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3116.txt snort-2.9.2/doc/signatures/3116.txt
--- snort-2.9.0.1/doc/signatures/3116.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3116.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3116
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3117.txt snort-2.9.2/doc/signatures/3117.txt
--- snort-2.9.0.1/doc/signatures/3117.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3117.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3117
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3118.txt snort-2.9.2/doc/signatures/3118.txt
--- snort-2.9.0.1/doc/signatures/3118.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3118.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3118
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3119.txt snort-2.9.2/doc/signatures/3119.txt
--- snort-2.9.0.1/doc/signatures/3119.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3119.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3119
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/311.txt snort-2.9.2/doc/signatures/311.txt
--- snort-2.9.0.1/doc/signatures/311.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/311.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid: 311
-
---
-Summary:
-Versions of the Netscape browser including and prior to 4.75 are vulnerable to a buffer overflow that may lead to arbitrary code execution on the victim host. It is also possible to open a root shell listening on a high port on the victim host. This event is generated when a request is made to a web site exploiting this vulnerability.
-
---
-Impact:
-System compromize presenting the attacker with the opportunity to
-execute arbitrary code on the victim host.
-
---
-Detailed Information:
-A buffer overflow condition exists in the HTML parser on some versions of Netscape Navigator. It is possible for a remote attacker to execute arbitrary code on the victim host.
-
-It is possible to crash Netscape Communicator if a large number of characters is supplied in a command from an interactive web page.
-
-Affected Systems:
- Netscape Navigator 4.75 and prior
-
---
-Attack Scenarios:
-The attacker would need to supply a link on a web page or HTML email that triggers the overflow. It is also possible to cause the overflow via HTML email.
-
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1187
-
-Bugtraq:
-http://www.securityfocus.com/bid/822
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3120.txt snort-2.9.2/doc/signatures/3120.txt
--- snort-2.9.0.1/doc/signatures/3120.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3120.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3120
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3121.txt snort-2.9.2/doc/signatures/3121.txt
--- snort-2.9.0.1/doc/signatures/3121.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3121.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3121
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3122.txt snort-2.9.2/doc/signatures/3122.txt
--- snort-2.9.0.1/doc/signatures/3122.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3122.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3122
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3123.txt snort-2.9.2/doc/signatures/3123.txt
--- snort-2.9.0.1/doc/signatures/3123.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3123.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3123
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3124.txt snort-2.9.2/doc/signatures/3124.txt
--- snort-2.9.0.1/doc/signatures/3124.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3124.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3124
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3125.txt snort-2.9.2/doc/signatures/3125.txt
--- snort-2.9.0.1/doc/signatures/3125.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3125.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3125
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3126.txt snort-2.9.2/doc/signatures/3126.txt
--- snort-2.9.0.1/doc/signatures/3126.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3126.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3126
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3127.txt snort-2.9.2/doc/signatures/3127.txt
--- snort-2.9.0.1/doc/signatures/3127.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3127.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3127
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3128.txt snort-2.9.2/doc/signatures/3128.txt
--- snort-2.9.0.1/doc/signatures/3128.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3128.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3128
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3129.txt snort-2.9.2/doc/signatures/3129.txt
--- snort-2.9.0.1/doc/signatures/3129.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3129.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3129
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft License Logging Service.
-
---
-Impact:
-Serious. Execution of arbitrary code leading to unauthorized
-administrative access to the target host. Denial of Service (DoS) is
-also possible.
-
---
-Detailed Information:
-Microsoft License Logging Service is used to manage licenses for
-Microsoft server products.
-
-A vulnerability in the service exists due to a programming error such
-that an unchecked buffer may present an attacker with the opportunity to
-exploit the service and run code of their choosing on an affected
-system. The attacker may then cause a DoS condition in the service or
-possibly gain administrative access to the target host.
-
-The unchecked buffer exists when processing the length of messages sent
-to the logging service.
-
---
-Affected Systems:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows NT Server
-
---
-Attack Scenarios:
-An attacker can supply extra data in the message to the service
-containing code of their choosing to be run on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/312.txt snort-2.9.2/doc/signatures/312.txt
--- snort-2.9.0.1/doc/signatures/312.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/312.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid: 312
-
---
-Summary:
-This event is generated when an attempt to exploit a buffer overflow condition in ntpd is made.
-
---
-Impact:
-Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
-
---
-Detailed Information:
-Some versions of the Network Time Protocol Daemon (ntpd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
-
-Ntp is used to synchronize system time with a time server. This may also be used on various network devices.
-
-Affected Versions:
- ntpd versions prior to an including 4.0.99k
- xntpd and xntp3
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply vendor supplied patches.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0414
-
-Bugtraq:
-http://www.securityfocus.com/bid/2540
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3130.txt snort-2.9.2/doc/signatures/3130.txt
--- snort-2.9.0.1/doc/signatures/3130.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3130.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-3130
-
---
-Summary:
-This alert is generated when a malicious PNG file is sent to an MSN Messenger
-client. Vulnerable clients which receive such a file are vulnerable to remote
-code execution attacks.
-
---
-Impact:
-Arbitrary code may be executed in the context of the user running MSN Messenger.
-Their messenger client may or may not crash, depending upon the way the PNG file
-is written.
-
---
-Detailed Information:
-This vulnerability is due to a buffer overflow in the processing of tRNS chunks
-of PNG files. In order to trigger the overflow, the color type field of the IHDR
-chunk must be set to 0x03, and the length of the tRNS chunk must be greater than
-256.
-
---
-Affected Systems:
- MSN Messenger 6.1
- MSN Messenger 6.2
-
---
-Attack Scenarios:
-An attacker may send a malicious PNG through a direct file transfer, as a
-thumbnail for a file transfer, as a custom emoticon, or by setting their buddy
-icon to be the malicious PNG. In all cases, the PNG is sent via an MSN file
-transfer.
-
---
-Ease of Attack:
-Very simple. Example PNGs with shellcode are available on the web, and attacking
-via all but the file transfer thumbnail vector is accomplished with simple,
-everyday MSN Messenger tasks.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-Thumbnails of image transfers are sent in an encoded format. As a result, they
-cannot be detected. However, making the thumbnail contain malicious data is
-exponentially more difficult than any of the other attack vectors, as an
-attacker cannot manually specify the thumbnail to be sent.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patch.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3131.txt snort-2.9.2/doc/signatures/3131.txt
--- snort-2.9.0.1/doc/signatures/3131.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3131.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-3131
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in GNU Mailman.
-
---
-Impact:
-Information disclosure.
-
---
-Detailed Information:
-GNU Mailman is used to manage mailing lists. It is written in Python and
-is available on a variety of platforms.
-
-GNU Mailman when used with webservers that do not remove extra slashes
-from URLs, is prone to a directory traversal attack that may allow an
-attacker access to sensitive files on an affected system.
-
---
-Affected Systems:
- GNU Mailman in conjunction with Apache 1.3.x
-
---
-Attack Scenarios:
-An attacker can supply extra slashes and dots (....///) to a URL to
-escape the web root and access other parts of the host filesystem.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3132.txt snort-2.9.2/doc/signatures/3132.txt
--- snort-2.9.0.1/doc/signatures/3132.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3132.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3132
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the processing of a Portable Network Graphics (PNG) file by
-the GD Graphics Library.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way that software that handles PNG files,
-libpng, allocates memory for PNG images. A maliciously formatted PNG
-image sent to a vulnerable server may cause a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server. A
-PNG file with an excessively large image height, width, or depth, or
-combination of these can cause a buffer overflow.
-
---
-Affected Systems:
- GD Graphics Library 2.0.28 and earlier
-
---
-Attack Scenarios:
-An attacker can create a malformed PNG file and upload it to a web server,
-possibly causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3133.txt snort-2.9.2/doc/signatures/3133.txt
--- snort-2.9.0.1/doc/signatures/3133.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3133.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3133
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow
-associated with the processing of a Portable Network Graphics (PNG) file by
-the GD Graphics Library.
-
---
-Impact:
-A successful attack may cause a denial of service or a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server.
-
---
-Detailed Information:
-A vulnerability exists in the way that software that handles PNG files,
-libpng, allocates memory for PNG images. A maliciously formatted PNG
-image sent to a vulnerable server may cause a buffer overflow and the
-subsequent execution of arbitrary code on a vulnerable server. A
-PNG file with an excessively large image height, width, or depth, or
-combination of these can cause a buffer overflow.
-
---
-Affected Systems:
- GD Graphics Library 2.0.28 and earlier
-
---
-Attack Scenarios:
-An attacker can create a malformed PNG file and upload it to a web server,
-possibly causing a buffer overflow.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3134.txt snort-2.9.2/doc/signatures/3134.txt
--- snort-2.9.0.1/doc/signatures/3134.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3134.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3134 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer overflow -associated with the processing of a Portable Network Graphics (PNG) file by -the GD Graphics Library. - --- -Impact: -A successful attack may cause a denial of service or a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. - --- -Detailed Information: -A vulnerability exists in the way that software that handles PNG files, -libpng, allocates memory for PNG images. A maliciously formatted PNG -image sent to a vulnerable server may cause a buffer overflow and the -subsequent execution of arbitrary code on a vulnerable server. A -PNG file with an excessively large image height, width, or depth, or -combination of these can cause a buffer overflow. - --- -Affected Systems: - GD Graphics Library 2.0.28 and earlier - --- -Attack Scenarios: -An attacker can create a malformed PNG file and upload it to a web server, -possibly causing a buffer overflow. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3135.txt snort-2.9.2/doc/signatures/3135.txt --- snort-2.9.0.1/doc/signatures/3135.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3135.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3135 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3136.txt snort-2.9.2/doc/signatures/3136.txt --- snort-2.9.0.1/doc/signatures/3136.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3136.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3136 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3137.txt snort-2.9.2/doc/signatures/3137.txt --- snort-2.9.0.1/doc/signatures/3137.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3137.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3137 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3138.txt snort-2.9.2/doc/signatures/3138.txt --- snort-2.9.0.1/doc/signatures/3138.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3138.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3138 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3139.txt snort-2.9.2/doc/signatures/3139.txt --- snort-2.9.0.1/doc/signatures/3139.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3139.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3139 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/313.txt snort-2.9.2/doc/signatures/313.txt --- snort-2.9.0.1/doc/signatures/313.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/313.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 313 - --- -Summary: -This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made. - --- -Impact: -Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account. - --- -Detailed Information: -Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell. - -Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system. - -Affected Versions: - Multiple vendors - --- -Attack Scenarios: -Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply vendor supplied patches. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/210 - --- diff -Nru snort-2.9.0.1/doc/signatures/3140.txt snort-2.9.2/doc/signatures/3140.txt --- snort-2.9.0.1/doc/signatures/3140.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3140.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3140 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3141.txt snort-2.9.2/doc/signatures/3141.txt --- snort-2.9.0.1/doc/signatures/3141.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3141.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3141 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3142.txt snort-2.9.2/doc/signatures/3142.txt --- snort-2.9.0.1/doc/signatures/3142.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3142.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3142 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3143.txt snort-2.9.2/doc/signatures/3143.txt --- snort-2.9.0.1/doc/signatures/3143.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3143.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3143 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3144.txt snort-2.9.2/doc/signatures/3144.txt --- snort-2.9.0.1/doc/signatures/3144.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3144.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3144 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3145.txt snort-2.9.2/doc/signatures/3145.txt --- snort-2.9.0.1/doc/signatures/3145.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3145.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3145 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3146.txt snort-2.9.2/doc/signatures/3146.txt --- snort-2.9.0.1/doc/signatures/3146.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3146.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,77 +0,0 @@ -Rule: - --- -Sid: -3146 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft systems using Server Message Block (SMB). - --- -Impact: -Serious. Execution of arbitrary code leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -SMB is a client - server protocol used in sharing resources such as -files, printers, ports, named pipes and other things, between machines -on a network. - -A vulnerability in the Microsoft implementation of SMB exists due to a -programming error which may present an attacker with the opportunity to -exploit the service and run code of their choosing on an affected -system. The attacker may then cause a DoS condition in the service or -possibly gain unauthorized access to the target host. - -A malicious attacker can exploit the vulnerability by sending a -malicious response from a server in response to a client request using -SMB. - --- -Affected Systems: - Microsoft Windows 2003 - Microsoft Windows 2000 - Microsoft Windows XP - --- -Attack Scenarios: -An attacker can supply extra data in the message from the server -containing code of their choosing to be run on the client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Turn off windows file and print services. - -Use Samba as an alternative. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -eEye: -http://www.eeye.com/html/research/advisories/AD20050208.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3147.txt snort-2.9.2/doc/signatures/3147.txt --- snort-2.9.0.1/doc/signatures/3147.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3147.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -3147 - --- -Summary: -This event is generated when an attempt is made to exploit a known -buffer overflow vulnerability affecting "login" via Telnet. - --- -Impact: -Serious. Unauthorized administrative access to the target host. - --- -Detailed Information: -The login binary is used when establishing an interactive session on a -system. It is used locally and by protocols that allow remote access. A -buffer overflow condition exists in some versions of login that can be -triggered by the manipulation of environment variables. - -This event is generated when an attempt is made to overflow login via -telnet by manipulating the TTYPROMPT environment variable. - --- -Affected Systems: - Systems using Sys V derived login - --- -Attack Scenarios: -An attacker can overflow a buffer by inserting 6 bytes of data followed -by 65 characters and a newline into the TTYPROMPT variable. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3148.txt snort-2.9.2/doc/signatures/3148.txt --- snort-2.9.0.1/doc/signatures/3148.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3148.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -3148 - --- -Summary: -This event is generated when an attempt is made to exploit a -vulnerability in Microsoft Windows Help. - --- -Impact: -Serious. Code execution is possible leading to unauthorized -administrative access to the target host. - --- -Detailed Information: -Microsoft Windows Help can use ActiveX controls when dealing with -Windows Help files. - -A programming error in the processing of a buffer that handles the -"item" parameter of a help file can lead to the exposure of a buffer -overflow condition. An attacker may be able to overflow this buffer and -supply code of their choosing to be executed on the system with the -privileges of the administrative account. - -In addition, applications may treat Windows Help as a trusted program -and further exploitation and host firewall bypass may be possible. - --- -Affected Systems: - Systems using Microsoft Windows - --- -Attack Scenarios: -An attacker can overflow a buffer by inserting extra data into the input -parameter of a malicious help file. The attacker may then insert code of -their choosing to either run commands on the system or execute the code -with the privileges of the administrative account. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3149.txt snort-2.9.2/doc/signatures/3149.txt --- snort-2.9.0.1/doc/signatures/3149.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3149.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3149 - --- -Summary: -This event is generated when an attempt is made to exploit a -vulnerability in Microsoft Internet Explorer. - --- -Impact: -Serious. Code execution is possible leading to unauthorized -administrative access to the target host. - --- -Detailed Information: -Microsoft Internet Explorer uses the Object tag to identify ActiveX -controls sometimes used in web content. - -A programming error in the processing of a buffer that handles the -"item" parameter of an object tag can lead to the exposure of a buffer -overflow condition. An attacker may be able to overflow this buffer and -supply code of their choosing to be executed on the system with the -privileges of the administrative account. - -The procedure that checks the length of a buffer that handles the item -parameter may be bypassed by using the slash character either directly -or via encoding methods. This vulnerability may be exploited whenever -Internet Explorer is used to read HTML files. - --- -Affected Systems: - Systems using Microsoft Windows - --- -Attack Scenarios: -An attacker can overflow a buffer by inserting extra data into the input -parameter of a malicious html file. The attacker may then insert code of -their choosing to either run commands on the system or execute the code -with the privileges of the administrative account. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/314.txt snort-2.9.2/doc/signatures/314.txt --- snort-2.9.0.1/doc/signatures/314.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/314.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: --- -Sid: -303 - --- -Summary: -This event is generated when a specific inverse query is performed against your DNS server as a precursor to a possible TSIG (transaction signature) buffer overflow attack. - --- -Impact: -Intelligence gathering. This event generates as a result of an inverse query of the DNS server in an attempt to gain access to information required for the TSIG exploit. An attacker will usually attempt a buffer overflow exploit if there is a response to the inverse query. - --- -Detailed Information: -This is an attempt to perform a specific DNS inverse query against your DNS server. While this specific action is not harmful itself, it signals a precusor to a possible buffer overflow attack for a TSIG vulernability. The inverse query is performed as a reconnaissance for the TSIG attack. - --- -Affected Systems: -BIND Versions 4 and Versions 8 through 8.2 are susceptible to the inverse query information leak. - --- -Attack Scenarios: -If a DNS server responds to the inverse query and leaks information required for the actual attack, the attacker exploitsthe TSIG buffer overflow vulnerability. If this is successful, the attacker gains access to the DNS server at the privilege of the "named" daemon. - --- -Ease of Attack: -Easy. Code is available to exploit the vulnerability. - --- -False Positives: -None Known. - --- -False Negatives: -An attacker could change the exploit code. For instance, an attacker could change the DNS identification number in the code to be something other than 0xABCD and the rule would not fire. - --- -Corrective Action: -Update to BIND versions greater than 8.2 to prevent the information leak. 
- --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2302 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010 - -Arachnids: -http://www.whitehats.com/info/IDS482 - - --- diff -Nru snort-2.9.0.1/doc/signatures/3150.txt snort-2.9.2/doc/signatures/3150.txt --- snort-2.9.0.1/doc/signatures/3150.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3150.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -3150 - --- -Summary: -This event is generated when an attempt is made to exploit a -vulnerability in Microsoft Windows SQL Server. - --- -Impact: -Serious. Code execution is possible leading to unauthorized -administrative access to the target host. Denial of Service (DoS) is -also possible. - --- -Detailed Information: -Microsoft Windows SQL Server 2000 uses the SQLXML component to process -database queries via XML. - -Due to a programming error a buffer overrun condition is present in the -SQLXML ISAPI component that processes the XML queries via HTTP. The -overrun condition can be exploited by manipulating the contenttype -variable used to control the Content-Type header. The ISAPI extension -does not correctly check the length of the contenttype parameter. It may -be possible for an attacker with user privileges on the target host to -exploit the condition by supplying extra data in the affected parameter. - --- -Affected Systems: - Microsoft SQL Server 2000 - --- -Attack Scenarios: -An attacker can overflow a buffer by inserting extra data into the -contenttype parameter of a malicious XML query. The attacker may then -insert code of their choosing to either run commands on the system or -execute the code with the privileges of the administrative account. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3151.txt snort-2.9.2/doc/signatures/3151.txt --- snort-2.9.0.1/doc/signatures/3151.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3151.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3151 - --- -Summary: -This event is generated when an attempt is made to access the host -filestem via fingerd. - --- -Impact: -Information gathering. - --- -Detailed Information: -This event is generated when a specific attack against a vulnerable -version of the finger daemon is detected. - -The Finger daemon is used to provide information about users on a UNIX -system. A certain version of fingerd shipped with one release of FreeBSD -4.1.1 contained an added feature that allows a remote user to request -some files via the use of finger. This event indicates that such a -request has been made. - -The feature also allowed any file or directory structure on the host -readable by the "nobody" user to also be accessed, leading to -unauthorized information disclosure. - --- -Affected Systems: - FreeBSD 4.1.1 Release - --- -Attack Scenarios: -An attacker can use finger to read a directory structure or file by -making a request via finger. - --- -Ease of Attack: -Simple, no exploit software is required, just a specially formatted -finger query. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disable the finger daemon or limit the addresses that can access the -service via a firewall or TCP wrappers. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3152.txt snort-2.9.2/doc/signatures/3152.txt --- snort-2.9.0.1/doc/signatures/3152.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3152.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -3152 - --- -Summary: -This event is generated when an attempt is made to access a host running -Microsoft SQL Server or utilizing MSDE via the default "sa" account. - --- -Impact: -Information disclosure. Unauthorized access to the host. - --- -Detailed Information: -This event is generated when an attempt is made to access a host via the -"sa" account using brute force techniques to guess a password. - -Microsoft SQL server and MSDE components use a default "sa" account with -a default password as the administrative user for the database -installation. This event indicates that numerous failed attempts have -been made to access the target host using this account. - --- -Affected Systems: - Microsoft SQL Server 2000 - Microsoft SQL Server 7.0 - Systems using Microsoft MSDE components - --- -Attack Scenarios: -An attacker can use an automated script to gain access to a host and the -database contents as an administrator by repeatly attempting to login -using the "sa" account and different passwords. - -Some worms also try to brute force entry using this methodology. - --- -Ease of Attack: -Simple, - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Change the default "sa" password - -Disable the "sa" account. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3153.txt snort-2.9.2/doc/signatures/3153.txt --- snort-2.9.0.1/doc/signatures/3153.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3153.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3153 - --- -Summary: -This event is generated when an inverse query attempt is made using TCP. - --- - -Impact: -Possible execution of arbitrary code. - --- -Detailed Information: -Bind 8 contains a programming error that may present an attacker with -the opportunity to execute code of their choosing on an affected server. - -The error occurs in the handling of malformed transactions. When using -TCP this can result in the attacker causing a heap overflow. - --- -Affected Systems: - Bind 8. - --- -Attack Scenarios: -An attacker needs to send a specially crafted and malformed query to an -affected server. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/3154.txt snort-2.9.2/doc/signatures/3154.txt --- snort-2.9.0.1/doc/signatures/3154.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3154.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -2922 - --- -Summary: -This event is generated when an inverse query attempt is made using UDP. - --- - -Impact: -Possible execution of arbitrary code. - --- -Detailed Information: -Bind 8 contains a programming error that may present an attacker with -the opportunity to execute code of their choosing on an affected server. - -The error occurs in the handling of malformed transactions. When using -UDP this can result in the attacker causing a heap overflow. - --- -Affected Systems: - Bind 8. - --- -Attack Scenarios: -An attacker needs to send a specially crafted and malformed query to an -affected server. - --- -Ease of Attack: -Moderate. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/3155.txt snort-2.9.2/doc/signatures/3155.txt --- snort-2.9.0.1/doc/signatures/3155.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3155.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,92 +0,0 @@ -Rule: - --- -Sid: -3155 - --- -Summary: -BackOrifice is a Trojan Horse. - -Server Port: 31337 although in later versions this port can be changed -to a value between 1 and 65535 Protocol: UDP although in later versions -TCP can also be used - --- -Impact: -Possible theft of data and control of the targeted machine leading to a -compromise of all resources the machine is connected to. This Trojan -also has the ability to delete data, steal passwords and disable the -machine. - --- -Detailed Information: -The Trojan changes system registry settings to add the BackOrifice sever -to programs normally started on boot. Due to the nature of this Trojan -it is unlikely that the attacker's client IP address has been spoofed. - -The default name of the server application is UMGR32, which can be -changed on first use. The new application may be installed in the system -or system32 direcory and the original may also be deleted. - --- -Affected Systems: - Windows 95 - Windows 98 - Windows ME - Windows NT - --- -Attack Scenarios: -This Trojan may be delivered to the target in a number of ways. This -event is indicative of an existing infection being activated. Initial -compromise can be in the form of a Win32 installation program that may -use the extension ".jpg" or ".bmp" when delivered via e-mail for -example. - --- -Ease of Attack: -This is Trojan activity, the target machine may already be compromised. -Updated virus definition files are essential in detecting this Trojan. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: - -Edit the system registry to remove the extra keys or restore a -previously known good copy of the registry. 
- -Affected registry keys are: - - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ - -HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices - -Registry keys added may vary, look for spurious entries in the above -locations. - -BackOrifice may hide the process from viewing inthe Windows task -manager. A reboot of the infected machine is recommended. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Symantec Security Response -http://www.symantec.com/avcenter/venc/data/back.orifice2000.trojan.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3156.txt snort-2.9.2/doc/signatures/3156.txt --- snort-2.9.0.1/doc/signatures/3156.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3156.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3156 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3157.txt snort-2.9.2/doc/signatures/3157.txt --- snort-2.9.0.1/doc/signatures/3157.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3157.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3157 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3158.txt snort-2.9.2/doc/signatures/3158.txt --- snort-2.9.0.1/doc/signatures/3158.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3158.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3158 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3159.txt snort-2.9.2/doc/signatures/3159.txt --- snort-2.9.0.1/doc/signatures/3159.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3159.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3159 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/315.txt snort-2.9.2/doc/signatures/315.txt --- snort-2.9.0.1/doc/signatures/315.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/315.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: 315 - --- -Summary: -This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd. - --- -Impact: -System compromize presenting the attacker with escalated system privileges . - --- -Detailed Information: -Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem. - -The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used. - -Affected Systems: - Caldera OpenLinux Standard 1.2 - RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1 - --- -Attack Scenarios: -Exploit scripts are available - --- -Ease of Attack: -Simple. Exploits are available. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - -Apply the appropriate vendor supplied patches. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/121 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 - -CERT: -http://www.cert.org/advisories/CA-1998-12.html -http://www.cert.org/summaries/CS-98-08.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3160.txt snort-2.9.2/doc/signatures/3160.txt --- snort-2.9.0.1/doc/signatures/3160.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3160.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3160 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3161.txt snort-2.9.2/doc/signatures/3161.txt --- snort-2.9.0.1/doc/signatures/3161.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3161.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3161 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3162.txt snort-2.9.2/doc/signatures/3162.txt --- snort-2.9.0.1/doc/signatures/3162.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3162.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3162 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3163.txt snort-2.9.2/doc/signatures/3163.txt --- snort-2.9.0.1/doc/signatures/3163.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3163.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3163 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3164.txt snort-2.9.2/doc/signatures/3164.txt --- snort-2.9.0.1/doc/signatures/3164.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3164.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3164 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3165.txt snort-2.9.2/doc/signatures/3165.txt --- snort-2.9.0.1/doc/signatures/3165.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3165.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3165 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3166.txt snort-2.9.2/doc/signatures/3166.txt --- snort-2.9.0.1/doc/signatures/3166.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3166.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3166
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3167.txt snort-2.9.2/doc/signatures/3167.txt
--- snort-2.9.0.1/doc/signatures/3167.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3167.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3167
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3168.txt snort-2.9.2/doc/signatures/3168.txt
--- snort-2.9.0.1/doc/signatures/3168.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3168.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3168
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3169.txt snort-2.9.2/doc/signatures/3169.txt
--- snort-2.9.0.1/doc/signatures/3169.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3169.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3169
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/316.txt snort-2.9.2/doc/signatures/316.txt
--- snort-2.9.0.1/doc/signatures/316.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/316.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 316
-
---
-Summary:
-This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
-
---
-Impact:
-System compromize presenting the attacker with escalated system privileges .
-
---
-Detailed Information:
-Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
-
-The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
-
-Affected Systems:
- Caldera OpenLinux Standard 1.2
- RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/121
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
-
-CERT:
-http://www.cert.org/advisories/CA-1998-12.html
-http://www.cert.org/summaries/CS-98-08.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3170.txt snort-2.9.2/doc/signatures/3170.txt
--- snort-2.9.0.1/doc/signatures/3170.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3170.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3170
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3171.txt snort-2.9.2/doc/signatures/3171.txt
--- snort-2.9.0.1/doc/signatures/3171.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3171.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3171
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3172.txt snort-2.9.2/doc/signatures/3172.txt
--- snort-2.9.0.1/doc/signatures/3172.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3172.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3172
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3173.txt snort-2.9.2/doc/signatures/3173.txt
--- snort-2.9.0.1/doc/signatures/3173.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3173.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3173
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3174.txt snort-2.9.2/doc/signatures/3174.txt
--- snort-2.9.0.1/doc/signatures/3174.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3174.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3174
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3175.txt snort-2.9.2/doc/signatures/3175.txt
--- snort-2.9.0.1/doc/signatures/3175.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3175.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3175
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3176.txt snort-2.9.2/doc/signatures/3176.txt
--- snort-2.9.0.1/doc/signatures/3176.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3176.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3176
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3177.txt snort-2.9.2/doc/signatures/3177.txt
--- snort-2.9.0.1/doc/signatures/3177.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3177.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3177
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3178.txt snort-2.9.2/doc/signatures/3178.txt
--- snort-2.9.0.1/doc/signatures/3178.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3178.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3178
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3179.txt snort-2.9.2/doc/signatures/3179.txt
--- snort-2.9.0.1/doc/signatures/3179.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3179.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3179
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/317.txt snort-2.9.2/doc/signatures/317.txt
--- snort-2.9.0.1/doc/signatures/317.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/317.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 317
-
---
-Summary:
-This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
-
---
-Impact:
-System compromize presenting the attacker with escalated system privileges .
-
---
-Detailed Information:
-Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
-
-The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
-
-Affected Systems:
- Caldera OpenLinux Standard 1.2
- RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
-
---
-Attack Scenarios:
-Exploit scripts are available
-
---
-Ease of Attack:
-Simple. Exploits are available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/121
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
-
-CERT:
-http://www.cert.org/advisories/CA-1998-12.html
-http://www.cert.org/summaries/CS-98-08.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3180.txt snort-2.9.2/doc/signatures/3180.txt
--- snort-2.9.0.1/doc/signatures/3180.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3180.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3180
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3181.txt snort-2.9.2/doc/signatures/3181.txt
--- snort-2.9.0.1/doc/signatures/3181.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3181.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3181
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3182.txt snort-2.9.2/doc/signatures/3182.txt
--- snort-2.9.0.1/doc/signatures/3182.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3182.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3182
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3183.txt snort-2.9.2/doc/signatures/3183.txt
--- snort-2.9.0.1/doc/signatures/3183.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3183.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3183
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3184.txt snort-2.9.2/doc/signatures/3184.txt
--- snort-2.9.0.1/doc/signatures/3184.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3184.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3184
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3185.txt snort-2.9.2/doc/signatures/3185.txt
--- snort-2.9.0.1/doc/signatures/3185.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3185.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3185
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3186.txt snort-2.9.2/doc/signatures/3186.txt
--- snort-2.9.0.1/doc/signatures/3186.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3186.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3186
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3187.txt snort-2.9.2/doc/signatures/3187.txt
--- snort-2.9.0.1/doc/signatures/3187.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3187.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3187
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3188.txt snort-2.9.2/doc/signatures/3188.txt
--- snort-2.9.0.1/doc/signatures/3188.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3188.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3188
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3189.txt snort-2.9.2/doc/signatures/3189.txt
--- snort-2.9.0.1/doc/signatures/3189.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3189.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3189
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/318.txt snort-2.9.2/doc/signatures/318.txt
--- snort-2.9.0.1/doc/signatures/318.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/318.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-SID:
-318
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attempt is made to exploit a vulnerable
-version of bootpd
---
-
-Impact:
-If attack is successful, total system compromise from a remote attacker
---
-
-Detailed Information:
-Due to improper handling of bounds checking in bootp request packets
-Bootpd version 2.4.3(and earlier) is susceptible to several types of
-buffer overflows. A successful exploit will result in complete
-compromise of the attacked system. Any system running Bootpd version
-Stanford University bootpd 2.4.3 should consider themselves vulnerable
---
-
-Affected Systems:
- Debian Linux 1.1
- Debian Linux 1.2
- Debian Linux 1.3
- Debian Linux 1.3.1
- Debian Linux 2.0
- Stanford University bootpd 2.4.3
---
-
-Attack Scenarios:
-An attacker can exploit vulnerable bootpd servers and modify system
-files as the root user or create a shell with root privileges
---
-
-Ease of Attack:
-Simple, Sample code exists
---
-
-False Positives:
-none
---
-
-False Negatives:
-none
---
-
-Corrective Action:
-Vendors have supplied patched versions of bootpd, upgrade
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3190.txt snort-2.9.2/doc/signatures/3190.txt
--- snort-2.9.0.1/doc/signatures/3190.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3190.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3190
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3191.txt snort-2.9.2/doc/signatures/3191.txt
--- snort-2.9.0.1/doc/signatures/3191.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3191.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3191
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3192.txt snort-2.9.2/doc/signatures/3192.txt
--- snort-2.9.0.1/doc/signatures/3192.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3192.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3192
-
---
-Summary:
-This event is generated when an attempt is made to exploit a host via a
-vulnerability in Windows Media Player.
-
---
-Impact:
-Serious. Code execution leading to unauthorized administrative access
-to the target host.
-
---
-Detailed Information:
-A directory traversal vulnerability in Windows Media Player can be
-exploited via a malicious skin file downloaded from a remote machine.
-This may allow an attacker to execute code of their choosing on an
-affected host and gain administrative access to that host.
-
---
-Affected Systems:
- Microsoft Windows Media Player 7.1
- Windows Media Player for Windows XP
-
---
-Attack Scenarios:
-An attacker can create a malformed skin file and make it available for
-automatic download and installation by a user.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Nigel Houghton
-Brian Caswell
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3193.txt snort-2.9.2/doc/signatures/3193.txt
--- snort-2.9.0.1/doc/signatures/3193.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3193.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3193
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server.
-
---
-Impact:
-Serious. Code execution leading to unauthorized administrative access
-on the target host.
-
---
-Detailed Information:
-Microsoft IIS contains a programming error that may allow an attacker to
-execute commands of their choosing on a vulnerable system. If a valid
-request for an executable file on the system is made, the server will
-honor the request and execute any commands sent to the system. It may be
-possible for an attacker to execute system commands sent to cmd.exe or
-an executable batch file (.bat) for example.
-
---
-Affected Systems:
- Microsoft IIS 4.0
- Microsoft IIS 5.0
-
---
-Attack Scenarios:
-An attacker can send a request to an executable file on the system and
-supply command arguments of their choice to the file. The server will
-honor the request and execute the attackers commands.
-
-For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3194.txt snort-2.9.2/doc/signatures/3194.txt
--- snort-2.9.0.1/doc/signatures/3194.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3194.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-3194
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft Internet Information Server.
-
---
-Impact:
-Serious. Code execution leading to unauthorized administrative access
-on the target host.
-
---
-Detailed Information:
-Microsoft IIS contains a programming error that may allow an attacker to
-execute commands of their choosing on a vulnerable system. If a valid
-request for an executable file on the system is made, the server will
-honor the request and execute any commands sent to the system. It may be
-possible for an attacker to execute system commands sent to cmd.exe or
-an executable batch file (.bat) for example.
-
---
-Affected Systems:
- Microsoft IIS 4.0
- Microsoft IIS 5.0
-
---
-Attack Scenarios:
-An attacker can send a request to an executable file on the system and
-supply command arguments of their choice to the file. The server will
-honor the request and execute the attackers commands.
-
-For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3195.txt snort-2.9.2/doc/signatures/3195.txt
--- snort-2.9.0.1/doc/signatures/3195.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3195.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3195
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft WINS.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft WINS such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker would need to send multiple malformed request to the WINS
-service running on a host.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Uninstall the WINS service.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3196.txt snort-2.9.2/doc/signatures/3196.txt
--- snort-2.9.0.1/doc/signatures/3196.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3196.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3196
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft WINS.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft WINS such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker would need to send multiple malformed request to the WINS
-service running on a host.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Uninstall the WINS service.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3197.txt snort-2.9.2/doc/signatures/3197.txt
--- snort-2.9.0.1/doc/signatures/3197.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3197.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,84 +0,0 @@
-Rule:
-
---
-Sid:
-3197
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
-This event indicates that an attempt to exploit this vulnerability via
-the ISystemActivator component has been made.
-
-This vulnerability is also exploited by the Billy/Blaster worm. The worm
-also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
-number of events generated by this rule may indicate worm activity.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists. This is also exploited by a worm.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
-Block access to port 69 used by the worm to propogate.
-
-Block access to port 4444 used by the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Symantec:
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3198.txt snort-2.9.2/doc/signatures/3198.txt
--- snort-2.9.0.1/doc/signatures/3198.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3198.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,84 +0,0 @@
-Rule:
-
---
-Sid:
-3198
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
-This event indicates that an attempt to exploit this vulnerability via
-the ISystemActivator component has been made.
-
-This vulnerability is also exploited by the Billy/Blaster worm. The worm
-also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
-number of events generated by this rule may indicate worm activity.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists. This is also exploited by a worm.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
-Block access to port 69 used by the worm to propogate.
-
-Block access to port 4444 used by the worm.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Symantec:
-http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3199.txt snort-2.9.2/doc/signatures/3199.txt
--- snort-2.9.0.1/doc/signatures/3199.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3199.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3199
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft WINS.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft WINS such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker would need to send multiple malformed request to the WINS
-service running on a host.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Uninstall the WINS service.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/319.txt snort-2.9.2/doc/signatures/319.txt
--- snort-2.9.0.1/doc/signatures/319.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/319.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-SID:
-319
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attempt is made to exploit a vulnerable
-version of bootpd
---
-
-Impact:
-If attack is successful, total system compromise from a remote attacker
---
-
-Detailed Information:
-Due to improper handling of bounds checking in bootp request packets
-Bootpd version 2.4.3(and earlier) is susceptible to several types of
-buffer overflows. A successful exploit will result in complete
-compromise of the attacked system. Any system running Bootpd version
-Stanford University bootpd 2.4.3 should consider themselves vulnerable
---
-
-Affected Systems:
- Debian Linux 1.1
- Debian Linux 1.2
- Debian Linux 1.3
- Debian Linux 1.3.1
- Debian Linux 2.0
- Stanford University bootpd 2.4.3
---
-
-Attack Scenarios:
-An attacker can exploit vulnerable bootpd servers and modify system
-files as the root user or create a shell with root privileges
---
-
-Ease of Attack:
-Simple, Sample code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Vendors have supplied patched versions of bootpd, upgrade
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3200.txt snort-2.9.2/doc/signatures/3200.txt
--- snort-2.9.0.1/doc/signatures/3200.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3200.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3200
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft WINS.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft WINS such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker would need to send multiple malformed request to the WINS
-service running on a host.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Uninstall the WINS service.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3201.txt snort-2.9.2/doc/signatures/3201.txt
--- snort-2.9.0.1/doc/signatures/3201.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3201.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-3201
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-httpodbc.dll.
-
---
-Impact:
-Serious. Remote code execution is possible.
-
---
-Detailed Information:
-Versions of Microsoft Internet Information Server (IIS) and Microsoft
-Personal Web Server (PWS) are vulnerable to a directory traversal attack
-that may lead to access of certain sensitive system files.
-
-This event is generated when an attempt is made to access the file
-httpodbc.dll. This may indicate nimda worm activity.
-
---
-Affected Systems:
- Microsoft IIS 3.0
- Microsoft IIS 4.0
- Microsoft PWS
-
---
-Attack Scenarios:
-This may indicate worm activity.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3202.txt snort-2.9.2/doc/signatures/3202.txt
--- snort-2.9.0.1/doc/signatures/3202.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3202.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3202
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3203.txt snort-2.9.2/doc/signatures/3203.txt
--- snort-2.9.0.1/doc/signatures/3203.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3203.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3203
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3204.txt snort-2.9.2/doc/signatures/3204.txt
--- snort-2.9.0.1/doc/signatures/3204.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3204.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3204
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3205.txt snort-2.9.2/doc/signatures/3205.txt
--- snort-2.9.0.1/doc/signatures/3205.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3205.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3205
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3206.txt snort-2.9.2/doc/signatures/3206.txt
--- snort-2.9.0.1/doc/signatures/3206.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3206.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3206
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3207.txt snort-2.9.2/doc/signatures/3207.txt
--- snort-2.9.0.1/doc/signatures/3207.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3207.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3207
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3208.txt snort-2.9.2/doc/signatures/3208.txt
--- snort-2.9.0.1/doc/signatures/3208.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3208.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3208
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3209.txt snort-2.9.2/doc/signatures/3209.txt
--- snort-2.9.0.1/doc/signatures/3209.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3209.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3209
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/320.txt snort-2.9.2/doc/signatures/320.txt
--- snort-2.9.0.1/doc/signatures/320.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/320.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 320
-
---
-Summary:
-This event is generated when access to a known UNIX backdoor deployed by attackers is attempted. In this case it may be a connection to a Trojaned version of fingerd.
-
---
-
-Impact:
-Remote system compromise leading to a compromise of all resources the host is connected to.
-
---
-Detailed Information:
-The rule generates an event when access to a "fingerd" backdoor is attempted, this was often found on compromised UNIX machines in the late 1990s. The Trojan finger daemon runs as "root" and is started by inetd with parameters from inetd.conf file unlike the regular finger daemon which runs as "nobody" and replaces the regular "fingerd" binary. It allows its owner to execute several commands remotely by sending a finger request to a specific user. Particularly, the finger request for the user "cmd_rootsh" spawns a root shell bound to the finger port and allows remote command execution.
-
---
-
-Attack Scenarios:
-An attacker gains access to a UNIX machine via a remote exploit, then downloads and deploys the "fingerd" trojan. Next, the attacker only needs to send a finger request to gain root access with no password.
-
---
-
-Ease of Attack:
-The victim host is most likely already compromised.
-
---
-
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-
-Corrective Action:
-
-Restore the system from a known good backup.
-
-Reinstall the operating system.
-
---
-Contributors:
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10070
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0660
-
-SANS:
-http://www.sans.org/y2k/TFN_toolkit.htm
-http://www.sans.org/y2k/fingerd.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3210.txt snort-2.9.2/doc/signatures/3210.txt
--- snort-2.9.0.1/doc/signatures/3210.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3210.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3210
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3211.txt snort-2.9.2/doc/signatures/3211.txt
--- snort-2.9.0.1/doc/signatures/3211.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3211.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3211
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3212.txt snort-2.9.2/doc/signatures/3212.txt
--- snort-2.9.0.1/doc/signatures/3212.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3212.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3212
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3213.txt snort-2.9.2/doc/signatures/3213.txt
--- snort-2.9.0.1/doc/signatures/3213.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3213.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3213
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3214.txt snort-2.9.2/doc/signatures/3214.txt
--- snort-2.9.0.1/doc/signatures/3214.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3214.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3214
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3215.txt snort-2.9.2/doc/signatures/3215.txt
--- snort-2.9.0.1/doc/signatures/3215.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3215.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3215
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3216.txt snort-2.9.2/doc/signatures/3216.txt
--- snort-2.9.0.1/doc/signatures/3216.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3216.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3216
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3217.txt snort-2.9.2/doc/signatures/3217.txt
--- snort-2.9.0.1/doc/signatures/3217.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3217.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3217
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3218.txt snort-2.9.2/doc/signatures/3218.txt
--- snort-2.9.0.1/doc/signatures/3218.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3218.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3218
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3219.txt snort-2.9.2/doc/signatures/3219.txt
--- snort-2.9.0.1/doc/signatures/3219.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3219.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3219
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/321.txt snort-2.9.2/doc/signatures/321.txt
--- snort-2.9.0.1/doc/signatures/321.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/321.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 321
-
---
-Summary:
-An information leak exploit against the old Solaris finger daemon
-
---
-Impact:
-Intelligence gathering activity. The attacker may be trying to obtain a list of accounts on the victim host.
-
---
-Detailed Information:
-The rule generates an event when an attempt is made to exploit a bug in the Solaris "fingerd" daemon. The bug allows the attacker to obtain the lists of accounts existing on the Sun system by issuing a specially crafted finger request.
-
-Obtaining a list of accounts may precipitate a password guessing attack, an email attack or other abuses against those accounts.
-
---
-Attack Scenarios:
-An attacker may learn that a "guest" account exists on the system and has never been used. He might then guesse the password for this account and is now able to log in to the system remotely using telnet or ssh for example. This might then lead to further system compromise and escalated privileges for the attacker.
-
---
-Ease of Attack:
-Simple
-No exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Look for other IDS events involving the same IP addresses
-
-Check system logs for suspicious logins to the affected system,
-
-Disable the fingerd daemon
-
-Apply a vendor patch that removes the vulnerability
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Nessus
-http://cgi.nessus.org/plugins/dump.php3?id=10788
-
-Securiteam
-http://www.securiteam.com/unixfocus/6B00M0U2UW.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3220.txt snort-2.9.2/doc/signatures/3220.txt
--- snort-2.9.0.1/doc/signatures/3220.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3220.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3220
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3221.txt snort-2.9.2/doc/signatures/3221.txt
--- snort-2.9.0.1/doc/signatures/3221.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3221.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3221
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3222.txt snort-2.9.2/doc/signatures/3222.txt
--- snort-2.9.0.1/doc/signatures/3222.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3222.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3222
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3223.txt snort-2.9.2/doc/signatures/3223.txt
--- snort-2.9.0.1/doc/signatures/3223.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3223.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3223
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3224.txt snort-2.9.2/doc/signatures/3224.txt
--- snort-2.9.0.1/doc/signatures/3224.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3224.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3224
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3225.txt snort-2.9.2/doc/signatures/3225.txt
--- snort-2.9.0.1/doc/signatures/3225.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3225.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3225
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3226.txt snort-2.9.2/doc/signatures/3226.txt
--- snort-2.9.0.1/doc/signatures/3226.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3226.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3226
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3227.txt snort-2.9.2/doc/signatures/3227.txt
--- snort-2.9.0.1/doc/signatures/3227.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3227.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3227
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3228.txt snort-2.9.2/doc/signatures/3228.txt
--- snort-2.9.0.1/doc/signatures/3228.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3228.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3228
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3229.txt snort-2.9.2/doc/signatures/3229.txt
--- snort-2.9.0.1/doc/signatures/3229.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3229.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3229
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/322.txt snort-2.9.2/doc/signatures/322.txt
--- snort-2.9.0.1/doc/signatures/322.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/322.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid: 322
-
---
-Summary:
-This event is genrated when an attempt is made to query the finger daemon to ascertain a list of usernames on a system.
-
---
-
-Impact:
-Information gatthering, the attacker may obtain the list of some accounts existing on the victim system as a prelude to further compromize.
-
---
-Detailed Information:
-
-The rule is triggerred when an attempt to use a search feature in
-"cfingerd" version of a finger daemon is attempted. The search feature
-allows the attacker to obtain the lists of accounts existing on the
-target system by issuing a specially crafted finger request to
-"search" for information. Knowing the list of accounts might
-facilitate a password guessing attacks, email attacks or other abuse.
-
---
-
-Attack Scenarios: an attacker learns that "guest" account exists and
-has never been used. He then guesses that the password for this
-account and logs in to the system remotely using telnet.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Look for other IDS events involving the same IP addresses.
-
-Look for suspicious logins to the affected system.
-
-Disable the finger daemon or apply a vendor patch that removes the vulnerability
-
---
-Contributors:
-Original rule writer Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS375
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0259
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3230.txt snort-2.9.2/doc/signatures/3230.txt
--- snort-2.9.0.1/doc/signatures/3230.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3230.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3230
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3231.txt snort-2.9.2/doc/signatures/3231.txt
--- snort-2.9.0.1/doc/signatures/3231.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3231.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3231
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3232.txt snort-2.9.2/doc/signatures/3232.txt
--- snort-2.9.0.1/doc/signatures/3232.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3232.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3232
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3233.txt snort-2.9.2/doc/signatures/3233.txt
--- snort-2.9.0.1/doc/signatures/3233.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3233.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3233
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3234.txt snort-2.9.2/doc/signatures/3234.txt
--- snort-2.9.0.1/doc/signatures/3234.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3234.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3234
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3235.txt snort-2.9.2/doc/signatures/3235.txt
--- snort-2.9.0.1/doc/signatures/3235.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3235.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3235
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3236.txt snort-2.9.2/doc/signatures/3236.txt
--- snort-2.9.0.1/doc/signatures/3236.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3236.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3236
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3237.txt snort-2.9.2/doc/signatures/3237.txt
--- snort-2.9.0.1/doc/signatures/3237.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3237.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3237
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3238.txt snort-2.9.2/doc/signatures/3238.txt
--- snort-2.9.0.1/doc/signatures/3238.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3238.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3238
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3239.txt snort-2.9.2/doc/signatures/3239.txt
--- snort-2.9.0.1/doc/signatures/3239.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3239.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3239
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/323.txt snort-2.9.2/doc/signatures/323.txt
--- snort-2.9.0.1/doc/signatures/323.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/323.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 323
-
---
-
-Summary:
-This is an intelligence gathering activity.
-
---
-
-Impact:
-The attacker may obtain detailed information about the administrative super user account.
-
---
-Detailed Information:
-This event is generated when an attempt to access information about the administrative account "root" on a UNIX system is made via the finger service.
-
-The information that can be collected includes time and source address of the last login and/or current login sessions, type of shell, path to home directory, mail forwarding address (often reflecting the name of the person administrering the system) and the time when "root" email was last read. This information can be used in planning further attacks against the host.
-
---
-
-Attack Scenarios:
-The attacker learns that "root" has not logged in for a long time. He hypothesizes that the system is not often used and thus not likely to be patched or secured and may therefore, be vulnerable to a number of other attacks.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS376
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3240.txt snort-2.9.2/doc/signatures/3240.txt
--- snort-2.9.0.1/doc/signatures/3240.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3240.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3240
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3241.txt snort-2.9.2/doc/signatures/3241.txt
--- snort-2.9.0.1/doc/signatures/3241.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3241.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3241
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3242.txt snort-2.9.2/doc/signatures/3242.txt
--- snort-2.9.0.1/doc/signatures/3242.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3242.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3242
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3243.txt snort-2.9.2/doc/signatures/3243.txt
--- snort-2.9.0.1/doc/signatures/3243.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3243.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3243
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3244.txt snort-2.9.2/doc/signatures/3244.txt
--- snort-2.9.0.1/doc/signatures/3244.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3244.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3244
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3245.txt snort-2.9.2/doc/signatures/3245.txt
--- snort-2.9.0.1/doc/signatures/3245.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3245.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3245
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3246.txt snort-2.9.2/doc/signatures/3246.txt
--- snort-2.9.0.1/doc/signatures/3246.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3246.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3246
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3247.txt snort-2.9.2/doc/signatures/3247.txt
--- snort-2.9.0.1/doc/signatures/3247.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3247.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3247
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3248.txt snort-2.9.2/doc/signatures/3248.txt
--- snort-2.9.0.1/doc/signatures/3248.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3248.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3248
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3249.txt snort-2.9.2/doc/signatures/3249.txt
--- snort-2.9.0.1/doc/signatures/3249.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3249.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3249
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/324.txt snort-2.9.2/doc/signatures/324.txt
--- snort-2.9.0.1/doc/signatures/324.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/324.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-
-324
-
---
-Summary:
-This event is generated when a null character in a Finger request is
-detected.
-
---
-Impact:
-Some systems will respond to a null finger request by supplying a list
-of usernames present on the host.
-
-Disclosure of usernames is an Information Gathering risk. The remote
-user can use this information in other exploits that require knowing
-user names, or as a basis for social engineering.
-
---
-Detailed Information:
-A packet is transmitted to server port 79 (Finger) with a null character
-in the data. Some Unix finger commands will respond with a full list of
-usernames. A remote attacker could use this information for other
-exploits, including dictionary-based password attacks and social
-engineering attempts.
-
---
-Affected Systems:
- Some UNIX based systems
-
---
-Attack Scenarios:
-See detailed information section above.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Disable the finger daemon in inetd.conf, or block untrusted access to
-port 79 using a packet filtering firewall.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Darryl Davidson
-
---
-Additional References: CVE-1999-0612,
-
-Arachnids:
-http://www.whitehats.com/info/IDS377 (Arachnids,377)
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3250.txt snort-2.9.2/doc/signatures/3250.txt
--- snort-2.9.0.1/doc/signatures/3250.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3250.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3250
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3251.txt snort-2.9.2/doc/signatures/3251.txt
--- snort-2.9.0.1/doc/signatures/3251.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3251.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3251
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3252.txt snort-2.9.2/doc/signatures/3252.txt
--- snort-2.9.0.1/doc/signatures/3252.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3252.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3252
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3253.txt snort-2.9.2/doc/signatures/3253.txt
--- snort-2.9.0.1/doc/signatures/3253.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3253.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3253
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3254.txt snort-2.9.2/doc/signatures/3254.txt
--- snort-2.9.0.1/doc/signatures/3254.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3254.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3254
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3255.txt snort-2.9.2/doc/signatures/3255.txt
--- snort-2.9.0.1/doc/signatures/3255.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3255.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3255
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3256.txt snort-2.9.2/doc/signatures/3256.txt
--- snort-2.9.0.1/doc/signatures/3256.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3256.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3256
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3257.txt snort-2.9.2/doc/signatures/3257.txt
--- snort-2.9.0.1/doc/signatures/3257.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3257.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3257
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3258.txt snort-2.9.2/doc/signatures/3258.txt
--- snort-2.9.0.1/doc/signatures/3258.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3258.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3258
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3259.txt snort-2.9.2/doc/signatures/3259.txt
--- snort-2.9.0.1/doc/signatures/3259.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3259.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3259
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/325.txt snort-2.9.2/doc/signatures/325.txt
--- snort-2.9.0.1/doc/signatures/325.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/325.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 325
-
---
-
-Summary:
-This is an intelligence gathering activity.
-
---
-
-Impact:
-The attacker may obtain a list of accounts existing on the target host.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use a finger command against a host with a username of "0". A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login).
-
-Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse.
-
---
-
-Attack Scenarios:
-An attacker learns that the "sys" account exists on the system. He then proceeds to guess the password and is then able to gain remote access to the system.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS378
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3260.txt snort-2.9.2/doc/signatures/3260.txt
--- snort-2.9.0.1/doc/signatures/3260.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3260.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3260
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3261.txt snort-2.9.2/doc/signatures/3261.txt
--- snort-2.9.0.1/doc/signatures/3261.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3261.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3261
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3262.txt snort-2.9.2/doc/signatures/3262.txt
--- snort-2.9.0.1/doc/signatures/3262.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3262.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3262
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3263.txt snort-2.9.2/doc/signatures/3263.txt
--- snort-2.9.0.1/doc/signatures/3263.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3263.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3263
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3264.txt snort-2.9.2/doc/signatures/3264.txt
--- snort-2.9.0.1/doc/signatures/3264.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3264.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3264
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3265.txt snort-2.9.2/doc/signatures/3265.txt
--- snort-2.9.0.1/doc/signatures/3265.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3265.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3265
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3266.txt snort-2.9.2/doc/signatures/3266.txt
--- snort-2.9.0.1/doc/signatures/3266.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3266.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3266
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3267.txt snort-2.9.2/doc/signatures/3267.txt
--- snort-2.9.0.1/doc/signatures/3267.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3267.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3267
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3268.txt snort-2.9.2/doc/signatures/3268.txt
--- snort-2.9.0.1/doc/signatures/3268.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3268.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3268
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3269.txt snort-2.9.2/doc/signatures/3269.txt
--- snort-2.9.0.1/doc/signatures/3269.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3269.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3269
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/326.txt snort-2.9.2/doc/signatures/326.txt
--- snort-2.9.0.1/doc/signatures/326.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/326.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid: 326
-
---
-
-Summary:
-This event is generated when a remote command execution exploit against
-a finger daemon is attempted.
-
---
-Impact:
-Serious. The attacker may be presented with the opportunity to run a
-command of his choice on the target UNIX system
-
---
-Detailed Information:
-This event is generated when a specific attack against a vulnerable
-version of finger daemon is detected.
-
-The Finger daemon is used to provide information about users on a UNIX
-system. It used to be installed and enabled by default on most
-UNIX/Linux systems. The attack may allow an attacker to execute a
-command remotely on a target system with the privileges of the user
-running the "finger" daemon. The user is usually defined in the
-/etc/inetd.conf file and is commonly designated as "nobody".
-
---
-Attack Scenarios:
-An attacker may try the attack and then executes a command to download a
-backdoor to the target system. He then connects to the system and may
-attempt to escalate his privileges by exploiting a local SUID
-application to gain "root" privileges.
-
---
-Ease of Attack:
-Simple, no exploit software is required, just a specially formatted finger query
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the
-service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS379
-
-Bugtraq:
-http://online.securityfocus.com/bid/974
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3270.txt snort-2.9.2/doc/signatures/3270.txt
--- snort-2.9.0.1/doc/signatures/3270.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3270.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3270
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3271.txt snort-2.9.2/doc/signatures/3271.txt
--- snort-2.9.0.1/doc/signatures/3271.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3271.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3271
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3273.txt snort-2.9.2/doc/signatures/3273.txt
--- snort-2.9.0.1/doc/signatures/3273.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3273.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-3152
-
---
-Summary:
-This event is generated when an attempt is made to access a host running
-Microsoft SQL Server or utilizing MSDE via the default "sa" account.
-
---
-Impact:
-Information disclosure. Unauthorized access to the host.
-
---
-Detailed Information:
-This event is generated when an attempt is made to access a host via the
-"sa" account using brute force techniques to guess a password.
-
-Microsoft SQL server and MSDE components use a default "sa" account with
-a default password as the administrative user for the database
-installation. This event indicates that numerous failed attempts have
-been made to access the target host using this account.
-
---
-Affected Systems:
- Microsoft SQL Server 2000
- Microsoft SQL Server 7.0
- Systems using Microsoft MSDE components
-
---
-Attack Scenarios:
-An attacker can use an automated script to gain access to a host and the
-database contents as an administrator by repeatly attempting to login
-using the "sa" account and different passwords.
-
-Some worms also try to brute force entry using this methodology.
-
---
-Ease of Attack:
-Simple,
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Change the default "sa" password
-
-Disable the "sa" account.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3274.txt snort-2.9.2/doc/signatures/3274.txt
--- snort-2.9.0.1/doc/signatures/3274.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3274.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-3274
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-buffer overflow vulnerability affecting "login" via Telnet.
-
---
-Impact:
-Serious. Unauthorized administrative access to the target host.
-
---
-Detailed Information:
-The login binary is used when establishing an interactive session on a
-system. It is used locally and by protocols that allow remote access. A
-buffer overflow condition exists in some versions of login that can be
-triggered by the manipulation of environment variables.
-
-This event is generated when an attempt is made to overflow login via
-telnet by manipulating the TTYPROMPT environment variable.
-
---
-Affected Systems:
- Systems using Sys V derived login
-
---
-Attack Scenarios:
-An attacker can overflow a buffer by inserting 6 bytes of data followed
-by 65 characters and a newline into the TTYPROMPT variable.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3275.txt snort-2.9.2/doc/signatures/3275.txt
--- snort-2.9.0.1/doc/signatures/3275.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3275.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3275
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3276.txt snort-2.9.2/doc/signatures/3276.txt
--- snort-2.9.0.1/doc/signatures/3276.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3276.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3276
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3277.txt snort-2.9.2/doc/signatures/3277.txt
--- snort-2.9.0.1/doc/signatures/3277.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3277.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3277
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3278.txt snort-2.9.2/doc/signatures/3278.txt
--- snort-2.9.0.1/doc/signatures/3278.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3278.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3278
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3279.txt snort-2.9.2/doc/signatures/3279.txt
--- snort-2.9.0.1/doc/signatures/3279.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3279.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3279
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/327.txt snort-2.9.2/doc/signatures/327.txt
--- snort-2.9.0.1/doc/signatures/327.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/327.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 327
-
---
-
-Summary:
-This event is generated when a remote command execution exploit against a finger daemon is attempted.
-
---
-
-Impact:
-Serious. The attacker may be presented with the opportunity to run a command of his choice on the target UNIX system
-
---
-Detailed Information:
-This event is generated when a specific attack against a vulnerable version of the finger daemon is detected.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack may allow an attacker to execute a command remotely on a target system with the privileges of the user running the "finger" daemon. The user is usually defined in the /etc/inetd.conf file and is commonly designated as "nobody".
-
---
-Attack Scenarios:
-An attacker may try the attack and then executes a command to download a backdoor to the target system. He then connects to the system and may attempt to escalate his privileges by exploiting a local SUID application to gain "root" privileges.
-
---
-
-Ease of Attack:
-Simple, no exploit software is required, just a specially formatted finger query
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0152
-
-Arachnids:
-http://www.whitehats.com/info/IDS380
-
-Bugtraq:
-http://online.securityfocus.com/bid/2220
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3280.txt snort-2.9.2/doc/signatures/3280.txt
--- snort-2.9.0.1/doc/signatures/3280.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3280.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3280
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3281.txt snort-2.9.2/doc/signatures/3281.txt
--- snort-2.9.0.1/doc/signatures/3281.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3281.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3281
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3282.txt snort-2.9.2/doc/signatures/3282.txt
--- snort-2.9.0.1/doc/signatures/3282.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3282.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3282
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3283.txt snort-2.9.2/doc/signatures/3283.txt
--- snort-2.9.0.1/doc/signatures/3283.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3283.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3283
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3284.txt snort-2.9.2/doc/signatures/3284.txt
--- snort-2.9.0.1/doc/signatures/3284.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3284.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3284
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3285.txt snort-2.9.2/doc/signatures/3285.txt
--- snort-2.9.0.1/doc/signatures/3285.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3285.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3285
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3286.txt snort-2.9.2/doc/signatures/3286.txt
--- snort-2.9.0.1/doc/signatures/3286.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3286.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3286
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3287.txt snort-2.9.2/doc/signatures/3287.txt
--- snort-2.9.0.1/doc/signatures/3287.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3287.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3287
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3288.txt snort-2.9.2/doc/signatures/3288.txt
--- snort-2.9.0.1/doc/signatures/3288.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3288.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3288 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3289.txt snort-2.9.2/doc/signatures/3289.txt --- snort-2.9.0.1/doc/signatures/3289.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3289.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3289 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/328.txt snort-2.9.2/doc/signatures/328.txt --- snort-2.9.0.1/doc/signatures/328.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/328.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: 328 - --- - -Summary: -This event is generated when a Denial-of-Service (DoS) attack against a finger daemon is attempted. - --- - -Impact: -The attacker may overload the target machine or crash the finger daemon - --- -Detailed Information: -This event is generated when a specially crafted finger query is directed at a target UNIX host. - -The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack will crash or overload the vulnerable machines. - --- - -Attack Scenarios: -The attacker needs to send specially crafted packets to the finger daemon on a host. - --- - -Ease of Attack: -Moderate, no exploit software is required, just a specially formatted finger query - --- - -False Positives: -None Known - --- -False Negatives: -None Known - --- - -Corrective Action: -Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers. - --- -Contributors: -Original rule written by Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0106 - -Arachnids: -http://www.whitehats.com/info/IDS381 - --- diff -Nru snort-2.9.0.1/doc/signatures/3290.txt snort-2.9.2/doc/signatures/3290.txt --- snort-2.9.0.1/doc/signatures/3290.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3290.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3290 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3291.txt snort-2.9.2/doc/signatures/3291.txt --- snort-2.9.0.1/doc/signatures/3291.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3291.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3291 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3292.txt snort-2.9.2/doc/signatures/3292.txt --- snort-2.9.0.1/doc/signatures/3292.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3292.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3292 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3293.txt snort-2.9.2/doc/signatures/3293.txt --- snort-2.9.0.1/doc/signatures/3293.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3293.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3293 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3294.txt snort-2.9.2/doc/signatures/3294.txt --- snort-2.9.0.1/doc/signatures/3294.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3294.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3294 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3295.txt snort-2.9.2/doc/signatures/3295.txt --- snort-2.9.0.1/doc/signatures/3295.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3295.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3295 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3296.txt snort-2.9.2/doc/signatures/3296.txt --- snort-2.9.0.1/doc/signatures/3296.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3296.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3296 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3297.txt snort-2.9.2/doc/signatures/3297.txt --- snort-2.9.0.1/doc/signatures/3297.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3297.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3297 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3298.txt snort-2.9.2/doc/signatures/3298.txt --- snort-2.9.0.1/doc/signatures/3298.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3298.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3298 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3299.txt snort-2.9.2/doc/signatures/3299.txt --- snort-2.9.0.1/doc/signatures/3299.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3299.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3299 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/329.txt snort-2.9.2/doc/signatures/329.txt --- snort-2.9.0.1/doc/signatures/329.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/329.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: 329 - --- -Summary: -This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon - --- -Impact: -The attacker may obtain information about a third party host without making a direct connection to that host. - --- -Detailed Information: -The event is generated when an attempt to use a machine to run -finger queries against a third party UNIX system is attempted by the -Cybercop vulnerability scanner. - -The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker. - -The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries. - --- - -Attack Scenarios: -An attacker uses the Cybercop vulnerability scanner to test for this weakness. - --- - -Ease of Attack: -Simple, performed by a scanner - --- - -False Positives: -None Known - --- -False Negatives: -None Known - --- - -Corrective Action: -Disable the finger daemon or upgrade to a daemon without finger forwarding functionality - - --- -Contributors: -Original rule written by Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105 - -Arachnids: -http://www.whitehats.com/info/IDS11 - --- diff -Nru snort-2.9.0.1/doc/signatures/3300.txt snort-2.9.2/doc/signatures/3300.txt --- snort-2.9.0.1/doc/signatures/3300.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3300.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3300 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3301.txt snort-2.9.2/doc/signatures/3301.txt --- snort-2.9.0.1/doc/signatures/3301.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3301.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3301 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3302.txt snort-2.9.2/doc/signatures/3302.txt --- snort-2.9.0.1/doc/signatures/3302.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3302.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3302 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3303.txt snort-2.9.2/doc/signatures/3303.txt --- snort-2.9.0.1/doc/signatures/3303.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3303.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3303 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3304.txt snort-2.9.2/doc/signatures/3304.txt --- snort-2.9.0.1/doc/signatures/3304.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3304.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3304 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3305.txt snort-2.9.2/doc/signatures/3305.txt --- snort-2.9.0.1/doc/signatures/3305.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3305.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3305
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3306.txt snort-2.9.2/doc/signatures/3306.txt
--- snort-2.9.0.1/doc/signatures/3306.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3306.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3306
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3307.txt snort-2.9.2/doc/signatures/3307.txt
--- snort-2.9.0.1/doc/signatures/3307.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3307.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3307
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3308.txt snort-2.9.2/doc/signatures/3308.txt
--- snort-2.9.0.1/doc/signatures/3308.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3308.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3308
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3309.txt snort-2.9.2/doc/signatures/3309.txt
--- snort-2.9.0.1/doc/signatures/3309.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3309.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3309
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/330.txt snort-2.9.2/doc/signatures/330.txt
--- snort-2.9.0.1/doc/signatures/330.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/330.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid: 330
-
---
-Summary:
-This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
-
---
-Impact:
-The attacker may obtain information about a third party host without making a direct connection to that host.
-
---
-Detailed Information:
-The event is generated when an attempt to use a machine to run
-finger queries against a third party UNIX system is attempted.
-
-The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
-
---
-Attack Scenarios:
-An attacker runs a finger query and obtains information about the root account. He then proceeds to compromise the system using the obtained data as a basis for the compromise.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
-
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10073
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
-
-Arachnids:
-http://www.whitehats.com/info/IDS251
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3310.txt snort-2.9.2/doc/signatures/3310.txt
--- snort-2.9.0.1/doc/signatures/3310.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3310.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3310
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3311.txt snort-2.9.2/doc/signatures/3311.txt
--- snort-2.9.0.1/doc/signatures/3311.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3311.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3311
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3312.txt snort-2.9.2/doc/signatures/3312.txt
--- snort-2.9.0.1/doc/signatures/3312.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3312.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3312
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3313.txt snort-2.9.2/doc/signatures/3313.txt
--- snort-2.9.0.1/doc/signatures/3313.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3313.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3313
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3314.txt snort-2.9.2/doc/signatures/3314.txt
--- snort-2.9.0.1/doc/signatures/3314.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3314.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3314
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3315.txt snort-2.9.2/doc/signatures/3315.txt
--- snort-2.9.0.1/doc/signatures/3315.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3315.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3315
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3316.txt snort-2.9.2/doc/signatures/3316.txt
--- snort-2.9.0.1/doc/signatures/3316.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3316.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3316
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3317.txt snort-2.9.2/doc/signatures/3317.txt
--- snort-2.9.0.1/doc/signatures/3317.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3317.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3317
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3318.txt snort-2.9.2/doc/signatures/3318.txt
--- snort-2.9.0.1/doc/signatures/3318.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3318.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3318
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3319.txt snort-2.9.2/doc/signatures/3319.txt
--- snort-2.9.0.1/doc/signatures/3319.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3319.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3319
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/331.txt snort-2.9.2/doc/signatures/331.txt
--- snort-2.9.0.1/doc/signatures/331.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/331.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-reference:arachnids,132; reference:cve,CVE-1999-0612;
-classtype:attempted-recon; sid:331; rev:6;)
-
---
-Sid: 331
-
---
-
-Summary:
-This is an intelligence gathering activity. This event is indicative of an information leak attempt against a finger daemon performed by a vulnerability scanner
-
---
-
-Impact:
-The attacker may obtain information about user accounts on the target system.
-
---
-Detailed Information:
-This event is generated when an attempt to query the finger daemon is attempted by the Cybercop vulnerability scanner.
-
-The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The scan will confirm that the target host will respond to finger queries.
-
---
-
-Attack Scenarios:
-An attacker uses the Cybercop vulnerability scanner to test for this weakness.
-
---
-
-Ease of Attack:
-Simple, performed by a scanner
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via a firewall or TCP wrappers.
-
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS132
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0612
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3320.txt snort-2.9.2/doc/signatures/3320.txt
--- snort-2.9.0.1/doc/signatures/3320.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3320.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3320
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3321.txt snort-2.9.2/doc/signatures/3321.txt
--- snort-2.9.0.1/doc/signatures/3321.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3321.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3321
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3322.txt snort-2.9.2/doc/signatures/3322.txt
--- snort-2.9.0.1/doc/signatures/3322.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3322.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3322
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3323.txt snort-2.9.2/doc/signatures/3323.txt
--- snort-2.9.0.1/doc/signatures/3323.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3323.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3323
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3324.txt snort-2.9.2/doc/signatures/3324.txt
--- snort-2.9.0.1/doc/signatures/3324.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3324.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3324
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3325.txt snort-2.9.2/doc/signatures/3325.txt
--- snort-2.9.0.1/doc/signatures/3325.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3325.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3325
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3326.txt snort-2.9.2/doc/signatures/3326.txt
--- snort-2.9.0.1/doc/signatures/3326.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3326.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3326
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3327.txt snort-2.9.2/doc/signatures/3327.txt
--- snort-2.9.0.1/doc/signatures/3327.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3327.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3327
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3328.txt snort-2.9.2/doc/signatures/3328.txt
--- snort-2.9.0.1/doc/signatures/3328.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3328.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3328
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3329.txt snort-2.9.2/doc/signatures/3329.txt
--- snort-2.9.0.1/doc/signatures/3329.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3329.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3329
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/332.txt snort-2.9.2/doc/signatures/332.txt
--- snort-2.9.0.1/doc/signatures/332.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/332.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid: 332
-
---
-
-Summary:
-An intelligence gathering attack against the finger daemon
-
---
-
-Impact:
-The attacker may obtain information about user accounts on the target system.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use a finger command against a host with a username of "0". A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login).
-
-Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse.
-
---
-
-Attack Scenarios:
-An attacker learns that the "sys" account exists on the system. He then proceeds to guess the password and is then able to gain remote access to the system.
-
---
-
-Ease of Attack:
-Simple, no exploit software required
-
---
-
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
-
---
-Contributors:
-Original rule written by Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS378
-http://www.whitehats.com/info/IDS131
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197
-
-Nessus:
-http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3330.txt snort-2.9.2/doc/signatures/3330.txt
--- snort-2.9.0.1/doc/signatures/3330.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3330.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3330
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3331.txt snort-2.9.2/doc/signatures/3331.txt
--- snort-2.9.0.1/doc/signatures/3331.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3331.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3331
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3332.txt snort-2.9.2/doc/signatures/3332.txt
--- snort-2.9.0.1/doc/signatures/3332.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3332.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3332
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3333.txt snort-2.9.2/doc/signatures/3333.txt
--- snort-2.9.0.1/doc/signatures/3333.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3333.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3333
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3334.txt snort-2.9.2/doc/signatures/3334.txt
--- snort-2.9.0.1/doc/signatures/3334.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3334.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3334
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3335.txt snort-2.9.2/doc/signatures/3335.txt
--- snort-2.9.0.1/doc/signatures/3335.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3335.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3335
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3336.txt snort-2.9.2/doc/signatures/3336.txt
--- snort-2.9.0.1/doc/signatures/3336.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3336.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3336
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3337.txt snort-2.9.2/doc/signatures/3337.txt
--- snort-2.9.0.1/doc/signatures/3337.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3337.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3337
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3338.txt snort-2.9.2/doc/signatures/3338.txt
--- snort-2.9.0.1/doc/signatures/3338.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3338.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3338
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3339.txt snort-2.9.2/doc/signatures/3339.txt
--- snort-2.9.0.1/doc/signatures/3339.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3339.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3339
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/333.txt snort-2.9.2/doc/signatures/333.txt
--- snort-2.9.0.1/doc/signatures/333.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/333.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@ -Rule: - --- -Sid: -333 - --- -Summary: -This event is generated when a remote user sends a finger request to .@hostname. This may indicate an attempt to discover information about users on the system. - --- -Impact: -Information gathering. - --- -Detailed Information: -Finger is a directory service on UNIX and Linux operating systems that allows users to obtain basic information about other users, including account name, home directory, and login status. A malicious user could use the string "finger .@hostname" to obtain a list of each user on the system. This may enable the attacker to view unused or inactive accounts, which are more likely to have default passwords that are relatively easy to guess or susceptible to brute force password attempts. - --- -Affected Systems: -Any UNIX/Linux distribution with older versions of finger enabled. - --- -Attack Scenarios: -An attacker issues a finger .@host to the vulnerable server and views a list of users. The attacker then attempts to guess passwords for users with the "Never logged in" status. - --- -Ease of Attack: -Simple. - --- -False Positives: -A non-malicious user using finger to obtain a user list will cause this rule to trigger. - --- -False Negatives: -None known. - --- -Corrective Action: -Disable finger support on your servers or upgrade to a more recent version of the finger daemon. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3340.txt snort-2.9.2/doc/signatures/3340.txt --- snort-2.9.0.1/doc/signatures/3340.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3340.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3340 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3341.txt snort-2.9.2/doc/signatures/3341.txt --- snort-2.9.0.1/doc/signatures/3341.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3341.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3341 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3342.txt snort-2.9.2/doc/signatures/3342.txt --- snort-2.9.0.1/doc/signatures/3342.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3342.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3342 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3343.txt snort-2.9.2/doc/signatures/3343.txt --- snort-2.9.0.1/doc/signatures/3343.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3343.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3343 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3344.txt snort-2.9.2/doc/signatures/3344.txt --- snort-2.9.0.1/doc/signatures/3344.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3344.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3344 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3345.txt snort-2.9.2/doc/signatures/3345.txt --- snort-2.9.0.1/doc/signatures/3345.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3345.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3345 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3346.txt snort-2.9.2/doc/signatures/3346.txt --- snort-2.9.0.1/doc/signatures/3346.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3346.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3346 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3347.txt snort-2.9.2/doc/signatures/3347.txt --- snort-2.9.0.1/doc/signatures/3347.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3347.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3347 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3348.txt snort-2.9.2/doc/signatures/3348.txt --- snort-2.9.0.1/doc/signatures/3348.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3348.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3348 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3349.txt snort-2.9.2/doc/signatures/3349.txt --- snort-2.9.0.1/doc/signatures/3349.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3349.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3349 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/334.txt snort-2.9.2/doc/signatures/334.txt --- snort-2.9.0.1/doc/signatures/334.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/334.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: 334 - --- -Summary: -This event is generated when an attempt to copy a specific file to an FTP server is made. - --- - -Impact: -Serious. The attacker might gain the ability to execute commands remotely with the privileges of the affected user. - --- -Detailed Information: -This event is generated when an attempt to copy a ".forward" file to a victim host is made. A ".forward"file is used to configure email forwarding on UNIX systems. Usually it contains the email addresses where incoming email is forwarded. However, ".forward" file can also be used to forward email to programs (for example, "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 anton") and thus cause program execution triggered by arriving email messages. - -This functionality can be used to activate a backdoor or start a daemon that listens for connections on a high port, launch a terminal session on the attacker's machine or initiate a reverse shell session. - -This attack requires an established FTP session. - --- - -Attack Scenarios: -The attacker uploads a ".forward" file with commands to launch an "xterm" window on his machine into the user's home directory. Then he sends an email to the user whose ".forward" file was modified. That triggers the command in ".forward" and causes the xterm windows to be opened, providing shell access to a system with the privileges assigned to that user. - --- - -Ease of Attack: -The attack requires an access to a users home directory via FTP. This means that anonymous FTP access cannot be used for such an attack and a valid username and password is required. Additionally, the ability to upload files via FTP is required for a successful attack. - --- - -False Positives: -If the string ".forward" is contained within the filename that is being uploaded to a server or within other FTP client responses, the rule will generate an event. 
- --- -False Negatives: -None Known - --- - -Corrective Action: -Locate the uploaded ".forward" file and check it for signs of suspicious entries. - -Check the server logs for other suspicious events that might have occurred within the same FTP session - -Disallow uploading of files via FTP and use Secure Shell (SSH) for transferring files by users. - --- -Contributors: -Original rule writer Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS319 - --- diff -Nru snort-2.9.0.1/doc/signatures/3350.txt snort-2.9.2/doc/signatures/3350.txt --- snort-2.9.0.1/doc/signatures/3350.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3350.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3350 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3351.txt snort-2.9.2/doc/signatures/3351.txt --- snort-2.9.0.1/doc/signatures/3351.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3351.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3351 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3352.txt snort-2.9.2/doc/signatures/3352.txt --- snort-2.9.0.1/doc/signatures/3352.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3352.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3352 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3353.txt snort-2.9.2/doc/signatures/3353.txt --- snort-2.9.0.1/doc/signatures/3353.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3353.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3353 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3354.txt snort-2.9.2/doc/signatures/3354.txt --- snort-2.9.0.1/doc/signatures/3354.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3354.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3354 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3355.txt snort-2.9.2/doc/signatures/3355.txt --- snort-2.9.0.1/doc/signatures/3355.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3355.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3355 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3356.txt snort-2.9.2/doc/signatures/3356.txt --- snort-2.9.0.1/doc/signatures/3356.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3356.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3356 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3357.txt snort-2.9.2/doc/signatures/3357.txt --- snort-2.9.0.1/doc/signatures/3357.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3357.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3357 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3358.txt snort-2.9.2/doc/signatures/3358.txt --- snort-2.9.0.1/doc/signatures/3358.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3358.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3358 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3359.txt snort-2.9.2/doc/signatures/3359.txt --- snort-2.9.0.1/doc/signatures/3359.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3359.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3359 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/335.txt snort-2.9.2/doc/signatures/335.txt --- snort-2.9.0.1/doc/signatures/335.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/335.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: 335 - --- -Summary: -This event is generated when an attempt to copy a specific file to an FTP server is made. - --- - -Impact: -Serious. An attacker might gain the ability to remotely connect to a server via r-commands without using a password. - --- -Detailed Information: -This event is generated when an attempt to copy an ".rhosts" file to a server. An ".rhosts" file is used to configure remote access via r-commands (rlogin, rsh, rcp, rexec). - -Specifically, the file might contain IP addresses (hostnames) or usernames that are allowed to connect to a server in the following format: "hostname [username]", where either can be a "+" character, indicating all hostnames or usernames. - -The file might also contain a string "+ +" that indicates that everybody from any IP address is allowed to connect to server without using a password. The file is located in user's home directory. - --- - -Attack Scenarios: -An attacker uploads a ".hosts" file with "+ +" in it in the user's directory on the machine. He is then able to connect to a host via an "rlogin" command without entering a password, resulting in a shell session. If this is done in roots home driectory the attacker will have control of the victim host. - --- - -Ease of Attack: -The attack requires an access to any user's home directory via FTP. This means that anonymous FTP access cannot be used for such an attack and a valid username and password is required. Additionally, the ability to upload files via FTP is required for a successful attack. - --- - -False Positives: -If the string ".rhosts" is contained within the filename that is being uploaded to a server or within other FTP client responses, the rule will generate an event. - --- -False Negatives: -None Known - --- - -Corrective Action: -Locate the uploaded ".rhosts" file and check it for signs of suspicious entries. 
- -Check the server logs for other suspicious events that might have occurred within the same FTP session - -Disallow uploading of files via FTP and use Secure Shell (SSH) for transferring files by users. - -Disallow the use of r-commands for file transfer and login procedures. - --- -Contributors: -Original rule writer Max Vision -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS328 - --- diff -Nru snort-2.9.0.1/doc/signatures/3360.txt snort-2.9.2/doc/signatures/3360.txt --- snort-2.9.0.1/doc/signatures/3360.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3360.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3360 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3361.txt snort-2.9.2/doc/signatures/3361.txt --- snort-2.9.0.1/doc/signatures/3361.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3361.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3361 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3362.txt snort-2.9.2/doc/signatures/3362.txt --- snort-2.9.0.1/doc/signatures/3362.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3362.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3362 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3363.txt snort-2.9.2/doc/signatures/3363.txt --- snort-2.9.0.1/doc/signatures/3363.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3363.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3363 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3364.txt snort-2.9.2/doc/signatures/3364.txt --- snort-2.9.0.1/doc/signatures/3364.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3364.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3364 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3365.txt snort-2.9.2/doc/signatures/3365.txt --- snort-2.9.0.1/doc/signatures/3365.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3365.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3365 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3366.txt snort-2.9.2/doc/signatures/3366.txt --- snort-2.9.0.1/doc/signatures/3366.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3366.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3366 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3367.txt snort-2.9.2/doc/signatures/3367.txt --- snort-2.9.0.1/doc/signatures/3367.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3367.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3367 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3368.txt snort-2.9.2/doc/signatures/3368.txt --- snort-2.9.0.1/doc/signatures/3368.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3368.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3368 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3369.txt snort-2.9.2/doc/signatures/3369.txt --- snort-2.9.0.1/doc/signatures/3369.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3369.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3369 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/336.txt snort-2.9.2/doc/signatures/336.txt --- snort-2.9.0.1/doc/signatures/336.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/336.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: -Sid: -336 --- -Summary: -This event is generated when an attempt is made to access roots home -directory in an ftp session. - --- -Impact: -Serious. Information disclosure. - --- -Detailed Information: -An ftp command to change directories to root's home directory has been -made. If roots home directory is world readable and is within the ftp -root, the contents may be viewed or downloaded in an ftp session. - -Under normal ftp usage (by non-root users), this should never occur. - --- -Affected Systems: - --- -Attack Scenarios: -Scenario A: -1. Remote attacker has gained root password/access, or is able to access root's home directory. -2. Attacker will be able to replace important system files at their will, possibly gaining shell access as root. - -Scenario B: -1. System administrator (root) connects to the system via un-encrypted ftp. -2. An attacker, listening in on the tcp/ip traffic, gains root's password since it was transmitted in 'clear-text'. -3. The attacker can now log in as root. - -Scenario C: -1. The ~root directory is world readable. -2. Sensitive files that may exist in this directory can now be accessed by anyone. --- -Ease of Attack: -Scenario A: depends on how the attacker gained root's password -Scenario B: trivial for someone on the same network or on the route to the comprimiseable system. -Scenario C: easy. --- -False Positives: -None Known -The administrator has legitimately logged into this machine from a remote location. -Note: this still has the potential for a security breach (see Scenario B). --- -False Negatives: -None Known -Accessing other system critical directories other than ~root (for example, /etc, where passwd/shadow files are kept) could indicate the same comprimise. --- -Corrective Action: - - Dissallow ftp login for root, consider using something more secure than ftp for root file transfers. - - Make sure root's home directory is NOT world readable. 
- - Root's password may have been discovered, take apropriate action. --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Snort documentation contributed by Jeremy Stashewsky - --- -Additional References: -CVE CVE-1999-0082 -RFC 959: File Transfer Protocol http://www.ietf.org/rfc/rfc959.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/3370.txt snort-2.9.2/doc/signatures/3370.txt --- snort-2.9.0.1/doc/signatures/3370.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3370.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3370 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3371.txt snort-2.9.2/doc/signatures/3371.txt --- snort-2.9.0.1/doc/signatures/3371.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3371.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3371 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3372.txt snort-2.9.2/doc/signatures/3372.txt --- snort-2.9.0.1/doc/signatures/3372.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3372.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3372 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3373.txt snort-2.9.2/doc/signatures/3373.txt --- snort-2.9.0.1/doc/signatures/3373.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3373.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3373 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3374.txt snort-2.9.2/doc/signatures/3374.txt --- snort-2.9.0.1/doc/signatures/3374.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3374.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3374 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3375.txt snort-2.9.2/doc/signatures/3375.txt --- snort-2.9.0.1/doc/signatures/3375.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3375.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3375 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3376.txt snort-2.9.2/doc/signatures/3376.txt --- snort-2.9.0.1/doc/signatures/3376.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3376.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3376 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3377.txt snort-2.9.2/doc/signatures/3377.txt --- snort-2.9.0.1/doc/signatures/3377.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3377.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3377 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3378.txt snort-2.9.2/doc/signatures/3378.txt --- snort-2.9.0.1/doc/signatures/3378.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3378.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3378 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3379.txt snort-2.9.2/doc/signatures/3379.txt --- snort-2.9.0.1/doc/signatures/3379.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3379.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3379 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/337.txt snort-2.9.2/doc/signatures/337.txt --- snort-2.9.0.1/doc/signatures/337.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/337.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -337 - --- -Summary: -This event is generated when a remote attacker attempts to exploit a buffer overflow vulnerability in the IBM AIX FTP daemon. - --- -Impact: -Remote execution of arbitrary code leading to remote root compromise. - --- -Detailed Information: -The IBM AIX 4.3.x FTP daemon contains a buffer overflow vulnerability. An attacker can send an overly long string in the CEL command, causing a buffer overflow condition and allowing the attacker to execute arbitrary code. - --- -Affected Systems: -IBM AIX 4.3.x - --- -Attack Scenarios: -An attacker sends a suspiciously large amount of data to the FTP server in the CEL command, causing a buffer overflow condition. The attacker can then execute arbitrary code to obtain root privileges. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Install the patch provided by IBM. See http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1999.004.1/$file/sva004.txt for an advisory and information about obtaining the patch. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - -IBM -http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1999.004.1/$file/sva004.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/3380.txt snort-2.9.2/doc/signatures/3380.txt --- snort-2.9.0.1/doc/signatures/3380.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3380.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3380 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3381.txt snort-2.9.2/doc/signatures/3381.txt --- snort-2.9.0.1/doc/signatures/3381.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3381.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3381 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3382.txt snort-2.9.2/doc/signatures/3382.txt --- snort-2.9.0.1/doc/signatures/3382.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3382.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3382 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3383.txt snort-2.9.2/doc/signatures/3383.txt --- snort-2.9.0.1/doc/signatures/3383.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3383.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3383 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3384.txt snort-2.9.2/doc/signatures/3384.txt --- snort-2.9.0.1/doc/signatures/3384.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3384.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3384 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3385.txt snort-2.9.2/doc/signatures/3385.txt --- snort-2.9.0.1/doc/signatures/3385.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3385.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3385 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3386.txt snort-2.9.2/doc/signatures/3386.txt --- snort-2.9.0.1/doc/signatures/3386.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3386.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3386 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3387.txt snort-2.9.2/doc/signatures/3387.txt --- snort-2.9.0.1/doc/signatures/3387.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3387.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3387 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3388.txt snort-2.9.2/doc/signatures/3388.txt --- snort-2.9.0.1/doc/signatures/3388.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3388.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3388 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3389.txt snort-2.9.2/doc/signatures/3389.txt --- snort-2.9.0.1/doc/signatures/3389.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3389.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3389 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/338.txt snort-2.9.2/doc/signatures/338.txt --- snort-2.9.0.1/doc/signatures/338.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/338.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@
-SID:
-338
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible remote execution of commands on the affected server as the root user
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) does not perform proper
-checking in its SITE EXEC implementation, and allows user input to be
-sent directly to printf. This allows an attacker to overwrite data and
-eventually execute code on the server.
-
---
-
-Affected Systems:
-Any system running wu-ftpd 2.6 .0 or below
---
-
-Attack Scenarios:
-A remote attacker will attempt to execute commands on the ftp server
-with root user privileges, over writing or modifying system files. This
-can be done with anonymous and real user logins.
---
-
-Ease of Attack:
-Simple, Exploits exist
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3390.txt snort-2.9.2/doc/signatures/3390.txt
--- snort-2.9.0.1/doc/signatures/3390.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3390.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3390
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3391.txt snort-2.9.2/doc/signatures/3391.txt
--- snort-2.9.0.1/doc/signatures/3391.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3391.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3391
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3392.txt snort-2.9.2/doc/signatures/3392.txt
--- snort-2.9.0.1/doc/signatures/3392.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3392.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3392
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3393.txt snort-2.9.2/doc/signatures/3393.txt
--- snort-2.9.0.1/doc/signatures/3393.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3393.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3393
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3394.txt snort-2.9.2/doc/signatures/3394.txt
--- snort-2.9.0.1/doc/signatures/3394.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3394.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3394
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3395.txt snort-2.9.2/doc/signatures/3395.txt
--- snort-2.9.0.1/doc/signatures/3395.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3395.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3395
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3396.txt snort-2.9.2/doc/signatures/3396.txt
--- snort-2.9.0.1/doc/signatures/3396.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3396.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3396
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3397.txt snort-2.9.2/doc/signatures/3397.txt
--- snort-2.9.0.1/doc/signatures/3397.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3397.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3397
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3398.txt snort-2.9.2/doc/signatures/3398.txt
--- snort-2.9.0.1/doc/signatures/3398.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3398.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3398
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3399.txt snort-2.9.2/doc/signatures/3399.txt
--- snort-2.9.0.1/doc/signatures/3399.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3399.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3399
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/339.txt snort-2.9.2/doc/signatures/339.txt
--- snort-2.9.0.1/doc/signatures/339.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/339.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,95 +0,0 @@
-Rule:
-
---
-Sid:
-339
-
---
-Summary:
-
---
-Impact:
-Severe; This is a remote exploit that could result in a root compromise.
-
---
-Detailed Information:
-There is an off-by-one error in the replydirname() function in the BSD FTP deamon which is also present in many derivitave works. This vulnerability allows an attacker to overflow the buffer by one byte, overwriting the first byte of the return pointer on the stack.
-
---
-Affected Systems:
- BSD ftpd 0.3.2
- + Progeny Debian 1.0
- David A. Holland linux-ftpd 0.17
- + Progeny Debian 1.0
- David Madore ftpd-BSD 0.2.3
- - Caldera OpenLinux 2.2
- - Caldera OpenLinux 2.3
- - Caldera OpenLinux 2.4
- - Debian Linux 2.0
- - Debian Linux 2.1
- - Debian Linux 2.2
- - Debian Linux 2.3
- - MandrakeSoft Linux Mandrake 6.0
- - MandrakeSoft Linux Mandrake 6.1
- - MandrakeSoft Linux Mandrake 7.0
- - MandrakeSoft Linux Mandrake 7.1
- - MandrakeSoft Linux Mandrake 7.2
- - RedHat Linux 5.0
- - RedHat Linux 6.0 x
- - RedHat Linux 7.0
- - Slackware Linux 4.0
- - Slackware Linux 7.0
- - Slackware Linux 7.1
- NetBSD NetBSD 1.4
- NetBSD NetBSD 1.4.1
- NetBSD NetBSD 1.4.2
- NetBSD NetBSD 1.5
- OpenBSD 2.4
- OpenBSD 2.5
- OpenBSD 2.6
- OpenBSD 2.7
- OpenBSD 2.8
-Note: OpenBSD ships with the FTP daemon turned off, so this is not on by default.
-
---
-Attack Scenarios:
-The attacker could log into a vulnerable OpenBSD anonymous FTP server, calculate the buffer size, fill the buffer and over write the lowest byte on the base pointer with a null byte. This would result in the attacker controling that space on the stack, with full access to control the host at will.
-
---
-Ease of Attack:
-Simple; there are script versions of this exploit in the wild.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Update your machine to the latest version of OpenBSD.
If you are running OpenBSD 2.8, use the following patch: http://www.securityfocus.com/data/vulnerabilities/patches/005_ftpd.patch
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Mike Poor
-
---
-Additional References:
-
-Arachnids
-http://www.whitehats.com/info/IDS446
-
-Bugtraq
-http://www.securityfocus.com/bid/2124
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0053
-
-OpenBSD
-http://www.openbsd.org/errata28.html#ftpd
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3400.txt snort-2.9.2/doc/signatures/3400.txt
--- snort-2.9.0.1/doc/signatures/3400.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3400.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3400
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3401.txt snort-2.9.2/doc/signatures/3401.txt
--- snort-2.9.0.1/doc/signatures/3401.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3401.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3401
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3402.txt snort-2.9.2/doc/signatures/3402.txt
--- snort-2.9.0.1/doc/signatures/3402.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3402.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3402
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3403.txt snort-2.9.2/doc/signatures/3403.txt
--- snort-2.9.0.1/doc/signatures/3403.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3403.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3403
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3404.txt snort-2.9.2/doc/signatures/3404.txt
--- snort-2.9.0.1/doc/signatures/3404.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3404.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3404
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3405.txt snort-2.9.2/doc/signatures/3405.txt
--- snort-2.9.0.1/doc/signatures/3405.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3405.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3405
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3406.txt snort-2.9.2/doc/signatures/3406.txt
--- snort-2.9.0.1/doc/signatures/3406.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3406.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3406
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3407.txt snort-2.9.2/doc/signatures/3407.txt
--- snort-2.9.0.1/doc/signatures/3407.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3407.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3407
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3408.txt snort-2.9.2/doc/signatures/3408.txt
--- snort-2.9.0.1/doc/signatures/3408.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3408.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3408
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3409.txt snort-2.9.2/doc/signatures/3409.txt
--- snort-2.9.0.1/doc/signatures/3409.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3409.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3409
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3410.txt snort-2.9.2/doc/signatures/3410.txt
--- snort-2.9.0.1/doc/signatures/3410.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3410.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3410
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3411.txt snort-2.9.2/doc/signatures/3411.txt
--- snort-2.9.0.1/doc/signatures/3411.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3411.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3411
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3412.txt snort-2.9.2/doc/signatures/3412.txt
--- snort-2.9.0.1/doc/signatures/3412.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3412.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3412
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3413.txt snort-2.9.2/doc/signatures/3413.txt
--- snort-2.9.0.1/doc/signatures/3413.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3413.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3413
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3414.txt snort-2.9.2/doc/signatures/3414.txt
--- snort-2.9.0.1/doc/signatures/3414.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3414.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3414
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3415.txt snort-2.9.2/doc/signatures/3415.txt
--- snort-2.9.0.1/doc/signatures/3415.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3415.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3415
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3416.txt snort-2.9.2/doc/signatures/3416.txt
--- snort-2.9.0.1/doc/signatures/3416.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3416.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3416
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3417.txt snort-2.9.2/doc/signatures/3417.txt
--- snort-2.9.0.1/doc/signatures/3417.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3417.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3417
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3418.txt snort-2.9.2/doc/signatures/3418.txt
--- snort-2.9.0.1/doc/signatures/3418.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3418.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3418
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3419.txt snort-2.9.2/doc/signatures/3419.txt
--- snort-2.9.0.1/doc/signatures/3419.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3419.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3419
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3420.txt snort-2.9.2/doc/signatures/3420.txt
--- snort-2.9.0.1/doc/signatures/3420.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3420.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3420
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3421.txt snort-2.9.2/doc/signatures/3421.txt
--- snort-2.9.0.1/doc/signatures/3421.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3421.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3421
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3422.txt snort-2.9.2/doc/signatures/3422.txt
--- snort-2.9.0.1/doc/signatures/3422.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3422.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3422
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3423.txt snort-2.9.2/doc/signatures/3423.txt
--- snort-2.9.0.1/doc/signatures/3423.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3423.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3423
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3424.txt snort-2.9.2/doc/signatures/3424.txt
--- snort-2.9.0.1/doc/signatures/3424.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3424.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-3424
-
---
-Summary:
-This rule generates an event when an attempt is made to exploit a known
-vulnerability in Microsoft RPC DCOM.
-
---
-Impact:
-Execution of arbitrary code leading to full administrator access of the
-machine. Denial of Service (DoS).
-
---
-Detailed Information:
-A vulnerability exists in Microsoft RPC DCOM such that execution of
-arbitrary code or a Denial of Service condition can be issued against a
-host by sending malformed data via RPC.
-
-The Distributed Component Object Model (DCOM) handles DCOM requests sent
-by clients to a server using RPC. A malformed request to an RPC port
-will result in a buffer overflow condition that will present the
-attacker with the opportunity to execute arbitrary code with the
-privileges of the local system account.
-
---
-Affected Systems:
- Windows NT 4.0
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
-
---
-Attack Scenarios:
-An attacker may make a request for a file with an overly long filename
-via a network share.
-
---
-Ease of Attack:
-Simple. Expoit code exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Block access to RPC ports 135, 139 and 445 for both TCP and UDP
-protocols from external sources using a packet filtering firewall.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/3425.txt snort-2.9.2/doc/signatures/3425.txt
--- snort-2.9.0.1/doc/signatures/3425.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/3425.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3425 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3426.txt snort-2.9.2/doc/signatures/3426.txt --- snort-2.9.0.1/doc/signatures/3426.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3426.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3426 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3427.txt snort-2.9.2/doc/signatures/3427.txt --- snort-2.9.0.1/doc/signatures/3427.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3427.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3427 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3428.txt snort-2.9.2/doc/signatures/3428.txt --- snort-2.9.0.1/doc/signatures/3428.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3428.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3428 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3429.txt snort-2.9.2/doc/signatures/3429.txt --- snort-2.9.0.1/doc/signatures/3429.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3429.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3429 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/342.txt snort-2.9.2/doc/signatures/342.txt --- snort-2.9.0.1/doc/signatures/342.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/342.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -342 --- - -Rule: --- - -Summary: -This event is generated when an attack attempt is made against an ftp -server possibly running a vulnerable ftpd on Solaris 8 - --- - -Impact: -Possible remote execution of commands on the affected server as the root user --- - -Detailed Information: -The Washington University ftp daemon (wu-ftpd) does not perform proper -checking in its SITE EXEC implementation, and allows user input to be -sent directly to printf. This allows an attacker to overwrite data and -eventually execute code on the server. - --- - -Affected Systems: -Any system running wu-ftpd 2.6 .0 or below --- - -Attack Scenarios: -A remote attacker will attempt to execute commands on the ftp server -with root user privileges, over writing or modifying system files. This -can be done with anonymous and real user logins. --- - -Ease of Attack: -Simple, Exploit code exists --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure. -Restrict access to ftp at the firewall to known hosts only --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3430.txt snort-2.9.2/doc/signatures/3430.txt --- snort-2.9.0.1/doc/signatures/3430.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3430.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3430 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3431.txt snort-2.9.2/doc/signatures/3431.txt --- snort-2.9.0.1/doc/signatures/3431.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3431.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3431 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3432.txt snort-2.9.2/doc/signatures/3432.txt --- snort-2.9.0.1/doc/signatures/3432.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3432.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3432 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3433.txt snort-2.9.2/doc/signatures/3433.txt --- snort-2.9.0.1/doc/signatures/3433.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3433.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3433 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3434.txt snort-2.9.2/doc/signatures/3434.txt --- snort-2.9.0.1/doc/signatures/3434.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3434.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3434 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3435.txt snort-2.9.2/doc/signatures/3435.txt --- snort-2.9.0.1/doc/signatures/3435.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3435.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3435 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3436.txt snort-2.9.2/doc/signatures/3436.txt --- snort-2.9.0.1/doc/signatures/3436.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3436.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3436 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3437.txt snort-2.9.2/doc/signatures/3437.txt --- snort-2.9.0.1/doc/signatures/3437.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3437.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3437 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3438.txt snort-2.9.2/doc/signatures/3438.txt --- snort-2.9.0.1/doc/signatures/3438.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3438.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3438 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3439.txt snort-2.9.2/doc/signatures/3439.txt --- snort-2.9.0.1/doc/signatures/3439.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3439.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3439 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/343.txt snort-2.9.2/doc/signatures/343.txt --- snort-2.9.0.1/doc/signatures/343.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/343.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -SID: -343 --- - -Rule: --- - -Summary: -This event is generated when an attack attempt is made against an ftp -server possibly running a vulnerable ftpd running on FreeBSD --- - -Impact: -Possible remote execution of commands on the affected server as the root user --- - -Detailed Information: -The Washington University ftp daemon (wu-ftpd) does not perform proper -checking in its SITE EXEC implementation, and allows user input to be -sent directly to printf. This allows an attacker to overwrite data and -eventually execute code on the server. - --- - -Affected Systems: -Any system running wu-ftpd 2.6 .0 or below --- - -Attack Scenarios: -A remote attacker will attempt to execute commands on the ftp server -with root user privileges, over writing or modifying system files. This -can be done with anonymous and real user logins. --- - -Ease of Attack: -Simple, Exploits exist --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3440.txt snort-2.9.2/doc/signatures/3440.txt --- snort-2.9.0.1/doc/signatures/3440.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3440.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -3440 - --- -Summary: -This rule generates an event when an attempt is made to exploit a known -vulnerability in Microsoft RPC DCOM. - --- -Impact: -Execution of arbitrary code leading to full administrator access of the -machine. Denial of Service (DoS). - --- -Detailed Information: -A vulnerability exists in Microsoft RPC DCOM such that execution of -arbitrary code or a Denial of Service condition can be issued against a -host by sending malformed data via RPC. - -The Distributed Component Object Model (DCOM) handles DCOM requests sent -by clients to a server using RPC. A malformed request to an RPC port -will result in a buffer overflow condition that will present the -attacker with the opportunity to execute arbitrary code with the -privileges of the local system account. - --- -Affected Systems: - Windows NT 4.0 - Windows NT 4.0 Terminal Server Edition - Windows 2000 - Windows XP - Windows Server 2003 - --- -Attack Scenarios: -An attacker may make a request for a file with an overly long filename -via a network share. - --- -Ease of Attack: -Simple. Expoit code exists. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Block access to RPC ports 135, 139 and 445 for both TCP and UDP -protocols from external sources using a packet filtering firewall. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3441.txt snort-2.9.2/doc/signatures/3441.txt --- snort-2.9.0.1/doc/signatures/3441.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3441.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -3441 - --- -Summary: -This event is generated when an attempt is made to use the PORT command -in an FTP session. - --- -Impact: -Serious. Unauthorized access to the target host. Information disclosure. - --- -Detailed Information: -The PORT command can be used in an FTP PORT bounce attack to establish -a connection between the FTP server and another machine listening on -an alternative port. - -This may lead to unauthorized access to a target host listening on a -port not available from outside the protected network. - --- -Affected Systems: - Systems using FTP - --- -Attack Scenarios: -An attacker can issue a PORT command from an FTP session to connect to -another machine listening on an alternate port. For example, from an -FTP session an attacker could connect to an internal host listening on -an alternate web port meant only for internal sessions. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -CERT: -http://www.cert.org/tech_tips/ftp_port_attacks.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3442.txt snort-2.9.2/doc/signatures/3442.txt --- snort-2.9.0.1/doc/signatures/3442.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3442.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3442 - --- -Summary: -This event is generated when an attempt is made exploit a known -vulnerability in Microsoft Windows TCP/IP print services. - --- -Impact: -Serious. Denial of Service (DoS). - --- -Detailed Information: -Microsoft Windows TCP/IP print services are used to share printers -attached to Windows based machines with other UNIX based hosts. - -Microsoft Windows TCP/IP print services are vulnerable to a DoS when -processing malformed print requests. Other services may also be affected -and may need to be restarted to regain functionality should this attack -be sucessful. - --- -Affected Systems: - Microsoft Windows TCP/IP print services for Windows NT - Microsoft Windows TCP/IP print services for Windows 2000 - --- -Attack Scenarios: -An attacker can send a malformed print request to port 515 on the server -hosting the print services and cause the DoS condition. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3443.txt snort-2.9.2/doc/signatures/3443.txt --- snort-2.9.0.1/doc/signatures/3443.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3443.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3443 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3444.txt snort-2.9.2/doc/signatures/3444.txt --- snort-2.9.0.1/doc/signatures/3444.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3444.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3444 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3445.txt snort-2.9.2/doc/signatures/3445.txt --- snort-2.9.0.1/doc/signatures/3445.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3445.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3445 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3446.txt snort-2.9.2/doc/signatures/3446.txt --- snort-2.9.0.1/doc/signatures/3446.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3446.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3446 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3447.txt snort-2.9.2/doc/signatures/3447.txt --- snort-2.9.0.1/doc/signatures/3447.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3447.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3447 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3448.txt snort-2.9.2/doc/signatures/3448.txt --- snort-2.9.0.1/doc/signatures/3448.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3448.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3448 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3449.txt snort-2.9.2/doc/signatures/3449.txt --- snort-2.9.0.1/doc/signatures/3449.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3449.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3449 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/344.txt snort-2.9.2/doc/signatures/344.txt --- snort-2.9.0.1/doc/signatures/344.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/344.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: - -344 - --- -Summary: -This event is generated when an attempt is made to exploit a -vulnerability in Wu-ftpd. - --- -Impact: - -Serious. Full system compromise is possible. - --- -Detailed Information: -Some versions of Wu-ftpd contain an exploitable vulnerability in SITE -EXEC command, which can trigger a buffer overflow enabling an attacker -to gain root privileges. Anonymous access is enough for this exploit to -work. - --- -Affected Systems: - - Any version of Linux running wu-ftpd 2.6.0 and lower - --- -Attack Scenarios: -An attacker tries to connect to the server on port 21 anonymously. Then -he creates special directories using the MKD (make directory) command, -and then change its current FTP path into them using the CWD (change -current directory) command followed by a SITE EXEC on that directory. - - --- -Ease of Attack: - -Simple. Exploit scripts are available. - --- -False Positives: - -None known. - --- -False Negatives: - -None known. - --- -Corrective Action: -Disable anonymous FTP access to your site. - -Apply the appropriate vendor supplied patches. - -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CERT: -http://www.cert.org/advisories/CA-2000-13.html - --- diff -Nru snort-2.9.0.1/doc/signatures/3450.txt snort-2.9.2/doc/signatures/3450.txt --- snort-2.9.0.1/doc/signatures/3450.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3450.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3450 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3451.txt snort-2.9.2/doc/signatures/3451.txt --- snort-2.9.0.1/doc/signatures/3451.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3451.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3451 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3452.txt snort-2.9.2/doc/signatures/3452.txt --- snort-2.9.0.1/doc/signatures/3452.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3452.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -3452 - --- -Summary: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Impact: -Unknown. - --- -Detailed Information: -This rule does not generate an event. It is used in conjunction with -other rules to reduce the possibility of false postives from occuring. - --- -Affected Systems: - NA - --- -Attack Scenarios: -NA - --- -Ease of Attack: -NA - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -NA - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3453.txt snort-2.9.2/doc/signatures/3453.txt --- snort-2.9.0.1/doc/signatures/3453.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3453.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3453 - --- -Summary: -This event is generated when an attempt is made to probe for -information on a host running Arkeia Client Backup server. - --- -Impact: -This may be reconnaissance to find version or operating -system information about the Arkeia Client Backup server -to later run an appropriate exploit. - --- -Detailed Information: -By default, Arkeia Client Backup servers do not require any -authentication for informational requests. An attacker who -may be planning to exploit a vulnerable version of the software -may attempt to request file or system information. - --- -Affected Systems: - Arkeia version 5.3 and prior. - --- -Attack Scenarios: -An attacker can attempt to query an Arkeia Client Backup -server for system or file information. - --- -Ease of Attack: -Simple. Exploits are publicly available. - --- -False Positives: -None known. If you run Arkeia Client Backup on your network, -make sure that your the variable $EXTERNAL_NET is configured -to reflect IP addresses outside of your network. Otherwise, -this rule will alert on valid internal traffic. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Metasploit: -http://metasploit.com/research/arkeia_agent - --- diff -Nru snort-2.9.0.1/doc/signatures/3454.txt snort-2.9.2/doc/signatures/3454.txt --- snort-2.9.0.1/doc/signatures/3454.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3454.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3454 - --- -Summary: -This event is generated when an attempt is made to probe for -information on a host running Arkeia Client Backup server. - --- -Impact: -This may be reconnaissance to find version or operating -system information about the Arkeia Client Backup server -to later run an appropriate exploit. - --- -Detailed Information: -By default, Arkeia Client Backup servers do not require any -authentication for informational requests. An attacker who -may be planning to exploit a vulnerable version of the software -may attempt to request file or system information. - --- -Affected Systems: - Arkeia version 5.3 and prior. - --- -Attack Scenarios: -An attacker can attempt to query an Arkeia Client Backup -server for system or file information. - --- -Ease of Attack: -Simple. Exploits are publicly available. - --- -False Positives: -None known. If you run Arkeia Client Backup on your network, -make sure that your the variable $EXTERNAL_NET is configured -to reflect IP addresses outside of your network. Otherwise, -this rule will alert on valid internal traffic. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Metasploit: -http://metasploit.com/research/arkeia_agent - --- diff -Nru snort-2.9.0.1/doc/signatures/3455.txt snort-2.9.2/doc/signatures/3455.txt --- snort-2.9.0.1/doc/signatures/3455.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3455.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -3455 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the Bontago Game Server. - --- -Impact: -Serious. Code execution and Denial of Service (DoS) are possible. - --- -Detailed Information: -The Bontago game server does not properly sanitize user nicknames. -Sucessful exploitation of this error may present an attacker with the -opportunity to overflow a buffer which may then lead to remote code -execution and possible DoS. - --- -Affected Systems: - Bontago Game Server 1.1 and prior - --- -Attack Scenarios: -An attacker can supply a nickname to the server that exceeds the static -buffer length assigned to handle this value. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3456.txt snort-2.9.2/doc/signatures/3456.txt --- snort-2.9.0.1/doc/signatures/3456.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3456.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -3456 - --- - -Summary: -This event is generated when the user "root" logs in to a MySQL database from an external source. - --- -Impact: -Serious. An attacker may have gained superuser access to the system. - --- -Detailed Information: -This event is generated when someone using the name "root" logs in to a MySQL database. - -The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system. - --- - -Ease of Attack: -Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system. - --- - -False Positives: -This event may be generated by a database administrator logging in as the root user from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3457.txt snort-2.9.2/doc/signatures/3457.txt --- snort-2.9.0.1/doc/signatures/3457.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3457.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3457 - --- -Summary: -This event is generated when an attempt is made to exploit -a buffer overflow associated with the Arkeia Client Backup -server. - --- -Impact: -A successful attack may cause a buffer overflow and the -subsequent execution of arbitrary code at the privilege -level of the vulnerable service. - --- -Detailed Information: -A vulnerability exists in the Arkeia Client Backup server -software for a type 77 request. This may cause a buffer -overflow and the subsequent execution of arbitrary code -on a vulnerable server. The vulnerability is caused by -an overly long message length. - --- -Affected Systems: - Arkeia version 5.3 and prior. - --- -Attack Scenarios: -An attacker craft a malicious type 77 request and send -it to a vulnerable server. - --- -Ease of Attack: -Simple. Exploits are publicly available. - --- -False Positives: -None known. - --- -False Negatives: -There can be multiple messages in one transfer. The event is generated -on the first message only. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Metasploit: -http://metasploit.com/research/arkeia_agent - --- diff -Nru snort-2.9.0.1/doc/signatures/3458.txt snort-2.9.2/doc/signatures/3458.txt --- snort-2.9.0.1/doc/signatures/3458.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3458.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3458 - --- -Summary: -This event is generated when an attempt is made to exploit -a buffer overflow associated with the Arkeia Client Backup -server. - --- -Impact: -A successful attack may cause a buffer overflow and the -subsequent execution of arbitrary code at the privilege -level of the vulnerable service. - --- -Detailed Information: -A vulnerability exists in the Arkeia Client Backup server -software for a type 84 request. This may cause a buffer -overflow and the subsequent execution of arbitrary code -on a vulnerable server. The vulnerability is caused by -an overly long message length. - --- -Affected Systems: - Arkeia version 5.3 and prior. - --- -Attack Scenarios: -An attacker craft a malicious type 84 request and send -it to a vulnerable server. - --- -Ease of Attack: -Simple. Exploits are publicly available. - --- -False Positives: -None known. - --- -False Negatives: -There can be multiple messages in one transfer. The event is generated -on the first message only. - --- -Corrective Action: -Upgrade to the most current non-affected version of the product. - --- -Contributors: -Sourcefire Research Team -Judy Novak - --- -Additional References - -Metasploit: -http://metasploit.com/research/arkeia_agent - --- diff -Nru snort-2.9.0.1/doc/signatures/3459.txt snort-2.9.2/doc/signatures/3459.txt --- snort-2.9.0.1/doc/signatures/3459.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3459.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -3459 - --- -Summary: -This event is generated when activity by Peer-to-Peer (p2p) clients is detected. - --- -Impact: -Informational event. Unauthorized use of a p2p client may be in progress. - --- -Detailed Information: -This event indicates that use of a p2p client has been detected. This -may be against corporate policy. p2p clients connect to other p2p -clients to share files, commonly music and video files but can be -configured to share any file on the local machine. - -This activity may not only use bandwidth but may also be used to -transfer company confidential information to unauthorized hosts external -to the protected network bypassing other security measures in place. - -This rule detects activity from Manolito p2p client applications. - --- -Affected Systems: - Any host using a Manolito p2p client. - --- -Attack Scenarios: -This is indicative of the use of a p2p client. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Check the host and uninstall any p2p client found. - --- -Contributors: -Sourcefire Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/345.txt snort-2.9.2/doc/signatures/345.txt --- snort-2.9.0.1/doc/signatures/345.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/345.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -SID: -345 --- - -Rule: --- - -Summary: -This event is generated when an attack attempt is made against an ftp -server possibly running a vulnerable ftpd --- - -Impact: -Possible remote execution of commands on the affected server as the root user --- - -Detailed Information: -The Washington University ftp daemon (wu-ftpd) does not perform proper -checking in its SITE EXEC implementation, and allows user input to be -sent directly to printf. This allows an attacker to overwrite data and -eventually execute code on the server. - --- - -Affected Systems: -Any system running wu-ftpd 2.6 .0 or below --- - -Attack Scenarios: -A remote attacker will attempt to execute commands on the ftp server -with root user privileges, over writing or modifying system files. This -can be done with anonymous and real user logins. --- - -Ease of Attack: -Simple, Exploits exist --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3460.txt snort-2.9.2/doc/signatures/3460.txt --- snort-2.9.0.1/doc/signatures/3460.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3460.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -3460 - --- -Summary: -This event is generated when a numeric argument to the REST command is -detected. - --- -Impact: -Information disclosure. - --- -Detailed Information: -FTP is used to transfer files between hosts. This event is generated -when a numeric argument to the REST command is detected. - -If a numeric argument is supplied to the REST command on an affected -HP-UX system, it may be possible for an attacker to discover the -contents of a particular memory location identified by the argument. -This may in turn lead to the disclosure of sensitive information on the -host. - --- -Affected Systems: - HP-UX 11.0 utilizing HP-UX ftpd 1.1.214 .4 - --- -Attack Scenarios: - --- -Ease of Attack: -Simple. Exploit code is not needed but code does exist. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disallow access to FTP resources from hosts external to the protected network. - -Use secure shell (ssh) to transfer files as a replacement for FTP. - --- -Contributors: -Sourcefire Research Team -Alex Kirk -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3461.txt snort-2.9.2/doc/signatures/3461.txt --- snort-2.9.0.1/doc/signatures/3461.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3461.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3461 - --- -Summary: -This event is generated when an attempt is made to overflow a buffer -using the Content-Type parameter. - --- -Impact: -Serious. Code execution is possible. - --- -Detailed Information: -Internet Explorer does not correctly handle Content-Type or -Content-Encoding headers returned from a server. It is possible to -overflow a static buffer in urlmon.dll by supplying more than 300 bytes -of data in the parameter for those headers. - -Specifically the error occurs when an image tag is used to pass -the excess data to both those header fields in a server response. Since -some email clients use Internet Explorer to process HTML email messages, -it is also possible to cause this overflow to occur via email. - --- -Affected Systems: - Microsoft Windows systems - --- -Attack Scenarios: -An attacker can supply a malicious HTML file to a mail client containing -excess data in the Content-Type and Content-Encoding headers that will -overflow the buffer presenting them with the opportunity to write to -various parts of memory and possibly execute code of their choosing. - --- -Ease of Attack: -Simple. Exploit code is publicly available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Alex Kirk -Nigel Houghton - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/3462.txt snort-2.9.2/doc/signatures/3462.txt --- snort-2.9.0.1/doc/signatures/3462.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3462.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -3462 - --- -Summary: -This event is generated when an attempt is made to overflow a buffer -using the Content-Encoding parameter. - --- -Impact: -Serious. Code execution is possible. - --- -Detailed Information: -Internet Explorer does not correctly handle Content-Type or -Content-Encoding headers returned from a server. It is possible to -overflow a static buffer in urlmon.dll by supplying more than 300 bytes -of data in the parameter for those headers. - -Specifically the error occurs when an image tag is used to pass -the excess data to both those header fields in a server response. Since -some email clients use Internet Explorer to process HTML email messages, -it is also possible to cause this overflow to occur via email. - --- -Affected Systems: - Microsoft Windows systems - --- -Attack Scenarios: -An attacker can supply a malicious HTML file to a mail client containing -excess data in the Content-Type and Content-Encoding headers that will -overflow the buffer presenting them with the opportunity to write to -various parts of memory and possibly execute code of their choosing. - --- -Ease of Attack: -Simple. Exploit code is publicly available. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest non-affected version of the software. - --- -Contributors: -Sourcefire Research Team -Alex Kirk -Nigel Houghton - --- -Additional References - --- diff -Nru snort-2.9.0.1/doc/signatures/3463.txt snort-2.9.2/doc/signatures/3463.txt --- snort-2.9.0.1/doc/signatures/3463.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3463.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: -3463 - --- -Summary: -This event is generated when an attempt is made to access the cgi script -awstats.pl. - --- -Impact: -Possible execution of system commands. - --- -Detailed Information: -Adavanced Web Statistics (awstats) is used to process web server log -files and produces reports of web server usage. - -Some versions of awstats do not correctly sanitize user input. This may -present an attacker with the opportunity to supply system commands via -the "logfile" parameter. For the attack to be sucessful the "update" -parameter must also have the value set to "1". This event indicates that -an attempt has been made to access the awstats.pl cgi script. - --- -Affected Systems: - Awstats 6.1 and prior - --- -Attack Scenarios: -An attacker can supply commands of their choosing as a value for the -logfile parameter by enclosing the commands in pipe charecters. For -example: - - http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=|| - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software. - -Disallow access to awstats.pl as a CGI script. - --- -Contributors: -Sourcefire Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3464.txt snort-2.9.2/doc/signatures/3464.txt --- snort-2.9.0.1/doc/signatures/3464.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3464.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -3464 - --- -Summary: -This event is generated when an attempt is made to execute system -commands via the cgi script awstats.pl. - --- -Impact: -Possible execution of system commands. - --- -Detailed Information: -Adavanced Web Statistics (awstats) is used to process web server log -files and produces reports of web server usage. - -Some versions of awstats do not correctly sanitize user input. This may -present an attacker with the opportunity to supply system commands via -the "logfile" parameter. For the attack to be sucessful the "update" -parameter must also have the value set to "1". This event indicates that -an attempt has been made to pass a system command as a value to the -"logfile" parameter the awstats.pl cgi script. - --- -Affected Systems: - Awstats 6.1 and prior - --- -Attack Scenarios: -An attacker can supply commands of their choosing as a value for the -logfile parameter by enclosing the commands in pipe charecters. For -example: - - http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=|| - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software. - -Disallow access to awstats.pl as a CGI script. - --- -Contributors: -Sourcefire Research Team -Alex Kirk -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/3465.txt snort-2.9.2/doc/signatures/3465.txt --- snort-2.9.0.1/doc/signatures/3465.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/3465.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-3465
-
---
-Summary:
-This event is generated when an attempt is made to access the cgi script
-show.pl.
-
---
-Impact:
-Use of script as an open proxy.
-
---
-Detailed Information:
-RiSearch is a collection of cgi scripts written in Perl to facilitate
-web site search functionality. Some versions of the script show.pl do
-not correctly sanitize user input. This may present an attacker with the
-opportunity to use the script as an open proxy server, possibly in
-attempts to execute web attacks against other systems anonymously.
-
-Specifically, it may be possible for an attacker to supply their own
-input to the "uri" parameter.
-
---
-Affected Systems:
- RiSearch 0.99.8 and prior
- RiSearch Pro 3.2.6
-
---
-Attack Scenarios:
-An attacker can supply a URI of their choosing as a value for the
-uri parameter
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software.
-
---
-Contributors:
-Sourcefire Research Team
-Alex Kirk
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/348.txt snort-2.9.2/doc/signatures/348.txt
--- snort-2.9.0.1/doc/signatures/348.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/348.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-SID:
-348
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible remote execution of commands on the affected server as the root user
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) does not perform proper
-checking in its SITE EXEC implementation, and allows user input to be
-sent directly to printf. This allows an attacker to overwrite data and
-eventually execute code on the server.
-
-This rule detects code from a published exploit called bobek.c
---
-
-Affected Systems:
-Any system running wu-ftpd 2.6 .0 or below
---
-
-Attack Scenarios:
-A remote attacker will attempt to execute commands on the ftp server
-with root user privileges, over writing or modifying system files. This
-can be done with anonymous and real user logins.
---
-
-Ease of Attack:
-Simple, Exploits exist
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/349.txt snort-2.9.2/doc/signatures/349.txt
--- snort-2.9.0.1/doc/signatures/349.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/349.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-SID:
-349
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
-NcFTP Software NcFTPD 2.3.5
-Washington University wu-ftpd 2.4.2 (beta 18) VR10
-RedHat wu-ftpd 2.4.2 b18-2
-Washington University wu-ftpd 2.4.2 academ[BETA-18]
-Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/350.txt snort-2.9.2/doc/signatures/350.txt
--- snort-2.9.0.1/doc/signatures/350.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/350.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-SID:
-350
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
-NcFTP Software NcFTPD 2.3.5
-Washington University wu-ftpd 2.4.2 (beta 18) VR10
-RedHat wu-ftpd 2.4.2 b18-2
-Washington University wu-ftpd 2.4.2 academ[BETA-18]
-Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/351.txt snort-2.9.2/doc/signatures/351.txt
--- snort-2.9.0.1/doc/signatures/351.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/351.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-SID:
-351
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated
-user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
-NcFTP Software NcFTPD 2.3.5
-Washington University wu-ftpd 2.4.2 (beta 18) VR10
-RedHat wu-ftpd 2.4.2 b18-2
-Washington University wu-ftpd 2.4.2 academ[BETA-18]
-Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/352.txt snort-2.9.2/doc/signatures/352.txt
--- snort-2.9.0.1/doc/signatures/352.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/352.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-SID:
-352
---
-
-Rule:
---
-
-Summary:
-This event is generated when an attack attempt is made against an ftp
-server possibly running a vulnerable ftpd
---
-
-Impact:
-Possible execution of commands on the affected server as with elevated
-user privileges
---
-
-Detailed Information:
-The Washington University ftp daemon (wu-ftpd) has a problem with very
-log directory names. There is insufficent checking on directories
-created by users allowing possible insertion of data into the stack.This
-can lead to execution of code with root / elevated user privileges.
---
-
-Affected Systems:
- NcFTP Software NcFTPD 2.3.5
- Washington University wu-ftpd 2.4.2 (beta 18) VR10 RedHat wu-ftpd 2.4.2 b18-2
- Washington University wu-ftpd 2.4.2 academ[BETA-18]
- Probably others as well, suspect anything under
- Washington University wu-ftpd 2.6.0 for this particular exploit.
---
-
-Attack Scenarios:
-A local attacker will attempt to create long named directories on the
-ftp server wich are not checked correctly in the server code. This can
-allow commands to be executed with elevated user privileges
---
-
-Ease of Attack:
-simple, Exploit code exists
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Upgrade to newest version of wuftpd, or replace with something more secure.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/353.txt snort-2.9.2/doc/signatures/353.txt
--- snort-2.9.0.1/doc/signatures/353.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/353.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-353
-
---
-Summary:
-This event is generated when a remote user attempts to anonymously log into an internal FTP server with a suspicious password, indicating that an attacker may be scanning the FTP server for vulnerabilities using the ADMhack scanning tool.
-
---
-Impact:
-Information gathering, possible unauthorized access.
-
---
-Detailed Information:
-ADMhack is a security scanner that scans for exploitable network vulnerabilities. When the scanner encounters an FTP server, it attempts to log in using "ddd@ " as a password.
-
---
-Affected Systems:
-Computers running anonymous FTP servers.
-
---
-Attack Scenarios:
-An attacker scans the network for vulnerable FTP servers using ADMhack scanner. When an FTP server is found, the tool attempts to log into the server. If vulnerabilities exist on the server, this may allow the attacker access to the FTP server in order to exploit them.
-
---
-Ease of Attack:
-Simple. ADMhack is freely available on the Internet.
-
---
-False Positives:
-If a legitimate remote anonymous user uses the same password, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable anonymous FTP access.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/354.txt snort-2.9.2/doc/signatures/354.txt
--- snort-2.9.0.1/doc/signatures/354.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/354.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@
-Rule:
-
---
-
-Rule:
---
-Sid:
-354
-
---
-
-Summary:
-This event is generated when an attempt is made to login anonymously
-into an ftp server using a suspicious password (-iss@iss)
-
---
-
-Impact:
-Possible unauthorized access. Information gathering.
-
---
-
-Detailed Information:
-ISS Scanner is a security scanner which checks for common
-vulnerabilities. When it detects an open ftp server, it tries to log in
-anonymously using the password '-iss@iss'
-
---
-
-Affected Systems:
-Machines running anonymous ftp servers.
-
---
-
-Attack Scenarios:
-An attacker scans a range of IPs using the ISS Scanner, checking for
-known vulnerabilities. If the scanner encounters a ftp server, it tries
-to log in .
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-A user may be using that same password for a legitimate
-anonymous login.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable anonymous FTP access.
-
---
-
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS331
-
---
diff -Nru snort-2.9.0.1/doc/signatures/355.txt snort-2.9.2/doc/signatures/355.txt
--- snort-2.9.0.1/doc/signatures/355.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/355.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-355
-
---
-Summary:
-This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server.
-
---
-Impact:
-Remote root access. The attack may indicate that the FTP server has been compromised.
-
---
-Detailed Information:
-The password "wh00t" is a common backdoor password associated with a compromised root account. If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created. Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others.
-
---
-Affected Systems:
-FTP servers.
-
---
-Attack Scenarios:
-An attacker may compromise a host and create a backdoor account. An attacker may attempt to locate FTP servers with a backdoor account.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-It is very remotely possible that a legitimate password of "wh00t" exists.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Examine the suspected compromised host for unauthorized changes.
-
-Make sure that the suspected compromised host has all security patches applied.
-
-Log activity to and from the suspected compromised host.
-
-Examine other systems on the network for evidence of compromise.
-
-If a compromised is discovered, reinstall the operating system.
-
---
-Contributors:
-Orignal rule written by Ron Gula
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS324
-
---
diff -Nru snort-2.9.0.1/doc/signatures/356.txt snort-2.9.2/doc/signatures/356.txt
--- snort-2.9.0.1/doc/signatures/356.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/356.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 356
-
---
-
-Summary:
-This event is generated when an attempt to retrieve a specific file, in this case the systems user database from an FTP server is made.
-
---
-Impact:
-Serious. The attacker may obtain a valid list of user names and/or encrypted passwords from the server.
-
---
-Detailed Information:
-This event is generated when an attempt to download a copy of the "passwd" file from the server is made.
-
-The UNIX "passwd" file (typically located in "/etc/" directory) is used to hold the authentication information for system logins. This file needs to be readable by all system users.
-
-Where shadow passwords are used, the actual encrypted passwords are stored in a separate file, only readable by root. It is possible to use various password cracking tools to obtain unencrypted passwords either by trying random character combinations, a predefined word list or a combination of public user information. The attacker may use the information contained in the passwd file to launch a dictionary attack against the victim host or other hosts the same users may have access to.
-
---
-Attack Scenarios:
-The attacker downloads a "passwd" file from a machine that does not use shadowed passwords and uses a tool like John-the-Ripper to crack the passwords used for several accounts. He then proceeds to login to the system remotely and possibly gain escalated privileges via a local exploit on the system.
-
---
-
-Ease of Attack:
-Simple. The attack usually requires FTP access to the /etc/ directory either by system misconfiguration or via a directory traversal technique. Also, in the rare circumstances the system administrator may have accidentally left a copy of a "passwd" file in a directory accessible for anonymous or other FTP users, which presents a high security risk and simplifies the attack.
-
---
-
-False Positives:
-If the string "passwd" is contained within an otherwise innocuous filename being retrieved from a server, the rule will generate an event.
-
-Also, the anonymous FTP account often has a separate password file within the chrooted anonymous FTP directory (e.g. /var/ftp/etc/passwd). This file does not usually contain valid system usernames and passwords. While technically not a false positive, this may be considered a false alarm.
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Identify the downloaded file and confirm that it indeed a valid system password file. Change the user passwords on the system and notify the users.
-
-Ensure that FTP access to sensitive system files is not allowed.
-
---
-Contributors:
-Original rule writer Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS319
-
---
diff -Nru snort-2.9.0.1/doc/signatures/357.txt snort-2.9.2/doc/signatures/357.txt
--- snort-2.9.0.1/doc/signatures/357.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/357.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-357
-
---
-Summary:
-This event is generated when activity relating to spurious ftp traffic is detected on the network.
-
---
-Impact:
-Varies from information gathering to a serious compromise of an ftp server.
-
---
-Detailed Information:
-FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
-
-The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party using FTP.
-
-An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow access to FTP resources from hosts external to the protected network.
-
-Use secure shell (ssh) to transfer files as a replacement for FTP.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/358.txt snort-2.9.2/doc/signatures/358.txt
--- snort-2.9.0.1/doc/signatures/358.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/358.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-358
-
---
-
-Summary:
-This event is generated when an attempt is made to login anonymously
-into an ftp server using a suspicious password (-saint)
-
---
-
-Impact:
-Possible unauthorized access. Information gathering.
-
---
-
-Detailed Information:
-Saint is an open-source security scanner which checks for common
-vulnerabilities. When it detects an open ftp server, it tries to log in
-anonymously using the password '-saint'
-
---
-
-Affected Systems:
-Machines running anonymous ftp servers.
-
---
-
-Attack Scenarios:
-An attacker scans a range of IPs using the Saint Scanner, checking for
-known vulnerabilities. If the scanner encounters a ftp server, it tries
-to log in .
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-A user may be using that same password for a legitimate
-anonymous login.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable anonymous FTP access.
-
---
-
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS330
-
---
diff -Nru snort-2.9.0.1/doc/signatures/359.txt snort-2.9.2/doc/signatures/359.txt
--- snort-2.9.0.1/doc/signatures/359.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/359.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
-
---
-Sid:
-359
-
---
-
-Summary:
-This event is generated when an attempt is made to login anonymously
-into an ftp server using a suspicious password (-satan)
-
---
-
-Impact:
-Possible unauthorized access. Information gathering.
-
---
-
-Detailed Information:
-Satan is an open-source security scanner,a predecessor to Saint, which
-checks for common vulnerabilities. When it detects an open ftp server,
-it tries to log in anonymously using the password '-satan'
-
---
-
-Affected Systems:
-Machines running anonymous ftp servers.
-
---
-
-Attack Scenarios:
-An attacker scans a range of IPs using the Satan Scanner, checking for
-known vulnerabilities. If the scanner encounters a ftp server, it tries
-to log in .
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-A user may be using that same password for a legitimate
-anonymous login.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Disable anonymous FTP access.
-
---
-
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Chaos
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS329
-
---
diff -Nru snort-2.9.0.1/doc/signatures/360.txt snort-2.9.2/doc/signatures/360.txt
--- snort-2.9.0.1/doc/signatures/360.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/360.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-360
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known vulnerability in Serv-U FTP from CatSoft.
-
---
-Impact:
-Possible theft of data and control of the targeted machine leading to a
-compromise of all resources the machine is connected to.
-
---
-Detailed Information:
-Serv-U FTP from CatSoft is an FTP server for Windows 2000, NT and 9x systems.
-
-An attacker can download and upload files on the same partition as the ftp root. The attacker can use a standard user account with write and read access to a home folder.
-
-The vulnerability appears in Catsoft Serv-U FTP Server version 2.5a-h. A Unicode support implementation error was made, which allows an attacker to submit %20..%20.. to receive a "..", which allows an attacker to traverse the directory structure of the server.
-
---
-Affected Systems:
-CatSoft Serv-U 2.4
-CatSoft Serv-U 2.5
-Note: CatSoft Serv-U 2.5i is not affected.
-
---
-Attack Scenarios:
-Any standard user can break into the system root and access any file. An attacker could also guess a login and weak password, login and use the directory traversal to gain the Serv-U FTP Server's configuration file. The configuration file can be modified to give "execute" rights, uploaded using %20. directory traversal and trojans can be installed.
-
---
-Ease of Attack:
-Simple. No exploit code is required.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Upgrade to the latest non-affected version of the software.
-
-Check FTP log files for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Ueli Kistler,
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/361.txt snort-2.9.2/doc/signatures/361.txt
--- snort-2.9.0.1/doc/signatures/361.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/361.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-361
-
---
-Summary:
-This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1.
-
---
-Impact:
-Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit.
-
---
-Detailed Information:
-A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command.
-
---
-Affected Systems:
-Servers running Washington University wu-ftpd version 2.4.1 or earlier.
-
---
-Attack Scenarios:
-An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user uses the SITE EXEC command, this rule may generate an event.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to a later version of the wu-ftp daemon.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080
-
-CERT
-http://www.cert.org/advisories/CA-1995-16.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/362.txt snort-2.9.2/doc/signatures/362.txt
--- snort-2.9.0.1/doc/signatures/362.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/362.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid: 362
-
---
-
-Summary:
-This event is generated when an attempt to abuse an FTP servers functionality and configuration weaknesses is attempted.
-
---
-Impact:
-Serious. The attacker may have the ability to execute commands remotely within an FTP session.
-
---
-Detailed Information:
-This event is generated when an attempt to abuse the built-in archive decompression functionality of the FTP server is attempted.
-
-Some FTP servers allow the user to compress/archive files on the fly whilst they are being uploaded or downloaded. For example, the user may be able to "tar" and download an entire directory in one command simply by requesting the "directory_name.tar". Additionally, the user may be able to specify the command the "tar" archiver will use for compression (normally, "gzip", "bzip2", etc) and have an FTP server erroneously accept this command.
-
-If this command is a shell, an interactive session will be started. The string " --use-compress-program" is an indicator that such a parameter is being given to "tar" utility. The attack requires an established FTP session.
-
---
-
-Attack Scenarios:
-An FTP-only user with no shell access can connect to a server and execute a "/bin/bash" shell via this exploit. This will present the attacker with interactive access to a system.
-
---
-
-Ease of Attack:
-Simple. The attack requires an access via FTP to the target server. In the case of an anonymous FTP connection, the attack will only permit execution of software from within the chrooted anonymous FTP home.
-
-If the session is that of a regular FTP user, any binary or executable file can be executed. No special exploit software is required.
-
---
-
-False Positives:
-Highly unlikely, but the legitimate use of this functionality might trigger a false alarm
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Upgrade the FTP server software to a non-vulnerable version
-
-Restrict access to the FTP server to trusted users/IP addresses,
-
-Disallow automatic file archival
-
-Disable FTP server and use secure shell (SSH) for transferring files.
-
---
-Contributors:
-Original rule writer Max Vision
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS134
-
-Bugtraq:
-http://online.securityfocus.com/bid/2240
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0202
-
---
diff -Nru snort-2.9.0.1/doc/signatures/363.txt snort-2.9.2/doc/signatures/363.txt
--- snort-2.9.0.1/doc/signatures/363.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/363.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-363
-
---
-Summary:
-This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.
-
-An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.
-
-Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98SE
-Sun Solaris 2.6
-
---
-Attack Scenarios:
-An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network.
If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
-
---
-Ease of Attack:
-Simple. A proof-of-concept exists.
-
---
-False Positives:
-This rule may generate an alert if legitimate ICMP traffic of type 9 is sent from an external server to an internal server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-For vulnerable Windows computers, disable IRDP on the system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).
-
-For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).
-
-Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
-
---
-Contributors:
-Original rule written by Max Vision .
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-Additional information from Anton Chuvakin
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
-
-Arachnids:
-http://www.whitehats.com/info/IDS174
-
-Bugtraq:
-http://www.securityfocus.com/bid/578
-
-RFC:
-http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/364.txt snort-2.9.2/doc/signatures/364.txt
--- snort-2.9.0.1/doc/signatures/364.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/364.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-364
-
---
-Summary:
-This event is generated when an external server sends an ICMP IRDP router advertisement message to an internal server. This may indicate an attempt to cause a denial of service by adding spoofed router information to an IRDP-enabled host's routing table.
-
---
-Impact:
-Denial of service.
-
---
-Detailed Information:
-The ICMP Router Discovery Protocol (IRDP) is enabled by default on some Microsoft Windows and Sun Solaris operating systems. IRDP messages broadcast network routing information, and computers with IRDP enabled will store this routing information in their default routing tables. There is no way to determine whether the IRDP broadcast is authentic or spoofed, and some hosts will use the routes that appear in their local routing tables before using routes discovered via DHCP.
-
-An attacker can exploit this behavior by broadcasting IRDP messages with erroneous routing information to a target network. This will cause some IRDP-enabled hosts on that network to route traffic through the route advertised in the spoofed IRDP message. If the spoofed IRDP message contains nonexistent/inaccessible routing addresses, the target will not be able to connect to external networks, causing a denial of service. This may also facilitate man-in-the-middle attacks or interception of data by an attacker.
-
-Note that if an attacker is on the internal network, he/she can use valid routing addresses in the spoofed IRDP messages to passively monitor other machines or to perform "man-in-the-middle" attacks.
-
---
-Affected Systems:
-Microsoft Windows 95
-Microsoft Windows 98
-Microsoft Windows 98SE
-Sun Solaris 2.6
-
---
-Attack Scenarios:
-An attacker crafts spoofed IRDP broadcast messages and forwards them to a target network. If the messages are not filtered by the firewall and are broadcast to the internal network, some IRDP-enabled hosts begin routing traffic through the routes advertised in the IRDP broadcast message, which can cause a denial of service condition.
-
---
-Ease of Attack:
-Simple. A proof-of-concept exists.
-
---
-False Positives:
-This rule may generate an alert if legitimate ICMP traffic of type 10 is sent from an external server to an internal server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-For vulnerable Windows computers, disable IRDP on the vulnerable system (see http://support.microsoft.com/support/kb/articles/q216/1/41.asp).
-
-For vulnerable Solaris 2.6 computers, install the patch provided by Sun (see http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access).
-
-Use a packet filtering firewall to block ICMP type 9 packets from entering the internal network.
-
---
-Contributors:
-Original rule written by Max Vision .
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-Additional information from Anton Chuvakin
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875
-
-Arachnids:
-http://www.whitehats.com/info/IDS174
-
-Bugtraq:
-http://www.securityfocus.com/bid/578
-
-RFC:
-http://www.cotse.com/CIE/RFC/Orig/rfc1256.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/365.txt snort-2.9.2/doc/signatures/365.txt
--- snort-2.9.0.1/doc/signatures/365.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/365.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-365
-
---
-Summary:
-This event is generated when an external user pings an internal server using an echo request ICMP type. This may indicate an attempt to scan the network or cause a denial of service using a "ping flood."
-
---
-Impact:
-Possible information gathering or denial of service attempt.
-
---
-Detailed Information:
-An ICMP ping may indicate a scanning attempt, a ping flood, or a remote user attempting to see if the network responds.
-
---
-Affected Systems:
-Any system that responds to a ping request.
-
---
-Attack Scenarios:
-An attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition.
-
---
-Ease of Attack:
-Simple. Scanning and ping-based DoS tools are freely available.
-
---
-False Positives:
-This rule will generate an alert if a legitimate remote user pings an internal server.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall to block ICMP ping packets with an ICMP type value of 8.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/366.txt snort-2.9.2/doc/signatures/366.txt
--- snort-2.9.0.1/doc/signatures/366.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/366.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-366
-
---
-Summary:
-ping is a standard networking utility that determines if a target host
-is up. This rule indicates that the ping originated from a host running
-Unix.
-
---
-Impact:
-Information Disclosure. Ping can be used as a reconnaissance tool.
-
---
-Detailed Information:
-ping sends an ICMP Echo Request packet to an IP address. If a host is
-up at that address it will reply with an ICMP Echo Reply. The reply
-includes the data portion of the echo packet. The data included in the
-Echo Request varies across different operating system implementations.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker will often ping a machine to make sure it is up before
-attacking.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-This program is also used legitimately by users and/or network
-administrators to troubleshoot problems. It is possible to emulate this
-ping signature using another ping utility.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-ICMP packets can be blocked with a packet filtering firewall.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/368.txt snort-2.9.2/doc/signatures/368.txt
--- snort-2.9.0.1/doc/signatures/368.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/368.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-368
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Berkeley Systems Development (BSD) host.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running a BSD TCP/IP networking stack such as FreeBSD, NetBSD, or OpenBSD, will contain a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS152
-
---
diff -Nru snort-2.9.0.1/doc/signatures/369.txt snort-2.9.2/doc/signatures/369.txt
--- snort-2.9.0.1/doc/signatures/369.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/369.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-369
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a BayRS Router.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a BayRS router contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-
-Original rule written by Doug@Minderhout.com
-Modified by Brian Caswell
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.whitehats.com/info/IDS444
-
---
diff -Nru snort-2.9.0.1/doc/signatures/370.txt snort-2.9.2/doc/signatures/370.txt
--- snort-2.9.0.1/doc/signatures/370.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/370.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-370
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a host running BeOS4.x.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running BeOS4.x contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS151
-
---
diff -Nru snort-2.9.0.1/doc/signatures/371.txt snort-2.9.2/doc/signatures/371.txt
--- snort-2.9.0.1/doc/signatures/371.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/371.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
---
-Sid:
-371
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Cisco IOS 9.x system.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a system running Cisco IOS 9.x contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS153
-
---
diff -Nru snort-2.9.0.1/doc/signatures/372.txt snort-2.9.2/doc/signatures/372.txt
--- snort-2.9.0.1/doc/signatures/372.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/372.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-372
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running Delphi software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Delphi software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS155
-
---
diff -Nru snort-2.9.0.1/doc/signatures/373.txt snort-2.9.2/doc/signatures/373.txt
--- snort-2.9.0.1/doc/signatures/373.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/373.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-373
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Flowpoint 2200 DSL router.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Flowpoint 2200 DSL router contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS156
-
---
diff -Nru snort-2.9.0.1/doc/signatures/374.txt snort-2.9.2/doc/signatures/374.txt
--- snort-2.9.0.1/doc/signatures/374.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/374.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-374
-
---
-
-Summary:
-This event is generated when an ICMP echo request is made from a MacIntosh host running IPNetMonitor.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a MacIntosh host running IPNetMonitor contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS157
-
---
diff -Nru snort-2.9.0.1/doc/signatures/375.txt snort-2.9.2/doc/signatures/375.txt
--- snort-2.9.0.1/doc/signatures/375.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/375.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-375
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Linux or Berkeley Systems Development (BSD) host running the reconnaissance tool SING.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Linux or BSD using the SING reconnaissance tool contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Ofir Arkin < ofir@sys-security.com>
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS447
-
---
diff -Nru snort-2.9.0.1/doc/signatures/376.txt snort-2.9.2/doc/signatures/376.txt
--- snort-2.9.0.1/doc/signatures/376.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/376.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
---
-
-Sid:
-376
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS159
-
---
diff -Nru snort-2.9.0.1/doc/signatures/377.txt snort-2.9.2/doc/signatures/377.txt
--- snort-2.9.0.1/doc/signatures/377.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/377.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-377
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running Network Toolbox 3 software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Network Toolbox 3 software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS161
-
---
diff -Nru snort-2.9.0.1/doc/signatures/378.txt snort-2.9.2/doc/signatures/378.txt
--- snort-2.9.0.1/doc/signatures/378.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/378.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-378
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running Ping-O-Meter software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Ping-O-Meter software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS164
-
---
diff -Nru snort-2.9.0.1/doc/signatures/379.txt snort-2.9.2/doc/signatures/379.txt
--- snort-2.9.0.1/doc/signatures/379.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/379.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-379
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running "pinger" software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running "pinger" software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS165
-
---
diff -Nru snort-2.9.0.1/doc/signatures/380.txt snort-2.9.2/doc/signatures/380.txt
--- snort-2.9.0.1/doc/signatures/380.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/380.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-380
-
-Summary:
-This event is generated when an ICMP echo request is made from a Windows host running "Seer" software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running "Seer" software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS166
-
---
diff -Nru snort-2.9.0.1/doc/signatures/381.txt snort-2.9.2/doc/signatures/381.txt
--- snort-2.9.0.1/doc/signatures/381.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/381.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-381
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Solaris host running SING software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Solaris host running SING software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS448
-
---
diff -Nru snort-2.9.0.1/doc/signatures/382.txt snort-2.9.2/doc/signatures/382.txt
--- snort-2.9.0.1/doc/signatures/382.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/382.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-382
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a Windows 9x or 2000 host.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows 9x or 2000 host contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS169
-
---
diff -Nru snort-2.9.0.1/doc/signatures/384.txt snort-2.9.2/doc/signatures/384.txt
--- snort-2.9.0.1/doc/signatures/384.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/384.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-384
-
---
-Summary:
-This event is generated when an generic ICMP echo request is made.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/385.txt snort-2.9.2/doc/signatures/385.txt
--- snort-2.9.0.1/doc/signatures/385.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/385.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-385
-
---
-Summary:
-This event is generated when a Windows traceroute (tracert) is detected.
-
---
-Impact:
-Information gathering. A traceroute can be used to discover live hosts and network topologies.
-
---
-Detailed Information:
-A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies. The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host. Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit. A router sends this ICMP error message to the host running traceroute. The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached.
-
-Additionally There are at least three different implementations of
-traceroute. In one implementation traceroute works by sending an ICMP
-Echo Request packet to a destination host with a TTL value of 1. If the
-host is more than one hop away, the first route that receives the back
-will send back an ICMP packet indicating that the TTL was exceeded. The
-address of this router is then listed as the first hop. The packet is
-then sent out again with a TTL of 2. This continues until the
-destination host is able to reply or some maximum TTL value is reached.
-
-The other two implementations use the same TTL-based concept with an
-ICMP type of 30(traceroute) or with an UDP packet destined for an
-ephemeral port.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-The traceroute command may be used to legitimately troubleshoot networking problems.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-Snort documentation contributed by by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS118
-
---
diff -Nru snort-2.9.0.1/doc/signatures/386.txt snort-2.9.2/doc/signatures/386.txt
--- snort-2.9.0.1/doc/signatures/386.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/386.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-386
-
---
-Summary:
-This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-If an attacker sends an ICMP request to an internal server for address mask information (SID 388 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
-
---
-Affected Systems:
-Any system that responds to ICMP address mask requests.
-
---
-Attack Scenarios:
-An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
-
---
-Ease of Attack:
-Simple. Tools that use this method of information gathering are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
-
-ArachNIDS
-http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
-
---
diff -Nru snort-2.9.0.1/doc/signatures/387.txt snort-2.9.2/doc/signatures/387.txt
--- snort-2.9.0.1/doc/signatures/387.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/387.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-387
-
---
-Summary:
-This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-If an attacker sends an ICMP request to an internal server for address mask information (SID 389 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks.
-
---
-Affected Systems:
-Any system that responds to ICMP address mask requests.
-
---
-Attack Scenarios:
-An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration.
-
---
-Ease of Attack:
-Simple. Tools that use this method of information gathering are freely available.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524
-
-ArachNIDS
-http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216
-
---
diff -Nru snort-2.9.0.1/doc/signatures/388.txt snort-2.9.2/doc/signatures/388.txt
--- snort-2.9.0.1/doc/signatures/388.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/388.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-
-Sid:
-388
-
---
-
-Summary:
-This event is generated when an ICMP Address Mask Request message is found on the network. ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network.
-
---
-
-Impact:
-Attacks may use an ICMP address Mask Request to determine the subnet mask of the network. This information can be used to help develope a network diagram in lue of more focused attacks.
---
-
-Detailed Information:
-ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address. In most implementations this method is not supported, and should not be normal traffic on most networks.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the subnet masks of a given network.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Address Mask Requests.
---
-
-False Positives:
-Legitimate uses of ICMP Address Mask Requests exist. Some hosts my implement this method as the final fall back option after static configuration and dynamic address mask configuration has failed.
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 17 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network.
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/389.txt snort-2.9.2/doc/signatures/389.txt
--- snort-2.9.0.1/doc/signatures/389.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/389.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-
-Sid:
-389
-
---
-
-Summary:
-This event is generated when an ICMP Address Mask Request message is found on the network with an invalid ICMP Code. ICMP Address Mask Requests are used for automatically determining the 32-bit subnet mask for the network. RFC 950 definesthe Code for ICMP Type 17 datagram to be 0, if this field is not 0 it could be an indication of an attack attempt.
-
---
-
-Impact:
-Attacks may use an ICMP address Mask Request to determine the subnet mask of the network. This information can be used to help develope a network diagram in lue of more focused attacks.
---
-
-Detailed Information:
-ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address. In most implementations this method is not supported, and should not be normal traffic on most networks.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the subnet masks of a given network subnet.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Address Mask Requests.
---
-
-False Positives:
-None known. ICMP Type 17 datagrams should never be generated with a code other than 0.
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 17 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network.
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/390.txt snort-2.9.2/doc/signatures/390.txt
--- snort-2.9.0.1/doc/signatures/390.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/390.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-390
-
---
-
-Summary:
-This event is generated when an ICMP Alternate Host Address datagram is detected on the network. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address or neighboring hosts.
-
---
-
-Impact:
-This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
-
---
-
-Detailed Information:
-ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the network.
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Alternate Host Address datagrams.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 6 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/391.txt snort-2.9.2/doc/signatures/391.txt
--- snort-2.9.0.1/doc/signatures/391.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/391.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-391
-
---
-
-Summary:
-This event is generated when an ICMP Alternate Host Address datagram is detected on the network with an invalid ICMP code. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts.
-
---
-
-Impact:
-This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities.
-
---
-
-Detailed Information:
-ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the network.
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Alternate Host Address datagrams with invalid ICMP codes.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 6 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule wirter unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/392.txt snort-2.9.2/doc/signatures/392.txt
--- snort-2.9.0.1/doc/signatures/392.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/392.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-392
-
---
-
-Summary:
-This event is generated when an ICMP Datagram Conversion Error message is detected on the network. ICMP Datagram Conversion Error messages were developed with the introduction of IPv6 to give information about invalid datagram conversions between IPv4 and IPv6.
-
---
-
-Impact:
-No known attack vectors are known that use ICMP type 31 datagrams. This is purely an informational message that detects errors on the network.
-
---
-
-Detailed Information:
-ICMP Type 31 was developed to return information about datagram conversion errors between IPv4 and IPv6 as data is converted between them.
-
---
-
-Attack Scenarios:
-None known
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Datagram Conversion Error messages.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 31 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/393.txt snort-2.9.2/doc/signatures/393.txt
--- snort-2.9.0.1/doc/signatures/393.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/393.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-393
-
---
-
-Summary:
-This event is generated when an ICMP Datagram Conversion Error message is detected on the network with an invalid ICMP code. ICMP Datagram Conversion Error messages were developed with the introduction of IPv6 to give information about invalid datagram conversions between IPv4 and IPv6.
-
---
-
-Impact:
-No known attack vectors are known that use ICMP type 31 datagrams. This is purely an informational message that detects errors on the network. Only ICMP Codes 0 through 11 have been defined by IANA, ICMP Type 31 datagrams with ICMP Codes other than these values are invalid.
-
---
-
-Detailed Information:
-ICMP Type 31 was developed to return information about datagram conversion errors between IPv4 and IPv6 as data is converted between them.
-
---
-
-Attack Scenarios:
-None known
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Datagram Conversion Error messages.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 31 datagrams should be blocked at the firewall.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/394.txt snort-2.9.2/doc/signatures/394.txt
--- snort-2.9.0.1/doc/signatures/394.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/394.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-394
-
---
-
-Summary:
-This event is generated when an ICMP Destination Host Unknown datagram is detected on the network. Gateway devices normally generate these ICMP messages when the destination's IP address is unreachable.
-
---
-
-Impact:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems or faulty routing devices.
-
---
-
-Detailed Information:
-This ICMP message will be generated when the destination host specified in the datagram is unreachable.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no correct action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/395.txt snort-2.9.2/doc/signatures/395.txt
--- snort-2.9.0.1/doc/signatures/395.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/395.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-395
-
---
-
-Summary:
-This event is generated when an ICMP Destination Network Unknown datagram is detected on the network. Gateway devices normally generate these ICMP messages when the destination network is unreachable.
-
---
-
-Impact:
-This ICMP message will be generated when the destination network specified in the datagram is unreachable.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems or faulty routing
-devices.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no correct action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/396.txt snort-2.9.2/doc/signatures/396.txt
--- snort-2.9.0.1/doc/signatures/396.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/396.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-396
-
---
-
-Summary:
-This event is generated when an ICMP Destination Unreachable Fragmentation Needed datagram is detected on the network. Gateway devices normally generate these ICMP messages when the destination network requires fragmentation before the datagram can be forwarded by a gateway.
-
---
-
-Impact:
-This ICMP message will be generated when the destination network specified in the datagram requires fragmentation and the DF bit is set on the datagram. This could be an indication of improperly configured network hosts.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/397.txt snort-2.9.2/doc/signatures/397.txt
--- snort-2.9.0.1/doc/signatures/397.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/397.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-397
-
---
-
-Summary:
-This event is generated when An ICMP Host Precedence Violation is sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source and destination host, network destination, upper layer protocol, or source/destination port.
-
---
-
-Impact:
-Routers will generate this message when the requested precedent is not permitted to transverse the network. This could be an indication of an improperly configured routing device or a improperly configured host on the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/398.txt snort-2.9.2/doc/signatures/398.txt
--- snort-2.9.0.1/doc/signatures/398.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/398.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-398
-
---
-
-Summary:
-This event is generated when An ICMP Host Unreachable for Type of Server datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the requested TOS (Type of Service) is not permitted to transverse the network. This could be an indication of an improperly configured routing device or a improperly configured host on the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/399.txt snort-2.9.2/doc/signatures/399.txt
--- snort-2.9.0.1/doc/signatures/399.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/399.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-399
-
---
-
-Summary:
-This event is generated when An ICMP Host Unreachable datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the route to the destination host on a directly connected network is not available. This occurs when no ARP response is received from the destination network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/400.txt snort-2.9.2/doc/signatures/400.txt
--- snort-2.9.0.1/doc/signatures/400.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/400.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-400
-
---
-
-Summary:
-This event is generated when An ICMP Network Unreachable For Type Of Service datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the route to the destination network does not support the Type of Service requested in the datagram or the default TOS. This could be an indication or routing problems or excessive packet loss.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/401.txt snort-2.9.2/doc/signatures/401.txt
--- snort-2.9.0.1/doc/signatures/401.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/401.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-401
-
---
-
-Summary:
-This event is generated when An ICMP Network Unreachable datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when the route to the destination network is not available. This could be an indication of routing problems on the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/402.txt snort-2.9.2/doc/signatures/402.txt
--- snort-2.9.0.1/doc/signatures/402.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/402.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-402
-
---
-Summary:
-This event is generated when an ICMP Port Unreachable message was detected.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-An ICMP Port Unreachable is not an attack, but may indicate that the source
-of the packet was the target of a scan or other malicious activity.
-
-An ICMP Port Unreachable (ICMP type 3 code 3) indicates that someone or
-something tried to connect to a port on a system that was not available
-(i.e., no service was running on that port).
-
-This is analagous to RST packets in TCP. Since UDP does not have an
-equivalent, it relies upon ICMP Port Unreachable for this. This often
-indicates someone was scanning for UDP services.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-An attacker may use a port scanner to determine possible attack vectors
-as a prelude to a directed attack against a system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-This kind of packet is common on networks, and may be generated by simple
-misconfigurations on either the source or destination, or service outage.
-
---
-False Negatives:
-Not all operating systems will respond with ICMP Port Unreachable
-messages when no service is running.
-
---
-Corrective Action:
-Examine the activity of the recipient of this packet to see if the
-recipient was responsible for scanning or other behavior.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-References:
-
-RFC 792:
-http://www.faqs.org/rfcs/rfc792.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/403.txt snort-2.9.2/doc/signatures/403.txt
--- snort-2.9.0.1/doc/signatures/403.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/403.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-403
-
---
-
-Summary:
-This event is generated when An ICMP Precedence Cutoff In Effect datagram is detected on the network.
-
---
-
-Impact:
-Routers will generate this message when a minimum precedence level has been configured for the network. This could be an indication of improperly configured routing equipment or network host.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/404.txt snort-2.9.2/doc/signatures/404.txt
--- snort-2.9.0.1/doc/signatures/404.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/404.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-404
-
---
-
-Summary:
-This event is generated when An ICMP Protocol Unreachable datagram is detected on the network.
-
---
-
-Impact:
-This could be an indication of improperly configured routing equipment or network host.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Routers will generate this message when the transport protocol designated in the datagram is not supported in the transport layer of the final destination. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/405.txt snort-2.9.2/doc/signatures/405.txt
--- snort-2.9.0.1/doc/signatures/405.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/405.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-405
-
---
-
-Summary:
-This event is generated when An ICMP Source Host Isolated datagram is detected on the network.
-
---
-
-Impact:
-This is an indication of improperly configured routing equipment or network host. RFC 1812 indicates that ICMP Type 3 ICMP Code 8 messages should never be generated.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Routers should never generate ICMP Type 11 Code 8 as they are in violation of RFC1812. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/406.txt snort-2.9.2/doc/signatures/406.txt
--- snort-2.9.0.1/doc/signatures/406.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/406.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-406
-
---
-
-Summary:
-This event is generated when An ICMP Source Route Failed datagram is detected on the network.
-
---
-
-Impact:
-The datagram that generated with ICMP datagram failed to transverse the network. This could be an indication of routing or network problems.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, or improperly configured hosts.
-
---
-
-Attack Scenarios:
-None Known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/407.txt snort-2.9.2/doc/signatures/407.txt
--- snort-2.9.0.1/doc/signatures/407.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/407.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-407
-
---
-
-Summary:
-This event is generated when An ICMP Destination Unreachable datagram is detected on the network with an undefined ICMP Code.
-
---
-
-Impact:
-ICMP Codes for Destination Unreachable datagrams are defined in RFC 792 and RFC 1812. The datagram that generated this event is not defined in either of these RFCs. This could be an indication of a DoS (Denial of Service) attempt against the network.
-
---
-
-Detailed Information:
-This rule generates informational events about the network. Large numbers of these messages on the network could indication routing problems, faulty routing devices, improperly configured hosts, or an attempted DoS.
-
---
-
-Attack Scenarios:
-Invalid or undefined ICMP codes should never be seen in normal network conditions. A remote attacker could be generating these packets in an attempt to cause an DoS.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate these types of ICMP datagrams.
-
---
-
-False Positives:
-None Known
-
---
-
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-This rule detects informational network information, no corrective action is necessary.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/408.txt snort-2.9.2/doc/signatures/408.txt
--- snort-2.9.0.1/doc/signatures/408.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/408.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-408
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Echo Reply in response to an ICMP Echo Request message.
-
---
-
-Impact:
-Information-gathering. An ICMP Echo Reply message is sent in response to an ICMP REcho Request message. If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive.
-
---
-
-Detailed Information:
-ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams. This type of message is used to determine if a host is active on the network.
-
---
-
-Attack Scenarios:
-A remote attacker may use ICMP Echo Request datagrams to determine active hosts on the network in prelude of further attacks.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/409.txt snort-2.9.2/doc/signatures/409.txt
--- snort-2.9.0.1/doc/signatures/409.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/409.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -409 - --- - -Summary: -This event is generated when a network host generates an ICMP Echo Reply with an invalid or undefined ICMP Code. - --- - -Impact: -Information-gathering. An ICMP Echo Reply message is sent in response to an ICMP Echo Request message. If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive. Most OS's (operating systems) will accept an ICMP Echo Reply message with an invalid or undefined ICMP code set as a valid ICMP Echo Reply. - --- - -Detailed Information: -ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams. This type of message is used to determine if a host is active on the network. - --- - -Attack Scenarios: -Remote attackers my generate ICMP Echo Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Echo Requests. - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Use ingress filtering to prevent ICMP Type 0 messages from entering the network. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/410.txt snort-2.9.2/doc/signatures/410.txt --- snort-2.9.0.1/doc/signatures/410.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/410.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -410 - --- - -Summary: -This event is generated when a network host generates an ICMP Fragment Reassembly Time Exceeded message. - --- - -Impact: -This could be an indication of an improperly configured routing device or networked host. - --- - -Detailed Information: -ICMP Type 11 Code 1 is the RFC defined messaging type for ICMP Fragment Reassembly Time exceeded datagrams. If a host fails to reassemble a fragmented datagram before the TTL of the datagram is expires an ICMP Fragment Reassembly Time Exceeded datagram is generated. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Fragment reassembly Time Exceeded messages are normally and indication of improperly configured hosts or routing equipment. The configurations of the devices causing these ICMP datagrams to be created should be checked for errors. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/411.txt snort-2.9.2/doc/signatures/411.txt --- snort-2.9.0.1/doc/signatures/411.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/411.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -411 - --- - -Summary: -This event is generated when a network host generates an ICMP IPV6 I-Am-Here datagram. - --- - -Impact: -ICMP Type 34 datagrams are not expected network traffic. Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity. - --- - -Detailed Information: -ICMP Type 34 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/412.txt snort-2.9.2/doc/signatures/412.txt --- snort-2.9.0.1/doc/signatures/412.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/412.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -412 - --- - -Summary: -This event is generated when a network host generates an ICMP IPV6 I-Am-Here datagram with an undefined ICMP code. - --- - -Impact: -ICMP Type 34 datagrams are not expected network traffic. Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity. - --- - -Detailed Information: -ICMP Type 34 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Hosts generating ICMP Type 34 datagrams should be investigated for hostile activity. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/413.txt snort-2.9.2/doc/signatures/413.txt --- snort-2.9.0.1/doc/signatures/413.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/413.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -413 - --- - -Summary: -This event is generated when a network host generates an ICMP IPV6 Where-Are-You datagram. - --- - -Impact: -ICMP Type 33 datagrams are not expected network traffic. Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity. - --- - -Detailed Information: -ICMP Type 33 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/414.txt snort-2.9.2/doc/signatures/414.txt --- snort-2.9.0.1/doc/signatures/414.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/414.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -414 - --- - -Summary: -This event is generated when a network host generates an ICMP IPV6 Where-Are-You datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Type 33 datagrams are not expected network traffic. Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity. - --- - -Detailed Information: -ICMP Type 33 is an undocumented extension to RFC 1812 and RFC 792. Its current use it not defined by an approved RFC. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -Hosts generating ICMP Type 33 datagrams should be investigated for hostile activity. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/415.txt snort-2.9.2/doc/signatures/415.txt --- snort-2.9.0.1/doc/signatures/415.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/415.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -415 - --- - -Summary: -This event is generated when a network host generates an ICMP Information Reply datagram. - --- - -Impact: -ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in. - --- - -Detailed Information: -This message is generated in response to an ICMP Information Request Message. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 16 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/416.txt snort-2.9.2/doc/signatures/416.txt --- snort-2.9.0.1/doc/signatures/416.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/416.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- - -Sid: -416 - --- - -Summary: -This event is generated when a network host generates an ICMP Information Reply datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in. - -Undefined ICMP Code values should never been seen on the network. This could be an indication of nefarious activity on the network. - --- - -Detailed Information: -This message is generated in response to an ICMP Information Request Message. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 16 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/417.txt snort-2.9.2/doc/signatures/417.txt --- snort-2.9.0.1/doc/signatures/417.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/417.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -417 - --- - -Summary: -This event is generated when a network host generates an ICMP Information Request datagram. - --- - -Impact: -ICMP Information Request datagrams attempt to locate the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in. - --- - -Detailed Information: -This message is generated when a host attempts to locate the network number of the network segment it is located on.. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 15 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/418.txt snort-2.9.2/doc/signatures/418.txt --- snort-2.9.0.1/doc/signatures/418.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/418.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- - -Sid: -418 - --- - -Summary: -This event is generated when a network host generates an ICMP Information Request datagram with an undefined ICMP code. - --- - -Impact: -ICMP Information Request datagrams attempt to locate the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in. - -Undefined ICMP Code values should never be seen on the network. This could be an indication of nefarious activity on the network. - --- - -Detailed Information: -This message is generated when a host attempts to locate the network number of the network segment it is located on.. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 15 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors. - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/419.txt snort-2.9.2/doc/signatures/419.txt --- snort-2.9.0.1/doc/signatures/419.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/419.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- - -Sid: -419 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Host Redirect datagram. - --- - -Impact: -ICMP Mobile Host Redirect Messages alert base-stations to the movements of IP based mobile hosts, such as notebooks and palmtop computers. - --- - -Detailed Information: -The Transparent Internet Routing for IP Mobile Hosts IETF draft defines ICMP Type 32 Code 0 as an ICMP Mobile Host Redirect Message. This message was intended to be used by mobile computers to inform base-stations of their location on the network as they move from base-station to base-station. - -This IETF draft was never ratified, and no hardware is known to exist that generates this type of ICMP datagram - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 32 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/420.txt snort-2.9.2/doc/signatures/420.txt --- snort-2.9.0.1/doc/signatures/420.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/420.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- - -Sid: -420 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Host Redirect datagram with an undefined ICMP code. - --- - -Impact: - -Undefined ICMP Code values should never be seen on the network. This could be an indication of nefarious activity on the network. - --- - -Detailed Information: -The Transparent Internet Routing for IP Mobile Hosts IETF draft defines ICMP Type 32 Code 0 as an ICMP Mobile Host Redirect Message. This message was intended to be used by mobile computers to inform base-stations of their location on the network as they move from base-station to base-station. In normal situations the ICMP Code should be set to 0, values other than 0 are undefined and should never be used. - -This IETF draft was never ratified, and no hardware is known to exist that generates this type of ICMP datagram - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 32 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/421.txt snort-2.9.2/doc/signatures/421.txt --- snort-2.9.0.1/doc/signatures/421.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/421.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -421 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Reply datagram. - --- - -Impact: -ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 36 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/422.txt snort-2.9.2/doc/signatures/422.txt --- snort-2.9.0.1/doc/signatures/422.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/422.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -422 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Reply datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams with an ICMP Code other than 0, should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 36 datagrams with undefined ICMP Codes are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/423.txt snort-2.9.2/doc/signatures/423.txt --- snort-2.9.0.1/doc/signatures/423.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/423.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -423 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Request datagram. - --- - -Impact: -ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/424.txt snort-2.9.2/doc/signatures/424.txt --- snort-2.9.0.1/doc/signatures/424.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/424.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- - -Sid: -424 - --- - -Summary: -This event is generated when a network host generates an ICMP Mobile Registration Request datagram with an undefined ICMP Code. - --- - -Impact: -ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions. - --- - -Detailed Information: -ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known --- - -Corrective Action: -ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity - --- - -Contributors: -Original rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/425.txt snort-2.9.2/doc/signatures/425.txt --- snort-2.9.0.1/doc/signatures/425.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/425.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -425 - --- - -Summary: -This event is generated when a router generates and ICMP Parameter Problem Bad Length datagram. - --- - -Impact: -This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated before it reached its final destination. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. An ICMP Parameter Problem Bad Length datagram indicates that the datagram was truncated before it reached its final destination. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 Code 2 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/426.txt snort-2.9.2/doc/signatures/426.txt --- snort-2.9.0.1/doc/signatures/426.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/426.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -426 - --- - -Summary: -This event is generated when a router generates and ICMP Parameter Problem Required Option Missing datagram. - --- - -Impact: -This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated when the IP datagram is truncated or damaged before it reaches its final destination. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. An ICMP Parameter Problem Required Option Missing datagram indicates that the IP datagram is invalid or contains invalid IP options. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 Code 1 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/427.txt snort-2.9.2/doc/signatures/427.txt --- snort-2.9.0.1/doc/signatures/427.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/427.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -427 - --- - -Summary: -This event is generated when a router generates and ICMP Parameter Problem Unspecified Error datagram. - --- - -Impact: -This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated or damaged before it reached its final destination. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 Code 0 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/428.txt snort-2.9.2/doc/signatures/428.txt --- snort-2.9.0.1/doc/signatures/428.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/428.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -428 - --- - -Summary: -This event is generated when a host generates and ICMP Parameter Problem datagram with an undefined ICMP Code. - --- - -Impact: -ICMP datagrams should never contain undefined ICMP Codes. This is normally an indication of nefarious activity occurring on the network. - --- - -Detailed Information: -A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. This could be an indication of routing problems on the network, or malfunctioning routing hardware. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 12 datagrams with undefined ICMP Codes are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None - - --- diff -Nru snort-2.9.0.1/doc/signatures/429.txt snort-2.9.2/doc/signatures/429.txt --- snort-2.9.0.1/doc/signatures/429.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/429.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -429 - --- - -Summary: -This event is generated when a host generates and ICMP Bad SPI datagram. - --- - -Impact: -ICMP Type 40 Code 0 datagrams are an indication that a received datagram has an invalid SPI that is invalid or has expired. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 0 datagrams are generated when a received datagram includes a SPI (Security Parameters Index) that is invalid or has expired. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.9.0.1/doc/signatures/430.txt snort-2.9.2/doc/signatures/430.txt --- snort-2.9.0.1/doc/signatures/430.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/430.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- - -Sid: -430 - --- - -Summary: -This event is generated when a host generates and ICMP Type 40 Code 1 Authentication Failed datagram. - --- - -Impact: -ICMP Type 40 Code 1 datagrams are an indication that a received datagram failed the authenticity or integrity check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. - --- - -Detailed Information: -Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 1 datagrams are generated when a received datagram failed the authenticity or integrity check for a given SPI (Security Parameters Index). In some situations this may be an indication that an outer Encapsulation Security Protocol is in use, and the Authentication Header SPI is hidden inside the encapsulation. - --- - -Attack Scenarios: -None known - --- - -Ease of Attack: -Numerous tools and scripts can generate this type of ICMP datagram. - --- - -False Positives: -None known - --- - -False Negatives: -None known - --- - -Corrective Action: -ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -RFC2521 - - --- diff -Nru snort-2.9.0.1/doc/signatures/431.txt snort-2.9.2/doc/signatures/431.txt --- snort-2.9.0.1/doc/signatures/431.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/431.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-431
-
---
-
-Summary:
-This event is generated when a host generates and ICMP Type 40 Code 2 Decompression Failed datagram.
-
---
-
-Impact:
-ICMP Type 40 Code 2 datagrams are an indication that a received datagram failed a decompression check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
-
---
-
-Detailed Information:
-Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 2 datagrams are generated when a received datagram fails the decompression check for a given SPI (Security Parameters Index).
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC2521
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/432.txt snort-2.9.2/doc/signatures/432.txt
--- snort-2.9.0.1/doc/signatures/432.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/432.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-432
-
---
-
-Summary:
-This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram.
-
---
-
-Impact:
-ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
-
---
-
-Detailed Information:
-Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index).
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC2521
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/433.txt snort-2.9.2/doc/signatures/433.txt
--- snort-2.9.0.1/doc/signatures/433.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/433.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-
-Sid:
-433
-
---
-
-Summary:
-This event is generated when a host generates and ICMP Type 40 datagram with an undefined ICMP Code.
-
---
-
-Impact:
-ICMP Type 40 datagrams are an indication that a received datagram failed a integrity check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
-
---
-
-Detailed Information:
-Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 datagrams are generated when a received datagram fails an integrity check for a given SPI (Security Parameters Index). ICMP Type 40 datagrams should never be generated with an undefined ICMP Code, this could be an indication of nefarious network activity.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC2521
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/436.txt snort-2.9.2/doc/signatures/436.txt
--- snort-2.9.0.1/doc/signatures/436.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/436.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-436
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Redirect for the Type of Service and Host datagram.
-
---
-
-Impact:
-Redirect messages are normally an indication that a shorter route to a particular destination exists.
-
---
-
-Detailed Information:
-ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
-
---
-
-Attack Scenarios:
-Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC792
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/437.txt snort-2.9.2/doc/signatures/437.txt
--- snort-2.9.0.1/doc/signatures/437.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/437.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-437
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Redirect for the Type of Service and Network datagram.
-
---
-
-Impact:
-Redirect messages are normally an indication that a shorter route to a particular destination exists.
-
---
-
-Detailed Information:
-ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
-
---
-
-Attack Scenarios:
-Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC792
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/438.txt snort-2.9.2/doc/signatures/438.txt
--- snort-2.9.0.1/doc/signatures/438.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/438.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-438
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Redirect with an undefined ICMP code.
-
---
-
-Impact:
-Redirect messages are normally an indication that a shorter route to a particular destination exists.
-
---
-
-Detailed Information:
-ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
-
-ICMP datagrams with undefined codes should never be seen on the network. This could be an indication of nefarious activity on the network.
-
---
-
-Attack Scenarios:
-Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC792
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/439.txt snort-2.9.2/doc/signatures/439.txt
--- snort-2.9.0.1/doc/signatures/439.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/439.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-
-Sid:
-439
-
---
-
-Summary:
-This event is generated when an ICMP Type 19 Code 0 (ICMP Reserved for Security) datagram is detected on the network.
-
---
-
-Impact:
-ICMP Type 19 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 19 is not defined for use and is not expected network activity.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/440.txt snort-2.9.2/doc/signatures/440.txt
--- snort-2.9.0.1/doc/signatures/440.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/440.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-
-Sid:
-440
-
---
-
-Summary:
-This event is generated when an ICMP Type 19 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 19 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 19 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/441.txt snort-2.9.2/doc/signatures/441.txt
--- snort-2.9.0.1/doc/signatures/441.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/441.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-
-Sid:
-441
-
---
-
-Summary:
-This event is generated when an ICMP Router Advertisement message is found on the network.
-
---
-
-Impact:
-
---
-
-Detailed Information:
-Routers may use ICMP protocol 9 to advertise their information and presence on a network. Clients normally recieve this information from DNS if they use DHCP. Clients with statically assigned addresses do not need this information from an external source.
-
-It may be possible for an attacker to craft a packet of this type in such a way as to change the routing information on a DHCP enabled client.
-
---
-
-Affected Systems:
- Microsoft Windows 98
- Sun Solaris 2.6, Sun OS 5.
-
---
-
-Attack Scenarios:
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Address Mask Requests.
-
---
-
-False Positives:
-Legitimate uses of ICMP type 9 messages are common.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 9 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/443.txt snort-2.9.2/doc/signatures/443.txt
--- snort-2.9.0.1/doc/signatures/443.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/443.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-
-Sid:
-443
-
---
-
-Summary:
-This event is generated when an ICMP Router Selection message is found on the network.
-
---
-
-Impact:
-
---
-
-Detailed Information:
-ICMP Address Mask Requests are defined in RFC 950 as the third method hosts may support for determing the address mask correspoding to its IP address. In most implementations this method is not supported, and should not be normal traffic on most networks.
-
---
-
-Attack Scenarios:
-Attackers may use this ICMP Type to gather information about the subnet masks of a given network.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate ICMP Address Mask Requests.
---
-
-False Positives:
-Legitimate uses of ICMP Address Mask Requests exist. Some hosts my implement this method as the final fall back option after static configuration and dynamic address mask configuration has failed.
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-ICMP Type 17 should be blocked at the upstream firewall. This type of ICMP request should never originate from a host outside of the protected network.
---
-
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/445.txt snort-2.9.2/doc/signatures/445.txt
--- snort-2.9.0.1/doc/signatures/445.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/445.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-445
-
---
-Summary:
-This event is generated when an ICMP "SKIP" message is generated.
-
---
-Impact:
-Informational. This indicates that an error condition was encountered when requesting the Simple Key Management Protocol for IP (SKIP) protocol to provide keying material.
-
---
-Detailed Information:
-An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. This may occur when the sender makes a request via a SKIP packet for some kind of algorithm, such as encryption, that is not supported by the receiver. The receiver responds with this ICMP message to indicate that the requested algorithm is not supported.
-
---
-Affected Systems:
-This traffic should have no adverse impact.
-
---
-Attack Scenarios:
-This is not an attack unless these messages are sent in volume for an attempted denial of service.
-
---
-Ease of Attack:
-Simple. There are many packages available to generate ICMP messages.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-None.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/446.txt snort-2.9.2/doc/signatures/446.txt
--- snort-2.9.0.1/doc/signatures/446.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/446.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,53 +0,0 @@
-Rule:
-
---
-Sid:
-446
-
---
-Summary:
-This event is generated when an ICMP "SKIP" message is generated with a non-zero ICMP code.
-
---
-Impact:
-Informational. This may indicate that the ICMP message has been crafted.
-
---
-Detailed Information:
-An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0. If a non-zero code for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
-
-
---
-Affected Systems:
-This traffic should have no adverse impact.
-
---
-Attack Scenarios:
-An attacker may craft an ICMP "SKIP" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
-
---
-Ease of Attack:
-Simple. There are many packages available to generate ICMP messages.
-
---
-False Positives:
-Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-None.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/448.txt snort-2.9.2/doc/signatures/448.txt
--- snort-2.9.0.1/doc/signatures/448.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/448.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-448
-
---
-Summary:
-This event is generated when an ICMP "Source Quench" message is
-generated that has a non-zero ICMP code.
-
---
-Impact:
-Informational. This may indicate that the ICMP message has been
-crafted.
-
---
-Detailed Information:
-An ICMP "Source Quench" message is issued by a network device that
-cannot handle the current volume of traffic. The ICMP code value for
-this message should be 0. If a non-zero ICMP code is observed, it may
-be an indication that the packet was crafted with an invalid value.
-
-ICMP Source Quench messages may be normally sent by either a gateway or
-a host as a congestion control mechanism. A gateway would send them if
-it is running out of buffer space (needed to queue datagrams for output
-to the next hop) or by a host that is receiving datagrams too fast to
-process. Maliciously crafted ICMP Source Quench Messages may be used to
-force a remote host to slow down its transmission rate and causing a
-Denial of Service.
-
---
-Affected Systems:
-This traffic should have no adverse impact.
-
---
-Attack Scenarios:
-An attacker may craft an ICMP "Source Quench" message with an invalid
-ICMP code. A single packet itself is not harmful, but the unusual ICMP
-code my indicate that this packet was abnormally generated.
-
---
-Ease of Attack:
-Simple. There are many packages available to generate ICMP messages.
-
---
-False Positives:
-Although rare, it is possible to observe an ICMP "Source Quench" message
-with a non-zero type code generated by software that does not conform to standards.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-If a routing device in your network is generating this message, investigate why it does not have a standard ICMP code of 0.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Judy Novak
-Additional information by Jose Hernandez
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/449.txt snort-2.9.2/doc/signatures/449.txt
--- snort-2.9.0.1/doc/signatures/449.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/449.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-449
-
---
-Summary:
-This event is generated when a routing device detects that a packet has exceeded the maximum number of allowable hops.
-
---
-Impact:
-Informational. This indicates that a packet has been expired by an internal router. This may be an indication of an attacker attempting a traceroute of a host in your network.
-
---
-Detailed Information:
-Each packet is assigned an initial Time To Live (TTL) value before being sent. This value is usually determined by the operating system of the given TCP/IP stack. The TTL value represents the maximum number of hops a packet may take before being expired by a routing device. This is done to banish lost or misguided packets from the network. The traceroute utility assigns its own TTL values to dictate the number of hops a packet takes, to discover all the routing devices that are traversed by a packet. During the process, an ICMP "Time Exceeded in Transit" message may be observed. If a router in your network sends this message, it may be an indication that an attacker is attempting a traceroute of a host in your network.
-
---
-Affected Systems:
-Any device that expires a packet will generate this ICMP message.
-
---
-Attack Scenarios:
-An attacker may attempt a traceroute to discover your routing devices and network topology.
-
---
-Ease of Attack:
-Simple. The UNIX traceroute and Windows tracert are provided utilities.
-
---
-False Positives:
-It is possible to observe an ICMP "Time Exceeded in Transit" message sent outbound if any inbound packet has exceeded the maximum allowable hops. This may be a indication of a lost packet or routing problems such as a routing loop.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Sites may elect to disable this ICMP message on the outbound interface to prevent releasing potentially value reconnaissance about the network topology.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/450.txt snort-2.9.2/doc/signatures/450.txt
--- snort-2.9.0.1/doc/signatures/450.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/450.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-450
-
---
-Summary:
-This event is generated when an ICMP "Time Exceeded" message is generated that has an invalid ICMP code.
-
---
-Impact:
-Informational. This may indicate that the ICMP message has been crafted.
-
---
-Detailed Information:
-An ICMP "Time Exceeded" message is issued when either the maximum number of hops has been exceeded or a timer has expired before all fragments have been received. The ICMP code value for this message should be 0 or 1. If a value of greater than 1 for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
-
---
-Affected Systems:
-This traffic should have no adverse impact.
-
---
-Attack Scenarios:
-An attacker may craft an ICMP "Time Exceeded" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
-
---
-Ease of Attack:
-Simple. There are many packages available to generate ICMP messages.
-
---
-False Positives:
-Although rare, it is possible to observe an ICMP "Time Exceeded" message with an ICMP code greater than 1 if it is generated by software that does not conform to standards.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-If a host or device in your network is generating this message, investigate why it does not have a standard ICMP code.
-
---
-Contributors:
-Original rule writer unknown.
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/451.txt snort-2.9.2/doc/signatures/451.txt
--- snort-2.9.0.1/doc/signatures/451.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/451.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-
-Sid:
-408
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Timestamp Reply in response to an ICMP Timestamp Request message.
-
---
-
-Impact:
-Information-gathering. An ICMP Timestamp Reply message is sent in response to an ICMP RTimestamp Request message. If the ICMP Timestamp Reply message reaches the requesting host it indicates that the replying host is alive.
-
---
-
-Detailed Information:
-ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams. This type of message is used to determine if a host is active on the network.
-
-If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 14 (timestamp) as an alternative.
-
---
-
-Attack Scenarios:
-A remote attacker may use ICMP Timestamp Request datagrams to determine active hosts on the network in prelude of further attacks.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to prevent ICMP Type 0 Code 8 messages from entering the network.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/452.txt snort-2.9.2/doc/signatures/452.txt
--- snort-2.9.0.1/doc/signatures/452.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/452.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-
-Sid:
-452
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Timestamp Reply with an invalid or undefined ICMP Code.
-
---
-
-Impact:
-Information-gathering. An ICMP Timestamp Reply message is sent in response to an ICMP Timestamp Request message. If the ICMP Timestamp Reply message reaches the requesting host it indicates that the replying host is alive. Most OS's (operating systems) will accept an ICMP Timestamp Reply message with an invalid or undefined ICMP code set as a valid ICMP Timestamp Reply.
-
---
-
-Detailed Information:
-ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Timestamp Reply datagrams. This type of message is used to determine if a host is active on the network.
-
-If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 14 (timestamp) as an alternative.
-
---
-
-Attack Scenarios:
-Remote attackers my generate ICMP Timestamp Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Timestamp Requests.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to prevent ICMP Type 0 messages from entering the network.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/453.txt snort-2.9.2/doc/signatures/453.txt
--- snort-2.9.0.1/doc/signatures/453.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/453.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-453
-
---
-Summary:
-This event is generated when an ICMP Timestamp request is made.
-
---
-Impact:
-Information gathering. An ICMP Timestamp request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules.
-
-If ICMP type 8 (echo) traffic is filtered at a firewall, and attacker may try to use type 13 (timestamp) as an alternative.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP Timestamp requests.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-Additional information by Steven Alexander
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/454.txt snort-2.9.2/doc/signatures/454.txt
--- snort-2.9.0.1/doc/signatures/454.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/454.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-454
-
---
-Summary:
-This event is generated when an ICMP Timestamp request is made with an invalid or undefined ICMP Code.
-
---
-Impact:
-Information gathering. An ICMP Timestamp request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP Timestamp request is used by the ping command to elicit an ICMP Timestamp reply from a listening live host. This rule alerts on a generic ICMP request where no payload is included in the message or the payload does not match more specific rules.
-
-If ICMP type 8 (echo) traffic is filtered at a firewall, an attacker may try to use type 13 (timestamp) as an alternative.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP Timestamp request may be used to legitimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP Timestamp requests.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-Additional information by Steven Alexander
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/456.txt snort-2.9.2/doc/signatures/456.txt
--- snort-2.9.0.1/doc/signatures/456.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/456.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-456
-
---
-Summary:
-This event is generated when an attempt is made to use ICMP as a
-reconnaisance tool.
-
---
-Impact:
-Can be used as a reconnaissance tool. Traceroute reveals information
-about the layout of a network.
-
---
-Detailed Information:
-There are at least three different implementations of traceroute. In
-one implementation traceroute works by sending an ICMP Echo Request
-packet to a destination host with a TTL value of 1. If the host is more
-than one hop away, the first route that receives the back will send back
-an ICMP packet indicating that the TTL was exceeded. The address of
-this router is then listed as the first hop. The packet is then sent
-out again with a TTL of 2. This continues until the destination host is
-able to reply or some maximum TTL value is reached.
-
-The other two implementations use the same TTL-based concept with an
-ICMP type of 30(traceroute) or with an UDP packet destined for an
-ephemeral port.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-
-Traceroute is often used against machines on a network prior to an
-attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP type 30 messages.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-Snort documentation contributed by by Steven Alexander
-
---
-Additional References:
-
-Miscellaneous
-http://www.faqs.org/rfcs/rfc1393.html
-
-
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/457.txt snort-2.9.2/doc/signatures/457.txt
--- snort-2.9.0.1/doc/signatures/457.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/457.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-457
-
---
-Summary:
-This event is generated when an ICMP type 14 is detected that does not
-include the necessary code in the packet.
-
-
---
-Impact:
-
-Can be used as a reconnaissance tool. Traceroute reveals information
-about the layout of a network.
-
---
-Detailed Information:
-There are at least three different implementations of traceroute. In
-one implementation traceroute works by sending an ICMP Echo Request
-packet to a destination host with a TTL value of 1. If the host is more
-than one hop away, the first route that receives the back will send back
-an ICMP packet indicating that the TTL was exceeded. The address of
-this router is then listed as the first hop. The packet is then sent
-out again with a TTL of 2. This continues until the destination host is
-able to reply or some maximum TTL value is reached.
-
-The other two implementations use the same TTL-based concept with an
-ICMP type of 30(traceroute) or with an UDP packet destined for an
-ephemeral port.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-
-Traceroute is often used against machines on a network prior to an
-attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP type 30 messages.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Judy Novak
-Nigel Houghton
-Snort documentation contributed by by Steven Alexander
-
---
-Additional References:
-
-Miscellaneous
-http://www.faqs.org/rfcs/rfc1393.html
-
-
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/458.txt snort-2.9.2/doc/signatures/458.txt
--- snort-2.9.0.1/doc/signatures/458.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/458.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-458
-
---
-
-Summary:
-This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 1 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/459.txt snort-2.9.2/doc/signatures/459.txt
--- snort-2.9.0.1/doc/signatures/459.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/459.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-459
-
---
-
-Summary:
-This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 1 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/460.txt snort-2.9.2/doc/signatures/460.txt
--- snort-2.9.0.1/doc/signatures/460.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/460.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-460
-
---
-
-Summary:
-This event is generated when an ICMP Type 2 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 2 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 2 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 2 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/461.txt snort-2.9.2/doc/signatures/461.txt
--- snort-2.9.0.1/doc/signatures/461.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/461.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-461
-
---
-
-Summary:
-This event is generated when an ICMP Type 2 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 2 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 2 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 2 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/462.txt snort-2.9.2/doc/signatures/462.txt
--- snort-2.9.0.1/doc/signatures/462.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/462.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-462
-
---
-
-Summary:
-This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 7 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 7 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/463.txt snort-2.9.2/doc/signatures/463.txt
--- snort-2.9.0.1/doc/signatures/463.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/463.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-463
-
---
-
-Summary:
-This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network.
-
---
-
-Impact:
-ICMP Type 7 datagrams are not currently used by any known devices.
-
---
-
-Detailed Information:
-ICMP Type 7 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
-
---
-
-Attack Scenarios:
-None known
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-Nigel Houghton
-
---
-
-Additional References:
-None
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/465.txt snort-2.9.2/doc/signatures/465.txt
--- snort-2.9.0.1/doc/signatures/465.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/465.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-465
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a host running the Internet Security Scanner tool.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Internet Security Scanner "pinger" software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-http://www.whitehats.com/info/IDS158
-
---
diff -Nru snort-2.9.0.1/doc/signatures/466.txt snort-2.9.2/doc/signatures/466.txt
--- snort-2.9.0.1/doc/signatures/466.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/466.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-466
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a host running the L3 "Retriever 1.5" security scanner.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running the L3 "Retriever 1.5" security scanner contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-http://www.whitehats.com/info/IDS311
-
---
diff -Nru snort-2.9.0.1/doc/signatures/467.txt snort-2.9.2/doc/signatures/467.txt
--- snort-2.9.0.1/doc/signatures/467.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/467.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-467
-
---
-Summary:
-This event is generated when an ICMP echo request is made from a host running Nemesis v1.1 software.
-
---
-Impact:
-Information gathering. An ICMP echo request can determine if a host is active.
-
---
-Detailed Information:
-An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a host running Nemesis v1.1 software contains a unique payload in the message request.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-An attacker may attempt to determine live hosts in a network prior to launching an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-An ICMP echo request may be used to legimately troubleshoot networking problems.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block inbound ICMP echo requests.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-http://www.whitehats.com/info/IDS449
-
---
diff -Nru snort-2.9.0.1/doc/signatures/469.txt snort-2.9.2/doc/signatures/469.txt
--- snort-2.9.0.1/doc/signatures/469.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/469.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,84 +0,0 @@
---
-Rule:
-
---
-Sid:
-469
-
---
-Summary:
-This event is generated when an ICMP ping typically generated by nmap is detected.
-
---
-Impact:
-This could indicate a full scan by nmap which is sometimes indicative of
-potentially malicious behavior.
-
---
-Detailed Information:
-Nmap's ICMP ping, by default, sends zero data as part of the ping.
-Nmap typically pings the host via icmp if the user has root
-privileges, and uses a tcp-ping otherwise.
-
---
-Attack Scenarios:
-As part of an information gathering attempt, an attacker may use nmap
-to see what hosts are alive on a given network. If nmap is used for
-portscanning as root, the icmp ping will occur by default unless the
-user specifies otherwise (via '-P0').
-
---
-Ease of Attack:
-Trivial. Nmap requires little or no skill to operate.
-
---
-False Positives:
-Possible. The only current identifying feature of nmap's ICMP ping is
-that the data size is 0. It is entirely possible that other tools may
-send icmp pings with zero data.
-
-Kontiki delivery manager used on windows platforms to download
-multimedia files is known to produce ICMP pings that can cause this
-rule to generate many events.
-
-avast! antivirus update feature is reported to produce ICMP pings with
-zero data when connecting to the avast servers. This can occur every 40
-seconds if no reply is received by the client.
-
-The avast! client attempts to ping one of the following servers:
-
-URL: http://www.asw.cz/iavs4pro
-IP: 195.70.130.34
-
-URL: http://www.avast.com/iavs4pro
-IP: 66.98.166.72
-
-URL: http://www.iavs.net/iavs4pro
-IP: 207.44.156.15
-
-URL: http://www.iavs.cz/iavs4pro
-IP: 62.168.45.69
-
---
-False Negatives:
-None currently.
-
---
-Corrective Action:
-If you detect other suspicous traffic from this host (i.e., a
-portscan), follow standard procedure to assess what threat this may
-pose. If you only detect the icmp ping, this may have simply been a
-'ping sweep' and may be ignored.
-
---
-Contributors:
-warchild@spoofed.org
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-www.insecure.org
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/471.txt snort-2.9.2/doc/signatures/471.txt
--- snort-2.9.0.1/doc/signatures/471.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/471.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-
-Sid:
-471
-
---
-
-Summary:
-This event is generated when Icmpenum v1.1.1 generates an ICMP datagram.
-
---
-
-Impact:
-ICMP echo requests are used to determine if a host is running at a
-specific IP address. A remote attacker can scan a large range of hosts
-using ICMP echo requests to determine what hosts are operational on the
-network.
-
---
-
-Detailed Information:
-Icmpenum v1.1.1 generates an ICMP Type 0 datagram with an ICMP ID of 666, an ICMP
-sequence number of 0, and an ICMP datagram size of 0.
-
---
-
-Attack Scenarios:
-A remote attacker might scan a large range of hosts using ICMP echo
-requests to determine what hosts are operational on the network.
-
---
-
-Ease of Attack:
-Simple. Packet generation tools can generate this type of ICMP packet
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-Packet generation tools can generate ICMP Echo requests with
-user-defined payloads that emulate this application.
-
---
-
-Corrective Action:
-To prevent information gathering, use ingress filtering to block
-incoming ICMP Type 8 Code 0 traffic.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-http://www.whitehats.com/info/IDS450
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/472.txt snort-2.9.2/doc/signatures/472.txt
--- snort-2.9.0.1/doc/signatures/472.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/472.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-
-Sid:
-472
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP Redirect for Host datagram.
-
---
-
-Impact:
-Redirect messages are normally an indication that a shorter route to a particular destination exists.
-
---
-
-Detailed Information:
-ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a gateway device receives an Internet datagram from a host on the same network a check is performed to determine the address of the next hop (gateway) in the route to the datagrams destination. The datagram is then forward to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP redirect message informs the original host that a shorter route exists and any additional traffic should be forwarded directly to the closer gateway device.
-
---
-
-Attack Scenarios:
-Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of ICMP datagram.
-
---
-
-False Positives:
-ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Ingress filtering should be utilized to block incoming ICMP Type 5 datagrams
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-RFC792
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/473.txt snort-2.9.2/doc/signatures/473.txt
--- snort-2.9.0.1/doc/signatures/473.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/473.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
-
---
-Sid:
-473
-
---
-Summary:
-This event is generated when an ICMP Redirect Network message was
-detected in network traffic.
-
---
-Impact:
-Unknown. Possible system crash, Denial of Service (DoS) for some
-embedded operating systems.
-
---
-Detailed Information:
-Several susceptible IP Stack implementations may result in the system
-hanging or crashing when malformed or corrupted ICMP Redirect Network
-(Type 5, Code 0) packets are sent to them. This vulnerability was first
-discovered in 1997.
-
-Under normal network conditions ICMP Redirect Network packets will occur
-in a number of situations. One such situation is when a host is on a
-subnet with more than one router. The host can only have one default
-gateway, and forwards all traffic for networks outside its own subnet to
-this gateway. If the default gateway detects that the gateway for this
-route is on the same subnet as the originating host, the default gateway
-forwards the packet onto this gateway and sends an ICMP Redirect Network
-to the originating host.
-
-This funtionality exists primarily to save network administrators from
-having to keep extensive routing tables on hosts, the host will remember
-the route learned from the ICMP Redirect Network message for a period of
-time, and will forward any traffic directly while it has the route in
-its cache.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-A malicious user may send corrupted ICMP Redirect Net messages to
-networks in an attempt to crash a system.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-Any ICMP Network Redirect will generate an event.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Patches for Microsoft Windows NT 4.0 were included in SP4, and also
-release as a post SP3 fix - teardrop2-fix. Fixes are also available for
-Windows 95 and various embedded systems.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft KB, Q154174
---
diff -Nru snort-2.9.0.1/doc/signatures/474.txt snort-2.9.2/doc/signatures/474.txt
--- snort-2.9.0.1/doc/signatures/474.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/474.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
---
-Sid:
-474
-
---
-Summary:
-This event is generated when an ICMP Echo Request from the Windows based
-scanner SuperScan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-SuperScan is a freely available Windows based scanner from Foundstone.
-The scanners default behavior is to send an ICMP Echo Request before
-starting the scan. This ICMP packet has a special payload of eight (8) bytes,
-consisting of the number zero (0).
-
-This scanner is fairly popular among Windows users.
-
---
-Affected Systems:
- All
-
---
-Attack Scenarios:
-SuperScan may be used as an information gathering tool to detect active hosts
-on a network by sending icmp echo requests.
-
---
-Ease of Attack:
-Simple. SuperScan is widely available.
-
---
-False Positives:
-Tools other than SuperScan may generate echo requests with the same content.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Johan Augustsson
- and Josh Gray
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Foundstone
-http://www.foundstone.com/
-
-McAfee:
-http://vil.nai.com/vil/content/v_103727.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/475.txt snort-2.9.2/doc/signatures/475.txt
--- snort-2.9.0.1/doc/signatures/475.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/475.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-
-Sid:
-475
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP datagram
-with Record Route IP options.
-
---
-
-Impact:
-Packets containing IP Record Route options are used to emulate the functionality
-of traceroute.
-
---
-
-Detailed Information:
-The Record Route IP option is used to store routing information about the
-path a datagram takes to its destination. ICMP ECHO packets with an IP header
-utilizing the Record Route option are used to emulate the functionality of
-traceroute.
-
---
-
-Attack Scenarios:
-A remote attacker may attempt to use the Record Route IP option to determine
-routing information if traceroute fails.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of datagram.
-
---
-
-False Positives:
-Network diagnostic tools may generate these types of datagrams.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to block incoming datagrams with the IP Record Route option.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-http://www.whitehats.com/info/IDS238
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/476.txt snort-2.9.2/doc/signatures/476.txt
--- snort-2.9.0.1/doc/signatures/476.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/476.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@
-Rule:
-
---
-
-Sid:
-476
-
---
-
-Summary:
-This event is generated when Webtrends Security Scanner generates an ICMP echo
-request message.
-
---
-
-Impact:
-ICMP echo requests are used to determine if a host is running at a
-specific IP address. A remote attacker can scan a large range of hosts
-using ICMP echo requests to determine what hosts are operational on the
-network.
-
---
-
-Detailed Information:
-Webtrends Ecurity Scanner generates a ICMP Echo Request message containing the
-following hex signature:
-
-|00000000454545454545454545454545|
-
-By searching for this string in a packet, it is possible to determine
-the type of host that generated the request.
-
---
-
-Attack Scenarios:
-A remote attacker might scan a large range of hosts using ICMP echo
-requests to determine what hosts are operational on the network.
-
---
-
-Ease of Attack:
-Simple. The "ping" utility found on most operating systems can generate
-these types of ICMP messages.
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-Packet generation tools can generate ICMP Echo requests with
-user-defined payloads. This could allow attackers to replace this
-signature with binary values and conceal their operating system.
-
---
-
-Corrective Action:
-To prevent information gathering, use a firewall to block incoming ICMP
-Type 8 Code 0 traffic.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-http://www.whitehats.com/info/IDS307
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/477.txt snort-2.9.2/doc/signatures/477.txt
--- snort-2.9.0.1/doc/signatures/477.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/477.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-
-Sid:
-477
-
---
-
-Summary:
-This event is generated when a network host generates an ICMP source quench
-datagram.
-
---
-
-Impact:
-ICMP source quench message are generated by gateway devices that no longer
-have the buffer space needed to queue datagrams for output to the next route.
-This could be an indication of a routing problem, network capacity problem,
-or on going Denial of Service attack.
-
---
-
-Detailed Information:
-ICMP source quench messasges are generated when a gateway device runs out
-of buffer space to process incoming network traffic. This is an informational
-message that is generated in an attempt to inform the remote host generating
-the traffic to limit the speed at which it is sending network traffic to
-the remote host.
-
---
-
-Attack Scenarios:
-Denial of Service. Attackers could potenially use ICMP source quench datagrams
-to rate limit a remote host that listens to unsolicited ICMP source quench
-datagrams.
-
---
-
-Ease of Attack:
-Numerous tools and scripts can generate this type of datagram.
-
---
-
-False Positives:
-Legitimate source quench datagrams will trigger this rule.
-
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Use ingress filtering to block incoming ICMP source quench datagrams.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-http://www.whitehats.com/info/IDS238
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/478.txt snort-2.9.2/doc/signatures/478.txt
--- snort-2.9.0.1/doc/signatures/478.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/478.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-
-Sid:
-478
-
---
-
-Summary:
-This event is generated when Broadscan Smurf Scanner generates an ICMP echo
-request message.
-
---
-
-Impact:
-ICMP echo requests are used to determine if a host is running at a
-specific IP address. A remote attacker can scan a large range of hosts
-using ICMP echo requests to determine what hosts are operational on the
-network.
-
---
-
-Detailed Information:
-The Broadscan Smurf Scanner generates an ICMP echo packet with a specific
-datagram signature.
-
---
-
-Attack Scenarios:
-A remote attacker might scan a large range of hosts using ICMP echo
-requests to determine what hosts are operational on the network.
-
---
-
-Ease of Attack:
-Simple. Packet generation tools can generate this type of ICMP packet
-
---
-
-False Positives:
-None known
-
---
-
-False Negatives:
-Packet generation tools can generate ICMP echo requests with
-user-defined payloads. This could allow attackers to replace this
-signature with binary values and conceal their operating system.
-
---
-
-Corrective Action:
-To prevent information gathering, use a firewall to block incoming ICMP
-Type 8 Code 0 traffic.
-
---
-
-Contributors:
-Original Rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski (matt.watchinski@sourcefire.com)
-
---
-
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/480.txt snort-2.9.2/doc/signatures/480.txt
--- snort-2.9.0.1/doc/signatures/480.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/480.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-480
-
---
-Summary:
-This event is generated when a benevolent ping used by SpeedEra.net to
-find the closest cache to a host is detected.
-
---
-Impact:
-Unknown.
-
---
-Detailed Information:
-After visiting certain speedera.net sites, several pings will be
-received by the host. These pings are sent so that speedera can find the
-closest cache to the host. This rule is intended to distinguish the
-usually benevolent speedera pings from normal, possibly malevolent pings.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-This is not really an attack. However an attacker could disguise their
-pings as speedera pings, but this is unlikely.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-None required.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Drew Hintz ( http://guh.nu )
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Linux Security:
-http://www.linuxsecurity.com/articles/firewalls_article-2064.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/481.txt snort-2.9.2/doc/signatures/481.txt
--- snort-2.9.0.1/doc/signatures/481.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/481.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -481 - --- -Summary: -This event is generated when an ICMP echo request is made from a Windows host running TJPingPro 1.1 Build 2 software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running TJPingPro 1.1 Build 2 software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS167 - --- diff -Nru snort-2.9.0.1/doc/signatures/482.txt snort-2.9.2/doc/signatures/482.txt --- snort-2.9.0.1/doc/signatures/482.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/482.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -482 - --- -Summary: -This event is generated when an ICMP echo request is made from a Windows host running Whatsup Gold software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Whatsup Gold software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS168 - --- diff -Nru snort-2.9.0.1/doc/signatures/483.txt snort-2.9.2/doc/signatures/483.txt --- snort-2.9.0.1/doc/signatures/483.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/483.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -483 - --- -Summary: -This event is generated when an ICMP echo request is made from a Windows host running CyberKit 2.2 software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running CyberKit 2.2 software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule written by Max Vision -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: -http://www.whitehats.com/info/IDS154 - --- diff -Nru snort-2.9.0.1/doc/signatures/484.txt snort-2.9.2/doc/signatures/484.txt --- snort-2.9.0.1/doc/signatures/484.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/484.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,51 +0,0 @@ -Rule: --- -Sid: -484 - --- -Summary: -This event is generated when an ICMP echo request is made from a host running Sniffer Pro/NetXRay software. - --- -Impact: -Information gathering. An ICMP echo request can determine if a host is active. - --- -Detailed Information: -An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Sniffer Pro/NetXRay software contains a unique payload in the message request. - --- -Affected Systems: -All - --- -Attack Scenarios: -An attacker may attempt to determine live hosts in a network prior to launching an attack. - --- -Ease of Attack: -Simple - --- -False Positives: -An ICMP echo request may be used to legimately troubleshoot networking problems. - --- -False Negatives: -None known. - --- -Corrective Action: -Block inbound ICMP echo requests. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/485.txt snort-2.9.2/doc/signatures/485.txt --- snort-2.9.0.1/doc/signatures/485.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/485.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -485 - --- -Summary: -This event is generated when a router was unable to forward a packet due -to filtering and used the Internet Control Message Protocol to alert -involved hosts. - --- -Impact: -Unknown. This particular message is meant only to be informative but can be -indicative of malicious activity (spoofed traffic, DoS). - --- -Detailed Information: -A packet sent between two points on a network was administratively -prohibited via filtering of some sort. The host or device performing the -filtering returned an ICMP message informing the apparent source host -that filtering had been done. - --- -Affected Systems: - All systems. - --- -Attack Scenarios: -In a DoS attack it is common to to use spoofed source addresses. If -and when the traffic gets filtered and an ICMP message is returned, -the spoofed source address will be the recipient of the ICMP message. -A similar situation may occur when a large portscan is occuring and an -attempt is made to mask the true source of the scan by using spoofed -source addresses. - --- -Ease of Attack: -Simple. Tools are readily available that can craft arbitrary ICMP -packets. It is also possible to spoof packets using arbitrary -addresses potentially causing intermediary routers to generate ICMP -messages. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -None needed unless messages become excessive or appear to be invalid. - -Determine what traffic caused this particular ICMP message to be -generated and act accordingly. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -RFC 1812: -ftp://ftp.isi.edu/in-notes/rfc1812.txt - --- diff -Nru snort-2.9.0.1/doc/signatures/486.txt snort-2.9.2/doc/signatures/486.txt --- snort-2.9.0.1/doc/signatures/486.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/486.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,67 +0,0 @@ -Rule: - --- - -Sid: -486 - --- - -Summary: -This event is generated when an ICMP destination unreachable -(Communication with Destination Host is Administratively Prohibited) -datagram is detected on the network. - --- - -Impact: -This message is generated when a datagram failed to traverse the -network. This could be an indication of routing or network problems. - --- - -Detailed Information: -This rule generates informational events about the network. Large -numbers of these messages on the network could indication routing -problems, faulty routing devices, or improperly configured hosts. - --- - -Attack Scenarios: -None known. - --- - -Ease of Attack: -Numerous tools and scripts can generate these types of ICMP datagrams. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -This rule detects informational network information, so no corrective -action is necessary. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None. - - --- diff -Nru snort-2.9.0.1/doc/signatures/487.txt snort-2.9.2/doc/signatures/487.txt --- snort-2.9.0.1/doc/signatures/487.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/487.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- - -Sid: -486 - --- - -Summary: -This event is generated when an ICMP destination unreachable -(Communication with Destination Host is Administratively Prohibited) -datagram is detected on the network. - --- - -Impact: -This message is generated when a datagram failed to traverse the -network. This could be an indication of routing or network problems. - --- - -Detailed Information: -This rule generates informational events about the network. Large -numbers of these messages on the network could indication routing -problems, faulty routing devices, or improperly configured hosts. - --- - -Attack Scenarios: -None known. - --- - -Ease of Attack: -Numerous tools and scripts can generate these types of ICMP datagrams. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -This rule detects informational network information, so no corrective -action is necessary. - --- - -Contributors: -Original Rule writer unknown -Sourcefire Research Team -Matthew Watchinski (matt.watchinski@sourcefire.com) - --- - -Additional References: -None. - - --- diff -Nru snort-2.9.0.1/doc/signatures/488.txt snort-2.9.2/doc/signatures/488.txt --- snort-2.9.0.1/doc/signatures/488.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/488.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -488 - --- -Summary: -This event is generated when a connection is closed from a resource -external to the protected network. - --- -Impact: -Unknown. - --- -Detailed Information: -This event indicates that an established connection has been closed -from a source external to the protected network. Since the external -connection port is 80, this is unusual behavior. It may be that an -attacker is using port 80 on the external machine to initiate a -connection to a machine on the protected network in an attempt to bypass -firewall protection. When this connection is terminated, this rule will -generate an event. - --- -Affected Systems: - All systems - --- -Attack Scenarios: -An attacker can use port 80 from a compromised machine to connect to -another compromised host in an attempt to bypass firewall restrictions -by imitating normal web traffic. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Investigate the host for signs of system compromise. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/489.txt snort-2.9.2/doc/signatures/489.txt --- snort-2.9.0.1/doc/signatures/489.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/489.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- - -Rule: --- -Sid: -489 - --- - -Summary: -This event is generated when an attempt is made to log into an ftp -server with an empty password. - --- - -Impact: -Possible unauthorized access, invalid login attempt. - --- - -Detailed Information: -An attempt was made to log into an ftp server with an empty password. -This is an unusual behavior as every ftp login usually has a password, -even anonymous ones. An empty password might mean the system was already -compromised and a username exists with no password. - --- - -Affected Systems: -Machines running ftp servers. - --- - -Attack Scenarios: -An attacker gains access to the system via a vulnerability, creates a -login without a password and then tries to ftp to the system with that -login. - --- - -Ease of Attack: -Simple, no exploit software required. - --- - -False Positives: -There might be legitimate users on the system with empty passwords, but -not very likely. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Check all the usernames on the system for empty passwords. - --- - -Contributors: -Original Rule Writer Max Vision -Snort documentation contributed by Chaos - --- - -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS322 - --- diff -Nru snort-2.9.0.1/doc/signatures/490.txt snort-2.9.2/doc/signatures/490.txt --- snort-2.9.0.1/doc/signatures/490.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/490.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -490 - --- - -Summary: -This event is generated when network traffic containing the string -BattleMail is observed. - --- - -Impact: -Unknown - --- - -Detailed Information: -Email communications containing the string "BattleMail" has been -detected in network traffic going to a mail server on the protected -network. This may indicate participation in an email gaming system by -the recipient. - --- - -Affected Systems: - All email servers - --- - -Attack Scenarios: -Not applicable - --- - -Ease of Attack: -Simple, no exploit software required. - --- - -False Positives: -None known - --- - -False Negatives: -None known. - --- - -Corrective Action: -Not applicable - --- - -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -Battlemail: -http://www.thaicybersoft.com/download/internet/e-mail/BattleMail/ - --- diff -Nru snort-2.9.0.1/doc/signatures/491.txt snort-2.9.2/doc/signatures/491.txt --- snort-2.9.0.1/doc/signatures/491.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/491.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: --- -Sid: -491 - --- -Summary: -This event is generated when a failed attempt to login to an FTP server -is detected. - --- -Impact: -Unknown. Multiple events may indicate an attempt to enumerate accounts -and passwords using brute force methodology. - --- -Detailed Information: -This event is generated when a failed attempt to login to an FTP server -is detected. - -Multiple events may indicate an attempt to enumerate accounts -and passwords using brute force methodology. - --- -Affected Systems: - All FTP Servers - --- -Attack Scenarios: - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Check FTP logs for access attempts. - -Disallow FTP access from sources external to the protected network. - -Consider using Secure Shell as a replacement for FTP services. - --- -Contributors: -Sourcefire Vulnerability Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -RFC: -http://www.faqs.org/rfcs/rfc959.html - --- diff -Nru snort-2.9.0.1/doc/signatures/492.txt snort-2.9.2/doc/signatures/492.txt --- snort-2.9.0.1/doc/signatures/492.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/492.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,102 +0,0 @@ -Rule: - --- - -Rule: --- -Sid: -492 - --- - -Summary: -This event is generated when an unsuccessful login attempt was made via telnet. - --- - -Impact: -Possible unauthorized access via password brute-forcing - -An attacker may have attempted to gain access to a valid user's account -via the telnet service, but did not succeed. The telnet service is -running, which uses insecure authentication mechanisms. - --- - -Detailed Information: -A user tried to log on to a system via telnet, but has been rejected, -either due to invalid username, password, or both. This could mean -someone is trying to log on without proper password (if there are -multiple unsuccessful logins) or they may have just mistyped the -username or the password. - -The telnet server typically runs on TCP port 23. Upon access to the -server, account access is granted based on an unencrypted user name and -password. Upon a failed login (resulting from either an invalid account -or an incorrect password), a login failure message will be returned. -This rule matches the common text "Login failed". - --- - -Affected Systems: -Any system running a telnet server. - --- - -Attack Scenarios: -Attackers can, particularly when armed with a valid account name, -attempt to use guessing attacks or brute-force means to gain access via -the telnet service. Many successive events of this type would likely be -indicative of such an attack. - -The use of a telnet server allows the passive attack of traffic -sniffing, which can extract a username and password from any valid -login. - --- - -Ease of Attack: -Simple. - -This event indicates it is possible to perform a brute-force attack; the -ease of such an attack is dependent upon the strength of passwords, and -rate-limiting techniques employed by the telnet server in question. - --- - -False Positives: -This event will match any badly-typed or -remembered password, and will -therefore generate a false positive. Look for rapid successive events. 
- --- - -False Negatives: -If a password is correctly guessed, no failure will be noted. - --- - -Corrective Action: -Check how many invalid attempts occurred, change the password of the -user that tried to log in. - -It is best to avoid using telnet whenever possible; its authentication -system is lacking, and encryption is generally unavailable. If your -telnet server can be configured to temporarily disable access after -rapid successive failures, it as advised that you do so. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos and Nick Black, Reflex Security -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -Telnet RFC: -http://www.faqs.org/rfcs/rfc854.html - --- diff -Nru snort-2.9.0.1/doc/signatures/493.txt snort-2.9.2/doc/signatures/493.txt --- snort-2.9.0.1/doc/signatures/493.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/493.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,66 +0,0 @@ -Rule: - --- -Sid: 493 - --- -Summary: -This event is generated when an attempt is made to access the psyBNC IRC -"bouncer". - --- -Impact: - - --- -Detailed Information: -The psyBNC IRC bouncer was designed to hold a connection to an IRC server. As part -of the connection process, a psyBNC server will respond with -"Welcome!psyBNC@lam3rz.de". - --- -Affected Systems: - All systems using psyBNC. - --- -Attack Scenarios: -The psyBNC server itself is not necessarily a risk in itself, but this may be a -violation of corporate policy. Furthermore, psyBNC has found it's way into a large number -of rootkits, both as an IRC bouncer and as remote control agent for dDOS networks. - --- -Ease of Attack: -Simple. Any user can install psyBNC. - --- -False Positives: -None Known - --- -False Negatives: -A modified psyBNC server will not respond with "Welcome!psyBNC@lam3rz.de" and could -easily evade this rule. - -SSL encryption between client and server is possible. - --- -Corrective Action: -Check the originating host IP and source port and investigate the possibility of a -listening psyBNC server and possible system comprimise. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - -psyBNC: -http://www.psychoid.lam3rz.de/ -http://www.psychoid.net/ - --- diff -Nru snort-2.9.0.1/doc/signatures/494.txt snort-2.9.2/doc/signatures/494.txt --- snort-2.9.0.1/doc/signatures/494.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/494.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,58 +0,0 @@ -Rule: - --- -Sid: 494 - --- -Summary: -This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell. - --- - -Impact: -Serious. An attacker may have the ability to execute commands remotely - --- -Detailed Information: -This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com). - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands. - --- - -Ease of Attack: -Simple. This post-attack behavior can accompany different attacks. - --- - -False Positives: -This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned. - --- -False Negatives: -None Known - --- -Corrective Action: -Investigate the web server for signs of compromise. - -Look for other IDS events involving the same IP addresses. 
- --- -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Microsoft Technet: -http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp - --- diff -Nru snort-2.9.0.1/doc/signatures/495.txt snort-2.9.2/doc/signatures/495.txt --- snort-2.9.0.1/doc/signatures/495.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/495.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: 495 - --- - -Summary: -This event is generated by an unsuccessful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell. - --- - -Impact: -Serious. An attacker may have the ability to execute commands remotely - --- -Detailed Information: -This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "Bad command or filename". For example, it is generated by the Windows operating system if the executable file to be run from the command line is not found. - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has tried to execute a command. Note that the source address of this event is actually -the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then tries to run other commands on the machine. - --- - -Ease of Attack: -Simple. This post-attack behavior can accompany different attacks. - --- - -False Positives: -This rule will generate an event if the string "Bad command -or filename" appears in the content distributed by a web server, in -which case the rule should be tuned. - --- -False Negatives: -None Known - --- -Corrective Action: -Investigate the web server for signs of compromise. - -Look for other IDS events involving the same IP addresses. - --- -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/496.txt snort-2.9.2/doc/signatures/496.txt --- snort-2.9.0.1/doc/signatures/496.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/496.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: 496 - --- -Summary: -This event is generated by the successful completion of a directory listing operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for listing directory contents. - --- -Impact: -Serious. An attacker may have the ability to execute commands remotely - --- -Detailed Information: -This event is generated when a standard Windows command for listing directories is executed. The string "Directory of" is typically shown in front of the directory listing on Windows NT/2000/XP. - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed at least one command to list the contents of a directory directory. Note that the source address of this event is actually -the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to look for interesting files on the compromised server via the "dir" command. - --- - -Ease of Attack: -Simple. This post-attack behavior can accompany different attacks. - --- - -False Positives: -This rule will generate an event if the string "Directory of" appears in the content distributed by a web server, in which case the rule should be tuned. - --- -False Negatives: -None Known - --- - -Corrective Action: -Investigate the web server for signs of compromise. - -Look for other IDS events involving the same IP addresses. 
- --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/497.txt snort-2.9.2/doc/signatures/497.txt --- snort-2.9.0.1/doc/signatures/497.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/497.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: 497 - --- -Summary: -This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files. - --- -Impact: -Serious. An attacker may have the ability to transfer files from the victim host. - --- -Detailed Information: -This event indicates that a file was successfully copied using Windows command line shell. The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command. - -Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker. - --- - -Attack Scenarios: -An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system. - --- - -Ease of Attack: -Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system. - --- - -False Positives: -None Known - --- -False Negatives: -None Known - --- - -Corrective Action: -Investigate the web server for other signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/498.txt snort-2.9.2/doc/signatures/498.txt --- snort-2.9.0.1/doc/signatures/498.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/498.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,82 +0,0 @@ -Rule: - --- -Sid: -498 - --- - -Summary: -This event is generated by the use of a UNIX "id" command. This may be -indicative of post-compromise behavior where the attacker is checking -for super user privileges gained by a sucessful exploit against a -vulnerable system. - --- -Impact: -Serious. An attacker may have gained super user access to the system. - --- -Detailed Information: -This event is generated when a UNIX "id" command is used to confirm the -user name of the currenly logged in user over an unencrypted connection. -This connection can either be a legitimate telnet connection or the -result of spawning a remote shell as a consequence of a successful -network exploit. - -The string "uid=0(root)" is an output of an "id" command indicating that -the user has "root" privileges. Seeing such a response indicates that -some user, connected over the network to a target server, has root privileges. - --- - -Attack Scenarios: -A buffer overflow exploit against an FTP server results in "/bin/sh" -being executed. An automated script performing an attack, checks for the -success of the exploit via an "id" command. - --- - -Ease of Attack: -Simple. This may be post-attack behavior and can be indicative of the -successful exploitation of a vulnerable system. - --- - -False Positives: -This rule will generate an event if a legitimate system administrator -executes the "id" command over an unencrypted connection to verify the -privilege level available to him. - -This rule may also generate event by viewing the documentation on -snort.org or any other security related web site which may contain -details on this issue. - -The web site www.bugtraq.org serves a non-standard HTTP header of the -form "X-Mandatory-Snort-Alert: *GOBBLE* uid=65534(nobody) uid=0(root)" -browsing this site will generate an event. 
- --- -False Negatives: -None Known - --- - -Corrective Action: -Ensure that this event was not generated by a legitimate session then -investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Anton Chuvakin -Sourcefire Research Team -Nigel Houghton -Additional false positive information contributed by Arnd Fischer - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/499.txt snort-2.9.2/doc/signatures/499.txt --- snort-2.9.0.1/doc/signatures/499.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/499.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: --- - -Sid: -499 - --- - -Summary: -This event is generated when a large ICMP packet is detected. Also known -as the "Ping of Death". - --- -Impact: -Denial of Service (DoS) by system crash or bandwidth utilisation. - --- -Detailed Information: -Some implementations of the IP stack may result in a system crash -or may hang when a large ICMP packet is sent to them. Alternatively -a large number of these packets may result in link saturation, -especially where bandwidth is limited. - -This attack was prevalent a number of years ago when the TCP/IP stack of -a number of operating systems could not handle large packet payloads. - --- -Affected Systems: - Multiple older systems. - --- -Attack Scenarios: -A malicious individual may send a series of large ICMP packets -to a host with the intention of either crashing or hanging the host, -or to saturate the available bandwidth. - --- -Ease of Attack: -Simple. - --- -False Positives: -A number of load balancing applications use 1500 byte ICMP packets to -determine the most efficent route to a host by measuring the latency -of multiple paths. - -HP-UX systems configured with PMTU discovery will send echo requests -in response to several types of network connections. PMTU Discovery -is enabled in HP-UX 10.30 and 11.0x by default. - -Windows 2000 uses large ICMP payloads to determine the speed of a link -when utilizing a Windows domain controller. - --- -False Negatives: -None Known - --- -Corrective Action: - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - -ICMP Traffic - Seth Stein -http://www.wfu.edu/~steinsj5/work/icmp.html - --- diff -Nru snort-2.9.0.1/doc/signatures/500.txt snort-2.9.2/doc/signatures/500.txt --- snort-2.9.0.1/doc/signatures/500.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/500.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -500 --- -Summary: -This event is generated when an IPv4 packet has the loose source record -route IP option set. --- -Impact: -Information could be gathered about network topology, and machines -routing packets onto trusted links could be abused. --- -Detailed Information: -Loose source record routing specifies a series of machines which must be -used in the routing of a datagram. This can be useful to map out routes -using the traceroute program by adding discovered intermediary routers -one at a time. Furthermore, while a machine may normally be unreachable -due to default gateways, a compliant router can be forced to hand off -source routed packets to an intermediary capable of speaking both to the -outside world and target machines; the packet may then be forwarded on -to its destination. --- -Affected Systems: -Any machine fully implementing RFC 791 set up as a router. --- -Attack Scenarios: -By incrementing the TTL of successive packets, the topology of routes to -a host can be determined. Each compliant node along the way will reply -with an ICMP Time Exceeded bearing their address and the recorded route. --- -Ease of Attack: -Tools are readily available to employ source routing for the purpose of -network discovery; the bounce attack described is unlikely to surface in -a properly configured network. --- -False Positives: -None known. --- -False Negatives: -Network discovery can be done using other means than source routing. --- -Corrective Action: -Redesign network topologies so that routers are kept to a minimum; -disable routing by other machines. To prevent network mapping, don't -allow source-routed packets at all. 
--- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Nick Black, Reflex Security --- -Additional References: - -IP RFC: -http://www.faqs.org/rfcs/rfc791.html - --- diff -Nru snort-2.9.0.1/doc/signatures/501.txt snort-2.9.2/doc/signatures/501.txt --- snort-2.9.0.1/doc/signatures/501.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/501.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -501 - --- -Summary: -This event is generated when a packet is discovered with loose source routing set in the IP options. - --- -Impact: -Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing. - --- -Detailed Information: -Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination. Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop. This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router. A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it. - --- -Affected Systems: -Unless loose source routing is disabled, all hosts can accept them. - --- -Attack Scenarios: -An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets. - --- -Ease of Attack: -Simple. - --- -False Positives: -This even will trigger if you allow loose source routed packets into your network. - --- -False Negatives: -None Known. - --- -Corrective Action: -Block all source routed (loose or strict) packets from entering your network. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/646 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909 - -Whitehats -www.whitehats.com/info/IDS470 - --- diff -Nru snort-2.9.0.1/doc/signatures/502.txt snort-2.9.2/doc/signatures/502.txt --- snort-2.9.0.1/doc/signatures/502.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/502.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,71 +0,0 @@ -Rule: - --- -Sid: -502 - --- -Summary: -This event is generated when an IPv4 packet set the strict source record -route IP option. - --- -Impact: -Information could be gathered about network topology, and machines -routing packets onto trusted links could be abused. - --- -Detailed Information: -Strict source record routing specifies a series of machines which must -be exclusively used in the routing of a datagram. This can be useful to -map out routes ala the traceroute program by adding discovered -intermediary routers one at a time. Furthermore, while a machine may -normally be unreachable due to default gateways, a compliant router can -be forced to hand off source routed packets to an intermediary capable -of speaking both to the outside world and target machines; the packet -may then be forwarded on to its destination. - --- -Affected Systems: -Any machine fully implementing RFC 791 set up as a router. - --- -Attack Scenarios: -By incrementing the TTL of successive packets, the topology of routes to -a host can be determined. Each compliant node along the way will reply -with an ICMP Time Exceeded bearing their address and the recorded route. - --- -Ease of Attack: -Tools are readily available to employ source routing for the purpose of -network discovery; the bounce attack described is unlikely to surface in -a properly configured network. - --- -False Positives: -None - --- -False Negatives: -Network discovery can be done using other means than source routing. - --- -Corrective Action: -Redesign network topologies so that routers are kept to a minimum; -disable routing by other machines. To prevent network mapping, don't -allow source-routed packets at all. 
- --- -Contributors: -Snort documentation contributed by by Nick Black, Reflex Security -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -IP RFC: -www.faqs.org/rfcs/rfc791.html - --- diff -Nru snort-2.9.0.1/doc/signatures/503.txt snort-2.9.2/doc/signatures/503.txt --- snort-2.9.0.1/doc/signatures/503.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/503.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -503 - --- -Summary: -This event is generated when possible non-legitimate traffic is detected -that should not be allowed through a firewall. - --- -Impact: -This can be used to pass through a poorly configured firewall. - --- -Detailed Information: -Traffic from port 20 is normally FTP traffic. Commands are passed to an -FTP server over port 21. In order to download files, a client tells the -FTP server to connect to the client on port 'X' where 'X' is a port -above 1023. The FTP server then connects to the client on the given -port using the source port of 20. Ports below 1024 are privileged, a -legitimate connection from an ftp server should always be to a port -above 1023. Some misconfigured firewalls may blindly allow connections -to any port from a source port of 20. - --- -Affected Systems: - -All - --- -Attack Scenarios: -An attacker could use a source port of 20 for TCP connections to bypass -a poorly configured firewall. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Connections from port 20 should only be allowed to ports >=1024. A -better solution would be block this traffic entirely and force FTP -clients inside the firewall to use PASV mode. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS06 - --- diff -Nru snort-2.9.0.1/doc/signatures/504.txt snort-2.9.2/doc/signatures/504.txt --- snort-2.9.0.1/doc/signatures/504.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/504.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -504 - --- -Summary: -This event is generated when possible non-legitimate traffic is detected -that should not be allowed through a firewall. - --- -Impact: -This can be used to pass through a poorly configured firewall. - --- -Detailed Information: - -Traffic from TCP port 53 is used by DNS servers for zone transfers. -Normal DNS traffic uses the UDP protocol. An attacker could use a TCP -source port of 53 to pass through a poorly configured firewall. DNS -traffic from port 53 using either UDP or TCP should be to a port above -1023. Ports 1023 and below are privileged. - --- -Affected Systems: - -All - --- -Attack Scenarios: -An attacker could use a source port of 53 for TCP connections to bypass -a poorly configured firewall. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Incoming connections from TCP port 53 should only be allowed to machines -that need the ability to do zone tranfers. - -Connections from TCP port 53 should only be allowed to ports >=1024 on -these machines. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Steven Alexander --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS07 - --- diff -Nru snort-2.9.0.1/doc/signatures/505.txt snort-2.9.2/doc/signatures/505.txt --- snort-2.9.0.1/doc/signatures/505.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/505.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -SID: -505 - --- -Summary: -This event is generated when an attempt is made to login to a Timbuktu server using an unencrypted link. - --- -Impact: -Serious. Unauthorized access to the server. - --- -Detailed information: -Looks at the initial hex code of a Timbuktu client login and captures the login and password combination. - -This is a poor security practice over the open internet and on untrusted network links. This is a Timbuktu login going over plaintext to the Timbuktu server. - -That means that anyone sniffing the wire can now use the login and password used to gain access to the Timbuktu server. - --- -Affected Systems: - Windows all versions - Mac OS 7.5.3 and later - --- -Attack Scenario: -An attacker can use a sniffer to gain the user login credentials and use the information to gain unauthorized access to the machine. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -Timbuktu may use a port other than 1417 - --- -Corrective Action: -Use Timbuktu over encrypted links or only on local LANs - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Jake Babbin - --- -References: - -Arachnids: -arachnids 229 - --- diff -Nru snort-2.9.0.1/doc/signatures/506.txt snort-2.9.2/doc/signatures/506.txt --- snort-2.9.0.1/doc/signatures/506.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/506.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -506 - --- -Summary: -This event is generated when the Ramen worm attempts to retrieve a copy of the worm from a host. - --- -Impact: -Severe. The Ramen worm is already on the host and is currently propagating from the source ip address. - --- -Detailed Information: -The Ramen worm is a set of exploits that uses synscan to grab banners before exploiting new hosts. - -It scans automatically for random class B IP addresses and attacks them if possible. Another feature is the automatic defacement of index(.htm/html) files. The exploits are used to attack vulnerable WuFTPd servers, vulnerable RPC services (statd format string exploit) or vulnerable LPRng services. The RPC statd exploit binds suid shell on port 39168 which is used for further host compromise. - --- -Affected Systems: -Various Linux systems - --- -Attack Scenarios: -The RPC, WuFTP or LPRng printer spooler service was vulnerable and attacked by Ramen worm. The host is then back-doored on port 39168 and propagates to other vulnerable hosts in a class B/C network. - --- -Ease of Attack: -Simple. 
This is Worm activity - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -- rm -rf /usr/src/.poop (it contains the worm files) -- rm -rf /tmp/ramen.tar.gz (Ramen worm files with exploits and shellscripts) -- Delete line "/user/src/.poop/start*.sh" in /etc/rc.d/rc.sysinit -- ps -Af | grep "asp" (Search PID of asp service port webserver) -- kill -9 %PID_you_just_saw% -- rm /sbin/asp (backdoor webserver, which binds to 27374) -- Service startup: - - Using Inetd (Redhat 6): remove line "asp stream tcp nowait root" form /etc/inetd.conf and restart inetd service - - Using XInet.d (Redhat 7): rm -rf /etc/xinet.d/asp -- Update /etc/hosts.deny because Ramen worm deletes the file or modifies it -- Check index(.htm/html) files since they may be modified by the worm -- Update WuFTPd server, NFS service, LPRng service -- Reboot the host - --- -Contributors: -Snort documentation contributed by Ueli Kistler, -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/507.txt snort-2.9.2/doc/signatures/507.txt --- snort-2.9.0.1/doc/signatures/507.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/507.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -507 - --- -Summary: -This event is generated when an attempt is made to gain administrative -rights to a PC running pcAnywhere - --- -Impact: -Serious. By the very nature of pcAnywhere, without a strong administrative -password, a successful attack will allow the attacker to gain total -control of the machine. - --- -Detailed Information: -pcAnywhere is a remote control administrative software package produced -by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) -it allows control of a system via network or RAS connection. - --- -Affected Systems: - Windows XP Home and Professional - Windows 2000 Professional/Server - Windows NT Workstation and Server 4.0 - Windows 98/Me - --- -Attack Scenarios: -With a copy of pcAnywhere, and attacker can scan a network (port 22) or -war-dial a series of modems, looking for pcAnywhere signatures. - --- -Ease of Attack: -Simple. All that is required is an install of pcAnywhere and a host -to connect to. - --- -False Positives: -Since pcAnywhere uses the same port as SSH (22) a simple open port scan -can show hosts that my not have pcAnywhere installed - --- -False Negatives: -None Known - --- -Corrective Action: -Make sure only servers and workstations that require remote control have -pcAnywhere installed. -Make sure that a strong password is required for any level of access, -this ideally should be coupled with some for of alternate -authentication, such as SecurID, modem callback or be blocked at the -external firewall so that the remote control functionality is only -available on the protected network. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Mike Rivett ebiz@rivett.org - --- -Additional References: -Symantec PC Anywhere Home Page -http://www.symantec.com/pcanywhere/Consumer/ - -RSA: -RSA SecurID (www.rsasecurity.com/products/securid/) - -Arachnids: -http://www.whitehats.com/info/IDS240 - --- diff -Nru snort-2.9.0.1/doc/signatures/508.txt snort-2.9.2/doc/signatures/508.txt --- snort-2.9.0.1/doc/signatures/508.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/508.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ -Rule: - --- -Sid: -508 - --- -Summary: -This event is generated when a Gopher server is used as a proxy to connect to an FTP server. - --- -Impact: -This allows a user to assume the source IP of the Gopher server when connecting to an FTP server. - --- -Detailed Information: -A Gopher server may support proxy connections to FTP servers. This allows a user to assume the source IP of the Gopher server when connecting to an FTP server. This may be used to bypass FTP access restrictions based on source IP's. - --- -Affected Systems: -Any Gopher server that supports proxy connections to FTP servers. - --- -Attack Scenarios: -A user who is normally restricted access to an FTP server based on the originating IP may attempt to circumvent this by attempting access from a Gopher server that supports proxy connections to FTP servers. - --- -Ease of Attack: -Simple. - --- -False Positives: -This even will trigger if a Gopher server suuports proxy connections to FTP servers. - --- -False Negatives: -None Known. - --- -Corrective Action: -Disable the use of Gopher server. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Whitehats -www.whitehats.com/info/IDS409 - --- diff -Nru snort-2.9.0.1/doc/signatures/509.txt snort-2.9.2/doc/signatures/509.txt --- snort-2.9.0.1/doc/signatures/509.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/509.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -509 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/510.txt snort-2.9.2/doc/signatures/510.txt --- snort-2.9.0.1/doc/signatures/510.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/510.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -510 - --- -Summary: -This event is generated when an attempt is made to change the message on -the LCD display on a JetDirect enabled HP printer. - --- -Impact: -User confusion and comedy, mostly. - --- -Detailed Information: -HP JetDirect printers allow remote machines to change the message that -is displayed on the LCD panel via the PJL command. This event indicates -that this command has been used in network traffic. - --- -Affected Systems: - HP JetDirect enabled printers - --- -Attack Scenarios: -As part of an attempt to confuse and annoy users, an attacker may -attempt to change the message displayed on the printers LCD screen. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Update to the latest JetDirect, and investigate the possibility of -restricting access to a central print-server using the "allow: -" directive in a printer config file. - -Disallow printer use from hosts outside the protected network. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/511.txt snort-2.9.2/doc/signatures/511.txt --- snort-2.9.0.1/doc/signatures/511.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/511.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -511 - --- -Summary: -This event is generated when an attempt is made to gain access to a PC -running pcAnywhere - --- -Impact: -Serious. By the very nature of pcAnywhere, without a strong administrative -password, a successful attack will allow the attacker to gain total -control of the machine. - --- -Detailed Information: -pcAnywhere is a remote control administrative software package produced -by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) -it allows control of a system via network or RAS connection. - --- -Affected Systems: - Windows XP Home and Professional - Windows 2000 Professional/Server - Windows NT Workstation and Server 4.0 - Windows 98/Me - --- -Attack Scenarios: -With a copy of pcAnywhere, and attacker can scan a network (port 22) or -war-dial a series of modems, looking for pcAnywhere signatures. - --- -Ease of Attack: -Simple. All that is required is an install of pcAnywhere and a host -to connect to. - --- -False Positives: -Since pcAnywhere uses the same port as SSH (22) a simple open port scan -can show hosts that my not have pcAnywhere installed - --- -False Negatives: -None Known - --- -Corrective Action: -Make sure only servers and workstations that require remote control have -pcAnywhere installed. -Make sure that a strong password is required for any level of access, -this ideally should be coupled with some for of alternate -authentication, such as SecurID, modem callback or be blocked at the -external firewall so that the remote control functionality is only -available on the protected network. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Mike Rivett ebiz@rivett.org - --- -Additional References: - -RSA: -RSA SecurID (www.rsasecurity.com/products/securid/) - -Arachnids: -http://www.whitehats.com/info/IDS240 - --- diff -Nru snort-2.9.0.1/doc/signatures/512.txt snort-2.9.2/doc/signatures/512.txt --- snort-2.9.0.1/doc/signatures/512.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/512.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -512 - --- -Summary: -This event is generated when an attempt is made to gain access to a PC -running pcAnywhere - --- -Impact: -Serious. By the very nature of pcAnywhere, without a strong administrative -password, a successful attack will allow the attacker to gain total -control of the machine. - --- -Detailed Information: -pcAnywhere is a remote control administrative software package produced -by Symantec (http://www.symantec.com/pcanywhere/Consumer/features.html) -it allows control of a system via network or RAS connection. - --- -Affected Systems: - Windows XP Home and Professional - Windows 2000 Professional/Server - Windows NT Workstation and Server 4.0 - Windows 98/Me - --- -Attack Scenarios: -With a copy of pcAnywhere, and attacker can scan a network (port 22) or -war-dial a series of modems, looking for pcAnywhere signatures. - --- -Ease of Attack: -Simple. All that is required is an install of pcAnywhere and a host -to connect to. - --- -False Positives: -Since pcAnywhere uses the same port as SSH (22) a simple open port scan -can show hosts that my not have pcAnywhere installed - --- -False Negatives: -None Known - --- -Corrective Action: -Make sure only servers and workstations that require remote control have -pcAnywhere installed. -Make sure that a strong password is required for any level of access, -this ideally should be coupled with some for of alternate -authentication, such as SecurID, modem callback or be blocked at the -external firewall so that the remote control functionality is only -available on the protected network. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Mike Rivett ebiz@rivett.org - --- -Additional References: -Symantec PC Anywhere Home Page -http://www.symantec.com/pcanywhere/Consumer/ - -RSA: -RSA SecurID (www.rsasecurity.com/products/securid/) - -Arachnids: -http://www.whitehats.com/info/IDS240 - --- diff -Nru snort-2.9.0.1/doc/signatures/513.txt snort-2.9.2/doc/signatures/513.txt --- snort-2.9.0.1/doc/signatures/513.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/513.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -513 - --- -Summary: -This event is generated when a Cisco Catalyst switch responds to an external connection that it is listening on the remote management port. - --- -Impact: -Denial of service. A successful connection to the remote management port may allow an attacker access to the switch. - --- -Detailed Information: -TCP port 7161 is the remote management port for Cisco Catalyst switches. A vulnerability exists that may allow a user to connect to this port on an affected switch and cause the supervisor module to reload, disabling service while in progress. - - --- -Affected Systems: -Cisco switches: - - The Catalyst 12xx family, running supervisor software versions up to and including 4.29. - - The Catalyst 29xx family (but not the Catalyst 2900XL), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502). - - The Catalyst 5xxx series (including the Catalyst 55xx family), running supervisor software versions up to and including 2.1(5), 2.1(501), and 2.1(502). - --- -Attack Scenarios: -An attacker can exploit a vulnerability associated with the remote management port of Cisco switches, causing a denial of service. - --- -Ease of Attack: -Unknown. - --- -False Positives: -This event is generated if any host on the internal network is listening on TCP port 7161 and responds to an external connection request. - --- -False Negatives: -None Known. - --- -Corrective Action: -Disable external access to the Cisco switch remote management port. 
- --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Whitehats -www.whitehats.com/info/IDS129 - -CVE -http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0430 - --- diff -Nru snort-2.9.0.1/doc/signatures/514.txt snort-2.9.2/doc/signatures/514.txt --- snort-2.9.0.1/doc/signatures/514.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/514.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,56 +0,0 @@ -Rule: - --- -Sid: -514 - --- -Summary: -This activity is a sign of a host that has been compromised by the ramen worm, which is attempting to retrieve the worm binaries from a remote system. - --- -Impact: -Severe; this host issued a request to a malicious web server to download the ramen worm binaries. After the binaries are downloaded, the compromised host acts as a scanner and could be used to attack other hosts. - --- -Detailed Information: -This rule looks for GET requests to a compromised webserver running on TCP port 27374. The compromised webserver serves up the ramen binaries required to continue the propagation of the malicious code. After the host is compromised, a random number generator selects IP address ranges to scan for other vulnerable hosts. The ramen worm is wide spread, and affects vulnerable Red Hat Linux 6.2 and 7.0 machines. The worm exploited well-known vulnerabilities in LPRng, rpc.statd, and wu-ftpd. - --- -Attack Scenarios: -This is a worm; after it is released, it self-propagates. Once a vulnerable machine is found, worm binaries are downloaded and the newly compromised machine becomes a scanning agent to further the worm's propagation. - --- -Ease of Attack: -Simple execution of worm code. - --- -False Positives: -None known - --- -False Negatives: -If the worm code is changed to contact a port other than 27374 tcp, then this rule would not catch the activity. - --- -Corrective Action: - --- -Contributors: -Original rule writer Max Vision -Sourcefire Research Team -Mike Poor - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS461 - -CIAC: -http://www.ciac.org/ciac/bulletins/l-040.shtml - -SANS: -http://www.sans.org/y2k/ramen.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/516.txt snort-2.9.2/doc/signatures/516.txt --- snort-2.9.0.1/doc/signatures/516.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/516.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,61 +0,0 @@ -Nigel - added new references to the rule and bumped up revision number. -Rule: - --- -Sid: -516 - --- -Summary: -This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host. - --- -Impact: -Reconnaissance. An attacker may obtain SMB usernames of the remote host. - --- -Detailed Information: -Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords. - --- -Affected Systems: -Hosts that run SMB and listen for SNMP requests. - --- -Attack Scenarios: -An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users. - --- -Ease of Attack: -A Nessus script exists to list current SMB users. - --- -False Positives: -None. - --- -False Negatives: -None Known. - --- -Corrective Action: -Block inbound SNMP traffic. - -Disable SNMP as a listening service on the remote host unless it is required. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS333 - -Nessus: -http://cgi.nessus.org/plugins/dump.php3?id=10546 - --- diff -Nru snort-2.9.0.1/doc/signatures/517.txt snort-2.9.2/doc/signatures/517.txt --- snort-2.9.0.1/doc/signatures/517.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/517.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -517 - --- -Summary: -This event is generated when an attempt is made to query the XDMCP -service. - --- -Impact: -Serious. Information disclosure. Unauthorized access to the system. - --- -Detailed Information: -An XDMCP query can provide a wealth of information about a host such as -a login screen, a list of users on the host, and to bypass access -control restrictions used by tcpwrapper and to bypass the restriction of -login by user "root" on the box. - --- -Affected Systems: - Any UNIX based server running XDMCP. - --- -Attack Scenarios: -An attacker can use this to find out information about the machine and -then either launch a specific attack or connect to the X windows server -using XDMCP. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disable XDMCP if not needed. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS476 - --- diff -Nru snort-2.9.0.1/doc/signatures/518.txt snort-2.9.2/doc/signatures/518.txt --- snort-2.9.0.1/doc/signatures/518.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/518.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@
-Rule:
-
---
-
-Sid:
-518
-
---
-
-Summary:
-This event is generated when a TFTP PUT request is made. This is an indication that someone is attempting to create or place a file on the server.
-
---
-
-Impact:
-A TFTP PUT requests allows a remote attacker to create, modify, or replace files on the server running TFTP. If the TFTP server allows anonymous TFTP PUT requests it could be possible to upload malicious files and payloads to the server.
-
---
-
-Detailed Information:
-This rule will generate an event on in-bound TFTP PUT requests. Attackers my use TFTP to upload and download files from a server that is properly or improperly configured. This could result in malicious payload being uploaded to the server or sensitive files being downloaded.
-
---
-
-Attack Scenarios:
-Attackers may use TFTP to upload and download files from server that are properly or improperly configured. Normally attackers attempt to locate TFTP servers using automated scanners and tools. Once a TFTP server is located an attempt to write files and get files from the TFTP server is made. Depending on the results of those tests attackers may attempt to further exploit that system, by overwriting system files or downloading password files to access the system.
-
---
-
-Ease of Attack:
-Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
-
---
-
-False Positives:
-Legitimate TFTP PUT requests for updating routers or other access devices may trigger this rule.
-
---
-
-False Negatives:
-None known
-
---
-
-Corrective Action:
-The TFTP server should be configured to only allow PUT requests from trusted locations.
-
---
-
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski Matt.Watchinski@sourcefire.com
-
---
-
-Additional References
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
-http://www.whitehats.com/info/IDS148
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/519.txt snort-2.9.2/doc/signatures/519.txt
--- snort-2.9.0.1/doc/signatures/519.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/519.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-519
-
---
-Summary:
-This event is generated when a TFTP request is made with a parent directory designation of "..". This may be an indication of an attempt to request or place files on the TFTP server outside the root directory configured for the TFTP server.
-
---
-Impact:
-TFTP servers that allow files to be placed outside the configured root directory for the server may allow remote attackers to execute arbitrary commands on the system. Additionally if the TFTP server allows directory transversal using the ".." designator it may be possible to retrieve files from other directories on the system.
-
---
-Detailed Information:
-This rule searches for ".." payload in TFTP requests. Vulnerable TFTP servers may allow remote attackers to transfer files to directories outside the normal root directory configured for the TFTP server. This could result in sensitive files being transfered off the system or arbitrary files being upload to the system.
-
---
-Attack Scenarios:
-Using the ".." designator it may be possible to fool vulnerable TFTP server into placing files or retrieving files from outside the TFTP configured root directory. Normally an attacker will attempt to retrieve sensitive system files such as "../../etc/passwd" or "../../shadow" after determining if this attack vector is successful.
-
---
-Ease of Attack:
-Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
-
---
-False Positives:
-None Known
-
---
-False Negatives
-None Known
-
---
-Corrective Action:
-Upgrade to the current version of your TFTP server solutation, or contact the product vendor for patch information.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski Matt.Watchinski@sourcefire.com
-
---
-Additional References
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
-
-Arachnids:
-http://www.whitehats.com/info/IDS137
-
---
diff -Nru snort-2.9.0.1/doc/signatures/520.txt snort-2.9.2/doc/signatures/520.txt
--- snort-2.9.0.1/doc/signatures/520.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/520.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
-
---
-Sid:
-520
-
---
-Summary:
-This event is generated when a TFTP request is made with a directory designation of "/". This may be an indication of an attempt to request or place files on the TFTP server outside the root directory configured for the TFTP server.
-
---
-Impact:
-TFTP servers that allow files to be placed outside the configured root directory for the server may allow remote attackers to execute arbitrary commands on the system. Additionally if the TFTP server allows directory transversal using the "/" designator it may be possible to retrieve files from other directories on the system.
-
---
-Detailed Information:
-This rule searches for a "/" payload in TFTP requests. Vulnerable TFTP servers may allow remote attackers to transfer files to directories outside the normal root directory configured for the TFTP server. This could result in sensitive files being transfered off the system or arbitrary files being upload to the system.
-
---
-Attack Scenarios:
-Using the "/" designator it may be possible to fool vulnerable TFTP server into placing files or retrieving files from outside the TFTP configured root directory. Normally an attacker will attempt to retrieve sensitive system files such as "/etc/passwd" or "/etc/shadow" after determining if this attack vector is successful.
-
---
-Ease of Attack:
-Simple: Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.
-
---
-False Positives:
-None Known
-
---
-False Negatives
-None Known
-
---
-Corrective Action:
-Upgrade to the current version of your TFTP server solution, or contact the product vendor for patch information.
-
-Contributers:
-Original rule writer unknown
-Sourcefire Research Team
-Matthew Watchinski Matt.Watchinski@sourcefire.com
-
-Additional References
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183
-
-Arachnids:
-http://www.whitehats.com/info/IDS138
-
---
diff -Nru snort-2.9.0.1/doc/signatures/521.txt snort-2.9.2/doc/signatures/521.txt
--- snort-2.9.0.1/doc/signatures/521.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/521.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
---
-Sid:
-521
-
---
-Summary:
-This event is generated when an overly large UDP packet is observed.
-
---
-Impact:
-Possible denial of service. UDP packet payloads are typically smaller than 4000 bytes. One possible explanation of a payload of greater than 4000 bytes is an attempted denial of service.
-
---
-Detailed Information:
-UDP payloads are typically smaller than 4000 bytes since the UDP protocol is intended to be used for the transmission of smaller payloads. When a large payload is observed, it may be a sign or anomalous activity, perhaps an attempted denial of service against the remote host.
-
---
-Affected Systems:
-Any system that listens for a UDP service.
-
---
-Attack Scenarios:
-An attacker may craft large UDP payloads in an attempt to cause a denial of service against a remote host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-There may be UDP services offered that naturally support large payload sizes.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Allow only known UDP protocols inbound.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS521
-
---
diff -Nru snort-2.9.0.1/doc/signatures/522.txt snort-2.9.2/doc/signatures/522.txt
--- snort-2.9.0.1/doc/signatures/522.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/522.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,86 +0,0 @@
-Rule:
-
---
-Sid:
-522
-
---
-Summary:
-This event is generated when an IPv4 fragment of dubiously small nature
-was detected.
-
---
-Impact:
-Many IDSes are known to have issues regarding the reassembly of IP
-fragments, and could miss an attack carried over such means. Firewalls
-suffer from the same issues, and can be tricked into allowing packets
-through that should normally be rejected. Furthermore, there is a small
-history of OS issues related to unorthodox fragmentation.
-
---
-Detailed Information:
-IPv4 manages to adapt to various link layer protocols on a route via the
-fragmentation mechanism outlined in its RFC. A router connecting two
-carrying media of varying MTU (Maximum Transmission Unit) can fragment
-packets of size too large to transmit on one wire before dispatch. When
-datagrams stay within one MTU, the maximum packet sizes possible can be
-used without fragmentation, thus pairing flexibility with efficiency.
-
-Historically, handling of fragmentation has been less than stellar in
-both IP stacks and the IDS systems designed to protect them. While the
-limited number of attacks based on fragmentation are easily picked up by
-anomaly- or signature-based system, IDSes which fail to properly
-reassemble fragments can miss any attack which is so fragmented.
-Firewalls have often proved susceptible to fragmented TCP or UDP
-headers, allowing traffic which should have been filtered to pass
-through.
-
---
-Affected Systems:
-Any IDS/firewall lacking proper IPv4 fragment reassembly.
-
---
-Attack Scenarios:
-An attacker may pass a fragment containing a TCP/UDP header which is
-allowed to pass through a firewall, then follow this up with a fragment
-which overwrites the previous headers, but is allowed due to poor
-connection tracking.
-
-An attacker may fragment an exploit, so that it is not detected by IPS
-nor filtered by IPS products.
-
---
-Ease of Attack:
-Tools have been written to trivially fragment traffic; Dug Song's
-fragrouter program is a well-known example.
-
---
-False Positives:
-It is unlikely that such a fragment would be seen in standard use of
-IPv4; while the last fragment in a series is typically smaller than the
-others, this signature explicilty matches the More Fragments bit.
-Nonetheless, a pedantic reading of the IPv4 RFC allows this, so long as
-the data length is a multiple of 8.
-
---
-False Negatives:
-Attacks may still be fragmented into larger chunks.
-
---
-Corrective Action:
-None
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Nick Black, Reflex Security
-
---
-Additional References:
-
-IPv4 RFC:
-http://www.faqs.org/rfcs/rfc791.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/523.txt snort-2.9.2/doc/signatures/523.txt
--- snort-2.9.0.1/doc/signatures/523.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/523.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 523
-
---
-Summary:
-This event is generated when packets on the network have the reserved
-bit set.
-
---
-Impact:
-Possible prelude to system compromise.
-
---
-Detailed Information:
-Under normal circumstances IP packets do not use the reserved bit.
-
-This may be an indicator of the use of the reserved bit by a malicious
-user to instigate covert channel communications.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- All
-
---
-Attack Scenarios:
-The attacker may send specially crafted packets with the reserved bit
-set.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Use a packet filtering device to reject packets with this bit set.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/524.txt snort-2.9.2/doc/signatures/524.txt
--- snort-2.9.0.1/doc/signatures/524.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/524.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 524
-
---
-Summary:
-This event is generated when TCP traffic to port 0 is detected. This
-should not be seen in normal TCP communications.
-
---
-Impact:
-Possible reconnaisance. This may be an attempt to verify the existance
-of a host or hosts at a particular address or address range.
-
---
-Detailed Information:
-TCP traffic to port 0 is not valid under normal circumstances.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker could send packets to a host with a destination port of 0.
-The attacker might also be using hping to verify the existance of a host
-as a prelude to an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow TCP traffic to port 0.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/525.txt snort-2.9.2/doc/signatures/525.txt
--- snort-2.9.0.1/doc/signatures/525.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/525.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid: 525
-
---
-Summary:
-This event is generated when UDP traffic to port 0 is detected. This
-should not be seen in normal UDP communications.
-
---
-Impact:
-Denial of Service against Checkpoint Firewall 1 devices. Possible
-reconnaisance. This may be an attempt to verify the existance
-of a host or hosts at a particular address or address range.
-
---
-Detailed Information:
-UDP traffic to port 0 is not valid under normal circumstances.
-
-Certain versions of Checkpoints Firewall 1 are subject to a Denial of
-Service attack when UDP packets to port 0 are sent via VPN-1.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker could send packets to a host with a destination port of 0.
-The attacker might also be using hping to verify the existance of a host
-as a prelude to an attack.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow UDP traffic to port 0.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0675
-
---
diff -Nru snort-2.9.0.1/doc/signatures/526.txt snort-2.9.2/doc/signatures/526.txt
--- snort-2.9.0.1/doc/signatures/526.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/526.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 526
-
---
-Summary:
-This event is generated when SYN packets contain data greater than what
-is normally expected.
-
---
-Impact:
-Possible Denial of Service attack (DoS) or IDS evasion.
-
---
-Detailed Information:
-Under normal circumstances TCP SYN packets are exchanged between hosts
-to synchronize the TCP sequence numbers in a transaction. A SYN packet
-with a datagram size larger than 6 bytes may be an indication of a
-Denial of Service attack or an attempt to evade IDS.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker would need to send specially crafted packets with the SYN
-flag set with a datagram size larger than 6 bytes. This may be achieved
-using a script or tool.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/incident_notes/IN-99-07.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/527.txt snort-2.9.2/doc/signatures/527.txt
--- snort-2.9.0.1/doc/signatures/527.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/527.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid: 527
-
---
-Summary:
-This event is generated when traffic on the network is using the same
-source and destination IP address.
-
---
-Impact:
-Possible Denial of Service.
-
---
-Detailed Information:
-Under normal circumstances traffic to and from the same IP address
-should not be seen on the network. This may be an indicator for the Land
-attack tool.
-
-Some TCP/IP stacks hang or even crash when presented with a TCP SYN
-packet containing the same source and destination IP address. Some
-target hosts will crash others will be temporarily disabled.
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
-A packet that has the same source and destination IP addresses directed to TCP
-port 7007 or 7778 can cause a denial of service for Windows Media Station or
-Windows Media Monitor on Windows 2000 hosts SP2, SP3, SP4 running Windows Media
-services 4.0 or 4.1 will also generate an event from this rule.
-
---
-Affected Systems:
- Multiple systems from multiple vendors.
-
---
-Attack Scenarios:
-The attacker may send traffic from a spoofed source address, in this
-case the victims IP address.
-
-The attacker may be using the Land attack tool.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Employ egress filtering at the border router or firewall.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-Judy Novak
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/rr/firewall/egress.php
-
-CERT:
-http://www.cert.org/advisories/CA-1997-28.html
-
-Bugtraq:
-http://www.securityfocus.com/bid/9825
-
---
diff -Nru snort-2.9.0.1/doc/signatures/528.txt snort-2.9.2/doc/signatures/528.txt
--- snort-2.9.0.1/doc/signatures/528.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/528.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 528
-
---
-Summary:
-This event is generated when loopback traffic is seen on the network.
-
---
-Impact:
-Possible reconnaisance.
-
---
-Detailed Information:
-Under normal circumstances traffic to the localhost (127.0.0.0/8) should
-only be seen on the loopback interface (lo0).
-
-an indicator of unauthorized network use, reconnaisance activity or
-system compromise. These rules may also generate an event due to
-improperly configured network devices.
-
---
-Affected Systems:
- Any
-
---
-Attack Scenarios:
-The attacker may send traffic from a spoofed source address, in this
-case the localhost.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Employ egress filtering at the firewall.
-
---
-Contributors:
-Original rule writer unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-SANS:
-http://www.sans.org/rr/firewall/egress.php
-
---
diff -Nru snort-2.9.0.1/doc/signatures/529.txt snort-2.9.2/doc/signatures/529.txt
--- snort-2.9.0.1/doc/signatures/529.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/529.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-529
-
---
-Summary:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack against a host using the RFPoison tool.
-
---
-Impact:
-Serious. Denial of Service.
-
---
-Detailed Information:
-The Microsoft Local Security Authority (LSA) service does not handle
-certain malformed requests correctly. This service allows for the
-manipulation of user privileges on the host. A specially crafted
-malformed request sent to the LSA service will cause the system to
-become unresponsive.
-
---
-Affected Systems:
- Microsoft Windows NT Workstation
- Microsoft Windows NT Server
- Microsoft Windows NT Terminal Server
-
---
-Attack Scenarios:
-An attacker can use the RFPoison tool against a host to generate the
-request necessary to cause the DoS.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-RFP:
-http://www.wiretrip.net/rfp/txt/rfp9906.txt
-
-Microsoft:
-http://support.microsoft.com/support/kb/articles/Q231/4/57.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/530.txt snort-2.9.2/doc/signatures/530.txt
--- snort-2.9.0.1/doc/signatures/530.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/530.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-530
-
---
-Summary:
-This event is generated when an attacker sends a blank username and blank password in an attempt to connect to the IPC$ (Interprocess Communication) pipe.
-
---
-Impact:
-Information gathering. This attack can permit the disclosure of sensitive information about the target host.
-
---
-Detailed Information:
-Null sessions allow browsing of Windows hosts by the "Network Neighborhood" and other functions. A Null session permits access to a host using a blank user name and password. At attacker may attempt to perform a Null session connection, disclosing sensitive information about the target host such as available shares and user names.
-
---
-Affected Systems:
-Microsoft Windows hosts
-
---
-
-Attack Scenarios:
-An attacker can send a blank username and blank password to try to connect to the IPC$ hidden share on the target computer.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-Null sessions may be used by legitimate processes in the same Windows domain.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-On Windows NT, 2000, XP set the registry key /System/CurrentControlSet/Control/LSA/RestrictAnonymous value to 1.
-
---
-Contributors:
-Original rule written by Ian Viket
-Documented by Nawapong Nakjang
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids
-http://www.whitehats.com/info/IDS204
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0519
-
---
diff -Nru snort-2.9.0.1/doc/signatures/532.txt snort-2.9.2/doc/signatures/532.txt
--- snort-2.9.0.1/doc/signatures/532.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/532.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-532
-
---
-Summary:
-This event is generated when an attempt is made to access an administrative share on a Windows machine.
-
---
-Impact:
-Serious. Possible administrator access on the victim machine.
-
---
-Detailed Information:
-This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB.
-
-This is a poor security practice or an indication that a machine is being accessed remotely.
-
---
-Affected Systems:
- Windows 9x
- Windows 2000
- Windows XP
-
---
-Attack Scenario:
-This can be accessed from GUI "map network drive" remotely
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use a packet filtering firewall to disallow Netbios access from the unprotected network.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Jake Babbin
-
---
-References:
-
-arachnids 340
-
---
diff -Nru snort-2.9.0.1/doc/signatures/533.txt snort-2.9.2/doc/signatures/533.txt
--- snort-2.9.0.1/doc/signatures/533.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/533.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-533
-
---
-Summary:
-This event is generated when an attempt is made to access the C$ default
-administrative share of a Windows host.
-
---
-Impact:
-Serious. Possible administrator access to the host. Information
-disclosure.
-
---
-Detailed Information:
-By default, Windows hosts have default administrative shares of the
-local hard drives using the format %DRIVE_LETTER% + $. Anybody with
-administrative rights can remotely access the share.
-
---
-Affected Systems:
- Windows hosts.
-
---
-Attack Scenarios:
-An attacker may be attempting to access files located on the C drive of
-the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow Netbios access from external networks (tcp port 139).
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS339
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
-
---
diff -Nru snort-2.9.0.1/doc/signatures/534.txt snort-2.9.2/doc/signatures/534.txt
--- snort-2.9.0.1/doc/signatures/534.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/534.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-534
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/535.txt snort-2.9.2/doc/signatures/535.txt
--- snort-2.9.0.1/doc/signatures/535.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/535.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-535
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/536.txt snort-2.9.2/doc/signatures/536.txt
--- snort-2.9.0.1/doc/signatures/536.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/536.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-536
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/537.txt snort-2.9.2/doc/signatures/537.txt
--- snort-2.9.0.1/doc/signatures/537.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/537.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-537
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/538.txt snort-2.9.2/doc/signatures/538.txt
--- snort-2.9.0.1/doc/signatures/538.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/538.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-538
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/539.txt snort-2.9.2/doc/signatures/539.txt
--- snort-2.9.0.1/doc/signatures/539.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/539.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-539
-
---
-Summary:
-This event is generated when an attempt is made to gain access to
-private resources using Samba.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use Samba to gain
-access to private or administrative shares on a host.
-
---
-Affected Systems:
- All systems using Samba for file sharing.
- All systems using file and print sharing for Windows.
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-direct access to Windows adminsitrative shares.
-
---
-Ease of Attack:
-Simple. Exploit software is not required.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Check the host logfiles and application logs for signs of compromise.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/540.txt snort-2.9.2/doc/signatures/540.txt
--- snort-2.9.0.1/doc/signatures/540.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/540.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 540
-
---
-Summary:
-This event is generated when activity relating to network chat clients is detected.
-
---
-Impact:
-Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
-
---
-Detailed Information:
-Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
-
-Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
-
-An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-MSN Protocol
-http://www.hypothetic.org/docs/msn/
-Devarticles
-http://www.devarticles.com/index2.php?option=content&task=view&id=225&pop=1&hide_ads=1&page=1
-MSN Messenger Protocol
-http://www.venkydude.com/articles/msn.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/541.txt snort-2.9.2/doc/signatures/541.txt
--- snort-2.9.0.1/doc/signatures/541.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/541.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,51 +0,0 @@
-Rule:
-
---
-Sid: 541
-
---
-Summary:
-This event is generated when activity relating to network chat clients is detected.
-
---
-Impact:
-Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
-
---
-Detailed Information:
-Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
-
-Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
-
-An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/542.txt snort-2.9.2/doc/signatures/542.txt
--- snort-2.9.0.1/doc/signatures/542.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/542.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-542
-
---
-Summary:
-This event is generated when activity relating to network chat clients
-is detected.
-
---
-Impact:
-Policy Violation. Use of chat clients to communicate with unkown
-external sources may be against the policy of many organizations.
-
---
-Detailed Information:
-Instant Messaging (IM) and other chat related client software can allow
-users to transfer files directly between hosts. This can allow malicious
-users to circumvent the protection offered by a network firewall.
-
-Vulnerabilities in these clients may also allow remote attackers to gain
-unauthorized access to a host.
-
-This event indicates that an IRC nickname change has been made from a
-client originating from the protected network to an IRC server external
-to the protected network.
-
---
-Attack Scenarios:
-A user may transfer sensitive company information to an external party
-using the file transfer capabilities of an IM client.
-
-An attacker might utilize a vulnerability in an IM client to gain access
-to a host, then upload a Trojan Horse program to gain control of that
-host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disallow the use of IM clients on the protected network and enforce or
-implement an organization wide policy on the use of IM clients.
-
---
-Contributors:
-Sourcefire Vulnerability Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-IRC Protocol:
-http://www.irchelp.org/irchelp/rfc/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/543.txt snort-2.9.2/doc/signatures/543.txt
--- snort-2.9.0.1/doc/signatures/543.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/543.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-543
-
---
-Summary:
-This event is generated when an attempt is made to store a file named
-"1mb" on an ftp server.
-
---
-Impact:
-Possible abuse ftp behavior by hordes of warez sites, and the
-existance of (potentially) illegal files/software on an ftp server.
-
---
-Detailed Information:
-Warez sites have been known to name "warez" files by their size. Large
-files are split into smaller, more manageable chunks, and allow warez
-sites to store large files on ftp sites in a semi-organized manner.
-
---
-Affected Systems:
- All FTP servers
-
---
-Attack Scenarios:
-As part of an attempt to store elite warez on an ftp server, an
-attacker named the file "1mb" to indicate it's size. This file is
-likely part of an archive that represents a larger, most likely
-illegal copy of media.
-
---
-Ease of Attack:
-Simple. Exploit software is not required
-
---
-False Positives:
-If a legitimate user has a legitimate file named "1mb", this rule may
-generate an event.
-
---
-False Negatives:
-This will detect only files named 1mb. If a warez site decides to
-start naming their files in a different way this rule will not generate
-an event.
-
---
-Corrective Action:
-Inspect the ftp server for a file named 1mb. If it exists, determine
-if the file is legitimate, or if it was deposited by someone attempting
-to use the server to distribute non-legitimate files.
-
-Furthermore, evaluate the need for ftp write access.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/544.txt snort-2.9.2/doc/signatures/544.txt
--- snort-2.9.0.1/doc/signatures/544.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/544.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-544
-
---
-Summary:
-This event is generated when an attempt is made to retrieve a file named
-"1mb" from an ftp server.
-
---
-Impact:
-Possible abuse ftp behavior by hordes of warez sites, and the
-existance of (potentially) illegal files/software on an ftp server.
-
---
-Detailed Information:
-Warez sites have been known to name "warez" files by their size. Large
-files are split into smaller, more manageable chunks, and allow warez
-sites to store large files on ftp sites in a semi-organized manner.
-Once these files are uploaded, it is common practice for other warez
-users to attempt to retrieve them.
-
---
-Affected Systems:
- All FTP servers
-
---
-Attack Scenarios:
-As part of an attempt to store elite warez on an ftp server, an
-attacker named the file "1mb" to indicate it's size. This file is
-likely part of an archive that represents a larger, most likely
-illegal copy of media.
-
---
-Ease of Attack:
-Simple. Exploit software is not required
-
---
-False Positives:
-If a legitimate user has a legitimate file named "1mb", this rule may
-generate an event.
-
---
-False Negatives:
-This will detect only files named 1mb. If a warez site decides to
-start naming their files in a different way this rule will not generate
-an event.
-
---
-Corrective Action:
-Inspect the ftp server for a file named 1mb. If it exists, determine
-if the file is legitimate, or if it was deposited by someone attempting
-to use the server to distribute non-legitimate files.
-
-Furthermore, evaluate the need for ftp write access.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/545.txt snort-2.9.2/doc/signatures/545.txt
--- snort-2.9.0.1/doc/signatures/545.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/545.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-545
-
---
-Summary:
-This event is generated when an attempt is made to navigate in an FTP sessions to a hidden directory named "/ ".
-
---
-Impact:
-Unauthorized file storage. An attacker may attempt to navigate on an FTP server to the "/ " directory to list or store unauthorized files such as unlicensed software.
-
---
-Detailed Information:
-An attacker may attempt to hide unauthorized files in a hidden directory named "/ ". This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
-
---
-Affected Systems:
-FTP servers
-
---
-Attack Scenarios:
-An attacker may navigate to the hidden directory named "/ " to list or store unauthorized files.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-It is remotely possible that an authorized directory exists named "/ ".
-
---
-False Negatives:
-Hidden directories other than those named "/ " may be used to store "warez" files.
-
---
-Corrective Action:
-Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
-
-Regularly monitor directories for sudden or drastic increased use of space.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/546.txt snort-2.9.2/doc/signatures/546.txt
--- snort-2.9.0.1/doc/signatures/546.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/546.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-546
-
---
-Summary:
-This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space.
-
---
-Impact:
-Unauthorized file storage. An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software.
-
---
-Detailed Information:
-An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space. This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
-
---
-Affected Systems:
-FTP servers
-
---
-Attack Scenarios:
-An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-It is remotely possible that an authorized directory exists with a name that begins with a space.
-
---
-False Negatives:
-Hidden directories other than those with names that begin with a space may be used to store "warez" files.
-
---
-Corrective Action:
-Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
-
-Regularly monitor directories for sudden or drastic increased use of space.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/547.txt snort-2.9.2/doc/signatures/547.txt
--- snort-2.9.0.1/doc/signatures/547.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/547.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-547
-
---
-Summary:
-This event is generated when an attempt is made to create a directory name that begins with a space on an FTP server.
-
---
-Impact:
-Unauthorized file storage. An attacker may attempt to create a directory name that begins with a space on an FTP server, possibly in preparation to store unauthorized files.
-
-
---
-Detailed Information:
-An attacker may attempt to create a hidden directory name that begins with a space on an FTP server . This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
-
-
---
-Affected Systems:
-FTP servers
-
---
-Attack Scenarios:
-An attacker may attempt to create a hidden directory name that begins with a space to store unauthorized files.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-Hidden directories other than those with a name that begins with a space may be created to store "warez" files.
-
---
-Corrective Action:
-Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
-
-Regularly monitor directories for sudden or drastic increased use of space.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/548.txt snort-2.9.2/doc/signatures/548.txt
--- snort-2.9.0.1/doc/signatures/548.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/548.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-547
-
---
-Summary:
-This event is generated when an attempt is made to create a directory name that begins with a period on an FTP server.
-
---
-Impact:
-Unauthorized file storage. An attacker may attempt to create a directory name that begins with a period on an FTP server, possibly in preparation to store unauthorized files.
-
-
---
-Detailed Information:
-An attacker may attempt to create a hidden directory name that begins with a period on an FTP server . This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
-
---
-Affected Systems:
-FTP servers
-
---
-Attack Scenarios:
-An attacker may attempt to create a hidden directory name that begins with a period to store unauthorized files.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-It is remotely possible that an authorized directory exists with a name that begins with a period.
-
---
-False Negatives:
-Hidden directories other than those with a name that begins with a period may be created to store "warez" files.
-
---
-Corrective Action:
-Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
-
-Regularly monitor directories for sudden or drastic increased use of space.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/549.txt snort-2.9.2/doc/signatures/549.txt
--- snort-2.9.0.1/doc/signatures/549.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/549.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-549
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/550.txt snort-2.9.2/doc/signatures/550.txt
--- snort-2.9.0.1/doc/signatures/550.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/550.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-550
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/551.txt snort-2.9.2/doc/signatures/551.txt
--- snort-2.9.0.1/doc/signatures/551.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/551.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-551
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/552.txt snort-2.9.2/doc/signatures/552.txt
--- snort-2.9.0.1/doc/signatures/552.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/552.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-552
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/553.txt snort-2.9.2/doc/signatures/553.txt
--- snort-2.9.0.1/doc/signatures/553.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/553.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-553
-
---
-Summary:
-The event is generated when an attempt is made to log on to an FTP server with the username of "anonymous".
-
---
-Impact:
-Information gathering or remote access. This activity may be a precursor to navigating through the accessible directories on the anonymous FTP server to do reconnaissance of the server. Alternately, this may be a precursor of attempting an exploit, such as a buffer overflow, that may permit remote access to the vulnerable FTP server.
-
---
-Detailed Information:
-FTP servers may permit anonymous user access to share authorized public files. FTP servers must have tighly restricted permissions to prevent anonymous users from navigating or writing to unauthorized directories. If permissions are incorrectly assigned, an attacker may attempt to store unauthorized "warez" files of pirated software. Alternately, anonymous access to a vulnerable FTP server may permit an attacker to exploit a buffer overflow, permitting execution of arbitrary commands on the host.
-
---
-Affected Systems:
-FTP servers allowing anonymous user access
-
---
-Attack Scenarios:
-An attacker may employ anonymous user access to do reconnaissance, store unauthorized files, or attempt an exploit on a vulnerable FTP server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-If anonymous user access is knowingly permitted, this rule may fire. Consider disabling this rule to anonymous FTP server.
-
---
-False Negatives:
-An attacker may use the username "ftp" instead of "anonymous" to gain anonymous access.
-
---
-Corrective Action:
-Disable anonymous access on the FTP server if it is not required.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/554.txt snort-2.9.2/doc/signatures/554.txt
--- snort-2.9.0.1/doc/signatures/554.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/554.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-554
-
---
-Summary:
-This event is generated when an attempt is made to create a directory name that begins with a "/ " on an FTP server.
-
-
---
-Impact:
-Unauthorized file storage. An attacker may attempt to create a directory name that begins with "/ " on an FTP server, possibly in preparation to store unauthorized files.
-
---
-Detailed Information:
-An attacker may attempt to create a hidden directory name that begins with "/ " on an FTP server . This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
-
---
-Affected Systems:
-FTP servers
-
---
-Attack Scenarios:
-An attacker may attempt to create a hidden directory name that begins with "/ " to store unauthorized files.
-
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-Hidden directories other than those with a name that begins with a "/ " may be created to store "warez" files.
-
---
-Corrective Action:
-Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.
-
-Regularly monitor directories for sudden or drastic increased use of space.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/555.txt snort-2.9.2/doc/signatures/555.txt
--- snort-2.9.0.1/doc/signatures/555.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/555.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-555
-
---
-Summary:
-This event is generated when activity by Peer-to-Peer (p2p) clients is detected.
-
---
-Impact:
-Informational event. Unauthorized use of a p2p client may be in progress.
-
---
-Detailed Information:
-This event indicates that use of a p2p client has been detected. This may be against corporate policy. p2p clients connect to other p2p clients to share files, commonly music and video files but can be configured to share any file on the local machine.
-
-This activity may not only use bandwidth but may also be used to transfer company confidential information to unauthorized hosts external to the protected network bypassing other security measures in place.
-
---
-Affected Systems:
-Any host using a p2p client.
-
---
-Attack Scenarios:
-This is indicative of the use of a p2p client.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Check the host and uninstall any p2p client found.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/556.txt snort-2.9.2/doc/signatures/556.txt
--- snort-2.9.0.1/doc/signatures/556.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/556.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,93 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-556
-
---
-
-Summary:
-
-A network-internal client has connected to an external GNUTella server
-and issued a connect attempt to begin communications.
-
---
-
-Impact:
-
-Possible policy violation.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella client has been detected
-on your network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella client installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-It is possible for an inside attack to take place by using peer-to-peer
-clients to transfer corporate data from an internal resource to an
-external third party.
-
---
-
-Ease of Attack:
-Simple. This is peer-to-peer activity.
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA CONNECT" on all ports. As a
-result, any email, web page, or other network content that discusses the
-protocol and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
-Gnutella Protocol
-http://rfc-gnutella.sourceforge.net/developer/testing/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/557.txt snort-2.9.2/doc/signatures/557.txt
--- snort-2.9.0.1/doc/signatures/557.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/557.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,93 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-557
-
---
-
-Summary:
-
-A network-internal server has authenticated an external GNUTella client
-connection attempt and they have begun communications.
-
---
-
-Impact:
-
-Possible policy violation.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella server has been detected
-on the protected network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella server installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-It is possible for an inside attack to take place by using peer-to-peer
-clients to transfer corporate data from an internal resource to an
-external third party.
-
---
-
-Ease of Attack:
-Simple. This is peer-to-peer activity.
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA OK" on all ports. As a result, any
-email, web page, or other network content that discusses the protocol
-and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
-Gnutella Protocol
-http://rfc-gnutella.sourceforge.net/developer/testing/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/558.txt snort-2.9.2/doc/signatures/558.txt
--- snort-2.9.0.1/doc/signatures/558.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/558.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-558
-
---
-
-Summary:
-
-A network-external server has authenticated an internal GNUTella client
-connection attempt and they have begun communications.
-
---
-
-Impact:
-
-Possible policy violation.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella client has been detected
-on the protected network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella client installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-
-N/A
-
---
-
-Ease of Attack:
-
-N/A
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA OK" on all ports. As a result, any
-email, web page, or other network content that discusses the protocol
-and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
---
diff -Nru snort-2.9.0.1/doc/signatures/559.txt snort-2.9.2/doc/signatures/559.txt
--- snort-2.9.0.1/doc/signatures/559.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/559.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,91 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-559
-
---
-
-Summary:
-
-A network-external client has connected to an internal GNUTella server
-and issued a connect attempt to begin communications.
-
---
-
-Impact:
-
-Possible policy violation; possible excess network load.
-
---
-
-Detailed Information:
-
-GNUTella is a P2P (Peer-to-Peer) protocol for exchanging arbitrary
-files. Depending on your site's policies, using it may be a policy
-violation.
-
-If not properly configured, GNUTella clients may accidentally share out
-confidential files. GNUTella worms (which use deceptive names to
-encourage download) and viruses may also be accidentally downloaded by a
-client.
-
-This rule being triggered means that a GNUTella server has been detected
-on the protected network.
-
---
-
-Affected Systems:
-
-Any system with a GNUTella client installed (available for most
-platforms)
-
---
-
-Attack Scenarios:
-
-N/A
-
---
-
-Ease of Attack:
-
-N/A
-
---
-
-False Positives:
-
-This rule detects the term "GNUTELLA CONNECT" on all ports. As a
-result, any email, web page, or other network content that discusses the
-protocol and its messages will trigger this alert.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Depends on acceptable use policies.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-GNUTella
-http://www.gnutella.com
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/560.txt snort-2.9.2/doc/signatures/560.txt
--- snort-2.9.0.1/doc/signatures/560.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/560.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
-
---
-Sid:
-560
-
---
-Summary:
-This event is generated when network traffic indicating the use of an
-application or service that may violate a corporate security policy.
-
---
-Impact:
-This may be a violation of corporate policy since some applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation. In
-some instances this event may indicate behavior contrary to best
-security practices.
-
-In this case the event is generated when a VNC server response is
-detected. This traffic indicates that a VNC client has made an attempt
-to connect to a VNC server.
-
-Virtual Network Computing (VNC) allows users to connect machines across
-a network. It allows full control of the connected machine to take
-place, the user can access all resources on the machine and any other
-resources that machine is connected to.
-
---
-Detailed Information:
-This event may indicate a violation of corporate policy. It may also
-indicate the use of services or applications that may be the antithesis
-of best security practices.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-Violation of corporate security policy can manifest serious risk to
-company assets.
-
---
-Ease of Attack:
-Not applicable
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure adherence to best security practices and strict adherence to
-corporate policy
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/561.txt snort-2.9.2/doc/signatures/561.txt
--- snort-2.9.0.1/doc/signatures/561.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/561.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-561
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/562.txt snort-2.9.2/doc/signatures/562.txt
--- snort-2.9.0.1/doc/signatures/562.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/562.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-562
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/563.txt snort-2.9.2/doc/signatures/563.txt
--- snort-2.9.0.1/doc/signatures/563.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/563.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-563
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/564.txt snort-2.9.2/doc/signatures/564.txt
--- snort-2.9.0.1/doc/signatures/564.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/564.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-564
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/565.txt snort-2.9.2/doc/signatures/565.txt
--- snort-2.9.0.1/doc/signatures/565.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/565.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-565
-
---
-Summary:
-This event is generated when a known response to a sucessful attack is
-detected.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when a known response to a sucessful attack is
-detected. Some applications do not perform stringent checks when validating
-the credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can be
-compromised and trust relationships between the victim server and other
-hosts can be exploited by the attacker.
-
-Events generated by rules in attack-responses.rules may indicate that an
-attack against a host has been sucessful.
-
---
-Affected Systems:
- Any vulnerable host.
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. An attacker might also exploit a
-weakness in a particular application or piece of software that will
-present the opportunity to gain access to the host.
-
---
-Ease of Attack:
-Simple. Many exploits exist for various systems and software.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Care should be taken to investigate the source of the event. Check for
-signs of system compromise in log files. Check for listening services on
-high ports.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-OpenNap Specification
-http://opennap.sourceforge.net/napster.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/566.txt snort-2.9.2/doc/signatures/566.txt
--- snort-2.9.0.1/doc/signatures/566.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/566.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-566
-
---
-Summary:
-This event is generated when network traffic indicating the use of an
-application or service that may violate a corporate security policy.
-
---
-Impact:
-This may be a violation of corporate policy since some applications can
-be used to bypass security measures designed to restrict the flow of
-corporate information to destinations external to the corporation. In
-some instances this event may indicate behavior contrary to best
-security practices.
-
---
-Detailed Information:
-This event may indicate a violation of corporate policy. It may also
-indicate the use of services or applications that may be the antithesis
-of best security practices.
-
---
-Affected Systems:
- All systems
-
---
-Attack Scenarios:
-Violation of corporate security policy can manifest serious risk to
-company assets.
-
---
-Ease of Attack:
-Not applicable
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure adherence to best security practices and strict adherence to
-corporate policy
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-Symantec PC Anywhere Home Page
-http://www.symantec.com/pcanywhere/Consumer/
-
---
diff -Nru snort-2.9.0.1/doc/signatures/567.txt snort-2.9.2/doc/signatures/567.txt
--- snort-2.9.0.1/doc/signatures/567.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/567.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-567
-
---
-Summary:
-This event is generated when a failed attempt is made to use a Simple Mail Transfer Protocol (SMTP) server to relay mail to a third party.
-
---
-Impact:
-Rejected of unauthorized use. This event indicates that an SMTP server is properly configured to reject mail relay attempts.
-
-
---
-Detailed Information:
-An attacker may attempt to use an improperly configured SMTP server to relay mail, reflecting the origin of the mail to be the relay SMTP server instead of the actual sender. A poorly configured SMTP server may be used to relay spam and other undesirable mail. If an SMTP server rejects relay attempts, it will return an error message indicating the failure.
-
---
-Affected Systems:
-SMTP servers
-
---
-Attack Scenarios:
-An attacker may attempt to relay mail through an improperly configured SMTP server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-An SMTP server may reject mail using other errors.
-
---
-Corrective Action:
-Configure an SMTP server to reject relayed mail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Snort documentation contributed by Chaos
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids
-http://www.whitehats.com/info/IDS249
-
-Miscellaneous
-http://mail-abuse.org/tsi/ar-fix.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/568.txt snort-2.9.2/doc/signatures/568.txt
--- snort-2.9.0.1/doc/signatures/568.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/568.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-568
-
---
-Summary:
-This event is generated when an attempt is made to change the message on
-the LCD display on a JetDirect enabled HP printer.
-
---
-Impact:
-User confusion and comedy, mostly.
-
---
-Detailed Information:
-HP JetDirect printers allow remote machines to change the message that
-is displayed on the LCD panel via the PJL command. This event indicates
-that this command has been used in network traffic.
-
---
-Affected Systems:
- HP JetDirect enabled printers
-
---
-Attack Scenarios:
-As part of an attempt to confuse and annoy users, an attacker may
-attempt to change the message displayed on the printers LCD screen.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Update to the latest JetDirect, and investigate the possibility of
-restricting access to a central print-server using the "allow:
-" directive in a printer config file.
-
-Disallow printer use from hosts outside the protected network.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Jon Hart
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/569.txt snort-2.9.2/doc/signatures/569.txt
--- snort-2.9.0.1/doc/signatures/569.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/569.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,94 +0,0 @@
-Rule:
-
---
-Sid:
-569
-
---
-Summary:
-The snmpXdmi daemon is used on Sun Solaris systems to map Simple Network
-Management Protocol (SNMP) management requests to and from the Desktop
-Management Interface (DMI).
-
-This daemon contains a boundary condition error that could result in a
-buffer overflow that will present the attacker with super user access to
-the target host.
-
---
-Impact:
-Complete control of the target machine.
-
---
-Detailed Information:
-The snmpXdmi daemon is installed and enabled by default on the affected
-systems below.
-
-DMI is used to manage components on client machines across a network. It
-can be used in conjunction with SNMP via a daemon such as snmpXdmi.
-
-A number of exploits for this vulnerability exist and are in use. The result of a sucessful attack is a complete root compromise of the victim host.
-
-Compromised systems are reported to display a number of commonalities such as:
-
- A core file for snmpXdmi on /
- Two instances of inetd running
- Telnet and SSH backdoors running on high ports
- An instance of an IRC proxy
- System binaries replaced by rootkit versions
- Network sniffers installed
- Log files changed
-
-The system binaries 'ps' and 'netstat' cannot be trusted to show all
-running processes since they may have been replaced by rootkit versions
-specially modified so as to hide evidence of the compromise.
-
---
-Affected Systems:
-Sun Solaris 2.6, 7.0, 8.0 for SPARC and Intel architectures
-
---
-Attack Scenarios:
-The attacker must send specially crafted packets to the snmpXdmi daemon
-or use one of the widely available exploits.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Disable the snmpXdmi service.
-
-Apply the appropriate patches for each affected system.
-
-Disallow all RPC requests from external sources and use a firewall to
-block access to RPC ports from outside the LAN.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2417
-
-CERT:
-http://www.cert.org/advisories/CA-2001-05.html
-http://www.kb.cert.org/vuls/id/648304
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
-
---
diff -Nru snort-2.9.0.1/doc/signatures/570.txt snort-2.9.2/doc/signatures/570.txt
--- snort-2.9.0.1/doc/signatures/570.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/570.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-SID:
-570
---
-
-Rule:
---
-
-Summary:
-This event indicates an attempt to exploit the tool talk RPC database
-service
---
-
-Impact:
-Possible unauthorized administrative access to the server or application
-or a denial of service to the affected application
---
-
-Detailed Information:
-ToolTalk RPC database service (rpc.ttdbserverd) does not perform
-adequate input validation or provide a format string specifier argument
-when writing to syslog. This means a specifically crafted RPC request to
-the ToolTalk RPC database service overwriting specific locations in
-memory and therefore allowing execution of code with the same permission
-level as the user running ttdbserverd, usually root.
---
-
-Affected Systems:
- HP-UX 10.10 - 11.0
- AIX 4.1 - 4.3
- IRIX 5.2 - 6.4
- Solaris 1.1 - 2.6
- TriTeal TED CDE 4.3
- Xi Graphics Maximum CDE 1.2.3
-
-Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
---
-
-Attack Scenarios:
-An attacker will send a specially crafted RPC call to the
-rpc.ttdbserverd daemon running on an affected system. A sucessful
-attack will then run code on the server with the access level of the
-root user.
---
-
-Ease of Attack:
-Simple, Exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Updates packages and patches are available from vendors, install them or
-disable the service if not needed.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/571.txt snort-2.9.2/doc/signatures/571.txt
--- snort-2.9.0.1/doc/signatures/571.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/571.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-SID:
-571
---
-
-Rule:
---
-
-Summary:
-This event indicates an attempt to exploit the tool talk RPC database
-service
---
-
-Impact:
-Possible unauthorized administrative access to the server or application
-or a denial of service to the affected application running on a Solaris
-system
---
-
-Detailed Information:
-ToolTalk RPC database service (rpc.ttdbserverd) does not perform
-adequate input validation or provide a format string specifier argument
-when writing to syslog. This means a specifically crafted RPC request to
-the ToolTalk RPC database service overwriting specific locations in
-memory and therefore allowing execution of code with the same permission
-level as the user running ttdbserverd, usually root.
---
-
-Affected Systems:
- Solaris 1.1 - 2.6
-Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
---
-
-Attack Scenarios:
-An attacker will send a specially crafted RPC call to the
-rpc.ttdbserverd daemon running on an affected system. A sucessful
-attack will then run code on the server with the access level of the
-root user.
---
-
-Ease of Attack:
-Simple, Exploit code is available.
---
-
-False Positives:
-None known
---
-
-False Negatives:
-None known
---
-
-Corrective Action:
-Updates packages and patches are available from vendors, install them or
-disable the service if not needed.
---
-
-Contributors:
-Snort documentation contributed by matthew harvey
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/572.txt snort-2.9.2/doc/signatures/572.txt
--- snort-2.9.0.1/doc/signatures/572.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/572.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-572
-
---
-Summary:
-This event is generated when an attempt is made to disable the rpc.ttdbservd service.
-
---
-Impact:
-Denial of service. A successful attack may kill the ToolTalk database server.
-
---
-Detailed Information:
-The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications to communicate in the Common Desktop Environment (CDE). The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications. The ToolTalk database server is enabled by default on hosts with CDE. Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to formulate an RPC message that will cause the server to crash.
-
---
-Affected Systems:
-HP HP-UX 10.10, 10.20, 10.30, 11.0
-IBM AIX 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2, 4.2.1, 4.3
-SGI IRIX 5.2, 5.3, 6.0, 6.0.1, 6.2, 6.3, 6.4
-Sun Solaris 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6
-
---
-Attack Scenarios:
-An attacker can attempt a denial of service attack by causing a vulnerable ToolTalk database server to crash.
-
---
-Ease of Attack:
-Easy. Exploit scripts are freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
-
-Bugtraq
-http://www.securityfocus.com/bid/122
-
-Arachnids:
-http://www.whitehats.com/info/IDS241
-
---
diff -Nru snort-2.9.0.1/doc/signatures/574.txt snort-2.9.2/doc/signatures/574.txt
--- snort-2.9.0.1/doc/signatures/574.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/574.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-574
-
---
-Summary:
-This event is generated when a request is made to Network File System (NFS) to list all exported file systems and which clients are permitted to mount each file system.
-
---
-Impact:
-Information disclosure. This can allow an attacker to discover exported NFS file systems and client mount permissions.
-
---
-Detailed Information:
-The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems. If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory. An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions.
-
---
-Affected Systems:
-All systems running NFS.
-
---
-Attack Scenarios:
-An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-http://www.whitehats.com/info/IDS26
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/575.txt snort-2.9.2/doc/signatures/575.txt
--- snort-2.9.0.1/doc/signatures/575.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/575.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@ -Rule: - --- -Sid: -575 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening. - --- -Impact: -Information disclosure. This request is used to discover which port admind is using. Attackers can also learn what versions of the admind protocol are accepted by admind. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The admind RPC service is used by some UNIX hosts to perform remote distributed system administration tasks such as adding new users. If weak authentication is used, it may be possible for a malicious user to perform remote administration. - --- -Affected Systems: -Any host running admind with weak authentication. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where admind runs. This may be a precursor to accessing admind. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access admind, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids -http://www.whitehats.com/info/IDS18 - - --- diff -Nru snort-2.9.0.1/doc/signatures/576.txt snort-2.9.2/doc/signatures/576.txt --- snort-2.9.0.1/doc/signatures/576.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/576.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -576 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) amountd (also known as autofsd) is listening. - - --- -Impact: -Information disclosure. This request is used to discover which port amountd is using. Attackers can also learn what versions of the amountd protocol are accepted by amountd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as amountd run. The amountd RPC service is used by UNIX hosts to automatically mount and unmount autofs files. It can use name service maps to find file systems to be mounted. A vulnerability is present in autofsd that allows an attacker to execute arbitrary commands. The attacker requests a map name that is executable, followed by a malformed client key and commands to be executed. The server improperly interprets the input and executes the commands. - --- -Affected Systems: -IBM AIX 4.3, SGI IRIX 6.2, 6.3, 6.4, 6.5, and 6.5.1. - --- -Attack Scenarios: -An attacker can craft an amountd request that executes arbitrary commands on the remote file system. - --- -Ease of Attack: -Easy. Exploit code is widely available. - --- -False Positives: -If a legitimate remote user is allowed to access amountd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for amountd, not probes of the amountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the amountd service itself. An attacker may attempt to go directly to the amountd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
- -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/332/info/ - -Arachnids: -http://www.whitehats.com/info/IDS19 - - --- diff -Nru snort-2.9.0.1/doc/signatures/577.txt snort-2.9.2/doc/signatures/577.txt --- snort-2.9.0.1/doc/signatures/577.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/577.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -577 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) bootparam is listening. - --- -Impact: -Information disclosure. This request is used to discover which port bootparam is using. Attackers can also learn what versions of the bootparam protocol are accepted by bootparam. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as bootparam run. The bootparam RPC service is used by some diskless workstations to query a server to discover the information required to boot. The client will issue a bootparam whoami request to the server. The server response will include the Network Information Systems (NIS) domain name. If no authentication is used, an attacker can send a bootparam request. The domain name provides valuable information that can be used to break into an NIS environment. - --- -Affected Systems: -Any host running bootparam with no authentication. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where bootparam runs. This may be a precursor to accessing bootparam. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access bootparam, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for bootparam, not probes of the bootparam service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the bootparam service itself. An attacker may attempt to go directly to the bootparam port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
- -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0647 - -Arachnids -http://www.whitehats.com/info/IDS16 - - --- diff -Nru snort-2.9.0.1/doc/signatures/578.txt snort-2.9.2/doc/signatures/578.txt --- snort-2.9.0.1/doc/signatures/578.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/578.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - -Sid: -578 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) cmsd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port cmsd is using. Attackers can also learn what versions of the cmsd protocol are accepted by cmsd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as cmsd run. The cmsd RPC service implements the Calendar Manager Service daemon that is often distributed with the Common Desktop Environment (CDE) and OpenWindows. Several buffer overflow vulnerabilities have been associated with cmsd. - --- -Affected Systems: -Any host running the RPC service cmsd. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where cmsd runs. This may be a precursor to accessing cmsd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access cmsd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for cmsd, not probes of the cmsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the cmsd service itself. An attacker may attempt to go directly to the cmsd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids -http://www.whitehats.com/info/IDS17 - - --- diff -Nru snort-2.9.0.1/doc/signatures/579.txt snort-2.9.2/doc/signatures/579.txt --- snort-2.9.0.1/doc/signatures/579.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/579.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -579 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) mountd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port mountd is using. Attackers can also learn what versions of the mountd protocol are accepted by mountd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as mountd run. The mountd RPC service allows remote file system access through Network File System (NFS). A vulnerability exists in the code that logs NFS mount activity that can cause a buffer overflow, allowing the execution of arbitrary code with root privileges. - --- -Affected Systems: -Caldera OpenLinux Standard 1.2 -RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where mountd runs. This may be a precursor to accessing mountd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access mountd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for mountd, not probes of the mountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the mountd service itself. An attacker may attempt to go directly to the mountd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/121 - -CERT -http://www.cert.org/advisories/CA-1998-12.html - -Arachnids -http://www.whitehats.com/info/IDS13 - - --- diff -Nru snort-2.9.0.1/doc/signatures/580.txt snort-2.9.2/doc/signatures/580.txt --- snort-2.9.0.1/doc/signatures/580.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/580.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -580 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nisd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port nisd is using. Attackers can also learn what versions of the nisd protocol are accepted by nisd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nisd run. The nisd RPC service implements Network Information Systems (NIS and NIS+). NIS and NIS+ provide centralized management and distribution of information about resources, such as users and hosts, in a network domain. A buffer overflow exists because of improper bounds checking, which can lead to execution of arbitrary commands on the host. - --- -Affected Systems: -Solaris 2.3 - 2.6 hosts running NIS+. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where nisd runs. This may be a precursor to accessing nisd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access nisd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for nisd, not probes of the nisd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the nisd service itself. An attacker may attempt to go directly to the nisd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/677 - -CERT -http://www.cert.org/advisories/CA-98.06.nisd.html - -Arachnids -http://www.whitehats.com/info/IDS21 - - --- diff -Nru snort-2.9.0.1/doc/signatures/581.txt snort-2.9.2/doc/signatures/581.txt --- snort-2.9.0.1/doc/signatures/581.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/581.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -Rule: - --- -Sid: -581 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) pcnfsd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port pcnfsd is using. Attackers can also learn what versions of the pcnfsd protocol are accepted by pcnfsd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as pcnfsd run. The pcnfsd RPC service handles printing and authentication over the network. A vulnerability exists because of improper argument checking that allows execution of arbitrary commands with root privileges. - --- -Affected Systems: -BSDI BSD/OS 2.1 -HP HP-UX 10.1, 10.10, 10.20, 11.0 -IBM AIX 3.2, 4.0, 4.1, 4.2 -SCO Open Server 5.0 -SCO Unixware 2.0, 2.0.3, 2.1 -SGI IRIX 6.5, 6.5.1 - 6.5.16 -Sun Solaris 2.4, 2.5 -Sun SunOS 4.1, 4.1.1 - 4.1.4 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where pcnfsd runs. This may be a precursor to accessing pcnfsd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access pcnfsd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for pcnfsd, not probes of the pcnfsd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the pcnfsd service itself. An attacker may attempt to go directly to the pcnfsd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/5378 - -CERT -http://www.cert.org/advisories/CA-1996-08.html - -Arachnids -http://www.whitehats.com/info/IDS22 - - --- diff -Nru snort-2.9.0.1/doc/signatures/582.txt snort-2.9.2/doc/signatures/582.txt --- snort-2.9.0.1/doc/signatures/582.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/582.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -582 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rexd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port rexd is using. Attackers can also learn what versions of the rexd protocol are accepted by rexd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rexd run. The rexd RPC service allows remote program execution. If weak authentication is used, an attacker may run arbitrary commands as a user other than root. - --- -Affected Systems: -AIX 4.0 -Compaq Tru64 UNIX (Any version) -HP-UX 10.20 -HP-UX 11 -Red Hat Linux 6.0 -Red Hat Linux 7.x -Solaris 2.5.1 -Solaris 2.6 -Solaris 7 -Solaris 8 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where rexd runs. This may be a precursor to accessing rexd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access rexd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for rexd, not probes of the rexd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rexd service itself. An attacker may attempt to go directly to the rexd port without querying the portmapper service which, would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/37 - -CERT -http://www.cert.org/advisories/CA-1992-05.html - -Arachnids -http://www.whitehats.com/info/IDS23 - - --- diff -Nru snort-2.9.0.1/doc/signatures/583.txt snort-2.9.2/doc/signatures/583.txt --- snort-2.9.0.1/doc/signatures/583.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/583.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -583 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rstatd is listening. - - --- -Impact: -Information disclosure. This request is used to discover which port rstatd is using. Attackers can also learn what versions of the rstatd protocol are accepted by rstatd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rstatd run. The rstatd RPC service can be queried for performance statistics obtained from the kernel including network, disk, and CPU. This can provide valuable information to determine which host may make a suitable target to participate in a particular attack. - --- -Affected Systems: -All hosts running the UNIX portmapper. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where rstatd runs. This may be a precursor to querying rstatd for usage statistics. - --- -Ease of Attack: -Easy. - --- -False Positives: -If a legitimate remote user is allowed to access rstatd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for rstatd, not probes of the rstatd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rstatd service itself. An attacker may attempt to go directly to the rstatd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS10 - - --- diff -Nru snort-2.9.0.1/doc/signatures/584.txt snort-2.9.2/doc/signatures/584.txt --- snort-2.9.0.1/doc/signatures/584.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/584.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,61 +0,0 @@ -Rule: - --- -Sid: -584 - --- -Summary: -This event is generated when an attempt is made to probe a host for the -rusers RPC service. - --- -Impact: -Information gathering. - --- -Detailed Information: -The rusers RPC service is used to remotely list all logged in users on a -machine. This information may be useful to an attacker when targeting a -remote host. - --- -Affected Systems: - All systems running the rusers RPC service - --- -Attack Scenarios: -An attacker runs a vulnerability assessment tool, or the standard Unix -rusers command. The attacker may use information gleaned from this to -better target his attacks. - --- -Ease of Attack: -Simple. Tools to probe the rusers service come standard with most Unix variants. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Disable the rusers service. - -Disallow access to RPC services from hosts external to the protected -network - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/585.txt snort-2.9.2/doc/signatures/585.txt --- snort-2.9.0.1/doc/signatures/585.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/585.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -585 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) sadmind is listening. - - --- -Impact: -Information disclosure. This request is used to discover which port sadmind is using. Attackers can also learn what versions of the sadmind protocol are accepted by sadmind. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as sadmind run. The sadmind RPC service is used by Solaris hosts to remotely perform distributed system administration tasks such as adding new users. There is a vulnerability associated with sadmind that may cause a buffer overflow, allowing an attacker to execute abitrary code with the privileges of sadmind, possibly root. - --- -Affected Systems: -Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where sadmind runs. This may be a precursor to an attack to exploit the sadmind buffer overflow. - --- -Ease of Attack: -Simple. Exploit scripts are freely available. A worm was observed in 2001 that used the sadmind exploit (and an IIS vulnerability) to compromise systems and deface web pages. - --- -False Positives: -If a legitimate remote user is allowed to access sadmind, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for sadmind, not probes of the sadmind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the sadmind service itself. An attacker may attempt to go directly to the sadmind port without querying the portmapper service which, would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. 
- -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Max Vision -Original rule modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/866 - -CERT: -http://www.cert.org/advisories/CA-1999-16.html - -Arachnids: -http://www.whitehats.com/info/IDS20 - - --- diff -Nru snort-2.9.0.1/doc/signatures/586.txt snort-2.9.2/doc/signatures/586.txt --- snort-2.9.0.1/doc/signatures/586.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/586.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@ -Rule: - --- -Sid: -586 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) selection_svc is listening. - --- -Impact: -Information disclosure. This request is used to discover which port selection_svc is using. Attackers can also learn what versions of the selection_svc protocol are accepted by selection_svc. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as selection_svc run. The selection_svc RPC service is used by SunView, an old windowing system from Sun. A vulnerability exists in selection_svc that allows a remote user to read files that are readable by SunView. - --- -Affected Systems: -Sun SunOS 3.5 -Sun SunOS 4.0 -Sun SunOS 4.0.1 -Sun SunOS 4.0.2 -Sun SunOS 4.0.3 -Sun SunOS 4.1 -Sun SunOS 4.1.1 - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where selection_svc runs. This may be a precursor to accessing selection_svc. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access selection_svc, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for selection_svc, not probes of the selection_svc service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the selection_svc service itself. An attacker may attempt to go directly to the selection_svc port without querying the portmapper service which, would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/8 - -CERT -http://www.cert.org/advisories/CA-1990-05.html - -Arachnids -http://www.whitehats.com/info/IDS25 - - --- diff -Nru snort-2.9.0.1/doc/signatures/587.txt snort-2.9.2/doc/signatures/587.txt --- snort-2.9.0.1/doc/signatures/587.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/587.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - -Sid: -587 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) statd is listening. - --- -Impact: -Information disclosure. This request is used to discover which port statd is using. Attackers can also learn what versions of the statd protocol are accepted by statd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as statd run. The statd RPC service manages Network File System (NFS) locks for exclusive access to a remote file. Multiple vulnerabilities that have allowed execution of arbitrary commands as root have been associated with statd. - --- -Affected Systems: -Multiple; refer to your vendor for specific information. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where statd runs. This may be a precursor to accessing statd. - --- -Ease of Attack: -Simple. - --- -False Positives: -If a legitimate remote user is allowed to access statd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for statd, not probes of the statd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the statd service itself. An attacker may attempt to go directly to the statd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. - -Disable unneeded RPC services. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids -http://www.whitehats.com/info/IDS15 - - --- diff -Nru snort-2.9.0.1/doc/signatures/588.txt snort-2.9.2/doc/signatures/588.txt --- snort-2.9.0.1/doc/signatures/588.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/588.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -588 - --- -Summary: -This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ttdbserverd is listening. - - --- -Impact: -Information disclosure. This request is used to discover which port ttdbserverd is using. Attackers can also learn what versions of the ttdbserverd protocol are accepted by ttdbserverd. - --- -Detailed Information: -The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ttdbserverd run. The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications used in Common Desktop Environment (CDE) to communicate. The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications. The ToolTalk database server comes enabled on hosts with CDE. Multiple vulernabilities have been associated with the ToolTalk database server. - --- -Affected Systems: -All hosts running the UNIX portmapper. - --- -Attack Scenarios: -An attacker can query the portmapper to discover the port where ttdbserverd runs. This may be a precursor to accessing ttdbserverd. - --- -Ease of Attack: -Easy. - --- -False Positives: -If a legitimate remote user is allowed to access ttdbserverd, this rule may trigger. - --- -False Negatives: -This rule detects probes of the portmapper service for ttdbserverd, not probes of the ttdbserverd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ttdbserverd service itself. An attacker may attempt to go directly to the ttdbserverd port without querying the portmapper service, which would not trigger the rule. - --- -Corrective Action: -Limit remote access to RPC services. - -Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 
- -Disable unneeded RPC services. - --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0687 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1075 - - --- diff -Nru snort-2.9.0.1/doc/signatures/589.txt snort-2.9.2/doc/signatures/589.txt --- snort-2.9.0.1/doc/signatures/589.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/589.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-589
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) yppasswd is listening.
-
-
---
-Impact:
-Information disclosure. This request is used to discover which port yppasswd is using. Attackers can also learn what versions of the yppasswd protocol are accepted by yppasswd.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as yppasswd run. The yppasswd RPC service handles password change requests from the yppasswd client program. This client program is used to change a user password in Network Information Service (NIS) environments where a centralized database exists to distribute passwords throughout a network. Multiple vulnerabilities are associated with the yppasswd RPC service.
-
---
-Affected Systems:
-All hosts running the UNIX portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where yppasswd runs. This may be a precursor to querying yppasswd for usage statistics.
-
---
-Ease of Attack:
-Easy.
-
---
-False Positives:
-If a legitimate remote user is allowed to access yppasswd, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for yppasswd, not probes of the yppasswd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the yppasswd service itself. An attacker may attempt to go directly to the yppasswd port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS14
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/590.txt snort-2.9.2/doc/signatures/590.txt
--- snort-2.9.0.1/doc/signatures/590.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/590.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-590
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypserv is listening.
-
-
---
-Impact:
-Information disclosure. This request is used to discover which port ypserv is using. Attackers can also learn what versions of the ypserv protocol are accepted by ypserv.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypserv run. The ypserv RPC service looks up information in the local Network Information Service (NIS) maps. The ypserv program provides the server function for Yellow Pages (YP) by providing clients information from NIS maps. Multiple vulnerabilities are associated with the ypserv RPC program.
-
---
-Affected Systems:
-All hosts running the UNIX portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where ypserv runs. This may be a precursor to accessing ypserv.
-
---
-Ease of Attack:
-Easy.
-
---
-False Positives:
-If a legitimate remote user is allowed to access ypserv, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for ypserv, not probes of the ypserv service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypserv service itself. An attacker may attempt to go directly to the ypserv port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/6016
-http://www.securityfocus.com/bid/5914
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
-
-Arachnids:
-http://www.whitehats.com/info/IDS12
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/591.txt snort-2.9.2/doc/signatures/591.txt
--- snort-2.9.0.1/doc/signatures/591.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/591.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-591
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
-
---
-Impact:
-Information disclosure. This request is used to discover which port ypupdated is using. Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run. The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages. A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.
-
---
-Affected Systems:
-HP HP-UX 10.1, 10.10, 10.20
-IBM AIX 3.2, 4.1
-NEC EWS-UX/V, UP-UX/V
-SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
-Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where ypupdated runs. This may be a precursor to accessing ypupdated.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/1749
-
-CERT
-http://www.cert.org/advisories/CA-1995-17.html
-
-Arachnids
-http://www.whitehats.com/info/IDS125
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/593.txt snort-2.9.2/doc/signatures/593.txt
--- snort-2.9.0.1/doc/signatures/593.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/593.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-593
-
---
-Summary:
-This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) snmpXdmi is listening.
-
---
-Impact:
-Information disclosure. This request is used to discover which port snmpXdmi is using. Attackers can also learn what versions of the snmpXdmi protocol are accepted by snmpXdmi.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as snmpXdmi run. Simple Network Management Protocol (SNMP) and Desktop Management Interface (DMI) are remote management protocols. The snmpXdmi RPC service translates between SNMP and DMI, allowing the use of either or both. There is a buffer overflow when translating DMI to SNMP that allows access with the privilege level of snmpXdmi.
-
---
-Affected Systems:
-Sun Solaris 2.6, 7.0, and 8.0.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover the port where snmpXdmi runs. This may be a precursor to accessing snmpXdmi.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to access snmpXdmi, this rule may trigger.
-
---
-False Negatives:
-This rule detects probes of the portmapper service for snmpXdmi, not probes of the snmpXdmi service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the snmpXdmi service itself. An attacker may attempt to go directly to the snmpXdmi port without querying the portmapper service, which would not trigger the rule.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236
-
-CERT
-http://www.cert.org/advisories/CA-2001-05.html
-
-Bugtraq
-http://www.securityfocus.com/bid/2417
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/595.txt snort-2.9.2/doc/signatures/595.txt
--- snort-2.9.0.1/doc/signatures/595.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/595.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-595
-
---
-Summary:
-Embedded Support Partner (ESP) is an integral part of the SGI IRIX
-operating system to enable remote support for the operating system
-
-A vulnerability exists in the Embedded Support Partner Daemon (ESP) that
-could lead to arbitrary commands being executed on a target host.
-
---
-Impact:
-Remote super user access leading to a compromise of the target machine
-along with any network resources that machine is connected to.
-
---
-Detailed Information:
-The ESP daemon is an RPC (Remote Procedure Call) resource used on SGI
-IRIX systems. The ESP daemon runs with the privileges of the root user.
-IRIX version 6.5.8 and prior are susceptible to a buffer overflow of the
-ESP daemon leading to a remote root compromise of the affected host.
-
---
-Affected Systems:
-SGI IRIX 6.5.8 and earlier.
-
---
-Attack Scenarios:
-The attacker would need to craft a packet that would lead to the buffer
-overflow. No current exploits are available.
-
---
-Ease of Attack:
-Difficult
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-All systems running vulnerable versions of rpc.espd should have the appropriate patch applied.
-
-Additionally, the ESP daemon should be disabled where not needed by
-commenting out the appropriate line in inetd.conf. The daemon itself can
-be made non-executable by removal of the x bit (chmod -x rpc.espd).
-
-RPC services should not be available outside the local area network,
-filter RPC ports at the firewall to ensure access is denied to RPC
-enabled machines.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0331
-
-Bugtraq:
-http://www.securityfocus.com/bid/2714
-
---
diff -Nru snort-2.9.0.1/doc/signatures/598.txt snort-2.9.2/doc/signatures/598.txt
--- snort-2.9.0.1/doc/signatures/598.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/598.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-598
-
---
-Summary:
-This event is generated when an attempt is made dump entries from the portmapper.
-
---
-Impact:
-Information disclosure. This request can discover what Remote Procedure Call (RPC) services are offered and on which ports they listen.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens. This can provide an attacker with valuable information about what RPC services are offered and on which ports.
-
---
-Affected Systems:
-All hosts running portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover RPC services and their associated listening ports.
-
---
-Ease of Attack:
-Simple. Execute 'rpcinfo -p hostname/IP'.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS429
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/599.txt snort-2.9.2/doc/signatures/599.txt
--- snort-2.9.0.1/doc/signatures/599.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/599.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-599
-
---
-Summary:
-This event is generated when an attempt is made dump entries from the portmapper on a Solaris host.
-
---
-Impact:
-Information disclosure. This request can discover what Remote Procedure Call (RPC) services are offered and on which ports they listen.
-
---
-Detailed Information:
-The portmapper service registers all RPC services on UNIX hosts. It can be queried for all RPC services running, the RPC program name and version, the protocol (TCP or UDP), and the port where the service listens. This can provide an attacker with valuable information about what RPC services are offered and on which ports.
-
---
-Affected Systems:
-All Solaris hosts running portmapper.
-
---
-Attack Scenarios:
-An attacker can query the portmapper to discover RPC services and their associated listening ports.
-
---
-Ease of Attack:
-Simple. Execute 'rpcinfo -p hostname/IP'.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC service.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS429
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/601.txt snort-2.9.2/doc/signatures/601.txt
--- snort-2.9.0.1/doc/signatures/601.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/601.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Rule:
-
---
-Sid:
-601
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-machine using Network Information Services (NIS).
-
---
-Impact:
-Unknown. This is traffic that should not be seen when using NIS and
-remote login services.
-
---
-Detailed Information:
-This event is generated when spurious data is sent to the rlogin service
-running on a machine that is using NIS.
-
---
-Attack Scenarios:
-An attacker needs to generate this traffic and send it directly to a
-machine. This is not normal network behavior.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/602.txt snort-2.9.2/doc/signatures/602.txt
--- snort-2.9.0.1/doc/signatures/602.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/602.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 602
-
---
-Summary:
-This event is generated when an attempt to login using the "bin" account is made.
-
---
-Impact:
-An attacker may have gained the ability to initiate a remote interactive session on the server.
-
---
-Detailed Information:
-This event is generated when a connection using the "bin" account via "rsh" is attempted.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
-
---
-Attack Scenarios:
-An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-http://www.whitehats.com/info/IDS384
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
---
diff -Nru snort-2.9.0.1/doc/signatures/603.txt snort-2.9.2/doc/signatures/603.txt
--- snort-2.9.0.1/doc/signatures/603.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/603.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 603
-
---
-Summary:
-This event is generated when an attempt to modify access control permissions for remote shell logins is attempted.
-
---
-Impact:
-An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
-
---
-Detailed Information:
-The rule generates an event when system reconfiguration is attempted via "rsh".
-
-The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS385
-
---
diff -Nru snort-2.9.0.1/doc/signatures/604.txt snort-2.9.2/doc/signatures/604.txt
--- snort-2.9.0.1/doc/signatures/604.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/604.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 604
-
---
-Summary:
-This event is generated due to the use of a suspicious login attempt
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
-
-A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
-
---
-Attack Scenarios:
-If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
-Disable the "rsh" service if not used, apply a patch if appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
-
-Arachnids:
-http://www.whitehats.com/info/IDS387
-
---
diff -Nru snort-2.9.0.1/doc/signatures/605.txt snort-2.9.2/doc/signatures/605.txt
--- snort-2.9.0.1/doc/signatures/605.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/605.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid: 605
-
---
-Summary:
-This event is generated when a remote login attempt using rlogin fails.
-
---
-Impact:
-Someone has tried to login using rlogin and failed
-
---
-Detailed Information:
-This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
-
-Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
-
---
-Attack Scenarios:
-An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A legitimate user may generate an event by entering an incorrect password.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
-Arachnids:
-http://www.whitehats.com/info/IDS393
-
---
diff -Nru snort-2.9.0.1/doc/signatures/606.txt snort-2.9.2/doc/signatures/606.txt
--- snort-2.9.0.1/doc/signatures/606.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/606.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 606
-
---
-Summary:
-This event is generated when an attempt to login as the superuser is attempted using rlogin.
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rlogin" with the username "root". Such activity is indicative of attempts to abuse insecure machines with a known default configuration.
-
-Some UNIX systems use the "rlogin" daemon which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with the "rlogin" service running and connects to it, then proceeds to guess the "root" password
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A system administrator may be logging in to a host using the username "root"
-
---
-False Negatives:
-If a local username is not the same as the remote one ("root"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
-Deny remote root logins to the host, use a normal user and "sudo" or give the user the ability to "su" to root where appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS389
-
---
diff -Nru snort-2.9.0.1/doc/signatures/607.txt snort-2.9.2/doc/signatures/607.txt
--- snort-2.9.0.1/doc/signatures/607.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/607.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 607
-
---
-Summary:
-This event is generated when an attempt to login using the "bin" account is made.
-
---
-Impact:
-An attacker may have gained the ability to initiate a remote interactive session on the server.
-
---
-Detailed Information:
-This event is generated when a connection using the "bin" account via "rsh" is attempted.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
-
---
-Attack Scenarios:
-An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS384
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
---
diff -Nru snort-2.9.0.1/doc/signatures/608.txt snort-2.9.2/doc/signatures/608.txt
--- snort-2.9.0.1/doc/signatures/608.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/608.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid: 608
-
---
-Summary:
-This event is generated when an attempt to modify access control permissions for remote shell logins is attempted.
-
---
-Impact:
-An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
-
---
-Detailed Information:
-The rule generates an event when system reconfiguration is attempted via "rsh".
-
-The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication.
-
-This activity is indicative of attempts to abuse hosts using a default configuration.
-
-Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-http://www.whitehats.com/info/IDS388
-
---
diff -Nru snort-2.9.0.1/doc/signatures/609.txt snort-2.9.2/doc/signatures/609.txt
--- snort-2.9.0.1/doc/signatures/609.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/609.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 609
-
---
-Summary:
-This event is generated due to the use of a suspicious login attempt
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
-
-A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
-
---
-Attack Scenarios:
-If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
-Disable the "rsh" service if not used, apply a patch if appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
-
-Arachnids:
-http://www.whitehats.com/info/IDS387
-
---
diff -Nru snort-2.9.0.1/doc/signatures/610.txt snort-2.9.2/doc/signatures/610.txt
--- snort-2.9.0.1/doc/signatures/610.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/610.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid: 610
-
---
-Summary:
-This event is generated when an attempt to login as the superuser is attempted using rsh.
-
---
-Impact:
-Serious. If successful the attacker may have gained superuser access to the host.
-
---
-Detailed Information:
-This rule generates an event when a connection is made using "rsh" with the username "root". Such activity is indicative of attempts to abuse insecure machines with a known default configuration.
-
-Some UNIX systems use the "rsh" daemon which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an interactive session.
-
---
-Attack Scenarios:
-An attacker finds a machine with the "rsh" service running and connects to it, then proceeds to guess the "root" password
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A system administrator may be logging in to a host using the username "root"
-
---
-False Negatives:
-If a local username is not the same as the remote one ("root"), the rule will not generate an event.
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rsh.
-
-Deny remote root logins to the host, use a normal user and "sudo" or give the user the ability to "su" to root where appropriate.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS391
-
---
diff -Nru snort-2.9.0.1/doc/signatures/611.txt snort-2.9.2/doc/signatures/611.txt
--- snort-2.9.0.1/doc/signatures/611.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/611.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid: 611
-
---
-Summary:
-This event is generated when a remote login attempt using rlogin fails.
-
---
-Impact:
-Someone has tried to login using rlogin and failed
-
---
-Detailed Information:
-This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
-
-Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
-
---
-Attack Scenarios:
-An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
-
---
-Ease of Attack:
-Simple, no exploit software required
-
---
-False Positives:
-A legitimate user may generate an event by entering an incorrect password.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Investigate logs on the target host for further details and more signs of suspicious activity
-
-Use ssh for remote access instead of rlogin.
-
---
-Contributors:
-Original rule by Max Vision modified from a signature written by Ron Gula
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
-
-Arachnids:
-http://www.whitehats.com/info/IDS392
-
---
diff -Nru snort-2.9.0.1/doc/signatures/612.txt snort-2.9.2/doc/signatures/612.txt
--- snort-2.9.0.1/doc/signatures/612.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/612.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-612
-
---
-Summary:
-This event is generated when a request is made via Remote Procedure Call (RPC) to list the logged in users.
-
---
-Impact:
-Reconnaissance. A response to this request provides valid user names that can connect to the host.
-
---
-Detailed Information:
-The rusers RPC query is used to discover the users currently logged on to the host. A response to this request provides valid user names that can connect to the host. This information can be used to attempt a brute force guessing of associated passwords.
-
---
-Affected Systems:
-All systems running rusers.
-
---
-Attack Scenarios:
-An attacker may attempt to list all logged in users to gather information for a future brute force password attack.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-If a legitimate remote user is allowed to list users, this will generate a false positive.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Limit remote access to RPC services.
-
-Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
-
-Disable unneeded RPC services.
-
---
-Contributors:
-Original rule written by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0626
-
---
diff -Nru snort-2.9.0.1/doc/signatures/613.txt snort-2.9.2/doc/signatures/613.txt
--- snort-2.9.0.1/doc/signatures/613.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/613.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-613
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/614.txt snort-2.9.2/doc/signatures/614.txt
--- snort-2.9.0.1/doc/signatures/614.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/614.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,94 +0,0 @@
-Rule:
-
---
-Sid:
-614
-
---
-Summary:
-hack-a-tack is a Trojan Horse.
-
---
-Impact:
-Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
-
---
-Detailed Information:
-This Trojan affects the following operating systems:
-
- Windows 95
- Windows 98
- Windows ME
- Windows NT
- Windows 2000
- Windows XP
-
-The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
-
- SID Message
- --- -------
- 141 HackAttack 1.20 Connect
- 614 hack-a-tack attempt
-
-This Trojan is commonly used to install other Trojan programs.
-
-The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
-
---
-Attack Scenarios:
-This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
-
---
-Ease of Attack:
-This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
-
-The Trojan server is located at :\WINDOWS\Expl32.exe.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-
-Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
-
-Affected registry keys are:
-
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
-
-Registry keys added are:
-
- Explorer32 =":\windows\Expl32.exe"
- Configuration Wizard = ":\windows=cfgwiz32.exe"
-
-Removal of this entry is required.
-
-Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
-
-Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
-
---
-Contributors:
-Original Rule Writer Max Vision
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Whitehats arachNIDS
-http://www.whitehats.com/info/IDS314
-http://www.whitehats.com/info/IDS504
-
-Hackfix.org
-http://www.hackfix.org/miscfix/hackatack.shtml
-
-Commodon Communications
-http://www.commodon.com/threat/threat-hack.htm
-
---
diff -Nru snort-2.9.0.1/doc/signatures/615.txt snort-2.9.2/doc/signatures/615.txt
--- snort-2.9.0.1/doc/signatures/615.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/615.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,94 +0,0 @@
-Rule:
-
---
-
-Sid:
-
-615
-
---
-
-Summary:
-
-An external host has requested to start communications with your host on
-port 1080.
-
---
-
-Impact:
-
-Network reconnaissance.
-
---
-
-Detailed Information:
-
-Improperly-configured SOCKS proxies can be abused to allow a hostile
-user to launch attacks and make them appear to come from your site.
-
-Additionally, if the proxy is behind a firewall or is a trusted host, it
-can be used to gain further access into your network and other hosts.
-
---
-
-Affected Systems:
-
-Any system with a SOCKS proxy server installed.
-
---
-
-Attack Scenarios:
-
-Attacker utilizes your misconfigured proxy to anonymize their other
-illegitimate activities or gain further access to your network.
-
---
-
-Ease of Attack:
-
-Trivial or extremely difficult, depending on proxy configuration.
-
---
-
-False Positives:
-Non-proxy applications running on port 1080, regardless of purpose, will
-trigger this alert every time any session begins.
-
-Ftp clients open a source tcp port greater than 1023 (an 'ephemeral' port). If the
-client opens port 1080 for the data connection, this rule will be triggered by return
-packets from the ftp server. One way to cut down on these false
-positives for this rule might be to preceed it with a pass rule for
-'established' connections to 1080. This would only work with passive ftp
-transactions, where the client initiates both control and data sessions. Normal ftp
-requires the server to initiate a connection to the client for data transfers after the client
-sets up a control session.
-
---
-
-False Negatives:
-None known.
-
---
-
-Corrective Action:
-Allow only internal users to connect to the proxy, or configure strong
-access control.
-
---
-
-Contributors:
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-False positive information contributed by jaffeld@duwamish.net
-
---
-
-Additional References:
-
-UnderNet:
-http://help.undernet.org/proxyscan/
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/616.txt snort-2.9.2/doc/signatures/616.txt
--- snort-2.9.0.1/doc/signatures/616.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/616.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-616
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/618.txt snort-2.9.2/doc/signatures/618.txt
--- snort-2.9.0.1/doc/signatures/618.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/618.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-618
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/619.txt snort-2.9.2/doc/signatures/619.txt
--- snort-2.9.0.1/doc/signatures/619.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/619.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-619
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/620.txt snort-2.9.2/doc/signatures/620.txt
--- snort-2.9.0.1/doc/signatures/620.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/620.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-620
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/621.txt snort-2.9.2/doc/signatures/621.txt
--- snort-2.9.0.1/doc/signatures/621.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/621.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
---
-Sid:
-621
---
-Summary:
-A tcp packet with only it's FIN flag set was detected.
-
---
-Impact:
-Information regarding firewall rulesets, open/closed ports, ACLs, and
-possibly even OS type may be disclosed. This technique can also be
-used to bypass certain firewalls or traffic filtering/shaping devices.
-
---
-Detailed Information:
-A tcp packet with only it's FIN flag set was detected. Most Windows
-machines will respond with an ACK-RST regardless of whether or not the
-port is open. Most *nix systems will respond with an ACK-RST if the
-port is closed and will not respond at all if the port is open.
-Actual responses may vary.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of information gathering leading up to another (more directed)
-attack, an attacker may attempt to figure out what ports are
-open/closed on a remote machine.
-
---
-Ease of Attack:
-Intermediate. To initiate an attack of this type, an attacker either
-needs a tool that can send packets with only the FIN flag set or
-the ability to craft their own packets. The former is easy, the later
-requires a more advanced skillset.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Determine if this particular port would have responded as being open
-or closed. If open, watch for more attacks on this particular service
-or from the remote machine that sent the packet. If closed, simply
-watch for more traffic from this host. Consider filtering this type
-of traffic at the ingress points of your network.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Jon Hart
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/622.txt snort-2.9.2/doc/signatures/622.txt
--- snort-2.9.0.1/doc/signatures/622.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/622.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-622
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/623.txt snort-2.9.2/doc/signatures/623.txt
--- snort-2.9.0.1/doc/signatures/623.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/623.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
---
-Sid:
-623
---
-Summary:
-A tcp packet with none of it's control bits set was detected.
-
---
-Impact:
-Information regarding firewall rulesets, open/closed ports, ACLs, and
-possibly even OS type is possible. This technique can also be used to
-bypass certain firewalls or traffic filtering/shaping devices.
-
---
-Detailed Information:
-A tcp packet with none of it's control bits (URG, ACK, PSH, RST, SYN,
-FIN) was detected. Additionally, both the sequence number and
-acknowledgement number were set to 0. An open port will generally not
-respond at all, whereas a closed port will generally respond with an
-ACK RST. The particular response varies between operating systems,
-and is also governed by any filtering that may be done between the two
-hosts.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of information gathering leading up to another (more directed)
-attack, an attacker may attempt to figure out what ports are
-open/closed on a remote machine.
-
---
-Ease of Attack:
-Intermediate. To initiate an attack of this type, an attacker either
-needs a tool that can send tcp packets with no control bits set or
-the ability to craft their own packets. The former is easy, the later
-requires a more advanced skillset.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Determine if this particular port would have responded as being open
-or closed. If open, watch for more attacks on this particular service
-or from the remote machine that sent the packet. If closed, simply
-watch for more traffic from this host.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Jon Hart
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/624.txt snort-2.9.2/doc/signatures/624.txt
--- snort-2.9.0.1/doc/signatures/624.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/624.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
---
-Sid:
-624
-
---
-Summary:
-A tcp packet with it's SYN and FIN flags set was detected.
-
---
-Impact:
-Information regarding firewall rulesets, open/closed ports, ACLs, and
-possibly even OS type is possible. This technique can also be used to
-bypass certain firewalls or traffic filtering/shaping devices.
-
---
-Detailed Information:
-A tcp packet with it's SYN and FIN flags set was detected. Most
-stacks will respond with an ACK SYN indicating that the port was open,
-whereas a closed port will illicit an ACK RST.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of information gathering leading up to another (more directed)
-attack, an attacker may attempt to figure out what ports are
-open/closed on a remote machine.
-
---
-Ease of Attack:
-Intermediate. To initiate an attack of this type, an attacker either
-needs a tool that can send packets with the SYN and FIN flags set or
-the ability to craft their own packets. The former is easy, the later
-requires a more advanced skillset.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Determine if this particular port would have responded as being open
-or closed. If open, watch for more attacks on this particular service
-or from the remote machine that sent the packet. If closed, simply
-watch for more traffic from this host.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Jon Hart
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/625.txt snort-2.9.2/doc/signatures/625.txt
--- snort-2.9.0.1/doc/signatures/625.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/625.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
---
-Sid:
-625
-
-Summary:
---
-A TCP packet with all of the (unreserved) control bits set was
-detected as being destined for your machine.
-
---
-Impact:
-System recon. Different operating-systems will respond in different
-ways depending on their particular stack implementation. This allows
-attackers to determine things such as open/closed ports, ACLs, and the
-like.
-
---
-Detailed Information:
-The ACK, FIN, PSH, RST, SYN, and URG control bits were set in a TCP
-packet.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-As part of a recon mission that may be an indicator to upcoming
-attacks, an attacker may attempt to determine what ports are listening
-on a given machine by sending a TCP packet with all of its control
-bits "lit up", hence the name XMAS scan -- its "lit up like a
-christmas tree."
-__
-Ease of Attack:
-Trivial. Many of the popular portscanners/vulnerability testers, most
-notably nmap, allow anyone to inititiate an XMAS scan.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Determine what information an attacker may have gleaned from this
-attack. Would your ports show as open or closed? Consider
-implementing a stateful firewall on the victim machine, or at ingress
-points on your network.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Jon Hart
-
---
-Additional References:
-http://rr.sans.org/firewall/egress.php
-
---
diff -Nru snort-2.9.0.1/doc/signatures/626.txt snort-2.9.2/doc/signatures/626.txt
--- snort-2.9.0.1/doc/signatures/626.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/626.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-
-626
-
---
-Summary:
-This event is generated when the Cybercop vulnerability scanner is used
-against a host.
-
---
-Impact:
-Cybercop can be used to identify vulnerabilities on host systems.
-
---
-Detailed Information:
-This particular packet is a part of Cybercop's OS identification.
-Specially crafted packets are able to elicit different responses from
-different operating systems. This packet is likely to be part of a full
-Cybercop scan rather than an isolated event. Having PUSH, ACK and
-reserve bits 1 and 2 set at the same time is unusual. While this rule
-performs content as well as header checking to avoid false positives,
-this flag combination in the TCP header is possible is possible in a
-legitimate situation because of the addition of Explicit Congestion
-Notification (ECN).
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-Cybercop can be used by attackers to determine vulnerabilities present
-on a host or network of hosts that could be used as attack vectors.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This tool can be used legitimately by a system and network
-administrators.
-
-False positives from ECN enabled systems are possible.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-TCP packets with PUSH, ACK and reserved bits 1 and 2 set at the same
-time are unusual but possible with Explicit Congestion Notification
-(ECN). It is advisable to block TCP packets with these flags set that
-do not have the ECT bit (TOS bit 6) set in the IP header.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS149
-
-Security Focus:
-http://www.securityfocus.com/infocus/1205
-
-RFC:
-http://www.ietf.org/rfc/rfc2481.txt?number=2481
-
---
diff -Nru snort-2.9.0.1/doc/signatures/627.txt snort-2.9.2/doc/signatures/627.txt
--- snort-2.9.0.1/doc/signatures/627.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/627.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-627
-
---
-Summary:
-This event is generated when the Cybercop vulnerability scanner is used
-against a host.
-
---
-Impact:
-Cybercop can be used to identify vulnerabilities on host systems.
-
---
-Detailed Information:
-This particular packet is a part of Cybercop's OS identification.
-Specially crafted packets are able to elicit different responses from
-different operating systems. This packet is likely to be part of a full
-Cybercop scan rather than an isolated event. Having SYN, FIN, URG and
-reserve bits 1 and 2 set at the same time is abnormal.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-Cybercop can be used by attackers to determine vulnerabilities present
-on a host or network of hosts that could be used as attack vectors.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This tool can be used legitimately by system and network administrators.
-Other vulnerability scanners may display the same behavior.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-TCP packets with SYN, FIN, URG and reserved bits 1 and 2 set at the same
-time are abnormal, use a packet filtering firewall to block them.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS150
-
---
diff -Nru snort-2.9.0.1/doc/signatures/628.txt snort-2.9.2/doc/signatures/628.txt
--- snort-2.9.0.1/doc/signatures/628.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/628.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-628
-
---
-Summary:
-This event is generated when the nmap port scanner and reconnaissance
-tool is used against a host.
-
---
-Impact:
-This could be part of a full scan by nmap and could indicate
-potential malicious reconnaissance of the targeted network or host.
-
---
-Detailed Information:
-Some versions of Nmap's TCP ping, if selected, sends a TCP ACK with an
-ACK number = 0.
-
-Nmap can use TCP ping as a second alternative to ICMP Ping.
-
---
-Affected Systems:
-All systems not protected by a stateful firewall are affected. The TCP
-Ping targeted port does not need to be open on the host being probed to
-determine if the machine is alive or not.
-
---
-Attack Scenarios:
-The first thing an attacker does is to gather some information about its
-target, he may use Nmap to see if the potential target is alive on
-certain network. Included as part of the "pinging" technique used by
-Nmap, a TCP ping can be used on certain networks that don't allow the
-ICMP Protocol.
-
---
-Ease of Attack:
-Simple. Nmap requires no specialized experience to use it.
-
---
-False Positives:
-This particular Nmap TCP Ping uses a TCP ACK with an ACK Number = 0. It
-is possible that other tools may also send a TCP ACK with an ACK number
-of Zero.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Any stateful firewall should be enough to protect a host from being "TCP
-ACK probed". If you have more suspicious/malicious activity from the
-host doing the portscan, follow your standard procedure to asess the
-potential threat. If you only detect TCP Pings, that may be just a TCP
-Ping Sweep and it is not a real threat.
-
---
-Contributors:
-Original Rule Writer Unknown (prime suspect is Marty Roesch)
-Snort documentation contributed by Jose Hernandez
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-arachnids: ids28
-
---
diff -Nru snort-2.9.0.1/doc/signatures/629.txt snort-2.9.2/doc/signatures/629.txt
--- snort-2.9.0.1/doc/signatures/629.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/629.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-629
-
---
-Summary:
-This event is generated when the nmap port scanner and reconnaissance
-tool is used against a host.
-
-When run with the '-O' option, it attempts to identify the remote
-operating system.
-
---
-Impact:
-Can provide useful reconnaissance information to an attacker. Has been
-known to cause a denial of service on some older hosts.
-
---
-Detailed Information:
-nmap attempts to identify the remote operating system by looking for
-different services that are common or specific to particular operating
-systems. It also sends a variety of abnormal packets that are often
-handled differently by different operating systems so that it can
-differentiate between them based on the responses.
-
---
-Affected Systems:
-All
-
---
-Attack Scenarios:
-nmap is often used before an attempt to gain access to a system.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known. The signature may be produced by other scanners but is
-unlikely to be used for legitimate activity.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Block any TCP packets that have the SYN, FIN, PUSH and URGENT flags set
-using a firewall. Block only packets that have all four of the flags
-set as they are individually and in other combinations necessary for
-normal TCP traffic. If you block them individually or in other
-combinations your network will not function correctly.
-
---
-Contributors:
-Original Rule Writer Unknown (prime suspect is Marty Roesch)
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Steven Alexander
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS05
-
-Nmap scanner:
-http://www.insecure.org
-
---
diff -Nru snort-2.9.0.1/doc/signatures/630.txt snort-2.9.2/doc/signatures/630.txt
--- snort-2.9.0.1/doc/signatures/630.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/630.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,51 +0,0 @@
-Rule:
-
---
-Sid:630
-
---
-Summary:
-A host has scanned the network looking for vulnerable servers.
-
---
-Impact:
-Information leak, reconnaisance, preperation for automated attack such as worm propagation
-
-
---
-Detailed Information:
-Synscan is the scanning and vulnerability testing engines for ramen, canserserver and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast syn scanner.
-
---
-Attack Scenarios:
-This is a scanning tool that is often the precursor to a worm infection.
-
-
---
-Ease of Attack:
-This scanner is fast and easy to use. It is readily available and was included with several worms.
-
-
---
-False Positives:
-sscan, mscan, and several other tools used ID=39426 but the use of SYNFIN is unique to synscan [1.5|1.6]
-
---
-False Negatives:
-This rule will not generate an event if recent versions of synScan, such as 1.6a, are used because synScan now uses random IP IDs.
-
---
-Corrective Action:
-Run flexresp with synscan kill.
-
---
-Contributors:
-Don Smith Initial Research
-Josh Gray Edits
-
---
-Additional References:
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/631.txt snort-2.9.2/doc/signatures/631.txt
--- snort-2.9.0.1/doc/signatures/631.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/631.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-631
-
---
-Summary:
-This event is generated when an external user scans an internal SMTP
-server using Network Associates' Cybercop vulnerability scanner.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-Cybercop Scanner is scanning software that searches for system
-vulnerabilities. As one of its scanning procedures, it sends an EHLO
-command to SMTP server ports to determine if the SMTP server will return
-a list of remote commands that it accepts.
-
---
-Affected Systems:
-Any SMTP server that returns a list of acceptable commands for remote mailers.
-
---
-Attack Scenarios:
-An attacker may run Cybercop Scanner against SMTP servers in order to
-determine vulnerabilities that can later be exploited.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure that your SMTP server does not provide more information than is
-necessary when it receives an EHLO request.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-General Cybercop information:
-http://www.securityfocus.com/products/126
-
---
diff -Nru snort-2.9.0.1/doc/signatures/632.txt snort-2.9.2/doc/signatures/632.txt
--- snort-2.9.0.1/doc/signatures/632.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/632.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-Rule:
-
---
-Sid:
-632
-
---
-Summary:
-This event is generated when an external user scans an internal SMTP server using Network Associates' Cybercop vulnerability scanner.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-Cybercop Scanner is scanning software that searches for system vulnerabilities. As one of its scanning procedures, it sends an expn command to SMTP server ports to determine if the SMTP server will return a list of email addresses, aliases, and distribution lists.
-
---
-Affected Systems:
-Any SMTP server that returns a list of email addresses, aliases, and distribution lists when queried with the expn command.
-
---
-Attack Scenarios:
-An attacker may run Cybercop Scanner against SMTP servers in order to determine vulnerabilities that can later be exploited.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable expn on your mail server.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/634.txt snort-2.9.2/doc/signatures/634.txt
--- snort-2.9.0.1/doc/signatures/634.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/634.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-634
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP. Then the attacker might find out that the FTP service is vulnerable to a particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/635.txt snort-2.9.2/doc/signatures/635.txt
--- snort-2.9.0.1/doc/signatures/635.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/635.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-635
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/636.txt snort-2.9.2/doc/signatures/636.txt
--- snort-2.9.0.1/doc/signatures/636.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/636.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-636
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/637.txt snort-2.9.2/doc/signatures/637.txt
--- snort-2.9.0.1/doc/signatures/637.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/637.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-637
-
---
-Summary:
-This event is generated when a scan is detected.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to scan a host.
-
-This may be the prelude to an attack. Scanners are used to ascertain
-which ports a host may be listening on, whether or not the ports are
-filtered by a firewall and if the host is vulnerable to a particular
-exploit.
-
---
-Affected Systems:
-Any host.
-
---
-Attack Scenarios:
-An attacker can determine if ports 21 and 20 are being used for FTP.
-Then the attacker might find out that the FTP service is vulnerable to a
-particular attack and is then able to compromise the host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-A scanner may be used in a security audit.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Determine whether or not the scan was legitimate then look for other
-events concerning the attacking IP address.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/638.txt snort-2.9.2/doc/signatures/638.txt
--- snort-2.9.0.1/doc/signatures/638.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/638.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid: 638
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS356
-
-Phrack.com:
-http://www.phrack.com/show.php?p=56&a=15
-
---
diff -Nru snort-2.9.0.1/doc/signatures/639.txt snort-2.9.2/doc/signatures/639.txt
--- snort-2.9.0.1/doc/signatures/639.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/639.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid: 639
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
- may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
- may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS357
-
---
diff -Nru snort-2.9.0.1/doc/signatures/640.txt snort-2.9.2/doc/signatures/640.txt
--- snort-2.9.0.1/doc/signatures/640.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/640.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid: 640
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/641.txt snort-2.9.2/doc/signatures/641.txt
--- snort-2.9.0.1/doc/signatures/641.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/641.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid: 641
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing Digital UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS352
-
---
diff -Nru snort-2.9.0.1/doc/signatures/642.txt snort-2.9.2/doc/signatures/642.txt
--- snort-2.9.0.1/doc/signatures/642.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/642.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid: 642
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS358
-
---
diff -Nru snort-2.9.0.1/doc/signatures/643.txt snort-2.9.2/doc/signatures/643.txt
--- snort-2.9.0.1/doc/signatures/643.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/643.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid: 643
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS359
-
---
diff -Nru snort-2.9.0.1/doc/signatures/644.txt snort-2.9.2/doc/signatures/644.txt
--- snort-2.9.0.1/doc/signatures/644.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/644.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid: 644
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS345
-
---
diff -Nru snort-2.9.0.1/doc/signatures/645.txt snort-2.9.2/doc/signatures/645.txt
--- snort-2.9.0.1/doc/signatures/645.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/645.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid: 645
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS353
-
---
diff -Nru snort-2.9.0.1/doc/signatures/646.txt snort-2.9.2/doc/signatures/646.txt
--- snort-2.9.0.1/doc/signatures/646.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/646.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid: 646
-
---
-Summary:
-This event is generated when a buffer overflow attack is attempted against a target machine.
-
---
-Impact:
-Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
-
-
---
-Detailed Information:
-This rule tracks the bit combination which may occur in network packets aimed at overflowing Sparc Solaris/SunOS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
-
-A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
-
---
-Attack Scenarios:
-An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
-
---
-Ease of Attack:
-Simple
-
-
---
-False Positives:
-This event may be generated by legitimate traffic to the specified port.
-
-
---
-False Negatives:
-This event is specific to the shell code defined in the rule.
-Other shell code sequences may not be detected.
-
---
-Corrective Action:
-Check the target host for other signs of compromise.
-
-Look for other events concerning the target host.
-
-Apply vendor supplied patches and keep the operating system up to date.
-
---
-Contributors:
-Original Rule Writer Unkown
-Snort documentation contributed by Anton Chuvakin
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS355
-
---
diff -Nru snort-2.9.0.1/doc/signatures/647.txt snort-2.9.2/doc/signatures/647.txt
--- snort-2.9.0.1/doc/signatures/647.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/647.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-647
-
---
-Summary:
-This event is generated when suspicious shell code is detected in
-network traffic.
-
---
-Impact:
-Denial of Service (DoS) possible execution of arbitrary code.
-
---
-Detailed Information:
-This event is generated when suspicious shell code is detected. Many
-buffer overflow attacks contain large numbers of NOOP instrucions to pad
-out the request. Other attacks contain specific shell code sequences
-directed at certain applications or services.
-
-The shellcode in question may also use Unicode encoding.
-
---
-Affected Systems:
- Any software running on x86 architecture.
-
---
-Attack Scenarios:
-An attacker may exploit a DCERPC service by sending shellcode in the RPC
-data stream. Sending large amounts of data to the Microsoft Workstation
-service can cause a buffer overflow condition in the logging function
-thus presenting an attacker with the opportunity to issue a DoS attack
-or in some cases, to execute code of their choosing.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-False positives may be generated by binary file transfers.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Make sure the target host has all current patches applied and has the
-latest software versions installed.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/648.txt snort-2.9.2/doc/signatures/648.txt
--- snort-2.9.0.1/doc/signatures/648.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/648.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,77 +0,0 @@
-Rule:
---
-Sid:
-648
-
---
-Summary:
-A series of NOP instructions for Intel's x86 architecure was detected.
-
---
-Impact:
-As part of an attack on a remote service, an attacker may attempt to
-take advantage of insecure coding practices in hopes of executing
-arbitrary code. This procedure generally makes use of NOPs.
-
---
-Detailed Information:
-The NOP allows an attacker to fill an address space with a large
-number of NOPs followed by his or her code of choice. This allows
-"sledding" into the attackers shellcode.
-
---
-Affected Systems:
- All x86 based systems
-
---
-Attack Scenarios:
-If a particular service was written using unsafe functions without
-bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible
-to write arbitrary data to the address space of the service.
-Normally, this may just cause the program to die a horrible death.
-However, if you can get the return address to point to the beginning
-of the newly written data, it is possible to execute code of your
-choice. This requires that the newly written data is actual
-executable data. Since calculating exactly where the return address
-may point to is no small task, a popular technique is to pad the space
-leading up to your shellcode with NOPs. This way, if the return
-address points anywhere in the series of NOPS, execution will slide
-down into your shellcode.
-
---
-Ease of Attack:
-Not-so trivial. This particular technique requires a knowledge of x86
-assembly coding, memory, and usually an intimate understanding of the
-code that one is attempting to exploit. Unfortunately, there are
-hundreds upon hundreds of canned exploits that nearly anyone with the
-ability point-and-click can use and wreak havok with.
-
---
-False Positives:
-The x86 NOP can frequently be found in day-to-day traffic,
-particularly when transfering large files.
-
---
-False Negatives:
-There are other techniques to emulate a NOP. 
Additionally, if
-the attackers NOP sled is small enough (< 15), this particular attack
-may slip by. Fortunately, NOP sleds are generally quite large.
-
---
-Corrective Action:
-Determine if this NOP was part of an attack or simply part of an
-innocent stream of data.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-Jon Hart
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/649.txt snort-2.9.2/doc/signatures/649.txt
--- snort-2.9.0.1/doc/signatures/649.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/649.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@ -Rule: --- -Sid: -649 --- -Summary: -Shellcode to set the group identity to 0 (root) was detected. - --- -Impact: -If this code is executed successfully, it is possible for the current -process to inherity root group privledges. - - --- -Detailed Information: -Snort detected data resembling the x86 assembly code to change the -group identity to 0. - - --- -Affected Systems: - --- -Attack Scenarios: -As part of an attack on a remote service, an attacker may attempt to -take advantage of insecure coding practices and execute code of his or -her choosing through techniques known as 'buffer-overflows', -'format-strings' and others. Such attacks may contain code to change -the identity of the current group to that of the root group (setgid -0). - --- -Ease of Attack: -Non-trivial. Shellcode (and just x86 assembly code in general) -requires a fairly intimate knowledge of computer architecture, memory -structures, and many concepts that are part of the more arcane areas -of computing. Furthermore, if this was in fact an attack, the -attacker needs to have a good idea of the design of the both the -program and the system that he or she is attacking. The x86 setgid -call itself is not particularly difficult, and by itself is not -harmful. However, combined with other carefuly aimed shellcode, it -can be quite lethal. - --- -False Positives: -Fairly high. Large binary transfers, certain web traffic, and even -mail traffic can trigger this rule, but are not necessarily indicative -of actual setgid code. - --- -False Negatives: -None Known - --- -Corrective Action: -Determine what stream of traffic generated this particular alert. If -you only have the alert but not the entire packet, examine system for -pecularities. 
If you are smart and have the entire packet (or better -yet, all your traffic for the past n hours), attempt to determine if -this particular sequence of characters was part of an innocent stream -of data (large binary transfers, for example) or part of a malicious -act against your machine. In either case, check for other activity -from the host in question -- both currently collected traffic and -traffic in the future. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/650.txt snort-2.9.2/doc/signatures/650.txt --- snort-2.9.0.1/doc/signatures/650.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/650.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,82 +0,0 @@ -Rule: --- -Sid: -650 - --- -Summary: -Shellcode to set the user identity to 0 (root) was detected. - --- -Impact: -If this code is executed successfully, it is possible for the current -process to inherity root privledges. However, setuid(2) requires root -privledges to be executed in the first place if the current uid is -attempting to get a higher priviledge level. - --- -Detailed Information: -Snort detected data resembling the x86 assembly code to change the -user identity to 0. - - --- -Affected Systems: - --- -Attack Scenarios: -As part of an attack on a remote service, an attacker may attempt to -take advantage of insecure coding practices and execute code of his or -her choosing through techniques known as 'buffer-overflows', -'format-strings' and others. Such attacks may contain code to change -the identity of the current user to that of the root account (setuid -0). - --- -Ease of Attack: -Non-trivial. Shellcode (and just x86 assembly code in general) -requires a fairly intimate knowledge of computer architecture, memory -structures, and many concepts that are part of the more arcane areas -of computing. Furthermore, if this was in fact an attack, the -attacker needs to have a good idea of the design of the both the -program and the system that he or she is attacking. The x86 setuid -call itself is not particularly difficult, and by itself is not -harmful. However, combined with other carefuly aimed shellcode, it -can be quite lethal. - --- -False Positives: -None Known -Fairly high. Large binary transfers, certain web traffic, and even -mail traffic can trigger this rule, but are not necessarily indicative -of actualy setuid code. - --- -False Negatives: -None Known -Unknown, but probably possible. - --- -Corrective Action: -Determine what stream of traffic generated this particular alert. If -you only have the alert but not the entire packet, examine system for -pecularities. 
If you are smart and have the entire packet (or better -yet, all your traffic for the past n hours), attempt to determine if -this particular sequence of characters was part of an innocent stream -of data (large binary transfers, for example) or part of a malicious -act against your machine. In either case, check for other activity -from the host in question -- both currently collected traffic and -traffic in the future. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Jon Hart - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/651.txt snort-2.9.2/doc/signatures/651.txt --- snort-2.9.0.1/doc/signatures/651.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/651.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ -Rule: --- -Sid: -651 - --- -Summary: -Binary data in the packet matched one kind of byte sequence used as filler in buffer overflow attacks. - --- -Impact: -It is possible someone was attempting a buffer overflow to gain unauthorized access to one of your servers. - --- -Detailed Information: -This rule triggers when a binary pattern appears in the packet contents which matches one form of filler-bytes used in buffer overflow attacks. Buffer overflows allow execution of arbitrary code with the privlege level of the affected server process. A very detailed discussion of how basic buffer overflows work can be found in the text of "Smashing the stack for fun and profit" by Aleph One in Phrack #49. - --- -Affected Systems: - --- -Attack Scenarios: -If the attacker suspects you have a server which is vulnerable to buffer overflow, they will attempt to exploit this vulnerability to gain access. - - --- -Ease of Attack: -Tools that use buffer overflows with stealth nop are widely available. - --- -False Positives: -This byte pattern can naturally occur in almost any binary data, so file downloads, streaming media, etc can cause this to false positive. If this traffic appears to be coming from a web or ftp server outside your network to one of your client machines, it is likely a false alert caused by someone downloading a binary file. If this was directed at a port on one of your machines which is running a server process, you may want to check to see if it has been exploited. 
- --- -False Negatives: -None Known - --- -Corrective Action: - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Matt Kettler mkettler@evi-inc.com Initial Research -Josh Gray Edits - --- -Additional References: -http://online.securityfocus.com/library/14 - - --- diff -Nru snort-2.9.0.1/doc/signatures/652.txt snort-2.9.2/doc/signatures/652.txt --- snort-2.9.0.1/doc/signatures/652.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/652.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -652 - --- -Summary: -This event is generated when suspicious shell code is detected in -network traffic. - --- -Impact: -Denial of Service (DoS) possible execution of arbitrary code. - --- -Detailed Information: -This event is generated when suspicious shell code is detected. Many -buffer overflow attacks contain large numbers of NOOP instrucions to pad -out the request. Other attacks contain specific shell code sequences -directed at certain applications or services. - -The shellcode in question may also use Unicode encoding. - --- -Affected Systems: - Any software running on x86 architecture. - --- -Attack Scenarios: -An attacker may exploit a DCERPC service by sending shellcode in the RPC -data stream. Sending large amounts of data to the Microsoft Workstation -service can cause a buffer overflow condition in the logging function -thus presenting an attacker with the opportunity to issue a DoS attack -or in some cases, to execute code of their choosing. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -False positives may be generated by binary file transfers. - --- -False Negatives: -None known - --- -Corrective Action: -Make sure the target host has all current patches applied and has the -latest software versions installed. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/653.txt snort-2.9.2/doc/signatures/653.txt --- snort-2.9.0.1/doc/signatures/653.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/653.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: -653 - --- -Summary: -This event is generated when suspicious shell code is detected in -network traffic. - --- -Impact: -Denial of Service (DoS) possible execution of arbitrary code. - --- -Detailed Information: -This event is generated when suspicious shell code is detected. Many -buffer overflow attacks contain large numbers of NOOP instrucions to pad -out the request. Other attacks contain specific shell code sequences -directed at certain applications or services. - -The shellcode in question may also use Unicode encoding. - --- -Affected Systems: - Any software running on x86 architecture. - --- -Attack Scenarios: -An attacker may exploit a DCERPC service by sending shellcode in the RPC -data stream. Sending large amounts of data to the Microsoft Workstation -service can cause a buffer overflow condition in the logging function -thus presenting an attacker with the opportunity to issue a DoS attack -or in some cases, to execute code of their choosing. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -False positives may be generated by binary file transfers. - --- -False Negatives: -None known - --- -Corrective Action: -Make sure the target host has all current patches applied and has the -latest software versions installed. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/654.txt snort-2.9.2/doc/signatures/654.txt --- snort-2.9.0.1/doc/signatures/654.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/654.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: --- -Sid: -654 - --- -Summary: -When connecting to port 25 (SMTP) on a computer running a vunarable SMTP server it is possible to perform a DoS attack. In some cases it might be possible to perform a security breach as well. - --- -Impact: -Depending on the vunerable software you may need to restart the SMTP server or perform some level of incident response. - --- -Detailed Information: -Vulnerable systems: - Avirt Mail 4.0 (build 4124) - Avirt Mail 4.2 (build 4807) - PakMail SMTP/POP3 - Netscape Messaging Server 3.54/3.55/3.6 - -More details can be found on the various sites listed below as the impact and details vary from system to system. - --- -Affected Systems: - --- -Attack Scenarios: -Supply a large amount of data after the RCPT TO: header in your SMTP flow. - --- -Ease of Attack: -DoS: rather easy -Security breach: probably hard - --- -False Positives: -These will occur rather frequently with the given rule. They are most common when subscribed to mailinglists. - --- -False Negatives: -None Known - - --- -Corrective Action: -Upgrade software according to the instructions of your software manufacturer. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton -Hugo van der Kooij -Josh Gray Edits - --- -Additional References: -http://www.securiteam.com/exploits/6C00O1F00Y.html -http://www.synnergy.net/downloads/advisories/SLA-2000-01.pakmail.txt -http://online.securityfocus.com/bid/748 - --- diff -Nru snort-2.9.0.1/doc/signatures/655.txt snort-2.9.2/doc/signatures/655.txt --- snort-2.9.0.1/doc/signatures/655.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/655.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -655 - --- -Summary: -This event is generated when a buffer overflow is attempted on a Sendmail 8.6.9 server. - --- -Impact: -Attempted administrator access. A successful buffer overflow attack can allow a remote attacker access to the Sendmail server at the privilege level of the user ID associated with Sendmail. - --- -Detailed Information: -A vulnerability exists in Sendmail version 8.6.9 that can be exploited by a buffer overflow attack. This allows the attacker access to the Sendmail server at the privilege level of the user ID associated with Sendmail. This attack can occur when a Sendmail server connects back to the ident service of the client requesting the Sendmail connection. Because it is improperly validated by the Sendmail server, a malicious response can cause a buffer overflow. - --- -Affected Systems: -Sendmail version 8.6.9. - --- -Attack Scenarios: -An attacker can request a connection to a Sendmail server, listen for the request for the ident service, and respond with a malicious payload to exploit the vulnerability. - --- -Ease of Attack: -Easy. Exploit code is available. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the appropriate patch or upgrade to a Sendmail version greater than 8.6.9. - --- -Contributors: -Original rule written by Max Vision -Rule updated by Brian Caswell -Sourcefire Research Team -Judy Novak - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204 - - --- diff -Nru snort-2.9.0.1/doc/signatures/657.txt snort-2.9.2/doc/signatures/657.txt --- snort-2.9.0.1/doc/signatures/657.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/657.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ -Rule: - --- -Sid: -657 - --- -Summary: -This event is generated when an external user sends a HELP command with specific syntax to an internal SMTP server, which may indicate an attempt to exploit a buffer overflow vulnerability in NetManage Chameleon SMTP server. - --- -Impact: -Severe. Remote execution of arbitrary code, leading to remote root compromise. - --- -Detailed Information: -NetManage Chameleon SMTP server contains a buffer overflow vulnerability in the HELP command. If the HELP command is used with an argument longer than 514 characters, a buffer overflow condition occurs, allowing the execution of arbitrary code. - --- -Affected Systems: -Systems running NetManage Chameleon Unix 97 or NetManage Chameleon 4.5. - --- -Attack Scenarios: -An attacker sends an overly long string to a vulnerable NetManage Chameleon SMTP server in the HELP command. This causes a buffer overflow condition, allowing the attacker to execute arbitrary code on the server and obtain root privileges on the mail server. - --- -Ease of Attack: -Simple. - --- -alse Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest version of NetManage Chameleon SMTP server. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/658.txt snort-2.9.2/doc/signatures/658.txt --- snort-2.9.0.1/doc/signatures/658.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/658.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -658 - --- -Summary: -This event is generated when a denial of service is attempted on a Microsoft Exchange mail server. - --- -Impact: -Denial of service. This will cause the Exchange server to fail. - --- -Detailed Information: -A vulnerability exists in Microsoft Exchange 5.5 that causes a denial of service if a MIME header contains the string 'charset = ""'. The Exchange server does not properly handle this MIME header string, causing it to crash. - --- -Affected Systems: -Microsoft Exchange server 5.5 - --- -Attack Scenarios: -An attacker can supply a malicious string in the MIME header causing the Exchange server to fail. - --- -Ease of Attack: -Easy. An attacker can telnet to port 25 of the Exchange server, start a dialogue with the server, and supply the malicious string in the MIME header. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Apply the appropriate patch or upgrade to Exchange 5.5 service Pack 4. - --- -Contributors: -Original rule writer unknown -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Microsoft: -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-082.asp - -Miscellaneous: -http://packetstormsecurity.nl/0011-exploits/exchange.dos.txt - - --- diff -Nru snort-2.9.0.1/doc/signatures/659.txt snort-2.9.2/doc/signatures/659.txt --- snort-2.9.0.1/doc/signatures/659.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/659.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: --- -Sid: -659 - --- -Summary: -This event is generated when a probe is sent to an SMTP server to determine if the decode alias is supported. - --- -Impact: -Intelligence gathering activity. This event could be an indication of reconnaissance or an actual attempt to overwrite a sensitive file. If the decode alias is present on the SMTP server, an attacker may use it to overwrite files. - --- -Detailed Information: -The decode alias was included to allow email to be sent to a username of decode to process the email content through the uudecode program. A malicious user could attempt to email a uuencoded file that would overwrite an existing sensitive file. - --- -Affected Systems: -Older UNIX Sendmail versions (~1990-1996) - --- -Attack Scenarios: -An attacker can email a uuencoded file to the decode username to overwrite an existing sensitive file. - --- -Ease of Attack: -Simple. Send email containing a uuencoded file to the username decode to overwrite an existing sensitive file. --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Remove decode in /etc/aliases. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS32 - - --- diff -Nru snort-2.9.0.1/doc/signatures/660.txt snort-2.9.2/doc/signatures/660.txt --- snort-2.9.0.1/doc/signatures/660.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/660.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,55 +0,0 @@ - --- -Sid: -660 - --- -Summary: -This event is generated when an attempt is made to expand the alias of root on a Sendmail server. - --- -Impact: -Reconnaissance. This is an attempt to discover email addresses associated with the alias of root for a Sendmail server. - --- -Detailed Information: -An attacker may probe for email addresses associated with the alias of root on a Sendmail server. The "expn" command expands the alias into a list of actual recipients associated with the alias. This command can be used to determine who reads the mail sent to the administrator. It may be used by spammers to get valid email accounts or may be used to discover valid accounts on the Sendmail server. - --- -Affected Systems: -Versions of Sendmail that do not disable expn. - --- -Attack Scenarios: -An attacker can telnet to the Sendmail server and issue the command "expn root" to gather email addresses associated with the alias of root. - --- -Ease of Attack: -Easy. Telnet to the Sendmail server and issue the command "expn root". - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Edit the /etc/sendmail.cf file to disable expn by setting PrivacyOptions=noexpn. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS31 - - --- diff -Nru snort-2.9.0.1/doc/signatures/661.txt snort-2.9.2/doc/signatures/661.txt --- snort-2.9.0.1/doc/signatures/661.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/661.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -661 - --- -Summary: -This event is generated when an attempt is made to exploit a problem with Majordomo software that allows arbitrary commands to be executed on the server. - --- -Impact: -Attempted administrator access. This is an attempt to execute a command on a server where Majordomo is installed. - --- -Detailed Information: -Majordomo is an application that automates mailing list management. An input validation error allows attackers to use a malformed email header as a command that will be executed on the host. To be vulnerable, the server must use a list or a hidden list and the configuration file must specify an advertise or noadvertise option. This has been documented as either a local or remote attack on the host. - --- -Affected Systems: -Majordomo versions up to and including 1.94.4. - --- -Attack Scenarios: -An attacker can send a malformed e-mail header to the Majordomo host. The host executes a command that facilitates access to the host. - - --- -Ease of Attack: -Simple. Use an appropriate malformed header and supply a command that enables access to the host. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to Majordomo version 1.94.5 or higher. --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2310 - -Arachnids: -http://www.whitehats.com/info/IDS143 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207 - - --- diff -Nru snort-2.9.0.1/doc/signatures/662.txt snort-2.9.2/doc/signatures/662.txt --- snort-2.9.0.1/doc/signatures/662.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/662.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -662 - --- -Summary: -This event is generated when maliciously formatted "mail from" text is supplied. - --- -Impact: -Attempted administrator access. A successful attack can allow remote execution of commands with root privileges. - --- -Detailed Information: -A vulnerability exists in older versions of Sendmail that incorrectly parses message headers. This vulnerability can allow anattacker to execute arbitrary commands as root. - --- -Affected Systems: -Sendmail versions prior to 8.6.10 and any version based on 5.x. - --- -Attack Scenarios: -An attacker can craft a malicious mail header that executes a command. - --- -Ease of Attack: -Easy. Use a maliciously formatted header. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to version 8.6.10 or higher of Sendmail. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2308 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203 - -Arachnids: -http://www.whitehats.com/info/IDS119 - - --- diff -Nru snort-2.9.0.1/doc/signatures/663.txt snort-2.9.2/doc/signatures/663.txt --- snort-2.9.0.1/doc/signatures/663.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/663.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -663 - --- -Summary: -This event is generated when the string "|sed -e '1,/^$/'" is found in the payload of a packet sent to a Sendmail server. This may be an attempt to exploit a problem in older versions of Sendmail. - --- -Impact: -Attempted administrator access. A successful attack can allow remote execution of commands at the privilege level of Sendmail, usually root. - --- -Detailed Information: -A vulnerability exists in older versions of Sendmail associated with the debug mode. Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail, often times root. The "sed" command is used to strip off the mail headers before executing the supplied command. This vulnerability was exploited by the Morris worm. - --- -Affected Systems: -Sendmail versions prior to 5.5.9. - --- -Attack Scenarios: -An attacker can craft a recipient name that is a command. This command executes arbitrary code on the server. - --- -Ease of Attack: -Easy. An attacker can telnet to port 25 of a vulnerable server, enter debug mode, and craft a malicious recipient containing a command to be executed. - --- -False Positives: -It is possible that this event may be generated by text in the DATA section of a pipelined SMTP transaction. - --- -False Negatives: -This rule generates an event based on a specific string in the packet payload. An attacker could craft payloads with other malicious commands. - --- -Corrective Action: -Upgrade to Sendmail version 5.5.9 or higher. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Judy Novak -Nigel Houghton - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/1 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095 - -Arachnids: -http://www.whitehats.com/info/IDS172 - - --- diff -Nru snort-2.9.0.1/doc/signatures/664.txt snort-2.9.2/doc/signatures/664.txt --- snort-2.9.0.1/doc/signatures/664.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/664.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,59 +0,0 @@ -Rule: - --- -Sid: -664 - --- -Summary: -This event is generated when maliciously formatted "rcpt to" text is supplied to Sendmail. - --- -Impact: -Attempted administrator access. A successful attack can allow remote execution of commands with root privleges. - --- -Detailed Information: -A vulnerability exists in older versions of Sendmail that incorrectly parses message headers. This can allow a malicious user to execute arbitrary commands as root. - --- -Affected Systems: -Sendmail versions prior to 8.6.10 and any version based on 5.x. - --- -Attack Scenarios: -An attacker can craft a malicious mail header that executes a command. - --- -Ease of Attack: -Easy. Use a maliciously formatted header. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Upgrade to version 8.6.10 or higher of Sendmail. - --- -Contributors: -Original rule written by Max Vision -Sourcefire Research Team -Judy Novak - --- -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2308 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203 - - --- diff -Nru snort-2.9.0.1/doc/signatures/665.txt snort-2.9.2/doc/signatures/665.txt --- snort-2.9.0.1/doc/signatures/665.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/665.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -665 - --- -Summary: -This event is generated when a remote user attempts to exploit a Sendmail vulnerability where a remote user can execute arbitrary code on an server running older versions of Sendmail. - --- -Impact: -Severe. Remote execution of arbitrary code, leading to remote root compromise. - --- -Detailed Information: -Earlier versions of Sendmail contain a vulnerability in message header parsing. This vulnerability can be exploited by a remote user who sends an email message with a malformed MAIL FROM value to a vulnerable Sendmail implementation. The server then executes any arbitrary shell code included in the text of the email. - --- -Affected Systems: -Systems running Sendmail versions lower than 8.6.10. - --- -Attack Scenarios: -An attacker sends an email using |usr/bin/tail|usr/bin/sh as the MAIL FROM value. Arbitrary shell code placed in the text of the email message is executed by the mail server with the security context of Sendmail. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to Sendmail version 8.6.10 or higher. - --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203 - -Bugtraq -http://www.securityfocus.com/bid/2308 - -CERT -http://www.cert.org/advisories/CA-1995-08.html - --- diff -Nru snort-2.9.0.1/doc/signatures/667.txt snort-2.9.2/doc/signatures/667.txt --- snort-2.9.0.1/doc/signatures/667.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/667.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@ -Rule: - --- -Sid: -667 - --- -Summary: -This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail where newline characters in ident messages are not properly parsed. - --- -Impact: -Severe. Remote execution of arbitrary code, leading to remote root compromise. - --- -Detailed Information: -Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of newline characters (\n) in commands passed from ident to Sendmail. An attacker can use a specially crafted command with newlines in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. - --- -Affected Systems: -Systems running unpatched versions of Sendmail 8.6.10 or earlier. - --- -Attack Scenarios: -An attacker sends an email with newline characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue. - --- -Ease of Attack: -Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to the latest version of Sendmail. 
- --- -Contributors: -Original rule written by Max Vision -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Jen Harvey - --- -Additional References: -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204 - -Bugtraq -http://www.securityfocus.com/bid/2311 - --- diff -Nru snort-2.9.0.1/doc/signatures/668.txt snort-2.9.2/doc/signatures/668.txt --- snort-2.9.0.1/doc/signatures/668.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/668.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-668
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where tab characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of tab characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with tabs in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with tab characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.9.0.1/doc/signatures/669.txt snort-2.9.2/doc/signatures/669.txt
--- snort-2.9.0.1/doc/signatures/669.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/669.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-669
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where linefeed characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of linefeed characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with linefeeds in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.9.0.1/doc/signatures/670.txt snort-2.9.2/doc/signatures/670.txt
--- snort-2.9.0.1/doc/signatures/670.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/670.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-670
-
---
-Summary:
-This event is generated when an external attacker attempts to use a specific exploit against Sendmail that allows the attacker to execute remote commands on the server, and to email files from the server to a remote email account.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, possibly leading to remote root compromise, or at the very least, information disclosure.
-
---
-Detailed Information:
-Sendmail 8.6.9 and earlier contain a vulnerability related to the parsing of commands passed from ident to Sendmail. An attacker can use a specific exploit to send a message through the mail server. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. The exploit in question allows the attacker to execute commands to email files from the server to a remote email account.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.9 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email generated by the exploit, and customizes it to mail the server's password file to a remote email account. The attacker then cracks the passwords in the password file and is able to access the server directly.
-
---
-Ease of Attack:
-Simple. An exploit exists.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to Sendmail 8.6.10 or higher.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.9.0.1/doc/signatures/671.txt snort-2.9.2/doc/signatures/671.txt
--- snort-2.9.0.1/doc/signatures/671.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/671.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-671
-
---
-Summary:
-This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where unexpected characters in ident messages are not properly parsed.
-
---
-Impact:
-Severe. Remote execution of arbitrary code, leading to remote root compromise.
-
---
-Detailed Information:
-Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of unexpected characters (in this case, newline characters and a carriage return) in commands passed from ident to Sendmail. An attacker can use a specially crafted command with unexpected characters in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
-
---
-Affected Systems:
-Systems running unpatched versions of Sendmail 8.6.10 or earlier.
-
---
-Attack Scenarios:
-An attacker sends an email with newline characters and a carriage return, including a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
-
---
-Ease of Attack:
-Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Upgrade to the latest version of Sendmail.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
-
-Bugtraq
-http://www.securityfocus.com/bid/2311
-
---
diff -Nru snort-2.9.0.1/doc/signatures/672.txt snort-2.9.2/doc/signatures/672.txt
--- snort-2.9.0.1/doc/signatures/672.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/672.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-672
-
---
-Summary:
-This event is generated when a remote user attempts to scan for a vulnerability in the VRFY command on internal SMTP servers.
-
---
-Impact:
-Information gathering, possibly leading to a future attack and system compromise.
-
---
-Detailed Information:
-If the decode alias on the Sendmail server is enabled, an attacker may be able to send messages to the decode alias email address, creating or overwriting files on the server. Vulnerability scanners use the "vrfy decode" command to verify that a decode alias is enabled.
-
---
-Affected Systems:
-Systems running Sendmail.
-
---
-Attack Scenarios:
-An attacker scans the server to determine that the decode alias exists. The attacker then sends an email address to the decode alias on the server, with directives to overwrite or create files on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the decode alias by commenting out the "decode |/usr/bin/uudecode" line in your Sendmail aliases file.
-
---
-Contributors:
-Original rule written by Max Vision
-Modified by Brian Caswell
-Sourcefire Research Team
-Sourcefire Technical Publications Team
-Jen Harvey
-
---
-Additional References:
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0096
-
---
diff -Nru snort-2.9.0.1/doc/signatures/673.txt snort-2.9.2/doc/signatures/673.txt
--- snort-2.9.0.1/doc/signatures/673.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/673.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-NGSSoftware Advisory:
-http://www.nextgenss.com/advisories/mssql-jobs2.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/674.txt snort-2.9.2/doc/signatures/674.txt
--- snort-2.9.0.1/doc/signatures/674.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/674.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-674
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/675.txt snort-2.9.2/doc/signatures/675.txt
--- snort-2.9.0.1/doc/signatures/675.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/675.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-675
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/676.txt snort-2.9.2/doc/signatures/676.txt
--- snort-2.9.0.1/doc/signatures/676.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/676.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,75 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-NGSSoftware Advisory:
-http://www.nextgenss.com/advisories/mssql-jobs2.txt
-
---
diff -Nru snort-2.9.0.1/doc/signatures/677.txt snort-2.9.2/doc/signatures/677.txt
--- snort-2.9.0.1/doc/signatures/677.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/677.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-677
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/678.txt snort-2.9.2/doc/signatures/678.txt
--- snort-2.9.0.1/doc/signatures/678.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/678.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-678
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/679.txt snort-2.9.2/doc/signatures/679.txt
--- snort-2.9.0.1/doc/signatures/679.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/679.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_addp_0awi.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/680.txt snort-2.9.2/doc/signatures/680.txt
--- snort-2.9.0.1/doc/signatures/680.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/680.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/681.txt snort-2.9.2/doc/signatures/681.txt
--- snort-2.9.0.1/doc/signatures/681.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/681.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,80 +0,0 @@
-Rule:
-
---
-Sid:
-681
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-Affected Systems:
- Microsoft SQL Servers
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/en-us/tsqlref/ts_xp_aa-sz_4jxo.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/682.txt snort-2.9.2/doc/signatures/682.txt
--- snort-2.9.0.1/doc/signatures/682.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/682.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
-
-Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
-
-This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/683.txt snort-2.9.2/doc/signatures/683.txt
--- snort-2.9.0.1/doc/signatures/683.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/683.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-683
-
---
-
-Summary:
-This event is generated when a command is issued to an SQL database
-server that may result in a serious compromise of the data stored on
-that system.
-
---
-Impact:
-Serious. An attacker may have gained administrator access to the system.
-
---
-Detailed Information:
-This event is generated when an attacker issues a special command to an
-SQL database that may result in a serious compromise of all data stored
-on that system.
-
-Such commands may be used to gain access to a system with the privileges
-of an administrator, delete data, add data, add users, delete users,
-return sensitive information or gain intelligence on the server software
-for further system compromise.
-
-This connection can either be a legitimate telnet connection or the
-result of spawning a remote shell as a consequence of a successful
-network exploit.
-
---
-
-Attack Scenarios:
-Simple. These are SQL database commands.
-
---
-
-Ease of Attack:
-Simple.
-
---
-
-False Positives:
-This event may be generated by a database administrator logging in and
-issuing database commands from a location outside the protected network.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Disallow direct access to the SQL server from sources external to the
-protected network.
-
-Ensure that this event was not generated by a legitimate session then
-investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft MSDN:
-http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_pa-pz_5x44.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/684.txt snort-2.9.2/doc/signatures/684.txt
--- snort-2.9.0.1/doc/signatures/684.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/684.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -684 - --- - -Summary: -This event is generated when a command is issued to an SQL database -server that may result in a serious compromise of the data stored on -that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an -SQL database that may result in a serious compromise of all data stored -on that system. - -Such commands may be used to gain access to a system with the privileges -of an administrator, delete data, add data, add users, delete users, -return sensitive information or gain intelligence on the server software -for further system compromise. - -This connection can either be a legitimate telnet connection or the -result of spawning a remote shell as a consequence of a successful -network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and -issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the -protected network. - -Ensure that this event was not generated by a legitimate session then -investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. 
- --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Microsoft SQL Command summary: -http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_da-di_8nas.asp - --- diff -Nru snort-2.9.0.1/doc/signatures/685.txt snort-2.9.2/doc/signatures/685.txt --- snort-2.9.0.1/doc/signatures/685.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/685.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,80 +0,0 @@ -Rule: - --- -Sid: -685 - --- - -Summary: -This event is generated when a command is issued to an SQL database -server that may result in a serious compromise of the data stored on -that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an -SQL database that may result in a serious compromise of all data stored -on that system. - -Such commands may be used to gain access to a system with the privileges -of an administrator, delete data, add data, add users, delete users, -return sensitive information or gain intelligence on the server software -for further system compromise. - -This connection can either be a legitimate telnet connection or the -result of spawning a remote shell as a consequence of a successful -network exploit. - --- -Affected Systems: - Microsoft SQL Servers - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and -issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the -protected network. - -Ensure that this event was not generated by a legitimate session then -investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. 
- --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Microsoft MSDN: -http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_addp_0awi.asp - --- diff -Nru snort-2.9.0.1/doc/signatures/686.txt snort-2.9.2/doc/signatures/686.txt --- snort-2.9.0.1/doc/signatures/686.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/686.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/687.txt snort-2.9.2/doc/signatures/687.txt --- snort-2.9.0.1/doc/signatures/687.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/687.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,75 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database -server that may result in a serious compromise of the data stored on -that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an -SQL database that may result in a serious compromise of all data stored -on that system. - -Such commands may be used to gain access to a system with the privileges -of an administrator, delete data, add data, add users, delete users, -return sensitive information or gain intelligence on the server software -for further system compromise. - -This connection can either be a legitimate telnet connection or the -result of spawning a remote shell as a consequence of a successful -network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and -issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the -protected network. - -Ensure that this event was not generated by a legitimate session then -investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CERT: -http://www.cert.org/incident_notes/IN-2002-04.html - --- diff -Nru snort-2.9.0.1/doc/signatures/688.txt snort-2.9.2/doc/signatures/688.txt --- snort-2.9.0.1/doc/signatures/688.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/688.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/689.txt snort-2.9.2/doc/signatures/689.txt --- snort-2.9.0.1/doc/signatures/689.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/689.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/690.txt snort-2.9.2/doc/signatures/690.txt --- snort-2.9.0.1/doc/signatures/690.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/690.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -690 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/691.txt snort-2.9.2/doc/signatures/691.txt --- snort-2.9.0.1/doc/signatures/691.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/691.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/692.txt snort-2.9.2/doc/signatures/692.txt --- snort-2.9.0.1/doc/signatures/692.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/692.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/693.txt snort-2.9.2/doc/signatures/693.txt --- snort-2.9.0.1/doc/signatures/693.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/693.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/694.txt snort-2.9.2/doc/signatures/694.txt --- snort-2.9.0.1/doc/signatures/694.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/694.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: - --- - -Summary: -This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system. - --- -Impact: -Serious. An attacker may have gained administrator access to the system. - --- -Detailed Information: -This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system. - -Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. - -This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. - --- - -Attack Scenarios: -Simple. These are SQL database commands. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. - --- -False Negatives: -None Known - --- - -Corrective Action: -Disallow direct access to the SQL server from sources external to the protected network. - -Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise - -Look for other events generated by the same IP addresses. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/695.txt snort-2.9.2/doc/signatures/695.txt --- snort-2.9.0.1/doc/signatures/695.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/695.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -695 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/696.txt snort-2.9.2/doc/signatures/696.txt --- snort-2.9.0.1/doc/signatures/696.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/696.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -696 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/697.txt snort-2.9.2/doc/signatures/697.txt --- snort-2.9.0.1/doc/signatures/697.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/697.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -697 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/698.txt snort-2.9.2/doc/signatures/698.txt --- snort-2.9.0.1/doc/signatures/698.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/698.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -698 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/699.txt snort-2.9.2/doc/signatures/699.txt --- snort-2.9.0.1/doc/signatures/699.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/699.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -699 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/700.txt snort-2.9.2/doc/signatures/700.txt --- snort-2.9.0.1/doc/signatures/700.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/700.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -700 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/701.txt snort-2.9.2/doc/signatures/701.txt --- snort-2.9.0.1/doc/signatures/701.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/701.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@ -Rule: - --- -Sid: -701 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in Microsoft SQL. - --- -Impact: -Information gathering and data integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to an implementation of Microsoft SQL server or client. This can -lead to unauthorized access and possibly escalated privileges to that of -the administrator. Data stored on the machine can be compromised and -trust relationships between the victim server and other hosts can be -exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/702.txt snort-2.9.2/doc/signatures/702.txt --- snort-2.9.0.1/doc/signatures/702.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/702.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-702
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/703.txt snort-2.9.2/doc/signatures/703.txt
--- snort-2.9.0.1/doc/signatures/703.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/703.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-703
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/704.txt snort-2.9.2/doc/signatures/704.txt
--- snort-2.9.0.1/doc/signatures/704.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/704.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-704
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/705.txt snort-2.9.2/doc/signatures/705.txt
--- snort-2.9.0.1/doc/signatures/705.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/705.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-705
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/706.txt snort-2.9.2/doc/signatures/706.txt
--- snort-2.9.0.1/doc/signatures/706.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/706.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,79 +0,0 @@
-Rule:
-
---
-Sid:
-
-706
-
---
-Summary:
-This event is generated when an attempt is made to exploit a
-vulnerability in Microsoft SQL Server and Data Engine.
-
---
-Impact:
-Serious. Full system compromise is possible.
-
---
-Detailed Information:
-A buffer overflow condition in the xp_peekqueue variable exists which
-may allow the execution of an arbitary command with administrative
-priviledge.
-
-The vulnerability occurs in API Srv_paraminfo(), which is implemented by
-Extended Stored Procedures (XPs) in Microsoft SQL Server and Data
-Engine. It may also be possible for attackers to execute arbitrary code
-on the host running SQL Server.
-
-
---
-Affected Systems:
-
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
- Microsoft Data Engine 1.0
- Microsoft Data Engine 2000
-
-
---
-Attack Scenarios:
-
-An attacker can pass an overly long string to the XP xp_peekqueue,
-a buffer overflow can occur due to an unsafe memory copy. This can cause
-SQL Server to crash.
-
-
---
-Ease of Attack:
-
-Simple. Exploit scripts are available.
-
---
-False Positives:
-
-None known
-
---
-False Negatives:
-
-None known
-
---
-Corrective Action:
-
-Apply the appropriate vendor supplied patch
-(Microsoft Patch Q280380 , Microsoft Patch Q280380)
-
---
-Contributors:
-Original Rule Writer Unknown
-Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2040/
---
diff -Nru snort-2.9.0.1/doc/signatures/707.txt snort-2.9.2/doc/signatures/707.txt
--- snort-2.9.0.1/doc/signatures/707.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/707.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-707
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in Microsoft SQL.
-
---
-Impact:
-Information gathering and data integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to an implementation of Microsoft SQL server or client. This can
-lead to unauthorized access and possibly escalated privileges to that of
-the administrator. Data stored on the machine can be compromised and
-trust relationships between the victim server and other hosts can be
-exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/708.txt snort-2.9.2/doc/signatures/708.txt
--- snort-2.9.0.1/doc/signatures/708.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/708.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid: 708
-
---
-
-Summary:
-This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine.
-
---
-Impact:
-Serious. A Denial of Service condition or execution of arbitrary code is possible.
-
---
-Detailed Information:
-A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server.
-
-The attacker must gain access to the SQL Server to exploit this vulnerability.
-
---
-
-Attack Scenarios:
-Exploit code exists.
-
---
-
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known
-
---
-
-Corrective Action:
-Apply the appropriate vendor supplied patches.
-
-Disallow direct access to the SQL server from sources external to the protected network.
-
-Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
-
-Look for other events generated by the same IP addresses.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082
-
-Bugtraq:
-http://www.securityfocus.com/bid/2031
-
-Microsoft:
-http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/709.txt snort-2.9.2/doc/signatures/709.txt
--- snort-2.9.0.1/doc/signatures/709.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/709.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-709
-
---
-Summary:
-This event is generated after an attempted login to a telnet server
-using the username 4Dgifts.
-
---
-Impact:
-Unauthorized remote access.
-
---
-Detailed Information:
-This event is generated when an attempt is made to login to a server
-using the username 4Dgifts via Telnet. This is a default account on some
-SGI based machines. The password may also be 4Dgifts or it may not have
-a password assigned.
-
-Repeated events from this rule may indicate a determined effort to guess
-the password for this account.
-
---
-Affected Systems:
- SGI Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server using the username
-4Dgifts.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the 4Dgifts account.
-
-Use ssh as an alternative to Telnet
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/710.txt snort-2.9.2/doc/signatures/710.txt
--- snort-2.9.0.1/doc/signatures/710.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/710.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,71 +0,0 @@
-Rule:
-
---
-Sid:
-710
-
---
-Summary:
-This event is generated after an attempted login to a telnet server
-using the username OutOfBox.
-
---
-Impact:
-Unauthorized remote access.
-
---
-Detailed Information:
-Some SGI machines are shipped with an easy setup group of scripts to
-assist the user when setting up the host. This group of programs is
-called EZsetup and may install some passwordless default accounts on the
-machine.
-
-This event is generated when an attempt is made to login to a server
-using the username OutOfBox via Telnet. This is a default account on some
-SGI based machines. The password may also be OutOfBox or it may not have
-a password assigned.
-
-Repeated events from this rule may indicate a determined effort to guess
-the password for this account.
-
---
-Affected Systems:
- SGI Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server using the username
-OutOfBox.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disable the OutOfBox account.
-
-Choose the most secure options when using EZsetup.
-
-Use ssh as an alternative to Telnet
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/711.txt snort-2.9.2/doc/signatures/711.txt
--- snort-2.9.0.1/doc/signatures/711.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/711.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-711
-
---
-Summary:
-This event is generated when an attempt is made to exploit a flaw in SGI IRIX's telnetd.
-
---
-Impact:
-Serious. Arbitrary code execution. Possible remote root compromise of
-the host.
-
---
-Detailed Information:
-When setting one of the _RDL environment variables, IRIX's telnetd logs
-the information via syslog. When telnetd calls syslog, it is possible to
-manipulate the variable to overwrite values on the stack so that code
-given is executed as the user telnetd is run as, typically root.
-
---
-Affected Systems:
- SGI IRIX versions 6.2 to 6.5.8
- SGI IRIX versions 5.2 to 6.1 with patches 1010 and 1020.
-
---
-Attack Scenarios:
-An attacker can gain a root shell with this attack.
-
---
-Ease of Attack:
-Simple. Exploit code exisits and is readily available.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Apply patch from SGI.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-Snort documentation contributed by Josh Sakofsky
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS304
-
-Bugtraq:
-http://www.securityfocus.com/bid/1572
-
---
diff -Nru snort-2.9.0.1/doc/signatures/712.txt snort-2.9.2/doc/signatures/712.txt
--- snort-2.9.0.1/doc/signatures/712.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/712.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-712
-
---
-Summary:
-This event is generated when an attempt is made to set an environment
-variable in a Telnet session to a server.
-
---
-Impact:
-Unauthorized superuser access.
-
---
-Detailed Information:
-This event is generated when an attempt is made to use the environment
-variable ld_library_path in a Telnet session.
-
---
-Affected Systems:
- Telnet servers.
-
---
-Attack Scenarios:
-An attacker can attempt to set the environment variable ld_library_path
-and then attempt to exploit a known vulnerability in some SunOS based
-systems.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use ssh as an alternative to Telnet
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/43
-
---
diff -Nru snort-2.9.0.1/doc/signatures/713.txt snort-2.9.2/doc/signatures/713.txt
--- snort-2.9.0.1/doc/signatures/713.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/713.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,70 +0,0 @@
-Rule:
---
-Sid:
-713
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a Lucent/Livingston Portmaster router.
-
---
-Impact:
-Denial of Service (DoS).
-
---
-Detailed Information:
-This event is generated when an attempt is made to issue a Denial of
-Service (DoS) attack against a Livingston/Lucent router. In some
-situations malformed data sent to the Telnet service on the router can
-cause the DoS to occur.
-
-Lucent Portmaster routers were previously known as Livingston Portmaster
-from Livingston Technologies.
-
---
-Affected Systems:
- Lucent Portmaster 1.0
- Lucent Portmaster 2.0
- Lucent Portmaster 3.0
-
---
-Attack Scenarios:
-The attacker can use one of the publicly available exploit scripts.
-
---
-Ease of Attack:
-Simple. Exploit code exists.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-The Portmaster series of routers is no longer available.
-
-Disable the Telnet service if possible.
-
-Reboot the router to regain the service
-
---
-Contributors:
-Original Rule Writer Unknown
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-Bugtraq:
-http://www.securityfocus.com/bid/2225
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0218
-
---
diff -Nru snort-2.9.0.1/doc/signatures/714.txt snort-2.9.2/doc/signatures/714.txt
--- snort-2.9.0.1/doc/signatures/714.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/714.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@
-Rule:
-resolv_host_conf"; flow:to_server,established;
-content:"resolv_host_conf"; reference:arachnids,369;
-reference:url,www.securityfocus.com/bid/2181; classtype:attempted-admin;
-sid:714; rev:4;)
-
---
-
-Sid:
-
-714
-
---
-
-Summary:
-
-The RESOLV_HOST_CONF variable is being manipulated on your Telnet host.
-
---
-
-Impact:
-
-Elevated priviledges (file reads).
-
---
-
-Detailed Information:
-
-The RESOLV_HOST_CONF variable, used by suid and sgid applications, isn't
-properly validated in some versions of glibc. As a result, an attacker
-can use an suid or sgid root program to gain access to files they're not
-supposed to have.
-
---
-
-Affected Systems:
-
-UNIX systems with unpatched glibc 2.1.x or 2.2.x implementations.
-
---
-
-Attack Scenarios:
-
-Attacker sets the RESOLVE_HOST_CONF variable to the filename of any
-protected file (for example, /etc/shadow), and then runs an suid or sgid
-root program. The contents of the protected file are then echoed to the
-console in a series of error messages.
-
---
-
-Ease of Attack:
-
-Simple.
-
---
-
-False Positives:
-
-None known.
-
---
-
-False Negatives:
-
-None known.
-
---
-
-Corrective Action:
-
-Install the latest vendor-supplied glibc implementation.
-
---
-
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
-
---
-
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS369
-
-Bugtraq:
-http://www.securityfocus.com/bid/2181
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/715.txt snort-2.9.2/doc/signatures/715.txt
--- snort-2.9.0.1/doc/signatures/715.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/715.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,57 +0,0 @@
-Rule:
-
---
-Sid:
-715
-
---
-Summary:
-This event is generated when a telnet server sends an error message regarding a failed user attempt to issue the 'su' command to get root privileges.
-
---
-Impact:
-Failed root access. This attack occurs when a user attempts to get root privileges using the su command.
-
---
-Detailed Information:
-An attacker may attempt to gain root privileges by issuing the su command. This implies that the attacker has successfully connected to the telnet server with an account other than root. A failed attempt will cause an error message to be generated indicating that the user is not a member of an authorized group to obtain root privileges.
-
---
-Affected Systems:
-All telnet servers.
-
---
-Attack Scenarios:
-At attacker may attempt to gain root privileges on a telnet server.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-It is remotely possible that a legitimate user with multiple user accounts may attempt to issue su command from the wrong account.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use ssh instead of telnet to prevent su passwords from being sniffed.
-
-Tightly restric su access to authorized users.
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule writer unknown
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/716.txt snort-2.9.2/doc/signatures/716.txt
--- snort-2.9.0.1/doc/signatures/716.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/716.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-716
-
---
-Summary:
-This event is generated when a remote user successfully connects to a telnet server.
-
---
-Impact:
-Remote access. This event may be an indication of a successful telnet connection by an authorized or unauthorized user.
-
---
-Detailed Information:
-A message is generated by a telnet server after a successful connection. This particular event occurs when a remote user who does not belong to the internal network successfully connects to a telnet server. This may be a legimate connection by an authorized user or a undesired connection by an unauthorized user. Since telnet connections are not encrypted, it is possible that user accounts and passwords may be sniffed and used by attackers. Telnet connections are not considered to be secure especially over the Internet. Secure shell is the recommended service for remote connectivity since it uses encrypted sessions.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server after sniffing a username and password.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-If authorized users are allowed to connect remotely using telnet, disable this rule.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
-Consider using Secure Shell instead of telnet.
-
-Block inbound telnet connections if it is not required.
-
---
-Contributors:
-Original rule written by Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0619
-
-Arachnids:
-http://www.whitehats.com/info/IDS08
-
---
diff -Nru snort-2.9.0.1/doc/signatures/717.txt snort-2.9.2/doc/signatures/717.txt
--- snort-2.9.0.1/doc/signatures/717.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/717.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-717
-
---
-Summary:
-This event is generated when a failed remote telnet connection occurs using the root account.
-
---
-Impact:
-Failed root access. This event indicates that an attacker tried an failed to connect to a telnet server using the root account.
-
-
---
-Detailed Information:
-Telnet servers can be configured to disallow connections using the root account. If root privileges are required, the root user must log on to the telnet server's console directly. A failed telnet connection using the root account will generate an error message.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to log on to a telnet server using the root account.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-
-Disable root logins using telnet.
-
-Consider using Secure Shell instead of telnet.
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule written by Ron Gula
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS365
-
---
diff -Nru snort-2.9.0.1/doc/signatures/718.txt snort-2.9.2/doc/signatures/718.txt
--- snort-2.9.0.1/doc/signatures/718.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/718.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-718
-
---
-Summary:
-This event is generated when an attempted telnet login fails from a remote user.
-
---
-Impact:
-Attempted remote access. This event may indicate that an attacker is attempting to guess username and password combinations. Alternately, it may indicate that an authorized user has entered an incorrect username and password combination.
-
---
-Detailed Information:
-A telnet server will issue an error message after a failed login attempt. This may be an indication of an attacker attempting brute force guessing of username and password combinations. It is also possible that an authorized user has incorrectly entered a legitimate username and password combination. Telnet traffic is passed in clear text so it is not recommended for remote connections. Secure Shell is considered to be a more secure alternative.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to guess username and password combinations.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This event may be triggered by a failed telnet login attempt from a remote user.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Consider using Secure Shell instead of telnet.
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule writer Max Vision
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Arachnids:
-http://www.whitehats.com/info/IDS127
-
---
diff -Nru snort-2.9.0.1/doc/signatures/719.txt snort-2.9.2/doc/signatures/719.txt
--- snort-2.9.0.1/doc/signatures/719.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/719.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-719
-
---
-Summary:
-This event is generated after an attempted login to a telnet server
-using the username root.
-
---
-Impact:
-Remote root access. This may or may not indicate a successful root
-login to a telnet server.
-
---
-Detailed Information:
-This event is generated after a telnet server observes an attempted
-login with the username root. It is not possible to tell from this
-event alone whether or not the attempt was successful. If this is
-followed by a login failure event, the root login did not succeeed.
-However, if no failure message is observed and the rule with SID 718 is
-enabled, this may indicate that the root login succeeded.
-
---
-Affected Systems:
-Telnet servers.
-
---
-Attack Scenarios:
-An attacker may attempt to connect to a telnet server using the username
-of root.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Consider using Secure Shell instead of telnet.
-
-Disable root logins to telnet.
-
-
-Block inbound telnet access if it is not required.
-
---
-Contributors:
-Original rule writer unknown.
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/720.txt snort-2.9.2/doc/signatures/720.txt
--- snort-2.9.0.1/doc/signatures/720.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/720.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-Rule:
-
---
-Sid:
-720
-
---
-Summary:
-This event is generated when email is received from a Post Office Protocol (POP) server that may contain an attachment with the Snow White worm.
-
---
-Impact:
-Possible system compromise. The worm can alter system files and registry key settings.
-
---
-Detailed Information:
-The Snow White worm, also known as Hybris, may contain text with a unique misspelling of "Suddlently". This worm attempts to write to the wsock32.dll library. It may also attempt to alter registry key settings.
-
---
-Affected Systems:
-Microsoft Win32 systems.
-
---
-Attack Scenarios:
-The worm is spread by e-mail and attempts to infect other hosts when a user opens the e-mail attachment.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-This event is triggered when an e-mail is received from a POP server that contains the misspelled word "Suddlently".
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Make sure that the suspected infected host has the most current anti-virus software.
-
-Run a virus scan on the suspected infected host.
-
---
-Contributors:
-Original rule writer unknown.
-Documented by Steven Alexander
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-F-Secure:
-http://www.f-secure.com/v-descs/hybris.shtml
-
---
diff -Nru snort-2.9.0.1/doc/signatures/721.txt snort-2.9.2/doc/signatures/721.txt
--- snort-2.9.0.1/doc/signatures/721.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/721.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-721
-
---
-Summary:
-This event is generated when network activity indicating possible virus
-infection is detected.
-
---
-Impact:
-Malicious code infection. This event may indicate that an internal host
-may be infected with some kind of malicious code.
-
---
-Detailed Information:
-This event may indicate a possible virus infection of a host on the
-protected network.
-
---
-Affected Systems:
- Various systems
-
---
-Attack Scenarios:
-Viruses may propogate in many different ways. Many arrive in the form of
-email attachments that an unsuspecting user may trigger by opening the
-attachment. Once infected, many viruses have the ability to use the
-infected host as a means of spreading copies of itself to other machines
-on the protected and external networks.
-
---
-Ease of Attack:
-Simple
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Use antivirus software on hosts to terminate infectors.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/724.txt snort-2.9.2/doc/signatures/724.txt
--- snort-2.9.0.1/doc/signatures/724.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/724.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,90 +0,0 @@ -Rule: - --- -Sid: -724 - --- -Summary: -This event is generated when worm activity is detected. More specifcally -this event indicates possible "My Romeo" propogation. - --- -Impact: -Serious. The victim host may be infected with a worm. - --- -Detailed Information: -This worm propogates via electronic mail and exploits a known -vulnerability in the way that versions of Microsoft Outlook and Internet -Explorer handle trusted HTML pages. The worm is launched via a compiled -HTML file (.chm) which is used by Microsoft WIndows Help. - -The executable part of the worm is called from within the trusted -compiled HTML file. The worm attempts to propagate using hard coded -addresses of SMTP servers. - -This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A - --- -Affected Systems: - Microsoft Windows 9x - Microsoft Windows 2000 - --- -Attack Scenarios: -Symantec Anti-Virus center states that the worm arrives as an email -message that has an HTML body and two attachments named Myjuliet.chm -and Myromeo.exe. The subject of the email is selected at random from -the following set: - -Romeo&Juliet -hello world -subject -ble bla, bee -I Love You ;) -sorry... -Hey you ! -Matrix has you... -my picture -from shake-beer - --- -Ease of Attack: -Simple. This is worm activity. - --- -False Positives: -Legitimate electronic mail containing the known subject lines used by -MyRomeo may cause this rule to generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Use Anti-Virus software to detect and delete virus laden email. - -This worm makes changes to the system registry, removal of the affected -registry keys should be done using an appropriate virus removal tool or -by an experienced Windows administrator. 
- --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -McAfee -http://vil.nai.com/vil/content/v_98894.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/725.txt snort-2.9.2/doc/signatures/725.txt --- snort-2.9.0.1/doc/signatures/725.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/725.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,91 +0,0 @@ -Rule: - --- -Sid: -725 - - --- -Summary: -This event is generated when worm activity is detected. More specifcally -this event indicates possible "My Romeo" propogation. - --- -Impact: -Serious. The victim host may be infected with a worm. - --- -Detailed Information: -This worm propogates via electronic mail and exploits a known -vulnerability in the way that versions of Microsoft Outlook and Internet -Explorer handle trusted HTML pages. The worm is launched via a compiled -HTML file (.chm) which is used by Microsoft WIndows Help. - -The executable part of the worm is called from within the trusted -compiled HTML file. The worm attempts to propagate using hard coded -addresses of SMTP servers. - -This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A - --- -Affected Systems: - Microsoft Windows 9x - Microsoft Windows 2000 - --- -Attack Scenarios: -Symantec Anti-Virus center states that the worm arrives as an email -message that has an HTML body and two attachments named Myjuliet.chm -and Myromeo.exe. The subject of the email is selected at random from -the following set: - -Romeo&Juliet -hello world -subject -ble bla, bee -I Love You ;) -sorry... -Hey you ! -Matrix has you... -my picture -from shake-beer - --- -Ease of Attack: -Simple. This is worm activity. - --- -False Positives: -Legitimate electronic mail containing the known subject lines used by -MyRomeo may cause this rule to generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Use Anti-Virus software to detect and delete virus laden email. - -This worm makes changes to the system registry, removal of the affected -registry keys should be done using an appropriate virus removal tool or -by an experienced Windows administrator. 
- --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -McAfee -http://vil.nai.com/vil/content/v_98894.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/726.txt snort-2.9.2/doc/signatures/726.txt --- snort-2.9.0.1/doc/signatures/726.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/726.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,91 +0,0 @@ -Rule: - --- -Sid: -726 - - --- -Summary: -This event is generated when worm activity is detected. More specifcally -this event indicates possible "My Romeo" propogation. - --- -Impact: -Serious. The victim host may be infected with a worm. - --- -Detailed Information: -This worm propogates via electronic mail and exploits a known -vulnerability in the way that versions of Microsoft Outlook and Internet -Explorer handle trusted HTML pages. The worm is launched via a compiled -HTML file (.chm) which is used by Microsoft WIndows Help. - -The executable part of the worm is called from within the trusted -compiled HTML file. The worm attempts to propagate using hard coded -addresses of SMTP servers. - -This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A - --- -Affected Systems: - Microsoft Windows 9x - Microsoft Windows 2000 - --- -Attack Scenarios: -Symantec Anti-Virus center states that the worm arrives as an email -message that has an HTML body and two attachments named Myjuliet.chm -and Myromeo.exe. The subject of the email is selected at random from -the following set: - -Romeo&Juliet -hello world -subject -ble bla, bee -I Love You ;) -sorry... -Hey you ! -Matrix has you... -my picture -from shake-beer - --- -Ease of Attack: -Simple. This is worm activity. - --- -False Positives: -Legitimate electronic mail containing the known subject lines used by -MyRomeo may cause this rule to generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Use Anti-Virus software to detect and delete virus laden email. - -This worm makes changes to the system registry, removal of the affected -registry keys should be done using an appropriate virus removal tool or -by an experienced Windows administrator. 
- --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -McAfee -http://vil.nai.com/vil/content/v_98894.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/727.txt snort-2.9.2/doc/signatures/727.txt --- snort-2.9.0.1/doc/signatures/727.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/727.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,91 +0,0 @@ -Rule: - --- -Sid: -727 - - --- -Summary: -This event is generated when worm activity is detected. More specifcally -this event indicates possible "My Romeo" propogation. - --- -Impact: -Serious. The victim host may be infected with a worm. - --- -Detailed Information: -This worm propogates via electronic mail and exploits a known -vulnerability in the way that versions of Microsoft Outlook and Internet -Explorer handle trusted HTML pages. The worm is launched via a compiled -HTML file (.chm) which is used by Microsoft WIndows Help. - -The executable part of the worm is called from within the trusted -compiled HTML file. The worm attempts to propagate using hard coded -addresses of SMTP servers. - -This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A - --- -Affected Systems: - Microsoft Windows 9x - Microsoft Windows 2000 - --- -Attack Scenarios: -Symantec Anti-Virus center states that the worm arrives as an email -message that has an HTML body and two attachments named Myjuliet.chm -and Myromeo.exe. The subject of the email is selected at random from -the following set: - -Romeo&Juliet -hello world -subject -ble bla, bee -I Love You ;) -sorry... -Hey you ! -Matrix has you... -my picture -from shake-beer - --- -Ease of Attack: -Simple. This is worm activity. - --- -False Positives: -Legitimate electronic mail containing the known subject lines used by -MyRomeo may cause this rule to generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Use Anti-Virus software to detect and delete virus laden email. - -This worm makes changes to the system registry, removal of the affected -registry keys should be done using an appropriate virus removal tool or -by an experienced Windows administrator. 
- --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -McAfee -http://vil.nai.com/vil/content/v_98894.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/728.txt snort-2.9.2/doc/signatures/728.txt --- snort-2.9.0.1/doc/signatures/728.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/728.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,91 +0,0 @@ -Rule: - --- -Sid: -728 - - --- -Summary: -This event is generated when worm activity is detected. More specifcally -this event indicates possible "My Romeo" propogation. - --- -Impact: -Serious. The victim host may be infected with a worm. - --- -Detailed Information: -This worm propogates via electronic mail and exploits a known -vulnerability in the way that versions of Microsoft Outlook and Internet -Explorer handle trusted HTML pages. The worm is launched via a compiled -HTML file (.chm) which is used by Microsoft WIndows Help. - -The executable part of the worm is called from within the trusted -compiled HTML file. The worm attempts to propagate using hard coded -addresses of SMTP servers. - -This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A - --- -Affected Systems: - Microsoft Windows 9x - Microsoft Windows 2000 - --- -Attack Scenarios: -Symantec Anti-Virus center states that the worm arrives as an email -message that has an HTML body and two attachments named Myjuliet.chm -and Myromeo.exe. The subject of the email is selected at random from -the following set: - -Romeo&Juliet -hello world -subject -ble bla, bee -I Love You ;) -sorry... -Hey you ! -Matrix has you... -my picture -from shake-beer - --- -Ease of Attack: -Simple. This is worm activity. - --- -False Positives: -Legitimate electronic mail containing the known subject lines used by -MyRomeo may cause this rule to generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Use Anti-Virus software to detect and delete virus laden email. - -This worm makes changes to the system registry, removal of the affected -registry keys should be done using an appropriate virus removal tool or -by an experienced Windows administrator. 
- --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -McAfee -http://vil.nai.com/vil/content/v_98894.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/729.txt snort-2.9.2/doc/signatures/729.txt --- snort-2.9.0.1/doc/signatures/729.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/729.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -729 - --- -Summary: -This event is generated when network traffic indicating the use of a -multimedia application is detected. - --- -Impact: -This may be a violation of corporate policy since these applications can -be used to bypass security measures designed to restrict the flow of -corporate information to destinations external to the corporation. - --- -Detailed Information: -Multimedia client applications can be used to view movies and listen to -music files. Some also include file sharing facilities. Use of these -programs may constitute a violation of company policy. - -Clients may also contain vulnerabilities that can give an attacker an -attack vector for delivering Trojan horse programs and viruses. - --- -Affected Systems: - All systems running multimedia applications - --- -Attack Scenarios: -A user can download files from a source external to the protected -network that may contain malicious code hidden in the file giving an -attacker the opportunity to gain access to a host inside the protected -network. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/730.txt snort-2.9.2/doc/signatures/730.txt --- snort-2.9.0.1/doc/signatures/730.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/730.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -730 - --- -Summary: -This event is generated when network traffic indicating the use of a -multimedia application is detected. - --- -Impact: -This may be a violation of corporate policy since these applications can -be used to bypass security measures designed to restrict the flow of -corporate information to destinations external to the corporation. - --- -Detailed Information: -Multimedia client applications can be used to view movies and listen to -music files. Some also include file sharing facilities. Use of these -programs may constitute a violation of company policy. - -Clients may also contain vulnerabilities that can give an attacker an -attack vector for delivering Trojan horse programs and viruses. - --- -Affected Systems: - All systems running multimedia applications - --- -Attack Scenarios: -A user can download files from a source external to the protected -network that may contain malicious code hidden in the file giving an -attacker the opportunity to gain access to a host inside the protected -network. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/731.txt snort-2.9.2/doc/signatures/731.txt --- snort-2.9.0.1/doc/signatures/731.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/731.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,97 +0,0 @@ -Rule: - --- -Sid: -731 - --- -Summary: -QAZ is a Trojan Horse. - --- -Impact: -Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. - --- -Detailed Information: -This Trojan affects the following operating systems: - - Windows 95 - Windows 98 - Windows ME - Windows NT - Windows 2000 - Windows XP - -No other systems are affected. This is a windows exceutable that makes changes to the system registry. - -The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot. - - SID Message - --- ------- - 108 QAZ Worm Client Login access - 731 Virus - Possible QAZ Worm (Indicates worm activity) - 775 Virus - Possible QAZ Worm Infection (Indicates worm activity) - 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail) - --- -Attack Scenarios: -This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example. - --- -Ease of Attack: -This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: - -This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator. - -Edit the system registry to remove the extra keys or restore a previously known good copy of the registry. - -Affected registry keys are: - - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run - -Registry keys added are: - - StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq - -This will start the Trojan each time notepad is executed. - -Look for the existence of the file note.com. 
The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb). - -A machine reboot is required to clear the existing process from running in memory. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Whitehats arachNIDS -http://www.whitehats.com/info/IDS501 -http://www.whitehats.com/info/IDS498 -http://www.whitehats.com/info/IDS499 - -McAfee -http://vil.nai.com/vil/content/v_98775.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html - -Diamond Computer Systems Security Advisory -http://www.diamondcs.com.au/web/alerts/qaz.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/732.txt snort-2.9.2/doc/signatures/732.txt --- snort-2.9.0.1/doc/signatures/732.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/732.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -732 - --- -Summary: -This event is generated when network traffic indicating the use of a -multimedia application is detected. - --- -Impact: -This may be a violation of corporate policy since these applications can -be used to bypass security measures designed to restrict the flow of -corporate information to destinations external to the corporation. - --- -Detailed Information: -Multimedia client applications can be used to view movies and listen to -music files. Some also include file sharing facilities. Use of these -programs may constitute a violation of company policy. - -Clients may also contain vulnerabilities that can give an attacker an -attack vector for delivering Trojan horse programs and viruses. - --- -Affected Systems: - All systems running multimedia applications - --- -Attack Scenarios: -A user can download files from a source external to the protected -network that may contain malicious code hidden in the file giving an -attacker the opportunity to gain access to a host inside the protected -network. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/733.txt snort-2.9.2/doc/signatures/733.txt --- snort-2.9.0.1/doc/signatures/733.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/733.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,97 +0,0 @@ -Rule: - --- -Sid: -733 - --- -Summary: -QAZ is a Trojan Horse. - --- -Impact: -Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. - --- -Detailed Information: -This Trojan affects the following operating systems: - - Windows 95 - Windows 98 - Windows ME - Windows NT - Windows 2000 - Windows XP - -No other systems are affected. This is a windows exceutable that makes changes to the system registry. - -The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot. - - SID Message - --- ------- - 108 QAZ Worm Client Login access - 731 Virus - Possible QAZ Worm (Indicates worm activity) - 775 Virus - Possible QAZ Worm Infection (Indicates worm activity) - 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail) - --- -Attack Scenarios: -This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example. - --- -Ease of Attack: -This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: - -This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator. - -Edit the system registry to remove the extra keys or restore a previously known good copy of the registry. - -Affected registry keys are: - - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run - -Registry keys added are: - - StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq - -This will start the Trojan each time notepad is executed. - -Look for the existence of the file note.com. 
The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb). - -A machine reboot is required to clear the existing process from running in memory. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Whitehats arachNIDS -http://www.whitehats.com/info/IDS501 -http://www.whitehats.com/info/IDS498 -http://www.whitehats.com/info/IDS499 - -McAfee -http://vil.nai.com/vil/content/v_98775.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html - -Diamond Computer Systems Security Advisory -http://www.diamondcs.com.au/web/alerts/qaz.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/734.txt snort-2.9.2/doc/signatures/734.txt --- snort-2.9.0.1/doc/signatures/734.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/734.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@ -Rule: - --- -Sid: -734 - --- -Summary: -This event is generated when Matrix worm activity is detected. - --- -Impact: -Severe - Windows system files can be deleted/replaced/infected -(Wsock32.dll, Explorer.exe and Rundll32.exe). - -The virus propagation is done when a user sends e-mail, but variants may -exist that display other characteristics. - --- -Detailed Information: -Matrix worm is distributed via e-mail when a user sends some e-mail to a recipient. The attachement name is random. File suffixes can be .exe, .com, .bat, .pif, .scr, .jpg.pif.. etc. The worm code uses plugins which can make the virus really dangerous (e.x. installing backdoors). Removal could be difficult, but free removal tools exist (see below). - --- -Attack Scenarios: -An attacker sends the Matrix worm using a MIME exploit which executes the virus code automatically. The worm can now distribute itself using the mail client of the user and can install backdoors and infect EXE files. - --- -Ease of Attack: -Simple. The worm does all the distribution work. - --- -False Positives: -E-Mail that contains the body "Software provide by [MATRiX]" - --- -False Negatives: -None known - --- -Corrective Action: -Symantec W95.MTX removal tool: http://www.sarc.com/avcenter/venc/data/w95.mtx.fix.tool.html - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Ueli Kistler, - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/735.txt snort-2.9.2/doc/signatures/735.txt --- snort-2.9.0.1/doc/signatures/735.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/735.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,91 +0,0 @@ -Rule: - --- -Sid: -735 - - --- -Summary: -This event is generated when worm activity is detected. More specifcally -this event indicates possible "My Romeo" propogation. - --- -Impact: -Serious. The victim host may be infected with a worm. - --- -Detailed Information: -This worm propogates via electronic mail and exploits a known -vulnerability in the way that versions of Microsoft Outlook and Internet -Explorer handle trusted HTML pages. The worm is launched via a compiled -HTML file (.chm) which is used by Microsoft WIndows Help. - -The executable part of the worm is called from within the trusted -compiled HTML file. The worm attempts to propagate using hard coded -addresses of SMTP servers. - -This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A - --- -Affected Systems: - Microsoft Windows 9x - Microsoft Windows 2000 - --- -Attack Scenarios: -Symantec Anti-Virus center states that the worm arrives as an email -message that has an HTML body and two attachments named Myjuliet.chm -and Myromeo.exe. The subject of the email is selected at random from -the following set: - -Romeo&Juliet -hello world -subject -ble bla, bee -I Love You ;) -sorry... -Hey you ! -Matrix has you... -my picture -from shake-beer - --- -Ease of Attack: -Simple. This is worm activity. - --- -False Positives: -Legitimate electronic mail containing the known subject lines used by -MyRomeo may cause this rule to generate an event. - --- -False Negatives: -None Known - --- -Corrective Action: -Apply the appropriate vendor supplied patches and service packs. - -Use Anti-Virus software to detect and delete virus laden email. - -This worm makes changes to the system registry, removal of the affected -registry keys should be done using an appropriate virus removal tool or -by an experienced Windows administrator. 
- --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -McAfee -http://vil.nai.com/vil/content/v_98894.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html - --- diff -Nru snort-2.9.0.1/doc/signatures/772.txt snort-2.9.2/doc/signatures/772.txt --- snort-2.9.0.1/doc/signatures/772.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/772.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,63 +0,0 @@ -Rule: - --- -Sid: - -772 - --- -Summary: -This event is generated when the PrettyPark virus attempts to spread. - --- -Impact: -Possible virus infection. Attempt to spread a virus/trojan. - --- -Detailed Information: -Prettypark is a Win32 based Internet worm. This spreads through the Internet by attaching itself to email messages. - -When the attached file is executed, it checks for the existence of Prettypark in memory, if it is not present it then installs Prettypark. After infecting it sends messages to all the email addresses listed in the address book with an attachment containing the virus. - -Prettypark is capable of revealing passwords and connects to IRC channels. System access is possible. - --- -Affected Systems: -Windows 95, 98 and NT - --- -Attack Scenarios: -This is virus propogation activity. - --- -Ease of Attack: - -Simple. - --- -False Positives: - -Possible in certain mail content - --- -False Negatives: - -None known - --- -Corrective Action: - -Use an Anti-Virus tool to remove it. - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -http://www.nwinternet.com/~pchelp/bo/prettypark.htm --- diff -Nru snort-2.9.0.1/doc/signatures/775.txt snort-2.9.2/doc/signatures/775.txt --- snort-2.9.0.1/doc/signatures/775.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/775.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,97 +0,0 @@ -Rule: - --- -Sid: -775 - --- -Summary: -QAZ is a Trojan Horse. - --- -Impact: -Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. - --- -Detailed Information: -This Trojan affects the following operating systems: - - Windows 95 - Windows 98 - Windows ME - Windows NT - Windows 2000 - Windows XP - -No other systems are affected. This is a windows exceutable that makes changes to the system registry. - -The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot. - - SID Message - --- ------- - 108 QAZ Worm Client Login access - 731 Virus - Possible QAZ Worm (Indicates worm activity) - 775 Virus - Possible QAZ Worm Infection (Indicates worm activity) - 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail) - --- -Attack Scenarios: -This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example. - --- -Ease of Attack: -This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: - -This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator. - -Edit the system registry to remove the extra keys or restore a previously known good copy of the registry. - -Affected registry keys are: - - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run - -Registry keys added are: - - StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq - -This will start the Trojan each time notepad is executed. - -Look for the existence of the file note.com. 
The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb). - -A machine reboot is required to clear the existing process from running in memory. - --- -Contributors: -Original Rule Writer Max Vision -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -Whitehats arachNIDS -http://www.whitehats.com/info/IDS501 -http://www.whitehats.com/info/IDS498 -http://www.whitehats.com/info/IDS499 - -McAfee -http://vil.nai.com/vil/content/v_98775.htm - -Symantec Security Response -http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html - -Diamond Computer Systems Security Advisory -http://www.diamondcs.com.au/web/alerts/qaz.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/793.txt snort-2.9.2/doc/signatures/793.txt --- snort-2.9.0.1/doc/signatures/793.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/793.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,57 +0,0 @@ -Rule: - --- -Sid: -793 - --- -Summary: -This event is generated when an internal mail server sends an e-mail out of the network that may contain a Visual Basic Script (VBS) attachment. - --- -Impact: -Malicious code infection. This event may indicate that an internal host may be infected with some kind of malicious code. - --- -Detailed Information: -An outbound e-mail message that contains an attachment with a file name ending in ".vbs" may indicate that an internal host has been infected by some kind of malicious code. A ".vbs" extension typically means that an attachment file is a Visual Basic Script. A VBS attachment may contain executable code for a worm, virus, or trojan. - --- -Affected Systems: -Microsoft Windows hosts. - --- -Attack Scenarios: -Malicious code may be spread by e-mail containing attachments with files ending in ".vbs". - --- -Ease of Attack: -Simple - --- -False Positives: -This alert will be triggered if e-mail is sent containing a legitimate VBS attachment. - --- -False Negatives: -None known. - --- -Corrective Action: -Make sure that the suspected infected host has the most current anti-virus software. - -Run a virus scan on the suspected infected host. - -Configure your mail server to block attachments that contain executable code, such as those with extensions of ".vbs", ".exe", etc. - --- -Contributors: -Original rule writer unknown. -Documented by Steven Alexander -Sourcefire Research Team -Judy Novak - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/795.txt snort-2.9.2/doc/signatures/795.txt --- snort-2.9.0.1/doc/signatures/795.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/795.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ - -Rule: - --- -Sid: -795 - --- -Summary: -This rule has been placed in deleted.rules. It has been superceded by -sid 721. - --- -Impact: -Mail worms may spread rapidly because users execute them. - --- -Detailed Information: -Windows systems are often configured not to display file extensions. -By adding a second extension, users get confused and think that an -executable is a text - e.g. loveletter.txt.vbs gets displayed as -loveletter.txt but is a visual basic script and not a plain text. - --- -Affected Systems: - --- -Attack Scenarios: -Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. - --- -Ease of Attack: -Very easy. One needs to attach a file and hope that it gets executed. - --- -False Positives: -None Known -Could be an error on sender's side. - --- -False Negatives: -None Known -- - --- -Corrective Action: -Use antivirus software. Configure mail clients securely, especially when -using windows desktops. Educate your mail users. Deny all attachments at -the gateway if you can. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by tobias.haecker@to.com -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: -See websites of antivirus companies. - --- diff -Nru snort-2.9.0.1/doc/signatures/796.txt snort-2.9.2/doc/signatures/796.txt --- snort-2.9.0.1/doc/signatures/796.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/796.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ - -Rule: - --- -Sid: -796 - --- -Summary: -This rule has been placed in deleted.rules. It has been superceded by -sid 721. - --- -Impact: -Mail worms may spread rapidly because users execute them. - --- -Detailed Information: -Windows systems are often configured not to display file extensions. -By adding a second extension, users get confused and think that an -executable is an EXCEL spreadsheet - e.g. businnesplan.xls.vbs gets displayed as -businessplan.xls but is a visual basic script and not an EXCEL spreadsheet. - --- -Affected Systems: - --- -Attack Scenarios: -Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning: -An EXCEL spreadsheet is in now way more secure than a visual basic script. -Wrongly configured antivirus software my ignore this files and -let a macro virus pass. - --- -Ease of Attack: -Very easy. One needs to attach a file and hope that it gets executed. - --- -False Positives: -None Known -Could be an error on sender's side. - --- -False Negatives: -None Known -- - --- -Corrective Action: -Use antivirus software. Configure mail clients securely, especially when -using windows desktops. Educate your mail users. Deny all attachments at -the gateway if you can. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by tobias.haecker@to.com -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: -See websites of antivirus companies. - --- diff -Nru snort-2.9.0.1/doc/signatures/797.txt snort-2.9.2/doc/signatures/797.txt --- snort-2.9.0.1/doc/signatures/797.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/797.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ - -Rule: - --- -Sid: -797 - --- -Summary: -This rule has been placed in deleted.rules. It has been superceded by -sid 721. - --- -Impact: -Mail worms may spread rapidly because users execute them. - --- -Detailed Information: -Windows systems are often configured not to display file extensions. -By adding a second extension, users get confused and think that an -executable is a picture - e.g. niceboy.jpg.vbs gets displayed as -nicegboy.jpg but is a visual basic script and not a picture. - --- -Affected Systems: - --- -Attack Scenarios: -Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. - --- -Ease of Attack: -Very easy. One needs to attach a file and hope that it gets executed. - --- -False Positives: -None Known -Could be an error on sender's side. - --- -False Negatives: -None Known -- - --- -Corrective Action: -Use antivirus software. Configure mail clients securely, especially when -using windows desktops. Educate your mail users. Deny all attachments at -the gateway if you can. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by tobias.haecker@to.com -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: -See websites of antivirus companies. - --- diff -Nru snort-2.9.0.1/doc/signatures/798.txt snort-2.9.2/doc/signatures/798.txt --- snort-2.9.0.1/doc/signatures/798.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/798.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ - -Rule: - --- -Sid: -798 - --- -Summary: -This rule has been placed in deleted.rules. It has been superceded by -sid 721. - --- -Impact: -Mail worms may spread rapidly because users execute them. - --- -Detailed Information: -Windows systems are often configured not to display file extensions. -By adding a second extension, users get confused and think that an -executable is a picture - e.g. nicegirl.gif.vbs gets displayed as -nicegirl.gif but is a visual basic script and not a picture. - --- -Affected Systems: - --- -Attack Scenarios: -Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. - --- -Ease of Attack: -Very easy. One needs to attach a file and hope that it gets executed. - --- -False Positives: -None Known -Could be an error on sender's side. - --- -False Negatives: -None Known -- - --- -Corrective Action: -Use antivirus software. Configure mail clients securely, especially when -using windows desktops. Educate your mail users. Deny all attachments at -the gateway if you can. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by tobias.haecker@to.com -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: -See websites of antivirus companies. - --- diff -Nru snort-2.9.0.1/doc/signatures/801.txt snort-2.9.2/doc/signatures/801.txt --- snort-2.9.0.1/doc/signatures/801.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/801.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -801 - --- -Summary: -This rule has been placed in deleted.rules. It has been superceded by -sid 721. - --- -Impact: -Mail worms may spread rapidly because users execute them. - --- -Detailed Information: -Windows systems are often configured not to display file extensions. -By adding a second extension, users get confused and think that an -executable is a WORD document - e.g. resume.doc.vbs gets displayed as -resume.doc but is a visual basic script and not a WORD document. - --- -Affected Systems: - --- -Attack Scenarios: -Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning: -A WORD document is in now way more secure than a visual basic script. -Wrongly configured antivirus software my ignore this files and -let a macro virus pass. - --- -Ease of Attack: -Very easy. One needs to attach a file and hope that it gets executed. - --- -False Positives: -Could be an error on sender's side. - --- -False Negatives: -None Known -- - --- -Corrective Action: -Use antivirus software. Configure mail clients securely, especially when -using windows desktops. Educate your mail users. Deny all attachments at -the gateway if you can. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by tobias.haecker@to.com -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/803.txt snort-2.9.2/doc/signatures/803.txt --- snort-2.9.0.1/doc/signatures/803.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/803.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -803 - --- -Summary: -This event is generated when an attempt is made to access hsx.cgi and -then utilize a directory traversal technique to read files outside the -root directory of the web server. This indicates an attempt to exploit a -vulnerability in the Hyperseek 2000 search engine that allows -read-access to directory listings and files. - - --- -Impact: -Information gathering. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit a directory traversal vulnerability in HyperSeek 2000. When directory traversal techniques such as ../../ are used as arguments to hsx.cgi, an unauthorized user can navigate to directories and access files that are normally hidden. - --- -Affected Systems: -Web servers running iWeb Systems HyperSeek 2000 are vulnerable. - --- -Attack Scenarios: -An attacker can use a directory traversal technique when executing hsx.cgi to view hidden directories and files on the web server. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Apply the appropriate vendor supplied patches. - -Uprade to the latest non-affected version of the software. - --- -Contributors: -Original rule writer unknown -Rule modified by Brian Caswell -Nigel Houghton -Sourcefire Technical Publications Team - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/2314 - -CERT/CC -http://www.kb.cert.org/vuls/id/146704 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0253 - -Nessus -http://cgi.nessus.org/plugins/dump.php3?id=10602 - --- diff -Nru snort-2.9.0.1/doc/signatures/804.txt snort-2.9.2/doc/signatures/804.txt --- snort-2.9.0.1/doc/signatures/804.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/804.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -804 - --- -Summary: -This event is generated when an attempt is made to exploit a buffer -overflow vulnerability in SWSoft ASPSeek search engine software. - --- -Impact: -Arbitrary code execution. - --- -Detailed Information: -SWSoft ASPSeek search engine software contains a buffer overflow -vulnerability where, if a sufficiently long string is sent to the s.cgi -script using the template (tmpl) variable, a buffer overflow condition -can occur. This may allow the execution of arbitrary code. - --- -Affected Systems: -All Apache web servers running SWSoft ASPSeek 1.0.3 and earlier are -vulnerable. - --- -Attack Scenarios: -An attacker can send a crafted query to the s.cgi script, creating a -buffer overflow condition. This could then allow the attacker to execute -arbitrary code from the system's command shell. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -If a legitimate remote user accesses s.cgi where the "tmpl" variable is -invoked, this rule may generate an event. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade to SWSoft ASPSeek 1.04 or later. - --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/2492 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0476 - --- diff -Nru snort-2.9.0.1/doc/signatures/805.txt snort-2.9.2/doc/signatures/805.txt --- snort-2.9.0.1/doc/signatures/805.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/805.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,80 +0,0 @@ -Rule: - --- -Sid: -805 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in the WebSpeed WSIS Messenger -Administration Utility. - --- -Impact: -Information gathering and system integrity. Unauthorized administrative -access to the to the WebSpeed configuration utility can allow an -attacker to view and change WebSpeed configuration, and possibly stop -WebSpeed services. - --- -Detailed Information: -The WSIS Messenger Administration Utility is a web-based administration -utility provided with the Progress WebSpeed 3.0 development environment -and transaction server. It allows WebSpeed administrators to remotely -manage the WebSpeed system. The configuration utility has a -vulnerability that allows unauthenticated users to configure services -when the WSMAdmin function is invoked using wsisa.dll. - --- -Affected Systems: -Any system running Progress WebSpeed 3.0 WSIS Messenger Administration -Utility. - --- -Attack Scenarios: -An attacker can access the WSIS Messenger Administration Utility, which -can then be used to view and change WebSpeed configuration. The attacker -can potentially stop WebSpeed services. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -If a legitimate remote user accesses the web-based administration -utility, this rule may generate an event. - --- -False Negatives: -None known. - --- -Corrective Action: -Disable the WSIS Messenger Administration Utility. - -Install the appropriate patch. Patches can be found at -http://www.progress.com/patches/patchlst/availpatche.html. - -Disallow access to the WSIS Messenger Administration Utilility from -sources external to the protected network. 
- --- -Contributors: -Original rule writer unknown -Modified by Brian Caswell -Sourcefire Research Team -Sourcefire Technical Publications Team -Nigel Houghton - --- -Additional References: - -Bugtraq -http://www.securityfocus.com/bid/969 - -CVE -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0127 - --- diff -Nru snort-2.9.0.1/doc/signatures/806.txt snort-2.9.2/doc/signatures/806.txt --- snort-2.9.0.1/doc/signatures/806.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/806.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: - -806 - --- -Summary: -This event is generated when an attempt is made to access a file outside the root directory of a webserver running YaBB.cgi. - - --- -Impact: - -Information disclosure. - --- -Detailed Information: - -YaBB.cgi is widely used web-based BBS script. Due to input validation problems in YaBB, a remote attacker can traverse the directory structure and view any files and view any file that a webserver has access to. - -This event indicates that a remote attacker has attempted to view a file outside the webservers root directory. - --- -Affected Systems: - -YaBB YaBB 9.1.2000 - --- -Attack Scenarios: - -An attacker issues the following command on port 80 of the webserver: - -GET http://target/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00 HTTP/1.0 - --- -Ease of Attack: - -Simple. No exploit software required. - --- -False Positives: - -None known. - --- -False Negatives: - -None known. - --- -Corrective Action: - -Update to the latest non-affected version of the software. - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com) -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/807.txt snort-2.9.2/doc/signatures/807.txt --- snort-2.9.0.1/doc/signatures/807.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/807.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - -Sid: -807 - --- - -Summary: -This event is generated when an attempt is made to download the wwwboard password file - --- -Impact: -Information disclosure. -An attacker could crack the encrypted password and gain access to the wwwboard -administrator account - --- -Detailed Information: -Releases of WWWBoard (Matt Wright's CGI webboard application) before -version 2.0 Alpha 2.1 place the encrypted password for the web -application's administrator in a file called "passwd.txt" accessible -from the web root. - --- -Affected Systems: - --- -Attack Scenarios: -Attacker downloads the passwd.txt file and then launches a password -cracker to brute force the password (the password is encypted via -crypt(3), and password crackers for this format are ubiquitous). If -the password is successfully cracked (due to weak passwords or -significant cracking resources), the attacker will have administrative -access to the wwwboard web application. - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -None Known - --- -False Negatives: -None Known - --- -Corrective Action: -Inspect packet to insure that it was an attempt to download the -password file and not just a webpage discussing WWWBoard. -Insure that local installations of WWWBoard are current and properly -configured to not save the password file into a publically-accessible -area. - --- -Contributors: -Original rule writer unknown -Original document author unkown -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: -CVE: CVE-1999-0953 -Bugtraq: BID 649 -Arachnids: 463 - --- diff -Nru snort-2.9.0.1/doc/signatures/808.txt snort-2.9.2/doc/signatures/808.txt --- snort-2.9.0.1/doc/signatures/808.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/808.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -808 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/809.txt snort-2.9.2/doc/signatures/809.txt --- snort-2.9.0.1/doc/signatures/809.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/809.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -809 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/810.txt snort-2.9.2/doc/signatures/810.txt --- snort-2.9.0.1/doc/signatures/810.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/810.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -810 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/811.txt snort-2.9.2/doc/signatures/811.txt --- snort-2.9.0.1/doc/signatures/811.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/811.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -811 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/812.txt snort-2.9.2/doc/signatures/812.txt --- snort-2.9.0.1/doc/signatures/812.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/812.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -812 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/813.txt snort-2.9.2/doc/signatures/813.txt --- snort-2.9.0.1/doc/signatures/813.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/813.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,64 +0,0 @@ -Rule: - --- -Sid: -813 - --- -Summary: -This event is generated when an attempt is made to execute a directory -traversal attack. - --- -Impact: -Information disclosure. This is a directory traversal attempt which can -lead to information disclosure and possible exposure of sensitive -system information. - --- -Detailed Information: -Directory traversal attacks usually target web, web applications and ftp -servers that do not correctly check the path to a file when requested by -the client. - -This can lead to the disclosure of sensitive system information which may -be used by an attacker to further compromise the system. - --- -Affected Systems: - --- -Attack Scenarios: -An authorized user or anonymous user can use the directory traversal -technique, to browse folders outside the ftp root directory. Information -gathered may be used in further attacks against the host. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -Apply the appropriate vendor supplied patches - -Upgrade the software to the latest non-affected version. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/815.txt snort-2.9.2/doc/signatures/815.txt --- snort-2.9.0.1/doc/signatures/815.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/815.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -815 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/817.txt snort-2.9.2/doc/signatures/817.txt --- snort-2.9.0.1/doc/signatures/817.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/817.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -817 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/818.txt snort-2.9.2/doc/signatures/818.txt --- snort-2.9.0.1/doc/signatures/818.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/818.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -818 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/819.txt snort-2.9.2/doc/signatures/819.txt --- snort-2.9.0.1/doc/signatures/819.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/819.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -819 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/820.txt snort-2.9.2/doc/signatures/820.txt --- snort-2.9.0.1/doc/signatures/820.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/820.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -820 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/821.txt snort-2.9.2/doc/signatures/821.txt --- snort-2.9.0.1/doc/signatures/821.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/821.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -821 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/823.txt snort-2.9.2/doc/signatures/823.txt --- snort-2.9.0.1/doc/signatures/823.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/823.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -823 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/824.txt snort-2.9.2/doc/signatures/824.txt --- snort-2.9.0.1/doc/signatures/824.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/824.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,72 +0,0 @@ -Rule: - --- -Sid: -824 - --- -Summary: -A remote user has tried access the php.cgi script. Some versions -of this script can allow access to any file the -server can read. - --- -Impact: -Information disclosure. - --- -Detailed Information: -Because of a design problem in this version of PHP/FI, remote users are -able to access any file that the UID of the http process has access to. -The exploit is a simple web request for the file and can be used with -malicious intent. - --- -Affected Systems: - PHP/FI 2.0 - --- -Attack Scenarios: -An attacker can simply pass a file name to the script -and be able to view the file if the web server has access -to it. This can be used to obtain passwords or other sensitive -information. - -Example: http://somewebserver/php.cgi?/path/to/desired/file - --- -Ease of Attack: -Simple. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Upgrade or remove the file php.cgix - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Josh Sakofsky - --- -Additional References: - -Arachnids: -http://www.whitehats.com/info/IDS232 - -Bugraq: -http://www.securityfocus.com/bid/2250 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0238 - --- diff -Nru snort-2.9.0.1/doc/signatures/825.txt snort-2.9.2/doc/signatures/825.txt --- snort-2.9.0.1/doc/signatures/825.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/825.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -825 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/826.txt snort-2.9.2/doc/signatures/826.txt --- snort-2.9.0.1/doc/signatures/826.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/826.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -826 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/827.txt snort-2.9.2/doc/signatures/827.txt --- snort-2.9.0.1/doc/signatures/827.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/827.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -827 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/828.txt snort-2.9.2/doc/signatures/828.txt --- snort-2.9.0.1/doc/signatures/828.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/828.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -828 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/829.txt snort-2.9.2/doc/signatures/829.txt --- snort-2.9.0.1/doc/signatures/829.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/829.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -829 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/830.txt snort-2.9.2/doc/signatures/830.txt --- snort-2.9.0.1/doc/signatures/830.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/830.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -830 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/832.txt snort-2.9.2/doc/signatures/832.txt --- snort-2.9.0.1/doc/signatures/832.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/832.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -832 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/833.txt snort-2.9.2/doc/signatures/833.txt --- snort-2.9.0.1/doc/signatures/833.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/833.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -833 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/834.txt snort-2.9.2/doc/signatures/834.txt --- snort-2.9.0.1/doc/signatures/834.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/834.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -834 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/835.txt snort-2.9.2/doc/signatures/835.txt --- snort-2.9.0.1/doc/signatures/835.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/835.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,66 +0,0 @@ -Rule: --- -Sid: -835 - --- -Summary: -This event is generated when an attempt is made to -access to the cgi script test-cgi. - --- -Impact: -Information disclosure. - --- -Detailed Information: -The test-cgi script is provided as part of the Apache web server to -test that cgi scripts are working. It can provide vital information -about the configuration of your webserver that may be invaluable to a -potential attacker. - --- -Affected Systems: - All versions of Apache. - --- -Attack Scenarios: -A standard web request using a browser. - -lynx http://victim/cgi-bin/test-cgi - -$ telnet victim 80 -Trying 192.168.0.2... -Connected to victim. -Escape character is '^]'. -GET /cgi-bin/test-cgi HTTP/1.0 - --- -Ease of Attack: -Simple. Exploit software is not required. - --- -False Positives: -This may trigger on urls containing test-cgi, but are not necessarily -indicative of an attack. For example, -http://myhost.org/home/foobar/test-cgi.txt would trigger this rule. - --- -False Negatives: -None Known - --- -Corrective Action: -Determine the need for this script, and remove it if there is no need. - --- -Contributors: -Original rule writer unknown -Snort documentation contributed by Jon Hart -Sourcefire Vulnerability Research Team -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/836.txt snort-2.9.2/doc/signatures/836.txt --- snort-2.9.0.1/doc/signatures/836.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/836.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-836
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/837.txt snort-2.9.2/doc/signatures/837.txt
--- snort-2.9.0.1/doc/signatures/837.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/837.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-837
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/838.txt snort-2.9.2/doc/signatures/838.txt
--- snort-2.9.0.1/doc/signatures/838.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/838.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-838
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/839.txt snort-2.9.2/doc/signatures/839.txt
--- snort-2.9.0.1/doc/signatures/839.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/839.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-839
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/840.txt snort-2.9.2/doc/signatures/840.txt
--- snort-2.9.0.1/doc/signatures/840.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/840.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-840
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/841.txt snort-2.9.2/doc/signatures/841.txt
--- snort-2.9.0.1/doc/signatures/841.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/841.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-841
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/842.txt snort-2.9.2/doc/signatures/842.txt
--- snort-2.9.0.1/doc/signatures/842.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/842.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-842
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/843.txt snort-2.9.2/doc/signatures/843.txt
--- snort-2.9.0.1/doc/signatures/843.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/843.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-843
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/844.txt snort-2.9.2/doc/signatures/844.txt
--- snort-2.9.0.1/doc/signatures/844.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/844.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-844
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/845.txt snort-2.9.2/doc/signatures/845.txt
--- snort-2.9.0.1/doc/signatures/845.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/845.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-845
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/846.txt snort-2.9.2/doc/signatures/846.txt
--- snort-2.9.0.1/doc/signatures/846.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/846.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-846
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/847.txt snort-2.9.2/doc/signatures/847.txt
--- snort-2.9.0.1/doc/signatures/847.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/847.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-847
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/848.txt snort-2.9.2/doc/signatures/848.txt
--- snort-2.9.0.1/doc/signatures/848.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/848.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-848
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/849.txt snort-2.9.2/doc/signatures/849.txt
--- snort-2.9.0.1/doc/signatures/849.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/849.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-849
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/850.txt snort-2.9.2/doc/signatures/850.txt
--- snort-2.9.0.1/doc/signatures/850.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/850.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-850
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/851.txt snort-2.9.2/doc/signatures/851.txt
--- snort-2.9.0.1/doc/signatures/851.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/851.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-851
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/852.txt snort-2.9.2/doc/signatures/852.txt
--- snort-2.9.0.1/doc/signatures/852.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/852.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-852
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/853.txt snort-2.9.2/doc/signatures/853.txt
--- snort-2.9.0.1/doc/signatures/853.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/853.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-853
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/854.txt snort-2.9.2/doc/signatures/854.txt
--- snort-2.9.0.1/doc/signatures/854.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/854.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-854
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/856.txt snort-2.9.2/doc/signatures/856.txt
--- snort-2.9.0.1/doc/signatures/856.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/856.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-856
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/857.txt snort-2.9.2/doc/signatures/857.txt
--- snort-2.9.0.1/doc/signatures/857.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/857.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-857
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/858.txt snort-2.9.2/doc/signatures/858.txt
--- snort-2.9.0.1/doc/signatures/858.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/858.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-858
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/859.txt snort-2.9.2/doc/signatures/859.txt
--- snort-2.9.0.1/doc/signatures/859.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/859.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-859
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/860.txt snort-2.9.2/doc/signatures/860.txt
--- snort-2.9.0.1/doc/signatures/860.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/860.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-860
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/861.txt snort-2.9.2/doc/signatures/861.txt
--- snort-2.9.0.1/doc/signatures/861.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/861.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-861
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/862.txt snort-2.9.2/doc/signatures/862.txt
--- snort-2.9.0.1/doc/signatures/862.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/862.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-862
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/863.txt snort-2.9.2/doc/signatures/863.txt
--- snort-2.9.0.1/doc/signatures/863.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/863.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-863
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/864.txt snort-2.9.2/doc/signatures/864.txt
--- snort-2.9.0.1/doc/signatures/864.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/864.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-864
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/865.txt snort-2.9.2/doc/signatures/865.txt
--- snort-2.9.0.1/doc/signatures/865.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/865.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-865
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/866.txt snort-2.9.2/doc/signatures/866.txt
--- snort-2.9.0.1/doc/signatures/866.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/866.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-866
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/867.txt snort-2.9.2/doc/signatures/867.txt
--- snort-2.9.0.1/doc/signatures/867.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/867.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-867
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/868.txt snort-2.9.2/doc/signatures/868.txt
--- snort-2.9.0.1/doc/signatures/868.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/868.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -868 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/869.txt snort-2.9.2/doc/signatures/869.txt --- snort-2.9.0.1/doc/signatures/869.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/869.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -869 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/870.txt snort-2.9.2/doc/signatures/870.txt --- snort-2.9.0.1/doc/signatures/870.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/870.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -870 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/871.txt snort-2.9.2/doc/signatures/871.txt --- snort-2.9.0.1/doc/signatures/871.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/871.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -871 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/872.txt snort-2.9.2/doc/signatures/872.txt --- snort-2.9.0.1/doc/signatures/872.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/872.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -872 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/873.txt snort-2.9.2/doc/signatures/873.txt --- snort-2.9.0.1/doc/signatures/873.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/873.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -873 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/875.txt snort-2.9.2/doc/signatures/875.txt --- snort-2.9.0.1/doc/signatures/875.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/875.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -875 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/877.txt snort-2.9.2/doc/signatures/877.txt --- snort-2.9.0.1/doc/signatures/877.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/877.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -877 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/878.txt snort-2.9.2/doc/signatures/878.txt --- snort-2.9.0.1/doc/signatures/878.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/878.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -878 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/879.txt snort-2.9.2/doc/signatures/879.txt --- snort-2.9.0.1/doc/signatures/879.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/879.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -879 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/880.txt snort-2.9.2/doc/signatures/880.txt --- snort-2.9.0.1/doc/signatures/880.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/880.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -880 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/881.txt snort-2.9.2/doc/signatures/881.txt --- snort-2.9.0.1/doc/signatures/881.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/881.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -881 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Guide to network resource tools: -http://www.acad.bg/beginner/gnrt/specialist/archie.html - --- diff -Nru snort-2.9.0.1/doc/signatures/882.txt snort-2.9.2/doc/signatures/882.txt --- snort-2.9.0.1/doc/signatures/882.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/882.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -882 - --- -Summary: -This event is generated when an attempt is made to access a web -application that may lead to exploitation of the application. - --- -Impact: -Potentially harmful execution of binaries through perl open() - --- -Detailed Information: -An open source calendar perl script by Matt Kruse, Allows commands to be executed without input verification using the perl open() function. ie /cgi-bin/calendar_admin.pl place the string "|ping 127.0.0.1|" in the configuration file field, this executes the command "ping 127.0.0.1" - --- -Affected Systems: -Any web server running the application. - --- -Attack Scenarios: -An unauthenticated user can execute arbitrary programs on the server by accessing calendar_admin.pl and inputting commands such as "|mail /etc/passwd|" into the configuration file field. - --- -Ease of Attack: -Simple. No exploit software required. - --- -False Positives: -If your webserver has pages by the name of calendar* this rule will -fire often. Many sites now use calendar applications and this rule may -generate a large number of false positives, it does not distinguish -between perl cgi applications and php scripts. Consider tuning this rule -for your site if it is generating a large number of false positives. If -you use a calendar application, consider changing the name of the script -to something other than "calendar". - --- -False Negatives: -None known. 
- --- -Corrective Action: -Download a newer version of the cgi - --- -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Aaron Navratil (Initial Research) -Snort documentation contributed by Josh Gray (Edits) -Sourcefire Research Team -Nigel Houghton - --- -Additional References: - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0432 - -Bugtraq: -http://online.securityfocus.com/bid/1215 - --- diff -Nru snort-2.9.0.1/doc/signatures/883.txt snort-2.9.2/doc/signatures/883.txt --- snort-2.9.0.1/doc/signatures/883.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/883.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -883 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/884.txt snort-2.9.2/doc/signatures/884.txt --- snort-2.9.0.1/doc/signatures/884.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/884.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -884 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in the CGI web application Formmail running on a server. - --- -Impact: -Several vulnerabilities include server access, information -disclosure, spam relaying and mail anonymizing. - --- -Detailed Information: -This event is generated when an attempt is made to access the perl cgi -script Formmail. Early versions (1.6 and prior) had several vulnerabilities -(Spam engine, ability to run commands under server id and set -environment variables) and should be upgraded immediately. Newer -versions can still be used by spammers for anonymizing email and -defeating email relay controls. - --- -Affected Systems: - All systems running Formmail - --- -Attack Scenarios: -Information can be appended to the URL to use your -mail gateway avoiding SMTP relay controls. HTTP header information can -be manipulated to avoid access control methods in script. Allows SMTP -exploits that are normally available only to trusted (local) users such -as Sendmail % hack. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -Legitimate use of the script can cause alerts. Verify -packet payload and watch web/mailserver logfiles. - --- -False Negatives: -If the name of the script has been changed this rule will not generate -an event. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton -Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com) - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/885.txt snort-2.9.2/doc/signatures/885.txt --- snort-2.9.0.1/doc/signatures/885.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/885.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-885
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/886.txt snort-2.9.2/doc/signatures/886.txt
--- snort-2.9.0.1/doc/signatures/886.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/886.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-886
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/887.txt snort-2.9.2/doc/signatures/887.txt
--- snort-2.9.0.1/doc/signatures/887.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/887.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,72 +0,0 @@
-Rule:
-
---
-Sid:
-887
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-WWW-SQL:
-http://grox.net/doc/web/www-sql.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/888.txt snort-2.9.2/doc/signatures/888.txt
--- snort-2.9.0.1/doc/signatures/888.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/888.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid:
-888
-
---
-Summary:
-This event is generated when an attempt is made to exploit an
-authentication vulnerability in a web server or an application running
-on that server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a web server or an application running ona web server. Some
-applications do not perform stringent checks when validating the
-credentials of a client host connecting to the services offered on a
-host server. This can lead to unauthorized access and possibly escalated
-privileges to that of the administrator. Data stored on the machine can
-be compromised and trust relationships between the victim server and
-other hosts can be exploited by the attacker.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An attacker can access the authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Disallow administrative access from sources external to the protected
-network.
-
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/889.txt snort-2.9.2/doc/signatures/889.txt
--- snort-2.9.0.1/doc/signatures/889.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/889.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-889
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/890.txt snort-2.9.2/doc/signatures/890.txt
--- snort-2.9.0.1/doc/signatures/890.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/890.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-890
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running on a web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/891.txt snort-2.9.2/doc/signatures/891.txt
--- snort-2.9.0.1/doc/signatures/891.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/891.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,76 +0,0 @@
-Rule:
-
---
-Sid:
-891
-
---
-Summary:
-This event is generated when an attempt is made to access the file
-upload.pl via a web browser.
-
---
-Impact:
-Information gathering.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited
-by the attacker.
-
-This event indicates an attempt to access the CGI application upload.pl,
-this perl script can be used to upload files to a system and may be used
-by an attacker to place files of their choosing onto a server for
-further use.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
-Ensure that access controls are in place to limit access to the
-application to authorized users only.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/892.txt snort-2.9.2/doc/signatures/892.txt
--- snort-2.9.0.1/doc/signatures/892.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/892.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-892
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/893.txt snort-2.9.2/doc/signatures/893.txt
--- snort-2.9.0.1/doc/signatures/893.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/893.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,78 +0,0 @@
-Rule:
-
---
-Sid:
-893
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in the CGI web application webdist.cgi running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited
-by the attacker.
-
-In particular this event is generated when an attempt is made to access
-"MachineInfo" using the CGI application webdist.cgi, distributed with
-IRIX operating systems using the package IRIX Mindshare OutBox.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- IRIX 5.x
- IRIX 6.x
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-CERT:
-http://www.cert.org/advisories/CA-1997-12.html
-
---
diff -Nru snort-2.9.0.1/doc/signatures/894.txt snort-2.9.2/doc/signatures/894.txt
--- snort-2.9.0.1/doc/signatures/894.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/894.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,52 +0,0 @@
-Rule:
---
-Sid:
-894
-
---
-Summary:
-This event is generated when an attempt is made to display historical
-information from a Big Brother system monitor host.
-
---
-Impact:
-Information Disclosure.
-
---
-Detailed Information:
-Big Brother is a monitoring system used by many organisations. It records both current and historical information about monitored hosts on a network. Access to the system status is via a series of web pages and CGI scripts. Version 1.09b & 1.09c contained a bug in bb-hist.sh that could be made to display files accessible by the user under which the CGI script is run.
-
---
-Attack Scenarios:
-A malicious user could use this vulnerability to gain more information about the Big Brother host.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Upgrade to a later version of Big Brother at least 1.09d
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-url,http://bb4.com/
-cve,CAN-1999-1462
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/895.txt snort-2.9.2/doc/signatures/895.txt
--- snort-2.9.0.1/doc/signatures/895.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/895.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-895
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/896.txt snort-2.9.2/doc/signatures/896.txt
--- snort-2.9.0.1/doc/signatures/896.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/896.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-896
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/897.txt snort-2.9.2/doc/signatures/897.txt
--- snort-2.9.0.1/doc/signatures/897.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/897.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-897
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/898.txt snort-2.9.2/doc/signatures/898.txt
--- snort-2.9.0.1/doc/signatures/898.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/898.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@
-Rule:
-
---
-Sid:
-898
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a CGI web application running on a server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases.
-
---
-Detailed Information:
-This event is generated when an attempt is made to gain unauthorized
-access to a CGI application running ona web server. Some applications do
-not perform stringent checks when validating the credentials of a client
-host connecting to the services offered on a host server. This can lead
-to unauthorized access and possibly escalated privileges to that of the
-administrator. Data stored on the machine can be compromised and trust
-relationships between the victim server and other hosts can be exploited by the attacker.
-
-If stringent input checks are not performed by the CGI application, it
-may also be possible for an attacker to execute system binaries or
-malicious code of the attackers choosing.
-
---
-Affected Systems:
- All systems running CGI applications
-
---
-Attack Scenarios:
-An attacker can access an authentication mechanism and supply his/her
-own credentials to gain access. Alternatively the attacker can exploit
-weaknesses to gain access as the administrator by supplying input of
-their choosing to the underlying CGI script.
-
---
-Ease of Attack:
-Simple. Exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/899.txt snort-2.9.2/doc/signatures/899.txt
--- snort-2.9.0.1/doc/signatures/899.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/899.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-899
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/900.txt snort-2.9.2/doc/signatures/900.txt
--- snort-2.9.0.1/doc/signatures/900.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/900.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,64 +0,0 @@
-Rule:
-
---
-Sid:
-900
-
---
-Summary:
-This event is generated when an attempt is made to execute a directory
-traversal attack.
-
---
-Impact:
-Information disclosure. This is a directory traversal attempt which can
-lead to information disclosure and possible exposure of sensitive
-system information.
-
---
-Detailed Information:
-Directory traversal attacks usually target web, web applications and ftp
-servers that do not correctly check the path to a file when requested by
-the client.
-
-This can lead to the disclosure of sensitive system information which may
-be used by an attacker to further compromise the system.
-
---
-Affected Systems:
-
---
-Attack Scenarios:
-An authorized user or anonymous user can use the directory traversal
-technique, to browse folders outside the ftp root directory. Information
-gathered may be used in further attacks against the host.
-
---
-Ease of Attack:
-Simple. No exploit software required.
-
---
-False Positives:
-None known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Apply the appropriate vendor supplied patches
-
-Upgrade the software to the latest non-affected version.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/901.txt snort-2.9.2/doc/signatures/901.txt
--- snort-2.9.0.1/doc/signatures/901.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/901.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -901 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/902.txt snort-2.9.2/doc/signatures/902.txt --- snort-2.9.0.1/doc/signatures/902.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/902.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -Rule: - --- -Sid: -902 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a CGI web application running on a server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a CGI application running ona web server. Some applications do -not perform stringent checks when validating the credentials of a client -host connecting to the services offered on a host server. This can lead -to unauthorized access and possibly escalated privileges to that of the -administrator. Data stored on the machine can be compromised and trust -relationships between the victim server and other hosts can be exploited by the attacker. - -If stringent input checks are not performed by the CGI application, it -may also be possible for an attacker to execute system binaries or -malicious code of the attackers choosing. - --- -Affected Systems: - All systems running CGI applications - --- -Attack Scenarios: -An attacker can access an authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator by supplying input of -their choosing to the underlying CGI script. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/903.txt snort-2.9.2/doc/signatures/903.txt --- snort-2.9.0.1/doc/signatures/903.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/903.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,60 +0,0 @@ -Rule: - --- -Sid: -903 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/904.txt snort-2.9.2/doc/signatures/904.txt --- snort-2.9.0.1/doc/signatures/904.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/904.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -904 - --- -Summary: -This event is generated when an attempt is made to access an Example -application on a Coldfusion 4.x server. - --- -Impact: -Serious. The vulnerability is not limited to files in the webspace, so -system files or additional unexecuted code files could be retrieved and -examined for vulnerabilities. - --- -Detailed Information: -ColdFusion (Macromedia, formerly Allaire) web servers have several -default Example applications installed that have vulnerabilities. The -email application can be exploited to allow remote viewing of arbitrary -files. - --- -Affected Systems: -ColdFusion versions 4.0 thru 4.5 (4.5.1 is not vulnerable), on all -supported platforms - --- -Attack Scenarios: -The file at cfdocs/exampleapp/email/application.cfm includes a page, -cfdocs/exampleapp/email/getfile.cfm, that can accept URL-mangled -requests like: - -http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini - -This allows trivial remote retrieval of any file on the server. - --- -Ease of Attack: -Simple. - --- -False Positives: -If ColdFusion 4.x's example code is being used, This rule will generate -an event. - --- -False Negatives: -None known - --- -Corrective Action: -Delete all example code. This is one of several significant -vulnerabilities that are exploitable if the example code is left on a -production server. - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Darryl Davidson - --- -Additional References: CAN-2001-0535 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535 - --- diff -Nru snort-2.9.0.1/doc/signatures/905.txt snort-2.9.2/doc/signatures/905.txt --- snort-2.9.0.1/doc/signatures/905.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/905.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -905 - --- -Summary: -This event is generated when an attempt is made to access an Example -application on a Coldfusion 4.x server. - -This 'Web Publish Example Script' can be exploited to allow the attacker -to upload arbitrary files to the server. - --- -Impact: -Serious: The vulnerability allows custom code to be uploaded to the -server. - --- -Detailed Information: -ColdFusion (Macromedia, formerly Allaire) web servers have several -default Example applications installed that have vulnerabilities. The -'Web Publish Example script' application can be exploited to allow the -uploading of arbitrary files. - -See Macromedia Security Bulletin (MPSB01-08) for complete information. - - --- -Affected Systems: - ColdFusion versions 2.x, 3.x, 4.x for Windows - ColdFusion versions 4.x for Solaris, HP-UX - ColdFusion versions 4.5.x for Linux - Expression Evaluator Patch (ASB99-01) - --- -Attack Scenarios: -The web application allows file uploading via a URL like this: - -http://www.target.com/CFDOCS/exampleapps/publish/admin/application.cfm - -Once the file has been uploaded, it can be executed by crafting a 2nd -URL to the uploaded file. - --- -Ease of Attack: -Simple. - --- -False Positives: -If ColdFusion 4.x's example code is being used, This rule will generate -an event. - --- -False Negatives: -None known. - --- -Corrective Action: -Delete all example code. This is one of several significant -vulnerabilities that are exploitable if the example code is left on a -production server. 
- --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Darryl Davidson - --- -Additional References: - -Macromedia Security Bulletin (MPSB01-08) -http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html - --- diff -Nru snort-2.9.0.1/doc/signatures/906.txt snort-2.9.2/doc/signatures/906.txt --- snort-2.9.0.1/doc/signatures/906.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/906.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,76 +0,0 @@ -Rule: - --- -Sid: -906 - --- -Summary: -This event is generated when an attempt is made to access an Example -application on a Coldfusion 4.x server. - --- -Impact: -Serious. The vulnerability is not limited to files in the webspace, so -system files or additional unexecuted code files could be retrieved and -examined for vulnerabilities. - --- -Detailed Information: -ColdFusion (Macromedia, formerly Allaire) web servers have several -default Example applications installed that have vulnerabilities. The -email application can be exploited to allow remote viewing of arbitrary -files. - - --- -Affected Systems: - ColdFusion versions 2.x, 3.x, 4.x for Windows - ColdFusion versions 4.x for Solaris, HP-UX - ColdFusion versions 4.5.x for Linux - --- -Attack Scenarios: -The example application file cfdocs/exampleapp/email/getfile.cfm can -accept URL-mangled requests like: - -http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini - -This allows trivial remote retrieval of any file on the server. - --- -Ease of Attack: -Simple. - --- -False Positives: -If ColdFusion 4.x's example code is being used, This rule will generate -an event. - --- -False Negatives: -None known. - --- -Corrective Action: -Delete all example code. This is one of several significant -vulnerabilities that are exploitable if the example code is left on a -production server. 
- --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Darryl Davidson - --- -Additional References: - -CAN-2001-0535 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535 - -Macromedia Security Bulletin (MPSB01-08) -http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html - --- diff -Nru snort-2.9.0.1/doc/signatures/907.txt snort-2.9.2/doc/signatures/907.txt --- snort-2.9.0.1/doc/signatures/907.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/907.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,79 +0,0 @@ -Rule: - --- -Sid: -907 - --- -Summary: -This event is generated when an attempt is made to access an Example -application on a Coldfusion 4.x server. The 'Web Publish Example Script' -can be exploited to allow the attacker to upload an arbitrary file to -the server. - --- -Impact: -Serious. The vulnerability allows custom code to be uploaded to the -server. - --- -Detailed Information: -ColdFusion (Macromedia, formerly Allaire) web servers have several -default Example applications installed that have vulnerabilities. The -'Web Publish Example script' application can be exploited to allow the -uploading of arbitrary files. - -See Macromedia Security Bulletin (MPSB01-08) for complete information. - --- -Affected Systems: - ColdFusion versions 2.x, 3.x, 4.x for Windows - ColdFusion versions 4.x for Solaris, HP-UX - ColdFusion versions 4.5.x for Linux - Expression Evaluator Patch (ASB99-01) - --- -Attack Scenarios: -The web application allows file uploading via a URL like this: - -http://www.target.com/CFDOCS/exampleapps/publish/admin/addcontent.cfm - -Once the file has been uploaded, it can be executed by crafting a 2nd -URL to the uploaded file. - --- -Ease of Attack: -Simple. - --- -False Positives: -If ColdFusion 4.x's example code is being used, This rule will generate -an event. - --- -False Negatives: -None known. - --- -Corrective Action: -Delete all example code. This is one of several significant -vulnerabilities that are exploitable if the example code is left on a -production server. 
- --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Darryl Davidson - --- -Additional References: - -Macromedia Security Bulletin (MPSB01-08) -http://www.macromedia.com/devnet/security/security_zone/mpsb01-08.html - -CAN-2001-0535 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0535 - --- diff -Nru snort-2.9.0.1/doc/signatures/908.txt snort-2.9.2/doc/signatures/908.txt --- snort-2.9.0.1/doc/signatures/908.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/908.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,81 +0,0 @@ -Rule: - --- -Sid: -908 - --- -Summary: -This event is generated when an attempt is made to access the -administrator screens for Coldfusion server. A long password can cause -a Denial-of-Service. - --- -Impact: -Denial of Service (DoS). While the risk as a target for password attacks is minor, the administrator login mechanism can be jammed by long passwords, leading to a DoS for the server. - --- -Detailed Information: -ColdFusion's administrator interface is reachable via: - -http://www.target.com/CFIDE/administrator/index.cfm - -It is recommended that access to these pages be restricted to trusted -IP addresses to prevent them being targets for password attacks. - -Further, long passwords create a Denial-of-Service state in the server -temporarily. - -See Macromedia Security Bulletin (MPSB01-08) for complete information. - --- -Affected Systems: -ColdFusion versions 4.x for Windows, Solaris, HP-UX, Linux - --- -Attack Scenarios: -The attacker can access the administration interface for the server and -gain control of the application. - --- -Ease of Attack: -Simple. - --- -False Positives: -None known - --- -False Negatives: -None known - --- -Corrective Action: -At minimum, restrict access to the administrator mechanism from within -the ColdFusion administrator screens. Only internal, trusted users -should be allowed access. For further protections, use the security -capabilities of the webserver or the OS to restrict access to the -CFIDE/administrator directory when not needed, or copy/remove the -CFIDE/administrator directory completely off the server when not in use -(it will be necessary to reload the directory before accessing admin -functions, of course). 
- -http://www.macromedia.com/support/coldfusion/ts/documents/tn17254.htm - --- -Contributors: -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton -Snort documentation contributed by Darryl Davidson - --- -Additional References: - -Allaire Security Bulletin (ASB00-14) -http://www.macromedia.com/devnet/security/security_zone/asb00-14.html - -CVE-2000-0538 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0538 - --- diff -Nru snort-2.9.0.1/doc/signatures/909.txt snort-2.9.2/doc/signatures/909.txt --- snort-2.9.0.1/doc/signatures/909.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/909.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -909 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/910.txt snort-2.9.2/doc/signatures/910.txt --- snort-2.9.0.1/doc/signatures/910.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/910.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -910 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/911.txt snort-2.9.2/doc/signatures/911.txt --- snort-2.9.0.1/doc/signatures/911.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/911.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -911 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/912.txt snort-2.9.2/doc/signatures/912.txt --- snort-2.9.0.1/doc/signatures/912.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/912.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -912 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/913.txt snort-2.9.2/doc/signatures/913.txt --- snort-2.9.0.1/doc/signatures/913.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/913.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -913 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/914.txt snort-2.9.2/doc/signatures/914.txt --- snort-2.9.0.1/doc/signatures/914.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/914.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -914 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/915.txt snort-2.9.2/doc/signatures/915.txt --- snort-2.9.0.1/doc/signatures/915.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/915.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -915 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/916.txt snort-2.9.2/doc/signatures/916.txt --- snort-2.9.0.1/doc/signatures/916.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/916.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -916 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/917.txt snort-2.9.2/doc/signatures/917.txt --- snort-2.9.0.1/doc/signatures/917.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/917.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -917 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/918.txt snort-2.9.2/doc/signatures/918.txt --- snort-2.9.0.1/doc/signatures/918.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/918.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -918 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/919.txt snort-2.9.2/doc/signatures/919.txt --- snort-2.9.0.1/doc/signatures/919.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/919.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -919 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/920.txt snort-2.9.2/doc/signatures/920.txt --- snort-2.9.0.1/doc/signatures/920.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/920.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -920 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/921.txt snort-2.9.2/doc/signatures/921.txt --- snort-2.9.0.1/doc/signatures/921.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/921.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -921 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/922.txt snort-2.9.2/doc/signatures/922.txt --- snort-2.9.0.1/doc/signatures/922.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/922.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -922 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/923.txt snort-2.9.2/doc/signatures/923.txt --- snort-2.9.0.1/doc/signatures/923.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/923.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -923 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/924.txt snort-2.9.2/doc/signatures/924.txt --- snort-2.9.0.1/doc/signatures/924.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/924.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -924 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/925.txt snort-2.9.2/doc/signatures/925.txt --- snort-2.9.0.1/doc/signatures/925.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/925.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -925 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/926.txt snort-2.9.2/doc/signatures/926.txt --- snort-2.9.0.1/doc/signatures/926.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/926.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -926 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/927.txt snort-2.9.2/doc/signatures/927.txt --- snort-2.9.0.1/doc/signatures/927.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/927.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -927 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/928.txt snort-2.9.2/doc/signatures/928.txt --- snort-2.9.0.1/doc/signatures/928.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/928.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -928 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/929.txt snort-2.9.2/doc/signatures/929.txt --- snort-2.9.0.1/doc/signatures/929.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/929.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -SID: -929 --- - -Rule: --- - -Summary: -This even indicates an attempt to exploit undocumented CFML tags on a -Allaire ColdFusion Server --- - -Impact: -Extensive server data retrieval including settings and passwords --- - -Detailed Information: -Undocumented CFML tags allow reading and decryption of sensitive data -contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This -data can be accesses by constructing a hosted application that accesses -these undocumented tags with the possibility of changing values on the -server and reading admin and studio passwords --- - -Affected Systems: - Allaire ColdFusion Server 2.0 - 4.0.1 --- - -Attack Scenarios: -A user with permission to create pages on the server installs an -application that accesses the undocumented CFML tags, accessing this -application would allow viewing and possible modifications of these -settings --- - -Ease of Attack: -Medium, Attackers need the ability to add files to the server. No "In -the Wild" exploits were available at type of writing --- - -False Positives: -None known --- - -False Negatives: -None known --- - -Corrective Action: -Patches are available from Allaire, install them. --- - -Contributors: -Snort documentation contributed by matthew harvey -Original Rule Writer Unknown -Sourcefire Research Team -Nigel Houghton - --- -References: - --- diff -Nru snort-2.9.0.1/doc/signatures/930.txt snort-2.9.2/doc/signatures/930.txt --- snort-2.9.0.1/doc/signatures/930.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/930.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -930 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/931.txt snort-2.9.2/doc/signatures/931.txt --- snort-2.9.0.1/doc/signatures/931.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/931.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -931 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/932.txt snort-2.9.2/doc/signatures/932.txt --- snort-2.9.0.1/doc/signatures/932.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/932.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -932 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/933.txt snort-2.9.2/doc/signatures/933.txt --- snort-2.9.0.1/doc/signatures/933.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/933.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -933 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/935.txt snort-2.9.2/doc/signatures/935.txt --- snort-2.9.0.1/doc/signatures/935.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/935.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -935 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/936.txt snort-2.9.2/doc/signatures/936.txt --- snort-2.9.0.1/doc/signatures/936.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/936.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,60 +0,0 @@ -Rule: - --- -Sid: -936 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a ColdFusion web server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Coldfusion. Many known vulnerabilities exist for this platform and -the attack scenarios are legion. - --- -Affected Systems: - All systems running ColdFusion - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/937.txt snort-2.9.2/doc/signatures/937.txt --- snort-2.9.0.1/doc/signatures/937.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/937.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -937 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/939.txt snort-2.9.2/doc/signatures/939.txt --- snort-2.9.0.1/doc/signatures/939.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/939.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -939 - --- - -Summary: -This event is generated when an attempt is made to use a Frontpage -client to connect and/or publish content to a Frontpage Server -Extensions-enabled IIS web server. - --- - -Impact: -An attacker can modify your web content, access privileged files or -modify other users' privileges on the Frontpage-enabled virtual host. - --- - -Detailed Information: -Microsoft Frontpage is a web-content managing and publishing -application, which also comes with server extensions for Microsoft IIS -and Apache web servers. The extensions enable the servers to display -dynamic content, as well as perform certain levels of web-server -administration. - --- - -Affected Systems: -All systems running FPSE on IIS. - --- - -Attack Scenarios: -An attacker can gain the FPSE username and password via sniffing, social -engineering or brute force guessing. After successfully logging on to -the system, the attacker can alter web contents, modify login -information for other users and generally control the web server. - --- - -Ease of Attack: -After gaining the login credentials the attack is trivial. - --- - -False Positives: -If FrontPage authoring is allowed from resources external to the -protected network this rule will generate an event. - --- - -False Negatives: -not known. - --- - -Corrective Action: -Disable FPSE if it is not needed for web-content management. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -eEye Digital Security: -http://www.eeye.com/html/research/advisories/AD20001222.html - --- diff -Nru snort-2.9.0.1/doc/signatures/940.txt snort-2.9.2/doc/signatures/940.txt --- snort-2.9.0.1/doc/signatures/940.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/940.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -940 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/941.txt snort-2.9.2/doc/signatures/941.txt --- snort-2.9.0.1/doc/signatures/941.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/941.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -941 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/942.txt snort-2.9.2/doc/signatures/942.txt --- snort-2.9.0.1/doc/signatures/942.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/942.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -942 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/943.txt snort-2.9.2/doc/signatures/943.txt --- snort-2.9.0.1/doc/signatures/943.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/943.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -943 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - -In this case an attempt is being made to access the executable file -fpsvradm.exe from resources external to the protected network. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/75t4_3.mspx - --- diff -Nru snort-2.9.0.1/doc/signatures/944.txt snort-2.9.2/doc/signatures/944.txt --- snort-2.9.0.1/doc/signatures/944.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/944.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,68 +0,0 @@ -Rule: - --- -Sid: -944 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - -In this case an attempt is being made to access the executable file -fpremadm.exe from resources external to the protected network. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/75t4_5.mspx - --- diff -Nru snort-2.9.0.1/doc/signatures/945.txt snort-2.9.2/doc/signatures/945.txt --- snort-2.9.0.1/doc/signatures/945.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/945.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: -945 - --- -Summary: -This event is generated when an attempt is made to exploit an -authentication vulnerability in a web server or an application running -on that server. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. - --- -Detailed Information: -This event is generated when an attempt is made to gain unauthorized -access to a web server or an application running ona web server. Some -applications do not perform stringent checks when validating the -credentials of a client host connecting to the services offered on a -host server. This can lead to unauthorized access and possibly escalated -privileges to that of the administrator. Data stored on the machine can -be compromised and trust relationships between the victim server and -other hosts can be exploited by the attacker. - --- -Affected Systems: - --- -Attack Scenarios: -An attacker can access the authentication mechanism and supply his/her -own credentials to gain access. Alternatively the attacker can exploit -weaknesses to gain access as the administrator. - --- -Ease of Attack: -Simple. Exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Disallow administrative access from sources external to the protected -network. - -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/946.txt snort-2.9.2/doc/signatures/946.txt --- snort-2.9.0.1/doc/signatures/946.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/946.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -946 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/947.txt snort-2.9.2/doc/signatures/947.txt --- snort-2.9.0.1/doc/signatures/947.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/947.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -947 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/948.txt snort-2.9.2/doc/signatures/948.txt --- snort-2.9.0.1/doc/signatures/948.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/948.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,72 +0,0 @@ -Rule: - --- -Sid: -948 - --- - -Summary: -This event is generated when an attempt is made to access a file with -Microsoft Frontpage form results. - --- - -Impact: -If successful, the attacker can read sensitive data users have posted -via forms within the Frontpage web. - --- - -Detailed Information: -On systems running Microsoft Frontpage Extensions on IIS or Apache web -servers users can insert forms into web pages and have their data saved -into a text file (/_private/form_results.txt) which can later be read or -emailed to the user. If direct access to the file is possible, the -attacker may read the sensitive data posted from the form. - --- - -Affected Systems: -All systems running FPSE. - --- - -Attack Scenarios: -An attacker can request the file from its standard location, entering -the exact URL. - --- - -Ease of Attack: -Simple. No exploit software required. - --- - -False Positives: -None known - --- - -False Negatives: -None known. - --- - -Corrective Action: -Disable direct access to the file /_private/form_results.txt - -Restrict access to the file using password protection. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos - --- - -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/949.txt snort-2.9.2/doc/signatures/949.txt --- snort-2.9.0.1/doc/signatures/949.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/949.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -949 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/950.txt snort-2.9.2/doc/signatures/950.txt --- snort-2.9.0.1/doc/signatures/950.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/950.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -950 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/951.txt snort-2.9.2/doc/signatures/951.txt --- snort-2.9.0.1/doc/signatures/951.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/951.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,83 +0,0 @@ -Rule: - --- -Sid: -951 - --- - -Summary: -This event is generated when an attempt is made to access a file with -Microsoft Personal Web Server login information. - --- - -Impact: -If successful, the attacker can log into the system and modify web -content. - --- - -Detailed Information: -On systems running Microsoft Personal Web Server the file authors.pwd -contains usernames and encrypted passwords for users who can author the -contents on this server. The attacker can guess the exact URL of this -file and request it, hence gaining insecure information. - --- - -Affected Systems: -Certain versions of Microsoft Windows 95 or Windows 98 running Personal -Web Server 4.0. Windows NT installations are not affected. - --- - -Attack Scenarios: -An attacker can request the file from its standard location, entering -the exact URL, and gain access to the system after cracking the -passwords found in the file. - --- - -Ease of Attack: -Simple. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Apply the appropriate vendor supplied patch. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos - --- - -Additional References: - -Official fix: -http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-010.asp - - -Nessus: -http://cgi.nessus.org/plugins/dump.php3?id=10078 - -CVE: -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0386 - - - - --- diff -Nru snort-2.9.0.1/doc/signatures/952.txt snort-2.9.2/doc/signatures/952.txt --- snort-2.9.0.1/doc/signatures/952.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/952.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@ -Rule: - --- -Sid: -952 - --- - -Summary: -This event is generated when an attempt is made to use a Frontpage -client to connect and/or publish content to a web server with Frontpage -Server Extensions-enabled. - --- - -Impact: -An attacker can modify web content, access privileged files or modify -other users' privileges on the Frontpage-enabled virtual host. - --- - -Detailed Information: -Microsoft Frontpage is a web-content managing and publishing -application, which also comes with server extensions for Microsoft IIS -and Apache web servers. The extensions enable the servers to display -dynamic content, as well as perform certain levels of web-server -administration. - --- - -Affected Systems: -All systems running FPSE. - --- - -Attack Scenarios: -An attacker can gain the FPSE username and password via sniffing, social -engineering or brute force guessing. After successfully logging on to -the system, the attacker can alter web contents, modify login -information for other users and generally control the web server. - --- - -Ease of Attack: -After gaining the login credentials the attack is trivial. - --- - -False Positives: -If FrontPage authoring is allowed from resources external to the -protected network this rule will generate an event. - --- - -False Negatives: -Not known. - --- - -Corrective Action: -Disable FPSE if it is not needed for web-content management. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/2144 - --- diff -Nru snort-2.9.0.1/doc/signatures/953.txt snort-2.9.2/doc/signatures/953.txt --- snort-2.9.0.1/doc/signatures/953.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/953.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,80 +0,0 @@ -Rule: - --- -Sid: -953 - --- - -Summary: -This event is generated when an attempt is made to access a file with -Microsoft Personal Server administration information. - --- - -Impact: -If successful, the attacker can log into the system and modify web -content, as well as modify other users' credentials. - --- - -Detailed Information: -On systems running Microsoft Personal Web Server the file -administrators.pwd contains usernames and encrypted passwords for users -who can author contents and administer this server. The attacker can -guess the exact URL of this file and request it, hence gaining this -information. - --- - -Affected Systems: -Certain versions of Microsoft Windows 95 or Windows 98 running Frontpage -1.1 or Frontpage 98 Server Extensions. Windows NT installations are not -affected. - --- - -Attack Scenarios: -An attacker can request the file from its standard location, entering -the exact URL, and gain access to the system after cracking the -passwords found in the file. - --- - -Ease of Attack: -Simple. No exploit software required. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Disable the Personal Web Server. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos -Sourcefire Research Team -Nigel Houghton - --- - -Additional References: - -Bugtraq: -http://www.securityfocus.com/bid/1205/info/ - - - - --- diff -Nru snort-2.9.0.1/doc/signatures/954.txt snort-2.9.2/doc/signatures/954.txt --- snort-2.9.0.1/doc/signatures/954.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/954.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -954 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/955.txt snort-2.9.2/doc/signatures/955.txt --- snort-2.9.0.1/doc/signatures/955.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/955.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -955 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - Systems using Microsoft FrontPage Server Extensions 98 - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1 - --- diff -Nru snort-2.9.0.1/doc/signatures/956.txt snort-2.9.2/doc/signatures/956.txt --- snort-2.9.0.1/doc/signatures/956.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/956.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -956 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/957.txt snort-2.9.2/doc/signatures/957.txt --- snort-2.9.0.1/doc/signatures/957.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/957.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -957 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/958.txt snort-2.9.2/doc/signatures/958.txt --- snort-2.9.0.1/doc/signatures/958.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/958.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,76 +0,0 @@ -Rule: --- -Sid: -958 - --- - -Summary: -This event is generated when an attempt is made to access a file with -sensitive information on a webserver with Microsoft Frontpage extensions -enabled. - --- - -Impact: -If successful, the attacker can read sensitive data about the Frontpage web. - --- - -Detailed Information: -On systems running Microsoft Frontpage Extensions on IIS or Apache web -servers the file _vti_pvt/service.cnf exists which may contain sensitive -information about the web server. This file is meant to be only used -internally by FPSE and never directly by the user. - --- - -Affected Systems: - Systems using Microsoft FrontPage Server Extensions 98 - --- - -Attack Scenarios: -An attacker can request the file from its standard location, entering the exact URL. - --- - -Ease of Attack: -Simple. No exploit software required. - --- - -False Positives: -None known. - --- - -False Negatives: -None known. - --- - -Corrective Action: -Disable direct access to the file /_vti_pvt/service.cnf. - --- - -Contributors: -Original Rule Writer Unknown -Snort documentation contributed by Chaos -Sourcefire Vulnerability Research Team -Nigel Houghton - --- - -Additional References: - -Microsoft: -http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1 - - - - - - --- diff -Nru snort-2.9.0.1/doc/signatures/959.txt snort-2.9.2/doc/signatures/959.txt --- snort-2.9.0.1/doc/signatures/959.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/959.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -959 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/960.txt snort-2.9.2/doc/signatures/960.txt --- snort-2.9.0.1/doc/signatures/960.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/960.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,70 +0,0 @@ -Rule: - --- -Sid: -960 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - -This event is generated when an attempt is made to retrieve the file -service.stp. This file contains sensitive information concerning the -location of other sensitive files that contain group and password -information. - --- -Affected Systems: - CERN and NCSA servers using Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Special FrontPage directories and Storage Locations: -http://www.rtr.com/fpsupport/serk4.0/apndx05.htm - --- diff -Nru snort-2.9.0.1/doc/signatures/961.txt snort-2.9.2/doc/signatures/961.txt --- snort-2.9.0.1/doc/signatures/961.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/961.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,65 +0,0 @@ -Rule: - --- -Sid: -961 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - Systems using Microsoft FrontPage Server Extensions 98 - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - -Microsoft: -http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1 - --- diff -Nru snort-2.9.0.1/doc/signatures/962.txt snort-2.9.2/doc/signatures/962.txt --- snort-2.9.0.1/doc/signatures/962.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/962.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,62 +0,0 @@ -Rule: - --- -Sid: -962 - --- -Summary: -This event is generated when an attempt is made to exploit a known -vulnerability in a web server running Microsoft FrontPage -Server Extensions. - --- -Impact: -Information gathering and system integrity compromise. Possible unauthorized -administrative access to the server or application. Possible execution -of arbitrary code of the attackers choosing in some cases. Denial of -Service is possible. - --- -Detailed Information: -This event is generated when an attempt is made to compromise a host -running Microsoft FrontPage Server Extensions. Many known -vulnerabilities exist for this platform and the attack scenarios are -legion. - --- -Affected Systems: - All systems running Microsoft FrontPage Server Extensions - --- -Attack Scenarios: -Many attack vectors are possible from simple directory traversal to -exploitation of buffer overflow conditions. - --- -Ease of Attack: -Simple. Many exploits exist. - --- -False Positives: -None known. - --- -False Negatives: -None known. - --- -Corrective Action: -Ensure the system is using an up to date version of the software and has -had all vendor supplied patches applied. - --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - --- diff -Nru snort-2.9.0.1/doc/signatures/963.txt snort-2.9.2/doc/signatures/963.txt --- snort-2.9.0.1/doc/signatures/963.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/963.txt 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@
-Rule:
-
---
-Sid:
-963
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-This event indicates that an attempt has been made to access the file
-svcacl.cnf which may contain sensitive information about the host and
-applications using the FrontPage extensions.
-
-Svcacl.cnf contains data about permissions and IP address restrictions
-on all of the sub-webs. This information would be very valuable to a
-hacker and could be used to plan future attacks.
-
---
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-Ricky McAtee
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
---
diff -Nru snort-2.9.0.1/doc/signatures/964.txt snort-2.9.2/doc/signatures/964.txt
--- snort-2.9.0.1/doc/signatures/964.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/964.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,68 +0,0 @@
-Rule:
-
---
-Sid:
-964
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
-This event is generated when an attempt is made to retrieve the file
-users.pwd. This file contains user password information.
-
---
-Affected Systems:
- Windows 98 using Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;144190
-
---
diff -Nru snort-2.9.0.1/doc/signatures/965.txt snort-2.9.2/doc/signatures/965.txt
--- snort-2.9.0.1/doc/signatures/965.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/965.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-965
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- Systems using Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
-
---
diff -Nru snort-2.9.0.1/doc/signatures/966.txt snort-2.9.2/doc/signatures/966.txt
--- snort-2.9.0.1/doc/signatures/966.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/966.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-966
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/967.txt snort-2.9.2/doc/signatures/967.txt
--- snort-2.9.0.1/doc/signatures/967.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/967.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,73 +0,0 @@
-Rule:
---
-Sid:
-967
-
---
-Summary:
-dvwssr.dll is a component installed with Windows NT Option Pack 4.0,
-Personal Web Server for Windows 95 and 98 and Front Page 98 Server
-Extensions. This component is vulnerable to a buffer overflow which
-may allow for the execution of arbitrary code that would run in the
-context of the system account.
-
---
-Impact:
-Serious. Execution of arbitrary code and Denial of Service (DoS).
-
---
-Detailed Information:
-As with an abundance of other exploits related to Microsoft's Internet
-Information Services and web server based implementations, it is
-possible for an attacker to run code of choice against the vulnerable
-web server. It is also possible to use this exploit to stop the remote
-server from responding which would result in a DoS.
-
---
-Attack Scenarios:
-
-
---
-Ease of Attack:
-This attack would require for both the dvwssr.dll file to reside on the
-web server and for the correct permissions to be in place in order for
-the attack to be successful. Using a script to send continued requests
-for the file dvwssr.dll would make a denial of service attack fairly
-easy.
-
---
-False Positives:
-Web requests or web based applications which use dvwssr.dll in a context
-which in not malicious in nature.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Remove dvwssr.dll from the web server and test all necessary
-functionality. See additional references for more information.
-
---
-Contributors:
-Original rule writer unknown
-Snort documentation contributed by Chris Arsenault and Josh Gray
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
-
---
-Additional References:
-
-Security Focus BugTraq ID
-http://www.securityfocus.com/bid/1109
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0260
-
-Microsoft ms00-025
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-025.asp
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/968.txt snort-2.9.2/doc/signatures/968.txt
--- snort-2.9.0.1/doc/signatures/968.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/968.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-968
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft FrontPage
-Server Extensions.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft FrontPage Server Extensions. Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft FrontPage Server Extensions 98
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-Microsoft:
-http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1
-
---
diff -Nru snort-2.9.0.1/doc/signatures/969.txt snort-2.9.2/doc/signatures/969.txt
--- snort-2.9.0.1/doc/signatures/969.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/969.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Rule:
-
---
-Sid:
-969
-
---
-Summary:
-This event is generated when an attempt is made to request a file by the HTTP LOCK method.
-
---
-Impact:
-Denial of service. Repeated successful attempts can consume all CPU resources subsequently crashing the victim server.
-
---
-Detailed Information:
-The WebDAV (Web Distributed Authoring and Versioning) component of Microsoft's Internet Information Services (IIS) provides extensions to the HTTP protocol allowing users to edit and manage files on the remote web server. A specially crafted request processed by WebDAV can consume CPU resources on the web server host causing it to crash.
-
---
-Affected Systems:
-Windows 2000 systems running IIS 5.0.
-
---
-Attack Scenarios:
-An attacker can craft an HTTP request processed by WebDAV that exhausts CPU resources and causes the system to crash.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Consider using the IIS Lockdown Tool to disable WebDAV if it is not necessary.
-
-Download and install the appropriate patch mentioned in the Microsoft bulletin.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/2736
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/970.txt snort-2.9.2/doc/signatures/970.txt
--- snort-2.9.0.1/doc/signatures/970.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/970.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,56 +0,0 @@
-Rule:
-
---
-Sid:
-1283
-
---
-Summary:
-This event is generated when an attempt is made to cause a denial of service of WWW Publishing Service and IIS Administration software.
-
---
-Impact:
-Denial of service. This attack may cause a vulnerable server to stop.
-
---
-Detailed Information:
-Outlook Web Access (OWA) is an optional feature of Microsoft Exchange Server that allows a user to access mail through a web interface supported by Internet Information Services (IIS). A denial of service of the support software WWW Publishing service and IIS Administration can occur when a user enters a long string of '%' characters in the Log On field in OWA and enters these characcters in the username and password field received in the NT challenge dialog.
-
---
-Affected Systems:
-Microsoft Exchange Server 5.5 and Microsoft Exchange Server 5.5 SP1, SP2, SP3, SP4
-
---
-Attack Scenarios:
-An attacker can enter a long string of '%' characters in OWA Log On and challenge fields to cause a denial of service against a vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to the most current version of Microsoft Exchange Server.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/3223
-
---
diff -Nru snort-2.9.0.1/doc/signatures/971.txt snort-2.9.2/doc/signatures/971.txt
--- snort-2.9.0.1/doc/signatures/971.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/971.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
---
-Sid:
-971
-
---
-
-Summary:
-This event is generated when an attempt is made to compromise a web
-server running IIS 5.0 by exploiting the ".printer" bug.
-
---
-Impact:
-Serious. Remote unauthorized administrative access.
-
---
-Detailed Information:
-With the increasing pervasion of the Internet, vendors are adding
-features into their software to support the networked world.
-Microsoft's initial implementation of one such feature were the
-".printer" extensions on IIS 5.0 that first shipped with Windows 2000.
-
-A bug exsisted in the initial release that could result in remote system
-level access to the web server. A patch has been released that fixes
-this bug.
-
---
-Attack Scenarios:
-A hacker could use this vulnerability to get a remote, system level
-command prompt on the server.
-
---
-Ease of Attack:
-Simple. Exploit software exists.
-
---
-False Positives:
-There are legitimate uses of the ".printer" feature, though it is
-unknown how widely it is used. You should know if this feature is
-implemented on your web servers.
-
---
-False Negatives:
-None Known
-
---
-Corrective Action:
-Install latest patches from the vendor, or disable the ".printer" extensions using the IIS administration tool.
-
---
-Contributors:
-Original rule writer unknown
-Original document author unkown
-Sourcefire Vulnerability Research Team
-Nigel Houghton
-
---
-Additional References:
-Vendor Security Bulletin: MS01-023
-Bugtraq Archive: url,http://www.securityfocus.com/archive/1/181937
-
---
diff -Nru snort-2.9.0.1/doc/signatures/972.txt snort-2.9.2/doc/signatures/972.txt
--- snort-2.9.0.1/doc/signatures/972.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/972.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Will be obsolete when httpinspect is used
-Rule:
-
---
-Sid:
-972
-
---
-Summary:
-This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file when the period is hex encoded as "%2e".
-
---
-Impact:
-Intelligence gathering activity. A vulnerability exists that discloses the .asp file contents when it is reference using the "%2e" hex encoding.
-
---
-Detailed Information:
-Microsoft Internet Information Service (IIS) uses Active Server Page to supply HTML and server-side scripting. ASP files use a .asp extension. When the period of the .asp is hex-encoded with a "%2e" to reference an ASP file, the contents of the file are disclosed.
-
---
-Affected Systems:
-Hosts running IIS 3.0
-
---
-Attack Scenarios:
-An attacker can attempt use the hex-encoded reference to the .asp file to see the contents of the file. Sensitive information may by disclosed depending on the selected file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0253
-
-Bugtraq:
-http://www.securityfocus.com/bid/1814
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/973.txt snort-2.9.2/doc/signatures/973.txt
--- snort-2.9.0.1/doc/signatures/973.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/973.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,59 +0,0 @@
-Rule:
-
---
-Sid:
-973
-
---
-Summary:
-This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands on the victim server.
-
---
-Detailed Information:
-Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL. A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.
-
---
-Affected Systems:
-IIS 4.0 hosts
-
---
-Attack Scenarios:
-An attacker can send a malformed request of a .idc file that causes a buffer overflow.
-
---
-Ease of Attack:
-Simple. Exploit code is freely available.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
-
-Bugtraq:
-http://www.securityfocus.com/bid/307
-
---
diff -Nru snort-2.9.0.1/doc/signatures/974.txt snort-2.9.2/doc/signatures/974.txt
--- snort-2.9.0.1/doc/signatures/974.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/974.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-Comment - move to deleted rules - applies to IIS 1.0 and decode/inspect should now find this.
-Rule:
-
-
---
-Sid:
-974
-
---
-Summary:
-This event is generated when an attempt is made to peform a denial of service against Internet Information Service (IIS) 1.0 hosts.
-
---
-Impact:
-Denial of service. This attack may cause an IIS 1.0 server to crash.
-
---
-Detailed Information:
-IIS 1.0 servers are vulnerable to a denial of service attack when a malformed request containing "..\.." is sent to the server. The service must be restarted to restore functionality.
-
---
-Affected Systems:
-IIS 1.0 Servers
-
---
-Attack Scenarios:
-An attacker can send a malformed request to a vulnerable IIS server to cause a denial of service.
-
---
-Ease of Attack:
-Simple. Send a request similar to this: GET ..\..
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229
-
-Bugtraq:
-http://www.securityfocus.com/bid/2218
-
---
diff -Nru snort-2.9.0.1/doc/signatures/975.txt snort-2.9.2/doc/signatures/975.txt
--- snort-2.9.0.1/doc/signatures/975.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/975.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Should be obsolete when httpinspect is used
-Rule:
-
---
-Sid:
-975
-
---
-Summary:
-This event is generated when an attempt is made to access an Active Server Page (ASP) .asp file to disclose its contents.
-
---
-Impact:
-Intelligence gathering activity. A vulnerability exists that discloses the .asp file contents when the file name is appended with "::$DATA".
-
---
-Detailed Information:
-Microsoft Internet Information Service (IIS) uses Active Server Page to supply HTML and server-side scripting. ASP files use a .asp extension. When the file name is appended with "::$DATA", the contents of the file are disclosed instead of executing the .asp file.
-
---
-Affected Systems:
-Hosts running IIS 3.0, IIS 4.0
-
---
-Attack Scenarios:
-An attacker can attempt to reference a .asp file appended with "::$DATA" to see the contents of the file. Sensitive information may by disclosed depending on the selected file.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Microsoft
-http://support.microsoft.com/default.aspx?scid=kb;EN-US;q188806
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0278
-
-Bugtraq
-http://www.securityfocus.com/bid/149
-
-Nessus
-http://cgi.nessus.org/plugins/dump.php3?id=10362
-
---
diff -Nru snort-2.9.0.1/doc/signatures/976.txt snort-2.9.2/doc/signatures/976.txt
--- snort-2.9.0.1/doc/signatures/976.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/976.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-Rule:
-
---
-Sid:
-976
-
---
-Summary:
-This event is generated when an attempt is made to reference a .bat file to execute arbitrary commands on an Internet Information Services (IIS) server.
-
---
-Impact:
-Remote access. This attack can execute arbitrary commands on the IIS server with the privileges of the user running IIS.
-
---
-Detailed Information:
-Microsoft Internet Information Service (IIS) uses .bat and .cmd to execute code using the Common Gateway Interface (CGI). A .bat file or .cmd file can be passed a malicious command to be executed on the server. This is accomplished by preceding the malicious command with an ampersand. This allows execution of arbitrary commands with the privileges of the user running IIS.
-
---
-Affected Systems:
-Hosts running IIS 1.0
-
---
-Attack Scenarios:
-An attacker can pass a .bat or .cmd file a malicious command to be executed.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of IIS.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Microsoft
-http://support.microsoft.com/support/kb/articles/Q148/1/88.asp
-http://support.microsoft.com/support/kb/articles/Q155/0/56.asp
-
-CVE
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0233
-
-Bugtraq
-http://www.securityfocus.com/bid/2023
-
-Nessus
-http://cgi.nessus.org/plugins/dump.php3?id=10362
-
---
diff -Nru snort-2.9.0.1/doc/signatures/977.txt snort-2.9.2/doc/signatures/977.txt
--- snort-2.9.0.1/doc/signatures/977.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/977.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 977
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/978.txt snort-2.9.2/doc/signatures/978.txt
--- snort-2.9.0.1/doc/signatures/978.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/978.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Will %20 disappear with httpinspect?
-Rule:
-
---
-Sid:
-978
-
---
-Summary:
-This event is generated when an attempt is made to disclose the contents of a file on an Internet Information Service (IIS) host.
-
---
-Impact:
-Intelligence gathering activity. This attack can display the contents of an Activer Server Page (ASP) file or other files located on the server.
-
---
-Detailed Information:
-A vulnerability exists in Windows NT 4.0 Option Pack and Windows 2000 Index Server. The Index Server is a search engine used by IIS that allows a user's browser to search for text in HTML and other documents. The Index Server has a Hit-Hightlighting component that highlights the text that satisifies the user's query. A vulnerability exists in the webhits.dll file that allows disclosure of file contents when a URL is crafted to contain a hex-encoded space "%20" after the file name passed to webhits.dll and setting 'CiHiliteType' to 'Full' and 'CiRestriction' to 'none'
-
---
-Affected Systems:
-Hosts running Microsoft Index Server 2.0
-
---
-Attack Scenarios:
-An attacker can attempt to disclose the contents of a file by crafting a special URL to access the Hit-Highlighting component of the Index Server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch discussed in the referenced Microsoft Bulletin.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/1084
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0302
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/979.txt snort-2.9.2/doc/signatures/979.txt
--- snort-2.9.0.1/doc/signatures/979.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/979.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-979
-
---
-Summary:
-This event is generated when an attempt is made to exploit a cross-site scripting vulnerability associated with a file having a .htw extension.
-
---
-Impact:
-Cross-site scripting. This attack may allow the execution of arbitrary commands on a victim host that visits a vulnerable server.
-
---
-Detailed Information:
-The Microsoft Indexing Service is vulnerable to a cross-site scripting exploit because of a failure to properly filter user input associated with files with a .htw extension. This vulnerability is associated with Indexing Service component (CiWebHitsFile). This may allow an attacker to execute abitrary code on the victim host that visits the vulnerable server.
-
---
-
-Affected Systems:
-Microsoft Indexing Services for Windows NT 4.0 and Windows 2000
-
-
---
-Attack Scenarios:
-An attacker can inject malicious code in a vulernable server. This may allow execution of arbitrary code on the victim host that visits the vulnerable server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch discussed in the referenced Microsoft Bulletin.
-
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/1861
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0942
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-084.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/980.txt snort-2.9.2/doc/signatures/980.txt
--- snort-2.9.0.1/doc/signatures/980.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/980.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
-
---
-Sid:
-980
-
---
-Summary:
-This event is generated when an attempt is made to disclose the contents of a file on an host running Stalkerlab's CGIMail server.
-
---
-Impact:
-Intelligence gathering activity. This attack can display the contents of a file on the server.
-
---
-Detailed Information:
-
-Stalkerlab's CGIMail is a CGI program that permits an HTTP server to send SMTP mail using the data from the HTLM form. A vulnerability exits in the CGImail.exe program that can disclose the contents of files on the web server. This can be accomplished by locally modifying the Web page that sends data to the SMTP server. The modifications would include setting specific variable values to file names that the attacker wishes to examine.
-
-
---
-Affected Systems:
-Hosts running Stalkerlab CGIMail 1.1.2
-
---
-Attack Scenarios:
-An attacker can modify an HTML form used by Stalkerlab CGIMail that passes data to the SMTP server. This can permit disclosure of file contents on the server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-No known remedy or patch is available.
-
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-Bugtraq
-http://www.securityfocus.com/bid/1623
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0726
-
---
diff -Nru snort-2.9.0.1/doc/signatures/981.txt snort-2.9.2/doc/signatures/981.txt
--- snort-2.9.0.1/doc/signatures/981.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/981.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-981
-
---
-Summary:
-This event is generated when an attempt is made use a unicode encoded representaion of a "/" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server.
-
---
-Impact:
-Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server.
-
---
-Detailed Information:
-User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "/" to escape the web root. This may permit an attacker to execute commands on the vulnerable server.
-
---
-Affected Systems:
-IIS 4.0, 5.0 servers
-
---
-Attack Scenarios:
-An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server.
-
---
-Ease of Attack:
-Simple.
-GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch referenced in the Microsoft link.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/982.txt snort-2.9.2/doc/signatures/982.txt
--- snort-2.9.0.1/doc/signatures/982.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/982.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-982
-
---
-Summary:
-This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server.
-
---
-Impact:
-Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server.
-
---
-Detailed Information:
-User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "\" to escape the web root. This may permit an attacker to execute commands on the vulnerable server.
-
---
-Affected Systems:
-IIS 4.0, 5.0 servers
-
---
-Attack Scenarios:
-An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server.
-
---
-Ease of Attack:
-Simple.
-GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch referenced in the Microsoft link.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/983.txt snort-2.9.2/doc/signatures/983.txt
--- snort-2.9.0.1/doc/signatures/983.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/983.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-983
-
---
-Summary:
-This event is generated when an attempt is made use a unicode encoded representaion of a "\" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server.
-
---
-Impact:
-Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server.
-
---
-Detailed Information:
-User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "\" to escape the web root. This may permit an attacker to execute commands on the vulnerable server.
-
---
-Affected Systems:
-IIS 4.0, 5.0 servers
-
---
-Attack Scenarios:
-An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server.
-
---
-Ease of Attack:
-Simple.
-GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch referenced in the Microsoft link.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/984.txt snort-2.9.2/doc/signatures/984.txt
--- snort-2.9.0.1/doc/signatures/984.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/984.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-984
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft Internet Information
-Server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft Internet Information Server (IIS). Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft IIS
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/985.txt snort-2.9.2/doc/signatures/985.txt
--- snort-2.9.0.1/doc/signatures/985.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/985.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,62 +0,0 @@
-Rule:
-
---
-Sid:
-985
-
---
-Summary:
-This event is generated when an attempt is made to exploit a known
-vulnerability in a web server running Microsoft Internet Information
-Server.
-
---
-Impact:
-Information gathering and system integrity compromise. Possible unauthorized
-administrative access to the server or application. Possible execution
-of arbitrary code of the attackers choosing in some cases. Denial of
-Service is possible.
-
---
-Detailed Information:
-This event is generated when an attempt is made to compromise a host
-running Microsoft Internet Information Server (IIS). Many known
-vulnerabilities exist for this platform and the attack scenarios are
-legion.
-
---
-Affected Systems:
- All systems running Microsoft IIS
-
---
-Attack Scenarios:
-Many attack vectors are possible from simple directory traversal to
-exploitation of buffer overflow conditions.
-
---
-Ease of Attack:
-Simple. Many exploits exist.
-
---
-False Positives:
-None known.
-
---
-False Negatives:
-None known.
-
---
-Corrective Action:
-Ensure the system is using an up to date version of the software and has
-had all vendor supplied patches applied.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/986.txt snort-2.9.2/doc/signatures/986.txt
--- snort-2.9.0.1/doc/signatures/986.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/986.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 986
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/987.txt snort-2.9.2/doc/signatures/987.txt
--- snort-2.9.0.1/doc/signatures/987.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/987.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,65 +0,0 @@
-Rule:
-
---
-Sid:
-987
-
---
-Summary:
-This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request.
-
---
-Impact:
-Information gathering. Fragments of the source code of an ASP may be returned possibly disclosing sensitive information.
-
---
-Detailed Information:
-HTR is an older scripting language still supported by Internet Information Service (IIS). HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests. This may disclose parts of the source code associated with a .asp file referenced in the request.
-
---
-Affected Systems:
-
-Microsoft IIS 4.0, 5.0
-
---
-Attack Scenarios:
-An attacker can craft a malformed request to disclose source code possibly revealing sensitive information.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch referenced in the Microsoft link.
-
-Consider running the IIS Lockdown Tool to disable HTR functionality.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063
-
-Bugtraq
-http://www.securityfocus.com/bid/1488
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/988.txt snort-2.9.2/doc/signatures/988.txt
--- snort-2.9.0.1/doc/signatures/988.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/988.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,60 +0,0 @@
-Rule:
-
---
-Sid:
-988
---
-Summary:
-This event is generated when an attempt is made to access the Windows Security Accounts Manager (SAM) password file via a web request.
-
---
-Impact:
-Information gathering - An attacker tried to get the Windows password file
-
---
-Detailed Information:
-The SAM password file contains Windows logins which are NTLM or LANMAN hashes on Windows NT/2K/XP hosts.
-
-The hash algorithms are weak and can be cracked within few minutes/hours if passwords are weak.
-
---
-Affected Systems:
-Windows NT 3.x and 4.0
-
---
-Attack Scenarios:
-If an attacker can get the real SAM file and is able to gain clear text passwords, the host can be compromised using the Administrator's login.
-
---
-Ease of Attack:
-Simple. Exploit scripts are available. The host may be already compromised depending on the password strength used on the server.
-
---
-False Positives:
-None Known
-
---
-False Negatives:
-None known
-
---
-Corrective Action:
-Change all Windows passwords.
-
-Apply appropriate vendor supplied patches.
-
-Upgrade to the latest non-affected version of the software.
-
---
-Contributors:
-Original Rule Writer Unknown
-Snort documentation contributed by Ueli Kistler,
-Sourcefire Research Team
-Nigel Houghton
-
---
-Additional References:
-
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/989.txt snort-2.9.2/doc/signatures/989.txt
--- snort-2.9.0.1/doc/signatures/989.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/989.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Changed message since it really didn't reflect what was happening
-Rule:
-
---
-Sid:
-989
-
---
-Summary:
-This event is generated when an attempt is made to access the sensepost.exe file.
-
---
-Impact:
-Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server.
-
---
-Detailed Information:
-A vulnerability associated Microsoft Internet Information Services (IIS) servers allows an attacker to escape the web root directory (inetpub) permitting navigation to unauthorized directories. This vulnerability is exploitable by encoding characters in unicode because unauthorized directory traversal is not examined after the unicode decoding. A widely available script exploits this vulnerability and copies the \winnt\system32\cmd.exe file to \inetpub\scripts\sensepost.exe, essentially allowing an attacker to execute arbitrary commands on the vulnerable host even after the patch has been applied.
-
---
-Affected Systems:
-Microsoft IIS 4.0, 5.0
-
---
-Attack Scenarios:
-An attacker can attempt to access the sensepost.exe file to execute arbitrary commands on the exploited server.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply the patch referenced in the Microsoft link.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884
-
-Bugtraq
-http://www.securityfocus.com/bid/1806
-
-Microsoft
-http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
-
---
diff -Nru snort-2.9.0.1/doc/signatures/990.txt snort-2.9.2/doc/signatures/990.txt
--- snort-2.9.0.1/doc/signatures/990.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/990.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-Can't find affected system versions
-Rule:
-
---
-Sid:
-990
-
---
-Summary:
-This event is generated when an attempt is made to access a file with '_vti_inf' in the name.
-
---
-Impact:
-Information gathering. This attack can leak the version number and scripting paths of Microsoft FrontPage.
-
---
-Detailed Information:
-Microsoft FrontPage provides software for web designers to generate and administer web pages. The file '_vti_inf.html' contains FrontPage configuration information of version number and scripting paths that is normally used by a FrontPage client to communicate with the server. An attacker can craft a URL to access this file to disclose the version number and scripting paths.
-
---
-Affected Systems:
-???
-
---
-Attack Scenarios:
-An attacker can craft a URL to access the '_vti_inf' file to learn the version and scripting paths of FrontPage.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Apply patches and upgrade to most current version of FrontPage.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
---
diff -Nru snort-2.9.0.1/doc/signatures/991.txt snort-2.9.2/doc/signatures/991.txt
--- snort-2.9.0.1/doc/signatures/991.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/991.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-991
-
-
---
-Summary:
-This event is generated when an attempt is made to request an HTTP-based password change.
-
---
-Impact:
-Information gathering/remote access. Error messages from failed password changes can indicate whether a given account exists on the server. Successful password changes can allow remote access to the server.
-
---
-Detailed Information:
-Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes. The iisadmpwd directory has several .HTR files that are used to implement the password changes. An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist.
-
---
-Affected Systems:
-
-Microsoft IIS 4.0
-
---
-Attack Scenarios:
-An attacker can request password changes to discover existing accounts or brute force password changes.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the IISADMPWD virtual directory to disable remote password changes.
-
-Consider running the IIS Lockdown Tool to disable HTR functionality.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
-
-Bugtraq
-http://www.securityfocus.com/bid/2110
-
---
diff -Nru snort-2.9.0.1/doc/signatures/992.txt snort-2.9.2/doc/signatures/992.txt
--- snort-2.9.0.1/doc/signatures/992.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/992.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 992
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/993.txt snort-2.9.2/doc/signatures/993.txt
--- snort-2.9.0.1/doc/signatures/993.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/993.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 993
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/994.txt snort-2.9.2/doc/signatures/994.txt
--- snort-2.9.0.1/doc/signatures/994.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/994.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 994
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/995.txt snort-2.9.2/doc/signatures/995.txt
--- snort-2.9.0.1/doc/signatures/995.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/995.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule
-
---
-Sid:
-995
-
-
---
-Summary:
-This event is generated when an attempt is made to request an HTTP-based password change.
-
---
-Impact:
-Information gathering/remote access. Error messages from failed password changes can indicate whether a given account exists on the server. Successful password changes can allow remote access to the server.
-
---
-Detailed Information:
-Microsoft Internet Information Services (IIS) Version 4 servers that were upgraded from IIS 2 or 3 have a legacy ism.dll file that allows web-based administration. Upon sending a request to ism.dll, the user will be prompted for a userid and password. An attacker can attempt to brute force guess a password, allowing remote access to the server.
-
---
-Affected Systems:
-
-Microsoft IIS 4.0 servers upgraded from IIS 2.0 or 3.0
-
---
-Attack Scenarios:
-An attacker can request password changes to discover existing accounts or brute force password changes.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Upgrade to a more current version of ISS.
-
-Consider running the IIS Lockdown Tool to disable unnecessary functionality.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1538
-
-Bugtraq
-http://www.securityfocus.com/bid/189
-
---
diff -Nru snort-2.9.0.1/doc/signatures/996.txt snort-2.9.2/doc/signatures/996.txt
--- snort-2.9.0.1/doc/signatures/996.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/996.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-Rule:
-
---
-Sid:
-996
-
-
---
-Summary:
-This event is generated when an attempt is made to request an HTTP-based password change.
-
---
-Impact:
-Information gathering/remote access. Error messages from failed password changes can indicate whether a given account exists on the server. Successful password changes can allow remote access to the server.
-
---
-Detailed Information:
-Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes. The iisadmpwd directory has several .HTR files that are used to implement the password changes. An attacker can request a change and use a returned form to supply an account name, existing password, and new password either to brute force changes or discover whether a specific account name exist.
-
---
-Affected Systems:
-
-Microsoft IIS 4.0
-
---
-Attack Scenarios:
-An attacker can request password changes to discover existing accounts or brute force password changes.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Remove the IISADMPWD virtual directory to disable remote password changes.
-
-Consider running the IIS Lockdown Tool to disable HTR functionality.
-
---
-Contributors:
-Original rule writer unknown
-Modified by Brian Caswell
-Sourcefire Research Team
-Judy Novak
-
---
-Additional References:
-
-CVE
-http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0407
-
-Bugtraq
-http://www.securityfocus.com/bid/2110
-
---
diff -Nru snort-2.9.0.1/doc/signatures/997.txt snort-2.9.2/doc/signatures/997.txt
--- snort-2.9.0.1/doc/signatures/997.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/997.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 997
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/998.txt snort-2.9.2/doc/signatures/998.txt
--- snort-2.9.0.1/doc/signatures/998.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/998.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@
-Rule:
-
---
-Sid: 998
-
-
---
-Summary:
-This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
-
---
-Impact:
-Information gathering possible administrator access.
-
---
-Detailed Information:
-This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
-
-The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
-
-The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
-
-Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
-
---
-Affected Systems:
-Any host using IIS.
-
---
-Attack Scenarios:
-An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
-
---
-Ease of Attack:
-Simple.
-
---
-False Positives:
-None Known.
-
---
-False Negatives:
-None Known.
-
---
-Corrective Action:
-Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
-
-Ensure that the IIS implementation is fully patched.
-
-Ensure that the underlying operating system is fully patched.
-
-Employ strategies to harden the IIS implementation and operating system.
-
-Check the host for signs of compromise.
-
---
-Contributors:
-Sourcefire Research Team
-Brian Caswell
-Nigel Houghton
-
---
-Additional References:
-
-
---
diff -Nru snort-2.9.0.1/doc/signatures/999.txt snort-2.9.2/doc/signatures/999.txt
--- snort-2.9.0.1/doc/signatures/999.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/doc/signatures/999.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,67 +0,0 @@ -Rule: - --- -Sid: 999 - - --- -Summary: -This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS). - --- -Impact: -Information gathering possible administrator access. - --- -Detailed Information: -This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS. - -The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information. - -The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information. - -Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources. - --- -Affected Systems: -Any host using IIS. - --- -Attack Scenarios: -An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database. - --- -Ease of Attack: -Simple. - --- -False Positives: -None Known. - --- -False Negatives: -None Known. - --- -Corrective Action: -Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. - -Ensure that the IIS implementation is fully patched. - -Ensure that the underlying operating system is fully patched. - -Employ strategies to harden the IIS implementation and operating system. - -Check the host for signs of compromise. 
- --- -Contributors: -Sourcefire Research Team -Brian Caswell -Nigel Houghton - --- -Additional References: - - --- diff -Nru snort-2.9.0.1/doc/signatures/snort-sid-template.txt snort-2.9.2/doc/signatures/snort-sid-template.txt --- snort-2.9.0.1/doc/signatures/snort-sid-template.txt 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/signatures/snort-sid-template.txt 1969-12-31 16:00:00.000000000 -0800 @@ -1,48 +0,0 @@ -# This is a template for submitting snort signature descriptions to -# the snort.org website -# -# Ensure that your descriptions are your own -# and not the work of others. References in the rules themselves -# should be used for linking to other's work. -# -# If you are unsure of some part of a rule, use that as a commentary -# and someone else perhaps will be able to fix it. -# -# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $ -# -# - -Rule: - --- -Sid: - --- -Summary: - --- -Impact: - --- -Detailed Information: - --- -Attack Scenarios: - --- -Ease of Attack: - --- -False Positives: - --- -False Negatives: - --- -Corrective Action: - --- -Contributors: - --- -Additional References: Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/doc/snort_manual.pdf and /tmp/wllGJXgrVI/snort-2.9.2/doc/snort_manual.pdf differ diff -Nru snort-2.9.0.1/doc/snort_manual.tex snort-2.9.2/doc/snort_manual.tex --- snort-2.9.0.1/doc/snort_manual.tex 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/doc/snort_manual.tex 2011-12-07 11:24:50.000000000 -0800 @@ -16,7 +16,7 @@ %\IfFileExists{url.sty}{\usepackage{url}} % {\newcommand{\url}{\texttt}} -\usepackage{hyperref} +\usepackage{html} % \makeatletter @@ -71,18 +71,18 @@ } %\end{latexonly} -%\begin{htmlonly} -%\newenvironment{note}{ -% \begin{rawhtml} -%

-% Note:   -% \end{rawhtml} -%}{ -% \begin{rawhtml} -%

-% \end{rawhtml} -%} -%\end{htmlonly} +\begin{htmlonly} +\newenvironment{note}{ + \begin{rawhtml} +

+ Note:   + \end{rawhtml} +}{ + \begin{rawhtml} +

+ \end{rawhtml} +} +\end{htmlonly} \usepackage{babel} @@ -101,7 +101,7 @@ \begin{document} -\title{SNORT\textsuperscript{\textregistered} Users Manual\\2.9.0} +\title{SNORT\textsuperscript{\textregistered} Users Manual\\2.9.2} \author{The Snort Project} @@ -113,7 +113,7 @@ Copyright \copyright 2001-2003 Chris Green -Copyright \copyright 2003-2010 Sourcefire, Inc. +Copyright \copyright 2003-2011 Sourcefire, Inc. \tableofcontents{} @@ -479,6 +479,23 @@ requiring changes to Snort. It is possible to select the DAQ type and mode when invoking Snort to perform PCAP readback or inline operation, etc. +\begin{note} + +Some network cards have features named "Large Receive Offload" (lro) and "Generic +Receieve Offload" (gro). With these features enabled, the network card performs +packet reassembly before they're processed by the kernel. + +By default, Snort will truncate packets larger than the default snaplen of 1518 +bytes. In addition, LRO and GRO may cause issues with Stream5 target-based +reassembly. We recommend that you turn off LRO and GRO. On linux systems, you can run: + +\begin{verbatim} + $ ethtool -K eth1 gro off + $ ethtool -K eth1 lro off +\end{verbatim} + +\end{note} + \subsection{Configuration} Assuming that you did not disable static modules or change the default DAQ @@ -1103,6 +1120,9 @@ \item Event Limit counts events not alerted due to \texttt{event\_filter} limits. + +\item Alert Limit counts events were not alerted because they already +were triggered on the session. \end{itemize} Verdicts are rendered by Snort on each packet: @@ -1140,10 +1160,12 @@ Alerts: 0 ( 0.000%) Logged: 0 ( 0.000%) Passed: 0 ( 0.000%) -Match Limit: 0 -Queue Limit: 0 - Log Limit: 0 -Event Limit: 0 +Limits: + Match: 0 + Queue: 0 + Log: 0 + Event: 0 + Alert: 0 Verdicts: Allow: 3716022 (100.000%) Block: 0 ( 0.000%) 
@@ -1248,7 +1270,7 @@ \subsection{Running in Rule Stub Creation Mode} -If you need to dump the shared object rules stub to a directory, you might need to use the --dump-dynamic-rules option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute. +If you need to dump the shared object rules stub to a directory, you must use the --dump-dynamic-rules command line option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute. \begin{verbatim} /usr/local/bin/snort -c /usr/local/etc/snort.conf \ 
@@ -1373,49 +1395,129 @@ \texttt{Behavior of different modes with rules actions} -\begin{tabular}{|l|c|c|p{6cm}|} +\begin{tabular}{|l|c|c|c|} \hline Adapter Mode & Snort args & config policy\_mode & Drop Rule Handling\\ \hline \hline -Passive & \texttt{snort --treat-drop-as-alert} & tap & Alert\\ +Passive & \texttt{ --treat-drop-as-alert} & tap & Alert\\ \hline -Passive & \texttt{snort} & tap & Not Loaded\\ +Passive & \texttt{ no args} & tap & Not Loaded\\ \hline -Passive & \texttt{snort --treat-drop-as-alert} & inline\_test & Alert\\ +Passive & \texttt{ --treat-drop-as-alert} & inline\_test & Alert\\ \hline -Passive & \texttt{snort} & inline\_test & Would Drop\\ +Passive & \texttt{ no args} & inline\_test & Would Drop\\ \hline -Passive & \texttt{snort --treat-drop-as-alert} & inline & Alert\\ +Passive & \texttt{ --treat-drop-as-alert} & inline & Alert\\ \hline -Passive & \texttt{snort} & inline & Not loaded + warning\\ +Passive & \texttt{no args} & inline & Not loaded + warning\\ \hline -Inline Test & \texttt{snort --enable-inline-test --treat-drop-as-alert} & tap & Alert\\ +Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & tap & Alert\\ \hline -Inline Test & \texttt{snort --enable-inline-test} & tap & Would Drop\\ +Inline Test & \texttt{ --enable-inline-test} & tap & Would Drop\\ \hline -Inline Test & \texttt{snort --enable-inline-test --treat-drop-as-alert} & inline\_test & Alert\\ +Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & inline\_test & Alert\\ \hline -Inline Test & \texttt{snort --enable-inline-test} & inline\_test & Would Drop\\ +Inline Test & \texttt{ --enable-inline-test} & inline\_test & Would Drop\\ \hline -Inline Test & \texttt{snort --enable-inline-test --treat-drop-as-alert} & inline & Alert\\ +Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & inline & Alert\\ \hline -Inline Test & \texttt{snort --enable-inline-test} & inline & Would Drop\\ +Inline Test & \texttt{ --enable-inline-test} & 
inline & Would Drop\\ \hline -Inline & \texttt{snort -Q --treat-drop-as-alert} & tap & Alert\\ +Inline & \texttt{ -Q --treat-drop-as-alert} & tap & Alert\\ \hline -Inline & \texttt{snort -Q} & tap & Alert\\ +Inline & \texttt{ -Q} & tap & Alert\\ \hline -Inline & \texttt{snort -Q --treat-drop-as-alert} & inline\_test & Alert\\ +Inline & \texttt{ -Q --treat-drop-as-alert} & inline\_test & Alert\\ \hline -Inline & \texttt{snort -Q} & inline\_test & Would Drop\\ +Inline & \texttt{ -Q} & inline\_test & Would Drop\\ \hline -Inline & \texttt{snort -Q --treat-drop-as-alert} & inline & Alert\\ +Inline & \texttt{ -Q --treat-drop-as-alert} & inline & Alert\\ \hline -Inline & \texttt{snort -Q} & inline & Drop\\ +Inline & \texttt{ -Q} & inline & Drop\\ \hline \end{tabular} +\section{Control socket} +\label{control_socket} +Snort can be configured to provide a Unix socket that can be used to issue commands +to the running process. You must build snort with the +\texttt{--enable-control-socket} option. The control socket +functionality is supported on Linux only.\\ + +Snort can be configured to use control socket using the command line argument \texttt{--cs-dir } + and snort config option \texttt{cs\_dir} as follows: + +\begin{verbatim} + snort --cs-dir + config cs_dir: +\end{verbatim} + +\texttt{} specifies the directory for snort to creat the socket. If relative path is used, +the path is relative to pid path specified. If there is no pid path specified, it is relative to +current working directory. + +A command \texttt{snort\_control} is made and installed along with snort in the same +bin directory when configured with the \texttt{--enable-control-socket} option. + +\section{Configure signal value} +\label{configure_signal} +On some systems, signal used by snort might be used by other functions. To avoid conflicts, +users can change the default signal value through \texttt{./configure} options for non-Windows system. 
+ +These signals can be changed: +\begin{itemize} +\item \texttt{SIGNAL\_SNORT\_RELOAD} +\item \texttt{SIGNAL\_SNORT\_DUMP\_STATS} +\item \texttt{SIGNAL\_SNORT\_ROTATE\_STATS} +\item \texttt{SIGNAL\_SNORT\_READ\_ATTR\_TBL} +\end{itemize} + +Syntax: + +\begin{verbatim} + ./configure SIGNAL_SNORT_RELOAD= SIGNAL_SNORT_DUMP_STATS=\ + SIGNAL_SNORT_READ_ATTR_TBL= SIGNAL_SNORT_ROTATE_STATS= +\end{verbatim} + +You can set those signals to user defined values or known signal names in the system. +The following example changes the rotate stats signal to 31 and reload attribute table to +signal SIGUSR2 : + +\begin{verbatim} + ./configure SIGNAL_SNORT_ROTATE_STATS=31 SIGNAL_SNORT_READ_ATTR_TBL=SIGUSR2 +\end{verbatim} + +If the same signal is assigned more than once a warning will be logged +during snort initialization. If a signal handler cannot be installed a warning +will be logged and that has to be fixed, otherwise the functionality will be lost. + +\texttt{Signals used in snort} + +\begin{tabular}{|l|l|l|} +\hline +Signal name & Default value & Action \\ +\hline +\hline +SIGTERM & SIGTERM & exit \\ +\hline +SIGINT & SIGINT & exit \\ +\hline +SIGQUIT & SIGQUIT & exit \\ +\hline +SIGPIPE & SIGPIPE & ignore \\ +\hline +SIGNAL\_SNORT\_RELOAD & SIGHUP & reload snort \\ +\hline +SIGNAL\_SNORT\_DUMP\_STATS & SIGUSR1 & dump stats \\ +\hline +SIGNAL\_SNORT\_ROTATE\_STATS & SIGUSR2 & rotate stats \\ +\hline +SIGNAL\_SNORT\_READ\_ATTR\_TBL & SIGURG & reload attribute table \\ +\hline +SIGNAL\_SNORT\_CHILD\_READY & SIGCHLD & internal use in daemon mode \\ +\hline +\end{tabular} \section{More Information} @@ -1779,6 +1881,11 @@ \ref{Snort Default Classifications} for a list of classifications.\\ \hline +\texttt{config cs\_dir: } & configure snort to provide a Unix socket in the path +that can be used to issue commands to the running process. See Section +\ref{control_socket} for more details.\\ + +\hline \texttt{config daemon} & Forks as a daemon (\texttt{snort -D}). \\ \hline 
@@ -1817,6 +1924,13 @@ DAQ directory options to look in multiple directories. \\ \hline +\texttt{config decode\_esp: [enable | disable]} & Enable or disable the decoding of +Encapsulated Security Protocol (ESP). This is disabled by default. +Some networks use ESP for authentication without encryption, allowing their +content to be inspected. Encrypted ESP may cause some false positives if this +option is enabled.\\ + +\hline \texttt{config detection: [search-method ]} & Select type of fast pattern matcher algorithm to use. \begin{itemize} @@ -1910,7 +2024,8 @@ \end{itemize} \item \texttt{max\_queue\_events } \begin{itemize} -\item Specifies the maximum number of events to queue per packet. Default is 5 events. +\item Specifies the maximum number of matching fast-pattern states to queue per packet. +Default is 5 events. \end{itemize} \item \texttt{enable-single-rule-group} \begin{itemize} @@ -2060,11 +2175,11 @@ mode).\\ \hline -\texttt{enable\_tcpopt\_ttcp\_drops} & Enables the dropping of bad packets with +\texttt{config enable\_tcpopt\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\ \hline -\texttt{enable\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP +\texttt{config enable\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\ \hline @@ -2124,6 +2239,10 @@ \\ \hline +\texttt{config log\_ipv6\_extra\_data} & Set Snort to log IPv6 source and destination +addresses as unified2 extra data events. \\ + +\hline \texttt{config max\_attribute\_hosts: } & Sets a limit on the maximum number of hosts to read from the attribute table. Minimum value is 32 and the maximum is 524288 (512k). The default is 10000. If the number of hosts in the 
@@ -2233,7 +2352,7 @@ -g}). \\ \hline -\texttt{set\_uid: } & Sets UID to $<$id$>$ (\texttt{snort -u}). \\ +\texttt{config set\_uid: } & Sets UID to $<$id$>$ (\texttt{snort -u}). \\ \hline \texttt{config show\_year} & Shows year in timestamps (\texttt{snort -y}). \\ @@ -2243,6 +2362,13 @@ \texttt{-P $<$snaplen$>$} or \texttt{--snaplen $<$snaplen$>$} options.\\ \hline +\texttt{config so\_rule\_memcap: } & Set global memcap in bytes for +so rules that dynamically allocate memory for storing session data in the +stream preprocessor. A value of 0 disables the memcap. Default is 0. +Maximum value is the maximum value an unsigned 32 bit integer can hold +which is 4294967295 or 4GB.\\ + +\hline \texttt{config stateful} & Sets assurance mode for stream (stream is established). \\ @@ -2256,13 +2382,6 @@ the packet limit. \\ \hline -\texttt{config so\_rule\_memcap: } & Set global memcap in bytes for -so rules that dynamically allocate memory for storing session data in the -stream preprocessor. A value of 0 disables the memcap. Default is 0. -Maximum value is the maximum value an unsigned 32 bit integer can hold -which is 4294967295 or 4GB.\\ - -\hline \texttt{config threshold: memcap } & Set global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte). (This is deprecated. Use config event\_filter instead.)\\ @@ -2287,6 +2406,9 @@ \\ \hline +\texttt{config vlan\_agnostic} & Causes Snort to ignore vlan headers for the purposes of connection tracking. This option is only valid in the base configuration when using multiple configurations, and the default is off. \\ + +\hline \texttt{config policy\_mode: tap|inline|inline\_test} & Sets the policy mode to either \texttt{passive}, \texttt{inline} or \texttt{inline\_test}. \\ \hline 
@@ -2312,23 +2434,17 @@ \label{frag3 section} The frag3 preprocessor is a target-based IP defragmentation module for Snort. -Frag3 is intended as a replacement for the frag2 defragmentation module and was -designed with the following goals: +Frag3 is designed with the following goals: \begin{slist} -\item Faster execution than frag2 with less complex data management. +\item Fast execution with less complex data management. \item Target-based host modeling anti-evasion techniques. \end{slist} -The frag2 preprocessor used splay trees extensively for managing the data -structures associated with defragmenting packets. Splay trees are excellent -data structures to use when you have some assurance of locality of reference -for the data that you are handling but in high speed, heavily fragmented -environments the nature of the splay trees worked against the system and -actually hindered performance. Frag3 uses the sfxhash data structure and -linked lists for data handling internally which allows it to have much more -predictable and deterministic performance in any environment which should aid -us in managing heavily fragmented environments. +Frag3 uses the sfxhash data structure and linked lists for data handling +internally which allows it to have much more predictable and deterministic +performance in any environment which should aid us in managing heavily +fragmented environments. Target-based analysis is a relatively new concept in network-based intrusion detection. The idea of a target-based system is to model the actual targets on 
@@ -2370,11 +2486,10 @@ \subsubsection{Frag 3 Configuration} -Frag3 configuration is somewhat more complex than frag2. There are at least -two preprocessor directives required to activate frag3, a global configuration -directive and an engine instantiation. There can be an arbitrary number of -engines defined at startup with their own configuration, but only one global -configuration. +There are at least two preprocessor directives required to activate frag3, +a global configuration directive and an engine instantiation. There can +be an arbitrary number of engines defined at startup with their own +configuration, but only one global configuration. \textbf{Global Configuration} 
@@ -2393,12 +2508,21 @@ \item \texttt{memcap $<$bytes$>$} - Memory cap for self preservation. Default is 4MB. -\item \texttt{prealloc\_frags $<$number$>$} - Alternate memory management mode. -Use preallocated fragment nodes (faster in some situations). - -\item \texttt{disabled} - Option to turn off the preprocessor. By default this -option is turned off. When the preprocessor is disabled only the options memcap, -prealloc\_memcap, and prealloc\_frags are applied when specified with the configuration. +\item \texttt{prealloc\_memcap $<$bytes$>$} - alternate memory management mode, +use preallocated fragment nodes based on a memory cap (faster in some +situations). + +\item \texttt{prealloc\_frags $<$number$>$} - Alternate memory management mode, +use preallocated fragment nodes (faster in some situations). + +\item \texttt{disabled} - This optional keyword is allowed with any +policy to avoid packet processing. This option disables the preprocessor +for this config, but not for other instances of multiple configurations. +Use the disable keyword in the base configuration to specify values for the +options \texttt{memcap}, \texttt{prealloc\_memcap}, and \texttt{prealloc\_frags} +without having the preprocessor inspect traffic for traffic applying to the base +configuration. The other options are parsed but not used. Any valid +configuration may have "disabled" added to it. \end{itemize} \end{itemize} @@ -2440,7 +2564,8 @@ must be configured for this option to take effect. \item \texttt{policy $<$type$>$} - Select a target-based defragmentation mode. -Available types are first, last, bsd, bsd-right, linux. Default type is bsd. +Available types are first, last, bsd, bsd-right, linux, windows and solaris. +Default type is bsd. The Paxson Active Mapping paper introduced the terminology frag3 is using to describe policy types. The known mappings are as follows. Anyone who develops 
@@ -2514,7 +2639,7 @@ \hline Vax/VMS & BSD \\ \hline - Windows (95/98/NT4/W2K/XP) & First\\ + Windows (95/98/NT4/W2K/XP) & Windows\\ \hline \end{tabular} @@ -2593,6 +2718,21 @@ For example, a few operating systems allow data in TCP SYN packets, while others do not. +\subsubsection{Protocol Aware Flushing} + +Protocol aware flushing of HTTP, SMB and DCE/RPC can be enabled with this option: + +\begin{verbatim} +config paf_max: +\end{verbatim} + +where \texttt{} is between zero (off) and 63780. This allows Snort to +statefully scan a stream and reassemble a complete PDU regardless of +segmentation. For example, multiple PDUs within a single TCP segment, as well +as one PDU spanning multiple TCP segments will be reassembled into one PDU per +packet for each PDU. PDUs larger than the configured maximum will be split +into multiple packets. + \subsubsection{Stream5 Global Configuration} Global settings for the Stream5 preprocessor. @@ -2603,6 +2743,7 @@ [memcap ], \ [track_udp ], [max_udp ], \ [track_icmp ], [max_icmp ], \ + [track_ip ], [max_ip ], \ [flush_on_alert], [show_rebuilt_packets], \ [prune_log_max ], [disabled] \end{verbatim} @@ -2653,6 +2794,18 @@ Maximum simultaneous ICMP sessions tracked. The default is "65536", maximum is "1048576", minimum is "1".\\ +\hline +\texttt{track\_ip } & + +Track sessions for IP. The default is "no". Note that "IP" includes all +non-TCP/UDP traffic over IP including ICMP if ICMP not otherwise configured.\\ + +\hline +\texttt{max\_ip } & + +Maximum simultaneous IP sessions tracked. The default is "16384", maximum is +"1048576", minimum is "1".\\ + \hline \texttt{disabled} & @@ -2699,6 +2852,7 @@ [check_session_hijacking], [use_static_footprint_sizes], \ [dont_store_large_packets], [dont_reassemble_async], \ [max_queued_bytes ], [max_queued_segs ], \ + [small_segments bytes [ignore_ports number [number]*]], \ [ports ], \ [protocol ], \ [ignore_any_rules], [flush_factor ] 
@@ -2854,6 +3008,18 @@ enforced.\\ \hline +\texttt{small\_segments bytes [ignore\_ports ]} & + +Configure the maximum small segments queued. This feature requires that +detect\_anomalies be enabled. The first number is the number of consecutive segments +that will trigger the detection rule. The default value is "0" (disabled), with a +maximum of "2048". The second number is the minimum bytes for a segment to be +considered "small". The default value is "0" (disabled), with a maximum of "2048". +ignore\_ports is optional, defines the list of ports in which will be ignored for +this rule. The number of ports can be up to "65535". A message is written to +console/syslog when this limit is enforced.\\ + +\hline \texttt{ports } & @@ -2993,6 +3159,39 @@ \end{tabular} \end{center} +\subsubsection{Stream5 IP Configuration} + +Configuration for IP session tracking. Since there is no target based +binding, there should be only one occurrence of the IP configuration. + +\begin{note} + +"IP" includes all non-TCP/UDP traffic over IP including ICMP if ICMP +not otherwise configured. It is not turned on by default. + +\end{note} + +\begin{verbatim} + preprocessor stream5_ip: [timeout ] +\end{verbatim} + +\begin{center} +\begin{tabular}{| l | p{4.5in} |} + +\hline +\textbf{Option} & \textbf{Description}\\ +\hline + +\hline +\texttt{timeout } & + +Session timeout. The default is "30", the minimum is "1", and the maximum is +"86400" (approximately 1 day).\\ + +\hline +\end{tabular} +\end{center} + \subsubsection{Example Configurations} \begin{enumerate} 
@@ -3028,25 +3227,6 @@ \end{enumerate} -\subsubsection{Alerts} - -Stream5 uses generator ID 129. It is capable of alerting on 8 (eight) -anomalies, all of which relate to TCP anomalies. There are no anomalies -detected relating to UDP or ICMP. - -The list of SIDs is as follows: - -\begin{enumerate} -\item{SYN on established session} -\item{Data on SYN packet} -\item{Data sent on stream not accepting data} -\item{TCP Timestamp is outside of PAWS window} -\item{Bad segment, overlap adjusted size less than/equal 0} -\item{Window size (after scaling) larger than policy allows} -\item{Limit on number of overlapping TCP packets reached} -\item{Data after Reset packet} -\end{enumerate} - \subsection{sfPortscan} The sfPortscan module, developed by Sourcefire, is designed to detect the first @@ -3617,6 +3797,9 @@ \item KPkts/Sec (combined) \end{itemize} +There are over 100 individual statistics included. A header line is output at startup and +rollover that labels each column. + The following options can be used with the performance monitor: \begin{itemize} 
@@ -3695,6 +3878,27 @@ mentioned above, as well as the IP addresses of the host pairs in human-readable format, are included. +Each line in the file will have its values correspond (in order) to those below: +\begin{itemize} +\item IP Address A (String) +\item IP Address B (String) +\item TCP Packets from A to B +\item TCP Traffic in Bytes from A to B +\item TCP Packets from B to A +\item TCP Traffic in Bytes from B to A +\item UDP Packets from A to B +\item UDP Traffic in Bytes from A to B +\item UDP Packets from B to A +\item UDP Traffic in Bytes from B to A +\item Other IP Packets from A to B +\item Other IP Traffic in Bytes from A to B +\item Other IP Packets from B to A +\item Other IP Traffic in Bytes from B to A +\item TCP Sessions Established +\item TCP Sessions Closed +\item UDP Sessions Created +\end{itemize} + \item \texttt{flow-ip-memcap} - Sets the memory cap on the hash table used to store IP traffic statistics for host pairs. Once the cap has been reached, the table will start to prune the statistics for the least recently seen host pairs @@ -3748,9 +3952,10 @@ codemap \ [detect_anomalous_servers] \ [proxy_alert] \ - [max_gzip_mem ] \ - [compress_depth ] [decompress_depth ] \ - disabled + [max_gzip_mem ] \ + [compress_depth ] [decompress_depth ] \ + [memcap ] \ + disabled \end{verbatim} You can only have a single global configuration, you'll get an error if you try 
@@ -3806,12 +4011,32 @@ This option specifies the maximum amount of packet payload to decompress. This value can be set from 1 to 65535. The default for this option is 1460. +\begin{note} + +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of \texttt{unlimited\_decompress} this should be set to its max value. This value should +be specified in the default policy even when the HTTP inspect preprocessor is turned off +using the \texttt{disabled} keyword. + +\end{note} + \item \texttt{decompress\_depth $<$integer$>$} This option specifies the maximum amount of decompressed data to obtain from the compressed packet payload. This value can be set from 1 to 65535. The default for this option is 2920. -\item \texttt{max\_gzip\_mem} +\begin{note} + +Please note, in case of multiple policies, the value specified in the default policy +is used and this value overwrites the values specified in the other policies. In case +of \texttt{unlimited\_decompress} this should be set to its max value. This value should +be specified in the default policy even when the HTTP inspect preprocessor is turned off +using the \texttt{disabled} keyword. + +\end{note} + +\item \texttt{max\_gzip\_mem $<$integer$>$} This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor will use for decompression. This value can be set from 3276 bytes 
@@ -3821,19 +4046,41 @@ \begin{note} -It is suggested to set this value such that the max gzip session calculated as -follows is at least 1. +This value should be specified in the default policy even when the HTTP inspect preprocessor +is turned off using the \texttt{disabled} keyword. It is suggested to set this value such that +the max gzip session calculated as follows is at least 1. max gzip session = \texttt{max\_gzip\_mem} /(\texttt{decompress\_depth} + \texttt{compress\_depth}) \end{note} +\item \texttt{memcap $<$integer$>$} + +This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor +will use for logging the URI and Hostname data. This value can be set from 2304 to 603979776 (576 MB). +This option along with the maximum uri and hostname logging size (which is defined in snort) will +determine the maximum HTTP sessions that will log the URI and hostname data at any given instant. The +maximum size for logging URI data is 2048 and for hostname is 256. The default value for this +option is 150994944 (144 MB). + +\begin {note} + +This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off +using the \texttt{disabled} keyword. In case of multiple policies, the value specified in the +default policy will overwrite the value specified in other policies. + +max http sessions logged = memcap /( max uri logging size + max hostname logging size ) +max uri logging size defined in snort : 2048 +max hostname logging size defined in snort : 256 + +\end{note} + \item \texttt{disabled} This optional keyword is allowed with any policy to avoid packet processing. This option disables the preprocessor. When the preprocessor is disabled -only the "max\_gzip\_mem", "compress\_depth" and "decompress\_depth" options -are applied when specified with the configuration. 
Other options are +only the "memcap", "max\_gzip\_mem", "compress\_depth" and "decompress\_depth" +options are applied when specified with the configuration. Other options are parsed but not used. Any valid configuration may have "disabled" added to it. \end{slist} @@ -3964,6 +4211,8 @@ \hline max\_header\_length & 0, header length not checked\\ \hline +max\_spaces & 200 \\ +\hline max\_headers & 0, number of headers not checked\\ \hline @@ -4016,6 +4265,8 @@ \hline max\_header\_length & 0, header length not checked\\ \hline +max\_spaces & 200 \\ +\hline max\_headers & 0, number of headers not checked\\ \hline @@ -4078,6 +4329,8 @@ \hline max\_header\_length & 0, header length not checked\\ \hline +max\_spaces & 200 \\ +\hline max\_headers & 0, number of headers not checked\\ \hline @@ -4113,8 +4366,8 @@ server\_flow\_depth & 300 \\ \hline client\_flow\_depth & 300 \\ -post\_depth & -1 \\ \hline +post\_depth & -1 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes\\ \hline @@ -4138,8 +4391,9 @@ \hline max\_header\_length & 0, header length not checked\\ \hline -max\_headers & 0, number of headers not checked\\ +max\_spaces & 200 \\ \hline +max\_headers & 0, number of headers not checked\\ \hline \end{tabular} \end{center} @@ -4162,13 +4416,19 @@ \item \texttt{normalize\_cookies} \item \texttt{normalize\_utf} \item \texttt{max\_header\_length} +\item \texttt{max\_spaces} \item \texttt{max\_headers} \item \texttt{extended\_response\_inspection} \item \texttt{enable\_cookie} \item \texttt{inspect\_gzip} \item \texttt{unlimited\_decompress} +\item \texttt{normalize\_javascript} +\item \texttt{max\_javascript\_whitespaces} \item \texttt{enable\_xff} \item \texttt{http\_methods} +\item \texttt{log\_uri} +\item \texttt{log\_hostname} +\item \texttt{small\_chunk\_length} \end{itemize} These options must be specified after the \texttt{profile} option. 
@@ -4205,6 +4465,7 @@ ms\_unicode\_generator outputs. \item \texttt{extended\_response\_inspection} + This enables the extended HTTP response inspection. The default http response inspection does not inspect the various fields of a HTTP response. By turning this option the HTTP response will be thoroughly inspected. The different fields @@ -4224,10 +4485,25 @@ \end{note} \item \texttt{enable\_cookie} + This options turns on the cookie extraction from HTTP requests and HTTP response. -By default the cookie inspection and extraction will be turned off. +By default the cookie inspection and extraction will be turned off. The cookie from +the \texttt{Cookie} header line is extracted and stored in HTTP Cookie buffer for +HTTP requests and cookie from the \texttt{Set-Cookie} is extracted and stored in +HTTP Cookie buffer for HTTP responses. The \texttt{Cookie:} and \texttt{Set-Cookie:} +header names itself along with leading spaces and the CRLF terminating the header +line are stored in the HTTP header buffer and are not stored in the HTTP cookie buffer. + +\begin{verbatim} +Ex: Set-Cookie: mycookie \r\n + +In this case, Set-Cookie: \r\n will be in the HTTP header buffer and the pattern +mycookie will be in the HTTP cookie buffer. + +\end{verbatim} \item \texttt{inspect\_gzip} + This option specifies the HTTP inspect module to uncompress the compressed data(gzip/deflate) in HTTP response. You should select the config option "extended\_response\_inspection" before configuring this option. Decompression 
@@ -4240,6 +4516,10 @@ Also the amount of decompressed data that will be inspected depends on the 'server\_flow\_depth' configured. +Http Inspect generates a preprocessor alert with gid 120 and sid 6 when the decompression +fails. When the decompression fails due to a CRC error encountered by zlib, HTTP Inspect +will also provide the detection module with the data that was decompressed by zlib. + \begin{note} To enable compression of HTTP server response, Snort should be configured 
@@ -4248,12 +4528,81 @@ \end{note} \item \texttt{unlimited\_decompress} + This option enables the user to decompress unlimited gzip data (across multiple packets).Decompression will stop when the compressed data ends or when a out of -sequence packet is received. To ensure unlimited decompression, it is suggested -to set the 'compress\_depth' and 'decompress\_depth' to its maximum values. The -decompression in a single packet is still limited by the 'compress\_depth' and -'decompress\_depth'. +sequence packet is received. To ensure unlimited decompression, user should set +the 'compress\_depth' and 'decompress\_depth' to its maximum values in the default +policy. The decompression in a single packet is still limited by the 'compress\_depth' +and 'decompress\_depth'. + +\item \texttt{normalize\_javascript} +This option enables the normalization of Javascript within the HTTP response body. +You should select the config option \texttt{extended\_response\_inspection} before configuring +this option. When this option is turned on, Http Inspect searches for a Javascript within the +HTTP response body by searching for the + + + +\end{verbatim} + +The above javascript will generate the preprocessor alert with SID 9 and GIDF 120 when \texttt{normalize\_javascript} +is turned on. + +Http Inspect will also generate a preprocessor alert with GID 120 and SID 11 when there are more than one type +of encodings within the escaped/encoded data. + +\begin{verbatim} + +For example: + +unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21"); +String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33) + +\\end{verbatim} + +The above obfuscation will generate the preprocessor alert with GID 120 and SID 11. + +This option is turned off by default in HTTP Inspect. + +\item \texttt{max\_javascript\_whitespaces $<$positive integer up to 65535$>$} +This option takes an integer as an argument. 
The integer determines the maximum number +of consecutive whitespaces allowed within the Javascript obfuscated data in a HTTP +response body. The config option \texttt{normalize\_javascript} should be turned on before configuring + this config option. When the whitespaces in the javascript obfuscated data is equal to or more +than this value a preprocessor alert with GID 120 and SID 10 is generated. The default value for +this option is 200. To enable, specify an integer argument to \texttt{max\_javascript\_spaces} of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. \item \texttt{enable\_xff} 
@@ -4272,23 +4621,36 @@ \item \texttt{server\_flow\_depth $<$integer$>$} -This specifies the amount of server response payload to inspect. This option -significantly increases IDS performance because we are ignoring a large part of -the network traffic (HTTP server response payloads). A small percentage of -Snort rules are targeted at this traffic and a small flow\_depth value may -cause false negatives in some of these rules. Most of these rules target -either the HTTP header, or the content that is likely to be in the first -hundred or so bytes of non-header data. Headers are usually under 300 bytes -long, but your mileage may vary. - -This value can be set from -1 to 2920. A value of -1 causes Snort to ignore all -server side traffic for ports defined in \texttt{ports}. Inversely, a value of -0 causes Snort to inspect all HTTP server payloads defined in \texttt{ports} -(note that this will likely slow down IDS performance). Values above 0 tell -Snort the number of bytes to inspect in the first packet of the server -response.It is suggested to set the 'server\_flow\_depth' to its maximum value or -the 'decompress\_depth' (if 'decompress\_depth' is less than 2920) when 'inspect\_gzip' -is enabled. +This specifies the amount of server response payload to inspect. When +\texttt{extended\_response\_inspection} is turned on, it is applied to the HTTP response +body (decompressed data when \texttt{inspect\_gzip} is turned on) and not the HTTP headers. +When \texttt{extended\_response\_inspection} is turned off the \texttt{server\_flow\_depth} +is applied to the entire HTTP response (including headers). Unlike \texttt{client\_flow\_depth} +this option is applied per TCP session. This option can be used to balance the needs of +IDS performance and level of inspection of HTTP server response data. Snort rules are +targeted at HTTP server response traffic and when used with a small flow\_depth value +may cause false negatives. 
Most of these rules target either the HTTP header, or +the content that is likely to be in the first hundred or so bytes of non-header data. +Headers are usually under 300 bytes long, but your mileage may vary. +It is suggested to set the \texttt{server\_flow\_depth} to its maximum value. + +This value can be set from -1 to 65535. A value of -1 causes Snort +to ignore all server side traffic for ports defined in \texttt{ports} when +\texttt{extended\_response\_inspection} is turned off. When the \texttt{extended\_response\_inspection} + is turned on, value of -1 causes Snort to ignore the HTTP response body data and + not the HTTP headers. Inversely, a value of 0 causes Snort to inspect all HTTP server +payloads defined in "ports" (note that this will likely slow down IDS +performance). Values above 0 tell Snort the number of bytes to +inspect of the server response (excluding the HTTP headers when \texttt{extended\_response\_inspection} +is turned on) in a given HTTP session. Only packets payloads starting with 'HTTP' will +be considered as the first packet of a server response. If less than flow\_depth bytes +are in the payload of the HTTP response packets in a given session, the entire payload will be +inspected. If more than flow\_depth bytes are in the payload of the HTTP response packet in a session +only flow\_depth bytes of the payload will be inspected for that session. Rules that are meant to +inspect data in the payload of the HTTP response packets in a session beyond 65535 bytes will be +ineffective unless flow\_depth is set to 0. The default value for \texttt{server\_flow\_depth} is 300. +Note that the 65535 byte maximum flow\_depth applies to stream reassembled packets as well. +It is suggested to set the \texttt{server\_flow\_depth} to its maximum value. \begin{note} 
@@ -4299,10 +4661,24 @@ \item \texttt{client\_flow\_depth $<$integer$>$} -This specifies the amount of raw client request payload to inspect. It is -similar to \texttt{server\_flow\_depth} (above), and has a default value of -300. This option can be set from -1 to 1460. It primarily eliminates Snort -from inspecting larger HTTP Cookies that appear at the end of many client request Headers. +This specifies the amount of raw client request payload to inspect. This +value can be set from -1 to 1460. Unlike \texttt{server\_flow\_depth} this value is applied +to the first packet of the HTTP request. It is not a session based flow depth. +It has a default value of 300. It primarily eliminates Snort from inspecting +larger HTTP Cookies that appear at the end of many client request Headers. + +A value of -1 causes Snort to ignore all client side traffic for ports +defined in "ports." Inversely, a value of 0 causes Snort to inspect all HTTP client + side traffic defined in "ports" (note that this will likely slow down IDS +performance). Values above 0 tell Snort the number of bytes to +inspect in the first packet of the client request. If less than flow\_depth bytes +are in the TCP payload (HTTP request) of the first packet, the entire payload will be inspected. +If more than flow\_depth bytes are in the payload of the first packet only flow\_depth +bytes of the payload will be inspected. Rules that are meant to +inspect data in the payload of the first packet of a client request beyond 1460 bytes +will be ineffective unless flow\_depth is set to 0. Note that the 1460 byte +maximum flow\_depth applies to stream reassembled packets as well. It is +suggested to set the \texttt{client\_flow\_depth} to its maximum value. \item \texttt{post\_depth $<$integer$>$} 
@@ -4360,18 +4736,6 @@ The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way since it is non-standard. -\item \texttt{base36 $<$yes$|$no$>$} - -This is an option to decode base36 encoded chars. This option is based on -info from: - -\url{http://www.yk.rim.or.jp/~shikap/patch/spp\_http\_decode.patch}. - -If \%u encoding is enabled, this option will not work. You have to use the -\texttt{base36} option with the \texttt{utf\_8} option. Don't use the \%u -option, because base36 won't work. When \texttt{base36} is enabled, ASCII -encoding is also enabled to enforce correct behavior. - \item \texttt{iis\_unicode $<$yes$|$no$>$} The \texttt{iis\_unicode} option turns on the Unicode codepoint mapping. If @@ -4470,6 +4834,23 @@ picks up the Apache chunk encoding exploits, and may also alert on HTTP tunneling that uses chunk encoding. +\item \texttt{small\_chunk\_length \{ $<$chunk size$>$ $<$consecutive chunks$>$ \} } + +This option is an evasion detector for consecutive small chunk sizes when +either the client or server use \texttt{Transfer-Encoding: chunked}. +$<$chunk size$>$ specifies the maximum chunk size for which a chunk will be +considered small. $<$consecutive chunks$>$ specifies the number of consecutive +small chunks $<$= $<$chunk size$>$ before an event will be generated. This option +is turned off by default. Maximum values for each are 255 and a $<$chunk size$>$ of 0 +disables. Events generated are gid:119, sid:26 for client small +chunks and gid:120, sid:7 for server small chunks. + +Example: +\begin{verbatim} +small_chunk_length { 10 5 } +\end{verbatim} +Meaning alert if we see 5 consecutive chunk sizes of 10 or less. + \item \texttt{no\_pipeline\_req} This option turns HTTP pipeline decoding off, and is a performance enhancement 
@@ -4542,6 +4923,16 @@ enable, specify an integer argument to max\_header\_length of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. +\item \texttt{max\_spaces $<$positive integer up to 65535$>$} + +This option takes an integer as an argument. The integer determines the maximum number +of whitespaces allowed with HTTP client request line folding. Requests headers +folded with whitespaces equal to or more than this value will cause a +"Space Saturation" alert with SID 26 and GID 119. The default value for this +option is 200. To enable, specify an integer argument to \texttt{max\_spaces} of 1 to 65535. +Specifying a value of 0 is treated as disabling the alert. + + \item \texttt{webroot $<$yes$|$no$>$} This option generates an alert when a directory traversal traverses past the 
@@ -4599,7 +4990,41 @@ \begin{note} -Please note the maximum length for a method name is 7 +Please note the maximum length for a method name is 256. + +\end{note} + +\item \texttt{log\_uri} + +This option enables HTTP Inspect preprocessor to parse the URI data from the +HTTP request and log it along with all the generated events for that session. +Stream5 reassembly needs to be turned on HTTP ports to enable the logging. +If there are multiple HTTP requests in the session, the URI data of the most recent +HTTP request during the alert will be logged. The maximum URI logged is 2048. + +\begin{note} + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). \texttt{u2spewfoo} can be used to read this data from +the unified2. + +\end{note} + +\item \texttt{log\_hostname} + +This option enables HTTP Inspect preprocessor to parse the hostname data from the +"Host" header of the HTTP request and log it along with all the generated events +for that session. Stream5 reassembly needs to be turned on HTTP ports to enable +the logging. If there are multiple HTTP requests in the session, the Hostname data +of the most recent HTTP request during the alert will be logged. In case of +multiple "Host" headers within one HTTP request, a preprocessor alert with sid 24 is +generated. The maximum hostname length logged is 256. + +\begin{note} + +Please note, this is logged only with the unified2 output and is not logged +with console output (-A cmg). \texttt{u2spewfoo} can be used to read this data from +the unified2. \end{note} 
@@ -4758,9 +5183,90 @@ \item \texttt{disabled} -Disables the SMTP preprocessor in a policy. This is useful when specifying -the \texttt{max\_mime\_depth} and \texttt{max\_mime\_mem} in default policy -without turning on the SMTP preprocessor. +Disables the SMTP preprocessor in a config. This is useful when specifying +the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, +\texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for +decoding \texttt{max\_mime\_mem} in default config without turning on the SMTP preprocessor. + +\item \texttt{b64\_decode\_depth} + +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A SMTP preprocessor +alert with sid 10 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +This option replaces the deprecated options, \texttt{enable\_mime\_decoding} and +\texttt{max\_mime\_depth}. It is recommended that user inputs a value that is a +multiple of 4. When the value specified is not a multiple of 4, the SMTP preprocessor +will round it up to the next multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. 
+ +\item \texttt{qp\_decode\_depth} + +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A SMTP +preprocessor alert with sid 11 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{bitenc\_decode\_depth} + +This config option is used to turn off/on or set the 7bit/8bit/binary/text extraction +depth used to extract the 7bit/8bit/binary encoded or plain text MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A SMTP +preprocessor alert with sid 12 is generated (if enabled) when this extraction depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the 7bit/8bit/binary/text MIME attachments/data across multiple packets are extracted too. + +The extracted data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. 
+ +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{uu\_decode\_depth} + +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of SMTP attachments. +The value of 0 sets the decoding of UU encoded SMTP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU SMTP attachments. A SMTP +preprocessor alert with sid 13 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded SMTP attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. \item \texttt{enable\_mime\_decoding} 
@@ -4771,32 +5277,114 @@ \texttt{max\_mime\_depth} or maximum MIME sessions (calculated using \texttt{max\_mime\_depth} and \texttt{max\_mime\_mem}) is reached or when the encoded data ends. The decoded data is available for detection using the rule option -\texttt{file\_data:mime}. See \ref{sub:file_data} rule option for more details. +\texttt{file\_data}. See \ref{sub:file_data} rule option for more details. + +This option is deprecated. Use the option \texttt{b64\_decode\_depth} to turn off +or on the base64 decoding instead. \item \texttt{max\_mime\_depth } Specifies the maximum number of base64 encoded data to decode per SMTP session. -The option take values ranging from 5 to 20480 bytes. The default value for this +The option take values ranging from 4 to 20480 bytes. The default value for this in snort in 1460 bytes. +It is recommended that user inputs a value that is a multiple of 4. When the value +specified is not a multiple of 4, the SMTP preprocessor will round it up to the next +multiple of 4. + +This option is deprecated. Use the option \texttt{b64\_decode\_depth} to turn off +or on the base64 decoding instead. + \item \texttt{max\_mime\_mem } This option determines (in bytes) the maximum amount of memory the SMTP preprocessor -will use for decoding base64 encode MIME attachments/data. This value can be set from -3276 bytes to 100MB. This option along with \texttt{max\_mime\_depth} determines the -base64 encoded MIME/SMTP sessions that will be decoded at any given instant. -The default value for this option is 838860. - -Note: It is suggested to set this value such that the max mime session calculated as -follows is atleast 1. +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. 
-max mime session = \texttt{max\_mime\_mem} /(\texttt{max\_mime\_depth} + max decoded bytes) +This option along with the maximum of the decoding depths will determine the SMTP +sessions that will be decoded at any given instant. The default value for this option +is 838860. -max decoded bytes = (\texttt{max\_mime\_depth}/4)*3 +Note: It is suggested to set this value such that the max smtp session calculated as +follows is atleast 1. -Also note that these values for \texttt{max\_mime\_mem} and \texttt{max\_mime\_depth} need -to be same across all policy. Hence user needs to define it in the default policy with -the new keyword disabled (used to disable SMTP preprocessor in a policy) +max smtp session = \texttt{max\_mime\_mem} /(2 * max of (\texttt{b64\_decode\_depth}, + \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} + or \texttt{bitenc\_decode\_depth})) + +For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and +\texttt{qp\_decode\_depth} is 100, then + +max smtp session = \texttt{max\_mime\_mem}/2*65535 (max value for \texttt{b64\_decode\_depth}) + +In case of multiple configs, the \texttt{max\_mime\_mem} of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable SMTP preprocessor in a config). + +When the memcap for decoding (\texttt{max\_mime\_mem}) is exceeded the SMTP preprocessor alert with sid 9 is +generated (when enabled) + +\item \texttt{log\_mailfrom} +This option enables SMTP preprocessor to parse and log the sender's email address extracted +from the "MAIL FROM" command along with all the generated events for that session. The maximum +number of bytes logged for this option is 1024. + +Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). +u2spewfoo can be used to read this data from the unified2. 
+ +\item \texttt{log\_rcptto} +This option enables SMTP preprocessor to parse and log the recipient's email addresses +extracted from the "RCPT TO" command along with all the generated events for that session. +Multiple recipients are appended with commas. The maximum number of bytes logged for this option is 1024. + +Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). + u2spewfoo can be used to read this data from the unified2. + +\item \texttt{log\_filename} +This option enables SMTP preprocessor to parse and log the MIME attachment filenames extracted +from the Content-Disposition header within the MIME body along with all the generated events +for that session. Multiple filenames are appended with commas. The maximum number of bytes logged +for this option is 1024. + +Please note, this is logged only with the unified2 output and is not logged with the +console output (-A cmg). u2spewfoo can be used to read this data from the unified2. + +\item \texttt{log\_email\_hdrs} +This option enables SMTP preprocessor to parse and log the SMTP email headers extracted from +SMTP data along with all generated events for that session. The number of bytes extracted and +logged depends upon the \texttt{email\_hdrs\_log\_depth}. + +Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg). +u2spewfoo can be used to read this data from the unified2. + +\item \texttt{email\_hdrs\_log\_depth } +This option specifies the depth for logging email headers. The allowed range for this option is +0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. + +Please note, in case of multiple policies, the value specified in the default policy is used and the values +specified in the targeted policies are overwritten by the default value. +This option must be configured in the default policy even if the SMTP configuration is disabled. 
+ +\item \texttt{memcap } +This option determines in bytes the maximum amount of memory the SMTP preprocessor will +use for logging of filename, MAIL FROM addresses, RCPT TO addresses and email headers. This value +along with the buffer size used to log MAIL FROM, RCPT TO, filenames and \texttt{email\_hdrs\_log\_depth} +will determine the maximum SMTP sessions that will log the email headers at any given time. When this memcap +is reached SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers +until memory becomes available. + +Max SMTP sessions logging email headers at any given time + = memcap/(1024 + 1024 + 1024 + \texttt{email\_hdrs\_log\_depth}) + +The size 1024 is the maximum buffer size used for logging filename, RCPTTO and MAIL FROM addresses. + +Default value for this option is 838860. The allowed range for this option is 3276 to 104857600. +The value specified in the default config is used when this option is specified in multiple configs. +This option must be configured in the default config even if the SMTP configuration is disabled. + +Please note, in case of multiple policies, the value specified in the default policy is used and the values +specified in the targeted policies are overwritten by the default value. +This option must be configured in the default policy even if the SMTP configuration is disabled. \end{slist} @@ -4818,11 +5406,19 @@ invalid_cmds { } \ valid_cmds { } \ xlink2state { disable } \ - print_cmds + print_cmds \ + log_filename \ + log_email_hdrs \ + log_mailfrom \ + log_rcptto \ + email_hdrs_log_depth 2920 \ + memcap 6000 preprocessor SMTP: \ - max_mime_depth 100 \ - max_mime_mem 1000 \ + b64_decode_depth 0\ + max_mime_mem 4000 \ + memcap 6000 \ + email_hdrs_log_depth 2920 \ disabled \end{verbatim} 
@@ -4847,52 +5443,398 @@ respectively. Within the code, the preprocessor actually maps RCPT and MAIL to the correct command name. -\subsection{FTP/Telnet Preprocessor} -\label{sub:ftptelnet} +\subsection{POP Preprocessor} +\label{POP} -FTP/Telnet is an improvement to the Telnet decoder and provides stateful -inspection capability for both FTP and Telnet data streams. FTP/Telnet will -decode the stream, identifying FTP commands and responses and Telnet escape -sequences and normalize the fields. FTP/Telnet works on both client requests -and server responses. +POP is an POP3 decoder for user applications. Given a data buffer, +POP will decode the buffer and find POP3 commands and responses. +It will also mark the command, data header data body sections and +extract the POP3 attachments and decode it appropriately. + +POP will handle stateful processing. It saves state between individual +packets. However maintaining correct state is dependent on the resassembly +of the server side of the stream (ie, a loss of coherent stream data results +in a loss of state). -FTP/Telnet has the capability to handle stateless processing, meaning it only -looks for information on a packet-by-packet basis. +Stream5 should be turned on for POP. Please ensure that the POP ports are added + to the stream5 ports for proper reassembly. -The default is to run FTP/Telnet in stateful inspection mode, meaning it looks -for information and handles reassembled data correctly. +The POP preprocessor uses GID 142 to register events. -FTP/Telnet has a very ``rich'' user configuration, similar to that of HTTP -Inspect (See \ref{sub:http-inspect}). Users can configure individual FTP -servers and clients with a variety of options, which should allow the user to -emulate any type of FTP server or FTP Client. Within FTP/Telnet, there are -four areas of configuration: Global, Telnet, FTP Client, and FTP Server. 
+\subsubsection{Configuration} -\begin{note} +The configuration options are described below: -Some configuration options have an argument of \texttt{yes} or \texttt{no}. -This argument specifies whether the user wants the configuration option to -generate a ftptelnet alert or not. The presence of the option indicates the -option itself is on, while the \texttt{yes/no} argument applies to the alerting -functionality associated with that option. +\begin{slist} -\end{note} +\item \texttt{ports \{ [] ... \}} -\subsubsection{Global Configuration} +This specifies on what ports to check for POP data. Typically, this will +include 110. Default ports if none are specified are 110 . -The global configuration deals with configuration options that determine the -global functioning of FTP/Telnet. The following example gives the generic -global configuration format: +\item \texttt{disabled} -\subsubsection{Format} +Disables the POP preprocessor in a config. This is useful when specifying +the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, +\texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for +decoding \texttt{memcap} in default config without turning on the POP preprocessor. -\begin{verbatim} - preprocessor ftp_telnet: \ - global \ - inspection_type stateful \ - encrypted_traffic yes \ - check_encrypted -\end{verbatim} +\item \texttt{b64\_decode\_depth} + +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A POP preprocessor +alert with sid 4 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. 
+ +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +It is recommended that user inputs a value that is a multiple of 4. When the value specified +is not a multiple of 4, the POP preprocessor will round it up to the next multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +\item \texttt{qp\_decode\_depth} + +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A POP +preprocessor alert with sid 5 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{bitenc\_decode\_depth} + +This config option is used to turn off/on or set the 7bit/8bit/binary extraction +depth used to extract the 7bit/8bit/binary encoded MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. 
The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A POP +preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are extracted too. + +The extracted data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{uu\_decode\_depth} + +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of POP attachments. +The value of 0 sets the decoding of UU encoded POP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU POP attachments. A POP +preprocessor alert with sid 7 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded POP attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{memcap } + +This option determines (in bytes) the maximum amount of memory the POP preprocessor +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. 
This value can be set from 3276 bytes to 100MB. + +This option along with the maximum of the decoding depths will determine the POP +sessions that will be decoded at any given instant. The default value for this option +is 838860. + +Note: It is suggested to set this value such that the max pop session calculated as +follows is atleast 1. + +max pop session = \texttt{memcap} /(2 * max of (\texttt{b64\_decode\_depth}, + \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} + or \texttt{bitenc\_decode\_depth})) + +For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and +\texttt{qp\_decode\_depth} is 100, then + +max pop session = \texttt{memcap}/2*65535 (max value for \texttt{b64\_decode\_depth}) + +In case of multiple configs, the \texttt{memcap} of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable POP preprocessor in a config). + +When the memcap for decoding (\texttt{memcap}) is exceeded the POP preprocessor alert with sid 3 is +generated (when enabled). + +\end{slist} + +\subsubsection{Example} + +\begin{verbatim} + preprocessor pop: \ + ports { 110 } \ + memcap 1310700 \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 + + + preprocessor pop: \ + memcap 1310700 \ + qp_decode_depth 0 \ + disabled +\end{verbatim} + +\subsubsection{Default} + +\begin{verbatim} + preprocessor pop: \ + ports { 110 } \ + b64_decode_depth 1460 \ + qp_decode_depth 1460 \ + bitenc_decode_depth 1460 \ + uu_decode_depth 1460 +\end{verbatim} + +\subsection{IMAP Preprocessor} +\label{IMAP} + +IMAP is an IMAP4 decoder for user applications. Given a data buffer, +IMAP will decode the buffer and find IMAP4 commands and responses. +It will also mark the command, data header data body sections and +extract the IMAP4 attachments and decode it appropriately. + +IMAP will handle stateful processing. 
It saves state between individual +packets. However maintaining correct state is dependent on the resassembly +of the server side of the stream (ie, a loss of coherent stream data results +in a loss of state). + +Stream5 should be turned on for IMAP. Please ensure that the IMAP ports are added + to the stream5 ports for proper reassembly. + +The IMAP preprocessor uses GID 141 to register events. + +\subsubsection{Configuration} + +The configuration options are described below: + +\begin{slist} + +\item \texttt{ports \{ [] ... \}} + +This specifies on what ports to check for IMAP data. Typically, this will +include 143. Default ports if none are specified are 143 . + +\item \texttt{disabled} + +Disables the IMAP preprocessor in a config. This is useful when specifying +the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, +\texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for +decoding \texttt{memcap} in default config without turning on the IMAP preprocessor. + +\item \texttt{b64\_decode\_depth} + +This config option is used to turn off/on or set the base64 decoding depth used to +decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. +A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 +sets the decoding of base64 encoded MIME attachments to unlimited. A value other +than 0 or -1 restricts the decoding of base64 MIME attachments. A IMAP preprocessor +alert with sid 4 is generated (if enabled) when the decoding fails or when this +decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +It is recommended that user inputs a value that is a multiple of 4. 
When the value specified +is not a multiple of 4, the IMAP preprocessor will round it up to the next multiple of 4. + +In case of multiple configs, the value specified in the non-default config cannot +exceed the value specified in the default config. + +\item \texttt{qp\_decode\_depth} + +This config option is used to turn off/on or set the Quoted-Printable decoding depth +used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges +from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. +The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A +value other than 0 or -1 restricts the decoding of QP MIME attachments. A IMAP +preprocessor alert with sid 5 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. When stateful inspection +is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{bitenc\_decode\_depth} + +This config option is used to turn off/on or set the 7bit/8bit/binary extraction +depth used to extract the 7bit/8bit/binary encoded MIME attachments. The +value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME +attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. +A value other than 0 or -1 restricts the extraction of these MIME attachments. A IMAP +preprocessor alert with sid 6 is generated (if enabled) when this extraction depth is exceeded. + +Multiple MIME attachments/data in one packet are pipelined. 
When stateful inspection +is turned on the 7bit/8bit/binary MIME attachments/data across multiple packets are extracted too. + +The extracted data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{uu\_decode\_depth} + +This config option is used to turn off/on or set the Unix-to-Unix decoding depth +used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges +from -1 to 65535. A value of -1 turns off the UU decoding of IMAP attachments. +The value of 0 sets the decoding of UU encoded IMAP attachments to unlimited. A +value other than 0 or -1 restricts the decoding of UU IMAP attachments. A IMAP +preprocessor alert with sid 7 is generated (if enabled) when the decoding fails +or when this decode depth is exceeded. + +Multiple UU attachments/data in one packet are pipelined. When stateful inspection +is turned on the UU encoded IMAP attachments/data across multiple packets are decoded too. + +The decoded data is available for detection using the rule option \texttt{file\_data}. +See \ref{sub:file_data} rule option for more details. + +In case of multiple configs, the value specified in the non-default config cannot exceed +the value specified in the default config. + +\item \texttt{memcap } + +This option determines (in bytes) the maximum amount of memory the IMAP preprocessor +will use for decoding base64 encoded/quoted-printable/7bit/8bit/binary MIME attachments/data +or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. + +This option along with the maximum of the decoding depths will determine the IMAP +sessions that will be decoded at any given instant. The default value for this option +is 838860. 
+ +Note: It is suggested to set this value such that the max imap session calculated as +follows is atleast 1. + +max imap session = \texttt{memcap} /(2 * max of (\texttt{b64\_decode\_depth}, + \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} + or \texttt{bitenc\_decode\_depth})) + +For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and +\texttt{qp\_decode\_depth} is 100, then + +max imap session = \texttt{memcap}/2*65535 (max value for \texttt{b64\_decode\_depth}) + +In case of multiple configs, the \texttt{memcap} of the non-default configs will be overwritten by the +default config's value. Hence user needs to define it in the default config with the new keyword +disabled (used to disable IMAP preprocessor in a config). + +When the memcap for decoding (\texttt{memcap}) is exceeded the IMAP preprocessor alert with sid 3 is +generated (when enabled). + +\end{slist} + +\subsubsection{Example} + +\begin{verbatim} + preprocessor imap: \ + ports { 110 } \ + memcap 1310700 \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 + + + preprocessor imap: \ + memcap 1310700 \ + qp_decode_depth 0 \ + disabled +\end{verbatim} + +\subsubsection{Default} + +\begin{verbatim} + preprocessor imap: \ + ports { 110 } \ + b64_decode_depth 1460 \ + qp_decode_depth 1460 \ + bitenc_decode_depth 1460 \ + uu_decode_depth 1460 +\end{verbatim} + +\subsection{FTP/Telnet Preprocessor} +\label{sub:ftptelnet} + +FTP/Telnet is an improvement to the Telnet decoder and provides stateful +inspection capability for both FTP and Telnet data streams. FTP/Telnet will +decode the stream, identifying FTP commands and responses and Telnet escape +sequences and normalize the fields. FTP/Telnet works on both client requests +and server responses. + +FTP/Telnet has the capability to handle stateless processing, meaning it only +looks for information on a packet-by-packet basis. 
+ +The default is to run FTP/Telnet in stateful inspection mode, meaning it looks +for information and handles reassembled data correctly. + +FTP/Telnet has a very ``rich'' user configuration, similar to that of HTTP +Inspect (See \ref{sub:http-inspect}). Users can configure individual FTP +servers and clients with a variety of options, which should allow the user to +emulate any type of FTP server or FTP Client. Within FTP/Telnet, there are +four areas of configuration: Global, Telnet, FTP Client, and FTP Server. + +\begin{note} + +Some configuration options have an argument of \texttt{yes} or \texttt{no}. +This argument specifies whether the user wants the configuration option to +generate a ftptelnet alert or not. The presence of the option indicates the +option itself is on, while the \texttt{yes/no} argument applies to the alerting +functionality associated with that option. + +\end{note} + +\subsubsection{Global Configuration} + +The global configuration deals with configuration options that determine the +global functioning of FTP/Telnet. The following example gives the generic +global configuration format: + +\subsubsection{Format} + +\begin{verbatim} + preprocessor ftp_telnet: \ + global \ + inspection_type stateful \ + encrypted_traffic yes \ + check_encrypted +\end{verbatim} You can only have a single global configuration, you'll get an error if you try otherwise. The FTP/Telnet global configuration must appear before the other @@ -5618,7 +6560,7 @@ identifiers are OR'ed together. The option will match if any one of the OR'ed versions are used in the SSL -connection. To check for two SSL versions in use simultaneously, multiple +connection. To check for two or more SSL versions in use simultaneously, multiple \texttt{ssl\_version} rule options should be used. \textit{Syntax} 
@@ -5632,9 +6574,9 @@ \textit{Examples} \begin{verbatim} - ssl_version: sslv3 - ssl_version: tls1.0,tls1.1,tls1.2 - ssl_version: !sslv2 + ssl_version:sslv3; + ssl_version:tls1.0,tls1.1,tls1.2; + ssl_version:!sslv2; \end{verbatim} \end{itemize} @@ -5663,9 +6605,9 @@ \textit{Examples} \begin{verbatim} - ssl_state: client_hello - ssl_state: client_keyx,server_keyx - ssl_state: !server_hello + ssl_state:client_hello; + ssl_state:client_keyx,server_keyx; + ssl_state:!server_hello; \end{verbatim} \end{itemize} @@ -6776,8 +7718,8 @@ \begin{itemize} \item[] \begin{verbatim} - byte_test: dce - byte_jump: dce + byte_test:dce + byte_jump:dce \end{verbatim} \end{itemize} @@ -6824,7 +7766,7 @@ \textit{Syntax} \footnotesize \begin{verbatim} - [ ',' ] [ ',' "any_frag" ] + dce_iface:[, ][, any_frag]; uuid = hexlong '-' hexshort '-' hexshort '-' 2hexbyte '-' 6hexbyte hexlong = 4hexbyte @@ -6837,10 +7779,10 @@ \textit{Examples} \footnotesize \begin{verbatim} - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188; - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2; - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag; - dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, <2; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, any_frag; + dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, =1, any_frag; \end{verbatim} \normalsize @@ -6926,7 +7868,7 @@ \textit{Syntax} \footnotesize \begin{verbatim} - + dce_opnum:; opnum-list = opnum-item | opnum-item ',' opnum-list opnum-item = opnum | opnum-range @@ -6937,10 +7879,10 @@ \textit{Examples} \footnotesize \begin{verbatim} - dce_opnum: 15; - dce_opnum: 15-18; - dce_opnum: 15,18-20; - dce_opnum: 15,17,20-22; + dce_opnum:15; + dce_opnum:15-18; + dce_opnum:15, 18-20; + dce_opnum:15, 17, 20-22; \end{verbatim} \normalsize 
@@ -6992,12 +7934,11 @@ \item[] \textit{Syntax} \footnotesize \begin{verbatim} - ',' [ '!' ] ',' [ ',' [ ',' "relative" ]] \ - ',' "dce" + byte_test:, [!], , [, relative], dce; convert = 1 | 2 | 4 (only with option "dce") operator = '<' | '=' | '>' | '&' | '^' - value = 0-4294967295 + value = 0 - 4294967295 offset = -65535 to 65535 \end{verbatim} \normalsize @@ -7005,8 +7946,8 @@ \textit{Examples} \footnotesize \begin{verbatim} - byte_test: 4,>,35000,0,relative,dce; - byte_test: 2,!=,2280,-10,relative,dce; + byte_test:4, >, 35000, 0, relative, dce; + byte_test:2, !=, 2280, -10, relative, dce; \end{verbatim} \normalsize @@ -7020,13 +7961,13 @@ \item[] \textit{Syntax} \footnotesize \begin{verbatim} - ',' [ ',' "relative" ] [ ',' "multiplier" ] \ - [ ',' "align" ] [ ',' "post_offet" ] ',' "dce" + byte_jump:, [, relative][, multiplier ] \ + [, align][, post_offet ], dce; convert = 1 | 2 | 4 (only with option "dce") offset = -65535 to 65535 - mult-value = 0-65535 - adjustment-value = -65535 to 65535 + mult_value = 0 - 65535 + adjustment_value = -65535 to 65535 \end{verbatim} \normalsize @@ -7174,12 +8115,12 @@ \textit{Syntax} \begin{verbatim} - sd_pattern: , + sd_pattern:, ; \end{verbatim} \footnotesize \begin{verbatim} - count = 1-255 + count = 1 - 255 pattern = any string \end{verbatim} \normalsize @@ -7336,7 +8277,7 @@ IP4 normalizations are enabled with: \begin{verbatim} - preprocessor normalize_ip4: [df], [rf] + preprocessor normalize_ip4: [df], [rf], [tos], [trim] \end{verbatim} Base normalizations enabled with "preprocessor \texttt{normalize\_ip4}" include: 
@@ -7364,6 +8305,14 @@ \item \texttt{rf} reserved flag: clear this bit on incoming packets. + +\item \texttt{tos} +type of service (differentiated services): clear this byte. + +\item \texttt{trim} +truncate packets with excess payload to the datagram length specified in the +IP header + the layer 2 header (eg ethernet), but don't truncate below minimum +frame length. This is automatically disabled if the DAQ can't inject packets. \end{itemize} \subsubsection{IP6 Normalizations} @@ -7408,7 +8357,7 @@ \begin{verbatim} preprocessor normalize_tcp: \ - [ips] [urp] \ + [ips], [urp], [trim], \ [ecn ], \ [opts [allow +]] @@ -7474,6 +8423,18 @@ urgent pointer: don't adjust the urgent pointer if it is greater than payload length. +\item \texttt{trim} +remove data on SYN. + +\item \texttt{trim} +remove any data from RST packet. + +\item \texttt{trim} +trim data to window. + +\item \texttt{trim} +trim data to MSS. + \item \texttt{ecn packet} clear ECN flags on a per packet basis (regardless of negotiation). @@ -7505,10 +8466,6 @@ MSS and window scale options are NOP'd if SYN flag is not set. -\item \texttt{opts} - -trim payload length to MSS if longer. - \end{itemize} \subsubsection{TTL Normalization} 
@@ -7538,85 +8495,2291 @@ When TTL normalization is turned on the \texttt{new\_ttl} is set to 5 by default. -\section{Decoder and Preprocessor Rules} +\subsection{SIP Preprocessor} +\label{sub:sip} +Session Initiation Protocol (SIP) is an application-layer control (signaling) +protocol for creating, modifying, and terminating sessions with one or more +participants. These sessions include Internet telephone calls, multimedia +distribution, and multimedia conferences. SIP Preprocessor provides ways to +tackle Common Vulnerabilities and Exposures (CVEs) related with SIP found over +the past few years. It also makes detecting new attacks easier. -Decoder and preprocessor rules allow one to enable and disable decoder and -preprocessor events on a rule by rule basis. They also allow one to specify -the rule type or action of a decoder or preprocessor event on a rule by rule -basis. +\subsubsection{Dependency Requirements} -Decoder config options will still determine whether or not to generate decoder -events. For example, if \texttt{config disable\_decode\_alerts} is in -\texttt{snort.conf}, decoder events will not be generated regardless of whether -or not there are corresponding rules for the event. Also note that if the -decoder is configured to enable drops, e.g. \texttt{config -enable\_decode\_drops}, these options will take precedence over the event type -of the rule. A packet will be dropped if either a decoder config drop option -is in \texttt{snort.conf} or the decoder or preprocessor rule type is -\texttt{drop}. Of course, the drop cases only apply if Snort is running -inline. See \texttt{doc/README.decode} for config options that control decoder -events. +For proper functioning of the preprocessor: -\subsection{Configuring} +\begin{itemize} -The following options to configure will enable decoder and preprocessor rules: +\item Stream session tracking must be enabled, i.e. stream5. Both TCP and UDP must be + enabled in stream5. 
The preprocessor requires a session tracker to keep its + data. In addition, Stream API is able to provide correct support for ignoring + audio/video data channel. + +\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be + enabled and configured. +\end{itemize} + +\subsubsection{Configuration} +The preprocessor configuration name is \texttt{sip}.\\ \begin{verbatim} - $ ./configure --enable-decoder-preprocessor-rules + preprocessor sip \end{verbatim} +\textit{Option syntax} +\begin{itemize} -The decoder and preprocessor rules are located in the \texttt{preproc\_rules/} -directory in the top level source tree, and have the names -\texttt{decoder.rules} and \texttt{preprocessor.rules} respectively. These -files are updated as new decoder and preprocessor events are added to Snort. - -To enable these rules in \texttt{snort.conf}, define the path to where the -rules are located and uncomment the \texttt{include} lines in -\texttt{snort.conf} that reference the rules files. 
+\item[] +\begin{tabular}{|l|c|c|p{6cm}|} +\hline +Option & Argument & Required & Default\\ +\hline +\hline +\texttt{disabled} & NONE & NO & OFF\\ +\hline +\texttt{max\_sessions} & \texttt{} & NO & \texttt{max\_sessions 10000}\\ +\hline +\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 5060 5061 \} }\\ +\hline +\texttt{methods} & \texttt{} & NO & \texttt{methods \{ invite cancel ack bye + register options \} }\\ +\hline +\texttt{max\_uri\_len} & \texttt{} & NO & \texttt{max\_uri\_len 256 }\\ +\hline +\texttt{max\_call\_id\_len} & \texttt{} & NO & \texttt{max\_call\_id\_len 256 }\\ +\hline +\texttt{max\_requestName\_len} & \texttt{} & NO & \texttt{max\_requestName\_len 20 }\\ +\hline +\texttt{max\_from\_len} & \texttt{} & NO & \texttt{max\_from\_len 256 }\\ +\hline +\texttt{max\_to\_len} & \texttt{} & NO & \texttt{max\_to\_len 256 }\\ +\hline +\texttt{max\_via\_len} & \texttt{} & NO & \texttt{max\_via\_len 1024 }\\ +\hline +\texttt{max\_contact\_len} & \texttt{} & NO & \texttt{max\_contact\_len 256 }\\ +\hline +\texttt{max\_content\_len} & \texttt{} & NO & \texttt{max\_content\_len 1024 }\\ +\hline +\texttt{ignore\_call\_channel} & NONE & NO & OFF\\ +\hline +\end{tabular} +\end{itemize} +\footnotesize +\begin{verbatim} + max_sessions = 1024-4194303 + methods = "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ + |"refer" |"subscribe"|"update"|"join"|"info"|"message"\ + |"notify"|"prack" + max_uri_len = 0-65535 + max_call_id_len = 0-65535 + max_requestName_len = 0-65535 + max_from_len = 0-65535 + max_to_len = 0-65535 + max_via_len = 0-65535 + max_contact_len = 0-65535 + max_content_len = 0-65535 +\end{verbatim} +\normalsize +\textit{Option explanations} +\begin{itemize} +\item[] \texttt{disabled} +\begin{itemize} +\item[] SIP dynamic preprocessor can be enabled/disabled through configuration. + By default this value is turned off. When the preprocessor is disabled, + only the max\_sessions option is applied when specified with the configuration. 
+\end{itemize} +\item[] \texttt{max\_sessions} +\begin{itemize} +\item[] This specifies the maximum number of sessions that can be allocated. + Those sessions are stream sessions, so they are bounded by maximum number of + stream sessions. Default is 10000. +\end{itemize} +\item[] \texttt{ports} +\begin{itemize} +\item[] This specifies on what ports to check for SIP messages. Typically, this will + include 5060, 5061. +\item[] \textit{Syntax} +\begin{verbatim} + ports { [< ... >] } +\end{verbatim} +\item[] \textit{Examples} +\begin{verbatim} + ports { 5060 5061 } +\end{verbatim} +\item[] Note: there are spaces before and after `\{' and `\}'. +\end{itemize} + \item[] \texttt{methods} +\begin{itemize} + \item[] This specifies on what methods to check for SIP messages: (1) invite, + (2) cancel, (3) ack, (4) bye, (5) register, (6) options, (7) refer, + (8) subscribe, (9) update (10) join (11) info (12) message (13) notify + (14) prack. + Note: those 14 methods are up to date list (Feb. 2011). New methods can be + added to the list. Up to 32 methods supported. +\item[] \textit{Syntax} \begin{verbatim} - var PREPROC_RULE_PATH /path/to/preproc_rules - ... - include $PREPROC_RULE_PATH/preprocessor.rules - include $PREPROC_RULE_PATH/decoder.rules + methods { } + method-list = method|method method-list + methods = "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ + |"refer"|"subscribe"|"update"|"join"|"info"|"message"\ + |"notify"|"prack" \end{verbatim} +\item[] \textit{Examples} +\begin{verbatim} + methods { invite cancel ack bye register options } + methods { invite cancel ack bye register options information } +\end{verbatim} +\item[] Note: there are spaces before and after `\{' and `\}'. +\end{itemize} +\item[] \texttt{max\_uri\_len} +\begin{itemize} + \item[] This specifies the maximum Request URI field size. If the Request URI field + is greater than this size, an alert is generated. Default is set to 256. + The allowed range for this option is 0 - 65535. 
``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_call\_id\_len} +\begin{itemize} + \item[] This specifies the maximum Call-ID field size. If the Call-ID field is + greater than this size, an alert is generated. Default is set to 256. + The allowed range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_requestName\_len} +\begin{itemize} + \item[] This specifies the maximum request name size that is part of the CSeq ID. + If the request name is greater than this size, an alert is generated. + Default is set to 20. The allowed range for this option is 0 - 65535. + ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_from\_len} +\begin{itemize} + \item[] This specifies the maximum From field size. If the From field is greater + than this size, an alert is generated. Default is set to 256. The allowed + range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_to\_len} +\begin{itemize} + \item[] This specifies the maximum To field size. If the To field is greater than + this size, an alert is generated. Default is set to 256. The allowed range + for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} + +\item[] \texttt{max\_via\_len} +\begin{itemize} + \item[] This specifies the maximum Via field size. If the Via field is greater than + this size, an alert is generated. Default is set to 1024. The allowed range + for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} +\item[] \texttt{max\_contact\_len} +\begin{itemize} + \item[] This specifies the maximum Contact field size. If the Contact field is + greater than this size, an alert is generated. Default is set to 256. + The allowed range for this option is 0 - 65535. ``0'' means never alert. +\end{itemize} +\item[] \texttt{max\_content\_len} +\begin{itemize} + \item[] This specifies the maximum content length of the message body. 
If the + content length is greater than this number, an alert is generated. + Default is set to 1024. The allowed range for this option is 0 - 65535. + ``0'' means never alert. +\end{itemize} +\item[] \texttt{ignore\_call\_channel} +\begin{itemize} + \item[] This enables the support for ignoring audio/video data channel + (through Stream API). By default, this is disabled. +\end{itemize} + +\end{itemize} +\textit{Option examples} +\footnotesize +\begin{verbatim} + max_sessions 30000 + disabled + ports { 5060 5061 } + methods { invite cancel ack bye register options } + methods { invite cancel ack bye register options information } + max_uri_len 1024 + max_call_id_len 1024 + max_requestName_len 10 + max_from_len 1024 + max_to_len 1024 + max_via_len 1024 + max_contact_len 1024 + max_content_len 1024 + max_content_len + ignore_call_channel +\end{verbatim} +\normalsize + +\textit{Configuration examples} +\footnotesize +\begin{verbatim} + preprocessor sip + preprocessor sip: max_sessions 500000 + preprocessor sip: max_contact_len 512, max_sessions 300000, methods { invite \ + cancel ack bye register options } , ignore_call_channel + preprocessor sip: ports { 5060 49848 36780 10270 }, max_call_id_len 200, \ + max_from_len 100, max_to_len 200, max_via_len 1000, \ + max_requestName_len 50, max_uri_len 100, ignore_call_channel,\ + max_content_len 1000 + preprocessor sip: disabled + preprocessor sip: ignore_call_channel +\end{verbatim} +\normalsize + +\textit{Default configuration} +\footnotesize +\begin{verbatim} + preprocessor sip +\end{verbatim} +\normalsize +\subsubsection{Events} +The preprocessor uses GID 140 to register events. +\begin{longtable}{|r|p{13.5cm}|} + +\hline +SID & Description\\ +\hline + 1 & If the memory cap is reached and the preprocessor is configured to alert, + this alert will be created. \\ +\hline + 2 & Request URI is required. When Request URI is empty, this alert will be created. 
\\ +\hline + 3 & The Request URI is larger than the defined length in configuration.\\ +\hline + 4 & When Call-ID is empty, this alert will be created.\\ +\hline + 5 & The Call-ID is larger than the defined length in configuration.\\ +\hline + 6 & The sequence e number value MUST be expressible as a 32-bit unsigned integer + and MUST be less than $2^{31}$.\\ +\hline + 7 & The request name in the CSeq is larger than the defined length in configuration.\\ +\hline + 8 & From field is empty.\\ +\hline + 9 & From field is larger than the defined length in configuration.\\ +\hline + 10 & To field is empty.\\ +\hline + 11 & To field is larger than the defined length in configuration.\\ +\hline + 12 & Via filed is empty.\\ +\hline + 13 & Via filed is larger than the defined length in configuration.\\ +\hline + 14 & Contact is empty, but it is required non-empty for the message.\\ +\hline + 15 & The Contact is larger than the defined length in configuration. \\ +\hline + 16 & The content length is larger than the defined length in configuration or is negative. \\ +\hline + 17 & There are multiple requests in a single packet. Old SIP protocol supports + multiple sip messages within one packet.\\ +\hline + 18 & There are inconsistencies between Content-Length in SIP header and + actual body data.\\ +\hline + 19 & Request name is invalid in response.\\ +\hline + 20 & Authenticated invite message received, but no challenge from server received. + This is the case of InviteReplay billing attack.\\ +\hline + 21 & Authenticated invite message received, but session information has been changed. + This is different from re-INVITE, where the dialog has been established. + and authenticated. 
This is can prevent FakeBusy billing attack.\\ +\hline + 22 & Response status code is not a 3 digit number.\\ +\hline + 23 & Content type header field is required if the message body is not empty.\\ +\hline + 24 & SIP version other than 2.0, 1.0, and 1.1 is invalid \\ +\hline + 25 & Mismatch in Method of request and the CSEQ header\\ +\hline + 26 & The method is unknown \\ +\hline +\end{longtable} +\subsubsection{Rule Options} +New rule options are supported by enabling the \texttt{sip} preprocessor: +\begin{itemize} +\item[] +\begin{verbatim} + sip_method + sip_stat_code + sip_header + sip_body +\end{verbatim} +\end{itemize} +Overload modifiers to existing \texttt{pcre} rule options: +\begin{itemize} +\item[] H: Match SIP request or SIP response header, Similar to \texttt{sip\_header}. +\item[] P: Match SIP request or SIP response body, Similar to \texttt{sip\_body}. +\end{itemize} +\texttt{sip\_method} +\label{sip:sip_method} +\begin{itemize} + \item[] The \texttt{sip\_method} keyword is used to check for specific SIP request methods. + The list of methods is: invite, cancel, ack, bye, register, options, refer, + subscribe, update, join, info, message, notify, prack. More than one method + can be specified, via a comma separated list, and are OR'ed together. + It will be applied in fast pattern match if available. If the method used in + this rule is not listed in the preprocessor configuration, it will be added + to the preprocessor configuration for the associated policy.\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_method:; + method-list = method|method, method-list + method = ["!"] "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ + |"refer"|"subscribe"|"update"|"join"|"info"|"message"\ + |"notify"|"prack" + Note: if "!" is used, only one method is allowed in sip_method. 
+\end{verbatim} +\normalsize +\textit{Examples} +\footnotesize +\begin{verbatim} + sip_method:invite, cancel + sip_method:!invite + + Note: If a user wants to use "and", they can use something like this: + sip_method:!invite; sip_method:!bye +\end{verbatim} +\normalsize +\end{itemize} + +\texttt{sip\_stat\_code} +\label{sip:sip_stat_code} +\begin{itemize} + \item[] The \texttt{sip\_stat\_code} is used to check the SIP response status code. This option + matches if any one of the state codes specified matches the status codes of + the SIP response.\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_stat_code: ; + code_list = state_code|state_code, code_list + code = "100-999"|"1-9" +\end{verbatim} + \item[] Note: 1,2,3,4,5,6... mean to check for "1xx", "2xx", '3xx', '4xx', '5xx', + '6xx'... reponses. \\ +\normalsize + +\textit{Examples} +\footnotesize +\begin{verbatim} + sip_stat_code:200 + sip_stat_code: 2 + sip_stat_code: 200, 180 +\end{verbatim} +\normalsize +\end{itemize} + +\texttt{sip\_header} +\label{sip:sip_header} +\begin{itemize} + \item[] The \texttt{sip\_header} keyword restricts the search to the extracted Header fields of + a SIP message request or a response. This works similar to \texttt{file\_data}. \\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + sip_header; +\end{verbatim} +\normalsize + +\textit{Examples} +\footnotesize +\begin{verbatim} + alert udp any any -> any 5060 (sip_header; content:"CSeq"; ) +\end{verbatim} +\normalsize +\end{itemize} + +\texttt{sip\_body} +\label{sip:sip_body} +\begin{itemize} + \item[] The \texttt{sip\_body} keyword places the cursor at the beginning of the Body fields + of a SIP message. This works similar to \texttt{file\_data} and \texttt{dce\_stub\_data}. 
The message
+ body includes channel information using SDP protocol (Session Description Protocol).\\
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ sip_body;
+\end{verbatim}
+\normalsize
+
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ alert udp any any -> any 5060 (sip_body; content:"C=IN 0.0.0.0"; within 100;)
+\end{verbatim}
+\normalsize
+\end{itemize}
+\texttt{pcre}
+\label{sip:pcre}
+\begin{itemize}
+ \item[] SIP overloads two options for \texttt{pcre}:\\
+\begin{itemize}
+\item H: Match SIP header for request or response , Similar to \texttt{sip\_header}.\\
+\item P: Match SIP body for request or response , Similar to \texttt{sip\_body}.\\
+\end{itemize}
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;)
+ alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;)
+\end{verbatim}
+\normalsize
+\end{itemize}
+
+\subsection{Reputation Preprocessor}
+\label{sub:reputation}
+Reputation preprocessor provides basic IP blacklist/whitelist capabilities, to
+block/drop/pass traffic from IP addresses listed. In the past, we use standard
+Snort rules to implement Reputation-based IP blocking. This preprocessor will
+address the performance issue and make the IP reputation management easier.
+This preprocessor runs before other preprossors.
+\subsubsection{Configuration}
+The preprocessor configuration name is \texttt{repuation}.\\
+
+\begin{verbatim}
+ preprocessor reputation
+\end{verbatim}
+\textit{Option syntax}
+\begin{itemize}
+
+\item[]
+\begin{tabular}{|l|c|c|p{6cm}|}
+\hline
+Option & Argument & Required & Default\\
+\hline
+\hline
+\texttt{memcap} & \texttt{} & NO & \texttt{memcap 500}\\
+\hline
+\texttt{scan\_local} & NONE & NO & OFF\\
+\hline
+\texttt{blacklist} & \texttt{} & NO & NONE\\
+\hline
+\texttt{whitelist} & \texttt{} & NO & NONE\\
+\hline
+\texttt{priority} & [blacklist whitelist] & NO & \texttt{priority whitelist}\\
+\hline
+\texttt{nested\_ip} & [inner outer both] & NO & \texttt{nested\_ip inner}\\
+\hline
+\end{tabular}
+\end{itemize}
+\footnotesize
+\begin{verbatim}
+ memcap = 1-4095 Mbytes
+\end{verbatim}
+\normalsize
+\textit{Option explanations}
+\begin{itemize}
+
+\item[] \texttt{memcap}
+\begin{itemize}
+\item[] Maximum total memory supported. It can be set up to 4095 Mbytes.
+\end{itemize}
+
+\item[] \texttt{scan\_local}
+\begin{itemize}
+\item[] Enable to inspect local address defined in RFC 1918:
+\begin{itemize}
+ \item[] 10.0.0.0 - 10.255.255.255 (10/8 prefix)
+ \item[] 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
+ \item[] 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
+\end{itemize}
+\end{itemize}
+
+\item[] \texttt{blacklist/whitelist}
+\begin{itemize}
+\item[] The IP lists are loaded from external files. It supports relative
+ paths for inclusion and \$variables for path. Multiple blacklists or
+ whitelists are supported.
+
+ \item[] Note: if the same IP is redefined later, it will overwrite the
+ previous one. In other words, IP lists always favors the last file or
+ entry processed.
+\end{itemize}
+
+\item[] \texttt{priority}
+\begin{itemize}
+\item[] Specify either blacklist or whitelist has higher priority when
+ source/destination is on blacklist while destination/source is on
+ whitelist. By default, whitelist has higher priority.
In other words,
+ the packet will be passed when either source or destination is
+ whitelisted.
+
+\item[] Note: this only defines priority when there is a decision conflict,
+ during run-time. During initialization time, if the same IP address
+ is defined in whitelist and blacklist, whoever the last one defined
+ will be the final one. Priority does not work on this case.
+\end{itemize}
+
+\item[] \texttt{nested\_ip}
+\begin{itemize}
+\item[] Specify which IP address to be used when there is IP
+ encapsulation.
+\end{itemize}
+
+\end{itemize}
+
+\textit{Configuration examples}
+\footnotesize
+\begin{verbatim}
+ preprocessor reputation:\
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ preprocessor reputation: \
+ nested_ip both, \
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ preprocessor reputation: \
+ memcap 4095, scan_local, nested_ip both, \
+ priority whitelist, \
+ blacklist /etc/snort/default.blacklist, \
+ whitelist /etc/snort/default.whitelist
+
+ $REP_BLACK_FILE1 = ../dshield.list
+ $REP_BLACK_FILE2 = ../snort.org.list
+ preprocessor reputation: \
+ blacklist $REP_BLACK_FILE1,\
+ blacklist $REP_BLACK_FILE2
+
+\end{verbatim}
+\normalsize
+\textit{IP List File Format}
+\begin{itemize}
+
+\item[] \texttt{Syntax}
+\begin{itemize}
+\item[] The IP list file has 1 entry per line. The entry can be either IP entry or
+ comment.
+\end{itemize}
+
+\begin{itemize}
+\item[] \texttt{IP Entry}
+\begin{itemize}
+\item[] CIDR notation $<$comments$>$ line break.
+\item[] Example:
+\footnotesize
+\begin{verbatim}
+ 172.16.42.32/32
+ 172.33.42.32/16
+\end{verbatim}
+\normalsize
+\end{itemize}
+
+\item[] \texttt{Comment}
+\begin{itemize}
+\item[] The comment start with \#
+\item[] \# $<$comments$>$
+\item[] Example
+\footnotesize
+\begin{verbatim}
+ # This is a full line comment
+ 172.33.42.32/16 # This is a in-line comment
+\end{verbatim}
+\normalsize
+\end{itemize}
+
+\end{itemize}
+
+\item[] \texttt{IP List File Example}
+\begin{itemize}
+
+\item[]
+\footnotesize
+\begin{verbatim}
+ # This is a full line comment
+ 172.16.42.32/32 # This is an inline comment, line with single CIDR block
+ 172.33.42.32/16
+\end{verbatim}
+\normalsize
+\end{itemize}
+\end{itemize}
+
+\textit{Use case}
+\begin{itemize}
+ \item[] A user wants to protect his/her network from unwanted/unknown IPs, only allowing
+ some trusted IPs. Here is the configuration:
+\item[] \footnotesize
+\begin{verbatim}
+ preprocessor reputation: \
+ blacklist /etc/snort/default.blacklist
+ whitelist /etc/snort/default.whitelist
+
+ In file "default.blacklist"
+ # These two entries will match all ipv4 addresses
+ 1.0.0.0/1
+ 128.0.0.0/1
+
+ In file "default.whitelist"
+ 68.177.102.22 # sourcefire.com
+ 74.125.93.104 # google.com
+\end{verbatim}
+\end{itemize}
+\normalsize
+
+\subsubsection{Events}
+Reputation preprocessor uses GID 136 to register events.
+\begin{longtable}{|r|p{13.5cm}|}
+
+\hline
+SID & Description\\
+\hline
+ 1 & Packet is blacklisted. \\
+\hline
+ 2 & Packet is whitelisted. \\
+\hline
+\end{longtable}
+\subsubsection{Shared memory support}
+
+\begin{itemize}
+ \item[]
+ In order to minimize memory consumption when multiple Snort instances are
+ running concurrently, we introduce the support of shared memory. After
+ configured, all the snort instances share the same IP tables in shared memory.
+
+ \item[]\textit{System requirement}
+\begin{itemize}
+ \item[]This feature is supported only in Linux.
+\end{itemize}
+
+ \item[]\textit{Build configuration}
+
+ \begin{itemize} \item[]A new option, \texttt{--enable-shared-rep} is introduced to
+ \texttt{./configure} command.
+ This option enables the support for shared memory.
+\end{itemize}
+ \item[]\textit{Configuration}
+
+\begin{itemize}
+
+ \item[]\texttt{shared\_mem}
+\begin{itemize}
+
+ \item[] If the build supports shared memory, this configuration will enable shared
+ memory. If this option isn't set, standard memory is used. This option must
+ specify a path or directory where IP lists will be loaded in shared memory.
+ One snort instance will create and maintain the shared IP lists.
+ We use instance ID 1, specified in the snort \texttt{-G} option to be the master snort.
+ All the other snort instances are clients (readers).
+
+ \item[] \textit{Syntax}
+ \begin{verbatim}
+ shared_mem: path
+ \end{verbatim}
+ \item[] \textit{Examples}
+ \begin{verbatim}
+ shared_mem /user/reputation/iplists
+ \end{verbatim}
+\end{itemize}
+ \item[]\texttt{shared\_refresh}
+
+\begin{itemize}
+ \item[]This option changes the period of checking new shared memory segment, in the unit of second.
+ By default, the refresh rate is $60$ seconds.
+
+ \item[]\textit{Syntax}
+ \begin{verbatim}
+ shared_refresh
+ period = "1 - 4294967295"
+ \end{verbatim}
+ \item[]\textit{Examples}
+ \begin{verbatim}
+ shared_refresh 60
+ \end{verbatim}
+\end{itemize}
+\end{itemize}
+
+ \item[]\textit{Steps to configure shared memory}
+
+\begin{itemize}
+
+ \item When building Snort, add option \texttt{--enable-shared-rep} to \texttt{./configure}\\
+ For example:
+ \begin{verbatim}
+ ./configure --enable-gre --enable-sourcefire --enable-flexresp3
+ --enable-dynamicplugin --enable-pthread --enable-linux-smp-stats
+ --enable-targetbased --enable-shared-rep --enable-control-socket
+ \end{verbatim}
+ \item Put your IP list file into a directory, where snort has full access.
\\
+ For example:
+
+ \begin{verbatim}
+ /user/reputation/iplists
+ \end{verbatim}
+
+ In order to separate whitelist with blacklist, you need to specify
+ whitelist with \texttt{.wlf} extension and blacklist with \texttt{.blf} extension.
+ \item In snort config file, specify shared memory support with the path to IP files.\\
+ For example:
+
+ \begin{verbatim}
+ shared_mem /user/reputation/iplists
+ \end{verbatim}
+
+ If you want to change the period of checking new IP lists, add refresh period.\\
+ For example:
+
+ \begin{verbatim}
+ shared_refresh 300
+ \end{verbatim}
+
+ \item Start shared memory master(writer) with \texttt{-G} 1 option. Note: only one master
+ should be enabled.
+ \item Start shared memory clients (readers) with \texttt{-G} 2 or other IDs. Note: for
+ one ID, only one snort instance should be enabled.
+ \item You will see the IP lists got loaded and shared across snort instances!
+\end{itemize}
+
+ \item[]\textit{Reload IP lists using control socket}
+\begin{itemize}
+ \item Run snort using command line with option \texttt{--cs-dir }
+ or configure snort with:
+ \begin{verbatim}
+ config cs_dir:
+ \end{verbatim}
+ \item (Optional) you can create a version file named ``IPRVersion.dat'' in the IP list
+ directory. This file helps managing reloading IP lists, by specifying a version.
+ When the version isn't changed, IP lists will not be reloaded if they are
+ already in shared memory. \\
+ For example:
+ \begin{verbatim}
+ VERSION=1
+ \end{verbatim}
+ \item In the \texttt{/src/tools/control} directory, you will find \texttt{snort\_control} command if
+ built with \texttt{--enable-control-socket} option.
+ \item Type the following command to reload IP lists. Before typing this command,
+ make sure to update version file if you are using version file.
+ The \texttt{} is the same path in first step.\\
+ \begin{verbatim}
+ /src/tools/control 1361
+ \end{verbatim}
+\end{itemize}
+\end{itemize}
+\subsection{GTP Decoder and Preprocessor}
+\label{sub:gtp}
+GTP (GPRS Tunneling Protocol) is used in core communication networks to establish
+a channel between GSNs (GPRS Serving Node). GTP decoding preprocessor provides
+ways to tackle intrusion attempts to those networks through GTP. It also makes
+detecting new attacks easier.
+
+Two components are developed: GTP decoder and GTP preprocessor.
+\begin{itemize}
+\item GTP decoder extracts payload inside GTP PDU;
+\item GTP preprocessor inspects all the signaling messages and provide keywords for
+further inspection
+\end{itemize}
+
+\subsubsection{Dependency Requirements}
+
+For proper functioning of the preprocessor:
+\begin{itemize}
+
+\item Stream session tracking must be enabled, i.e. stream5. UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep its
+ data.
+
+\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+\end{itemize}
+
+\subsubsection{GTP Data Channel Decoder Configuration}
+GTP decoder extracts payload from GTP PDU. The following configuration sets
+GTP decoding:
+\begin{verbatim}
+config enable_gtp
+\end{verbatim}
+By default, GTP decoder uses port number $2152$ (GTPv1) and $3386$ (GTPv0).
+If users want to change those values, they can use \texttt{portvar GTP\_PORTS}:
+
+\begin{verbatim}
+portvar GTP_PORTS [2152,3386]
+\end{verbatim}
+
+\subsubsection{GTP Control Channel Preprocessor Configuration}
+
+Different from GTP decoder, GTP preprocessor examines all signaling messages.
+The preprocessor configuration name is \texttt{gtp}.
+\begin{verbatim}
+preprocessor sip
+\end{verbatim}
+\textit{Option syntax}
+\begin{itemize}
+\item[]
+\begin{tabular}{|l|c|c|p{6cm}|}
+\hline
+Option & Argument & Required & Default\\
+\hline
+\hline
+\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 2123 3386 \} }\\
+\hline
+\end{tabular}
+\end{itemize}
+\normalsize
+\textit{Option explanations}
+\begin{itemize}
+\item[] \texttt{ports}
+\begin{itemize}
+\item[] This specifies on what ports to check for SIP messages. Typically,
+ this will include 5060, 5061.
+\item[] \textit{Syntax}
+\begin{verbatim}
+ ports { [< ... >] }
+\end{verbatim}
+\item[] \textit{Examples}
+\begin{verbatim}
+ ports { 2123 3386 2152 }
+\end{verbatim}
+\item[] Note: there are spaces before and after `\{' and `\}'.
+\end{itemize}
+\end{itemize}
+\normalsize
+
+\textit{Default configuration}
+\footnotesize
+\begin{verbatim}
+ preprocessor gtp
+\end{verbatim}
+\normalsize
+\subsubsection{GTP Decoder Events}
+\begin{longtable}{|r|p{13.5cm}|}
+\hline
+SID & Description\\
+\hline
+ 297 & Two or more GTP encapsulation layers present \\
+\hline
+ 298 & GTP header length is invalid \\
+\hline
+\end{longtable}
+
+\subsubsection{GTP Preprocessor Events}
+\begin{longtable}{|r|p{13.5cm}|}
+\hline
+SID & Description\\
+\hline
+ 1 & Message length is invalid. \\
+\hline
+ 2 & Information element length is invalid. \\
+\hline
+ 3 & Information elements are out of order. \\
+\hline
+\end{longtable}
+\subsubsection{Rule Options}
+New rule options are supported by enabling the \texttt{gtp} preprocessor:
+\begin{itemize}
+\item[]
+\begin{verbatim}
+ gtp_type
+ gtp_info
+ gtp_version
+\end{verbatim}
+\end{itemize}
+
+\texttt{gtp\_type}
+\label{gtp:gtp_method}
+\begin{itemize}
+ \item[] The \texttt{gtp\_type} keyword is used to check for specific GTP types.
+ User can input message type value, an integer in [0, 255], or a string defined
+ in the Table below. More than one type can be specified, via a comma separated
+ list, and are OR'ed together.
If the type used in a rule is not listed in the
+ preprocessor configuration, an error will be thrown.
+
+ \item[] A message type can have different type value in different GTP
+ versions. For example, \texttt{sgsn\_\-context\_\-request} has message type
+ value $50$ in GTPv0 and GTPv1, but $130$ in GTPv2. \texttt{gtp\_type} will
+ match to a different value depending on the version number in the packet.
+ In this example, evaluating a GTPv0 or GTPv1 packet will check whether the
+ message type value is $50$; evaluating a GTPv2 packet will check whether the
+ message type value is $130$. When a message type is not defined in a version,
+ any packet in that version will always return ``No match''.
+
+ \item[] If an integer is used to specify message type, every GTP packet is
+ evaluated, no matter what version the packet is. If the message type matches
+ the value in packet, it will return ``Match''. \\
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ gtp_type:;
+ type-list = type|type, type-list
+ type = "0-255"|
+ | "echo_request" | "echo_response" ...
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ gtp_type:10, 11, echo_request;
+\end{verbatim}
+\normalsize
+
+\textit{GTP message types}
+\small
+\begin{longtable}{|r|c|c|c|p{13.5cm}|}
+\hline
+Type & GTPv0 & GTPv1 & GTPv2\\
+\hline
+0 & N/A & N/A & N/A\\
+\hline
+1 & echo\_request & echo\_request & echo\_request\\
+\hline
+2 & echo\_response & echo\_response & echo\_response\\
+\hline
+3 & version\_not\_supported & version\_not\_supported & version\_not\_supported\\
+\hline
+4 & node\_alive\_request & node\_alive\_request & N/A\\
+\hline
+5 & node\_alive\_response & node\_alive\_response & N/A\\
+\hline
+6 & redirection\_request & redirection\_request & N/A\\
+\hline
+7 & redirection\_response & redirection\_response & N/A \\
+\hline
+16 & create\_pdp\_context\_request & create\_pdp\_context\_request & N/A\\
+\hline
+17 & create\_pdp\_context\_response & create\_pdp\_context\_response & N/A \\
+\hline
+18 & update\_pdp\_context\_request & update\_pdp\_context\_request & N/A\\
+\hline
+19 & update\_pdp\_context\_response & update\_pdp\_context\_response & N/A\\
+\hline
+20 & delete\_pdp\_context\_request & delete\_pdp\_context\_request & N/A\\
+\hline
+21 & delete\_pdp\_context\_response & delete\_pdp\_context\_response & N/A\\
+\hline
+22 & create\_aa\_pdp\_context\_request & init\_pdp\_context\_activation\_request & N/A\\
+\hline
+23 & create\_aa\_pdp\_context\_response & init\_pdp\_context\_activation\_response & N/A\\
+\hline
+24 & delete\_aa\_pdp\_context\_request & N/A & N/A\\
+\hline
+25 & delete\_aa\_pdp\_context\_response & N/A & N/A\\
+\hline
+26 & error\_indication & error\_indication & N/A\\
+\hline
+27 & pdu\_notification\_request & pdu\_notification\_request & N/A\\
+\hline
+28 & pdu\_notification\_response & pdu\_notification\_response & N/A\\
+\hline
+29 & pdu\_notification\_reject\_request & pdu\_notification\_reject\_request & N/A\\
+\hline
+30 & pdu\_notification\_reject\_response &
pdu\_notification\_reject\_response & N/A\\
+\hline
+31 & N/A & supported\_ext\_header\_notification & N/A \\
+\hline
+32 & send\_routing\_info\_request & send\_routing\_info\_request & create\_session\_request \\
+\hline
+33 & send\_routing\_info\_response & send\_routing\_info\_response & create\_session\_response \\
+\hline
+34 & failure\_report\_request & failure\_report\_request & modify\_bearer\_request \\
+\hline
+35 & failure\_report\_response & failure\_report\_response & modify\_bearer\_response \\
+\hline
+36 & note\_ms\_present\_request & note\_ms\_present\_request & delete\_session\_request \\
+\hline
+37 & note\_ms\_present\_response & note\_ms\_present\_response & delete\_session\_response \\
+\hline
+38 & N/A & N/A & change\_notification\_request \\
+\hline
+39 & N/A & N/A & change\_notification\_response \\
+\hline
+48 & identification\_request & identification\_request & N/A \\
+\hline
+49 & identification\_response & identification\_response & N/A \\
+\hline
+50 & sgsn\_context\_request & sgsn\_context\_request & N/A \\
+\hline
+51 & sgsn\_context\_response & sgsn\_context\_response & N/A \\
+\hline
+52 & sgsn\_context\_ack & sgsn\_context\_ack & N/A \\
+\hline
+53 & N/A & forward\_relocation\_request & N/A \\
+\hline
+54 & N/A & forward\_relocation\_response & N/A \\
+\hline
+55 & N/A & forward\_relocation\_complete & N/A \\
+\hline
+56 & N/A & relocation\_cancel\_request & N/A \\
+\hline
+57 & N/A & relocation\_cancel\_response & N/A \\
+\hline
+58 & N/A & forward\_srns\_contex & N/A \\
+\hline
+59 & N/A & forward\_relocation\_complete\_ack & N/A \\
+\hline
+60 & N/A & forward\_srns\_contex\_ack & N/A \\
+\hline
+64 & N/A & N/A & modify\_bearer\_command \\
+\hline
+65 & N/A & N/A & modify\_bearer\_failure\_indication \\
+\hline
+66 & N/A & N/A & delete\_bearer\_command \\
+\hline
+67 & N/A & N/A & delete\_bearer\_failure\_indication \\
+\hline
+68 & N/A & N/A & bearer\_resource\_command \\
+\hline
+69 & N/A & N/A &
bearer\_resource\_failure\_indication \\
+\hline
+70 & N/A & ran\_info\_relay & downlink\_failure\_indication \\
+\hline
+71 & N/A & N/A & trace\_session\_activation \\
+\hline
+72 & N/A & N/A & trace\_session\_deactivation \\
+\hline
+73 & N/A & N/A & stop\_paging\_indication \\
+\hline
+95 & N/A & N/A & create\_bearer\_request \\
+\hline
+96 & N/A & mbms\_notification\_request & create\_bearer\_response \\
+\hline
+97 & N/A & mbms\_notification\_response & update\_bearer\_request \\
+\hline
+98 & N/A & mbms\_notification\_reject\_request & update\_bearer\_response \\
+\hline
+99 & N/A & mbms\_notification\_reject\_response & delete\_bearer\_request \\
+\hline
+100 & N/A & create\_mbms\_context\_request & delete\_bearer\_response \\
+\hline
+101 & N/A & create\_mbms\_context\_response & delete\_pdn\_request \\
+\hline
+102 & N/A & update\_mbms\_context\_request & delete\_pdn\_response \\
+\hline
+103 & N/A & update\_mbms\_context\_response & N/A \\
+\hline
+104 & N/A & delete\_mbms\_context\_request & N/A \\
+\hline
+105 & N/A & delete\_mbms\_context\_response & N/A \\
+\hline
+112 & N/A & mbms\_register\_request & N/A \\
+\hline
+113 & N/A & mbms\_register\_response & N/A \\
+\hline
+114 & N/A & mbms\_deregister\_request & N/A \\
+\hline
+115 & N/A & mbms\_deregister\_response & N/A \\
+\hline
+116 & N/A & mbms\_session\_start\_request & N/A \\
+\hline
+117 & N/A & mbms\_session\_start\_response & N/A \\
+\hline
+118 & N/A & mbms\_session\_stop\_request & N/A \\
+\hline
+119 & N/A & mbms\_session\_stop\_response & N/A \\
+\hline
+120 & N/A & mbms\_session\_update\_request & N/A \\
+\hline
+121 & N/A & mbms\_session\_update\_response & N/A \\
+\hline
+128 & N/A & ms\_info\_change\_request & identification\_request \\
+\hline
+129 & N/A & ms\_info\_change\_response & identification\_response \\
+\hline
+130 & N/A & N/A & sgsn\_context\_request \\
+\hline
+131 & N/A & N/A & sgsn\_context\_response \\
+\hline
+132 & N/A & N/A & sgsn\_context\_ack \\
+\hline
+133 &
N/A & N/A & forward\_relocation\_request \\
+\hline
+134 & N/A & N/A & forward\_relocation\_response \\
+\hline
+135 & N/A & N/A & forward\_relocation\_complete \\
+\hline
+136 & N/A & N/A & forward\_relocation\_complete\_ack \\
+\hline
+137 & N/A & N/A & forward\_access \\
+\hline
+138 & N/A & N/A & forward\_access\_ack \\
+\hline
+139 & N/A & N/A & relocation\_cancel\_request \\
+\hline
+140 & N/A & N/A & relocation\_cancel\_response \\
+\hline
+141 & N/A & N/A & configuration\_transfer\_tunnel \\
+\hline
+149 & N/A & N/A & detach \\
+\hline
+150 & N/A & N/A & detach\_ack \\
+\hline
+151 & N/A & N/A & cs\_paging \\
+\hline
+152 & N/A & N/A & ran\_info\_relay \\
+\hline
+153 & N/A & N/A & alert\_mme \\
+\hline
+154 & N/A & N/A & alert\_mme\_ack \\
+\hline
+155 & N/A & N/A & ue\_activity \\
+\hline
+156 & N/A & N/A & ue\_activity\_ack \\
+\hline
+160 & N/A & N/A & create\_forward\_tunnel\_request \\
+\hline
+161 & N/A & N/A & create\_forward\_tunnel\_response \\
+\hline
+162 & N/A & N/A & suspend \\
+\hline
+163 & N/A & N/A & suspend\_ack \\
+\hline
+164 & N/A & N/A & resume \\
+\hline
+165 & N/A & N/A & resume\_ack \\
+\hline
+166 & N/A & N/A & create\_indirect\_forward\_tunnel\_request \\
+\hline
+167 & N/A & N/A & create\_indirect\_forward\_tunnel\_response \\
+\hline
+168 & N/A & N/A & delete\_indirect\_forward\_tunnel\_request \\
+\hline
+169 & N/A & N/A & delete\_indirect\_forward\_tunnel\_response \\
+\hline
+170 & N/A & N/A & release\_access\_bearer\_request \\
+\hline
+171 & N/A & N/A & release\_access\_bearer\_response \\
+\hline
+176 & N/A & N/A & downlink\_data \\
+\hline
+177 & N/A & N/A & downlink\_data\_ack \\
+\hline
+178 & N/A & N/A & N/A \\
+\hline
+179 & N/A & N/A & pgw\_restart \\
+\hline
+199 & N/A & N/A & pgw\_restart\_ack \\
+\hline
+200 & N/A & N/A & update\_pdn\_request \\
+\hline
+201 & N/A & N/A & update\_pdn\_response \\
+\hline
+211 & N/A & N/A & modify\_access\_bearer\_request \\
+\hline
+212 & N/A & N/A &
modify\_access\_bearer\_response \\
+\hline
+231 & N/A & N/A & mbms\_session\_start\_request \\
+\hline
+232 & N/A & N/A & mbms\_session\_start\_response \\
+\hline
+233 & N/A & N/A & mbms\_session\_update\_request \\
+\hline
+234 & N/A & N/A & mbms\_session\_update\_response \\
+\hline
+235 & N/A & N/A & mbms\_session\_stop\_request \\
+\hline
+236 & N/A & N/A & mbms\_session\_stop\_response \\
+\hline
+240 & data\_record\_transfer\_request & data\_record\_transfer\_request & N/A \\
+\hline
+241 & data\_record\_transfer\_response & data\_record\_transfer\_response & N/A \\
+\hline
+254 & N/A & end\_marker & N/A \\
+\hline
+255 & pdu & pdu & N/A \\
+\hline
+\end{longtable}
+\end{itemize}
+
+\texttt{gtp\_info}
+\label{gtp:gtp_info}
+\begin{itemize}
+\item[] The \texttt{gtp\_info} keyword is used to check for specific GTP
+ information element. This keyword restricts the search to the information
+ element field. User can input information element value, an integer in
+ $[0, 255]$, or a string defined in the Table below. If the information
+ element used in this rule is not listed in the preprocessor configuration,
+ an error will be thrown.
+
+\item[] When there are several information elements with the same type in the
+ message, this keyword restricts the search to the total consecutive buffer.
+ Because the standard requires same types group together, this feature will be
+ available for all valid messages. In the case of ``out of order information
+ elements'', this keyword restricts the search to the last buffer.
+
+\item[] Similar to message type, same information element might have different
+ information element value in different GTP versions. For example,
+ \texttt{cause} has value $1$ in GTPv0 and GTPv1, but $2$ in GTPv2.
+ \texttt{gtp\_info} will match to a different
+ value depending on the version number in the packet. When an information
+ element is not defined in a version, any packet in that version will always
+ return ``No match''.
+
+ If an integer is used to specify information element type, every GTP packet
+ is evaluated, no matter what version the packet is. If the message type
+ matches the value in packet, it will return ``Match''.\\
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ gtp_info:;
+ ie = "0-255"|
+ "rai" | "tmsi"...
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ gtp_info: 16;
+ gtp_info: tmsi
+\end{verbatim}
+\normalsize
+\textit{GTP information elements}
+\small
+\begin{longtable}{|r|c|c|c|p{13.5cm}|}
+\hline
+Type & GTPv0 & GTPv1 & GTPv2\\
+\hline
+0 & N/A & N/A & N/A \\
+\hline
+1 & cause & cause & imsi\\
+\hline
+2 & imsi & imsi & cause \\
+\hline
+3 & rai & rai & recovery\\
+\hline
+4 & tlli & tlli & N/A\\
+\hline
+5 & p\_tmsi & p\_tmsi & N/A\\
+\hline
+6 & qos & N/A & N/A\\
+\hline
+7 & N/A & N/A & N/A \\
+\hline
+8 & recording\_required & recording\_required & N/A\\
+\hline
+9 & authentication & authentication & N/A\\
+\hline
+10 & N/A & N/A & N/A\\
+\hline
+11 & map\_cause & map\_cause & N/A\\
+\hline
+12 & p\_tmsi\_sig & p\_tmsi\_sig & N/A\\
+\hline
+13 & ms\_validated & ms\_validated & N/A\\
+\hline
+14 & recovery & recovery & N/A\\
+\hline
+15 & selection\_mode & selection\_mode & N/A\\
+\hline
+16 & flow\_label\_data\_1 & teid\_1 & N/A\\
+\hline
+17 & flow\_label\_signalling & teid\_control & N/A\\
+\hline
+18 & flow\_label\_data\_2 & teid\_2 & N/A\\
+\hline
+19 & ms\_unreachable & teardown\_ind & N/A\\
+\hline
+20 & N/A & nsapi & N/A\\
+\hline
+21 & N/A & ranap & N/A\\
+\hline
+22 & N/A & rab\_context & N/A\\
+\hline
+23 & N/A & radio\_priority\_sms & N/A\\
+\hline
+24 & N/A & radio\_priority & N/A\\
+\hline
+25 & N/A & packet\_flow\_id & N/A\\
+\hline
+26 & N/A & charging\_char & N/A\\
+\hline
+27 & N/A & trace\_ref & N/A\\
+\hline
+28 & N/A & trace\_type & N/A\\
+\hline
+29 & N/A & ms\_unreachable & N/A\\
+\hline
+71 & N/A & N/A & apn\\
+\hline
+72 & N/A & N/A & ambr\\
+\hline
+73 & N/A & N/A & ebi\\
+\hline
+74 & N/A
& N/A & ip\_addr\\
+\hline
+75 & N/A & N/A & mei\\
+\hline
+76 & N/A & N/A & msisdn\\
+\hline
+77 & N/A & N/A & indication\\
+\hline
+78 & N/A & N/A & pco\\
+\hline
+79 & N/A & N/A & paa\\
+\hline
+80 & N/A & N/A & bearer\_qos\\
+\hline
+81 & N/A & N/A & flow\_qos\\
+\hline
+82 & N/A & N/A & rat\_type\\
+\hline
+83 & N/A & N/A & serving\_network\\
+\hline
+84 & N/A & N/A & bearer\_tft\\
+\hline
+85 & N/A & N/A & tad\\
+\hline
+86 & N/A & N/A & uli\\
+\hline
+87 & N/A & N/A & f\_teid\\
+\hline
+88 & N/A & N/A & tmsi\\
+\hline
+89 & N/A & N/A & cn\_id\\
+\hline
+90 & N/A & N/A & s103pdf\\
+\hline
+91 & N/A & N/A & s1udf\\
+\hline
+92 & N/A & N/A & delay\_value\\
+\hline
+93 & N/A & N/A & bearer\_context\\
+\hline
+94 & N/A & N/A & charging\_id\\
+\hline
+95 & N/A & N/A & charging\_char\\
+\hline
+96 & N/A & N/A & trace\_info\\
+\hline
+97 & N/A & N/A & bearer\_flag\\
+\hline
+98 & N/A & N/A & N/A\\
+\hline
+99 & N/A & N/A & pdn\_type\\
+\hline
+100 & N/A & N/A & pti\\
+\hline
+101 & N/A & N/A & drx\_parameter\\
+\hline
+102 & N/A & N/A & N/A\\
+\hline
+103 & N/A & N/A & gsm\_key\_tri\\
+\hline
+104 & N/A & N/A & umts\_key\_cipher\_quin\\
+\hline
+105 & N/A & N/A & gsm\_key\_cipher\_quin\\
+\hline
+106 & N/A & N/A & umts\_key\_quin\\
+\hline
+107 & N/A & N/A & eps\_quad\\
+\hline
+108 & N/A & N/A & umts\_key\_quad\_quin\\
+\hline
+109 & N/A & N/A & pdn\_connection\\
+\hline
+110 & N/A & N/A & pdn\_number\\
+\hline
+111 & N/A & N/A & p\_tmsi\\
+\hline
+112 & N/A & N/A & p\_tmsi\_sig\\
+\hline
+113 & N/A & N/A & hop\_counter\\
+\hline
+114 & N/A & N/A & ue\_time\_zone\\
+\hline
+115 & N/A & N/A & trace\_ref\\
+\hline
+116 & N/A & N/A & complete\_request\_msg\\
+\hline
+117 & N/A & N/A & guti\\
+\hline
+118 & N/A & N/A & f\_container\\
+\hline
+119 & N/A & N/A & f\_cause\\
+\hline
+120 & N/A & N/A & plmn\_id\\
+\hline
+121 & N/A & N/A & target\_id\\
+\hline
+122 & N/A & N/A & N/A\\
+\hline
+123 & N/A & N/A & packet\_flow\_id\\
+\hline
+124 & N/A & N/A & rab\_contex\\
+\hline
+125 & N/A & N/A & src\_rnc\_pdcp\\
+\hline
+126 & N/A & N/A & udp\_src\_port\\
+\hline
+127 & charge\_id & charge\_id & apn\_restriction\\
+\hline
+128 & end\_user\_address & end\_user\_address & selection\_mode\\
+\hline
+129 & mm\_context & mm\_context & src\_id\\
+\hline
+130 & pdp\_context & pdp\_context & N/A\\
+\hline
+131 & apn & apn & change\_report\_action\\
+\hline
+132 & protocol\_config & protocol\_config & fq\_csid\\
+\hline
+133 & gsn & gsn & channel\\
+\hline
+134 & msisdn & msisdn & emlpp\_pri\\
+\hline
+135 & N/A & qos & node\_type\\
+\hline
+136 & N/A & authentication\_qu & fqdn\\
+\hline
+137 & N/A & tft & ti\\
+\hline
+138 & N/A & target\_id & mbms\_session\_duration\\
+\hline
+139 & N/A & utran\_trans & mbms\_service\_area\\
+\hline
+140 & N/A & rab\_setup & mbms\_session\_id\\
+\hline
+141 & N/A & ext\_header & mbms\_flow\_id\\
+\hline
+142 & N/A & trigger\_id & mbms\_ip\_multicast\\
+\hline
+143 & N/A & omc\_id & mbms\_distribution\_ack\\
+\hline
+144 & N/A & ran\_trans & rfsp\_index\\
+\hline
+145 & N/A & pdp\_context\_pri & uci\\
+\hline
+146 & N/A & addi\_rab\_setup & csg\_info\\
+\hline
+147 & N/A & sgsn\_number & csg\_id\\
+\hline
+148 & N/A & common\_flag & cmi\\
+\hline
+149 & N/A & apn\_restriction & service\_indicator\\
+\hline
+150 & N/A & radio\_priority\_lcs & detach\_type\\
+\hline
+151 & N/A & rat\_type & ldn\\
+\hline
+152 & N/A & user\_loc\_info & node\_feature\\
+\hline
+153 & N/A & ms\_time\_zone & mbms\_time\_to\_transfer\\
+\hline
+154 & N/A & imei\_sv & throttling\\
+\hline
+155 & N/A & camel & arp\\
+\hline
+156 & N/A & mbms\_ue\_context & epc\_timer\\
+\hline
+157 & N/A & tmp\_mobile\_group\_id & signalling\_priority\_indication\\
+\hline
+158 & N/A & rim\_routing\_addr & tmgi\\
+\hline
+159 & N/A & mbms\_config & mm\_srvcc\\
+\hline
+160 & N/A & mbms\_service\_area & flags\_srvcc\\
+\hline
+161 & N/A & src\_rnc\_pdcp & mmbr\\
+\hline
+162 & N/A & addi\_trace\_info & N/A\\
+\hline
+163 & N/A & hop\_counter &
N/A\\
+\hline
+164 & N/A & plmn\_id & N/A\\
+\hline
+165 & N/A & mbms\_session\_id & N/A\\
+\hline
+166 & N/A & mbms\_2g3g\_indicator & N/A\\
+\hline
+167 & N/A & enhanced\_nsapi & N/A\\
+\hline
+168 & N/A & mbms\_session\_duration & N/A\\
+\hline
+169 & N/A & addi\_mbms\_trace\_info & N/A\\
+\hline
+170 & N/A & mbms\_session\_repetition\_num & N/A\\
+\hline
+171 & N/A & mbms\_time\_to\_data & N/A\\
+\hline
+173 & N/A & bss & N/A\\
+\hline
+174 & N/A & cell\_id & N/A\\
+\hline
+175 & N/A & pdu\_num & N/A\\
+\hline
+176 & N/A & N/A & N/A\\
+\hline
+177 & N/A & mbms\_bearer\_capab & N/A\\
+\hline
+178 & N/A & rim\_routing\_disc & N/A\\
+\hline
+179 & N/A & list\_pfc & N/A\\
+\hline
+180 & N/A & ps\_xid & N/A\\
+\hline
+181 & N/A & ms\_info\_change\_report & N/A\\
+\hline
+182 & N/A & direct\_tunnel\_flags & N/A\\
+\hline
+183 & N/A & correlation\_id & N/A\\
+\hline
+184 & N/A & bearer\_control\_mode & N/A\\
+\hline
+185 & N/A & mbms\_flow\_id & N/A\\
+\hline
+186 & N/A & mbms\_ip\_multicast & N/A\\
+\hline
+187 & N/A & mbms\_distribution\_ack & N/A\\
+\hline
+188 & N/A & reliable\_inter\_rat\_handover & N/A\\
+\hline
+189 & N/A & rfsp\_index & N/A\\
+\hline
+190 & N/A & fqdn & N/A\\
+\hline
+191 & N/A & evolved\_allocation1 & N/A\\
+\hline
+192 & N/A & evolved\_allocation2 & N/A\\
+\hline
+193 & N/A & extended\_flags & N/A\\
+\hline
+194 & N/A & uci & N/A\\
+\hline
+195 & N/A & csg\_info & N/A\\
+\hline
+196 & N/A & csg\_id & N/A\\
+\hline
+197 & N/A & cmi & N/A\\
+\hline
+198 & N/A & apn\_ambr & N/A\\
+\hline
+199 & N/A & ue\_network & N/A\\
+\hline
+200 & N/A & ue\_ambr & N/A\\
+\hline
+201 & N/A & apn\_ambr\_nsapi & N/A\\
+\hline
+202 & N/A & ggsn\_backoff\_timer & N/A\\
+\hline
+203 & N/A & signalling\_priority\_indication & N/A\\
+\hline
+204 & N/A & signalling\_priority\_indication\_nsapi & N/A\\
+\hline
+205 & N/A & high\_bitrate & N/A\\
+\hline
+206 & N/A & max\_mbr & N/A\\
+\hline
+250 & N/A & N/A & N/A\\
+\hline
+ & N/A & N/A & N/A\\
+\hline
+251 &
charging\_gateway\_addr & charging\_gateway\_addr & N/A\\ +\hline +255 & private\_extension & private\_extension & private\_extension\\ +\hline +\end{longtable} +\end{itemize} +\texttt{gtp\_version} +\label{gtp:gtp_version} +\begin{itemize} + \item[] The \texttt{gtp\_version} keyword is used to check for specific +GTP version. + \item[] Because different GTP version defines different message types and + information elements, this keyword should combine with \texttt{gtp\_type} +and \texttt{gtp\_info.}\\ + +\textit{Syntax} +\footnotesize +\begin{verbatim} + gtp_version:; + version = "0, 1, 2' +\end{verbatim} +\normalsize +\textit{Examples} +\footnotesize +\begin{verbatim} + gtp_version: 1; +\end{verbatim} +\normalsize +\end{itemize} + +\subsection{Modbus Preprocessor} +\label{sub:modbus} +The Modbus preprocessor is a Snort module that decodes the Modbus protocol. +It also provides rule options to access certain protocol fields. +This allows a user to write rules for Modbus packets without decoding the protocol +with a series of "content" and "byte\_test" options. + +Modbus is a protocol used in SCADA networks. If your network does not contain any +Modbus-enabled devices, we recommend leaving this preprocessor turned off. + +\subsubsection{Dependency Requirements} + +For proper functioning of the preprocessor: +\begin{itemize} + +\item Stream session tracking must be enabled, i.e. stream5. TCP must be + enabled in stream5. The preprocessor requires a session tracker to keep its + data. + +\item Protocol Aware Flushing (PAF) must be enabled. + +\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be + enabled and configured. + +\end{itemize} + +\subsubsection{Preprocessor Configuration} +To get started, the Modbus preprocessor must be enabled. +The preprocessor name is \texttt{modbus}. 
+\begin{verbatim}
+preprocessor modbus
+\end{verbatim}
+\textit{Option syntax}
+\begin{itemize}
+\item[]
+\begin{tabular}{|l|c|c|p{6cm}|}
+\hline
+Option & Argument & Required & Default\\
+\hline
+\hline
+\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 502 \} }\\
+\hline
+\end{tabular}
+\end{itemize}
+\normalsize
+\textit{Option explanations}
+\begin{itemize}
+\item[] \texttt{ports}
+\begin{itemize}
+\item[] This specifies on what ports to check for Modbus messages. Typically,
+ this will include 502.
+\item[] \textit{Syntax}
+\begin{verbatim}
+ ports { [< ... >] }
+\end{verbatim}
+\item[] \textit{Examples}
+\begin{verbatim}
+ ports { 1237 3945 5067 }
+\end{verbatim}
+\item[] Note: there are spaces before and after `\{' and `\}'.
+\end{itemize}
+\end{itemize}
+\normalsize
+
+\textit{Default configuration}
+\footnotesize
+\begin{verbatim}
+ preprocessor modbus
+\end{verbatim}
+\normalsize
+
+\subsubsection{Rule Options}
+The Modbus preprocessor adds 3 new rule options. These rule options match on
+various pieces of the Modbus headers:
+
+\begin{itemize}
+\item[]
+\begin{verbatim}
+ modbus_func
+ modbus_unit
+ modbus_data
+\end{verbatim}
+\end{itemize}
+
+The preprocessor must be enabled for these rule option to work.
+
+\texttt{modbus\_func}
+\label{modbus:modbus_func}
+\begin{itemize}
+ \item[] This option matches against the Function Code inside of a Modbus
+ header. The code may be a number (in decimal format), or a string from the
+ list provided below.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ modbus_func:
+
+ code = 0-255 |
+ "read_coils" |
+ "read_discrete_inputs" |
+ "read_holding_registers" |
+ "read_input_registers" |
+ "write_single_coil" |
+ "write_single_register" |
+ "read_exception_status" |
+ "diagnostics" |
+ "get_comm_event_counter" |
+ "get_comm_event_log" |
+ "write_multiple_coils" |
+ "write_multiple_registers" |
+ "report_slave_id" |
+ "read_file_record" |
+ "write_file_record" |
+ "mask_write_register" |
+ "read_write_multiple_registers" |
+ "read_fifo_queue" |
+ "encapsulated_interface_transport"
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ modbus_func:1;
+ modbus_func:write_multiple_coils;
+\end{verbatim}
+\normalsize
+
+\texttt{modbus\_unit}
+\label{modbus:modbus_unit}
+\begin{itemize}
+ \item[] This option matches against the Unit ID field in a Modbus header.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ modbus_unit:
+
+ unit = 0-255
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ modbus_unit:1;
+\end{verbatim}
+\normalsize
+
+\texttt{modbus\_data}
+\label{modbus:modbus_data}
+\begin{itemize}
+ \item[] This rule option sets the cursor at the beginning of the Data field
+ in a Modbus request/response.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ modbus_data;
+\end{verbatim}
+\normalsize
+
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ modbus_data; content:"badstuff";
+\end{verbatim}
+\normalsize
+
+\subsubsection{Preprocessor Events}
+The Modbus preprocessor uses GID 144 for its preprocessor events.
+\begin{longtable}{|r|p{13.5cm}|}
+
+\hline
+SID & Description\\
+\hline
+ 1 & The length in the Modbus header does not match the length needed \\
+ & by the Modbus function code. \\
+&\\
+ & Each Modbus function has an expected format for requests and responses. \\
+ & If the length of the message does not match the expected format, this \\
+ & alert is generated. \\
+\hline
+ 2 & Modbus protocol ID is non-zero. \\
+&\\
+ & The protocol ID field is used for multiplexing other protocols with \\
+ & Modbus. Since the preprocessor cannot handle these other protocols, \\
+ & this alert is generated instead. \\
+\hline
+ 3 & Reserved Modbus function code in use. \\
+\hline
+\end{longtable}
+
+\subsection{DNP3 Preprocessor}
+\label{sub:dnp3}
+The DNP3 preprocessor is a Snort module that decodes the DNP3 protocol.
+It also provides rule options to access certain protocol fields.
+This allows a user to write rules for DNP3 packets without decoding the protocol
+with a series of "content" and "byte\_test" options.
+
+DNP3 is a protocol used in SCADA networks. If your network does not contain any
+DNP3-enabled devices, we recommend leaving this preprocessor turned off.
+
+\subsubsection{Dependency Requirements}
+
+For proper functioning of the preprocessor:
+\begin{itemize}
+
+\item Stream session tracking must be enabled, i.e. stream5. TCP or UDP must be
+ enabled in stream5. The preprocessor requires a session tracker to keep its
+ data.
+
+\item Protocol Aware Flushing (PAF) must be enabled.
+
+\item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
+ enabled and configured.
+
+\end{itemize}
+
+\subsubsection{Preprocessor Configuration}
+To get started, the DNP3 preprocessor must be enabled.
+The preprocessor name is \texttt{dnp3}.
+\begin{verbatim}
+preprocessor dnp3
+\end{verbatim}
+\textit{Option syntax}
+\begin{itemize}
+\item[]
+\begin{tabular}{|l|c|c|p{6cm}|}
+\hline
+Option & Argument & Required & Default\\
+\hline
+\hline
+\texttt{ports} & \texttt{} & NO & \texttt{ports \{ 20000 \} }\\
+\texttt{memcap} & \texttt{ [< ... >] }
+\end{verbatim}
+\item[] \textit{Examples}
+\begin{verbatim}
+ ports { 1237 3945 5067 }
+\end{verbatim}
+\item[] Note: there are spaces before and after `\{' and `\}'.
+\end{itemize}
+
+\item[] \texttt{memcap}
+\begin{itemize}
+\item[] This sets a maximum to the amount of memory allocated to the DNP3
+ preprocessor for session-tracking purposes. The argument is given
+ in bytes.
+ Each session requires about 4 KB to track, and the default is 256 kB.
+ This gives the preprocessor the ability to track 63 DNP3 sessions
+ simultaneously.
+ Setting the memcap below 4144 bytes will cause a fatal error.
+ When multiple configs are used, the memcap in the non-default configs
+ will be overwritten by the memcap in the default config. If the default
+ config isn't intended to inspect DNP3 traffic, use the "disabled"
+ keyword.
+\end{itemize}
+
+\item[] \texttt{check\_crc}
+\begin{itemize}
+\item[] This option makes the preprocessor validate the checksums contained in
+ DNP3 Link-Layer Frames. Frames with invalid checksums will be ignored.
+ If the corresponding preprocessor rule is enabled, invalid checksums
+ will generate alerts.
+ The corresponding rule is GID 145, SID 1.
+\end{itemize}
+
+\item[] \texttt{disabled}
+\begin{itemize}
+\item[] This option is used for loading the preprocessor without inspecting
+ any DNP3 traffic. The \texttt{disabled} keyword is only useful when the DNP3
+ preprocessor is turned on in a separate policy.
+\end{itemize}
+\end{itemize}
+\normalsize
+
+\textit{Default configuration}
+\footnotesize
+\begin{verbatim}
+ preprocessor dnp3
+\end{verbatim}
+\normalsize
+
+\subsubsection{Rule Options}
+The DNP3 preprocessor adds 4 new rule options. These rule options match on
+various pieces of the DNP3 headers:
+
+\begin{itemize}
+\item[]
+\begin{verbatim}
+ dnp3_func
+ dnp3_obj
+ dnp3_ind
+ dnp3_data
+\end{verbatim}
+\end{itemize}
+
+The preprocessor must be enabled for these rule option to work.
+
+\texttt{dnp3\_func}
+\label{dnp3:dnp3_func}
+\begin{itemize}
+ \item[] This option matches against the Function Code inside of a DNP3
+ Application-Layer request/response header. The code may be a number
+ (in decimal format), or a string from the list provided below.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_func:
+
+ code = 0-255 |
+ "confirm" |
+ "read" |
+ "write" |
+ "select" |
+ "operate" |
+ "direct_operate" |
+ "direct_operate_nr" |
+ "immed_freeze" |
+ "immed_freeze_nr" |
+ "freeze_clear" |
+ "freeze_clear_nr" |
+ "freeze_at_time" |
+ "freeze_at_time_nr" |
+ "cold_restart" |
+ "warm_restart" |
+ "initialize_data" |
+ "initialize_appl" |
+ "start_appl" |
+ "stop_appl" |
+ "save_config" |
+ "enable_unsolicited" |
+ "disable_unsolicited" |
+ "assign_class" |
+ "delay_measure" |
+ "record_current_time" |
+ "open_file" |
+ "close_file" |
+ "delete_file" |
+ "get_file_info" |
+ "authenticate_file" |
+ "abort_file" |
+ "activate_config" |
+ "authenticate_req" |
+ "authenticate_err" |
+ "response" |
+ "unsolicited_response" |
+ "authenticate_resp"
+
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ dnp3_func:1;
+ dnp3_func:delete_file;
+\end{verbatim}
+\normalsize
+
+\texttt{dnp3\_ind}
+\label{dnp3:dnp3_ind}
+\begin{itemize}
+ \item[] This option matches on the Internal Indicators flags present in a
+ DNP3 Application Response Header. Much like the TCP flags rule option,
+ providing multiple flags in one option will cause the rule to fire if \emph{ANY}
+ one of the flags is set. To alert on a combination of flags, use multiple rule
+ options.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_ind:{,...]
+
+ flag = "all_stations"
+ "class_1_events"
+ "class_2_events"
+ "class_3_events"
+ "need_time"
+ "local_control"
+ "defice_trouble"
+ "device_restart"
+ "no_func_code_support"
+ "object_unknown"
+ "parameter_error"
+ "event_buffer_overflow"
+ "already_executing"
+ "config_corrupt"
+ "reserved_2"
+ "reserved_1"
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ # Alert on reserved_1 OR reserved_2
+ dnp3_ind:reserved_1,reserved_2;
+
+ # Alert on class_1 AND class_2 AND class_3 events
+ dnp3_ind:class_1_events; dnp3_ind:class_2_events; dnp3_ind:class_3_events;
+\end{verbatim}
+\normalsize
+
+\texttt{dnp3\_obj}
+\label{dnp3:dnp3_obj}
+\begin{itemize}
+ \item[] This option matches on DNP3 object headers present in a request or response.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_obj:,
+
+ group = 0 - 255
+ var = 0 - 255
+\end{verbatim}
+\normalsize
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ # Alert on DNP3 "Date and Time" object
+ dnp3_obj:50,1;
+\end{verbatim}
+\normalsize
+
+\texttt{dnp3\_data}
+\label{dnp3:dnp3_data}
+\begin{itemize}
+ \item[] As Snort processes DNP3 packets, the DNP3 preprocessor collects
+ Link-Layer Frames and reassembles them back into Application-Layer Fragments.
+ This rule option sets the cursor to the beginning of an Application-Layer
+ Fragment, so that other rule options can work on the reassembled data.
+
+ With the dnp3\_data rule option, you can write rules based on the data within
+ Fragments without splitting up the data and adding CRCs every 16 bytes.
+\end{itemize}
+
+\textit{Syntax}
+\footnotesize
+\begin{verbatim}
+ dnp3_data;
+\end{verbatim}
+\normalsize
+
+\textit{Examples}
+\footnotesize
+\begin{verbatim}
+ dnp3_data; content:"badstuff_longer_than_16chars";
+\end{verbatim}
+\normalsize
+
+\subsubsection{Preprocessor Events}
+The DNP3 preprocessor uses GID 145 for its preprocessor events.
+\begin{longtable}{|r|p{13.5cm}|}
+
+\hline
+SID & Description\\
+\hline
+ 1 & A Link-Layer Frame contained an invalid CRC. \\
+ & (Enable \texttt{check\_crc} in the preprocessor config to get this alert.) \\
+\hline
+ 2 & A DNP3 Link-Layer Frame was dropped, due to an invalid length. \\
+\hline
+ 3 & A Transport-Layer Segment was dropped during reassembly. \\
+ & This happens when segments have invalid sequence numbers. \\
+\hline
+ 4 & The DNP3 Reassembly buffer was cleared before a complete fragment could \\
+ & be reassembled. \\
+ & This happens when a segment carrying the "FIR" flag appears after some \\
+ & other segments have been queued. \\
+\hline
+ 5 & A DNP3 Link-Layer Frame is larger than 260 bytes. \\
+\hline
+ 6 & A DNP3 Link-Layer Frame uses an address that is reserved. \\
+\hline
+ 7 & A DNP3 request or response uses a reserved function code. \\
+\hline
+\end{longtable}
+
+
+
+
+\section{Decoder and Preprocessor Rules}
+
+Decoder and preprocessor rules allow one to enable and disable decoder and
+preprocessor events on a rule by rule basis. They also allow one to specify
+the rule type or action of a decoder or preprocessor event on a rule by rule
+basis.
+
+Decoder config options will still determine whether or not to generate decoder
+events. For example, if \texttt{config disable\_decode\_alerts} is in
+\texttt{snort.conf}, decoder events will not be generated regardless of whether
+or not there are corresponding rules for the event. Also note that if the
+decoder is configured to enable drops, e.g. \texttt{config
+enable\_decode\_drops}, these options will take precedence over the event type
+of the rule. A packet will be dropped if either a decoder config drop option
+is in \texttt{snort.conf} or the decoder or preprocessor rule type is
+\texttt{drop}. Of course, the drop cases only apply if Snort is running
+inline. See \texttt{doc/README.decode} for config options that control decoder
+events.
+
+\subsection{Configuring}
+
+The following options to configure will enable decoder and preprocessor rules:
+
+\begin{verbatim}
+ $ ./configure --enable-decoder-preprocessor-rules
+\end{verbatim}
+
+The decoder and preprocessor rules are located in the \texttt{preproc\_rules/}
+directory in the top level source tree, and have the names
+\texttt{decoder.rules} and \texttt{preprocessor.rules} respectively. These
+files are updated as new decoder and preprocessor events are added to Snort.
+The \texttt{gen-msg.map} under \texttt{etc} directory is also updated with
+new decoder and preprocessor rules.
+
+To enable these rules in \texttt{snort.conf}, define the path to where the
+rules are located and uncomment the \texttt{include} lines in
+\texttt{snort.conf} that reference the rules files.
+
+\begin{verbatim}
+ var PREPROC_RULE_PATH /path/to/preproc_rules
+ ...
+ include $PREPROC_RULE_PATH/preprocessor.rules
+ include $PREPROC_RULE_PATH/decoder.rules
+\end{verbatim}
+
+To disable any rule, just comment it with a \texttt{\#} or remove the rule
+completely from the file (commenting is recommended).
+
+To change the rule type or action of a decoder/preprocessor rule, just replace
+\texttt{alert} with the desired rule type. Any one of the following rule types
+can be used:
+
+\begin{verbatim}
+ alert
+ log
+ pass
+ drop
+ sdrop
+ reject
+\end{verbatim}
+
+For example one can change:
+
+\begin{verbatim}
+ alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
+ metadata: rule-type decode ; classtype:protocol-command-decode;)
+\end{verbatim}
+
+to
+
+\begin{verbatim}
+ drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
+ metadata: rule-type decode ; classtype:protocol-command-decode;)
+\end{verbatim}
+
+to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but
+version field in IPv4 header has a value other than 4.
+
+See \texttt{README.decode}, \texttt{README.gre} and the various preprocessor
+READMEs for descriptions of the rules in \texttt{decoder.rules} and
+\texttt{preprocessor.rules}.
+
+The generator ids ( gid ) for different preprocessors and the decoder are as follows:
+
+\begin{table}[h]
+\begin{center}
+\begin{tabular}{| l | l |}
+
+\hline
+\textbf{Generator Id} & \textbf{Module}\\
+\hline
+
+\hline
+\texttt{105} & Back Orifice preprocessor \\
+
+\hline
+\texttt{106} & RPC Decode preprocessor \\
+
+\hline
+\texttt{112} & Arpspoof preprocessor \\
+
+\hline
+\texttt{116} & Snort Decoder \\
+
+\hline
+\texttt{119} & HTTP Inspect preprocessor ( Client ) \\
+
+\hline
+\texttt{120} & HTTP Inspect preprocessor ( Server ) \\
+
+\hline
+\texttt{122} & Portscan preprocessor \\
+
+\hline
+\texttt{123} & Frag3 preprocessor \\
+
+\hline
+\texttt{124} & SMTP preprocessor \\
+
+\hline
+\texttt{125} & FTP (FTP) preprocessor \\
+
+\hline
+\texttt{126} & FTP (Telnet) preprocessor \\
+
+\hline
+\texttt{127} & ISAKMP preprocessor \\
+
+\hline
+\texttt{128} & SSH preprocessor \\
+
+\hline
+\texttt{129} & Stream5 preprocessor \\
+
+\hline
+\texttt{131} & DNS preprocessor \\
-To disable any rule, just comment it with a \texttt{\#} or remove the rule
-completely from the file (commenting is recommended).
+\hline
+\texttt{132} & Skype preprocessor \\
-To change the rule type or action of a decoder/preprocessor rule, just replace
-\texttt{alert} with the desired rule type. Any one of the following rule types
-can be used:
+\hline
+\texttt{133} & DceRpc2 preprocessor \\
-\begin{verbatim}
- alert
- log
- pass
- drop
- sdrop
- reject
-\end{verbatim}
+\hline
+\texttt{134} & PPM preprocessor \\
-For example one can change:
+\hline
+\texttt{136} & Reputation preprocessor \\
-\begin{verbatim}
- alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
- metadata: rule-type decode ; classtype:protocol-command-decode;)
-\end{verbatim}
+\hline
+\texttt{137} & SSL preprocessor \\
-to
+\hline
+\texttt{139} & SDF preprocessor \\
-\begin{verbatim}
- drop ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; \
- metadata: rule-type decode ; classtype:protocol-command-decode;)
-\end{verbatim}
+\hline
+\texttt{140} & SIP preprocessor \\
-to drop (as well as alert on) packets where the Ethernet protocol is IPv4 but
-version field in IPv4 header has a value other than 4.
+\hline
+\texttt{141} & IMAP preprocessor \\
+
+\hline
+\texttt{142} & POP preprocessor \\
+
+\hline
+\texttt{143} & GTP preprocessor \\
+\hline
+\end{tabular}
+\end{center}
+\end{table}
-See \texttt{README.decode}, \texttt{README.gre} and the various preprocessor
-READMEs for descriptions of the rules in \texttt{decoder.rules} and
-\texttt{preprocessor.rules}.
 \subsection{Reverting to original behavior}
@@ -8313,57 +11476,46 @@
 \begin{figure}
 \footnotesize{
 \begin{verbatim}
-Preprocessor Profile Statistics (all)
+Preprocessor Profile Statistics (worst 10)
 ==========================================================
 Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total
 === ============ ===== ====== ===== ========= ========= ============= ============
- 1 ftptelnet_ftp 0 2697 2697 135720 50.32 0.20 0.20
- 2 detect 0 930237 930237 31645670 34.02 47.20 47.20
- 1 rule eval 1 1347969 1347969 26758596 19.85 84.56 39.91
- 1 rule tree eval 2 1669390 1669390 26605086 15.94 99.43 39.68
- 1 pcre 3 488652 488652 18994719 38.87 71.40 28.33
- 2 asn1 3 1 1 8 8.56 0.00 0.00
- 3 uricontent 3 647122 647122 2638614 4.08 9.92 3.94
- 4 content 3 1043099 1043099 3154396 3.02 11.86 4.70
- 5 ftpbounce 3 23 23 19 0.87 0.00 0.00
- 6 byte_jump 3 9007 9007 3321 0.37 0.01 0.00
- 7 byte_test 3 239015 239015 64401 0.27 0.24 0.10
- 8 icmp_seq 3 2 2 0 0.16 0.00 0.00
- 9 fragbits 3 65259 65259 10168 0.16 0.04 0.02
- 10 isdataat 3 5085 5085 757 0.15 0.00 0.00
- 11 flags 3 4147 4147 517 0.12 0.00 0.00
- 12 flowbits 3 2002630 2002630 212231 0.11 0.80 0.32
- 13 ack 3 4042 4042 261 0.06 0.00 0.00
- 14 flow 3 1347822 1347822 79002 0.06 0.30 0.12
- 15 icode 3 75538 75538 4280 0.06 0.02 0.01
- 16 itype 3 27009 27009 1524 0.06 0.01 0.00
- 17 icmp_id 3 41150 41150 1618 0.04 0.01 0.00
- 18 ip_proto 3 142625 142625 5004 0.04 0.02 0.01
- 19 ipopts 3 13690 13690 457 0.03 0.00 0.00
- 2 rtn eval 2 55836 55836 22763 0.41 0.09 0.03
- 2 mpse 1 492836 492836 4135697 8.39 13.07 6.17
- 3 frag3 0 76925 76925 1683797 21.89 2.51 2.51
- 1 frag3insert 1 70885 70885 434980 6.14 25.83 0.65
- 2 frag3rebuild 1 5419 5419 6280 1.16 0.37 0.01
- 4 dcerpc 0 127332 127332 2426830 19.06 3.62 3.62
- 5 s5 0 809682 809682 14195602 17.53 21.17 21.17
- 1 s5tcp 1 765281 765281 14128577 18.46 99.53 21.07
- 1 s5TcpState 2 742464 742464 13223585 17.81 93.59 19.72
- 1 s5TcpFlush 3 51987 51987 92918 1.79 0.70 0.14
- 1 s5TcpProcessRebuilt 4 47355 47355 14548497 307.22 15657.23 21.70
- 2 s5TcpBuildPacket 4 47360 47360 41711 0.88 44.89 0.06
- 2 s5TcpData 3 250035 250035 141490 0.57 1.07 0.21
- 1 s5TcpPktInsert 4 88173 88173 110136 1.25 77.84 0.16
- 2 s5TcpNewSess 2 60880 60880 81779 1.34 0.58 0.12
- 6 eventq 0 2089428 2089428 26690209 12.77 39.81 39.81
- 7 httpinspect 0 296030 296030 1862359 6.29 2.78 2.78
- 8 smtp 0 137653 137653 227982 1.66 0.34 0.34
- 9 decode 0 1057635 1057635 1162456 1.10 1.73 1.73
- 10 ftptelnet_telnet 0 175 175 175 1.00 0.00 0.00
- 11 sfportscan 0 881153 881153 518655 0.59 0.77 0.77
- 12 backorifice 0 35369 35369 4875 0.14 0.01 0.01
- 13 dns 0 16639 16639 1346 0.08 0.00 0.00
- total total 0 1018323 1018323 67046412 65.84 0.00 0.00
+ 1 detect 0 338181 338181 9054573 26.77 64.62 64.62
+ 1 rule eval 1 256978 256978 2570596 10.00 28.39 18.35
+ 1 rule tree eval 2 399860 399860 2520629 6.30 98.06 17.99
+ 1 pcre 3 51328 51328 505636 9.85 20.06 3.61
+ 2 byte_jump 3 6 6 7 1.30 0.00 0.00
+ 3 content 3 1077588 1077588 1123373 1.04 44.57 8.02
+ 4 uricontent 3 106498 106498 79685 0.75 3.16 0.57
+ 5 byte_test 3 9951 9951 5709 0.57 0.23 0.04
+ 6 isdataat 3 8486 8486 3192 0.38 0.13 0.02
+ 7 flowbits 3 135739 135739 35365 0.26 1.40 0.25
+ 8 flags 3 2 2 0 0.20 0.00 0.00
+ 9 preproc_rule_options 3 15499 15499 1939 0.13 0.08 0.01
+ 10 flow 3 394817 394817 36420 0.09 1.44 0.26
+ 11 file_data 3 15957 15957 1264 0.08 0.05 0.01
+ 12 ack 3 4 4 0 0.07 0.00 0.00
+ 2 rtn eval 2 36928 36928 17500 0.47 0.68 0.12
+ 2 mpse 1 646528 646528 5840244 9.03 64.50 41.68
+ 2 s5 0 310080 310080 3270702 10.55 23.34 23.34
+ 1 s5tcp 1 310080 310080 2993020 9.65 91.51 21.36
+ 1 s5TcpState 2 304484 304484 2559085 8.40 85.50 18.26
+ 1 s5TcpFlush 3 22148 22148 70681 3.19 2.76 0.50
+ 1 s5TcpProcessRebuilt 4 22132 22132 2018748 91.21 2856.11 14.41
+ 2 s5TcpBuildPacket 4 22132 22132 34965 1.58 49.47 0.25
+ 2 s5TcpData 3 184186 184186 120794 0.66 4.72 0.86
+ 1 s5TcpPktInsert 4 46249 46249 89299 1.93 73.93 0.64
+ 2 s5TcpNewSess 2 5777 5777 37958 6.57 1.27 0.27
+ 3 httpinspect 0 204751 204751 1814731 8.86 12.95 12.95
+ 4 ssl 0 10780 10780 16283 1.51 0.12 0.12
+ 5 decode 0 312638 312638 437860 1.40 3.12 3.12
+ 6 DceRpcMain 0 155358 155358 186061 1.20 1.33 1.33
+ 1 DceRpcSession 1 155358 155358 156193 1.01 83.95 1.11
+ 7 backorifice 0 77 77 42 0.55 0.00 0.00
+ 8 smtp 0 45197 45197 17126 0.38 0.12 0.12
+ 9 ssh 0 26453 26453 7195 0.27 0.05 0.05
+ 10 dns 0 28 28 5 0.18 0.00 0.00
+ total total 0 311202 311202 14011946 45.03 0.00 0.00
 \end{verbatim}
 }
 \caption{Preprocessor Profiling Example Output}
@@ -8373,8 +11525,8 @@
 Configuration line used to print the above table:
 \begin{verbatim}
- config profile_rules: \
- print 3, sort total_ticks
+ config profile_preprocs: \
+ print 10, sort total_ticks
 \end{verbatim}
 The columns represent:
@@ -8859,6 +12011,12 @@
 \subsection{database}
 \label{database section}
+\begin{note}
+The database output plugins are considered deprecated as of Snort 2.9.2 and
+will be removed in Snort 2.9.3.
+The recommended approach to logging is to use unified2 with barnyard2 or similar.
+\end{note}
+
 This module from Jed Pickel sends Snort data to a variety of SQL databases. More information on installing and configuring this module can be found on the {[}91{]}incident.org web page. The arguments to this plugin are the name of the
@@ -9134,6 +12292,11 @@
 \subsection{alert\_prelude}
 \begin{note}
+The \texttt{alert\_prelude} output plugin is considered deprecated as of Snort 2.9.2 and
+will be removed in Snort 2.9.3.
+\end{note}
+
+\begin{note}
 support to use alert\_prelude is not built in by default. To use alert\_prelude, snort must be built with the --enable-prelude argument passed
@@ -9188,6 +12351,11 @@
 \subsection{alert\_aruba\_action}
 \begin{note}
+The \texttt{alert\_aruba\_action} output plugin is considered deprecated as of Snort 2.9.2 and
+will be removed in Snort 2.9.3.
+\end{note}
+
+\begin{note}
 Support to use alert\_aruba\_action is not built in by default. To use alert\_aruba\_action, snort must be built with the --enable-aruba argument
@@ -9646,6 +12814,9 @@
 \begin{note}
 This functionality is not currently supported in Windows.
+
+Caveat : When Snort is run on the primary network interface of an OpenBSD system, the reload and failopen operations may not function as expected.
+
 \end{note}
@@ -9974,9 +13145,22 @@
 \begin{verbatim}
 ./configure --enable-active-response
- config response: attempts
+ config response: [device ] [dst_mac ] attempts
+ ::= ip | eth0 | etc. ::= (1..20)
+ ::= nn:nn:nn:nn:nn:nn
+ (n is a hex number from 0-F)
+\end{verbatim}
+
+device ip will perform network layer injection. It is probably a better choice
+to specify an interface and avoid kernel routing tables, etc.
+
+dst\_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc.
+Otherwise, response destination MAC address is derived from packet.
+Example:
+\begin{verbatim}
+ config response: device eth0 dst_mac 00:06:76:DD:5F:E3 attempts 2
 \end{verbatim}
 \subsection{Flexresp}
@@ -10254,7 +13438,7 @@
 \begin{figure}
 \begin{verbatim}
 alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 \
- (content: "|00 01 86 a5|"; msg: "external mountd access";)
+ (content:"|00 01 86 a5|"; msg:"external mountd access";)
 \end{verbatim}
 \caption{\label{Example Negation} Example IP Address Negation Rule}
@@ -10275,8 +13459,8 @@
 \begin{figure}
 \begin{verbatim}
 alert tcp ![192.168.1.0/24,10.1.1.0/24] any -> \
- [192.168.1.0/24,10.1.1.0/24] 111 (content: "|00 01 86 a5|"; \
- msg: "external mountd access";)
+ [192.168.1.0/24,10.1.1.0/24] 111 (content:"|00 01 86 a5|"; \
+ msg:"external mountd access";)
 \end{verbatim}
 \caption{\label{IP list usage}IP Address Lists}
@@ -10385,10 +13569,10 @@
 \begin{figure}
 \begin{verbatim}
- activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; \
- content: "|E8C0FFFFFF|/bin"; activates: 1; \
- msg: "IMAP buffer overflow!";)
- dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;)
+ activate tcp !$HOME_NET any -> $HOME_NET 143 (flags:PA; \
+ content:"|E8C0FFFFFF|/bin"; activates:1; \
+ msg:"IMAP buffer overflow!";)
+ dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50;)
 \end{verbatim}
 \caption{Activate/Dynamic Rule Example}
@@ -10439,7 +13623,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- msg: "";
+ msg:"";
 \end{verbatim}
 \subsection{reference}
@@ -10483,7 +13667,11 @@
 \hline
 mcafee&
-http://vil.nai.com/vil/dispVirus.asp?virus\_k=\\
+http://vil.nai.com/vil/content/v\_\\
+
+\hline
+osvdb&
+http://osvdb.org/show/osvdb/\\
 \hline
 url&
@@ -10497,7 +13685,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- reference: ,; [reference: ,;]
+ reference:, ; [reference:, ;]
 \end{verbatim}
 \subsubsection{Examples}
@@ -10534,7 +13722,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- gid: ;
+ gid:;
 \end{verbatim}
 \subsubsection{Example}
@@ -10565,7 +13753,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- sid: ;
+ sid:;
 \end{verbatim}
 \subsubsection{Example}
@@ -10587,7 +13775,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- rev: ;
+ rev:;
 \end{verbatim}
 \subsubsection{Example}
@@ -10609,7 +13797,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- classtype: ;
+ classtype:;
 \end{verbatim}
 \subsubsection{Example}
@@ -10760,17 +13948,17 @@
 \subsubsection{Format}
 \begin{verbatim}
- priority: ;
+ priority:;
 \end{verbatim}
 \subsubsection{Examples}
 \begin{verbatim}
- alert TCP any any -> any 80 (msg: "WEB-MISC phf attempt"; flags:A+; \
- content: "/cgi-bin/phf"; priority:10;)
+ alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; \
+ content:"/cgi-bin/phf"; priority:10;)
 alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; \
- dsize: >128; classtype:attempted-admin; priority:10 );
+ dsize:>128; classtype:attempted-admin; priority:10 );
 \end{verbatim}
 \subsection{metadata}
@@ -10826,20 +14014,20 @@
 keys separated by commas.
 \begin{verbatim}
- metadata: key1 value1;
- metadata: key1 value1, key2 value2;
+ metadata:key1 value1;
+ metadata:key1 value1, key2 value2;
 \end{verbatim}
 \subsubsection{Examples}
 \begin{verbatim}
- alert tcp any any -> any 80 (msg: "Shared Library Rule Example"; \
+ alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; \
 metadata:engine shared; metadata:soid 3|12345;)
- alert tcp any any -> any 80 (msg: "Shared Library Rule Example"; \
+ alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; \
 metadata:engine shared, soid 3|12345;)
- alert tcp any any -> any 80 (msg: "HTTP Service Rule Example"; \
+ alert tcp any any -> any 80 (msg:"HTTP Service Rule Example"; \
 metadata:service http;)
 \end{verbatim}
@@ -10941,7 +14129,7 @@
 \subsubsection{Format}
 \begin{verbatim}
- content: [!] "";
+ content:[!]"";
 \end{verbatim}
 \subsubsection{Examples}
@@ -11041,7 +14229,7 @@
 The nocase keyword allows the rule writer to specify that the Snort should look for the specific pattern, ignoring case. nocase modifies the previous
-'content' keyword in the rule.
+\texttt{content} keyword in the rule.
 \subsubsection{Format}
@@ -11062,6 +14250,13 @@
 decoding that was done by preprocessors. This acts as a modifier to the previous content \ref{sub:content} option.
+Several preprocessors, such as Telnet, RPC, and SMTP, use decoded/normalized data for
+content match by default, if \texttt{rawbytes} is not specified explicitly. Therefore,
+\texttt{rawbytes} should be specified in order to inspect raw data for those traffic.
+
+HTTP Inspect has a set of keywords to use raw data, such as
+\texttt{http\_raw\_cookie}, \texttt{http\_raw\_header}, \texttt{http\_raw\_uri} etc.
+
 \subsubsection{format}
 \begin{verbatim}
@@ -11074,7 +14269,7 @@
 instead of the decoded traffic provided by the Telnet decoder.
 \begin{verbatim}
- alert tcp any any -> any 21 (msg: "Telnet NOP"; content: "|FF F1|"; rawbytes;)
+ alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)
 \end{verbatim}
 \subsection{depth}
@@ -11087,16 +14282,20 @@
 A depth of 5 would tell Snort to only look for the specified pattern within the first 5 bytes of the payload.
-As the depth keyword is a modifier to the previous `content' keyword, there
-must be a content in the rule before `depth' is specified.
+As the depth keyword is a modifier to the previous \texttt{content} keyword, there
+must be a content in the rule before \texttt{depth} is specified.
+
+This keyword allows values greater than or equal to the pattern length being
+searched. The minimum allowed value is 1. The maximum allowed value for this
+keyword is 65535.
-This keyword allows values equal to 0 or values greater than or equal to the pattern
-length being searched. The maximum allowed value for this keyword is 65535.
+The value can also be set to a string value referencing a variable extracted by the
+\texttt{byte\_extract} keyword in the same rule.
 \subsubsection{Format}
 \begin{verbatim}
- depth: ;
+ depth:[|];
 \end{verbatim}
 \subsection{offset}
@@ -11109,15 +14308,18 @@ An offset of 5 would tell Snort to start looking for the specified pattern after the first 5 bytes of the payload. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'offset' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{offset} is specified. This keyword allows values from -65535 to 65535. +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. + \subsubsection{Format} \begin{verbatim} - offset: ; + offset:[|]; \end{verbatim} \subsubsection{Example} @@ -11126,7 +14328,7 @@ rule. \begin{verbatim} - alert tcp any any -> any 80 (content: "cgi-bin/phf"; offset:4; depth:20;) + alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;) \end{verbatim} \subsection{distance} @@ -11142,10 +14344,13 @@ This keyword allows values from -65535 to 65535. +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. + \subsubsection{Format} \begin{verbatim} - distance: ; + distance:[|]; \end{verbatim} \subsubsection{Example} @@ -11153,7 +14358,7 @@ The rule below maps to a regular expression of /ABC.\{1\}DEF/. \begin{verbatim} - alert tcp any any -> any any (content:"ABC"; content: "DEF"; distance:1;) + alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;) \end{verbatim} \subsection{within} @@ -11167,10 +14372,13 @@ This keyword allows values greater than or equal to pattern length being searched. The maximum allowed value for this keyword is 65535. +The value can also be set to a string value referencing a variable extracted by the +\texttt{byte\_extract} keyword in the same rule. + \subsubsection{Format} \begin{verbatim} - within: ; + within:[|]; \end{verbatim} \subsubsection{Examples} 
@@ -11178,7 +14386,7 @@ This rule constrains the search of EFG to not go past 10 bytes past the ABC match. \begin{verbatim} - alert tcp any any -> any any (content:"ABC"; content: "EFG"; within:10;) + alert tcp any any -> any any (content:"ABC"; content:"EFG"; within:10;) \end{verbatim} \subsection{http\_client\_body} @@ -11187,7 +14395,7 @@ The http\_client\_body keyword is a content modifier that restricts the search to the body of an HTTP client request. -As this keyword is a modifier to the previous 'content' keyword, there must be +As this keyword is a modifier to the previous \texttt{content} keyword, there must be a content in the rule before 'http\_client\_body' is specified. The amount of data that is inspected with this option depends on the \texttt{post\_depth} @@ -11206,7 +14414,7 @@ an HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_client_body;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_client_body;) \end{verbatim} \begin{note} 
@@ -11218,13 +14426,19 @@ \label{sub:HttpCookie} The http\_cookie keyword is a content modifier that restricts the search to the -extracted Cookie Header field of a HTTP client request or a HTTP server -response (per the configuration of HttpInspect \ref{sub:http-inspect}). +extracted Cookie Header field (excluding the header name itself and the CRLF terminating +the header line) of a HTTP client request or a HTTP server response (per the configuration +of HttpInspect \ref{sub:http-inspect}). The Cookie buffer does not include the header +names (\texttt{Cookie:} for HTTP requests or \texttt{Set-Cookie:} for HTTP responses) +or leading spaces and the CRLF terminating the header line. These are included in the HTTP +header buffer. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_cookie' is specified. This keyword is dependent -on the 'enable\_cookie' config option. The Cookie Header field will be extracted only -when this option is configured. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_cookie} is specified. This keyword is dependent +on the \texttt{enable\_cookie} config option. The Cookie Header field will be extracted only +when this option is configured. If \texttt{enable\_cookie} is not specified, the cookie +still ends up in HTTP header. When \texttt{enable\_cookie} is not specified, using +\texttt{http\_cookie} is the same as using \texttt{http\_header}. The extracted Cookie Header field may be NORMALIZED, per the configuration of HttpInspect (see \ref{sub:http-inspect}). @@ -11241,7 +14455,7 @@ Header field of a HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_cookie;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_cookie;) \end{verbatim} \begin{note} 
@@ -11258,9 +14472,9 @@ extracted UNNORMALIZED Cookie Header field of a HTTP client request or a HTTP server response (per the configuration of HttpInspect \ref{sub:http-inspect}). -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_raw\_cookie' is specified. This keyword is dependent -on the 'enable\_cookie' config option. The Cookie Header field will be extracted only +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_raw\_cookie} is specified. This keyword is dependent +on the \texttt{enable\_cookie} config option. The Cookie Header field will be extracted only when this option is configured. \subsubsection{Format} @@ -11275,7 +14489,7 @@ Cookie Header field of a HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_raw_cookie;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_cookie;) \end{verbatim} \begin{note} @@ -11293,8 +14507,8 @@ extracted Header fields of a HTTP client request or a HTTP server response (per the configuration of HttpInspect \ref{sub:http-inspect}). -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_header' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_header} is specified. The extracted Header fields may be NORMALIZED, per the configuration of HttpInspect (see \ref{sub:http-inspect}). @@ -11311,7 +14525,7 @@ fields of a HTTP client request or a HTTP server response. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_header;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_header;) \end{verbatim} \begin{note} 
@@ -11328,8 +14542,8 @@ extracted UNNORMALIZED Header fields of a HTTP client request or a HTTP server response (per the configuration of HttpInspect \ref{sub:http-inspect}). -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_raw\_header' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_raw\_header} is specified. \subsubsection{Format} @@ -11343,7 +14557,7 @@ of a HTTP client request or a HTTP server response. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_raw_header;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_header;) \end{verbatim} \begin{note} @@ -11360,8 +14574,8 @@ The http\_method keyword is a content modifier that restricts the search to the extracted Method from a HTTP client request. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_method' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_method} is specified. \subsubsection{Format} @@ -11375,13 +14589,13 @@ from a HTTP client request. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "GET"; http_method;) + alert tcp any any -> any 80 (content:"ABC"; content:"GET"; http_method;) \end{verbatim} \begin{note} The \texttt{http\_method} modifier is not allowed to be used with the -\texttt{rawbytes} modifier for the same content. +\texttt{rawbytes} or \texttt{fast\_pattern} modifiers for the same content. \end{note} 
@@ -11393,8 +14607,8 @@ by a http\_uri modifier is the same as using a uricontent by itself (see: \ref{sub:UriContent}). -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_uri' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_uri} is specified. \subsubsection{Format} @@ -11407,7 +14621,7 @@ This rule constrains the search for the pattern "EFG" to the NORMALIZED URI. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_uri;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_uri;) \end{verbatim} \begin{note} @@ -11422,8 +14636,8 @@ The http\_raw\_uri keyword is a content modifier that restricts the search to the UNNORMALIZED request \textsc{URI} field . -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_raw\_uri' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_raw\_uri} is specified. \subsubsection{Format} @@ -11436,7 +14650,7 @@ This rule constrains the search for the pattern "EFG" to the UNNORMALIZED URI. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_raw_uri;) + alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_uri;) \end{verbatim} \begin{note} 
@@ -11452,8 +14666,8 @@ The http\_stat\_code keyword is a content modifier that restricts the search to the extracted Status code field from a HTTP server response. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_stat\_code' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_stat\_code} is specified. The Status Code field will be extracted only if the extended\_reponse\_inspection is configured for the HttpInspect (see \ref{sub:http-inspect}). @@ -11470,7 +14684,7 @@ of a HTTP server response. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "200"; http_stat_code;) + alert tcp any any -> any 80 (content:"ABC"; content:"200"; http_stat_code;) \end{verbatim} \begin{note} @@ -11486,8 +14700,8 @@ The http\_stat\_msg keyword is a content modifier that restricts the search to the extracted Status Message field from a HTTP server response. -As this keyword is a modifier to the previous 'content' keyword, there must be -a content in the rule before 'http\_stat\_msg' is specified. +As this keyword is a modifier to the previous \texttt{content} keyword, there must be +a content in the rule before \texttt{http\_stat\_msg} is specified. The Status Message field will be extracted only if the extended\_reponse\_inspection is configured for the HttpInspect (see \ref{sub:http-inspect}). @@ -11504,7 +14718,7 @@ Message field of a HTTP server response. \begin{verbatim} - alert tcp any any -> any 80 (content:"ABC"; content: "Not Found"; http_stat_msg;) + alert tcp any any -> any 80 (content:"ABC"; content:"Not Found"; http_stat_msg;) \end{verbatim} \begin{note} 
@@ -11521,11 +14735,11 @@ in a HTTP client request or a HTTP server response (per the configuration of HttpInspect \ref{sub:http-inspect}). -There are nine keywords associated with \texttt{http\_encode}. The keywords +There are several keywords associated with \texttt{http\_encode}. The keywords 'uri', 'header' and 'cookie' determine the HTTP fields used to search for a particular encoding type. The keywords 'utf8', 'double\_encode', 'non\_ascii', -'base36', 'uencode' and 'bare\_byte' determine the encoding type which would -trigger the alert. These keywords can be combined using a OR operation. +'uencode', 'iis\_encode', 'ascii' and 'bare\_byte' determine the encoding +type which would trigger the alert. These keywords can be combined using a OR operation. Negation is allowed on these keywords. The config option 'normalize\_headers' needs to be turned on for rules to work @@ -11553,22 +14767,21 @@ \hline \texttt{non\_ascii} & Check for non-ASCII encoding in the specified buffer\\ \hline -\texttt{base36} & Check for base36 encoding in the specified buffer\\ -\hline \texttt{uencode} & Check for u-encoding in the specified buffer\\ \hline \texttt{bare\_byte} & Check for bare byte encoding in the specified buffer\\ \hline -\hline \texttt{ascii} & Check for ascii encoding in the specified buffer\\ \hline +\texttt{iis\_encode} & Check for IIS Unicode encoding in the specified buffer\\ +\hline \end{tabular} \subsubsection{Format} \begin{verbatim} - http_encode: , [!] - http_encode: [uri|header|cookie], [!][]; + http_encode:, [!] + http_encode:[uri|header|cookie], [!][]; \end{verbatim} \subsubsection{Examples} 
@@ -11611,11 +14824,8 @@ \begin{note} The \texttt{fast\_pattern} modifier cannot be used with the following http content modifiers: \texttt{http\_cookie}, \texttt{http\_raw\_uri}, -\texttt{http\_raw\_header}, \texttt{http\_raw\_cookie}, -\texttt{http\_stat\_code}, \texttt{http\_stat\_msg}. Note, however, that -it is okay to use the \texttt{fast\_pattern} modifier if another http content -modifier not mentioned above is used in combination with one of the above -to modify the same content. +\texttt{http\_raw\_header}, \texttt{http\_raw\_cookie}, \texttt{http\_method}, +\texttt{http\_stat\_code}, \texttt{http\_stat\_msg}. \end{note} \begin{note} @@ -11687,10 +14897,11 @@ \label{sub:UriContent} The \texttt{uricontent} keyword in the Snort rule language searches the -NORMALIZED request \textsc{URI} field. This means that if you are writing -rules that include things that are normalized, such as \%2f or directory -traversals, these rules will not alert. The reason is that the things you are -looking for are normalized out of the URI buffer. +NORMALIZED request \textsc{URI} field. This is equivalent to using the +\texttt{http\_uri} modifier to a \texttt{content} keyword. As such if you +are writing rules that include things that are normalized, such as \%2f or +directory traversals, these rules will not alert. The reason is that the +things you are looking for are normalized out of the URI buffer. For example, the URI: 
@@ -11723,8 +14934,42 @@ You can write rules that look for the non-normalized content by using the content option. (See Section \ref{sub:content}) -For a description of the parameters to this function, see the content rule -options in Section \ref{sub:content}. +\texttt{uricontent} can be used with several of the modifiers available to the +\texttt{content} keyword. These include: + +\begin{table}[h] +\begin{center} +\caption{Uricontent Modifiers} +\label{Uricontent Modifiers} +\begin{tabular}{|p{1in}|p{1in}|} + +\hline +Modifier & Section \\ +\hline + +\hline +nocase & \ref{sub:nocase} \\ + +\hline +depth & \ref{sub:depth} \\ + +\hline +offset & \ref{sub:offset} \\ + +\hline +distance & \ref{sub:Distance} \\ + +\hline +within & \ref{sub:Within} \\ + +\hline +fast\_pattern & \ref{sub:FastPattern} \\ + +\hline +\end{tabular} +\end{center} +\end{table} + This option works in conjunction with the HTTP Inspect preprocessor specified in Section \ref{sub:http-inspect}. @@ -11732,12 +14977,15 @@ \subsubsection{Format} \begin{verbatim} - uricontent:[!]; + uricontent:[!]""; \end{verbatim} \begin{note} -\texttt{uricontent} cannot be modified by a \texttt{rawbytes} modifier. +\texttt{uricontent} cannot be modified by a \texttt{rawbytes} modifier or any +of the other HTTP modifiers. If you wish to search the UNNORMALIZED +request \textsc{URI} field, use the \texttt{http\_raw\_uri} modifier with a +\texttt{content} option. \end{note} 
@@ -11745,32 +14993,50 @@ The \texttt{urilen} keyword in the Snort rule language specifies the exact length, the minimum length, the maximum length, or range of URI lengths to -match. +match. By default the raw uri buffer will be used. With the optional +\texttt{} argument, you can specify whether the raw or normalized +buffer are used. \subsubsection{Format} \begin{verbatim} - urilen: int<>int; - urilen: [<,>] ; + urilen:min<>max[,]; + urilen:[<|>][,]; + + : "norm" | "raw" \end{verbatim} The following example will match URIs that are 5 bytes long: \begin{verbatim} - urilen: 5 + urilen:5; \end{verbatim} The following example will match URIs that are shorter than 5 bytes: \begin{verbatim} - urilen: < 5 + urilen:<5; \end{verbatim} The following example will match URIs that are greater than 5 bytes and less than 10 bytes: \begin{verbatim} - urilen: 5<>10 + urilen:5<>10; +\end{verbatim} + +The following example will match URIs that are greater than 500 bytes using the +normalized URI buffer: + +\begin{verbatim} + urilen:>500,norm; +\end{verbatim} + +The following example will match URIs that are greater than 500 bytes explicitly +stating to use the raw URI buffer: + +\begin{verbatim} + urilen:>500,raw; \end{verbatim} This option works in conjunction with the HTTP Inspect preprocessor specified @@ -11784,7 +15050,7 @@ \subsubsection{Format} \begin{verbatim} - isdataat:[!] [,relative|rawbytes]; + isdataat:[!][, relative|rawbytes]; \end{verbatim} \subsubsection{Example} 
@@ -11909,13 +15175,16 @@ \hline P & -Match unnormalized HTTP request body (Similar to \texttt{http\_client\_body}) \\ +Match unnormalized HTTP request body (Similar to \texttt{http\_client\_body}).\\ + + & For SIP message, match SIP body for request or response (Similar to \texttt{sip\_body}). \\ \hline H & Match normalized HTTP request or HTTP response header (Similar to \texttt{http\_header}). This modifier is not allowed with the unnormalized HTTP request or HTTP response header modifier(D) for the same content. \\ + & For SIP message, match SIP header for request or response (Similar to \texttt{sip\_header}). \\ \hline D & 
@@ -11983,43 +15252,80 @@ \end{note} +\subsection{pkt\_data} +\label{sub:pkt_data} +This option sets the cursor used for detection to the raw transport payload. + +Any relative or absolute content matches (without HTTP modifiers or rawbytes) and other +payload detecting rule options that follow \texttt{pkt\_data} in a rule will apply to the +raw TCP/UDP payload or the normalized buffers (in case of telnet, smtp normalization) until +the cursor (used for detection) is set again. + +This rule option can be used several times in a rule. + +\subsubsection{Format} + +\begin{verbatim} + pkt_data; +\end{verbatim} + +\subsubsection{Example} + +\begin{verbatim} + + alert tcp any any -> any any(msg:"Absolute Match"; pkt_data; content:"BLAH"; offset:0; depth:10;) + alert tcp any any -> any any(msg:"PKT DATA"; pkt_data; content:"foo"; within:10;) + alert tcp any any -> any any(msg:"PKT DATA"; pkt_data; content:"foo";) + alert tcp any any -> any any(msg:"PKT DATA"; pkt_data; pcre:"/foo/i";) + +\end{verbatim} + \subsection{file\_data} \label{sub:file_data} -This option is used to place the cursor (used to walk the packet payload in -rules processing) at the beginning of either the entity body of a HTTP -response or the SMTP body data. For this option to work with HTTP response, -certain HTTP Inspect options such as \texttt{extended\_response\_inspection} -and \texttt{inspect\_gzip} (for decompressed gzip data) needs to be turned on. -See \ref{sub:http-inspect} for more details. - -When used with argument \texttt{mime} it places the cursor at the beginning -of the base64 decoded MIME attachment or base64 decoded MIME body. This is -dependent on the SMTP config option \texttt{enable\_mime\_decoding}. See -\ref{SMTP} for more details. +This option sets the cursor used for detection to one of the following buffers: +1. When the traffic being detected is HTTP it sets the buffer to, + a. HTTP response body (without chunking/compression/normalization) + b. 
HTTP de-chunked response body + c. HTTP decompressed response body (when \texttt{inspect\_gzip} is turned on) + d. HTTP normalized response body (when \texttt{normalized\_javascript} is turned on) + e. HTTP UTF normalized response body (when \texttt{normalize\_utf} is turned on) + f. All of the above +2. When the traffic being detected is SMTP/POP/IMAP it sets the buffer to, + a. SMTP/POP/IMAP data body (including Email headers and MIME when decoding + is turned off) + b. Base64 decoded MIME attachment (when \texttt{b64\_decode\_depth} is greater than -1) + c. 7bit/8bit/binary/text MIME attachment (when \texttt{bitenc\_decode\_depth} is greater than -1) + d. Quoted-Printable decoded MIME attachment (when \texttt{qp\_decode\_depth} is greater than -1) + e. Unix-to-Unix decoded attachment (when \texttt{uu\_decode\_depth} is greater than -1) + +Any relative or absolute content matches (without HTTP modifiers or rawbytes) and payload detecting +rule options that follow \texttt{file\_data} in a rule will apply to this buffer until explicitly reset +by other rule options. + +This rule option can be used several time in a rule. + +The argument \texttt{mime} to \texttt{file\_data} is deprecated. The rule options \texttt{file\_data} will +itself point to the decoded MIME attachment. \subsubsection{Format} \begin{verbatim} file_data; - file_data:mime; \end{verbatim} -This option matches if there is HTTP response body or SMTP body or SMTP MIME base64 decoded -data. This option will operate similarly to the \texttt{dce\_stub\_data} option added with DCE/RPC2, -in that it simply sets a reference for other relative rule options ( byte test, byte jump, pcre) -to use. This \texttt{file\_data} can point to either a file or a block of data. - -\begin{note} -Multiple base64 encoded attachments in one packet are pipelined. 
-\end{note} - \subsubsection{Example} \begin{verbatim} - alert tcp any 80 -> any any(msg:"foo at the start of http response body"; \ - file_data; content:"foo"; nocase; within:3;) - alert tcp any any -> any any(msg:"MIME BASE64 Encoded Data";\ - file_data:mime; content:"foo"; within:10;) + alert tcp any any -> any any(msg:"Absolute Match"; file_data; content:"BLAH"; offset:0; depth:10;) + alert tcp any any -> any any(msg:"FILE DATA"; file_data; content:"foo"; within:10;) + alert tcp any any -> any any(msg:"FILE DATA"; file_data; content:"foo";) + alert tcp any any -> any any(msg:"FILE DATA"; file_data; pcre:"/foo/i";) + + The following rule searches for content "foo" within the file_data buffer and content "bar" within the + entire packet payload. The rule option pkt_data will reset the cursor used for detection to the + TCP payload. + alert tcp any any -> any any(msg:"FILE DATA"; file_data; content:"foo"; pkt_data; content:"bar";) + \end{verbatim} @@ -12033,7 +15339,7 @@ \subsubsection{Format} \begin{verbatim} - base64_decode[: [bytes ][, ][offset [, relative]]] + base64_decode[:[bytes ][, ][offset [, relative]]]; \end{verbatim} \begin{tabular}{| l | p{4.5in} |} @@ -12070,7 +15376,7 @@ or both without a following space or tab. This option needs to be used in conjunction with \texttt{base64\_data} for any other -relative rule options to work on base64 decoded buffer. +payload detecting rule options to work on base64 decoded buffer. \end{note} \subsubsection{Examples} 
@@ -12082,19 +15388,20 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any \ (msg:"Authorization NTLM"; content:"Authorization: NTLM"; - base64_decode:relative; base64_data; content:"NTLMSSP"; \ - within:20;) + base64_decode:relative; base64_data; content:"NTLMSSP"; ) alert tcp any any -> any any (msg:"Authorization NTLM"; \ content:"Authorization:"; http_header; \ - base64_decode: bytes 12, offset 6,relative ; base64_data; \ - content:"NTLMSSP";within:8; ) + base64_decode:bytes 12, offset 6, relative; base64_data; \ + content:"NTLMSSP"; within:8;) \end{verbatim} \subsection{base64\_data} \label{sub:base64_data} -This option is used to place the cursor (used to walk the packet payload in -rules processing) at the beginning of the base64 decode buffer if present. +This option is similar to the rule option \texttt{file\_data} and is used +to set the corsor used for detection to the beginning of the base64 decoded +buffer if present. + This option does not take any arguments. The rule option \texttt{base64\_decode} needs to be specified before the \texttt{base64\_data} option. @@ -12104,13 +15411,9 @@ base64_data; \end{verbatim} -This option matches if there is base64 decoded buffer. This option will operate -similarly to the \texttt{file\_data} option, in that it simply sets a reference -for other relative rule options ( byte test, byte jump, pcre) to use. +This option matches if there is base64 decoded buffer. \begin{note} -Any non-relative rule options in the rule will reset the cursor(doe\_ptr) from -base64 decode buffer. Fast pattern content matches are not allowed with this buffer. \end{note} @@ -12121,8 +15424,8 @@ \begin{verbatim} alert tcp any any -> any any (msg:"Authorization NTLM"; \ content:"Authorization:"; http_header; \ - base64_decode: bytes 12, offset 6,relative ; base64_data; \ - content:"NTLMSSP";within:8; ) + base64_decode:bytes 12, offset 6, relative; base64_data; \ + content:"NTLMSSP"; within:8;) \end{verbatim} 
@@ -12140,12 +15443,12 @@ \footnotesize \begin{verbatim} - byte_test: , [!], , \ - [,relative] [,] [,, string]; + byte_test:, [!], , \ + [, relative][, ][, string, ][, dce]; - convert = 1 - 10 + bytes = 1 - 10 operator = '<' | '=' | '>' | '&' | '^' - value = 0-4294967295 + value = 0 - 4294967295 offset = -65535 to 65535 \end{verbatim} @@ -12165,7 +15468,6 @@ \item \textless{} - less than \item \textgreater{} - greater than \item = - equal -\item ! - not \item \& - bitwise AND \item \textasciicircum{} - bitwise OR \end{itemize}\\ @@ -12203,8 +15505,7 @@ Any of the operators can also include \emph{!} to check if the operator is not true. If \emph{!} is specified without an operator, then the operator is set -to \emph{=}. Please note that the \emph{!} operator cannot be used with itself. -For example, \emph{!!} is not allowed. +to \emph{=}. \begin{note} 
@@ -12218,36 +15519,36 @@ \begin{verbatim} alert udp $EXTERNAL_NET any -> $HOME_NET any \ - (msg:"AMD procedure 7 plog overflow "; \ - content: "|00 04 93 F3|"; \ - content: "|00 00 00 07|"; distance: 4; within: 4; \ - byte_test: 4,>, 1000, 20, relative;) + (msg:"AMD procedure 7 plog overflow"; \ + content:"|00 04 93 F3|"; \ + content:"|00 00 00 07|"; distance:4; within:4; \ + byte_test:4, >, 1000, 20, relative;) alert tcp $EXTERNAL_NET any -> $HOME_NET any \ - (msg:"AMD procedure 7 plog overflow "; \ - content: "|00 04 93 F3|"; \ - content: "|00 00 00 07|"; distance: 4; within: 4; \ - byte_test: 4, >,1000, 20, relative;) + (msg:"AMD procedure 7 plog overflow"; \ + content:"|00 04 93 F3|"; \ + content:"|00 00 00 07|"; distance:4; within:4; \ + byte_test:4, >, 1000, 20, relative;) alert udp any any -> any 1234 \ - (byte_test: 4, =, 1234, 0, string, dec; \ - msg: "got 1234!";) + (byte_test:4, =, 1234, 0, string, dec; \ + msg:"got 1234!";) alert udp any any -> any 1235 \ - (byte_test: 3, =, 123, 0, string, dec; \ - msg: "got 123!";) + (byte_test:3, =, 123, 0, string, dec; \ + msg:"got 123!";) alert udp any any -> any 1236 \ - (byte_test: 2, =, 12, 0, string, dec; \ - msg: "got 12!";) + (byte_test:2, =, 12, 0, string, dec; \ + msg:"got 12!";) alert udp any any -> any 1237 \ - (byte_test: 10, =, 1234567890, 0, string, dec; \ - msg: "got 1234567890!";) + (byte_test:10, =, 1234567890, 0, string, dec; \ + msg:"got 1234567890!";) alert udp any any -> any 1238 \ - (byte_test: 8, =, 0xdeadbeef, 0, string, hex; \ - msg: "got DEADBEEF!";) + (byte_test:8, =, 0xdeadbeef, 0, string, hex; \ + msg:"got DEADBEEF!";) \end{verbatim} \subsection{byte\_jump} 
@@ -12270,14 +15571,15 @@ \subsubsection{Format} \begin{verbatim} - byte_jump: , \ - [,relative] [,multiplier ] [,big] [,little][,string]\ - [,hex] [,dec] [,oct] [,align] [,from_beginning] [,post_offset ]; - - convert = 1 - 10 - operator = '<' | '=' | '>' | '&' | '^' - value = 0-4294967295 - offset = -65535 to 65535 + byte_jump:, \ + [, relative][, multiplier ][, ][, string, ]\ + [, align][, from_beginning][, post_offset ][, dce]; + + bytes = 1 - 10 + offset = -65535 to 65535 + mult_value = 0 - 65535 + post_offset = -65535 to 65535 + \end{verbatim} \begin{tabular}{| l | p{4.5in} |} @@ -12327,11 +15629,11 @@ \subsubsection{Example} \begin{verbatim} - alert udp any any -> any 32770:34000 (content: "|00 01 86 B8|"; \ - content: "|00 00 00 01|"; distance: 4; within: 4; \ - byte_jump: 4, 12, relative, align; \ - byte_test: 4, >, 900, 20, relative; \ - msg: "statd format string buffer overflow";) + alert udp any any -> any 32770:34000 (content:"|00 01 86 B8|"; \ + content:"|00 00 00 01|"; distance:4; within:4; \ + byte_jump:4, 12, relative, align; \ + byte_test:4, >, 900, 20, relative; \ + msg:"statd format string buffer overflow";) \end{verbatim} \subsection{byte\_extract} @@ -12352,9 +15654,9 @@ \subsubsection{Format} \begin{verbatim} - byte_extract: , , \ - [,relative] [,multiplier ] [,big] [,little] [,dce]\ - [,string] [,hex] [,dec] [,oct] [,align ] + byte_extract:, , \ + [, relative][, multiplier ][, ]\ + [, string][, hex][, dec][, oct][, align ][, dce] \end{verbatim} \begin{tabular}{| l | p{4.5in} |} 
@@ -12406,15 +15708,13 @@ {\bf Rule Option} & {\bf Arguments that Take Variables}\\ \hline \hline -\texttt{content} & \texttt{offset}, \texttt{depth}, \texttt{distance}, -\texttt{within}\\ +\texttt{content}/\texttt{uricontent} & \texttt{offset}, \texttt{depth}, +\texttt{distance}, \texttt{within}\\ \hline \texttt{byte\_test} & \texttt{offset}, \texttt{value}\\ \hline \texttt{byte\_jump} & \texttt{offset}\\ \hline -\texttt{byte\_extract} & \texttt{offset}\\ -\hline \texttt{isdataat} & \texttt{offset}\\ \hline \end{tabular} @@ -12429,10 +15729,10 @@ \end{itemize} \begin{verbatim} - alert tcp any any -> any any (byte_extract: 1, 0, str_offset; \ - byte_extract: 1, 1, str_depth; \ - content: "bad stuff"; offset: str_offset; depth: str_depth; \ - msg: "Bad Stuff detected within field";) + alert tcp any any -> any any (byte_extract:1, 0, str_offset; \ + byte_extract:1, 1, str_depth; \ + content:"bad stuff"; offset:str_offset; depth:str_depth; \ + msg:"Bad Stuff detected within field";) \end{verbatim} \subsection{ftpbounce} @@ -12471,7 +15771,7 @@ \subsubsection{Format} \begin{verbatim} - asn1: option[ argument][, option[ argument]] . . . + asn1:[bitstring_overflow][, double_overflow][, oversize_length ][, absolute_offset |relative_offset ]; \end{verbatim} \begin{tabular}{| l | p{4.5in} |} @@ -12514,7 +15814,7 @@ This is the relative offset from the last content match or byte\_test/jump. \texttt{relative\_offset} has one argument, the offset number. So if you wanted to start decoding and ASN.1 sequence right after the content ``foo'', -you would specify \verb!'content:"foo"; asn1: bitstring_overflow, relative_offset 0'!. +you would specify \verb!'content:"foo"; asn1:bitstring_overflow, relative_offset 0'!. Offset values may be positive or negative. \\ \hline 
@@ -12524,10 +15824,10 @@ \begin{verbatim} alert udp any any -> any 161 (msg:"Oversize SNMP Length"; \ - asn1: oversize_length 10000, absolute_offset 0;) + asn1:oversize_length 10000, absolute_offset 0;) alert tcp any any -> any 80 (msg:"ASN1 Relative Foo"; content:"foo"; \ - asn1: bitstring_overflow, relative_offset 0;) + asn1:bitstring_overflow, relative_offset 0;) \end{verbatim} \subsection{cvs} @@ -12587,6 +15887,41 @@ See the DCE/RPC 2 Preprocessor section \ref{sub:dcerpc2} for a description and examples of using this rule option. +\subsection{sip\_method} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{sip\_stat\_code} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{sip\_header} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{sip\_body} + +See the SIP Preprocessor section \ref{sub:sip} for a description and +examples of using this rule option. + +\subsection{gtp\_type} + +See the GTP Preprocessor section \ref{sub:gtp} for a description and +examples of using this rule option. + +\subsection{gtp\_info} + +See the GTP Preprocessor section \ref{sub:gtp} for a description and +examples of using this rule option. + +\subsection{gtp\_version} + +See the GTP Preprocessor section \ref{sub:gtp} for a description and +examples of using this rule option. + %\subsection{content-list} % %The content-list keyword is broken and should not be used. 
@@ -12736,6 +16071,41 @@ See the DCE/RPC 2 Preprocessor section \ref{dcerpc2:dce_stub_data}. \\ \hline +\texttt{sip\_method} & + +See the SIP Preprocessor section \ref{sub:sip}. \\ + +\hline +\texttt{sip\_stat\_code} & + +See the SIP Preprocessor section \ref{sub:sip}.\\ + +\hline +\texttt{sip\_header} & + +See the SIP Preprocessor section \ref{sub:sip}.\\ + +\hline +\texttt{sip\_body} & + +See the SIP Preprocessor section \ref{sub:sip}.\\ + +\hline +\texttt{gtp\_type} & + +See the GTP Preprocessor section \ref{sub:gtp}.\\ + +\hline +\texttt{gtp\_info} & + +See the GTP Preprocessor section \ref{sub:gtp}.\\ + +\hline +\texttt{gtp\_version} & + +See the GTP Preprocessor section \ref{sub:gtp}.\\ + +\hline \end{longtable} \end{center} @@ -12758,7 +16128,7 @@ \begin{verbatim} alert ip any any -> any any \ - (msg: "First Fragment"; fragbits: M; fragoffset: 0;) + (msg:"First Fragment"; fragbits:M; fragoffset:0;) \end{verbatim} \subsection{ttl} @@ -12770,7 +16140,8 @@ \subsubsection{Format} \begin{verbatim} - ttl:[[-]><=]; + ttl:[<, >, =, <=, >=]; + ttl:[]-[]; \end{verbatim} \subsubsection{Example} @@ -12869,7 +16240,8 @@ \item [ts] - Time Stamp \item [sec] - IP Security \item [esec] - IP Extended Security -\item [lsrr] - Loose Source Routing +\item [lsrr] - Loose Source Routing +\item [lsrre] - Loose Source Routing (For MS99-038 and CVE-1999-0909) \item [ssrr] - Strict Source Routing \item [satid] - Stream identifier \item [any] - any IP options are set @@ -12881,7 +16253,7 @@ \subsubsection{Format} \begin{verbatim} - ipopts:; + ipopts:; \end{verbatim} \subsubsection{Example} 
@@ -12935,13 +16307,13 @@ \subsection{dsize} The dsize keyword is used to test the packet payload size. This may be used to -check for abnormally sized packets. In many cases, it is useful for detecting -buffer overflows. +check for abnormally sized packets that might cause buffer overflows. \subsubsection{Format} \begin{verbatim} - dsize: [<>][<>]; + dsize:min<>max; + dsize:[<|>]; \end{verbatim} \subsubsection{Example} @@ -12954,8 +16326,10 @@ \subsubsection{Warning} -dsize will fail on stream rebuilt packets, regardless of the size of the -payload. +Note that segmentation makes dsize less reliable for TCP based protocols such +as HTTP. Furthermore, dsize will fail on stream rebuilt packets, regardless of +the size of the payload, unless protocol aware flushing (PAF) marks this packet +as the start of a message. \subsection{flags} @@ -12964,14 +16338,14 @@ The following bits may be checked: \begin{description} -\item [F] - FIN (LSB in TCP Flags byte) -\item [S] - SYN -\item [R] - RST -\item [P] - PSH -\item [A] - ACK -\item [U] - URG -\item [1] - Reserved bit 1 (MSB in TCP Flags byte) -\item [2] - Reserved bit 2 +\item [F] - FIN - Finish (LSB in TCP Flags byte) +\item [S] - SYN - Synchronize sequence numbers +\item [R] - RST - Reset +\item [P] - PSH - Push +\item [A] - ACK - Acknowledgment +\item [U] - URG - Urgent +\item [C] - CWR - Congestion Window Reduced (MSB in TCP Flags byte) +\item [E] - ECE - ECN-Echo (If SYN, then ECN capable. Else, CE flag in IP header is set) \item [0] - No TCP Flags Set \end{description} 
@@ -12984,26 +16358,34 @@ \end{description} To handle writing rules for session initiation packets such as ECN where a SYN -packet is sent with the previously reserved bits 1 and 2 set, an option mask -may be specified. A rule could check for a flags value of S,12 if one wishes to +packet is sent with CWR and ECE set, an option mask +may be specified. A rule could check for a flags value of S,CE if one wishes to find packets with just the syn bit, regardless of the values of the reserved bits. \subsubsection{Format} \begin{verbatim} - flags:[!|*|+][,]; + flags:[!|*|+][,]; \end{verbatim} \subsubsection{Example} -This example checks if just the SYN and the FIN bits are set, ignoring reserved -bit 1 and reserved bit 2. +This example checks if just the SYN and the FIN bits are set, ignoring CWR (reserved +bit 1) and ECN (reserved bit 2). \begin{verbatim} - alert tcp any any -> any any (flags:SF,12;) + alert tcp any any -> any any (flags:SF,CE;) \end{verbatim} + +\begin{note} +The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, +to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". +The old values of '1' and '2' are still valid for the \texttt{flag} keyword, but +are now deprecated. + +\end{note} \subsection{flow} \label{flow section} @@ -13015,7 +16397,7 @@ related to \$HOME\_NET clients viewing web pages to be distinguished from servers running in the \$HOME\_NET. -The established keyword will replace the \texttt{flags: A+} used in many places +The established keyword will replace the \texttt{flags:+A} used in many places to show established TCP connections. \subsubsection*{Options} 
@@ -13035,6 +16417,8 @@ \hline \texttt{established} & Trigger only on established TCP connections\\ \hline +\texttt{not\_established} & Trigger only when no TCP connection is established\\ +\hline \texttt{stateless} & Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash)\\ \hline @@ -13044,14 +16428,19 @@ \texttt{only\_stream} & Only trigger on rebuilt stream packets\\ \hline +\texttt{no\_frag} & Do not trigger on rebuilt frag packets\\ +\hline +\texttt{only\_frag} & Only trigger on rebuilt frag packets\\ +\hline \end{tabular} \subsubsection{Format} \begin{verbatim} - flow: [(established|stateless)] + flow:[(established|not_established|stateless)] [,(to_client|to_server|from_client|from_server)] - [,(no_stream|only_stream)]; + [,(no_stream|only_stream)] + [,(no_frag|only_frag)]; \end{verbatim} \subsubsection{Examples} @@ -13060,7 +16449,7 @@ alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"cd incoming detected"; \ flow:from_client; content:"CWD incoming"; nocase;) - alert tcp !$HOME_NET 0 -> $HOME_NET 0 (msg: "Port 0 TCP traffic"; \ + alert tcp !$HOME_NET 0 -> $HOME_NET 0 (msg:"Port 0 TCP traffic"; \ flow:stateless;) \end{verbatim} @@ -13102,12 +16491,14 @@ \hline \texttt{noalert} & Cause the rule to not generate an alert, regardless of the rest of the detection options.\\ \hline +\texttt{reset} & Reset all states on a given flow.\\ +\hline \end{tabular} \subsubsection{Format} \begin{verbatim} - flowbits: [set|unset|toggle|isset|reset|noalert][,][,]; + flowbits:[set|unset|toggle|isset|isnotset|noalert|reset][, ][, ]; \end{verbatim} \subsubsection{Examples} @@ -13147,7 +16538,7 @@ \subsubsection{Format} \begin{verbatim} - ack: ; + ack:; \end{verbatim} \subsubsection{Example} @@ -13183,7 +16574,8 @@ \subsubsection{Format} \begin{verbatim} - itype:[<|>][<>]; + itype:min<>max; + itype:[<|>]; \end{verbatim} \subsubsection{Example} 
@@ -13201,7 +16593,8 @@ \subsubsection{Format} \begin{verbatim} - icode: [<|>][<>]; + icode:min<>max; + icode:[<|>]; \end{verbatim} \subsubsection{Example} @@ -13209,7 +16602,7 @@ This example looks for an ICMP code greater than 30. \begin{verbatim} - code:>30; + icode:>30; \end{verbatim} \subsection{icmp\_id} @@ -13266,7 +16659,7 @@ \subsubsection{Format} \begin{verbatim} - rpc: , [|*], [|*]>; + rpc:, [|*], [|*]>; \end{verbatim} \subsubsection{Example} @@ -13274,7 +16667,7 @@ The following example looks for an RPC portmap GETPORT request. \begin{verbatim} - alert tcp any any -> any 111 (rpc: 100000,*,3;); + alert tcp any any -> any 111 (rpc:100000, *, 3;); \end{verbatim} \subsubsection{Warning} @@ -13336,7 +16729,7 @@ \subsubsection{Format} \begin{verbatim} - stream_reassemble:, [,noalert] [,fastpath] + stream_reassemble:, [, noalert][, fastpath]; \end{verbatim} \begin{itemize} @@ -13352,7 +16745,7 @@ HTTP 200 Ok Response message, use: \begin{verbatim} - alert tcp any 80 -> any any (flow:to_client,established; content:"200 OK"; + alert tcp any 80 -> any any (flow:to_client, established; content:"200 OK"; stream_reassemble:disable,client,noalert;) \end{verbatim} @@ -13371,7 +16764,7 @@ \subsubsection{Format} \begin{verbatim} - stream_size:,, + stream_size:, , ; \end{verbatim} Where the operator is one of the following: @@ -13380,7 +16773,7 @@ \item $<$ - less than \item $>$ - greater than \item = - equal -\item != - not +\item != - not equal \item $<$= - less than or equal \item $>$= - greater than or equal \end{itemize} 
@@ -13533,17 +16926,18 @@ many cases where seeing what users are typing in telnet, rlogin, ftp, or even web sessions is very useful. -There are two available argument keywords for the session rule option, -printable or all. The printable keyword only prints out data that the user -would normally see or be able to type. +There are three available argument keywords for the session rule option: +\texttt{printable}, \texttt{binary}, or \texttt{all}. -The all keyword substitutes non-printable characters with their hexadecimal -equivalents. +The \texttt{printable} keyword only prints out data that the user +would normally see or be able to type. The \texttt{binary} keyword prints out data in a +binary format. The \texttt{all} keyword substitutes non-printable characters with +their hexadecimal equivalents. \subsubsection{Format} \begin{verbatim} - session: [printable|all]; + session:[printable|binary|all]; \end{verbatim} \subsubsection{Example} @@ -13554,11 +16948,22 @@ log tcp any any <> any 23 (session:printable;) \end{verbatim} +Given an FTP data session on port 12345, this example logs the payload bytes +in binary form. + +\begin{verbatim} + log tcp any any <> any 12345 (metadata:service ftp-data; session:binary;) +\end{verbatim} + \subsubsection{Warnings} Using the session keyword can slow Snort down considerably, so it should not be used in heavy load situations. The session keyword is best suited for -post-processing binary (pcap) log files. +post-processing binary (pcap) log files. + +The \texttt{binary} keyword does not log any protocol headers below the +application layer, and Stream reassembly will cause duplicate data when +the reassembled packets are logged. \subsection{resp} @@ -13587,7 +16992,7 @@ \subsubsection{Format} \begin{verbatim} - tag: , , , [direction]; + tag:, , [, direction]; \end{verbatim} \begin{description}{} 
@@ -13635,8 +17040,9 @@ reset. \begin{verbatim} - alert tcp any any <> 10.1.1.1 any (flowbits:isnotset,tagged; - flowbits:set,tagged; tag:host,600,seconds,src;) + alert tcp any any <> 10.1.1.1 any \ + (flowbits:isnotset,tagged; content:"foobar"; nocase; \ + flowbits:set,tagged; tag:host,600,seconds,src;) \end{verbatim} Also note that if you have a tag option in a rule that uses a metric other than @@ -13666,7 +17072,7 @@ (whichever comes first) of any telnet session. \begin{verbatim} - alert tcp any any -> any 23 (flags:s,12; tag:session,10,seconds;) + alert tcp any any -> any 23 (flags:S,CE; tag:session,10,seconds;) \end{verbatim} \subsection{activates} @@ -13678,7 +17084,7 @@ \subsubsection{Format} \begin{verbatim} - activates: 1; + activates:1; \end{verbatim} \subsection{activated\_by} @@ -13690,7 +17096,7 @@ \subsubsection{Format} \begin{verbatim} - activated_by: 1; + activated_by:1; \end{verbatim} \subsection{count} @@ -13703,7 +17109,7 @@ \subsubsection{Format} \begin{verbatim} - activated_by: 1; count: 50; + activated_by:1; count:50; \end{verbatim} \subsection{replace} @@ -13715,7 +17121,7 @@ can have multiple replacements within a rule, one per content. \begin{verbatim} - replace: ; + replace:""; \end{verbatim} \subsection{detection\_filter} @@ -13776,7 +17182,7 @@ msg:"SSH Brute Force Attempt"; flow:established,to_server; \ content:"SSH"; nocase; offset:0; depth:4; \ - detection_filter: track by_src, count 30, seconds 60; \ + detection_filter:track by_src, count 30, seconds 60; \ sid:1000001; rev:1;) \end{verbatim} 
@@ -13935,8 +17341,8 @@ alert tcp $external_net any -> $http_servers $http_ports \ (msg:"web-misc robots.txt access"; flow:to_server, established; \ uricontent:"/robots.txt"; nocase; reference:nessus,10302; \ - classtype:web-application-activity; threshold: type limit, track \ - by_src, count 1 , seconds 60 ; sid:1000852; rev:1;) + classtype:web-application-activity; threshold:type limit, track \ + by_src, count 1 , seconds 60; sid:1000852; rev:1;) \end{verbatim} This rule logs every 10th event on this SID during a 60 second interval. So if @@ -13947,7 +17353,7 @@ alert tcp $external_net any -> $http_servers $http_ports \ (msg:"web-misc robots.txt access"; flow:to_server, established; \ uricontent:"/robots.txt"; nocase; reference:nessus,10302; \ - classtype:web-application-activity; threshold: type threshold, \ + classtype:web-application-activity; threshold:type threshold, \ track by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;) \end{verbatim} @@ -13958,8 +17364,8 @@ alert tcp $external_net any -> $http_servers $http_ports \ (msg:"web-misc robots.txt access"; flow:to_server, established; \ uricontent:"/robots.txt"; nocase; reference:nessus,10302; \ - classtype:web-application-activity; threshold: type both , track \ - by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;) + classtype:web-application-activity; threshold:type both, track \ + by_dst, count 10, seconds 60; sid:1000852; rev:1;) \end{verbatim} \section{Writing Good Rules} 
@@ -14903,20 +18309,45 @@ \subsection{Preprocessors} -Each dynamic preprocessor library must define the following functions. These -are defined in the file \texttt{sf\_dynamic\_preproc\_lib.c}. The metadata and -setup function for the preprocessor should be defined -\texttt{sf\_preproc\_info.h}. +Each dynamic preprocessor must define the following items. These must be defined +in the global scope of a source file (e.g. spp\_example.c). \begin{itemize} -\item {\em int LibVersion(DynamicPluginMeta *)} +\item {\em const int MAJOR\_VERSION} -This function returns the metadata for the shared library. +This specifies the major version of the preprocessor. + +\item {\em const int MINOR\_VERSION} + +This specifies the minor version of the preprocessor. + +\item {\em const int BUILD\_VERSION} + +This specifies the build version of the preprocessor. + +\item {\em const char *PREPROC\_NAME} -\item {\em int InitializePreprocessor(DynamicPreprocessorData *)} +This specifies the display name of the preprocessor. -This function initializes the data structure for use by the preprocessor into a -library global variable, \texttt{\_dpd} and invokes the setup function. +\item {\em void DYNAMIC\_PREPROC\_SETUP(void)} + +This function is called to register the preprocessor to be called with packets data. + +\end{itemize} + +The preprocessor must be built with the same macros defined as the Snort binary and +linked with the dynamic preprocessor library that was created during the Snort build. +A package configuration file is exported as part of the Snort build and can be accessed +using the following commands with PKG\_CONFIG\_PATH=$<$snort build prefix/lib/pkgconfig$>$: + +\begin{itemize} +\item {\em pkg-config --cflags snort\_preproc} + +Returns the macros and include path needed to compile the dynamic preprocessor. + +\item {\em pkg-config --libs snort\_preproc} + +Returns the library and library path needed to link the dynamic preprocessor. \end{itemize} 
@@ -15104,34 +18535,29 @@ \subsection{Preprocessor Example} The following is an example of a simple preprocessor. This preprocessor always -alerts on a Packet if the TCP port matches the one configured. +alerts on a packet if the TCP port matches the one configured. -This assumes the the files {\em sf\_dynamic\_preproc\_lib.c} and {\em -sf\_dynamic\_preproc\_lib.h} are used. +The following code is defined in {\em spp\_example.c} and is compiled +together with {\em libsf\_dynamic\_preproc.a}, using pkg-config, into +lib\_sfdynamic\_preprocessor\_example.so. -This is the metadata for this preprocessor, defined in {\em -sf\_preproc\_info.h}. +Define the required meta data variables. \begin{verbatim} -#define MAJOR_VERSION 1 -#define MINOR_VERSION 0 -#define BUILD_VERSION 0 -#define PREPROC_NAME "SF_Dynamic_Example_Preprocessor" +#define GENERATOR_EXAMPLE 256 +extern DynamicPreprocessorData _dpd; -#define DYNAMIC_PREPROC_SETUP ExampleSetup -extern void ExampleSetup(); -\end{verbatim} +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 0; +const char *PREPROC_NAME = "SF_Dynamic_Example_Preprocessor"; -The remainder of the code is defined in {\em spp\_example.c} and is compiled -together with {\em sf\_dynamic\_preproc\_lib.c} into -lib\_sfdynamic\_preprocessor\_example.so. +#define ExampleSetup DYNAMIC_PREPROC_SETUP +\end{verbatim} Define the Setup function to register the initialization function. \begin{verbatim} -#define GENERATOR_EXAMPLE 256 -extern DynamicPreprocessorData _dpd; - void ExampleInit(unsigned char *); void ExampleProcess(void *, void *); 
@@ -15459,39 +18885,83 @@ \\ \textbf{Lead Snort Developers} & Steve Sturges\\ -& Todd Wease\\ +& Bhagyashree Bantwal\\ +& Hui Cao\\ & Russ Combs\\ & Ryan Jordan\\ -& Bhagyashree Bantwal\\ +& Todd Wease\\ +\\ +\textbf{Snort QA Team} +& Matt Donnan\\ +& Andrew Blunck\\ +& Victor Roemer\\ +& Scott Czajkowski\\ \\ \textbf{Snort Rules Team} & Matt Watchinski\\ -& Lurene Grenier\\ -& Sojeong Hong\\ +& Nathan Benson\\ +& Christoph Cordes\\ +& Joel Esler\\ +& William Freeman\\ +& Ethan Gulla\\ +& Luca Gibelli\\ & Nigel Houghton\\ +& Richard Johnson\\ +& Tom Judge\\ +& Alex Kambis\\ & Alex Kirk\\ +& Tomasz Kojm\\ +& Chris Marshall\\ +& Christopher McBee\\ +& Kevin Miklavcic\\ & Patrick Mullen\\ & Matt Olney\\ & Ryan Pentney\\ -& Alain Zidoemba\\ +& David Shyu\\ +& Edvin Torok\\ +& Andy Walker\\ +& Alberto Wu\\ +& Alain Zidouemba\\ \\ \textbf{Win32 Maintainer} & Snort Team\\ \\ +\textbf{Snort Product Manager} +& Steve Kane\\ +\\ +\textbf{Snort Community Manager} +& Joel Esler\\ +\\ +\textbf{Snort Web Team} +& Aaron Norling\\ +& Sarah Zelechoski\\ +\\ +\end{tabular} + +\begin{tabular}{p{3in} p{3in}} \textbf{Major Contributors} & Erek Adams\\ +& Michael Altizer\\ & Andrew Baker\\ & Scott Campbell\\ & Brian Caswell\\ & Dilbagh Chahal\\ +& JJ Cummings\\ & Roman D.\\ & Michael Davis\\ +& Ron Dempster\\ & Chris Green\\ +& Lurene Grenier\\ +& Mike Guiterman\\ & Jed Haile\\ +& Justin Heath\\ +& Patrick Harper\\ & Jeremy Hewlett\\ & Victor Julien\\ & Glenn Mansfield Keeni\\ & Adam Keeton\\ +& Keith Konecnik\\ +& Veronica Kovah\\ & Chad Kreimendahl\\ & Kevin Liu\\ & Rob McMillen\\ 
@@ -15502,13 +18972,19 @@
 & Judy Novak\\
 & Andreas Ostling\\
 & Chris Reid\\
+& Marcos Rodriguez\\
 & Daniel Roelker\\
 & Dragos Ruiu\\
+& Chris Sherwin\\
+& Matt Smith\\
+& Jennifer Steffens\\
 & JP Vossen\\
+& Leon Ward\\
 & Daniel Wittenberg\\
 & Phil Wood\\
 & Fyodor Yarochkin\\
 \end{tabular}
+
 \appendix
 \begin{thebibliography}{99}
diff -Nru snort-2.9.0.1/etc/classification.config snort-2.9.2/etc/classification.config
--- snort-2.9.0.1/etc/classification.config 2010-04-06 07:05:46.000000000 -0700
+++ snort-2.9.2/etc/classification.config 2011-06-07 17:33:04.000000000 -0700
@@ -65,3 +65,6 @@
 config classification: policy-violation,Potential Corporate Privacy Violation,1
 config classification: default-login-attempt,Attempt to login by a default username and password,2
 config classification: sdf,Senstive Data,2
+config classification: file-format,Known malicious file or file based exploit,1
+config classification: malware-cnc,Known malware command and control traffic,1
+config classification: client-side-exploit,Known client side exploit attempt,1
diff -Nru snort-2.9.0.1/etc/community-sid-msg.map snort-2.9.2/etc/community-sid-msg.map
--- snort-2.9.0.1/etc/community-sid-msg.map 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/etc/community-sid-msg.map 1969-12-31 16:00:00.000000000 -0800
@@ -1,837 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# This file is licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# Id SID -> MSG map
-
-100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947
-100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947
-100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281
-100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262
-100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192
-100000105 || COMMUNITY INAPPROPRIATE lolita sex
-100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
-100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
-100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404
-100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404
-100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300
-100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300
-100000112 || COMMUNITY WEB-CGI Readfile.tcl Access || bugtraq,7426
-100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243
-100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243
-100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589
-100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589
-100000117 || COMMUNITY WEB-CGI 
VBulliten Remote Command Execution Attempt || bugtraq,12542
-100000118 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
-100000119 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
-100000121 || COMMUNITY WEB-MISC Test Script Access
-100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646
-100000123 || COMMUNITY INAPPROPRIATE preteen sex
-100000124 || COMMUNITY INAPPROPRIATE girls gone wild
-100000125 || COMMUNITY MISC Sentinel License Manager overflow attempt || cve,CAN-2005-0353 || bugtraq,12742
-100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt || cve,2005-0768 || url,unsecure.altervista.org/security/goodtechtelnet.htm
-100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php || bugtraq,12735
-100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php || bugtraq,12735
-100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS || bugtraq,10014 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml
-100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS || bugtraq,12778
-100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access || bugtraq,12778
-100000132 || COMMUNITY WEB-MISC Proxy Server Access
-100000133 || COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request || bugtraq,7398 || url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1
-100000134 || COMMUNITY DOS Tcpdump rsvp attack || cve,2005-1280 || cve,2005-1281 || bugtraq,13391
-100000135 || COMMUNITY IMAP GNU Mailutils request tag format string vulnerability 
|| cve,CAN-2005-1523 || bugtraq,13764
-100000136 || COMMUNITY IMAP GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878
-100000137 || COMMUNITY MISC BAD-SSL tcp detect
-100000138 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost || cve,2005-2678
-100000139 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678
-100000140 || COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow || cve,2005-0684 || url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities
-100000141 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000142 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000143 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000144 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000145 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000146 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
-100000148 || COMMUNITY WEB-MISC Barracuda img.pl attempt || bugtraq,14712 || bugtraq,14710 || cve,2005-2848
-100000149 || COMMUNITY WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403
-100000150 || COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt || bugtraq,13873 || bugtraq,14106 || cve,2005-2088 || cve,2005-2089 || cve,2005-2090 || cve,2005-2091 || cve,2005-2092 || cve,2005-2093 || cve,2005-2094 || url,www.osvdb.org/displayvuln.php?osvdb_id=17738 || nessus,18337
-100000151 || COMMUNITY WEB-PHP piranha default passwd attempt 
|| bugtraq,1148 || cve,2000-0248 || nessus,10381
-100000152 || COMMUNITY IMAP MDaemon authentication protocol decode
-100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317
-100000154 || COMMUNITY IMAP MDaemon authentication okay protocol decode
-100000155 || COMMUNITY IMAP MDaemon authentication overflow single packet attempt || bugtraq,14317
-100000156 || COMMUNITY WEB-CGI Twiki shell command execution || bugtraq,14834 || cve,2005-2877 || url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
-100000157 || COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt || bugtraq,14831
-100000158 || COMMUNITY SIP INVITE message flooding
-100000159 || COMMUNITY SIP REGISTER message flooding
-100000160 || COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
-100000161 || COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses
-100000162 || COMMUNITY SIP 401 Unauthorized Flood
-100000163 || COMMUNITY SIP 407 Proxy Authentication Required Flood
-100000164 || COMMUNITY ICMP Linux DoS sctp Exploit || nessus,19777
-100000165 || COMMUNITY EXPLOIT Sentinel LM exploit || bugtraq,12742 || cve,2005-0353 || url,www.osvdb.org/displayvuln.php?osvdb_id=14605 || nessus,17326
-100000166 || COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html
-100000167 || COMMUNITY SMTP Hydra Activity Detected || url,www.thc.org/releases.php
-100000168 || COMMUNITY WEB-ATTACKS Hydra Activity Detected || url,www.thc.org/releases.php
-100000169 || COMMUNITY WEB-ATTACKS Amap fingerprint attempt || url,www.thc.org/releases.php
-100000170 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
-100000171 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept 
Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
-100000172 || COMMUNITY NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035
-100000173 || COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt
-100000174 || COMMUNITY WEB-IIS RSA WebAgent access || cve,2005-1118 || bugtraq,13168
-100000175 || COMMUNITY DOS Ethereal slimp overflow attempt || cve,2005-3243 || url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html
-100000176 || COMMUNITY EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136
-100000177 || COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389
-100000178 || COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt || bugtraq,15225 || nessus,20097
-100000179 || COMMUNITY WEB-MISC SMC TRACE access || url,www.kb.cert.org/vuls/id/867593
-100000180 || COMMUNITY EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838
-100000181 || COMMUNITY GAME FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492
-100000182 || COMMUNITY GAME Battle Carry attempt || cve,2005-3493 || bugtraq,15282
-100000183 || COMMUNITY WEB-ATTACKS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
-100000184 || COMMUNITY WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707
-100000185 || COMMUNITY WEB-MISC apache directory list attempt || bugtraq,3009 || cve,2001-0731
-100000186 || COMMUNITY WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356
-100000187 || COMMUNITY WEB-PHP XSS attempt
-100000188 || COMMUNITY WEB-PHP Vubb Path attempt || cve,2005-3513 || url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2
-100000189 || COMMUNITY MISC streaming RTSP - realplayer 
|| url,www.rtsp.org
-100000190 || COMMUNITY MISC streaming Windows Mediaplayer || url,www.microsoft.com
-100000191 || COMMUNITY SMTP Gnu Mailman utf8 attachement access || bugtraq,15408 || cve,2005-3573 || url,www.osvdb.org/displayvuln.php?osvdb_id=20819
-100000192 || COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20846
-100000193 || COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20845
-100000194 || COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20847
-100000195 || COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access || bugtraq,15414 || cve,2005-3347
-100000196 || COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488
-100000197 || COMMUNITY ICMP undefined code
-100000198 || COMMUNITY MISC Ntp fingerprint detect || url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1
-100000199 || COMMUNITY MISC Novell eDirectory iMonitor access || bugtraq,14548 || cve,2005-2551 || nessus,19248 || url,www.osvdb.org/displayvuln.php?osvdb_id=18703
-100000200 || COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt || nessus,19598 || url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html
-100000201 || COMMUNITY WEB-PHP CuteNews flood.db.php access || bugtraq,14869 || cve,2005-3010 || nessus,19756 || url,www.osvdb.org/displayvuln.php?osvdb_id=19478
-100000202 || COMMUNITY WEB-PHP DeluxeBB topic.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19404
-100000203 || COMMUNITY WEB-PHP DeluxeBB misc.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19405
-100000204 || COMMUNITY WEB-PHP DeluxeBB pm.php access || bugtraq,14851 || 
cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19407
-100000205 || COMMUNITY WEB-PHP DeluxeBB forums.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19406
-100000206 || COMMUNITY WEB-PHP DeluxeBB newpost.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19408
-100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306
-100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml
-100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt || bugtraq,14367 || cve,2005-2420 || nessus,19300 || url,www.osvdb.org/displayvuln.php?osvdb_id=18305
-100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt
-100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
-100000212 || COMMUNITY WEB-PHP Gallery g2_return access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
-100000213 || COMMUNITY WEB-PHP Gallery g2_view access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
-100000214 || COMMUNITY WEB-PHP Gallery g2_subView access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
-100000215 || COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt || cve,2005-1928 || url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities
-100000216 || COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access || cve,2005-1929 || url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities
-100000217 || COMMUNITY WEB-MISC man2web cmd 
exec attempt || cve,2005-2812 || bugtraq,14747 || nessus,19591 -100000218 || COMMUNITY WEB-PHP MailGust SQL Injection email attempt || bugtraq,14933 || cve,2005-3063 || nessus,19947 -100000219 || COMMUNITY SMTP MIME-Type ms-tnef access || bugtraq,16197 || cve,2006-0002 || url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx -100000220 || COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access || url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt || url,www.osvdb.org/displayvuln.php?osvdb_id=16244 -100000221 || COMMUNITY WEB-PHP AppServ main.php appserv_root param access || url,www.osvdb.org/displayvuln.php?osvdb_id=22228 -100000222 || COMMUNITY MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200 -100000223 || COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189 -100000224 || COMMUNITY SMTP Mozilla filename overflow attempt || bugtraq,16271 -100000225 || COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access || cve,2006-0192 -100000226 || COMMUNITY VIRUS Possible BlackWorm or Nymex infected host || url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm || url,cme.mitre.org/data/list.html#24 || url,isc.sans.org/blackworm -100000227 || COMMUNITY MISC SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493 -100000228 || COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361 -100000229 || COMMUNITY MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html -100000230 || COMMUNITY MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/ -100000231 || COMMUNITY MISC Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/ 
-100000232 || COMMUNITY MISC Google Talk Logon || url,www.google.com/talk/ -100000233 || COMMUNITY MISC Jabber/Google Talk Outoing Message || url,www.google.com/talk/ -100000234 || COMMUNITY MISC Jabber/Google Talk Log Out || url,www.google.com/talk/ -100000235 || COMMUNITY MISC Jabber/Google Talk Logon Success || url,www.google.com/talk/ -100000236 || COMMUNITY MISC Jabber/Google Talk Incoming Message || url,www.google.com/talk/ -100000237 || COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language || url,www.boingboing.net/2006/02/22/argonne_national_lab.html -100000238 || COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt || bugtraq,17131 || cve,2006-1245 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000239 || COMMUNITY WEB-CLIENT IE createTextRange overflow attempt || bugtraq,17196 || cve,2006-1359 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000240 || COMMUNITY BOT IRC Traffic Detected By Nick Change -100000241 || COMMUNITY BOT Internal IRC server detected -100000242 || COMMUNITY BOT Agobot/PhatBot bot.about command -100000243 || COMMUNITY BOT Agobot/PhatBot bot.die command -100000244 || COMMUNITY BOT Agobot/PhatBot bot.dns command -100000245 || COMMUNITY BOT Agobot/PhatBot bot.execute command -100000246 || COMMUNITY BOT Agobot/PhatBot bot.id command -100000247 || COMMUNITY BOT Agobot/PhatBot bot.nick command -100000248 || COMMUNITY BOT Agobot/PhatBot bot.open command -100000249 || COMMUNITY BOT Agobot/PhatBot bot.remove command -100000250 || COMMUNITY BOT Agobot/PhatBot bot.removeallbut command -100000251 || COMMUNITY BOT Agobot/PhatBot bot.rndnick command -100000252 || COMMUNITY BOT Agobot/PhatBot bot.status command -100000253 || COMMUNITY BOT Agobot/PhatBot bot.sysinfo command -100000254 || COMMUNITY BOT Agobot/PhatBot bot.longuptime command -100000255 || COMMUNITY BOT Agobot/PhatBot bot.highspeed command -100000256 || COMMUNITY BOT Agobot/PhatBot bot.quit command 
-100000257 || COMMUNITY BOT Agobot/PhatBot bot.flushdns command -100000258 || COMMUNITY BOT Agobot/PhatBot bot.secure command -100000259 || COMMUNITY BOT Agobot/PhatBot bot.unsecure command -100000260 || COMMUNITY BOT Agobot/PhatBot bot.command command -100000261 || COMMUNITY BOT SDBot killthread command -100000262 || COMMUNITY BOT SDBot cdkey command -100000263 || COMMUNITY BOT SDBot getcdkey command -100000264 || COMMUNITY BOT SDBot rndnick command -100000265 || COMMUNITY BOT SDBot c_rndnick command -100000266 || COMMUNITY BOT SDBot c_nick command -100000267 || COMMUNITY BOT SpyBot stopspy command -100000268 || COMMUNITY BOT SpyBot redirectspy command -100000269 || COMMUNITY BOT SpyBot loadclones command -100000270 || COMMUNITY BOT SpyBot killclones command -100000271 || COMMUNITY BOT SpyBot rawclones command -100000272 || COMMUNITY BOT GTBot ver command -100000273 || COMMUNITY BOT GTBot info command -100000274 || COMMUNITY BOT GTBot scan command -100000275 || COMMUNITY BOT GTBot portscan command -100000276 || COMMUNITY BOT GTBot stopscan command -100000277 || COMMUNITY BOT GTBot packet command -100000278 || COMMUNITY BOT GTBot bnc command -100000279 || COMMUNITY SMTP Incoming WAB attachment || cve,2006-0014 || url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx -100000281 || COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials -100000282 || COMMUNITY VIRUS Nugache connect -100000283 || COMMUNITY VIRUS Nugache data || url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html -100000284 || COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/ -100000285 || COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt || bugtraq,17915 -100000286 || COMMUNITY WEB-PHP X Poll admin access || url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2 -100000287 || COMMUNITY WEB-PHP Claroline 
ldap.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000288 || COMMUNITY WEB-PHP Claroline atutor.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000289 || COMMUNITY WEB-PHP Claroline db-generic.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000290 || COMMUNITY WEB-PHP Claroline docebo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000291 || COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000292 || COMMUNITY WEB-PHP Claroline dokeos.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000293 || COMMUNITY WEB-PHP Claroline ganesha.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000294 || COMMUNITY WEB-PHP Claroline mambo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000295 || COMMUNITY WEB-PHP Claroline moodle.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000296 || COMMUNITY WEB-PHP Claroline phpnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000297 || COMMUNITY WEB-PHP Claroline postnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000298 || COMMUNITY WEB-PHP Claroline spip.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000299 || COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access || url,www.claroline.net || 
url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000300 || COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000301 || COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt || bugtraq,16742 || cve,2006-0559 -100000302 || COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access || bugtraq,17964 -100000303 || COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access || bugtraq,17964 -100000304 || COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000305 || COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000306 || COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000307 || COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000308 || COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000309 || COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000310 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net || url,vil.nai.com/vil/content/v_139545.htm -100000311 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org || url,vil.nai.com/vil/content/v_139545.htm -100000312 || COMMUNITY VIRUS Ginwui.B POST attempt || url,vil.nai.com/vil/content/v_139545.htm -100000313 || COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal || bugtraq,14715 || cve,2005-2020 -100000314 || COMMUNITY WEB-MISC 
MediaWiki parser script insertion attempt || cve,2006-2611 -100000315 || COMMUNITY WEB-MISC HTTP PUT Request || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html -100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html -100000317 || COMMUNITY WEB-MISC phpBazar classified_right.php remote file include || bugtraq,18052 -100000318 || COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access || bugtraq,18053 || cve,2006-2527 -100000319 || COMMUNITY WEB-MISC ActualScripts direct.php remote file include || bugtraq,17597 -100000320 || COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include || bugtraq,18027 -100000321 || COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include || bugtraq,18027 -100000322 || COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include || bugtraq,18027 -100000323 || COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include || bugtraq,18027 -100000324 || COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include || bugtraq,18027 -100000325 || COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include || bugtraq,18027 -100000326 || COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include || bugtraq,18027 -100000327 || COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include || bugtraq,18027 -100000328 || COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include || bugtraq,18027 -100000329 || COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include || bugtraq,18040 -100000330 || COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include || bugtraq,18040 -100000331 || COMMUNITY WEB-MISC ZixForum settings.asp access || bugtraq,18043 -100000332 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047 -100000333 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || 
bugtraq,18047 -100000334 || COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include || bugtraq,18076 -100000335 || COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include || bugtraq,18076 -100000336 || COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include || cve,2006-2521 -100000337 || COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include || cve,2006-2521 -100000338 || COMMUNITY WEB-MISC phpMyDirectory header.php remote file include || cve,2006-2521 -100000339 || COMMUNITY WEB-MISC V-Webmail core.php remote file include || url,secunia.com/advisories/20297/ -100000340 || COMMUNITY WEB-MISC V-Webmail pop3.php remote file include || url,secunia.com/advisories/20297/ -100000341 || COMMUNITY WEB-MISC DoceboLMS help.php remote file include || bugtraq,18110 -100000342 || COMMUNITY WEB-MISC DoceboLMS business.php remote file include || bugtraq,18110 -100000343 || COMMUNITY WEB-MISC DoceboLMS credits.php remote file include || bugtraq,18110 -100000344 || COMMUNITY WEB-MISC SocketMail index.php remote file include || url,secunia.com/advisories/20273/ -100000345 || COMMUNITY WEB-MISC SocketMail inc-common.php remote file include || url,secunia.com/advisories/20273/ -100000346 || COMMUNITY WEB-MISC Plume CMS prepend.php remote file include || bugtraq,16662 -100000347 || COMMUNITY WEB-MISC Ezupload Pro form.php remote file include || bugtraq,18135 -100000348 || COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include || bugtraq,18135 -100000349 || COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include || bugtraq,18135 -100000350 || COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include || url,www.nukedx.com/?viewdoc=40 -100000351 || COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include || url,www.nukedx.com/?viewdoc=40 -100000352 || COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include || bugtraq,18153 || url,www.nukedx.com/?viewdoc=41 -100000353 || COMMUNITY 
WEB-MISC tinyBB footers.php remote file include || bugtraq,18147 -100000354 || COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include || bugtraq,18155 -100000355 || COMMUNITY WEB-MISC eSyndiCat cron.php remote file include || url,secunia.com/advisories/20218/ -100000356 || COMMUNITY WEB-MISC BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/ -100000357 || COMMUNITY WEB-MISC BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/ -100000358 || COMMUNITY WEB-MISC BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/ -100000359 || COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include || bugtraq,18163 -100000360 || COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include || bugtraq,18163 -100000361 || COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include || bugtraq,18163 -100000362 || COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include || bugtraq,18163 -100000363 || COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include || bugtraq,18163 -100000364 || COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include || bugtraq,18163 -100000365 || COMMUNITY WEB-MISC phpNuke index.php remote file include || bugtraq,18186 -100000366 || COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include || bugtraq,18186 -100000367 || COMMUNITY WEB-MISC phpNuke admin_board.php remote file include || bugtraq,18186 -100000368 || COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include || bugtraq,18186 -100000369 || COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include || bugtraq,18186 -100000370 || COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include || bugtraq,18186 -100000371 || COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include || bugtraq,18186 -100000372 || COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include || bugtraq,18186 -100000373 || COMMUNITY 
WEB-MISC phpNuke admin_user_ban.php remote file include || bugtraq,18186 -100000374 || COMMUNITY WEB-MISC phpNuke admin_words.php remote file include || bugtraq,18186 -100000375 || COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include || bugtraq,18186 -100000376 || COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include || bugtraq,18186 -100000377 || COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include || bugtraq,18186 -100000378 || COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include || bugtraq,18186 -100000379 || COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include || bugtraq,18186 -100000380 || COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include || bugtraq,18186 -100000381 || COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include || bugtraq,18186 -100000382 || COMMUNITY WEB-MISC phpNuke admin_users.php remote file include || bugtraq,18186 -100000383 || COMMUNITY WEB-MISC OsTicket open_form.php remote file include || bugtraq,18190 -100000384 || COMMUNITY WEB-MISC Ottoman index.php remote file include || bugtraq,18208 -100000385 || COMMUNITY WEB-MISC Ottoman error.php remote file include || bugtraq,18208 -100000386 || COMMUNITY WEB-MISC Ottoman main_class.php remote file include || bugtraq,18208 -100000387 || COMMUNITY WEB-MISC Ovidentia index.php remote file include || bugtraq,18232 -100000388 || COMMUNITY WEB-MISC Ovidentia topman.php remote file include || bugtraq,18232 -100000389 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232 -100000390 || COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include || bugtraq,18232 -100000391 || COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include || bugtraq,18232 -100000392 || COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include || bugtraq,18232 -100000393 || COMMUNITY WEB-MISC Ovidentia start.php remote file include || bugtraq,18232 -100000394 || COMMUNITY WEB-MISC Ovidentia search.php 
remote file include || bugtraq,18232 -100000395 || COMMUNITY WEB-MISC Ovidentia posts.php remote file include || bugtraq,18232 -100000396 || COMMUNITY WEB-MISC Ovidentia options.php remote file include || bugtraq,18232 -100000397 || COMMUNITY WEB-MISC Ovidentia login.php remote file include || bugtraq,18232 -100000398 || COMMUNITY WEB-MISC Ovidentia frchart.php remote file include || bugtraq,18232 -100000399 || COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include || bugtraq,18232 -100000400 || COMMUNITY WEB-MISC Ovidentia fileman.php remote file include || bugtraq,18232 -100000401 || COMMUNITY WEB-MISC Ovidentia faq.php remote file include || bugtraq,18232 -100000402 || COMMUNITY WEB-MISC Ovidentia event.php remote file include || bugtraq,18232 -100000403 || COMMUNITY WEB-MISC Ovidentia directory.php remote file include || bugtraq,18232 -100000404 || COMMUNITY WEB-MISC Ovidentia articles.php remote file include || bugtraq,18232 -100000405 || COMMUNITY WEB-MISC Ovidentia artedit.php remote file include || bugtraq,18232 -100000406 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232 -100000407 || COMMUNITY WEB-MISC Ovidentia calday.php remote file include || bugtraq,18232 -100000408 || COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include || bugtraq,18220 -100000409 || COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include || bugtraq,18220 -100000410 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000411 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000412 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000413 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229 -100000414 || COMMUNITY WEB-MISC REDAXO community.inc.php remote file include || bugtraq,18229 -100000415 || COMMUNITY WEB-MISC Bytehoard server.php remote file include || bugtraq,18234 -100000416 || COMMUNITY 
WEB-MISC MyBloggie admin.php remote file include || bugtraq,18241 -100000417 || COMMUNITY WEB-MISC MyBloggie scode.php remote file include || bugtraq,18241 -100000418 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include || bugtraq,18248 -100000419 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include || bugtraq,18248 -100000420 || COMMUNITY WEB-MISC Informium common-menu.php remote file include || bugtraq,18249 -100000421 || COMMUNITY WEB-MISC Igloo wiki.php remote file include || bugtraq,18250 -100000422 || COMMUNITY WEB-MISC phpBB template.php remote file include || bugtraq,18255 -100000423 || COMMUNITY WEB-MISC DotWidget CMS index.php remote file include || bugtraq,18258 -100000424 || COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include || bugtraq,18258 -100000425 || COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include || bugtraq,18258 -100000426 || COMMUNITY WEB-MISC DotClear prepend.php remote file include || bugtraq,18259 -100000427 || COMMUNITY WEB-MISC JBoss jmx-console html adaptor access || url,jboss.org/wiki/Wiki.jsp?page=JMXConsole -100000428 || COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2 -100000429 || COMMUNITY WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole -100000430 || COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include || bugtraq,18261 -100000431 || COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include || bugtraq,18261 -100000432 || COMMUNITY WEB-MISC BlueShoes file.php remote file include || bugtraq,18261 -100000433 || COMMUNITY WEB-MISC BlueShoes viewer.php remote file include || bugtraq,18261 -100000434 || COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include || bugtraq,18261 -100000435 || COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include || bugtraq,18261 -100000436 
|| COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include || bugtraq,18261 -100000437 || COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include || bugtraq,18263 -100000438 || COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include || bugtraq,18265 -100000439 || COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include || bugtraq,18265 -100000440 || COMMUNITY WEB-MISC CyBoards common.php remote file include || bugtraq,18272 -100000441 || COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include || bugtraq,18291 -100000442 || COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include || bugtraq,18313 -100000443 || COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include || bugtraq,18313 -100000444 || COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include || bugtraq,18313 -100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt || bugtraq,18270 -100000446 || COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt || bugtraq,18273 -100000447 || COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779 -100000448 || COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt || bugtraq,18367 -100000449 || COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt || bugtraq,18367 -100000450 || COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt || bugtraq,18368 -100000451 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379 -100000452 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379 -100000453 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379 -100000454 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379 -100000455 || COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt || bugtraq,18473 -100000456 || COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt || bugtraq,18482 -100000457 || 
COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt || bugtraq,18512 -100000458 || COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt || bugtraq,18526 -100000459 || COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt || bugtraq,18564 -100000460 || COMMUNITY WEB-MISC AZureus index.tmpl xss attempt || bugtraq,18596 -100000461 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598 -100000462 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598 -100000463 || COMMUNITY WEB-PHP Joomla joomla.php remote file include || bugtraq,18363 -100000464 || COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include || bugtraq,18370 -100000465 || COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include || bugtraq,18371 -100000466 || COMMUNITY WEB-PHP Free QBoard post.php remote file include || bugtraq,18373 -100000467 || COMMUNITY WEB-PHP WebprojectDB nav.php remote file include || bugtraq,18378 -100000468 || COMMUNITY WEB-PHP WebprojectDB lang.php remote file include || bugtraq,18378 -100000469 || COMMUNITY WEB-PHP iFoto index.php xss attempt || bugtraq,18391 -100000470 || COMMUNITY WEB-PHP Foing manage_songs.php remote file include || bugtraq,18392 -100000471 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403 -100000472 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403 -100000473 || COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt || bugtraq,18403 -100000474 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403 -100000475 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403 -100000476 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403 -100000477 || COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt || bugtraq,18403 -100000478 || COMMUNITY WEB-PHP aWebNews visview.php remote file include || bugtraq,18406 -100000479 || 
COMMUNITY WEB-PHP CzarNews headlines.php remote file include || bugtraq,18411 -100000480 || COMMUNITY WEB-PHP Somery team.php remote file include || bugtraq,18412 -100000481 || COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include || bugtraq,18413 -100000482 || COMMUNITY WEB-PHP BoastMachine vote.php remote file include || bugtraq,18415 -100000483 || COMMUNITY WEB-PHP Wheatblog view_links.php remote file include || bugtraq,18416 -100000484 || COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt || bugtraq,18426 -100000485 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18435 -100000486 || COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include || bugtraq,18440 -100000487 || COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include || bugtraq,18441 -100000488 || COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include || bugtraq,18441 -100000489 || COMMUNITY WEB-PHP ISPConfig login.php remote file include || bugtraq,18441 -100000490 || COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include || bugtraq,18441 -100000491 || COMMUNITY WEB-PHP DeluxeBB posting.php remote file include || bugtraq,18455 -100000492 || COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include || bugtraq,18455 -100000493 || COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include || bugtraq,18455 -100000494 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458 -100000495 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458 -100000496 || COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt || bugtraq,18463 -100000497 || COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt || bugtraq,18469 -100000498 || COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt || bugtraq,18469 -100000499 || COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include || bugtraq,18471 -100000500 || COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include || bugtraq,18471 
-100000501 || COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include || bugtraq,18471 -100000502 || COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include || bugtraq,18474 -100000503 || COMMUNITY WEB-PHP Nucleus CMS action.php remote file include || bugtraq,18475 -100000504 || COMMUNITY WEB-PHP Nucleus CMS media.php remote file include || bugtraq,18475 -100000505 || COMMUNITY WEB-PHP Nucleus CMS server.php remote file include || bugtraq,18475 -100000506 || COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include || bugtraq,18475 -100000507 || COMMUNITY WEB-PHP FlashChat adminips.php remote file include || bugtraq,18480 -100000508 || COMMUNITY WEB-PHP Wikkawiki wakka.php access || bugtraq,18481 -100000509 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18490 -100000510 || COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt || bugtraq,18497 -100000511 || COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt || bugtraq,18497 -100000512 || COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt || bugtraq,18497 -100000513 || COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt || bugtraq,18501 -100000514 || COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt || bugtraq,18501 -100000515 || COMMUNITY WEB-PHP CMS Faethon header.php xss attempt || bugtraq,18505 -100000516 || COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt || bugtraq,18505 -100000517 || COMMUNITY WEB-PHP e107 search.php xss attempt || bugtraq,18508 -100000518 || COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include || bugtraq,18509 -100000519 || COMMUNITY WEB-PHP VUBB index.php SQL injection attempt || bugtraq,18516 -100000520 || COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt || bugtraq,18520 -100000521 || COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt || bugtraq,18524 -100000522 || COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt || 
bugtraq,18528 -100000523 || COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt || bugtraq,18533 -100000524 || COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include || bugtraq,18537 -100000525 || COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt || bugtraq,18539 -100000526 || COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt || bugtraq,18539 -100000527 || COMMUNITY WEB-PHP AssoCIateD index.php xss attempt || bugtraq,18541 -100000528 || COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt || bugtraq,18542 -100000529 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546 -100000530 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546 -100000531 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549 -100000532 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549 -100000533 || COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt || bugtraq,18561 -100000534 || COMMUNITY WEB-PHP VUBB english.php xss attempt || bugtraq,18562 -100000535 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566 -100000536 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566 -100000537 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567 -100000538 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567 -100000539 || COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt || bugtraq,18567 -100000540 || COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt || bugtraq,18590 -100000541 || COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt || bugtraq,18607 -100000542 || COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt || bugtraq,18607 -100000543 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607 -100000544 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || 
bugtraq,18607
-100000545 || COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include || bugtraq,18609
-100000546 || COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include || bugtraq,18609
-100000547 || COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include || bugtraq,18609
-100000548 || COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include || bugtraq,18609
-100000549 || COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt || bugtraq,18626
-100000550 || COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access || bugtraq,18627
-100000551 || COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access || bugtraq,18627
-100000552 || COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include || bugtraq,18628
-100000553 || COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include || bugtraq,18633
-100000554 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000555 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000556 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000557 || COMMUNITY WEB-PHP VebiMiau index.php xss attempt || bugtraq,18643
-100000558 || COMMUNITY WEB-PHP VebiMiau messages.php xss attempt || bugtraq,18643
-100000559 || COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt || bugtraq,18644
-100000560 || COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include || bugtraq,18649
-100000561 || COMMUNITY WEB-PHP dotProject ui.class.php xss attempt || bugtraq,18650
-100000562 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000563 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000564 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000565 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000566 || COMMUNITY WEB-PHP XennoBB messages.php xss attempt || bugtraq,18652
-100000567 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000568 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000569 || COMMUNITY WEB-PHP Indexu app_change_email.php remote file include || bugtraq,18477
-100000570 || COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include || bugtraq,18477
-100000571 || COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include || bugtraq,18477
-100000572 || COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include || bugtraq,18477
-100000573 || COMMUNITY WEB-PHP Indexu app_setup.php remote file include || bugtraq,18477
-100000574 || COMMUNITY WEB-PHP Indexu cat_add.php remote file include || bugtraq,18477
-100000575 || COMMUNITY WEB-PHP Indexu cat_delete.php remote file include || bugtraq,18477
-100000576 || COMMUNITY WEB-PHP Indexu cat_edit.php remote file include || bugtraq,18477
-100000577 || COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include || bugtraq,18477
-100000578 || COMMUNITY WEB-PHP Indexu cat_search.php remote file include || bugtraq,18477
-100000579 || COMMUNITY WEB-PHP Indexu cat_struc.php remote file include || bugtraq,18477
-100000580 || COMMUNITY WEB-PHP Indexu cat_view.php remote file include || bugtraq,18477
-100000581 || COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include || bugtraq,18477
-100000582 || COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include || bugtraq,18477
-100000583 || COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include || bugtraq,18477
-100000584 || COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include || bugtraq,18477
-100000585 || COMMUNITY WEB-PHP Indexu db_alter.php remote file include || bugtraq,18477
-100000586 || COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include || bugtraq,18477
-100000587 || COMMUNITY WEB-PHP Indexu db_backup.php remote file include || bugtraq,18477
-100000588 || COMMUNITY WEB-PHP Indexu db_export.php remote file include || bugtraq,18477
-100000589 || COMMUNITY WEB-PHP Indexu db_import.php remote file include || bugtraq,18477
-100000590 || COMMUNITY WEB-PHP Indexu editor_add.php remote file include || bugtraq,18477
-100000591 || COMMUNITY WEB-PHP Indexu editor_delete.php remote file include || bugtraq,18477
-100000592 || COMMUNITY WEB-PHP Indexu editor_validate.php remote file include || bugtraq,18477
-100000593 || COMMUNITY WEB-PHP Indexu head.php remote file include || bugtraq,18477
-100000594 || COMMUNITY WEB-PHP Indexu index.php remote file include || bugtraq,18477
-100000595 || COMMUNITY WEB-PHP Indexu inv_config.php remote file include || bugtraq,18477
-100000596 || COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include || bugtraq,18477
-100000597 || COMMUNITY WEB-PHP Indexu inv_create.php remote file include || bugtraq,18477
-100000598 || COMMUNITY WEB-PHP Indexu inv_delete.php remote file include || bugtraq,18477
-100000599 || COMMUNITY WEB-PHP Indexu inv_edit.php remote file include || bugtraq,18477
-100000600 || COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include || bugtraq,18477
-100000601 || COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include || bugtraq,18477
-100000602 || COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include || bugtraq,18477
-100000603 || COMMUNITY WEB-PHP Indexu inv_paid.php remote file include || bugtraq,18477
-100000604 || COMMUNITY WEB-PHP Indexu inv_send.php remote file include || bugtraq,18477
-100000605 || COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include || bugtraq,18477
-100000606 || COMMUNITY WEB-PHP Indexu lang_modify.php remote file include || bugtraq,18477
-100000607 || COMMUNITY WEB-PHP Indexu link_add.php remote file include || bugtraq,18477
-100000608 || COMMUNITY WEB-PHP Indexu link_bad.php remote file include || bugtraq,18477
-100000609 || COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include || bugtraq,18477
-100000610 || COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include || bugtraq,18477
-100000611 || COMMUNITY WEB-PHP Indexu link_delete.php remote file include || bugtraq,18477
-100000612 || COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include || bugtraq,18477
-100000613 || COMMUNITY WEB-PHP Indexu link_edit.php remote file include || bugtraq,18477
-100000614 || COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include || bugtraq,18477
-100000615 || COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include || bugtraq,18477
-100000616 || COMMUNITY WEB-PHP Indexu link_search.php remote file include || bugtraq,18477
-100000617 || COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include || bugtraq,18477
-100000618 || COMMUNITY WEB-PHP Indexu link_validate.php remote file include || bugtraq,18477
-100000619 || COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include || bugtraq,18477
-100000620 || COMMUNITY WEB-PHP Indexu link_view.php remote file include || bugtraq,18477
-100000621 || COMMUNITY WEB-PHP Indexu log_search.php remote file include || bugtraq,18477
-100000622 || COMMUNITY WEB-PHP Indexu mail_modify.php remote file include || bugtraq,18477
-100000623 || COMMUNITY WEB-PHP Indexu menu.php remote file include || bugtraq,18477
-100000624 || COMMUNITY WEB-PHP Indexu message_create.php remote file include || bugtraq,18477
-100000625 || COMMUNITY WEB-PHP Indexu message_delete.php remote file include || bugtraq,18477
-100000626 || COMMUNITY WEB-PHP Indexu message_edit.php remote file include || bugtraq,18477
-100000627 || COMMUNITY WEB-PHP Indexu message_send.php remote file include || bugtraq,18477
-100000628 || COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include || bugtraq,18477
-100000629 || COMMUNITY WEB-PHP Indexu message_view.php remote file include || bugtraq,18477
-100000630 || COMMUNITY WEB-PHP Indexu review_validate.php remote file include || bugtraq,18477
-100000631 || COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include || bugtraq,18477
-100000632 || COMMUNITY WEB-PHP Indexu summary.php remote file include || bugtraq,18477
-100000633 || COMMUNITY WEB-PHP Indexu template_active.php remote file include || bugtraq,18477
-100000634 || COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include || bugtraq,18477
-100000635 || COMMUNITY WEB-PHP Indexu template_delete.php remote file include || bugtraq,18477
-100000636 || COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include || bugtraq,18477
-100000637 || COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include || bugtraq,18477
-100000638 || COMMUNITY WEB-PHP Indexu template_export.php remote file include || bugtraq,18477
-100000639 || COMMUNITY WEB-PHP Indexu template_import.php remote file include || bugtraq,18477
-100000640 || COMMUNITY WEB-PHP Indexu template_manager.php remote file include || bugtraq,18477
-100000641 || COMMUNITY WEB-PHP Indexu template_modify.php remote file include || bugtraq,18477
-100000642 || COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include || bugtraq,18477
-100000643 || COMMUNITY WEB-PHP Indexu template_rename.php remote file include || bugtraq,18477
-100000644 || COMMUNITY WEB-PHP Indexu user_add.php remote file include || bugtraq,18477
-100000645 || COMMUNITY WEB-PHP Indexu user_delete.php remote file include || bugtraq,18477
-100000646 || COMMUNITY WEB-PHP Indexu user_edit.php remote file include || bugtraq,18477
-100000647 || COMMUNITY WEB-PHP Indexu user_search.php remote file include || bugtraq,18477
-100000648 || COMMUNITY WEB-PHP Indexu whos.php remote file include || bugtraq,18477
-100000649 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000650 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000651 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000652 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000653 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000654 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000655 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000656 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000657 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000658 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000659 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000660 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000661 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000662 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000663 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000664 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000665 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000666 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000667 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000668 || COMMUNITY WEB-PHP Harpia pheader.php remote file include || bugtraq,18614
-100000669 || COMMUNITY WEB-PHP Harpia headlines.php remote file include || bugtraq,18614
-100000670 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000671 || COMMUNITY WEB-PHP Harpia preload.php remote file include || bugtraq,18614
-100000672 || COMMUNITY WEB-PHP Harpia users.php remote file include || bugtraq,18614
-100000673 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000674 || COMMUNITY WEB-PHP Harpia footer.php remote file include || bugtraq,18614
-100000675 || COMMUNITY WEB-PHP Harpia pfooter.php remote file include || bugtraq,18614
-100000676 || COMMUNITY WEB-PHP Harpia missing.php remote file include || bugtraq,18614
-100000677 || COMMUNITY WEB-PHP Harpia topics.php remote file include || bugtraq,18614
-100000678 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000679 || COMMUNITY WEB-PHP Harpia index.php remote file include || bugtraq,18614
-100000680 || COMMUNITY WEB-PHP Harpia search.php remote file include || bugtraq,18614
-100000681 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000682 || COMMUNITY WEB-PHP Harpia email.php remote file include || bugtraq,18614
-100000683 || COMMUNITY WEB-PHP cPanel select.html xss attempt || bugtraq,18655
-100000684 || COMMUNITY VIRUS OutBound Dremn Trojan Beacon || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000685 || COMMUNITY VIRUS Answering Dremn Trojan Server || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000686 || COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound || bugtraq,18664
-100000687 || COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound || bugtraq,18664
-100000688 || COMMUNITY POLICY Ajax Remote Desktop Connection || url,www.peterdamen.com/ajaxrd/
-100000689 || COMMUNITY SMTP Mytob MAIL FROM Attempt || url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
-100000690 || COMMUNITY SQL-INJECTION BXCP Sql Injection attempt || bugtraq,18765 || url,www.milw0rm.com/exploits/1975
-100000691 || COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt || bugtraq,18760
-100000692 || COMMUNITY WEB-CLIENT midi file download attempt || bugtraq,18507
-100000693 || COMMUNITY WEB-CLIENT winamp midi file header overflow attempt || bugtraq,18507
-100000694 || COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt || bugtraq,18699
-100000695 || COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt || bugtraq,18699
-100000696 || COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt || bugtraq,18699
-100000697 || COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt || bugtraq,18699
-100000698 || COMMUNITY WEB-MISC BXCP index.php SQL injection attempt || bugtraq,18765
-100000699 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
-100000700 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
-100000701 || COMMUNITY WEB-MISC WordPress index.php SQL injection attempt || bugtraq,18779
-100000702 || COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt || bugtraq,18899
-100000703 || COMMUNITY WEB-PHP Horde index.php show XSS attempt || bugtraq,18845
-100000704 || COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include || bugtraq,18697
-100000705 || COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include || bugtraq,18697
-100000706 || COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include || bugtraq,18697
-100000707 || COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include || bugtraq,18697
-100000708 || COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include || bugtraq,18697
-100000709 || COMMUNITY WEB-PHP SquirrelMail search.php xss attempt || bugtraq,18700
-100000710 || COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt || bugtraq,18718
-100000711 || COMMUNITY WEB-PHP PHPRaid raids.php remote file include || bugtraq,18719
-100000712 || COMMUNITY WEB-PHP PHPRaid register.php remote file include || bugtraq,18719
-100000713 || COMMUNITY WEB-PHP PHPRaid roster.php remote file include || bugtraq,18719
-100000714 || COMMUNITY WEB-PHP PHPRaid view.php remote file include || bugtraq,18719
-100000715 || COMMUNITY WEB-PHP PHPRaid logs.php remote file include || bugtraq,18719
-100000716 || COMMUNITY WEB-PHP PHPRaid users.php remote file include || bugtraq,18719
-100000717 || COMMUNITY WEB-PHP PHPRaid configuration.php remote file include || bugtraq,18719
-100000718 || COMMUNITY WEB-PHP PHPRaid guilds.php remote file include || bugtraq,18719
-100000719 || COMMUNITY WEB-PHP PHPRaid index.php remote file include || bugtraq,18719
-100000720 || COMMUNITY WEB-PHP PHPRaid locations.php remote file include || bugtraq,18719
-100000721 || COMMUNITY WEB-PHP PHPRaid login.php remote file include || bugtraq,18719
-100000722 || COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include || bugtraq,18719
-100000723 || COMMUNITY WEB-PHP PHPRaid permissions.php remote file include || bugtraq,18719
-100000724 || COMMUNITY WEB-PHP PHPRaid profile.php remote file include || bugtraq,18719
-100000725 || COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt || bugtraq,18720
-100000726 || COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt || bugtraq,18729
-100000727 || COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt || bugtraq,18735
-100000728 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000729 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000730 || COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740
-100000731 || COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740
-100000732 || COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740
-100000733 || COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740
-100000734 || COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740
-100000735 || COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740
-100000736 || COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740
-100000737 || COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740
-100000738 || COMMUNITY WEB-PHP Geeklog EditIP.Admin.class.php remote file include || bugtraq,18740
-100000739 || COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740
-100000740 || COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include || bugtraq,18740
-100000741 || COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include || bugtraq,18740
-100000742 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000743 || COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include || bugtraq,18750
-100000744 || COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt || bugtraq,18757
-100000745 || COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt || bugtraq,18760
-100000746 || COMMUNITY WEB-PHP Randshop header.inc.php remote file include || bugtraq,18763
-100000747 || COMMUNITY WEB-PHP Plume CMS index.php remote file include || bugtraq,18780
-100000748 || COMMUNITY WEB-PHP Plume CMS rss.php remote file include || bugtraq,18780
-100000749 || COMMUNITY WEB-PHP Plume CMS search.php remote file include || bugtraq,18780
-100000750 || COMMUNITY WEB-PHP Free QBoard index.php remote file include || bugtraq,18788
-100000751 || COMMUNITY WEB-PHP Free QBoard about.php remote file include || bugtraq,18788
-100000752 || COMMUNITY WEB-PHP Free QBoard contact.php remote file include || bugtraq,18788
-100000753 || COMMUNITY WEB-PHP Free QBoard delete.php remote file include || bugtraq,18788
-100000754 || COMMUNITY WEB-PHP Free QBoard faq.php remote file include || bugtraq,18788
-100000755 || COMMUNITY WEB-PHP Free QBoard features.php remote file include || bugtraq,18788
-100000756 || COMMUNITY WEB-PHP Free QBoard history.php remote file include || bugtraq,18788
-100000757 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
-100000758 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
-100000759 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
-100000760 || COMMUNITY WEB-PHP The Banner Engine top.php xss attempt || bugtraq,18793
-100000761 || COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt || bugtraq,18798
-100000762 || COMMUNITY WEB-PHP Randshop index.php remote file include || bugtraq,18809
-100000763 || COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access || bugtraq,18816
-100000764 || COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include || bugtraq,18834
-100000765 || COMMUNITY WEB-PHP LifeType index.php SQL injection attempt || bugtraq,18835
-100000766 || COMMUNITY WEB-PHP Blog CMS thumb.php remote file include || bugtraq,18837
-100000767 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000768 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000769 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000770 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000771 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000772 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000773 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000774 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000775 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000776 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
-100000777 || COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt || bugtraq,18839
-100000778 || COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt || bugtraq,18840
-100000779 || COMMUNITY WEB-PHP Horde index.php xss attempt || bugtraq,18845
-100000780 || COMMUNITY WEB-PHP Horde problem.php xss attempt || bugtraq,18845
-100000781 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
-100000782 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
-100000783 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
-100000784 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
-100000785 || COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt || bugtraq,18857
-100000786 || COMMUNITY WEB-PHP ATutor browse.php xss attempt || bugtraq,18857
-100000787 || COMMUNITY WEB-PHP ATutor fix_content.php xss attempt || bugtraq,18857
-100000788 || COMMUNITY WEB-PHP FreeWebshop search.php xss attempt || bugtraq,18878
-100000789 || COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt || bugtraq,18878
-100000790 || COMMUNITY WEB-PHP Pivot edit_new.php remote file include || bugtraq,18881
-100000791 || COMMUNITY WEB-PHP Pivot pv_core.php access || bugtraq,18881
-100000792 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000793 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000794 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000795 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000796 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000797 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000798 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000799 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
-100000800 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
-100000801 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
-100000802 || COMMUNITY WEB-PHP BosClassifieds index.php remote file include || bugtraq,18883
-100000803 || COMMUNITY WEB-PHP BosClassifieds recent.php remote file include || bugtraq,18883
-100000804 || COMMUNITY WEB-PHP BosClassifieds account.php remote file include || bugtraq,18883
-100000805 || COMMUNITY WEB-PHP BosClassifieds classified.php remote file include || bugtraq,18883
-100000806 || COMMUNITY WEB-PHP BosClassifieds search.php remote file include || bugtraq,18883
-100000807 || COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt || bugtraq,18893
-100000808 || COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt || bugtraq,18897
-100000809 || COMMUNITY WEB-PHP RW Download stats.php remote file include || bugtraq,18901
-100000810 || COMMUNITY WEB-PHP PHPBB download.php remote file include || bugtraq,18914
-100000811 || COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include || bugtraq,18914
-100000812 || COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include || bugtraq,18917
-100000813 || COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include || bugtraq,18917
-100000814 || COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include || bugtraq,18917
-100000815 || COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include || bugtraq,18917
-100000816 || COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include || bugtraq,18919
-100000817 || COMMUNITY WEB-PHP SMF Forum smf.php remote file include || bugtraq,18924
-100000818 || COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt || bugtraq,18928
-100000819 || COMMUNITY DELETED PhpWebGallery XSS attempt
-100000820 || COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt || bugtraq,18934
-100000821 || COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt || bugtraq,18937
-100000822 || COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt || bugtraq,18937
-100000823 || COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt || bugtraq,18937
-100000824 || COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt || bugtraq,18937
-100000825 || COMMUNITY WEB-PHP Phorum posting.php xss attempt || bugtraq,18941
-100000826 || COMMUNITY WEB-PHP Phorum search.php SQL injection attempt || bugtraq,18941
-100000827 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
-100000828 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
-100000829 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
-100000830 || COMMUNITY WEB-PHP HiveMail index.php xss attempt || bugtraq,18949
-100000831 || COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt || bugtraq,18949
-100000832 || COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt || bugtraq,18949
-100000833 || COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt || bugtraq,18949
-100000834 || COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt || bugtraq,18956
-100000835 || COMMUNITY WEB-PHP Lazarus picture.php xss attempt || bugtraq,18956
-100000836 || COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include || bugtraq,18998
-100000837 || COMMUNITY WEB-PHP MiniBB index.php remote file include || bugtraq,18998
-100000838 || COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt || bugtraq,18964
-100000839 || COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include || bugtraq,18965
-100000840 || COMMUNITY WEB-PHP FlatNuke index.php remote file include || bugtraq,18966
-100000841 || COMMUNITY WEB-PHP PerForms performs.php remote file include || bugtraq,18968
-100000842 || COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt || bugtraq,18969
-100000843 || COMMUNITY WEB-PHP Koobi Pro index.php xss attempt || bugtraq,18970
-100000844 || COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt || bugtraq,18970
-100000845 || COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt || bugtraq,18984
-100000846 || COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include || bugtraq,18990
-100000847 || COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include || bugtraq,18991
-100000848 || COMMUNITY DELETED PhpWebGallery XSS attempt || bugtraq,18798
-100000849 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000850 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000851 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000852 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
-100000853 || COMMUNITY WEB-PHP IceWarp settings.html remote file include || bugtraq,19007
-100000854 || COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include || bugtraq,19014
-100000855 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000856 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000857 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000858 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000859 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
-100000860 || COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt || bugtraq,19020
-100000861 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
-100000862 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
-100000863 || COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt || url,secunia.com/advisories/21451/
-100000864 || COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14
-100000865 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000866 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000867 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000868 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000869 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000870 || COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
-100000871 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
-100000872 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
-100000873 || COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion
-100000874 || COMMUNITY MISC DLR-TOR Directory server response || url,tor.eff.org
-100000875 || COMMUNITY MISC DLR-TOR Client Traffic || url,tor.eff.org
-100000876 || COMMUNITY MISC Google Talk Version Check
-100000877 || COMMUNITY MISC Google Talk Startup
-100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
-100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
-100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
-100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt || bugtraq,19507 || cve,2006-4144
-100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include || bugtraq,19349
-100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit || url,milw0rm.com/exploits/2295
-100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt || url,milw0rm.com/exploits/2296
-100000885 || COMMUNITY WEB-PHP pHNews access attempt || url,milw0rm.com/exploits/2298
-100000886 || COMMUNITY WEB-PHP Proxima access attempt || url,milw0rm.com/exploits/2299
-100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt || url,milw0rm.com/exploits/2291
-100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt || url,milw0rm.com/exploits/2288
-100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt || url,milw0rm.com/exploits/2292
-100000890 || COMMUNITY WEB-MISC Webmin null char attempt || bugtraq,19820 || nessus,22300
-100000891 || COMMUNITY WEB-MISC Usermin null char attempt || bugtraq,19820 || nessus,22300
-100000892 || COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html
-100000893 || COMMUNITY POLICY Weather Channel Desktop App Installer
-100000894 || COMMUNITY POLICY Weather Channel Desktop App
-100000895 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt || url,www.kb.cert.org/vuls/id/425861
-100000896 || COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt || url,www.kb.cert.org/vuls/id/425861
-100000897 || COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt || url,www.kb.cert.org/vuls/id/425861
-100000898 || COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt || url,www.kb.cert.org/vuls/id/425861
-100000899 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt || url,www.kb.cert.org/vuls/id/425861
-100000900 || COMMUNITY BOT Mytob IRC DCC file transfer request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
-100000901 || COMMUNITY BOT Mytob IRC DCC chat request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
-100000902 || COMMUNITY BOT Mytob IRC channel join || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
-100000903 || COMMUNITY BOT Mytob IRC dns request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
-100000904 || COMMUNITY BOT Mytob IRC dns response || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
-100000905 || COMMUNITY BOT Mytob IRC nick change || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
-100000906 || COMMUNITY WEB-PHP UBB.threads remote file include
-100000907 || COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include || url,www.securityfocus.com/bid/20281/info
-100000908 || COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info
-100000909 || COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include || url,www.securityfocus.com/bid/20281/info
-100000910 || COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include || url,www.securityfocus.com/bid/20281/info
-100000911 || COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
-100000912 || COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
-100000913 || COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
-100000914 || COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
-100000915 || COMMUNITY WEB-PHP Somery Include.php remote file include || bugtraq,19912
-100000916 || COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt || bugtraq,19770
-100000917 || COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt || bugtraq,20367
-100000918 || COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt || bugtraq,20367
-100000919 || COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt || bugtraq,20640 || cve,2006-5497 || url,osvdb.org/29904 || nessus,22922 || url,www.milw0rm.com/exploits/2600
-100000920 || COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include || bugtraq,20757 || url,osvdb.org/29971 || nessus,22926
-100000921 || COMMUNITY WEB-PHP PunBB register.php language variable remote file include || bugtraq,20786 || cve,2006-5735 || url,osvdb.org/30132 || nessus,22932
-100000922 || COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection || bugtraq,21135 || url,osvdb.org/30442 || url,secunia.com/advisories/22885
-100000923 || COMMUNITY DOS Single-Byte UDP Flood
-100000924 || COMMUNITY POLICY Google SafeSearch off
-100000925 || COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon || url,www.milw0rm.com/exploits/3053
-100000926 || COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon || url,www.milw0rm.com/exploits/3039
-100000927 || COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry || url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
-100000928 || COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow || bugtraq,23483 || cve,2007-1674
-100000929 || COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit || url,www.securityfocus.com/archive/1/463916
-100000930 || COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability || bugtraq,23215
-100000931 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203
-100000932 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203
-100000933 || COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability || url,securityfocus.com/archive/1/464351
-100000934 || COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability || url,securityfocus.com/archive/1/464351
diff -Nru snort-2.9.0.1/etc/gen-msg.map snort-2.9.2/etc/gen-msg.map
--- snort-2.9.0.1/etc/gen-msg.map 2010-10-25 12:48:57.000000000 -0700
+++ snort-2.9.2/etc/gen-msg.map 2011-11-21 12:15:24.000000000 -0800
@@ -40,7 +40,7 @@
 111 || 5 || spp_stream4: Data on SYN Packet
 111 || 6 || spp_stream4: Full XMAS Stealth Scan
 111 || 7 || spp_stream4: SAPU Stealth Scan
-111 || 8 || spp_stream4: FIN Stealth Scan
+111 || 8 || spp_stream4: FIN Stealth Scan
 111 || 9 || spp_stream4: NULL Stealth Scan
 111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
 111 || 11 || spp_stream4: VECNA Stealth Scan
@@ -81,45 +81,45 @@
 115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
 115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
 115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
-116 || 1 || snort_decoder: WARNING: Not IPv4 datagram!
-116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
-116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
+116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
+116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
+116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len
 116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
 116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
-116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
-116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes!
-116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5!
-116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload!
+116 || 6 || snort_decoder: WARNING: IP dgm len > captured len
+116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes
+116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5
+116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload
 116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
 116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
 116 || 56 || snort_decoder: WARNING: T/TCP Detected
 116 || 57 || snort_decoder: WARNING: Obsolete TCP options
 116 || 58 || snort_decoder: WARNING: Experimental TCP options
 116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
-116 || 95 || snort_decoder: WARNING: Truncated UDP Header!
+116 || 95 || snort_decoder: WARNING: Truncated UDP Header
 116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
 116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
 116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
-116 || 105 || snort_decoder: WARNING: ICMP Header Truncated!
-116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated!
-116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated!
-116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem!
-116 || 109 || snort_decoder: WARNING: Truncated ARP Packet!
-116 || 110 || snort_decoder: WARNING: Truncated EAP Header!
-116 || 111 || snort_decoder: WARNING: EAP Key Truncated!
-116 || 112 || snort_decoder: WARNING: EAP Header Truncated!
-116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
-116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
-116 || 131 || snort_decoder: WARNING: Bad LLC header!
-116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
-116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
-116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
-116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
-116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
-116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
-116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
-116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP!
-116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP!
+116 || 105 || snort_decoder: WARNING: ICMP Header Truncated
+116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated
+116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated
+116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem
+116 || 109 || snort_decoder: WARNING: Truncated ARP Packet
+116 || 110 || snort_decoder: WARNING: Truncated EAP Header
+116 || 111 || snort_decoder: WARNING: EAP Key Truncated
+116 || 112 || snort_decoder: WARNING: EAP Header Truncated
+116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected
+116 || 130 || snort_decoder: WARNING: Bad VLAN Frame
+116 || 131 || snort_decoder: WARNING: Bad LLC header
+116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info
+116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header
+116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info
+116 || 140 || snort_decoder: WARNING: Bad Token Ring Header
+116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header
+116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header
+116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header
+116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP
+116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP
 116 || 160 || snort_decoder: WARNING: GRE header length > payload length
 116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
 116 || 162 || snort_decoder: WARNING: Invalid GRE version
@@ -133,18 +133,18 @@
 116 || 174 || snort_decoder: WARNING: Bad use of label 3
 116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
 116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
-116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
-116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
-116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
-116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
-116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
-116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
+116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated
+116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4
+116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length
+116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits
+116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes
+116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0
 116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
 116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
 116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
 116 || 273 || snort_decoder: WARNING: IPV6 truncated header
-116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
-116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
+116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len
+116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len
 116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
 116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
 116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
@@ -165,9 +165,11 @@
 116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
 116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
 116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
-116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
-116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
-116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected!
+116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
+116 || 298 || snort_decoder: WARNING: GTP header length is invalid
+116 || 400 || snort_decoder: WARNING: XMAS Attack Detected
+116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected
+116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected
 116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
 116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
 116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
@@ -218,8 +220,12 @@
 116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
 116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
 116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
-117 || 1 || spp_portscan2: Portscan detected!
-118 || 1 || spp_conversation: Bad IP protocol!
+116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
+116 || 454 || snort_decoder: WARNING: PGM NAK overflow
+116 || 455 || snort_decoder: WARNING: IGMP options dos
+116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
+117 || 1 || spp_portscan2: Portscan detected
+118 || 1 || spp_conversation: Bad IP protocol
 119 || 1 || http_inspect: ASCII ENCODING
 119 || 2 || http_inspect: DOUBLE DECODING ATTACK
 119 || 3 || http_inspect: U ENCODING
@@ -243,11 +249,24 @@
 119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
 119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
 119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
+119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
+119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
+119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
+119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
+119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
+119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION
+119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT
 120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
 120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
 120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
 120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
 120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
+120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
+120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
+120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
+120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
+120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
+120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
 121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
 121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
 121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
@@ -300,6 +319,11 @@
 124 || 6 || smtp: Illegal command
 124 || 7 || smtp: Attempted header name buffer overflow
 124 || 8 || smtp: Attempted X-Link2State command buffer overflow
+124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
+124 || 10 || smtp: Base64 Decoding failed
+124 || 11 || smtp: Quoted-Printable Decoding failed
+124 || 12 || smtp: 7bit/8bit/binary/text Extraction failed
+124 || 13 || smtp: Unix-to-Unix Decoding failed
 125 || 1 || ftp_pp: Telnet command on FTP command channel
 125 || 2 || ftp_pp: Invalid FTP command
 125 || 3 || ftp_pp: FTP parameter length overflow
@@ -312,8 +336,8 @@
 126 || 1 || telnet_pp: Telnet consecutive AYT overflow
 126 || 2 || telnet_pp: Telnet data encrypted
 126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
-128 || 1 || ssh: Gobbles exploit
-128 || 2 || ssh: SSH1 CRC32 exploit
+128 || 1 || ssh: Gobbles exploit
+128 || 2 || ssh: SSH1 CRC32 exploit
 128 || 3 || ssh: Server version string overflow
 128 || 4 || ssh: Protocol mismatch
 128 || 5 || ssh: Bad message direction
@@ -329,7 +353,7 @@
 129 || 8 || stream5: Data sent on stream after TCP Reset
 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
-129 || 11 || stream5: TCP Data with no TCP Flags set
+129 || 11 || stream5: TCP Data with no TCP Flags set
 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
 129 || 13 || stream5: TCP 4-way handshake detected
 129 || 14 || stream5: TCP Timestamp is missing
@@ -385,15 +409,17 @@
 133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
 133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
 133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
-133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
-133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
-133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
-133 || 47 || dcerpc2: SMB - Excessive command compounding
+#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
+#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
+#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
+#133 || 47 || dcerpc2: SMB - Excessive command compounding
 134 || 1 || ppm: rule tree disabled
 134 || 2 || ppm: rule tree enabled
 135 || 1 || internal: syn received
 135 || 2 || internal: session established
 135 || 3 || internal: session cleared
+136 || 1 || reputation: Packet is blacklisted
+136 || 2 || reputation: Packet is whitelisted
 137 || 1 || ssp_ssl: Invalid Client HELLO after Server HELLO Detected
 137 || 2 || ssp_ssl: Invalid Server HELLO without Client HELLO Detected
 138 || 2 || sensitive_data: sensitive data - Credit card numbers
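Review bot: The four dcerpc2 SMB entries 133:44–47 are disabled by prefixing `#` with nothing saying why, so a reader cannot tell whether the preprocessor stopped raising these events or whether the message text was wrong. Assuming the map reader treats a leading `#` as a comment, any consumer that still receives one of these gid:sid pairs now has no message for it, which is worth stating explicitly. A one-line comment above the block, e.g. `# 133:44-47 disabled intentionally: <reason>`, would make the intent clear to whoever next touches this file.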
@@ -402,3 +428,55 @@
 138 || 5 || sensitive_data: sensitive data - eMail addresses
 138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
 139 || 1 || sensitive_data: sensitive data global threshold exceeded
+140 || 1 || sip: Maximum sessions reached
+140 || 2 || sip: Empty request URI
+140 || 3 || sip: URI is too long
+140 || 4 || sip: Empty call-Id
+140 || 5 || sip: Call-Id is too long
+140 || 6 || sip: CSeq number is too large or negative
+140 || 7 || sip: Request name in CSeq is too long
+140 || 8 || sip: Empty From header
+140 || 9 || sip: From header is too long
+140 || 10 || sip: Empty To header
+140 || 11 || sip: To header is too long
+140 || 12 || sip: Empty Via header
+140 || 13 || sip: Via header is too long
+140 || 14 || sip: Empty Contact
+140 || 15 || sip: Contact is too long
+140 || 16 || sip: Content length is too large or negative
+140 || 17 || sip: Multiple SIP messages in a packet
+140 || 18 || sip: Content length mismatch
+140 || 19 || sip: Request name is invalid
+140 || 20 || sip: Invite replay attack
+140 || 21 || sip: Illegal session information modification
+140 || 22 || sip: Response status code is not a 3 digit number
+140 || 23 || sip: Empty Content type
+140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
+140 || 25 || sip: Mismatch in Method of request and the CSEQ header
+140 || 26 || sip: The method is unknown
+141 || 1 || imap: Unknown IMAP4 command
+141 || 2 || imap: Unknown IMAP4 response
+141 || 3 || imap: No memory available for decoding. Memcap exceeded.
+141 || 4 || imap: Base64 Decoding failed
+141 || 5 || imap: Quoted-Printable Decoding failed
+141 || 6 || imap: 7bit/8bit/binary/text Extraction failed
+141 || 7 || imap: Unix-to-Unix Decoding failed
+142 || 1 || pop: Unknown POP3 command
+142 || 2 || pop: Unknown POP3 response
+142 || 3 || pop: No memory available for decoding. Memcap exceeded.
+142 || 4 || pop: Base64 Decoding failed
+142 || 5 || pop: Quoted-Printable Decoding failed
+142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
+142 || 7 || pop: Unix-to-Unix Decoding failed
+143 || 1 || gtp: Message length is invalid
+143 || 2 || gtp: Information element length is invalid
+143 || 3 || gtp: Information elements are out of order
+144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
+144 || 2 || modbus: Modbus protocol ID is non-zero.
+144 || 3 || modbus: Reserved Modbus function code in use.
+145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
+145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
+145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
+145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
+145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
+145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.
diff -Nru snort-2.9.0.1/etc/Makefile.in snort-2.9.2/etc/Makefile.in
--- snort-2.9.0.1/etc/Makefile.in 2010-10-08 02:56:52.000000000 -0700
+++ snort-2.9.2/etc/Makefile.in 2011-12-07 11:23:17.000000000 -0800
@@ -58,7 +58,9 @@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
+CCONFIGFLAGS = @CCONFIGFLAGS@
 CFLAGS = @CFLAGS@
+CONFIGFLAGS = @CONFIGFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -73,6 +75,7 @@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
+ICONFIGFLAGS = @ICONFIGFLAGS@
 INCLUDES = @INCLUDES@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
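Review bot: The new modbus and dnp3 messages (144:1–3, 145:1–6) end with a full stop, while the rest of the map — including the sip, gtp, imap and pop entries added in the same hunk — does not, and the earlier hunks of this file strip trailing `!` for exactly this kind of consistency; dropping the periods, e.g. `144 || 2 || modbus: Modbus protocol ID is non-zero`, keeps the message text uniform for consumers that display or match on it. Two smaller inconsistencies in the same hunk: `140 || 4 || sip: Empty call-Id` against `Call-Id` on the following line, and `140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid` reads better as `... is invalid`.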
@@ -109,13 +112,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
diff -Nru snort-2.9.0.1/etc/snort.conf snort-2.9.2/etc/snort.conf
--- snort-2.9.0.1/etc/snort.conf 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/etc/snort.conf 2011-12-07 11:24:50.000000000 -0800
@@ -10,10 +10,16 @@
 # Snort bugs: bugs@snort.org # # Compatible with Snort Versions: -# VERSIONS : 2.9.0 +# VERSIONS : 2.9.2.0 # # Snort build options: -# OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib +# OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 +# +# Additional information: +# This configuration file enables active response, to run snort in +# test mode -T you are required to supply an interface -i +# or test mode will fail to fully validate the configuration and +# exit with a FATAL error #-------------------------------------------------- ###################################################
@@ -27,6 +33,8 @@ # 5) Configure preprocessors # 6) Configure output plugins # 7) Customize your rule set +# 8) Customize preprocessor and decoder rule set +# 9) Customize shared object rule set ################################################### ################################################### @@ -34,32 +42,37 @@ ################################################### # Setup the network addresses you are protecting -var HOME_NET any +ipvar HOME_NET any # Set up the external network addresses. Leave as "any" in most situations -var EXTERNAL_NET any -#var EXTERNAL_NET !$HOME_NET +ipvar EXTERNAL_NET any # List of DNS servers on your network -var DNS_SERVERS $HOME_NET +ipvar DNS_SERVERS $HOME_NET # List of SMTP servers on your network -var SMTP_SERVERS $HOME_NET +ipvar SMTP_SERVERS $HOME_NET # List of web servers on your network -var HTTP_SERVERS $HOME_NET +ipvar HTTP_SERVERS $HOME_NET # List of sql servers on your network -var SQL_SERVERS $HOME_NET +ipvar SQL_SERVERS $HOME_NET # List of telnet servers on your network -var TELNET_SERVERS $HOME_NET +ipvar TELNET_SERVERS $HOME_NET # List of ssh servers on your network -var SSH_SERVERS $HOME_NET +ipvar SSH_SERVERS $HOME_NET + +# List of ftp servers on your network +ipvar FTP_SERVERS $HOME_NET + +# List of sip servers on your network +ipvar SIP_SERVERS $HOME_NET # List of ports you run web servers on -portvar HTTP_PORTS [80,311,591,593,901,1220,1414,2301,2381,2809,3128,3702,7777,7779,8000,8008,8028,8080,8118,8123,8180,8243,8280,8888,9443,9999,11371] +portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371] # List of ports you want to look for SHELLCODE on. portvar SHELLCODE_PORTS !80 
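Review bot: `ipvar EXTERNAL_NET any` together with `ipvar HOME_NET any` makes every `$EXTERNAL_NET -> $HOME_NET` rule match regardless of which side is the protected network, and the hunk also drops the commented hint `#var EXTERNAL_NET !$HOME_NET` that told an operator how to tighten it. Keeping the hint, now as `#ipvar EXTERNAL_NET !$HOME_NET`, costs nothing and is the one line most deployments need to change after setting HOME_NET. The switch from `var` to `ipvar` for the address lists is the right call, since these hold IP lists rather than arbitrary strings.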
@@ -70,15 +83,21 @@ # List of ports you want to look for SSH connections on: portvar SSH_PORTS 22 +# List of ports you run ftp servers on +portvar FTP_PORTS [21,2100,3535] + +# List of ports you run SIP servers on +portvar SIP_PORTS [5060,5061,5600] + # other variables, these should not be modified -var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] +ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules -var RULE_PATH /etc/snort/rules -var SO_RULE_PATH /etc/snort/so_rules -var PREPROC_RULE_PATH /etc/snort/preproc_rules +var RULE_PATH ../rules +var SO_RULE_PATH ../so_rules +var PREPROC_RULE_PATH ../preproc_rules ################################################### # Step #2: Configure the decoder. For more information, see README.decode 
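Review bot: `var RULE_PATH ../rules`, and the `SO_RULE_PATH` and `PREPROC_RULE_PATH` lines below it, are relative to Snort's working directory at start-up, so the same file loads a different rule set — or none — depending on where the daemon is launched from; the comment two lines above already warns Windows users to use an absolute path for exactly this reason, and the values being removed (`/etc/snort/rules` etc.) were absolute. For a configuration that is installed system-wide these should stay absolute, e.g. `var RULE_PATH /etc/snort/rules`; if the relative form is deliberate for running from the source tree, a comment saying so would stop packagers from treating it as an oversight. The new `SIP_PORTS [5060,5061,5600]` matches the `ports { 5060 5061 5600 }` given to the sip preprocessor later in the diff, which is good.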
@@ -118,13 +137,47 @@ # config ignore_ports: tcp 21 6667:6671 1356 # config ignore_ports: udp 1:17 53 +# Configure active response for non inline operation. For more information, see REAMDE.active +# config response: eth0 attempts 2 + +# Configure DAQ related options for inline operation. For more information, see README.daq +# +# config daq: +# config daq_dir: +# config daq_mode: +# config daq_var: +# +# ::= pcap | afpacket | dump | nfq | ipq | ipfw +# ::= read-file | passive | inline +# ::= arbitrary = ::= path as to where to look for DAQ module so's + +# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options +# +# config set_gid: +# config set_uid: + +# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README +# +# config snaplen: +# + +# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F) +# +# config bpf_file: +# + +# Configure default log directory for snort to log to. For more information see snort -h command line options (-l) +# +# config logdir: + ################################################### # Step #3: Configure the base detection engine. For more information, see README.decode ################################################### # Configure PCRE match limitations -config pcre_match_limit: 1500 +config pcre_match_limit: 3500 config pcre_match_limit_recursion: 1500 # Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config 
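Review bot: The new comment `For more information, see REAMDE.active` misspells the file name; it should read `README.active`, matching the `README.daq` reference a few lines further down. The commented `config set_gid:` / `config set_uid:` examples are the lines an operator should actually enable so that the detection engine does not keep running as root after capture is set up; a short note saying that this is the recommended production setting would make the example more than decorative. The `pcre_match_limit` increase from 1500 to 3500 raises the per-packet backtracking budget, which is a deliberate trade of resource use against rule coverage and deserves a one-line comment on why it was chosen.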
@@ -133,11 +186,8 @@ # Configure the event queue. For more information, see README.event_queue config event_queue: max_queue 8 log 3 order_events content_length -# Configure Inline Resets. See README.INLINE -# config layer2resets: 00:06:76:DD:5F:E3 - ################################################### -# Inline latency enforcement +# Per packet and rule latency enforcement # For more information see README.ppm ################################################### 
@@ -154,70 +204,94 @@ # rule-log alert ################################################### +# Configure Perf Profiling for debugging +# For more information see README.PerfProfiling +################################################### + +#config profile_rules: print all, sort avg_ticks +#config profile_preprocs: print all, sort avg_ticks + +################################################### # Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules ################################################### # path to dynamic preprocessor libraries -dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ +dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ # path to base preprocessor engine -dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so +dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so # path to dynamic rules libraries -# dynamicdetection directory /usr/lib/snort_dynamicrules +dynamicdetection directory /usr/local/lib/snort_dynamicrules ################################################### # Step #5: Configure preprocessors # For more information, see the Snort Manual, Configuring Snort - Preprocessors ################################################### +# Inline packet normalization. For more information, see README.normalize +# Does nothing in IDS mode +preprocessor normalize_ip4 +preprocessor normalize_tcp: ips ecn stream +preprocessor normalize_icmp4 +preprocessor normalize_ip6 +preprocessor normalize_icmp6 + # Target-based IP defragmentation. For more inforation, see README.frag3 preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180 # Target-Based stateful inspection/stream reassembly. 
For more inforation, see README.stream5 -preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no +preprocessor stream5_global: track_tcp yes, \ + track_udp yes, \ + track_icmp no, \ + max_tcp 262144, \ + max_udp 131072, \ + max_active_responses 2, \ + min_response_seconds 5 preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \ overlap_limit 10, small_segments 3 bytes 150, timeout 180, \ ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \ - 161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \ - 7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ - ports both 80 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 2301 2381 2809 3128 3702 6907 7702 7777 7779 \ + 161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \ + 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ + ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ - 7917 7918 7919 7920 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888 9443 9999 11371 + 7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 preprocessor stream5_udp: timeout 180 # performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 # HTTP normalization and anomaly detection. 
For more information, see README.http_inspect -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480 +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ chunk_length 500000 \ server_flow_depth 0 \ client_flow_depth 0 \ post_depth 65495 \ - oversize_dir_length 500 \ + oversize_dir_length 500 \ max_header_length 750 \ max_headers 100 \ - ports { 80 311 591 593 901 1220 1414 2301 2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888 9443 9999 11371 } \ + ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 } \ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ enable_cookie \ extended_response_inspection \ inspect_gzip \ + normalize_utf \ + unlimited_decompress \ apache_whitespace no \ ascii no \ bare_byte no \ - directory no \ - double_decode no \ - iis_backslash no \ - iis_delimiter no \ - iis_unicode no \ - multi_slash no \ - non_strict \ - u_encode yes \ - webroot no + directory no \ + double_decode no \ + iis_backslash no \ + iis_delimiter no \ + iis_unicode no \ + multi_slash no \ + utf_8 no \ + u_encode yes \ + webroot no # ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete 
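Review bot: Port 8181 is added to `HTTP_PORTS` and to the http_inspect_server `ports { ... }` list, but in the stream5_tcp stanza it is placed in `ports client` rather than `ports both`, so server-to-client data on 8181 is not reassembled for the response-side checks that `extended_response_inspection` and `inspect_gzip` rely on; if 8181 is meant as an HTTP port, as the other two lists say, it belongs in `ports both` with the rest. The rewrite also silently drops `non_strict` from http_inspect_server, which changes how non-RFC request lines are handled and deserves a one-line comment. `dynamicdetection directory /usr/local/lib/snort_dynamicrules` is uncommented and, together with the two other `/usr/local/lib` paths, assumes a source install; on a packaged system those directories may be absent and, as far as I recall, Snort then refuses to start.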
@@ -260,7 +334,7 @@ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ cmd_validity ALLO < int [ char R int ] > \ - cmd_validity EPSV < { char 12|string } > \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ cmd_validity MACB < string > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity MODE < char ASBCZ > \ @@ -278,6 +352,14 @@ # SMTP normalization and anomaly detection. For more information, see README.SMTP preprocessor smtp: ports { 25 465 587 691 } \ inspection_type stateful \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 \ + log_mailfrom \ + log_rcptto \ + log_filename \ + log_email_hdrs \ normalize cmds \ normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ 
@@ -318,17 +400,66 @@ preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] # DNS anomaly detection. For more information, see README.dns preprocessor dns: ports { 53 } enable_rdata_overflow # SSL anomaly detection and traffic bypass. For more information, see README.ssl -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted +preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted # SDF sensitive data preprocessor. For more information see README.sensitive_data preprocessor sensitive_data: alert_threshold 25 +# SIP Session Initiation Protocol preprocessor. For more information see README.sip +preprocessor sip: max_sessions 10000, \ + ports { 5060 5061 5600 }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_uri_len 512, \ + max_call_id_len 80, \ + max_requestName_len 20, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_contact_len 512, \ + max_content_len 1024 + +# IMAP preprocessor. For more information see README.imap +preprocessor imap: \ + ports { 143 } \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +# POP preprocessor. 
For more information see README.pop +preprocessor pop: \ + ports { 110 } \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + ################################################### # Step #6: Configure output plugins # For more information, see Snort Manual, Configuring Snort - Output Modules @@ -346,19 +477,11 @@ # output alert_syslog: LOG_AUTH LOG_ALERT # pcap -output log_tcpdump: tcpdump.log +# output log_tcpdump: tcpdump.log # database # output database: alert, , user= password= test dbname= host= # output database: log, , user= password= test dbname= host= -# -# On Debian Systems, the database configuration is kept in a separate file: -# /etc/snort/database.conf. -# This file can be empty, if you are not using any database information -# If you are using databases, please edit that file instead of this one, to -# ensure smoother upgrades to future versions of this package. -include database.conf -# # prelude # output alert_prelude 
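Review bot: `smb_invalid_shares ["C$", "D$", "ADMIN$"]` turns every connection to a default administrative share into an alert, which on a network with routine remote administration is noisy; the line would benefit from a comment stating that intent, e.g. `# alert on access to default admin shares; tune for hosts that legitimately use them`. The new imap and pop stanzas set all four decode depths to `0`; if `0` means unlimited here as it does, I believe, for the matching smtp options, a comment saying so would stop readers from taking it as "decoding disabled", and it also means decoding work is bounded only by the preprocessor's memcap. The sip `methods { ... }` list is the documented default set, so a comment noting that it is intentionally exhaustive would save the next reader from trimming it.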
@@ -381,47 +504,38 @@
 include $RULE_PATH/attack-responses.rules
 include $RULE_PATH/backdoor.rules
 include $RULE_PATH/bad-traffic.rules
+include $RULE_PATH/blacklist.rules
+include $RULE_PATH/botnet-cnc.rules
 include $RULE_PATH/chat.rules
 include $RULE_PATH/content-replace.rules
 include $RULE_PATH/ddos.rules
 include $RULE_PATH/dns.rules
 include $RULE_PATH/dos.rules
-include $RULE_PATH/community-dos.rules
 include $RULE_PATH/exploit.rules
-include $RULE_PATH/community-exploit.rules
 include $RULE_PATH/finger.rules
 include $RULE_PATH/ftp.rules
-include $RULE_PATH/community-ftp.rules
 include $RULE_PATH/icmp.rules
 include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/imap.rules
-include $RULE_PATH/community-imap.rules
 include $RULE_PATH/info.rules
 include $RULE_PATH/misc.rules
 include $RULE_PATH/multimedia.rules
 include $RULE_PATH/mysql.rules
 include $RULE_PATH/netbios.rules
 include $RULE_PATH/nntp.rules
-include $RULE_PATH/community-nntp.rules
 include $RULE_PATH/oracle.rules
-include $RULE_PATH/community-oracle.rules
 include $RULE_PATH/other-ids.rules
 include $RULE_PATH/p2p.rules
+include $RULE_PATH/phishing-spam.rules
 include $RULE_PATH/policy.rules
-# include $RULE_PATH/community-policy.rules
-# include $RULE_PATH/community-inappropriate.rules
-# include $RULE_PATH/community-game.rules
-# include $RULE_PATH/community-misc.rules
 include $RULE_PATH/pop2.rules
 include $RULE_PATH/pop3.rules
 include $RULE_PATH/rpc.rules
 include $RULE_PATH/rservices.rules
-# include $RULE_PATH/scada.rules
+include $RULE_PATH/scada.rules
 include $RULE_PATH/scan.rules
-# Note: this rule is extremely chatty, enable with care
 include $RULE_PATH/shellcode.rules
 include $RULE_PATH/smtp.rules
-include $RULE_PATH/community-smtp.rules
 include $RULE_PATH/snmp.rules
 include $RULE_PATH/specific-threats.rules
 include $RULE_PATH/spyware-put.rules
@@ -429,12 +543,8 @@
 include $RULE_PATH/telnet.rules
 include $RULE_PATH/tftp.rules
 include $RULE_PATH/virus.rules
-include $RULE_PATH/community-virus.rules
-include $RULE_PATH/community-bot.rules
 include $RULE_PATH/voip.rules
-include $RULE_PATH/community-sip.rules
-# Specific web server rules:
-# include $RULE_PATH/web-activex.rules
+include $RULE_PATH/web-activex.rules
 include $RULE_PATH/web-attacks.rules
 include $RULE_PATH/web-cgi.rules
 include $RULE_PATH/web-client.rules
@@ -443,13 +553,6 @@
 include $RULE_PATH/web-iis.rules
 include $RULE_PATH/web-misc.rules
 include $RULE_PATH/web-php.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/community-sql-injection.rules
-include $RULE_PATH/community-web-client.rules
-include $RULE_PATH/community-web-dos.rules
-include $RULE_PATH/community-web-iis.rules
-include $RULE_PATH/community-web-misc.rules
-include $RULE_PATH/community-web-php.rules
 include $RULE_PATH/x11.rules

 ###################################################
@@ -478,8 +581,11 @@
 # include $SO_RULE_PATH/multimedia.rules
 # include $SO_RULE_PATH/netbios.rules
 # include $SO_RULE_PATH/nntp.rules
+# include $SO_RULE_PATH/pop3.rules
 # include $SO_RULE_PATH/p2p.rules
 # include $SO_RULE_PATH/smtp.rules
+# include $SO_RULE_PATH/snmp.rules
+# include $SO_RULE_PATH/specific-threats.rules
 # include $SO_RULE_PATH/sql.rules
 # include $SO_RULE_PATH/web-activex.rules
 # include $SO_RULE_PATH/web-client.rules
diff -Nru snort-2.9.0.1/etc/unicode.map snort-2.9.2/etc/unicode.map
--- snort-2.9.0.1/etc/unicode.map 2003-10-20 08:03:04.000000000 -0700
+++ snort-2.9.2/etc/unicode.map 2011-07-13 15:43:17.000000000 -0700
@@ -1,104 +1,408 @@ -# Windows Version: 5.00.2195 -# OEM codepage: 437 -# ACP codepage: 1252 - -# INSTALLED CODEPAGES -10000 (MAC - Roman) - - -10079 (MAC - Icelandic) - - -1250 (ANSI - Central Europe) -00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 
212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1251 (ANSI - Cyrillic) -00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 
ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1252 (ANSI - Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 
2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1253 (ANSI - Greek) -00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1254 
(ANSI - Turkish) -00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 
2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1255 (ANSI - Hebrew) -0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1256 (ANSI - Arabic) -00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 
ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1257 (ANSI - Baltic) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1258 (ANSI/OEM - Viet Nam) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 1361 -20127 (US-ASCII) -00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -20261 (T.61) -f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f - -20866 (Russian - KOI8) -00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 
0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e - -28591 (ISO 8859-1 Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 
014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -28592 (ISO 8859-2 Central Europe) -00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 
00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d 
ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 28595 -#INVALID CODEPAGE: 28597 -28605 (ISO 8859-15 Latin 9) -00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a 
ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -37 (IBM EBCDIC - U.S./Canada) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f - -437 (OEM - United States) -00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 
0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -500 (IBM EBCDIC - International) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 
00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 - -850 (OEM - Multilingual Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 
2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -860 (OEM - Portuguese) -00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 
2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -861 (OEM - Icelandic) -00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 
01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -863 (OEM - Canadian French) -00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 
012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 
2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -865 (OEM - Nordic) -00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 
2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 - -874 (ANSI/OEM - Thai) -00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -932 (ANSI/OEM - Japanese Shift-JIS) -00a1:21 
00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -936 (ANSI/OEM - Simplified Chinese GBK) -00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 - -949 (ANSI/OEM - Korean) -00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c - -950 (ANSI/OEM - Traditional Chinese Big5) -00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -65000 (UTF-7) - - -65001 (UTF-8) - - +# Windows Version: 6.01.7601 +# OEM codepage: 437 +# ACP codepage: 1252 + +# INSTALLED CODEPAGES +10081 (MAC - Turkish) + + +1254 (ANSI 
- Turkish) +00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 
253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +857 (OEM - Turkish) +00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 
019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c7:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02d8:5e 02dc:7e 0300:60 0302:5e 0303:7e 0306:5e 030c:5e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2215:2f 2216:5c 2217:2a 2219:07 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:7d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 
ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20905 (IBM EBCDIC - Turkish) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:68 005e:5f 005f:6d 007b:48 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c4:63 00c7:4a 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7b 00dc:7f 00df:59 00e0:44 00e1:45 00e2:42 00e4:43 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 010a:67 010b:47 011e:5a 0130:5b 0131:79 015e:7c 015f:6a ff01:4f ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:68 ff3e:5f ff3f:6d ff5b:48 + +28593 (ISO 8859-3 Latin 3) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b9:31 00ba:6f 00bb:3e 00c3:41 00c5:41 00c6:41 00d0:44 00d5:4f 00d8:4f 00dd:59 00e3:61 00e5:61 00e6:61 00f5:6f 00f8:6f 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 0122:47 0123:67 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 
014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1026 (IBM EBCDIC - Turkish (Latin-5)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 
003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:68 005e:5f 005f:6d 007b:48 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:4a 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7b 00dc:7f 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 011e:5a 0130:5b 0131:79 015e:7c 015f:6a ff01:4f ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:68 ff3e:5f ff3f:6d ff5b:48 + +10003 (MAC - Korean) +00a6:7c 00ae:52 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +949 (ANSI/OEM - Korean) +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +1361 (Korean - Johab) +20a9:5c + +20833 (IBM EBCDIC - Korean Extended) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 
0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:70 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a2:4a 00a6:6a 00ac:5f ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:70 ff3f:6d ff40:79 ff5c:4f ffa0:42 ffa1:43 ffa2:44 ffa3:45 ffa4:46 ffa5:47 ffa6:48 ffa7:49 ffa8:52 ffa9:53 ffaa:54 ffab:55 ffac:56 ffad:57 ffae:58 ffaf:59 ffb0:62 ffb1:63 ffb2:64 ffb3:65 ffb4:66 ffb5:67 ffb6:68 ffb7:69 ffb8:72 ffb9:73 ffba:74 ffbb:75 ffbc:76 ffbd:77 ffbe:78 + +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +50225 (ISO-2022 Korean) + + +51949 (EUC-Korean) +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +500 (IBM EBCDIC - International) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 
0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 + +10004 (MAC - Arabic) + + +1256 (ANSI - Arabic) +00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 0660:30 0661:31 0662:32 0663:33 0664:34 0665:35 0666:36 0667:37 0668:38 0669:39 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +720 (Arabic - Transparent ASMO) +ff01:21 ff02:22 ff03:23 
ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +708 (Arabic - ASMO) + + +864 (OEM - Arabic) +00a7:15 00b6:14 066a:25 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 2550:05 2551:06 2554:0d 2557:0c 255a:0e 255d:0f 2560:0a 2563:08 2566:09 2569:0b 256c:07 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 263a:01 263c:04 266a:02 266b:03 + +20420 (IBM EBCDIC - Arabic) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 060c:79 0621:46 0622:47 0623:49 0624:52 0626:55 0627:56 0628:58 0629:62 062a:63 062b:65 062c:67 062d:69 062e:71 062f:73 0630:74 0631:75 0632:76 0633:77 0640:44 0651:42 066a:6c 066c:4b 066d:5c f8f6:77 f8fc:45 fe7c:42 fe7d:43 fe80:46 fe81:47 fe82:48 fe83:49 fe84:51 fe85:52 fe86:52 fe8b:55 fe8c:55 fe8d:56 fe8e:57 fe8f:58 fe90:58 fe91:59 fe92:59 
fe93:62 fe94:62 fe95:63 fe96:63 fe97:64 fe98:64 fe99:65 fe9a:65 fe9b:66 fe9c:66 fe9d:67 fe9e:67 fe9f:68 fea0:68 fea1:69 fea2:69 fea3:70 fea4:70 fea5:71 fea6:71 fea7:72 fea8:72 fea9:73 feaa:73 feab:74 feac:74 fead:75 feae:75 feaf:76 feb0:76 feb3:78 feb4:78 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff5c:4f + +28596 (ISO 8859-6 Arabic) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 
0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10008 (MAC - Simplified Chinese GB 2312) + + +936 (ANSI/OEM - Simplified Chinese GBK) +00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 + +52936 (HZ-GB2312 Simplified Chinese) + + +54936 (GB18030 Simplified Chinese) + + +20936 (Simplified Chinese GB2312) + + +50227 (ISO-2022 Simplified Chinese) + + +10029 (MAC - Latin II) + + +775 (OEM - Baltic) +00a1:21 00a5:59 00aa:61 00ba:6f 00c0:41 00c3:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d9:55 00db:55 00e0:61 00e3:61 00e8:63 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 
00f9:75 00fb:75 00ff:79 0108:43 0109:63 010a:43 010b:63 0114:45 0115:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012c:49 012d:69 0130:49 0131:69 0134:4a 0135:6a 014e:4f 014f:6f 0152:4f 0153:6f 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016c:55 016d:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 03bc:75 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 201a:27 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2213:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:5d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c 
ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1257 (ANSI - Baltic) +ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28594 (ISO 8859-4 Baltic) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c7:43 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d9:55 00dd:59 00e0:61 00e7:63 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f9:75 00fd:79 00ff:79 0102:41 0103:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010e:44 010f:64 0114:45 0115:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0126:48 0127:68 012c:49 012d:69 0130:49 0131:69 0134:4a 0135:6a 0139:4c 
013a:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0147:4e 0148:6e 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28603 (ISO 8859-13 Latin 7) +00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c7:43 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d9:55 00da:55 00db:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e7:63 00e8:65 
00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f4:6f 00f9:75 00fa:75 00fb:75 00fd:79 00ff:79 0102:41 0103:61 0108:43 0109:63 010a:43 010b:63 010e:44 010f:64 0114:45 0115:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0128:49 0129:69 012c:49 012d:69 0130:49 0134:4a 0135:6a 0139:4c 013a:6c 013d:4c 013e:6c 0147:4e 0148:6e 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0158:52 0159:72 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0168:55 0169:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0174:57 0175:77 0176:59 0177:79 0178:59 017f:73 01a0:4f 01a1:6f 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01e0:41 01e1:61 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 01f4:47 01f5:67 01f8:4e 01f9:6e 0200:41 0201:61 0202:41 0203:61 0204:45 0205:65 0206:45 0207:65 0208:49 0209:69 020a:49 020b:69 020c:4f 020d:6f 020e:4f 020f:6f 0210:52 0211:72 0212:52 0213:72 0214:55 0215:75 0216:55 0217:75 0218:53 0219:73 021a:54 021b:74 021e:48 021f:68 0226:41 0227:61 0228:45 0229:65 022e:4f 022f:6f 0230:4f 0231:6f 0232:59 0233:79 02b0:68 02b2:6a 02b3:72 02b7:77 02b8:79 02e1:6c 02e2:73 02e3:78 037e:3b 1e00:41 1e01:61 1e02:42 1e03:62 1e04:42 1e05:62 1e06:42 1e07:62 1e08:43 1e09:63 1e0a:44 1e0b:64 1e0c:44 1e0d:64 1e0e:44 1e0f:64 1e10:44 1e11:64 1e12:44 1e13:64 1e18:45 1e19:65 1e1a:45 1e1b:65 1e1c:45 1e1d:65 1e1e:46 1e1f:66 1e20:47 1e21:67 1e22:48 1e23:68 1e24:48 1e25:68 1e26:48 1e27:68 1e28:48 1e29:68 1e2a:48 1e2b:68 1e2c:49 1e2d:69 1e2e:49 1e2f:69 1e30:4b 1e31:6b 1e32:4b 1e33:6b 1e34:4b 1e35:6b 1e36:4c 1e37:6c 1e38:4c 1e39:6c 1e3a:4c 1e3b:6c 1e3c:4c 1e3d:6c 1e3e:4d 1e3f:6d 1e40:4d 1e41:6d 1e42:4d 1e43:6d 1e44:4e 1e45:6e 1e46:4e 1e47:6e 1e48:4e 1e49:6e 1e4a:4e 1e4b:6e 1e54:50 1e55:70 1e56:50 1e57:70 1e58:52 1e59:72 1e5a:52 1e5b:72 1e5c:52 1e5d:72 1e5e:52 1e5f:72 1e60:53 1e61:73 1e62:53 1e63:73 1e68:53 1e69:73 1e6a:54 1e6b:74 1e6c:54 1e6d:74 1e6e:54 1e6f:74 1e70:54 
1e71:74 1e72:55 1e73:75 1e74:55 1e76:55 1e77:75 1e78:55 1e79:75 1e7c:56 1e7d:76 1e7e:56 1e7f:76 1e80:57 1e81:77 1e82:57 1e83:77 1e84:57 1e85:77 1e86:57 1e87:77 1e88:57 1e89:77 1e8a:58 1e8b:78 1e8c:58 1e8d:78 1e8e:59 1e8f:79 1e90:5a 1e91:7a 1e92:5a 1e93:7a 1e94:5a 1e95:7a 1e96:68 1e97:74 1e98:77 1e99:79 1e9b:73 1ea0:41 1ea1:61 1ea2:41 1ea3:61 1ea4:41 1ea5:61 1ea6:41 1ea7:61 1ea8:41 1ea9:61 1eaa:41 1eab:61 1eac:41 1ead:61 1eae:41 1eaf:61 1eb0:41 1eb1:61 1eb2:41 1eb3:61 1eb4:41 1eb5:61 1eb6:41 1eb7:61 1eb8:45 1eb9:65 1eba:45 1ebb:65 1ebc:45 1ebd:65 1ebe:45 1ebf:65 1ec0:45 1ec1:65 1ec2:45 1ec3:65 1ec4:45 1ec5:65 1ec6:45 1ec7:65 1ec8:49 1ec9:69 1eca:49 1ecb:69 1ecc:4f 1ecd:6f 1ece:4f 1ecf:6f 1ed0:4f 1ed1:6f 1ed2:4f 1ed3:6f 1ed4:4f 1ed5:6f 1ed6:4f 1ed7:6f 1ed8:4f 1ed9:6f 1eda:4f 1edb:6f 1edc:4f 1edd:6f 1ede:4f 1edf:6f 1ee0:4f 1ee1:6f 1ee2:4f 1ee3:6f 1ee4:55 1ee5:75 1ee6:55 1ee7:75 1ee8:55 1ee9:75 1eea:55 1eeb:75 1eec:55 1eed:75 1eee:55 1eef:75 1ef0:55 1ef1:75 1ef2:59 1ef3:79 1ef4:59 1ef5:79 1ef6:59 1ef7:79 1ef8:59 1ef9:79 1fef:60 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2007:20 2008:20 2009:20 200a:20 2024:2e 202f:20 205f:20 2070:30 2071:69 2074:34 2075:35 2076:36 2077:37 2078:38 2079:39 207a:2b 207c:3d 207d:28 207e:29 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 208a:2b 208c:3d 208d:28 208e:29 2102:43 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212f:65 2130:45 2131:46 2133:4d 2134:6f 2139:69 2145:44 2146:64 2147:65 2148:69 2149:6a 2160:49 2164:56 2169:58 216c:4c 216d:43 216e:44 216f:4d 2170:69 2174:76 2179:78 217c:6c 217d:63 217e:64 217f:6d 2260:3d 226e:3c 226f:3e 2460:31 2461:32 2462:33 2463:34 2464:35 2465:36 2466:37 2467:38 2468:39 24b6:41 24b7:42 24b8:43 24b9:44 24ba:45 24bb:46 24bc:47 24bd:48 24be:49 24bf:4a 24c0:4b 24c1:4c 24c2:4d 24c3:4e 24c4:4f 24c5:50 24c6:51 24c7:52 24c8:53 24c9:54 24ca:55 
24cb:56 24cc:57 24cd:58 24ce:59 24cf:5a 24d0:61 24d1:62 24d2:63 24d3:64 24d4:65 24d5:66 24d6:67 24d7:68 24d8:69 24d9:6a 24da:6b 24db:6c 24dc:6d 24dd:6e 24de:6f 24df:70 24e0:71 24e1:72 24e2:73 24e3:74 24e4:75 24e5:76 24e6:77 24e7:78 24e8:79 24e9:7a 24ea:30 3000:20 fb29:2b fe33:5f fe34:5f fe35:28 fe36:29 fe37:7b fe38:7d fe4d:5f fe4e:5f fe4f:5f fe50:2c fe52:2e fe54:3b fe55:3a fe57:21 fe59:28 fe5a:29 fe5b:7b fe5c:7d fe5f:23 fe60:26 fe61:2a fe62:2b fe63:2d fe64:3c fe65:3e fe66:3d fe68:5c fe69:24 fe6a:25 fe6b:40 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10001 (MAC - Japanese) +00a1:21 00a6:7c 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 + +932 (ANSI/OEM - Japanese Shift-JIS) +00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 
00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +20290 (IBM EBCDIC - Japanese Katakana Extended) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:70 005f:6d 0060:79 0061:62 0062:63 0063:64 0064:65 0065:66 0066:67 0067:68 0068:69 0069:71 006a:72 006b:73 006c:74 006d:75 006e:76 006f:77 0070:78 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a3:4a 00a5:5b 00ac:5f ff01:5a ff02:7f ff03:7b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:70 ff3f:6d ff40:79 ff41:62 ff42:63 ff43:64 ff44:65 ff45:66 ff46:67 ff47:68 ff48:69 ff49:71 ff4a:72 ff4b:73 ff4c:74 ff4d:75 ff4e:76 ff4f:77 ff50:78 ff5c:4f ff61:41 ff62:42 ff63:43 ff64:44 ff65:45 ff66:46 ff67:47 ff68:48 ff69:49 ff6a:51 ff6b:52 ff6c:53 ff6d:54 ff6e:55 ff6f:56 ff70:58 + +20932 (JIS X 0208-1990 & 0212-1990) + + +50220 (ISO-2022 Japanese with no halfwidth Katakana) + + +50221 (ISO-2022 Japanese with halfwidth Katakana) + + +50222 (ISO-2022 Japanese JIS X 0201-1989) + + +21027 (Ext Alpha Lowercase) +0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 
002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 00a2:4a 00ac:5f f8c4:20 f8c5:21 f8c6:22 f8c7:23 f8c8:24 f8c9:25 f8ca:26 f8cb:27 f8cc:28 f8cd:29 f8ce:2a f8cf:2b f8d0:2c f8d1:2d f8d2:2e f8d3:2f f8d4:30 f8d5:31 f8d6:32 f8d7:33 f8d8:34 f8d9:35 f8da:36 f8db:37 f8dc:38 f8dd:39 f8de:3a f8df:3b f8e0:3c f8e1:3d f8e2:3f f8e3:68 f8e4:7e ff61:42 ff62:43 ff63:44 ff64:45 ff65:46 ff66:47 ff67:48 ff68:49 ff69:51 ff6a:52 ff6b:53 ff6c:54 ff6d:55 ff6e:56 ff6f:57 ff70:58 ff71:59 ff72:62 ff73:63 ff74:64 ff75:65 ff76:66 ff77:67 ff78:68 ff79:69 ff7a:70 ff7b:71 ff7c:72 ff7d:73 ff7e:74 ff7f:75 ff80:76 ff81:77 ff82:78 + +10007 (MAC - Cyrillic) + + +1251 (ANSI - Cyrillic) +00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 
0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +866 (OEM - Russian) +00a7:15 00a9:63 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 
00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d 
ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +855 (OEM - Cyrillic) +00a9:63 00ac:2d 00ae:52 00b0:6f 00b1:2b 00b5:75 00b6:14 00b7:07 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 
01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2020:2b 2021:2b 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2219:07 221a:76 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:7f 2663:7f 2665:7f 2666:7f 266a:64 266b:64 + +20880 (IBM EBCDIC - Cyrillic (Russian)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00ad:73 0401:63 0402:59 0403:62 0404:64 0405:65 0406:66 0407:67 0408:68 0409:69 040a:70 040b:71 040c:72 040e:74 040f:75 042a:57 0430:77 0431:78 044e:76 0451:44 0452:42 0453:43 0454:45 0455:46 0456:47 0457:48 0458:49 0459:51 045a:52 045b:53 045c:54 045e:55 045f:56 2116:58 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +28595 (ISO 8859-5 Cyrillic) +00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 
00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d 
ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20866 (Russian - KOI8) +00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 
0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +21866 (Ukrainian - KOI8-U) +00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 
0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +21025 (IBM EBCDIC - Cyrillic (Serbian, Bulgarian)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00ad:73 0401:63 0402:59 0403:62 0404:64 0405:65 0406:66 0407:67 0408:68 0409:69 040a:70 040b:71 040c:72 040e:74 040f:75 042a:57 0430:77 0431:78 044e:76 0451:44 0452:42 0453:43 0454:45 0455:46 0456:47 0457:48 0458:49 0459:51 045a:52 045b:53 045c:54 045e:55 045f:56 2116:58 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +57002 
(ISCII - Devanagari) + + +57003 (ISCII - Bengali) + + +57004 (ISCII - Tamil) + + +57005 (ISCII - Telugu) + + +57006 (ISCII - Assamese) + + +57007 (ISCII - Oriya) + + +57008 (ISCII - Kannada) + + +57009 (ISCII - Malayalam) + + +57011 (ISCII - Punjabi (Gurmukhi)) + + +57010 (ISCII - Gujarati) + + +10010 (MAC - Romania) + + +10017 (MAC - Ukraine) + + +10082 (MAC - Croatia) + + +1250 (ANSI - Central Europe) +00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 
2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +852 (OEM - Latin II) +00a1:21 00a2:63 00a3:4c 00a5:59 00a6:7c 00a9:63 00aa:61 00ae:52 00b1:2b 00b2:32 00b3:33 00b5:75 00b6:14 00b7:07 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:63 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 
0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 03bc:75 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2213:2d 2215:2f 2216:5c 2217:2a 2219:07 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:5d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 
ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28592 (ISO 8859-2 Central Europe) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 
02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10000 (MAC - Roman) + + +437 (OEM - United States) +00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 
0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 
ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +850 (OEM - Multilingual Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 
0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +858 (OEM - Multilingual Latin I + Euro) +0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1252 (ANSI - Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 
0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b 
ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +37 (IBM EBCDIC - U.S./Canada) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +20285 (IBM EBCDIC - United Kingdom) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:4a 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 
0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:5b 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:4a ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +28591 (ISO 8859-1 Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 
02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20127 (US-ASCII) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 
012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20269 (ISO 
6937 Non-Spacing Accent) +f8f6:7f + +20105 (IA5 IRV International Alphabet No.5) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 
02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 203e:7e 2122:54 2207:7f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20106 (IA5 German) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a7:40 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:5b 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:5c 00d8:4f 00d9:55 00da:55 00db:55 00dc:5d 00dd:59 00df:7e 00e0:61 00e1:61 00e2:61 00e3:61 00e4:7b 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:7c 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:7d 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 
0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5e:7e 
+ +20107 (IA5 Swedish) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:5b 00c5:5d 00c6:41 00c7:43 00c8:45 00c9:40 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:5c 00d8:4f 00d9:55 00da:55 00db:55 00dc:5e 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:7b 00e5:7d 00e6:61 00e7:63 00e8:65 00e9:60 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:7c 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:7e 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c8:27 02cd:5f 02dc:7e 0303:7e 030e:22 0331:5f 0332:5f 
2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3f:5f ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5e:7e + +20108 (IA5 Norwegian) +007c:7e 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7e 00a7:23 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:5d 00c6:5b 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:5c 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:7d 00e6:7b 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:7c 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 
0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a + +865 (OEM - Nordic) +00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 
00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 
2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 + +863 (OEM - Canadian French) +00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 
01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +861 (OEM - Icelandic) +00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 
011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 
2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +860 (OEM - Portuguese) +00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 
0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +10079 (MAC - Icelandic) + + +1047 (IBM EBCDIC - Latin-1/Open System) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:15 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005e:5f 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:25 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 
00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3e:5f ff3f:6d ff40:79 ff5c:4f + +1140 (IBM EBCDIC - U.S./Canada (37 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +1141 (IBM EBCDIC - Germany (20273 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:63 005e:5f 005f:6d 0060:79 007b:43 007e:59 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 
00a7:7c 00c0:64 00c1:65 00c2:62 00c3:66 00c4:4a 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dc:5a 00e0:44 00e1:45 00e2:42 00e3:46 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:63 ff3e:5f ff3f:6d ff40:79 ff5b:43 ff5e:59 + +1142 (IBM EBCDIC - Denmark/Norway (20277 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:4a 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005e:5f 005f:6d 0060:79 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:70 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:5b 00c6:7b 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d8:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:6a 20ac:5a ff01:4f ff02:7f ff03:4a ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3e:5f ff3f:6d ff40:79 ff5d:47 + +1143 (IBM EBCDIC - Finland/Sweden (20278 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:63 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:71 005e:5f 005f:6d 0060:51 007b:43 007d:47 007f:07 
0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:7b 00c5:5b 00c7:68 00c8:74 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e7:48 00e8:54 00e9:79 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 20ac:5a ff01:4f ff02:7f ff03:63 ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:71 ff3e:5f ff3f:6d ff40:51 ff5b:43 ff5d:47 + +1144 (IBM EBCDIC - Italy (20280 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:48 005d:51 005e:5f 005f:6d 007b:44 007d:54 007e:58 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:7c 00b0:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e9:5a 00ea:52 00eb:53 00ed:55 00ee:56 00ef:57 00f1:49 00f2:6a 00f8:70 00f9:79 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:48 ff3d:51 ff3e:5f ff3f:6d ff5b:44 ff5d:54 ff5e:58 + +1145 (IBM EBCDIC - Latin America/Spain (20284 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 
0016:32 0017:26 001a:3f 001b:27 0020:40 0022:7f 0023:69 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:49 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:7b 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:6a 00f8:70 ff02:7f ff03:69 ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3f:6d ff40:79 ff5c:4f + +1146 (IBM EBCDIC - United Kingdom (20285 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:4a 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:5b 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:4a ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d 
ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:44 005c:48 005e:5f 005f:6d 007b:51 007d:54 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:5a 00b0:4a 00b5:79 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:7c 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 00f9:6a ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:44 ff3c:48 ff3e:5f ff3f:6d ff5b:51 ff5d:54 + +1148 (IBM EBCDIC - International (500 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 
00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 + +1149 (IBM EBCDIC - Icelandic (20871 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005f:6d 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c6:5a 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d0:7c 00d1:69 00d6:5f 00de:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f0:79 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3f:6d + +20277 (IBM EBCDIC - Denmark/Norway) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:4a 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005e:5f 005f:6d 0060:79 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 
009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a4:5a 00a6:70 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:5b 00c6:7b 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d8:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:6a ff01:4f ff02:7f ff03:4a ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3e:5f ff3f:6d ff40:79 ff5d:47 + +20278 (IBM EBCDIC - Finland/Sweden) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:63 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:71 005e:5f 005f:6d 0060:51 007b:43 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a4:5a 00a7:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:7b 00c5:5b 00c7:68 00c8:74 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e7:48 00e8:54 00e9:79 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:63 ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:71 ff3e:5f ff3f:6d ff40:51 ff5b:43 ff5d:47 + +20280 (IBM EBCDIC - Italy) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:48 005d:51 005e:5f 005f:6d 007b:44 007d:54 
007e:58 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:7c 00b0:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e9:5a 00ea:52 00eb:53 00ed:55 00ee:56 00ef:57 00f1:49 00f2:6a 00f8:70 00f9:79 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:48 ff3d:51 ff3e:5f ff3f:6d ff5b:44 ff5d:54 ff5e:58 + +20284 (IBM EBCDIC - Latin America/Spain) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0022:7f 0023:69 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:49 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:7b 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:6a 00f8:70 ff02:7f ff03:69 ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3f:6d ff40:79 ff5c:4f + +20297 (IBM EBCDIC - France) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 
001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:44 005c:48 005e:5f 005f:6d 007b:51 007d:54 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:5a 00b0:4a 00b5:79 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:7c 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 00f9:6a ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:44 ff3c:48 ff3e:5f ff3f:6d ff5b:51 ff5d:54 + +20871 (IBM EBCDIC - Icelandic) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005f:6d 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c6:5a 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d0:7c 00d1:69 00d6:5f 00de:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f0:79 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 
ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3f:6d + +20924 (IBM EBCDIC - Latin-1/Open System (1047 + Euro)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:15 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005e:5f 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:25 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dd:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 0160:6a ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3e:5f ff3f:6d ff40:79 ff5c:4f + +28599 (ISO 8859-9 Latin 5) +00d0:44 00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 
016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28605 (ISO 8859-15 Latin 9) +00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 
0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +870 (IBM EBCDIC - Multilingual/ROECE (Latin-2)) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 
0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c1:65 00c2:62 00c4:63 00c7:68 00c9:71 00cb:73 00cd:75 00ce:76 00df:59 00e1:45 00e2:42 00e4:43 00e7:48 00e9:51 00eb:53 00ed:55 00ee:56 0102:66 0103:46 0106:69 0107:49 010c:67 010d:47 0118:72 0119:52 0139:78 013a:58 013d:77 013e:57 0163:44 016e:74 016f:54 02c7:70 02dd:64 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +10021 (MAC - Thai) + + +874 (ANSI/OEM - Thai) +00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 
ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20838 (IBM EBCDIC - Thai) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:49 005d:59 005e:69 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 0e01:42 0e02:43 0e03:44 0e04:45 0e05:46 0e06:47 0e07:48 0e08:52 0e09:53 0e0a:54 0e0b:55 0e0c:56 0e0d:57 0e0e:58 0e0f:62 0e10:63 0e11:64 0e12:65 0e13:66 0e14:67 0e15:68 0e16:72 0e17:73 0e18:74 0e19:75 0e1a:76 0e1b:77 0e1c:78 0e3f:70 0e4e:71 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:49 ff3d:59 ff3e:69 ff3f:6d ff40:79 ff5c:4f + +10005 (MAC - Hebrew) + + +1255 (ANSI - Hebrew) +0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c 
ff5d:7d ff5e:7e + +862 (OEM - Hebrew) +00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 
2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28598 (ISO 8859-8 Hebrew: Visual Ordering) +00a1:21 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 
00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 
ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +38598 (ISO 8859-8 Hebrew: Logical Ordering) +00a1:21 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 
01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20424 (IBM EBCDIC - Hebrew) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a2:4a 00a6:6a 00ac:5f 05d0:41 05d1:42 05d2:43 05d3:44 05d4:45 
05d5:46 05d6:47 05d7:48 05d8:49 05d9:51 05da:52 05db:53 05dc:54 05dd:55 05de:56 05df:57 05e0:58 05e1:59 05e2:62 05e3:63 05e4:64 05e5:65 05e6:66 05e7:67 05e8:68 05e9:69 05ea:71 2017:78 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +10006 (MAC - Greek I) + + +1253 (ANSI - Greek) +00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 
01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +737 (OEM - Greek 437G) +00a7:15 00b6:14 037e:3b 2022:07 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +869 (OEM - Modern Greek) +00a4:6f 00a5:59 00ae:52 00b6:14 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 2013:16 
2014:16 201c:22 201d:22 201e:22 2020:2b 2021:2b 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +20273 (IBM EBCDIC - Germany) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:63 005e:5f 005f:6d 0060:79 007b:43 007e:59 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:7c 00c0:64 00c1:65 00c2:62 00c3:66 00c4:4a 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dc:5a 00e0:44 00e1:45 00e2:42 00e3:46 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:63 ff3e:5f ff3f:6d ff40:79 ff5b:43 ff5e:59 + +28597 (ISO 8859-7 Greek) +00a1:21 00a2:63 00a4:24 00a5:59 00aa:61 00ae:52 00b8:2c 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 
00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 
ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20423 (IBM EBCDIC - Greek) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a3:7b 00a7:7c 0386:71 0388:72 0389:73 038a:75 038c:76 038e:77 038f:78 0391:41 0392:42 0393:43 0394:44 0395:45 0396:46 0397:47 0398:48 0399:49 039a:51 039b:52 039c:53 039d:54 039e:55 039f:56 03a0:57 03a1:58 03a3:59 03a4:62 03a5:63 03a6:64 03a7:65 03a8:66 03a9:67 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +875 (IBM EBCDIC - Modern Greek) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 
0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a8:70 0386:71 0388:72 0389:73 038a:75 038c:76 038e:77 038f:78 0391:41 0392:42 0393:43 0394:44 0395:45 0396:46 0397:47 0398:48 0399:49 039a:51 039b:52 039c:53 039d:54 039e:55 039f:56 03a0:57 03a1:58 03a3:59 03a4:62 03a5:63 03a6:64 03a7:65 03a8:66 03a9:67 03aa:68 03ab:69 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a + +1258 (ANSI/OEM - Viet Nam) +ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +10002 (MAC - Traditional Chinese Big5) +00a1:21 00a6:7c 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +950 (ANSI/OEM - Traditional Chinese Big5) +00a1:21 
00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +20000 (CNS - Taiwan) + + +20001 (TCA - Taiwan) + + +20002 (Eten - Taiwan) + + +20003 (IBM5550 - Taiwan) + + +20004 (TeleText - Taiwan) + + +20005 (Wang - Taiwan) + + +20261 (T.61) +f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f + +50229 (ISO-2022 Traditional Chinese) + + +65000 (UTF-7) + + +65001 (UTF-8) + + diff -Nru snort-2.9.0.1/install-sh snort-2.9.2/install-sh --- snort-2.9.0.1/install-sh 2000-08-06 19:41:44.000000000 -0700 +++ snort-2.9.2/install-sh 2011-12-07 11:23:17.000000000 -0800 
@@ -1,250 +1,520 @@ #!/bin/sh -# # install - install a program, script, or datafile -# This comes from X11R5 (mit/util/scripts/install.sh). + +scriptversion=2009-04-28.21; # UTC + +# This originates from X11R5 (mit/util/scripts/install.sh), which was +# later released in X11R6 (xc/config/util/install.sh) with the +# following copyright and license. +# +# Copyright (C) 1994 X Consortium +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- +# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +# Except as contained in this notice, the name of the X Consortium shall not +# be used in advertising or otherwise to promote the sale, use or other deal- +# ings in this Software without prior written authorization from the X Consor- +# tium. 
# -# Copyright 1991 by the Massachusetts Institute of Technology # -# Permission to use, copy, modify, distribute, and sell this software and its -# documentation for any purpose is hereby granted without fee, provided that -# the above copyright notice appear in all copies and that both that -# copyright notice and this permission notice appear in supporting -# documentation, and that the name of M.I.T. not be used in advertising or -# publicity pertaining to distribution of the software without specific, -# written prior permission. M.I.T. makes no representations about the -# suitability of this software for any purpose. It is provided "as is" -# without express or implied warranty. +# FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written -# from scratch. It can only install one file at a time, a restriction -# shared with many OS's install programs. +# from scratch. +nl=' +' +IFS=" "" $nl" # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" +doit=${DOITPROG-} +if test -z "$doit"; then + doit_exec=exec +else + doit_exec=$doit +fi + +# Put in absolute file names if you don't have them in your path; +# or use environment vars. +chgrpprog=${CHGRPPROG-chgrp} +chmodprog=${CHMODPROG-chmod} +chownprog=${CHOWNPROG-chown} +cmpprog=${CMPPROG-cmp} +cpprog=${CPPROG-cp} +mkdirprog=${MKDIRPROG-mkdir} +mvprog=${MVPROG-mv} +rmprog=${RMPROG-rm} +stripprog=${STRIPPROG-strip} + +posix_glob='?' +initialize_posix_glob=' + test "$posix_glob" != "?" || { + if (set -f) 2>/dev/null; then + posix_glob= + else + posix_glob=: + fi + } +' + +posix_mkdir= -# put in absolute paths if you don't have them in your path; or use env. vars. +# Desired mode of installed file. 
+mode=0755 -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" - -transformbasename="" -transform_arg="" -instcmd="$mvprog" -chmodcmd="$chmodprog 0755" -chowncmd="" -chgrpcmd="" -stripcmd="" +chgrpcmd= +chmodcmd=$chmodprog +chowncmd= +mvcmd=$mvprog rmcmd="$rmprog -f" -mvcmd="$mvprog" -src="" -dst="" -dir_arg="" - -while [ x"$1" != x ]; do - case $1 in - -c) instcmd="$cpprog" - shift - continue;; - - -d) dir_arg=true - shift - continue;; - - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; - - -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; - - -s) stripcmd="$stripprog" - shift - continue;; - - -t=*) transformarg=`echo $1 | sed 's/-t=//'` - shift - continue;; - - -b=*) transformbasename=`echo $1 | sed 's/-b=//'` - shift - continue;; +stripcmd= - *) if [ x"$src" = x ] - then - src=$1 - else - # this colon is to work around a 386BSD /bin/sh bug - : - dst=$1 - fi - shift - continue;; - esac -done +src= +dst= +dir_arg= +dst_arg= -if [ x"$src" = x ] -then - echo "install: no input file specified" - exit 1 -else - true -fi +copy_on_change=false +no_target_directory= -if [ x"$dir_arg" != x ]; then - dst=$src - src="" - - if [ -d $dst ]; then - instcmd=: - else - instcmd=mkdir - fi -else +usage="\ +Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE + or: $0 [OPTION]... SRCFILES... DIRECTORY + or: $0 [OPTION]... -t DIRECTORY SRCFILES... + or: $0 [OPTION]... -d DIRECTORIES... -# Waiting for this to be detected by the "$instcmd $src $dsttmp" command -# might cause directories to be created, which would be especially bad -# if $src (and thus $dsttmp) contains '*'. 
- - if [ -f $src -o -d $src ] - then - true - else - echo "install: $src does not exist" - exit 1 - fi - - if [ x"$dst" = x ] - then - echo "install: no destination specified" - exit 1 - else - true - fi +In the 1st form, copy SRCFILE to DSTFILE. +In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. +In the 4th, create DIRECTORIES. -# If destination is a directory, append the input filename; if your system -# does not like double slashes in filenames, you may need to add some logic +Options: + --help display this help and exit. + --version display version info and exit. - if [ -d $dst ] - then - dst="$dst"/`basename $src` - else - true - fi -fi + -c (ignored) + -C install only if different (preserve the last data modification time) + -d create directories instead of installing files. + -g GROUP $chgrpprog installed files to GROUP. + -m MODE $chmodprog installed files to MODE. + -o USER $chownprog installed files to USER. + -s $stripprog installed files. + -t DIRECTORY install into DIRECTORY. + -T report an error if DSTFILE is a directory. -## this sed command emulates the dirname command -dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` +Environment variables override the default commands: + CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG + RMPROG STRIPPROG +" -# Make sure that the destination directory exists. -# this part is taken from Noah Friedman's mkinstalldirs script +while test $# -ne 0; do + case $1 in + -c) ;; -# Skip lots of stat calls in the usual case. -if [ ! -d "$dstdir" ]; then -defaultIFS=' -' -IFS="${IFS-${defaultIFS}}" + -C) copy_on_change=true;; -oIFS="${IFS}" -# Some sh's can't handle IFS=/ for some reason. -IFS='%' -set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` -IFS="${oIFS}" - -pathcomp='' - -while [ $# -ne 0 ] ; do - pathcomp="${pathcomp}${1}" - shift - - if [ ! 
-d "${pathcomp}" ] ; - then - $mkdirprog "${pathcomp}" - else - true - fi + -d) dir_arg=true;; - pathcomp="${pathcomp}/" -done -fi + -g) chgrpcmd="$chgrpprog $2" + shift;; -if [ x"$dir_arg" != x ] -then - $doit $instcmd $dst && - - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi -else + --help) echo "$usage"; exit $?;; -# If we're going to rename the final executable, determine the name now. + -m) mode=$2 + case $mode in + *' '* | *' '* | *' +'* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + shift;; - if [ x"$transformarg" = x ] - then - dstfile=`basename $dst` - else - dstfile=`basename $dst $transformbasename | - sed $transformarg`$transformbasename - fi + -o) chowncmd="$chownprog $2" + shift;; -# don't allow the sed command to completely eliminate the filename + -s) stripcmd=$stripprog;; - if [ x"$dstfile" = x ] - then - dstfile=`basename $dst` - else - true - fi + -t) dst_arg=$2 + shift;; + + -T) no_target_directory=true;; + + --version) echo "$0 $scriptversion"; exit $?;; + + --) shift + break;; + + -*) echo "$0: invalid option: $1" >&2 + exit 1;; -# Make a temp file name in the proper directory. + *) break;; + esac + shift +done - dsttmp=$dstdir/#inst.$$# +if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then + # When -d is used, all remaining arguments are directories to create. + # When -t is used, the destination is already specified. + # Otherwise, the last argument is the destination. Remove it from $@. + for arg + do + if test -n "$dst_arg"; then + # $@ is not empty: it contains at least $arg. 
+ set fnord "$@" "$dst_arg" + shift # fnord + fi + shift # arg + dst_arg=$arg + done +fi -# Move or copy the file name to the temp name +if test $# -eq 0; then + if test -z "$dir_arg"; then + echo "$0: no input file specified." >&2 + exit 1 + fi + # It's OK to call `install-sh -d' without argument. + # This can happen when creating conditional directories. + exit 0 +fi - $doit $instcmd $src $dsttmp && +if test -z "$dir_arg"; then + trap '(exit $?); exit' 1 2 13 15 - trap "rm -f ${dsttmp}" 0 && + # Set umask so as not to create temps with too-generous modes. + # However, 'strip' requires both read and write access to temps. + case $mode in + # Optimize common cases. + *644) cp_umask=133;; + *755) cp_umask=22;; + + *[0-7]) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw='% 200' + fi + cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; + *) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw=,u+rw + fi + cp_umask=$mode$u_plus_rw;; + esac +fi -# and set any options; do chmod last to preserve setuid bits +for src +do + # Protect names starting with `-'. + case $src in + -*) src=./$src;; + esac + + if test -n "$dir_arg"; then + dst=$src + dstdir=$dst + test -d "$dstdir" + dstdir_status=$? + else + + # Waiting for this to be detected by the "$cpprog $src $dsttmp" command + # might cause directories to be created, which would be especially bad + # if $src (and thus $dsttmp) contains '*'. + if test ! -f "$src" && test ! -d "$src"; then + echo "$0: $src does not exist." >&2 + exit 1 + fi + + if test -z "$dst_arg"; then + echo "$0: no destination specified." >&2 + exit 1 + fi + + dst=$dst_arg + # Protect names starting with `-'. + case $dst in + -*) dst=./$dst;; + esac -# If any of these fail, we abort the whole thing. If we want to -# ignore errors from any of these, just make sure not to ignore -# errors from the above "$doit $instcmd $src $dsttmp" command. 
+ # If destination is a directory, append the input filename; won't work + # if double slashes aren't ignored. + if test -d "$dst"; then + if test -n "$no_target_directory"; then + echo "$0: $dst_arg: Is a directory" >&2 + exit 1 + fi + dstdir=$dst + dst=$dstdir/`basename "$src"` + dstdir_status=0 + else + # Prefer dirname, but fall back on a substitute if dirname fails. + dstdir=` + (dirname "$dst") 2>/dev/null || + expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$dst" : 'X\(//\)[^/]' \| \ + X"$dst" : 'X\(//\)$' \| \ + X"$dst" : 'X\(/\)' \| . 2>/dev/null || + echo X"$dst" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q' + ` + + test -d "$dstdir" + dstdir_status=$? + fi + fi + + obsolete_mkdir_used=false + + if test $dstdir_status != 0; then + case $posix_mkdir in + '') + # Create intermediate dirs using mode 755 as modified by the umask. + # This is like FreeBSD 'install' as of 1997-10-28. + umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. + *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. 
+ if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 -# Now rename the file to the real destination. + if (umask $mkdir_umask && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writeable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + ls_ld_tmpdir=`ls -ld "$tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/d" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + fi + trap '' 0;; + esac;; + esac - $doit $rmcmd -f $dstdir/$dstfile && - $doit $mvcmd $dsttmp $dstdir/$dstfile + if + $posix_mkdir && ( + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + ) + then : + else + + # The umask is ridiculous, or mkdir does not conform to POSIX, + # or it failed possibly due to a race condition. Create the + # directory the slow way, step by step, checking for races as we go. 
+ + case $dstdir in + /*) prefix='/';; + -*) prefix='./';; + *) prefix='';; + esac + + eval "$initialize_posix_glob" + + oIFS=$IFS + IFS=/ + $posix_glob set -f + set fnord $dstdir + shift + $posix_glob set +f + IFS=$oIFS + + prefixes= + + for d + do + test -z "$d" && continue + + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ + done -fi && + if test -n "$prefixes"; then + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true + fi + fi + fi + + if test -n "$dir_arg"; then + { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && + { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || + test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 + else + + # Make a couple of temp file names in the proper directory. + dsttmp=$dstdir/_inst.$$_ + rmtmp=$dstdir/_rm.$$_ + + # Trap to clean up those temp files at exit. + trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 + + # Copy the file name to the temp name. + (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + + # and set any options; do chmod last to preserve setuid bits. + # + # If any of these fail, we abort the whole thing. If we want to + # ignore errors from any of these, just make sure not to ignore + # errors from the above "$doit $cpprog $src $dsttmp" command. 
+ # + { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && + { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && + { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && + + # If -C, don't bother to copy if it wouldn't change the file. + if $copy_on_change && + old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && + new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && + + eval "$initialize_posix_glob" && + $posix_glob set -f && + set X $old && old=:$2:$4:$5:$6 && + set X $new && new=:$2:$4:$5:$6 && + $posix_glob set +f && + + test "$old" = "$new" && + $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 + then + rm -f "$dsttmp" + else + # Rename the file to the real destination. + $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || + + # The rename failed, perhaps because mv can't rename something else + # to itself, or perhaps because mv is so ancient that it does not + # support -f. + { + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + test ! -f "$dst" || + $doit $rmcmd -f "$dst" 2>/dev/null || + { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && + { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + } || + { echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + } && + + # Now rename the file to the real destination. 
+ $doit $mvcmd "$dsttmp" "$dst" + } + fi || exit 1 + trap '' 0 + fi +done -exit 0 +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff -Nru snort-2.9.0.1/m4/Makefile.in snort-2.9.2/m4/Makefile.in --- snort-2.9.0.1/m4/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/m4/Makefile.in 2011-12-07 11:23:17.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -109,13 +112,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/Makefile.in snort-2.9.2/Makefile.in --- snort-2.9.0.1/Makefile.in 2010-10-08 02:56:56.000000000 -0700 +++ snort-2.9.2/Makefile.in 2011-12-07 11:23:23.000000000 -0800 @@ -141,7 +141,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -156,6 +158,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -192,13 +195,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/missing snort-2.9.2/missing --- snort-2.9.0.1/missing 2007-07-06 08:57:46.000000000 -0700 +++ snort-2.9.2/missing 2011-12-07 11:23:17.000000000 -0800 @@ -1,13 +1,16 @@ #! /bin/sh # Common stub for a few missing GNU programs while installing. -# Copyright 1996, 1997, 1999, 2000 Free Software Foundation, Inc. + +scriptversion=2009-04-28.21; # UTC + +# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006, +# 2008, 2009 Free Software Foundation, Inc. # Originally by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License Version 2 as -# published by the Free Software Foundation. You may not use, modify or -# distribute this program under any other version of the GNU General -# Public License. +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of 
@@ -15,9 +18,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. +# along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -30,6 +31,8 @@ fi run=: +sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' +sed_minuso='s/.* -o \([^ ]*\).*/\1/p' # In the cases where this matters, `missing' is being run in the # srcdir already. @@ -39,18 +42,24 @@ configure_ac=configure.in fi -case "$1" in +msg="missing on your system" + +case $1 in --run) # Try to run requested program, and just exit if it succeeds. run= shift "$@" && exit 0 + # Exit code 63 means version mismatch. This often happens + # when the user try to use an ancient version of a tool on + # a file that requires a minimum version. In this case we + # we should proceed has if the program had been absent, or + # if --run hadn't been passed. + if test $? = 63; then + run=: + msg="probably too old" + fi ;; -esac - -# If it does not exist, or fails to run (possibly an outdated version), -# try to emulate it. -case "$1" in -h|--h|--he|--hel|--help) echo "\ @@ -68,6 +77,7 @@ aclocal touch file \`aclocal.m4' autoconf touch file \`configure' autoheader touch file \`config.h.in' + autom4te touch the output file, or create a stub one automake touch all \`Makefile.in' files bison create \`y.tab.[ch]', if possible, from existing .[ch] flex create \`lex.yy.c', if possible, from existing .c 
@@ -75,11 +85,18 @@ lex create \`lex.yy.c', if possible, from existing .c makeinfo touch the output file tar try tar, gnutar, gtar, then tar without non-portable flags - yacc create \`y.tab.[ch]', if possible, from existing .[ch]" + yacc create \`y.tab.[ch]', if possible, from existing .[ch] + +Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and +\`g' are ignored when checking the name. + +Send bug reports to ." + exit $? ;; -v|--v|--ve|--ver|--vers|--versi|--versio|--version) - echo "missing 0.3 - GNU automake" + echo "missing $scriptversion (GNU Automake)" + exit $? ;; -*) 
@@ -88,27 +105,69 @@ exit 1 ;; - aclocal) +esac + +# normalize program name to check for. +program=`echo "$1" | sed ' + s/^gnu-//; t + s/^gnu//; t + s/^g//; t'` + +# Now exit if we have it, but it failed. Also exit now if we +# don't have it and --version was passed (most likely to detect +# the program). This is about non-GNU programs, so use $1 not +# $program. +case $1 in + lex*|yacc*) + # Not GNU programs, they don't have --version. + ;; + + tar*) + if test -n "$run"; then + echo 1>&2 "ERROR: \`tar' requires --run" + exit 1 + elif test "x$2" = "x--version" || test "x$2" = "x--help"; then + exit 1 + fi + ;; + + *) + if test -z "$run" && ($1 --version) > /dev/null 2>&1; then + # We have it, but it failed. + exit 1 + elif test "x$2" = "x--version" || test "x$2" = "x--help"; then + # Could not run --version or --help. This is probably someone + # running `$TOOL --version' or `$TOOL --help' to check whether + # $TOOL exists and not knowing $TOOL uses missing. + exit 1 + fi + ;; +esac + +# If it does not exist, or fails to run (possibly an outdated version), +# try to emulate it. +case $program in + aclocal*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`acinclude.m4' or \`${configure_ac}'. You might want to install the \`Automake' and \`Perl' packages. Grab them from any GNU archive site." touch aclocal.m4 ;; - autoconf) + autoconf*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`${configure_ac}'. You might want to install the \`Autoconf' and \`GNU m4' packages. Grab them from any GNU archive site." touch configure ;; - autoheader) + autoheader*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`acconfig.h' or \`${configure_ac}'. 
You might want to install the \`Autoconf' and \`GNU m4' packages. Grab them from any GNU archive site." @@ -116,7 +175,7 @@ test -z "$files" && files="config.h" touch_files= for f in $files; do - case "$f" in + case $f in *:*) touch_files="$touch_files "`echo "$f" | sed -e 's/^[^:]*://' -e 's/:.*//'`;; *) touch_files="$touch_files $f.in";; @@ -125,9 +184,9 @@ touch $touch_files ;; - automake) + automake*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. You might want to install the \`Automake' and \`Perl' packages. Grab them from any GNU archive site." 
@@ -136,128 +195,153 @@ while read f; do touch "$f"; done ;; - bison|yacc) + autom4te*) + echo 1>&2 "\ +WARNING: \`$1' is needed, but is $msg. + You might have modified some files without having the + proper tools for further handling them. + You can get \`$1' as part of \`Autoconf' from any GNU + archive site." + + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then + touch $file + else + test -z "$file" || exec >$file + echo "#! /bin/sh" + echo "# Created by GNU Automake missing as a replacement of" + echo "# $ $@" + echo "exit 0" + chmod +x $file + exit 1 + fi + ;; + + bison*|yacc*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' $msg. You should only need it if you modified a \`.y' file. You may need the \`Bison' package in order for those modifications to take effect. You can get \`Bison' from any GNU archive site." rm -f y.tab.c y.tab.h - if [ $# -ne 1 ]; then + if test $# -ne 1; then eval LASTARG="\${$#}" - case "$LASTARG" in + case $LASTARG in *.y) SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" y.tab.c fi SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" y.tab.h fi ;; esac fi - if [ ! -f y.tab.h ]; then + if test ! -f y.tab.h; then echo >y.tab.h fi - if [ ! -f y.tab.c ]; then + if test ! -f y.tab.c; then echo 'main() { return 0; }' >y.tab.c fi ;; - lex|flex) + lex*|flex*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified a \`.l' file. You may need the \`Flex' package in order for those modifications to take effect. You can get \`Flex' from any GNU archive site." 
rm -f lex.yy.c - if [ $# -ne 1 ]; then + if test $# -ne 1; then eval LASTARG="\${$#}" - case "$LASTARG" in + case $LASTARG in *.l) SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" lex.yy.c fi ;; esac fi - if [ ! -f lex.yy.c ]; then + if test ! -f lex.yy.c; then echo 'main() { return 0; }' >lex.yy.c fi ;; - help2man) + help2man*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified a dependency of a manual page. You may need the \`Help2man' package in order for those modifications to take effect. You can get \`Help2man' from any GNU archive site." - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` - if test -z "$file"; then - file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'` - fi - if [ -f "$file" ]; then + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then touch $file else test -z "$file" || exec >$file echo ".ab help2man is required to generate this page" - exit 1 + exit $? fi ;; - makeinfo) - if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then - # We have makeinfo, but it failed. - exit 1 - fi - + makeinfo*) echo 1>&2 "\ -WARNING: \`$1' is missing on your system. You should only need it if +WARNING: \`$1' is $msg. You should only need it if you modified a \`.texi' or \`.texinfo' file, or any other file indirectly affecting the aspect of the manual. The spurious call might also be the consequence of using a buggy \`make' (AIX, DU, IRIX). You might want to install the \`Texinfo' package or the \`GNU make' package. Grab either from any GNU archive site." - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` + # The file to touch is that specified with -o ... 
+ file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` if test -z "$file"; then - file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file` - fi + # ... or it is the one specified with @setfilename ... + infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` + file=`sed -n ' + /^@setfilename/{ + s/.* \([^ ]*\) *$/\1/ + p + q + }' $infile` + # ... or it is derived from the source name (dir/f.texi becomes f.info) + test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info + fi + # If the file does not exist, the user really needs makeinfo; + # let's fail without touching anything. + test -f $file || exit 1 touch $file ;; - tar) + tar*) shift - if test -n "$run"; then - echo 1>&2 "ERROR: \`tar' requires --run" - exit 1 - fi # We have already tried tar in the generic part. # Look for gnutar/gtar before invocation to avoid ugly error # messages. if (gnutar --version > /dev/null 2>&1); then - gnutar ${1+"$@"} && exit 0 + gnutar "$@" && exit 0 fi if (gtar --version > /dev/null 2>&1); then - gtar ${1+"$@"} && exit 0 + gtar "$@" && exit 0 fi firstarg="$1" if shift; then - case "$firstarg" in + case $firstarg in *o*) firstarg=`echo "$firstarg" | sed s/o//` - tar "$firstarg" ${1+"$@"} && exit 0 + tar "$firstarg" "$@" && exit 0 ;; esac - case "$firstarg" in + case $firstarg in *h*) firstarg=`echo "$firstarg" | sed s/h//` - tar "$firstarg" ${1+"$@"} && exit 0 + tar "$firstarg" "$@" && exit 0 ;; esac fi 
@@ -271,10 +355,10 @@ *) echo 1>&2 "\ -WARNING: \`$1' is needed, and you do not seem to have it handy on your - system. You might have modified some files without having the +WARNING: \`$1' is needed, and is $msg. + You might have modified some files without having the proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequirements for installing + it often tells you about the needed prerequisites for installing this package. You may also peek at any GNU archive site, in case some other package would contain this missing \`$1' program." exit 1 @@ -282,3 +366,11 @@ esac exit 0 + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff -Nru snort-2.9.0.1/preproc_rules/decoder.rules snort-2.9.2/preproc_rules/decoder.rules --- snort-2.9.0.1/preproc_rules/decoder.rules 2010-10-25 12:48:57.000000000 -0700 +++ snort-2.9.2/preproc_rules/decoder.rules 2011-10-26 11:28:52.000000000 -0700 
@@ -7,7 +7,7 @@
 alert ( msg:"DECODE_TCP_DGRAM_LT_TCPHDR"; sid:45; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; )
 alert ( msg:"DECODE_TCP_INVALID_OFFSET"; sid:46; gid:116; rev:1; metadata:rule-type decode; reference:cve,2004-0816; classtype:bad-unknown; )
 alert ( msg:"DECODE_TCP_LARGE_OFFSET"; sid:47; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
-alert ( msg:"DECODE_TCPOPT_BADLEN"; sid:54; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_TCPOPT_BADLEN"; sid:54; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,14811; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_TCPOPT_TRUNCATED"; sid:55; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_TCPOPT_TTCP"; sid:56; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_TCPOPT_OBSOLETE"; sid:57; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
@@ -75,6 +75,8 @@
 alert ( msg:"DECODE_ESP_HEADER_TRUNC"; sid:294; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_IPV6_BAD_OPT_LEN"; sid:295; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_IPV6_UNORDERED_EXTENSIONS"; sid:296; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_GTP_MULTIPLE_ENCAPSULATION"; sid:297; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
+alert ( msg:"DECODE_GTP_BAD_LEN_STR"; sid:298; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_BAD_MPLS"; sid:170; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_BAD_MPLS_LABEL0"; sid:171; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
 alert ( msg:"DECODE_BAD_MPLS_LABEL1"; sid:172; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
@@ -104,7 +106,7 @@
 alert ( msg:"DECODE_TCP_SYN_FIN"; sid:420; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
 alert ( msg:"DECODE_TCP_SYN_RST"; sid:421; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
 alert ( msg:"DECODE_TCP_MUST_ACK"; sid:422; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
-alert ( msg:"DECODE_TCP_NO_SYN_ACK_RST"; sid:423; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
+alert ( msg:"DECODE_TCP_NO_SYN_ACK_RST"; sid:423; gid:116; rev:1; metadata:rule-type decode; reference:arachnids,4; reference:arachnids,27; classtype:misc-activity; )
 alert ( msg:"DECODE_ETH_HDR_TRUNC"; sid:424; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
 alert ( msg:"DECODE_IP4_HDR_TRUNC"; sid:425; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
 alert ( msg:"DECODE_ICMP4_HDR_TRUNC"; sid:426; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
@@ -134,3 +136,7 @@ alert ( msg:"DECODE_IP_BAD_PROTO"; sid:450; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; ) alert ( msg:"DECODE_ICMP_PATH_MTU_DOS"; sid:451; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos;) alert ( msg:"DECODE_ICMP_DOS_ATTEMPT"; sid:452; gid:116; rev:1; metadata:rule-type decode; reference:url,www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3; reference:cve,2006-0454; reference:bugtraq,16532; classtype:denial-of-service;) +alert ( msg:"DECODE_IPV6_ISATAP_SPOOF"; sid:453; gid:116; rev:1; metadata:rule-type decode; reference:cve,2010-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS10-029.mspx; classtype:misc-attack; ) +alert ( msg:"DECODE_PGM_NAK_OVERFLOW"; sid:454; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-052.mspx; reference:cve,2006-3442; reference:bugtraq,19922; classtype:attempted-admin; ) +alert ( msg:"DECODE_IGMP_OPTIONS_DOS"; sid:455; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-007.mspx; reference:cve,2006-0021; reference:bugtraq,16645; classtype:attempted-dos; ) +alert ( msg:"DECODE_IP6_EXCESS_EXT_HDR"; sid:456; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) diff -Nru snort-2.9.0.1/preproc_rules/Makefile.in snort-2.9.2/preproc_rules/Makefile.in --- snort-2.9.0.1/preproc_rules/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/preproc_rules/Makefile.in 2011-12-07 11:23:17.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -109,13 +112,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/preproc_rules/preprocessor.rules snort-2.9.2/preproc_rules/preprocessor.rules --- snort-2.9.0.1/preproc_rules/preprocessor.rules 2010-10-25 12:48:57.000000000 -0700 +++ snort-2.9.2/preproc_rules/preprocessor.rules 2011-11-21 12:15:24.000000000 -0800 
@@ -16,7 +16,6 @@
 alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1122; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )
 alert ( msg: "HI_CLIENT_U_ENCODE"; sid: 3; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
 alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
-alert ( msg: "HI_CLIENT_BASE36"; sid: 5; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )
 alert ( msg: "HI_CLIENT_UTF_8"; sid: 6; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2008-2938; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )
 alert ( msg: "HI_CLIENT_IIS_UNICODE"; sid: 7; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2009-1535; )
 alert ( msg: "HI_CLIENT_MULTI_SLASH"; sid: 8; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
@@ -26,20 +25,33 @@
 alert ( msg: "HI_CLIENT_APACHE_WS"; sid: 12; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
 alert ( msg: "HI_CLIENT_IIS_DELIMITER"; sid: 13; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
 alert ( msg: "HI_CLIENT_NON_RFC_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )
-alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791;)
+alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; )
 alert ( msg: "HI_CLIENT_LARGE_CHUNK"; sid: 16; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:attempted-admin; )
 alert ( msg: "HI_CLIENT_PROXY_USE"; sid: 17; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:protocol-command-decode; )
 alert ( msg: "HI_CLIENT_WEBROOT_DIR"; sid: 18; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; )
-alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )
+alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2009-4873; )
 alert ( msg: "HI_CLIENT_MAX_HEADERS"; sid: 20; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_CLIENT_MULTIPLE_CONTLEN"; sid: 21; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_CHUNK_SIZE_MISMATCH"; sid: 22; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_CLIENT_INVALID_TRUEIP"; sid:23; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_MULTIPLE_HOST_HDRS"; sid:24; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_LONG_HOSTNAME"; sid:25; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_EXCEEDS_SPACES"; sid:26; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos;reference:cve,2004-0942; )
+alert ( msg: "HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 27; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_UNBOUNDED POST"; sid: 28; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION"; sid: 29; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLIENT_BOTH_TRUEIP_XFF_HDRS"; sid: 30; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_ANOM_SERVER_ALERT"; sid: 1; gid: 120; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
 alert ( msg: "HI_SERVER_INVALID_STATCODE"; sid: 2; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_SERVER_UTF_NORM_FAIL"; sid: 4; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "HI_SERVER_UTF7"; sid: 5; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_DECOMPR_FAILED"; sid: 6; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 7; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_JS_OBFUSCATION_EXCD"; sid: 9; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_JS_EXCESS_WS"; sid: 10; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
+alert ( msg: "HI_SERVER_MIXED_ENCODINGS "; sid: 11; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
 alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
 alert ( msg: "PSNG_TCP_DECOY_PORTSCAN"; sid: 2; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
 alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
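Review bot: Two of the added msg strings break the event-name convention the rest of the file follows: `HI_CLIENT_UNBOUNDED POST` (gid 119, sid 28) has a space where every other name uses an underscore, and `HI_SERVER_MIXED_ENCODINGS ` (gid 120, sid 11) carries a trailing space inside the quotes. The msg text is what reaches alert output and whatever matches on event names downstream, so they should read `msg: "HI_CLIENT_UNBOUNDED_POST"` and `msg: "HI_SERVER_MIXED_ENCODINGS"`. The new sid 26 line also drops the space after `classtype:attempted-dos;` that every other rule puts before `reference:`, which is cosmetic but worth aligning while the line is being touched. Sids 24–30 omit the `service http` metadata that sids 1–19 carry; that matches the existing sids 20–23 so it is presumably deliberate, but it is worth confirming if anything selects rules by service.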
@@ -81,21 +93,27 @@
 alert ( msg: "FRAG3_EXCESSIVE_OVERLAP"; sid: 12; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
 alert ( msg: "FRAG3_TINY_FAGMENT"; sid: 13; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,2005-0209; classtype:attempted-dos; )
 alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
-alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; )
+alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )
 alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )
-alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
+alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
 alert ( msg: "SMTP_UNKNOWN_CMD"; sid: 5; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )
 alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )
 alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; )
 alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
-alert ( msg: "FTPP_FTP_TELNET_CMD"; sid: 1; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
-alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; )
-alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; )
+alert ( msg: "SMTP_DECODE_MEMCAP_EXCEEDED"; sid: 9; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_QP_DECODING_FAILED"; sid: 11; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "SMTP_UU_DECODING_FAILED"; sid: 13; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
+alert ( msg: "FTPP_FTP_TELNET_CMD"; sid: 1; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; reference:cve,2010-3867; reference:cve,2010-3972; reference:cve,2010-4221; reference:url,www.microsoft.com/technet/security/bulletin/MS11-004.mspx; )
+alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,2010-4221; )
+alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; )
 alert ( msg: "FTPP_FTP_MALFORMED_PARAMETER"; sid: 4; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
 alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2000-0573; )
 alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; )
 alert ( msg: "FTPP_FTP_ENCRYPTED"; sid: 7; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
 alert ( msg: "FTPP_FTP_BOUNCE"; sid: 8; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,1999-0017; reference:url,www.kb.cert.org/vuls/id/276653; )
+alert ( msg: "FTPP_FTP_EVASIVE_TELNET_CMD"; sid: 9; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; )
 alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 1; metadata: rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; )
 alert ( msg: "FTPP_TELNET_ENCRYPTED"; sid: 2; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode;)
 alert ( msg: "FTPP_TELNET_SUBNEG_BEGIN_NO_END"; sid: 3; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode; )
@@ -107,9 +125,9 @@
 alert ( msg: "SSH_EVENT_PAYLOAD_SIZE"; sid: 6; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:bad-unknown;)
 alert ( msg: "SSH_EVENT_VERSION"; sid: 7; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
 alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
-alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
+alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; reference: cve,2009-1157; reference: bugtraq, 34429; classtype:protocol-command-decode; )
 alert ( msg: "STREAM5_DATA_ON_CLOSED"; sid: 3; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
-alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
+alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; reference:cve,2009-1925; )
 alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
 alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 6; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
 alert ( msg: "STREAM5_EXCESSIVE_TCP_OVERLAPS"; sid: 7; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
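Review bot: `FTPP_FTP_TELNET_CMD` (gid 125, sid 1) now cites three CVEs plus the MS11-004 bulletin yet keeps `classtype:protocol-command-decode` and no `policy security-ips drop`, while every other rule in this hunk that gained a CVE for an overflow-class bug (`SMTP_DATA_HDR_OVERFLOW`, `FTPP_FTP_PARAMETER_LENGTH_OVERFLOW`) is `attempted-admin` with the drop policy. If the event fires on any telnet command seen on the FTP control channel, as its name suggests, the low classtype is the right choice and the references are only a pointer, so a comment above the line saying so would stop someone "correcting" the priority later; if it is meant to flag the conditions those advisories describe, the classtype should be raised to match. The same question applies to `FTPP_FTP_INVALID_CMD` (sid 2), which gained `reference:cve,2010-4221` while staying `bad-unknown`. The new `FTPP_FTP_EVASIVE_TELNET_CMD` (sid 9) is added with no reference at all even though its name reads as the evasion variant of the same issue, so the advisory pointers may belong there instead.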
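Review bot: The references added to `STREAM5_DATA_ON_SYN` (gid 129, sid 2) are written as `reference: cve,2009-1157; reference: bugtraq, 34429;` with whitespace after the colon and after the comma, unlike every other `reference:` option in this file. Unless the option parser trims that whitespace, the bugtraq id becomes ` 34429` and the advisory link built from it is wrong, so the line should read `reference:cve,2009-1157; reference:bugtraq,34429;`. `STREAM5_BAD_TIMESTAMP` two lines later already uses the compact form, so the hunk is inconsistent with itself.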
@@ -176,6 +194,60 @@ alert ( msg: "INTERNAL_EVENT_SYN_RECEIVED"; sid: 1; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; ) alert ( msg: "INTERNAL_EVENT_SESSION_ADD"; sid: 2; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; ) alert ( msg: "INTERNAL_EVENT_SESSION_DEL"; sid: 3; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; ) -alert ( msg: "SSL: INVALID CLIENT HELLO AFTER SERVER HELLO"; sid: 1; gid: 137; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) -alert ( msg: "SSL: INVALID SERVER HELLO WITHOUT CLIENT HELLO"; sid: 2; gid: 137; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SSL_INVALID_CLIENT_HELLO"; sid: 1; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-011; reference:cve,2004-0120; reference:bugtraq,10115; ) +alert ( msg: "SSL_INVALID_SERVER_HELLO"; sid: 2; gid: 137; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; ) +alert ( msg: "SIP_EVENT_MAX_SESSIONS"; sid: 1; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-1306; ) +alert ( msg: "SIP_EVENT_BAD_URI"; sid: 3; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_CALL_ID"; sid: 4; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_CALL_ID"; sid: 5; gid: 140; rev: 1; metadata: 
rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_CSEQ_NUM"; sid: 6; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_CSEQ_NAME"; sid: 7; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_FROM"; sid: 8; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_FROM"; sid: 9; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_TO"; sid: 10; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_TO"; sid: 11; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_VIA"; sid: 12; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25446; ) +alert ( msg: "SIP_EVENT_BAD_VIA"; sid: 13; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_CONTACT"; sid: 14; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_CONTACT"; sid: 15; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_CONTENT_LEN"; sid: 16; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_MULTI_MSGS"; sid: 17; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_MISMATCH_CONTENT_LEN"; sid: 18; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_INVALID_CSEQ_NAME"; sid: 19; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK"; sid: 20; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_AUTH_INVITE_DIFF_SESSION"; sid: 21; gid: 140; rev: 1; metadata: rule-type 
preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_BAD_STATUS_CODE"; sid: 22; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_EMPTY_CONTENT_TYPE"; sid: 23; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25300; ) +alert ( msg: "SIP_EVENT_INVALID_VERSION"; sid: 24; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) +alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) +alert ( msg: "IMAP_MEMCAP_EXCEEDED"; sid: 3; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "IMAP_B64_DECODING_FAILED"; sid: 4; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "IMAP_QP_DECODING_FAILED"; sid: 5; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "IMAP_BITENC_DECODING_FAILED"; sid: 6; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "IMAP_UU_DECODING_FAILED"; sid: 7; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) +alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) +alert ( msg: "POP_MEMCAP_EXCEEDED"; sid: 3; gid: 142; rev: 1; metadata: rule-type preproc, 
service pop ; classtype:unknown; ) +alert ( msg: "POP_B64_DECODING_FAILED"; sid: 4; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "POP_QP_DECODING_FAILED"; sid: 5; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "POP_BITENC_DECODING_FAILED"; sid: 6; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "POP_UU_DECODING_FAILED"; sid: 7; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) +alert ( msg: "GTP_EVENT_BAD_MSG_LEN"; sid: 1; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; ) +alert ( msg: "GTP_EVENT_BAD_IE_LEN"; sid: 2; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; ) +alert ( msg: "GTP_EVENT_OUT_OF_ORDER_IE"; sid: 3; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; ) +alert ( msg: "MODBUS_BAD_LENGTH"; sid:1; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "MODBUS_BAD_PROTO_ID"; sid:2; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "MODBUS_RESERVED_FUNCTION"; sid:3; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "DNP3_BAD_CRC"; sid:1; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "DNP3_DROPPED_SEGMENT"; sid:3; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "DNP3_REASSEMBLY_BUFFER_CLEARED"; sid:4; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "DNP3_RESERVED_ADDRESS"; sid:5; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) +alert ( msg: "DNP3_RESERVED_FUNCTION"; sid:6; 
gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
diff -Nru snort-2.9.0.1/RELEASE.NOTES snort-2.9.2/RELEASE.NOTES
--- snort-2.9.0.1/RELEASE.NOTES 2010-10-25 12:48:55.000000000 -0700
+++ snort-2.9.2/RELEASE.NOTES 2011-12-07 09:58:22.000000000 -0800
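Review bot: The seven IMAP preprocessor rules added for gid 141 all carry `service pop` in their metadata, identical to the POP rules for gid 142 that follow them; for events raised by the IMAP preprocessor the tag should presumably be `service imap`, e.g. `alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:protocol-command-decode; )`. If the metadata service tag is consulted for service-aware matching (as it is when an attribute table is in use), a wrong tag can quietly suppress IMAP events on sessions identified as IMAP. The msg `SIP_EVENT_UNKOWN_METHOD` (sid 26, gid 140) also misspells UNKNOWN, and that string will propagate into alert logs and anything that keys on the message text, so it is best corrected before the rule ships.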
@@ -1,56 +1,51 @@ -2010-11-01 - Snort 2.9.0.1 - -[*] Improvements - * Fixed maximum flowbits configuration parsing to specify the number - of bits in accordance with the Snort manual, rather than number of - bytes. If you have 'config flowbits_size' in your snort.conf, - double check that it has the correct setting. - - * Fixed a packet size issue with the IPQ and NFQ DAQs. - - * Updated the version of LibPCRE bundled with the Windows installer. - This update fixes a bug that caused some PCRE matches to fail on Windows. - - -2010-10-04 - Snort 2.9.0 - +2011-12-14 - Snort 2.9.2 [*] New Additions - * Feature rich IPS mode including improvements to Stream for - inline deployments. Additionally a common active response API is - used for all packet responses, including those from Stream, - Respond, or React. A new response module, respond3, supports the - syntax of both resp & resp2, including strafing for passive - deployments. When Snort is deployed inline, a new preprocessor - has been added to handle packet normalization to allow Snort - to interpret a packet the same way as the receiving host. - - * Use of a Data Acquisition API (DAQ) that supports many different - packet access methods including libpcap, netfilterq, IPFW, and - afpacket. For libpcap, version 1.0 or higher is now required. - The DAQ library can be updated independently from Snort and is - a separate module that Snort links to. - - * A new rule option 'byte_extract' that allows extracted values to - be used in subsequent rule options for isdataat, byte_test, - byte_jump, and content distance/within/depth/offset. - - * Two new rule options to support base64 decoding of certain pieces - of data and inspection of the base64 data via subsequent rule - options. - - * Added a new pattern matcher that supports Intel's Quick Assist - Technology for improved performance on supported hardware - platforms. Visit http://www.intel.com to find out more about - Intel Quick Assist. 
- -[*] Improvements - * Updates to HTTP Inspect to extract and log IP addresses from - X-Forward-For and True-Client-IP header fields when Snort generates - events on HTTP traffic. + * SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors + to support writing rules for detecting attacks for control systems. + New rule keywords are supported, and DNP3 leverages Stream5 PAF + support for TCP reassembly. See the Snort Manual, README.dnp3 and + README.modbus for details of the configurations and new rule + options. + + * GTP decoding and preprocessor. Updated the Snort packet decoders + and added a preprocessor to support detecting attacks over GTP (GPRS + Tunneling Protocol). Snort's GTP support handles multiple versions + of GTP and has a rich configuration set. See the Snort Manual and + README.GTP for details. + + * Updates to the HTTP preprocessor to normalize HTTP responses that + include javascript escaped data in the HTTP response body. This + expands Snort's coverage in detecting HTTP client-side attacks. + See the Snort Manual and README.http_inspect for configuration + details. - * Updates to SMTP preprocessor to support MIME attachment decoding - across multiple packets. - - * Updates to the Snort packet decoders for IPv6 for improvements to - anomaly detection. + * Added Protocol-Aware Flushing (PAF) support for FTP. +[*] Improvements + * Updates to Stream preprocessor to be able to track and store + "stream" data for non TCP/UDP flows. Also improvements to handle + when memory associated with a blocked stream is released and usable + for other connections. + + * Updates to dce_stub_data to make it act the same as file_data + and pkt_data rule option keywords in how it interacts with + subsequent content/pcre/etc rule options. + + * Updates to how Snort handles and processes signals received + from the OS. + + * Enabled logging of normalized JavaScript to unified2 without the + use of the --enable-sourcefire configuration option. 
+ + * Improved handling of gaps and overlaps for "first" and "vista" + policies in Stream5. + + * Added support for signal handler customization. At compile-time, + Snort can be customized to use different signal numbers. + This allows problems with overlapping signals to be fixed on a + per-platform basis, which is especially helpful for the BSDs. + See the Snort Manual for more details. + + * Perfmonitor's output files ("now" files) are now created after + Snort drops privileges. Output files will now be owned by the + user and group specified with "-u" and "-g" at the command line. diff -Nru snort-2.9.0.1/rpm/Makefile.in snort-2.9.2/rpm/Makefile.in --- snort-2.9.0.1/rpm/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/rpm/Makefile.in 2011-12-07 11:23:17.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -109,13 +112,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
diff -Nru snort-2.9.0.1/rpm/snort.spec snort-2.9.2/rpm/snort.spec
--- snort-2.9.0.1/rpm/snort.spec 2010-10-08 02:58:33.000000000 -0700
+++ snort-2.9.2/rpm/snort.spec 2011-12-07 11:24:50.000000000 -0800
@@ -91,14 +91,14 @@
 Name: %{realname}%{inlinetext} %{?_with_inline:%define Name: %{realname}-inline }
-Version: 2.9.0.1
+Version: 2.9.2
 Epoch: 1
 Release: %{release}
 Summary: An open source Network Intrusion Detection System (NIDS)
 Group: Applications/Internet
 License: GPL
 Url: http://www.snort.org/
-Source0: http://www.snort.org/dl/2.9.0.1/%{realname}-%{version}.tar.gz
+Source0: http://www.snort.org/snort-downloads/2.9.1/%{realname}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Packager: Official Snort.org %{for_distro}
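Review bot: The new Source0 points at `snort-downloads/2.9.1/` while Version is bumped to 2.9.2 in the same hunk, so the URL names a release directory that does not match the tarball `%{realname}-%{version}.tar.gz` it is supposed to fetch. If the download tree is laid out per release, the directory should follow the version so the two cannot drift again on the next bump, e.g. `Source0: http://www.snort.org/snort-downloads/%{version}/%{realname}-%{version}.tar.gz`. Confirm the actual download location before changing it, since I cannot see the server layout from the diff.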
@@ -346,20 +346,13 @@ %__mkdir_p -m 0755 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor %__install -p -m 0755 plain/src/dynamic-plugins/sf_engine/.libs/libsf_engine.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicengine %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicengine/libsf_engine.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicengine/libsf_engine.so - %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_smtp_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_smtp_preproc.so - %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ftptelnet_preproc.so - %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dns_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dns_preproc.so - %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssh_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssh_preproc.so - %__install -p -m 0755 
plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssl_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssl_preproc.so - %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dce2_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dce2_preproc.so - %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor - %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_sdf_preproc.so.0 $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_sdf_preproc.so + %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/*.so* $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor + + for file in $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/*.so; do + preprocessor=`basename $file` + %__ln_s -f %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/$preprocessor.0 $file + done + %__install -p -m 0644 snort.8 $RPM_BUILD_ROOT%{_mandir}/man8 %__gzip $RPM_BUILD_ROOT%{_mandir}/man8/snort.8 %__install -p -m 0755 rpm/snortd $RPM_BUILD_ROOT%{_initrddir} 
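Review bot: The symlink loop added in the `%install` section expands `$file` unquoted and has no guard for an empty match, so a build-root path containing whitespace would be word-split, and if no `*.so` is present the literal pattern is handed to basename and a dangling `*.so` symlink is created. Separately, the preceding `%__install -p -m 0755 ... *.so*` copies every name the glob matches; if the staged `snort_dynamicpreprocessor` directory holds libtool's usual `.so` and `.so.0` links to `.so.0.0.0` (inferred, not visible here), install dereferences them and the package ends up with `.so.0` and `.so.0.0.0` as two full copies per preprocessor, with only `.so` re-linked by the loop. A quoted loop with an existence check addresses the first point; the second is worth checking against the built RPM's file list. The `%install` section continues outside the hunk.
```rpmspec
    %__install -p -m 0755 plain/src/dynamic-preprocessors/build/%{_prefix}/lib/snort_dynamicpreprocessor/*.so* $RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor

    for file in "$RPM_BUILD_ROOT%{_libdir}/%{realname}-%{version}_dynamicpreprocessor"/*.so; do
        [ -e "$file" ] || continue
        preprocessor=`basename "$file"`
        %__ln_s -f "%{_libdir}/%{realname}-%{version}_dynamicpreprocessor/$preprocessor.0" "$file"
    done
# … unchanged: man page and init script install …
```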
@@ -529,13 +522,8 @@
 %attr(0755,root,root) %dir %{_libdir}/%{realname}-%{version}_dynamicengine
 %attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicengine/libsf_engine.*
 %attr(0755,root,root) %dir %{_libdir}/%{realname}-%{version}_dynamicpreprocessor
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_smtp_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ftptelnet_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dns_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssh_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_ssl_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_dce2_preproc.*
-%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_sdf_preproc.*
+%attr(0755,root,root) %{_libdir}/%{realname}-%{version}_dynamicpreprocessor/libsf_*_preproc.*
+
 %dir %{_docdir}/%{realname}-%{version}
 %docdir %{_docdir}/%{realname}-%{version}
diff -Nru snort-2.9.0.1/rules/attack-responses.rules snort-2.9.2/rules/attack-responses.rules
--- snort-2.9.0.1/rules/attack-responses.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/attack-responses.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,44 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: attack-responses.rules,v 1.32.2.3.2.2 2005/07/22 19:19:54 mwatchinski Exp $ -# ---------------- -# ATTACK RESPONSES -# ---------------- -# These signatures are those when they happen, its usually because a machine -# has been compromised. These should not false that often and almost always -# mean a compromise. 
- -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:9;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:10;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:8;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:12;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;) - -alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;) -alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;) - -alert tcp 
$HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:5;) -alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10;) -alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10;) -alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:12;) -alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8;) -alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2104; rev:5;) -alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; 
reference:nessus,11633; classtype:successful-admin; sid:2123; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3;) diff -Nru snort-2.9.0.1/rules/backdoor.rules snort-2.9.2/rules/backdoor.rules --- snort-2.9.0.1/rules/backdoor.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/backdoor.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,119 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: backdoor.rules,v 1.44.2.6.2.3 2005/05/31 17:13:02 mwatchinski Exp $ -#--------------- -# BACKDOOR RULES -#--------------- -# - -alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;) -alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;) - - -alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;) - -alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any 
(msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;) - -# 3150, 4120 -alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4;) -alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7;) -alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3;) -alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3;) -alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;) -alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3;) - - -alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;) -alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; 
content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;) - - -alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;) -alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;) -alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;) - - -alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;) -alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;) -alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8;) -alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; 
sid:121; rev:8;) - -alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;) - -alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;) -alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;) -alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;) -alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;) -alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;) -alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;) -alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;) -# alert tcp 
$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:6;)
-alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;)
-alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;)
-alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9;)
-alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;)
-alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;)
-
-
-alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; 
classtype:attempted-admin; sid:211; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;)
-alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8;)
-alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute 
trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;)
-
-
-# NOTES: this string should be within the first 3 bytes of the connection
-alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;)
-alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:mcafee,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11;)
-alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3;)
-alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1;)
-alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; classtype:misc-activity; sid:3014; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; classtype:misc-activity; sid:3013; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; 
depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:3063; rev:2;)
-alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:3064; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; content:"getclient"; depth:9; flowbits:isset,backdoor.y3krat_15.connect; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; classtype:misc-activity; sid:3082; rev:1;)
-alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; classtype:misc-activity; sid:3081; rev:1;)
-alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; content:"client"; depth:6; flowbits:isset, backdoor.y3krat_15.client.response; classtype:misc-activity; sid:3083; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute 
attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;)
diff -Nru snort-2.9.0.1/rules/bad-traffic.rules snort-2.9.2/rules/bad-traffic.rules
--- snort-2.9.0.1/rules/bad-traffic.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/bad-traffic.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,41 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#------------------
-# BAD TRAFFIC RULES
-#------------------
-# These signatures are representitive of traffic that should never be seen on
-# any network. 
None of these signatures include datagram content checking
-# and are extremely quick signatures
-#
-
-alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
-alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;)
-alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
-# linux happens. 
Blah
-# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
-alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
-alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
diff -Nru snort-2.9.0.1/rules/cgi-bin.list snort-2.9.2/rules/cgi-bin.list
--- snort-2.9.0.1/rules/cgi-bin.list 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/cgi-bin.list 1969-12-31 16:00:00.000000000 -0800
@@ -1,16 +0,0 @@
-# (C) Copyright 2001,2002 Brian Caswell, et al. All rights reserved.
-# $Id: cgi-bin.list,v 1.3 2002/08/18 20:28:43 cazz Exp $
-#--------------
-# cgi-bin list
-#--------------
-# if content-list actually worked, this would be our content-list for
-# the different CGI bin directories we would check for.
-
-"/cgi-bin/"
-"/cgi/"
-"/cgi-local/"
-"/perl/"
-"/mod_perl/"
-"/scripts/"
-"/comps/"
-"/cgi-bin-sdb/"
diff -Nru snort-2.9.0.1/rules/chat.rules snort-2.9.2/rules/chat.rules
--- snort-2.9.0.1/rules/chat.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/chat.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,63 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: chat.rules,v 1.25.2.2.2.4 2005/07/22 19:19:54 mwatchinski Exp $
-#-------------
-# CHAT RULES
-#-------------
-# These signatures look for people using various types of chat programs (for
-# example: AIM, ICQ, and IRC) which may be against corporate policy
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;)
-
-alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file 
transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:6;)
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:1988; rev:5;)
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1991; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:542; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 
6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;)
-alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;)
-
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:1631; rev:8;)
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
-
-
-
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; 
depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;) - -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;) -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;) - -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;) -alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;) - -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:" $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;) diff -Nru snort-2.9.0.1/rules/classification.config 
snort-2.9.2/rules/classification.config
--- snort-2.9.0.1/rules/classification.config 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/classification.config 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-# $Id: classification.config,v 1.11 2003/10/20 15:03:03 chrisgreen Exp $
-# The following includes information for prioritizing rules
-#
-# Each classification includes a shortname, a description, and a default
-# priority for that classification.
-#
-# This allows alerts to be classified and prioritized. You can specify
-# what priority each classification has. Any rule can override the default
-# priority for that rule.
-#
-# Here are a few example rules:
-#
-# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
-# dsize: > 128; classtype:attempted-admin; priority:10;
-#
-# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
-# content:"expn root"; nocase; classtype:attempted-recon;)
-#
-# The first rule will set its type to "attempted-admin" and override
-# the default priority for that type to 10.
-#
-# The second rule set its type to "attempted-recon" and set its
-# priority to the default for that type.
-#
-
-#
-# config classification:shortname,short description,priority
-#
-
-config classification: not-suspicious,Not Suspicious Traffic,3
-config classification: unknown,Unknown Traffic,3
-config classification: bad-unknown,Potentially Bad Traffic, 2
-config classification: attempted-recon,Attempted Information Leak,2
-config classification: successful-recon-limited,Information Leak,2
-config classification: successful-recon-largescale,Large Scale Information Leak,2
-config classification: attempted-dos,Attempted Denial of Service,2
-config classification: successful-dos,Denial of Service,2
-config classification: attempted-user,Attempted User Privilege Gain,1
-config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
-config classification: successful-user,Successful User Privilege Gain,1
-config classification: attempted-admin,Attempted Administrator Privilege Gain,1
-config classification: successful-admin,Successful Administrator Privilege Gain,1
-
-
-# NEW CLASSIFICATIONS
-config classification: 
rpc-portmap-decode,Decode of an RPC Query,2
-config classification: shellcode-detect,Executable code was detected,1
-config classification: string-detect,A suspicious string was detected,3
-config classification: suspicious-filename-detect,A suspicious filename was detected,2
-config classification: suspicious-login,An attempted login using a suspicious username was detected,2
-config classification: system-call-detect,A system call was detected,2
-config classification: tcp-connection,A TCP connection was detected,4
-config classification: trojan-activity,A Network Trojan was detected, 1
-config classification: unusual-client-port-connection,A client was using an unusual port,2
-config classification: network-scan,Detection of a Network Scan,3
-config classification: denial-of-service,Detection of a Denial of Service Attack,2
-config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
-config classification: protocol-command-decode,Generic Protocol Command Decode,3
-config classification: web-application-activity,access to a potentially vulnerable web application,2
-config classification: web-application-attack,Web Application Attack,1
-config classification: misc-activity,Misc activity,3
-config classification: misc-attack,Misc Attack,2
-config classification: icmp-event,Generic ICMP event,3
-config classification: kickass-porn,SCORE! Get the lotion!,1
-config classification: policy-violation,Potential Corporate Privacy Violation,1
-config classification: default-login-attempt,Attempt to login by a default username and password,2
diff -Nru snort-2.9.0.1/rules/community-bot.rules snort-2.9.2/rules/community-bot.rules
--- snort-2.9.0.1/rules/community-bot.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-bot.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,117 +0,0 @@
-# Copyright 2006 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-bot.rules,v 1.5 2006/10/23 12:49:52 akirk Exp $
-
-
-# Some rules to look for botnets using popular bot software.
-# Contributed by David J. Bianco
-#
-# A more detailed writeup can be found at:
-#
-#http://infosecpotpourri.blogspot.com/2006/03/detecting-common-botnets-with-snort.html
-#
-#
-# This rule merely looks for IRC traffic on any TCP port (by detecting
-# NICK change events, which occur at the beginning of the session) and
-# sets the is_proto_irc flowbit. It does not actually generate any alerts
-# itself.
-alert tcp any any -> any any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits:set,community_is_proto_irc; flowbits: noalert; classtype:misc-activity; sid:100000240; rev:3;)
-
-# Using the aforementioned is_proto_irc flowbits, do some IRC checks.
-# This one looks for IRC servers running on the $HOME_NET
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow: to_server,established; flowbits:isset,community_is_proto_irc; classtype: policy-violation; sid:100000241; rev:2;)
-
-# These rules look for specific Agobot/PhatBot commands on an IRC session
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.about command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.about"; classtype: trojan-activity; sid:100000242; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.die command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.die"; classtype: trojan-activity; sid:100000243; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.dns command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.dns"; classtype: trojan-activity; sid:100000244; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.execute command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.execute"; classtype: trojan-activity; sid:100000245; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.id command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.id"; classtype: trojan-activity; sid:100000246; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.nick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.nick"; classtype: trojan-activity; sid:100000247; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.open command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.open"; classtype: trojan-activity; sid:100000248; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.remove command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.remove"; classtype: trojan-activity; sid:100000249; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.removeallbut command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.removeallbut"; classtype: trojan-activity; sid:100000250; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.rndnick"; classtype: trojan-activity; sid:100000251; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.status command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.status"; classtype: trojan-activity; sid:100000252; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.sysinfo command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.sysinfo"; classtype: trojan-activity; sid:100000253; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.longuptime command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.longuptime"; classtype: trojan-activity; sid:100000254; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.highspeed command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.highspeed"; classtype: trojan-activity; sid:100000255; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.quit command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.quit"; classtype: trojan-activity; sid:100000256; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.flushdns command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.flushdns"; classtype: trojan-activity; sid:100000257; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.secure command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.secure"; classtype: trojan-activity; sid:100000258; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.unsecure command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.unsecure"; classtype: trojan-activity; sid:100000259; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.command command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.command"; classtype: trojan-activity; sid:100000260; rev:2;)
-
-# Now some rules to look for SDBot traffic, also on established IRC sessions.
-# There are fewer of these, since the commands themselves aren't so distinctive
-# (don't want a lot of false positives on regular IRC conversations).
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot killthread command"; flow: established; flowbits:isset,community_is_proto_irc; content:"killthread"; pcre:"/killthread\s+\d+\b/"; classtype: trojan-activity; sid:100000261; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot cdkey command"; flow: established; flowbits:isset,community_is_proto_irc; content:"cdkey"; classtype: trojan-activity; sid:100000262; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot getcdkey command"; flow: established; flowbits:isset,community_is_proto_irc; content:"getcdkey"; classtype: trojan-activity; sid:100000263; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"rndnick"; classtype: trojan-activity; sid:100000264; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot c_rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"c_rndnick"; classtype: trojan-activity; sid:100000265; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot c_nick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"c_nick"; classtype: trojan-activity; sid:100000266; rev:2;)
-
-# Ok, on to SpyBot rules
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot stopspy command"; flow: established; flowbits:isset,community_is_proto_irc; content:"stopspy"; classtype: trojan-activity; sid:100000267; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot redirectspy command"; flow: established; flowbits:isset,community_is_proto_irc; content:"redirectspy"; classtype: trojan-activity; sid:100000268; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot loadclones command"; flow: established; flowbits:isset,community_is_proto_irc; 
content:"loadclones"; classtype: trojan-activity; sid:100000269; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot killclones command"; flow: established; flowbits:isset,community_is_proto_irc; content:"killclones"; classtype: trojan-activity; sid:100000270; rev:2;) - -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot rawclones command"; flow: established; flowbits:isset,community_is_proto_irc; content:"rawclones"; classtype: trojan-activity; sid:100000271; rev:2;) - -# Finally GT Bot rules. These try to account for the case where the bot -# herder has redifined the command character away from the default '!'. -# The only bug here is that this won't detect the ':' as the cmdchar. IRC -# uses the colon as part of the protocol message, and it was confusing -# any message the started with (e.g.) "portscan" at the beginning of the line -# and bot commands in the form of ":portscan". -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot ver command"; flow: established; flowbits:isset,community_is_proto_irc; content:"ver"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot info command"; flow: established; flowbits:isset,community_is_proto_irc; content:"info"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"scan"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot portscan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"portscan"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot stopscan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"stopscan"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot packet command"; flow: established; flowbits:isset,community_is_proto_irc; content:"packet"; pcre:"/(? $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot bnc command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bnc"; pcre:"/(? 
$EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC DCC file transfer request"; flow:established,to_server; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; nocase; distance:0; pcre:"/^\s*PRIVMSG/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000900; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC DCC chat request"; flow:established,to_server; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; nocase; distance:0; pcre:"/^\s*PRIVMSG/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000901; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC channel join"; flow:established,to_server; content:"JOIN "; nocase; pcre:"/^\s*JOIN/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000902; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC dns request"; flow:established,to_server; content:"USERHOST "; nocase; pcre:"/^\s*USERHOST/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000903; rev:1;)
-alert tcp $EXTERNAL_NET 8585 -> $HOME_NET any (msg:"COMMUNITY BOT Mytob IRC dns response"; flow:established,to_client; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000904; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC nick change"; flow:established,to_server; content:"NICK "; nocase; pcre:"/^\s*NICK/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000905; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-deleted.rules snort-2.9.2/rules/community-deleted.rules
--- snort-2.9.0.1/rules/community-deleted.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-deleted.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,7 +0,0 @@
-# Copyright 2006 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-deleted.rules,v 1.3 2006/12/05 20:32:48 akirk Exp $
-
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments.php"; nocase; uricontent:"keyword="; nocase; classtype:web-application-attack; sid:100000819; rev:2;)
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments"; nocase; uricontent:"|2E|php"; nocase; uricontent:"|3F|keyword"; nocase; reference:bugtraq,18798; classtype:web-application-attack; sid:100000848; rev:2;)
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000381; rev:3;)
diff -Nru snort-2.9.0.1/rules/community-dos.rules snort-2.9.2/rules/community-dos.rules
--- snort-2.9.0.1/rules/community-dos.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-dos.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,16 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-dos.rules,v 1.7 2007/02/22 20:44:35 akirk Exp $
-
-#Rule submitted by rmkml
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY DOS Tcpdump rsvp attack"; ip_proto:46; content:"|00 08 14 01 03 00 00 00|"; reference:cve,2005-1280; reference:cve,2005-1281; reference:bugtraq,13391; classtype:attempted-dos; sid:100000134; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1069 (msg:"COMMUNITY DOS Ethereal slimp overflow attempt"; content:"|6C C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 FF FF 00 00 01 00 00 00 56 57 F7|"; reference:cve,2005-3243; reference:url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html; classtype:attempted-dos; sid:100000175; rev:1;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 5005 (msg:"COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt"; flow:stateless; content:"|21 43 65 87|"; reference:cve,2005-1928; reference:url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities; classtype:attempted-dos; sid:100000215; rev:2;)
-
-#Rules submitted by the Verisign MSS Operations Team
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6667:7000 (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000686; rev:2;)
-alert tcp $HOME_NET 6667:7000 -> $EXTERNAL_NET any (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000687; rev:2;)
-
-#Rule submitted by Dan Protich
-alert udp $EXTERNAL_NET !53 <> $HOME_NET !53 (msg:"COMMUNITY DOS Single-Byte UDP Flood"; content:"0"; dsize:1; classtype:attempted-dos; threshold: type threshold, track by_dst, count 200, seconds 60; sid:100000923; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-exploit.rules snort-2.9.2/rules/community-exploit.rules
--- snort-2.9.0.1/rules/community-exploit.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-exploit.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,11 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;)
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-ftp.rules snort-2.9.2/rules/community-ftp.rules
--- snort-2.9.0.1/rules/community-ftp.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-ftp.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,4 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-ftp.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
diff -Nru snort-2.9.0.1/rules/community-game.rules snort-2.9.2/rules/community-game.rules
--- snort-2.9.0.1/rules/community-game.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-game.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,10 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;)
-alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-icmp.rules snort-2.9.2/rules/community-icmp.rules
--- snort-2.9.0.1/rules/community-icmp.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-icmp.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,8 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-icmp.rules,v 1.4 2006/06/01 15:51:28 akirk Exp $
-
-#Rule submitted by rmkml
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP Linux DoS sctp Exploit"; icode:2; itype:3; content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:nessus,19777; classtype:attempted-user; sid:100000164; rev:2;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-imap.rules snort-2.9.2/rules/community-imap.rules
--- snort-2.9.0.1/rules/community-imap.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-imap.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,15 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-imap.rules,v 1.7 2006/04/07 13:34:06 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU Mailutils request tag format string vulnerability"; flow:to_server,established; content:"|25|"; pcre:"/^\S*\x25\S*\s/sm"; reference:cve,CAN-2005-1523; reference:bugtraq,13764; classtype:attempted-admin; sid:100000135; rev:1;)
-#Rule submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.*\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt"; flow:to_server,established; flowbits:isset,community_imap.auth; isdataat:342; pcre:"/[^\x0A]{342,}/"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:3;)
-alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"COMMUNITY IMAP MDaemon authentication okay protocol decode"; flow:to_client,established; content:"AUTHENTICATE"; nocase; pcre:"/\sOK\sAUTHENTICATE/smi"; flowbits:unset,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000154; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication overflow single packet attempt"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN][^\n]*\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"|2E 2E|"; nocase; pcre:"/^\d*\s*SELECT\s*\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:2;)
diff -Nru snort-2.9.0.1/rules/community-inappropriate.rules snort-2.9.2/rules/community-inappropriate.rules
--- snort-2.9.0.1/rules/community-inappropriate.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-inappropriate.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,8 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-inappropriate.rules,v 1.8 2005/04/01 17:16:23 akirk Exp $
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE lolita sex"; content:"lolita"; nocase; content:"sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000105; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE preteen sex"; content:"teen"; nocase; pcre:"/pre-?teen/i"; flow:to_client,established; classtype:kickass-porn; sid:100000123; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE girls gone wild"; content:"girls"; nocase; content:"gone"; nocase; content:"wild"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000124; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-mail-client.rules snort-2.9.2/rules/community-mail-client.rules
--- snort-2.9.0.1/rules/community-mail-client.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-mail-client.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,4 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-mail-client.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
diff -Nru snort-2.9.0.1/rules/community-misc.rules snort-2.9.2/rules/community-misc.rules
--- snort-2.9.0.1/rules/community-misc.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-misc.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,48 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-misc.rules,v 1.25 2007/03/05 15:22:49 akirk Exp $
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY MISC Sentinel License Manager overflow attempt"; dsize:>1000; reference:cve,CAN-2005-0353; reference:bugtraq,12742; classtype:attempted-user; sid:100000125; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2380 (msg:"COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt"; flow:to_server,established; pcre:"/[^\r\n]{1000,}/i"; reference:cve,2005-0768; reference:url,unsecure.altervista.org/security/goodtechtelnet.htm; classtype:attempted-dos; sid:100000126; rev:1;)
-#Rule submitted by rmkml
-alert tcp any any -> any !139 (msg:"COMMUNITY MISC BAD-SSL tcp detect"; flow:stateless; content:"|00 0E|"; depth:4; offset:0; classtype:misc-activity; sid:100000137; rev:1;)
-#Rules submitted by Thierry Chich
-alert tcp any any -> any any (msg:"COMMUNITY MISC streaming RTSP - realplayer"; flow:established; content:"PLAY rtsp|3A 2F 2F|"; depth: 12; classtype:policy-violation; reference:url,www.rtsp.org; sid:100000189; rev:2;)
-alert tcp any any -> any any (msg:"COMMUNITY MISC streaming Windows Mediaplayer"; flow:established; content:"|01 00 00 00 ce fa 0b b0|"; depth: 8; content:"MMS"; distance:4; within:4; classtype:policy-violation; reference:url,www.microsoft.com; sid:100000190; rev:2;)
-#alert udp $EXTERNAL_NET 1023: -> $HOME_NET 123 (msg:"COMMUNITY MISC Ntp fingerprint detect"; dsize:48; content:"|BE 78 2F 1D 19 BA 00 00|"; reference:url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1; classtype:attempted-dos; sid:100000198; rev:1;)
-#Rule submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 (msg:"COMMUNITY MISC Novell eDirectory iMonitor access"; flow:to_server,established; uricontent:"/nds/"; 
nocase; reference:bugtraq,14548; reference:cve,2005-2551; reference:nessus,19248; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18703; classtype:web-application-attack; sid:100000199; rev:1;) -#Rule submitted jointly by Romain Chartier, Sylvain Sarmejeanne, and Pierre Lalet -alert udp any any -> any 53 (msg:"COMMUNITY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;) -#Rules submitted by Crusoe Researches Team -alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"COMMUNITY MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;) -alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"COMMUNITY MISC SNMP trap Format String detected"; content:"%s"; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:1;) -#Rule submitted by Nigel Houghton -alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"COMMUNITY MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:2;) - -#Jabber/Google Talk traffic from the client submitted by Steven Alexander -alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:" 
$EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Logon"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outoing Message"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Log Out"; flow:to_server,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Logon Success"; flow:to_client,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Incoming Message"; flow:to_client,established; content:" $HOME_NET 1364 (msg:"COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials"; flow:stateless; content:"SVTM056I"; nocase; classtype:bad-unknown; sid:100000281; rev:2;) - -# TOR Rules by Dan Ramaswami -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY MISC DLR-TOR Directory server response"; flow:established,to_client; content:"|54 4f 52|"; offset:109; depth:3; content:"|06 03 55 04 03|"; distance:4; within:5; content:"|20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:2; within:30; reference:url,tor.eff.org; classtype:policy-violation; sid:100000874; rev:2;) -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY MISC DLR-TOR Client Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|06 03 55 04 03 14|"; distance:4; within:6; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:1; within:17; classtype:policy-violation; reference:url,tor.eff.org; sid:100000875; rev:1;) - -# Additional GoogleTalk Rules by Will Young -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY MISC Google Talk Version Check"; flow: established,to_server; uricontent:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype: policy-violation; sid:100000876; rev:1;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; classtype:policy-violation; 
threshold: type limit, track by_src, count 1, seconds 300; sid:100000877; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;)
-
-# Rule submitted by dprotich@sagonet.com
-alert udp $EXTERNAL_NET any <> $HOME_NET 1025:1026 (msg:"COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry"; content:"FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"; classtype:misc-activity; reference:url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx; sid:100000927; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-nntp.rules snort-2.9.2/rules/community-nntp.rules
--- snort-2.9.0.1/rules/community-nntp.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-nntp.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,6 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-nntp.rules,v 1.3 2006/02/16 15:51:19 akirk Exp $
-
-alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"COMMUNITY NNTP Lynx overflow attempt"; flow:to_server,established; content:"Subject"; nocase; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; reference:bugtraq,15117; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:2;)
diff -Nru snort-2.9.0.1/rules/community-oracle.rules snort-2.9.2/rules/community-oracle.rules
--- snort-2.9.0.1/rules/community-oracle.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-oracle.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,6 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-policy.rules snort-2.9.2/rules/community-policy.rules
--- snort-2.9.0.1/rules/community-policy.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-policy.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,11 +0,0 @@
-# Copyright 2006 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-policy.rules,v 1.5 2007/03/05 14:39:58 akirk Exp $
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY POLICY Ajax Remote Desktop Connection"; flow:from_server,established; content:""; content:"AJAX Remote Desktop Viewer"; distance:0; reference:url,www.peterdamen.com/ajaxrd/; classtype:policy-violation; sid:100000688; rev:2;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Weather Channel Desktop App Installer"; flow: established,to_server; uricontent:"/desktopfw"; nocase; uricontent:"/stubinstaller.txt?"; nocase; classtype:policy-violation; sid:100000893; rev:1;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Weather Channel Desktop App"; flow: established,to_server; uricontent:"/weather/local/"; nocase; content:"Host|3A|"; nocase; content:"desktopfw.weather.com"; nocase; distance:0; pcre:"/^Host\x3A\s+desktopfw\x2Eweather\x2Ecom/smi"; classtype:policy-violation; sid:100000894; rev:1;)
-# alert ip 169.254.0.0/16 any <> any any (msg:"COMMUNITY POLICY Link Local IP addresses traffic seen"; threshold:type limit, track by_src, count 1, seconds 60; classtype:bad-unknown;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Google SafeSearch off"; flow:to_server,established; content:"/images?"; nocase; content:"&safe=off"; nocase; content:"&q="; nocase; classtype:policy-violation; sid:100000924; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-sid-msg.map snort-2.9.2/rules/community-sid-msg.map
--- snort-2.9.0.1/rules/community-sid-msg.map 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-sid-msg.map 1969-12-31 16:00:00.000000000 -0800
@@ -1,837 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# This file is licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# Id SID -> MSG map - -100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947 -100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947 -100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281 -100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262 -100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192 -100000105 || COMMUNITY INAPPROPRIATE lolita sex -100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx -100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx -100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404 -100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404 -100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300 -100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300 -100000112 || COMMUNITY WEB-CGI Readfile.tcl Access || bugtraq,7426 -100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243 -100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243 -100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589 -100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589 -100000117 || COMMUNITY WEB-CGI 
VBulliten Remote Command Execution Attempt || bugtraq,12542 -100000118 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx -100000119 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx -100000121 || COMMUNITY WEB-MISC Test Script Access -100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646 -100000123 || COMMUNITY INAPPROPRIATE preteen sex -100000124 || COMMUNITY INAPPROPRIATE girls gone wild -100000125 || COMMUNITY MISC Sentinel License Manager overflow attempt || cve,CAN-2005-0353 || bugtraq,12742 -100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt || cve,2005-0768 || url,unsecure.altervista.org/security/goodtechtelnet.htm -100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php || bugtraq,12735 -100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php || bugtraq,12735 -100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS || bugtraq,10014 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml -100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS || bugtraq,12778 -100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access || bugtraq,12778 -100000132 || COMMUNITY WEB-MISC Proxy Server Access -100000133 || COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request || bugtraq,7398 || url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1 -100000134 || COMMUNITY DOS Tcpdump rsvp attack || cve,2005-1280 || cve,2005-1281 || bugtraq,13391 -100000135 || COMMUNITY IMAP GNU Mailutils request tag format string vulnerability 
|| cve,CAN-2005-1523 || bugtraq,13764 -100000136 || COMMUNITY IMAP GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878 -100000137 || COMMUNITY MISC BAD-SSL tcp detect -100000138 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost || cve,2005-2678 -100000139 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678 -100000140 || COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow || cve,2005-0684 || url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities -100000141 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000142 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000143 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000144 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000145 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000146 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252 -100000148 || COMMUNITY WEB-MISC Barracuda img.pl attempt || bugtraq,14712 || bugtraq,14710 || cve,2005-2848 -100000149 || COMMUNITY WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403 -100000150 || COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt || bugtraq,13873 || bugtraq,14106 || cve,2005-2088 || cve,2005-2089 || cve,2005-2090 || cve,2005-2091 || cve,2005-2092 || cve,2005-2093 || cve,2005-2094 || url,www.osvdb.org/displayvuln.php?osvdb_id=17738 || nessus,18337 -100000151 || COMMUNITY WEB-PHP piranha default passwd attempt 
|| bugtraq,1148 || cve,2000-0248 || nessus,10381 -100000152 || COMMUNITY IMAP MDaemon authentication protocol decode -100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317 -100000154 || COMMUNITY IMAP MDaemon authentication okay protocol decode -100000155 || COMMUNITY IMAP MDaemon authentication overflow single packet attempt || bugtraq,14317 -100000156 || COMMUNITY WEB-CGI Twiki shell command execution || bugtraq,14834 || cve,2005-2877 || url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev -100000157 || COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt || bugtraq,14831 -100000158 || COMMUNITY SIP INVITE message flooding -100000159 || COMMUNITY SIP REGISTER message flooding -100000160 || COMMUNITY SIP TCP/IP message flooding directed to SIP proxy -100000161 || COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses -100000162 || COMMUNITY SIP 401 Unauthorized Flood -100000163 || COMMUNITY SIP 407 Proxy Authentication Required Flood -100000164 || COMMUNITY ICMP Linux DoS sctp Exploit || nessus,19777 -100000165 || COMMUNITY EXPLOIT Sentinel LM exploit || bugtraq,12742 || cve,2005-0353 || url,www.osvdb.org/displayvuln.php?osvdb_id=14605 || nessus,17326 -100000166 || COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html -100000167 || COMMUNITY SMTP Hydra Activity Detected || url,www.thc.org/releases.php -100000168 || COMMUNITY WEB-ATTACKS Hydra Activity Detected || url,www.thc.org/releases.php -100000169 || COMMUNITY WEB-ATTACKS Amap fingerprint attempt || url,www.thc.org/releases.php -100000170 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926 -100000171 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept 
Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926 -100000172 || COMMUNITY NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035 -100000173 || COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt -100000174 || COMMUNITY WEB-IIS RSA WebAgent access || cve,2005-1118 || bugtraq,13168 -100000175 || COMMUNITY DOS Ethereal slimp overflow attempt || cve,2005-3243 || url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html -100000176 || COMMUNITY EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136 -100000177 || COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389 -100000178 || COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt || bugtraq,15225 || nessus,20097 -100000179 || COMMUNITY WEB-MISC SMC TRACE access || url,www.kb.cert.org/vuls/id/867593 -100000180 || COMMUNITY EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838 -100000181 || COMMUNITY GAME FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492 -100000182 || COMMUNITY GAME Battle Carry attempt || cve,2005-3493 || bugtraq,15282 -100000183 || COMMUNITY WEB-ATTACKS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf -100000184 || COMMUNITY WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707 -100000185 || COMMUNITY WEB-MISC apache directory list attempt || bugtraq,3009 || cve,2001-0731 -100000186 || COMMUNITY WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356 -100000187 || COMMUNITY WEB-PHP XSS attempt -100000188 || COMMUNITY WEB-PHP Vubb Path attempt || cve,2005-3513 || url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2 -100000189 || COMMUNITY MISC streaming RTSP - realplayer 
|| url,www.rtsp.org -100000190 || COMMUNITY MISC streaming Windows Mediaplayer || url,www.microsoft.com -100000191 || COMMUNITY SMTP Gnu Mailman utf8 attachement access || bugtraq,15408 || cve,2005-3573 || url,www.osvdb.org/displayvuln.php?osvdb_id=20819 -100000192 || COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20846 -100000193 || COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20845 -100000194 || COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20847 -100000195 || COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access || bugtraq,15414 || cve,2005-3347 -100000196 || COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488 -100000197 || COMMUNITY ICMP undefined code -100000198 || COMMUNITY MISC Ntp fingerprint detect || url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1 -100000199 || COMMUNITY MISC Novell eDirectory iMonitor access || bugtraq,14548 || cve,2005-2551 || nessus,19248 || url,www.osvdb.org/displayvuln.php?osvdb_id=18703 -100000200 || COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt || nessus,19598 || url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html -100000201 || COMMUNITY WEB-PHP CuteNews flood.db.php access || bugtraq,14869 || cve,2005-3010 || nessus,19756 || url,www.osvdb.org/displayvuln.php?osvdb_id=19478 -100000202 || COMMUNITY WEB-PHP DeluxeBB topic.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19404 -100000203 || COMMUNITY WEB-PHP DeluxeBB misc.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19405 -100000204 || COMMUNITY WEB-PHP DeluxeBB pm.php access || bugtraq,14851 || 
cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19407 -100000205 || COMMUNITY WEB-PHP DeluxeBB forums.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19406 -100000206 || COMMUNITY WEB-PHP DeluxeBB newpost.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19408 -100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 -100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml -100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt || bugtraq,14367 || cve,2005-2420 || nessus,19300 || url,www.osvdb.org/displayvuln.php?osvdb_id=18305 -100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt -100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000212 || COMMUNITY WEB-PHP Gallery g2_return access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000213 || COMMUNITY WEB-PHP Gallery g2_view access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000214 || COMMUNITY WEB-PHP Gallery g2_subView access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034 -100000215 || COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt || cve,2005-1928 || url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities -100000216 || COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access || cve,2005-1929 || url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities -100000217 || COMMUNITY WEB-MISC man2web cmd 
exec attempt || cve,2005-2812 || bugtraq,14747 || nessus,19591 -100000218 || COMMUNITY WEB-PHP MailGust SQL Injection email attempt || bugtraq,14933 || cve,2005-3063 || nessus,19947 -100000219 || COMMUNITY SMTP MIME-Type ms-tnef access || bugtraq,16197 || cve,2006-0002 || url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx -100000220 || COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access || url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt || url,www.osvdb.org/displayvuln.php?osvdb_id=16244 -100000221 || COMMUNITY WEB-PHP AppServ main.php appserv_root param access || url,www.osvdb.org/displayvuln.php?osvdb_id=22228 -100000222 || COMMUNITY MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200 -100000223 || COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189 -100000224 || COMMUNITY SMTP Mozilla filename overflow attempt || bugtraq,16271 -100000225 || COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access || cve,2006-0192 -100000226 || COMMUNITY VIRUS Possible BlackWorm or Nymex infected host || url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm || url,cme.mitre.org/data/list.html#24 || url,isc.sans.org/blackworm -100000227 || COMMUNITY MISC SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493 -100000228 || COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361 -100000229 || COMMUNITY MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html -100000230 || COMMUNITY MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/ -100000231 || COMMUNITY MISC Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/ 
-100000232 || COMMUNITY MISC Google Talk Logon || url,www.google.com/talk/ -100000233 || COMMUNITY MISC Jabber/Google Talk Outoing Message || url,www.google.com/talk/ -100000234 || COMMUNITY MISC Jabber/Google Talk Log Out || url,www.google.com/talk/ -100000235 || COMMUNITY MISC Jabber/Google Talk Logon Success || url,www.google.com/talk/ -100000236 || COMMUNITY MISC Jabber/Google Talk Incoming Message || url,www.google.com/talk/ -100000237 || COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language || url,www.boingboing.net/2006/02/22/argonne_national_lab.html -100000238 || COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt || bugtraq,17131 || cve,2006-1245 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000239 || COMMUNITY WEB-CLIENT IE createTextRange overflow attempt || bugtraq,17196 || cve,2006-1359 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx -100000240 || COMMUNITY BOT IRC Traffic Detected By Nick Change -100000241 || COMMUNITY BOT Internal IRC server detected -100000242 || COMMUNITY BOT Agobot/PhatBot bot.about command -100000243 || COMMUNITY BOT Agobot/PhatBot bot.die command -100000244 || COMMUNITY BOT Agobot/PhatBot bot.dns command -100000245 || COMMUNITY BOT Agobot/PhatBot bot.execute command -100000246 || COMMUNITY BOT Agobot/PhatBot bot.id command -100000247 || COMMUNITY BOT Agobot/PhatBot bot.nick command -100000248 || COMMUNITY BOT Agobot/PhatBot bot.open command -100000249 || COMMUNITY BOT Agobot/PhatBot bot.remove command -100000250 || COMMUNITY BOT Agobot/PhatBot bot.removeallbut command -100000251 || COMMUNITY BOT Agobot/PhatBot bot.rndnick command -100000252 || COMMUNITY BOT Agobot/PhatBot bot.status command -100000253 || COMMUNITY BOT Agobot/PhatBot bot.sysinfo command -100000254 || COMMUNITY BOT Agobot/PhatBot bot.longuptime command -100000255 || COMMUNITY BOT Agobot/PhatBot bot.highspeed command -100000256 || COMMUNITY BOT Agobot/PhatBot bot.quit command 
-100000257 || COMMUNITY BOT Agobot/PhatBot bot.flushdns command -100000258 || COMMUNITY BOT Agobot/PhatBot bot.secure command -100000259 || COMMUNITY BOT Agobot/PhatBot bot.unsecure command -100000260 || COMMUNITY BOT Agobot/PhatBot bot.command command -100000261 || COMMUNITY BOT SDBot killthread command -100000262 || COMMUNITY BOT SDBot cdkey command -100000263 || COMMUNITY BOT SDBot getcdkey command -100000264 || COMMUNITY BOT SDBot rndnick command -100000265 || COMMUNITY BOT SDBot c_rndnick command -100000266 || COMMUNITY BOT SDBot c_nick command -100000267 || COMMUNITY BOT SpyBot stopspy command -100000268 || COMMUNITY BOT SpyBot redirectspy command -100000269 || COMMUNITY BOT SpyBot loadclones command -100000270 || COMMUNITY BOT SpyBot killclones command -100000271 || COMMUNITY BOT SpyBot rawclones command -100000272 || COMMUNITY BOT GTBot ver command -100000273 || COMMUNITY BOT GTBot info command -100000274 || COMMUNITY BOT GTBot scan command -100000275 || COMMUNITY BOT GTBot portscan command -100000276 || COMMUNITY BOT GTBot stopscan command -100000277 || COMMUNITY BOT GTBot packet command -100000278 || COMMUNITY BOT GTBot bnc command -100000279 || COMMUNITY SMTP Incoming WAB attachment || cve,2006-0014 || url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx -100000281 || COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials -100000282 || COMMUNITY VIRUS Nugache connect -100000283 || COMMUNITY VIRUS Nugache data || url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html -100000284 || COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/ -100000285 || COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt || bugtraq,17915 -100000286 || COMMUNITY WEB-PHP X Poll admin access || url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2 -100000287 || COMMUNITY WEB-PHP Claroline 
ldap.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000288 || COMMUNITY WEB-PHP Claroline atutor.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000289 || COMMUNITY WEB-PHP Claroline db-generic.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000290 || COMMUNITY WEB-PHP Claroline docebo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000291 || COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000292 || COMMUNITY WEB-PHP Claroline dokeos.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000293 || COMMUNITY WEB-PHP Claroline ganesha.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000294 || COMMUNITY WEB-PHP Claroline mambo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000295 || COMMUNITY WEB-PHP Claroline moodle.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000296 || COMMUNITY WEB-PHP Claroline phpnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000297 || COMMUNITY WEB-PHP Claroline postnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000298 || COMMUNITY WEB-PHP Claroline spip.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000299 || COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access || url,www.claroline.net || 
url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000300 || COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2 -100000301 || COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt || bugtraq,16742 || cve,2006-0559 -100000302 || COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access || bugtraq,17964 -100000303 || COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access || bugtraq,17964 -100000304 || COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000305 || COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000306 || COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000307 || COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000308 || COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000309 || COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2 -100000310 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net || url,vil.nai.com/vil/content/v_139545.htm -100000311 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org || url,vil.nai.com/vil/content/v_139545.htm -100000312 || COMMUNITY VIRUS Ginwui.B POST attempt || url,vil.nai.com/vil/content/v_139545.htm -100000313 || COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal || bugtraq,14715 || cve,2005-2020 -100000314 || COMMUNITY WEB-MISC 
MediaWiki parser script insertion attempt || cve,2006-2611 -100000315 || COMMUNITY WEB-MISC HTTP PUT Request || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html -100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html -100000317 || COMMUNITY WEB-MISC phpBazar classified_right.php remote file include || bugtraq,18052 -100000318 || COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access || bugtraq,18053 || cve,2006-2527 -100000319 || COMMUNITY WEB-MISC ActualScripts direct.php remote file include || bugtraq,17597 -100000320 || COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include || bugtraq,18027 -100000321 || COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include || bugtraq,18027 -100000322 || COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include || bugtraq,18027 -100000323 || COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include || bugtraq,18027 -100000324 || COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include || bugtraq,18027 -100000325 || COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include || bugtraq,18027 -100000326 || COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include || bugtraq,18027 -100000327 || COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include || bugtraq,18027 -100000328 || COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include || bugtraq,18027 -100000329 || COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include || bugtraq,18040 -100000330 || COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include || bugtraq,18040 -100000331 || COMMUNITY WEB-MISC ZixForum settings.asp access || bugtraq,18043 -100000332 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047 -100000333 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || 
bugtraq,18047 -100000334 || COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include || bugtraq,18076 -100000335 || COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include || bugtraq,18076 -100000336 || COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include || cve,2006-2521 -100000337 || COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include || cve,2006-2521 -100000338 || COMMUNITY WEB-MISC phpMyDirectory header.php remote file include || cve,2006-2521 -100000339 || COMMUNITY WEB-MISC V-Webmail core.php remote file include || url,secunia.com/advisories/20297/ -100000340 || COMMUNITY WEB-MISC V-Webmail pop3.php remote file include || url,secunia.com/advisories/20297/ -100000341 || COMMUNITY WEB-MISC DoceboLMS help.php remote file include || bugtraq,18110 -100000342 || COMMUNITY WEB-MISC DoceboLMS business.php remote file include || bugtraq,18110 -100000343 || COMMUNITY WEB-MISC DoceboLMS credits.php remote file include || bugtraq,18110 -100000344 || COMMUNITY WEB-MISC SocketMail index.php remote file include || url,secunia.com/advisories/20273/ -100000345 || COMMUNITY WEB-MISC SocketMail inc-common.php remote file include || url,secunia.com/advisories/20273/ -100000346 || COMMUNITY WEB-MISC Plume CMS prepend.php remote file include || bugtraq,16662 -100000347 || COMMUNITY WEB-MISC Ezupload Pro form.php remote file include || bugtraq,18135 -100000348 || COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include || bugtraq,18135 -100000349 || COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include || bugtraq,18135 -100000350 || COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include || url,www.nukedx.com/?viewdoc=40 -100000351 || COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include || url,www.nukedx.com/?viewdoc=40 -100000352 || COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include || bugtraq,18153 || url,www.nukedx.com/?viewdoc=41 -100000353 || COMMUNITY 
WEB-MISC tinyBB footers.php remote file include || bugtraq,18147 -100000354 || COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include || bugtraq,18155 -100000355 || COMMUNITY WEB-MISC eSyndiCat cron.php remote file include || url,secunia.com/advisories/20218/ -100000356 || COMMUNITY WEB-MISC BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/ -100000357 || COMMUNITY WEB-MISC BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/ -100000358 || COMMUNITY WEB-MISC BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/ -100000359 || COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include || bugtraq,18163 -100000360 || COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include || bugtraq,18163 -100000361 || COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include || bugtraq,18163 -100000362 || COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include || bugtraq,18163 -100000363 || COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include || bugtraq,18163 -100000364 || COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include || bugtraq,18163 -100000365 || COMMUNITY WEB-MISC phpNuke index.php remote file include || bugtraq,18186 -100000366 || COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include || bugtraq,18186 -100000367 || COMMUNITY WEB-MISC phpNuke admin_board.php remote file include || bugtraq,18186 -100000368 || COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include || bugtraq,18186 -100000369 || COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include || bugtraq,18186 -100000370 || COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include || bugtraq,18186 -100000371 || COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include || bugtraq,18186 -100000372 || COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include || bugtraq,18186 -100000373 || COMMUNITY 
WEB-MISC phpNuke admin_user_ban.php remote file include || bugtraq,18186
-100000374 || COMMUNITY WEB-MISC phpNuke admin_words.php remote file include || bugtraq,18186
-100000375 || COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include || bugtraq,18186
-100000376 || COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include || bugtraq,18186
-100000377 || COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include || bugtraq,18186
-100000378 || COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include || bugtraq,18186
-100000379 || COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include || bugtraq,18186
-100000380 || COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include || bugtraq,18186
-100000381 || COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include || bugtraq,18186
-100000382 || COMMUNITY WEB-MISC phpNuke admin_users.php remote file include || bugtraq,18186
-100000383 || COMMUNITY WEB-MISC OsTicket open_form.php remote file include || bugtraq,18190
-100000384 || COMMUNITY WEB-MISC Ottoman index.php remote file include || bugtraq,18208
-100000385 || COMMUNITY WEB-MISC Ottoman error.php remote file include || bugtraq,18208
-100000386 || COMMUNITY WEB-MISC Ottoman main_class.php remote file include || bugtraq,18208
-100000387 || COMMUNITY WEB-MISC Ovidentia index.php remote file include || bugtraq,18232
-100000388 || COMMUNITY WEB-MISC Ovidentia topman.php remote file include || bugtraq,18232
-100000389 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
-100000390 || COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include || bugtraq,18232
-100000391 || COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include || bugtraq,18232
-100000392 || COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include || bugtraq,18232
-100000393 || COMMUNITY WEB-MISC Ovidentia start.php remote file include || bugtraq,18232
-100000394 || COMMUNITY WEB-MISC Ovidentia search.php
remote file include || bugtraq,18232
-100000395 || COMMUNITY WEB-MISC Ovidentia posts.php remote file include || bugtraq,18232
-100000396 || COMMUNITY WEB-MISC Ovidentia options.php remote file include || bugtraq,18232
-100000397 || COMMUNITY WEB-MISC Ovidentia login.php remote file include || bugtraq,18232
-100000398 || COMMUNITY WEB-MISC Ovidentia frchart.php remote file include || bugtraq,18232
-100000399 || COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include || bugtraq,18232
-100000400 || COMMUNITY WEB-MISC Ovidentia fileman.php remote file include || bugtraq,18232
-100000401 || COMMUNITY WEB-MISC Ovidentia faq.php remote file include || bugtraq,18232
-100000402 || COMMUNITY WEB-MISC Ovidentia event.php remote file include || bugtraq,18232
-100000403 || COMMUNITY WEB-MISC Ovidentia directory.php remote file include || bugtraq,18232
-100000404 || COMMUNITY WEB-MISC Ovidentia articles.php remote file include || bugtraq,18232
-100000405 || COMMUNITY WEB-MISC Ovidentia artedit.php remote file include || bugtraq,18232
-100000406 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
-100000407 || COMMUNITY WEB-MISC Ovidentia calday.php remote file include || bugtraq,18232
-100000408 || COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include || bugtraq,18220
-100000409 || COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include || bugtraq,18220
-100000410 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000411 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000412 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000413 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
-100000414 || COMMUNITY WEB-MISC REDAXO community.inc.php remote file include || bugtraq,18229
-100000415 || COMMUNITY WEB-MISC Bytehoard server.php remote file include || bugtraq,18234
-100000416 || COMMUNITY
WEB-MISC MyBloggie admin.php remote file include || bugtraq,18241
-100000417 || COMMUNITY WEB-MISC MyBloggie scode.php remote file include || bugtraq,18241
-100000418 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include || bugtraq,18248
-100000419 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include || bugtraq,18248
-100000420 || COMMUNITY WEB-MISC Informium common-menu.php remote file include || bugtraq,18249
-100000421 || COMMUNITY WEB-MISC Igloo wiki.php remote file include || bugtraq,18250
-100000422 || COMMUNITY WEB-MISC phpBB template.php remote file include || bugtraq,18255
-100000423 || COMMUNITY WEB-MISC DotWidget CMS index.php remote file include || bugtraq,18258
-100000424 || COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include || bugtraq,18258
-100000425 || COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include || bugtraq,18258
-100000426 || COMMUNITY WEB-MISC DotClear prepend.php remote file include || bugtraq,18259
-100000427 || COMMUNITY WEB-MISC JBoss jmx-console html adaptor access || url,jboss.org/wiki/Wiki.jsp?page=JMXConsole
-100000428 || COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2
-100000429 || COMMUNITY WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole
-100000430 || COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include || bugtraq,18261
-100000431 || COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include || bugtraq,18261
-100000432 || COMMUNITY WEB-MISC BlueShoes file.php remote file include || bugtraq,18261
-100000433 || COMMUNITY WEB-MISC BlueShoes viewer.php remote file include || bugtraq,18261
-100000434 || COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include || bugtraq,18261
-100000435 || COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include || bugtraq,18261
-100000436
|| COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include || bugtraq,18261
-100000437 || COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include || bugtraq,18263
-100000438 || COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include || bugtraq,18265
-100000439 || COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include || bugtraq,18265
-100000440 || COMMUNITY WEB-MISC CyBoards common.php remote file include || bugtraq,18272
-100000441 || COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include || bugtraq,18291
-100000442 || COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include || bugtraq,18313
-100000443 || COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include || bugtraq,18313
-100000444 || COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include || bugtraq,18313
-100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt || bugtraq,18270
-100000446 || COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt || bugtraq,18273
-100000447 || COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779
-100000448 || COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt || bugtraq,18367
-100000449 || COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt || bugtraq,18367
-100000450 || COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt || bugtraq,18368
-100000451 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
-100000452 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
-100000453 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
-100000454 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
-100000455 || COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt || bugtraq,18473
-100000456 || COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt || bugtraq,18482
-100000457 ||
COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt || bugtraq,18512
-100000458 || COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt || bugtraq,18526
-100000459 || COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt || bugtraq,18564
-100000460 || COMMUNITY WEB-MISC AZureus index.tmpl xss attempt || bugtraq,18596
-100000461 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
-100000462 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
-100000463 || COMMUNITY WEB-PHP Joomla joomla.php remote file include || bugtraq,18363
-100000464 || COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include || bugtraq,18370
-100000465 || COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include || bugtraq,18371
-100000466 || COMMUNITY WEB-PHP Free QBoard post.php remote file include || bugtraq,18373
-100000467 || COMMUNITY WEB-PHP WebprojectDB nav.php remote file include || bugtraq,18378
-100000468 || COMMUNITY WEB-PHP WebprojectDB lang.php remote file include || bugtraq,18378
-100000469 || COMMUNITY WEB-PHP iFoto index.php xss attempt || bugtraq,18391
-100000470 || COMMUNITY WEB-PHP Foing manage_songs.php remote file include || bugtraq,18392
-100000471 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
-100000472 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
-100000473 || COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt || bugtraq,18403
-100000474 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
-100000475 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
-100000476 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
-100000477 || COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt || bugtraq,18403
-100000478 || COMMUNITY WEB-PHP aWebNews visview.php remote file include || bugtraq,18406
-100000479 ||
COMMUNITY WEB-PHP CzarNews headlines.php remote file include || bugtraq,18411
-100000480 || COMMUNITY WEB-PHP Somery team.php remote file include || bugtraq,18412
-100000481 || COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include || bugtraq,18413
-100000482 || COMMUNITY WEB-PHP BoastMachine vote.php remote file include || bugtraq,18415
-100000483 || COMMUNITY WEB-PHP Wheatblog view_links.php remote file include || bugtraq,18416
-100000484 || COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt || bugtraq,18426
-100000485 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18435
-100000486 || COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include || bugtraq,18440
-100000487 || COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include || bugtraq,18441
-100000488 || COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include || bugtraq,18441
-100000489 || COMMUNITY WEB-PHP ISPConfig login.php remote file include || bugtraq,18441
-100000490 || COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include || bugtraq,18441
-100000491 || COMMUNITY WEB-PHP DeluxeBB posting.php remote file include || bugtraq,18455
-100000492 || COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include || bugtraq,18455
-100000493 || COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include || bugtraq,18455
-100000494 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
-100000495 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
-100000496 || COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt || bugtraq,18463
-100000497 || COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt || bugtraq,18469
-100000498 || COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt || bugtraq,18469
-100000499 || COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include || bugtraq,18471
-100000500 || COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include || bugtraq,18471
-100000501 || COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include || bugtraq,18471
-100000502 || COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include || bugtraq,18474
-100000503 || COMMUNITY WEB-PHP Nucleus CMS action.php remote file include || bugtraq,18475
-100000504 || COMMUNITY WEB-PHP Nucleus CMS media.php remote file include || bugtraq,18475
-100000505 || COMMUNITY WEB-PHP Nucleus CMS server.php remote file include || bugtraq,18475
-100000506 || COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include || bugtraq,18475
-100000507 || COMMUNITY WEB-PHP FlashChat adminips.php remote file include || bugtraq,18480
-100000508 || COMMUNITY WEB-PHP Wikkawiki wakka.php access || bugtraq,18481
-100000509 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18490
-100000510 || COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt || bugtraq,18497
-100000511 || COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt || bugtraq,18497
-100000512 || COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt || bugtraq,18497
-100000513 || COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt || bugtraq,18501
-100000514 || COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt || bugtraq,18501
-100000515 || COMMUNITY WEB-PHP CMS Faethon header.php xss attempt || bugtraq,18505
-100000516 || COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt || bugtraq,18505
-100000517 || COMMUNITY WEB-PHP e107 search.php xss attempt || bugtraq,18508
-100000518 || COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include || bugtraq,18509
-100000519 || COMMUNITY WEB-PHP VUBB index.php SQL injection attempt || bugtraq,18516
-100000520 || COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt || bugtraq,18520
-100000521 || COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt || bugtraq,18524
-100000522 || COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt ||
bugtraq,18528
-100000523 || COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt || bugtraq,18533
-100000524 || COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include || bugtraq,18537
-100000525 || COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt || bugtraq,18539
-100000526 || COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt || bugtraq,18539
-100000527 || COMMUNITY WEB-PHP AssoCIateD index.php xss attempt || bugtraq,18541
-100000528 || COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt || bugtraq,18542
-100000529 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
-100000530 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
-100000531 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
-100000532 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
-100000533 || COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt || bugtraq,18561
-100000534 || COMMUNITY WEB-PHP VUBB english.php xss attempt || bugtraq,18562
-100000535 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
-100000536 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
-100000537 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
-100000538 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
-100000539 || COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt || bugtraq,18567
-100000540 || COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt || bugtraq,18590
-100000541 || COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt || bugtraq,18607
-100000542 || COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt || bugtraq,18607
-100000543 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
-100000544 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt ||
bugtraq,18607
-100000545 || COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include || bugtraq,18609
-100000546 || COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include || bugtraq,18609
-100000547 || COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include || bugtraq,18609
-100000548 || COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include || bugtraq,18609
-100000549 || COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt || bugtraq,18626
-100000550 || COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access || bugtraq,18627
-100000551 || COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access || bugtraq,18627
-100000552 || COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include || bugtraq,18628
-100000553 || COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include || bugtraq,18633
-100000554 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000555 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000556 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
-100000557 || COMMUNITY WEB-PHP VebiMiau index.php xss attempt || bugtraq,18643
-100000558 || COMMUNITY WEB-PHP VebiMiau messages.php xss attempt || bugtraq,18643
-100000559 || COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt || bugtraq,18644
-100000560 || COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include || bugtraq,18649
-100000561 || COMMUNITY WEB-PHP dotProject ui.class.php xss attempt || bugtraq,18650
-100000562 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000563 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000564 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000565 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
-100000566 || COMMUNITY WEB-PHP XennoBB messages.php xss attempt
|| bugtraq,18652
-100000567 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000568 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
-100000569 || COMMUNITY WEB-PHP Indexu app_change_email.php remote file include || bugtraq,18477
-100000570 || COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include || bugtraq,18477
-100000571 || COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include || bugtraq,18477
-100000572 || COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include || bugtraq,18477
-100000573 || COMMUNITY WEB-PHP Indexu app_setup.php remote file include || bugtraq,18477
-100000574 || COMMUNITY WEB-PHP Indexu cat_add.php remote file include || bugtraq,18477
-100000575 || COMMUNITY WEB-PHP Indexu cat_delete.php remote file include || bugtraq,18477
-100000576 || COMMUNITY WEB-PHP Indexu cat_edit.php remote file include || bugtraq,18477
-100000577 || COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include || bugtraq,18477
-100000578 || COMMUNITY WEB-PHP Indexu cat_search.php remote file include || bugtraq,18477
-100000579 || COMMUNITY WEB-PHP Indexu cat_struc.php remote file include || bugtraq,18477
-100000580 || COMMUNITY WEB-PHP Indexu cat_view.php remote file include || bugtraq,18477
-100000581 || COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include || bugtraq,18477
-100000582 || COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include || bugtraq,18477
-100000583 || COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include || bugtraq,18477
-100000584 || COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include || bugtraq,18477
-100000585 || COMMUNITY WEB-PHP Indexu db_alter.php remote file include || bugtraq,18477
-100000586 || COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include || bugtraq,18477
-100000587 || COMMUNITY WEB-PHP Indexu db_backup.php remote file include || bugtraq,18477
-100000588 || COMMUNITY WEB-PHP Indexu db_export.php
remote file include || bugtraq,18477
-100000589 || COMMUNITY WEB-PHP Indexu db_import.php remote file include || bugtraq,18477
-100000590 || COMMUNITY WEB-PHP Indexu editor_add.php remote file include || bugtraq,18477
-100000591 || COMMUNITY WEB-PHP Indexu editor_delete.php remote file include || bugtraq,18477
-100000592 || COMMUNITY WEB-PHP Indexu editor_validate.php remote file include || bugtraq,18477
-100000593 || COMMUNITY WEB-PHP Indexu head.php remote file include || bugtraq,18477
-100000594 || COMMUNITY WEB-PHP Indexu index.php remote file include || bugtraq,18477
-100000595 || COMMUNITY WEB-PHP Indexu inv_config.php remote file include || bugtraq,18477
-100000596 || COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include || bugtraq,18477
-100000597 || COMMUNITY WEB-PHP Indexu inv_create.php remote file include || bugtraq,18477
-100000598 || COMMUNITY WEB-PHP Indexu inv_delete.php remote file include || bugtraq,18477
-100000599 || COMMUNITY WEB-PHP Indexu inv_edit.php remote file include || bugtraq,18477
-100000600 || COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include || bugtraq,18477
-100000601 || COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include || bugtraq,18477
-100000602 || COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include || bugtraq,18477
-100000603 || COMMUNITY WEB-PHP Indexu inv_paid.php remote file include || bugtraq,18477
-100000604 || COMMUNITY WEB-PHP Indexu inv_send.php remote file include || bugtraq,18477
-100000605 || COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include || bugtraq,18477
-100000606 || COMMUNITY WEB-PHP Indexu lang_modify.php remote file include || bugtraq,18477
-100000607 || COMMUNITY WEB-PHP Indexu link_add.php remote file include || bugtraq,18477
-100000608 || COMMUNITY WEB-PHP Indexu link_bad.php remote file include || bugtraq,18477
-100000609 || COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include || bugtraq,18477
-100000610 || COMMUNITY WEB-PHP Indexu
link_checkurl.php remote file include || bugtraq,18477
-100000611 || COMMUNITY WEB-PHP Indexu link_delete.php remote file include || bugtraq,18477
-100000612 || COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include || bugtraq,18477
-100000613 || COMMUNITY WEB-PHP Indexu link_edit.php remote file include || bugtraq,18477
-100000614 || COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include || bugtraq,18477
-100000615 || COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include || bugtraq,18477
-100000616 || COMMUNITY WEB-PHP Indexu link_search.php remote file include || bugtraq,18477
-100000617 || COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include || bugtraq,18477
-100000618 || COMMUNITY WEB-PHP Indexu link_validate.php remote file include || bugtraq,18477
-100000619 || COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include || bugtraq,18477
-100000620 || COMMUNITY WEB-PHP Indexu link_view.php remote file include || bugtraq,18477
-100000621 || COMMUNITY WEB-PHP Indexu log_search.php remote file include || bugtraq,18477
-100000622 || COMMUNITY WEB-PHP Indexu mail_modify.php remote file include || bugtraq,18477
-100000623 || COMMUNITY WEB-PHP Indexu menu.php remote file include || bugtraq,18477
-100000624 || COMMUNITY WEB-PHP Indexu message_create.php remote file include || bugtraq,18477
-100000625 || COMMUNITY WEB-PHP Indexu message_delete.php remote file include || bugtraq,18477
-100000626 || COMMUNITY WEB-PHP Indexu message_edit.php remote file include || bugtraq,18477
-100000627 || COMMUNITY WEB-PHP Indexu message_send.php remote file include || bugtraq,18477
-100000628 || COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include || bugtraq,18477
-100000629 || COMMUNITY WEB-PHP Indexu message_view.php remote file include || bugtraq,18477
-100000630 || COMMUNITY WEB-PHP Indexu review_validate.php remote file include || bugtraq,18477
-100000631 || COMMUNITY WEB-PHP Indexu
review_validate_edit.php remote file include || bugtraq,18477
-100000632 || COMMUNITY WEB-PHP Indexu summary.php remote file include || bugtraq,18477
-100000633 || COMMUNITY WEB-PHP Indexu template_active.php remote file include || bugtraq,18477
-100000634 || COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include || bugtraq,18477
-100000635 || COMMUNITY WEB-PHP Indexu template_delete.php remote file include || bugtraq,18477
-100000636 || COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include || bugtraq,18477
-100000637 || COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include || bugtraq,18477
-100000638 || COMMUNITY WEB-PHP Indexu template_export.php remote file include || bugtraq,18477
-100000639 || COMMUNITY WEB-PHP Indexu template_import.php remote file include || bugtraq,18477
-100000640 || COMMUNITY WEB-PHP Indexu template_manager.php remote file include || bugtraq,18477
-100000641 || COMMUNITY WEB-PHP Indexu template_modify.php remote file include || bugtraq,18477
-100000642 || COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include || bugtraq,18477
-100000643 || COMMUNITY WEB-PHP Indexu template_rename.php remote file include || bugtraq,18477
-100000644 || COMMUNITY WEB-PHP Indexu user_add.php remote file include || bugtraq,18477
-100000645 || COMMUNITY WEB-PHP Indexu user_delete.php remote file include || bugtraq,18477
-100000646 || COMMUNITY WEB-PHP Indexu user_edit.php remote file include || bugtraq,18477
-100000647 || COMMUNITY WEB-PHP Indexu user_search.php remote file include || bugtraq,18477
-100000648 || COMMUNITY WEB-PHP Indexu whos.php remote file include || bugtraq,18477
-100000649 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000650 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000651 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000652 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss
attempt || bugtraq,18582
-100000653 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000654 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
-100000655 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000656 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000657 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000658 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000659 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000660 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
-100000661 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000662 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000663 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000664 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000665 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
-100000666 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000667 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
-100000668 || COMMUNITY WEB-PHP Harpia pheader.php remote file include || bugtraq,18614
-100000669 || COMMUNITY WEB-PHP Harpia headlines.php remote file include || bugtraq,18614
-100000670 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000671 || COMMUNITY WEB-PHP Harpia preload.php remote file include || bugtraq,18614
-100000672 || COMMUNITY WEB-PHP Harpia users.php remote file include || bugtraq,18614
-100000673 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
-100000674 || COMMUNITY WEB-PHP Harpia footer.php remote file include || bugtraq,18614
-100000675 ||
COMMUNITY WEB-PHP Harpia pfooter.php remote file include || bugtraq,18614
-100000676 || COMMUNITY WEB-PHP Harpia missing.php remote file include || bugtraq,18614
-100000677 || COMMUNITY WEB-PHP Harpia topics.php remote file include || bugtraq,18614
-100000678 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000679 || COMMUNITY WEB-PHP Harpia index.php remote file include || bugtraq,18614
-100000680 || COMMUNITY WEB-PHP Harpia search.php remote file include || bugtraq,18614
-100000681 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
-100000682 || COMMUNITY WEB-PHP Harpia email.php remote file include || bugtraq,18614
-100000683 || COMMUNITY WEB-PHP cPanel select.html xss attempt || bugtraq,18655
-100000684 || COMMUNITY VIRUS OutBound Dremn Trojan Beacon || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000685 || COMMUNITY VIRUS Answering Dremn Trojan Server || url,symantec.com/avcenter/venc/data/trojan.dremn.html
-100000686 || COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound || bugtraq,18664
-100000687 || COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound || bugtraq,18664
-100000688 || COMMUNITY POLICY Ajax Remote Desktop Connection || url,www.peterdamen.com/ajaxrd/
-100000689 || COMMUNITY SMTP Mytob MAIL FROM Attempt || url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
-100000690 || COMMUNITY SQL-INJECTION BXCP Sql Injection attempt || bugtraq,18765 || url,www.milw0rm.com/exploits/1975
-100000691 || COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt || bugtraq,18760
-100000692 || COMMUNITY WEB-CLIENT midi file download attempt || bugtraq,18507
-100000693 || COMMUNITY WEB-CLIENT winamp midi file header overflow attempt || bugtraq,18507
-100000694 || COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt || bugtraq,18699
-100000695 || COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt || bugtraq,18699
-100000696 || COMMUNITY WEB-MISC
VCard PRO create.php SQL injection attempt || bugtraq,18699
-100000697 || COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt || bugtraq,18699
-100000698 || COMMUNITY WEB-MISC BXCP index.php SQL injection attempt || bugtraq,18765
-100000699 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
-100000700 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
-100000701 || COMMUNITY WEB-MISC WordPress index.php SQL injection attempt || bugtraq,18779
-100000702 || COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt || bugtraq,18899
-100000703 || COMMUNITY WEB-PHP Horde index.php show XSS attempt || bugtraq,18845
-100000704 || COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include || bugtraq,18697
-100000705 || COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include || bugtraq,18697
-100000706 || COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include || bugtraq,18697
-100000707 || COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include || bugtraq,18697
-100000708 || COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include || bugtraq,18697
-100000709 || COMMUNITY WEB-PHP SquirrelMail search.php xss attempt || bugtraq,18700
-100000710 || COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt || bugtraq,18718
-100000711 || COMMUNITY WEB-PHP PHPRaid raids.php remote file include || bugtraq,18719
-100000712 || COMMUNITY WEB-PHP PHPRaid register.php remote file include || bugtraq,18719
-100000713 || COMMUNITY WEB-PHP PHPRaid roster.php remote file include || bugtraq,18719
-100000714 || COMMUNITY WEB-PHP PHPRaid view.php remote file include || bugtraq,18719
-100000715 || COMMUNITY WEB-PHP PHPRaid logs.php remote file include || bugtraq,18719
-100000716 || COMMUNITY WEB-PHP PHPRaid users.php remote file include || bugtraq,18719
-100000717 || COMMUNITY WEB-PHP PHPRaid configuration.php remote file include || bugtraq,18719
-100000718
|| COMMUNITY WEB-PHP PHPRaid guilds.php remote file include || bugtraq,18719
-100000719 || COMMUNITY WEB-PHP PHPRaid index.php remote file include || bugtraq,18719
-100000720 || COMMUNITY WEB-PHP PHPRaid locations.php remote file include || bugtraq,18719
-100000721 || COMMUNITY WEB-PHP PHPRaid login.php remote file include || bugtraq,18719
-100000722 || COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include || bugtraq,18719
-100000723 || COMMUNITY WEB-PHP PHPRaid permissions.php remote file include || bugtraq,18719
-100000724 || COMMUNITY WEB-PHP PHPRaid profile.php remote file include || bugtraq,18719
-100000725 || COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt || bugtraq,18720
-100000726 || COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt || bugtraq,18729
-100000727 || COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt || bugtraq,18735
-100000728 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000729 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
-100000730 || COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740
-100000731 || COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740
-100000732 || COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740
-100000733 || COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740
-100000734 || COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740
-100000735 || COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740
-100000736 || COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740
-100000737 || COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740
-100000738 || COMMUNITY WEB-PHP Geeklog
EditIP.Admin.class.php remote file include || bugtraq,18740 -100000739 || COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740 -100000740 || COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include || bugtraq,18740 -100000741 || COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include || bugtraq,18740 -100000742 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740 -100000743 || COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include || bugtraq,18750 -100000744 || COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt || bugtraq,18757 -100000745 || COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt || bugtraq,18760 -100000746 || COMMUNITY WEB-PHP Randshop header.inc.php remote file include || bugtraq,18763 -100000747 || COMMUNITY WEB-PHP Plume CMS index.php remote file include || bugtraq,18780 -100000748 || COMMUNITY WEB-PHP Plume CMS rss.php remote file include || bugtraq,18780 -100000749 || COMMUNITY WEB-PHP Plume CMS search.php remote file include || bugtraq,18780 -100000750 || COMMUNITY WEB-PHP Free QBoard index.php remote file include || bugtraq,18788 -100000751 || COMMUNITY WEB-PHP Free QBoard about.php remote file include || bugtraq,18788 -100000752 || COMMUNITY WEB-PHP Free QBoard contact.php remote file include || bugtraq,18788 -100000753 || COMMUNITY WEB-PHP Free QBoard delete.php remote file include || bugtraq,18788 -100000754 || COMMUNITY WEB-PHP Free QBoard faq.php remote file include || bugtraq,18788 -100000755 || COMMUNITY WEB-PHP Free QBoard features.php remote file include || bugtraq,18788 -100000756 || COMMUNITY WEB-PHP Free QBoard history.php remote file include || bugtraq,18788 -100000757 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791 -100000758 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791 -100000759 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || 
bugtraq,18791 -100000760 || COMMUNITY WEB-PHP The Banner Engine top.php xss attempt || bugtraq,18793 -100000761 || COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt || bugtraq,18798 -100000762 || COMMUNITY WEB-PHP Randshop index.php remote file include || bugtraq,18809 -100000763 || COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access || bugtraq,18816 -100000764 || COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include || bugtraq,18834 -100000765 || COMMUNITY WEB-PHP LifeType index.php SQL injection attempt || bugtraq,18835 -100000766 || COMMUNITY WEB-PHP Blog CMS thumb.php remote file include || bugtraq,18837 -100000767 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000768 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000769 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000770 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000771 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000772 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000773 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000774 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000775 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000776 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839 -100000777 || COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt || bugtraq,18839 -100000778 || COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt || bugtraq,18840 -100000779 || COMMUNITY WEB-PHP Horde index.php xss attempt || bugtraq,18845 -100000780 || COMMUNITY WEB-PHP Horde problem.php xss attempt || bugtraq,18845 -100000781 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845 -100000782 || COMMUNITY WEB-PHP Horde go.php xss attempt || 
bugtraq,18845 -100000783 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857 -100000784 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857 -100000785 || COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt || bugtraq,18857 -100000786 || COMMUNITY WEB-PHP ATutor browse.php xss attempt || bugtraq,18857 -100000787 || COMMUNITY WEB-PHP ATutor fix_content.php xss attempt || bugtraq,18857 -100000788 || COMMUNITY WEB-PHP FreeWebshop search.php xss attempt || bugtraq,18878 -100000789 || COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt || bugtraq,18878 -100000790 || COMMUNITY WEB-PHP Pivot edit_new.php remote file include || bugtraq,18881 -100000791 || COMMUNITY WEB-PHP Pivot pv_core.php access || bugtraq,18881 -100000792 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000793 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000794 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000795 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000796 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000797 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000798 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000799 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881 -100000800 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881 -100000801 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881 -100000802 || COMMUNITY WEB-PHP BosClassifieds index.php remote file include || bugtraq,18883 -100000803 || COMMUNITY WEB-PHP BosClassifieds recent.php remote file include || bugtraq,18883 -100000804 || COMMUNITY WEB-PHP BosClassifieds account.php remote file include || bugtraq,18883 -100000805 || COMMUNITY WEB-PHP BosClassifieds classified.php remote file include || bugtraq,18883 -100000806 || COMMUNITY 
WEB-PHP BosClassifieds search.php remote file include || bugtraq,18883 -100000807 || COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt || bugtraq,18893 -100000808 || COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt || bugtraq,18897 -100000809 || COMMUNITY WEB-PHP RW Download stats.php remote file include || bugtraq,18901 -100000810 || COMMUNITY WEB-PHP PHPBB download.php remote file include || bugtraq,18914 -100000811 || COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include || bugtraq,18914 -100000812 || COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include || bugtraq,18917 -100000813 || COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include || bugtraq,18917 -100000814 || COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include || bugtraq,18917 -100000815 || COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include || bugtraq,18917 -100000816 || COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include || bugtraq,18919 -100000817 || COMMUNITY WEB-PHP SMF Forum smf.php remote file include || bugtraq,18924 -100000818 || COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt || bugtraq,18928 -100000819 || COMMUNITY DELETED PhpWebGallery XSS attempt -100000820 || COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt || bugtraq,18934 -100000821 || COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt || bugtraq,18937 -100000822 || COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt || bugtraq,18937 -100000823 || COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt || bugtraq,18937 -100000824 || COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt || bugtraq,18937 -100000825 || COMMUNITY WEB-PHP Phorum posting.php xss attempt || bugtraq,18941 -100000826 || COMMUNITY WEB-PHP Phorum search.php SQL injection attempt || bugtraq,18941 -100000827 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949 -100000828 || COMMUNITY 
WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949 -100000829 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949 -100000830 || COMMUNITY WEB-PHP HiveMail index.php xss attempt || bugtraq,18949 -100000831 || COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt || bugtraq,18949 -100000832 || COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt || bugtraq,18949 -100000833 || COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt || bugtraq,18949 -100000834 || COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt || bugtraq,18956 -100000835 || COMMUNITY WEB-PHP Lazarus picture.php xss attempt || bugtraq,18956 -100000836 || COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include || bugtraq,18998 -100000837 || COMMUNITY WEB-PHP MiniBB index.php remote file include || bugtraq,18998 -100000838 || COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt || bugtraq,18964 -100000839 || COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include || bugtraq,18965 -100000840 || COMMUNITY WEB-PHP FlatNuke index.php remote file include || bugtraq,18966 -100000841 || COMMUNITY WEB-PHP PerForms performs.php remote file include || bugtraq,18968 -100000842 || COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt || bugtraq,18969 -100000843 || COMMUNITY WEB-PHP Koobi Pro index.php xss attempt || bugtraq,18970 -100000844 || COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt || bugtraq,18970 -100000845 || COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt || bugtraq,18984 -100000846 || COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include || bugtraq,18990 -100000847 || COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include || bugtraq,18991 -100000848 || COMMUNITY DELETED PhpWebGallery XSS attempt || bugtraq,18798 -100000849 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007 -100000850 || COMMUNITY WEB-PHP IceWarp include.php remote 
file include || bugtraq,19007 -100000851 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007 -100000852 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007 -100000853 || COMMUNITY WEB-PHP IceWarp settings.html remote file include || bugtraq,19007 -100000854 || COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include || bugtraq,19014 -100000855 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000856 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000857 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000858 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000859 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019 -100000860 || COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt || bugtraq,19020 -100000861 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023 -100000862 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023 -100000863 || COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt || url,secunia.com/advisories/21451/ -100000864 || COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14 -100000865 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000866 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000867 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03 || url,www.powergap-shop.de || 
url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000868 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000869 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000870 || COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html -100000871 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html -100000872 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html -100000873 || COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion -100000874 || COMMUNITY MISC DLR-TOR Directory server response || url,tor.eff.org -100000875 || COMMUNITY MISC DLR-TOR Client Traffic || url,tor.eff.org -100000876 || COMMUNITY MISC Google Talk Version Check -100000877 || COMMUNITY MISC Google Talk Startup -100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045 -100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045 -100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045 -100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt || bugtraq,19507 || cve,2006-4144 -100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include || bugtraq,19349 -100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit || url,milw0rm.com/exploits/2295 -100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt || url,milw0rm.com/exploits/2296 -100000885 || COMMUNITY WEB-PHP pHNews access attempt || url,milw0rm.com/exploits/2298 -100000886 || COMMUNITY WEB-PHP Proxima access attempt || url,milw0rm.com/exploits/2299 -100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt || 
url,milw0rm.com/exploits/2291 -100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt || url,milw0rm.com/exploits/2288 -100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt || url,milw0rm.com/exploits/2292 -100000890 || COMMUNITY WEB-MISC Webmin null char attempt || bugtraq,19820 || nessus,22300 -100000891 || COMMUNITY WEB-MISC Usermin null char attempt || bugtraq,19820 || nessus,22300 -100000892 || COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html -100000893 || COMMUNITY POLICY Weather Channel Desktop App Installer -100000894 || COMMUNITY POLICY Weather Channel Desktop App -100000895 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000896 || COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000897 || COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000898 || COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000899 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt || url,www.kb.cert.org/vuls/id/425861 -100000900 || COMMUNITY BOT Mytob IRC DCC file transfer request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000901 || COMMUNITY BOT Mytob IRC DCC chat request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000902 || COMMUNITY BOT Mytob IRC channel join || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000903 || COMMUNITY BOT Mytob IRC dns request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000904 || COMMUNITY BOT Mytob IRC dns response || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000905 || COMMUNITY BOT Mytob IRC nick change 
|| url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99 -100000906 || COMMUNITY WEB-PHP UBB.threads remote file include -100000907 || COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include || url,www.securityfocus.com/bid/20281/info -100000908 || COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info -100000909 || COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include || url,www.securityfocus.com/bid/20281/info -100000910 || COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include || url,www.securityfocus.com/bid/20281/info -100000911 || COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000912 || COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000913 || COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000914 || COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded -100000915 || COMMUNITY WEB-PHP Somery Include.php remote file include || bugtraq,19912 -100000916 || COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt || bugtraq,19770 -100000917 || COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt || bugtraq,20367 -100000918 || COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt || bugtraq,20367 -100000919 || COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt || bugtraq,20640 || cve,2006-5497 || url,osvdb.org/29904 || nessus,22922 || url,www.milw0rm.com/exploits/2600 -100000920 || COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include || bugtraq,20757 || url,osvdb.org/29971 || nessus,22926 -100000921 
|| COMMUNITY WEB-PHP PunBB register.php language variable remote file include || bugtraq,20786 || cve,2006-5735 || url,osvdb.org/30132 || nessus,22932 -100000922 || COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection || bugtraq,21135 || url,osvdb.org/30442 || url,secunia.com/advisories/22885 -100000923 || COMMUNITY DOS Single-Byte UDP Flood -100000924 || COMMUNITY POLICY Google SafeSearch off -100000925 || COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon || url,www.milw0rm.com/exploits/3053 -100000926 || COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon || url,www.milw0rm.com/exploits/3039 -100000927 || COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry || url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx -100000928 || COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow || bugtraq,23483 || cve,2007-1674 -100000929 || COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit || url,www.securityfocus.com/archive/1/463916 -100000930 || COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability || bugtraq,23215 -100000931 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203 -100000932 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203 -100000933 || COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability || url,securityfocus.com/archive/1/464351 -100000934 || COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability || url,securityfocus.com/archive/1/464351 diff -Nru snort-2.9.0.1/rules/community-sip.rules snort-2.9.2/rules/community-sip.rules --- snort-2.9.0.1/rules/community-sip.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/community-sip.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,19 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-sip.rules,v 1.5 2006/06/01 15:51:28 akirk Exp $
-
-#Rules submitted by Jiri Markl
-#Rule for alerting of INVITE flood attack:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000158; rev:2;)
-#Rule for alerting of REGISTER flood attack:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000159; rev:2;)
-#Rule for alerting common TCP/UDP flood attack:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
-#Rule for alerting attack using unresolvable DNS names:
-alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
-#Threshold rule for unauthorized responses:
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000162; rev:2;)
-alert ip any any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000163; rev:2;)
-#Rule submitted by rmkml
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-smtp.rules snort-2.9.2/rules/community-smtp.rules
--- snort-2.9.0.1/rules/community-smtp.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-smtp.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,14 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-smtp.rules,v 1.9 2006/07/14 13:36:01 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
-#Rule submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Gnu Mailman utf8 attachement access"; flow:to_server,established; content:"Content-Disposition|3A 20|attachement"; nocase; content:"filename|2A 3D|utf|2D|8"; nocase; content:"Content-Transfer-Encoding|3A 20|base64"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20819; classtype:attempted-dos; sid:100000191; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; nocase; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; sid:100000219; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; sid:100000224; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server, established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=\s*.*\x2ewab/smi"; reference:cve,2006-0014; reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx; classtype:suspicious-filename-detect; sid:100000279; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi"; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:100000301; rev:1;)
-# Enable only if SMTP_SERVERS is not any
-# alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html; classtype:misc-attack; sid:100000689; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-sql-injection.rules snort-2.9.2/rules/community-sql-injection.rules
--- snort-2.9.0.1/rules/community-sql-injection.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-sql-injection.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,15 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-sql-injection.rules,v 1.10 2006/10/19 20:19:34 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/rawdocdata.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000106; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/RawCustomSearchField.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000107; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB board.php"; flow:to_server,established; uricontent:"/board.php"; pcre:"/board.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000108; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB member.php"; flow:to_server,established; uricontent:"/member.php"; pcre:"/member.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000109; rev:1;)
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumTopicDetails.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20846; classtype:web-application-attack; sid:100000192; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumAuthDetails.php"; nocase; uricontent:"AuthID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20845; classtype:web-application-attack; sid:100000193; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumReply.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20847; classtype:web-application-attack; sid:100000194; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION BXCP Sql Injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; pcre:"/\x2b\w*\x54\w*/"; reference:bugtraq,18765; reference:url,www.milw0rm.com/exploits/1975; classtype:web-application-attack; sid:100000690; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"admin"; nocase; reference:bugtraq,18760; classtype:web-application-attack; sid:100000691; rev:2;)
diff -Nru snort-2.9.0.1/rules/community-virus.rules snort-2.9.2/rules/community-virus.rules
--- snort-2.9.0.1/rules/community-virus.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-virus.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,21 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-virus.rules,v 1.15 2006/10/19 20:20:29 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5554 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 5554"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000110; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 1023"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000111; rev:1;)
-alert tcp $HOME_NET any -> 207.172.16.155 80 (msg:"COMMUNITY VIRUS Possible BlackWorm or Nymex infected host"; flow:to_server,established; uricontent:"/cgi-bin/Count.cgi?df=765247"; reference:url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm; reference:url,cme.mitre.org/data/list.html#24; reference:url,isc.sans.org/blackworm; classtype:trojan-activity; sid:100000226; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache connect"; flow:to_server,established; content:"|00 02|"; flowbits:set,nugache.connection; flowbits:noalert; classtype:trojan-activity; sid:100000282; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache data"; flow:to_server,established; flowbits:isset,nugache.connection; dsize:64; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; sid:100000283; rev:1;)
-
-# DNS Rules submitted by urleet@gmail.com
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net"; content:"|01 00|"; offset:2; depth:2; content:"|05|scfzf|04|xicp|03|net";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000310; rev:2;)
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org"; content:"|01 00|"; offset:2; depth:2; content:"|0A|localhosts|04|3322|03|org";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000311; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY VIRUS Ginwui.B POST attempt"; flow:to_server,established; content:"POST|20 2F|"; nocase; depth:6; content:"Host|3a|"; nocase; content:"scfzf.xicp.net"; nocase; pcre:"/Host\x3A[^\n\r]+scfzf.xicp.net/smi"; content:"Content-Length|3a 20|0"; nocase; content:"Connection|3a| Keep-Alive"; nocase; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000312; rev:3;)
-
-
-alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS OutBound Dremn Trojan Beacon"; content:"|00 00 01|"; offset:3; depth:3; content:"aaaaaaaaaaaaaaaaaaaaa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...a{21})/"; reference:url,symantec.com/avcenter/venc/data/trojan.dremn.html; classtype:trojan-activity; sid:100000684; rev:1;)
-alert udp $EXTERNAL_NET 53 -> !$DNS_SERVERS any (msg: "COMMUNITY VIRUS Answering Dremn Trojan Server"; content:"|80 00 01|"; offset:3; depth:3; content:"aa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...aa)/"; reference:url,symantec.com/avcenter/venc/data/ trojan.dremn.html; classtype:trojan-activity; sid:100000685; rev:1;)
-
diff -Nru snort-2.9.0.1/rules/community-web-attacks.rules snort-2.9.2/rules/community-web-attacks.rules
--- snort-2.9.0.1/rules/community-web-attacks.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-web-attacks.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,10 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; 
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established; uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-web-cgi.rules snort-2.9.2/rules/community-web-cgi.rules
--- snort-2.9.0.1/rules/community-web-cgi.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-web-cgi.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,22 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-cgi.rules,v 1.20 2006/09/19 13:46:50 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Readfile.tcl Access"; flow:to_server,established; uricontent:"/readfile.tcl?file="; nocase; classtype:web-application-attack; reference:bugtraq,7426; sid:100000112; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi"; flow:to_server,established; uricontent:"/member_html.cgi?"; pcre:"/member_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000113; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi"; flow:to_server,established; uricontent:"/normal_html.cgi?"; pcre:"/normal_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000114; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:!"cid="; classtype:web-application-attack; reference:bugtraq,7589; sid:100000115; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; 
uricontent:"l_op=viewlink"; nocase; uricontent:"cid="; pcre:"/cid=[^0-9]+/Ui"; classtype:web-application-attack; reference:bugtraq,7589; sid:100000116; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/forumdisplay.php?"; nocase; uricontent:"comma="; nocase; pcre:"/forumdisplay.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"; classtype:web-application-attack; reference:bugtraq,12542; sid:100000117; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php"; flow:to_server,established; uricontent:"/formmail.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/formmail.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000127; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php"; flow:to_server,established; uricontent:"/download_center_lite.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/download_center_lite.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000128; rev:1;)
-#Rule submitted by Chas Tomlin
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?"; nocase; pcre:"/rev=\d*\s*\x7C/Ui"; classtype:web-application-activity; reference:bugtraq,14834; reference:cve,2005-2877; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev; sid:100000156; rev:2;)
-#Rule submitted by David Maciejak
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt"; flow: to_server,established; 
uricontent:"/password_reminder.php?"; nocase; pcre:"/form_email=[^\r\n\x26]+UNION\s+SELECT/Ui"; reference:bugtraq,14831; classtype:web-application-attack; sid:100000157; rev:1;)
-
-#Rules submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
-alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=post"; nocase; pcre:"/(name|email|url)=[^\r\n]*\x3Cscript\x3E/smi"; reference:bugtraq,20045; classtype:web-application-activity; sid:100000878; rev:2;)
-alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=preview"; nocase; content:"content="; nocase; distance:0; reference:bugtraq,20045; classtype:web-application-activity; sid:100000879; rev:2;)
-alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; uricontent:"/sitesearch.do"; nocase; uricontent:"q="; nocase; uricontent:"<script>"; nocase; reference:bugtraq,20045; classtype:web-application-activity; sid:100000880; rev:2;)
diff -Nru snort-2.9.0.1/rules/community-web-client.rules snort-2.9.2/rules/community-web-client.rules
--- snort-2.9.0.1/rules/community-web-client.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-web-client.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,25 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-client.rules,v 1.21 2006/10/20 13:22:38 akirk Exp $
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; sid:100000118; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt"; flow:to_client,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; sid:100000119; rev:2;)
-#Rule submitted by Crusoe Researches Team
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt"; flow:from_server,established; content:"playlist"; nocase; content:"\\\\"; reference:bugtraq,16410; reference:cve,2006-0476; reference:url,www.frsirt.com/english/advisories/2006/0361; classtype:attempted-admin; sid:100000228; rev:2;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt"; flow:established; content:"on"; nocase; pcre:"/<[^>]*?(on[^>]*?=[\d\w]+\s+){30,}/smi"; reference:bugtraq,17131; reference:cve,2006-1245; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx; classtype:attempted-user; sid:100000238; rev:3;)
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY 
WEB-CLIENT IE createTextRange overflow attempt"; flow:to_client,established; content:".createTextRange"; nocase; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx; sid:100000239; rev:2;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding|3a|"; nocase; content:"chunked"; nocase; content:"Content-Type|3a|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:2;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; content:"document|2e|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2e|body|2e|appendChild|28|document|2e|getElementById|28|"; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:100000447; rev:1;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT midi file download attempt"; flow:to_client,established; content:"Content-Type|3a|"; nocase; content:"audio|2f|midi"; nocase; distance:0; pcre:"/^Content-Type\s*\x3A\s*audio\x2Fmidi/smi"; flowbits:set,midi.download; flowbits:noalert; reference:bugtraq,18507; classtype:misc-activity; sid:100000692; rev:2;)
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT winamp midi file header overflow attempt"; flow:to_client,established; flowbits:isset,midi.download; content:"|4d 54 68 64 00 00 00 06 00 00 00 01 00 60 4d 54 72 6b 00 00 00|"; nocase; flowbits:unset,midi.download; reference:bugtraq,18507; classtype:attempted-user; sid:100000693; rev:2;)
-
-# Rule by <urleet@gmail.com> 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability"; flow:from_server,established; content:"E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29"; nocase; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14; classtype:attempted-user; sid:100000864; rev:2;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt"; content:"|01 da|"; byte_test: 2,>,4,9,relative; classtype: attempted-user; reference:bugtraq,19507; reference:cve,2006-4144; sid:100000881; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-web-dos.rules snort-2.9.2/rules/community-web-dos.rules
--- snort-2.9.0.1/rules/community-web-dos.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-web-dos.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,5 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $
-
diff -Nru snort-2.9.0.1/rules/community-web-iis.rules snort-2.9.2/rules/community-web-iis.rules
--- snort-2.9.0.1/rules/community-web-iis.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-web-iis.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,10 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
-
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
diff -Nru snort-2.9.0.1/rules/community-web-misc.rules snort-2.9.2/rules/community-web-misc.rules
--- snort-2.9.0.1/rules/community-web-misc.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/community-web-misc.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,215 +0,0 @@
-# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# These rules are licensed under the GNU General Public License.
-# Please see the file LICENSE in this directory for more details.
-# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
-# Following rule submitted by Alexandru Ionica <gremlin@networked.ro>, and revised by Jason Haar <Jason.Haar@trimble.co.nz>
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; 
content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav 
directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
-#Rules submitted by rmkml
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; 
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; 
reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
-
-#Rule to detect use of Google's translation feature to bypass content monitor submitted by David Bianco 
-alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
-
-#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
-#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; 
classtype:web-application-attack; sid:100000320; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_edit.php"; nocase; 
uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter 
log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include";
flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110;
classtype:web-application-attack; sid:100000343; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include"; flow:to_server,established;
uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase; uricontent:"phpbb_root_path="; nocase;
pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000359; rev:2;)
-alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/index.php"; nocase;
uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui";
reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;)
-alert tcp
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000380; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY
WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established; uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232;
classtype:web-application-attack; sid:100000387; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established;
uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;)
-alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase;
uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000414; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php
remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include"; flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui";
reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase;
uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;) - -# JBoss Rules from Jon Hart <jhart@spoofed.org> -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;) - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000431; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php 
remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart 
class.cs_phpmailer.php remote file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; 
reference:bugtraq,18313; classtype:web-application-attack; sid:100000442; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; classtype:web-application-attack; sid:100000450; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; 
flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC 
ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; 
sid:100000699; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;) - -# Rules submitted by rmkml -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;) - -# Rule submitted by Avinash Shenoi (Cenzic Inc. 
CIA Research Team) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;) diff -Nru snort-2.9.0.1/rules/community-web-php.rules snort-2.9.2/rules/community-web-php.rules --- snort-2.9.0.1/rules/community-web-php.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/community-web-php.rules 1969-12-31 
16:00:00.000000000 -0800 
@@ -1,474 +0,0 @@ -# Copyright 2005 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License. -# Please see the file LICENSE in this directory for more details. -# $Id: community-web-php.rules,v 1.32 2007/02/22 20:44:35 akirk Exp $ - -#Rules submitted by rmkml -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP piranha default passwd attempt"; flow:to_server,established; uricontent:"/piranha/secure/control.php3"; content:"Authorization|3A| Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; classtype:attempted-recon; sid:100000151; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpinfo access"; flow:to_server,established; uricontent:"/phpinfo.php"; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:100000186; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP XSS attempt"; flow:to_server,established; uricontent:"|2E|php"; nocase; uricontent:"|3C|script|3E|"; nocase; uricontent:"|3C 2F|script|3E|"; nocase; classtype:web-application-attack; sid:100000187; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Vubb Path attempt"; flow:to_server,established; uricontent:"/forum/index.php"; nocase; content:"|26 66 3D 27|"; reference:cve,2005-3513; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2; classtype:web-application-attack; sid:100000188; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access"; flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"|2E|php"; nocase; uricontent:"|5F|SERVER|5B|HTTP|5F|ACCEPT|5F|LANGUAGE|5D|"; nocase; reference:bugtraq,15414; reference:cve,2005-3347; classtype:web-application-attack; sid:100000195; 
rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CuteNews flood.db.php access"; flow:to_server,established; uricontent:"/data/flood.db.php"; nocase; reference:bugtraq,14869; reference:cve,2005-3010; reference:nessus,19756; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19478; classtype:web-application-attack; sid:100000201; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB topic.php access"; flow:to_server,established; uricontent:"/topic.php"; nocase; uricontent:"tid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19404; classtype:web-application-attack; sid:100000202; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB misc.php access"; flow:to_server,established; uricontent:"/misc.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19405; classtype:web-application-attack; sid:100000203; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB pm.php access"; flow:to_server,established; uricontent:"/pm.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19407; classtype:web-application-attack; sid:100000204; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB forums.php access"; flow:to_server,established; uricontent:"/forums.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19406; classtype:web-application-attack; sid:100000205; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB newpost.php access"; flow:to_server,established; uricontent:"/newpost.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19408; classtype:web-application-attack; sid:100000206; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_itemId access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_itemId|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000211; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_return access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_return|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000212; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_view access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_view|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000213; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_subView access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_subView|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000214; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP MailGust SQL Injection email attempt"; flow:to_server,established; uricontent:"method|3D|remind_password"; nocase; uricontent:"list|3D|maillistuser"; nocase; uricontent:"email|3D 27|"; nocase; reference:bugtraq,14933; reference:cve,2005-3063; reference:nessus,19947; classtype:web-application-attack; sid:100000218; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path|3D|"; nocase; reference:url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=16244; classtype:web-application-attack; sid:100000220; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AppServ main.php appserv_root param access"; flow:to_server,established; uricontent:"/appserv/main.php"; nocase; uricontent:"appserv_root|3D|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22228; classtype:web-application-attack; sid:100000221; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt"; flow:to_server,established; uricontent:"ldap_var.inc.php"; nocase; uricontent:"includePath="; nocase; pcre:"/includePath=(https?|ftp)/Ui"; reference:bugtraq,17915; classtype:web-application-attack; sid:100000285; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP X Poll admin access"; flow:to_server,established; uricontent:"/admin/images/add.php"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2; classtype:web-application-attack; sid:100000286; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline ldap.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/ldap.inc.php"; 
reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000287; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline atutor.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/atutor.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000288; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline db-generic.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/db-generic.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000289; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline docebo.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/docebo.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000290; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/dokeos.1.6.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000291; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline dokeos.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/dokeos.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; 
classtype:web-application-attack; sid:100000292; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline ganesha.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/ganesha.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000293; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline mambo.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/mambo.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000294; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline moodle.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/moodle.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000295; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline phpnuke.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/phpnuke.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000296; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline postnuke.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/postnuke.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000297; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY 
WEB-PHP Claroline spip.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/spip.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000298; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access"; flow:to_server,established; uricontent:"claroline/inc/lib/event/init_event_manager.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000299; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access"; flow:to_server,established; uricontent:"claroline/inc/lib/export_exe_tracking.class.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000300; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000304; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000305; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt"; 
flow:to_server,established; uricontent:"diapho.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000306; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"diapho.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000307; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"affich.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000308; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"affich.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000309; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt"; flow:to_server,established; uricontent:"viewimage.php?imageid="; nocase; pcre:"/viewimage\.php\?imageid=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui"; reference:bugtraq,18270; classtype:web-application-attack; sid:100000445; rev:1;) -#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt"; flow:to_server,established; uricontent:"version="; nocase; 
pcre:"/[\x3f\x26\x3b]version=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui"; reference:bugtraq,18273; classtype:web-application-attack; sid:100000446; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Joomla joomla.php remote file include"; flow:to_server,established; uricontent:"/joomla.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18363; classtype:web-application-attack; sid:100000463; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include"; flow:to_server,established; uricontent:"/design.inc.php"; nocase; uricontent:"dir[data]="; nocase; pcre:"/dir\[data\]=(https?|ftp)/Ui"; reference:bugtraq,18370; classtype:web-application-attack; sid:100000464; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include"; flow:to_server,established; uricontent:"/sql_fcnsOLD.php"; nocase; uricontent:"phormationdir="; nocase; pcre:"/phormationdir=(https?|ftp)/Ui"; reference:bugtraq,18371; classtype:web-application-attack; sid:100000465; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard post.php remote file include"; flow:to_server,established; uricontent:"/post.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18373; classtype:web-application-attack; sid:100000466; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP WebprojectDB nav.php remote file include"; flow:to_server,established; uricontent:"/nav.php"; nocase; uricontent:"INCDIR="; nocase; pcre:"/INCDIR=(https?|ftp)/Ui"; reference:bugtraq,18378; classtype:web-application-attack; sid:100000467; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP WebprojectDB lang.php remote file include"; 
flow:to_server,established; uricontent:"/lang.php"; nocase; uricontent:"INCDIR="; nocase; pcre:"/INCDIR=(https?|ftp)/Ui"; reference:bugtraq,18378; classtype:web-application-attack; sid:100000468; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP iFoto index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"dir="; nocase; pcre:"/dir(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18391; classtype:web-application-attack; sid:100000469; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Foing manage_songs.php remote file include"; flow:to_server,established; uricontent:"/manage_songs.php"; nocase; uricontent:"foing_root_path="; nocase; pcre:"/foing_root_path=(https?|ftp)/Ui"; reference:bugtraq,18392; classtype:web-application-attack; sid:100000470; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"objectID="; nocase; pcre:"/objectID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000471; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"MAINID="; nocase; pcre:"/MAINID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000472; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt"; flow:to_server,established; uricontent:"/language.php"; nocase; uricontent:"Action="; nocase; pcre:"/Action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000473; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection 
attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"QuaranID="; nocase; pcre:"/QuaranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000474; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"ShowByQuranID="; nocase; pcre:"/ShowByQuranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000475; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"Action="; nocase; pcre:"/Action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000476; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt"; flow:to_server,established; uricontent:"/subject.php"; nocase; uricontent:"MainID="; nocase; pcre:"/MainID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000477; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP aWebNews visview.php remote file include"; flow:to_server,established; uricontent:"/visview.php"; nocase; uricontent:"path_to_news="; nocase; pcre:"/path_to_news=(https?|ftp)/Ui"; reference:bugtraq,18406; classtype:web-application-attack; sid:100000478; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CzarNews headlines.php remote file include"; flow:to_server,established; uricontent:"/headlines.php"; nocase; uricontent:"tpath="; nocase; pcre:"/tpath=(https?|ftp)/Ui"; reference:bugtraq,18411; classtype:web-application-attack; sid:100000479; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY 
WEB-PHP Somery team.php remote file include"; flow:to_server,established; uricontent:"/team.php"; nocase; uricontent:"checkauth="; nocase; pcre:"/checkauth=(https?|ftp)/Ui"; reference:bugtraq,18412; classtype:web-application-attack; sid:100000480; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include"; flow:to_server,established; uricontent:"/signed.php"; nocase; uricontent:"phphg_real_path="; nocase; pcre:"/phphg_real_path=(https?|ftp)/Ui"; reference:bugtraq,18413; classtype:web-application-attack; sid:100000481; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BoastMachine vote.php remote file include"; flow:to_server,established; uricontent:"/vote.php"; nocase; uricontent:"bmc_dir="; nocase; pcre:"/bmc_dir=(https?|ftp)/Ui"; reference:bugtraq,18415; classtype:web-application-attack; sid:100000482; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Wheatblog view_links.php remote file include"; flow:to_server,established; uricontent:"/view_links.php"; nocase; uricontent:"wb_inc_dir="; nocase; pcre:"/wb_inc_dir=(https?|ftp)/Ui"; reference:bugtraq,18416; classtype:web-application-attack; sid:100000483; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt"; flow:to_server,established; uricontent:"/ftp_index.php"; nocase; uricontent:"lpath="; nocase; pcre:"/lpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18426; classtype:web-application-attack; sid:100000484; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RahnemaCo page.php remote file include"; flow:to_server,established; uricontent:"/page.php"; nocase; uricontent:"osCsid="; nocase; pcre:"/osCsid=(https?|ftp)/Ui"; reference:bugtraq,18435; classtype:web-application-attack; sid:100000485; rev:2;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"vsDragonRootPath="; nocase; pcre:"/vsDragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18440; classtype:web-application-attack; sid:100000486; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include"; flow:to_server,established; uricontent:"/server.inc.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000487; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include"; flow:to_server,established; uricontent:"/app.inc.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000488; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig login.php remote file include"; flow:to_server,established; uricontent:"/login.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000489; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include"; flow:to_server,established; uricontent:"/trylogin.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000490; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB posting.php remote file include"; flow:to_server,established; 
uricontent:"/posting.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000491; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include"; flow:to_server,established; uricontent:"/newpm.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000492; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include"; flow:to_server,established; uricontent:"/postreply.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000493; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt"; flow:to_server,established; uricontent:"/write_ok.php"; nocase; uricontent:"$s_file_name="; nocase; pcre:"/$s_file_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18458; classtype:web-application-attack; sid:100000494; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt"; flow:to_server,established; uricontent:"/write_ok.php"; nocase; uricontent:"$file_name="; nocase; pcre:"/$file_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18458; classtype:web-application-attack; sid:100000495; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"anfang="; nocase; pcre:"/anfang(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18463; classtype:web-application-attack; sid:100000496; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP 
Calendarix cal_event.php SQL injection attempt"; flow:to_server,established; uricontent:"/cal_event.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18469; classtype:web-application-attack; sid:100000497; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt"; flow:to_server,established; uricontent:"/cal_popup.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18469; classtype:web-application-attack; sid:100000498; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include"; flow:to_server,established; uricontent:"/thumstbl.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000499; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include"; flow:to_server,established; uricontent:"/wpfiles.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000500; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include"; flow:to_server,established; uricontent:"/wallpapr.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000501; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include"; flow:to_server,established; uricontent:"/tag.class.php"; nocase; uricontent:"mycfg="; nocase; pcre:"/mycfg=(https?|ftp)/Ui"; reference:bugtraq,18474; classtype:web-application-attack; sid:100000502; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP 
Nucleus CMS action.php remote file include"; flow:to_server,established; uricontent:"/action.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000503; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS media.php remote file include"; flow:to_server,established; uricontent:"/media.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000504; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS server.php remote file include"; flow:to_server,established; uricontent:"/server.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000505; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include"; flow:to_server,established; uricontent:"/api_metaweblog.inc.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000506; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlashChat adminips.php remote file include"; flow:to_server,established; uricontent:"/adminips.php"; nocase; uricontent:"banned_file="; nocase; pcre:"/banned_file=(https?|ftp)/Ui"; reference:bugtraq,18480; classtype:web-application-attack; sid:100000507; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Wikkawiki wakka.php access"; flow:to_server,established; uricontent:"/wakka.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18481; classtype:web-application-activity; sid:100000508; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RahnemaCo 
page.php remote file include"; flow:to_server,established; uricontent:"/page.php"; nocase; uricontent:"pageid="; nocase; pcre:"/pageid=(https?|ftp)/Ui"; reference:bugtraq,18490; classtype:web-application-attack; sid:100000509; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt"; flow:to_server,established; uricontent:"/rank.php"; nocase; uricontent:"MemberID="; nocase; pcre:"/MemberID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000510; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt"; flow:to_server,established; uricontent:"/message.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000511; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt"; flow:to_server,established; uricontent:"/lng.php"; nocase; uricontent:"QuranID="; nocase; pcre:"/QuranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000512; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt"; flow:to_server,established; uricontent:"/showcat.php"; nocase; uricontent:"forumid="; nocase; pcre:"/forumid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18501; classtype:web-application-attack; sid:100000513; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt"; flow:to_server,established; uricontent:"/misc.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18501; classtype:web-application-attack; sid:100000514; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CMS 
Faethon header.php xss attempt"; flow:to_server,established; uricontent:"data/header.php"; nocase; uricontent:"mainpath="; nocase; pcre:"/mainpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18505; classtype:web-application-attack; sid:100000515; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt"; flow:to_server,established; uricontent:"data/footer.php"; nocase; uricontent:"mainpath="; nocase; pcre:"/mainpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18505; classtype:web-application-attack; sid:100000516; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP e107 search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"ep="; nocase; pcre:"/ep(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18508; classtype:web-application-attack; sid:100000517; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include"; flow:to_server,established; uricontent:"/initiate.php"; nocase; uricontent:"abs_path="; nocase; pcre:"/abs_path=(https?|ftp)/Ui"; reference:bugtraq,18509; classtype:web-application-attack; sid:100000518; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"user="; nocase; pcre:"/user(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18516; classtype:web-application-attack; sid:100000519; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt"; flow:to_server,established; uricontent:"/xaramcms_haupt.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18520; classtype:web-application-attack; sid:100000520; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"first_row="; nocase; pcre:"/first_row(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18524; classtype:web-application-attack; sid:100000521; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt"; flow:to_server,established; uricontent:"/productDetail.php"; nocase; uricontent:"cart_id="; nocase; pcre:"/cart_id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18528; classtype:web-application-attack; sid:100000522; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18533; classtype:web-application-attack; sid:100000523; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include"; flow:to_server,established; uricontent:"/microcms-include.php"; nocase; uricontent:"microcms_path="; nocase; pcre:"/microcms_path=(https?|ftp)/Ui"; reference:bugtraq,18537; classtype:web-application-attack; sid:100000524; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt"; flow:to_server,established; uricontent:"/offer-pix.php"; nocase; uricontent:"PIC="; nocase; pcre:"/PIC(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18539; classtype:web-application-attack; sid:100000525; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt"; flow:to_server,established; uricontent:"cp/index.php"; nocase; uricontent:"from="; nocase; pcre:"/from(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18539; classtype:web-application-attack; 
sid:100000526; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AssoCIateD index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"menu="; nocase; pcre:"/menu(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18541; classtype:web-application-attack; sid:100000527; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt"; flow:to_server,established; uricontent:"/topic.php"; nocase; uricontent:"highlight="; nocase; pcre:"/highlight(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18542; classtype:web-application-attack; sid:100000528; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP NC Linklist index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18546; classtype:web-application-attack; sid:100000529; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP NC Linklist index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"view="; nocase; pcre:"/view(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18546; classtype:web-application-attack; sid:100000530; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt"; flow:to_server,established; uricontent:"/torrents.php"; nocase; uricontent:"by="; nocase; pcre:"/by(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18549; classtype:web-application-attack; sid:100000531; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt"; flow:to_server,established; uricontent:"/torrents.php"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18549; classtype:web-application-attack; 
sid:100000532; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt"; flow:to_server,established; uricontent:"includes/functions.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18561; classtype:web-application-attack; sid:100000533; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB english.php xss attempt"; flow:to_server,established; uricontent:"language/english.php"; nocase; uricontent:"user="; nocase; pcre:"/user(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18562; classtype:web-application-attack; sid:100000534; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt"; flow:to_server,established; uricontent:"/galeria.php"; nocase; uricontent:"start="; nocase; pcre:"/start(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18566; classtype:web-application-attack; sid:100000535; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt"; flow:to_server,established; uricontent:"/galeria.php"; nocase; uricontent:"sort="; nocase; pcre:"/sort(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18566; classtype:web-application-attack; sid:100000536; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000537; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"catid="; nocase; pcre:"/catid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; 
classtype:web-application-attack; sid:100000538; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt"; flow:to_server,established; uricontent:"/printarticle.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000539; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"module="; nocase; pcre:"/module(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18590; classtype:web-application-attack; sid:100000540; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt"; flow:to_server,established; uricontent:"/picture.php"; nocase; uricontent:"pid="; nocase; pcre:"/pid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000541; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt"; flow:to_server,established; uricontent:"/mem.php"; nocase; uricontent:"mid="; nocase; pcre:"/mid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000542; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"sex="; nocase; pcre:"/sex(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000543; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"relationship="; nocase; 
pcre:"/relationship(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000544; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/team_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000545; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/rss_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000546; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/manual_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000547; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/forum_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000548; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt"; flow:to_server,established; uricontent:"/user_view.php"; nocase; uricontent:"u="; nocase; pcre:"/u(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18626; 
classtype:web-application-attack; sid:100000549; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access"; flow:to_server,established; uricontent:"/comment.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18627; classtype:web-application-activity; sid:100000550; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access"; flow:to_server,established; uricontent:"/aolbonics.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18627; classtype:web-application-activity; sid:100000551; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include"; flow:to_server,established; uricontent:"include/inc_foot.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18628; classtype:web-application-attack; sid:100000552; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include"; flow:to_server,established; uricontent:"sms_config/gateway.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:bugtraq,18633; classtype:web-application-attack; sid:100000553; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"tid="; nocase; pcre:"/tid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000554; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"lid="; nocase; pcre:"/lid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000555; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"sid="; nocase; pcre:"/sid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000556; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"f_user="; nocase; pcre:"/f_user(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000557; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau messages.php xss attempt"; flow:to_server,established; uricontent:"/messages.php"; nocase; uricontent:"pag="; nocase; pcre:"/pag(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000558; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"post="; nocase; pcre:"/post(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18644; classtype:web-application-attack; sid:100000559; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include"; flow:to_server,established; uricontent:"/root_header.php"; nocase; uricontent:"ppath="; nocase; pcre:"/ppath=(https?|ftp)/Ui"; reference:bugtraq,18649; classtype:web-application-attack; sid:100000560; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP dotProject ui.class.php xss attempt"; flow:to_server,established; uricontent:"/ui.class.php"; nocase; uricontent:"login="; nocase; pcre:"/login(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18650; classtype:web-application-attack; sid:100000561; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"sort="; nocase; pcre:"/sort(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000562; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000563; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000564; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000565; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP XennoBB messages.php xss attempt"; flow:to_server,established; uricontent:"/messages.php"; nocase; uricontent:"tid="; nocase; pcre:"/tid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18652; classtype:web-application-attack; sid:100000566; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Qdig index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"pre_gallery="; nocase; pcre:"/pre_gallery(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18653; classtype:web-application-attack; sid:100000567; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Qdig index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"post_gallery="; nocase; pcre:"/post_gallery(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18653; classtype:web-application-attack; sid:100000568; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_change_email.php remote file include"; flow:to_server,established; uricontent:"admin/app_change_email.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000569; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include"; flow:to_server,established; uricontent:"admin/app_change_pwd.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000570; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include"; flow:to_server,established; uricontent:"admin/app_mod_rewrite.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000571; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include"; flow:to_server,established; uricontent:"admin/app_page_caching.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000572; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_setup.php remote file include"; flow:to_server,established; uricontent:"admin/app_setup.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000573; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_add.php remote file include"; flow:to_server,established; uricontent:"admin/cat_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000574; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_delete.php remote file include"; flow:to_server,established; uricontent:"admin/cat_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000575; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_edit.php remote file include"; flow:to_server,established; uricontent:"admin/cat_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000576; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include"; flow:to_server,established; uricontent:"admin/cat_path_update.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000577; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_search.php remote file include"; flow:to_server,established; uricontent:"admin/cat_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000578; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_struc.php remote file include"; flow:to_server,established; uricontent:"admin/cat_struc.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000579; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000580; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_hidden.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000581; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_hierarchy.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000582; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_registered_only.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000583; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include"; flow:to_server,established; uricontent:"admin/checkurl_web.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000584; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_alter.php remote file include"; flow:to_server,established; uricontent:"admin/db_alter.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000585; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include"; flow:to_server,established; uricontent:"admin/db_alter_change.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000586; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_backup.php remote file include"; flow:to_server,established; uricontent:"admin/db_backup.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000587; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_export.php remote file include"; flow:to_server,established; uricontent:"admin/db_export.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000588; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_import.php remote file include"; flow:to_server,established; uricontent:"admin/db_import.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000589; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_add.php remote file include"; flow:to_server,established; uricontent:"admin/editor_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000590; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_delete.php remote file include"; flow:to_server,established; uricontent:"admin/editor_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000591; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_validate.php remote file include"; flow:to_server,established; uricontent:"admin/editor_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000592; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu head.php remote file include"; flow:to_server,established; uricontent:"admin/head.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000593; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu index.php remote file include"; flow:to_server,established; uricontent:"admin/index.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000594; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_config.php remote file include"; flow:to_server,established; uricontent:"admin/inv_config.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000595; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include"; flow:to_server,established; uricontent:"admin/inv_config_payment.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000596; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_create.php remote file include"; flow:to_server,established; uricontent:"admin/inv_create.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000597; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_delete.php remote file include"; flow:to_server,established; uricontent:"admin/inv_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000598; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_edit.php remote file include"; flow:to_server,established; uricontent:"admin/inv_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000599; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_markpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000600; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_markunpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000601; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include"; flow:to_server,established; uricontent:"admin/inv_overdue.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000602; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_paid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_paid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000603; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_send.php remote file include"; flow:to_server,established; uricontent:"admin/inv_send.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000604; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_unpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000605; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu lang_modify.php remote file include"; flow:to_server,established; uricontent:"admin/lang_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000606; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_add.php remote file include"; flow:to_server,established; uricontent:"admin/link_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000607; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_bad.php remote file include"; flow:to_server,established; uricontent:"admin/link_bad.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000608; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include"; flow:to_server,established; uricontent:"admin/link_bad_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000609; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include"; flow:to_server,established; uricontent:"admin/link_checkurl.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000610; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_delete.php remote file include"; flow:to_server,established; uricontent:"admin/link_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000611; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include"; flow:to_server,established; uricontent:"admin/link_duplicate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000612; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_edit.php remote file include"; flow:to_server,established; uricontent:"admin/link_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000613; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include"; flow:to_server,established; uricontent:"admin/link_premium_listing.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000614; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include"; flow:to_server,established; uricontent:"admin/link_premium_sponsored.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000615; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_search.php remote file include"; flow:to_server,established; uricontent:"admin/link_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000616; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include"; flow:to_server,established; uricontent:"admin/link_sponsored_listing.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000617; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_validate.php remote file include"; flow:to_server,established; uricontent:"admin/link_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000618; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include"; flow:to_server,established; uricontent:"admin/link_validate_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000619; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_view.php remote file include"; flow:to_server,established; uricontent:"admin/link_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000620; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu log_search.php remote file include"; flow:to_server,established; uricontent:"admin/log_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000621; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu mail_modify.php remote file include"; flow:to_server,established; uricontent:"admin/mail_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000622; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu menu.php remote file include"; flow:to_server,established; uricontent:"admin/menu.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000623; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_create.php remote file include"; flow:to_server,established; uricontent:"admin/message_create.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000624; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_delete.php remote file include"; flow:to_server,established; uricontent:"admin/message_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000625; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_edit.php remote file include"; flow:to_server,established; uricontent:"admin/message_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000626; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_send.php remote file include"; flow:to_server,established; uricontent:"admin/message_send.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000627; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include"; flow:to_server,established; uricontent:"admin/message_subscriber.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000628; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_view.php remote file include"; flow:to_server,established; uricontent:"admin/message_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000629; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu review_validate.php remote file include"; flow:to_server,established; uricontent:"admin/review_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000630; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include"; flow:to_server,established; uricontent:"admin/review_validate_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000631; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu summary.php remote file include"; flow:to_server,established; uricontent:"admin/summary.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000632; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_active.php remote file include"; flow:to_server,established; uricontent:"admin/template_active.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000633; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include"; flow:to_server,established; uricontent:"admin/template_add_custom.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000634; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_delete.php remote file include"; flow:to_server,established; uricontent:"admin/template_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000635; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include"; flow:to_server,established; uricontent:"admin/template_delete_file.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000636; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include"; flow:to_server,established; uricontent:"admin/template_duplicate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000637; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_export.php remote file include"; flow:to_server,established; uricontent:"admin/template_export.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000638; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_import.php remote file include"; flow:to_server,established; uricontent:"admin/template_import.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000639; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_manager.php remote file include"; flow:to_server,established; uricontent:"admin/template_manager.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000640; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_modify.php remote file include"; flow:to_server,established; uricontent:"admin/template_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000641; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include"; flow:to_server,established; uricontent:"admin/template_modify_file.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000642; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_rename.php remote file include"; flow:to_server,established; uricontent:"admin/template_rename.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000643; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_add.php remote file include"; flow:to_server,established; uricontent:"admin/user_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000644; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_delete.php remote file include"; flow:to_server,established; uricontent:"admin/user_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000645; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_edit.php remote file include"; flow:to_server,established; uricontent:"admin/user_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000646; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_search.php remote file include"; flow:to_server,established; uricontent:"admin/user_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000647; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu whos.php remote file include"; flow:to_server,established; uricontent:"admin/whos.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000648; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"comment="; nocase; pcre:"/comment(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000649; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000650; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000651; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000652; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000653; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000654; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"comment="; nocase; pcre:"/comment(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000655; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000656; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000657; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"number="; nocase; pcre:"/number(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000658; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000659; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000660; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000661; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000662; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"icq="; nocase; pcre:"/icq(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000663; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000664; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"text="; nocase; 
pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000665; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia files.php remote file include"; flow:to_server,established; uricontent:"/files.php"; nocase; uricontent:"footer_prog="; nocase; pcre:"/footer_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000666; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia files.php remote file include"; flow:to_server,established; uricontent:"/files.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000667; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia pheader.php remote file include"; flow:to_server,established; uricontent:"/pheader.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000668; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia headlines.php remote file include"; flow:to_server,established; uricontent:"/headlines.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000669; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include"; flow:to_server,established; uricontent:"/web_statsConfig.php"; nocase; uricontent:"mod_dir="; nocase; pcre:"/mod_dir=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000670; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia preload.php remote file include"; flow:to_server,established; 
uricontent:"/preload.php"; nocase; uricontent:"func_prog="; nocase; pcre:"/func_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000671; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia users.php remote file include"; flow:to_server,established; uricontent:"/users.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000672; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include"; flow:to_server,established; uricontent:"/web_statsConfig.php"; nocase; uricontent:"php_ext="; nocase; pcre:"/php_ext=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000673; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000674; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia pfooter.php remote file include"; flow:to_server,established; uricontent:"/pfooter.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000675; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia missing.php remote file include"; flow:to_server,established; uricontent:"/missing.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000676; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia topics.php remote file 
include"; flow:to_server,established; uricontent:"/topics.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000677; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"mod_root="; nocase; pcre:"/mod_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000678; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"func_prog="; nocase; pcre:"/func_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000679; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000680; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000681; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia email.php remote file include"; flow:to_server,established; uricontent:"/email.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000682; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP cPanel 
select.html xss attempt"; flow:to_server,established; uricontent:"/select.html"; nocase; uricontent:"file="; nocase; pcre:"/file(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18655; classtype:web-application-attack; sid:100000683; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt"; flow:established,to_server; uricontent:"/services/help/index.php"; nocase; uricontent:"show="; nocase; uricontent:"URL=javascript"; nocase; reference:bugtraq,18845; classtype:web-application-attack; sid:100000703; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include"; flow:to_server,established; uricontent:"/comment.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000704; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include"; flow:to_server,established; uricontent:"admin/test.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000705; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include"; flow:to_server,established; uricontent:"admin/index.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000706; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include"; flow:to_server,established; uricontent:"admin/include/inc_adminfoot.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000707; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include"; flow:to_server,established; uricontent:"admin/comedit.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000708; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SquirrelMail search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"mailbox="; nocase; pcre:"/mailbox(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18700; classtype:web-application-attack; sid:100000709; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt"; flow:to_server,established; uricontent:"/annonces-p-f.php"; nocase; uricontent:"lid="; nocase; pcre:"/lid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18718; classtype:web-application-attack; sid:100000710; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid raids.php remote file include"; flow:to_server,established; uricontent:"/raids.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000711; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid register.php remote file include"; flow:to_server,established; uricontent:"/register.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000712; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid roster.php remote file include"; flow:to_server,established; uricontent:"/roster.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000713; rev:2;) -alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid view.php remote file include"; flow:to_server,established; uricontent:"/view.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000714; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid logs.php remote file include"; flow:to_server,established; uricontent:"/logs.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000715; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid users.php remote file include"; flow:to_server,established; uricontent:"/users.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000716; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid configuration.php remote file include"; flow:to_server,established; uricontent:"/configuration.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000717; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid guilds.php remote file include"; flow:to_server,established; uricontent:"/guilds.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000718; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; 
classtype:web-application-attack; sid:100000719; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid locations.php remote file include"; flow:to_server,established; uricontent:"/locations.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000720; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid login.php remote file include"; flow:to_server,established; uricontent:"/login.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000721; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include"; flow:to_server,established; uricontent:"/lua_output.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000722; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid permissions.php remote file include"; flow:to_server,established; uricontent:"/permissions.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000723; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid profile.php remote file include"; flow:to_server,established; uricontent:"/profile.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000724; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt"; flow:to_server,established; uricontent:"/view.php"; nocase; uricontent:"raid_id="; nocase; 
pcre:"/raid_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18720; classtype:web-application-attack; sid:100000725; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt"; flow:to_server,established; uricontent:"/diver.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18729; classtype:web-application-attack; sid:100000726; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt"; flow:to_server,established; uricontent:"/insertmember.php"; nocase; uricontent:"city="; nocase; pcre:"/city(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18735; classtype:web-application-attack; sid:100000727; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/links/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/polls/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/BlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/DeleteComment.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000731; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditIPofURL.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000732; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MTBlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000733; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelete.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000734; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MailAdmin.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000735; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog 
MassDelTrackback.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelTrackback.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000736; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditHeader.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000737; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditIP.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditIP.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000738; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/IPofUrl.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000739; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/Import.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000740; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include"; 
flow:to_server,established; uricontent:"plugins/spamx/LogView.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000741; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/staticpages/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000742; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include"; flow:to_server,established; uricontent:"/dbinstall.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18750; classtype:web-application-attack; sid:100000743; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt"; flow:to_server,established; uricontent:"/tree.php"; nocase; uricontent:"grp_id="; nocase; pcre:"/grp_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18757; classtype:web-application-attack; sid:100000744; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18760; classtype:web-application-attack; sid:100000745; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Randshop header.inc.php remote file include"; flow:to_server,established; uricontent:"/header.inc.php"; nocase; uricontent:"dateiPfad="; nocase; pcre:"/dateiPfad=(https?|ftp)/Ui"; reference:bugtraq,18763; classtype:web-application-attack; 
sid:100000746; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000747; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS rss.php remote file include"; flow:to_server,established; uricontent:"/rss.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000748; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000749; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000750; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard about.php remote file include"; flow:to_server,established; uricontent:"/about.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000751; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard contact.php remote file include"; flow:to_server,established; uricontent:"/contact.php"; nocase; 
uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000752; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard delete.php remote file include"; flow:to_server,established; uricontent:"/delete.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000753; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard faq.php remote file include"; flow:to_server,established; uricontent:"/faq.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000754; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard features.php remote file include"; flow:to_server,established; uricontent:"/features.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000755; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard history.php remote file include"; flow:to_server,established; uricontent:"/history.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000756; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"delete="; nocase; pcre:"/delete(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000757; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; 
nocase; uricontent:"pathext="; nocase; pcre:"/pathext(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000758; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"edit="; nocase; pcre:"/edit(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000759; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP The Banner Engine top.php xss attempt"; flow:to_server,established; uricontent:"/top.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18793; classtype:web-application-attack; sid:100000760; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt"; flow:to_server,established; uricontent:"/comments.php"; nocase; uricontent:"keyword="; nocase; pcre:"/keyword(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18798; classtype:web-application-attack; sid:100000761; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Randshop index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"incl="; nocase; pcre:"/incl=(https?|ftp)/Ui"; reference:bugtraq,18809; classtype:web-application-attack; sid:100000762; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access"; flow:to_server,established; uricontent:"/config.inc"; nocase; uricontent:"="; nocase; reference:bugtraq,18816; classtype:web-application-activity; sid:100000763; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include"; flow:to_server,established; uricontent:"/global_header.php"; nocase; 
uricontent:"domain="; nocase; pcre:"/domain=(https?|ftp)/Ui"; reference:bugtraq,18834; classtype:web-application-attack; sid:100000764; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP LifeType index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"date="; nocase; pcre:"/date(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18835; classtype:web-application-attack; sid:100000765; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS thumb.php remote file include"; flow:to_server,established; uricontent:"/thumb.php"; nocase; uricontent:"gallery="; nocase; pcre:"/gallery=(https?|ftp)/Ui"; reference:bugtraq,18837; classtype:web-application-attack; sid:100000766; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"item="; nocase; pcre:"/item(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000767; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"blog="; nocase; pcre:"/blog(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000768; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"member="; nocase; pcre:"/member(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000769; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; 
uricontent:"typeface="; nocase; pcre:"/typeface(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000770; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"results="; nocase; pcre:"/results(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000771; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"DokiWiki="; nocase; pcre:"/DokiWiki(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000772; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"archives="; nocase; pcre:"/archives(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000773; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"category="; nocase; pcre:"/category(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000774; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"PHPSESSID="; nocase; pcre:"/PHPSESSID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000775; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; 
uricontent:"/index.php"; nocase; uricontent:"query="; nocase; pcre:"/query(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000776; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt"; flow:to_server,established; uricontent:"/action.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000777; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt"; flow:to_server,established; uricontent:"/maillist.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18840; classtype:web-application-attack; sid:100000778; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde index.php xss attempt"; flow:to_server,established; uricontent:"services/help/index.php"; nocase; uricontent:"show="; nocase; pcre:"/show(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000779; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde problem.php xss attempt"; flow:to_server,established; uricontent:"services/problem.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000780; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde go.php xss attempt"; flow:to_server,established; uricontent:"services/go.php"; nocase; uricontent:"untrusted="; nocase; pcre:"/untrusted(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000781; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde go.php xss attempt"; flow:to_server,established; 
uricontent:"services/go.php"; nocase; uricontent:"url="; nocase; pcre:"/url(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000782; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor create_course.php xss attempt"; flow:to_server,established; uricontent:"/create_course.php"; nocase; uricontent:"show_courses="; nocase; pcre:"/show_courses(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000783; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor create_course.php xss attempt"; flow:to_server,established; uricontent:"/create_course.php"; nocase; uricontent:"current_cat="; nocase; pcre:"/current_cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000784; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt"; flow:to_server,established; uricontent:"/password_reminder.php"; nocase; uricontent:"forgot="; nocase; pcre:"/forgot(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000785; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor browse.php xss attempt"; flow:to_server,established; uricontent:"/browse.php"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000786; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor fix_content.php xss attempt"; flow:to_server,established; uricontent:"/fix_content.php"; nocase; uricontent:"submit="; nocase; pcre:"/submit(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000787; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FreeWebshop 
search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18878; classtype:web-application-attack; sid:100000788; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt"; flow:to_server,established; uricontent:"/details.php"; nocase; uricontent:"prod="; nocase; pcre:"/prod(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18878; classtype:web-application-attack; sid:100000789; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot edit_new.php remote file include"; flow:to_server,established; uricontent:"/edit_new.php"; nocase; uricontent:"Paths[extensions_path]="; nocase; pcre:"/Paths\[extensions_path\]=(https?|ftp)/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000790; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot pv_core.php access"; flow:to_server,established; uricontent:"/pv_core.php"; nocase; uricontent:"="; nocase; reference:bugtraq,18881; classtype:web-application-activity; sid:100000791; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"fg="; nocase; pcre:"/fg(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000792; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"line1="; nocase; pcre:"/line1(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000793; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; 
flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"line2="; nocase; pcre:"/line2(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000794; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"bg="; nocase; pcre:"/bg(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000795; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c1="; nocase; pcre:"/c1(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000796; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c2="; nocase; pcre:"/c2(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000797; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c3="; nocase; pcre:"/c3(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000798; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c4="; nocase; pcre:"/c4(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000799; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt"; flow:to_server,established; 
uricontent:"/editor_menu.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000800; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt"; flow:to_server,established; uricontent:"/editor_menu.php"; nocase; uricontent:"js_name="; nocase; pcre:"/js_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000801; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000802; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds recent.php remote file include"; flow:to_server,established; uricontent:"/recent.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000803; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds account.php remote file include"; flow:to_server,established; uricontent:"/account.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000804; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds classified.php remote file include"; flow:to_server,established; uricontent:"/classified.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000805; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds search.php 
remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000806; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"q="; nocase; pcre:"/q(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18893; classtype:web-application-attack; sid:100000807; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt"; flow:to_server,established; uricontent:"/ajaxp.php"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18897; classtype:web-application-attack; sid:100000808; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RW Download stats.php remote file include"; flow:to_server,established; uricontent:"/stats.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18901; classtype:web-application-attack; sid:100000809; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB download.php remote file include"; flow:to_server,established; uricontent:"/download.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18914; classtype:web-application-attack; sid:100000810; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include"; flow:to_server,established; uricontent:"/attach_rules.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18914; classtype:web-application-attack; sid:100000811; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000812; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include"; flow:to_server,established; uricontent:"/file_upload.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000813; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include"; flow:to_server,established; uricontent:"/image_upload.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000814; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include"; flow:to_server,established; uricontent:"/performs.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000815; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include"; flow:to_server,established; uricontent:"/pccookbook.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18919; classtype:web-application-attack; sid:100000816; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SMF Forum smf.php remote file include"; flow:to_server,established; uricontent:"/smf.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18924; 
classtype:web-application-attack; sid:100000817; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt"; flow:to_server,established; uricontent:"/topics.php"; nocase; uricontent:"f="; nocase; pcre:"/f(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18928; classtype:web-application-attack; sid:100000818; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt"; flow:to_server,established; uricontent:"/add.php"; nocase; uricontent:"forumid="; nocase; pcre:"/forumid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18934; classtype:web-application-attack; sid:100000820; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt"; flow:to_server,established; uricontent:"/sub-join.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000821; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt"; flow:to_server,established; uricontent:"/reply.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000822; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt"; flow:to_server,established; uricontent:"/ignore-pm.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000823; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt"; flow:to_server,established; uricontent:"/sendmail.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; 
reference:bugtraq,18937; classtype:web-application-attack; sid:100000824; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Phorum posting.php xss attempt"; flow:to_server,established; uricontent:"/posting.php"; nocase; uricontent:"mode="; nocase; pcre:"/mode(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18941; classtype:web-application-attack; sid:100000825; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Phorum search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"mode="; nocase; pcre:"/mode(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18941; classtype:web-application-attack; sid:100000826; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000827; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"cond="; nocase; pcre:"/cond(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000828; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000829; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"dayprune="; nocase; 
pcre:"/dayprune(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000830; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt"; flow:to_server,established; uricontent:"/compose.email.php"; nocase; uricontent:"data[to]="; nocase; pcre:"/data\[to\](=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000831; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt"; flow:to_server,established; uricontent:"/read.markas.php"; nocase; uricontent:"markas="; nocase; pcre:"/markas(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000832; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.results.php"; nocase; uricontent:"fields[]="; nocase; pcre:"/fields\[\](=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000833; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt"; flow:to_server,established; uricontent:"/codes-english.php"; nocase; uricontent:"show="; nocase; pcre:"/show(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18956; classtype:web-application-attack; sid:100000834; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Lazarus picture.php xss attempt"; flow:to_server,established; uricontent:"/picture.php"; nocase; uricontent:"img="; nocase; pcre:"/img(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18956; classtype:web-application-attack; sid:100000835; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include"; flow:to_server,established; 
uricontent:"/com_minibb.php"; nocase; uricontent:"absolute_path="; nocase; pcre:"/absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18998; classtype:web-application-attack; sid:100000836; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"absolute_path="; nocase; pcre:"/absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18998; classtype:web-application-attack; sid:100000837; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt"; flow:to_server,established; uricontent:"/photocycle.php"; nocase; uricontent:"phppage="; nocase; pcre:"/phppage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18964; classtype:web-application-attack; sid:100000838; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include"; flow:to_server,established; uricontent:"/calendar.php"; nocase; uricontent:"path_to_calendar="; nocase; pcre:"/path_to_calendar=(https?|ftp)/Ui"; reference:bugtraq,18965; classtype:web-application-attack; sid:100000839; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlatNuke index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"mod="; nocase; pcre:"/mod=(https?|ftp)/Ui"; reference:bugtraq,18966; classtype:web-application-attack; sid:100000840; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PerForms performs.php remote file include"; flow:to_server,established; uricontent:"/performs.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18968; classtype:web-application-attack; sid:100000841; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt"; flow:to_server,established; uricontent:"/memberlist.php"; nocase; uricontent:"ip="; nocase; pcre:"/ip(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18969; classtype:web-application-attack; sid:100000842; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Koobi Pro index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"showtopic="; nocase; pcre:"/showtopic(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18970; classtype:web-application-attack; sid:100000843; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"showtopic="; nocase; pcre:"/showtopic(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18970; classtype:web-application-attack; sid:100000844; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt"; flow:to_server,established; uricontent:"/ipsclass.php"; nocase; uricontent:"HTTP_CLIENT_IP="; nocase; pcre:"/HTTP_CLIENT_IP(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18984; classtype:web-application-attack; sid:100000845; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include"; flow:to_server,established; uricontent:"/user-func.php"; nocase; uricontent:"myadmindir="; nocase; pcre:"/myadmindir=(https?|ftp)/i"; reference:bugtraq,18990; classtype:web-application-attack; sid:100000846; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include"; flow:to_server,established; uricontent:"components/com_sitemap/sitemap.xml.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; 
reference:bugtraq,18991; classtype:web-application-attack; sid:100000847; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"accounts/inc/include.php"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/i"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000849; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"accounts/inc/include.php"; nocase; uricontent:"lang_settings="; nocase; pcre:"/lang_settings=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000850; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"admin/inc/include.php"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000851; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"admin/inc/include.php"; nocase; uricontent:"lang_settings="; nocase; pcre:"/lang_settings=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000852; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp settings.html remote file include"; flow:to_server,established; uricontent:"mail/settings.html"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000853; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include"; flow:to_server,established; 
uricontent:"/listmessenger.php"; nocase; uricontent:"lm_path="; nocase; pcre:"/lm_path=(https?|ftp)/Ui"; reference:bugtraq,19014; classtype:web-application-attack; sid:100000854; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000855; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"mail="; nocase; pcre:"/mail(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000856; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"ip="; nocase; pcre:"/ip(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000857; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000858; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"hidemail="; nocase; pcre:"/hidemail(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000859; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt"; flow:to_server,established; uricontent:"/room.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19020; classtype:web-application-attack; sid:100000860; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include"; flow:to_server,established; uricontent:"Include/editor/rich_files/class.rich.php"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=(https?|ftp)/Ui"; reference:bugtraq,19023; classtype:web-application-attack; sid:100000861; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include"; flow:to_server,established; uricontent:"Include/editor/class.rich.php"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=(https?|ftp)/Ui"; reference:bugtraq,19023; classtype:web-application-attack; sid:100000862; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt"; flow:to_server,established; uricontent:"/view_com.php"; nocase; uricontent:"idsite="; nocase; pcre:"/idsite(=|\x3f)?\w*\x27/Ui"; reference:url,secunia.com/advisories/21451/; classtype:web-application-attack; sid:100000863; rev:1;)
-
-# Rules from <urleet@gmail.com>
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01"; flow:to_server,established; uricontent:"/s01.php|3f|shopid|3d|"; nocase; pcre:"/s01.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000865; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02"; flow:to_server,established; uricontent:"/s02.php|3f|shopid|3d|"; nocase; pcre:"/s02.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000866; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03"; flow:to_server,established; uricontent:"/s03.php|3f|shopid|3d|"; nocase; pcre:"/s03.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000867; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04"; flow:to_server,established; uricontent:"/s04.php|3f|shopid|3d|"; nocase; pcre:"/s04.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000868; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant"; flow:to_server,established; uricontent:"/sid|3d|"; nocase; content:"|26|shopid|3d|"; nocase; within:20; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000869; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2"; flow:to_server,established; uricontent:"/sid|3d|"; nocase; pcre:"/sid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000870; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CubeCart XSS attack"; flow:to_server,established; uricontent:"/admin/filemanager/preview.php?file="; nocase; pcre:"/((1)?&(x|y)=)?/Ri"; reference:url,retrogod.altervista.org/cubecart_3011_adv.html; classtype:web-application-attack; sid:100000871; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CubeCart XSS attack"; flow:to_server,established; uricontent:"/admin/login.php?email="; nocase; reference:url,retrogod.altervista.org/cubecart_3011_adv.html; classtype:web-application-attack; sid:100000872; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion"; flow:to_server,established; uricontent:"/plugins/plugins.php?type="; nocase; pcre:"/type\x3d(https?|ftp)/Ui"; classtype:web-application-attack; sid:100000873; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include"; flow:to_server,established; uricontent:"/globals.php"; nocase; uricontent:"abs_path="; nocase; pcre:"/abs_path=(https?|ftp)/Ui"; reference:bugtraq,19349; classtype:web-application-attack; sid:100000882; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Inlink remote file inclusion exploit"; flow:to_server,established; uricontent:"/includes/adodb/back/adodb-postgres7.inc.php"; nocase; reference:url,milw0rm.com/exploits/2295; classtype:web-application-attack; sid:100000883; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; content:"view=plink"; nocase; reference:url,milw0rm.com/exploits/2296; classtype:web-application-attack; sid:100000884; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP pHNews access attempt"; flow:to_server,established; uricontent:"/modules/commens.php"; nocase; content:"templates_dir"; nocase; content:"cmd="; nocase; reference:url,milw0rm.com/exploits/2298; classtype:web-application-attack; sid:100000885; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Proxima access attempt"; flow:to_server,established; uricontent:"/modules/Forums/bb_smilies.php"; nocase; content:"name="; nocase; content:"cmd="; nocase; reference:url,milw0rm.com/exploits/2299; classtype:web-application-attack; sid:100000886; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP pmwiki exploit attempt"; flow:to_server,established; content:"POST"; nocase; depth:4; content:"pmwiki.php"; nocase; distance:0; content:"n=PmWiki.BasicEditing"; nocase; distance:0; content:"action=edit"; nocase; distance:0; reference:url,milw0rm.com/exploits/2291; classtype:web-application-attack; sid:100000887; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP tikiwiki exploit attempt"; flow:to_server,established; content:"POST"; nocase; depth:4; content:"jhot.php"; nocase; distance:0; reference:url,milw0rm.com/exploits/2288; classtype:web-application-attack; sid:100000888; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP yappa-ng exploit attempt"; flow:to_server,established; uricontent:"/admin_modules/admin_module_deldir.inc.php"; nocase; content:"config"; nocase; reference:url,milw0rm.com/exploits/2292; classtype:web-application-attack; sid:100000889; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP UBB.threads remote file include"; flow:to_server,established; uricontent:"addpost_newpoll.php?"; nocase; uricontent:"thispath="; nocase; pcre:"/addpost_newpoll\x2Ephp\x3F[^\r\n]*thispath=(https?|ftp)/Ui"; classtype:web-application-attack; sid:100000906; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include"; flow:to_server,established; uricontent:"change_preferences.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000907; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include"; flow:to_server,established; uricontent:"create_file.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000908; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include"; flow:to_server,established; uricontent:"upload_local.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000909; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include"; flow:to_server,established; uricontent:"upload_multi.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000910; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include"; flow:to_server,established; uricontent:"/edit/adminlog.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000911; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include"; flow:to_server,established; uricontent:"/edit/postblog.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000912; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include"; flow:to_server,established; uricontent:"/edit/index.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000913; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include"; flow:to_server,established; uricontent:"/edit/index2.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000914; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Somery Include.php remote file include"; flow:established,to_server; uricontent:"/include.php"; nocase; content:"skindir="; nocase; pcre:"/skindir=(https?|ftp)/Ui"; reference:bugtraq,19912; classtype:web-application-attack; sid:100000915; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt"; flow:established,to_server; uricontent:"/functions_post.php?"; nocase; content:"script="; nocase; pcre:"/script(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,19770; classtype:web-application-attack; sid:100000916; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt";flow:established,to_server; uricontent:"/includes/functions_kb.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,20367; classtype:web-application-attack; sid:100000917; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt"; flow:established,to_server; uricontent:"/includes/themen_portal_mitte.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,20367; classtype:web-application-attack; sid:100000918; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt"; flow:established,to_server; uricontent:"themesettings.inc.php"; uricontent:"themesdir="; pcre:"/themesdir=(https?|ftp|\x2F)/Ui"; reference:bugtraq,20640; reference:cve,2006-5497; reference:url,osvdb.org/29904; reference:nessus,22922; reference:url,www.milw0rm.com/exploits/2600; classtype:web-application-attack; sid:100000919; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include"; flow:to_server,established; uricontent:"/bb_func_txt.php"; nocase; uricontent:"pathToFiles="; nocase; pcre:"/pathToFiles=(https?|ftp|\x2F)/Ui"; reference:bugtraq,20757; reference:url,osvdb.org/29971; reference:nessus,22926; classtype:web-application-attack; sid:100000920; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PunBB register.php language variable remote file include"; flow:to_server,established; content:"register.php"; nocase; content:"language="; nocase; pcre:"/language=(\x2F|\x2E)/Ui"; reference:bugtraq,20786; reference:cve,2006-5735; reference:url,osvdb.org/30132; reference:nessus,22932; classtype:web-application-attack; sid:100000921; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection"; flow:to_server,established; uricontent:"/etomite/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id=[A-Za-z0-9]{1,}\'/Ui"; reference:bugtraq,21135; reference:url,osvdb.org/30442; reference:url,secunia.com/advisories/22885; classtype:web-application-attack; sid:100000922; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon"; uricontent:"/users/admin.txt"; nocase; reference:url,www.milw0rm.com/exploits/3053; classtype:web-application-attack; sid:100000925; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon"; uricontent:"/newsboard/data/users.txt"; nocase; reference:url,www.milw0rm.com/exploits/3039; classtype:web-application-attack; sid:100000926; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit"; flow:to_server,established; uricontent:"/modules/articles/index.php"; nocase; uricontent:"cat_id="; nocase; reference:url,www.securityfocus.com/archive/1/463916; classtype:web-application-attack; sid:100000929; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability"; flow:established,to_server; uricontent:"404.php?"; nocase; uricontent:"d_private="; nocase; reference:bugtraq,23215; classtype:web-application-attack; sid:100000930; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt";flow:established,to_server; uricontent:"/lib/timesheet.class.php?"; nocase; uricontent:"lib_dir="; nocase; pcre:"/lib_dir=(https?|ftp)/Ui"; classtype:web-application-attack; reference:bugtraq,23203; sid:100000931; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt";flow:established,to_server; uricontent:"/lib/timesheet.class.php?"; nocase; uricontent:"inc_dir="; nocase; pcre:"/inc_dir=(https?|ftp)/Ui"; classtype:web-application-attack; reference:bugtraq,23203; sid:100000932; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability"; flow:established,to_server; uricontent:"/button/settings_sql.php"; nocase; content:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; priority:3; reference:url,securityfocus.com/archive/1/464351; classtype:web-application-attack; sid:100000933; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability"; flow:established,to_server; uricontent:"/button/new_day.php"; nocase; content:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; priority:3; reference:url,securityfocus.com/archive/1/464351; classtype:web-application-attack; sid:100000934; rev:1;)
diff -Nru snort-2.9.0.1/rules/ddos.rules snort-2.9.2/rules/ddos.rules
--- snort-2.9.0.1/rules/ddos.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/ddos.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,66 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#-----------
-# DDOS RULES
-#-----------
-
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
-
-
-alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
-# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:10;)
-
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
-alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;)
-alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
-
-
-alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
-alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
diff -Nru snort-2.9.0.1/rules/deleted.rules snort-2.9.2/rules/deleted.rules
--- snort-2.9.0.1/rules/deleted.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/deleted.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,451 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#-------------
-# DELETED RULES
-#-------------
-# These signatures have been deleted for various reasons, but we are keeping
-# them here for historical purposes.
-
-# Duplicate to 332
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
-
-# Duplicate of 512
-alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
-
-# Duplicate of 514
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
-
-# Duplicate of 557
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
-
-# Duplicate of 559
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
-
-# Duplicate of 844
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
-
-# Yeah, so the one site that was vulnerable to edit.pl aint no more.
-# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
-
-# duplicate of 987
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
-
-# webmasters suck, so this happens ever so often. Its really not that bad,
-# so lets disable it.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
-
-# dup of 1660
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
-
-# dup
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
-
-
-# Falses WAAAYYY too often.
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
-
-# Replaced with 1801,1802,1803,1804
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
-
-# duplicate of sid:1673
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
-
-# Port based only sigs suck, this is why stream4 has flow logs
-alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
-
-# basically duplicate of 330
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
-
-# duplicate of 1478
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
-
-# duplicate of 1248
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
-
-# duplicate of 1249
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
-
-# duplicate of 1755
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
-
-# duplicate of 1538
-alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
-
-# This rule looks for the exploit for w3-msql, but very badly
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
-
-
-# duplicate of 109
-alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
-
-# duplicate of 110
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
-
-
-# we have a backorifice preprocessor
-alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
-
-# we have a backorifice preprocessor
-alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
-
-
-
-alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;)
-alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;)
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 
(msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;) -alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;) -alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;) -alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; 
reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;) 
-alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;) -alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; 
classtype:attempted-recon; sid:252; rev:7;) -alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;) - -# The following ftp rules look for specific exploits, which are not needed now -# that initial protocol decoding is available. - -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site 
exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; 
flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;) - -# duplicate of 475 -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;) - - -# not needed thanks to 1964 and 1965 -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;) - -# dup of 589 -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;) -# dup of 1275 -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;) - -# dup of 1280 -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;) - -# dup of 1281 -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;) - -alert ip $EXTERNAL_NET any -> 
$HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;) - -# this has been replaced with sid 1905 and 1906 -alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;) - -# these have been replaced by 1915, 1916, 1914, and 1913 -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;) - -# duplicate of 1088 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;) - - -# these are obsolete -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 
(msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;) - -# what is this rule? we have no idea... -alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;) - -# These have been replaced by better rules (1915,1916,1913,1914) -alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;) - -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check 
returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;) -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;) - -# specific example for sid:1549 -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;) - -# this is properly caught by sid:527 -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;) - -# duplicate of 1546 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;) - -# these are obsoleted by cleaning up 663 -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;) - -# dup of 588 -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap 
tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;) -# dup of 1274 -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;) - -# these virus rules suck. 
-alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... 
Hey you !"; classtype:misc-activity; sid:727; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;) -alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;) -alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;) -alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;) -alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share 
tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;) -alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;) -alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - 
theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;)
-alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;)
-alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;)
-# pcre makes this not needed
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
-
-# historical reference... this used to be here...
-alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;)
-
-# taken care of by http_inspect now
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;)
-
-# better rule for 1054 caused these rules to not be needed
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;)
-
-# these rules are dumb. sid:857 looks for the access, and thats all we can do
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;)
-
-# dup of 2061
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;)
-
-
-
-# squash all of the virus rules into one rule. go PCRE!
-alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;)
-alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;)
-
-# uh, yeah this happens quite a bit.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;)
-
-# dup of 1485
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;)
-
-# dup of 2339
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;)
-
-# these happen. more research = more better rules
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2499; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;)
-
-
-#nmap is no longer as dumb as it once was...
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
-
-# dup of 553
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
-
-# dup of 2417, which is a better rule anyways
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; sid:1530; rev:12;)
-
-# ans1 goodness takes care of this one for us
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;)
-
-
-# because this rule sucks
-alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:9;)
-
-
-# http inspect does a better job than these rules do
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;)
-
-# dup of 1672
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:7;)
-
-# dup of 1229
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:3;)
-
-# dup of 1757
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; reference:bugtraq,4673; reference:cve,2002-0734; sid:1758; rev:6;)
-
-# dup of 653
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:2;)
-
-# converted to a dup by 1437 moving to regex
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:7;)
-
-# handled by 1212
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;)
-
diff -Nru snort-2.9.0.1/rules/dns.rules snort-2.9.2/rules/dns.rules
--- snort-2.9.0.1/rules/dns.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/dns.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,54 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
-#----------
-# DNS RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
-
-
-
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
diff -Nru snort-2.9.0.1/rules/dos.rules snort-2.9.2/rules/dos.rules
--- snort-2.9.0.1/rules/dos.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/dos.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,45 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
-#----------
-# DOS RULES
-#----------
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
-# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
-# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
-# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;)
diff -Nru snort-2.9.0.1/rules/experimental.rules snort-2.9.2/rules/experimental.rules
--- snort-2.9.0.1/rules/experimental.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/experimental.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,27 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: experimental.rules,v 1.78.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-# ---------------
-# EXPERIMENTAL RULES
-# ---------------
-# These signatures are experimental, new and may trigger way too often.
-#
-# Be forwarned, this is our testing ground. We put new signatures here for
-# testing before incorporating them into the default signature set. This is
-# for bleeding edge stuff only.
-#
diff -Nru snort-2.9.0.1/rules/exploit.rules snort-2.9.2/rules/exploit.rules
--- snort-2.9.0.1/rules/exploit.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/exploit.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,121 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# EXPLOIT RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
-alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
-
-alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
-alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
-alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;)
-
-alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
-alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
-alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:2;)
-alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
-alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:2;)
-alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;)
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 
0x9c client name overflow"; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client 
name overflow"; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;) diff -Nru snort-2.9.0.1/rules/finger.rules snort-2.9.2/rules/finger.rules --- snort-2.9.0.1/rules/finger.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/finger.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,37 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: finger.rules,v 1.26.2.2.2.2 2005/05/31 17:13:02 mwatchinski Exp $
-#-------------
-# FINGER RULES
-#-------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:3;)
diff -Nru snort-2.9.0.1/rules/ftp.rules snort-2.9.2/rules/ftp.rules
--- snort-2.9.0.1/rules/ftp.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/ftp.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,112 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: ftp.rules,v 1.57.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
-#----------
-# FTP RULES
-#----------
-
-
-# protocol verification
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2392; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2343; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:22;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:1734; rev:30;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:1972; rev:16;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:1973; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1975; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1976; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; dsize:10; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;)
-
-
-
-
-# bad ftp commands
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1777; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1778; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;)
-
-# bad directories
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:11;)
-
-# vulnerabilities against specific implementations of ftp
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:8;)
-
-
-# BAD FILES
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)
-
-# suspicious login attempts
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:16;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2179; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2338; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:3077; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:3441; rev:1;)
diff -Nru snort-2.9.0.1/rules/generators snort-2.9.2/rules/generators
--- snort-2.9.0.1/rules/generators 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/generators 1969-12-31 16:00:00.000000000 -0800
@@ -1,39 +0,0 @@ -# Master Registry of Snort Generator Ids -# -# -# This file is used to maintain unique generator ids for files even if -# the default snort configuration doesn't include some patch that is -# required for a specific preprocessor to work -# -# -# -# Maintainer: Chris Green <cmg@sourcefire.com> -# -# Contact cmg@sourcefire.com for an assignment - -rules_subsystem 1 # Snort Rules Engine -tag_subsystem 2 # Tagging Subsystem -portscan 100 # Portscan1 -minfrag 101 # Minfrag [ removed ] -http_decode 102 # HTTP decode 1/2 -defrag 103 # First defragmenter [ removed ] -spade 104 # SPADE [ not included anymore ] -bo 105 # Back Orifice -rpc_decode 106 # RPC Preprocessor -stream2 107 # 2nd stream preprocessor [removed] -stream3 108 # 3rd stream preprocessor (AVL nightmare) [ removed ] -telnet_neg 109 # telnet option decoder -unidecode 110 # unicode decoder -stream4 111 # Stream4 preprocessor -arpspoof 112 # Arp Spoof detector -frag2 113 # 2nd fragment preprocessor -fnord 114 # NOP detector [ removed ] -asn1 115 # ASN.1 Validator [ removed ] -decode 116 # Snort Internal Decoder -scan2 117 # portscan2 -conversation 118 # conversation -reserved 119 # TBA -reserved 120 # TBA -snmp 121 # Andrew Baker's newer SNMP decoder -sfportscan 122 # Dan Roelkers portscan -frag3 123 # Marty Roesch's ip frag reassembler diff -Nru snort-2.9.0.1/rules/gen-msg.map snort-2.9.2/rules/gen-msg.map --- snort-2.9.0.1/rules/gen-msg.map 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/gen-msg.map 1969-12-31 16:00:00.000000000 -0800 
@@ -1,175 +0,0 @@ -# $Id: gen-msg.map,v 1.16.2.2.2.2 2005/04/22 22:11:53 jhewlett Exp $ -# GENERATORS -> msg map -# Format: generatorid || alertid || MSG - -1 || 1 || snort general alert -2 || 1 || tag: Tagged Packet -100 || 1 || spp_portscan: Portscan Detected -100 || 2 || spp_portscan: Portscan Status -100 || 3 || spp_portscan: Portscan Ended -101 || 1 || spp_minfrag: minfrag alert -102 || 1 || http_decode: Unicode Attack -102 || 2 || http_decode: CGI NULL Byte Attack -102 || 3 || http_decode: large method attempted -102 || 4 || http_decode: missing uri -102 || 5 || http_decode: double encoding detected -102 || 6 || http_decode: illegal hex values detected -102 || 7 || http_decode: overlong character detected -103 || 1 || spp_defrag: Fragmentation Overflow Detected -103 || 2 || spp_defrag: Stale Fragments Discarded -104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded -104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted -105 || 1 || spp_bo: Back Orifice Traffic Detected -105 || 2 || spp_bo: Back Orifice Client Traffic Detected -105 || 3 || spp_bo: Back Orifice Server Traffic Detected -106 || 1 || spp_rpc_decode: Fragmented RPC Records -106 || 2 || spp_rpc_decode: Multiple Records in one packet -106 || 3 || spp_rpc_decode: Large RPC Record Fragment -106 || 4 || spp_rpc_decode: Incomplete RPC segment -110 || 1 || spp_unidecode: CGI NULL Attack -110 || 2 || spp_unidecode: Directory Traversal -110 || 3 || spp_unidecode: Unknown Mapping -110 || 4 || spp_unidecode: Invalid Mapping -111 || 1 || spp_stream4: Stealth Activity Detected -111 || 2 || spp_stream4: Evasive Reset Packet -111 || 3 || spp_stream4: Retransmission -111 || 4 || spp_stream4: Window Violation -111 || 5 || spp_stream4: Data on SYN Packet -111 || 6 || spp_stream4: Full XMAS Stealth Scan -111 || 7 || spp_stream4: SAPU Stealth Scan -111 || 8 || spp_stream4: FIN Stealth Scan -111 || 9 || spp_stream4: NULL Stealth Scan -111 || 10 || spp_stream4: NMAP XMAS Stealth Scan -111 || 11 || 
spp_stream4: VECNA Stealth Scan -111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection -111 || 13 || spp_stream4: SYN FIN Stealth Scan -111 || 14 || spp_stream4: TCP forward overlap detected -111 || 15 || spp_stream4: TTL Evasion attempt -111 || 16 || spp_stream4: Evasive retransmitited data attempt -111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt -111 || 18 || spp_stream4: Multiple acked -111 || 19 || spp_stream4: Shifting to Emegency Session Mode -111 || 20 || spp_stream4: Shifting to Suspend Mode -111 || 21 || spp_stream4: TCP Timestamp option has value of zero -111 || 22 || spp_stream4: Too many overlapping TCP packets -111 || 23 || spp_stream4: Packet in established TCP stream missing ACK -112 || 1 || spp_arpspoof: Directed ARP Request -112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC -112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST -112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack -113 || 1 || spp_frag2: Oversized Frag -113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack -113 || 3 || spp_frag2: TTL evasion detected -113 || 4 || spp_frag2: overlap detected -113 || 5 || spp_frag2: Duplicate first fragments -113 || 6 || spp_frag2: memcap exceeded -113 || 7 || spp_frag2: Out of order fragments -113 || 8 || spp_frag2: IP Options on Fragmented Packet -113 || 9 || spp_frag2: Shifting to Emegency Session Mode -113 || 10 || spp_frag2: Shifting to Suspend Mode -114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected -114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected -114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected -114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected -115 || 1 || spp_asn1: Indefinite ASN.1 length encoding -115 || 2 || spp_asn1: Invalid ASN.1 length encoding -115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow -115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow -115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet 
length -116 || 1 || snort_decoder: Not IPv4 datagram! -116 || 2 || snort_decoder: WARNING: Not IPv4 datagram! -116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN! -116 || 4 || snort_decoder: Bad IPv4 Options -116 || 5 || snort_decoder: Truncated IPv4 Options -116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes! -116 || 46 || snort_decoder: TCP Data Offset is less than 5! -116 || 47 || snort_decoder: TCP Data Offset is longer than payload! -116 || 54 || snort_decoder: Tcp Options found with bad lengths -116 || 55 || snort_decoder: Truncated Tcp Options -116 || 56 || snort_decoder: T/TCP Detected -116 || 57 || snort_decoder: Obsolete TCP options -116 || 58 || snort_decoder: Experimental TCP options -116 || 95 || snort_decoder: Truncated UDP Header! -116 || 96 || snort_decoder: Invalid UDP header, length field < 8 -116 || 97 || snort_decoder: Short UDP packet, length field > payload length -116 || 105 || snort_decoder: ICMP Header Truncated! -116 || 106 || snort_decoder: ICMP Timestamp Header Truncated! -116 || 107 || snort_decoder: ICMP Address Header Truncated! -116 || 108 || snort_decoder: Unknown Datagram decoding problem! -116 || 109 || snort_decoder: Truncated ARP Packet! -116 || 110 || snort_decoder: Truncated EAP Header! -116 || 111 || snort_decoder: EAP Key Truncated! -116 || 112 || snort_decoder: EAP Header Truncated! -116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected! -116 || 130 || snort_decoder: WARNING: Bad VLAN Frame! -116 || 131 || snort_decoder: WARNING: Bad LLC header! -116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info! -116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header! -116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info! -116 || 140 || snort_decoder: WARNING: Bad Token Ring Header! -116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header! -116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header! -116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header! 
-116 || 150 || snort_decoder: Bad Traffic Loopback IP! -116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP! -117 || 1 || spp_portscan2: Portscan detected! -118 || 1 || spp_conversation: Bad IP protocol! -119 || 1 || http_inspect: ASCII ENCODING -119 || 2 || http_inspect: DOUBLE DECODING ATTACK -119 || 3 || http_inspect: U ENCODING -119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING -119 || 5 || http_inspect: BASE36 ENCODING -119 || 6 || http_inspect: UTF-8 ENCODING -119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING -119 || 8 || http_inspect: MULTI_SLASH ENCODING -119 || 9 || http_inspect: IIS BACKSLASH EVASION -119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL -119 || 11 || http_inspect: DIRECTORY TRAVERSAL -119 || 12 || http_inspect: APACHE WHITESPACE (TAB) -119 || 13 || http_inspect: NON-RFC HTTP DELIMITER -119 || 14 || http_inspect: NON-RFC DEFINED CHAR -119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY -119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING -119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED -119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL -120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT -121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded -121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded -121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded -121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded -122 || 1 || portscan: TCP Portscan -122 || 2 || portscan: TCP Decoy Portscan -122 || 3 || portscan: TCP Portsweep -122 || 4 || portscan: TCP Distributed Portscan -122 || 5 || portscan: TCP Filtered Portscan -122 || 6 || portscan: TCP Filtered Decoy Portscan -122 || 7 || portscan: TCP Filtered Portsweep -122 || 8 || portscan: TCP Filtered Distributed Portscan -122 || 9 || portscan: IP Protocol Scan -122 || 10 || portscan: IP Decoy Protocol Scan -122 || 11 || portscan: IP Protocol Sweep -122 || 12 || portscan: IP Distributed Protocol Scan -122 || 13 || 
portscan: IP Filtered Protocol Scan -122 || 14 || portscan: IP Filtered Decoy Protocol Scan -122 || 15 || portscan: IP Filtered Protocol Sweep -122 || 16 || portscan: IP Filtered Distributed Protocol Scan -122 || 17 || portscan: UDP Portscan -122 || 18 || portscan: UDP Decoy Portscan -122 || 19 || portscan: UDP Portsweep -122 || 20 || portscan: UDP Distributed Portscan -122 || 21 || portscan: UDP Filtered Portscan -122 || 22 || portscan: UDP Filtered Decoy Portscan -122 || 23 || portscan: UDP Filtered Portsweep -122 || 24 || portscan: UDP Filtered Distributed Portscan -122 || 25 || portscan: ICMP Sweep -122 || 26 || portscan: ICMP Filtered Sweep -122 || 27 || portscan: Open Port -123 || 1 || frag3: IP Options on fragmented packet -123 || 2 || frag3: Teardrop attack -123 || 3 || frag3: Short fragment, possible DoS attempt -123 || 4 || frag3: Fragment packet ends after defragmented packet -123 || 5 || frag3: Zero-byte fragment -123 || 6 || frag3: Bad fragment size, packet size is negative -123 || 7 || frag3: Bad fragment size, packet size is greater than 65536 -123 || 8 || frag3: Fragmentation overlap -124 || 1 || xlink2state: X-Link2State length greater than 1024 diff -Nru snort-2.9.0.1/rules/icmp-info.rules snort-2.9.2/rules/icmp-info.rules --- snort-2.9.0.1/rules/icmp-info.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/icmp-info.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,122 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: icmp-info.rules,v 1.23.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $ -#-------------- -# ICMP-INFO -#-------------- -# -# Description: -# These rules are standard ICMP traffic. They include OS pings, as well -# as normal routing done by ICMP. There are a number of "catch all" rules -# that will alert on unknown ICMP types. 
-# -# Potentially "BAD" ICMP rules are included in icmp.rules - -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; 
reference:arachnids,156; classtype:misc-activity; sid:373; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;) -alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;) -alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;) 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;) -alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;) -alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;) -alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; 
icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;) -alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;) -alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;) -alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp 
Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;) diff -Nru snort-2.9.0.1/rules/icmp.rules snort-2.9.2/rules/icmp.rules --- snort-2.9.0.1/rules/icmp.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/icmp.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,50 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: icmp.rules,v 1.25.2.1.2.2 2005/05/16 22:17:51 mwatchinski Exp $ -#----------- -# ICMP RULES -#----------- -# -# Description: -# These rules are potentially bad ICMP traffic. 
They include most of the -# ICMP scanning tools and other "BAD" ICMP traffic (Such as redirect host) -# -# Other ICMP rules are included in icmp-info.rules - -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 
00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;) -alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;) -alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;) -alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP 
digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;) diff -Nru snort-2.9.0.1/rules/imap.rules snort-2.9.2/rules/imap.rules --- snort-2.9.0.1/rules/imap.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/imap.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,73 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: imap.rules,v 1.24.2.7.2.5 2005/06/15 23:02:33 mwatchinski Exp $
-#--------------
-# IMAP RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:11;)
-
-# auth is an imap2 function and only accepts literal usage
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)
-
-# FIND does not accept a literal command
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:13;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2529; rev:6;)
-alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2530; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:3072; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;)
diff -Nru snort-2.9.0.1/rules/info.rules snort-2.9.2/rules/info.rules
--- snort-2.9.0.1/rules/info.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/info.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,32 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: info.rules,v 1.27.2.3.2.2 2005/05/31 17:13:02 mwatchinski Exp $
-#-----------
-# INFO RULES
-#-----------
-
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;)
-alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;)
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:3;)
diff -Nru snort-2.9.0.1/rules/LICENSE snort-2.9.2/rules/LICENSE
--- snort-2.9.0.1/rules/LICENSE 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/LICENSE 1969-12-31 16:00:00.000000000 -0800
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
-
- <one line to give the program's name and a brief idea of what it does.>
- Copyright (C) 19yy <name of author>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) 19yy name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff -Nru snort-2.9.0.1/rules/local.rules snort-2.9.2/rules/local.rules
--- snort-2.9.0.1/rules/local.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/local.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,6 +0,0 @@
-# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
-# ----------------
-# LOCAL RULES
-# ----------------
-# This file intentionally does not come with signatures. Put your local
-# additions here.
diff -Nru snort-2.9.0.1/rules/misc.rules snort-2.9.2/rules/misc.rules
--- snort-2.9.0.1/rules/misc.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/misc.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,119 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $
-#-----------
-# MISC RULES
-#-----------
-
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
-alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
-alert tcp $EXTERNAL_NET 53 ->
$HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
-alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
-
-# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
-# alert ip $EXTERNAL_NET any -> $HOME_NET any
(msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
-alert
udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
-
-
-# once we get response, check for content:"|03|"; offset:0; depth:1;
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1;
reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;)
-
-alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
-alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;)
-
-
-# This rule needs some work since you don't have to pass BEGIN and END
-# anywhere near each other.
-#
-#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
-#!
msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
-#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
-#! within:255; classtype:misc-attack;)
-
-
-# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot
make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;)
-
-# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
-alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;)
-alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established;
flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;)
-alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|";
depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)
-alert udp $EXTERNAL_NET
any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;)
diff -Nru snort-2.9.0.1/rules/multimedia.rules snort-2.9.2/rules/multimedia.rules
--- snort-2.9.0.1/rules/multimedia.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/multimedia.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,36 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: multimedia.rules,v 1.13.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
-#-------------
-# MULTIMEDIA RULES
-#-------------
-# These signatures look for people using streaming multimedia technologies.
-# Using streaming media may be a violation of corporate policies.
-
-
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:6;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; nocase; classtype:policy-violation; sid:1436; rev:5;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
-alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity;
sid:2421; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:3;)
diff -Nru snort-2.9.0.1/rules/mysql.rules snort-2.9.2/rules/mysql.rules
--- snort-2.9.0.1/rules/mysql.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/mysql.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,31 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: mysql.rules,v 1.10.2.2.2.3 2005/05/31 17:13:02 mwatchinski Exp $
-#----------
-# MYSQL RULES
-#----------
-#
-# These signatures detect unusual and potentially malicious mysql traffic.
-#
-# These signatures are not enabled by default as they may generate false
-# positive alarms on networks that do mysql development.
-#
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
diff -Nru snort-2.9.0.1/rules/netbios.rules snort-2.9.2/rules/netbios.rules
--- snort-2.9.0.1/rules/netbios.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/netbios.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,512 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: netbios.rules,v 1.46.2.9.2.7 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# NETBIOS RULES
-#--------------
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:538; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2465; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2466; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:536; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2467; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2468; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2469; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:533; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2470; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2471; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2472; rev:9;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:532; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2473; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2474; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2475; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2174; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2175; rev:8;)
-
-# where did these come from? I don't know. lets disable them for real for now
-# and deal with it later...
-### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
-### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2476; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2477; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2478; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2479; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2480; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2481; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2482; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2483; rev:7;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)
-
-
-
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
-alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:9;)
-
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:7;)
-
-
-
-
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2382; rev:18;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2383; rev:18;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC 
LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; 
flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;) - - - -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS 
DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;) -alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;) -alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;) -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;) -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2932; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2994; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2976; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2939; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2958; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2937; rev:4;) -alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2971; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2944; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2972; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2936; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2953; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2979; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2961; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2960; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; 
isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2948; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2949; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2930; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2931; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS 
SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2970; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2965; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; 
classtype:protocol-command-decode; sid:2951; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2997; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 
00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2947; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2943; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2998; rev:4;) 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2935; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2962; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; 
distance:-10; nocase; classtype:protocol-command-decode; sid:2977; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2981; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2993; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2942; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2969; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2973; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2999; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2952; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2966; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2940; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2996; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; 
reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2963; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2959; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; 
pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2992; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2929; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2956; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; 
flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2946; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2934; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2978; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2982; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2967; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2957; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2941; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2995; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2950; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; 
classtype:protocol-command-decode; sid:2974; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2938; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; 
within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2964; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2980; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2983; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode 
bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2933; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2945; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2928; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2968; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2975; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3004; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3003; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3005; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; 
reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3002; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3001; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3051; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; 
reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3044; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3047; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; 
content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3054; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3057; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; 
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3048; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3050; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3046; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3053; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3043; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; 
within:2; distance:-10; classtype:protocol-command-decode; sid:3042; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3052; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; 
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3045; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3056; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; 
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3055; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; 
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3049; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3109; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3092; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3111; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; 
within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3100; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3114; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3119; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3127; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3096; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3123; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3110; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3117; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3108; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc 
bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3098; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3095; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3121; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian andx bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3103; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3102; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; 
classtype:protocol-command-decode; sid:3099; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3126; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3118; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; 
within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3124; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3116; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3113; rev:2;) -alert tcp $EXTERNAL_NET 
any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3120; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3129; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 
00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3091; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3094; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3105; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; 
classtype:protocol-command-decode; sid:3107; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3115; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3125; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; 
nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3093; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3112; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3101; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; 
within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3097; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3128; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3090; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; 
reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3122; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3104; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3106; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3135; rev:2;) -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; 
flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3144; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3141; rev:2;) -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3143; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3140; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; 
flowbits:noalert; classtype:protocol-command-decode; sid:3139; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3137; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3142; rev:2;) -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3146; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3136; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3138; rev:2;) -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3145; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3163; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3185; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3256; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3431; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3421; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3238; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3239; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3241; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3419; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; 
reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3260; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3413; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:3218; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; 
flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3157; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3180; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3406; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3251; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3205; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; 
sid:3211; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3384; rev:2;) -alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; 
flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3397; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3217; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3416; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; 
distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3170; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3160; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; 
flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3377; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3428; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:3233; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3435; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3178; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; 
byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3183; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3248; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3245; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 
00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3412; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3386; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3166; rev:2;)
-alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3392; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3409; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; 
pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3270; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3227; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3203; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3226; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3208; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; 
classtype:protocol-command-decode; sid:3255; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3196; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3430; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3389; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3174; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3275; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3265; 
rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3415; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3268; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; 
flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3156; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3439; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3162; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS 
SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3186; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3230; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 
5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3383; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3250; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3231; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3216; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3378; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; 
reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3171; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3427; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3402; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3264; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3423; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3222; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB 
winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3204; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3210; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3240; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator 
unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3396; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3247; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; 
within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3259; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3411; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3223; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3405; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3244; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3385; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB 
IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3380; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3184; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3440; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3426; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3189; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3179; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; 
classtype:protocol-command-decode; sid:3254; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3195; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3175; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 
80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3167; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3432; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3228; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3202; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3420; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3269; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3401; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3390; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; 
nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3172; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3207; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; 
flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3391; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3232; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3158; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3224; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3258; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3176; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3379; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3213; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; 
distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3422; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3262; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3436; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3190; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3165; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 
00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3243; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3425; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3418; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 
00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3395; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3246; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3408; rev:2;) -alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3253; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3198; rev:1;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; 
classtype:protocol-command-decode; sid:3215; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3394; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3263; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; 
content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3433; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3187; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3236; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3181; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3168; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3414; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3388; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3382; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 
00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3229; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3276; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3429; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3220; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3404; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3219; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3398; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3212; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3206; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3399; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3159; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3169; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3261; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3257; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3417; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3410; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3249; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3271; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3437; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; 
pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3252; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3173; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3161; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3400; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3266; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3225; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3214; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3197; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; 
flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3434; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3393; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; 
classtype:protocol-command-decode; sid:3424; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3221; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3242; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3182; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3267; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3177; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3387; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3403; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3209; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3407; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3381; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode 
little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3191; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3438; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; 
flowbits:noalert; classtype:protocol-command-decode; sid:3237; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3164; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3188; rev:2;) diff -Nru snort-2.9.0.1/rules/nntp.rules 
snort-2.9.2/rules/nntp.rules --- snort-2.9.0.1/rules/nntp.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/nntp.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,35 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: nntp.rules,v 1.12.2.4.2.1 2005/05/16 22:17:51 mwatchinski Exp $ -#---------- -# NNTP RULES -#---------- - -alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:1538; rev:13;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; 
classtype:attempted-admin; sid:2424; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2425; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2426; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2427; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2428; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2429; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2430; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2431; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP 
article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2927; rev:3;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:3078; rev:1;) diff -Nru snort-2.9.0.1/rules/oracle.rules snort-2.9.2/rules/oracle.rules --- snort-2.9.0.1/rules/oracle.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/oracle.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,375 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $ -#---------- -# ORACLE RULES -#---------- -# -# These signatures detect unusual and potentially malicious oracle traffic. -# These signatures are based from signatures written by Hank Leininger -# <hlein@progressive-comp.com> for Enterasys's Dragon IDS that he released -# publicly. -# -# These signatures are not enabled by default as they may generate false -# positive alarms on networks that do oracle development. If you use an -# Oracle based web application, you should set the destination port to -# 80 to catch attackers attempting to exploit your web application. 
-# - -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views 
access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; 
classtype:protocol-command-decode; sid:1690; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;) -# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;) - -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;) - -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;) - -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; 
classtype:attempted-user; sid:2608; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; 
pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;)
-
-alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;)
-alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;)
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; 
content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;) -alert 
tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; 
rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; 
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2897; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2762; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2856; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2738; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; 
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nchar 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.relocate_masterdef 
buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;) -alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;) -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;) diff -Nru snort-2.9.0.1/rules/other-ids.rules snort-2.9.2/rules/other-ids.rules --- snort-2.9.0.1/rules/other-ids.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/other-ids.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,37 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: other-ids.rules,v 1.10.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-# ---------------
-# OTHER-IDS RULES
-# ---------------
-# These signatures look for uses of other IDSs.
-#
-# These signatures serve two purposes.
-# 1) If you are "IDS GUY" for a company, and someone else sets up an IDS
-# without letting you know, thats bad.
-# 2) If you are "pen-tester", this is a good way to find out what IDS
-# systems your target is using after you have gained access to their
-# network.
-#
-
-
-alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
-alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)
-
-# To limit false positives, limit to the default port of 975
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)
diff -Nru snort-2.9.0.1/rules/p2p.rules snort-2.9.2/rules/p2p.rules
--- snort-2.9.0.1/rules/p2p.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/p2p.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,43 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: p2p.rules,v 1.17.2.3.2.3 2005/06/15 23:02:34 mwatchinski Exp $
-#-------------
-# P2P RULES
-#-------------
-# These signatures look for usage of P2P protocols, which are usually
-# against corporate policy
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
-alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:2;)
-alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:2;)
-alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; depth:4; offset:16; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:3;)
diff -Nru snort-2.9.0.1/rules/policy.rules snort-2.9.2/rules/policy.rules
--- snort-2.9.0.1/rules/policy.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/policy.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,55 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: policy.rules,v 1.38.2.2.2.3 2005/07/22 19:19:54 mwatchinski Exp $
-#-------------
-# POLICY RULES
-#-------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
-
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
-
-
-# we have started to see multiple versions of this beyond 003.003, so we have
-# expanded this signature to take that into account.
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
-alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
-alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;)
-
-# NOTES: This signature would be better off using uricontent, and having the
-# http decoder looking at 5800 and 5802, but that is on by default
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD ' possible warez site"; flow:to_Server,established; content:"MKD "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;)
-alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;)
diff -Nru snort-2.9.0.1/rules/pop2.rules snort-2.9.2/rules/pop2.rules
--- snort-2.9.0.1/rules/pop2.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/pop2.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,26 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#--------------
-# POP2 RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;)
diff -Nru snort-2.9.0.1/rules/pop3.rules snort-2.9.2/rules/pop3.rules
--- snort-2.9.0.1/rules/pop3.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/pop3.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: pop3.rules,v 1.22.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
-#--------------
-# POP3 RULES
-#--------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)
-
-# bsd-qpopper.c
-# overflow in the reading of a line in qpopper
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:11;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:13;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:6;)
-alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:6;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;)
diff -Nru snort-2.9.0.1/rules/porn.rules snort-2.9.2/rules/porn.rules
--- snort-2.9.0.1/rules/porn.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/porn.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,51 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: porn.rules,v 1.12.6.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#-------------
-# PORN RULES
-#-------------
-#
-
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)
-
diff -Nru snort-2.9.0.1/rules/purge-non-gpl.sh snort-2.9.2/rules/purge-non-gpl.sh
--- snort-2.9.0.1/rules/purge-non-gpl.sh 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/purge-non-gpl.sh 1969-12-31 16:00:00.000000000 -0800
@@ -1,23 +0,0 @@
-#!/bin/sh
-# Purges non-GPL rules from a common set
-
-if [ -z "$1" ] ; then
- echo "Usage: $0 directory_with_rules"
-fi
-
-if [ ! -d "$1" ] ; then
- echo "ERROR: $1 is not a directory"
- exit 1
-fi
-
-for file in $1/*rules; do
- if [ -r "$file" ] ; then
- name=`basename $file`
- if [ ! -e "$name" ] ; then
- cat $file |perl remove-non-gpl.pl >$name
- else
- echo "ERROR: Cowardly refusing to overwrite $name"
- fi
- fi
-done
-
diff -Nru snort-2.9.0.1/rules/reference.config snort-2.9.2/rules/reference.config
--- snort-2.9.0.1/rules/reference.config 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/reference.config 1969-12-31 16:00:00.000000000 -0800
@@ -1,14 +0,0 @@
-# $Id: reference.config,v 1.4 2003/10/20 15:03:04 chrisgreen Exp $
-# The following defines URLs for the references found in the rules
-#
-# config reference: system URL
-
-config reference: bugtraq http://www.securityfocus.com/bid/
-config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
-config reference: arachNIDS http://www.whitehats.com/info/IDS
-
-# Note, this one needs a suffix as well.... lets add that in a bit.
-config reference: McAfee http://vil.nai.com/vil/content/v_
-config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
-config reference: url http://
-
diff -Nru snort-2.9.0.1/rules/remove-non-gpl.pl snort-2.9.2/rules/remove-non-gpl.pl
--- snort-2.9.0.1/rules/remove-non-gpl.pl 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/remove-non-gpl.pl 1969-12-31 16:00:00.000000000 -0800
@@ -1,37 +0,0 @@ -#!/usr/bin/perl -# -# Give a rules file, remove all alerts which are not GPL. Based on -# Sourcefire's VRT Certified Rules License Agreement -# (http://www.snort.org/about_snort/licenses/vrt_license.html) -# this means that the rule's sid must be outside the 3,465 - 1,000,000 range -# -# This program is copyright 2007 by Javier Fernandez-Sanguino <jfs@debian.org> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# For more information please see -# http://www.gnu.org/licenses/licenses.html#GPL -# - -while (<STDIN>) { - if ( ! /^alert/ ) { - print ; - } elsif ( /sid:(\d+)[^\d]/ ) { - print if ( $1 < 3465 || $1 > 1000000 ); - } else { - print "WARN: Alert without sid, will not print\n"; - } -} - diff -Nru snort-2.9.0.1/rules/rpc.rules snort-2.9.2/rules/rpc.rules --- snort-2.9.0.1/rules/rpc.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/rpc.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,234 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: rpc.rules,v 1.58.2.2.2.5 2005/06/29 15:35:04 mwatchinski Exp $ -#---------- -# RPC RULES -#---------- - - -# portmap specific stuff. - -## bleck. Not happy about this. because of the non-rule ordering foo, I'm -## checking the first byte in the version, which should always be 0. When we -## alert multiple times on a packet, I'll put these rules back to: -## content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|"; -## distance:4; within:4; -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;) -# this rule makes me not happy as well. see above. 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; 
content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;) - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 
A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 
(msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;) - - -# rusers -alert udp 
$EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;) -# XXX - Need to find out if rusers exists on TCP and if so, implement one of -# these for TCP... -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;) - - - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; 
classtype:rpc-portmap-decode; sid:1273; rev:10;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 
00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;) - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;) - - -alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; 
reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;) - - -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall 
request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;) - - -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; 
sid:1952; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;) - - -# amd -alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; 
content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;) -alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:8;) - -# cmsd -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; 
content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;) - -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; 
flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:12;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;) - - -# sadmind -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;) -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; 
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;) -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:11;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;) - -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;) - - -# statd -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; 
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915; 
rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; 
classtype:misc-attack; sid:2089; rev:5;)
-
-# NFS
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
-
-
-# rquota
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
-alert tcp 
$EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
-
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; 
reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
-
-# not sure what this rule is looking for, other than the procedure 15
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; 
byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
-
-
-
-# XXX - These need re-verified
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; 
reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; 
byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; 
distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; 
content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;)
-
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;)
-
-
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; 
flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2255; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2256; rev:3;)
diff -Nru snort-2.9.0.1/rules/rservices.rules snort-2.9.2/rules/rservices.rules
--- snort-2.9.0.1/rules/rservices.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/rservices.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,35 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: rservices.rules,v 1.22.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#----------------
-# RSERVICES RULES
-#----------------
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; 
flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
diff -Nru snort-2.9.0.1/rules/scan.rules snort-2.9.2/rules/scan.rules
--- snort-2.9.0.1/rules/scan.rules 2011-12-28 14:36:52.000000000 -0800
+++ 
snort-2.9.2/rules/scan.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,48 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: scan.rules,v 1.29.2.3.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#-----------
-# SCAN RULES
-#-----------
-# These signatures are representitive of network scanners. These include
-# port scanning, ip mapping, and various application scanners.
-#
-# NOTE: This does NOT include web scanners such as whisker. 
Those are
-# in web*
-#
-
-alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; 
sid:626; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
diff -Nru snort-2.9.0.1/rules/shellcode.rules snort-2.9.2/rules/shellcode.rules
--- snort-2.9.0.1/rules/shellcode.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/shellcode.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,50 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: shellcode.rules,v 1.25.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $ -# --------------- -# SHELLCODE RULES -# --------------- -# These signatures are based on shellcode that is common ammong multiple -# publicly available exploits. -# -# Because these signatures check ALL traffic for shellcode, these signatures -# are disabled by default. There is a LARGE performance hit by enabling -# these signatures. 
-# - -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:8;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:8;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:640; rev:6;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:6;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:6;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:7;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; 
reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:8;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:6;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; 
classtype:shellcode-detect; sid:2312; rev:2;) -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:2;) diff -Nru snort-2.9.0.1/rules/sid snort-2.9.2/rules/sid --- snort-2.9.0.1/rules/sid 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/sid 1969-12-31 16:00:00.000000000 -0800 @@ -1 +0,0 @@ -3827 diff -Nru snort-2.9.0.1/rules/sid-msg.map snort-2.9.2/rules/sid-msg.map --- snort-2.9.0.1/rules/sid-msg.map 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/sid-msg.map 1969-12-31 16:00:00.000000000 -0800 
@@ -1,3544 +0,0 @@ -103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/ -104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html -105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html -106 || BACKDOOR ACKcmdC trojan scan || arachnids,445 -107 || BACKDOOR subseven DEFCON8 2.1 access -108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775 -109 || BACKDOOR netbus active || arachnids,401 -110 || BACKDOOR netbus getinfo || arachnids,403 -111 || BACKDOOR netbus getinfo || arachnids,403 -112 || BACKDOOR BackOrifice access || arachnids,400 -113 || BACKDOOR DeepThroat access || arachnids,405 -114 || BACKDOOR netbus active || arachnids,401 -115 || BACKDOOR NetBus Pro 2.0 connection established -116 || BACKDOOR BackOrifice access || arachnids,399 -117 || BACKDOOR Infector.1.x || arachnids,315 -118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316 -119 || BACKDOOR Doly 2.0 access || arachnids,312 -120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157 -121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157 -122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106 -124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106 -125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106 -126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106 -127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106 -128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106 -129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106 -130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106 -131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106 -132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106 -133 || BACKDOOR DeepThroat 
3.1 Cached Passwords Client Request || arachnids,106 -134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106 -135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106 -136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106 -137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106 -138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106 -140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106 -141 || BACKDOOR HackAttack 1.20 Connect -142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106 -143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106 -144 || FTP ADMw0rm ftp login attempt || arachnids,01 -145 || BACKDOOR GirlFriendaccess || arachnids,98 -146 || BACKDOOR NetSphere access || arachnids,76 -147 || BACKDOOR GateCrasher || arachnids,99 -148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106 -149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 -150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 -151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 -152 || BACKDOOR BackConstruction 2.1 Connection -153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575 -154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106 -155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76 -156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106 -157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request -158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply -159 || BACKDOOR NetMetro File List || arachnids,79 -160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79 -161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83 -162 || BACKDOOR Matrix 2.0 Server access || arachnids,83 -163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36 -164 || 
BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 -165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106 -166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106 -167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106 -168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106 -169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106 -170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106 -171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106 -172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106 -173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106 -174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 -175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106 -176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 -177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106 -179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106 -180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106 -181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106 -182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106 -183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202 -184 || BACKDOOR Q access || arachnids,203 -185 || BACKDOOR CDK || arachnids,263 -186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106 -187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106 -188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106 -189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106 -190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106 -191 || BACKDOOR DeepThroat 3.1 
Change Window Title Client Request || arachnids,106 -192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106 -193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106 -194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106 -195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053 -196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106 -197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106 -198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106 -199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106 -200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106 -201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106 -202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106 -203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 -204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 -205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106 -206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106 -207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106 -208 || BACKDOOR PhaseZero Server Active on Network -209 || BACKDOOR w00w00 attempt || arachnids,510 -210 || BACKDOOR attempt -211 || BACKDOOR MISC r00t attempt -212 || BACKDOOR MISC rewt attempt -213 || BACKDOOR MISC Linux rootkit attempt -214 || BACKDOOR MISC Linux rootkit attempt lrkr0x -215 || BACKDOOR MISC Linux rootkit attempt -216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516 -217 || BACKDOOR MISC sm4ck attempt -218 || BACKDOOR MISC Solaris 2.5 attempt -219 || BACKDOOR HidePak backdoor attempt -220 || BACKDOOR HideSource backdoor attempt -221 || DDOS TFN Probe || arachnids,443 -222 || DDOS tfn2k icmp possible communication || arachnids,425 -223 
|| DDOS Trin00 Daemon to Master PONG message detected || arachnids,187 -224 || DDOS Stacheldraht server spoof || arachnids,193 -225 || DDOS Stacheldraht gag server response || arachnids,195 -226 || DDOS Stacheldraht server response || arachnids,191 -227 || DDOS Stacheldraht client spoofworks || arachnids,192 -228 || DDOS TFN client command BE || arachnids,184 -229 || DDOS Stacheldraht client check skillz || arachnids,190 -230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml -231 || DDOS Trin00 Daemon to Master message detected || arachnids,186 -232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm -233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197 -234 || DDOS Trin00 Attacker to Master default password -235 || DDOS Trin00 Attacker to Master default mdie password -236 || DDOS Stacheldraht client check gag || arachnids,194 -237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197 -238 || DDOS TFN server response || arachnids,182 -239 || DDOS shaft handler to agent || arachnids,255 -240 || DDOS shaft agent to handler || arachnids,256 -241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138 -243 || DDOS mstream agent to handler -244 || DDOS mstream handler to agent || cve,2000-0138 -245 || DDOS mstream handler ping to agent || cve,2000-0138 -246 || DDOS mstream agent pong to handler -247 || DDOS mstream client to handler || cve,2000-0138 -248 || DDOS mstream handler to client || cve,2000-0138 -249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138 -250 || DDOS mstream handler to client || cve,2000-0138 -251 || DDOS - TFN client command LE || arachnids,183 -252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt -253 || DNS SPOOF query response PTR with TTL of 1 min. 
and no authority -254 || DNS SPOOF query response with TTL of 1 min. and no authority -255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595 -256 || DNS named authors attempt || arachnids,480 || nessus,10728 -257 || DNS named version attempt || arachnids,278 || nessus,10028 -258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833 -259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833 -260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html -261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html -262 || DNS EXPLOIT x86 Linux overflow attempt -264 || DNS EXPLOIT x86 Linux overflow attempt -265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2 -266 || DNS EXPLOIT x86 FreeBSD overflow attempt -267 || DNS EXPLOIT sparc overflow attempt -268 || DOS Jolt attack || cve,1999-0345 -269 || DOS Land attack || bugtraq,2666 || cve,1999-0016 -270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html -271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635 -272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx -273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 -274 || DOS ath || arachnids,264 || cve,1999-1228 -275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx -276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474 -277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474 -278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474 -279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221 -281 || DOS Ascend Route || arachnids,262 || bugtraq,714 || 
cve,1999-0060 -282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788 -283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 -284 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130 -285 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130 -286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196 -287 || POP3 EXPLOIT x86 BSD overflow -288 || POP3 EXPLOIT x86 Linux overflow -289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006 -290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184 -291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341 -292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811 -293 || IMAP EXPLOIT overflow -295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 -296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 -297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 -298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 -299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 -300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319 -301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917 -302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917 -303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010 -304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306 -305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165 -306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html -307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672 -308 || EXPLOIT NextFTP client overflow || bugtraq,572 || cve,1999-0671 -309 || EXPLOIT 
sniffit overflow || arachnids,273 || bugtraq,1158 || cve,2000-0343 -310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404 -311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 -312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414 -313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210 -314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010 -315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 -316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 -317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 -318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914 -319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799 -320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm -321 || FINGER account enumeration attempt || nessus,10788 -322 || FINGER search query || arachnids,375 || cve,1999-0259 -323 || FINGER root query || arachnids,376 -324 || FINGER null request || arachnids,377 -325 || FINGER probe 0 attempt || arachnids,378 -326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150 -327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152 -328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106 -329 || FINGER cybercop redirection || arachnids,11 -330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073 -331 || FINGER cybercop query || arachnids,132 || cve,1999-0612 -332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069 -333 || FINGER . 
query || arachnids,130 || cve,1999-0198 || nessus,10072 -334 || FTP .forward || arachnids,319 -335 || FTP .rhosts || arachnids,328 -336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082 -337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009 -338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573 -339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053 -340 || FTP EXPLOIT overflow -341 || FTP EXPLOIT overflow -342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573 -343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573 -344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573 -345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452 -346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573 -348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387 -349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 -350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 -351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 -352 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || cve,1999-0368 -353 || FTP adm scan || arachnids,332 -354 || FTP iss scan || arachnids,331 -355 || FTP pass wh00t || arachnids,324 -356 || FTP passwd retrieval attempt || arachnids,213 -357 || FTP piss scan -358 || FTP saint scan || arachnids,330 -359 || FTP satan scan || arachnids,329 -360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054 -361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 || cve,1999-0955 -362 || 
FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997 -363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875 -364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875 -365 || ICMP PING undefined code -366 || ICMP PING *NIX -368 || ICMP PING BSDtype || arachnids,152 -369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444 -370 || ICMP PING BeOS4.x || arachnids,151 -371 || ICMP PING Cisco Type.x || arachnids,153 -372 || ICMP PING Delphi-Piette Windows || arachnids,155 -373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156 -374 || ICMP PING IP NetMonitor Macintosh || arachnids,157 -375 || ICMP PING LINUX/*BSD || arachnids,447 -376 || ICMP PING Microsoft Windows || arachnids,159 -377 || ICMP PING Network Toolbox 3 Windows || arachnids,161 -378 || ICMP PING Ping-O-MeterWindows || arachnids,164 -379 || ICMP PING Pinger Windows || arachnids,163 -380 || ICMP PING Seer Windows || arachnids,166 -381 || ICMP PING Sun Solaris || arachnids,448 -382 || ICMP PING Windows || arachnids,169 -384 || ICMP PING -385 || ICMP traceroute || arachnids,118 -386 || ICMP Address Mask Reply -387 || ICMP Address Mask Reply undefined code -388 || ICMP Address Mask Request -389 || ICMP Address Mask Request undefined code -390 || ICMP Alternate Host Address -391 || ICMP Alternate Host Address undefined code -392 || ICMP Datagram Conversion Error -393 || ICMP Datagram Conversion Error undefined code -394 || ICMP Destination Unreachable Destination Host Unknown -395 || ICMP Destination Unreachable Destination Network Unknown -396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set -397 || ICMP Destination Unreachable Host Precedence Violation -398 || ICMP Destination Unreachable Host Unreachable for Type of Service -399 || ICMP Destination Unreachable Host Unreachable -400 || ICMP Destination Unreachable Network Unreachable for Type of Service -401 || ICMP 
Destination Unreachable Network Unreachable -402 || ICMP Destination Unreachable Port Unreachable -403 || ICMP Destination Unreachable Precedence Cutoff in effect -404 || ICMP Destination Unreachable Protocol Unreachable -405 || ICMP Destination Unreachable Source Host Isolated -406 || ICMP Destination Unreachable Source Route Failed -407 || ICMP Destination Unreachable cndefined code -408 || ICMP Echo Reply -409 || ICMP Echo Reply undefined code -410 || ICMP Fragment Reassembly Time Exceeded -411 || ICMP IPV6 I-Am-Here -412 || ICMP IPV6 I-Am-Here undefined code -413 || ICMP IPV6 Where-Are-You -414 || ICMP IPV6 Where-Are-You undefined code -415 || ICMP Information Reply -416 || ICMP Information Reply undefined code -417 || ICMP Information Request -418 || ICMP Information Request undefined code -419 || ICMP Mobile Host Redirect -420 || ICMP Mobile Host Redirect undefined code -421 || ICMP Mobile Registration Reply -422 || ICMP Mobile Registration Reply undefined code -423 || ICMP Mobile Registration Request -424 || ICMP Mobile Registration Request undefined code -425 || ICMP Parameter Problem Bad Length -426 || ICMP Parameter Problem Missing a Required Option -427 || ICMP Parameter Problem Unspecified Error -428 || ICMP Parameter Problem undefined Code -429 || ICMP Photuris Reserved -430 || ICMP Photuris Unknown Security Parameters Index -431 || ICMP Photuris Valid Security Parameters, But Authentication Failed -432 || ICMP Photuris Valid Security Parameters, But Decryption Failed -433 || ICMP Photuris undefined code! 
-436 || ICMP Redirect for TOS and Host -437 || ICMP Redirect for TOS and Network -438 || ICMP Redirect undefined code -439 || ICMP Reserved for Security Type 19 -440 || ICMP Reserved for Security Type 19 undefined code -441 || ICMP Router Advertisement || arachnids,173 -443 || ICMP Router Selection || arachnids,174 -445 || ICMP SKIP -446 || ICMP SKIP undefined code -448 || ICMP Source Quench undefined code -449 || ICMP Time-To-Live Exceeded in Transit -450 || ICMP Time-To-Live Exceeded in Transit undefined code -451 || ICMP Timestamp Reply -452 || ICMP Timestamp Reply undefined code -453 || ICMP Timestamp Request -454 || ICMP Timestamp Request undefined code -455 || ICMP Traceroute ipopts || arachnids,238 -456 || ICMP Traceroute -457 || ICMP Traceroute undefined code -458 || ICMP unassigned type 1 -459 || ICMP unassigned type 1 undefined code -460 || ICMP unassigned type 2 -461 || ICMP unassigned type 2 undefined code -462 || ICMP unassigned type 7 -463 || ICMP unassigned type 7 undefined code -465 || ICMP ISS Pinger || arachnids,158 -466 || ICMP L3retriever Ping || arachnids,311 -467 || ICMP Nemesis v1.1 Echo || arachnids,449 -469 || ICMP PING NMAP || arachnids,162 -471 || ICMP icmpenum v1.1.1 || arachnids,450 -472 || ICMP redirect host || arachnids,135 || cve,1999-0265 -473 || ICMP redirect net || arachnids,199 || cve,1999-0265 -474 || ICMP superscan echo -475 || ICMP traceroute ipopts || arachnids,238 -476 || ICMP webtrends scanner || arachnids,307 -477 || ICMP Source Quench -478 || ICMP Broadscan Smurf Scanner -480 || ICMP PING speedera -481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167 -482 || ICMP PING WhatsupGold Windows || arachnids,168 -483 || ICMP PING CyberKit 2.2 Windows || arachnids,154 -484 || ICMP PING Sniffer Pro/NetXRay network scan -485 || ICMP Destination Unreachable Communication Administratively Prohibited -486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited -487 || ICMP Destination 
Unreachable Communication with Destination Network is Administratively Prohibited
-488 || INFO Connection Closed MSG from Port 80
-489 || INFO FTP no password || arachnids,322
-490 || INFO battle-mail traffic
-491 || INFO FTP Bad login
-492 || INFO TELNET login failed
-493 || INFO psyBNC access
-494 || ATTACK-RESPONSES command completed || bugtraq,1806
-495 || ATTACK-RESPONSES command error
-496 || ATTACK RESPONSES directory listing
-497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884
-498 || ATTACK-RESPONSES id check returned root
-499 || ICMP Large ICMP Packet || arachnids,246
-500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx
-501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx
-502 || MISC source route ssrr || arachnids,422
-503 || MISC Source Port 20 to <1024 || arachnids,06
-504 || MISC source port 53 to <1024 || arachnids,07
-505 || MISC Insecure TIMBUKTU Password || arachnids,229
-506 || MISC ramen worm incoming || arachnids,460
-507 || MISC PCAnywhere Attempted Administrator Login
-508 || MISC gopher proxy || arachnids,409
-509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,2000-0707 || nessus,10783
-510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
-511 || MISC Invalid PCAnywhere Login
-512 || MISC PCAnywhere Failed Login || arachnids,240
-513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430
-514 || MISC ramen worm || arachnids,461
-516 || MISC SNMP NT UserList || nessus,10546
-517 || MISC xdmcp query || arachnids,476
-518 || TFTP Put || arachnids,148 || cve,1999-0183
-519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209
-520 || TFTP root directory || arachnids,138 || cve,1999-0183
-521 || MISC Large UDP Packet || arachnids,247
-522 || MISC Tiny Fragments
-523 || BAD-TRAFFIC ip reserved bit set
-524 || BAD-TRAFFIC tcp port 0 traffic
-525 || BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074
-526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html
-527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html
-528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
-529 || NETBIOS DOS RFPoison || arachnids,454
-530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347
-532 || NETBIOS SMB ADMIN$ share access
-533 || NETBIOS SMB C$ share access
-534 || NETBIOS SMB CD.. || arachnids,338
-535 || NETBIOS SMB CD... || arachnids,337
-536 || NETBIOS SMB D$ share access
-537 || NETBIOS SMB IPC$ share access
-538 || NETBIOS SMB IPC$ unicode share access
-539 || NETBIOS Samba clientaccess || arachnids,341
-540 || CHAT MSN message
-541 || CHAT ICQ access
-542 || CHAT IRC nick change
-543 || POLICY FTP 'STOR 1MB' possible warez site
-544 || POLICY FTP 'RETR 1MB' possible warez site
-545 || POLICY FTP 'CWD / ' possible warez site
-546 || POLICY FTP 'CWD ' possible warez site
-547 || POLICY FTP 'MKD ' possible warez site
-548 || POLICY FTP 'MKD .' possible warez site
-549 || P2P napster login
-550 || P2P napster new user login
-551 || P2P napster download attempt
-552 || P2P napster upload request
-553 || POLICY FTP anonymous login attempt
-554 || POLICY FTP 'MKD / ' possible warez site
-555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657
-556 || P2P Outbound GNUTella client request
-557 || P2P GNUTella client request
-558 || INFO Outbound GNUTella client request
-559 || P2P Inbound GNUTella client request
-560 || POLICY VNC server response
-561 || P2P Napster Client Data
-562 || P2P Napster Client Data
-563 || P2P Napster Client Data
-564 || P2P Napster Client Data
-565 || P2P Napster Server Login
-566 || POLICY PCAnywhere server response || arachnids,239
-567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html
-568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
-569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
-571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
-572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003
-573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704
-574 || RPC mountd TCP export request || arachnids,26
-575 || RPC portmap admind request UDP || arachnids,18
-576 || RPC portmap amountd request UDP || arachnids,19
-577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647
-578 || RPC portmap cmsd request UDP || arachnids,17
-579 || RPC portmap mountd request UDP || arachnids,13
-580 || RPC portmap nisd request UDP || arachnids,21
-581 || RPC portmap pcnfsd request UDP || arachnids,22
-582 || RPC portmap rexd request UDP || arachnids,23
-583 || RPC portmap rstatd request UDP || arachnids,10
-584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626
-585 || RPC portmap sadmind request UDP || arachnids,20
-586 || RPC portmap selection_svc request UDP || arachnids,25
-587 || RPC portmap status request UDP || arachnids,15
-588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
-589 || RPC portmap yppasswd request UDP || arachnids,14
-590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
-591 || RPC portmap ypupdated request TCP || arachnids,125
-592 || RPC rstatd query || arachnids,9
-593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
-595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331
-596 || RPC portmap listing || arachnids,429
-597 || RPC portmap listing || arachnids,429
-598 || RPC portmap listing TCP 111 || arachnids,428
-599 || RPC portmap listing TCP 32771 || arachnids,429
-600 || RPC EXPLOIT statdx || arachnids,442
-601 || RSERVICES rlogin LinuxNIS
-602 || RSERVICES rlogin bin || arachnids,384
-603 || RSERVICES rlogin echo++ || arachnids,385
-604 || RSERVICES rsh froot || arachnids,387
-605 || RSERVICES rlogin login failure || arachnids,393
-606 || RSERVICES rlogin root || arachnids,389
-607 || RSERVICES rsh bin || arachnids,390
-608 || RSERVICES rsh echo + + || arachnids,388
-609 || RSERVICES rsh froot || arachnids,387
-610 || RSERVICES rsh root || arachnids,391
-611 || RSERVICES rlogin login failure || arachnids,392
-612 || RPC rusers query UDP || cve,1999-0626
-613 || SCAN myscan || arachnids,439
-614 || BACKDOOR hack-a-tack attempt || arachnids,314
-615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/
-616 || SCAN ident version request || arachnids,303
-617 || SCAN ssh-research-scanner
-618 || SCAN Squid Proxy attempt
-619 || SCAN cybercop os probe || arachnids,146
-620 || SCAN Proxy Port 8080 attempt
-621 || SCAN FIN || arachnids,27
-622 || SCAN ipEye SYN scan || arachnids,236
-623 || SCAN NULL || arachnids,4
-624 || SCAN SYN FIN || arachnids,198
-625 || SCAN XMAS || arachnids,144
-626 || SCAN cybercop os PA12 attempt || arachnids,149
-627 || SCAN cybercop os SFU12 probe || arachnids,150
-628 || SCAN nmap TCP || arachnids,28
-629 || SCAN nmap fingerprint attempt || arachnids,05
-630 || SCAN synscan portscan || arachnids,441
-631 || SMTP ehlo cybercop attempt || arachnids,372
-632 || SMTP expn cybercop attempt || arachnids,371
-634 || SCAN Amanda client version request
-635 || SCAN XTACACS logout || arachnids,408
-636 || SCAN cybercop udp bomb || arachnids,363
-637 || SCAN Webtrends Scanner UDP Probe || arachnids,308
-638 || SHELLCODE SGI NOOP || arachnids,356
-639 || SHELLCODE SGI NOOP || arachnids,357
-640 || SHELLCODE AIX NOOP
-641 || SHELLCODE Digital UNIX NOOP || arachnids,352
-642 || SHELLCODE HP-UX NOOP || arachnids,358
-643 || SHELLCODE HP-UX NOOP || arachnids,359
-644 || SHELLCODE sparc NOOP || arachnids,345
-645 || SHELLCODE sparc NOOP || arachnids,353
-646 || SHELLCODE sparc NOOP || arachnids,355
-647 || SHELLCODE sparc setuid 0 || arachnids,282
-648 || SHELLCODE x86 NOOP || arachnids,181
-649 || SHELLCODE x86 setgid 0 || arachnids,284
-650 || SHELLCODE x86 setuid 0 || arachnids,436
-651 || SHELLCODE x86 stealth NOOP || arachnids,291
-652 || SHELLCODE Linux shellcode || arachnids,343
-653 || SHELLCODE x86 0x90 unicode NOOP
-654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260
-655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204
-656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042
-657 || SMTP chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261
-658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 || nessus,10558 || url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx
-659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248
-660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249
-661 || SMTP majordomo ifs || arachnids,143 || bugtraq,2310 || cve,1999-0207
-662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258
-663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095
-664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203
-665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203
-666 || SMTP sendmail 8.4.1 exploit || arachnids,120
-667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204
-668 || SMTP sendmail 8.6.10 exploit || arachnids,124 || bugtraq,2311 || cve,1999-0204
-669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204
-670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204
-671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204
-672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096
-673 || MS-SQL sp_start_job - program execution
-674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-676 || MS-SQL/SMB sp_start_job - program execution
-677 || MS-SQL/SMB sp_password password change
-678 || MS-SQL/SMB sp_delete_alert log file deletion
-679 || MS-SQL/SMB sp_adduser database user creation
-680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209
-681 || MS-SQL/SMB xp_cmdshell program execution
-682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-683 || MS-SQL sp_password - password change
-684 || MS-SQL sp_delete_alert log file deletion
-685 || MS-SQL sp_adduser - database user creation
-686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034
-687 || MS-SQL xp_cmdshell - program execution
-688 || MS-SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673
-689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034
-690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-691 || MS-SQL shellcode attempt
-692 || MS-SQL/SMB shellcode attempt
-693 || MS-SQL shellcode attempt
-694 || MS-SQL/SMB shellcode attempt
-695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
-696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
-705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
-709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243
-710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244
-711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733
-712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073
-713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218
-714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170
-715 || TELNET Attempted SU from wrong group
-716 || INFO TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280
-717 || TELNET not on console || arachnids,365
-718 || INFO TELNET login incorrect || arachnids,127
-719 || TELNET root login
-720 || Virus - SnowWhite Trojan Incoming
-721 || VIRUS OUTBOUND bad file attachment
-722 || Virus - Possible NAVIDAD Worm
-723 || Virus - Possible MyRomeo Worm
-724 || Virus - Possible MyRomeo Worm
-725 || Virus - Possible MyRomeo Worm
-726 || Virus - Possible MyRomeo Worm
-727 || Virus - Possible MyRomeo Worm
-728 || Virus - Possible MyRomeo Worm
-729 || VIRUS OUTBOUND .scr file attachment
-730 || VIRUS OUTBOUND .shs file attachment
-731 || Virus - Possible QAZ Worm || MCAFEE,98775
-732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775
-733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775
-734 || Virus - Possible Matrix worm
-735 || Virus - Possible MyRomeo Worm
-736 || Virus - Successful eurocalculator execution
-737 || Virus - Possible eurocalculator.exe file
-738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696
-739 || Virus - Possible Triplesix Worm || MCAFEE,10389
-740 || Virus - Possible Tune.vbs || MCAFEE,10497
-741 || Virus - Possible NAIL Worm || MCAFEE,10109
-742 || Virus - Possible NAIL Worm || MCAFEE,10109
-743 || Virus - Possible NAIL Worm || MCAFEE,10109
-744 || Virus - Possible NAIL Worm || MCAFEE,10109
-745 || Virus - Possible Papa Worm || MCAFEE,10145
-746 || Virus - Possible Freelink Worm || MCAFEE,10225
-747 || Virus - Possible Simbiosis Worm
-748 || Virus - Possible BADASS Worm || MCAFEE,10388
-749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471
-751 || Virus - Possible wscript.KakWorm || MCAFEE,10509
-752 || Virus Possible Suppl Worm || MCAFEE,10361
-753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540
-754 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-755 || Virus - Possible IROK Worm || MCAFEE,98552
-756 || Virus - Possible Fix2001 Worm || MCAFEE,10355
-757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505
-758 || Virus - Possible The_Fly Trojan || MCAFEE,10478
-759 || Virus - Possible Word Macro - VALE || MCAFEE,10502
-760 || Virus - Possible Passion Worm || MCAFEE,10467
-761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540
-762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540
-763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540
-764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540
-765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540
-766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540
-767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540
-768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540
-769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540
-770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540
-771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540
-772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175
-773 || Virus - Possible Happy99 Virus || MCAFEE,10144
-774 || Virus - Possible CheckThis Trojan
-775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418
-776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540
-777 || Virus - Possible MyPics Worm || MCAFEE,10467
-778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461
-779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540
-780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540
-781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540
-782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540
-783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540
-784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540
-785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540
-786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540
-787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540
-788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540
-789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054
-790 || Virus - Possible Common Sense Worm
-791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540
-792 || Virus - Possible Resume Worm || MCAFEE,98661
-793 || VIRUS OUTBOUND .vbs file attachment
-794 || Virus - Possible Resume Worm || MCAFEE,98661
-795 || Virus - Possible Worm - txt.vbs file
-796 || Virus - Possible Worm - xls.vbs file
-797 || Virus - Possible Worm - jpg.vbs file
-798 || Virus - Possible Worm - gif.vbs file
-799 || Virus - Possible Timofonica Worm || MCAFEE,98674
-800 || Virus - Possible Resume Worm || MCAFEE,98661
-801 || Virus - Possible Worm - doc.vbs file
-802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450
-803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602
-804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476
-805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304
-806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853
-807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321
-808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592
-809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
-810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
-811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066
-812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282
-813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282
-815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301
-817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583
-818 || WEB-CGI dcforum.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
-819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566
-820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308
-821 || WEB-CGI imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
-823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465
-824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178
-825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
-826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106
-827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127
-828 || WEB-CGI maillist.pl access
-829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165
-830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164
-832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
-834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm
-835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
-836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451
-837 || WEB-CGI uploader.exe access || bugtraq,1611 || cve,1999-0177 || cve,2000-0769 || nessus,10291
-838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300
-839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071
-840 || WEB-CGI perlshop.cgi access || cve,1999-1374
-841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174
-842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
-843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066
-844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465
-845 || WEB-CGI AT-admin.cgi access || cve,1999-1072
-846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937
-847 || WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035
-848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174
-849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174
-850 || WEB-CGI wais.pl access
-851 || WEB-CGI files.pl access || cve,1999-1081
-852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
-853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317
-854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934
-855 || WEB-CGI edit.pl access || bugtraq,2713
-856 || WEB-CGI environ.cgi access
-857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067
-858 || WEB-CGI filemail access || cve,1999-1154
-859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179
-860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169
-861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296
-862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232
-864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232
-865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291
-867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295
-868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-869 || WEB-CGI dumpenv.pl access || cve,1999-1178 || nessus,10060
-870 || WEB-CGI snorkerz.cmd access
-871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936
-872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236
-874 || WEB-CGI w3-msql solaris x86 access || arachnids,211 || cve,1999-0276
-875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008
-877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-878 || WEB-CGI w3tvars.pm access
-879 || WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355
-880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
-881 || WEB-CGI archie access
-882 || WEB-CGI calendar access
-883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
-884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
-885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
-886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067
-887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2
-888 || WEB-CGI wwwadmin.pl access
-889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || url,online.securityfocus.com/archive/1/16878
-890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt
-891 || WEB-CGI upload.pl access
-892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277
-893 || WEB-CGI MachineInfo access || cve,1999-1067
-894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
-895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382
-896 || WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610
-897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611
-898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612
-899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || bugtraq,2504 || cve,2001-0272
-900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616
-901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616
-902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302
-903 || WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057
-904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189
-905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189
-906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800
-907 || WEB-COLDFUSION addcontent.cfm access
-908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538
-909 || WEB-COLDFUSION datasource username attempt || bugtraq,550
-910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550
-911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455
-912 || WEB-COLDFUSION parks access || bugtraq,550
-913 || WEB-COLDFUSION cfappman access || bugtraq,550
-914 || WEB-COLDFUSION beaninfo access || bugtraq,550
-915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550
-916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550
-917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550
-918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477
-919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550
-920 || WEB-COLDFUSION datasource attempt || bugtraq,550
-921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550
-922 || WEB-COLDFUSION displayfile access || bugtraq,550
-923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550
-924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550
-925 || WEB-COLDFUSION mainframeset access || bugtraq,550
-926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550
-927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550
-928 || WEB-COLDFUSION exampleapp access
-929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550
-930 || WEB-COLDFUSION snippets attempt || bugtraq,550
-931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550
-932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189
-933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189
-935 || WEB-COLDFUSION startstop DOS access || bugtraq,247
-936 || WEB-COLDFUSION gettempdirectory.cfm access || bugtraq,550
-937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585
-939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585 || url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx
-940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1174 || bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx
-941 || WEB-FRONTPAGE contents.htm access
-942 || WEB-FRONTPAGE orders.htm access
-943 || WEB-FRONTPAGE fpsrvadm.exe access
-944 || WEB-FRONTPAGE fpremadm.exe access
-945 || WEB-FRONTPAGE fpadmin.htm access
-946 || WEB-FRONTPAGE fpadmcgi.exe access
-947 || WEB-FRONTPAGE orders.txt access
-948 || WEB-FRONTPAGE form_results access || cve,1999-1052
-949 || WEB-FRONTPAGE registrations.htm access
-950 || WEB-FRONTPAGE cfgwiz.exe access
-951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078
-952 || WEB-FRONTPAGE author.exe access
-953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205
-954 || WEB-FRONTPAGE form_results.htm access || cve,1999-1052
-955 || WEB-FRONTPAGE access.cnf access || bugtraq,4078 || nessus,10575
-956 || WEB-FRONTPAGE register.txt access
-957 || WEB-FRONTPAGE registrations.txt access
-958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575
-959 || WEB-FRONTPAGE service.pwd || bugtraq,1205
-960 || WEB-FRONTPAGE service.stp access
-961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575
-962 || WEB-FRONTPAGE shtml.exe access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,2002-0692 || nessus,10405 || nessus,11311
-963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575
-964 || WEB-FRONTPAGE users.pwd access
-965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575
-966 || WEB-FRONTPAGE .... request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142
-967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx
-968 || WEB-FRONTPAGE register.htm access
-969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736
-970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671
-971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx
-972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253
-973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661
-974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229
-975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\
-976 || WEB-IIS .bat? access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp
-977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575
-978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx
-979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx
-980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726
-981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
-984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116
-985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874
-986 || WEB-IIS MSProxy access || url,support.microsoft.com/?kbid=331066
-987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680
-988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml
-989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003
-990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455
-991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407
-992 || WEB-IIS adctest.asp access
-993 || WEB-IIS iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032
-994 || WEB-IIS /scripts/iisadmin/default.htm access
-995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630
-996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407
-997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363
-998 || WEB-IIS asp-srch attempt
-999 || WEB-IIS bdir access || bugtraq,2280
-1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577
-1001 || WEB-MISC carbo.dll access || bugtraq,2126 || cve,1999-1069
-1002 || WEB-IIS cmd.exe access
-1003 || WEB-IIS cmd? access
-1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815
-1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736
-1007 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 || url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx
-1008 || WEB-IIS del attempt
-1009 || WEB-IIS directory listing || nessus,10573
-1010 || WEB-IIS encoding access || arachnids,200 || bugtraq,886 || cve,2000-0024 || url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx
-1011 || WEB-IIS exec-src access
-1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376
-1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376
-1015 || WEB-IIS getdrvs.exe access
-1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991
-1017 || WEB-IIS idc-srch attempt || cve,1999-0874
-1018 || WEB-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407
-1019 || IIS Malformed Hit-Highlighting Argument File Access Attempt || bugtraq,950 || cve,2000-0097 || url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx || url,www.securityfocus.com/archive/1/43762
-1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116
-1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx
-1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874
-1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357
-1024 || WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360
-1025 || WEB-IIS perl access
-1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833
-1027 || WEB-IIS perl-browse space attempt || bugtraq,6833
-1028 || WEB-IIS query.asp access || bugtraq,193 || cve,1999-0449
-1029 || WEB-IIS scripts-browse access || nessus,11032
-1030 || WEB-IIS search97.vts access || bugtraq,162
-1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576
-1032 || WEB-IIS showcode access || nessus,10576
-1033 || WEB-IIS showcode access || nessus,10576
-1034 || WEB-IIS showcode access || nessus,10576
-1035 || WEB-IIS showcode access || nessus,10576
-1036 || WEB-IIS showcode access || nessus,10576
-1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007 || url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx
-1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520
-1039 || WEB-IIS srch.htm access
-1040 || WEB-IIS srchadm access || nessus,11032
-1041 || WEB-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360
-1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578 || cve,2000-0778
-1043 || WEB-IIS viewcode.asp access || cve,1999-0737 || nessus,10576
-1044 || WEB-IIS webhits access || arachnids,237 || bugtraq,950 || cve,2000-0097
-1045 || WEB-IIS Unauthorized IP Access Attempt
-1046 || WEB-IIS site/iisamples access || nessus,10370
-1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251
-1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250
-1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252
-1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746
-1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584
-1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584
-1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025 || nessus,11464
-1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527
-1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518
-1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527 || cve,2001-0590
-1057 || WEB-MISC ftp attempt
-1058 || WEB-MISC xp_enumdsn attempt
-1059 || WEB-MISC xp_filelist attempt
-1060 || WEB-MISC xp_availablemedia attempt
-1061 || WEB-MISC xp_cmdshell attempt
-1062 || WEB-MISC nc.exe attempt
-1064 || WEB-MISC wsh attempt
-1065 || WEB-MISC rcmd attempt
-1066 || WEB-MISC telnet attempt
-1067 || WEB-MISC net attempt
-1068 || WEB-MISC tftp attempt
-1069 || WEB-MISC xp_regread attempt
-1070 || WEB-MISC WebDAV search access || arachnids,474 || bugtraq,1756 || cve,2000-0951
-1071 || WEB-MISC .htpasswd access
-1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248
-1073 || WEB-MISC webhits.exe access || bugtraq,950 || cve,2000-0097
-1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360
-1076 || WEB-IIS repost.asp access || nessus,10372
-1077 || WEB-MISC queryhit.htm access || nessus,10370
-1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030
-1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869
-1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570
-1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025
-1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439
-1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868 || cve,2000-1025
-1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337 || cve,2000-1049
-1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802
-1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967
-1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
-1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005 || nessus,10532
-1089 || WEB-CGI shopping cart directory traversal || bugtraq,1777 || cve,2000-0921
-1090 || WEB-CGI Allaire Pro Web Shell 
attempt -1091 || WEB-MISC ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078 -1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || nessus,10562 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt -1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906 -1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005 -1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html -1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html -1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725 -1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925 -1099 || WEB-MISC cybercop scan || arachnids,374 -1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310 -1101 || WEB-MISC Webtrends HTTP probe || arachnids,309 -1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301 -1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468 -1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460 -1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 || nessus,10459 -1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467 -1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760 -1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671 -1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480 -1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477 -1112 || WEB-MISC http directory traversal || arachnids,298 -1113 || WEB-MISC http 
directory traversal || arachnids,297 -1114 || WEB-MISC prefix-get // -1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 || url,www.securiteam.com/exploits/2ZUQ1QAQOG.html -1116 || WEB-MISC Lotus DelDoc attempt -1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html -1118 || WEB-MISC ls%20-l -1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 -1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 -1121 || WEB-MISC O'Reilly args.bat access -1122 || WEB-MISC /etc/passwd -1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269 -1124 || WEB-MISC Ecommerce check.txt access -1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298 -1126 || WEB-MISC AuthChangeUrl access || bugtraq,2110 || cve,1999-0407 -1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175 -1128 || WEB-MISC cpshost.dll access || bugtraq,1811 || bugtraq,4002 || cve,1999-0360 -1129 || WEB-MISC .htaccess access -1130 || WEB-MISC .wwwacl access -1131 || WEB-MISC .wwwacl access -1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744 -1133 || SCAN cybercop os probe || arachnids,145 -1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271 -1136 || WEB-MISC cd.. -1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274 -1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275 -1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099 -1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 -1142 || WEB-MISC /.... 
access -1143 || WEB-MISC ///cgi-bin access || nessus,11032 -1144 || WEB-MISC /cgi-bin/// access || nessus,11032 -1145 || WEB-MISC /~root access -1146 || WEB-MISC Ecommerce import.txt access -1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039 -1148 || WEB-MISC Ecommerce import.txt access -1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049 -1150 || WEB-MISC Domino catalog.nsf access || nessus,10629 -1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629 -1152 || WEB-MISC Domino domlog.nsf access || nessus,10629 -1153 || WEB-MISC Domino log.nsf access || nessus,10629 -1154 || WEB-MISC Domino names.nsf access || nessus,10629 -1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281 -1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503 -1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 || nessus,10364 -1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365 -1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005 -1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236 -1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322 -1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429 -1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299 -1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188 -1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 -1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078 -1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340 -1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606 -1171 || WEB-MISC whisker HEAD with large datagram || 
url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html -1172 || WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027 -1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || cve,1999-0279 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt -1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131 -1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954 -1176 || WEB-MISC order.log access -1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 -1178 || WEB-PHP Phorum read access || arachnids,208 -1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272 -1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011 -1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017 -1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 -1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 || nessus,10352 -1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383 -1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 -1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1192 || WEB-MISC Trend Micro 
OfficeScan access || bugtraq,1057 -1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348 -1194 || WEB-CGI sojourn.cgi File attempt || bugtraq,1052 || cve,2000-0180 || nessus,10349 -1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 || nessus,10349 -1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207 -1197 || WEB-PHP Phorum code access || arachnids,207 -1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 -1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771 -1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx -1201 || ATTACK-RESPONSES 403 Forbidden -1202 || WEB-MISC search.vts access || bugtraq,162 -1204 || WEB-CGI ax-admin.cgi access -1205 || WEB-CGI axs.cgi access -1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034 -1207 || WEB-MISC htgrep access || cve,2000-0832 -1208 || WEB-CGI responder.cgi access || bugtraq,3155 -1209 || WEB-MISC .nsconfig access || url,www.osvdb.org/5709 -1211 || WEB-CGI web-map.cgi access -1212 || WEB-MISC Admin_files access -1213 || WEB-MISC backup access -1214 || WEB-MISC intranet access || nessus,11626 -1215 || WEB-CGI ministats admin access -1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175 -1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181 -1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748 -1219 || WEB-CGI dfire.cgi access || bugtraq,564 || cve,1999-0913 -1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748 -1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609 -1222 || WEB-CGI pals-cgi arbitrary file access attempt || bugtraq,2372 || cve,2001-0217 || 
nessus,10611 -1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627 -1225 || X11 MIT Magic Cookie detected || arachnids,396 -1226 || X11 xopen || arachnids,395 -1227 || X11 outbound client connection detected || arachnids,126 -1228 || SCAN nmap XMAS || arachnids,30 -1229 || FTP CWD ... || bugtraq,9237 -1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 -1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 -1233 || WEB-CLIENT Outlook EML access || nessus,10767 -1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 -1236 || WEB-MISC Tomcat sourecode view -1237 || WEB-MISC Tomcat sourecode view -1238 || WEB-MISC Tomcat sourecode view -1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392 -1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446 -1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 || cve,2001-0555 -1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071 -1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071 -1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115 -1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071 -1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx -1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341 -1248 || WEB-FRONTPAGE rad fp30reg.dll access || arachnids,555 || bugtraq,2906 || cve,2001-0341 || 
url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx -1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341 -1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537 -1251 || INFO TELNET Bad Login -1252 || TELNET bsd telnet exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709 -1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709 -1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 -1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 -1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html -1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153 -1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552 -1259 || WEB-MISC SWEditServlet access || bugtraq,2868 -1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067 -1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745 -1262 || RPC portmap admind request TCP || arachnids,18 -1263 || RPC portmap amountd request TCP || arachnids,19 -1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647 -1265 || RPC portmap cmsd request TCP || arachnids,17 -1266 || RPC portmap mountd request TCP || arachnids,13 -1267 || RPC portmap nisd request TCP || arachnids,21 -1268 || RPC portmap pcnfsd request TCP || arachnids,22 -1269 || RPC portmap rexd request TCP || arachnids,23 -1270 || RPC portmap rstatd request TCP || arachnids,10 -1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626 -1272 || RPC portmap sadmind request TCP || arachnids,20 -1273 || RPC portmap selection_svc request TCP || arachnids,25 -1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1275 || RPC 
portmap yppasswd request TCP || arachnids,14 -1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 -1277 || RPC portmap ypupdated request UDP || arachnids,125 -1278 || RPC rstatd query || arachnids,9 -1279 || RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html -1280 || RPC portmap listing UDP 111 || arachnids,428 -1281 || RPC portmap listing UDP 32771 || arachnids,429 -1282 || RPC EXPLOIT statdx || arachnids,442 -1283 || WEB-IIS outlook web dos || bugtraq,3223 -1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html -1285 || WEB-IIS msdac access || nessus,11032 -1286 || WEB-IIS _mem_bin access || nessus,11032 -1287 || WEB-IIS scripts access -1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032 -1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html -1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html -1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740 -1292 || ATTACK-RESPONSES directory listing -1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml -1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml -1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml -1296 || RPC portmap request yppasswdd || bugtraq,2763 -1297 || RPC portmap request yppasswdd || bugtraq,2763 -1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html -1300 || WEB-PHP admin.php file upload attempt || bugtraq,3361 || cve,2001-1032 -1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || 
bugtraq,9270 || cve,2001-1032 -1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252 -1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252 -1304 || WEB-CGI txt2html.cgi access -1305 || WEB-CGI txt2html.cgi directory traversal attempt -1306 || WEB-CGI store.cgi product directory traversal attempt || bugtraq,2385 || cve,2001-0305 -1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639 -1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100 -1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html -1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt -1322 || BAD-TRAFFIC bad frag bits -1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838 -1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 -1328 || WEB-ATTACKS /bin/ps command attempt -1329 || WEB-ATTACKS ps command attempt -1330 || WEB-ATTACKS wget command attempt || bugtraq,10361 -1331 || WEB-ATTACKS uname -a command attempt -1332 || WEB-ATTACKS /usr/bin/id command attempt -1333 || WEB-ATTACKS id command attempt -1334 || WEB-ATTACKS echo command attempt -1335 || WEB-ATTACKS kill command attempt -1336 || WEB-ATTACKS chmod command attempt -1337 || WEB-ATTACKS chgrp command attempt -1338 || WEB-ATTACKS chown command attempt -1339 || WEB-ATTACKS chsh command attempt -1340 || WEB-ATTACKS tftp command attempt -1341 || WEB-ATTACKS /usr/bin/gcc command attempt -1342 || WEB-ATTACKS gcc command attempt -1343 || WEB-ATTACKS /usr/bin/cc command attempt -1344 || WEB-ATTACKS cc command attempt -1345 || WEB-ATTACKS /usr/bin/cpp command 
attempt -1346 || WEB-ATTACKS cpp command attempt -1347 || WEB-ATTACKS /usr/bin/g++ command attempt -1348 || WEB-ATTACKS g++ command attempt -1349 || WEB-ATTACKS bin/python access attempt -1350 || WEB-ATTACKS python access attempt -1351 || WEB-ATTACKS bin/tclsh execution attempt -1352 || WEB-ATTACKS tclsh execution attempt -1353 || WEB-ATTACKS bin/nasm command attempt -1354 || WEB-ATTACKS nasm command attempt -1355 || WEB-ATTACKS /usr/bin/perl execution attempt -1356 || WEB-ATTACKS perl execution attempt -1357 || WEB-ATTACKS nt admin addition attempt -1358 || WEB-ATTACKS traceroute command attempt -1359 || WEB-ATTACKS ping command attempt -1360 || WEB-ATTACKS netcat command attempt -1361 || WEB-ATTACKS nmap command attempt -1362 || WEB-ATTACKS xterm command attempt -1363 || WEB-ATTACKS X application to remote host attempt -1364 || WEB-ATTACKS lsof command attempt -1365 || WEB-ATTACKS rm command attempt -1366 || WEB-ATTACKS mail command attempt -1367 || WEB-ATTACKS mail command attempt -1368 || WEB-ATTACKS /bin/ls| command attempt -1369 || WEB-ATTACKS /bin/ls command attempt -1370 || WEB-ATTACKS /etc/inetd.conf access -1371 || WEB-ATTACKS /etc/motd access -1372 || WEB-ATTACKS /etc/shadow access -1373 || WEB-ATTACKS conf/httpd.conf attempt -1374 || WEB-MISC .htgroup access -1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html -1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592 -1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 -1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 -1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt -1380 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 -1381 || WEB-MISC Trend Micro 
OfficeScan attempt || bugtraq,1057 -1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt -1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm -1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx -1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849 -1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx -1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217 -1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876 -1389 || WEB-MISC viewcode.jse access || bugtraq,3715 -1390 || SHELLCODE x86 inc ebx NOOP -1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049 -1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206 -1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/ -1394 || SHELLCODE x86 NOOP -1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209 -1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209 -1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214 -1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html -1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206 -1400 || WEB-IIS /scripts/samples/ access || nessus,10370 -1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007 -1402 || WEB-IIS iissamples access || nessus,11032 -1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048 -1404 || WEB-MISC showcode access 
|| bugtraq,167 || cve,1999-0736 || nessus,10007 -1405 || WEB-CGI AHG search.cgi access || bugtraq,3985 -1406 || WEB-CGI agora.cgi access || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 -1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220 -1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939 -1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html -1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583 -1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 -1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 -1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013 -1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 -1422 || SNMP community string buffer overflow attempt with evasion || 
bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html -1423 || WEB-PHP content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867 -1424 || SHELLCODE x86 0xEB0C NOOP -1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867 -1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html -1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html -1428 || MULTIMEDIA audio galaxy keepalive -1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl -1430 || TELNET Solaris memory mismanagement exploit attempt -1431 || BAD-TRAFFIC syn to multicast address -1432 || P2P GNUTella client request -1433 || WEB-MISC .history access -1434 || WEB-MISC .bash_history access || bugtraq,337 || cve,1999-0408 -1435 || DNS named authors attempt || arachnids,480 || nessus,10728 -1436 || MULTIMEDIA Quicktime User Agent access -1437 || MULTIMEDIA Windows Media download -1438 || MULTIMEDIA Windows Media Video download -1439 || MULTIMEDIA Shoutcast playlist redirection -1440 || MULTIMEDIA Icecast playlist redirection -1441 || TFTP GET nc.exe -1442 || TFTP GET shadow -1443 || TFTP GET passwd -1444 || TFTP Get -1445 || POLICY FTP file_id.diz access possible warez site -1446 || SMTP vrfy root -1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx -1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx -1449 || POLICY FTP anonymous ftp login attempt -1450 || SMTP expn *@ || cve,1999-1200 -1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400 -1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465 -1453 || WEB-CGI AT-generated.cgi access || 
cve,1999-1072 -1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597 -1455 || WEB-CGI calendar.pl access || bugtraq,1215 || cve,2000-0432 -1456 || WEB-CGI calender_admin.pl access || cve,2000-0432 -1457 || WEB-CGI user_update_admin.pl access || bugtraq,1486 || cve,2000-0627 -1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627 -1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 -1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462 -1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462 -1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462 -1463 || CHAT IRC message -1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737 -1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638 -1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552 -1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780 -1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922 -1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922 -1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997 -1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641 -1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721 -1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232 -1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664 -1475 || WEB-CGI mailit.pl access || nessus,10417 -1476 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720 -1477 || WEB-CGI swc attempt -1478 || WEB-CGI swc access || nessus,10493 -1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696 -1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696 -1481 || WEB-CGI upload.cgi access || 
nessus,10290 -1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294 -1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10645 -1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302 -1485 || WEB-IIS mkilog.exe access || nessus,10359 || url,www.osvdb.org/274 -1486 || WEB-IIS ctss.idc access || nessus,10359 -1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371 -1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639 -1489 || WEB-MISC /~nobody access || nessus,10484 -1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997 -1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361 -1492 || WEB-MISC RBS ISP /newuser directory traversal attempt || bugtraq,1704 || cve,2000-1036 || nessus,10521 -1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,2000-1036 || nessus,10521 -1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 || nessus,10725 -1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115 -1496 || WEB-CGI spin_client.cgi access || nessus,10393 -1497 || WEB-MISC cross site scripting attempt -1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 -1499 || WEB-MISC SiteScope Service access || nessus,10778 -1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004 -1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669 -1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669 -1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html -1504 || MISC AFS access || nessus,10441 -1505 || WEB-CGI 
alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871
-1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871
-1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013
-1508 || WEB-CGI alibaba.pl access || bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013
-1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015
-1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
-1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
-1518 || WEB-MISC nstelemetry.adp access || nessus,10753
-1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731
-1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html
-1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html
-1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
-1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
-1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023
-1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 ||
cve,2000-0191 || nessus,10023
-1526 || WEB-MISC basilix sendmail.inc access || bugtraq,2198 || cve,2001-1044 || nessus,10601
-1527 || WEB-MISC basilix mysql.class access || bugtraq,2198 || cve,2001-1044 || nessus,10601
-1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507
-1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770
-1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452
-1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025
-1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460
-1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460
-1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
-1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383
-1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432
-1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432
-1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341
-1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079
-1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797
-1541 || FINGER version query
-1542 || WEB-CGI cgimail access || bugtraq,1623 || cve,2000-0726 || nessus,11721
-1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041
-1544 || WEB-MISC Cisco Catalyst command execution attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545
-1545 || DOS Cisco attempt
-1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380
-1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924
-1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495
|| nessus,10924
-1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674
-1550 || SMTP ETRN overflow attempt || bugtraq,1297 || bugtraq,7515 || cve,2000-0490 || nessus,10438
-1551 || WEB-MISC /CVS/Entries access || nessus,10922 || nessus,11032
-1552 || WEB-MISC cvsweb version access || cve,2000-0670
-1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252
-1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403
-1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821
-1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821
-1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821
-1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165
-1559 || WEB-MISC /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032
-1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678
-1561 || WEB-MISC ?open access
-1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065
-1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533
-1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533
-1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014
-1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014
-1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx
-1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781
-1569 || WEB-CGI loadpage.cgi directory traversal attempt || bugtraq,2109 || cve,2000-1092
-1570 || WEB-CGI loadpage.cgi access || bugtraq,2109 || cve,2000-1092
-1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437
-1572 || WEB-CGI commerce.cgi arbitrary file access attempt ||
bugtraq,2361 || cve,2001-0210 || nessus,10612
-1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552
-1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780
-1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953
-1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629
-1577 || WEB-MISC Domino setup.nsf access || nessus,10629
-1578 || WEB-MISC Domino statrep.nsf access || nessus,10629
-1579 || WEB-MISC Domino webadmin.nsf access || bugtraq,9900 || bugtraq,9901 || nessus,10629
-1580 || WEB-MISC Domino events4.nsf access || nessus,10629
-1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629
-1582 || WEB-MISC Domino collect4.nsf access || nessus,10629
-1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629
-1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629
-1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629
-1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629
-1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 || nessus,11131
-1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289
-1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609
-1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837
-1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837
-1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838
-1593 || WEB-CGI FormHandler.cgi external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
-1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
-1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376
-1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 ||
nessus,10098
-1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054
-1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054
-1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208
-1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105
-1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105
-1603 || WEB-MISC DELETE attempt || nessus,10498
-1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897
-1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566
-1606 || WEB-CGI icat access || cve,1999-1069
-1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602
-1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106
-1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067
-1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
-1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005 || nessus,10532
-1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467
-1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100
-1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877
-1615 || WEB-MISC htgrep attempt || cve,2000-0832
-1616 || DNS named version attempt || arachnids,278 || nessus,10028
-1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011
-1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932
-1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932
-1620 || BAD TRAFFIC Non-Standard IP protocol
-1621 || FTP 
CMD overflow attempt
-1622 || FTP RNFR ././ attempt
-1623 || FTP invalid MODE
-1624 || FTP large PWD command
-1625 || FTP large SYST command
-1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request
-1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers
-1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
-1629 || OTHER-IDS SecureNetPro traffic
-1631 || CHAT AIM login
-1632 || CHAT AIM send message
-1633 || CHAT AIM receive message
-1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325
-1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559
-1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323
-1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853
-1638 || SCAN SSH Version map attempt
-1639 || CHAT IRC DCC file transfer request
-1640 || CHAT IRC DCC chat request
-1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871
-1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110
-1643 || WEB-CGI db2www access || cve,2000-0677
-1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
-1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610
-1646 || WEB-CGI test.cgi access
-1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067
-1648 || WEB-CGI perl.exe command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
-1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014
-1651 || WEB-CGI environ.pl access
-1652 || WEB-CGI campus attempt || bugtraq,1975 || cve,1999-0146 || nessus,10035
-1653 
|| WEB-CGI campus access || bugtraq,1975 || cve,1999-0146 || nessus,10035
-1654 || WEB-CGI cart32.exe access || bugtraq,1153
-1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt || cve,1999-0270 || nessus,10174
-1656 || WEB-CGI pfdispaly.cgi access || cve,1999-0270 || nessus,10174
-1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591
-1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591
-1659 || WEB-COLDFUSION sendmail.cfm access
-1660 || WEB-IIS trace.axd access || nessus,10993
-1661 || WEB-IIS cmd32.exe access
-1662 || WEB-MISC /~ftp access
-1663 || WEB-MISC *%0a.pl access || nessus,11007 || url,www.securityfocus.com/archive/1/149482
-1664 || WEB-MISC mkplog.exe access
-1665 || WEB-MISC mkilog.exe access
-1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039
-1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt || bugtraq,4858 || cve,2002-0902
-1668 || WEB-CGI /cgi-bin/ access
-1669 || WEB-CGI /cgi-dos/ access
-1670 || WEB-MISC /home/ftp access || nessus,11032
-1671 || WEB-MISC /home/www access || nessus,11032
-1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421
-1673 || ORACLE EXECUTE_SYSTEM attempt
-1674 || ORACLE connect_data remote version detection attempt
-1675 || ORACLE misparsed login response
-1676 || ORACLE select union attempt
-1677 || ORACLE select like '%' attempt
-1678 || ORACLE select like '%' attempt backslash escaped
-1679 || ORACLE describe attempt
-1680 || ORACLE all_constraints access
-1681 || ORACLE all_views access
-1682 || ORACLE all_source access
-1683 || ORACLE all_tables access
-1684 || ORACLE all_tab_columns access
-1685 || ORACLE all_tab_privs access
-1686 || ORACLE dba_tablespace access
-1687 || ORACLE dba_tables access
-1688 || ORACLE user_tablespace access
-1689 || ORACLE sys.all_users access
-1690 || ORACLE grant attempt
-1691 || ORACLE ALTER USER attempt
-1692 || ORACLE 
drop table attempt
-1693 || ORACLE create table attempt
-1694 || ORACLE alter table attempt
-1695 || ORACLE truncate table attempt
-1696 || ORACLE create database attempt
-1697 || ORACLE alter database attempt
-1698 || ORACLE execute_system attempt
-1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
-1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
-1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
-1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272
-1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638
-1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664
-1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
-1709 || WEB-CGI ad.cgi access || bugtraq,2103 || cve,2001-0025 || nessus,11464
-1710 || WEB-CGI bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt
-1711 || WEB-CGI bsguest.cgi access || bugtraq,2159 || cve,2001-0099
-1712 || WEB-CGI bslist.cgi access || bugtraq,2160 || cve,2001-0100
-1713 || WEB-CGI cgforum.cgi access || bugtraq,1951 || cve,2000-1132
-1714 || WEB-CGI newdesk access
-1715 || WEB-CGI register.cgi access || bugtraq,2157 || cve,2001-0076
-1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131
-1717 || WEB-CGI simplestguest.cgi access || bugtraq,2106 || cve,2001-0022
-1718 || WEB-CGI statsconfig.pl access || bugtraq,2211 || cve,2001-0113
-1719 || WEB-CGI talkback.cgi directory traversal attempt || bugtraq,2547 || cve,2001-0420
-1720 || WEB-CGI talkback.cgi 
access || bugtraq,2547 || cve,2001-0420
-1721 || WEB-CGI adcycle access || bugtraq,3741 || cve,2001-1226
-1722 || WEB-CGI MachineInfo access || cve,1999-1067
-1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526
-1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526
-1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx
-1726 || WEB-IIS doctodep.btr access
-1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207
-1728 || FTP CWD ~<CR><NEWLINE> attempt || bugtraq,2601 || cve,2001-0421
-1729 || CHAT IRC channel join
-1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || bugtraq,2536 || cve,2001-0466 || nessus,10645
-1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669
-1732 || RPC portmap rwalld request UDP
-1733 || RPC portmap rwalld request TCP
-1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286
-1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354
-1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952
-1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516
-1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614
-1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613
-1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613
-1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613
-1742 || 
WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599
-1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599
-1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
-1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
-1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
-1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
-1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606
-1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
-1750 || WEB-IIS users.xml access
-1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951
-1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/
-1753 || WEB-IIS as_web.exe access || bugtraq,4670
-1754 || WEB-IIS as_web4.exe access || bugtraq,4670
-1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379
-1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672
-1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
-1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
-1759 || MS-SQL xp_cmdshell program execution 445
-1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt
-1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt
-1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067
-1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
-1766 || WEB-MISC search.dll directory listing 
attempt || bugtraq,1684 || cve,2000-0835 || nessus,10514
-1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514
-1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150
-1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
-1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
-1771 || POLICY IPSec PGPNet connection attempt
-1772 || WEB-IIS pbserver access || cve,2000-1089 || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx
-1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
-1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
-1775 || MYSQL root login attempt
-1776 || MYSQL show databases attempt
-1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1779 || FTP CWD .... 
attempt || bugtraq,4884
-1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379
-1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918
-1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920
-1789 || CHAT IRC dns request
-1790 || CHAT IRC dns response
-1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898
-1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909
-1800 || VIRUS Klez Incoming
-1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
-1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947
-1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364
-1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
-1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392
-1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
-1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || cve,2002-0390 || 
cve,2002-0639
-1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
-1813 || ICMP digital island bandwidth query
-1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013
-1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434
-1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434
-1817 || WEB-IIS MS Site Server default login attempt || nessus,11018
-1818 || WEB-IIS MS Site Server admin attempt || nessus,11018
-1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019
-1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020
-1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023
-1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
-1826 || WEB-MISC WEB-INF access || bugtraq,1830 || bugtraq,5119 || cve,2000-1050 || cve,2001-0179 || nessus,11037
-1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041
-1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043
-1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046
-1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046
-1831 || WEB-MISC jigsaw dos attempt || nessus,11047
-1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305
-1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070
-1835 || WEB-MISC Macromedia SiteSpring cross site 
scripting attempt || bugtraq,5249 || cve,2002-1027
-1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059
-1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855
-1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815
-1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293
-1842 || IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || nessus,10125
-1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501
-1844 || IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292
-1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1846 || POLICY vncviewer Java applet download attempt || nessus,10758
-1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816
-1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298
-1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475
-1850 || WEB-CGI way-board.cgi access || nessus,10610
-1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470
-1852 || WEB-MISC robots.txt access || nessus,10302
-1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307
-1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
-1857 || WEB-MISC robot.txt access || nessus,10302
-1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
-1859 || WEB-MISC Sun JavaServer default password login attempt || 
cve,1999-0508 || nessus,10995
-1860 || WEB-MISC Linksys router default password login attempt || nessus,10999
-1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999
-1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001
-1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319
-1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299
-1866 || POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311
-1867 || MISC xdmcp info query || nessus,10891
-1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817
-1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817
-1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253
-1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855
-1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848
-1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850
-1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851
-1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780
-1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164
-1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503
-1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503
-1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721
-1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348
-1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
-1882 || ATTACK-RESPONSES id check returned userid
-1883 || ATTACK-RESPONSES 
id check returned nobody
-1884 || ATTACK-RESPONSES id check returned web
-1885 || ATTACK-RESPONSES id check returned http
-1886 || ATTACK-RESPONSES id check returned apache
-1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html
-1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826
-1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html
-1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
-1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
-1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517
-1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517
-1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || 
cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
-1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
-1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
-1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
-1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
-1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
-1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
-1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
-1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,1999-0977
-1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977
-1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
-1917 || SCAN UPnP service discover attempt
-1918 || SCAN SolarWinds IP scan attempt
-1919 || FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405
-1920 || FTP SITE NEWER overflow attempt || 
bugtraq,229 || cve,1999-0800 -1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040 -1922 || RPC portmap proxy attempt TCP -1923 || RPC portmap proxy attempt UDP -1924 || RPC mountd UDP export request || arachnids,26 -1925 || RPC mountd TCP exportall request || arachnids,26 -1926 || RPC mountd UDP exportall request || arachnids,26 -1927 || FTP authorized_keys -1928 || FTP shadow retrieval attempt -1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com -1930 || IMAP auth literal overflow attempt || cve,1999-0005 -1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278 || url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 || url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2 -1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278 -1933 || WEB-CGI cart.cgi access || bugtraq,1115 || cve,2000-0252 || nessus,10368 -1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130 -1935 || POP2 FOLD arbitrary file attempt -1936 || POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184 -1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197 -1938 || POP3 XTND overflow attempt -1939 || MISC bootp hardware address length overflow || cve,1999-0798 -1940 || MISC bootp invalid hardware type || cve,1999-0798 -1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813 -1942 || FTP RMDIR overflow attempt || bugtraq,819 -1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776 -1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066 -1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 -1946 || WEB-MISC answerbook2 admin attempt || bugtraq,5383 || cve,2000-0696 -1947 || WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697 -1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595 -1949 || RPC portmap SET attempt TCP 111 -1950 || RPC 
portmap SET attempt UDP 111 -1951 || RPC mountd TCP mount request -1952 || RPC mountd UDP mount request -1953 || RPC AMD TCP pid request -1954 || RPC AMD UDP pid request -1955 || RPC AMD TCP version request -1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696 -1957 || RPC sadmind UDP PING || bugtraq,866 -1958 || RPC sadmind TCP PING || bugtraq,866 -1959 || RPC portmap NFS request UDP -1960 || RPC portmap NFS request TCP -1961 || RPC portmap RQUOTA request UDP -1962 || RPC portmap RQUOTA request TCP -1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974 -1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003 -1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003 -1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100 -1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173 -1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173 -1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559 -1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx || url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx -1971 || FTP SITE EXEC format string attempt -1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895 -1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108 -1974 || FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826 -1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021 -1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021 -1977 || WEB-MISC xp_regwrite 
attempt -1978 || WEB-MISC xp_regdeletekey attempt -1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158 -1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053 -1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053 -1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053 -1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053 -1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053 -1985 || BACKDOOR Doly 1.5 server response -1986 || CHAT MSN outbound file transfer request -1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188 -1988 || CHAT MSN outbound file transfer accept -1989 || CHAT MSN outbound file transfer rejected -1990 || CHAT MSN user search -1991 || CHAT MSN login attempt -1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112 -1993 || IMAP login literal buffer overflow attempt || bugtraq,6298 -1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165 -1995 || WEB-CGI alya.cgi access || nessus,11118 -1996 || WEB-CGI viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107 -1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341 -1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179 -1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104 -2000 || WEB-PHP readmsg.php access || cve,2001-1408 || nessus,11073 -2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133 -2002 || WEB-PHP remote include path -2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm -2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || 
nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm -2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 -2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 -2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 -2008 || MISC CVS invalid user authentication response -2009 || MISC CVS invalid repository response -2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015 -2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015 -2012 || MISC CVS missing cvsroot response -2013 || MISC CVS invalid module response -2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892 -2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892 -2016 || RPC portmap status request TCP || arachnids,15 -2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331 -2018 || RPC mountd TCP dump request -2019 || RPC mountd UDP dump request -2020 || RPC mountd TCP unmount request -2021 || RPC mountd UDP unmount request -2022 || RPC mountd TCP unmountall request -2023 || RPC mountd UDP unmountall request -2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974 -2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779 -2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779 -2027 || RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 -2028 || RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 -2029 || RPC yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 -2030 || RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 -2031 || RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779 -2032 || RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779 
-2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232 -2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016 -2035 || RPC portmap network-status-monitor request UDP -2036 || RPC portmap network-status-monitor request TCP -2037 || RPC network-status-monitor mon-callback request UDP -2038 || RPC network-status-monitor mon-callback request TCP -2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312 -2040 || POLICY xtacacs login attempt -2041 || MISC xtacacs failed login response -2042 || POLICY xtacacs accepted login response -2043 || MISC isakmp login failed -2044 || POLICY PPTP Start Control Request attempt -2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html -2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379 -2047 || MISC rsyncd module list access -2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943 -2049 || MS-SQL ping attempt || nessus,10674 -2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674 -2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906 -2052 || WEB-CGI overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html -2053 || WEB-CGI process_bug.cgi access || bugtraq,3272 || cve,2002-0008 -2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || bugtraq,3272 || cve,2002-0008 -2055 || WEB-CGI enter_bug.cgi access || bugtraq,3272 || cve,2002-0008 -2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf -2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162 -2058 || WEB-MISC MsmMask.exe attempt || nessus,11163 -2059 || WEB-MISC MsmMask.exe access || nessus,11163 -2060 || 
WEB-MISC DB4Web access || nessus,11180 -2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042 -2062 || WEB-MISC iPlanet .perf access || nessus,11220 -2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539 -2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841 -2065 || WEB-MISC Lotus Notes .csp script source download attempt -2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841 -2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841 -2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588 -2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771 -2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485 -2071 || WEB-MISC post32.exe access || bugtraq,1485 -2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758 -2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330 -2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572 -2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572 -2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572 -2077 || WEB-PHP Mambo upload.php access || bugtraq,6572 -2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634 -2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508 -2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508 -2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2082 || RPC portmap rpc.xfsmd request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 -2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 -2086 || WEB-CGI streaming server parse_xml.cgi 
access || bugtraq,6960 || cve,2003-0054 -2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025 -2088 || RPC ypupdated arbitrary command attempt UDP -2089 || RPC ypupdated arbitrary command attempt TCP -2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx -2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx -2092 || RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028 -2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028 -2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 -2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 -2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409 -2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx -2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx -2103 || NETBIOS SMB trans2open buffer overflow attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt -2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459 -2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292 -2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 -2107 || IMAP create buffer overflow attempt 
|| bugtraq,7446 -2108 || POP3 CAPA overflow attempt -2109 || POP3 TOP overflow attempt -2110 || POP3 STAT overflow attempt -2111 || POP3 DELE overflow attempt -2112 || POP3 RSET overflow attempt -2113 || RSERVICES rexec username overflow attempt -2114 || RSERVICES rexec password overflow attempt -2115 || WEB-CGI album.pl access || bugtraq,7444 || nessus,11581 -2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 || url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html -2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215 -2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 -2119 || IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 -2120 || IMAP create literal buffer overflow attempt || bugtraq,7446 -2121 || POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539 -2122 || POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570 -2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633 -2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673 -2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677 -2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 || url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx -2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605 -2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608 -2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227 || cve,2003-0349 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx -2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662 -2131 || WEB-IIS IISProtect access || nessus,11661 -2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657 -2133 || 
WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx -2134 || WEB-IIS register.asp access || nessus,11621 -2135 || WEB-MISC philboard.mdb access || nessus,11682 -2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675 -2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675 -2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639 -2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604 -2140 || WEB-PHP p-news.php access || nessus,11669 -2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668 -2142 || WEB-PHP shoutbox.php access || nessus,11668 -2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667 -2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667 -2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660 -2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660 -2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647 -2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647 -2149 || WEB-PHP Turba status.php access || nessus,11646 -2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 -2151 || WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 -2152 || WEB-PHP test.php access || nessus,11617 -2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630 -2154 || WEB-PHP autohtml.php access || nessus,11630 -2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615 -2156 || WEB-MISC mod_gzip_status access || nessus,11685 -2157 || 
WEB-IIS IISProtect globaladmin.asp access || nessus,11661 -2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575 -2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350 -2160 || VIRUS OUTBOUND .exe file attachment -2161 || VIRUS OUTBOUND .doc file attachment -2162 || VIRUS OUTBOUND .hta file attachment -2163 || VIRUS OUTBOUND .chm file attachment -2164 || VIRUS OUTBOUND .reg file attachment -2165 || VIRUS OUTBOUND .ini file attachment -2166 || VIRUS OUTBOUND .bat file attachment -2167 || VIRUS OUTBOUND .diz file attachment -2168 || VIRUS OUTBOUND .cpp file attachment -2169 || VIRUS OUTBOUND .dll file attachment -2170 || VIRUS OUTBOUND .vxd file attachment -2171 || VIRUS OUTBOUND .sys file attachment -2172 || VIRUS OUTBOUND .com file attachment -2173 || VIRUS OUTBOUND .hsq file attachment -2174 || NETBIOS SMB winreg create tree attempt -2175 || NETBIOS SMB winreg unicode create tree attempt -2176 || NETBIOS SMB startup folder access -2177 || NETBIOS SMB startup folder unicode access -2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687 -2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699 -2180 || P2P BitTorrent announce request -2181 || P2P BitTorrent transfer -2182 || BACKDOOR typot trojan traffic || mcafee,100406 -2183 || SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html -2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 -2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 -2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567 -2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567 -2188 
|| BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 -2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 -2190 || NETBIOS DCERPC invalid bind attempt -2191 || NETBIOS SMB DCERPC invalid bind attempt -2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748 -2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 -2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || cve,2001-1212 || nessus,11748 -2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 -2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748 -2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748 -2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748 -2203 || WEB-CGI everythingform.cgi access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748 -2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 -2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748 -2208 || 
WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748 -2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || nessus,11748 -2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748 -2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748 -2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748 -2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748 -2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748 -2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748 -2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 -2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 -2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 -2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748 -2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748 -2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748 -2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740 -2223 || WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726 -2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750 -2225 || WEB-CGI gozila.cgi access || bugtraq,6086 || cve,2002-1236 || nessus,11773 -2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739 -2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760 -2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761 -2229 || 
WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767 -2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737 -2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 -2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722 -2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || bugtraq,1518 || cve,2000-0682 || nessus,11724 -2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401 -2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401 -2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727 -2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728 -2243 || WEB-MISC ndcgi.exe access || bugtraq,3583 || cve,2001-0922 || nessus,11730 -2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731 -2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || nessus,11732 -2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771 -2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938 -2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938 -2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785 -2250 || POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742 -2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || 
cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx -2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx -2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx -2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx -2255 || RPC sadmind query with root credentials attempt TCP -2256 || RPC sadmind query with root credentials attempt UDP -2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx -2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx -2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 -2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 -2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 || nessus,11316 -2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || 
cve,2003-0161 -2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 -2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 -2271 || BACKDOOR FsSniffer connection attempt || nessus,11854 -2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854 -2273 || IMAP login brute force attempt -2274 || POP3 login brute force attempt -2275 || SMTP AUTH LOGON brute force attempt -2276 || WEB-MISC oracle portal demo access || nessus,11918 -2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627 -2278 || WEB-MISC client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095 -2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057 -2280 || WEB-PHP Title.php access || bugtraq,9057 -2281 || WEB-PHP Setup.php access || bugtraq,9057 -2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057 -2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057 -2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057 -2285 || WEB-PHP rolis guestbook access || bugtraq,9057 -2286 || WEB-PHP friends.php access || bugtraq,9088 -2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487 -2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487 -2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487 -2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487 -2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487 -2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487 -2293 || 
WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487 -2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487 -2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487 -2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487 -2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487 -2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487 -2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487 -2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487 -2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487 -2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487 -2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890 || nessus,11487 -2304 || WEB-PHP files.inc.php access || bugtraq,8910 -2305 || WEB-PHP chatbox.php access || bugtraq,8930 -2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876 -2307 || WEB-PHP PayPal Storefront remote file include attempt || bugtraq,8791 || nessus,11873 -2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2312 || SHELLCODE x86 0x71FB7BAB NOOP -2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode -2314 || 
SHELLCODE x86 0x90 NOOP unicode -2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx -2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977 -2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977 -2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156 -2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156 -2321 || WEB-IIS foxweb.exe access || nessus,11939 -2322 || WEB-IIS foxweb.dll access || nessus,11939 -2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975 -2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 -2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 -2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955 -2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973 -2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982 -2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx -2330 || IMAP auth overflow attempt || bugtraq,8861 -2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430 -2332 || FTP MKDIR format string attempt || bugtraq,9262 -2333 || FTP RENAME format string attempt || bugtraq,9262 -2334 || FTP Yak! 
FTP server default account login attempt || bugtraq,9072 -2335 || FTP RMD / attempt || bugtraq,9159 -2336 || TFTP NULL command attempt || bugtraq,7575 -2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 -2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx -2339 || TFTP NULL command attempt || bugtraq,7575 -2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037 -2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 -2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 -2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 -2344 || FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704 -2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032 -2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544 -2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544 -2348 || NETBIOS SMB-DS DCERPC print spool bind attempt -2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt -2350 || NETBIOS DCERPC ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488 -2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488 -2355 || WEB-PHP 
Invision Board emailer.php file include || bugtraq,7204 -2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000 -2357 || WEB-PHP WebChat english.php file include || bugtraq,7000 -2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984 -2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976 -2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744 -2361 || WEB-PHP news.php file include || bugtraq,6674 -2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663 -2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597 -2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597 -2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488 -2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 -2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516 -2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542 -2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555 -2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557 -2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021 -2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544 -2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html -2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || 
cve,2004-0040 -2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 -2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084 -2382 || NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -2383 || NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 -2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 -2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 -2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 -2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466 -2390 || FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466 -2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466 -2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298 -2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032 -2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014 
-2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624 -2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 || url,secunia.com/advisories/9191/ -2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 || url,secunia.com/advisories/9191/ -2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965 -2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964 -2400 || WEB-MISC edittag.pl access || bugtraq,6675 -2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html -2405 || WEB-PHP phptest.php access || bugtraq,9737 -2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066 -2407 || WEB-MISC util.pl access || bugtraq,9748 -2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766 -2409 || POP3 APOP USER overflow attempt || bugtraq,9794 -2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773 -2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html -2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt -2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 -2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || 
cve,2004-0164 -2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 -2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 -2417 || FTP format string attempt -2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx -2419 || MULTIMEDIA realplayer .ram playlist download attempt -2420 || MULTIMEDIA realplayer .rmp playlist download attempt -2421 || MULTIMEDIA realplayer .smi playlist download attempt -2422 || MULTIMEDIA realplayer .rt playlist download attempt -2423 || MULTIMEDIA realplayer .rp playlist download attempt -2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045 -2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045 -2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045 -2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045 -2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045 -2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045 -2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045 -2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045 -2432 || NNTP article post without path attempt -2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 || url,secunia.com/advisories/10512/ -2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 || url,secunia.com/advisories/10512/ -2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || 
cve,2003-0726 -2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258 -2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258 -2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258 -2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319 -2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169 -2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt || cve,2004-0362 || url,www.eeye.com/html/Research/Advisories/AD20040318.html -2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122 -2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120 -2449 || FTP ALLO overflow attempt || bugtraq,9953 -2450 || CHAT Yahoo IM successful logon -2451 || CHAT Yahoo IM voicechat -2452 || CHAT Yahoo IM ping -2453 || CHAT Yahoo IM conference invitation -2454 || CHAT Yahoo IM conference logon success -2455 || CHAT Yahoo IM conference message -2456 || CHAT Yahoo Messenger File Transfer Receive Request -2457 || CHAT Yahoo IM message -2458 || CHAT Yahoo IM successful chat join -2459 || CHAT Yahoo IM conference offer invitation -2460 || CHAT Yahoo IM conference request -2461 || CHAT Yahoo IM conference watch -2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 -2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 -2464 || EXPLOIT EIGRP prefix length overflow attempt || 
bugtraq,9952 || cve,2004-0176 || cve,2004-0367 -2465 || NETBIOS SMB-DS IPC$ share access -2466 || NETBIOS SMB-DS IPC$ unicode share access -2467 || NETBIOS SMB D$ unicode share access -2468 || NETBIOS SMB-DS D$ share access -2469 || NETBIOS SMB-DS D$ unicode share access -2470 || NETBIOS SMB C$ unicode share access -2471 || NETBIOS SMB-DS C$ share access -2472 || NETBIOS SMB-DS C$ unicode share access -2473 || NETBIOS SMB ADMIN$ unicode share access -2474 || NETBIOS SMB-DS ADMIN$ share access -2475 || NETBIOS SMB-DS ADMIN$ unicode share access -2476 || NETBIOS SMB-DS winreg create tree attempt -2477 || NETBIOS SMB-DS winreg unicode create tree attempt -2478 || NETBIOS SMB-DS winreg bind attempt -2479 || NETBIOS SMB-DS winreg unicode bind attempt -2480 || NETBIOS SMB-DS InitiateSystemShutdown unicode attempt -2481 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt -2482 || NETBIOS SMB-DS InitiateSystemShutdown attempt -2483 || NETBIOS SMB-DS InitiateSystemShutdown little endian attempt -2484 || WEB-MISC source.jsp access || nessus,12119 -2485 || WEB-CLIENT Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363 -2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184 -2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 -2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 -2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978 -2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978 -2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2493 || NETBIOS 
SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2500 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2504 || SMTP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2505 || 
WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2516 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2520 || WEB-MISC SSLv3 Client_Hello request -2521 || WEB-MISC SSLv3 Server_Hello request -2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm -2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2527 || SMTP STARTTLS attempt -2528 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2529 || IMAP SSLv3 Client_Hello request -2530 || IMAP SSLv3 Server_Hello request -2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2532 || POP3 SSLv3 Client_Hello request -2533 || POP3 SSLv3 Server_Hello request -2534 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2535 || POP3 SSLv3 Client_Hello request -2536 || POP3 SSLv3 Server_Hello request -2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || 
nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2542 || SMTP SSLv3 Client_Hello request -2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2544 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx -2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt -2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080 -2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978 -2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972 -2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973 -2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt -2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 -2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || 
cve,2004-0385 || nessus,12126 -2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230 -2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038 -2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html -2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html -2565 || WEB-PHP modules.php access || bugtraq,9879 -2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093 -2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095 -2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095 -2569 || WEB-MISC cPanel resetpass access || bugtraq,9848 -2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593 -2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805 -2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805 -2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805 -2574 || FTP RETR format string attempt || bugtraq,9800 -2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732 -2576 || ORACLE dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html -2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 -2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt -2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt -2580 || WEB-MISC server negative Content-Length attempt || cve,2004-0492 || 
url,www.guninski.com/modproxy1.html -2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx -2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx -2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417 -2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 -2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386 -2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html -2587 || P2P eDonkey server response || url,www.emule-project.net -2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html -2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx -2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html -2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2592 || SMTP ReplyTo command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html -2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780 -2598 || WEB-MISC Samba SWAT Authorization port 901 overflow 
attempt || bugtraq,10780 -2599 || ORACLE dbms_repcat.add_grouped_column buffer overflow attempt -2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2601 || ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt -2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html -2603 || ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2605 || ORACLE dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html -2606 || ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2608 || ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2609 || ORACLE dbms_repcat.cancel_statistics buffer overflow attempt -2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html -2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html -2612 || ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt -2615 || ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt 
|| url,www.appsecinc.com/Policy/PolicyCheck97.html -2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2617 || ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html -2619 || ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html -2621 || ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2622 || ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2623 || ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html -2624 || ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2626 || ORACLE dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html -2627 || ORACLE dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html -2629 || ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html -2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck94.html
-2631 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
-2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
-2633 || ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
-2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
-2635 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
-2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
-2637 || ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
-2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
-2639 || ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
-2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
-2641 || ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt
-2642 || ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html
-2643 || ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html
-2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt
-2645 || ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt
-2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html
-2647 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt
-2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html
-2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html
-2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html
-2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt
-2652 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
-2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
-2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193
-2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224
-2656 || WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt
-2657 || WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt
-2658 || WEB-MISC SSLv2 Client_Hello request
-2659 || WEB-MISC SSLv2 Client_Hello with pad request
-2660 || WEB-MISC SSLv2 Server_Hello request
-2661 || WEB-MISC TLSv1 Client_Hello request
-2662 || WEB-MISC TLSv1 Server_Hello request
-2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798
-2664 || IMAP login format string attempt || bugtraq,10976
-2665 || IMAP login literal format string attempt || bugtraq,10976
-2666 || POP3 PASS format string attempt || bugtraq,10976
-2667 || WEB-IIS ping.asp access || nessus,10968
-2668 || WEB-CGI processit access || nessus,10649
-2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083
-2670 || WEB-CGI pgpmail.pl access || bugtraq,3605 || cve,2001-0937 || nessus,11070
-2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt || bugtraq,9663 || cve,2004-0566
-2672 || WEB-MISC sresult.exe access || bugtraq,10837 || nessus,14186
-2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597
-2674 || ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt
-2675 || ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt
-2676 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt
-2677 || ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt
-2678 || ORACLE ctx_output.start_log buffer overflow attempt
-2679 || ORACLE sys.dbms_system.ksdwrt buffer overflow attempt
-2680 || ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt
-2681 || ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt
-2682 || ORACLE mdsys.md2.validate_geom buffer overflow attempt
-2683 || ORACLE mdsys.md2.sdo_code_size buffer overflow attempt
-2684 || ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt
-2685 || ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt
-2686 || ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
-2687 || ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt
-2688 || ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt
-2689 || ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt
-2690 || ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt
-2691 || ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt
-2692 || ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt
-2693 || ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt
-2694 || ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt
-2695 || ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt
-2696 || ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt
-2697 || ORACLE alter file buffer overflow attempt
-2698 || ORACLE create file buffer overflow attempt
-2699 || ORACLE TO_CHAR buffer overflow attempt
-2700 || ORACLE numtoyminterval buffer overflow attempt
-2701 || WEB-MISC Oracle iSQLPlus sid overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
-2702 || WEB-MISC Oracle iSQLPlus username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
-2703 || WEB-MISC Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
-2704 || WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
-2705 || WEB-CLIENT JPEG parser heap overflow attempt || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx
-2706 || WEB-CLIENT JPEG transfer
-2707 || WEB-CLIENT JPEG parser multipacket heap overflow || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx
-2708 || ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2709 || ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2710 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2711 || ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2712 || ORACLE dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2713 || ORACLE dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2714 || ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2715 || ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2716 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2717 || ORACLE dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2718 || ORACLE dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2719 || ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2720 || ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2721 || ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2722 || ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2723 || ORACLE dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2724 || ORACLE dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2725 || ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2726 || ORACLE dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2727 || ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2728 || ORACLE dbms_repcat.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2729 || ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2730 || ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2731 || ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2732 || ORACLE dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2733 || ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2734 || ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2735 || ORACLE dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2736 || ORACLE dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2737 || ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2738 || ORACLE dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2739 || ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2740 || ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2741 || ORACLE dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2742 || ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2743 || ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2744 || ORACLE dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2745 || ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2746 || ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2747 || ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2748 || ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2749 || ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2750 || ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2751 || ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2752 || ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2753 || ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2754 || ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2755 || ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2756 || ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2757 || ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2758 || ORACLE dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2759 || ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2760 || ORACLE dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2761 || ORACLE dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2762 || ORACLE dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2763 || ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2764 || ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2765 || ORACLE dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2766 || ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2767 || ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2768 || ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2769 || ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2770 || ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2771 || ORACLE dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2772 || ORACLE dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2773 || ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2774 || ORACLE dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2775 || ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2776 || ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2777 || ORACLE dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2778 || ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2779 || ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2780 || ORACLE dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2781 || ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2782 || ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2783 || ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2784 || ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2785 || ORACLE dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2786 || ORACLE dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2787 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2788 || ORACLE dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2789 || ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2790 || ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2791 || ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2792 || ORACLE dbms_repcat.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2793 || ORACLE dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2794 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2795 || ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2796 || ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2797 || ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2798 || ORACLE dbms_repcat.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2799 || ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2800 || ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2801 || ORACLE dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2802 || ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2803 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2804 || ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2805 || ORACLE dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2806 || ORACLE dbms_repcat.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2807 || ORACLE dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2808 || ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2809 || ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2810 || ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2811 || ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2812 || ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2813 || ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2814 || ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2815 || ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2816 || ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2817 || ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2818 || ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2819 || ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2820 || ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2821 || ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2822 || ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2823 || ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2824 || ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2825 || ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2826 || ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2827 || ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2828 || ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2829 || ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2830 || ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2831 || ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2832 || ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2833 || ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2834 || ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2835 || ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2836 || ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2837 || ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2838 || ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2839 || ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2840 || ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2841 || ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2842 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2843 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2844 || ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2845 || ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2846 || ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2847 || ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2848 || ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2849 || ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2850 || ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2851 || ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2852 || ORACLE dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2853 || ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2854 || ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2855 || ORACLE dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2856 || ORACLE dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2857 || ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2858 || ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2859 || ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2860 || ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2861 || ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2862 || ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2863 || ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2864 || ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2865 || ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2866 || ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2867 || ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2868 || ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2869 || ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2870 || ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2871 || ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2872 || ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2873 || ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2874 || ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2875 || ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2876 || ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2877 || ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2878 || ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2879 || ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2880 || ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2881 || ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2882 || ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2883 || ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2884 || ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2885 || ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2886 || ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2887 || ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2888 || ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2889 || ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2890 || ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2891 || ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2892 || ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2893 || ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2894 || ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2895 || ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2896 || ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2897 || ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2898 || ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2899 || ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2900 || ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2901 || ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2902 || ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2903 || ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2904 || ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2905 || ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2906 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2907 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2908 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2909 || ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2910 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2911 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2912 || ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2913 || ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2914 || ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2915 || ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2916 || ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2917 || ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2918 || ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2919 || ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
-2921 || DNS UDP inverse query || bugtraq,2302 || cve,2001-0010
-2922 || DNS TCP inverse query || bugtraq,2302 || cve,2001-0010
-2923 || NETBIOS SMB repeated logon failure
-2924 || NETBIOS SMB-DS repeated logon failure
-2925 || INFO web bug 0x0 gif attempt
-2926 || WEB-PHP PhpGedView PGV base directory manipulation || bugtraq,9368
-2927 || NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx
-2928 || NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206
-2929 || NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206
-2930 || NETBIOS SMB-DS nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206
-2931 || NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206
-2932 || NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206
-2933 || NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206
-2934 || NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206
-2935 || NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206
-2936 || NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206
-2937 || NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206
-2938 || NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206
-2939 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206
-2940 || NETBIOS SMB winreg bind attempt
-2941 || NETBIOS SMB winreg unicode bind attempt
-2942 || NETBIOS SMB InitiateSystemShutdown attempt -2943 || NETBIOS SMB InitiateSystemShutdown little endian attempt -2944 || NETBIOS SMB InitiateSystemShutdown unicode attempt -2945 || NETBIOS SMB InitiateSystemShutdown unicode little endian attempt -2946 || NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2947 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2948 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2949 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 -2950 || NETBIOS SMB too many stacked requests -2951 || NETBIOS SMB-DS too many stacked requests -2952 || NETBIOS SMB IPC$ andx share access -2953 || NETBIOS SMB IPC$ unicode andx share access -2954 || NETBIOS SMB-DS IPC$ andx share access -2955 || NETBIOS SMB-DS IPC$ unicode andx share access -2956 || NETBIOS SMB nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2957 || NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2958 || NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2959 || NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 -2960 || NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 -2961 || NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 -2962 || NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 -2963 || NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 -2964 || NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2965 || NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2966 || NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt 
|| bugtraq,11372 || cve,2004-0206 -2967 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2968 || NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2969 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2970 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2971 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 -2972 || NETBIOS SMB D$ andx share access -2973 || NETBIOS SMB D$ unicode andx share access -2974 || NETBIOS SMB-DS D$ andx share access -2975 || NETBIOS SMB-DS D$ unicode andx share access -2976 || NETBIOS SMB C$ andx share access -2977 || NETBIOS SMB C$ unicode andx share access -2978 || NETBIOS SMB-DS C$ andx share access -2979 || NETBIOS SMB-DS C$ unicode andx share access -2980 || NETBIOS SMB ADMIN$ andx share access -2981 || NETBIOS SMB ADMIN$ unicode andx share access -2982 || NETBIOS SMB-DS ADMIN$ andx share access -2983 || NETBIOS SMB-DS ADMIN$ unicode andx share access -2984 || NETBIOS SMB winreg andx create tree attempt -2985 || NETBIOS SMB winreg unicode andx create tree attempt -2986 || NETBIOS SMB-DS winreg andx create tree attempt -2987 || NETBIOS SMB-DS winreg unicode andx create tree attempt -2988 || NETBIOS SMB winreg andx bind attempt -2989 || NETBIOS SMB winreg unicode andx bind attempt -2990 || NETBIOS SMB-DS winreg andx bind attempt -2991 || NETBIOS SMB-DS winreg unicode andx bind attempt -2992 || NETBIOS SMB InitiateSystemShutdown andx attempt -2993 || NETBIOS SMB InitiateSystemShutdown little endian andx attempt -2994 || NETBIOS SMB InitiateSystemShutdown unicode andx attempt -2995 || NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt -2996 || NETBIOS SMB-DS InitiateSystemShutdown andx attempt -2997 || NETBIOS SMB-DS 
InitiateSystemShutdown little endian andx attempt -2998 || NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt -2999 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt -3000 || NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3001 || NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3002 || NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3003 || NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3004 || NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3005 || NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx -3006 || EXPLOIT Volition Freespace 2 buffer overflow attempt || bugtraq,9785 -3007 || IMAP delete overflow attempt || bugtraq,11675 -3008 || IMAP delete literal overflow attempt || bugtraq,11675 -3009 || BACKDOOR NetBus Pro 2.0 connection request -3010 || BACKDOOR RUX the Tick get windows directory attempt -3011 || BACKDOOR RUX the Tick get system directory attempt -3012 || BACKDOOR RUX the Tick upload/execute arbitrary file attempt -3013 || BACKDOOR Asylum 0.1 
connection request -3014 || BACKDOOR Asylum 0.1 connection established -3015 || BACKDOOR Insane Network 4.0 connection established -3016 || BACKDOOR Insane Network 4.0 connection established port 63536 -3017 || EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx -3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 -3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 -3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 -3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 -3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 -3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 -3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 -3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 -3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 -3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 -3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 -3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 -3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 -3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 -3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 -3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 -3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 -3035 
|| NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 -3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 -3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 -3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 -3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 -3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 -3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 -3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt -3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt -3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3046 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt -3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt -3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt -3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt -3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt -3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt -3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt -3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt -3058 || IMAP copy literal overflow attempt || bugtraq,1110 -3059 || 
WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request -3061 || MISC distccd command execution attempt || url,distcc.samba.org/security.html -3062 || WEB-CGI NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791 -3063 || BACKDOOR Vampire 1.2 connection request -3064 || BACKDOOR Vampire 1.2 connection confirmation -3065 || IMAP append literal overflow attempt || bugtraq,11775 -3066 || IMAP append overflow attempt || bugtraq,11775 -3067 || IMAP examine literal overflow attempt || bugtraq,11775 -3068 || IMAP examine overflow attempt || bugtraq,11775 -3069 || IMAP fetch literal overflow attempt || bugtraq,11775 -3070 || IMAP fetch overflow attempt || bugtraq,11775 -3071 || IMAP status literal overflow attempt || bugtraq,11775 -3072 || IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256 -3073 || IMAP subscribe literal overflow attempt || bugtraq,11775 -3074 || IMAP subscribe overflow attempt || bugtraq,11775 -3075 || IMAP unsubscribe literal overflow attempt || bugtraq,11775 -3076 || IMAP unsubscribe overflow attempt || bugtraq,11775 -3077 || FTP RNFR overflow attempt -3078 || NNTP SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx -3079 || WEB-CLIENT Microsoft ANI file parsing overflow || cve,2004-1049 -3080 || MISC Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608 -3081 || BACKDOOR Y3KRAT 1.5 Connect -3082 || BACKDOOR Y3KRAT 1.5 Connect Client Response -3083 || BACKDOOR Y3KRAT 1.5 Connection confirmation -3084 || EXPLOIT Veritas backup overflow attempt || bugtraq,11974 || cve,2004-1172 -3085 || EXPLOIT AIM goaway message buffer overflow attempt || bugtraq,10889 || cve,2004-0636 -3086 || WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt || bugtraq,11408 -3087 || WEB-IIS w3who.dll buffer overflow attempt || bugtraq,11820 || cve,2004-1134 -3088 || WEB-CLIENT winamp .cda file name overflow attempt || bugtraq,11730 -3089 || DOS 
squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095 -3090 || NETBIOS SMB llsrpc create tree attempt -3091 || NETBIOS SMB llsrpc unicode create tree attempt -3092 || NETBIOS SMB llsrpc andx create tree attempt -3093 || NETBIOS SMB llsrpc unicode andx create tree attempt -3094 || NETBIOS SMB-DS llsrpc create tree attempt -3095 || NETBIOS SMB-DS llsrpc unicode create tree attempt -3096 || NETBIOS SMB-DS llsrpc andx create tree attempt -3097 || NETBIOS SMB-DS llsrpc unicode andx create tree attempt -3098 || NETBIOS SMB llsrpc bind attempt -3099 || NETBIOS SMB llsrpc little endian bind attempt -3100 || NETBIOS SMB llsrpc unicode bind attempt -3101 || NETBIOS SMB llsrpc unicode little endian bind attempt -3102 || NETBIOS SMB llsrpc andx bind attempt -3103 || NETBIOS SMB llsrpc little endian andx bind attempt -3104 || NETBIOS SMB llsrpc unicode andx bind attempt -3105 || NETBIOS SMB llsrpc unicode little endian andx bind attempt -3106 || NETBIOS SMB-DS llsrpc bind attempt -3107 || NETBIOS SMB-DS llsrpc little endian bind attempt -3108 || NETBIOS SMB-DS llsrpc unicode bind attempt -3109 || NETBIOS SMB-DS llsrpc unicode little endian bind attempt -3110 || NETBIOS SMB-DS llsrpc andx bind attempt -3111 || NETBIOS SMB-DS llsrpc little endian andx bind attempt -3112 || NETBIOS SMB-DS llsrpc unicode andx bind attempt -3113 || NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt -3114 || NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3115 || NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3116 || NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3117 || NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3118 || NETBIOS SMB llsrconnect andx overflow attempt || 
url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3119 || NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3120 || NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3121 || NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3122 || NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3123 || NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3124 || NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3125 || NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3126 || NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3127 || NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3128 || NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3129 || NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx -3130 || EXPLOIT MSN Messenger png overflow || bugtraq,10872 || cve,2004-0957 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3131 || WEB-CGI mailman directory traversal attempt || cve,2005-0202 -3132 || WEB-CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3133 || WEB-CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 
|| cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3134 || WEB-CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx -3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt -3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt -3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt -3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt -3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt -3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt -3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt -3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt -3143 || NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3144 || NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3145 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3146 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx -3147 || TELNET login buffer overflow attempt || bugtraq,3681 || cve,2001-0797 -3148 || WEB-CLIENT winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt -3149 || WEB-CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx -3150 || WEB-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx || url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt -3151 || FINGER / execution attempt || cve,1999-0612 || cve,2000-0915 -3152 || MS-SQL sa brute force failed login attempt || 
bugtraq,4797 || cve,2000-1209 || nessus,10673 -3153 || DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009 -3154 || DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009 -3155 || BACKDOOR BackOrifice 2000 Inbound Traffic -3156 || NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3157 || NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3158 || NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3159 || NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3160 || NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3161 || NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3162 || NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3163 || NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3164 || NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3165 || NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3166 || NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3167 || NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3168 || NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3169 || NETBIOS SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3170 || NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3171 || NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3172 || NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3173 || NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3174 || NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || 
url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3175 || NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3176 || NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3177 || NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3178 || NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3179 || NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3180 || NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3181 || NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3182 || NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3183 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || 
url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3184 || NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3185 || NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3186 || NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3187 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3188 || NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3189 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3190 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3191 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3192 || WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || 
cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx -3193 || WEB-IIS .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886 -3194 || WEB-IIS .bat executable file parsing attack || bugtraq,1912 || cve,2000-0886 -3195 || NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 -3196 || NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 -3197 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3198 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx -3199 || EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx -3200 || EXPLOIT WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx -3201 || WEB-IIS httpodbc.dll access - nimda || bugtraq,2708 || cve,2001-0333 -3202 || NETBIOS SMB winreg bind attempt -3203 || NETBIOS SMB winreg little endian bind attempt -3204 || NETBIOS SMB winreg unicode bind attempt -3205 || NETBIOS SMB winreg unicode little endian bind attempt -3206 || NETBIOS SMB winreg andx bind attempt -3207 || NETBIOS SMB winreg little endian andx bind attempt -3208 || NETBIOS SMB winreg unicode andx bind attempt -3209 || NETBIOS SMB winreg unicode little endian andx bind attempt -3210 || NETBIOS SMB-DS winreg bind attempt -3211 || NETBIOS SMB-DS winreg little endian bind attempt -3212 || NETBIOS SMB-DS winreg unicode bind attempt -3213 || NETBIOS SMB-DS winreg unicode little endian bind attempt -3214 || NETBIOS SMB-DS winreg andx bind attempt -3215 || NETBIOS SMB-DS winreg little endian andx bind attempt -3216 || NETBIOS SMB-DS winreg unicode andx bind 
attempt
-3217 || NETBIOS SMB-DS winreg unicode little endian andx bind attempt
-3218 || NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx
-3219 || NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377
-3220 || NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377
-3221 || NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377
-3222 || NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3223 || NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3224 || NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3225 || NETBIOS SMB OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3226 || NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377
-3227 || NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377
-3228 || NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377
-3229 || NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377
-3230 || NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3231 || NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3232 || NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377
-3233 || NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx
-3234 || NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717
-3235 || NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717
-3236 || NETBIOS DCERPC irot bind attempt
-3237 || NETBIOS DCERPC irot little endian bind attempt
-3238 || NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3239 || NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3240 || NETBIOS SMB irot bind attempt
-3241 || NETBIOS SMB irot little endian bind attempt
-3242 || NETBIOS SMB irot unicode bind attempt
-3243 || NETBIOS SMB irot unicode little endian bind attempt
-3244 || NETBIOS SMB irot andx bind attempt
-3245 || NETBIOS SMB irot little endian andx bind attempt
-3246 || NETBIOS SMB irot unicode andx bind attempt
-3247 || NETBIOS SMB irot unicode little endian andx bind attempt
-3248 || NETBIOS SMB-DS irot bind attempt
-3249 || NETBIOS SMB-DS irot little endian bind attempt
-3250 || NETBIOS SMB-DS irot unicode bind attempt
-3251 || NETBIOS SMB-DS irot unicode little endian bind attempt
-3252 || NETBIOS SMB-DS irot andx bind attempt
-3253 || NETBIOS SMB-DS irot little endian andx bind attempt
-3254 || NETBIOS SMB-DS irot unicode andx bind attempt
-3255 || NETBIOS SMB-DS irot unicode little endian andx bind attempt
-3256 || NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3257 || NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3258 || NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3259 || NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3260 || NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3261 || NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3262 || NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3263 || NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3264 || NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3265 || NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3266 || NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3267 || NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3268 || NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3269 || NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3270 || NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3271 || NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
-3272 || BACKDOOR mydoom.a backdoor upload/execute attempt
-3273 || MS-SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673
-3274 || TELNET login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797
-3275 || NETBIOS DCERPC IActivation bind attempt
-3276 || NETBIOS DCERPC IActivation little endian bind attempt
-3377 || NETBIOS SMB IActivation bind attempt
-3378 || NETBIOS SMB IActivation little endian bind attempt
-3379 || NETBIOS SMB IActivation unicode bind attempt
-3380 || NETBIOS SMB IActivation unicode little endian bind attempt
-3381 || NETBIOS SMB IActivation andx bind attempt
-3382 || NETBIOS SMB IActivation little endian andx bind attempt
-3383 || NETBIOS SMB IActivation unicode andx bind attempt
-3384 || NETBIOS SMB IActivation unicode little endian andx bind attempt
-3385 || NETBIOS SMB-DS IActivation bind attempt
-3386 || NETBIOS SMB-DS IActivation little endian bind attempt
-3387 || NETBIOS SMB-DS IActivation unicode bind attempt
-3388 || NETBIOS SMB-DS IActivation unicode little endian bind attempt
-3389 || NETBIOS SMB-DS IActivation andx bind attempt
-3390 || NETBIOS SMB-DS IActivation little endian andx bind attempt
-3391 || NETBIOS SMB-DS IActivation unicode andx bind attempt
-3392 || NETBIOS SMB-DS IActivation unicode little endian andx bind attempt
-3393 || NETBIOS SMB ISystemActivator bind attempt
-3394 || NETBIOS SMB ISystemActivator little endian bind attempt
-3395 || NETBIOS SMB ISystemActivator unicode bind attempt
-3396 || NETBIOS SMB ISystemActivator unicode little endian bind attempt
-3397 || NETBIOS SMB ISystemActivator andx bind attempt
-3398 || NETBIOS SMB ISystemActivator little endian andx bind attempt
-3399 || NETBIOS SMB ISystemActivator unicode andx bind attempt
-3400 || NETBIOS SMB ISystemActivator unicode little endian andx bind attempt
-3401 || NETBIOS SMB-DS ISystemActivator bind attempt
-3402 || NETBIOS SMB-DS ISystemActivator little endian bind attempt
-3403 || NETBIOS SMB-DS ISystemActivator unicode bind attempt
-3404 || NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt
-3405 || NETBIOS SMB-DS ISystemActivator andx bind attempt
-3406 || NETBIOS SMB-DS ISystemActivator little endian andx bind attempt
-3407 || NETBIOS SMB-DS ISystemActivator unicode andx bind attempt
-3408 || NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt
-3409 || NETBIOS SMB RemoteActivation attempt
-3410 || NETBIOS SMB RemoteActivation little endian attempt
-3411 || NETBIOS SMB RemoteActivation unicode attempt
-3412 || NETBIOS SMB RemoteActivation unicode little endian attempt
-3413 || NETBIOS SMB RemoteActivation andx attempt
-3414 || NETBIOS SMB RemoteActivation little endian andx attempt
-3415 || NETBIOS SMB RemoteActivation unicode andx attempt
-3416 || NETBIOS SMB RemoteActivation unicode little endian andx attempt
-3417 || NETBIOS SMB-DS RemoteActivation attempt
-3418 || NETBIOS SMB-DS RemoteActivation little endian attempt
-3419 || NETBIOS SMB-DS RemoteActivation unicode attempt
-3420 || NETBIOS SMB-DS RemoteActivation unicode little endian attempt
-3421 || NETBIOS SMB-DS RemoteActivation andx attempt
-3422 || NETBIOS SMB-DS RemoteActivation little endian andx attempt
-3423 || NETBIOS SMB-DS RemoteActivation unicode andx attempt
-3424 || NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt
-3425 || NETBIOS SMB CoGetInstanceFromFile attempt
-3426 || NETBIOS SMB CoGetInstanceFromFile little endian attempt
-3427 || NETBIOS SMB CoGetInstanceFromFile unicode attempt
-3428 || NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt
-3429 || NETBIOS SMB CoGetInstanceFromFile andx attempt
-3430 || NETBIOS SMB CoGetInstanceFromFile little endian andx attempt
-3431 || NETBIOS SMB CoGetInstanceFromFile unicode andx attempt
-3432 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt
-3433 || NETBIOS SMB-DS CoGetInstanceFromFile attempt
-3434 || NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt
-3435 || NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt
-3436 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt
-3437 || NETBIOS SMB-DS CoGetInstanceFromFile andx attempt
-3438 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt
-3439 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt
-3440 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt
-3441 || FTP PORT bounce attempt
-3442 || DOS WIN32 TCP print service denial of service attempt || bugtraq,1082 || cve,2000-0232 || url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx
-3443 || MS-SQL DNS query with 1 requests
-3444 || MS-SQL DNS query with 2 requests
-3445 || MS-SQL DNS query with 3 requests
-3446 || MS-SQL DNS query with 4 requests
-3447 || MS-SQL DNS query with 5 requests
-3448 || MS-SQL DNS query with 6 requests
-3449 || MS-SQL DNS query with 7 requests
-3450 || MS-SQL DNS query with 8 requests
-3451 || MS-SQL DNS query with 9 requests
-3452 || MS-SQL DNS query with 10 requests
-3453 || MISC Arkeia client backup system info probe || bugtraq,12594
-3454 || MISC Arkeia client backup generic info probe || bugtraq,12594
-3455 || EXPLOIT Bontago Game Server Nickname Buffer Overflow || bugtraq,12603 || url,aluigi.altervista.org/adv/bontagobof-adv.txt
-3456 || MYSQL 4.0 root login attempt
-3457 || EXPLOIT Arkeia backup client type 77 overflow attempt || bugtraq,12594
-3458 || EXPLOIT Arkeia backup client type 84 overflow attempt || bugtraq,12594
-3459 || P2P Manolito Search Query || url,openlito.sourceforge.net || url,www.blubster.com
-3460 || FTP REST with numeric argument || bugtraq,7825
-3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
-3462 || SMTP Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
-3463 || WEB-CGI awstats access || bugtraq,12572
-3464 || WEB-CGI awstats.pl command execution attempt || bugtraq,12572
-3465 || WEB-CGI RiSearch show.pl proxy attempt || bugtraq,10812
-3466 || WEB-MISC Authorization Basic overflow attempt || bugtraq,8375 || cve,2003-0727
-3467 || WEB-MISC CISCO VoIP Portinformation access || bugtraq,4798 || cve,2002-0882
-3468 || WEB-CGI math_sum.mscgi access || bugtraq,10831 || nessus,14182
-3469 || WEB-CGI Ipswitch WhatsUp Gold dos attempt || bugtraq,11110 || cve,2004-0799 || url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities || url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html || url,www.secunia.com/advisories/12578/
-3470 || WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow || bugtraq,11309 || url,www.eeye.com/html/research/advisories/AD20041001.html
-3471 || WEB-CLIENT iTunes playlist URL overflow attempt || bugtraq,12238 || cve,2005-0043
-3472 || EXPLOIT ARCserve discovery service overflow || bugtraq,12491 || can,2005-0260
-3473 || WEB-CLIENT RealPlayer SMIL file overflow attempt || bugtraq,12698 || cve,2005-0455
-3474 || EXPLOIT ARCserve backup TCP slot info msg client name overflow || bugtraq,12563
-3475 || EXPLOIT ARCserve backup TCP slot info msg client domain overflow || bugtraq,12563
-3476 || EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow || bugtraq,12563
-3477 || EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow || bugtraq,12563
-3478 || EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow || bugtraq,12563
-3479 || EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow || bugtraq,12563
-3480 || EXPLOIT ARCserve backup UDP slot info msg client name overflow || bugtraq,12563
-3481 || EXPLOIT ARCserve backup UDP slot info msg client domain overflow || bugtraq,12563
-3482 || EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow || bugtraq,12563
-3483 || EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow || bugtraq,12563
-3484 || EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow || bugtraq,12563
-3485 || EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow || bugtraq,12563
-3486 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-3487 || IMAP SSLv2 Client_Hello request
-3488 || IMAP SSLv2 Client_Hello with pad request
-3489 || IMAP TLSv1 Client_Hello request
-3490 || IMAP TLSv1 Client_Hello via SSLv2 handshake request
-3491 || IMAP SSLv2 Server_Hello request
-3492 || IMAP TLSv1 Server_Hello request
-3493 || SMTP SSLv2 Client_Hello request
-3494 || SMTP SSLv2 Client_Hello with pad request
-3495 || SMTP TLSv1 Client_Hello request
-3496 || SMTP TLSv1 Client_Hello via SSLv2 handshake request
-3497 || SMTP SSLv2 Server_Hello request
-3498 || SMTP TLSv1 Server_Hello request
-3499 || POP3 SSLv2 Client_Hello request
-3500 || POP3 SSLv2 Client_Hello with pad request
-3501 || POP3 TLSv1 Client_Hello request
-3502 || POP3 TLSv1 Client_Hello via SSLv2 handshake request
-3503 || POP3 SSLv2 Server_Hello request
-3504 || POP3 TLSv1 Server_Hello request
-3505 || POP3 SSLv2 Client_Hello request
-3506 || POP3 SSLv2 Client_Hello with pad request
-3507 || POP3 TLSv1 Client_Hello request
-3508 || POP3 TLSv1 Client_Hello via SSLv2 handshake request
-3509 || POP3 SSLv2 Server_Hello request
-3510 || POP3 TLSv1 Server_Hello request
-3511 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
-3512 || ORACLE utl_file.fcopy directory traversal attempt || bugtraq,12749
-3513 || ORACLE utl_file.fopen_nchar directory traversal attempt || bugtraq,12749
-3514 || ORACLE utl_file.fopen directory traversal attempt || bugtraq,12749
-3515 || ORACLE utl_file.fremove directory traversal attempt || bugtraq,12749
-3516 || ORACLE utl_file.frename directory traversal attempt || bugtraq,12749
-3517 || EXPLOIT Computer Associates license PUTOLF overflow attempt || bugtraq,12705 || cve,2005-0581
-3518 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow || bugtraq,12265
-3519 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port || bugtraq,12265
-3520 || EXPLOIT Computer Associates license GCR NETWORK overflow attempt || bugtraq,12705 || cve,2005-0581
-3521 || EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt || bugtraq,12705 || cve,2005-0581
-3522 || EXPLOIT Computer Associates license GETCONFIG server overflow attempt || bugtraq,12705 || cve,2005-0581
-3523 || FTP SITE INDEX format string attempt
-3524 || EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt || bugtraq,12705 || cve,2005-0581
-3525 || EXPLOIT Computer Associates license invalid GCR NETWORK attempt || bugtraq,12705 || cve,2005-0581
-3526 || ORACLE XDB FTP UNLOCK overflow attempt || bugtraq,8375 || cve,2003-0727
-3527 || EXPLOIT Solaris LPD overflow attempt || bugtraq,3274
-3528 || MYSQL CREATE FUNCTION attempt || bugtraq,12781 || cve,2005-0709
-3529 || EXPLOIT Computer Associates license GETCONFIG client overflow attempt || bugtraq,12705 || cve,2005-0581
-3530 || EXPLOIT ARCserve backup UDP msg 0x99 client name overflow || bugtraq,12563
-3531 || EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow || bugtraq,12563
-3532 || FTP ORACLE password buffer overflow attempt || bugtraq,8375
-3533 || TELNET client LINEMODE SLC overflow attempt || bugtraq,12918 || cve,2005-0469
-3534 || WEB-CLIENT Mozilla GIF heap overflow || bugtraq,12881 || cve,2005-0399
-3535 || WEB-CLIENT GIF transfer
-3536 || WEB-CLIENT Mozilla GIF multipacket heap overflow || bugtraq,12881 || cve,2005-0399
-3537 || TELNET client ENV OPT escape overflow attempt || bugtraq,12918 || cve,2005-0469
-3538 || EXPLOIT RADIUS registration MSID overflow attempt || bugtraq,12759 || cve,2005-0699
-3539 || EXPLOIT RADIUS MSID overflow attempt || bugtraq,12759 || cve,2005-0699
-3540 || EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699
-3541 || EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699
-3542 || MS-SQL SA brute force login attempt || cve,2000-1209 || nessus,10673
-3543 || MS-SQL SA brute force login attempt TDS v7/8 || cve,2000-1209 || nessus,10673
-3544 || WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt || bugtraq,12592 || cve,2005-0481
-3545 || WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure || bugtraq,12592 || cve,2005-0481
-3546 || WEB-MISC TrackerCam User-Agent buffer overflow attempt || bugtraq,12592 || cve,2005-0481
-3547 || WEB-MISC TrackerCam overly long php parameter overflow attempt || bugtraq,12592 || cve,2005-0481
-3548 || WEB-MISC TrackerCam negative Content-Length attempt || bugtraq,12592 || cve,2005-0481
-3549 || WEB-CLIENT HTML DOM invalid element creation attempt || cve,2005-0553
-3550 || WEB-CLIENT HTML http scheme hostname overflow attempt || cve,2005-0553
-3551 || WEB-CLIENT .hta download attempt
-3552 || WEB-CLIENT OLE32 MSHTA masquerade attempt || cve,2005-0063
-3553 || WEB-CLIENT HTML DOM null element insertion attempt || cve,2005-0553
-3554 || NETBIOS DCERPC-DIRECT mqqm bind attempt
-3555 || NETBIOS DCERPC-DIRECT mqqm little endian bind attempt
-3556 || NETBIOS DCERPC mqqm bind attempt
-3557 || NETBIOS DCERPC mqqm little endian bind attempt
-3558 || NETBIOS SMB mqqm WriteAndX andx bind attempt
-3559 || NETBIOS SMB mqqm WriteAndX bind attempt
-3560 || NETBIOS SMB mqqm WriteAndX little endian andx bind attempt
-3561 || NETBIOS SMB mqqm WriteAndX little endian bind attempt
-3562 || NETBIOS SMB mqqm WriteAndX unicode andx bind attempt
-3563 || NETBIOS SMB mqqm WriteAndX unicode bind attempt
-3564 || NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt
-3565 || NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt
-3566 || NETBIOS SMB mqqm andx bind attempt
-3567 || NETBIOS SMB mqqm bind attempt
-3568 || NETBIOS SMB mqqm little endian andx bind attempt
-3569 || NETBIOS SMB mqqm little endian bind attempt
-3570 || NETBIOS SMB mqqm unicode andx bind attempt
-3571 || NETBIOS SMB mqqm unicode bind attempt
-3572 || NETBIOS SMB mqqm unicode little endian andx bind attempt
-3573 || NETBIOS SMB mqqm unicode little endian bind attempt
-3574 || NETBIOS SMB-DS mqqm WriteAndX andx bind attempt
-3575 || NETBIOS SMB-DS mqqm WriteAndX bind attempt
-3576 || NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt
-3577 || NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt
-3578 || NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt
-3579 || NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt
-3580 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt
-3581 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt
-3582 || NETBIOS SMB-DS mqqm andx bind attempt
-3583 || NETBIOS SMB-DS mqqm bind attempt
-3584 || NETBIOS SMB-DS mqqm little endian andx bind attempt
-3585 || NETBIOS SMB-DS mqqm little endian bind attempt
-3586 || NETBIOS SMB-DS mqqm unicode andx bind attempt
-3587 || NETBIOS SMB-DS mqqm unicode bind attempt
-3588 || NETBIOS SMB-DS mqqm unicode little endian andx bind attempt
-3589 || NETBIOS SMB-DS mqqm unicode little endian bind attempt
-3590 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3591 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3592 || NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3593 || NETBIOS DCERPC mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3594 || NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3595 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3596 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3597 || NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3598 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3599 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3600 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3601 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3602 || NETBIOS SMB mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3603 || NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3604 || NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3605 || NETBIOS SMB mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3606 || NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3607 || NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3608 || NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3609 || NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3610 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3611 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3612 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3613 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3614 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3615 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3616 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3617 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3618 || NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3619 || NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3620 || NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3621 || NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3622 || NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3623 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3624 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3625 || NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
-3626 || ICMP PATH MTU denial of service || cve,2004-1060
-3627 || POLICY X-LINK2STATE CHUNK attempt || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx
-3628 || POLICY IDA Pro startup license check attempt
-3629 || WEB-MISC sambar /search/results.stm access || bugtraq,7975
-3630 || FTP ORACLE TEST command buffer overflow attempt || bugtraq,8375
-3631 || FTP ORACLE user name buffer overflow attempt || bugtraq,8375
-3632 || WEB-CLIENT Mozilla bitmap width integer overflow attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067
-3633 || WEB-CLIENT bitmap transfer
-3634 || WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067
-3635 || BACKDOOR Amanda 2.0 connection established
-3636 || BACKDOOR Crazzy Net 5.0 connection established
-3637 || EXPLOIT Computer Associates license PUTOLF directory traversal attempt || bugtraq,12705 || cve,2005-0581
-3638 || WEB-CGI SoftCart.exe CGI buffer overflow attempt || bugtraq,10926
-3639 || NETBIOS SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3640 || NETBIOS SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3641 || NETBIOS SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3642 || NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3643 || NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3644 || NETBIOS SMB-DS Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3645 || NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3646 || NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3647 || NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3648 || NETBIOS-DG SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3649 || NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3650 || NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
-3651 || EXPLOIT CVS rsh annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142
-3652 || EXPLOIT CVS pserver annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142
-3653 || SMTP SAML overflow attempt || bugtraq,11238
-3654 || SMTP SOML overflow attempt || bugtraq,11238
-3655 || SMTP SEND overflow attempt || bugtraq,11238
-3656 || SMTP MAIL overflow attempt || bugtraq,11238
-3657 || ORACLE ctxsys.driload attempt || bugtraq,11099 || cve,2004-0637
-3658 || EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3659 || EXPLOIT ARCserve backup universal agent option 1000 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3660 || EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3661 || EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3662 || EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3663 || EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
-3664 || EXPLOIT PPTP echo request buffer overflow attempt || bugtaq,7316 || cve,2003-0213
-3665 || MYSQL server greeting || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3666 || MYSQL server greeting finished || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt,
-3667 || MYSQL protocol 41 client authentication bypass attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3668 || MYSQL client authentication bypass attempt || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt,
-3669 || MYSQL protocol 41 secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3670 || MYSQL secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3671 || MYSQL protocol 41 client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3672 || MYSQL client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
-3673 || MISC Microsoft SMS remote control client DoS overly long length attempt || bugtraq,10726 || cve,2004-0728
-3674 || WEB-CGI db4web_c directory traversal attempt || bugtraq,5723 || cve,2002-1483 || nessus,11182
-3675 || MISC IBM DB2 DTS empty format string dos attempt || bugtraq,11400 || url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781
-3676 || WEB-MISC newsscript.pl admin attempt || bugtraq,12761
-3677 || EXPLOIT SIP UDP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html
-3678 || EXPLOIT SIP TCP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html
-3679 || WEB-CLIENT Firefox IFRAME src javascript code execution || bugtraq,13544 || cve,2005-1476
-3680 || P2P AOL Instant Messenger Message Send
-3681 || P2P AOL Instant Messenger Message Receive
-3682 || SMTP spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx
-3683 || WEB-CLIENT spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx
-3684 || WEB-CLIENT Bitmap Transfer
-3685 || WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt || bugtraq,9663 || cve,2004-0566
-3686 || WEB-CLIENT Internet Explorer Content Advisor attempted overflow || bugtraq,13117 || cve,2005-0555
-3687 || TELNET client ENV OPT USERVAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx
-3688 || TELNET client ENV OPT VAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx
-3689 || WEB-CLIENT Internet Explorer tRNS overflow attempt || bugtraq,13941 || cve,2005-1211 || url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx
-3690 || WEB-CGI Nucleus CMS action.php itemid SQL injection || bugtraq,10798 || nessus,14194
-3691 || CHAT Yahoo Messenger Message
-3692 || CHAT Yahoo Messenger File Transfer Initiation Request
-3693 || WEB-MISC IBM WebSphere j_security_check overflow attempt || bugtraq,13853
-3694 || WEB-MISC Squid content length cache poisoning attempt || bugtraq,12412 || cve,2005-0174
-3695 || EXPLOIT Veritas Backup Agent password overflow attempt || cve,2005-0773
-3696 || EXPLOIT Veritas Backup Agent DoS attempt || bugtraq,14201 || cve,2005-0772
-3697 || NETBIOS DCERPC DIRECT veritas alter context attempt
-3698 || NETBIOS DCERPC DIRECT veritas bind attempt
-3699 || NETBIOS DCERPC DIRECT veritas little endian alter context attempt
-3700 || NETBIOS DCERPC DIRECT veritas little endian bind attempt
-3701 || NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt
-3702 || NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt
-3703 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt
-3704 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt
-3705 || NETBIOS SMB veritas WriteAndX alter context attempt
-3706 || NETBIOS SMB veritas WriteAndX andx alter context attempt
-3707 || NETBIOS SMB veritas WriteAndX andx bind attempt
-3708 || NETBIOS SMB veritas WriteAndX bind attempt
-3709 || NETBIOS SMB veritas WriteAndX little endian alter context attempt
-3710 || NETBIOS SMB veritas WriteAndX little endian andx alter context attempt
-3711 || NETBIOS SMB veritas WriteAndX little endian andx bind attempt
-3712 || NETBIOS SMB veritas WriteAndX little endian bind attempt
-3713 || NETBIOS SMB veritas WriteAndX unicode alter context attempt
-3714 || NETBIOS SMB veritas WriteAndX unicode andx alter context attempt
-3715 || NETBIOS SMB veritas WriteAndX unicode andx bind attempt
-3716 || NETBIOS SMB veritas WriteAndX unicode bind attempt
-3717 || NETBIOS SMB veritas WriteAndX unicode little endian alter context attempt
-3718 || NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt
-3719 || NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt
-3720 || NETBIOS SMB veritas WriteAndX unicode little endian bind attempt
-3721 || NETBIOS SMB veritas alter context attempt
-3722 || NETBIOS SMB veritas andx alter context attempt
-3723 || NETBIOS SMB veritas andx bind attempt
-3724 || NETBIOS SMB veritas bind attempt
-3725 || NETBIOS SMB veritas little endian alter context attempt
-3726 || NETBIOS SMB veritas little endian andx alter context attempt
-3727 || NETBIOS SMB veritas little endian andx bind attempt
-3728 || NETBIOS SMB veritas little endian bind attempt
-3729 || NETBIOS SMB veritas unicode alter context attempt
-3730 || NETBIOS SMB veritas unicode andx alter context attempt
-3731 || NETBIOS SMB veritas unicode andx bind attempt
-3732 || NETBIOS SMB veritas unicode bind attempt
-3733 || NETBIOS SMB veritas unicode little endian alter context attempt
-3734 || NETBIOS SMB veritas unicode little endian andx alter context attempt
-3735 || NETBIOS SMB veritas unicode little endian andx bind attempt
-3736 || NETBIOS SMB veritas unicode little endian bind attempt
-3737 || NETBIOS SMB-DS veritas WriteAndX alter context attempt
-3738 || NETBIOS SMB-DS veritas WriteAndX andx alter context attempt
-3739 || NETBIOS SMB-DS veritas WriteAndX andx bind attempt
-3740 || NETBIOS SMB-DS veritas WriteAndX bind attempt
-3741 || NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt
-3742 || NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt
-3743 || NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt
-3744 || NETBIOS SMB-DS veritas WriteAndX little endian bind attempt
-3745 || NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt
-3746 || NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt
-3747 || NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt
-3748 || NETBIOS SMB-DS veritas WriteAndX unicode bind attempt
-3749 || NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt
-3750 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt
-3751 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx bind attempt
-3752 || NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt
-3753 || NETBIOS SMB-DS veritas alter context attempt
-3754 || NETBIOS SMB-DS veritas andx alter context attempt
-3755 || NETBIOS SMB-DS veritas andx bind attempt
-3756 || NETBIOS SMB-DS veritas bind attempt
-3757 || NETBIOS SMB-DS veritas little endian alter context attempt
-3758 || NETBIOS SMB-DS veritas little endian andx alter context attempt
-3759 || NETBIOS SMB-DS veritas little endian andx bind attempt
-3760 || NETBIOS SMB-DS veritas little endian bind attempt
-3761 || NETBIOS SMB-DS veritas unicode alter context attempt
-3762 || NETBIOS SMB-DS veritas unicode andx alter context attempt
-3763 || NETBIOS SMB-DS veritas unicode andx bind attempt
-3764 || NETBIOS SMB-DS veritas unicode bind attempt
-3765 || NETBIOS SMB-DS veritas unicode little endian alter context attempt
-3766 || NETBIOS SMB-DS veritas unicode little endian andx alter context attempt
-3767 || NETBIOS SMB-DS veritas unicode little endian andx bind attempt
-3768 || NETBIOS SMB-DS veritas unicode little endian bind attempt
-3769 || NETBIOS DCERPC NCACN-HTTP veritas alter context attempt
-3770 || NETBIOS DCERPC NCACN-HTTP veritas bind attempt
-3771 || NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt
-3772 || NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt
-3773 || NETBIOS DCERPC DIRECT-UDP veritas alter context attempt
-3774 || NETBIOS DCERPC DIRECT-UDP veritas bind attempt
-3775 || NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt
-3776 || NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt
-3777 || NETBIOS DCERPC NCADG-IP-UDP veritas alter context attempt
-3778 || NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt
-3779 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt
-3780 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt
-3781 || NETBIOS-DG SMB veritas WriteAndX alter context attempt
-3782 || NETBIOS-DG SMB veritas WriteAndX andx alter context attempt
-3783 || NETBIOS-DG SMB veritas WriteAndX andx bind attempt
-3784 || NETBIOS-DG SMB veritas WriteAndX bind attempt
-3785 || NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt
-3786 || NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt
-3787 || NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt
-3788 || NETBIOS-DG SMB veritas WriteAndX little endian bind attempt
-3789 || NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt
-3790 || NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt
-3791 || NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt
-3792 || NETBIOS-DG SMB veritas WriteAndX unicode bind attempt
-3793 || NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt
-3794 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt
-3795 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt
-3796 || NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt
-3797 || NETBIOS-DG SMB veritas alter context attempt
-3798 || NETBIOS-DG SMB veritas andx alter context attempt
-3799 || NETBIOS-DG SMB veritas andx bind attempt
-3800 || NETBIOS-DG SMB veritas bind attempt
-3801 || NETBIOS-DG SMB veritas little endian alter context attempt
-3802 || NETBIOS-DG SMB veritas little endian andx alter context attempt
-3803 || NETBIOS-DG SMB veritas little endian andx bind attempt
-3804 || NETBIOS-DG SMB veritas little endian bind attempt
-3805 || NETBIOS-DG SMB veritas unicode alter context attempt
-3806 || NETBIOS-DG SMB veritas unicode andx alter context attempt
-3807 || 
NETBIOS-DG SMB veritas unicode andx bind attempt -3808 || NETBIOS-DG SMB veritas unicode bind attempt -3809 || NETBIOS-DG SMB veritas unicode little endian alter context attempt -3810 || NETBIOS-DG SMB veritas unicode little endian andx alter context attempt -3811 || NETBIOS-DG SMB veritas unicode little endian andx bind attempt -3812 || NETBIOS-DG SMB veritas unicode little endian bind attempt -3813 || WEB-CGI awstats.pl configdir command execution attempt || bugtraq,12298 || cve,2005-0116 -3814 || WEB-CLIENT IE javaprxy.dll COM access || bugtraq,14087 || cve,2005-2087 -3815 || SMTP eXchange POP3 mail server overflow attempt || bugtraq,10180 -3816 || WEB-MISC BadBlue ext.dll buffer overflow attempt || bugtraq,7387 -3817 || TFTP GET transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812 -3818 || TFTP PUT transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812 -3819 || WEB-CLIENT multipacket CHM file transfer start || bugtraq,13953 || cve,2005-1208 || nessus,18482 -3820 || WEB-CLIENT multipacket CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482 -3821 || WEB-CLIENT CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482 -3822 || WEB-MISC Real Player realtext long URI request -3823 || WEB-MISC Real Player realtext file bad version buffer overflow attempt || bugtraq,14048 || cve,2005-1766 -3824 || SMTP AUTH user overflow attempt || bugtraq,13772 -3825 || POLICY AOL Instant Messenger Message Send -3826 || POLICY AOL Instant Messenger Message Receive -3827 || WEB-PHP xmlrpc.php post attempt || bugtraq,14088 || cve,2005-1921 diff -Nru snort-2.9.0.1/rules/smtp.rules snort-2.9.2/rules/smtp.rules --- snort-2.9.0.1/rules/smtp.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/smtp.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,94 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: smtp.rules,v 1.44.2.4.2.6 2005/07/22 19:19:54 mwatchinski Exp $
-#-----------
-# SMTP RULES
-#-----------
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
-alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:11;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:14;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:15;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:17;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:15;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND 
FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:6;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:6;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML 
FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; 
reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:4;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:5;) -alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; 
content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:7;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:7;)
-
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:5;)
-alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:5;)
-
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:13;)
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:6;)
-alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From command overflow attempt"; flow:to_server,established; content:"From"; nocase; pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Sender command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:2;)
diff -Nru snort-2.9.0.1/rules/snmp.rules snort-2.9.2/rules/snmp.rules
--- snort-2.9.0.1/rules/snmp.rules	2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/snmp.rules	1969-12-31 16:00:00.000000000 -0800
@@ -1,39 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: snmp.rules,v 1.17.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-# ---------------
-# SNMP RULES
-# ---------------
-#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
-alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
-alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)
diff -Nru snort-2.9.0.1/rules/snort.conf snort-2.9.2/rules/snort.conf
--- snort-2.9.0.1/rules/snort.conf 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/snort.conf 1969-12-31 16:00:00.000000000 -0800
@@ -1,753 +0,0 @@ -#-------------------------------------------------- -# http://www.snort.org Snort 2.4.0 config file -# Contact: snort-sigs@lists.sourceforge.net -#-------------------------------------------------- -# $Id: snort.conf,v 1.144.2.9.2.10 2005/07/22 15:10:16 roesch Exp $ -# -################################################### -# This file contains a sample snort configuration. -# You can take the following steps to create your own custom configuration: -# -# 1) Set the variables for your network -# 2) Configure preprocessors -# 3) Configure output plugins -# 4) Add any runtime config directives -# 5) Customize your rule set -# -################################################### -# Step #1: Set the network variables: -# -# You must change the following variables to reflect your local network. The -# variable is currently setup for an RFC 1918 address space. -# -# You can specify it explicitly as: -# -# var HOME_NET 10.1.1.0/24 -# -# or use global variable $<interfacename>_ADDRESS which will be always -# initialized to IP address and netmask of the network interface which you run -# snort at. Under Windows, this must be specified as -# $(<interfacename>_ADDRESS), such as: -# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) -# -# var HOME_NET $eth0_ADDRESS -# -# You can specify lists of IP addresses for HOME_NET -# by separating the IPs with commas like this: -# -# var HOME_NET [10.1.1.0/24,192.168.1.0/24] -# -# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! -# -# or you can specify the variable to be any IP address -# like this: - -var HOME_NET any - -# Set up the external network addresses as well. A good start may be "any" -var EXTERNAL_NET any - -# Configure your server lists. This allows snort to only look for attacks to -# systems that have a service up. Why look for HTTP attacks if you are not -# running a web server? 
This allows quick filtering based on IP addresses -# These configurations MUST follow the same configuration scheme as defined -# above for $HOME_NET. - -# List of DNS servers on your network -var DNS_SERVERS $HOME_NET - -# List of SMTP servers on your network -var SMTP_SERVERS $HOME_NET - -# List of web servers on your network -var HTTP_SERVERS $HOME_NET - -# List of sql servers on your network -var SQL_SERVERS $HOME_NET - -# List of telnet servers on your network -var TELNET_SERVERS $HOME_NET - -# List of snmp servers on your network -var SNMP_SERVERS $HOME_NET - -# Configure your service ports. This allows snort to look for attacks destined -# to a specific application only on the ports that application runs on. For -# example, if you run a web server on port 8081, set your HTTP_PORTS variable -# like this: -# -# var HTTP_PORTS 8081 -# -# Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. -# We will adding support for a real list of ports in the future. - -# Ports you run web servers on -# -# Please note: [80,8080] does not work. -# If you wish to define multiple HTTP ports, -# -## var HTTP_PORTS 80 -## include somefile.rules -## var HTTP_PORTS 8080 -## include somefile.rules -var HTTP_PORTS 80 - -# Ports you want to look for SHELLCODE on. -var SHELLCODE_PORTS !80 - -# Ports you do oracle attacks on -var ORACLE_PORTS 1521 - -# other variables -# -# AIM servers. AOL has a habit of adding new AIM servers, so instead of -# modifying the signatures when they do, we add them to this list of servers. 
-var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] - -# Path to your rules files (this can be a relative path) -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\rules -var RULE_PATH ../rules - -# Configure the snort decoder -# ============================ -# -# Snort's decoder will alert on lots of things such as header -# truncation or options of unusual length or infrequently used tcp options -# -# -# Stop generic decode events: -# -# config disable_decode_alerts -# -# Stop Alerts on experimental TCP options -# -# config disable_tcpopt_experimental_alerts -# -# Stop Alerts on obsolete TCP options -# -# config disable_tcpopt_obsolete_alerts -# -# Stop Alerts on T/TCP alerts -# -# In snort 2.0.1 and above, this only alerts when a TCP option is detected -# that shows T/TCP being actively used on the network. If this is normal -# behavior for your network, disable the next option. -# -# config disable_tcpopt_ttcp_alerts -# -# Stop Alerts on all other TCPOption type events: -# -# config disable_tcpopt_alerts -# -# Stop Alerts on invalid ip options -# -# config disable_ipopt_alerts - -# Configure the detection engine -# =============================== -# -# Use a different pattern matcher in case you have a machine with very limited -# resources: -# -# config detection: search-method lowmem - -# Configure Inline Resets -# ======================== -# -# If running an iptables firewall with snort in InlineMode() we can now -# perform resets via a physical device. We grab the indev from iptables -# and use this for the interface on which to send resets. This config -# option takes an argument for the src mac address you want to use in the -# reset packet. This way the bridge can remain stealthy. If the src mac -# option is not set we use the mac address of the indev device. 
If we -# don't set this option we will default to sending resets via raw socket, -# which needs an ipaddress to be assigned to the int. -# -# config layer2resets: 00:06:76:DD:5F:E3 - -################################################### -# Step #2: Configure preprocessors -# -# General configuration for preprocessors is of -# the form -# preprocessor <name_of_processor>: <configuration_options> - -# Configure Flow tracking module -# ------------------------------- -# -# The Flow tracking module is meant to start unifying the state keeping -# mechanisms of snort into a single place. Right now, only a portscan detector -# is implemented but in the long term, many of the stateful subsystems of -# snort will be migrated over to becoming flow plugins. This must be enabled -# for flow-portscan to work correctly. -# -# See README.flow for additional information -# -preprocessor flow: stats_interval 0 hash 2 - -# frag2: IP defragmentation support -# ------------------------------- -# This preprocessor performs IP defragmentation. This plugin will also detect -# people launching fragmentation attacks (usually DoS) against hosts. No -# arguments loads the default configuration of the preprocessor, which is a 60 -# second timeout and a 4MB fragment buffer. 
- -# The following (comma delimited) options are available for frag2 -# timeout [seconds] - sets the number of [seconds] that an unfinished -# fragment will be kept around waiting for completion, -# if this time expires the fragment will be flushed -# memcap [bytes] - limit frag2 memory usage to [number] bytes -# (default: 4194304) -# -# min_ttl [number] - minimum ttl to accept -# -# ttl_limit [number] - difference of ttl to accept without alerting -# will cause false positves with router flap -# -# Frag2 uses Generator ID 113 and uses the following SIDS -# for that GID: -# SID Event description -# ----- ------------------- -# 1 Oversized fragment (reassembled frag > 64k bytes) -# 2 Teardrop-type attack - -#preprocessor frag2 - -# frag3: Target-based IP defragmentation -# -------------------------------------- -# -# Frag3 is a brand new IP defragmentation preprocessor that is capable of -# performing "target-based" processing of IP fragments. Check out the -# README.frag3 file in the doc directory for more background and configuration -# information. -# -# Frag3 configuration is a two step process, a global initialization phase -# followed by the definition of a set of defragmentation engines. -# -# Global configuration defines the number of fragmented packets that Snort can -# track at the same time and gives you options regarding the memory cap for the -# subsystem or, optionally, allows you to preallocate all the memory for the -# entire frag3 system. -# -# frag3_global options: -# max_frags: Maximum number of frag trackers that may be active at once. -# Default value is 8192. -# memcap: Maximum amount of memory that frag3 may access at any given time. -# Default value is 4MB. -# prealloc_frags: Maximum number of individual fragments that may be processed -# at once. This is instead of the memcap system, uses static -# allocation to increase performance. No default value. Each -# preallocated fragment eats ~1550 bytes. 
-# -# Target-based behavior is attached to an engine as a "policy" for handling -# overlaps and retransmissions as enumerated in the Paxson paper. There are -# currently five policy types available: "BSD", "BSD-right", "First", "Linux" -# and "Last". Engines can be bound to bound to standard Snort CIDR blocks or -# IP lists. -# -# frag3_engine options: -# timeout: Amount of time a fragmented packet may be active before expiring. -# Default value is 60 seconds. -# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. -# Based on the initial received fragment TTL. -# min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this -# value will be discarded. Default value is 0. -# detect_anomalies: Activates frag3's anomaly detection mechanisms. -# policy: Target-based policy to assign to this engine. Default is BSD. -# bind_to: IP address set to bind this engine to. Default is all hosts. -# -# Frag3 configuration example: -#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144 -#preprocessor frag3_engine: policy linux \ -# bind_to [10.1.1.12/32,10.1.1.13/32] \ -# detect_anomalies -#preprocessor frag3_engine: policy first \ -# bind_to 10.2.1.0/24 \ -# detect_anomalies -#preprocessor frag3_engine: policy last \ -# bind_to 10.3.1.0/24 -#preprocessor frag3_engine: policy bsd - -preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy first detect_anomalies - - -# stream4: stateful inspection/stream reassembly for Snort -#---------------------------------------------------------------------- -# Use in concert with the -z [all|est] command line switch to defeat stick/snot -# against TCP rules. Also performs full TCP stream reassembly, stateful -# inspection of TCP streams, etc. Can statefully detect various portscan -# types, fingerprinting, ECN, etc. 
- -# stateful inspection directive -# no arguments loads the defaults (timeout 30, memcap 8388608) -# options (options are comma delimited): -# detect_scans - stream4 will detect stealth portscans and generate alerts -# when it sees them when this option is set -# detect_state_problems - detect TCP state problems, this tends to be very -# noisy because there are a lot of crappy ip stack -# implementations out there -# -# disable_evasion_alerts - turn off the possibly noisy mitigation of -# overlapping sequences. -# -# -# min_ttl [number] - set a minium ttl that snort will accept to -# stream reassembly -# -# ttl_limit [number] - differential of the initial ttl on a session versus -# the normal that someone may be playing games. -# Routing flap may cause lots of false positives. -# -# keepstats [machine|binary] - keep session statistics, add "machine" to -# get them in a flat format for machine reading, add -# "binary" to get them in a unified binary output -# format -# noinspect - turn off stateful inspection only -# timeout [number] - set the session timeout counter to [number] seconds, -# default is 30 seconds -# max_sessions [number] - limit the number of sessions stream4 keeps -# track of -# memcap [number] - limit stream4 memory usage to [number] bytes -# log_flushed_streams - if an event is detected on a stream this option will -# cause all packets that are stored in the stream4 -# packet buffers to be flushed to disk. This only -# works when logging in pcap mode! -# server_inspect_limit [bytes] - Byte limit on server side inspection. 
-# flush_behavior [number] - -# number > 0 use old static flushpoints (default) -# number = 0 use new larger static flushpoints -# number < 0 use random flushpoints defined by flush_base, flush_seed -# and flush_range -# flush_base [number] - lowest allowed random flushpoint (512 by default) -# flush_range [number] - number is the space within which random flushpoints -# are generated (default 1213) -# flush_seed [number] - seed for the random number generator, defaults to -# Snort PID + time -# -# Using the default random flushpoints, the smallest flushpoint is 512, -# and the largest is 1725 bytes. -# -# Stream4 uses Generator ID 111 and uses the following SIDS -# for that GID: -# SID Event description -# ----- ------------------- -# 1 Stealth activity -# 2 Evasive RST packet -# 3 Evasive TCP packet retransmission -# 4 TCP Window violation -# 5 Data on SYN packet -# 6 Stealth scan: full XMAS -# 7 Stealth scan: SYN-ACK-PSH-URG -# 8 Stealth scan: FIN scan -# 9 Stealth scan: NULL scan -# 10 Stealth scan: NMAP XMAS scan -# 11 Stealth scan: Vecna scan -# 12 Stealth scan: NMAP fingerprint scan stateful detect -# 13 Stealth scan: SYN-FIN scan -# 14 TCP forward overlap - -preprocessor stream4: disable_evasion_alerts - -# tcp stream reassembly directive -# no arguments loads the default configuration -# Only reassemble the client, -# Only reassemble the default list of ports (See below), -# Give alerts for "bad" streams -# -# Available options (comma delimited): -# clientonly - reassemble traffic for the client side of a connection only -# serveronly - reassemble traffic for the server side of a connection only -# both - reassemble both sides of a session -# noalerts - turn off alerts from the stream reassembly stage of stream4 -# ports [list] - use the space separated list of ports in [list], "all" -# will turn on reassembly for all ports, "default" will turn -# on reassembly for ports 21, 23, 25, 42, 53, 80, 110, -# 111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521, -# 
and 3306 -# favor_old - favor an old segment (based on sequence number) over a new one. -# This is the default. -# favor_new - favor an new segment (based on sequence number) over an old one. -preprocessor stream4_reassemble - -# Performance Statistics -# ---------------------- -# Documentation for this is provided in the Snort Manual. You should read it. -# It is included in the release distribution as doc/snort_manual.pdf -# -preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 - -# http_inspect: normalize and detect HTTP traffic and protocol anomalies -# -# lots of options available here. See doc/README.http_inspect. -# unicode.map should be wherever your snort.conf lives, or given -# a full path to where snort can find it. -preprocessor http_inspect: global \ - iis_unicode_map unicode.map 1252 - -preprocessor http_inspect_server: server default \ - profile all ports { 80 8080 8180 } oversize_dir_length 500 - -# -# Example unqiue server configuration -# -#preprocessor http_inspect_server: server 1.1.1.1 \ -# ports { 80 3128 8080 } \ -# flow_depth 0 \ -# ascii no \ -# double_decode yes \ -# non_rfc_char { 0x00 } \ -# chunk_length 500000 \ -# non_strict \ -# oversize_dir_length 300 \ -# no_alerts - - -# rpc_decode: normalize RPC traffic -# --------------------------------- -# RPC may be sent in alternate encodings besides the usual 4-byte encoding -# that is used by default. This plugin takes the port numbers that RPC -# services are running on as arguments - it is assumed that the given ports -# are actually running this type of service. If not, change the ports or turn -# it off. 
-# The RPC decode preprocessor uses generator ID 106 -# -# arguments: space separated list -# alert_fragments - alert on any rpc fragmented TCP data -# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet -# no_alert_large_fragments - don't alert when the fragmented -# sizes exceed the current packet size -# no_alert_incomplete - don't alert when a single segment -# exceeds the current packet size - -preprocessor rpc_decode: 111 32771 - -# bo: Back Orifice detector -# ------------------------- -# Detects Back Orifice traffic on the network. Takes no arguments in 2.0. -# -# The Back Orifice detector uses Generator ID 105 and uses the -# following SIDS for that GID: -# SID Event description -# ----- ------------------- -# 1 Back Orifice traffic detected - -preprocessor bo - -# telnet_decode: Telnet negotiation string normalizer -# --------------------------------------------------- -# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp -# traffic. It works in much the same way as the http_decode preprocessor, -# searching for traffic that breaks up the normal data stream of a protocol and -# replacing it with a normalized representation of that traffic so that the -# "content" pattern matching keyword can work without requiring modifications. -# This preprocessor requires no arguments. -# Portscan uses Generator ID 109 and does not generate any SID currently. - -preprocessor telnet_decode - -# sfPortscan -# ---------- -# Portscan detection module. Detects various types of portscans and -# portsweeps. For more information on detection philosophy, alert types, -# and detailed portscan information, please refer to the README.sfportscan. -# -# -configuration options- -# proto { tcp udp icmp ip_proto all } -# The arguments to the proto option are the types of protocol scans that -# the user wants to detect. Arguments should be separated by spaces and -# not commas. 
-# scan_type { portscan portsweep decoy_portscan distributed_portscan all } -# The arguments to the scan_type option are the scan types that the -# user wants to detect. Arguments should be separated by spaces and not -# commas. -# sense_level { low|medium|high } -# There is only one argument to this option and it is the level of -# sensitivity in which to detect portscans. The 'low' sensitivity -# detects scans by the common method of looking for response errors, such -# as TCP RSTs or ICMP unreachables. This level requires the least -# tuning. The 'medium' sensitivity level detects portscans and -# filtered portscans (portscans that receive no response). This -# sensitivity level usually requires tuning out scan events from NATed -# IPs, DNS cache servers, etc. The 'high' sensitivity level has -# lower thresholds for portscan detection and a longer time window than -# the 'medium' sensitivity level. Requires more tuning and may be noisy -# on very active networks. However, this sensitivity levels catches the -# most scans. -# memcap { positive integer } -# The maximum number of bytes to allocate for portscan detection. The -# higher this number the more nodes that can be tracked. -# logfile { filename } -# This option specifies the file to log portscan and detailed portscan -# values to. If there is not a leading /, then snort logs to the -# configured log directory. Refer to README.sfportscan for details on -# the logged values in the logfile. -# watch_ip { Snort IP List } -# ignore_scanners { Snort IP List } -# ignore_scanned { Snort IP List } -# These options take a snort IP list as the argument. The 'watch_ip' -# option specifies the IP(s) to watch for portscan. The -# 'ignore_scanners' option specifies the IP(s) to ignore as scanners. -# Note that these hosts are still watched as scanned hosts. The -# 'ignore_scanners' option is used to tune alerts from very active -# hosts such as NAT, nessus hosts, etc. 
The 'ignore_scanned' option -# specifies the IP(s) to ignore as scanned hosts. Note that these hosts -# are still watched as scanner hosts. The 'ignore_scanned' option is -# used to tune alerts from very active hosts such as syslog servers, etc. -# -preprocessor sfportscan: proto { all } \ - memcap { 10000000 } \ - sense_level { low } - -# arpspoof -#---------------------------------------- -# Experimental ARP detection code from Jeff Nathan, detects ARP attacks, -# unicast ARP requests, and specific ARP mapping monitoring. To make use of -# this preprocessor you must specify the IP and hardware address of hosts on -# the same layer 2 segment as you. Specify one host IP MAC combo per line. -# Also takes a "-unicast" option to turn on unicast ARP request detection. -# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: - -# SID Event description -# ----- ------------------- -# 1 Unicast ARP request -# 2 Etherframe ARP mismatch (src) -# 3 Etherframe ARP mismatch (dst) -# 4 ARP cache overwrite attack - -#preprocessor arpspoof -#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 - -# X-Link2State mini-preprocessor -# ------------------------------ -# This preprocessor will catch the X-Link2State vulnerability -# (www.microsoft.com/technet/security/bulletin/MS05-021.mspx). -# -# Format: -# preprocessor xlink2state: ports { <port> [<port> <...>] } [drop] -# -# "drop" will drop the attack if in Inline-mode. - -# SID Event description -# ----- ------------------- -# 1 X-Link2State length greater than 1024 - -preprocessor xlink2state: ports { 25 691 } - -#################################################################### -# Step #3: Configure output plugins -# -# Uncomment and configure the output plugins you decide to use. 
General -# configuration for output plugins is of the form: -# -# output <name_of_plugin>: <configuration_options> -# -# alert_syslog: log alerts to syslog -# ---------------------------------- -# Use one or more syslog facilities as arguments. Win32 can also optionally -# specify a particular hostname/port. Under Win32, the default hostname is -# '127.0.0.1', and the default port is 514. -# -# [Unix flavours should use this format...] -# output alert_syslog: LOG_AUTH LOG_ALERT -# -# [Win32 can use any of these formats...] -# output alert_syslog: LOG_AUTH LOG_ALERT -# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT -# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT - -# log_tcpdump: log packets in binary tcpdump format -# ------------------------------------------------- -# The only argument is the output file name. -# -# output log_tcpdump: tcpdump.log - -# database: log to a variety of databases -# --------------------------------------- -# See the README.database file for more information about configuring -# and using this plugin. -# -# output database: log, mysql, user=root password=test dbname=db host=localhost -# output database: alert, postgresql, user=snort dbname=snort -# output database: log, odbc, user=snort dbname=snort -# output database: log, mssql, dbname=snort user=snort password=test -# output database: log, oracle, dbname=snort user=snort password=test - -# unified: Snort unified binary format alerting and logging -# ------------------------------------------------------------- -# The unified output plugin provides two new formats for logging and generating -# alerts from Snort, the "unified" format. The unified format is a straight -# binary format for logging data out of Snort that is designed to be fast and -# efficient. Used with barnyard (the new alert/log processor), most of the -# overhead for logging and alerting to various slow storage mechanisms such as -# databases or the network can now be avoided. 
-# -# Check out the spo_unified.h file for the data formats. -# -# Two arguments are supported. -# filename - base filename to write to (current time_t is appended) -# limit - maximum size of spool file in MB (default: 128) -# -# output alert_unified: filename snort.alert, limit 128 -# output log_unified: filename snort.log, limit 128 - - -# prelude: log to the Prelude Hybrid IDS system -# --------------------------------------------- -# -# output prelude: profile=snort -# profile = Name of the Prelude profile to use (default is snort). -# config = Optional name of a specific prelude configuration file to use for snort. -# -# Snort priority to IDMEF severity mappings: -# high < medium < low < info -# -# info = 4 -# low = 3 -# medium = 2 -# high = anything below medium -# -# These are the default mapped from classification.config. -# -# output alert_prelude - - -# You can optionally define new rule types and associate one or more output -# plugins specifically to that type. -# -# This example will create a type that will log to just tcpdump. 
-# ruletype suspicious -# { -# type log -# output log_tcpdump: suspicious.log -# } -# -# EXAMPLE RULE FOR SUSPICIOUS RULETYPE: -# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) -# -# This example will create a rule type that will log to syslog and a mysql -# database: -# ruletype redalert -# { -# type alert -# output alert_syslog: LOG_AUTH LOG_ALERT -# output database: log, mysql, user=snort dbname=snort host=localhost -# } -# -# EXAMPLE RULE FOR REDALERT RULETYPE: -# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ -# (msg:"Someone is being LEET"; flags:A+;) - -# -# Include classification & priority settings -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\etc\classification.config -# - -include classification.config - -# -# Include reference systems -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\etc\reference.config -# - -include reference.config - -#################################################################### -# Step #4: Configure snort with config statements -# -# See the snort manual for a full set of configuration references -# -# config flowbits_size: 64 -# -# New global ignore_ports config option from Andy Mullican -# -# config ignore_ports: <tcp|udp> <list of ports separated by whitespace> -# config ignore_ports: tcp 21 6667:6671 1356 -# config ignore_ports: udp 1:17 53 - - -#################################################################### -# Step #5: Customize your rule set -# -# Up to date snort rules are available at http://www.snort.org -# -# The snort web site has documentation about how to write your own custom snort -# rules. 
- -#========================================= -# Include all relevant rulesets here -# -# The following rulesets are disabled by default: -# -# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus, -# chat, multimedia, and p2p -# -# These rules are either site policy specific or require tuning in order to not -# generate false positive alerts in most enviornments. -# -# Please read the specific include file for more information and -# README.alert_order for how rule ordering affects how alerts are triggered. -#========================================= - -include $RULE_PATH/local.rules -include $RULE_PATH/bad-traffic.rules -include $RULE_PATH/exploit.rules -include $RULE_PATH/scan.rules -include $RULE_PATH/finger.rules -include $RULE_PATH/ftp.rules -include $RULE_PATH/telnet.rules -include $RULE_PATH/rpc.rules -include $RULE_PATH/rservices.rules -include $RULE_PATH/dos.rules -include $RULE_PATH/ddos.rules -include $RULE_PATH/dns.rules -include $RULE_PATH/tftp.rules - -include $RULE_PATH/web-cgi.rules -include $RULE_PATH/web-coldfusion.rules -include $RULE_PATH/web-iis.rules -include $RULE_PATH/web-frontpage.rules -include $RULE_PATH/web-misc.rules -include $RULE_PATH/web-client.rules -include $RULE_PATH/web-php.rules - -include $RULE_PATH/sql.rules -include $RULE_PATH/x11.rules -include $RULE_PATH/icmp.rules -include $RULE_PATH/netbios.rules -include $RULE_PATH/misc.rules -include $RULE_PATH/attack-responses.rules -include $RULE_PATH/oracle.rules -include $RULE_PATH/mysql.rules -include $RULE_PATH/snmp.rules - -include $RULE_PATH/smtp.rules -include $RULE_PATH/imap.rules -include $RULE_PATH/pop2.rules -include $RULE_PATH/pop3.rules - -include $RULE_PATH/nntp.rules -include $RULE_PATH/other-ids.rules -# include $RULE_PATH/web-attacks.rules -# include $RULE_PATH/backdoor.rules -# include $RULE_PATH/shellcode.rules -# include $RULE_PATH/policy.rules -# include $RULE_PATH/porn.rules -# include $RULE_PATH/info.rules -# include $RULE_PATH/icmp-info.rules 
- include $RULE_PATH/virus.rules -# include $RULE_PATH/chat.rules -# include $RULE_PATH/multimedia.rules -# include $RULE_PATH/p2p.rules -include $RULE_PATH/experimental.rules - -# Include any thresholding or suppression commands. See threshold.conf in the -# <snort src>/etc directory for details. Commands don't necessarily need to be -# contained in this conf, but a separate conf makes it easier to maintain them. -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\etc\threshold.conf -# Uncomment if needed. -# include threshold.conf diff -Nru snort-2.9.0.1/rules/sql.rules snort-2.9.2/rules/sql.rules --- snort-2.9.0.1/rules/sql.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/sql.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,78 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: sql.rules,v 1.28.2.3.2.4 2005/07/22 19:19:54 mwatchinski Exp $
-#----------
-# SQL RULES
-#----------
-
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:708; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:1386; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:702; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:703; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:11;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:690; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:695; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:696; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:697; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:698; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:700; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:674; rev:8;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:675; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:682; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:691; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:5;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:699; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:701; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:705; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:706; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:707; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:1759; rev:5;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:10;)
-alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:9;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:8;)
-alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:7;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flowbits:isnotset,ms_sql_seen_dns; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:8;)
-alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:6;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 4 requests"; content:"|00 04|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3446; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 9 requests"; content:"|00 09|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3451; rev:3;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 5 requests"; content:"|00 05|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3447; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 2 requests"; content:"|00 02|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3444; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 1 requests"; content:"|00 01|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3443; rev:3;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 10 requests"; content:"|00 0A|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3452; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 6 requests"; content:"|00 06|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3448; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 3 requests"; content:"|00 03|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3445; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 8 requests"; content:"|00 08|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3450; rev:3;)
-# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 7 requests"; content:"|00 07|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3449; rev:3;)
diff -Nru snort-2.9.0.1/rules/telnet.rules snort-2.9.2/rules/telnet.rules
--- snort-2.9.0.1/rules/telnet.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/telnet.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,42 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $
-#-------------
-# TELNET RULES
-#-------------
-#
-# These signatures are based on various telnet exploits and unpassword
-# protected accounts.
-#
-
-
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;)
diff -Nru snort-2.9.0.1/rules/tftp.rules snort-2.9.2/rules/tftp.rules
--- snort-2.9.0.1/rules/tftp.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/tftp.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,39 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $
-#-----------
-# TFTP RULES
-#-----------
-#
-# These signatures are based on TFTP traffic. These include malicious files
-# that are distributed via TFTP.
-#
-# The last two signatures refer to generic GET and PUT via TFTP, which is
-# generally frowned upon on most networks, but may be used in some enviornments
-
-alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
-alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
-alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
-alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
-alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
-alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
diff -Nru snort-2.9.0.1/rules/threshold.conf snort-2.9.2/rules/threshold.conf
--- snort-2.9.0.1/rules/threshold.conf 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/threshold.conf 1969-12-31 16:00:00.000000000 -0800
@@ -1,61 +0,0 @@
-# Configure Thresholding and Suppression
-# ======================================
-#
-# Thresholding:
-#
-# This feature is used to reduce the number of logged alerts for noisy rules.
-# This can be tuned to significantly reduce false alarms, and it can also be
-# used to write a newer breed of rules. Thresholding commands limit the number
-# of times a particular event is logged during a specified time interval.
-# There are 3 types of thresholding:
-#
-# 1) Limit
-# Alert on the 1st M events during the time interval, then ignore
-# events
-# for the rest of the time interval.
-# 2) Threshold
-# Alert every M times we see this event during the time interval.
-# 3) Both
-# Alert once per time interval after seeing M occurrences of the
-# event,
-# then ignore any additional events during the time interval.
-#
-# Threshold commands are formatted as:
-# threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track
-# by_src|by_dst, count n , seconds m
-#
-# Limit to logging 1 event per 60 seconds
-# threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds
-# 60
-
-# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
-# each rule (rules are gen_id 1).
-# threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
-
-# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
-# any alert for any event generator
-# threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
-#
-# Thresholding does not need to be a stand-alone command, and can instead be
-# written directly into a rule. Please see README.thresholding for more
-# information on thresholding.
-#
-# Suppression:
-#
-# Suppression commands are standalone commands that reference generators and
-# sids and IP addresses via a CIDR block. This allows a rule to be completely
-# suppressed, or suppressed when the causitive traffic is going to or comming
-# from a specific IP or group of IP addresses.
-#
-# Suppress this event completely
-#
-# suppress gen_id 1, sig_id 1852
-#
-# Suppress this event from this IP
-#
-# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
-#
-# Suppress this event to this CIDR block
-#
-# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
-
diff -Nru snort-2.9.0.1/rules/unicode.map snort-2.9.2/rules/unicode.map
--- snort-2.9.0.1/rules/unicode.map 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/unicode.map 1969-12-31 16:00:00.000000000 -0800
@@ -1,104 +0,0 @@ -# Windows Version: 5.00.2195 -# OEM codepage: 437 -# ACP codepage: 1252 - -# INSTALLED CODEPAGES -10000 (MAC - Roman) - - -10079 (MAC - Icelandic) - - -1250 (ANSI - Central Europe) -00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 
212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1251 (ANSI - Cyrillic) -00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 
ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1252 (ANSI - Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 
2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1253 (ANSI - Greek) -00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1254 
(ANSI - Turkish) -00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 
2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1255 (ANSI - Hebrew) -0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1256 (ANSI - Arabic) -00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 
ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1257 (ANSI - Baltic) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -1258 (ANSI/OEM - Viet Nam) -ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 1361 -20127 (US-ASCII) -00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -20261 (T.61) -f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f - -20866 (Russian - KOI8) -00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 
0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e - -28591 (ISO 8859-1 Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 
014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -28592 (ISO 8859-2 Central Europe) -00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 
00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d 
ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -#INVALID CODEPAGE: 28595 -#INVALID CODEPAGE: 28597 -28605 (ISO 8859-15 Latin 9) -00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a 
ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -37 (IBM EBCDIC - U.S./Canada) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f - -437 (OEM - United States) -00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 
0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -500 (IBM EBCDIC - International) -0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 
00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 - -850 (OEM - Multilingual Latin I) -0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 
2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -860 (OEM - Portuguese) -00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 
2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -861 (OEM - Icelandic) -00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 
01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -863 (OEM - Canadian French) -00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 
012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 
2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 - -865 (OEM - Nordic) -00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 
2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 - -874 (ANSI/OEM - Thai) -00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e - -932 (ANSI/OEM - Japanese Shift-JIS) -00a1:21 
00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -936 (ANSI/OEM - Simplified Chinese GBK) -00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 - -949 (ANSI/OEM - Korean) -00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c - -950 (ANSI/OEM - Traditional Chinese Big5) -00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 - -65000 (UTF-7) - - -65001 (UTF-8) - - diff -Nru snort-2.9.0.1/rules/virus.rules snort-2.9.2/rules/virus.rules --- snort-2.9.0.1/rules/virus.rules 2011-12-28 14:36:52.000000000 
-0800
+++ snort-2.9.2/rules/virus.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,35 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: virus.rules,v 1.28.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#------------
-# VIRUS RULES
-#------------
-#
-# We don't care about virus rules anymore. BUT, you people won't stop asking
-# us for virus rules. So... here ya go.
-#
-# There is now one rule that looks for any of the following attachment types:
-#
-# ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
-# eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
-# nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
-# vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
-# xlt, xlw
-#
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
diff -Nru snort-2.9.0.1/rules/VRT-License.txt snort-2.9.2/rules/VRT-License.txt
--- snort-2.9.0.1/rules/VRT-License.txt 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/VRT-License.txt 1969-12-31 16:00:00.000000000 -0800
@@ -1,326 +0,0 @@ - SOURCEFIRE, INC. - VRT CERTIFIED RULES LICENSE AGREEMENT - VERSION 1.1 - -THE VRT CERTIFIED RULES ARE LICENSED TO YOU BY SOURCEFIRE, INC. -("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE -AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "ACCEPT" BUTTON BELOW, OR -BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE -BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND -CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO -NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES. - -1. Definitions. - - 1.1. "Commercial Purpose" means the use, reproduction or distribution of - (i) the VRT Certified Rules or any Modification, or any portion of the - foregoing, or (ii) a Compilation that includes, in whole or in part, the - VRT Certified Rules or any Modification that in either case is intended - to result in a direct or indirect pecuniary gain or any other - consideration or economic benefit to any person or entity involved in - such use, reproduction or distribution. Examples of a Commercial - Purpose, include without limitation, (v) integrating the VRT Certified - Rules with other software or hardware for sale, (w) licensing the VRT - Certified Rules for a fee, (x) using the VRT Certified Rules to provide - a service to a third party, (y) selling the VRT Certified Rules, or (z) - distributing the VRT Certified Rules for use with other products or - other services. - - 1.2. "Compilation" means a work which combines the VRT Certified Rules - or any Modification or portions thereof with any services, programs, - code or other products not governed by the terms of this Agreement. - - 1.3. "Improvements" shall mean a Modification to a VRT Certified Rule - (or to a modified VRT Certified Rule) that corrects a bug, defect, or - error in such rule without affecting the overall functionality of such - VRT Certified Rule (or Modification thereof). - - 1.4. 
"Modifications" means any alteration, addition to or deletion from - the substance or structure of the VRT Certified Rules or any - Modifications of such, including, without limitation, - - (a) any addition to or deletion from the contents of a file - containing a VRT Certified Rule or a Modification; - (b) any derivative of the VRT Certified Rule or of any Modification; - or - (c) any new file that contains any part of the VRT Certified Rule or - Modifications. - - 1.5. "Permitted Use" shall have the meaning given such term in Section 2.1. - - 1.6. "Restricted Activities" shall have the meaning given such term in - Section 2.1. - - 1.7. "Snort(r) Registered User" shall mean an individual who has - registered or subscribed on www.snort.org to use the VRT Certified Rules. - - 1.8. "VRT Certified Rules" means those Snort(r) rules (in text form, - source code form, object code form and all documentation related - thereto) that have been created, developed, tested and officially - approved by Sourcefire. These rules are designated with SIDs of 3465 - - 1,000,000, except as otherwise noted in the license file. - - 1.9. "You" (or "your") means an individual exercising rights under this - Agreement. For legal entities, "you'' includes any entity which - controls, is controlled by, or is under common control with you or any - such entity you are acting on behalf of. For purposes of this - definition, "control'' means (a) the power, direct or indirect, to cause - the direction or management of such entity, whether by contract or - otherwise, or (b) ownership of more than forty percent (40%) of the - outstanding shares or beneficial ownership of such entity. - -2. Sourcefire License Grant. - - 2.1. Grant of License; Permitted Use. 
Subject to the terms and - conditions of this Agreement, Sourcefire hereby grants you a world-wide, - non-exclusive license to do any of the following with respect to the VRT - Certified Rules: - - (a) use and deploy the VRT Certified Rules on management consoles and - sensors that you manage (over which you have administrative control); - - (b) use and deploy the VRT Certified Rules on behalf of your employer - on its internal management consoles and sensors (e.g., where a valid - employer-employee relationship exists between you and a legal entity); - - (c) modify the VRT Certified Rules and use those Modifications - consistent with paragraphs (a) and (b) above; - - (d) distribute those VRT Certified Rules and any Modifications - generally available to Snort(r) Registered Users on a limited basis - to other Snort(r) Registered Users; - - (e) distribute any Improvement generally available to Snort(r) - Registered Users on mailing lists commonly used by the Snort(r) user - community as a whole; - - (f) reproduce the VRT Certified Rules as strictly necessary in - exercising your rights under this Section 2.1; and - - (g) Make the VRT Certified Rules (or any Modification) available to - your or your employer's consultants, agents and subcontractors for - the limited purpose of exercising your rights under this Section 2.1 - provided that such use is in compliance with this Agreement. - - Paragraphs (a) though (g) of this Section 2.1 are collectively referred - to as the "Permitted Uses". All rights not granted under this Agreement - are reserved by Sourcefire. - - 2.2. Limitations on License; Restricted Activities. You recognize and - agree that the VRT Certified Rules are the property of Sourcefire, - contain valuable assets and proprietary information and property of - Sourcefire, and are provided to you under the terms and conditions of - this Agreement. 
Notwithstanding anything to the contrary in this - Agreement, You agree that you shall NOT do any of the following without - Sourcefire's prior written consent: - - (a) use, deploy, perform, modify, license, display, reproduce or - distribute the VRT Certified Rules or Modifications (even if merged - with other materials as a Compilation) other than as allowed under a - Permitted Use; - - (b) sell, license, transfer, rent, loan, use, modify, reproduce or - disclose the VRT Certified Rules or any Modifications (in whole or in - part and whether done independently or as part of a Compilation) for - a Commercial Purpose; - - (c) post or make generally available any VRT Certified Rule (in whole - or in part or any Modifications thereto) to individuals or a group of - individuals who have not agreed to the terms and conditions of this - Agreement, provided, however, that nothing in this Section 2.2(c) - shall preclude the Permitted Use in Section 2.1(e); - - (d) share any user authentication information and/or password - provided to you by Sourcefire with any third party to allow such - party access your snort.org account or to otherwise access the VRT - Certified Rules; - - (e) alter or remove any copyright notice or proprietary legend - contained in or on the VRT Certified Rules. - - Paragraphs (a) though (e) of this Section 2.2 are collectively referred - to as the "Restricted Activities"). - - 2.3. Reproduction Obligations. You agree that any embodiment of the VRT - Certified Rules permitted under this Agreement will contain the notices - set forth in Exhibit A. 
In addition, to the extent you make any copies
- of or distribute the VRT Certified Rules or any Modifications under this
- Agreement, you agree to ensure that any and all such copies shall contain:
-
- (a) a copy of an appropriate copyright notice and all other
- applicable proprietary legends;
-
- (b) a disclaimer of any warranty consistent with this Agreement; and
-
- (c) any and all notices referencing this Agreement and absence of warranties.
-
-3. Modifications; Derivative Works. In the event you create a
-Modification, the use, reproduction and distribution of such
-Modifications shall be governed by the terms and conditions of this
-Agreement. Additionally, you hereby grant Sourcefire and any other
-licensee of the VRT Certified Rules an irrevocable, perpetual, fully
-paid-up, world-wide, royalty-free, non-exclusive license to use,
-reproduce, modify, display, perform and distribute such Modifications
-(and the source code thereto), provided, however, that you and any
-recipient of such Modifications must include:
-
- (a) the original copyright notice and all other applicable
- proprietary legends;
-
- (b) the original warranty disclaimer;
-
- (c) the original notices referencing this Agreement and absence of
- warranties; and
-
- (d) a prominent notice stating that you changed the VRT Certified
- Rule (or any Modification thereto) and the date of any change.
-
-4. Distribution Obligations.
-
- 4.1. General. The source code version of the VRT Certified Rules (or
- any Modification thereof) may be distributed only under the terms of
- this Agreement, and you must include a copy of this Agreement with every
- copy of the VRT Certified Rules you distribute.
-
- 4.2. Required Notices. You must duplicate the notice in Exhibit A in
- each file of the source code. If it is not possible to put such notice
- in a particular source code file due to its structure, then you must
- include such notice in a location (such as a relevant directory) where a
- user would be likely to look for such a notice. If you created one or
- more Modification(s) you may add your name as a contributor to the
- notice described in Exhibit A. You must also duplicate this Agreement in
- any documentation for the source code where you describe recipients'
- rights or ownership rights relating to the VRT Certified Rules. To the
- extent you offer additional warranty, support, indemnity or liability
- obligations, you may do so only on your own behalf, and not on behalf of
- Sourcefire. You must make it absolutely clear that any such warranty,
- support, indemnity or liability obligation is offered by you alone, and
- you hereby agree to indemnify and hold Sourcefire harmless for any
- liability incurred by Sourcefire as a result of any warranty, support,
- indemnity or liability terms you offer.
-
-5. Inability to Comply Due to Statute or Regulation. If it is
-impossible for you to comply with any of the terms of this Agreement
-with respect to some or all of the VRT Certified Rules due to statute,
-judicial order, or regulation then you must: (a) comply with the terms
-of this Agreement to the maximum extent possible; and (b) describe the
-limitations and the code they affect. Such description must be included
-with all distributions of the source code. Except to the extent
-prohibited by statute or regulation, such description must be
-sufficiently detailed for a recipient of ordinary skill to be able to
-understand it.
-
-6. Application of this Agreement. This Agreement also applies to code
-to which Sourcefire has attached the notice in Exhibit A and to related
-Modifications created under Section 3.
-
-7. Versions of the Agreement.
-
- 7.1. New Versions. Sourcefire may publish revised and/or new versions
- of the Agreement from time to time. Each version will be given a
- distinguishing version number.
-
- 7.2. Effect of New Versions. Once a VRT Certified Rule has been
- published under a particular version of the Agreement, you may always
- continue to use it under the terms of that version. You may also choose
- to use such VRT Certified Rule under the terms of any subsequent version
- of the Agreement published by Sourcefire. No one other than Sourcefire
- has the right to modify the terms applicable to a VRT Certified Rule.
-
-8. DISCLAIMER OF WARRANTY. THE VRT CERTIFIED RULES AND MODIFICATIONS IS
-ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION,
-WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF
-DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
-THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED
-RULES AND MODIFICATIONS IS WITH YOU. SHOULD THE VRT CERTIFIED RULES OR
-MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE)
-ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS
-DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT.
-NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED
-HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
-
-9. Termination. This Agreement and the rights granted hereunder will
-terminate automatically if you fail to comply with any or all of the
-terms herein and fail to cure such breach within 30 days of becoming
-aware of the breach. All sublicenses to the VRT Certified Rules, which
-are properly granted, shall survive any termination of this Agreement.
-Provisions which, by their nature, must remain in effect beyond the
-termination of this Agreement shall survive.
-
-10. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
-THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
-SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT,
-SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
-INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
-STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR
-MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY
-SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
-LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW
-PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE
-EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
-EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
-
-11. Audit Rights. You will, from time to time and as requested by
-Sourcefire, provide assurances to Sourcefire that you are using the VRT
-Certified Rules consistent with a Permitted Use, and you grant
-Sourcefire access, at reasonable times and in a reasonable manner, to
-the VRT Certified Rules in your possession or control, and to your
-books, records and facilities to permit Sourcefire to verify appropriate
-use of the VRT Certified Rules and compliance with this Agreement.
-Sourcefire's non-exercise of this right, or its failure to discover or
-object to any inappropriate use or other breach of this Agreement by
-you, shall not constitute its consent thereto or waiver of Sourcefire's
-rights hereunder or under law. In the event your use of the VRT
-Certified Rules is not in compliance with a Permitted Use, or if you
-otherwise violate the terms of this Agreement, Sourcefire may, since
-remedies at law may be inadequate, in addition to its other remedies:
-(a) demand return of the VRT Certified Rules; (b) forbid and enjoin your
-further use of the VRT Certified Rules; (c) assess you the cost of
-Sourcefire's inspection and enforcement efforts (including attorney
-fees); and/or (d) assess you a use fee appropriate to your actual use of
-the VRT Certified Rules.
-
-12. United States Government Users. If the VRT Certified Rules or
-Modifications are being acquired by or on behalf of the U.S. Government
-or by a U.S. Government prime contractor or subcontractor (at any tier),
-then the Government's rights in the VRT Certified Rules and
-Modifications shall be subject to Sourcefire's standard commercial terms
-and only as set forth in this Agreement; and only with "Limited Rights"
-and "Restricted Rights" as defined the federal regulations if the
-commercial terms are deemed not to apply..
-
-13. Miscellaneous. This Agreement represents the complete agreement
-concerning subject matter hereof. If any provision of this Agreement is
-held to be unenforceable, such provision shall be reformed only to the
-extent necessary to make it enforceable. This Agreement shall be
-governed by Maryland law provisions (except to the extent applicable
-law, if any, provides otherwise), excluding its conflict-of-law
-provisions. Any litigation relating to this Agreement shall be subject
-to the jurisdiction of the state and Federal Courts serving Greenbelt,
-Maryland, with the losing party responsible for costs, including without
-limitation, court costs and reasonable attorneys' fees and expenses.
-You hereby submit to jurisdiction and venue in such courts. The
-application of the United Nations Convention on Contracts for the
-International Sale of Goods is expressly excluded. Any law or regulation
-which provides that the language of a contract shall be construed
-against the drafter shall not apply to this Agreement. Headings and
-section references are used for reference only and shall not be used
-define, limit or describe such section.
-
-EXHIBIT A - VRT Certified Rules License Agreement
-The contents of this file are subject to the VRT Certified Rules License
-Agreement 1.1 (the "Agreement"). You may not use this file except in
-compliance with the Agreement. You may obtain a copy of the Agreement
-at www.snort.org.
-Software distributed under the Agreement is distributed on an "AS IS"
-basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
-Agreement for the specific language governing rights and limitations
-under the Agreement.
-The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware
-corporation.
-Contributor:
-2005(c) Sourcefire, Inc. All Rights Reserved. Snort(r), Sourcefire(tm),
-the Snort(r) logo and the Sourcefire logo are trademarks of Sourcefire.
-
-Note: A printer friendly version of this Agreement is available in PDF format.
diff -Nru snort-2.9.0.1/rules/web-attacks.rules snort-2.9.2/rules/web-attacks.rules
--- snort-2.9.0.1/rules/web-attacks.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-attacks.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,74 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-# ----------------
-# WEB ATTACKS
-# ----------------
-# These signatures are generic signatures that will catch common commands
-# used to exploit form variable vulnerabilities. These signatures should
-# not false very often.
-#
-# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
-# if you find one of these signatures to be too false possitive.
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)
diff -Nru snort-2.9.0.1/rules/web-cgi.rules snort-2.9.2/rules/web-cgi.rules
--- snort-2.9.0.1/rules/web-cgi.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-cgi.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,396 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-cgi.rules,v 1.77.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
-#--------------
-# WEB-CGI RULES
-#--------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; reference:nessus,10164; classtype:attempted-recon; sid:830; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;)
-# testcgi is *one* of many scripts to look for. this *ALSO* triggers on testcgi.exe.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:attempted-recon; sid:841; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access"; flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;)
-alert tcp $EXTERNAL_NET
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; 
sid:1701; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar.pl access"; flow:to_server,established; uricontent:"calendar"; nocase; pcre:"/calendar(|[-_]admin)\.pl/Ui"; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; 
reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; 
reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; 
uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372; 
reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI 
tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id=<SCRIPT>"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi access"; flow:to_server,established; 
uricontent:"/store/agora.cgi"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rksh access"; flow:to_server,established; uricontent:"/rksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access"; flow:to_server,established; uricontent:"/bash"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe command attempt"; flow:to_server,established; uricontent:"/perl.exe?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl command attempt"; flow:to_server,established; uricontent:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:7;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zsh access"; flow:to_server,established; uricontent:"/zsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; 
sid:1309; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csh access"; flow:to_server,established; uricontent:"/csh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tcsh access"; flow:to_server,established; uricontent:"/tcsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rsh access"; flow:to_server,established; uricontent:"/rsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ksh access"; flow:to_server,established; uricontent:"/ksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; content:"menue=../../"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi access"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl attempt"; flow:to_server,established; uricontent:"/cgiforum.pl?thesection=../.."; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:6;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl access"; flow:to_server,established; uricontent:"/cgiforum.pl"; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-attack; sid:1574; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi access"; flow:to_server,established; uricontent:"/directorypro.cgi"; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-activity; sid:1467; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi attempt"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; content:"newpage=../"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:web-application-attack; sid:1468; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi access"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI listrec.pl access"; flow:to_server,established; uricontent:"/listrec.pl"; nocase; reference:bugtraq,3328; reference:cve,2001-0997; classtype:attempted-recon; sid:1470; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI book.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/book.cgi"; nocase; content:"current=|7C|"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi access"; flow:to_server,established; uricontent:"/book.cgi"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newsdesk.cgi access"; flow:to_server,established; uricontent:"/newsdesk.cgi"; nocase; reference:bugtraq,2172; reference:cve,2001-0232; classtype:attempted-recon; sid:1473; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl directory traversal attempt"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; content:"p0=../../"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl access"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; nocase; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:9;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc access"; flow:to_server,established; uricontent:"/swc"; nocase; reference:nessus,10493; classtype:attempted-recon; sid:1478; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; content:"pg=../"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.cgi access"; flow:to_server,established; uricontent:"/upload.cgi"; nocase; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_source access"; flow:to_server,established; uricontent:"/view_source"; nocase; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl access"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI icat access"; 
flow:to_server,established; uricontent:"/icat"; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Bugzilla doeditvotes.cgi access"; flow:to_server,established; uricontent:"/doeditvotes.cgi"; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary configuration file attempt"; flow:to_server,established; uricontent:"/htsearch?-c"; nocase; reference:cve,2000-0208; classtype:web-application-attack; sid:1600; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary file read attempt"; flow:to_server,established; uricontent:"/htsearch?exclude=`"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch access"; flow:to_server,established; uricontent:"/htsearch"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/a1disp3.cgi?/../../"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi access"; flow:to_server,established; uricontent:"/a1disp3.cgi"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats access"; flow:to_server,established; uricontent:"/a1stats/"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admentor admin.asp access"; flow:to_server,established; uricontent:"/admentor/admin/admin.asp"; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; uricontent:"/PRN/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1505; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; uricontent:"/NUL/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1506; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/alibaba.pl|7C|"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; reference:bugtraq,770; reference:cve ,CAN-1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; uricontent:"/query?mss=.."; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/test.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat access"; flow:to_server,established; uricontent:"/test.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat access"; flow:to_server,established; uricontent:"/input.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input2.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat access"; flow:to_server,established; uricontent:"/input2.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/envout.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat access"; flow:to_server,established; uricontent:"/envout.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/echo.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat access"; flow:to_server,established; uricontent:"/echo.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/hello.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat access"; flow:to_server,established; uricontent:"/hello.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tst.bat access"; flow:to_server,established; uricontent:"/tst.bat"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; reference:bugtraq,936; reference:cve,2000-0079; classtype:web-application-activity; sid:1539; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgimail access"; flow:to_server,established; uricontent:"/cgimail"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiwrap access"; flow:to_server,established; uricontent:"/cgiwrap"; nocase; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi access"; flow:to_server,established; uricontent:"/csSearch.cgi"; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cart/cart.cgi access"; flow:to_server,established; uricontent:"/cart/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dbman db.cgi access"; flow:to_server,established; uricontent:"/dbman/db.cgi"; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop access"; flow:to_server,established; uricontent:"/dcshop"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop orders.txt access"; flow:to_server,established; uricontent:"/orders/orders.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop auth_user_file.txt access"; flow:to_server,established; uricontent:"/auth_data/auth_user_file.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl arbitrary commane execution attempt"; flow:to_server,established; uricontent:"/eshop.pl?seite=|3B|"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl access"; flow:to_server,established; uricontent:"/eshop.pl"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/loadpage.cgi"; content:"file=../"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-attack; sid:1569; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi access"; flow:to_server,established; uricontent:"/loadpage.cgi"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-activity; sid:1570; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/faqmanager.cgi?toc="; uricontent:"|00|"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi access"; flow:to_server,established; uricontent:"/faqmanager.cgi"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /fcgi-bin/echo.exe access"; flow:to_server,established; uricontent:"/fcgi-bin/echo.exe"; nocase; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"reply_message_attach="; nocase; content:"/../"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi external site redirection attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"redirect=http"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi access"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestbook.cgi access"; flow:to_server,established; uricontent:"/guestbook.cgi"; nocase; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Home Free search.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/search.cgi"; content:"letter=../.."; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-attack; sid:1598; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI search.cgi access"; flow:to_server,established; uricontent:"/search.cgi"; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.pl access"; flow:to_server,established; uricontent:"/environ.pl"; nocase; classtype:web-application-activity; sid:1651; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-activity; sid:1653; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart32.exe access"; flow:to_server,established; uricontent:"/cart32.exe"; nocase; reference:bugtraq,1153; classtype:web-application-activity; sid:1654; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/pfdispaly.cgi?'"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; content:"name=../"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi access"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ad.cgi access"; flow:to_server,established; uricontent:"/ad.cgi"; nocase; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bbs_forum.cgi access"; flow:to_server,established; uricontent:"/bbs_forum.cgi"; nocase; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bsguest.cgi access"; flow:to_server,established; uricontent:"/bsguest.cgi"; nocase; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bslist.cgi access"; flow:to_server,established; uricontent:"/bslist.cgi"; nocase; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgforum.cgi access"; flow:to_server,established; uricontent:"/cgforum.cgi"; nocase; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newdesk access"; flow:to_server,established; uricontent:"/newdesk"; nocase; classtype:web-application-activity; sid:1714; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI register.cgi access"; flow:to_server,established; uricontent:"/register.cgi"; nocase; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestguest.cgi access"; flow:to_server,established; uricontent:"/simplestguest.cgi"; nocase; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI statsconfig.pl access"; flow:to_server,established; uricontent:"/statsconfig.pl"; nocase; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; content:"article=../../"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi access"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flow:to_server,established; uricontent:"/adcycle"; nocase; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI document.d2w access"; flow:to_server,established; uricontent:"/document.d2w"; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db2www access"; flow:to_server,established; uricontent:"/db2www"; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ access"; flow:to_server,established; uricontent:"/cgi-bin/"; content:"/cgi-bin/ HTTP"; nocase; classtype:web-application-attack; sid:1668; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-dos/ access"; flow:to_server,established; uricontent:"/cgi-dos/"; content:"/cgi-dos/ HTTP"; nocase; classtype:web-application-attack; sid:1669; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; content:"../../"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote print.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/technote/print.cgi"; nocase; content:"board="; nocase; content:"../../"; content:"%00"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ads.cgi command execution attempt"; flow:to_server,established; uricontent:"/ads.cgi"; nocase; content:"file="; nocase; content:"../../"; content:"|7C|"; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi"; content:"page=../"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore access"; flow:to_server,established; uricontent:"/web_store.cgi"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI shopping cart directory traversal"; flow:to_server,established; uricontent:"/shop.cgi"; content:"page=../"; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Allaire Pro Web Shell attempt"; flow:to_server,established; uricontent:"/authenticate.cgi?PASSWORD"; content:"config.ini"; classtype:web-application-attack; sid:1090; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Armada Style Master Index directory traversal"; flow:to_server,established; uricontent:"/search.cgi?keys"; content:"catigory=../"; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Talentsoft Web+ exploit attempt"; flow:to_server,established; uricontent:"/webplus.cgi?Script=/webplus/webping/webping.wml"; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Poll-it access"; flow:to_server,established; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI count.cgi access"; flow:to_server,established; uricontent:"/count.cgi"; nocase; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; content:"distloc=|3B|"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi access"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bigconf.cgi access"; flow:to_server,established; uricontent:"/bigconf.cgi"; nocase; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch attempt"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; content:"mail"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch access"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi File attempt"; flow:to_server,established; uricontent:"/sojourn.cgi?cat="; content:"%00"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi access"; flow:to_server,established; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname attempt"; flow:to_server,established; uricontent:"/infosrch.cgi?"; content:"fname="; nocase; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-attack; sid:1196; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ax-admin.cgi access"; flow:to_server,established; uricontent:"/ax-admin.cgi"; classtype:web-application-activity; sid:1204; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI axs.cgi access"; flow:to_server,established; uricontent:"/axs.cgi"; classtype:web-application-activity; sid:1205; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cachemgr.cgi access"; flow:to_server,established; uricontent:"/cachemgr.cgi"; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI responder.cgi access"; flow:to_server,established; uricontent:"/responder.cgi"; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI web-map.cgi access"; flow:to_server,established; uricontent:"/web-map.cgi"; classtype:web-application-activity; sid:1211; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ministats admin access"; flow:to_server,established; uricontent:"/ministats/admin.cgi"; nocase; classtype:web-application-activity; sid:1215; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dfire.cgi access"; flow:to_server,established; uricontent:"/dfire.cgi"; nocase; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; content:"/../../../../"; classtype:web-application-attack; sid:1305; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi access"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; classtype:web-application-activity; sid:1304; rev:7;)
-# do we really need two of these?
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi product directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"product="; content:"../.."; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"../"; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi access"; flow:to_server,established; uricontent:"/store.cgi"; nocase; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi attempt"; flow:to_server,established; uricontent:"/generate.cgi"; content:"content=../"; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi access"; flow:to_server,established; uricontent:"/generate.cgi"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-activity; sid:1495; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI spin_client.cgi access"; flow:to_server,established; uricontent:"/spin_client.cgi"; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword.cgi access"; flow:to_server,established; uricontent:"/csPassword.cgi"; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword password.cgi.tmp access"; flow:to_server,established; uricontent:"/password.cgi.tmp"; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?Nocfile="; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?|24|"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc access"; flow:to_server,established; uricontent:"/cgiproc"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Oracle reports CGI access"; flow:to_server,established; uricontent:"/rwcgi60"; content:"setauth="; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/alienform.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/af.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi access"; flow:established,to_server; uricontent:"/alienform.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi access"; flow:established,to_server; uricontent:"/af.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl arbitrary file read attempt"; flow:to_server,established; uricontent:"/story.pl"; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI siteUserMod.cgi access"; flow:to_server,established; uricontent:"/.cobalt/siteUserMod/siteUserMod.cgi"; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgicso access"; flow:to_server,established; uricontent:"/cgicso"; reference:bugtraq,6141; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-publish.cgi access"; flow:to_server,established; uricontent:"/nph-publish.cgi"; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printenv access"; flow:to_server,established; uricontent:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-nlog.pl access"; flow:to_server,established; uricontent:"/rpc-nlog.pl"; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart.cgi access"; flow:to_server,established; uricontent:"/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:5;)
-
-# NOTES: this signature looks for someone accessing the web application
-# "way-board.cgi". This application allows attackers to view arbitrary
-# files that are readable with the privilages of the web server.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"|3B|"; distance:0; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2085; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054;
classtype:web-application-activity; sid:2086; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ikonboard.cgi access"; flow:to_server,established; uricontent:"/ikonboard.cgi"; nocase; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swsrv.cgi access"; flow:to_server,established; uricontent:"/swsrv.cgi"; nocase; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; reference:bugtraq,4579; 
reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; 
classtype:web-application-activity; sid:2209; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; 
uricontent:"/readmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; 
reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:4;) -# when we get por lists... merge this with 2387... 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whereami.cgi?g="; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi access"; flow:to_server,established; uricontent:"/whereami.cgi"; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:3;) -# the prevous rule looks for the attack, but we still want to catch the -# scanners. 
if we had port lists, this rule would be HTTP_PORTS and 3000 -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:3;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pgpmail.pl access"; flow:to_server,established; uricontent:"/pgpmail.pl"; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI processit access"; flow:to_server,established; uricontent:"/processit.pl"; nocase; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI WhatsUpGold instancename overflow attempt"; flow:to_server,established; uricontent:"/_maincfgret.cgi"; nocase; pcre:"/instancename=[^&\x3b\r\n]{513}/smi"; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ibillpm.pl access"; flow:to_server,established; uricontent:"/ibillpm.pl"; nocase; reference:bugtraq,3476; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:2;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; uricontent:"/delhomepage.cgi"; reference:bugtraq,9791; classtype:web-application-activity; sid:3062; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailman directory traversal attempt"; flow:to_server,established; uricontent:"/mailman/"; uricontent:".../"; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats.pl command execution attempt"; flow:to_server,established; uricontent:"/awstats.pl?"; nocase; uricontent:"update="; pcre:"/update=[^\r\n\x26]+/Ui"; uricontent:"logfile="; nocase; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; reference:bugtraq,12572; classtype:web-application-attack; sid:3464; rev:1;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Ipswitch WhatsUp Gold dos attempt"; flow:to_server,established; uricontent:"/prn"; nocase; pcre:"/\/prn\.(asp|cgi|html?)/Ui"; reference:bugtraq,11110; reference:cve,2004-0799; reference:url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities; reference:url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html; reference:url,www.secunia.com/advisories/12578/; classtype:attempted-dos; sid:3469; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats access"; flow:to_server,established; uricontent:"/awstats.pl"; nocase; reference:bugtraq,12572; classtype:web-application-activity; sid:3463; rev:1;) diff -Nru snort-2.9.0.1/rules/web-client.rules snort-2.9.2/rules/web-client.rules --- snort-2.9.0.1/rules/web-client.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/web-client.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,54 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-client.rules,v 1.20.2.8.2.7 2005/07/22 19:19:54 mwatchinski Exp $
-#---------------
-# WEB-CLIENT RULES
-#---------------
-#
-# These signatures look for two things:
-# * bad things coming from our users
-# * attacks against our web users
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; reference:nessus,10767; classtype:attempted-user; sid:1233; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2435; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2436; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:7;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2438; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2439; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2440; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:5;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2589; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)
diff -Nru snort-2.9.0.1/rules/web-coldfusion.rules snort-2.9.2/rules/web-coldfusion.rules
--- snort-2.9.0.1/rules/web-coldfusion.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-coldfusion.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
-#---------------------
-# WEB-COLDFUSION RULES
-#---------------------
-#
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
diff -Nru snort-2.9.0.1/rules/web-frontpage.rules snort-2.9.2/rules/web-frontpage.rules
--- snort-2.9.0.1/rules/web-frontpage.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-frontpage.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,58 +0,0 @@
-# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
-#
-# This file may contain proprietary rules that were created, tested and
-# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
-# rules that were created by Sourcefire and other third parties and
-# distributed under the GNU General Public License (the "GPL Rules"). The
-# VRT Certified Rules contained in this file are the property of
-# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
-# The GPL Rules created by Sourcefire, Inc. are the property of
-# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
-# Reserved. All other GPL Rules are owned and copyrighted by their
-# respective owners (please see www.snort.org/contributors for a list of
-# owners and their respective copyrights). In order to determine what
-# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
-# Certified Rules License Agreement.
-#
-#
-# $Id: web-frontpage.rules,v 1.32.2.2.2.2 2005/06/29 15:35:05 mwatchinski Exp $
-#--------------------
-# WEB-FRONTPAGE RULES
-#--------------------
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx; classtype:web-application-activity; sid:939; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; classtype:web-application-activity; sid:940; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:13;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)
-
diff -Nru snort-2.9.0.1/rules/web-iis.rules snort-2.9.2/rules/web-iis.rules
--- snort-2.9.0.1/rules/web-iis.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-iis.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,167 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: web-iis.rules,v 1.78.2.5.2.6 2005/07/22 19:19:54 mwatchinski Exp $ -#-------------- -# WEB-IIS RULES -#-------------- - - -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; reference:url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx; classtype:web-application-attack; sid:1970; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:16;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; reference:bugtraq,4672; classtype:web-application-activity; sid:1756; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; 
flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:cve,2000-1089; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; reference:nessus,10359; reference:url,www.osvdb.org/274; classtype:web-application-activity; sid:1485; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; 
reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:14;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; 
flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:978; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:979; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; 
flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;) - -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx; classtype:web-application-attack; sid:1725; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:14;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; 
uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; 
uricontent:"/bdir.htr"; nocase; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx; classtype:web-application-attack; sid:1007; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; 
reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; classtype:web-application-attack; sid:1380; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; reference:bugtraq,886; reference:cve,2000-0024; reference:url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx; classtype:web-application-activity; sid:1010; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; 
flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; uricontent:"CiWebHitsFile="; nocase; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; uricontent:"CiRestriction=none"; nocase; uricontent:"ciHiliteType=Full"; nocase; reference:bugtraq,950; reference:cve,2000-0097; reference:url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:15;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx; classtype:web-application-attack; sid:1021; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; 
uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:1023; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts 
access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; 
reference:nessus,10007; reference:url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx; classtype:web-application-activity; sid:1037; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; reference:cve,2000-0778; classtype:web-application-activity; sid:1042; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:8;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;)
-# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; flow:to_server,established; uricontent:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; 
nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx; classtype:web-application-attack; sid:1567; rev:12;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:11;)
-
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1802; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1803; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; 
reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1804; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1801; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; 
reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; classtype:web-application-activity; sid:2133; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS 
UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; 
reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:9;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cmd executable file parsing attack"; flow:established,to_server; uricontent:".cmd|22|"; nocase; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat executable file parsing attack"; flow:established,to_server; uricontent:".bat|22|"; nocase; pcre:"/.bat\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS httpodbc.dll access - nimda"; flow:to_server,established; uricontent:"/httpodbc.dll"; nocase; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; uricontent:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; reference:bugtraq,5004; reference:cve,2002-0186; reference:url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:4;)
diff -Nru snort-2.9.0.1/rules/web-misc.rules snort-2.9.2/rules/web-misc.rules
--- snort-2.9.0.1/rules/web-misc.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-misc.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,443 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $ -#--------------- -# WEB-MISC RULES -#--------------- - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; 
byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; reference:bugtraq,2285; reference:cve,2001-0250; classtype:web-application-attack; sid:1048; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
ftp attempt"; flow:to_server,established; content:"ftp.exe"; nocase; classtype:web-application-activity; sid:1057; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wsh attempt"; flow:to_server,established; content:"wsh.exe"; nocase; classtype:web-application-activity; sid:1064; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rcmd attempt"; flow:to_server,established; uricontent:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC telnet attempt"; flow:to_server,established; content:"telnet.exe"; nocase; classtype:web-application-activity; sid:1066; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC net attempt"; flow:to_server,established; content:"net.exe"; nocase; classtype:web-application-activity; sid:1067; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-MISC tftp attempt"; flow:to_server,established; content:"tftp.exe"; nocase; classtype:web-application-activity; sid:1068; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:1977; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:1978; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; flow:to_server,established; uricontent:".nsf/"; uricontent:"../"; nocase; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webhits.exe access"; flow:to_server,established; uricontent:"/scripts/samples/search/webhits.exe"; nocase; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC queryhit.htm access"; flow:to_server,established; 
uricontent:"/samples/search/queryhit.htm"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?>/iR"; reference:bugtraq,1656; reference:cve,2000-0869; classtype:web-application-activity; sid:1079; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec upload"; flow:to_server,established; uricontent:"/servlet/com.unify.servletexec.UploadServlet"; nocase; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:15;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec DOS"; flow:to_server,established; uricontent:"/servlet/ServletExec"; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????"; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ Source Code view access"; flow:to_server,established; uricontent:"/webplus.exe?script=test.wml"; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ internal IP Address access"; flow:to_server,established; uricontent:"/webplus.exe?about"; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; uricontent:"_private/shopping_cart.mdb"; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; reference:arachnids,310; classtype:web-application-activity; sid:1100; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webtrends HTTP probe"; 
flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; reference:arachnids,309; classtype:web-application-activity; sid:1101; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 1.X 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 2.x 404 probe"; flow:to_server,established; uricontent:"/NessusTest"; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BigBrother access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl attempt"; flow:to_server,established; uricontent:"/ftp.pl?dir=../.."; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl access"; flow:to_server,established; uricontent:"/ftp.pl"; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; 
classtype:attempted-recon; sid:1108; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROXEN directory list attempt"; flow:to_server,established; uricontent:"/%00"; reference:bugtraq,1510; reference:cve,2000-0671; classtype:attempted-recon; sid:1109; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ webserver DOS"; flow:to_server,established; uricontent:".html/......"; nocase; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus DelDoc attempt"; flow:to_server,established; uricontent:"?DeleteDocument"; nocase; classtype:attempted-recon; sid:1116; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus EditDoc attempt"; flow:to_server,established; uricontent:"?EditDocument"; nocase; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; 
classtype:attempted-recon; sid:1118; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mlog.phtml access"; flow:to_server,established; uricontent:"/mlog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?PageServices access"; flow:to_server,established; uricontent:"?PageServices"; nocase; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce check.txt access"; flow:to_server,established; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart access"; flow:to_server,established; uricontent:"/webcart/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AuthChangeUrl access"; flow:to_server,established; uricontent:"_AuthChangeUrl?"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC convert.bas access"; flow:to_server,established; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; reference:cve,1999-0175; 
classtype:attempted-recon; sid:1127; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cpshost.dll access"; flow:to_server,established; uricontent:"/scripts/cpshost.dll"; nocase; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; uricontent:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".wwwacl"; nocase; classtype:attempted-recon; sid:1130; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".www_acl"; nocase; classtype:attempted-recon; sid:1131; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cd.."; flow:to_server,established; content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; flow:to_server,established; uricontent:"/guestbook.pl"; nocase; reference:arachnids,228; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler attempt"; flow:to_server,established; uricontent:"/handler"; uricontent:"|7C|"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler access"; flow:to_server,established; uricontent:"/handler"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; 
classtype:web-application-activity; sid:1141; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~ftp access"; flow:to_server,established; uricontent:"/~ftp"; nocase; classtype:attempted-recon; sid:1662; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/config/import.txt"; nocase; classtype:attempted-recon; sid:1146; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; sid:1148; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino catalog.nsf access"; flow:to_server,established; uricontent:"/catalog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:8;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domcfg.nsf access"; flow:to_server,established; uricontent:"/domcfg.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domlog.nsf access"; flow:to_server,established; uricontent:"/domlog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino log.nsf access"; flow:to_server,established; uricontent:"/log.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino names.nsf access"; flow:to_server,established; uricontent:"/names.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mab.nsf access"; flow:to_server,established; uricontent:"/mab.nsf"; nocase; reference:bugtraq,4022; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino cersvr.nsf access"; flow:to_server,established; uricontent:"/cersvr.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino setup.nsf access"; flow:to_server,established; uricontent:"/setup.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino statrep.nsf access"; flow:to_server,established; uricontent:"/statrep.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino webadmin.nsf access"; flow:to_server,established; uricontent:"/webadmin.nsf"; nocase; 
reference:bugtraq,9900; reference:bugtraq,9901; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino events4.nsf access"; flow:to_server,established; uricontent:"/events4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino ntsync4.nsf access"; flow:to_server,established; uricontent:"/ntsync4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino collect4.nsf access"; flow:to_server,established; uricontent:"/collect4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mailw46.nsf access"; flow:to_server,established; uricontent:"/mailw46.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino bookmark.nsf access"; flow:to_server,established; uricontent:"/bookmark.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino agentrunner.nsf access"; flow:to_server,established; uricontent:"/agentrunner.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mail.box access"; flow:to_server,established; uricontent:"/mail.box"; nocase; reference:bugtraq,881; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce checks.txt access"; flow:to_server,established; uricontent:"/orders/checks.txt"; nocase; reference:bugtraq,2281; classtype:attempted-recon; 
sid:1155; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache directory disclosure attempt"; flow:to_server,established; content:"////////"; reference:bugtraq,2503; classtype:attempted-dos; sid:1156; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:arachnids,465; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; flow:to_server,established; uricontent:"/webplus?script"; nocase; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent:"?wp-"; nocase; reference:arachnids,270; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1160; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cart 32 AdminPwd access"; flow:to_server,established; uricontent:"/c32web.exe/ChangeAdminPassword"; nocase; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access"; flow:to_server,established; uricontent:"/quikstore.cfg"; nocase; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; 
rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ws_ftp.ini access"; flow:to_server,established; uricontent:"/ws_ftp.ini"; nocase; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mall log order access"; flow:to_server,established; uricontent:"/mall_log_files/order.log"; nocase; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wwwboard.pl access"; flow:to_server,established; uricontent:"/wwwboard.pl"; nocase; reference:bugtraq,1795; reference:bugtraq,649; 
reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-verify-link"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1177; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:arachnids,258; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe attempt"; flow:to_server,established; uricontent:"/cgitest.exe|0D 0A|user"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:17;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe access"; flow:to_server,established; uricontent:"/cgitest.exe"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-cs-dump"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; 
classtype:attempted-recon; sid:1183; rev:10;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-info"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-diff"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer web command attempt"; flow:to_server,established; uricontent:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-attack; sid:1187; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer access"; flow:to_server,established; uricontent:"/slxweb.dll"; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-start-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-stop-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-uncheckout"; nocase; 
reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-html-rend"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan attempt"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; uricontent:"domain="; nocase; uricontent:"event="; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan access"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe"; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; uricontent:"?&"; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web application server access"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-usr-prop"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:8;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.vts access"; flow:to_server,established; uricontent:"/search.vts"; 
reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep attempt"; flow:to_server,established; uricontent:"/htgrep"; content:"hdr=/"; reference:cve,2000-0832; classtype:web-application-attack; sid:1615; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep access"; flow:to_server,established; uricontent:"/htgrep"; reference:cve,2000-0832; classtype:web-application-activity; sid:1207; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .nsconfig access"; flow:to_server,established; uricontent:"/.nsconfig"; reference:url,www.osvdb.org/5709; classtype:attempted-recon; sid:1209; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Admin_files access"; flow:to_server,established; uricontent:"/admin_files"; nocase; classtype:attempted-recon; sid:1212; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; uricontent:"/backup"; nocase; classtype:attempted-recon; sid:1213; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC intranet access"; flow:to_server,established; uricontent:"/intranet/"; nocase; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filemail access"; flow:to_server,established; uricontent:"/filemail"; nocase; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC adminlogin access"; flow:to_server,established; uricontent:"/adminlogin"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ultraboard access"; flow:to_server,established; uricontent:"/ultraboard"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower attempt"; flow:to_server,established; uricontent:"/empower?DB="; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower access"; flow:to_server,established; uricontent:"/empower"; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROADS search.pl attempt"; flow:to_server,established; uricontent:"/ROADS/cgi-bin/search.pl"; content:"form="; nocase; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSave access"; flow:to_server,established; uricontent:"/FtpSave.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCSP access"; flow:to_server,established; uricontent:"/FtpSaveCSP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC VirusWall FtpSaveCVP access"; flow:to_server,established; uricontent:"/FtpSaveCVP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; uricontent:".jsp"; nocase; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet directory traversal attempt"; flow:to_server,established; uricontent:"/SWEditServlet"; content:"template=../../../"; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet access"; flow:to_server,established; uricontent:"/SWEditServlet"; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a\s*Basic\s[^\n]{512}/smi"; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sml3com access"; 
flow:to_server,established; uricontent:"/graphics/sml3com"; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC carbo.dll access"; flow:to_server,established; uricontent:"/carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC console.exe access"; flow:to_server,established; uricontent:"/cgi-bin/console.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cs.exe access"; flow:to_server,established; uricontent:"/cgi-bin/cs.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jrun directory browse attempt"; flow:to_server,established; uricontent:"/?.jsp"; reference:bugtraq,3592; classtype:web-application-attack; sid:1376; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mod-plsql administration access"; flow:to_server,established; uricontent:"/admin_/"; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:11;)
-# alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode.jse access"; flow:to_server,established; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode access"; flow:to_server,established; uricontent:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC showcode access"; flow:to_server,established; uricontent:"/showcode"; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-attack; sid:1404; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .history access"; flow:to_server,established; uricontent:"/.history"; classtype:web-application-attack; sid:1433; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .bash_history access"; flow:to_server,established; uricontent:"/.bash_history"; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~nobody access"; flow:to_server,established; uricontent:"/~nobody"; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:10;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC *%0a.pl access"; flow:to_server,established; uricontent:"/*|0A|.pl"; nocase; reference:nessus,11007; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkplog.exe access"; flow:to_server,established; uricontent:"/mkplog.exe"; nocase; classtype:web-application-activity; sid:1664; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .DS_Store access"; flow:to_server,established; uricontent:"/.DS_Store"; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .FBCIndex access"; flow:to_server,established; uricontent:"/.FBCIndex"; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:10;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache ?M=D directory list attempt"; flow:to_server,established; uricontent:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:1519; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl attempt"; flow:to_server,established; uricontent:"/ans.pl?p=../../"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl access"; flow:to_server,established; uricontent:"/ans.pl"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AxisStorpoint CD attempt"; flow:to_server,established; uricontent:"/cd/../config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Axis Storpoint CD access"; flow:to_server,established; uricontent:"/config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:9;)
-alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix sendmail.inc access"; flow:to_server,established; uricontent:"/inc/sendmail.inc"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix mysql.class access"; flow:to_server,established; uricontent:"/class/mysql.class"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BBoard access"; flow:to_server,established; uricontent:"/servlet/sunexamples.BBoardServlet"; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; reference:cve,2000-0380; classtype:web-application-attack; sid:1546; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /CVS/Entries access"; flow:to_server,established; uricontent:"/CVS/Entries"; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cvsweb version access"; flow:to_server,established; uricontent:"/cvsweb/version"; reference:cve,2000-0670; classtype:web-application-activity; sid:1552; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/packages 
access"; flow:to_server,established; uricontent:"/doc/packages"; nocase; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm attempt"; flow:to_server,established; uricontent:"/login.htm?password="; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/ftp access"; flow:to_server,established; uricontent:"/home/ftp"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/www access"; flow:to_server,established; uricontent:"/home/www"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC global.inc access"; flow:to_server,established; uricontent:"/global.inc"; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll directory listing attempt"; flow:to_server,established; uricontent:"/search.dll"; content:"query=%00"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll access"; flow:to_server,established; uricontent:"/search.dll"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:6;)
-
-
-# The following signatures are for non-standard ports. 
When ports lists work,
-# then these will be converted to use HTTP_PORTS & HTTP_SERVERS
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:web-application-attack; sid:1498; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"WEB-MISC iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; reference:cve,2000-0165; classtype:web-application-activity; sid:1558; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-MISC nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:8;)
-
-# uricontent would be nice, but we can't be sure we are running http decoding
-# on 2301. oh for rna integration...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq Insight directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:11;)
-
-
-# when we get real ports list, we will merge these sigs. so for now, keep the
-# message the same. 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; uricontent:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:8;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1809; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1807; rev:10;)
-
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC CISCO VoIP DOS ATTEMPT"; flow:to_server,established; uricontent:"/StreamingStatistics"; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC IBM Net.Commerce orderdspc.d2w access"; flow:established,to_server; uricontent:"/ncommerce3/ExecMacro/orderdspc.d2w"; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:7;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WEB-INF access"; flow:established,to_server; uricontent:"/WEB-INF"; nocase; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet Search directory traversal attempt"; flow:established,to_server; uricontent:"/search"; content:"NS-query-pat="; content:"../../"; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; 
uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; reference:cve,2002-0855; classtype:web-application-attack; sid:1839; rev:4;)
-
-
-
-# NOTES: this signature looks for access to common webalizer output directories.
-# Webalizer is a http server log reporting program. By allowing anyone on the
-# internet to view the web access logs, attackers can gain information about
-# your customers that probably should not be made public. webalizer had cross
-# site scripting bugs prior to version 2.01-09.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:9;)
-
-
-# NOTES: this signature looks for someone accessing the directory webcart-lite.
-# webcart-lite allows users to access world readable plain text customer
-# information databases. To correct this issue, users should make the
-# data directories and databases not world readable, move the files outside of
-# WEBROOT if possible, and verify that a compromise of customer information has
-# not occured.
-# SIMILAR RULES: sid:1125
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:5;)
-
-
-# NOTES: this signature looks for someone accessing the web application
-# "webfind.exe". 
This application has a buffer overflow in the keywords
-# argument. An attacker can use this vulnerability to execute arbitrary
-# code on the web server.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:7;)
-
-# NOTES: this signature looks for someone accessing the file "active.log" via
-# a web server. By allowing anyone on the internet to view the web access
-# logs, attackers can gain information about your customers that probably
-# should not be made public.
-#
-# This logfile is made available from the WebActive webserver. This webserver
-# is no longer maintained and should be replaced with an actively maintained
-# webserver. If converting to another webserver is not possible, remove read
-# access to this file.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:6;)
-
-
-
-# NOTES: this signature looks for someone accessing the file "robots.txt" via
-# web server. This file is used to make web spider agents (including search
-# engines) more efficient. robots.txt is often used to inform a web spider
-# which directories that the spider should ignore because the content may be
-# dynamic or restricted. An attacker can use this information to gain insite
-# into directories that may have been deemed sensitive.
-#
-# Verify that the robots.txt does not include any sensitive information. 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:5;)
-
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+OmFkbWlu/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; 
classtype:default-login-attempt; sid:2230; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle XSQLConfig.xml access"; flow:to_server,established; uricontent:"/XSQLConfig.xml"; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; uricontent:"/dms0"; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC globals.jsa access"; flow:to_server,established; uricontent:"/globals.jsa"; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Java Process Manager access"; flow:to_server,established; uricontent:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:6;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD with large datagram"; flow:to_server,established,no_stream; dsize:>512; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker space splice attack"; flow:to_server,established; dsize:1; content:" "; reference:arachnids,296; 
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:11;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker tab splice attack"; flow:to_server,established; dsize:<5; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /ecscripts/ecware.exe access"; flow:to_server,established; uricontent:"/ecscripts/ecware.exe"; nocase; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase; reference:bugtraq,6091; reference:cve,2002-1559; classtype:web-application-activity; sid:1969; rev:3;)
-
-# uricontent would be nice, but we can't be sure we are running http decoding
-# on 8888. oh for rna integration...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:9;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC perl post attempt"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2056; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; 
flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2061; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2064; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2066; rev:4;)
-alert tcp 
$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2067; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe|7C|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard.mdb access"; flow:to_server,established; uricontent:"/philboard.mdb"; reference:nessus,11682; 
classtype:web-application-activity; sid:2135; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp authentication bypass attempt"; flow:to_server,established; uricontent:"/philboard_admin.asp"; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp access"; flow:to_server,established; uricontent:"/philboard_admin.asp"; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC logicworks.ini access"; flow:to_server,established; uricontent:"/logicworks.ini"; reference:bugtraq,6996; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC /*.shtml access"; flow:to_server,established; uricontent:"/*.shtml"; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC mod_gzip_status access"; flow:to_server,established; uricontent:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; 
rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; 
classtype:web-application-activity; sid:2239; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2240; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:5;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; 
reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle portal demo access"; flow:to_server,established; uricontent:"/pls/portal/PORTAL_DEMO"; nocase; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; uricontent:"/psdoccgi"; nocase; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ISAPISkeleton.dll access"; flow:to_server,established; uricontent:"/ISAPISkeleton.dll"; nocase; reference:bugtraq,9516; classtype:web-application-activity; sid:2369; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BugPort config.conf file access"; flow:to_server,established; 
uricontent:"/config.conf"; nocase; reference:bugtraq,9542; classtype:attempted-recon; sid:2370; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sample_showcode.html access"; flow:to_server,established; uricontent:"/Sample_showcode.html"; nocase; content:"fname"; reference:bugtraq,9555; classtype:web-application-activity; sid:2371; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:7;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC InteractiveQuery.jsp access"; flow:to_server,established; uricontent:"/InteractiveQuery.jsp"; nocase; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC edittag.pl access"; flow:to_server,established; uricontent:"/edittag.pl"; nocase; reference:bugtraq,6675; classtype:web-application-activity; sid:2400; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:5;)
-
-# YES, the contents are logically backwards as to how the contents are seen on
-# the wire. snort picks up the first of the longest pattern. login=0 happens
-# MUCH less than Cookie. so we do this for speed.
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; classtype:web-application-attack; sid:2442; rev:6;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:bugtraq,9973; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:2;)
-
-
-alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:9;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2520; rev:10;)
-alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2521; rev:8;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:10;)
-
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; 
depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:13;)
-
-# one of these days, we will have port lists...
-alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"WEB-MISC McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cPanel resetpass access"; flow:to_server,established; uricontent:"/resetpass"; nocase; reference:bugtraq,9848; classtype:web-application-activity; sid:2569; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; nocase; isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:7;)
-
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; content:"dynamicimage=../"; nocase; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-attack; sid:2582; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Samba SWAT 
Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2597; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"WEB-MISC Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2598; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2658; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2661; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sresult.exe 
access"; flow:to_server,established; uricontent:"/sresult.exe"; nocase; reference:bugtraq,10837; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:1;)
-alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2660; rev:4;)
-alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2662; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus username overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/username=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:1;)
-alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/sid=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; classtype:web-application-activity; sid:1374; rev:6;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tls1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|03 01|"; depth:2; offset:4; flowbits:set,tls1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3060; rev:1;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3059; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; uricontent:"/app_sta.stm"; nocase; reference:bugtraq,11408; classtype:web-application-activity; sid:3086; rev:1;)
diff -Nru snort-2.9.0.1/rules/web-php.rules snort-2.9.2/rules/web-php.rules
--- snort-2.9.0.1/rules/web-php.rules 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/rules/web-php.rules 1969-12-31 16:00:00.000000000 -0800
@@ -1,162 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $ -#-------------- -# WEB-PHP RULES -#-------------- - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; 
reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;) - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb 
quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; 
rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; 
flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;) -alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; 
reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; 
content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; 
reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; 
flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; 
classtype:web-application-activity; sid:2290; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; 
classtype:web-application-activity; sid:2297; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;) -alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;) 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; 
sid:2363; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; 
uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;) - - - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; 
classtype:web-application-attack; sid:2575; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;) - -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;) -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;) diff -Nru snort-2.9.0.1/rules/x11.rules snort-2.9.2/rules/x11.rules --- snort-2.9.0.1/rules/x11.rules 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/rules/x11.rules 1969-12-31 16:00:00.000000000 -0800 
@@ -1,24 +0,0 @@ -# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved -# -# This file may contain proprietary rules that were created, tested and -# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as -# rules that were created by Sourcefire and other third parties and -# distributed under the GNU General Public License (the "GPL Rules"). The -# VRT Certified Rules contained in this file are the property of -# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. -# The GPL Rules created by Sourcefire, Inc. are the property of -# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights -# Reserved. All other GPL Rules are owned and copyrighted by their -# respective owners (please see www.snort.org/contributors for a list of -# owners and their respective copyrights). In order to determine what -# rules are VRT Certified Rules or GPL Rules, please refer to the VRT -# Certified Rules License Agreement. -# -# -# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $ -#---------- -# X11 RULES -#---------- - -alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;) -alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;) diff -Nru snort-2.9.0.1/schemas/Makefile.in snort-2.9.2/schemas/Makefile.in --- snort-2.9.0.1/schemas/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/schemas/Makefile.in 2011-12-07 11:23:17.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -109,13 +112,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/snort.8 snort-2.9.2/snort.8 --- snort-2.9.0.1/snort.8 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/snort.8 2011-12-07 09:58:22.000000000 -0800 @@ -2,11 +2,11 @@ .\" groff -man -Tascii snort.8 .\" .\" $Id$ -.TH SNORT 8 "February 2009" +.TH SNORT 8 "December 2011" .SH NAME Snort \- open source network intrusion detection system .SH SYNOPSIS -.B snort [-bCdDeEfHIMNoOpqQsTUvVwWxXy?] [-A +.B snort [-bCdDeEfHIMNOpqQsTUvVwWxXy?] [-A .I alert-mode .B ] [-B .I address-conversion-mask @@ -15,15 +15,13 @@ .B ] [-F .I bpf-file .B ] [-g -.I grpname +.I group-name .B ] [-G .I id .B ] [-h .I home-net .B ] [-i .I interface -.B ] [-J -.I port .B ] [-k .I checksum-mode .B ] [-K @@ -37,7 +35,7 @@ .B ] [-n .I packet-count .B ] [-P -.I snap-length +.I snap-length .B ] [-r .I tcpdump-file .B ] [-R @@ -47,7 +45,7 @@ .B ] [-t .I chroot_directory .B ] [-u -.I usrname +.I user-name .B ] [-Z .I pathname .B ] [--logid @@ -57,7 +55,7 @@ .B ] [--pid-path .I pathname .B ] [--snaplen -.I snap-length +.I snap-length .B ] [--help .B ] [--version .B ] [--dynamic-engine-lib 
@@ -76,10 +74,11 @@ .I directory .B ] [--alert-before-pass .B ] [--treat-drop-as-alert +.B ] [--treat-drop-as-ignore .B ] [--process-all-events +.B ] [--enable-inline-test .B ] [--create-pidfile .B ] [--nolock-pidfile -.B ] [--disable-inline-initialization .B ] [--pcap-single= .I tcpdump-file .B ] [--pcap-filter= 
@@ -93,74 +92,87 @@ .B ] [--pcap-no-filter .B ] [--pcap-reset .B ] [--pcap-show +.B ] [--exit-check .I count .B ] [--conf-error-out .B ] [--require-rule-sid +.B ] [--daq +.I type +.B ] [--daq-mode +.I mode +.B ] [--daq-var +.I name=value +.B ] [--daq-dir +.I dir +.B ] [--daq-list +.I [dir] +.B ] [--cs-dir +.I dir .B ] .I expression .SH DESCRIPTION .B Snort -is an open source network intrusion detection system, capable of performing -real-time traffic analysis and packet logging on IP networks. It can perform -protocol analysis, content searching/matching and can be used to detect a -variety of attacks and probes, such as buffer overflows, stealth port scans, +is an open source network intrusion detection system, capable of performing +real-time traffic analysis and packet logging on IP networks. It can perform +protocol analysis, content searching/matching and can be used to detect a +variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses -a flexible rules language to describe traffic that it should collect or pass, +a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort also has a modular real-time alerting capability, incorporating alerting -and logging plugins for syslog, a ASCII text files, UNIX sockets, database +and logging plugins for syslog, a ASCII text files, UNIX sockets, database (Mysql/PostgreSQL/Oracle/ODBC) or XML. .PP Snort has three primary uses. It can be used as a straight packet sniffer like .BR tcpdump (1), -a packet logger (useful for network traffic debugging, etc), or as a full +a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system. 
.PP -Snort logs packets in +Snort logs packets in .BR tcpdump (1) -binary format, to a database or in Snort's decoded ASCII format to a hierarchy -of logging directories that are named based on the IP address of the "foreign" +binary format, to a database or in Snort's decoded ASCII format to a hierarchy +of logging directories that are named based on the IP address of the "foreign" host. .SH OPTIONS .IP "-A alert-mode" Alert using the specified .I alert-mode. -Valid alert modes include +Valid alert modes include .B fast, full, none, and .B unsock. -.B Fast +.B Fast writes alerts to the default "alert" file in a single-line, syslog style alert -message. -.B Full -writes the alert to the "alert" file with the full decoded header as well as -the alert message. +message. +.B Full +writes the alert to the "alert" file with the full decoded header as well as +the alert message. .B None -turns off alerting. -.B Unsock +turns off alerting. +.B Unsock is an experimental mode that sends the alert information out over a UNIX socket to another process that attaches to that socket. .IP -b Log packets in a .BR tcpdump (1) formatted file. All packets are logged in their native binary state to a -tcpdump formatted log file named with the snort start timestamp and +tcpdump formatted log file named with the snort start timestamp and "snort.log". This option results in much faster operation of the program since it doesn't have to spend time in the packet binary->text converters. Snort can keep up pretty well with 100Mbps networks in '-b' mode. To choose an alternate name for the binary log file, use the '-L' switch. .IP "-B address-conversion-mask" Convert all IP addresses in -.I home-net +.I home-net to addresses specified by -.I address-conversion-mask. +.I address-conversion-mask. Used to obfuscate IP addresses within binary logs. Specify .I home-net with the '-h' switch. Note this is .B not the same as $HOME_NET. 
.IP "-c config-file" -Use the rules located in file +Use the rules located in file .I config-file. .IP -C Print the character data from the packet payload only (no hex). @@ -168,7 +180,7 @@ Dump the application layer data when displaying packets in verbose or packet logging mode. .IP -D -Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless +Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless otherwise specified. .IP -e Display/log the link layer packet headers. 
@@ -178,79 +190,77 @@ .IP -f Activate PCAP line buffering .IP "-F bpf-file" -Read BPF filters from +Read BPF filters from .I bpf-file. This is handy for people running Snort as a SHADOW replacement or with a love -Of super complex BPF filters. See the "expressions" section of this man page -for more info on writing BPF fileters. +Of super complex BPF filters. See the "expressions" section of this man page +for more info on writing BPF filters. .IP "-g group" -Change the group/GID Snort runs under to +Change the group/GID Snort runs under to .I group -after initialization. This switch allows Snort to drop root priveleges after +after initialization. This switch allows Snort to drop root privileges after it's initialization phase has completed as a security measure. .IP "-G id" Use id as a base event ID when logging events. Useful for distinguishing events logged to the same database from multiple snort instances. .IP "-h home-net" -Set the "home network" to +Set the "home network" to .I home-net. The format of this address variable is a network prefix plus a CIDR block, such as 192.168.1.0/24. Once this variable is set, all decoded packet logging will be done relative to the home network address space. This is useful because of -the way that Snort formats its ASCII log data. With this value set to the +the way that Snort formats its ASCII log data. With this value set to the local network, all decoded output will be logged into decode directories with the address of the foreign computer as the directory name, which is -very useful during traffic analysis. +very useful during traffic analysis. This option does not change "$HOME_NET" in +IDS mode. .IP "-H" Force hash tables to be deterministic instead of using a random number generator for the seed & scale. Useful for testing and generating repeatable results with the same traffic. .IP "-i interface" -Sniff packets on +Sniff packets on .I interface. .IP "-I" Print out the receiving interface name in alerts. 
-.IP "-J port" -Use port to read packets when running inline mode on system with divert -socket. .IP "-k checksum-mode" Tune the internal checksum verification functionality with .I alert-mode. -Valid checksum modes include +Valid checksum modes include .B all, noip, notcp, noudp, noicmp, and .B none. -.B All +.B All activates checksum verification for all supported protocols. .B Noip -turns off IP checksum verification, which is handy if the gateway router is +turns off IP checksum verification, which is handy if the gateway router is already dropping packets that fail their IP checksum checks. .B Notcp -turns off TCP checksum verification, all other checksum modes are +turns off TCP checksum verification, all other checksum modes are .B on. .B noudp turns off UDP checksum verification. .B Noicmp -turns off ICMP checksum verification. +turns off ICMP checksum verification. .B None turns off the entire checksum verification subsystem. .IP "-K logging-mode" Select a packet logging mode. The default is pcap. .I logging-mode. -Valid logging modes include +Valid logging modes include .B pcap, ascii, and .B none. -.B Pcap +.B Pcap logs packets through the pcap library into pcap (tcpdump) format. -.B Ascii +.B Ascii logs packets in the old "directories and files" format with packet printouts in each file. .B None Turns off packet logging. .IP "-l log-dir" -Set the output logging directory to +Set the output logging directory to .I log-dir. -All plain text alerts and packet logs go into this directory. If this option +All plain text alerts and packet logs go into this directory. If this option is not specified, the default logging directory is set to /var/log/snort. .IP "-L binary-log-file" Set the filename of the binary log file to 
@@ -258,13 +268,13 @@ If this switch is not used, the default name is a timestamp for the time that the file is created plus "snort.log". .IP "-m umask" -Set the file mode creation mask to +Set the file mode creation mask to .I umask .IP "-M" Log console messages to syslog when not running daemon mode. This switch has no impact on logging of alerts. .IP "-n packet-count" -Process +Process .I packet-count packets and exit. .IP -N @@ -278,18 +288,18 @@ .IP -p Turn off promiscuous mode sniffing. .IP "-P snap-length" -Set the packet snaplen to -.I snap-length -\&. By default, this is set to 1514. +Set the packet snaplen to +.I snap-length. +By default, this is set to 1514. .IP "-q" Quiet operation. Don't display banner and initialization information. .IP "-Q" -Read packets from iptables/IPQ (Linux only) when running in-line mode. +Enable inline mode operation. .IP "-r tcpdump-file" -Read the tcpdump-formatted file +Read the tcpdump-formatted file .I tcpdump-file. This will cause Snort to read and process the file fed to it. This is -useful if, for instance, you've got a bunch of SHADOW files that you want to +useful if, for instance, you've got a bunch of SHADOW files that you want to process for content, or even if you've got a bunch of reassembled packet fragments which have been written into a tcpdump formatted file. .IP "-R name" 
@@ -298,13 +308,13 @@ Send alert messages to syslog. On linux boxen, they will appear in /var/log/secure, /var/log/messages on many other platforms. .IP "-S variable=value" -Set variable name "variable" to value "value". This is useful for setting the -value of a defined variable name in a Snort rules file to a command line -specified value. For instance, if you define a HOME_NET variable name inside -of a Snort rules file, you can set this value from it's predefined value at the +Set variable name "variable" to value "value". This is useful for setting the +value of a defined variable name in a Snort rules file to a command line +specified value. For instance, if you define a HOME_NET variable name inside +of a Snort rules file, you can set this value from it's predefined value at the command line. .IP "-t chroot" -Changes Snort's root directory to +Changes Snort's root directory to .I chroot after initialization. Please note that all log/alert filenames are relative to the chroot directory if chroot is used. @@ -314,14 +324,14 @@ indicating that everything is ready to proceed. This is a good switch to use if daemon mode is going to be used, it verifies that the Snort configuration that is about to be used is valid and won't fail at -run time. Note, Snort looks for either /etc/snort.conf or ./snort.conf. -If your config lives elsewhere, use the -c option to specify a valid +run time. Note, Snort looks for either /etc/snort.conf or ./snort.conf. +If your config lives elsewhere, use the -c option to specify a valid .I config-file. .IP "-u user" Change the user/UID Snort runs under to .I user after initialization. -.IP -U +.IP -U Changes the timestamp in all logs to be in UTC .IP -v Be verbose. Prints packets out to the console. There is one big problem with 
@@ -333,7 +343,7 @@ .IP -V Show the version number and exit. .IP "-w" -Show management frames if runnong on an 802.11 (wireless) network. +Show management frames if running on an 802.11 (wireless) network. .IP "-W" .B *WIN32 ONLY* Enumerate the network interfaces available. @@ -381,27 +391,27 @@ Default is pass before alert, drop, etc. .IP "--treat-drop-as-alert" Converts drop, sdrop, and reject rules into alert rules during startup. +.IP "--treat-drop-as-ignore" +Use drop, sdrop, and reject rules to ignore session traffic when not inline. .IP "--process-all-events" Process all triggered events in group order, per Rule Ordering configuration. Default stops after first group. +.IP "--enable-inline-test" +Enable Inline-Test Mode Operation. .IP "--pid-path directory" Specify the path for Snort's PID file. .IP "--create-pidfile" Create PID file, even when not in Daemon mode. .IP "--nolock-pidfile" Do not try to lock Snort PID file. -.IP "--disable-inline-initialization" -Do not initialize IPTables when in inline mode. To be used with -T -to test for a valid configuration without requiring opening inline -devices and adversely affecting traffic flow. .IP "--pcap-single=\fItcpdump-file\fP" Same as -r. Added for completeness. .IP "--pcap-filter=\fIfilter\fP" Shell style filter to apply when getting pcaps from file or directory. This filter will apply to any --pcap-file or --pcap-dir arguments following. Use ---pcap-no-filter to delete filter for following ---pcap-file or --pcap-dir arguments or specifiy +--pcap-no-filter to delete filter for following +--pcap-file or --pcap-dir arguments or specify --pcap-filter again to forget previous filter and to apply to following --pcap-file or --pcap-dir arguments. .IP "--pcap-list=\fI""list""\fP" 
@@ -409,7 +419,7 @@ .IP "--pcap-dir=\fIdirectory\fP" A directory to recurse to look for pcaps. Sorted in ascii order. .IP "--pcap-file=\fIfile\fP" -File that contains a list of pcaps to read. Can specifiy path to +File that contains a list of pcaps to read. Can specify path to pcap or directory to recurse to get pcaps. .IP "--pcap-no-filter" Reset to use no filter when getting pcaps from file or directory. @@ -420,12 +430,24 @@ .IP "--pcap-show" Print a line saying what pcap is currently being read. .IP "--exit-check=\fIcount\fP" -Signal termination after <count> callbacks from pcap_dispatch(), showing the -time it takes from signaling until pcap_close() is called. +Signal termination after <count> callbacks from DAQ_Acquire(), showing the +time it takes from signaling until DAQ_Stop() is called. .IP "--conf-error-out" Same as -x. .IP "--require-rule-sid" -Require an SID for every rule to be correctly hreshold all rules. +Require an SID for every rule to be correctly threshold all rules. +.IP "--daq <type>" +Select packet acquisition module (default is pcap). +.IP "--daq-mode <mode>" +Select the DAQ operating mode. +.IP "--daq-var <name=value>" +Specify extra DAQ configuration variable. +.IP "--daq-dir <dir>" +Tell Snort where to find desired DAQ. +.IP "--daq-list [<dir>]" +List packet acquisition modules available in dir. +.IP "--cs-dir <dir>" +Tell Snort to use control socket and create the socket in dir. .IP "\fI expression\fP" .RS @@ -523,7 +545,7 @@ which may be either an address or a name. .IP "\fBsrc host \fIhost\fR" True if the IP source field of the packet is \fIhost\fP. -.IP "\fBhost \fIhost\fP +.IP "\fBhost \fIhost\fP" True if either the IP source or destination of the packet is \fIhost\fP. Any of the above host expressions can be prepended with the keywords, \fBip\fP, \fBarp\fP, or \fBrarp\fP as in: 
@@ -540,16 +562,16 @@ .in -.5i If \fIhost\fR is a name with multiple IP addresses, each address will be checked for a match. -.IP "\fBether dst \fIehost\fP +.IP "\fBether dst \fIehost\fP" True if the ethernet destination address is \fIehost\fP. \fIEhost\fP may be either a name from /etc/ethers or a number (see .IR ethers (3N) for numeric format). -.IP "\fBether src \fIehost\fP +.IP "\fBether src \fIehost\fP" True if the ethernet source address is \fIehost\fP. -.IP "\fBether host \fIehost\fP +.IP "\fBether host \fIehost\fP" True if either the ethernet source or destination address is \fIehost\fP. -.IP "\fBgateway\fP \fIhost\fP +.IP "\fBgateway\fP \fIhost\fP" True if the packet used \fIhost\fP as a gateway. I.e., the ethernet source or destination address was \fIhost\fP but neither the IP source nor the IP destination was \fIhost\fP. \fIHost\fP must be a name and @@ -764,7 +786,7 @@ easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed. .SH READING PCAPS -Instead of having Snort listen on an interface, you can give it a packet +Instead of having Snort listen on an interface, you can give it a packet capture to read. Snort will read and analyze the packets as if they came off the wire. This can be useful for testing and debugging Snort. @@ -791,7 +813,7 @@ $ snort --pcap-file=foo.txt This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps. -Note that Snort will not try to determine whether the files under that +Note that Snort will not try to determine whether the files under that directory are really pcap files or not. .RE 0 @@ -846,7 +868,7 @@ In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, -so all files found under /home/foo/pcaps will be included. +so all files found under /home/foo/pcaps will be included. $ snort --pcap-filter="*.pcap --pcap-file=foo.txt \\ .PP 
@@ -857,7 +879,7 @@ In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included, then the -filter "*.cap" will be applied to files found under /home/foo/pcaps2. +filter "*.cap" will be applied to files found under /home/foo/pcaps2. .RE 0 \fBResetting state\fR @@ -865,8 +887,8 @@ .RS 5 $ snort --pcap-dir=/home/foo/pcaps --pcap-reset -The above example will read all of the files under /home/foo/pcaps, but -after each pcap is read, Snort will be reset to a post-configuration +The above example will read all of the files under /home/foo/pcaps, but +after each pcap is read, Snort will be reset to a post-configuration state, meaning all buffers will be flushed, statistics reset, etc. For each pcap, it will be like Snort is seeing traffic for the first time. 
@@ -881,28 +903,34 @@ .RE 0 .PD .SH RULES -Snort uses a simple but flexible rules language to describe network packet +Snort uses a simple but flexible rules language to describe network packet signatures and associate them with actions. The current rules document can -be found at http://www.snort.org/snort_rules.html. +be found at http://www.snort.org/snort-rules. .SH NOTES The following signals have the specified effect when sent to the daemon process using the \fBkill(1)\fR command: .PP .IP SIGHUP Causes the daemon to close all opened files and restart. Please \fBnote\fR that this will only work if the \fBfull\fR pathname is -used to invoke snort in daemon mode, otherwise snort will just exit with an -error message being sent to -.B syslogd(8) -. -.PP +used to invoke snort in daemon mode, otherwise snort will just exit with an +error message being sent to \fBsyslogd(8)\fR. +.PP .IP SIGUSR1 Causes the program to dump its current packet statistical information to the -console or -.B syslogd(8) -if in daemon mode. -. +console or \fBsyslogd(8)\fR if in daemon mode. +.PP +.IP SIGUSR2 +Causes the program to rotate Perfmonitor statistical information to the +console or \fBsyslogd(8)\fR if in daemon mode. +.PP +.IP SIGURG +Causes the program to reload attribute table. +.PP +.IP SIGCHLD +Used internally. .PP -Any other signal causes the daemon to close all opened files and exit. +Please refer to manual for more details. Any other signal might cause the +daemon to close all opened files and exit. .SH HISTORY .B Snort diff -Nru snort-2.9.0.1/snort-common.postrm snort-2.9.2/snort-common.postrm --- snort-2.9.0.1/snort-common.postrm 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/snort-common.postrm 1969-12-31 16:00:00.000000000 -0800 
@@ -1,39 +0,0 @@ -#! /bin/sh -# postrm script for snort -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * <postrm> `remove' -# * <postrm> `purge' -# * <old-postrm> `upgrade' <new-version> -# * <new-postrm> `failed-upgrade' <old-version> -# * <new-postrm> `abort-install' -# * <new-postrm> `abort-install' <old-version> -# * <new-postrm> `abort-upgrade' <old-version> -# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version> -# for details, see /usr/doc/packaging-manual/ - - -case "$1" in - purge) - # on installation we touch this file to ensure it's there - # if it's still there and emmpty, we can remove it - # if it's not empty, snort-{mysql,pgsql} have added content and - # should deal with it themselve on purge - if [ -e /etc/snort/database.conf ] && [ ! -s /etc/snort/database.conf ] - then - rm -f /etc/snort/database.conf - fi - ;; - remove|upgrade|failed-upgrade|abort-install|abort-upgrade) - # nothing -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - diff -Nru snort-2.9.0.1/snort-common.preinst snort-2.9.2/snort-common.preinst --- snort-2.9.0.1/snort-common.preinst 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/snort-common.preinst 1969-12-31 16:00:00.000000000 -0800 
@@ -1,74 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# * <new-preinst> `install' -# * <new-preinst> `install' <old-version> -# * <new-preinst> `upgrade' <old-version> -# * <old-preinst> `abort-upgrade' <new-version> - -DBCONF="/etc/snort/database.conf" -GENCONF="/etc/snort/snort.conf" - -case "$1" in - install) - # make sure database configuration file exists - touch $DBCONF - # TODO: Having an empty file here is a little bit weird for sysadmins - # it might be better to have a file with just a comment saying - # that it does nothing, but then it makes it difficult for - # snort-common to detect if he has to purge it on postrm - ;; - upgrade) - # earlier versions modified /etc/snort/snort.conf directly for the - # DB stuff, we splitt it off in a sepperate file, to ensure smooth - # upgrades - if dpkg --compare-versions "$2" le "2.8.5.2-2"; - then - GENCONF_TEMPFILE=`mktemp` - DBCONF_TEMPFILE=`mktemp` - WRITE_DB=0 - WRITE_GEN=1 - cat $GENCONF | while read LINE - do - if [ "$LINE" = "# (#DBEND#)" ] - then - WRITE_DB=0 - WRITE_GEN=1 - fi - if [ $WRITE_DB -eq 1 ] - then - echo $LINE >> $DBCONF_TEMPFILE - fi - if [ $WRITE_GEN -eq 1 ] - then - echo $LINE >> $GENCONF_TEMPFILE - fi - if [ "$LINE" = "# (#DBSTART#)" ] - then - WRITE_DB=1 - WRITE_GEN=0 - fi - done - mv $DBCONF_TEMPFILE $DBCONF - mv $GENCONF_TEMPFILE $DBCONF - fi - ;; - configure) - ;; - abort-upgrade) - ;; - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - diff -Nru snort-2.9.0.1/snort.pc.in snort-2.9.2/snort.pc.in --- snort-2.9.0.1/snort.pc.in 2009-07-06 17:39:45.000000000 -0700 +++ snort-2.9.2/snort.pc.in 2011-06-07 17:32:59.000000000 -0700 
@@ -3,6 +3,7 @@
 bindir=@bindir@
 libdir=@libdir@
 includedir=@includedir@
+datarootdir=@datarootdir@
 datadir=@datadir@
 mandir=@infodir@
 infodir=@infodir@
diff -Nru snort-2.9.0.1/src/active.c snort-2.9.2/src/active.c
--- snort-2.9.0.1/src/active.c 2011-12-28 14:36:52.000000000 -0800
+++ snort-2.9.2/src/active.c 2011-10-26 11:28:52.000000000 -0700
@@ -1,7 +1,7 @@
 /* $Id$ */
 /****************************************************************************
 *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -20,11 +20,18 @@
 *
 ****************************************************************************/
+// @file active.c
+// @author Russ Combs <rcombs@sourcefire.com>
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
-#include "dumbnet.h"
+#ifdef HAVE_DUMBNET_H
+#include <dumbnet.h>
+#else
+#include <dnet.h>
+#endif
 #include "active.h"
 #include "stream_api.h"
@@ -40,7 +47,7 @@
 // these can't be pkt flags because we do the handling
 // of these flags following all processing and the drop
 // or response may have been produced by a pseudopacket.
-int active_drop_pkt = 0;
+tActiveDrop active_drop_pkt = ACTIVE_ALLOW;
 int active_drop_ssn = 0;
 // TBD consider performance of replacing active_drop_pkt/ssn
 // with a active_verdict. change over if it is a wash or better.
@@ -69,7 +76,7 @@
 static send_t s_send = DAQ_Inject;
 static uint64_t s_injects = 0;
-static INLINE PROTO_ID GetInnerProto (const Packet* p)
+static inline PROTO_ID GetInnerProto (const Packet* p)
 {
 if ( !p->next_layer ) return PROTO_MAX;
 return ( p->layers[p->next_layer-1].proto );
@@ -102,7 +109,7 @@
 }
 // helper function
-static INLINE void Active_ClearQueue (void)
+static inline void Active_ClearQueue (void)
 {
 s_rejFunc = s_rspFunc = NULL;
 s_rejData = s_rspData = NULL;
@@ -143,17 +150,17 @@
 EncodeFlags flags = pf ? *pf : ENC_FLAG_FWD;
 switch ( GET_IPH_PROTO(p) )
- {
+ {
 case IPPROTO_TCP:
 Active_SendReset(p, 0);
 if ( flags & ENC_FLAG_FWD )
 Active_SendReset(p, ENC_FLAG_FWD);
 break;
- case IPPROTO_UDP:
+ default:
 Active_SendUnreach(p, ENC_UNR_PORT);
 break;
- }
+ }
 }
 //--------------------------------------------------------------------
@@ -166,12 +173,18 @@
 if ( s_enabled && (!DAQ_CanInject() || sc->respond_device) )
 {
+ if ( ScReadMode() || Active_Open(sc->respond_device) )
 {
 LogMessage("WARNING: active responses disabled since DAQ "
 "can't inject packets.\n");
+#ifndef REG_TEST
 s_attempts = s_enabled = 0;
+#endif
 }
+
+ if (NULL != sc->eth_dst)
+ Encode_SetDstMAC(sc->eth_dst);
 }
 return 0;
 }
@@ -186,7 +199,7 @@
 void Active_SetEnabled (int on_off) { s_enabled = on_off; }
-static INLINE uint32_t GetFlags (void)
+static inline uint32_t GetFlags (void)
 {
 uint32_t flags = ENC_FLAG_ID;
 if ( DAQ_RawInjection() || s_ipnet ) flags |= ENC_FLAG_RAW;
@@ -222,21 +235,10 @@
 uint32_t len;
 const uint8_t* rej;
 uint32_t flags = GetFlags();
- PROTO_ID proto;
 if ( !s_attempts ) return;
- // do not send ICMP responses to ICMP packets
- proto = GetInnerProto(p);
-
- if ( (proto == IPPROTO_ICMP) || (proto == IPPROTO_ICMPV6) )
- {
- ErrorMessage(
- "Active_SendUnreach: ignoring UNR for ICMP packet.\n");
- return;
- }
-
 rej = Encode_Reject(type, flags, p, &len);
 if ( !rej ) return;
@@ -250,7 +252,7 @@
 flags |= GetFlags();
 for ( i = 0; i < s_attempts; i++ )
- {
+ {
 uint32_t plen = 0;
 const uint8_t* seg;
@@ -261,7 +263,7 @@
 if ( !seg ) return;
 s_send(p->pkth, !(flags & ENC_FLAG_FWD), seg, plen);
- }
+ }
 }
 //--------------------------------------------------------------------
@@ -274,7 +276,7 @@
 if ( !p->tcph ) return 0;
- /*
+ /*
 ** This ensures that we don't reset packets that we just
 ** spoofed ourselves, thus inflicting a self-induced DOS
 ** attack.
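Review bot: Replacing `case IPPROTO_UDP:` with `default:` makes Active_SendUnreach() run for every non-TCP protocol, and the hunk at -222 on this same line removes the guard that refused to build an unreachable for ICMP input, so an ICMP error arriving at the sensor is now answered with another ICMP error. RFC 1122 section 3.2.2 forbids that because two responders doing it can keep exchanging error messages; the rewritten Active_IsUNRCandidate() on the next line adds PROTO_ICMP4/PROTO_ICMP6 on purpose, so the filter should move rather than disappear. Keep `case IPPROTO_UDP:` here, or have the `default:` path inspect the inner ICMP type and return before calling Active_SendUnreach() for anything that is not an echo-style request. The enclosing function starts outside the hunk.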
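Review bot: The added `if ( ScReadMode() || Active_Open(sc->respond_device) )` still logs "active responses disabled since DAQ can't inject packets", which is the wrong reason for the ScReadMode() case, and per the Active_Open() body in the -392 hunk two lines below the second operand can never be non-zero, because that function calls FatalError() on any open failure and returns 0 otherwise. Split the branches so the message names the actual cause, e.g. `LogMessage("WARNING: active responses disabled in read mode.\n");` on the read-mode path. The `#ifndef REG_TEST` around `s_attempts = s_enabled = 0;` leaves responses flagged enabled in regression builds with no open device; presumably intentional, but it deserves a one-line comment such as `// REG_TEST: responses stay enabled with no device open -- confirm intent`. The enclosing function starts outside the hunk.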
@@ -284,12 +286,15 @@ int Active_IsUNRCandidate(const Packet* p) { + // FIXTHIS allow unr to tcp/udp/icmp4/icmp6 only or for all switch ( GetInnerProto(p) ) { - case PROTO_TCP: - return ( p->tcph != NULL ); - case PROTO_UDP: - return ( p->udph != NULL ); + case PROTO_TCP: + case PROTO_ICMP4: +#ifdef SUP_IP6 + case PROTO_ICMP6: +#endif + return 1; default: break; @@ -342,10 +347,8 @@ //-------------------------------------------------------------------- // support for decoder and rule actions -int Active_IgnoreSession (Packet* p) +static inline void _Active_DoIgnoreSession(Packet *p) { - Active_DropPacket(); - if ( ScInlineMode() || ScTreatDropAsIgnore() ) { if (p->ssnptr && stream_api) @@ -356,35 +359,69 @@ //drop this and all following fragments frag3DropAllFragments(p); } - return 0; } +int Active_IgnoreSession (Packet* p) +{ + Active_DropPacket(); -int Active_DropAction (Packet* p) + _Active_DoIgnoreSession(p); + + return 0; +} + +int Active_ForceDropAction(Packet *p) { - Active_IgnoreSession(p); + // explicitly drop packet + Active_ForceDropPacket(); + _Active_DoIgnoreSession(p); + return 0; +} + +static inline int _Active_DoReset(Packet *p) +{ #ifdef ACTIVE_RESPONSE if ( !Active_IsEnabled() ) return 0; + if ( !IPH_IS_VALID(p) ) + return 0; + switch ( GET_IPH_PROTO(p) ) - { + { case IPPROTO_TCP: if ( Active_IsRSTCandidate(p) ) - Active_QueueReject(); + Active_QueueReject(); break; + // FIXTHIS send unr to udp/icmp4/icmp6 only or for all non-tcp? case IPPROTO_UDP: + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: if ( Active_IsUNRCandidate(p) ) - Active_QueueReject(); + Active_QueueReject(); break; - } + } #endif return 0; } +int Active_DropAction (Packet* p) +{ + Active_IgnoreSession(p); + + return _Active_DoReset(p); +} + +int Active_ForceDropResetAction(Packet *p) +{ + Active_ForceDropAction(p); + + return _Active_DoReset(p); +} + //-------------------------------------------------------------------- // support for non-DAQ injection 
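Review bot: `case PROTO_UDP:` is dropped from Active_IsUNRCandidate in the @@ -284 hunk (only PROTO_TCP, PROTO_ICMP4 and, under SUP_IP6, PROTO_ICMP6 now return 1), yet _Active_DoReset in the @@ -356 hunk still routes `case IPPROTO_UDP:` through `Active_IsUNRCandidate(p)`, so a UDP packet presumably falls to `default: break;` and never gets an unreachable response, while the TCP case in _Active_DoReset never consults this function at all. If UDP was meant to remain a candidate, the new list should read `case PROTO_UDP:` rather than `case PROTO_TCP:`; if the omission is intentional, the FIXTHIS comment above the switch should say so instead of listing udp as allowed. The `return 0` that closes Active_IsUNRCandidate lies outside the hunk.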
@@ -392,23 +429,23 @@ static int Active_Open (const char* dev) { if ( dev && strcasecmp(dev, "ip") ) - { + { s_link = eth_open(dev); if ( !s_link ) FatalError("%s: can't open %s!\n", "Active response", dev); s_send = Active_SendEth; - } + } else - { + { s_ipnet = ip_open(); if ( !s_ipnet ) FatalError("%s: can't open ip!\n", "Active response"); s_send = Active_SendIp; - } + } return ( s_link || s_ipnet ) ? 0 : -1; } diff -Nru snort-2.9.0.1/src/active.h snort-2.9.2/src/active.h --- snort-2.9.0.1/src/active.h 2010-06-09 15:50:08.000000000 -0700 +++ snort-2.9.2/src/active.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +19,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + +// @file active.h +// @author Russ Combs <rcombs@sourcefire.com> + #ifndef __ACTIVE_H__ #define __ACTIVE_H__ 
@@ -56,55 +60,75 @@ void Active_SetEnabled(int on_off); #endif // ACTIVE_RESPONSE -extern int active_drop_pkt; +typedef enum { + ACTIVE_ALLOW = 0, + ACTIVE_DROP = 1, + ACTIVE_WOULD_DROP = 2, + ACTIVE_FORCE_DROP = 3 +} tActiveDrop; +extern tActiveDrop active_drop_pkt; extern int active_drop_ssn; #ifdef ACTIVE_RESPONSE extern int active_have_rsp; #endif -static INLINE void Active_Reset (void) +static inline void Active_Reset (void) { - active_drop_pkt = active_drop_ssn = 0; + active_drop_pkt = ACTIVE_ALLOW; + active_drop_ssn = 0; #ifdef ACTIVE_RESPONSE active_have_rsp = 0; #endif } -static INLINE void Active_DropPacket (void) +static inline void Active_ForceDropPacket (void) { - if ( ScInlineMode() ) - { - active_drop_pkt = 1; - } - else if (ScInlineTestMode()) + active_drop_pkt = ACTIVE_FORCE_DROP; +} + +static inline void Active_DropPacket (void) +{ + if ( active_drop_pkt != ACTIVE_FORCE_DROP ) { - active_drop_pkt = 2; + if ( ScInlineMode() ) + { + active_drop_pkt = ACTIVE_DROP; + } + else if (ScInlineTestMode()) + { + active_drop_pkt = ACTIVE_WOULD_DROP; + } } } -static INLINE void Active_DropSession (void) +static inline void Active_DropSession (void) { active_drop_ssn = 1; Active_DropPacket(); } -static INLINE int Active_PacketWasDropped (void) +static inline int Active_PacketWouldBeDropped (void) { - return ( active_drop_pkt == 1 ); + return (active_drop_pkt == ACTIVE_WOULD_DROP ); } -static INLINE int Active_PacketWouldBeDropped (void) +static inline int Active_PacketForceDropped (void) { - return (active_drop_pkt == 2 ); + return (active_drop_pkt == ACTIVE_FORCE_DROP ); } -static INLINE int Active_SessionWasDropped (void) +static inline int Active_PacketWasDropped (void) +{ + return ( active_drop_pkt == ACTIVE_DROP ) || Active_PacketForceDropped(); +} + +static inline int Active_SessionWasDropped (void) { return ( active_drop_ssn != 0 ); } #ifdef ACTIVE_RESPONSE -static INLINE int Active_ResponseQueued (void) +static inline int Active_ResponseQueued (void) { 
return ( active_have_rsp != 0 ); } @@ -118,5 +142,13 @@ // for rules with custom response = resp3 | react int Active_IgnoreSession(Packet*); +// force drops the current session w/o active response invoked +// ignores policy/inline test mode and treat drop as alert +int Active_ForceDropAction(Packet *p); + +// force drops the current session with active response invoked +// ignores policy/inline test mode and treat drop as alert +int Active_ForceDropResetAction(Packet *p); + #endif // __ACTIVE_H__ diff -Nru snort-2.9.0.1/src/bounds.h snort-2.9.2/src/bounds.h --- snort-2.9.0.1/src/bounds.h 2010-01-26 10:09:10.000000000 -0800 +++ snort-2.9.2/src/bounds.h 1969-12-31 16:00:00.000000000 -0800 
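Review bot: The new `tActiveDrop` enum in active.h has no comment explaining its four states, although the inline helpers below give them distinct meanings: ACTIVE_DROP and ACTIVE_WOULD_DROP are assigned by Active_DropPacket according to ScInlineMode()/ScInlineTestMode(), ACTIVE_FORCE_DROP is assigned by Active_ForceDropPacket regardless of mode and is not overwritten by a later Active_DropPacket, and Active_PacketWasDropped reports both ACTIVE_DROP and ACTIVE_FORCE_DROP. A block comment above the typedef stating those rules, and that ACTIVE_ALLOW is the value Active_Reset restores, would keep callers from treating force-drop as a mere synonym for drop. The hunk's opening lines precede this line of the listing.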
@@ -1,182 +0,0 @@ -#ifndef _BOUNDS_H -#define _BOUNDS_H -/* -** Copyright (C) 2003-2010 Sourcefire, Inc. -** Chris Green <cmg@sourcefire.com> -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -** -*/ - - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#ifdef OSF1 -#include <sys/bitypes.h> -#endif - -#include <string.h> -#include <stdio.h> -#include <stdlib.h> -#include <sys/types.h> -#include <assert.h> -#include <unistd.h> - -#define SAFEMEM_ERROR 0 -#define SAFEMEM_SUCCESS 1 - -#include "debug.h" -#ifndef DEBUG - #define ERRORRET return SAFEMEM_ERROR; -#else - #define ERRORRET assert(0==1) -#endif /* DEBUG */ - -#include "sf_types.h" - - -/* - * Check to make sure that p is less than or equal to the ptr range - * pointers - * - * 1 means it's in bounds, 0 means it's not - */ -static INLINE int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p) -{ - if ((p >= start) && (p < end)) - return 1; - return 0; -} - -static INLINE int SafeMemCheck(void *dst, size_t n, - const void *start, const void *end) -{ - void *tmp; - - if (n < 1) - return SAFEMEM_ERROR; - - if ((dst == NULL) || (start == NULL) || (end == NULL)) - return SAFEMEM_ERROR; - - tmp = ((uint8_t *)dst) + (n - 1); - if (tmp < dst) - return SAFEMEM_ERROR; - - if 
(!inBounds(start, end, dst) || !inBounds(start, end, tmp)) - return SAFEMEM_ERROR; - - return SAFEMEM_SUCCESS; -} - -/** - * A Safer Memcpy - * - * @param dst where to copy to - * @param src where to copy from - * @param n number of bytes to copy - * @param start start of the dest buffer - * @param end end of the dst buffer - * - * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success - */ -static INLINE int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end) -{ - if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) - ERRORRET; - if (src == NULL) - ERRORRET; - memcpy(dst, src, n); - return SAFEMEM_SUCCESS; -} - -/** - * A Safer Memmove - * dst and src can be in the same buffer - * - * @param dst where to copy to - * @param src where to copy from - * @param n number of bytes to copy - * @param start start of the dest buffer - * @param end end of the dst buffer - * - * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success - */ -static INLINE int SafeMemmove(void *dst, const void *src, size_t n, const void *start, const void *end) -{ - if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) - ERRORRET; - if (src == NULL) - ERRORRET; - memmove(dst, src, n); - return SAFEMEM_SUCCESS; -} - -/** - * A Safer Memset - * dst and src can be in the same buffer - * - * @param dst where to copy to - * @param c character to set memory with - * @param n number of bytes to set - * @param start start of the dst buffer - * @param end end of the dst buffer - * - * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success - */ -static INLINE int SafeMemset(void *dst, uint8_t c, size_t n, const void *start, const void *end) -{ - if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) - ERRORRET; - memset(dst, c, n); - return SAFEMEM_SUCCESS; -} - -/** - * A Safer *a = *b - * - * @param start start of the dst buffer - * @param end end of the dst buffer - * @param dst the location to write to - * @param src the source to read from - 
* - * @return 0 on failure, 1 on success - */ -static INLINE int SafeWrite(uint8_t *start, uint8_t *end, uint8_t *dst, uint8_t *src) -{ - if(!inBounds(start, end, dst)) - { - ERRORRET; - } - - *dst = *src; - return 1; -} - -static INLINE int SafeRead(uint8_t *start, uint8_t *end, uint8_t *src, uint8_t *read) -{ - if(!inBounds(start,end, src)) - { - ERRORRET; - } - - *read = *start; - return 1; -} - -#endif /* _BOUNDS_H */ diff -Nru snort-2.9.0.1/src/build.h snort-2.9.2/src/build.h --- snort-2.9.0.1/src/build.h 2010-10-25 12:48:58.000000000 -0700 +++ snort-2.9.2/src/build.h 2011-12-08 08:49:14.000000000 -0800 @@ -1 +1 @@ -#define BUILD "82" +#define BUILD "78" diff -Nru snort-2.9.0.1/src/byte_extract.c snort-2.9.2/src/byte_extract.c --- snort-2.9.0.1/src/byte_extract.c 2010-01-26 10:09:11.000000000 -0800 +++ snort-2.9.2/src/byte_extract.c 2011-06-07 17:33:05.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** Chris Green <cmg@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -21,6 +21,12 @@ ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "snort.h" + #include <sys/types.h> #include <stdlib.h> #include <ctype.h> @@ -29,18 +35,18 @@ #endif #include <errno.h> -#include "bounds.h" +#include "snort_bounds.h" #include "byte_extract.h" -#include "debug.h" +#include "snort_debug.h" #define TEXTLEN (PARSELEN + 1) - -/** + +/** * Grab a binary representation of data from a buffer * * This method will read either a big or little endian value in binary - * data from the packet and return an uint32_t value. - * + * data from the packet and return an uint32_t value. + * * @param endianess value to read the byte as * @param bytes_to_grab how many bytes should we grab from the packet * @param data pointer to where to grab the data from 
@@ -65,11 +71,11 @@ { return -3; } - + if(!inBounds(start,end,ptr)) { return -3; - } + } /* * We only support grabbing 1, 2, or 4 bytes of binary data. @@ -130,9 +136,9 @@ return 0; } -/** +/** * Grab a string representation of data from a buffer - * + * * @param base base representation for data: -> man stroul() * @param bytes_to_grab how many bytes should we grab from the packet * @param data pointer to where to grab the data from @@ -160,11 +166,11 @@ { return -3; } - + if(!inBounds(start,end,ptr)) { return -3; - } + } for(x=0;x<bytes_to_grab; x++) { @@ -172,22 +178,22 @@ } byte_array[bytes_to_grab] = '\0'; - + *value = strtoul(byte_array, &parse_helper, base); - + if(byte_array == parse_helper) { return -1; } -#ifdef TEST_BYTE_EXTRACT +#ifdef TEST_BYTE_EXTRACT printf("[----]\n"); for(x=0;(x<=TEXTLEN) && (byte_array[x] != '\0');x++) printf("%c", byte_array[x]); printf("\n"); - + printf("converted value: 0x%08X (%u) %s\n", *value, *value, (char *) byte_array); -#endif /* TEST_BYTE_EXTRACT */ +#endif /* TEST_BYTE_EXTRACT */ return(parse_helper - byte_array); /* Return the number of bytes actually extracted */ } @@ -199,8 +205,8 @@ { int i; uint32_t ret; - - uint8_t value1[2]; + + uint8_t value1[2]; uint8_t value2[2]; uint8_t value3[4]; @@ -233,7 +239,7 @@ printf("test 2: value: %x %u\n", ret, ret); } - + if(byte_extract(LITTLE, 2, value1 + 2, value1, value1 + 2, &ret)) { printf("test 3 failed correctly\n"); @@ -262,7 +268,7 @@ printf("test 2: value: %x %u\n", ret, ret); } - + if(byte_extract(LITTLE, 2, value2 + 2, value2, value2 + 2, &ret)) { printf("test 3 failed correctly\n"); @@ -291,7 +297,7 @@ printf("test 2: value: %x %u\n", ret, ret); } - + if(byte_extract(LITTLE, 4, value3 + 2, value3, value3 + 4, &ret)) { printf("test 3 failed correctly\n"); @@ -310,7 +316,7 @@ printf("[loop] %d failed correctly\n", i); } else - { + { printf("[loop] value: %x %x\n", ret, *(uint32_t *) &value3); } } 
@@ -321,7 +327,7 @@ char *stringdata = "21212312412"; int datalen = strlen(stringdata); uint32_t ret; - + if(string_extract(4, 10, stringdata, stringdata, stringdata + datalen, &ret) < 0) { printf("TS1: Failed\n"); @@ -349,7 +355,7 @@ printf("TS3: value %x %u\n", ret, ret); } - + if(string_extract(19, 10, stringdata, stringdata, stringdata + datalen, &ret) < 0) { printf("TS4: Failed Normally\n"); diff -Nru snort-2.9.0.1/src/byte_extract.h snort-2.9.2/src/byte_extract.h --- snort-2.9.0.1/src/byte_extract.h 2010-08-25 13:22:36.000000000 -0700 +++ snort-2.9.2/src/byte_extract.h 2011-02-09 15:22:45.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/checksum.h snort-2.9.2/src/checksum.h --- snort-2.9.0.1/src/checksum.h 2010-06-09 15:04:50.000000000 -0700 +++ snort-2.9.2/src/checksum.h 2011-06-07 17:33:05.000000000 -0700 @@ -3,7 +3,7 @@ ** Copyright (C) 2000,2001 Christopher Cramer <cec@ee.duke.edu> ** Snort is Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -35,7 +35,7 @@ #include "config.h" #endif -#include "debug.h" +#include "snort_debug.h" #include <sys/types.h> /* @@ -43,9 +43,9 @@ * * w - short words of data * blen - byte length -* +* */ -static INLINE unsigned short in_chksum_ip( unsigned short * w, int blen ) +static inline unsigned short in_chksum_ip( unsigned short * w, int blen ) { unsigned int cksum; 
@@ -74,7 +74,7 @@ cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short) (~cksum); } @@ -86,7 +86,7 @@ * dlen - length of tcp hdr + payload in bytes * */ -static INLINE unsigned short in_chksum_tcp( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_tcp( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -112,7 +112,7 @@ cksum += d[9]; dlen -= 20; /* bytes */ - d += 10; /* short's */ + d += 10; /* short's */ while(dlen >=32) { @@ -136,13 +136,13 @@ dlen -= 32; } - while(dlen >=8) + while(dlen >=8) { cksum += d[0]; cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } @@ -152,19 +152,19 @@ dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { /* printf("new checksum odd byte-packet\n"); */ *(unsigned char*)(&answer) = (*(unsigned char*)d); /* cksum += (uint16_t) (*(uint8_t*)d); */ - + cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } /* @@ -175,7 +175,7 @@ * dlen - length of tcp hdr + payload in bytes * */ -static INLINE unsigned short in_chksum_tcp6( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_tcp6( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -213,7 +213,7 @@ cksum += d[9]; dlen -= 20; /* bytes */ - d += 10; /* short's */ + d += 10; /* short's */ while(dlen >=32) { @@ -237,13 +237,13 @@ dlen -= 32; } - while(dlen >=8) + while(dlen >=8) { cksum += d[0]; cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } 
@@ -253,19 +253,19 @@ dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { /* printf("new checksum odd byte-packet\n"); */ *(unsigned char*)(&answer) = (*(unsigned char*)d); /* cksum += (uint16_t) (*(uint8_t*)d); */ - + cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } @@ -277,7 +277,7 @@ * dlen - length of payload in bytes * */ -static INLINE unsigned short in_chksum_udp6( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_udp6( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -309,9 +309,9 @@ cksum += d[3]; dlen -= 8; /* bytes */ - d += 4; /* short's */ + d += 4; /* short's */ - while(dlen >=32) + while(dlen >=32) { cksum += d[0]; cksum += d[1]; @@ -339,31 +339,31 @@ cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } - while(dlen > 1) + while(dlen > 1) { cksum += *d++; dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { *(unsigned char*)(&answer) = (*(unsigned char*)d); cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } -static INLINE unsigned short in_chksum_udp( unsigned short *h, unsigned short * d, int dlen ) +static inline unsigned short in_chksum_udp( unsigned short *h, unsigned short * d, int dlen ) { unsigned int cksum; unsigned short answer=0; @@ -383,9 +383,9 @@ cksum += d[3]; dlen -= 8; /* bytes */ - d += 4; /* short's */ + d += 4; /* short's */ - while(dlen >=32) + while(dlen >=32) { cksum += d[0]; cksum += d[1]; 
@@ -413,37 +413,37 @@ cksum += d[1]; cksum += d[2]; cksum += d[3]; - d += 4; + d += 4; dlen -= 8; } - while(dlen > 1) + while(dlen > 1) { cksum += *d++; dlen -= 2; } - if( dlen == 1 ) - { + if( dlen == 1 ) + { *(unsigned char*)(&answer) = (*(unsigned char*)d); cksum += answer; } - + cksum = (cksum >> 16) + (cksum & 0x0000ffff); cksum += (cksum >> 16); - + return (unsigned short)(~cksum); } /* * checksum icmp */ -static INLINE unsigned short in_chksum_icmp( unsigned short * w, int blen ) +static inline unsigned short in_chksum_icmp( unsigned short * w, int blen ) { unsigned short answer=0; unsigned int cksum = 0; - while(blen >=32) + while(blen >=32) { cksum += w[0]; cksum += w[1]; @@ -465,7 +465,7 @@ blen -= 32; } - while(blen >=8) + while(blen >=8) { cksum += w[0]; cksum += w[1]; @@ -475,13 +475,13 @@ blen -= 8; } - while(blen > 1) + while(blen > 1) { cksum += *w++; blen -= 2; } - if( blen == 1 ) + if( blen == 1 ) { *(unsigned char*)(&answer) = (*(unsigned char*)w); cksum += answer; @@ -497,7 +497,7 @@ /* * checksum icmp6 */ -static INLINE unsigned short in_chksum_icmp6( unsigned short *h, unsigned short *w, int blen ) +static inline unsigned short in_chksum_icmp6( unsigned short *h, unsigned short *w, int blen ) { unsigned short answer=0; unsigned int cksum = 0; @@ -522,7 +522,7 @@ cksum += h[16]; cksum += h[17]; - while(blen >=32) + while(blen >=32) { cksum += w[0]; cksum += w[1]; @@ -544,7 +544,7 @@ blen -= 32; } - while(blen >=8) + while(blen >=8) { cksum += w[0]; cksum += w[1]; @@ -554,13 +554,13 @@ blen -= 8; } - while(blen > 1) + while(blen > 1) { cksum += *w++; blen -= 2; } - if( blen == 1 ) + if( blen == 1 ) { *(unsigned char*)(&answer) = (*(unsigned char*)w); cksum += answer; diff -Nru snort-2.9.0.1/src/control/Makefile.am snort-2.9.2/src/control/Makefile.am --- snort-2.9.0.1/src/control/Makefile.am 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/control/Makefile.am 2011-10-26 07:49:57.000000000 -0700 
@@ -0,0 +1,8 @@ +AUTOMAKE_OPTIONS=foreign no-dependencies + +noinst_LIBRARIES = libsfcontrol.a + +libsfcontrol_a_SOURCES = sfcontrol.c sfcontrol.h sfcontrol_funcs.h + +INCLUDES = @INCLUDES@ + diff -Nru snort-2.9.0.1/src/control/Makefile.in snort-2.9.2/src/control/Makefile.in --- snort-2.9.0.1/src/control/Makefile.in 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/control/Makefile.in 2011-12-07 11:23:17.000000000 -0800 
@@ -0,0 +1,468 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/control +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +LIBRARIES = $(noinst_LIBRARIES) +ARFLAGS = cru +libsfcontrol_a_AR = $(AR) $(ARFLAGS) +libsfcontrol_a_LIBADD = +am_libsfcontrol_a_OBJECTS = sfcontrol.$(OBJEXT) +libsfcontrol_a_OBJECTS = $(am_libsfcontrol_a_OBJECTS) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = 
+am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsfcontrol_a_SOURCES) +DIST_SOURCES = $(libsfcontrol_a_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = @INCLUDES@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = 
@OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ 
+target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +noinst_LIBRARIES = libsfcontrol.a +libsfcontrol_a_SOURCES = sfcontrol.c sfcontrol.h sfcontrol_funcs.h +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/control/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/control/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLIBRARIES: + -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) +libsfcontrol.a: $(libsfcontrol_a_OBJECTS) $(libsfcontrol_a_DEPENDENCIES) + -rm -f libsfcontrol.a + $(libsfcontrol_a_AR) libsfcontrol.a $(libsfcontrol_a_OBJECTS) $(libsfcontrol_a_LIBADD) + $(RANLIB) libsfcontrol.a + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + 
+.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + 
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LIBRARIES) +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export 
all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/control/sfcontrol.c snort-2.9.2/src/control/sfcontrol.c --- snort-2.9.0.1/src/control/sfcontrol.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/control/sfcontrol.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,640 @@
+/*
+**
+** sfcontrol.c
+**
+** Copyright (C) 2002-2011 Sourcefire, Inc.
+** Author(s): Ron Dempster <rdempster@sourcefire.com>
+**
+** NOTES
+** 5.16.11 - Initial Source Code. Dempster
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+**
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+
+#include "snort.h"
+#include "sfcontrol_funcs.h"
+#include "sfcontrol.h"
+
+#ifdef CONTROL_SOCKET
+
+#ifndef WIN32
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <signal.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <netinet/in.h>
+#endif
+
+static char config_unix_socket_fn[PATH_MAX];
+static int config_unix_socket;
+static volatile int stop_processing = 0;
+
+typedef struct _CS_RESPONSE_MESSAGE
+{
+ CSMessageHeader hdr;
+ char msg[1024];
+} CSResponseMessage;
+
+typedef struct _CS_MESSAGE
+{
+ CSMessageHeader hdr;
+ uint8_t *data;
+} CSMessage;
+
+typedef struct _CS_MESSAGE_HANDLER
+{
+ struct _CS_MESSAGE_HANDLER *next;
+ uint32_t type;
+ OOBPreControlFunc oobpre;
+ IBControlFunc ibcontrol;
+ OOBPostControlFunc oobpost;
+ pthread_mutex_t mutex;
+ void *new_context;
+ void *old_context;
+ volatile int handled;
+ volatile int ib_rval;
+} CSMessageHandler;
+
+#define CS_MAX_WORK 3
+#define CS_MAX_IDLE_WORK 10
+
+static unsigned s_work_to_do = 0;
+static unsigned s_work_done = 0;
+
+static pthread_mutex_t work_mutex = PTHREAD_MUTEX_INITIALIZER;
+static CSMessageHandler *work_queue;
+static CSMessageHandler *work_queue_tail;
+
+static CSMessageHandler *msg_handlers[CS_TYPE_MAX];
+static pthread_mutex_t msg_handler_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+typedef struct _THREAD_ELEMENT
+{
+ struct _THREAD_ELEMENT *next;
+ int socket_fd;
+ volatile int stop_processing;
+} ThreadElement;
+
+static ThreadElement *thread_list;
+static pthread_mutex_t thread_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_t thread_id;
+static pthread_t *p_thread_id;
+
+void ControlSocketConfigureDirectory(const char *optarg)
+{
+ const char *sep;
+ ssize_t len;
+
+ if (!optarg || config_unix_socket_fn[0])
+ return;
+
+ len = strlen(optarg);
+ if (len && optarg[len - 1] == '/')
+ sep = "";
+ else
+ sep = "/";
+ snprintf(config_unix_socket_fn, sizeof(config_unix_socket_fn), "%s%s%s", optarg, sep, CONTROL_FILE);
+}
+
+int ControlSocketRegisterHandler(uint16_t type, OOBPreControlFunc oobpre, IBControlFunc ib,
+ OOBPostControlFunc oobpost)
+{
+ if (type > CS_TYPE_MAX)
+ return -1;
+ pthread_mutex_lock(&msg_handler_mutex);
+ if (msg_handlers[type])
+ {
+ pthread_mutex_unlock(&msg_handler_mutex);
+ return -1;
+ }
+ if ((msg_handlers[type] = calloc(1, sizeof(*msg_handlers[type]))) == NULL)
+ {
+ pthread_mutex_unlock(&msg_handler_mutex);
+ return -1;
+ }
+ pthread_mutex_init(&msg_handlers[type]->mutex, NULL);
+ msg_handlers[type]->type = type;
+ msg_handlers[type]->oobpre = oobpre;
+ msg_handlers[type]->ibcontrol = ib;
+ msg_handlers[type]->oobpost = oobpost;
+ pthread_mutex_unlock(&msg_handler_mutex);
+ return 0;
+}
+
+static void SendResponse(ThreadElement *t, const CSResponseMessage *resp, uint32_t len)
+{
+ ssize_t numsent;
+ unsigned total_len = sizeof(resp->hdr) + len;
+ unsigned total = 0;
+
+ do
+ {
+ numsent = write(t->socket_fd, (*(uint8_t **)&resp) + total, total_len - total);
+ if (!numsent)
+ return;
+ else if (numsent > 0)
+ total += numsent;
+ else if (errno != EINTR && errno != EAGAIN)
+ return;
+ } while (total < total_len && !t->stop_processing);
+}
+
+static int ReadHeader(ThreadElement *t, CSMessageHeader *hdr)
+{
+ ssize_t numread;
+ unsigned total = 0;
+
+ do
+ {
+ numread = read(t->socket_fd, (*(uint8_t **)&hdr) + total, sizeof(*hdr) - total);
+ if (!numread)
+ return 0;
+ else if (numread > 0)
+ total += numread;
+ else if (errno != EINTR && errno != EAGAIN)
+ return -1;
+ } while (total < sizeof(*hdr) && !t->stop_processing);
+
+ if (total < sizeof(*hdr))
+ return 0;
+
+ hdr->length = ntohl(hdr->length);
+ hdr->type = ntohs(hdr->type);
+ hdr->version = ntohs(hdr->version);
+ return 1;
+}
+
+static int ReadData(ThreadElement *t, uint8_t *buffer, uint32_t length)
+{
+ ssize_t numread;
+ unsigned total = 0;
+
+ do
+ {
+ numread = read(t->socket_fd, buffer + total, length - total);
+ if (!numread)
+ return 0;
+ else if (numread > 0)
+ total += numread;
+ else if (errno != EINTR && errno != EAGAIN)
+ return -1;
+ } while (total < length && !t->stop_processing);
+
+ if (total < length)
+ return 0;
+
+ return 1;
+}
+
+static void *ControlSocketProcessThread(void *arg)
+{
+ CSResponseMessage response;
+ ThreadElement *t = (ThreadElement *)arg;
+ int fd;
+ pthread_t tid = pthread_self();
+ CSMessageHeader hdr;
+ uint32_t len;
+ uint8_t *data = NULL;
+ ThreadElement **it;
+ int rval;
+
+ if (t == NULL)
+ {
+ ErrorMessage("Control Socket: Invalid process thread parameter\n");
+ return NULL;
+ }
+ if ((fd = t->socket_fd) == -1)
+ {
+ ErrorMessage("Control Socket: Invalid process thread socket\n");
+ return NULL;
+ }
+
+ for (;;)
+ {
+ if ((rval = ReadHeader(t, &hdr)) == 0)
+ goto done;
+ else if (rval < 0)
+ goto done;
+
+ if (hdr.version != CS_HEADER_VERSION)
+ {
+ static const char * const bad_version = "Bad message header version";
+
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0002);
+ len = snprintf(response.msg, sizeof(response.msg), "%s", bad_version);
+ response.hdr.length = htonl(len);
+ SendResponse(t, &response, len);
+ goto done;
+ }
+
+ if (hdr.length > 4096)
+ {
+ static const char * const bad_data = "Bad message data";
+
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0002);
+ len = snprintf(response.msg, sizeof(response.msg), "%s", bad_data);
+ response.hdr.length = htonl(len);
+ SendResponse(t, &response, len);
+ goto done;
+ }
+
+ if (hdr.length)
+ {
+ if ((data = malloc(hdr.length)) == NULL)
+ goto done;
+
+ if ((rval = ReadData(t, data, hdr.length)) == 0)
+ goto done;
+ else if (rval < 0)
+ goto done;
+ }
+
+ if (hdr.type > CS_TYPE_MAX)
+ {
+ static const char invalid_type[] = "Invalid type. Must be 0-2047 inclusive.";
+
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0002);
+ len = snprintf(response.msg, sizeof(response.msg), "%s", invalid_type);
+ response.hdr.length = htonl(len);
+ SendResponse(t, &response, len);
+ }
+ else
+ {
+ CSMessageHandler *handler;
+
+ pthread_mutex_lock(&msg_handler_mutex);
+ handler = msg_handlers[hdr.type];
+ pthread_mutex_unlock(&msg_handler_mutex);
+ if (handler)
+ {
+ static const char failed[] = "Failed to process the command.";
+
+ pthread_mutex_lock(&handler->mutex);
+
+ handler->handled = 0;
+ handler->new_context = NULL;
+ handler->old_context = NULL;
+ handler->next = NULL;
+ if (handler->oobpre && handler->oobpre(hdr.type, data, hdr.length, &handler->new_context))
+ {
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0002);
+ len = snprintf(response.msg, sizeof(response.msg), "%s", failed);
+ response.hdr.length = htonl(len);
+ SendResponse(t, &response, len);
+ pthread_mutex_unlock(&handler->mutex);
+ goto next;
+ }
+ if (handler->ibcontrol)
+ {
+ pthread_mutex_lock(&work_mutex);
+ if (work_queue_tail)
+ work_queue_tail->next = handler;
+ work_queue_tail = handler;
+ if (!work_queue)
+ work_queue = handler;
+ s_work_to_do++;
+ pthread_mutex_unlock(&work_mutex);
+ while (!handler->handled)
+ usleep(100000);
+ if (handler->ib_rval)
+ {
+ if (handler->oobpost && handler->new_context)
+ handler->oobpost(hdr.type, handler->new_context);
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0002);
+ len = snprintf(response.msg, sizeof(response.msg), "%s", failed);
+ response.hdr.length = htonl(len);
+ SendResponse(t, &response, len);
+ pthread_mutex_unlock(&handler->mutex);
+ goto next;
+ }
+ }
+ if (handler->oobpost)
+ handler->oobpost(hdr.type, handler->old_context);
+
+ pthread_mutex_unlock(&handler->mutex);
+
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0000);
+ response.hdr.length = 0;
+ SendResponse(t, &response, 0);
+ }
+ else
+ {
+ static const char no_handler[] = "No handler for the command.";
+
+ response.hdr.version = htons(CS_HEADER_VERSION);
+ response.hdr.type = htons(0x0002);
+ len = snprintf(response.msg, sizeof(response.msg), "%s", no_handler);
+ response.hdr.length = htonl(len);
+ SendResponse(t, &response, len);
+ }
+ }
+next:;
+ if (data)
+ free(data);
+ data = NULL;
+ }
+
+done:;
+ if (data)
+ free(data);
+ close(fd);
+ pthread_mutex_lock(&thread_mutex);
+ for (it=&thread_list; *it; it=&(*it)->next)
+ {
+ if (t == *it)
+ {
+ *it = t->next;
+ free(t);
+ break;
+ }
+ }
+ pthread_mutex_unlock(&thread_mutex);
+ pthread_detach(tid);
+ return NULL;
+}
+
+static void *ControlSocketThread(void *arg)
+{
+ ThreadElement *t;
+ fd_set rfds;
+ int rval;
+ struct timeval to;
+ int socket;
+ struct sockaddr_un sunaddr;
+ socklen_t addrlen = sizeof(sunaddr);
+ pthread_t tid;
+
+ if (config_unix_socket < 0)
+ {
+ ErrorMessage("Control Socket: Invalid socket in thread - %d\n", config_unix_socket);
+ goto bail;
+ }
+ nice(2);
+
+ while (!stop_processing)
+ {
+ to.tv_sec = 2;
+ to.tv_usec = 0;
+ FD_ZERO(&rfds);
+ FD_SET(config_unix_socket, &rfds);
+ rval = select(config_unix_socket + 1, &rfds, NULL, NULL, &to);
+ if (rval > 0)
+ {
+ memset(&sunaddr, 0, sizeof(sunaddr));
+ if ((socket = accept(config_unix_socket, (struct sockaddr *)&sunaddr, &addrlen)) == -1)
+ {
+ if (errno != EINTR)
+ {
+ ErrorMessage("Control Socket: Accept failed: %s\n", strerror(errno));
+ goto bail;
+ }
+ }
+ else
+ {
+ DEBUG_WRAP( DebugMessage(DEBUG_INIT, "Control Socket: Creating a processing thread for %d\n",
+ socket););
+ if ((t = calloc(1, sizeof(*t))) == NULL)
+ {
+ close(socket);
+ ErrorMessage("Control Socket: Failed to allocate a thread struct");
+ goto bail;
+ }
+ t->socket_fd = socket;
+ if ((rval = pthread_create(&tid, NULL, &ControlSocketProcessThread, (void *)t)) != 0)
+ {
+ close(socket);
+ ErrorMessage("Control Socket: Unable to create a processing thread: %s", strerror(rval));
+ goto bail;
+ }
+ pthread_mutex_lock(&thread_mutex);
+ t->next = thread_list;
+ thread_list = t;
+ pthread_mutex_unlock(&thread_mutex);
+ }
+ }
+ else if (rval < 0)
+ {
+ if (errno != EINTR)
+ {
+ ErrorMessage("Control Socket: Select failed: %s\n", strerror(errno));
+ goto bail;
+ }
+ }
+ }
+
+bail:;
+ close(config_unix_socket);
+ DEBUG_WRAP( DebugMessage(DEBUG_INIT, "Control Socket: Thread exiting\n"););
+ return NULL;
+}
+
+static void SetupUnixSocket(const char * const name, int * const psock, const int listen_backlog)
+{
+ struct sockaddr_un sunaddr;
+ int sock = -1;
+ int yes = 1;
+ int rval;
+
+ memset(&sunaddr, 0, sizeof(sunaddr));
+
+ rval = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), "%s", name);
+ if (rval < 0 || (size_t)rval >= sizeof(sunaddr.sun_path))
+ FatalError("Control Socket: Socket name '%s' is too long\n", name);
+
+ sunaddr.sun_family = AF_UNIX;
+
+ unlink(name); /* remove existing file */
+
+ /* open the socket */
+ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
+ {
+ FatalError("Control Socket: Error opening socket %s: %s\n", name, strerror(errno));
+ }
+
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) == -1)
+ {
+ WarningMessage("Control Socket: setsockopt failed for %s: %s", name, strerror(errno));
+ }
+
+ if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1)
+ {
+ rval = errno;
+ close(sock);
+ FatalError("Control Socket: Unable to bind to %s: %s\n", name, strerror(rval));
+ }
+
+ if (chmod(name, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP))
+ {
+ rval = errno;
+ close(sock);
+ FatalError("Control Socket: Error changing the mode for socket %s: %s", name, strerror(rval));
+ }
+
+ /* listen on the socket */
+ if (listen(sock, listen_backlog) == -1)
+ {
+ rval = errno;
+ close(sock);
+ FatalError("Control Socket: Unable to listen on UNIX socket %s: %s\n", name, strerror(rval));
+ }
+
+ *psock = sock;
+}
+
+void ControlSocketInit(void)
+{
+ int rval;
+ sigset_t mask;
+
+ if (!config_unix_socket_fn[0])
+ return;
+
+ SetupUnixSocket(config_unix_socket_fn, &config_unix_socket, 10);
+
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGTERM);
+ sigaddset(&mask, SIGQUIT);
+ sigaddset(&mask, SIGPIPE);
+ sigaddset(&mask, SIGINT);
+ sigaddset(&mask, SIGNAL_SNORT_RELOAD);
+ sigaddset(&mask, SIGNAL_SNORT_DUMP_STATS);
+ sigaddset(&mask, SIGUSR1);
+ sigaddset(&mask, SIGUSR2);
+ sigaddset(&mask, SIGNAL_SNORT_ROTATE_STATS);
+ sigaddset(&mask, SIGNAL_SNORT_CHILD_READY);
+#ifdef TARGET_BASED
+ sigaddset(&mask, SIGNAL_SNORT_READ_ATTR_TBL);
+ sigaddset(&mask, SIGVTALRM);
+#endif
+ pthread_sigmask(SIG_SETMASK, &mask, NULL);
+
+ if((rval=pthread_create(&thread_id, NULL, &ControlSocketThread, NULL)) != 0)
+ {
+ sigemptyset(&mask);
+ pthread_sigmask(SIG_SETMASK, &mask, NULL);
+ FatalError("Control Socket: Unable to create thread: %s\n", strerror(rval));
+ }
+ p_thread_id = &thread_id;
+ sigemptyset(&mask);
+ pthread_sigmask(SIG_SETMASK, &mask, NULL);
+}
+
+void ControlSocketCleanUp(void)
+{
+ ThreadElement *t;
+ int rval;
+ int done = 0;
+
+ if (p_thread_id != NULL)
+ {
+ stop_processing = 1;
+
+ if ((rval=pthread_join(*p_thread_id, NULL)) != 0)
+ WarningMessage("Thread termination returned an error: %s\n", strerror(rval));
+ }
+
+ if (config_unix_socket_fn[0])
+ unlink(config_unix_socket_fn);
+
+ for (t = thread_list; t; t = t->next)
+ t->stop_processing = 1;
+
+ rval = 50;
+ do
+ {
+ pthread_mutex_lock(&thread_mutex);
+ done = thread_list ? 0:1;
+ pthread_mutex_unlock(&thread_mutex);
+ if (!done)
+ {
+ usleep(100000);
+ rval--;
+ }
+ } while (!done && rval > 0);
+
+ pthread_mutex_lock(&work_mutex);
+ if (work_queue)
+ WarningMessage("%s\n", "Work queue is not emtpy during termination");
+ pthread_mutex_unlock(&work_mutex);
+}
+
+void ControlSocketDoWork(int idle)
+{
+ unsigned max_work;
+ CSMessageHandler *handler;
+
+ if ( s_work_done == s_work_to_do )
+ return;
+
+ max_work = idle ? CS_MAX_IDLE_WORK : CS_MAX_WORK;
+ pthread_mutex_lock(&work_mutex);
+
+ for (; work_queue && max_work; max_work--)
+ {
+ handler = work_queue;
+ work_queue = handler->next;
+ if (!work_queue)
+ work_queue_tail = NULL;
+ handler->ib_rval = handler->ibcontrol(handler->type, handler->new_context, &handler->old_context);
+ handler->handled = 1;
+ s_work_done++;
+ }
+
+ pthread_mutex_unlock(&work_mutex);
+}
+
+#else
+
+void ControlSocketConfigureDirectory(const char *optarg)
+{
+ FatalError("%s\n", "Control socket is not available.");
+}
+
+int ControlSocketRegisterHandler(uint16_t type, OOBPreControlFunc oobpre, IBControlFunc ib,
+ OOBPostControlFunc oobpost)
+{
+ return 0;
+}
+
+void ControlSocketInit(void)
+{
+}
+
+void ControlSocketCleanUp(void)
+{
+}
+
+#endif
+
diff -Nru snort-2.9.0.1/src/control/sfcontrol_funcs.h snort-2.9.2/src/control/sfcontrol_funcs.h
--- snort-2.9.0.1/src/control/sfcontrol_funcs.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/control/sfcontrol_funcs.h 2011-10-26 11:28:52.000000000 -0700
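Review bot: The bounds checks on the handler type are off by one: `msg_handlers` is declared with CS_TYPE_MAX elements, yet ControlSocketRegisterHandler rejects only `type > CS_TYPE_MAX` and ControlSocketProcessThread only `hdr.type > CS_TYPE_MAX`, so a message whose type field equals CS_TYPE_MAX indexes one past the table and the value found there is dereferenced as a handler; both checks should read `if (type >= CS_TYPE_MAX)` / `if (hdr.type >= CS_TYPE_MAX)`, and the "Must be 0-2047 inclusive." text should state the real limit. In ControlSocketCleanUp the `for (t = thread_list; t; t = t->next)` walk does not hold thread_mutex while each processing thread unlinks and frees its own element under that mutex at the end of ControlSocketProcessThread, so the walk can follow a freed `next`; wrap the loop in the lock. A processing thread also spins in `while (!handler->handled) usleep(100000);` without consulting `t->stop_processing`, so once the main loop stops calling ControlSocketDoWork the thread never exits and CleanUp's bounded wait runs out with the element still listed. SetupUnixSocket leaves the socket at mode 0770, which lets every member of the file's group issue control commands; that expectation deserves a comment at the chmod, e.g. `/* 0770: any member of the socket's group may send control commands */`.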
@@ -0,0 +1,19 @@
+#ifndef __SF_CONTROL_FUNCS_H__
+#define __SF_CONTROL_FUNCS_H__
+
+#include "sfcontrol.h"
+
+void ControlSocketConfigureDirectory(const char *optarg);
+void ControlSocketInit(void);
+void ControlSocketCleanUp(void);
+int ControlSocketRegisterHandler(uint16_t type, OOBPreControlFunc oobpre, IBControlFunc ib,
+ OOBPostControlFunc oobpost);
+
+#ifdef CONTROL_SOCKET
+void ControlSocketDoWork(int idle);
+#else
+#define ControlSocketDoWork(idle) do {} while(0)
+#endif
+
+#endif
+
diff -Nru snort-2.9.0.1/src/control/sfcontrol.h snort-2.9.2/src/control/sfcontrol.h
--- snort-2.9.0.1/src/control/sfcontrol.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/control/sfcontrol.h 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,23 @@
+#ifndef __SF_CONTROL_H__
+#define __SF_CONTROL_H__
+
+#define CONTROL_FILE "SNORT.sock"
+
+#define CS_TYPE_HUP_DAQ 0x0001
+#define CS_TYPE_MAX 0x1FFF
+#define CS_HEADER_VERSION 0x0001
+
+typedef struct _CS_MESSAGE_HEADER
+{
+ /* All values must be in network byte order */
+ uint16_t version;
+ uint16_t type;
+ uint32_t length; /* Does not include the header */
+} CSMessageHeader;
+
+typedef int (*OOBPreControlFunc)(uint16_t type, const uint8_t *data, uint32_t length, void **new_context);
+typedef int (*IBControlFunc)(uint16_t type, void *new_context, void **old_context);
+typedef void (*OOBPostControlFunc)(uint16_t type, void *old_context);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/cpuclock.h snort-2.9.2/src/cpuclock.h
--- snort-2.9.0.1/src/cpuclock.h 2010-01-26 10:09:11.000000000 -0800
+++ snort-2.9.2/src/cpuclock.h 2011-06-07 17:33:05.000000000 -0700
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2006-2010 Sourcefire, Inc.
+** Copyright (C) 2006-2011 Sourcefire, Inc.
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License Version 2 as
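Review bot: `CS_TYPE_MAX` is used in sfcontrol.c as the size of the handler table, but the name reads like an inclusive upper bound and the range checks in that file treat it as one; a comment pinning its meaning would prevent that, e.g. `#define CS_TYPE_MAX 0x1FFF /* handler table size: valid types are 0..CS_TYPE_MAX-1 */`. Both sfcontrol.h and sfcontrol_funcs.h use `uint8_t`/`uint16_t`/`uint32_t` without including a header that provides them, so they compile only when the includer has already pulled in `<stdint.h>` or the project's type header. The guard names `__SF_CONTROL_H__` and `__SF_CONTROL_FUNCS_H__` begin with a double underscore, which C reserves for the implementation; `SF_CONTROL_H` and `SF_CONTROL_FUNCS_H` would be safe choices.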
@@ -20,13 +20,6 @@ #ifndef CPU_CLOCK_TICKS_H #define CPU_CLOCK_TICKS_H -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "debug.h" -#include "sf_types.h" /* for uint64_t */ - /* Assembly to find clock ticks. */ #ifdef WIN32 #include <windows.h> @@ -92,7 +85,7 @@ #else /* SPARC */ #ifdef SPARCV9 -#ifdef _LP64 +#ifdef _LP64 #define get_clockticks(val) \ { \ __asm__ __volatile__("rd %%tick, %0" : "=r"(val)); \ @@ -116,7 +109,7 @@ #endif /* I386 || AMD64 || X86_64 */ #endif /* WIN32 */ -static INLINE double get_ticks_per_usec (void) +static inline double get_ticks_per_usec (void) { uint64_t start = 0, end = 0; get_clockticks(start); diff -Nru snort-2.9.0.1/src/debug.c snort-2.9.2/src/debug.c --- snort-2.9.0.1/src/debug.c 2010-01-26 10:09:11.000000000 -0800 +++ snort-2.9.2/src/debug.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -27,15 +27,15 @@ #include <stdarg.h> #include <stdlib.h> #include <stdio.h> -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" #include "snort.h" -#ifdef DEBUG -int debuglevel = DEBUG_ALL; +#ifdef DEBUG_MSGS char *DebugMessageFile = NULL; int DebugMessageLine = 0; -int DebugThis(int level) +int DebugThis(uint64_t level) { if (!(level & GetDebugLevel())) return 0; 
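Review bot: Dropping `#include "sf_types.h" /* for uint64_t */` leaves cpuclock.h no longer self-contained: `get_ticks_per_usec` (whose body continues outside the -116 hunk on this line) still declares `uint64_t start = 0, end = 0;`, so the header now compiles only if the includer has already provided `uint64_t`. If the include was removed deliberately to avoid a header cycle, say so at the top of the header, e.g. `/* NOTE: relies on the includer to provide uint64_t (sf_types.h or <stdint.h>) */`; otherwise keep the include.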
@@ -43,30 +43,34 @@ return 1; } -int GetDebugLevel(void) +uint64_t GetDebugLevel(void) { static int debug_init = 0; - static unsigned int debug_level = 0; + static uint64_t debug_level = 0; - // declared here for compatibility with older compilers - // not initialized here cuz the next step is done once const char* key; - if (debug_init) + if ( debug_init ) return debug_level; - key = getenv(DEBUG_VARIABLE); + key = getenv(DEBUG_PP_VAR); if ( key ) debug_level = strtoul(key, NULL, 0); - else - debug_level = 0; + + debug_level <<= 32; + + key = getenv(DEBUG_VARIABLE); + + if ( key ) + debug_level |= strtoul(key, NULL, 0); debug_init = 1; + return debug_level; } -void DebugMessageFunc(int level, char *fmt, ...) +void DebugMessageFunc(uint64_t level, char *fmt, ...) { va_list ap; @@ -74,7 +78,7 @@ return; va_start(ap, fmt); - + if ((snort_conf != NULL) && ScDaemonMode()) { char buf[STD_BUF]; @@ -105,8 +109,8 @@ va_end(ap); } -#ifdef HAVE_WCHAR_H -void DebugWideMessageFunc(int level, wchar_t *fmt, ...) +#ifdef SF_WCHAR +void DebugWideMessageFunc(uint64_t level, wchar_t *fmt, ...) { va_list ap; wchar_t buf[STD_BUF+1]; @@ -117,13 +121,13 @@ return; } buf[STD_BUF]= (wchar_t)0; - + /* filename and line number information */ if (DebugMessageFile != NULL) printf("%s:%d: ", DebugMessageFile, DebugMessageLine); va_start(ap, fmt); - + if (ScDaemonMode()) { #ifdef WIN32 @@ -145,13 +149,13 @@ va_end(ap); } #endif -#else -void DebugMessageFunc(int level, char *fmt, ...) +#else /* DEBUG_MSGS */ +void DebugMessageFunc(uint64_t level, char *fmt, ...) { } -#ifdef HAVE_WCHAR_H -void DebugWideMessageFunc(int level, wchar_t *fmt, ...) +#ifdef SF_WCHAR +void DebugWideMessageFunc(uint64_t level, wchar_t *fmt, ...) { } #endif -#endif /* DEBUG */ +#endif /* DEBUG_MSGS */ diff -Nru snort-2.9.0.1/src/debug.h snort-2.9.2/src/debug.h --- snort-2.9.0.1/src/debug.h 2010-06-09 15:04:50.000000000 -0700 +++ snort-2.9.2/src/debug.h 1969-12-31 16:00:00.000000000 -0800 
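Review bot: GetDebugLevel parses both environment variables with `strtoul(key, NULL, 0)` and never checks the end pointer or errno, so a mistyped value silently becomes 0 or a truncated prefix and an out-of-range one becomes ULONG_MAX, which sets every bit it can reach. The way the two variables are combined is also undocumented; a comment above the first `getenv` would help, e.g. `/* DEBUG_PP_VAR fills the upper 32 bits of the level, DEBUG_VARIABLE the lower 32 */`. Parsing with an end pointer and warning on trailing garbage or ERANGE would be a small change; the whole function is within this hunk.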
@@ -1,120 +0,0 @@ -/* $Id$ */ -/* -** Copyright (C) 2002-2010 Sourcefire, Inc. -** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - - -#ifndef DEBUG_H -#define DEBUG_H - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#if !defined(INLINE) -#ifdef WIN32 -#define INLINE __inline -#else /* WIN32 */ -#define INLINE inline -#endif /* WIN32 */ -#endif /* !def INLINE */ - -#include <ctype.h> -#ifdef HAVE_WCHAR_H -/* ISOC99 is defined to get required prototypes */ -#ifndef __USE_ISOC99 -#define __USE_ISOC99 -#endif -#include <wchar.h> -#endif - -#define DEBUG_VARIABLE "SNORT_DEBUG" - -#define DEBUG_ALL 0xffffffff /* 4294967295 */ -#define DEBUG_INIT 0x00000001 /* 1 */ -#define DEBUG_CONFIGRULES 0x00000002 /* 2 */ -#define DEBUG_PLUGIN 0x00000004 /* 4 */ -#define DEBUG_DATALINK 0x00000008 /* 8 */ -//#define DEBUG_IP 0x00000010 /* 16 */ -//#define DEBUG_TCPUDP 0x00000020 /* 32 */ -#define DEBUG_DECODE 0x00000040 /* 64 */ -#define DEBUG_LOG 0x00000080 /* 128 */ -#define DEBUG_MSTRING 0x00000100 /* 256 */ -#define DEBUG_PARSER 0x00000200 /* 512 */ -#define DEBUG_PLUGBASE 0x00000400 /* 1024 */ -#define DEBUG_RULES 0x00000800 /* 2048 */ -#define DEBUG_FLOW 0x00001000 /* 4096 */ -#define 
DEBUG_STREAM 0x00002000 /* 8192 */ -#define DEBUG_PATTERN_MATCH 0x00004000 /* 16384 */ -#define DEBUG_DETECT 0x00008000 /* 32768 */ -#define DEBUG_SKYPE 0x00010000 /* 65536 */ -#define DEBUG_FRAG 0x00020000 /* 131072 */ -#define DEBUG_HTTP_DECODE 0x00040000 /* 262144 */ -//#define DEBUG_PORTSCAN2 0x00080000 /* 524288 / (+ conv2 ) 589824 */ -#define DEBUG_RPC 0x00100000 /* 1048576 */ -//#define DEBUG_FLOWSYS 0x00200000 /* 2097152 */ -#define DEBUG_HTTPINSPECT 0x00400000 /* 4194304 */ -#define DEBUG_STREAM_STATE 0x00800000 /* 8388608 */ -#define DEBUG_ASN1 0x01000000 /* 16777216 */ -#define DEBUG_FTPTELNET 0x02000000 /* 33554432 */ -#define DEBUG_SMTP 0x04000000 /* 67108864 */ -//#define DEBUG_DCERPC 0x08000000 /* 134217728 */ -#define DEBUG_DNS 0x10000000 /* 268435456 */ -#define DEBUG_ATTRIBUTE 0x20000000 /* 536870912 */ -#define DEBUG_PORTLISTS 0x40000000 /* 1073741824 */ -#define DEBUG_SSL 0x80000000 /* 2147483648 */ - -void DebugMessageFunc(int dbg,char *fmt, ...); -#ifdef HAVE_WCHAR_H -void DebugWideMessageFunc(int dbg,wchar_t *fmt, ...); -#endif - -#ifdef DEBUG - - extern char *DebugMessageFile; - extern int DebugMessageLine; - - #define DebugMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugMessageFunc - #define DebugWideMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugWideMessageFunc - - int GetDebugLevel (void); - int DebugThis(int level); -#else - -#ifdef WIN32 -/* Visual C++ uses the keyword "__inline" rather than "__inline__" */ - #define __inline__ __inline -#endif - -#endif /* DEBUG */ - - -#ifdef DEBUG -#define DEBUG_WRAP(code) code -void DebugMessageFunc(int dbg,char *fmt, ...); -#ifdef HAVE_WCHAR_H -void DebugWideMessageFunc(int dbg,wchar_t *fmt, ...); -#endif -#else -#define DEBUG_WRAP(code) -/* I would use DebugMessage(dbt,fmt...) 
but that only works with GCC */ - -#endif - -#endif /* DEBUG_H */ diff -Nru snort-2.9.0.1/src/decode.c snort-2.9.2/src/decode.c --- snort-2.9.0.1/src/decode.c 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/src/decode.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -31,11 +31,15 @@ #include <string.h> #include <stdlib.h> +#ifdef HAVE_DUMBNET_H #include <dumbnet.h> +#else +#include <dnet.h> +#endif #include "decode.h" #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "detect.h" #include "checksum.h" @@ -44,7 +48,7 @@ #include "event_queue.h" #include "active.h" #include "sfxhash.h" -#include "bounds.h" +#include "snort_bounds.h" #include "strlcpyu.h" #include "sf_iph.h" #include "fpdetect.h" @@ -62,17 +66,11 @@ PreprocStats decodePerfStats; #endif -// Array to check if the decoder rules are enabled in atleast one policy +// Array to check if the decoder rules are enabled in at least one policy static uint8_t decodeRulesArray[DECODE_INDEX_MAX]; -#ifndef SUP_IP6 -Packet *BsdPseudoPacket; -/* For the BSD fragmentation vulnerability */ -SFXHASH *ipv6_frag_hash; -#endif - #ifdef SUP_IP6 -IPH_API ip4 = +IPH_API ip4 = { ip4_ret_src, ip4_ret_dst, 
@@ -125,16 +123,20 @@ }; #endif +//-------------------------------------------------------------------- +// decode.c::event support +//-------------------------------------------------------------------- + #ifdef NORMALIZER -static INLINE int ScNormalDrop (NormFlags nf) +static inline int ScNormalDrop (NormFlags nf) { - return !Normalize_IsEnabled(snort_conf, nf); + return !Normalize_IsEnabled(snort_conf, nf); } #else #define ScNormalDrop(nf) 1 #endif -static INLINE void queueExecDrop( +static inline void queueExecDrop( void (*callback)(void *), Packet* p) { int ret = sfActionQueueAdd( decoderActionQ, callback, (void*)p); @@ -144,34 +146,34 @@ } } -// no harm declaring the exec*Drop()s as INLINE, but since +// no harm declaring the exec*Drop()s as inline, but since // the only use is via pointer, these won't get inlined. -static INLINE void execDecoderDrop (void *data) +static inline void execDecoderDrop (void *data) { if ( ScDecoderAlerts() && ScDecoderDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); Active_DropSession(); } } -static INLINE void execIpOptDrop (void *data) +static inline void execIpOptDrop (void *data) { if ( ScDecoderIpOptDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (IP opts)\n");); Active_DropPacket(); } } -static INLINE void execTtlDrop (void *data) +static inline void execTtlDrop (void *data) { if ( ScNormalDrop(NORM_IP4_TTL) ) { Packet* p = (Packet*)data; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (IP4 TTL)\n");); p->error_flags |= PKT_ERR_BAD_TTL; Active_DropPacket(); 
@@ -179,12 +181,12 @@ } #ifdef SUP_IP6 -static INLINE void execHopDrop (void *data) +static inline void execHopDrop (void *data) { if ( ScNormalDrop(NORM_IP6_TTL) ) { Packet* p = (Packet*)data; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (IP6 hop limit)\n");); p->error_flags |= PKT_ERR_BAD_TTL; Active_DropPacket(); @@ -192,37 +194,37 @@ } #endif -static INLINE void execTcpOptDrop (void *data) +static inline void execTcpOptDrop (void *data) { if ( ScDecoderTcpOptDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (TCP opts)\n");); Active_DropPacket(); } } -static INLINE void execTcpOptExpDrop (void *data) +static inline void execTcpOptExpDrop (void *data) { if ( ScDecoderTcpOptExpDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (TCP exp opts)\n");); Active_DropPacket(); } } -static INLINE void execTcpOptObsDrop (void *data) +static inline void execTcpOptObsDrop (void *data) { if ( ScDecoderTcpOptObsDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (TCP obs opts)\n");); Active_DropPacket(); } } -static INLINE void execTcpOptTTcpDrop (void *data) +static inline void execTcpOptTTcpDrop (void *data) { if ( ScDecoderTcpOptTTcpDrops() ) { 
@@ -232,43 +234,43 @@ } } -static INLINE void execIpChksmDrop (void *data) +static inline void execIpChksmDrop (void *data) { // TBD only set policy csum drop if policy inline // and delete this inline mode check if( ScInlineMode() && ScIpChecksumDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (IP checksum)\n");); Active_DropPacket(); } } -static INLINE void execTcpChksmDrop (void *data) +static inline void execTcpChksmDrop (void *data) { if( ScInlineMode() && ScTcpChecksumDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (TCP checksum)\n");); Active_DropPacket(); } } -static INLINE void execUdpChksmDrop (void *data) +static inline void execUdpChksmDrop (void *data) { if( ScInlineMode() && ScUdpChecksumDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (UDP checksum)\n");); Active_DropPacket(); } } -static INLINE void execIcmpChksmDrop (void *data) +static inline void execIcmpChksmDrop (void *data) { if( ScInlineMode() && ScIcmpChecksumDrops() ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet (ICMP checksum)\n");); Active_DropPacket(); } @@ -312,17 +314,17 @@ if ( add ) { - SnortEventqAdd(en->gid, en->sid, en->rev, en->classification, + SnortEventqAdd(en->gid, en->sid, en->rev, en->classification, en->priority, en->msg, en->rule_info); } mempool_free(&decoderAlertMemPool, alertBucket); } void queueDecoderEvent( - unsigned int gid, - unsigned int sid, - unsigned int rev, - unsigned int classification, + unsigned int gid, + unsigned int sid, + unsigned int rev, + unsigned int classification, unsigned int pri, char *msg, void *rule_info) 
@@ -352,15 +354,15 @@ } } -static INLINE void DecoderEvent ( - Packet *p, int sid, char *str, int event_flag, int drop_flag) +static inline void DecoderEvent ( + Packet *p, int sid, char *str, int event_flag, int drop_flag) { if ( ScLogVerbose() ) ErrorMessage("%s\n", str); - if (ScIdsMode() && event_flag) + if (ScIdsMode() && event_flag) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, + queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, DECODE_CLASS, 3, str, 0); if ( drop_flag ) @@ -370,16 +372,16 @@ } } -static INLINE void DecoderOptEvent ( +static inline void DecoderOptEvent ( Packet *p, int sid, char *str, int event_flag, int drop_flag, void (*callback)(void*) ) { if ( ScLogVerbose() ) ErrorMessage("%s\n", str); - if (ScIdsMode() && event_flag) + if (ScIdsMode() && event_flag) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, + queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, DECODE_CLASS, 3, str, 0); if ( drop_flag ) @@ -389,15 +391,15 @@ } } -static INLINE void DecoderEventDrop ( +static inline void DecoderEventDrop ( Packet *p, int sid, char *str, int event_flag, int drop_flag) { if ( ScLogVerbose() ) ErrorMessage("%s\n", str); - if (ScIdsMode() && event_flag) + if (ScIdsMode() && event_flag) { - queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, + queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1, DECODE_CLASS, 3, str, 0); if ( drop_flag ) 
@@ -407,16 +409,179 @@ } } +void DecoderAlertEncapsulated( + Packet *p, int type, const char *str, const uint8_t *pkt, uint32_t len) +{ + DecoderEvent(p, type, (char*)str, 1, 1); + + p->data = pkt; + p->dsize = (uint16_t)len; + + p->greh = NULL; +} + #define EVARGS(ID) DECODE_ ## ID, DECODE_ ## ID ## _STR -static INLINE int Event_Enabled(int sid) +static inline int Event_Enabled(int sid) { return ( decodeRulesArray[sid] ); } +//-------------------------------------------------------------------- +// decode.c::miscellaneous public methods and helper functions +//-------------------------------------------------------------------- + +#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__) +uint32_t EXTRACT_32BITS (u_char *p) +{ + uint32_t __tmp; + + memmove(&__tmp, p, sizeof(uint32_t)); + return (uint32_t) ntohl(__tmp); +} +#endif /* WORDS_MUSTALIGN && !__GNUC__ */ + +void InitSynToMulticastDstIp( void ) +{ +#ifdef SUP_IP6 + extern SnortConfig *snort_conf_for_parsing; + snort_conf_for_parsing = snort_conf; +#endif + SynToMulticastDstIp = IpAddrSetParse("[232.0.0.0/8,233.0.0.0/8,239.0.0.0/8]"); + + if( SynToMulticastDstIp == NULL ) + { + FatalError("Could not initialize SynToMulticastDstIp\n"); + } +#ifdef SUP_IP6 + snort_conf_for_parsing = NULL; +#endif +} + +void SynToMulticastDstIpDestroy( void ) +{ + + if( SynToMulticastDstIp ) + { + IpAddrSetDestroy(SynToMulticastDstIp); +#ifndef SUP_IP6 + free(SynToMulticastDstIp); + SynToMulticastDstIp = NULL; +#endif + } +} + +static inline void CheckIPv4_MinTTL(Packet *p, uint8_t ttl) +{ + + // this sequence of tests is best for the "normal" case where + // the packet ttl is >= the configured min (the default is 1) + if( ttl < ScMinTTL() ) + { + if ( Event_Enabled(DECODE_ZERO_TTL) && (ttl == 0) ) + { + DecoderOptEvent(p, DECODE_ZERO_TTL, DECODE_ZERO_TTL_STR, + 1, 1, execTtlDrop); + } + else if ( Event_Enabled(DECODE_IP4_MIN_TTL) ) + { + DecoderOptEvent(p, DECODE_IP4_MIN_TTL, DECODE_IP4_MIN_TTL_STR, + 1, 1, execTtlDrop); + } + } +} 
+ +#ifdef SUP_IP6 +static inline void CheckIPv6_MinTTL(Packet *p, uint8_t hop_limit) +{ + // this sequence of tests is best for the "normal" case where + // the packet ttl is >= the configured min (the default is 1) + if( hop_limit < ScMinTTL() ) + { + if ( Event_Enabled(DECODE_IP6_ZERO_HOP_LIMIT) && (hop_limit == 0) ) + { + DecoderOptEvent(p, DECODE_IP6_ZERO_HOP_LIMIT, + DECODE_IP6_ZERO_HOP_LIMIT_STR, 1, 1, execHopDrop); + } + else if ( Event_Enabled(DECODE_IPV6_MIN_TTL) ) + { + DecoderOptEvent(p, DECODE_IPV6_MIN_TTL, + DECODE_IPV6_MIN_TTL_STR, 1, 1, execHopDrop); + } + } +} +#endif + +/* Decoding of ttl/hop_limit is based on the policy min_ttl */ +static inline void DecodeIP_MinTTL(Packet *p) +{ +# ifndef SUP_IP6 + if(p->outer_iph) + { + CheckIPv4_MinTTL( p, p->outer_iph->ip_ttl ); + return; + + } + else if(p->iph) + { + CheckIPv4_MinTTL( p, GET_IPH_TTL(p) ); + return; + } +#else + switch(p->outer_family) + { + case AF_INET: + CheckIPv4_MinTTL( p, p->outer_ip4h.ip_ttl); + return; + + case AF_INET6: + CheckIPv6_MinTTL( p, p->outer_ip6h.hop_lmt); + return; + + default: + break; + } + + switch(p->family) + { + case AF_INET: + CheckIPv4_MinTTL( p, p->ip4h->ip_ttl); + return; + + case AF_INET6: + CheckIPv6_MinTTL( p, p->ip6h->hop_lmt); + return; + + default: + break; + } +#endif + + return; +} + +/* Any policy specific decoding should be done in this function which is called by ProcessPacket*/ +void DecodePolicySpecific(Packet *p) +{ + DecodeIP_MinTTL(p); +} + +/* This function enables or disables the decoder rule. 
value can only be 0 or 1*/ +void UpdateDecodeRulesArray(uint32_t sid, int value, int all_rules) +{ + int i; + if(all_rules) + { + for(i=0; i<DECODE_INDEX_MAX ; i++) + decodeRulesArray[i] = ( value != 0 ); + } + else + decodeRulesArray[sid] = ( value != 0 ); +} + // this must be called iff the layer is successfully decoded because, when // enabled, the normalizer assumes that the encoding is structurally sound -static INLINE void PushLayer(PROTO_ID type, Packet* p, const uint8_t* hdr, uint32_t len) +static inline void PushLayer(PROTO_ID type, Packet* p, const uint8_t* hdr, uint32_t len) { if ( p->next_layer < LAYER_MAX ) { 
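Review bot: `UpdateDecodeRulesArray` writes `decodeRulesArray[sid]` for any `sid` when `all_rules` is 0, with no check against `DECODE_INDEX_MAX`, so a rule id outside the table (presumably it arrives from config/rule parsing) writes past the array; `else if (sid < DECODE_INDEX_MAX) decodeRulesArray[sid] = ( value != 0 );` closes that, and `Event_Enabled` reads the same table with an unchecked `sid`. In `DecoderAlertEncapsulated` the cast `p->dsize = (uint16_t)len;` silently wraps any 32-bit length above 65535; either clamp (`p->dsize = (len > UINT16_MAX) ? UINT16_MAX : (uint16_t)len;`) or state in a comment why callers cannot pass more than that. `EXTRACT_32BITS` names its local `__tmp`; identifiers starting with a double underscore are reserved for the implementation, and `tmp` is sufficient.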
@@ -428,29 +593,72 @@ else { LogMessage("WARNING: decoder got too many layers;" - " next proto is %u\n", type); + " next proto is %u.\n", type); } } +//-------------------------------------------------------------------- +// decode.c::ARP +//-------------------------------------------------------------------- + /* - * Function: DecodeEthPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * Function: DecodeARP(uint8_t *, uint32_t, Packet *) * - * Purpose: Decode those fun loving ethernet packets, one at a time! + * Purpose: Decode ARP stuff * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeARP(const uint8_t * pkt, uint32_t len, Packet * p) +{ + pc.arp++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_arp++; +#endif + + p->ah = (EtherARP *) pkt; + + if(len < sizeof(EtherARP)) + { + DecoderEvent(p, DECODE_ARP_TRUNCATED, + DECODE_ARP_TRUNCATED_STR, 1, 1); + + pc.discards++; + return; + } + + p->proto_bits |= PROTO_BIT__ARP; + PushLayer(PROTO_ARP, p, pkt, sizeof(*p->ah)); +} + +//-------------------------------------------------------------------- +// decode.c::NULL and Loopback +//-------------------------------------------------------------------- + +/* + * Function: DecodeNullPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decoding on loopback devices. 
+ * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused * pkthdr => ptr to the packet header * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeEthPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +void DecodeNullPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { uint32_t cap_len = pkthdr->caplen; PROFILE_VARS; - + PREPROC_PROFILE_START(decodePerfStats); - pc.eth++; + pc.total_processed++; memset(p, 0, PKT_ZERO_LEN); 
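Review bot: In `DecodeARP` the assignment `p->ah = (EtherARP *) pkt;` precedes the `len < sizeof(EtherARP)` check, so on the truncated path the packet is discarded with `p->ah` still pointing at a header that is not fully inside the captured data; moving the assignment below the check, or adding `p->ah = NULL;` next to `pc.discards++`, keeps later consumers from reading it. The new `DecodeNullPkt` message `"NULL header length < captured len! (%d bytes)\n"` states the inequality backwards (the condition is `cap_len < NULL_HDRLEN`) and pairs `%d` with a `uint32_t`; `"Captured data length < NULL header length! (%u bytes)\n"` matches both the check and the type. Unlike `DecodeEthPkt`, this truncated path bumps no discard counter, which may be intentional but is worth a comment.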
@@ -458,41 +666,114 @@ p->pkth = pkthdr; p->pkt = pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkthdr->pktlen); - ); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); ); /* do a little validation */ - if(cap_len < ETHERNET_HEADER_LEN) + if(cap_len < NULL_HDRLEN) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated eth header (%d bytes)\n", cap_len);); - - if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) ) - DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1); + if (ScLogVerbose()) + { + ErrorMessage("NULL header length < captured len! (%d bytes)\n", + cap_len); + } - p->iph = NULL; - pc.discards++; - pc.ethdisc++; PREPROC_PROFILE_END(decodePerfStats); return; } - /* lay the ethernet structure over the packet data */ - p->eh = (EtherHdr *) pkt; - PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); + DecodeIP(p->pkt + NULL_HDRLEN, cap_len - NULL_HDRLEN, p); + PREPROC_PROFILE_END(decodePerfStats); +} - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X\n", - p->eh->ether_src[0], - p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], - p->eh->ether_src[4], p->eh->ether_src[5], p->eh->ether_dst[0], - p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], - p->eh->ether_dst[4], p->eh->ether_dst[5]); +/* + * Function: DecodeEthLoopback(uint8_t *, uint32_t) + * + * Purpose: Just like IPX, it's just for counting. 
+ * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * + * Returns: void function + */ +void DecodeEthLoopback(const uint8_t *pkt, uint32_t len, Packet *p) +{ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "EthLoopback is not supported.\n");); + + pc.ethloopback++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_loopback++; +#endif + + return; +} + +//-------------------------------------------------------------------- +// decode.c::Ethernet +//-------------------------------------------------------------------- + +/* + * Function: DecodeEthPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode those fun loving ethernet packets, one at a time! + * + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeEthPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + pc.eth++; + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen); + ); + + /* do a little validation */ + if(cap_len < ETHERNET_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated eth header (%d bytes).\n", cap_len);); + + if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) ) + DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1); + + p->iph = NULL; + pc.discards++; + pc.ethdisc++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + /* lay the ethernet structure over the packet data */ + p->eh = (EtherHdr *) pkt; + PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); + + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X\n", + 
p->eh->ether_src[0], + p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], + p->eh->ether_src[4], p->eh->ether_src[5], p->eh->ether_dst[0], + p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], + p->eh->ether_dst[4], p->eh->ether_dst[5]); ); DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "type:0x%X len:0x%X\n", + DebugMessage(DEBUG_DECODE, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->pktlen) ); @@ -501,12 +782,12 @@ { case ETHERNET_TYPE_IP: DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, + DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu bytes\n", (unsigned long)(cap_len - ETHERNET_HEADER_LEN)); ); - DecodeIP(p->pkt + ETHERNET_HEADER_LEN, + DecodeIP(p->pkt + ETHERNET_HEADER_LEN, cap_len - ETHERNET_HEADER_LEN, p); PREPROC_PROFILE_END(decodePerfStats); 
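Review bot: The header comment for `DecodeEthLoopback` reads `Function: DecodeEthLoopback(uint8_t *, uint32_t)` and its Arguments list omits the `Packet *p` parameter the definition takes and reads (`p->greh`); it should say `DecodeEthLoopback(uint8_t *, uint32_t, Packet *)` with `p => pointer to decoded packet struct` added. In `DecodeEthPkt`, `"WARNING: Truncated eth header (%d bytes).\n", cap_len` pairs `%d` with a `uint32_t`; `%u` is the matching specifier. The `DEBUG_WRAP` at the end of the hunk continues past it.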
@@ -514,59 +795,56 @@ case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + ETHERNET_HEADER_LEN, + DecodeARP(p->pkt + ETHERNET_HEADER_LEN, cap_len - ETHERNET_HEADER_LEN, p); PREPROC_PROFILE_END(decodePerfStats); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, + DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, (cap_len - ETHERNET_HEADER_LEN), p); PREPROC_PROFILE_END(decodePerfStats); return; -#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - DecodePPPoEPkt(p, pkthdr, pkt); + DecodePPPoEPkt(p->pkt + ETHERNET_HEADER_LEN, + (cap_len - ETHERNET_HEADER_LEN), p); PREPROC_PROFILE_END(decodePerfStats); return; +#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, + DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, (cap_len - ETHERNET_HEADER_LEN), p); PREPROC_PROFILE_END(decodePerfStats); return; #endif case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, + DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, (cap_len - ETHERNET_HEADER_LEN), p); PREPROC_PROFILE_END(decodePerfStats); - return; + return; case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, + DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, cap_len - ETHERNET_HEADER_LEN, p); PREPROC_PROFILE_END(decodePerfStats); - return; + return; #ifdef MPLS case ETHERNET_TYPE_MPLS_MULTICAST: if(!ScMplsMulticast()) { //additional check for DecoderAlerts will be done now. 
- DecoderEvent(p, DECODE_BAD_MPLS, DECODE_MULTICAST_MPLS_STR, 1, 1); + DecoderEvent(p, DECODE_BAD_MPLS, DECODE_MULTICAST_MPLS_STR, 1, 1); } case ETHERNET_TYPE_MPLS_UNICAST: - { - DAQ_PktHdr_t pkthdrTmp; - pkthdrTmp.caplen = cap_len - ETHERNET_HEADER_LEN; - pkthdrTmp.pktlen = pkthdr->pktlen - ETHERNET_HEADER_LEN; - DecodeMPLS(p->pkt + ETHERNET_HEADER_LEN, &pkthdrTmp, p); + DecodeMPLS(p->pkt + ETHERNET_HEADER_LEN, + cap_len - ETHERNET_HEADER_LEN, p); PREPROC_PROFILE_END(decodePerfStats); return; - } -#endif +#endif default: // TBD add decoder drop event for unknown eth type pc.other++; 
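Review bot: The `ETHERNET_TYPE_MPLS_MULTICAST` case still falls into `ETHERNET_TYPE_MPLS_UNICAST` with no marker, so the new `DecodeMPLS(p->pkt + ETHERNET_HEADER_LEN, cap_len - ETHERNET_HEADER_LEN, p)` call runs after the `DECODE_BAD_MPLS` alert even when multicast MPLS is disallowed; the existing comment suggests that is deliberate, but a `/* fallthrough: alerted on a disallowed multicast label, still decoded as unicast */` line before the `case` would make it explicit and satisfy `-Wimplicit-fallthrough`. The same unmarked fallthrough appears in the VLAN hunks at `@@ -1159` and `@@ -1234`.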
@@ -578,227 +856,111 @@ return; } - -#ifndef NO_NON_ETHER_DECODER -#ifdef DLT_IEEE802_11 +#ifdef GRE /* - * Function: DecodeIEEE80211Pkt(Packet *, char *, DAQ_PktHdr_t*, - * uint8_t*) + * Function: DecodeTransBridging(uint8_t *, const uint32_t, Packet) * - * Purpose: Decode those fun loving wireless LAN packets, one at a time! + * Purpose: Decode Transparent Ethernet Bridging + * + * Arguments: pkt => pointer to the real live packet data + * len => length of remaining data in packet + * p => pointer to the decoded packet struct * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data * * Returns: void function + * + * Note: This is basically the code from DecodeEthPkt but the calling + * convention needed to be changed and the stuff at the beginning + * wasn't needed since we are already deep into the packet */ -void DecodeIEEE80211Pkt(Packet * p, const DAQ_PktHdr_t * pkthdr, - const uint8_t * pkt) +void DecodeTransBridging(const uint8_t *pkt, const uint32_t len, Packet *p) { - uint32_t cap_len = pkthdr->caplen; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + pc.gre_eth++; - /* do a little validation */ - if(cap_len < MINIMAL_IEEE80211_HEADER_LEN) + if(len < ETHERNET_HEADER_LEN) { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < IEEE 802.11 header length! 
" - "(%d bytes)\n", cap_len); - } - - PREPROC_PROFILE_END(decodePerfStats); + DecoderAlertEncapsulated(p, DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR, + DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR, + pkt, len); return; } - /* lay the wireless structure over the packet data */ - p->wifih = (WifiHdr *) pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", *p->wifih->addr1, - *p->wifih->addr2);); + /* The Packet struct's ethernet header will now point to the inner ethernet + * header of the packet + */ + p->eh = (EtherHdr *)pkt; + PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); - /* determine frame type */ - switch(p->wifih->frame_control & 0x00ff) + switch (ntohs(p->eh->ether_type)) { - /* management frames */ - case WLAN_TYPE_MGMT_ASREQ: - case WLAN_TYPE_MGMT_ASRES: - case WLAN_TYPE_MGMT_REREQ: - case WLAN_TYPE_MGMT_RERES: - case WLAN_TYPE_MGMT_PRREQ: - case WLAN_TYPE_MGMT_PRRES: - case WLAN_TYPE_MGMT_BEACON: - case WLAN_TYPE_MGMT_ATIM: - case WLAN_TYPE_MGMT_DIS: - case WLAN_TYPE_MGMT_AUTH: - case WLAN_TYPE_MGMT_DEAUTH: - pc.wifi_mgmt++; - break; + case ETHERNET_TYPE_IP: + DecodeIP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; - /* Control frames */ - case WLAN_TYPE_CONT_PS: - case WLAN_TYPE_CONT_RTS: - case WLAN_TYPE_CONT_CTS: - case WLAN_TYPE_CONT_ACK: - case WLAN_TYPE_CONT_CFE: - case WLAN_TYPE_CONT_CFACK: - pc.wifi_control++; - break; - /* Data packets without data */ - case WLAN_TYPE_DATA_NULL: - case WLAN_TYPE_DATA_CFACK: - case WLAN_TYPE_DATA_CFPL: - case WLAN_TYPE_DATA_ACKPL: + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DecodeARP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; - pc.wifi_data++; - break; - case WLAN_TYPE_DATA_DTCFACK: - case WLAN_TYPE_DATA_DTCFPL: - case WLAN_TYPE_DATA_DTACKPL: - case WLAN_TYPE_DATA_DATA: - pc.wifi_data++; + case ETHERNET_TYPE_IPV6: + DecodeIPV6(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; - if(cap_len < IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)) - { - 
DecoderEvent(p, DECODE_BAD_80211_ETHLLC, - DECODE_BAD_80211_ETHLLC_STR, 1, 1); +#ifndef NO_NON_ETHER_DECODER + case ETHERNET_TYPE_IPX: + DecodeIPX(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; +#endif - PREPROC_PROFILE_END(decodePerfStats); - return; - } + case ETHERNET_TYPE_LOOP: + DecodeEthLoopback(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; - p->ehllc = (EthLlc *) (pkt + IEEE802_11_DATA_HDR_LEN); + case ETHERNET_TYPE_8021Q: + DecodeVlan(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + return; -#ifdef DEBUG - PrintNetData(stdout,(uint8_t *) p->ehllc, sizeof(EthLlc), NULL); - //ClearDumpBuf(); + default: + // TBD add decoder drop event for unknown xbrdg/eth type + pc.other++; + p->data = pkt + ETHERNET_HEADER_LEN; + p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN); + return; + } +} +#endif /* GRE */ - printf("LLC Header:\n"); - printf(" DSAP: 0x%X\n", p->ehllc->dsap); - printf(" SSAP: 0x%X\n", p->ehllc->ssap); -#endif +//-------------------------------------------------------------------- +// decode.c::MPLS +//-------------------------------------------------------------------- - if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP) - { - if(cap_len < IEEE802_11_DATA_HDR_LEN + - sizeof(EthLlc) + sizeof(EthLlcOther)) - { - DecoderEvent(p, DECODE_BAD_80211_OTHER, - DECODE_BAD_80211_OTHER_STR, 1, 1); - - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - p->ehllcother = (EthLlcOther *) (pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)); -#ifdef DEBUG - PrintNetData(stdout,(uint8_t *) p->ehllcother, sizeof(EthLlcOther), NULL ); - //ClearDumpBuf(); - printf("LLC Other Header:\n"); - printf(" CTRL: 0x%X\n", p->ehllcother->ctrl); - printf(" ORG: 0x%02X%02X%02X\n", p->ehllcother->org_code[0], - p->ehllcother->org_code[1], p->ehllcother->org_code[2]); - printf(" PROTO: 0x%04X\n", ntohs(p->ehllcother->proto_id)); -#endif - - switch(ntohs(p->ehllcother->proto_id)) - { - case ETHERNET_TYPE_IP: - 
DecodeIP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + - sizeof(EthLlcOther), - cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - - sizeof(EthLlcOther), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + - sizeof(EthLlcOther), - cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - - sizeof(EthLlcOther), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - case ETHERNET_TYPE_EAPOL: - DecodeEapol(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + - sizeof(EthLlcOther), - cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - - sizeof(EthLlcOther), p); - PREPROC_PROFILE_END(decodePerfStats); - return; - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + IEEE802_11_DATA_HDR_LEN , - cap_len - IEEE802_11_DATA_HDR_LEN , p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + IEEE802_11_DATA_HDR_LEN, - cap_len - IEEE802_11_DATA_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - default: - // TBD add decoder drop event for unknown wifi/eth type - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } - } - break; - default: - // TBD add decoder drop event for unknown wlan frame type - pc.other++; - break; - } - - PREPROC_PROFILE_END(decodePerfStats); - return; -} -#endif // DLT_IEEE802_11 -#endif // NO_NON_ETHER_DECODER - -#ifdef MPLS -/* - * check if reserved labels are used properly - */ -static int checkMplsHdr(uint32_t label, uint8_t exp, uint8_t bos, uint8_t ttl, Packet *p) -{ - int iRet = 0; - switch(label) - { - case 0: - case 2: - /* check if this label is the bottom of the stack */ - if(bos) - { - if ( label == 0 ) - iRet = MPLS_PAYLOADTYPE_IPV4; - else if ( label == 2 ) - iRet = MPLS_PAYLOADTYPE_IPV6; +#ifdef MPLS +/* + * check if reserved labels are used properly + */ +static int checkMplsHdr(uint32_t label, uint8_t exp, uint8_t bos, uint8_t ttl, Packet *p) 
+{ + int iRet = 0; + switch(label) + { + case 0: + case 2: + /* check if this label is the bottom of the stack */ + if(bos) + { + if ( label == 0 ) + iRet = MPLS_PAYLOADTYPE_IPV4; + else if ( label == 2 ) + iRet = MPLS_PAYLOADTYPE_IPV6; - /* when label == 2, IPv6 is expected; + /* when label == 2, IPv6 is expected; * when label == 0, IPv4 is expected */ if((label&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV6)) ||((!label)&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV4))) { if( !label ) - DecoderEvent(p, DECODE_BAD_MPLS_LABEL0, + DecoderEvent(p, DECODE_BAD_MPLS_LABEL0, DECODE_BAD_MPLS_LABEL0_STR, 1, 1); else DecoderEvent(p, DECODE_BAD_MPLS_LABEL2, @@ -812,10 +974,10 @@ * and move on to the next one. */ if( !label ) - DecoderEvent(p, DECODE_BAD_MPLS_LABEL0, + DecoderEvent(p, DECODE_BAD_MPLS_LABEL0, DECODE_BAD_MPLS_LABEL0_STR, 1, 1); else - DecoderEvent(p, DECODE_BAD_MPLS_LABEL2, + DecoderEvent(p, DECODE_BAD_MPLS_LABEL2, DECODE_BAD_MPLS_LABEL2_STR, 1, 1); pc.discards++; @@ -828,8 +990,8 @@ break; case 1: if(!bos) break; - - DecoderEvent(p, DECODE_BAD_MPLS_LABEL1, + + DecoderEvent(p, DECODE_BAD_MPLS_LABEL1, DECODE_BAD_MPLS_LABEL1_STR, 1, 1); pc.discards++; @@ -839,9 +1001,9 @@ #endif iRet = MPLS_PAYLOADTYPE_ERROR; break; - + case 3: - DecoderEvent(p, DECODE_BAD_MPLS_LABEL3, + DecoderEvent(p, DECODE_BAD_MPLS_LABEL3, DECODE_BAD_MPLS_LABEL3_STR, 1, 1); pc.discards++; @@ -863,12 +1025,12 @@ case 13: case 14: case 15: - DecoderEvent(p, DECODE_MPLS_RESERVED_LABEL, + DecoderEvent(p, DECODE_MPLS_RESERVED_LABEL, DECODE_MPLS_RESERVEDLABEL_STR, 1, 1); break; - default: + default: break; - } + } if ( !iRet ) { iRet = ScMplsPayloadType(); 
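Review bot: In the `default` branch of `DecodeTransBridging`, `p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN);` cannot underflow (the `len < ETHERNET_HEADER_LEN` check precedes it) but does wrap for any `len` above 65549; whether a GRE-carried frame can reach that depends on the capture length, so a clamp such as `p->dsize = (len - ETHERNET_HEADER_LEN > UINT16_MAX) ? UINT16_MAX : (uint16_t)(len - ETHERNET_HEADER_LEN);` or a comment stating the bound would be safer. Nothing in this hunk limits re-entry for nested encapsulation (GRE carrying Ethernet carrying another GRE); if a depth guard exists it is outside the hunk and worth referencing in the function comment. The truncated path returns after `DecoderAlertEncapsulated` without touching `pc.discards`, unlike the other decoders here; if that is intended, say so.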
@@ -876,26 +1038,28 @@ return iRet; } -void DecodeMPLS(const uint8_t * pkt, DAQ_PktHdr_t * pkthdr, Packet * p) +void DecodeMPLS(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t cap_len = pkthdr->caplen; - uint32_t *tmpMplsHdr; - uint32_t mpls_h; - uint32_t label; - uint32_t len = 0; - uint8_t exp; - uint8_t bos = 0; - uint8_t ttl; - uint8_t chainLen = 0; - int iRet = 0; - + uint32_t* tmpMplsHdr; + uint32_t mpls_h; + uint32_t label; + uint32_t mlen = 0; + + uint8_t exp; + uint8_t bos = 0; + uint8_t ttl; + uint8_t chainLen = 0; + + int iRet = 0; + pc.mpls++; - UpdateMPLSStats(&sfBase, cap_len, Active_PacketWasDropped()); + UpdateMPLSStats(&sfBase, len, Active_PacketWasDropped()); tmpMplsHdr = (uint32_t *) pkt; p->mpls = NULL; - while (!bos) + + while (!bos) { - if(cap_len < MPLS_HEADER_LEN) + if(len < MPLS_HEADER_LEN) { DecoderEvent(p, DECODE_BAD_MPLS, DECODE_BAD_MPLS_STR, 1, 1); @@ -906,17 +1070,17 @@ #endif return; } - + mpls_h = ntohl(*tmpMplsHdr); ttl = (uint8_t)(mpls_h & 0x000000FF); mpls_h = mpls_h>>8; bos = (uint8_t)(mpls_h & 0x00000001); exp = (uint8_t)(mpls_h & 0x0000000E); label = (mpls_h>>4) & 0x000FFFFF; - + if((label<NUM_RESERVED_LABELS)&&((iRet = checkMplsHdr(label, exp, bos, ttl, p)) < 0)) return; - + if( bos ) { p->mplsHdr.label = label; @@ -935,8 +1099,8 @@ tmpMplsHdr++; if ((ScMplsStackDepth() != -1) && (chainLen++ >= ScMplsStackDepth())) - { - DecoderEvent(p, DECODE_MPLS_LABEL_STACK, + { + DecoderEvent(p, DECODE_MPLS_LABEL_STACK, DECODE_MPLS_LABEL_STACK_STR, 1, 1); pc.discards++; 
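Review bot: `len` is now `const`, so the per-iteration `if(len < MPLS_HEADER_LEN)` compares the whole buffer length rather than the bytes remaining after each `tmpMplsHdr++`; unless the lines elided between this hunk and `@@ -935` track the remaining length separately, a label stack longer than the capture can be read past its end whenever `ScMplsStackDepth()` is `-1` (that check is disabled). Comparing against the remaining bytes, `if (len - (uint32_t)((uint8_t*)tmpMplsHdr - pkt) < MPLS_HEADER_LEN)`, bounds the walk. The unchanged `tmpMplsHdr = (uint32_t *) pkt;` also discards `const` and reads 4-byte words from a buffer that usually sits at a 14-byte Ethernet offset; the file's own `WORDS_MUSTALIGN` path for `EXTRACT_32BITS` suggests alignment matters on some targets, and a `memcpy` into a local `uint32_t` would be portable. The loop body continues past the hunk.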
@@ -947,50 +1111,42 @@ return; } } /* while bos not 1, peel off more labels */ - len = (uint8_t*)tmpMplsHdr - pkt; - PushLayer(PROTO_MPLS, p, pkt, len); - len = cap_len - len; + + mlen = (uint8_t*)tmpMplsHdr - pkt; + PushLayer(PROTO_MPLS, p, pkt, mlen); + mlen = len - mlen; switch (iRet) { case MPLS_PAYLOADTYPE_IPV4: - DecodeIP((uint8_t *)tmpMplsHdr, len, p); + DecodeIP((uint8_t *)tmpMplsHdr, mlen, p); break; case MPLS_PAYLOADTYPE_IPV6: - DecodeIPV6((uint8_t *)tmpMplsHdr, len, p); + DecodeIPV6((uint8_t *)tmpMplsHdr, mlen, p); break; - + case MPLS_PAYLOADTYPE_ETHERNET: - DecodeEthOverMPLS(p, pkthdr, (uint8_t *)tmpMplsHdr); + DecodeEthOverMPLS((uint8_t *)tmpMplsHdr, mlen, p); break; - + default: - break; + break; } - return; } -// FIXTHIS not changing pkthdr->caplen,len prolly broke below ... -void DecodeEthOverMPLS(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +void DecodeEthOverMPLS(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t cap_len = pkthdr->caplen; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; - /* do a little validation */ - if(cap_len < ETHERNET_HEADER_LEN) + if(len < ETHERNET_HEADER_LEN) { if (ScLogVerbose()) { ErrorMessage("Captured data length < Ethernet header length!" - " (%d bytes)\n", cap_len); + " (%d bytes)\n", len); } - + p->iph = NULL; // TBD add decoder drop event for eth over MPLS cap len issue pc.discards++; @@ -999,11 +1155,11 @@ } /* lay the ethernet structure over the packet data */ - p->eh = (EtherHdr *) pkt; + p->eh = (EtherHdr *) pkt; // FIXTHIS squashes outer eth! PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "%X %X\n", + DebugMessage(DEBUG_DECODE, "%X %X\n", *p->eh->ether_src, *p->eh->ether_dst); ); 
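Review bot: `DecodeEthOverMPLS` no longer sets `p->pkt = pkt` (removed together with the `memset`), yet the dispatch in the next hunk, `@@ -1012`, still computes every payload as `p->pkt + ETHERNET_HEADER_LEN` while passing the inner `len - ETHERNET_HEADER_LEN`; `p->pkt` now points at the outer frame, so the inner protocol is decoded at the wrong offset with a mismatched length. Each of those calls should use `pkt + ETHERNET_HEADER_LEN`, as `DecodeTransBridging` already does. The error path here pairs `%d` with the `uint32_t` `len` in `" (%d bytes)\n"`; `%u` matches. The switch in question lies outside this hunk.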
@@ -1012,49 +1168,50 @@ { case ETHERNET_TYPE_IP: DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, + DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu bytes\n", - (unsigned long)(cap_len - ETHERNET_HEADER_LEN)); + (unsigned long)(len - ETHERNET_HEADER_LEN)); ); - DecodeIP(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); + DecodeIP(p->pkt + ETHERNET_HEADER_LEN, + len - ETHERNET_HEADER_LEN, p); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); + DecodeARP(p->pkt + ETHERNET_HEADER_LEN, + len - ETHERNET_HEADER_LEN, p); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); + DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); return; -#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - DecodePPPoEPkt(p, pkthdr, pkt); + DecodePPPoEPkt(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); return; +#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); + DecodeIPX(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); return; #endif case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, - (cap_len - ETHERNET_HEADER_LEN), p); - return; + DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN, + (len - ETHERNET_HEADER_LEN), p); + return; case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, - cap_len - ETHERNET_HEADER_LEN, p); - return; - + DecodeVlan(p->pkt + ETHERNET_HEADER_LEN, + len - ETHERNET_HEADER_LEN, p); + return; + default: // TBD add decoder drop event for unknown mpls/eth type pc.other++; 
@@ -1063,7 +1220,32 @@ return; } -#endif + +int isPrivateIP(uint32_t addr) +{ + switch (addr & 0xff) + { + case 0x0a: + return 1; + break; + case 0xac: + if ((addr & 0xf000) == 0x1000) + return 1; + break; + case 0xc0: + if (((addr & 0xff00) ) == 0xa800) + return 1; + break; + } + return 0; +} +#endif // MPLS + +//-------------------------------------------------------------------- +// decode.c::VLAN +//-------------------------------------------------------------------- + +#define LEN_VLAN_LLC_OTHER (sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther)) void DecodeVlan(const uint8_t * pkt, const uint32_t len, Packet * p) { @@ -1077,7 +1259,7 @@ if(len < sizeof(VlanTagHdr)) { DecoderEvent(p, DECODE_BAD_VLAN, DECODE_BAD_VLAN_STR, 1, 1); - + // TBD add decoder drop event for VLAN hdr len issue pc.discards++; p->iph = NULL; @@ -1088,14 +1270,14 @@ } p->vh = (VlanTagHdr *) pkt; - + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Vlan traffic:\n"); - DebugMessage(DEBUG_DECODE, " Priority: %d(0x%X)\n", + DebugMessage(DEBUG_DECODE, " Priority: %d(0x%X)\n", VTH_PRIORITY(p->vh), VTH_PRIORITY(p->vh)); DebugMessage(DEBUG_DECODE, " CFI: %d\n", VTH_CFI(p->vh)); - DebugMessage(DEBUG_DECODE, " Vlan ID: %d(0x%04X)\n", + DebugMessage(DEBUG_DECODE, " Vlan ID: %d(0x%04X)\n", VTH_VLAN(p->vh), VTH_VLAN(p->vh)); - DebugMessage(DEBUG_DECODE, " Vlan Proto: 0x%04X\n", + DebugMessage(DEBUG_DECODE, " Vlan Proto: 0x%04X\n", ntohs(p->vh->vth_proto)); ); @@ -1106,7 +1288,7 @@ { if(len < sizeof(VlanTagHdr) + sizeof(EthLlc)) { - DecoderEvent(p, DECODE_BAD_VLAN_ETHLLC, + DecoderEvent(p, DECODE_BAD_VLAN_ETHLLC, DECODE_BAD_VLAN_ETHLLC_STR, 1, 1); pc.discards++; @@ -1114,9 +1296,9 @@ #ifdef SUP_IP6 p->family = NO_IP; #endif - return; + return; } - + p->ehllc = (EthLlc *) (pkt + sizeof(VlanTagHdr)); DEBUG_WRAP( 
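Review bot: `isPrivateIP` treats `addr & 0xff` as the first octet and `addr & 0xf000` / `addr & 0xff00` as the second, which holds only when `addr` carries the header's network-order bytes read as a host integer on a little-endian host; on a big-endian host every case misfires. Either document that contract (`/* addr: IPv4 address as stored in the header (network byte order) */`) or convert once with `uint32_t h = ntohl(addr);` and test `(h >> 24) == 0x0a`, `(h & 0xfff00000) == 0xac100000` and `(h & 0xffff0000) == 0xc0a80000`. The `break;` after each `return 1;` is unreachable and the switch has no `default`. Placing this general IPv4 helper inside `#ifdef MPLS` ties it to MPLS builds; if only the MPLS code uses it, a comment saying so would help the next reader.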
@@ -1127,30 +1309,30 @@ if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP) { - if(len < sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther)) + if ( len < LEN_VLAN_LLC_OTHER ) { - DecoderEvent(p, DECODE_BAD_VLAN_OTHER, + DecoderEvent(p, DECODE_BAD_VLAN_OTHER, DECODE_BAD_VLAN_OTHER_STR, 1, 1); - + pc.discards++; p->iph = NULL; #ifdef SUP_IP6 p->family = NO_IP; #endif - return; + return; } p->ehllcother = (EthLlcOther *) (pkt + sizeof(VlanTagHdr) + sizeof(EthLlc)); DEBUG_WRAP( DebugMessage(DEBUG_DECODE, "LLC Other Header:\n"); - DebugMessage(DEBUG_DECODE, " CTRL: 0x%X\n", + DebugMessage(DEBUG_DECODE, " CTRL: 0x%X\n", p->ehllcother->ctrl); - DebugMessage(DEBUG_DECODE, " ORG: 0x%02X%02X%02X\n", - p->ehllcother->org_code[0], p->ehllcother->org_code[1], + DebugMessage(DEBUG_DECODE, " ORG: 0x%02X%02X%02X\n", + p->ehllcother->org_code[0], p->ehllcother->org_code[1], p->ehllcother->org_code[2]); - DebugMessage(DEBUG_DECODE, " PROTO: 0x%04X\n", + DebugMessage(DEBUG_DECODE, " PROTO: 0x%04X\n", ntohs(p->ehllcother->proto_id)); ); 
@@ -1159,67 +1341,57 @@ switch(ntohs(p->ehllcother->proto_id)) { case ETHERNET_TYPE_IP: - DecodeIP(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeIP(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeARP(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeIPV6(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_8021Q: pc.nested_vlan++; - DecodeVlan(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeVlan(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeEthLoopback(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; #ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), - len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther), p); + DecodeIPX(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); return; +#endif - /* Add these after DecodePPPoEPkt() has been reimplemented */ case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - { - DAQ_PktHdr_t pkthdrTmp; - pkthdrTmp.caplen = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - pkthdrTmp.pktlen = len - sizeof(VlanTagHdr) - 
sizeof(EthLlc) - sizeof(EthLlcOther); - DecodePPPoEPkt(p,&pkthdrTmp, p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther)); - return; - } -#endif + DecodePPPoEPkt(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); + return; #ifdef MPLS case ETHERNET_TYPE_MPLS_MULTICAST: if(!ScMplsMulticast()) { - DecoderEvent(p, DECODE_BAD_MPLS, + DecoderEvent(p, DECODE_BAD_MPLS, DECODE_MULTICAST_MPLS_STR, 1, 1); } case ETHERNET_TYPE_MPLS_UNICAST: - { - DAQ_PktHdr_t pkthdrTmp; - pkthdrTmp.caplen = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - pkthdrTmp.pktlen = len - sizeof(VlanTagHdr) - sizeof(EthLlc) - sizeof(EthLlcOther); - DecodeMPLS(p->pkt + sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther), &pkthdrTmp, p); - return; - } + DecodeMPLS(p->pkt + LEN_VLAN_LLC_OTHER, + len - LEN_VLAN_LLC_OTHER, p); + return; #endif - default: // TBD add decoder drop event for unknown vlan/eth type pc.other++; 
@@ -1234,47 +1406,44 @@ switch(ntohs(p->vh->vth_proto)) { case ETHERNET_TYPE_IP: - DecodeIP(pkt + sizeof(VlanTagHdr), + DecodeIP(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(pkt + sizeof(VlanTagHdr), + DecodeARP(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(pkt +sizeof(VlanTagHdr), + DecodeIPV6(pkt +sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_8021Q: pc.nested_vlan++; - DecodeVlan(pkt + sizeof(VlanTagHdr), + DecodeVlan(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(pkt + sizeof(VlanTagHdr), + DecodeEthLoopback(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; #ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(pkt + sizeof(VlanTagHdr), + DecodeIPX(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; +#endif -#if 0 - /* Add these after DecodePPPoEPkt() has been reimplemented */ case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: - DecodePPPoEPkt(pkt + sizeof(VlanTagHdr), + DecodePPPoEPkt(pkt + sizeof(VlanTagHdr), len - sizeof(VlanTagHdr), p); return; -#endif -#endif #ifdef MPLS case ETHERNET_TYPE_MPLS_MULTICAST: @@ -1283,13 +1452,9 @@ SnortEventqAdd(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_MULTICAST_MPLS_STR, 0); } case ETHERNET_TYPE_MPLS_UNICAST: - { - DAQ_PktHdr_t pkthdrTmp; - pkthdrTmp.caplen = len - sizeof(VlanTagHdr); - pkthdrTmp.pktlen = len - sizeof(VlanTagHdr); - DecodeMPLS(pkt + sizeof(VlanTagHdr), &pkthdrTmp, p); - return; - } + DecodeMPLS(pkt + sizeof(VlanTagHdr), + len - sizeof(VlanTagHdr), p); + return; #endif default: // TBD add decoder drop event for unknown vlan/eth type 
@@ -1303,418 +1468,407 @@ return; } +//-------------------------------------------------------------------- +// decode.c::PPP related +//-------------------------------------------------------------------- + /* - * Function: DecodeNullPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * Function: DecodePPPoEPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Decoding on loopback devices. + * Purpose: Decode those fun loving ethernet packets, one at a time! * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) * pkthdr => ptr to the packet header * pkt => pointer to the real live packet data * * Returns: void function + * + * see http://www.faqs.org/rfcs/rfc2516.html + * */ -void DecodeNullPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +void DecodePPPoEPkt(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t cap_len = pkthdr->caplen; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; + const PPPoEHdr* pppoep = NULL; + //PPPoE_Tag *ppppoe_tag=0; + //PPPoE_Tag tag; /* needed to avoid alignment problems */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); ); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPPoE with len: %lu\n", + (unsigned long)len);); /* do a little validation */ - if(cap_len < NULL_HDRLEN) + if(len < PPPOE_HEADER_LEN) { - if (ScLogVerbose()) - { - ErrorMessage("NULL header length < captured len! (%d bytes)\n", - cap_len); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < PPPoE header length! 
" + "(%d bytes)\n", len);); + + DecoderEvent(p, DECODE_BAD_PPPOE, DECODE_BAD_PPPOE_STR, 1, 1); - PREPROC_PROFILE_END(decodePerfStats); return; } - DecodeIP(p->pkt + NULL_HDRLEN, cap_len - NULL_HDRLEN, p); - PREPROC_PROFILE_END(decodePerfStats); -} - -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodeTRPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decode Token Ring packets! - * - * Arguments: p=> pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeTRPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - uint32_t cap_len = pkthdr->caplen; - uint32_t dataoff; /* data offset is variable here */ - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", + *p->eh->ether_src, *p->eh->ether_dst);); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len,(unsigned long) pkthdr->pktlen); - ); + /* lay the PPP over ethernet structure over the packet data */ + pppoep = p->pppoeh = (PPPoEHdr *)pkt; - if(cap_len < sizeof(Trh_hdr)) + /* grab out the network type */ + switch(ntohs(p->eh->ether_type)) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Captured data length < Token Ring header length! 
" - "(%d < %d bytes)\n", cap_len, TR_HLEN);); + case ETHERNET_TYPE_PPPoE_DISC: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Discovery) ");); + break; - DecoderEvent(p, DECODE_BAD_TRH, DECODE_BAD_TRH_STR, 1, 1); + case ETHERNET_TYPE_PPPoE_SESS: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Session) ");); + break; - PREPROC_PROFILE_END(decodePerfStats); - return; + default: + return; } - /* lay the tokenring header structure over the packet data */ - p->trh = (Trh_hdr *) pkt; - - /* - * according to rfc 1042: - * - * The presence of a Routing Information Field is indicated by the Most - * Significant Bit (MSB) of the source address, called the Routing - * Information Indicator (RII). If the RII equals zero, a RIF is - * not present. If the RII equals 1, the RIF is present. - * .. - * However the MSB is already zeroed by this moment, so there's no - * real way to figure out whether RIF is presented in packet, so we are - * doing some tricks to find IPARP signature.. - */ - - /* - * first I assume that we have single-ring network with no RIF - * information presented in frame - */ - if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc))) +#ifdef DEBUG_MSGS + switch(pppoep->code) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Captured data length < Token Ring header length! " - "(%d < %d bytes)\n", cap_len, - (sizeof(Trh_hdr) + sizeof(Trh_llc)));); - - DecoderEvent(p, DECODE_BAD_TR_ETHLLC, DECODE_BAD_TR_ETHLLC_STR, 1, 1); - - PREPROC_PROFILE_END(decodePerfStats); - return; - } + case PPPoE_CODE_PADI: + /* The Host sends the PADI packet with the DESTINATION_ADDR set + * to the broadcast address. The CODE field is set to 0x09 and + * the SESSION_ID MUST be set to 0x0000. + * + * The PADI packet MUST contain exactly one TAG of TAG_TYPE + * Service-Name, indicating the service the Host is requesting, + * and any number of other TAG types. 
An entire PADI packet + * (including the PPPoE header) MUST NOT exceed 1484 octets so + * as to leave sufficient room for a relay agent to add a + * Relay-Session-Id TAG. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Initiation (PADI)\n"); + break; - - p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); + case PPPoE_CODE_PADO: + /* When the Access Concentrator receives a PADI that it can + * serve, it replies by sending a PADO packet. The + * DESTINATION_ADDR is the unicast address of the Host that + * sent the PADI. The CODE field is set to 0x07 and the + * SESSION_ID MUST be set to 0x0000. + * + * The PADO packet MUST contain one AC-Name TAG containing the + * Access Concentrator's name, a Service-Name TAG identical to + * the one in the PADI, and any number of other Service-Name + * TAGs indicating other services that the Access Concentrator + * offers. If the Access Concentrator can not serve the PADI + * it MUST NOT respond with a PADO. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Offer (PADO)\n"); + break; - if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) - { - /* - * DSAP != SSAP != 0xAA .. either we are having frame which doesn't - * carry IP datagrams or has RIF information present. We assume - * lattest ... - */ + case PPPoE_CODE_PADR: + /* Since the PADI was broadcast, the Host may receive more than + * one PADO. The Host looks through the PADO packets it receives + * and chooses one. The choice can be based on the AC-Name or + * the Services offered. The Host then sends one PADR packet + * to the Access Concentrator that it has chosen. The + * DESTINATION_ADDR field is set to the unicast Ethernet address + * of the Access Concentrator that sent the PADO. The CODE + * field is set to 0x19 and the SESSION_ID MUST be set to 0x0000. + * + * The PADR packet MUST contain exactly one TAG of TAG_TYPE + * Service-Name, indicating the service the Host is requesting, + * and any number of other TAG types. 
+ */ + DebugMessage(DEBUG_DECODE, "Active Discovery Request (PADR)\n"); + break; - if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr))) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Captured data length < Token Ring header length! " - "(%d < %d bytes)\n", cap_len, - (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));); - - DecoderEvent(p, DECODE_BAD_TRHMR, DECODE_BAD_TRHMR_STR, 1, 1); - - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - p->trhmr = (Trh_mr *) (pkt + sizeof(Trh_hdr)); + case PPPoE_CODE_PADS: + /* When the Access Concentrator receives a PADR packet, it + * prepares to begin a PPP session. It generates a unique + * SESSION_ID for the PPPoE session and replies to the Host with + * a PADS packet. The DESTINATION_ADDR field is the unicast + * Ethernet address of the Host that sent the PADR. The CODE + * field is set to 0x65 and the SESSION_ID MUST be set to the + * unique value generated for this PPPoE session. + * + * The PADS packet contains exactly one TAG of TAG_TYPE + * Service-Name, indicating the service under which Access + * Concentrator has accepted the PPPoE session, and any number + * of other TAG types. + * + * If the Access Concentrator does not like the Service-Name in + * the PADR, then it MUST reply with a PADS containing a TAG of + * TAG_TYPE Service-Name-Error (and any number of other TAG + * types). In this case the SESSION_ID MUST be set to 0x0000. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery " + "Session-confirmation (PADS)\n"); + break; - - if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + - sizeof(Trh_mr) + TRH_MR_LEN(p->trhmr))) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Captured data length < Token Ring header length! " - "(%d < %d bytes)\n", cap_len, - (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));); + case PPPoE_CODE_PADT: + /* This packet may be sent anytime after a session is established + * to indicate that a PPPoE session has been terminated. 
It may + * be sent by either the Host or the Access Concentrator. The + * DESTINATION_ADDR field is a unicast Ethernet address, the + * CODE field is set to 0xa7 and the SESSION_ID MUST be set to + * indicate which session is to be terminated. No TAGs are + * required. + * + * When a PADT is received, no further PPP traffic is allowed to + * be sent using that session. Even normal PPP termination + * packets MUST NOT be sent after sending or receiving a PADT. + * A PPP peer SHOULD use the PPP protocol itself to bring down a + * PPPoE session, but the PADT MAY be used when PPP can not be + * used. + */ + DebugMessage(DEBUG_DECODE, "Active Discovery Terminate (PADT)\n"); + break; - DecoderEvent(p, DECODE_BAD_TR_MR_LEN, DECODE_BAD_TR_MR_LEN_STR, 1, 1); + case PPPoE_CODE_SESS: + DebugMessage(DEBUG_DECODE, "Session Packet (SESS)\n"); + break; - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr)); - dataoff = sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr) + sizeof(Trh_llc); + default: + DebugMessage(DEBUG_DECODE, "(Unknown)\n"); + break; + } +#endif + if (ntohs(p->eh->ether_type) != ETHERNET_TYPE_PPPoE_DISC) + { + PushLayer(PROTO_PPPOE, p, pkt, PPPOE_HEADER_LEN); + DecodePppPktEncapsulated(pkt + PPPOE_HEADER_LEN, len - PPPOE_HEADER_LEN, p); + return; } else { - p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); - dataoff = sizeof(Trh_hdr) + sizeof(Trh_llc); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Returning early on PPPOE discovery packet\n");); + return; } - /* - * ideally we would need to check both SSAP, DSAP, and protoid fields: IP - * datagrams and ARP requests and replies are transmitted in standard - * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with - * the DSAP and the SSAP fields of the 802.2 header set to 170, the - * assigned global SAP value for SNAP [6]. 
The 24-bit Organization Code - * in the SNAP is zero, and the remaining 16 bits are the EtherType from - * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we would check - * SSAP and DSAP and assume this would be enough to trust. - */ - if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) +#if 0 + ppppoe_tag = (PPPoE_Tag *)(pkt + sizeof(PPPoEHdr)); + + while (ppppoe_tag < (PPPoE_Tag *)(pkt + len)) { + if (((char*)(ppppoe_tag)+(sizeof(PPPoE_Tag)-1)) > (char*)(pkt + len)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Not enough data in packet for PPPOE Tag\n");); + break; + } + + /* no guarantee in PPPoE spec that ppppoe_tag is aligned at all... */ + memcpy(&tag, ppppoe_tag, sizeof(tag)); + DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "DSAP and SSAP arent set to SNAP\n"); - ); - p->trhllc = NULL; - PREPROC_PROFILE_END(decodePerfStats); - return; - } + DebugMessage(DEBUG_DECODE, "\tPPPoE tag:\ntype: %04x length: %04x ", + ntohs(tag.type), ntohs(tag.length));); - switch(htons(p->trhllc->ethertype)) - { - case ETHERNET_TYPE_IP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); - DecodeIP(p->pkt + dataoff, cap_len - dataoff, p); - PREPROC_PROFILE_END(decodePerfStats); - return; +#ifdef DEBUG_MSGS + switch(ntohs(tag.type)) + { + case PPPoE_TAG_END_OF_LIST: + DebugMessage(DEBUG_DECODE, "(End of list)\n\t"); + break; + case PPPoE_TAG_SERVICE_NAME: + DebugMessage(DEBUG_DECODE, "(Service name)\n\t"); + break; + case PPPoE_TAG_AC_NAME: + DebugMessage(DEBUG_DECODE, "(AC Name)\n\t"); + break; + case PPPoE_TAG_HOST_UNIQ: + DebugMessage(DEBUG_DECODE, "(Host Uniq)\n\t"); + break; + case PPPoE_TAG_AC_COOKIE: + DebugMessage(DEBUG_DECODE, "(AC Cookie)\n\t"); + break; + case PPPoE_TAG_VENDOR_SPECIFIC: + DebugMessage(DEBUG_DECODE, "(Vendor Specific)\n\t"); + break; + case PPPoE_TAG_RELAY_SESSION_ID: + DebugMessage(DEBUG_DECODE, "(Relay Session ID)\n\t"); + break; + case PPPoE_TAG_SERVICE_NAME_ERROR: + DebugMessage(DEBUG_DECODE, "(Service Name Error)\n\t"); + break; 
+ case PPPoE_TAG_AC_SYSTEM_ERROR: + DebugMessage(DEBUG_DECODE, "(AC System Error)\n\t"); + break; + case PPPoE_TAG_GENERIC_ERROR: + DebugMessage(DEBUG_DECODE, "(Generic Error)\n\t"); + break; + default: + DebugMessage(DEBUG_DECODE, "(Unknown)\n\t"); + break; + } +#endif - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "Decoding ARP\n"); - ); - pc.arp++; +#ifdef DEBUG_MSGS + if (ntohs(tag.length) > 0) + { + char *buf; + int i; - PREPROC_PROFILE_END(decodePerfStats); - return; + switch (ntohs(tag.type)) + { + case PPPoE_TAG_SERVICE_NAME: + case PPPoE_TAG_AC_NAME: + case PPPoE_TAG_SERVICE_NAME_ERROR: + case PPPoE_TAG_AC_SYSTEM_ERROR: + case PPPoE_TAG_GENERIC_ERROR: * ascii data * + buf = (char *)SnortAlloc(ntohs(tag.length) + 1); + strlcpy(buf, (char *)(ppppoe_tag+1), ntohs(tag.length)); + DebugMessage(DEBUG_DECODE, "data (UTF-8): %s\n", buf); + free(buf); + break; - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + dataoff, cap_len - dataoff, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + case PPPoE_TAG_HOST_UNIQ: + case PPPoE_TAG_AC_COOKIE: + case PPPoE_TAG_RELAY_SESSION_ID: + DebugMessage(DEBUG_DECODE, "data (bin): "); + for (i = 0; i < ntohs(tag.length); i++) + DebugMessage(DEBUG_DECODE, + "%02x", *(((unsigned char *)ppppoe_tag) + + sizeof(PPPoE_Tag) + i)); + DebugMessage(DEBUG_DECODE, "\n"); + break; - default: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", - htons(p->trhllc->ethertype))); - // TBD add decoder drop event for unknown tr/eth type - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + default: + DebugMessage(DEBUG_DECODE, "unrecognized data\n"); + break; + } + } +#endif + + ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length)); } - PREPROC_PROFILE_END(decodePerfStats); +#endif /* #if 0 */ + return; } - /* - * Function: DecodeFDDIPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * Function: DecodePppPktEncapsulated(Packet *, const uint32_t len, 
uint8_t*) * - * Purpose: Mainly taken from CyberPsycotic's Token Ring Code -worm5er + * Purpose: Decode PPP traffic (RFC1661 framing). * * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header + * len => length of data to process * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeFDDIPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +void DecodePppPktEncapsulated(const uint8_t* pkt, const uint32_t len, Packet* p) { - uint32_t cap_len = pkthdr->caplen; - uint32_t dataoff = sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps); - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); + static int had_vj = 0; + uint16_t protocol; + uint32_t hlen = 1; /* HEADER - try 1 then 2 */ - pc.total_processed++; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPP Packet!\n");); - memset(p, 0, PKT_ZERO_LEN); +#ifdef WORDS_MUSTALIGN + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet with PPP header. " + "PPP is only 1 or 2 bytes and will throw off " + "alignment on this architecture when decoding IP, " + "causing a bus error - stop decoding packet.\n");); - p->pkth = pkthdr; - p->pkt = pkt; + p->data = pkt; + p->dsize = (uint16_t)len; + return; +#endif /* WORDS_MUSTALIGN */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long) cap_len,(unsigned long) pkthdr->pktlen); - ); +#ifdef GRE + if (p->greh != NULL) + pc.gre_ppp++; +#endif /* GRE */ - /* Bounds checking (might not be right yet -worm5er) */ - if(cap_len < dataoff) + /* do a little validation: + * + */ + if(len < 2) { if (ScLogVerbose()) { - ErrorMessage("Captured data length < FDDI header length! 
" - "(%d %d bytes)\n", cap_len, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; + ErrorMessage("Length not big enough for even a single " + "header or a one byte payload\n"); } + return; } - /* let's put this in as the fddi header structure */ - p->fddihdr = (Fddi_hdr *) pkt; - p->fddisaps = (Fddi_llc_saps *) (pkt + sizeof(Fddi_hdr)); - /* First we'll check and see if it's an IP/ARP Packet... */ - /* Then we check to see if it's a SNA packet */ - /* - * Lastly we'll declare it none of the above and just slap something - * generic on it to discard it with (I know that sucks, but heck we're - * only looking for IP/ARP type packets currently... -worm5er - */ - if((p->fddisaps->dsap == FDDI_DSAP_IP) && (p->fddisaps->ssap == FDDI_SSAP_IP)) - { - dataoff += sizeof(Fddi_llc_iparp); - - if(cap_len < dataoff) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < FDDI header length! " - "(%d %d bytes)\n", cap_len, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; - } - } - - p->fddiiparp = (Fddi_llc_iparp *) (pkt + sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps)); - } - else if((p->fddisaps->dsap == FDDI_DSAP_SNA) && - (p->fddisaps->ssap == FDDI_SSAP_SNA)) + if(pkt[0] & 0x01) { - dataoff += sizeof(Fddi_llc_sna); - - if(cap_len < dataoff) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < FDDI header length! " - "(%d %d bytes)\n", cap_len, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; - } - } - - p->fddisna = (Fddi_llc_sna *) (pkt + sizeof(Fddi_hdr) + - sizeof(Fddi_llc_saps)); + /* Check for protocol compression rfc1661 section 5 + * + */ + hlen = 1; + protocol = pkt[0]; } else { - dataoff += sizeof(Fddi_llc_other); - p->fddiother = (Fddi_llc_other *) (pkt + sizeof(Fddi_hdr) + - sizeof(Fddi_llc_other)); - - if(cap_len < dataoff) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < FDDI header length! 
" - "(%d %d bytes)\n", cap_len, dataoff); - PREPROC_PROFILE_END(decodePerfStats); - return; - } - } + protocol = ntohs(*((uint16_t *)pkt)); + hlen = 2; } /* - * Now let's see if we actually care about the packet... If we don't, - * throw it out!!! + * We only handle uncompressed packets. Handling VJ compression would mean + * to implement a PPP state machine. */ - if((p->fddisaps->dsap != FDDI_DSAP_IP) && - (p->fddisaps->ssap != FDDI_SSAP_IP)) - { - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, - "This FDDI Packet isn't an IP/ARP packet...\n"); - ); - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - cap_len -= dataoff; - - switch(htons(p->fddiiparp->ethertype)) + switch (protocol) { - case ETHERNET_TYPE_IP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); - DecodeIP(p->pkt + dataoff, cap_len, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding ARP\n");); - pc.arp++; - - PREPROC_PROFILE_END(decodePerfStats); - return; - - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + dataoff, cap_len, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + case PPP_VJ_COMP: + if (!had_vj) + ErrorMessage("PPP link seems to use VJ compression, " + "cannot handle compressed packets!\n"); + had_vj = 1; + break; + case PPP_VJ_UCOMP: + /* VJ compression modifies the protocol field. It must be set + * to tcp (only TCP packets can be VJ compressed) */ + if(len < (hlen + IP_HEADER_LEN)) + { + if (ScLogVerbose()) + ErrorMessage("PPP VJ min packet length > captured len! 
" + "(%d bytes)\n", len); + return; + } + ((IPHdr *)(pkt + hlen))->ip_proto = IPPROTO_TCP; + /* fall through */ - default: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", - htons(p->fddiiparp->ethertype)); - ); - // TBD add decoder drop event for unknown fddi/eth type - pc.other++; + case PPP_IP: + PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen); + DecodeIP(pkt + hlen, len - hlen, p); + break; - PREPROC_PROFILE_END(decodePerfStats); - return; +#ifndef NO_NON_ETHER_DECODER + case PPP_IPX: + PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen); + DecodeIPX(pkt + hlen, len - hlen, p); + break; +#endif } - - PREPROC_PROFILE_END(decodePerfStats); - return; } -#ifdef DLT_LINUX_SLL +//-------------------------------------------------------------------- +// decode.c::Raw packets +//-------------------------------------------------------------------- + /* - * Function: DecodeLinuxSLLPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * Function: DecodeRawPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Decode those fun loving LinuxSLL (linux cooked sockets) - * packets, one at a time! + * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and + * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks + * by me. * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) + * Arguments: p => pointer to decoded packet struct * pkthdr => ptr to the packet header * pkt => pointer to the real live packet data * * Returns: void function */ - -void DecodeLinuxSLLPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +void DecodeRawPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - uint32_t cap_len = pkthdr->caplen; PROFILE_VARS; PREPROC_PROFILE_START(decodePerfStats); 
@@ -1726,2558 +1880,2659 @@ p->pkth = pkthdr; p->pkt = pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP4 Packet!\n");); - /* do a little validation */ - if(cap_len < SLL_HDR_LEN) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < SLL header length (your " - "libpcap is broken?)! (%d bytes)\n", cap_len); - } - PREPROC_PROFILE_END(decodePerfStats); - return; - } - /* lay the ethernet structure over the packet data */ - p->sllh = (SLLHdr *) pkt; + DecodeIP(pkt, p->pkth->caplen, p); - /* grab out the network type */ - switch(ntohs(p->sllh->sll_protocol)) - { - case ETHERNET_TYPE_IP: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "IP datagram size calculated to be %lu bytes\n", - (unsigned long)(cap_len - SLL_HDR_LEN));); + PREPROC_PROFILE_END(decodePerfStats); + return; +} - DecodeIP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; +// raw packets are predetermined to be ip4 (above) or ip6 (below) by the DLT - case ETHERNET_TYPE_ARP: - case ETHERNET_TYPE_REVARP: - DecodeARP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; +void DecodeRawPkt6(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + PROFILE_VARS; + PREPROC_PROFILE_START(decodePerfStats); - case ETHERNET_TYPE_IPV6: - DecodeIPV6(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; + pc.total_processed++; + memset(p, 0, PKT_ZERO_LEN); - case ETHERNET_TYPE_IPX: - DecodeIPX(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); - PREPROC_PROFILE_END(decodePerfStats); - return; + p->pkth = pkthdr; + p->pkt = pkt; - case LINUX_SLL_P_802_3: - DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, - "Linux SLL P 802.3 is not supported.\n");); - // TBD add decoder drop event for unsupported 
linux sll p 802.3 - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP6 Packet!\n");); - case LINUX_SLL_P_802_2: - DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, - "Linux SLL P 802.2 is not supported.\n");); - // TBD add decoder drop event for unsupported linux sll p 802.2 - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + DecodeIPV6(pkt, p->pkth->caplen, p); - case ETHERNET_TYPE_8021Q: - DecodeVlan(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + PREPROC_PROFILE_END(decodePerfStats); + return; +} - default: - /* shouldn't go here unless pcap library changes again */ - /* should be a DECODE generated alert */ - DEBUG_WRAP(DebugMessage(DEBUG_DATALINK,"(Unknown) %X is not supported. " - "(need tcpdump snapshots to test. Please contact us)\n", - p->sllh->sll_protocol);); - // TBD add decoder drop event for unknown sll encapsulation - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } - - PREPROC_PROFILE_END(decodePerfStats); - return; -} -#endif /* DLT_LINUX_SLL */ +//-------------------------------------------------------------------- +// decode.c::IP4 misc +//-------------------------------------------------------------------- /* - * Function: DecodeOldPflog(Packet *, DAQ_PktHdr_t *, uint8_t *) - * - * Purpose: Pass old pflog format device packets off to IP or IP6 -fleck - * - * Arguments: p => pointer to the decoded packet struct - * pkthdr => ptr to the packet header - * pkt => pointer to the packet data - * - * Returns: void function - * + * Some IP Header tests + * Land Attack(same src/dst ip) + * Loopback (src or dst in 127/8 block) + * Modified: 2/22/05-man for High Endian Architecture. 
*/ -void DecodeOldPflog(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - uint32_t cap_len = pkthdr->caplen; - PROFILE_VARS; +#define IP4_THIS_NET 0x00 // msb +#define IP4_MULTICAST 0x0E // ms nibble +#define IP4_RESERVED 0x0F // ms nibble +#define IP4_LOOPBACK 0x7F // msb +#define IP4_BROADCAST 0xffffffff - PREPROC_PROFILE_START(decodePerfStats); +void IP4AddrTests (Packet* p) +{ + uint8_t msb_src, msb_dst; - pc.total_processed++; + // check all 32 bits ... + if( p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr ) + { + DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, + DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1); - memset(p, 0, PKT_ZERO_LEN); + } - p->pkth = pkthdr; - p->pkt = pkt; + // check all 32 bits ... + if ( Event_Enabled(DECODE_IP4_SRC_BROADCAST ) ) + if ( p->iph->ip_src.s_addr == IP4_BROADCAST ) + DecoderEvent(p, EVARGS(IP4_SRC_BROADCAST), 1, 1); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + if ( Event_Enabled(DECODE_IP4_DST_BROADCAST ) ) + if ( p->iph->ip_dst.s_addr == IP4_BROADCAST ) + DecoderEvent(p, EVARGS(IP4_DST_BROADCAST), 1, 1); - /* do a little validation */ - if(cap_len < PFLOG1_HDRLEN) + /* Loopback traffic - don't use htonl for speed reasons - + * s_addr is always in network order */ +#ifdef WORDS_BIGENDIAN + msb_src = (p->iph->ip_src.s_addr >> 24); + msb_dst = (p->iph->ip_dst.s_addr >> 24); +#else + msb_src = (uint8_t)(p->iph->ip_src.s_addr & 0xff); + msb_dst = (uint8_t)(p->iph->ip_dst.s_addr & 0xff); +#endif + // check the msb ... + if ( msb_src == IP4_LOOPBACK || msb_dst == IP4_LOOPBACK ) { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < Pflog header length! " - "(%d bytes)\n", cap_len); - } - PREPROC_PROFILE_END(decodePerfStats); - return; + DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, + DECODE_BAD_TRAFFIC_LOOPBACK_STR, 1, 1); } + // check the msb ... 
+ if ( Event_Enabled(DECODE_IP4_SRC_THIS_NET ) ) + if ( msb_src == IP4_THIS_NET ) + DecoderEvent(p, EVARGS(IP4_SRC_THIS_NET), 1, 1); - /* lay the pf header structure over the packet data */ - p->pf1h = (Pflog1Hdr*)pkt; - - /* get the network type - should only be AF_INET or AF_INET6 */ - switch(ntohl(p->pf1h->af)) - { - case AF_INET: /* IPv4 */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu " - "bytes\n", (unsigned long)(cap_len - PFLOG1_HDRLEN));); + if ( Event_Enabled(DECODE_IP4_DST_THIS_NET ) ) + if ( msb_dst == IP4_THIS_NET ) + DecoderEvent(p, EVARGS(IP4_DST_THIS_NET), 1, 1); - DecodeIP(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; + // check the 'msn' (most significant nibble) ... + msb_src >>= 4; + msb_dst >>= 4; -#if defined(AF_INET6) || defined(SUP_IP6) - case AF_INET6: /* IPv6 */ - DecodeIPV6(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); - PREPROC_PROFILE_END(decodePerfStats); - return; -#endif + if ( Event_Enabled(DECODE_IP4_SRC_MULTICAST) ) + if ( msb_src == IP4_MULTICAST ) + DecoderEvent(p, EVARGS(IP4_SRC_MULTICAST), 1, 1); - default: - /* To my knowledge, pflog devices can only - * pass IP and IP6 packets. 
-fleck - */ - // TBD add decoder drop event for unknown old pflog network type - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; - } + if ( Event_Enabled(DECODE_IP4_SRC_RESERVED) ) + if ( msb_src == IP4_RESERVED ) + DecoderEvent(p, EVARGS(IP4_SRC_RESERVED), 1, 1); - PREPROC_PROFILE_END(decodePerfStats); - return; + if ( Event_Enabled(DECODE_IP4_DST_RESERVED) ) + if ( msb_dst == IP4_RESERVED ) + DecoderEvent(p, EVARGS(IP4_DST_RESERVED), 1, 1); } -/* - * Function: DecodePflog(Packet *, DAQ_PktHdr_t *, uint8_t *) - * - * Purpose: Pass pflog device packets off to IP or IP6 -fleck - * - * Arguments: p => pointer to the decoded packet struct - * pkthdr => ptr to the packet header - * pkt => pointer to the packet data - * - * Returns: void function - * - */ -void DecodePflog(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +static inline void ICMP4AddrTests (Packet* p) { - uint32_t cap_len = pkthdr->caplen; - uint8_t af, pflen; - uint32_t hlen; - PROFILE_VARS; + uint8_t msb_dst; - PREPROC_PROFILE_START(decodePerfStats); +#ifdef SUP_IP6 + uint32_t dst = GET_DST_IP(p)->ip32[0]; +#else + uint32_t dst = GET_DST_IP(p); +#endif - pc.total_processed++; + // check all 32 bits; all set so byte order is irrelevant ... + if ( Event_Enabled(DECODE_ICMP4_DST_BROADCAST ) ) + if ( dst == IP4_BROADCAST ) + DecoderEvent(p, EVARGS(ICMP4_DST_BROADCAST), 1, 1); - memset(p, 0, PKT_ZERO_LEN); + /* - don't use htonl for speed reasons - + * s_addr is always in network order */ +#ifdef WORDS_BIGENDIAN + msb_dst = (uint8_t)(dst >> 24); +#else + msb_dst = (uint8_t)(dst & 0xff); +#endif - p->pkth = pkthdr; - p->pkt = pkt; + // check the 'msn' (most significant nibble) ... 
+ msb_dst >>= 4; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + if ( Event_Enabled(DECODE_ICMP4_DST_MULTICAST) ) + if ( msb_dst == IP4_MULTICAST ) + DecoderEvent(p, EVARGS(ICMP4_DST_MULTICAST), 1, 1); +} - /* do a little validation */ - if(cap_len < PFLOG2_HDRMIN) +static inline void ICMP4MiscTests (Packet *p) +{ + if ( Event_Enabled(DECODE_ICMP_PING_NMAP) ) { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < minimum Pflog length! " - "(%d < %lu)\n", cap_len, PFLOG2_HDRMIN); - } - PREPROC_PROFILE_END(decodePerfStats); - return; + if ((p->dsize == 0) && + (p->icmph->type == ICMP_ECHO)) + DecoderEvent(p, EVARGS(ICMP_PING_NMAP), 1, 1); } - /* lay the pf header structure over the packet data */ - if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN ) + + if ( Event_Enabled(DECODE_ICMP_ICMPENUM) ) { - p->pf2h = (Pflog2Hdr*)pkt; - pflen = p->pf2h->length; - hlen = PFLOG2_HDRLEN; - af = p->pf2h->af; + if ((p->dsize == 0) && + (p->icmph->s_icmp_seq == 666)) + DecoderEvent(p, EVARGS(ICMP_ICMPENUM), 1, 1); } - else + + if ( Event_Enabled(DECODE_ICMP_REDIRECT_HOST) ) { - p->pf3h = (Pflog3Hdr*)pkt; - pflen = p->pf3h->length; - hlen = PFLOG3_HDRLEN; - af = p->pf3h->af; + if ((p->icmph->code == 1) && + (p->icmph->type == ICMP_REDIRECT)) + DecoderEvent(p, EVARGS(ICMP_REDIRECT_HOST), 1, 1); } - /* now that we know a little more, do a little more validation */ - if(cap_len < hlen) + + if ( Event_Enabled(DECODE_ICMP_REDIRECT_NET) ) { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < Pflog header length! 
" - "(%d < %d)\n", cap_len, hlen); - } - PREPROC_PROFILE_END(decodePerfStats); - return; + if ((p->icmph->type == ICMP_REDIRECT) && + (p->icmph->code == 0)) + DecoderEvent(p, EVARGS(ICMP_REDIRECT_NET), 1, 1); } - /* note that the pflen may exclude the padding which is always present */ - if(pflen < hlen - PFLOG_PADLEN || pflen > hlen) + + if ( Event_Enabled(DECODE_ICMP_TRACEROUTE_IPOPTS) ) { - if (ScLogVerbose()) + if (p->icmph->type == ICMP_ECHOREPLY) { - ErrorMessage("Bad Pflog header length! (%d bytes)\n", pflen); + int i; + for (i = 0; i < p->ip_option_count; i++) + { + if (p->ip_options[i].code == IPOPT_RR) + DecoderEvent(p, EVARGS(ICMP_TRACEROUTE_IPOPTS), 1, 1); + } } - PREPROC_PROFILE_END(decodePerfStats); - return; } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be " - "%lu bytes\n", (unsigned long)(cap_len - hlen));); - /* check the network type - should only be AF_INET or AF_INET6 */ - switch(af) + if ( Event_Enabled(DECODE_ICMP_SOURCE_QUENCH) ) { - case AF_INET: /* IPv4 */ - DecodeIP(p->pkt + hlen, cap_len - hlen, p); - PREPROC_PROFILE_END(decodePerfStats); - return; - -#if defined(AF_INET6) || defined(SUP_IP6) - case AF_INET6: /* IPv6 */ - DecodeIPV6(p->pkt + hlen, cap_len - hlen, p); - PREPROC_PROFILE_END(decodePerfStats); - return; -#endif - - default: - /* To my knowledge, pflog devices can only - * pass IP and IP6 packets. 
-fleck - */ - // TBD add decoder drop event for unknown pflog network type - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + if ((p->icmph->type == ICMP_SOURCE_QUENCH) && + (p->icmph->code == 0)) + DecoderEvent(p, DECODE_ICMP_SOURCE_QUENCH, + DECODE_ICMP_SOURCE_QUENCH_STR, 1, 1); } - PREPROC_PROFILE_END(decodePerfStats); - return; -} + if ( Event_Enabled(DECODE_ICMP_BROADSCAN_SMURF_SCANNER) ) + { + if ((p->dsize == 4) && + (p->icmph->type == ICMP_ECHO) && + (p->icmph->s_icmp_seq == 0) && + (p->icmph->code == 0)) + DecoderEvent(p, EVARGS(ICMP_BROADSCAN_SMURF_SCANNER), 1, 1); + } -/* - * Function: DecodePPPoEPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decode those fun loving ethernet packets, one at a time! - * - * Arguments: p => pointer to the decoded packet struct - * user => Utility pointer (unused) - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - * - * see http://www.faqs.org/rfcs/rfc2516.html - * - */ -void DecodePPPoEPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - uint32_t cap_len = pkthdr->caplen; - const PPPoEHdr *ppppoep=NULL; - //PPPoE_Tag *ppppoe_tag=0; - //PPPoE_Tag tag; /* needed to avoid alignment problems */ + if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED) ) + { + if ((p->icmph->type == ICMP_DEST_UNREACH) && + (p->icmph->code == 13)) + DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_ADMIN_PROHIBITED), 1, 1); + } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); - DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", - (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED) ) + { + if ((p->icmph->type == ICMP_DEST_UNREACH) && + (p->icmph->code == 10)) + DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_HOST_PROHIBITED), 1, 1); + } - /* do a little validation */ - if(cap_len < PPPOE_HEADER_LEN) + if ( 
Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED) ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Captured data length < Ethernet header length! " - "(%d bytes)\n", cap_len);); - - DecoderEvent(p, DECODE_BAD_PPPOE, DECODE_BAD_PPPOE_STR, 1, 1); - - return; + if ((p->icmph->type == ICMP_DEST_UNREACH) && + (p->icmph->code == 9)) + DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_NET_PROHIBITED), 1, 1); } - /* XXX - MFR - * This code breaks the decode model that Snort uses, we should - * reimplement it properly ASAP - */ - /* - * Not sure how long ago the above comment was added, but - * it is now fixed. It may or may not fall under the 'ASAP' - * category. - */ +} - /* lay the ethernet structure over the packet data */ - /* Don't need to do this. It is already done in the decoding - * of the ethernet header, which then calls this function for - * PPP over Ethernet. - p->eh = (EtherHdr *) pkt; - */ +/* IPv4-layer decoder rules */ +static inline void IPMiscTests(Packet *p) +{ + if ( Event_Enabled(DECODE_ICMP_DOS_ATTEMPT) ) + { + /* Yes, it's an ICMP-related vuln in IP options. */ + uint8_t i, length, pointer; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", - *p->eh->ether_src, *p->eh->ether_dst);); + /* Alert on IP packets with either 0x07 (Record Route) or 0x44 (Timestamp) + options that are specially crafted. 
*/ + for (i = 0; i < p->ip_option_count; i++) + { + if (p->ip_options[i].data == NULL) + continue; - /* lay the PPP over ethernet structure over the packet data */ - ppppoep = p->pppoeh = (PPPoEHdr *)pkt; + if (p->ip_options[i].code == IPOPT_RR) + { + length = p->ip_options[i].len; + if (length < 1) + continue; - /* grab out the network type */ - switch(ntohs(p->eh->ether_type)) - { - case ETHERNET_TYPE_PPPoE_DISC: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Discovery) ");); - break; + pointer = p->ip_options[i].data[0]; - case ETHERNET_TYPE_PPPoE_SESS: - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Session) ");); - break; + /* If the pointer goes past the end of the data, then the data + is full. That's okay. */ + if (pointer >= length + 2) + continue; + /* If the remaining space in the option isn't a multiple of 4 + bytes, alert. */ + if (((length + 3) - pointer) % 4) + DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); + } + else if (p->ip_options[i].code == IPOPT_TS) + { + length = p->ip_options[i].len; + if (length < 2) + continue; - default: - return; + pointer = p->ip_options[i].data[0]; + + /* If the pointer goes past the end of the data, then the data + is full. That's okay. */ + if (pointer >= length + 2) + continue; + /* If the remaining space in the option isn't a multiple of 4 + bytes, alert. */ + if (((length + 3) - pointer) % 4) + DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); + /* If there is a timestamp + address, we need a multiple of 8 + bytes instead. 
*/ + if ((p->ip_options[i].data[1] & 0x01) && /* address flag */ + (((length + 3) - pointer) % 8)) + DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); + } + } + } + if ( Event_Enabled(DECODE_IP_OPTION_SET) ) + { + if (p->ip_option_count > 0) + DecoderEvent(p, EVARGS(IP_OPTION_SET), 1, 1); } -#ifdef DEBUG - switch(ppppoep->code) + if ( Event_Enabled(DECODE_IP_RESERVED_FRAG_BIT) ) { - case PPPoE_CODE_PADI: - /* The Host sends the PADI packet with the DESTINATION_ADDR set - * to the broadcast address. The CODE field is set to 0x09 and - * the SESSION_ID MUST be set to 0x0000. - * - * The PADI packet MUST contain exactly one TAG of TAG_TYPE - * Service-Name, indicating the service the Host is requesting, - * and any number of other TAG types. An entire PADI packet - * (including the PPPoE header) MUST NOT exceed 1484 octets so - * as to leave sufficient room for a relay agent to add a - * Relay-Session-Id TAG. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery Initiation (PADI)\n"); - break; + if (p->rf) + DecoderEvent(p, EVARGS(IP_RESERVED_FRAG_BIT), 1, 1); + } +} - case PPPoE_CODE_PADO: - /* When the Access Concentrator receives a PADI that it can - * serve, it replies by sending a PADO packet. The - * DESTINATION_ADDR is the unicast address of the Host that - * sent the PADI. The CODE field is set to 0x07 and the - * SESSION_ID MUST be set to 0x0000. - * - * The PADO packet MUST contain one AC-Name TAG containing the - * Access Concentrator's name, a Service-Name TAG identical to - * the one in the PADI, and any number of other Service-Name - * TAGs indicating other services that the Access Concentrator - * offers. If the Access Concentrator can not serve the PADI - * it MUST NOT respond with a PADO. 
- */ - DebugMessage(DEBUG_DECODE, "Active Discovery Offer (PADO)\n"); - break; +//-------------------------------------------------------------------- +// decode.c::IP4 vulnerabilities +//-------------------------------------------------------------------- - case PPPoE_CODE_PADR: - /* Since the PADI was broadcast, the Host may receive more than - * one PADO. The Host looks through the PADO packets it receives - * and chooses one. The choice can be based on the AC-Name or - * the Services offered. The Host then sends one PADR packet - * to the Access Concentrator that it has chosen. The - * DESTINATION_ADDR field is set to the unicast Ethernet address - * of the Access Concentrator that sent the PADO. The CODE - * field is set to 0x19 and the SESSION_ID MUST be set to 0x0000. - * - * The PADR packet MUST contain exactly one TAG of TAG_TYPE - * Service-Name, indicating the service the Host is requesting, - * and any number of other TAG types. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery Request (PADR)\n"); - break; +/* This PGM NAK function started off as an SO rule, sid 8351. */ +static inline int pgm_nak_detect (uint8_t *data, uint16_t length) { + uint16_t data_left; + uint16_t checksum; + PGM_HEADER *header; - case PPPoE_CODE_PADS: - /* When the Access Concentrator receives a PADR packet, it - * prepares to begin a PPP session. It generates a unique - * SESSION_ID for the PPPoE session and replies to the Host with - * a PADS packet. The DESTINATION_ADDR field is the unicast - * Ethernet address of the Host that sent the PADR. The CODE - * field is set to 0x65 and the SESSION_ID MUST be set to the - * unique value generated for this PPPoE session. - * - * The PADS packet contains exactly one TAG of TAG_TYPE - * Service-Name, indicating the service under which Access - * Concentrator has accepted the PPPoE session, and any number - * of other TAG types. 
- * - * If the Access Concentrator does not like the Service-Name in - * the PADR, then it MUST reply with a PADS containing a TAG of - * TAG_TYPE Service-Name-Error (and any number of other TAG - * types). In this case the SESSION_ID MUST be set to 0x0000. - */ - DebugMessage(DEBUG_DECODE, "Active Discovery " - "Session-confirmation (PADS)\n"); - break; + if (NULL == data) { + return PGM_NAK_ERR; + } - case PPPoE_CODE_PADT: - /* This packet may be sent anytime after a session is established - * to indicate that a PPPoE session has been terminated. It may - * be sent by either the Host or the Access Concentrator. The - * DESTINATION_ADDR field is a unicast Ethernet address, the - * CODE field is set to 0xa7 and the SESSION_ID MUST be set to - * indicate which session is to be terminated. No TAGs are - * required. - * - * When a PADT is received, no further PPP traffic is allowed to - * be sent using that session. Even normal PPP termination - * packets MUST NOT be sent after sending or receiving a PADT. - * A PPP peer SHOULD use the PPP protocol itself to bring down a - * PPPoE session, but the PADT MAY be used when PPP can not be - * used. 
- */ - DebugMessage(DEBUG_DECODE, "Active Discovery Terminate (PADT)\n"); - break; + /* request must be bigger than 44 bytes to cause vuln */ + if (length <= sizeof(PGM_HEADER)) { + return PGM_NAK_ERR; + } - case PPPoE_CODE_SESS: - DebugMessage(DEBUG_DECODE, "Session Packet (SESS)\n"); - break; + header = (PGM_HEADER *) data; - default: - DebugMessage(DEBUG_DECODE, "(Unknown)\n"); - break; + if (8 != header->type) { + return PGM_NAK_ERR; } -#endif - if (ntohs(p->eh->ether_type) != ETHERNET_TYPE_PPPoE_DISC) - { - DecodePppPktEncapsulated(p, cap_len - PPPOE_HEADER_LEN, pkt + PPPOE_HEADER_LEN); - return; - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Returning early on PPPOE discovery packet\n");); - return; + if (2 != header->nak.opt.type) { + return PGM_NAK_ERR; } -#if 0 - ppppoe_tag = (PPPoE_Tag *)(pkt + sizeof(PPPoEHdr)); - while (ppppoe_tag < (PPPoE_Tag *)(pkt + cap_len)) - { - if (((char*)(ppppoe_tag)+(sizeof(PPPoE_Tag)-1)) > (char*)(pkt + cap_len)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Not enough data in packet for PPPOE Tag\n");); - break; - } + /* + * alert if the amount of data after the options is more than the length + * specified. + */ - /* no guarantee in PPPoE spec that ppppoe_tag is aligned at all... 
*/ - memcpy(&tag, ppppoe_tag, sizeof(tag)); - DEBUG_WRAP( - DebugMessage(DEBUG_DECODE, "\tPPPoE tag:\ntype: %04x length: %04x ", - ntohs(tag.type), ntohs(tag.length));); + data_left = length - 36; + if (data_left > header->nak.opt.len) { -#ifdef DEBUG - switch(ntohs(tag.type)) - { - case PPPoE_TAG_END_OF_LIST: - DebugMessage(DEBUG_DECODE, "(End of list)\n\t"); - break; - case PPPoE_TAG_SERVICE_NAME: - DebugMessage(DEBUG_DECODE, "(Service name)\n\t"); - break; - case PPPoE_TAG_AC_NAME: - DebugMessage(DEBUG_DECODE, "(AC Name)\n\t"); - break; - case PPPoE_TAG_HOST_UNIQ: - DebugMessage(DEBUG_DECODE, "(Host Uniq)\n\t"); - break; - case PPPoE_TAG_AC_COOKIE: - DebugMessage(DEBUG_DECODE, "(AC Cookie)\n\t"); - break; - case PPPoE_TAG_VENDOR_SPECIFIC: - DebugMessage(DEBUG_DECODE, "(Vendor Specific)\n\t"); - break; - case PPPoE_TAG_RELAY_SESSION_ID: - DebugMessage(DEBUG_DECODE, "(Relay Session ID)\n\t"); - break; - case PPPoE_TAG_SERVICE_NAME_ERROR: - DebugMessage(DEBUG_DECODE, "(Service Name Error)\n\t"); - break; - case PPPoE_TAG_AC_SYSTEM_ERROR: - DebugMessage(DEBUG_DECODE, "(AC System Error)\n\t"); - break; - case PPPoE_TAG_GENERIC_ERROR: - DebugMessage(DEBUG_DECODE, "(Generic Error)\n\t"); - break; - default: - DebugMessage(DEBUG_DECODE, "(Unknown)\n\t"); - break; + /* checksum is expensive... 
do that only if the length is bad */ + if (header->checksum != 0) { + checksum = in_chksum_ip((unsigned short*)data, (int)length); + if (checksum != 0) + return PGM_NAK_ERR; } -#endif - if (ntohs(tag.length) > 0) - { -#ifdef DEBUG - char *buf; - int i; + return PGM_NAK_VULN; + } - switch (ntohs(tag.type)) - { - case PPPoE_TAG_SERVICE_NAME: - case PPPoE_TAG_AC_NAME: - case PPPoE_TAG_SERVICE_NAME_ERROR: - case PPPoE_TAG_AC_SYSTEM_ERROR: - case PPPoE_TAG_GENERIC_ERROR: * ascii data * - buf = (char *)SnortAlloc(ntohs(tag.length) + 1); - strlcpy(buf, (char *)(ppppoe_tag+1), ntohs(tag.length)); - DebugMessage(DEBUG_DECODE, "data (UTF-8): %s\n", buf); - free(buf); - break; + return PGM_NAK_OK; +} - case PPPoE_TAG_HOST_UNIQ: - case PPPoE_TAG_AC_COOKIE: - case PPPoE_TAG_RELAY_SESSION_ID: - DebugMessage(DEBUG_DECODE, "data (bin): "); - for (i = 0; i < ntohs(tag.length); i++) - DebugMessage(DEBUG_DECODE, - "%02x", *(((unsigned char *)ppppoe_tag) + - sizeof(PPPoE_Tag) + i)); - DebugMessage(DEBUG_DECODE, "\n"); - break; +static inline void CheckPGMVuln(Packet *p) +{ + if ( pgm_nak_detect((uint8_t *)p->data, p->dsize) == PGM_NAK_VULN ) + DecoderEvent(p, EVARGS(PGM_NAK_OVERFLOW), 1, 1); +} - default: - DebugMessage(DEBUG_DECODE, "unrecognized data\n"); - break; +/* This function is a port of an old .so rule, sid 3:8092. */ +static inline void CheckIGMPVuln(Packet *p) +{ + int i, alert = 0; + + if (p->dsize >= 1 && p->data[0] == 0x11) + { + if (p->ip_options_data != NULL) { + if (p->ip_options_len >= 2) { + if (*(p->ip_options_data) == 0 && *(p->ip_options_data+1) == 0) + { + DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1); + return; + } } -#endif } - ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length)); - } + for(i=0; i< (int) p->ip_option_count; i++) { + /* All IGMPv2 packets contain IP option code 148 (router alert). + This vulnerability only applies to IGMPv3, so return early. */ + if (p->ip_options[i].code == 148) { + return; /* No alert. 
*/ + } -#endif /* #if 0 */ + if (p->ip_options[i].len == 1) { + alert++; + } + } - return; + if (alert > 0) + DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1); + } } -#endif // NO_NON_ETHER_DECODER +//-------------------------------------------------------------------- +// decode.c::IP4 decoder +//-------------------------------------------------------------------- /* - * Function: DecodePppPktEncapsulated(Packet *, const uint32_t len, uint8_t*) + * Function: DecodeIP(uint8_t *, const uint32_t, Packet *) * - * Purpose: Decode PPP traffic (RFC1661 framing). + * Purpose: Decode the IP network layer * - * Arguments: p => pointer to decoded packet struct - * len => length of data to process - * pkt => pointer to the real live packet data + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to the packet decode struct * * Returns: void function */ -void DecodePppPktEncapsulated(Packet * p, const uint32_t len, const uint8_t * pkt) +void DecodeIP(const uint8_t * pkt, const uint32_t len, Packet * p) { - static int had_vj = 0; - uint16_t protocol; - uint32_t hlen = 1; /* HEADER - try 1 then 2 */ - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPP Packet!\n");); - -#ifdef WORDS_MUSTALIGN - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet with PPP header. 
" - "PPP is only 1 or 2 bytes and will throw off " - "alignment on this architecture when decoding IP, " - "causing a bus error - stop decoding packet.\n");); + uint32_t ip_len; /* length from the start of the ip hdr to the pkt end */ + uint32_t hlen; /* ip header length */ - p->data = pkt; - p->dsize = (uint16_t)len; - return; -#endif /* WORDS_MUSTALIGN */ + pc.ip++; #ifdef GRE if (p->greh != NULL) - pc.gre_ppp++; -#endif /* GRE */ + pc.gre_ip++; +#endif - /* do a little validation: - * - */ - if(len < 2) + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + + /* do a little validation */ + if(len < IP_HEADER_LEN) { - if (ScLogVerbose()) - { - ErrorMessage("Length not big enough for even a single " - "header or a one byte payload\n"); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated IP4 header (%d bytes).\n", len);); + + if ( Event_Enabled(DECODE_IP4_HDR_TRUNC) && ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)) + DecoderEvent(p, EVARGS(IP4_HDR_TRUNC), 1, 1); + + p->iph = NULL; + pc.discards++; + pc.ipdisc++; + +#ifdef SUP_IP6 + p->family = NO_IP; +#endif return; } - - if(pkt[0] & 0x01) - { - /* Check for protocol compression rfc1661 section 5 - * - */ - hlen = 1; - protocol = pkt[0]; - } - else +#ifndef SUP_IP6 + if (p->iph != NULL) +#else + if (p->family != NO_IP) +#endif /* SUP_IP6 */ { - protocol = ntohs(*((uint16_t *)pkt)); - hlen = 2; + if (p->encapsulated) + { + DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, + DECODE_IP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + return; + } + else + { + p->encapsulated = 1; + p->outer_iph = p->iph; + p->outer_ip_data = p->ip_data; + p->outer_ip_dsize = p->ip_dsize; + } } - - /* - * We only handle uncompressed packets. Handling VJ compression would mean - * to implement a PPP state machine. + + /* lay the IP struct over the raw data */ + p->inner_iph = p->iph = (IPHdr *)pkt; + + /* + * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. 
+ * So we are just ignoring non IP datagrams */ - switch (protocol) + if(IP_VER(p->iph) != 4) { - case PPP_VJ_COMP: - if (!had_vj) - ErrorMessage("PPP link seems to use VJ compression, " - "cannot handle compressed packets!\n"); - had_vj = 1; - break; - case PPP_VJ_UCOMP: - /* VJ compression modifies the protocol field. It must be set - * to tcp (only TCP packets can be VJ compressed) */ - if(len < (hlen + IP_HEADER_LEN)) - { - if (ScLogVerbose()) - ErrorMessage("PPP VJ min packet length > captured len! " - "(%d bytes)\n", len); - return; - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Not IPv4 datagram! ([ver: 0x%x][len: 0x%x])\n", + IP_VER(p->iph), p->iph->ip_len);); - ((IPHdr *)(pkt + hlen))->ip_proto = IPPROTO_TCP; - /* fall through */ + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_NOT_IPV4_DGRAM, + DECODE_NOT_IPV4_DGRAM_STR, 1, 1); - case PPP_IP: - PushLayer(PROTO_PPP, p, pkt, hlen); - DecodeIP(pkt + hlen, len - hlen, p); - break; + p->iph = NULL; + pc.discards++; + pc.ipdisc++; -#ifndef NO_NON_ETHER_DECODER - case PPP_IPX: - PushLayer(PROTO_PPP, p, pkt, hlen); - DecodeIPX(pkt + hlen, len - hlen, p); - break; +#ifdef SUP_IP6 + p->family = NO_IP; #endif + return; } -} +#ifdef SUP_IP6 + sfiph_build(p, p->iph, AF_INET); +#endif -/* - * Function: DecodePppPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decode PPP traffic (either RFC1661 or RFC1662 framing). 
- * This really is intended to handle IPCP - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodePppPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - uint32_t cap_len = pkthdr->caplen; - int hlen = 0; - PROFILE_VARS; +// p->ip_payload_len = p->iph->ip_len; +// p->ip_payload_off = p->ip_payload_len + (int)pkt; - PREPROC_PROFILE_START(decodePerfStats); + /* get the IP datagram length */ + ip_len = ntohs(p->iph->ip_len); - pc.total_processed++; + /* get the IP header length */ + hlen = IP_HLEN(p->iph) << 2; - memset(p, 0, PKT_ZERO_LEN); + /* header length sanity check */ + if(hlen < IP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Bogus IP header length of %i bytes\n", hlen);); - p->pkth = pkthdr; - p->pkt = pkt; + DecoderEvent(p, DECODE_IPV4_INVALID_HEADER_LEN, + DECODE_IPV4_INVALID_HEADER_LEN_STR, 1, 1); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + p->iph = NULL; + pc.discards++; + pc.ipdisc++; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + return; + } - if(cap_len < 2) + if (ip_len > len) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "IP Len field is %d bytes bigger than captured length.\n" + " (ip.len: %lu, cap.len: %lu)\n", + ip_len - len, ip_len, len);); + + DecoderEventDrop(p, DECODE_IPV4_DGRAM_GT_CAPLEN, + DECODE_IPV4_DGRAM_GT_CAPLEN_STR, + ScDecoderOversizedAlerts(), + ScDecoderOversizedDrops()); + + p->iph = NULL; + pc.discards++; + pc.ipdisc++; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + return; + } +#if 0 + // There is no need to alert when (ip_len < len). + // Libpcap will capture more bytes than are part of the IP payload. + // These could be Ethernet trailers, ESP trailers, etc. + // This code is left in, commented, to keep us from re-writing it later. 
+ else if (ip_len < len) { if (ScLogVerbose()) - { - ErrorMessage("Length not big enough for even a single " - "header or a one byte payload\n"); - } - PREPROC_PROFILE_END(decodePerfStats); + ErrorMessage("IP Len field is %d bytes " + "smaller than captured length.\n" + " (ip.len: %lu, cap.len: %lu)\n", + len - ip_len, ip_len, len); + } +#endif + + if(ip_len < hlen) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "IP dgm len (%d bytes) < IP hdr " + "len (%d bytes), packet discarded\n", ip_len, hlen);); + + DecoderEvent(p, DECODE_IPV4_DGRAM_LT_IPHDR, + DECODE_IPV4_DGRAM_LT_IPHDR_STR, 1, 1); + + p->iph = NULL; + pc.discards++; + pc.ipdisc++; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif return; } - if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) + /* + * IP Header tests: Land attack, and Loop back test + */ + if(ScIdsMode()) { - /* - * Check for full HDLC header (rfc1662 section 3.2) - */ - hlen = 2; + IP4AddrTests(p); } - DecodePppPktEncapsulated(p, cap_len - hlen, p->pkt + hlen); - PREPROC_PROFILE_END(decodePerfStats); - return; -} - -#ifndef NO_NON_ETHER_DECODER -/* - * Function: DecodePppSerialPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decode Mixed PPP/CHDLC traffic. The PPP frames will always have the - * full HDLC header. 
- * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodePppSerialPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - uint32_t cap_len = pkthdr->caplen; - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); + if (ScIpChecksums()) + { + /* routers drop packets with bad IP checksums, we don't really + * need to check them (should make this a command line/config + * option + */ + int16_t csum = in_chksum_ip((u_short *)p->iph, hlen); - pc.total_processed++; + if(csum) + { + p->error_flags |= PKT_ERR_CKSUM_IP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n");); - memset(p, 0, PKT_ZERO_LEN); + if ( ScIdsMode() ) + queueExecDrop(execIpChksmDrop, p); + } +#ifdef DEBUG_MSGS + else + { + DebugMessage(DEBUG_DECODE, "IP Checksum: OK\n"); + } +#endif /* DEBUG */ + } - p->pkth = pkthdr; - p->pkt = pkt; + PushLayer(PROTO_IP4, p, pkt, hlen); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + /* test for IP options */ + p->ip_options_len = (uint16_t)(hlen - IP_HEADER_LEN); - if(cap_len < PPP_HDRLEN) + if(p->ip_options_len > 0) { - if (ScLogVerbose()) + p->ip_options_data = pkt + IP_HEADER_LEN; + DecodeIPOptions((pkt + IP_HEADER_LEN), p->ip_options_len, p); + } + else + { +#ifdef GRE + /* If delivery header for GRE encapsulated packet is IP and it + * had options, the packet's ip options will be refering to this + * outer IP's options + * Zero these options so they aren't associated with this inner IP + * since p->iph will be pointing to this inner IP + */ + if (p->encapsulated) { - ErrorMessage("Captured data length < PPP header length" - " (%d bytes)\n", cap_len); + p->ip_options_data = NULL; + p->ip_options_len = 0; + p->ip_lastopt_bad = 0; } - PREPROC_PROFILE_END(decodePerfStats); - return; +#endif + p->ip_option_count = 0; } - if(pkt[0] == CHDLC_ADDR_BROADCAST && 
pkt[1] == CHDLC_CTRL_UNNUMBERED) - { - DecodePppPktEncapsulated(p, cap_len - 2, p->pkt + 2); - } else { - DecodeChdlcPkt(p, pkthdr, pkt); - } + /* set the real IP length for logging */ + p->actual_ip_len = (uint16_t) ip_len; - PREPROC_PROFILE_END(decodePerfStats); - return; -} + /* set the remaining packet length */ + ip_len -= hlen; + /* check for fragmented packets */ + p->frag_offset = ntohs(p->iph->ip_off); -/* - * Function: DecodeSlipPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decode SLIP traffic - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeSlipPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - uint32_t cap_len = pkthdr->caplen; - PROFILE_VARS; + /* + * get the values of the reserved, more + * fragments and don't fragment flags + */ + p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15); + p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14); + p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13); - PREPROC_PROFILE_START(decodePerfStats); + /* mask off the high bits in the fragment offset field */ + p->frag_offset &= 0x1FFF; - pc.total_processed++; + if ( Event_Enabled(DECODE_IP4_DF_OFFSET) ) + if ( p->df && p->frag_offset ) + DecoderEvent(p, EVARGS(IP4_DF_OFFSET), 1, 1); - memset(p, 0, PKT_ZERO_LEN); + if ( Event_Enabled(DECODE_IP4_LEN_OFFSET) ) + if ( p->frag_offset + p->actual_ip_len > IP_MAXPACKET ) + DecoderEvent(p, EVARGS(IP4_LEN_OFFSET), 1, 1); - p->pkth = pkthdr; - p->pkt = pkt; + if(p->frag_offset || p->mf) + { + /* set the packet fragment flag */ + p->frag_flag = 1; + p->ip_frag_start = pkt + hlen; + p->ip_frag_len = (uint16_t)ip_len; + pc.frags++; + } + else + { + p->frag_flag = 0; + } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + if(Event_Enabled(DECODE_BAD_FRAGBITS)) + { - /* do a little validation */ - if(cap_len < 
SLIP_HEADER_LEN) + if( p->mf && p->df ) + { + DecoderEvent(p, DECODE_BAD_FRAGBITS, + DECODE_BAD_FRAGBITS_STR, 1, 1); + } + } + + /* Set some convienience pointers */ + p->ip_data = pkt + hlen; + p->ip_dsize = (u_short) ip_len; + + if (ScIdsMode()) { - ErrorMessage("SLIP header length < captured len! (%d bytes)\n", - cap_len); - PREPROC_PROFILE_END(decodePerfStats); - return; + /* See if there are any ip_proto only rules that match */ + fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); + p->proto_bits |= PROTO_BIT__IP; } - DecodeIP(p->pkt + SLIP_HEADER_LEN, cap_len - SLIP_HEADER_LEN, p); - PREPROC_PROFILE_END(decodePerfStats); -} -#endif // NO_NON_ETHER_DECODER + IPMiscTests(p); + /* if this packet isn't a fragment + * or if it is, its a UDP packet and offset is 0 */ + if(!(p->frag_flag) || + (p->frag_flag && (p->frag_offset == 0) && + (p->iph->ip_proto == IPPROTO_UDP))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP header length: %lu\n", + (unsigned long)hlen);); + switch(p->iph->ip_proto) + { + case IPPROTO_TCP: + pc.tcp++; + DecodeTCP(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; -/* - * Function: DecodeRawPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and - * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks - * by me. 
- * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeRawPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - PROFILE_VARS; + case IPPROTO_UDP: + pc.udp++; + DecodeUDP(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; - PREPROC_PROFILE_START(decodePerfStats); + case IPPROTO_ICMP: + pc.icmp++; + DecodeICMP(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; - pc.total_processed++; +#ifdef GRE + case IPPROTO_IPV6: + if (ip_len < 40) + { + /* Insufficient size for IPv6 Header. */ + /* This could be an attempt to exploit Linux kernel + * vulnerability, so log an alert */ + DecoderEvent(p, DECODE_IPV6_TUNNELED_IPV4_TRUNCATED, + DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR, + 1, 1); + } + pc.ip4ip6++; + DecodeIPV6(pkt + hlen, ip_len, p); + return; - memset(p, 0, PKT_ZERO_LEN); + case IPPROTO_GRE: + pc.gre++; + DecodeGRE(pkt + hlen, ip_len, p); + //ClearDumpBuf(); + return; - p->pkth = pkthdr; - p->pkt = pkt; + case IPPROTO_IPIP: + pc.ip4ip4++; + DecodeIP(pkt + hlen, ip_len, p); + return; +#endif - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + case IPPROTO_ESP: + if (ScESPDecoding()) + DecodeESP(pkt + hlen, ip_len, p); + return; - DecodeIP(pkt, p->pkth->caplen, p); + case IPPROTO_SWIPE: + case IPPROTO_IP_MOBILITY: + case IPPROTO_SUN_ND: + case IPPROTO_PIM: + if ( Event_Enabled(DECODE_IP_BAD_PROTO) ) + DecoderEvent(p, EVARGS(IP_BAD_PROTO), 1, 1); + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; + return; - PREPROC_PROFILE_END(decodePerfStats); - return; -} + case IPPROTO_PGM: + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; + if ( Event_Enabled(DECODE_PGM_NAK_OVERFLOW) ) + CheckPGMVuln(p); + return; + case IPPROTO_IGMP: + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; -#ifndef NO_NON_ETHER_DECODER -/* - * Function: 
DecodeI4LRawIPPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and - * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks - * by me. - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeI4LRawIPPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) -{ - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; - - memset(p, 0, PKT_ZERO_LEN); - - p->pkth = pkthdr; - p->pkt = pkt; + if ( Event_Enabled(DECODE_IGMP_OPTIONS_DOS) ) + CheckIGMPVuln(p); + return; - if(p->pkth->pktlen < 2) + default: + if ( Event_Enabled(DECODE_IP_UNASSIGNED_PROTO) ) + { + if (GET_IPH_PROTO(p) >= MIN_UNASSIGNED_IP_PROTO) + DecoderEvent(p, EVARGS(IP_UNASSIGNED_PROTO), 1, 1); + } + pc.other++; + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; + //ClearDumpBuf(); + return; + } + } + else { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); - // TBD add decoder drop event for bad i4l raw pkt - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); - return; + /* set the payload pointer and payload size */ + p->data = pkt + hlen; + p->dsize = (u_short) ip_len; } - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - DecodeIP(pkt + 2, p->pkth->pktlen - 2, p); - - PREPROC_PROFILE_END(decodePerfStats); - return; } - +//-------------------------------------------------------------------- +// decode.c::ICMP +//-------------------------------------------------------------------- /* - * Function: DecodeI4LCiscoIPPkt(Packet *, char *, - * DAQ_PktHdr_t*, uint8_t*) + * Function: DecodeICMP(uint8_t *, const uint32_t, Packet *) * - * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and - * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks - * by me. 
+ * Purpose: Decode the ICMP transport layer * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to the decoded packet struct * * Returns: void function */ -void DecodeI4LCiscoIPPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) +void DecodeICMP(const uint8_t * pkt, const uint32_t len, Packet * p) { - PROFILE_VARS; - - PREPROC_PROFILE_START(decodePerfStats); - - pc.total_processed++; + if(len < ICMP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP4 header (%d bytes).\n", len);); - memset(p, 0, PKT_ZERO_LEN); + if ( Event_Enabled(DECODE_ICMP4_HDR_TRUNC) ) + DecoderEvent(p, EVARGS(ICMP4_HDR_TRUNC), 1, 1); - p->pkth = pkthdr; - p->pkt = pkt; + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; - if(p->pkth->pktlen < 4) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); - // TBD add decoder drop event for bad i4l cisco pkt - pc.other++; - PREPROC_PROFILE_END(decodePerfStats); return; } + /* set the header ptr first */ + p->icmph = (ICMPHdr *) pkt; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + switch (p->icmph->type) + { + // fall through ... 
+ case ICMP_SOURCE_QUENCH: + case ICMP_DEST_UNREACH: + case ICMP_REDIRECT: + case ICMP_TIME_EXCEEDED: + case ICMP_PARAMETERPROB: + case ICMP_ECHOREPLY: + case ICMP_ECHO: + case ICMP_ROUTER_ADVERTISE: + case ICMP_ROUTER_SOLICIT: + case ICMP_INFO_REQUEST: + case ICMP_INFO_REPLY: + if (len < 8) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated ICMP header(%d bytes)\n", len);); - DecodeIP(pkt + 4, p->pkth->caplen - 4, p); + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - PREPROC_PROFILE_END(decodePerfStats); - return; -} + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; -/* - * Function: DecodeChdlcPkt(Packet *, char *, - * DAQ_PktHdr_t*, uint8_t*) - * - * Purpose: Decodes Cisco HDLC encapsulated packets, f.ex. from SONET. - * - * Arguments: p => pointer to decoded packet struct - * user => Utility pointer, unused - * pkthdr => ptr to the packet header - * pkt => pointer to the real live packet data - * - * Returns: void function - */ -void DecodeChdlcPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) -{ - uint32_t cap_len = pkthdr->caplen; - PROFILE_VARS; + return; + } + break; - PREPROC_PROFILE_START(decodePerfStats); + case ICMP_TIMESTAMP: + case ICMP_TIMESTAMPREPLY: + if (len < 20) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated ICMP header(%d bytes)\n", len);); - pc.total_processed++; + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR, + DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR, 1, 1); - memset(p, 0, PKT_ZERO_LEN); + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; - p->pkth = pkthdr; - p->pkt = pkt; + return; + } + break; - if(cap_len < CHDLC_HEADER_LEN) - { - if (ScLogVerbose()) - { - ErrorMessage("Captured data length < CHDLC header length" - " (%d bytes)\n", cap_len); - } - PREPROC_PROFILE_END(decodePerfStats); - return; - } + case ICMP_ADDRESS: + case ICMP_ADDRESSREPLY: + if (len < 12) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated ICMP header(%d bytes)\n", len);); - 
DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - if ((pkt[0] == CHDLC_ADDR_UNICAST || pkt[0] == CHDLC_ADDR_MULTICAST) && - ntohs(*(uint16_t *)&pkt[2]) == ETHERNET_TYPE_IP) - { - DecodeIP(p->pkt + CHDLC_HEADER_LEN, - cap_len - CHDLC_HEADER_LEN, p); - } else { - // TBD add decoder drop event for unsupported chdlc encapsulation - pc.other++; - } + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ADDRHDR, + DECODE_ICMP_DGRAM_LT_ADDRHDR_STR, 1, 1); - PREPROC_PROFILE_END(decodePerfStats); - return; -} -#endif // NO_NON_ETHER_DECODER + p->icmph = NULL; + pc.discards++; + pc.icmpdisc++; -/* - * Some IP Header tests - * Land Attack(same src/dst ip) - * Loopback (src or dst in 127/8 block) - * Modified: 2/22/05-man for High Endian Architecture. - */ -#define IP4_THIS_NET 0x00 // msb -#define IP4_MULTICAST 0x0E // ms nibble -#define IP4_RESERVED 0x0F // ms nibble -#define IP4_LOOPBACK 0x7F // msb -#define IP4_BROADCAST 0xffffffff + return; + } + break; -void IP4AddrTests (Packet* p) -{ - uint8_t msb_src, msb_dst; + default: + if ( Event_Enabled(DECODE_ICMP4_TYPE_OTHER) ) + DecoderEvent(p, EVARGS(ICMP4_TYPE_OTHER), 1, 1); + break; + } - // check all 32 bits ... - if( p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr ) + + if (ScIcmpChecksums()) { - DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, - DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1); + uint16_t csum = in_chksum_icmp((uint16_t *)p->icmph, len); + + if(csum) + { + p->error_flags |= PKT_ERR_CKSUM_ICMP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); + if ( ScIdsMode() ) + queueExecDrop(execIcmpChksmDrop, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); + } } - // check all 32 bits ... 
- if ( Event_Enabled(DECODE_IP4_SRC_BROADCAST ) ) - if ( p->iph->ip_src.s_addr == IP4_BROADCAST ) - DecoderEvent(p, EVARGS(IP4_SRC_BROADCAST), 1, 1); + p->dsize = (u_short)(len - ICMP_HEADER_LEN); + p->data = pkt + ICMP_HEADER_LEN; - if ( Event_Enabled(DECODE_IP4_DST_BROADCAST ) ) - if ( p->iph->ip_dst.s_addr == IP4_BROADCAST ) - DecoderEvent(p, EVARGS(IP4_DST_BROADCAST), 1, 1); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", + p->icmph->type, p->icmph->code);); - /* Loopback traffic - don't use htonl for speed reasons - - * s_addr is always in network order */ -#ifdef WORDS_BIGENDIAN - msb_src = (p->iph->ip_src.s_addr >> 24); - msb_dst = (p->iph->ip_dst.s_addr >> 24); -#else - msb_src = (uint8_t)(p->iph->ip_src.s_addr & 0xff); - msb_dst = (uint8_t)(p->iph->ip_dst.s_addr & 0xff); -#endif - // check the msb ... - if ( msb_src == IP4_LOOPBACK || msb_dst == IP4_LOOPBACK ) + switch(p->icmph->type) { - DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, - DECODE_BAD_TRAFFIC_LOOPBACK_STR, 1, 1); - } - // check the msb ... - if ( Event_Enabled(DECODE_IP4_SRC_THIS_NET ) ) - if ( msb_src == IP4_THIS_NET ) - DecoderEvent(p, EVARGS(IP4_SRC_THIS_NET), 1, 1); + case ICMP_ECHO: + ICMP4AddrTests(p); + // fall through ... - if ( Event_Enabled(DECODE_IP4_DST_THIS_NET ) ) - if ( msb_dst == IP4_THIS_NET ) - DecoderEvent(p, EVARGS(IP4_DST_THIS_NET), 1, 1); + case ICMP_ECHOREPLY: + /* setup the pkt id and seq numbers */ + p->dsize -= sizeof(struct idseq); /* add the size of the + * echo ext to the data + * ptr and subtract it + * from the data size */ + p->data += sizeof(struct idseq); + PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN); + break; - // check the 'msn' (most significant nibble) ... 
- msb_src >>= 4; - msb_dst >>= 4; + case ICMP_DEST_UNREACH: + if ((p->icmph->code == ICMP_FRAG_NEEDED) + && (ntohs(p->icmph->s_icmp_nextmtu) < 576)) + { + if ( Event_Enabled(DECODE_ICMP_PATH_MTU_DOS) ) + DecoderEvent(p, EVARGS(ICMP_PATH_MTU_DOS), 1, 1); + } - if ( Event_Enabled(DECODE_IP4_SRC_MULTICAST) ) - if ( msb_src == IP4_MULTICAST ) - DecoderEvent(p, EVARGS(IP4_SRC_MULTICAST), 1, 1); + /* Fall through */ - if ( Event_Enabled(DECODE_IP4_SRC_RESERVED) ) - if ( msb_src == IP4_RESERVED ) - DecoderEvent(p, EVARGS(IP4_SRC_RESERVED), 1, 1); + case ICMP_SOURCE_QUENCH: + case ICMP_REDIRECT: + case ICMP_TIME_EXCEEDED: + case ICMP_PARAMETERPROB: + /* account for extra 4 bytes in header */ + p->dsize -= 4; + p->data += 4; - if ( Event_Enabled(DECODE_IP4_DST_RESERVED) ) - if ( msb_dst == IP4_RESERVED ) - DecoderEvent(p, EVARGS(IP4_DST_RESERVED), 1, 1); + PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN); + DecodeICMPEmbeddedIP(p->data, p->dsize, p); + break; + + default: + PushLayer(PROTO_ICMP4, p, pkt, ICMP_HEADER_LEN); + break; + } + + /* Run a bunch of ICMP decoder rules */ + ICMP4MiscTests(p); + + p->proto_bits |= PROTO_BIT__ICMP; } -static INLINE void ICMP4AddrTests (Packet* p) +/* + * Function: DecodeICMPEmbeddedIP(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the ICMP embedded IP header + 64 bits payload + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to dummy packet decode struct + * + * Returns: void function + */ +void DecodeICMPEmbeddedIP(const uint8_t *pkt, const uint32_t len, Packet *p) { - uint8_t msb_dst; + uint32_t ip_len; /* length from the start of the ip hdr to the + * pkt end */ + uint32_t hlen; /* ip header length */ + uint16_t orig_frag_offset; + + /* do a little validation */ + if(len < IP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: IP short header (%d bytes)\n", len);); + + DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED, + 
DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1); #ifdef SUP_IP6 - uint32_t dst = GET_DST_IP(p)->ip32[0]; -#else - uint32_t dst = GET_DST_IP(p); + p->orig_family = NO_IP; #endif + p->orig_iph = NULL; + return; + } - // check all 32 bits; all set so byte order is irrelevant ... - if ( Event_Enabled(DECODE_ICMP4_DST_BROADCAST ) ) - if ( dst == IP4_BROADCAST ) - DecoderEvent(p, EVARGS(ICMP4_DST_BROADCAST), 1, 1); - - /* - don't use htonl for speed reasons - - * s_addr is always in network order */ -#ifdef WORDS_BIGENDIAN - msb_dst = (uint8_t)(dst >> 24); -#else - msb_dst = (uint8_t)(dst & 0xff); + /* lay the IP struct over the raw data */ +#ifdef SUP_IP6 + sfiph_orig_build(p, pkt, AF_INET); #endif + p->orig_iph = (IPHdr *) pkt; - // check the 'msn' (most significant nibble) ... - msb_dst >>= 4; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP: ip header" + " starts at: %p, length is %lu\n", p->orig_iph, + (unsigned long) len);); + /* + * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. 
+ * So we are just ignoring non IP datagrams + */ + if((GET_ORIG_IPH_VER(p) != 4) && !IS_IP6(p)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: not IPv4 datagram ([ver: 0x%x][len: 0x%x])\n", + GET_ORIG_IPH_VER(p), GET_ORIG_IPH_LEN(p));); - if ( Event_Enabled(DECODE_ICMP4_DST_MULTICAST) ) - if ( msb_dst == IP4_MULTICAST ) - DecoderEvent(p, EVARGS(ICMP4_DST_MULTICAST), 1, 1); -} + DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH, + DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1); -static INLINE void ICMP4MiscTests (Packet *p) -{ - if ( Event_Enabled(DECODE_ICMP_PING_NMAP) ) - { - if ((p->dsize == 0) && - (p->icmph->type == ICMP_ECHO)) - DecoderEvent(p, EVARGS(ICMP_PING_NMAP), 1, 1); +#ifdef SUP_IP6 + p->orig_family = NO_IP; +#endif + p->orig_iph = NULL; + return; } - if ( Event_Enabled(DECODE_ICMP_ICMPENUM) ) - { - if ((p->dsize == 0) && - (p->icmph->s_icmp_seq == 666)) - DecoderEvent(p, EVARGS(ICMP_ICMPENUM), 1, 1); - } + /* set the IP datagram length */ + ip_len = ntohs(GET_ORIG_IPH_LEN(p)); - if ( Event_Enabled(DECODE_ICMP_REDIRECT_HOST) ) - { - if ((p->icmph->code == 1) && - (p->icmph->type == ICMP_REDIRECT)) - DecoderEvent(p, EVARGS(ICMP_REDIRECT_HOST), 1, 1); - } + /* set the IP header length */ +#ifdef SUP_IP6 + hlen = (p->orig_ip4h->ip_verhl & 0x0f) << 2; +#else + hlen = IP_HLEN(p->orig_iph) << 2; +#endif - if ( Event_Enabled(DECODE_ICMP_REDIRECT_NET) ) + if(len < hlen) { - if ((p->icmph->type == ICMP_REDIRECT) && - (p->icmph->code == 0)) - DecoderEvent(p, EVARGS(ICMP_REDIRECT_NET), 1, 1); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: IP len (%d bytes) < IP hdr len (%d bytes), packet discarded\n", + ip_len, hlen);); + + DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, + DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1); + +#ifdef SUP_IP6 + p->orig_family = NO_IP; +#endif + p->orig_iph = NULL; + return; } - if ( Event_Enabled(DECODE_ICMP_TRACEROUTE_IPOPTS) ) + /* set the remaining packet length */ + ip_len = len - hlen; + + orig_frag_offset = 
ntohs(GET_ORIG_IPH_OFF(p)); + orig_frag_offset &= 0x1FFF; + + if (orig_frag_offset == 0) { - if (p->icmph->type == ICMP_ECHOREPLY) + /* Original IP payload should be 64 bits */ + if (ip_len < 8) { - int i; - for (i = 0; i < p->ip_option_count; i++) - { - if (p->ip_options[i].code == IPOPT_RR) - DecoderEvent(p, EVARGS(ICMP_TRACEROUTE_IPOPTS), 1, 1); - } + DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64, + DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1); + + return; + } + /* ICMP error packets could contain as much of original payload + * as possible, but not exceed 576 bytes + */ + else if (ntohs(GET_IPH_LEN(p)) > 576) + { + DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_GT_576, + DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 1, 1); } } - - if ( Event_Enabled(DECODE_ICMP_SOURCE_QUENCH) ) + else { - if ((p->icmph->type == ICMP_SOURCE_QUENCH) && - (p->icmph->code == 0)) - DecoderEvent(p, DECODE_ICMP_SOURCE_QUENCH, - DECODE_ICMP_SOURCE_QUENCH_STR, 1, 1); + /* RFC states that only first frag will get an ICMP response */ + DecoderEvent(p, DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET, + DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 1, 1); + return; } - if ( Event_Enabled(DECODE_ICMP_BROADSCAN_SMURF_SCANNER) ) - { - if ((p->dsize == 4) && - (p->icmph->type == ICMP_ECHO) && - (p->icmph->s_icmp_seq == 0) && - (p->icmph->code == 0)) - DecoderEvent(p, EVARGS(ICMP_BROADSCAN_SMURF_SCANNER), 1, 1); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP Unreachable IP header length: " + "%lu\n", (unsigned long)hlen);); - if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED) ) + switch(GET_ORIG_IPH_PROTO(p)) { - if ((p->icmph->type == ICMP_DEST_UNREACH) && - (p->icmph->code == 13)) - DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_ADMIN_PROHIBITED), 1, 1); - } + case IPPROTO_TCP: /* decode the interesting part of the header */ + p->orig_tcph = (TCPHdr *)(pkt + hlen); - if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED) ) - { - if ((p->icmph->type == ICMP_DEST_UNREACH) && - (p->icmph->code == 10)) - 
DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_HOST_PROHIBITED), 1, 1); - } + /* stuff more data into the printout data struct */ + p->orig_sp = ntohs(p->orig_tcph->th_sport); + p->orig_dp = ntohs(p->orig_tcph->th_dport); - if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED) ) - { - if ((p->icmph->type == ICMP_DEST_UNREACH) && - (p->icmph->code == 9)) - DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_NET_PROHIBITED), 1, 1); - } + break; -} + case IPPROTO_UDP: + p->orig_udph = (UDPHdr *)(pkt + hlen); + /* fill in the printout data structs */ + p->orig_sp = ntohs(p->orig_udph->uh_sport); + p->orig_dp = ntohs(p->orig_udph->uh_dport); -#ifdef DLT_ENC -/* see http://sourceforge.net/mailarchive/message.php?msg_id=1000380 */ -/* - * Function: DecodeEncPkt(Packet *, DAQ_PktHdr_t *, uint8_t *) - * - * Purpose: Decapsulate packets of type DLT_ENC. - * XXX Are these always going to be IP in IP? - * - * Arguments: p => pointer to decoded packet struct - * pkthdr => pointer to the packet header - * pkt => pointer to the real live packet data - */ -void DecodeEncPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) -{ - uint32_t cap_len = pkthdr->caplen; - struct enc_header *enc_h; - PROFILE_VARS; + break; - PREPROC_PROFILE_START(decodePerfStats); + case IPPROTO_ICMP: + p->orig_icmph = (ICMPHdr *)(pkt + hlen); + break; + } - pc.total_processed++; + return; +} - memset(p, 0, PKT_ZERO_LEN); - p->pkth = pkthdr; - p->pkt = pkt; +//-------------------------------------------------------------------- +// decode.c::NON SUP_IP6 IP6 vulnerabilities +//-------------------------------------------------------------------- - if (cap_len < ENC_HEADER_LEN) +#ifndef SUP_IP6 +/* For the BSD fragmentation vulnerability */ +SFXHASH *ipv6_frag_hash; + +static inline void FragEvent ( + Packet *p, int gid, char *str, int event_flag, int drop_flag) +{ + if(ScIdsMode() && event_flag) { - if (ScLogVerbose()) + queueDecoderEvent(GENERATOR_SPP_FRAG3, gid, 1, + DECODE_CLASS, 3, str, 0); + + if 
( drop_flag ) { - ErrorMessage("Captured data length < Encap header length! (%d bytes)\n", - cap_len); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); + Active_DropSession(); } - PREPROC_PROFILE_END(decodePerfStats); - return; } +} - enc_h = (struct enc_header *)p->pkt; - if (enc_h->af == AF_INET) - { - DecodeIP(p->pkt + ENC_HEADER_LEN + IP_HEADER_LEN, - cap_len - ENC_HEADER_LEN - IP_HEADER_LEN, p); - } - else +void BsdFragHashCleanup(void) +{ + if (ipv6_frag_hash) { - ErrorMessage("[!] WARNING: Unknown address family! (af: 0x%x)\n", - enc_h->af); + sfxhash_delete(ipv6_frag_hash); + ipv6_frag_hash = NULL; } - PREPROC_PROFILE_END(decodePerfStats); - return; } -#endif /* DLT_ENC */ -/* IPv4-layer decoder rules */ -static INLINE void IPMiscTests(Packet *p) +void BsdFragHashReset(void) { - if ( Event_Enabled(DECODE_ICMP_DOS_ATTEMPT) ) - { - /* Yes, it's an ICMP-related vuln in IP options. */ - uint8_t i, length, pointer; - - /* Alert on IP packets with either 0x07 (Record Route) or 0x44 (Timestamp) - options that are specially crafted. */ - for (i = 0; i < p->ip_option_count; i++) - { - if (p->ip_options[i].data == NULL) - continue; - - if (p->ip_options[i].code == IPOPT_RR) - { - length = p->ip_options[i].len; - if (length < 1) - continue; - - pointer = p->ip_options[i].data[0]; - - /* If the pointer goes past the end of the data, then the data - is full. That's okay. */ - if (pointer >= length + 2) - continue; - /* If the remaining space in the option isn't a multiple of 4 - bytes, alert. 
*/ - if (((length + 3) - pointer) % 4) - DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); - } - else if (p->ip_options[i].code == IPOPT_TS) - { - length = p->ip_options[i].len; - if (length < 2) - continue; + if (ipv6_frag_hash != NULL) + sfxhash_make_empty(ipv6_frag_hash); +} - pointer = p->ip_options[i].data[0]; +void BsdFragHashInit(int max) +{ + int rows = sfxhash_calcrows((int) (max * 1.4)); - /* If the pointer goes past the end of the data, then the data - is full. That's okay. */ - if (pointer >= length + 2) - continue; - /* If the remaining space in the option isn't a multiple of 4 - bytes, alert. */ - if (((length + 3) - pointer) % 4) - DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); - /* If there is a timestamp + address, we need a multiple of 8 - bytes instead. */ - if ((p->ip_options[i].data[1] & 0x01) && /* address flag */ - (((length + 3) - pointer) % 8)) - DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1); - } - } - } - if ( Event_Enabled(DECODE_IP_OPTION_SET) ) - { - if (p->ip_option_count > 0) - DecoderEvent(p, EVARGS(IP_OPTION_SET), 1, 1); - } + ipv6_frag_hash = sfxhash_new( + /* one row per element in table, when possible */ + rows, + 40, /* key size padded for 64 bit alignment */ + sizeof(time_t), /* data size */ + /* Set max to the sizeof a hash node, plus the size of + * the stored data, plus the size of the key (32), plus + * this size of a node pointer plus max rows plus 1. 
*/ + max * (40 + sizeof(SFXHASH_NODE) + sizeof(time_t) + sizeof(SFXHASH_NODE*)) + + (rows+1) * sizeof(SFXHASH_NODE*), + 1, /* enable AutoNodeRecovery */ + NULL, /* provide a function to let user know we want to kill a node */ + NULL, /* provide a function to release user memory */ + 1); /* Recycle nodes */ - if ( Event_Enabled(DECODE_IP_RESERVED_FRAG_BIT) ) - { - if (p->rf) - DecoderEvent(p, EVARGS(IP_RESERVED_FRAG_BIT), 1, 1); + if (!ipv6_frag_hash) { + FatalError("could not allocate ipv6_frag_hash"); } } +#endif // !SUP_IP6 + +//-------------------------------------------------------------------- +// decode.c::NON SUP_IP6 IP6 decoder +//-------------------------------------------------------------------- /* - * Function: DecodeIP(uint8_t *, const uint32_t, Packet *) + * Function: DecodeIPV6(uint8_t *, uint32_t) * - * Purpose: Decode the IP network layer + * Purpose: Decoding IPv6 headers * * Arguments: pkt => ptr to the packet data * len => length from here to the end of the packet - * p => pointer to the packet decode struct * * Returns: void function */ -void DecodeIP(const uint8_t * pkt, const uint32_t len, Packet * p) -{ - uint32_t ip_len; /* length from the start of the ip hdr to the pkt end */ - uint32_t hlen; /* ip header length */ - - pc.ip++; +#ifndef SUP_IP6 +Packet *BsdPseudoPacket; -#ifdef GRE - if (p->greh != NULL) - pc.gre_ip++; -#endif +/* This is the Snort-IPv4 version of the IPv6 BSD frag checking code */ +enum { + IPV6_FRAG_NO_ALERT = 0, + IPV6_FRAG_ALERT, + IPV6_FRAG_BAD_PKT, + IPV6_IS_NOT, + IPV6_TRUNCATED_EXT, + IPV6_TRUNCATED, - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + IPV6_NEXT +}; - /* do a little validation */ - if(len < IP_HEADER_LEN) +int CheckIPV6Frag (char *data, uint32_t size, Packet *p) +{ + typedef struct _IP6HdrChain { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated IP4 header (%d bytes)\n", len);); + uint8_t next_header; + uint8_t length; + } IP6HdrChain; - if ( Event_Enabled(DECODE_IP4_HDR_TRUNC) && 
((p->packet_flags & PKT_UNSURE_ENCAP) == 0)) - DecoderEvent(p, EVARGS(IP4_HDR_TRUNC), 1, 1); + IP6RawHdr *hdr; + IP6Frag *frag; + IP6HdrChain *chain; + uint8_t next_header; + uint32_t offset; + unsigned int header_length; + unsigned short frag_data; + char key[40]; /* Two 16 bit IP addresses and one fragmentation ID plus pad */ + SFXHASH_NODE *hash_node; - p->iph = NULL; - pc.discards++; - pc.ipdisc++; + if (sizeof(IP6RawHdr) > size) + return IPV6_TRUNCATED; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; - } + hdr = (IP6RawHdr *) data; -#ifndef SUP_IP6 - if (p->iph != NULL) -#else - if (p->family != NO_IP) -#endif /* SUP_IP6 */ - { - IPHdr *tmp = (IPHdr *)pkt; + if ((hdr->ip6vfc >> 4) != 6) + return IPV6_IS_NOT; - if (p->encapsulated || - ((tmp->ip_proto == IPPROTO_IPIP) || (tmp->ip_proto == IPPROTO_GRE)) -#ifdef SUP_IP6 - || (tmp->ip_proto == IPPROTO_IPV6) -#endif - ) - { - DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, - DECODE_IP_MULTIPLE_ENCAPSULATION_STR, - pkt, len); - return; - } - else - { - p->encapsulated = 1; - p->outer_iph = p->iph; - p->outer_ip_data = p->ip_data; - p->outer_ip_dsize = p->ip_dsize; - } - } + if (sizeof(IP6RawHdr) + ntohs(hdr->ip6plen) > size) + return IPV6_TRUNCATED; - /* lay the IP struct over the raw data */ - p->inner_iph = p->iph = (IPHdr *)pkt; + next_header = hdr->ip6nxt; + offset = sizeof(IP6RawHdr); - /* - * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. - * So we are just ignoring non IP datagrams - */ - if(IP_VER(p->iph) != 4) + while (offset < size) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Not IPv4 datagram! 
([ver: 0x%x][len: 0x%x])\n", - IP_VER(p->iph), p->iph->ip_len);); + switch (next_header) { + case IP_PROTO_IPV6: + return CheckIPV6Frag(data + offset, size - offset, p); - if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) - DecoderEvent(p, DECODE_NOT_IPV4_DGRAM, - DECODE_NOT_IPV4_DGRAM_STR, 1, 1); + case IP_PROTO_HOPOPTS: + case IP_PROTO_DSTOPTS: + case IP_PROTO_ROUTING: + case IP_PROTO_AH: + if (sizeof(IP6HdrChain) + offset > size) + return IPV6_TRUNCATED_EXT; - p->iph = NULL; - pc.discards++; - pc.ipdisc++; + chain = (IP6HdrChain* ) (data + offset); -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; - } + next_header = chain->next_header; + header_length = 8 + (8 * chain->length); -#ifdef SUP_IP6 - sfiph_build(p, p->iph, AF_INET); -#endif + if (offset + header_length > size) + return IPV6_TRUNCATED_EXT; -// p->ip_payload_len = p->iph->ip_len; -// p->ip_payload_off = p->ip_payload_len + (int)pkt; + offset += header_length; + break; - /* get the IP datagram length */ - ip_len = ntohs(p->iph->ip_len); + case IP_PROTO_FRAGMENT: + if (offset + sizeof(IP6Frag) > size) + return IPV6_TRUNCATED_EXT; - /* get the IP header length */ - hlen = IP_HLEN(p->iph) << 2; + frag = (IP6Frag *) (data + offset); + frag_data = frag->ip6f_offlg; - /* header length sanity check */ - if(hlen < IP_HEADER_LEN) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Bogus IP header length of %i bytes\n", hlen);); + /* srcip / dstip */ + memcpy(key, (data + 8), 32); + *(uint32_t*)(key+32) = frag->ip6f_ident; + *(uint32_t*)(key+36) = 0; /* zero out pad */ - DecoderEvent(p, DECODE_IPV4_INVALID_HEADER_LEN, - DECODE_IPV4_INVALID_HEADER_LEN_STR, 1, 1); + hash_node = sfxhash_find_node(ipv6_frag_hash, key); - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; - } + /* Check if the frag offset mask is set. 
+ * If it is, we're not looking at the exploit in question */ + if(IP6F_OFFSET(frag) != 0) + { + /* If this arrives before the two 0 offset frags, we will + * still add them as though they were the first, and false + * positive */ + if(hash_node) sfxhash_free_node(ipv6_frag_hash, hash_node); + return IPV6_FRAG_NO_ALERT; + } - if (ip_len > len) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "IP Len field is %d bytes bigger than captured length.\n" - " (ip.len: %lu, cap.len: %lu)\n", - ip_len - len, ip_len, len);); + /* Check if there are no more frags */ + if(!IP6F_MF(frag)) + { + /* At this point, we've seen a frag header with no offset + * that doesn't have the more flags set. Need to see if + * this follows a packet that did have the more flag set. */ + if(hash_node) + { + /* Check if the first packet timed out */ + if((p->pkth->ts.tv_sec - *(time_t *)hash_node->data) > (time_t)ScIpv6FragTimeout()) + { + sfxhash_free_node(ipv6_frag_hash, hash_node); + return IPV6_FRAG_BAD_PKT; + } - DecoderEventDrop(p, DECODE_IPV4_DGRAM_GT_CAPLEN, - DECODE_IPV4_DGRAM_GT_CAPLEN_STR, - ScDecoderOversizedAlerts(), - ScDecoderOversizedDrops()); + if(size - offset > 100) + { + return IPV6_FRAG_ALERT; + } - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; - } -#if 0 - // There is no need to alert when (ip_len < len). - // Libpcap will capture more bytes than are part of the IP payload. - // These could be Ethernet trailers, ESP trailers, etc. - // This code is left in, commented, to keep us from re-writing it later. 
- else if (ip_len < len) - { - if (ScLogVerbose()) - ErrorMessage("IP Len field is %d bytes " - "smaller than captured length.\n" - " (ip.len: %lu, cap.len: %lu)\n", - len - ip_len, ip_len, len); - } -#endif + sfxhash_free_node(ipv6_frag_hash, hash_node); - if(ip_len < hlen) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "IP dgm len (%d bytes) < IP hdr " - "len (%d bytes), packet discarded\n", ip_len, hlen);); + return IPV6_FRAG_BAD_PKT; + } - DecoderEvent(p, DECODE_IPV4_DGRAM_LT_IPHDR, - DECODE_IPV4_DGRAM_LT_IPHDR_STR, 1, 1); + /* We never saw the first packet, but this one is still bogus */ + return IPV6_FRAG_BAD_PKT; + } - p->iph = NULL; - pc.discards++; - pc.ipdisc++; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - return; + /* At this point, we've seen a header with no offset and a + * more flag */ + if(!hash_node) + { + /* There are more frags remaining, add current to hash */ + if(sfxhash_add(ipv6_frag_hash, key, (void *)&p->pkth->ts.tv_sec) + == SFXHASH_NOMEM) + { + return -1; + } + } + else + { + /* Update this node's timestamp */ + *(time_t *)hash_node->data = p->pkth->ts.tv_sec; + } + + default: + return IPV6_FRAG_NO_ALERT; + } } - /* - * IP Header tests: Land attack, and Loop back test - */ - if(ScIdsMode()) + return IPV6_FRAG_NO_ALERT; +} + +void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p) +{ + static uint8_t pseudopacket_buf[SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET]; + static Packet pseudopacket; + static DAQ_PktHdr_t pseudopkt_header; + IP6RawHdr *ip6h; + int alert_status; + + pc.ipv6++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6++; +#endif + + alert_status = CheckIPV6Frag((char *) pkt, len, p); + + if(alert_status == IPV6_FRAG_NO_ALERT) { - IP4AddrTests(p); + return; } + p->packet_flags |= PKT_NO_DETECT; - if (ScIpChecksums()) + /* Need to set up a fake IP header for logging purposes. 
First make sure + * there is room */ + if(sizeof(IP6RawHdr) <= len) { - /* routers drop packets with bad IP checksums, we don't really - * need to check them (should make this a command line/config - * option - */ - int16_t csum = in_chksum_ip((u_short *)p->iph, hlen); + pseudopkt_header.ts.tv_sec = p->pkth->ts.tv_sec; + pseudopkt_header.ts.tv_usec = p->pkth->ts.tv_usec; - if(csum) + BsdPseudoPacket = &pseudopacket; + pseudopacket.pkt = pseudopacket_buf + SPARC_TWIDDLE; + pseudopacket.pkth = &pseudopkt_header; + + if(p->eh) { - p->error_flags |= PKT_ERR_CKSUM_IP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n");); + SafeMemcpy(pseudopacket_buf + SPARC_TWIDDLE, p->eh, + ETHERNET_HEADER_LEN, + pseudopacket_buf, + pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); - if ( ScIdsMode() ) - queueExecDrop(execIpChksmDrop, p); + pseudopkt_header.pktlen = IP_HEADER_LEN + ETHERNET_HEADER_LEN; + + pseudopacket.eh = (EtherHdr*)(pseudopacket_buf + SPARC_TWIDDLE); + pseudopacket.iph = (IPHdr*)(pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN); + ((EtherHdr*)pseudopacket.eh)->ether_type = htons(ETHERNET_TYPE_IP); } -#ifdef DEBUG else { - DebugMessage(DEBUG_DECODE, "IP Checksum: OK\n"); + SafeMemcpy(pseudopacket_buf, p->pkt, + (pkt - p->pkt), + pseudopacket_buf, + pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); + + pseudopkt_header.pktlen = IP_HEADER_LEN + (pkt - p->pkt); + + pseudopacket.iph = (IPHdr*)(pseudopacket_buf + (pkt - p->pkt)); + pseudopacket.eh = NULL; } -#endif /* DEBUG */ - } - PushLayer(PROTO_IP4, p, pkt, hlen); + pseudopkt_header.caplen = pseudopkt_header.pktlen; - /* test for IP options */ - p->ip_options_len = (uint16_t)(hlen - IP_HEADER_LEN); + /* Need IP addresses for packet logging -- for now, just using the + * lowest 4 bytes of the IPv6 addresses */ + memset((IPHdr *)pseudopacket.iph, 0, sizeof(IPHdr)); - if(p->ip_options_len > 0) - { - p->ip_options_data = pkt + IP_HEADER_LEN; - 
DecodeIPOptions((pkt + IP_HEADER_LEN), p->ip_options_len, p); + ((IPHdr *)pseudopacket.iph)->ip_len = htons(IP_HEADER_LEN); + SET_IP_VER((IPHdr *)pseudopacket.iph, 0x4); + SET_IP_HLEN((IPHdr *)pseudopacket.iph, 0x5); + + ip6h = (IP6RawHdr*)pkt; + +#ifdef WORDS_BIGENDIAN + ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = + ip6h->ip6_src.s6_addr[13] << 16 | ip6h->ip6_src.s6_addr[14] << 8 | ip6h->ip6_src.s6_addr[15]; + ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = + ip6h->ip6_dst.s6_addr[13] << 16 | ip6h->ip6_dst.s6_addr[14] << 8 | ip6h->ip6_dst.s6_addr[15]; +#else + ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = + ip6h->ip6_src.s6_addr[15] << 24 | ip6h->ip6_src.s6_addr[14] << 16 | ip6h->ip6_src.s6_addr[13] << 8; + ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = + ip6h->ip6_dst.s6_addr[15] << 24 | ip6h->ip6_dst.s6_addr[14] << 16 | ip6h->ip6_dst.s6_addr[13] << 8; +#endif } else { -#ifdef GRE - /* If delivery header for GRE encapsulated packet is IP and it - * had options, the packet's ip options will be refering to this - * outer IP's options - * Zero these options so they aren't associated with this inner IP - * since p->iph will be pointing to this inner IP - */ - if (p->encapsulated) - { - p->ip_options_data = NULL; - p->ip_options_len = 0; - p->ip_lastopt_bad = 0; - } -#endif - p->ip_option_count = 0; + p->iph = NULL; } - /* set the real IP length for logging */ - p->actual_ip_len = (uint16_t) ip_len; - - /* set the remaining packet length */ - ip_len -= hlen; + switch(alert_status) { + case IPV6_FRAG_ALERT: + FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, + FRAG3_IPV6_BSD_ICMP_FRAG_STR, + ScDecoderIpv6BsdIcmpFragAlerts(), + ScDecoderIpv6BsdIcmpFragDrops()); + break; - /* check for fragmented packets */ - p->frag_offset = ntohs(p->iph->ip_off); + case IPV6_FRAG_BAD_PKT: + FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, + FRAG3_IPV6_BAD_FRAG_PKT_STR, + ScDecoderIpv6BadFragAlerts(), + ScDecoderIpv6BadFragDrops()); + break; - /* - * get the values of the reserved, more - * fragments and don't 
fragment flags - */ - p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15); - p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14); - p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13); + case IPV6_IS_NOT: + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_IS_NOT, + DECODE_IPV6_IS_NOT_STR, 1, 1); + break; - /* mask off the high bits in the fragment offset field */ - p->frag_offset &= 0x1FFF; + case IPV6_TRUNCATED_EXT: + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, 1, 1); + break; - if ( Event_Enabled(DECODE_IP4_DF_OFFSET) ) - if ( p->df && p->frag_offset ) - DecoderEvent(p, EVARGS(IP4_DF_OFFSET), 1, 1); + case IPV6_TRUNCATED: + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_TRUNCATED, + DECODE_IPV6_TRUNCATED_STR, 1, 1); + }; - if ( Event_Enabled(DECODE_IP4_LEN_OFFSET) ) - if ( p->frag_offset + p->actual_ip_len > IP_MAXPACKET ) - DecoderEvent(p, EVARGS(IP4_LEN_OFFSET), 1, 1); + BsdPseudoPacket = NULL; + pc.discards++; + return; +} +#endif // !SUP_IP6 - if(p->frag_offset || p->mf) +//-------------------------------------------------------------------- +// decode.c::IP6 misc +//-------------------------------------------------------------------- +#ifdef SUP_IP6 + +#define IP6_MULTICAST 0xFF // first/most significant octet +#define IP6_MULTICAST_SCOPE_RESERVED 0x00 +#define IP6_MULTICAST_SCOPE_INTERFACE 0x01 +#define IP6_MULTICAST_SCOPE_LINK 0x02 +#define IP6_MULTICAST_SCOPE_ADMIN 0x04 +#define IP6_MULTICAST_SCOPE_SITE 0x05 +#define IP6_MULTICAST_SCOPE_ORG 0x08 +#define IP6_MULTICAST_SCOPE_GLOBAL 0x0E + +/* Check for multiple IPv6 Multicast-related alerts */ +static void CheckIPV6Multicast(Packet *p) +{ + uint8_t multicast_scope; + + if ( p->ip6h->ip_src.ip.u6_addr8[0] == IP6_MULTICAST ) { - /* set the packet fragment flag */ - p->frag_flag = 1; - p->ip_frag_start = pkt + hlen; - p->ip_frag_len = (uint16_t)ip_len; - pc.frags++; - } - else + DecoderEvent(p, DECODE_IPV6_SRC_MULTICAST, + 
DECODE_IPV6_SRC_MULTICAST_STR, 1, 1); + } + if ( p->ip6h->ip_dst.ip.u6_addr8[0] != IP6_MULTICAST ) { - p->frag_flag = 0; + return; } - if(Event_Enabled(DECODE_BAD_FRAGBITS)) + multicast_scope = p->ip6h->ip_dst.ip.u6_addr8[1] & 0x0F; + switch (multicast_scope) { + case IP6_MULTICAST_SCOPE_RESERVED: + case IP6_MULTICAST_SCOPE_INTERFACE: + case IP6_MULTICAST_SCOPE_LINK: + case IP6_MULTICAST_SCOPE_ADMIN: + case IP6_MULTICAST_SCOPE_SITE: + case IP6_MULTICAST_SCOPE_ORG: + case IP6_MULTICAST_SCOPE_GLOBAL: + break; - if( p->mf && p->df ) - { - DecoderEvent(p, DECODE_BAD_FRAGBITS, - DECODE_BAD_FRAGBITS_STR, 1, 1); - } + default: + DecoderEvent(p, DECODE_IPV6_BAD_MULTICAST_SCOPE, + DECODE_IPV6_BAD_MULTICAST_SCOPE_STR, 1, 1); } - /* Set some convienience pointers */ - p->ip_data = pkt + hlen; - p->ip_dsize = (u_short) ip_len; + /* Check against assigned multicast addresses. These are listed at: + http://www.iana.org/assignments/ipv6-multicast-addresses/ */ - if (ScIdsMode()) + /* Multicast addresses only specify the first 16 and last 40 bits. + Others should be zero. 
*/ + if ((p->ip6h->ip_dst.ip.u6_addr16[1] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[2] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[3] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[4] != 0) || + (p->ip6h->ip_dst.ip.u6_addr8[10] != 0)) { - /* See if there are any ip_proto only rules that match */ - fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); - p->proto_bits |= PROTO_BIT__IP; + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + return; } - IPMiscTests(p); - - /* if this packet isn't a fragment - * or if it is, its a UDP packet and offset is 0 */ - if(!(p->frag_flag) || - (p->frag_flag && (p->frag_offset == 0) && - (p->iph->ip_proto == IPPROTO_UDP))) + if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_INTERFACE) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP header length: %lu\n", - (unsigned long)hlen);); - - switch(p->iph->ip_proto) + // Node-local scope + if ((p->ip6h->ip_dst.ip.u6_addr16[1] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[2] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[3] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[4] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[5] != 0) || + (p->ip6h->ip_dst.ip.u6_addr16[6] != 0)) { - case IPPROTO_TCP: - pc.tcp++; - DecodeTCP(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; - - case IPPROTO_UDP: - pc.udp++; - DecodeUDP(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; - case IPPROTO_ICMP: - pc.icmp++; - DecodeICMP(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; - -#ifdef GRE - case IPPROTO_IPV6: - if (ip_len < 40) + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } + else + { + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) + { + case 0x00000001: // All Nodes + case 0x00000002: // All Routers + case 0x000000FB: // mDNSv6 + break; + default: + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } + } + } + else if (p->ip6h->ip_dst.ip.u6_addr8[1] == 
IP6_MULTICAST_SCOPE_LINK) + { + // Link-local scope + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) + { + case 0x00000001: // All Nodes + case 0x00000002: // All Routers + case 0x00000004: // DVMRP Routers + case 0x00000005: // OSPFIGP + case 0x00000006: // OSPFIGP Designated Routers + case 0x00000007: // ST Routers + case 0x00000008: // ST Hosts + case 0x00000009: // RIP Routers + case 0x0000000A: // EIGRP Routers + case 0x0000000B: // Mobile-Agents + case 0x0000000C: // SSDP + case 0x0000000D: // All PIMP Routers + case 0x0000000E: // RSVP-ENCAPSULATION + case 0x0000000F: // UPnP + case 0x00000012: // VRRP + case 0x00000016: // All MLDv2-capable routers + case 0x0000006A: // All-Snoopers + case 0x0000006B: // PTP-pdelay + case 0x0000006C: // Saratoga + case 0x0000006D: // LL-MANET-Routers + case 0x0000006E: // IGRS + case 0x0000006F: // iADT Discovery + case 0x000000FB: // mDNSv6 + case 0x00010001: // Link Name + case 0x00010002: // All-dhcp-agents + case 0x00010003: // Link-local Multicast Name Resolution + case 0x00010004: // DTCP Announcement + break; + default: + if ((p->ip6h->ip_dst.ip.u6_addr8[11] == 1) && + (p->ip6h->ip_dst.ip.u6_addr8[12] == 0xFF)) { - /* Insufficient size for IPv6 Header. 
*/ - /* This could be an attempt to exploit Linux kernel - * vulnerability, so log an alert */ - DecoderEvent(p, DECODE_IPV6_TUNNELED_IPV4_TRUNCATED, - DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR, - 1, 1); + break; // Solicited-Node Address } - pc.ip4ip6++; - DecodeIPV6(pkt + hlen, ip_len, p); - return; - - case IPPROTO_GRE: - pc.gre++; - DecodeGRE(pkt + hlen, ip_len, p); - //ClearDumpBuf(); - return; - - case IPPROTO_IPIP: - pc.ip4ip4++; - DecodeIP(pkt + hlen, ip_len, p); - return; -#endif - - case IPPROTO_ESP: - DecodeESP(pkt + hlen, ip_len, p); - return; - - case IPPROTO_SWIPE: - case IPPROTO_IP_MOBILITY: - case IPPROTO_SUN_ND: - case IPPROTO_PIM: - if ( Event_Enabled(DECODE_IP_BAD_PROTO) ) - DecoderEvent(p, EVARGS(IP_BAD_PROTO), 1, 1); - pc.other++; - p->data = pkt + hlen; - p->dsize = (u_short) ip_len; - return; - - default: - if ( Event_Enabled(DECODE_IP_UNASSIGNED_PROTO) ) + if ((p->ip6h->ip_dst.ip.u6_addr8[11] == 2) && + (p->ip6h->ip_dst.ip.u6_addr8[12] == 0xFF)) { - if (GET_IPH_PROTO(p) >= MIN_UNASSIGNED_IP_PROTO) - DecoderEvent(p, EVARGS(IP_UNASSIGNED_PROTO), 1, 1); + break; // Node Information Queries } - pc.other++; - p->data = pkt + hlen; - p->dsize = (u_short) ip_len; - //ClearDumpBuf(); - return; + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); } } - else - { - /* set the payload pointer and payload size */ - p->data = pkt + hlen; - p->dsize = (u_short) ip_len; - } -} - - -/* TCP-layer decoder alerts */ -static INLINE void TCPMiscTests(Packet *p) -{ - if ( Event_Enabled(DECODE_TCP_SHAFT_SYNFLOOD) ) + else if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_SITE) { - if ( ((p->tcph->th_flags & TH_NORESERVED) == TH_SYN ) && - (p->tcph->th_seq == htonl(674711609)) ) - DecoderEvent(p, EVARGS(TCP_SHAFT_SYNFLOOD), 1, 1); + // Site-local scope + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) + { + case 0x00000002: // All Routers + case 0x000000FB: // mDNSv6 + case 0x00010003: // All-dhcp-servers + 
case 0x00010004: // Deprecated + break; + default: + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } } - - if ( Event_Enabled(DECODE_TCP_PORT_ZERO) ) + else if ((p->ip6h->ip_dst.ip.u6_addr8[1] & 0xF0) == 0) { - if (p->sp == 0 || p->dp == 0) - DecoderEvent(p, EVARGS(TCP_PORT_ZERO), 1, 1); - } -} - -/* - * Function: DecodeTCP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the TCP transport layer - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => Pointer to packet decode struct - * - * Returns: void function + // Variable scope + switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) + { + case 0x0000000C: // SSDP + case 0x000000FB: // mDNSv6 + case 0x00000181: // PTP-primary + case 0x00000182: // PTP-alternate1 + case 0x00000183: // PTP-alternate2 + case 0x00000184: // PTP-alternate3 + case 0x0000018C: // All ACs multicast address + case 0x00000201: // "rwho" Group (BSD) + case 0x00000202: // SUN RPC PMAPPROC_CALLIT + case 0x00000204: // All C1222 Nodes + case 0x00000300: // Mbus/IPv6 + case 0x00027FFE: // SAPv1 Announcements + case 0x00027FFF: // SAPv0 Announcements + break; + default: + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00000100) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x00000136)) + { + break; // Several addresses assigned in a contiguous block + } + + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00000140) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x0000014F)) + { + break; // EPSON-disc-set + } + + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00020000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x00027FFD)) + { + break; // Multimedia Conference Calls + } + + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00011000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x000113FF)) + { + break; // Service Location, Version 2 + } + + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00028000) && + 
(ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x0002FFFF)) + { + break; // SAP Dynamic Assignments + } + + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } + } + else if ((p->ip6h->ip_dst.ip.u6_addr8[1] & 0xF0) == 3) + { + // Source-Specific Multicast block + if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x40000001) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x7FFFFFFF)) + { + return; // IETF consensus + } + else if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x80000000) && + (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0xFFFFFFFF)) + { + return; // Dynamiclly allocated by hosts when needed + } + else + { + // Other addresses in this block are reserved. + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } + } + else + { + /* Addresses not listed above are reserved. */ + DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, + DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + } +} + +/* Teredo packets need to have one of their IPs use either the Teredo prefix, + or a link-local prefix (in the case of Router Solicitation messages) */ +static inline int CheckTeredoPrefix(IP6RawHdr *hdr) +{ + /* Check if src address matches 2001::/32 */ + if ((hdr->ip6_src.s6_addr[0] == 0x20) && + (hdr->ip6_src.s6_addr[1] == 0x01) && + (hdr->ip6_src.s6_addr[2] == 0x00) && + (hdr->ip6_src.s6_addr[3] == 0x00)) + return 1; + + /* Check if src address matches fe80::/64 */ + if ((hdr->ip6_src.s6_addr[0] == 0xfe) && + (hdr->ip6_src.s6_addr[1] == 0x80) && + (hdr->ip6_src.s6_addr[2] == 0x00) && + (hdr->ip6_src.s6_addr[3] == 0x00) && + (hdr->ip6_src.s6_addr[4] == 0x00) && + (hdr->ip6_src.s6_addr[5] == 0x00) && + (hdr->ip6_src.s6_addr[6] == 0x00) && + (hdr->ip6_src.s6_addr[7] == 0x00)) + return 1; + + /* Check if dst address matches 2001::/32 */ + if ((hdr->ip6_dst.s6_addr[0] == 0x20) && + (hdr->ip6_dst.s6_addr[1] == 0x01) && + (hdr->ip6_dst.s6_addr[2] == 0x00) && + (hdr->ip6_dst.s6_addr[3] 
== 0x00)) + return 1; + + /* Check if dst address matches fe80::/64 */ + if ((hdr->ip6_dst.s6_addr[0] == 0xfe) && + (hdr->ip6_dst.s6_addr[1] == 0x80) && + (hdr->ip6_dst.s6_addr[2] == 0x00) && + (hdr->ip6_dst.s6_addr[3] == 0x00) && + (hdr->ip6_dst.s6_addr[4] == 0x00) && + (hdr->ip6_dst.s6_addr[5] == 0x00) && + (hdr->ip6_dst.s6_addr[6] == 0x00) && + (hdr->ip6_dst.s6_addr[7] == 0x00)) + return 1; + + /* No Teredo prefix found. */ + return 0; +} + +/* Function: IPV6MiscTests(Packet *p) + * + * Purpose: A bunch of IPv6 decoder alerts + * + * Arguments: p => the Packet to check + * + * Returns: void function */ -void DecodeTCP(const uint8_t * pkt, const uint32_t len, Packet * p) +static inline void IPV6MiscTests(Packet *p) { - struct pseudoheader6 /* pseudo header for TCP checksum calculations */ + /* + * Some IP Header tests + * Land Attack(same src/dst ip) + * Loopback (src or dst in 127/8 block) + * Modified: 2/22/05-man for High Endian Architecture. + * + * some points in the code assume an IP of 0.0.0.0 matches anything, but + * that is not so here. The sfip_compare makes that assumption for + * compatibility, but sfip_contains does not. Hence, sfip_contains + * is used here in the interrim. 
*/ + if( sfip_contains(&p->ip6h->ip_src, &p->ip6h->ip_dst) == SFIP_CONTAINS) { - uint32_t sip[4], dip[4]; /* IP addr */ - uint8_t zero; /* checksum placeholder */ - uint8_t protocol; /* protocol number */ - uint16_t tcplen; /* tcp packet length */ - }; + DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, + DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, + 1,1); + } - struct pseudoheader /* pseudo header for TCP checksum calculations */ + if(sfip_is_loopback(&p->ip6h->ip_src) || sfip_is_loopback(&p->ip6h->ip_dst)) { - uint32_t sip, dip; /* IP addr */ - uint8_t zero; /* checksum placeholder */ - uint8_t protocol; /* protocol number */ - uint16_t tcplen; /* tcp packet length */ - }; - uint32_t hlen; /* TCP header length */ + DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, + DECODE_BAD_TRAFFIC_LOOPBACK_STR, + 1,1); + } - if(len < TCP_HEADER_LEN) + /* Other decoder alerts for IPv6 addresses + Added: 5/24/10 (Snort 2.9.0) */ + if (!sfip_is_set(&p->ip6h->ip_dst)) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "TCP packet (len = %d) cannot contain " "20 byte header\n", len);); + DecoderEvent(p, DECODE_IPV6_DST_ZERO, DECODE_IPV6_DST_ZERO_STR, 1, 1); + } - DecoderEvent(p, DECODE_TCP_DGRAM_LT_TCPHDR, - DECODE_TCP_DGRAM_LT_TCPHDR_STR, 1, 1); + CheckIPV6Multicast(p); - p->tcph = NULL; - pc.discards++; - pc.tdisc++; + if ( Event_Enabled(DECODE_IPV6_ISATAP_SPOOF) ) + { + /* Only check for IPv6 over IPv4 */ + if (p->ip4h && p->ip4h->ip_proto == IPPROTO_IPV6) + { + uint32_t isatap_interface_id = ntohl(p->ip6h->ip_src.ip.u6_addr32[2]) & 0xFCFFFFFF; - return; + /* ISATAP uses address with prefix fe80:0000:0000:0000:0200:5efe or + fe80:0000:0000:0000:0000:5efe, followed by the IPv4 address. */ + if (isatap_interface_id == 0x00005EFE) + { + if (p->ip4h->ip_src.ip.u6_addr32[0] != p->ip6h->ip_src.ip.u6_addr32[3]) + DecoderEvent(p, EVARGS(IPV6_ISATAP_SPOOF), 1, 1); + } + } } +} +#endif // SUP_IP6 - /* lay TCP on top of the data cause there is enough of it! 
*/ - p->tcph = (TCPHdr *) pkt; +//-------------------------------------------------------------------- +// decode.c::IP6 extensions +//-------------------------------------------------------------------- - /* multiply the payload offset value by 4 */ - hlen = TCP_OFFSET(p->tcph) << 2; +#ifdef SUP_IP6 +static inline int IPV6ExtensionOrder(uint8_t type) +{ + switch (type) + { + case IPPROTO_HOPOPTS: return 1; + case IPPROTO_DSTOPTS: return 2; + case IPPROTO_ROUTING: return 3; + case IPPROTO_FRAGMENT: return 4; + case IPPROTO_AH: return 5; + case IPPROTO_ESP: return 6; + default: return 7; + } +} - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "TCP th_off is %d, passed len is %lu\n", - TCP_OFFSET(p->tcph), (unsigned long)len);); +void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p); - if(hlen < TCP_HEADER_LEN) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "TCP Data Offset (%d) < hlen (%d) \n", - TCP_OFFSET(p->tcph), hlen);); +static inline int CheckIPV6HopOptions(const uint8_t *pkt, uint32_t len, Packet *p) +{ + IP6Extension *exthdr = (IP6Extension *)pkt; + uint32_t total_octets = (exthdr->ip6e_len * 8) + 8; + const uint8_t *hdr_end = pkt + total_octets; + uint8_t type, oplen; - DecoderEvent(p, DECODE_TCP_INVALID_OFFSET, - DECODE_TCP_INVALID_OFFSET_STR, 1, 1); + if (len < total_octets) + DecoderEvent(p, EVARGS(IPV6_TRUNCATED_EXT), 1, 1); - p->tcph = NULL; - pc.discards++; - pc.tdisc++; + /* Skip to the options */ + pkt += 2; - return; + /* Iterate through the options, check for bad ones */ + while (pkt < hdr_end) + { + type = *pkt; + switch (type) + { + case IP6_OPT_PAD1: + pkt++; + break; + case IP6_OPT_PADN: + case IP6_OPT_JUMBO: + case IP6_OPT_RTALERT: + case IP6_OPT_TUNNEL_ENCAP: + case IP6_OPT_QUICK_START: + case IP6_OPT_CALIPSO: + case IP6_OPT_HOME_ADDRESS: + case IP6_OPT_ENDPOINT_IDENT: + oplen = *(++pkt); + if ((pkt + oplen + 1) > hdr_end) + { + DecoderEvent(p, EVARGS(IPV6_BAD_OPT_LEN), 1, 1); + return -1; + } + pkt += oplen + 1; + 
break; + default: + DecoderEvent(p, EVARGS(IPV6_BAD_OPT_TYPE), 1, 1); + return -1; + } } - if(hlen > len) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "TCP Data Offset(%d) < longer than payload(%d)!\n", - TCP_OFFSET(p->tcph) << 2, len);); + return 0; +} - DecoderEventDrop(p, DECODE_TCP_LARGE_OFFSET, - DECODE_TCP_LARGE_OFFSET_STR, - ScDecoderOversizedAlerts(), - ScDecoderOversizedDrops()); +void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p) +{ + IP6Extension *exthdr; + uint32_t hdrlen = 0; - p->tcph = NULL; - pc.discards++; - pc.tdisc++; + /* This should only be called by DecodeIPV6 or DecodeIPV6Extensions + * so no validation performed. Otherwise, uncomment the following: */ + /* if(IPH_IS_VALID(p)) return */ + pc.ipv6opts++; + + /* Need at least two bytes, one for next header, one for len. */ + /* But size is an integer multiple of 8 octets, so 8 is min. */ + if(len < sizeof(IP6Extension)) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); return; } - if(Event_Enabled(DECODE_TCP_XMAS) || Event_Enabled(DECODE_TCP_NMAP_XMAS)) + if ( p->ip6_extension_count >= IP6_EXTMAX ) { - if(TCP_ISFLAGSET(p->tcph, (TH_FIN|TH_PUSH|TH_URG))) - { - if(TCP_ISFLAGSET(p->tcph, (TH_SYN|TH_ACK|TH_RST))) + DecoderEvent(p, DECODE_IP6_EXCESS_EXT_HDR, + DECODE_IP6_EXCESS_EXT_HDR_STR, + 1, 1); + return; + } + + exthdr = (IP6Extension *)pkt; + + p->ip6_extensions[p->ip6_extension_count].type = type; + p->ip6_extensions[p->ip6_extension_count].data = pkt; + + // TBD add layers for other ip6 ext headers + switch (type) + { + case IPPROTO_HOPOPTS: + if (len < sizeof(IP6HopByHop)) { - DecoderEvent(p, DECODE_TCP_XMAS, DECODE_TCP_XMAS_STR, 1, 1); + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; } - else + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); + + if ( CheckIPV6HopOptions(pkt, len, p) == 0 ) + PushLayer(PROTO_IP6_HOP_OPTS, p, pkt, hdrlen); + break; + + case 
IPPROTO_DSTOPTS: + if (len < sizeof(IP6Dest)) { - DecoderEvent(p, DECODE_TCP_NMAP_XMAS, DECODE_TCP_NMAP_XMAS_STR, 1, 1); + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; } - // Allowing this packet for further processing - // (in case there is a valid data inside it). - /*p->tcph = NULL; - pc.discards++; - pc.tdisc++; - return;*/ - } - } + if (exthdr->ip6e_nxt == IPPROTO_ROUTING) + { + DecoderEvent(p, DECODE_IPV6_DSTOPTS_WITH_ROUTING, + DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR, + 1, 1); + } + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - if(TCP_ISFLAGSET(p->tcph, (TH_SYN))) - { - /* check if only SYN is set */ - if( p->tcph->th_flags == TH_SYN ) - { - if( Event_Enabled(DECODE_DOS_NAPTHA) ) + if ( CheckIPV6HopOptions(pkt, len, p) == 0 ) + PushLayer(PROTO_IP6_DST_OPTS, p, pkt, hdrlen); + break; + + case IPPROTO_ROUTING: + if (len < sizeof(IP6Route)) { - if( p->tcph->th_seq == 6060842 ) - { - if( GET_IPH_ID(p) == 413 ) - { - DecoderEvent(p, DECODE_DOS_NAPTHA, - DECODE_DOS_NAPTHA_STR, 1, 1); - } - } + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; } - } - - if( Event_Enabled(DECODE_SYN_TO_MULTICAST) ) - { - if( IpAddrSetContains(SynToMulticastDstIp, GET_DST_ADDR(p)) ) + if (exthdr->ip6e_nxt == IPPROTO_HOPOPTS) { - DecoderEvent(p, DECODE_SYN_TO_MULTICAST, - DECODE_SYN_TO_MULTICAST_STR, 1, 1); + DecoderEvent(p, DECODE_IPV6_ROUTE_AND_HOPBYHOP, + DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR, + 1, 1); } - } - if ( Event_Enabled(DECODE_TCP_SYN_RST) ) - if ( (p->tcph->th_flags & TH_RST) ) - DecoderEvent(p, EVARGS(TCP_SYN_RST), 1, 1); - - if ( Event_Enabled(DECODE_TCP_SYN_FIN) ) - if ( (p->tcph->th_flags & TH_FIN) ) - DecoderEvent(p, EVARGS(TCP_SYN_FIN), 1, 1); - } - else - { // we already know there is no SYN - if ( Event_Enabled(DECODE_TCP_NO_SYN_ACK_RST) ) - if ( !(p->tcph->th_flags & (TH_ACK|TH_RST)) ) - DecoderEvent(p, EVARGS(TCP_NO_SYN_ACK_RST), 1, 1); - } - - if ( 
Event_Enabled(DECODE_TCP_MUST_ACK) ) - if ( (p->tcph->th_flags & (TH_FIN|TH_PUSH|TH_URG)) && - !(p->tcph->th_flags & TH_ACK) ) - DecoderEvent(p, EVARGS(TCP_MUST_ACK), 1, 1); - - /* stuff more data into the printout data struct */ - p->sp = ntohs(p->tcph->th_sport); - p->dp = ntohs(p->tcph->th_dport); + if (exthdr->ip6e_nxt == IPPROTO_ROUTING) + { + DecoderEvent(p, DECODE_IPV6_TWO_ROUTE_HEADERS, + DECODE_IPV6_TWO_ROUTE_HEADERS_STR, + 1, 1); + } + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); + break; - if (ScTcpChecksums()) - { - uint16_t csum; -#ifdef SUP_IP6 - if(IS_IP4(p)) - { - struct pseudoheader ph; - ph.sip = *p->ip4h->ip_src.ip32; - ph.dip = *p->ip4h->ip_dst.ip32; -#else - struct pseudoheader ph; - ph.sip = (uint32_t)(p->iph->ip_src.s_addr); - ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); -#endif - /* setup the pseudo header for checksum calculation */ - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.tcplen = htons((u_short)len); - - /* if we're being "stateless" we probably don't care about the TCP - * checksum, but it's not bad to keep around for shits and giggles */ - /* calculate the checksum */ - csum = in_chksum_tcp((uint16_t *)&ph, (uint16_t *)(p->tcph), len); -#ifdef SUP_IP6 - } - /* IPv6 traffic */ - else - { - struct pseudoheader6 ph6; - COPY4(ph6.sip, p->ip6h->ip_src.ip32); - COPY4(ph6.dip, p->ip6h->ip_dst.ip32); - ph6.zero = 0; - ph6.protocol = GET_IPH_PROTO(p); - ph6.tcplen = htons((u_short)len); + case IPPROTO_FRAGMENT: + if (len < sizeof(IP6Frag)) + { + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; + } + else + { + IP6Frag *ip6frag_hdr = (IP6Frag *)pkt; + /* If this is an IP Fragment, set some data... 
*/ + p->ip6_frag_index = p->ip6_extension_count; + p->ip_frag_start = pkt + sizeof(IP6Frag); + p->frag_flag = 1; + pc.frag6++; + + p->df = 0; + p->rf = IP6F_RES(ip6frag_hdr); + p->mf = IP6F_MF(ip6frag_hdr); + p->frag_offset = IP6F_OFFSET(ip6frag_hdr); + } + hdrlen = sizeof(IP6Frag); + p->ip_frag_len = (uint16_t)(len - hdrlen); + + if ( (p->frag_offset > 0) || + (exthdr->ip6e_nxt != IPPROTO_UDP) ) + { + /* For non-zero offset frags, we stop decoding after the + Frag header. According to RFC 2460, the "Next Header" + value may differ from that of the offset zero frag, + but only the Next Header of the original frag is used. */ + // check DecodeIP(); we handle frags the same way here + p->ip6_extension_count++; + return; + } + break; - csum = in_chksum_tcp6((uint16_t *)&ph6, (uint16_t *)(p->tcph), len); - } -#endif - - if(csum) - { - p->error_flags |= PKT_ERR_CKSUM_TCP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n", - "0x%x versus 0x%x\n", csum, - ntohs(p->tcph->th_sum));); + case IPPROTO_AH: + /* Auth Headers work in both IPv4 & IPv6, and their lengths are + given in 4-octet increments instead of 8-octet increments. 
*/ + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 2); + break; - if ( ScIdsMode() ) - queueExecDrop(execTcpChksmDrop, p); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"TCP Checksum: OK\n");); - } + default: + hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); + break; } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "tcp header starts at: %p\n", p->tcph);); - - PushLayer(PROTO_TCP, p, pkt, hlen); - - /* if options are present, decode them */ - p->tcp_options_len = (uint16_t)(hlen - TCP_HEADER_LEN); - - if(p->tcp_options_len > 0) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%lu bytes of tcp options....\n", - (unsigned long)(p->tcp_options_len));); + p->ip6_extension_count++; - p->tcp_options_data = pkt + TCP_HEADER_LEN; - DecodeTCPOptions((uint8_t *) (pkt + TCP_HEADER_LEN), p->tcp_options_len, p); - } - else + if(hdrlen > len) { - p->tcp_option_count = 0; + DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, + DECODE_IPV6_TRUNCATED_EXT_STR, + 1, 1); + return; } - /* set the data pointer and size */ - p->data = (uint8_t *) (pkt + hlen); - - if(hlen < len) + if ( hdrlen > 0 ) { - p->dsize = (u_short)(len - hlen); + DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p); } +#ifdef DEBUG_MSGS else { - p->dsize = 0; - } - - if ( Event_Enabled(DECODE_TCP_BAD_URP) ) - if ( (p->tcph->th_flags & TH_URG) && - (!p->dsize || ntohs(p->tcph->th_urp) > p->dsize) ) - DecoderEvent(p, EVARGS(TCP_BAD_URP), 1, 1); - - TCPMiscTests(p); - - /* Drop packet if we ignore this port */ - if (ScIgnoreTcpPort(p->sp) || ScIgnoreTcpPort(p->dp)) - { - /* Ignore all preprocessors for this packet */ - p->packet_flags |= PKT_IGNORE_PORT; - } - - p->proto_bits |= PROTO_BIT__TCP; -} - -/* UDP-layer decoder alerts */ -static INLINE void UDPMiscTests(Packet *p) -{ - if ( Event_Enabled(DECODE_UDP_LARGE_PACKET) ) - { - if (p->dsize > 4000) - DecoderEvent(p, EVARGS(UDP_LARGE_PACKET), 1, 1); - } - - if ( Event_Enabled(DECODE_UDP_PORT_ZERO) ) - { - if (p->sp == 0 || p->dp == 0) - DecoderEvent(p, 
EVARGS(UDP_PORT_ZERO), 1, 1); + DebugMessage(DEBUG_DECODE, "WARNING - no next ip6 header decoded\n"); } +#endif } -/* - * Function: DecodeUDP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the UDP transport layer - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct - * - * Returns: void function - */ -void DecodeUDP(const uint8_t * pkt, const uint32_t len, Packet * p) +/* Check for out-of-order IPv6 Extension Headers */ +static inline void CheckIPv6ExtensionOrder(Packet *p) { - struct pseudoheader6 - { - uint32_t sip[4], dip[4]; - uint8_t zero; - uint8_t protocol; - uint16_t udplen; - }; + int routing_seen = 0; + int current_type_order, next_type_order, i; - struct pseudoheader + if (Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS)) { - uint32_t sip, dip; - uint8_t zero; - uint8_t protocol; - uint16_t udplen; - }; - uint16_t uhlen; - u_char fragmented_udp_flag = 0; + if (p->ip6_extension_count > 0) + current_type_order = IPV6ExtensionOrder(p->ip6_extensions[0].type); - if(len < sizeof(UDPHdr)) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Truncated UDP header (%d bytes)\n", len);); + for (i = 1; i < (p->ip6_extension_count); i++) + { + next_type_order = IPV6ExtensionOrder(p->ip6_extensions[i].type); - DecoderEvent(p, DECODE_UDP_DGRAM_LT_UDPHDR, - DECODE_UDP_DGRAM_LT_UDPHDR_STR, 1, 1); + if (p->ip6_extensions[i].type == IPPROTO_ROUTING) + routing_seen = 1; - p->udph = NULL; - pc.discards++; - pc.udisc++; + if (next_type_order <= current_type_order) + { + /* A second "Destination Options" header is allowed iff: + 1) A routing header was already seen, and + 2) The second destination header is the last one before the upper layer. 
+ */ + if (!routing_seen || + !(p->ip6_extensions[i].type == IPPROTO_DSTOPTS) || + !(i+1 == p->ip6_extension_count)) + { + DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1); + } + } - return; + current_type_order = next_type_order; + } } +} - if (p->proto_bits & PROTO_BIT__TEREDO) - p->outer_udph = p->udph; +void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p) +{ + pc.ip6ext++; - /* set the ptr to the start of the UDP header */ - p->inner_udph = p->udph = (UDPHdr *) pkt; +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6ext++; +#endif - if (!p->frag_flag) - { - uhlen = ntohs(p->udph->uh_len); - } - else + /* XXX might this introduce an issue if the "next" field is invalid? */ + p->ip6h->next = next; + + if (ScIdsMode()) { - if(IS_IP6(p)) - { - uint16_t ip_len = ntohs(GET_IPH_LEN(p)); - /* subtract the distance from udp header to 1st ip6 extension */ - /* This gives the length of the UDP "payload", when fragmented */ - uhlen = ip_len - ((u_char *)p->udph - (u_char *)p->ip6_extensions[0].data); - } - else - { - uint16_t ip_len = ntohs(GET_IPH_LEN(p)); - /* Don't forget, IP_HLEN is a word - multiply x 4 */ - uhlen = ip_len - (GET_IPH_HLEN(p) * 4 ); - } - fragmented_udp_flag = 1; + /* See if there are any ip_proto only rules that match */ + fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); + p->proto_bits |= PROTO_BIT__IP; } - - /* verify that the header len is a valid value */ - if(uhlen < UDP_HEADER_LEN) + + switch(next) { + case IPPROTO_TCP: + pc.tcp6++; + CheckIPv6ExtensionOrder(p); + DecodeTCP(pkt, len, p); + return; + case IPPROTO_UDP: + pc.udp6++; + CheckIPv6ExtensionOrder(p); + DecodeUDP(pkt, len, p); + return; + case IPPROTO_ICMPV6: + pc.icmp6++; + CheckIPv6ExtensionOrder(p); + DecodeICMP6(pkt , len, p); + return; + case IPPROTO_NONE: + CheckIPv6ExtensionOrder(p); + p->dsize = 0; + return; + case IPPROTO_HOPOPTS: + case IPPROTO_DSTOPTS: + case IPPROTO_ROUTING: + case IPPROTO_FRAGMENT: + case IPPROTO_AH: + 
DecodeIPV6Options(next, pkt, len, p); + // Anything special to do here? just return? + return; +#ifdef GRE + case IPPROTO_GRE: + pc.gre++; + CheckIPv6ExtensionOrder(p); + DecodeGRE(pkt, len, p); + return; + case IPPROTO_IPIP: + pc.ip6ip4++; + CheckIPv6ExtensionOrder(p); + DecodeIP(pkt, len, p); + return; + case IPPROTO_IPV6: + pc.ip6ip6++; + CheckIPv6ExtensionOrder(p); + DecodeIPV6(pkt, len, p); + return; + case IPPROTO_ESP: + CheckIPv6ExtensionOrder(p); + if (ScESPDecoding()) + DecodeESP(pkt, len, p); + return; +#endif + default: + // There may be valid headers after this unsupported one, + // need to decode this header, set "next" and continue + // looping. + + DecoderEvent(p, DECODE_IPV6_BAD_NEXT_HEADER, + DECODE_IPV6_BAD_NEXT_HEADER_STR, 1, 1); + + pc.other++; + p->data = pkt; + p->dsize = (uint16_t)len; + break; + }; +} +#endif /* SUP_IP6 */ + +//-------------------------------------------------------------------- +// decode.c::IP6 decoder +//-------------------------------------------------------------------- + +#ifdef SUP_IP6 +void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p) +{ + IP6RawHdr *hdr; + uint32_t payload_len; + + pc.ipv6++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6++; +#endif + + hdr = (IP6RawHdr*)pkt; + + if(len < IP6_HDR_LEN) { - DecoderEvent(p, DECODE_UDP_DGRAM_INVALID_LENGTH, - DECODE_UDP_DGRAM_INVALID_LENGTH_STR, 1, 1); + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_TRUNCATED, DECODE_IPV6_TRUNCATED_STR, + 1, 1); - p->udph = NULL; - pc.udisc++; - pc.discards++; + goto decodeipv6_fail; + } - return; + /* Verify version in IP6 Header agrees */ + if((hdr->ip6vfc >> 4) != 6) + { + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR, + 1, 1); + + goto decodeipv6_fail; } - /* make sure there are enough bytes as designated by length field */ - if(len < uhlen) + if (p->family != NO_IP) { - DecoderEvent(p, DECODE_UDP_DGRAM_SHORT_PACKET, - 
DECODE_UDP_DGRAM_SHORT_PACKET_STR, 1, 1); + /* Snort currently supports only 2 IP layers. Any more will fail to be + decoded. */ + if (p->encapsulated) + { - p->udph = NULL; - pc.discards++; - pc.udisc++; + DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, + DECODE_IP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + goto decodeipv6_fail; + } + else + { + p->encapsulated = 1; + p->outer_iph = p->iph; + p->outer_ip_data = p->ip_data; + p->outer_ip_dsize = p->ip_dsize; + } + } + payload_len = ntohs(hdr->ip6plen) + IP6_HDR_LEN; - return; - } - else if(len > uhlen) + if(payload_len != len) { - DecoderEventDrop(p, DECODE_UDP_DGRAM_LONG_PACKET, - DECODE_UDP_DGRAM_LONG_PACKET_STR, - ScDecoderOversizedAlerts(), - ScDecoderOversizedDrops()); + if (payload_len > len) + { + if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) + DecoderEvent(p, DECODE_IPV6_DGRAM_GT_CAPLEN, + DECODE_IPV6_DGRAM_GT_CAPLEN_STR, + ScDecoderOversizedAlerts(), ScDecoderOversizedDrops()); - p->udph = NULL; - pc.discards++; - pc.udisc++; + goto decodeipv6_fail; + } + } + + /* Teredo packets should always use the 2001:0000::/32 prefix, or in some + cases the link-local prefix fe80::/64. + Source: RFC 4380, section 2.6 & section 5.2.1 + + Checking the addresses will save us from numerous false positives + when UDP clients use 3544 as their ephemeral port, or "Deep Teredo + Inspection" is turned on. + + If we ever start decoding more than 2 layers of IP in a packet, this + check against p->proto_bits will need to be refactored. 
*/ + if ((p->proto_bits & PROTO_BIT__TEREDO) && (CheckTeredoPrefix(hdr) == 0)) + { + goto decodeipv6_fail; + } + + /* lay the IP struct over the raw data */ + // this is ugly but necessary to keep the rest of the code happy + p->inner_iph = p->iph = (IPHdr *)pkt; + + /* Build Packet structure's version of the IP6 header */ + sfiph_build(p, hdr, AF_INET6); + +#ifdef GRE + /* Remove outer IP options */ + if (p->encapsulated) + { + p->ip_options_data = NULL; + p->ip_options_len = 0; + p->ip_lastopt_bad = 0; + } +#endif + p->ip_option_count = 0; + + /* set the real IP length for logging */ + p->actual_ip_len = ntohs(p->ip6h->len); + p->ip_data = pkt + IP6_HDR_LEN; + p->ip_dsize = ntohs(p->ip6h->len); + + PushLayer(PROTO_IP6, p, pkt, sizeof(*hdr)); + + IPV6MiscTests(p); + + DecodeIPV6Extensions(GET_IPH_PROTO(p), pkt + IP6_HDR_LEN, ntohs(p->ip6h->len), p); + return; +decodeipv6_fail: + /* If this was Teredo, back up and treat the packet as normal UDP. */ + if (p->proto_bits & PROTO_BIT__TEREDO) + { + pc.ipv6--; + pc.teredo--; + p->proto_bits &= ~PROTO_BIT__TEREDO; +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipv6--; +#endif return; } - /* fill in the printout data structs */ - p->sp = ntohs(p->udph->uh_sport); - p->dp = ntohs(p->udph->uh_dport); + pc.discards++; + pc.ipv6disc++; +} +#endif /* SUP_IP6 */ - if (ScUdpChecksums()) +//-------------------------------------------------------------------- +// decode.c::ICMP6 +//-------------------------------------------------------------------- + +#ifdef SUP_IP6 +void DecodeICMP6(const uint8_t *pkt, uint32_t len, Packet *p) +{ + struct pseudoheader6 + { + uint32_t sip[4], dip[4]; + uint8_t zero; + uint8_t protocol; + uint16_t icmplen; + }; + if(len < ICMP6_MIN_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP6 header (%d bytes).\n", len);); + + if ( Event_Enabled(DECODE_ICMP6_HDR_TRUNC) ) + DecoderEvent(p, EVARGS(ICMP6_HDR_TRUNC), 1, 1); + + pc.discards++; + return; + } + + p->icmph = 
(ICMPHdr*)pkt; + /* Do checksums */ + if (ScIcmpChecksums()) { - /* look at the UDP checksum to make sure we've got a good packet */ uint16_t csum; + #ifdef SUP_IP6 - if(IS_IP4(p)) + if(IS_IP4(p)) { - struct pseudoheader ph; - ph.sip = *p->ip4h->ip_src.ip32; - ph.dip = *p->ip4h->ip_dst.ip32; -#else - struct pseudoheader ph; - ph.sip = (uint32_t)(p->iph->ip_src.s_addr); - ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); #endif - ph.zero = 0; - ph.protocol = GET_IPH_PROTO(p); - ph.udplen = p->udph->uh_len; - /* Don't do checksum calculation if - * 1) Fragmented, OR - * 2) UDP header chksum value is 0. - */ - if( !fragmented_udp_flag && p->udph->uh_chk ) - { - csum = in_chksum_udp((uint16_t *)&ph, - (uint16_t *)(p->udph), uhlen); - } - else - { - csum = 0; - } + csum = in_chksum_icmp((uint16_t *)(p->icmph), len); #ifdef SUP_IP6 } - else + /* IPv6 traffic */ + else { struct pseudoheader6 ph6; COPY4(ph6.sip, p->ip6h->ip_src.ip32); COPY4(ph6.dip, p->ip6h->ip_dst.ip32); ph6.zero = 0; ph6.protocol = GET_IPH_PROTO(p); - ph6.udplen = htons((u_short)len); + ph6.icmplen = htons((u_short)len); - /* Alert on checksum value 0 for ipv6 packets */ - if(!p->udph->uh_chk) - { - csum = 1; - DecoderEvent(p, DECODE_UDP_IPV6_ZERO_CHECKSUM, - DECODE_UDP_IPV6_ZERO_CHECKSUM_STR, 1, 1); - } - /* Don't do checksum calculation if - * 1) Fragmented - * (UDP checksum is not optional in IP6) - */ - else if( !fragmented_udp_flag ) - { - csum = in_chksum_udp6((uint16_t *)&ph6, - (uint16_t *)(p->udph), uhlen); - } - else - { - csum = 0; - } + csum = in_chksum_icmp6((uint16_t *)&ph6, (uint16_t *)(p->icmph), len); } #endif if(csum) { - p->error_flags |= PKT_ERR_CKSUM_UDP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n");); + p->error_flags |= PKT_ERR_CKSUM_ICMP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); if ( ScIdsMode() ) - queueExecDrop(execUdpChksmDrop, p); + queueExecDrop(execIcmpChksmDrop, p); } else { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP Checksum: OK\n");); 
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); } } - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP header starts at: %p\n", p->udph);); + p->dsize = (u_short)(len - ICMP6_MIN_HEADER_LEN); + p->data = pkt + ICMP6_MIN_HEADER_LEN; - PushLayer(PROTO_UDP, p, pkt, sizeof(*p->udph)); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", + p->icmph->type, p->icmph->code);); - p->data = (uint8_t *) (pkt + UDP_HEADER_LEN); - - /* length was validated up above */ - p->dsize = uhlen - UDP_HEADER_LEN; - - /* Drop packet if we ignore this port */ - if (ScIgnoreUdpPort(p->sp) || ScIgnoreUdpPort(p->dp)) + switch(p->icmph->type) { - /* Ignore all preprocessors for this packet */ - p->packet_flags |= PKT_IGNORE_PORT; - } + case ICMP6_ECHO: + case ICMP6_REPLY: + if (p->dsize >= sizeof(struct idseq)) + { + p->icmp6h = (ICMP6Hdr *)pkt; + /* Set data pointer to that of the "echo message" */ + /* add the size of the echo ext to the data + * ptr and subtract it from the data size */ + p->dsize -= sizeof(struct idseq); + p->data += sizeof(struct idseq); - p->proto_bits |= PROTO_BIT__UDP; + if ( Event_Enabled(DECODE_ICMP6_DST_MULTICAST) ) + if ( p->ip6h->ip_dst.ip.u6_addr8[0] == IP6_MULTICAST ) + DecoderEvent(p, EVARGS(ICMP6_DST_MULTICAST), 1, 1); - UDPMiscTests(p); + PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP Echo header (%d bytes).\n", len);); -#ifdef SUP_IP6 - if (p->sp == TEREDO_PORT || - p->dp == TEREDO_PORT || - ScDeepTeredoInspection()) - { - DecodeTeredo(pkt + sizeof(UDPHdr), - len - sizeof(UDPHdr), p); - } -#endif -} + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); + p->icmp6h = NULL; + pc.discards++; + pc.icmpdisc++; + return; + } + break; + case ICMP6_BIG: + if (p->dsize >= sizeof(ICMP6TooBig)) + { + ICMP6TooBig *too_big = (ICMP6TooBig *)pkt; + p->icmp6h = (ICMP6Hdr *)pkt; + /* Set data pointer past MTU */ + p->data += 4; + 
p->dsize -= 4; -/* - * Function: DecodeICMP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the ICMP transport layer - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to the decoded packet struct - * - * Returns: void function - */ -void DecodeICMP(const uint8_t * pkt, const uint32_t len, Packet * p) -{ - if(len < ICMP_HEADER_LEN) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP4 header (%d bytes)\n", len);); + if (ntohl(too_big->mtu) < 1280) + { + DecoderEvent(p, DECODE_ICMPV6_TOO_BIG_BAD_MTU, + DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR, 1, 1); + } - if ( Event_Enabled(DECODE_ICMP4_HDR_TRUNC) ) - DecoderEvent(p, EVARGS(ICMP4_HDR_TRUNC), 1, 1); + PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); + DecodeICMPEmbeddedIP6(p->data, p->dsize, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "WARNING: Truncated ICMP header (%d bytes).\n", len);); - p->icmph = NULL; - pc.discards++; - pc.icmpdisc++; + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - return; - } + p->icmp6h = NULL; + pc.discards++; + pc.icmpdisc++; + return; + } + break; - /* set the header ptr first */ - p->icmph = (ICMPHdr *) pkt; + case ICMP6_TIME: + case ICMP6_PARAMS: + case ICMP6_UNREACH: + if (p->dsize >= 4) + { + p->icmp6h = (ICMP6Hdr *)pkt; + /* Set data pointer past the 'unused/mtu/pointer block */ + p->data += 4; + p->dsize -= 4; - switch (p->icmph->type) - { - // fall through ... 
- case ICMP_SOURCE_QUENCH: - case ICMP_DEST_UNREACH: - case ICMP_REDIRECT: - case ICMP_TIME_EXCEEDED: - case ICMP_PARAMETERPROB: - case ICMP_ECHOREPLY: - case ICMP_ECHO: - case ICMP_ROUTER_ADVERTISE: - case ICMP_ROUTER_SOLICIT: - case ICMP_INFO_REQUEST: - case ICMP_INFO_REPLY: - if (len < 8) + if ((p->icmp6h->type == ICMP6_UNREACH) && (p->icmp6h->code == 2)) + { + DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_BAD_CODE, + DECODE_ICMPV6_UNREACHABLE_BAD_CODE_STR, 1, 1); + } + + PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); + DecodeICMPEmbeddedIP6(p->data, p->dsize, p); + } + else { DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Truncated ICMP header(%d bytes)\n", len);); + "WARNING: Truncated ICMP header (%d bytes).\n", len);); - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - p->icmph = NULL; + p->icmp6h = NULL; pc.discards++; pc.icmpdisc++; - return; } break; - case ICMP_TIMESTAMP: - case ICMP_TIMESTAMPREPLY: - if (len < 20) + case ICMP6_ADVERTISEMENT: + if (p->dsize >= (sizeof(ICMP6RouterAdvertisement) - ICMP6_MIN_HEADER_LEN)) + { + ICMP6RouterAdvertisement *ra = (ICMP6RouterAdvertisement *)pkt; + p->icmp6h = (ICMP6Hdr *)pkt; + if (p->icmp6h->code != 0) + { + DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_CODE, + DECODE_ICMPV6_ADVERT_BAD_CODE_STR, 1, 1); + } + if (ntohl(ra->reachable_time) > 3600000) + { + DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_REACHABLE, + DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR, 1, 1); + } + PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); + } + else { DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Truncated ICMP header(%d bytes)\n", len);); + "WARNING: Truncated ICMP header (%d bytes).\n", len);); - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR, - DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR, 1, 1); + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - p->icmph = NULL; + p->icmp6h = NULL; pc.discards++; pc.icmpdisc++; - return; } break; - 
case ICMP_ADDRESS: - case ICMP_ADDRESSREPLY: - if (len < 12) + case ICMP6_SOLICITATION: + if (p->dsize >= (sizeof(ICMP6RouterSolicitation) - ICMP6_MIN_HEADER_LEN)) + { + ICMP6RouterSolicitation *rs = (ICMP6RouterSolicitation *)pkt; + p->icmp6h = (ICMP6Hdr *)pkt; + if (rs->code != 0) + { + DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_CODE, + DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR, 1, 1); + } + if (ntohl(rs->reserved) != 0) + { + DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED, + DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR, 1, 1); + } + PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); + } + else { DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "Truncated ICMP header(%d bytes)\n", len);); + "WARNING: Truncated ICMP header (%d bytes).\n", len);); + DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, + DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ADDRHDR, - DECODE_ICMP_DGRAM_LT_ADDRHDR_STR, 1, 1); - - p->icmph = NULL; + p->icmp6h = NULL; pc.discards++; pc.icmpdisc++; - return; } break; default: - if ( Event_Enabled(DECODE_ICMP4_TYPE_OTHER) ) - DecoderEvent(p, EVARGS(ICMP4_TYPE_OTHER), 1, 1); + if ( Event_Enabled(DECODE_ICMP6_TYPE_OTHER) ) + DecoderEvent(p, EVARGS(ICMP6_TYPE_OTHER), 1, 1); + + PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); break; } + p->proto_bits |= PROTO_BIT__ICMP; +} - if (ScIcmpChecksums()) +/* + * Function: DecodeICMPEmbeddedIP6(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the ICMP embedded IP6 header + payload + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to dummy packet decode struct + * + * Returns: void function + */ +void DecodeICMPEmbeddedIP6(const uint8_t *pkt, const uint32_t len, Packet *p) +{ + uint16_t orig_frag_offset; + + /* lay the IP struct over the raw data */ + IP6RawHdr* hdr = (IP6RawHdr*)pkt; + pc.embdip++; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP6: ip header" + " starts at: %p, length 
is %lu\n", hdr, + (unsigned long) len);); + + /* do a little validation */ + if ( len < IP6_HDR_LEN ) { - uint16_t csum = in_chksum_icmp((uint16_t *)p->icmph, len); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP6: IP short header (%d bytes)\n", len);); - if(csum) - { - p->error_flags |= PKT_ERR_CKSUM_ICMP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); + DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED, + DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1); - if ( ScIdsMode() ) - queueExecDrop(execIcmpChksmDrop, p); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); - } + pc.discards++; + return; } - p->dsize = (u_short)(len - ICMP_HEADER_LEN); - p->data = pkt + ICMP_HEADER_LEN; + /* + * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. + * So we are just ignoring non IP datagrams + */ + if ( (hdr->ip6vfc >> 4) != 6 ) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "ICMP: not IPv6 datagram ([ver: 0x%x][len: 0x%x])\n", + (hdr->ip6vfc >> 4), len);); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", - p->icmph->code, p->icmph->type);); + DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH, + DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1); - switch(p->icmph->type) - { - case ICMP_ECHO: - ICMP4AddrTests(p); - // fall through ... 
+ pc.discards++; + return; + } - case ICMP_ECHOREPLY: - /* setup the pkt id and seq numbers */ - p->dsize -= sizeof(struct idseq); /* add the size of the - * echo ext to the data - * ptr and subtract it - * from the data size */ - p->data += sizeof(struct idseq); - PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN); - break; - - case ICMP_DEST_UNREACH: - if ((p->icmph->code == ICMP_FRAG_NEEDED) - && (ntohs(p->icmph->s_icmp_nextmtu) < 576)) - { - if ( Event_Enabled(DECODE_ICMP_PATH_MTU_DOS) ) - DecoderEvent(p, EVARGS(ICMP_PATH_MTU_DOS), 1, 1); - } - - /* Fall through */ - - case ICMP_SOURCE_QUENCH: - case ICMP_REDIRECT: - case ICMP_TIME_EXCEEDED: - case ICMP_PARAMETERPROB: - /* account for extra 4 bytes in header */ - p->dsize -= 4; - p->data += 4; - - PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN); - DecodeICMPEmbeddedIP(p->data, p->dsize, p); - break; - - default: - PushLayer(PROTO_ICMP4, p, pkt, ICMP_HEADER_LEN); - break; - } - - /* Run a bunch of ICMP decoder rules */ - ICMP4MiscTests(p); - - p->proto_bits |= PROTO_BIT__ICMP; -} - -/* - * Function: DecodeICMPEmbeddedIP(uint8_t *, const uint32_t, Packet *) - * - * Purpose: Decode the ICMP embedded IP header + 64 bits payload - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to dummy packet decode struct - * - * Returns: void function - */ -void DecodeICMPEmbeddedIP(const uint8_t *pkt, const uint32_t len, Packet *p) -{ - uint32_t ip_len; /* length from the start of the ip hdr to the - * pkt end */ - uint32_t hlen; /* ip header length */ - uint16_t orig_frag_offset; - - /* do a little validation */ - if(len < IP_HEADER_LEN) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "ICMP: IP short header (%d bytes)\n", len);); - - DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED, - DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1); - -#ifdef SUP_IP6 - p->orig_family = NO_IP; -#endif - p->orig_iph = NULL; - return; - } - - /* lay the IP struct over the raw data */ -#ifdef 
SUP_IP6 - sfiph_orig_build(p, pkt, AF_INET); -#endif - p->orig_iph = (IPHdr *) pkt; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP: ip header" - " starts at: %p, length is %lu\n", p->orig_iph, - (unsigned long) len);); - /* - * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. - * So we are just ignoring non IP datagrams - */ - if((GET_ORIG_IPH_VER(p) != 4) && !IS_IP6(p)) + if ( len < IP6_HDR_LEN ) { DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "ICMP: not IPv4 datagram ([ver: 0x%x][len: 0x%x])\n", - GET_ORIG_IPH_VER(p), GET_ORIG_IPH_LEN(p));); + "ICMP6: IP6 len (%d bytes) < IP6 hdr len (%d bytes), packet discarded\n", + len, IP6_HDR_LEN);); - DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH, - DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1); + DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, + DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1); -#ifdef SUP_IP6 - p->orig_family = NO_IP; -#endif - p->orig_iph = NULL; + pc.discards++; return; } - - /* set the IP datagram length */ - ip_len = ntohs(GET_ORIG_IPH_LEN(p)); - - /* set the IP header length */ -#ifdef SUP_IP6 - hlen = (p->orig_ip4h->ip_verhl & 0x0f) << 2; -#else - hlen = IP_HLEN(p->orig_iph) << 2; -#endif - - if(len < hlen) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "ICMP: IP len (%d bytes) < IP hdr len (%d bytes), packet discarded\n", - ip_len, hlen);); - - DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, - DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1); - #ifdef SUP_IP6 - p->orig_family = NO_IP; + sfiph_orig_build(p, pkt, AF_INET6); #endif - p->orig_iph = NULL; - return; - } - - /* set the remaining packet length */ - ip_len = len - hlen; orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p)); orig_frag_offset &= 0x1FFF; - if (orig_frag_offset == 0) - { - /* Original IP payload should be 64 bits */ - if (ip_len < 8) - { - DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64, - DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1); - - return; - } - /* ICMP error packets could contain as much of original 
payload - * as possible, but not exceed 576 bytes - */ - else if (ntohs(GET_IPH_LEN(p)) > 576) - { - DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_GT_576, - DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 1, 1); - } - } - else - { - /* RFC states that only first frag will get an ICMP response */ - DecoderEvent(p, DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET, - DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 1, 1); - return; - } + // XXX NOT YET IMPLEMENTED - fragments inside ICMP payload - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP Unreachable IP header length: " - "%lu\n", (unsigned long)hlen);); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP6 Unreachable IP6 header length: " + "%lu\n", (unsigned long)IP6_HDR_LEN);); switch(GET_ORIG_IPH_PROTO(p)) { case IPPROTO_TCP: /* decode the interesting part of the header */ - p->orig_tcph = (TCPHdr *)(pkt + hlen); + p->orig_tcph = (TCPHdr *)(pkt + IP6_HDR_LEN); /* stuff more data into the printout data struct */ p->orig_sp = ntohs(p->orig_tcph->th_sport); @@ -4286,7 +4541,7 @@ break; case IPPROTO_UDP: - p->orig_udph = (UDPHdr *)(pkt + hlen); + p->orig_udph = (UDPHdr *)(pkt + IP6_HDR_LEN); /* fill in the printout data structs */ p->orig_sp = ntohs(p->orig_udph->uh_sport); 
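Review bot: The new `p->orig_udph = (UDPHdr *)(pkt + IP6_HDR_LEN);` is dereferenced on the next context line by `p->orig_sp = ntohs(p->orig_udph->uh_sport);`, but the only bound DecodeICMPEmbeddedIP6 checks before this switch is `len < IP6_HDR_LEN`, and the IPv4 decoder's `ip_len < 8` guard on the original payload (visible as removed code just before this hunk) has no IPv6 counterpart. An ICMPv6 error whose embedded datagram ends right after the 40-byte IPv6 header therefore reads the port fields past the captured data; the same applies to the TCP case above this hunk. A guard before the switch such as `if (len < IP6_HDR_LEN + 8) { DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64, DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1); return; }` would restore the 64-bit minimum the IPv4 path enforced, assuming that event is still defined after this reorganization. DecodeICMPEmbeddedIP6 begins and ends outside this hunk.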
@@ -4295,2768 +4550,2839 @@ break; case IPPROTO_ICMP: - p->orig_icmph = (ICMPHdr *)(pkt + hlen); + p->orig_icmph = (ICMPHdr *)(pkt + IP6_HDR_LEN); break; } return; } +#endif -/* - * Function: DecodeARP(uint8_t *, uint32_t, Packet *) - * - * Purpose: Decode ARP stuff +//-------------------------------------------------------------------- +// decode.c::Teredo +//-------------------------------------------------------------------- + +/* Function: DecodeTeredo(uint8_t *, uint32_t, Packet *) * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct + * Teredo is IPv6 layered over UDP, with optional "indicators" in between. + * Decode these (if present) and go to DecodeIPv6. * - * Returns: void function */ -void DecodeARP(const uint8_t * pkt, uint32_t len, Packet * p) + +#ifdef SUP_IP6 +void DecodeTeredo(const uint8_t *pkt, uint32_t len, Packet *p) { - pc.arp++; + if (len < TEREDO_MIN_LEN) + return; -#ifdef GRE - if (p->greh != NULL) - pc.gre_arp++; -#endif + /* Decode indicators. If both are present, Auth always comes before Origin. 
*/ + if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_AUTH) + { + uint8_t client_id_length, auth_data_length; - p->ah = (EtherARP *) pkt; + if (len < TEREDO_INDICATOR_AUTH_MIN_LEN) + return; - if(len < sizeof(EtherARP)) + client_id_length = *(pkt + 2); + auth_data_length = *(pkt + 3); + + if (len < (uint32_t)(TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length)) + return; + + pkt += (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length); + len -= (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length); + } + + if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_ORIGIN) { - DecoderEvent(p, DECODE_ARP_TRUNCATED, - DECODE_ARP_TRUNCATED_STR, 1, 1); + if (len < TEREDO_INDICATOR_ORIGIN_LEN) + return; - pc.discards++; - return; + pkt += TEREDO_INDICATOR_ORIGIN_LEN; + len -= TEREDO_INDICATOR_ORIGIN_LEN; } - p->proto_bits |= PROTO_BIT__ARP; - PushLayer(PROTO_ARP, p, pkt, sizeof(*p->ah)); + /* If this is an IPv6 datagram, the first 4 bits will be the number 6. */ + if (( (*pkt & 0xF0) >> 4) == 6) + { + p->proto_bits |= PROTO_BIT__TEREDO; + pc.teredo++; + + if (ScDeepTeredoInspection() && (p->sp != TEREDO_PORT) && (p->dp != TEREDO_PORT)) + p->packet_flags |= PKT_UNSURE_ENCAP; + + DecodeIPV6(pkt, len, p); + + p->packet_flags &= ~PKT_UNSURE_ENCAP; + } + + /* Otherwise, we treat this as normal UDP traffic. */ + return; } +#endif + +//-------------------------------------------------------------------- +// decode.c::ESP +//-------------------------------------------------------------------- -#ifndef NO_NON_ETHER_DECODER /* - * Function: DecodeEapol(uint8_t *, uint32_t, Packet *) + * Function: DecodeESP(const uint8_t *, uint32_t, Packet *) * - * Purpose: Decode 802.1x eapol stuff + * Purpose: Attempt to decode Encapsulated Security Payload. + * The contents are probably encrypted, but ESP is sometimes used + * with "null" encryption, solely for Authentication. 
+ * This is more of a heuristic -- there is no ESP field that specifies + * the encryption type (or lack thereof). * * Arguments: pkt => ptr to the packet data * len => length from here to the end of the packet - * p => pointer to decoded packet struct + * p => ptr to the Packet struct being filled out * * Returns: void function */ -void DecodeEapol(const uint8_t * pkt, uint32_t len, Packet * p) +void DecodeESP(const uint8_t *pkt, uint32_t len, Packet *p) { - p->eplh = (EtherEapol *) pkt; - pc.eapol++; - if(len < sizeof(EtherEapol)) - { - DecoderEvent(p, DECODE_EAPOL_TRUNCATED, - DECODE_EAPOL_TRUNCATED_STR, 1, 1); + uint8_t next_header; + uint8_t pad_length; + const uint8_t *esp_payload; - pc.discards++; + /* The ESP header contains a crypto Initialization Vector (IV) and + a sequence number. Skip these. */ + if (len < (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN)) + { + /* Truncated ESP traffic. Bail out here and inspect the rest as payload. */ + DecoderEvent(p, EVARGS(ESP_HEADER_TRUNC), 1, 1); + p->data = pkt; + p->dsize = (uint16_t) len; return; } - if (p->eplh->eaptype == EAPOL_TYPE_EAP) { - DecodeEAP(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); - } - else if(p->eplh->eaptype == EAPOL_TYPE_KEY) { - DecodeEapolKey(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); - } - return; -} + esp_payload = pkt + ESP_HEADER_LEN; -/* - * Function: DecodeEapolKey(uint8_t *, uint32_t, Packet *) - * - * Purpose: Decode 1x key setup - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct - * - * Returns: void function - */ -void DecodeEapolKey(const uint8_t * pkt, uint32_t len, Packet * p) -{ - p->eapolk = (EapolKey *) pkt; - if(len < sizeof(EapolKey)) - { - DecoderEvent(p, DECODE_EAPKEY_TRUNCATED, - DECODE_EAPKEY_TRUNCATED_STR, 1, 1); + /* The Authentication Data at the end of the packet is variable-length. 
+ RFC 2406 says that Encryption and Authentication algorithms MUST NOT + both be NULL, so we assume NULL Encryption and some other Authentication. - pc.discards++; + The mandatory algorithms for Authentication are HMAC-MD5-96 and + HMAC-SHA-1-96, so we assume a 12-byte authentication data at the end. */ + len -= (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN); + + pad_length = *(esp_payload + len); + next_header = *(esp_payload + len + 1); + + /* Adjust the packet length to account for the padding. + If the padding length is too big, this is probably encrypted traffic. */ + if (pad_length < len) + { + len -= (pad_length); + } + else + { + p->data = esp_payload; + p->dsize = (u_short) len; return; } - return; + /* Attempt to decode the inner payload. + There is a small chance that an encrypted next_header would become a + different valid next_header. The PKT_UNSURE_ENCAP flag tells the next + decoder stage to silently ignore invalid headers. */ + + p->packet_flags |= PKT_UNSURE_ENCAP; + switch (next_header) + { + case IPPROTO_IPIP: + DecodeIP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_IPV6: + DecodeIPV6(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_TCP: + pc.tcp++; + DecodeTCP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_UDP: + pc.udp++; + DecodeUDP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + + case IPPROTO_ICMP: + pc.icmp++; + DecodeICMP(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; + +#ifdef GRE + case IPPROTO_GRE: + pc.gre++; + DecodeGRE(esp_payload, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; + return; +#endif + + default: + /* If we didn't get a valid next_header, this packet is probably + encrypted. Start data here and treat it as an IP datagram. 
*/ + p->data = esp_payload; + p->dsize = (u_short) len; + p->packet_flags &= ~PKT_UNSURE_ENCAP; + } } +//-------------------------------------------------------------------- +// decode.c::GRE +//-------------------------------------------------------------------- + +#ifdef GRE /* - * Function: DecodeEAP(uint8_t *, uint32_t, Packet *) + * Function: DecodeGRE(uint8_t *, uint32_t, Packet *) * - * Purpose: Decode Extensible Authentication Protocol + * Purpose: Decode Generic Routing Encapsulation Protocol + * This will decode normal GRE and PPTP GRE. * * Arguments: pkt => ptr to the packet data * len => length from here to the end of the packet * p => pointer to decoded packet struct * * Returns: void function + * + * Notes: see RFCs 1701, 2784 and 2637 */ -void DecodeEAP(const uint8_t * pkt, const uint32_t len, Packet * p) +void DecodeGRE(const uint8_t *pkt, const uint32_t len, Packet *p) { - p->eaph = (EAPHdr *) pkt; - if(len < sizeof(EAPHdr)) - { - DecoderEvent(p, DECODE_EAP_TRUNCATED, - DECODE_EAP_TRUNCATED_STR, 1, 1); + uint32_t hlen; /* GRE header length */ + uint32_t payload_len; - pc.discards++; + if (len < GRE_HEADER_LEN) + { + DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR, + DECODE_GRE_DGRAM_LT_GREHDR_STR, + pkt, len); return; } - if (p->eaph->code == EAP_CODE_REQUEST || - p->eaph->code == EAP_CODE_RESPONSE) { - p->eaptype = pkt + sizeof(EAPHdr); - } - return; -} -#endif // NO_NON_ETHER_DECODER -#ifndef SUP_IP6 -static INLINE void FragEvent ( - Packet *p, int gid, char *str, int event_flag, int drop_flag) -{ - if(ScIdsMode() && event_flag) + if (p->encapsulated) { - queueDecoderEvent(GENERATOR_SPP_FRAG3, gid, 1, - DECODE_CLASS, 3, str, 0); - - if ( drop_flag ) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");); - Active_DropSession(); - } + /* discard packet - multiple GRE encapsulation */ + /* not sure if this is ever used but I am assuming it is not */ + DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, + 
DECODE_IP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); + return; } -} -void BsdFragHashCleanup(void) -{ - if (ipv6_frag_hash) + /* Note: Since GRE doesn't have a field to indicate header length and + * can contain a few options, we need to walk through the header to + * figure out the length + */ + + p->greh = (GREHdr *)pkt; + hlen = GRE_HEADER_LEN; + + switch (GRE_VERSION(p->greh)) { - sfxhash_delete(ipv6_frag_hash); - ipv6_frag_hash = NULL; - } -} + case 0x00: + /* these must not be set */ + if (GRE_RECUR(p->greh) || GRE_FLAGS(p->greh)) + { + DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_HEADER, + DECODE_GRE_INVALID_HEADER_STR, + pkt, len); + return; + } -void BsdFragHashReset(void) -{ - if (ipv6_frag_hash != NULL) - sfxhash_make_empty(ipv6_frag_hash); -} + if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh)) + hlen += GRE_CHKSUM_LEN + GRE_OFFSET_LEN; -void BsdFragHashInit(int max) -{ - int rows = sfxhash_calcrows((int) (max * 1.4)); + if (GRE_KEY(p->greh)) + hlen += GRE_KEY_LEN; - ipv6_frag_hash = sfxhash_new( - /* one row per element in table, when possible */ - rows, - 40, /* key size padded for 64 bit alignment */ - sizeof(time_t), /* data size */ - /* Set max to the sizeof a hash node, plus the size of - * the stored data, plus the size of the key (32), plus - * this size of a node pointer plus max rows plus 1. 
*/ - max * (40 + sizeof(SFXHASH_NODE) + sizeof(time_t) + sizeof(SFXHASH_NODE*)) - + (rows+1) * sizeof(SFXHASH_NODE*), - 1, /* enable AutoNodeRecovery */ - NULL, /* provide a function to let user know we want to kill a node */ - NULL, /* provide a function to release user memory */ - 1); /* Recycle nodes */ + if (GRE_SEQ(p->greh)) + hlen += GRE_SEQ_LEN; - if (!ipv6_frag_hash) { - FatalError("could not allocate ipv6_frag_hash"); - } -} + /* if this flag is set, we need to walk through all of the + * Source Route Entries */ + if (GRE_ROUTE(p->greh)) + { + uint16_t sre_addrfamily; + uint8_t sre_offset; + uint8_t sre_length; + const uint8_t *sre_ptr; -static INLINE void BsdFragVulnCheck(Packet *p, const uint8_t *data, uint32_t size) -{ - IP6Frag *frag; - unsigned short frag_data; - char key[40]; /* Two 16 bit IP addresses and one fragmentation ID plus pad */ - SFXHASH_NODE *hash_node; + sre_ptr = pkt + hlen; - if(sizeof(IP6Frag) > size) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } + while (1) + { + hlen += GRE_SRE_HEADER_LEN; + if (hlen > len) + break; - frag = (IP6Frag *)data; - frag_data = frag->ip6f_offlg; + sre_addrfamily = ntohs(*((uint16_t *)sre_ptr)); + sre_ptr += sizeof(sre_addrfamily); - /* Source and dest IPs */ - memcpy(key, (u_char*)p->iph + 8, 32); - *(uint32_t*)(key+32) = frag->ip6f_ident; - *(uint32_t*)(key+36) = 0; /* zero out the pad */ + sre_offset = *((uint8_t *)sre_ptr); + sre_ptr += sizeof(sre_offset); - hash_node = sfxhash_find_node(ipv6_frag_hash, key); + sre_length = *((uint8_t *)sre_ptr); + sre_ptr += sizeof(sre_length); - /* Check if the frag offset mask is set. 
- * If it is, we're not looking at the exploit in question */ - if(IP6F_OFFSET(frag) != 0) - { - /* If this arrives before the two 0 offset frags, we will - * still add them as though they were the first, and false - * positive */ - if(hash_node) - sfxhash_free_node(ipv6_frag_hash, hash_node); + if ((sre_addrfamily == 0) && (sre_length == 0)) + break; - return; - } + hlen += sre_length; + sre_ptr += sre_length; + } + } - /* Check if there are no more frags */ - if(!IP6F_MF(frag)) - { - /* At this point, we've seen a frag header with no offset - * that doesn't have the more flags set. Need to see if - * this follows a packet that did have the more flag set. */ - if(hash_node) - { - /* Check if the first packet timed out */ - if ((p->pkth->ts.tv_sec - *(time_t *)hash_node->data) > (time_t)ScIpv6FragTimeout()) + break; + + /* PPTP */ + case 0x01: + /* these flags should never be present */ + if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh) || GRE_SSR(p->greh) || + GRE_RECUR(p->greh) || GRE_V1_FLAGS(p->greh)) { - sfxhash_free_node(ipv6_frag_hash, hash_node); + DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, + DECODE_GRE_V1_INVALID_HEADER_STR, + pkt, len); + return; + } - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR , - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); + /* protocol must be 0x880B - PPP */ + if (GRE_PROTO(p->greh) != GRE_TYPE_PPP) + { + DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, + DECODE_GRE_V1_INVALID_HEADER_STR, + pkt, len); return; } - if(size > 100) + /* this flag should always be present */ + if (!(GRE_KEY(p->greh))) { - /* XXX One of the alert message or alert type is mixed up? 
*/ - FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, - FRAG3_IPV6_BSD_ICMP_FRAG_STR, - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); + DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, + DECODE_GRE_V1_INVALID_HEADER_STR, + pkt, len); return; } - sfxhash_free_node(ipv6_frag_hash, hash_node); - - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR , - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); - return; - } - - /* We never saw the first packet, but this one is still bogus */ - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR , - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); - return; + hlen += GRE_KEY_LEN; + + if (GRE_SEQ(p->greh)) + hlen += GRE_SEQ_LEN; + + if (GRE_V1_ACK(p->greh)) + hlen += GRE_V1_ACK_LEN; + + break; + + default: + DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_VERSION, + DECODE_GRE_INVALID_VERSION_STR, + pkt, len); + return; } - - /* At this point, we've seen a header with no offset and a - * more flag */ - if(!hash_node) + + if (hlen > len) { - /* There are more frags remaining, add current to hash */ - if(sfxhash_add(ipv6_frag_hash, key, (void *)&p->pkth->ts.tv_sec) - == SFXHASH_NOMEM) - { - return; - } + DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR, + DECODE_GRE_DGRAM_LT_GREHDR_STR, + pkt, len); + return; } - else + + PushLayer(PROTO_GRE, p, pkt, hlen); + payload_len = len - hlen; + + /* Send to next protocol decoder */ + /* As described in RFC 2784 the possible protocols are listed in + * RFC 1700 under "ETHER TYPES" + * See also "Current List of Protocol Types" in RFC 1701 + */ + switch (GRE_PROTO(p->greh)) { - /* Update this node's timestamp */ - *(time_t *)hash_node->data = p->pkth->ts.tv_sec; + case ETHERNET_TYPE_IP: + DecodeIP(pkt + hlen, payload_len, p); + return; + + case GRE_TYPE_TRANS_BRIDGING: + DecodeTransBridging(pkt + hlen, payload_len, p); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + /* clear outer IP headers */ 
+ p->iph = NULL; +#ifdef SUP_IP6 + p->family = NO_IP; +#endif + DecodeARP(pkt + hlen, payload_len, p); + return; + + case ETHERNET_TYPE_IPV6: + DecodeIPV6(pkt + hlen, payload_len, p); + return; + + case GRE_TYPE_PPP: + DecodePppPktEncapsulated(pkt + hlen, payload_len, p); + return; + +#ifndef NO_NON_ETHER_DECODER + case ETHERNET_TYPE_IPX: + DecodeIPX(pkt + hlen, payload_len, p); + return; +#endif + + case ETHERNET_TYPE_LOOP: + DecodeEthLoopback(pkt + hlen, payload_len, p); + return; + + /* not sure if this occurs, but 802.1q is an Ether type */ + case ETHERNET_TYPE_8021Q: + DecodeVlan(pkt + hlen, payload_len, p); + return; + + default: + // TBD add decoder drop event for unknown gre/eth type + pc.other++; + p->data = pkt + hlen; + p->dsize = (uint16_t)payload_len; + return; } } -#endif +#endif // GRE +//-------------------------------------------------------------------- +// decode.c::GTP +//-------------------------------------------------------------------- -#ifdef SUP_IP6 -/* - * Function: DecodeICMPEmbeddedIP6(uint8_t *, const uint32_t, Packet *) +/* Function: DecodeGTP(uint8_t *, uint32_t, Packet *) * - * Purpose: Decode the ICMP embedded IP6 header + payload - * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to dummy packet decode struct + * GTP (GPRS Tunneling Protocol) is layered over UDP. + * Decode these (if present) and go to DecodeIPv6/DecodeIP. 
* - * Returns: void function */ -void DecodeICMPEmbeddedIP6(const uint8_t *pkt, const uint32_t len, Packet *p) + +void DecodeGTP(const uint8_t *pkt, uint32_t len, Packet *p) { - uint16_t orig_frag_offset; + uint32_t header_len; + uint8_t next_hdr_type; + uint8_t version; + uint8_t ip_ver; + GTPHdr *hdr; - /* lay the IP struct over the raw data */ - IP6RawHdr* hdr = (IP6RawHdr*)pkt; - pc.embdip++; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Start GTP decoding.\n");); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP6: ip header" - " starts at: %p, length is %lu\n", hdr, - (unsigned long) len);); + hdr = (GTPHdr *) pkt; - /* do a little validation */ - if ( len < IP6_HDR_LEN ) + if (p->GTPencapsulated) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "ICMP6: IP short header (%d bytes)\n", len);); - - DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED, - DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1); - - pc.discards++; + DecoderAlertEncapsulated(p, DECODE_GTP_MULTIPLE_ENCAPSULATION, + DECODE_GTP_MULTIPLE_ENCAPSULATION_STR, + pkt, len); return; } + else + { + p->GTPencapsulated = 1; + } + /*Check the length*/ + if (len < GTP_MIN_LEN) + return; + /* We only care about PDU*/ + if ( hdr->type != 255) + return; + /*Check whether this is GTP or GTP', Exit if GTP'*/ + if (!(hdr->flag & 0x10)) + return; - /* - * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP. 
- * So we are just ignoring non IP datagrams - */ - if ( (hdr->ip6vfc >> 4) != 6 ) + /*The first 3 bits are version number*/ + version = (hdr->flag & 0xE0) >> 5; + switch (version) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "ICMP: not IPv6 datagram ([ver: 0x%x][len: 0x%x])\n", - (hdr->ip6vfc >> 4), len);); + case 0: /*GTP v0*/ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v0 packets.\n");); - DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH, - DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1); + header_len = GTP_V0_HEADER_LEN; + /*Check header fields*/ + if (len < header_len) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } - pc.discards++; - return; - } + p->proto_bits |= PROTO_BIT__GTP; - if ( len < IP6_HDR_LEN ) - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "ICMP6: IP6 len (%d bytes) < IP6 hdr len (%d bytes), packet discarded\n", - len, IP6_HDR_LEN);); + /*Check the length field. */ + if (len != ((unsigned int)ntohs(hdr->length) + header_len)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n", + len - header_len, ntohs(hdr->length));); + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } - DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP, - DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1); + break; + case 1: /*GTP v1*/ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v1 packets.\n");); - pc.discards++; - return; - } -#ifdef SUP_IP6 - sfiph_orig_build(p, pkt, AF_INET6); -#endif + /*Check the length based on optional fields and extension header*/ + if (hdr->flag & 0x07) + { - orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p)); - orig_frag_offset &= 0x1FFF; + header_len = GTP_V1_HEADER_LEN; - // XXX NOT YET IMPLEMENTED - fragments inside ICMP payload + /*Check optional fields*/ + if (len < header_len) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } + next_hdr_type = *(pkt + header_len - 1); - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP6 Unreachable IP6 header length: " - "%lu\n", (unsigned long)IP6_HDR_LEN);); 
+ /*Check extension headers*/ + while (next_hdr_type) + { + /*check length before reading data*/ + if (len < header_len + 4) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } + /*Extension header length is a unit of 4 octets*/ + header_len += *(pkt + header_len) * 4; - switch(GET_ORIG_IPH_PROTO(p)) - { - case IPPROTO_TCP: /* decode the interesting part of the header */ - p->orig_tcph = (TCPHdr *)(pkt + IP6_HDR_LEN); + /*check length before reading data*/ + if (len < header_len) + { + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } + next_hdr_type = *(pkt + header_len - 1); + } + } + else + header_len = GTP_MIN_LEN; - /* stuff more data into the printout data struct */ - p->orig_sp = ntohs(p->orig_tcph->th_sport); - p->orig_dp = ntohs(p->orig_tcph->th_dport); + p->proto_bits |= PROTO_BIT__GTP; - break; + /*Check the length field. */ + if (len != ((unsigned int)ntohs(hdr->length) + GTP_MIN_LEN)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n", + len - GTP_MIN_LEN, ntohs(hdr->length));); + DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1); + return; + } - case IPPROTO_UDP: - p->orig_udph = (UDPHdr *)(pkt + IP6_HDR_LEN); + break; + default: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown protocol version.\n");); + return; - /* fill in the printout data structs */ - p->orig_sp = ntohs(p->orig_udph->uh_sport); - p->orig_dp = ntohs(p->orig_udph->uh_dport); + } - break; + PushLayer(PROTO_GTP, p, pkt, header_len); - case IPPROTO_ICMP: - p->orig_icmph = (ICMPHdr *)(pkt + IP6_HDR_LEN); - break; + len -= header_len; + if (len > 0) + { + ip_ver = *(pkt+header_len) & 0xF0; + if (ip_ver == 0x40) + DecodeIP(pkt+header_len, len, p); + else if (ip_ver == 0x60) + DecodeIPV6(pkt+header_len, len, p); + p->packet_flags &= ~PKT_UNSURE_ENCAP; } - return; } -#define IP6_MULTICAST 0xFF // first/most significant octet -#define IP6_MULTICAST_SCOPE_RESERVED 0x00 -#define IP6_MULTICAST_SCOPE_INTERFACE 0x01 -#define IP6_MULTICAST_SCOPE_LINK 
0x02 -#define IP6_MULTICAST_SCOPE_ADMIN 0x04 -#define IP6_MULTICAST_SCOPE_SITE 0x05 -#define IP6_MULTICAST_SCOPE_ORG 0x08 -#define IP6_MULTICAST_SCOPE_GLOBAL 0x0E +//-------------------------------------------------------------------- +// decode.c::UDP +//-------------------------------------------------------------------- -/* Check for multiple IPv6 Multicast-related alerts */ -static void CheckIPV6Multicast(Packet *p) +/* UDP-layer decoder alerts */ +static inline void UDPMiscTests(Packet *p) { - uint8_t multicast_scope; - - if ( p->ip6h->ip_src.ip.u6_addr8[0] == IP6_MULTICAST ) - { - DecoderEvent(p, DECODE_IPV6_SRC_MULTICAST, - DECODE_IPV6_SRC_MULTICAST_STR, 1, 1); - } - if ( p->ip6h->ip_dst.ip.u6_addr8[0] != IP6_MULTICAST ) + if ( Event_Enabled(DECODE_UDP_LARGE_PACKET) ) { - return; + if (p->dsize > 4000) + DecoderEvent(p, EVARGS(UDP_LARGE_PACKET), 1, 1); } - multicast_scope = p->ip6h->ip_dst.ip.u6_addr8[1] & 0x0F; - switch (multicast_scope) + if ( Event_Enabled(DECODE_UDP_PORT_ZERO) ) { - case IP6_MULTICAST_SCOPE_RESERVED: - case IP6_MULTICAST_SCOPE_INTERFACE: - case IP6_MULTICAST_SCOPE_LINK: - case IP6_MULTICAST_SCOPE_ADMIN: - case IP6_MULTICAST_SCOPE_SITE: - case IP6_MULTICAST_SCOPE_ORG: - case IP6_MULTICAST_SCOPE_GLOBAL: - break; - - default: - DecoderEvent(p, DECODE_IPV6_BAD_MULTICAST_SCOPE, - DECODE_IPV6_BAD_MULTICAST_SCOPE_STR, 1, 1); + if (p->sp == 0 || p->dp == 0) + DecoderEvent(p, EVARGS(UDP_PORT_ZERO), 1, 1); } +} - /* Check against assigned multicast addresses. 
These are listed at: - http://www.iana.org/assignments/ipv6-multicast-addresses/ */ +/* + * Function: DecodeUDP(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the UDP transport layer + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +static inline void PopUdp (Packet* p) +{ + p->udph = p->outer_udph; + p->outer_udph = NULL; + pc.discards++; + pc.udisc++; - /* Multicast addresses only specify the first 16 and last 40 bits. - Others should be zero. */ - if ((p->ip6h->ip_dst.ip.u6_addr16[1] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[2] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[3] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[4] != 0) || - (p->ip6h->ip_dst.ip.u6_addr8[10] != 0)) - { - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - return; - } + // required for detect.c to short-circuit preprocessing + if ( !p->dsize ) + p->dsize = p->ip_dsize; +} - if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_INTERFACE) +void DecodeUDP(const uint8_t * pkt, const uint32_t len, Packet * p) +{ + struct pseudoheader6 { - // Node-local scope - if ((p->ip6h->ip_dst.ip.u6_addr16[1] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[2] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[3] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[4] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[5] != 0) || - (p->ip6h->ip_dst.ip.u6_addr16[6] != 0)) - { - - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - } - else - { - switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) - { - case 0x00000001: // All Nodes - case 0x00000002: // All Routers - case 0x000000FB: // mDNSv6 - break; - default: - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - } - } - } - else if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_LINK) - { - // 
Link-local scope - switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) - { - case 0x00000001: // All Nodes - case 0x00000002: // All Routers - case 0x00000004: // DVMRP Routers - case 0x00000005: // OSPFIGP - case 0x00000006: // OSPFIGP Designated Routers - case 0x00000007: // ST Routers - case 0x00000008: // ST Hosts - case 0x00000009: // RIP Routers - case 0x0000000A: // EIGRP Routers - case 0x0000000B: // Mobile-Agents - case 0x0000000C: // SSDP - case 0x0000000D: // All PIMP Routers - case 0x0000000E: // RSVP-ENCAPSULATION - case 0x0000000F: // UPnP - case 0x00000012: // VRRP - case 0x00000016: // All MLDv2-capable routers - case 0x0000006A: // All-Snoopers - case 0x0000006B: // PTP-pdelay - case 0x0000006C: // Saratoga - case 0x0000006D: // LL-MANET-Routers - case 0x0000006E: // IGRS - case 0x0000006F: // iADT Discovery - case 0x000000FB: // mDNSv6 - case 0x00010001: // Link Name - case 0x00010002: // All-dhcp-agents - case 0x00010003: // Link-local Multicast Name Resolution - case 0x00010004: // DTCP Announcement - break; - default: - if ((p->ip6h->ip_dst.ip.u6_addr8[11] == 1) && - (p->ip6h->ip_dst.ip.u6_addr8[12] == 0xFF)) - { - break; // Solicited-Node Address - } - if ((p->ip6h->ip_dst.ip.u6_addr8[11] == 2) && - (p->ip6h->ip_dst.ip.u6_addr8[12] == 0xFF)) - { - break; // Node Information Queries - } - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - } - } - else if (p->ip6h->ip_dst.ip.u6_addr8[1] == IP6_MULTICAST_SCOPE_SITE) - { - // Site-local scope - switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) - { - case 0x00000002: // All Routers - case 0x000000FB: // mDNSv6 - case 0x00010003: // All-dhcp-servers - case 0x00010004: // Deprecated - break; - default: - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - } - } - else if ((p->ip6h->ip_dst.ip.u6_addr8[1] & 0xF0) == 0) + uint32_t sip[4], dip[4]; + uint8_t zero; + uint8_t protocol; + uint16_t udplen; + }; + 
+ struct pseudoheader { - // Variable scope - switch (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3])) - { - case 0x0000000C: // SSDP - case 0x000000FB: // mDNSv6 - case 0x00000181: // PTP-primary - case 0x00000182: // PTP-alternate1 - case 0x00000183: // PTP-alternate2 - case 0x00000184: // PTP-alternate3 - case 0x0000018C: // All ACs multicast address - case 0x00000201: // "rwho" Group (BSD) - case 0x00000202: // SUN RPC PMAPPROC_CALLIT - case 0x00000204: // All C1222 Nodes - case 0x00000300: // Mbus/IPv6 - case 0x00027FFE: // SAPv1 Announcements - case 0x00027FFF: // SAPv0 Announcements - break; - default: - if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00000100) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x00000136)) - { - break; // Several addresses assigned in a contiguous block - } + uint32_t sip, dip; + uint8_t zero; + uint8_t protocol; + uint16_t udplen; + }; + uint16_t uhlen; + u_char fragmented_udp_flag = 0; - if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00000140) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x0000014F)) - { - break; // EPSON-disc-set - } + if (p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP)) + p->outer_udph = p->udph; - if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00020000) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x00027FFD)) - { - break; // Multimedia Conference Calls - } + if(len < sizeof(UDPHdr)) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Truncated UDP header (%d bytes)\n", len);); - if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00011000) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x000113FF)) - { - break; // Service Location, Version 2 - } + DecoderEvent(p, DECODE_UDP_DGRAM_LT_UDPHDR, + DECODE_UDP_DGRAM_LT_UDPHDR_STR, 1, 1); - if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x00028000) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x0002FFFF)) - { - break; // SAP Dynamic Assignments - } + PopUdp(p); + return; + } - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - 
DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - } + /* set the ptr to the start of the UDP header */ + p->inner_udph = p->udph = (UDPHdr *) pkt; + + if (!p->frag_flag) + { + uhlen = ntohs(p->udph->uh_len); } - else if ((p->ip6h->ip_dst.ip.u6_addr8[1] & 0xF0) == 3) + else { - // Source-Specific Multicast block - if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x40000001) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0x7FFFFFFF)) - { - return; // IETF consensus - } - else if ((ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) >= 0x80000000) && - (ntohl(p->ip6h->ip_dst.ip.u6_addr32[3]) <= 0xFFFFFFFF)) + if(IS_IP6(p)) { - return; // Dynamiclly allocated by hosts when needed + uint16_t ip_len = ntohs(GET_IPH_LEN(p)); + /* subtract the distance from udp header to 1st ip6 extension */ + /* This gives the length of the UDP "payload", when fragmented */ + uhlen = ip_len - ((u_char *)p->udph - (u_char *)p->ip6_extensions[0].data); } else { - // Other addresses in this block are reserved. - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); + uint16_t ip_len = ntohs(GET_IPH_LEN(p)); + /* Don't forget, IP_HLEN is a word - multiply x 4 */ + uhlen = ip_len - (GET_IPH_HLEN(p) * 4 ); } + fragmented_udp_flag = 1; } - else + + /* verify that the header len is a valid value */ + if(uhlen < UDP_HEADER_LEN) { - /* Addresses not listed above are reserved. 
*/ - DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST, - DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1); - } -} + DecoderEvent(p, DECODE_UDP_DGRAM_INVALID_LENGTH, + DECODE_UDP_DGRAM_INVALID_LENGTH_STR, 1, 1); + PopUdp(p); + return; + } -void DecodeICMP6(const uint8_t *pkt, uint32_t len, Packet *p) -{ - struct pseudoheader6 - { - uint32_t sip[4], dip[4]; - uint8_t zero; - uint8_t protocol; - uint16_t icmplen; - }; - if(len < ICMP6_MIN_HEADER_LEN) + /* make sure there are enough bytes as designated by length field */ + if(uhlen > len) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP6 header (%d bytes)\n", len);); + DecoderEventDrop(p, DECODE_UDP_DGRAM_SHORT_PACKET, + DECODE_UDP_DGRAM_SHORT_PACKET_STR, + ScDecoderOversizedAlerts(), + ScDecoderOversizedDrops()); - if ( Event_Enabled(DECODE_ICMP6_HDR_TRUNC) ) - DecoderEvent(p, EVARGS(ICMP6_HDR_TRUNC), 1, 1); + PopUdp(p); + return; + } + else if(uhlen < len) + { + DecoderEvent(p, DECODE_UDP_DGRAM_LONG_PACKET, + DECODE_UDP_DGRAM_LONG_PACKET_STR, 1, 1); - pc.discards++; + PopUdp(p); return; } - - p->icmph = (ICMPHdr*)pkt; - /* Do checksums */ - if (ScIcmpChecksums()) - { - uint16_t csum; + if (ScUdpChecksums()) + { + /* look at the UDP checksum to make sure we've got a good packet */ + uint16_t csum; #ifdef SUP_IP6 if(IS_IP4(p)) { + struct pseudoheader ph; + ph.sip = *p->ip4h->ip_src.ip32; + ph.dip = *p->ip4h->ip_dst.ip32; +#else + struct pseudoheader ph; + ph.sip = (uint32_t)(p->iph->ip_src.s_addr); + ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); #endif - csum = in_chksum_icmp((uint16_t *)(p->icmph), len); + ph.zero = 0; + ph.protocol = GET_IPH_PROTO(p); + ph.udplen = p->udph->uh_len; + /* Don't do checksum calculation if + * 1) Fragmented, OR + * 2) UDP header chksum value is 0. 
+ */ + if( !fragmented_udp_flag && p->udph->uh_chk ) + { + csum = in_chksum_udp((uint16_t *)&ph, + (uint16_t *)(p->udph), uhlen); + } + else + { + csum = 0; + } #ifdef SUP_IP6 } - /* IPv6 traffic */ else { struct pseudoheader6 ph6; COPY4(ph6.sip, p->ip6h->ip_src.ip32); COPY4(ph6.dip, p->ip6h->ip_dst.ip32); - ph6.zero = 0; + ph6.zero = 0; ph6.protocol = GET_IPH_PROTO(p); - ph6.icmplen = htons((u_short)len); - - csum = in_chksum_icmp6((uint16_t *)&ph6, (uint16_t *)(p->icmph), len); - } -#endif - if(csum) - { - p->error_flags |= PKT_ERR_CKSUM_ICMP; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n");); + ph6.udplen = htons((u_short)len); - if ( ScIdsMode() ) - queueExecDrop(execIcmpChksmDrop, p); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n");); - } - } - - p->dsize = (u_short)(len - ICMP6_MIN_HEADER_LEN); - p->data = pkt + ICMP6_MIN_HEADER_LEN; - - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n", - p->icmph->code, p->icmph->type);); - - switch(p->icmph->type) - { - case ICMP6_ECHO: - case ICMP6_REPLY: - if (p->dsize >= sizeof(struct idseq)) + /* Alert on checksum value 0 for ipv6 packets */ + if(!p->udph->uh_chk) { - p->icmp6h = (ICMP6Hdr *)pkt; - /* Set data pointer to that of the "echo message" */ - /* add the size of the echo ext to the data - * ptr and subtract it from the data size */ - p->dsize -= sizeof(struct idseq); - p->data += sizeof(struct idseq); - - if ( Event_Enabled(DECODE_ICMP6_DST_MULTICAST) ) - if ( p->ip6h->ip_dst.ip.u6_addr8[0] == IP6_MULTICAST ) - DecoderEvent(p, EVARGS(ICMP6_DST_MULTICAST), 1, 1); - - PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); + csum = 1; + DecoderEvent(p, DECODE_UDP_IPV6_ZERO_CHECKSUM, + DECODE_UDP_IPV6_ZERO_CHECKSUM_STR, 1, 1); } - else + /* Don't do checksum calculation if + * 1) Fragmented + * (UDP checksum is not optional in IP6) + */ + else if( !fragmented_udp_flag ) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP Echo header (%d 
bytes)\n", len);); - - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; - return; + csum = in_chksum_udp6((uint16_t *)&ph6, + (uint16_t *)(p->udph), uhlen); } - break; - - case ICMP6_BIG: - if (p->dsize >= sizeof(ICMP6TooBig)) + else { - ICMP6TooBig *too_big = (ICMP6TooBig *)pkt; - p->icmp6h = (ICMP6Hdr *)pkt; - /* Set data pointer past MTU */ - p->data += 4; - p->dsize -= 4; - - if (ntohl(too_big->mtu) < 1280) - { - DecoderEvent(p, DECODE_ICMPV6_TOO_BIG_BAD_MTU, - DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR, 1, 1); - } - - PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); - DecodeICMPEmbeddedIP6(p->data, p->dsize, p); + csum = 0; } - else + } +#endif + if(csum) + { + /* Don't drop the packet if this was ESP or Teredo. + Just stop decoding. */ + if (p->packet_flags & PKT_UNSURE_ENCAP) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP header (%d bytes)\n", len);); - - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; + PopUdp(p); return; } - break; - case ICMP6_TIME: - case ICMP6_PARAMS: - case ICMP6_UNREACH: - if (p->dsize >= 4) - { - p->icmp6h = (ICMP6Hdr *)pkt; - /* Set data pointer past the 'unused/mtu/pointer block */ - p->data += 4; - p->dsize -= 4; + p->error_flags |= PKT_ERR_CKSUM_UDP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n");); - if ((p->icmp6h->type == ICMP6_UNREACH) && (p->icmp6h->code == 2)) - { - DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_BAD_CODE, - DECODE_ICMPV6_UNREACHABLE_BAD_CODE_STR, 1, 1); - } + if ( ScIdsMode() ) + queueExecDrop(execUdpChksmDrop, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP Checksum: OK\n");); + } + } - PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN); - DecodeICMPEmbeddedIP6(p->data, p->dsize, p); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP header (%d 
bytes)\n", len);); + /* fill in the printout data structs */ + p->sp = ntohs(p->udph->uh_sport); + p->dp = ntohs(p->udph->uh_dport); - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP header starts at: %p\n", p->udph);); - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; - return; - } - break; + PushLayer(PROTO_UDP, p, pkt, sizeof(*p->udph)); - case ICMP6_ADVERTISEMENT: - if (p->dsize >= (sizeof(ICMP6RouterAdvertisement) - ICMP6_MIN_HEADER_LEN)) - { - ICMP6RouterAdvertisement *ra = (ICMP6RouterAdvertisement *)pkt; - p->icmp6h = (ICMP6Hdr *)pkt; - if (p->icmp6h->code != 0) - { - DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_CODE, - DECODE_ICMPV6_ADVERT_BAD_CODE_STR, 1, 1); - } - if (ntohl(ra->reachable_time) > 3600000) - { - DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_REACHABLE, - DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR, 1, 1); - } - PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP header (%d bytes)\n", len);); - - DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; - return; - } - break; + p->data = (uint8_t *) (pkt + UDP_HEADER_LEN); - case ICMP6_SOLICITATION: - if (p->dsize >= (sizeof(ICMP6RouterSolicitation) - ICMP6_MIN_HEADER_LEN)) - { - ICMP6RouterSolicitation *rs = (ICMP6RouterSolicitation *)pkt; - p->icmp6h = (ICMP6Hdr *)pkt; - if (rs->code != 0) - { - DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_CODE, - DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR, 1, 1); - } - if (ntohl(rs->reserved) != 0) - { - DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED, - DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR, 1, 1); - } - PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "WARNING: Truncated ICMP header (%d bytes)\n", len);); - - DecoderEvent(p, 
DECODE_ICMP_DGRAM_LT_ICMPHDR, - DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1); - - p->icmp6h = NULL; - pc.discards++; - pc.icmpdisc++; - return; - } - break; + /* length was validated up above */ + p->dsize = uhlen - UDP_HEADER_LEN; - default: - if ( Event_Enabled(DECODE_ICMP6_TYPE_OTHER) ) - DecoderEvent(p, EVARGS(ICMP6_TYPE_OTHER), 1, 1); + p->proto_bits |= PROTO_BIT__UDP; - PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN); - break; + /* Drop packet if we ignore this port */ + if (ScIgnoreUdpPort(p->sp) || ScIgnoreUdpPort(p->dp)) + { + /* Ignore all preprocessors for this packet */ + p->packet_flags |= PKT_IGNORE_PORT; + return; } - p->proto_bits |= PROTO_BIT__ICMP; -} + UDPMiscTests(p); -static INLINE int IPV6ExtensionOrder(uint8_t type) -{ - switch (type) +#ifdef SUP_IP6 + if (p->sp == TEREDO_PORT || + p->dp == TEREDO_PORT || + ScDeepTeredoInspection()) { - case IPPROTO_HOPOPTS: return 1; - case IPPROTO_DSTOPTS: return 2; - case IPPROTO_ROUTING: return 3; - case IPPROTO_FRAGMENT: return 4; - case IPPROTO_AH: return 5; - case IPPROTO_ESP: return 6; - default: return 7; + if ( !p->frag_flag ) + DecodeTeredo(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p); } -} - -void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p); - -static INLINE int CheckIPV6HopOptions(const uint8_t *pkt, uint32_t len, Packet *p) -{ - IP6Extension *exthdr = (IP6Extension *)pkt; - uint32_t total_octets = (exthdr->ip6e_len * 8) + 8; - const uint8_t *hdr_end = pkt + total_octets; - uint8_t type, oplen; - - if (len < total_octets) - DecoderEvent(p, EVARGS(IPV6_TRUNCATED_EXT), 1, 1); - - /* Skip to the options */ - pkt += 2; - - /* Iterate through the options, check for bad ones */ - while (pkt < hdr_end) +#endif + if (ScGTPDecoding() && + (ScIsGTPPort(p->sp)||ScIsGTPPort(p->dp))) { - type = *pkt; - switch (type) - { - case IP6_OPT_PAD1: - pkt++; - break; - case IP6_OPT_PADN: - case IP6_OPT_JUMBO: - case IP6_OPT_RTALERT: - case IP6_OPT_TUNNEL_ENCAP: - case 
IP6_OPT_QUICK_START: - case IP6_OPT_CALIPSO: - case IP6_OPT_HOME_ADDRESS: - case IP6_OPT_ENDPOINT_IDENT: - oplen = *(++pkt); - if ((pkt + oplen + 1) > hdr_end) - { - DecoderEvent(p, EVARGS(IPV6_BAD_OPT_LEN), 1, 1); - return -1; - } - pkt += oplen + 1; - break; - default: - DecoderEvent(p, EVARGS(IPV6_BAD_OPT_TYPE), 1, 1); - return -1; - } + if ( !p->frag_flag ) + DecodeGTP(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p); } - return 0; } -void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p) -{ - IP6Extension *exthdr; - uint32_t hdrlen = 0; - - /* This should only be called by DecodeIPV6 or DecodeIPV6Extensions - * so no validation performed. Otherwise, uncomment the following: */ - /* if(IPH_IS_VALID(p)) return */ - - pc.ipv6opts++; +//-------------------------------------------------------------------- +// decode.c::TCP +//-------------------------------------------------------------------- - /* Need at least two bytes, one for next header, one for len. */ - /* But size is an integer multiple of 8 octets, so 8 is min. 
*/ - if(len < sizeof(IP6Extension)) +/* TCP-layer decoder alerts */ +static inline void TCPMiscTests(Packet *p) +{ + if ( Event_Enabled(DECODE_TCP_SHAFT_SYNFLOOD) ) { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; + if ( ((p->tcph->th_flags & TH_NORESERVED) == TH_SYN ) && + (p->tcph->th_seq == htonl(674711609)) ) + DecoderEvent(p, EVARGS(TCP_SHAFT_SYNFLOOD), 1, 1); } - exthdr = (IP6Extension *)pkt; - - if(p->ip6_extension_count < IP6_EXTMAX) + if ( Event_Enabled(DECODE_TCP_PORT_ZERO) ) { - p->ip6_extensions[p->ip6_extension_count].type = type; - p->ip6_extensions[p->ip6_extension_count].data = pkt; - - // TBD add layers for other ip6 ext headers - switch (type) - { - case IPPROTO_HOPOPTS: - if (len < sizeof(IP6HopByHop)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - if (CheckIPV6HopOptions(pkt, len, p) == 0) - PushLayer(PROTO_IP6_HOP_OPTS, p, pkt, hdrlen); - break; - - case IPPROTO_DSTOPTS: - if (len < sizeof(IP6Dest)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - if (exthdr->ip6e_nxt == IPPROTO_ROUTING) - { - DecoderEvent(p, DECODE_IPV6_DSTOPTS_WITH_ROUTING, - DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR, - 1, 1); - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - if (CheckIPV6HopOptions(pkt, len, p) == 0) - PushLayer(PROTO_IP6_DST_OPTS, p, pkt, hdrlen); - break; + if (p->sp == 0 || p->dp == 0) + DecoderEvent(p, EVARGS(TCP_PORT_ZERO), 1, 1); + } +} - case IPPROTO_ROUTING: - if (len < sizeof(IP6Route)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - if (exthdr->ip6e_nxt == IPPROTO_HOPOPTS) - { - DecoderEvent(p, DECODE_IPV6_ROUTE_AND_HOPBYHOP, - DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR, - 1, 1); - } - if (exthdr->ip6e_nxt == IPPROTO_ROUTING) - { - DecoderEvent(p, 
DECODE_IPV6_TWO_ROUTE_HEADERS, - DECODE_IPV6_TWO_ROUTE_HEADERS_STR, - 1, 1); - } - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - break; +/* + * Function: DecodeTCP(uint8_t *, const uint32_t, Packet *) + * + * Purpose: Decode the TCP transport layer + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => Pointer to packet decode struct + * + * Returns: void function + */ +void DecodeTCP(const uint8_t * pkt, const uint32_t len, Packet * p) +{ + struct pseudoheader6 /* pseudo header for TCP checksum calculations */ + { + uint32_t sip[4], dip[4]; /* IP addr */ + uint8_t zero; /* checksum placeholder */ + uint8_t protocol; /* protocol number */ + uint16_t tcplen; /* tcp packet length */ + }; - case IPPROTO_FRAGMENT: - { - IP6Frag *ip6frag_hdr = (IP6Frag *)pkt; - if (len < sizeof(IP6Frag)) - { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); - return; - } - /* If this is an IP Fragment, set some data... */ - p->ip6_frag_index = p->ip6_extension_count; - p->ip_frag_start = pkt + sizeof(IP6Frag); - p->frag_flag = 1; - pc.frag6++; - - p->df = 0; - p->rf = IP6F_RES(ip6frag_hdr); - p->mf = IP6F_MF(ip6frag_hdr); - p->frag_offset = IP6F_OFFSET(ip6frag_hdr); - } - hdrlen = sizeof(IP6Frag); - p->ip_frag_len = (uint16_t)(len - hdrlen); + struct pseudoheader /* pseudo header for TCP checksum calculations */ + { + uint32_t sip, dip; /* IP addr */ + uint8_t zero; /* checksum placeholder */ + uint8_t protocol; /* protocol number */ + uint16_t tcplen; /* tcp packet length */ + }; + uint32_t hlen; /* TCP header length */ - if (p->frag_offset > 0) - { - /* For non-zero offset frags, we stop decoding after the - Frag header. According to RFC 2460, the "Next Header" - value may differ from that of the offset zero frag, - but only the Next Header of the original frag is used. 
*/ - p->ip6_extension_count++; - return; - } - break; + if(len < TCP_HEADER_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP packet (len = %d) cannot contain " "20 byte header\n", len);); - case IPPROTO_AH: - /* Auth Headers work in both IPv4 & IPv6, and their lengths are - given in 4-octet increments instead of 8-octet increments. */ - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 2); - break; + DecoderEvent(p, DECODE_TCP_DGRAM_LT_TCPHDR, + DECODE_TCP_DGRAM_LT_TCPHDR_STR, 1, 1); - default: - hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); - break; - } + p->tcph = NULL; + pc.discards++; + pc.tdisc++; - p->ip6_extension_count++; + return; } - if(hdrlen > len) + /* lay TCP on top of the data cause there is enough of it! */ + p->tcph = (TCPHdr *) pkt; + + /* multiply the payload offset value by 4 */ + hlen = TCP_OFFSET(p->tcph) << 2; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "TCP th_off is %d, passed len is %lu\n", + TCP_OFFSET(p->tcph), (unsigned long)len);); + + if(hlen < TCP_HEADER_LEN) { - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, - 1, 1); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP Data Offset (%d) < hlen (%d) \n", + TCP_OFFSET(p->tcph), hlen);); + + DecoderEvent(p, DECODE_TCP_INVALID_OFFSET, + DECODE_TCP_INVALID_OFFSET_STR, 1, 1); + + p->tcph = NULL; + pc.discards++; + pc.tdisc++; + return; } - DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p); -} + if(hlen > len) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "TCP Data Offset(%d) < longer than payload(%d)!\n", + TCP_OFFSET(p->tcph) << 2, len);); + DecoderEventDrop(p, DECODE_TCP_LARGE_OFFSET, + DECODE_TCP_LARGE_OFFSET_STR, + ScDecoderOversizedAlerts(), + ScDecoderOversizedDrops()); -/* Check for out-of-order IPv6 Extension Headers */ -static INLINE void CheckIPv6ExtensionOrder(Packet *p) -{ - int routing_seen = 0; - int current_type_order, next_type_order, i; - - if (Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS)) + p->tcph = NULL; + 
pc.discards++; + pc.tdisc++; + + return; + } + + /* Checksum code moved in front of the other decoder alerts. + If it's a bad checksum (maybe due to encrypted ESP traffic), the other + alerts could be false positives. */ + if (ScTcpChecksums()) { - if (p->ip6_extension_count > 0) - current_type_order = IPV6ExtensionOrder(p->ip6_extensions[0].type); + uint16_t csum; +#ifdef SUP_IP6 + if(IS_IP4(p)) + { + struct pseudoheader ph; + ph.sip = *p->ip4h->ip_src.ip32; + ph.dip = *p->ip4h->ip_dst.ip32; +#else + struct pseudoheader ph; + ph.sip = (uint32_t)(p->iph->ip_src.s_addr); + ph.dip = (uint32_t)(p->iph->ip_dst.s_addr); +#endif + /* setup the pseudo header for checksum calculation */ + ph.zero = 0; + ph.protocol = GET_IPH_PROTO(p); + ph.tcplen = htons((u_short)len); - for (i = 1; i < (p->ip6_extension_count); i++) + /* if we're being "stateless" we probably don't care about the TCP + * checksum, but it's not bad to keep around for shits and giggles */ + /* calculate the checksum */ + csum = in_chksum_tcp((uint16_t *)&ph, (uint16_t *)(p->tcph), len); +#ifdef SUP_IP6 + } + /* IPv6 traffic */ + else { - next_type_order = IPV6ExtensionOrder(p->ip6_extensions[i].type); + struct pseudoheader6 ph6; + COPY4(ph6.sip, p->ip6h->ip_src.ip32); + COPY4(ph6.dip, p->ip6h->ip_dst.ip32); + ph6.zero = 0; + ph6.protocol = GET_IPH_PROTO(p); + ph6.tcplen = htons((u_short)len); - if (p->ip6_extensions[i].type == IPPROTO_ROUTING) - routing_seen = 1; + csum = in_chksum_tcp6((uint16_t *)&ph6, (uint16_t *)(p->tcph), len); + } +#endif - if (next_type_order <= current_type_order) + if(csum) + { + /* Don't drop the packet if this is encapuslated in Teredo or ESP. + Just get rid of the TCP header and stop decoding. */ + if (p->packet_flags & PKT_UNSURE_ENCAP) { - /* A second "Destination Options" header is allowed iff: - 1) A routing header was already seen, and - 2) The second destination header is the last one before the upper layer. 
- */ - if (!routing_seen || - !(p->ip6_extensions[i].type == IPPROTO_DSTOPTS) || - !(i+1 == p->ip6_extension_count)) - { - DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1); - } + p->tcph = NULL; + return; } - current_type_order = next_type_order; + p->error_flags |= PKT_ERR_CKSUM_TCP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n", + "0x%x versus 0x%x\n", csum, + ntohs(p->tcph->th_sum));); + + if ( ScIdsMode() ) + queueExecDrop(execTcpChksmDrop, p); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"TCP Checksum: OK\n");); } } -} -void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p) -{ - pc.ip6ext++; + if(Event_Enabled(DECODE_TCP_XMAS) || Event_Enabled(DECODE_TCP_NMAP_XMAS)) + { + if(TCP_ISFLAGSET(p->tcph, (TH_FIN|TH_PUSH|TH_URG))) + { + if(TCP_ISFLAGSET(p->tcph, (TH_SYN|TH_ACK|TH_RST))) + { + DecoderEvent(p, DECODE_TCP_XMAS, DECODE_TCP_XMAS_STR, 1, 1); + } + else + { + DecoderEvent(p, DECODE_TCP_NMAP_XMAS, DECODE_TCP_NMAP_XMAS_STR, 1, 1); + } + // Allowing this packet for further processing + // (in case there is a valid data inside it). + /*p->tcph = NULL; + pc.discards++; + pc.tdisc++; + return;*/ + } + } -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6ext++; -#endif + if(TCP_ISFLAGSET(p->tcph, (TH_SYN))) + { + /* check if only SYN is set */ + if( p->tcph->th_flags == TH_SYN ) + { + if( Event_Enabled(DECODE_DOS_NAPTHA) ) + { + if( p->tcph->th_seq == 6060842 ) + { + if( GET_IPH_ID(p) == 413 ) + { + DecoderEvent(p, DECODE_DOS_NAPTHA, + DECODE_DOS_NAPTHA_STR, 1, 1); + } + } + } + } - /* XXX might this introduce an issue if the "next" field is invalid? 
*/ - p->ip6h->next = next; + if( Event_Enabled(DECODE_SYN_TO_MULTICAST) ) + { + if( IpAddrSetContains(SynToMulticastDstIp, GET_DST_ADDR(p)) ) + { + DecoderEvent(p, DECODE_SYN_TO_MULTICAST, + DECODE_SYN_TO_MULTICAST_STR, 1, 1); + } + } + if ( Event_Enabled(DECODE_TCP_SYN_RST) ) + if ( (p->tcph->th_flags & TH_RST) ) + DecoderEvent(p, EVARGS(TCP_SYN_RST), 1, 1); - if (ScIdsMode()) - { - /* See if there are any ip_proto only rules that match */ - fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p); - p->proto_bits |= PROTO_BIT__IP; + if ( Event_Enabled(DECODE_TCP_SYN_FIN) ) + if ( (p->tcph->th_flags & TH_FIN) ) + DecoderEvent(p, EVARGS(TCP_SYN_FIN), 1, 1); + } + else + { // we already know there is no SYN + if ( Event_Enabled(DECODE_TCP_NO_SYN_ACK_RST) ) + if ( !(p->tcph->th_flags & (TH_ACK|TH_RST)) ) + DecoderEvent(p, EVARGS(TCP_NO_SYN_ACK_RST), 1, 1); } - switch(next) { - case IPPROTO_TCP: - pc.tcp6++; - CheckIPv6ExtensionOrder(p); - DecodeTCP(pkt, len, p); - return; - case IPPROTO_UDP: - pc.udp6++; - CheckIPv6ExtensionOrder(p); - DecodeUDP(pkt, len, p); - return; - case IPPROTO_ICMPV6: - pc.icmp6++; - CheckIPv6ExtensionOrder(p); - DecodeICMP6(pkt , len, p); - return; -#ifndef SUP_IP6 - case IPPROTO_FRAGMENT: - /* This should later be moved into frag3 */ - BsdFragVulnCheck(p, pkt, len); - - // XXX - // Fragmentation not yet supported - // DecodeIPv6FragHdr(p, pkt); - // XXX - - p->frag_flag = 1; - pc.frag6++; - p->dsize = 0; - return; -#endif - case IPPROTO_NONE: - CheckIPv6ExtensionOrder(p); - p->dsize = 0; - return; - case IPPROTO_HOPOPTS: - case IPPROTO_DSTOPTS: - case IPPROTO_ROUTING: -#ifdef SUP_IP6 - case IPPROTO_FRAGMENT: -#endif - case IPPROTO_AH: - DecodeIPV6Options(next, pkt, len, p); - // Anything special to do here? just return? 
- return; -#ifdef GRE - case IPPROTO_GRE: - pc.gre++; - CheckIPv6ExtensionOrder(p); - DecodeGRE(pkt, len, p); - return; - case IPPROTO_IPIP: - pc.ip6ip4++; - CheckIPv6ExtensionOrder(p); - DecodeIP(pkt, len, p); - return; - case IPPROTO_IPV6: - pc.ip6ip6++; - CheckIPv6ExtensionOrder(p); - DecodeIPV6(pkt, len, p); - return; - case IPPROTO_ESP: - CheckIPv6ExtensionOrder(p); - DecodeESP(pkt, len, p); - return; -#endif - default: - // There may be valid headers after this unsupported one, - // need to decode this header, set "next" and continue - // looping. - - DecoderEvent(p, DECODE_IPV6_BAD_NEXT_HEADER, - DECODE_IPV6_BAD_NEXT_HEADER_STR, 1, 1); + if ( Event_Enabled(DECODE_TCP_MUST_ACK) ) + if ( (p->tcph->th_flags & (TH_FIN|TH_PUSH|TH_URG)) && + !(p->tcph->th_flags & TH_ACK) ) + DecoderEvent(p, EVARGS(TCP_MUST_ACK), 1, 1); - pc.other++; - p->data = pkt; - p->dsize = (uint16_t)len; - break; - }; -} -#endif /* SUP_IP6 */ + /* stuff more data into the printout data struct */ + p->sp = ntohs(p->tcph->th_sport); + p->dp = ntohs(p->tcph->th_dport); -#ifndef SUP_IP6 + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "tcp header starts at: %p\n", p->tcph);); -/* This is the Snort-IPv4 version of the IPv6 BSD frag checking code */ -enum { - IPV6_FRAG_NO_ALERT = 0, - IPV6_FRAG_ALERT, - IPV6_FRAG_BAD_PKT, - IPV6_IS_NOT, - IPV6_TRUNCATED_EXT, - IPV6_TRUNCATED, + PushLayer(PROTO_TCP, p, pkt, hlen); - IPV6_NEXT -}; + /* if options are present, decode them */ + p->tcp_options_len = (uint16_t)(hlen - TCP_HEADER_LEN); -int CheckIPV6Frag (char *data, uint32_t size, Packet *p) -{ - typedef struct _IP6HdrChain + if(p->tcp_options_len > 0) { - uint8_t next_header; - uint8_t length; - } IP6HdrChain; - - IP6RawHdr *hdr; - IP6Frag *frag; - IP6HdrChain *chain; - uint8_t next_header; - uint32_t offset; - unsigned int header_length; - unsigned short frag_data; - char key[40]; /* Two 16 bit IP addresses and one fragmentation ID plus pad */ - SFXHASH_NODE *hash_node; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, 
"%lu bytes of tcp options....\n", + (unsigned long)(p->tcp_options_len));); - if (sizeof(IP6RawHdr) > size) - return IPV6_TRUNCATED; + p->tcp_options_data = pkt + TCP_HEADER_LEN; + DecodeTCPOptions((uint8_t *) (pkt + TCP_HEADER_LEN), p->tcp_options_len, p); + } + else + { + p->tcp_option_count = 0; + } - hdr = (IP6RawHdr *) data; + /* set the data pointer and size */ + p->data = (uint8_t *) (pkt + hlen); - if ((hdr->ip6vfc >> 4) != 6) - return IPV6_IS_NOT; + if(hlen < len) + { + p->dsize = (u_short)(len - hlen); + } + else + { + p->dsize = 0; + } - if (sizeof(IP6RawHdr) + ntohs(hdr->ip6plen) > size) - return IPV6_TRUNCATED; + if ( Event_Enabled(DECODE_TCP_BAD_URP) ) + if ( (p->tcph->th_flags & TH_URG) && + (!p->dsize || ntohs(p->tcph->th_urp) > p->dsize) ) + DecoderEvent(p, EVARGS(TCP_BAD_URP), 1, 1); - next_header = hdr->ip6nxt; - offset = sizeof(IP6RawHdr); + p->proto_bits |= PROTO_BIT__TCP; - while (offset < size) + /* Drop packet if we ignore this port */ + if (ScIgnoreTcpPort(p->sp) || ScIgnoreTcpPort(p->dp)) { - switch (next_header) { - case IP_PROTO_IPV6: - return CheckIPV6Frag(data + offset, size - offset, p); + /* Ignore all preprocessors for this packet */ + p->packet_flags |= PKT_IGNORE_PORT; + return; + } - case IP_PROTO_HOPOPTS: - case IP_PROTO_DSTOPTS: - case IP_PROTO_ROUTING: - case IP_PROTO_AH: - if (sizeof(IP6HdrChain) + offset > size) - return IPV6_TRUNCATED_EXT; + TCPMiscTests(p); +} - chain = (IP6HdrChain* ) (data + offset); +//-------------------------------------------------------------------- +// decode.c::Option Handling +//-------------------------------------------------------------------- - next_header = chain->next_header; - header_length = 8 + (8 * chain->length); +/** + * Validate that the length is an expected length AND that it's in bounds + * + * EOL and NOP are handled separately + * + * @param option_ptr current location + * @param end the byte past the end of the decode list + * @param len_ptr the pointer to the length field + * 
@param expected_len the number of bytes we expect to see per rfc KIND+LEN+DATA, -1 means dynamic. + * @param tcpopt options structure to populate + * @param byte_skip distance to move upon completion + * + * @return returns 0 on success, < 0 on error + */ +static inline int OptLenValidate(const uint8_t *option_ptr, + const uint8_t *end, + const uint8_t *len_ptr, + int expected_len, + Options *tcpopt, + uint8_t *byte_skip) +{ + *byte_skip = 0; - if (offset + header_length > size) - return IPV6_TRUNCATED_EXT; + if(len_ptr == NULL) + { + return TCP_OPT_TRUNC; + } - offset += header_length; - break; + if(*len_ptr == 0 || expected_len == 0 || expected_len == 1) + { + return TCP_OPT_BADLEN; + } + else if(expected_len > 1) + { + if((option_ptr + expected_len) > end) + { + /* not enough data to read in a perfect world */ + return TCP_OPT_TRUNC; + } - case IP_PROTO_FRAGMENT: - if (offset + sizeof(IP6Frag) > size) - return IPV6_TRUNCATED_EXT; + if(*len_ptr != expected_len) + { + /* length is not valid */ + return TCP_OPT_BADLEN; + } + } + else /* expected_len < 0 (i.e. variable length) */ + { + if(*len_ptr < 2) + { + /* RFC sez that we MUST have atleast this much data */ + return TCP_OPT_BADLEN; + } - frag = (IP6Frag *) (data + offset); - frag_data = frag->ip6f_offlg; + if((option_ptr + *len_ptr) > end) + { + /* not enough data to read in a perfect world */ + return TCP_OPT_TRUNC; + } + } - /* srcip / dstip */ - memcpy(key, (data + 8), 32); - *(uint32_t*)(key+32) = frag->ip6f_ident; - *(uint32_t*)(key+36) = 0; /* zero out pad */ + tcpopt->len = *len_ptr - 2; - hash_node = sfxhash_find_node(ipv6_frag_hash, key); + if(*len_ptr == 2) + { + tcpopt->data = NULL; + } + else + { + tcpopt->data = option_ptr + 2; + } - /* Check if the frag offset mask is set. 
- * If it is, we're not looking at the exploit in question */ - if(IP6F_OFFSET(frag) != 0) - { - /* If this arrives before the two 0 offset frags, we will - * still add them as though they were the first, and false - * positive */ - if(hash_node) sfxhash_free_node(ipv6_frag_hash, hash_node); - return IPV6_FRAG_NO_ALERT; - } + *byte_skip = *len_ptr; - /* Check if there are no more frags */ - if(!IP6F_MF(frag)) - { - /* At this point, we've seen a frag header with no offset - * that doesn't have the more flags set. Need to see if - * this follows a packet that did have the more flag set. */ - if(hash_node) - { - /* Check if the first packet timed out */ - if((p->pkth->ts.tv_sec - *(time_t *)hash_node->data) > (time_t)ScIpv6FragTimeout()) - { - sfxhash_free_node(ipv6_frag_hash, hash_node); - return IPV6_FRAG_BAD_PKT; - } - - if(size - offset > 100) - { - return IPV6_FRAG_ALERT; - } - - sfxhash_free_node(ipv6_frag_hash, hash_node); - - return IPV6_FRAG_BAD_PKT; - } - - /* We never saw the first packet, but this one is still bogus */ - return IPV6_FRAG_BAD_PKT; - } - - /* At this point, we've seen a header with no offset and a - * more flag */ - if(!hash_node) - { - /* There are more frags remaining, add current to hash */ - if(sfxhash_add(ipv6_frag_hash, key, (void *)&p->pkth->ts.tv_sec) - == SFXHASH_NOMEM) - { - return -1; - } - } - else - { - /* Update this node's timestamp */ - *(time_t *)hash_node->data = p->pkth->ts.tv_sec; - } - - default: - return IPV6_FRAG_NO_ALERT; - } - } - - return IPV6_FRAG_NO_ALERT; -} - -#endif + return 0; +} /* - * Function: DecodeIPV6(uint8_t *, uint32_t) + * Function: DecodeTCPOptions(uint8_t *, uint32_t, Packet *) * - * Purpose: Decoding IPv6 headers + * Purpose: Fairly self explainatory name, don't you think? 
* - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet + * TCP Option Header length validation is left to the caller + * + * For a good listing of TCP Options, + * http://www.iana.org/assignments/tcp-parameters + * + * ------------------------------------------------------------ + * 
From: "Kastenholz, Frank" <FKastenholz@unispherenetworks.com> + * Subject: Re: skeeter & bubba TCP options? + * + * ah, the sins of ones youth that never seem to be lost... + * + * it was something that ben levy and stev and i did at ftp many + * many moons ago. bridgham and stev were the instigators of it. + * the idea was simple, put a dh key exchange directly in tcp + * so that all tcp sessions could be encrypted without requiring + * any significant key management system. authentication was not + * a part of the idea, it was to be provided by passwords or + * whatever, which could now be transmitted over the internet + * with impunity since they were encrypted... we implemented + * a simple form of this (doing the math was non trivial on the + * machines of the day). it worked. the only failure that i + * remember was that it was vulnerable to man-in-the-middle + * attacks. + * + * why "skeeter" and "bubba"? well, that's known only to stev... + * ------------------------------------------------------------ + * + * 4.2.2.5 TCP Options: RFC-793 Section 3.1 + * + * A TCP MUST be able to receive a TCP option in any segment. A TCP + * MUST ignore without error any TCP option it does not implement, + * assuming that the option has a length field (all TCP options + * defined in the future will have length fields). TCP MUST be + * prepared to handle an illegal option length (e.g., zero) without + * crashing; a suggested procedure is to reset the connection and log + * the reason. 
+ * + * Arguments: o_list => ptr to the option list + * o_len => length of the option list + * p => pointer to decoded packet struct * * Returns: void function */ -void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p) +void DecodeTCPOptions(const uint8_t *start, uint32_t o_len, Packet *p) { -#ifndef SUP_IP6 - static uint8_t pseudopacket_buf[SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET]; - static Packet pseudopacket; - static DAQ_PktHdr_t pseudopkt_header; - IP6RawHdr *ip6h; - int alert_status; - - pc.ipv6++; + const uint8_t *option_ptr = start; + const uint8_t *end_ptr = start + o_len; /* points to byte after last option */ + const uint8_t *len_ptr; + uint8_t opt_count = 0; + u_char done = 0; /* have we reached TCPOPT_EOL yet?*/ + u_char experimental_option_found = 0; /* are all options RFC compliant? */ + u_char obsolete_option_found = 0; + u_char ttcp_found = 0; -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6++; -#endif + int code = 2; + uint8_t byte_skip; - alert_status = CheckIPV6Frag((char *) pkt, len, p); + /* Here's what we're doing so that when we find out what these + * other buggers of TCP option codes are, we can do something + * useful + * + * 1) get option code + * 2) check for enough space for current option code + * 3) set option data ptr + * 4) increment option code ptr + * + * TCP_OPTLENMAX = 40 because of + * (((2^4) - 1) * 4 - TCP_HEADER_LEN) + * + */ - if(alert_status == IPV6_FRAG_NO_ALERT) + if(o_len > TCP_OPTLENMAX) { + /* This shouldn't ever alert if we are doing our job properly + * in the caller */ + p->tcph = NULL; /* let's just alert */ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "o_len(%u) > TCP_OPTLENMAX(%u)\n", + o_len, TCP_OPTLENMAX)); return; } - p->packet_flags |= PKT_NO_DETECT; - - /* Need to set up a fake IP header for logging purposes. 
First make sure - * there is room */ - if(sizeof(IP6RawHdr) <= len) + while((option_ptr < end_ptr) && (opt_count < TCP_OPTLENMAX) && (code >= 0) && !done) { - pseudopkt_header.ts.tv_sec = p->pkth->ts.tv_sec; - pseudopkt_header.ts.tv_usec = p->pkth->ts.tv_usec; - - BsdPseudoPacket = &pseudopacket; - pseudopacket.pkt = pseudopacket_buf + SPARC_TWIDDLE; - pseudopacket.pkth = &pseudopkt_header; + p->tcp_options[opt_count].code = *option_ptr; - if(p->eh) + if((option_ptr + 1) < end_ptr) { - SafeMemcpy(pseudopacket_buf + SPARC_TWIDDLE, p->eh, - ETHERNET_HEADER_LEN, - pseudopacket_buf, - pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); - - pseudopkt_header.pktlen = IP_HEADER_LEN + ETHERNET_HEADER_LEN; - - pseudopacket.eh = (EtherHdr*)(pseudopacket_buf + SPARC_TWIDDLE); - pseudopacket.iph = (IPHdr*)(pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN); - ((EtherHdr*)pseudopacket.eh)->ether_type = htons(ETHERNET_TYPE_IP); + len_ptr = option_ptr + 1; } else { - SafeMemcpy(pseudopacket_buf, p->pkt, - (pkt - p->pkt), - pseudopacket_buf, - pseudopacket_buf + SPARC_TWIDDLE + ETHERNET_HEADER_LEN + IP_MAXPACKET); + len_ptr = NULL; + } - pseudopkt_header.pktlen = IP_HEADER_LEN + (pkt - p->pkt); + switch(*option_ptr) + { + case TCPOPT_EOL: + done = 1; /* fall through to the NOP case */ + case TCPOPT_NOP: + p->tcp_options[opt_count].len = 0; + p->tcp_options[opt_count].data = NULL; + byte_skip = 1; + code = 0; + break; + case TCPOPT_MAXSEG: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MAXSEG, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_SACKOK: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_SACKOK, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_WSCALE: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_WSCALE, + &p->tcp_options[opt_count], &byte_skip); + if (code == 0) + { + if ( + ((uint16_t) p->tcp_options[opt_count].data[0] > 14)) + { + /* LOG INVALID WINDOWSCALE alert */ + 
if (ScDecoderTcpOptAlerts()) + { + DecoderOptEvent(p, DECODE_TCPOPT_WSCALE_INVALID, + DECODE_TCPOPT_WSCALE_INVALID_STR, 1, 1, + execTcpOptDrop); + } + } + } + break; + case TCPOPT_ECHO: /* both use the same lengths */ + case TCPOPT_ECHOREPLY: + obsolete_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_ECHO, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_MD5SIG: + experimental_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MD5SIG, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_SACK: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->tcp_options[opt_count], &byte_skip); + if(p->tcp_options[opt_count].data == NULL) + code = TCP_OPT_BADLEN; - pseudopacket.iph = (IPHdr*)(pseudopacket_buf + (pkt - p->pkt)); - pseudopacket.eh = NULL; - } + break; + case TCPOPT_CC_ECHO: + ttcp_found = 1; + /* fall through */ + case TCPOPT_CC: /* all 3 use the same lengths / T/TCP */ + case TCPOPT_CC_NEW: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_CC, + &p->tcp_options[opt_count], &byte_skip); + break; + case TCPOPT_TRAILER_CSUM: + experimental_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TRAILER_CSUM, + &p->tcp_options[opt_count], &byte_skip); + break; - pseudopkt_header.caplen = pseudopkt_header.pktlen; + case TCPOPT_TIMESTAMP: + code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TIMESTAMP, + &p->tcp_options[opt_count], &byte_skip); + break; - /* Need IP addresses for packet logging -- for now, just using the - * lowest 4 bytes of the IPv6 addresses */ - memset((IPHdr *)pseudopacket.iph, 0, sizeof(IPHdr)); + case TCPOPT_SKEETER: + case TCPOPT_BUBBA: + case TCPOPT_UNASSIGNED: + obsolete_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->tcp_options[opt_count], &byte_skip); + break; + default: + case TCPOPT_SCPS: + case TCPOPT_SELNEGACK: + case TCPOPT_RECORDBOUND: + case 
TCPOPT_CORRUPTION: + case TCPOPT_PARTIAL_PERM: + case TCPOPT_PARTIAL_SVC: + case TCPOPT_ALTCSUM: + case TCPOPT_SNAP: + experimental_option_found = 1; + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->tcp_options[opt_count], &byte_skip); + break; + } - ((IPHdr *)pseudopacket.iph)->ip_len = htons(IP_HEADER_LEN); - SET_IP_VER((IPHdr *)pseudopacket.iph, 0x4); - SET_IP_HLEN((IPHdr *)pseudopacket.iph, 0x5); + if(code < 0) + { + if(code == TCP_OPT_BADLEN) + { + DecoderOptEvent(p, DECODE_TCPOPT_BADLEN, + DECODE_TCPOPT_BADLEN_STR, 1, 1, + execTcpOptDrop); + } + else if(code == TCP_OPT_TRUNC) + { + DecoderOptEvent(p, DECODE_TCPOPT_TRUNCATED, + DECODE_TCPOPT_TRUNCATED_STR, 1, 1, + execTcpOptDrop); + } - ip6h = (IP6RawHdr*)pkt; - -#ifdef WORDS_BIGENDIAN - ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = - ip6h->ip6_src.s6_addr[13] << 16 | ip6h->ip6_src.s6_addr[14] << 8 | ip6h->ip6_src.s6_addr[15]; - ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = - ip6h->ip6_dst.s6_addr[13] << 16 | ip6h->ip6_dst.s6_addr[14] << 8 | ip6h->ip6_dst.s6_addr[15]; -#else - ((IPHdr *)pseudopacket.iph)->ip_src.s_addr = - ip6h->ip6_src.s6_addr[15] << 24 | ip6h->ip6_src.s6_addr[14] << 16 | ip6h->ip6_src.s6_addr[13] << 8; - ((IPHdr *)pseudopacket.iph)->ip_dst.s_addr = - ip6h->ip6_dst.s6_addr[15] << 24 | ip6h->ip6_dst.s6_addr[14] << 16 | ip6h->ip6_dst.s6_addr[13] << 8; -#endif - } - else - { - p->iph = NULL; - } + /* set the option count to the number of valid + * options found before this bad one + * some implementations (BSD and Linux) ignore + * the bad ones, but accept the good ones */ + p->tcp_option_count = opt_count; - switch(alert_status) { - case IPV6_FRAG_ALERT: - FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, - FRAG3_IPV6_BSD_ICMP_FRAG_STR, - ScDecoderIpv6BsdIcmpFragAlerts(), - ScDecoderIpv6BsdIcmpFragDrops()); - break; + return; + } - case IPV6_FRAG_BAD_PKT: - FragEvent(p, FRAG3_IPV6_BAD_FRAG_PKT, - FRAG3_IPV6_BAD_FRAG_PKT_STR, - ScDecoderIpv6BadFragAlerts(), - ScDecoderIpv6BadFragDrops()); - 
break; + opt_count++; - case IPV6_IS_NOT: - if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) - DecoderEvent(p, DECODE_IPV6_IS_NOT, - DECODE_IPV6_IS_NOT_STR, 1, 1); - break; + option_ptr += byte_skip; + } - case IPV6_TRUNCATED_EXT: - DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT, - DECODE_IPV6_TRUNCATED_EXT_STR, 1, 1); - break; + p->tcp_option_count = opt_count; - case IPV6_TRUNCATED: - if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) - DecoderEvent(p, DECODE_IPV6_TRUNCATED, - DECODE_IPV6_TRUNCATED_STR, 1, 1); - }; + if (experimental_option_found) + { + DecoderOptEvent(p, DECODE_TCPOPT_EXPERIMENT, + DECODE_TCPOPT_EXPERIMENT_STR, 1, 1, + execTcpOptExpDrop); + } + else if (obsolete_option_found) + { + DecoderOptEvent(p, DECODE_TCPOPT_OBSOLETE, + DECODE_TCPOPT_OBSOLETE_STR, 1, 1, + execTcpOptObsDrop); + } + else if (ttcp_found) + { + DecoderOptEvent(p, DECODE_TCPOPT_TTCP, + DECODE_TCPOPT_TTCP_STR, 1, 1, + execTcpOptTTcpDrop); + } - BsdPseudoPacket = NULL; - pc.discards++; return; -#else // SUP_IP6 follows ... - - IP6RawHdr *hdr; - uint32_t payload_len; +} - pc.ipv6++; -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6++; -#endif +/* + * Function: DecodeIPOptions(uint8_t *, uint32_t, Packet *) + * + * Purpose: Once again, a fairly self-explainatory name + * + * Arguments: o_list => ptr to the option list + * o_len => length of the option list + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeIPOptions(const uint8_t *start, uint32_t o_len, Packet *p) +{ + const uint8_t *option_ptr = start; + u_char done = 0; /* have we reached IP_OPTEOL yet? 
*/ + const uint8_t *end_ptr = start + o_len; + uint8_t opt_count = 0; /* what option are we processing right now */ + uint8_t byte_skip; + const uint8_t *len_ptr; + int code = 0; /* negative error codes are returned from bad options */ - hdr = (IP6RawHdr*)pkt; - if(len < IP6_HDR_LEN) - { - if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) - DecoderEvent(p, DECODE_IPV6_TRUNCATED, DECODE_IPV6_TRUNCATED_STR, - 1, 1); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding %d bytes of IP options\n", o_len);); - goto decodeipv6_fail; - } - /* Verify version in IP6 Header agrees */ - if((hdr->ip6vfc >> 4) != 6) + while((option_ptr < end_ptr) && (opt_count < IP_OPTMAX) && (code >= 0)) { - if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) - DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR, - 1, 1); - - goto decodeipv6_fail; - } + p->ip_options[opt_count].code = *option_ptr; - if (p->family != NO_IP) - { - if (p->encapsulated || - ((hdr->ip6nxt == IPPROTO_IPIP) || (hdr->ip6nxt == IPPROTO_GRE) || - (hdr->ip6nxt == IPPROTO_IPV6))) + if((option_ptr + 1) < end_ptr) { - - DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, - DECODE_IP_MULTIPLE_ENCAPSULATION_STR, - pkt, len); - return; + len_ptr = option_ptr + 1; } else { - p->encapsulated = 1; - p->outer_iph = p->iph; - p->outer_ip_data = p->ip_data; - p->outer_ip_dsize = p->ip_dsize; + len_ptr = NULL; } - } - payload_len = ntohs(hdr->ip6plen) + IP6_HDR_LEN; - if(payload_len != len) - { - if (payload_len > len) + switch(*option_ptr) { - if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0) - DecoderEvent(p, DECODE_IPV6_DGRAM_GT_CAPLEN, - DECODE_IPV6_DGRAM_GT_CAPLEN_STR, - ScDecoderOversizedAlerts(), ScDecoderOversizedDrops()); - - goto decodeipv6_fail; - } - } - - /* lay the IP struct over the raw data */ - // this is ugly but necessary to keep the rest of the code happy - p->inner_iph = p->iph = (IPHdr *)pkt; - - /* Build Packet structure's version of the IP6 header */ - sfiph_build(p, hdr, AF_INET6); + case IPOPT_NOP: + case 
IPOPT_EOL: + /* if we hit an EOL, we're done */ + if(*option_ptr == IPOPT_EOL) + done = 1; - /* - * Some IP Header tests - * Land Attack(same src/dst ip) - * Loopback (src or dst in 127/8 block) - * Modified: 2/22/05-man for High Endian Architecture. - */ - if(ScIdsMode()) - { - /* some points in the code assume an IP of 0.0.0.0 matches anything, but - * that is not so here. The sfip_compare makes that assumption for - * compatibility, but sfip_contains does not. Hence, sfip_contains - * is used here in the interrim. */ - if( sfip_contains(&p->ip6h->ip_src, &p->ip6h->ip_dst) == SFIP_CONTAINS) - { - DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST, - DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, - 1,1); - } - - if(sfip_is_loopback(&p->ip6h->ip_src) || sfip_is_loopback(&p->ip6h->ip_dst)) - { - DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK, - DECODE_BAD_TRAFFIC_LOOPBACK_STR, - 1,1); + p->ip_options[opt_count].len = 0; + p->ip_options[opt_count].data = NULL; + byte_skip = 1; + break; + default: + /* handle all the dynamic features */ + code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, + &p->ip_options[opt_count], &byte_skip); } - /* Other decoder alerts for IPv6 addresses - Added: 5/24/10 (Snort 2.9.0) */ - if (!sfip_is_set(&p->ip6h->ip_dst)) + if(code < 0) { - DecoderEvent(p, DECODE_IPV6_DST_ZERO, DECODE_IPV6_DST_ZERO_STR, 1, 1); + /* Yes, we use TCP_OPT_* for the IP option decoder. 
+ */ + if(code == TCP_OPT_BADLEN) + { + DecoderOptEvent(p, DECODE_IPV4OPT_BADLEN, + DECODE_IPV4OPT_BADLEN_STR, 1, 1, + execIpOptDrop); + } + else if(code == TCP_OPT_TRUNC) + { + DecoderOptEvent(p, DECODE_IPV4OPT_TRUNCATED, + DECODE_IPV4OPT_TRUNCATED_STR, 1, 1, + execIpOptDrop); + } + return; } - CheckIPV6Multicast(p); - } + if(!done) + opt_count++; - { -#ifdef GRE - /* Remove outer IP options */ - if (p->encapsulated) - { - p->ip_options_data = NULL; - p->ip_options_len = 0; - p->ip_lastopt_bad = 0; - } -#endif - p->ip_option_count = 0; + option_ptr += byte_skip; } - /* set the real IP length for logging */ - p->actual_ip_len = ntohs(p->ip6h->len); - p->ip_data = pkt + IP6_HDR_LEN; - p->ip_dsize = ntohs(p->ip6h->len); - - PushLayer(PROTO_IP6, p, pkt, sizeof(*hdr)); + p->ip_option_count = opt_count; - DecodeIPV6Extensions(GET_IPH_PROTO(p), pkt + IP6_HDR_LEN, ntohs(p->ip6h->len), p); return; - -decodeipv6_fail: - /* If this was Teredo, back up and treat the packet as normal UDP. */ - if (p->proto_bits & PROTO_BIT__TEREDO) - { - pc.ipv6--; - pc.teredo--; - p->proto_bits &= ~PROTO_BIT__TEREDO; -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipv6--; -#endif - return; - } - - pc.discards++; - pc.ipv6disc++; - -#endif /* SUP_IP6 */ } +//-------------------------------------------------------------------- +// decode.c::NON-ETHER STUFF +//-------------------------------------------------------------------- -/* Function: DecodeTeredo(uint8_t *, uint32_t, Packet *) +#ifndef NO_NON_ETHER_DECODER +#ifdef DLT_IEEE802_11 +/* + * Function: DecodeIEEE80211Pkt(Packet *, char *, DAQ_PktHdr_t*, + * uint8_t*) * - * Teredo is IPv6 layered over UDP, with optional "indicators" in between. - * Decode these (if present) and go to DecodeIPv6. + * Purpose: Decode those fun loving wireless LAN packets, one at a time! 
+ * + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * + * Returns: void function */ - -void DecodeTeredo(const uint8_t *pkt, uint32_t len, Packet *p) +void DecodeIEEE80211Pkt(Packet * p, const DAQ_PktHdr_t * pkthdr, + const uint8_t * pkt) { - if (len < TEREDO_MIN_LEN) - return; + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - /* Decode indicators. If both are present, Auth always comes before Origin. */ - if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_AUTH) - { - uint8_t client_id_length, auth_data_length; + PREPROC_PROFILE_START(decodePerfStats); - if (len < TEREDO_INDICATOR_AUTH_MIN_LEN) - return; + pc.total_processed++; - client_id_length = *(pkt + 2); - auth_data_length = *(pkt + 3); + memset(p, 0, PKT_ZERO_LEN); - if (len < (uint32_t)(TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length)) - return; + p->pkth = pkthdr; + p->pkt = pkt; - pkt += (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length); - len -= (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); - if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_ORIGIN) + /* do a little validation */ + if(cap_len < MINIMAL_IEEE80211_HEADER_LEN) { - if (len < TEREDO_INDICATOR_ORIGIN_LEN) - return; + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < IEEE 802.11 header length! " + "(%d bytes)\n", cap_len); + } - pkt += TEREDO_INDICATOR_ORIGIN_LEN; - len -= TEREDO_INDICATOR_ORIGIN_LEN; + PREPROC_PROFILE_END(decodePerfStats); + return; } + /* lay the wireless structure over the packet data */ + p->wifih = (WifiHdr *) pkt; - /* If this is an IPv6 datagram, the first 4 bits will be the number 6. 
*/ - if (( (*pkt & 0xF0) >> 4) == 6) + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n", *p->wifih->addr1, + *p->wifih->addr2);); + + /* determine frame type */ + switch(p->wifih->frame_control & 0x00ff) { - p->proto_bits |= PROTO_BIT__TEREDO; - pc.teredo++; + /* management frames */ + case WLAN_TYPE_MGMT_ASREQ: + case WLAN_TYPE_MGMT_ASRES: + case WLAN_TYPE_MGMT_REREQ: + case WLAN_TYPE_MGMT_RERES: + case WLAN_TYPE_MGMT_PRREQ: + case WLAN_TYPE_MGMT_PRRES: + case WLAN_TYPE_MGMT_BEACON: + case WLAN_TYPE_MGMT_ATIM: + case WLAN_TYPE_MGMT_DIS: + case WLAN_TYPE_MGMT_AUTH: + case WLAN_TYPE_MGMT_DEAUTH: + pc.wifi_mgmt++; + break; - if (ScDeepTeredoInspection() && (p->sp != TEREDO_PORT) && (p->dp != TEREDO_PORT)) - p->packet_flags |= PKT_UNSURE_ENCAP; + /* Control frames */ + case WLAN_TYPE_CONT_PS: + case WLAN_TYPE_CONT_RTS: + case WLAN_TYPE_CONT_CTS: + case WLAN_TYPE_CONT_ACK: + case WLAN_TYPE_CONT_CFE: + case WLAN_TYPE_CONT_CFACK: + pc.wifi_control++; + break; + /* Data packets without data */ + case WLAN_TYPE_DATA_NULL: + case WLAN_TYPE_DATA_CFACK: + case WLAN_TYPE_DATA_CFPL: + case WLAN_TYPE_DATA_ACKPL: - DecodeIPV6(pkt, len, p); + pc.wifi_data++; + break; + case WLAN_TYPE_DATA_DTCFACK: + case WLAN_TYPE_DATA_DTCFPL: + case WLAN_TYPE_DATA_DTACKPL: + case WLAN_TYPE_DATA_DATA: + pc.wifi_data++; - p->packet_flags &= ~PKT_UNSURE_ENCAP; + if(cap_len < IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)) + { + DecoderEvent(p, DECODE_BAD_80211_ETHLLC, + DECODE_BAD_80211_ETHLLC_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + p->ehllc = (EthLlc *) (pkt + IEEE802_11_DATA_HDR_LEN); + +#ifdef DEBUG_MSGS + PrintNetData(stdout,(uint8_t *) p->ehllc, sizeof(EthLlc), NULL); + //ClearDumpBuf(); + + printf("LLC Header:\n"); + printf(" DSAP: 0x%X\n", p->ehllc->dsap); + printf(" SSAP: 0x%X\n", p->ehllc->ssap); +#endif + + if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP) + { + if(cap_len < IEEE802_11_DATA_HDR_LEN + + sizeof(EthLlc) + sizeof(EthLlcOther)) + { + 
DecoderEvent(p, DECODE_BAD_80211_OTHER, + DECODE_BAD_80211_OTHER_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + p->ehllcother = (EthLlcOther *) (pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc)); +#ifdef DEBUG_MSGS + PrintNetData(stdout,(uint8_t *) p->ehllcother, sizeof(EthLlcOther), NULL ); + //ClearDumpBuf(); + printf("LLC Other Header:\n"); + printf(" CTRL: 0x%X\n", p->ehllcother->ctrl); + printf(" ORG: 0x%02X%02X%02X\n", p->ehllcother->org_code[0], + p->ehllcother->org_code[1], p->ehllcother->org_code[2]); + printf(" PROTO: 0x%04X\n", ntohs(p->ehllcother->proto_id)); +#endif + + switch(ntohs(p->ehllcother->proto_id)) + { + case ETHERNET_TYPE_IP: + DecodeIP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + + sizeof(EthLlcOther), + cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - + sizeof(EthLlcOther), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DecodeARP(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + + sizeof(EthLlcOther), + cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - + sizeof(EthLlcOther), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + case ETHERNET_TYPE_EAPOL: + DecodeEapol(p->pkt + IEEE802_11_DATA_HDR_LEN + sizeof(EthLlc) + + sizeof(EthLlcOther), + cap_len - IEEE802_11_DATA_HDR_LEN - sizeof(EthLlc) - + sizeof(EthLlcOther), p); + PREPROC_PROFILE_END(decodePerfStats); + return; + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + IEEE802_11_DATA_HDR_LEN , + cap_len - IEEE802_11_DATA_HDR_LEN , p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + case ETHERNET_TYPE_IPV6: + DecodeIPV6(p->pkt + IEEE802_11_DATA_HDR_LEN, + cap_len - IEEE802_11_DATA_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + + default: + // TBD add decoder drop event for unknown wifi/eth type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + } + break; + default: + // TBD add decoder drop event for unknown wlan frame type + pc.other++; + 
break; } - /* Otherwise, we treat this as normal UDP traffic. */ + PREPROC_PROFILE_END(decodePerfStats); return; } +#endif // DLT_IEEE802_11 /* - * Function: DecodeESP(const uint8_t *, uint32_t, Packet *) + * Function: DecodeTRPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Attempt to decode Encapsulated Security Payload. - * The contents are probably encrypted, but ESP is sometimes used - * with "null" encryption, solely for Authentication. - * This is more of a heuristic -- there is no ESP field that specifies - * the encryption type (or lack thereof). + * Purpose: Decode Token Ring packets! * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => ptr to the Packet struct being filled out + * Arguments: p=> pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeESP(const uint8_t *pkt, uint32_t len, Packet *p) +void DecodeTRPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - uint8_t next_header; - uint8_t pad_length; - const uint8_t *esp_payload; + uint32_t cap_len = pkthdr->caplen; + uint32_t dataoff; /* data offset is variable here */ + PROFILE_VARS; - /* The ESP header contains a crypto Initialization Vector (IV) and - a sequence number. Skip these. */ - if (len < (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN)) - { - DecoderEvent(p, EVARGS(ESP_HEADER_TRUNC), 1, 1); - } - esp_payload = pkt + ESP_HEADER_LEN; + PREPROC_PROFILE_START(decodePerfStats); - /* The Authentication Data at the end of the packet is variable-length. - RFC 2406 says that Encryption and Authentication algorithms MUST NOT - both be NULL, so we assume NULL Encryption and some other Authentication. + pc.total_processed++; - The mandatory algorithms for Authentication are HMAC-MD5-96 and - HMAC-SHA-1-96, so we assume a 12-byte authentication data at the end. 
*/ - len -= (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN); + memset(p, 0, PKT_ZERO_LEN); - pad_length = *(esp_payload + len); - next_header = *(esp_payload + len + 1); + p->pkth = pkthdr; + p->pkt = pkt; - /* Adjust the packet length to account for the padding. - If the padding length is too big, this is probably encrypted traffic. */ - if (pad_length < len) - { - len -= (pad_length); - } - else + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len,(unsigned long) pkthdr->pktlen); + ); + + if(cap_len < sizeof(Trh_hdr)) { - p->data = esp_payload; - p->dsize = (u_short) len; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! " + "(%d < %d bytes)\n", cap_len, TR_HLEN);); + + DecoderEvent(p, DECODE_BAD_TRH, DECODE_BAD_TRH_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); return; } - /* Attempt to decode the inner payload. - There is a small chance that an encrypted next_header would become a - different valid next_header. The PKT_UNSURE_ENCAP flag tells the next - decoder stage to silently ignore invalid headers. */ + /* lay the tokenring header structure over the packet data */ + p->trh = (Trh_hdr *) pkt; - p->packet_flags |= PKT_UNSURE_ENCAP; - switch (next_header) - { - case IPPROTO_IPIP: - DecodeIP(esp_payload, len, p); - p->packet_flags &= ~PKT_UNSURE_ENCAP; - return; + /* + * according to rfc 1042: + * + * The presence of a Routing Information Field is indicated by the Most + * Significant Bit (MSB) of the source address, called the Routing + * Information Indicator (RII). If the RII equals zero, a RIF is + * not present. If the RII equals 1, the RIF is present. + * .. + * However the MSB is already zeroed by this moment, so there's no + * real way to figure out whether RIF is presented in packet, so we are + * doing some tricks to find IPARP signature.. 
+ */ - case IPPROTO_IPV6: - DecodeIPV6(esp_payload, len, p); - p->packet_flags &= ~PKT_UNSURE_ENCAP; + /* + * first I assume that we have single-ring network with no RIF + * information presented in frame + */ + if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! " + "(%d < %d bytes)\n", cap_len, + (sizeof(Trh_hdr) + sizeof(Trh_llc)));); + + DecoderEvent(p, DECODE_BAD_TR_ETHLLC, DECODE_BAD_TR_ETHLLC_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + + p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); + + if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) + { + /* + * DSAP != SSAP != 0xAA .. either we are having frame which doesn't + * carry IP datagrams or has RIF information present. We assume + * lattest ... + */ + + if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! " + "(%d < %d bytes)\n", cap_len, + (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));); + + DecoderEvent(p, DECODE_BAD_TRHMR, DECODE_BAD_TRHMR_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); return; + } - case IPPROTO_TCP: - pc.tcp++; - DecodeTCP(esp_payload, len, p); - p->packet_flags &= ~PKT_UNSURE_ENCAP; + p->trhmr = (Trh_mr *) (pkt + sizeof(Trh_hdr)); + + + if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + + sizeof(Trh_mr) + TRH_MR_LEN(p->trhmr))) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "Captured data length < Token Ring header length! 
" + "(%d < %d bytes)\n", cap_len, + (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));); + + DecoderEvent(p, DECODE_BAD_TR_MR_LEN, DECODE_BAD_TR_MR_LEN_STR, 1, 1); + + PREPROC_PROFILE_END(decodePerfStats); return; + } - case IPPROTO_UDP: - pc.udp++; - DecodeUDP(esp_payload, len, p); - p->packet_flags &= ~PKT_UNSURE_ENCAP; + p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr)); + dataoff = sizeof(Trh_hdr) + TRH_MR_LEN(p->trhmr) + sizeof(Trh_llc); + + } + else + { + p->trhllc = (Trh_llc *) (pkt + sizeof(Trh_hdr)); + dataoff = sizeof(Trh_hdr) + sizeof(Trh_llc); + } + + /* + * ideally we would need to check both SSAP, DSAP, and protoid fields: IP + * datagrams and ARP requests and replies are transmitted in standard + * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with + * the DSAP and the SSAP fields of the 802.2 header set to 170, the + * assigned global SAP value for SNAP [6]. The 24-bit Organization Code + * in the SNAP is zero, and the remaining 16 bits are the EtherType from + * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we would check + * SSAP and DSAP and assume this would be enough to trust. 
+ */ + if(p->trhllc->dsap != IPARP_SAP && p->trhllc->ssap != IPARP_SAP) + { + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "DSAP and SSAP arent set to SNAP\n"); + ); + p->trhllc = NULL; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + switch(htons(p->trhllc->ethertype)) + { + case ETHERNET_TYPE_IP: + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); + DecodeIP(p->pkt + dataoff, cap_len - dataoff, p); + PREPROC_PROFILE_END(decodePerfStats); return; - case IPPROTO_ICMP: - pc.icmp++; - DecodeICMP(esp_payload, len, p); - p->packet_flags &= ~PKT_UNSURE_ENCAP; + case ETHERNET_TYPE_ARP: + case ETHERNET_TYPE_REVARP: + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, "Decoding ARP\n"); + ); + pc.arp++; + + PREPROC_PROFILE_END(decodePerfStats); return; - -#ifdef GRE - case IPPROTO_GRE: - pc.gre++; - DecodeGRE(esp_payload, len, p); - p->packet_flags &= ~PKT_UNSURE_ENCAP; + + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + dataoff, cap_len - dataoff, p); + PREPROC_PROFILE_END(decodePerfStats); return; -#endif default: - /* If we didn't get a valid next_header, this packet is probably - encrypted. Start data here and treat it as an IP datagram. */ - p->data = esp_payload; - p->dsize = (u_short) len; - p->packet_flags &= ~PKT_UNSURE_ENCAP; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", + htons(p->trhllc->ethertype))); + // TBD add decoder drop event for unknown tr/eth type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; } -} - -/* - * Function: DecodeEthLoopback(uint8_t *, uint32_t) - * - * Purpose: Just like IPX, it's just for counting. 
- * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * - * Returns: void function - */ -void DecodeEthLoopback(const uint8_t *pkt, uint32_t len, Packet *p) -{ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "EthLoopback is not supported.\n");); - - pc.ethloopback++; - -#ifdef GRE - if (p->greh != NULL) - pc.gre_loopback++; -#endif + PREPROC_PROFILE_END(decodePerfStats); return; } -#ifndef NO_NON_ETHER_DECODER /* - * Function: DecodeIPX(uint8_t *, uint32_t) + * Function: DecodeFDDIPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Well, it doesn't do much of anything right now... + * Purpose: Mainly taken from CyberPsycotic's Token Ring Code -worm5er * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function - * */ -void DecodeIPX(const uint8_t *pkt, uint32_t len, Packet *p) +void DecodeFDDIPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IPX is not supported.\n");); + uint32_t cap_len = pkthdr->caplen; + uint32_t dataoff = sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps); + PROFILE_VARS; - pc.ipx++; + PREPROC_PROFILE_START(decodePerfStats); -#ifdef GRE - if (p->greh != NULL) - pc.gre_ipx++; -#endif + pc.total_processed++; - return; -} -#endif // NO_NON_ETHER_DECODER + memset(p, 0, PKT_ZERO_LEN); + p->pkth = pkthdr; + p->pkt = pkt; -#ifdef GRE -/* - * Function: DecodeGRE(uint8_t *, uint32_t, Packet *) - * - * Purpose: Decode Generic Routing Encapsulation Protocol - * This will decode normal GRE and PPTP GRE. 
- * - * Arguments: pkt => ptr to the packet data - * len => length from here to the end of the packet - * p => pointer to decoded packet struct - * - * Returns: void function - * - * Notes: see RFCs 1701, 2784 and 2637 - */ -void DecodeGRE(const uint8_t *pkt, const uint32_t len, Packet *p) -{ - uint32_t hlen; /* GRE header length */ - uint32_t payload_len; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long) cap_len,(unsigned long) pkthdr->pktlen); + ); - if (len < GRE_HEADER_LEN) + /* Bounds checking (might not be right yet -worm5er) */ + if(cap_len < dataoff) { - DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR, - DECODE_GRE_DGRAM_LT_GREHDR_STR, - pkt, len); - return; + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); + return; + } } + /* let's put this in as the fddi header structure */ + p->fddihdr = (Fddi_hdr *) pkt; - if (p->encapsulated) - { - /* discard packet - multiple GRE encapsulation */ - /* not sure if this is ever used but I am assuming it is not */ - DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION, - DECODE_IP_MULTIPLE_ENCAPSULATION_STR, - pkt, len); - return; - } + p->fddisaps = (Fddi_llc_saps *) (pkt + sizeof(Fddi_hdr)); - /* Note: Since GRE doesn't have a field to indicate header length and - * can contain a few options, we need to walk through the header to - * figure out the length + /* First we'll check and see if it's an IP/ARP Packet... */ + /* Then we check to see if it's a SNA packet */ + /* + * Lastly we'll declare it none of the above and just slap something + * generic on it to discard it with (I know that sucks, but heck we're + * only looking for IP/ARP type packets currently... 
-worm5er */ - - p->greh = (GREHdr *)pkt; - hlen = GRE_HEADER_LEN; - - switch (GRE_VERSION(p->greh)) + if((p->fddisaps->dsap == FDDI_DSAP_IP) && (p->fddisaps->ssap == FDDI_SSAP_IP)) { - case 0x00: - /* these must not be set */ - if (GRE_RECUR(p->greh) || GRE_FLAGS(p->greh)) + dataoff += sizeof(Fddi_llc_iparp); + + if(cap_len < dataoff) + { + if (ScLogVerbose()) { - DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_HEADER, - DECODE_GRE_INVALID_HEADER_STR, - pkt, len); + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); return; } + } - if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh)) - hlen += GRE_CHKSUM_LEN + GRE_OFFSET_LEN; - - if (GRE_KEY(p->greh)) - hlen += GRE_KEY_LEN; - - if (GRE_SEQ(p->greh)) - hlen += GRE_SEQ_LEN; - - /* if this flag is set, we need to walk through all of the - * Source Route Entries */ - if (GRE_ROUTE(p->greh)) - { - uint16_t sre_addrfamily; - uint8_t sre_offset; - uint8_t sre_length; - const uint8_t *sre_ptr; - - sre_ptr = pkt + hlen; - - while (1) - { - hlen += GRE_SRE_HEADER_LEN; - if (hlen > len) - break; - - sre_addrfamily = ntohs(*((uint16_t *)sre_ptr)); - sre_ptr += sizeof(sre_addrfamily); - - sre_offset = *((uint8_t *)sre_ptr); - sre_ptr += sizeof(sre_offset); - - sre_length = *((uint8_t *)sre_ptr); - sre_ptr += sizeof(sre_length); - - if ((sre_addrfamily == 0) && (sre_length == 0)) - break; - - hlen += sre_length; - sre_ptr += sre_length; - } - } - - break; + p->fddiiparp = (Fddi_llc_iparp *) (pkt + sizeof(Fddi_hdr) + sizeof(Fddi_llc_saps)); + } + else if((p->fddisaps->dsap == FDDI_DSAP_SNA) && + (p->fddisaps->ssap == FDDI_SSAP_SNA)) + { + dataoff += sizeof(Fddi_llc_sna); - /* PPTP */ - case 0x01: - /* these flags should never be present */ - if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh) || GRE_SSR(p->greh) || - GRE_RECUR(p->greh) || GRE_V1_FLAGS(p->greh)) + if(cap_len < dataoff) + { + if (ScLogVerbose()) { - DecoderAlertEncapsulated(p, 
DECODE_GRE_V1_INVALID_HEADER, - DECODE_GRE_V1_INVALID_HEADER_STR, - pkt, len); + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); return; } + } - /* protocol must be 0x880B - PPP */ - if (GRE_PROTO(p->greh) != GRE_TYPE_PPP) - { - DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, - DECODE_GRE_V1_INVALID_HEADER_STR, - pkt, len); - return; - } + p->fddisna = (Fddi_llc_sna *) (pkt + sizeof(Fddi_hdr) + + sizeof(Fddi_llc_saps)); + } + else + { + dataoff += sizeof(Fddi_llc_other); + p->fddiother = (Fddi_llc_other *) (pkt + sizeof(Fddi_hdr) + + sizeof(Fddi_llc_other)); - /* this flag should always be present */ - if (!(GRE_KEY(p->greh))) + if(cap_len < dataoff) + { + if (ScLogVerbose()) { - DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER, - DECODE_GRE_V1_INVALID_HEADER_STR, - pkt, len); + ErrorMessage("Captured data length < FDDI header length! " + "(%d %d bytes)\n", cap_len, dataoff); + PREPROC_PROFILE_END(decodePerfStats); return; } - - hlen += GRE_KEY_LEN; - - if (GRE_SEQ(p->greh)) - hlen += GRE_SEQ_LEN; - - if (GRE_V1_ACK(p->greh)) - hlen += GRE_V1_ACK_LEN; - - break; - - default: - DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_VERSION, - DECODE_GRE_INVALID_VERSION_STR, - pkt, len); - return; + } } - if (hlen > len) + /* + * Now let's see if we actually care about the packet... If we don't, + * throw it out!!! 
+ */ + if((p->fddisaps->dsap != FDDI_DSAP_IP) && + (p->fddisaps->ssap != FDDI_SSAP_IP)) { - DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR, - DECODE_GRE_DGRAM_LT_GREHDR_STR, - pkt, len); + DEBUG_WRAP( + DebugMessage(DEBUG_DECODE, + "This FDDI Packet isn't an IP/ARP packet...\n"); + ); + PREPROC_PROFILE_END(decodePerfStats); return; } - PushLayer(PROTO_GRE, p, pkt, hlen); - payload_len = len - hlen; + cap_len -= dataoff; - /* Send to next protocol decoder */ - /* As described in RFC 2784 the possible protocols are listed in - * RFC 1700 under "ETHER TYPES" - * See also "Current List of Protocol Types" in RFC 1701 - */ - switch (GRE_PROTO(p->greh)) + switch(htons(p->fddiiparp->ethertype)) { case ETHERNET_TYPE_IP: - DecodeIP(pkt + hlen, payload_len, p); - return; - - case GRE_TYPE_TRANS_BRIDGING: - DecodeTransBridging(pkt + hlen, payload_len, p); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding IP\n");); + DecodeIP(p->pkt + dataoff, cap_len, p); + PREPROC_PROFILE_END(decodePerfStats); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - /* clear outer IP headers */ - p->iph = NULL; -#ifdef SUP_IP6 - p->family = NO_IP; -#endif - DecodeARP(pkt + hlen, payload_len, p); - return; - - case ETHERNET_TYPE_IPV6: - DecodeIPV6(pkt + hlen, payload_len, p); - return; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding ARP\n");); + pc.arp++; - case GRE_TYPE_PPP: - DecodePppPktEncapsulated(p, payload_len, pkt + hlen); + PREPROC_PROFILE_END(decodePerfStats); return; -#ifndef NO_NON_ETHER_DECODER - case ETHERNET_TYPE_IPX: - DecodeIPX(pkt + hlen, payload_len, p); + case ETHERNET_TYPE_8021Q: + DecodeVlan(p->pkt + dataoff, cap_len, p); + PREPROC_PROFILE_END(decodePerfStats); return; -#endif - case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(pkt + hlen, payload_len, p); - return; - - /* not sure if this occurs, but 802.1q is an Ether type */ - case ETHERNET_TYPE_8021Q: - DecodeVlan(pkt + hlen, payload_len, p); - return; default: - // TBD add decoder drop event for unknown 
gre/eth type + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown network protocol: %d\n", + htons(p->fddiiparp->ethertype)); + ); + // TBD add decoder drop event for unknown fddi/eth type pc.other++; - p->data = pkt + hlen; - p->dsize = (uint16_t)payload_len; + + PREPROC_PROFILE_END(decodePerfStats); return; } + + PREPROC_PROFILE_END(decodePerfStats); + return; } +#ifdef DLT_LINUX_SLL /* - * Function: DecodeTransBridging(uint8_t *, const uint32_t, Packet) + * Function: DecodeLinuxSLLPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Decode Transparent Ethernet Bridging + * Purpose: Decode those fun loving LinuxSLL (linux cooked sockets) + * packets, one at a time! * - * Arguments: pkt => pointer to the real live packet data - * len => length of remaining data in packet - * p => pointer to the decoded packet struct - * + * Arguments: p => pointer to the decoded packet struct + * user => Utility pointer (unused) + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function - * - * Note: This is basically the code from DecodeEthPkt but the calling - * convention needed to be changed and the stuff at the beginning - * wasn't needed since we are already deep into the packet */ -void DecodeTransBridging(const uint8_t *pkt, const uint32_t len, Packet *p) + +void DecodeLinuxSLLPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - pc.gre_eth++; + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - if(len < ETHERNET_HEADER_LEN) + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + + /* do a little validation */ + if(cap_len < SLL_HDR_LEN) { - DecoderAlertEncapsulated(p, DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR, - 
DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR, - pkt, len); + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < SLL header length (your " + "libpcap is broken?)! (%d bytes)\n", cap_len); + } + PREPROC_PROFILE_END(decodePerfStats); return; } + /* lay the ethernet structure over the packet data */ + p->sllh = (SLLHdr *) pkt; - /* The Packet struct's ethernet header will now point to the inner ethernet - * header of the packet - */ - p->eh = (EtherHdr *)pkt; - PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh)); - - switch (ntohs(p->eh->ether_type)) + /* grab out the network type */ + switch(ntohs(p->sllh->sll_protocol)) { case ETHERNET_TYPE_IP: - DecodeIP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, + "IP datagram size calculated to be %lu bytes\n", + (unsigned long)(cap_len - SLL_HDR_LEN));); + + DecodeIP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); return; case ETHERNET_TYPE_ARP: case ETHERNET_TYPE_REVARP: - DecodeARP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + DecodeARP(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); return; case ETHERNET_TYPE_IPV6: - DecodeIPV6(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + DecodeIPV6(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); return; -#ifndef NO_NON_ETHER_DECODER case ETHERNET_TYPE_IPX: - DecodeIPX(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); + DecodeIPX(p->pkt + SLL_HDR_LEN, (cap_len - SLL_HDR_LEN), p); + PREPROC_PROFILE_END(decodePerfStats); return; -#endif - case ETHERNET_TYPE_LOOP: - DecodeEthLoopback(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + case LINUX_SLL_P_802_3: + DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, + "Linux SLL P 802.3 is not supported.\n");); + // TBD add decoder drop event for unsupported linux sll p 802.3 + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + 
return; + + case LINUX_SLL_P_802_2: + DEBUG_WRAP(DebugMessage(DEBUG_DATALINK, + "Linux SLL P 802.2 is not supported.\n");); + // TBD add decoder drop event for unsupported linux sll p 802.2 + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; case ETHERNET_TYPE_8021Q: - DecodeVlan(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p); - return; + DecodeVlan(p->pkt + SLL_HDR_LEN, cap_len - SLL_HDR_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; default: - // TBD add decoder drop event for unknown xbrdg/eth type + /* shouldn't go here unless pcap library changes again */ + /* should be a DECODE generated alert */ + DEBUG_WRAP(DebugMessage(DEBUG_DATALINK,"(Unknown) %X is not supported. " + "(need tcpdump snapshots to test. Please contact us)\n", + p->sllh->sll_protocol);); + // TBD add decoder drop event for unknown sll encapsulation pc.other++; - p->data = pkt + ETHERNET_HEADER_LEN; - p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN); + PREPROC_PROFILE_END(decodePerfStats); return; } -} -#endif /* GRE */ + PREPROC_PROFILE_END(decodePerfStats); + return; +} +#endif /* DLT_LINUX_SLL */ -void DecoderAlertEncapsulated( - Packet *p, int type, const char *str, const uint8_t *pkt, uint32_t len) +/* + * Function: DecodeOldPflog(Packet *, DAQ_PktHdr_t *, uint8_t *) + * + * Purpose: Pass old pflog format device packets off to IP or IP6 -fleck + * + * Arguments: p => pointer to the decoded packet struct + * pkthdr => ptr to the packet header + * pkt => pointer to the packet data + * + * Returns: void function + * + */ +void DecodeOldPflog(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - DecoderEvent(p, type, (char*)str, 1, 1); + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - p->data = pkt; - p->dsize = (uint16_t)len; + PREPROC_PROFILE_START(decodePerfStats); - p->greh = NULL; -} + pc.total_processed++; + memset(p, 0, PKT_ZERO_LEN); + p->pkth = pkthdr; + p->pkt = pkt; -/** - * Validate that the length is an expected length AND that 
it's in bounds + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + + /* do a little validation */ + if(cap_len < PFLOG1_HDRLEN) + { + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < Pflog header length! " + "(%d bytes)\n", cap_len); + } + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + /* lay the pf header structure over the packet data */ + p->pf1h = (Pflog1Hdr*)pkt; + + /* get the network type - should only be AF_INET or AF_INET6 */ + switch(ntohl(p->pf1h->af)) + { + case AF_INET: /* IPv4 */ + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu " + "bytes\n", (unsigned long)(cap_len - PFLOG1_HDRLEN));); + + DecodeIP(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + +#if defined(AF_INET6) || defined(SUP_IP6) + case AF_INET6: /* IPv6 */ + DecodeIPV6(p->pkt + PFLOG1_HDRLEN, cap_len - PFLOG1_HDRLEN, p); + PREPROC_PROFILE_END(decodePerfStats); + return; +#endif + + default: + /* To my knowledge, pflog devices can only + * pass IP and IP6 packets. -fleck + */ + // TBD add decoder drop event for unknown old pflog network type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + PREPROC_PROFILE_END(decodePerfStats); + return; +} + +/* + * Function: DecodePflog(Packet *, DAQ_PktHdr_t *, uint8_t *) * - * EOL and NOP are handled separately - * - * @param option_ptr current location - * @param end the byte past the end of the decode list - * @param len_ptr the pointer to the length field - * @param expected_len the number of bytes we expect to see per rfc KIND+LEN+DATA, -1 means dynamic. 
- * @param tcpopt options structure to populate - * @param byte_skip distance to move upon completion + * Purpose: Pass pflog device packets off to IP or IP6 -fleck + * + * Arguments: p => pointer to the decoded packet struct + * pkthdr => ptr to the packet header + * pkt => pointer to the packet data + * + * Returns: void function * - * @return returns 0 on success, < 0 on error */ -static INLINE int OptLenValidate(const uint8_t *option_ptr, - const uint8_t *end, - const uint8_t *len_ptr, - int expected_len, - Options *tcpopt, - uint8_t *byte_skip) +void DecodePflog(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - *byte_skip = 0; - - if(len_ptr == NULL) + uint32_t cap_len = pkthdr->caplen; + uint8_t af, pflen; + uint32_t hlen; + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); + DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n", + (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);); + + /* do a little validation */ + if(cap_len < PFLOG2_HDRMIN) { - return TCP_OPT_TRUNC; + if (ScLogVerbose()) + { + ErrorMessage("Captured data length < minimum Pflog length! 
" + "(%d < %lu)\n", cap_len, PFLOG2_HDRMIN); + } + PREPROC_PROFILE_END(decodePerfStats); + return; } - - if(*len_ptr == 0 || expected_len == 0 || expected_len == 1) + /* lay the pf header structure over the packet data */ + if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN ) { - return TCP_OPT_BADLEN; + p->pf2h = (Pflog2Hdr*)pkt; + pflen = p->pf2h->length; + hlen = PFLOG2_HDRLEN; + af = p->pf2h->af; } - else if(expected_len > 1) + else { - if((option_ptr + expected_len) > end) - { - /* not enough data to read in a perfect world */ - return TCP_OPT_TRUNC; - } - - if(*len_ptr != expected_len) - { - /* length is not valid */ - return TCP_OPT_BADLEN; - } + p->pf3h = (Pflog3Hdr*)pkt; + pflen = p->pf3h->length; + hlen = PFLOG3_HDRLEN; + af = p->pf3h->af; } - else /* expected_len < 0 (i.e. variable length) */ + /* now that we know a little more, do a little more validation */ + if(cap_len < hlen) { - if(*len_ptr < 2) + if (ScLogVerbose()) { - /* RFC sez that we MUST have atleast this much data */ - return TCP_OPT_BADLEN; + ErrorMessage("Captured data length < Pflog header length! " + "(%d < %d)\n", cap_len, hlen); } - - if((option_ptr + *len_ptr) > end) + PREPROC_PROFILE_END(decodePerfStats); + return; + } + /* note that the pflen may exclude the padding which is always present */ + if(pflen < hlen - PFLOG_PADLEN || pflen > hlen) + { + if (ScLogVerbose()) { - /* not enough data to read in a perfect world */ - return TCP_OPT_TRUNC; + ErrorMessage("Bad Pflog header length! 
(%d bytes)\n", pflen); } + PREPROC_PROFILE_END(decodePerfStats); + return; } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be " + "%lu bytes\n", (unsigned long)(cap_len - hlen));); - tcpopt->len = *len_ptr - 2; - - if(*len_ptr == 2) - { - tcpopt->data = NULL; - } - else + /* check the network type - should only be AF_INET or AF_INET6 */ + switch(af) { - tcpopt->data = option_ptr + 2; + case AF_INET: /* IPv4 */ + DecodeIP(p->pkt + hlen, cap_len - hlen, p); + PREPROC_PROFILE_END(decodePerfStats); + return; + +#if defined(AF_INET6) || defined(SUP_IP6) + case AF_INET6: /* IPv6 */ + DecodeIPV6(p->pkt + hlen, cap_len - hlen, p); + PREPROC_PROFILE_END(decodePerfStats); + return; +#endif + + default: + /* To my knowledge, pflog devices can only + * pass IP and IP6 packets. -fleck + */ + // TBD add decoder drop event for unknown pflog network type + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; } - *byte_skip = *len_ptr; - - return 0; + PREPROC_PROFILE_END(decodePerfStats); + return; } /* - * Function: DecodeTCPOptions(uint8_t *, uint32_t, Packet *) - * - * Purpose: Fairly self explainatory name, don't you think? - * - * TCP Option Header length validation is left to the caller - * - * For a good listing of TCP Options, - * http://www.iana.org/assignments/tcp-parameters - * - * ------------------------------------------------------------ - * 
From: "Kastenholz, Frank" <FKastenholz@unispherenetworks.com> - * Subject: Re: skeeter & bubba TCP options? - * - * ah, the sins of ones youth that never seem to be lost... - * - * it was something that ben levy and stev and i did at ftp many - * many moons ago. bridgham and stev were the instigators of it. - * the idea was simple, put a dh key exchange directly in tcp - * so that all tcp sessions could be encrypted without requiring - * any significant key management system. authentication was not - * a part of the idea, it was to be provided by passwords or - * whatever, which could now be transmitted over the internet - * with impunity since they were encrypted... we implemented - * a simple form of this (doing the math was non trivial on the - * machines of the day). it worked. the only failure that i - * remember was that it was vulnerable to man-in-the-middle - * attacks. - * - * why "skeeter" and "bubba"? well, that's known only to stev... - * ------------------------------------------------------------ - * - * 4.2.2.5 TCP Options: RFC-793 Section 3.1 + * Function: DecodePppPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) * - * A TCP MUST be able to receive a TCP option in any segment. A TCP - * MUST ignore without error any TCP option it does not implement, - * assuming that the option has a length field (all TCP options - * defined in the future will have length fields). TCP MUST be - * prepared to handle an illegal option length (e.g., zero) without - * crashing; a suggested procedure is to reset the connection and log - * the reason. + * Purpose: Decode PPP traffic (either RFC1661 or RFC1662 framing). 
+ * This really is intended to handle IPCP * - * Arguments: o_list => ptr to the option list - * o_len => length of the option list - * p => pointer to decoded packet struct + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeTCPOptions(const uint8_t *start, uint32_t o_len, Packet *p) +// DecodePppPkt() and DecodePppSerialPkt() may be incorrect ... +// both skip past 2 byte protocol and then call DecodePppPktEncapsulated() +// which does the same thing. That one works inside DecodePPPoEPkt(); +void DecodePppPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) { - const uint8_t *option_ptr = start; - const uint8_t *end_ptr = start + o_len; /* points to byte after last option */ - const uint8_t *len_ptr; - uint8_t opt_count = 0; - u_char done = 0; /* have we reached TCPOPT_EOL yet?*/ - u_char experimental_option_found = 0; /* are all options RFC compliant? 
*/ - u_char obsolete_option_found = 0; - u_char ttcp_found = 0; - - int code = 2; - uint8_t byte_skip; + uint32_t cap_len = pkthdr->caplen; + int hlen = 0; + PROFILE_VARS; - /* Here's what we're doing so that when we find out what these - * other buggers of TCP option codes are, we can do something - * useful - * - * 1) get option code - * 2) check for enough space for current option code - * 3) set option data ptr - * 4) increment option code ptr - * - * TCP_OPTLENMAX = 40 because of - * (((2^4) - 1) * 4 - TCP_HEADER_LEN) - * - */ + PREPROC_PROFILE_START(decodePerfStats); - if(o_len > TCP_OPTLENMAX) + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + + if(cap_len < 2) { - /* This shouldn't ever alert if we are doing our job properly - * in the caller */ - p->tcph = NULL; /* let's just alert */ - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, - "o_len(%u) > TCP_OPTLENMAX(%u)\n", - o_len, TCP_OPTLENMAX)); + if (ScLogVerbose()) + { + ErrorMessage("Length not big enough for even a single " + "header or a one byte payload\n"); + } + PREPROC_PROFILE_END(decodePerfStats); return; } - - while((option_ptr < end_ptr) && (opt_count < TCP_OPTLENMAX) && (code >= 0) && !done) - { - p->tcp_options[opt_count].code = *option_ptr; - if((option_ptr + 1) < end_ptr) - { - len_ptr = option_ptr + 1; - } - else - { - len_ptr = NULL; - } - - switch(*option_ptr) - { - case TCPOPT_EOL: - done = 1; /* fall through to the NOP case */ - case TCPOPT_NOP: - p->tcp_options[opt_count].len = 0; - p->tcp_options[opt_count].data = NULL; - byte_skip = 1; - code = 0; - break; - case TCPOPT_MAXSEG: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MAXSEG, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_SACKOK: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_SACKOK, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_WSCALE: - code = 
OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_WSCALE, - &p->tcp_options[opt_count], &byte_skip); - if (code == 0) - { - if ( - ((uint16_t) p->tcp_options[opt_count].data[0] > 14)) - { - /* LOG INVALID WINDOWSCALE alert */ - if (ScDecoderTcpOptAlerts()) - { - DecoderOptEvent(p, DECODE_TCPOPT_WSCALE_INVALID, - DECODE_TCPOPT_WSCALE_INVALID_STR, 1, 1, - execTcpOptDrop); - } - } - } - break; - case TCPOPT_ECHO: /* both use the same lengths */ - case TCPOPT_ECHOREPLY: - obsolete_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_ECHO, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_MD5SIG: - experimental_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MD5SIG, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_SACK: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->tcp_options[opt_count], &byte_skip); - if(p->tcp_options[opt_count].data == NULL) - code = TCP_OPT_BADLEN; + if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) + { + /* + * Check for full HDLC header (rfc1662 section 3.2) + */ + hlen = 2; + } - break; - case TCPOPT_CC_ECHO: - ttcp_found = 1; - /* fall through */ - case TCPOPT_CC: /* all 3 use the same lengths / T/TCP */ - case TCPOPT_CC_NEW: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_CC, - &p->tcp_options[opt_count], &byte_skip); - break; - case TCPOPT_TRAILER_CSUM: - experimental_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TRAILER_CSUM, - &p->tcp_options[opt_count], &byte_skip); - break; + DecodePppPktEncapsulated(p->pkt + hlen, cap_len - hlen, p); - case TCPOPT_TIMESTAMP: - code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_TIMESTAMP, - &p->tcp_options[opt_count], &byte_skip); - break; - - case TCPOPT_SKEETER: - case TCPOPT_BUBBA: - case TCPOPT_UNASSIGNED: - obsolete_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - 
&p->tcp_options[opt_count], &byte_skip); - break; - default: - case TCPOPT_SCPS: - case TCPOPT_SELNEGACK: - case TCPOPT_RECORDBOUND: - case TCPOPT_CORRUPTION: - case TCPOPT_PARTIAL_PERM: - case TCPOPT_PARTIAL_SVC: - case TCPOPT_ALTCSUM: - case TCPOPT_SNAP: - experimental_option_found = 1; - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->tcp_options[opt_count], &byte_skip); - break; - } + PREPROC_PROFILE_END(decodePerfStats); + return; +} - if(code < 0) - { - if(code == TCP_OPT_BADLEN) - { - DecoderOptEvent(p, DECODE_TCPOPT_BADLEN, - DECODE_TCPOPT_BADLEN_STR, 1, 1, - execTcpOptDrop); - } - else if(code == TCP_OPT_TRUNC) - { - DecoderOptEvent(p, DECODE_TCPOPT_TRUNCATED, - DECODE_TCPOPT_TRUNCATED_STR, 1, 1, - execTcpOptDrop); - } +/* + * Function: DecodePppSerialPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode Mixed PPP/CHDLC traffic. The PPP frames will always have the + * full HDLC header. + * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodePppSerialPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; - /* set the option count to the number of valid - * options found before this bad one - * some implementations (BSD and Linux) ignore - * the bad ones, but accept the good ones */ - p->tcp_option_count = opt_count; + PREPROC_PROFILE_START(decodePerfStats); - return; - } + pc.total_processed++; - opt_count++; + memset(p, 0, PKT_ZERO_LEN); - option_ptr += byte_skip; - } + p->pkth = pkthdr; + p->pkt = pkt; - p->tcp_option_count = opt_count; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - if (experimental_option_found) + if(cap_len < PPP_HDRLEN) { - DecoderOptEvent(p, DECODE_TCPOPT_EXPERIMENT, - DECODE_TCPOPT_EXPERIMENT_STR, 1, 1, - execTcpOptExpDrop); + if (ScLogVerbose()) + { + 
ErrorMessage("Captured data length < PPP header length" + " (%d bytes)\n", cap_len); + } + PREPROC_PROFILE_END(decodePerfStats); + return; } - else if (obsolete_option_found) + + if(pkt[0] == CHDLC_ADDR_BROADCAST && pkt[1] == CHDLC_CTRL_UNNUMBERED) { - DecoderOptEvent(p, DECODE_TCPOPT_OBSOLETE, - DECODE_TCPOPT_OBSOLETE_STR, 1, 1, - execTcpOptObsDrop); + DecodePppPktEncapsulated(p->pkt + 2, cap_len - 2, p); + } else { + DecodeChdlcPkt(p, pkthdr, pkt); } - else if (ttcp_found) + + PREPROC_PROFILE_END(decodePerfStats); + return; +} + + +/* + * Function: DecodeSlipPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decode SLIP traffic + * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeSlipPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + + /* do a little validation */ + if(cap_len < SLIP_HEADER_LEN) { - DecoderOptEvent(p, DECODE_TCPOPT_TTCP, - DECODE_TCPOPT_TTCP_STR, 1, 1, - execTcpOptTTcpDrop); + ErrorMessage("SLIP header length < captured len! (%d bytes)\n", + cap_len); + PREPROC_PROFILE_END(decodePerfStats); + return; + } + + DecodeIP(p->pkt + SLIP_HEADER_LEN, cap_len - SLIP_HEADER_LEN, p); + PREPROC_PROFILE_END(decodePerfStats); +} + +/* + * Function: DecodeI4LRawIPPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and + * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks + * by me. 
+ * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeI4LRawIPPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) +{ + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + if(p->pkth->pktlen < 2) + { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); + // TBD add decoder drop event for bad i4l raw pkt + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); + DecodeIP(pkt + 2, p->pkth->pktlen - 2, p); + + PREPROC_PROFILE_END(decodePerfStats); return; } + /* - * Function: DecodeIPOptions(uint8_t *, uint32_t, Packet *) + * Function: DecodeI4LCiscoIPPkt(Packet *, char *, + * DAQ_PktHdr_t*, uint8_t*) * - * Purpose: Once again, a fairly self-explainatory name + * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and + * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks + * by me. * - * Arguments: o_list => ptr to the option list - * o_len => length of the option list - * p => pointer to decoded packet struct + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data * * Returns: void function */ -void DecodeIPOptions(const uint8_t *start, uint32_t o_len, Packet *p) +void DecodeI4LCiscoIPPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) { - const uint8_t *option_ptr = start; - u_char done = 0; /* have we reached IP_OPTEOL yet? 
*/ - const uint8_t *end_ptr = start + o_len; - uint8_t opt_count = 0; /* what option are we processing right now */ - uint8_t byte_skip; - const uint8_t *len_ptr; - int code = 0; /* negative error codes are returned from bad options */ - + PROFILE_VARS; - DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Decoding %d bytes of IP options\n", o_len);); + PREPROC_PROFILE_START(decodePerfStats); + pc.total_processed++; - while((option_ptr < end_ptr) && (opt_count < IP_OPTMAX) && (code >= 0)) + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + if(p->pkth->pktlen < 4) { - p->ip_options[opt_count].code = *option_ptr; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "What the hell is this?\n");); + // TBD add decoder drop event for bad i4l cisco pkt + pc.other++; + PREPROC_PROFILE_END(decodePerfStats); + return; + } - if((option_ptr + 1) < end_ptr) - { - len_ptr = option_ptr + 1; - } - else - { - len_ptr = NULL; - } - switch(*option_ptr) - { - case IPOPT_NOP: - case IPOPT_EOL: - /* if we hit an EOL, we're done */ - if(*option_ptr == IPOPT_EOL) - done = 1; - - p->ip_options[opt_count].len = 0; - p->ip_options[opt_count].data = NULL; - byte_skip = 1; - break; - default: - /* handle all the dynamic features */ - code = OptLenValidate(option_ptr, end_ptr, len_ptr, -1, - &p->ip_options[opt_count], &byte_skip); - } + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - if(code < 0) + DecodeIP(pkt + 4, p->pkth->caplen - 4, p); + + PREPROC_PROFILE_END(decodePerfStats); + return; +} + +/* + * Function: DecodeChdlcPkt(Packet *, char *, + * DAQ_PktHdr_t*, uint8_t*) + * + * Purpose: Decodes Cisco HDLC encapsulated packets, f.ex. from SONET. 
+ * + * Arguments: p => pointer to decoded packet struct + * user => Utility pointer, unused + * pkthdr => ptr to the packet header + * pkt => pointer to the real live packet data + * + * Returns: void function + */ +void DecodeChdlcPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) +{ + uint32_t cap_len = pkthdr->caplen; + PROFILE_VARS; + + PREPROC_PROFILE_START(decodePerfStats); + + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + + p->pkth = pkthdr; + p->pkt = pkt; + + if(cap_len < CHDLC_HEADER_LEN) + { + if (ScLogVerbose()) { - /* Yes, we use TCP_OPT_* for the IP option decoder. - */ - if(code == TCP_OPT_BADLEN) - { - DecoderOptEvent(p, DECODE_IPV4OPT_BADLEN, - DECODE_IPV4OPT_BADLEN_STR, 1, 1, - execIpOptDrop); - } - else if(code == TCP_OPT_TRUNC) - { - DecoderOptEvent(p, DECODE_IPV4OPT_TRUNCATED, - DECODE_IPV4OPT_TRUNCATED_STR, 1, 1, - execIpOptDrop); - } - return; + ErrorMessage("Captured data length < CHDLC header length" + " (%d bytes)\n", cap_len); } + PREPROC_PROFILE_END(decodePerfStats); + return; + } - if(!done) - opt_count++; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); - option_ptr += byte_skip; + if ((pkt[0] == CHDLC_ADDR_UNICAST || pkt[0] == CHDLC_ADDR_MULTICAST) && + ntohs(*(uint16_t *)&pkt[2]) == ETHERNET_TYPE_IP) + { + DecodeIP(p->pkt + CHDLC_HEADER_LEN, + cap_len - CHDLC_HEADER_LEN, p); + } else { + // TBD add decoder drop event for unsupported chdlc encapsulation + pc.other++; } - - p->ip_option_count = opt_count; + PREPROC_PROFILE_END(decodePerfStats); return; } -#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__) -uint32_t -EXTRACT_32BITS (u_char *p) +/* + * Function: DecodeEapol(uint8_t *, uint32_t, Packet *) + * + * Purpose: Decode 802.1x eapol stuff + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeEapol(const uint8_t * pkt, uint32_t len, Packet * p) { - uint32_t __tmp; + 
p->eplh = (EtherEapol *) pkt; + pc.eapol++; + if(len < sizeof(EtherEapol)) + { + DecoderEvent(p, DECODE_EAPOL_TRUNCATED, + DECODE_EAPOL_TRUNCATED_STR, 1, 1); - memmove(&__tmp, p, sizeof(uint32_t)); - return (uint32_t) ntohl(__tmp); + pc.discards++; + return; + } + if (p->eplh->eaptype == EAPOL_TYPE_EAP) { + DecodeEAP(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); + } + else if(p->eplh->eaptype == EAPOL_TYPE_KEY) { + DecodeEapolKey(pkt + sizeof(EtherEapol), len - sizeof(EtherEapol), p); + } + return; } -#endif /* WORDS_MUSTALIGN && !__GNUC__ */ -#ifdef MPLS -int isPrivateIP(uint32_t addr) +/* + * Function: DecodeEapolKey(uint8_t *, uint32_t, Packet *) + * + * Purpose: Decode 1x key setup + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeEapolKey(const uint8_t * pkt, uint32_t len, Packet * p) { - switch (addr & 0xff) + p->eapolk = (EapolKey *) pkt; + if(len < sizeof(EapolKey)) { - case 0x0a: - return 1; - break; - case 0xac: - if ((addr & 0xf000) == 0x1000) - return 1; - break; - case 0xc0: - if (((addr & 0xff00) ) == 0xa800) - return 1; - break; + DecoderEvent(p, DECODE_EAPKEY_TRUNCATED, + DECODE_EAPKEY_TRUNCATED_STR, 1, 1); + + pc.discards++; + return; } - return 0; + + return; } -#endif -void InitSynToMulticastDstIp( void ) +/* + * Function: DecodeEAP(uint8_t *, uint32_t, Packet *) + * + * Purpose: Decode Extensible Authentication Protocol + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * p => pointer to decoded packet struct + * + * Returns: void function + */ +void DecodeEAP(const uint8_t * pkt, const uint32_t len, Packet * p) { -#ifdef SUP_IP6 - extern SnortConfig *snort_conf_for_parsing; - snort_conf_for_parsing = snort_conf; -#endif - SynToMulticastDstIp = IpAddrSetParse("[232.0.0.0/8,233.0.0.0/8,239.0.0.0/8]"); - - if( SynToMulticastDstIp == NULL ) + 
p->eaph = (EAPHdr *) pkt; + if(len < sizeof(EAPHdr)) { - FatalError("Could not initialize SynToMulticastDstIp\n"); + DecoderEvent(p, DECODE_EAP_TRUNCATED, + DECODE_EAP_TRUNCATED_STR, 1, 1); + + pc.discards++; + return; } -#ifdef SUP_IP6 - snort_conf_for_parsing = NULL; -#endif + if (p->eaph->code == EAP_CODE_REQUEST || + p->eaph->code == EAP_CODE_RESPONSE) { + p->eaptype = pkt + sizeof(EAPHdr); + } + return; } -void SynToMulticastDstIpDestroy( void ) +/* + * Function: DecodeIPX(uint8_t *, uint32_t) + * + * Purpose: Well, it doesn't do much of anything right now... + * + * Arguments: pkt => ptr to the packet data + * len => length from here to the end of the packet + * + * Returns: void function + * + */ +void DecodeIPX(const uint8_t *pkt, uint32_t len, Packet *p) { + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IPX is not supported.\n");); - if( SynToMulticastDstIp ) - { - IpAddrSetDestroy(SynToMulticastDstIp); -#ifndef SUP_IP6 - free(SynToMulticastDstIp); - SynToMulticastDstIp = NULL; + pc.ipx++; + +#ifdef GRE + if (p->greh != NULL) + pc.gre_ipx++; #endif - } + + return; } -static INLINE void CheckIPv4_MinTTL(Packet *p, uint8_t ttl) +#ifdef DLT_ENC +/* see http://sourceforge.net/mailarchive/message.php?msg_id=1000380 */ +/* + * Function: DecodeEncPkt(Packet *, DAQ_PktHdr_t *, uint8_t *) + * + * Purpose: Decapsulate packets of type DLT_ENC. + * XXX Are these always going to be IP in IP? 
+ * + * Arguments: p => pointer to decoded packet struct + * pkthdr => pointer to the packet header + * pkt => pointer to the real live packet data + */ +void DecodeEncPkt(Packet *p, const DAQ_PktHdr_t *pkthdr, const uint8_t *pkt) { + uint32_t cap_len = pkthdr->caplen; + struct enc_header *enc_h; + PROFILE_VARS; - // this sequence of tests is best for the "normal" case where - // the packet ttl is >= the configured min (the default is 1) - if( ttl < ScMinTTL() ) - { - if ( Event_Enabled(DECODE_ZERO_TTL) && (ttl == 0) ) - { - DecoderOptEvent(p, DECODE_ZERO_TTL, DECODE_ZERO_TTL_STR, - 1, 1, execTtlDrop); - } - else if ( Event_Enabled(DECODE_IP4_MIN_TTL) ) - { - DecoderOptEvent(p, DECODE_IP4_MIN_TTL, DECODE_IP4_MIN_TTL_STR, - 1, 1, execTtlDrop); - } - } -} + PREPROC_PROFILE_START(decodePerfStats); -#ifdef SUP_IP6 -static INLINE void CheckIPv6_MinTTL(Packet *p, uint8_t hop_limit) -{ - // this sequence of tests is best for the "normal" case where - // the packet ttl is >= the configured min (the default is 1) - if( hop_limit < ScMinTTL() ) + pc.total_processed++; + + memset(p, 0, PKT_ZERO_LEN); + p->pkth = pkthdr; + p->pkt = pkt; + + if (cap_len < ENC_HEADER_LEN) { - if ( Event_Enabled(DECODE_IP6_ZERO_HOP_LIMIT) && (hop_limit == 0) ) - { - DecoderOptEvent(p, DECODE_IP6_ZERO_HOP_LIMIT, - DECODE_IP6_ZERO_HOP_LIMIT_STR, 1, 1, execHopDrop); - } - else if ( Event_Enabled(DECODE_IPV6_MIN_TTL) ) + if (ScLogVerbose()) { - DecoderOptEvent(p, DECODE_IPV6_MIN_TTL, - DECODE_IPV6_MIN_TTL_STR, 1, 1, execHopDrop); + ErrorMessage("Captured data length < Encap header length! 
(%d bytes)\n", + cap_len); } + PREPROC_PROFILE_END(decodePerfStats); + return; } -} -#endif -/* Decoding of ttl/hop_limit is based on the policy min_ttl */ -static INLINE void DecodeIP_MinTTL(Packet *p) -{ -# ifndef SUP_IP6 - if(p->outer_iph) + enc_h = (struct enc_header *)p->pkt; + if (enc_h->af == AF_INET) { - CheckIPv4_MinTTL( p, p->outer_iph->ip_ttl ); - return; - + DecodeIP(p->pkt + ENC_HEADER_LEN + IP_HEADER_LEN, + cap_len - ENC_HEADER_LEN - IP_HEADER_LEN, p); } - else if(p->iph) + else { - CheckIPv4_MinTTL( p, GET_IPH_TTL(p) ); - return; + ErrorMessage("WARNING: Unknown address family (af: 0x%x).\n", + enc_h->af); } -#else - switch(p->outer_family) - { - case AF_INET: - CheckIPv4_MinTTL( p, p->outer_ip4h.ip_ttl); - return; - - case AF_INET6: - CheckIPv6_MinTTL( p, p->outer_ip6h.hop_lmt); - return; - - default: - break; - } - - switch(p->family) - { - case AF_INET: - CheckIPv4_MinTTL( p, p->ip4h->ip_ttl); - return; - - case AF_INET6: - CheckIPv6_MinTTL( p, p->ip6h->hop_lmt); - return; - - default: - break; - } -#endif - + PREPROC_PROFILE_END(decodePerfStats); return; } +#endif /* DLT_ENC */ -/* Any policy specific decoding should be done in this function which is called by ProcessPacket*/ -void DecodePolicySpecific(Packet *p) -{ - DecodeIP_MinTTL(p); -} +#endif // NO_NON_ETHER_DECODER -/* This function enables or disables the decoder rule. value can only be 0 or 1*/ -void UpdateDecodeRulesArray(uint32_t sid, int value, int all_rules) -{ - int i; - if(all_rules) - { - for(i=0; i<DECODE_INDEX_MAX ; i++) - decodeRulesArray[i] = ( value != 0 ); - } - else - decodeRulesArray[sid] = ( value != 0 ); -} diff -Nru snort-2.9.0.1/src/decode.h snort-2.9.2/src/decode.h --- snort-2.9.0.1/src/decode.h 2010-10-25 12:48:58.000000000 -0700 +++ snort-2.9.2/src/decode.h 2011-11-21 12:15:24.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,7 +20,6 @@ /* $Id$ */ - #ifndef __DECODE_H__ #define __DECODE_H__ @@ -51,7 +50,7 @@ #include "bitop.h" #include "ipv6_port.h" #include "sf_ip.h" -#include "protocols.h" +#include "sf_protocols.h" #include "sfdaq.h" #include "util.h" @@ -83,9 +82,10 @@ #define ETHERNET_HEADER_LEN 14 #define ETHERNET_MAX_LEN_ENCAP 1518 /* 802.3 (+LLC) or ether II ? */ -#define PPPOE_HEADER_LEN 20 /* ETHERNET_HEADER_LEN + 6 */ +#define PPPOE_HEADER_LEN 6 #define VLAN_HEADER_LEN 4 + #ifndef NO_NON_ETHER_DECODER #define MINIMAL_TOKENRING_HEADER_LEN 22 #define MINIMAL_IEEE80211_HEADER_LEN 10 /* Ack frames and others */ @@ -101,7 +101,7 @@ #define WLAN_TYPE_MGMT_REREQ 0x20 /* 0010 00 Reassoc. Req. */ #define WLAN_TYPE_MGMT_RERES 0x30 /* 0011 00 Reassoc. Resp. */ #define WLAN_TYPE_MGMT_PRREQ 0x40 /* 0100 00 Probe Request */ -#define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */ +#define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */ #define WLAN_TYPE_MGMT_BEACON 0x80 /* 1000 00 Beacon */ #define WLAN_TYPE_MGMT_ATIM 0x90 /* 1001 00 ATIM message */ #define WLAN_TYPE_MGMT_DIS 0xa0 /* 1010 00 Disassociation */ @@ -143,7 +143,7 @@ #define EAPOL_TYPE_ASF 0x04 /* EAPOL Encapsulated ASF-Alert */ /* Extensible Authentication Protocol Codes RFC 2284*/ -#define EAP_CODE_REQUEST 0x01 +#define EAP_CODE_REQUEST 0x01 #define EAP_CODE_RESPONSE 0x02 #define EAP_CODE_SUCCESS 0x03 #define EAP_CODE_FAILURE 0x04 @@ -172,6 +172,11 @@ #define TEREDO_INDICATOR_AUTH_MIN_LEN 13 #define TEREDO_MIN_LEN 2 +/* GTP values */ + +#define GTP_MIN_LEN 8 +#define GTP_V0_HEADER_LEN 20 +#define GTP_V1_HEADER_LEN 12 /* ESP constants */ #define ESP_HEADER_LEN 8 #define ESP_AUTH_DATA_LEN 12 
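Review bot: `PPPOE_HEADER_LEN` changes meaning in the `@@ -83,9 +82,10 @@` hunk, from 20 (Ethernet header plus PPPoE header, as the dropped comment said) to the bare 6-byte PPPoE header, and the new line documents neither the field layout nor the change of base. Suggested: `#define PPPOE_HEADER_LEN 6 /* ver/type(1) + code(1) + session id(2) + length(2); excludes the 14-byte Ethernet header */`. Every caller that previously added this constant to an Ethernet-relative offset now needs `ETHERNET_HEADER_LEN` added back; those callers are outside this hunk, so that could not be checked here.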
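Review bot: The three GTP constants added in the `@@ -172,6 +172,11 @@` hunk carry no comment, and `GTP_V1_HEADER_LEN 12` is the GTPv1 header length only when the optional sequence-number, N-PDU-number and next-extension-header fields are present; the mandatory GTPv1 header is the 8 bytes that `GTP_MIN_LEN` already names, and the extra four bytes exist only when the E, S or PN flag in the first octet is set. If the decoder skips `GTP_V1_HEADER_LEN` unconditionally, a packet without the optional fields loses its first four payload bytes and an 8-byte packet underflows the remaining length; the decoder is not in this hunk, so please confirm it tests the flags before using 12. Suggested comments: `#define GTP_V0_HEADER_LEN 20 /* GSM 09.60 fixed header */` and `#define GTP_V1_HEADER_LEN 12 /* 8-byte mandatory header + seq/N-PDU/next-ext, present only if E|S|PN is set */`.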
@@ -224,9 +229,11 @@ #define ICMP_NORMAL_LEN 8 #define IP_OPTMAX 40 -#define IP6_EXTMAX 40 +#define IP6_EXTMAX 8 #define TCP_OPTLENMAX 40 /* (((2^4) - 1) * 4 - TCP_HEADER_LEN) */ +#define LOG_FUNC_MAX 32 + #ifndef IP_MAXPACKET #define IP_MAXPACKET 65535 /* maximum packet size */ #endif /* IP_MAXPACKET */ @@ -309,7 +316,7 @@ #define TCPOPT_BUBBA 17 /* Bubba [Knowles] */ #define TCPOPT_TRAILER_CSUM 18 /* Trailer Checksum Option [Subbu & Monroe] */ -#define TCPOLEN_TRAILER_CSUM 3 +#define TCPOLEN_TRAILER_CSUM 3 #define TCPOPT_MD5SIG 19 /* MD5 Signature Option [RFC2385] */ #define TCPOLEN_MD5SIG 18 @@ -348,7 +355,7 @@ #define TCP_MAXWIN 65535 /* largest value for (unscaled) window */ #endif -#ifndef TCP_MAX_WINSHIFT +#ifndef TCP_MAX_WINSHIFT #define TCP_MAX_WINSHIFT 14 /* maximum window shift */ #endif 
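Review bot: `IP6_EXTMAX` drops from 40 to 8 in the `@@ -224,9 +229,11 @@` hunk without a comment, and since this constant sizes whatever per-packet extension-header array the decoder fills, the safety of the shrink rests entirely on every writer bounding its count by `IP6_EXTMAX` rather than by a literal or the old 40. A crafted IPv6 packet can chain far more than eight extension headers, so the decoder must stop and raise an event at the bound instead of continuing to index; that code is not in this hunk and could not be checked. Suggested: `#define IP6_EXTMAX 8 /* extension headers recorded per packet; decoder must bail with an event past this, never index beyond it */`. The new `LOG_FUNC_MAX 32` likewise gets no comment saying what it bounds.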
@@ -585,54 +592,64 @@ #define PKT_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */ #define PKT_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and * we've only seen traffic in one direction */ -#define PKT_STREAM_UNEST_BI 0x00000008 /* is from an unestablished stream and - * we've seen traffic in both directions */ +#define PKT_STREAM_EST 0x00000008 /* is from an established stream */ -#define PKT_STREAM_EST 0x00000010 /* is from an established stream */ -#define PKT_STATELESS 0x00000020 /* Packet has matched a stateless rule */ +#define PKT_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */ +#define PKT_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */ #define PKT_FROM_SERVER 0x00000040 /* this packet came from the server side of a connection (TCP) */ #define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client side of a connection (TCP) */ -#define PKT_HTTP_DECODE 0x00000100 /* this packet has normalized http */ -/* Replaces PKT_OBFUSCATED which is no longer in use because we no longer - * modify the packet when doing IP obfuscation */ -#define PKT_PAYLOAD_OBFUSCATE 0x00000200 -#define PKT_STREAM_INSERT 0x00000400 /* this packet has been inserted into stream4 */ -#define PKT_ALT_DECODE 0x00000800 /* this packet has been normalized by telnet - - (only set when we must look at an alernative buffer) */ - -#define PKT_STREAM_TWH 0x00001000 -#define PKT_IGNORE_PORT 0x00002000 /* this packet should be ignored, based on port */ -#define PKT_PASS_RULE 0x00004000 /* this packet has matched a pass rule */ -#define PKT_NO_DETECT 0x00008000 /* this packet should not be preprocessed */ - -#define PKT_PREPROC_RPKT 0x00010000 /* set in original packet to indicate a preprocessor - * has a reassembled packet */ -#define PKT_DCE_RPKT 0x00020000 /* this packet is a DCE/RPC reassembled one */ +#define PKT_PDU_HEAD 0x00000100 /* start of PDU */ +#define PKT_PDU_TAIL 0x00000200 /* end of PDU */ +#define 
PKT_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */ + /* don't alert if "next layer" is invalid. */ +#define PKT_HTTP_DECODE 0x00000800 /* this packet has normalized http */ + +#define PKT_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */ +#define PKT_NO_DETECT 0x00002000 /* this packet should not be preprocessed */ +#define PKT_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */ + /* or pipeline http requests */ +#define PKT_PAYLOAD_OBFUSCATE 0x00008000 + +#define PKT_STATELESS 0x00010000 /* Packet has matched a stateless rule */ +#define PKT_PASS_RULE 0x00020000 /* this packet has matched a pass rule */ #define PKT_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */ #define PKT_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */ -#define PKT_SMB_SEG 0x00100000 /* this is an SMB desegmented packet */ -#define PKT_DCE_SEG 0x00200000 /* this is a DCE/RPC desegmented packet */ -#define PKT_DCE_FRAG 0x00400000 /* this is a DCE/RPC defragmented packet */ -#define PKT_SMB_TRANS 0x00800000 /* this is an SMB Transact reassembled packet */ - -#define PKT_DCE_PKT 0x01000000 /* a DCE packet processed by DCE/RPC pp */ -#define PKT_RPC_PKT 0x02000000 /* an ONC RPC packet processed by rpc decode pp */ - -#define PKT_LOGGED 0x04000000 /* this packet has been logged */ +#define PKT_LOGGED 0x00100000 /* this packet has been logged */ +#define PKT_PSEUDO 0x00200000 /* is a pseudo packet */ +#define PKT_MODIFIED 0x00400000 /* packet had normalizations, etc. */ #ifdef NORMALIZER -#define PKT_RESIZED 0x08000000 /* packet has new size; must set modified too */ +#define PKT_RESIZED 0x00800000 /* packet has new size; must set modified too */ #endif -#define PKT_MODIFIED 0x10000000 /* packet had normalizations, etc. 
*/ - -#define PKT_HTTP_RESP_BODY 0x20000000 /* packet has non-zipped HTTP response Body */ -#define PKT_ALLOW_MULTIPLE_DETECT 0x40000000 /* packet has either pipelined mime attachements or pipeline http requests */ -#define PKT_UNSURE_ENCAP 0x80000000 /* packet has a potentially incorrect encapsulation layer. don't alert if "next layer" is invalid. */ +// neither of these flags will be set for (full) retransmissions or non-data segments +// a partial overlap results in out of sequence condition +// out of sequence condition is sticky +#define PKT_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */ +#define PKT_STREAM_ORDER_BAD 0x02000000 /* this stream had at last one gap */ +#define PKT_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */ + +// 0x0F800000 are available + +#define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL) + +#define REASSEMBLED_PACKET_FLAGS (PKT_REBUILT_STREAM|PKT_REASSEMBLED_OLD) + +typedef enum { + PSEUDO_PKT_IP, + PSEUDO_PKT_TCP, + PSEUDO_PKT_DCE_RPKT, + PSEUDO_PKT_SMB_SEG, + PSEUDO_PKT_DCE_SEG, + PSEUDO_PKT_DCE_FRAG, + PSEUDO_PKT_SMB_TRANS, + PSEUDO_PKT_PS, + PSEUDO_PKT_SDF, + PSEUDO_PKT_MAX +} PseudoPacketType; /* error flags */ #define PKT_ERR_CKSUM_IP 0x01 @@ -643,19 +660,15 @@ #define PKT_ERR_CKSUM_ANY 0x1F #define PKT_ERR_BAD_TTL 0x20 -/* Only include application layer reassembled data - * flags here - no PKT_REBUILT_FRAG */ -#define REASSEMBLED_PACKET_FLAGS \ - (PKT_REBUILT_STREAM|PKT_SMB_SEG|PKT_DCE_SEG|PKT_DCE_FRAG|PKT_SMB_TRANS) - /* D A T A S T R U C T U R E S *********************************************/ +typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type); #ifndef NO_NON_ETHER_DECODER /* Start Token Ring Data Structures */ #ifdef _MSC_VER /* Visual C++ pragma to disable warning messages about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif /* LLC structure */ 
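Review bot: The `// 0x0F800000 are available` comment in the `@@ -585,54 +592,64 @@` hunk is wrong: 0x00800000 through 0x04000000 are `PKT_RESIZED`, `PKT_STREAM_ORDER_OK`, `PKT_STREAM_ORDER_BAD` and `PKT_REASSEMBLED_OLD` in this same hunk, so the free bits are 0x08000000 through 0x80000000, i.e. `// 0xF8000000 are available`. A maintainer who trusts the comment and picks 0x01000000 for a new flag would alias the stream-ordering bit. Separately, nearly every existing flag value is renumbered here (`PKT_STREAM_EST` 0x10 -> 0x08, `PKT_STATELESS` 0x20 -> 0x10000, `PKT_HTTP_DECODE` 0x100 -> 0x800) and `PKT_STREAM_UNEST_BI` is removed, which is a binary-incompatible change for any dynamic preprocessor or shared-object rule built against the old header; a line near the flag table stating that such modules must be rebuilt would save some debugging.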
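Review bot: `typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);` in the `@@ -643,19 +660,15 @@` hunk has no comment, and a callback type with two out-pointers and an int return is exactly where the contract needs spelling out: who owns the memory handed back in `*buf`, whether `*len` is an in/out capacity or purely an output, what `*type` identifies, and what the return value signals. None of that is derivable from this hunk, so the block comment above the typedef should be written by whoever knows the callers; covering those four points is enough. It presumably pairs with the `LOG_FUNC_MAX 32` constant added earlier in this file, which the comment could cross-reference.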
@@ -675,7 +688,7 @@ #ifdef _MSC_VER /* Visual C++ pragma to disable warning messages about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif @@ -688,9 +701,9 @@ uint16_t bcast:3, len:5, dir:1, lf:3, res:4; #else uint16_t len:5, length of RIF field, including RC itself - bcast:3, broadcast indicator - res:4, reserved - lf:3, largest frame size + bcast:3, broadcast indicator + res:4, reserved + lf:3, largest frame size dir:1; direction */ @@ -876,10 +889,10 @@ #ifdef _MSC_VER - /* Visual C++ pragma to disable warning messages - * about nonstandard bit field type + /* Visual C++ pragma to disable warning messages + * about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif #define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13) @@ -919,7 +932,7 @@ #define SPARC_TWIDDLE 0 #endif -/* +/* * Ethernet header */ @@ -949,13 +962,13 @@ #endif // NO_NON_ETHER_DECODER -/* Can't add any fields not in the real header here +/* Can't add any fields not in the real header here because of how the decoder uses structure overlaying */ #ifdef _MSC_VER - /* Visual C++ pragma to disable warning messages - * about nonstandard bit field type + /* Visual C++ pragma to disable warning messages + * about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif /* tcpdump shows us the way to cross platform compatibility */ @@ -984,6 +997,9 @@ #ifndef IPPROTO_PIM #define IPPROTO_PIM 103 #endif +#ifndef IPPROTO_PGM +#define IPPROTO_PGM 113 +#endif typedef struct _IPHdr { 
@@ -1007,23 +1023,23 @@ uint16_t ip_id; /* identification */ uint16_t ip_off; /* fragment offset */ uint8_t ip_ttl; /* time to live field */ - uint8_t ip_proto; /* datagram protocol */ + uint8_t ip_proto; /* datagram protocol */ uint16_t ip_csum; /* checksum */ sfip_t ip_src; /* source IP */ sfip_t ip_dst; /* dest IP */ } IP4Hdr; typedef struct _IPv6Hdr -{ +{ uint32_t vcl; /* version, class, and label */ uint16_t len; /* length of the payload */ uint8_t next; /* next header * Uses the same flags as * the IPv4 protocol field */ - uint8_t hop_lmt; /* hop limit */ + uint8_t hop_lmt; /* hop limit */ sfip_t ip_src; sfip_t ip_dst; -} IP6Hdr; +} IP6Hdr; /* IPv6 address */ #ifndef s6_addr 
@@ -1201,73 +1217,73 @@ struct _Packet; /* IPHeader access calls */ -sfip_t * ip4_ret_src(struct _Packet *); -sfip_t * ip4_ret_dst(struct _Packet *); -uint16_t ip4_ret_tos(struct _Packet *); -uint8_t ip4_ret_ttl(struct _Packet *); -uint16_t ip4_ret_len(struct _Packet *); -uint32_t ip4_ret_id(struct _Packet *); -uint8_t ip4_ret_proto(struct _Packet *); -uint16_t ip4_ret_off(struct _Packet *); -uint8_t ip4_ret_ver(struct _Packet *); -uint8_t ip4_ret_hlen(struct _Packet *); - -sfip_t * orig_ip4_ret_src(struct _Packet *); -sfip_t * orig_ip4_ret_dst(struct _Packet *); -uint16_t orig_ip4_ret_tos(struct _Packet *); -uint8_t orig_ip4_ret_ttl(struct _Packet *); -uint16_t orig_ip4_ret_len(struct _Packet *); -uint32_t orig_ip4_ret_id(struct _Packet *); -uint8_t orig_ip4_ret_proto(struct _Packet *); -uint16_t orig_ip4_ret_off(struct _Packet *); -uint8_t orig_ip4_ret_ver(struct _Packet *); -uint8_t orig_ip4_ret_hlen(struct _Packet *); - -sfip_t * ip6_ret_src(struct _Packet *); -sfip_t * ip6_ret_dst(struct _Packet *); -uint16_t ip6_ret_toc(struct _Packet *); -uint8_t ip6_ret_hops(struct _Packet *); -uint16_t ip6_ret_len(struct _Packet *); -uint32_t ip6_ret_id(struct _Packet *); -uint8_t ip6_ret_next(struct _Packet *); -uint16_t ip6_ret_off(struct _Packet *); -uint8_t ip6_ret_ver(struct _Packet *); -uint8_t ip6_ret_hlen(struct _Packet *); - -sfip_t * orig_ip6_ret_src(struct _Packet *); -sfip_t * orig_ip6_ret_dst(struct _Packet *); -uint16_t orig_ip6_ret_toc(struct _Packet *); -uint8_t orig_ip6_ret_hops(struct _Packet *); -uint16_t orig_ip6_ret_len(struct _Packet *); -uint32_t orig_ip6_ret_id(struct _Packet *); -uint8_t orig_ip6_ret_next(struct _Packet *); -uint16_t orig_ip6_ret_off(struct _Packet *); -uint8_t orig_ip6_ret_ver(struct _Packet *); -uint8_t orig_ip6_ret_hlen(struct _Packet *); - -typedef struct _IPH_API -{ - sfip_t * (*iph_ret_src)(struct _Packet *); - sfip_t * (*iph_ret_dst)(struct _Packet *); - uint16_t (*iph_ret_tos)(struct _Packet *); - uint8_t 
(*iph_ret_ttl)(struct _Packet *); - uint16_t (*iph_ret_len)(struct _Packet *); - uint32_t (*iph_ret_id)(struct _Packet *); - uint8_t (*iph_ret_proto)(struct _Packet *); - uint16_t (*iph_ret_off)(struct _Packet *); - uint8_t (*iph_ret_ver)(struct _Packet *); - uint8_t (*iph_ret_hlen)(struct _Packet *); - - sfip_t * (*orig_iph_ret_src)(struct _Packet *); - sfip_t * (*orig_iph_ret_dst)(struct _Packet *); - uint16_t (*orig_iph_ret_tos)(struct _Packet *); - uint8_t (*orig_iph_ret_ttl)(struct _Packet *); - uint16_t (*orig_iph_ret_len)(struct _Packet *); - uint32_t (*orig_iph_ret_id)(struct _Packet *); - uint8_t (*orig_iph_ret_proto)(struct _Packet *); - uint16_t (*orig_iph_ret_off)(struct _Packet *); - uint8_t (*orig_iph_ret_ver)(struct _Packet *); - uint8_t (*orig_iph_ret_hlen)(struct _Packet *); +sfip_t * ip4_ret_src(const struct _Packet *); +sfip_t * ip4_ret_dst(const struct _Packet *); +uint16_t ip4_ret_tos(const struct _Packet *); +uint8_t ip4_ret_ttl(const struct _Packet *); +uint16_t ip4_ret_len(const struct _Packet *); +uint32_t ip4_ret_id(const struct _Packet *); +uint8_t ip4_ret_proto(const struct _Packet *); +uint16_t ip4_ret_off(const struct _Packet *); +uint8_t ip4_ret_ver(const struct _Packet *); +uint8_t ip4_ret_hlen(const struct _Packet *); + +sfip_t * orig_ip4_ret_src(const struct _Packet *); +sfip_t * orig_ip4_ret_dst(const struct _Packet *); +uint16_t orig_ip4_ret_tos(const struct _Packet *); +uint8_t orig_ip4_ret_ttl(const struct _Packet *); +uint16_t orig_ip4_ret_len(const struct _Packet *); +uint32_t orig_ip4_ret_id(const struct _Packet *); +uint8_t orig_ip4_ret_proto(const struct _Packet *); +uint16_t orig_ip4_ret_off(const struct _Packet *); +uint8_t orig_ip4_ret_ver(const struct _Packet *); +uint8_t orig_ip4_ret_hlen(const struct _Packet *); + +sfip_t * ip6_ret_src(const struct _Packet *); +sfip_t * ip6_ret_dst(const struct _Packet *); +uint16_t ip6_ret_toc(const struct _Packet *); +uint8_t ip6_ret_hops(const struct _Packet *); +uint16_t 
ip6_ret_len(const struct _Packet *); +uint32_t ip6_ret_id(const struct _Packet *); +uint8_t ip6_ret_next(const struct _Packet *); +uint16_t ip6_ret_off(const struct _Packet *); +uint8_t ip6_ret_ver(const struct _Packet *); +uint8_t ip6_ret_hlen(const struct _Packet *); + +sfip_t * orig_ip6_ret_src(const struct _Packet *); +sfip_t * orig_ip6_ret_dst(const struct _Packet *); +uint16_t orig_ip6_ret_toc(const struct _Packet *); +uint8_t orig_ip6_ret_hops(const struct _Packet *); +uint16_t orig_ip6_ret_len(const struct _Packet *); +uint32_t orig_ip6_ret_id(const struct _Packet *); +uint8_t orig_ip6_ret_next(const struct _Packet *); +uint16_t orig_ip6_ret_off(const struct _Packet *); +uint8_t orig_ip6_ret_ver(const struct _Packet *); +uint8_t orig_ip6_ret_hlen(const struct _Packet *); + +typedef struct _IPH_API +{ + sfip_t * (*iph_ret_src)(const struct _Packet *); + sfip_t * (*iph_ret_dst)(const struct _Packet *); + uint16_t (*iph_ret_tos)(const struct _Packet *); + uint8_t (*iph_ret_ttl)(const struct _Packet *); + uint16_t (*iph_ret_len)(const struct _Packet *); + uint32_t (*iph_ret_id)(const struct _Packet *); + uint8_t (*iph_ret_proto)(const struct _Packet *); + uint16_t (*iph_ret_off)(const struct _Packet *); + uint8_t (*iph_ret_ver)(const struct _Packet *); + uint8_t (*iph_ret_hlen)(const struct _Packet *); + + sfip_t * (*orig_iph_ret_src)(const struct _Packet *); + sfip_t * (*orig_iph_ret_dst)(const struct _Packet *); + uint16_t (*orig_iph_ret_tos)(const struct _Packet *); + uint8_t (*orig_iph_ret_ttl)(const struct _Packet *); + uint16_t (*orig_iph_ret_len)(const struct _Packet *); + uint32_t (*orig_iph_ret_id)(const struct _Packet *); + uint8_t (*orig_iph_ret_proto)(const struct _Packet *); + uint16_t (*orig_iph_ret_off)(const struct _Packet *); + uint8_t (*orig_iph_ret_ver)(const struct _Packet *); + uint8_t (*orig_iph_ret_hlen)(const struct _Packet *); char ver; } IPH_API; 
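Review bot: The accessors now take `const struct _Packet *` but still return a writable `sfip_t *` (`ip4_ret_src`/`ip4_ret_dst`, the `ip6_` and `orig_` variants, and the matching `IPH_API` function pointers), so a caller holding a const packet receives a pointer through which it can modify that packet; the added const is only nominal. Unless some caller really writes through the result, finish the sweep with `const sfip_t * ip4_ret_src(const struct _Packet *);` and `const sfip_t * (*iph_ret_src)(const struct _Packet *);` and likewise for the other address accessors. If a caller does mutate through it, a comment on `IPH_API` saying so would stop the next reader assuming the packet is immutable here.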
@@ -1278,7 +1294,7 @@ #define IPH_API_V4 4 #define IPH_API_V6 6 -#define iph_is_valid(p) (p->family != NO_IP) +#define iph_is_valid(p) ((p)->family != NO_IP) #define NO_IP 0 #endif @@ -1288,13 +1304,13 @@ #endif -/* Can't add any fields not in the real header here +/* Can't add any fields not in the real header here because of how the decoder uses structure overlaying */ #ifdef _MSC_VER - /* Visual C++ pragma to disable warning - * messages about nonstandard bit field type + /* Visual C++ pragma to disable warning + * messages about nonstandard bit field type */ - #pragma warning( disable : 4214 ) + #pragma warning( disable : 4214 ) #endif #ifndef IPPROTO_IPIP @@ -1369,8 +1385,8 @@ } TCPHdr; #ifdef _MSC_VER - /* Visual C++ pragma to enable warning messages - * about nonstandard bit field type + /* Visual C++ pragma to enable warning messages + * about nonstandard bit field type */ #pragma warning( default : 4214 ) #endif @@ -1410,13 +1426,13 @@ uint32_t sih_void; - struct pmtu + struct pmtu { uint16_t ipm_void; uint16_t nextmtu; } pmtu; - struct rtradv + struct rtradv { uint8_t num_addrs; uint8_t wpa; @@ -1435,24 +1451,24 @@ #define s_icmp_wpa icmp_hun.rtradv.wpa #define s_icmp_lifetime icmp_hun.rtradv.lifetime - union + union { /* timestamp */ - struct ts + struct ts { uint32_t otime; uint32_t rtime; uint32_t ttime; } ts; - + /* IP header for unreach */ - struct ih_ip + struct ih_ip { IPHdr *ip; /* options and then 64 bits of data */ } ip; - - struct ra_addr + + struct ra_addr { uint32_t addr; uint32_t preference; @@ -1531,7 +1547,6 @@ /* PPPoEHdr Header; EtherHdr plus the PPPoE Header */ typedef struct _PPPoEHdr { - EtherHdr ethhdr; /* ethernet header */ unsigned char ver_type; /* pppoe version/type */ unsigned char code; /* pppoe code CODE_* */ unsigned short session; /* session id */ 
@@ -1558,6 +1573,51 @@ uint8_t ttl; } MplsHdr; +#define PGM_NAK_ERR -1 +#define PGM_NAK_OK 0 +#define PGM_NAK_VULN 1 + +typedef struct _PGM_NAK_OPT +{ + uint8_t type; /* 02 = vuln */ + uint8_t len; + uint8_t res[2]; + uint32_t seq[1]; /* could be many many more, but 1 is sufficient */ +} PGM_NAK_OPT; + +typedef struct _PGM_NAK +{ + uint32_t seqnum; + uint16_t afil1; + uint16_t res1; + uint32_t src; + uint16_t afi2; + uint16_t res2; + uint32_t multi; + PGM_NAK_OPT opt; +} PGM_NAK; + +typedef struct _PGM_HEADER +{ + uint16_t srcport; + uint16_t dstport; + uint8_t type; + uint8_t opt; + uint16_t checksum; + uint8_t gsd[6]; + uint16_t length; + PGM_NAK nak; +} PGM_HEADER; + +/* GTP basic Header */ +typedef struct _GTPHdr +{ + uint8_t flag; /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */ + uint8_t type; /* message type */ + uint16_t length; /* length */ + +} GTPHdr; + #define LAYER_MAX 32 // REMEMBER match any changes you make here in: @@ -1577,6 +1637,7 @@ const VlanTagHdr *vh; EthLlc *ehllc; EthLlcOther *ehllcother; + const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */ const GREHdr *greh; uint32_t *mpls; @@ -1601,7 +1662,8 @@ void *fragtracker; /* for ip fragmentation tracking info... */ void *flow; /* for flow info */ void *streamptr; /* for tcp pkt dump */ - + void *policyEngineData; + //vvv----------------------------- IP4Hdr *ip4h, *orig_ip4h; /* SUP_IP6 members */ IP6Hdr *ip6h, *orig_ip6h; @@ -1632,11 +1694,9 @@ uint32_t preprocessor_bits; /* flags for preprocessors to check */ uint32_t preproc_reassembly_pkt_bits; - uint32_t caplen; uint32_t http_pipeline_count; /* Counter for HTTP pipelined requests */ uint32_t packet_flags; /* special flags for the packet */ uint16_t proto_bits; - uint16_t data_flags; //vvv----------------------------- uint16_t dsize; /* packet payload size */ 
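Review bot: `PGM_NAK_OPT.seq[1]` and the `PGM_HEADER` that embeds a whole `PGM_NAK` are overlay templates onto packet bytes rather than fixed-size records, but nothing in the header says so: a decoder that requires `len >= sizeof(PGM_HEADER)` before touching the 16-byte PGM header would reject valid packets, and one that walks `seq[]` for `PGM_NAK_OPT.len` entries would read past the captured data, since `len` comes from the wire. I would add above `_PGM_NAK_OPT`: `/* Wire overlay, not a record: seq[] is variable length and any walk over it must be bounded by the captured packet length, never by the attacker-controlled len field. */` and a similar one-liner above `_PGM_HEADER`. The field names `afil1`/`afi2` also look like a typo for `afi1`/`afi2`. The decoder that uses these types is not in this hunk, so whether it already bounds the walk cannot be confirmed here.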
@@ -1669,6 +1729,7 @@ uint8_t uri_count; /* number of URIs in this packet */ uint8_t error_flags; /* flags indicate checksum errors, bad TTLs, etc. */ uint8_t encapsulated; + uint8_t GTPencapsulated; uint8_t ip_option_count; /* number of options in this packet */ uint8_t tcp_option_count; @@ -1682,11 +1743,14 @@ uint8_t next_layer; /* index into layers for next encap */ + uint32_t xtradata_mask; + uint32_t per_packet_xtradata; + #ifndef NO_NON_ETHER_DECODER const Fddi_hdr *fddihdr; /* FDDI support headers */ Fddi_llc_saps *fddisaps; Fddi_llc_sna *fddisna; - Fddi_llc_iparp *fddiiparp; + Fddi_llc_iparp *fddiiparp; Fddi_llc_other *fddiother; const Trh_hdr *trh; /* Token Ring support headers */ @@ -1703,8 +1767,6 @@ #ifdef DLT_IEEE802_11 const WifiHdr *wifih; /* wireless LAN header */ #endif - const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */ - const EtherEapol *eplh; /* 802.1x EAPOL header */ const EAPHdr *eaph; const uint8_t *eaptype; @@ -1718,9 +1780,11 @@ const IP6RawHdr* raw_ip6h; // innermost raw ip6 header Layer layers[LAYER_MAX]; /* decoded encapsulations */ + + PseudoPacketType pseudo_type; // valid only when PKT_PSEUDO is set uint16_t max_dsize; - /**policyId provided in configuration file. Used for correlating configuration + /**policyId provided in configuration file. Used for correlating configuration * with event output */ uint16_t configPolicyId; 
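Review bot: `xtradata_mask` and `per_packet_xtradata` are added to `Packet` without any comment, while the nearby fields all have one, and `GTPencapsulated` breaks the snake_case used by its neighbours `encapsulated` and `error_flags`. Suggest `uint32_t xtradata_mask;        /* bitmask of registered xtradata log ids, bit (id-1) via BIT() */` and `uint32_t per_packet_xtradata;  /* same encoding; presumably reset for every packet, confirm against the code that clears it */`, and renaming to `gtp_encapsulated` if the field is new enough that no out-of-tree code references it. The `pseudo_type` comment in the last hunk is a good model for the level of detail wanted.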
@@ -1736,27 +1800,33 @@ #define PROTO_BIT__UDP 0x0008 #define PROTO_BIT__ICMP 0x0010 #define PROTO_BIT__TEREDO 0x0020 +#define PROTO_BIT__GTP 0x0040 #define PROTO_BIT__ALL 0xffff -#define DATA_FLAGS_TRUE_IP 0x0001 -#define DATA_FLAGS_GZIP 0x0002 -#define DATA_FLAGS_RESP_BODY 0x0004 - #define IsIP(p) (IPH_IS_VALID(p)) #define IsTCP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_TCP)) #define IsUDP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_UDP)) #define IsICMP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_ICMP)) #define GET_PKT_SEQ(p) (ntohl(p->tcph->th_seq)) -#ifdef SUP_IP6 -/* Sets the callbacks to point at the family selected by +/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */ +#define SEQ_LT(a,b) ((int)((a) - (b)) < 0) +#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0) +#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) +#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0) +#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0) + +#define BIT(i) (0x1 << (i-1)) + +#ifdef SUP_IP6 +/* Sets the callbacks to point at the family selected by * * "family". "family" is either AF_INET or AF_INET6 */ #define CALLBACK_IP 0 #define CALLBACK_ICMP_ORIG 1 -static INLINE void set_callbacks(struct _Packet *p, int family, char orig) +static inline void set_callbacks(struct _Packet *p, int family, char orig) { - if (p == NULL) + if (p == NULL) { ErrorMessage("%s(%d) Can't set iph api callback: Packet is NULL.\n", __FILE__, __LINE__); @@ -1792,15 +1862,15 @@ typedef struct s_pseudoheader { - uint32_t sip, dip; - uint8_t zero; - uint8_t protocol; - uint16_t len; + uint32_t sip, dip; + uint8_t zero; + uint8_t protocol; + uint16_t len; } PSEUDO_HDR; /* Default classification for decoder alerts */ -#define DECODE_CLASS 25 +#define DECODE_CLASS 25 typedef struct _DecoderFlags { @@ -1822,7 +1892,7 @@ /* To be moved to the frag preprocessor once it supports IPv6 */ char ipv6_bad_frag_pkt; char bsd_icmp_frag; - char drop_bad_ipv6_frag; + char drop_bad_ipv6_frag; } DecoderFlags; 
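Review bot: `BIT(i)` shifts a signed `0x1` and does not parenthesize its argument: for `i == 32` it yields `1 << 31`, which overflows `int` and is undefined behaviour in C, and an argument containing an operator of lower precedence than `-` (a conditional, for instance) expands incorrectly. Use `#define BIT(i) (0x1u << ((i) - 1))`; its user `SetLogFuncs` later in the file stores the result into `uint32_t` masks, so the unsigned form is what is wanted anyway. The `SEQ_*` macros rely on the unsigned difference converting to a negative `int`, which is implementation-defined but the standard TCP idiom; a cast to `int32_t` would make the intent explicit. `set_callbacks` at the end of the hunk continues outside it.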
@@ -1833,27 +1903,29 @@ // root decoders void DecodeEthPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); -void DecodePppPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodeNullPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodeRawPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); -void DecodePPPoEPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodeRawPkt6(Packet *, const DAQ_PktHdr_t*, const uint8_t *); // chained decoders void DecodeARP(const uint8_t *, uint32_t, Packet *); void DecodeEthLoopback(const uint8_t *, uint32_t, Packet *); void DecodeVlan(const uint8_t *, const uint32_t, Packet *); -void DecodePppPktEncapsulated(Packet *, const uint32_t, const uint8_t *); +void DecodePppPktEncapsulated(const uint8_t *, const uint32_t, Packet *); +void DecodePPPoEPkt(const uint8_t *, const uint32_t, Packet *); void DecodeIP(const uint8_t *, const uint32_t, Packet *); void DecodeIPV6(const uint8_t *, uint32_t, Packet *); void DecodeTCP(const uint8_t *, const uint32_t, Packet *); void DecodeUDP(const uint8_t *, const uint32_t, Packet *); void DecodeICMP(const uint8_t *, const uint32_t, Packet *); +void DecodeICMP6(const uint8_t *, const uint32_t, Packet *); void DecodeICMPEmbeddedIP(const uint8_t *, const uint32_t, Packet *); void DecodeICMPEmbeddedIP6(const uint8_t *, const uint32_t, Packet *); void DecodeIPOptions(const uint8_t *, uint32_t, Packet *); void DecodeTCPOptions(const uint8_t *, uint32_t, Packet *); void DecodeTeredo(const uint8_t *, uint32_t, Packet *); void DecodeESP(const uint8_t *, uint32_t, Packet *); +void DecodeGTP(const uint8_t *, uint32_t, Packet *); #ifdef GRE void DecodeGRE(const uint8_t *, const uint32_t, Packet *); 
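Review bot: The argument order of `DecodePppPktEncapsulated` is reversed and `DecodePPPoEPkt` moves from the root to the chained form, which is the right convention, but that convention is only implied by the `// root decoders` / `// chained decoders` labels; make it explicit so the next added decoder follows it: `// root decoders: (Packet *, DAQ header, data)` and `// chained decoders: (data, remaining length, Packet *)`. The length parameter is also inconsistently declared `uint32_t` for `DecodeIPV6`, `DecodeTeredo`, `DecodeESP` and the new `DecodeGTP`, but `const uint32_t` for `DecodeIP`, `DecodeTCP`, `DecodeICMP6`; a top-level const on a by-value parameter is meaningless in a prototype and could be dropped uniformly.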
@@ -1863,11 +1935,12 @@ #ifdef MPLS int isPrivateIP(uint32_t addr); -void DecodeEthOverMPLS(Packet * p, const DAQ_PktHdr_t* pkthdr, const uint8_t * pkt); -void DecodeMPLS(const uint8_t * pkt, DAQ_PktHdr_t * pkthdr, Packet * p); +void DecodeEthOverMPLS(const uint8_t*, const uint32_t, Packet*); +void DecodeMPLS(const uint8_t*, const uint32_t, Packet*); #endif #ifndef NO_NON_ETHER_DECODER +// root decoders void DecodeTRPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodeFDDIPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodeLinuxSLLPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); @@ -1878,9 +1951,11 @@ void DecodeChdlcPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodePflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodeOldPflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +void DecodePppPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodePppSerialPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); void DecodeEncPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *); +// chained decoders void DecodeEAP(const uint8_t *, const uint32_t, Packet *); void DecodeEapol(const uint8_t *, uint32_t, Packet *); void DecodeEapolKey(const uint8_t *, uint32_t, Packet *); 
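Review bot: `DecodePppPkt` is now declared only under `#ifndef NO_NON_ETHER_DECODER`, while its chained counterpart `DecodePppPktEncapsulated` stays unconditional in the previous hunk; any translation unit built with `NO_NON_ETHER_DECODER` that still calls `DecodePppPkt` loses its prototype, which shows up as an implicit-declaration diagnostic rather than a silent change, but the grouping looks deliberate only if it is commented. A one-liner next to the move, e.g. `// DecodePppPkt is a raw-PPP root decoder and is excluded together with the other non-Ethernet link layers`, would settle that; the "raw-PPP" wording is inferred from the name and should be checked against the decoder. `DecodeMPLS` dropping the non-const `DAQ_PktHdr_t *` in favour of the chained signature is a clear improvement.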
@@ -1914,12 +1989,36 @@ #define SFTARGET_UNKNOWN_PROTOCOL -1 -static INLINE int PacketWasCooked(Packet* p) +static inline int PacketWasCooked(Packet* p) +{ + return ( p->packet_flags & PKT_PSEUDO ) != 0; +} + +#ifdef ENABLE_PAF +static inline bool PacketHasFullPDU (const Packet* p) { - return ( p->packet_flags & - ( PKT_REBUILT_STREAM | PKT_REBUILT_FRAG | - PKT_DCE_RPKT | PKT_DCE_SEG | PKT_DCE_FRAG | - PKT_SMB_SEG | PKT_SMB_TRANS) ) != 0; + return ( (p->packet_flags & PKT_PDU_FULL) == PKT_PDU_FULL ); +} + +static inline bool PacketHasStartOfPDU (const Packet* p) +{ + return ( (p->packet_flags & PKT_PDU_HEAD) != 0 ); +} + +static inline bool PacketHasPAFPayload (const Packet* p) +{ + return ( (p->packet_flags & PKT_REBUILT_STREAM) || PacketHasFullPDU(p) ); +} +#endif + +static inline void SetLogFuncs(Packet *p, uint32_t id, uint8_t per_packet) +{ + if(!id) + return; + if(per_packet) + p->per_packet_xtradata |= BIT(id); + else + p->xtradata_mask |= BIT(id); } #endif /* __DECODE_H__ */ diff -Nru snort-2.9.0.1/src/detect.c snort-2.9.2/src/detect.c --- snort-2.9.0.1/src/detect.c 2010-10-25 12:48:58.000000000 -0700 +++ snort-2.9.2/src/detect.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** @@ -39,7 +39,7 @@ #include "snort.h" #include "detect.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" #include "tag.h" @@ -122,7 +122,7 @@ } } #endif - + // If the packet has errors, we won't analyze it. if ( p->error_flags ) { 
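Review bot: `SetLogFuncs` only rejects `id == 0`; an `id` greater than 32 makes `BIT(id)` shift by at least the width of the type, which is undefined behaviour and on common targets silently sets an unrelated bit in `xtradata_mask` or `per_packet_xtradata`. Change the guard to `if (!id || id > 8 * sizeof(p->xtradata_mask)) return;` so an out-of-range registration is dropped rather than corrupting another logger's bit. `PacketWasCooked` now tests only `PKT_PSEUDO` instead of the previous list of reassembly flags, which is correct only if every rebuilt-packet path sets `PKT_PSEUDO`; that cannot be verified from this header. The PAF helpers return `bool`, so this header needs `<stdbool.h>` (or an equivalent) included before this point, which is not visible here.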
@@ -136,6 +136,10 @@ } else { + tSfPolicyId new_policy_id; + PreprocEvalFuncNode *new_idx; + PreprocEvalFuncNode *idx = policy->preproc_eval_funcs; + /* Not a completely ideal place for this since any entries added on the * PacketCallback -> ProcessPacket -> Preprocess trail will get * obliterated - right now there isn't anything adding entries there. 
@@ -152,35 +156,85 @@ ** Reset the appropriate application-layer protocol fields */ p->uri_count = 0; - /*UriBufs[0].decode_flags = 0;*/ - file_data_ptr = NULL; - base64_decode_size = 0; - doe_buf_flags = 0; - mime_decode_size = 0; - mime_present = 0; p->alt_dsize = 0; + DetectReset((uint8_t *)p->data, p->dsize); - /* Most preprocessor protocols are over TCP and 90+ percent of traffic in most - * environments is TCP so this check almost always passes. Initial performance - * tests indicate this check hinders performance slightly, but keep it here - * commented in case initial performance tests are wrong. Its main purpose is - * to filter out traffic that no preprocessors are going to look at thus - * avoiding iterating through each preprocessor */ - //if (p->proto_bits & preproc_proto_mask) - { - PreprocEvalFuncNode *idx = policy->preproc_eval_funcs; + /* Turn on all preprocessors */ + EnablePreprocessors(p); - /* Turn on all preprocessors */ - EnablePreprocessors(p); - - for (; (idx != NULL) && !(p->packet_flags & PKT_PASS_RULE); idx = idx->next) + if ( p->dsize ) + { + while ((idx != NULL) && !(p->packet_flags & PKT_PASS_RULE)) { - if (((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL)) && + if ( ((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL) ) && IsPreprocBitSet(p, idx->preproc_bit)) { idx->func(p, idx->context); + new_policy_id = getRuntimePolicy(); + if (new_policy_id != policy_id) + { + policy_id = new_policy_id; + policy = snort_conf->targeted_policies[policy_id]; + if (!policy) + break; + for (new_idx = policy->preproc_eval_funcs; new_idx; new_idx = new_idx->next) + { + if (new_idx->func == idx->func) + { + new_idx = new_idx->next; + break; + } + else if ((idx->next && new_idx->func == idx->next->func) || new_idx->priority > idx->priority) + break; + } + idx = new_idx; + } + else + idx = idx->next; } + else + idx = idx->next; + } + } + else + { + while ((idx != NULL) && !(p->packet_flags & PKT_PASS_RULE)) + 
{ + // short-circuit here if no app data + if ( idx->priority >= PRIORITY_APPLICATION ) + { + break; + } + if ( ((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL) ) && + IsPreprocBitSet(p, idx->preproc_bit)) + { + idx->func(p, idx->context); + new_policy_id = getRuntimePolicy(); + if (new_policy_id != policy_id) + { + policy_id = new_policy_id; + policy = snort_conf->targeted_policies[policy_id]; + if (!policy) + break; + for (new_idx = policy->preproc_eval_funcs; new_idx; new_idx = new_idx->next) + { + if (new_idx->func == idx->func) + { + new_idx = new_idx->next; + break; + } + else if ((idx->next && new_idx->func == idx->next->func) || new_idx->priority > idx->priority) + break; + } + idx = new_idx; + } + else + idx = idx->next; + } + else + idx = idx->next; } + DisableDetect(p); } if ((do_detect) && (p->bytes_to_inspect != -1)) @@ -203,7 +257,7 @@ } check_tags_flag = 1; - + PREPROC_PROFILE_START(eventqPerfStats); retval = SnortEventqLog(snort_conf->event_queue, p); SnortEventqReset(); 
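Review bot: The policy-switch logic after `idx->func(p, idx->context)` is copied verbatim into both the `p->dsize` and the no-data branch (about twenty lines each), so the next fix to how the resume node is found has to be made twice. Extract it into a static helper that returns the next node to evaluate and updates `policy_id`/`policy`, and let both loops call it; the pointer type of `policy` is declared earlier in `Preprocess`, outside this hunk, and the helper's parameter must match it. Note also that when the new policy lookup yields NULL the loop `break`s with `policy` left NULL; if `policy` is dereferenced later in `Preprocess` (not visible in the hunk) that needs a guard. `Preprocess` starts before this hunk and continues after it.
```c
/* After a preprocessor ran, the runtime policy may have changed; return the
 * node to resume from in the (possibly new) policy's list, or NULL to stop.
 * Updates *policy_id and *policy when the policy changed. */
static PreprocEvalFuncNode *NextPreprocNode(PreprocEvalFuncNode *idx,
                                            tSfPolicyId *policy_id,
                                            SnortPolicy **policy)
{
    tSfPolicyId new_policy_id = getRuntimePolicy();
    PreprocEvalFuncNode *new_idx;

    if (new_policy_id == *policy_id)
        return idx->next;

    *policy_id = new_policy_id;
    *policy = snort_conf->targeted_policies[new_policy_id];
    if (!*policy)
        return NULL;

    for (new_idx = (*policy)->preproc_eval_funcs; new_idx; new_idx = new_idx->next)
    {
        if (new_idx->func == idx->func)
            return new_idx->next;
        if ((idx->next && new_idx->func == idx->next->func) || new_idx->priority > idx->priority)
            return new_idx;
    }
    return NULL;
}

    /* … unchanged: uri_count/alt_dsize reset, DetectReset, EnablePreprocessors … */
    if ( p->dsize )
    {
        while ((idx != NULL) && !(p->packet_flags & PKT_PASS_RULE))
        {
            if ( ((p->proto_bits & idx->proto_mask) || (idx->proto_mask == PROTO_BIT__ALL) ) &&
                 IsPreprocBitSet(p, idx->preproc_bit))
            {
                idx->func(p, idx->context);
                idx = NextPreprocNode(idx, &policy_id, &policy);
            }
            else
                idx = idx->next;
        }
    }
    else
    {
        /* … unchanged: same loop with the PRIORITY_APPLICATION short-circuit, calling NextPreprocNode … */
    }
```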
@@ -216,45 +270,6 @@ if (IPH_IS_VALID(p)) CheckTagging(p); - /* Simulate above behavior for preprocessor reassembled packets */ - if ((p->packet_flags & PKT_PREPROC_RPKT) && do_detect && (p->bytes_to_inspect != -1)) - { - PreprocReassemblyPktFuncNode *rpkt_idx = policy->preproc_reassembly_pkt_funcs; - - /* Loop through the preprocessors that have registered a - * function to get a reassembled packet */ - while (rpkt_idx != NULL) - { - Packet *pp = NULL; - - assert(rpkt_idx->func != NULL); - - /* If the preprocessor bit is set, get the reassembled packet */ - if (IsPreprocReassemblyPktBitSet(p, rpkt_idx->preproc_id)) - { - pp = (Packet *)rpkt_idx->func(); - } - - if (pp != NULL) - { - /* If the original packet's bytes to inspect is set, - * set it for the reassembled packet */ - if (p->bytes_to_inspect > 0) - pp->dsize = (uint16_t)p->bytes_to_inspect; - - if (Detect(pp)) - { - PREPROC_PROFILE_START(eventqPerfStats); - retval |= SnortEventqLog(snort_conf->event_queue, pp); - SnortEventqReset(); - PREPROC_PROFILE_END(eventqPerfStats); - } - } - - rpkt_idx = rpkt_idx->next; - } - } - otn_tmp = NULL; /* @@ -312,7 +327,7 @@ { Event event; - if(check_tags_flag == 1 && !(p->packet_flags & PKT_REBUILT_STREAM)) + if(check_tags_flag == 1 && !(p->packet_flags & PKT_REBUILT_STREAM)) { DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "calling CheckTagList\n");); @@ -325,7 +340,7 @@ * logging mechanism */ CallLogFuncs(p, "Tagged Packet", NULL, &event); - } + } } return 0; @@ -340,14 +355,16 @@ { OutputFuncNode *idx = NULL; - event->ref_time.tv_sec = p->pkth->ts.tv_sec; - event->ref_time.tv_usec = p->pkth->ts.tv_usec; - + if (event->sig_generator != GENERATOR_TAG) + { + event->ref_time.tv_sec = p->pkth->ts.tv_sec; + event->ref_time.tv_usec = p->pkth->ts.tv_usec; + } /* set the event number */ event->event_id = event_id | ScEventLogId(); #ifndef SUP_IP6 - if(BsdPseudoPacket) + if(BsdPseudoPacket) { p = BsdPseudoPacket; } 
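Review bot: The new `if (event->sig_generator != GENERATOR_TAG)` guard around the `ref_time` assignment has no comment, and a reader has to guess that tag events arrive with `ref_time` already filled in by the tagging code, which lives outside this file. Add `/* tagged-packet events keep the ref_time of the alert that started the tag; only fresh events are stamped with this packet's time */` above the `if`, corrected if that assumption is wrong. This is the only behavioural change in the hunk; the rest is whitespace.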
@@ -361,7 +378,7 @@ } pc.log_pkts++; - + idx = head->LogList; if(idx == NULL) idx = LogList; @@ -420,7 +437,7 @@ event->event_reference = event->event_id; #ifndef SUP_IP6 - if(BsdPseudoPacket) + if(BsdPseudoPacket) { p = BsdPseudoPacket; } @@ -530,12 +547,12 @@ PPM_PACKET_TEST(); if( PPM_PACKET_ABORT_FLAG() ) - return 0; + return 0; } #endif /* - ** This is where we short circuit so + ** This is where we short circuit so ** that we can do IP checks. */ PREPROC_PROFILE_START(detectPerfStats); @@ -568,8 +585,8 @@ #else IpAddrSet *rule_addr, #endif - PortObject * po, - Packet *p, + PortObject * po, + Packet *p, uint32_t flags, int mode) { snort_ip_p pkt_addr; /* packet IP address */ @@ -625,7 +642,7 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "addr %lx, port %d ", pkt_addr, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "addr %lx, port %d ", pkt_addr, pkt_port);); if(!rule_addr) @@ -634,7 +651,7 @@ if(!(global_except_addr_flag)) /*modeled after Check{Src,Dst}IP function*/ { #ifdef SUP_IP6 - if(sfvar_ip_in(rule_addr, pkt_addr)) + if(sfvar_ip_in(rule_addr, pkt_addr)) ip_match = 1; #else ip_match = 0; @@ -643,40 +660,40 @@ { for(idx=rule_addr->iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { - ip_match = 1; + ip_match = 1; break; } } } - else + else ip_match = 1; - + if(ip_match) { for(idx=rule_addr->neg_iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { ip_match = 0; break; } } } - - if(ip_match) + + if(ip_match) goto bail; #endif } else { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, ", global exception flag set");); - /* global exception flag is up, we can't match on *any* - * of the source addresses + /* global exception flag is up, we can't match on *any* + * of the source addresses */ #ifdef SUP_IP6 - if(sfvar_ip_in(rule_addr, pkt_addr)) + if(sfvar_ip_in(rule_addr, pkt_addr)) return 0; ip_match=1; 
@@ -686,28 +703,28 @@ ip_match = 0; for(idx=rule_addr->iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { - ip_match = 1; + ip_match = 1; break; } } } - else + else ip_match = 1; - + if(ip_match) { for(idx=rule_addr->neg_iplist; idx; idx=idx->next) { - if(idx->ip_addr == (pkt_addr & idx->netmask)) + if(idx->ip_addr == (pkt_addr & idx->netmask)) { ip_match = 0; break; } } } - - if(!ip_match) + + if(!ip_match) return 0; #endif } @@ -721,7 +738,7 @@ } DEBUG_WRAP(DebugMessage(DEBUG_DETECT, ", addresses accepted");); - + /* if the any port flag is up, we're all done (success) */ if(any_port_flag) { @@ -785,7 +802,7 @@ * Purpose: print out the chain lists by header block node group * * Arguments: node => the head node - * + * * Returns: void function * ***************************************************************************/ @@ -810,7 +827,7 @@ if(negated) { - DEBUG_WRAP(DebugMessage(DEBUG_RULES, + DEBUG_WRAP(DebugMessage(DEBUG_RULES, " (EXCEPTION_FLAG Active)\n");); } else @@ -819,7 +836,7 @@ } idx = idx->next; - } + } } @@ -859,7 +876,7 @@ #define CHECK_ADDR_SRC_ARGS(x) (x)->src_portobject #define CHECK_ADDR_DST_ARGS(x) (x)->dst_portobject -int CheckBidirectional(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckBidirectional(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Checking bidirectional rule...\n");); @@ -913,7 +930,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " Dst->Src check passed\n");); - if(!CheckAddrPort(rtn_idx->sip, CHECK_ADDR_SRC_ARGS(rtn_idx), p, + if(!CheckAddrPort(rtn_idx->sip, CHECK_ADDR_SRC_ARGS(rtn_idx), p, rtn_idx->flags, CHECK_DST_IP | INVERSE | (check_ports ? CHECK_DST_PORT : 0))) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, @@ -927,7 +944,7 @@ } } else - { + { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Inverse test failed, " "testing next rule...\n");); return 0; 
@@ -962,24 +979,24 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckSrcIPEqual: ");); #ifdef SUP_IP6 - if(!(rtn_idx->flags & EXCEPT_SRC_IP)) + if(!(rtn_idx->flags & EXCEPT_SRC_IP)) { if( sfvar_ip_in(rtn_idx->sip, GET_SRC_IP(p)) ) { // XXX NOT YET IMPLEMENTED - debugging in Snort6 #if 0 -#ifdef DEBUG +#ifdef DEBUG_MSGS sfip_t ip; if(idx->addr_flags & EXCEPT_IP) { DebugMessage(DEBUG_DETECT, " SIP exception match\n"); - } + } else { DebugMessage(DEBUG_DETECT, " SIP match\n"); } - + ip = *iph_ret_src(p); /* necessary due to referencing/dereferencing */ - DebugMessage(DEBUG_DETECT, "Rule: %s Packet: %s\n", + DebugMessage(DEBUG_DETECT, "Rule: %s Packet: %s\n", inet_ntoa(idx->ip_addr), inet_ntoa(ip)); #endif /* DEBUG */ #endif @@ -990,8 +1007,8 @@ } else { - /* global exception flag is up, we can't match on *any* - * of the source addresses + /* global exception flag is up, we can't match on *any* + * of the source addresses */ DEBUG_WRAP(DebugMessage(DEBUG_DETECT," global exception flag, \n");); 
@@ -1010,38 +1027,38 @@ { match = 0; - pos_idx = rtn_idx->sip->iplist; - neg_idx = rtn_idx->sip->neg_iplist; + pos_idx = rtn_idx->sip->iplist; + neg_idx = rtn_idx->sip->neg_iplist; - if(!pos_idx) + if(!pos_idx) { - for( ; neg_idx; neg_idx = neg_idx->next) + for( ; neg_idx; neg_idx = neg_idx->next) { - if(neg_idx->ip_addr == - (p->iph->ip_src.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_src.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on SIP\n");); return 0; } - } + } DEBUG_WRAP(DebugMessage(DEBUG_DETECT," SIP match\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - - while(pos_idx) + + while(pos_idx) { if(neg_idx) { - if(neg_idx->ip_addr == - (p->iph->ip_src.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_src.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on SIP\n");); return 0; } - + neg_idx = neg_idx->next; - } + } /* No more potential negations. Check if we've already matched. */ else if(match) { @@ -1049,10 +1066,10 @@ return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - if(!match) + if(!match) { - if(pos_idx->ip_addr == - (p->iph->ip_src.s_addr & pos_idx->netmask)) + if(pos_idx->ip_addr == + (p->iph->ip_src.s_addr & pos_idx->netmask)) { match = 1; } @@ -1061,7 +1078,7 @@ pos_idx = pos_idx->next; } } - } + } } DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on SIP\n");); @@ -1095,11 +1112,11 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "CheckDstIPEqual: ");) #ifdef SUP_IP6 - if(!(rtn_idx->flags & EXCEPT_DST_IP)) + if(!(rtn_idx->flags & EXCEPT_DST_IP)) { if( sfvar_ip_in(rtn_idx->dip, GET_DST_IP(p)) ) { -// #ifdef DEBUG +// #ifdef DEBUG_MSGS // XXX idx's equivalent is lost inside of sfvar_ip_in // DebugMessage(DEBUG_DETECT, "Rule: %s Packet: ", // inet_ntoa(idx->ip_addr)); 
@@ -1112,7 +1129,7 @@ } else { - /* global exception flag is up, we can't match on *any* + /* global exception flag is up, we can't match on *any* * of the source addresses */ DEBUG_WRAP(DebugMessage(DEBUG_DETECT," global exception flag, \n");); @@ -1128,38 +1145,38 @@ { match = 0; - pos_idx = rtn_idx->dip->iplist; - neg_idx = rtn_idx->dip->neg_iplist; + pos_idx = rtn_idx->dip->iplist; + neg_idx = rtn_idx->dip->neg_iplist; - if(!pos_idx) + if(!pos_idx) { - for( ; neg_idx; neg_idx = neg_idx->next) + for( ; neg_idx; neg_idx = neg_idx->next) { - if(neg_idx->ip_addr == - (p->iph->ip_dst.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_dst.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT," Mismatch on DIP\n");); return 0; } - } + } DEBUG_WRAP(DebugMessage(DEBUG_DETECT," DIP match\n");); return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - while(pos_idx) + while(pos_idx) { if(neg_idx) { - if(neg_idx->ip_addr == - (p->iph->ip_dst.s_addr & neg_idx->netmask)) + if(neg_idx->ip_addr == + (p->iph->ip_dst.s_addr & neg_idx->netmask)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " DIP exception match\n");); return 0; } - + neg_idx = neg_idx->next; - } + } /* No more potential negations. Check if we've already matched. */ else if(match) { @@ -1167,19 +1184,19 @@ return fp_list->next->RuleHeadFunc(p, rtn_idx, fp_list->next, check_ports); } - if(!match) + if(!match) { - if(pos_idx->ip_addr == - (p->iph->ip_dst.s_addr & pos_idx->netmask)) + if(pos_idx->ip_addr == + (p->iph->ip_dst.s_addr & pos_idx->netmask)) { match = 1; } - else + else { pos_idx = pos_idx->next; } } - } + } } DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " DIP exception match\n");); @@ -1188,7 +1205,7 @@ } -int CheckSrcPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckSrcPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckSrcPortEqual: ");); 
@@ -1224,7 +1241,7 @@ return 0; } -int CheckSrcPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckSrcPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckSrcPortNotEq: ");); @@ -1260,7 +1277,7 @@ return 0; } -int CheckDstPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckDstPortEqual(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckDstPortEqual: ");); @@ -1296,7 +1313,7 @@ } -int CheckDstPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, +int CheckDstPortNotEq(Packet *p, struct _RuleTreeNode *rtn_idx, RuleFpList *fp_list, int check_ports) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT,"CheckDstPortNotEq: ");); @@ -1365,23 +1382,23 @@ if (otn->OTN_activation_ptr == NULL) { LogMessage("WARNING: an activation rule with no " - "dynamic rules matched!\n"); + "dynamic rules matched.\n"); return 0; } otn->OTN_activation_ptr->active_flag = 1; - otn->OTN_activation_ptr->countdown = + otn->OTN_activation_ptr->countdown = otn->OTN_activation_ptr->activation_counter; otn->RTN_activation_ptr->active_flag = 1; - otn->RTN_activation_ptr->countdown += + otn->RTN_activation_ptr->countdown += otn->OTN_activation_ptr->activation_counter; snort_conf->active_dynamic_nodes++; DEBUG_WRAP(DebugMessage(DEBUG_DETECT," => Finishing activation packet!\n");); - + CallLogFuncs(p, otn->sigInfo.message, rtn->listhead, event); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => Activation packet finished, returning!\n");); return 1; @@ -1397,7 +1414,7 @@ /* Call OptTreeNode specific output functions */ if(otn->outputFuncs) CallSigOutputFuncs(p, otn, event); - + if (ScAlertPacketCount()) print_packet_count(); 
@@ -1433,14 +1450,14 @@ DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " <!!> Generating Alert and dropping! \"%s\"\n", otn->sigInfo.message);); - + if(stream_api && !stream_api->alert_inline_midstream_drops()) { - if(stream_api->get_session_flags(p->ssnptr) & SSNFLAG_MIDSTREAM) + if(stream_api->get_session_flags(p->ssnptr) & SSNFLAG_MIDSTREAM) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " <!!> Alert Came From Midstream Session Silently Drop! " - "\"%s\"\n", otn->sigInfo.message);); + "\"%s\"\n", otn->sigInfo.message);); Active_DropSession(); return 1; @@ -1490,7 +1507,7 @@ snort_conf->active_dynamic_nodes--; DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " <!!> Shutting down dynamic OTN node\n");); } - + rtn->countdown--; if( rtn->countdown <= 0 ) diff -Nru snort-2.9.0.1/src/detect.h snort-2.9.2/src/detect.h --- snort-2.9.0.1/src/detect.h 2010-06-09 15:04:52.000000000 -0700 +++ snort-2.9.2/src/detect.h 2011-06-07 17:33:05.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -27,7 +27,7 @@ #include "config.h" #endif -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "rules.h" #include "treenodes.h" @@ -40,6 +40,7 @@ /* P R O T O T Y P E S ******************************************************/ extern int do_detect; extern int do_detect_content; +extern uint16_t event_id; /* rule match action functions */ int PassAction(void); 
@@ -84,13 +85,13 @@ void CallLogFuncs(Packet *, char *, ListHead *, Event *); void CallAlertFuncs(Packet *, char *, ListHead *, Event *); -static INLINE void DisableDetect(Packet *p) +static inline void DisableDetect(Packet *p) { DisablePreprocessors(p); do_detect_content = 0; } -static INLINE void DisableAllDetect(Packet *p) +static inline void DisableAllDetect(Packet *p) { DisablePreprocessors(p); do_detect = do_detect_content = 0; diff -Nru snort-2.9.0.1/src/detection_filter.c snort-2.9.2/src/detection_filter.c --- snort-2.9.0.1/src/detection_filter.c 2010-01-26 10:09:16.000000000 -0800 +++ snort-2.9.2/src/detection_filter.c 2011-06-07 17:33:05.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,11 +19,15 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #include <stdio.h> #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "mstring.h" #include "util.h" #include "parser.h" @@ -101,7 +105,7 @@ } int detection_filter_test ( - void* pv, + void* pv, snort_ip_p sip, snort_ip_p dip, long curtime ) { diff -Nru snort-2.9.0.1/src/detection_filter.h snort-2.9.2/src/detection_filter.h --- snort-2.9.0.1/src/detection_filter.h 2010-01-26 10:09:16.000000000 -0800 +++ snort-2.9.2/src/detection_filter.h 2011-02-09 15:22:47.000000000 -0800 
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/detection-plugins/detection_options.c snort-2.9.2/src/detection-plugins/detection_options.c --- snort-2.9.0.1/src/detection-plugins/detection_options.c 2010-10-25 12:49:00.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/detection_options.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -23,7 +23,7 @@ ** @file detection_options.c ** ** @author Steven Sturges -** +** ** @brief Support functions for rule option tree ** ** This implements tree processing for rule options, evaluating common @@ -31,6 +31,10 @@ ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfutil/sfxhash.h" #include "sfutil/sfhashfcn.h" #include "detection_options.h" @@ -142,6 +146,8 @@ break; case RULE_OPTION_TYPE_BASE64_DATA: break; + case RULE_OPTION_TYPE_PKT_DATA: + break; case RULE_OPTION_TYPE_ICMP_CODE: hash = IcmpCodeCheckHash(key->option_data); break; @@ -294,6 +300,8 @@ break; case RULE_OPTION_TYPE_BASE64_DATA: break; + case RULE_OPTION_TYPE_PKT_DATA: + break; case RULE_OPTION_TYPE_ICMP_CODE: ret = IcmpCodeCheckCompare(key1->option_data, key2->option_data); break; @@ -429,6 +437,8 @@ break; case RULE_OPTION_TYPE_BASE64_DATA: break; + case RULE_OPTION_TYPE_PKT_DATA: + break; case RULE_OPTION_TYPE_ICMP_CODE: free(key->option_data); break; 
@@ -744,6 +754,7 @@ "RULE_OPTION_TYPE_FILE_DATA", "RULE_OPTION_TYPE_BASE64_DECODE", "RULE_OPTION_TYPE_BASE64_DATA", + "RULE_OPTION_TYPE_PKT_DATA", "RULE_OPTION_TYPE_CONTENT", "RULE_OPTION_TYPE_CONTENT_URI", "RULE_OPTION_TYPE_PCRE", @@ -834,13 +845,17 @@ PcreData dup_pcre_option_data; const uint8_t *dp = NULL; char continue_loop = 1; + char flowbits_setoperation = 0; int loop_count = 0; uint32_t tmp_byte_extract_vars[NUM_BYTE_EXTRACT_VARS]; + uint16_t save_dflags = 0; NODE_PROFILE_VARS; if (!node || !eval_data || !eval_data->p || !eval_data->pomd || !eval_data->otnx) return 0; + save_dflags = Get_DetectFlags(); + /* see if evaluated it before ... */ if (node->last_check.is_relative == 0) { @@ -850,13 +865,13 @@ (node->last_check.packet_number == rule_eval_pkt_count) && (node->last_check.pipeline_number == eval_data->p->http_pipeline_count) && (node->last_check.rebuild_flag == (eval_data->p->packet_flags & REBUILD_FLAGS)) && - (!(eval_data->p->packet_flags & (PKT_DCE_PKT|PKT_RPC_PKT|PKT_ALLOW_MULTIPLE_DETECT)))) + (!(eval_data->p->packet_flags & PKT_ALLOW_MULTIPLE_DETECT))) { /* eval'd this rule option before on this packet, * use the cached result. */ if ((node->last_check.flowbit_failed == 0) && !(eval_data->p->packet_flags & PKT_IP_RULE_2ND) && - !(eval_data->p->proto_bits & PROTO_BIT__TEREDO)) + !(eval_data->p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP ))) { return node->last_check.result; } 
@@ -902,13 +917,15 @@ else /* if (dup_content_option_data.uri_buffer & (1 << HTTP_BUFFER_URI)) */ dp = (uint8_t *)UriBufs[HTTP_BUFFER_URI].uri; } - else if (dup_content_option_data.rawbytes == 0) + else if (dup_content_option_data.rawbytes == 0) { - if (IsBase64DecodeBuf(doe_ptr)) - dp = (uint8_t *)base64_decode_buf; - else if (IsMimeDecodeBuf(doe_ptr)) - dp = (uint8_t *)file_data_ptr; - else if ((eval_data->p->packet_flags & PKT_ALT_DECODE)) + /* If AltDetect is set by calling the rule options which set it, + * we should use the Alt Detect before checking for any other buffers. + * Alt Detect will take precedence over the Alt Decode and/or packet data. + */ + if(Is_DetectFlag(FLAG_ALT_DETECT)) + dp = (uint8_t *)DetectBuffer.data; + else if(Is_DetectFlag(FLAG_ALT_DECODE)) dp = (uint8_t *)DecodeBuffer.data; else dp = eval_data->p->data; @@ -947,11 +964,13 @@ } else if (!(dup_pcre_option_data.options & SNORT_PCRE_RAWBYTES)) { - if (IsBase64DecodeBuf(doe_ptr)) - dp = (uint8_t *)base64_decode_buf; - else if (IsMimeDecodeBuf(doe_ptr)) - dp = (uint8_t *)file_data_ptr; - else if ((eval_data->p->packet_flags & PKT_ALT_DECODE)) + /* If AltDetect is set by calling the rule options which set it, + * we should use the Alt Detect before checking for any other buffers. + * Alt Detect will take precedence over the Alt Decode and/or packet data. + */ + if(Is_DetectFlag(FLAG_ALT_DETECT)) + dp = (uint8_t *)DetectBuffer.data; + else if(Is_DetectFlag(FLAG_ALT_DECODE)) dp = (uint8_t *)DecodeBuffer.data; else dp = eval_data->p->data; 
@@ -1059,6 +1078,30 @@ rval = node->evaluate(&dup_pcre_option_data, eval_data->p); } break; + case RULE_OPTION_TYPE_PKT_DATA: + case RULE_OPTION_TYPE_FILE_DATA: + case RULE_OPTION_TYPE_BASE64_DATA: + if (node->evaluate) + { + save_dflags = Get_DetectFlags(); + rval = node->evaluate(node->option_data, eval_data->p); + } + break; + case RULE_OPTION_TYPE_FLOWBIT: + if (node->evaluate) + { + flowbits_setoperation = FlowBits_SetOperation(node->option_data); + if (!flowbits_setoperation) + { + rval = node->evaluate(node->option_data, eval_data->p); + } + else + { + /* set to match so we don't bail early. */ + rval = DETECTION_OPTION_MATCH; + } + } + break; case RULE_OPTION_TYPE_ASN1: case RULE_OPTION_TYPE_BYTE_TEST: case RULE_OPTION_TYPE_BYTE_JUMP: @@ -1067,11 +1110,8 @@ case RULE_OPTION_TYPE_CVS: case RULE_OPTION_TYPE_CONTENT_URI: case RULE_OPTION_TYPE_DSIZE: - case RULE_OPTION_TYPE_FLOWBIT: case RULE_OPTION_TYPE_FTPBOUNCE: - case RULE_OPTION_TYPE_FILE_DATA: case RULE_OPTION_TYPE_BASE64_DECODE: - case RULE_OPTION_TYPE_BASE64_DATA: case RULE_OPTION_TYPE_ICMP_CODE: case RULE_OPTION_TYPE_ICMP_ID: case RULE_OPTION_TYPE_ICMP_SEQ: @@ -1101,6 +1141,9 @@ #ifdef DYNAMIC_PLUGIN case RULE_OPTION_TYPE_HDR_OPT_CHECK: case RULE_OPTION_TYPE_PREPROCESSOR: + if (node->evaluate) + rval = node->evaluate(node->option_data, eval_data->p); + break; case RULE_OPTION_TYPE_DYNAMIC: #endif if (node->evaluate) @@ -1154,6 +1197,7 @@ NODE_PROFILE_END_MATCH(node); } node->last_check.result = result; + Reset_DetectFlags(save_dflags); return result; } } 
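Review bot: `save_dflags = Get_DetectFlags();` inside the new PKT_DATA/FILE_DATA/BASE64_DATA case overwrites the snapshot the function already took right after its argument check, so the `Reset_DetectFlags(save_dflags)` calls at the exits restore the state from just before this node's evaluate rather than the state at entry. If this switch sits inside the do/while that re-runs the node (the loop is visible further down, the switch placement is not), a later pass snapshots flags that an earlier evaluate already set, and the caller is left with FLAG_ALT_DETECT still raised. Either drop the re-assignment or say why the later snapshot is intended, e.g. `/* re-snapshot: this option replaces the detect buffer; exits restore the pre-option state */`. The enclosing function begins and ends outside this hunk.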
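Review bot: The new `if (node->evaluate) rval = node->evaluate(node->option_data, eval_data->p); break;` for HDR_OPT_CHECK and PREPROCESSOR looks identical to what falling through into the DYNAMIC case did, judging by the `if (node->evaluate)` context line that follows; whatever DYNAMIC does in addition lies outside the hunk, so the reason for splitting the cases is not visible. A short comment on the new `break`, `/* unlike DYNAMIC, these options need no <DYNAMIC-specific step> afterwards */` with the real step named, would record the intent. The enclosing function begins and ends outside this hunk.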
@@ -1165,13 +1209,15 @@ if (node->num_children) { const uint8_t *tmp_doe_ptr = doe_ptr; + const uint8_t tmp_doe_flags = doe_buf_flags; for (i=0;i<node->num_children; i++) { int j = 0; detection_option_tree_node_t *child_node = node->children[i]; - UpdateDoePtr(tmp_doe_ptr, 0); /* reset the DOE ptr for each child from here */ + /* reset the DOE ptr for each child from here */ + SetDoePtr(tmp_doe_ptr, tmp_doe_flags); for (j = 0; j < NUM_BYTE_EXTRACT_VARS; j++) { @@ -1246,6 +1292,7 @@ { /* bail if we exceeded time */ node->last_check.result = result; + Reset_DetectFlags(save_dflags); return result; } } @@ -1261,7 +1308,7 @@ if (result == node->num_children) continue_loop = 0; else - UpdateDoePtr(tmp_doe_ptr, 0); + SetDoePtr(tmp_doe_ptr, tmp_doe_flags); /* Don't need to reset since it's only checked after we've gone * through the loop at least once and the result will have @@ -1270,7 +1317,7 @@ // node->children[i]->result; } - if (result - prior_result > 0 + if (result - prior_result > 0 && node->option_type == RULE_OPTION_TYPE_CONTENT && Replace_OffsetStored(&dup_content_option_data) && ScInlineMode()) { @@ -1349,6 +1396,17 @@ } while (continue_loop); + if (flowbits_setoperation && (result == DETECTION_OPTION_MATCH)) + { + /* Do any setting/clearing/resetting/toggling of flowbits here + * given that other rule options matched. */ + rval = node->evaluate(node->option_data, eval_data->p); + if (rval != DETECTION_OPTION_MATCH) + { + result = rval; + } + } + if (eval_data->flowbit_failed) { /* something deeper in the tree failed a flowbit test, we may need to @@ -1365,6 +1423,8 @@ { NODE_PROFILE_END_MATCH(node); } + + Reset_DetectFlags(save_dflags); return result; } diff -Nru snort-2.9.0.1/src/detection-plugins/detection_options.h snort-2.9.2/src/detection-plugins/detection_options.h --- snort-2.9.0.1/src/detection-plugins/detection_options.h 2010-08-25 13:22:40.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/detection_options.h 2011-02-09 15:22:56.000000000 -0800 
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/detection-plugins/Makefile.am snort-2.9.2/src/detection-plugins/Makefile.am --- snort-2.9.0.1/src/detection-plugins/Makefile.am 2010-06-09 15:04:57.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/Makefile.am 2011-06-07 17:33:09.000000000 -0700 @@ -5,11 +5,13 @@ BUILT_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h nodist_libspd_a_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h if BUILD_REACT REACT_SOURCE = sp_react.c sp_react.h @@ -58,7 +60,8 @@ sp_urilen_check.c sp_urilen_check.h \ sp_file_data.c sp_file_data.h \ sp_base64_decode.c sp_base64_decode.h \ -sp_base64_data.c sp_base64_data.h +sp_base64_data.c sp_base64_data.h \ +sp_pkt_data.c sp_pkt_data.h copy_files = \ if test -f $$dst_file; then \ @@ -94,6 +97,7 @@ -e "s/ICMP_ECHO_REQUEST/ICMP_ECHO/g" \ -e "s/icmph_union.echo.id/s_icmp_id/g" \ -e "s/icmph_union.echo.seq/s_icmp_seq/g" \ + -e "/sf_snort_detection_engine.h/d" \ $$src_file > $$dst_file; sf_snort_plugin_hdropts.c: ../dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c 
@@ -102,10 +106,13 @@ sf_snort_plugin_api.h: ../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_file=$?; dst_file=$@; $(copy_files) +sf_decompression.h: ../dynamic-plugins/sf_engine/sf_decompression.h + @src_file=$?; dst_file=$@; $(copy_files) + sf_snort_packet.h: ../dynamic-plugins/sf_engine/sf_snort_packet.h @src_file=$?; dst_file=$@; $(copy_files) clean-local: - rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h + rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h sf_decompression.h INCLUDES = @INCLUDES@ diff -Nru snort-2.9.0.1/src/detection-plugins/Makefile.in snort-2.9.2/src/detection-plugins/Makefile.in --- snort-2.9.0.1/src/detection-plugins/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -72,7 +72,7 @@ sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \ sp_urilen_check.c sp_urilen_check.h sp_file_data.c \ sp_file_data.h sp_base64_decode.c sp_base64_decode.h \ - sp_base64_data.c sp_base64_data.h + sp_base64_data.c sp_base64_data.h sp_pkt_data.c sp_pkt_data.h @BUILD_REACT_TRUE@am__objects_1 = sp_react.$(OBJEXT) @BUILD_RESPOND3_TRUE@am__objects_2 = sp_respond3.$(OBJEXT) am_libspd_a_OBJECTS = detection_options.$(OBJEXT) sp_asn1.$(OBJEXT) \ @@ -93,7 +93,8 @@ sp_tcp_flag_check.$(OBJEXT) sp_tcp_seq_check.$(OBJEXT) \ sp_tcp_win_check.$(OBJEXT) sp_ttl_check.$(OBJEXT) \ sp_urilen_check.$(OBJEXT) sp_file_data.$(OBJEXT) \ - sp_base64_decode.$(OBJEXT) sp_base64_data.$(OBJEXT) + sp_base64_decode.$(OBJEXT) sp_base64_data.$(OBJEXT) \ + sp_pkt_data.$(OBJEXT) nodist_libspd_a_OBJECTS = sf_snort_plugin_hdropts.$(OBJEXT) libspd_a_OBJECTS = $(am_libspd_a_OBJECTS) $(nodist_libspd_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) @@ -122,7 +123,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -137,6 +140,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -173,13 +177,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -241,11 +251,13 @@ noinst_LIBRARIES = libspd.a BUILT_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h nodist_libspd_a_SOURCES = sf_snort_plugin_hdropts.c \ sf_snort_packet.h \ -sf_snort_plugin_api.h +sf_snort_plugin_api.h \ +sf_decompression.h @BUILD_REACT_TRUE@REACT_SOURCE = sp_react.c sp_react.h @BUILD_RESPOND3_TRUE@RESPOND3_SOURCE = sp_respond3.c sp_respond.h @@ -288,7 +300,8 @@ sp_urilen_check.c sp_urilen_check.h \ sp_file_data.c sp_file_data.h \ sp_base64_decode.c sp_base64_decode.h \ -sp_base64_data.c sp_base64_data.h +sp_base64_data.c sp_base64_data.h \ +sp_pkt_data.c sp_pkt_data.h copy_files = \ if test -f $$dst_file; then \ @@ -324,6 +337,7 @@ -e "s/ICMP_ECHO_REQUEST/ICMP_ECHO/g" \ -e "s/icmph_union.echo.id/s_icmp_id/g" \ -e "s/icmph_union.echo.seq/s_icmp_seq/g" \ + -e "/sf_snort_detection_engine.h/d" \ $$src_file > $$dst_file; all: $(BUILT_SOURCES) 
@@ -596,11 +610,14 @@ sf_snort_plugin_api.h: ../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_file=$?; dst_file=$@; $(copy_files) +sf_decompression.h: ../dynamic-plugins/sf_engine/sf_decompression.h + @src_file=$?; dst_file=$@; $(copy_files) + sf_snort_packet.h: ../dynamic-plugins/sf_engine/sf_snort_packet.h @src_file=$?; dst_file=$@; $(copy_files) clean-local: - rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h + rm -rf sf_snort_plugin_hdropts.c sf_snort_packet.h sf_snort_plugin_api.h sf_decompression.h # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru snort-2.9.0.1/src/detection-plugins/sp_asn1.c snort-2.9.2/src/detection-plugins/sp_asn1.c --- snort-2.9.0.1/src/detection-plugins/sp_asn1.c 2010-10-25 12:49:02.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_asn1.c 2011-06-07 17:33:09.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Daniel Roelker ** ** This program is free software; you can redistribute it and/or modify @@ -23,13 +23,13 @@ ** @file sp_asn1.c ** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief Decode and detect ASN.1 types, lengths, and data. ** ** This detection plugin adds ASN.1 detection functions on a per rule ** basis. ASN.1 detection plugins can be added by editing this file and ** providing an interface in the configuration code. -** +** ** Detection Plugin Interface: ** ** asn1: [detection function],[arguments],[offset type],[size] @@ -60,13 +60,14 @@ #include <ctype.h> #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "asn1.h" 
@@ -110,7 +111,7 @@ a += data->length; b += data->max_length; c += data->offset; - + mix(a,b,c); a += data->offset_type; @@ -128,7 +129,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if ((left->bs_overflow == right->bs_overflow) && (left->double_overflow == right->double_overflow) && (left->print == right->print) && @@ -208,7 +209,7 @@ { FatalError("%s(%d) => Negative size, underflow or overflow " "(of long int) to '%s' in 'asn1' detection plugin. " - "Must be positive or zero.\n", + "Must be positive or zero.\n", file_name, file_line, LENGTH_OPT); } @@ -229,7 +230,7 @@ if (endTok == pcTok) { FatalError("%s(%d) => Invalid parameter to '%s' in 'asn1' " - "detection plugin\n", + "detection plugin\n", file_name, file_line, ABS_OFFSET_OPT); } @@ -248,7 +249,7 @@ if (endTok == pcTok) { FatalError("%s(%d) => Invalid parameter to '%s' in 'asn1' " - "detection plugin\n", + "detection plugin\n", file_name, file_line, pcTok); } } @@ -309,9 +310,9 @@ void *ds_ptr_dup; OptFpList *ofl; - /* - * allocate the data structure and attach - * it to the rule's data struct list + /* + * allocate the data structure and attach + * it to the rule's data struct list */ asn1 = (ASN1_CTXT *)SnortAlloc(sizeof(ASN1_CTXT)); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_asn1_detect.c snort-2.9.2/src/detection-plugins/sp_asn1_detect.c --- snort-2.9.0.1/src/detection-plugins/sp_asn1_detect.c 2010-01-26 10:09:36.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_asn1_detect.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Daniel Roelker ** ** This program is free software; you can redistribute it and/or modify 
@@ -23,13 +23,13 @@ ** @file sp_asn1_detect.c ** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief Decode and detect ASN.1 types, lengths, and data. ** ** This detection plugin adds ASN.1 detection functions on a per rule ** basis. ASN.1 detection plugins can be added by editing this file and ** providing an interface in the configuration code. -** +** ** Detection Plugin Interface: ** ** asn1: [detection function],[arguments],[offset type],[size] @@ -59,15 +59,16 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" + #ifndef SF_SNORT_ENGINE_DLL -#include "debug.h" +#include "snort_debug.h" #else /* Ignore debug statements */ #include <stdint.h> #define DEBUG_WRAP(x) #endif -#include "sf_types.h" #include "sfutil/asn1.h" #include "sp_asn1_detect.h" #include "snort.h" @@ -78,14 +79,14 @@ * * 1 means it's in bounds, 0 means it's not */ -static INLINE int inBounds( +static inline int inBounds( const uint8_t *start, const uint8_t *end, const uint8_t *p) { if(p >= start && p < end) { return 1; } - + return 0; } @@ -118,7 +119,7 @@ */ if(asn1->ident.tag == SF_ASN1_TAG_BIT_STR && !asn1->ident.flag) { - if(asn1->len.size && asn1->data && + if(asn1->len.size && asn1->data && (((asn1->len.size - 1)<<3) < (unsigned int)asn1->data[0])) { return 1; @@ -176,7 +177,7 @@ if(asn1->ident.tag == SF_ASN1_TAG_REAL && !asn1->ident.flag) { if(asn1->len.size && asn1->data && - ((asn1->data[0] & 0xc0) == 0x00) && + ((asn1->data[0] & 0xc0) == 0x00) && (asn1->len.size > 256)) { return 1; @@ -212,7 +213,7 @@ ** This is the most generic of our ASN.1 detection functionalities. This ** will compare the ASN.1 type lengths against the user defined max ** length and alert if the length is greater than the user supplied length. -** +** ** @return integer ** ** @retval 0 failed 
@@ -270,7 +271,7 @@ /* ** Print first, before we do other detection. If print is the only ** option, then we want to evaluate this option as true and continue. - ** Otherwise, if another option is wrong, then we + ** Otherwise, if another option is wrong, then we */ if(ctxt->print) { @@ -302,7 +303,7 @@ /* ** If we didn't detect any oversize length in the decoded structs, ** that might be because we had a really overlong length that is - ** bigger than our data type could hold. In this case, it's + ** bigger than our data type could hold. In this case, it's ** overlong too. */ if(!iRet && dec_ret_val == ASN1_ERR_OVERLONG_LEN) @@ -360,11 +361,14 @@ "relative offset, so we are bailing.\n");); return 0; } - + /* ** Check that it is in bounds first. + ** Because rel_ptr can be "end" in the last match, + ** use end + 1 for upper bound + ** Bound checked also after offset is applied */ - if(!inBounds(start, end, rel_ptr)) + if(!inBounds(start, end + 1, rel_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_ASN1, "[*] ASN.1 bounds " "check failed for rel_ptr.\n");); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_asn1_detect.h snort-2.9.2/src/detection-plugins/sp_asn1_detect.h --- snort-2.9.0.1/src/detection-plugins/sp_asn1_detect.h 2010-01-26 10:09:36.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_asn1_detect.h 2011-02-09 15:22:56.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/detection-plugins/sp_asn1.h snort-2.9.2/src/detection-plugins/sp_asn1.h --- snort-2.9.0.1/src/detection-plugins/sp_asn1.h 2010-01-26 10:09:35.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_asn1.h 2011-02-09 15:22:56.000000000 -0800 
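Review bot: `inBounds(start, end + 1, rel_ptr)` now accepts `rel_ptr == end`, a position with zero bytes left, and relies on a second check after the offset is applied that is outside this hunk; any read through `rel_ptr` before that check would run past the buffer. If `end` is already the one-past-the-end pointer, `end + 1` also forms a pointer beyond that, which C does not guarantee to be valid; an inclusive comparison avoids it without changing the accepted range: `if(rel_ptr < start || rel_ptr > end)`. The comment should also name the invariant the later check enforces rather than just asserting that one exists. The enclosing function begins and ends outside this hunk.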
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/detection-plugins/sp_base64_data.c snort-2.9.2/src/detection-plugins/sp_base64_data.c --- snort-2.9.0.1/src/detection-plugins/sp_base64_data.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_base64_data.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ */ /* sp_base64_data - * + * */ #ifdef HAVE_CONFIG_H @@ -33,12 +33,13 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" @@ -64,7 +65,7 @@ int Base64DataEval(void *option_data, Packet *p); /**************************************************************************** - * + * * Function: SetupBase64Data() * * Purpose: Load 'er up @@ -87,10 +88,10 @@ /**************************************************************************** - * + * * Function: Base64DataInit(char *, OptTreeNode *, int protocol) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * 
@@ -121,7 +122,7 @@ /**************************************************************************** - * + * * Function: Base64DataParse(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -145,7 +146,7 @@ /**************************************************************************** - * + * * Function: Base64DataEval(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -156,7 +157,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int Base64DataEval(void *option_data, Packet *p) @@ -166,13 +167,14 @@ PREPROC_PROFILE_START(base64DataPerfStats); - if ((p->dsize == 0) || (!IsTCP(p) && !IsUDP(p)) ) + if ((p->dsize == 0) || !base64_decode_size ) { PREPROC_PROFILE_END(base64DataPerfStats); return rval; } SetDoePtr(base64_decode_buf, DOE_BUF_STD); + SetAltDetect(base64_decode_buf, (uint16_t)base64_decode_size); rval = DETECTION_OPTION_MATCH; PREPROC_PROFILE_END(base64DataPerfStats); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_base64_data.h snort-2.9.2/src/detection-plugins/sp_base64_data.h --- snort-2.9.0.1/src/detection-plugins/sp_base64_data.h 2010-06-09 15:04:58.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_base64_data.h 2011-02-09 15:22:56.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_base64_decode.c snort-2.9.2/src/detection-plugins/sp_base64_decode.c --- snort-2.9.0.1/src/detection-plugins/sp_base64_decode.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_base64_decode.c 2011-06-07 17:33:09.000000000 -0700 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ */ /* sp_base64_decode - * + * */ #ifdef HAVE_CONFIG_H @@ -33,12 +33,13 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" @@ -77,7 +78,7 @@ mix(a,b,c); a += RULE_OPTION_TYPE_BASE64_DECODE; - + final(a,b,c); return c; @@ -103,7 +104,7 @@ /**************************************************************************** - * + * * Function: SetupBase64Decode() * * Purpose: Load 'er up @@ -126,10 +127,10 @@ /**************************************************************************** - * + * * Function: Base64DecodeInit(char *, OptTreeNode *, int protocol) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * 
@@ -181,7 +182,7 @@ } /**************************************************************************** - * + * * Function: Base64DecodeParse(char *, Base64DecodeData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -274,7 +275,7 @@ file_name, file_line); } - mSplitFree(&toks1,num_toks1); + mSplitFree(&toks1,num_toks1); i++; } @@ -285,7 +286,7 @@ /**************************************************************************** - * + * * Function: Base64DecodeEval(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -296,7 +297,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int Base64DecodeEval(void *option_data, Packet *p) @@ -316,7 +317,7 @@ { PREPROC_PROFILE_END(base64DecodePerfStats); return rval; - } + } idx = (Base64DecodeData *)option_data; @@ -350,7 +351,7 @@ return rval; } - if(sf_unfold_header(start_ptr, p->dsize, base64_buf, sizeof(base64_buf), &base64_size) != 0) + if(sf_unfold_header(start_ptr, p->dsize, base64_buf, sizeof(base64_buf), &base64_size, 0, 0) != 0) { PREPROC_PROFILE_END(base64DecodePerfStats); return rval; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_base64_decode.h snort-2.9.2/src/detection-plugins/sp_base64_decode.h --- snort-2.9.0.1/src/detection-plugins/sp_base64_decode.h 2010-06-09 15:04:59.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_base64_decode.h 2011-02-09 15:22:57.000000000 -0800 
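Review bot: The two new trailing arguments `0, 0` to sf_unfold_header are bare literals that give the reader no hint of which mode or limit is being disabled. Please name them at the call site, e.g. `/* trailing 0, 0: <meaning of each arg per sf_unfold_header prototype> */`, or use the named constants the prototype defines if it has any. The enclosing function begins and ends outside this hunk.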
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_byte_check.c snort-2.9.2/src/detection-plugins/sp_byte_check.c --- snort-2.9.0.1/src/detection-plugins/sp_byte_check.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_byte_check.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,8 +19,8 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_byte_check - * +/* sp_byte_check + * * Purpose: * Test a byte field against a specific value (with operator). Capable * of testing binary values or converting represenative byte strings @@ -41,7 +41,7 @@ * ["hex"]: converted string data is represented in hexidecimal * ["dec"]: converted string data is represented in decimal * ["oct"]: converted string data is represented in octal - * + * * sample rules: * alert udp $EXTERNAL_NET any -> $HOME_NET any \ * (msg:"AMD procedure 7 plog overflow "; \ @@ -77,7 +77,7 @@ * * Effect: * - * Reads in the indicated bytes, converts them to an numeric + * Reads in the indicated bytes, converts them to an numeric * representation and then performs the indicated operation/test on * the data using the value field. Returns 1 if the operation is true, * 0 if it is not. @@ -100,14 +100,15 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "byte_extract.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "mstring.h" 
@@ -180,14 +181,14 @@ { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ + uint64_t ptr; /* Addresses are 64bits */ - ptr = (u_int64_t) data->byte_order_func; + ptr = (uint64_t) data->byte_order_func; a += (ptr << 32) & 0XFFFFFFFF; b += (ptr & 0xFFFFFFFF); } #else - a += (u_int32_t)data->byte_order_func; + a += (uint32_t)data->byte_order_func; #endif final(a,b,c); @@ -202,7 +203,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->bytes_to_compare == right->bytes_to_compare) && ( left->cmp_value == right->cmp_value) && ( left->operator == right->operator) && @@ -229,7 +230,7 @@ new->keyword = SnortStrdup(keyword); new->option = SnortStrdup(option); new->func = roo_func; - + new->next = byteTestOverrideFuncs; byteTestOverrideFuncs = new; } @@ -281,10 +282,10 @@ /**************************************************************************** - * + * * Function: ByteTestInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -308,11 +309,11 @@ if(idx == NULL) { - FatalError("%s(%d): Unable to allocate byte_test data node\n", + FatalError("%s(%d): Unable to allocate byte_test data node\n", file_name, file_line); } - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ override = ByteTestParse(data, idx, otn); if (override) @@ -325,7 +326,7 @@ fpl = AddOptFuncToList(ByteTest, otn); fpl->type = RULE_OPTION_TYPE_BYTE_TEST; - + if (add_detection_option(RULE_OPTION_TYPE_BYTE_TEST, (void *)idx, &idx_dup) == DETECTION_OPTION_EQUAL) { #ifdef DEBUG_RULE_OPTION_TREE 
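Review bot: `a += (ptr << 32) & 0XFFFFFFFF;`, the context line directly under the retyped `uint64_t` cast, always adds zero — shifting a 64-bit value left by 32 leaves the low 32 bits clear, and that is all the mask keeps — so the upper half of byte_order_func never reaches the hash even though the comment above says the address is split into two 32-bit parts; the intended line is `a += (ptr >> 32) & 0xFFFFFFFF;`. The consequence is a weaker hash rather than a wrong answer, since the compare function in the next hunk decides equality, but it is worth fixing while this code is being touched. The same expression appears in the ByteExtractHash() hunk of sp_byte_extract.c (`b += (ptr << 32) & 0XFFFFFFFF;`) and in the hash hunk of sp_byte_jump.c. The enclosing hash function starts before this hunk.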
@@ -336,14 +337,14 @@ idx->operator, idx->offset, idx->not_flag, idx->relative_flag, - idx->data_string_convert_flag, + idx->data_string_convert_flag, idx->endianess, idx->base, ((ByteTestData *)idx_dup)->bytes_to_compare, ((ByteTestData *)idx_dup)->cmp_value, ((ByteTestData *)idx_dup)->operator, ((ByteTestData *)idx_dup)->offset, ((ByteTestData *)idx_dup)->not_flag, ((ByteTestData *)idx_dup)->relative_flag, - ((ByteTestData *)idx_dup)->data_string_convert_flag, + ((ByteTestData *)idx_dup)->data_string_convert_flag, ((ByteTestData *)idx_dup)->endianess, ((ByteTestData *)idx_dup)->base); #endif free(idx); @@ -360,7 +361,7 @@ } /**************************************************************************** - * + * * Function: ByteTestParse(char *, ByteTestData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -414,13 +415,13 @@ if(*cptr == '!') { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "enabling not flag\n");); idx->not_flag = 1; cptr++; } - - if (idx->not_flag && strlen(cptr) == 0) + + if (idx->not_flag && strlen(cptr) == 0) { idx->operator = BT_EQUALS; } @@ -455,7 +456,7 @@ break; default: FatalError("%s(%d): byte_test unknown " - "operator ('%c, %s')\n", file_name, file_line, + "operator ('%c, %s')\n", file_name, file_line, *cptr, toks[1]); } } @@ -497,7 +498,7 @@ /* set offset */ idx->offset = strtol(toks[3], &endp, 10); idx->offset_var = -1; - + if(toks[3] == endp) { FatalError("%s(%d): Unable to parse as offset value %s\n", @@ -518,7 +519,7 @@ } } - + i = 4; /* is it a relative offset? */ @@ -537,7 +538,7 @@ } else if(!strcasecmp(cptr, "string")) { - /* the data will be represented as a string that needs + /* the data will be represented as a string that needs * to be converted to an int, binary is assumed otherwise */ idx->data_string_convert_flag = 1; 
@@ -582,7 +583,7 @@ override = override->next; } - FatalError("%s(%d): unknown modifier \"%s\"\n", + FatalError("%s(%d): unknown modifier \"%s\"\n", file_name, file_line, cptr); } @@ -596,14 +597,14 @@ FatalError("%s(%d): hex, dec and oct modifiers must be used in conjunction \n" " with the 'string' modifier\n", file_name,file_line); } - + mSplitFree(&toks, num_toks); return NULL; } /**************************************************************************** - * + * * Function: ByteTest(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -614,7 +615,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int ByteTest(void *option_data, Packet *p) @@ -623,7 +624,6 @@ int rval = DETECTION_OPTION_NO_MATCH; uint32_t value = 0; int success = 0; - int use_alt_buffer = p->packet_flags & PKT_ALT_DECODE; int dsize; const char *base_ptr, *end_ptr, *start_ptr; uint32_t payload_bytes_grabbed = 0; 
@@ -632,26 +632,19 @@ PROFILE_VARS; PREPROC_PROFILE_START(byteTestPerfStats); - - if ( IsMimeDecodeBuf(doe_ptr) ) - { - dsize = mime_decode_size; - start_ptr = (char *)file_data_ptr; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using MIME Decode Buffer!\n");); - } - else if (IsBase64DecodeBuf(doe_ptr)) + + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = base64_decode_size; - start_ptr = (char *)base64_decode_buf; + dsize = DetectBuffer.len; + start_ptr = (char *)DetectBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Base64 Decode Buffer!\n");); + "Using Alternative Detect buffer!\n");); } - else if(use_alt_buffer) + else if(Is_DetectFlag(FLAG_ALT_DECODE)) { dsize = DecodeBuffer.len; start_ptr = (char *)DecodeBuffer.data; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else @@ -665,7 +658,7 @@ base_ptr = start_ptr; end_ptr = start_ptr + dsize; - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] byte test firing...\npayload starts at %p\n", start_ptr);); @@ -688,8 +681,13 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Checking relative offset!\n");); - /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ - if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, doe_ptr)) + /* @todo: possibly degrade to use the other buffer, seems non-intuitive + * Because doe_ptr can be "end" in the last match, + * use end + 1 for upper bound + * Bound checked also after offset is applied + * (see byte_extract() and string_extract()) + */ + if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr + 1, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] byte test bounds check failed..\n");); @@ -721,7 +719,7 @@ /* both of these functions below perform their own bounds checking within * byte_extract.c */ - + if(!btd->data_string_convert_flag) { if(byte_extract(btd->endianess, btd->bytes_to_compare, 
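Review bot: In the `@@ -688,8 +681,13 @@` hunk, passing `end_ptr + 1` as the upper bound forms a pointer two past the end of the buffer (end_ptr is already `start_ptr + dsize`), which C pointer arithmetic does not permit and which hides the intent of the change; stating the accepted case explicitly reads better, e.g. `if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, doe_ptr) && doe_ptr != (const uint8_t *)end_ptr)` (assuming inBounds() checks `start <= p < end`, which is not visible here). With doe_ptr == end_ptr now admitted, a relative read with a zero or negative offset depends entirely on byte_extract()/string_extract() rejecting reads that begin at or beyond end_ptr, as the new comment asserts; that guarantee lives outside this hunk and should be confirmed rather than assumed. The same `end_ptr + 1` change appears in the ByteJump() hunk of sp_byte_jump.c. ByteTest() begins before this hunk and continues after it.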
@@ -752,7 +750,7 @@ } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Grabbed %d bytes at offset %d, value = 0x%08X(%u)\n", payload_bytes_grabbed, btd->offset, value, value); ); @@ -801,7 +799,7 @@ if (btd->not_flag) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "checking for not success...flag\n");); if (!success) { diff -Nru snort-2.9.0.1/src/detection-plugins/sp_byte_check.h snort-2.9.2/src/detection-plugins/sp_byte_check.h --- snort-2.9.0.1/src/detection-plugins/sp_byte_check.h 2010-06-09 15:04:59.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_byte_check.h 2011-02-09 15:22:57.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_byte_extract.c snort-2.9.2/src/detection-plugins/sp_byte_extract.c --- snort-2.9.0.1/src/detection-plugins/sp_byte_extract.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_byte_extract.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 2010 Sourcefire, Inc. + ** Copyright (C) 2010-2011 Sourcefire, Inc. ** Author: Ryan Jordan <ryan.jordan@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -24,6 +24,11 @@ * */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort.h" #include "parser.h" #include "plugbase.h" 
@@ -74,15 +79,17 @@ } } +#ifdef DEBUG_MSGS /* Print a byte_extract option to console. For debugging purposes. */ void PrintByteExtract(ByteExtractData *data) { if (data == NULL) return; - printf("bytes_to_grab = %d, offset = %d, relative = %d, convert = %d," - "align = %d, endianess = %d, , base = %d," - "multiplier = %d, var_num = %d, name = %s", + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + "bytes_to_grab = %d, offset = %d, relative = %d, convert = %d, " + "align = %d, endianess = %d, base = %d, " + "multiplier = %d, var_num = %d, name = %s\n", data->bytes_to_grab, data->offset, data->relative_flag, @@ -92,8 +99,9 @@ data->base, data->multiplier, data->var_number, - data->name); + data->name);); } +#endif /* Hash functions. Make sure to update these when the data struct changes! */ uint32_t ByteExtractHash(void *d) @@ -121,16 +129,16 @@ { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ + uint64_t ptr; /* Addresses are 64bits */ - ptr = (u_int64_t) data->byte_order_func; + ptr = (uint64_t) data->byte_order_func; b += (ptr << 32) & 0XFFFFFFFF; c += (ptr & 0xFFFFFFFF); } #else - b += (u_int32_t)data->byte_order_func; + b += (uint32_t)data->byte_order_func; #endif - + final(a,b,c); return c; @@ -215,6 +223,13 @@ "Variable names must start with a letter."); } + if (data->base && !data->data_string_convert_flag) + { + ParseError("byte_extract rule option has a string converstion type " + "(\"dec\", \"hex\", or \"oct\") without the \"string\" " + "argument."); + } + return BYTE_EXTRACT_SUCCESS; } @@ -222,8 +237,8 @@ static int ByteExtractParse(ByteExtractData *data, char *args) { char *args_copy = SnortStrdup(args); - char *endptr, *saveptr; - char *token = strtok_r(args_copy, " ,", &saveptr); + char *endptr, *saveptr = args_copy; + char *token = strtok_r(args_copy, ",", &saveptr); RuleOptByteOrderFunc tmp_byte_order_func = NULL; /* set defaults / sentinels */ 
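Review bot: The new ParseError() message in the `@@ -215,6 +223,13 @@` hunk misspells "conversion" as `converstion`; rule authors see this text, so fix it: `ParseError("byte_extract rule option has a string conversion type "`. The enclosing verify function starts outside the hunk.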
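Review bot: Switching the strtok_r() delimiter from `" ,"` to `","` in the `@@ -222,8 +237,8 @@` hunk means each token now keeps whatever whitespace surrounds it, yet the later hunks compare tokens with `strcmp(token, "relative")`, `strncmp(token, "align ", 6)` and `strncmp(token, "multiplier ", 11)`, which require the keyword to start at the first character and to be followed by exactly one space. Unless the argument string is normalised before ByteExtractParse() is called (not visible here), a rule written with a space after each comma, or with two spaces before the value, will be rejected as an invalid argument. Trimming leading and trailing whitespace from each token at the top of the loop — the `while(isspace((int)*token)) token++;` idiom used in sp_clientserver.c's ParseFlowArgs() — would make the parser tolerant of both forms. ByteExtractParse() continues beyond this hunk.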
@@ -237,7 +252,7 @@ if (*endptr != '\0') ParseError("byte_extract rule option has non-digits in the " "\"bytes_to_extract\" field."); - token = strtok_r(NULL, " ,", &saveptr); + token = strtok_r(NULL, ",", &saveptr); } /* second: offset */ @@ -247,14 +262,14 @@ if (*endptr != '\0') ParseError("byte_extract rule option has non-digits in the " "\"offset\" field."); - token = strtok_r(NULL, " ,", &saveptr); + token = strtok_r(NULL, ",", &saveptr); } /* third: variable name */ if (token) { data->name = SnortStrdup(token); - token = strtok_r(NULL, " ,", &saveptr); + token = strtok_r(NULL, ",", &saveptr); } /* optional arguments */ @@ -265,12 +280,12 @@ data->relative_flag = 1; } - else if (strcmp(token, "align") == 0) + else if (strncmp(token, "align ", 6) == 0) { - token = strtok_r(NULL, " ,", &saveptr); + char *value = (token+6); if (data->align == 0) - data->align = (uint8_t)SnortStrtoul(token, &endptr, 10); + data->align = (uint8_t)SnortStrtoul(value, &endptr, 10); else ParseError("byte_extract rule option includes the " "\"align\" argument twice."); @@ -300,16 +315,16 @@ "or \"dce\"."); } - else if (strcmp(token, "multiplier") == 0) + else if (strncmp(token, "multiplier ", 11) == 0) { - token = strtok_r(NULL, " ,", &saveptr); + char *value = (token+11); if (token == NULL) ParseError("byte_extract rule option has a \"multiplier\" " "argument with no value specified."); if (data->multiplier == 1) { - data->multiplier = SnortStrtoul(token, &endptr, 10); + data->multiplier = SnortStrtoul(value, &endptr, 10); if (*endptr != '\0') ParseError("byte_extract rule option has non-digits in the " 
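Review bot: In the `@@ -300,16 +315,16 @@` hunk the retained `if (token == NULL)` check is now dead — token has just matched `strncmp(token, "multiplier ", 11)`, so it cannot be NULL — and the "no value specified" error can no longer fire; the condition should test the value instead: `if (*value == '\0')`. As written, `multiplier ` with nothing after the space reaches SnortStrtoul() on an empty string, and whether that is caught depends on the later range check, which is outside this hunk. ByteExtractParse() starts and ends outside the hunk.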
@@ -326,24 +341,37 @@ data->data_string_convert_flag = 1; else ParseError("byte_extract rule option has multiple " - "string conversion arguments. Use only one."); - - token = strtok_r(NULL, " ,", &saveptr); - if (token == NULL) - ParseError("byte_extract rule option has a \"string\" " - "argument with no value specified. Use either \"string dec\", " - "\"string hex\", or \"string oct\"."); + "\"string\" arguments. Use only one."); + } - if (strcmp(token, "dec") == 0) + else if (strcmp(token, "dec") == 0) + { + if (data->base == 0) data->base = 10; - else if (strcmp(token, "hex") == 0) + else + ParseError("byte_extract rule option has multiple arguments " + "specifying the type of string conversion. Use only " + "one of \"dec\", \"hex\", or \"oct\"."); + } + + else if (strcmp(token, "hex") == 0) + { + if (data->base == 0) data->base = 16; - else if (strcmp(token, "oct") == 0) + else + ParseError("byte_extract rule option has multiple arguments " + "specifying the type of string conversion. Use only " + "one of \"dec\", \"hex\", or \"oct\"."); + } + + else if (strcmp(token, "oct") == 0) + { + if (data->base == 0) data->base = 8; else - ParseError("byte_extract rule option has a \"string\" " - "argument with an invalid value. Use either \"string dec\", " - "\"string hex\", or \"string oct\"."); + ParseError("byte_extract rule option has multiple arguments " + "specifying the type of string conversion. Use only " + "one of \"dec\", \"hex\", or \"oct\"."); } else if ((tmp_byte_order_func = GetByteOrderFunc(token)) != NULL) @@ -366,7 +394,7 @@ ParseError("byte_extract rule option has invalid argument \"%s\".", token); } - token = strtok_r(NULL, " ,", &saveptr); + token = strtok_r(NULL, ",", &saveptr); } free(args_copy); 
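Review bot: The three new branches for `dec`, `hex` and `oct` each carry an identical three-line ParseError() string; a single `static const char *` message, or a small helper that takes the base and does the `data->base == 0` check, would keep the copies from drifting apart. Separately, with the delimiter now `","` only, a rule argument spelled `string dec` arrives as one token that matches neither `"string"` nor `"dec"` and is rejected as invalid — if that spelling was accepted before, the rule syntax has changed and should be documented. ByteExtractParse() continues beyond this hunk.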
@@ -381,7 +409,10 @@ /* Replace sentinels with defaults */ if (data->endianess == ENDIAN_NONE) data->endianess = BIG; - + + if (data->data_string_convert_flag && (data->base == 0)) + data->base = 10; + /* At this point you could verify the data and return something. */ return ByteExtractVerify(data); } @@ -393,7 +424,7 @@ if (name == NULL) return BYTE_EXTRACT_NO_VAR; - + for (i = 0; i < NUM_BYTE_EXTRACT_VARS; i++) { if (variable_names[i] != NULL && strcmp(variable_names[i], name) == 0) @@ -404,7 +435,7 @@ } /* If given an OptFpList with no byte_extracts, clear the variable_names array */ -static void ClearVarNames(OptFpList *fpl) +void ClearVarNames(OptFpList *fpl) { int i; @@ -424,9 +455,9 @@ } /* Add a variable's name to the variable_names array - Returns: variable index + Returns: variable index */ -static int8_t AddVarNameToList(ByteExtractData *data) +int8_t AddVarNameToList(ByteExtractData *data) { int i; @@ -459,7 +490,7 @@ /* Clear out the variable_names array if this is the first byte_extract in a rule. */ ClearVarNames(otn->opt_func); - + /* Parse the options */ ByteExtractParse(idx, data); @@ -469,7 +500,7 @@ { ParseError("Rule has more than %d byte_extract variables.", NUM_BYTE_EXTRACT_VARS); } -#ifdef DEBUG +#ifdef DEBUG_MSGS PrintByteExtract(idx); #endif 
@@ -510,20 +541,15 @@ } /* setup our fun pointers */ - if (IsBase64DecodeBuf(doe_ptr)) - { - dsize = base64_decode_size; - start = (uint8_t *)base64_decode_buf; - } - else if ( IsMimeDecodeBuf(doe_ptr) ) + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = mime_decode_size; - start = (uint8_t *)file_data_ptr; + dsize = DetectBuffer.len; + start = DetectBuffer.data; } - else if (p->packet_flags & PKT_ALT_DECODE) + else if (Is_DetectFlag(FLAG_ALT_DECODE)) { dsize = DecodeBuffer.len; - start = (uint8_t *)DecodeBuffer.data; + start = DecodeBuffer.data; } else { diff -Nru snort-2.9.0.1/src/detection-plugins/sp_byte_extract.h snort-2.9.2/src/detection-plugins/sp_byte_extract.h --- snort-2.9.0.1/src/detection-plugins/sp_byte_extract.h 2010-06-09 15:04:59.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_byte_extract.h 2011-06-07 17:33:09.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2010 Sourcefire, Inc. +** Copyright (C) 2010-2011 Sourcefire, Inc. ** Author: Ryan Jordan <ryan.jordan@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -37,7 +37,7 @@ #define MIN_BYTE_EXTRACT_MULTIPLIER 1 #define MAX_BYTE_EXTRACT_MULTIPLIER 65535 -typedef struct _ByteExractData +typedef struct _ByteExtractData { uint32_t bytes_to_grab; int32_t offset; @@ -59,6 +59,8 @@ void ByteExtractFree(void *d); int8_t GetVarByName(char *name); +void ClearVarNames(OptFpList *fpl); +int8_t AddVarNameToList(ByteExtractData *data); int GetByteExtractValue(uint32_t *dst, int8_t var_number); int SetByteExtractValue(uint32_t value, int8_t var_number); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_byte_jump.c snort-2.9.2/src/detection-plugins/sp_byte_jump.c --- snort-2.9.0.1/src/detection-plugins/sp_byte_jump.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_byte_jump.c 2011-11-21 12:15:24.000000000 -0800 
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,10 +19,10 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_byte_jump - * +/* sp_byte_jump + * * Purpose: - * Grab some number of bytes, convert them to their numeric + * Grab some number of bytes, convert them to their numeric * representation, jump the doe_ptr up that many bytes (for * further pattern matching/byte_testing). * @@ -39,10 +39,10 @@ * ["hex"]: converted string data is represented in hexidecimal * ["dec"]: converted string data is represented in decimal * ["oct"]: converted string data is represented in octal - * ["align"]: round the number of converted bytes up to the next + * ["align"]: round the number of converted bytes up to the next * 32-bit boundry - * ["post_offset"]: number of bytes to adjust after applying - * + * ["post_offset"]: number of bytes to adjust after applying + * * sample rules: * alert udp any any -> any 32770:34000 (content: "|00 01 86 B8|"; \ * content: "|00 00 00 01|"; distance: 4; within: 4; \ @@ -52,7 +52,7 @@ * * Effect: * - * Reads in the indicated bytes, converts them to an numeric + * Reads in the indicated bytes, converts them to an numeric * representation and then jumps the doe_ptr up * that number of bytes. Returns 1 if the jump is in range (within the * packet) and 0 if it's not. @@ -75,13 +75,14 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "mstring.h" 
@@ -131,17 +132,17 @@ b = data->offset; c = data->base; - mix(a,b,c); - + mix(a,b,c); + a += (data->relative_flag << 24 | data->data_string_convert_flag << 16 | data->from_beginning_flag << 8 | - data->align_flag); + data->align_flag); b += data->endianess; c += data->multiplier; mix(a,b,c); - + a += RULE_OPTION_TYPE_BYTE_JUMP; b += data->post_offset; c += data->offset_var; @@ -152,21 +153,21 @@ { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ + uint64_t ptr; /* Addresses are 64bits */ - ptr = (u_int64_t) data->byte_order_func; + ptr = (uint64_t) data->byte_order_func; a += (ptr << 32) & 0XFFFFFFFF; b += (ptr & 0xFFFFFFFF); } #else - a += (u_int32_t)data->byte_order_func; + a += (uint32_t)data->byte_order_func; #endif final(a,b,c); - + return c; -} - +} + int ByteJumpCompare(void *l, void *r) { ByteJumpData *left = (ByteJumpData *)l; @@ -201,7 +202,7 @@ new->keyword = strdup(keyword); new->option = strdup(option); new->func = roo_func; - + new->next = byteJumpOverrideFuncs; byteJumpOverrideFuncs = new; } @@ -229,7 +230,7 @@ } /**************************************************************************** - * + * * Function: SetupByteJump() * * Purpose: Load 'er up @@ -259,10 +260,10 @@ /**************************************************************************** - * + * * Function: ByteJumpInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * 
@@ -286,11 +287,11 @@ if(idx == NULL) { - FatalError("%s(%d): Unable to allocate byte_jump data node\n", + FatalError("%s(%d): Unable to allocate byte_jump data node\n", file_name, file_line); } - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ override = ByteJumpParse(data, idx, otn); if (override != NULL) @@ -343,7 +344,7 @@ } /**************************************************************************** - * + * * Function: ByteJumpParse(char *, ByteJumpData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -429,7 +430,7 @@ } else if(!strcasecmp(cptr, "string")) { - /* the data will be represented as a string that needs + /* the data will be represented as a string that needs * to be converted to an int, binary is assumed otherwise */ idx->data_string_convert_flag = 1; @@ -473,7 +474,7 @@ } if ((factor <= 0) || (endp != cptr + multiplier_len)) { - FatalError("%s(%d): invalid length multiplier \"%s\"\n", + FatalError("%s(%d): invalid length multiplier \"%s\"\n", file_name, file_line, cptr); } idx->multiplier = factor; @@ -492,7 +493,7 @@ } if (endp != cptr + postoffset_len) { - FatalError("%s(%d): invalid post_offset \"%s\"\n", + FatalError("%s(%d): invalid post_offset \"%s\"\n", file_name, file_line, cptr); } idx->post_offset = factor; @@ -516,7 +517,7 @@ override = override->next; } - FatalError("%s(%d): unknown modifier \"%s\"\n", + FatalError("%s(%d): unknown modifier \"%s\"\n", file_name, file_line, cptr); } @@ -537,7 +538,7 @@ /**************************************************************************** - * + * * Function: ByteJump(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine 
@@ -548,7 +549,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int ByteJump(void *option_data, Packet *p) @@ -561,34 +562,25 @@ uint32_t extract_offset; int32_t offset, tmp = 0; int dsize; - int use_alt_buffer = p->packet_flags & PKT_ALT_DECODE; const uint8_t *base_ptr, *end_ptr, *start_ptr; uint8_t rst_doe_flags = 1; PROFILE_VARS; PREPROC_PROFILE_START(byteJumpPerfStats); - - if( IsMimeDecodeBuf(doe_ptr) ) - { - dsize = mime_decode_size; - start_ptr = file_data_ptr; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using MIME Decode Buffer!\n");); - } - else if( IsBase64DecodeBuf(doe_ptr)) + + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = base64_decode_size; - start_ptr = base64_decode_buf; + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Base64 Decode Buffer!\n");); + "Using Alternative Detect buffer!\n");); } - else if(use_alt_buffer) + else if(Is_DetectFlag(FLAG_ALT_DECODE)) { dsize = DecodeBuffer.len; - start_ptr = DecodeBuffer.data; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + start_ptr = DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); - } else { 
@@ -620,8 +612,13 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Checking relative offset!\n");); - /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ - if(!inBounds(start_ptr, end_ptr, doe_ptr)) + /* @todo: possibly degrade to use the other buffer, seems non-intuitive + * Because doe_ptr can be "end" in the last match, + * use end + 1 for upper bound + * Bound checked also after offset is applied + * (see byte_extract() and string_extract()) + */ + if(!inBounds(start_ptr, end_ptr + 1, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] byte jump bounds check failed..\n");); @@ -654,7 +651,7 @@ /* Both of the extraction functions contain checks to insure the data * is always inbounds */ - + if(!bjd->data_string_convert_flag) { if(byte_extract(bjd->endianess, bjd->bytes_to_grab, @@ -685,7 +682,7 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "grabbed %d of %d bytes, value = %08X\n", + "grabbed %d of %d bytes, value = %08X\n", payload_bytes_grabbed, bjd->bytes_to_grab, value);); /* Adjust the jump_value (# bytes to jump forward) with the multiplier. */ @@ -695,7 +692,7 @@ jump_value = value; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "grabbed %d of %d bytes, after multiplier value = %08X\n", + "grabbed %d of %d bytes, after multiplier value = %08X\n", payload_bytes_grabbed, bjd->bytes_to_grab, jump_value);); @@ -704,7 +701,7 @@ */ if(bjd->align_flag) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "offset currently at %d\n", jump_value);); if ((jump_value % 4) != 0) { @@ -732,10 +729,8 @@ else { UpdateDoePtr((base_ptr + payload_bytes_grabbed + jump_value), rst_doe_flags); - - } - + /* now adjust using post_offset -- before bounds checking */ doe_ptr += bjd->post_offset; 
@@ -747,7 +742,7 @@ return rval; } else - { + { rval = DETECTION_OPTION_MATCH; } diff -Nru snort-2.9.0.1/src/detection-plugins/sp_byte_jump.h snort-2.9.2/src/detection-plugins/sp_byte_jump.h --- snort-2.9.0.1/src/detection-plugins/sp_byte_jump.h 2010-06-09 15:05:00.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_byte_jump.h 2011-02-09 15:22:57.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_clientserver.c snort-2.9.2/src/detection-plugins/sp_clientserver.c --- snort-2.9.0.1/src/detection-plugins/sp_clientserver.c 2010-06-09 15:05:00.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_clientserver.c 2011-07-13 15:44:51.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author: Martin Roesch ** ** This program is free software; you can redistribute it and/or modify @@ -19,18 +19,18 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_clientserver - * +/* sp_clientserver + * * Purpose: * - * Wouldn't be nice if we could tell a TCP rule to only apply if it's going - * to or from the client or server side of a connection? Think of all the + * Wouldn't be nice if we could tell a TCP rule to only apply if it's going + * to or from the client or server side of a connection? Think of all the * false alarms we could elminate! That's what we're doing with this one, * it allows you to write rules that only apply to client or server packets. * One thing though, you *must* have stream4 enabled for it to work! * * Arguments: - * + * * None. * * Effect: 
@@ -55,12 +55,13 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "snort.h" @@ -105,13 +106,13 @@ } int FlowCompare(void *l, void *r) -{ +{ ClientServerData *left = (ClientServerData *)l; ClientServerData *right = (ClientServerData *)r; if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->from_server == right->from_server) && ( left->from_client == right->from_client) && ( left->ignore_reassembled == right->ignore_reassembled) && @@ -135,7 +136,7 @@ { if( csd->from_server ) return 1; } - return 0; + return 0; } int OtnFlowFromClient( OptTreeNode * otn ) { @@ -146,7 +147,7 @@ { if( csd->from_client ) return 1; } - return 0; + return 0; } int OtnFlowIgnoreReassembled( OptTreeNode * otn ) { @@ -157,7 +158,7 @@ { if( csd->ignore_reassembled ) return 1; } - return 0; + return 0; } int OtnFlowOnlyReassembled( OptTreeNode * otn ) { @@ -168,11 +169,11 @@ { if( csd->only_reassembled ) return 1; } - return 0; + return 0; } /**************************************************************************** - * + * * Function: SetupClientServer() * * Purpose: Generic detection engine plugin template. Registers the @@ -193,13 +194,13 @@ RegisterPreprocessorProfile("flow", &flowCheckPerfStats, 3, &ruleOTNEvalPerfStats); #endif - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: ClientServerName(Flow) Setup\n");); } /**************************************************************************** - * + * * Function: FlowInit(char *, OptTreeNode *) * * Purpose: Configure the flow init option to register the appropriate checks 
@@ -216,10 +217,10 @@ /* multiple declaration check */ if(otn->ds_list[PLUGIN_CLIENTSERVER]) { - FatalError("%s(%d): Multiple flow options in rule\n", file_name, + FatalError("%s(%d): Multiple flow options in rule\n", file_name, file_line); } - + InitFlowData(otn); ParseFlowArgs(data, otn); @@ -233,7 +234,7 @@ "for UDP traffic\n", file_name, file_line); } } - + if (protocol == IPPROTO_ICMP) { if ((csd->only_reassembled != ONLY_FRAG) && (csd->ignore_reassembled != IGNORE_FRAG)) @@ -245,7 +246,7 @@ } -static INLINE void CheckStream(char *token) +static inline void CheckStream(char *token) { if (!stream_api) { @@ -255,7 +256,7 @@ } /**************************************************************************** - * + * * Function: ParseFlowArgs(char *, OptTreeNode *) * * Purpose: parse the arguments to the flow plugin and alter the otn @@ -284,9 +285,9 @@ token = strtok(p, ","); - while(token) + while(token) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "parsed %s,(%d)\n", token,strlen(token));); while(isspace((int)*token)) @@ -301,12 +302,12 @@ { CheckStream(token); csd->from_server = 1; - } + } else if(!strcasecmp(token, "from_server")) { CheckStream(token); csd->from_server = 1; - } + } else if(!strcasecmp(token, "from_client")) { CheckStream(token); 
@@ -364,13 +365,19 @@ "and flow_from server", file_name, file_line); } - if(csd->ignore_reassembled && csd->only_reassembled) + if((csd->ignore_reassembled & IGNORE_STREAM) && (csd->only_reassembled & ONLY_STREAM)) { FatalError("%s:%d: Can't use no_stream and" " only_stream", file_name,file_line); } - if(otn->stateless && (csd->from_client || csd->from_server)) + if((csd->ignore_reassembled & IGNORE_FRAG) && (csd->only_reassembled & ONLY_FRAG)) + { + FatalError("%s:%d: Can't use no_frag and" + " only_frag", file_name,file_line); + } + + if(otn->stateless && (csd->from_client || csd->from_server)) { FatalError("%s:%d: Can't use flow: stateless option with" " other options", file_name, file_line); @@ -417,12 +424,12 @@ fpl->type = RULE_OPTION_TYPE_FLOW; fpl->context = (void *)csd; } - + free(str); } /**************************************************************************** - * + * * Function: InitFlowData(OptTreeNode *) * * Purpose: calloc the clientserver data node @@ -437,10 +444,10 @@ /* allocate the data structure and attach it to the rule's data struct list */ - otn->ds_list[PLUGIN_CLIENTSERVER] = (ClientServerData *) + otn->ds_list[PLUGIN_CLIENTSERVER] = (ClientServerData *) calloc(sizeof(ClientServerData), sizeof(char)); - if(otn->ds_list[PLUGIN_CLIENTSERVER] == NULL) + if(otn->ds_list[PLUGIN_CLIENTSERVER] == NULL) { FatalError("FlowData calloc Failed!\n"); } @@ -458,7 +465,7 @@ { if ((csd->established == 1) && !(p->packet_flags & PKT_STREAM_EST)) { - /* + /* ** This option requires an established connection and it isn't ** in that state yet, so no match. */ @@ -481,7 +488,7 @@ { if (ScStateful()) { - if (!(p->packet_flags & PKT_FROM_CLIENT) && + if (!(p->packet_flags & PKT_FROM_CLIENT) && (p->packet_flags & PKT_FROM_SERVER)) { /* No match on from_client */ @@ -496,7 +503,7 @@ { if (ScStateful()) { - if (!(p->packet_flags & PKT_FROM_SERVER) && + if (!(p->packet_flags & PKT_FROM_SERVER) && (p->packet_flags & PKT_FROM_CLIENT)) { /* No match on from_server */ 
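Review bot: The new no_frag/only_frag conflict check in ParseFlowArgs tests `ignore_reassembled` and `only_reassembled` as bitmasks (`& IGNORE_FRAG`, `& ONLY_FRAG`), but the ICMP check earlier in FlowInit (visible as context in this file's -233 hunk) still compares the same fields with `!= ONLY_FRAG` and `!= IGNORE_FRAG`, so if the parser ORs several bits into these fields a value with the frag bit plus another bit would be rejected there while passing here. For consistency that earlier test should become `!(csd->only_reassembled & ONLY_FRAG) && !(csd->ignore_reassembled & IGNORE_FRAG)`. The two new FatalError messages also use the `%s:%d:` location format while the rest of FlowInit uses `%s(%d):`; one form makes parser errors easier to grep. ParseFlowArgs begins before this hunk.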
@@ -528,8 +535,11 @@ /* ...only_reassembled */ if (csd->only_reassembled & ONLY_STREAM) { - if (!(p->packet_flags & PKT_REBUILT_STREAM)) - { + if ( !(p->packet_flags & PKT_REBUILT_STREAM) +#ifdef ENABLE_PAF + && !PacketHasFullPDU(p) +#endif + ) { PREPROC_PROFILE_END(flowCheckPerfStats); return DETECTION_OPTION_NO_MATCH; } diff -Nru snort-2.9.0.1/src/detection-plugins/sp_clientserver.h snort-2.9.2/src/detection-plugins/sp_clientserver.h --- snort-2.9.0.1/src/detection-plugins/sp_clientserver.h 2010-01-26 10:09:38.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_clientserver.h 2011-02-09 15:22:58.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_cvs.c snort-2.9.2/src/detection-plugins/sp_cvs.c --- snort-2.9.0.1/src/detection-plugins/sp_cvs.c 2010-01-26 10:09:39.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_cvs.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -22,7 +22,7 @@ ** ** @author Taimur Aslam ** @author Todd Wease -** +** ** @brief Decode and detect CVS vulnerabilities ** ** This CVS detection plugin provides support for detecting published CVS vulnerabilities. The @@ -46,15 +46,16 @@ #include <sys/types.h> #include <errno.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sp_cvs.h" 
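Review bot: The only_stream test now also accepts a packet for which PacketHasFullPDU(p) is true without PKT_REBUILT_STREAM, but the mirror-image no_stream branch (the `ignore_reassembled & IGNORE_STREAM` case, which sits above this hunk) is not visible; if it still tests only PKT_REBUILT_STREAM, a PAF full-PDU packet that was not rebuilt satisfies both `only_stream` and `no_stream` rules, so that branch needs the same `#ifdef ENABLE_PAF` test or a comment explaining why the asymmetry is intended. A comment on the new condition would help the next reader, e.g. `/* under PAF a packet carrying a complete PDU counts as reassembled even if stream5 did not rebuild it */`. The `) {` placement also departs from the Allman brace style used throughout this file; putting `{` on its own line keeps the block uniform. The enclosing evaluation function starts before this hunk.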
@@ -99,7 +100,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (left->type == right->type) { return DETECTION_OPTION_EQUAL; @@ -110,18 +111,18 @@ /* ** NAME -** SetupCvs +** SetupCvs ** Register the CVS detection plugin. -** +** */ /** -** +** ** @return None ** */ void SetupCvs(void) -{ +{ RegisterRuleOption("cvs", CvsInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING @@ -137,10 +138,10 @@ ** NAME ** CvsInit ** Initialize the CVS context and set it up so we can detect commands. -** +** */ /** -** +** ** @return None ** */ @@ -152,7 +153,7 @@ OptFpList *ofl; cvs_rule_option = (CvsRuleOption *)SnortAlloc(sizeof(CvsRuleOption)); - + CvsRuleParse(data, cvs_rule_option); if (add_detection_option(RULE_OPTION_TYPE_CVS, (void *)cvs_rule_option, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) @@ -175,7 +176,7 @@ ** Parse the CVS rules and set the threshold criteria. */ /** -** +** ** @return None ** */ @@ -186,7 +187,7 @@ int num_toks = 0; - toks = mSplit(rule_args, CVS_CONFIG_DELIMITERS, 2, &num_toks, 0); + toks = mSplit(rule_args, CVS_CONFIG_DELIMITERS, 2, &num_toks, 0); switch (num_toks) { @@ -211,7 +212,7 @@ break; } - mSplitFree(&toks, num_toks); + mSplitFree(&toks, num_toks); } @@ -219,10 +220,10 @@ ** NAME ** CvsDetect ** This function is called on a per rule basis for CVS detection. -** +** */ /** -** +** ** @return integer ** @retval CVS_NO_ALERT ** @retval CVS_ALERT @@ -267,10 +268,10 @@ ** NAME ** CvsDecode ** This main decode function. Decode the CVS commands and detect the vulnerabilities. -** +** */ /** -** +** ** @return integer ** */ @@ -314,8 +315,8 @@ { ret = CvsValidateEntry(command.cmd_arg, (command.cmd_arg + command.cmd_arg_len)); - - if (ret == CVS_ENTRY_INVALID) + + if ((ret == CVS_ENTRY_INVALID)&&(eol < end)) { return CVS_ALERT; } @@ -358,7 +359,7 @@ return 1; } - + /* ** NAME 
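Review bot: The added `(eol < end)` condition in CvsDecode suppresses the alert whenever the invalid Entry line is the last one in the buffer, which looks intended to avoid alerting on a line cut at a packet boundary but also silences a genuinely malformed Entry that an attacker who controls packet boundaries places at the end of each payload. The distinguishing signal is whether the line was terminated, not whether it is last: if the line scanner records that it found a newline before `end`, the check can be `if (ret == CVS_ENTRY_INVALID && line_terminated)` and still skip truncated fragments. Whether stream reassembly makes the boundary case unreachable in practice is not visible here, and the loop that computes `eol` starts before this hunk. Either way a one-line comment stating the truncation rationale belongs on this condition.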
@@ -370,7 +371,7 @@ ** command member. A pointer to the rest of the string after ** the replacement '\0' is put into the structure's command ** argument member. If there isn't a space, the entire line -** is put in the command and the command argument is set to +** is put in the command and the command argument is set to ** NULL. ** */ @@ -405,7 +406,7 @@ { cmd->cmd_str_len = cmd_end - line; cmd->cmd_arg = cmd_end + 1; - cmd->cmd_arg_len = end - cmd_end; + cmd->cmd_arg_len = end - cmd_end - 1; } else { @@ -446,17 +447,17 @@ /* There should be exactly 5 slashes in the string */ while (entry_arg < end_arg) { - /* if on the 3rd slash, check for next char == '/' + /* if on the 3rd slash, check for next char == '/' or '+' * This is where the heap overflow on multiple Is-Modified * commands occurs */ if (slashes == 3) { - if (*entry_arg != '/') + if((*entry_arg != '/')&&(*entry_arg != '+')) { return CVS_ENTRY_INVALID; } } - else + if (*entry_arg != '/') { entry_arg = memchr(entry_arg, '/', end_arg - entry_arg); if (entry_arg == NULL) diff -Nru snort-2.9.0.1/src/detection-plugins/sp_cvs.h snort-2.9.2/src/detection-plugins/sp_cvs.h --- snort-2.9.0.1/src/detection-plugins/sp_cvs.h 2010-01-26 10:09:39.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_cvs.h 2011-02-09 15:22:59.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/detection-plugins/sp_dsize_check.c snort-2.9.2/src/detection-plugins/sp_dsize_check.c --- snort-2.9.0.1/src/detection-plugins/sp_dsize_check.c 2010-01-26 10:09:40.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_dsize_check.c 2011-11-21 12:15:24.000000000 -0800 
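Review bot: The corrected `cmd->cmd_arg_len = end - cmd_end - 1;` relies on `cmd_end` lying strictly inside `[line, end)`, otherwise the subtraction goes negative (and wraps if `cmd_arg_len` is unsigned, which this hunk does not show); the search that sets `cmd_end` is outside the hunk, so a comment at this line should record the invariant, e.g. `/* cmd_end is the separator found inside [line, end); the argument is the bytes after it */`. The old value made `cmd_arg + cmd_arg_len` land one past `end`, which is exactly what CvsValidateEntry receives as its end pointer in the -314 hunk, so this is a bounds fix rather than a cosmetic one and deserves a sentence in the commit message. The command-splitting function continues past this hunk.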
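Review bot: After the third slash the validator now accepts `+` as well as `/`, and the following `if (*entry_arg != '/')` then memchr()s forward to the next slash, so everything between the `+` and that slash is skipped without inspection; if the conflict marker is `+` followed by a timestamp (the exact Entries syntax is not visible here), a length or character-class check on that span would keep this field as tight as the others. Dropping the `else` is correct, since the slashes==3 case that finds `/` is now excluded from the memchr() by the new guard, but the two back-to-back ifs read as a mistake without a comment such as `/* slashes==3: field must be empty or a '+' conflict marker; for '+' scan to the closing slash */`. The increments of `slashes` and `entry_arg` and the five-slash count check are outside the hunk.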
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -27,11 +27,12 @@ #include <stdlib.h> #include <string.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "plugin_enum.h" #include "util.h" @@ -89,7 +90,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->dsize == right->dsize) && ( left->dsize2 == right->dsize2) && ( left->operator == right->operator)) @@ -101,7 +102,7 @@ } /**************************************************************************** - * + * * Function: SetupDsizeCheck() * * Purpose: Attach the dsize keyword to the rule parse function @@ -123,10 +124,10 @@ /**************************************************************************** - * + * * Function: DsizeCheckInit(char *, OptTreeNode *) * - * Purpose: Parse the rule argument and attach it to the rule data struct, + * Purpose: Parse the rule argument and attach it to the rule data struct, * then attach the detection function to the function list * * Arguments: data => rule arguments/data @@ -150,7 +151,7 @@ otn->ds_list[PLUGIN_DSIZE_CHECK] = (DsizeCheckData *) SnortAlloc(sizeof(DsizeCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseDsize(data, otn); 
@@ -161,11 +162,11 @@ /**************************************************************************** - * + * * Function: ParseDsize(char *, OptTreeNode *) * * Purpose: Parse the dsize function argument and attach the detection - * function to the rule list as well. + * function to the rule list as well. * * Arguments: data => argument data * otn => pointer to the current rule's OTN @@ -190,7 +191,7 @@ /* If a range is specified, put min in ds_ptr->dsize and max in ds_ptr->dsize2 */ - + if(isdigit((int)*data) && strchr(data, '<') && strchr(data, '>')) { pcTok = strtok(data, " <>"); @@ -230,9 +231,9 @@ ds_ptr->operator = DSIZE_RANGE; -#ifdef DEBUG - printf("min dsize: %d\n", ds_ptr->dsize); - printf("max dsize: %d\n", ds_ptr->dsize2); +#ifdef DEBUG_MSGS + DebugMessage(DEBUG_PLUGIN, "min dsize: %d\n", ds_ptr->dsize); + DebugMessage(DEBUG_PLUGIN, "max dsize: %d\n", ds_ptr->dsize2); #endif fpl = AddOptFuncToList(CheckDsize, otn); fpl->type = RULE_OPTION_TYPE_DSIZE; @@ -289,7 +290,7 @@ } /**************************************************************************** - * + * * Function: CheckDsizeEq(char *, OptTreeNode *) * * Purpose: Test the packet's payload size against the rule payload size value @@ -311,7 +312,10 @@ PREPROC_PROFILE_END(dsizePerfStats); /* fake packet dsizes are always wrong */ - if(p->packet_flags & PKT_REBUILT_STREAM) + /* (unless they are PDUs) */ + if ( + (p->packet_flags & PKT_REBUILT_STREAM) && + !(p->packet_flags & PKT_PDU_HEAD) ) { PREPROC_PROFILE_END(dsizePerfStats); return rval; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_dsize_check.h snort-2.9.2/src/detection-plugins/sp_dsize_check.h --- snort-2.9.0.1/src/detection-plugins/sp_dsize_check.h 2010-01-26 10:09:41.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_dsize_check.h 2011-02-09 15:22:59.000000000 -0800 
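Review bot: The comment `/* (unless they are PDUs) */` overstates the new guard, which exempts only packets flagged PKT_PDU_HEAD; rebuilt-stream pseudo packets that are PDU continuations still return no match, so I would write `/* rebuilt pseudo-packets carry no meaningful dsize, except the head of a PAF PDU (PKT_PDU_HEAD) - confirm its dsize is the PDU length */`. Separately, the context line immediately above the comment reads `PREPROC_PROFILE_END(dsizePerfStats);` and the early-return branch then ends the same profile again; if that is not an artefact of the collapsed diff, the first call should be PREPROC_PROFILE_START. The enclosing check function starts before this hunk.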
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_file_data.c snort-2.9.2/src/detection-plugins/sp_file_data.c --- snort-2.9.0.1/src/detection-plugins/sp_file_data.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_file_data.c 2011-07-13 15:44:51.000000000 -0700 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ */ /* sp_file_data - * + * */ #ifdef HAVE_CONFIG_H @@ -33,12 +33,13 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" @@ -93,7 +94,7 @@ /**************************************************************************** - * + * * Function: SetupFileData() * * Purpose: Load 'er up @@ -116,10 +117,10 @@ /**************************************************************************** - * + * * Function: FileDataInit(char *, OptTreeNode *, int protocol) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * 
@@ -155,18 +156,18 @@ free(idx); idx = idx_dup; } - + fpl = AddOptFuncToList(FileDataEval, otn); fpl->type = RULE_OPTION_TYPE_FILE_DATA; fpl->context = (void *)idx; - - return; + + return; } /**************************************************************************** - * + * * Function: FileDataParse(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -187,7 +188,7 @@ } else if(!strcasecmp("mime",data)) { - idx->mime_decode_flag = 1; + ParseWarning("The argument 'mime' to 'file_data' rule option is deprecated.\n"); } else { @@ -201,7 +202,7 @@ /**************************************************************************** - * + * * Function: FileDataEval(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -212,19 +213,24 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int FileDataEval(void *option_data, Packet *p) { int rval = DETECTION_OPTION_NO_MATCH; + uint8_t *data; + uint16_t len; FileData *idx; PROFILE_VARS; PREPROC_PROFILE_START(fileDataPerfStats); idx = (FileData *)option_data; - if ((p->dsize == 0) || (!IsTCP(p) && !IsUDP(p)) || (file_data_ptr == NULL) || !idx) + data = file_data_ptr.data; + len = file_data_ptr.len; + + if ((p->dsize == 0) || (data == NULL)|| (len == 0) || !idx) { PREPROC_PROFILE_END(fileDataPerfStats); return rval; 
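Review bot: `len` is declared `uint16_t` and copied from `file_data_ptr.len` in FileDataEval, but the type of that field is not visible here; if it is any wider the copy silently truncates and a length of exactly 65536 collapses to 0, which the next line then treats as "no data", so `len` should be declared with the field's own type (or `size_t`), and `SetAltDetect(data, len)` in the following hunk would then receive the full length. The rewritten guard also drops the `IsTCP(p)/IsUDP(p)` restriction, so file_data now evaluates whenever a preprocessor has set the buffer regardless of transport; if that is intended, a comment saying so prevents someone from reinstating the check. The function continues past this hunk.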
@@ -235,7 +241,8 @@ else mime_present = 0; - SetDoePtr(file_data_ptr, DOE_BUF_STD); + SetDoePtr(data, DOE_BUF_STD); + SetAltDetect(data, len); rval = DETECTION_OPTION_MATCH; PREPROC_PROFILE_END(fileDataPerfStats); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_file_data.h snort-2.9.2/src/detection-plugins/sp_file_data.h --- snort-2.9.0.1/src/detection-plugins/sp_file_data.h 2010-06-09 15:05:00.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_file_data.h 2011-02-09 15:22:59.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_flowbits.c snort-2.9.2/src/detection-plugins/sp_flowbits.c --- snort-2.9.0.1/src/detection-plugins/sp_flowbits.c 2010-08-25 13:22:40.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_flowbits.c 2011-11-21 12:15:24.000000000 -0800 @@ -2,10 +2,10 @@ ** $Id$ ** ** sp_flowbits -** +** ** Purpose: ** -** Wouldn't it be nice if we could do some simple state tracking +** Wouldn't it be nice if we could do some simple state tracking ** across multiple packets? Well, this allows you to do just that. ** ** Effect: @@ -13,8 +13,8 @@ ** - [Un]set a bitmask stored with the session ** - Check the value of the bitmask ** -** Copyright (C) 2003-2010 Sourcefire, Inc. -** +** Copyright (C) 2003-2011 Sourcefire, Inc. +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or 
@@ -36,12 +36,17 @@ #include <ctype.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "snort.h" @@ -80,7 +85,7 @@ /**************************************************************************** - * + * * Function: FlowBitsHashInit(void) * * Purpose: Initialize the hash table and queue storage for flowbits IDs @@ -122,7 +127,7 @@ FatalError("%s(%d) Could not create flowbits group hash.\n", __FILE__, __LINE__); } - + } void FlowItemFree(void *d) @@ -169,7 +174,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->id == right->id) && ( left->type == right->type)) { @@ -180,7 +185,7 @@ } /**************************************************************************** - * + * * Function: SetupFlowBits() * * Purpose: Generic detection engine plugin template. Registers the @@ -210,7 +215,7 @@ /**************************************************************************** - * + * * Function: FlowBitsInit(char *, OptTreeNode *) * * Purpose: Configure the flow init option to register the appropriate checks @@ -231,19 +236,19 @@ * We avoid adding the flowbit twice by skipping it here. */ if (otn->sigInfo.generator == 3) return; - + /* Flow bits are handled by Stream5 if its enabled */ if( stream_api && stream_api->version != STREAM_API_VERSION5) { if (ScConfErrorOut()) { - FatalError("Warning: %s (%d) => flowbits without Stream5. " + FatalError("WARNING: %s (%d) => flowbits without Stream5. " "Stream5 must be enabled for this plugin.\n", file_name,file_line); } else { - LogMessage("Warning: %s (%d) => flowbits without Stream5. " + LogMessage("WARNING: %s (%d) => flowbits without Stream5. " "Stream5 must be enabled for this plugin.\n", file_name,file_line); } 
@@ -285,17 +290,17 @@ fpl->type = RULE_OPTION_TYPE_FLOWBIT; /* - * attach it to the context node so that we can call each instance + * attach it to the context node so that we can call each instance * individually */ - + fpl->context = (void *) flowbits; return; } /**************************************************************************** - * + * * Function: FlowBitsParse(char *, FlowBits *flowbits, OptTreeNode *) * * Purpose: parse the arguments to the flow plugin and alter the otn @@ -331,7 +336,7 @@ toks = mSplit(data, ",", 0, &num_toks, 0); if(num_toks < 1) { - FatalError("%s (%d): ParseFlowArgs: Must specify flowbits operation.\n", + FatalError("%s (%d): ParseFlowArgs: Must specify flowbits operation.\n", file_name, file_line); } token = toks[0]; @@ -339,7 +344,7 @@ if(!strcasecmp("set",token)) { flowbits->type = FLOWBITS_SET; - } + } else if(!strcasecmp("unset",token)) { flowbits->type = FLOWBITS_UNSET; @@ -355,7 +360,7 @@ else if(!strcasecmp("isnotset",token)) { flowbits->type = FLOWBITS_ISNOTSET; - } + } else if(!strcasecmp("noalert", token)) { if(num_toks > 1) @@ -382,7 +387,7 @@ flowbits->id = 0; mSplitFree(&toks, num_toks); return; - } + } else { FatalError("%s(%d) ParseFlowArgs: Invalid token %s\n", @@ -399,7 +404,7 @@ } token = toks[1]; pch = strtok(token, " ,\t" ); - + if(pch && (pch != token )) { FatalError("%s (%d): flowbits tag id cannot include spaces or " @@ -408,14 +413,14 @@ flowbits_item = (FLOWBITS_OBJECT *)sfghash_find(flowbits_hash, token); - if (flowbits_item != NULL) + if (flowbits_item != NULL) { id = flowbits_item->id; found = 1; } else { - flowbits_item = + flowbits_item = (FLOWBITS_OBJECT *)SnortAlloc(sizeof(FLOWBITS_OBJECT)); if (sfqueue_count(flowbits_bit_queue) > 0) @@ -439,7 +444,7 @@ } hstatus = sfghash_add(flowbits_hash, token, flowbits_item); - if(hstatus != SFGHASH_OK) + if(hstatus != SFGHASH_OK) { FatalError("Could not add flowbits key (%s) to hash.\n",token); } 
@@ -466,7 +471,7 @@ flowbits->id = id; flowbits->name = SnortStrdup(token); - + if(num_toks < 3) { if (flowbits->type == FLOWBITS_SET || flowbits->type == FLOWBITS_TOGGLE) @@ -506,8 +511,8 @@ { if (strcmp((flowbits_item->group), token) != 0) { - FatalError("%s(%d) Flowbits already belongs to a group\n", - __FILE__, __LINE__); + FatalError("%s(%d) Flowbits %s already belongs to a group %s\n", + file_name, file_line, flowbits->name, flowbits_item->group); } } else @@ -526,7 +531,7 @@ } -static INLINE int boSetGrpBit(BITOP *BitOp, char *group, unsigned int uiPos) +static inline int boSetGrpBit(BITOP *BitOp, char *group, unsigned int uiPos) { FLOWBITS_GRP *flowbits_grp; BITOP *GrpBitOp; @@ -534,10 +539,10 @@ flowbits_grp = (FLOWBITS_GRP *)sfghash_find(flowbits_grp_hash, group); if( flowbits_grp == NULL ) return 0; - if((BitOp == NULL) || (BitOp->uiMaxBits <= uiPos) || (BitOp->uiMaxBits <= flowbits_grp->max_id) || flowbits_grp->count <= 1) + if((BitOp == NULL) || (BitOp->uiMaxBits <= uiPos) || (BitOp->uiMaxBits <= flowbits_grp->max_id) || flowbits_grp->count <= 0) return 0; GrpBitOp = &(flowbits_grp->GrpBitOp); - BitOp->pucBitBuffer[uiPos >> 3] = 0; + boClearBit(BitOp, uiPos); for ( i = 0; i <= flowbits_grp->max_id ; i++ ) { BitOp->pucBitBuffer[i >> 3] &= GrpBitOp->pucBitBuffer[i >> 3]; @@ -546,10 +551,10 @@ } /**************************************************************************** - * + * * Function: FlowBitsCheck(Packet *, struct _OptTreeNode *, OptFpList *) * - * Purpose: Check flow bits foo + * Purpose: Check flow bits foo * * Arguments: data => argument data * otn => pointer to the current rule's OTN 
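Review bot: In boSetGrpBit the loop steps `i` per bit but the body indexes per byte (`i >> 3`), so each byte is ANDed with the group mask eight times; iterating bytes instead, `for (i = 0; i <= (flowbits_grp->max_id >> 3); i++)`, does the same work once and reads as the byte-mask operation it is. Replacing the whole-byte clear `pucBitBuffer[uiPos >> 3] = 0` with `boClearBit(BitOp, uiPos)` is the real fix here (the old line wiped up to seven unrelated flowbits), and the relaxed `count <= 0` test now lets a single-member group through; both deserve a sentence in the commit message. The only bound protecting the `max_id >> 3` index is the `BitOp->uiMaxBits <= flowbits_grp->max_id` test above, which presumes pucBitBuffer holds uiMaxBits/8 bytes; that is not visible here and worth confirming. The function continues past this hunk.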
@@ -587,7 +592,7 @@ ); if(((flowbits->type == FLOWBITS_SET) || (((flowbits->type == FLOWBITS_TOGGLE) && - (!boIsBitSet(&(flowdata->boFlowbits),flowbits->id))))) && + (!boIsBitSet(&(flowdata->boFlowbits),flowbits->id))))) && (flowbits->group && (strcasecmp(flowbits->group, DEFAULT_FLOWBIT_GROUP) != 0 ))) { if ( (iRet = boSetGrpBit(&(flowdata->boFlowbits), flowbits->group, flowbits->id)) == 0 ) @@ -664,7 +669,7 @@ PREPROC_PROFILE_END(flowBitsPerfStats); return rval; } - + /* ** Now return what we found */ @@ -678,12 +683,12 @@ } /**************************************************************************** - * + * * Function: FlowBitsVerify() * * Purpose: Check flow bits foo to make sure its valid * - * Arguments: + * Arguments: * * Returns: 0 on failure * @@ -697,8 +702,8 @@ if (flowbits_hash == NULL) return; - for (n = sfghash_findfirst(flowbits_hash); - n != NULL; + for (n = sfghash_findfirst(flowbits_hash); + n != NULL; n= sfghash_findnext(flowbits_hash)) { fb = (FLOWBITS_OBJECT *)n->data; @@ -717,12 +722,12 @@ if ((fb->set > 0) && (fb->isset == 0)) { - LogMessage("Warning: flowbits key '%s' is set but not ever checked.\n", + LogMessage("WARNING: flowbits key '%s' is set but not ever checked.\n", (char*)n->key); } else if ((fb->isset > 0) && (fb->set == 0)) { - LogMessage("Warning: flowbits key '%s' is checked but not ever set.\n", + LogMessage("WARNING: flowbits key '%s' is checked but not ever set.\n", (char*)n->key); } else if ((fb->set == 0) && (fb->isset == 0)) @@ -735,7 +740,7 @@ flowbits_toggle ^= 1; - LogMessage("%d out of %d flowbits in use.\n", + LogMessage("%d out of %d flowbits in use.\n", num_flowbits, giFlowbitSize<<3); } diff -Nru snort-2.9.0.1/src/detection-plugins/sp_flowbits.h snort-2.9.2/src/detection-plugins/sp_flowbits.h --- snort-2.9.0.1/src/detection-plugins/sp_flowbits.h 2010-08-25 13:22:40.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_flowbits.h 2011-10-26 11:28:52.000000000 -0700 
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -25,11 +25,11 @@ #ifndef __SP_FLOWBITS_H__ #define __SP_FLOWBITS_H__ -#include "stream_api.h" #include "sfghash.h" #include "sf_types.h" #include "decode.h" #include "bitop_funcs.h" +#include "snort_debug.h" /* Normally exported functions, for plugin registration. */ void SetupFlowBits(void); @@ -83,8 +83,6 @@ BITOP GrpBitOp; } FLOWBITS_GRP; - - #define FLOWBITS_SET 0x01 #define FLOWBITS_UNSET 0x02 #define FLOWBITS_TOGGLE 0x04 @@ -93,4 +91,14 @@ #define FLOWBITS_RESET 0x20 #define FLOWBITS_NOALERT 0x40 +static inline int FlowBits_SetOperation(void *option_data) +{ + FLOWBITS_OP *flowbits = (FLOWBITS_OP*)option_data; + if (flowbits->type & (FLOWBITS_SET | FLOWBITS_UNSET | FLOWBITS_TOGGLE | FLOWBITS_RESET)) + { + return 1; + } + return 0; +} + #endif /* __SP_FLOWBITS_H__ */ diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ftpbounce.c snort-2.9.2/src/detection-plugins/sp_ftpbounce.c --- snort-2.9.0.1/src/detection-plugins/sp_ftpbounce.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_ftpbounce.c 2011-06-07 17:33:09.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2005-2010 Sourcefire, Inc. + ** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges ** ** This program is free software; you can redistribute it and/or modify @@ -19,8 +19,8 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* sp_ftpbounce - * +/* sp_ftpbounce + * * Purpose: * Checks the address listed (a,b,c,d format) in the packet * against the source address. 
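Review bot: FlowBits_SetOperation dereferences `option_data` without a NULL guard, unlike the compare callbacks in the sibling sp_*.c files which all begin with `if (!left || !right)`; either add `if (!flowbits) return 0;` or document that callers guarantee a non-NULL FLOWBITS_OP. The helper also has no comment; I would put `/* true when the option mutates session flowbits (set/unset/toggle/reset) rather than only testing them */` above it. Being `static inline` in a header, it is duplicated into every translation unit that includes sp_flowbits.h, which is fine for a one-liner but worth remembering if it grows.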
@@ -32,7 +32,7 @@ * None * Optional: * None - * + * * sample rules: * alert tcp any any -> any 21 (content: "PORT"; \ * ftpbounce; @@ -60,13 +60,14 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "mstring.h" @@ -108,7 +109,7 @@ } /**************************************************************************** - * + * * Function: SetupFTPBounce() * * Purpose: Load 'er up @@ -132,10 +133,10 @@ /**************************************************************************** - * + * * Function: FTPBounceInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -151,7 +152,7 @@ OptFpList *fpl; void *ds_ptr_dup; - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ FTPBounceParse(data, otn); @@ -172,7 +173,7 @@ /**************************************************************************** - * + * * Function: FTPBounceParse(char *, void *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -195,7 +196,7 @@ /**************************************************************************** - * + * * Function: FTPBounce(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine 
@@ -206,7 +207,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int FTPBounce(void *option_data, Packet *p) @@ -216,40 +217,31 @@ const uint8_t *this_param = doe_ptr; int dsize; - int use_alt_buffer = p->packet_flags & PKT_ALT_DECODE; const uint8_t *base_ptr, *end_ptr, *start_ptr; PROFILE_VARS; if (!doe_ptr) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] ftpbounce no doe_ptr set..\n");); return 0; } PREPROC_PROFILE_START(ftpBouncePerfStats); - - if( IsMimeDecodeBuf(doe_ptr) ) - { - dsize = mime_decode_size; - start_ptr = file_data_ptr; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using MIME Decode buffer!\n");); - } - else if( IsBase64DecodeBuf(doe_ptr)) + + if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = base64_decode_size; - start_ptr = base64_decode_buf; + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Base64 Decode buffer!\n");); + "Using Alternative Detect buffer!\n");); } - else if(use_alt_buffer) + else if(Is_DetectFlag(FLAG_ALT_DECODE)) { dsize = DecodeBuffer.len; - start_ptr = DecodeBuffer.data; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Alternative Decode buffer!\n");); - + start_ptr = DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Decode buffer!\n");); } else { @@ -271,7 +263,7 @@ if(doe_ptr) { - /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ + /* @todo: possibly degrade to use the other buffer, seems non-intuitive*/ if(!inBounds(start_ptr, end_ptr, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, 
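Review bot: The buffer selection in FTPBounce now checks FLAG_ALT_DETECT before FLAG_ALT_DECODE, so when both flags are set the alternative detect buffer silently wins; that precedence is explained nowhere, and a comment such as `/* alt-detect (e.g. file_data) takes precedence over the alt-decode buffer when both are set */` would record it. The old code chose the buffer by inspecting where doe_ptr pointed (IsMimeDecodeBuf/IsBase64DecodeBuf); the new code trusts global flags, so a doe_ptr left in a different buffer is only caught by the inBounds() check that follows, and that dependency deserves a line of comment too. Further down in the same function, outside this hunk, `while (isspace((int)*this_param) && (this_param < end_ptr))` dereferences before the bound test; swapping the operands, `while ((this_param < end_ptr) && isspace((int)*this_param))`, avoids a one-byte read past end_ptr when the parameter is all whitespace. FTPBounce continues past this hunk.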
@@ -282,7 +274,7 @@ } while (isspace((int)*this_param) && (this_param < end_ptr)) this_param++; - + do { int value = 0; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ftpbounce.h snort-2.9.2/src/detection-plugins/sp_ftpbounce.h --- snort-2.9.0.1/src/detection-plugins/sp_ftpbounce.h 2010-01-26 10:09:42.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ftpbounce.h 2011-02-09 15:23:01.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges <ssturges@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_hdr_opt_wrap.c snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.c --- snort-2.9.0.1/src/detection-plugins/sp_hdr_opt_wrap.c 2010-01-26 10:09:43.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.c 2011-06-07 17:33:09.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -21,6 +21,10 @@ /* Necessary hash/wrapper functions to put a .so rule's HdrOptCheck option * directly on the rule option tree. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sp_hdr_opt_wrap.h" #include "sf_engine/sf_snort_plugin_api.h" diff -Nru snort-2.9.0.1/src/detection-plugins/sp_hdr_opt_wrap.h snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.h --- snort-2.9.0.1/src/detection-plugins/sp_hdr_opt_wrap.h 2010-01-26 10:09:44.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_hdr_opt_wrap.h 2011-02-09 15:23:01.000000000 -0800 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_code_check.c snort-2.9.2/src/detection-plugins/sp_icmp_code_check.c --- snort-2.9.0.1/src/detection-plugins/sp_icmp_code_check.c 2010-01-26 10:09:44.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_icmp_code_check.c 2011-06-07 17:33:09.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,13 +28,14 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "sfhashfcn.h" @@ -103,7 +104,7 @@ } /**************************************************************************** - * + * * Function: SetupIcmpCodeCheck() * * Purpose: Register the icode keyword and configuration function @@ -126,7 +127,7 @@ /**************************************************************************** - * + * * Function: IcmpCodeCheckInit(char *, OptTreeNode *) * * Purpose: Initialize the rule data structs and parse the rule argument @@ -146,7 +147,7 @@ FatalError( "%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_CODE]) { FatalError("%s(%d): Multiple icmp code options in rule\n", file_name, 
@@ -159,13 +160,13 @@ otn->ds_list[PLUGIN_ICMP_CODE] = (IcmpCodeCheckData *) SnortAlloc(sizeof(IcmpCodeCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpCode(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ - + fpl = AddOptFuncToList(IcmpCodeCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_CODE; fpl->context = otn->ds_list[PLUGIN_ICMP_CODE]; @@ -174,7 +175,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpCode(char *, OptTreeNode *) * * Purpose: Process the icode argument and stick it in the data struct @@ -216,8 +217,8 @@ file_name, file_line); } - /* - * If a range is specified, put the min in icmp_code, and the max in + /* + * If a range is specified, put the min in icmp_code, and the max in * icmp_code2 */ @@ -304,7 +305,7 @@ /**************************************************************************** - * + * * Function: IcmpCodeCheck(Packet *p, OptTreeNode *, OptFpList *fp_list) * * Purpose: Test the packet's ICMP code field value against the option's @@ -326,7 +327,7 @@ /* return 0 if we don't have an icmp header */ if(!p->icmph) - return rval; + return rval; PREPROC_PROFILE_START(icmpCodePerfStats); 
@@ -345,7 +346,7 @@ rval = DETECTION_OPTION_MATCH; break; case ICMP_CODE_TEST_RG: - if (p->icmph->code > ds_ptr->icmp_code && + if (p->icmph->code > ds_ptr->icmp_code && p->icmph->code < ds_ptr->icmp_code2) rval = DETECTION_OPTION_MATCH; break; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_code_check.h snort-2.9.2/src/detection-plugins/sp_icmp_code_check.h --- snort-2.9.0.1/src/detection-plugins/sp_icmp_code_check.h 2010-01-26 10:09:44.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_icmp_code_check.h 2011-02-09 15:23:01.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_id_check.c snort-2.9.2/src/detection-plugins/sp_icmp_id_check.c --- snort-2.9.0.1/src/detection-plugins/sp_icmp_id_check.c 2010-06-09 15:05:02.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_icmp_id_check.c 2011-06-07 17:33:09.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -19,20 +19,20 @@ */ /* $Id$ */ -/* sp_icmp_id - * +/* sp_icmp_id + * * Purpose: * - * Test the ID field of ICMP ECHO and ECHO_REPLY packets for specified + * Test the ID field of ICMP ECHO and ECHO_REPLY packets for specified * values. This is useful for detecting TFN attacks, amongst others. * * Arguments: - * + * * The ICMP ID plugin takes a number as an option argument. * * Effect: * - * Tests ICMP ECHO and ECHO_REPLY packet ID field values and returns a + * Tests ICMP ECHO and ECHO_REPLY packet ID field values and returns a * "positive" detection result (i.e. passthrough) upon a value match. * * Comments: 
@@ -49,12 +49,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -109,7 +110,7 @@ } /**************************************************************************** - * + * * Function: SetupIcmpIdCheck() * * Purpose: Registers the configuration function and links it to a rule @@ -134,7 +135,7 @@ /**************************************************************************** - * + * * Function: IcmpIdCheckInit(char *, OptTreeNode *) * * Purpose: Handles parsing the rule information and attaching the associated @@ -154,7 +155,7 @@ FatalError("%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_ID_CHECK]) { FatalError("%s(%d): Multiple icmp id options in rule\n", file_name, @@ -166,12 +167,12 @@ otn->ds_list[PLUGIN_ICMP_ID_CHECK] = (IcmpIdCheckData *) SnortAlloc(sizeof(IcmpIdCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpId(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IcmpIdCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_ID; @@ -181,7 +182,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpId(char *, OptTreeNode *) * * Purpose: Convert the rule option argument to program data. @@ -224,7 +225,7 @@ /**************************************************************************** - * + * * Function: IcmpIdCheck(char *, OptTreeNode *) * * Purpose: Compare the ICMP ID field to the rule value. 
@@ -233,7 +234,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IcmpIdCheck(void *option_data, Packet *p) @@ -247,11 +248,11 @@ PREPROC_PROFILE_START(icmpIdPerfStats); - if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) + if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) #ifdef SUP_IP6 - || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) + || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) #endif - ) + ) { /* test the rule ID value against the ICMP extension ID field */ if(icmpId->icmpid == p->icmph->s_icmp_id) diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_id_check.h snort-2.9.2/src/detection-plugins/sp_icmp_id_check.h --- snort-2.9.0.1/src/detection-plugins/sp_icmp_id_check.h 2010-01-26 10:09:44.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_icmp_id_check.h 2011-02-09 15:23:02.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_seq_check.c snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.c --- snort-2.9.0.1/src/detection-plugins/sp_icmp_seq_check.c 2010-06-09 15:05:02.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -19,20 +19,20 @@ */ /* $Id$ */ -/* sp_icmp_seq_check - * +/* sp_icmp_seq_check + * * Purpose: * - * Test the Sequence number field of ICMP ECHO and ECHO_REPLY packets for + * Test the Sequence number field of ICMP ECHO and ECHO_REPLY packets for * specified values. This is useful for detecting TFN attacks, amongst others. * * Arguments: - * + * * The ICMP Seq plugin takes a number as an option argument. * * Effect: * - * Tests ICMP ECHO and ECHO_REPLY packet Seq field values and returns a + * Tests ICMP ECHO and ECHO_REPLY packet Seq field values and returns a * "positive" detection result (i.e. passthrough) upon a value match. * * Comments: @@ -48,12 +48,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -71,7 +72,7 @@ { unsigned short icmpseq; -} IcmpSeqCheckData; +} IcmpSeqCheckData; void IcmpSeqCheckInit(char *, OptTreeNode *, int); void ParseIcmpSeq(char *, OptTreeNode *); @@ -110,7 +111,7 @@ /**************************************************************************** - * + * * Function: SetupIcmpSeqCheck() * * Purpose: Registers the configuration function and links it to a rule @@ -135,7 +136,7 @@ /**************************************************************************** - * + * * Function: IcmpSeqCheckInit(char *, OptTreeNode *) * * Purpose: Handles parsing the rule information and attaching the associated @@ -155,7 +156,7 @@ FatalError("%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_SEQ_CHECK]) { FatalError("%s(%d): Multiple ICMP seq options in rule\n", file_name, 
@@ -167,11 +168,11 @@ otn->ds_list[PLUGIN_ICMP_SEQ_CHECK] = (IcmpSeqCheckData *) SnortAlloc(sizeof(IcmpSeqCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpSeq(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IcmpSeqCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_SEQ; @@ -181,7 +182,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpSeq(char *, OptTreeNode *) * * Purpose: Convert the rule option argument to program data. @@ -213,7 +214,7 @@ file_name, file_line, data); } ds_ptr->icmpseq = htons(ds_ptr->icmpseq); - + if (add_detection_option(RULE_OPTION_TYPE_ICMP_SEQ, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) { free(ds_ptr); @@ -225,7 +226,7 @@ /**************************************************************************** - * + * * Function: IcmpSeqCheck(char *, OptTreeNode *) * * Purpose: Compare the ICMP Sequence field to the rule value. @@ -234,7 +235,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IcmpSeqCheck(void *option_data, Packet *p) 
@@ -248,11 +249,11 @@ PREPROC_PROFILE_START(icmpSeqPerfStats); - if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) + if( (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) #ifdef SUP_IP6 - || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) + || (p->icmph->type == ICMP6_ECHO || p->icmph->type == ICMP6_REPLY) #endif - ) + ) { /* test the rule ID value against the ICMP extension ID field */ if(icmpSeq->icmpseq == p->icmph->s_icmp_seq) diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_seq_check.h snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.h --- snort-2.9.0.1/src/detection-plugins/sp_icmp_seq_check.h 2010-01-26 10:09:45.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_icmp_seq_check.h 2011-02-09 15:23:02.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_type_check.c snort-2.9.2/src/detection-plugins/sp_icmp_type_check.c --- snort-2.9.0.1/src/detection-plugins/sp_icmp_type_check.c 2010-01-26 10:09:45.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_icmp_type_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,12 +28,13 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sp_icmp_type_check.h" 
@@ -45,7 +46,7 @@ PreprocStats icmpTypePerfStats; extern PreprocStats ruleOTNEvalPerfStats; #endif - + #include "sfhashfcn.h" #include "detection_options.h" @@ -90,7 +91,7 @@ } /**************************************************************************** - * + * * Function: SetupIcmpTypeCheck() * * Purpose: Register the itype keyword and configuration function @@ -112,7 +113,7 @@ /**************************************************************************** - * + * * Function: IcmpTypeCheckInit(char *, OptTreeNode *) * * Purpose: Initialize the rule data structs and parse the rule argument @@ -131,24 +132,24 @@ { FatalError("%s(%d): ICMP Options on non-ICMP rule\n", file_name, file_line); } - - /* multiple declaration check */ + + /* multiple declaration check */ if(otn->ds_list[PLUGIN_ICMP_TYPE]) { FatalError("%s(%d): Multiple ICMP type options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_ICMP_TYPE] = (IcmpTypeCheckData *) SnortAlloc(sizeof(IcmpTypeCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIcmpType(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IcmpTypeCheck, otn); fpl->type = RULE_OPTION_TYPE_ICMP_TYPE; @@ -158,7 +159,7 @@ /**************************************************************************** - * + * * Function: ParseIcmpType(char *, OptTreeNode *) * * Purpose: Process the itype argument and stick it in the data struct @@ -188,7 +189,7 @@ FatalError("%s (%d): No ICMP Type Specified\n", file_name, file_line); } - + /* get rid of spaces before the data */ while(isspace((int)*data)) data++; 
@@ -200,7 +201,7 @@ } /* - * if a range is specified, put the min in icmp_type, and the max in + * if a range is specified, put the min in icmp_type, and the max in * icmp_type2 */ @@ -287,7 +288,7 @@ } /**************************************************************************** - * + * * Function: IcmpTypeCheck(char *, OptTreeNode *) * * Purpose: Test the packet's ICMP type field value against the option's @@ -328,7 +329,7 @@ rval = DETECTION_OPTION_MATCH; break; case ICMP_TYPE_TEST_RG: - if (p->icmph->type > ds_ptr->icmp_type && + if (p->icmph->type > ds_ptr->icmp_type && p->icmph->type < ds_ptr->icmp_type2) rval = DETECTION_OPTION_MATCH; break; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_icmp_type_check.h snort-2.9.2/src/detection-plugins/sp_icmp_type_check.h --- snort-2.9.0.1/src/detection-plugins/sp_icmp_type_check.h 2010-01-26 10:09:45.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_icmp_type_check.h 2011-02-09 15:23:02.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_fragbits.c snort-2.9.2/src/detection-plugins/sp_ip_fragbits.c --- snort-2.9.0.1/src/detection-plugins/sp_ip_fragbits.c 2010-08-25 13:22:40.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_ip_fragbits.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -21,17 +21,17 @@ /* Snort Detection Plugin Source File for IP Fragment Bits plugin */ -/* sp_ip_fragbits - * +/* sp_ip_fragbits + * * Purpose: * * Check the fragmentation bits of the IP header for set values. Possible * bits are don't fragment (DF), more fragments (MF), and reserved (RB). * * Arguments: - * + * * The keyword to reference this plugin is "fragbits". Possible arguments are - * D, M and R for DF, MF and RB, respectively. + * D, M and R for DF, MF and RB, respectively. * * Effect: * @@ -52,12 +52,13 @@ #include <ctype.h> #include <string.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "plugbase.h" #include "decode.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -178,7 +179,7 @@ } /**************************************************************************** - * + * * Function: SetupFragBits() * * Purpose: Assign the keyword to the rules parser. @@ -201,7 +202,7 @@ /**************************************************************************** - * + * * Function: FragBitsInit(char *, OptTreeNode *) * * Purpose: Initialize the detection function and parse the arguments. 
@@ -216,29 +217,29 @@ void FragBitsInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_FRAG_BITS]) { FatalError("%s(%d): Multiple fragbits options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_FRAG_BITS] = (FragBitsData *) SnortAlloc(sizeof(FragBitsData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseFragBits(data, otn); - /* - * set the bitmask needed to mask off the IP offset field + /* + * set the bitmask needed to mask off the IP offset field * in the check function */ bitmask = htons(0xE000); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckFragBits, otn); fpl->type = RULE_OPTION_TYPE_IP_FRAGBITS; @@ -248,7 +249,7 @@ /**************************************************************************** - * + * * Function: ParseFragBits(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -301,7 +302,7 @@ case 'M': /* more frags bit */ ds_ptr->frag_bits |= FB_MF; break; - + case 'r': case 'R': /* reserved bit */ ds_ptr->frag_bits |= FB_RB; 
@@ -310,24 +311,24 @@ case '!': /* NOT flag, fire if flags are not set */ ds_ptr->mode = FB_NOT; break; - + case '*': /* ANY flag, fire on any of these bits */ ds_ptr->mode = FB_ANY; break; - + case '+': /* ALL flag, fire on these bits plus any others */ ds_ptr->mode = FB_ALL; break; default: FatalError("[!] Line %s (%d): Bad Frag Bits = \"%c\"\n" - " Valid options are: RDM+!*\n", file_name, + " Valid options are: RDM+!*\n", file_name, file_line, *fptr); } - + fptr++; } - + /* put the bits in network order for fast comparisons */ ds_ptr->frag_bits = htons(ds_ptr->frag_bits); @@ -342,7 +343,7 @@ /**************************************************************************** - * + * * Function: CheckFragBits(Packet *p, OptTreeNode *otn, OptFpList *fp_list) * * Purpose: This function checks the frag bits in the packets @@ -365,7 +366,7 @@ } PREPROC_PROFILE_START(fragBitsPerfStats); - + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, " <!!> CheckFragBits: "); DebugMessage(DEBUG_PLUGIN, "[rule: 0x%X:%d pkt: 0x%X] ", fb->frag_bits, fb->mode, (GET_IPH_OFF(p)&bitmask));); @@ -374,7 +375,7 @@ { case FB_NORMAL: /* check if the rule bits match the bits in the packet */ - if(fb->frag_bits == (GET_IPH_OFF(p)&bitmask)) + if(fb->frag_bits == (GET_IPH_OFF(p)&bitmask)) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Got Normal bits match\n");); rval = DETECTION_OPTION_MATCH; @@ -397,7 +398,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"NOT test failed\n");); } break; - + case FB_ALL: /* check if the rule bits are present in the packet */ if((fb->frag_bits & (GET_IPH_OFF(p)&bitmask)) == fb->frag_bits) @@ -410,7 +411,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"ALL test failed\n");); } break; - + case FB_ANY: /* check if any of the rule bits match the bits in the packet */ if((fb->frag_bits & (GET_IPH_OFF(p)&bitmask)) != 0) @@ -434,7 +435,7 @@ /**************************************************************************** - * + * * Function: SetupFragOffset() * * Purpose: Assign the keyword to the rules parser. 
@@ -456,7 +457,7 @@ } /**************************************************************************** - * + * * Function: FragOffsetInit(char *, OptTreeNode *) * * Purpose: Initialize the detection function and parse the arguments. @@ -464,7 +465,7 @@ * Arguments: data => rule arguments/data * otn => pointer to the current rule option list node * protocol => protocol that must be specified to use this plugin - * + * * Returns: void function * ****************************************************************************/ @@ -475,11 +476,11 @@ rule's data struct list */ otn->ds_list[PLUGIN_FRAG_OFFSET] = (FragOffsetData *)SnortAlloc(sizeof(FragOffsetData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseFragOffset(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckFragOffset, otn); fpl->type = RULE_OPTION_TYPE_IP_FRAG_OFFSET; @@ -488,7 +489,7 @@ /**************************************************************************** - * + * * Function: ParseFragOffset(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -535,7 +536,7 @@ { if(!ds_ptr->not_flag) { - ds_ptr->comparison_flag = GREATER_THAN; + ds_ptr->comparison_flag = GREATER_THAN; fptr++; } } @@ -544,7 +545,7 @@ { if(!ds_ptr->comparison_flag && !ds_ptr->not_flag) { - ds_ptr->comparison_flag = LESS_THAN; + ds_ptr->comparison_flag = LESS_THAN; fptr++; } } @@ -565,7 +566,7 @@ } /**************************************************************************** - * + * * Function: CheckFragOffset(char *, OptTreeNode *) * * Purpose: Use this function to perform the particular detection routine 
@@ -575,7 +576,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int CheckFragOffset(void *option_data, Packet *p) @@ -584,7 +585,7 @@ int p_offset = p->frag_offset * 8; int rval = DETECTION_OPTION_NO_MATCH; PROFILE_VARS; - + if(!IPH_IS_VALID(p)) { return rval; @@ -592,8 +593,8 @@ PREPROC_PROFILE_START(fragOffsetPerfStats); - -#ifdef DEBUG + +#ifdef DEBUG_MSGS DebugMessage(DEBUG_PLUGIN, "[!] Checking fragoffset %d against %d\n", ipd->offset, p->frag_offset * 8); @@ -636,7 +637,7 @@ } } } - + /* if the test isn't successful, this function *must* return 0 */ PREPROC_PROFILE_END(fragOffsetPerfStats); return rval; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_fragbits.h snort-2.9.2/src/detection-plugins/sp_ip_fragbits.h --- snort-2.9.0.1/src/detection-plugins/sp_ip_fragbits.h 2010-01-26 10:09:45.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_fragbits.h 2011-02-09 15:23:02.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_id_check.c snort-2.9.2/src/detection-plugins/sp_ip_id_check.c --- snort-2.9.0.1/src/detection-plugins/sp_ip_id_check.c 2010-06-09 15:05:02.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_ip_id_check.c 2011-06-07 17:33:10.000000000 -0700 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,12 +28,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "parser.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "util.h" @@ -88,7 +89,7 @@ } /**************************************************************************** - * + * * Function: SetupIpIdCheck() * * Purpose: Associate the id keyword with IpIdCheckInit @@ -111,7 +112,7 @@ /**************************************************************************** - * + * * Function: IpIdCheckInit(char *, OptTreeNode *) * * Purpose: Setup the id data struct and link the function into option @@ -126,23 +127,23 @@ void IpIdCheckInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IP_ID_CHECK]) { FatalError("%s(%d): Multiple IP id options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_IP_ID_CHECK] = (IpIdCheckData *) SnortAlloc(sizeof(IpIdCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpId(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IpIdCheckEq, otn); fpl->type = RULE_OPTION_TYPE_IP_ID; 
@@ -152,10 +153,10 @@ /**************************************************************************** - * + * * Function: ParseIpId(char *, OptTreeNode *) * - * Purpose: Convert the id option argument to data and plug it into the + * Purpose: Convert the id option argument to data and plug it into the * data structure * * Arguments: data => argument data @@ -200,7 +201,7 @@ /**************************************************************************** - * + * * Function: IpIdCheckEq(char *, OptTreeNode *) * * Purpose: Test the ip header's id field to see if its value is equal to the diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_id_check.h snort-2.9.2/src/detection-plugins/sp_ip_id_check.h --- snort-2.9.0.1/src/detection-plugins/sp_ip_id_check.h 2010-01-26 10:09:45.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_id_check.h 2011-02-09 15:23:02.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ipoption_check.c snort-2.9.2/src/detection-plugins/sp_ipoption_check.c --- snort-2.9.0.1/src/detection-plugins/sp_ipoption_check.c 2010-01-26 10:09:46.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ipoption_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,12 +28,13 @@ #include <ctype.h> #include <string.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" 
@@ -90,7 +91,7 @@ } /**************************************************************************** - * + * * Function: SetupTemplate() * * Purpose: Generic detection engine plugin template. Registers the @@ -113,10 +114,10 @@ /**************************************************************************** - * + * * Function: TemplateInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -129,7 +130,7 @@ void IpOptionInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IPOPTION_CHECK]) { FatalError("%s(%d): Multiple ipopts options in rule\n", file_name, @@ -141,11 +142,11 @@ otn->ds_list[PLUGIN_IPOPTION_CHECK] = (IpOptionData *) SnortAlloc(sizeof(IpOptionData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpOptionData(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckIpOptions, otn); fpl->type = RULE_OPTION_TYPE_IP_OPTION; @@ -155,7 +156,7 @@ /**************************************************************************** - * + * * Function: TemplateRuleParseFunction(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -182,7 +183,7 @@ } while(isspace((u_char)*data)) - data++; + data++; if(strcasecmp(data, "rr") == 0) 
@@ -246,7 +247,7 @@ /**************************************************************************** - * + * * Function: TemplateDetectorFunction(char *, OptTreeNode *) * * Purpose: Use this function to perform the particular detection routine diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ipoption_check.h snort-2.9.2/src/detection-plugins/sp_ipoption_check.h --- snort-2.9.0.1/src/detection-plugins/sp_ipoption_check.h 2010-01-26 10:09:46.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ipoption_check.h 2011-02-09 15:23:03.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_proto.c snort-2.9.2/src/detection-plugins/sp_ip_proto.c --- snort-2.9.0.1/src/detection-plugins/sp_ip_proto.c 2010-01-26 10:09:45.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_proto.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -20,19 +20,19 @@ * ****************************************************************************/ -/* sp_ip_proto - * +/* sp_ip_proto + * * Purpose: * * Check the IP header's protocol field value. * * Arguments: - * + * * Number, protocol name, ! for negation * * Effect: * - * Success on protocol match, failure otherwise + * Success on protocol match, failure otherwise * * Comments: * 
@@ -57,7 +57,7 @@ #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sp_ip_proto.h" @@ -73,7 +73,7 @@ #include "detection_options.h" #define IP_PROTO__EQUAL 0 -#define IP_PROTO__NOT_EQUAL 1 +#define IP_PROTO__NOT_EQUAL 1 #define IP_PROTO__GREATER_THAN 2 #define IP_PROTO__LESS_THAN 3 @@ -122,7 +122,7 @@ /**************************************************************************** - * + * * Function: SetupIpProto() * * Purpose: Generic detection engine plugin ip_proto. Registers the @@ -146,10 +146,10 @@ /**************************************************************************** - * + * * Function: IpProtoInit(char *, OptTreeNode *) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -172,7 +172,7 @@ "\"ip\" rule.\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ /*if(otn->ds_list[PLUGIN_IP_PROTO_CHECK]) { FatalError("%s(%d): Multiple ip_proto options in rule\n", file_name, @@ -185,11 +185,11 @@ rule's data struct list */ //otn->ds_list[PLUGIN_IP_PROTO_CHECK] = (IpProtoData *) calloc(sizeof(IpProtoData), sizeof(char)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ IpProtoRuleParseFunction(data, ipd); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ ofl = AddOptFuncToList(IpProtoDetectorFunction, otn); ofl->type = RULE_OPTION_TYPE_IP_PROTO; 
@@ -212,7 +212,7 @@ /**************************************************************************** - * + * * Function: IpProtoRuleParseFunction(char *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -234,22 +234,22 @@ if (*data == '!') { - ds_ptr->comparison_flag = IP_PROTO__NOT_EQUAL; + ds_ptr->comparison_flag = IP_PROTO__NOT_EQUAL; data++; } else if (*data == '>') { - ds_ptr->comparison_flag = IP_PROTO__GREATER_THAN; + ds_ptr->comparison_flag = IP_PROTO__GREATER_THAN; data++; } else if (*data == '<') { - ds_ptr->comparison_flag = IP_PROTO__LESS_THAN; + ds_ptr->comparison_flag = IP_PROTO__LESS_THAN; data++; } else { - ds_ptr->comparison_flag = IP_PROTO__EQUAL; + ds_ptr->comparison_flag = IP_PROTO__EQUAL; } /* check for a number or a protocol name */ @@ -287,7 +287,7 @@ /**************************************************************************** - * + * * Function: IpProtoDetectorFunction(char *, OptTreeNode *) * * Purpose: Use this function to perform the particular detection routine @@ -297,7 +297,7 @@ * otn => pointer to the current rule's OTN * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IpProtoDetectorFunction(void *option_data, Packet *p) @@ -316,12 +316,12 @@ switch (ipd->comparison_flag) { - case IP_PROTO__EQUAL: + case IP_PROTO__EQUAL: if (GET_IPH_PROTO(p) == ipd->protocol) rval = DETECTION_OPTION_MATCH; break; - case IP_PROTO__NOT_EQUAL: + case IP_PROTO__NOT_EQUAL: if (GET_IPH_PROTO(p) != ipd->protocol) rval = DETECTION_OPTION_MATCH; break; @@ -370,7 +370,7 @@ proto_array[ipd->protocol] = 1; break; - case IP_PROTO__NOT_EQUAL: + case IP_PROTO__NOT_EQUAL: for (i = 0; i < ipd->protocol; i++) proto_array[i] = 1; for (i = i + 1; i < NUM_IP_PROTOS; i++) 
@@ -397,7 +397,7 @@ } /* - * Extract the IP Protocol field. + * Extract the IP Protocol field. */ int GetOtnIpProto(OptTreeNode *otn) { @@ -405,9 +405,9 @@ if (otn == NULL) return -1; - + ipd = (IpProtoData *)otn->ds_list[PLUGIN_IP_PROTO_CHECK]; - + if ((ipd != NULL) && (ipd->comparison_flag == IP_PROTO__EQUAL)) return (int)ipd->protocol; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_proto.h snort-2.9.2/src/detection-plugins/sp_ip_proto.h --- snort-2.9.0.1/src/detection-plugins/sp_ip_proto.h 2010-01-26 10:09:46.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_proto.h 2011-02-09 15:23:03.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_same_check.c snort-2.9.2/src/detection-plugins/sp_ip_same_check.c --- snort-2.9.0.1/src/detection-plugins/sp_ip_same_check.c 2010-01-26 10:09:46.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_same_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2001 Phil Wood <cpw@lanl.gov> ** @@ -29,12 +29,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -80,7 +81,7 @@ /**************************************************************************** - * + * * Function: SetupIpSameCheck() * * Purpose: Associate the same keyword with IpSameCheckInit 
@@ -102,7 +103,7 @@ /**************************************************************************** - * + * * Function: IpSameCheckInit(char *, OptTreeNode *) * * Purpose: Setup the same data struct and link the function into option @@ -119,7 +120,7 @@ OptFpList *fpl; void *ds_ptr_dup; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IP_SAME_CHECK]) { FatalError("%s(%d): Multiple sameip options in rule\n", file_name, @@ -132,7 +133,7 @@ //otn->ds_list[PLUGIN_IP_SAME_CHECK] = (IpSameData *) // SnortAlloc(sizeof(IpSameData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpSame(data, otn); @@ -141,7 +142,7 @@ //otn->ds_list[PLUGIN_IP_SAME_CHECK] = ds_ptr_dup; } - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IpSameCheck, otn); fpl->type = RULE_OPTION_TYPE_IP_SAME; @@ -150,10 +151,10 @@ /**************************************************************************** - * + * * Function: ParseIpSame(char *, OptTreeNode *) * - * Purpose: Convert the id option argument to data and plug it into the + * Purpose: Convert the id option argument to data and plug it into the * data structure * * Arguments: data => argument data @@ -186,7 +187,7 @@ /**************************************************************************** - * + * * Function: IpSameCheck(char *, OptTreeNode *) * * Purpose: Test the ip header's id field to see if its value is equal to the diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_same_check.h snort-2.9.2/src/detection-plugins/sp_ip_same_check.h --- snort-2.9.0.1/src/detection-plugins/sp_ip_same_check.h 2010-01-26 10:09:46.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_same_check.h 2011-02-09 15:23:03.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2001 Phil Wood <cpw@lanl.gov> ** diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_tos_check.c snort-2.9.2/src/detection-plugins/sp_ip_tos_check.c --- snort-2.9.0.1/src/detection-plugins/sp_ip_tos_check.c 2010-06-09 15:05:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_ip_tos_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -33,12 +33,13 @@ #include <strings.h> #endif +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "util.h" @@ -97,7 +98,7 @@ /**************************************************************************** - * + * * Function: SetupIpTosCheck() * * Purpose: Associate the tos keyword with IpTosCheckInit @@ -119,7 +120,7 @@ /**************************************************************************** - * + * * Function: IpTosCheckInit(char *, OptTreeNode *) * * Purpose: Setup the tos data struct and link the function into option @@ -134,7 +135,7 @@ void IpTosCheckInit(char *data, OptTreeNode *otn, int protocol) { OptFpList *fpl; - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_IP_TOS_CHECK]) { FatalError("%s(%d): Multiple IP tos options in rule\n", file_name, 
@@ -146,11 +147,11 @@ otn->ds_list[PLUGIN_IP_TOS_CHECK] = (IpTosCheckData *) SnortAlloc(sizeof(IpTosCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseIpTos(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(IpTosCheckEq, otn); fpl->type = RULE_OPTION_TYPE_IP_TOS; @@ -160,10 +161,10 @@ /**************************************************************************** - * + * * Function: ParseIpTos(char *, OptTreeNode *) * - * Purpose: Convert the tos option argument to data and plug it into the + * Purpose: Convert the tos option argument to data and plug it into the * data structure * * Arguments: data => argument data @@ -238,7 +239,7 @@ /**************************************************************************** - * + * * Function: IpTosCheckEq(char *, OptTreeNode *) * * Purpose: Test the ip header's tos field to see if its value is equal to the @@ -272,7 +273,7 @@ /* you can put debug comments here or not */ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); } - + /* if the test isn't successful, return 0 */ PREPROC_PROFILE_END(ipTosPerfStats); return rval; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ip_tos_check.h snort-2.9.2/src/detection-plugins/sp_ip_tos_check.h --- snort-2.9.0.1/src/detection-plugins/sp_ip_tos_check.h 2010-01-26 10:09:46.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ip_tos_check.h 2011-02-09 15:23:03.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_isdataat.c snort-2.9.2/src/detection-plugins/sp_isdataat.c --- snort-2.9.0.1/src/detection-plugins/sp_isdataat.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_isdataat.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -19,7 +19,7 @@ */ /* sp_isdataat - * + * * Purpose: * Test a specific byte to see if there is data. (Basicly, rule keyword * into inBounds) @@ -29,7 +29,7 @@ * ["relative"] look for byte location relative to the end of the last * pattern match * ["rawbytes"] force use of the non-normalized buffer. - * + * * Sample: * alert tcp any any -> any 110 (msg:"POP3 user overflow"; \ * content:"USER"; isdataat:30,relative; content:!"|0a|"; within:30;) @@ -47,13 +47,14 @@ #endif #include <errno.h> -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" @@ -105,7 +106,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (( left->offset == right->offset) && ( left->flags == right->flags) && ( left->offset_var == right->offset_var) ) @@ -117,7 +118,7 @@ } /**************************************************************************** - * + * * Function: SetupIsDataAt() * * Purpose: Load 'er up 
@@ -140,10 +141,10 @@ /**************************************************************************** - * + * * Function: IsDataAt(char *, OptTreeNode *, int protocol) * - * Purpose: Generic rule configuration function. Handles parsing the rule + * Purpose: Generic rule configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -166,11 +167,11 @@ if(idx == NULL) { - FatalError("%s(%d): Unable to allocate IsDataAt data node\n", + FatalError("%s(%d): Unable to allocate IsDataAt data node\n", file_name, file_line); } - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ IsDataAtParse(data, idx, otn); @@ -182,7 +183,7 @@ fpl = AddOptFuncToList(IsDataAt, otn); fpl->type = RULE_OPTION_TYPE_IS_DATA_AT; - + /* attach it to the context node so that we can call each instance * individually */ @@ -195,7 +196,7 @@ /**************************************************************************** - * + * * Function: IsDataAt(char *, IsDataAtData *, OptTreeNode *) * * Purpose: This is the function that is used to process the option keyword's @@ -219,10 +220,10 @@ toks = mSplit(data, ",", 3, &num_toks, 0); - if(num_toks > 3) + if(num_toks > 3) FatalError("%s (%d): Bad arguments to IsDataAt: %s\n", file_name, file_line, data); - offset = toks[0]; + offset = toks[0]; if(*offset == '!') { idx->flags |= ISDATAAT_NOT_FLAG; @@ -285,7 +286,7 @@ /**************************************************************************** - * + * * Function: IsDataAt(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine 
@@ -296,7 +297,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int IsDataAt(void *option_data, Packet *p) @@ -326,29 +327,22 @@ /* Rawbytes specified, force use of that buffer */ dsize = p->dsize; start_ptr = p->data; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using RAWBYTES buffer!\n");); - } - else if( IsMimeDecodeBuf(doe_ptr) ) - { - dsize = mime_decode_size; - start_ptr = file_data_ptr; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using MIME Decode buffer!\n");); + "Using RAWBYTES buffer!\n");); } - else if( IsBase64DecodeBuf(doe_ptr) ) + else if (Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = base64_decode_size; - start_ptr = base64_decode_buf; + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Base64 Decode buffer!\n");); + "Using Alternative Detect buffer!\n");); } - else if(p->packet_flags & PKT_ALT_DECODE) + else if(Is_DetectFlag(FLAG_ALT_DECODE)) { /* If normalized buffer available, use it... */ dsize = DecodeBuffer.len; start_ptr = DecodeBuffer.data; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else 
@@ -362,13 +356,18 @@ base_ptr = start_ptr; end_ptr = start_ptr + dsize; - + if((isdata->flags & ISDATAAT_RELATIVE_FLAG) && doe_ptr) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Checking relative offset!\n");); - if(!inBounds(start_ptr, end_ptr, doe_ptr)) + /* Because doe_ptr can be "end" in the last match, + * use end + 1 for upper bound + * Bound checked also after offset is applied + * + */ + if(!inBounds(start_ptr, end_ptr + 1, doe_ptr)) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "[*] isdataat bounds check failed..\n");); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_isdataat.h snort-2.9.2/src/detection-plugins/sp_isdataat.h --- snort-2.9.0.1/src/detection-plugins/sp_isdataat.h 2010-06-09 15:05:04.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_isdataat.h 2011-02-09 15:23:03.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** Brian Caswell <bmc@snort.org> ** diff -Nru snort-2.9.0.1/src/detection-plugins/sp_pattern_match.c snort-2.9.2/src/detection-plugins/sp_pattern_match.c --- snort-2.9.0.1/src/detection-plugins/sp_pattern_match.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_pattern_match.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -19,7 +19,7 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* +/* * 06/07/2007 - tw * Commented out 'content-list' code since it's considered broken and there * are no plans to fix it 
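Review bot: The relaxed `inBounds(start_ptr, end_ptr + 1, doe_ptr)` now admits doe_ptr == end_ptr (assuming inBounds uses an exclusive upper bound), so the safety of the relative read rests entirely on the check the new comment says happens "after offset is applied", which is outside this hunk and not named; `end_ptr + 1` also forms a pointer two past the end of the buffer, which C does not define even though it compares fine in practice. I would state the intent without forming that pointer, `if (doe_ptr < start_ptr || doe_ptr > end_ptr)` (or keep inBounds if it carries extra NULL handling), and replace the half-empty comment with one that names the later guard: `/* doe_ptr may equal end_ptr when the previous match consumed the last byte; the post-offset inBounds check below still rejects any read at or past end_ptr. */`. The body of IsDataAt continues past this hunk, so the later check could not be verified here.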
@@ -33,19 +33,20 @@ #ifdef HAVE_STRINGS_H # include <strings.h> #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS # include <assert.h> #endif +#include "sf_types.h" #include "sp_pattern_match.h" #include "sp_replace.h" -#include "bounds.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" -#include "util.h" +#include "util.h" #include "parser.h" #include "plugin_enum.h" #include "checksum.h" 
@@ -109,22 +110,22 @@ static void PayloadSearchNocase(char *, OptTreeNode *, int); static void PayloadSearchRawbytes(char *, OptTreeNode *, int); static void PayloadSearchFastPattern(char *, OptTreeNode *, int); -static INLINE int HasFastPattern(OptTreeNode *, int); +static inline int HasFastPattern(OptTreeNode *, int); static int32_t ParseInt(const char *, const char *); -static INLINE PatternMatchData * GetLastPmdError(OptTreeNode *, int, const char *); -static INLINE PatternMatchData * GetLastPmd(OptTreeNode *, int); +static inline PatternMatchData * GetLastPmdError(OptTreeNode *, int, const char *); +static inline PatternMatchData * GetLastPmd(OptTreeNode *, int); static void ValidateHttpContentModifiers(PatternMatchData *); static void MovePmdToUriDsList(OptTreeNode *, PatternMatchData *); static char *PayloadExtractParameter(char *, int *); -static INLINE void ValidateContent(PatternMatchData *, int); +static inline void ValidateContent(PatternMatchData *, int); static unsigned int GetMaxJumpSize(char *, int); -static INLINE int computeWithin(int, PatternMatchData *); +static inline int computeWithin(int, PatternMatchData *); static int uniSearch(const char *, int, PatternMatchData *); static int uniSearchReal(const char *data, int dlen, PatternMatchData *pmd, int nocase); #if 0 /* Not currently used - DO NOT REMOVE */ -static INLINE int computeDepth(int dlen, PatternMatchData * pmd); +static inline int computeDepth(int dlen, PatternMatchData * pmd); static int uniSearchREG(char * data, int dlen, PatternMatchData * pmd); #endif @@ -181,7 +182,7 @@ RegisterPreprocessorProfile("content", &contentPerfStats, 3, &ruleOTNEvalPerfStats); RegisterPreprocessorProfile("uricontent", &uricontentPerfStats, 3, &ruleOTNEvalPerfStats); #endif - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Plugin: PatternMatch Initialized!\n");); } 
@@ -213,13 +214,6 @@ ParsePattern(opt_data, otn, PLUGIN_PATTERN_MATCH); next_opt = opt_data + opt_len; - /* Set default var values for offset, depth, distance, within. - This has to be done here because the arguments are optional. */ - pmd->offset_var = BYTE_EXTRACT_NO_VAR; - pmd->depth_var = BYTE_EXTRACT_NO_VAR; - pmd->distance_var = BYTE_EXTRACT_NO_VAR; - pmd->within_var = BYTE_EXTRACT_NO_VAR; - /* link the plugin function in to the current OTN */ fpl = AddOptFuncToList(CheckANDPatternMatch, otn); fpl->type = RULE_OPTION_TYPE_CONTENT; @@ -333,12 +327,13 @@ mSplitFree(&opts, num_opts); } + free(data_dup); if(pmd->use_doe == 1) fpl->isRelative = 1; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "OTN function PatternMatch Added to rule!\n");); } @@ -368,7 +363,7 @@ if (pmd->use_doe == 1) fpl->isRelative = 1; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "OTN function PatternMatch Added to rule!\n");); } 
@@ -479,11 +474,32 @@ MovePmdToUriDsList(otn, pmd); } +typedef enum { + CMF_DISTANCE = 0x1, CMF_WITHIN = 0x2, CMF_OFFSET = 0x4, CMF_DEPTH = 0x8 +} ContentModifierFlags; + +static unsigned GetCMF (PatternMatchData* pmd) +{ + unsigned cmf = 0; + if ( (pmd->distance != 0) || (pmd->distance_var != -1) ) cmf |= CMF_DISTANCE; + if ( (pmd->within != 0) || (pmd->within_var != -1) ) cmf |= CMF_WITHIN; + if ( (pmd->offset != 0) || (pmd->offset_var != -1) ) cmf |= CMF_OFFSET; + if ( (pmd->depth != 0) || (pmd->depth_var != -1) ) cmf |= CMF_DEPTH; + return cmf; +} + +#define BAD_DISTANCE (CMF_DISTANCE | CMF_OFFSET | CMF_DEPTH) +#define BAD_WITHIN (CMF_WITHIN | CMF_OFFSET | CMF_DEPTH) +#define BAD_OFFSET (CMF_OFFSET | CMF_DISTANCE | CMF_WITHIN) +#define BAD_DEPTH (CMF_DEPTH | CMF_DISTANCE | CMF_WITHIN) static void PayloadSearchOffset(char *data, OptTreeNode * otn, int protocol) { PatternMatchData *pmd = GetLastPmdError(otn, lastType, "offset"); + if ( GetCMF(pmd) & BAD_OFFSET ) + ParseError("offset can't be used with itself, distance, or within"); + if (data == NULL) ParseError("Missing argument to 'offset' option"); @@ -496,11 +512,11 @@ pmd->offset_var = GetVarByName(data); if (pmd->offset_var == BYTE_EXTRACT_NO_VAR) { - FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); } } - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Pattern offset = %d\n", pmd->offset);); } @@ -508,6 +524,9 @@ { PatternMatchData *pmd = GetLastPmdError(otn, lastType, "depth"); + if ( GetCMF(pmd) & BAD_DEPTH ) + ParseError("depth can't be used with itself, distance, or within"); + if (data == NULL) ParseError("Missing argument to 'depth' option"); 
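Review bot: GetCMF compares the four `*_var` fields against the literal `-1`, while the rest of this file (including PayloadSearchOffset a few lines below and the defaults set where the pmd is allocated) uses `BYTE_EXTRACT_NO_VAR`; if that constant is ever anything other than -1 the new modifier-conflict check silently misfires, either rejecting every offset/depth/distance/within or catching none. Use the named constant, e.g. `if ( (pmd->distance != 0) || (pmd->distance_var != BYTE_EXTRACT_NO_VAR) ) cmf |= CMF_DISTANCE;`, and likewise for the other three lines. Note also that a zero value counts as "not set", so `offset:0; offset:5;` or `distance:0; offset:5;` still passes the "can't be used with itself" check; if that is intentional a one-line comment on GetCMF should say so. PayloadSearchOffset's body runs past the end of this hunk.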
@@ -516,7 +535,7 @@ pmd->depth = ParseInt(data, "depth"); /* check to make sure that this the depth allows this rule to fire */ - if ((pmd->depth != 0) && (pmd->depth < (int)pmd->pattern_size)) + if (pmd->depth < (int)pmd->pattern_size) { ParseError("The depth (%d) is less than the size of the content(%u)!", pmd->depth, pmd->pattern_size); @@ -527,11 +546,11 @@ pmd->depth_var = GetVarByName(data); if (pmd->depth_var == BYTE_EXTRACT_NO_VAR) { - FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); } } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern depth = %d\n", pmd->depth);); } @@ -539,6 +558,9 @@ { PatternMatchData *pmd = GetLastPmdError(otn, lastType, "distance"); + if ( GetCMF(pmd) & BAD_DISTANCE ) + ParseError("distance can't be used with itself, offset, or depth"); + if (data == NULL) ParseError("Missing argument to 'distance' option"); @@ -551,11 +573,11 @@ pmd->distance_var = GetVarByName(data); if (pmd->distance_var == BYTE_EXTRACT_NO_VAR) { - FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); } } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern distance = %d\n", pmd->distance);); /* Only do a relative search if this is a normal content match. */ @@ -570,6 +592,9 @@ { PatternMatchData *pmd = GetLastPmdError(otn, lastType, "within"); + if ( GetCMF(pmd) & BAD_WITHIN ) + ParseError("within can't be used with itself, offset, or depth"); + if (data == NULL) ParseError("Missing argument to 'within' option"); 
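Review bot: Dropping the `pmd->depth != 0` guard changes behaviour for existing rules: `depth:0` now fails parsing with "The depth (0) is less than the size of the content", whereas it was accepted before and, judging by GetCMF's `pmd->depth != 0` test added in this same commit, zero still means "not set" elsewhere in the file. If depth is a signed int, as the `(int)pmd->pattern_size` cast suggests, the new condition also rejects negative depths, which is a welcome tightening. If rejecting zero is intended, add a comment such as `/* depth must cover the whole pattern; 0 is no longer treated as "no limit" */` and make sure the rule documentation agrees; if not, restore the zero exemption and add an explicit `pmd->depth < 0` check instead. PayloadSearchDepth's body starts before this hunk.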
@@ -585,11 +610,11 @@ pmd->within_var = GetVarByName(data); if (pmd->within_var == BYTE_EXTRACT_NO_VAR) { - FatalError("%s (%d): %s\n", file_name, file_line, BYTE_EXTRACT_INVALID_ERR_STR); + ParseError(BYTE_EXTRACT_INVALID_ERR_STR); } } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern within = %d\n", pmd->within);); /* Only do a relative search if this is a normal content match. */ @@ -626,7 +651,7 @@ /* mark this as inspecting a raw pattern match rather than a * decoded application buffer */ - pmd->rawbytes = 1; + pmd->rawbytes = 1; } static void PayloadSearchFastPattern(char *data, OptTreeNode *otn, int protocol) @@ -713,7 +738,7 @@ } } -static INLINE int HasFastPattern(OptTreeNode *otn, int list_type) +static inline int HasFastPattern(OptTreeNode *otn, int list_type) { PatternMatchData *tmp; @@ -749,6 +774,12 @@ } } + /* Set any non-zero default values here. */ + pmd->offset_var = BYTE_EXTRACT_NO_VAR; + pmd->depth_var = BYTE_EXTRACT_NO_VAR; + pmd->distance_var = BYTE_EXTRACT_NO_VAR; + pmd->within_var = BYTE_EXTRACT_NO_VAR; + return pmd; } @@ -777,7 +808,7 @@ { int32_t value = 0; char *endptr = NULL; - + value = SnortStrtol(data, &endptr, 10); if (*endptr) @@ -795,7 +826,7 @@ /* Used for content modifiers that are used as rule options - need to get the * last pmd which is the one they are modifying. If there isn't a last pmd * error that a content must be specified before the modifier */ -static INLINE PatternMatchData * GetLastPmdError(OptTreeNode *otn, int type, const char *option) +static inline PatternMatchData * GetLastPmdError(OptTreeNode *otn, int type, const char *option) { PatternMatchData *pmd = GetLastPmd(otn, type); @@ -809,7 +840,7 @@ } /* Gets the last pmd in the ds_list specified */ -static INLINE PatternMatchData * GetLastPmd(OptTreeNode *otn, int type) +static inline PatternMatchData * GetLastPmd(OptTreeNode *otn, int type) { PatternMatchData *pmd; 
@@ -971,19 +1002,19 @@ a += pmd->distance; b += pmd->within; c += pmd->rawbytes; - + mix(a,b,c); a += pmd->nocase; b += pmd->use_doe; c += pmd->uri_buffer; - + mix(a,b,c); a += pmd->pattern_size; b += pmd->replace_size; c += pmd->pattern_max_jump_size; - + mix(a,b,c); for (i=0,j=0;i<pmd->pattern_size;i+=4) @@ -992,7 +1023,7 @@ k = pmd->pattern_size - i; if (k > 4) k=4; - + for (l=0;l<k;l++) { tmp |= *(pmd->pattern_buf + i + l) << l*8; @@ -1025,7 +1056,7 @@ k = pmd->replace_size - i; if (k > 4) k=4; - + for (l=0;l<k;l++) { tmp |= *(pmd->replace_buf + i + l) << l*8; @@ -1081,7 +1112,7 @@ b += pmd->distance_var; c += pmd->within_var; - final(a,b,c); + final(a,b,c); return c; } @@ -1211,7 +1242,7 @@ if (pmd == otn->ds_list[PLUGIN_PATTERN_MATCH_URI]) otn->ds_list[PLUGIN_PATTERN_MATCH_URI] = pmd_dup; } - + PatternMatchFree(pmd); opt_fp->context = pmd_dup; } @@ -1278,7 +1309,7 @@ /* Since each content modifier can be parsed as a rule option, do this check * after parsing the entire rule in FinalizeContentUniqueness() */ -static INLINE void ValidateContent(PatternMatchData *pmd, int type) +static inline void ValidateContent(PatternMatchData *pmd, int type) { if (pmd == NULL) return; @@ -1289,7 +1320,7 @@ { ParseError("Cannot use the fast_pattern content modifier for a lone " - "http cookie/http raw uri /http raw header /http raw cookie /status code / status msg buffer content."); + "http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content."); } if (pmd->use_doe || (pmd->offset != 0) || (pmd->depth != 0)) @@ -1310,7 +1341,7 @@ if (pmd->fp_only) { if (pmd->replace_buf != NULL) - { + { ParseError("Fast pattern only contents cannot use " "replace modifier."); } @@ -1340,7 +1371,7 @@ static unsigned int GetMaxJumpSize(char *data, int data_len) { int i, j; - + j = 0; for ( i = 1; i < data_len; i++ ) { 
@@ -1557,8 +1588,8 @@ pending--; if(dummy_idx < dummy_end) - { - tmp_buf[dummy_size] = (u_char) + { + tmp_buf[dummy_size] = (u_char) strtol(hex_buf, (char **) NULL, 16)&0xFF; dummy_size++; @@ -1649,7 +1680,7 @@ ds_idx->pattern_size = dummy_size; ds_idx->search = uniSearch; - + make_precomp(ds_idx); ds_idx->exception_flag = exception_flag; @@ -1669,15 +1700,15 @@ * * pmd = the patterm match data struct for this test */ -static INLINE int computeWithin(int dlen, PatternMatchData *pmd) +static inline int computeWithin(int dlen, PatternMatchData *pmd) { /* do we want to check more bytes than there are in the buffer? */ if(pmd->within > (unsigned int)dlen) { - /* should we just return -1 here since the data might actually be within + /* should we just return -1 here since the data might actually be within * the stream but not the current packet's payload? */ - + /* if the buffer size is greater than the size of the pattern to match */ if(dlen >= (int)pmd->pattern_size) { @@ -1695,11 +1726,11 @@ return pmd->within; } -/* +/* * case sensitive search * * data = ptr to buffer to search - * dlen = distance to the back of the buffer being tested, validated + * dlen = distance to the back of the buffer being tested, validated * against offset + depth before function entry (not distance/within) * pmd = pointer to pattern match data struct */ @@ -1709,11 +1740,11 @@ return uniSearchReal(data, dlen, pmd, 0); } -/* +/* * case insensitive search * * data = ptr to buffer to search - * dlen = distance to the back of the buffer being tested, validated + * dlen = distance to the back of the buffer being tested, validated * against offset + depth before function entry (not distance/within) * pmd = pointer to pattern match data struct * 
@@ -1724,11 +1755,11 @@ return uniSearchReal(data, dlen, pmd, 1); } -/* - * single search function. +/* + * single search function. * * data = ptr to buffer to search - * dlen = distance to the back of the buffer being tested, validated + * dlen = distance to the back of the buffer being tested, validated * against offset + depth before function entry (not distance/within) * pmd = pointer to pattern match data struct * nocase = 0 means case sensitve, 1 means case insensitive @@ -1736,11 +1767,11 @@ * return 1 for found * return 0 for not found * return -1 for error (search out of bounds) - */ + */ static int uniSearchReal(const char *data, int dlen, PatternMatchData *pmd, int nocase) { - /* - * in theory computeDepth doesn't need to be called because the + /* + * in theory computeDepth doesn't need to be called because the * depth + offset adjustments have been made by the calling function */ int depth = dlen; @@ -1750,7 +1781,7 @@ const char *end_ptr = data + dlen; const char *base_ptr = start_ptr; uint32_t extract_offset, extract_depth, extract_distance, extract_within; - + DEBUG_WRAP(char *hexbuf;); @@ -1810,27 +1841,27 @@ base_ptr += pmd->offset; depth -= pmd->offset; } - + if(pmd->within != 0) { - /* + /* * calculate the "real" depth based on the current base and available * number of bytes in the buffer * - * this should account for the current base_ptr as it relates to + * this should account for the current base_ptr as it relates to * the back of the buffer being tested */ old_depth = depth; - + depth = computeWithin(depth, pmd); - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Changing Depth from %d to %d\n", old_depth, depth);); } /* make sure we and in range */ if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, (const uint8_t *)base_ptr)) { - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "returning because base_ptr" " is out of bounds start_ptr: %p end: %p base: %p\n", 
@@ -1843,7 +1874,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "returning because depth is negative (%d)\n", depth);); - return -1; + return -1; } if(depth > dlen) @@ -1862,7 +1893,7 @@ depth = pmd->depth; } - + /* make sure we end in range */ if(!inBounds((const uint8_t *)start_ptr, (const uint8_t *)end_ptr, (const uint8_t *)(base_ptr + depth - 1))) { @@ -1873,24 +1904,24 @@ return 0; } -#ifdef DEBUG +#ifdef DEBUG_MSGS assert(depth <= old_depth); DebugMessage(DEBUG_PATTERN_MATCH, "uniSearchReal:\n "); hexbuf = hex((u_char *)pmd->pattern_buf, pmd->pattern_size); DebugMessage(DEBUG_PATTERN_MATCH, " p->data: %p\n doe_ptr: %p\n " - "base_ptr: %p\n depth: %d\n searching for: %s\n", + "base_ptr: %p\n depth: %d\n searching for: %s\n", data, doe_ptr, base_ptr, depth, hexbuf); free(hexbuf); -#endif /* DEBUG */ - +#endif /* DEBUG_MSGS */ + if(nocase) { - success = mSearchCI(base_ptr, depth, + success = mSearchCI(base_ptr, depth, pmd->pattern_buf, pmd->pattern_size, - pmd->skip_stride, + pmd->skip_stride, pmd->shift_stride); } else @@ -1903,10 +1934,10 @@ } -#ifdef DEBUG +#ifdef DEBUG_MSGS if(success) { - DebugMessage(DEBUG_PATTERN_MATCH, "matched, doe_ptr: %p (%d)\n", + DebugMessage(DEBUG_PATTERN_MATCH, "matched, doe_ptr: %p (%d)\n", doe_ptr, ((char *)doe_ptr - data)); } #endif 
@@ -1931,65 +1962,46 @@ idx = (PatternMatchData *)option_data; origUseDoe = idx->use_doe; - - if(idx->rawbytes == 0) + + if(idx->rawbytes == 0) { - if(IsMimeDecodeBuf(doe_ptr)) + if(Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = mime_decode_size; - dp = (char *)file_data_ptr; + dsize = DetectBuffer.len; + dp = (char *) DetectBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using MIME Decode Buffer!\n");); + "Using Alternative Detect buffer!\n");); } - else if(IsBase64DecodeBuf(doe_ptr) ) - { - dsize = base64_decode_size; - dp = (char *)base64_decode_buf; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Base64 Decode Buffer!\n");); - } - else if((p->packet_flags & PKT_ALT_DECODE)) + else if(Is_DetectFlag(FLAG_ALT_DECODE)) { dsize = DecodeBuffer.len; - dp = (char *) DecodeBuffer.data; /* decode.c */ - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + dp = (char *) DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else { if(IsLimitedDetect(p)) - dsize = p->alt_dsize; - else - dsize = p->dsize; - dp = (char *) p->data; - } - } /*Check if the packet is a HTTP Response and is not compressed*/ - else if(p->packet_flags & PKT_HTTP_RESP_BODY) - { - u_char *end_of_packet = (u_char *) (p->data + p->dsize); - /* check if the file_data_ptr is within the server_flow_depth of HttpInspect */ - if(file_data_ptr <= end_of_packet) - { - if((end_of_packet - file_data_ptr) < p->alt_dsize ) { - dsize = end_of_packet - file_data_ptr; + dsize = p->alt_dsize; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Limited Packet Data!\n");); } else { - dsize = p->alt_dsize; + dsize = p->dsize; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Full Packet Data!\n");); } - dp = (char *)file_data_ptr; - } - else - { - PREPROC_PROFILE_END(contentPerfStats); - return rval; + dp = (char *) p->data; } } else { dsize = p->dsize; dp = (char *) p->data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Full Packet 
Data!\n");); } /* this now takes care of all the special cases where we'd run @@ -2050,7 +2062,7 @@ /* save start doe as beginning of this pattern + non-repeating length*/ start_doe = (char *)doe_ptr - idx->pattern_size + idx->pattern_max_jump_size; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Check next functions!\n");); /* PROFILING Don't count rest of options towards content */ PREPROC_PROFILE_TMPEND(contentPerfStats); @@ -2061,9 +2073,9 @@ /* PROFILING Don't count rest of options towards content */ PREPROC_PROFILE_TMPSTART(contentPerfStats); - if(next_found != 0) + if(next_found != 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Next functions matched!\n");); /* We found a successful match, return that this rule has fired off */ @@ -2083,7 +2095,7 @@ if(new_dsize <= 0 || new_dsize > dsize) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The new dsize is less than <= 0 or > " "the the original dsize;returning " "false\n");); @@ -2098,7 +2110,7 @@ if (((idx->distance != 0) && (start_doe - orig_doe > idx->distance)) || ((idx->offset != 0) && (start_doe - orig_doe > idx->offset)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "distance;returning false\n");); @@ -2112,7 +2124,7 @@ ((idx->depth != 0) && (start_doe - orig_doe + idx->pattern_size > (unsigned int)idx->depth)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "within;returning false\n");); 
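Review bot: The new FLAG_ALT_DETECT branch copies `DetectBuffer.len` and `DetectBuffer.data` straight into `dsize`/`dp` with no check that the buffer was actually populated, whereas the removed PKT_HTTP_RESP_BODY path compared `file_data_ptr` against the end of the packet before searching. Whether `Is_DetectFlag(FLAG_ALT_DETECT)` guarantees a non-NULL `DetectBuffer.data` with `len` inside the buffer's capacity is not visible in this hunk; if that invariant is enforced where the flag is set, a one-line comment at the branch (`/* FLAG_ALT_DETECT is only set after DetectBuffer has been filled; len is bounded by the producer */`) would record it, otherwise an empty or NULL buffer should fall through to the packet-data path rather than be searched. The same unchecked use appears in the CheckORPatternMatch hunk at -2589 and in the sp_pcre.c hunk at -698. The enclosing function starts and ends outside this hunk.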
@@ -2127,7 +2139,7 @@ if (((idx->distance != 0) && (start_doe - dp > idx->distance)) || ((idx->offset != 0) && (start_doe - dp > idx->offset)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "distance;returning false\n");); @@ -2141,7 +2153,7 @@ ((idx->depth != 0) && (start_doe - dp + idx->pattern_size > (unsigned int)idx->depth)) ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "The next starting point to search " "from is beyond the original " "within;returning false\n");); @@ -2151,19 +2163,19 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "At least ONE of the next functions does to match!\n");); - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "At least ONE of the next functions does to match!\n");); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Start search again from a next point!\n");); /* Start the search again from the last set of contents, with a new depth and dsize */ doe_ptr = (uint8_t *)start_doe; idx->use_doe = 1; found = (idx->search(start_doe, new_dsize,idx) ^ idx->exception_flag); - + /* ** If we haven't updated doe since we set it at the beginning - ** of the loop, then that means we have already done the exact + ** of the loop, then that means we have already done the exact ** same search previously, and have nothing else to gain from ** doing the same search again. */ @@ -2176,17 +2188,17 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Returning 0 because tmp_doe is NULL\n");); - + idx->use_doe = origUseDoe; PREPROC_PROFILE_END(contentPerfStats); return 0; } - + } #endif - + //idx->use_doe = origUseDoe; PREPROC_PROFILE_END(contentPerfStats); return rval; 
@@ -2233,10 +2245,10 @@ "buffer %d ", uri_buffer_name[i], i);); -#ifdef DEBUG /* for variable declaration */ +#ifdef DEBUG_MSGS /* for variable declaration */ { int j; - + DebugMessage(DEBUG_HTTP_DECODE,"Checking against HTTP data (%s): ", uri_buffer_name[idx->uri_buffer]); for(j=0; j<UriBufs[i].length; j++) { @@ -2244,26 +2256,28 @@ } DebugMessage(DEBUG_HTTP_DECODE,"\n"); } -#endif /* DEBUG */ +#endif /* DEBUG_MSGS */ - /* - * have to reset the doe_ptr for each new UriBuf + /* + * have to reset the doe_ptr for each new UriBuf */ if(idx->use_doe != 1) UpdateDoePtr(NULL, 0); + else if(!(doe_buf_flags & DOE_BUF_URI)) SetDoePtr(UriBufs[i].uri, DOE_BUF_URI); - + /* this now takes care of all the special cases where we'd run * over the buffer */ found = (idx->search((const char *)UriBufs[i].uri, UriBufs[i].length, idx) ^ idx->exception_flag); - + if(found > 0 ) { doe_buf_flags = DOE_BUF_URI; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match successful!\n");); /*if found print the normalized and unnormalized buffer */ -#ifdef DEBUG +#ifdef DEBUG_MSGS if ( idx->uri_buffer & (HTTP_SEARCH_URI | HTTP_SEARCH_COOKIE | HTTP_SEARCH_HEADER )) { DEBUG_WRAP( @@ -2345,7 +2359,7 @@ /* current_cursor should be the doe_ptr after this content rule option matched * orig_cursor is the place from where we first did evaluation of this content */ int PatternMatchAdjustRelativeOffsets(PatternMatchData *orig_pmd, PatternMatchData *dup_pmd, - const u_int8_t *current_cursor, const u_int8_t *orig_cursor) + const uint8_t *current_cursor, const uint8_t *orig_cursor) { /* Adjust for repeating patterns, e.g. ABAB * This is where the new search for this content should start */ 
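Review bot: The added `else if(!(doe_buf_flags & DOE_BUF_URI))` turns the `SetDoePtr(UriBufs[i].uri, DOE_BUF_URI)` call from unconditional into conditional, and nothing says why a `doe_ptr` carried over from an earlier iteration is still the right cursor for `UriBufs[i]` when the flag is already set; the retained pointer may refer to a different HTTP buffer than the one about to be searched. If the assumption is that bounds are re-validated by the search routine (the -1810 hunk shows an `inBounds` check on `base_ptr` in uniSearchReal), state it at the branch, e.g. `/* keep the relative cursor when a previous http content already matched in a URI-class buffer; uniSearchReal re-checks it against this buffer's bounds */`. The enclosing loop and function begin outside the hunk.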
@@ -2398,13 +2412,13 @@ #if 0 /* Not currently in use - DO NOT REMOVE */ -static INLINE int computeDepth(int dlen, PatternMatchData * pmd) +static inline int computeDepth(int dlen, PatternMatchData * pmd) { /* do some tests to make sure we stay in bounds */ if((pmd->depth + pmd->offset) > dlen) { /* we want to check only depth bytes anyway */ - int sub_depth = dlen - pmd->offset; + int sub_depth = dlen - pmd->offset; if((sub_depth > 0) && (sub_depth >= (int)pmd->pattern_size)) { @@ -2412,7 +2426,7 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match failed -- sub_depth: %d < " "(int)pmd->pattern_size: %d!\n", sub_depth, (int)pmd->pattern_size);); @@ -2421,7 +2435,7 @@ } } else - { + { if(pmd->depth && (dlen - pmd->offset > pmd->depth)) { return pmd->depth; @@ -2445,9 +2459,9 @@ return 0; /* XXX DESTROY ME */ - /*success = mSearchREG(data + pmd->offset + distance_adjustment, - depth_adjustment!=0?depth_adjustment:depth, - pmd->pattern_buf, pmd->pattern_size, pmd->skip_stride, + /*success = mSearchREG(data + pmd->offset + distance_adjustment, + depth_adjustment!=0?depth_adjustment:depth, + pmd->pattern_buf, pmd->pattern_size, pmd->skip_stride, pmd->shift_stride);*/ return success; @@ -2517,10 +2531,10 @@ int frazes_count; /* frazes counter */ -#ifdef DEBUG +#ifdef DEBUG_MSGS PatternMatchData *idx; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Opening content_list file: %s\n", file);); -#endif /* DEBUG */ +#endif /* DEBUG_MSGS */ /* open the list file */ thefp = fopen(file, "r"); if (thefp == NULL) 
@@ -2539,13 +2553,13 @@ /* inc the line counter */ list_file_line++; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Got line %d: %s", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Got line %d: %s", list_file_line, buf);); /* if it's not a comment or a <CR>, send it to the parser */ if((buf[0] != '#') && (buf[0] != 0x0a) && (buf[0] != ';')) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Adding content keyword: %s", buf);); frazes_count++; @@ -2560,10 +2574,10 @@ "Content keyword %s\" added!\n", buf);); } } -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "%d frazes read...\n", frazes_count);); idx = (PatternMatchData *) otn->ds_list[PLUGIN_PATTERN_MATCH_OR]; - + if(idx == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "No patterns loaded\n");); @@ -2572,13 +2586,13 @@ { while(idx != NULL) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern = %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern = %s\n", idx->pattern_buf);); idx = idx->next; } } -#endif /* DEBUG */ - +#endif /* DEBUG_MSGS */ + fclose(thefp); return; @@ -2589,22 +2603,28 @@ int found = 0; int dsize; char *dp; - + PatternMatchData *idx; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "CheckPatternORMatch: ");); - + idx = otn_idx->ds_list[PLUGIN_PATTERN_MATCH_OR]; while(idx != NULL) { - - if((p->packet_flags & PKT_ALT_DECODE) && (idx->rawbytes == 0)) + if (Is_DetectFlag(FLAG_ALT_DETECT) && (idx->rawbytes == 0)) + { + dsize = DetectBuffer.len; + dp = (char *)DetectBufffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(Is_DetectFlag(FLAG_ALT_DECODE) && (idx->rawbytes == 0)) { dsize = DecodeBuffer.len; - dp = (char *) DecodeBuffer.data; /* decode.c */ - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + dp = (char *) DecodeBuffer.data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } else 
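Review bot: `dp = (char *)DetectBufffer.data;` in the new FLAG_ALT_DETECT branch of CheckPatternORMatch misspells the buffer name (three f's) and cannot compile if this function is ever built; it appears to sit inside the `#if 0 /* Not currently in use - DO NOT REMOVE */` region opened in the -2398 hunk, which is presumably why the build did not catch it. Change it to `dp = (char *)DetectBuffer.data;` so it matches the -1931 hunk. The function's start is outside this hunk.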
@@ -2615,29 +2635,29 @@ dsize = p->dsize; dp = (char *) p->data; } - + if(idx->offset > dsize) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Initial offset larger than payload!\n");); goto sizetoosmall; } else { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "testing pattern: %s\n", idx->pattern_buf);); found = idx->search(dp, dsize, idx); if(!found) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern Match failed!\n");); } } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Checking the results\n");); if(found) @@ -2650,11 +2670,11 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Pattern match failed\n");); } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Stepping to next content keyword\n");); sizetoosmall: @@ -2662,7 +2682,7 @@ idx = idx->next; } - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "No more keywords, exiting... \n");); return 0; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_pattern_match.h snort-2.9.2/src/detection-plugins/sp_pattern_match.h --- snort-2.9.0.1/src/detection-plugins/sp_pattern_match.h 2010-08-25 13:22:41.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_pattern_match.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -23,7 +23,7 @@ #define __SP_PATTERN_MATCH_H__ #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "rules.h" /* needed for OptTreeNode defintion */ #include "treenodes.h" #include <ctype.h> 
@@ -45,7 +45,7 @@ #define HTTP_SEARCH_STAT_CODE 0x100 #define HTTP_SEARCH_STAT_MSG 0x200 /*Only these Http buffers are eligible for fast pattern match */ -#define FAST_PATTERN_HTTP_BUFS ( HTTP_SEARCH_URI | HTTP_SEARCH_HEADER | HTTP_SEARCH_CLIENT_BODY | HTTP_SEARCH_METHOD) +#define FAST_PATTERN_HTTP_BUFS ( HTTP_SEARCH_URI | HTTP_SEARCH_HEADER | HTTP_SEARCH_CLIENT_BODY ) /******************************************************************** * Data structures @@ -56,7 +56,7 @@ int depth; /* pattern search depth */ int distance; /* offset to start from based on last match */ - u_int within; /* this pattern must be found + u_int within; /* this pattern must be found within X bytes of last match*/ int8_t offset_var; /* byte_extract variable indices for offset, */ @@ -85,9 +85,9 @@ /* Needed to be able to set the isRelative flag */ /* Set if fast pattern matcher found a content in the packet, - but the rule option specifies a negated content. Only + but the rule option specifies a negated content. Only applies to negative contents that are not relative */ - struct + struct { struct timeval ts; uint64_t packet_number; @@ -127,7 +127,7 @@ int CheckUriPatternMatch(void *, Packet *); void PatternMatchDuplicatePmd(void *, PatternMatchData *); int PatternMatchAdjustRelativeOffsets(PatternMatchData *orig_pmd, PatternMatchData *dup_pmd, - const u_int8_t *current_cursor, const u_int8_t *orig_cursor); + const uint8_t *current_cursor, const uint8_t *orig_cursor); #if 0 /* Not implemented */ @@ -135,12 +135,12 @@ #endif -static INLINE int IsHttpBufFpEligible(int uri_buffer) +static inline int IsHttpBufFpEligible(int uri_buffer) { return uri_buffer & FAST_PATTERN_HTTP_BUFS; } -static INLINE PatternMatchData * RemovePmdFromList(PatternMatchData *pmd) +static inline PatternMatchData * RemovePmdFromList(PatternMatchData *pmd) { if (pmd == NULL) return NULL; 
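Review bot: Removing `HTTP_SEARCH_METHOD` from `FAST_PATTERN_HTTP_BUFS` changes what `IsHttpBufFpEligible` (later in this file) accepts, so rules that apparently used an http_method content as their fast pattern will be handled differently, yet the comment above the macro still only says "Only these Http buffers are eligible for fast pattern match". The reason for excluding the method buffer is not visible here; the comment should carry it, e.g. `/* Only these Http buffers are eligible for fast pattern match; HTTP_SEARCH_METHOD is deliberately excluded: <REASON> */` with the rationale supplied by the author. A behaviour change of this kind also deserves a line in the release notes.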
@@ -156,7 +156,7 @@ return pmd; } -static INLINE int InsertPmdAtFront(PatternMatchData **head, PatternMatchData *ins) +static inline int InsertPmdAtFront(PatternMatchData **head, PatternMatchData *ins) { if (head == NULL) return -1; @@ -172,7 +172,7 @@ return 0; } -static INLINE int AppendPmdToList(PatternMatchData **head, PatternMatchData *ins) +static inline int AppendPmdToList(PatternMatchData **head, PatternMatchData *ins) { PatternMatchData *tmp; @@ -197,7 +197,7 @@ } -static INLINE void FreePmdList(PatternMatchData *pmd_list) +static inline void FreePmdList(PatternMatchData *pmd_list) { if (pmd_list == NULL) return; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_pcre.c snort-2.9.2/src/detection-plugins/sp_pcre.c --- snort-2.9.0.1/src/detection-plugins/sp_pcre.c 2010-10-25 12:49:03.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_pcre.c 2011-06-07 17:33:10.000000000 -0700 @@ -2,8 +2,8 @@ /* ** Copyright (C) 2003 Brian Caswell <bmc@snort.org> ** Copyright (C) 2003 Michael J. Pomraning <mjp@securepipe.com> -** Copyright (C) 2003-2010 Sourcefire, Inc. -** +** Copyright (C) 2003-2011 Sourcefire, Inc. +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or @@ -20,14 +20,17 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#include <sys/types.h> + #ifdef HAVE_CONFIG_H #include "config.h" #endif -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "plugbase.h" #include "parser.h" @@ -35,7 +38,6 @@ #include "util.h" #include "mstring.h" #include "sfhashfcn.h" -#include <sys/types.h> #ifdef WIN32 #define PCRE_DEFINITION 
@@ -56,8 +58,8 @@ #include "detection_options.h" #include "detection_util.h" -/* - * we need to specify the vector length for our pcre_exec call. we only care +/* + * we need to specify the vector length for our pcre_exec call. we only care * about the first vector, which if the match is successful will include the * offset to the end of the full pattern match. If we decide to store other * matches, make *SURE* that this is a multiple of 3 as pcre requires it. @@ -194,7 +196,7 @@ OptFpList *fpl; void *pcre_dup; - /* + /* * allocate the data structure for pcre */ pcre_data = (PcreData *) SnortAlloc(sizeof(PcreData)); @@ -241,10 +243,10 @@ return; } -static INLINE void ValidatePcreHttpContentModifiers(PcreData *pcre_data) +static inline void ValidatePcreHttpContentModifiers(PcreData *pcre_data) { if( pcre_data->options & SNORT_PCRE_RELATIVE ) - FatalError("%s(%d): PCRE unsupported configuration : both relative & uri options specified\n", + FatalError("%s(%d): PCRE unsupported configuration : both relative & uri options specified\n", file_name, file_line); if( pcre_data->options & SNORT_PCRE_RAWBYTES ) @@ -276,9 +278,9 @@ int erroffset; int compile_flags = 0; - if(data == NULL) + if(data == NULL) { - FatalError("%s (%d): pcre requires a regular expression\n", + FatalError("%s (%d): pcre requires a regular expression\n", file_name, file_line); } @@ -289,7 +291,7 @@ while (isspace((int)re[strlen(re)-1])) re[strlen(re)-1] = '\0'; while (isspace((int)*re)) re++; - if(*re == '!') { + if(*re == '!') { pcre_data->options |= SNORT_PCRE_INVERT; re++; while(isspace((int)*re)) re++; 
@@ -307,24 +309,24 @@ printf("It isn't \"\n"); goto syntax; } - + /* remove the last quote from the string */ re[strlen(re) - 1] = '\0'; - + /* 'm//' or just '//' */ - + if(*re == 'm') { re++; if(! *re) goto syntax; - + /* Space as a ending delimiter? Uh, no. */ if(isspace((int)*re)) goto syntax; /* using R would be bad, as it triggers RE */ - if(*re == 'R') goto syntax; + if(*re == 'R') goto syntax; delimit = *re; - } + } else if(*re != delimit) goto syntax; @@ -345,10 +347,10 @@ case 's': compile_flags |= PCRE_DOTALL; break; case 'm': compile_flags |= PCRE_MULTILINE; break; case 'x': compile_flags |= PCRE_EXTENDED; break; - - /* + + /* * these are pcre specific... don't work with perl - */ + */ case 'A': compile_flags |= PCRE_ANCHORED; break; case 'E': compile_flags |= PCRE_DOLLAR_ENDONLY; break; case 'G': compile_flags |= PCRE_UNGREEDY; break; @@ -384,7 +386,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre: compiling %s\n", re);); pcre_data->re = pcre_compile(re, compile_flags, &error, &erroffset, NULL); - if(pcre_data->re == NULL) + if(pcre_data->re == NULL) { FatalError("%s(%d) : pcre compile of \"%s\" failed at offset " "%d : %s\n", file_name, file_line, re, erroffset, error); @@ -426,7 +428,7 @@ } else { - if (!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT) && + if (!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT) && ((ScPcreMatchLimit() != -1) || (ScPcreMatchLimitRecursion() != -1))) { pcre_data->pe = (pcre_extra *)SnortAlloc(sizeof(pcre_extra)); @@ -435,7 +437,7 @@ pcre_data->pe->flags |= PCRE_EXTRA_MATCH_LIMIT; pcre_data->pe->match_limit = ScPcreMatchLimit(); } - + #ifdef PCRE_EXTRA_MATCH_LIMIT_RECURSION if (ScPcreMatchLimitRecursion() != -1) { @@ -446,9 +448,9 @@ } } - if(error != NULL) + if(error != NULL) { - FatalError("%s(%d) : pcre study failed : %s\n", file_name, + FatalError("%s(%d) : pcre study failed : %s\n", file_name, file_line, error); } 
@@ -461,7 +463,7 @@ syntax: if(free_me) free(free_me); - FatalError("%s Line %d => unable to parse pcre regex %s\n", + FatalError("%s Line %d => unable to parse pcre regex %s\n", file_name, file_line, data); } @@ -516,9 +518,9 @@ } } -/** +/** * Perform a search of the PCRE data. - * + * * @param pcre_data structure that options and patterns are passed in * @param buf buffer to search * @param len size of buffer @@ -538,7 +540,7 @@ int ovector[SNORT_PCRE_OVECTOR_SIZE]; int matched; int result; - + if(pcre_data == NULL || buf == NULL || len <= 0 @@ -573,7 +575,7 @@ * ovector[0] and ovector[1], identify the portion of the subject string matched by the entire pattern. * The next pair is used for the first capturing subpattern, and so on. The value returned by * pcre_exec() is the number of pairs that have been set. If there are no capturing subpatterns, the - * return value from a successful match is 1, indicating that just the first pair of offsets has been set. + * return value from a successful match is 1, indicating that just the first pair of offsets has been set. * * In Snort's case, the ovector size only allows for the first pair and a single int for scratch space. */ @@ -593,7 +595,7 @@ } /* invert sense of match */ - if(pcre_data->options & SNORT_PCRE_INVERT) + if(pcre_data->options & SNORT_PCRE_INVERT) { matched = !matched; } @@ -621,7 +623,7 @@ PREPROC_PROFILE_END(pcrePerfStats); return DETECTION_OPTION_NO_MATCH; } - + /* This is the HTTP case */ if(pcre_data->options & SNORT_PCRE_URI_BUFS) { @@ -684,7 +686,7 @@ UriBufs[i].length, 0, &found_offset); - + PREPROC_PROFILE_END(pcrePerfStats); if(matched) { 
@@ -698,26 +700,19 @@ /* end of the HTTP case */ if( !(pcre_data->options & SNORT_PCRE_RAWBYTES)) { - if( IsMimeDecodeBuf(doe_ptr) ) + if(Is_DetectFlag(FLAG_ALT_DETECT)) { - dsize = mime_decode_size; - start_ptr = file_data_ptr; + dsize = DetectBuffer.len; + start_ptr = DetectBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using MIME Decode Buffer in pcre!\n");); + "using alternative detect buffer in pcre!\n");); } - else if( IsBase64DecodeBuf(doe_ptr)) - { - dsize = base64_decode_size; - start_ptr = base64_decode_buf; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "Using Base64 Decode Buffer in pcre!\n");); - } - else if(p->packet_flags & PKT_ALT_DECODE) + else if(Is_DetectFlag(FLAG_ALT_DECODE)) { dsize = DecodeBuffer.len; start_ptr = DecodeBuffer.data; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "using alternative decode buffer in pcre!\n");); + "using alternative decode buffer in pcre!\n");); } else { @@ -742,12 +737,12 @@ { if(!inBounds(start_ptr, end_ptr, doe_ptr)) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre bounds check failed on a relative content match\n");); PREPROC_PROFILE_END(pcrePerfStats); return DETECTION_OPTION_NO_MATCH; } - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre ... checking relative offset\n");); base_ptr = doe_ptr; @@ -761,7 +756,7 @@ } length = end_ptr - base_ptr; - + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre ... base: %p start: %p end: %p doe: %p length: %d\n", base_ptr, start_ptr, end_ptr, doe_ptr, length);); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_pcre.h snort-2.9.2/src/detection-plugins/sp_pcre.h --- snort-2.9.0.1/src/detection-plugins/sp_pcre.h 2010-01-26 10:09:47.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_pcre.h 2011-02-09 15:23:05.000000000 -0800 
@@ -1,7 +1,7 @@
 /*
 ** Copyright (C) 2003 Brian Caswell <bmc@snort.org>
 ** Copyright (C) 2003 Michael J. Pomraning <mjp@securepipe.com>
-** Copyright (C) 2003-2010 Sourcefire, Inc.
+** Copyright (C) 2003-2011 Sourcefire, Inc.
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/detection-plugins/sp_pkt_data.c snort-2.9.2/src/detection-plugins/sp_pkt_data.c
--- snort-2.9.0.1/src/detection-plugins/sp_pkt_data.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/detection-plugins/sp_pkt_data.c 2011-06-07 17:33:10.000000000 -0700
@@ -0,0 +1,169 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* sp_pkt_data + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif +#include <errno.h> + +#include "sf_types.h" +#include "snort_bounds.h" +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "snort_debug.h" +#include "util.h" +#include "mstring.h" + +#include "snort.h" +#include "profiler.h" +#include "sp_pkt_data.h" +#ifdef PERF_PROFILING +PreprocStats pktDataPerfStats; +extern PreprocStats ruleOTNEvalPerfStats; +#endif + +#include "detection_options.h" +#include "detection_util.h" + +extern char *file_name; /* this is the file name from rules.c, generally used + for error messages */ + +extern int file_line; /* this is the file line number from rules.c that is + used to indicate file lines for error messages */ + +static void PktDataInit(char *, OptTreeNode *, int); +void PktDataParse(char *, OptTreeNode *); +int PktDataEval(void *option_data, Packet *p); + +/**************************************************************************** + 
* + * Function: SetupPktData() + * + * Purpose: Load 'er up + * + * Arguments: None. + * + * Returns: void function + * + ****************************************************************************/ +void SetupPktData(void) +{ + /* map the keyword to an initialization/processing function */ + RegisterRuleOption("pkt_data", PktDataInit, NULL, OPT_TYPE_DETECTION, NULL); +#ifdef PERF_PROFILING + RegisterPreprocessorProfile("pkt_data", &pktDataPerfStats, 3, &ruleOTNEvalPerfStats); +#endif + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: pkt_data Setup\n");); +} + + +/**************************************************************************** + * + * Function: PktDataInit(char *, OptTreeNode *, int protocol) + * + * Purpose: Generic rule configuration function. Handles parsing the rule + * information and attaching the associated detection function to + * the OTN. + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * protocol => protocol the rule is on (we don't care in this case) + * + * Returns: void function + * + ****************************************************************************/ +static void PktDataInit(char *data, OptTreeNode *otn, int protocol) +{ + OptFpList *fpl; + + PktDataParse(data, otn); + + fpl = AddOptFuncToList(PktDataEval, otn); + fpl->type = RULE_OPTION_TYPE_PKT_DATA; + +} + + + +/**************************************************************************** + * + * Function: PktDataParse(char *, OptTreeNode *) + * + * Purpose: This is the function that is used to process the option keyword's + * arguments and attach them to the rule's data structures. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void PktDataParse(char *data, OptTreeNode *otn) +{ + if (!IsEmptyStr(data)) + { + FatalError("%s(%d): pkt_data takes no arguments\n", + file_name, file_line); + } + +} + + +/**************************************************************************** + * + * Function: PktDataEval(char *, OptTreeNode *, OptFpList *) + * + * Purpose: Use this function to perform the particular detection routine + * that this rule keyword is supposed to encompass. + * + * Arguments: p => pointer to the decoded packet + * otn => pointer to the current rule's OTN + * fp_list => pointer to the function pointer list + * + * Returns: If the detection test fails, this function *must* return a zero! + * On success, it calls the next function in the detection list + * + ****************************************************************************/ +int PktDataEval(void *option_data, Packet *p) +{ + int rval = DETECTION_OPTION_MATCH; + PROFILE_VARS; + + PREPROC_PROFILE_START(pktDataPerfStats); + + SetDoePtr(NULL, DOE_BUF_STD); + DetectFlag_Disable(FLAG_ALT_DETECT); + + PREPROC_PROFILE_END(pktDataPerfStats); + return rval; +} diff -Nru snort-2.9.0.1/src/detection-plugins/sp_pkt_data.h snort-2.9.2/src/detection-plugins/sp_pkt_data.h --- snort-2.9.0.1/src/detection-plugins/sp_pkt_data.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_pkt_data.h 2011-06-07 17:33:10.000000000 -0700 
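Review bot: The header comment on `PktDataEval` describes a `(char *, OptTreeNode *, OptFpList *)` signature with `otn`/`fp_list` arguments and says the function "*must* return a zero" on failure, but the function actually takes `(void *option_data, Packet *p)`, never reads `option_data`, and unconditionally returns `DETECTION_OPTION_MATCH` after `SetDoePtr(NULL, DOE_BUF_STD)` and `DetectFlag_Disable(FLAG_ALT_DETECT)`; rewrite the block to say that it resets the detection cursor to the raw packet payload and clears the alternate-detect flag so subsequent options search p->data, and that it always matches. `PktDataParse` and `PktDataEval` are also given external linkage although sp_pkt_data.h exports only `SetupPktData`; `static void PktDataParse(char *data, OptTreeNode *otn)` and `static int PktDataEval(void *option_data, Packet *p)` would keep the module's surface to the one registered entry point. The `protocol` parameter of `PktDataInit` is unused, which the comment could note rather than describing it as "we don't care in this case" only in prose.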
@@ -0,0 +1,27 @@
+/*
+** Copyright (C) 2003-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+
+#ifndef __SP_PKT_DATA_H__
+#define __SP_PKT_DATA_H__
+
+void SetupPktData(void);
+
+#endif
diff -Nru snort-2.9.0.1/src/detection-plugins/sp_react.c snort-2.9.2/src/detection-plugins/sp_react.c
--- snort-2.9.0.1/src/detection-plugins/sp_react.c 2010-10-25 12:49:04.000000000 -0700
+++ snort-2.9.2/src/detection-plugins/sp_react.c 2011-11-21 12:15:24.000000000 -0800
@@ -1,7 +1,7 @@
 /* $Id$ */
 /****************************************************************************
  *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -20,11 +20,14 @@ * ****************************************************************************/ +// @file sp_react.c +// @author Russ Combs <rcombs@sourcefire.com> + /* The original Snort React Plugin was contributed by Maciej Szarpak, Warsaw * University of Technology. The module has been entirely rewritten by * Sourcefire as part of the effort to overhaul active response. Some of the * changes include: - * + * * - elimination of unworkable warn mode * - elimination of proxy port (rule header has ports) * - integration with unified active response mechanism @@ -36,7 +39,7 @@ * * This version will send a web page to the client and then reset both * ends of the session. The web page may be configured or the default - * may be used. The web page can have the default warning message + * may be used. The web page can have the default warning message * inserted or the message from the rule. * * If you wish to just reset the session, use the resp keyword instead. @@ -55,7 +58,8 @@ #include <string.h> #include <ctype.h> -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" #include "decode.h" #include "encode.h" #include "detection_options.h" @@ -78,11 +82,14 @@ static const char* MSG_KEY = "<>"; -static const char* DEFAULT_PAGE = +static const char* DEFAULT_HTTP = "HTTP/1.1 403 Forbidden\r\n" "Connection: close\r\n" "Content-Type: text/html; charset=utf-8\r\n" - "\r\n" + "Content-Length: %d\r\n" + "\r\n"; + +static const char* DEFAULT_HTML = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" "<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\">\r\n" 
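Review bot: `DEFAULT_HTTP` formats the body length with `"Content-Length: %d\r\n"`, but the value React_Config supplies for it in hunk `@@ -378,41 +393,37 @@` is the `size_t` `body_len`, so the conversion and the argument type disagree, which is undefined behaviour on any target where `size_t` is wider than `int`. Either declare the header as `"Content-Length: %zu\r\n"` or cast at both call sites, `snprintf(&dummy, 1, head, (int)body_len)` and `SnortSnprintf((char*)rd->resp_buf, head_len+1, head, (int)body_len)`. A comment on `DEFAULT_HTTP` noting that it is a format string consumed by React_Config, `// format: one int argument, the body length in bytes`, would keep the two definitions from drifting apart again.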
@@ -110,13 +117,14 @@ } ReactData; +static int s_init = 1; static int s_deprecated = 0; static char* s_page = NULL; // When React_Init() is called the rule msg keyword may not have // been processed. This necessitates two things: // -// * A unique instance id is used in the hash in lieu of the +// * A unique instance id is used in the hash in lieu of the // message text. The id starts at 1 since 0 is reserved for // the default msg. Assuming all rules have different msg // strings, the id is a valid proxy. @@ -158,7 +166,7 @@ unsigned int i,j,k,l; ReactData *data = (ReactData *)d; - const char* s = s_page ? s_page : DEFAULT_PAGE; + const char* s = s_page ? s_page : DEFAULT_HTML; unsigned n = strlen(s); a = data->rule_msg; @@ -173,7 +181,7 @@ k = n - i; if (k > 4) k=4; - + for (l=0;l<k;l++) { tmp |= s[i + l] << l*8; 
@@ -257,32 +265,36 @@ file_name, file_line); DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"In React_Init()\n");); - React_GetPage(); - rd = SnortAlloc(sizeof(*rd)); + if ( s_init ) + { + AddFuncToCleanExitList(React_Cleanup, NULL); + AddFuncToRestartList(React_Cleanup, NULL); + + React_GetPage(); + + Active_SetEnabled(1); + s_init = 0; + } /* parse the react keywords */ + rd = SnortAlloc(sizeof(*rd)); React_Parse(data, otn, rd); rd->otn = otn; - // this prevent multiple response options in rule - otn->ds_list[PLUGIN_RESPONSE] = rd; - if (add_detection_option(RULE_OPTION_TYPE_REACT, (void*)rd, &idx_dup) == DETECTION_OPTION_EQUAL) { free(rd); - return; + rd = idx_dup; } - - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ - AddFuncToPostConfigList(React_Config, rd); - AddFuncToCleanExitList(React_Cleanup, NULL); - AddFuncToRestartList(React_Cleanup, NULL); AddRspFuncToList(React_Queue, otn, (void*)rd); + AddFuncToPostConfigList(React_Config, rd); - Active_SetEnabled(1); + // this prevents multiple response options in rule + otn->ds_list[PLUGIN_RESPONSE] = rd; } static void React_Cleanup(int signal, void* data) @@ -292,6 +304,7 @@ free(s_page); s_page = NULL; } + s_init = 1; } //-------------------------------------------------------------------- @@ -316,7 +329,7 @@ FatalError("react: %s(%d) can't stat react page file '%s'.\n", file_name, file_line, sc->react_page); - s_page = SnortAlloc(fs.st_size); + s_page = SnortAlloc(fs.st_size+1); fd = fopen(sc->react_page, "r"); if ( !fd ) @@ -324,11 +337,13 @@ file_name, file_line, sc->react_page); n = fread(s_page, 1, fs.st_size, fd); + fclose(fd); if ( n != (size_t)fs.st_size ) FatalError("react: %s(%d) can't load react page file '%s'.\n", file_name, file_line, sc->react_page); + s_page[n] = '\0'; msg = strstr(s_page, MSG_KEY); if ( msg ) strncpy(msg, "%s", 2); } 
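Review bot: In the duplicate-option path of React_Init, `rd = idx_dup;` now falls through to `AddFuncToPostConfigList(React_Config, rd);`, so the shared ReactData is registered for React_Config once per rule that dedups to it, whereas the removed code returned before registering. React_Config in hunk `@@ -378,41 +393,37 @@` assigns `rd->resp_buf = (char*)SnortAlloc(total_len)` unconditionally, so every extra run leaks the buffer from the previous one; if AddFuncToPostConfigList queues one call per registration, which is not visible here, that is one leaked response buffer per duplicate rule. Register the config callback only on the non-duplicate path, or have React_Config return early when `rd->resp_buf` is already set, `if ( rd->resp_buf ) return;`. React_Init's declarations and the early `FatalError` lie above the hunk.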
@@ -367,7 +382,7 @@ FatalError("%s(%d): invalid react option: %s\n", file_name, file_line, tok); - tok = strtok(NULL, ","); + tok = strtok(NULL, ","); /* get rid of spaces */ while ( tok && isspace((int)*tok) ) tok++; @@ -378,41 +393,37 @@ } //-------------------------------------------------------------------- +// format response buffer static void React_Config (int unused, void* data) { ReactData* rd = (ReactData*)data; - size_t len; - int ret; + size_t body_len, head_len, total_len; + char dummy; - // format response buffer - const char* page = s_page ? s_page : DEFAULT_PAGE; + const char* head = DEFAULT_HTTP; + const char* body = s_page ? s_page : DEFAULT_HTML; - if ( strstr(page, "%s") ) - { - const char* msg = rd->otn->sigInfo.message; - if ( !msg || !rd->rule_msg ) msg = DEFAULT_MSG; - len = strlen(page) + strlen(msg) - 1; // due to %s in page - rd->resp_buf = (char*)SnortAlloc(len); - ret = SnortSnprintf((char*)rd->resp_buf, len, page, msg); - } - else - { - len = strlen(page) + 1; // for \0 - rd->resp_buf = (char*)SnortAlloc(len); - ret = SnortSnprintf((char*)rd->resp_buf, len, "%s", page); - } + const char* msg = rd->otn->sigInfo.message; + if ( !msg || !rd->rule_msg ) msg = DEFAULT_MSG; + + body_len = snprintf(&dummy, 1, body, msg); + head_len = snprintf(&dummy, 1, head, body_len); + total_len = head_len + body_len + 1; - if ( ret != SNORT_SNPRINTF_SUCCESS ) - FatalError("%s(%d): SnortSnprintf failed\n", file_name, file_line); + rd->resp_buf = (char*)SnortAlloc(total_len); - // set actual length (should be len-1) + SnortSnprintf((char*)rd->resp_buf, head_len+1, head, body_len); + SnortSnprintf((char*)rd->resp_buf+head_len, body_len+1, body, msg); + + // set actual length + rd->resp_buf[total_len-1] = '\0'; rd->buf_len = strlen(rd->resp_buf); } //-------------------------------------------------------------------- -static int React_Queue (Packet* p, void* pv) +static int React_Queue (Packet* p, void* pv) { ReactData* rd = (ReactData*)pv; PROFILE_VARS; 
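Review bot: React_Config now hands `body` to `snprintf` as the format string unconditionally, where the removed code did so only after `strstr(page, "%s")` succeeded; a react page loaded from the configured file therefore has every `%` it contains treated as a conversion, and with `msg` as the sole variadic argument any further conversion reads an argument that was never passed. The page text is admin-supplied, so this is a correctness and robustness defect rather than an exposure, and the clean fix is to stop using the file contents as a format: escape `%` as `%%` while loading it in React_GetPage, or replace the `<>` marker by copying the message in rather than via `strncpy(msg, "%s", 2)`. Separately, `snprintf` returns `int` and is negative on failure, and assigning that to the `size_t` locals `body_len`/`head_len` turns a failure into a huge `total_len`; check the return before the allocation, `int r = snprintf(&dummy, 1, body, msg); if ( r < 0 ) FatalError("%s(%d): react page format failed\n", file_name, file_line); body_len = (size_t)r;`, and likewise for `head_len`.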
@@ -434,7 +445,7 @@ { ReactData* rd = (ReactData*)pv; EncodeFlags df = (p->packet_flags & PKT_FROM_SERVER) ? ENC_FLAG_FWD : 0; - EncodeFlags rf = ENC_FLAG_SEQ | (ENC_FLAG_VAL & rd->buf_len); + EncodeFlags rf = ENC_FLAG_SEQ | (ENC_FLAG_VAL & rd->buf_len); PROFILE_VARS; PREPROC_PROFILE_START(reactPerfStats); @@ -445,7 +456,7 @@ Active_SendReset(p, ENC_FLAG_FWD); PREPROC_PROFILE_END(reactPerfStats); -} +} #endif /* ENABLE_REACT */ diff -Nru snort-2.9.0.1/src/detection-plugins/sp_react.h snort-2.9.2/src/detection-plugins/sp_react.h --- snort-2.9.0.1/src/detection-plugins/sp_react.h 2010-06-09 15:05:06.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_react.h 2011-02-09 15:23:05.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_replace.c snort-2.9.2/src/detection-plugins/sp_replace.c --- snort-2.9.0.1/src/detection-plugins/sp_replace.c 2010-06-09 15:05:06.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_replace.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,8 +28,9 @@ #include <strings.h> #endif -#include "bounds.h" -#include "debug.h" +#include "sf_types.h" +#include "snort_bounds.h" +#include "snort_debug.h" #include "decode.h" #include "parser.h" #include "sp_replace.h" @@ -54,7 +55,7 @@ { if ( !warned ) { - LogMessage("Warning: payload replacements disabled because DAQ " + LogMessage("WARNING: payload replacements disabled because DAQ " " can't replace packets.\n"); warned = 1; } 
@@ -63,7 +64,7 @@ if ( lastType == PLUGIN_PATTERN_MATCH_URI ) { FatalError("%s(%d) => \"replace\" option is not supported " - "with uricontent, nor in conjunction with http_uri, " + "with uricontent, nor in conjunction with http_uri, " "http_header, http_method http_cookie," "http_raw_uri, http_raw_header, or " "http_raw_cookie modifiers.\n", @@ -181,28 +182,28 @@ switch(*idx) { case '|': - + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Got bar... ");); - + if(!literal) { - + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "not in literal mode... ");); - + if(!hexmode) { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Entering hexmode\n");); hexmode = 1; } else { - - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Exiting hexmode\n");); - + hexmode = 0; pending = 0; } @@ -213,7 +214,7 @@ else { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "literal set, Clearing\n");); literal = 0; @@ -224,21 +225,21 @@ break; case '\\': - + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Got literal char... ");); if(!literal) { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Setting literal\n");); - + literal = 1; } else { - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n");); - + tmp_buf[dummy_size] = start_ptr[cnt]; literal = 0; dummy_size++; @@ -316,10 +317,10 @@ { tmp_buf[dummy_size] = start_ptr[cnt]; dummy_size++; - - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n");); - + literal = 0; } else @@ -364,7 +365,7 @@ file_name, file_line); } - ret = SafeMemcpy(ds_idx->replace_buf, tmp_buf, dummy_size, + ret = SafeMemcpy(ds_idx->replace_buf, tmp_buf, dummy_size, ds_idx->replace_buf, (ds_idx->replace_buf+dummy_size)); if (ret == SAFEMEM_ERROR) 
@@ -374,7 +375,7 @@ ds_idx->replace_size = dummy_size; - DEBUG_WRAP(DebugMessage(DEBUG_PARSER, + DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "ds_idx (%p) replace_size(%d) replace_buf(%s)\n", ds_idx, ds_idx->replace_size, ds_idx->replace_buf);); @@ -410,7 +411,7 @@ r->depth = pmd->replace_depth; } -static INLINE void Replace_ApplyChange(Packet *p, Replacement* r) +static inline void Replace_ApplyChange(Packet *p, Replacement* r) { int err; int rsize; @@ -426,7 +427,7 @@ if ( err == SAFEMEM_ERROR ) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Replace_Apply() => SafeMemcpy() failed\n");); return; } diff -Nru snort-2.9.0.1/src/detection-plugins/sp_replace.h snort-2.9.2/src/detection-plugins/sp_replace.h --- snort-2.9.0.1/src/detection-plugins/sp_replace.h 2010-01-26 10:09:48.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_replace.h 2011-06-07 17:33:10.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -31,17 +31,17 @@ extern void Replace_QueueChange(PatternMatchData*); extern void Replace_ModifyPacket(Packet*); -static INLINE void Replace_ResetOffset(PatternMatchData* pmd) +static inline void Replace_ResetOffset(PatternMatchData* pmd) { pmd->replace_depth = -1; } -static INLINE void Replace_StoreOffset(PatternMatchData* pmd, int detect_depth) +static inline void Replace_StoreOffset(PatternMatchData* pmd, int detect_depth) { pmd->replace_depth = detect_depth; } -static INLINE int Replace_OffsetStored(PatternMatchData* pmd) +static inline int Replace_OffsetStored(PatternMatchData* pmd) { return pmd->replace_depth >= 0; } diff -Nru snort-2.9.0.1/src/detection-plugins/sp_respond3.c snort-2.9.2/src/detection-plugins/sp_respond3.c --- snort-2.9.0.1/src/detection-plugins/sp_respond3.c 2010-08-25 13:22:41.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_respond3.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License Version 2 as published by @@ -47,15 +47,19 @@ * - if a resp3 rule is also a drop rule, the drop processing takes precedence. */ +// @file sp_respond3.c +// @author Russ Combs <rcombs@sourcefire.com> + #ifdef ENABLE_RESPONSE3 #ifdef HAVE_CONFIG_H #include "config.h" #endif -#include "bounds.h" +#include "sf_types.h" +#include "snort_bounds.h" #include "checksum.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "encode.h" #include "detection_options.h" @@ -95,6 +99,8 @@ uint32_t flags; } Resp3_Data; +static int s_init = 1; + // callback functions static void Resp3_Init(char* data, OptTreeNode*, int protocol); static void Resp3_Cleanup(int signal, void* data); 
@@ -149,7 +155,7 @@ //-------------------------------------------------------------------- // callback functions -static void Resp3_Init(char* data, OptTreeNode* otn, int protocol) +static void Resp3_Init(char* data, OptTreeNode* otn, int protocol) { Resp3_Data* rd = NULL; void* idx_dup; @@ -158,34 +164,32 @@ FatalError("%s(%d): Multiple response options in rule\n", file_name, file_line); -#if 0 - if ( !(protocol & (IPPROTO_ICMP | IPPROTO_TCP | IPPROTO_UDP)) ) - FatalError("%s: %s(%d): Can't respond to IP protocol rules.\n", - MOD_NAME, file_name, file_line); -#endif + if ( s_init ) + { + AddFuncToCleanExitList(Resp3_Cleanup, NULL); + AddFuncToRestartList(Resp3_Cleanup, NULL); + + Active_SetEnabled(1); + s_init = 0; + } rd = (Resp3_Data*)SnortAlloc(sizeof(*rd)); rd->mask = Resp3_Parse(data); - - // this prevent multiple response options in rule - otn->ds_list[PLUGIN_RESPONSE] = rd; if ( add_detection_option(RULE_OPTION_TYPE_RESPOND, rd, &idx_dup) == DETECTION_OPTION_EQUAL) { free(rd); - return; + rd = idx_dup; } - - AddFuncToCleanExitList(Resp3_Cleanup, NULL); - AddFuncToRestartList(Resp3_Cleanup, NULL); + // this prevents multiple response options in rule + otn->ds_list[PLUGIN_RESPONSE] = rd; AddRspFuncToList(Resp3_Queue, otn, rd); - - Active_SetEnabled(1); } static void Resp3_Cleanup(int signal, void* data) { + s_init = 1; } //-------------------------------------------------------------------- @@ -199,17 +203,8 @@ uint32_t flags = 0; int num_toks, i; - while (isspace((int)*type)) - type++; - - if (!type || !(*type)) - return 0; - - toks = mSplit(type, ",", 6, &num_toks, 0); - - if (num_toks < 1) - FatalError("%s (%d): Bad arguments to resp3: %s.\n", - file_name, file_line, type); + if ( type ) + toks = mSplit(type, ",", 6, &num_toks, 0); i = 0; while (i < num_toks) 
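Review bot: With the new `if ( type ) toks = mSplit(type, ",", 6, &num_toks, 0);` guard in Resp3_Parse, a NULL `type` leaves `num_toks` indeterminate (it is declared two lines above as `int num_toks, i;` with no initializer) and `toks` untouched, yet `while (i < num_toks)` and the `mSplitFree(&toks, num_toks)` that follows in the next hunk still run on them, which is undefined behaviour. Initialize both at their declarations, `int num_toks = 0, i;` here and `toks = NULL` where `toks` is declared, which is above the hunk, so that the NULL case falls straight through to the existing `if ( !flags )` FatalError. Resp3_Parse's signature and the `toks` declaration lie outside the hunk, and the removed `isspace` skip means leading whitespace in the option value now depends on how mSplit tokenizes, which is not visible here.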
@@ -253,14 +248,14 @@ i++; } else - FatalError("%s: %s(%d): invalid resp modifier: %s\n", + FatalError("%s: %s(%d): invalid resp modifier: %s\n", MOD_NAME, file_name, file_line, toks[i]); } mSplitFree(&toks, num_toks); if ( !flags ) - FatalError("%s: %s(%d): invalid resp configuration: %s\n", + FatalError("%s: %s(%d): invalid resp configuration: %s\n", MOD_NAME, file_name, file_line, "no response specified"); return flags; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_respond.h snort-2.9.2/src/detection-plugins/sp_respond.h --- snort-2.9.0.1/src/detection-plugins/sp_respond.h 2010-06-09 15:05:06.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_respond.h 2011-02-09 15:23:05.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 1999,2000,2001 Christian Lademann <cal@zls.de> ** diff -Nru snort-2.9.0.1/src/detection-plugins/sp_rpc_check.c snort-2.9.2/src/detection-plugins/sp_rpc_check.c --- snort-2.9.0.1/src/detection-plugins/sp_rpc_check.c 2010-06-09 15:05:06.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_rpc_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -36,7 +36,7 @@ #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sfhashfcn.h" @@ -54,7 +54,7 @@ /* * This is driven by 64-bit Solaris which doesn't * define _LONG - * + * */ #ifndef IXDR_GET_LONG 
@@ -118,7 +118,7 @@ /**************************************************************************** - * + * * Function: SetupRpcCheck() * * Purpose: Register the rpc option keyword with its setup function @@ -142,7 +142,7 @@ /**************************************************************************** - * + * * Function: RpcCheckInit(char *, OptTreeNode *) * * Purpose: Parse the rpc keyword arguments and link the detection module @@ -163,7 +163,7 @@ file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_RPC_CHECK]) { FatalError("%s(%d): Multiple rpc options in rule\n", file_name, @@ -175,11 +175,11 @@ otn->ds_list[PLUGIN_RPC_CHECK] = (RpcCheckData *) SnortAlloc(sizeof(RpcCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseRpc(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckRpc, otn); fpl->type = RULE_OPTION_TYPE_RPC_CHECK; @@ -188,7 +188,7 @@ /**************************************************************************** - * + * * Function: ParseRpc(char *, OptTreeNode *) * * Purpose: Parse the RPC keyword's arguments @@ -223,9 +223,9 @@ { FatalError("%s(%d): Invalid applicaion number in rpc rule option\n",file_name,file_line); } - + if(*tmp == '\0') return; - + data=++tmp; if(*data != '*') { @@ -256,7 +256,7 @@ /**************************************************************************** - * + * * Function: CheckRpc(char *, OptTreeNode *) * * Purpose: Test if the packet RPC equals the rule option's rpc @@ -274,7 +274,7 @@ u_long xid, rpcvers, prog, vers, proc; enum msg_type direction; int rval = DETECTION_OPTION_NO_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS int i; #endif PROFILE_VARS; 
@@ -309,7 +309,7 @@ } } -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_PLUGIN,"<---xid---> <---dir---> <---rpc--->" " <---prog--> <---vers--> <---proc-->\n"); for(i=0; i<24; i++) diff -Nru snort-2.9.0.1/src/detection-plugins/sp_rpc_check.h snort-2.9.2/src/detection-plugins/sp_rpc_check.h --- snort-2.9.0.1/src/detection-plugins/sp_rpc_check.h 2010-01-26 10:09:48.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_rpc_check.h 2011-02-09 15:23:06.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_session.c snort-2.9.2/src/detection-plugins/sp_session.c --- snort-2.9.0.1/src/detection-plugins/sp_session.c 2010-01-26 10:09:48.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_session.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -22,15 +22,15 @@ /* Snort Session Logging Plugin */ -/* sp_session - * +/* sp_session + * * Purpose: * - * Drops data (printable or otherwise) into a SESSION file. Useful for + * Drops data (printable or otherwise) into a SESSION file. Useful for * logging user sessions (telnet, http, ftp, etc). * * Arguments: - * + * * This plugin can take two arguments: * printable => only log the "printable" ASCII characters. * all => log all traffic in the session, logging non-printable @@ -71,7 +71,7 @@ #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "snort.h" 
@@ -122,7 +122,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if (left->session_flag == right->session_flag) { return DETECTION_OPTION_EQUAL; @@ -133,7 +133,7 @@ /**************************************************************************** - * + * * Function: SetupSession() * * Purpose: Init the session plugin module. @@ -155,7 +155,7 @@ /************************************************************************** - * + * * Function: SessionInit(char *, OptTreeNode *) * * Purpose: Initialize the sesion plugin, parsing the rule parameters and @@ -172,8 +172,8 @@ OptFpList *fpl; /* - * Theoretically we should only all this plugin to be used when there's a - * possibility of a session happening (i.e. TCP), but I get enough + * Theoretically we should only all this plugin to be used when there's a + * possibility of a session happening (i.e. TCP), but I get enough * requests that I'm going to pull the verifier so that things should work * for everyone */ @@ -183,7 +183,7 @@ file_name, file_line); }*/ - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_SESSION]) { FatalError("%s(%d): Multiple session options in rule\n", file_name, @@ -198,11 +198,11 @@ /* be sure to check that the protocol that is passed in matches the transport layer protocol that you're using for this rule! */ - /* this is where the keyword arguments are processed and placed into + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseSession(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(LogSessionData, otn); fpl->context = otn->ds_list[PLUGIN_SESSION]; 
@@ -212,7 +212,7 @@ /**************************************************************************** - * + * * Function: ParseSession(char *, OptTreeNode *) * * Purpose: Figure out how much of the session data we're collecting @@ -268,7 +268,7 @@ /**************************************************************************** - * + * * Function: LogSessionData(char *, OptTreeNode *) * * Purpose: Dumps the session data to the log file. @@ -289,8 +289,8 @@ PREPROC_PROFILE_START(sessionPerfStats); /* if there's data in this packet */ - if(p != NULL) - { + if(p != NULL) + { if((p->dsize != 0 && p->data != NULL) || p->frag_flag != 1) { session = OpenSessionFile(p); @@ -370,11 +370,11 @@ char session_file[STD_BUF]; /* name of session file */ #ifdef SUP_IP6 sfip_t *dst, *src; -#endif +#endif FILE *ret; - if(p->frag_flag) + if(p->frag_flag) { return NULL; } @@ -458,7 +458,7 @@ #endif } - + strncpy(filename, session_file, STD_BUF - 1); filename[STD_BUF - 1] = '\0'; diff -Nru snort-2.9.0.1/src/detection-plugins/sp_session.h snort-2.9.2/src/detection-plugins/sp_session.h --- snort-2.9.0.1/src/detection-plugins/sp_session.h 2010-01-26 10:09:48.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_session.h 2011-02-09 15:23:06.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_ack_check.c snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.c --- snort-2.9.0.1/src/detection-plugins/sp_tcp_ack_check.c 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.c 2011-06-07 17:33:10.000000000 -0700 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,12 +28,13 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" @@ -87,7 +88,7 @@ } /**************************************************************************** - * + * * Function: SetupTcpAckCheck() * * Purpose: Link the ack keyword to the initialization function @@ -109,7 +110,7 @@ /**************************************************************************** - * + * * Function: TcpAckCheckInit(char *, OptTreeNode *) * * Purpose: Attach the option data to the rule data struct and link in the @@ -130,7 +131,7 @@ FatalError("%s(%d) TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_ACK_CHECK]) { FatalError("%s(%d): Multiple TCP ack options in rule\n", file_name, @@ -142,11 +143,11 @@ otn->ds_list[PLUGIN_TCP_ACK_CHECK] = (TcpAckCheckData *) SnortAlloc(sizeof(TcpAckCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTcpAck(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckTcpAckEq, otn); fpl->type = RULE_OPTION_TYPE_TCP_ACK; 
@@ -156,7 +157,7 @@ /**************************************************************************** - * + * * Function: ParseTcpAck(char *, OptTreeNode *) * * Purpose: Attach the option rule's argument to the data struct. @@ -191,7 +192,7 @@ /**************************************************************************** - * + * * Function: CheckTcpAckEq(char *, OptTreeNode *) * * Purpose: Check to see if the packet's TCP ack field is equal to the rule diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_ack_check.h snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.h --- snort-2.9.0.1/src/detection-plugins/sp_tcp_ack_check.h 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_ack_check.h 2011-02-09 15:23:06.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_flag_check.c snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.c --- snort-2.9.0.1/src/detection-plugins/sp_tcp_flag_check.c 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.c 2011-07-13 15:44:51.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -29,12 +29,13 @@ #include <string.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" 
@@ -56,7 +57,7 @@ typedef struct _TCPFlagCheckData { u_char mode; - u_char tcp_flags; + u_char tcp_flags; u_char tcp_mask; /* Mask to take away from the flags check */ } TCPFlagCheckData; @@ -118,7 +119,7 @@ FatalError("Line %s (%d): TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_FLAG_CHECK]) { FatalError("%s(%d): Multiple TCP flags options in rule\n", file_name, @@ -150,7 +151,7 @@ * * Purpose: Figure out which TCP flags the current rule is interested in * - * Arguments: rule => the rule string + * Arguments: rule => the rule string * * Returns: void function * @@ -168,7 +169,7 @@ fptr = rule; /* make sure there is atleast a split pointer */ - if(fptr == NULL) + if(fptr == NULL) { FatalError("[!] Line %s (%d): Flags missing in TCP flag rule\n", file_name, file_line); } @@ -182,7 +183,7 @@ } /* find the end of the alert string */ - fend = fptr + strlen(fptr); + fend = fptr + strlen(fptr); idx->mode = M_NORMAL; /* this is the default, unless overridden */ @@ -225,18 +226,22 @@ break; case '1': /* reserved bit flags */ - idx->tcp_flags |= R_RES1; + case 'c': + case 'C': + idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */ break; case '2': /* reserved bit flags */ - idx->tcp_flags |= R_RES2; + case 'e': + case 'E': + idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */ break; case '!': /* not, fire if all flags specified are not present, other are don't care */ idx->mode = M_NOT; break; - case '*': /* star or any, fire if any flags specified are + case '*': /* star or any, fire if any flags specified are present, other are don't care */ idx->mode = M_ANY; break; @@ -249,7 +254,7 @@ break; default: FatalError("%s(%d): bad TCP flag = \"%c\"\n" - "Valid otions: UAPRSF12 or 0 for NO flags (e.g. NULL scan)," + "Valid otions: UAPRSFCE or 0 for NO flags (e.g. NULL scan)," " and !, + or * for modifiers\n", file_name, file_line, *fptr); } 
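Review bot: The `case '1':` and `case '2':` labels are kept but now fall into the `R_CWR` and `R_ECE` assignments while their `/* reserved bit flags */` comments are left as they were, so the comments no longer describe what the cases set; the mask hunk `@@ -285,26 +290,30 @@` on the next line has the same pair. Reword them as `/* '1': legacy alias for CWR (formerly reserved bit 1) */` and `/* '2': legacy alias for ECE (formerly reserved bit 2) */` so the backward-compatible spellings are explicit. The new "Valid otions: UAPRSFCE" messages in hunks `@@ -249,7 +254,7 @@` and `@@ -285,26 +290,30 @@` omit the still-accepted `1` and `2` and carry the pre-existing typo `otions` into the rewritten lines; fixing both while the lines are being touched would be cheap.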
@@ -260,7 +265,7 @@ while(isspace((u_char) *fptr)) fptr++; - + /* create the mask portion now */ while(fptr < fend && comma_set == 1) { @@ -285,26 +290,30 @@ case 'P': idx->tcp_mask |= R_PSH; break; - + case 'a': case 'A': idx->tcp_mask |= R_ACK; break; - + case 'u': case 'U': idx->tcp_mask |= R_URG; break; - + case '1': /* reserved bit flags */ - idx->tcp_mask |= R_RES1; + case 'c': + case 'C': + idx->tcp_mask |= R_CWR; /* Congestion Window Reduced, RFC 3168 */ break; case '2': /* reserved bit flags */ - idx->tcp_mask |= R_RES2; + case 'e': + case 'E': + idx->tcp_mask |= R_ECE; /* ECN echo, RFC 3168 */ break; default: - FatalError(" Line %s (%d): bad TCP flag = \"%c\"\n Valid otions: UAPRS12 \n", + FatalError(" Line %s (%d): bad TCP flag = \"%c\"\n Valid otions: UAPRSFCE \n", file_name, file_line, *fptr); } @@ -326,13 +335,13 @@ PROFILE_VARS; PREPROC_PROFILE_START(tcpFlagsPerfStats); - + if(!p->tcph) { /* if error appeared when tcp header was processed, * test fails automagically */ PREPROC_PROFILE_END(tcpFlagsPerfStats); - return rval; + return rval; } /* the flags we really want to check are all the ones diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_flag_check.h snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.h --- snort-2.9.0.1/src/detection-plugins/sp_tcp_flag_check.h 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_flag_check.h 2011-02-09 15:23:07.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_seq_check.c snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.c --- snort-2.9.0.1/src/detection-plugins/sp_tcp_seq_check.c 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.c 2011-06-07 17:33:10.000000000 -0700 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,13 +28,14 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "snort.h" @@ -88,7 +89,7 @@ } /**************************************************************************** - * + * * Function: SetupTcpSeqCheck() * * Purpose: Link the seq keyword to the initialization function @@ -111,7 +112,7 @@ /**************************************************************************** - * + * * Function: TcpSeqCheckInit(char *, OptTreeNode *) * * Purpose: Attach the option data to the rule data struct and link in the @@ -131,7 +132,7 @@ FatalError("Line %s (%d): TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_SEQ_CHECK]) { FatalError("%s(%d): Multiple TCP seq options in rule\n", file_name, @@ -143,11 +144,11 @@ otn->ds_list[PLUGIN_TCP_SEQ_CHECK] = (TcpSeqCheckData *) SnortAlloc(sizeof(TcpSeqCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTcpSeq(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(CheckTcpSeqEq, otn); fpl->type = RULE_OPTION_TYPE_TCP_SEQ; 
@@ -157,7 +158,7 @@ /**************************************************************************** - * + * * Function: ParseTcpSeq(char *, OptTreeNode *) * * Purpose: Attach the option rule's argument to the data struct. @@ -180,7 +181,7 @@ ds_ptr->tcp_seq = strtoul(data, ep, 0); ds_ptr->tcp_seq = htonl(ds_ptr->tcp_seq); - + if (add_detection_option(RULE_OPTION_TYPE_TCP_SEQ, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) { otn->ds_list[PLUGIN_TCP_SEQ_CHECK] = ds_ptr_dup; @@ -193,7 +194,7 @@ /**************************************************************************** - * + * * Function: CheckTcpSeqEq(char *, OptTreeNode *) * * Purpose: Check to see if the packet's TCP ack field is equal to the rule @@ -221,7 +222,7 @@ { rval = DETECTION_OPTION_MATCH; } -#ifdef DEBUG +#ifdef DEBUG_MSGS else { /* you can put debug comments here or not */ diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_seq_check.h snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.h --- snort-2.9.0.1/src/detection-plugins/sp_tcp_seq_check.h 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_seq_check.h 2011-02-09 15:23:07.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_win_check.c snort-2.9.2/src/detection-plugins/sp_tcp_win_check.c --- snort-2.9.0.1/src/detection-plugins/sp_tcp_win_check.c 2010-06-09 15:05:07.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_tcp_win_check.c 2011-07-13 15:44:51.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -32,13 +32,14 @@ #endif #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" #include "parser.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugin_enum.h" #include "snort.h" @@ -96,7 +97,7 @@ /**************************************************************************** - * + * * Function: SetupTcpWinCheck() * * Purpose: Associate the window keyword with TcpWinCheckInit @@ -117,7 +118,7 @@ /**************************************************************************** - * + * * Function: TcpWinCheckInit(char *, OptTreeNode *) * * Purpose: Setup the window data struct and link the function into option @@ -134,27 +135,27 @@ OptFpList *fpl; if(protocol != IPPROTO_TCP) { - FatalError("%s(%d): TCP Options on non-TCP rule\n", + FatalError("%s(%d): TCP Options on non-TCP rule\n", file_name, file_line); } - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TCP_WIN_CHECK]) { FatalError("%s(%d): Multiple TCP window options in rule\n", file_name, file_line); } - + /* allocate the data structure and attach it to the rule's data struct list */ otn->ds_list[PLUGIN_TCP_WIN_CHECK] = (TcpWinCheckData *) SnortAlloc(sizeof(TcpWinCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTcpWin(data, otn); - /* finally, attach the option's detection function to the rule's + /* finally, attach the option's detection function to the rule's detect function pointer list */ fpl = AddOptFuncToList(TcpWinCheckEq, otn); fpl->type = RULE_OPTION_TYPE_TCP_WIN; 
@@ -164,10 +165,10 @@ /**************************************************************************** - * + * * Function: ParseTcpWin(char *, OptTreeNode *) * - * Purpose: Convert the tos option argument to data and plug it into the + * Purpose: Convert the tos option argument to data and plug it into the * data structure * * Arguments: data => argument data @@ -180,7 +181,7 @@ { TcpWinCheckData *ds_ptr; /* data struct pointer */ void *ds_ptr_dup; - int win_size; + int win_size = 0; char *endTok; char *start; @@ -234,8 +235,8 @@ ds_ptr->tcp_win = htons((uint16_t)win_size); -#ifdef DEBUG - printf("TCP Window set to 0x%X\n", ds_ptr->tcp_win); +#ifdef DEBUG_MSGS + DebugMessage(DEBUG_PLUGIN,"TCP Window set to 0x%X\n", ds_ptr->tcp_win); #endif if (add_detection_option(RULE_OPTION_TYPE_TCP_WIN, (void *)ds_ptr, &ds_ptr_dup) == DETECTION_OPTION_EQUAL) @@ -247,11 +248,11 @@ /**************************************************************************** - * + * * Function: TcpWinCheckEq(char *, OptTreeNode *) * * Purpose: Test the TCP header's window to see if its value is equal to the - * value in the rule. + * value in the rule. * * Arguments: data => argument data * otn => pointer to the current rule's OTN @@ -275,7 +276,7 @@ { rval = DETECTION_OPTION_MATCH; } -#ifdef DEBUG +#ifdef DEBUG_MSGS else { /* you can put debug comments here or not */ diff -Nru snort-2.9.0.1/src/detection-plugins/sp_tcp_win_check.h snort-2.9.2/src/detection-plugins/sp_tcp_win_check.h --- snort-2.9.0.1/src/detection-plugins/sp_tcp_win_check.h 2010-01-26 10:09:49.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_tcp_win_check.h 2011-02-09 15:23:07.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ttl_check.c snort-2.9.2/src/detection-plugins/sp_ttl_check.c --- snort-2.9.0.1/src/detection-plugins/sp_ttl_check.c 2010-10-25 12:49:04.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_ttl_check.c 2011-06-07 17:33:10.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -27,10 +27,11 @@ #include <stdlib.h> #include <ctype.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "parser.h" #include "plugin_enum.h" @@ -66,7 +67,7 @@ int CheckTtl(void *option_data, Packet *p); /**************************************************************************** - * + * * Function: SetupTtlCheck() * * Purpose: Register the ttl option keyword with its setup function @@ -111,7 +112,7 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - + if ((left->ttl == right->ttl) && (left->h_ttl == right->h_ttl) && (left->oper == right->oper)) @@ -123,7 +124,7 @@ } /**************************************************************************** - * + * * Function: TtlCheckInit(char *, OptTreeNode *) * * Purpose: Parse the ttl keyword arguments and link the detection module 
@@ -137,7 +138,7 @@ ****************************************************************************/ void TtlCheckInit(char *data, OptTreeNode *otn, int protocol) { - /* multiple declaration check */ + /* multiple declaration check */ if(otn->ds_list[PLUGIN_TTL_CHECK]) { FatalError("%s(%d): Multiple IP ttl options in rule\n", file_name, @@ -149,7 +150,7 @@ otn->ds_list[PLUGIN_TTL_CHECK] = (TtlCheckData *) SnortAlloc(sizeof(TtlCheckData)); - /* this is where the keyword arguments are processed and placed into the + /* this is where the keyword arguments are processed and placed into the rule option's data structure */ ParseTtl(data, otn); @@ -160,7 +161,7 @@ /**************************************************************************** - * + * * Function: ParseTtl(char *, OptTreeNode *) * * Purpose: Parse the TTL keyword's arguments @@ -217,7 +218,7 @@ data++; rel_present = 1; break; - default: + default: ttlrel = '='; } while(isspace((int)*data)) data++; @@ -257,7 +258,7 @@ else ds_ptr->oper = TTL_CHECK_GT; break; - case '<': + case '<': fpl = AddOptFuncToList(CheckTtl, otn); if(equals_present) ds_ptr->oper = TTL_CHECK_LT_EQ; @@ -342,7 +343,7 @@ case TTL_CHECK_EQ: if (ttlCheckData->ttl == GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not equal to %d\n", @@ -353,7 +354,7 @@ case TTL_CHECK_GT: if (ttlCheckData->ttl < GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not greater than %d\n", @@ -364,7 +365,7 @@ case TTL_CHECK_LT: if (ttlCheckData->ttl > GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not less than %d\n", 
@@ -375,7 +376,7 @@ case TTL_CHECK_GT_EQ: if (ttlCheckData->ttl <= GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not greater than or equal to %d\n", @@ -386,7 +387,7 @@ case TTL_CHECK_LT_EQ: if (ttlCheckData->ttl >= GET_IPH_TTL(p)) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { DebugMessage(DEBUG_PLUGIN, "CheckTtlEq: Not less than or equal to %d\n", @@ -399,10 +400,10 @@ if ((ttlCheckData->ttl <= GET_IPH_TTL(p)) && (ttlCheckData->h_ttl >= GET_IPH_TTL(p))) rval = DETECTION_OPTION_MATCH; -#ifdef DEBUG +#ifdef DEBUG_MSGS else { - DebugMessage(DEBUG_PLUGIN, "CheckTtlLT: Not Within the range %d - %d (%d)\n", + DebugMessage(DEBUG_PLUGIN, "CheckTtlLT: Not Within the range %d - %d (%d)\n", ttlCheckData->ttl, ttlCheckData->h_ttl, GET_IPH_TTL(p)); diff -Nru snort-2.9.0.1/src/detection-plugins/sp_ttl_check.h snort-2.9.2/src/detection-plugins/sp_ttl_check.h --- snort-2.9.0.1/src/detection-plugins/sp_ttl_check.h 2010-01-26 10:09:50.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_ttl_check.h 2011-02-09 15:23:07.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/detection-plugins/sp_urilen_check.c snort-2.9.2/src/detection-plugins/sp_urilen_check.c --- snort-2.9.0.1/src/detection-plugins/sp_urilen_check.c 2010-10-25 12:49:04.000000000 -0700 +++ snort-2.9.2/src/detection-plugins/sp_urilen_check.c 2011-10-26 07:49:57.000000000 -0700 
@@ -1,26 +1,25 @@ /* $Id */ -/* -** Copyright (C) 2005-2010 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if nto, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Bosotn, MA 02111-1307, USA. -*/ +/* + ** Copyright (C) 2005-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if nto, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Bosotn, MA 02111-1307, USA. + */ /* - * sp_urilen_check.c: Detection plugin to expose URI length to - * user rules. + * sp_urilen_check.c: Detection plugin to expose URI length to user rules. */ #ifdef HAVE_CONFIG_H 
@@ -31,15 +30,17 @@ #include <stdlib.h> #include <string.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "plugin_enum.h" #include "util.h" #include "sfhashfcn.h" +#include "mstring.h" #include "sp_urilen_check.h" @@ -69,7 +70,8 @@ mix(a,b,c); - a += RULE_OPTION_TYPE_URILEN; + a += data->uri_buf; + b += RULE_OPTION_TYPE_URILEN; final(a,b,c); @@ -84,9 +86,10 @@ if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; - if ((left->urilen == right->urilen) && - (left->urilen2 == right->urilen2) && - (left->oper == right->oper)) + if ((left->urilen == right->urilen) + && (left->urilen2 == right->urilen2) + && (left->oper == right->oper) + && (left->uri_buf == right->uri_buf)) { return DETECTION_OPTION_EQUAL; } 
@@ -96,57 +99,53 @@ /* Called from plugbase to register any detection plugin keywords. -* + * * PARAMETERS: None. * * RETURNS: Nothing. */ -void -SetupUriLenCheck(void) +void SetupUriLenCheck(void) { - RegisterRuleOption("urilen", UriLenCheckInit, NULL, OPT_TYPE_DETECTION, NULL); + RegisterRuleOption("urilen", UriLenCheckInit, NULL, OPT_TYPE_DETECTION, NULL); #ifdef PERF_PROFILING RegisterPreprocessorProfile("urilen_check", &urilenCheckPerfStats, 3, &ruleOTNEvalPerfStats); #endif } -/* Parses the urilen rule arguments and attaches info to +/* Parses the urilen rule arguments and attaches info to * the rule data structure for later use. Attaches detection * function to OTN function list. - * - * PARAMETERS: + * + * PARAMETERS: * * argp: Rule arguments * otnp: Pointer to the current rule option list node - * protocol: Pointer specified for the rule currently being parsed + * protocol: Pointer specified for the rule currently being parsed * * RETURNS: Nothing. */ -void -UriLenCheckInit( char* argp, OptTreeNode* otnp, int protocol ) +void UriLenCheckInit( char* argp, OptTreeNode* otnp, int protocol ) { - /* Sanity check(s) */ - if ( !otnp ) - return; - - /* Check if there have been multiple urilen options specified - * in the same rule. - */ - if ( otnp->ds_list[PLUGIN_URILEN_CHECK] ) - { - FatalError("%s(%d): Multiple urilen options in rule\n", - file_name, file_line ); - } - - otnp->ds_list[PLUGIN_URILEN_CHECK] = - (UriLenCheckData*) SnortAlloc(sizeof(UriLenCheckData)); + /* Sanity check(s) */ + if ( !otnp ) + return; + + /* Check if there have been multiple urilen options specified + * in the same rule. 
+ */ + if ( otnp->ds_list[PLUGIN_URILEN_CHECK] ) + { + FatalError("%s(%d): Multiple urilen options in rule\n", + file_name, file_line ); + } - ParseUriLen( argp, otnp ); + otnp->ds_list[PLUGIN_URILEN_CHECK] = SnortAlloc(sizeof(UriLenCheckData)); + ParseUriLen( argp, otnp ); } /* Parses the urilen rule arguments and attaches the resulting - * parameters to the rule data structure. Based on arguments, + * parameters to the rule data structure. Based on arguments, * attaches the appropriate callback/processing function * to be used when the OTN is evaluated. * 
@@ -158,141 +157,178 @@ * * RETURNS: Nothing. */ -void -ParseUriLen( char* argp, OptTreeNode* otnp ) +void ParseUriLen( char* argp, OptTreeNode* otnp ) { OptFpList *fpl; - UriLenCheckData* datap = NULL; + UriLenCheckData* datap = (UriLenCheckData*)otnp->ds_list[PLUGIN_URILEN_CHECK]; void *datap_dup; - char* curp = NULL; - char* cur_tokenp = NULL; - char* endp = NULL; - int val; - - /* Get the Urilen parameter block */ - datap = (UriLenCheckData*) - otnp->ds_list[PLUGIN_URILEN_CHECK]; - - curp = argp; - - while(isspace((int)*curp)) - curp++; - - /* Parse the string */ - if(isdigit((int)*curp) && strchr(curp, '<') && strchr(curp, '>')) - { - cur_tokenp = strtok(curp, " <>"); - if(!cur_tokenp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } - - val = strtol(cur_tokenp, &endp, 10); - if(val < 0 || *endp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } - - datap->urilen = (unsigned short)val; - - cur_tokenp = strtok(NULL, " <>"); - if(!cur_tokenp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } - - val = strtol(cur_tokenp, &endp, 10); - if(val < 0 || *endp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); - } + char* curp = NULL; + char **toks; + int num_toks; + + toks = mSplit(argp, ",", 2, &num_toks, '\\'); + if (!num_toks) + { + FatalError("%s(%d): 'urilen' requires arguments.\n", + file_name, file_line); + } + + curp = toks[0]; + + /* Parse the string */ + if (isdigit((int)*curp) && strstr(curp, "<>")) + { + char **mtoks; + int num_mtoks; + char* endp = NULL; + long int val; + + mtoks = mSplit(curp, "<>", 2, &num_mtoks, '\\'); + if (num_mtoks != 2) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + val = strtol(mtoks[0], &endp, 0); + if ((val < 0) || *endp || (val > UINT16_MAX)) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + datap->urilen = 
(uint16_t)val; + + val = strtol(mtoks[1], &endp, 0); + if ((val < 0) || *endp || (val > UINT16_MAX)) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + datap->urilen2 = (uint16_t)val; + + if (datap->urilen2 < datap->urilen) + { + uint16_t tmp = datap->urilen; + datap->urilen = datap->urilen2; + datap->urilen2 = tmp; + } - datap->urilen2 = (unsigned short)val; - fpl = AddOptFuncToList(CheckUriLen, otnp ); datap->oper = URILEN_CHECK_RG; - if (add_detection_option(RULE_OPTION_TYPE_URILEN, (void *)datap, &datap_dup) == DETECTION_OPTION_EQUAL) + + mSplitFree(&mtoks, num_mtoks); + } + else + { + char* endp = NULL; + long int val; + + if(*curp == '>') + { + curp++; + datap->oper = URILEN_CHECK_GT; + } + else if(*curp == '<') + { + curp++; + datap->oper = URILEN_CHECK_LT; + } + else + { + datap->oper = URILEN_CHECK_EQ; + } + + while(isspace((int)*curp)) curp++; + + if (!*curp) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + val = strtol(curp, &endp, 0); + if ((val < 0) || *endp || (val > UINT16_MAX)) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + if ((datap->oper == URILEN_CHECK_LT) && (val == 0)) { - otnp->ds_list[PLUGIN_URILEN_CHECK] = datap_dup; - free(datap); + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); } - fpl->type = RULE_OPTION_TYPE_URILEN; - fpl->context = otnp->ds_list[PLUGIN_URILEN_CHECK]; - return; - } - else if(*curp == '>') - { - curp++; - fpl = AddOptFuncToList(CheckUriLen, otnp ); - datap->oper = URILEN_CHECK_GT; - } - else if(*curp == '<') - { - curp++; - fpl = AddOptFuncToList(CheckUriLen, otnp ); - datap->oper = URILEN_CHECK_LT; - } - else - { - fpl = AddOptFuncToList(CheckUriLen, otnp ); - datap->oper = URILEN_CHECK_EQ; - } - - while(isspace((int)*curp)) curp++; - - val = strtol(curp, &endp, 10); - if(val < 0 || *endp) - { - FatalError("%s(%d): Invalid 'urilen' argument.\n", - file_name, file_line); 
- } + datap->urilen = (uint16_t)val; + } + + if (num_toks > 1) + { + if (!strcmp(toks[1], URI_LEN_BUF_NORM)) + datap->uri_buf = HTTP_BUFFER_URI; + else if (!strcmp(toks[1], URI_LEN_BUF_RAW)) + datap->uri_buf = HTTP_BUFFER_RAW_URI; + else + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + else + { + if (strchr(argp, ',')) + { + FatalError("%s(%d): Invalid 'urilen' argument.\n", + file_name, file_line); + } + + datap->uri_buf = HTTP_BUFFER_RAW_URI; + } + + mSplitFree(&toks, num_toks); + + fpl = AddOptFuncToList(CheckUriLen, otnp); + fpl->type = RULE_OPTION_TYPE_URILEN; - datap->urilen = (unsigned short)val; if (add_detection_option(RULE_OPTION_TYPE_URILEN, (void *)datap, &datap_dup) == DETECTION_OPTION_EQUAL) { otnp->ds_list[PLUGIN_URILEN_CHECK] = datap_dup; free(datap); } - fpl->type = RULE_OPTION_TYPE_URILEN; + fpl->context = otnp->ds_list[PLUGIN_URILEN_CHECK]; } -int -CheckUriLen(void *option_data, Packet *p) +int CheckUriLen(void *option_data, Packet *p) { - UriLenCheckData *urilenCheckData = (UriLenCheckData *)option_data; + UriLenCheckData *udata = (UriLenCheckData *)option_data; int rval = DETECTION_OPTION_NO_MATCH; + uint16_t uri_len = UriBufs[udata->uri_buf].length; PROFILE_VARS; PREPROC_PROFILE_START(urilenCheckPerfStats); - if ((p->packet_flags & PKT_REBUILT_STREAM) || ( !UriBufs[0].uri )) + if (!p->uri_count || !uri_len) { PREPROC_PROFILE_END(urilenCheckPerfStats); return rval; } - switch (urilenCheckData->oper) + switch (udata->oper) { case URILEN_CHECK_EQ: - if (urilenCheckData->urilen == UriBufs[0].length ) + if (udata->urilen == uri_len) rval = DETECTION_OPTION_MATCH; break; case URILEN_CHECK_GT: - if (urilenCheckData->urilen < UriBufs[0].length ) + if (udata->urilen < uri_len) rval = DETECTION_OPTION_MATCH; break; case URILEN_CHECK_LT: - if (urilenCheckData->urilen > UriBufs[0].length ) + if (udata->urilen > uri_len) rval = DETECTION_OPTION_MATCH; break; case URILEN_CHECK_RG: - if ((urilenCheckData->urilen <= 
UriBufs[0].length ) && - (urilenCheckData->urilen2 >= UriBufs[0].length )) + if ((udata->urilen <= uri_len) && (udata->urilen2 >= uri_len)) rval = DETECTION_OPTION_MATCH; break; default: diff -Nru snort-2.9.0.1/src/detection-plugins/sp_urilen_check.h snort-2.9.2/src/detection-plugins/sp_urilen_check.h --- snort-2.9.0.1/src/detection-plugins/sp_urilen_check.h 2010-01-26 10:09:50.000000000 -0800 +++ snort-2.9.2/src/detection-plugins/sp_urilen_check.h 2011-08-17 10:58:09.000000000 -0700 
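Review bot: `CheckUriLen` now returns `DETECTION_OPTION_NO_MATCH` whenever `uri_len` is 0 (`if (!p->uri_count || !uri_len)`), so `urilen:0` and the low end of `urilen:0<>N` can never fire, yet `ParseUriLen` rejects a zero value only for `<`; either extend that check to `if (((datap->oper == URILEN_CHECK_LT) || (datap->oper == URILEN_CHECK_EQ)) && (val == 0))` or drop `!uri_len` from the guard and let the comparison decide (CheckUriLen's body continues past the end of the hunk). Switching the three `strtol` calls from base 10 to base 0 silently changes the meaning of leading-zero arguments (`urilen:010` now parses as 8 and `0x` prefixes are accepted); if that is intended it belongs in the option's documentation, otherwise keep `10`. `isdigit((int)*curp)` is undefined for a negative `char`; cast through `unsigned char` as the ctype functions require. The leading-whitespace skip the old code did before the `isdigit` test is gone, so if `mSplit` does not trim its tokens, `urilen: 5<>10` would be routed into the single-value branch and rejected. The block comment above ParseUriLen (closing the previous hunk) still describes only the numeric argument; it should mention the optional `,norm` / `,raw` selector and that `raw` is the default when it is omitted.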
@@ -1,21 +1,21 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ + ** Copyright (C) 2005-2011 Sourcefire, Inc. + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ /* * sp_urilen_check.h: Structure definitions/function prototype(s) 
@@ -24,23 +24,28 @@ /* $Id */ -#ifndef SP_URILEN_CHECK_H -#define SP_URILEN_CHECK_H +#ifndef _SP_URILEN_CHECK_H_ +#define _SP_URILEN_CHECK_H_ + +#define URI_LEN_BUF_NORM "norm" +#define URI_LEN_BUF_RAW "raw" + +#define URILEN_CHECK_EQ 1 +#define URILEN_CHECK_GT 2 +#define URILEN_CHECK_LT 3 +#define URILEN_CHECK_RG 4 /* Structure stored in the rule OTN struct for use by URILEN * detection plugin code. */ typedef struct _UriLenCheckData { - int urilen; - int urilen2; + uint16_t urilen; + uint16_t urilen2; char oper; -} UriLenCheckData; + int uri_buf; -#define URILEN_CHECK_EQ 1 -#define URILEN_CHECK_GT 2 -#define URILEN_CHECK_LT 3 -#define URILEN_CHECK_RG 4 +} UriLenCheckData; /* * Structure stored in the rule OTN struct for use by URINORMLEN @@ -57,4 +62,4 @@ uint32_t UriLenCheckHash(void *d); int UriLenCheckCompare(void *l, void *r); -#endif /* SP_URILEN_CHECK_H */ +#endif /* _SP_URILEN_CHECK_H_ */ diff -Nru snort-2.9.0.1/src/detection_util.c snort-2.9.2/src/detection_util.c --- snort-2.9.0.1/src/detection_util.c 2010-10-25 12:48:58.000000000 -0700 +++ snort-2.9.2/src/detection_util.c 2011-06-07 17:33:05.000000000 -0700 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
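Review bot: The renamed include guard `_SP_URILEN_CHECK_H_` begins with an underscore followed by an uppercase letter, an identifier C reserves for the implementation; the previous `SP_URILEN_CHECK_H` was conforming and should be kept on the `#ifndef`/`#define` lines and in the closing `#endif` comment. The new `uri_buf` member has no comment and is a plain `int` holding an `HTTP_BUFFER` value used as an index into `UriBufs[]`; document it, e.g. `int uri_buf; /* HTTP_BUFFER_URI or HTTP_BUFFER_RAW_URI: UriBufs[] entry whose length is tested */`, or type it as `HTTP_BUFFER` if that enum is visible to this header.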
@@ -18,20 +18,30 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <time.h> + #include "detection_util.h" +#include "sfutil/sf_textlog.h" +#include "rules.h" +#include "snort.h" -const uint8_t *file_data_ptr; uint8_t base64_decode_buf[DECODE_BLEN]; uint32_t base64_decode_size; -uint32_t mime_decode_size; uint8_t mime_present; const uint8_t *doe_ptr; uint8_t doe_buf_flags; +uint16_t detect_flags; HttpUri UriBufs[HTTP_BUFFER_MAX]; +DataPointer DetectBuffer; +DataPointer file_data_ptr; DataBuffer DecodeBuffer; #ifdef DEBUG 
@@ -50,3 +60,128 @@ }; #endif +static const char* rule_type[RULE_TYPE__MAX] = { + "none", "activate", "alert", "drop", "dynamic", + "log", "pass", "reject", "sdrop" +}; + +#define LOG_CHARS 16 + +static TextLog* tlog = NULL; +static unsigned nEvents = 0; + +static void LogBuffer (const char* s, const uint8_t* p, unsigned n) +{ + char hex[(3*LOG_CHARS)+1]; + char txt[LOG_CHARS+1]; + unsigned odx = 0, idx = 0, at = 0; + + if ( !p ) + return; + + if ( n > snort_conf->event_trace_max ) + n = snort_conf->event_trace_max; + + for ( idx = 0; idx < n; idx++) + { + uint8_t byte = p[idx]; + sprintf(hex + 3*odx, "%2.02X ", byte); + txt[odx++] = isprint(byte) ? byte : '.'; + + if ( odx == LOG_CHARS ) + { + txt[odx] = hex[3*odx] = '\0'; + TextLog_Print(tlog, "%s[%2u] %s %s\n", s, at, hex, txt); + at = idx + 1; + odx = 0; + } + } + if ( odx ) + { + txt[odx] = hex[3*odx] = '\0'; + TextLog_Print(tlog, "%s[%2u] %-48.48s %s\n", s, at, hex, txt); + } +} + +void EventTrace_Log (const Packet* p, OptTreeNode* otn, int action) +{ + int i; + const char* acts = (action < RULE_TYPE__MAX) ? 
rule_type[action] : "ERROR"; + + if ( !tlog ) + return; + + TextLog_Print(tlog, + "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n", + event_id, otn->sigInfo.generator, + otn->sigInfo.id, otn->sigInfo.rev, acts + ); + TextLog_Print(tlog, + "Pkt=%lu, Sec=%u.%6u, Len=%u, Cap=%u\n", + pc.total_from_daq, p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, + p->pkth->pktlen, p->pkth->caplen + ); + TextLog_Print(tlog, + "Pkt Bits: Flags=0x%X, PP=0x%X, PPR=0x%X, Proto=0x%X" + ", Err=0x%X\n", + p->packet_flags, p->preprocessor_bits, p->preproc_reassembly_pkt_bits, + (unsigned)p->proto_bits, (unsigned)p->error_flags + ); + TextLog_Print(tlog, + "Pkt Cnts: Dsz=%u, Alt=%u, Bytes2Insp=%d" + ", NUri=%u, NHttp=%u\n", + (unsigned)p->dsize, (unsigned)p->alt_dsize, p->bytes_to_inspect, + (unsigned)p->uri_count, p->http_pipeline_count + ); + TextLog_Print(tlog, "Detect: DoeFlags=0x%X, DetectFlags=0x%X, DetBuf=%u, B64=%u\n", + doe_buf_flags, detect_flags, DetectBuffer.len, base64_decode_size + ); + LogBuffer("Decode", DecodeBuffer.data, DecodeBuffer.len); + LogBuffer("Detect", DetectBuffer.data, DetectBuffer.len); + LogBuffer("FileData", file_data_ptr.data, file_data_ptr.len); + LogBuffer("Base64", base64_decode_buf, base64_decode_size); + if(mime_present) + LogBuffer("Mime", file_data_ptr.data, file_data_ptr.len); + + for ( i = 0; i < HTTP_BUFFER_MAX; i++ ) + { + if ( 0 == UriBufs[i].length ) + continue; + + TextLog_Print(tlog, "%s[%u] = 0x%X\n", + uri_buffer_name[i], UriBufs[i].length, UriBufs[i].encode_type); + + LogBuffer(uri_buffer_name[i], UriBufs[i].uri, UriBufs[i].length); + } + nEvents++; +} + +void EventTrace_Init (void) +{ + if ( snort_conf->event_trace_max > 0 ) + { + time_t now = time(NULL); + const char* ts = ctime(&now); + + char buf[STD_BUF]; + const char* dir = snort_conf->log_dir ? 
snort_conf->log_dir : "."; + snprintf(buf, sizeof(buf), "%s/%s", dir, snort_conf->event_trace_file); + + tlog = TextLog_Init (buf, 128, 8*1024*1024); + TextLog_Print(tlog, "\nTrace started at %s", ts); + TextLog_Print(tlog, "Trace max_data is %u bytes\n", snort_conf->event_trace_max); + } +} + +void EventTrace_Term (void) +{ + if ( tlog ) + { + time_t now = time(NULL); + const char* ts = ctime(&now); + TextLog_Print(tlog, "\nTraced %u events\n", nEvents); + TextLog_Print(tlog, "Trace stopped at %s", ts); + TextLog_Term(tlog); + } +} + diff -Nru snort-2.9.0.1/src/detection_util.h snort-2.9.2/src/detection_util.h --- snort-2.9.0.1/src/detection_util.h 2010-10-25 12:48:58.000000000 -0700 +++ snort-2.9.2/src/detection_util.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 2002-2010 Sourcefire, Inc. + ** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -16,7 +16,7 @@ ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - ** + ** ** Description ** This file contains the utility functions used by rule options. ** @@ -26,11 +26,17 @@ #define __DETECTION_UTIL_H__ #include "sf_types.h" -#include "debug.h" +#include "decode.h" +#include "detect.h" +#include "snort.h" +#include "snort_debug.h" +#include "treenodes.h" #ifndef DECODE_BLEN #define DECODE_BLEN 65535 +#define MAX_URI 8192 + typedef enum { HTTP_BUFFER_URI, @@ -47,6 +53,12 @@ } HTTP_BUFFER; #endif +typedef enum { + FLAG_ALT_DECODE = 0x0001, + FLAG_ALT_DETECT = 0x0002, + FLAG_DETECT_ALL = 0xffff +} DetectFlagType; + #define DOE_BUF_URI 0x01 #define DOE_BUF_STD 0x02 
@@ -62,45 +74,51 @@ #define HTTP_ENCODE_TYPE__ASCII 0x00000080 typedef struct _HttpUri -{ +{ const uint8_t *uri; - uint16_t length; + uint16_t length; uint32_t encode_type; } HttpUri; typedef struct { + uint8_t *data; + uint16_t len; +} DataPointer; + + +typedef struct { uint8_t data[DECODE_BLEN]; uint16_t len; } DataBuffer; - -extern const uint8_t *file_data_ptr; extern uint8_t base64_decode_buf[DECODE_BLEN]; extern uint32_t base64_decode_size; -extern uint32_t mime_decode_size; extern uint8_t mime_present; extern uint8_t doe_buf_flags; extern const uint8_t *doe_ptr; +extern uint16_t detect_flags; + extern HttpUri UriBufs[HTTP_BUFFER_MAX]; +extern DataPointer DetectBuffer; +extern DataPointer file_data_ptr; extern DataBuffer DecodeBuffer; -#ifdef DEBUG const char* uri_buffer_name[HTTP_BUFFER_MAX]; -#endif -#define SetAltDecode(pktPtr, altLen) \ +#define SetDetectLimit(pktPtr, altLen) \ { \ - pktPtr->packet_flags |= PKT_ALT_DECODE; \ - DecodeBuffer.len = altLen; \ + pktPtr->alt_dsize = altLen; \ } + #define IsLimitedDetect(pktPtr) (pktPtr->packet_flags & PKT_HTTP_DECODE) + /* * Function: setFileDataPtr * - * Purpose: Sets the file data pointer used by + * Purpose: Sets the file data pointer used by * file_data rule option. * * Arguments: ptr => pointer to the body data @@ -109,11 +127,10 @@ * */ -static INLINE void setFileDataPtr(const u_char *ptr, uint32_t decode_size) +static inline void setFileDataPtr(uint8_t *ptr, uint16_t decode_size) { - file_data_ptr = ptr; - mime_decode_size = decode_size; - + file_data_ptr.data = ptr; + file_data_ptr.len = decode_size; } /* @@ -129,11 +146,11 @@ * */ -static INLINE int IsBase64DecodeBuf(const uint8_t *p) +static inline int IsBase64DecodeBuf(const uint8_t *p) { if( base64_decode_size && p ) { - if ((p >= base64_decode_buf) && + if ((p >= base64_decode_buf) && (p < (base64_decode_buf + base64_decode_size))) { return 1; 
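Review bot: `const char* uri_buffer_name[HTTP_BUFFER_MAX];` loses both its `#ifdef DEBUG` guard and any `extern`, so it is now a tentative definition in a header: every translation unit that includes detection_util.h defines the array, which links only through common symbols and fails outright under `-fno-common`. Declare it `extern const char* uri_buffer_name[HTTP_BUFFER_MAX];` here and keep the single definition in the .c file. The new `SetDetectLimit` macro body is a bare brace block rather than `do { ... } while (0)`, so `if (x) SetDetectLimit(p, n); else ...` does not compile; with a single statement it can simply be `#define SetDetectLimit(pktPtr, altLen) ((pktPtr)->alt_dsize = (altLen))`. In the `@@ -109` hunk `setFileDataPtr` changes `ptr` from `const u_char *` to `uint8_t *`, which forces callers holding a const body pointer to cast const away; if nothing writes through `file_data_ptr.data`, `DataPointer.data` could stay `const uint8_t *` (cannot be confirmed from this diff).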
@@ -145,36 +162,20 @@ return 0; } -static INLINE int IsMimeDecodeBuf(const uint8_t *p) -{ - if( mime_present && file_data_ptr) - { - if ((p >= file_data_ptr) && - (p < (file_data_ptr + mime_decode_size))) - { - return 1; - } - else - return 0; - } - else - return 0; -} - /* * Function: SetDoePtr(const uint8_t *ptr, uint8_t type) * * Purpose: This function set the doe_ptr and sets the type of * buffer to which doe_ptr points. - * + * * Arguments: ptr => pointer * type => type of buffer - * + * * Returns: void * */ -static INLINE void SetDoePtr(const uint8_t *ptr, uint8_t type) +static inline void SetDoePtr(const uint8_t *ptr, uint8_t type) { doe_ptr = ptr; doe_buf_flags = type; 
@@ -185,20 +186,98 @@ * * Purpose: This function updates the doe_ptr and resets the type of * buffer to which doe_ptr points based on the update value. - * + * * Arguments: ptr => pointer * update => reset the buf flag if update is not zero. - * + * * Returns: void * */ -static INLINE void UpdateDoePtr(const uint8_t *ptr, uint8_t update) +static inline void UpdateDoePtr(const uint8_t *ptr, uint8_t update) { doe_ptr = ptr; if(update) doe_buf_flags = DOE_BUF_STD; } +void EventTrace_Init(void); +void EventTrace_Term(void); + +void EventTrace_Log(const Packet*, OptTreeNode*, int action); + +static inline int EventTrace_IsEnabled (void) +{ + return ( snort_conf->event_trace_max > 0 ); +} + +static inline void DetectFlag_Enable(DetectFlagType df) +{ + detect_flags |= df; +} + +static inline void DetectFlag_Disable(DetectFlagType df) +{ + detect_flags &= ~df; +} + +static inline int Is_DetectFlag(DetectFlagType df) +{ + return ( (detect_flags & df) != 0 ); +} + +static inline uint16_t Get_DetectFlags(void) +{ + return detect_flags; +} + +static inline void Reset_DetectFlags(uint16_t dflags) +{ + detect_flags = dflags; +} + +static inline int GetAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr) +{ + if ( Is_DetectFlag(FLAG_ALT_DETECT) ) + { + *bufPtr = DetectBuffer.data; + *altLenPtr = DetectBuffer.len; + return 1; + } + + return 0; +} + +static inline void SetAltDetect(uint8_t *buf, uint16_t altLen) +{ + DetectFlag_Enable(FLAG_ALT_DETECT); + DetectBuffer.data = buf; + DetectBuffer.len = altLen; +} + +static inline void SetAltDecode(uint16_t altLen) +{ + DetectFlag_Enable(FLAG_ALT_DECODE); + DecodeBuffer.len = altLen; +} + +static inline void DetectReset(uint8_t *buf, uint16_t altLen) +{ + DetectBuffer.data = buf; + DetectBuffer.len = altLen; + + DetectFlag_Disable(FLAG_DETECT_ALL); + + /* Reset the values */ + + file_data_ptr.data = NULL; + file_data_ptr.len = 0; + base64_decode_size = 0; + doe_buf_flags = 0; + mime_present = 0; + DecodeBuffer.len = 0; +} + + #endif diff 
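Review bot: The new `SetAltDecode(uint16_t altLen)` only raises `FLAG_ALT_DECODE` in `detect_flags`, whereas the macro it replaces (removed in the `@@ -62` hunk) also set `PKT_ALT_DECODE` in `pktPtr->packet_flags`; any code that still tests `packet_flags & PKT_ALT_DECODE` would now silently miss the alternate buffer, so remaining readers of that flag should be checked before this lands. The ten new `static inline` helpers carry no header comments while the neighbouring `SetDoePtr`/`UpdateDoePtr` use the file's `Function:/Purpose:/Arguments:/Returns:` blocks; at minimum `DetectReset` deserves one stating that it clears every `FLAG_*` bit and zeroes `file_data_ptr`, `base64_decode_size`, `doe_buf_flags`, `mime_present` and `DecodeBuffer.len` but leaves `doe_ptr` itself untouched. The `EventTrace_Log` prototype also drops two parameter names; `void EventTrace_Log(const Packet *p, OptTreeNode *otn, int action);` keeps it self-describing.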
-Nru snort-2.9.0.1/src/dynamic-examples/dynamic-preprocessor/Makefile.in snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/Makefile.in --- snort-2.9.0.1/src/dynamic-examples/dynamic-preprocessor/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -104,7 +104,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -119,6 +121,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = -I../include INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -155,13 +158,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h 2008-02-25 11:27:43.000000000 -0800 +++ snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h 2011-02-09 15:23:07.000000000 -0800 
@@ -1,8 +1,6 @@ -/* - * sf_preproc_info.h +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges <ssturges@sourcefire.com> + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * sf_preproc_info.h + * + * Author: + * + * Steven A. Sturges <ssturges@sourcefire.com> + * * Description: * * This file is part of an example of a dynamically loadable preprocessor. diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-preprocessor/spp_example.c snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/spp_example.c --- snort-2.9.0.1/src/dynamic-examples/dynamic-preprocessor/spp_example.c 2010-08-25 13:22:41.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/dynamic-preprocessor/spp_example.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,8 +1,6 @@ -/* - * spp_example.c +/**************************************************************************** * - * Copyright (C) 2006-2009 Sourcefire,Inc - * Steven A. Sturges <ssturges@sourcefire.com> + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * spp_example.c + * + * Author: + * + * Steven A. Sturges <ssturges@sourcefire.com> + * * Description: * * This file is part of an example of a dynamically loadable preprocessor. @@ -32,11 +38,16 @@ #include <ctype.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "preprocids.h" #include "sf_snort_packet.h" #include "sf_dynamic_preproc_lib.h" #include "sf_dynamic_preprocessor.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" @@ -58,8 +69,6 @@ tSfPolicyUserContextId ex_swap_config = NULL; #endif -extern DynamicPreprocessorData _dpd; - static void ExampleInit(char *); static void ExampleProcess(void *, void *); static ExampleConfig * ExampleParse(char *); diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-rule/detection_lib_meta.h snort-2.9.2/src/dynamic-examples/dynamic-rule/detection_lib_meta.h --- snort-2.9.0.1/src/dynamic-examples/dynamic-rule/detection_lib_meta.h 2008-02-25 11:27:43.000000000 -0800 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/detection_lib_meta.h 2011-02-09 15:23:07.000000000 -0800 @@ -1,8 +1,6 @@ -/* - * detection_lib_meta.h +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges <ssturges@sourcefire.com> + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
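Review bot: In the `@@ -32,11 +38,16 @@` hunk of spp_example.c the new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` block comes after `<ctype.h>` and `<string.h>`; config.h is where autoconf places feature-test and type macros, and those only take effect on system headers included after it. Move the three lines to the top of the include list, ahead of `<ctype.h>`, matching sid109.c and sid637.c in this same commit where config.h precedes every other include.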
@@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * detection_lib_meta.h + * + * Author: + * + * Steven A. Sturges <ssturges@sourcefire.com> + * * Description: * * This file is part of an example of a dynamically loadable preprocessor. diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-rule/Makefile.am snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.am --- snort-2.9.0.1/src/dynamic-examples/dynamic-rule/Makefile.am 2007-10-11 09:07:25.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.am 2011-06-07 17:33:10.000000000 -0700 @@ -7,11 +7,11 @@ noinst_lib_LTLIBRARIES = lib_sfdynamic_example_rule.la -lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic +lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic @XCCFLAGS@ BUILT_SOURCES = \ sfsnort_dynamic_detection_lib.c \ -sfsnort_dynamic_detection_lib.h +sfsnort_dynamic_detection_lib.h nodist_lib_sfdynamic_example_rule_la_SOURCES = \ sfsnort_dynamic_detection_lib.c \ diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-rule/Makefile.in snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.in --- snort-2.9.0.1/src/dynamic-examples/dynamic-rule/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -103,7 +103,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -118,6 +120,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = -I../include INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -154,13 +157,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -221,10 +230,10 @@ AUTOMAKE_OPTIONS = foreign no-dependencies noinst_libdir = ${exec_prefix}/lib/snort_dynamicrules noinst_lib_LTLIBRARIES = lib_sfdynamic_example_rule.la -lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic +lib_sfdynamic_example_rule_la_LDFLAGS = -export-dynamic @XCCFLAGS@ BUILT_SOURCES = \ sfsnort_dynamic_detection_lib.c \ -sfsnort_dynamic_detection_lib.h +sfsnort_dynamic_detection_lib.h nodist_lib_sfdynamic_example_rule_la_SOURCES = \ sfsnort_dynamic_detection_lib.c \ diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-rule/rules.c snort-2.9.2/src/dynamic-examples/dynamic-rule/rules.c --- snort-2.9.0.1/src/dynamic-examples/dynamic-rule/rules.c 2008-02-25 11:27:43.000000000 -0800 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/rules.c 2011-02-09 15:23:07.000000000 -0800 @@ -1,8 +1,6 @@ -/* - * rules.c +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges <ssturges@sourcefire.com> + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -19,6 +17,14 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ****************************************************************************/ +/* + * rules.c + * + * Author: + * + * Steven A. Sturges <ssturges@sourcefire.com> + * * Description: * * This file is part of an example of a dynamically loadable rules library. diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-rule/sid109.c snort-2.9.2/src/dynamic-examples/dynamic-rule/sid109.c --- snort-2.9.0.1/src/dynamic-examples/dynamic-rule/sid109.c 2010-08-25 13:22:41.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/sid109.c 2011-07-13 15:44:51.000000000 -0700 @@ -1,8 +1,6 @@ -/* - * sid109.c +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges <ssturges@sourcefire.com> + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,13 +17,10 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Description: - * - * This file is part of an example of a dynamically loadable rules library. - * - * NOTES: - * - */ + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif #include "sf_snort_plugin_api.h" #include "sf_snort_packet.h" @@ -42,7 +37,7 @@ */ /* flow:established, from_server; */ -static FlowFlags sid109flow = +static FlowFlags sid109flow = { FLOW_ESTABLISHED|FLOW_TO_CLIENT }; @@ -56,7 +51,7 @@ }; /* content:"NetBus"; */ -static ContentInfo sid109content = +static ContentInfo sid109content = { (u_int8_t *)"NetBus", /* pattern to search for */ 0, /* depth */ 
@@ -68,10 +63,14 @@ 0, /* holder of increment length */ 0, /* holder for fp offset */ 0, /* holder for fp length */ - 0 /* holder for fp only */ + 0, /* holder for fp only */ + NULL, // offset_refId + NULL, // depth_refId + NULL, // offset_location + NULL // depth_location }; -static RuleOption sid109option2 = +static RuleOption sid109option2 = { OPTION_TYPE_CONTENT, { @@ -111,7 +110,7 @@ ANY_PORT /* destination port(s) */ }, /* metadata */ - { + { 3, /* genid -- use 3 to distinguish a C rule */ 109, /* sigid */ 5, /* revision */ diff -Nru snort-2.9.0.1/src/dynamic-examples/dynamic-rule/sid637.c snort-2.9.2/src/dynamic-examples/dynamic-rule/sid637.c --- snort-2.9.0.1/src/dynamic-examples/dynamic-rule/sid637.c 2010-08-25 13:22:41.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/dynamic-rule/sid637.c 2011-07-13 15:44:51.000000000 -0700 @@ -1,8 +1,6 @@ -/* - * sid637.c +/**************************************************************************** * - * Copyright (C) 2006-2008 Sourcefire,Inc - * Steven A. Sturges <ssturges@sourcefire.com> + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,13 +17,10 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Description: - * - * This file is part of an example of a dynamically loadable rules library. - * - * NOTES: - * - */ + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif #include "sf_snort_plugin_api.h" #include "sf_snort_packet.h" @@ -43,7 +38,7 @@ */ /* content:"|0A|help|0A|quite|0A|"; */ -static ContentInfo sid637content = +static ContentInfo sid637content = { (u_int8_t *)"|0A|help|0A|quite|0A|",/* pattern to search for */ 0, /* depth */ 
@@ -55,10 +50,14 @@ 0, /* holder of increment length */ 0, /* holder for fp offset */ 0, /* holder for fp length */ - 0 /* holder for fp only */ + 0, /* holder for fp only */ + NULL, // offset_refId + NULL, // depth_refId + NULL, // offset_location + NULL // depth_location }; -static RuleOption sid637option1 = +static RuleOption sid637option1 = { OPTION_TYPE_CONTENT, { @@ -97,7 +96,7 @@ ANY_PORT /* destination port(s) */ }, /* metadata */ - { + { 3, /* genid -- use 3 to distinguish a C rule */ 637, /* sigid */ 3, /* revision */ diff -Nru snort-2.9.0.1/src/dynamic-examples/Makefile.am snort-2.9.2/src/dynamic-examples/Makefile.am --- snort-2.9.0.1/src/dynamic-examples/Makefile.am 2010-01-22 15:59:31.000000000 -0800 +++ snort-2.9.2/src/dynamic-examples/Makefile.am 2011-10-26 11:28:52.000000000 -0700 @@ -2,8 +2,8 @@ AUTOMAKE_OPTIONS=foreign no-dependencies BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ @@ -25,6 +25,7 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ @@ -43,7 +44,10 @@ include/plugin_enum.h \ include/obfuscation.h \ include/rule_option_types.h \ - include/event.h + include/event.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ @@ -132,7 +136,7 @@ $$dst_header > $$dst_header.new; \ mv $$dst_header.new $$dst_header; \ fi - + copy_headers = \ mkdir -p include; \ mkdir -p build; \ 
@@ -167,25 +171,25 @@ fi # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/profiler.h: $(srcdir)/../profiler.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/cpuclock.h: $(srcdir)/../cpuclock.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) - -include/bounds.h: $(srcdir)/../bounds.h + +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @@ -200,6 +204,12 @@ include/event.h: $(srcdir)/../event.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sfcontrol.h: $(srcdir)/../control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(srcdir)/../idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins include/sf_dynamic_common.h: $(srcdir)/../dynamic-plugins/sf_dynamic_common.h @src_header=$?; dst_header=$@; $(copy_headers) @@ -216,6 +226,9 @@ include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h @src_header=$?; dst_header=$@; $(massage_headers) +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins/sf_preproc_example include/sf_dynamic_preproc_lib.c: $(srcdir)/../dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c @src_header=$?; dst_header=$@; $(copy_headers) 
@@ -262,10 +275,10 @@ include/sfPolicyUserData.c: $(srcdir)/../sfutil/sfPolicyUserData.c @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicyUserData.h: $(srcdir)/../sfutil/sfPolicyUserData.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicy.h: $(srcdir)/../sfutil/sfPolicy.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) @@ -280,6 +293,9 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) @@ -299,7 +315,7 @@ include/plugin_enum.h: $(srcdir)/../plugin_enum.h @src_header=$?; dst_header=$@; $(copy_headers) -INCLUDES = @INCLUDES@ +INCLUDES = @INCLUDES@ if HAVE_DYNAMIC_PLUGINS if BUILD_DYNAMIC_EXAMPLES diff -Nru snort-2.9.0.1/src/dynamic-examples/Makefile.in snort-2.9.2/src/dynamic-examples/Makefile.in --- snort-2.9.0.1/src/dynamic-examples/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/src/dynamic-examples/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -98,7 +98,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -113,7 +115,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = @INCLUDES@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ 
@@ -149,13 +152,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -215,8 +224,8 @@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ @@ -238,6 +247,7 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ @@ -256,7 +266,10 @@ include/plugin_enum.h \ include/obfuscation.h \ include/rule_option_types.h \ - include/event.h + include/event.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ @@ -733,7 +746,7 @@ # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h 
@@ -748,10 +761,10 @@ include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) -include/bounds.h: $(srcdir)/../bounds.h +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @@ -766,6 +779,12 @@ include/event.h: $(srcdir)/../event.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sfcontrol.h: $(srcdir)/../control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(srcdir)/../idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins include/sf_dynamic_common.h: $(srcdir)/../dynamic-plugins/sf_dynamic_common.h @src_header=$?; dst_header=$@; $(copy_headers) @@ -782,6 +801,9 @@ include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h @src_header=$?; dst_header=$@; $(massage_headers) +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins/sf_preproc_example include/sf_dynamic_preproc_lib.c: $(srcdir)/../dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c @src_header=$?; dst_header=$@; $(copy_headers) 
@@ -846,6 +868,9 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) diff -Nru snort-2.9.0.1/src/dynamic-plugins/attribute_table_api.h snort-2.9.2/src/dynamic-plugins/attribute_table_api.h --- snort-2.9.0.1/src/dynamic-plugins/attribute_table_api.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/attribute_table_api.h 2011-10-26 11:28:52.000000000 -0700 @@ -0,0 +1,21 @@ +#ifndef _SF_ATTRIBUTE_TABLE_API_H +#define _SF_ATTRIBUTE_TABLE_API_H +#ifdef TARGET_BASED + +typedef struct +{ + int (*addHost)(snort_ip_p ip); + //int (*delHost)(snort_ip_p ip); + int (*updateOs)(snort_ip_p ip, char *os, char *vendor, char *version, char *fragPolicy, char *streamPolicy); + int (*addService)(snort_ip_p ip, uint16_t port, const char *ipproto, char *protocol, char *application, char *version, uint32_t confidence); + int (*delService)(snort_ip_p ip, uint16_t port); + //int (*addClient)( snort_ip_p ip, char *ipproto, char *protocol, char *application, char *version, uint32_t confidence); + //int (*delClient)( snort_ip_p ip, char *ipproto, char *protocol, char *application); + +} HostAttributeTableApi; + +extern HostAttributeTableApi *AttributeTableAPI; + +#endif +#endif // _SF_ATTRIBUTE_TABLE_API_H + diff -Nru snort-2.9.0.1/src/dynamic-plugins/Makefile.am snort-2.9.2/src/dynamic-plugins/Makefile.am --- snort-2.9.0.1/src/dynamic-plugins/Makefile.am 2009-05-06 15:28:40.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/Makefile.am 2011-10-26 11:28:52.000000000 -0700 
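Review bot: The new attribute_table_api.h is not self-contained: it uses `snort_ip_p`, `uint16_t` and `uint32_t` but includes nothing, so it compiles only when the including file has already pulled in `<stdint.h>` and the IP typedef, and the `include/attribute_table_api.h` copy this commit installs for dynamic plugins will break for any plugin that includes it first. Add `#include <stdint.h>` and the header that declares `snort_ip_p` (its name is not visible in this diff) at the top, inside the guard. The guard name `_SF_ATTRIBUTE_TABLE_API_H` starts with an underscore and an uppercase letter, which C reserves for the implementation; `SF_ATTRIBUTE_TABLE_API_H` avoids that. The commented-out `delHost`/`addClient`/`delClient` members are dead code in a public API header; a single `/* TODO: client-side and delHost callbacks not yet exposed */` line carries the same information without suggesting the struct layout includes them.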
@@ -18,7 +18,8 @@ sp_preprocopt.c \ sp_preprocopt.h \ sf_convert_dynamic.c \ -sf_convert_dynamic.h +sf_convert_dynamic.h \ +attribute_table_api.h INCLUDES = @INCLUDES@ diff -Nru snort-2.9.0.1/src/dynamic-plugins/Makefile.in snort-2.9.2/src/dynamic-plugins/Makefile.in --- snort-2.9.0.1/src/dynamic-plugins/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -117,7 +117,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -132,6 +134,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -168,13 +171,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -249,7 +258,8 @@ sp_preprocopt.c \ sp_preprocopt.h \ sf_convert_dynamic.c \ -sf_convert_dynamic.h +sf_convert_dynamic.h \ +attribute_table_api.h SUBDIRS = sf_engine sf_preproc_example all: all-recursive diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_convert_dynamic.c snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.c --- snort-2.9.0.1/src/dynamic-plugins/sf_convert_dynamic.c 2010-06-09 15:05:07.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.c 2011-07-13 15:44:51.000000000 -0700 
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,6 +22,10 @@ #ifdef DYNAMIC_PLUGIN +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_engine/sf_snort_plugin_api.h" #include "detection_options.h" #include "rules.h" @@ -33,6 +37,7 @@ #include "sp_asn1_detect.h" #include "sp_byte_check.h" #include "sp_byte_jump.h" +#include "sp_byte_extract.h" #include "sp_clientserver.h" #include "sp_flowbits.h" #include "sp_isdataat.h" @@ -40,7 +45,10 @@ #include "sp_pcre.h" #include "sp_hdr_opt_wrap.h" #include "sp_file_data.h" +#include "sp_pkt_data.h" #include "sp_base64_decode.h" +#include "sp_base64_data.h" +#include "sp_preprocopt.h" extern void ParsePattern(char *, OptTreeNode *, int); // extern int PCRESetup(Rule *rule, PCREInfo *pcreInfo); @@ -56,9 +64,12 @@ extern int ByteJump(void *option_data, Packet *p); extern int IsDataAt(void *option_data, Packet *p); extern int FileDataEval(void *option_data, Packet *p); +extern int PktDataEval(void *option_data, Packet *p); +extern int Base64DataEval(void *option_data, Packet *p); extern int Base64DecodeEval(void *option_data, Packet *p) ; static int CheckConvertability(Rule *rule, OptTreeNode *otn); +static int ConvertPreprocessorOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertContentOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertPcreOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertFlowbitOption(Rule *rule, int index, OptTreeNode *otn); 
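Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` in the `@@ -22,6 +22,10 @@` hunk sits inside the pre-existing `#ifdef DYNAMIC_PLUGIN`; if `DYNAMIC_PLUGIN` is itself defined by config.h (as autoconf feature macros usually are) the include is never reached and the whole file compiles to nothing, and if it comes from the compiler command line the include is merely misplaced. Either way the block belongs above `#ifdef DYNAMIC_PLUGIN` as the first include of the file, as sid109.c and sid637.c do in this same commit.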
@@ -72,6 +83,8 @@ static int ConvertSetCursorOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertLoopOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertFileDataOption(Rule *rule, int index, OptTreeNode *otn); +static int ConvertPktDataOption(Rule *rule, int index, OptTreeNode *otn); +static int ConvertBase64DataOption(Rule *rule, int index, OptTreeNode *otn); static int ConvertBase64DecodeOption(Rule *rule, int index, OptTreeNode *otn); /* Use an array of callbacks to handle varying option types @@ -82,7 +95,7 @@ static int (* OptionConverterArray[OPTION_TYPE_MAX]) (Rule *rule, int index, OptTreeNode *otn) = { - NULL, + ConvertPreprocessorOption, ConvertContentOption, ConvertPcreOption, ConvertFlowbitOption, @@ -96,6 +109,8 @@ ConvertSetCursorOption, ConvertLoopOption, ConvertFileDataOption, + ConvertPktDataOption, + ConvertBase64DataOption, ConvertBase64DecodeOption }; @@ -116,9 +131,9 @@ { int ret; int optype = rule->options[i]->optionType; - if (optype < OPTION_TYPE_CONTENT || optype >= OPTION_TYPE_MAX) + if (optype < OPTION_TYPE_PREPROCESSOR || optype >= OPTION_TYPE_MAX) return -1; // Invalid option type - + ret = OptionConverterArray[optype](rule, i, otn); if (ret < 0) return -1; @@ -127,7 +142,7 @@ if(otn->proto_nodes) { - for (policyId = 0; + for (policyId = 0; policyId < otn->proto_node_num;policyId++) { rtn = otn->proto_nodes[policyId]; 
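Review bot: `OptionConverterArray` in the `@@ -82` and `@@ -96` hunks is a positional initializer indexed by the option-type enum, and this commit inserts `ConvertPktDataOption` and `ConvertBase64DataOption` between the FileData and Base64Decode slots; that is only correct if the enum gained its new members at exactly those positions, and nothing in this file checks it. Designated initializers keyed on the `OPTION_TYPE_*` constants (`[OPTION_TYPE_CONTENT] = ConvertContentOption, ...`) would make the table immune to ordering; failing that, a comment `/* order must match the OPTION_TYPE_* enum exactly */` belongs above the array. The `@@ -116` hunk's new lower bound `optype < OPTION_TYPE_PREPROCESSOR` is consistent with slot 0 no longer being NULL, which is the one thing that keeps the table call safe.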
@@ -146,6 +161,47 @@
 return 1;
 }
+/* A text-rule byte_extract option can only have NUM_BYTE_EXTRACT_VARS unique
+ variables. This function iterates through a Rule and counts the unique names. */
+static inline int CheckByteExtractVars(Rule *rule)
+{
+ unsigned int i, j, unique_names = 0;
+ char *names[NUM_BYTE_EXTRACT_VARS];
+
+ for (i = 0; i < rule->numOptions; i++)
+ {
+ ByteExtract *data;
+ int unique_name = 1;
+
+ /* Only need byte_extract options */
+ if (rule->options[i]->optionType != OPTION_TYPE_BYTE_EXTRACT)
+ continue;
+
+ /* Check name against other unique names */
+ data = rule->options[i]->option_u.byteExtract;
+ for (j = 0; j < unique_names; j++)
+ {
+ if (strcmp(names[j], data->refId) == 0)
+ {
+ unique_name = 0;
+ break;
+ }
+ }
+
+ /* Add unique names to the array */
+ if (unique_name)
+ {
+ if (unique_names == NUM_BYTE_EXTRACT_VARS)
+ return -1; /* Too many variables! */
+
+ names[unique_names] = data->refId;
+ unique_names++;
+ }
+ }
+
+ return 0;
+}
+
 static int CheckConvertability(Rule *rule, OptTreeNode *otn)
 {
 /* We need to check for any conversion problems up-front. That way,
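Review bot: CheckByteExtractVars passes data->refId straight to strcmp with no NULL check, and refId is supplied by the loaded SO rule rather than by this file, so a byte_extract option carrying no name dereferences NULL inside strcmp. ConvertByteExtractOption later calls strdup on the same field, so rejecting a missing name here protects that path as well: `if (data->refId == NULL) return -1; /* byte_extract needs a variable name */` immediately after data is assigned. The names[] store is correctly bounded by the NUM_BYTE_EXTRACT_VARS check that precedes it.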
@@ -170,19 +226,62 @@
 switch (optype)
 {
 /* Option types not supported for conversion */
- case OPTION_TYPE_PREPROCESSOR:
- case OPTION_TYPE_BYTE_EXTRACT:
 case OPTION_TYPE_SET_CURSOR:
 case OPTION_TYPE_LOOP:
 return -1;
 }
 }
+ /* Check for too many byte_extract variables. These can't be converted
+ because the detection plugin only supports a specific number per rule. */
+ if (CheckByteExtractVars(rule) < 0)
+ return -1;
+
 /* We're good! */
 return 1;
 }
 /* Option-converting functions */
+static int ConvertPreprocessorOption(Rule *rule, int index, OptTreeNode *otn)
+{
+ PreprocessorOption *preprocOpt = rule->options[index]->option_u.preprocOpt;
+ PreprocessorOptionInfo *preprocOptInfo = SnortAlloc(sizeof(PreprocessorOptionInfo));
+ OptFpList *fpl;
+ void *option_dup;
+
+ preprocOptInfo->optionInit = preprocOpt->optionInit;
+ preprocOptInfo->optionEval = preprocOpt->optionEval;
+ preprocOptInfo->optionFpFunc = preprocOpt->optionFpFunc;
+ preprocOptInfo->data = preprocOpt->dataPtr;
+
+ /* FreeOneRule() already calls the cleanup function. Left NULL here
+ to avoid a double-free. */
+ preprocOptInfo->optionCleanup = NULL;
+
+ preprocOptInfo->optionHash = NULL;
+ preprocOptInfo->optionKeyCompare = NULL;
+ preprocOptInfo->otnHandler = NULL;
+
+ // Add to option chain with generic callback
+ fpl = AddOptFuncToList(PreprocessorOptionFunc, otn);
+
+ /*
+ * attach custom info to the context node so that we can call each instance
+ * individually
+ */
+ fpl->context = (void *) preprocOptInfo;
+
+ if (add_detection_option(RULE_OPTION_TYPE_PREPROCESSOR,
+ (void *)preprocOptInfo, &option_dup) == DETECTION_OPTION_EQUAL)
+ {
+ PreprocessorRuleOptionsFreeFunc(preprocOptInfo);
+ fpl->context = preprocOptInfo = option_dup;
+ }
+ fpl->type = RULE_OPTION_TYPE_PREPROCESSOR;
+
+ return 1;
+}
+
 static int ConvertContentOption(Rule *rule, int index, OptTreeNode *otn)
 {
 ContentInfo *content = rule->options[index]->option_u.content;
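Review bot: ConvertPreprocessorOption has no header comment, and the ownership it sets up is subtle enough to need one: preprocOptInfo->data only aliases preprocOpt->dataPtr, optionCleanup is deliberately NULL because FreeOneRule() owns that data, and optionHash/optionKeyCompare are NULL. I would state above the function that the SO rule retains ownership of dataPtr for the lifetime of the OTN, and that with NULL hash/compare callbacks add_detection_option is presumably only able to report DETECTION_OPTION_EQUAL for an identical dataPtr — worth confirming, because a match between distinct dataPtr values would leave the surviving option_dup pointing at data that another rule's cleanup frees. `fpl` from AddOptFuncToList is dereferenced without a NULL check, consistent with the sibling converters in this file. CheckConvertability's body begins outside this hunk.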
@@ -224,10 +323,20 @@ } /* Initialize var numbers */ - pmd->offset_var = -1; - pmd->depth_var = -1; - pmd->distance_var = -1; - pmd->within_var = -1; + if (content->flags & CONTENT_RELATIVE) + { + pmd->distance_var = GetVarByName(content->offset_refId); + pmd->within_var = GetVarByName(content->depth_refId); + pmd->offset_var = -1; + pmd->depth_var = -1; + } + else + { + pmd->offset_var = GetVarByName(content->offset_refId); + pmd->depth_var = GetVarByName(content->depth_refId); + pmd->distance_var = -1; + pmd->within_var = -1; + } /* Set URI buffer flags */ if (content->flags & CONTENT_BUF_URI) @@ -378,8 +487,8 @@ if (pcre_info->flags & CONTENT_BUF_COOKIE) pcre_data->options |= SNORT_PCRE_HTTP_COOKIE; - if (pcre_info->flags & CONTENT_BUF_RAW_URI) - pcre_data->options |= SNORT_PCRE_HTTP_RAW_URI; + if (pcre_info->flags & CONTENT_BUF_URI) + pcre_data->options |= SNORT_PCRE_HTTP_URI; if (pcre_info->flags & CONTENT_BUF_STAT_CODE) pcre_data->options |= SNORT_PCRE_HTTP_STAT_CODE; @@ -477,13 +586,12 @@ csdata->only_reassembled |= ONLY_STREAM; if (flow->flags & FLOW_ESTABLISHED) csdata->established = 1; - else - csdata->unestablished = 1; csdata->stateless = 0; + csdata->unestablished = 0; - otn->stateless = csdata->stateless; otn->established = csdata->established; - otn->unestablished = csdata->unestablished; + otn->stateless = 0; + otn->unestablished = 0; if (add_detection_option(RULE_OPTION_TYPE_FLOW, (void *)csdata, &dup) == DETECTION_OPTION_EQUAL) { @@ -494,6 +602,7 @@ fpl = AddOptFuncToList(CheckFlow, otn); fpl->type = RULE_OPTION_TYPE_FLOW; fpl->context = (void *)csdata; + otn->ds_list[PLUGIN_CLIENTSERVER] = (void *)csdata; return 1; } @@ -538,7 +647,7 @@ void *dup; data->offset = cursor->offset; - data->offset_var = -1; + data->offset_var = GetVarByName(cursor->offset_refId); if (cursor->flags & CONTENT_RELATIVE) data->flags |= ISDATAAT_RELATIVE_FLAG; if (cursor->flags & CONTENT_BUF_RAW) 
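Review bot: The relative branch maps content->offset_refId to distance_var and content->depth_refId to within_var, which assumes SO rules reuse the offset/depth fields for distance/within whenever CONTENT_RELATIVE is set; nothing in the hunk records that convention, and GetVarByName's result is stored without checking for a failed lookup. A comment such as `/* SO rules carry distance/within in offset/depth when CONTENT_RELATIVE is set */` above the if would save the next reader the inference, and if GetVarByName returns a sentinel for an unknown name (presumably -1 — confirm) it is indistinguishable here from "no variable given", so a refId naming an undefined byte_extract variable silently degrades to a literal offset. The same unchecked pattern appears in the isdataat hunk below and in the byte_test and byte_jump hunks on the following line. ConvertContentOption starts and ends outside this hunk.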
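Review bot: The pcre buffer mapping replaces the CONTENT_BUF_RAW_URI → SNORT_PCRE_HTTP_RAW_URI pair with CONTENT_BUF_URI → SNORT_PCRE_HTTP_URI instead of adding it, so an SO-rule pcre that sets CONTENT_BUF_RAW_URI now receives no HTTP buffer flag at all and is evaluated against the default buffer without any conversion error. If raw-URI matching is still supported for converted rules both lines should be present; if it was intentionally dropped, CheckConvertability should refuse the flag rather than let it go silent. The enclosing function lies outside this hunk, so the raw-URI case may be handled elsewhere in it — worth confirming.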
@@ -589,9 +698,9 @@ byte_test->bytes_to_compare = byte->bytes; byte_test->cmp_value = byte->value; - byte_test->cmp_value_var = -1; + byte_test->cmp_value_var = GetVarByName(byte->value_refId); byte_test->offset = byte->offset; - byte_test->offset_var = -1; + byte_test->offset_var = GetVarByName(byte->offset_refId); if (byte->flags & NOT_FLAG) byte_test->not_flag = 1; @@ -611,7 +720,7 @@ byte_test->endianess = BIG; else byte_test->endianess = LITTLE; - + if (byte->flags & EXTRACT_AS_DEC) byte_test->base = 10; if (byte->flags & EXTRACT_AS_OCT) @@ -621,7 +730,7 @@ fpl = AddOptFuncToList(ByteTest, otn); fpl->type = RULE_OPTION_TYPE_BYTE_TEST; - + if (add_detection_option(RULE_OPTION_TYPE_BYTE_TEST, (void *)byte_test, &idx_dup) == DETECTION_OPTION_EQUAL) { free(byte_test); @@ -645,7 +754,7 @@ byte_jump->bytes_to_grab = byte->bytes; byte_jump->offset = byte->offset; - byte_jump->offset_var = -1; + byte_jump->offset_var = GetVarByName(byte->offset_refId); byte_jump->multiplier = byte->multiplier; byte_jump->post_offset = byte->post_offset; 
@@ -685,6 +794,63 @@
 static int ConvertByteExtractOption(Rule *rule, int index, OptTreeNode *otn)
 {
+ ByteExtract *so_byte = rule->options[index]->option_u.byteExtract;
+ ByteExtractData *snort_byte = SnortAlloc(sizeof(ByteExtractData));
+ OptFpList *fpl;
+ void *dup;
+
+ /* Clear out sp_byte_extract.c's variable_names array if this is the first
+ byte_extract option in the rule. */
+ ClearVarNames(otn->opt_func);
+
+ /* Copy over the various struct members */
+ snort_byte->bytes_to_grab = so_byte->bytes;
+ snort_byte->offset = so_byte->offset;
+ snort_byte->align = so_byte->align;
+ snort_byte->name = strdup(so_byte->refId);
+
+ /* In an SO rule, setting multiplier to 0 means that the multiplier is
+ ignored. This is not the case in the text rule version of byte_extract. */
+ if (so_byte->multiplier)
+ snort_byte->multiplier = so_byte->multiplier;
+ else
+ snort_byte->multiplier = 1;
+
+ if (so_byte->flags & CONTENT_RELATIVE)
+ snort_byte->relative_flag = 1;
+
+ if (so_byte->flags & EXTRACT_AS_STRING)
+ snort_byte->data_string_convert_flag = 1;
+
+ if (so_byte->flags & BYTE_BIG_ENDIAN)
+ snort_byte->endianess = BIG;
+ else
+ snort_byte->endianess = LITTLE;
+
+ if (so_byte->flags & EXTRACT_AS_HEX)
+ snort_byte->base = 16;
+ if (so_byte->flags & EXTRACT_AS_DEC)
+ snort_byte->base = 10;
+ if (so_byte->flags & EXTRACT_AS_OCT)
+ snort_byte->base = 8;
+
+ snort_byte->var_number = AddVarNameToList(snort_byte);
+ snort_byte->byte_order_func = NULL;
+
+ /* Add option to list */
+ fpl = AddOptFuncToList(DetectByteExtract, otn);
+ fpl->type = RULE_OPTION_TYPE_BYTE_EXTRACT;
+ if (add_detection_option(RULE_OPTION_TYPE_BYTE_EXTRACT, (void *)snort_byte, &dup) == DETECTION_OPTION_EQUAL)
+ {
+ free(snort_byte->name);
+ free(snort_byte);
+ snort_byte = dup;
+ }
+
+ fpl->context = (void *) snort_byte;
+ if (snort_byte->relative_flag)
+ fpl->isRelative = 1;
+
 return 0;
 }
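Review bot: `snort_byte->name = strdup(so_byte->refId);` is unchecked, so on allocation failure name is NULL when AddVarNameToList(snort_byte) runs, and a NULL refId from the SO rule is undefined behaviour inside strdup itself. The file already treats allocation failure as fatal through SnortAlloc, so `snort_byte->name = SnortStrdup(so_byte->refId);` (SnortStrdup is used elsewhere in this diff) matches that policy, with a NULL refId rejected up front in CheckByteExtractVars. On the dedupe path the function frees snort_byte right after AddVarNameToList registered it; that is only safe if AddVarNameToList copies the name rather than retaining the pointer — worth confirming. The function also keeps `return 0;` while every sibling converter returns 1; the caller only tests for a negative result so this is harmless, but `return 1;` makes the contract uniform.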
@@ -723,6 +889,25 @@
 return 1;
 }
+static int ConvertPktDataOption(Rule *rule, int index, OptTreeNode *otn)
+{
+ OptFpList *fpl;
+ fpl = AddOptFuncToList(PktDataEval, otn);
+ fpl->type = RULE_OPTION_TYPE_PKT_DATA;
+
+ return 1;
+}
+
+
+static int ConvertBase64DataOption(Rule *rule, int index, OptTreeNode *otn)
+{
+ OptFpList *fpl;
+ fpl = AddOptFuncToList(Base64DataEval, otn);
+ fpl->type = RULE_OPTION_TYPE_BASE64_DATA;
+
+ return 1;
+}
+
 static int ConvertBase64DecodeOption(Rule *rule, int index, OptTreeNode *otn)
 {
 base64DecodeData *bData = rule->options[index]->option_u.bData;
diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_convert_dynamic.h snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.h
--- snort-2.9.0.1/src/dynamic-plugins/sf_convert_dynamic.h 2010-01-26 10:09:50.000000000 -0800
+++ snort-2.9.2/src/dynamic-plugins/sf_convert_dynamic.h 2011-02-09 15:23:08.000000000 -0800
@@ -1,7 +1,7 @@
 /* $Id$ */
 /****************************************************************************
 *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_common.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_common.h
--- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_common.h 2010-10-25 12:49:04.000000000 -0700
+++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_common.h 2011-10-26 11:28:52.000000000 -0700
@@ -14,7 +14,7 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 */
 #ifndef _SF_DYNAMIC_COMMON_H_
@@ -26,10 +26,21 @@ #include <stdint.h> #endif +typedef enum { + SF_FLAG_ALT_DECODE = 0x0001, + SF_FLAG_ALT_DETECT = 0x0002, + SF_FLAG_DETECT_ALL = 0xffff +} SFDetectFlagType; + typedef void (*LogMsgFunc)(const char *, ...); -typedef void (*DebugMsgFunc)(int, char *, ...); -#ifdef HAVE_WCHAR_H -typedef void (*DebugWideMsgFunc)(int, wchar_t *, ...); +typedef void (*DebugMsgFunc)(uint64_t, char *, ...); +typedef int (*GetAltDetectFunc)(uint8_t **, uint16_t *); +typedef void (*SetAltDetectFunc)(uint8_t *,uint16_t ); +typedef int (*IsDetectFlagFunc)(SFDetectFlagType); +typedef void (*DetectFlagDisableFunc)(SFDetectFlagType); +#ifdef SF_WCHAR +#include <wchar.h> +typedef void (*DebugWideMsgFunc)(uint64_t, wchar_t *, ...); #endif #define STD_BUF 1024 @@ -61,20 +72,13 @@ } UriInfo; typedef struct { + uint8_t *data; + uint16_t len; +} SFDataPointer; + +typedef struct { uint8_t data[DECODE_BLEN]; uint16_t len; } SFDataBuffer; -#define SetAltBuffer(pktPtr, altLen) \ -{ \ - pktPtr->flags |= FLAG_ALT_DECODE; \ - _dpd.altBuffer->len = altLen; \ -} - -#define ResetAltBuffer(pktPtr) \ -{ \ - pktPtr->flags &= ~FLAG_ALT_DECODE; \ - _dpd.altBuffer->len = 0; \ -} - #endif /* _SF_DYNAMIC_COMMON_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_define.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_define.h --- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_define.h 2010-06-09 15:05:07.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_define.h 2011-06-07 17:33:10.000000000 -0700 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2007-2010 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * Author: Russ Combs * 
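Review bot: SFDataPointer is a bare pointer/length pair that now crosses the plugin ABI (the engine and preprocessor data structs point altDetect and fileDataBuf at it) with no comment on who owns the memory behind data, how long it stays valid, or that len is deliberately 16-bit. A short block comment on the typedef — purpose, owner, lifetime, and that a writer of len must never exceed UINT16_MAX — would record what plugins may rely on. SetAltDetectFunc takes its length as uint16_t too, so a plugin holding a 32-bit length silently truncates at the call; that belongs in the same comment. Widening DebugMsgFunc's level to uint64_t and adding the new typedefs changes the structs built from them, so the engine/preprocessor version constants presumably bump elsewhere — worth confirming.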
@@ -26,10 +26,6 @@ #ifndef _SF_DYNAMIC_DEFINE_H_ #define _SF_DYNAMIC_DEFINE_H_ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - /* the OPTION_TYPE_* and FLOW_* values * are used as args to the hasFunc() * which replaces the prior has*Func()s. @@ -52,12 +48,14 @@ OPTION_TYPE_SET_CURSOR, OPTION_TYPE_LOOP, OPTION_TYPE_FILE_DATA, + OPTION_TYPE_PKT_DATA, + OPTION_TYPE_BASE64_DATA, OPTION_TYPE_BASE64_DECODE, OPTION_TYPE_MAX } DynamicOptionType; // beware: these are redefined from sf_snort_packet.h FLAG_*! -#define FLOW_ESTABLISHED 0x0010 +#define FLOW_ESTABLISHED 0x0008 #define FLOW_FR_SERVER 0x0040 #define FLOW_TO_CLIENT 0x0040 /* Just for convenience */ #define FLOW_TO_SERVER 0x0080 @@ -86,7 +84,7 @@ # endif # define DLL_LOCAL #else -# ifdef HAVE_VISIBILITY +# ifdef SF_VISIBILITY # define SO_PUBLIC __attribute__ ((visibility("default"))) # define SO_PRIVATE __attribute__ ((visibility("hidden"))) # else @@ -96,5 +94,18 @@ #endif #endif +/* Parameters are rule info pointer, int to indicate URI or NORM, + * and list pointer */ +/* These need to match HTTP_SEARCH_xxx defined in sp_pattern_match.h + * for proper fast pattern match pattern selection */ +#define CONTENT_HTTP_URI 0x01 +#define CONTENT_HTTP_HEADER 0x04 +#define CONTENT_HTTP_CLIENT_BODY 0x10 +#define CONTENT_HTTP_METHOD 0x20 + +#define CONTENT_NORMAL 0x400 +#define CONTENT_HTTP (CONTENT_HTTP_URI|CONTENT_HTTP_HEADER|\ + CONTENT_HTTP_CLIENT_BODY|CONTENT_HTTP_METHOD) + #endif /* _SF_DYNAMIC_DEFINE_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_detection.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_detection.h --- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_detection.h 2010-01-26 10:09:51.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_detection.h 2011-02-09 15:23:08.000000000 -0800 
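Review bot: Inserting OPTION_TYPE_PKT_DATA and OPTION_TYPE_BASE64_DATA ahead of OPTION_TYPE_BASE64_DECODE renumbers that value and OPTION_TYPE_MAX, and FLOW_ESTABLISHED and the CONTENT_HTTP_* values are changed with comments saying they must track FLAG_* in sf_snort_packet.h and HTTP_SEARCH_xxx in sp_pattern_match.h; nothing checks any of this at build time, so drift would silently select the wrong buffer or flow state in converted rules. This header evidently cannot include those files, but a compile-time check in a Snort-side translation unit that sees both sides, e.g. `typedef char flow_established_matches[(FLOW_ESTABLISHED == <packet-header FLAG value>) ? 1 : -1];` for each pair, would catch a mismatch. Because these values are compiled into SO rules and preprocessors, a plugin built against the previous header would misinterpret option types; I assume the engine/preprocessor version checks refuse such plugins, but that is worth confirming.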
@@ -15,7 +15,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_engine.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_engine.h --- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_engine.h 2010-10-25 12:49:04.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_engine.h 2011-11-21 12:15:24.000000000 -0800 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -24,10 +24,6 @@ #ifndef _SF_DYNAMIC_ENGINE_H_ #define _SF_DYNAMIC_ENGINE_H_ -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - #ifndef WIN32 #include <sys/types.h> #else @@ -36,9 +32,8 @@ #include "sf_dynamic_define.h" #include "sf_dynamic_meta.h" -#include "sf_types.h" -/* specifies that a function does not return +/* specifies that a function does not return * used for quieting Visual Studio warnings */ #ifdef WIN32 
@@ -71,44 +66,35 @@ char fp; char fp_only; char uri_buffer; - u_int16_t fp_offset; - u_int16_t fp_length; + uint16_t fp_offset; + uint16_t fp_length; struct _FPContentInfo *next; } FPContentInfo; -/* Parameters are rule info pointer, int to indicate URI or NORM, - * and list pointer */ -#define CONTENT_NORMAL 0x01 -#define CONTENT_HTTP_URI 0x02 -#define CONTENT_HTTP_HEADER 0x04 -#define CONTENT_HTTP_CLIENT_BODY 0x08 -#define CONTENT_HTTP_METHOD 0x10 -#define CONTENT_HTTP (CONTENT_HTTP_URI|CONTENT_HTTP_HEADER|\ - CONTENT_HTTP_CLIENT_BODY|CONTENT_HTTP_METHOD) typedef int (*GetDynamicContentsFunction)(void *, int, FPContentInfo **); typedef int (*GetDynamicPreprocOptFpContentsFunc)(void *, FPContentInfo **); typedef void (*RuleFreeFunc)(void *); /* ruleInfo is passed to OTNCheckFunction when the fast pattern matches. */ typedef int (*RegisterRule)( - u_int32_t, u_int32_t, void *, + uint32_t, uint32_t, void *, OTNCheckFunction, OTNHasFunction, int, GetDynamicContentsFunction, RuleFreeFunc, GetDynamicPreprocOptFpContentsFunc ); -typedef u_int32_t (*RegisterBit)(char *, int); +typedef uint32_t (*RegisterBit)(char *, int); typedef void (*UnregisterBit)(char *, int); -typedef int (*CheckFlowbit)(void *, int, u_int32_t); -typedef int (*DetectAsn1)(void *, void *, const u_int8_t *); -typedef int (*PreprocOptionEval)(void *p, const u_int8_t **cursor, void *dataPtr); +typedef int (*CheckFlowbit)(void *, int, uint32_t); +typedef int (*DetectAsn1)(void *, void *, const uint8_t *); +typedef int (*PreprocOptionEval)(void *p, const uint8_t **cursor, void *dataPtr); typedef int (*PreprocOptionInit)(char *, char *, void **dataPtr); typedef void (*PreprocOptionCleanup)(void *dataPtr); -typedef int (*SfUnfold)(const u_int8_t *, u_int32_t , u_int8_t *, u_int32_t , u_int32_t *); -typedef int (*SfBase64Decode)(u_int8_t *, u_int32_t , u_int8_t *, u_int32_t , u_int32_t *); +typedef int (*SfUnfold)(const uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); +typedef int 
(*SfBase64Decode)(uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); #define PREPROC_OPT_EQUAL 0 #define PREPROC_OPT_NOT_EQUAL 1 -typedef u_int32_t (*PreprocOptionHash)(void *); +typedef uint32_t (*PreprocOptionHash)(void *); typedef int (*PreprocOptionKeyCompare)(void *, void *); /* Function prototype for rule options that want to add patterns to the * fast pattern matcher */ @@ -152,7 +138,9 @@ { int version; - SFDataBuffer* altBuffer; + SFDataBuffer *altBuffer; + SFDataPointer *altDetect; + SFDataPointer *fileDataBuf; UriInfo *uriBuffers[HTTP_BUFFER_MAX]; RegisterRule ruleRegister; @@ -170,7 +158,7 @@ GetRuleData getRuleData; DebugMsgFunc debugMsg; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR DebugWideMsgFunc debugWideMsg; #endif @@ -180,10 +168,12 @@ PCRECompileFunc pcreCompile; PCREStudyFunc pcreStudy; PCREExecFunc pcreExec; - const u_char **fileDataBuf; - uint32_t *mime_size; SfUnfold sfUnfold; SfBase64Decode sfbase64decode; + GetAltDetectFunc GetAltDetect; + SetAltDetectFunc SetAltDetect; + IsDetectFlagFunc Is_DetectFlag; + DetectFlagDisableFunc DetectFlag_Disable; AllocRuleData allocRuleData; FreeRuleData freeRuleData; @@ -192,6 +182,8 @@ } DynamicEngineData; +extern DynamicEngineData _ded; + /* Function prototypes for Dynamic Engine Plugins */ void CloseDynamicEngineLibs(void); void LoadAllDynamicEngineLibs(char *path); diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_meta.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_meta.h --- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_meta.h 2010-01-26 10:09:51.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_meta.h 2011-02-09 15:23:08.000000000 -0800 
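Review bot: `extern DynamicEngineData _ded;` uses a file-scope identifier beginning with an underscore, which C reserves for the implementation; the file's existing `_dpd` has the same issue, so this follows local convention rather than fixing it. The new function-pointer members `GetAltDetect`, `SetAltDetect`, `Is_DetectFlag` and `DetectFlag_Disable` mix CapitalCase and underscores in a struct whose other members are camelCase (`ruleRegister`, `sfUnfold`, `allocRuleData`); `getAltDetect`, `setAltDetect`, `isDetectFlag` and `detectFlagDisable` would match. Replacing `const u_char **fileDataBuf` with `SFDataPointer *fileDataBuf` also drops the const, so engine code can now write through the file-data pointer; if that is intended, a comment on the member saying so would help.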
@@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_plugins.c snort-2.9.2/src/dynamic-plugins/sf_dynamic_plugins.c --- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_plugins.c 2010-10-25 12:49:04.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_plugins.c 2011-11-21 12:15:24.000000000 -0800 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -52,7 +52,7 @@ /* Of course, WIN32 couldn't do things the unix way... * Define a few of these to get around portability issues. */ -#define getcwd _getcwd +#define getcwd _getcwd #ifndef PATH_MAX #define PATH_MAX MAX_PATH #endif @@ -63,7 +63,7 @@ #include "config.h" #include "decode.h" #include "encode.h" -#include "debug.h" +#include "snort_debug.h" #include "detect.h" #include "util.h" #include "snort.h" @@ -88,13 +88,15 @@ #include "event_wrapper.h" #include "util.h" #include "detection_util.h" +#include "sfcontrol_funcs.h" +#include "idle_processing_funcs.h" #ifdef TARGET_BASED #include "target-based/sftarget_protocol_reference.h" #include "target-based/sftarget_reader.h" #endif -#ifndef DEBUG +#ifndef DEBUG_MSGS char *no_file = "unknown"; int no_line = 0; #endif 
@@ -345,12 +347,12 @@ if ( count == 0 ) { - LogMessage("Warning: No dynamic libraries found in directory %s!\n", path); + LogMessage("WARNING: No dynamic libraries found in directory %s.\n", path); } } else { - LogMessage("Warning: Directory %s does not exist!\n", path); + LogMessage("WARNING: Directory %s does not exist.\n", path); } #else /* Find all shared library files in path */ @@ -463,7 +465,7 @@ int testNum = 0; DynamicEnginePlugin *curPlugin = loadedEngines; CompatibilityFunc versFunc = NULL; - + while( curPlugin != NULL) { versFunc = (CompatibilityFunc)curPlugin->versCheck; @@ -472,19 +474,19 @@ { DynamicDetectionPlugin *lib = loadedDetectionPlugins; while( lib != NULL) - { - if (lib->metaData.type == TYPE_DETECTION) + { + if (lib->metaData.type == TYPE_DETECTION) { RequiredEngineLibFunc engineFunc; DynamicPluginMeta reqEngineMeta; - + engineFunc = (RequiredEngineLibFunc) getSymbol(lib->handle, "EngineVersion", &(lib->metaData), 1); if( engineFunc != NULL) { engineFunc(&reqEngineMeta); } testNum = versFunc(&curPlugin->metaData, &reqEngineMeta); - if( testNum ) + if( testNum ) { FatalError("Dynamic detection lib %s %d.%d isn't compatible with the current dynamic engine library " "%s %d.%d.\n" @@ -500,8 +502,8 @@ if( testNum ) break; curPlugin = curPlugin->next; } - - return(testNum); + + return(testNum); } int LoadDynamicEngineLib(char *library_name, int indent) @@ -515,7 +517,7 @@ #if 0 #ifdef SUP_IP6 LogMessage("%sDynamic engine will not be loaded since dynamic detection " - "libraries are not yet supported with IPv6.\n", + "libraries are not yet supported with IPv6.\n", indent?" ":""); return 0; #endif @@ -538,10 +540,10 @@ CloseDynamicLibrary(handle); LogMessage("failed, not an Engine\n"); return 0; - } - + } + AddEnginePlugin(handle, engineInit, compatFunc, &metaData); - + LogMessage("done\n"); return 0; } 
@@ -994,7 +996,7 @@ detectionLibOkay = 1; break; } - + /* Major match, minor must be >= */ if (!strcmp(plugin->metaData.uniqueName, reqEngineMeta.uniqueName) && plugin->metaData.major == reqEngineMeta.major && @@ -1038,7 +1040,7 @@ { if (plugin->initFunc(info)) { - FatalError("Failed to initialize dynamic engine: %s version %d.%d.%d\n", + FatalError("Failed to initialize dynamic engine: %s version %d.%d.%d\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, plugin->metaData.build); //return -1; @@ -1119,7 +1121,7 @@ if (stream_api && pkt && pkt->ssnptr) { DynamicRuleSessionData *head = - (DynamicRuleSessionData *)stream_api->get_application_data(pkt->ssnptr, PP_RULES); + (DynamicRuleSessionData *)stream_api->get_application_data(pkt->ssnptr, PP_SHARED_RULES); DynamicRuleSessionData *tmp = head; DynamicRuleSessionData *tail = NULL; @@ -1157,7 +1159,7 @@ if (head == NULL) { - if (stream_api->set_application_data(pkt->ssnptr, PP_RULES, + if (stream_api->set_application_data(pkt->ssnptr, PP_SHARED_RULES, (void *)tmp, DynamicRuleDataFreeSession) != 0) { DynamicRuleDataFree(tmp); @@ -1182,7 +1184,7 @@ if (stream_api && pkt && pkt->ssnptr) { DynamicRuleSessionData *head = - (DynamicRuleSessionData *)stream_api->get_application_data(pkt->ssnptr, PP_RULES); + (DynamicRuleSessionData *)stream_api->get_application_data(pkt->ssnptr, PP_SHARED_RULES); while (head != NULL) { 
@@ -1270,13 +1272,20 @@ return pcre_exec((const pcre *)code, (const pcre_extra *)extra, subj, len, start, options, ovec, ovecsize); } +static int setFlowId(const void* p, uint32_t id) +{ + return DAQ_ModifyFlow(p, id); +} + int InitDynamicEngines(char *dynamic_rules_path) { int i; DynamicEngineData engineData; engineData.version = ENGINE_DATA_VERSION; - engineData.altBuffer = (SFDataBuffer*)&DecodeBuffer; + engineData.altBuffer = (SFDataBuffer *)&DecodeBuffer; + engineData.altDetect = (SFDataPointer *)&DetectBuffer; + engineData.fileDataBuf = (SFDataPointer *)&file_data_ptr; for (i=0;i<HTTP_BUFFER_MAX;i++) engineData.uriBuffers[i] = (UriInfo*)&UriBufs[i]; @@ -1302,12 +1311,16 @@ engineData.sfUnfold = &DynamicsfUnfold; engineData.sfbase64decode = &Dynamicsfbase64decode; + engineData.GetAltDetect = &DynamicGetAltDetect; + engineData.SetAltDetect = &DynamicSetAltDetect; + engineData.Is_DetectFlag = &DynamicIsDetectFlag; + engineData.DetectFlag_Disable = &DynamicDetectFlagDisable; engineData.debugMsg = &DebugMessageFunc; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR engineData.debugWideMsg = &DebugWideMessageFunc; #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS engineData.debugMsgFile = &DebugMessageFile; engineData.debugMsgLine = &DebugMessageLine; #else @@ -1318,8 +1331,6 @@ engineData.pcreStudy = &pcreStudy; engineData.pcreCompile = &pcreCompile; engineData.pcreExec = &pcreExec; - engineData.fileDataBuf = &file_data_ptr; - engineData.mime_size = &mime_decode_size; engineData.allocRuleData = &DynamicRuleDataAlloc; engineData.freeRuleData = &DynamicRuleDataFree; @@ -1340,7 +1351,7 @@ int i = plugin->initFunc(info); if (i) { - FatalError("Failed to initialize dynamic preprocessor: %s version %d.%d.%d (%d)\n", + FatalError("Failed to initialize dynamic preprocessor: %s version %d.%d.%d (%d)\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, plugin->metaData.build, i); //return -1; 
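Review bot: `engineData.altDetect = (SFDataPointer *)&DetectBuffer;` and `engineData.fileDataBuf = (SFDataPointer *)&file_data_ptr;` reinterpret two Snort-internal objects as SFDataPointer purely by cast, so the compiler cannot tell if their layouts ever diverge from `{uint8_t *data; uint16_t len;}`; file_data_ptr in particular used to be handed out as `const u_char **`, so its type has evidently changed and the cast hides that. Declaring DetectBuffer and file_data_ptr as SFDataPointer (or a struct with identical members) where they are defined would remove the casts; failing that, a comment here naming the layout dependency is the minimum. `setFlowId` is also the only helper in this block without the Dynamic prefix its neighbours use. The same two casts recur in the InitDynamicPreprocessors hunk further down.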
@@ -1354,15 +1365,23 @@ /* Do this to avoid exposing Packet & PreprocessFuncNode from * snort to non-GPL code */ typedef void (*SnortPacketProcessFunc)(Packet *, void *); -void *AddPreprocessor(void (*pp_func)(void *, void *), u_int16_t priority, - u_int32_t preproc_id, u_int32_t proto_mask) +void *AddPreprocessor(void (*pp_func)(void *, void *), uint16_t priority, + uint32_t preproc_id, uint32_t proto_mask) { SnortPacketProcessFunc preprocessorFunc = (SnortPacketProcessFunc)pp_func; return (void *)AddFuncToPreprocList(preprocessorFunc, priority, preproc_id, proto_mask); } -void *AddDetection(void (*det_func)(void *, void *), u_int16_t priority, - u_int32_t det_id, u_int32_t proto_mask) +typedef void (*MetadataProcessFunc)(int, const uint8_t *); +void *AddMetaEval(void (*meta_eval_func)(int, const uint8_t *), uint16_t priority, + uint32_t preproc_id) +{ + MetadataProcessFunc metaEvalFunc = (MetadataProcessFunc)meta_eval_func; + return (void *)AddFuncToPreprocMetaEvalList(metaEvalFunc, priority, preproc_id); +} + +void *AddDetection(void (*det_func)(void *, void *), uint16_t priority, + uint32_t det_id, uint32_t proto_mask) { SnortPacketProcessFunc detectionFunc = (SnortPacketProcessFunc)det_func; return (void *)AddFuncToDetectionList(detectionFunc, priority, det_id, proto_mask); 
@@ -1388,19 +1407,29 @@
 return Detect((Packet *)p);
 }
-int DynamicSetPreprocessorBit(void *p, u_int32_t preprocId)
+int DynamicSetPreprocessorBit(void *p, uint32_t preprocId)
 {
 return SetPreprocBit((Packet *)p, preprocId);
 }
-int DynamicSetPreprocessorReassemblyPktBit(void *p, u_int32_t preprocId)
+void DynamicDropReset(void *p)
 {
- return SetPreprocReassemblyPktBit((Packet *)p, preprocId);
+ Active_DropSession();
 }
-void DynamicDropInline(void *p)
+void DynamicForceDropPacket(void *p)
 {
- Active_DropSession();
+ Active_ForceDropAction((Packet *)p);
+}
+
+void DynamicForceDropReset(void *p)
+{
+ Active_ForceDropResetAction((Packet *)p);
+}
+
+void DynamicActiveSetEnabled(int on_off)
+{
+ Active_SetEnabled(on_off);
 }
 void *DynamicGetRuleClassByName(char *name)
@@ -1413,7 +1442,7 @@
 return (void *)ClassTypeLookupById(snort_conf, id);
 }
-void DynamicRegisterPreprocessorProfile(char *keyword, void *stats, int layer, void *parent)
+void DynamicRegisterPreprocessorProfile(const char *keyword, void *stats, int layer, void *parent)
 {
 #ifdef PERF_PROFILING
 RegisterPreprocessorProfile(keyword, (PreprocStats *)stats, layer, (PreprocStats *)parent);
@@ -1445,7 +1474,7 @@
 sfiph_build((Packet *)p, hdr, family);
 }
-static INLINE void DynamicIP6SetCallbacks(void *p, int family, char orig)
+static inline void DynamicIP6SetCallbacks(void *p, int family, char orig)
 {
 set_callbacks((Packet *)p, family, orig);
 }
@@ -1471,6 +1500,18 @@
 return getDefaultPolicy();
 }
+tSfPolicyId DynamicGetPolicyFromId(uint16_t id)
+{
+ return sfPolicyIdGetBinding(snort_conf->policy_config, id);
+}
+
+void DynamicChangeRuntimePolicy(tSfPolicyId new_id, void *p)
+{
+ setRuntimePolicy(new_id);
+ ((Packet *)p)->configPolicyId =
+ snort_conf->targeted_policies[new_id]->configPolicyId;
+}
+
 static void* DynamicEncodeNew (void)
 {
 return (void*)Encode_New();
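Review bot: DynamicChangeRuntimePolicy indexes `snort_conf->targeted_policies[new_id]` and dereferences the result with no bounds or NULL check, while the companion DynamicGetPolicyFromId returns whatever sfPolicyIdGetBinding yields for an id a preprocessor derived from traffic; if that lookup can return an unbound or out-of-range id (presumably a sentinel — confirm), a plugin that forwards it here reads past the array or through NULL before the policy switch is even attempted. Validating first, e.g. `if (new_id >= <number of targeted policies> || snort_conf->targeted_policies[new_id] == NULL) return;`, keeps a bad id from changing policy at all; setRuntimePolicy should come after that check, not before. DynamicDropReset now ignores its `p` parameter entirely; `(void)p;` or a comment would show that is intentional.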
@@ -1481,9 +1522,9 @@
 Encode_Delete((Packet*)p);
 }
-static int DynamicEncodeFormat (uint32_t f, const void* p, void *c)
+static int DynamicEncodeFormat (uint32_t f, const void* p, void *c, int t)
 {
- return Encode_Format(f, (Packet*)p, (Packet*)c);
+ return Encode_Format(f, (Packet*)p, (Packet*)c, (PseudoPacketType)t);
 }
 static void DynamicEncodeUpdate (void* p)
@@ -1491,16 +1532,34 @@
 Encode_Update((Packet*)p);
 }
+void DynamicSendBlockResponseMsg(void *p, const uint8_t* buffer, uint32_t buffer_len)
+{
+ Packet *packet = (Packet *)p;
+ EncodeFlags df = (packet->packet_flags & PKT_FROM_SERVER) ? ENC_FLAG_FWD:0;
+ Active_SendData(packet, df, buffer, buffer_len);
+}
+
 void DynamicSetParserPolicy(tSfPolicyId id)
 {
 setParserPolicy(id);
 }
-void DynamicSetFileDataPtr(const u_char *ptr, uint32_t decode_size)
+void DynamicSetFileDataPtr(uint8_t *ptr, uint16_t decode_size)
 {
 setFileDataPtr(ptr, decode_size);
 }
+void DynamicDetectResetPtr(uint8_t *ptr, uint16_t decode_size)
+{
+ DetectReset(ptr, decode_size);
+}
+
+
+void DynamicSetAltDecode(uint16_t altLen)
+{
+ SetAltDecode(altLen);
+}
+
 int DynamicGetInlineMode(void)
 {
 return ScInlineMode();
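Review bot: `(PseudoPacketType)t` converts an int supplied by a plugin into an enum with no range check, so an out-of-range value reaches Encode_Format as an enumerator that does not exist. Unless Encode_Format validates it (its body is not in this diff), a guard such as `if (t < 0 || t >= <number of PseudoPacketType values>) return -1;` before the call keeps the plugin ABI from passing garbage through, assuming Encode_Format's return convention admits an error value — confirm.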
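Review bot: DynamicSetFileDataPtr's decode_size is narrowed from uint32_t to uint16_t, so a preprocessor that still computes a 32-bit length has it silently reduced modulo 65536 at the call and detection then runs over a shorter file-data buffer than the caller believes it set; DynamicDetectResetPtr and DynamicSetAltDecode take the same 16-bit lengths. A comment on these three functions stating that lengths above UINT16_MAX are not representable and must be capped by the caller, and ideally a clamp like `if (decode_size > <buffer capacity>) decode_size = <buffer capacity>;` on the Snort side, would make the contract visible. DynamicSendBlockResponseMsg forwards the plugin-supplied buffer and length straight to Active_SendData, which is fine as long as that function bounds its own writes — its body is outside this diff.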
@@ -1522,11 +1581,46 @@
 }
+const char *DynamicSnortStrcasestr(const char *s, int slen, const char *accept)
+{
+ return SnortStrcasestr(s, slen, accept);
+}
+
+int DynamicSnortStrncpy(char *dst, const char *src, size_t dst_size)
+{
+ return SnortStrncpy(dst, src, dst_size);
+}
+
+const char *DynamicSnortStrnPbrk(const char *s, int slen, const char *accept)
+{
+ return SnortStrnPbrk(s, slen, accept);
+}
+
 int DynamicEvalRTN(void *rtn, void *p, int check_ports)
 {
 return fpEvalRTN((RuleTreeNode *)rtn, (Packet *)p, check_ports);
 }
+char *DynamicGetLogDirectory(void)
+{
+ return SnortStrdup(snort_conf->log_dir);
+}
+
+uint32_t DynamicGetSnortInstance(void)
+{
+ return (snort_conf->event_log_id >> 16);
+}
+
+bool DynamicIsPafEnabled(void)
+{
+ return ScPafEnabled();
+}
+
+int DynamicSnortIsStrEmpty(const char *s)
+{
+ return IsEmptyStr((char*)s);
+}
+
 int InitDynamicPreprocessors(void)
 {
 int i;
@@ -1535,8 +1629,9 @@
 preprocData.version = PREPROCESSOR_DATA_VERSION;
 preprocData.size = sizeof(DynamicPreprocessorData);
- preprocData.altBuffer = (SFDataBuffer*)&DecodeBuffer;
- preprocData.altBufferSize = sizeof(DecodeBuffer.data);
+ preprocData.altBuffer = (SFDataBuffer *)&DecodeBuffer;
+ preprocData.altDetect = (SFDataPointer *)&DetectBuffer;
+ preprocData.fileDataBuf = (SFDataPointer *)&file_data_ptr;
 for (i=0;i<HTTP_BUFFER_MAX;i++)
 preprocData.uriBuffers[i] = (UriInfo*)&UriBufs[i];
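Review bot: DynamicGetLogDirectory returns SnortStrdup(snort_conf->log_dir) without documenting that the caller owns and must free the result, while the other getters in this file return borrowed pointers, so a plugin following the local pattern leaks one allocation per call; `/* Returns a heap copy of the log directory; the caller frees it. */` on the function (and on its prototype in sf_dynamic_preprocessor.h, outside this view) fixes that. If snort_conf->log_dir can be NULL, SnortStrdup needs a check before the call — confirm. DynamicSnortIsStrEmpty casts away const to call IsEmptyStr; if IsEmptyStr does not modify its argument, giving it a `const char *` parameter is cleaner than the cast, and if it does, this wrapper's const promise is false.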
@@ -1545,13 +1640,14 @@ preprocData.errMsg = &ErrorMessage; preprocData.fatalMsg = &FatalError; preprocData.debugMsg = &DebugMessageFunc; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR preprocData.debugWideMsg = &DebugWideMessageFunc; #endif - + preprocData.registerPreproc = &RegisterPreprocessor; preprocData.addPreproc = &AddPreprocessor; - preprocData.addPreprocUnused = NULL; + preprocData.addMetaEval = &AddMetaEval; + preprocData.getSnortInstance = DynamicGetSnortInstance; preprocData.addPreprocExit = &AddFuncToPreprocCleanExitList; preprocData.addPreprocConfCheck = &AddPreprocessorCheck; preprocData.preprocOptRegister = &RegisterPreprocessorRuleOption; @@ -1566,7 +1662,7 @@ preprocData.alertAdd = &SnortEventqAdd; preprocData.genSnortEvent = &GenerateSnortEvent; preprocData.thresholdCheck = &sfthreshold_test; - preprocData.inlineDrop = &DynamicDropInline; + preprocData.inlineDropAndReset = &DynamicDropReset; preprocData.detect = &DynamicDetect; preprocData.disableDetect = &DynamicDisableDetection; @@ -1587,7 +1683,7 @@ preprocData.preprocess = &DynamicPreprocess; -#ifdef DEBUG +#ifdef DEBUG_MSGS preprocData.debugMsgFile = &DebugMessageFile; preprocData.debugMsgLine = &DebugMessageLine; #else @@ -1598,8 +1694,6 @@ preprocData.registerPreprocStats = &RegisterPreprocStats; preprocData.addPreprocReset = &AddFuncToPreprocResetList; preprocData.addPreprocResetStats = &AddFuncToPreprocResetStatsList; - preprocData.addPreprocReassemblyPkt = &AddFuncToPreprocReassemblyPktList; - preprocData.setPreprocReassemblyPktBit = &DynamicSetPreprocessorReassemblyPktBit; preprocData.disablePreprocessors = &DynamicDisablePreprocessors; #ifdef SUP_IP6 
@@ -1631,9 +1725,18 @@ preprocData.getDefaultPolicy = DynamicGetDefaultPolicy; preprocData.setParserPolicy = DynamicSetParserPolicy; preprocData.setFileDataPtr = DynamicSetFileDataPtr; + preprocData.DetectReset = DynamicDetectResetPtr; + preprocData.SetAltDecode = &DynamicSetAltDecode; + preprocData.GetAltDetect = &DynamicGetAltDetect; + preprocData.SetAltDetect = &DynamicSetAltDetect; + preprocData.Is_DetectFlag = &DynamicIsDetectFlag; + preprocData.DetectFlag_Disable = &DynamicDetectFlagDisable; preprocData.SnortStrtol = DynamicSnortStrtol; preprocData.SnortStrtoul = DynamicSnortStrtoul; preprocData.SnortStrnStr = DynamicSnortStrnStr; + preprocData.SnortStrncpy = DynamicSnortStrncpy; + preprocData.SnortStrnPbrk = DynamicSnortStrnPbrk; + preprocData.SnortStrcasestr = DynamicSnortStrcasestr; preprocData.portObjectCharPortArray = PortObjectCharPortArray; preprocData.fpEvalRTN = DynamicEvalRTN; @@ -1649,6 +1752,27 @@ preprocData.addDetect = &AddDetection; + preprocData.getLogDirectory = DynamicGetLogDirectory; + + preprocData.controlSocketRegisterHandler = &ControlSocketRegisterHandler; + + preprocData.registerIdleHandler = &IdleProcessingRegisterHandler; + + preprocData.isPafEnabled = DynamicIsPafEnabled; + + preprocData.getPolicyFromId = &DynamicGetPolicyFromId; + preprocData.changeRuntimePolicy = &DynamicChangeRuntimePolicy; + + preprocData.inlineForceDropPacket = &DynamicForceDropPacket; + preprocData.inlineForceDropAndReset = &DynamicForceDropReset; + preprocData.activeSetEnabled = &DynamicActiveSetEnabled; + preprocData.SnortIsStrEmpty = DynamicSnortIsStrEmpty; + preprocData.dynamicSendBlockResponse = &DynamicSendBlockResponseMsg; + preprocData.dynamicSetFlowId = &setFlowId; + preprocData.addPeriodicCheck = &AddFuncToPeriodicCheckList; + preprocData.addPostConfigFunc = &AddFuncToPreprocPostConfigList; + preprocData.snort_conf_dir = &snort_conf_dir; + return InitDynamicPreprocessorPlugins(&preprocData); } 
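Review bot: `preprocData.snort_conf_dir = &snort_conf_dir` hands plugins the address of the global rather than its value, so any dynamic preprocessor can repoint or free the process-wide config directory string; if the intent is read access only, a `const char *const *` field, or an accessor in the style of `getLogDirectory`, would express that, and at minimum the assignment wants `/* address of the global config dir; plugins must treat it as read-only */`. The same hunk mixes `&Func` and bare `Func` for function-pointer assignments (`getLogDirectory = DynamicGetLogDirectory` next to `controlSocketRegisterHandler = &ControlSocketRegisterHandler`); both are valid C, but one form throughout would make this table easier to scan. `InitDynamicPreprocessors` begins outside this hunk.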
@@ -1669,7 +1793,7 @@ if (plugin->initFunc()) { ErrorMessage("Failed to initialize dynamic detection library: " - "%s version %d.%d.%d\n", + "%s version %d.%d.%d\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, @@ -1709,7 +1833,7 @@ { if (ruleDumpFunc()) { - LogMessage("Failed to dump the rules for Library %s %d.%d.%d\n", + LogMessage("Failed to dump the rules for Library %s %d.%d.%d\n", plugin->metaData.uniqueName, plugin->metaData.major, plugin->metaData.minor, @@ -1795,7 +1919,7 @@ return lib; } - return (void *) lib; + return (void *) lib; } void *GetNextDetectionPluginVersion(void *p) @@ -1816,7 +1940,7 @@ return lib; } - return (void *) lib; + return (void *) lib; } void *GetNextPreprocessorPluginVersion(void *p) @@ -1837,7 +1961,7 @@ return lib; } - return (void *) lib; + return (void *) lib; } DynamicPluginMeta *GetDetectionPluginMetaData(void *p) @@ -1847,7 +1971,7 @@ meta = &(lib->metaData); - return meta; + return meta; } DynamicPluginMeta *GetEnginePluginMetaData(void *p) @@ -1857,7 +1981,7 @@ meta = &(lib->metaData); - return meta; + return meta; } DynamicPluginMeta *GetPreprocessorPluginMetaData(void *p) @@ -1867,7 +1991,7 @@ meta = &(lib->metaData); - return meta; + return meta; } #endif /* DYNAMIC_PLUGIN */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_preprocessor.h snort-2.9.2/src/dynamic-plugins/sf_dynamic_preprocessor.h --- snort-2.9.0.1/src/dynamic-plugins/sf_dynamic_preprocessor.h 2010-10-25 12:49:04.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_dynamic_preprocessor.h 2011-11-21 12:15:24.000000000 -0800 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * 
@@ -24,20 +24,15 @@ #ifndef _SF_DYNAMIC_PREPROCESSOR_H_ #define _SF_DYNAMIC_PREPROCESSOR_H_ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - #include <ctype.h> -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR #include <wchar.h> #endif #include "sf_dynamic_meta.h" #include "ipv6_port.h" -#include "sf_types.h" #include "obfuscation.h" -/* specifies that a function does not return +/* specifies that a function does not return * used for quieting Visual Studio warnings */ #ifdef WIN32 @@ -67,12 +62,16 @@ #include "str_search.h" #include "obfuscation.h" #include "sfportobject.h" +#include "attribute_table_api.h" +#include "sfcontrol.h" +#include "idle_processing.h" #define MINIMUM_DYNAMIC_PREPROC_ID 10000 typedef void (*PreprocessorInitFunc)(char *); -typedef void * (*AddPreprocFunc)(void (*pp_func)(void *, void *), u_int16_t, u_int32_t, u_int32_t); -typedef void (*AddPreprocExit)(void (*pp_exit_func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocUnused)(void (*pp_unused_func) (int, void *), void *arg, u_int16_t, u_int32_t); +typedef void * (*AddPreprocFunc)(void (*pp_func)(void *, void *), uint16_t, uint32_t, uint32_t); +typedef void * (*AddMetaEvalFunc)(void (*meta_eval_func)(int, const uint8_t *), uint16_t priority, uint32_t preproc_id); +typedef void (*AddPreprocExit)(void (*pp_exit_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocUnused)(void (*pp_unused_func) (int, void *), void *arg, uint16_t, uint32_t); typedef void (*AddPreprocConfCheck)(void (*pp_conf_chk_func) (void)); typedef int (*AlertQueueAdd)(unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, char *, void *); 
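Review bot: With `config.h` and `sf_types.h` dropped from sf_dynamic_preprocessor.h, the header now depends on its includer for `uint16_t`/`uint32_t`, for `bool` (used by the new `PafEnabledFunc` typedef later in this file) and for the `SF_WCHAR` macro that gates both `<wchar.h>` and the `debugWideMsg` member of `DynamicPreprocessorData`; a plugin that includes this header first will fail to compile, or, if `SF_WCHAR` ends up defined differently on the two sides, get a struct layout that does not match Snort's. The example library in this same diff now includes `config.h` and `sf_dynamic_define.h` ahead of the API headers, which suggests the ordering is intentional. If so, say it at the top of the header: `/* Include config.h and sf_dynamic_define.h before this header; it relies on uint*_t, bool and SF_WCHAR already being defined. */`.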
@@ -86,9 +85,9 @@ #endif #ifndef SNORT_RELOAD -typedef void (*PreprocRegisterFunc)(char *, PreprocessorInitFunc); +typedef void (*PreprocRegisterFunc)(const char *, PreprocessorInitFunc); #else -typedef void (*PreprocRegisterFunc)(char *, PreprocessorInitFunc, +typedef void (*PreprocRegisterFunc)(const char *, PreprocessorInitFunc, PreprocessorReloadFunc, PreprocessorReloadSwapFunc, PreprocessorReloadSwapFreeFunc); 
@@ -97,26 +96,27 @@ #endif typedef int (*ThresholdCheckFunc)(unsigned int, unsigned int, snort_ip_p, snort_ip_p, long); typedef void (*InlineDropFunc)(void *); +typedef void (*ActiveEnableFunc)(int); typedef void (*DisableDetectFunc)(void *); -typedef int (*SetPreprocBitFunc)(void *, u_int32_t); +typedef int (*SetPreprocBitFunc)(void *, uint32_t); typedef int (*DetectFunc)(void *); typedef void *(*GetRuleInfoByNameFunc)(char *); typedef void *(*GetRuleInfoByIdFunc)(int); typedef int (*printfappendfunc)(char *, int, const char *, ...); typedef char ** (*TokenSplitFunc)(const char *, const char *, const int, int *, const char); typedef void (*TokenFreeFunc)(char ***, int); -typedef void (*AddPreprocProfileFunc)(char *, void *, int, void *); +typedef void (*AddPreprocProfileFunc)(const char *, void *, int, void *); typedef int (*ProfilingFunc)(void); typedef int (*PreprocessFunc)(void *); -typedef void (*PreprocStatsRegisterFunc)(char *, void (*pp_stats_func)(int)); -typedef void (*AddPreprocReset)(void (*pp_rst_func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocResetStats)(void (*pp_rst_stats_func) (int, void *), void *arg, u_int16_t, u_int32_t); -typedef void (*AddPreprocReassemblyPktFunc)(void * (*pp_reass_pkt_func)(void), u_int32_t); -typedef int (*SetPreprocReassemblyPktBitFunc)(void *, u_int32_t); +typedef void (*PreprocStatsRegisterFunc)(const char *, void (*pp_stats_func)(int)); +typedef void (*AddPreprocReset)(void (*pp_rst_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocResetStats)(void (*pp_rst_stats_func) (int, void *), void *arg, uint16_t, uint32_t); +typedef void (*AddPreprocReassemblyPktFunc)(void * (*pp_reass_pkt_func)(void), uint32_t); +typedef int (*SetPreprocReassemblyPktBitFunc)(void *, uint32_t); typedef void (*DisablePreprocessorsFunc)(void *); #ifdef TARGET_BASED -typedef int16_t (*FindProtocolReferenceFunc)(char *); -typedef int16_t (*AddProtocolReferenceFunc)(char *); +typedef 
int16_t (*FindProtocolReferenceFunc)(const char *); +typedef int16_t (*AddProtocolReferenceFunc)(const char *); typedef int (*IsAdaptiveConfiguredFunc)(tSfPolicyId, int); #endif #ifdef SUP_IP6 @@ -131,7 +131,7 @@ PreprocOptionFastPatternFunc); typedef void (*AddKeywordByteOrderFunc)(char *, PreprocOptionByteOrderFunc); -typedef int (*IsPreprocEnabledFunc)(u_int32_t); +typedef int (*IsPreprocEnabledFunc)(uint32_t); typedef char * (*PortArrayFunc)(char *, PortObject *, int *); 
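Review bot: `AddPreprocReassemblyPktFunc` and `SetPreprocReassemblyPktBitFunc` are retyped to `uint32_t` in this hunk, but the members that used them (`addPreprocReassemblyPkt`, `setPreprocReassemblyPktBit`) are removed from `DynamicPreprocessorData` later in this file, so these typedefs are now dead declarations, and `AddPreprocUnused` is in the same state after its member was replaced by `getSnortInstance`. Dropping them, or marking each `/* no longer a member of DynamicPreprocessorData; kept only for source compatibility */`, stops plugin authors from assuming the reassembly hooks still exist. The hunk also leaves `GetRuleInfoByNameFunc` taking a non-const `char *` while the neighbouring registration typedefs were made `const char *`; the same treatment would be consistent.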
@@ -139,17 +139,40 @@ typedef void (*AlertQueueControl)(void); // reset, push, and pop typedef tSfPolicyId (*GetPolicyFunc)(void); typedef void (*SetPolicyFunc)(tSfPolicyId); -typedef void (*SetFileDataPtrFunc)(const u_char *,uint32_t ); +typedef tSfPolicyId (*GetPolicyFromIdFunc)(uint16_t ); +typedef void (*ChangePolicyFunc)(tSfPolicyId, void *p); +typedef void (*SetFileDataPtrFunc)(uint8_t *,uint16_t ); +typedef void (*DetectResetFunc)(uint8_t *,uint16_t ); +typedef void (*SetAltDecodeFunc)(uint16_t ); +typedef void (*DetectFlagEnableFunc)(SFDetectFlagType); typedef long (*DynamicStrtol)(const char *, char **, int); typedef unsigned long(*DynamicStrtoul)(const char *, char **, int); typedef const char* (*DynamicStrnStr)(const char *, int, const char *); +typedef const char* (*DynamicStrcasestr)(const char *, int, const char *); +typedef int (*DynamicStrncpy)(char *, const char *, size_t ); +typedef const char* (*DynamicStrnPbrk)(const char *, int , const char *); typedef int (*EvalRTNFunc)(void *rtn, void *p, int check_ports); typedef void* (*EncodeNew)(void); typedef void (*EncodeDelete)(void*); typedef void (*EncodeUpdate)(void*); -typedef int (*EncodeFormat)(uint32_t, const void*, void*); +typedef int (*EncodeFormat)(uint32_t, const void*, void*, int); +typedef bool (*PafEnabledFunc)(void); + +typedef char* (*GetLogDirectory)(void); +typedef uint32_t (*GetSnortInstance)(void); + +typedef int (*ControlSocketRegisterHandlerFunc)(uint16_t, OOBPreControlFunc, IBControlFunc, + OOBPostControlFunc); + +typedef int (*RegisterIdleHandler)(IdleProcessingHandler); +typedef void (*DynamicSendBlockResponse)(void *packet, const uint8_t* buffer, uint32_t buffer_len); +typedef int (*DynamicSetFlowId)(const void* p, uint32_t id); + +typedef int (*DynamicIsStrEmpty)(const char * ); +typedef void (*AddPeriodicCheck)(void (*pp_check_func) (int, void *), void *arg, uint16_t, uint32_t, uint32_t); +typedef void (*AddPostConfigFuncs)(void (*pp_post_config_func) (void *), void *arg); 
#define ENC_DYN_FWD 0x80000000 #define ENC_DYN_NET 0x10000000 @@ -168,8 +191,9 @@ int version; int size; - SFDataBuffer* altBuffer; - unsigned int altBufferSize; + SFDataBuffer *altBuffer; + SFDataPointer *altDetect; + SFDataPointer *fileDataBuf; UriInfo *uriBuffers[HTTP_BUFFER_MAX]; LogMsgFunc logMsg; @@ -179,7 +203,7 @@ PreprocRegisterFunc registerPreproc; AddPreprocFunc addPreproc; - AddPreprocUnused addPreprocUnused; // this func ptr is available + GetSnortInstance getSnortInstance; AddPreprocExit addPreprocExit; AddPreprocConfCheck addPreprocConfCheck; RegisterPreprocRuleOpt preprocOptRegister; @@ -190,7 +214,8 @@ AlertQueueAdd alertAdd; GenSnortEvent genSnortEvent; ThresholdCheckFunc thresholdCheck; - InlineDropFunc inlineDrop; + InlineDropFunc inlineDropAndReset; + ActiveEnableFunc activeSetEnabled; DetectFunc detect; DisableDetectFunc disableDetect; @@ -209,7 +234,7 @@ GetRuleInfoByNameFunc getRuleInfoByName; GetRuleInfoByIdFunc getRuleInfoById; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR DebugWideMsgFunc debugWideMsg; #endif @@ -217,13 +242,10 @@ char **debugMsgFile; int *debugMsgLine; - + PreprocStatsRegisterFunc registerPreprocStats; AddPreprocReset addPreprocReset; AddPreprocResetStats addPreprocResetStats; - AddPreprocReassemblyPktFunc addPreprocReassemblyPkt; - SetPreprocReassemblyPktBitFunc setPreprocReassemblyPktBit; - DisablePreprocessorsFunc disablePreprocessors; #ifdef SUP_IP6 @@ -257,9 +279,18 @@ GetPolicyFunc getDefaultPolicy; SetPolicyFunc setParserPolicy; SetFileDataPtrFunc setFileDataPtr; + DetectResetFunc DetectReset; + SetAltDecodeFunc SetAltDecode; + GetAltDetectFunc GetAltDetect; + SetAltDetectFunc SetAltDetect; + IsDetectFlagFunc Is_DetectFlag; + DetectFlagDisableFunc DetectFlag_Disable; DynamicStrtol SnortStrtol; DynamicStrtoul SnortStrtoul; DynamicStrnStr SnortStrnStr; + DynamicStrncpy SnortStrncpy; + DynamicStrnPbrk SnortStrnPbrk; + DynamicStrcasestr SnortStrcasestr; EvalRTNFunc fpEvalRTN; ObfuscationApi *obApi; 
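Review bot: `SetFileDataPtrFunc` changes from `(const u_char *, uint32_t)` to `(uint8_t *, uint16_t)`, and the new `DetectResetFunc` and `SetAltDecodeFunc` use the same `uint16_t` length, so a plugin passing a reassembled-buffer length above 65535 now has it silently truncated by the implicit conversion instead of rejected; the `DynamicSetFileDataPtr` and `DynamicDetectResetPtr` implementations are not in this chunk, so I cannot tell whether they re-check the value. If 16 bits is the intended bound, say so at the typedefs, `/* length is limited to 65535 bytes; callers must clamp before calling */`, and clamp at the plugin call sites. Dropping `const` from the data pointer also forces plugins that hold a `const` buffer to cast; if the engine does not write through it, `const uint8_t *` should stay.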
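Review bot: The `-168` hunk changes the layout of `DynamicPreprocessorData` in the middle of the struct (`altBufferSize` removed, `altDetect` and `fileDataBuf` inserted ahead of `uriBuffers`), and the following hunks rename `inlineDrop`, insert `activeSetEnabled`, and remove two members, so the offset of every later field moves; a preprocessor shared object built against the 2.9.0.1 header would read unrelated function pointers out of `_dpd` and call through them. The only guard visible is `preprocData.version = PREPROCESSOR_DATA_VERSION` together with `.size = sizeof(DynamicPreprocessorData)`, and the constant's definition is not in this chunk, so please confirm it is bumped for this release so `InitDynamicPreprocessorPlugins` refuses stale plugins. A comment on the struct, `/* Any change to member order or types requires bumping PREPROCESSOR_DATA_VERSION */`, would make that rule explicit for the next change.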
@@ -270,6 +301,28 @@ EncodeUpdate encodeUpdate; AddPreprocFunc addDetect; + PafEnabledFunc isPafEnabled; + +#ifdef TARGET_BASED + HostAttributeTableApi *hostAttributeTableApi; +#endif + + GetLogDirectory getLogDirectory; + + ControlSocketRegisterHandlerFunc controlSocketRegisterHandler; + RegisterIdleHandler registerIdleHandler; + + GetPolicyFromIdFunc getPolicyFromId; + ChangePolicyFunc changeRuntimePolicy; + InlineDropFunc inlineForceDropPacket; + InlineDropFunc inlineForceDropAndReset; + DynamicIsStrEmpty SnortIsStrEmpty; + AddMetaEvalFunc addMetaEval; + DynamicSendBlockResponse dynamicSendBlockResponse; + DynamicSetFlowId dynamicSetFlowId; + AddPeriodicCheck addPeriodicCheck; + AddPostConfigFuncs addPostConfigFunc; + char **snort_conf_dir; } DynamicPreprocessorData; @@ -287,4 +340,6 @@ */ NORETURN void DynamicPreprocessorFatalMessage(const char *format, ...); +extern DynamicPreprocessorData _dpd; + #endif /* _SF_DYNAMIC_PREPROCESSOR_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/bmh.c snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/bmh.c 2010-01-26 10:09:52.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.c 2011-06-07 17:33:11.000000000 -0700 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Marc Norton * @@ -30,12 +30,15 @@ #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "bmh.h" #include "sf_dynamic_engine.h" -extern DynamicEngineData _ded; - HBM_STATIC int hbm_prepx (HBM_STRUCT *p, unsigned char * pat, int m, int nocase ) { 
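Review bot: `HostAttributeTableApi *hostAttributeTableApi` is added under `#ifdef TARGET_BASED` in the middle of the new member run, so the offsets of `getLogDirectory`, `controlSocketRegisterHandler`, the drop functions and everything after them now depend on whether the plugin was compiled with `TARGET_BASED`, and a mismatch with Snort's own build would be invisible to the `version`/`size` check only if both happen to be compiled the same way. The file already has this pattern for `SF_WCHAR` and `SUP_IP6`, but adding another conditional member is the moment to stop: either place it unconditionally (NULL when target-based support is not built) or append conditional members after all unconditional ones. At minimum, a comment next to it, `/* conditional member: plugins must be built with the same TARGET_BASED setting as Snort */`, records the constraint.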
@@ -43,24 +46,24 @@ unsigned char *t; if( !m ) return 0; if( !p ) return 0; - + p->P = pat; p->M = m; p->nocase = nocase; - + if( nocase ) /* convert to uppercase */ { t = (unsigned char*)malloc(m); if ( !t ) return 0; memcpy(t,pat,m); - + for(i=0;i<m;i++) { t[i] = (unsigned char)toupper(t[i]); } p->Pnc = t; - } + } else { p->Pnc = 0; @@ -68,18 +71,18 @@ /* Compute normal Boyer-Moore Bad Character Shift */ for(k = 0; k < 256; k++) p->bcShift[k] = m; - + if( nocase ) { - for(k = 0; k < m; k++) + for(k = 0; k < m; k++) p->bcShift[ p->Pnc[k] ] = m - k - 1; } else { - for(k = 0; k < m; k++) + for(k = 0; k < m; k++) p->bcShift[ p->P[k] ] = m - k - 1; } - + return 1; } @@ -97,7 +100,7 @@ DynamicEngineFatalMessage("Failed to allocate memory for pattern matching."); } - if( !hbm_prepx( p, pat, m, nocase) ) + if( !hbm_prepx( p, pat, m, nocase) ) { DynamicEngineFatalMessage("Error initializing pattern matching. Check arguments."); } @@ -142,40 +145,40 @@ } m1 = px->M-1; bcShift= px->bcShift; - + //printf("bmh_match: pattern=%.*s, %d bytes \n",px->M,pat,px->M); - t = text + m1; - et = text + n; + t = text + m1; + et = text + n; /* Handle 1 Byte patterns - it's a faster loop */ if( !m1 ) { if( !px->nocase ) { - for( ;t<et; t++ ) + for( ;t<et; t++ ) if( *t == *pat ) return t; } else { - for( ;t<et; t++ ) + for( ;t<et; t++ ) if( toupper(*t) == *pat ) return t; } return 0; } if( !px->nocase ) - { + { /* Handle MultiByte Patterns */ while( t < et ) { /* Scan Loop - Bad Character Shift */ - do + do { t += bcShift[*t]; if( t >= et )return 0;; - t += (k=bcShift[*t]); + t += (k=bcShift[*t]); if( t >= et )return 0; } while( k ); 
@@ -201,21 +204,21 @@ NoMatch: t++; } - + } else /* NoCase - convert input string to upper case as we process it */ { - + /* Handle MultiByte Patterns */ while( t < et ) { /* Scan Loop - Bad Character Shift */ - do + do { t += bcShift[toupper(*t)]; if( t >= et )return 0;; - t += (k=bcShift[toupper(*t)]); + t += (k=bcShift[toupper(*t)]); if( t >= et )return 0; } while( k ); @@ -243,7 +246,7 @@ } } - + return 0; } diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/bmh.h snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.h --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/bmh.h 2010-01-26 10:09:52.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/bmh.h 2011-02-09 15:23:10.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Marc Norton * diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/examples/Makefile.in snort-2.9.2/src/dynamic-plugins/sf_engine/examples/Makefile.in --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/examples/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/examples/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -109,13 +112,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c 2006-01-23 12:55:22.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c 2011-06-07 17:33:11.000000000 -0700 
@@ -1,4 +1,28 @@ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include "sf_dynamic_define.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_meta.h" #include "detection_lib_meta.h" @@ -8,12 +32,12 @@ extern Rule *rules[]; -DETECTION_LINKAGE int InitializeDetection() +DETECTION_LINKAGE int InitializeDetection(void) { return RegisterRules(rules); } -DETECTION_LINKAGE int DumpSkeletonRules() +DETECTION_LINKAGE int DumpSkeletonRules(void) { return DumpRules(DETECTION_LIB_NAME, rules); } diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h 2006-01-23 12:55:22.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h 2011-02-09 15:23:11.000000000 -0800 
@@ -1,15 +1,36 @@ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ #ifndef SFSNORT_DYNAMIC_DETECTION_LIB_H_ #define SFSNORT_DYNAMIC_DETECTION_LIB_H_ #ifdef WIN32 #ifdef SF_SNORT_DETECTION_DLL -#define DETECTION_LINKAGE __declspec(dllexport) +#define BUILDING_SO +#define DETECTION_LINKAGE SO_PUBLIC #else -#define DETECTION_LINKAGE __declspec(dllimport) +#define DETECTION_LINKAGE #endif #else /* WIN32 */ -#define DETECTION_LINKAGE -#endif /* WIN32 */ +#define DETECTION_LINKAGE SO_PUBLIC +#endif #endif /* SFSNORT_DYNAMIC_DETECTION_LIB_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/Makefile.am snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.am --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/Makefile.am 2010-06-09 15:05:08.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.am 2011-06-07 17:33:11.000000000 -0700 @@ -19,8 +19,9 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h nodist_libsf_engine_la_SOURCES = \ sfhashfcn.c \ 
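Review bot: `DETECTION_LINKAGE` now expands to `SO_PUBLIC`, but this header includes nothing and defines no fallback for that macro, so it only compiles when the includer has already pulled in whatever defines `SO_PUBLIC` (the example .c in this diff adds `#include "sf_dynamic_define.h"` before the API headers, which looks like the source). A detection library that includes this header first gets an unexplained error at `DETECTION_LINKAGE int InitializeDetection(void)`. Either include the defining header here, or state the requirement: `/* Requires sf_dynamic_define.h (SO_PUBLIC) to be included before this header. */`. The `#define BUILDING_SO` placed under `SF_SNORT_DETECTION_DLL` presumably flips `SO_PUBLIC` to export mode; a one-line comment saying so would save readers a lookup.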
@@ -32,13 +33,15 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h libsf_engine_la_SOURCES = \ bmh.c \ bmh.h \ sf_snort_detection_engine.c \ +sf_snort_detection_engine.h \ sf_snort_packet.h \ sf_snort_plugin_api.c \ sf_snort_plugin_api.h \ @@ -47,7 +50,9 @@ sf_snort_plugin_hdropts.c \ sf_snort_plugin_loop.c \ sf_snort_plugin_pcre.c \ -sf_snort_plugin_rc4.c +sf_snort_plugin_rc4.c \ +sf_decompression.c \ +sf_decompression.h copy_files = \ if test -f $$dst_file; then \ @@ -126,7 +131,7 @@ $(sed_ipv6_headers); \ fi -ipv6_port.h: ../../ipv6_port.h +ipv6_port.h: ../../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) sf_ip.h: ../../sfutil/sf_ip.h @@ -135,7 +140,7 @@ sf_ip.c: ../../sfutil/sf_ip.c @src_file=$?; dst_file=$@; $(copy_files) -debug.h: ../../debug.h +snort_debug.h: ../../snort_debug.h @src_file=$?; dst_file=$@; $(copy_debug_header) sfghash.h: ../../sfutil/sfghash.h @@ -159,7 +164,10 @@ sf_types.h: ../../sf_types.h @src_file=$?; dst_file=$@; $(copy_files) +sf_protocols.h: ../../sf_protocols.h + @src_file=$?; dst_file=$@; $(copy_files) + SUBDIRS = examples clean-local: - rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h debug.h debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h + rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h snort_debug.h snort_debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h sf_protocols.h diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/Makefile.in snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.in --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/Makefile.in 2011-12-07 11:23:18.000000000 -0800 
@@ -73,7 +73,7 @@ sf_snort_plugin_api.lo sf_snort_plugin_byte.lo \ sf_snort_plugin_content.lo sf_snort_plugin_hdropts.lo \ sf_snort_plugin_loop.lo sf_snort_plugin_pcre.lo \ - sf_snort_plugin_rc4.lo + sf_snort_plugin_rc4.lo sf_decompression.lo nodist_libsf_engine_la_OBJECTS = sfhashfcn.lo sfghash.lo \ sfprimetable.lo sf_ip.lo libsf_engine_la_OBJECTS = $(am_libsf_engine_la_OBJECTS) \ @@ -145,7 +145,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -160,6 +162,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -196,13 +199,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -273,8 +282,9 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h nodist_libsf_engine_la_SOURCES = \ sfhashfcn.c \ @@ -286,13 +296,15 @@ ipv6_port.h \ sf_ip.c \ sf_ip.h \ -debug.h \ -sf_types.h +snort_debug.h \ +sf_types.h \ +sf_protocols.h libsf_engine_la_SOURCES = \ bmh.c \ bmh.h \ sf_snort_detection_engine.c \ +sf_snort_detection_engine.h \ sf_snort_packet.h \ sf_snort_plugin_api.c \ sf_snort_plugin_api.h \ 
@@ -301,7 +313,9 @@ sf_snort_plugin_hdropts.c \ sf_snort_plugin_loop.c \ sf_snort_plugin_pcre.c \ -sf_snort_plugin_rc4.c +sf_snort_plugin_rc4.c \ +sf_decompression.c \ +sf_decompression.h copy_files = \ if test -f $$dst_file; then \ @@ -790,7 +804,7 @@ uninstall-libLTLIBRARIES -ipv6_port.h: ../../ipv6_port.h +ipv6_port.h: ../../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) sf_ip.h: ../../sfutil/sf_ip.h @@ -799,7 +813,7 @@ sf_ip.c: ../../sfutil/sf_ip.c @src_file=$?; dst_file=$@; $(copy_files) -debug.h: ../../debug.h +snort_debug.h: ../../snort_debug.h @src_file=$?; dst_file=$@; $(copy_debug_header) sfghash.h: ../../sfutil/sfghash.h @@ -823,8 +837,11 @@ sf_types.h: ../../sf_types.h @src_file=$?; dst_file=$@; $(copy_files) +sf_protocols.h: ../../sf_protocols.h + @src_file=$?; dst_file=$@; $(copy_files) + clean-local: - rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h debug.h debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h + rm -rf sfhashfcn.c sfhashfcn.c.new sfghash.c sfprimetable.c sf_ip.c sf_ip.h ipv6_port.h snort_debug.h snort_debug.h.new sfprimetable.h sfghash.h ipv6_port.h.new sfhashfcn.h sf_types.h sf_protocols.h # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_decompression.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_decompression.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,393 @@ +/* + * sf_decompression.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Date: 3/8/2011 + * + * Implementation of Decompression API for Snort Plugins. + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifdef DECOMPRESS_UNIT_TEST +#include <stdlib.h> +#include <stdint.h> +#include <stdio.h> +#include <zlib.h> + +#include "sf_decompression.h" +#else +#include <zlib.h> + +#include "sf_snort_plugin_api.h" +#include "sf_decompression.h" +#include "sf_types.h" +#endif /* DECOMPRESS_UNIT_TEST */ + +/* Implementation-Specific Defines */ +#define DEFLATE_RAW_WBITS -15 +#define DEFLATE_ZLIB_WBITS 15 +#define GZIP_ZLIB_WBITS 31 + +/* Decompression state is defined here so that + dynamic plugins don't access it directly. 
*/ +typedef struct decompress_state +{ + compression_type_t type; + uint32_t flags; + void *lib_info; + int lib_return; + bool deflate_initialized; +} decompress_state_t; + +/* Decompression state flags */ +#define SNORT_ZLIB_INIT_NEEDED 0x00000001 + +/* Zlib-specific init function */ +static inline decompress_state_t * SnortDecompressInitZlib(compression_type_t type) +{ + decompress_state_t *state = calloc(1, sizeof(decompress_state_t) ); + z_stream *zlib_stream = calloc(1, sizeof(z_stream) ); + + if (state == NULL || zlib_stream == NULL) + DynamicEngineFatalMessage("Unable to allocate memory in SnortDecompressInitZlib()\n"); + + /* Setup Zlib memory management callbacks */ + zlib_stream->zalloc = NULL; + zlib_stream->zfree = NULL; + zlib_stream->opaque = NULL; + + /* Fill out state object */ + state->type = type; + state->lib_info = (void *) zlib_stream; + + /* Can't call inflateInit() until there's some data */ + state->flags |= SNORT_ZLIB_INIT_NEEDED; + + return state; +} + +/* Zlib-specific Destroy function */ +static inline int SnortDecompressDestroyZlib(decompress_state_t *state) +{ + z_streamp zlib_stream = (z_streamp) state->lib_info; + int ret; + + if (zlib_stream == NULL) + return SNORT_DECOMPRESS_BAD_ARGUMENT; + + ret = inflateEnd(zlib_stream); + + free(zlib_stream); + free(state); + + if (ret == Z_OK) + return SNORT_DECOMPRESS_OK; + + /* XXX: Only other possibility is Z_STREAM_ERROR. + Can't set state->lib_ret because we just freed the state. */ + return SNORT_DECOMPRESS_ERROR; +} + +/* Zlib-specific Decompression function. */ +static inline int SnortDecompressZlib(decompress_state_t *state, uint8_t *input, uint32_t input_len, + uint8_t *output, uint32_t output_bufsize, uint32_t *output_len) +{ + z_streamp zlib_stream = (z_streamp) state->lib_info; + int zlib_ret; + int snort_ret = SNORT_DECOMPRESS_OK; + + if (zlib_stream == NULL) + return SNORT_DECOMPRESS_BAD_ARGUMENT; // Uninitialized state object. 
+ + /* The call to inflateInit() requires some data to be provided. + That's why the call isn't done in SnortDecompressInit(). */ + if (state->flags & SNORT_ZLIB_INIT_NEEDED) + { + if (input == NULL) + return SNORT_DECOMPRESS_BAD_ARGUMENT; + + zlib_stream->next_in = input; + zlib_stream->avail_in = input_len; + + /* Deflate can be either raw or with a zlib header so we'll + * just use the normal inflateInit and if inflate fails, add + * a dummy zlib header. Just like Chrome and Firefox do. + * gzip decompression requires adding 16 to zlibs MAX_WBITS + */ + if (state->type == COMPRESSION_TYPE_DEFLATE) + zlib_ret = inflateInit(zlib_stream); + else + zlib_ret = inflateInit2(zlib_stream, GZIP_ZLIB_WBITS); + state->lib_return = zlib_ret; + + state->flags &= ~SNORT_ZLIB_INIT_NEEDED; + } + /* If input is NULL, just continue decompressing from the last spot. + This is how a caller would handle truncated output. */ + else if (input) + { + zlib_stream->next_in = input; + zlib_stream->avail_in = input_len; + } + + zlib_stream->next_out = output; + zlib_stream->avail_out = output_bufsize; + + while (zlib_stream->avail_in > 0 && zlib_stream->avail_out > 0) + { + zlib_ret = inflate(zlib_stream, Z_SYNC_FLUSH); + + if ((zlib_ret == Z_DATA_ERROR) + && (state->type == COMPRESSION_TYPE_DEFLATE) + && (!state->deflate_initialized)) + { + /* Might not have zlib header - add one */ + static char zlib_header[2] = { 0x78, 0x01 }; + + inflateReset(zlib_stream); + zlib_stream->next_in = (Bytef *)zlib_header; + zlib_stream->avail_in = sizeof(zlib_header); + + zlib_ret = inflate(zlib_stream, Z_SYNC_FLUSH); + state->deflate_initialized = true; + + if (input) + { + zlib_stream->next_in = input; + zlib_stream->avail_in = input_len; + } + } + + state->lib_return = zlib_ret; + + if (zlib_ret == Z_STREAM_END) + break; // Not an error, just hit the end of compressed data. 
+ + if (zlib_ret != Z_OK) + { + snort_ret = SNORT_DECOMPRESS_BAD_DATA; + break; + } + } + + if ((zlib_stream->avail_in > 0 && zlib_stream->avail_out == 0) && + (snort_ret != SNORT_DECOMPRESS_BAD_DATA)) + { + snort_ret = SNORT_DECOMPRESS_OUTPUT_TRUNC; + } + + *output_len = output_bufsize - zlib_stream->avail_out; + + return snort_ret; +} + +/* This function initializes a Decompression API state object. + It must be called first when using decompression. + + Arguments: type => Type of decompression to use (gzip, deflate) + Returns: void pointer to decompression state object +*/ +ENGINE_LINKAGE void * SnortDecompressInit(compression_type_t type) +{ + decompress_state_t *state = NULL; + + switch (type) + { + case COMPRESSION_TYPE_DEFLATE: + case COMPRESSION_TYPE_GZIP: + state = SnortDecompressInitZlib(type); + break; + case COMPRESSION_TYPE_MAX: + default: + /* invalid type... */ + return NULL; + } + + return (void *) state; +} + +/* This function destroys a Decompression API state object. + + Arguments: void *s => state object allocated by SnortDecompressInit(). + Returns: SNORT_DECOMPRESS_OK on success, negative on error. +*/ +ENGINE_LINKAGE int SnortDecompressDestroy(void *s) +{ + decompress_state_t *state = s; + + if (state == NULL) + return SNORT_DECOMPRESS_BAD_ARGUMENT; + + switch (state->type) + { + case COMPRESSION_TYPE_DEFLATE: + case COMPRESSION_TYPE_GZIP: + return SnortDecompressDestroyZlib(state); + case COMPRESSION_TYPE_MAX: + default: + break; + } + + /* Bad type. Was this constructed outside of SnortDecompressInit()? */ + return SNORT_DECOMPRESS_BAD_ARGUMENT; +} + +/* This is the function that decompresses data. + + Arguments: + void *state => pointer to state object allocated by SnortDecompressInit(). + uint8_t *input => pointer to buffer that stores compressed data. + pass NULL to continue decompressing the previous input. + uint32_t input_len => length of input to decompress. + ignored if "input" is set to NULL. 
+ uint8_t *output => pointer to buffer where decompressed output will be stored. + uint32_t output_bufsize => available space in output buffer. + uint32_t *output_len => gets set to the actual amount of output generated. + Returns: + SNORT_DECOMPRESS_OK: success + SNORT_DECOMPRESS_BAD_ARGUMENT: Bad arguments passed in. Could be null pointers, + uninitialized state objects. + SNORT_DECOMPRESS_BAD_DATA: Error decompressing the data. Could be corrupted + input, or the wrong compression type was set. + SNORT_DECOMPRESS_OUTPUT_TRUNC: Decompression was successful, but the output + buffer filled up. Call SnortDecompress() again + with NULL input after consuming the output. +*/ +ENGINE_LINKAGE int SnortDecompress(void *state, uint8_t *input, uint32_t input_len, + uint8_t *output, uint32_t output_bufsize, uint32_t *output_len) +{ + decompress_state_t *internal_state; + + /* NULL "input" ptr is OK, it signals that we should continue decompressing the + last input. The caller should have consumed output and made more space. */ + if (state == NULL || output == NULL || output_len == NULL) + return SNORT_DECOMPRESS_BAD_ARGUMENT; + + internal_state = (decompress_state_t *) state; + + switch (internal_state->type) + { + case COMPRESSION_TYPE_DEFLATE: + case COMPRESSION_TYPE_GZIP: + return SnortDecompressZlib(internal_state, input, input_len, + output, output_bufsize, output_len); + case COMPRESSION_TYPE_MAX: + default: + break; + } + + return SNORT_DECOMPRESS_BAD_ARGUMENT; +} + + + +/* This section is a unit test meant to independently test the Decompression API. + Compile like so: + gcc -DDECOMPRESS_UNIT_TEST sf_decompression.c -o decompression_unit_test -lz + */ +#ifdef DECOMPRESS_UNIT_TEST +/* Driver program uses the Snort decompression API to read from a file and + spew decompressed data to stdout. 
*/ +int main (int argc, char *argv[]) +{ + FILE *input; + void *zlib_state; + + uint8_t input_buffer[1024]; + uint8_t output_buffer[1024]; + size_t bytes_read; + compression_type_t type; + + if (argc != 3) + { + fprintf(stderr, "Usage: %s <filename> <deflate|gzip>\n", argv[0]); + exit(-1); + } + + input = fopen(argv[1], "r"); + + if (strcmp(argv[2], "deflate")) + type = COMPRESSION_TYPE_DEFLATE; + else if (strcmp(argv[2], "gzip")) + type = COMPRESSION_TYPE_GZIP; + else + { + fprintf(stderr, "Invalid compression type: %s. Valid values are " + "\"deflate\" and \"gzip\".\n", argv[2]); + exit(1); + } + + /* Step 1: Init */ + zlib_state = SnortDecompressInit( type ); + if (zlib_state == NULL) + { + fprintf(stderr, "Some bad stuff happened and SnortInit() returned NULL.\n"); + exit(-1); + } + + /* Step 2: Iterate over your input and call SnortDecompress */ + bytes_read = fread(input_buffer, 1, sizeof(input_buffer), input); + while (bytes_read > 0) + { + uint32_t output_bufsize = sizeof(output_buffer); + uint32_t output_len; + int ret; + + ret = SnortDecompress(zlib_state, input_buffer, bytes_read, + output_buffer, output_bufsize, &output_len); + + fwrite(output_buffer, 1, output_len, stdout); + + while (ret == SNORT_DECOMPRESS_OUTPUT_TRUNC) + { + /* Subsequent calls use NULL to signify that we want to continue + decompressing the last input. */ + ret = SnortDecompress(zlib_state, NULL, 0, output_buffer, output_bufsize, &output_len); + fwrite(output_buffer, 1, output_len, stdout); + } + + /* Handle your return codes */ + switch(ret) + { + case SNORT_DECOMPRESS_BAD_DATA: + fprintf(stderr, "SnortDecompress() returned BAD_DATA!\n"); + break; + case SNORT_DECOMPRESS_BAD_ARGUMENT: + fprintf(stderr, "SnortDecompress() returned BAD_ARGUMENT!\n"); + break; + } + + /* Get more data! */ + bytes_read = fread(input_buffer, 1, sizeof(input_buffer), input); + } + + /* Step 3: Destroy! 
*/ + SnortDecompressDestroy(zlib_state); + fclose(input); + + return 0; +} + +#endif /* DECOMPRESS_UNIT_TEST */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_decompression.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.h --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_decompression.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_decompression.h 2011-10-26 07:49:57.000000000 -0700 
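Review bot: The result of inflateInit()/inflateInit2() in SnortDecompressZlib is stored in state->lib_return but never tested, so when init fails (Z_MEM_ERROR, Z_VERSION_ERROR) SNORT_ZLIB_INIT_NEEDED is still cleared and the code falls into the inflate() loop, which reports the failure as SNORT_DECOMPRESS_BAD_DATA on this and every later call on that state; add `if (zlib_ret != Z_OK) return SNORT_DECOMPRESS_ERROR;` before the flag is cleared so the caller sees an engine error and the init is retried. Relatedly, deflate_initialized is set only on the dummy-header fallback, so a stream that inflated correctly with a real zlib header is, on a later Z_DATA_ERROR (genuinely corrupt data), reset and re-fed from the start of the current input instead of being reported as bad data; setting the flag after the first successful inflate() would avoid that. In the DECOMPRESS_UNIT_TEST driver the type selection is inverted because strcmp() returns 0 on a match (`if (strcmp(argv[2], "deflate") == 0)`), the driver uses strcmp without including <string.h>, and the fopen() result is used without a NULL check.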
@@ -0,0 +1,93 @@
+/*
+ * sf_decompression.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Date: 3/8/2011
+ *
+ * Decompression API for Snort Plugins.
+ *
+ */
+
+#ifndef SF_DECOMPRESSION_H
+#define SF_DECOMPRESSION_H
+
+#include <stdint.h>
+#include "sf_snort_plugin_api.h"
+
+/* Types */
+typedef enum compression_type
+{
+ COMPRESSION_TYPE_DEFLATE = 1,
+ COMPRESSION_TYPE_GZIP,
+ COMPRESSION_TYPE_MAX
+} compression_type_t;
+
+/* Return Codes */
+#define SNORT_DECOMPRESS_OK 0
+#define SNORT_DECOMPRESS_OUTPUT_TRUNC 1
+#define SNORT_DECOMPRESS_BAD_ARGUMENT (-1)
+#define SNORT_DECOMPRESS_BAD_DATA (-2)
+#define SNORT_DECOMPRESS_ERROR (-3)
+
+
+/* API Functions */
+
+/* This function initializes a Decompression API state object.
+ It must be called first when using decompression.
+
+ Arguments: type => Type of decompression to use (gzip, deflate)
+ Returns: void pointer to decompression state object
+*/
+ENGINE_LINKAGE void * SnortDecompressInit(compression_type_t type);
+
+/* This function destroys a Decompression API state object.
+
+ Arguments: void *s => state object allocated by SnortDecompressInit().
+ Returns: SNORT_DECOMPRESS_OK on success, negative on error.
+*/
+ENGINE_LINKAGE int SnortDecompressDestroy(void *state);
+
+/* This is the function that decompresses data.
+
+ Arguments:
+ void *state => pointer to state object allocated by SnortDecompressInit().
+ uint8_t *input => pointer to buffer that stores compressed data.
+ pass NULL to continue decompressing the previous input.
+ uint32_t input_len => length of input to decompress.
+ ignored if "input" is set to NULL.
+ uint8_t *output => pointer to buffer where decompressed output will be stored.
+ uint32_t output_bufsize => available space in output buffer.
+ uint32_t *output_len => gets set to the actual amount of output generated.
+ Returns:
+ SNORT_DECOMPRESS_OK: success
+ SNORT_DECOMPRESS_BAD_ARGUMENT: Bad arguments passed in. Could be null pointers,
+ uninitialized state objects.
+ SNORT_DECOMPRESS_BAD_DATA: Error decompressing the data. Could be corrupted
+ input, or the wrong compression type was set.
+ SNORT_DECOMPRESS_OUTPUT_TRUNC: Decompression was successful, but the output
+ buffer filled up. Call SnortDecompress() again
+ with NULL input after consuming the output.
+*/
+ENGINE_LINKAGE int SnortDecompress(void *state, uint8_t *input, uint32_t input_len,
+ uint8_t *output, uint32_t output_bufsize, uint32_t *output_len);
+
+
+#endif /* SF_DECOMPRESSION_H */
diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c
--- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c 2010-10-25 12:49:04.000000000 -0700
+++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c 2011-11-21 12:15:24.000000000 -0800
@@ -16,7 +16,7 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * Author: Steve Sturges
 * Andy Mullican
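Review bot: The SnortDecompressDestroy comment says "negative on error", but the implementation frees both the zlib stream and the state object before it looks at the inflateEnd() result, so SNORT_DECOMPRESS_ERROR does not mean the handle is still usable; the header should say so, e.g. `Returns: SNORT_DECOMPRESS_OK on success, negative on error. The state object is freed in either case and must not be used again.` The same comment names the parameter `s` while the prototype names it `state`. SnortDecompress's comment could also state that `output_len` is only written on the success and OUTPUT_TRUNC paths and is left untouched when BAD_ARGUMENT is returned, which is what the .c file does and what a caller zeroing nothing beforehand needs to know.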
@@ -35,7 +35,8 @@ #include <ctype.h> #include <sys/types.h> #include <stdarg.h> -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" @@ -43,10 +44,11 @@ #include "sf_dynamic_engine.h" #include "sfghash.h" #include "bmh.h" +#include "sf_snort_detection_engine.h" #define MAJOR_VERSION 1 -#define MINOR_VERSION 12 -#define BUILD_VERSION 18 +#define MINOR_VERSION 15 +#define BUILD_VERSION 18 #define DETECT_NAME "SF_SNORT_DETECTION_ENGINE" #ifdef WIN32 @@ -79,13 +81,6 @@ exit(1); } -extern int BoyerContentSetup(Rule *rule, ContentInfo *content); -extern int PCRESetup(Rule *rule, PCREInfo *pcreInfo); -extern int ValidateHeaderCheck(Rule *rule, HdrOptCheck *optData); -extern void ContentSetup(void); -extern int ByteExtractInitialize(Rule *rule, ByteExtract *extractData); -extern int LoopInfoInitialize(Rule *rule, LoopInfo *loopInfo); - ENGINE_LINKAGE int InitializeEngine(DynamicEngineData *ded) { int i; @@ -96,6 +91,9 @@ _ded.version = ded->version; _ded.altBuffer = ded->altBuffer; + _ded.altDetect = ded->altDetect; + _ded.fileDataBuf = ded->fileDataBuf; + for (i=0;i<HTTP_BUFFER_MAX;i++) { _ded.uriBuffers[i] = ded->uriBuffers[i]; @@ -113,7 +111,7 @@ _ded.getRuleData = ded->getRuleData; _ded.debugMsg = ded->debugMsg; -#ifdef HAVE_WCHAR_H +#ifdef SF_WCHAR _ded.debugWideMsg = ded->debugWideMsg; #endif _ded.debugMsgFile = ded->debugMsgFile; @@ -122,10 +120,12 @@ _ded.pcreStudy = ded->pcreStudy; _ded.pcreCompile = ded->pcreCompile; _ded.pcreExec = ded->pcreExec; - _ded.fileDataBuf = ded->fileDataBuf; - _ded.mime_size = ded->mime_size; _ded.sfUnfold = ded->sfUnfold; _ded.sfbase64decode = ded->sfbase64decode; + _ded.GetAltDetect = ded->GetAltDetect; + _ded.SetAltDetect = ded->SetAltDetect; + _ded.Is_DetectFlag = ded->Is_DetectFlag; + _ded.DetectFlag_Disable = ded->DetectFlag_Disable; _ded.allocRuleData = ded->allocRuleData; _ded.freeRuleData = ded->freeRuleData; 
@@ -225,6 +225,8 @@ RuleOption *option; FPContentInfo *tail = NULL; int i = 0; + int base64_buf_flag = 0; + int mime_buf_flag = 0; if ((r == NULL) || (contents == NULL)) return -1; 
@@ -235,80 +237,113 @@ option != NULL; option = rule->options[++i]) { - if (option->optionType == OPTION_TYPE_CONTENT) + switch(option->optionType) { - FPContentInfo *fp_content; - ContentInfo *content = option->option_u.content; - int flags = content->flags; + case OPTION_TYPE_CONTENT: + { + FPContentInfo *fp_content; + ContentInfo *content = option->option_u.content; + int flags = content->flags; - switch (type) - { - case CONTENT_NORMAL: - if (!(flags & NORMAL_CONTENT_BUFS)) - continue; - break; - case CONTENT_HTTP: - if (!(flags & URI_CONTENT_BUFS) - || (!(flags & URI_FAST_PATTERN_BUFS))) - continue; - break; - default: - break; /* Just get them all */ - } + switch (type) + { + case CONTENT_NORMAL: + if (!(flags & NORMAL_CONTENT_BUFS)) + continue; + else if(base64_buf_flag || mime_buf_flag) + continue; + break; + case CONTENT_HTTP: + base64_buf_flag = 0; + mime_buf_flag = 0; + if (!(flags & URI_CONTENT_BUFS) + || (!(flags & URI_FAST_PATTERN_BUFS))) + continue; + break; + default: + break; /* Just get them all */ + } - fp_content = (FPContentInfo *)calloc(1, sizeof(FPContentInfo)); - if (fp_content == NULL) - DynamicEngineFatalMessage("Failed to allocate memory\n"); - - fp_content->length = content->patternByteFormLength; - fp_content->content = (char *)malloc(fp_content->length); - if (fp_content->content == NULL) - DynamicEngineFatalMessage("Failed to allocate memory\n"); - memcpy(fp_content->content, content->patternByteForm, fp_content->length); - fp_content->offset = content->offset; - fp_content->depth = content->depth; - if (content->flags & CONTENT_RELATIVE) - fp_content->is_relative = 1; - if (content->flags & CONTENT_NOCASE) - fp_content->noCaseFlag = 1; - if (content->flags & CONTENT_FAST_PATTERN) - fp_content->fp = 1; - if (content->flags & NOT_FLAG) - fp_content->exception_flag = 1; - if (content->flags & CONTENT_BUF_URI) - fp_content->uri_buffer |= CONTENT_HTTP_URI; - if (content->flags & CONTENT_BUF_HEADER) - fp_content->uri_buffer |= 
CONTENT_HTTP_HEADER; - if (content->flags & CONTENT_BUF_POST) - fp_content->uri_buffer |= CONTENT_HTTP_CLIENT_BODY; - if (content->flags & CONTENT_BUF_METHOD) - fp_content->uri_buffer |= CONTENT_HTTP_METHOD; - - /* Fast pattern only and specifying an offset and length are - * technically mutually exclusive - see - * detection-plugins/sp_pattern_match.c */ - if (option->option_u.content->flags & CONTENT_FAST_PATTERN_ONLY) - { - fp_content->fp_only = 1; - } - else - { - fp_content->fp_offset = option->option_u.content->fp_offset; - fp_content->fp_length = option->option_u.content->fp_length; - } + fp_content = (FPContentInfo *)calloc(1, sizeof(FPContentInfo)); + if (fp_content == NULL) + DynamicEngineFatalMessage("Failed to allocate memory\n"); + + fp_content->length = content->patternByteFormLength; + fp_content->content = (char *)malloc(fp_content->length); + if (fp_content->content == NULL) + DynamicEngineFatalMessage("Failed to allocate memory\n"); + memcpy(fp_content->content, content->patternByteForm, fp_content->length); + fp_content->offset = content->offset; + fp_content->depth = content->depth; + if (content->flags & CONTENT_RELATIVE) + fp_content->is_relative = 1; + if (content->flags & CONTENT_NOCASE) + fp_content->noCaseFlag = 1; + if (content->flags & CONTENT_FAST_PATTERN) + fp_content->fp = 1; + if (content->flags & NOT_FLAG) + fp_content->exception_flag = 1; + if (content->flags & CONTENT_BUF_URI) + fp_content->uri_buffer |= CONTENT_HTTP_URI; + if (content->flags & CONTENT_BUF_HEADER) + fp_content->uri_buffer |= CONTENT_HTTP_HEADER; + if (content->flags & CONTENT_BUF_POST) + fp_content->uri_buffer |= CONTENT_HTTP_CLIENT_BODY; + + /* Fast pattern only and specifying an offset and length are + * technically mutually exclusive - see + * detection-plugins/sp_pattern_match.c */ + if (option->option_u.content->flags & CONTENT_FAST_PATTERN_ONLY) + { + fp_content->fp_only = 1; + } + else + { + fp_content->fp_offset = option->option_u.content->fp_offset; + 
fp_content->fp_length = option->option_u.content->fp_length; + } - if (tail == NULL) - *contents = fp_content; - else - tail->next = fp_content; + if (tail == NULL) + *contents = fp_content; + else + tail->next = fp_content; - tail = fp_content; + tail = fp_content; + } + break; + + case OPTION_TYPE_BASE64_DECODE: + base64_buf_flag =1; + continue; + + case OPTION_TYPE_FILE_DATA: + { + CursorInfo *cursor = option->option_u.cursor; + if (cursor->flags & BUF_FILE_DATA_MIME) + { + mime_buf_flag = 1; + continue; + } + } + break; + + case OPTION_TYPE_PKT_DATA: + base64_buf_flag = 0; + mime_buf_flag = 0; + continue; + + case OPTION_TYPE_BASE64_DATA: + base64_buf_flag =1; + continue; + + default: + continue; } } if (*contents == NULL) return -1; - + return 0; } @@ -379,9 +414,9 @@ static int DecodeContentPattern(Rule *rule, ContentInfo *content) { int pat_len; - const u_int8_t *pat_begin = content->pattern; - const u_int8_t *pat_idx; - const u_int8_t *pat_end; + const uint8_t *pat_begin = content->pattern; + const uint8_t *pat_idx; + const uint8_t *pat_end; char tmp_buf[2048]; char *raw_idx; char *raw_end; @@ -437,7 +472,7 @@ if(!hex_len || hex_len % 2) { DynamicEngineFatalMessage("Content hexmode argument has invalid " - "number of hex digits for dynamic rule [%d:%d].\n", + "number of hex digits for dynamic rule [%d:%d].\n", rule->info.genID, rule->info.sigID); } @@ -501,8 +536,8 @@ pending--; if(raw_idx < raw_end) - { - tmp_buf[tmp_len] = (u_char) + { + tmp_buf[tmp_len] = (u_char) strtol(hex_encoded, (char **) NULL, 16)&0xFF; tmp_len++; @@ -526,7 +561,7 @@ "binary buffer for dynamic rule [%d:%d]? " "Valid hex values only please! " "(0x0 - 0xF) Position: %d\n", - (char) *pat_idx, (char) *pat_idx, + (char) *pat_idx, (char) *pat_idx, rule->info.genID, rule->info.sigID, char_count); } } 
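Review bot: The rewritten OPTION_TYPE_CONTENT case drops the `CONTENT_BUF_METHOD` to `CONTENT_HTTP_METHOD` mapping that the removed block carried, so content options restricted to the HTTP method buffer no longer set fp_content->uri_buffer; if that is intended (method buffer no longer a fast-pattern candidate) a one-line comment at that spot should say so, otherwise restore `if (content->flags & CONTENT_BUF_METHOD) fp_content->uri_buffer |= CONTENT_HTTP_METHOD;`. The base64/mime flags are cleared only in the CONTENT_HTTP branch and in OPTION_TYPE_PKT_DATA, so a non-MIME OPTION_TYPE_FILE_DATA following a base64_decode leaves base64_buf_flag set and the next normal content is still skipped; worth confirming that matches the cursor semantics the engine applies at match time. `base64_buf_flag =1;` appears twice with the spacing off relative to the rest of the file. The enclosing function begins before this hunk.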
@@ -564,7 +599,7 @@ else { DynamicEngineFatalMessage("character value out of range, try a " - "binary buffer for dynamic rule [%d:%d]\n", + "binary buffer for dynamic rule [%d:%d]\n", rule->info.genID, rule->info.sigID); } } @@ -577,9 +612,9 @@ pat_idx++; char_count++; } - + /* Now, tmp_buf contains the decoded ascii & raw binary from the patter */ - content->patternByteForm = (u_int8_t *)calloc(tmp_len, sizeof(u_int8_t)); + content->patternByteForm = (uint8_t *)calloc(tmp_len, sizeof(uint8_t)); if (content->patternByteForm == NULL) { DynamicEngineFatalMessage("Failed to allocate memory\n"); @@ -594,7 +629,7 @@ static unsigned int getNonRepeatingLength(char *data, int data_len) { int i, j; - + j = 0; for ( i = 1; i < data_len; i++ ) { @@ -745,13 +780,6 @@ "Base64Decode relative flag needs to 0 or 1"); } - if(content->bytes <= 0) - { - _ded.errMsg(content_error, - rule->info.genID, rule->info.sigID, - "Base64Decode bytes to decode cannot be negative or zero"); - return -1; - } return 0; } @@ -903,7 +931,38 @@ case OPTION_TYPE_BYTE_TEST: case OPTION_TYPE_BYTE_JUMP: + { + ByteData *byte = option->option_u.byte; + result = ByteDataInitialize(rule, byte); + + if (result) + { + rule->initialized = 0; + FreeOneRule(rule); + return -1; + } + } + + break; + + case OPTION_TYPE_CURSOR: + { + CursorInfo *cursor = option->option_u.cursor; + result = CursorInfoInitialize(rule, cursor); + + if (result) + { + rule->initialized = 0; + FreeOneRule(rule); + return -1; + } + } + + break; + case OPTION_TYPE_FILE_DATA: + case OPTION_TYPE_PKT_DATA: + case OPTION_TYPE_BASE64_DATA: default: /* nada */ break; @@ -1053,6 +1112,8 @@ case OPTION_TYPE_BYTE_TEST: case OPTION_TYPE_BYTE_JUMP: case OPTION_TYPE_FILE_DATA: + case OPTION_TYPE_PKT_DATA: + case OPTION_TYPE_BASE64_DATA: default: break; } @@ -1121,6 +1182,9 @@ case FLOWBIT_ISNOTSET: fprintf(fp, "isnotset,"); break; + case FLOWBIT_TOGGLE: + fprintf(fp, "toggle,"); + break; case FLOWBIT_RESET: fprintf(fp, "reset; "); print_name = 0; 
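Review bot: The hunk at `@@ -745,13 +780,6 @@` removes the only validation of `content->bytes` for base64_decode, so zero and negative byte counts now pass rule initialization; if zero is now meant as "decode everything", a comment at that spot should say so, and the negative case should still be rejected with `if (content->bytes < 0) { _ded.errMsg(content_error, rule->info.genID, rule->info.sigID, "Base64Decode bytes to decode cannot be negative"); return -1; }` unless the consumer of that field is known to treat it as signed (not visible here). The enclosing function starts before the hunk. In `@@ -903,7 +931,38 @@` the new BYTE_TEST/BYTE_JUMP and CURSOR cases each repeat the identical "rule->initialized = 0; FreeOneRule(rule); return -1;" failure sequence; a small static helper would keep that cleanup in one place.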
@@ -1196,7 +1260,7 @@ if ((strlen(_ded.dataDumpDirectory) + strlen(DIR_SEP) + strlen(rulesFileName) + strlen(".rules")) > PATH_MAX) return -1; - snprintf(ruleFile, PATH_MAX, "%s%s%s.rules", + snprintf(ruleFile, PATH_MAX, "%s%s%s.rules", _ded.dataDumpDirectory, DIR_SEP, rulesFileName); ruleFile[PATH_MAX] = '\0'; ruleFP = fopen(ruleFile, "w"); diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h 2011-06-07 17:33:11.000000000 -0700 
@@ -0,0 +1,42 @@
+/*
+ * sf_snort_detection_engine.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Date: 4/2011
+ *
+ * Common definitions for the Dyanmic Rule Engine
+ */
+
+#ifndef SF_SNORT_DETECTION_ENGINE__H
+#define SF_SNORT_DETECTION_ENGINE__H
+
+int BoyerContentSetup(Rule *rule, ContentInfo *content);
+int PCRESetup(Rule *rule, PCREInfo *pcreInfo);
+int ValidateHeaderCheck(Rule *rule, HdrOptCheck *optData);
+void ContentSetup(void);
+int ByteExtractInitialize(Rule *rule, ByteExtract *extractData);
+int LoopInfoInitialize(Rule *rule, LoopInfo *loopInfo);
+int ByteDataInitialize(Rule *rule, ByteData *byte);
+int CursorInfoInitialize(Rule *rule, CursorInfo *cursor);
+
+
+
+#endif /* SF_SNORT_DETECTION_ENGINE__H */
diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_packet.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_packet.h
--- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_packet.h 2010-09-27 08:28:13.000000000 -0700
+++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_packet.h 2011-11-21 12:15:24.000000000 -0800
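Review bot: The new header uses Rule, ContentInfo, PCREInfo, HdrOptCheck, ByteExtract, LoopInfo, ByteData and CursorInfo without including the header that defines them, so it only compiles when the including file has already pulled those types in (sf_snort_detection_engine.c includes it after sf_snort_plugin_api.h and sf_dynamic_engine.h); adding the defining include, presumably sf_snort_plugin_api.h, makes the header self-contained. The guard `SF_SNORT_DETECTION_ENGINE__H` contains a double underscore, which C reserves for the implementation; `SF_SNORT_DETECTION_ENGINE_H` avoids that. The description comment reads "Dyanmic" for "Dynamic".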
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -30,10 +30,6 @@ #ifndef _SF_SNORT_PACKET_H_ #define _SF_SNORT_PACKET_H_ -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - #ifndef WIN32 #include <sys/types.h> #include <netinet/in.h> @@ -46,18 +42,21 @@ #include <sfbpf_dlt.h> #include "sf_ip.h" +#include "sf_protocols.h" #define VLAN_HDR_LEN 4 // for vrt backwards compatibility #define pcap_header pkt_header +typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type); + typedef DAQ_PktHdr_t SFDAQ_PktHdr_t; typedef struct _VlanHeader { - u_int16_t vth_pri_cfi_vlan; - u_int16_t vth_proto; /* protocol field... */ + uint16_t vth_pri_cfi_vlan; + uint16_t vth_proto; /* protocol field... */ } VlanHeader; @@ -69,9 +68,9 @@ typedef struct _EtherHeader { - u_int8_t ether_destination[6]; - u_int8_t ether_source[6]; - u_int16_t ethernet_type; + uint8_t ether_destination[6]; + uint8_t ether_source[6]; + uint16_t ethernet_type; } EtherHeader; @@ -99,20 +98,21 @@ typedef struct _IPV4Header { - u_int8_t version_headerlength; - u_int8_t type_service; - u_int16_t data_length; - u_int16_t identifier; - u_int16_t offset; - u_int8_t time_to_live; - u_int8_t proto; - u_int16_t checksum; + uint8_t version_headerlength; + uint8_t type_service; + uint16_t data_length; + uint16_t identifier; + uint16_t offset; + uint8_t time_to_live; + uint8_t proto; + uint16_t checksum; struct in_addr source; struct in_addr destination; } IPV4Header; +#define MAX_LOG_FUNC 32 #define MAX_IP_OPTIONS 40 -#define MAX_IP6_EXTENSIONS 40 +#define MAX_IP6_EXTENSIONS 8 /* ip option codes */ #define IPOPTION_EOL 0x00 #define IPOPTION_NOP 0x01 
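Review bot: `MAX_IP6_EXTENSIONS` drops from 40 to 8 in `@@ -99,20 +98,21 @@` with no comment; if an array in the packet structure shared with dynamic plugins is sized by it (that struct is outside this hunk), the change alters the layout and any loop still bounded by the old value, so a one-line comment at the define naming the reason (and that the engine MINOR_VERSION bump is the compatibility signal) would help the next reader. The removed `#include <config.h>` means this public header now depends on the including file having defined the feature macros first; a short note under the include guard saying so would save plugin authors a confusing build. The new `LogFunction` typedef and `MAX_LOG_FUNC` carry no comment describing who registers these callbacks or who owns the buffer returned through `buf`.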
@@ -127,9 +127,9 @@ typedef struct _IPOptions { - u_int8_t option_code; - u_int8_t length; - u_int8_t *option_data; + uint8_t option_code; + uint8_t length; + uint8_t *option_data; } IPOptions; @@ -137,15 +137,15 @@ typedef struct _TCPHeader { - u_int16_t source_port; - u_int16_t destination_port; - u_int32_t sequence; - u_int32_t acknowledgement; - u_int8_t offset_reserved; - u_int8_t flags; - u_int16_t window; - u_int16_t checksum; - u_int16_t urgent_pointer; + uint16_t source_port; + uint16_t destination_port; + uint32_t sequence; + uint32_t acknowledgement; + uint8_t offset_reserved; + uint8_t flags; + uint16_t window; + uint16_t checksum; + uint16_t urgent_pointer; } TCPHeader; #define TCPHEADER_FIN 0x01 @@ -154,8 +154,8 @@ #define TCPHEADER_PUSH 0x08 #define TCPHEADER_ACK 0x10 #define TCPHEADER_URG 0x20 -#define TCPHEADER_RES2 0x40 -#define TCPHEADER_RES1 0x80 +#define TCPHEADER_ECE 0x40 +#define TCPHEADER_CWR 0x80 #define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \ |TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG) @@ -180,28 +180,28 @@ typedef struct _UDPHeader { - u_int16_t source_port; - u_int16_t destination_port; - u_int16_t data_length; - u_int16_t checksum; + uint16_t source_port; + uint16_t destination_port; + uint16_t data_length; + uint16_t checksum; } UDPHeader; typedef struct _ICMPSequenceID { - u_int16_t id; - u_int16_t seq; + uint16_t id; + uint16_t seq; } ICMPSequenceID; typedef struct _ICMPHeader { - u_int8_t type; - u_int8_t code; - u_int16_t checksum; + uint8_t type; + uint8_t code; + uint16_t checksum; union { /* type 12 */ - u_int8_t parameter_problem_ptr; + uint8_t parameter_problem_ptr; /* type 5 */ struct in_addr gateway_addr; 
@@ -211,25 +211,25 @@ /* type 13, 14 */ ICMPSequenceID timestamp; - + /* type 15, 16 */ ICMPSequenceID info; - + int voidInfo; /* type 3/code=4 (Path MTU, RFC 1191) */ struct path_mtu { - u_int16_t voidInfo; - u_int16_t next_mtu; + uint16_t voidInfo; + uint16_t next_mtu; } path_mtu; /* type 9 */ - struct router_advertisement + struct router_advertisement { - u_int8_t number_addrs; - u_int8_t entry_size; - u_int16_t lifetime; + uint8_t number_addrs; + uint8_t entry_size; + uint16_t lifetime; } router_advertisement; } icmp_header_union; @@ -247,32 +247,32 @@ #define icmp_ra_entry_size icmp_header_union.router_advertisement.entry_size #define icmp_ra_lifetime icmp_header_union.router_advertisement.lifetime - union + union { /* timestamp */ - struct timestamp + struct timestamp { - u_int32_t orig; - u_int32_t receive; - u_int32_t transmit; + uint32_t orig; + uint32_t receive; + uint32_t transmit; } timestamp; - + /* IP header for unreach */ - struct ipv4_header + struct ipv4_header { IPV4Header *ip; /* options and then 64 bits of data */ } ipv4_header; - - /* Router Advertisement */ - struct router_address + + /* Router Advertisement */ + struct router_address { - u_int32_t addr; - u_int32_t preference; + uint32_t addr; + uint32_t preference; } router_address; /* type 17, 18 */ - u_int32_t mask; + uint32_t mask; char data[1]; 
@@ -312,60 +312,60 @@ typedef struct _IPv6Extension { - u_int8_t option_type; - const u_int8_t *option_data; + uint8_t option_type; + const uint8_t *option_data; } IP6Extension; typedef struct _IPv4Hdr { - u_int8_t ip_verhl; /* version & header length */ - u_int8_t ip_tos; /* type of service */ - u_int16_t ip_len; /* datagram length */ - u_int16_t ip_id; /* identification */ - u_int16_t ip_off; /* fragment offset */ - u_int8_t ip_ttl; /* time to live field */ - u_int8_t ip_proto; /* datagram protocol */ - u_int16_t ip_csum; /* checksum */ + uint8_t ip_verhl; /* version & header length */ + uint8_t ip_tos; /* type of service */ + uint16_t ip_len; /* datagram length */ + uint16_t ip_id; /* identification */ + uint16_t ip_off; /* fragment offset */ + uint8_t ip_ttl; /* time to live field */ + uint8_t ip_proto; /* datagram protocol */ + uint16_t ip_csum; /* checksum */ sfip_t ip_src; /* source IP */ sfip_t ip_dst; /* dest IP */ } IP4Hdr; typedef struct _IP6RawHdr { - u_int32_t vcl; // version, class, and label */ - u_int16_t payload_len; // length of the payload */ - u_int8_t next_header; // same values as ip4 protocol field + new ip6 values - u_int8_t hop_limit; // same usage as ip4 ttl + uint32_t vcl; // version, class, and label */ + uint16_t payload_len; // length of the payload */ + uint8_t next_header; // same values as ip4 protocol field + new ip6 values + uint8_t hop_limit; // same usage as ip4 ttl struct in6_addr src_addr; struct in6_addr dst_addr; } IP6RawHdr; typedef struct _IPv6Hdr -{ - u_int32_t vcl; /* version, class, and label */ - u_int16_t len; /* length of the payload */ - u_int8_t next; /* next header +{ + uint32_t vcl; /* version, class, and label */ + uint16_t len; /* length of the payload */ + uint8_t next; /* next header * Uses the same flags as * the IPv4 protocol field */ - u_int8_t hop_lmt; /* hop limit */ + uint8_t hop_lmt; /* hop limit */ sfip_t ip_src; sfip_t ip_dst; -} IP6Hdr; +} IP6Hdr; -typedef struct _IP6FragHdr +typedef struct 
_IP6FragHdr { - u_int8_t ip6f_nxt; /* next header */ - u_int8_t ip6f_reserved; /* reserved field */ - u_int16_t ip6f_offlg; /* offset, reserved, and flag */ - u_int32_t ip6f_ident; /* identification */ + uint8_t ip6f_nxt; /* next header */ + uint8_t ip6f_reserved; /* reserved field */ + uint16_t ip6f_offlg; /* offset, reserved, and flag */ + uint32_t ip6f_ident; /* identification */ } IP6FragHdr; typedef struct _ICMP6 { - u_int8_t type; - u_int8_t code; - u_int16_t csum; + uint8_t type; + uint8_t code; + uint16_t csum; } ICMP6Hdr; 
@@ -383,76 +383,89 @@ /* IPHeader access calls */ -sfip_t * ip4_ret_src(struct _SFSnortPacket *); -sfip_t * ip4_ret_dst(struct _SFSnortPacket *); -u_int16_t ip4_ret_tos(struct _SFSnortPacket *); -u_int8_t ip4_ret_ttl(struct _SFSnortPacket *); -u_int16_t ip4_ret_len(struct _SFSnortPacket *); -u_int32_t ip4_ret_id(struct _SFSnortPacket *); -u_int8_t ip4_ret_proto(struct _SFSnortPacket *); -u_int16_t ip4_ret_off(struct _SFSnortPacket *); -u_int8_t ip4_ret_ver(struct _SFSnortPacket *); -u_int8_t ip4_ret_hlen(struct _SFSnortPacket *); - -sfip_t * orig_ip4_ret_src(struct _SFSnortPacket *); -sfip_t * orig_ip4_ret_dst(struct _SFSnortPacket *); -u_int16_t orig_ip4_ret_tos(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_ttl(struct _SFSnortPacket *); -u_int16_t orig_ip4_ret_len(struct _SFSnortPacket *); -u_int32_t orig_ip4_ret_id(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_proto(struct _SFSnortPacket *); -u_int16_t orig_ip4_ret_off(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_ver(struct _SFSnortPacket *); -u_int8_t orig_ip4_ret_hlen(struct _SFSnortPacket *); - -sfip_t * ip6_ret_src(struct _SFSnortPacket *); -sfip_t * ip6_ret_dst(struct _SFSnortPacket *); -u_int16_t ip6_ret_toc(struct _SFSnortPacket *); -u_int8_t ip6_ret_hops(struct _SFSnortPacket *); -u_int16_t ip6_ret_len(struct _SFSnortPacket *); -u_int32_t ip6_ret_id(struct _SFSnortPacket *); -u_int8_t ip6_ret_next(struct _SFSnortPacket *); -u_int16_t ip6_ret_off(struct _SFSnortPacket *); -u_int8_t ip6_ret_ver(struct _SFSnortPacket *); -u_int8_t ip6_ret_hlen(struct _SFSnortPacket *); - -sfip_t * orig_ip6_ret_src(struct _SFSnortPacket *); -sfip_t * orig_ip6_ret_dst(struct _SFSnortPacket *); -u_int16_t orig_ip6_ret_toc(struct _SFSnortPacket *); -u_int8_t orig_ip6_ret_hops(struct _SFSnortPacket *); -u_int16_t orig_ip6_ret_len(struct _SFSnortPacket *); -u_int32_t orig_ip6_ret_id(struct _SFSnortPacket *); -u_int8_t orig_ip6_ret_next(struct _SFSnortPacket *); -u_int16_t orig_ip6_ret_off(struct _SFSnortPacket *); 
-u_int8_t orig_ip6_ret_ver(struct _SFSnortPacket *); -u_int8_t orig_ip6_ret_hlen(struct _SFSnortPacket *); - -typedef struct _IPH_API -{ - sfip_t * (*iph_ret_src)(struct _SFSnortPacket *); - sfip_t * (*iph_ret_dst)(struct _SFSnortPacket *); - u_int16_t (*iph_ret_tos)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_ttl)(struct _SFSnortPacket *); - u_int16_t (*iph_ret_len)(struct _SFSnortPacket *); - u_int32_t (*iph_ret_id)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_proto)(struct _SFSnortPacket *); - u_int16_t (*iph_ret_off)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_ver)(struct _SFSnortPacket *); - u_int8_t (*iph_ret_hlen)(struct _SFSnortPacket *); - - sfip_t * (*orig_iph_ret_src)(struct _SFSnortPacket *); - sfip_t * (*orig_iph_ret_dst)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_tos)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_ttl)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_len)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_id)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_proto)(struct _SFSnortPacket *); - u_int16_t (*orig_iph_ret_off)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_ver)(struct _SFSnortPacket *); - u_int8_t (*orig_iph_ret_hlen)(struct _SFSnortPacket *); +sfip_t * ip4_ret_src(const struct _SFSnortPacket *); +sfip_t * ip4_ret_dst(const struct _SFSnortPacket *); +uint16_t ip4_ret_tos(const struct _SFSnortPacket *); +uint8_t ip4_ret_ttl(const struct _SFSnortPacket *); +uint16_t ip4_ret_len(const struct _SFSnortPacket *); +uint32_t ip4_ret_id(const struct _SFSnortPacket *); +uint8_t ip4_ret_proto(const struct _SFSnortPacket *); +uint16_t ip4_ret_off(const struct _SFSnortPacket *); +uint8_t ip4_ret_ver(const struct _SFSnortPacket *); +uint8_t ip4_ret_hlen(const struct _SFSnortPacket *); + +sfip_t * orig_ip4_ret_src(const struct _SFSnortPacket *); +sfip_t * orig_ip4_ret_dst(const struct _SFSnortPacket *); +uint16_t orig_ip4_ret_tos(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_ttl(const struct 
_SFSnortPacket *); +uint16_t orig_ip4_ret_len(const struct _SFSnortPacket *); +uint32_t orig_ip4_ret_id(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_proto(const struct _SFSnortPacket *); +uint16_t orig_ip4_ret_off(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_ver(const struct _SFSnortPacket *); +uint8_t orig_ip4_ret_hlen(const struct _SFSnortPacket *); + +sfip_t * ip6_ret_src(const struct _SFSnortPacket *); +sfip_t * ip6_ret_dst(const struct _SFSnortPacket *); +uint16_t ip6_ret_toc(const struct _SFSnortPacket *); +uint8_t ip6_ret_hops(const struct _SFSnortPacket *); +uint16_t ip6_ret_len(const struct _SFSnortPacket *); +uint32_t ip6_ret_id(const struct _SFSnortPacket *); +uint8_t ip6_ret_next(const struct _SFSnortPacket *); +uint16_t ip6_ret_off(const struct _SFSnortPacket *); +uint8_t ip6_ret_ver(const struct _SFSnortPacket *); +uint8_t ip6_ret_hlen(const struct _SFSnortPacket *); + +sfip_t * orig_ip6_ret_src(const struct _SFSnortPacket *); +sfip_t * orig_ip6_ret_dst(const struct _SFSnortPacket *); +uint16_t orig_ip6_ret_toc(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_hops(const struct _SFSnortPacket *); +uint16_t orig_ip6_ret_len(const struct _SFSnortPacket *); +uint32_t orig_ip6_ret_id(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_next(const struct _SFSnortPacket *); +uint16_t orig_ip6_ret_off(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_ver(const struct _SFSnortPacket *); +uint8_t orig_ip6_ret_hlen(const struct _SFSnortPacket *); + +typedef struct _IPH_API +{ + sfip_t * (*iph_ret_src)(const struct _SFSnortPacket *); + sfip_t * (*iph_ret_dst)(const struct _SFSnortPacket *); + uint16_t (*iph_ret_tos)(const struct _SFSnortPacket *); + uint8_t (*iph_ret_ttl)(const struct _SFSnortPacket *); + uint16_t (*iph_ret_len)(const struct _SFSnortPacket *); + uint32_t (*iph_ret_id)(const struct _SFSnortPacket *); + uint8_t (*iph_ret_proto)(const struct _SFSnortPacket *); + uint16_t (*iph_ret_off)(const struct _SFSnortPacket *); + 
uint8_t (*iph_ret_ver)(const struct _SFSnortPacket *); + uint8_t (*iph_ret_hlen)(const struct _SFSnortPacket *); + + sfip_t * (*orig_iph_ret_src)(const struct _SFSnortPacket *); + sfip_t * (*orig_iph_ret_dst)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_tos)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_ttl)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_len)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_id)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_proto)(const struct _SFSnortPacket *); + uint16_t (*orig_iph_ret_off)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_ver)(const struct _SFSnortPacket *); + uint8_t (*orig_iph_ret_hlen)(const struct _SFSnortPacket *); char version; } IPH_API; +typedef enum { + PSEUDO_PKT_IP, + PSEUDO_PKT_TCP, + PSEUDO_PKT_DCE_RPKT, + PSEUDO_PKT_SMB_SEG, + PSEUDO_PKT_DCE_SEG, + PSEUDO_PKT_DCE_FRAG, + PSEUDO_PKT_SMB_TRANS, + PSEUDO_PKT_PS, + PSEUDO_PKT_SDF, + PSEUDO_PKT_MAX +} PseudoPacketType; + #ifdef SUP_IP6 #include "ipv6_port.h" @@ -465,7 +478,7 @@ extern IPH_API ip4; extern IPH_API ip6; -#define iph_is_valid(p) (p->family != NO_IP) +#define iph_is_valid(p) ((p)->family != NO_IP) #define NO_IP 0 @@ -474,25 +487,16 @@ typedef struct _MplsHdr { - u_int32_t label; - u_int8_t exp; - u_int8_t bos; - u_int8_t ttl; + uint32_t label; + uint8_t exp; + uint8_t bos; + uint8_t ttl; } MplsHdr; #define MAX_PROTO_LAYERS 32 -typedef enum { - PROTOCOL_ETH, - PROTOCOL_IP4, - PROTOCOL_ICMP4, - PROTOCOL_UDP, - PROTOCOL_TCP, - PROTOCOL_MAX -} PROTOCOL_ID; - typedef struct { - PROTOCOL_ID proto_id; + PROTO_ID proto_id; uint16_t proto_length; uint8_t* proto_start; } ProtoLayer; 
@@ -500,15 +504,16 @@ typedef struct _SFSnortPacket { const SFDAQ_PktHdr_t *pkt_header; /* Is this GPF'd? */ - const u_int8_t *pkt_data; + const uint8_t *pkt_data; void *ether_arp_header; const EtherHeader *ether_header; const void *vlan_tag_header; void *ether_header_llc; void *ether_header_other; + const void *ppp_over_ether_header; const void *gre_header; - u_int32_t *mpls; + uint32_t *mpls; const IPV4Header *ip4_header, *orig_ip4_header; const IPV4Header *inner_ip4_header; @@ -519,17 +524,18 @@ const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */ const ICMPHeader *icmp_header, *orig_icmp_header; - const u_int8_t *payload; - const u_int8_t *ip_payload; - const u_int8_t *outer_ip_payload; - const u_int8_t *ip_frag_start; - const u_int8_t *ip4_options_data; - const u_int8_t *tcp_options_data; + const uint8_t *payload; + const uint8_t *ip_payload; + const uint8_t *outer_ip_payload; + const uint8_t *ip_frag_start; + const uint8_t *ip4_options_data; + const uint8_t *tcp_options_data; void *stream_session_ptr; void *fragmentation_tracking_ptr; void *flow_ptr; void *stream_ptr; + void *policyEngineData; IP4Hdr *ip4h, *orig_ip4h; IP6Hdr *ip6h, *orig_ip6h; 
@@ -555,51 +561,54 @@ //int ip_payload_length; //int ip_payload_offset; - u_int32_t preprocessor_bit_mask; - u_int32_t preproc_reassembly_pkt_bit_mask; + uint32_t preprocessor_bit_mask; + uint32_t preproc_reassembly_pkt_bit_mask; - u_int32_t pcap_cap_len; - u_int32_t http_pipeline_count; - u_int32_t flags; - u_int16_t proto_bits; - u_int16_t data_flags; - - u_int16_t payload_size; - u_int16_t ip_payload_size; - u_int16_t normalized_payload_size; - u_int16_t actual_ip_length; - u_int16_t outer_ip_payload_size; - - u_int16_t ip_fragment_offset; - u_int16_t ip_frag_length; - u_int16_t ip4_options_length; - u_int16_t tcp_options_length; - - u_int16_t src_port; - u_int16_t dst_port; - u_int16_t orig_src_port; - u_int16_t orig_dst_port; + uint32_t http_pipeline_count; + uint32_t flags; + uint16_t proto_bits; + + uint16_t payload_size; + uint16_t ip_payload_size; + uint16_t normalized_payload_size; + uint16_t actual_ip_length; + uint16_t outer_ip_payload_size; + + uint16_t ip_fragment_offset; + uint16_t ip_frag_length; + uint16_t ip4_options_length; + uint16_t tcp_options_length; + + uint16_t src_port; + uint16_t dst_port; + uint16_t orig_src_port; + uint16_t orig_dst_port; int16_t application_protocol_ordinal; - u_int8_t ip_fragmented; - u_int8_t ip_more_fragments; - u_int8_t ip_dont_fragment; - u_int8_t ip_reserved; - - u_int8_t num_uris; - u_int8_t invalid_flags; - u_int8_t encapsulated; - - u_int8_t num_ip_options; - u_int8_t num_tcp_options; - u_int8_t num_ip6_extensions; - u_int8_t ip6_frag_extension; + uint8_t ip_fragmented; + uint8_t ip_more_fragments; + uint8_t ip_dont_fragment; + uint8_t ip_reserved; + + uint8_t num_uris; + uint8_t invalid_flags; + uint8_t encapsulated; + uint8_t GTPencapsulated; + + uint8_t num_ip_options; + uint8_t num_tcp_options; + uint8_t num_ip6_extensions; + uint8_t ip6_frag_extension; u_char ip_last_option_invalid_flag; u_char tcp_last_option_invalid_flag; uint8_t next_layer_index; + + uint32_t xtradata_mask; + uint32_t 
per_packet_xtradata; + #ifndef NO_NON_ETHER_DECODER const void *fddi_header; void *fddi_saps; @@ -621,11 +630,9 @@ #ifdef DLT_IEEE802_11 const void *wifi_header; #endif - const void *ppp_over_ether_header; - const void *ether_eapol_header; const void *eapol_headear; - const u_int8_t *eapol_type; + const uint8_t *eapol_type; void *eapol_key; #endif @@ -635,9 +642,12 @@ const IP6RawHdr* raw_ip6_header; ProtoLayer proto_layers[MAX_PROTO_LAYERS]; + + PseudoPacketType pseudo_type; uint16_t max_payload; - /**policyId provided in configuration file. Used for correlating configuration + + /**policyId provided in configuration file. Used for correlating configuration * with event output */ uint16_t configPolicyId; @@ -654,10 +664,6 @@ #define PROTO_BIT__TEREDO 0x0020 #define PROTO_BIT__ALL 0xffff -#define DATA_FLAGS_TRUE_IP 0x0001 -#define DATA_FLAGS_GZIP 0x0002 -#define DATA_FLAGS_RESP_BODY 0x0004 - #define IsIP(p) (IPH_IS_VALID(p)) #define IsTCP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_TCP)) #define IsUDP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_UDP)) 
@@ -674,66 +680,93 @@ ((tcp_header)->offset_reserved = \ (unsigned char)(((tcp_header)->offset_reserved & 0x0f) | (value << 4))) -#define FLAG_REBUILT_FRAG 0x00000001 -#define FLAG_REBUILT_STREAM 0x00000002 -#define FLAG_STREAM_UNEST_UNI 0x00000004 -#define FLAG_STREAM_UNEST_BI 0x00000008 - -//-------------------------------------- -// beware: these are redefined in dynamic-plugins/sf_dynamic_define.h! -#define FLAG_STREAM_EST 0x00000010 -#define FLAG_STATELESS 0x00000020 /* packet has matched a stateless rule */ -#define FLAG_FROM_SERVER 0x00000040 -#define FLAG_FROM_CLIENT 0x00000080 -//-------------------------------------- - -#define FLAG_HTTP_DECODE 0x00000100 -#define FLAG_OBFUSCATED 0x00000200 -#define FLAG_STREAM_INSERT 0x00000400 -#define FLAG_ALT_DECODE 0x00000800 - -#define FLAG_STREAM_TWH 0x00001000 -#define FLAG_IGNORE_PORT 0x00002000 /* this packet should be ignored, based on port */ -#define FLAG_PASS_RULE 0x00004000 /* this packet has matched a pass rule */ -#define FLAG_NO_DETECT 0x00008000 /* this packet should not be preprocessed */ - -#define FLAG_PREPROC_RPKT 0x00010000 /* set in original packet to indicate a pp - * has a reassembled packet */ -#define FLAG_DCE_RPKT 0x00020000 /* this is a DCE/RPC reassembled packet */ -#define FLAG_IP_RULE 0x00040000 /* this packet being evaluated against an ip rule */ +#define BIT(i) (0x1 << (i-1)) + + +// beware: some flags are redefined in dynamic-plugins/sf_dynamic_define.h! 
+#define FLAG_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */ +#define FLAG_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */ +#define FLAG_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and + * we've only seen traffic in one direction */ +#define FLAG_STREAM_EST 0x00000008 /* is from an established stream */ + +#define FLAG_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */ +#define FLAG_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */ +#define FLAG_FROM_SERVER 0x00000040 /* this packet came from the server + side of a connection (TCP) */ +#define FLAG_FROM_CLIENT 0x00000080 /* this packet came from the client + side of a connection (TCP) */ + +#define FLAG_PDU_HEAD 0x00000100 /* start of PDU */ +#define FLAG_PDU_TAIL 0x00000200 /* end of PDU */ +#define FLAG_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */ + /* don't alert if "next layer" is invalid. */ +#define FLAG_HTTP_DECODE 0x00000800 /* this packet has normalized http */ + +#define FLAG_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */ +#define FLAG_NO_DETECT 0x00002000 /* this packet should not be preprocessed */ +#define FLAG_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */ + /* or pipeline http requests */ +#define FLAG_PAYLOAD_OBFUSCATE 0x00008000 + +#define FLAG_STATELESS 0x00010000 /* Packet has matched a stateless rule */ +#define FLAG_PASS_RULE 0x00020000 /* this packet has matched a pass rule */ +#define FLAG_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */ #define FLAG_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */ -#define FLAG_SMB_SEG 0x00100000 /* this is an SMB desegmented packet */ -#define FLAG_DCE_SEG 0x00200000 /* this is a DCE/RPC desegmented packet */ -#define FLAG_DCE_FRAG 0x00400000 /* this is a DCE/RPC defragmented packet */ -#define FLAG_SMB_TRANS 0x00800000 /* this is an 
SMB Transact reassembled packet */ - -#define FLAG_DCE_PKT 0x01000000 /* a DCE packet processed by DCE/RPC pp */ -#define FLAG_RPC_PKT 0x02000000 /* an ONC RPC packet processed by rpc decode pp */ -#define FLAG_LOGGED 0x04000000 /* this packet has been logged */ +#define FLAG_LOGGED 0x00100000 /* this packet has been logged */ +#define FLAG_PSEUDO 0x00200000 /* is a pseudo packet */ +#define FLAG_MODIFIED 0x00400000 /* packet had normalizations, etc. */ #ifdef NORMALIZER -#define FLAG_RESIZED 0x08000000 /* packet has new size; must set modified too */ +#define FLAG_RESIZED 0x00800000 /* packet has new size; must set modified too */ #endif -#define FLAG_MODIFIED 0x10000000 /* packet had normalizations, etc. */ -#define FLAG_HTTP_RESP_BODY 0x20000000 /* packet contains non-zipped HTTP response Body */ -#define FLAG_ALLOW_MULTIPLE_DETECT 0x40000000 +// neither of these flags will be set for (full) retransmissions or non-data segments +// a partial overlap results in out of sequence condition +// out of sequence condition is sticky +#define FLAG_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */ +#define FLAG_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */ +#define FLAG_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */ + +// 0x0F800000 are available +#define FLAG_PDU_FULL (FLAG_PDU_HEAD | FLAG_PDU_TAIL) + +#define REASSEMBLED_PACKET_FLAGS (FLAG_REBUILT_STREAM|FLAG_REASSEMBLED_OLD) #define SFTARGET_UNKNOWN_PROTOCOL -1 -static INLINE int PacketWasCooked(SFSnortPacket* p) +static inline int PacketWasCooked(const SFSnortPacket* p) +{ + return ( p->flags & FLAG_PSEUDO ) != 0; +} + +static inline void SetLogFuncs(SFSnortPacket *p, uint32_t id, uint8_t per_packet) { - return ( p->flags & - ( FLAG_REBUILT_STREAM | FLAG_REBUILT_FRAG | - FLAG_DCE_RPKT | FLAG_DCE_SEG | FLAG_DCE_FRAG | - FLAG_SMB_SEG | FLAG_SMB_TRANS) ) != 0; + if(!id) + return; + if(per_packet) + p->per_packet_xtradata |= BIT(id); + else + p->xtradata_mask |= 
BIT(id); } -/* Only include application layer reassembled data - * flags here - no PKT_REBUILT_FRAG */ -#define REASSEMBLED_PACKET_FLAGS \ - (FLAG_REBUILT_STREAM|FLAG_SMB_SEG|FLAG_DCE_SEG|FLAG_DCE_FRAG|FLAG_SMB_TRANS) +#ifdef ENABLE_PAF +static inline int PacketHasFullPDU (const SFSnortPacket* p) +{ + return ( (p->flags & FLAG_PDU_FULL) == FLAG_PDU_FULL ); +} + +static inline int PacketHasStartOfPDU (const SFSnortPacket* p) +{ + return ( (p->flags & FLAG_PDU_HEAD) != 0 ); +} + +static inline int PacketHasPAFPayload (const SFSnortPacket* p) +{ + return ( (p->flags & FLAG_REBUILT_STREAM) || PacketHasFullPDU(p) ); +} +#endif #endif /* _SF_SNORT_PACKET_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c 2010-10-25 12:49:04.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
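Review bot: `#define BIT(i) (0x1 << (i-1))` neither parenthesizes its argument nor bounds the shift, and SetLogFuncs only rejects `id == 0`: with a signed `0x1`, `id == 32` shifts into the sign bit and `id > 32` shifts past the type width, both undefined in C11, while the masks it writes (`xtradata_mask`, `per_packet_xtradata`) are 32-bit. Suggest `#define BIT(i) (0x1u << ((i)-1))` and an upper bound in SetLogFuncs, e.g. `if (!id || id > 32) return;`, so a bad id from a caller cannot produce an undefined mask. Separately, the comment `// 0x0F800000 are available` is stale against the definitions just above it: 0x00800000 (FLAG_RESIZED), 0x01000000, 0x02000000 and 0x04000000 are all assigned in this hunk, so as far as these definitions show only 0x08000000 and up remain free, i.e. `// 0xF8000000 are available`.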
@@ -25,19 +25,49 @@ * * Dyanmic Rule Engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" +#include "sf_snort_detection_engine.h" +#include "sfghash.h" #define BLEN 65535 -const u_int8_t base64decodebuf[BLEN]; -u_int32_t base64decodesize; +const uint8_t base64decodebuf[BLEN]; +uint32_t base64decodesize; -/* Need access to the snort-isms that were passed to the engine */ -extern DynamicEngineData _ded; +int CursorInfoInitialize(Rule *rule, CursorInfo *cursor) +{ + void *memoryLocation; + /* Initialize byte_extract pointers */ + if (cursor->offset_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + cursor->offset_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, cursor->offset_refId); + if (memoryLocation) + { + cursor->offset_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + cursor->offset_refId, rule->info.genID, rule->info.sigID); + } + } + + return 0; +} /* * Get the start and end of the buffer, as divined by the packet flags. 
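Review bot: `const uint8_t base64decodebuf[BLEN];` defines a const object that this file later writes through a cast (`sfbase64decode(..., (uint8_t *)base64decodebuf, BLEN, ...)` in base64Decode); modifying an object defined `const` is undefined behaviour and the compiler is free to place the array in read-only storage, so the decode can fault at runtime. The `const` should simply be dropped (keeping whatever linkage the symbol has today), and the same applies to the automatic `const uint8_t base64_encodebuf[BLEN]` in base64Decode, which is handed to `sfUnfold` as an output buffer through the same cast. The commit only renames the element type on these lines, so the defect survives unchanged. As a style point, the two identical `DynamicEngineFatalMessage` calls in CursorInfoInitialize can be folded into one by testing `!rule->ruleData || !(memoryLocation = sfghash_find(...))` before a single fatal call.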
@@ -47,13 +77,23 @@ * return 1 if successful * return < 0 if unsuccessful */ -ENGINE_LINKAGE int getBuffer(void *packet, int flags, const u_int8_t **start, const u_int8_t **end) +ENGINE_LINKAGE int getBuffer(void *packet, int flags, const uint8_t **start, const uint8_t **end) { SFSnortPacket *p = (SFSnortPacket *)packet; - if ((flags & CONTENT_BUF_NORMALIZED) && (p->flags & FLAG_ALT_DECODE)) + + if ((flags & CONTENT_BUF_NORMALIZED) && (_ded.Is_DetectFlag(SF_FLAG_DETECT_ALL))) { - *start = _ded.altBuffer->data; - *end = *start + _ded.altBuffer->len; + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + *start = _ded.altDetect->data; + *end = *start + _ded.altDetect->len; + } + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + *start = _ded.altBuffer->data; + *end = *start + _ded.altBuffer->len; + } + } else if ((flags & CONTENT_BUF_RAW) || (flags & CONTENT_BUF_NORMALIZED)) { @@ -186,30 +226,6 @@ return CONTENT_TYPE_MISMATCH; } } - else if(flags & BUF_FILE_DATA) - { - if(p->flags & FLAG_ALT_DECODE) - { - *start = _ded.altBuffer->data; - *end = *start + _ded.altBuffer->len; - } - else - { - *start = *(_ded.fileDataBuf); - *end = *start + p->payload_size; - } - } - else if(flags & BUF_FILE_DATA_MIME) - { - *start = *(_ded.fileDataBuf); - *end = *start + *(_ded.mime_size); - } - else if(flags & BUF_BASE64_DECODE) - { - *start = base64decodebuf; - *end = *start+base64decodesize; - } - else { return CONTENT_TYPE_MISSING; @@ -219,7 +235,7 @@ } -int checkCursorSimple(const u_int8_t *cursor, int flags, const u_int8_t *start, const u_int8_t *end, int offset) +int checkCursorSimple(const uint8_t *cursor, int flags, const uint8_t *start, const uint8_t *end, int offset) { if ( cursor == NULL || !(flags & CONTENT_RELATIVE) ) cursor = start; 
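Review bot: The new outer branch in getBuffer, `(flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)`, is taken whenever the aggregate flag is set, but its body only assigns `*start`/`*end` when `SF_FLAG_ALT_DETECT` or `SF_FLAG_ALT_DECODE` is individually set; if `SF_FLAG_DETECT_ALL` can be true with neither sub-flag, the function proceeds with the caller's out-pointers untouched, and in checkCursorInternal/setCursorInternal those are uninitialized locals that then feed pointer comparisons. Unless something outside the hunk guards this, the branch needs a terminal `else { return CONTENT_TYPE_MISSING; }` (the error code already used later in this function), or the outer condition should test the two specific flags rather than the aggregate. getBuffer's body continues past the end of the hunk, so the fall-through path cannot be confirmed from here.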
@@ -231,10 +247,10 @@ } /* Returns one if cursor is within the buffer */ -int checkCursorInternal(void *p, int flags, int offset, const u_int8_t *cursor) +int checkCursorInternal(void *p, int flags, int offset, const uint8_t *cursor) { - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; int ret; SFSnortPacket *sp = (SFSnortPacket *) p; @@ -243,15 +259,15 @@ if ( ret < 0 ) { return ret; - } - + } + return checkCursorSimple(cursor, flags, start, end, offset); } -int setCursorInternal(void *p, int flags, int offset, const u_int8_t **cursor) +int setCursorInternal(void *p, int flags, int offset, const uint8_t **cursor) { - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; int ret; SFSnortPacket *sp = (SFSnortPacket *) p; @@ -265,7 +281,7 @@ if ( ret < 0 ) { return ret; - } + } if ( flags & JUMP_FROM_BEGINNING ) { @@ -301,23 +317,23 @@ /* API FUNCTIONS */ -/* +/* * Check cursor function - * + * * p: packet data structure, same as the one found in snort. * cursorInfo: data defined in the detection plugin for this rule cursor option * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * < 0 : error * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * CURSOR_IN_BOUNDS - if content specifier is found within buffer - * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer - * + * CURSOR_IN_BOUNDS - if content specifier is found within buffer + * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer + * * Notes: * Since we are checking the cursor position within a buffer, relativity is assumed. * To check absolute position within a buffer, a NULL pointer can be passed in. 
@@ -330,30 +346,36 @@ * normalized(alt-decode) * raw * uri - * + * */ -ENGINE_LINKAGE int checkCursor(void *p, CursorInfo* cursorInfo, const u_int8_t *cursor) +ENGINE_LINKAGE int checkCursor(void *p, CursorInfo* cursorInfo, const uint8_t *cursor) { + /* Get byte_extracted offset if present */ + if (cursorInfo->offset_location) + { + cursorInfo->offset = *cursorInfo->offset_location; + } + return checkCursorInternal(p, cursorInfo->flags, cursorInfo->offset, cursor); } -/* +/* * Set cursor function - * + * * p: packet data structure, same as the one found in snort. * cursorInfo: data defined in the detection plugin for this rule cursor option * cursor: updated to point to offset bytes after the buffer start * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * < 0 : error * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * CURSOR_IN_BOUNDS - if content specifier is found within buffer - * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer - * + * CURSOR_IN_BOUNDS - if content specifier is found within buffer + * CURSOR_OUT_OF_BOUNDS - if content specifier is not found within buffer + * * Notes: * * Currently support: 
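Review bot: checkCursor now writes the byte_extract value back into the shared rule option, `cursorInfo->offset = *cursorInfo->offset_location;`, so an offset taken from the bytes of one packet persists in `CursorInfo` for every later evaluation of that rule, and the per-packet value is only as bounded as checkCursorSimple makes it. A local would avoid mutating rule state on the packet path: `int offset = cursorInfo->offset_location ? *cursorInfo->offset_location : cursorInfo->offset;` followed by `return checkCursorInternal(p, cursorInfo->flags, offset, cursor);` (the pointee type of `offset_location` is not visible here, so a narrowing cast may be needed). Note also that setCursor in the next hunk passes `cursorInfo->offset` straight through with no equivalent `offset_location` lookup; if byte_extract offsets are meant to apply there too — fileData, pktData and base64Data all route through it — that path is missing the same handling.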
@@ -363,38 +385,38 @@ * normalized(alt-decode) * raw * uri - * + * */ -ENGINE_LINKAGE int setCursor(void *p, CursorInfo* cursorInfo, const u_int8_t **cursor) +ENGINE_LINKAGE int setCursor(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) { return setCursorInternal(p, cursorInfo->flags, cursorInfo->offset, cursor); } -ENGINE_LINKAGE void setTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor) +ENGINE_LINKAGE void setTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor) { *temp_cursor = *cursor; } -ENGINE_LINKAGE void revertTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor) +ENGINE_LINKAGE void revertTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor) { *cursor = *temp_cursor; } -/* +/* * Check flow function - * + * * p: packet data structure, same as the one found in snort. * flowFlags: data defined in the detection plugin for this rule option * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) * RULE_MATCH - if packet flow matches rule - * RULE_NOMATCH - if packet flow does not match rule - * + * RULE_NOMATCH - if packet flow does not match rule + * */ ENGINE_LINKAGE int checkFlow(void *p, FlowFlags *flowFlags) { @@ -420,21 +442,21 @@ return RULE_MATCH; } -/* +/* * Process flowbits function - * + * * p: packet data structure, same as the one found in snort. * flowBits: data defined in the detection plugin for this rule option * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) * RULE_MATCH - if flowbit operation succeeded - * RULE_NOMATCH - if flowbit operation failed - * + * RULE_NOMATCH - if flowbit operation failed + * */ ENGINE_LINKAGE int processFlowbits(void *p, FlowBitsInfo *flowBits) { 
@@ -446,24 +468,24 @@ } -/* +/* * Detect ASN1 function - * + * * p: packet data structure, same as the one found in snort. * asn1: data defined in the detection plugin for this rule option * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * RULE_MATCH - if asn1 specifier is found within buffer - * RULE_NOMATCH - if asn1 specifier is not found within buffer - * + * RULE_MATCH - if asn1 specifier is found within buffer + * RULE_NOMATCH - if asn1 specifier is not found within buffer + * */ -ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const u_int8_t *cursor) +ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const uint8_t *cursor) { /* asn1Detect returns non-zero if the options matched. */ if (_ded.asn1Detect(p, (void *) asn1, cursor)) 
@@ -472,13 +494,64 @@ return RULE_NOMATCH; } -ENGINE_LINKAGE int base64Decode(void *p, base64DecodeData *data, const u_int8_t *cursor) +ENGINE_LINKAGE int fileData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) { - const u_int8_t *start; - const u_int8_t *end; + int retVal = RULE_NOMATCH; + SFSnortPacket *sp = (SFSnortPacket *) p; + + if((sp->payload_size == 0) || (_ded.fileDataBuf->data == NULL) || (_ded.fileDataBuf->len == 0) ) + { + return RULE_NOMATCH; + } + _ded.SetAltDetect(_ded.fileDataBuf->data, _ded.fileDataBuf->len); + retVal = setCursor(p, cursorInfo, cursor); + + if( retVal > RULE_NOMATCH) + return RULE_MATCH; + + _ded.DetectFlag_Disable(SF_FLAG_ALT_DETECT); + + return retVal; +} + +ENGINE_LINKAGE int pktData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) +{ + int retVal = RULE_NOMATCH; + _ded.DetectFlag_Disable(SF_FLAG_ALT_DETECT); + cursorInfo->flags |= JUMP_FROM_BEGINNING; + retVal=setCursor(p, cursorInfo, cursor); + + return retVal; +} + +ENGINE_LINKAGE int base64Data(void *p, CursorInfo* cursorInfo, const uint8_t **cursor) +{ + int retVal = RULE_NOMATCH; + SFSnortPacket *sp = (SFSnortPacket *) p; + + if((sp->payload_size == 0) || !base64decodesize ) + return retVal; + + _ded.SetAltDetect((uint8_t *)base64decodebuf, (uint16_t)base64decodesize); + retVal = setCursor(p, cursorInfo, cursor); + + if( retVal > RULE_NOMATCH) + return RULE_MATCH; + + _ded.DetectFlag_Disable(SF_FLAG_ALT_DETECT); + return retVal; +} + + + + +ENGINE_LINKAGE int base64Decode(void *p, base64DecodeData *data, const uint8_t *cursor) +{ + const uint8_t *start; + const uint8_t *end; int ret; - const u_int8_t base64_encodebuf[BLEN]; - u_int32_t base64_encodesize = 0; + const uint8_t base64_encodebuf[BLEN]; + uint32_t base64_encodesize = 0; SFSnortPacket *sp = (SFSnortPacket *) p; ret = getBuffer(sp, CONTENT_BUF_RAW, &start, &end); 
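Review bot: pktData permanently modifies the rule's shared option with `cursorInfo->flags |= JUMP_FROM_BEGINNING;` on every packet; it is idempotent, but it means the stored rule data differs after the first evaluation from what the parser produced, which complicates any later code that reads or prints `flags`. A local copy keeps the option immutable: `CursorInfo ci = *cursorInfo; ci.flags |= JUMP_FROM_BEGINNING; return setCursor(p, &ci, cursor);`. In base64Data, the gate `if((sp->payload_size == 0) || !base64decodesize)` relies on a file-scope counter that nothing here resets between packets, so if a rule can reach base64Data without base64Decode having run on the current packet (I cannot see whether the rule parser enforces that ordering), it would match against the previous packet's decoded bytes; clearing `base64decodesize` at the start of base64Decode and documenting the ordering requirement would make this explicit. The `(uint16_t)base64decodesize` narrowing is safe only because `sfbase64decode` is capped at `BLEN` (65535); a short comment tying the cast to `BLEN` would stop a future change to the cap from silently truncating the length.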
@@ -501,7 +574,7 @@ if( start > end ) return RULE_NOMATCH; - if(_ded.sfUnfold(start, end-start, (u_int8_t *)base64_encodebuf, sizeof(base64_encodebuf), &base64_encodesize) != 0) + if(_ded.sfUnfold(start, end-start, (uint8_t *)base64_encodebuf, sizeof(base64_encodebuf), &base64_encodesize) != 0) { return RULE_NOMATCH; } @@ -511,7 +584,7 @@ base64_encodesize = data->bytes; } - if(_ded.sfbase64decode((u_int8_t *)base64_encodebuf, base64_encodesize, (u_int8_t *)base64decodebuf, BLEN, &base64decodesize) != 0) + if(_ded.sfbase64decode((uint8_t *)base64_encodebuf, base64_encodesize, (uint8_t *)base64decodebuf, BLEN, &base64decodesize) != 0) { return RULE_NOMATCH; } @@ -520,13 +593,33 @@ return RULE_MATCH; } -/* +ENGINE_LINKAGE int isDetectFlag(SFDetectFlagType df) +{ + return _ded.Is_DetectFlag(df); +} + +ENGINE_LINKAGE void detectFlagDisable(SFDetectFlagType df) +{ + _ded.DetectFlag_Disable(df); +} + +ENGINE_LINKAGE int getAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr) +{ + return _ded.GetAltDetect(bufPtr, altLenPtr); +} + +ENGINE_LINKAGE void setAltDetect(uint8_t *buf, uint16_t altLen) +{ + _ded.SetAltDetect(buf, altLen); +} + +/* * Store Rule Specific session data - * + * * p: packet data structure, same as the one found in snort. * rule_data: data to store in the session * - * Returns: + * Returns: * nothing * */ @@ -539,12 +632,12 @@ return RULE_MATCH; } -/* +/* * Retrieve Rule Specific session data - * + * * p: packet data structure, same as the one found in snort. * - * Returns: + * Returns: * pointer to rule specific session data, NULL if none available * */ 
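Review bot: The four new exported wrappers `isDetectFlag`, `detectFlagDisable`, `getAltDetect` and `setAltDetect` are the only engine entry points in this file without the block comment every neighbour carries, and their declarations in the `@@ -404,35 +411,44 @@` hunk of sf_snort_plugin_api.h are bare as well. Since `setAltDetect` hands a plugin-supplied pointer to the engine, which `contentMatch` later reads back as `_ded.altDetect->data`, the lifetime contract is what a plugin author needs: `/* Redirect detection to buf[0..altLen); the engine presumably keeps the pointer, so buf must stay valid for the rest of this packet's evaluation. */` One-liners for the other three, stating that `getAltDetect` reports the current buffer and does not copy it, would complete the set.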
@@ -563,24 +656,24 @@ _ded.freeRuleData(data); } -/* +/* * Preprocessor Defined Detection - * + * * p: packet data structure, same as the one found in snort. * preprocOpt: data defined in the detection plugin for this rule preprocessor specific option * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) * RULE_MATCH - if preprocessor indicates match * RULE_NOMATCH - if preprocessor indicates no match - * + * */ -ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const u_int8_t **cursor) +ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const uint8_t **cursor) { PreprocOptionEval evalFunc = (PreprocOptionEval)preprocOpt->optionEval; @@ -632,6 +725,8 @@ break; case OPTION_TYPE_HDR_CHECK: case OPTION_TYPE_FILE_DATA: + case OPTION_TYPE_PKT_DATA: + case OPTION_TYPE_BASE64_DATA: case OPTION_TYPE_PREPROCESSOR: /* Never relative */ break; 
@@ -640,34 +735,34 @@ return relative; } -/* +/* * ruleMatch - * + * * p: packet data structure, same as the one found in snort. * options: NULL terminated list of rule options * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * RULE_MATCH - if asn1 specifier is found within buffer - * RULE_NOMATCH - if asn1 specifier is not found within buffer - * + * RULE_MATCH - if asn1 specifier is found within buffer + * RULE_NOMATCH - if asn1 specifier is not found within buffer + * */ -int ruleMatchInternal(SFSnortPacket *p, Rule* rule, u_int32_t optIndex, const u_int8_t **cursor) +int ruleMatchInternal(SFSnortPacket *p, Rule* rule, uint32_t optIndex, const uint8_t **cursor) { - const u_int8_t *thisCursor = NULL, *startCursor = NULL; - const u_int8_t *tmpCursor = NULL; + const uint8_t *thisCursor = NULL, *startCursor = NULL; + const uint8_t *tmpCursor = NULL; int retVal = RULE_NOMATCH; - u_int32_t notFlag = 0; + uint32_t notFlag = 0; int thisType; ContentInfo *thisContentInfo = NULL; int startAdjust = 0; - u_int32_t origFlags = 0; + uint32_t origFlags = 0; int32_t origOffset = 0; - u_int32_t origDepth = 0; + uint32_t origDepth = 0; int continueLoop = 1; PCREInfo *thisPCREInfo = NULL; 
@@ -741,7 +836,15 @@ notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; break; case OPTION_TYPE_FILE_DATA: - retVal = setCursor(p, rule->options[optIndex]->option_u.cursor, &thisCursor); + retVal = fileData(p, rule->options[optIndex]->option_u.cursor, &thisCursor); + notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; + break; + case OPTION_TYPE_PKT_DATA: + retVal = pktData(p, rule->options[optIndex]->option_u.cursor, &thisCursor); + notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; + break; + case OPTION_TYPE_BASE64_DATA: + retVal = base64Data(p, rule->options[optIndex]->option_u.cursor, &thisCursor); notFlag = rule->options[optIndex]->option_u.cursor->flags & NOT_FLAG; break; case OPTION_TYPE_BASE64_DECODE: @@ -853,7 +956,7 @@ /* And only if the next option is relative */ if (!isRelativeOption(rule->options[optIndex+1])) { - /* Match failed, next option is not relative. + /* Match failed, next option is not relative. * We're done. */ retVal = nestedRetVal; break; diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -29,10 +29,6 @@ #ifndef SF_SNORT_PLUGIN_API_H_ #define SF_SNORT_PLUGIN_API_H_ -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - #include "pcre.h" #include "stdio.h" 
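Review bot: Dropping `#include <config.h>` from sf_snort_plugin_api.h makes this public header depend on its includer for the `uint8_t`/`uint32_t` types it now uses throughout (the .c files in this diff gain their own `#include "config.h"`, so in-tree builds are covered). If nothing among the header's other includes outside this hunk pulls in `<stdint.h>`, an out-of-tree rule library that includes only this header will fail to compile; adding `#include <stdint.h>` next to `#include "stdio.h"` removes the dependency. The three new `case` arms in `ruleMatchInternal` (hunk `@@ -741,7 +836,15 @@`) repeat the `notFlag = ...` line verbatim; a comment such as `/* cursor-setting options: result negated by NOT_FLAG, same as setCursor */` would say why they are grouped, and `ruleMatchInternal` itself starts before and continues past this hunk.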
@@ -59,7 +55,7 @@ # ifdef SF_SNORT_ENGINE_DLL # define ENGINE_LINKAGE SO_PUBLIC # else -# define ENGINE_LINKAGE +# define ENGINE_LINKAGE # endif #else /* WIN32 */ # define ENGINE_LINKAGE SO_PUBLIC @@ -102,20 +98,20 @@ #define CONTENT_BUF_RAW_HEADER 0x20000 #define CONTENT_BUF_RAW_COOKIE 0x40000 #define CONTENT_BUF_STAT_CODE 0x80000 -#define CONTENT_BUF_STAT_MSG 0x100000 +#define CONTENT_BUF_STAT_MSG 0x40 /* This option implies the fast pattern flag */ -#define CONTENT_FAST_PATTERN_ONLY 0x200000 +#define CONTENT_FAST_PATTERN_ONLY 0x80 #define BYTE_LITTLE_ENDIAN 0x0000 #define BYTE_BIG_ENDIAN 0x1000 -#define EXTRACT_AS_BYTE 0x010000 -#define EXTRACT_AS_STRING 0x020000 #define EXTRACT_AS_DEC 0x100000 #define EXTRACT_AS_OCT 0x200000 #define EXTRACT_AS_HEX 0x400000 #define EXTRACT_AS_BIN 0x800000 +#define EXTRACT_AS_BYTE 0x20000000 +#define EXTRACT_AS_STRING 0x40000000 #define JUMP_FROM_BEGINNING 0x01000000 #define JUMP_ALIGN 0x02000000 @@ -124,7 +120,7 @@ #define BUF_FILE_DATA_MIME 0x08000000 #define BUF_BASE64_DECODE 0x10000000 -#define NOT_FLAG 0x10000000 +#define NOT_FLAG 0x80000000 #define CHECK_EQ 0 #define CHECK_NEQ 1 
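Review bot: The renumbering in this header changes the ABI of every compiled rule library: `NOT_FLAG` moves from `0x10000000` (which collided with `BUF_BASE64_DECODE 0x10000000` in the context line, so the move is needed) to `0x80000000`, and `CONTENT_BUF_STAT_MSG`/`CONTENT_FAST_PATTERN_ONLY` (which collided with `EXTRACT_AS_DEC`/`EXTRACT_AS_OCT`) and `EXTRACT_AS_BYTE`/`EXTRACT_AS_STRING` all move as well. A rule .so built against the old header would have its `NOT_FLAG` read as `BUF_BASE64_DECODE` and its other moved bits decode as unrelated flags, silently negating or misparsing rules instead of failing to load, so whatever version check the engine applies to loaded rule libraries (not visible here) should be bumped and the incompatibility stated in a comment above the defines; the struct growth of `ContentInfo`, `CursorInfo`, `ByteData` and `ByteExtract` in the next two hunks has the same effect. The new low values `0x40` and `0x80` also need checking against the `CONTENT_*` bits defined above this hunk, which are outside the diff.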
@@ -143,28 +139,34 @@ | CONTENT_BUF_COOKIE | CONTENT_BUF_HEADER | CONTENT_BUF_METHOD \ | CONTENT_BUF_RAW_URI | CONTENT_BUF_RAW_HEADER | CONTENT_BUF_RAW_COOKIE \ | CONTENT_BUF_STAT_CODE | CONTENT_BUF_STAT_MSG ) -#define URI_FAST_PATTERN_BUFS ( CONTENT_BUF_URI | CONTENT_BUF_METHOD \ - | CONTENT_BUF_HEADER | CONTENT_BUF_POST ) +#define URI_FAST_PATTERN_BUFS ( CONTENT_BUF_URI | CONTENT_BUF_HEADER \ + | CONTENT_BUF_POST ) typedef struct _ContentInfo { - const u_int8_t *pattern; - u_int32_t depth; + const uint8_t *pattern; + uint32_t depth; int32_t offset; - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t flags; /* must include a CONTENT_BUF_X */ void *boyer_ptr; - u_int8_t *patternByteForm; - u_int32_t patternByteFormLength; - u_int32_t incrementLength; - u_int16_t fp_offset; - u_int16_t fp_length; - u_int8_t fp_only; + uint8_t *patternByteForm; + uint32_t patternByteFormLength; + uint32_t incrementLength; + uint16_t fp_offset; + uint16_t fp_length; + uint8_t fp_only; + char *offset_refId; /* To match up with a DynamicElement refId */ + char *depth_refId; /* To match up with a DynamicElement refId */ + int32_t *offset_location; + uint32_t *depth_location; } ContentInfo; typedef struct _CursorInfo { int32_t offset; - u_int32_t flags; /* specify one of CONTENT_BUF_X */ + uint32_t flags; /* specify one of CONTENT_BUF_X */ + char *offset_refId; /* To match up with a DynamicElement refId */ + int32_t *offset_location; } CursorInfo; /* @@ -184,12 +186,12 @@ char *expr; void *compiled_expr; void *compiled_extra; - u_int32_t compile_flags; - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t compile_flags; + uint32_t flags; /* must include a CONTENT_BUF_X */ int32_t offset; } PCREInfo; -#define FLOWBIT_SET 0x01 +#define FLOWBIT_SET 0x01 #define FLOWBIT_UNSET 0x02 #define FLOWBIT_TOGGLE 0x04 #define FLOWBIT_ISSET 0x08 
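Review bot: The two pointer fields added to `ContentInfo` and the one added to `CursorInfo` carry no comment on how they relate to the `*_refId` strings beside them, while `BoyerContentSetup`/`ByteDataInitialize` in this diff fill them by looking the refId up in `rule->ruleData` and `contentMatch` then copies `*offset_location` over `offset` on every evaluation. Suggest `int32_t *offset_location; /* resolved from offset_refId at rule init, NULL when offset is static */` and `uint32_t *depth_location; /* resolved from depth_refId at rule init, NULL when depth is static */`, with the same wording on `CursorInfo`. `offset_location` is `int32_t *` but the storage it appears to point at is allocated as `uint32_t` in sf_snort_plugin_loop.c (hunk `@@ -69,7 +72,7 @@`); reading it as signed is permitted, but a note that extracted values above `INT32_MAX` become negative offsets, which the subsequent cursor check is then relied on to reject, would help.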
@@ -200,35 +202,40 @@ typedef struct _FlowBitsInfo { char *flowBitsName; - u_int8_t operation; - u_int32_t id; - u_int32_t flags; + uint8_t operation; + uint32_t id; + uint32_t flags; } FlowBitsInfo; typedef struct _ByteData { - u_int32_t bytes; /* Number of bytes to extract */ - u_int32_t op; /* Type of byte comparison, for checkValue */ - u_int32_t value; /* Value to compare value against, for checkValue, or extracted value */ + uint32_t bytes; /* Number of bytes to extract */ + uint32_t op; /* Type of byte comparison, for checkValue */ + uint32_t value; /* Value to compare value against, for checkValue, or extracted value */ int32_t offset; /* Offset from cursor */ - u_int32_t multiplier; /* Used for byte jump -- 32bits is MORE than enough */ - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t multiplier; /* Used for byte jump -- 32bits is MORE than enough */ + uint32_t flags; /* must include a CONTENT_BUF_X */ int32_t post_offset;/* Use for byte jump -- adjust cusor by this much after the jump */ + char *offset_refId; /* To match up with a DynamicElement refId */ + char *value_refId; /* To match up with a DynamicElement refId */ + int32_t *offset_location; + uint32_t *value_location; } ByteData; typedef struct _ByteExtract { - u_int32_t bytes; /* Number of bytes to extract */ + uint32_t bytes; /* Number of bytes to extract */ int32_t offset; /* Offset from cursor */ - u_int32_t multiplier; /* Multiply value by this (similar to byte jump) */ - u_int32_t flags; /* must include a CONTENT_BUF_X */ + uint32_t multiplier; /* Multiply value by this (similar to byte jump) */ + uint32_t flags; /* must include a CONTENT_BUF_X */ char *refId; /* To match up with a DynamicElement refId */ void *memoryLocation; /* Location to store the data extracted */ + uint8_t align; /* Align to 2 or 4 bit boundary after extraction */ } ByteExtract; typedef struct _FlowFlags { - u_int32_t flags; /* FLOW_* values */ + uint32_t flags; /* FLOW_* values */ } FlowFlags; 
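Review bot: The comment on the new `ByteExtract.align` field, `/* Align to 2 or 4 bit boundary after extraction */`, does not match its use: `extractValue` in sf_snort_plugin_byte.c (hunk `@@ -142,23 +209,33 @@`) rounds the extracted value with `extracted % byteExtract->align`, i.e. to a multiple of 2 or 4, not to a bit boundary. Suggest `uint8_t align; /* 0 = none; 2 or 4 = round the extracted value up to a multiple of align */`. The `offset_location`/`value_location` fields added to `ByteData` lack comments too; `/* resolved from offset_refId at rule init, NULL when static */` and its `value_` twin would do.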
@@ -244,7 +251,7 @@ unsigned int max_length; int offset; int offset_type; - u_int32_t flags; + uint32_t flags; } Asn1Context; #define IP_HDR_ID 0x0001 /* IP Header ID */ @@ -271,11 +278,11 @@ typedef struct _HdrOptCheck { - u_int16_t hdrField; /* Field to check */ - u_int32_t op; /* Type of comparison */ - u_int32_t value; /* Value to compare value against */ - u_int32_t mask_value; /* bits of value to ignore */ - u_int32_t flags; + uint16_t hdrField; /* Field to check */ + uint32_t op; /* Type of comparison */ + uint32_t value; /* Value to compare value against */ + uint32_t mask_value; /* bits of value to ignore */ + uint32_t flags; } HdrOptCheck; #define DYNAMIC_TYPE_INT_STATIC 1 @@ -298,27 +305,27 @@ DynamicElement *start; /* Starting value of FOR loop (i=start) */ DynamicElement *end; /* Ending value of FOR loop (i OP end) */ DynamicElement *increment; /* Increment value of FOR loop (i+= increment) */ - u_int32_t op; /* Type of comparison for loop termination */ + uint32_t op; /* Type of comparison for loop termination */ CursorInfo *cursorAdjust; /* How to move cursor each iteration of loop */ struct _Rule *subRule; /* Pointer to SubRule & options to evaluate within * the loop */ - u_int8_t initialized; /* Loop initialized properly (safeguard) */ - u_int32_t flags; /* can be used to negate loop results, specifies + uint8_t initialized; /* Loop initialized properly (safeguard) */ + uint32_t flags; /* can be used to negate loop results, specifies * relative. */ } LoopInfo; typedef struct _base64DecodeData { - u_int32_t bytes; - u_int32_t offset; - u_int8_t relative; + uint32_t bytes; + uint32_t offset; + uint8_t relative; }base64DecodeData; typedef struct _PreprocessorOption { const char *optionName; const char *optionParameters; - u_int32_t flags; + uint32_t flags; PreprocOptionInit optionInit; PreprocOptionEval optionEval; void *dataPtr; 
@@ -349,7 +356,7 @@ typedef struct _IPInfo { - u_int8_t protocol; + uint8_t protocol; char * src_addr; char * src_port; /* 0 for non TCP/UDP */ char direction; /* non-zero is bi-directional */ @@ -372,11 +379,11 @@ typedef struct _RuleInformation { - u_int32_t genID; - u_int32_t sigID; - u_int32_t revision; + uint32_t genID; + uint32_t sigID; + uint32_t revision; char *classification; /* String format of classification name */ - u_int32_t priority; + uint32_t priority; char *message; RuleReference **references; /* NULL terminated array of references */ RuleMetaData **meta; /* NULL terminated array of references */ @@ -388,13 +395,13 @@ { IPInfo ip; RuleInformation info; - + RuleOption **options; /* NULL terminated array of RuleOption union */ ruleEvalFunc evalFunc; char initialized; /* Rule Initialized, used internally */ - u_int32_t numOptions; /* Rule option count, used internally */ + uint32_t numOptions; /* Rule option count, used internally */ char noAlert; /* Flag with no alert, used internally */ void *ruleData; /* Hash table for dynamic data pointers */ 
@@ -404,35 +411,44 @@ ENGINE_LINKAGE int RegisterRules(Rule **rules); ENGINE_LINKAGE int DumpRules(char *rulesFileName, Rule **rules); -ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const u_int8_t **cursor); +ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const uint8_t **cursor); ENGINE_LINKAGE int checkFlow(void *p, FlowFlags *flowFlags); -ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const u_int8_t *cursor); +ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const uint8_t *cursor); ENGINE_LINKAGE int processFlowbits(void *p, FlowBitsInfo *flowBits); -ENGINE_LINKAGE int getBuffer(void *p, int flags, const u_int8_t **start, const u_int8_t **end); -ENGINE_LINKAGE int setCursor(void *p, CursorInfo *cursorInfo, const u_int8_t **cursor); -ENGINE_LINKAGE int checkCursor(void *p, CursorInfo *cursorInfo, const u_int8_t *cursor); -ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, u_int32_t value, const u_int8_t *cursor); +ENGINE_LINKAGE int getBuffer(void *p, int flags, const uint8_t **start, const uint8_t **end); +ENGINE_LINKAGE int setCursor(void *p, CursorInfo *cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int fileData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int pktData(void *p, CursorInfo* cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int base64Data(void *p, CursorInfo* cursorInfo, const uint8_t **cursor); +ENGINE_LINKAGE int base64Decode(void *p, base64DecodeData *data, const uint8_t *cursor); +ENGINE_LINKAGE int checkCursor(void *p, CursorInfo *cursorInfo, const uint8_t *cursor); +ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, uint32_t value, const uint8_t *cursor); /* Same as extractValue plus checkValue */ -ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const u_int8_t *cursor); +ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const uint8_t *cursor); /* Same as extractValue plus setCursor */ -ENGINE_LINKAGE 
int byteJump(void *p, ByteData *byteData, const u_int8_t **cursor); -ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre, const u_int8_t **cursor); -ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const u_int8_t *cursor); +ENGINE_LINKAGE int byteJump(void *p, ByteData *byteData, const uint8_t **cursor); +ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre, const uint8_t **cursor); +ENGINE_LINKAGE int detectAsn1(void *p, Asn1Context* asn1, const uint8_t *cursor); ENGINE_LINKAGE int checkHdrOpt(void *p, HdrOptCheck *optData); -ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const u_int8_t **cursor); -ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const u_int8_t **cursor); -ENGINE_LINKAGE void setTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor); -ENGINE_LINKAGE void revertTempCursor(const u_int8_t **temp_cursor, const u_int8_t **cursor); +ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const uint8_t **cursor); +ENGINE_LINKAGE int preprocOptionEval(void *p, PreprocessorOption *preprocOpt, const uint8_t **cursor); +ENGINE_LINKAGE void setTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor); +ENGINE_LINKAGE void revertTempCursor(const uint8_t **temp_cursor, const uint8_t **cursor); ENGINE_LINKAGE int ruleMatch(void *p, Rule *rule); ENGINE_LINKAGE int MatchDecryptedRC4( - const u_int8_t *key, u_int16_t keylen, const u_int8_t *encrypted_data, - u_int8_t *plain_data, u_int16_t datalen + const uint8_t *key, uint16_t keylen, const uint8_t *encrypted_data, + uint8_t *plain_data, uint16_t datalen ); ENGINE_LINKAGE int storeRuleData(void *, void *, uint32_t, SessionDataFree); ENGINE_LINKAGE void *getRuleData(void *, uint32_t); ENGINE_LINKAGE void *allocRuleData(size_t); ENGINE_LINKAGE void freeRuleData(void *); +ENGINE_LINKAGE int isDetectFlag(SFDetectFlagType df); +ENGINE_LINKAGE void detectFlagDisable(SFDetectFlagType df); +ENGINE_LINKAGE int getAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr); 
+ENGINE_LINKAGE void setAltDetect(uint8_t *buf, uint16_t altLen); + ENGINE_LINKAGE int pcreExecWrapper(const PCREInfo *pcre_info, const char *buf, int len, int start_offset, int options, int *ovector, int ovecsize); diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c 2010-06-09 15:05:09.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
@@ -26,30 +26,87 @@ * * Byte operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdlib.h> + #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" +#include "sfghash.h" +#include "sf_snort_detection_engine.h" -extern int checkCursorSimple(const u_int8_t *cursor, int flags, const u_int8_t *start, const u_int8_t *end, int offset); -extern int setCursorInternal(void *p, int flags, int offset, const u_int8_t **cursor); +extern int checkCursorSimple(const uint8_t *cursor, int flags, const uint8_t *start, const uint8_t *end, int offset); +extern int setCursorInternal(void *p, int flags, int offset, const uint8_t **cursor); #define BYTE_STRING_LEN 11 + +int ByteDataInitialize(Rule *rule, ByteData *byte) +{ + void *memoryLocation; + + /* Initialize byte_extract pointers */ + if (byte->offset_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->offset_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, byte->offset_refId); + if (memoryLocation) + { + byte->offset_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->offset_refId, rule->info.genID, rule->info.sigID); + } + } + + if (byte->value_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->value_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, byte->value_refId); + if (memoryLocation) + { + byte->value_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + byte->value_refId, rule->info.genID, rule->info.sigID); + } + } + + return 0; 
+} + /* * extract byte value from data * * Return 1 if successfully extract value. * Return < 0 if fail to extract value. */ -int extractValueInternal(void *p, ByteData *byteData, u_int32_t *value, const u_int8_t *cursor) +int extractValueInternal(void *p, ByteData *byteData, uint32_t *value, const uint8_t *cursor) { char byteArray[BYTE_STRING_LEN]; - u_int32_t i; + uint32_t i; char *endPtr; - u_int32_t extracted = 0; + uint32_t extracted = 0; int base = 10; - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; int ret; SFSnortPacket *sp = (SFSnortPacket *) p; @@ -58,7 +115,17 @@ if ( ret < 0 ) { return ret; - } + } + + /* Check for byte_extract variables and use them if present. */ + if (byteData->offset_location) + { + byteData->offset = *byteData->offset_location; + } + if (byteData->value_location) + { + byteData->value = *byteData->value_location; + } /* Check the start location */ if (checkCursorSimple(cursor, byteData->flags, start, end, byteData->offset) <= 0) @@ -73,9 +140,9 @@ { cursor = start; } - + if (byteData->flags & EXTRACT_AS_BYTE) - { + { if ( byteData->bytes != 1 && byteData->bytes != 2 && byteData->bytes != 4 ) { return -5; /* We only support 1, 2, or 4 bytes */ @@ -92,13 +159,13 @@ } } else - { + { for (i = 0; i < byteData->bytes; i++) { extracted |= *(cursor + byteData->offset + i) << 8*i; } } - + *value = extracted; return 1; } @@ -124,7 +191,7 @@ byteArray[i] = *(cursor + byteData->offset + i); } byteArray[i] = '\0'; - + extracted = strtoul(byteArray, &endPtr, base); if (endPtr == &byteArray[0]) 
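Review bot: `ByteDataInitialize` carries the same fifteen-line lookup twice, and `BoyerContentSetup` in sf_snort_plugin_content.c (hunk `@@ -75,29 +84,70 @@`) copies it twice more; a small helper, either declared once in sf_snort_detection_engine.h or kept static per file, removes the four copies and keeps the fatal-error wording in one place. The message passes `rule->info.genID`/`sigID`, declared `uint32_t` in the header, to `%d`; `%u` is the matching specifier, and the same mismatch is in the two sf_snort_plugin_loop.c message hunks. The helper below assumes, as the code it replaces does, that `DynamicEngineFatalMessage` does not return; if it can, callers must still treat a NULL result as an error. `extractValueInternal` continues past this hunk.
```c
/* Resolve a byte_extract variable name to the storage registered for it in
 * rule->ruleData.  Like the inline code it replaces, this relies on
 * DynamicEngineFatalMessage() not returning. */
static void *ByteExtractLookup(Rule *rule, const char *refId)
{
    void *memoryLocation = NULL;

    if (rule->ruleData)
    {
        memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, refId);
    }
    if (!memoryLocation)
    {
        DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%u:%u] is used before it is defined.\n",
                                  refId, rule->info.genID, rule->info.sigID);
    }
    return memoryLocation;
}

/* Bind the offset/value byte_extract references of a ByteData, if any. */
int ByteDataInitialize(Rule *rule, ByteData *byte)
{
    if (byte->offset_refId)
    {
        byte->offset_location = ByteExtractLookup(rule, byte->offset_refId);
    }
    if (byte->value_refId)
    {
        byte->value_location = ByteExtractLookup(rule, byte->value_refId);
    }
    return 0;
}
/* … unchanged: extractValueInternal … */
```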
@@ -142,23 +209,33 @@ * Return 1 if success * Return 0 if can't extract. */ -ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const u_int8_t *cursor) +ENGINE_LINKAGE int extractValue(void *p, ByteExtract *byteExtract, const uint8_t *cursor) { ByteData byteData; int ret; - u_int32_t extracted = 0; - u_int32_t *location = (u_int32_t *)byteExtract->memoryLocation; + uint32_t extracted = 0; + uint32_t *location = (uint32_t *)byteExtract->memoryLocation; byteData.bytes = byteExtract->bytes; byteData.flags = byteExtract->flags; byteData.multiplier = byteExtract->multiplier; byteData.offset = byteExtract->offset; - byteData.op = 0; /* Not used */ - byteData.value = 0; /* Not used */ + + /* The following fields are not used, but must be zeroed out. */ + byteData.op = 0; + byteData.value = 0; + byteData.offset_refId = 0; + byteData.value_refId = 0; + byteData.offset_location = 0; + byteData.value_location = 0; ret = extractValueInternal(p, &byteData, &extracted, cursor); if (ret > 0) { + if ((byteExtract->align == 2) || (byteExtract->align == 4)) + { + extracted = extracted + byteExtract->align - (extracted % byteExtract->align); + } *location = extracted; } @@ -171,7 +248,7 @@ * Return 1 if check is true (e.g. value > byteData.value) * Return 0 if check is not true. */ -ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, u_int32_t value, const u_int8_t *cursor) +ENGINE_LINKAGE int checkValue(void *p, ByteData *byteData, uint32_t value, const uint8_t *cursor) { switch (byteData->op) { @@ -227,10 +304,10 @@ * Return 1 if check is true (e.g. value > byteData.value) * Return 0 if check is not true. */ -ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const u_int8_t *cursor) +ENGINE_LINKAGE int byteTest(void *p, ByteData *byteData, const uint8_t *cursor) { int ret; - u_int32_t value; + uint32_t value; SFSnortPacket *sp = (SFSnortPacket *) p; ret = extractValueInternal(sp, byteData, &value, cursor); 
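Review bot: The new alignment step in `extractValue`, `extracted = extracted + byteExtract->align - (extracted % byteExtract->align);`, adds a full `align` when the value is already a multiple of it (4 becomes 8, 0 becomes 4), and the addition can wrap for values near `UINT32_MAX`. If the intent is to round up to the next multiple, as the field name suggests, `if (extracted % byteExtract->align) extracted += byteExtract->align - (extracted % byteExtract->align);` leaves aligned values alone, and the remaining wrap window (values within `align` of the maximum) can be rejected with the existing negative-return convention. A unit test on 0, 3, 4 and 5 would pin whichever behaviour is meant, since the result feeds rule offsets and depths through the new `*_location` pointers.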
@@ -239,7 +316,7 @@ return 0; ret = checkValue(sp, byteData, value, cursor); - + return ret; } @@ -250,11 +327,11 @@ * Return 0 if cursor out of bounds * Return < 0 if error */ -ENGINE_LINKAGE int byteJump(void *p, ByteData *byteData, const u_int8_t **cursor) +ENGINE_LINKAGE int byteJump(void *p, ByteData *byteData, const uint8_t **cursor) { int ret; - u_int32_t readValue; - u_int32_t jumpValue; + uint32_t readValue; + uint32_t jumpValue; SFSnortPacket *sp = (SFSnortPacket *) p; ret = extractValueInternal(sp, byteData, &readValue, *cursor); @@ -283,6 +360,6 @@ jumpValue += byteData->post_offset; ret = setCursorInternal(sp, byteData->flags, jumpValue, cursor); - + return ret; } diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c 2010-10-25 12:49:05.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Marc Norton * Steve Sturges 
@@ -27,27 +27,34 @@ * * Content operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ctype.h" #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" +#include "sfghash.h" +#include "sf_snort_detection_engine.h" #include "bmh.h" -extern DynamicEngineData _ded; /* sf_detection_engine.c */ -extern int checkCursorInternal(void *p, int flags, int offset, const u_int8_t *cursor); +extern int checkCursorInternal(void *p, int flags, int offset, const uint8_t *cursor); -static const u_int8_t *_buffer_end = NULL; -static const u_int8_t *_alt_buffer_end = NULL; -static const u_int8_t *_uri_buffer_end = NULL; +static const uint8_t *_buffer_end = NULL; +static const uint8_t *_alt_buffer_end = NULL; +static const uint8_t *_uri_buffer_end = NULL; +static const uint8_t *_alt_detect_end = NULL; void ContentSetup(void) { _buffer_end = NULL; _alt_buffer_end = NULL; _uri_buffer_end = NULL; + _alt_detect_end = NULL; } /* @@ -58,15 +65,17 @@ */ int BoyerContentSetup(Rule *rule, ContentInfo *content) { + void *memoryLocation; + /* XXX: need to precompile the B-M stuff */ - + if( !content->patternByteForm || !content->patternByteFormLength ) return 0; - + content->boyer_ptr = hbm_prep(content->patternByteForm, - content->patternByteFormLength, + content->patternByteFormLength, content->flags & CONTENT_NOCASE); - + if( !content->boyer_ptr ) { /* error doing compilation. */ 
@@ -75,29 +84,70 @@ return -1; } + /* Initialize byte_extract pointers */ + if (content->offset_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->offset_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, content->offset_refId); + if (memoryLocation) + { + content->offset_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->offset_refId, rule->info.genID, rule->info.sigID); + } + } + + if (content->depth_refId) + { + if (!rule->ruleData) + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->depth_refId, rule->info.genID, rule->info.sigID); + } + + memoryLocation = sfghash_find((SFGHASH*)rule->ruleData, content->depth_refId); + if (memoryLocation) + { + content->depth_location = memoryLocation; + } + else + { + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", + content->depth_refId, rule->info.genID, rule->info.sigID); + } + } + return 0; } -/* +/* * Content Option processing function - * + * * p: packet data structure, same as the one found in snort. 
* content: data defined in the detection plugin for this rule content option * cursor: updated to point the 1st byte after the match * - * Returns: + * Returns: * > 0 : match found * = 0 : no match found * < 0 : error * - * Predefined constants: + * Predefined constants: * (see sf_snort_plugin_api.h for more values) - * CONTENT_MATCH - if content specifier is found within buffer - * CONTENT_NOMATCH - if content specifier is not found within buffer - * + * CONTENT_MATCH - if content specifier is found within buffer + * CONTENT_NOMATCH - if content specifier is not found within buffer + * * Notes: - * For multiple URI buffers, we scan each buffer, if any one of them + * For multiple URI buffers, we scan each buffer, if any one of them * contains the content we return a match. This is essentially an OR * operation. * @@ -111,13 +161,13 @@ * raw * uri * post - * + * */ -ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const u_int8_t **cursor) +ENGINE_LINKAGE int contentMatch(void *p, ContentInfo* content, const uint8_t **cursor) { - const u_int8_t * q = NULL; - const u_int8_t * buffer_start; - const u_int8_t * buffer_end = NULL; + const uint8_t * q = NULL; + const uint8_t * buffer_start = NULL; + const uint8_t * buffer_end = NULL; u_int buffer_len; int length; int i; @@ -134,10 +184,20 @@ if( !cursor || !(*cursor) ) { return CONTENT_NOMATCH; - } + } relative = 1; } + /* Check for byte_extract variables and use them if present. */ + if (content->offset_location) + { + content->offset = *content->offset_location; + } + if (content->depth_location) + { + content->depth = *content->depth_location; + } + if (content->flags & URI_CONTENT_BUFS) { for (i=0; i<sp->num_uris; i++) @@ -214,7 +274,7 @@ { continue; } - + /* Don't bother looking deeper than depth */ if ( content->depth != 0 && content->depth < buffer_len ) { 
@@ -247,15 +307,29 @@ return CONTENT_NOMATCH; } - if ((content->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - if (_alt_buffer_end) + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) { - buffer_end = _alt_buffer_end; + if (_alt_detect_end) + { + buffer_end = _alt_detect_end; + } + else + { + buffer_end = _ded.altDetect->data + _ded.altDetect->len; + } } - else - { - buffer_end = _ded.altBuffer->data + _ded.altBuffer->len; + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + if (_alt_buffer_end) + { + buffer_end = _alt_buffer_end; + } + else + { + buffer_end = _ded.altBuffer->data + _ded.altBuffer->len; + } } } else @@ -277,16 +351,31 @@ } else { - if ((content->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - buffer_start = _ded.altBuffer->data + content->offset; - if (_alt_buffer_end) + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) { - buffer_end = _alt_buffer_end; + buffer_start = _ded.altDetect->data + content->offset; + if (_alt_detect_end) + { + buffer_end = _alt_detect_end; + } + else + { + buffer_end = _ded.altDetect->data + _ded.altDetect->len; + } } - else + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { - buffer_end = _ded.altBuffer->data + _ded.altBuffer->len; + buffer_start = _ded.altBuffer->data + content->offset; + if (_alt_buffer_end) + { + buffer_end = _alt_buffer_end; + } + else + { + buffer_end = _ded.altBuffer->data + _ded.altBuffer->len; + } } } else 
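Review bot: `_alt_detect_end` is a raw pointer cached into whichever buffer `_ded.altDetect` referred to when a `CONTENT_END_BUFFER` match set it (next hunk), but it is only cleared in `ContentSetup`; the new `fileData` and `base64Data` entry points in sf_snort_plugin_api.c switch the alternate buffer through `SetAltDetect` without touching it. If `ContentSetup` runs once per packet rather than per rule option (not visible here), a rule using file_data, then an end-anchored content, then base64_data would derive `buffer_end` from a pointer into the previous buffer, so the search bound no longer describes the buffer being scanned. Clearing the cache where the buffer changes, e.g. a small setter in this file called before each `_ded.SetAltDetect(...)`, or validating the cached pointer against the current `_ded.altDetect->data`/`len` range before using it, closes the gap. `contentMatch` starts before and continues past this hunk.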
@@ -325,7 +414,11 @@ { if (content->flags & CONTENT_END_BUFFER) { - if ((content->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + _alt_detect_end = q; + } + else if ((content->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { _alt_buffer_end = q; } diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c 2010-06-09 15:05:10.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -26,13 +26,16 @@ * * Header Option operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" #include "ipv6_port.h" - -extern DynamicEngineData _ded; /* sf_detection_engine.c */ +#include "sf_snort_detection_engine.h" int ValidateHeaderCheck(Rule *rule, HdrOptCheck *optData) { @@ -47,7 +50,7 @@ _ded.errMsg("Invalid operator for Check Header IP Options: %d " "for dynamic rule [%d:%d].\n" "Must be either CHECK_EQ (option present) or " - "CHECK_NEQ (not present).\n", + "CHECK_NEQ (not present).\n", optData->op, rule->info.genID, rule->info.sigID); retVal = -1; } 
@@ -59,7 +62,7 @@ _ded.errMsg("Invalid operator for Check Header IP Options: %d " "for dynamic rule [%d:%d].\n" "Must be either CHECK_EQ (option present) or " - "CHECK_NEQ (not present).\n", + "CHECK_NEQ (not present).\n", optData->op, rule->info.genID, rule->info.sigID); retVal = -1; } @@ -79,7 +82,7 @@ return retVal; } -int checkBits(u_int32_t value, u_int32_t op, u_int32_t bits) +int checkBits(uint32_t value, uint32_t op, uint32_t bits) { switch (op) { @@ -103,7 +106,7 @@ return RULE_NOMATCH; } -int checkOptions(u_int32_t value, int op, IPOptions options[], int numOptions) +int checkOptions(uint32_t value, int op, IPOptions options[], int numOptions) { int found = 0; int i; @@ -138,7 +141,7 @@ return RULE_NOMATCH; } -int checkField(int op, u_int32_t value1, u_int32_t value2) +int checkField(int op, uint32_t value1, uint32_t value2) { switch (op) { @@ -193,7 +196,7 @@ * 1 or 2 bytes, converted to host byte order, * and placed in a 4 byte value for easy comparison */ - u_int32_t value = 0; + uint32_t value = 0; if ((optData->hdrField & IP_HDR_OPTCHECK_MASK) && (!pkt->ip4_header)) return RULE_NOMATCH; @@ -210,7 +213,7 @@ { /* IP Header Checks */ case IP_HDR_ID: - value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((u_int16_t)GET_IPH_ID(pkt)); + value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((uint16_t)GET_IPH_ID(pkt)); break; case IP_HDR_PROTO: value = pkt->ip4_header->proto; diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c 2010-06-09 15:05:10.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c 2011-11-21 12:15:24.000000000 -0800 
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican @@ -26,20 +26,23 @@ * * Loop Option operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sfghash.h" #include "sf_dynamic_engine.h" - -extern DynamicEngineData _ded; +#include "sf_snort_detection_engine.h" /* From sf_snort_plugin_api.c -- not exported from shared lib, * but available to other code within the shared lib. */ extern int RegisterOneRule(Rule *rule, int registerRule); -extern int ruleMatchInternal(SFSnortPacket *p, Rule* rule, u_int32_t optIndex, const u_int8_t **cursor); +extern int ruleMatchInternal(SFSnortPacket *p, Rule* rule, uint32_t optIndex, const uint8_t **cursor); /* Initialize a byteExtract structure. */ int ByteExtractInitialize(Rule *rule, ByteExtract *extractData) @@ -69,7 +72,7 @@ //return -1; } - memoryLocation = calloc(sizeof(u_int32_t), 1); + memoryLocation = calloc(sizeof(uint32_t), 1); if (memoryLocation == NULL) { DynamicEngineFatalMessage("Failed to allocate memory\n"); @@ -95,7 +98,7 @@ if (!rule->ruleData) { - DynamicEngineFatalMessage("Runtime rule data location '%s' for rule [%d:%d] is unknown\n", + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", element->refId, rule->info.genID, rule->info.sigID); } @@ -110,7 +113,7 @@ else { element->data.dynamicInt = NULL; - DynamicEngineFatalMessage("Runtime rule data location '%s' for rule [%d:%d] is unknown\n", + DynamicEngineFatalMessage("ByteExtract variable '%s' in rule [%d:%d] is used before it is defined.\n", element->refId, rule->info.genID, rule->info.sigID); //return -1; } 
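Review bot: The `@@ -69` hunk keeps `calloc(sizeof(uint32_t), 1)`, which passes the element size as the count and a count of 1 as the element size; it yields the same four zeroed bytes but reads as a transposition of calloc's arguments. Since the line is being rewritten for the type rename anyway, the conventional spelling `memoryLocation = calloc(1, sizeof(uint32_t));` makes the intent obvious to the next reader. ByteExtractInitialize starts and ends outside the hunk.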
@@ -162,28 +165,28 @@ } -/* +/* * Get buffer size remaining - * + * * p: packet data structure, same as the one found in snort. * flags: defines what kind of content buffer to look at * cursor: current position within buffer * - * Returns: + * Returns: * > 0 : size of buffer remaining * = 0 : no buffer remaining * < 0 : error * */ -int getSizeRemaining(void *p, u_int32_t flags, const u_int8_t *cursor) +int getSizeRemaining(void *p, uint32_t flags, const uint8_t *cursor) { - const u_int8_t *start; - const u_int8_t *end; + const uint8_t *start; + const uint8_t *end; SFSnortPacket *sp = (SFSnortPacket *) p; int ret; int size; - ret = getBuffer((void *)sp, (int)flags, (const u_int8_t **)&start, (const u_int8_t **)&end); + ret = getBuffer((void *)sp, (int)flags, (const uint8_t **)&start, (const uint8_t **)&end); if ( ret < 0 ) return 0; @@ -203,14 +206,14 @@ return size; } -/* +/* * Get maximum loop iterations possible - * + * * p: packet data structure, same as the one found in snort. * loop: structure that defines buffer via flags, and has cursor increment * cursor: current position within buffer * - * Returns: + * Returns: * >= 0 : calculated max possible loop count * < 0 : error * @@ -221,7 +224,7 @@ * a cursor of NULL means look at the whole buffer. * */ -int32_t getLoopLimit(void *p, LoopInfo *loop, const u_int8_t *cursor) +int32_t getLoopLimit(void *p, LoopInfo *loop, const uint8_t *cursor) { int32_t loop_max; int size; @@ -242,7 +245,7 @@ return loop_max & 0xFFFF; } -int checkLoopEnd(u_int32_t op, int32_t index, int32_t end) +int checkLoopEnd(uint32_t op, int32_t index, int32_t end) { switch (op) { 
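Review bot: The comment block retouched in the `@@ -162` hunk still documents `< 0 : error` for getSizeRemaining, but the code a few lines below returns 0 when `getBuffer()` fails (`if ( ret < 0 ) return 0;`), so a caller cannot distinguish an unknown buffer from an exhausted one and the documented three-way contract is never honoured. Returning `ret` on that path would be a behaviour change for callers such as getLoopLimit, so if that is not wanted the comment should instead say that a buffer lookup failure is reported as zero bytes remaining. The `size` computation and the final return are outside this hunk.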
@@ -293,10 +296,10 @@ } /* Function to evaluate a loop (ie, a series of nested options) */ -ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const u_int8_t **cursor) +ENGINE_LINKAGE int loopEval(void *p, LoopInfo *loop, const uint8_t **cursor) { - const u_int8_t *startingCursor; - const u_int8_t *tmpCursor; + const uint8_t *startingCursor; + const uint8_t *tmpCursor; int32_t i; int32_t startValue; int32_t endValue; @@ -317,7 +320,7 @@ startValue = loop->start->data.staticInt; else startValue = *(loop->start->data.dynamicInt); - + if (loop->end->dynamicType == DYNAMIC_TYPE_INT_STATIC) endValue = loop->end->data.staticInt; else diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c 2010-10-25 12:49:05.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steve Sturges * Andy Mullican 
@@ -26,16 +26,21 @@ * * PCRE operations for dynamic rule engine */ -#include "debug.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "pcre.h" +#include "sf_types.h" +#include "snort_debug.h" #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" #include "sf_dynamic_engine.h" +#include "sf_snort_detection_engine.h" /* Need access to the snort-isms that were passed to the engine */ -extern DynamicEngineData _ded; /* sf_detection_engine.c */ -extern int checkCursorInternal(void *p, int flags, int offset, const u_int8_t *cursor); - +extern int checkCursorInternal(void *p, int flags, int offset, const uint8_t *cursor); int PCRESetup(Rule *rule, PCREInfo *pcreInfo) { @@ -116,17 +121,17 @@ return matched; } -/* - * we need to specify the vector length for our pcre_exec call. we only care +/* + * we need to specify the vector length for our pcre_exec call. we only care * about the first vector, which if the match is successful will include the * offset to the end of the full pattern match. If we decide to store other * matches, make *SURE* that this is a multiple of 3 as pcre requires it. */ #define SNORT_PCRE_OVECTOR_SIZE 3 -/** +/** * Perform a search of the PCRE data. - * + * * @param pcre_data structure that options and patterns are passed in * @param buf buffer to search * @param len size of buffer @@ -146,7 +151,7 @@ int ovector[SNORT_PCRE_OVECTOR_SIZE]; int matched; int result; - + if(pcre_info == NULL || buf == NULL || len <= 0 @@ -160,7 +165,7 @@ } *found_offset = -1; - + result = _ded.pcreExec(pcre_info->compiled_expr, /* result of pcre_compile() */ pcre_info->compiled_extra, /* result of pcre_study() */ buf, /* the subject string */ @@ -186,7 +191,7 @@ if (found_offset) { - *found_offset = ovector[1]; + *found_offset = ovector[1]; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Setting buffer and found_offset: %p %d\n", buf, found_offset);); 
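Review bot: The DEBUG_WRAP message in the `@@ -186` hunk prints `found_offset` with `%d`, but `found_offset` is the `int *` out-parameter (the line just above writes through it), so the argument does not match the conversion; it should be `*found_offset`, or `%p` if the pointer itself was meant. Separately, `*found_offset = -1;` in the `@@ -160` hunk dereferences unconditionally while this hunk guards with `if (found_offset)`, so one of the two NULL assumptions is wrong — unless the early guard partly visible in the `@@ -146` hunk already rejects a NULL `found_offset`, in which case the later `if` is simply dead and can go. pcre_test starts and ends outside these hunks.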
@@ -195,10 +200,10 @@ return matched; } -ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre_info, const u_int8_t **cursor) +ENGINE_LINKAGE int pcreMatch(void *p, PCREInfo* pcre_info, const uint8_t **cursor) { - const u_int8_t *buffer_start; - const u_int8_t *buffer_end; + const uint8_t *buffer_start; + const uint8_t *buffer_end; int buffer_len; int pcre_offset; int pcre_found; @@ -272,7 +277,7 @@ /* Uh, what buffer is this? */ return CONTENT_NOMATCH; } - + if (!_ded.uriBuffers[i]->uriBuffer || (_ded.uriBuffers[i]->uriLength == 0)) continue; @@ -291,7 +296,6 @@ { buffer_start = _ded.uriBuffers[i]->uriBuffer; buffer_len = _ded.uriBuffers[i]->uriLength; - buffer_end = buffer_start + buffer_len; } pcre_found = pcre_test(pcre_info, (const char *)buffer_start, buffer_len, 0, &pcre_offset); @@ -314,10 +318,18 @@ return RULE_NOMATCH; } - if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - buffer_start = _ded.altBuffer->data; - buffer_end = buffer_start + _ded.altBuffer->len; + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + buffer_start = _ded.altDetect->data; + buffer_end = buffer_start + _ded.altDetect->len; + } + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + buffer_start = _ded.altBuffer->data; + buffer_end = buffer_start + _ded.altBuffer->len; + } } else { 
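Review bot: In the `@@ -314` hunk the new `if (SF_FLAG_ALT_DETECT) … else if (SF_FLAG_ALT_DECODE)` chain has no trailing `else`, so if `Is_DetectFlag(SF_FLAG_DETECT_ALL)` is true for a flag other than those two, `buffer_start` and `buffer_end` keep whatever they held before — possibly nothing, since the `@@ -195` hunk declares both without an initialiser — and are then used for the match; the replaced code assigned both unconditionally here. Whether that state is reachable depends on the definition of `SF_FLAG_DETECT_ALL`, which is not in the diff; if it is an all-ones mask the gap opens as soon as another flag is added. `else { return RULE_NOMATCH; }` after the chain keeps pcreMatch safe either way, and the following hunk for `buffer_len` has the same shape. pcreMatch begins before this hunk and ends after it.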
@@ -332,10 +344,18 @@ } else { - if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && (sp->flags & FLAG_ALT_DECODE)) + if ((pcre_info->flags & CONTENT_BUF_NORMALIZED) && _ded.Is_DetectFlag(SF_FLAG_DETECT_ALL)) { - buffer_start = _ded.altBuffer->data; - buffer_len = _ded.altBuffer->len; + if(_ded.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + buffer_start = _ded.altDetect->data; + buffer_len = _ded.altDetect->len; + } + else if(_ded.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + buffer_start = _ded.altBuffer->data; + buffer_len = _ded.altBuffer->len; + } } else { diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c --- snort-2.9.0.1/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c 2010-06-09 15:05:11.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c 2011-06-07 17:33:11.000000000 -0700 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * Author: Lurene Grunier * Andy Mullican @@ -26,6 +26,10 @@ * * RC4 Option operations for dynamic rule engine */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_dynamic_define.h" #include "sf_snort_packet.h" #include "sf_snort_plugin_api.h" @@ -33,9 +37,6 @@ #include "sf_dynamic_engine.h" -extern DynamicEngineData _ded; - - #define BYTESWAP(x,y) tmp = x; x = y; y = tmp; /* Artificially limit decrypted data size to 1024, for now */ 
@@ -43,11 +44,11 @@ /* Decode RC4 data. Return 1 if data matches decoded data. */ int MatchDecryptedRC4( - const u_int8_t *key, u_int16_t keylen, const u_int8_t *encrypted_data, + const u_int8_t *key, u_int16_t keylen, const u_int8_t *encrypted_data, u_int8_t *match_data, u_int16_t datalen ) { u_int16_t i; - u_int8_t t, tmp; + u_int8_t t, tmp; static char decrypted_data[MAX_DATA_LEN]; u_int8_t s[256] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_preproc_example/Makefile.in snort-2.9.2/src/dynamic-plugins/sf_preproc_example/Makefile.in --- snort-2.9.0.1/src/dynamic-plugins/sf_preproc_example/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_preproc_example/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
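Review bot: The `@@ -43` hunk rewrites the MatchDecryptedRC4 signature only to strip trailing whitespace and leaves `u_int8_t`/`u_int16_t` in place, while every other engine file in this change migrates to the C99 `uint8_t`/`uint16_t` spellings; since the line is touched anyway, `const uint8_t *key, uint16_t keylen, const uint8_t *encrypted_data, uint8_t *match_data, uint16_t datalen` keeps the engine consistent. The decrypted output lands in `static char decrypted_data[MAX_DATA_LEN]` with the comment saying the limit is 1024, yet `datalen` is a caller-supplied 16-bit length; the body is outside the hunk, so please confirm it clamps `datalen` to `MAX_DATA_LEN` before writing. A `static` scratch buffer also makes the function non-reentrant, which is worth a comment if the engine is ever driven from more than one thread.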
@@ -109,13 +112,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c --- snort-2.9.0.1/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c 2010-08-25 13:22:42.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2005-2010 Sourcefire, Inc. + ** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -24,6 +24,11 @@ #include <stdarg.h> #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "sf_dynamic_define.h" #include "sf_preproc_info.h" #include "sf_snort_packet.h" @@ -50,6 +55,7 @@ exit(1); } + PREPROC_LINKAGE int InitializePreprocessor(DynamicPreprocessorData *dpd) { if (dpd->version < PREPROCESSOR_DATA_VERSION) 
@@ -61,7 +67,7 @@ if (dpd->size != sizeof(DynamicPreprocessorData)) { - printf("ERROR size %d != %lu\n", dpd->size, sizeof(*dpd)); + printf("ERROR size %d != %u\n", dpd->size, (unsigned)sizeof(*dpd)); return -2; } diff -Nru snort-2.9.0.1/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h --- snort-2.9.0.1/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h 2010-01-27 13:50:12.000000000 -0800 +++ snort-2.9.2/src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h 2011-02-09 15:23:12.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/dynamic-plugins/sp_dynamic.c snort-2.9.2/src/dynamic-plugins/sp_dynamic.c --- snort-2.9.0.1/src/dynamic-plugins/sp_dynamic.c 2010-09-27 08:28:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sp_dynamic.c 2011-11-21 12:15:24.000000000 -0800 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -57,13 +57,14 @@ #endif #include <errno.h> +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "decode.h" #include "bitop_funcs.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "plugin_enum.h" #include "sp_dynamic.h" @@ -75,6 +76,8 @@ #include "sfhashfcn.h" #include "sp_preprocopt.h" #include "sfutil/sf_base64decode.h" +#include "detection_util.h" +#include "stream_api.h" #include "snort.h" #include "profiler.h" 
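Review bot: The size-mismatch diagnostic in the `@@ -61` hunk still goes to stdout via `printf`, so in a daemonised Snort it is lost while the preprocessor silently fails to load with `-2`; `fprintf(stderr, "ERROR size %d != %u\n", dpd->size, (unsigned)sizeof(*dpd));` is the minimal fix (the `%u` plus cast is fine for pre-C99 builds, `%zu` being the C99 alternative). It is also worth saying what the check is for, e.g. `/* DynamicPreprocessorData layout differs from the one this plugin was built against; refuse to load */`. InitializePreprocessor starts before the hunk and ends after it.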
@@ -87,7 +90,7 @@ extern const unsigned int giFlowbitSize; extern SFGHASH *flowbits_hash; extern SF_QUEUE *flowbits_bit_queue; -extern u_int32_t flowbits_count; +extern uint32_t flowbits_count; extern int flowbits_toggle; extern volatile int snort_initializing; extern DynamicRuleNode *dynamic_rules; @@ -97,47 +100,47 @@ void DynamicParse(char *, OptTreeNode *); int DynamicCheck(void *option_data, Packet *p); -u_int32_t DynamicRuleHash(void *d) +uint32_t DynamicRuleHash(void *d) { - u_int32_t a,b,c; + uint32_t a,b,c; DynamicData *dynData = (DynamicData *)d; #if (defined(__ia64) || defined(__amd64) || defined(_LP64)) { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ - ptr = (u_int64_t)dynData->contextData; + uint64_t ptr; /* Addresses are 64bits */ + ptr = (uint64_t)dynData->contextData; a = (ptr << 32) & 0XFFFFFFFF; b = (ptr & 0xFFFFFFFF); - - ptr = (u_int64_t)dynData->checkFunction; + + ptr = (uint64_t)dynData->checkFunction; c = (ptr << 32) & 0XFFFFFFFF; - + mix (a,b,c); - + a += (ptr & 0xFFFFFFFF); - ptr = (u_int64_t)dynData->hasOptionFunction; + ptr = (uint64_t)dynData->hasOptionFunction; b += (ptr << 32) & 0XFFFFFFFF; c += (ptr & 0xFFFFFFFF); - ptr = (u_int64_t)dynData->getDynamicContents; + ptr = (uint64_t)dynData->getDynamicContents; a += (ptr << 32) & 0XFFFFFFFF; b += (ptr & 0xFFFFFFFF); c += dynData->contentFlags; mix (a,b,c); - + a += RULE_OPTION_TYPE_DYNAMIC; } #else { - a = (u_int32_t)dynData->contextData; - b = (u_int32_t)dynData->checkFunction; - c = (u_int32_t)dynData->hasOptionFunction; + a = (uint32_t)dynData->contextData; + b = (uint32_t)dynData->checkFunction; + c = (uint32_t)dynData->hasOptionFunction; mix(a,b,c); - a += (u_int32_t)dynData->getDynamicContents; + a += (uint32_t)dynData->getDynamicContents; b += dynData->contentFlags; c += RULE_OPTION_TYPE_DYNAMIC; } 
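Review bot: In DynamicRuleHash (the `@@ -97` hunk) every `(ptr << 32) & 0XFFFFFFFF` evaluates to 0 — shifting a 64-bit value left by 32 leaves nothing in the low 32 bits — so `a`, `c` and the `b +=`/`a +=` terms never receive the upper halves of `contextData`, `checkFunction`, `hasOptionFunction` and `getDynamicContents` on 64-bit builds. The intent is clearly the high word, i.e. `(ptr >> 32) & 0xFFFFFFFF` in all four places, pairing with the `(ptr & 0xFFFFFFFF)` low-word terms already there. This only weakens the hash (the low halves still mix in), so it costs collisions rather than correctness, but the commit rewrites exactly these lines for the uint64_t rename and is the natural place to fix them. The function's tail after the `#else` branch is outside the hunk.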
@@ -169,7 +172,7 @@ } /**************************************************************************** - * + * * Function: SetupDynamic() * * Purpose: Load it up @@ -192,10 +195,10 @@ /**************************************************************************** - * + * * Function: DynamicInit(char *, OptTreeNode *) * - * Purpose: Configuration function. Handles parsing the rule + * Purpose: Configuration function. Handles parsing the rule * information and attaching the associated detection function to * the OTN. * @@ -230,7 +233,7 @@ } /**************************************************************************** - * + * * Function: DynamicCheck(char *, OptTreeNode *, OptFpList *) * * Purpose: Use this function to perform the particular detection routine @@ -241,7 +244,7 @@ * fp_list => pointer to the function pointer list * * Returns: If the detection test fails, this function *must* return a zero! - * On success, it calls the next function in the detection list + * On success, it calls the next function in the detection list * ****************************************************************************/ int DynamicCheck(void *option_data, Packet *p) @@ -286,8 +289,8 @@ } /**************************************************************************** - * - * Function: RegisterDynamicRule(u_int32_t, u_int32_t, char *, void *, + * + * Function: RegisterDynamicRule(uint32_t, uint32_t, char *, void *, * OTNCheckFunction, int, GetFPContentFunction) * * Purpose: A dynamically loaded detection engine library can use this @@ -297,7 +300,7 @@ * check the rule. * * Arguments: sid => Signature ID - * gid => Generator ID + * gid => Generator ID * info => context specific data * chkFunc => Function to call to check if the rule matches * has*Funcs => Functions used to categorize this rule 
@@ -308,8 +311,8 @@ * ****************************************************************************/ int RegisterDynamicRule( - u_int32_t sid, - u_int32_t gid, + uint32_t sid, + uint32_t gid, void *info, OTNCheckFunction chkFunc, OTNHasFunction hasFunc, @@ -371,7 +374,7 @@ } else { -#ifndef SOURCEFIRE +#ifndef SOURCEFIRE LogMessage("DynamicPlugin: Rule [%u:%u] not enabled in " "configuration, rule will not be used.\n", gid, sid); #endif @@ -558,9 +561,9 @@ return 0; } -u_int32_t DynamicFlowbitRegister(char *name, int op) +uint32_t DynamicFlowbitRegister(char *name, int op) { - u_int32_t retFlowId; /* ID */ + uint32_t retFlowId; /* ID */ int hashRet; FLOWBITS_OBJECT *flowbits_item; @@ -570,18 +573,18 @@ flowbits_item = sfghash_find(flowbits_hash, name); - if (flowbits_item != NULL) + if (flowbits_item != NULL) { retFlowId = flowbits_item->id; } else { - flowbits_item = + flowbits_item = (FLOWBITS_OBJECT *)SnortAlloc(sizeof(FLOWBITS_OBJECT)); if (sfqueue_count(flowbits_bit_queue) > 0) { - retFlowId = (u_int32_t)(uintptr_t)sfqueue_remove(flowbits_bit_queue); + retFlowId = (uint32_t)(uintptr_t)sfqueue_remove(flowbits_bit_queue); flowbits_item->id = retFlowId; } else @@ -590,7 +593,7 @@ flowbits_item->id = flowbits_count; hashRet = sfghash_add(flowbits_hash, name, flowbits_item); - if (hashRet != SFGHASH_OK) + if (hashRet != SFGHASH_OK) { FatalError("Could not add flowbits key (%s) to hash.\n", name); } @@ -662,7 +665,7 @@ } } -int DynamicFlowbitCheck(void *pkt, int op, u_int32_t id) +int DynamicFlowbitCheck(void *pkt, int op, uint32_t id) { StreamFlowData *flowdata; Packet *p = (Packet *)pkt; 
@@ -733,30 +736,51 @@ } -int DynamicAsn1Detect(void *pkt, void *ctxt, const u_int8_t *cursor) +int DynamicAsn1Detect(void *pkt, void *ctxt, const uint8_t *cursor) { Packet *p = (Packet *) pkt; - ASN1_CTXT *c = (ASN1_CTXT *) ctxt; - + ASN1_CTXT *c = (ASN1_CTXT *) ctxt; + /* Call same detection function that snort calls */ return Asn1DoDetect(p->data, p->dsize, c, cursor); } -int DynamicsfUnfold(const u_int8_t *inbuf, u_int32_t insize, u_int8_t *outbuf, u_int32_t outsize, u_int32_t *read) +int DynamicsfUnfold(const uint8_t *inbuf, uint32_t insize, uint8_t *outbuf, uint32_t outsize, uint32_t *read) { - return sf_unfold_header(inbuf, insize, outbuf, outsize, read); + return sf_unfold_header(inbuf, insize, outbuf, outsize, read, 0, 0); } -int Dynamicsfbase64decode(u_int8_t *inbuf, u_int32_t insize, u_int8_t *outbuf, u_int32_t outsize, u_int32_t *read) +int Dynamicsfbase64decode(uint8_t *inbuf, uint32_t insize, uint8_t *outbuf, uint32_t outsize, uint32_t *read) { return sf_base64decode(inbuf, insize, outbuf, outsize, read); } -static INLINE int DynamicHasOption( +int DynamicGetAltDetect(uint8_t **bufPtr, uint16_t *altLenPtr) +{ + return GetAltDetect(bufPtr, altLenPtr); +} + +void DynamicSetAltDetect(uint8_t *buf, uint16_t altLen) +{ + SetAltDetect(buf, altLen); +} + +int DynamicIsDetectFlag(SFDetectFlagType df) +{ + return Is_DetectFlag((DetectFlagType)df); +} + +void DynamicDetectFlagDisable(SFDetectFlagType df) +{ + DetectFlag_Disable((DetectFlagType)df); +} + + +static inline int DynamicHasOption( OptTreeNode *otn, DynamicOptionType optionType, int flowFlag ) { DynamicData *dynData; - + dynData = (DynamicData *)otn->ds_list[PLUGIN_DYNAMIC]; if (!dynData) { diff -Nru snort-2.9.0.1/src/dynamic-plugins/sp_dynamic.h snort-2.9.2/src/dynamic-plugins/sp_dynamic.h --- snort-2.9.0.1/src/dynamic-plugins/sp_dynamic.h 2010-08-25 13:22:42.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sp_dynamic.h 2011-11-21 12:15:24.000000000 -0800 
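Review bot: `DynamicIsDetectFlag` and `DynamicDetectFlagDisable` in the `@@ -733` hunk convert the plugin-side `SFDetectFlagType` to the core `DetectFlagType` with a bare cast, which silently assumes the two enums are kept numerically identical, and nothing in the hunk documents or checks that. Add a comment on the casts, e.g. `/* SFDetectFlagType mirrors DetectFlagType value-for-value; keep the two enums in sync */`, and if the build has a static-assert facility pin at least the `ALT_DECODE` and `ALT_DETECT` members against each other. The `sf_unfold_header(inbuf, insize, outbuf, outsize, read, 0, 0)` call also gains two unexplained literal arguments; a short comment naming what the zeros select would save the next reader a trip into sfutil. DynamicHasOption begins in this hunk and continues past it.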
@@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * @@ -32,6 +32,8 @@ #include "sf_engine/sf_snort_plugin_api.h" #include "detection-plugins/sp_pattern_match.h" +extern char *snort_conf_dir; + typedef struct _DynamicData { void *contextData; @@ -47,8 +49,8 @@ void SetupDynamic(void); int RegisterDynamicRule( - u_int32_t gid, - u_int32_t sid, + uint32_t gid, + uint32_t sid, void *info, OTNCheckFunction, OTNHasFunction, 
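Review bot: The prototype in the `@@ -47` hunk names RegisterDynamicRule's first two parameters `gid, sid`, while the definition in sp_dynamic.c earlier in this diff declares them `sid, gid` and its header comment lists `sid` first. Both are `uint32_t`, so the compiler cannot catch the swap, but anyone coding against the header alone will pass the IDs in the wrong order. Whichever order the existing callers actually use should appear in both places; if the definition is the source of truth this line becomes `uint32_t sid, uint32_t gid`, otherwise swap the definition and its comment instead.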
@@ -79,19 +81,24 @@ #endif int DynamicPreprocRuleOptInit(void *); -u_int32_t DynamicFlowbitRegister(char *name, int op); +uint32_t DynamicFlowbitRegister(char *name, int op); void DynamicFlowbitUnregister(char *name, int op); -int DynamicFlowbitCheck(void *pkt, int op, u_int32_t id); -int DynamicAsn1Detect(void *pkt, void *ctxt, const u_int8_t *cursor); -int DynamicsfUnfold(const u_int8_t *, u_int32_t , u_int8_t *, u_int32_t , u_int32_t *); -int Dynamicsfbase64decode(u_int8_t *, u_int32_t , u_int8_t *, u_int32_t , u_int32_t *); +int DynamicFlowbitCheck(void *pkt, int op, uint32_t id); +int DynamicAsn1Detect(void *pkt, void *ctxt, const uint8_t *cursor); +int DynamicsfUnfold(const uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); +int Dynamicsfbase64decode(uint8_t *, uint32_t , uint8_t *, uint32_t , uint32_t *); +int DynamicGetAltDetect(uint8_t **, uint16_t *); +void DynamicSetAltDetect(uint8_t *, uint16_t ); +int DynamicIsDetectFlag(SFDetectFlagType); +void DynamicDetectFlagDisable(SFDetectFlagType); + int DynamicHasFlow(OptTreeNode *otn); int DynamicHasFlowbit(OptTreeNode *otn); int DynamicHasContent(OptTreeNode *otn); int DynamicHasByteTest(OptTreeNode *otn); int DynamicHasPCRE(OptTreeNode *otn); -u_int32_t DynamicRuleHash(void *d); +uint32_t DynamicRuleHash(void *d); int DynamicRuleCompare(void *l, void *r); #endif /* __SP_DYNAMIC_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-plugins/sp_preprocopt.c snort-2.9.2/src/dynamic-plugins/sp_preprocopt.c --- snort-2.9.0.1/src/dynamic-plugins/sp_preprocopt.c 2010-09-27 08:28:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sp_preprocopt.c 2011-11-21 12:15:24.000000000 -0800 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * 
@@ -55,11 +55,12 @@ #endif #include <errno.h> +#include "sf_types.h" #include "plugbase.h" #include "rules.h" #include "treenodes.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "sf_dynamic_engine.h" @@ -77,7 +78,7 @@ PreprocStats preprocRuleOptionPerfStats; #endif -extern const u_int8_t *doe_ptr; +extern const uint8_t *doe_ptr; SFGHASH * PreprocessorRuleOptionsNew(void) { @@ -204,16 +205,16 @@ return 1; } -u_int32_t PreprocessorRuleOptionHash(void *d) +uint32_t PreprocessorRuleOptionHash(void *d) { - u_int32_t a,b,c; + uint32_t a,b,c; PreprocessorOptionInfo *option_data = (PreprocessorOptionInfo *)d; - + #if (defined(__ia64) || defined(__amd64) || defined(_LP64)) { /* Cleanup warning because of cast from 64bit ptr to 32bit int * warning on 64bit OSs */ - u_int64_t ptr; /* Addresses are 64bits */ + uint64_t ptr; /* Addresses are 64bits */ if (option_data->optionHash != NULL) { @@ -222,18 +223,18 @@ } else { - ptr = (u_int64_t)option_data->data; + ptr = (uint64_t)option_data->data; a = (ptr << 32) & 0XFFFFFFFF; b = (ptr & 0xFFFFFFFF); } - ptr = (u_int64_t)option_data->optionInit; + ptr = (uint64_t)option_data->optionInit; c = (ptr << 32) & 0XFFFFFFFF; mix(a,b,c); a += (ptr & 0xFFFFFFFF); /* mix in the last half of optionInit */ - ptr = (u_int64_t)option_data->optionEval; + ptr = (uint64_t)option_data->optionEval; b += (ptr << 32) & 0XFFFFFFFF; c += (ptr & 0xFFFFFFFF); @@ -243,16 +244,16 @@ if (option_data->optionHash != NULL) a = option_data->optionHash(option_data->data); else - a = (u_int32_t)option_data->data; + a = (uint32_t)option_data->data; - b = (u_int32_t)option_data->optionInit; - c = (u_int32_t)option_data->optionEval; + b = (uint32_t)option_data->optionInit; + c = (uint32_t)option_data->optionEval; mix(a,b,c); #endif a += RULE_OPTION_TYPE_PREPROCESSOR; final(a,b,c); - + return c; } 
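Review bot: In PreprocessorRuleOptionHash (the `@@ -222` hunk) `a = (ptr << 32) & 0XFFFFFFFF`, `c = (ptr << 32) & 0XFFFFFFFF` and `b += (ptr << 32) & 0XFFFFFFFF` are all identically zero, because a 64-bit left shift by 32 leaves no bits in the low word, so the high halves of `data`, `optionInit` and `optionEval` never enter the hash on 64-bit builds. `(ptr >> 32) & 0xFFFFFFFF` is the high-word term the adjacent `(ptr & 0xFFFFFFFF)` expressions were meant to pair with. The effect is a weaker hash — more collisions in whatever table keys on it — rather than wrong results, but these lines are being rewritten here for the uint64_t rename, so it is the cheap moment to correct them. The `#else` branch and the function's tail are in the following hunk.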
@@ -260,7 +261,7 @@ { PreprocessorOptionInfo *left = (PreprocessorOptionInfo *)l; PreprocessorOptionInfo *right = (PreprocessorOptionInfo *)r; - + if (!left || !right) return DETECTION_OPTION_NOT_EQUAL; @@ -279,7 +280,7 @@ return DETECTION_OPTION_EQUAL; } } - + return DETECTION_OPTION_NOT_EQUAL; } @@ -287,7 +288,7 @@ int PreprocessorOptionFunc(void *option_data, Packet *p) { PreprocessorOptionInfo *optionInfo = (PreprocessorOptionInfo *)option_data; - const u_int8_t *cursor = doe_ptr; + const uint8_t *cursor = doe_ptr; int rval; PROFILE_VARS; @@ -337,7 +338,7 @@ return 0; optionInfo = sfghash_find(p->preproc_rule_options, optionName); - + if (!optionInfo) return 0; diff -Nru snort-2.9.0.1/src/dynamic-plugins/sp_preprocopt.h snort-2.9.2/src/dynamic-plugins/sp_preprocopt.h --- snort-2.9.0.1/src/dynamic-plugins/sp_preprocopt.h 2010-06-09 15:05:08.000000000 -0700 +++ snort-2.9.2/src/dynamic-plugins/sp_preprocopt.h 2011-11-21 12:15:24.000000000 -0800 @@ -14,7 +14,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Steven Sturges * 
@@ -67,10 +67,11 @@ int AddPreprocessorRuleOption(char *, OptTreeNode *, void *, PreprocOptionEval); -u_int32_t PreprocessorRuleOptionHash(void *d); +uint32_t PreprocessorRuleOptionHash(void *d); int PreprocessorRuleOptionCompare(void *l, void *r); void PreprocessorRuleOptionsFreeFunc(void *); int GetPreprocFastPatterns(void *, int, int, FPContentInfo **); +int PreprocessorOptionFunc(void *option_data, Packet *p); #endif /* __SP_PREPROCOPT_H_ */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_cl.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_cl.c 2010-01-26 10:09:55.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.c 2011-06-07 17:33:11.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -27,6 +27,11 @@ * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_cl.h" #include "snort_dce2.h" #include "dce2_list.h" @@ -37,7 +42,7 @@ #include "dce2_event.h" #include "dcerpc.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" #include "profiler.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" @@ -50,7 +55,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; extern char *dce2_pdu_types[DCERPC_PDU_TYPE__MAX]; 
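Review bot: The `@@ -27` hunk adds `#include "sf_types.h"` at the top of dce2_cl.c, but the file already includes `sf_types.h` a few lines further down, visible as context in the `@@ -37` hunk just before the `snort_debug.h` change. The include guard makes the duplicate harmless, but one of the two should go — keeping the new early one, whose purpose is presumably to have the fixed-width types defined before anything else is parsed, and dropping the later one. dce2_co.c receives the same early include in this change and may carry the same duplication beyond what is visible here.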
@@ -121,7 +125,7 @@ static void DCE2_ClFragReassemble(DCE2_SsnData*, DCE2_ClActTracker *, const DceRpcClHdr *); static void DCE2_ClResetFragTracker(DCE2_ClFragTracker *); -static INLINE void DCE2_ClSetRdata(DCE2_ClActTracker *, const DceRpcClHdr *, uint8_t *, uint16_t); +static inline void DCE2_ClSetRdata(DCE2_ClActTracker *, const DceRpcClHdr *, uint8_t *, uint16_t); /* Callbacks */ static int DCE2_ClFragCompare(const void *, const void *); @@ -172,7 +176,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ClSetRdata(DCE2_ClActTracker *at, const DceRpcClHdr *pkt_cl_hdr, +static inline void DCE2_ClSetRdata(DCE2_ClActTracker *at, const DceRpcClHdr *pkt_cl_hdr, uint8_t *cl_ptr, uint16_t stub_len) { DCE2_ClFragTracker *ft = &at->frag_tracker; @@ -392,7 +396,7 @@ * Pointer to the connectionless header in the packet. * * Returns: - * DCE2_ClActTracker * + * DCE2_ClActTracker * * A valid pointer to an activity tracker on success. * NULL on error. * @@ -413,7 +417,7 @@ { /* Create a new activity tracker list */ clt->act_trackers = DCE2_ListNew(DCE2_LIST_TYPE__SPLAYED, DCE2_UuidCompare, - DCE2_ClActDataFree, DCE2_ClActKeyFree, + DCE2_ClActDataFree, DCE2_ClActKeyFree, DCE2_LIST_FLAG__NO_DUPS, DCE2_MEM_TYPE__CL_ACT); if (clt->act_trackers == NULL) return NULL; @@ -513,7 +517,7 @@ at->seq_num = seq_num; at->seq_num_invalid = 0; - /* If there are any fragments, the new sequence number invalidates + /* If there are any fragments, the new sequence number invalidates * all of the frags that might be currently stored. */ DCE2_ClResetFragTracker(&at->frag_tracker); } @@ -634,7 +638,7 @@ /* Create new list if we don't have one already */ ft->frags = DCE2_ListNew(DCE2_LIST_TYPE__SORTED, DCE2_ClFragCompare, DCE2_ClFragDataFree, NULL, DCE2_LIST_FLAG__NO_DUPS | DCE2_LIST_FLAG__INS_TAIL, - DCE2_MEM_TYPE__CL_FRAG); + DCE2_MEM_TYPE__CL_FRAG); if (ft->frags == NULL) { 
@@ -940,7 +944,7 @@ /******************************************************************** * Function: DCE2_ClCleanTracker() * - * Destroys all the activity tracker list, which cleans out and + * Destroys all the activity tracker list, which cleans out and * frees all data associated with each activity tracker in the * list. * @@ -977,7 +981,7 @@ static void DCE2_ClActDataFree(void *data) { DCE2_ClActTracker *at = (DCE2_ClActTracker *)data; - + if (at == NULL) return; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_cl.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_cl.h 2010-01-26 10:09:55.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_cl.h 2011-02-09 15:23:12.000000000 -0800 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_co.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_co.c 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -23,9 +23,14 @@
  * Sets appropriate data for use with the preprocessor rule options.
  *
  * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com>
- * 
+ *
  ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
 #include "dce2_co.h"
 #include "dce2_tcp.h"
 #include "dce2_smb.h"
@@ -54,7 +59,6 @@
 /********************************************************************
  * Extern variables
  ********************************************************************/
-extern DynamicPreprocessorData _dpd;
 extern DCE2_Stats dce2_stats;
 extern char *dce2_pdu_types[DCERPC_PDU_TYPE__MAX];
@@ -121,31 +125,31 @@ const DceRpcCoHdr *, const uint8_t *, uint16_t); static void DCE2_CoHandleFrag(DCE2_SsnData *, DCE2_CoTracker *, const DceRpcCoHdr *, const uint8_t *, uint16_t); -static INLINE DCE2_Ret DCE2_CoHandleSegmentation(DCE2_CoSeg *, const uint8_t *, - uint16_t, uint16_t, uint16_t *); +static inline DCE2_Ret DCE2_CoHandleSegmentation( + DCE2_CoSeg *, const uint8_t *, uint16_t, uint16_t, uint16_t *, int); static void DCE2_CoReassemble(DCE2_SsnData *, DCE2_CoTracker *, DCE2_CoRpktType); -static INLINE void DCE2_CoFragReassemble(DCE2_SsnData *, DCE2_CoTracker *); -static INLINE void DCE2_CoSegReassemble(DCE2_SsnData *, DCE2_CoTracker *); +static inline void DCE2_CoFragReassemble(DCE2_SsnData *, DCE2_CoTracker *); +static inline void DCE2_CoSegReassemble(DCE2_SsnData *, DCE2_CoTracker *); static DCE2_Ret DCE2_CoSetIface(DCE2_SsnData *, DCE2_CoTracker *, uint16_t); static int DCE2_CoCtxCompare(const void *, const void *); static void DCE2_CoCtxFree(void *); -static INLINE void DCE2_CoSetRopts(DCE2_SsnData *, DCE2_CoTracker *, const DceRpcCoHdr *); -static INLINE void DCE2_CoSetRdata(DCE2_SsnData *, DCE2_CoTracker *, uint8_t *, uint16_t); -static INLINE void DCE2_CoResetFragTracker(DCE2_CoFragTracker *); -static INLINE void DCE2_CoResetTracker(DCE2_CoTracker *); -static INLINE void DCE2_CoResetForMissedPkts(DCE2_CoTracker *); -static INLINE DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *); -static INLINE int DCE2_CoAutodetect(const uint8_t *, uint16_t); -static INLINE void DCE2_CoEraseCtxIds(DCE2_CoTracker *); -static INLINE void DCE2_CoSegAlert(DCE2_SsnData *, DCE2_CoTracker *, DCE2_Event); -static INLINE SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *, const uint8_t *, uint32_t); -static INLINE DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *, DCE2_BufType); +static inline void DCE2_CoSetRopts(DCE2_SsnData *, DCE2_CoTracker *, const DceRpcCoHdr *); +static inline void DCE2_CoSetRdata(DCE2_SsnData *, DCE2_CoTracker *, uint8_t *, uint16_t); +static inline 
void DCE2_CoResetFragTracker(DCE2_CoFragTracker *); +static inline void DCE2_CoResetTracker(DCE2_CoTracker *); +static inline void DCE2_CoResetForMissedPkts(DCE2_CoTracker *); +static inline DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *); +static inline int DCE2_CoAutodetect(const uint8_t *, uint16_t); +static inline void DCE2_CoEraseCtxIds(DCE2_CoTracker *); +static inline void DCE2_CoSegAlert(DCE2_SsnData *, DCE2_CoTracker *, DCE2_Event); +static inline SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *, const uint8_t *, uint32_t); +static inline DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *, DCE2_BufType); static SFSnortPacket * DCE2_CoGetRpkt(DCE2_SsnData *, DCE2_CoTracker *, DCE2_CoRpktType, DCE2_RpktType *); -static INLINE DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *, DCE2_CoTracker *); -static INLINE DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *, DCE2_CoFragTracker *); -static INLINE int DCE2_CoIsSegBuf(DCE2_SsnData *, DCE2_CoTracker *, const uint8_t *); +static inline DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *, DCE2_CoTracker *); +static inline DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *, DCE2_CoFragTracker *); +static inline int DCE2_CoIsSegBuf(DCE2_SsnData *, DCE2_CoTracker *, const uint8_t *); static void DCE2_CoEarlyReassemble(DCE2_SsnData *, DCE2_CoTracker *); static DCE2_Ret DCE2_CoSegEarlyRequest(DCE2_CoTracker *, const uint8_t *, uint32_t); static int DCE2_CoGetAuthLen(DCE2_SsnData *, const DceRpcCoHdr *, 
@@ -192,16 +196,16 @@ * Arguments: * DCE2_CoTracker * * Pointer to the relevant connection-oriented tracker. - * uint8_t * + * uint8_t * * Pointer to the place in the reassembly packet where the * header starts. - * uint16_t + * uint16_t * The length of the stub data. * * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSetRdata(DCE2_SsnData *sd, DCE2_CoTracker *cot, +static inline void DCE2_CoSetRdata(DCE2_SsnData *sd, DCE2_CoTracker *cot, uint8_t *co_ptr, uint16_t stub_len) { DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)co_ptr; @@ -305,7 +309,7 @@ { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Not enough data in packet for CO header.\n")); - DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used); + DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used, 1); /* Just break out of loop in case early detect is enabled */ break; @@ -324,7 +328,7 @@ /* Set frag length so we don't have to check it again in seg code */ seg->frag_len = frag_len; - DCE2_CoHandleSegmentation(seg, data_ptr, data_len, frag_len, &data_used); + DCE2_CoHandleSegmentation(seg, data_ptr, data_len, frag_len, &data_used, 1); break; } @@ -337,10 +341,15 @@ * since we'll detect on reassembled */ if (!DCE2_GcDceDefrag() || ((num_frags == 1) && !co_reassembled)) DCE2_Detect(sd); + + /* Reset if this is a last frag */ + if (DceRpcCoLastFrag((DceRpcCoHdr *)frag_ptr)) + num_frags = 0; } else /* We've already buffered data */ { uint16_t data_used; + int append = 0; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Segmentation buffer has %u bytes\n", DCE2_BufferLength(seg->buf))); 
@@ -348,7 +357,8 @@ /* Need more data to get header */ if (DCE2_BufferLength(seg->buf) < sizeof(DceRpcCoHdr)) { - status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used); + append = 1; + status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, sizeof(DceRpcCoHdr), &data_used, append); /* Still not enough for header */ if (status != DCE2_RET__SUCCESS) @@ -359,8 +369,21 @@ if (DCE2_CoHdrChecks(sd, cot, (DceRpcCoHdr *)DCE2_BufferData(seg->buf)) != DCE2_RET__SUCCESS) { - DCE2_BufferEmpty(seg->buf); - return; + int data_back; + DCE2_BufferEmpty(seg->buf); + /* Move back to original packet header */ + data_back = -data_used; + DCE2_MOVE(data_ptr, data_len, data_back); + /*Check the original packet*/ + if (DCE2_CoHdrChecks(sd, cot, (DceRpcCoHdr *)data_ptr) != DCE2_RET__SUCCESS) + return; + else + { + /*Only use the original packet, ignore the data in seg_buffer*/ + num_frags = 0; + continue; + } + } seg->frag_len = DceRpcCoFragLen((DceRpcCoHdr *)DCE2_BufferData(seg->buf)); @@ -369,7 +392,7 @@ /* Need more data for full pdu */ if (DCE2_BufferLength(seg->buf) < seg->frag_len) { - status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, seg->frag_len, &data_used); + status = DCE2_CoHandleSegmentation(seg, data_ptr, data_len, seg->frag_len, &data_used, append); /* Still not enough */ if (status != DCE2_RET__SUCCESS) @@ -378,8 +401,16 @@ DCE2_MOVE(data_ptr, data_len, data_used); } + /* Do this before calling DCE2_CoSegDecode since it will empty + * seg buffer */ + if (DceRpcCoLastFrag((DceRpcCoHdr *)seg->buf->data)) + num_frags = 0; + /* Got the full DCE/RPC pdu. Need to create new packet before decoding */ DCE2_CoSegDecode(sd, cot, seg); + + if ( !data_used ) + break; } } @@ -391,7 +422,7 @@ * Function: DCE2_CoHandleSegmentation() * * Wrapper around DCE2_HandleSegmentation() to allocate a new - * buffer object if necessary. + * buffer object if necessary. * * Arguments: * DCE2_CoSeg * 
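Review bot: The fallback check `DCE2_CoHdrChecks(sd, cot, (DceRpcCoHdr *)data_ptr)` reads a whole DceRpcCoHdr from the packet right after `DCE2_MOVE(data_ptr, data_len, data_back)` has rewound to the packet's first byte, but nothing verifies `data_len >= sizeof(DceRpcCoHdr)` first and DCE2_CoHdrChecks takes no length argument. The bytes were in the segmentation buffer precisely because a packet may carry fewer than a header's worth, so on such a packet the cast over-reads past the payload and the header checks run on whatever memory follows it. The simplest fix is to drop the direct check and let the loop top re-process the rewound packet, which the empty-buffer path at @@ -305 already routes to segmentation when it is short: replace the second `if`/`else` with `num_frags = 0; continue;`. If the explicit check is kept, precede it with `if (data_len < sizeof(DceRpcCoHdr)) { num_frags = 0; continue; }`; this assumes DCE2_MOVE is the usual pointer/length adjust, which is not visible here. The enclosing function starts and ends outside this hunk.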
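Review bot: `if ( !data_used ) break;` after DCE2_CoSegDecode reads `data_used`, which the preceding hunk declares without an initializer (`uint16_t data_used;`) and which is only assigned inside the two `DCE2_CoHandleSegmentation` calls; if seg->buf already holds a complete header and a complete PDU on entry, neither call runs and the read is of an indeterminate value, undefined behaviour in C. Initialise it at the declaration, `uint16_t data_used = 0;`, and add a one-line comment saying what the break guards against (presumably a zero-progress iteration), because with the buffer emptied by DCE2_CoSegDecode the loop top would otherwise process the remaining packet bytes. Style: `if ( !data_used )` differs from the `if (!x)` spacing used everywhere else in this file. The enclosing function continues outside this hunk.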
@@ -407,6 +438,8 @@ * Pointer to basically a return value for the amount of * data in the packet that was actually used for * desegmentation. + * int + * bool is true if we must append. * * Returns: * DCE2_Ret @@ -419,11 +452,14 @@ * i.e. the need length was met. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_CoHandleSegmentation(DCE2_CoSeg *seg, const uint8_t *data_ptr, - uint16_t data_len, uint16_t need_len, uint16_t *data_used) +static inline DCE2_Ret DCE2_CoHandleSegmentation( + DCE2_CoSeg *seg, const uint8_t *data_ptr, + uint16_t data_len, uint16_t need_len, + uint16_t *data_used, int append) { DCE2_Ret status; PROFILE_VARS; + uint32_t offset; PREPROC_PROFILE_START(dce2_pstat_co_seg); @@ -448,7 +484,10 @@ DCE2_BufferSetMinAllocSize(seg->buf, need_len); } - status = DCE2_HandleSegmentation(seg->buf, data_ptr, data_len, need_len, data_used); + offset = DCE2_GetWriteOffset(need_len, append); + + status = DCE2_HandleSegmentation( + seg->buf, data_ptr, data_len, offset, need_len, data_used); PREPROC_PROFILE_END(dce2_pstat_co_seg); @@ -549,7 +588,7 @@ (pdu_type == DCERPC_PDU_TYPE__REQUEST) && ((int)frag_len < ((int)cot->max_xmit_frag - DCE2_MAX_XMIT_SIZE_FUZZ))) { - /* If client needs to fragment the DCE/RPC request, it shouldn't be less than the + /* If client needs to fragment the DCE/RPC request, it shouldn't be less than the * maximum xmit size negotiated. Only if it's not a last fragment. Make this alert * only if it is considerably less - have seen legitimate fragments that are just * slightly less the negotiated fragment size. */ @@ -572,7 +611,7 @@ * Main processing for the DCE/RPC pdu types. Most are not * implemented as, currently, they are not necessary and only * stats are kept for them. Important are the bind, alter context - * and request. + * and request. * * Arguments: * DCE2_SsnData * 
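Review bot: The new parameter comment `bool is true if we must append.` documents only the append case, while the case a reader needs is append == 0, where the write position comes from `DCE2_GetWriteOffset(need_len, append)` rather than from what seg->buf already holds, and it is not clear from here whether previously buffered bytes are overwritten or kept. Spell out both cases, e.g. `int append: non-zero writes after the bytes already buffered; zero writes at the offset DCE2_GetWriteOffset() derives from need_len (callers pass 0 only once the header is fully buffered, see the caller in DCE2_CoProcess)`, after confirming the second clause against DCE2_GetWriteOffset, which is not visible in this diff.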
@@ -835,7 +874,7 @@ case DCE2_POLICY__SAMBA_3_0_20: /* Accepts multiple binds */ break; - + default: DCE2_Log(DCE2_LOG_TYPE__ERROR, "%s(%d) Invalid policy: %d", @@ -1310,7 +1349,7 @@ * If it's a first/last fragment, set relevant rule option * data and return. If it's a true fragment, do some target * based futzing to set the right opnum and context id for - * the to be reassembled packet. + * the to be reassembled packet. * * Arguments: * DCE2_SsnData * @@ -1368,7 +1407,10 @@ DCE2_MOVE(frag_ptr, frag_len, req_size); /* If for some reason we had some fragments queued */ - if (DceRpcCoFirstFrag(co_hdr) && !DCE2_BufferIsEmpty(cot->frag_tracker.cli_frag_buf)) + if ( + DceRpcCoFirstFrag(co_hdr) && + !DceRpcCoLastFrag(co_hdr) && + !DCE2_BufferIsEmpty(cot->frag_tracker.cli_frag_buf)) { DCE2_CoFragReassemble(sd, cot); DCE2_BufferEmpty(cot->frag_tracker.cli_frag_buf); @@ -1395,11 +1437,13 @@ dce2_stats.co_req_fragments++; +#ifdef DEBUG_MSGS DCE2_DEBUG_CODE(DCE2_DEBUG__CO, if (DceRpcCoFirstFrag(co_hdr)) DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "First fragment.\n")); else if (DceRpcCoLastFrag(co_hdr)) DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Last fragment.\n")); else DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Middle fragment.\n")); DCE2_PrintPktData(frag_ptr, frag_len);); +#endif if (auth_len == -1) return; @@ -1789,7 +1833,7 @@ if (DceRpcCoLastFrag(co_hdr) || (DCE2_BufferLength(frag_buf) == max_frag_data)) mflag = DCE2_BUFFER_MIN_ADD_FLAG__IGNORE; - status = DCE2_BufferAddData(frag_buf, frag_ptr, frag_len, mflag); + status = DCE2_BufferAddData(frag_buf, frag_ptr, frag_len, 0, mflag); if (status != DCE2_RET__SUCCESS) { @@ -1844,7 +1888,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoFragReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) +static inline void DCE2_CoFragReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) { DCE2_CoReassemble(sd, cot, DCE2_CO_RPKT_TYPE__FRAG); } 
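Review bot: With `!DceRpcCoLastFrag(co_hdr)` added to the condition, a request flagged both first and last fragment no longer flushes fragments already queued in `cli_frag_buf`; if the rest of the function returns early for first/last fragments, as the header comment at @@ -1310 says it does, those stale bytes stay buffered until a later first-but-not-last fragment arrives, at which point this same branch reassembles and detects on them as if they were a request of their own. Add a comment on the condition saying where the stale data is meant to be discarded (DCE2_CoResetFragTracker, memcap pruning, or a later reassembly), or empty the buffer explicitly in the first-and-last case with `DCE2_BufferEmpty(cot->frag_tracker.cli_frag_buf);` so a crafted PDU cannot park attacker-chosen bytes that surface later as a bogus reassembled request. The enclosing function starts outside this hunk.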
@@ -1865,7 +1909,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSegReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) +static inline void DCE2_CoSegReassemble(DCE2_SsnData *sd, DCE2_CoTracker *cot) { DCE2_CoReassemble(sd, cot, DCE2_CO_RPKT_TYPE__SEG); } @@ -1903,6 +1947,9 @@ rpkt = DCE2_CoGetRpkt(sd, cot, co_rtype, &rpkt_type); if (rpkt == NULL) { + DCE2_Log(DCE2_LOG_TYPE__ERROR, + "%s(%d) Could not create DCE/RPC frag reassembled packet.\n", + __FILE__, __LINE__); PREPROC_PROFILE_END(dce2_pstat_co_reass); return; } @@ -1994,9 +2041,9 @@ /******************************************************************** * Function: DCE2_CoSetIface() * - * Sets the interface UUID for the rules options. Looks in the + * Sets the interface UUID for the rules options. Looks in the * context id list. If nothing found there, it looks in the pending - * list (in case we never saw the server response because of + * list (in case we never saw the server response because of * missed packets) to see if something is there. * * Arguments: @@ -2162,7 +2209,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoResetFragTracker(DCE2_CoFragTracker *ft) +static inline void DCE2_CoResetFragTracker(DCE2_CoFragTracker *ft) { if (ft == NULL) return; @@ -2190,7 +2237,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoResetTracker(DCE2_CoTracker *cot) +static inline void DCE2_CoResetTracker(DCE2_CoTracker *cot) { if (cot == NULL) return; @@ -2217,7 +2264,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoResetForMissedPkts(DCE2_CoTracker *cot) +static inline void DCE2_CoResetForMissedPkts(DCE2_CoTracker *cot) { if (cot == NULL) return; 
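Review bot: The new `DCE2_Log(DCE2_LOG_TYPE__ERROR, ...)` when DCE2_CoGetRpkt returns NULL is on the per-PDU reassembly path, so if that failure can be provoked by traffic (for instance by a reassembly size limit) a remote peer can drive unbounded error-level logging; a `dce2_stats` counter or a debug-level message such as `DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CO, "Could not create DCE/RPC reassembled packet.\n"));` is the safer choice. The text also says "frag reassembled packet" although the same function is reached for segments via DCE2_CoSegReassemble with `DCE2_CO_RPKT_TYPE__SEG` in the previous hunk, so drop "frag" from the message. The enclosing function, presumably DCE2_CoReassemble, starts and ends outside this hunk.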
@@ -2232,7 +2279,7 @@ /******************************************************************** * Function: DCE2_CoCleanTracker() * - * Destroys all dynamically allocated data associated with + * Destroys all dynamically allocated data associated with * connection-oriented tracker. * * Arguments: @@ -2282,13 +2329,13 @@ * uint16_t * Remaining length of the packet data. * - * Returns: + * Returns: * int * 1 if successfully autodetected * 0 if unsuccessful * ********************************************************************/ -static INLINE int DCE2_CoAutodetect(const uint8_t *data_ptr, uint16_t data_len) +static inline int DCE2_CoAutodetect(const uint8_t *data_ptr, uint16_t data_len) { if (data_len >= sizeof(DceRpcCoHdr)) { @@ -2319,7 +2366,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoEraseCtxIds(DCE2_CoTracker *cot) +static inline void DCE2_CoEraseCtxIds(DCE2_CoTracker *cot) { if (cot == NULL) return; @@ -2347,14 +2394,14 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSegAlert(DCE2_SsnData *sd, DCE2_CoTracker *cot, DCE2_Event event) +static inline void DCE2_CoSegAlert(DCE2_SsnData *sd, DCE2_CoTracker *cot, DCE2_Event event) { SFSnortPacket *rpkt; DCE2_Buffer *buf; DceRpcCoHdr *co_hdr; uint16_t frag_len; DceRpcPduType pdu_type; - + if (DCE2_SsnFromClient(sd->wire_pkt)) buf = cot->cli_seg.buf; else @@ -2440,7 +2487,7 @@ * NULL on error. * ********************************************************************/ -static INLINE SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *sd, +static inline SFSnortPacket * DCE2_CoGetSegRpkt(DCE2_SsnData *sd, const uint8_t *data_ptr, uint32_t data_len) { SFSnortPacket *rpkt = NULL; 
@@ -2507,7 +2554,7 @@ * We were able to allocate and initialize new lists. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *cot) +static inline DCE2_Ret DCE2_CoInitCtxStorage(DCE2_CoTracker *cot) { if (cot == NULL) return DCE2_RET__ERROR; @@ -2721,7 +2768,7 @@ DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)seg_data; /* Don't use it if it's not a request and therefore doesn't - * belong with the frag data. This is an insanity check - + * belong with the frag data. This is an insanity check - * shouldn't have seg data that's not a request if there are * frags queued up */ if (DceRpcCoPduType(co_hdr) != DCERPC_PDU_TYPE__REQUEST) @@ -2816,7 +2863,11 @@ rpkt = DCE2_CoGetSegRpkt(sd, DCE2_BufferData(seg->buf), DCE2_BufferLength(seg->buf)); PREPROC_PROFILE_END(dce2_pstat_co_reass); - /* Done with this data */ + // FIXTHIS - don't toss data until success response to + // allow for retransmission of last segment of pdu. if + // we don't do it here 2 things break: + // (a) we can't alert on this packet; and + // (b) subsequent pdus aren't desegmented correctly. DCE2_BufferEmpty(seg->buf); if (rpkt == NULL) @@ -2853,7 +2904,6 @@ return; } - /* All is good. Decode the pdu */ DCE2_CoDecode(sd, cot, frag_ptr, frag_len); @@ -2884,7 +2934,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_CoSetRopts(DCE2_SsnData *sd, DCE2_CoTracker *cot, const DceRpcCoHdr *co_hdr) +static inline void DCE2_CoSetRopts(DCE2_SsnData *sd, DCE2_CoTracker *cot, const DceRpcCoHdr *co_hdr) { DCE2_CoFragTracker *ft = &cot->frag_tracker; int opnum = (ft->opnum != DCE2_SENTINEL) ? ft->opnum : cot->opnum; 
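Review bot: The `// FIXTHIS` comment introduces `//` into a file that otherwise uses `/* */` and records that the buffer is emptied before the `rpkt == NULL` check below, meaning a failed reassembly-packet allocation silently drops a complete PDU with no alert, which is a detection gap for anyone able to trigger that failure. Reword it as a `/* TODO: keep seg->buf until DCE2_CoGetSegRpkt succeeds ... */` comment that names that consequence, and until it is fixed count the drop on the NULL path with a `dce2_stats` counter so the gap is at least observable. The enclosing function starts outside this hunk.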
@@ -2924,7 +2974,7 @@ * given the transport and buffer type. * ********************************************************************/ -static INLINE DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *sd, DCE2_BufType btype) +static inline DCE2_RpktType DCE2_CoGetRpktType(DCE2_SsnData *sd, DCE2_BufType btype) { DCE2_RpktType rtype = DCE2_RPKT_TYPE__NULL; @@ -2999,7 +3049,7 @@ * 0 if the pointer is not within a segmentation buffer. * ********************************************************************/ -static INLINE int DCE2_CoIsSegBuf(DCE2_SsnData *sd, DCE2_CoTracker *cot, const uint8_t *ptr) +static inline int DCE2_CoIsSegBuf(DCE2_SsnData *sd, DCE2_CoTracker *cot, const uint8_t *ptr) { DCE2_Buffer *seg_buf; @@ -3024,7 +3074,7 @@ /******************************************************************** * Function: DCE2_CoSegEarlyRequest() * - * Used to set rule option data if we are doing an early + * Used to set rule option data if we are doing an early * reassembly on data in the segmentation buffer. If we are * taking directly from the segmentation buffer, none of the * rule option data will be set since processing doesn't get to @@ -3040,7 +3090,7 @@ * * Returns: * DCE2_Ret - * DCE2_RET__SUCCESS if there is enough data in buffer to + * DCE2_RET__SUCCESS if there is enough data in buffer to * set rule option data and we should continue processing. * DCE2_RET__ERROR if there is not enough data in segmentation * buffer to set rule option data and we should not @@ -3075,7 +3125,7 @@ cot->opnum = DceRpcCoOpnum(co_hdr, rhdr); cot->ctx_id = DceRpcCoCtxId(co_hdr, rhdr); cot->call_id = DceRpcCoCallId(co_hdr); - + return DCE2_RET__SUCCESS; } 
@@ -3095,7 +3145,7 @@ * Pointer to client or server segmenation buffer. * ********************************************************************/ -static INLINE DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *sd, DCE2_CoTracker *cot) +static inline DCE2_CoSeg * DCE2_CoGetSegPtr(DCE2_SsnData *sd, DCE2_CoTracker *cot) { if (DCE2_SsnFromServer(sd->wire_pkt)) return &cot->srv_seg; @@ -3119,7 +3169,7 @@ * Pointer to client or server fragmentation buffer. * ********************************************************************/ -static INLINE DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *sd, DCE2_CoFragTracker *ft) +static inline DCE2_Buffer * DCE2_CoGetFragBuf(DCE2_SsnData *sd, DCE2_CoFragTracker *ft) { if (DCE2_SsnFromServer(sd->wire_pkt)) return ft->srv_frag_buf; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_co.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_co.h 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_co.h 2011-02-09 15:23:12.000000000 -0800 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_config.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_config.c 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.c 2011-07-13 15:44:51.000000000 -0700 
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -18,7 +18,7 @@
  *
  ****************************************************************************
  * Parses and processes configuration set in snort.conf.
- * 
+ *
  * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com>
  *
  ****************************************************************************/
@@ -27,6 +27,7 @@
 #include "config.h"
 #endif
+#include "sf_types.h"
 #include "dce2_config.h"
 #include "dce2_utils.h"
 #include "dce2_list.h"
@@ -70,11 +71,6 @@
 static char dce2_config_error[1024];
 /********************************************************************
- * Extern variables
- ********************************************************************/
-extern DynamicPreprocessorData _dpd;
-
-/********************************************************************
  * Macros
  ********************************************************************/
 #define DCE2_GOPT__MEMCAP "memcap"
@@ -109,7 +105,7 @@
 #define DCE2_SOPT__DETECT "detect"
 #define DCE2_SOPT__AUTODETECT "autodetect"
 #define DCE2_SARG__DETECT_NONE "none"
-#define DCE2_SARG__DETECT_SMB "smb"
+#define DCE2_SARG__DETECT_SMB "smb"
 #define DCE2_SARG__DETECT_TCP "tcp"
 #define DCE2_SARG__DETECT_UDP "udp"
 #define DCE2_SARG__DETECT_HTTP_PROXY "rpc-over-http-proxy"
@@ -222,14 +218,14 @@ ********************************************************************/ static void DCE2_GcInitConfig(DCE2_GlobalConfig *gc); static DCE2_Ret DCE2_GcParseConfig(DCE2_GlobalConfig *, char *); -static INLINE DCE2_GcOptFlag DCE2_GcParseOption(char *, char *, int *); +static inline DCE2_GcOptFlag DCE2_GcParseOption(char *, char *, int *); static DCE2_Ret DCE2_GcParseMemcap(DCE2_GlobalConfig *, char **, char *); static DCE2_Ret DCE2_GcParseMaxFrag(DCE2_GlobalConfig *, char **, char *); static DCE2_Ret DCE2_GcParseEvents(DCE2_GlobalConfig *, char **, char *); -static INLINE void DCE2_GcSetEvent(DCE2_GlobalConfig *, DCE2_EventFlag); -static INLINE void DCE2_GcClearEvent(DCE2_GlobalConfig *, DCE2_EventFlag); -static INLINE void DCE2_GcClearAllEvents(DCE2_GlobalConfig *); -static INLINE DCE2_EventFlag DCE2_GcParseEvent(char *, char *, int *); +static inline void DCE2_GcSetEvent(DCE2_GlobalConfig *, DCE2_EventFlag); +static inline void DCE2_GcClearEvent(DCE2_GlobalConfig *, DCE2_EventFlag); +static inline void DCE2_GcClearAllEvents(DCE2_GlobalConfig *); +static inline DCE2_EventFlag DCE2_GcParseEvent(char *, char *, int *); static DCE2_Ret DCE2_GcParseReassembleThreshold(DCE2_GlobalConfig *, char **, char *); static void DCE2_GcPrintConfig(const DCE2_GlobalConfig *); static void DCE2_GcError(const char *, ...); 
@@ -237,19 +233,19 @@ static DCE2_Ret DCE2_ScInitConfig(DCE2_ServerConfig *); static DCE2_Ret DCE2_ScInitPortArray(DCE2_ServerConfig *, DCE2_DetectFlag, int); static DCE2_Ret DCE2_ScParseConfig(DCE2_Config *, DCE2_ServerConfig *, char *, DCE2_Queue *); -static INLINE DCE2_ScOptFlag DCE2_ScParseOption(char *, char *, int *); +static inline DCE2_ScOptFlag DCE2_ScParseOption(char *, char *, int *); static DCE2_Ret DCE2_ScParsePolicy(DCE2_ServerConfig *, char **, char *); static DCE2_Ret DCE2_ScParseDetect(DCE2_ServerConfig *, char **, char *, int); -static INLINE DCE2_DetectFlag DCE2_ScParseDetectType(char *, char *, int *); -static INLINE void DCE2_ScResetPortsArrays(DCE2_ServerConfig *, int); +static inline DCE2_DetectFlag DCE2_ScParseDetectType(char *, char *, int *); +static inline void DCE2_ScResetPortsArrays(DCE2_ServerConfig *, int); static DCE2_Ret DCE2_ScParseSmbShares(DCE2_ServerConfig *, char **, char *); static DCE2_Ret DCE2_ScParseSmbMaxChain(DCE2_ServerConfig *, char **, char *); static DCE2_Ret DCE2_ScParseSmb2MaxCompound(DCE2_ServerConfig *, char **, char *); static DCE2_Ret DCE2_ScParseValidSmbVersions(DCE2_ServerConfig *, char **, char *); -static INLINE DCE2_ValidSmbVersionFlag DCE2_ScParseValidSmbVersion(char *, char *, int *); -static INLINE void DCE2_ScSetValidSmbVersion(DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); -static INLINE void DCE2_ScClearValidSmbVersion(DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); -static INLINE void DCE2_ScClearAllValidSmbVersionFlags(DCE2_ServerConfig *); +static inline DCE2_ValidSmbVersionFlag DCE2_ScParseValidSmbVersion(char *, char *, int *); +static inline void DCE2_ScSetValidSmbVersion(DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); +static inline void DCE2_ScClearValidSmbVersion(DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); +static inline void DCE2_ScClearAllValidSmbVersionFlags(DCE2_ServerConfig *); static DCE2_Ret DCE2_ScAddToRoutingTable(DCE2_Config *, DCE2_ServerConfig *, DCE2_Queue *); static int 
DCE2_ScSmbShareCompare(const void *, const void *); static void DCE2_ScSmbShareFree(void *); @@ -491,7 +487,7 @@ * been configured. * ********************************************************************/ -static INLINE DCE2_GcOptFlag DCE2_GcParseOption(char *opt_start, char *opt_end, int *opt_mask) +static inline DCE2_GcOptFlag DCE2_GcParseOption(char *opt_start, char *opt_end, int *opt_mask) { DCE2_GcOptFlag opt_flag = DCE2_GC_OPT_FLAG__NULL; size_t opt_len = opt_end - opt_start; @@ -809,7 +805,7 @@ * Function: DCE2_GcParseEvent() * * Parses event type and returns flag indication the type of event. - * Checks and sets a bit in a mask to prevent multiple + * Checks and sets a bit in a mask to prevent multiple * configurations of the same event type. * * Arguments: @@ -830,7 +826,7 @@ * configuration of event type. * ********************************************************************/ -static INLINE DCE2_EventFlag DCE2_GcParseEvent(char *start, char *end, int *emask) +static inline DCE2_EventFlag DCE2_GcParseEvent(char *start, char *end, int *emask) { DCE2_EventFlag eflag = DCE2_EVENT_FLAG__NULL; size_t event_len = end - start; @@ -897,7 +893,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_GcSetEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) +static inline void DCE2_GcSetEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) { gc->event_mask |= eflag; } @@ -917,7 +913,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_GcClearEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) +static inline void DCE2_GcClearEvent(DCE2_GlobalConfig *gc, DCE2_EventFlag eflag) { gc->event_mask &= ~eflag; } 
@@ -934,7 +930,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_GcClearAllEvents(DCE2_GlobalConfig *gc) +static inline void DCE2_GcClearAllEvents(DCE2_GlobalConfig *gc) { gc->event_mask = DCE2_EVENT_FLAG__NULL; } @@ -1565,7 +1561,7 @@ * been configured. * ********************************************************************/ -static INLINE DCE2_ScOptFlag DCE2_ScParseOption(char *opt_start, char *opt_end, int *opt_mask) +static inline DCE2_ScOptFlag DCE2_ScParseOption(char *opt_start, char *opt_end, int *opt_mask) { DCE2_ScOptFlag opt_flag = DCE2_SC_OPT_FLAG__NULL; size_t opt_len = opt_end - opt_start; @@ -2044,7 +2040,7 @@ /******************************************************************** * Function: DCE2_ScResetPortArrays() * - * Clears all of the port bits in the specified port array masks + * Clears all of the port bits in the specified port array masks * for the passed in server configuration. * * Arguments: @@ -2057,7 +2053,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ScResetPortsArrays(DCE2_ServerConfig *sc, int autodetect) +static inline void DCE2_ScResetPortsArrays(DCE2_ServerConfig *sc, int autodetect) { if (!autodetect) { @@ -2101,7 +2097,7 @@ * already been configured. * ********************************************************************/ -static INLINE DCE2_DetectFlag DCE2_ScParseDetectType(char *start, char *end, int *dmask) +static inline DCE2_DetectFlag DCE2_ScParseDetectType(char *start, char *end, int *dmask) { DCE2_DetectFlag dflag = DCE2_DETECT_FLAG__NULL; size_t dtype_len = end - start; @@ -2652,7 +2648,7 @@ * Function: DCE2_ScParseValidSmbVersion() * * Parses smb version and returns flag indication the smb version. - * Checks and sets a bit in a mask to prevent multiple + * Checks and sets a bit in a mask to prevent multiple * configurations of the same event type. * * Arguments: 
@@ -2673,10 +2669,10 @@ * configuration of smb version. * ********************************************************************/ -static INLINE DCE2_ValidSmbVersionFlag DCE2_ScParseValidSmbVersion( +static inline DCE2_ValidSmbVersionFlag DCE2_ScParseValidSmbVersion( char *start, char *end, int *vmask) { - DCE2_EventFlag vflag = DCE2_EVENT_FLAG__NULL; + DCE2_ValidSmbVersionFlag vflag = DCE2_VALID_SMB_VERSION_FLAG__NULL; size_t version_len = end - start; if (version_len == strlen(DCE2_SARG__VALID_SMB_VERSIONS_V1) && @@ -2726,7 +2722,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_ScSetValidSmbVersion(DCE2_ServerConfig *sc, +static inline void DCE2_ScSetValidSmbVersion(DCE2_ServerConfig *sc, DCE2_ValidSmbVersionFlag vflag) { sc->valid_smb_versions_mask |= vflag; @@ -2747,7 +2743,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_ScClearValidSmbVersion(DCE2_ServerConfig *sc, +static inline void DCE2_ScClearValidSmbVersion(DCE2_ServerConfig *sc, DCE2_ValidSmbVersionFlag vflag) { sc->valid_smb_versions_mask &= ~vflag; @@ -2766,7 +2762,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_ScClearAllValidSmbVersionFlags(DCE2_ServerConfig *sc) +static inline void DCE2_ScClearAllValidSmbVersionFlags(DCE2_ServerConfig *sc) { sc->valid_smb_versions_mask = DCE2_VALID_SMB_VERSION_FLAG__NULL; } @@ -2885,7 +2881,7 @@ return DCE2_RET__ERROR; } - /* This is a count of the number of pointers or references to this + /* This is a count of the number of pointers or references to this * server configuration in the routing tables. */ sc->ref_count++; } 
@@ -3022,7 +3018,7 @@ /********************************************************************* * Function: DCE2_ScSmbShareFree() * - * Callback to the list used to hold the invalid smb shares for + * Callback to the list used to hold the invalid smb shares for * freeing the shares. * * Arguments: @@ -3067,6 +3063,10 @@ _dpd.logMsg("DCE/RPC 2 Preprocessor Configuration\n"); _dpd.logMsg(" Global Configuration\n"); + if(gc->disabled) + { + _dpd.logMsg(" DCE/RPC 2 Preprocessor: INACTIVE\n"); + } _dpd.logMsg(" DCE/RPC Defragmentation: %s\n", gc->dce_defrag == DCE2_CS__ENABLED ? "Enabled" : "Disabled"); if ((gc->dce_defrag == DCE2_CS__ENABLED) && (gc->max_frag_len != DCE2_SENTINEL)) @@ -3258,7 +3258,7 @@ /* Ascii string will be NULL terminated. Also alloc enough for space. * Note that if share is longer than the size of the buffer it will be - * put into, it will be truncated */ + * put into, it will be truncated */ tmp_share_len = strlen(share->ascii_str) + 2; tmp_share = (char *)DCE2_Alloc(tmp_share_len, DCE2_MEM_TYPE__CONFIG); if (tmp_share == NULL) @@ -3335,7 +3335,10 @@ pps[3].port_array = sc->http_server_ports; pps[4].port_array = sc->http_proxy_ports; - _dpd.logMsg(" Detect ports\n"); + if (_dpd.isPafEnabled()) + _dpd.logMsg(" Detect ports (PAF)\n"); + else + _dpd.logMsg(" Detect ports\n"); } else { @@ -3345,7 +3348,10 @@ pps[3].port_array = sc->auto_http_server_ports; pps[4].port_array = sc->auto_http_proxy_ports; - _dpd.logMsg(" Autodetect ports\n"); + if (_dpd.isPafEnabled()) + _dpd.logMsg(" Autodetect ports (PAF)\n"); + else + _dpd.logMsg(" Autodetect ports\n"); } for (pps_idx = 0; pps_idx < sizeof(pps) / sizeof(DCE2_PrintPortsStruct); pps_idx++) @@ -3672,7 +3678,7 @@ "%s(%d) Failed to allocate memory for IP structure.", __FILE__, __LINE__); return DCE2_RET__ERROR; - } + } memcpy((void *)ip_copy, (void *)&ip, sizeof(sfip_t)); 
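Review bot: The added `if(gc->disabled)` in hunk @@ -3067,6 +3063,10 @@ drops the space after `if`, unlike every other conditional in this file (`if ((gc->dce_defrag == DCE2_CS__ENABLED) && ...`); write it as `if (gc->disabled)`. The enclosing print function starts before this hunk, so I cannot see whether the "INACTIVE" line is meant to be followed by the rest of the settings dump; if the remaining settings are still parsed and printed while the preprocessor is disabled, a short comment above the new branch saying so would stop a reader from assuming the function returns early here.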
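Review bot: The two `if (_dpd.isPafEnabled()) ... else ...` additions in hunks @@ -3335,7 +3335,10 @@ and @@ -3345,7 +3348,10 @@ leave both branches unbraced and repeat the same conditional for two strings that differ only in a suffix. Each can collapse to one call, keeping the original leading spaces of the format string: `_dpd.logMsg("    Detect ports%s\n", _dpd.isPafEnabled() ? " (PAF)" : "");` and the same shape for the Autodetect ports line. The enclosing function begins before these hunks.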
@@ -3716,7 +3722,7 @@ "%s(%d) Failed to allocate memory for IP structure.", __FILE__, __LINE__); return DCE2_RET__ERROR; - } + } memcpy((void *)ip_copy, (void *)&ip, sizeof(sfip_t)); @@ -3891,7 +3897,7 @@ /******************************************************************** * Function: DCE2_ParsePortList() * - * Parses a port list and adds bits associated with the ports + * Parses a port list and adds bits associated with the ports * parsed to a bit array. * * Arguments: @@ -4087,7 +4093,7 @@ * Function: DCE2_ParseValue() * * Parses what should be an integer value and stores in memory - * passed in as an argument. This function will parse positive + * passed in as an argument. This function will parse positive * and negative values and decimal, octal or hexidecimal. The * positive and negative modifiers can only be used with * decimal values. @@ -4389,7 +4395,7 @@ /******************************************************************** * Function: DCE2_GcError() * - * Formats errors related to global configuration and puts in + * Formats errors related to global configuration and puts in * global error buffer. * * Arguments: @@ -4507,7 +4513,7 @@ ********************************************************************/ static int DCE2_FreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -4542,10 +4548,10 @@ * Arguments: * void * * Pointer to server configuration. - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_ServerConfigCleanup(void *data) { DCE2_ServerConfig *sc = (DCE2_ServerConfig *)data; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_config.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_config.h 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_config.h 2011-06-07 17:33:11.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * **************************************************************************** * Provides convenience functions for parsing and querying configuration. - * + * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/ 
@@ -270,40 +270,40 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE uint32_t DCE2_GcMemcap(void); -static INLINE int DCE2_GcMaxFrag(void); -static INLINE uint16_t DCE2_GcMaxFragLen(void); -static INLINE int DCE2_GcAlertOnEvent(DCE2_EventFlag); -static INLINE int DCE2_GcReassembleEarly(void); -static INLINE uint16_t DCE2_GcReassembleThreshold(void); -static INLINE DCE2_CS DCE2_GcDceDefrag(void); -static INLINE DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *); -static INLINE int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); -static INLINE int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); -static INLINE DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *); -static INLINE uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *); -static INLINE DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *); -static INLINE uint8_t DCE2_ScSmb2MaxCompound(const DCE2_ServerConfig *); -static INLINE uint8_t DCE2_ScIsValidSmbVersion(const DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); - -static INLINE int DCE2_IsPortSet(const uint8_t *, const uint16_t); -static INLINE void DCE2_SetPort(uint8_t *, const uint16_t); -static INLINE void DCE2_SetPortRange(uint8_t *, uint16_t, uint16_t); -static INLINE void DCE2_ClearPorts(uint8_t *); - -static INLINE int DCE2_IsWordChar(const char, const DCE2_WordCharPosition); -static INLINE int DCE2_IsGraphChar(const char); -static INLINE int DCE2_IsQuoteChar(const char); -static INLINE int DCE2_IsListSepChar(const char); -static INLINE int DCE2_IsOptEndChar(const char); -static INLINE int DCE2_IsSpaceChar(const char); -static INLINE int DCE2_IsConfigEndChar(const char); -static INLINE int DCE2_IsPortChar(const char); -static INLINE int DCE2_IsPortRangeChar(const char); -static INLINE int 
DCE2_IsListStartChar(const char); -static INLINE int DCE2_IsListEndChar(const char); -static INLINE int DCE2_IsIpChar(const char); -static INLINE DCE2_Ret DCE2_CheckAndSetMask(int, int *); +static inline uint32_t DCE2_GcMemcap(void); +static inline int DCE2_GcMaxFrag(void); +static inline uint16_t DCE2_GcMaxFragLen(void); +static inline int DCE2_GcAlertOnEvent(DCE2_EventFlag); +static inline int DCE2_GcReassembleEarly(void); +static inline uint16_t DCE2_GcReassembleThreshold(void); +static inline DCE2_CS DCE2_GcDceDefrag(void); +static inline DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *); +static inline int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); +static inline int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *, const uint16_t, const DCE2_TransType); +static inline DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *); +static inline uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *); +static inline DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *); +static inline uint8_t DCE2_ScSmb2MaxCompound(const DCE2_ServerConfig *); +static inline uint8_t DCE2_ScIsValidSmbVersion(const DCE2_ServerConfig *, DCE2_ValidSmbVersionFlag); + +static inline int DCE2_IsPortSet(const uint8_t *, const uint16_t); +static inline void DCE2_SetPort(uint8_t *, const uint16_t); +static inline void DCE2_SetPortRange(uint8_t *, uint16_t, uint16_t); +static inline void DCE2_ClearPorts(uint8_t *); + +static inline int DCE2_IsWordChar(const char, const DCE2_WordCharPosition); +static inline int DCE2_IsGraphChar(const char); +static inline int DCE2_IsQuoteChar(const char); +static inline int DCE2_IsListSepChar(const char); +static inline int DCE2_IsOptEndChar(const char); +static inline int DCE2_IsSpaceChar(const char); +static inline int DCE2_IsConfigEndChar(const char); +static inline int DCE2_IsPortChar(const char); +static inline int DCE2_IsPortRangeChar(const char); +static inline int 
DCE2_IsListStartChar(const char); +static inline int DCE2_IsListEndChar(const char); +static inline int DCE2_IsIpChar(const char); +static inline DCE2_Ret DCE2_CheckAndSetMask(int, int *); /******************************************************************** * Public function prototypes @@ -338,7 +338,7 @@ * The memcap configured for the preprocessor. * ********************************************************************/ -static INLINE uint32_t DCE2_GcMemcap(void) +static inline uint32_t DCE2_GcMemcap(void) { return dce2_eval_config->gconfig->memcap; } @@ -357,7 +357,7 @@ * 0 if it was not configured. * ********************************************************************/ -static INLINE int DCE2_GcMaxFrag(void) +static inline int DCE2_GcMaxFrag(void) { if (dce2_eval_config->gconfig->max_frag_len != DCE2_SENTINEL) return 1; return 0; @@ -379,7 +379,7 @@ * UINT16_MAX if not configured. * ********************************************************************/ -static INLINE uint16_t DCE2_GcMaxFragLen(void) +static inline uint16_t DCE2_GcMaxFragLen(void) { if (DCE2_GcMaxFrag()) return (uint16_t)dce2_eval_config->gconfig->max_frag_len; @@ -403,7 +403,7 @@ * Zero if we are not configured to alert on this event type. * ********************************************************************/ -static INLINE int DCE2_GcAlertOnEvent(DCE2_EventFlag eflag) +static inline int DCE2_GcAlertOnEvent(DCE2_EventFlag eflag) { return dce2_eval_config->gconfig->event_mask & eflag; } @@ -424,7 +424,7 @@ * defragmentation. * ********************************************************************/ -static INLINE DCE2_CS DCE2_GcDceDefrag(void) +static inline DCE2_CS DCE2_GcDceDefrag(void) { return dce2_eval_config->gconfig->dce_defrag; } 
@@ -443,7 +443,7 @@ * 0 if it was not configured. * ********************************************************************/ -static INLINE int DCE2_GcReassembleEarly(void) +static inline int DCE2_GcReassembleEarly(void) { if (dce2_eval_config->gconfig->reassemble_threshold > 0) return 1; @@ -466,7 +466,7 @@ * UINT16_MAX if not configured. * ********************************************************************/ -static INLINE uint16_t DCE2_GcReassembleThreshold(void) +static inline uint16_t DCE2_GcReassembleThreshold(void) { if (DCE2_GcReassembleEarly()) return dce2_eval_config->gconfig->reassemble_threshold; @@ -489,7 +489,7 @@ * DCE2_POLICY__NONE if a NULL pointer is passed in. * ********************************************************************/ -static INLINE DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *sc) +static inline DCE2_Policy DCE2_ScPolicy(const DCE2_ServerConfig *sc) { if (sc == NULL) return DCE2_POLICY__NONE; return sc->policy; @@ -518,7 +518,7 @@ * is NULL. * *********************************************************************/ -static INLINE int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, +static inline int DCE2_ScIsDetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, const DCE2_TransType ttype) { const uint8_t *port_array; @@ -573,7 +573,7 @@ * is NULL. * *********************************************************************/ -static INLINE int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, +static inline int DCE2_ScIsAutodetectPortSet(const DCE2_ServerConfig *sc, const uint16_t port, const DCE2_TransType ttype) { const uint8_t *port_array; 
@@ -625,7 +625,7 @@ * rpc over http proxy ports. * ********************************************************************/ -static INLINE DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *sc) +static inline DCE2_CS DCE2_ScAutodetectHttpProxyPorts(const DCE2_ServerConfig *sc) { if (sc == NULL) return DCE2_CS__ENABLED; return sc->autodetect_http_proxy_ports; @@ -647,7 +647,7 @@ * 0 is returned if the server configuration passed in is NULL. * ********************************************************************/ -static INLINE uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *sc) +static inline uint8_t DCE2_ScSmbMaxChain(const DCE2_ServerConfig *sc) { if (sc == NULL) return 0; return sc->smb_max_chain; @@ -671,7 +671,7 @@ * configuration passed in is NULL. * ********************************************************************/ -static INLINE DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *sc) +static inline DCE2_List * DCE2_ScSmbInvalidShares(const DCE2_ServerConfig *sc) { if (sc == NULL) return NULL; return sc->smb_invalid_shares; @@ -693,7 +693,7 @@ * 0 is returned if the server configuration passed in is NULL. * ********************************************************************/ -static INLINE uint8_t DCE2_ScSmb2MaxCompound(const DCE2_ServerConfig *sc) +static inline uint8_t DCE2_ScSmb2MaxCompound(const DCE2_ServerConfig *sc) { if (sc == NULL) return 0; return sc->smb2_max_compound; @@ -716,7 +716,7 @@ * 0 if the flag is not set * ********************************************************************/ -static INLINE uint8_t DCE2_ScIsValidSmbVersion( +static inline uint8_t DCE2_ScIsValidSmbVersion( const DCE2_ServerConfig *sc, DCE2_ValidSmbVersionFlag vflag) { if (sc == NULL) return 0; 
@@ -741,7 +741,7 @@ * Zero if the port is not set. * *********************************************************************/ -static INLINE int DCE2_IsPortSet(const uint8_t *port_array, const uint16_t port) +static inline int DCE2_IsPortSet(const uint8_t *port_array, const uint16_t port) { return port_array[(port / 8)] & (1 << (port % 8)); } @@ -760,7 +760,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_SetPort(uint8_t *port_array, const uint16_t port) +static inline void DCE2_SetPort(uint8_t *port_array, const uint16_t port) { port_array[(port / 8)] |= (1 << (port % 8)); } @@ -782,7 +782,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_SetPortRange(uint8_t *port_array, uint16_t lo_port, uint16_t hi_port) +static inline void DCE2_SetPortRange(uint8_t *port_array, uint16_t lo_port, uint16_t hi_port) { unsigned int i; @@ -809,7 +809,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_ClearPorts(uint8_t *port_array) +static inline void DCE2_ClearPorts(uint8_t *port_array) { memset(port_array, 0, DCE2_PORTS__MAX_INDEX); } @@ -834,7 +834,7 @@ * 0 if not a valid word character. * ********************************************************************/ -static INLINE int DCE2_IsWordChar(const char c, const DCE2_WordCharPosition pos) +static inline int DCE2_IsWordChar(const char c, const DCE2_WordCharPosition pos) { if (pos == DCE2_WORD_CHAR_POSITION__START) { @@ -877,7 +877,7 @@ * 0 if not a valid list separator character. * ********************************************************************/ -static INLINE int DCE2_IsListSepChar(const char c) +static inline int DCE2_IsListSepChar(const char c) { if (c == DCE2_CFG_TOK__LIST_SEP) return 1; return 0; 
@@ -899,7 +899,7 @@ * 0 if not a valid option end character. * ********************************************************************/ -static INLINE int DCE2_IsOptEndChar(const char c) +static inline int DCE2_IsOptEndChar(const char c) { if (c == DCE2_CFG_TOK__OPT_SEP) return 1; return 0; @@ -921,7 +921,7 @@ * 0 if not a valid space character. * ********************************************************************/ -static INLINE int DCE2_IsSpaceChar(const char c) +static inline int DCE2_IsSpaceChar(const char c) { if (isspace((int)c)) return 1; return 0; @@ -944,7 +944,7 @@ * 0 if not a valid end of configuration character. * ********************************************************************/ -static INLINE int DCE2_IsConfigEndChar(const char c) +static inline int DCE2_IsConfigEndChar(const char c) { if (c == DCE2_CFG_TOK__END) return 1; return 0; @@ -966,7 +966,7 @@ * 0 if not a valid port character. * ********************************************************************/ -static INLINE int DCE2_IsPortChar(const char c) +static inline int DCE2_IsPortChar(const char c) { if (isdigit((int)c)) return 1; return 0; @@ -988,7 +988,7 @@ * 0 if not a valid port range character. * ********************************************************************/ -static INLINE int DCE2_IsPortRangeChar(const char c) +static inline int DCE2_IsPortRangeChar(const char c) { if (c == DCE2_CFG_TOK__PORT_RANGE) return 1; return 0; @@ -1011,7 +1011,7 @@ * 0 if not a valid DCE/RPC opnum character. * ********************************************************************/ -static INLINE int DCE2_IsOpnumChar(const char c) +static inline int DCE2_IsOpnumChar(const char c) { if (isdigit((int)c)) return 1; return 0; 
@@ -1033,7 +1033,7 @@ * 0 if not a valid DCE/RPC opnum range character. * ********************************************************************/ -static INLINE int DCE2_IsOpnumRangeChar(const char c) +static inline int DCE2_IsOpnumRangeChar(const char c) { if (c == DCE2_CFG_TOK__OPNUM_RANGE) return 1; return 0; @@ -1055,7 +1055,7 @@ * 0 if not a valid start of list character. * ********************************************************************/ -static INLINE int DCE2_IsListStartChar(const char c) +static inline int DCE2_IsListStartChar(const char c) { if (c == DCE2_CFG_TOK__LIST_START) return 1; return 0; @@ -1077,7 +1077,7 @@ * 0 if not a valid end of list character. * ********************************************************************/ -static INLINE int DCE2_IsListEndChar(const char c) +static inline int DCE2_IsListEndChar(const char c) { if (c == DCE2_CFG_TOK__LIST_END) return 1; return 0; @@ -1099,7 +1099,7 @@ * 0 if not a valid quote character. * ********************************************************************/ -static INLINE int DCE2_IsQuoteChar(const char c) +static inline int DCE2_IsQuoteChar(const char c) { if (c == DCE2_CFG_TOK__QUOTE) return 1; return 0; @@ -1121,7 +1121,7 @@ * 0 if not a valid IP character. * ********************************************************************/ -static INLINE int DCE2_IsIpChar(const char c) +static inline int DCE2_IsIpChar(const char c) { if (isxdigit((int)c) || (c == DCE2_CFG_TOK__IP6_TET_SEP) || @@ -1151,7 +1151,7 @@ * 0 if not a valid graphical character. * ********************************************************************/ -static INLINE int DCE2_IsGraphChar(const char c) +static inline int DCE2_IsGraphChar(const char c) { if (!DCE2_IsListStartChar(c) && !DCE2_IsListEndChar(c) && !DCE2_IsQuoteChar(c) && !DCE2_IsListSepChar(c) && 
@@ -1165,7 +1165,7 @@ * Function: DCE2_CheckAndSetMask() * * Checks to see if a flag passed in is already set in the mask - * passed in. If it is, error is returned. If it is not, the + * passed in. If it is, error is returned. If it is not, the * flag is set in the mask. * * Arguments: @@ -1180,7 +1180,7 @@ * DCE2_RET__SUCCESS if the flag is not already set in the mask. * *********************************************************************/ -static INLINE DCE2_Ret DCE2_CheckAndSetMask(int flag, int *mask) +static inline DCE2_Ret DCE2_CheckAndSetMask(int flag, int *mask) { if (*mask & flag) return DCE2_RET__ERROR; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_debug.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_debug.c 2010-01-26 10:09:56.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,22 +16,28 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides functions for debugging the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif /* HAVE_CONFIG_H */ -#include "dce2_debug.h" -#include "dce2_utils.h" -#include "sf_types.h" #include <stdio.h> #include <stdarg.h> #include <stdlib.h> #include <errno.h> -extern DynamicPreprocessorData _dpd; +#include "sf_types.h" +#include "dce2_debug.h" +#include "dce2_utils.h" /******************************************************************** * Function: DCE2_GetDebugLevel() diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_debug.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_debug.h 2010-01-26 10:09:56.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_debug.h 2011-07-13 15:44:51.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
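Review bot: The new `#ifdef HAVE_STDINT_H` block closes with `#endif /* HAVE_CONFIG_H */`, which names the wrong macro and will mislead the next person editing the include group; it should read `#endif /* HAVE_STDINT_H */`. The same hunk removes the `extern DynamicPreprocessorData _dpd;` declaration while this file's logging presumably still uses `_dpd`, so it now depends on one of the reordered project headers ("sf_types.h", "dce2_debug.h", "dce2_utils.h") to declare it; a one-line comment on that include group naming where `_dpd` comes from would keep the dependency visible.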
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides macros and functions for debugging the preprocessor. * If Snort is not configured to do debugging, macros are empty. * @@ -27,8 +27,6 @@ #ifndef _DCE2_DEBUG_H_ #define _DCE2_DEBUG_H_ -#include "debug.h" -#include "sf_types.h" #include <stdio.h> /******************************************************************** @@ -54,6 +52,7 @@ #define DCE2_DEBUG__MEMORY 0x00000040 #define DCE2_DEBUG__HTTP 0x00000080 #define DCE2_DEBUG__CL 0x00000100 +#define DCE2_DEBUG__PAF 0x00000200 #define DCE2_DEBUG__ALL 0xffffffff #define DCE2_DEBUG__START_MSG "DCE/RPC Start ********************************************" @@ -62,10 +61,14 @@ #ifdef DEBUG #include <assert.h> #define DCE2_ASSERT(code) assert(code) +#else +#define DCE2_ASSERT(code) +#endif + +#ifdef DEBUG_MSGS #define DCE2_DEBUG_VAR(code) code #define DCE2_DEBUG_CODE(level, code) { if (DCE2_DebugThis(level)) { code } } #else -#define DCE2_ASSERT(code) #define DCE2_DEBUG_VAR(code) #define DCE2_DEBUG_CODE(level, code) #endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_event.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_event.c 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.c 2011-06-07 17:33:11.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
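Review bot: The split of the debug macros into a `DEBUG` block (assertions) and a new `DEBUG_MSGS` block (`DCE2_DEBUG_VAR`, `DCE2_DEBUG_CODE`) in hunk @@ -62,10 +61,14 @@ is not documented, and the header comment still says only that the macros are empty when Snort is not configured for debugging. A comment above the first `#ifdef DEBUG`, such as `/* DEBUG enables DCE2_ASSERT; DEBUG_MSGS independently enables the debug-output macros below */`, would make the two switches clear. Since `DCE2_ASSERT(code)` expands to nothing without `DEBUG`, the argument must stay side-effect free at every call site; that is pre-existing, but the reorganized block is the natural place to state it.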
@@ -16,13 +16,18 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Handles processing of events generated by the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_event.h" #include "dce2_memory.h" #include "dce2_config.h" @@ -50,7 +55,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; /****************************************************************** @@ -59,10 +63,10 @@ * Initializes global data. * * Arguments: None - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ void DCE2_EventsInit(void) { DCE2_Event event; @@ -450,10 +454,10 @@ * The event type that was triggered. * ... * The arguments to the format for the event. - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ void DCE2_Alert(DCE2_SsnData *sd, DCE2_Event e, ...) { va_list ap; 
@@ -492,10 +496,10 @@ * Frees any global data that was dynamically allocated. * * Arguments: None - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ void DCE2_EventsFree(void) { unsigned int i; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_event.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_event.h 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_event.h 2011-06-07 17:33:11.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Handles processing of events generated by the preprocessor. * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> @@ -28,7 +28,7 @@ #include "dce2_session.h" #include "dce2_config.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_types.h" /******************************************************************** 
@@ -118,7 +118,7 @@ /******************************************************************** * Inline Function Prototypes ********************************************************************/ -static INLINE int DCE2_SsnAlerted(DCE2_SsnData *, DCE2_Event); +static inline int DCE2_SsnAlerted(DCE2_SsnData *, DCE2_Event); /****************************************************************** * Function: DCE2_SsnAlerted() @@ -131,7 +131,7 @@ * The session data structure. * DCE2_Event * The event to check for. - * + * * Returns: * int * 1 if we have already alerted for this event type on this @@ -139,8 +139,8 @@ * 0 if we have not alerted for this event type on this * session. * - ******************************************************************/ -static INLINE int DCE2_SsnAlerted(DCE2_SsnData *sd, DCE2_Event e) + ******************************************************************/ +static inline int DCE2_SsnAlerted(DCE2_SsnData *sd, DCE2_Event e) { if (sd->alert_mask & (1 << e)) return 1; return 0; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_http.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_http.c 2010-01-26 10:09:56.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.c 2011-06-07 17:33:11.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,11 +18,16 @@ * **************************************************************************** * Provides session handling of an RPC over HTTP transport. - * + * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_http.h" #include "snort_dce2.h" #include "dce2_co.h" @@ -34,7 +39,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; /******************************************************************** @@ -74,7 +78,7 @@ /******************************************************************** * Function: DCE2_HttpProxySsnInit() * - * Wrapper around main session data initialization. Adds + * Wrapper around main session data initialization. Adds * statistical info for a proxy specific rpc over http session. * * Arguments: None @@ -100,7 +104,7 @@ /******************************************************************** * Function: DCE2_HttpServerSsnInit() * - * Wrapper around main session data initialization. Adds + * Wrapper around main session data initialization. Adds * statistical info for a server specific rpc over http session. * * Arguments: None diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_http.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_http.h 2010-01-26 10:09:57.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_http.h 2011-06-07 17:33:11.000000000 -0700 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,9 +18,9 @@ * **************************************************************************** * Provides session handling of an RPC over HTTP transport. - * + * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> - * + * ****************************************************************************/ #ifndef _DCE2_HTTP_H_ @@ -65,9 +65,9 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *); -static INLINE DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *); -static INLINE int DCE2_HttpDecode(const SFSnortPacket *); +static inline DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *); +static inline DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *); +static inline int DCE2_HttpDecode(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -95,7 +95,7 @@ * DCE2_TRANS_TYPE__NONE if a proxy is not autodetected. * ********************************************************************/ -static INLINE DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_HttpAutodetectProxy(const SFSnortPacket *p) { const char *buf = NULL; int buf_len = 0; 
@@ -141,7 +141,7 @@ * DCE2_TRANS_TYPE__NONE if a server is not autodetected. * ********************************************************************/ -static INLINE DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_HttpAutodetectServer(const SFSnortPacket *p) { if (DCE2_SsnFromClient(p)) return DCE2_TRANS_TYPE__NONE; @@ -172,7 +172,7 @@ * Zero if the packet was not http_inspect decoded * ********************************************************************/ -static INLINE int DCE2_HttpDecode(const SFSnortPacket *p) +static inline int DCE2_HttpDecode(const SFSnortPacket *p) { return p->flags & FLAG_HTTP_DECODE; } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_list.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_list.c 2010-01-26 10:09:57.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.c 2011-06-07 17:33:12.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,14 +16,19 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides list, queue and stack data structures and methods for use * with the preprocessor. - * + * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_list.h" #include "dce2_memory.h" #include "dce2_debug.h" @@ -108,7 +113,7 @@ * * Returns: * void * - * If the key is found, the data associated with the node + * If the key is found, the data associated with the node * is returned. * NULL is returned if the item cannot be found given the key. * @@ -249,7 +254,7 @@ * in the list and no duplicates are allowed. * DCE2_RET__SUCCESS if a new node with key and data is * successfully inserted into the list. - * DCE2_RET__ERROR if memory cannot be allocated for the + * DCE2_RET__ERROR if memory cannot be allocated for the * new node or a NULL list object was passed in. * ********************************************************************/ @@ -329,7 +334,7 @@ /******************************************************************** * Function: DCE2_ListRemove() * - * Removes the node in the list with the specified key. If + * Removes the node in the list with the specified key. If * data free and key free functions were given with the creation * of the list object, they are called with the data and key * respectively. @@ -369,7 +374,7 @@ return DCE2_RET__ERROR; } } - + if (n == NULL) return DCE2_RET__ERROR; @@ -381,7 +386,7 @@ n->prev->next = n->next; if (n->next != NULL) n->next->prev = n->prev; - + if (list->key_free != NULL) list->key_free(n->key); 
@@ -432,7 +437,7 @@ * * Increments the current pointer in the list to the next node in * the list and returns the data associated with it. This in - * combination with DCE2_ListFirst is useful in a for loop to + * combination with DCE2_ListFirst is useful in a for loop to * iterate over the items in a list. * * Arguments: @@ -503,7 +508,7 @@ * * Puts the current pointer in the list to the previous node in * the list and returns the data associated with it. This in - * combination with DCE2_ListLast is useful in a for loop to + * combination with DCE2_ListLast is useful in a for loop to * iterate over the items in a list in backwards order. * * Arguments: @@ -574,7 +579,7 @@ list->current->prev->next = list->current->next; if (list->current->next != NULL) list->current->next->prev = list->current->prev; - + if (list->key_free != NULL) list->key_free(list->current->key); @@ -942,7 +947,7 @@ * * Increments the current pointer in the queue to the next node in * the queue and returns the data associated with it. This in - * combination with DCE2_QueueFirst is useful in a for loop to + * combination with DCE2_QueueFirst is useful in a for loop to * iterate over the items in a queue. * * Arguments: @@ -1007,7 +1012,7 @@ * * Puts the current pointer in the queue to the previous node in * the queue and returns the data associated with it. This in - * combination with DCE2_QueueLast is useful in a for loop to + * combination with DCE2_QueueLast is useful in a for loop to * iterate over the items in a queue in backwards order. * * Arguments: @@ -1261,7 +1266,7 @@ * * Increments the current pointer in the stack to the next node in * the stack and returns the data associated with it. This in - * combination with DCE2_StackFirst is useful in a for loop to + * combination with DCE2_StackFirst is useful in a for loop to * iterate over the items in a stack. * * Arguments: 
@@ -1326,7 +1331,7 @@ * * Puts the current pointer in the stack to the previous node in * the stack and returns the data associated with it. This in - * combination with DCE2_StackLast is useful in a for loop to + * combination with DCE2_StackLast is useful in a for loop to * iterate over the items in a stack in backwards order. * * Arguments: @@ -1418,7 +1423,7 @@ * Function: DCE2_CQueueNew() * * Creates and initializes a new circular queue object. The - * circular queue uses a fixed size array and uses indexes to + * circular queue uses a fixed size array and uses indexes to * indicate the start and end of the queue. This type of * queue can become full since it is a fixed size. Used for * performance reasons since new nodes do not need to be @@ -1446,7 +1451,7 @@ DCE2_CQueue * DCE2_CQueueNew(int size, DCE2_CQueueDataFree df, DCE2_MemType mtype) { DCE2_CQueue *cqueue; - + if (size <= 0) return NULL; @@ -1595,7 +1600,7 @@ * * Increments the current index in the queue to the next node in * the queue and returns the data associated with it. This in - * combination with DCE2_CQueueFirst is useful in a for loop to + * combination with DCE2_CQueueFirst is useful in a for loop to * iterate over the items in a queue. * * Arguments: @@ -1691,7 +1696,7 @@ * Function: DCE2_CStackNew() * * Creates and initializes a new static sized stack object. The - * static stack uses a fixed size array and uses indexes to + * static stack uses a fixed size array and uses indexes to * indicate the start and end of the stack. This type of * stack can become full since it is a fixed size. Used for * performance reasons since new nodes do not need to be 
@@ -1888,7 +1893,7 @@ * * Increments the current index in the stack to the next node in * the stack and returns the data associated with it. This in - * combination with DCE2_CStackFirst is useful in a for loop to + * combination with DCE2_CStackFirst is useful in a for loop to * iterate over the items in a stack. * * Arguments: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_list.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_list.h 2010-01-26 10:09:57.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_list.h 2011-06-07 17:33:12.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -16,10 +16,10 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * Provides list, queue and stack data structures and methods for use * with the preprocessor. - * + * * 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com> * ****************************************************************************/ @@ -30,7 +30,7 @@ #include "dce2_memory.h" #include "dce2_utils.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Enumerations 
@@ -173,7 +173,7 @@ void * DCE2_ListLast(DCE2_List *); void * DCE2_ListPrev(DCE2_List *); void DCE2_ListRemoveCurrent(DCE2_List *); -static INLINE int DCE2_ListIsEmpty(DCE2_List *); +static inline int DCE2_ListIsEmpty(DCE2_List *); void DCE2_ListEmpty(DCE2_List *); void DCE2_ListDestroy(DCE2_List *); @@ -184,7 +184,7 @@ void * DCE2_QueueNext(DCE2_Queue *); void * DCE2_QueueLast(DCE2_Queue *); void * DCE2_QueuePrev(DCE2_Queue *); -static INLINE int DCE2_QueueIsEmpty(DCE2_Queue *); +static inline int DCE2_QueueIsEmpty(DCE2_Queue *); void DCE2_QueueEmpty(DCE2_Queue *); void DCE2_QueueDestroy(DCE2_Queue *); @@ -195,7 +195,7 @@ void * DCE2_StackNext(DCE2_Stack *); void * DCE2_StackLast(DCE2_Stack *); void * DCE2_StackPrev(DCE2_Stack *); -static INLINE int DCE2_StackIsEmpty(DCE2_Stack *); +static inline int DCE2_StackIsEmpty(DCE2_Stack *); void DCE2_StackEmpty(DCE2_Stack *); void DCE2_StackDestroy(DCE2_Stack *); @@ -204,7 +204,7 @@ void * DCE2_CQueueDequeue(DCE2_CQueue *); void * DCE2_CQueueFirst(DCE2_CQueue *); void * DCE2_CQueueNext(DCE2_CQueue *); -static INLINE int DCE2_CQueueIsEmpty(DCE2_CQueue *); +static inline int DCE2_CQueueIsEmpty(DCE2_CQueue *); void DCE2_CQueueEmpty(DCE2_CQueue *); void DCE2_CQueueDestroy(DCE2_CQueue *); @@ -214,7 +214,7 @@ void * DCE2_CStackTop(DCE2_CStack *); void * DCE2_CStackFirst(DCE2_CStack *); void * DCE2_CStackNext(DCE2_CStack *); -static INLINE int DCE2_CStackIsEmpty(DCE2_CStack *); +static inline int DCE2_CStackIsEmpty(DCE2_CStack *); void DCE2_CStackEmpty(DCE2_CStack *); void DCE2_CStackDestroy(DCE2_CStack *); @@ -235,7 +235,7 @@ * 0 if the list has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_ListIsEmpty(DCE2_List *list) +static inline int DCE2_ListIsEmpty(DCE2_List *list) { if (list == NULL) return 1; if (list->num_nodes == 0) return 1; 
@@ -259,7 +259,7 @@ * 0 if the queue has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_QueueIsEmpty(DCE2_Queue *queue) +static inline int DCE2_QueueIsEmpty(DCE2_Queue *queue) { if (queue == NULL) return 1; if (queue->num_nodes == 0) return 1; @@ -283,7 +283,7 @@ * 0 if the stack has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_StackIsEmpty(DCE2_Stack *stack) +static inline int DCE2_StackIsEmpty(DCE2_Stack *stack) { if (stack == NULL) return 1; if (stack->num_nodes == 0) return 1; @@ -307,7 +307,7 @@ * 0 if the queue has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_CQueueIsEmpty(DCE2_CQueue *cqueue) +static inline int DCE2_CQueueIsEmpty(DCE2_CQueue *cqueue) { if (cqueue == NULL) return 1; if (cqueue->num_nodes == 0) return 1; @@ -331,7 +331,7 @@ * 0 if the stack has one or more nodes in it. * ********************************************************************/ -static INLINE int DCE2_CStackIsEmpty(DCE2_CStack *cstack) +static inline int DCE2_CStackIsEmpty(DCE2_CStack *cstack) { if (cstack == NULL) return 1; if (cstack->num_nodes == 0) return 1; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_memory.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_memory.c 2010-01-26 10:09:57.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,10 +16,15 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_memory.h" #include "dce2_utils.h" #include "dce2_config.h" @@ -483,9 +488,6 @@ DCE2_UnRegMem(size, mtype); free(mem); - - if (dce2_mem_state == DCE2_MEM_STATE__MEMCAP) - dce2_mem_state = DCE2_MEM_STATE__OKAY; } /******************************************************************** diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_memory.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_memory.h 2010-01-26 10:09:57.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_memory.h 2011-06-07 17:33:12.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -23,8 +23,6 @@ #ifndef _DCE2_MEMORY_H_ #define _DCE2_MEMORY_H_ -#include "sf_types.h" - /******************************************************************** * Enumerations ********************************************************************/ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_paf.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_paf.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,502 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#include "sf_types.h" +#include "sfPolicy.h" +#include "sf_dynamic_preprocessor.h" +#include "stream_api.h" +#include "dce2_utils.h" +#include "dce2_session.h" +#include "dce2_smb.h" +#include "snort_dce2.h" +#include "includes/dcerpc.h" +#include "includes/smb.h" + +#ifdef ENABLE_PAF + +#define DCE2_SMB_PAF_SHIFT(x64, x8) { x64 <<= 8; x64 |= (uint64_t)x8; } + +extern DCE2_ProtoIds dce2_proto_ids; + +// Enumerations for PAF states +typedef enum _DCE2_PafSmbStates +{ + DCE2_PAF_SMB_STATES__0 = 0, // NetBIOS type + DCE2_PAF_SMB_STATES__1, // Added bit of NetBIOS length + DCE2_PAF_SMB_STATES__2, // First byte of NetBIOS length + DCE2_PAF_SMB_STATES__3, // Second byte of NetBIOS length + // Junk states + DCE2_PAF_SMB_STATES__4, // 0xff + DCE2_PAF_SMB_STATES__5, // 'S' + DCE2_PAF_SMB_STATES__6, // 'M' + DCE2_PAF_SMB_STATES__7 // 'B' + +} DCE2_PafSmbStates; + +typedef enum _DCE2_PafTcpStates +{ + DCE2_PAF_TCP_STATES__0 = 0, + DCE2_PAF_TCP_STATES__1, + DCE2_PAF_TCP_STATES__2, 
+ DCE2_PAF_TCP_STATES__3, + DCE2_PAF_TCP_STATES__4, // Byte order + DCE2_PAF_TCP_STATES__5, + DCE2_PAF_TCP_STATES__6, + DCE2_PAF_TCP_STATES__7, + DCE2_PAF_TCP_STATES__8, // First byte of fragment length + DCE2_PAF_TCP_STATES__9 // Second byte of fragment length + +} DCE2_PafTcpStates; + + +// State tracker for DCE/RPC over SMB PAF +typedef struct _DCE2_PafSmbState +{ + DCE2_PafSmbStates state; + uint64_t nb_hdr; // Enough for NetBIOS header and 4 bytes SMB header + +} DCE2_PafSmbState; + +// State tracker for DCE/RPC over TCP PAF +typedef struct _DCE2_PafTcpState +{ + DCE2_PafTcpStates state; + DceRpcBoFlag byte_order; + uint16_t frag_len; + +} DCE2_PafTcpState; + + +// Local function prototypes +static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t, bool); +static PAF_Status DCE2_SmbPaf(void *, void **, const uint8_t *, uint32_t, uint32_t, uint32_t *); +static PAF_Status DCE2_TcpPaf(void *, void **, const uint8_t *, uint32_t, uint32_t, uint32_t *); + + +/********************************************************************* + * Function: DCE2_PafSmbIsValidNetbiosHdr() + * + * Purpose: Validates that the NetBIOS header is valid. If in + * junk states, header type must be Session Message. 
+ * + * Arguments: + * uint32_t - the 4 bytes of the NetBIOS header + * bool - whether we're in a junk data state or not + * + * Returns: + * bool - true if valid, false if not + * + *********************************************************************/ +static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t nb_hdr, bool junk) +{ + uint8_t type = (uint8_t)(nb_hdr >> 24); + uint8_t bit = (uint8_t)((nb_hdr & 0x00ff0000) >> 16); + + if (junk) + { + if (type != NBSS_SESSION_TYPE__MESSAGE) + return false; + } + else + { + switch (type) + { + case NBSS_SESSION_TYPE__MESSAGE: + case NBSS_SESSION_TYPE__REQUEST: + case NBSS_SESSION_TYPE__POS_RESPONSE: + case NBSS_SESSION_TYPE__NEG_RESPONSE: + case NBSS_SESSION_TYPE__RETARGET_RESPONSE: + case NBSS_SESSION_TYPE__KEEP_ALIVE: + break; + default: + return false; + } + } + + if ((bit != 0x00) && (bit != 0x01)) + return false; + + return true; +} + +/********************************************************************* + * Function: DCE2_SmbPaf() + * + * Purpose: The DCE/RPC over SMB PAF callback. + * Inspects a byte at a time changing state and shifting + * bytes onto the 64bit nb_hdr member. At state 3 + * determines if NetBIOS header is valid and if so sets + * flush point. If not valid goes to states 4-7 where + * there is the possibility that junk data was inserted + * before request/response. Needs to validate SMB ID at + * this point. At state 7 determines if NetBIOS header + * is valid and that the SMB ID is present. Stays in + * state 7 until this is the case. 
+ * + * Arguments: + * void * - stream5 session pointer + * void ** - SMB state tracking structure + * const uint8_t * - payload data to inspect + * uint32_t - length of payload data + * uint32_t - flags to check whether client or server + * uint32_t * - pointer to set flush point + * + * Returns: + * PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise + * + *********************************************************************/ +PAF_Status DCE2_SmbPaf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + DCE2_PafSmbState *ss = *(DCE2_PafSmbState **)user; + uint32_t n = 0; + PAF_Status ps = PAF_SEARCH; + uint32_t nb_hdr; + uint32_t nb_len; + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\nIn DCE2_SmbPaf: %u bytes of data\n", len)); + +#ifdef DEBUG_MSGS + if (flags & FLAG_FROM_CLIENT) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Client\n")); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Server\n")); +#endif + + if (ss == NULL) + { + // beware - we allocate here but s5 calls free() directly + // so no pointers allowed + ss = calloc(1, sizeof(DCE2_PafSmbState)); + + if (ss == NULL) + return PAF_ABORT; + + *user = ss; + } + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ss->state)); + + while (n < len) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n])); + +#ifdef DEBUG_MSGS + if (isprint(data[n])) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, " : %c\n", data[n])); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\n")); +#endif + + switch (ss->state) + { + case DCE2_PAF_SMB_STATES__0: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 0\n")); + ss->nb_hdr = (uint64_t)data[n]; + ss->state++; + break; + case DCE2_PAF_SMB_STATES__3: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 3\n")); + DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]); + if (DCE2_PafSmbIsValidNetbiosHdr((uint32_t)ss->nb_hdr, false)) + { + nb_hdr = htonl((uint32_t)ss->nb_hdr); + nb_len = NbssLen((const 
NbssHdr *)&nb_hdr); + *fp = (nb_len + sizeof(NbssHdr) + n) - ss->state; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Setting flush " + "point for non-junk data: %u\n\n", *fp)); + ss->state = DCE2_PAF_SMB_STATES__0; + return PAF_FLUSH; + } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid NetBIOS header - " + "entering junk data states.\n")); + ss->state++; + break; + case DCE2_PAF_SMB_STATES__7: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 7\n")); + DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]); + + if (!DCE2_PafSmbIsValidNetbiosHdr((uint32_t)(ss->nb_hdr >> 32), true)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid NetBIOS header - " + "staying in State 7.\n")); + break; + } + if ((uint32_t)ss->nb_hdr != DCE2_SMB_ID) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid SMB ID - " + "staying in State 7.\n")); + break; + } + + nb_hdr = htonl((uint32_t)(ss->nb_hdr >> 32)); + nb_len = NbssLen((const NbssHdr *)&nb_hdr); + *fp = (nb_len + sizeof(NbssHdr) + n) - ss->state; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Setting flush point " + "for junk data: %u\n\n", *fp)); + ss->state = DCE2_PAF_SMB_STATES__0; + return PAF_FLUSH; + default: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State %u\n", ss->state)); + DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]); + ss->state++; + break; + } + + n++; + } + + return ps; +} + +/********************************************************************* + * Function: DCE2_TcpPaf() + * + * Purpose: The DCE/RPC over TCP PAF callback. + * Inspects a byte at a time changing state. At state 4 + * gets byte order of PDU. At states 8 and 9 gets + * fragment length and sets flush point if no more data. + * Otherwise accumulates flush points because there can + * be multiple PDUs in a single TCP segment (evasion case). 
+ * + * Arguments: + * void * - stream5 session pointer + * void ** - TCP state tracking structure + * const uint8_t * - payload data to inspect + * uint32_t - length of payload data + * uint32_t - flags to check whether client or server + * uint32_t * - pointer to set flush point + * + * Returns: + * PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise + * + *********************************************************************/ +PAF_Status DCE2_TcpPaf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + DCE2_PafTcpState *ds = *(DCE2_PafTcpState **)user; + uint32_t n = 0; + int start_state; + PAF_Status ps = PAF_SEARCH; + uint32_t tmp_fp = 0; + DCE2_SsnData *sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(ssn, PP_DCE2); + int num_requests = 0; + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\nIn DCE2_TcpPaf: %u bytes of data\n", len)); + + if (sd == NULL) + { + // Need packet to see if it's an autodetect port then do an autodetect + // if autodetect port and not autodetected + // return PAF_ABORT + + bool cont = false; + +#ifdef TARGET_BASED + if (_dpd.isAdaptiveConfigured(_dpd.getRuntimePolicy(), 0)) + { + int16_t proto_id = _dpd.streamAPI->get_application_protocol_id(ssn); + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "No session data - checking adaptive " + "to see if it's DCE/RPC.\n")); + + if (proto_id == dce2_proto_ids.dcerpc) + cont = true; + } + else + { +#endif + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "No session data - autodetecting\n")); + + if (len >= sizeof(DceRpcCoHdr)) + { + DceRpcCoHdr *co_hdr = (DceRpcCoHdr *)data; + + if ((DceRpcCoVersMaj(co_hdr) == DCERPC_PROTO_MAJOR_VERS__5) && + (DceRpcCoVersMin(co_hdr) == DCERPC_PROTO_MINOR_VERS__0) && + ((DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND) || + (DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND_ACK)) && + (DceRpcCoFragLen(co_hdr) >= sizeof(DceRpcCoHdr))) + { + cont = true; + } + } + else if ((*data == DCERPC_PROTO_MAJOR_VERS__5) 
&& (flags & FLAG_FROM_CLIENT)) + { + cont = true; + } +#ifdef TARGET_BASED + } +#endif + + if (!cont) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Couldn't autodetect - aborting\n")); + return PAF_ABORT; + } + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Autodetected!\n")); + } + + if (ds == NULL) + { + // beware - we allocate here but s5 calls free() directly + // so no pointers allowed + ds = calloc(1, sizeof(DCE2_PafTcpState)); + + if (ds == NULL) + return PAF_ABORT; + + *user = ds; + } + +#ifdef DEBUG_MSGS + if (flags & FLAG_FROM_CLIENT) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Client\n")); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Server\n")); +#endif + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ds->state)); + start_state = (uint8_t)ds->state; // determines how many bytes already looked at + + while (n < len) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n])); + +#ifdef DEBUG_MSGS + if (isprint(data[n])) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, " : %c\n", data[n])); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "\n")); +#endif + + switch (ds->state) + { + case DCE2_PAF_TCP_STATES__4: // Get byte order + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 4\n")); + ds->byte_order = DceRpcByteOrder(data[n]); + ds->state++; +#ifdef DEBUG_MSGS + if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Got byte order: Little endian\n")); + else + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Got byte order: Big endian\n")); +#endif + break; + case DCE2_PAF_TCP_STATES__8: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 8\n")); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Getting first byte of frag length\n")); + if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + ds->frag_len = data[n]; + else + ds->frag_len = data[n] << 8; + ds->state++; + break; + case DCE2_PAF_TCP_STATES__9: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State 9\n")); + if 
(ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN) + ds->frag_len |= data[n] << 8; + else + ds->frag_len |= data[n]; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Getting second byte of frag length\n")); + + /* If we get a bad frag length abort */ + if (ds->frag_len < sizeof(DceRpcCoHdr)) + return PAF_ABORT; + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Got frag_len: %u\n", ds->frag_len)); + + /* Increment n here so we can continue */ + n += ds->frag_len - (uint8_t)ds->state; + num_requests++; + /* Might have multiple PDUs in one segment. If the last PDU is partial, + * flush just before it */ + if ((num_requests == 1) || (n <= len)) + tmp_fp += ds->frag_len; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Requests: %u\n", num_requests)); + ds->state = DCE2_PAF_TCP_STATES__0; + continue; // we incremented n already + default: + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "State %u\n", ds->state)); + ds->state++; + break; + } + + n++; + } + + if (tmp_fp != 0) + { + *fp = tmp_fp - start_state; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Setting flush point: %u\n", *fp)); + return PAF_FLUSH; + } + + return ps; +} + +#endif // ENABLE_PAF + +/********************************************************************* + * Function: DCE2_PafRegister() + * + * Purpose: Registers callbacks for interested ports. SMB and TCP + * ports are mutually exclusive so only one or the other + * will be registered for any given port. + * + * Arguments: + * uint16_t - port to register + * tSfPolicyId - the policy to register for + * DCE2_TransType - the type of DCE/RPC transport to register for. + * + * Returns: + * int - 0 for success. 
+ * + *********************************************************************/ +int DCE2_PafRegister(uint16_t port, tSfPolicyId pid, DCE2_TransType trans) +{ +#ifdef ENABLE_PAF + if (!_dpd.isPafEnabled()) + return 0; + + //DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + // "%s: policy %u, port %u\n", __FUNCTION__, pid, port);); + + switch (trans) + { + case DCE2_TRANS_TYPE__SMB: + _dpd.streamAPI->register_paf_cb(pid, port, 0, DCE2_SmbPaf, true); + _dpd.streamAPI->register_paf_cb(pid, port, 1, DCE2_SmbPaf, true); + break; + case DCE2_TRANS_TYPE__TCP: + _dpd.streamAPI->register_paf_cb(pid, port, 0, DCE2_TcpPaf, true); + _dpd.streamAPI->register_paf_cb(pid, port, 1, DCE2_TcpPaf, true); + break; + default: + DCE2_Die("Invalid transport type sent to paf registration function"); + break; + } +#endif + + return 0; +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_paf.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_paf.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_paf.h 2011-07-13 15:44:51.000000000 -0700 
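Review bot: In DCE2_TcpPaf's autodetect path the `else if` branch dereferences `*data` for every `len < sizeof(DceRpcCoHdr)`, which includes `len == 0`; if the stream layer can invoke the callback with an empty segment this reads past the buffer, so the condition should be `else if ((len > 0) && (*data == DCERPC_PROTO_MAJOR_VERS__5) && (flags & FLAG_FROM_CLIENT))`, and the `co_hdr` cast just above it should keep the pointer `const` rather than discarding it. A second point in DCE2_SmbPaf's state 7: `*fp = (nb_len + sizeof(NbssHdr) + n) - ss->state;` is computed in size_t and truncated into a uint32_t, so when `n` is small because the seven earlier bytes arrived in a previous segment and the header declares a length below the four SMB-ID bytes already consumed, the flush point is zero or wraps to a very large value; DCE2_PafSmbIsValidNetbiosHdr checks only the type and flag bytes, never the length. Treating `nb_len < sizeof(uint32_t)` like the other two failures in that state (`break`, stay in state 7) closes this, and whether the stream layer tolerates an oversized flush point is not visible here. The `ps` local in both callbacks is only ever PAF_SEARCH, so `return PAF_SEARCH;` would read more directly than carrying it.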
@@ -0,0 +1,32 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#ifndef __DCE2_PAF_H__ +#define __DCE2_PAF_H__ + +#include "sfPolicy.h" +#include "sf_types.h" +#include "stream_api.h" +#include "dce2_utils.h" + +int DCE2_PafRegister(uint16_t, tSfPolicyId, DCE2_TransType); + +#endif /* __DCE2_PAF_H__ */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
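Review bot: The include guard `__DCE2_PAF_H__` is a double-underscore identifier, which C reserves for the implementation, and it departs from the single-underscore form the sibling headers in this diff use (`_DCE2_HTTP_H_`, `_DCE2_MEMORY_H_`); a plain `DCE2_PAF_H` avoids the reservation, or the existing `_DCE2_..._H_` pattern keeps the module consistent. The prototype would also benefit from a one-line comment stating that DCE2_PafRegister returns 0 without registering anything when PAF is disabled at build or run time, which is what the `#ifdef ENABLE_PAF` body and the `isPafEnabled()` early return in dce2_paf.c do.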
@@ -17,9 +17,18 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#include <errno.h> +#include <string.h> +#include <stdarg.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_roptions.h" #include "dce2_memory.h" #include "dcerpc.h" @@ -32,14 +41,6 @@ #include "sf_snort_plugin_api.h" #include "sfhashfcn.h" #include "profiler.h" -#include <errno.h> -#include <string.h> -#include <stdarg.h> - -/******************************************************************** - * Extern variables - ********************************************************************/ -extern DynamicPreprocessorData _dpd; /******************************************************************** * Macros @@ -140,7 +141,7 @@ int iface_vers_maj; int iface_vers_min; DCE2_IfOp operator; - int any_frag; + int any_frag; } DCE2_IfaceData; @@ -195,9 +196,9 @@ static int DCE2_IfaceInit(char *, char *, void **); static int DCE2_OpnumInit(char *, char *, void **); static void DCE2_ParseOpnumList(char **, char *, uint8_t *); -static INLINE void DCE2_OpnumSet(uint8_t *, const uint16_t); -static INLINE void DCE2_OpnumSetRange(uint8_t *, uint16_t, uint16_t); -static INLINE int DCE2_OpnumIsSet(const uint8_t *, const uint16_t, const uint16_t, const uint16_t); +static inline void DCE2_OpnumSet(uint8_t *, const uint16_t); +static inline void DCE2_OpnumSetRange(uint8_t *, uint16_t, uint16_t); +static inline int DCE2_OpnumIsSet(const uint8_t *, const uint16_t, const uint16_t, const uint16_t); static int DCE2_StubDataInit(char *, char *, void **); static int DCE2_ByteTestInit(char *, char *, void **); static int DCE2_ByteJumpInit(char *, char *, void **); 
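Review bot: The new include order in dce2_roptions.c places `<errno.h>`, `<string.h>` and `<stdarg.h>` ahead of `config.h`, unlike the sibling hunks in dce2_http.c, dce2_list.c and dce2_memory.c, which include `config.h` before anything else. If config.h defines feature-test macros (`_GNU_SOURCE`, `_FILE_OFFSET_BITS` and the like) they only take effect when they precede the first system header, so this translation unit could see different declarations from the rest of the preprocessor; whether config.h defines any is not visible in the diff. Moving the three system includes to just after the `#ifdef HAVE_CONFIG_H` block keeps the files consistent and removes the question.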
@@ -219,9 +220,9 @@ static int DCE2_OpnumKeyCompare(void *, void *); static int DCE2_ByteTestKeyCompare(void *, void *); static int DCE2_ByteJumpKeyCompare(void *, void *); -static INLINE int DCE2_RoptDoEval(SFSnortPacket *); +static inline int DCE2_RoptDoEval(SFSnortPacket *); static NORETURN void DCE2_RoptError(const char *, ...); -static INLINE void * DCE2_AllocFp(uint32_t); +static inline void * DCE2_AllocFp(uint32_t); static int DCE2_IfaceAddFastPatterns(void *, int, int, FPContentInfo **); /******************************************************************** @@ -259,7 +260,7 @@ * * XXX Connectionless uses a 32bit version, connection-oriented * a 16bit major version and 16bit minor version. Not likely to - * need to support versions greater than 65535, but may need to + * need to support versions greater than 65535, but may need to * support minor version. * * Arguments: @@ -667,7 +668,7 @@ } } -static INLINE void * DCE2_AllocFp(uint32_t size) +static inline void * DCE2_AllocFp(uint32_t size) { void *mem = calloc(1, (size_t)size); if (mem == NULL) @@ -724,8 +725,8 @@ //DCE2_IfaceData *iface_data = (DCE2_IfaceData *)rule_opt_data; FPContentInfo *big_fp = (FPContentInfo *)DCE2_AllocFp(sizeof(FPContentInfo)); FPContentInfo *little_fp = (FPContentInfo *)DCE2_AllocFp(sizeof(FPContentInfo)); - char *big_content = (char *)DCE2_AllocFp(sizeof(Uuid)); - char *little_content = (char *)DCE2_AllocFp(sizeof(Uuid)); + char *big_content = (char *)DCE2_AllocFp(sizeof(Uuid)); + char *little_content = (char *)DCE2_AllocFp(sizeof(Uuid)); uint32_t time32; uint16_t time16; int index = 0; @@ -1030,7 +1031,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_OpnumIsSet(const uint8_t *opnum_mask, const uint16_t opnum_lo, +static inline int DCE2_OpnumIsSet(const uint8_t *opnum_mask, const uint16_t opnum_lo, const uint16_t opnum_hi, const uint16_t opnum) { uint16_t otmp = opnum - opnum_lo; 
@@ -1051,7 +1052,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_OpnumSet(uint8_t *opnum_mask, const uint16_t opnum) +static inline void DCE2_OpnumSet(uint8_t *opnum_mask, const uint16_t opnum) { opnum_mask[(opnum / 8)] |= (1 << (opnum % 8)); } @@ -1066,7 +1067,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_OpnumSetRange(uint8_t *opnum_mask, uint16_t lo_opnum, uint16_t hi_opnum) +static inline void DCE2_OpnumSetRange(uint8_t *opnum_mask, uint16_t lo_opnum, uint16_t hi_opnum) { uint16_t i; @@ -1450,7 +1451,7 @@ if (arg == NULL) { DCE2_Free((void *)bj_data, sizeof(DCE2_ByteJumpData), DCE2_MEM_TYPE__ROPTION); - DCE2_RoptError("\"%s\" rule option: \"%s\" requires an argument.", + DCE2_RoptError("\"%s\" rule option: \"%s\" requires an argument.", DCE2_ROPT__BYTE_JUMP, DCE2_RARG__MULTIPLIER); } @@ -1658,7 +1659,7 @@ break; default: - break; + break; } return ret; @@ -1789,6 +1790,7 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Setting cursor to stub data: %p.\n", ropts->stub_data)); *cursor = ropts->stub_data; + _dpd.SetAltDetect((uint8_t *)ropts->stub_data, (uint16_t)(p->payload_size - (ropts->stub_data - p->payload))); return RULE_MATCH; } @@ -1811,6 +1813,8 @@ DCE2_SsnData *sd; DCE2_Roptions *ropts; DCE2_ByteTestData *bt_data; + const uint8_t *start_ptr; + uint16_t dsize; const uint8_t *bt_ptr; uint32_t pkt_value; DceRpcBoFlag byte_order; 
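Review bot: The length handed to `_dpd.SetAltDetect` on the added line, `(uint16_t)(p->payload_size - (ropts->stub_data - p->payload))`, silently wraps to a large value if `ropts->stub_data` does not lie inside `p->payload`..`p->payload + p->payload_size`, and nothing in the hunk establishes that invariant (it may be guaranteed where `stub_data` is assigned, outside this hunk). Making the contract explicit before the call, `if (ropts->stub_data < p->payload || ropts->stub_data > p->payload + p->payload_size) return RULE_NOMATCH;`, keeps a malformed stub pointer from becoming an oversized detect buffer. The enclosing function begins outside the hunk.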
@@ -1852,11 +1856,23 @@ if (bt_data == NULL) return RULE_NOMATCH; + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + _dpd.GetAltDetect((uint8_t **)&start_ptr, &dsize); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else + { + start_ptr = p->payload; + dsize = p->payload_size; + } + /* Make sure we don't read past the end of the payload or before * beginning of payload */ if (bt_data->relative) { - if ((bt_data->offset < 0) && (*cursor + bt_data->offset) < p->payload) + if ((bt_data->offset < 0) && (*cursor + bt_data->offset) < start_ptr) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset is negative and puts cursor before beginning " @@ -1864,7 +1880,7 @@ return RULE_NOMATCH; } - if ((*cursor + bt_data->offset + bt_data->num_bytes) > (p->payload + p->payload_size)) + if ((*cursor + bt_data->offset + bt_data->num_bytes) > (start_ptr + dsize)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past " @@ -1883,7 +1899,7 @@ "not evaluating.\n")); return RULE_NOMATCH; } - else if ((p->payload + bt_data->offset + bt_data->num_bytes) > (p->payload + p->payload_size)) + else if ((start_ptr + bt_data->offset + bt_data->num_bytes) > (start_ptr + dsize)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past " @@ -1891,7 +1907,7 @@ return RULE_NOMATCH; } - bt_ptr = p->payload + bt_data->offset; + bt_ptr = start_ptr + bt_data->offset; } /* Determine which byte order to use */ @@ -2025,7 +2041,7 @@ return RULE_NOMATCH; } -#ifdef DEBUG +#ifdef DEBUG_MSGS if (ret == RULE_MATCH) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, @@ -2057,6 +2073,8 @@ DCE2_SsnData *sd; DCE2_Roptions *ropts; DCE2_ByteJumpData *bj_data; + const uint8_t *start_ptr; + uint16_t dsize; const uint8_t *bj_ptr; uint32_t jmp_value; DceRpcBoFlag byte_order; 
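Review bot: The added `_dpd.GetAltDetect((uint8_t **)&start_ptr, &dsize);` casts away the `const` on `start_ptr`, and the rewritten relative-mode checks then compare `*cursor` against `start_ptr` and `start_ptr + dsize`, which is only meaningful if the cursor points into the same buffer the alternate-detect buffer was taken from; that holds for the `stub_data` case set in this file, but it is not checked here, and comparing pointers into different objects is undefined in C. If another component sets the alternate buffer to memory outside `p->payload`, a cursor still relative to `p->payload` passes or fails these checks arbitrarily. A comment such as `/* assumes the alt-detect buffer is a sub-range of p->payload and *cursor points into it */`, or an explicit `if (*cursor < start_ptr || *cursor > start_ptr + dsize) return RULE_NOMATCH;` at the top of the relative branch, would pin that down. The same pattern appears in the byte_jump hunk at -2097,11 +2115,23 below. The enclosing function begins outside this hunk.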
@@ -2097,11 +2115,23 @@ if (bj_data == NULL) return RULE_NOMATCH; + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + _dpd.GetAltDetect((uint8_t **)&start_ptr, &dsize); + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else + { + start_ptr = p->payload; + dsize = p->payload_size; + } + /* Make sure we don't read past the end of the payload or before * beginning of payload */ if (bj_data->relative) { - if ((bj_data->offset < 0) && (*cursor + bj_data->offset) < p->payload) + if ((bj_data->offset < 0) && (*cursor + bj_data->offset) < start_ptr) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset is negative and puts cursor before beginning " @@ -2109,7 +2139,7 @@ return RULE_NOMATCH; } - if ((*cursor + bj_data->offset + bj_data->num_bytes) > (p->payload + p->payload_size)) + if ((*cursor + bj_data->offset + bj_data->num_bytes) > (start_ptr + dsize)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past " @@ -2128,7 +2158,7 @@ "not evaluating.\n")); return RULE_NOMATCH; } - else if ((p->payload + bj_data->offset + bj_data->num_bytes) > (p->payload + p->payload_size)) + else if ((start_ptr + bj_data->offset + bj_data->num_bytes) > (start_ptr + dsize)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past " @@ -2136,7 +2166,7 @@ return RULE_NOMATCH; } - bj_ptr = p->payload + bj_data->offset; + bj_ptr = start_ptr + bj_data->offset; } /* Determine which byte order to use */ @@ -2203,7 +2233,7 @@ } bj_ptr += bj_data->num_bytes + jmp_value + bj_data->post_offset; - if ((bj_ptr < p->payload) || (bj_ptr >= (p->payload + p->payload_size))) + if ((bj_ptr < start_ptr) || (bj_ptr >= (start_ptr + dsize))) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, "\"%s\" Fail. Jump puts us past end of payload.\n", 
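Review bot: In the -2203 hunk, `bj_ptr += bj_data->num_bytes + jmp_value + bj_data->post_offset;` (the context line above the changed range test) advances the pointer by the packet-derived `jmp_value` before the bounds check, so the pointer is formed outside the buffer first and, on 32-bit targets, can wrap back into `[start_ptr, start_ptr + dsize)` and pass; the compiler may also assume such arithmetic stays in bounds. Doing the test on an integer offset avoids both: `int64_t off = (int64_t)(bj_ptr - start_ptr) + bj_data->num_bytes + (int64_t)jmp_value + bj_data->post_offset;` followed by `if (off < 0 || off >= (int64_t)dsize) { /* existing fail path */ }` and `bj_ptr = start_ptr + off;` (assuming `post_offset` is a signed type; its declaration is outside the hunk). The enclosing function begins outside the hunk.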
@@ -2229,7 +2259,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_RoptDoEval(SFSnortPacket *p) +static inline int DCE2_RoptDoEval(SFSnortPacket *p) { if ((p->payload_size == 0) || (p->stream_session_ptr == NULL) || @@ -2712,7 +2742,7 @@ } else { - printf("Iface: %s\n", DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE)); + printf("Iface: %s\n", DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE)); printf("Iface version: %u\n", ropts->iface_vers_maj); } if (ropts->opnum == DCE2_SENTINEL) printf("Opnum: unset\n"); diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_roptions.h 2011-02-09 15:23:14.000000000 -0800 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_session.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_session.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_session.h 2010-01-26 10:09:57.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_session.h 2011-06-07 17:33:12.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_SESSION_H_ @@ -33,11 +33,6 @@ #include "sf_dynamic_preprocessor.h" /******************************************************************** - * Extern variables - ********************************************************************/ -extern DynamicPreprocessorData _dpd; - -/******************************************************************** * Enumerations ********************************************************************/ typedef enum _DCE2_SsnFlag 
@@ -82,34 +77,34 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE int DCE2_SsnIsEstablished(const SFSnortPacket *); -static INLINE int DCE2_SsnIsMidstream(const SFSnortPacket *); -static INLINE void DCE2_SsnSetAppData(const SFSnortPacket *, void *, StreamAppDataFree); -static INLINE void * DCE2_SsnGetAppData(const SFSnortPacket *); -static INLINE int DCE2_SsnGetReassembly(const SFSnortPacket *); -static INLINE void DCE2_SsnSetReassembly(const SFSnortPacket *); -static INLINE int DCE2_SsnIsRebuilt(const SFSnortPacket *); -static INLINE int DCE2_SsnIsStreamInsert(const SFSnortPacket *); -static INLINE void DCE2_SsnFlush(SFSnortPacket *); -static INLINE int DCE2_SsnFromServer(const SFSnortPacket *); -static INLINE int DCE2_SsnFromClient(const SFSnortPacket *); -static INLINE int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *); -static INLINE int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *); -static INLINE void DCE2_SsnSetMissedPkts(DCE2_SsnData *); -static INLINE int DCE2_SsnMissedPkts(DCE2_SsnData *); -static INLINE void DCE2_SsnClearMissedPkts(DCE2_SsnData *); -static INLINE void DCE2_SsnSetSeenClient(DCE2_SsnData *); -static INLINE int DCE2_SsnSeenClient(DCE2_SsnData *); -static INLINE void DCE2_SsnSetSeenServer(DCE2_SsnData *); -static INLINE int DCE2_SsnSeenServer(DCE2_SsnData *); -static INLINE void DCE2_SsnSetAutodetected(DCE2_SsnData *, const SFSnortPacket *); -static INLINE int DCE2_SsnAutodetected(DCE2_SsnData *); -static INLINE int DCE2_SsnAutodetectDir(DCE2_SsnData *); -static INLINE void DCE2_SsnSetNoInspect(DCE2_SsnData *); -static INLINE int DCE2_SsnNoInspect(DCE2_SsnData *sd); +static inline int DCE2_SsnIsEstablished(const SFSnortPacket *); +static inline int DCE2_SsnIsMidstream(const SFSnortPacket *); +static inline void DCE2_SsnSetAppData(const SFSnortPacket *, void *, StreamAppDataFree); 
+static inline void * DCE2_SsnGetAppData(const SFSnortPacket *); +static inline int DCE2_SsnGetReassembly(const SFSnortPacket *); +static inline void DCE2_SsnSetReassembly(const SFSnortPacket *); +static inline int DCE2_SsnIsRebuilt(const SFSnortPacket *); +static inline int DCE2_SsnIsStreamInsert(const SFSnortPacket *); +static inline void DCE2_SsnFlush(SFSnortPacket *); +static inline int DCE2_SsnFromServer(const SFSnortPacket *); +static inline int DCE2_SsnFromClient(const SFSnortPacket *); +static inline int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *); +static inline int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *); +static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData *); +static inline int DCE2_SsnMissedPkts(DCE2_SsnData *); +static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData *); +static inline void DCE2_SsnSetSeenClient(DCE2_SsnData *); +static inline int DCE2_SsnSeenClient(DCE2_SsnData *); +static inline void DCE2_SsnSetSeenServer(DCE2_SsnData *); +static inline int DCE2_SsnSeenServer(DCE2_SsnData *); +static inline void DCE2_SsnSetAutodetected(DCE2_SsnData *, const SFSnortPacket *); +static inline int DCE2_SsnAutodetected(DCE2_SsnData *); +static inline int DCE2_SsnAutodetectDir(DCE2_SsnData *); +static inline void DCE2_SsnSetNoInspect(DCE2_SsnData *); +static inline int DCE2_SsnNoInspect(DCE2_SsnData *sd); -static INLINE uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *); -static INLINE uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd); +static inline uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *); +static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd); /******************************************************************** * Function: DCE2_SsnIsEstablished() 
@@ -124,7 +119,7 @@ * zero if the session is not established. * ********************************************************************/ -static INLINE int DCE2_SsnIsEstablished(const SFSnortPacket *p) +static inline int DCE2_SsnIsEstablished(const SFSnortPacket *p) { return _dpd.streamAPI->get_session_flags (p->stream_session_ptr) & SSNFLAG_ESTABLISHED; @@ -144,7 +139,7 @@ * zero if the session was not picked up midstream. * ********************************************************************/ -static INLINE int DCE2_SsnIsMidstream(const SFSnortPacket *p) +static inline int DCE2_SsnIsMidstream(const SFSnortPacket *p) { return _dpd.streamAPI->get_session_flags (p->stream_session_ptr) & SSNFLAG_MIDSTREAM; @@ -167,7 +162,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetAppData(const SFSnortPacket *p, void *data, StreamAppDataFree sdfree) +static inline void DCE2_SsnSetAppData(const SFSnortPacket *p, void *data, StreamAppDataFree sdfree) { _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_DCE2, data, sdfree); } @@ -184,7 +179,7 @@ * void * - the data stored on the session. * ********************************************************************/ -static INLINE void * DCE2_SsnGetAppData(const SFSnortPacket *p) +static inline void * DCE2_SsnGetAppData(const SFSnortPacket *p) { return _dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2); } @@ -202,7 +197,7 @@ * SSN_DIR_NONE, SSN_DIR_CLIENT, SSN_DIR_SERVER or SSN_DIR_BOTH * ********************************************************************/ -static INLINE int DCE2_SsnGetReassembly(const SFSnortPacket *p) +static inline int DCE2_SsnGetReassembly(const SFSnortPacket *p) { return (int)_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr); } 
@@ -220,7 +215,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetReassembly(const SFSnortPacket *p) +static inline void DCE2_SsnSetReassembly(const SFSnortPacket *p) { _dpd.streamAPI->set_reassembly(p->stream_session_ptr, STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE); @@ -240,7 +235,7 @@ * zero if the packet is not stream reassembled. * ********************************************************************/ -static INLINE int DCE2_SsnIsRebuilt(const SFSnortPacket *p) +static inline int DCE2_SsnIsRebuilt(const SFSnortPacket *p) { return p->flags & FLAG_REBUILT_STREAM; } @@ -259,7 +254,7 @@ * zero if the packet is not stream inserted. * ********************************************************************/ -static INLINE int DCE2_SsnIsStreamInsert(const SFSnortPacket *p) +static inline int DCE2_SsnIsStreamInsert(const SFSnortPacket *p) { return p->flags & FLAG_STREAM_INSERT; } @@ -276,7 +271,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnFlush(SFSnortPacket *p) +static inline void DCE2_SsnFlush(SFSnortPacket *p) { _dpd.streamAPI->response_flush_stream(p); } @@ -285,7 +280,7 @@ * Function: DCE2_SsnFromServer() * * Purpose: Returns whether or not this packet is from - * the server. + * the server. * * Arguments: * SFSnortPacket * - pointer to packet @@ -295,7 +290,7 @@ * zero if the packet is not from the server. * ********************************************************************/ -static INLINE int DCE2_SsnFromServer(const SFSnortPacket *p) +static inline int DCE2_SsnFromServer(const SFSnortPacket *p) { return p->flags & FLAG_FROM_SERVER; } @@ -304,7 +299,7 @@ * Function: DCE2_SsnFromClient() * * Purpose: Returns whether or not this packet is from - * the client. + * the client. * * Arguments: * SFSnortPacket * - pointer to packet 
@@ -314,7 +309,7 @@ * zero if the packet is not from the client. * ********************************************************************/ -static INLINE int DCE2_SsnFromClient(const SFSnortPacket *p) +static inline int DCE2_SsnFromClient(const SFSnortPacket *p) { return p->flags & FLAG_FROM_CLIENT; } @@ -334,7 +329,7 @@ * SSN_MISSING_BOTH or SSN_MISSING_NONE * ********************************************************************/ -static INLINE int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *p) +static inline int DCE2_SsnClientMissedInReassembled(const SFSnortPacket *p) { return _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_CLIENT); } @@ -354,7 +349,7 @@ * SSN_MISSING_BOTH or SSN_MISSING_NONE * ********************************************************************/ -static INLINE int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *p) +static inline int DCE2_SsnServerMissedInReassembled(const SFSnortPacket *p) { return _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_SERVER); } @@ -370,7 +365,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetMissedPkts(DCE2_SsnData *sd) +static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__MISSED_PKTS; } @@ -389,7 +384,7 @@ * zero if no packets were missed * ********************************************************************/ -static INLINE int DCE2_SsnMissedPkts(DCE2_SsnData *sd) +static inline int DCE2_SsnMissedPkts(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__MISSED_PKTS; } @@ -406,7 +401,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnClearMissedPkts(DCE2_SsnData *sd) +static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData *sd) { sd->flags &= ~DCE2_SSN_FLAG__MISSED_PKTS; } 
@@ -423,7 +418,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetSeenClient(DCE2_SsnData *sd) +static inline void DCE2_SsnSetSeenClient(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__SEEN_CLIENT; } @@ -442,7 +437,7 @@ * zero if we haven't seen the client * ********************************************************************/ -static INLINE int DCE2_SsnSeenClient(DCE2_SsnData *sd) +static inline int DCE2_SsnSeenClient(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__SEEN_CLIENT; } @@ -459,7 +454,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetSeenServer(DCE2_SsnData *sd) +static inline void DCE2_SsnSetSeenServer(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__SEEN_SERVER; } @@ -478,7 +473,7 @@ * zero if we haven't seen the server * ********************************************************************/ -static INLINE int DCE2_SsnSeenServer(DCE2_SsnData *sd) +static inline int DCE2_SsnSeenServer(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__SEEN_SERVER; } @@ -495,7 +490,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnSetAutodetected(DCE2_SsnData *sd, const SFSnortPacket *p) +static inline void DCE2_SsnSetAutodetected(DCE2_SsnData *sd, const SFSnortPacket *p) { sd->flags |= DCE2_SSN_FLAG__AUTODETECTED; sd->autodetect_dir = p->flags & (FLAG_FROM_CLIENT | FLAG_FROM_SERVER); @@ -514,7 +509,7 @@ * zero if session was not autodetected * ********************************************************************/ -static INLINE int DCE2_SsnAutodetected(DCE2_SsnData *sd) +static inline int DCE2_SsnAutodetected(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__AUTODETECTED; } 
@@ -533,7 +528,7 @@ * zero if session was not autodetected * ********************************************************************/ -static INLINE int DCE2_SsnAutodetectDir(DCE2_SsnData *sd) +static inline int DCE2_SsnAutodetectDir(DCE2_SsnData *sd) { return sd->autodetect_dir; } @@ -550,7 +545,7 @@ * Returns: None * ********************************************************************/ -static INLINE void DCE2_SsnClearAutodetected(DCE2_SsnData *sd) +static inline void DCE2_SsnClearAutodetected(DCE2_SsnData *sd) { sd->flags &= ~DCE2_SSN_FLAG__AUTODETECTED; sd->autodetect_dir = 0; @@ -566,7 +561,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SsnSetNoInspect(DCE2_SsnData *sd) +static inline void DCE2_SsnSetNoInspect(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__NO_INSPECT; } @@ -581,7 +576,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_SsnNoInspect(DCE2_SsnData *sd) +static inline int DCE2_SsnNoInspect(DCE2_SsnData *sd) { return sd->flags & DCE2_SSN_FLAG__NO_INSPECT; } @@ -599,7 +594,7 @@ * uint16_t - the number of overlapped bytes * ********************************************************************/ -static INLINE uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *sd) +static inline uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *sd) { if ((sd->cli_overlap_bytes != 0) && DCE2_SsnFromClient(sd->wire_pkt)) { 
@@ -625,7 +620,7 @@ * uint16_t - the number of overlapped bytes * ********************************************************************/ -static INLINE uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd) +static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd) { if ((sd->cli_missed_bytes != 0) && DCE2_SsnFromClient(sd->wire_pkt)) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_smb.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_smb.c 2010-06-09 15:05:12.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,13 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifdef HAVE_CONFIG_H #include "config.h" #endif +#include "sf_types.h" #include "dce2_smb.h" #include "dce2_tcp.h" #include "dce2_co.h" @@ -38,7 +39,7 @@ #include "sf_snort_packet.h" #include "sf_types.h" #include "profiler.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_dynamic_preprocessor.h" #ifndef WIN32 @@ -54,7 +55,6 @@ * Extern variables ********************************************************************/ extern DCE2_Stats dce2_stats; -extern DynamicPreprocessorData _dpd; extern uint8_t dce2_smb_rbuf[]; #ifdef PERF_PROFILING 
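Review bot: The `#include "sf_types.h"` added in the -17,13 hunk of dce2_smb.c duplicates the `#include "sf_types.h"` still present a few lines later in the -38,7 hunk's context. It is harmless if the header has an include guard, but one of the two should go so the include list stays readable; keeping the new early one matches the ordering used in dce2_roptions.c in this same change.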
@@ -81,6 +81,7 @@ static DCE2_Ret DCE2_NbssHdrChecks(DCE2_SmbSsnData *, const NbssHdr *); static DCE2_Ret DCE2_SmbHdrChecks(DCE2_SmbSsnData *, const SmbNtHdr *); static int DCE2_SmbInspect(DCE2_SmbSsnData *, const SmbNtHdr *); +static uint32_t DCE2_IgnoreJunkData(const uint8_t *, uint16_t, uint32_t); static void DCE2_SmbProcessData(DCE2_SmbSsnData *, const uint8_t *, uint32_t); static void DCE2_SmbHandleCom(DCE2_SmbSsnData *, const SmbNtHdr *, const uint8_t *, uint32_t); 
@@ -110,18 +111,18 @@ static int DCE2_SmbGetComSize(DCE2_SmbSsnData *, const SmbNtHdr *, const SmbCommon *, const int); static int DCE2_SmbGetBcc(DCE2_SmbSsnData *, const SmbNtHdr *, const SmbCommon *, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *, const uint32_t, +static inline DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); +static inline DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const int); +static inline DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *, const uint32_t, const uint16_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const int); -static INLINE DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *, const uint8_t *, const uint8_t *, +static inline DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const int); +static inline DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *, const uint8_t *, const uint8_t *, const uint32_t, const int); -static INLINE void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *, const SmbNtHdr *, const uint8_t *, uint32_t); +static inline void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *, const SmbNtHdr *, const uint8_t *, uint32_t); -static INLINE void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *, uint16_t, uint16_t, uint16_t, int); -static INLINE DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *); +static inline void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *, uint16_t, uint16_t, uint16_t, int); +static inline DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *); static void DCE2_SmbChained(DCE2_SmbSsnData *, const SmbNtHdr *, const SmbAndXCommon *, const int, const uint8_t *, 
uint32_t); @@ -147,20 +148,20 @@ const uint16_t, const uint16_t); static void DCE2_SmbRemoveFid(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const uint16_t); -static INLINE DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *, const SmbNtHdr *, +static inline DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *, const SmbNtHdr *, DCE2_SmbFidNode *, const uint16_t); -static INLINE void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *, const SmbNtHdr *); -static INLINE DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *, const SmbNtHdr *); -static INLINE DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *, DCE2_SmbPMNode *, const uint8_t *, +static inline void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *, const SmbNtHdr *); +static inline DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *, const SmbNtHdr *); +static inline DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *, DCE2_SmbPMNode *, const uint8_t *, uint16_t, uint16_t); static void DCE2_SmbQueueTmpFid(DCE2_SmbSsnData *); static void DCE2_SmbInsertFidNode(DCE2_SmbSsnData *, const uint16_t, const uint16_t, const uint16_t, DCE2_SmbFidTrackerNode *); -static INLINE void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *); -static INLINE void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *); -static INLINE void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *); +static inline void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *); +static inline void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *); +static inline void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *); static int DCE2_SmbUTFCompare(const void *, const void *); static int DCE2_SmbUTPtreeCompare(const void *, const void *); 
@@ -171,15 +172,15 @@ static void DCE2_SmbFidTrackerDataFree(void *); static void DCE2_SmbPMDataFree(void *); -static INLINE void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *); +static inline void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *); static void DCE2_SmbSetMissedFids(DCE2_SmbSsnData *); -static INLINE DCE2_Ret DCE2_SmbHandleSegmentation(DCE2_SmbSeg *, const uint8_t *, uint16_t, uint32_t, uint16_t *); -static INLINE int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *, const uint8_t *); -static INLINE void DCE2_SmbSegAlert(DCE2_SmbSsnData *, DCE2_Event); -static INLINE int DCE2_SmbIsRawData(DCE2_SmbSsnData *); +static inline DCE2_Ret DCE2_SmbHandleSegmentation(DCE2_SmbSeg *, const uint8_t *, uint16_t, uint32_t, uint16_t *, int); +static inline int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *, const uint8_t *); +static inline void DCE2_SmbSegAlert(DCE2_SmbSsnData *, DCE2_Event); +static inline int DCE2_SmbIsRawData(DCE2_SmbSsnData *); -static INLINE DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *); -static INLINE uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *); +static inline DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *); +static inline uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *); /******************************************************************** * Function: @@ -435,6 +436,7 @@ uint32_t nb_len; uint16_t data_used; uint32_t nb_need; + DCE2_Ret nb_ret; /* Not enough data for NetBIOS header ... add data to segmentation buffer */ if (data_len < nb_hdr_need) @@ -442,7 +444,7 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Data len(%u) < NetBIOS SS header(%u). " "Queueing data.\n", data_len, nb_hdr_need)); - DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used); + DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used, 1); return; } 
@@ -451,11 +453,26 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "NetBIOS SS len: %u\n", nb_len)); /* Only look at session messages - these contain SMBs */ - if (DCE2_NbssHdrChecks(ssd, (NbssHdr *)data_ptr) != DCE2_RET__SUCCESS) + nb_ret = DCE2_NbssHdrChecks(ssd, (NbssHdr *)data_ptr); + if (nb_ret != DCE2_RET__SUCCESS) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a NetBIOS Session Message.\n")); - *ignore_bytes = nb_need; + if (nb_ret == DCE2_RET__IGNORE) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Valid NetBIOS header " + "type so ignoring NetBIOS length bytes.\n")); + *ignore_bytes = nb_need; + } + else // nb_ret == DCE2_RET__ERROR, i.e. invalid NetBIOS type + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a valid NetBIOS " + "header type so trying to find \\xffSMB to " + "determine how many bytes to ignore.\n")); + + *ignore_bytes = DCE2_IgnoreJunkData(data_ptr, data_len, nb_need); + } + dce2_stats.smb_ignored_bytes += *ignore_bytes; continue; } @@ -470,7 +487,7 @@ "Queueing data.\n", data_len, smb_hdr_need)); seg->nb_len = nb_len; - DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used); + DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used, 1); return; } @@ -515,7 +532,7 @@ "Queueing data.\n", data_len, nb_len)); seg->nb_len = nb_len; - DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used); + DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used, 1); return; } @@ -530,6 +547,8 @@ const NbssHdr *nb_hdr; uint16_t data_used; uint32_t nb_need; + int append = 0; + DCE2_Ret nb_ret; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Segmentation handling => current buffer " "length: %u\n", DCE2_BufferLength(seg->buf))); 
@@ -540,7 +559,8 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Seg buf len(%u) < NetBIOS SS header(%u). " "Queueing data.\n", DCE2_BufferLength(seg->buf), nb_hdr_need)); - status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used); + append = 1; + status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_hdr_need, &data_used, append); if (status != DCE2_RET__SUCCESS) return; @@ -551,11 +571,26 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "SEG: NetBIOS SS len: %u\n", seg->nb_len)); /* Only look at session messages - these contain SMBs */ - if (DCE2_NbssHdrChecks(ssd, (NbssHdr *)DCE2_BufferData(seg->buf)) != DCE2_RET__SUCCESS) + nb_ret = DCE2_NbssHdrChecks(ssd, (NbssHdr *)DCE2_BufferData(seg->buf)); + if (nb_ret != DCE2_RET__SUCCESS) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a NetBIOS Session Message.\n")); - *ignore_bytes = seg->nb_len; + if (nb_ret == DCE2_RET__IGNORE) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Valid NetBIOS header " + "type so ignoring NetBIOS length bytes.\n")); + *ignore_bytes = seg->nb_len; + } + else // nb_ret == DCE2_RET__ERROR, i.e. invalid NetBIOS type + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Not a valid NetBIOS " + "header type so trying to find \\xffSMB to " + "determine how many bytes to ignore.\n")); + + *ignore_bytes = DCE2_IgnoreJunkData(data_ptr, data_len, seg->nb_len); + } + dce2_stats.smb_ignored_bytes += *ignore_bytes; DCE2_BufferEmpty(seg->buf); continue; 
@@ -572,14 +607,14 @@ { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Seg buf len(%u) < NetBIOS SS header + SMB header(%u). " "Queueing data.\n", DCE2_BufferLength(seg->buf), smb_hdr_need)); - - status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used); + append = 1; + status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, smb_hdr_need, &data_used, append); if (status != DCE2_RET__SUCCESS) return; /* Reset nb_hdr since the seg buffer probably needed to be realloc'ed */ - nb_hdr = (NbssHdr *)DCE2_BufferData(seg->buf); + nb_hdr = (NbssHdr *)DCE2_BufferData(seg->buf); /* We've got the SMB header */ DCE2_MOVE(data_ptr, data_len, data_used); @@ -614,7 +649,7 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Seg buf len(%u) < NetBIOS SS header + seg->nb_len(%u). " "Queueing data.\n", DCE2_BufferLength(seg->buf), seg->nb_len)); - status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used); + status = DCE2_SmbHandleSegmentation(seg, data_ptr, data_len, nb_need, &data_used, append); if (status != DCE2_RET__SUCCESS) return; 
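Review bot: `append` is set to 1 in the two queueing branches earlier in this function but never reset to 0, and the call at the end of this hunk passes it through, so once either branch has run every later DCE2_SmbHandleSegmentation() call in the same invocation (the earlier hunks `continue` a loop) appends unconditionally instead of consulting DCE2_GetWriteOffset(). If the write-offset path is meant to apply to this call, set `append = 0;` at the top of each iteration or pass a literal here; if appending is always intended, pass `1` so the intent is explicit. The enclosing function starts outside the hunk, so the loop structure is inferred from the `continue` statements in the earlier hunks.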
@@ -629,6 +664,62 @@ } /******************************************************************** + * Function: DCE2_IgnoreJunkData() + * + * Purpose: + * An evasion technique can be to put a bunch of junk data before + * the actual SMB request and it seems the MS implementation has + * no problem with it and seems to just ignore the data. This + * function attempts to move past all the junk to get to the + * actual NetBIOS message request. + * + * Arguments: + * const uint8_t * - pointer to the current position in the data + * being inspected + * uint16_t - the amount of data left to look at + * uint32_t - the amount of data to ignore if there doesn't seem + * to be any junk data. Just use the length as if the bad + * NetBIOS header was good. + * + * Returns: + * uint32_t - the amount of bytes to ignore as junk. + * + ********************************************************************/ +static uint32_t DCE2_IgnoreJunkData(const uint8_t *data_ptr, uint16_t data_len, + uint32_t assumed_nb_len) +{ + const uint8_t *tmp_ptr = data_ptr; + uint32_t ignore_bytes = 0; + + /* Try to find \xffSMB and go back 8 bytes to beginning + * of what should be a Netbios header with type Session + * Message (\x00) - do appropriate buffer checks to make + * sure the index is in bounds. Ignore all intervening + * bytes */ + + while ((tmp_ptr + sizeof(uint32_t)) <= (data_ptr + data_len)) + { + if (SmbId((SmbNtHdr *)tmp_ptr) == DCE2_SMB_ID) + break; + tmp_ptr++; + } + + if ((tmp_ptr + sizeof(uint32_t)) > (data_ptr + data_len)) + { + ignore_bytes = data_len; + } + else + { + if ((tmp_ptr - sizeof(NbssHdr)) > data_ptr) + ignore_bytes = (tmp_ptr - data_ptr) - sizeof(NbssHdr); + else /* Just ignore whatever the bad NB header had as a length */ + ignore_bytes = assumed_nb_len; + } + + return ignore_bytes; +} + +/******************************************************************** * Function: * * Purpose: @@ -862,7 +953,7 @@ alert = 1; break; } - + break; case SMB_COM_LOGOFF_ANDX: 
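Review bot: `(tmp_ptr - sizeof(NbssHdr)) > data_ptr` forms a pointer before the start of the buffer whenever the SMB id is found within the first four bytes of `data_ptr`, which is undefined behaviour in C even though only the comparison result is used; compare distances instead: `if ((size_t)(tmp_ptr - data_ptr) > sizeof(NbssHdr))`. The same line uses `>` rather than `>=`, so an id found exactly sizeof(NbssHdr) bytes in falls back to `assumed_nb_len` instead of reporting zero junk — if that is deliberate (avoiding a zero ignore count that would not advance the caller), a one-line comment saying so would help the next reader. `SmbId((SmbNtHdr *)tmp_ptr)` is evaluated at every byte offset, so the read must be alignment-safe on the target platforms; presumably SmbId() copies or the struct is packed, but that is worth confirming.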
@@ -1608,7 +1699,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, +static inline DCE2_Ret DCE2_SmbCheckComSize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, const uint16_t com_len, const int smb_com) { if (nb_len < com_len) @@ -1631,7 +1722,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *ssd, const uint32_t nb_len, +static inline DCE2_Ret DCE2_SmbCheckBcc(DCE2_SmbSsnData *ssd, const uint32_t nb_len, const uint16_t bcc, const int smb_com) { if (nb_len < bcc) @@ -1654,7 +1745,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, +static inline DCE2_Ret DCE2_SmbCheckDsize(DCE2_SmbSsnData *ssd, const uint32_t nb_len, const uint16_t dsize, const uint16_t bcc, const int smb_com) { if (nb_len < dsize) @@ -1683,7 +1774,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *ssd, const uint16_t dcnt, +static inline DCE2_Ret DCE2_SmbCheckTotDcnt(DCE2_SmbSsnData *ssd, const uint16_t dcnt, const uint16_t total_dcnt, const int smb_com) { if (total_dcnt < dcnt) @@ -1717,7 +1808,7 @@ * DCE2_RET__ERROR - Offset is bad. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *ssd, const uint8_t *off_ptr, +static inline DCE2_Ret DCE2_SmbCheckOffset(DCE2_SmbSsnData *ssd, const uint8_t *off_ptr, const uint8_t *start_bound, const uint32_t length, const int smb_com) { @@ -1822,7 +1913,7 @@ else DCE2_Alert(&ssd->sd, DCE2_EVENT__SMB_BAD_NBSS_TYPE); - break; + return DCE2_RET__ERROR; } return DCE2_RET__IGNORE; 
@@ -2062,7 +2153,7 @@ is_ipc = (int)(uintptr_t)DCE2_CQueueDequeue(ssd->tc_queue); if (is_ipc != DCE2_TC__IPC) return DCE2_RET__SUCCESS; - + /* Didn't get a positive response */ if (SmbError(smb_hdr)) return DCE2_RET__SUCCESS; @@ -2096,7 +2187,7 @@ /* Have at least 4 bytes */ /* If unicode flag is set, strings, except possibly the service string - * are going to be unicode. The NT spec specifies that unicode strings + * are going to be unicode. The NT spec specifies that unicode strings * must be word aligned with respect to the beginning of the SMB and that for * type-prefixed strings (this case), the padding byte is found after the * type format byte */ @@ -2350,7 +2441,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, +static inline void DCE2_SmbInvalidShareCheck(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, const uint8_t *nb_ptr, uint32_t nb_len) { DCE2_List *share_list = DCE2_ScSmbInvalidShares(ssd->sd.sconfig); @@ -2385,7 +2476,7 @@ /* Test for share match */ for (i = 0; i < share_str_len; i++) { - /* All share strings should have been converted to upper case and + /* All share strings should have been converted to upper case and * should include null terminating bytes */ if ((nb_ptr[i] != share_str[i]) && (nb_ptr[i] != tolower((int)share_str[i]))) break; 
@@ -3000,6 +3091,27 @@ * Returns: * ********************************************************************/ +// the s_* are introduced to avoid having to make lots of changes +// to pass these values from DCE2_SmbWriteAndX() to the callers of +// DCE2_HandleSegmentation(). Should be refactored on rewrite. +static uint16_t s_remain = 0; +static uint32_t s_offset = 0; + +// if we return zero here, it means to append to the +// buffer when DCE2_BufferAddData() is called. +uint16_t DCE2_GetWriteOffset (uint32_t total, int append) +{ + // in header or segment with header + if ( append ) + return 0; + + // calc offset from remaining bytes and pdu total + if ( s_remain > 0 && total >= s_remain ) + return ((uint16_t)(total - s_remain)); + + // this is what was done originally + return 0; +} static void DCE2_SmbWriteAndX(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, const uint8_t *nb_ptr, uint32_t nb_len) { @@ -3070,8 +3182,14 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Request fid: 0x%04x\n", fid)); + s_remain = SmbLm10_WriteAndXReqRemaining((SmbLm10_WriteAndXReq *)andx); + s_offset = SmbLm10_WriteAndXReqOffset((SmbLm10_WriteAndXReq *)andx); + DCE2_WriteCoProcess(ssd, smb_hdr, fid, nb_ptr, dsize); + s_remain = 0; + s_offset = 0; + DCE2_MOVE(nb_ptr, nb_len, dsize); } else @@ -3093,7 +3211,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, +static inline DCE2_SmbPMNode * DCE2_SmbInsertPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr, DCE2_SmbFidNode *fid_node, const uint16_t total_dcnt) { DCE2_SmbPMNode *pm_node = NULL; @@ -3172,7 +3290,7 @@ } DCE2_DEBUG_CODE(DCE2_DEBUG__SMB, - if (pm_node == NULL) printf("Failed to insert pm_node\n");); + if (pm_node == NULL) printf("Failed to insert pm_node\n");); PREPROC_PROFILE_END(dce2_pstat_smb_trans); 
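Review bot: `return ((uint16_t)(total - s_remain));` truncates a uint32_t difference to 16 bits, so when `total` (the caller's `need_len`, a `uint32_t`) exceeds `s_remain` by more than 65535 the offset silently wraps to a smaller value that DCE2_HandleSegmentation() then accepts as a valid in-buffer position; the caller stores the result in a `uint32_t offset`, so returning `uint32_t` and dropping the cast fixes it without touching callers. `s_offset` is assigned in DCE2_SmbWriteAndX() but not read anywhere visible in this diff; if nothing outside it uses the value, drop the variable. DCE2_GetWriteOffset() has no prototype in the hunk and is only called from the `static inline` DCE2_SmbHandleSegmentation() in this file, so unless it is declared for another translation unit it should be `static`, which also keeps the `s_*` coupling file-local as the comment intends.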
@@ -3189,7 +3307,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *ssd, DCE2_SmbPMNode *pm_node, +static inline DCE2_Ret DCE2_SmbAddDataToPMNode(DCE2_SmbSsnData *ssd, DCE2_SmbPMNode *pm_node, const uint8_t *data_ptr, uint16_t data_len, uint16_t data_disp) { DCE2_Ret status; @@ -3223,12 +3341,12 @@ return DCE2_RET__ERROR; } - /* XXX Maybe this is alertable since this is overwriting previously written data + /* XXX Maybe this is alertable since this is overwriting previously written data * and servers don't seem to ever respond */ if (data_disp < DCE2_BufferLength(pm_node->buf)) DCE2_BufferSetLength(pm_node->buf, data_disp); - status = DCE2_BufferAddData(pm_node->buf, data_ptr, data_len, + status = DCE2_BufferAddData(pm_node->buf, data_ptr, data_len, 0, DCE2_BUFFER_MIN_ADD_FLAG__IGNORE); if (status != DCE2_RET__SUCCESS) @@ -3254,7 +3372,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) +static inline DCE2_SmbPMNode * DCE2_SmbFindPMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) { DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); DCE2_SmbPMNode *pm_node = NULL; @@ -3348,7 +3466,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) +static inline void DCE2_SmbRemovePMNode(DCE2_SmbSsnData *ssd, const SmbNtHdr *smb_hdr) { DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); uint16_t pid = SmbPid(smb_hdr); 
@@ -3812,7 +3930,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *ssd, uint16_t uid, +static inline void DCE2_SmbSetReadFidNode(DCE2_SmbSsnData *ssd, uint16_t uid, uint16_t tid, uint16_t fid, int smb_com) { if (ssd == NULL) @@ -3868,7 +3986,7 @@ * Returns: * ********************************************************************/ -static INLINE DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *ssd) +static inline DCE2_SmbFidTrackerNode * DCE2_SmbGetReadFidNode(DCE2_SmbSsnData *ssd) { DCE2_SmbFidNode *fid_node = NULL; uint16_t uid, tid, fid; @@ -4549,7 +4667,7 @@ default: break; } - + break; case SMB_COM_TREE_DIS: @@ -4721,7 +4839,7 @@ default: break; } - + break; case SMB_COM_TREE_CON: @@ -4905,7 +5023,7 @@ default: break; } - + break; case SMB_COM_TREE_CON: @@ -5087,7 +5205,7 @@ default: break; } - + break; case SMB_COM_TREE_CON: @@ -5281,7 +5399,7 @@ default: break; } - + break; case SMB_COM_TREE_CON: @@ -5445,7 +5563,7 @@ if (dsize != 0) DCE2_CoProcess(&ssd->sd, &ft_node->co_tracker, nb_ptr, dsize); - + if (!ft_node->used) ft_node->used = 1; } @@ -5614,8 +5732,8 @@ PREPROC_PROFILE_END(dce2_pstat_smb_uid); return; } - - /* Fall through for Windows 2000 since we're keeping a pipe tree for it + + /* Fall through for Windows 2000 since we're keeping a pipe tree for it * for use with a first request/write */ case DCE2_POLICY__WIN2003: @@ -5784,7 +5902,7 @@ return; } - /* Fall through for Windows 2000 since we're keeping a pipe tree for it + /* Fall through for Windows 2000 since we're keeping a pipe tree for it * for use with a first request/write */ case DCE2_POLICY__WIN2003: 
@@ -5880,7 +5998,7 @@ static void DCE2_SmbInsertFid(DCE2_SmbSsnData *ssd, const uint16_t uid, const uint16_t tid, const uint16_t fid) { - const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); + const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); DCE2_SmbUTNode *ut_node; DCE2_SmbFidTrackerNode *ft_node; PROFILE_VARS; @@ -6116,7 +6234,7 @@ static void DCE2_SmbInsertFidNode(DCE2_SmbSsnData *ssd, const uint16_t uid, const uint16_t tid, const uint16_t fid, DCE2_SmbFidTrackerNode *ft_node) { - const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); + const DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); DCE2_SmbUTNode *ut_node; DCE2_SmbFidTrackerNode *tmp_ft_node; PROFILE_VARS; @@ -6171,7 +6289,7 @@ return; } - /* Need to copy data from passed in ft node into new ft node for + /* Need to copy data from passed in ft node into new ft node for * Windows 2000 */ tmp_ft_node = (DCE2_SmbFidTrackerNode *) DCE2_Alloc(sizeof(DCE2_SmbFidTrackerNode), DCE2_MEM_TYPE__SMB_FID); @@ -6353,7 +6471,7 @@ return NULL; } - /* Just return this fid node if we're not Win2000 or we've already + /* Just return this fid node if we're not Win2000 or we've already * used this fid once */ if ((policy != DCE2_POLICY__WIN2000) || ft_node->used) { @@ -6501,7 +6619,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *ft_node) +static inline void DCE2_SmbCleanFidNode(DCE2_SmbFidTrackerNode *ft_node) { PROFILE_VARS; @@ -6533,7 +6651,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *ut_node) +static inline void DCE2_SmbCleanUTNode(DCE2_SmbUTNode *ut_node) { if (ut_node == NULL) return; 
@@ -6564,7 +6682,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *pm_node) +static inline void DCE2_SmbCleanPMNode(DCE2_SmbPMNode *pm_node) { PROFILE_VARS; @@ -6747,7 +6865,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *ssd) +static inline void DCE2_SmbResetForMissedPkts(DCE2_SmbSsnData *ssd) { if (ssd == NULL) return; @@ -8244,7 +8362,7 @@ * Function: DCE2_SmbHandleSegmentation() * * Wrapper around DCE2_HandleSegmentation() to allocate a new - * buffer object if necessary. + * buffer object if necessary. * * Arguments: * DCE2_SmbSeg * @@ -8260,6 +8378,8 @@ * Pointer to basically a return value for the amount of * data in the packet that was actually used for * desegmentation. + * int + * bool is true if we must append. * * Returns: * DCE2_Ret @@ -8272,11 +8392,14 @@ * i.e. the need length was met. * ********************************************************************/ -static INLINE DCE2_Ret DCE2_SmbHandleSegmentation(DCE2_SmbSeg *seg, const uint8_t *data_ptr, - uint16_t data_len, uint32_t need_len, uint16_t *data_used) +static inline DCE2_Ret DCE2_SmbHandleSegmentation( + DCE2_SmbSeg *seg, const uint8_t *data_ptr, + uint16_t data_len, uint32_t need_len, + uint16_t *data_used, int append) { DCE2_Ret status; PROFILE_VARS; + uint32_t offset; PREPROC_PROFILE_START(dce2_pstat_smb_seg); @@ -8301,7 +8424,10 @@ DCE2_BufferSetMinAllocSize(seg->buf, need_len); } - status = DCE2_HandleSegmentation(seg->buf, data_ptr, data_len, need_len, data_used); + offset = DCE2_GetWriteOffset(need_len, append); + + status = DCE2_HandleSegmentation( + seg->buf, data_ptr, data_len, offset, need_len, data_used); PREPROC_PROFILE_END(dce2_pstat_smb_seg); 
@@ -8322,7 +8448,7 @@ * Pointer to client or server segmenation buffer. * ********************************************************************/ -static INLINE DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *ssd) +static inline DCE2_SmbSeg * DCE2_SmbGetSegPtr(DCE2_SmbSsnData *ssd) { if (DCE2_SsnFromServer(ssd->sd.wire_pkt)) return &ssd->srv_seg; @@ -8346,7 +8472,7 @@ * Pointer to the client or server ignore bytes. * ********************************************************************/ -static INLINE uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *ssd) +static inline uint32_t * DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData *ssd) { if (DCE2_SsnFromServer(ssd->sd.wire_pkt)) return &ssd->srv_ignore_bytes; @@ -8363,7 +8489,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *ssd, const uint8_t *ptr) +static inline int DCE2_SmbIsSegBuf(DCE2_SmbSsnData *ssd, const uint8_t *ptr) { DCE2_Buffer *seg_buf; @@ -8395,7 +8521,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_SmbSegAlert(DCE2_SmbSsnData *ssd, DCE2_Event event) +static inline void DCE2_SmbSegAlert(DCE2_SmbSsnData *ssd, DCE2_Event event) { SFSnortPacket *rpkt; DCE2_Buffer *buf; @@ -8468,7 +8594,7 @@ * Returns: * ********************************************************************/ -static INLINE int DCE2_SmbIsRawData(DCE2_SmbSsnData *ssd) +static inline int DCE2_SmbIsRawData(DCE2_SmbSsnData *ssd) { if (ssd->br.smb_com == DCE2_SENTINEL) return 0; 
@@ -8564,6 +8690,7 @@ nb_len = rpkt->payload_size; dce2_stats.smb_seg_reassembled++; + DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(rpkt->payload, rpkt->payload_size);); } if (DCE2_SmbIsRawData(ssd)) diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_smb.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_smb.h 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_SMB_H_ @@ -30,7 +30,7 @@ #include "smb.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Macros @@ -99,7 +99,7 @@ int tid; DCE2_List *tids; - /* Co trackers for fids created on session using + /* Co trackers for fids created on session using * only IPC tids - specific for Samba and Win2000 */ DCE2_SmbFidTrackerNode ft_node; DCE2_List *fts; @@ -132,7 +132,7 @@ /* Client can send multiple tree connects before server responses. * Since for a Tree Connect we rely on the client to determine if * the tree will be IPC$ upon acceptance by server, we need to - * queue them up */ + * queue them up */ DCE2_CQueue *tc_queue; DCE2_SmbBlockRaw br; 
@@ -177,7 +177,7 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *); +static inline DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -202,7 +202,7 @@ * DCE2_TranType * *********************************************************************/ -static INLINE DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_SmbAutodetect(const SFSnortPacket *p) { if (p->payload_size >= sizeof(NbssHdr)) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_stats.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_stats.c 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,9 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_stats.h" #include "dce2_utils.h" #include "dce2_memory.h" 
@@ -35,7 +40,7 @@ /******************************************************************** * Private function prototypes ********************************************************************/ -static INLINE void DCE2_CreateTransStr(char **, DCE2_TransType, char *); +static inline void DCE2_CreateTransStr(char **, DCE2_TransType, char *); /******************************************************************** * Function: @@ -128,7 +133,7 @@ * Returns: * ********************************************************************/ -static INLINE void DCE2_CreateTransStr(char **trans_buf, DCE2_TransType ttype, char *trans_str) +static inline void DCE2_CreateTransStr(char **trans_buf, DCE2_TransType ttype, char *trans_str) { if ((trans_buf == NULL) || (trans_str == NULL)) return; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_stats.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_stats.h 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_stats.h 2011-02-09 15:23:15.000000000 -0800 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.c 2011-06-07 17:33:13.000000000 -0700 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,9 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_tcp.h" #include "snort_dce2.h" #include "dce2_co.h" @@ -31,7 +36,6 @@ /******************************************************************** * Extern variables ********************************************************************/ -extern DynamicPreprocessorData _dpd; extern DCE2_Stats dce2_stats; /******************************************************************** diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_tcp.h 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_TCP_H_ 
@@ -29,7 +29,7 @@ #include "dcerpc.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Structures @@ -44,7 +44,7 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *); +static inline DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -68,7 +68,7 @@ * DCE2_TranType * *********************************************************************/ -static INLINE DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_TcpAutodetect(const SFSnortPacket *p) { if (p->payload_size >= sizeof(DceRpcCoHdr)) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_udp.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_udp.c 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -17,9 +17,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "dce2_udp.h" #include "snort_dce2.h" #include "dce2_cl.h" @@ -59,7 +64,7 @@ /******************************************************************** * Function: DCE2_UdpProcess() * - * Purpose: Main entry point for DCE/RPC over UDP processing. + * Purpose: Main entry point for DCE/RPC over UDP processing. * * Arguments: * DCE2_UdpSsnData * - a pointer to the data structure associated diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_udp.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_udp.h 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_udp.h 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef _DCE2_UDP_H_ @@ -30,7 +30,7 @@ #include "dcerpc.h" #include "sf_snort_packet.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /******************************************************************** * Structures 
@@ -45,7 +45,7 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *); +static inline DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *); /******************************************************************** * Public function prototypes @@ -69,7 +69,7 @@ * DCE2_TranType * *********************************************************************/ -static INLINE DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *p) +static inline DCE2_TransType DCE2_UdpAutodetect(const SFSnortPacket *p) { if (p->payload_size >= sizeof(DceRpcClHdr)) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_utils.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.c --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_utils.c 2010-01-26 10:09:58.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -16,26 +16,27 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "dce2_utils.h" #include "dce2_debug.h" #include "dce2_config.h" #include "snort_dce2.h" #include "sf_types.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #include <stdarg.h> /******************************************************************** - * Extern variables - ********************************************************************/ -extern DynamicPreprocessorData _dpd; - -/******************************************************************** * Function: * * Purpose: @@ -80,8 +81,10 @@ * Returns: * ********************************************************************/ -DCE2_Ret DCE2_BufferAddData(DCE2_Buffer *buf, const uint8_t *data, - uint32_t data_len, DCE2_BufferMinAddFlag mflag) +DCE2_Ret DCE2_BufferAddData( + DCE2_Buffer *buf, const uint8_t *data, + uint32_t data_len, uint32_t offset, + DCE2_BufferMinAddFlag mflag) { DCE2_Ret status; @@ -92,9 +95,12 @@ if (data_len == 0) return DCE2_RET__SUCCESS; + if ( !offset ) + offset = DCE2_BufferLength(buf); + if (buf->data == NULL) { - uint32_t size = data_len; + uint32_t size = offset + data_len; if ((size < buf->min_add_size) && (mflag == DCE2_BUFFER_MIN_ADD_FLAG__USE)) size = buf->min_add_size; 
@@ -105,10 +111,10 @@ buf->size = size; } - else if ((buf->len + data_len) > buf->size) + else if ((offset + data_len) > buf->size) { uint8_t *tmp; - uint32_t new_size = buf->len + data_len; + uint32_t new_size = offset + data_len; if (((new_size - buf->size) < buf->min_add_size) && (mflag == DCE2_BUFFER_MIN_ADD_FLAG__USE)) new_size += buf->min_add_size; @@ -121,7 +127,7 @@ buf->size = new_size; } - status = DCE2_Memcpy(buf->data + buf->len, data, data_len, buf->data, buf->data + buf->size); + status = DCE2_Memcpy(buf->data + offset, data, data_len, buf->data, buf->data + buf->size); if (status != DCE2_RET__SUCCESS) { DCE2_Log(DCE2_LOG_TYPE__ERROR, @@ -129,7 +135,7 @@ return DCE2_RET__ERROR; } - buf->len += data_len; + buf->len = offset + data_len; return DCE2_RET__SUCCESS; } @@ -271,8 +277,10 @@ * Returns: * ********************************************************************/ -DCE2_Ret DCE2_HandleSegmentation(DCE2_Buffer *seg_buf, const uint8_t *data_ptr, - uint16_t data_len, uint32_t need_len, uint16_t *data_used) +DCE2_Ret DCE2_HandleSegmentation( + DCE2_Buffer *seg_buf, const uint8_t *data_ptr, + uint16_t data_len, uint32_t offset, + uint32_t need_len, uint16_t *data_used) { uint32_t copy_len; DCE2_Ret status; @@ -286,11 +294,15 @@ /* Don't need anything - call it desegmented. Really return * an error - this shouldn't happen */ - if (need_len == 0) + if (need_len == 0 ) return DCE2_RET__ERROR; + /* Need to append, instead of jump when offset is malformed*/ + if (( !offset )|| (offset > DCE2_BufferLength(seg_buf))) + offset = DCE2_BufferLength(seg_buf); + /* Already have enough data for need */ - if (DCE2_BufferLength(seg_buf) >= need_len) + if (offset >= need_len) return DCE2_RET__SUCCESS; /* No data and need length > 0 - must still be segmented */ 
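Review bot: DCE2_BufferAddData() never checks the new `offset` against `buf->len`, so an offset beyond the current length (inside `buf->size`, or in the `buf->data == NULL` branch) leaves the bytes between `buf->len` and `offset` unwritten while `buf->len = offset + data_len` makes them part of the buffer's logical content — uninitialised memory that later parsing will read. DCE2_HandleSegmentation() in the `@@ -286` hunk clamps its offset to the buffer length before calling, but that guard belongs in DCE2_BufferAddData() itself since it is the shared API: after the `!offset` substitution add `if (offset > buf->len) return DCE2_RET__ERROR;`, unless some caller not visible here relies on writing past the end. `offset + data_len` is computed in uint32_t in three places with no overflow check; the segmentation path bounds `data_len` to uint16_t, but other callers are not visible. The `!offset` sentinel for "append" also makes an explicit write at position 0 unrepresentable, so the function header should state that 0 means append.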
@@ -298,11 +310,13 @@
 return DCE2_RET__SEG;
 /* Already know that need length is greater than buffer length */
- copy_len = need_len - DCE2_BufferLength(seg_buf);
+ copy_len = need_len - offset;
 if (copy_len > data_len)
 copy_len = data_len;
- status = DCE2_BufferAddData(seg_buf, data_ptr, copy_len, DCE2_BUFFER_MIN_ADD_FLAG__USE);
+ status = DCE2_BufferAddData(
+ seg_buf, data_ptr, copy_len, offset, DCE2_BUFFER_MIN_ADD_FLAG__USE);
+
 if (status != DCE2_RET__SUCCESS)
 return DCE2_RET__ERROR;
@@ -410,7 +424,7 @@
 ********************************************************************/
 const char * DCE2_UuidToStr(const Uuid *uuid, DceRpcBoFlag byte_order)
 {
-#define UUID_BUF_SIZE 50
+#define UUID_BUF_SIZE 50
 static char uuid_buf1[UUID_BUF_SIZE];
 static char uuid_buf2[UUID_BUF_SIZE];
 static int buf_num = 0;
@@ -441,6 +455,7 @@
 return uuid_buf;
 }
+#ifdef DEBUG_MSGS
 /********************************************************************
 * Function: DCE2_PrintPktData()
 *
@@ -559,4 +574,4 @@
 printf("\n");
 }
-
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_utils.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h
--- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/dce2_utils.h 2010-06-09 15:05:13.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h 2011-06-07 17:33:13.000000000 -0700
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
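Review bot: Wrapping DCE2_PrintPktData in `#ifdef DEBUG_MSGS` (closed by the `+#endif` in the `@@ -559` hunk) makes its definition conditional, but the matching prototype in `dce2_utils.h` is not visible in this diff and may still be unconditional; if so, a non-debug build declares a function that is never defined, which only surfaces when something calls it. Guarding the prototype with the same `#ifdef DEBUG_MSGS` keeps the header consistent with the definition. The body of DCE2_PrintPktData lies outside these hunks.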
@@ -16,7 +16,7 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
- ****************************************************************************
+ ****************************************************************************
 *
 ****************************************************************************/
@@ -26,11 +26,11 @@
 #include "dce2_debug.h"
 #include "dce2_memory.h"
 #include "dcerpc.h"
-#include "sf_types.h"
+//#include "sf_types.h"
 #include "sf_snort_packet.h"
 #include "sf_dynamic_preprocessor.h"
-#include "debug.h"
-#include "bounds.h"
+//#include "snort_debug.h"
+#include "snort_bounds.h"
 /********************************************************************
 * Macros
@@ -40,9 +40,6 @@
 #define DCE2_MOVE(data_ptr, data_len, amount) \
 { data_ptr = (uint8_t *)data_ptr + (amount); data_len -= (amount); }
-#define DCE2_PKT_SIZE (ETHER_HDR_LEN + SUN_SPARC_TWIDDLE + IP_MAXPKT + VLAN_HDR_LEN)
-#define DCE2_PKTH_SIZE (sizeof(DAQ_PktHdr_t) + DCE2_PKT_SIZE)
-
 /********************************************************************
 * Enumerations
 ********************************************************************/
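Review bot: `//#include "sf_types.h"` and `//#include "snort_debug.h"` leave commented-out code in the header instead of deleting the lines; if the includes are no longer needed they should go, and if they are still satisfied through another header a one-line comment saying so is clearer than a disabled directive. Dropping `sf_types.h` also means this header now relies on its includer for `uint8_t`/`uint32_t`, which the inline prototypes further down use, so it is no longer self-contained. I would restore the `sf_types.h` include (or the project's equivalent) rather than depend on include order in every `.c` file.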
@@ -114,31 +111,35 @@ /******************************************************************** * Inline function prototypes ********************************************************************/ -static INLINE int DCE2_BufferIsEmpty(DCE2_Buffer *); -static INLINE void DCE2_BufferEmpty(DCE2_Buffer *); -static INLINE uint32_t DCE2_BufferSize(DCE2_Buffer *); -static INLINE uint32_t DCE2_BufferLength(DCE2_Buffer *); -static INLINE void DCE2_BufferSetLength(DCE2_Buffer *, uint32_t); -static INLINE uint8_t * DCE2_BufferData(DCE2_Buffer *); -static INLINE uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *); -static INLINE void DCE2_BufferSetMinAllocSize(DCE2_Buffer *, uint32_t); - -static INLINE char * DCE2_PruneWhiteSpace(char *); -static INLINE int DCE2_IsEmptyStr(char *); -static INLINE DCE2_Ret DCE2_Memcpy(void *, const void *, uint32_t, const void *, const void *); -static INLINE DCE2_Ret DCE2_Memmove(void *, const void *, uint32_t, const void *, const void *); -static INLINE int DCE2_UuidCompare(const void *, const void *); -static INLINE void DCE2_CopyUuid(Uuid *, const Uuid *, const DceRpcBoFlag); +static inline int DCE2_BufferIsEmpty(DCE2_Buffer *); +static inline void DCE2_BufferEmpty(DCE2_Buffer *); +static inline uint32_t DCE2_BufferSize(DCE2_Buffer *); +static inline uint32_t DCE2_BufferLength(DCE2_Buffer *); +static inline void DCE2_BufferSetLength(DCE2_Buffer *, uint32_t); +static inline uint8_t * DCE2_BufferData(DCE2_Buffer *); +static inline uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *); +static inline void DCE2_BufferSetMinAllocSize(DCE2_Buffer *, uint32_t); + +static inline char * DCE2_PruneWhiteSpace(char *); +static inline int DCE2_IsEmptyStr(char *); +static inline DCE2_Ret DCE2_Memcpy(void *, const void *, uint32_t, const void *, const void *); +static inline DCE2_Ret DCE2_Memmove(void *, const void *, uint32_t, const void *, const void *); +static inline int DCE2_UuidCompare(const void *, const void *); +static inline void DCE2_CopyUuid(Uuid *, const 
Uuid *, const DceRpcBoFlag); /******************************************************************** * Public function prototypes ********************************************************************/ DCE2_Buffer * DCE2_BufferNew(uint32_t, uint32_t, DCE2_MemType); -DCE2_Ret DCE2_BufferAddData(DCE2_Buffer *, const uint8_t *, uint32_t, DCE2_BufferMinAddFlag); +DCE2_Ret DCE2_BufferAddData( + DCE2_Buffer*, const uint8_t*, uint32_t len, uint32_t offset, DCE2_BufferMinAddFlag); DCE2_Ret DCE2_BufferMoveData(DCE2_Buffer *, uint32_t, const uint8_t *, uint32_t); void DCE2_BufferDestroy(DCE2_Buffer *); -DCE2_Ret DCE2_HandleSegmentation(DCE2_Buffer *, const uint8_t *, uint16_t, uint32_t, uint16_t *); +uint16_t DCE2_GetWriteOffset(uint32_t total, int header); +DCE2_Ret DCE2_HandleSegmentation( + DCE2_Buffer*, const uint8_t*, uint16_t len, uint32_t offset, + uint32_t need_len, uint16_t* copied); NORETURN void DCE2_Die(const char *, ...); void DCE2_Log(DCE2_LogType, const char *, ...); const char * DCE2_UuidToStr(const Uuid *, DceRpcBoFlag); @@ -160,7 +161,7 @@ * 0 if not considered empty * *********************************************************************/ -static INLINE int DCE2_BufferIsEmpty(DCE2_Buffer *buf) +static inline int DCE2_BufferIsEmpty(DCE2_Buffer *buf) { if (buf == NULL) return 1; if ((buf->data == NULL) || (buf->len == 0)) return 1; @@ -180,7 +181,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_BufferEmpty(DCE2_Buffer *buf) +static inline void DCE2_BufferEmpty(DCE2_Buffer *buf) { if (buf == NULL) return; buf->len = 0; @@ -201,7 +202,7 @@ * object is NULL. * *********************************************************************/ -static INLINE uint32_t DCE2_BufferSize(DCE2_Buffer *buf) +static inline uint32_t DCE2_BufferSize(DCE2_Buffer *buf) { if (buf == NULL) return 0; return buf->size; 
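Review bot: The new prototypes mix named and unnamed parameters and the names disagree with the definitions in `dce2_utils.c`: `DCE2_HandleSegmentation`'s last parameter is `copied` here but `data_used` in the definition, and `len`/`offset` are named only in the header. Keeping header and definition consistent — either all unnamed like the surrounding prototypes, or the same names as the definitions — avoids misleading readers. `uint16_t DCE2_GetWriteOffset(uint32_t total, int header);` is declared here, but none of the visible `dce2_utils.c` hunks define it; presumably it lives in another file, which is worth confirming. A one-line comment on what `offset` means for both functions, e.g. `/* offset: write position in the buffer; 0 means append */`, would help, since the two `.c` definitions treat out-of-range values differently. This hunk starts on the previous line.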
@@ -223,7 +224,7 @@ * if buffer object is NULL. * *********************************************************************/ -static INLINE uint32_t DCE2_BufferLength(DCE2_Buffer *buf) +static inline uint32_t DCE2_BufferLength(DCE2_Buffer *buf) { if (buf == NULL) return 0; return buf->len; @@ -241,7 +242,7 @@ * Returns: None * *********************************************************************/ -static INLINE void DCE2_BufferSetLength(DCE2_Buffer *buf, uint32_t len) +static inline void DCE2_BufferSetLength(DCE2_Buffer *buf, uint32_t len) { if (buf == NULL) return; if (len > buf->size) buf->len = buf->size; @@ -264,19 +265,19 @@ * buffer object is NULL. * *********************************************************************/ -static INLINE uint8_t * DCE2_BufferData(DCE2_Buffer *buf) +static inline uint8_t * DCE2_BufferData(DCE2_Buffer *buf) { if (buf == NULL) return NULL; return buf->data; } -static INLINE uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *buf) +static inline uint32_t DCE2_BufferMinAllocSize(DCE2_Buffer *buf) { if (buf == NULL) return 0; return buf->min_add_size; } -static INLINE void DCE2_BufferSetMinAllocSize(DCE2_Buffer *buf, uint32_t size) +static inline void DCE2_BufferSetMinAllocSize(DCE2_Buffer *buf, uint32_t size) { if (buf == NULL) return; buf->min_add_size = size; @@ -289,7 +290,7 @@ * Prunes whitespace surrounding string. * String must be 0 terminated. * - * Arguments: + * Arguments: * char * * NULL terminated string to prune. * int @@ -303,7 +304,7 @@ * argument are replaced by NULL bytes. * ********************************************************************/ -static INLINE char * DCE2_PruneWhiteSpace(char *str) +static inline char * DCE2_PruneWhiteSpace(char *str) { char *end; @@ -339,7 +340,7 @@ * 0 otherwise * ********************************************************************/ -static INLINE int DCE2_IsEmptyStr(char *str) +static inline int DCE2_IsEmptyStr(char *str) { char *end; 
@@ -369,7 +370,7 @@ * DCE2_RET__SUCCESS - memcpy succeeded * ********************************************************************/ -static INLINE DCE2_Ret DCE2_Memcpy(void *dst, const void *src, uint32_t len, +static inline DCE2_Ret DCE2_Memcpy(void *dst, const void *src, uint32_t len, const void *dst_start, const void *dst_end) { if (SafeMemcpy(dst, src, (size_t)len, dst_start, dst_end) != SAFEMEM_SUCCESS) @@ -390,7 +391,7 @@ * DCE2_RET__SUCCESS - memmove succeeded * ********************************************************************/ -static INLINE DCE2_Ret DCE2_Memmove(void *dst, const void *src, uint32_t len, +static inline DCE2_Ret DCE2_Memmove(void *dst, const void *src, uint32_t len, const void *dst_start, const void *dst_end) { if (SafeMemmove(dst, src, (size_t)len, dst_start, dst_end) != SAFEMEM_SUCCESS) @@ -409,7 +410,7 @@ * Returns: * *********************************************************************/ -static INLINE int DCE2_UuidCompare(const void *data1, const void *data2) +static inline int DCE2_UuidCompare(const void *data1, const void *data2) { const Uuid *uuid1 = (Uuid *)data1; const Uuid *uuid2 = (Uuid *)data2; 
@@ -438,17 +439,17 @@ * order specified. * * Arguments: - * Uuid * + * Uuid * * Pointer to uuid to copy to. - * Uuid * + * Uuid * * Pointer to uuid to copy from. - * const int + * const int * The byte order to use. * * Returns: None * *********************************************************************/ -static INLINE void DCE2_CopyUuid(Uuid *dst_uuid, const Uuid *pkt_uuid, const DceRpcBoFlag byte_order) +static inline void DCE2_CopyUuid(Uuid *dst_uuid, const Uuid *pkt_uuid, const DceRpcBoFlag byte_order) { dst_uuid->time_low = DceRpcNtohl(&pkt_uuid->time_low, byte_order); dst_uuid->time_mid = DceRpcNtohs(&pkt_uuid->time_mid, byte_order); diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h 2010-01-26 10:09:59.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * **************************************************************************** - * + * ****************************************************************************/ #ifndef DCERPC_H @@ -27,9 +27,6 @@ #include "config.h" /* For WORDS_BIGENDIAN */ #endif -#include "debug.h" /* For INLINE */ -#include "sf_types.h" - /******************************************************************** * Enumerations ********************************************************************/ 
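Review bot: Removing `#include "sf_types.h"` (together with `debug.h`) from `dcerpc.h` leaves the header depending on its includer for `uint8_t`/`uint16_t`/`uint32_t`, which every prototype below uses, so it is no longer self-contained; `smb.h` in the same diff keeps `sf_types.h` and only swaps `debug.h` for `snort_debug.h`, which is the safer pattern. Unless the include order through `dce2_utils.h` is guaranteed everywhere `dcerpc.h` is used, I would keep `#include "sf_types.h"` here. The `debug.h` removal itself is fine now that `inline` replaces the `INLINE` macro.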
@@ -72,7 +69,7 @@ } DceRpcPduType; -/* Version 4 is for Connectionless +/* Version 4 is for Connectionless * Version 5 is for Connection oriented */ typedef enum _DceRpcProtoMajorVers { @@ -473,7 +470,7 @@ typedef struct _DceRpcCoShutdown { // nothing - + } DceRpcCoShutdown; #endif 
@@ -527,52 +524,52 @@ /******************************************************************** * Inline functions prototypes ********************************************************************/ -static INLINE DceRpcBoFlag DceRpcByteOrder(const uint8_t); -static INLINE uint16_t DceRpcNtohs(const uint16_t *, const DceRpcBoFlag); -static INLINE uint16_t DceRpcHtons(const uint16_t *, const DceRpcBoFlag); -static INLINE uint32_t DceRpcNtohl(const uint32_t *, const DceRpcBoFlag); -static INLINE uint32_t DceRpcHtonl(const uint32_t *, const DceRpcBoFlag); +static inline DceRpcBoFlag DceRpcByteOrder(const uint8_t); +static inline uint16_t DceRpcNtohs(const uint16_t *, const DceRpcBoFlag); +static inline uint16_t DceRpcHtons(const uint16_t *, const DceRpcBoFlag); +static inline uint32_t DceRpcNtohl(const uint32_t *, const DceRpcBoFlag); +static inline uint32_t DceRpcHtonl(const uint32_t *, const DceRpcBoFlag); /* Connectionless */ -static INLINE uint8_t DceRpcClRpcVers(const DceRpcClHdr *); -static INLINE DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *); -static INLINE uint32_t DceRpcClIfaceVers(const DceRpcClHdr *); -static INLINE uint16_t DceRpcClOpnum(const DceRpcClHdr *); -static INLINE uint32_t DceRpcClSeqNum(const DceRpcClHdr *); -static INLINE uint16_t DceRpcClFragNum(const DceRpcClHdr *); -static INLINE int DceRpcClFragFlag(const DceRpcClHdr *); -static INLINE int DceRpcClLastFrag(const DceRpcClHdr *); -static INLINE int DceRpcClFirstFrag(const DceRpcClHdr *); -static INLINE uint16_t DceRpcClLen(const DceRpcClHdr *); -static INLINE int DceRpcClFrag(const DceRpcClHdr *); +static inline uint8_t DceRpcClRpcVers(const DceRpcClHdr *); +static inline DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *); +static inline uint32_t DceRpcClIfaceVers(const DceRpcClHdr *); +static inline uint16_t DceRpcClOpnum(const DceRpcClHdr *); +static inline uint32_t DceRpcClSeqNum(const DceRpcClHdr *); +static inline uint16_t DceRpcClFragNum(const DceRpcClHdr *); +static inline int 
DceRpcClFragFlag(const DceRpcClHdr *); +static inline int DceRpcClLastFrag(const DceRpcClHdr *); +static inline int DceRpcClFirstFrag(const DceRpcClHdr *); +static inline uint16_t DceRpcClLen(const DceRpcClHdr *); +static inline int DceRpcClFrag(const DceRpcClHdr *); /* Connection oriented */ -static INLINE uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *); -static INLINE uint8_t DceRpcCoVersMin(const DceRpcCoHdr *); -static INLINE DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *); -static INLINE int DceRpcCoFirstFrag(const DceRpcCoHdr *); -static INLINE int DceRpcCoLastFrag(const DceRpcCoHdr *); -static INLINE int DceRpcCoObjectFlag(const DceRpcCoHdr *); -static INLINE DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *); -static INLINE uint16_t DceRpcCoFragLen(const DceRpcCoHdr *); -static INLINE uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *); -static INLINE uint32_t DceRpcCoCallId(const DceRpcCoHdr *); -static INLINE uint16_t DceRpcCoCtxId(const DceRpcCoHdr *, const DceRpcCoRequest *); -static INLINE uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *, const DceRpcCoResponse *); -static INLINE uint16_t DceRpcCoOpnum(const DceRpcCoHdr *, const DceRpcCoRequest *); -static INLINE uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *, const DceRpcCoBind *); -static INLINE uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *, const DceRpcCoBindAck *); -static INLINE uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *); -static INLINE uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *, const DceRpcCoContElem *); -static INLINE uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *); -static INLINE const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *); -static INLINE uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *, const DceRpcCoContElem *); -static INLINE uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *, const DceRpcCoContElem *); -static INLINE uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *, const DceRpcCoBindAck *); -static INLINE uint8_t 
DceRpcCoContNumResults(const DceRpcCoContResultList *); -static INLINE uint16_t DceRpcCoContRes(const DceRpcCoHdr *, const DceRpcCoContResult *); -static INLINE uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *); -static INLINE uint8_t DceRpcCoAuthLevel(const DceRpcCoAuthVerifier *); +static inline uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *); +static inline uint8_t DceRpcCoVersMin(const DceRpcCoHdr *); +static inline DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *); +static inline int DceRpcCoFirstFrag(const DceRpcCoHdr *); +static inline int DceRpcCoLastFrag(const DceRpcCoHdr *); +static inline int DceRpcCoObjectFlag(const DceRpcCoHdr *); +static inline DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *); +static inline uint16_t DceRpcCoFragLen(const DceRpcCoHdr *); +static inline uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *); +static inline uint32_t DceRpcCoCallId(const DceRpcCoHdr *); +static inline uint16_t DceRpcCoCtxId(const DceRpcCoHdr *, const DceRpcCoRequest *); +static inline uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *, const DceRpcCoResponse *); +static inline uint16_t DceRpcCoOpnum(const DceRpcCoHdr *, const DceRpcCoRequest *); +static inline uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *, const DceRpcCoBind *); +static inline uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *, const DceRpcCoBindAck *); +static inline uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *); +static inline uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *, const DceRpcCoContElem *); +static inline uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *); +static inline const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *); +static inline uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *, const DceRpcCoContElem *); +static inline uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *, const DceRpcCoContElem *); +static inline uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *, const DceRpcCoBindAck *); +static inline uint8_t 
DceRpcCoContNumResults(const DceRpcCoContResultList *); +static inline uint16_t DceRpcCoContRes(const DceRpcCoHdr *, const DceRpcCoContResult *); +static inline uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *); +static inline uint8_t DceRpcCoAuthLevel(const DceRpcCoAuthVerifier *); /******************************************************************** * Function: @@ -584,7 +581,7 @@ * Returns: * ********************************************************************/ -static INLINE DceRpcBoFlag DceRpcByteOrder(const uint8_t value) +static inline DceRpcBoFlag DceRpcByteOrder(const uint8_t value) { if ((value & 0x10) >> 4) return DCERPC_BO_FLAG__LITTLE_ENDIAN; @@ -602,7 +599,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcNtohs(const uint16_t *ptr, const DceRpcBoFlag bo_flag) +static inline uint16_t DceRpcNtohs(const uint16_t *ptr, const DceRpcBoFlag bo_flag) { uint16_t value; @@ -638,7 +635,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcHtons(const uint16_t *ptr, const DceRpcBoFlag bo_flag) +static inline uint16_t DceRpcHtons(const uint16_t *ptr, const DceRpcBoFlag bo_flag) { return DceRpcNtohs(ptr, bo_flag); } @@ -653,7 +650,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t DceRpcNtohl(const uint32_t *ptr, const DceRpcBoFlag bo_flag) +static inline uint32_t DceRpcNtohl(const uint32_t *ptr, const DceRpcBoFlag bo_flag) { uint32_t value; @@ -691,7 +688,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t DceRpcHtonl(const uint32_t *ptr, const DceRpcBoFlag bo_flag) +static inline uint32_t DceRpcHtonl(const uint32_t *ptr, const DceRpcBoFlag bo_flag) { return DceRpcNtohl(ptr, bo_flag); } 
@@ -706,7 +703,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcClRpcVers(const DceRpcClHdr *cl) +static inline uint8_t DceRpcClRpcVers(const DceRpcClHdr *cl) { return cl->rpc_vers; } @@ -721,7 +718,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcClPduType(const DceRpcClHdr *cl) +static inline uint8_t DceRpcClPduType(const DceRpcClHdr *cl) { return cl->ptype; } @@ -736,7 +733,7 @@ * Returns: * ********************************************************************/ -static INLINE DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *cl) +static inline DceRpcBoFlag DceRpcClByteOrder(const DceRpcClHdr *cl) { return DceRpcByteOrder(cl->drep[0]); } @@ -751,7 +748,7 @@ * Returns: * ********************************************************************/ -static INLINE const Uuid * DceRpcClIface(const DceRpcClHdr *cl) +static inline const Uuid * DceRpcClIface(const DceRpcClHdr *cl) { return &cl->if_id; } @@ -766,7 +763,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t DceRpcClIfaceVers(const DceRpcClHdr *cl) +static inline uint32_t DceRpcClIfaceVers(const DceRpcClHdr *cl) { return DceRpcNtohl(&cl->if_vers, DceRpcClByteOrder(cl)); } @@ -781,7 +778,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcClOpnum(const DceRpcClHdr *cl) +static inline uint16_t DceRpcClOpnum(const DceRpcClHdr *cl) { return DceRpcNtohs(&cl->opnum, DceRpcClByteOrder(cl)); } @@ -796,7 +793,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t DceRpcClSeqNum(const DceRpcClHdr *cl) +static inline uint32_t DceRpcClSeqNum(const DceRpcClHdr *cl) { return DceRpcNtohl(&cl->seqnum, DceRpcClByteOrder(cl)); } 
@@ -811,7 +808,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcClFragNum(const DceRpcClHdr *cl) +static inline uint16_t DceRpcClFragNum(const DceRpcClHdr *cl) { return DceRpcNtohs(&cl->fragnum, DceRpcClByteOrder(cl)); } @@ -826,7 +823,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcClFragFlag(const DceRpcClHdr *cl) +static inline int DceRpcClFragFlag(const DceRpcClHdr *cl) { return cl->flags1 & DCERPC_CL_FLAGS1__FRAG; } @@ -841,7 +838,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcClLastFrag(const DceRpcClHdr *cl) +static inline int DceRpcClLastFrag(const DceRpcClHdr *cl) { return cl->flags1 & DCERPC_CL_FLAGS1__LASTFRAG; } @@ -856,7 +853,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcClFirstFrag(const DceRpcClHdr *cl) +static inline int DceRpcClFirstFrag(const DceRpcClHdr *cl) { return (DceRpcClFragFlag(cl) && (DceRpcClFragNum(cl) == 0)); } @@ -871,7 +868,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcClLen(const DceRpcClHdr *cl) +static inline uint16_t DceRpcClLen(const DceRpcClHdr *cl) { return DceRpcNtohs(&cl->len, DceRpcClByteOrder(cl)); } @@ -886,7 +883,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcClFrag(const DceRpcClHdr *cl) +static inline int DceRpcClFrag(const DceRpcClHdr *cl) { if (DceRpcClFragFlag(cl)) { @@ -909,7 +906,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *co) +static inline uint8_t DceRpcCoVersMaj(const DceRpcCoHdr *co) { return co->pversion.major; } 
@@ -924,7 +921,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcCoVersMin(const DceRpcCoHdr *co) +static inline uint8_t DceRpcCoVersMin(const DceRpcCoHdr *co) { return co->pversion.minor; } @@ -939,7 +936,7 @@ * Returns: * ********************************************************************/ -static INLINE DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *co) +static inline DceRpcPduType DceRpcCoPduType(const DceRpcCoHdr *co) { return (DceRpcPduType)co->ptype; } @@ -954,7 +951,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcCoFirstFrag(const DceRpcCoHdr *co) +static inline int DceRpcCoFirstFrag(const DceRpcCoHdr *co) { return co->pfc_flags & DCERPC_CO_PFC_FLAGS__FIRST_FRAG; } @@ -969,7 +966,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcCoLastFrag(const DceRpcCoHdr *co) +static inline int DceRpcCoLastFrag(const DceRpcCoHdr *co) { return co->pfc_flags & DCERPC_CO_PFC_FLAGS__LAST_FRAG; } @@ -984,7 +981,7 @@ * Returns: * ********************************************************************/ -static INLINE int DceRpcCoObjectFlag(const DceRpcCoHdr *co) +static inline int DceRpcCoObjectFlag(const DceRpcCoHdr *co) { return co->pfc_flags & DCERPC_CO_PFC_FLAGS__OBJECT_UUID; } @@ -999,7 +996,7 @@ * Returns: * ********************************************************************/ -static INLINE DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *co) +static inline DceRpcBoFlag DceRpcCoByteOrder(const DceRpcCoHdr *co) { return DceRpcByteOrder(co->packed_drep[0]); } @@ -1014,7 +1011,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoFragLen(const DceRpcCoHdr *co) +static inline uint16_t DceRpcCoFragLen(const DceRpcCoHdr *co) { return DceRpcNtohs(&co->frag_length, DceRpcCoByteOrder(co)); } 
@@ -1029,7 +1026,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *co) +static inline uint16_t DceRpcCoAuthLen(const DceRpcCoHdr *co) { return DceRpcNtohs(&co->auth_length, DceRpcCoByteOrder(co)); } @@ -1044,7 +1041,7 @@ * Returns: * ********************************************************************/ -static INLINE uint32_t DceRpcCoCallId(const DceRpcCoHdr *co) +static inline uint32_t DceRpcCoCallId(const DceRpcCoHdr *co) { return DceRpcNtohl(&co->call_id, DceRpcCoByteOrder(co)); } @@ -1059,7 +1056,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoOpnum(const DceRpcCoHdr *co, const DceRpcCoRequest *cor) +static inline uint16_t DceRpcCoOpnum(const DceRpcCoHdr *co, const DceRpcCoRequest *cor) { return DceRpcNtohs(&cor->opnum, DceRpcCoByteOrder(co)); } @@ -1074,7 +1071,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoCtxId(const DceRpcCoHdr *co, const DceRpcCoRequest *cor) +static inline uint16_t DceRpcCoCtxId(const DceRpcCoHdr *co, const DceRpcCoRequest *cor) { return DceRpcNtohs(&cor->context_id, DceRpcCoByteOrder(co)); } @@ -1089,7 +1086,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *co, const DceRpcCoResponse *cor) +static inline uint16_t DceRpcCoCtxIdResp(const DceRpcCoHdr *co, const DceRpcCoResponse *cor) { return DceRpcNtohs(&cor->context_id, DceRpcCoByteOrder(co)); } @@ -1104,7 +1101,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *co, const DceRpcCoBind *cob) +static inline uint16_t DceRpcCoBindMaxXmitFrag(const DceRpcCoHdr *co, const DceRpcCoBind *cob) { return DceRpcNtohs(&cob->max_xmit_frag, DceRpcCoByteOrder(co)); } 
@@ -1119,7 +1116,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba) +static inline uint16_t DceRpcCoBindAckMaxRecvFrag(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba) { return DceRpcNtohs(&coba->max_recv_frag, DceRpcCoByteOrder(co)); } @@ -1134,7 +1131,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *cob) +static inline uint8_t DceRpcCoNumCtxItems(const DceRpcCoBind *cob) { return cob->n_context_elem; } @@ -1149,7 +1146,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *co, const DceRpcCoContElem *coce) +static inline uint16_t DceRpcCoContElemCtxId(const DceRpcCoHdr *co, const DceRpcCoContElem *coce) { return DceRpcNtohs(&coce->p_cont_id, DceRpcCoByteOrder(co)); } @@ -1164,7 +1161,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *coce) +static inline uint8_t DceRpcCoContElemNumTransSyntaxes(const DceRpcCoContElem *coce) { return coce->n_transfer_syn; } @@ -1179,7 +1176,7 @@ * Returns: * ********************************************************************/ -static INLINE const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *coce) +static inline const Uuid * DceRpcCoContElemIface(const DceRpcCoContElem *coce) { return &coce->abstract_syntax.if_uuid; } 
@@ -1194,7 +1191,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *co, const DceRpcCoContElem *coce) +static inline uint16_t DceRpcCoContElemIfaceVersMaj(const DceRpcCoHdr *co, const DceRpcCoContElem *coce) { return (uint16_t)(DceRpcNtohl(&coce->abstract_syntax.if_version, DceRpcCoByteOrder(co)) & 0x0000ffff); } @@ -1209,7 +1206,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *co, const DceRpcCoContElem *coce) +static inline uint16_t DceRpcCoContElemIfaceVersMin(const DceRpcCoHdr *co, const DceRpcCoContElem *coce) { return (uint16_t)(DceRpcNtohl(&coce->abstract_syntax.if_version, DceRpcCoByteOrder(co)) >> 16); } @@ -1224,7 +1221,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba) +static inline uint16_t DceRpcCoSecAddrLen(const DceRpcCoHdr *co, const DceRpcCoBindAck *coba) { return DceRpcNtohs(&coba->sec_addr_len, DceRpcCoByteOrder(co)); } @@ -1239,7 +1236,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcCoContNumResults(const DceRpcCoContResultList *cocrl) +static inline uint8_t DceRpcCoContNumResults(const DceRpcCoContResultList *cocrl) { return cocrl->n_results; } @@ -1254,7 +1251,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoContRes(const DceRpcCoHdr *co, const DceRpcCoContResult *cocr) +static inline uint16_t DceRpcCoContRes(const DceRpcCoHdr *co, const DceRpcCoContResult *cocr) { return DceRpcNtohs(&cocr->result, DceRpcCoByteOrder(co)); } 
@@ -1269,7 +1266,7 @@ * Returns: * ********************************************************************/ -static INLINE uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *coav) +static inline uint16_t DceRpcCoAuthPad(const DceRpcCoAuthVerifier *coav) { return coav->auth_pad_length; } @@ -1284,7 +1281,7 @@ * Returns: * ********************************************************************/ -static INLINE uint8_t DceRpcCoAuthLevel(const DceRpcCoAuthVerifier *coav) +static inline uint8_t DceRpcCoAuthLevel(const DceRpcCoAuthVerifier *coav) { return coav->auth_level; } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/includes/smb.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/smb.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/includes/smb.h 2010-01-26 10:09:59.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/includes/smb.h 2011-06-07 17:33:13.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - **************************************************************************** + **************************************************************************** * ****************************************************************************/ @@ -27,7 +27,7 @@ #include "config.h" /* For WORDS_BIGENDIAN */ #endif -#include "debug.h" /* For INLINE */ +#include "snort_debug.h" /* For inline */ #include "sf_types.h" /******************************************************************** 
@@ -87,7 +87,7 @@
 * NULL terminated ASCII strings unless Unicode is specified
 * in the NT LM 1.0 SMB header in which case they are NULL
 * terminated unicode strings
- */
+ */
 #define SMB_FMT__DATA_BLOCK 1
 #define SMB_FMT__ASCII 4
@@ -664,13 +664,13 @@
 bit0 = 1, exclusive search bits supported */
 uint16_t smb_bcc; /* min value = 3 */
 #if 0
- uint8_t smb_nativefs[]; /* native file system for this connection */
+ uint8_t smb_nativefs[]; /* native file system for this connection */
 #endif
 } SmbLm21_TreeConnectAndXResp;
 /********************************************************************
- * Tree Disconnect :: smb_com = SMB_COM_TREE_DIS
+ * Tree Disconnect :: smb_com = SMB_COM_TREE_DIS
 *
 ********************************************************************/
 typedef struct _SmbCore_TreeDisconnectReq /* smb_wct = 0 */
@@ -1363,82 +1363,82 @@
 /********************************************************************
 * Inline functions prototypes
 ********************************************************************/
-static INLINE uint32_t NbssLen(const NbssHdr *);
-static INLINE uint8_t NbssType(const NbssHdr *);
-static INLINE uint16_t SmbNtohs(const uint16_t *);
-static INLINE uint32_t SmbNtohl(const uint32_t *);
-static INLINE uint16_t SmbHtons(const uint16_t *);
-static INLINE uint32_t SmbHtonl(const uint32_t *);
+static inline uint32_t NbssLen(const NbssHdr *);
+static inline uint8_t NbssType(const NbssHdr *);
+static inline uint16_t SmbNtohs(const uint16_t *);
+static inline uint32_t SmbNtohl(const uint32_t *);
+static inline uint16_t SmbHtons(const uint16_t *);
+static inline uint32_t SmbHtonl(const uint32_t *);
-static INLINE uint32_t SmbId(const SmbNtHdr *);
-static INLINE uint32_t SmbNtStatus(const SmbNtHdr *);
-static INLINE int SmbError(const SmbNtHdr *);
-static INLINE int SmbType(const SmbNtHdr *);
-static INLINE uint8_t SmbCom(const SmbNtHdr *);
-static INLINE int SmbUnicode(const SmbNtHdr *);
-static INLINE uint16_t SmbUid(const SmbNtHdr *);
-static INLINE uint16_t SmbTid(const SmbNtHdr *);
-static INLINE uint16_t SmbPid(const SmbNtHdr *);
-static INLINE uint16_t SmbMid(const SmbNtHdr *);
+static inline uint32_t SmbId(const SmbNtHdr *);
+static inline uint32_t SmbNtStatus(const SmbNtHdr *);
+static inline int SmbError(const SmbNtHdr *);
+static inline int SmbType(const SmbNtHdr *);
+static inline uint8_t SmbCom(const SmbNtHdr *);
+static inline int SmbUnicode(const SmbNtHdr *);
+static inline uint16_t SmbUid(const SmbNtHdr *);
+static inline uint16_t SmbTid(const SmbNtHdr *);
+static inline uint16_t SmbPid(const SmbNtHdr *);
+static inline uint16_t SmbMid(const SmbNtHdr *);
-static INLINE uint8_t SmbWct(const SmbCommon *);
-static INLINE uint16_t SmbBcc(const uint8_t *, uint16_t);
-static INLINE uint8_t SmbAndXCom2(const SmbAndXCommon *);
-static INLINE uint16_t SmbAndXOff2(const SmbAndXCommon *);
-static INLINE uint8_t SmbEmptyComWct(const SmbEmptyCom *);
-static INLINE uint16_t SmbEmptyComBcc(const SmbEmptyCom *);
+static inline uint8_t SmbWct(const SmbCommon *);
+static inline uint16_t SmbBcc(const uint8_t *, uint16_t);
+static inline uint8_t SmbAndXCom2(const SmbAndXCommon *);
+static inline uint16_t SmbAndXOff2(const SmbAndXCommon *);
+static inline uint8_t SmbEmptyComWct(const SmbEmptyCom *);
+static inline uint16_t SmbEmptyComBcc(const SmbEmptyCom *);
-static INLINE uint16_t SmbGet16(const uint8_t *);
-static INLINE uint32_t SmbGet32(const uint8_t *);
+static inline uint16_t SmbGet16(const uint8_t *);
+static inline uint32_t SmbGet32(const uint8_t *);
-static INLINE uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *);
+static inline uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *);
-static INLINE uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *);
-static INLINE uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *);
+static inline uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *);
+static inline uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *);
-static INLINE uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *);
+static inline uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *);
-static INLINE uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *);
+static inline uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *);
-static INLINE uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *);
+static inline uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *);
-static INLINE uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *);
-static INLINE uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *);
+static inline uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *);
+static inline uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *);
-static INLINE uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *);
-static INLINE uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *);
-static INLINE uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *);
+static inline uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *);
+static inline uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *);
+static inline uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *);
+static inline uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *);
+static inline uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *);
+static inline uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *);
+static inline uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *);
+static inline uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *);
-static INLINE uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *);
-static INLINE uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *);
-static INLINE uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *);
-static INLINE uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *);
+static inline uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *);
+static inline uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *);
+static inline uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *);
+static inline uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *);
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *);
+static inline uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *);
+static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *);
+static inline uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *);
+static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *);
-static INLINE uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *);
+static inline uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *);
-static INLINE uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *);
+static inline uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *);
-static INLINE uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *);
-static INLINE uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *);
-static INLINE uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *);
+static inline uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *);
+static inline uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *);
+static inline uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *);
-static INLINE uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *);
-static INLINE uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *);
-static INLINE uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *);
-static INLINE uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *);
+static inline uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *);
+static inline uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *);
+static inline uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *);
+static inline uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *);
-static INLINE uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *);
+static inline uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *);
 /********************************************************************
 * Function:
@@ -1450,7 +1450,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint32_t NbssLen(const NbssHdr *nb)
+static inline uint32_t NbssLen(const NbssHdr *nb)
 {
 /* Treat first bit of flags as the upper byte to length */
 return ((nb->flags & 0x01) << 16) | ntohs(nb->length);
@@ -1466,7 +1466,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint8_t NbssType(const NbssHdr *nb)
+static inline uint8_t NbssType(const NbssHdr *nb)
 {
 return nb->type;
 }
@@ -1481,7 +1481,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbNtohs(const uint16_t *ptr)
+static inline uint16_t SmbNtohs(const uint16_t *ptr)
 {
 uint16_t value;
@@ -1511,7 +1511,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint32_t SmbNtohl(const uint32_t *ptr)
+static inline uint32_t SmbNtohl(const uint32_t *ptr)
 {
 uint32_t value;
@@ -1543,7 +1543,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbHtons(const uint16_t *ptr)
+static inline uint16_t SmbHtons(const uint16_t *ptr)
 {
 return SmbNtohs(ptr);
 }
@@ -1558,7 +1558,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint32_t SmbHtonl(const uint32_t *ptr)
+static inline uint32_t SmbHtonl(const uint32_t *ptr)
 {
 return SmbNtohl(ptr);
 }
@@ -1573,7 +1573,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint32_t SmbId(const SmbNtHdr *hdr)
+static inline uint32_t SmbId(const SmbNtHdr *hdr)
 {
 #ifdef WORDS_MUSTALIGN
 uint8_t *idf = (uint8_t *)hdr->smb_idf;
@@ -1593,7 +1593,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint32_t SmbNtStatus(const SmbNtHdr *hdr)
+static inline uint32_t SmbNtStatus(const SmbNtHdr *hdr)
 {
 return SmbNtohl(&hdr->smb_status.smb_nt_status);
 }
@@ -1608,7 +1608,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE int SmbError(const SmbNtHdr *hdr)
+static inline int SmbError(const SmbNtHdr *hdr)
 {
 if (SmbNtohs(&hdr->smb_flg2) & SMB_FLG2__NT_CODES)
 {
@@ -1654,7 +1654,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE int SmbType(const SmbNtHdr *hdr)
+static inline int SmbType(const SmbNtHdr *hdr)
 {
 if (hdr->smb_flg & SMB_FLG__TYPE)
 return SMB_TYPE__RESPONSE;
@@ -1672,7 +1672,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint8_t SmbCom(const SmbNtHdr *hdr)
+static inline uint8_t SmbCom(const SmbNtHdr *hdr)
 {
 return hdr->smb_com;
 }
@@ -1687,7 +1687,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE int SmbUnicode(const SmbNtHdr *hdr)
+static inline int SmbUnicode(const SmbNtHdr *hdr)
 {
 return SmbNtohs(&hdr->smb_flg2) & SMB_FLG2__UNICODE;
 }
@@ -1702,7 +1702,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbUid(const SmbNtHdr *hdr)
+static inline uint16_t SmbUid(const SmbNtHdr *hdr)
 {
 return SmbNtohs(&hdr->smb_uid);
 }
@@ -1717,7 +1717,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbTid(const SmbNtHdr *hdr)
+static inline uint16_t SmbTid(const SmbNtHdr *hdr)
 {
 return SmbNtohs(&hdr->smb_tid);
 }
@@ -1732,7 +1732,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbPid(const SmbNtHdr *hdr)
+static inline uint16_t SmbPid(const SmbNtHdr *hdr)
 {
 return SmbNtohs(&hdr->smb_pid);
 }
@@ -1747,7 +1747,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbMid(const SmbNtHdr *hdr)
+static inline uint16_t SmbMid(const SmbNtHdr *hdr)
 {
 return SmbNtohs(&hdr->smb_mid);
 }
@@ -1762,7 +1762,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint8_t SmbWct(const SmbCommon *hdr)
+static inline uint8_t SmbWct(const SmbCommon *hdr)
 {
 return hdr->smb_wct;
 }
@@ -1777,7 +1777,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbBcc(const uint8_t *ptr, uint16_t com_size)
+static inline uint16_t SmbBcc(const uint8_t *ptr, uint16_t com_size)
 {
 /* com_size must be at least the size of the command encasing */
 if (com_size < sizeof(SmbEmptyCom))
@@ -1796,7 +1796,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint8_t SmbAndXCom2(const SmbAndXCommon *andx)
+static inline uint8_t SmbAndXCom2(const SmbAndXCommon *andx)
 {
 return andx->smb_com2;
 }
@@ -1811,7 +1811,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbAndXOff2(const SmbAndXCommon *andx)
+static inline uint16_t SmbAndXOff2(const SmbAndXCommon *andx)
 {
 return SmbNtohs(&andx->smb_off2);
 }
@@ -1826,7 +1826,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint8_t SmbEmptyComWct(const SmbEmptyCom *ec)
+static inline uint8_t SmbEmptyComWct(const SmbEmptyCom *ec)
 {
 return ec->smb_wct;
 }
@@ -1841,7 +1841,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbEmptyComBcc(const SmbEmptyCom *ec)
+static inline uint16_t SmbEmptyComBcc(const SmbEmptyCom *ec)
 {
 return SmbNtohs(&ec->smb_bcc);
 }
@@ -1856,7 +1856,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbGet16(const uint8_t *ptr)
+static inline uint16_t SmbGet16(const uint8_t *ptr)
 {
 return SmbNtohs((uint16_t *)ptr);
 }
@@ -1871,7 +1871,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint32_t SmbGet32(const uint8_t *ptr)
+static inline uint32_t SmbGet32(const uint8_t *ptr)
 {
 return SmbNtohl((uint32_t *)ptr);
 }
@@ -1886,7 +1886,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *tcx)
+static inline uint16_t SmbLm10_TreeConAndXReqPassLen(const SmbLm10_TreeConnectAndXReq *tcx)
 {
 return SmbNtohs(&tcx->smb_spasslen);
 }
@@ -1901,7 +1901,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *open)
+static inline uint16_t SmbCore_OpenRespFid(const SmbCore_OpenResp *open)
 {
 return SmbNtohs(&open->smb_fid);
 }
@@ -1916,7 +1916,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *openx)
+static inline uint16_t SmbLm10_OpenAndXRespFid(const SmbLm10_OpenAndXResp *openx)
 {
 return SmbNtohs(&openx->smb_fid);
 }
@@ -1931,7 +1931,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *ntx)
+static inline uint16_t SmbNt10_NtCreateAndXRespFid(const SmbNt10_NtCreateAndXResp *ntx)
 {
 return SmbNtohs(&ntx->smb_fid);
 }
@@ -1946,7 +1946,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *close)
+static inline uint16_t SmbCore_CloseReqFid(const SmbCore_CloseReq *close)
 {
 return SmbNtohs(&close->smb_fid);
 }
@@ -1961,7 +1961,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *write)
+static inline uint16_t SmbCore_WriteReqFid(const SmbCore_WriteReq *write)
 {
 return SmbNtohs(&write->smb_fid);
 }
@@ -1976,7 +1976,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *wc)
+static inline uint16_t SmbLm10_WriteAndCloseReqFid(const SmbLm10_WriteAndCloseReq6 *wc)
 {
 return SmbNtohs(&wc->smb_fid);
 }
@@ -1991,7 +1991,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *wc)
+static inline uint16_t SmbLm10_WriteAndCloseReqCount(const SmbLm10_WriteAndCloseReq6 *wc)
 {
 return SmbNtohs(&wc->smb_count);
 }
@@ -2006,7 +2006,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *writex)
+static inline uint16_t SmbLm10_WriteAndXReqFid(const SmbLm10_WriteAndXReq *writex)
 {
 return SmbNtohs(&writex->smb_fid);
 }
@@ -2021,7 +2021,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *writex)
+static inline uint16_t SmbLm10_WriteAndXReqDoff(const SmbLm10_WriteAndXReq *writex)
 {
 return SmbNtohs(&writex->smb_doff);
 }
@@ -2036,7 +2036,37 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *writex)
+static inline uint16_t SmbLm10_WriteAndXReqRemaining(const SmbLm10_WriteAndXReq *writex)
+{
+ return SmbNtohs(&writex->smb_countleft);
+}
+
+/********************************************************************
+ * Function:
+ *
+ * Purpose:
+ *
+ * Arguments:
+ *
+ * Returns:
+ *
+ ********************************************************************/
+static inline uint32_t SmbLm10_WriteAndXReqOffset(const SmbLm10_WriteAndXReq *writex)
+{
+ return SmbNtohl(&writex->smb_offset);
+}
+
+/********************************************************************
+ * Function:
+ *
+ * Purpose:
+ *
+ * Arguments:
+ *
+ * Returns:
+ *
+ ********************************************************************/
+static inline uint16_t SmbLm10_WriteAndXReqDsize(const SmbLm10_WriteAndXReq *writex)
 {
 return SmbNtohs(&writex->smb_dsize);
 }
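Review bot: The two accessors added in this hunk, SmbLm10_WriteAndXReqRemaining and SmbLm10_WriteAndXReqOffset, are introduced with the Function/Purpose/Arguments/Returns template left entirely blank, so a reader has to find the struct definition to learn that one reads smb_countleft and the other smb_offset. I would at least fill in the Purpose lines, e.g. `* Purpose: Host-order Remaining (smb_countleft) field of a WriteAndX request` and `* Purpose: Host-order low 32 bits of the Offset field of a WriteAndX request`. If SmbLm10_WriteAndXReq also carries a high-offset word for the 14-word-count form of WriteAndX (not visible in this hunk), the Offset accessor's comment should say it returns only the low 32 bits so callers do not treat the value as the full file position. The prototype list at the top of smb.h, which this patch rewrites from INLINE to inline, does not declare the two new functions; that is harmless for static inline definitions, but every other accessor in the header is listed there.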
@@ -2051,7 +2081,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeReqFunc(const SmbLm10_TransactNamedPipeReq *trans)
 {
 return SmbNtohs(&trans->smb_setup1);
 }
@@ -2067,7 +2097,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeReqFid(const SmbLm10_TransactNamedPipeReq *trans)
 {
 return SmbNtohs(&trans->smb_setup2);
 }
@@ -2082,7 +2112,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeReqDoff(const SmbLm10_TransactNamedPipeReq *trans)
 {
 return SmbNtohs(&trans->smb_dsoff);
 }
@@ -2097,7 +2127,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeReqTotalDcnt(const SmbLm10_TransactNamedPipeReq *trans)
 {
 return SmbNtohs(&trans->smb_tdscnt);
 }
@@ -2112,7 +2142,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeReqDcnt(const SmbLm10_TransactNamedPipeReq *trans)
 {
 return SmbNtohs(&trans->smb_dscnt);
 }
@@ -2127,7 +2157,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *trans)
+static inline uint16_t SmbLm10_TransactSecReqDoff(const SmbLm10_TransactionSecondaryReq *trans)
 {
 return SmbNtohs(&trans->smb_dsoff);
 }
@@ -2142,7 +2172,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *trans)
+static inline uint16_t SmbLm10_TransactSecReqTotalDcnt(const SmbLm10_TransactionSecondaryReq *trans)
 {
 return SmbNtohs(&trans->smb_tdscnt);
 }
@@ -2157,7 +2187,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *trans)
+static inline uint16_t SmbLm10_TransactSecReqDcnt(const SmbLm10_TransactionSecondaryReq *trans)
 {
 return SmbNtohs(&trans->smb_dscnt);
 }
@@ -2172,7 +2202,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *trans)
+static inline uint16_t SmbLm10_TransactSecReqTotalDdisp(const SmbLm10_TransactionSecondaryReq *trans)
 {
 return SmbNtohs(&trans->smb_dsdisp);
 }
@@ -2187,7 +2217,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeRespDoff(const SmbLm10_TransactNamedPipeResp *trans)
 {
 return SmbNtohs(&trans->smb_droff);
 }
@@ -2202,7 +2232,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDcnt(const SmbLm10_TransactNamedPipeResp *trans)
 {
 return SmbNtohs(&trans->smb_tdrcnt);
 }
@@ -2217,7 +2247,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeRespDcnt(const SmbLm10_TransactNamedPipeResp *trans)
 {
 return SmbNtohs(&trans->smb_drcnt);
 }
@@ -2232,7 +2262,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *trans)
+static inline uint16_t SmbLm10_TransactNamedPipeRespTotalDdisp(const SmbLm10_TransactNamedPipeResp *trans)
 {
 return SmbNtohs(&trans->smb_drdisp);
 }
@@ -2247,7 +2277,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *trans)
+static inline uint16_t SmbLm10_TransRespParamCnt(const SmbLm10_TransactionResp *trans)
 {
 return SmbNtohs(&trans->smb_prcnt);
 }
@@ -2262,7 +2292,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *read)
+static inline uint16_t SmbCore_ReadReqFid(const SmbCore_ReadReq *read)
 {
 return SmbNtohs(&read->smb_fid);
 }
@@ -2277,7 +2307,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *readx)
+static inline uint16_t SmbLm10_ReadAndXReqFid(const SmbLm10_ReadAndXReq *readx)
 {
 return SmbNtohs(&readx->smb_fid);
 }
@@ -2292,7 +2322,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *readx)
+static inline uint16_t SmbLm10_ReadAndXRespDoff(const SmbLm10_ReadAndXResp *readx)
 {
 return SmbNtohs(&readx->smb_doff);
 }
@@ -2307,7 +2337,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *readx)
+static inline uint16_t SmbLm10_ReadAndXRespDsize(const SmbLm10_ReadAndXResp *readx)
 {
 return SmbNtohs(&readx->smb_dsize);
 }
@@ -2322,7 +2352,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *wbr)
+static inline uint16_t SmbLm10_WriteBlockRawReqTotCount(const SmbLm10_WriteBlockRawReq *wbr)
 {
 return SmbNtohs(&wbr->smb_tcount);
 }
@@ -2337,7 +2367,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *wbr)
+static inline uint16_t SmbLm10_WriteBlockRawReqFid(const SmbLm10_WriteBlockRawReq *wbr)
 {
 return SmbNtohs(&wbr->smb_fid);
 }
@@ -2352,7 +2382,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *wbr)
+static inline uint16_t SmbLm10_WriteBlockRawReqDoff(const SmbLm10_WriteBlockRawReq *wbr)
 {
 return SmbNtohs(&wbr->smb_doff);
 }
@@ -2367,7 +2397,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *wbr)
+static inline uint16_t SmbLm10_WriteBlockRawReqDsize(const SmbLm10_WriteBlockRawReq *wbr)
 {
 return SmbNtohs(&wbr->smb_dsize);
 }
@@ -2382,7 +2412,7 @@
 * Returns:
 *
 ********************************************************************/
-static INLINE uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *rbr)
+static inline uint16_t SmbLm10_ReadBlockRawReqFid(const SmbLm10_ReadBlockRawReq *rbr)
 {
 return SmbNtohs(&rbr->smb_fid);
 }
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/Makefile.am 2010-06-09 15:05:11.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.am 2011-07-13 15:44:51.000000000 -0700
@@ -1,27 +1,23 @@
 ## $Id
 AUTOMAKE_OPTIONS=foreign no-dependencies
-INCLUDES = -I../include -I$(srcdir)/includes
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
 libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
 lib_LTLIBRARIES = libsf_dce2_preproc.la
 libsf_dce2_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
-
-BUILT_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sf_ip.c \
-sfrt.c \
-sfrt_dir.c \
-sfPolicyUserData.c
-
+if SO_WITH_STATIC_LIB
+libsf_dce2_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
 nodist_libsf_dce2_preproc_la_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sf_ip.c \
-sfrt.c \
-sfrt_dir.c \
-sfPolicyUserData.c
+../include/sf_dynamic_preproc_lib.c \
+../include/sf_ip.c \
+../include/sfrt.c \
+../include/sfrt_dir.c \
+../include/sfPolicyUserData.c
+endif
 libsf_dce2_preproc_la_SOURCES = \
 includes/dcerpc.h \
@@ -59,28 +55,12 @@
 dce2_cl.h \
 dce2_http.c \
 dce2_http.h \
-sf_preproc_info.h
+dce2_paf.c \
+dce2_paf.h
 EXTRA_DIST = \
 sf_dce2.dsp
-sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c
- cp $? $@
-
-sf_ip.c: ../include/sf_ip.c
- cp $? $@
-
-sfrt.c: ../include/sfrt.c
- cp $? $@
-
-sfrt_dir.c: ../include/sfrt_dir.c
- cp $? $@
-
-sfPolicyUserData.c: ../include/sfPolicyUserData.c
- cp $? $@
-
 all-local: $(LTLIBRARIES)
 $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
-clean-local:
- rm -f *~ sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.in
--- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/Makefile.in 2010-10-08 02:56:53.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/Makefile.in 2011-12-07 11:23:19.000000000 -0800
@@ -68,14 +68,17 @@
 sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(libdir)"
 LTLIBRARIES = $(lib_LTLIBRARIES)
-libsf_dce2_preproc_la_LIBADD =
+@SO_WITH_STATIC_LIB_TRUE@libsf_dce2_preproc_la_DEPENDENCIES = \
+@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la
 am_libsf_dce2_preproc_la_OBJECTS = dce2_debug.lo dce2_utils.lo \
 dce2_list.lo dce2_memory.lo dce2_stats.lo dce2_event.lo \
 dce2_config.lo dce2_roptions.lo spp_dce2.lo snort_dce2.lo \
 dce2_smb.lo dce2_tcp.lo dce2_co.lo dce2_udp.lo dce2_cl.lo \
- dce2_http.lo
-nodist_libsf_dce2_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \
- sf_ip.lo sfrt.lo sfrt_dir.lo sfPolicyUserData.lo
+ dce2_http.lo dce2_paf.lo
+@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dce2_preproc_la_OBJECTS = \
+@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \
+@SO_WITH_STATIC_LIB_FALSE@ sfrt.lo sfrt_dir.lo \
+@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo
 libsf_dce2_preproc_la_OBJECTS = $(am_libsf_dce2_preproc_la_OBJECTS) \
 $(nodist_libsf_dce2_preproc_la_OBJECTS)
 libsf_dce2_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
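Review bot: Dropping sf_preproc_info.h from libsf_dce2_preproc_la_SOURCES is only safe if that header was deleted from this directory in the same release, and nothing in the hunk shows that. If the file still exists and is still pulled in by sf_dynamic_preproc_lib.c, which this patch now compiles straight from ../include instead of a local copy, it would compile from the source tree but be left out of `make dist` because it is no longer listed anywhere; the fix would be to keep it in the list or add `sf_preproc_info.h` next to `sf_dce2.dsp` under EXTRA_DIST. Removing the `cp` rules and clean-local together with BUILT_SOURCES is consistent, since nothing is generated into this directory any more.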
@@ -108,7 +111,9 @@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
+CCONFIGFLAGS = @CCONFIGFLAGS@
 CFLAGS = @CFLAGS@
+CONFIGFLAGS = @CONFIGFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -123,7 +128,8 @@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
-INCLUDES = -I../include -I$(srcdir)/includes
+ICONFIGFLAGS = @ICONFIGFLAGS@
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -159,13 +165,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
@@ -226,19 +238,13 @@
 AUTOMAKE_OPTIONS = foreign no-dependencies
 lib_LTLIBRARIES = libsf_dce2_preproc.la
 libsf_dce2_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
-BUILT_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sf_ip.c \
-sfrt.c \
-sfrt_dir.c \
-sfPolicyUserData.c
-
-nodist_libsf_dce2_preproc_la_SOURCES = \
-sf_dynamic_preproc_lib.c \
-sf_ip.c \
-sfrt.c \
-sfrt_dir.c \
-sfPolicyUserData.c
+@SO_WITH_STATIC_LIB_TRUE@libsf_dce2_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dce2_preproc_la_SOURCES = \
+@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \
+@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \
+@SO_WITH_STATIC_LIB_FALSE@../include/sfrt.c \
+@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_dir.c \
+@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c
 libsf_dce2_preproc_la_SOURCES = \
 includes/dcerpc.h \
@@ -276,13 +282,13 @@
 dce2_cl.h \
 dce2_http.c \
 dce2_http.h \
-sf_preproc_info.h
+dce2_paf.c \
+dce2_paf.h
 EXTRA_DIST = \
 sf_dce2.dsp
-all: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) all-am
+all: all-am
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -365,6 +371,21 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfrt.lo: ../include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt.lo `test -f '../include/sfrt.c' || echo '$(srcdir)/'`../include/sfrt.c + +sfrt_dir.lo: ../include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_dir.lo `test -f '../include/sfrt_dir.c' || echo '$(srcdir)/'`../include/sfrt_dir.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -454,15 +475,13 @@ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -487,10 +506,9 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -557,11 +575,11 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ 
@@ -574,27 +592,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f *~ sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib 
comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_dce2 - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD 
LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dce2 - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_dce2___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /FR /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dce2 - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_dce2___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /FR /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I ".\includes" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I ".\includes" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib 
odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ENDIF @@ -188,6 +188,10 @@ # End Source File # Begin Source File +SOURCE=.\dce2_paf.c +# End Source File +# Begin Source File + SOURCE=.\dce2_roptions.c # End Source File # Begin Source File @@ -288,6 +292,10 @@ # End Source File # Begin Source File +SOURCE=.\dce2_paf.h +# End Source File +# Begin Source File + SOURCE=.\dce2_roptions.h # End Source File # Begin Source File diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h 2010-01-26 10:09:59.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,42 +0,0 @@
-/****************************************************************************
- * Copyright (C) 2006-2010 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- ****************************************************************************
- * Description:
- *
- * Standard dynamic preprocessor include file.
- *
- ****************************************************************************/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 0
-#define BUILD_VERSION 3
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_DCERPC2 (IPV6)"
-#else
-#define PREPROC_NAME "SF_DCERPC2"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP DCE2_RegisterPreprocessor
-extern void DCE2_RegisterPreprocessor(void);
-
-#endif /* SF_PREPROC_INFO_H */
-
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/snort_dce2.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c
--- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/snort_dce2.c 2010-06-09 15:05:13.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c 2011-10-26 11:28:52.000000000 -0700
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -17,10 +17,15 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************
- *
+ *
 ****************************************************************************/
 #include <daq.h>
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
 #include "snort_dce2.h"
 #include "dce2_config.h"
 #include "dce2_utils.h"
@@ -57,7 +62,6 @@
 /********************************************************************
 * Extern variables
 ********************************************************************/
-extern DynamicPreprocessorData _dpd;
 extern DCE2_MemState dce2_mem_state;
 extern DCE2_Stats dce2_stats;
@@ -136,7 +140,7 @@
 case DCE2_TRANS_TYPE__NONE:
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not configured to look at this traffic "
- "or unable to autodetect - not inspecting.\n"));
+ "or unable to autodetect - not inspecting.\n"));
 return NULL;
 default:
@@ -189,12 +193,34 @@
 if (!DCE2_SsnIsRebuilt(p))
 {
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet - flushing.\n"));
- DCE2_SsnFlush(p);
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet.\n"));
 if (DCE2_SsnIsStreamInsert(p))
 {
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
+#if 0
+#ifdef ENABLE_PAF
+ if (!_dpd.isPafEnabled())
+#endif
+ {
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n"));
+ //DCE2_SsnFlush(p); // No need to flush since this is first data packet?
+ }
+#endif
+
+#ifdef ENABLE_PAF
+ if (!_dpd.isPafEnabled() || !PacketHasFullPDU(p))
+#endif
+ {
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
+ return NULL;
+ }
+ }
+ else if ((DCE2_SsnFromClient(p) && (rs_dir == SSN_DIR_SERVER))
+ || (DCE2_SsnFromServer(p) && (rs_dir == SSN_DIR_CLIENT))
+ || (rs_dir == SSN_DIR_BOTH))
+ {
+ /* Reassembly was already set for this session, but stream
+ * decided not to use the packet so it's probably not good */
 return NULL;
 }
 }
@@ -251,15 +277,26 @@
 }
 else if (IsTCP(p) && !DCE2_SsnIsRebuilt(p))
 {
-
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet - flushing opposite direction.\n"));
- DCE2_SsnFlush(p);
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet\n"));
 if (DCE2_SsnIsStreamInsert(p))
 {
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
- PREPROC_PROFILE_END(dce2_pstat_session);
- return DCE2_RET__NOT_INSPECTED;
+#ifdef ENABLE_PAF
+ if (!_dpd.isPafEnabled())
+#endif
+ {
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n"));
+ DCE2_SsnFlush(p);
+ }
+
+#ifdef ENABLE_PAF
+ if (!_dpd.isPafEnabled() || !PacketHasFullPDU(p))
+#endif
+ {
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
+ PREPROC_PROFILE_END(dce2_pstat_session);
+ return DCE2_RET__NOT_INSPECTED;
+ }
 }
 else
 {
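Review bot: The `#if 0 … #endif` block added in the stream-insert branch of the `@@ -189` hunk, which carries a commented-out `//DCE2_SsnFlush(p); // No need to flush since this is first data packet?`, is dead code shipped with an open question; either delete it or settle the question and record the answer in a comment such as `/* No flush here: this is the first data packet of the session. */`. The new `else if` branch tests `rs_dir`, whose assignment is not in this hunk (the enclosing function starts outside it), so please confirm it is set on every path that reaches this point. The `@@ -251` hunk keeps an active `DCE2_SsnFlush(p)` in the same non-rebuilt/stream-inserted situation; a one-line comment on why the two paths differ would spare the next reader a comparison.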
@@ -304,7 +341,7 @@
 return DCE2_RET__NOT_INSPECTED;
 }
- p->flags |= FLAG_DCE_PKT;
+ p->flags |= FLAG_ALLOW_MULTIPLE_DETECT;
 dce2_detected = 0;
 PREPROC_PROFILE_END(dce2_pstat_session);
@@ -336,10 +373,14 @@
 if (!dce2_detected) DCE2_Detect(sd);
+ DCE2_ResetRopts(&sd->ropts);
 DCE2_PopPkt();
 if (dce2_mem_state == DCE2_MEM_STATE__MEMCAP)
+ {
 DCE2_SetNoInspect(sd);
+ dce2_mem_state = DCE2_MEM_STATE__OKAY;
+ }
 if (DCE2_SsnAutodetected(sd)) return DCE2_RET__NOT_INSPECTED;
@@ -412,6 +453,9 @@
 if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd))
 {
+#if 0
+ // This code should be obsoleted by the junk data check in dce2_smb.c
+ /* Check to make sure we can continue processing */
 if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS)
 {
@@ -427,6 +471,7 @@
 return DCE2_RET__NOT_INSPECTED;
 }
+#endif
 DCE2_SsnSetSeenClient(sd);
@@ -438,6 +483,9 @@
 }
 else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd))
 {
+#if 0
+ // This code should be obsoleted by the junk data check in dce2_smb.c
+ /* Check to make sure we can continue processing */
 if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS)
 {
@@ -453,6 +501,7 @@
 return DCE2_RET__NOT_INSPECTED;
 }
+#endif
 DCE2_SsnSetSeenServer(sd);
@@ -478,6 +527,8 @@
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, next seq: %u\n", sd->cli_seq, sd->cli_nseq));
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n",
+ pkt_seq, pkt_seq + p->payload_size));
 }
 else
 {
@@ -488,6 +539,8 @@
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, next seq: %u\n", sd->srv_seq, sd->srv_nseq));
+ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n",
+ pkt_seq, pkt_seq + p->payload_size));
 }
 *overlap_bytes = 0;
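Review bot: The `#if 0` guards in the `@@ -412` and `@@ -438` hunks switch off `DCE2_ConfirmTransport()` for the first packet seen from each side on the strength of a comment that the check "should be obsoleted" by a junk-data check in dce2_smb.c; if that replacement is known to be in place the disabled code should be removed outright rather than kept under `#if 0`, and if it is not, the first packet in each direction is now inspected without transport confirmation. A comment naming the replacing check, e.g. `/* Transport confirmation is done by the junk-data check in dce2_smb.c */`, would let a reader verify the claim. In the `@@ -336` hunk the reset `dce2_mem_state = DCE2_MEM_STATE__OKAY;` directly after `DCE2_SetNoInspect(sd)` deserves a why-comment, since the enclosing function starts outside the hunk and it is not obvious why a memcap condition is cleared per session.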
@@ -508,26 +561,29 @@
 * reassembly on both sides and not looking at non-reassembled packets
 * Actually this can happen if the stream seg list is empty */
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, next seq: %u\n",
- pkt_seq, pkt_seq + p->payload_size));
+ pkt_seq, pkt_seq + p->payload_size));
 if (DCE2_SsnMissedPkts(sd)) DCE2_SsnClearMissedPkts(sd);
 /* Do what we can and take the difference and only inspect what we
 * haven't already inspected */
- if ((pkt_seq + p->payload_size) > *ssn_nseq)
+ if ((pkt_seq + p->payload_size) > *ssn_nseq
+ || (pkt_seq + p->payload_size < pkt_seq))
 {
 *overlap_bytes = (uint16_t)(*ssn_nseq - pkt_seq);
 dce2_stats.overlapped_bytes += *overlap_bytes;
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
- "Setting overlap bytes: %u\n", *overlap_bytes));
+ "Setting overlap bytes: %u\n", *overlap_bytes));
 }
 else
 {
 return DCE2_RET__NOT_INSPECTED;
 }
 }
+
+ DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(p->payload, p->payload_size););
 }
 else if (DCE2_SsnMissedPkts(sd))
 {
@@ -545,14 +601,10 @@
 if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS)
 {
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - "
- "not inspecting\n"));
-
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n"
- "Setting current and next to the same thing, since we're "
- "not inspecting this packet.\n", sd->cli_seq, sd->cli_nseq));
+ "not inspecting\n"));
 *ssn_seq = pkt_seq;
- *ssn_nseq = pkt_seq;
+ *ssn_nseq = pkt_seq + p->payload_size;
 return DCE2_RET__NOT_INSPECTED;
 }
@@ -566,9 +618,6 @@
 *ssn_seq = pkt_seq;
 *ssn_nseq = pkt_seq + p->payload_size;
-
- DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n",
- *ssn_seq, *ssn_nseq));
 }
 return DCE2_RET__SUCCESS;
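Review bot: In the `@@ -508` hunk the added wrap test `(pkt_seq + p->payload_size < pkt_seq)` lets the overlap path run when the 32-bit sequence space wraps, but `*overlap_bytes = (uint16_t)(*ssn_nseq - pkt_seq);` then truncates a 32-bit difference to 16 bits and nothing bounds it by the payload length, so in the wrap case the value can exceed `p->payload_size` depending on how `*ssn_nseq` relates to `pkt_seq` (the earlier comparison is in the enclosing function, outside this hunk). Taking the difference in full width and rejecting the packet when it is not smaller than the payload keeps later offset arithmetic in range: `uint32_t diff = *ssn_nseq - pkt_seq; if (diff >= p->payload_size) return DCE2_RET__NOT_INSPECTED; *overlap_bytes = (uint16_t)diff;`. A comment stating the invariant the subtraction relies on (`*ssn_nseq` ahead of `pkt_seq` by less than one payload) would make the cast reviewable.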
@@ -593,7 +642,7 @@
 *
 * Returns:
 * DCE2_TransType
- * DCE2_TRANS_TYPE__NONE if a transport could not be
+ * DCE2_TRANS_TYPE__NONE if a transport could not be
 * determined or target based labeled the session as
 * traffic we are not interested in.
 * DCE2_TRANS_TYPE__SMB if the traffic is determined to be
@@ -893,7 +942,7 @@
 * Arguments:
 * SFSnortPacket * - pointer to packet off wire
 * const uint8_t * - pointer to data to attach to reassembly packet
- * uint16_t - length of data
+ * uint16_t - length of data
 *
 * Returns:
 * SFSnortPacket * - pointer to reassembly packet
@@ -907,15 +956,13 @@
 SFSnortPacket *rpkt;
 uint16_t payload_len = 0;
 uint16_t data_overhead = 0;
- int rpkt_flag;
 rpkt = dce2_rpkt[rpkt_type];
- _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt);
 switch (rpkt_type)
 {
 case DCE2_RPKT_TYPE__SMB_SEG:
- rpkt_flag = FLAG_SMB_SEG;
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_SEG);
 break;
 case DCE2_RPKT_TYPE__SMB_TRANS:
@@ -924,13 +971,15 @@
 // Better still pass in rpkt and let the init function update
 // payload, etc. Also, some memsets could probably be avoided
 // by explicitly setting the unitialized header fields.
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_SMB_TRANS);
 data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
 memset((void*)rpkt->payload, 0, data_overhead);
 DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_CLIENT);
- rpkt_flag = FLAG_SMB_TRANS;
 break;
 case DCE2_RPKT_TYPE__SMB_CO_SEG:
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG);
+
 if (DCE2_SsnFromClient(wire_pkt))
 {
 data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
@@ -943,10 +992,11 @@
 memset((void*)rpkt->payload, 0, data_overhead);
 DCE2_SmbInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER);
 }
- rpkt_flag = FLAG_DCE_SEG;
 break;
 case DCE2_RPKT_TYPE__SMB_CO_FRAG:
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG);
+
 if (DCE2_SsnFromClient(wire_pkt))
 {
 data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI;
@@ -963,14 +1013,15 @@
 DCE2_CoInitRdata((uint8_t *)rpkt->payload + DCE2_MOCK_HDR_LEN__SMB_SRV, FLAG_FROM_SERVER);
 }
- rpkt_flag = FLAG_DCE_FRAG;
 break;
 case DCE2_RPKT_TYPE__TCP_CO_SEG:
- rpkt_flag = FLAG_DCE_SEG;
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_SEG);
 break;
 case DCE2_RPKT_TYPE__TCP_CO_FRAG:
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG);
+
 if (DCE2_SsnFromClient(wire_pkt))
 {
 data_overhead = DCE2_MOCK_HDR_LEN__CO_CLI;
@@ -983,14 +1034,13 @@
 memset((void*)rpkt->payload, 0, data_overhead);
 DCE2_CoInitRdata((uint8_t *)rpkt->payload, FLAG_FROM_SERVER);
 }
- rpkt_flag = FLAG_DCE_FRAG;
 break;
 case DCE2_RPKT_TYPE__UDP_CL_FRAG:
+ _dpd.encodeFormat(ENC_DYN_FWD, wire_pkt, rpkt, PSEUDO_PKT_DCE_FRAG);
 data_overhead = DCE2_MOCK_HDR_LEN__CL;
 memset((void*)rpkt->payload, 0, data_overhead);
 DCE2_ClInitRdata((uint8_t *)rpkt->payload);
- rpkt_flag = FLAG_DCE_FRAG;
 break;
 default:
@@ -1023,7 +1073,7 @@
 #ifdef SUP_IP6
 if (wire_pkt->family == AF_INET)
- {
+ {
 rpkt->ip4h->ip_len = rpkt->ip4_header->data_length;
 }
 else
@@ -1033,12 +1083,11 @@
 }
 #endif
- rpkt->flags = FLAG_STREAM_EST;
+ rpkt->flags |= (FLAG_STREAM_EST | FLAG_ALLOW_MULTIPLE_DETECT);
 if (DCE2_SsnFromClient(wire_pkt)) rpkt->flags |= FLAG_FROM_CLIENT; else rpkt->flags |= FLAG_FROM_SERVER;
- rpkt->flags |= (rpkt_flag | FLAG_DCE_PKT);
 rpkt->stream_session_ptr = wire_pkt->stream_session_ptr;
 return rpkt;
@@ -1130,7 +1179,7 @@
 #ifdef SUP_IP6
 if (rpkt->family == AF_INET)
- {
+ {
 rpkt->ip4h->ip_len = rpkt->ip4_header->data_length;
 }
 else
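Review bot: In the `@@ -1033` hunk `rpkt->flags |= (FLAG_STREAM_EST | FLAG_ALLOW_MULTIPLE_DETECT);` replaces a plain assignment, and `rpkt` is a reused slot (`rpkt = dce2_rpkt[rpkt_type];` in the `@@ -907` hunk), so flag bits left by the previous packet that used the slot now survive unless `_dpd.encodeFormat()` clears `flags`, which this diff does not show; in particular a packet from the client followed by one from the server would end up with both `FLAG_FROM_CLIENT` and `FLAG_FROM_SERVER` set. If encodeFormat does not reset the field, restore the assignment, `rpkt->flags = FLAG_STREAM_EST | FLAG_ALLOW_MULTIPLE_DETECT;`, or clear the direction bits before or-ing them. Separately, since `_dpd.encodeFormat()` is now called per `case`, the `default:` branch of the `@@ -983` hunk reaches the flag setup with an unformatted packet unless it returns early; its body is outside the hunk, so please confirm, and a comment such as `/* every case above must call _dpd.encodeFormat() before break */` at the top of the switch would document the new invariant.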
@@ -1330,10 +1379,10 @@
 * Purpose:
 *
 * Arguments:
- *
+ *
 * Returns:
 *
- ******************************************************************/
+ ******************************************************************/
 void DCE2_FreeGlobals(void)
 {
 int i;
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/snort_dce2.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h
--- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/snort_dce2.h 2010-06-09 15:05:13.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h 2011-06-07 17:33:13.000000000 -0700
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -17,7 +17,7 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************
- *
+ *
 ****************************************************************************/
 #ifndef _SNORT_DCE2_H_
@@ -27,7 +27,7 @@
 #include "dce2_session.h"
 #include "sf_snort_packet.h"
 #include "sf_types.h"
-#include "debug.h"
+#include "snort_debug.h"
 /********************************************************************
 * Macros
@@ -78,8 +78,8 @@
 /********************************************************************
 * Inline function prototypes
 ********************************************************************/
-static INLINE void DCE2_ResetRopts(DCE2_Roptions *);
-static INLINE void DCE2_DisableDetect(SFSnortPacket *);
+static inline void DCE2_ResetRopts(DCE2_Roptions *);
+static inline void DCE2_DisableDetect(SFSnortPacket *);
 /********************************************************************
 * Function:
@@ -91,7 +91,7 @@
 * Returns: None
 *
 ********************************************************************/
-static INLINE void DCE2_ResetRopts(DCE2_Roptions *ropts)
+static inline void DCE2_ResetRopts(DCE2_Roptions *ropts)
 {
 ropts->first_frag = DCE2_SENTINEL;
 ropts->opnum = DCE2_SENTINEL;
@@ -110,7 +110,7 @@
 * Returns:
 *
 *********************************************************************/
-static INLINE void DCE2_DisableDetect(SFSnortPacket *p)
+static inline void DCE2_DisableDetect(SFSnortPacket *p)
 {
 _dpd.disableAllDetect(p);
 _dpd.setPreprocBit(p, PP_SFPORTSCAN);
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/spp_dce2.c snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.c
--- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/spp_dce2.c 2010-06-09 15:05:13.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.c 2011-11-21 12:15:24.000000000 -0800
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -17,10 +17,16 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************
- *
+ *
 ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
 #include "spp_dce2.h"
+#include "sf_preproc_info.h"
 #include "dce2_memory.h"
 #include "dce2_list.h"
 #include "dce2_utils.h"
@@ -28,6 +34,7 @@
 #include "dce2_roptions.h"
 #include "dce2_stats.h"
 #include "dce2_event.h"
+#include "dce2_paf.h"
 #include "snort_dce2.h"
 #include "preprocids.h"
 #include "profiler.h"
@@ -75,10 +82,20 @@
 extern DCE2_Stats dce2_stats;
 extern DCE2_Memory dce2_memory;
 extern char **dce2_trans_strs;
-extern DynamicPreprocessorData _dpd;
 extern DCE2_CStack *dce2_pkt_stack;
 extern DCE2_ProtoIds dce2_proto_ids;
+const int MAJOR_VERSION = 1;
+const int MINOR_VERSION = 0;
+const int BUILD_VERSION = 3;
+#ifdef SUP_IP6
+const char *PREPROC_NAME = "SF_DCERPC2 (IPV6)";
+#else
+const char *PREPROC_NAME = "SF_DCERPC2";
+#endif
+
+#define DCE2_RegisterPreprocessor DYNAMIC_PREPROC_SETUP
+
 /********************************************************************
 * Macros
 ********************************************************************/
@@ -123,6 +140,11 @@
 static void DCE2_ReloadSwapFree(void *);
 #endif
+#ifdef ENABLE_PAF
+static void DCE2_AddPortsToPaf(DCE2_Config *, tSfPolicyId);
+static void DCE2_ScAddPortsToPaf(void *);
+#endif
+
 /********************************************************************
 * Function: DCE2_RegisterPreprocessor()
 *
@@ -162,6 +184,13 @@
 DCE2_Config *pDefaultPolicyConfig = NULL;
 DCE2_Config *pCurrentPolicyConfig = NULL;
+ if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5))
+ {
+ DCE2_Die("%s(%d) \"%s\" configuration: "
+ "Stream5 must be enabled with TCP and UDP tracking.",
+ *_dpd.config_file, *_dpd.config_line, DCE2_GNAME);
+ }
+
 if (dce2_config == NULL)
 {
 dce2_config = sfPolicyConfigCreate();
@@ -177,7 +206,7 @@
 DCE2_EventsInit();
 /* Initialize reassembly packet */
- DCE2_InitRpkts();
+ DCE2_InitRpkts();
 _dpd.addPreprocConfCheck(DCE2_CheckConfig);
 _dpd.registerPreprocStats(DCE2_GNAME, DCE2_PrintStats);
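Review bot: The Stream5 version check added at the top of the `@@ -162` hunk is repeated verbatim in the reload path (the `@@ -1270` hunk of this file); a single `static void DCE2_RequireStream5(void)` helper called from both places would keep the message and `STREAM_API_VERSION5` in one spot. The new file-scope `const int MAJOR_VERSION` / `const char *PREPROC_NAME` definitions in the `@@ -75` hunk have external linkage, presumably to match declarations in the now-included sf_preproc_info.h; a comment such as `/* Plugin identity exported to the loader; declared in sf_preproc_info.h */` would explain why they are not static. The `#define DCE2_RegisterPreprocessor DYNAMIC_PREPROC_SETUP` that follows also merits a one-line note saying it renames the entry point the loader looks up.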
@@ -250,15 +279,9 @@
 if ( pCurrentPolicyConfig->gconfig->disabled ) return;
- if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5))
- {
- DCE2_Die("%s(%d) \"%s\" configuration: "
- "Stream5 must be enabled with TCP and UDP tracking.",
- *_dpd.config_file, *_dpd.config_line, DCE2_GNAME);
- }
 /* Register callbacks */
- _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION,
+ _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION,
 PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP);
 #ifdef TARGET_BASED
@@ -302,7 +325,7 @@
 static int DCE2_CheckConfigPolicy(
 tSfPolicyUserContextId config,
- tSfPolicyId policyId,
+ tSfPolicyId policyId,
 void* pData
 )
 {
@@ -331,6 +354,8 @@
 DCE2_ScCheckTransports(pPolicyConfig);
 }
+ DCE2_AddPortsToPaf(pPolicyConfig, policyId);
+
 /* Register routing table memory */
 if (pPolicyConfig->sconfigs != NULL) DCE2_RegMem(sfrt_usage(pPolicyConfig->sconfigs), DCE2_MEM_TYPE__RT);
@@ -360,7 +385,7 @@
 *
 * Arguments:
 * void * - pointer to packet structure
- void * - pointer to context
+ void * - pointer to context
 *
 * Returns: None
 *
@@ -374,7 +399,7 @@
 sfPolicyUserPolicySet (dce2_config, _dpd.getRuntimePolicy());
-#ifdef DEBUG
+#ifdef DEBUG_MSGS
 if (DCE2_SsnFromServer(p))
 {
 DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from server.\n"));
@@ -438,10 +463,10 @@
 *
 * Arguments:
 * int - whether Snort is exiting or not
-
+
 * Returns: None
 *
- ******************************************************************/
+ ******************************************************************/
 static void DCE2_PrintStats(int exiting)
 {
 _dpd.logMsg("dcerpc2 Preprocessor Statistics\n");
@@ -976,7 +1001,7 @@
 _dpd.logMsg(" SMB other command responses: "STDu64"\n", dce2_stats.smb_other_resp);
 }
-#ifdef DEBUG
+#ifdef DEBUG_MSGS
 _dpd.logMsg(" Memory stats (bytes)\n");
 _dpd.logMsg(" Current total: %u\n", dce2_memory.smb_total);
 _dpd.logMsg(" Maximum total: %u\n", dce2_memory.smb_total_max);
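Review bot: `DCE2_AddPortsToPaf(pPolicyConfig, policyId);` in the `@@ -331` hunk is called unconditionally, yet its prototype (added in the `@@ -123` hunk of this file) is declared only under `#ifdef ENABLE_PAF`; unless the definition, which is outside this diff, is unguarded, a build without ENABLE_PAF gets an implicit declaration or an unresolved symbol. Either guard the call, `#ifdef ENABLE_PAF` / `DCE2_AddPortsToPaf(pPolicyConfig, policyId);` / `#endif`, or move the prototype out of the conditional and make the function a no-op when PAF is compiled out. A one-line comment on what the call registers would also help, since it sits next to the routing-table memory registration and its body is not in this hunk.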
@@ -1003,7 +1028,7 @@ _dpd.logMsg(" Total sessions: "STDu64"\n", dce2_stats.tcp_sessions); _dpd.logMsg(" Packet stats\n"); _dpd.logMsg(" Packets: "STDu64"\n", dce2_stats.tcp_pkts); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.tcp_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.tcp_total_max); @@ -1018,7 +1043,7 @@ _dpd.logMsg(" Total sessions: "STDu64"\n", dce2_stats.udp_sessions); _dpd.logMsg(" Packet stats\n"); _dpd.logMsg(" Packets: "STDu64"\n", dce2_stats.udp_pkts); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.udp_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.udp_total_max); @@ -1039,7 +1064,7 @@ _dpd.logMsg(" Server packets: "STDu64"\n", dce2_stats.http_server_pkts); if (dce2_stats.http_proxy_sessions > 0) _dpd.logMsg(" Proxy packets: "STDu64"\n", dce2_stats.http_proxy_pkts); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.http_total); _dpd.logMsg(" Maximum total: %u\n", dce2_memory.http_total_max); @@ -1108,7 +1133,7 @@ } _dpd.logMsg(" Client seg reassembled: "STDu64"\n", dce2_stats.co_cli_seg_reassembled); _dpd.logMsg(" Server seg reassembled: "STDu64"\n", dce2_stats.co_srv_seg_reassembled); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current segmentation buffering: %u\n", dce2_memory.co_seg); _dpd.logMsg(" Maximum segmentation buffering: %u\n", dce2_memory.co_seg_max); @@ -1158,7 +1183,7 @@ _dpd.logMsg(" Reassembled: "STDu64"\n", dce2_stats.cl_frag_reassembled); if (dce2_stats.cl_max_seqnum > 0) _dpd.logMsg(" Max seq num: "STDu64"\n", dce2_stats.cl_max_seqnum); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current activity tracker: %u\n", dce2_memory.cl_act); _dpd.logMsg(" Maximum activity tracker: %u\n", dce2_memory.cl_act_max); 
@@ -1174,7 +1199,7 @@ if (exiting) DCE2_StatsFree(); -#ifdef DEBUG +#ifdef DEBUG_MSGS _dpd.logMsg("\n"); _dpd.logMsg(" Memory stats (bytes)\n"); _dpd.logMsg(" Current total: %u\n", dce2_memory.total); @@ -1200,10 +1225,10 @@ * Arguments: * int - signal that caused the reset * void * - pointer to data - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_Reset(int signal, void *data) { if (!DCE2_CStackIsEmpty(dce2_pkt_stack)) @@ -1224,10 +1249,10 @@ * Arguments: * int - signal that caused function to be called * void * - pointer to data - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_ResetStats(int signal, void *data) { DCE2_StatsInit(); @@ -1241,12 +1266,12 @@ * Arguments: * int - signal that caused Snort to exit * void * - pointer to data - * + * * Returns: None * - ******************************************************************/ + ******************************************************************/ static void DCE2_CleanExit(int signal, void *data) -{ +{ DCE2_FreeConfigs(dce2_config); dce2_config = NULL; @@ -1270,11 +1295,18 @@ DCE2_Config *pDefaultPolicyConfig = NULL; DCE2_Config *pCurrentPolicyConfig = NULL; + if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) + { + DCE2_Die("%s(%d) \"%s\" configuration: " + "Stream5 must be enabled with TCP and UDP tracking.", + *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); + } + if (dce2_swap_config == NULL) { //create a context dce2_swap_config = sfPolicyConfigCreate(); - + if (dce2_swap_config == NULL) { DCE2_Die("%s(%d) \"%s\" configuration: Could not allocate memory " 
@@ -1315,12 +1347,6 @@ if ( pCurrentPolicyConfig->gconfig->disabled ) return; - if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5)) - { - DCE2_Die("%s(%d) \"%s\" configuration: " - "Stream5 must be enabled with TCP and UDP tracking.", - *_dpd.config_file, *_dpd.config_line, DCE2_GNAME); - } _dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2, PROTO_BIT__TCP | PROTO_BIT__UDP); @@ -1368,7 +1394,7 @@ static int DCE2_ReloadVerifyPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1400,6 +1426,8 @@ DCE2_ScCheckTransports(swap_config); } + DCE2_AddPortsToPaf(swap_config, policyId); + /* Register routing table memory */ if (swap_config->sconfigs != NULL) DCE2_RegMem(sfrt_usage(swap_config->sconfigs), DCE2_MEM_TYPE__RT); @@ -1443,7 +1471,7 @@ static int DCE2_ReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -1495,3 +1523,81 @@ } #endif +#ifdef ENABLE_PAF + +// Used for iterate function below since we can't pass it +static tSfPolicyId dce2_paf_tmp_policy_id = 0; + +/********************************************************************* + * Function: DCE2_AddPortsToPaf() + * + * Add detect and autodetect ports to stream5 paf + * + * Arguments: + * DCE2_Config * + * Pointer to configuration structure. + * + * Returns: None + * + *********************************************************************/ +static void DCE2_AddPortsToPaf(DCE2_Config *config, tSfPolicyId policy_id) +{ + if (config == NULL) + return; + + dce2_paf_tmp_policy_id = policy_id; + + DCE2_ScAddPortsToPaf(config->dconfig); + + if (config->sconfigs != NULL) + sfrt_iterate(config->sconfigs, DCE2_ScAddPortsToPaf); + + dce2_paf_tmp_policy_id = 0; +} + +static void DCE2_ScAddPortsToPaf(void *data) +{ + DCE2_ServerConfig *sc = (DCE2_ServerConfig *)data; + unsigned int port; + tSfPolicyId policy_id = dce2_paf_tmp_policy_id; + + if (data == NULL) + return; + + for (port = 0; port < DCE2_PORTS__MAX; port++) + { + if (DCE2_IsPortSet(sc->smb_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__SMB); + } + + if (DCE2_IsPortSet(sc->auto_smb_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__SMB); + } + + if (DCE2_IsPortSet(sc->tcp_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__TCP); + } + + if (DCE2_IsPortSet(sc->auto_tcp_ports, (uint16_t)port)) + { + DCE2_PafRegister((uint16_t)port, policy_id, DCE2_TRANS_TYPE__TCP); + } + +#if 0 + if (DCE2_IsPortSet(sc->http_proxy_ports, (uint16_t)port)) + { + /* TODO Implement PAF registration and callback. */ + } + + if (DCE2_IsPortSet(sc->http_server_ports, (uint16_t)port)) + { + /* TODO Implement PAF registration and callback. 
*/ + } +#endif + } +} +#endif + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/spp_dce2.h snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.h --- snort-2.9.0.1/src/dynamic-preprocessors/dcerpc2/spp_dce2.h 2010-01-26 10:09:59.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dcerpc2/spp_dce2.h 2011-02-09 15:23:16.000000000 -0800 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_map.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.c --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_map.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.c 2011-10-26 11:28:52.000000000 -0700 
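Review bot: The header comment for DCE2_AddPortsToPaf lists only `DCE2_Config *` under Arguments and omits `tSfPolicyId policy_id`, which the function parks in the file-static `dce2_paf_tmp_policy_id` because `sfrt_iterate` passes no user context to DCE2_ScAddPortsToPaf. That side channel makes the pair non-reentrant and is worth stating where the static is declared; suggested replacement for the one-line comment: `/* Policy id for DCE2_ScAddPortsToPaf(): valid only while DCE2_AddPortsToPaf() is iterating (sfrt_iterate has no user-context argument), so neither function may be entered concurrently or recursively. */`. Add `tSfPolicyId - policy under which the PAF callbacks are registered` to the Arguments block and note that it is reset to 0 on return. This hunk is at file end; the `#if 0` TODO block for the HTTP proxy/server ports would read better as a single comment than as dead code.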
@@ -0,0 +1,151 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Tables for DNP3 function & indicator definitions + * + */ + +#include <stdlib.h> +#include <string.h> +#include "dnp3_map.h" + +/* Name/value pair struct */ +typedef struct _dnp3_map_t +{ + char *name; + uint16_t value; +} dnp3_map_t; + +/* Mapping of name -> function code for "dnp3_func" option. 
*/ +static dnp3_map_t func_map[] = +{ + {"confirm", 0}, + {"read", 1}, + {"write", 2}, + {"select", 3}, + {"operate", 4}, + {"direct_operate", 5}, + {"direct_operate_nr", 6}, + {"immed_freeze", 7}, + {"immed_freeze_nr", 8}, + {"freeze_clear", 9}, + {"freeze_clear_nr", 10}, + {"freeze_at_time", 11}, + {"freeze_at_time_nr", 12}, + {"cold_restart", 13}, + {"warm_restart", 14}, + {"initialize_data", 15}, + {"initialize_appl", 16}, + {"start_appl", 17}, + {"stop_appl", 18}, + {"save_config", 19}, + {"enable_unsolicited", 20}, + {"disable_unsolicited", 21}, + {"assign_class", 22}, + {"delay_measure", 23}, + {"record_current_time", 24}, + {"open_file", 25}, + {"close_file", 26}, + {"delete_file", 27}, + {"get_file_info", 28}, + {"authenticate_file", 29}, + {"abort_file", 30}, + {"activate_config", 31}, + {"authenticate_req", 32}, + {"authenticate_err", 33}, + {"response", 129}, + {"unsolicited_response", 130}, + {"authenticate_resp", 131} +}; + +/* Mapping of name -> indication bit for "dnp3_ind" option. */ +static dnp3_map_t indication_map[] = +{ + /* The order is strange, but this is the order in which the spec + lists them. 
*/ + {"all_stations", 0x0100}, + {"class_1_events", 0x0200}, + {"class_2_events", 0x0400}, + {"class_3_events", 0x0800}, + {"need_time", 0x1000}, + {"local_control", 0x2000}, + {"device_trouble", 0x4000}, + {"device_restart", 0x8000}, + {"no_func_code_support", 0x0001}, + {"object_unknown", 0x0002}, + {"parameter_error", 0x0004}, + {"event_buffer_overflow", 0x0008}, + {"already_executing", 0x0010}, + {"config_corrupt", 0x0020}, + {"reserved_2", 0x0040}, + {"reserved_1", 0x0080}, +}; + +int DNP3FuncIsDefined(uint16_t code) +{ + size_t num_funcs = sizeof(func_map) / sizeof(func_map[0]); + size_t i; + int func_is_defined = 0; + + /* Check to see if code is higher than all codes in func map */ + if (code > func_map[num_funcs-1].value) + return func_is_defined; + + for (i = 0; i < num_funcs; i++) + { + /* This short-circuit check assumes that the function map remains + in-order. */ + if (code <= func_map[i].value) + break; + } + + if (code == func_map[i].value) + func_is_defined = 1; + + return func_is_defined; +} + +int DNP3FuncStrToCode(char *name) +{ + size_t num_funcs = sizeof(func_map) / sizeof(func_map[0]); + size_t i; + + for (i = 0; i < num_funcs; i++) + { + if (strcmp(name, func_map[i].name) == 0) + return func_map[i].value; + } + + return -1; +} + +int DNP3IndStrToCode(char *name) +{ + size_t num_indications = sizeof(indication_map) / sizeof(indication_map[0]); + size_t i; + + for (i = 0; i < num_indications; i++) + { + if (strcmp(name, indication_map[i].name) == 0) + return indication_map[i].value; + } + + return -1; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_map.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.h --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_map.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_map.h 2011-10-26 11:28:52.000000000 -0700 
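Review bot: `char *name` in `dnp3_map_t` and the `name` parameters of DNP3FuncStrToCode and DNP3IndStrToCode point at string literals and are only ever read through `strcmp`, so they should be `const char *name` (struct field and both parameters, with the matching prototypes in dnp3_map.h); as written, a caller holding a const rule-option string has to cast it away. DNP3FuncIsDefined's early return on `func_map[num_funcs-1]` and the `code <= value` break both depend on `func_map` staying sorted by value, but that invariant is only mentioned inside the loop; put it on the table itself: `/* Must remain sorted by ascending value: DNP3FuncIsDefined() relies on it. */`. The header's "1 on success, 0 on failure" for DNP3FuncIsDefined is clearer as "1 if code is a defined function code, 0 otherwise", since the 0 result is not a failure.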
@@ -0,0 +1,50 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Tables for DNP3 function & indicator definitions + * + */ + +#ifndef DNP3_MAP__H +#define DNP3_MAP__H + +#include <stdint.h> + +/* Check if "code" is in the function map. + * + * Returns: 1 on success, 0 on failure. + */ +int DNP3FuncIsDefined(uint16_t code); + +/* Return the DNP3 function code corresponding to "name". + * + * Returns: integer + * -1 on failure + */ +int DNP3FuncStrToCode(char *name); + +/* Return the DNP3 indication code corresponding to "name". + * + * Returns: integer + * -1 on failure + */ +int DNP3IndStrToCode(char *name); + +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_paf.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.c --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_paf.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,169 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Protocol Aware Flushing (PAF) code for DNP3 preprocessor. + * + */ + +#include "spp_dnp3.h" +#include "dnp3_paf.h" +#include "sf_dynamic_preprocessor.h" + +/* Forward declarations */ +int DNP3PafRegister(uint16_t port, tSfPolicyId policy_id); +PAF_Status DNP3Paf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp); + +/* State-tracking structs */ +typedef enum _dnp3_paf_state +{ + DNP3_PAF_STATE__START_1 = 0, + DNP3_PAF_STATE__START_2, + DNP3_PAF_STATE__LENGTH, + DNP3_PAF_STATE__SET_FLUSH +} dnp3_paf_state_t; + +typedef struct _dnp3_paf_data +{ + dnp3_paf_state_t state; + uint8_t dnp3_length; + uint16_t real_length; +} dnp3_paf_data_t; + +int DNP3PafRegister(uint16_t port, tSfPolicyId policy_id) +{ + if (!_dpd.isPafEnabled()) + return 0; + + _dpd.streamAPI->register_paf_cb(policy_id, port, 0, DNP3Paf, true); + _dpd.streamAPI->register_paf_cb(policy_id, port, 1, DNP3Paf, true); + + return 0; +} + +/* Function: DNP3Paf() + + Purpose: DNP3 PAF callback. 
+ Statefully inspects DNP3 traffic from the start of a session, + Reads up until the length octet is found, then sets a flush point. + The flushed PDU is a DNP3 Link Layer frame, the preprocessor + handles reassembly of frames into Application Layer messages. + + Arguments: + void * - stream5 session pointer + void ** - DNP3 state tracking structure + const uint8_t * - payload data to inspect + uint32_t - length of payload data + uint32_t - flags to check whether client or server + uint32_t * - pointer to set flush point + + Returns: + PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise +*/ + +PAF_Status DNP3Paf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + dnp3_paf_data_t *pafdata = *(dnp3_paf_data_t **)user; + uint32_t bytes_processed = 0; + + /* Allocate state object if it doesn't exist yet. */ + if (pafdata == NULL) + { + pafdata = calloc(1, sizeof(dnp3_paf_data_t)); + if (pafdata == NULL) + return PAF_ABORT; + + *user = pafdata; + } + + /* Process this packet 1 byte at a time */ + while (bytes_processed < len) + { + uint16_t user_data = 0; + uint16_t num_crcs = 0; + + switch (pafdata->state) + { + /* Check the Start bytes. If they are not \x05\x64, don't advance state. + Could be out of sync, junk data between frames, mid-stream pickup, etc. */ + case DNP3_PAF_STATE__START_1: + if (((uint8_t) *(data + bytes_processed)) == 0x05) + pafdata->state++; + break; + + case DNP3_PAF_STATE__START_2: + if (((uint8_t) *(data + bytes_processed)) == 0x64) + pafdata->state++; + else + pafdata->state = DNP3_PAF_STATE__START_1; + break; + + /* Read the length. */ + case DNP3_PAF_STATE__LENGTH: + pafdata->dnp3_length = (uint8_t) *(data + bytes_processed); + + /* DNP3 length only counts non-CRC octets following the + length field itself. Each CRC is two octets. 
One follows + the headers, a CRC is inserted for every 16 octets of user data, + plus a CRC for the last bit of user data (< 16 octets) */ + + if (pafdata->dnp3_length < DNP3_HEADER_REMAINDER_LEN) + { + /* XXX: Can we go about raising decoder alerts & dropping + packets within PAF? */ + return PAF_ABORT; + } + + user_data = pafdata->dnp3_length - DNP3_HEADER_REMAINDER_LEN; + num_crcs = 1 + (user_data/16) + (user_data % 16? 1 : 0); + pafdata->real_length = pafdata->dnp3_length + (2*num_crcs); + + pafdata->state++; + break; + + /* Set the flush point. */ + case DNP3_PAF_STATE__SET_FLUSH: + *fp = pafdata->real_length + bytes_processed; + pafdata->state = DNP3_PAF_STATE__START_1; + return PAF_FLUSH; + } + + bytes_processed++; + } + + return PAF_SEARCH; +} + +/* Take a DNP3 config + Snort policy, iterate through ports, register PAF callback. */ +int DNP3AddPortsToPaf(dnp3_config_t *config, tSfPolicyId policy_id) +{ + unsigned int i; + + for (i = 0; i < MAX_PORTS; i++) + { + if (config->ports[PORT_INDEX(i)] & CONV_PORT(i)) + { + DNP3PafRegister((uint16_t) i, policy_id); + } + } + + return DNP3_OK; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_paf.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.h --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_paf.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_paf.h 2011-10-26 11:28:52.000000000 -0700 
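Review bot: In DNP3Paf the START_2 case falls back to START_1 on any byte other than 0x64 without re-examining that byte, so the byte sequence `05 05 64` (a stray 0x05 directly before a genuine frame start) is never recognised and the flush point for that frame is lost until the following one; the one-line fix is `pafdata->state = (*(data + bytes_processed) == 0x05) ? DNP3_PAF_STATE__START_2 : DNP3_PAF_STATE__START_1;` in place of the `else` assignment. The `switch` on `pafdata->state` has no `default:`; `default: pafdata->state = DNP3_PAF_STATE__START_1; break;` keeps -Wswitch quiet and recovers from a corrupted state value. The PAF_ABORT return in the LENGTH case leaves the state at LENGTH, which is presumably fine if abort ends PAF for the session, but resetting to START_1 before returning costs nothing and avoids treating the next byte as a length if the callback is ever re-entered.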
@@ -0,0 +1,33 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Protocol Aware Flushing (PAF) code for DNP3 preprocessor. + * + */ + +#ifndef DNP3_PAF__H +#define DNP3_PAF__H + +#include "spp_dnp3.h" +#include "stream_api.h" + +int DNP3AddPortsToPaf(dnp3_config_t *config, tSfPolicyId policy_id); + +#endif /* DNP3_PAF__H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,442 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the DNP3 protocol + * + */ + +#include <string.h> +#include <stdint.h> + +#include "spp_dnp3.h" +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_packet.h" +#include "snort_bounds.h" + +#include "dnp3_map.h" +#include "dnp3_reassembly.h" +#include "dnp3_roptions.h" + +/* Minimum length of DNP3 "len" field in order to get a transport header. 
*/ +#define DNP3_MIN_TRANSPORT_LEN 6 + +/* CRC look-up table, for computeCRC() below */ +static uint16_t crcLookUpTable[256] = +{ + 0x0000, 0x365E, 0x6CBC, 0x5AE2, 0xD978, 0xEF26, 0xB5C4, 0x839A, + 0xFF89, 0xC9D7, 0x9335, 0xA56B, 0x26F1, 0x10AF, 0x4A4D, 0x7C13, + 0xB26B, 0x8435, 0xDED7, 0xE889, 0x6B13, 0x5D4D, 0x07AF, 0x31F1, + 0x4DE2, 0x7BBC, 0x215E, 0x1700, 0x949A, 0xA2C4, 0xF826, 0xCE78, + 0x29AF, 0x1FF1, 0x4513, 0x734D, 0xF0D7, 0xC689, 0x9C6B, 0xAA35, + 0xD626, 0xE078, 0xBA9A, 0x8CC4, 0x0F5E, 0x3900, 0x63E2, 0x55BC, + 0x9BC4, 0xAD9A, 0xF778, 0xC126, 0x42BC, 0x74E2, 0x2E00, 0x185E, + 0x644D, 0x5213, 0x08F1, 0x3EAF, 0xBD35, 0x8B6B, 0xD189, 0xE7D7, + 0x535E, 0x6500, 0x3FE2, 0x09BC, 0x8A26, 0xBC78, 0xE69A, 0xD0C4, + 0xACD7, 0x9A89, 0xC06B, 0xF635, 0x75AF, 0x43F1, 0x1913, 0x2F4D, + 0xE135, 0xD76B, 0x8D89, 0xBBD7, 0x384D, 0x0E13, 0x54F1, 0x62AF, + 0x1EBC, 0x28E2, 0x7200, 0x445E, 0xC7C4, 0xF19A, 0xAB78, 0x9D26, + 0x7AF1, 0x4CAF, 0x164D, 0x2013, 0xA389, 0x95D7, 0xCF35, 0xF96B, + 0x8578, 0xB326, 0xE9C4, 0xDF9A, 0x5C00, 0x6A5E, 0x30BC, 0x06E2, + 0xC89A, 0xFEC4, 0xA426, 0x9278, 0x11E2, 0x27BC, 0x7D5E, 0x4B00, + 0x3713, 0x014D, 0x5BAF, 0x6DF1, 0xEE6B, 0xD835, 0x82D7, 0xB489, + 0xA6BC, 0x90E2, 0xCA00, 0xFC5E, 0x7FC4, 0x499A, 0x1378, 0x2526, + 0x5935, 0x6F6B, 0x3589, 0x03D7, 0x804D, 0xB613, 0xECF1, 0xDAAF, + 0x14D7, 0x2289, 0x786B, 0x4E35, 0xCDAF, 0xFBF1, 0xA113, 0x974D, + 0xEB5E, 0xDD00, 0x87E2, 0xB1BC, 0x3226, 0x0478, 0x5E9A, 0x68C4, + 0x8F13, 0xB94D, 0xE3AF, 0xD5F1, 0x566B, 0x6035, 0x3AD7, 0x0C89, + 0x709A, 0x46C4, 0x1C26, 0x2A78, 0xA9E2, 0x9FBC, 0xC55E, 0xF300, + 0x3D78, 0x0B26, 0x51C4, 0x679A, 0xE400, 0xD25E, 0x88BC, 0xBEE2, + 0xC2F1, 0xF4AF, 0xAE4D, 0x9813, 0x1B89, 0x2DD7, 0x7735, 0x416B, + 0xF5E2, 0xC3BC, 0x995E, 0xAF00, 0x2C9A, 0x1AC4, 0x4026, 0x7678, + 0x0A6B, 0x3C35, 0x66D7, 0x5089, 0xD313, 0xE54D, 0xBFAF, 0x89F1, + 0x4789, 0x71D7, 0x2B35, 0x1D6B, 0x9EF1, 0xA8AF, 0xF24D, 0xC413, + 0xB800, 0x8E5E, 0xD4BC, 0xE2E2, 0x6178, 0x5726, 0x0DC4, 0x3B9A, + 0xDC4D, 0xEA13, 
0xB0F1, 0x86AF, 0x0535, 0x336B, 0x6989, 0x5FD7, + 0x23C4, 0x159A, 0x4F78, 0x7926, 0xFABC, 0xCCE2, 0x9600, 0xA05E, + 0x6E26, 0x5878, 0x029A, 0x34C4, 0xB75E, 0x8100, 0xDBE2, 0xEDBC, + 0x91AF, 0xA7F1, 0xFD13, 0xCB4D, 0x48D7, 0x7E89, 0x246B, 0x1235 +}; + +/* Append a DNP3 Transport segment to the reassembly buffer. + + Returns: + DNP3_OK: Segment queued successfully. + DNP3_FAIL: Data copy failed. Segment did not fit in reassembly buffer. +*/ +static int DNP3QueueSegment(dnp3_reassembly_data_t *rdata, char *buf, uint16_t buflen) +{ + if (rdata == NULL || buf == NULL) + return DNP3_FAIL; + + /* At first I was afraid, but we checked for DNP3_MAX_TRANSPORT_LEN earlier. */ + if (buflen + rdata->buflen > DNP3_BUFFER_SIZE) + return DNP3_FAIL; + + memcpy((rdata->buffer + rdata->buflen), buf, (size_t) buflen); + + rdata->buflen += buflen; + return DNP3_OK; +} + +/* Reset a DNP3 reassembly buffer */ +static void DNP3ReassemblyReset(dnp3_reassembly_data_t *rdata) +{ + rdata->buflen = 0; + rdata->state = DNP3_REASSEMBLY_STATE__IDLE; + rdata->last_seq = 0; +} + +/* DNP3 Transport-Layer reassembly state machine. + + Arguments: + rdata: DNP3 reassembly state object. + buf: DNP3 Transport Layer segment + buflen: Length of Transport Layer segment. + + Returns: + DNP3_FAIL: Segment was discarded. + DNP3_OK: Segment was queued. +*/ +static int DNP3ReassembleTransport(dnp3_reassembly_data_t *rdata, char *buf, uint16_t buflen) +{ + dnp3_transport_header_t *trans_header; + + if (rdata == NULL || buf == NULL || buflen < sizeof(dnp3_transport_header_t) || + (buflen > DNP3_MAX_TRANSPORT_LEN)) + { + return DNP3_FAIL; + } + + /* Take the first byte as a transport header, cut it off of the buffer. */ + trans_header = (dnp3_transport_header_t *)buf; + buf += sizeof(dnp3_transport_header_t); + buflen -= sizeof(dnp3_transport_header_t); + + + /* If the previously-existing state was DONE, we need to reset it back + to IDLE. 
*/ + if (rdata->state == DNP3_REASSEMBLY_STATE__DONE) + DNP3ReassemblyReset(rdata); + + switch (rdata->state) + { + case DNP3_REASSEMBLY_STATE__IDLE: + /* Discard any non-first segment. */ + if ( DNP3_TRANSPORT_FIR(trans_header->control) == 0 ) + return DNP3_FAIL; + + /* Reset the buffer & queue the first segment */ + DNP3ReassemblyReset(rdata); + DNP3QueueSegment(rdata, buf, buflen); + rdata->last_seq = DNP3_TRANSPORT_SEQ(trans_header->control); + + if ( DNP3_TRANSPORT_FIN(trans_header->control) ) + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + else + rdata->state = DNP3_REASSEMBLY_STATE__ASSEMBLY; + + break; + + case DNP3_REASSEMBLY_STATE__ASSEMBLY: + /* Reset if the FIR flag is set. */ + if ( DNP3_TRANSPORT_FIR(trans_header->control) ) + { + DNP3ReassemblyReset(rdata); + DNP3QueueSegment(rdata, buf, buflen); + rdata->last_seq = DNP3_TRANSPORT_SEQ(trans_header->control); + + if (DNP3_TRANSPORT_FIN(trans_header->control)) + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + + /* Raise an alert so it's clear the buffer was reset. + Could signify device trouble. */ + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_REASSEMBLY_BUFFER_CLEARED, + 1, 0, 3, DNP3_REASSEMBLY_BUFFER_CLEARED_STR, 0); + } + else + { + /* Same seq but FIN is set. Discard segment, BUT finish reassembly. */ + if ((DNP3_TRANSPORT_SEQ(trans_header->control) == rdata->last_seq) && + (DNP3_TRANSPORT_FIN(trans_header->control))) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_SEGMENT, + 1, 0, 3, DNP3_DROPPED_SEGMENT_STR, 0); + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + return DNP3_FAIL; + } + + /* Discard any other segments without the correct sequence. */ + if (DNP3_TRANSPORT_SEQ(trans_header->control) != + ((rdata->last_seq + 1) % 0x40 )) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_SEGMENT, + 1, 0, 3, DNP3_DROPPED_SEGMENT_STR, 0); + return DNP3_FAIL; + } + + /* Otherwise, queue it up! 
*/ + DNP3QueueSegment(rdata, buf, buflen); + rdata->last_seq = DNP3_TRANSPORT_SEQ(trans_header->control); + + if (DNP3_TRANSPORT_FIN(trans_header->control)) + rdata->state = DNP3_REASSEMBLY_STATE__DONE; + else + rdata->state = DNP3_REASSEMBLY_STATE__ASSEMBLY; + } + + break; + + case DNP3_REASSEMBLY_STATE__DONE: + break; + } + + /* Set the Alt Decode buffer. This must be done during preprocessing + in order to stop the Fast Pattern matcher from using raw packet data + to evaluate the longest content in a rule. */ + if (rdata->state == DNP3_REASSEMBLY_STATE__DONE) + { + uint8_t *alt_buf = _dpd.altBuffer->data; + uint16_t alt_len = sizeof(_dpd.altBuffer->data); + int ret; + + ret = SafeMemcpy((void *)alt_buf, + (const void *)rdata->buffer, + (size_t)rdata->buflen, + (const void *)alt_buf, + (const void *)(alt_buf + alt_len)); + + if (ret == SAFEMEM_SUCCESS) + _dpd.SetAltDecode(alt_len); + } + + return DNP3_OK; +} + +/* Check for reserved application-level function codes. */ +static void DNP3CheckReservedFunction(dnp3_session_data_t *session) +{ + if ( DNP3FuncIsDefined( (uint16_t)session->func) ) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_RESERVED_FUNCTION, + 1, 0, 3, DNP3_RESERVED_FUNCTION_STR, 0); + } +} + +/* Decode a DNP3 Application-layer Fragment, fill out the relevant session data + for rule option evaluation. */ +static int DNP3ProcessApplication(dnp3_session_data_t *session) +{ + dnp3_reassembly_data_t *rdata = NULL; + + if (session == NULL) + return DNP3_FAIL; + + /* Master and Outstation use slightly different Application-layer headers. + Only the outstation sends Internal Indications. 
*/ + if (session->direction == DNP3_CLIENT) + { + dnp3_app_request_header_t *request = NULL; + rdata = &(session->client_rdata); + + if (rdata->buflen < sizeof(dnp3_app_request_header_t)) + return DNP3_FAIL; /* TODO: Preprocessor Alert */ + + request = (dnp3_app_request_header_t *)(rdata->buffer); + + session->func = request->function; + } + else if (session->direction == DNP3_SERVER) + { + dnp3_app_response_header_t *response = NULL; + rdata = &(session->server_rdata); + + if (rdata->buflen < sizeof(dnp3_app_response_header_t)) + return DNP3_FAIL; /* TODO: Preprocessor Alert */ + + response = (dnp3_app_response_header_t *)(rdata->buffer); + + session->func = response->function; + session->indications = ntohs(response->indications); + } + + DNP3CheckReservedFunction(session); + + return DNP3_OK; +} + +/* Check a CRC in a single block. */ +/* This code is mostly lifted from the example in the DNP3 spec. */ + +static inline void computeCRC(unsigned char data, uint16_t *crcAccum) +{ + *crcAccum = + (*crcAccum >> 8) ^ crcLookUpTable[(*crcAccum ^ data) & 0xFF]; +} + +static int DNP3CheckCRC(unsigned char *buf, uint16_t buflen) +{ + uint16_t idx; + uint16_t crc = 0; + + /* Compute check code for data in received block */ + for (idx = 0; idx < buflen-2; idx++) + computeCRC(buf[idx], &crc); + crc = ~crc; /* Invert */ + + /* Check CRC at end of block */ + if (buf[idx++] == (unsigned char)crc && + buf[idx] == (unsigned char)(crc >> 8)) + return DNP3_OK; + else + return DNP3_FAIL; +} + +/* Check CRCs in a Link-Layer Frame, then fill a buffer containing just the user data */ +static int DNP3CheckRemoveCRC(dnp3_config_t *config, uint8_t *pdu_start, + uint16_t pdu_length, char *buf, uint16_t *buflen) +{ + char *cursor; + uint16_t bytes_left; + + /* Check Header CRC */ + if ((config->check_crc) && + (DNP3CheckCRC((unsigned char*)pdu_start, sizeof(dnp3_link_header_t)+2) == DNP3_FAIL)) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_BAD_CRC, 1, 0, 3, + DNP3_BAD_CRC_STR, 0); + return 
DNP3_FAIL; + } + + cursor = (char *)pdu_start + sizeof(dnp3_link_header_t) + 2; + bytes_left = pdu_length - sizeof(dnp3_link_header_t) - 2; + *buflen = 0; + + /* Process whole 16-byte chunks (plus 2-byte CRC) */ + while (bytes_left > 18) + { + if ((config->check_crc) && (DNP3CheckCRC((unsigned char*)cursor, 18) == DNP3_FAIL)) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_BAD_CRC, 1, 0, 3, + DNP3_BAD_CRC_STR, 0); + return DNP3_FAIL; + } + + memcpy((buf + *buflen), cursor, 16); + *buflen += 16; + cursor += 18; + bytes_left -= 18; + } + /* Process leftover chunk, under 16 bytes */ + if (bytes_left > 2) + { + if ((config->check_crc) && (DNP3CheckCRC((unsigned char*)cursor, bytes_left) == DNP3_FAIL)) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_BAD_CRC, 1, 0, 3, + DNP3_BAD_CRC_STR, 0); + return DNP3_FAIL; + } + + memcpy((buf + *buflen), cursor, (bytes_left - 2)); + *buflen += (bytes_left - 2); + cursor += bytes_left; + bytes_left = 0; + } + + return DNP3_OK; +} + +static int DNP3CheckReservedAddrs(dnp3_link_header_t *link) +{ + int bad_addr = 0; + + if ((link->src >= DNP3_MIN_RESERVED_ADDR) && (link->src <= DNP3_MAX_RESERVED_ADDR)) + bad_addr = 1; + + else if ((link->dest >= DNP3_MIN_RESERVED_ADDR) && (link->dest <= DNP3_MAX_RESERVED_ADDR)) + bad_addr = 1; + + if (bad_addr) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_RESERVED_ADDRESS, 1, 0, 3, + DNP3_RESERVED_ADDRESS_STR, 0); + return DNP3_FAIL; + } + + return DNP3_OK; +} + +/* Main DNP3 Reassembly function. Moved here to avoid circular dependency between + spp_dnp3 and dnp3_reassembly. 
*/ +int DNP3FullReassembly(dnp3_config_t *config, dnp3_session_data_t *session, SFSnortPacket *packet, uint8_t *pdu_start, uint16_t pdu_length) +{ + char buf[256]; + uint16_t buflen; + dnp3_link_header_t *link; + dnp3_reassembly_data_t *rdata; + + if (pdu_length < (sizeof(dnp3_link_header_t) + sizeof(dnp3_transport_header_t) + 2)) + return DNP3_FAIL; + + if (session->direction == DNP3_CLIENT) + rdata = &(session->client_rdata); + else + rdata = &(session->server_rdata); + + /* Step 1: Decode header and skip to data */ + link = (dnp3_link_header_t *) pdu_start; + + if (link->len < DNP3_MIN_TRANSPORT_LEN) + { + _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_FRAME, 1, 0, 3, + DNP3_DROPPED_FRAME_STR, 0); + return DNP3_FAIL; + } + + /* Check reserved addresses */ + if ( DNP3CheckReservedAddrs(link) == DNP3_FAIL ) + return DNP3_FAIL; + + /* XXX: NEED TO TRACK SEPARATE DNP3 SESSIONS OVER SINGLE TCP SESSION */ + + /* Step 2: Remove CRCs */ + if ( DNP3CheckRemoveCRC(config, pdu_start, pdu_length, buf, &buflen) == DNP3_FAIL ) + return DNP3_FAIL; + + /* Step 3: Queue user data in frame for Transport-Layer reassembly */ + if (DNP3ReassembleTransport(rdata, buf, buflen) == DNP3_FAIL) + return DNP3_FAIL; + + /* Step 4: Decode Application-Layer */ + if (rdata->state == DNP3_REASSEMBLY_STATE__DONE) + { + int ret = DNP3ProcessApplication(session); + + /* To support multiple PDUs in UDP, we're going to call Detect() + on each individual PDU. The AltDecode buffer was set earlier. */ + if ((ret == DNP3_OK) && (packet->udp_header)) + _dpd.detect(packet); + else + return ret; + } + + return DNP3_OK; +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_reassembly.h 2011-11-21 12:15:24.000000000 -0800 
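Review bot: DNP3CheckReservedFunction raises DNP3_RESERVED_FUNCTION when `DNP3FuncIsDefined()` returns non-zero, i.e. for every known function code, and stays silent for the reserved ones the alert is named for (dnp3_map.h documents 1 = defined); unless that header comment is wrong, the condition should be `if ( !DNP3FuncIsDefined((uint16_t)session->func) )`. DNP3CheckRemoveCRC writes into the 256-byte stack `buf` from DNP3FullReassembly with loops bounded only by `pdu_length`, which nothing in this file ties to `link->len` or to the capacity of `buf`; add a `size_t buf_cap` parameter (passed as `sizeof buf`) and check `if (*buflen + 16 > buf_cap) return DNP3_FAIL;` before the 16-byte memcpy and `if (*buflen + (bytes_left - 2) > buf_cap) return DNP3_FAIL;` before the tail copy, so the bound does not depend on how the caller derived pdu_length. In DNP3ReassembleTransport `_dpd.SetAltDecode(alt_len)` passes the capacity `sizeof(_dpd.altBuffer->data)` rather than the `rdata->buflen` bytes just copied, so detection would evaluate stale bytes past the fragment unless SetAltDecode expects the capacity; `_dpd.SetAltDecode(rdata->buflen);` matches the SafeMemcpy length. The three DNP3QueueSegment calls in the same function discard its DNP3_FAIL result, so an over-long message is silently truncated rather than reset and alerted.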
@@ -0,0 +1,35 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Dynamic preprocessor for the DNP3 protocol
+ *
+ */
+
+#ifndef DNP3_REASSEMBLY__H
+#define DNP3_REASSEMBLY__H
+
+#include "sf_types.h"
+#include "sf_snort_packet.h"
+#include "spp_dnp3.h"
+
+
+int DNP3FullReassembly(dnp3_config_t *config, dnp3_session_data_t *session, SFSnortPacket *packet, uint8_t *pdu_start, uint16_t pdu_length);
+
+#endif /* DNP3_REASSEMBLY__H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_roptions.c snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.c
--- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_roptions.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.c 2011-11-21 12:15:24.000000000 -0800
@@ -0,0 +1,575 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Rule options for the DNP3 preprocessor + * + */ + +#include <string.h> + +#include "sf_types.h" +#include "sf_snort_plugin_api.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "mempool.h" + +#include "spp_dnp3.h" +#include "dnp3_map.h" +#include "dnp3_roptions.h" + +/* Object decoding constants */ +#define DNP3_OBJ_HDR_MIN_LEN 3 /* group, var, qualifier */ +#define DNP3_OBJ_QUAL_PREFIX(x) ((x & 0x70) >> 4) +#define DNP3_OBJ_QUAL_RANGE(x) (x & 0x0F) + +/* Object header prefix codes */ +#define DNP3_PREFIX_NO_PREFIX 0x00 +#define DNP3_PREFIX_1OCT_INDEX 0x01 +#define DNP3_PREFIX_2OCT_INDEX 0x02 +#define DNP3_PREFIX_4OCT_INDEX 0x03 +#define DNP3_PREFIX_1OCT_SIZE 0x04 +#define DNP3_PREFIX_2OCT_SIZE 0x05 +#define DNP3_PREFIX_4OCT_SIZE 0x06 +#define DNP3_PREFIX_RESERVED 0x07 + +/* Object header range specifiers -- 0x0A & 0x0C-0x0F are reserved */ +#define DNP3_RANGE_1OCT_INDICES 0x00 +#define DNP3_RANGE_2OCT_INDICES 0x01 +#define DNP3_RANGE_4OCT_INDICES 0x02 +#define DNP3_RANGE_1OCT_ADDRESSES 0x03 +#define DNP3_RANGE_2OCT_ADDRESSES 0x04 +#define DNP3_RANGE_4OCT_ADDRESSES 0x05 
+#define DNP3_RANGE_NO_RANGE 0x06 +#define DNP3_RANGE_1OCT_COUNT 0x07 +#define DNP3_RANGE_2OCT_COUNT 0x08 +#define DNP3_RANGE_4OCT_COUNT 0x09 +#define DNP3_RANGE_VARIABLE 0x0B + +typedef enum _dnp3_option_type_t +{ + DNP3_FUNC = 0, + DNP3_OBJ, + DNP3_IND, + DNP3_DATA +} dnp3_option_type_t; + +typedef struct _dnp3_option_data_t +{ + dnp3_option_type_t type; + uint16_t arg; +} dnp3_option_data_t; + +/* Parsing functions */ +int DNP3FuncInit(char *name, char *params, void **data) +{ + char *endptr; + dnp3_option_data_t *dnp3_data; + long func_code; + + if (name == NULL || params == NULL || data == NULL) + return 0; + + if (strcmp(name, DNP3_FUNC_NAME) != 0) + return 0; + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_func data structure.\n", __FILE__, __LINE__); + } + + /* Parsing time */ + if (isdigit(params[0])) + { + /* Function code given as integer */ + func_code = _dpd.SnortStrtol(params, &endptr, 10); + if ((func_code > 255) || (func_code < 0) || (*endptr != '\0')) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_func requires a " + "number beween 0 and 255, or a valid function name.\n", + *_dpd.config_file, *_dpd.config_line); + } + } + else + { + func_code = DNP3FuncStrToCode(params); + + if (func_code == -1) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_func requires a " + "number beween 0 and 255, or a valid function name.\n", + *_dpd.config_file, *_dpd.config_line); + } + } + + dnp3_data->type = DNP3_FUNC; + dnp3_data->arg = (uint16_t) func_code; + + *data = (void *)dnp3_data; + + return 1; +} + +NORETURN static inline void DNP3ObjError(void) +{ + DynamicPreprocessorFatalMessage("%s(%d) dnp3_obj requires two arguments," + "where each argument is a number between 0 and 255.\n", + *_dpd.config_file, *_dpd.config_line); +} + +int DNP3ObjInit(char *name, char *params, void **data) +{ + char *endptr, *token, 
*saveptr; + dnp3_option_data_t *dnp3_data; + unsigned int obj_group, obj_var; + + if (name == NULL || data == NULL) + return 0; + + if (strcmp(name, DNP3_OBJ_NAME) != 0) + return 0; + + if (params == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): No argument given for dnp3_obj. " + "dnp3_obj requires two arguments, where each argument is a number " + "between 0 and 255.\n", *_dpd.config_file, *_dpd.config_line); + } + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_func data structure.\n", __FILE__, __LINE__); + } + + token = strtok_r(params, ",", &saveptr); + if (token == NULL) + DNP3ObjError(); + + /* First token: object group */ + obj_group = _dpd.SnortStrtoul(token, &endptr, 10); + if ((obj_group > 255) || (*endptr != '\0')) + DNP3ObjError(); + + token = strtok_r(NULL, ",", &saveptr); + if (token == NULL) + DNP3ObjError(); + + /* Second token: object var */ + obj_var = _dpd.SnortStrtoul(token, &endptr, 10); + if ((obj_var > 255) || (*endptr != '\0')) + DNP3ObjError(); + + /* pack the two arguments into one uint16_t */ + dnp3_data->type = DNP3_OBJ; + dnp3_data->arg = ((obj_group << 8) | (obj_var)); + + *data = dnp3_data; + + return 1; +} + +int DNP3IndInit(char *name, char *params, void **data) +{ + dnp3_option_data_t *dnp3_data; + char *token, *saveptr; + uint16_t flags = 0; + + if (name == NULL || params == NULL || data == NULL) + return 0; + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_func data structure.\n", __FILE__, __LINE__); + } + + token = strtok_r(params, ",", &saveptr); + + while (token != NULL) + { + int flag = DNP3IndStrToCode(token); + + if (flag == -1) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_ind requires a " + "valid indication flag name. 
'%s' is invalid.\n", + *_dpd.config_file, *_dpd.config_line, token); + } + + flags |= (uint16_t) flag; + token = strtok_r(NULL, ",", &saveptr); + } + + if (flags == 0) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_ind requires a " + "valid indication flag name. No flags were given.\n", + *_dpd.config_file, *_dpd.config_line); + } + + dnp3_data->type = DNP3_IND; + dnp3_data->arg = flags; + + *data = (void *)dnp3_data; + + return 1; +} + +int DNP3DataInit(char *name, char *params, void **data) +{ + dnp3_option_data_t *dnp3_data; + + if (name == NULL || data == NULL) + return 0; + + /* nothing to parse. */ + if (params) + { + DynamicPreprocessorFatalMessage("%s(%d): dnp3_data does not take " + "any arguments.\n", *_dpd.config_file, *_dpd.config_line); + } + + dnp3_data = (dnp3_option_data_t *)calloc(1, sizeof(dnp3_option_data_t)); + if (dnp3_data == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for " + "dnp3_data data structure.\n", __FILE__, __LINE__); + } + + dnp3_data->type = DNP3_DATA; + dnp3_data->arg = 0; + + *data = (void *)dnp3_data; + + return 1; +} + +/* Evaluation functions */ +int DNP3FuncEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + dnp3_option_data_t *rule_data = (dnp3_option_data_t *)data; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. 
*/ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + if (session_data->direction == DNP3_CLIENT) + rdata = &(session_data->client_rdata); + else + rdata = &(session_data->server_rdata); + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + if (session_data->func == rule_data->arg) + return RULE_MATCH; + + return RULE_NOMATCH; +} + +static int DNP3DecodeObject(uint8_t *buf, uint16_t buflen, uint8_t rule_group, uint8_t rule_var) +{ + uint8_t group, var; + + /* XXX: uncomment these when fixing the below TODO regarding multiple objects + uint8_t qualifier, prefix_size, prefix_code, range_specifier; + uint32_t begin, end, num_objects; + */ + + if (buf == NULL || buflen < DNP3_OBJ_HDR_MIN_LEN) + return RULE_NOMATCH; + + /* Decode group */ + group = *buf; + buf++; + buflen--; + + /* Decode var */ + var = *buf; + buf++; + buflen--; + + /* Match the rule option here, quit decoding if we found the right header. */ + if ((group == rule_group) && (var == rule_var)) + return RULE_MATCH; + +/* TODO: Implement matching with multiple objects in a Request/Response. 
*/ +#if 0 + /* Decode qualifier */ + qualifier = *buf; + prefix_code = DNP3_OBJ_QUAL_PREFIX(qualifier); + range_specifier = DNP3_OBJ_QUAL_RANGE(qualifier); + buf++; + buflen--; + + /* The size of object prefixes depends on the prefix code */ + switch (prefix_code) + { + case DNP3_PREFIX_NO_PREFIX: + prefix_size = 0; + break; + + case DNP3_PREFIX_1OCT_INDEX: + case DNP3_PREFIX_1OCT_SIZE: + prefix_size = 1; + break; + + case DNP3_PREFIX_2OCT_INDEX: + case DNP3_PREFIX_2OCT_SIZE: + prefix_size = 2; + break; + + case DNP3_PREFIX_4OCT_INDEX: + case DNP3_PREFIX_4OCT_SIZE: + prefix_size = 4; + break; + + default: + /* TODO: Preprocessor alert on reserved value */ + return DNP3_FAIL; + } + + /* Decoding of the range field depends on the Range Specifier */ + switch (range_specifier) + { + case DNP3_RANGE_1OCT_INDICES: + if (buflen < 2) + return DNP3_FAIL; + + /* Decode 8-bit indices for object prefixes */ + begin = *(uint8_t *)buf++; + end = *(uint8_t *)buf++; + buflen -= 2; + + /* Check that indices make sense */ + if (begin > end) + return DNP3_FAIL; /* TODO: Preprocessor alert */ + + num_objects = end - begin + 1; + break; + + case DNP3_RANGE_2OCT_INDICES: + if (buflen < 2) + return DNP3_FAIL; + + /* Decode 8-bit indices for object prefixes */ + begin = *(uint16_t *)buf++; + end = *(uint16_t *)buf++; + buflen -= 2; + + /* Check that indices make sense */ + if (begin > end) + return DNP3_FAIL; /* TODO: Preprocessor alert */ + + num_objects = end - begin + 1; + break; + + case DNP3_RANGE_4OCT_INDICES: + case DNP3_RANGE_1OCT_ADDRESSES: + case DNP3_RANGE_2OCT_ADDRESSES: + case DNP3_RANGE_4OCT_ADDRESSES: + case DNP3_RANGE_NO_RANGE: + case DNP3_RANGE_1OCT_COUNT: + case DNP3_RANGE_2OCT_COUNT: + case DNP3_RANGE_4OCT_COUNT: + case DNP3_RANGE_VARIABLE: + default: + } +#endif /* 0 */ + + return RULE_NOMATCH; +} + +int DNP3ObjEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + 
dnp3_option_data_t *rule_data = (dnp3_option_data_t *)data; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + uint8_t group, var; + uint8_t *obj_buffer; + uint16_t obj_buflen; + size_t header_size; + int rval = RULE_NOMATCH; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. */ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + if (session_data->direction == DNP3_CLIENT) + { + rdata = &(session_data->client_rdata); + header_size = sizeof(dnp3_app_request_header_t); + } + else + { + rdata = &(session_data->server_rdata); + header_size = sizeof(dnp3_app_response_header_t); + } + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + /* Skip over the App request/response header. + They are different sizes, depending on whether it is a request or response! 
*/ + if (rdata->buflen < header_size) + return RULE_NOMATCH; + + obj_buffer = (uint8_t *)rdata->buffer + header_size; + obj_buflen = rdata->buflen - header_size; + + /* Rule parsing code combined our two arguments into a single uint16_t */ + group = (rule_data->arg >> 8); + var = (rule_data->arg & 0x00FF); + + rval = DNP3DecodeObject(obj_buffer, obj_buflen, group, var); + + return rval; +} + +int DNP3IndEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + dnp3_option_data_t *rule_data = (dnp3_option_data_t *)data; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. */ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + /* Internal Indications only apply to DNP3 responses, not requests. 
*/ + if (session_data->direction == DNP3_CLIENT) + return RULE_NOMATCH; + + rdata = &(session_data->server_rdata); + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + if (session_data->indications & rule_data->arg) + return RULE_MATCH; + + return RULE_NOMATCH; +} + +int DNP3DataEval(void *raw_packet, const uint8_t **cursor, void *data) +{ + SFSnortPacket *packet = (SFSnortPacket *)raw_packet; + MemBucket *tmp_bucket; + dnp3_session_data_t *session_data; + dnp3_reassembly_data_t *rdata; + + /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options + don't check for this, they'll fire on stale session data when the + original packet goes through before flushing. */ + if (packet->tcp_header && !PacketHasFullPDU(packet)) + return RULE_NOMATCH; + + /* For UDP packets, there is no PAF so we use the Alt Decode buffer. */ + if (packet->udp_header && !_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + return RULE_NOMATCH; + + tmp_bucket = (MemBucket *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_DNP3); + + if ((packet->payload_size == 0) || (tmp_bucket == NULL)) + { + return RULE_NOMATCH; + } + + session_data = (dnp3_session_data_t *)tmp_bucket->data; + + if (session_data->direction == DNP3_CLIENT) + rdata = &(session_data->client_rdata); + else + rdata = &(session_data->server_rdata); + + /* Only evaluate rules against complete Application-layer fragments */ + if (rdata->state != DNP3_REASSEMBLY_STATE__DONE) + return RULE_NOMATCH; + + /* Set the cursor to the reassembled Application-layer buffer */ + *cursor = (uint8_t *)rdata->buffer; + _dpd.SetAltDetect((uint8_t *)rdata->buffer, rdata->buflen); + + return RULE_MATCH; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_roptions.h snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.h --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/dnp3_roptions.h 1969-12-31 16:00:00.000000000 
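Review bot: `DNP3FuncInit` calls `isdigit(params[0])` but the only standard header this file includes is `<string.h>`; unless one of the project headers happens to pull in `<ctype.h>` (not visible here) that is an implicit declaration, and passing a plain `char` is undefined for negative values, so add `#include <ctype.h>` and write `if (isdigit((unsigned char)params[0]))`. `DNP3IndInit` and `DNP3DataInit` omit the `strcmp(name, ...)` guard that `DNP3FuncInit` and `DNP3ObjInit` perform, leaving the four registration callbacks inconsistent; `if (strcmp(name, DNP3_IND_NAME) != 0) return 0;` (and the `DNP3_DATA_NAME` equivalent) keeps them parallel. The `#if 0` block in `DNP3DecodeObject` should not be re-enabled as written: the `DNP3_RANGE_2OCT_INDICES` case checks for only 2 remaining bytes yet reads two 16-bit values via `*(uint16_t *)buf++`, which advances one byte per read and is a potentially misaligned access, and the trailing `default:` label with no statement will not compile as C11. Because `DNP3DecodeObject` compares only the first object header, a comment on `DNP3ObjEval` such as `/* Matches only the first object header of the reassembled fragment; later objects are not examined (see TODO in DNP3DecodeObject). */` would tell rule writers what detection coverage to expect.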
-0800
+++ snort-2.9.2/src/dynamic-preprocessors/dnp3/dnp3_roptions.h 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,48 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Rule options for the DNP3 preprocessor
+ *
+ */
+
+#ifndef DNP3_ROPTIONS__H
+#define DNP3_ROPTIONS__H
+
+#include <stdint.h>
+
+/* option names */
+#define DNP3_FUNC_NAME "dnp3_func"
+#define DNP3_OBJ_NAME "dnp3_obj"
+#define DNP3_IND_NAME "dnp3_ind"
+#define DNP3_DATA_NAME "dnp3_data"
+
+/* Rule registration functions */
+int DNP3FuncInit(char *name, char *params, void **data);
+int DNP3ObjInit(char *name, char *params, void **data);
+int DNP3IndInit(char *name, char *params, void **data);
+int DNP3DataInit(char *name, char *params, void **data);
+
+/* Rule evaluation functions */
+int DNP3FuncEval(void *raw_packet, const uint8_t **cursor, void *data);
+int DNP3ObjEval(void *raw_packet, const uint8_t **cursor, void *data);
+int DNP3IndEval(void *raw_packet, const uint8_t **cursor, void *data);
+int DNP3DataEval(void *raw_packet, const uint8_t **cursor, void *data);
+
+#endif /* DNP3_ROPTIONS__H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/Makefile.am 1969-12-31 
16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.am 2011-10-26 11:28:52.000000000 -0700 @@ -0,0 +1,38 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs + +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +lib_LTLIBRARIES = libsf_dnp3_preproc.la + +libsf_dnp3_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_dnp3_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else +nodist_libsf_dnp3_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c \ +../include/mempool.c \ +../include/sf_sdlist.c +endif + +libsf_dnp3_preproc_la_SOURCES = \ +spp_dnp3.c \ +spp_dnp3.h \ +dnp3_paf.c \ +dnp3_paf.h \ +dnp3_reassembly.c \ +dnp3_reassembly.h \ +dnp3_roptions.c \ +dnp3_roptions.h \ +dnp3_map.c \ +dnp3_map.h + +EXTRA_DIST = \ +sf_dnp3.dsp + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/Makefile.in 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/Makefile.in 2011-12-07 11:23:19.000000000 -0800 
@@ -0,0 +1,566 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/dnp3 +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_dnp3_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_dnp3_preproc_la_OBJECTS = spp_dnp3.lo dnp3_paf.lo \ + dnp3_reassembly.lo dnp3_roptions.lo dnp3_map.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dnp3_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo +libsf_dnp3_preproc_la_OBJECTS = $(am_libsf_dnp3_preproc_la_OBJECTS) \ + $(nodist_libsf_dnp3_preproc_la_OBJECTS) +libsf_dnp3_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_dnp3_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + 
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_dnp3_preproc_la_SOURCES) \ + $(nodist_libsf_dnp3_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_dnp3_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = 
@RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_dnp3_preproc.la +libsf_dnp3_preproc_la_LDFLAGS = -shared -export-dynamic -module 
@XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_dnp3_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dnp3_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c + +libsf_dnp3_preproc_la_SOURCES = \ +spp_dnp3.c \ +spp_dnp3.h \ +dnp3_paf.c \ +dnp3_paf.h \ +dnp3_reassembly.c \ +dnp3_reassembly.h \ +dnp3_roptions.c \ +dnp3_roptions.h \ +dnp3_map.c \ +dnp3_map.h + +EXTRA_DIST = \ +sf_dnp3.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/dnp3/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/dnp3/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_dnp3_preproc.la: $(libsf_dnp3_preproc_la_OBJECTS) $(libsf_dnp3_preproc_la_DEPENDENCIES) + $(libsf_dnp3_preproc_la_LINK) -rpath $(libdir) $(libsf_dnp3_preproc_la_OBJECTS) $(libsf_dnp3_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; 
fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in 
$$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp snort-2.9.2/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/sf_dnp3.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,243 @@ +# Microsoft Developer Studio Project File - Name="sf_dnp3" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_dnp3 - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_dnp3.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_dnp3.mak" CFG="sf_dnp3 - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_dnp3 - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_dnp3 - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_dnp3 - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_dnp3 - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_dnp3 - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D 
"_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_dnp3 - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# 
ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_dnp3 - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_dnp3___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_dnp3___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib 
kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_dnp3 - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_dnp3___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_dnp3___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo 
/dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_dnp3 - Win32 Release" +# Name "sf_dnp3 - Win32 Debug" +# Name "sf_dnp3 - Win32 IPv6 Debug" +# Name "sf_dnp3 - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\dnp3_map.c +# End Source File +# Begin Source File + +SOURCE=.\dnp3_paf.c +# End Source File +# Begin Source File + +SOURCE=.\dnp3_reassembly.c +# End Source File +# Begin Source File + +SOURCE=.\dnp3_roptions.c +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_dnp3.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\dnp3_map.h +# End Source File +# Begin Source File + +SOURCE=.\dnp3_paf.h +# End Source File +# Begin Source File + +SOURCE=.\dnp3_reassembly.h +# End Source File +# Begin Source File + +SOURCE=.\dnp3_roptions.h +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist_types.h +# End Source File +# Begin Source File + +SOURCE=.\spp_dnp3.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/spp_dnp3.c 
snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.c --- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/spp_dnp3.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,912 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the DNP3 protocol + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include <string.h> + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" +#include "mempool.h" + +#include "preprocids.h" +#include "spp_dnp3.h" +#include "sf_preproc_info.h" + +#include "dnp3_paf.h" +#include "dnp3_reassembly.h" +#include "dnp3_roptions.h" + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats dnp3PerfStats; +#endif + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_DNP3 (IPV6)"; +#else +const char *PREPROC_NAME = "SF_DNP3"; +#endif + +#define SetupDNP3 DYNAMIC_PREPROC_SETUP + +/* Preprocessor config objects */ +static tSfPolicyUserContextId dnp3_context_id = NULL; +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId dnp3_swap_context_id = NULL; +#endif +static dnp3_config_t *dnp3_eval_config = NULL; + +static MemPool *dnp3_mempool = NULL; + + +/* Target-based app ID 
*/ +#ifdef TARGET_BASED +int16_t dnp3_app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + +/* Prototypes */ +static void DNP3Init(char *argp); +static void DNP3OneTimeInit(void); +static dnp3_config_t * DNP3PerPolicyInit(tSfPolicyUserContextId); +static void DNP3RegisterPerPolicyCallbacks(dnp3_config_t *); + +static void ProcessDNP3(void *, void *); + +#ifdef SNORT_RELOAD +static void DNP3Reload(char *); +static int DNP3ReloadVerify(void); +static void * DNP3ReloadSwap(void); +static void DNP3ReloadSwapFree(void *); +#endif + +static void _addPortsToStream5Filter(dnp3_config_t *, tSfPolicyId); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif + +static void DNP3FreeConfig(tSfPolicyUserContextId context_id); +static void FreeDNP3Data(void *); +static void DNP3CheckConfig(void); +static void DNP3CleanExit(int, void *); + +static void ParseDNP3Args(dnp3_config_t *config, char *args); +static void PrintDNP3Config(dnp3_config_t *config); + +static int DNP3PortCheck(dnp3_config_t *config, SFSnortPacket *packet); +static MemBucket * DNP3CreateSessionData(SFSnortPacket *); + +/* Default memcap is defined as MAX_TCP_SESSIONS * .05 * 20 bytes */ +#define DNP3_DEFAULT_MEMCAP (256 * 1024) + +/* Register init callback */ +void SetupDNP3(void) +{ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("dnp3", DNP3Init); +#else + _dpd.registerPreproc("dnp3", DNP3Init, DNP3Reload, + DNP3ReloadSwap, DNP3ReloadSwapFree); +#endif +} + +/* Allocate memory for preprocessor config, parse the args, set up callbacks */ +static void DNP3Init(char *argp) +{ + int first_init = 0; + dnp3_config_t *dnp3_policy = NULL; + + if (dnp3_context_id == NULL) + { + first_init = 1; + DNP3OneTimeInit(); + } + + dnp3_policy = DNP3PerPolicyInit(dnp3_context_id); + + ParseDNP3Args(dnp3_policy, argp); + + PrintDNP3Config(dnp3_policy); + + DNP3RegisterPerPolicyCallbacks(dnp3_policy); +} + +static inline void DNP3OneTimeInit() +{ + /* context creation & error checking */ + dnp3_context_id = 
sfPolicyConfigCreate(); + if (dnp3_context_id == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory for " + "DNP3 config.\n"); + } + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupDNP3(): The Stream preprocessor " + "must be enabled.\n"); + } + + /* callback registration */ + _dpd.addPreprocConfCheck(DNP3CheckConfig); + _dpd.addPreprocExit(DNP3CleanExit, NULL, PRIORITY_LAST, PP_DNP3); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("dnp3", (void *)&dnp3PerfStats, 0, _dpd.totalPerfStats); +#endif + + /* Set up target-based app id */ +#ifdef TARGET_BASED + dnp3_app_id = _dpd.findProtocolReference("dnp3"); + if (dnp3_app_id == SFTARGET_UNKNOWN_PROTOCOL) + dnp3_app_id = _dpd.addProtocolReference("dnp3"); +#endif +} + +/* Responsible for allocating a DNP3 policy. Never returns NULL. */ +static inline dnp3_config_t * DNP3PerPolicyInit(tSfPolicyUserContextId context_id) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + dnp3_config_t *dnp3_policy = NULL; + + /* Check for existing policy & bail if found */ + sfPolicyUserPolicySet(context_id, policy_id); + dnp3_policy = (dnp3_config_t *)sfPolicyUserDataGetCurrent(context_id); + if (dnp3_policy != NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): DNP3 preprocessor can only be " + "configured once.\n", *_dpd.config_file, *_dpd.config_line); + } + + /* Allocate new policy */ + dnp3_policy = (dnp3_config_t *)calloc(1, sizeof(dnp3_config_t)); + if (!dnp3_policy) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "dnp3 preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(context_id, dnp3_policy); + + return dnp3_policy; +} + +static void DNP3RegisterPerPolicyCallbacks(dnp3_config_t *dnp3_policy) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + + /* Callbacks should be avoided if the preproc is disabled. 
*/ + if (dnp3_policy->disabled) + return; + + _dpd.addPreproc(ProcessDNP3, PRIORITY_APPLICATION, PP_DNP3, PROTO_BIT__TCP|PROTO_BIT__UDP); + _addPortsToStream5Filter(dnp3_policy, policy_id); +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif + DNP3AddPortsToPaf(dnp3_policy, policy_id); + + _dpd.preprocOptRegister(DNP3_FUNC_NAME, DNP3FuncInit, DNP3FuncEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(DNP3_OBJ_NAME, DNP3ObjInit, DNP3ObjEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(DNP3_IND_NAME, DNP3IndInit, DNP3IndEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(DNP3_DATA_NAME, DNP3DataInit, DNP3DataEval, free, NULL, NULL, NULL, NULL); +} + +static void ParseSinglePort(dnp3_config_t *config, char *token) +{ + /* single port number */ + char *endptr; + unsigned long portnum = _dpd.SnortStrtoul(token, &endptr, 10); + + if ((*endptr != '\0') || (portnum >= MAX_PORTS)) + { + DynamicPreprocessorFatalMessage("%s(%d): Bad dnp3 port number: %s\n" + "Port number must be an integer between 0 and 65535.\n", + *_dpd.config_file, *_dpd.config_line, token); + } + + /* Good port number! */ + config->ports[PORT_INDEX(portnum)] |= CONV_PORT(portnum); +} + +static void ParseDNP3Args(dnp3_config_t *config, char *args) +{ + char *saveptr; + char *token; + + /* Set defaults */ + config->memcap = DNP3_DEFAULT_MEMCAP; + config->ports[PORT_INDEX(DNP3_PORT)] |= CONV_PORT(DNP3_PORT); + config->check_crc = 0; + + /* No arguments? Stick with defaults. 
*/ + if (args == NULL) + return; + + token = strtok_r(args, " ,", &saveptr); + while (token != NULL) + { + if (strcmp(token, DNP3_PORTS_KEYWORD) == 0) + { + unsigned nPorts = 0; + + /* Un-set the default port */ + config->ports[PORT_INDEX(DNP3_PORT)] = 0; + + /* Parse ports */ + token = strtok_r(NULL, " ,", &saveptr); + + if (token == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Missing argument for " + "DNP3 preprocessor 'ports' option.\n", + *_dpd.config_file, *_dpd.config_line); + } + + if (isdigit(token[0])) + { + ParseSinglePort(config, token); + nPorts++; + } + else if (*token == '{') + { + /* list of ports */ + token = strtok_r(NULL, " ,", &saveptr); + while (token != NULL && *token != '}') + { + ParseSinglePort(config, token); + nPorts++; + token = strtok_r(NULL, " ,", &saveptr); + } + } + + else + { + nPorts = 0; + } + if ( nPorts == 0 ) + { + DynamicPreprocessorFatalMessage("%s(%d): Bad DNP3 'ports' argument: '%s'\n" + "Argument to DNP3 'ports' must be an integer, or a list " + "enclosed in { } braces.\n", + *_dpd.config_file, *_dpd.config_line, token); + } + } + else if (strcmp(token, DNP3_MEMCAP_KEYWORD) == 0) + { + uint32_t memcap; + char *endptr; + + /* Parse memcap */ + token = strtok_r(NULL, " ", &saveptr); + + /* In a multiple policy scenario, the memcap from the default policy + overrides the memcap in any targeted policies. 
*/ + if (_dpd.getParserPolicy() != _dpd.getDefaultPolicy()) + { + dnp3_config_t *default_config = + (dnp3_config_t *)sfPolicyUserDataGet(dnp3_context_id, + _dpd.getDefaultPolicy()); + + config->memcap = default_config->memcap; + } + else + { + if (token == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d): Missing argument for DNP3 " + "preprocessor 'memcap' option.\n", + *_dpd.config_file, *_dpd.config_line); + } + + memcap = _dpd.SnortStrtoul(token, &endptr, 10); + + if ((token[0] == '-') || (*endptr != '\0') || + (memcap < MIN_DNP3_MEMCAP) || (memcap > MAX_DNP3_MEMCAP)) + { + DynamicPreprocessorFatalMessage("%s(%d): Bad DNP3 'memcap' argument: %s\n" + "Argument to DNP3 'memcap' must be an integer between " + "%d and %d.\n", *_dpd.config_file, *_dpd.config_line, + token, MIN_DNP3_MEMCAP, MAX_DNP3_MEMCAP); + } + + config->memcap = memcap; + } + } + else if (strcmp(token, DNP3_CHECK_CRC_KEYWORD) == 0) + { + /* Parse check_crc */ + config->check_crc = 1; + } + else if (strcmp(token, DNP3_DISABLED_KEYWORD) == 0) + { + /* TODO: if disabled, check that no other stuff is turned on except memcap */ + config->disabled = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d): Failed to parse dnp3 argument: " + "%s\n", *_dpd.config_file, *_dpd.config_line, token); + } + token = strtok_r(NULL, " ,", &saveptr); + } +} + +/* Print a DNP3 config */ +static void PrintDNP3Config(dnp3_config_t *config) +{ + int index, newline = 1; + + if (config == NULL) + return; + + _dpd.logMsg("DNP3 config: \n"); + + if (config->disabled) + _dpd.logMsg(" DNP3: INACTIVE\n"); + + _dpd.logMsg(" Memcap: %d\n", config->memcap); + _dpd.logMsg(" Check Link-Layer CRCs: %s\n", + config->check_crc ? 
+ "ENABLED":"DISABLED");
+
+ _dpd.logMsg(" Ports:\n");
+
+ /* Loop through port array & print, 5 ports per line */
+ for (index = 0; index < MAX_PORTS; index++)
+ {
+ if (config->ports[PORT_INDEX(index)] & CONV_PORT(index))
+ {
+ _dpd.logMsg("\t%d", index);
+ if ( !((newline++) % 5) )
+ {
+ _dpd.logMsg("\n");
+ }
+ }
+ }
+ _dpd.logMsg("\n");
+}
+
+static int DNP3ProcessUDP(dnp3_config_t *dnp3_eval_config,
+ dnp3_session_data_t *sessp, SFSnortPacket *packetp)
+{
+ /* Possibly multiple PDUs in this UDP payload.
+ Split up and process individually. */
+
+ uint16_t bytes_processed = 0;
+ int truncated_pdu = 0;
+
+ while (bytes_processed < packetp->payload_size)
+ {
+ uint8_t dnp3_length;
+ uint8_t *pdu_start;
+ uint16_t user_data, num_crcs, pdu_length;
+
+ pdu_start = (uint8_t *)(packetp->payload + bytes_processed);
+
+ /* Alert and stop if (a) there's not enough data to read a length, or
+ (b) the start bytes are not 0x0564 */
+ /* XXX: DEFINE MAGIC NUMBERS */
+ if ((packetp->payload_size - bytes_processed < 3) ||
+ ((*pdu_start != 0x05) || (*(pdu_start+1) != 0x64)))
+ {
+ truncated_pdu = 1;
+ break;
+ }
+
+ /* Read the length. DNP3 length only counts non-CRC octets
+ that follow the length field itself. Each CRC is two octets.
+ One follows the header, then one CRC follows every 16 bytes
+ of user data. */
+
+ dnp3_length = (uint8_t) *(packetp->payload + bytes_processed + 2);
+
+ if (dnp3_length < DNP3_HEADER_REMAINDER_LEN)
+ {
+ truncated_pdu = 1;
+ break;
+ }
+
+ /* Calculate the actual length of data to inspect */
+ user_data = dnp3_length - DNP3_HEADER_REMAINDER_LEN;
+ num_crcs = 1 + (user_data/16) + (user_data % 16? 1 : 0);
+ pdu_length = 3 + dnp3_length + (2*num_crcs);
+
+ if (bytes_processed + pdu_length > packetp->payload_size)
+ {
+ truncated_pdu = 1;
+ break;
+ }
+
+ DNP3FullReassembly(dnp3_eval_config, sessp, packetp, pdu_start,
+ pdu_length);
+
+ bytes_processed += pdu_length;
+ }
+
+ if (truncated_pdu)
+ {
+ _dpd.alertAdd(GENERATOR_SPP_DNP3, DNP3_DROPPED_FRAME, 1, 0, 3,
+ DNP3_DROPPED_FRAME_STR, 0);
+ }
+
+ /* All detection was done when DNP3FullReassembly() called Detect()
+ on the reassembled PDUs. Clear the flag to avoid double alerts
+ on the last PDU. */
+ _dpd.DetectReset((uint8_t *)packetp->payload, packetp->payload_size);
+
+ return DNP3_OK;
+}
+
+/* Main runtime entry point */
+static void ProcessDNP3(void *ipacketp, void *contextp)
+{
+ SFSnortPacket *packetp = (SFSnortPacket *)ipacketp;
+ MemBucket *tmp_bucket = NULL;
+ dnp3_session_data_t *sessp = NULL;
+ PROFILE_VARS;
+
+ /* Sanity checks. Should this preprocessor run? */
+ if (( !packetp ) ||
+ ( !packetp->payload ) ||
+ ( !packetp->payload_size ) ||
+ ( !IPH_IS_VALID(packetp) ) ||
+ ( !packetp->tcp_header && !packetp->udp_header ))
+ {
+ return;
+ }
+
+ /* If TCP, require that PAF flushes full PDUs first. */
+ if (packetp->tcp_header && !PacketHasFullPDU(packetp))
+ return;
+
+ PREPROC_PROFILE_START(dnp3PerfStats);
+
+ /* When pipelined DNP3 PDUs appear in a single TCP segment or UDP packet,
+ the detection engine caches the results of the rule options after
+ evaluating on the first PDU. Setting this flag stops the caching. */
+ packetp->flags |= FLAG_ALLOW_MULTIPLE_DETECT;
+
+ /* Fetch me a preprocessor config to use with this VLAN/subnet/etc.! */
+ dnp3_eval_config = sfPolicyUserDataGetCurrent(dnp3_context_id);
+
+ /* Look for a previously-allocated session data. */
+ tmp_bucket = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_DNP3);
+
+ if (tmp_bucket == NULL)
+ {
+ /* No existing session. Check those ports.
*/
+ if (DNP3PortCheck(dnp3_eval_config, packetp) != DNP3_OK)
+ {
+ PREPROC_PROFILE_END(dnp3PerfStats);
+ return;
+ }
+
+ /* Create session data and attach it to the Stream5 session */
+ tmp_bucket = DNP3CreateSessionData(packetp);
+
+ if (tmp_bucket == NULL)
+ {
+ /* Mempool was full, don't process this session. */
+ static unsigned int times_mempool_alloc_failed = 0;
+
+ /* Print a message, but only every 1000 times.
+ Don't want to flood the log if there's a lot of DNP3 traffic. */
+ if (times_mempool_alloc_failed % 1000)
+ {
+ _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
+ }
+ times_mempool_alloc_failed++;
+
+ PREPROC_PROFILE_END(dnp3PerfStats);
+ return;
+ }
+ }
+
+ sessp = (dnp3_session_data_t *) tmp_bucket->data;
+
+ /* Set reassembly direction */
+ if (packetp->flags & FLAG_FROM_CLIENT)
+ sessp->direction = DNP3_CLIENT;
+ else
+ sessp->direction = DNP3_SERVER;
+
+ /* Do preprocessor-specific detection stuff here */
+ if (packetp->tcp_header)
+ {
+ /* Single PDU. PAF already split them up into separate pseudo-packets. */
+ DNP3FullReassembly(dnp3_eval_config, sessp, packetp,
+ (uint8_t *)packetp->payload, packetp->payload_size);
+ }
+ else if (packetp->udp_header)
+ {
+ DNP3ProcessUDP(dnp3_eval_config, sessp, packetp);
+ }
+
+ /* That's the end!
*/
+ PREPROC_PROFILE_END(dnp3PerfStats);
+}
+
+/* Check ports & services */
+static int DNP3PortCheck(dnp3_config_t *config, SFSnortPacket *packet)
+{
+#ifdef TARGET_BASED
+ int16_t app_id = _dpd.streamAPI->get_application_protocol_id(packet->stream_session_ptr);
+
+ /* call to get_application_protocol_id gave an error */
+ if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ return DNP3_FAIL;
+
+ /* this is positively identified as something non-dnp3 */
+ if (app_id && (app_id != dnp3_app_id))
+ return DNP3_FAIL;
+
+ /* this is identified as dnp3 */
+ if (app_id == dnp3_app_id)
+ return DNP3_OK;
+
+ /* fall back to port check */
+#endif
+
+ if (config->ports[PORT_INDEX(packet->src_port)] & CONV_PORT(packet->src_port))
+ return DNP3_OK;
+
+ if (config->ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port))
+ return DNP3_OK;
+
+ return DNP3_FAIL;
+}
+
+static MemBucket * DNP3CreateSessionData(SFSnortPacket *packet)
+{
+ MemBucket *tmp_bucket = NULL;
+ dnp3_session_data_t *data = NULL;
+
+ /* Sanity Check */
+ if (!packet || !packet->stream_session_ptr)
+ return NULL;
+
+ /* data = (dnp3_session_data_t *)calloc(1, sizeof(dnp3_session_data_t)); */
+
+ tmp_bucket = mempool_alloc(dnp3_mempool);
+ if (!tmp_bucket)
+ return NULL;
+
+ data = (dnp3_session_data_t *)tmp_bucket->data;
+
+ if (!data)
+ return NULL;
+
+ /* Attach to Stream5 session */
+ _dpd.streamAPI->set_application_data(packet->stream_session_ptr, PP_DNP3,
+ tmp_bucket, FreeDNP3Data);
+
+ /* Not sure when this reference counting stuff got added to the old preprocs */
+ data->policy_id = _dpd.getRuntimePolicy();
+ data->context_id = dnp3_context_id;
+ ((dnp3_config_t *)sfPolicyUserDataGetCurrent(dnp3_context_id))->ref_count++;
+
+ return tmp_bucket;
+}
+
+
+/* Reload functions */
+#ifdef SNORT_RELOAD
+/* Almost like DNP3Init, but not quite.
*/
+static void DNP3Reload(char *args)
+{
+ dnp3_config_t *dnp3_policy = NULL;
+
+ if (dnp3_swap_context_id == NULL)
+ {
+ dnp3_swap_context_id = sfPolicyConfigCreate();
+ if (dnp3_swap_context_id == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Failed to allocate memory "
+ "for DNP3 config.\n");
+ }
+
+ if (_dpd.streamAPI == NULL)
+ {
+ DynamicPreprocessorFatalMessage("SetupDNP3(): The Stream preprocessor "
+ "must be enabled.\n");
+ }
+ }
+
+ dnp3_policy = DNP3PerPolicyInit(dnp3_swap_context_id);
+
+ ParseDNP3Args(dnp3_policy, args);
+
+ PrintDNP3Config(dnp3_policy);
+
+ DNP3RegisterPerPolicyCallbacks(dnp3_policy);
+
+ _dpd.addPreprocReloadVerify(DNP3ReloadVerify);
+}
+
+/* Check that Stream5 is still running, and that the memcap didn't change. */
+static int DNP3ReloadVerify(void)
+{
+ dnp3_config_t *current_default_config, *new_default_config;
+
+ if ((dnp3_context_id == NULL) || (dnp3_swap_context_id == NULL))
+ return 0;
+
+ current_default_config =
+ (dnp3_config_t *)sfPolicyUserDataGet(dnp3_context_id, _dpd.getDefaultPolicy());
+
+ new_default_config =
+ (dnp3_config_t *)sfPolicyUserDataGet(dnp3_swap_context_id, _dpd.getDefaultPolicy());
+
+ /* Sanity check. Shouldn't be possible. */
+ if (current_default_config == NULL)
+ return 0;
+
+ if (new_default_config == NULL)
+ {
+ DynamicPreprocessorFatalMessage("DNP3 reload: Changing the DNP3 configuration "
+ "requires a restart.\n");
+ }
+
+ /* Did memcap change? */
+ if (current_default_config->memcap != new_default_config->memcap)
+ {
+ DynamicPreprocessorFatalMessage("DNP3 reload: Changing the DNP3 memcap "
+ "requires a restart.\n");
+ }
+
+ /* Did stream5 get turned off?
*/
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("SetupDNP3(): The Stream preprocessor must be enabled.\n");
+ }
+
+ return 0;
+}
+
+static int DNP3FreeUnusedConfigPolicy(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ dnp3_config_t *dnp3_config = (dnp3_config_t *)data;
+
+ /* do any housekeeping before freeing dnp3 config */
+ if (dnp3_config->ref_count == 0)
+ {
+ sfPolicyUserDataClear(context_id, policy_id);
+ free(dnp3_config);
+ }
+
+ return 0;
+}
+
+static void * DNP3ReloadSwap(void)
+{
+ tSfPolicyUserContextId old_context_id = dnp3_context_id;
+
+ if (dnp3_swap_context_id == NULL)
+ return NULL;
+
+ dnp3_context_id = dnp3_swap_context_id;
+ dnp3_swap_context_id = NULL;
+
+ sfPolicyUserDataIterate(old_context_id, DNP3FreeUnusedConfigPolicy);
+
+ if (sfPolicyUserPolicyGetActive(old_context_id) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ return (void *)old_context_id;
+ }
+
+ return NULL;
+}
+
+static void DNP3ReloadSwapFree(void *data)
+{
+ if (data == NULL)
+ return;
+
+ DNP3FreeConfig( (tSfPolicyUserContextId)data );
+}
+#endif
+
+/* Stream5 filter functions */
+static void _addPortsToStream5Filter(dnp3_config_t *config, tSfPolicyId policy_id)
+{
+ if (config == NULL)
+ return;
+
+ if (_dpd.streamAPI)
+ {
+ int portNum;
+
+ for (portNum = 0; portNum < MAX_PORTS; portNum++)
+ {
+ if(config->ports[(portNum/8)] & (1<<(portNum%8)))
+ {
+ //Add port the port
+ _dpd.streamAPI->set_port_filter_status(
+ IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ _dpd.streamAPI->set_port_filter_status(
+ IPPROTO_UDP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ }
+ }
+ }
+
+}
+
+#ifdef TARGET_BASED
+static void _addServicesToStream5Filter(tSfPolicyId policy_id)
+{
+ _dpd.streamAPI->set_service_filter_status(dnp3_app_id, PORT_MONITOR_SESSION, policy_id, 1);
+}
+#endif
+
+static int DNP3FreeConfigPolicy(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ dnp3_config_t *dnp3_config = (dnp3_config_t *)data;
+
+ /* do any housekeeping before freeing dnp3_config */
+
+ sfPolicyUserDataClear(context_id, policy_id);
+ free(dnp3_config);
+ return 0;
+}
+
+static void DNP3FreeConfig(tSfPolicyUserContextId context_id)
+{
+ if (context_id == NULL)
+ return;
+
+ sfPolicyUserDataIterate(context_id, DNP3FreeConfigPolicy);
+ sfPolicyConfigDelete(context_id);
+}
+
+static int DNP3IsEnabled(tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id, void *data)
+{
+ dnp3_config_t *config = (dnp3_config_t *)data;
+
+ if ((data == NULL) || config->disabled)
+ return 0;
+
+ return 1;
+}
+
+/* Check an individual policy */
+static int DNP3CheckPolicyConfig(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ dnp3_config_t *config = (dnp3_config_t *)data;
+
+ _dpd.setParserPolicy(policy_id);
+
+ /* In a multiple-policy setting, the preprocessor can be turned on in
+ a "disabled" state. In this case, we don't require Stream5. */
+ if (config->disabled)
+ return 0;
+
+ /* Otherwise, require Stream5. */
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("DNP3CheckPolicyConfig(): "
+ "The Stream preprocessor must be enabled.\n");
+ }
+ return 0;
+}
+
+/* Check configs & set up mempool.
+ Mempool stuff is in this function because we want to parse & check *ALL*
+ of the configs before allocating a mempool. */
+static void DNP3CheckConfig(void)
+{
+ unsigned int max_sessions;
+
+ /* Get default configuration */
+ dnp3_config_t *default_config =
+ (dnp3_config_t *)sfPolicyUserDataGetDefault(dnp3_context_id);
+
+ /* Check all individual configurations */
+ sfPolicyUserDataIterate(dnp3_context_id, DNP3CheckPolicyConfig);
+
+ /* Set up MemPool, but only if a config exists that's not "disabled".
*/
+ if (sfPolicyUserDataIterate(dnp3_context_id, DNP3IsEnabled) == 0)
+ return;
+
+ max_sessions = default_config->memcap / sizeof(dnp3_session_data_t);
+
+ dnp3_mempool = (MemPool *)calloc(1, sizeof(MemPool));
+ if (mempool_init(dnp3_mempool, max_sessions, sizeof(dnp3_session_data_t)) != 0)
+ {
+ DynamicPreprocessorFatalMessage("Unable to allocate DNP3 mempool.\n");
+ }
+}
+
+static void DNP3CleanExit(int signal, void *data)
+{
+ if (dnp3_context_id != NULL)
+ {
+ DNP3FreeConfig(dnp3_context_id);
+ dnp3_context_id = NULL;
+ }
+
+ if ((dnp3_mempool) && (mempool_destroy(dnp3_mempool) == 0))
+ {
+ free(dnp3_mempool);
+ dnp3_mempool = 0;
+ }
+}
+
+static void FreeDNP3Data(void *bucket)
+{
+ MemBucket *tmp_bucket = (MemBucket *)bucket;
+ dnp3_session_data_t *session;
+ dnp3_config_t *config = NULL;
+
+ if ((tmp_bucket == NULL) || (tmp_bucket->data == NULL))
+ return;
+
+ session = tmp_bucket->data;
+
+ if (session->context_id != NULL)
+ {
+ config = (dnp3_config_t *)sfPolicyUserDataGet(session->context_id, session->policy_id);
+ }
+
+ if (config != NULL)
+ {
+ config->ref_count--;
+ if ((config->ref_count == 0) &&
+ (session->context_id != dnp3_context_id))
+ {
+ sfPolicyUserDataClear(session->context_id, session->policy_id);
+ free(config);
+
+ if (sfPolicyUserPolicyGetActive(session->context_id) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ DNP3FreeConfig(session->context_id);
+ }
+ }
+ }
+
+ mempool_free(dnp3_mempool, tmp_bucket);
+}
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dnp3/spp_dnp3.h snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.h
--- snort-2.9.0.1/src/dynamic-preprocessors/dnp3/spp_dnp3.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/dnp3/spp_dnp3.h 2011-11-21 12:15:24.000000000 -0800
@@ -0,0 +1,185 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Dynamic preprocessor for the DNP3 protocol
+ *
+ */
+
+#ifndef SPP_DNP3_H
+#define SPP_DNP3_H
+
+#include "config.h"
+#include "sf_types.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+
+/* GIDs, SIDs, Messages */
+#define GENERATOR_SPP_DNP3 145
+
+#define DNP3_BAD_CRC 1
+#define DNP3_DROPPED_FRAME 2
+#define DNP3_DROPPED_SEGMENT 3
+#define DNP3_REASSEMBLY_BUFFER_CLEARED 4
+#define DNP3_RESERVED_ADDRESS 5
+#define DNP3_RESERVED_FUNCTION 6
+
+#define DNP3_BAD_CRC_STR "(spp_dnp3): DNP3 Link-Layer Frame contains bad CRC."
+#define DNP3_DROPPED_FRAME_STR "(spp_dnp3): DNP3 Link-Layer Frame was dropped."
+#define DNP3_DROPPED_SEGMENT_STR "(spp_dnp3): DNP3 Transport-Layer Segment was dropped during reassembly."
+#define DNP3_REASSEMBLY_BUFFER_CLEARED_STR "(spp_dnp3): DNP3 Reassembly Buffer was cleared without reassembling a complete message."
+#define DNP3_RESERVED_ADDRESS_STR "(spp_dnp3): DNP3 Link-Layer Frame uses a reserved address."
+#define DNP3_RESERVED_FUNCTION_STR "(spp_dnp3): DNP3 Application-Layer Fragment uses a reserved function code."
+
+#define MAX_PORTS 65536
+
+/* Default DNP3 port */
+#define DNP3_PORT 20000
+
+/* Memcap limits. */
+#define MIN_DNP3_MEMCAP 4144
+#define MAX_DNP3_MEMCAP (100 * 1024 * 1024)
+
+/* Convert port value into an index for the dnp3_config->ports array */
+#define PORT_INDEX(port) port/8
+
+/* Convert port value into a value for bitwise operations */
+#define CONV_PORT(port) 1<<(port%8)
+
+/* Packet directions */
+#define DNP3_CLIENT 0
+#define DNP3_SERVER 1
+
+/* Session data flags */
+#define DNP3_FUNC_RULE_FIRED 0x0001
+#define DNP3_OBJ_RULE_FIRED 0x0002
+#define DNP3_IND_RULE_FIRED 0x0004
+#define DNP3_DATA_RULE_FIRED 0x0008
+
+/* DNP3 minimum length: start (2 octets) + len (1 octet) */
+#define DNP3_MIN_LEN 3
+#define DNP3_LEN_OFFSET 2
+
+/* Length of the rest of a DNP3 link-layer header: ctrl + src + dest */
+#define DNP3_HEADER_REMAINDER_LEN 5
+
+/* Reassembly data types moved here to avoid circular dependency
+ with dnp3_sesion_data_t */
+#define DNP3_BUFFER_SIZE 2048
+typedef enum _dnp3_reassembly_state_t
+{
+ DNP3_REASSEMBLY_STATE__IDLE = 0,
+ DNP3_REASSEMBLY_STATE__ASSEMBLY,
+ DNP3_REASSEMBLY_STATE__DONE
+} dnp3_reassembly_state_t;
+
+typedef struct _dnp3_reassembly_data_t
+{
+ char buffer[DNP3_BUFFER_SIZE];
+ uint16_t buflen;
+ dnp3_reassembly_state_t state;
+ uint8_t last_seq;
+} dnp3_reassembly_data_t;
+
+
+/* DNP3 preprocessor configuration */
+typedef struct _dnp3_config
+{
+ uint32_t memcap;
+ char ports[MAX_PORTS/8];
+ uint8_t check_crc;
+ int disabled;
+
+ int ref_count;
+} dnp3_config_t;
+
+/* DNP3 session data */
+typedef struct _dnp3_session_data
+{
+ /* Fields for rule option matching.
*/
+ uint8_t direction;
+ uint8_t func;
+ uint8_t obj_group;
+ uint8_t obj_var;
+ uint16_t indications;
+ uint16_t flags;
+
+ /* Reassembly stuff */
+ dnp3_reassembly_data_t client_rdata;
+ dnp3_reassembly_data_t server_rdata;
+
+ tSfPolicyId policy_id;
+ tSfPolicyUserContextId context_id;
+} dnp3_session_data_t;
+
+
+/* DNP3 header structures */
+typedef struct _dnp3_link_header_t
+{
+ uint16_t start;
+ uint8_t len;
+ uint8_t ctrl;
+ uint16_t dest;
+ uint16_t src;
+} dnp3_link_header_t;
+
+#define DNP3_TRANSPORT_FIN(x) (x & 0x80)
+#define DNP3_TRANSPORT_FIR(x) (x & 0x40)
+#define DNP3_TRANSPORT_SEQ(x) (x & 0x3F)
+#define DNP3_MAX_TRANSPORT_LEN 250
+typedef struct _dnp3_transport_header_t
+{
+ uint8_t control;
+} dnp3_transport_header_t;
+
+
+/* Yep, the locations of FIR and FIN are switched at this layer... */
+#define DNP3_APP_FIR(x) (x & 0x80)
+#define DNP3_APP_FIN(x) (x & 0x40)
+#define DNP3_APP_SEQ(x) (x & 0x0F)
+typedef struct _dnp3_app_request_header_t
+{
+ uint8_t control;
+ uint8_t function;
+} dnp3_app_request_header_t;
+
+typedef struct _dnp3_app_response_header_t
+{
+ uint8_t control;
+ uint8_t function;
+ uint16_t indications;
+} dnp3_app_response_header_t;
+
+#define DNP3_CHECK_CRC_KEYWORD "check_crc"
+#define DNP3_PORTS_KEYWORD "ports"
+#define DNP3_MEMCAP_KEYWORD "memcap"
+#define DNP3_DISABLED_KEYWORD "disabled"
+
+#define DNP3_OK 1
+#define DNP3_FAIL (-1)
+
+#ifdef WORDS_BIGENDIAN
+#define DNP3_MIN_RESERVED_ADDR 0xF0FF
+#define DNP3_MAX_RESERVED_ADDR 0xFBFF
+#else
+#define DNP3_MIN_RESERVED_ADDR 0xFFF0
+#define DNP3_MAX_RESERVED_ADDR 0xFFFB
+#endif
+
+#endif /* SPP_DNP3_H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dns/Makefile.am snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/dns/Makefile.am 2010-06-09 15:05:13.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.am 2011-07-13 15:44:51.000000000 -0700
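Review bot: PORT_INDEX and CONV_PORT in spp_dnp3.h expand both their argument and their whole body unparenthesized, so `PORT_INDEX(a+b)` would divide only `b`, and the existing call sites of the form `config->ports[PORT_INDEX(p)] & CONV_PORT(p)` only evaluate correctly because `<<` happens to bind tighter than `&`; define them as `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))`. The DNP3_TRANSPORT_FIN/FIR/SEQ and DNP3_APP_FIR/FIN/SEQ macros have the same shape and should wrap `x` as `(x)` so a compound argument is masked as a whole. The comment above DNP3_BUFFER_SIZE also misspells the type it refers to as `dnp3_sesion_data_t`.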
@@ -1,38 +1,28 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_dns_preproc.la libsf_dns_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +if SO_WITH_STATIC_LIB +libsf_dns_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_dns_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_dns_preproc_la_SOURCES = \ spp_dns.c \ -spp_dns.h \ -sf_preproc_info.h +spp_dns.h EXTRA_DIST = \ sf_dns.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dns/Makefile.in snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/dns/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dns/Makefile.in 2011-12-07 11:23:19.000000000 -0800 
@@ -68,10 +68,12 @@ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_dns_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_dns_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_dns_preproc_la_OBJECTS = spp_dns.lo -nodist_libsf_dns_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dns_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_dns_preproc_la_OBJECTS = $(am_libsf_dns_preproc_la_OBJECTS) \ $(nodist_libsf_dns_preproc_la_OBJECTS) libsf_dns_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -104,7 +106,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -119,7 +123,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -155,13 +160,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ 
@@ -222,24 +233,19 @@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_dns_preproc.la libsf_dns_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_dns_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +@SO_WITH_STATIC_LIB_TRUE@libsf_dns_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_dns_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_dns_preproc_la_SOURCES = \ spp_dns.c \ -spp_dns.h \ -sf_preproc_info.h +spp_dns.h EXTRA_DIST = \ sf_dns.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -322,6 +328,12 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -411,15 +423,13 @@ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -444,10 +454,9 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -514,11 +523,11 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ 
@@ -531,18 +540,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sfPolicyUserData.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dns/sf_dns.dsp snort-2.9.2/src/dynamic-preprocessors/dns/sf_dns.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/dns/sf_dns.dsp 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/dns/sf_dns.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_dns - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dns - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_dns___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib 
uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_dns - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_dns___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# 
ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dns/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/dns/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/dns/sf_preproc_info.h 2010-01-26 10:09:59.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dns/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,34 +0,0 @@ -/* Copyright (C) 2005-2010 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 1 -#define BUILD_VERSION 4 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_DNS (IPV6)" -#else -#define PREPROC_NAME "SF_DNS" -#endif - -#define DYNAMIC_PREPROC_SETUP SetupDNS -extern void SetupDNS(void); - -#endif /* SF_PREPROC_INFO_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dns/spp_dns.c snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.c --- snort-2.9.0.1/src/dynamic-preprocessors/dns/spp_dns.c 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.c 2011-10-26 11:28:52.000000000 -0700 
@@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -28,7 +28,7 @@ * * Alert for DNS client rdata buffer overflow. * Alert for Obsolete or Experimental RData types (per RFC 1035) - * + * */ #ifdef HAVE_CONFIG_H @@ -39,13 +39,14 @@ #include <strings.h> #endif +#include "sf_types.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" -#include "sf_snort_plugin_api.h" #include "preprocids.h" -#include "debug.h" +#include "snort_debug.h" #include "spp_dns.h" +#include "sf_preproc_info.h" #include <stdio.h> #include <syslog.h> @@ -64,11 +65,23 @@ #include "sf_types.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" +#include "snort_bounds.h" #ifdef TARGET_BASED int16_t dns_app_id = SFTARGET_UNKNOWN_PROTOCOL; #endif +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 4; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_DNS (IPV6)"; +#else +const char *PREPROC_NAME = "SF_DNS"; +#endif + +#define SetupDNS DYNAMIC_PREPROC_SETUP + /* * Generator id. Define here the same as the official registry * in generators.h @@ -84,7 +97,7 @@ static void FreeDNSSessionData( void* ); static void ParseDNSArgs(DNSConfig *, u_char*); static void ProcessDNS( void*, void* ); -static INLINE int CheckDNSPort(DNSConfig *, uint16_t); +static inline int CheckDNSPort(DNSConfig *, uint16_t); static void DNSReset(int, void *); static void DNSResetStats(int, void *); static void _addPortsToStream5Filter(DNSConfig *, tSfPolicyId); @@ -107,8 +120,6 @@ #define DNS_RR_PTR 0xC0 -extern DynamicPreprocessorData _dpd; - static tSfPolicyUserContextId dns_config = NULL; DNSConfig *dns_eval_config = NULL; 
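Review bot: In the @@ -64,11 +65,23 @@ hunk `const char *PREPROC_NAME = "SF_DNS";` (and its IPv6 twin) qualifies only the pointee, so the exported pointer itself lives in writable data and can be repointed at runtime, while the neighbouring MAJOR_VERSION/MINOR_VERSION/BUILD_VERSION are genuinely read-only objects. Declaring it `const char *const PREPROC_NAME = "SF_DNS";` in both branches puts the plugin metadata presumably read by the loader in read-only storage; if the shared sf_preproc_info.h now included here declares these symbols with extern, its declaration needs the matching qualifier. The same hunk adds `#include "snort_bounds.h"`, but none of the visible hunks use anything from it — fine if a later part of the file does, otherwise it should be dropped.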
@@ -125,13 +136,13 @@ * to corresponding preprocessor initialization function. * * PARAMETERS: None. - * + * * RETURNS: Nothing. * */ void SetupDNS(void) { - /* Link preprocessor keyword to initialization function + /* Link preprocessor keyword to initialization function * in the preprocessor list. */ #ifndef SNORT_RELOAD _dpd.registerPreproc( "dns", DNSInit ); @@ -143,13 +154,13 @@ /* Initializes the DNS preprocessor module and registers * it in the preprocessor list. - * - * PARAMETERS: + * + * PARAMETERS: * * argp: Pointer to argument string to process for config * data. * - * RETURNS: Nothing. + * RETURNS: Nothing. */ static void DNSInit( char* argp ) { @@ -205,7 +216,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for " "DNS configuration.\n"); } - + sfPolicyUserDataSetCurrent(dns_config, pPolicyConfig); ParseDNSArgs(pPolicyConfig, (u_char *)argp); @@ -217,13 +228,13 @@ #endif } -/* Parses and processes the configuration arguments +/* Parses and processes the configuration arguments * supplied in the DNS preprocessor rule. * - * PARAMETERS: + * PARAMETERS: * * argp: Pointer to string containing the config arguments. - * + * * RETURNS: Nothing. */ static void ParseDNSArgs(DNSConfig *config, u_char* argp) 
@@ -234,35 +245,35 @@ if (config == NULL) return; - + /* Set up default port to listen on */ config->ports[ PORT_INDEX( DNS_PORT ) ] |= CONV_PORT(DNS_PORT); - + /* Sanity check(s) */ if ( !argp ) { PrintDNSConfig(config); return; } - + argcpyp = strdup( (char*) argp ); - + if ( !argcpyp ) { DynamicPreprocessorFatalMessage("Could not allocate memory to parse DNS options.\n"); return; } - + cur_tokenp = strtok( argcpyp, " "); - + while ( cur_tokenp ) { if ( !strcmp( cur_tokenp, DNS_PORTS_KEYWORD )) { - /* If the user specified ports, remove 'DNS_PORT' for now since + /* If the user specified ports, remove 'DNS_PORT' for now since * it now needs to be set explicitely. */ config->ports[ PORT_INDEX( DNS_PORT ) ] = 0; - + /* Eat the open brace. */ cur_tokenp = strtok( NULL, " "); if (( !cur_tokenp ) || ( strcmp(cur_tokenp, "{" ))) @@ -274,13 +285,13 @@ //free(argcpyp); //return; } - + cur_tokenp = strtok( NULL, " "); while (( cur_tokenp ) && strcmp(cur_tokenp, "}" )) { if ( !isdigit( (int)cur_tokenp[0] )) { - DynamicPreprocessorFatalMessage("%s(%d) Bad port %s.\n", + DynamicPreprocessorFatalMessage("%s(%d) Bad port %s.\n", *(_dpd.config_file), *(_dpd.config_line), cur_tokenp ); //free(argcpyp); //return; @@ -288,7 +299,7 @@ else { port = atoi( cur_tokenp ); - if( port < 0 || port > MAX_PORTS ) + if( port < 0 || port > MAX_PORTS ) { DynamicPreprocessorFatalMessage("%s(%d) Port value illegitimate: %s\n", *(_dpd.config_file), *(_dpd.config_line), @@ -296,10 +307,10 @@ //free(argcpyp); //return; } - + config->ports[ PORT_INDEX( port ) ] |= CONV_PORT(port); } - + cur_tokenp = strtok( NULL, " "); } } @@ -326,16 +337,16 @@ DynamicPreprocessorFatalMessage("Invalid argument: %s\n", cur_tokenp); return; } - + cur_tokenp = strtok( NULL, " " ); } - + PrintDNSConfig(config); free(argcpyp); } -/* Display the configuration for the DNS preprocessor. - * +/* Display the configuration for the DNS preprocessor. + * * PARAMETERS: None. * * RETURNS: Nothing. 
@@ -346,11 +357,11 @@ if (config == NULL) return; - + _dpd.logMsg("DNS config: \n"); #if 0 - _dpd.logMsg(" Autodetection: %s\n", - config->autodetect ? + _dpd.logMsg(" Autodetection: %s\n", + config->autodetect ? "ENABLED":"DISABLED"); #endif _dpd.logMsg(" DNS Client rdata txt Overflow Alert: %s\n", @@ -362,10 +373,10 @@ _dpd.logMsg(" Experimental DNS RR Types Alert: %s\n", config->enabled_alerts & DNS_ALERT_EXPERIMENTAL_TYPES ? "ACTIVE" : "INACTIVE" ); - + /* Printing ports */ - _dpd.logMsg(" Ports:"); - for(index = 0; index < MAX_PORTS; index++) + _dpd.logMsg(" Ports:"); + for(index = 0; index < MAX_PORTS; index++) { if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) { @@ -375,9 +386,9 @@ _dpd.logMsg("\n"); } -/* Retrieves the DNS data block registered with the stream +/* Retrieves the DNS data block registered with the stream * session associated w/ the current packet. If none exists, - * allocates it and registers it with the stream API. + * allocates it and registers it with the stream API. * * PARAMETERS: * @@ -423,21 +434,21 @@ memset(dnsSessionData, 0, sizeof(DNSSessionData)); return dnsSessionData; } - + /* More Sanity check(s) */ if ( !p->stream_session_ptr ) { return NULL; } - + dnsSessionData = calloc( 1, sizeof( DNSSessionData )); - + if ( !dnsSessionData ) return NULL; - + /*Register the new DNS data block in the stream session. */ - _dpd.streamAPI->set_application_data( - p->stream_session_ptr, + _dpd.streamAPI->set_application_data( + p->stream_session_ptr, PP_DNS, dnsSessionData, FreeDNSSessionData ); return dnsSessionData; @@ -446,7 +457,7 @@ /* Registered as a callback with the DNS data when they are * added to the stream session. Called by stream when a * session is about to be destroyed to free that data. - * + * * PARAMETERS: * * application_data: Pointer to the DNS data 
@@ -471,7 +482,7 @@ * RETURNS: DNS_TRUE, if the port is indeed an DNS server port. * DNS_FALSE, otherwise. */ -static INLINE int CheckDNSPort(DNSConfig *config, uint16_t port) +static inline int CheckDNSPort(DNSConfig *config, uint16_t port) { return config->ports[PORT_INDEX(port)] & CONV_PORT(port); } @@ -720,7 +731,7 @@ } break; } - + /* Go to the next portion of the name */ dnsSessionData->curr_txt.name_state = DNS_RESP_STATE_NAME_SIZE; } @@ -848,7 +859,7 @@ return bytes_unused; } } - + switch (dnsSessionData->curr_rec_state) { case DNS_RESP_STATE_RR_TYPE: @@ -906,7 +917,7 @@ while (dnsSessionData->bytes_seen_curr_rec < 4) { dnsSessionData->bytes_seen_curr_rec++; - dnsSessionData->curr_rr.ttl |= + dnsSessionData->curr_rr.ttl |= (uint8_t)*data << (4-dnsSessionData->bytes_seen_curr_rec)*8; data++; bytes_unused--; @@ -1042,7 +1053,7 @@ } break; } - + /* Go to the next portion of the name */ dnsSessionData->curr_txt.name_state = DNS_RESP_STATE_RR_NAME_SIZE; } @@ -1168,7 +1179,7 @@ } /* Print out the header (but only once -- when we're ready to parse the Questions */ -#ifdef DEBUG +#ifdef DEBUG_MSGS if ((dnsSessionData->curr_rec_state == DNS_RESP_STATE_Q_NAME) && (dnsSessionData->curr_rec == 0)) { @@ -1206,7 +1217,7 @@ dnsSessionData->curr_q.dns_class); ); dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_NAME; - dnsSessionData->curr_rec++; + dnsSessionData->curr_rec++; } if (bytes_unused > 0) { @@ -1242,7 +1253,7 @@ { case DNS_RESP_STATE_RR_RDATA_START: DEBUG_WRAP( - DebugMessage(DEBUG_DNS, + DebugMessage(DEBUG_DNS, "DNS ANSWER RR %d: type %d, class %d, " "ttl %d rdlength %d\n", i, dnsSessionData->curr_rr.type, @@ -1298,7 +1309,7 @@ { case DNS_RESP_STATE_RR_RDATA_START: DEBUG_WRAP( - DebugMessage(DEBUG_DNS, + DebugMessage(DEBUG_DNS, "DNS AUTH RR %d: type %d, class %d, " "ttl %d rdlength %d\n", i, dnsSessionData->curr_rr.type, 
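Review bot: The new `#ifdef DEBUG_MSGS` guard in the @@ -1168,7 +1179,7 @@ hunk is not matched by the Win32 project settings changed earlier in this patch: the sf_dns.dsp debug configuration defines `_DEBUG` and `DEBUG` but not `DEBUG_MSGS`, so unless a shared header derives one from the other, the question-header dump under this guard is compiled out on Windows debug builds while the surrounding `DEBUG_WRAP(...)` sites stay governed by whatever macro that wrapper keys off. Either add `/D "DEBUG_MSGS"` to the .dsp debug configurations or confirm that snort_debug.h maps DEBUG to DEBUG_MSGS. The `#endif` that closes this block lies outside the hunk.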
@@ -1354,7 +1365,7 @@ { case DNS_RESP_STATE_RR_RDATA_START: DEBUG_WRAP( - DebugMessage(DEBUG_DNS, + DebugMessage(DEBUG_DNS, "DNS ADDITONAL RR %d: type %d, class %d, " "ttl %d rdlength %d\n", i, dnsSessionData->curr_rr.type, @@ -1400,12 +1411,12 @@ return; } -/* Main runtime entry point for DNS preprocessor. - * Analyzes DNS packets for anomalies/exploits. - * +/* Main runtime entry point for DNS preprocessor. + * Analyzes DNS packets for anomalies/exploits. + * * PARAMETERS: * - * p: Pointer to current packet to process. + * p: Pointer to current packet to process. * context: Pointer to context block, not used. * * RETURNS: Nothing. @@ -1416,7 +1427,7 @@ uint8_t src = 0; uint8_t dst = 0; uint8_t known_port = 0; - uint8_t direction = 0; + uint8_t direction = 0; SFSnortPacket* p; #ifdef TARGET_BASED int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; @@ -1431,7 +1442,7 @@ return; dns_eval_config = config; - + p = (SFSnortPacket*) packetPtr; /* check if we have data to work with */ @@ -1440,7 +1451,7 @@ /* Attempt to get a previously allocated DNS block. If none exists, * allocate and register one with the stream layer. */ - dnsSessionData = _dpd.streamAPI->get_application_data( + dnsSessionData = _dpd.streamAPI->get_application_data( p->stream_session_ptr, PP_DNS ); if (dnsSessionData == NULL) @@ -1486,7 +1497,7 @@ return; } } - + /* For TCP, do a few extra checks... */ if (p->tcp_header) { @@ -1523,7 +1534,7 @@ } /* Get the direction of the packet. */ - direction = ( (p->flags & FLAG_FROM_SERVER ) ? + direction = ( (p->flags & FLAG_FROM_SERVER ) ? DNS_DIR_FROM_SERVER : DNS_DIR_FROM_CLIENT ); } else if (p->udp_header) @@ -1546,13 +1557,13 @@ } PREPROC_PROFILE_START(dnsPerfStats); - + /* Check the stream session. If it does not currently * have our DNS data-block attached, create one. */ if (dnsSessionData == NULL) dnsSessionData = GetDNSSessionData(p, config); - + if ( !dnsSessionData ) { /* Could not get/create the session data for this packet. */ 
@@ -1571,7 +1582,7 @@ { ParseDNSResponseMessage(p, dnsSessionData); } - + PREPROC_PROFILE_END(dnsPerfStats); } @@ -1615,7 +1626,7 @@ static int DnsFreeConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1705,7 +1716,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for " "DNS configuration.\n"); } - + sfPolicyUserDataSetCurrent(dns_swap_config, pPolicyConfig); ParseDNSArgs(pPolicyConfig, (u_char *)argp); diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/dns/spp_dns.h snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.h --- snort-2.9.0.1/src/dynamic-preprocessors/dns/spp_dns.h 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/dns/spp_dns.h 2011-02-09 15:23:17.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,12 +1,12 @@ /* * ftp_bounce_lookup.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or 
@@ -38,6 +38,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -60,7 +64,7 @@ */ int ftp_bounce_lookup_init(BOUNCE_LOOKUP **BounceLookup) { - KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPBounceTo); + KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPBounceTo); *BounceLookup = km; if(*BounceLookup == NULL) { @@ -104,21 +108,21 @@ /* * Function: ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, - * char *ip, int len, + * char *ip, int len, * FTP_BOUNCE_TO *BounceTo) - * + * * Purpose: Add a bounce configuration to the list. IP is stored * in dot notation order. When the lookup happens, we * compare up to len bytes of the address. * * Arguments: BounceLookup => a pointer to the lookup structure - * IP => the ftp bounce address + * IP => the ftp bounce address * BounceTo => a pointer to the bounce configuration structure * * Returns: int => return code indicating error or success * */ -int ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, +int ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, FTP_BOUNCE_TO *BounceTo) { int iRet; @@ -167,7 +171,7 @@ * */ FTP_BOUNCE_TO *ftp_bounce_lookup_find( - BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, int *iError ) + BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, int *iError ) { FTP_BOUNCE_TO *BounceTo = NULL; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h 2011-02-09 15:23:17.000000000 -0800 
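Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` block in the @@ -38,6 +38,10 @@ hunk comes after `<stdio.h>` and `<string.h>`; if config.h sets feature-test or HAVE_* macros (the usual autoconf pattern), those system headers have already been parsed without them, which can silently change which prototypes and types are visible. spp_dns.c in this same patch places its HAVE_CONFIG_H block ahead of its `<strings.h>` include, so moving these three lines above `#include <stdio.h>` here keeps the two preprocessors consistent. The same late placement is introduced by this patch in ftp_cmd_lookup.c, ftpp_eo_log.c and ftpp_si.c.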
@@ -1,7 +1,7 @@ /* * ftp_bounce_lookup.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_client.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_client.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_client.h 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_client.h 2011-02-09 15:23:17.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftp_client.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,12 +1,12 @@ /* * ftp_cmd_lookup.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -38,6 +38,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" 
@@ -60,7 +64,7 @@ */ int ftp_cmd_lookup_init(CMD_LOOKUP **CmdLookup) { - KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPCMDConf); + KMAP *km = KMapNew((KMapUserFreeFunc)FTPTelnetCleanupFTPCMDConf); *CmdLookup = km; if(*CmdLookup == NULL) { @@ -104,9 +108,9 @@ /* * Function: ftp_cmd_lookup_add(CMD_LOOKUP *CmdLookup, - * char *ip, int len, + * char *ip, int len, * FTP_CMD_CONF *FTPCmd) - * + * * Purpose: Add a cmd configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -122,7 +126,7 @@ * Returns: int => return code indicating error or success * */ -int ftp_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char *cmd, int len, +int ftp_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char *cmd, int len, FTP_CMD_CONF *FTPCmd) { int iRet; @@ -171,7 +175,7 @@ * matching IP if found, NULL otherwise. * */ -FTP_CMD_CONF *ftp_cmd_lookup_find(CMD_LOOKUP *CmdLookup, +FTP_CMD_CONF *ftp_cmd_lookup_find(CMD_LOOKUP *CmdLookup, const char *cmd, int len, int *iError) { FTP_CMD_CONF *FTPCmd = NULL; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h 2011-02-09 15:23:17.000000000 -0800 
@@ -1,7 +1,7 @@ /* * ftp_cmd_lookup.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h 2011-02-09 15:23:18.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftpp_eo_events.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo.h 2011-02-09 15:23:18.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftpp_eo.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c 2011-06-07 17:33:13.000000000 -0700 
@@ -1,7 +1,7 @@ /* * ftpp_eo_log.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> @@ -23,13 +23,13 @@ * * Description: * - * This file contains the event output functionality that + * This file contains the event output functionality that * FTPTelnet uses to log events and data associated with * the events. * * Log events, retrieve events, and select events that HttpInspect * generates. - * + * * Logging Events: * Since the object behind this is no memset()s, we have to rely on the * stack interface to make sure we don't log the same event twice. So @@ -44,6 +44,10 @@ */ #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ftpp_si.h" #include "ftpp_eo.h" #include "ftpp_eo_events.h" @@ -64,7 +68,7 @@ * Any time that a new client event is added, we have to * add the event id and the priority here. If you want to * change either of those characteristics, you have to change - * them here. + * them here. */ static FTPP_EVENT_INFO ftp_event_info[FTP_EO_EVENT_NUM] = { { FTP_EO_TELNET_CMD, @@ -202,9 +206,9 @@ type->id; telnet_event_info[TELNET_EO_AYT_OVERFLOW].priority = type->priority; - telnet_event_info[TELNET_EO_SB_NO_SE].classification = + telnet_event_info[TELNET_EO_SB_NO_SE].classification = type->id; - telnet_event_info[TELNET_EO_SB_NO_SE].priority= + telnet_event_info[TELNET_EO_SB_NO_SE].priority= type->priority; } log_initialized = 1; @@ -314,7 +318,7 @@ gen_events.events = (FTPP_EVENT *)&(telnet_events->events); gen_events.stack = (int *)&(telnet_events->stack); gen_events.stack_count = telnet_events->stack_count; - event_info = &telnet_event_info[iEvent]; + event_info = &telnet_event_info[iEvent]; iRet = ftpp_eo_event_log(&gen_events, event_info, iEvent, data, free_data); 
@@ -362,7 +366,7 @@ gen_events.events = (FTPP_EVENT *)&(ftp_events->events); gen_events.stack = (int *)&(ftp_events->stack); gen_events.stack_count = ftp_events->stack_count; - event_info = &ftp_event_info[iEvent]; + event_info = &ftp_event_info[iEvent]; iRet = ftpp_eo_event_log(&gen_events, event_info, iEvent, data, free_data); diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h 2011-02-09 15:23:18.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftpp_eo_log.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_include.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_include.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_include.h 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_include.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,7 @@ /* * ftpp_include.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> 
@@ -32,13 +32,13 @@ #ifndef __FTP_INCLUDE_H__ #define __FTP_INCLUDE_H__ +#include "sf_types.h" #include "sf_ip.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #define GENERATOR_SPP_FTPP_FTP 125 #define GENERATOR_SPP_FTPP_TELNET 126 -extern DynamicPreprocessorData _dpd; #endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h 2011-02-09 15:23:18.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftpp_return_codes.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_si.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_si.c 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,12 +1,12 @@ /* * ftpp_si.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or 
@@ -27,8 +27,8 @@ * This file contains functions to select server configurations * and begin the FTPTelnet process. * - * The Session Inspection Module interfaces with the Stream Inspection - * Module and the User Interface Module to select the appropriate + * The Session Inspection Module interfaces with the Stream Inspection + * Module and the User Interface Module to select the appropriate * FTPTelnet configuration and in the case of stateful inspection the * Session Inspection Module retrieves the user-data from the Stream * Module. For stateless inspection, the Session Inspection Module uses @@ -47,6 +47,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ftpp_return_codes.h" #include "ftpp_ui_config.h" #include "ftpp_ui_client_lookup.h" @@ -96,9 +100,9 @@ * Function: TelnetFreeSession(void *preproc_session) * * Purpose: This function frees the data that is associated with a session. - * + * * Arguments: preproc_session => pointer to the session to free - * + * * Returns: None */ static void TelnetFreeSession(void *preproc_session) @@ -135,13 +139,13 @@ * initialized for a new Session. I've tried to keep this to * a minimum, so we don't have to worry about initializing big * structures. - * + * * Arguments: Session => pointer to the session to reset - * + * * Returns: int => return code indicating error or success * */ -static INLINE int TelnetResetSession(TELNET_SESSION *Session) +static inline int TelnetResetSession(TELNET_SESSION *Session) { Session->ft_ssn.proto = FTPP_SI_PROTO_TELNET; Session->telnet_conf = NULL; @@ -256,7 +260,7 @@ return FTPP_SUCCESS; } - + /* * Function: TelnetSessionInspection(Packet *p, 
@@ -342,10 +346,10 @@ #endif /* - * We get the server configuration and the session structure differently - * depending on what type of inspection we are doing. In the case of + * We get the server configuration and the session structure differently + * depending on what type of inspection we are doing. In the case of * stateful processing, we may get the session structure from the Stream - * Reassembly module (which includes the server configuration) or the + * Reassembly module (which includes the server configuration) or the * structure will be allocated and added to the stream pointer for the * rest of the session. * @@ -377,7 +381,7 @@ * the packet is a server response packet. * * Arguments: p => pointer to the Packet - * + * * Returns: int => return code indicating the mode * */ @@ -385,8 +389,8 @@ { if (p->payload_size >= 3) { - if (isdigit(p->payload[0]) && - isdigit(p->payload[1]) && + if (isdigit(p->payload[0]) && + isdigit(p->payload[1]) && isdigit(p->payload[2]) ) { return FTPP_SI_SERVER_MODE; @@ -400,9 +404,9 @@ } /* - * Function: FTPInitConf(Packet *p, FTPTELNET_GLOBAL_CONF *GlobalConf, - * FTP_CLIENT_PROTO_CONF **ClientConf, - * FTP_SERVER_PROTO_CONF **ServerConf, + * Function: FTPInitConf(Packet *p, FTPTELNET_GLOBAL_CONF *GlobalConf, + * FTP_CLIENT_PROTO_CONF **ClientConf, + * FTP_SERVER_PROTO_CONF **ServerConf, * FTPP_SI_INPUT *SiInput, int *piInspectMode) * * Purpose: When a session is initialized, we must select the appropriate @@ -410,8 +414,8 @@ * on the source and destination ports. * * IMPORTANT NOTE: - * We should check to make sure that there are some unique configurations, - * otherwise we can just default to the global default and work some magic + * We should check to make sure that there are some unique configurations, + * otherwise we can just default to the global default and work some magic * that way. * * Arguments: p => pointer to the Packet/Session 
@@ -422,13 +426,13 @@ * config so we can set it. * SiInput => pointer to the packet info * piInspectMode => pointer so we can set the inspection mode - * + * * Returns: int => return code indicating error or success * */ -static int FTPInitConf(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf, - FTP_CLIENT_PROTO_CONF **ClientConf, - FTP_SERVER_PROTO_CONF **ServerConf, +static int FTPInitConf(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf, + FTP_CLIENT_PROTO_CONF **ClientConf, + FTP_SERVER_PROTO_CONF **ServerConf, FTPP_SI_INPUT *SiInput, int *piInspectMode) { FTP_CLIENT_PROTO_CONF *ClientConfSip; @@ -462,14 +466,14 @@ sip = ntohl(sip); dip = ntohl(dip); #endif - + /* * We find the client configurations for both the source and dest IPs. * There should be a check on the global configuration to see if there * is at least one unique client configuration. If there isn't then we * assume the global client configuration. */ - ClientConfDip = ftpp_ui_client_lookup_find(GlobalConf->client_lookup, + ClientConfDip = ftpp_ui_client_lookup_find(GlobalConf->client_lookup, #ifdef SUP_IP6 &dip, #else @@ -501,7 +505,7 @@ * is at least one unique client configuration. If there isn't then we * assume the global client configuration. */ - ServerConfDip = ftpp_ui_server_lookup_find(GlobalConf->server_lookup, + ServerConfDip = ftpp_ui_server_lookup_find(GlobalConf->server_lookup, #ifdef SUP_IP6 &dip, #else @@ -534,8 +538,8 @@ * is a sort of problem. We don't know which side is the client and which * side is the server so we have to assume one. * - * In stateful processing, we only do this stage on the startup of a - * session, so we can still assume that the initial packet is the client + * In stateful processing, we only do this stage on the startup of a + * session, so we can still assume that the initial packet is the client * talking. */ iServerDip = PortMatch((PROTO_CONF*)ServerConfDip, SiInput->dport); 
@@ -562,16 +566,16 @@ if (app_id == ftp_app_id || app_id == 0) { #endif - + /* - * We check for the case where both SIP and DIP + * We check for the case where both SIP and DIP * appear to be servers. In this case, we assume server * and process that way. */ if(iServerSip && iServerDip) { /* - * We check for the case where both SIP and DIP + * We check for the case where both SIP and DIP * appear to be servers. In this case, we look at * the first few bytes of the packet to try to * determine direction -- 3 digits indicate server @@ -583,7 +587,7 @@ * a server response mid-stream. */ *piInspectMode = FTPGetPacketDir(p); - if (*piInspectMode == FTPP_SI_SERVER_MODE) + if (*piInspectMode == FTPP_SI_SERVER_MODE) { /* Packet is from server --> src is Server */ *ClientConf = ClientConfDip; @@ -670,7 +674,7 @@ *ServerConf = NULL; break; } - + return iRet; } @@ -678,9 +682,9 @@ * Function: FTPFreeSession(void *preproc_session) * * Purpose: This function frees the data that is associated with a session. - * + * * Arguments: preproc_session => pointer to the session to free - * + * * Returns: None */ static void FTPFreeSession(void *preproc_session) @@ -718,14 +722,14 @@ * initialized for a new Session. I've tried to keep this to * a minimum, so we don't have to worry about initializing big * structures. - * + * * Arguments: FtpSession => pointer to the session to reset * first => indicator whether this is a new conf - * + * * Returns: int => return code indicating error or success * */ -static INLINE int FTPResetSession(FTP_SESSION *FtpSession) +static inline int FTPResetSession(FTP_SESSION *FtpSession) { FtpSession->ft_ssn.proto = FTPP_SI_PROTO_FTP; @@ -874,7 +878,7 @@ return FTPP_SUCCESS; } - + /* * Function: FTPSessionInspection(Packet *p, 
@@ -910,10 +914,10 @@ int iRet; /* - * We get the server configuration and the session structure differently - * depending on what type of inspection we are doing. In the case of + * We get the server configuration and the session structure differently + * depending on what type of inspection we are doing. In the case of * stateful processing, we may get the session structure from the Stream - * Reassembly module (which includes the server configuration) or the + * Reassembly module (which includes the server configuration) or the * structure will be allocated and added to the stream pointer for the * rest of the session. * diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_si.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_si.h 2010-01-26 10:10:01.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_si.h 2011-02-09 15:23:18.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftpp_si.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c 2011-06-07 17:33:13.000000000 -0700 
@@ -1,12 +1,12 @@ /* * ftpp_ui_client_lookup.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -38,6 +38,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -104,9 +108,9 @@ /* * Function: ftpp_ui_client_lookup_add(CLIENT_LOOKUP *ClientLookup, - * char *ip, int len, + * char *ip, int len, * FTP_CLIENT_PROTO_CONF *ClientConf) - * + * * Purpose: Add a client configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -116,16 +120,16 @@ * * Arguments: ClientLookup => a pointer to the lookup structure * IP => the ftp client address - * len => Length of the address + * len => Length of the address * ClientConf => a pointer to the client configuration structure * * Returns: int => return code indicating error or success * */ int ftpp_ui_client_lookup_add( - CLIENT_LOOKUP *ClientLookup, + CLIENT_LOOKUP *ClientLookup, sfip_t* Ip, FTP_CLIENT_PROTO_CONF *ClientConf -) +) { int iRet; @@ -182,7 +186,7 @@ * */ -FTP_CLIENT_PROTO_CONF *ftpp_ui_client_lookup_find(CLIENT_LOOKUP *ClientLookup, +FTP_CLIENT_PROTO_CONF *ftpp_ui_client_lookup_find(CLIENT_LOOKUP *ClientLookup, snort_ip_p Ip, int *iError) { FTP_CLIENT_PROTO_CONF *ClientConf = NULL; 
@@ -214,7 +218,7 @@ } #if 0 -/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with +/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with * a callback function but does not support getFirst, getNext operations. */ /* @@ -301,11 +305,11 @@ return ClientConf; } -#endif +#endif -/**Free pData buffer, which may be referenced multiple times. ReferenceCount - * is the number of times the buffer is referenced. For freeing the buffer, - * we just decrement referenceCount till it reaches 0, at which time the +/**Free pData buffer, which may be referenced multiple times. ReferenceCount + * is the number of times the buffer is referenced. For freeing the buffer, + * we just decrement referenceCount till it reaches 0, at which time the * buffer is also freed. */ static void clientConfFree(void *pData) diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h 2011-02-09 15:23:18.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftpp_ui_client_lookup.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c 2011-06-07 17:33:13.000000000 -0700 
@@ -1,7 +1,7 @@ /* * ftpp_ui_config.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> @@ -42,6 +42,10 @@ #include <arpa/inet.h> #endif +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "ftpp_return_codes.h" #include "ftpp_ui_client_lookup.h" #include "ftpp_ui_server_lookup.h" @@ -88,7 +92,7 @@ * of FTPTelnet, you must change this function. * * Arguments: GlobalConf => pointer to the global configuration structure - * + * * Returns: int => return code indicating error or success * */ @@ -147,7 +151,7 @@ return FTPP_SUCCESS; } - + /* * Function: ftpp_ui_config_reset_telnet_proto(TELNET_PROTO_CONF *TelnetConf) * diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h 2011-06-07 17:33:13.000000000 -0700 @@ -1,12 +1,12 @@ /* * ftpp_ui_config.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -44,6 +44,7 @@ #include "hi_util_kmap.h" #include "ipv6_port.h" #include "sfrt.h" +#include "snort_bounds.h" /* * Defines 
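Review bot: `#include "snort_bounds.h"` is added to ftpp_ui_config.h, but nothing in the visible hunks of that header references a name from it; if no declaration later in the header does either, the include belongs in the .c files that call the bounds-checking helpers rather than in a header every consumer of the configuration types pulls in. If a later prototype or struct does depend on it, a one-line comment next to the include naming that declaration would save the next reader the search. Whether the rest of the header uses it cannot be determined from this diff.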
@@ -116,7 +117,7 @@ * * If you need to check validity for a server that uses the TZ format, * use the following: - * + * * cmd_validity MDTM < [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string > * * Format uses the following: @@ -216,7 +217,7 @@ PROTO_CONF proto_ports; char *serverAddr; - + unsigned int def_max_param_len; unsigned int max_cmd_len; @@ -229,10 +230,10 @@ int data_chan; /**Counts references to this allocated data structure. Each additional - * reference should increment referenceCount. Each attempted free should - * decrement it. When reference count reaches 0, then this - * data structure should be freed. - */ + * reference should increment referenceCount. Each attempted free should + * decrement it. When reference count reaches 0, then this + * data structure should be freed. + */ int referenceCount; } FTP_SERVER_PROTO_CONF; @@ -266,10 +267,10 @@ BOUNCE_LOOKUP *bounce_lookup; /**Counts references to this allocated data structure. Each additional - * reference should increment referenceCount. Each attempted free should - * decrement it. When reference count reaches 0, then this - * data structure should be freed. - */ + * reference should increment referenceCount. Each attempted free should + * decrement it. When reference count reaches 0, then this + * data structure should be freed. + */ int referenceCount; } FTP_CLIENT_PROTO_CONF; @@ -289,7 +290,7 @@ int ayt_threshold; char detect_anomalies; - + } TELNET_PROTO_CONF; /* @@ -312,7 +313,7 @@ uint32_t ref_count; -} FTPTELNET_GLOBAL_CONF; +} FTPTELNET_GLOBAL_CONF; /* diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c 2011-06-07 17:33:13.000000000 -0700 
@@ -1,10 +1,10 @@ /* * ftpp_ui_server_lookup.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -36,6 +36,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "ftpp_ui_config.h" #include "ftpp_return_codes.h" @@ -101,9 +105,9 @@ /* * Function: ftpp_ui_server_lookup_add(SERVER_LOOKUP *ServerLookup, - * char *ip, int len, + * char *ip, int len, * FTP_SERVER_PROTO_CONF *ServerConf) - * + * * Purpose: Add a server configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -113,14 +117,14 @@ * * Arguments: ServerLookup => a pointer to the lookup structure * IP => the ftp server address - * len => Length of the address + * len => Length of the address * ServerConf => a pointer to the server configuration structure * * Returns: int => return code indicating error or success * */ int ftpp_ui_server_lookup_add( - SERVER_LOOKUP *ServerLookup, sfip_t* Ip, FTP_SERVER_PROTO_CONF *ServerConf ) + SERVER_LOOKUP *ServerLookup, sfip_t* Ip, FTP_SERVER_PROTO_CONF *ServerConf ) { int iRet; @@ -163,7 +167,7 @@ */ FTP_SERVER_PROTO_CONF *ftpp_ui_server_lookup_find( SERVER_LOOKUP *ServerLookup, snort_ip_p Ip, int *iError -) +) { FTP_SERVER_PROTO_CONF *ServerConf = NULL; 
@@ -198,14 +202,14 @@ * all elements. * * @param ServerLookup => a pointer to the lookup structure - * @param userfunc => user defined callback function + * @param userfunc => user defined callback function * @param iError => a pointer to an error code * * @returns iError => return code indicating error or success * */ void ftpp_ui_server_iterate( - SERVER_LOOKUP *ServerLookup, + SERVER_LOOKUP *ServerLookup, sfrt_iterator_callback userfunc, int *iError ) @@ -227,7 +231,7 @@ } #if 0 -/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with +/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with * a callback function but does not support getFirst, getNext operations. */ @@ -315,11 +319,11 @@ return ServerConf; } -#endif +#endif -/**Free pData buffer, which may be referenced multiple times. ReferenceCount - * is the number of times the buffer is referenced. For freeing the buffer, - * we just decrement referenceCount till it reaches 0, at which time the +/**Free pData buffer, which may be referenced multiple times. ReferenceCount + * is the number of times the buffer is referenced. For freeing the buffer, + * we just decrement referenceCount till it reaches 0, at which time the * buffer is also freed. */ static void serverConfFree(void *pData) diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h 2011-02-09 15:23:19.000000000 -0800 
@@ -1,7 +1,7 @@ /* * ftpp_ui_server_lookup.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> * diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_server.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_server.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/ftp_server.h 2010-01-26 10:10:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/ftp_server.h 2011-02-09 15:23:17.000000000 -0800 @@ -1,7 +1,7 @@ /* * ftp_server.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c 2010-01-26 10:10:02.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,12 +18,12 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* * * kmap.c - a generic map library - maps key + data pairs -* -* Uses Lexical Keyword Trie +* +* Uses Lexical Keyword Trie * The tree uses linked lists to build the finite automata * * MapKeyFind(): Performs a setwise strcmp() equivalant. 
@@ -36,7 +36,7 @@ * and independent of the number of keys in the table. * May use more memory than a hash table, depends. * Memory is allocated as needed, so none is wasted. -* +* * Author: Marc Norton * */ @@ -45,12 +45,16 @@ #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "hi_util_xmalloc.h" //#define MEMASSERT(p) if(!p){printf("KMAP-No Memory: File: %s Line:%d!\n",__FILE__,__LINE__);exit(0);} -#define MEMASSERT(p) +#define MEMASSERT(p) #define LOWERCASE tolower /* @@ -59,11 +63,11 @@ static void * s_malloc( int n ) { void * p; - + p = xmalloc( n ); - + MEMASSERT(p); - + return p; } @@ -80,13 +84,13 @@ KMAP * KMapNew( KMapUserFreeFunc userfree ) { KMAP * km = (KMAP*) s_malloc( sizeof(KMAP) ); - + if( !km ) return 0; - - memset(km, 0, sizeof(KMAP)); - + + memset(km, 0, sizeof(KMAP)); + km->userfree = userfree; - + return km; } /* @@ -103,7 +107,7 @@ static int KMapFreeNodeList(KMAP * km ) { KEYNODE * k, *kold; - + for( k=km->keylist; k; ) { if( k->key ) @@ -112,13 +116,13 @@ } if( km->userfree && k->userdata ) { - km->userfree( k->userdata ); + km->userfree( k->userdata ); } kold = k; k = k->next; s_free(kold); } - + return 0; } /* @@ -130,14 +134,14 @@ { KMapFreeNode( km, r->sibling ); } - + if( r->child ) { KMapFreeNode( km, r->child ); } - + s_free( r ); -} +} /* * Free the KMAP and all of it's memory and nodes */ @@ -145,20 +149,20 @@ { KMAPNODE * r; int i; - + /* Free the tree - on root node at a time */ for(i=0;i<256;i++) { r = km->root[i]; if( r ) - { - KMapFreeNode(km,r); + { + KMapFreeNode(km,r); } } - + /* Free the node list */ KMapFreeNodeList( km ); - + s_free(km); } 
@@ -168,24 +172,24 @@ static KEYNODE * KMapAddKeyNode(KMAP * km,void * key, int n, void * userdata ) { KEYNODE * knode = (KEYNODE*) s_malloc( sizeof(KEYNODE) ); - - if( !knode || n < 0 ) + + if( !knode || n < 0 ) return 0; - - memset(knode, 0, sizeof(KEYNODE) ); - + + memset(knode, 0, sizeof(KEYNODE) ); + knode->key = (unsigned char*)s_malloc(n); // Alloc the key space - if( !knode->key ) + if( !knode->key ) { free(knode); return 0; } - + memcpy(knode->key,key,n); // Copy the key knode->nkey = n; knode->userdata = userdata; - - if( km->keylist ) // Insert at front of list + + if( km->keylist ) // Insert at front of list { knode->next = km->keylist; km->keylist = knode; @@ -194,7 +198,7 @@ { km->keylist = knode; } - + return knode; } /* @@ -203,14 +207,14 @@ static KMAPNODE * KMapCreateNode(KMAP * km) { KMAPNODE * mn=(KMAPNODE*)s_malloc( sizeof(KMAPNODE) ); - + if(!mn) return NULL; - + memset(mn,0,sizeof(KMAPNODE)); - + km->nchars++; - + return mn; } @@ -233,26 +237,26 @@ unsigned char *P = (unsigned char *)key; KMAPNODE *root; unsigned char xkey[256]; - + if( n <= 0 ) { n = strlen( (char*) key ); if( n > (int)sizeof(xkey) ) return -99; } - + if( km->nocase ) { for(i=0;i<n;i++) xkey[i] = LOWERCASE( P[i] ); P = xkey; } - + /* Save key size */ ksize = n; - + //printf("adding key='%.*s'\n",n,P); - + /* Make sure we at least have a root character for the tree */ if( !km->root[ *P ] ) { @@ -261,13 +265,13 @@ return -1; km->root[ *P ] = root; root->nodechar = *P; - + }else{ - + root = km->root[ *P ]; } - - /* Walk exisitng Patterns */ + + /* Walk exisitng Patterns */ while( n ) { if( root->nodechar == *P ) @@ -277,12 +281,12 @@ n--; if( n && root->child ) { - root=root->child; + root=root->child; } else /* cannot continue */ { type = 0; /* Expand the tree via the child */ - break; + break; } } else 
@@ -294,13 +298,13 @@ else /* cannot continue */ { type = 1; /* Expand the tree via the sibling */ - break; + break; } } } - - - /* + + + /* * Add the next char of the Keyword, if any */ if( n ) @@ -308,7 +312,7 @@ if( type == 0 ) { /* - * Start with a new child to finish this Keyword + * Start with a new child to finish this Keyword */ //printf("added child branch nodechar = %c \n",*P); root->child= KMapCreateNode( km ); @@ -320,9 +324,9 @@ n--; } else - { + { /* - * Start a new sibling bracnch to finish this Keyword + * Start a new sibling bracnch to finish this Keyword */ //printf("added sibling branch nodechar = %c \n",*P); root->sibling= KMapCreateNode( km ); @@ -334,7 +338,7 @@ n--; } } - + /* * Finish the keyword as child nodes */ @@ -349,24 +353,24 @@ P++; n--; } - - /* - * Iteration support - Add this key/data to the linked list - * This allows us to do a findfirst/findnext search of + + /* + * Iteration support - Add this key/data to the linked list + * This allows us to do a findfirst/findnext search of * all map nodes. */ if( root->knode ) /* Already present */ return 1; - + root->knode = KMapAddKeyNode( km, key, ksize, userdata ); if( !root->knode ) return -1; - + return 0; } /* -* Exact Keyword Match - unique keys, with just one piece of +* Exact Keyword Match - unique keys, with just one piece of * 'userdata' , for multiple entries, we could use a list * of 'userdata' nodes. */ @@ -376,27 +380,27 @@ KMAPNODE * root; unsigned char xkey[256]; int i; - + if( n <= 0 ) { n = strlen( (char*)key ); if( n > (int)sizeof(xkey) ) return 0; - + } if( ks->nocase ) { for(i=0;i<n;i++) xkey[i] = LOWERCASE( T[i] ); - + T = xkey; } //printf("finding key='%.*s'\n",n,T); - + /* Check if any keywords start with this character */ root = ks->root[ *T ]; if( !root ) return NULL; - + while( n ) { if( root->nodechar == *T ) 
@@ -405,11 +409,11 @@ n--; if( n && root->child ) { - root = root->child; + root = root->child; } else /* cannot continue -- match is over */ { - break; + break; } } else @@ -420,17 +424,17 @@ } else /* cannot continue */ { - break; + break; } } } - + if( !n ) { if (root && root->knode) return root->knode->userdata; /* success */ } - + return NULL; } /* @@ -439,12 +443,12 @@ KEYNODE * KMapFindFirstKey( KMAP * km ) { km->keynext = km->keylist; - + if(!km->keynext) { return NULL; } - + return km->keynext; } /* @@ -453,12 +457,12 @@ void * KMapFindFirst( KMAP * km ) { km->keynext = km->keylist; - + if(!km->keynext) { return NULL; } - + return km->keynext->userdata; } /* @@ -468,12 +472,12 @@ { if( !km->keynext ) return 0; - - km->keynext = km->keynext->next; - + + km->keynext = km->keynext->next; + if( !km->keynext ) return 0; - + return km->keynext; } /* @@ -483,12 +487,12 @@ { if( !km->keynext ) return 0; - - km->keynext = km->keynext->next; - + + km->keynext = km->keynext->next; + if( !km->keynext ) return 0; - + return km->keynext->userdata; } @@ -504,18 +508,18 @@ char str[80]; str[79] = '\0'; - + printf("usage: kmap nkeys (default=10)\n\n"); - + km = KMapNew( free ); /* use 'free' to free 'userdata' */ - + KMapSetNoCase(km,1); //need to add xlat.... - + if( argc > 1 ) { n = atoi(argv[1]); } - + for(i=1;i<=n;i++) { snprintf(str, sizeof(str) - 1, "KeyWord%d",i); @@ -523,7 +527,7 @@ printf("Adding Key=%s\n",str); } printf("xmem: %u bytes, %d chars\n",xmalloc_bytes(),km->nchars); - + printf("\nKey Find test...\n"); for(i=1;i<=n;i++) { @@ -532,7 +536,7 @@ if(p)printf("key=%s, data=%*s\n",str,strlen(str),p); else printf("'%s' NOT found.\n",str); } - + KMapSetNoCase(km,0); // this should fail all key searches printf("\nKey Find test2...\n"); for(i=1;i<=n;i++) 
@@ -542,19 +546,19 @@ if(p)printf("key=%s, data=%*s\n",str,strlen(str),p); else printf("'%s' NOT found.\n",str); } - + printf("\nKey FindFirst/Next test...\n"); for(p = (char*) KMapFindFirst(km); p; p=(char*)KMapFindNext(km) ) printf("data=%s\n",p); - + printf("\nKey FindFirst/Next test done.\n"); - + KMapDelete( km ); - + printf("xmem: %u bytes\n",xmalloc_bytes()); - + printf("normal pgm finish.\n"); - + return 0; } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h 2010-01-26 10:10:03.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h 2011-02-09 15:23:19.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c 2010-01-26 10:10:03.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c 2011-06-07 17:33:13.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* ** util.c */ 
@@ -28,6 +28,10 @@ #include <time.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + //#define MDEBUG static unsigned msize=0; @@ -78,14 +82,14 @@ msize -= *q; free(q); - + #else - + free(p); #endif - + } void xshowmem(void) @@ -102,7 +106,7 @@ data_size = strlen(str) + 1; data = (char *)xmalloc(data_size); - + if(data == NULL) { return NULL; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h 2010-01-26 10:10:03.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h 2011-02-09 15:23:19.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * */ #ifndef __HI_UTIL_XMALLOC_H__ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/Makefile.am snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.am --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/Makefile.am 2010-06-09 15:05:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.am 2011-07-13 15:44:51.000000000 -0700 
@@ -1,27 +1,23 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include -I./includes +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_ftptelnet_preproc.la libsf_ftptelnet_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c - +if SO_WITH_STATIC_LIB +libsf_ftptelnet_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_ftptelnet_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sf_ip.c \ +../include/sfrt.c \ +../include/sfrt_dir.c \ +../include/sfPolicyUserData.c +endif libsf_ftptelnet_preproc_la_SOURCES = \ ftp_bounce_lookup.c \ @@ -55,32 +51,11 @@ snort_ftptelnet.c \ snort_ftptelnet.h \ spp_ftptelnet.c \ -spp_ftptelnet.h \ -sf_preproc_info.h +spp_ftptelnet.h EXTRA_DIST = \ sf_ftptelnet.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c - -DIST_SUBDIRS = . - diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/Makefile.in snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/Makefile.in 2011-12-07 11:23:19.000000000 -0800 
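Review bot: The rewritten `INCLUDES` line mixes `${srcdir}` and `$(srcdir)` for the same variable; both expand identically, but one spelling per line is easier to read, e.g. `INCLUDES = -I../include -I$(srcdir)/../libs -I$(srcdir)/includes`. The change from `-I./includes` to `-I$(srcdir)/includes` makes that path VPATH-safe, yet `-I../include` is still relative to the build directory; if the headers under `../include` exist only in the source tree, an out-of-tree build would not find them and `-I$(srcdir)/../include` would be needed as well — whether the build tree mirrors that directory is not visible here. `INCLUDES` is also automake's older name for `AM_CPPFLAGS`, which newer automake releases warn about; renaming is optional but would keep the file clean under a regenerated build system.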
@@ -35,7 +35,6 @@ build_triplet = @build@ host_triplet = @host@ subdir = src/dynamic-preprocessors/ftptelnet -SUBDIRS = DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ @@ -69,14 +68,17 @@ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_ftptelnet_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_ftptelnet_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_ftptelnet_preproc_la_OBJECTS = ftp_bounce_lookup.lo \ ftp_cmd_lookup.lo ftpp_eo_log.lo ftpp_si.lo \ ftpp_ui_client_lookup.lo ftpp_ui_config.lo \ ftpp_ui_server_lookup.lo hi_util_kmap.lo hi_util_xmalloc.lo \ pp_ftp.lo pp_telnet.lo snort_ftptelnet.lo spp_ftptelnet.lo -nodist_libsf_ftptelnet_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sf_ip.lo sfrt.lo sfrt_dir.lo sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ftptelnet_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfrt.lo sfrt_dir.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_ftptelnet_preproc_la_OBJECTS = \ $(am_libsf_ftptelnet_preproc_la_OBJECTS) \ $(nodist_libsf_ftptelnet_preproc_la_OBJECTS) 
@@ -99,46 +101,9 @@ SOURCES = $(libsf_ftptelnet_preproc_la_SOURCES) \ $(nodist_libsf_ftptelnet_preproc_la_SOURCES) DIST_SOURCES = $(libsf_ftptelnet_preproc_la_SOURCES) -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-dvi-recursive install-exec-recursive \ - install-html-recursive install-info-recursive \ - install-pdf-recursive install-ps-recursive install-recursive \ - installcheck-recursive installdirs-recursive pdf-recursive \ - ps-recursive uninstall-recursive -RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ - distclean-recursive maintainer-clean-recursive -AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ - $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ - distdir ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -am__relativize = \ - dir0=`pwd`; \ - sed_first='s,^\([^/]*\)/.*$$,\1,'; \ - sed_rest='s,^[^/]*/*,,'; \ - sed_last='s,^.*/\([^/]*\)$$,\1,'; \ - sed_butlast='s,/*[^/]*$$,,'; \ - while test -n "$$dir1"; do \ - first=`echo "$$dir1" | sed -e "$$sed_first"`; \ - if test "$$first" != "."; then \ - if test "$$first" = ".."; then \ - dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ - dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ - else \ - first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ - if test "$$first2" = "$$first"; then \ - dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ - else \ - dir2="../$$dir2"; \ - fi; \ - dir0="$$dir0"/"$$first"; \ - fi; \ - fi; \ - dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ - done; \ - reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AR = @AR@ @@ -148,7 +113,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -163,7 +130,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I./includes +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -199,13 +167,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -266,19 +240,13 @@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_ftptelnet_preproc.la libsf_ftptelnet_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c - -nodist_libsf_ftptelnet_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sf_ip.c \ -sfrt.c \ -sfrt_dir.c \ -sfPolicyUserData.c +@SO_WITH_STATIC_LIB_TRUE@libsf_ftptelnet_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ftptelnet_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_ftptelnet_preproc_la_SOURCES = \ ftp_bounce_lookup.c \ 
@@ -312,15 +280,12 @@ snort_ftptelnet.c \ snort_ftptelnet.h \ spp_ftptelnet.c \ -spp_ftptelnet.h \ -sf_preproc_info.h +spp_ftptelnet.h EXTRA_DIST = \ sf_ftptelnet.dsp -DIST_SUBDIRS = . -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-recursive +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj 
@@ -403,82 +368,27 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfrt.lo: ../include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt.lo `test -f '../include/sfrt.c' || echo '$(srcdir)/'`../include/sfrt.c + +sfrt_dir.lo: ../include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_dir.lo `test -f '../include/sfrt_dir.c' || echo '$(srcdir)/'`../include/sfrt_dir.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -# This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. 
-# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @fail= failcom='exit 1'; \ - for f in x $$MAKEFLAGS; do \ - case $$f in \ - *=* | --[!k]*);; \ - *k*) failcom='fail=yes';; \ - esac; \ - done; \ - dot_seen=no; \ - target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - dot_seen=yes; \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || eval $$failcom; \ - done; \ - if test "$$dot_seen" = "no"; then \ - $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ - fi; test -z "$$fail" - -$(RECURSIVE_CLEAN_TARGETS): - @fail= failcom='exit 1'; \ - for f in x $$MAKEFLAGS; do \ - case $$f in \ - *=* | --[!k]*);; \ - *k*) failcom='fail=yes';; \ - esac; \ - done; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || eval $$failcom; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . 
|| ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done - ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -489,23 +399,10 @@ mkid -fID $$unique tags: TAGS -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) set x; \ here=`pwd`; \ - if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ - include_option=--etags-include; \ - empty_fix=.; \ - else \ - include_option=--include; \ - empty_fix=; \ - fi; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test ! -f $$subdir/TAGS || \ - set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ - fi; \ - done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ @@ -524,7 +421,7 @@ fi; \ fi ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ 
@@ -574,53 +471,22 @@ || exit 1; \ fi; \ done - @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || $(MKDIR_P) "$(distdir)/$$subdir" \ - || exit 1; \ - fi; \ - done - @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ - dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ - $(am__relativize); \ - new_distdir=$$reldir; \ - dir1=$$subdir; dir2="$(top_distdir)"; \ - $(am__relativize); \ - new_top_distdir=$$reldir; \ - echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ - echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ - ($(am__cd) $$subdir && \ - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$new_top_distdir" \ - distdir="$$new_distdir" \ - am__remove_distdir=: \ - am__skip_length_check=: \ - am__skip_mode_fix=: \ - distdir) \ - || exit 1; \ - fi; \ - done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-recursive +check: check-am all-am: Makefile $(LTLIBRARIES) all-local -installdirs: installdirs-recursive -installdirs-am: +installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-recursive -install-exec: install-exec-recursive -install-data: install-data-recursive -uninstall: uninstall-recursive +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -installcheck: installcheck-recursive +installcheck: installcheck-am install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ 
@@ -637,118 +503,95 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -clean: clean-recursive +clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am -distclean: distclean-recursive +distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags -dvi: dvi-recursive +dvi: dvi-am dvi-am: -html: html-recursive +html: html-am html-am: -info: info-recursive +info: info-am info-am: install-data-am: -install-dvi: install-dvi-recursive +install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-libLTLIBRARIES -install-html: install-html-recursive +install-html: install-html-am install-html-am: -install-info: install-info-recursive +install-info: install-info-am install-info-am: install-man: -install-pdf: install-pdf-recursive +install-pdf: install-pdf-am install-pdf-am: -install-ps: install-ps-recursive +install-ps: install-ps-am install-ps-am: installcheck-am: -maintainer-clean: maintainer-clean-recursive +maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic -mostlyclean: mostlyclean-recursive +mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool -pdf: pdf-recursive +pdf: pdf-am pdf-am: -ps: ps-recursive +ps: ps-am ps-am: uninstall-am: uninstall-libLTLIBRARIES -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \ - ctags-recursive install install-am install-strip \ - tags-recursive - -.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ - all all-am all-local check check-am clean clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-local ctags \ - ctags-recursive distclean distclean-compile 
distclean-generic \ +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-libLTLIBRARIES install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \ - uninstall-libLTLIBRARIES - - -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_ip.c: ../include/sf_ip.c - cp $? $@ - -sfrt.c: ../include/sfrt.c - cp $? $@ - -sfrt_dir.c: ../include/sfrt_dir.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c sf_ip.c sfrt.c sfrt_dir.c sfPolicyUserData.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_ftp.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_ftp.c 2010-10-25 12:49:05.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2004-2010 Sourcefire, Inc. + ** Copyright (C) 2004-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -18,15 +18,15 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* pp_ftp.c - * +/* pp_ftp.c + * * Purpose: FTP sessions contain commands and responses. Certain * commands are vectors of attack. This module checks * those FTP client commands and their parameter values, as * well as the server responses per the configuration. * * Arguments: None - * + * * Effect: Alerts may be raised * * Comments: @@ -63,7 +63,7 @@ #include "ftp_cmd_lookup.h" #include "ftp_bounce_lookup.h" //#include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "stream_api.h" //#include "plugbase.h" @@ -80,7 +80,7 @@ #endif /* * Used to keep track of pipelined commands and the last one - * that resulted in a + * that resulted in a */ static int ftp_cmd_pipe_index = 0; @@ -114,7 +114,7 @@ uint16_t port=0; int octet=0; const char *this_param = *ip_start; - + do { int value = 0; @@ -257,7 +257,7 @@ * af (address family) is the IP version. h# and p# are in network * byte order (high byte first). * - * This function is called for the LPSV response as well, which + * This function is called for the LPSV response as well, which * has this format: * * 228 <human readable text> (af,hal,h1,h2,h3,h4...,pal,p1,p2...) 
@@ -299,7 +299,7 @@ { uint32_t ip4_addr = 0; int n; - for ( n = 0; n < 4; n++ ) + for ( n = 0; n < 4; n++ ) ip4_addr = (ip4_addr << 8) | bytes[n+2]; #ifdef SUP_IP6 /* don't call sfip_set_raw() on raw bytes @@ -454,17 +454,17 @@ if ( ftyp == e_int && fieldMask == 4 ) /* TBD: do we need to check for bounce if addr present? */ return FTPP_SUCCESS; - + if ( ftyp == e_extd_host_port && fieldMask == 7 ) return FTPP_SUCCESS; - + return FTPP_INVALID_ARG; } static int getFTPip( FTP_PARAM_TYPE ftyp, const char **ip_start, const char *last_char, char *term_char, snort_ip *ipRet, uint16_t *portRet -) +) { if ( ftyp == e_host_port ) { @@ -823,9 +823,9 @@ break; } - if ( ThisFmt->type == e_extd_host_port && !IS_SET(ipAddr) ) + if ( ThisFmt->type == e_extd_host_port && !IP_IS_SET(ipAddr) ) { - // actually, we expect no addr in 229 responses, which is + // actually, we expect no addr in 229 responses, which is // understood to be server address, so we set that here #ifdef SUP_IP6 ipAddr = *GET_SRC_IP(p); @@ -863,7 +863,7 @@ } } } - + /* Alert on invalid IP address for PORT */ if (alert) { @@ -1032,7 +1032,7 @@ * * Purpose: Initializes the state machine for checking an FTP packet. * Does normalization checks. - * + * * Arguments: Session => Pointer to session info * p => pointer to the current packet struct * iMode => Mode indicating server or client checks @@ -1067,8 +1067,8 @@ } } return iRet; } - - if (p->flags & FLAG_ALT_DECODE) + + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { /* Normalized data will always be in decode buffer */ if ( ((Session->client_conf->telnet_cmds.alert) && @@ -1167,7 +1167,7 @@ { FTP_PARAM_TYPE ftyp = /* e_int is used in lieu of adding a new value to the - * enum because this case doesn't correspond to a + * enum because this case doesn't correspond to a * validation config option; it could effectively be * replaced with an additional bool arg to getFTPip() that * differentiated between commands and responses, but 
@@ -1181,14 +1181,39 @@
 );
 if (iRet == FTPP_SUCCESS)
 {
+ if (!IP_IS_SET(ipAddr))
+ IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p));
+ else
+ {
 #ifdef SUP_IP6
- Session->serverIP = ipAddr;
+ Session->serverIP = ipAddr;
 #else
- Session->serverIP = htonl(ipAddr);
+ Session->serverIP = htonl(ipAddr);
 #endif
+ }
 Session->serverPort = port;
- IP_CLEAR(Session->clientIP);
+ IP_COPY_VALUE(Session->clientIP, GET_DST_IP(p));
 Session->clientPort = 0;
+ if (Session->server_conf->data_chan)
+ {
+ /* Call into Streams to mark data channel as something
+ * to ignore. */
+ _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP),
+ Session->clientPort, IP_ARG(Session->serverIP),
+ Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec,
+ PP_FTPTELNET, SSN_DIR_BOTH,
+ 0 /* Not permanent */ );
+ }
+#ifdef TARGET_BASED
+ else
+ {
+ /* Call into Streams to mark data channel as ftp-data */
+ _dpd.streamAPI->set_application_protocol_id_expected(IP_ARG(Session->clientIP),
+ Session->clientPort, IP_ARG(Session->serverIP),
+ Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec,
+ ftp_data_app_id, PP_FTPTELNET, NULL, NULL);
+ }
+#endif
 }
 }
 else
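Review bot: The address handed to `ignore_session` as `Session->serverIP` is the one parsed out of the 227/LPSV response payload (`Session->serverIP = ipAddr`), so an FTP server, or anything able to inject into the control channel, can name an arbitrary host:port and, with `data_chan` enabled, Stream will stop inspecting the client's next connection to it; the `set_application_protocol_id_expected` branch is keyed on the same address. Only the address-less response is pinned to the control-channel peer via `GET_SRC_IP(p)`, and nothing visible in this hunk ties the registration to the outcome of the bounce/alert check that lives elsewhere in this file. Gate the registration on the advertised address matching the peer, e.g. `if (Session->server_conf->data_chan && IP_EQUALITY(Session->serverIP, GET_SRC_IP(p)))` using whichever address-compare macro this file already has, or at minimum add a comment stating that a mismatched PASV address deliberately causes a third-party session to be ignored. The enclosing function starts and ends outside this hunk.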
@@ -1215,6 +1240,43 @@
 Session->data_chan_state &= ~DATA_CHAN_PORT_CMD_ISSUED;
 Session->data_chan_state |= DATA_CHAN_PORT_CMD_ACCEPT;
 Session->data_chan_index = -1;
+ if (IP_IS_SET(Session->clientIP))
+ {
+ /* This means we're not in passive mode. */
+ /* Server is listening/sending from its own IP,
+ * FTP Port -1 */
+ /* Client IP, Port specified via PORT command */
+ IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p));
+
+ /* Can't necessarily guarantee this, especially
+ * in the case of a proxy'd connection where the
+ * data channel might not be on port 20 (or server
+ * port-1). Comment it out for now.
+ */
+ /*
+ Session->serverPort = ntohs(p->tcph->th_sport) -1;
+ */
+ if (Session->server_conf->data_chan)
+ {
+ /* Call into Streams to mark data channel as something
+ * to ignore. */
+ _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP),
+ Session->clientPort, IP_ARG(Session->serverIP),
+ Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec,
+ PP_FTPTELNET, SSN_DIR_BOTH,
+ 0 /* Not permanent */ );
+ }
+#ifdef TARGET_BASED
+ else
+ {
+ /* Call into Streams to mark data channel as ftp-data */
+ _dpd.streamAPI->set_application_protocol_id_expected(IP_ARG(Session->clientIP),
+ Session->clientPort, IP_ARG(Session->serverIP),
+ Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)), p->pkt_header->ts.tv_sec,
+ ftp_data_app_id, PP_FTPTELNET, NULL, NULL);
+ }
+#endif
+ }
 }
 else if (ftp_cmd_pipe_index == Session->data_chan_index)
 {
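Review bot: The Stream registration block added here (`if (Session->server_conf->data_chan) … #ifdef TARGET_BASED … #endif`) is a verbatim copy of the one added to the 227/229 response handler earlier in this file, replacing the single copy the pre-2.9.2 code kept at transfer start; two copies of a nine-argument `ignore_session` call will drift, and this very commit already changed that argument list once. Factor it into a static helper called from both sites, as sketched below, taking the session and packet pointers the enclosing function already receives (use whatever packet type `p` has there). It is also worth a one-line comment that `Session->serverPort` is intentionally left untouched in this branch (the `th_sport - 1` assignment is commented out), since a reader could otherwise take the stale-or-zero port in the registration for a bug. The enclosing function starts and ends outside this hunk.
```c
/* Register the session's data channel with Stream: skip it entirely when
 * server_conf->data_chan is set, otherwise (TARGET_BASED) expect ftp-data. */
static void ftp_register_data_channel(FTP_SESSION *Session, SFSnortPacket *p)
{
    if (Session->server_conf->data_chan)
    {
        /* Call into Streams to mark data channel as something to ignore. */
        _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP),
            Session->clientPort, IP_ARG(Session->serverIP),
            Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)),
            p->pkt_header->ts.tv_sec, PP_FTPTELNET, SSN_DIR_BOTH,
            0 /* Not permanent */ );
    }
#ifdef TARGET_BASED
    else
    {
        /* Call into Streams to mark data channel as ftp-data */
        _dpd.streamAPI->set_application_protocol_id_expected(IP_ARG(Session->clientIP),
            Session->clientPort, IP_ARG(Session->serverIP),
            Session->serverPort, (uint8_t)(GET_IPH_PROTO(p)),
            p->pkt_header->ts.tv_sec, ftp_data_app_id, PP_FTPTELNET, NULL, NULL);
    }
#endif
}

/* … unchanged: PORT-accept branch up to the commented-out serverPort assignment … */
            IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p));
            /* serverPort deliberately left unchanged: see proxy note above */
            ftp_register_data_channel(Session, p);
```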
@@ -1234,59 +1296,6 @@ { Session->data_chan_state &= ~DATA_CHAN_XFER_CMD_ISSUED; Session->data_chan_state = DATA_CHAN_XFER_STARTED; - if (!IS_SET(Session->serverIP)) - { - /* This means we're not in passive mode. */ - /* Server is listening/sending from its own IP, - * FTP Port -1 */ - /* Client IP, Port specified via PORT command */ -#ifdef SUP_IP6 - IP_COPY_VALUE(Session->serverIP, GET_SRC_IP(p)); -#else - Session->serverIP = p->ip4_header->source.s_addr; -#endif - - /* Can't necessarily guarantee this, especially - * in the case of a proxy'd connection where the - * data channel might not be on port 20 (or server - * port-1). Comment it out for now. - */ - /* - Session->serverPort = ntohs(p->tcph->th_sport) -1; - */ - } - if (!IS_SET(Session->clientIP)) - { - /* This means we're in passive mode. */ - /* Server info is known. */ - /* Client IP is known from response packet, but - * port is unknown */ -#ifdef SUP_IP6 - IP_COPY_VALUE(Session->clientIP, GET_DST_IP(p)); -#else - Session->clientIP = p->ip4_header->destination.s_addr; -#endif - } - if (Session->server_conf->data_chan) - { - /* Call into Streams to mark data channel as something - * to ignore. */ - _dpd.streamAPI->ignore_session(IP_ARG(Session->clientIP), - Session->clientPort, IP_ARG(Session->serverIP), - Session->serverPort, - GET_IPH_PROTO(p), SSN_DIR_BOTH, - 0 /* Not permanent */ ); - } -#ifdef TARGET_BASED - else - { - /* Call into Streams to mark data channel as ftp-data */ - _dpd.streamAPI->set_application_protocol_id_expected(IP_ARG(Session->clientIP), - Session->clientPort, IP_ARG(Session->serverIP), - Session->serverPort, - GET_IPH_PROTO(p), ftp_data_app_id); - } -#endif } /* Clear the session info for next transfer --> * reset host/port */ @@ -1314,7 +1323,7 @@ ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL); } - DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, + DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "FTP stream is now TLS encrypted\n");); } break; 
@@ -1329,7 +1338,7 @@ ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL); } - DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, + DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "FTP stream is now SSL encrypted\n");); } break; @@ -1357,8 +1366,8 @@ * Function: check_ftp(FTP_SESSION *Session, Packet *p, int iMode) * * Purpose: Handle some trivial validation checks of an FTP packet. Namely, - * check argument length and some protocol enforcement. - * + * check argument length and some protocol enforcement. + * * Wishful: This results in exposing the FTP command (and looking * at the results) to the rules layer. * @@ -1396,7 +1405,7 @@ const unsigned char *read_ptr; const unsigned char *end = p->payload + p->payload_size; - if (p->flags & FLAG_ALT_DECODE) + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) end = _dpd.altBuffer->data + _dpd.altBuffer->len; if (iMode == FTPP_SI_CLIENT_MODE) @@ -1419,9 +1428,9 @@ /* Starts at the beginning of the buffer/line, * so next up is a command */ read_ptr = (const unsigned char *)req->pipeline_req; - + /* but first we ignore leading white space */ - while ( (read_ptr < end) && + while ( (read_ptr < end) && (iMode == FTPP_SI_CLIENT_MODE) && isspace(*read_ptr) ) read_ptr++; @@ -1520,7 +1529,7 @@ } else { - /* + /* * Check the list of valid FTP commands as * supplied in ftpssn. */ @@ -1627,8 +1636,8 @@ isdigit(*(resp_begin+1)) && isdigit(*(resp_begin+2)) ) { - rsp_code = ( (*(resp_begin) - '0') * 100 + - (*(resp_begin+1) - '0') * 10 + + rsp_code = ( (*(resp_begin) - '0') * 100 + + (*(resp_begin+1) - '0') * 10 + (*(resp_begin+2) - '0') ); if (rsp_code == ftpssn->server.response.state) { @@ -1660,8 +1669,8 @@ isdigit(*(resp_begin+1)) && isdigit(*(resp_begin+2)) ) { - int resp_code = ( (*(resp_begin) - '0') * 100 + - (*(resp_begin+1) - '0') * 10 + + int resp_code = ( (*(resp_begin) - '0') * 100 + + (*(resp_begin+1) - '0') * 10 + (*(resp_begin+2) - '0') ); if (resp_code == ftpssn->server.response.state) { 
@@ -1697,7 +1706,7 @@ } /* If there is anything left... */ - + if (read_ptr < end) { /* Look for an LF --> implies no parameters/message */ @@ -1713,7 +1722,7 @@ "Missing LF from end of FTP command\n");); } else - { + { /* Now grab the command parameters/response message */ if (read_ptr < end) { @@ -1752,7 +1761,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Missing LF from end of FTP command sans params\n");); } - + /* Set the pointer for the next request/response * in the pipeline. */ if (read_ptr < end) @@ -1774,7 +1783,7 @@ "FTP response: code: %.*s : M len %d : M %.*s\n", req->cmd_size, req->cmd_begin, req->param_size, req->param_size, req->param_begin)); - if ((ftpssn->client_conf->max_resp_len > 0) && + if ((ftpssn->client_conf->max_resp_len > 0) && (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ @@ -1796,7 +1805,7 @@ "FTP response: continuation of code: %d : M len %d : M %.*s\n", ftpssn->server.response.state, req->param_size, req->param_size, req->param_begin)); - if ((ftpssn->client_conf->max_resp_len > 0) && + if ((ftpssn->client_conf->max_resp_len > 0) && (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ @@ -1810,7 +1819,7 @@ "FTP response: final continue of code: %.*s : M len %d : " "M %.*s\n", req->cmd_size, req->cmd_begin, req->param_size, req->param_size, req->param_begin)); - if ((ftpssn->client_conf->max_resp_len > 0) && + if ((ftpssn->client_conf->max_resp_len > 0) && (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_ftp.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_ftp.h 2010-01-26 10:10:03.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_ftp.h 2011-02-09 15:23:19.000000000 -0800 
@@ -1,7 +1,7 @@ /* * pp_ftp.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * * This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_telnet.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_telnet.c 2010-10-25 12:49:05.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2002-2010 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> * * This program is free software; you can redistribute it and/or modify @@ -21,10 +21,10 @@ /* Snort Preprocessor for Telnet Negotiation Normalization*/ /* $Id$ */ -/* pp_telnet.c - * - * Purpose: Telnet sessions can contain telnet negotiation strings - * that can disrupt pattern matching. This plugin detects +/* pp_telnet.c + * + * Purpose: Telnet sessions can contain telnet negotiation strings + * that can disrupt pattern matching. This plugin detects * negotiation strings in stream and "normalizes" them much like * the http_decode preprocessor normalizes encoded URLs * @@ -33,7 +33,7 @@ * http://www.iana.org/assignments/telnet-options * * Arguments: None - * + * * Effect: The telnet nogiation data is removed from the payload * * Comments: @@ -55,7 +55,7 @@ #include "ftpp_eo_log.h" #include "pp_telnet.h" #include "ftpp_return_codes.h" -#include "debug.h" +#include "snort_debug.h" #include "stream_api.h" #define NUL 0x00 @@ -76,7 +76,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * 
@@ -93,7 +93,7 @@
 const unsigned char *end;
 int normalization_required = 0;
 int consec_8bit_chars = 0;
-
+
 /* Telnet commands are handled in here.
 * They can be 2 bytes long -- ie, IAC NOP, IAC AYT, etc.
 * Sub-negotiation strings are at least 4 bytes, IAC SB x IAC SE */
@@ -103,11 +103,11 @@
 tnssn->consec_ayt = 0;
 return FTPP_SUCCESS;
 }
-
+
 /* setup the pointers */
 read_ptr = p->payload;
 end = p->payload + p->payload_size;
-
+
 /* look to see if we have any telnet negotiaion codes in the payload */
 while(!normalization_required && (read_ptr < end))
 {
@@ -157,10 +157,10 @@
 consec_8bit_chars = 0;
 }
 }
-
+
 read_ptr++;
 }
-
+
 if(!normalization_required)
 {
 DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Nothing to process!\n"););
@@ -168,25 +168,25 @@
 tnssn->consec_ayt = 0;
 return FTPP_SUCCESS;
 }
-
+
 /*
 * if we found telnet negotiation strings OR backspace characters,
 * we're going to have to normalize the data
 *
 * Note that this is always ( now: 2002-08-12 ) done to a
 * alternative data buffer.
- */
+ */
 /* rewind the data stream to p->data */
 read_ptr = p->payload;
-
- /* setup for overwriting the negotaiation strings with
+
+ /* setup for overwriting the negotaiation strings with
 * the follow-on data
- */
- write_ptr = (unsigned char *) _dpd.altBuffer->data;
-
+ */
+ write_ptr = (unsigned char *) _dpd.altBuffer;
+
 /* walk thru the remainder of the packet */
 while((read_ptr < end) &&
- (write_ptr < ((unsigned char *) _dpd.altBuffer->data) + sizeof(_dpd.altBuffer->data)))
+ (write_ptr < ((unsigned char *) _dpd.altBuffer->data) + sizeof(_dpd.altBuffer->data)))
 {
 saw_ayt = 0;
 /* if the following byte isn't a subnegotiation initialization */
@@ -221,7 +221,7 @@
 {
 /* Go to previous char */
 write_ptr--;
-
+
 if ((*write_ptr == CR) &&
 ((*(write_ptr+1) == NUL) || (*(write_ptr+1) == LF)) )
 {
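Review bot: `write_ptr` now starts at `(unsigned char *) _dpd.altBuffer` while the loop bound two lines below is still computed from `_dpd.altBuffer->data` (and `start`, which the final length is derived from, is assigned outside this hunk); the two addresses coincide only if `data` is the first member of the buffer struct with no leading padding, so the bounds check now silently depends on struct layout, and if the layout ever differs the copy either overruns `data` by that offset or stops short. Keep the write cursor and its bound on the same expression: `write_ptr = (unsigned char *) _dpd.altBuffer->data;`, or if the intent was to drop `->data` everywhere, change the bound and `start` to match in the same commit. The enclosing function starts and ends outside this hunk.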
@@ -358,7 +358,7 @@ } break; } - + /* find the end of the subneg -- this handles when there are * embedded IAC IACs within a sub negotiation. Just looking * for the TNC_SE could cause problems. Similarly, just looking @@ -396,13 +396,13 @@ continue; } - + /* Okay, found the IAC SE -- move past it */ if (read_ptr < end) { read_ptr += 2; } - + if (tnssn && iMode == FTPP_SI_CLIENT_MODE) tnssn->consec_ayt = 0; } @@ -410,9 +410,9 @@ { DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "overwriting %2X(%c) with %2X(%c)\n", - (unsigned char)(*write_ptr&0xFF), *write_ptr, + (unsigned char)(*write_ptr&0xFF), *write_ptr, (unsigned char)(*read_ptr & 0xFF), *read_ptr);); - + /* overwrite the negotiation bytes with the follow-on bytes */ switch(* ((unsigned char *)(read_ptr))) { @@ -429,15 +429,15 @@ *write_ptr++ = *read_ptr++; break; } - + if (tnssn && iMode == FTPP_SI_CLIENT_MODE) tnssn->consec_ayt = 0; } } - - SetAltBuffer(p, write_ptr - start); - - /* DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, + + _dpd.SetAltDecode((uint16_t)(write_ptr - start)); + + /* DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Converted buffer after telnet normalization:\n"); PrintNetData(stdout, (char *) _dpd.altBuffer->data, _dpd.altBuffer->len);); */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_telnet.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/pp_telnet.h 2010-01-26 10:10:03.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/pp_telnet.h 2011-02-09 15:23:20.000000000 -0800 
@@ -1,7 +1,7 @@ /* * pp_telnet.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * * This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_ftptelnet - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ftptelnet - Win32 IPv6 Release" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_ftptelnet___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /D "DYNAMIC_PLUGIN" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo 
/dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_ftptelnet - Win32 IPv6 Debug" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_ftptelnet___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /D "DYNAMIC_PLUGIN" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib 
ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ENDIF diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h 2010-01-26 10:10:03.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,38 +0,0 @@ -/**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - ****************************************************************************/ - -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#include "spp_ftptelnet.h" - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 2 -#define BUILD_VERSION 13 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_FTPTELNET (IPV6)" -#else -#define PREPROC_NAME "SF_FTPTELNET" -#endif - -#define DYNAMIC_PREPROC_SETUP SetupFTPTelnet - -#endif /* SF_PREPROC_INFO_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2010-10-25 12:49:06.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2011-11-21 12:15:24.000000000 -0800 
@@ -1,12 +1,12 @@ /* * snort_ftptelnet.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -37,7 +37,7 @@ * very detailed configuration parameters for each specified FTP client, * to provide detailed control over an internal network and robust control * of the external network. - * + * * The main functions of note are: * - FTPTelnetSnortConf() the configuration portion * - SnortFTPTelnet() the actual normalization & inspection @@ -48,6 +48,8 @@ * */ +#define _GNU_SOURCE + #ifdef HAVE_CONFIG_H #include "config.h" #endif @@ -70,21 +72,10 @@ #include <ctype.h> #endif - -//#include "snort.h" -//#include "detect.h" -//#include "decode.h" -//#include "log.h" -//#include "event.h" -//#include "generators.h" -#include "debug.h" -//#include "plugbase.h" -//#include "util.h" -//#include "event_queue.h" -//#include "mstring.h" - #define BUF_SIZE 1024 +#include "sf_types.h" +#include "snort_debug.h" #include "ftpp_return_codes.h" #include "ftpp_ui_config.h" #include "ftpp_ui_client_lookup.h" @@ -96,7 +87,6 @@ #include "pp_telnet.h" #include "pp_ftp.h" #include "snort_ftptelnet.h" -#include "sf_types.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" #include "stream_api.h" @@ -225,11 +215,11 @@ * * 2. Overrides CWD pathname to 256 characters * - * alt_max_param_len 256 { CWD } + * alt_max_param_len 256 { CWD } * * 3. Overrides PWD & SYST to no parameters * - * alt_max_param_len 0 { PWD SYST } + * alt_max_param_len 0 { PWD SYST } * */ 
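Review bot: `#define _GNU_SOURCE` is added unconditionally ahead of `config.h`, so any build that already defines it (through `config.h` or `CFLAGS`) can get a macro-redefinition warning, and nothing records why the define is needed. Guard it, `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`, and add a one-line comment naming the GNU extension it unlocks; judging from the later `HAVE_MEMRCHR` use in this file it is presumably `memrchr`, but that should be confirmed rather than assumed.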
@@ -260,18 +250,18 @@ * The default FTP server configuration for FTP command validation. * Most of this comes from RFC 959, with additional commands being * drawn from other RFCs/Internet Drafts that are in use. - * + * * Any of the below can be overridden in snort.conf. - * + * * This is here to eliminate most of it from snort.conf to * avoid an ugly configuration file. The default_max_param_len * is somewhat arbitrary, but is taken from the majority of * the snort FTP rules that limit parameter size to 100 * characters, as of 18 Sep 2004. - * + * * The data_chan_cmds, data_xfer_cmds are used to track open * data channel connections. - * + * * The login_cmds and dir_cmds are used to track state of username * and current directory. */ @@ -285,7 +275,7 @@ "ftp_cmds { USER PASS ACCT CWD CDUP SMNT QUIT REIN TYPE STRU" " MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR" " DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } " - "ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } " + "ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } " "ftp_cmds { PORT PASV LPRT LPSV EPRT EPSV } " "ftp_cmds { FEAT OPTS } " "ftp_cmds { MDTM REST SIZE MLST MLSD } " @@ -337,7 +327,7 @@ char *maxToken = NULL; static tSfPolicyId ftp_current_policy = 0; -static void _addPortsToStream5(char *, tSfPolicyId); +static void _addPortsToStream5(char *, tSfPolicyId, int); static void _addFtpServerConfPortsToStream5(void *); char *NextToken(char *delimiters) @@ -439,7 +429,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ProcessInspectType(FTPTELNET_CONF_OPT *ConfOpt, * char *ErrorString, int ErrStrLen) * @@ -490,7 +480,7 @@ } /* - * Function: ProcessGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, + * Function: ProcessFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, * char *ErrorString, int ErrStrLen) * * Purpose: This is where we process the global configuration for FTPTelnet. 
@@ -518,7 +508,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -int ProcessGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, +int ProcessFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) { FTPTELNET_CONF_OPT *ConfOpt; @@ -560,7 +550,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -624,7 +614,7 @@ return FTPP_FATAL_ERR; } - + /* Unset the defaults */ for (iPort = 0;iPort<MAXPORTS;iPort++) protocol->ports[iPort] = 0; @@ -677,7 +667,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ProcessTelnetAYTThreshold(TELNET_PROTO_CONF *TelnetConf, * char *ErrorString, int ErrStrLen) * @@ -765,7 +755,7 @@ } _dpd.logMsg("%s\n", buf); - + _dpd.logMsg(" Are You There Threshold: %d\n", TelnetConf->ayt_threshold); _dpd.logMsg(" Normalize: %s\n", TelnetConf->normalize ? "YES" : "NO"); @@ -875,7 +865,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -926,7 +916,7 @@ char *ErrorString, int ErrStrLen) { #ifdef SUP_IP6 - if(sfip_pton(addrString, ipAddr) != SFIP_SUCCESS) + if(sfip_pton(addrString, ipAddr) != SFIP_SUCCESS) #else *ipAddr = inet_addr(addrString); if (*ipAddr == INADDR_NONE) @@ -1023,7 +1013,7 @@ return FTPP_FATAL_ERR; } - + while ((pcToken = NextToken(CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1137,7 +1127,7 @@ * */ static int ProcessFTPDataChanCmdsList(FTP_SERVER_PROTO_CONF *ServerConf, - char *confOption, + char *confOption, char *ErrorString, int ErrStrLen) { FTP_CMD_CONF *FTPCmd = NULL; @@ -1163,7 +1153,7 @@ return FTPP_FATAL_ERR; } - + while ((pcToken = NextToken(CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) 
@@ -1269,7 +1259,7 @@ * */ static int ProcessFTPDirCmdsList(FTP_SERVER_PROTO_CONF *ServerConf, - char *confOption, + char *confOption, char *ErrorString, int ErrStrLen) { FTP_CMD_CONF *FTPCmd = NULL; @@ -1297,7 +1287,7 @@ return FTPP_FATAL_ERR; } - + while ((pcToken = NextToken(CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1323,7 +1313,7 @@ } strcpy(FTPCmd->cmd_name, cmd); - + FTPCmd->max_param_len = ServerConf->def_max_param_len; ftp_cmd_lookup_add(ServerConf->cmd_lookup, cmd, @@ -1450,7 +1440,7 @@ DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory\n", *(_dpd.config_file), *(_dpd.config_line)); } - + memcpy(ThisFmt->choices, choices, sizeof(FTP_PARAM_FMT *) * numChoices); } } @@ -1804,7 +1794,7 @@ DynamicPreprocessorFatalMessage("%s(%d) => Can't do memcpy - index out of range \n", *(_dpd.config_file), *(_dpd.config_line)); - memcpy(tmpChoices, ThisFmt->choices, + memcpy(tmpChoices, ThisFmt->choices, sizeof(FTP_PARAM_FMT*) * ThisFmt->numChoices); } NextFmt = (FTP_PARAM_FMT *)calloc(1, sizeof(FTP_PARAM_FMT)); @@ -1903,7 +1893,7 @@ { char* end = index(++fmt, *F_LITERAL); int len = end ? end - fmt : 0; - + if ( len < 1 ) { snprintf( @@ -1952,7 +1942,7 @@ return DoNextFormat(NextFmt, 0, ErrorString, ErrStrLen); } -/* +/* * Function: ProcessFTPCmdValidity(FTP_SERVER_PROTO_CONF *ServerConf, * char *ErrorString, int ErrStrLen) * @@ -2181,7 +2171,7 @@ } -/* +/* * Function: ProcessFTPMaxRespLen(FTP_CLIENT_PROTO_CONF *ClientConf, * char *ErrorString, int ErrStrLen) * @@ -2234,7 +2224,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ParseBounceTo(char *token, FTP_BOUNCE_TO*) * * Purpose: Extract the IP address, masking bits (CIDR format), and @@ -2315,7 +2305,7 @@ return FTPP_SUCCESS; } -/* +/* * Function: ProcessFTPAlowBounce(FTP_CLIENT_PROTO_CONF *ClientConf, * char *ErrorString, int ErrStrLen) * 
@@ -2380,7 +2370,7 @@ "Failed to allocate memory for Bounce"); return FTPP_FATAL_ERR; } - + iRet = ParseBounceTo(pcToken, newBounce); if (iRet) { @@ -2455,7 +2445,7 @@ } _dpd.logMsg(" FTP Client: %s\n", client); - + PrintConfOpt(&ClientConf->bounce, " Check for Bounce Attacks"); PrintConfOpt(&ClientConf->telnet_cmds, " Check for Telnet Cmds"); PrintConfOpt(&ClientConf->ignore_telnet_erase_cmds, " Ignore Telnet Cmd Operations"); @@ -2598,7 +2588,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -2705,7 +2695,7 @@ } //ConfigParseResumePtr = pIpAddressList+strlen(pIpAddressList); - + pIpAddressList2 = strdup(pIpAddressList); if (!pIpAddressList2) { @@ -2718,9 +2708,9 @@ - for (client = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); - client; - client = strtok_r(NULL, CONF_SEPARATORS, &brkt)) + for (client = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); + client; + client = strtok_r(NULL, CONF_SEPARATORS, &brkt)) { if (sfip_pton(client, &ipAddr) != SFIP_SUCCESS) @@ -2750,7 +2740,7 @@ /* ** allocate the memory for the client configuration */ - if (firstIpAddress) + if (firstIpAddress) { // Write this IP into the buffer for printing snprintf(client_list, STD_BUF, "%s", client); @@ -2789,7 +2779,7 @@ //no IP address was found snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", CLIENT); - + retVal = FTPP_INVALID_ARG; goto _return; } @@ -2864,6 +2854,7 @@ */ static int PrintFTPServerConf(char * server, FTP_SERVER_PROTO_CONF *ServerConf) { + const char* spaf = ""; char buf[BUF_SIZE+1]; int iCtr; int iRet; 
@@ -2880,10 +2871,15 @@ printedFTPHeader = 1; } +#ifdef ENABLE_PAF + if ( _dpd.isPafEnabled() ) + spaf = " (PAF)"; +#endif + _dpd.logMsg(" FTP Server: %s\n", server); memset(buf, 0, BUF_SIZE+1); - snprintf(buf, BUF_SIZE, " Ports: "); + snprintf(buf, BUF_SIZE, " Ports%s: ", spaf); /* * Print out all the applicable ports. @@ -2897,7 +2893,7 @@ } _dpd.logMsg("%s\n", buf); - + PrintConfOpt(&ServerConf->telnet_cmds, " Check for Telnet Cmds"); PrintConfOpt(&ServerConf->ignore_telnet_erase_cmds, " Ignore Telnet Cmd Operations"); _dpd.logMsg(" Identify open data channels: %s\n", @@ -3071,7 +3067,7 @@ { if (data_chan_configured && ServerConf->data_chan == 0) { - snprintf(ErrorString, ErrStrLen, "Both 'data_chan' and " + snprintf(ErrorString, ErrStrLen, "Both 'data_chan' and " "'ignore_data_chan' configured with conflicting options."); return FTPP_FATAL_ERR; } @@ -3119,7 +3115,7 @@ else { snprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return FTPP_FATAL_ERR; @@ -3227,7 +3223,7 @@ //list begin didn't match so this must be an IP address pIpAddressList = server; } - + ConfigParseResumePtr = pIpAddressList+strlen(pIpAddressList); pIpAddressList2 = strdup(pIpAddressList); @@ -3240,9 +3236,9 @@ goto _return; } - for (server = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); - server; - server = strtok_r(NULL, CONF_SEPARATORS, &brkt)) + for (server = strtok_r(pIpAddressList2, CONF_SEPARATORS, &brkt); + server; + server = strtok_r(NULL, CONF_SEPARATORS, &brkt)) { if (sfip_pton(server, &ipAddr) != SFIP_SUCCESS) { @@ -3269,7 +3265,7 @@ ipAddr.ip.u6_addr32[0] = ntohl(ipAddr.ip.u6_addr32[0]); } - if (firstIpAddress) + if (firstIpAddress) { /* Write this IP into the buffer for printing */ snprintf(server_list, STD_BUF, "%s", server); 
@@ -3303,14 +3299,14 @@ } ftpp_ui_config_add_ftp_server(GlobalConf, &ipAddr, new_server_conf); - + //create a reference new_server_conf->referenceCount++; } if (firstIpAddress) { - //no IP address was found + //no IP address was found snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", CLIENT); @@ -3369,9 +3365,9 @@ * the specific server configuration. Quick hack/trick here: reset * the end of the client string to a conf separator, then call strtok. * That will reset strtok's internal pointer to the next token after - * the client name, which is what we're expecting it to be. + * the client name, which is what we're expecting it to be. */ - if (ConfigParseResumePtr < maxToken) + if (ConfigParseResumePtr < maxToken) { /* only if there is data after the server/client name */ if (ip_list) @@ -3409,7 +3405,7 @@ } /* - * Function: PrintGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) + * Function: PrintFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) * * Purpose: Prints the FTPTelnet preprocessor global configuration * @@ -3419,7 +3415,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -int PrintGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) +int PrintFTPGlobalConf(FTPTELNET_GLOBAL_CONF *GlobalConf) { _dpd.logMsg("FTPTelnet Config:\n"); @@ -3474,7 +3470,7 @@ static int FTPTelnetFreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -3529,7 +3525,7 @@ * Purpose: This checks that the FTP configuration provided has * options for CMDs that make sense: * -- check if max_len == 0 & there is a cmd_validity - * + * * Arguments: serverConf => pointer to Server Configuration * * Returns: 0 => no errors @@ -3541,7 +3537,7 @@ FTP_CMD_CONF *cmdConf; int iRet =0; int config_error = 0; - + cmdConf = ftp_cmd_lookup_first(serverConf->cmd_lookup, &iRet); while (cmdConf && (iRet == FTPP_SUCCESS)) { 
@@ -3556,7 +3552,7 @@ config_error = 1; } cmdConf = ftp_cmd_lookup_next(serverConf->cmd_lookup, &iRet); - } + } return config_error; } @@ -3565,7 +3561,7 @@ * Function: FTPTelnetCheckFTPServerConfigs(void) * * Purpose: This checks that the FTP server configurations are reasonable - * + * * Arguments: None * * Returns: None @@ -3603,7 +3599,7 @@ * * Purpose: This checks that the FTP configuration provided includes * the default configurations for Server & Client. - * + * * Arguments: None * * Returns: None @@ -3656,7 +3652,7 @@ static int FTPConfigCheckPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -3679,30 +3675,30 @@ * * Purpose: This is the routine that logs FTP/Telnet Preprocessor (FTPP) * alerts through Snort. - * + * * Every Session gets looked at for any logged events, and if * there are events to be logged then we select the one with the * highest priority. - * + * * We use a generic event structure that we set for each different * event structure. This way we can use the same code for event * logging regardless of what type of event strucure we are dealing * with. - * + * * The important things to know about this function is how to work * with the event queue. The number of unique events is contained * in the stack_count variable. So we loop through all the unique * events and find which one has the highest priority. During this * loop, we also re-initialize the individual event counts for the * next iteration, saving us time in a separate initialization phase. - * + * * After we've iterated through all the events and found the one * with the highest priority, we then log that event through snort. - * + * * We've mapped the FTPTelnet and the Snort alert IDs together, so * we can access them directly instead of having a more complex * mapping function. - * + * * Arguments: GenEvents => pointer a list of events * iGenerator => Generator ID (Telnet or FTP) * 
@@ -3710,7 +3706,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int LogFTPPEvents(FTPP_GEN_EVENTS *GenEvents, +static inline int LogFTPPEvents(FTPP_GEN_EVENTS *GenEvents, int iGenerator) { FTPP_EVENT *OrigEvent; @@ -3806,14 +3802,14 @@ * Purpose: This is the routine that logs FTP alerts through Snort. * It maps the event into a generic event and calls * LOGFTPPEvents(). - * + * * Arguments: FtpSession => pointer the session structure * * Returns: int => an error code integer (0 = success, * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int LogFTPEvents(FTP_SESSION *FtpSession) +static inline int LogFTPEvents(FTP_SESSION *FtpSession) { FTPP_GEN_EVENTS GenEvents; int iGenerator; @@ -3838,14 +3834,14 @@ * Purpose: This is the routine that logs Telnet alerts through Snort. * It maps the event into a generic event and calls * LOGFTPPEvents(). - * + * * Arguments: TelnetSession => pointer the session structure * * Returns: int => an error code integer (0 = success, * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int LogTelnetEvents(TELNET_SESSION *TelnetSession) +static inline int LogTelnetEvents(TELNET_SESSION *TelnetSession) { FTPP_GEN_EVENTS GenEvents; int iGenerator; @@ -3869,7 +3865,7 @@ * Purpose: This is the routine sets the source and destination IP * address and port pairs so as to determine the direction * of the FTP or telnet connection. - * + * * Arguments: SiInput => pointer the session input structure * p => pointer to the packet structure * @@ -3877,7 +3873,7 @@ * >0 = non-fatal error, <0 = fatal error) * */ -static INLINE int SetSiInput(FTPP_SI_INPUT *SiInput, SFSnortPacket *p) +static inline int SetSiInput(FTPP_SI_INPUT *SiInput, SFSnortPacket *p) { IP_COPY_VALUE(SiInput->sip, GET_SRC_IP(p)); IP_COPY_VALUE(SiInput->dip, GET_DST_IP(p)); 
@@ -3914,7 +3910,7 @@ * * Purpose: This is the routine that directly performs the rules checking * for each of the FTP & telnet preprocessing modules. - * + * * Arguments: p => pointer to the packet structure * * Returns: None @@ -3961,7 +3957,7 @@ * * Purpose: This is the routine that handles the protocol layer checks * for telnet. - * + * * Arguments: GlobalConf => pointer the global configuration * p => pointer to the packet structure * iInspectMode => indicator whether this is a client or server @@ -4024,6 +4020,15 @@ return FTPP_SUCCESS; } +static inline int InspectClientPacket (SFSnortPacket* p) +{ +#ifdef ENABLE_PAF + if ( _dpd.isPafEnabled() ) + return PacketHasPAFPayload(p); +#endif + + return !(p->flags & FLAG_STREAM_INSERT); +} /* * Function: SnortFTP(FTPTELNET_GLOBAL_CONF *GlobalConf, * Packet *p, @@ -4031,7 +4036,7 @@ * * Purpose: This is the routine that handles the protocol layer checks * for FTP. - * + * * Arguments: GlobalConf => pointer the global configuration * p => pointer to the packet structure * iInspectMode => indicator whether this is a client or server @@ -4047,14 +4052,14 @@ int iRet; PROFILE_VARS; - if (!FTPSession || + if (!FTPSession || FTPSession->server_conf == NULL || FTPSession->client_conf == NULL) { return FTPP_INVALID_SESSION; } - if (!GlobalConf->check_encrypted_data && + if (!GlobalConf->check_encrypted_data && ((FTPSession->encr_state == AUTH_TLS_ENCRYPTED) || (FTPSession->encr_state == AUTH_SSL_ENCRYPTED) || (FTPSession->encr_state == AUTH_UNKNOWN_ENCRYPTED)) ) 
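Review bot: `InspectClientPacket` is introduced without the function header comment every other function in this file carries, and it sits directly against the `/* Function: SnortFTP` comment block with no separating blank line. A short header would tell the next reader what the return value means, roughly: `/* Returns non-zero when a client packet should be inspected now: with PAF enabled, whether it carries PAF-flushed payload; otherwise, whether it is not a stream-insert (reassembly pending) packet. */`. The meaning of `PacketHasPAFPayload` is inferred from its name only and should be checked against its definition before the comment is committed.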
@@ -4066,14 +4071,19 @@ if (iInspectMode == FTPP_SI_SERVER_MODE) { - /* Force flush of client side of stream */ DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Server packet: %.*s\n", p->payload_size, p->payload)); - _dpd.streamAPI->response_flush_stream(p); + +#ifdef ENABLE_PAF + // FIXTHIS breaks target-based non-standard ports + //if ( !_dpd.isPafEnabled() ) +#endif + /* Force flush of client side of stream */ + _dpd.streamAPI->response_flush_stream(p); } else { - if (p->flags & FLAG_STREAM_INSERT) + if ( !InspectClientPacket(p) ) { DEBUG_WRAP(DebugMessage(DEBUG_FTPTELNET, "Client packet will be reassembled\n")); @@ -4152,7 +4162,7 @@ sfPolicyUserPolicySet (ftp_telnet_config, policy_id); GlobalConf = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(ftp_telnet_config); - + /* * Set up the FTPP_SI_INPUT pointer. This is what the session_inspection() * routines use to determine client and server traffic. Plus, this makes @@ -4230,7 +4240,7 @@ * FTPTelnet PACKET FLOW:: * * Determine Proto Module:: - * The Session Inspection Module retrieves the appropriate + * The Session Inspection Module retrieves the appropriate * configuration for sessions, and takes care of the stateless * vs. stateful processing in order to do this. Once this module * does it's magic, we're ready for the primetime. This means @@ -4239,7 +4249,7 @@ * Proto Specific Module:: * This is where we normalize the data. The Protocol specific module * handles what type of normalization to do (telnet, ftp) and does - * protocl related checks. + * protocol related checks. * */ if (ft_ssn == NULL) @@ -4290,7 +4300,7 @@ /**************************************************************************** - * + * * Function: FTPPBounce(void *pkt, uint8_t **cursor, void **dataPtr) * * Purpose: Use this function to perform the particular detection routine 
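Review bot: The `#ifdef ENABLE_PAF` ... `#endif` block added around the server-mode flush contains only a commented-out condition, so `_dpd.streamAPI->response_flush_stream(p);` runs unconditionally in both builds, while the extra indentation and the `/* Force flush of client side of stream */` comment placed under the `#endif` read as if the flush were PAF-conditional. Replace the dead preprocessor block and the `FIXTHIS` line with one plain comment that states the decision, e.g. `/* Force flush of the client side even when PAF is enabled: skipping it breaks target-based non-standard ports (FIXTHIS: revisit once PAF covers that case). */`. The body of SnortFTP continues outside this hunk.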
@@ -4313,17 +4323,23 @@ const char *this_param = *(const char **)cursor; int dsize; - int use_alt_buffer = p->flags & FLAG_ALT_DECODE; // TBD SUP_IP6 support if ( !p->ip4_header ) return 0; - if(use_alt_buffer) + if(_dpd.Is_DetectFlag(SF_FLAG_ALT_DETECT)) + { + dsize = _dpd.altDetect->len; + start_ptr = (char *) _dpd.altDetect->data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "Using Alternative Detect buffer!\n");); + } + else if(_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) { dsize = _dpd.altBuffer->len; - start_ptr = (char *) _dpd.altBuffer; - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + start_ptr = (char *) _dpd.altBuffer->data; + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using Alternative Decode buffer!\n");); } @@ -4343,7 +4359,7 @@ base_ptr = start_ptr; while (isspace((int)*this_param) && (this_param < end_ptr)) this_param++; - + do { int value = 0; @@ -4401,14 +4417,14 @@ "PORT command not being used in bounce\n");); return RULE_NOMATCH; } - + /* Never reached */ return RULE_NOMATCH; } #endif /* DYNAMIC_PLUGIN */ -/** Add ports configured for http preprocessor to stream5 port filtering so that if +/** Add ports configured for http preprocessor to stream5 port filtering so that if * any_any rules are being ignored them the the packet still reaches http-inspect. * * For ports in global_server configuration, server_lookup and server_lookupIpv6, @@ -4424,8 +4440,8 @@ /* For the server callback */ ftp_current_policy = policy_id; - _addPortsToStream5(config->telnet_config->proto_ports.ports, policy_id); - _addPortsToStream5(config->default_ftp_server->proto_ports.ports, policy_id); + _addPortsToStream5(config->telnet_config->proto_ports.ports, policy_id, 0); + _addPortsToStream5(config->default_ftp_server->proto_ports.ports, policy_id, 1); ftpp_ui_server_iterate(config->server_lookup, _addFtpServerConfPortsToStream5, &i); } 
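Review bot: The new third argument to `_addPortsToStream5` is passed as bare `0`/`1` literals in the `_FTPTelnetAddPortsOfInterest` hunk, so a reader has to look up the prototype to learn it is the "register the FTP PAF callback" flag. Since this file already uses `true`/`false` for `register_paf_cb`, the parameter could be declared `bool ftp` and the calls written `_addPortsToStream5(config->telnet_config->proto_ports.ports, policy_id, false);` and `_addPortsToStream5(config->default_ftp_server->proto_ports.ports, policy_id, true);`, or at least given a named constant.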
@@ -4433,10 +4449,41 @@ static void _addFtpServerConfPortsToStream5(void *pData) { FTP_SERVER_PROTO_CONF *pConf = (FTP_SERVER_PROTO_CONF *)pData; - _addPortsToStream5(pConf->proto_ports.ports, ftp_current_policy); + _addPortsToStream5(pConf->proto_ports.ports, ftp_current_policy, 1); +} + +#ifdef ENABLE_PAF +// flush at last line feed in payload +// preproc will deal with any pipelined commands +static PAF_Status ftp_paf ( + void* ssn, void** pv, const uint8_t* data, uint32_t len, + uint32_t flags, uint32_t* fp) +{ +#ifdef HAVE_MEMRCHR + uint8_t* lf = memrchr(data, '\n', len); +#else + uint32_t n = len; + uint8_t* lf = NULL, * tmp = (uint8_t*) data; + + while ( (tmp = memchr(tmp, '\n', n)) ) + { + lf = tmp++; + n = len - (tmp - data); + } +#endif + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s[%d] '%*.*s'\n", __FUNCTION__, len, len, len, data)); + + if ( !lf ) + return PAF_SEARCH; + + *fp = lf - data + 1; + return PAF_FLUSH; } +#endif -static void _addPortsToStream5(char *ports, tSfPolicyId policy_id) +static void _addPortsToStream5(char *ports, tSfPolicyId policy_id, int ftp) { unsigned int i; @@ -4447,6 +4494,14 @@ //Add port the port _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)i, PORT_MONITOR_SESSION, policy_id, 1); + +#ifdef ENABLE_PAF + if ( ftp && _dpd.isPafEnabled() ) + { + _dpd.streamAPI->register_paf_cb(policy_id, (uint16_t)i, true, ftp_paf, false); + _dpd.streamAPI->register_paf_cb(policy_id, (uint16_t)i, false, ftp_paf, false); + } +#endif } } } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h 2010-01-26 10:10:04.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h 2011-06-07 17:33:14.000000000 -0700 
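Review bot: In ftp_paf the line `uint8_t* lf = memrchr(data, '\n', len);` silently drops the const of `data` through memrchr's `void *` return; declare it `const uint8_t* lf` (and `const uint8_t *tmp` in the fallback) so a write through it cannot slip in later, and note that memrchr is a GNU extension whose `HAVE_MEMRCHR` guard is the only thing keeping the fallback reachable. The debug line `"%s[%d] '%*.*s'\n", __FUNCTION__, len, len, len, data` passes a `uint32_t` where `%d`, `*` width and `*` precision expect `int`; cast as `(int)len` in all three places. The callback returns PAF_SEARCH whenever no '\n' is present, so a client that never sends a line feed keeps the flush point open indefinitely unless the stream layer imposes its own maximum (not visible here); a header comment stating that assumption, such as `// relies on the stream layer's PAF maximum to bound a line with no LF`, would make the contract explicit.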
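Review bot: The new `int ftp` parameter of `_addPortsToStream5` is passed as bare literals `0` and `1` from `_FTPTelnetAddPortsOfInterest` in the earlier hunk, so a reader of those call sites cannot tell what the flag selects; document it on the definition, e.g. `/* ftp: non-zero registers ftp_paf for each port (telnet config passes 0) */`, or use bool now that `true`/`false` are already used in the same hunk. The registration calls `register_paf_cb(policy_id, (uint16_t)i, true, ftp_paf, false)` and the same with `false` presumably cover both traffic directions, but the meaning of the third and fifth arguments is not visible here; a comment naming them would avoid the next maintainer guessing. The enclosing loop of `_addPortsToStream5` starts outside the hunk.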
@@ -1,7 +1,7 @@ /* * snort_ftptelnet.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> @@ -74,10 +74,10 @@ void FTPTelnetCheckFTPServerConfigs(FTPTELNET_GLOBAL_CONF *); void _FTPTelnetAddPortsOfInterest(FTPTELNET_GLOBAL_CONF *, tSfPolicyId); -int ProcessGlobalConf(FTPTELNET_GLOBAL_CONF *, char *, int); +int ProcessFTPGlobalConf(FTPTELNET_GLOBAL_CONF *, char *, int); int ProcessTelnetConf(FTPTELNET_GLOBAL_CONF *, char *, int); int ProcessFTPClientConf(FTPTELNET_GLOBAL_CONF *, char *, int); int ProcessFTPServerConf(FTPTELNET_GLOBAL_CONF *, char *, int); -int PrintGlobalConf(FTPTELNET_GLOBAL_CONF *); +int PrintFTPGlobalConf(FTPTELNET_GLOBAL_CONF *); int FTPTelnetCheckConfigs( void* , tSfPolicyId ); #endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c 2010-04-06 07:05:47.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,12 +1,12 @@ /* * spp_ftptelnet.c * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * Kevin Liu <kliu@sourcefire.com> - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or @@ -48,10 +48,8 @@ #include "config.h" #endif -//#include "decode.h" -//#include "plugbase.h" -#include "debug.h" -//#include "util.h" +#include "sf_types.h" +#include "snort_debug.h" #include "ftpp_ui_config.h" #ifdef CLIENT_READY 
@@ -59,16 +57,26 @@ #include "ftp_norm.h" #endif #include "snort_ftptelnet.h" +#include "spp_ftptelnet.h" +#include "sf_preproc_info.h" #include "profiler.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" -#ifdef DYNAMIC_PLUGIN -//#include "dynamic-plugins/sp_preprocopt.h" +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 2; +const int BUILD_VERSION = 13; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_FTPTELNET (IPV6)"; +#else +const char *PREPROC_NAME = "SF_FTPTELNET"; #endif +#define SetupFTPTelnet DYNAMIC_PREPROC_SETUP + + /* * Defines for preprocessor initialization */ @@ -268,7 +276,7 @@ pPolicyConfig = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(ftp_telnet_config); if (pPolicyConfig == NULL) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) { DynamicPreprocessorFatalMessage("%s(%d) Must configure the " "ftptelnet global configuration first.\n", @@ -291,12 +299,12 @@ if (iRet == 0) { - iRet = ProcessGlobalConf(pPolicyConfig, + iRet = ProcessFTPGlobalConf(pPolicyConfig, ErrorString, iErrStrLen); if (iRet == 0) { - PrintGlobalConf(pPolicyConfig); + PrintFTPGlobalConf(pPolicyConfig); /* Add FTPTelnet into the preprocessor list */ _dpd.addPreproc(FTPTelnetChecks, PRIORITY_APPLICATION, PP_FTPTELNET, PROTO_BIT__TCP); @@ -359,7 +367,7 @@ */ if(*ErrorString) { - _dpd.errMsg("WARNING: %s(%d) => %s\n", + _dpd.errMsg("WARNING: %s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } } @@ -370,7 +378,7 @@ */ if(*ErrorString) { - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } else 
@@ -380,12 +388,12 @@ */ if(iRet == -2) { - DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", + DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", *(_dpd.config_file), *(_dpd.config_line)); } else { - DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", *(_dpd.config_file), *(_dpd.config_line)); } } @@ -488,7 +496,7 @@ if (pPolicyConfig == NULL) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) { DynamicPreprocessorFatalMessage("%s(%d) Must configure the " "ftptelnet global configuration first.\n", @@ -511,12 +519,12 @@ if (iRet == 0) { - iRet = ProcessGlobalConf(pPolicyConfig, + iRet = ProcessFTPGlobalConf(pPolicyConfig, ErrorString, iErrStrLen); if (iRet == 0) { - PrintGlobalConf(pPolicyConfig); + PrintFTPGlobalConf(pPolicyConfig); /* Add FTPTelnet into the preprocessor list */ _dpd.addPreproc(FTPTelnetChecks, PRIORITY_APPLICATION, PP_FTPTELNET, PROTO_BIT__TCP); @@ -568,7 +576,7 @@ */ if(*ErrorString) { - _dpd.errMsg("WARNING: %s(%d) => %s\n", + _dpd.errMsg("WARNING: %s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } } @@ -579,7 +587,7 @@ */ if(*ErrorString) { - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), ErrorString); } else @@ -589,12 +597,12 @@ */ if(iRet == -2) { - DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", + DynamicPreprocessorFatalMessage("%s(%d) => ErrorString is undefined.\n", *(_dpd.config_file), *(_dpd.config_line)); } else { - DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", *(_dpd.config_file), *(_dpd.config_line)); } } 
@@ -604,7 +612,7 @@ static int FtpTelnetReloadVerifyPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -624,7 +632,7 @@ static int FtpTelnetReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h --- snort-2.9.0.1/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h 2010-01-26 10:10:04.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h 2011-02-09 15:23:20.000000000 -0800 @@ -1,7 +1,7 @@ /* * spp_ftptelnet.h * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_config.c snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.c --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_config.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,1009 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 7/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com> + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include <ctype.h> +#include <errno.h> +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "gtp_config.h" +#include "spp_gtp.h" +#include "gtp_debug.h" + +#define METHOD_NOT_FOUND (-1) +/* + * Default GTP port + */ +#define GTP_C_PORT (2123) +#define GTP_C_PORT_V0 (3386) + +/* + * Keyword strings for parsing configuration options. 
+ */ +#define GTP_PORTS_KEYWORD "ports" + +#define GTP_CONFIG_SECTION_SEPERATORS ",;" +#define GTP_CONFIG_VALUE_SEPERATORS " " + +/* + * Message type defined + */ + +static GTP_MsgType GTPv0_MsgTypes[] = +{ + {1, 1, "echo_request"}, + {2, 1, "echo_response"}, + {3, 1, "version_not_supported"}, + {4, 1, "node_alive_request"}, + {5, 1, "node_alive_response"}, + {6, 1, "redirection_request"}, + {7, 1, "redirection_response"}, + + {16, 1,"create_pdp_context_request"}, + {17, 1,"create_pdp_context_response"}, + {18, 1,"update_pdp_context_request"}, + {19, 1,"update_pdp_context_response"}, + {20, 1,"delete_pdp_context_request"}, + {21, 1,"delete_pdp_context_response"}, + {22, 1,"create_aa_pdp_context_request"}, + {23, 1,"create_aa_pdp_context_response"}, + {24, 1,"delete_aa_pdp_context_request"}, + {25, 1,"delete_aa_pdp_context_response"}, + {26, 1,"error_indication"}, + {27, 1,"pdu_notification_request"}, + {28, 1,"pdu_notification_response"}, + {29, 1,"pdu_notification_reject_request"}, + {30, 1,"pdu_notification_reject_response"}, + + {32, 1,"send_routing_info_request"}, + {33, 1,"send_routing_info_response"}, + {34, 1,"failure_report_request"}, + {35, 1,"failure_report_response"}, + {36, 1,"note_ms_present_request"}, + {37, 1,"note_ms_present_response"}, + + {48, 1,"identification_request"}, + {49, 1,"identification_response"}, + {50, 1,"sgsn_context_request"}, + {51, 1,"sgsn_context_response"}, + {52, 1,"sgsn_context_ack"}, + + {240, 1,"data_record_transfer_request"}, + {241, 1,"data_record_transfer_response"}, + + {255, 1,"pdu"}, + {0, 0, NULL} +}; + +static GTP_MsgType GTPv1_MsgTypes[] = +{ + {1, 1, "echo_request"}, + {2, 1, "echo_response"}, + {3, 1, "version_not_supported"}, + {4, 1, "node_alive_request"}, + {5, 1, "node_alive_response"}, + {6, 1, "redirection_request"}, + {7, 1, "redirection_response"}, + + {16, 1,"create_pdp_context_request"}, + {17, 1,"create_pdp_context_response"}, + {18, 1,"update_pdp_context_request"}, + {19, 
1,"update_pdp_context_response"}, + {20, 1,"delete_pdp_context_request"}, + {21, 1,"delete_pdp_context_response"}, + {22, 1,"init_pdp_context_activation_request"}, + {23, 1,"init_pdp_context_activation_response"}, + + {26, 1,"error_indication"}, + {27, 1,"pdu_notification_request"}, + {28, 1,"pdu_notification_response"}, + {29, 1,"pdu_notification_reject_request"}, + {30, 1,"pdu_notification_reject_response"}, + {31, 1,"supported_ext_header_notification"}, + {32, 1,"send_routing_info_request"}, + {33, 1,"send_routing_info_response"}, + {34, 1,"failure_report_request"}, + {35, 1,"failure_report_response"}, + {36, 1,"note_ms_present_request"}, + {37, 1,"note_ms_present_response"}, + + {48, 1,"identification_request"}, + {49, 1,"identification_response"}, + {50, 1,"sgsn_context_request"}, + {51, 1,"sgsn_context_response"}, + {52, 1,"sgsn_context_ack"}, + {53, 1,"forward_relocation_request"}, + {54, 1,"forward_relocation_response"}, + {55, 1,"forward_relocation_complete"}, + {56, 1,"relocation_cancel_request"}, + {57, 1,"relocation_cancel_response"}, + {58, 1,"forward_srns_contex"}, + {59, 1,"forward_relocation_complete_ack"}, + {60, 1,"forward_srns_contex_ack"}, + + {70, 1,"ran_info_relay"}, + + {96, 1,"mbms_notification_request"}, + {97, 1,"mbms_notification_response"}, + {98, 1,"mbms_notification_reject_request"}, + {99, 1,"mbms_notification_reject_response"}, + {100,1,"create_mbms_context_request"}, + {101,1,"create_mbms_context_response"}, + {102,1,"update_mbms_context_request"}, + {103,1,"update_mbms_context_response"}, + {104,1,"delete_mbms_context_request"}, + {105,1,"delete_mbms_context_response"}, + + {112,1,"mbms_register_request"}, + {113,1,"mbms_register_response"}, + {114,1,"mbms_deregister_request"}, + {115,1,"mbms_deregister_response"}, + {116,1,"mbms_session_start_request"}, + {117,1,"mbms_session_start_response"}, + {118,1,"mbms_session_stop_request"}, + {119,1,"mbms_session_stop_response"}, + {120,1,"mbms_session_update_request"}, + 
{121,1,"mbms_session_update_response"}, + + {128, 1,"ms_info_change_request"}, + {129, 1,"ms_info_change_response"}, + + {240, 1,"data_record_transfer_request"}, + {241, 1,"data_record_transfer_response"}, + + {254, 1,"end_marker"}, + {255, 1,"pdu"}, + {0, 0, NULL} +}; + +static GTP_MsgType GTPv2_MsgTypes[] = +{ + {1, 1, "echo_request"}, + {2, 1, "echo_response"}, + {3, 1, "version_not_supported"}, + + {32, 1,"create_session_request"}, + {33, 1,"create_session_response"}, + {34, 1,"modify_bearer_request"}, + {35, 1,"modify_bearer_response"}, + {36, 1,"delete_session_request"}, + {37, 1,"delete_session_response"}, + {38, 1,"change_notification_request"}, + {39, 1,"change_notification_response"}, + + {64, 1,"modify_bearer_command"}, + {65, 1,"modify_bearer_failure_indication"}, + {66, 1,"delete_bearer_command"}, + {67, 1,"delete_bearer_failure_indication"}, + {68, 1,"bearer_resource_command"}, + {69, 1,"bearer_resource_failure_indication"}, + {70, 1,"downlink_failure_indication"}, + {71, 1,"trace_session_activation"}, + {72, 1,"trace_session_deactivation"}, + {73, 1,"stop_paging_indication"}, + + {95, 1,"create_bearer_request"}, + {96, 1,"create_bearer_response"}, + {97, 1,"update_bearer_request"}, + {98, 1,"update_bearer_response"}, + {99, 1,"delete_bearer_request"}, + {100,1,"delete_bearer_response"}, + {101,1,"delete_pdn_request"}, + {102,1,"delete_pdn_response"}, + + {128, 1,"identification_request"}, + {129, 1,"identification_response"}, + {130, 1,"sgsn_context_request"}, + {131, 1,"sgsn_context_response"}, + {132, 1,"sgsn_context_ack"}, + {133, 1,"forward_relocation_request"}, + {134, 1,"forward_relocation_response"}, + {135, 1,"forward_relocation_complete"}, + {136, 1,"forward_relocation_complete_ack"}, + {137, 1,"forward_access"}, + {138, 1,"forward_access_ack"}, + {139, 1,"relocation_cancel_request"}, + {140, 1,"relocation_cancel_response"}, + {141, 1,"configuration_transfer_tunnel"}, + + {149, 1,"detach"}, + {150, 1,"detach_ack"}, + {151, 1,"cs_paging"}, + 
{152, 1,"ran_info_relay"}, + {153, 1,"alert_mme"}, + {154, 1,"alert_mme_ack"}, + {155, 1,"ue_activity"}, + {156, 1,"ue_activity_ack"}, + + {160,1,"create_forward_tunnel_request"}, + {161,1,"create_forward_tunnel_response"}, + {162, 1,"suspend"}, + {163, 1,"suspend_ack"}, + {164, 1,"resume"}, + {165, 1,"resume_ack"}, + {166,1,"create_indirect_forward_tunnel_request"}, + {167,1,"create_indirect_forward_tunnel_response"}, + {168,1,"delete_indirect_forward_tunnel_request"}, + {169,1,"delete_indirect_forward_tunnel_response"}, + {170,1,"release_access_bearer_request"}, + {171,1,"release_access_bearer_response"}, + + {176,1,"downlink_data"}, + {177,1,"downlink_data_ack"}, + + {179,1,"pgw_restart"}, + {180,1,"pgw_restart_ack"}, + + {200,1,"update_pdn_request"}, + {201,1,"update_pdn_response"}, + + {211,1,"modify_access_bearer_request"}, + {212,1,"modify_access_bearer_response"}, + + {231,1,"mbms_session_start_request"}, + {232,1,"mbms_session_start_response"}, + {233,1,"mbms_session_update_request"}, + {234,1,"mbms_session_update_response"}, + {235,1,"mbms_session_stop_request"}, + {236,1,"mbms_session_stop_response"}, + + {0, 0, NULL} +}; + +/* + * Information elements defined + */ + +static GTP_InfoElement GTPv0_InfoElements[] = +{ + {1, 1, "cause", 2}, + {2, 1, "imsi", 9}, + {3, 1, "rai", 7}, + {4, 1, "tlli", 5}, + {5, 1, "p_tmsi", 5}, + {6, 1, "qos", 4}, + + {8, 1, "recording_required", 2}, + {9, 1, "authentication", 29}, + + {11, 1, "map_cause", 2}, + {12, 1, "p_tmsi_sig", 4}, + {13, 1, "ms_validated", 2}, + {14, 1, "recovery", 2}, + {15, 1, "selection_mode", 2}, + {16, 1, "flow_label_data_1", 3}, + {17, 1, "flow_label_signalling", 3}, + {18, 1, "flow_label_data_2", 4}, + {19, 1, "ms_unreachable", 2}, + + {127, 1, "charge_id", 5}, + {128, 1, "end_user_address", 0}, + {129, 1, "mm_context", 0}, + {130, 1, "pdp_context", 0}, + {131, 1, "apn", 0}, + {132, 1, "protocol_config", 0}, + {133, 1, "gsn", 0}, + {134, 1, "msisdn", 0}, + + {251, 1, "charging_gateway_addr", 0}, + 
+ {255, 1, "private_extension", 0}, + + {0, 0, NULL, 0}, +}; + +static GTP_InfoElement GTPv1_InfoElements[] = +{ + {1, 1, "cause", 2}, + {2, 1, "imsi", 9}, + {3, 1, "rai", 7}, + {4, 1, "tlli", 5}, + {5, 1, "p_tmsi", 5}, + + {8, 1, "recording_required", 2}, + {9, 1, "authentication", 29}, + + {11, 1, "map_cause", 2}, + {12, 1, "p_tmsi_sig", 4}, + {13, 1, "ms_validated", 2}, + {14, 1, "recovery", 2}, + {15, 1, "selection_mode", 2}, + {16, 1, "teid_1", 5}, + {17, 1, "teid_control", 5}, + {18, 1, "teid_2", 6}, + {19, 1, "teardown_ind", 2}, + {20, 1, "nsapi", 2}, + {21, 1, "ranap", 2}, + {22, 1, "rab_context", 10}, + {23, 1, "radio_priority_sms", 2}, + {24, 1, "radio_priority", 2}, + {25, 1, "packet_flow_id", 3}, + {26, 1, "charging_char", 3}, + {27, 1, "trace_ref", 3}, + {28, 1, "trace_type", 3}, + {29, 1, "ms_unreachable", 2}, + + {127, 1, "charge_id", 5}, + {128, 1, "end_user_address", 0}, + {129, 1, "mm_context", 0}, + {130, 1, "pdp_context", 0}, + {131, 1, "apn", 0}, + {132, 1, "protocol_config", 0}, + {133, 1, "gsn", 0}, + {134, 1, "msisdn", 0}, + {135, 1, "qos", 0}, + {136, 1, "authentication_qu", 0}, + {137, 1, "tft", 0}, + {138, 1, "target_id", 0}, + {139, 1, "utran_trans", 0}, + {140, 1, "rab_setup", 0}, + {141, 1, "ext_header", 0}, + {142, 1, "trigger_id", 0}, + {143, 1, "omc_id", 0}, + {144, 1, "ran_trans", 0}, + {145, 1, "pdp_context_pri", 0}, + {146, 1, "addi_rab_setup", 0}, + {147, 1, "sgsn_number", 0}, + {148, 1, "common_flag", 0}, + {149, 1, "apn_restriction", 0}, + {150, 1, "radio_priority_lcs", 4}, + {151, 1, "rat_type", 0}, + {152, 1, "user_loc_info", 0}, + {153, 1, "ms_time_zone", 0}, + {154, 1, "imei_sv", 0}, + {155, 1, "camel", 0}, + {156, 1, "mbms_ue_context", 0}, + {157, 1, "tmp_mobile_group_id", 0}, + {158, 1, "rim_routing_addr", 0}, + {159, 1, "mbms_config", 0}, + {160, 1, "mbms_service_area", 0}, + {161, 1, "src_rnc_pdcp", 0}, + {162, 1, "addi_trace_info", 0}, + {163, 1, "hop_counter", 0}, + {164, 1, "plmn_id", 0}, + {165, 1, 
"mbms_session_id", 0}, + {166, 1, "mbms_2g3g_indicator", 0}, + {167, 1, "enhanced_nsapi", 0}, + {168, 1, "mbms_session_duration", 0}, + {169, 1, "addi_mbms_trace_info", 0}, + {170, 1, "mbms_session_repetition_num", 0}, + {171, 1, "mbms_time_to_data", 0}, + + {173, 1, "bss", 0}, + {174, 1, "cell_id", 0}, + {175, 1, "pdu_num", 0}, + {177, 1, "mbms_bearer_capab", 0}, + {178, 1, "rim_routing_disc", 0}, + {179, 1, "list_pfc", 0}, + {180, 1, "ps_xid", 0}, + {181, 1, "ms_info_change_report", 4}, + {182, 1, "direct_tunnel_flags", 0}, + {183, 1, "correlation_id", 0}, + {184, 1, "bearer_control_mode", 0}, + {185, 1, "mbms_flow_id", 0}, + {186, 1, "mbms_ip_multicast", 0}, + {187, 1, "mbms_distribution_ack", 4}, + {188, 1, "reliable_inter_rat_handover", 0}, + {189, 1, "rfsp_index", 0}, + {190, 1, "fqdn", 0}, + {191, 1, "evolved_allocation1", 0}, + {192, 1, "evolved_allocation2", 0}, + {193, 1, "extended_flags", 0}, + {194, 1, "uci", 0}, + {195, 1, "csg_info", 0}, + {196, 1, "csg_id", 0}, + {197, 1, "cmi", 4}, + {198, 1, "apn_ambr", 0}, + {199, 1, "ue_network", 0}, + {200, 1, "ue_ambr", 0}, + {201, 1, "apn_ambr_nsapi", 0}, + {202, 1, "ggsn_backoff_timer", 0}, + {203, 1, "signalling_priority_indication", 0}, + {204, 1, "signalling_priority_indication_nsapi", 0}, + {205, 1, "high_bitrate", 4}, + {206, 1, "max_mbr", 0}, + + {251, 1, "charging_gateway_addr", 0}, + + {255, 1, "private_extension", 0}, + + {0, 0, NULL, 0}, +}; + +static GTP_InfoElement GTPv2_InfoElements[] = +{ + {1, 1, "imsi", 0}, + {2, 1, "cause", 0}, + {3, 1, "recovery", 0}, + + {71, 1, "apn", 0}, + {72, 1, "ambr", 0}, + {73, 1, "ebi", 0}, + {74, 1, "ip_addr", 0}, + {75, 1, "mei", 0}, + {76, 1, "msisdn", 0}, + {77, 1, "indication", 0}, + {78, 1, "pco", 0}, + {79, 1, "paa", 0}, + {80, 1, "bearer_qos", 0}, + {81, 1, "flow_qos", 0}, + {82, 1, "rat_type", 0}, + {83, 1, "serving_network", 0}, + {84, 1, "bearer_tft", 0}, + {85, 1, "tad", 0}, + {86, 1, "uli", 0}, + {87, 1, "f_teid", 0}, + {88, 1, "tmsi", 0}, + {89, 1, 
"cn_id", 0}, + {90, 1, "s103pdf", 0}, + {91, 1, "s1udf", 0}, + {92, 1, "delay_value", 0}, + {93, 1, "bearer_context", 0}, + {94, 1, "charging_id", 0}, + {95, 1, "charging_char", 0}, + {96, 1, "trace_info", 0}, + {97, 1, "bearer_flag", 0}, + + {99, 1, "pdn_type", 0}, + {100, 1, "pti", 0}, + {101, 1, "drx_parameter", 0}, + + {103, 1, "gsm_key_tri", 0}, + {104, 1, "umts_key_cipher_quin", 0}, + {105, 1, "gsm_key_cipher_quin", 0}, + {106, 1, "umts_key_quin", 0}, + {107, 1, "eps_quad", 0}, + {108, 1, "umts_key_quad_quin", 0}, + {109, 1, "pdn_connection", 0}, + {110, 1, "pdn_number", 0}, + {111, 1, "p_tmsi", 0}, + {112, 1, "p_tmsi_sig", 0}, + {113, 1, "hop_counter", 0}, + {114, 1, "ue_time_zone", 0}, + {115, 1, "trace_ref", 0}, + {116, 1, "complete_request_msg", 0}, + {117, 1, "guti", 0}, + {118, 1, "f_container", 0}, + {119, 1, "f_cause", 0}, + {120, 1, "plmn_id", 0}, + {121, 1, "target_id", 0}, + + {123, 1, "packet_flow_id", 0}, + {124, 1, "rab_contex", 0}, + {125, 1, "src_rnc_pdcp", 0}, + {126, 1, "udp_src_port", 0}, + {127, 1, "apn_restriction", 0}, + {128, 1, "selection_mode", 0}, + {129, 1, "src_id", 0}, + + {131, 1, "change_report_action", 0}, + {132, 1, "fq_csid", 0}, + {133, 1, "channel", 0}, + {134, 1, "emlpp_pri", 0}, + {135, 1, "node_type", 0}, + {136, 1, "fqdn", 0}, + {137, 1, "ti", 0}, + {138, 1, "mbms_session_duration", 0}, + {139, 1, "mbms_service_area", 0}, + {140, 1, "mbms_session_id", 0}, + {141, 1, "mbms_flow_id", 0}, + {142, 1, "mbms_ip_multicast", 0}, + {143, 1, "mbms_distribution_ack", 0}, + {144, 1, "rfsp_index", 0}, + {145, 1, "uci", 0}, + {146, 1, "csg_info", 0}, + {147, 1, "csg_id", 0}, + {148, 1, "cmi", 0}, + {149, 1, "service_indicator", 0}, + {150, 1, "detach_type", 0}, + {151, 1, "ldn", 0}, + {152, 1, "node_feature", 0}, + {153, 1, "mbms_time_to_transfer", 0}, + {154, 1, "throttling", 0}, + {155, 1, "arp", 0}, + {156, 1, "epc_timer", 0}, + {157, 1, "signalling_priority_indication", 0}, + {158, 1, "tmgi", 0}, + {159, 1, "mm_srvcc", 0}, + 
{160, 1, "flags_srvcc", 0}, + {161, 1, "mmbr", 0}, + + {255, 1, "private_extension", 0}, + + {0, 0, NULL, 0}, +}; + + +/* + * Function prototype(s) + */ +static void InitGTPInfoElementTable(GTPConfig *); +static void DisplayGTPConfig(GTPConfig *); +static void GTP_ParsePortList(char **, uint8_t *); + +/* Update the information elements table for one GTP version. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * GTP_InfoElement *: Information elements + * uint8_t: version number for information elements + * + * RETURNS: Nothing. + */ + +static void UpdateGTPInfoElementTable(GTPConfig *config, GTP_InfoElement *InfoElements, uint8_t version) +{ + int i = 0; + + while(NULL != InfoElements[i].name) + { + config->infoElementTable[version][InfoElements[i].type] = &InfoElements[i]; + i++; + } +} + +/* Update the information elements table for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ + +static void InitGTPInfoElementTable(GTPConfig *config) +{ + + GTP_InfoElement *InfoElements; + + + InfoElements = GTPv0_InfoElements; + UpdateGTPInfoElementTable(config,InfoElements, 0); + + InfoElements = GTPv1_InfoElements; + UpdateGTPInfoElementTable(config,InfoElements, 1); + + InfoElements = GTPv2_InfoElements; + UpdateGTPInfoElementTable(config,InfoElements, 2); + +} + +/* Update the message types table for one GTP version. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * GTP_MsgType *: message types + * uint8_t: version number for message types + * + * RETURNS: Nothing. 
+ */ + +static void UpdateGTPMsgTypeTable(GTPConfig *config, GTP_MsgType *MsgTypes, uint8_t version) +{ + int i = 0; + + while(NULL != MsgTypes[i].name) + { + config->msgTypeTable[version][MsgTypes[i].type] = &MsgTypes[i]; + gtp_stats.msgTypeTable[version][MsgTypes[i].type] = &MsgTypes[i]; + i++; + } +} + +/* Update the message types table for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ + +static void InitGTPMsgTypeTable(GTPConfig *config) +{ + + GTP_MsgType *MsgTypes; + + + MsgTypes = GTPv0_MsgTypes; + UpdateGTPMsgTypeTable(config,MsgTypes, 0); + + MsgTypes = GTPv1_MsgTypes; + UpdateGTPMsgTypeTable(config,MsgTypes, 1); + + MsgTypes = GTPv2_MsgTypes; + UpdateGTPMsgTypeTable(config,MsgTypes, 2); + +} + +#ifdef DEBUG_MSGS +/* Display the message types for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ +static void DisplayMsgTypes(GTPConfig *config) +{ + int i, j; + + _dpd.logMsg(" Supported message types:\n"); + + for(i = 0; i < MAX_GTP_TYPE_CODE + 1; i++) + { + _dpd.logMsg("\t%3d ", i); + for (j = 0; j < MAX_GTP_VERSION_CODE + 1; j++) + { + if (config->msgTypeTable[j][i]) + { + _dpd.logMsg("%40s ", config->msgTypeTable[j][i]->name); + } + else + _dpd.logMsg("%40s ", "N/A"); + + } + _dpd.logMsg("\n"); + } +} +/* Display the information element for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. 
+ */ +static void DisplayInfoElements(GTPConfig *config) +{ + int i, j; + + _dpd.logMsg(" Supported information elements:\n"); + + for(i = 0; i < MAX_GTP_IE_CODE + 1; i++) + { + _dpd.logMsg("\t%3d ", i); + for (j = 0; j < MAX_GTP_VERSION_CODE + 1 ; j++) + { + if (config->infoElementTable[j][i]) + _dpd.logMsg(" %40s ", config->infoElementTable[j][i]->name); + else + _dpd.logMsg(" %40s ", "N/A"); + + } + _dpd.logMsg("\n"); + } +} +#endif + +/* Display the configuration for the GTP preprocessor. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * + * RETURNS: Nothing. + */ +static void DisplayGTPConfig(GTPConfig *config) +{ + int index; + int newline; + + if (config == NULL) + return; + + _dpd.logMsg("GTP config: \n"); + + /* Traverse list, printing ports, 5 per line */ + newline = 1; + _dpd.logMsg(" Ports:\n"); + for(index = 0; index < MAXPORTS; index++) + { + if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) + { + _dpd.logMsg("\t%d", index); + if ( !((newline++)% 5) ) + _dpd.logMsg("\n"); + } + } + _dpd.logMsg("\n"); + DEBUG_WRAP(DisplayMsgTypes(config)); + DEBUG_WRAP(DisplayInfoElements(config)); + +} + + +/******************************************************************** + * Function: GTP_ParsePortList() + * + * Parses a port list and adds bits associated with the ports + * parsed to a bit array. + * + * Arguments: + * char ** + * Pointer to the pointer to the current position in the + * configuration line. This is updated to the current position + * after parsing the IP list. + * uint8_t * + * Pointer to the port array mask to set bits for the ports + * parsed. + * + * Returns: + * GTP_Ret + * GTP_SUCCESS if we were able to successfully parse the + * port list. + * GTP_FAILURE if an error occured in parsing the port list. 
+ * + ********************************************************************/ +static void GTP_ParsePortList(char **ptr, uint8_t *port_array) +{ + long int port = -1; + char* cur_tokenp = *ptr; + /* If the user specified ports, remove GTP_C_PORT for now since + * it now needs to be set explicitly. */ + port_array[ PORT_INDEX( GTP_C_PORT ) ] = 0; + port_array[ PORT_INDEX( GTP_C_PORT_V0 ) ] = 0; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Port configurations: %s\n",*ptr );); + + /* Eat the open brace. */ + cur_tokenp = strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Port token: %s\n",cur_tokenp );); + + /* Check the space after '{'*/ + if (( !cur_tokenp ) || ( 0 != strncmp (cur_tokenp, "{", 2 ))) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, make sure space before and after '{'.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + + cur_tokenp = strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS); + while (( cur_tokenp ) && ( 0 != strncmp (cur_tokenp, "}", 2 ))) + { + char *endStr = NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Port token: %s\n",cur_tokenp );); + + if ( !cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No option to '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + + port = _dpd.SnortStrtol( cur_tokenp, &endStr, 10); + + if (*endStr) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_PORTS_KEYWORD, 1, MAXPORTS-1); + } + + if ((port < 0 || port > MAXPORTS-1) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_PORTS_KEYWORD, 1, MAXPORTS-1); + } + port_array[ PORT_INDEX( port ) ] |= CONV_PORT(port); + + cur_tokenp = strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS); + } + if ( NULL == cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, missing '}'.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + if ( -1 == port) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No ports specified.\n", + *(_dpd.config_file), *(_dpd.config_line), GTP_PORTS_KEYWORD); + } + *ptr = cur_tokenp; +} + +/* Parses and processes the configuration arguments + * supplied in the GTP preprocessor rule. + * + * PARAMETERS: + * + * GTPConfig *config: GTP preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: Nothing. + */ +void ParseGTPArgs(GTPConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + + if (NULL == config) + return; + + /* Set up default port to listen on */ + config->ports[ PORT_INDEX( GTP_C_PORT ) ] |= CONV_PORT(GTP_C_PORT); + config->ports[ PORT_INDEX( GTP_C_PORT_V0 ) ] |= CONV_PORT(GTP_C_PORT_V0); + + InitGTPInfoElementTable(config); + InitGTPMsgTypeTable(config); + + /* Sanity check(s) */ + if (NULL == argp) + { + DisplayGTPConfig(config); + return; + } + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse GTP options.\n"); + return; + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP configurations: %s\n",argcpyp );); + + cur_sectionp = strtok_r( argcpyp, GTP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Arguments token: %s\n",cur_sectionp );); + + while ( cur_sectionp ) + { + + char* cur_config; + char* cur_tokenp = strtok( cur_sectionp, GTP_CONFIG_VALUE_SEPERATORS); + + if (!cur_tokenp) + { + cur_sectionp = 
strtok_r( next_sectionp, GTP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + + cur_config = cur_tokenp; + + if ( !strcmp( cur_tokenp, GTP_PORTS_KEYWORD )) + { + GTP_ParsePortList(&cur_tokenp, config->ports); + + } + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + return; + } + /*Check whether too many parameters*/ + if (NULL != strtok( NULL, GTP_CONFIG_VALUE_SEPERATORS)) + { + DynamicPreprocessorFatalMessage("%s(%d) => To many arguments: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_config); + + } + cur_sectionp = strtok_r( next_sectionp, GTP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Arguments token: %s\n",cur_sectionp );); + } + + DisplayGTPConfig(config); + free(argcpyp); +} + +/* Search the message type information + * + * PARAMETERS: + * + * uint8_t: version number for the message type + * char* the message type name + * + * RETURNS: + * + * GTP_MsgType*: the message type, NULL if not found + */ + +GTP_MsgType* GetMsgTypeByName(uint8_t version, char *name) +{ + int i = 0; + GTP_MsgType *MsgTypes; + + switch (version) + { + case 0: + MsgTypes = GTPv0_MsgTypes; + break; + case 1: + MsgTypes = GTPv1_MsgTypes; + break; + case 2: + MsgTypes = GTPv2_MsgTypes; + break; + default: + return NULL; + } + + while(NULL != MsgTypes[i].name) + { + if ( MsgTypes[i].isKeyword + &&(strlen(MsgTypes[i].name) == strlen(name)) + && (0 == strncmp(MsgTypes[i].name, name, strlen(name)))) + return (&(MsgTypes[i])); + i++; + } + + return NULL; +} + + +/* Search the information element information + * + * PARAMETERS: + * + * uint8_t: version number for information elements + * char* the information element name + * + * RETURNS: + * + * GTP_InfoElement*: the information element, NULL if not found + */ +GTP_InfoElement* GetInfoElementByName(uint8_t version, char *name) +{ + int i = 0; + GTP_InfoElement *InfoElements; + + switch (version) + 
{ + case 0: + InfoElements = GTPv0_InfoElements; + break; + case 1: + InfoElements = GTPv1_InfoElements; + break; + case 2: + InfoElements = GTPv2_InfoElements; + break; + default: + return NULL; + } + + while(NULL != InfoElements[i].name) + { + if (InfoElements[i].isKeyword + && (strlen(InfoElements[i].name) == strlen(name)) + && (0 == strncmp(InfoElements[i].name, name, strlen(name)))) + return (&InfoElements[i]); + i++; + } + + return NULL; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_config.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_config.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_config.h 2011-10-26 11:28:52.000000000 -0700 
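Review bot: In GTP_ParsePortList the range check `if ((port < 0 || port > MAXPORTS-1) || (errno == ERANGE))` reads errno without clearing it before the `_dpd.SnortStrtol` call, so a stale ERANGE left by an earlier library call turns a valid port into a fatal configuration error, and it accepts port 0 although the message promises an integer between 1 and MAXPORTS-1; set `errno = 0;` immediately before the call and tighten the test to `if ((port < 1 || port > MAXPORTS-1) || (errno == ERANGE))` (assuming SnortStrtol propagates errno like strtol, which is not visible here). The header comment for GTP_ParsePortList documents a `GTP_Ret` return of GTP_SUCCESS/GTP_FAILURE, but the function is `void` and reports every error through DynamicPreprocessorFatalMessage, so the Returns section should say that instead. The message `"%s(%d) => To many arguments: %s\n"` in ParseGTPArgs should read `"%s(%d) => Too many arguments: %s\n"`. GetMsgTypeByName and GetInfoElementByName compare names with `strlen(a) == strlen(b) && 0 == strncmp(a, b, strlen(b))`, which is equivalent to `0 == strcmp(a, b)` and would read more clearly as such.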
@@ -0,0 +1,101 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 8/1/2011 - Initial implementation ... 
Hui Cao <hcao@sourcefire.com> + * + ****************************************************************************/ + +#ifndef _GTP_CONFIG_H_ +#define _GTP_CONFIG_H_ + +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "gtp_debug.h" + +#define GTP_NAME "gtp" + +#define MAX_GTP_TYPE_CODE (255) +#define MIN_GTP_TYPE_CODE (0) +#define MAX_GTP_IE_CODE (255) +#define MIN_GTP_IE_CODE (0) +#define MAX_GTP_VERSION_CODE (2) +#define MIN_GTP_VERSION_CODE (0) + +/* + * Message type + */ +typedef struct _GTP_MsgType +{ + uint8_t type; /* the message type*/ + uint8_t isKeyword; /*whether the name can be used as keyword*/ + char *name; /*name of the type*/ + +}GTP_MsgType; + + +/* + * Information elements + */ +typedef struct _GTP_InfoElement +{ + uint8_t type; /* the IE type*/ + uint8_t isKeyword; /*whether the name can be used as keyword*/ + char *name; /*name of the IE*/ + uint16_t length; /* the length of IE; if 0, means variable length*/ + +}GTP_InfoElement; + + +/* + * One of these structures is kept for each configured + * server port. + */ +typedef struct _gtpPortlistNode +{ + uint16_t server_port; + struct _gtpPortlistNode* nextp; +} GTPPortNode; + +/* + * GTP preprocessor configuration. 
+ * + * ports: Which ports to check for GTP messages + * infoElementTable: information elements table, for quick retrieve + * msgTypeTable: message type table, for quick retrieve + */ +typedef struct _gtpConfig +{ + + uint8_t ports[MAXPORTS/8]; + GTP_InfoElement* infoElementTable[MAX_GTP_VERSION_CODE + 1 ][MAX_GTP_IE_CODE + 1]; + GTP_MsgType *msgTypeTable[MAX_GTP_VERSION_CODE + 1][MAX_GTP_TYPE_CODE + 1]; + int ref_count; + +} GTPConfig; + +/******************************************************************** + * Public function prototypes + ********************************************************************/ +void ParseGTPArgs(GTPConfig *, u_char*); +GTP_MsgType* GetMsgTypeByName(uint8_t, char *); +GTP_InfoElement* GetInfoElementByName(uint8_t, char *); + +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_debug.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_debug.h --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_debug.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_debug.h 2011-10-26 11:28:52.000000000 -0700 
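Review bot: The public prototypes at the end of the header omit parameter names, so a reader of gtp_config.h cannot tell which `uint8_t` is the version or what the `u_char*` given to ParseGTPArgs is; `void ParseGTPArgs(GTPConfig *config, u_char *args);` and `GTP_MsgType* GetMsgTypeByName(uint8_t version, char *name);` would mirror the definitions in gtp_config.c. The `name` members of GTP_MsgType and GTP_InfoElement, and the `name` arguments of the two lookup functions, are only ever read (strlen/strncmp in GetMsgTypeByName and GetInfoElementByName), so `const char *` would document that and, presumably, let the static tables live in read-only storage. The comment block for GTPConfig should also say that `ports` is a bitmask of MAXPORTS bits rather than a list, e.g. ` * ports: bitmask of ports to check for GTP messages (one bit per port)`.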
@@ -0,0 +1,41 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides macros and functions for debugging the preprocessor. + * If Snort is not configured to do debugging, macros are empty. + * + * 8/17/2008 - Initial implementation ... 
Todd Wease <twease@sourcefire.com> + * + ****************************************************************************/ + +#ifndef _GTP_DEBUG_H_ +#define _GTP_DEBUG_H_ + +#include <stdio.h> +#include "snort_debug.h" + +/******************************************************************** + * Macros + ********************************************************************/ + +#define GTP_DEBUG__START_MSG "GTP Start ********************************************" +#define GTP_DEBUG__END_MSG "GTP End **********************************************" + +#endif /* _GTP_DEBUG_H_ */ + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_parser.c snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.c --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_parser.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.c 2011-11-21 12:15:24.000000000 -0800 
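Review bot: The file header's attribution `8/17/2008 - Initial implementation ... Todd Wease` predates the 2011 copyright line above it and the 2011 dates on every other new gtp file, so it appears to have been carried over from another preprocessor's debug header rather than describing this one. It should name this file's author and date, consistent with gtp_config.h and gtp_parser.c, or be dropped. The description "Provides macros and functions for debugging the preprocessor" is also broader than what is declared: the header defines only the two message-string macros GTP_DEBUG__START_MSG and GTP_DEBUG__END_MSG, so ` * Debug message markers for the GTP preprocessor.` would be accurate.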
@@ -0,0 +1,576 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 7/17/2011 - Initial implementation ... 
Hui Cao <hcao@sourcefire.com> + * + ****************************************************************************/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifndef HAVE_PARSER_H +#include <ctype.h> +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "gtp_parser.h" +#include "spp_gtp.h" +#include "gtp_config.h" + + +#ifdef WIN32 +#pragma pack(push,gtp_hdrs,1) +#else +#pragma pack(1) +#endif + +/* GTP basic Header */ +typedef struct _GTP_C_Hdr +{ + uint8_t flag; /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */ + uint8_t type; /* message type */ + uint16_t length; /* length */ + +} GTP_C_Hdr; + + +typedef struct _GTP_C_Hdr_v0 +{ + GTP_C_Hdr hdr; + uint16_t sequence_num; + uint16_t flow_lable; + uint64_t tid; + +} GTP_C_Hdr_v0; + +/* GTP Information element Header */ +typedef struct _GTP_IE_Hdr +{ + uint8_t type; + uint16_t length; /* length */ + +} GTP_IE_Hdr; + + +#ifdef WIN32 +#pragma pack(pop,gtp_hdrs) +#else +#pragma pack() +#endif + +/* This table stores all the information elements in a packet + * To save memory, only one table for all packets, because we inspect + * one packet at a time + * The information in the table might from previous packet, + * use msg_id to find out whether the information is current. 
+ * */ +GTP_IEData gtp_ies[MAX_GTP_IE_CODE + 1]; + +#define GTP_HEADER_LEN_V0 (20) +#define GTP_HEADER_LEN_V1 (12) +#define GTP_HEADER_LEN_V2 (8) +#define GTP_HEADER_LEN_EPC_V2 (12) +#define GTP_LENGTH_OFFSET_V0 (GTP_HEADER_LEN_V0) +#define GTP_LENGTH_OFFSET_V1 (8) +#define GTP_LENGTH_OFFSET_V2 (4) + +#define GTP_MIN_HEADER_LEN (8) + +static int gtp_processInfoElements(GTPMsg *msg, const char *, uint16_t ); + +/*Because different GTP versions have different format, + * they are processed separately*/ +static int gtp_parse_v0(GTPMsg *msg, const char *,uint16_t ); +static int gtp_parse_v1(GTPMsg *msg, const char *, uint16_t ); +static int gtp_parse_v2(GTPMsg *msg, const char *, uint16_t ); + +#ifdef DEBUG_MSGS +/*Display the content*/ +static void convertToHex( char *output, int outputSize, const char *input, int inputSize) +{ + int i = 0; + int length; + int numBytesInLine = 0; + int totalBytes = outputSize; + char *buf_ptr = output; + + while ((i < inputSize)&&(totalBytes > 0)) + { + length = snprintf(buf_ptr, totalBytes, "%.2x ", (uint8_t)input[i]); + buf_ptr += length; + totalBytes -= length; + if (totalBytes < 0) + break; + numBytesInLine += length; + + if (numBytesInLine > 80) + { + snprintf(buf_ptr++, totalBytes, "\n"); + totalBytes--; + numBytesInLine = 0; + } + i++; + } + return; +} +/* Display the information elements*/ +static void printInfoElements(GTP_IEData *info_elements, GTPMsg *msg) +{ + int i ; + + for (i=0; i < MAX_GTP_IE_CODE + 1; i++) + { + char buf[STD_BUF]; + if (info_elements[i].msg_id == msg->msg_id) + { + convertToHex( (char *)buf, sizeof(buf), + msg->gtp_header + info_elements[i].shift, info_elements[i].length); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Info type: %.3d, content: %s\n", i, buf);); + } + } +} +#endif + + +/******************************************************************** + * Function: gtp_processInfoElements() + * + * Process information elements + * + * Arguments: + * GTPMsg *: the GTP message + * + * char * + * Pointer to 
the current position in the GTP message. + * + * uint8_t * + * Pointer to the port array mask to set bits for the ports + * parsed. + * + * Returns: + * GTP_Ret + * GTP_SUCCESS if we were able to successfully parse the + * port list. + * GTP_FAILURE if an error occured in parsing the port list. + * + ********************************************************************/ +static int gtp_processInfoElements(GTPMsg *msg, const char *buff, uint16_t len ) +{ + char *start; + uint8_t type; + int32_t unprocessed_len; + uint8_t previous_type; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Information elements: length: %d\n", + len);); + + start = (char *)buff; + previous_type = (uint8_t) *start; + unprocessed_len = len; + + while ( unprocessed_len > 0) + { + GTP_InfoElement* ie; + uint16_t length; + + type = *start; + + if(previous_type > type) + { + ALERT(GTP_EVENT_OUT_OF_ORDER_IE,GTP_EVENT_OUT_OF_ORDER_IE_STR); + } + + ie = gtp_eval_config->infoElementTable[msg->version][type]; + + if ( NULL == ie ) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported Information elements!\n");); + gtp_stats.unknownIEs++; + return GTP_FAILURE; + } + + /*For fixed length, use the table*/ + if (ie->length) + { + length = ie->length; + } + else /*For variable length, use the length field*/ + { + GTP_IE_Hdr *ieHdr; + /*check the length before reading*/ + if (sizeof(*ieHdr) > (unsigned) unprocessed_len) + { + ALERT(GTP_EVENT_BAD_IE_LEN,GTP_EVENT_BAD_IE_LEN_STR); + return GTP_FAILURE; + } + ieHdr = (GTP_IE_Hdr *)start; + length = ntohs(ieHdr->length); + /*Check the length */ + if (length > UINT16_MAX - GTP_MIN_HEADER_LEN - sizeof(*ieHdr)) + { + ALERT(GTP_EVENT_BAD_IE_LEN,GTP_EVENT_BAD_IE_LEN_STR); + return GTP_FAILURE; + } + + if (msg->version == 2) + length += 4; + else + length += 3; + } + + if (length > unprocessed_len ) + { + ALERT(GTP_EVENT_BAD_IE_LEN,GTP_EVENT_BAD_IE_LEN_STR); + return GTP_FAILURE; + + } + + /*Combine the same information element type into one buffer*/ + if ((previous_type == 
type) && (msg->info_elements[type].msg_id == msg->msg_id)) + { + msg->info_elements[type].length += length; + } + else + { + msg->info_elements[type].length = length; + msg->info_elements[type].shift = start - msg->gtp_header; + msg->info_elements[type].msg_id = msg->msg_id; + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP information element: %s(%d), length: %d\n", + ie->name, ie->type, length)); + start += length; + unprocessed_len -= length; + previous_type = type; + + } + DEBUG_WRAP(printInfoElements(msg->info_elements, msg);); + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse_v0() + * + * process the GTP v0 message. + * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + * Bits + *Octets 8 7 6 5 4 3 2 1 + *1 Version PT 1 1 1 SNN + *2 Message Type + *3-4 Length + *5-6 Sequence Number + *7-8 Flow Label + *9 SNDCP N-PDULLC Number + *10 Spare ‘ 1 1 1 1 1 1 1 1 ‘ + *11 Spare ‘ 1 1 1 1 1 1 1 1 ‘ + *12 Spare ‘ 1 1 1 1 1 1 1 1 ‘ + *13-20 TID + * + ********************************************************************/ + +static int gtp_parse_v0(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + GTP_C_Hdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "This is a GTP v0 packet.\n");); + + hdr = (GTP_C_Hdr *) buff; + + msg->header_len = GTP_HEADER_LEN_V0; + + /*Check the length field. */ + if (gtp_len != ((unsigned int)ntohs(hdr->length) + GTP_LENGTH_OFFSET_V0)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Calculated length %d != %d in header.\n", + gtp_len - GTP_LENGTH_OFFSET_V0, ntohs(hdr->length));); + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse_v1() + * + * process the GTP v1 message. 
+ * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + * + * Octets 8 7 6 5 4 3 2 1 + * 1 Version PT (*) E S PN + * 2 Message Type + * 3 Length (1st Octet) + * 4 Length (2nd Octet) + * 5 Tunnel Endpoint Identifier (1st Octet) + * 6 Tunnel Endpoint Identifier (2nd Octet) + * 7 Tunnel Endpoint Identifier (3rd Octet) + * 8 Tunnel Endpoint Identifier (4th Octet) + * 9 Sequence Number (1st Octet) + * 10 Sequence Number (2nd Octet) + * 11 N-PDU Number + * 12 Next Extension Header Type + ********************************************************************/ +static int gtp_parse_v1(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + uint8_t next_hdr_type; + GTP_C_Hdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "This ia a GTP v1 packet.\n");); + + hdr = (GTP_C_Hdr *) buff; + + /*Check the length based on optional fields and extension header*/ + if (hdr->flag & 0x07) + { + + msg->header_len = GTP_HEADER_LEN_V1; + /*Check optional fields*/ + if (gtp_len < msg->header_len) + { + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + next_hdr_type = *(buff + msg->header_len - 1); + + /*Check extension headers*/ + while (next_hdr_type) + { + /*check length before reading data, at lease 4 bytes per extension header*/ + if (gtp_len < msg->header_len + 4) + { + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + /*Extension header length is a unit of 4 octets*/ + msg->header_len += *(buff + msg->header_len) * 4; + + /*check length before reading data*/ + if (gtp_len < msg->header_len) + { + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + next_hdr_type = *(buff + msg->header_len - 1); + } + } + else + msg->header_len = GTP_HEADER_LEN_V1; + + /*Check the length field. 
*/ + if (gtp_len != ((unsigned int)ntohs(hdr->length) + GTP_LENGTH_OFFSET_V1)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Calculated length %d != %d in header.\n", + gtp_len - GTP_LENGTH_OFFSET_V1, ntohs(hdr->length));); + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse_v2() + * + * process the GTP v2 message. + * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + * + *Octets 8 7 6 5 4 3 2 1 + *1 Version P T Spare Spare Spare + *2 Message Type + *3 Message Length (1st Octet) + *4 Message Length (2nd Octet) + *m to k(m+3) If T flag is set to 1, then TEID shall be placed into octets 5-8. + * Otherwise, TEID field is not present at all. + *n to (n+2) Sequence Number + *(n+3) Spare + ********************************************************************/ +static int gtp_parse_v2(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + + GTP_C_Hdr *hdr; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "This ia a GTP v2 packet.\n");); + + hdr = (GTP_C_Hdr *) buff; + + if (hdr->flag & 0x8) + msg->header_len = GTP_HEADER_LEN_EPC_V2; + else + msg->header_len = GTP_HEADER_LEN_V2; + + /*Check the length field. */ + if (gtp_len != ((unsigned int)ntohs(hdr->length) + GTP_LENGTH_OFFSET_V2)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Calculated length %d != %d in header.\n", + gtp_len - GTP_LENGTH_OFFSET_V2, ntohs(hdr->length));); + ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR); + return GTP_FAILURE; + } + + return GTP_SUCCESS; +} + +/******************************************************************** + * Function: gtp_parse() + * + * The main entry for parser: process the gtp messages. 
+ * + * Arguments: + * GTPMsg * - gtp message + * char* buff - start of the gtp message buffer + * uint16_t - length of the message + * + * Returns: + * GTP_FAILURE + * GTP_SUCCESS + ********************************************************************/ +int gtp_parse(GTPMsg *msg, const char *buff, uint16_t gtp_len) +{ + + int status; + GTP_C_Hdr *hdr; + GTP_MsgType *msgType; + + /*Initialize key values*/ + + status = GTP_SUCCESS; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Start parsing...\n")); + + hdr = (GTP_C_Hdr *) buff; + + /*Check the length*/ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Basic header length: %d\n", GTP_MIN_HEADER_LEN)); + if (gtp_len < GTP_MIN_HEADER_LEN) + return GTP_FAILURE; + + /*The first 3 bits are version number*/ + msg->version = (hdr->flag & 0xE0) >> 5; + msg->msg_type = hdr->type; + msg->gtp_header = (char *)buff; + + if (msg->version > MAX_GTP_VERSION_CODE) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported GTP version: %d!\n",msg->version);); + return GTP_FAILURE; + } + /*Check whether this is GTP or GTP', Exit if GTP'*/ + if (!(hdr->flag & 0x10)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported GTP'!\n");); + return GTP_FAILURE; + } + + msgType = gtp_eval_config->msgTypeTable[msg->version][msg->msg_type]; + + if ( NULL == msgType ) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unsupported GTP message type: %d!\n",msg->msg_type);); + gtp_stats.unknownTypes++; + return GTP_FAILURE; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP version: %d, message type: %s(%d)\n", + msg->version, msgType->name, msg->msg_type)); + } + + gtp_stats.messages[msg->version][msg->msg_type]++; + /* We only care about control types*/ + if ( hdr->type == 255) + return GTP_FAILURE; + + switch (msg->version) + { + case 0: /*GTP v0*/ + + status = gtp_parse_v0(msg, buff, gtp_len); + break; + case 1: /*GTP v1*/ + + status = gtp_parse_v1(msg, buff, gtp_len); + break; + + case 2:/*GTP v2 */ + status = gtp_parse_v2(msg, buff, gtp_len); + + break; + default: + 
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unknown protocol version.\n");); + return GTP_FAILURE; + + } + + /*Parse information elements*/ + if ((msg->header_len < gtp_len)&& (GTP_SUCCESS == status)) + { + msg->info_elements = gtp_ies; + buff += msg->header_len; + status = gtp_processInfoElements(msg, buff, (uint16_t)(gtp_len - msg->header_len)); + } + return status; +} +/******************************************************************** + * Function: gtp_cleanInfoElements() + * + * Clean up the shared information elements table + * + * Arguments: + * None + * + * Returns: + * None + ********************************************************************/ + +void gtp_cleanInfoElements(void) +{ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Cleaned total bytes %d, length %d.\n", + (MAX_GTP_IE_CODE + 1) * sizeof(GTP_IEData), sizeof(gtp_ies));); + memset(gtp_ies, 0, sizeof(gtp_ies)); +} +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_parser.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.h --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_parser.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_parser.h 2011-10-26 11:28:52.000000000 -0700 
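Review bot: The extension-header loop in gtp_parse_v1 never terminates on a packet whose extension-header length byte is 0: `msg->header_len += *(buff + msg->header_len) * 4;` leaves header_len unchanged, the following `next_hdr_type = *(buff + msg->header_len - 1);` re-reads the same non-zero byte, and both length guards pass again, so a single crafted UDP datagram on a configured port pins the inspecting thread. The length byte is also read through `const char *buff`, so on targets where char is signed a value of 0x80 or above is multiplied as a negative number; read it through `uint8_t` before the multiply. Rejecting a zero length with GTP_EVENT_BAD_MSG_LEN, as below, closes both issues. Note that the v1 header with no S/E/PN flag set is also assigned GTP_HEADER_LEN_V1 (12) in the else branch; if the optional fields are absent in that case, as the comment above the struct suggests, the information elements would be parsed four bytes late — worth confirming against the spec.
```c
        while (next_hdr_type)
        {
            uint8_t ext_hdr_len;
            /* … unchanged: gtp_len < msg->header_len + 4 check … */
            /* Extension header length is in units of 4 octets; a zero
             * length would leave header_len where it is and re-read the
             * same next-header byte forever, so treat it as a bad length. */
            ext_hdr_len = (uint8_t)*(buff + msg->header_len);
            if (ext_hdr_len == 0)
            {
                ALERT(GTP_EVENT_BAD_MSG_LEN,GTP_EVENT_BAD_MSG_LEN_STR);
                return GTP_FAILURE;
            }
            msg->header_len += ext_hdr_len * 4;
            /* … unchanged: trailing gtp_len < msg->header_len check and next_hdr_type read … */
        }
```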
@@ -0,0 +1,36 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef _GTP_PARSER_H_
+#define _GTP_PARSE_H_
+
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "gtp_debug.h"
+#include "spp_gtp.h"
+
+int gtp_parse(GTPMsg *, const char *, uint16_t);
+void gtp_cleanInfoElements(void);
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_roptions.c snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.c
--- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_roptions.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.c 2011-11-21 12:15:24.000000000 -0800
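Review bot: The include guard in gtp_parser.h does not guard: the header tests `#ifndef _GTP_PARSER_H_` but then defines `#define _GTP_PARSE_H_`, so the macro being checked is never set and every repeated inclusion re-emits the prototypes; change the define to `#define _GTP_PARSER_H_`. The header comment also says the file "Provides convenience functions for parsing and querying configuration", which describes gtp_config.h, not the two message-parser entry points declared here; ` * Entry points of the GTP message parser (see gtp_parser.c).` would match the contents. Identifiers beginning with an underscore and an uppercase letter are reserved for the implementation, so a guard such as `GTP_PARSER_H` would be the conventional choice, though the other new headers follow the same reserved-name pattern.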
@@ -0,0 +1,540 @@ +/**************************************************************************** + * Copyright (C) 20011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * This processes the rule options for this preprocessor + * + * Author: Hui Cao + * Date: 07-25-2011 + ****************************************************************************/ + +#include <errno.h> +#include <string.h> +#include <stdarg.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "gtp_roptions.h" +#include "spp_gtp.h" +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "stream_api.h" +#include "sf_dynamic_engine.h" +#include "sf_snort_plugin_api.h" +#include "sfhashfcn.h" +#include "profiler.h" +#include "gtp_debug.h" +#include "gtp_config.h" +#include "treenodes.h" + +#define GTP_ROPT__TYPE "gtp_type" +#define GTP_ROPT__IE "gtp_info" +#define GTP_ROPT__VERSION "gtp_version" + +#define GTP_VERSION_0_FLAG (0x01) +#define GTP_VERSION_1_FLAG (0x02) +#define GTP_VERSION_2_FLAG (0x04) + +#define GTP_VERSION_ALL_FLAG (GTP_VERSION_0_FLAG|GTP_VERSION_1_FLAG|GTP_VERSION_2_FLAG) + 
+/******************************************************************** + * Private function prototypes + ********************************************************************/ +static int GTP_TypeInit(char *, char *, void **); +static int GTP_TypeEval(void *, const uint8_t **, void *); +static int GTP_IEInit(char *, char *, void **); +static int GTP_IEEval(void *, const uint8_t **, void *); +static int GTP_VersionInit(char *, char *, void **); +static int GTP_VersionEval(void *, const uint8_t **, void *); + +static inline int GTP_RoptDoEval(SFSnortPacket *p) +{ + if ((p->payload_size == 0) || + (p->stream_session_ptr == NULL) || + (!IsUDP(p))) + { + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "No payload or no " + "session pointer or not TCP or UDP - not evaluating.\n")); + return 0; + } + + return 1; +} + +/*gtp type can be numbers*/ +static bool GTP_AddTypeByNumer(GTP_TypeRuleOptData *sdata, char *tok) +{ + char *endStr = NULL; + unsigned long gtpType; + + gtpType = _dpd.SnortStrtoul(tok, &endStr, 10); + + if ( *endStr) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE); + } + + if ((gtpType > MAX_GTP_TYPE_CODE) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE); + } + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule GTP type: %d.\n",gtpType)); + + sdata->types[gtpType] = GTP_VERSION_ALL_FLAG; + + return true; +} + +/*gtp type can be names*/ +static bool GTP_AddTypeByKeword(GTP_TypeRuleOptData *sdata, char *name) +{ + GTP_MsgType *msgType; + int i; + bool found = false; + + for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++) + { + if (NULL != (msgType = GetMsgTypeByName((uint8_t)i, name))) + { + sdata->types[msgType->type] |= 1 << i; + found = true; + } + } + return found; +} + +/* Parsing for the rule option */ +static int GTP_TypeInit(char *name, char *params, void **data) +{ + char *nextPara = NULL; + char *tok; + GTP_TypeRuleOptData *sdata; + + if (strcasecmp(name, GTP_ROPT__TYPE) != 0) + return 0; + + /* Must have arguments */ + if (_dpd.SnortIsStrEmpty(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to gtp_type keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + tok = strtok_r(params, ",", &nextPara); + + if(!tok) + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to gtp_type keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + + sdata = (GTP_TypeRuleOptData *)calloc(1, sizeof(*sdata)); + + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "gtp preprocessor rule option.\n"); + } + + while (NULL != tok) + { + + bool found; + + if ( isdigit(*tok)) + { + found = GTP_AddTypeByNumer(sdata, tok); + + } + else /*check keyword*/ + { + found = GTP_AddTypeByKeword(sdata, tok); + + } + + if (! found ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. 
" + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE); + + } + tok = strtok_r(NULL, ", ", &nextPara); + } + + *data = (void *)sdata; + return 1; + +} + +/* Rule option evaluation */ +static int GTP_TypeEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + GTPData *sd; + GTP_Roptions *ropts; + GTP_TypeRuleOptData *sdata = (GTP_TypeRuleOptData *)data; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Evaluating \"%s\" rule option.\n", GTP_ROPT__TYPE)); + + if (!GTP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (GTPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_GTP); + + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "GTP type in packet: %d \n", ropts->gtp_type)); + + /*Match the GTP type*/ + if ((1 << ropts->gtp_version) & sdata->types[ropts->gtp_type]) + return RULE_MATCH; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule No Match\n")); + return RULE_NOMATCH; +} + +/*gtp information element can be number*/ +static bool GTP_AddInfoElementByNumer(GTP_InfoRuleOptData *sdata, char *tok) +{ + char *end = NULL; + unsigned long gtpIE; + int i; + + gtpIE = _dpd.SnortStrtoul(tok, &end, 10); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, + "Rule GTP information element: %d.\n",gtpIE)); + + if ( *end) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d, OR a correct name.\n", + *(_dpd.config_file), *(_dpd.config_line), + GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE); + } + + if ((gtpIE > MAX_GTP_IE_CODE) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage("%s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %d and %d,"
+ "OR a correct name.\n ",
+ *(_dpd.config_file), *(_dpd.config_line),
+ GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE);
+ }
+
+
+ for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++)
+ {
+ sdata->types[i] = (uint8_t)gtpIE;
+ }
+
+ return true;
+
+}
+
+/*gtp information element can be name*/
+static bool GTP_AddInfoElementByKeyword(GTP_InfoRuleOptData *sdata, char *name)
+{
+
+ int i;
+ bool found = false;
+ GTP_InfoElement* infoElement;
+
+ for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++)
+ {
+ if (NULL != (infoElement = GetInfoElementByName((uint8_t)i, name)))
+ {
+ sdata->types[i] = infoElement->type;
+ found = true;
+ }
+ }
+ return found;
+}
+
+/* Parsing for the rule option */
+static int GTP_IEInit(char *name, char *params, void **data)
+{
+ char *nextPara = NULL;
+ char *tok;
+ GTP_InfoRuleOptData *sdata;
+ bool found = false;
+
+
+ if (strcasecmp(name, GTP_ROPT__IE) != 0)
+ return 0;
+
+ /* Must have arguments */
+ if (_dpd.SnortIsStrEmpty(params))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n",
+ *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__IE);
+ }
+
+ tok = strtok_r(params, ",", &nextPara);
+
+ if(!tok)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n",
+ *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__IE);
+ }
+ sdata = (GTP_InfoRuleOptData *)calloc(1, sizeof(*sdata));
+
+ if (sdata == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate memory for the "
+ "gtp preprocessor rule option.\n");
+ }
+
+ if ( isdigit(*tok))
+ {
+ found = GTP_AddInfoElementByNumer(sdata, tok);
+
+ }
+ else
+ {
+ found = GTP_AddInfoElementByKeyword(sdata, tok);
+
+ }
+
+ if (! found )
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. "
+ "Please specify an integer between %d and %d, OR a correct name.\n",
+ *(_dpd.config_file), *(_dpd.config_line),
+ GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE);
+
+ }
+
+
+ if (!_dpd.SnortIsStrEmpty(nextPara))
+ {
+ /* Must have only 1 argument*/
+ DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has no arguments.\n",
+ GTP_ROPT__IE, *(_dpd.config_file), *(_dpd.config_line));
+
+ }
+
+ *data = (void *)sdata;
+ return 1;
+
+}
+
+/* Rule option evaluation */
+static int GTP_IEEval(void *pkt, const uint8_t **cursor, void *data)
+{
+ SFSnortPacket *p = (SFSnortPacket *)pkt;
+ GTPData *sd;
+ GTP_Roptions *ropts;
+ GTP_InfoRuleOptData *ie;
+ uint8_t ieType;
+ GTP_IEData *ieData;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "Evaluating \"%s\" rule option.\n", GTP_ROPT__IE));
+
+ if (!GTP_RoptDoEval(p))
+ return RULE_NOMATCH;
+
+ sd = (GTPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_GTP);
+
+ if (sd == NULL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "No session data - not evaluating.\n"));
+ return RULE_NOMATCH;
+ }
+
+ ropts = &sd->ropts;
+
+ if (NULL == ropts->gtp_infoElements)
+ return RULE_NOMATCH;
+
+ /*Match the status code*/
+ ie = (GTP_InfoRuleOptData *)data;
+ ieType = ie->types[ropts->gtp_version];
+ if (!ieType)
+ {
+ return RULE_NOMATCH;
+ }
+
+ ieData = &ropts->gtp_infoElements[ieType];
+
+ /*if the data is up to date*/
+ if (ieData->msg_id == ropts->msg_id)
+ {
+ *cursor = ieData->shift + (uint8_t *)ropts->gtp_header;
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "Setting cursor to IE data: %p.\n", *cursor));
+ /*Limit the length*/
+ _dpd.SetAltDetect((uint8_t *)*cursor, ieData->length);
+ return RULE_MATCH;
+ }
+
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "Rule No Match\n"));
+ return RULE_NOMATCH;
+}
+
+/* Parsing for the rule option */
+static int GTP_VersionInit(char *name, char *params, void **data)
+{
+ char *end = NULL;
+ char *nextPara = NULL;
+ char *tok;
+ uint8_t *sdata;
+ unsigned long gtpVersion;
+
+ if (strcasecmp(name, GTP_ROPT__VERSION) != 0)
+ return 0;
+
+ /* Must have arguments */
+ if (_dpd.SnortIsStrEmpty(params))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n",
+ *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__VERSION);
+ }
+
+ tok = strtok_r(params, ",", &nextPara);
+
+ if(!tok)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => missing argument to %s keyword\n",
+ *(_dpd.config_file), *(_dpd.config_line), GTP_ROPT__VERSION);
+ }
+
+ sdata = (uint8_t *)calloc(1, sizeof(*sdata));
+
+ if (sdata == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate memory for the "
+ "gtp preprocessor rule option.\n");
+ }
+
+
+ gtpVersion = _dpd.SnortStrtoul(tok, &end, 10);
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "Rule GTP version: %d.\n",gtpVersion));
+ if ( *end)
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. "
+ "Please specify an integer between %d and %d.\n",
+ *(_dpd.config_file), *(_dpd.config_line),
+ GTP_ROPT__VERSION, MIN_GTP_VERSION_CODE, MAX_GTP_VERSION_CODE);
+ }
+ if ((gtpVersion > MAX_GTP_VERSION_CODE) || (errno == ERANGE))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => Value specified for %s is out of "
+ "bounds. Please specify an integer between %d and %d\n ",
+ *(_dpd.config_file), *(_dpd.config_line),
+ GTP_ROPT__VERSION, MIN_GTP_VERSION_CODE, MAX_GTP_VERSION_CODE);
+ }
+ *sdata = (uint8_t) gtpVersion;
+
+ if (!_dpd.SnortIsStrEmpty(nextPara))
+ {
+ /* Must have only 1 argument*/
+ DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has only one argument.\n",
+ GTP_ROPT__IE, *(_dpd.config_file), *(_dpd.config_line));
+
+ }
+
+ *data = (void *)sdata;
+ return 1;
+
+}
+
+/* Rule option evaluation */
+static int GTP_VersionEval(void *pkt, const uint8_t **cursor, void *data)
+{
+ SFSnortPacket *p = (SFSnortPacket *)pkt;
+ GTPData *sd;
+ GTP_Roptions *ropts;
+
+ uint8_t version = *((uint8_t *)data);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "Evaluating \"%s\" rule option.\n", GTP_ROPT__VERSION));
+
+ if (!GTP_RoptDoEval(p))
+ return RULE_NOMATCH;
+
+ sd = (GTPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_GTP);
+
+ if (sd == NULL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "No session data - not evaluating.\n"));
+ return RULE_NOMATCH;
+ }
+
+ ropts = &sd->ropts;
+
+ /*Match the status code*/
+
+ if (version == ropts->gtp_version)
+ {
+ return RULE_MATCH;
+ }
+
+ DEBUG_WRAP(DebugMessage(DEBUG_GTP,
+ "Rule No Match\n"));
+ return RULE_NOMATCH;
+}
+
+/********************************************************************
+ * Function: GTP_RegRuleOptions
+ *
+ * Purpose: Register rule options
+ *
+ * Arguments: void
+ *
+ * Returns: void
+ *
+ ********************************************************************/
+void GTP_RegRuleOptions(void)
+{
+ _dpd.preprocOptRegister(GTP_ROPT__TYPE, GTP_TypeInit, GTP_TypeEval,
+ free, NULL, NULL, NULL, NULL);
+ _dpd.preprocOptRegister(GTP_ROPT__IE, GTP_IEInit, GTP_IEEval,
+ free, NULL, NULL, NULL, NULL);
+ _dpd.preprocOptRegister(GTP_ROPT__VERSION, GTP_VersionInit, GTP_VersionEval,
+ free, NULL, NULL, NULL, NULL);
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_roptions.h snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.h
--- snort-2.9.0.1/src/dynamic-preprocessors/gtp/gtp_roptions.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/gtp_roptions.h 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,86 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * This processes the rule options for this preprocessor
+ *
+ * Author: Hui Cao
+ * Date: 07-25-2011
+ ****************************************************************************/
+
+#ifndef _GTP_ROPTIONS_H_
+#define _GTP_ROPTIONS_H_
+
+#include "gtp_config.h"
+
+
+
+/********************************************************************
+ * Structures
+ ********************************************************************/
+typedef struct _GTP_IEData
+{
+ uint16_t length; /*length of the data*/
+ uint16_t shift; /*shift relative to the header*/
+ uint32_t msg_id; /* used to associate to current msg */
+
+}GTP_IEData;
+
+typedef struct _GTP_Roptions
+{
+
+ /* gtp_type data*/
+ uint8_t gtp_type;
+ /* gtp_version data*/
+ uint8_t gtp_version;
+ char *gtp_header;
+ uint32_t msg_id; /* used to associate to current msg */
+ /* gtp ie data */
+ GTP_IEData *gtp_infoElements;
+
+} GTP_Roptions;
+
+/*For every value types[i], the bit mask show the version to be applied
+ * bit 1 is for version 0,
+ * bit 2 is for version 1,
+ * bit 3 is for version 2
+ * */
+typedef struct _GTP_TypeRuleOptData
+{
+ /*Total 256 types*/
+ uint8_t types[MAX_GTP_TYPE_CODE + 1];
+} GTP_TypeRuleOptData;
+
+/*
+ * byte 0 is for version 0,
+ * byte 1 is for version 1,
+ * byte 2 is for version 2
+ * */
+typedef struct _GTP_InfoRuleOptData
+{
+ uint8_t types[MAX_GTP_VERSION_CODE + 1];
+} GTP_InfoRuleOptData;
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void GTP_RegRuleOptions(void);
+
+
+#endif /* _GTP_ROPTIONS_H_ */
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/Makefile.am snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/gtp/Makefile.am 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.am 2011-10-26 11:28:52.000000000 -0700
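Review bot: `GTP_Roptions.gtp_infoElements` is declared as a bare `GTP_IEData *` with no statement of how many entries it holds, yet `GTP_IEEval` in gtp_roptions.c reads `ropts->gtp_infoElements[ieType]` with an unchecked `uint8_t` index and then feeds `ieData->shift` and `ieData->length` to the detection engine as the cursor and alt-detect length. The size contract therefore lives entirely in whichever code allocates and fills the array (not in this diff), so a reader of this header cannot tell whether that lookup stays in bounds. A comment on the field would pin it down, e.g. `GTP_IEData *gtp_infoElements; /* indexed by IE type as stored in GTP_InfoRuleOptData.types[]; the allocator must provide an entry for every value that can land there */`. The same applies to `gtp_version`, which `GTP_IEEval` uses to index `GTP_InfoRuleOptData.types[MAX_GTP_VERSION_CODE + 1]`, so its comment should state that the parser never stores a value above MAX_GTP_VERSION_CODE. The bit-mask comment above `GTP_TypeRuleOptData` numbers bits 1..3 for versions 0..2; writing it as bit 0/1/2 (i.e. `1 << version`) would remove the ambiguity.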
@@ -0,0 +1,35 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_gtp_preproc.la
+
+libsf_gtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_gtp_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_gtp_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_gtp_preproc_la_SOURCES = \
+spp_gtp.c \
+spp_gtp.h \
+gtp_config.c \
+gtp_config.h \
+gtp_parser.c \
+gtp_parser.h \
+gtp_roptions.c \
+gtp_roptions.h \
+gtp_debug.h
+
+EXTRA_DIST = \
+sf_gtp.dsp
+
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/Makefile.in snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.in
--- snort-2.9.0.1/src/dynamic-preprocessors/gtp/Makefile.in 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/gtp/Makefile.in 2011-12-07 11:23:19.000000000 -0800
@@ -0,0 +1,556 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/gtp +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_gtp_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_gtp_preproc_la_OBJECTS = spp_gtp.lo gtp_config.lo \ + gtp_parser.lo gtp_roptions.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_gtp_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_gtp_preproc_la_OBJECTS = $(am_libsf_gtp_preproc_la_OBJECTS) \ + $(nodist_libsf_gtp_preproc_la_OBJECTS) +libsf_gtp_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_gtp_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = 
$(libsf_gtp_preproc_la_SOURCES) \ + $(nodist_libsf_gtp_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_gtp_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = 
@RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_gtp_preproc.la +libsf_gtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_gtp_preproc_la_LIBADD = 
../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_gtp_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_gtp_preproc_la_SOURCES = \ +spp_gtp.c \ +spp_gtp.h \ +gtp_config.c \ +gtp_config.h \ +gtp_parser.c \ +gtp_parser.h \ +gtp_roptions.c \ +gtp_roptions.h \ +gtp_debug.h + +EXTRA_DIST = \ +sf_gtp.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/gtp/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/gtp/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_gtp_preproc.la: $(libsf_gtp_preproc_la_OBJECTS) $(libsf_gtp_preproc_la_DEPENDENCIES) + $(libsf_gtp_preproc_la_LINK) -rpath $(libdir) $(libsf_gtp_preproc_la_OBJECTS) $(libsf_gtp_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test 
-n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/sf_gtp.dsp snort-2.9.2/src/dynamic-preprocessors/gtp/sf_gtp.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/sf_gtp.dsp 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/sf_gtp.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,231 @@ +# Microsoft Developer Studio Project File - Name="sf_gtp" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_gtp - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_gtp.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_gtp.mak" CFG="sf_gtp - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_gtp - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_gtp - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_gtp - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_gtp - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_gtp - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_gtp - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 
/d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_gtp - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_gtp___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_gtp___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_gtp - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_gtp___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_gtp___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll 
/machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_gtp - Win32 Release" +# Name "sf_gtp - Win32 Debug" +# Name "sf_gtp - Win32 IPv6 Debug" +# Name "sf_gtp - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\gtp_config.c +# End Source File +# Begin Source File + +SOURCE=.\gtp_parser.c +# End Source File +# Begin Source File + +SOURCE=.\gtp_roptions.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_ip.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_gtp.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\gtp_config.h +# End Source File +# Begin Source File + +SOURCE=.\gtp_debug.h +# End Source File +# Begin Source File + +SOURCE=.\gtp_parser.h +# End Source File +# Begin Source File + +SOURCE=.\gtp_roptions.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\spp_gtp.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/spp_gtp.c snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.c --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/spp_gtp.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,774 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +/* + * GTP preprocessor + * + * This is the main entry point for this preprocessor + * + * Author: Hui Cao + * Date: 07-15-2011 + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" + +#include "preprocids.h" +#include "spp_gtp.h" +#include "gtp_config.h" +#include "gtp_roptions.h" +#include "gtp_parser.h" + +#include <assert.h> +#include <stdio.h> +#include <syslog.h> +#include <string.h> +#ifndef WIN32 +#include <strings.h> +#include <sys/time.h> +#endif +#include <stdlib.h> +#include <ctype.h> + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats gtpPerfStats; +#endif + +#include "sf_types.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; + +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_GTP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_GTP"; +#endif + +#define SetupGTP DYNAMIC_PREPROC_SETUP + +#ifdef TARGET_BASED +int16_t gtp_app_id = 
SFTARGET_UNKNOWN_PROTOCOL; +#endif + +/* + * Session state flags for GTPData::state_flags + */ + +#define GTP_FLG_REASSEMBLY_SET (0x20000) +/* + * Function prototype(s) + */ +GTPData * GTPGetNewSession(SFSnortPacket *, tSfPolicyId); +static void GTPInit( char* ); +static void GTPCheckConfig(void); +static void FreeGTPData( void* ); +static inline int GTP_Process(SFSnortPacket *, GTPData*); +static void GTPmain( void*, void* ); +static inline int CheckGTPPort( uint16_t ); +static void GTPFreeConfig(tSfPolicyUserContextId); +static void _addPortsToStream5Filter(GTPConfig *, tSfPolicyId); +static void GTP_PrintStats(int); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif + +static void GTPCleanExit(int, void *); + +/******************************************************************** + * Global variables + ********************************************************************/ +uint32_t numSessions = 0; +GTP_Stats gtp_stats; +GTPConfig *gtp_eval_config; +tSfPolicyUserContextId gtp_config; + +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId gtp_swap_config = NULL; +static void GTPReload(char *); +static int GTPReloadVerify(void); +static void * GTPReloadSwap(void); +static void GTPReloadSwapFree(void *); +#endif + + +/* Called at preprocessor setup time. Links preprocessor keyword + * to corresponding preprocessor initialization function. + * + * PARAMETERS: None. + * + * RETURNS: Nothing. + * + */ +void SetupGTP(void) +{ + /* Link preprocessor keyword to initialization function + * in the preprocessor list. */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc( "gtp", GTPInit ); +#else + _dpd.registerPreproc("gtp", GTPInit, GTPReload, + GTPReloadSwap, GTPReloadSwapFree); +#endif +} + +/* Initializes the GTP preprocessor module and registers + * it in the preprocessor list. + * + * PARAMETERS: + * + * argp: Pointer to argument string to process for config data. + * + * RETURNS: Nothing. 
+ */ +static void GTPInit(char *argp) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + GTPConfig *pDefaultPolicyConfig = NULL; + GTPConfig *pPolicyConfig = NULL; + + + if (gtp_config == NULL) + { + /*create a context*/ + gtp_config = sfPolicyConfigCreate(); + if (gtp_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for GTP config.\n"); + } + + _dpd.addPreprocConfCheck(GTPCheckConfig); + _dpd.registerPreprocStats(GTP_NAME, GTP_PrintStats); + _dpd.addPreprocExit(GTPCleanExit, NULL, PRIORITY_LAST, PP_GTP); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("gtp", (void *)>pPerfStats, 0, _dpd.totalPerfStats); +#endif + +#ifdef TARGET_BASED + gtp_app_id = _dpd.findProtocolReference("gtp"); + if (gtp_app_id == SFTARGET_UNKNOWN_PROTOCOL) + gtp_app_id = _dpd.addProtocolReference("gtp"); + +#endif + } + + sfPolicyUserPolicySet (gtp_config, policy_id); + pDefaultPolicyConfig = (GTPConfig *)sfPolicyUserDataGetDefault(gtp_config); + pPolicyConfig = (GTPConfig *)sfPolicyUserDataGetCurrent(gtp_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("GTP preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (GTPConfig *)calloc(1, sizeof(GTPConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "GTP preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(gtp_config, pPolicyConfig); + + GTP_RegRuleOptions(); + + ParseGTPArgs(pPolicyConfig, (u_char *)argp); + + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupGTP(): The Stream preprocessor must be enabled.\n"); + } + + _dpd.addPreproc( GTPmain, PRIORITY_APPLICATION, PP_GTP, PROTO_BIT__UDP ); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +/********************************************************************* + * Main entry point for GTP 
processing. + * + * Arguments: + * SFSnortPacket * - pointer to packet structure + * + * Returns: + * int - GTP_SUCCESS + * GTP_FAILURE + * + *********************************************************************/ +static inline int GTP_Process(SFSnortPacket *p, GTPData* sessp) +{ + int status; + char* gtp_buff = (char*) p->payload; + static uint32_t msgId = 0; + + GTP_Roptions *pRopts; + GTPMsg gtpMsg; + + pRopts = &(sessp->ropts); + + memset(>pMsg, 0, GTPMSG_ZERO_LEN); + + /* msg_id is used to associate message with information elements + * If msg_id matches, the information element in the info_elements + * belongs to the message + * Using msg_id avoids initializing info_elements for every message + * Tabled based info_elements improves information element search performance */ + + /* To avoid id overlap, clean table when msgId resets*/ + if ( msgId == 0) + gtp_cleanInfoElements(); + gtpMsg.msg_id = ++msgId; + + + status = gtp_parse(>pMsg, gtp_buff, p->payload_size); + + /*Update the session data*/ + pRopts->gtp_type = gtpMsg.msg_type; + pRopts->gtp_version = gtpMsg.version; + pRopts->gtp_infoElements = gtpMsg.info_elements; + pRopts->gtp_header = gtpMsg.gtp_header; + pRopts->msg_id = gtpMsg.msg_id; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP message version: %d\n", + gtpMsg.version)); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP message type: %d\n", + gtpMsg.msg_type)); + + return status; +} +/* Main runtime entry point for GTP preprocessor. + * Analyzes GTP packets for anomalies/exploits. + * + * PARAMETERS: + * + * packetp: Pointer to current packet to process. + * contextp: Pointer to context block, not used. + * + * RETURNS: Nothing. 
+ */ +static void GTPmain( void* ipacketp, void* contextp ) +{ + GTPData* sessp = NULL; + uint8_t source = 0; + uint8_t dest = 0; + + SFSnortPacket* packetp; +#ifdef TARGET_BASED + int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + PROFILE_VARS; + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__START_MSG)); + + packetp = (SFSnortPacket*) ipacketp; + sfPolicyUserPolicySet (gtp_config, policy_id); + + /* Make sure this preprocessor should run. */ + if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size )) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "No payload - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + return; + } + else if (!IsUDP(packetp)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not UDP - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + return; + } + + PREPROC_PROFILE_START(gtpPerfStats); + + gtp_eval_config = sfPolicyUserDataGetCurrent(gtp_config); + + /* Attempt to get a previously allocated GTP block. */ + sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_GTP); + if (sessp != NULL) + { + gtp_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id); + + } + + if (sessp == NULL) + { + /* If not doing autodetection, check the ports to make sure this is + * running on an GTP port, otherwise no need to examine the traffic. 
+ */ +#ifdef TARGET_BASED + app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr); + if (app_id == SFTARGET_UNKNOWN_PROTOCOL) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unknown protocol - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } + + else if (app_id && (app_id != gtp_app_id)) + { + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } + + else if (!app_id) + { +#endif + source = (uint8_t)CheckGTPPort( packetp->src_port ); + dest = (uint8_t)CheckGTPPort( packetp->dst_port ); + + if ( !source && !dest ) + { + /* Not one of the ports we care about. */ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP ports - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } +#ifdef TARGET_BASED + } +#endif + /* Check the stream session. If it does not currently + * have our GTP data-block attached, create one. + */ + sessp = GTPGetNewSession(packetp, policy_id); + + if ( !sessp ) + { + /* Could not get/create the session data for this packet. */ + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Create session error - not inspecting.\n")); + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + return; + } + + } + + + /* We're interested in this session. Turn on stream reassembly. 
*/ + if ( !(sessp->state_flags & GTP_FLG_REASSEMBLY_SET )) + { + _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE); + sessp->state_flags |= GTP_FLG_REASSEMBLY_SET; + } + /* + * Start process PAYLOAD + */ + GTP_Process(packetp,sessp); + + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG)); + PREPROC_PROFILE_END(gtpPerfStats); + +} + +/********************************************************************** + * Retrieves the GTP data block registered with the stream + * session associated w/ the current packet. If none exists, + * allocates it and registers it with the stream API. + * + * Arguments: + * + * packetp: Pointer to the packet from which/in which to + * retrieve/store the GTP data block. + * + * RETURNS: Pointer to an GTP data block, upon success. + * NULL, upon failure. + **********************************************************************/ +GTPData * GTPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id) +{ + GTPData* datap = NULL; + + /* Sanity check(s) */ + assert( packetp ); + if ( !packetp->stream_session_ptr ) + { + return NULL; + } + + datap = (GTPData *)calloc(1, sizeof(GTPData)); + + if ( !datap ) + return NULL; + + /*Register the new GTP data block in the stream session. */ + _dpd.streamAPI->set_application_data( + packetp->stream_session_ptr, + PP_GTP, datap, FreeGTPData ); + + datap->policy_id = policy_id; + datap->config = gtp_config; + ((GTPConfig *)sfPolicyUserDataGetCurrent(gtp_config))->ref_count++; + + gtp_stats.sessions++; + DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Number of sessions created: %u\n", gtp_stats.sessions)); + + return datap; +} + + +/*********************************************************************** + * Registered as a callback with our GTP data blocks when + * they are added to the underlying stream session. Called + * by the stream preprocessor when a session is about to be + * destroyed. 
+ * + * PARAMETERS: + * + * idatap: Pointer to the moribund data. + * + * RETURNS: Nothing. + ***********************************************************************/ +static void FreeGTPData( void* idatap ) +{ + GTPData *ssn = (GTPData *)idatap; + GTPConfig *config = NULL; + + if (ssn == NULL) + return; + if (numSessions > 0) + numSessions--; + + /*Clean the configuration data*/ + if (ssn->config != NULL) + { + config = (GTPConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id); + } + + if (config == NULL) + { + free(ssn); + return; + } + + config->ref_count--; + if ((config->ref_count == 0) && (ssn->config != gtp_config)) + { + sfPolicyUserDataClear (ssn->config, ssn->policy_id); + free(config); + + if (sfPolicyUserPolicyGetActive(ssn->config) == 0) + { + /* No more outstanding configs - free the config array */ + GTPFreeConfig(ssn->config); + } + + } + + free(ssn); +} +/* ********************************************************************** + * Validates given port as an GTP server port. + * + * PARAMETERS: + * + * port: Port to validate. + * + * RETURNS: GTP_TRUE, if the port is indeed an GTP server port. + * GTP_FALSE, otherwise. + ***********************************************************************/ +static inline int CheckGTPPort( uint16_t port ) +{ + if ( gtp_eval_config->ports[ PORT_INDEX(port) ] & CONV_PORT( port ) ) + { + return GTP_TRUE; + } + + return GTP_FALSE; +} + +/* ********************************************************************** + * Add ports in the configuration to stream5 filter. + * + * PARAMETERS: + * + * GTPConfig: configuration to be used. 
+ * tSfPolicyId: policy ID + * + * RETURNS: None + ***********************************************************************/ + +static void _addPortsToStream5Filter(GTPConfig *config, tSfPolicyId policy_id) +{ + int portNum; + + assert(config); + assert(_dpd.streamAPI); + + for (portNum = 0; portNum < MAXPORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status(IPPROTO_UDP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1); + } + } + +} +#ifdef TARGET_BASED + +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(gtp_app_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif +static int GTPCheckPolicyConfig(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData) +{ + _dpd.setParserPolicy(policyId); + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("GTPCheckPolicyConfig(): The Stream preprocessor must be enabled.\n"); + } + return 0; +} +void GTPCheckConfig(void) +{ + sfPolicyUserDataIterate (gtp_config, GTPCheckPolicyConfig); +} + + +static void GTPCleanExit(int signal, void *data) +{ + if (gtp_config != NULL) + { + GTPFreeConfig(gtp_config); + gtp_config = NULL; + } +} + +static int GTPFreeConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + GTPConfig *pPolicyConfig = (GTPConfig *)pData; + + //do any housekeeping before freeing GTPConfig + + sfPolicyUserDataClear (config, policyId); + + free(pPolicyConfig); + + return 0; +} + +void GTPFreeConfig(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, GTPFreeConfigPolicy); + sfPolicyConfigDelete(config); +} + +/****************************************************************** + * Print statistics being kept by the preprocessor. 
+ * + * Arguments: + * int - whether Snort is exiting or not + * + * Returns: None + * + ******************************************************************/ +static void GTP_PrintStats(int exiting) +{ + int i, j; + _dpd.logMsg("GTP Preprocessor Statistics\n"); + _dpd.logMsg(" Total sessions: "STDu64"\n", gtp_stats.sessions); + if (gtp_stats.sessions < 1) + return; + + if (gtp_stats.events > 0) + _dpd.logMsg(" Preprocessor events: "STDu64"\n", gtp_stats.events); + + _dpd.logMsg(" Total reserved messages: "STDu64"\n", gtp_stats.unknownTypes); + _dpd.logMsg(" Packets with reserved information elements: "STDu64"\n", gtp_stats.unknownIEs); + + for (i = 0; i < MAX_GTP_VERSION_CODE + 1; i++ ) + { + uint64_t total_msgs = 0; + DEBUG_WRAP(_dpd.logMsg(" Messages of version %d:\n", i);); + for(j = 0; j < MAX_GTP_TYPE_CODE + 1; j++) + { + GTP_MsgType *msg = gtp_stats.msgTypeTable[i][j]; + if ( msg && msg->name) + { + DEBUG_WRAP(_dpd.logMsg("%39s: "STDu64"\n", msg->name, gtp_stats.messages[i][j]);); + } + total_msgs += gtp_stats.messages[i][j]; + + } + if (total_msgs > 0) + _dpd.logMsg(" Total messages of version %d: %u\n", i, total_msgs); + } +} +#ifdef SNORT_RELOAD +static void GTPReload(char *args) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + GTPConfig * pPolicyConfig = NULL; + + if (gtp_swap_config == NULL) + { + //create a context + gtp_swap_config = sfPolicyConfigCreate(); + if (gtp_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for GTP config.\n"); + } + + } + + sfPolicyUserPolicySet (gtp_swap_config, policy_id); + pPolicyConfig = (GTPConfig *)sfPolicyUserDataGetCurrent(gtp_swap_config); + if (pPolicyConfig != NULL) + { + DynamicPreprocessorFatalMessage("GTP preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (GTPConfig *)calloc(1, sizeof(GTPConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "GTP preprocessor configuration.\n"); + } + 
sfPolicyUserDataSetCurrent(gtp_swap_config, pPolicyConfig); + + GTP_RegRuleOptions(); + + ParseGTPArgs(pPolicyConfig, (u_char *)args); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("SetupGTP(): The Stream preprocessor must be enabled.\n"); + } + + _dpd.addPreproc( GTPmain, PRIORITY_APPLICATION, PP_GTP, PROTO_BIT__UDP ); + _dpd.addPreprocReloadVerify(GTPReloadVerify); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +static int GTPReloadVerify(void) +{ + GTPConfig * pPolicyConfig = NULL; + GTPConfig * pCurrentConfig = NULL; + + if (gtp_swap_config == NULL) + return 0; + + pPolicyConfig = (GTPConfig *)sfPolicyUserDataGet(gtp_swap_config, _dpd.getDefaultPolicy()); + + if (!pPolicyConfig) + return 0; + + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("SetupGTP(): The Stream preprocessor must be enabled.\n"); + } + + if (gtp_config != NULL) + { + pCurrentConfig = (GTPConfig *)sfPolicyUserDataGet(gtp_config, _dpd.getDefaultPolicy()); + } + + if (!pCurrentConfig) + return 0; + + + return 0; +} + +static int GTPFreeUnusedConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + GTPConfig *pPolicyConfig = (GTPConfig *)pData; + + //do any housekeeping before freeing GTPConfig + if (pPolicyConfig->ref_count == 0) + { + sfPolicyUserDataClear (config, policyId); + free(pPolicyConfig); + } + return 0; +} + +static void * GTPReloadSwap(void) +{ + tSfPolicyUserContextId old_config = gtp_config; + + if (gtp_swap_config == NULL) + return NULL; + + gtp_config = gtp_swap_config; + gtp_swap_config = NULL; + + sfPolicyUserDataIterate (old_config, GTPFreeUnusedConfigPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + { + /* No more outstanding configs - free the config array */ + return (void *)old_config; + } + + return NULL; +} + +static void GTPReloadSwapFree(void *data) +{ + if (data == NULL) + 
return; + + GTPFreeConfig((tSfPolicyUserContextId)data); +} +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/gtp/spp_gtp.h snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.h --- snort-2.9.0.1/src/dynamic-preprocessors/gtp/spp_gtp.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/gtp/spp_gtp.h 2011-10-26 11:28:52.000000000 -0700 
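Review bot: In GTP_PrintStats the per-version total is logged with `_dpd.logMsg(" Total messages of version %d: %u\n", i, total_msgs);` although `total_msgs` is a `uint64_t`, a format/argument mismatch that is undefined behaviour and prints a truncated or garbage count on LP64 builds; the rest of the function already uses the `STDu64` macro, so it should read `_dpd.logMsg(" Total messages of version %d: "STDu64"\n", i, total_msgs);`. The global `numSessions` is decremented in FreeGTPData but nothing in this file ever increments it (GTPGetNewSession only bumps `gtp_stats.sessions`), so it stays at zero and either the decrement belongs next to that increment or the variable should go. GTPReloadVerify looks up `pCurrentConfig` and then returns 0 both on the `!pCurrentConfig` path and on the fall-through, so the lookup is dead and a reload is never rejected; either compare the swapped and current configs or drop the unused lookup. GTPmain assigns `gtp_eval_config` from `sfPolicyUserDataGetCurrent(gtp_config)` with no NULL check before CheckGTPPort dereferences it; if `_dpd.addPreproc` can run this callback under a runtime policy with no gtp config (not visible here), that is a NULL dereference on the packet path, and an early return when it is NULL would be cheap. The fatal messages in GTPInit, GTPReload and GTPReloadVerify all say `SetupGTP():`, which misdirects whoever reads the log.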
@@ -0,0 +1,130 @@ +/* $Id */ + +/* +** Copyright (C) 2011-2011 Sourcefire, Inc. +** +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* + * spp_gtp.h: Definitions, structs, function prototype(s) for + * the GTP preprocessor. + * Author: Hui Cao + */ + +#ifndef SPP_GTP_H +#define SPP_GTP_H +#include <stddef.h> +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "gtp_roptions.h" + + +/* Convert port value into an index for the gtp_config->ports array */ +#define PORT_INDEX(port) port/8 + +/* Convert port value into a value for bitwise operations */ +#define CONV_PORT(port) 1<<(port%8) + +/* + * Boolean values. + */ +#define GTP_TRUE (1) +#define GTP_FALSE (0) + +/* + * Error codes. + */ +#define GTP_SUCCESS (1) +#define GTP_FAILURE (0) + + +/* + * Per-session data block containing current state + * of the GTP preprocessor for the session. + * + * state_flags: Bit vector describing the current state of the + * session. 
+ */ +typedef struct _gtpData +{ + + uint32_t state_flags; + GTP_Roptions ropts; + tSfPolicyId policy_id; + tSfPolicyUserContextId config; + +} GTPData; + +typedef struct _GTPMsg +{ + uint8_t version; + uint8_t msg_type; + uint16_t msg_length; + uint16_t header_len; + char *gtp_header; + GTP_IEData *info_elements; + /* nothing after this point is zeroed ...*/ + uint32_t msg_id; /*internal state, new msg will have a new id*/ + +} GTPMsg; + +#define GTPMSG_ZERO_LEN offsetof(GTPMsg, msg_id) + +/* + * Generator id. Define here the same as the official registry + * in generators.h + */ +#define GENERATOR_SPP_GTP 143 + +/* Ultimately calls SnortEventqAdd */ +/* Arguments are: gid, sid, rev, classification, priority, message, rule_info */ +#define ALERT(x,y) { _dpd.alertAdd(GENERATOR_SPP_GTP, x, 1, 0, 3, y, 0 ); gtp_stats.events++; } + +/* + * GTP preprocessor alert types. + */ +#define GTP_EVENT_BAD_MSG_LEN (1) +#define GTP_EVENT_BAD_IE_LEN (2) +#define GTP_EVENT_OUT_OF_ORDER_IE (3) +/* + * GTP preprocessor alert strings. 
+ */ +#define GTP_EVENT_BAD_MSG_LEN_STR "(spp_gtp) Message length is invalid" +#define GTP_EVENT_BAD_IE_LEN_STR "(spp_gtp) Information element length is invalid" +#define GTP_EVENT_OUT_OF_ORDER_IE_STR "(spp_gtp) Information elements are out of order" + +typedef struct _GTP_Stats +{ + uint64_t sessions; + uint64_t events; + uint64_t unknownTypes; + uint64_t unknownIEs; + uint64_t messages[MAX_GTP_VERSION_CODE + 1][MAX_GTP_TYPE_CODE + 1]; + GTP_MsgType *msgTypeTable[MAX_GTP_VERSION_CODE + 1][MAX_GTP_TYPE_CODE + 1]; + +} GTP_Stats; + +extern GTP_Stats gtp_stats; +extern GTPConfig *gtp_eval_config; +extern tSfPolicyUserContextId gtp_config; + +/* Prototypes for public interface */ +void SetupGTP(void); + +#endif /* SPP_GTP_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_config.c snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.c --- snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_config.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.c 2011-10-26 11:28:52.000000000 -0700 
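Review bot: `PORT_INDEX` and `CONV_PORT` expand unparenthesised (`port/8` and `1<<(port%8)`), so CheckGTPPort's `ports[PORT_INDEX(port)] & CONV_PORT(port)` works only because `<<` binds tighter than `&`, and an expression argument or a comparison such as `CONV_PORT(p) == x` would silently mis-evaluate; define them as `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))`. `ALERT(x,y)` is a bare brace block, so `if (c) ALERT(a,b); else ...` does not compile and an un-braced `if` body silently gains a second statement; wrap it as `#define ALERT(x,y) do { _dpd.alertAdd(GENERATOR_SPP_GTP, x, 1, 0, 3, y, 0 ); gtp_stats.events++; } while (0)`. The GTPMsg comment already says nothing after `msg_id` is zeroed; since that boundary is the `offsetof` in `GTPMSG_ZERO_LEN` and GTP_Process depends on it, naming the macro in that comment would tie the two together for the next person who adds a member.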
@@ -0,0 +1,626 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/*************************************************************************** + * imap_config.c + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * Handle configuration of the IMAP preprocessor + * + * Entry point functions: + * + * IMAP_ParseArgs() + * + ***************************************************************************/ + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> +#include <stdio.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_imap.h" +#include "imap_config.h" +#include "snort_bounds.h" +#include "sf_dynamic_preprocessor.h" +#include "sfPolicy.h" + + +/* Global variable to hold configuration */ +extern IMAPConfig **imap_config; + +extern const IMAPToken imap_known_cmds[]; + +/* Private functions */ +static int ProcessPorts(IMAPConfig *, char *, int); +static int ProcessImapMemcap(IMAPConfig *, char *, int); +static int 
ProcessDecodeDepth(IMAPConfig *, char *, int, char *, DecodeType); + +/* + * Function: IMAP_ParseArgs(char *) + * + * Purpose: Process the preprocessor arguments from the rules file and + * initialize the preprocessor's data struct. This function doesn't + * have to exist if it makes sense to parse the args in the init + * function. + * + * Arguments: args => argument list + * + * Returns: void function + * + */ +void IMAP_ParseArgs(IMAPConfig *config, char *args) +{ + int ret = 0; + char *arg; + char errStr[ERRSTRLEN]; + int errStrLen = ERRSTRLEN; + + if ((config == NULL) || (args == NULL)) + return; + + config->ports[IMAP_DEFAULT_SERVER_PORT / 8] |= 1 << (IMAP_DEFAULT_SERVER_PORT % 8); + config->memcap = DEFAULT_IMAP_MEMCAP; + config->b64_depth = DEFAULT_DEPTH; + config->qp_depth = DEFAULT_DEPTH; + config->uu_depth = DEFAULT_DEPTH; + config->bitenc_depth = DEFAULT_DEPTH; + config->max_depth = MIN_DEPTH; + + *errStr = '\0'; + + arg = strtok(args, CONF_SEPARATORS); + + while ( arg != NULL ) + { + if ( !strcasecmp(CONF_PORTS, arg) ) + { + ret = ProcessPorts(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_IMAP_MEMCAP, arg) ) + { + ret = ProcessImapMemcap(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_B64_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_B64_DECODE, DECODE_B64); + } + else if ( !strcasecmp(CONF_QP_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_QP_DECODE, DECODE_QP); + } + else if ( !strcasecmp(CONF_UU_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_UU_DECODE, DECODE_UU); + } + else if ( !strcasecmp(CONF_BITENC_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_BITENC_DECODE, DECODE_BITENC); + } + else if ( !strcasecmp(CONF_DISABLED, arg) ) + { + config->disabled = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Unknown IMAP configuration option %s\n", + *(_dpd.config_file), *(_dpd.config_line), 
arg); + } + + if (ret == -1) + { + /* + ** Fatal Error, log error and exit. + */ + if (*errStr) + { + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + *(_dpd.config_file), *(_dpd.config_line), errStr); + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* Get next token */ + arg = strtok(NULL, CONF_SEPARATORS); + } + +} + +int IMAP_IsDecodingEnabled(IMAPConfig *pPolicyConfig) +{ + if( (pPolicyConfig->b64_depth > -1) || (pPolicyConfig->qp_depth > -1) + || (pPolicyConfig->uu_depth > -1) || (pPolicyConfig->bitenc_depth > -1) ) + { + return 0; + } + else + return -1; + +} + +void IMAP_CheckConfig(IMAPConfig *pPolicyConfig, tSfPolicyUserContextId context) +{ + int max = -1; + IMAPConfig *defaultConfig = + (IMAPConfig *)sfPolicyUserDataGetDefault(context); + + if (pPolicyConfig == defaultConfig) + { + if (!pPolicyConfig->memcap) + pPolicyConfig->memcap = DEFAULT_IMAP_MEMCAP; + + if(!pPolicyConfig->b64_depth || !pPolicyConfig->qp_depth + || !pPolicyConfig->uu_depth || !pPolicyConfig->bitenc_depth) + { + pPolicyConfig->max_depth = MAX_DEPTH; + return; + } + else + { + if(max < pPolicyConfig->b64_depth) + max = pPolicyConfig->b64_depth; + + if(max < pPolicyConfig->qp_depth) + max = pPolicyConfig->qp_depth; + + if(max < pPolicyConfig->bitenc_depth) + max = pPolicyConfig->bitenc_depth; + + if(max < pPolicyConfig->uu_depth) + max = pPolicyConfig->uu_depth; + + pPolicyConfig->max_depth = max; + } + + } + else if (defaultConfig == NULL) + { + if (pPolicyConfig->memcap) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: memcap must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->b64_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: b64_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->qp_depth > -1) + { + 
DynamicPreprocessorFatalMessage("%s(%d) => IMAP: qp_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->uu_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: uu_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->bitenc_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: bitenc_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + } + else + { + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->max_depth = defaultConfig->max_depth; + if(pPolicyConfig->disabled) + { + pPolicyConfig->b64_depth = defaultConfig->b64_depth; + pPolicyConfig->qp_depth = defaultConfig->qp_depth; + pPolicyConfig->uu_depth = defaultConfig->uu_depth; + pPolicyConfig->bitenc_depth = defaultConfig->bitenc_depth; + return; + } + if(!pPolicyConfig->b64_depth && defaultConfig->b64_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited Base64 decoding" + " in non-default config without turning on unlimited Base64 decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->b64_depth && (pPolicyConfig->b64_depth > defaultConfig->b64_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: b64_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->b64_depth, defaultConfig->b64_depth); + } + + if(!pPolicyConfig->qp_depth && defaultConfig->qp_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited Quoted-Printable decoding" + " in non-default config without turning on unlimited Quoted-Printable decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else 
if(defaultConfig->qp_depth && (pPolicyConfig->qp_depth > defaultConfig->qp_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: qp_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->qp_depth, defaultConfig->qp_depth); + } + + if(!pPolicyConfig->uu_depth && defaultConfig->uu_depth ) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited Unix-to-Unix decoding" + " in non-default config without turning on unlimited Unix-to-Unix decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->uu_depth && (pPolicyConfig->uu_depth > defaultConfig->uu_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: uu_decode_depth value %d in the non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line),pPolicyConfig->uu_depth, defaultConfig->uu_depth); + } + + if(!pPolicyConfig->bitenc_depth && defaultConfig->bitenc_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: Cannot enable unlimited 7bit/8bit/binary extraction" + " in non-default config without turning on unlimited 7bit/8bit/binary extraction in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->bitenc_depth && (pPolicyConfig->bitenc_depth > defaultConfig->bitenc_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => IMAP: bitenc_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->bitenc_depth, defaultConfig->bitenc_depth); + } + + } +} + +void IMAP_PrintConfig(IMAPConfig *config) +{ + int i; + int j = 0; + char buf[8192]; + + if (config == NULL) + return; + + memset(&buf[0], 0, sizeof(buf)); + + _dpd.logMsg("IMAP Config:\n"); + + if(config->disabled) + _dpd.logMsg(" IMAP: INACTIVE\n"); + + snprintf(buf, sizeof(buf) 
- 1, " Ports: "); + + for (i = 0; i < 65536; i++) + { + if (config->ports[i / 8] & (1 << (i % 8))) + { + j++; + _dpd.printfappend(buf, sizeof(buf) - 1, "%d ", i); + if(!(j%10)) + _dpd.printfappend(buf, sizeof(buf) - 1, "\n "); + } + } + + _dpd.logMsg("%s\n", buf); + + + _dpd.logMsg(" IMAP Memcap: %u\n", + config->memcap); + + if(config->b64_depth > -1) + { + _dpd.logMsg(" Base64 Decoding: %s\n", "Enabled"); + switch(config->b64_depth) + { + case 0: + _dpd.logMsg(" Base64 Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Base64 Decoding Depth: %d\n", config->b64_depth); + break; + } + } + else + _dpd.logMsg(" Base64 Decoding: %s\n", "Disabled"); + + if(config->qp_depth > -1) + { + _dpd.logMsg(" Quoted-Printable Decoding: %s\n","Enabled"); + switch(config->qp_depth) + { + case 0: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %d\n", config->qp_depth); + break; + } + } + else + _dpd.logMsg(" Quoted-Printable Decoding: %s\n", "Disabled"); + + if(config->uu_depth > -1) + { + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n","Enabled"); + switch(config->uu_depth) + { + case 0: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %d\n", config->uu_depth); + break; + } + } + else + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n", "Disabled"); + + if(config->bitenc_depth > -1) + { + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n","Enabled"); + switch(config->bitenc_depth) + { + case 0: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %d\n", config->bitenc_depth); + break; + } + } + else + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n", "Disabled"); + +} + +/* +** NAME +** ProcessPorts:: +*/ +/** +** Process the port list. 
+** +** This configuration is a list of valid ports and is ended by a +** delimiter. +** +** @param ErrorString error string buffer +** @param ErrStrLen the length of the error string buffer +** +** @return an error code integer +** (0 = success, >0 = non-fatal error, <0 = fatal error) +** +** @retval 0 successs +** @retval -1 generic fatal error +** @retval 1 generic non-fatal error +*/ +static int ProcessPorts(IMAPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *pcToken; + char *pcEnd; + int iPort; + int iEndPorts = 0; + int num_ports = 0; + + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "IMAP config is NULL.\n"); + return -1; + } + + pcToken = strtok(NULL, CONF_SEPARATORS); + if(!pcToken) + { + snprintf(ErrorString, ErrStrLen, "Invalid port list format."); + return -1; + } + + if(strcmp(CONF_START_LIST, pcToken)) + { + snprintf(ErrorString, ErrStrLen, + "Must start a port list with the '%s' token.", CONF_START_LIST); + + return -1; + } + + /* Since ports are specified, clear default ports */ + config->ports[IMAP_DEFAULT_SERVER_PORT / 8] &= ~(1 << (IMAP_DEFAULT_SERVER_PORT % 8)); + + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) + { + if(!strcmp(CONF_END_LIST, pcToken)) + { + iEndPorts = 1; + break; + } + + iPort = strtol(pcToken, &pcEnd, 10); + + /* + ** Validity check for port + */ + if(*pcEnd) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number."); + + return -1; + } + + if(iPort < 0 || iPort > MAXPORTS-1) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number. 
Must be between 0 and 65535."); + + return -1; + } + + config->ports[iPort / 8] |= (1 << (iPort % 8)); + num_ports++; + } + + if(!iEndPorts) + { + snprintf(ErrorString, ErrStrLen, + "Must end '%s' configuration with '%s'.", + CONF_PORTS, CONF_END_LIST); + + return -1; + } + else if(!num_ports) + { + snprintf(ErrorString, ErrStrLen, + "IMAP: Empty port list not allowed."); + return -1; + } + + return 0; +} + +static int ProcessImapMemcap(IMAPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t imap_memcap = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "IMAP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option 'memcap'."); + return -1; + } + imap_memcap = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option 'memcap'."); + return -1; + } + + if (imap_memcap < MIN_IMAP_MEMCAP || imap_memcap > MAX_IMAP_MEMCAP) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for memcap." 
+ "It should range between %d and %d.", + MIN_IMAP_MEMCAP, MAX_IMAP_MEMCAP); + return -1; + } + + config->memcap = imap_memcap; + return 0; +} + + +static int ProcessDecodeDepth(IMAPConfig *config, char *ErrorString, int ErrStrLen, char *decode_type, DecodeType type) +{ + char *endptr; + char *value; + int decode_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "IMAP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option '%s'.", decode_type); + return -1; + } + decode_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for IMAP config option '%s'.", decode_type); + return -1; + } + if(decode_depth < MIN_DEPTH || decode_depth > MAX_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for IMAP config option '%s'." + "It should range between %d and %d.", + decode_type, MIN_DEPTH, MAX_DEPTH); + return -1; + } + + switch(type) + { + case DECODE_B64: + if((decode_depth > 0) && (decode_depth & 3)) + { + decode_depth += 4 - (decode_depth & 3); + if(decode_depth > MAX_DEPTH ) + { + decode_depth = decode_depth - 4; + } + _dpd.logMsg("WARNING: %s(%d) => IMAP: 'b64_decode_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. 
The new 'b64_decode_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), decode_depth); + + } + config->b64_depth = decode_depth; + break; + case DECODE_QP: + config->qp_depth = decode_depth; + break; + case DECODE_UU: + config->uu_depth = decode_depth; + break; + case DECODE_BITENC: + config->bitenc_depth = decode_depth; + break; + default: + return -1; + } + + return 0; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_config.h snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_config.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_config.h 2011-07-13 15:44:51.000000000 -0700 
@@ -0,0 +1,107 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/***************************************************************************
+ *
+ * imap_config.h
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ ***************************************************************************/
+
+#ifndef __IMAP_CONFIG_H__
+#define __IMAP_CONFIG_H__
+
+#include "sfPolicyUserData.h"
+#define CONF_SEPARATORS " \t\n\r"
+#define CONF_PORTS "ports"
+#define CONF_IMAP_MEMCAP "memcap"
+#define CONF_B64_DECODE "b64_decode_depth"
+#define CONF_QP_DECODE "qp_decode_depth"
+#define CONF_BITENC_DECODE "bitenc_decode_depth"
+#define CONF_UU_DECODE "uu_decode_depth"
+#define CONF_DISABLED "disabled"
+#define CONF_START_LIST "{"
+#define CONF_END_LIST "}"
+
+/*These are temporary values*/
+
+#define DEFAULT_IMAP_MEMCAP 838860
+#define DEFAULT_DEPTH 1464
+#define MAX_IMAP_MEMCAP 104857600
+#define MIN_IMAP_MEMCAP 3276
+#define MAX_DEPTH 65535
+#define MIN_DEPTH -1
+#define IMAP_DEFAULT_SERVER_PORT 143 /* IMAP normally runs on port 143 */
+
+#define ERRSTRLEN 512
+
+typedef struct _IMAPSearch
+{
+ char *name;
+ int name_len;
+
+} IMAPSearch;
+
+typedef struct _IMAPToken
+{
+ char *name;
+ int name_len;
+ int search_id;
+
+} IMAPToken;
+
+typedef struct _IMAPCmdConfig
+{
+ char alert; /* 1 if alert when seen */
+ char normalize; /* 1 if we should normalize this command */
+ int max_line_len; /* Max length of this particular command */
+
+} IMAPCmdConfig;
+
+typedef struct _IMAPConfig
+{
+ char ports[8192];
+ uint32_t memcap;
+ int max_depth;
+ int b64_depth;
+ int qp_depth;
+ int bitenc_depth;
+ int uu_depth;
+ IMAPToken *cmds;
+ IMAPSearch *cmd_search;
+ void *cmd_search_mpse;
+ int num_cmds;
+ int disabled;
+
+ int ref_count;
+
+} IMAPConfig;
+
+/* Function prototypes */
+void IMAP_ParseArgs(IMAPConfig *, char *);
+void IMAP_PrintConfig(IMAPConfig *config);
+
+void IMAP_CheckConfig(IMAPConfig *, tSfPolicyUserContextId);
+int IMAP_IsDecodingEnabled(IMAPConfig *);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_log.c snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.c
--- snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_log.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.c 2011-10-26 11:28:52.000000000 -0700
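Review bot: `#define MIN_DEPTH -1` is an unparenthesised negative constant; a use such as `x-MIN_DEPTH` expands to `x--1` and fails to compile, and `2*MIN_DEPTH` works only by precedence, so it should be `#define MIN_DEPTH (-1)`, which leaves the `decode_depth < MIN_DEPTH` comparison in imap_config.c unchanged. The comment `/*These are temporary values*/` above the memcap and depth limits should say which values are provisional and what they are waiting on, or be dropped, since a reader cannot tell whether MAX_IMAP_MEMCAP or MAX_DEPTH is a placeholder or an enforced bound. `char ports[8192]` is a per-port bitmap, as the `ports[i / 8] & (1 << (i % 8))` accesses in imap_config.c show, and deserves `/* one bit per TCP port: 65536 / 8 */` next to the field.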
@@ -0,0 +1,111 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * imap_log.c
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file handles IMAP alerts.
+ *
+ * Entry point functions:
+ *
+ * IMAP_GenerateAlert()
+ *
+ *
+ **************************************************************************/
+
+#include <stdarg.h>
+#include <stdio.h>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sf_types.h"
+#include "snort_debug.h"
+#include "imap_config.h"
+#include "imap_log.h"
+#include "snort_imap.h"
+#include "sf_dynamic_preprocessor.h"
+
+extern IMAPConfig *imap_eval_config;
+extern IMAP *imap_ssn;
+
+char imap_event[IMAP_EVENT_MAX][EVENT_STR_LEN];
+
+
+void IMAP_GenerateAlert(int event, char *format, ...)
+{
+ va_list ap;
+
+ /* Only log a specific alert once per session */
+ if (imap_ssn->alert_mask & (1 << event))
+ {
+#ifdef DEBUG_MSGS
+ DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Already alerted on: %s - "
+ "ignoring event.\n", imap_event[event]););
+#endif
+ return;
+ }
+
+ /* set bit for this alert so we don't alert on again
+ * in this session */
+ imap_ssn->alert_mask |= (1 << event);
+
+ va_start(ap, format);
+
+ imap_event[event][0] = '\0';
+ vsnprintf(&imap_event[event][0], EVENT_STR_LEN - 1, format, ap);
+ imap_event[event][EVENT_STR_LEN - 1] = '\0';
+
+ _dpd.alertAdd(GENERATOR_SPP_IMAP, event, 1, 0, 3, &imap_event[event][0], 0);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP Alert generated: %s\n", imap_event[event]););
+
+ va_end(ap);
+}
+
+void IMAP_DecodeAlert(void)
+{
+ switch( imap_ssn->decode_state->decode_type )
+ {
+ case DECODE_B64:
+ IMAP_GenerateAlert(IMAP_B64_DECODING_FAILED, "%s", IMAP_B64_DECODING_FAILED_STR);
+ break;
+ case DECODE_QP:
+ IMAP_GenerateAlert(IMAP_QP_DECODING_FAILED, "%s", IMAP_QP_DECODING_FAILED_STR);
+ break;
+ case DECODE_UU:
+ IMAP_GenerateAlert(IMAP_UU_DECODING_FAILED, "%s", IMAP_UU_DECODING_FAILED_STR);
+ break;
+ case DECODE_BITENC:
+ IMAP_GenerateAlert(IMAP_BITENC_DECODING_FAILED, "%s", IMAP_BITENC_DECODING_FAILED_STR);
+ break;
+
+ default:
+ break;
+ }
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_log.h snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.h
--- snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_log.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_log.h 2011-06-07 17:33:14.000000000 -0700
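Review bot: IMAP_GenerateAlert indexes `imap_event[event]` and shifts `1 << event` without checking that `event` lies below IMAP_EVENT_MAX; every caller visible in this hunk passes a constant in 1..7, so this is hardening rather than an observed fault, but `if (event < 0 || event >= IMAP_EVENT_MAX) return;` at the top keeps a future event id from writing past the table or shifting outside alert_mask. The function also dereferences the global `imap_ssn` unconditionally; if callers guarantee a session is bound before alerting, a comment such as `/* caller guarantees imap_ssn is set */` records that contract. Because `format` is forwarded to vsnprintf, declaring the prototype with `__attribute__((format(printf, 2, 3)))` under the usual `#ifdef __GNUC__` lets the compiler check call sites; the visible calls all use a literal `"%s"`, which is the right shape.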
@@ -0,0 +1,65 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * imap_log.h
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ **************************************************************************/
+
+#ifndef __IMAP_LOG_H__
+#define __IMAP_LOG_H__
+
+
+#define GENERATOR_SPP_IMAP 141
+
+/* Events for IMAP */
+#define IMAP_UNKNOWN_CMD 1
+#define IMAP_UNKNOWN_RESP 2
+#define IMAP_MEMCAP_EXCEEDED 3
+#define IMAP_B64_DECODING_FAILED 4
+#define IMAP_QP_DECODING_FAILED 5
+#define IMAP_BITENC_DECODING_FAILED 6
+#define IMAP_UU_DECODING_FAILED 7
+
+#define IMAP_EVENT_MAX 8
+
+/* Messages for each event */
+#define IMAP_UNKNOWN_CMD_STR "(IMAP) Unknown IMAP4 command"
+#define IMAP_UNKNOWN_RESP_STR "(IMAP) Unknown IMAP4 response"
+#define IMAP_MEMCAP_EXCEEDED_STR "(IMAP) No memory available for decoding. Memcap exceeded"
+#define IMAP_B64_DECODING_FAILED_STR "(IMAP) Base64 Decoding failed."
+#define IMAP_QP_DECODING_FAILED_STR "(IMAP) Quoted-Printable Decoding failed."
+#define IMAP_BITENC_DECODING_FAILED_STR "(IMAP) 7bit/8bit/binary/text Extraction failed."
+#define IMAP_UU_DECODING_FAILED_STR "(IMAP) Unix-to-Unix Decoding failed."
+
+#define EVENT_STR_LEN 256
+
+
+/* Function prototypes */
+void IMAP_GenerateAlert(int, char *, ...);
+void IMAP_DecodeAlert(void);
+
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_util.c snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.c
--- snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_util.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.c 2011-06-07 17:33:14.000000000 -0700
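Review bot: The event id list carries an unstated contract: imap_log.c sizes `imap_event[IMAP_EVENT_MAX][EVENT_STR_LEN]` by IMAP_EVENT_MAX and records per-session alerting with `1 << event`, so ids must stay contiguous below IMAP_EVENT_MAX and IMAP_EVENT_MAX must not exceed the bit width of the session's alert_mask, whose type is not visible here. A comment beside the list, `/* ids index imap_event[] and alert_mask bits: keep them < IMAP_EVENT_MAX and bump it when adding an event */`, would stop a new event from being added without the bound being raised.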
@@ -0,0 +1,180 @@ +/* + * imap_util.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * This file contains IMAP helper functions. 
+ * + * Entry point functions: + * + * safe_strchr() + * safe_strstr() + * copy_to_space() + * safe_sscanf() + * + * + */ + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "snort_bounds.h" + +#include "snort_imap.h" +#include "imap_util.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_packet.h" +#include "Unified2_common.h" + +extern IMAP *imap_ssn; + +void IMAP_GetEOL(const uint8_t *ptr, const uint8_t *end, + const uint8_t **eol, const uint8_t **eolm) +{ + const uint8_t *tmp_eol; + const uint8_t *tmp_eolm; + + /* XXX maybe should fatal error here since none of these + * pointers should be NULL */ + if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL) + return; + + tmp_eol = (uint8_t *)memchr(ptr, '\n', end - ptr); + if (tmp_eol == NULL) + { + tmp_eol = end; + tmp_eolm = end; + } + else + { + /* end of line marker (eolm) should point to marker and + * end of line (eol) should point to end of marker */ + if ((tmp_eol > ptr) && (*(tmp_eol - 1) == '\r')) + { + tmp_eolm = tmp_eol - 1; + } + else + { + tmp_eolm = tmp_eol; + } + + /* move past newline */ + tmp_eol++; + } + + *eol = tmp_eol; + *eolm = tmp_eolm; +} + +void IMAP_DecodeType(const char *start, int length) +{ + const char *tmp = NULL; + + if(imap_ssn->decode_state->b64_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "base64"); + if( tmp != NULL ) + { + imap_ssn->decode_state->decode_type = DECODE_B64; + return; + } + } + + if(imap_ssn->decode_state->qp_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "quoted-printable"); + if( tmp != NULL ) + { + imap_ssn->decode_state->decode_type = DECODE_QP; + return; + } + } + + if(imap_ssn->decode_state->uu_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "uuencode"); + if( tmp != NULL ) + { + imap_ssn->decode_state->decode_type 
= DECODE_UU; + return; + } + } + + if(imap_ssn->decode_state->bitenc_state.depth > -1) + { + imap_ssn->decode_state->decode_type = DECODE_BITENC; + return; + } + + return; +} + + +#ifdef DEBUG_MSGS +char imap_print_buffer[65537]; + +const char * IMAP_PrintBuffer(SFSnortPacket *p) +{ + const uint8_t *ptr = NULL; + int len = 0; + int iorig, inew; + + ptr = p->payload; + len = p->payload_size; + + for (iorig = 0, inew = 0; iorig < len; iorig++, inew++) + { + if ((isascii((int)ptr[iorig]) && isprint((int)ptr[iorig])) || (ptr[iorig] == '\n')) + { + imap_print_buffer[inew] = ptr[iorig]; + } + else if (ptr[iorig] == '\r' && + ((iorig + 1) < len) && (ptr[iorig + 1] == '\n')) + { + iorig++; + imap_print_buffer[inew] = '\n'; + } + else if (isspace((int)ptr[iorig])) + { + imap_print_buffer[inew] = ' '; + } + else + { + imap_print_buffer[inew] = '.'; + } + } + + imap_print_buffer[inew] = '\0'; + + return &imap_print_buffer[0]; +} +#endif + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_util.h snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.h --- snort-2.9.0.1/src/dynamic-preprocessors/imap/imap_util.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/imap_util.h 2011-06-07 17:33:14.000000000 -0700 
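Review bot: IMAP_GetEOL passes `end - ptr` to memchr without checking that `ptr <= end`; a negative difference converts to a huge size_t and memchr would read far past the buffer. Extending the existing guard to `if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL || end < ptr) return;` closes that, with the caveat that this early return leaves *eol and *eolm untouched, which callers outside this hunk must tolerate, so the XXX comment about fatal-erroring is worth resolving one way or the other. IMAP_DecodeType dereferences the global `imap_ssn->decode_state` unconditionally and IMAP_PrintBuffer assumes `p->payload` is non-NULL; if the callers guarantee both, a one-line comment saying so documents the contract. IMAP_PrintBuffer's 65537-byte static buffer holds the output only while `payload_size` is at most 65536, since each input byte yields exactly one output byte plus the terminator; presumably true for a single packet, but worth a comment because the loop has no bound check of its own.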
@@ -0,0 +1,43 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/*************************************************************************
+ *
+ * imap_util.h
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ *************************************************************************/
+
+#ifndef __IMAP_UTIL_H__
+#define __IMAP_UTIL_H__
+
+#include "sf_snort_packet.h"
+
+void IMAP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **);
+void IMAP_DecodeType(const char *start, int length);
+
+#ifdef DEBUG_MSGS
+const char * IMAP_PrintBuffer(SFSnortPacket *);
+#endif
+
+#endif /* __IMAP_UTIL_H__ */
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/Makefile.am snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/imap/Makefile.am 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.am 2011-07-13 15:44:51.000000000 -0700
@@ -0,0 +1,41 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs + +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +lib_LTLIBRARIES = libsf_imap_preproc.la + +libsf_imap_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +libsf_imap_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else +nodist_libsf_imap_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/mempool.c \ +../include/sf_sdlist.c \ +../include/sf_base64decode.c \ +../include/util_unfold.c \ +../include/sf_email_attach_decode.c \ +../include/sfPolicyUserData.c +endif + +libsf_imap_preproc_la_SOURCES = \ +imap_config.c \ +imap_config.h \ +imap_log.c \ +imap_log.h \ +imap_util.c \ +imap_util.h \ +snort_imap.c \ +snort_imap.h \ +spp_imap.c \ +spp_imap.h + +EXTRA_DIST = \ +sf_imap.dsp + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/Makefile.in snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/imap/Makefile.in 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/Makefile.in 2011-12-07 11:23:19.000000000 -0800 
@@ -0,0 +1,580 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/imap +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_imap_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_imap_preproc_la_OBJECTS = imap_config.lo imap_log.lo \ + imap_util.lo snort_imap.lo spp_imap.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_imap_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo sf_base64decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ util_unfold.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_email_attach_decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_imap_preproc_la_OBJECTS = $(am_libsf_imap_preproc_la_OBJECTS) \ + $(nodist_libsf_imap_preproc_la_OBJECTS) +libsf_imap_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_imap_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_imap_preproc_la_SOURCES) \ + $(nodist_libsf_imap_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_imap_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ 
+PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies 
+lib_LTLIBRARIES = libsf_imap_preproc.la +libsf_imap_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_imap_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_imap_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_base64decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/util_unfold.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_email_attach_decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_imap_preproc_la_SOURCES = \ +imap_config.c \ +imap_config.h \ +imap_log.c \ +imap_log.h \ +imap_util.c \ +imap_util.h \ +snort_imap.c \ +snort_imap.h \ +spp_imap.c \ +spp_imap.h + +EXTRA_DIST = \ +sf_imap.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/imap/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/imap/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_imap_preproc.la: $(libsf_imap_preproc_la_OBJECTS) $(libsf_imap_preproc_la_DEPENDENCIES) + $(libsf_imap_preproc_la_LINK) -rpath $(libdir) $(libsf_imap_preproc_la_OBJECTS) $(libsf_imap_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +sf_base64decode.lo: ../include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_base64decode.lo `test -f '../include/sf_base64decode.c' || echo '$(srcdir)/'`../include/sf_base64decode.c + +util_unfold.lo: ../include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o util_unfold.lo `test -f '../include/util_unfold.c' || echo 
'$(srcdir)/'`../include/util_unfold.c + +sf_email_attach_decode.lo: ../include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_email_attach_decode.lo `test -f '../include/sf_email_attach_decode.c' || echo '$(srcdir)/'`../include/sf_email_attach_decode.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) 
$(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/sf_imap.dsp snort-2.9.2/src/dynamic-preprocessors/imap/sf_imap.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/imap/sf_imap.dsp 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/sf_imap.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,252 @@ +# Microsoft Developer Studio Project File - Name="sf_imap" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_imap - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_imap.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_imap.mak" CFG="sf_imap - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_imap - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_imap - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_imap - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_imap - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_imap - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_IMAP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D 
"_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_imap - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_IMAP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 
/win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_imap - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_imap___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_imap___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 
+# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_imap - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_imap___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_imap___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_IMAP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 
/win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# SUBTRACT LINK32 /pdb:none + +!ENDIF + +# Begin Target + +# Name "sf_imap - Win32 Release" +# Name "sf_imap - Win32 Debug" +# Name "sf_imap - Win32 IPv6 Debug" +# Name "sf_imap - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\imap_config.c +# End Source File +# Begin Source File + +SOURCE=.\imap_log.c +# End Source File +# Begin Source File + +SOURCE=.\imap_util.c +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\snort_imap.c +# End Source File +# Begin Source File + +SOURCE=.\spp_imap.c +# End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\imap_config.h +# End Source File +# Begin Source File + +SOURCE=.\imap_log.h +# End Source File +# Begin Source File + 
+SOURCE=.\imap_util.h +# End Source File +# Begin Source File + +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + +SOURCE=.\snort_imap.h +# End Source File +# Begin Source File + +SOURCE=.\spp_imap.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/snort_imap.c snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.c --- snort-2.9.0.1/src/dynamic-preprocessors/imap/snort_imap.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,1730 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ * snort_imap.c
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file handles IMAP protocol checking and normalization.
+ *
+ * Entry point functions:
+ *
+ * SnortIMAP()
+ * IMAP_Init()
+ * IMAP_Free()
+ *
+ **************************************************************************/
+
+
+/* Includes ***************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <pcre.h>
+
+#include "sf_types.h"
+#include "snort_imap.h"
+#include "imap_config.h"
+#include "imap_util.h"
+#include "imap_log.h"
+
+#include "sf_snort_packet.h"
+#include "stream_api.h"
+#include "snort_debug.h"
+#include "profiler.h"
+#include "snort_bounds.h"
+#include "sf_dynamic_preprocessor.h"
+#include "ssl.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+
+#ifdef DEBUG_MSGS
+#include "sf_types.h"
+#endif
+
+/**************************************************************************/
+
+
+/* Externs ****************************************************************/
+
+#ifdef PERF_PROFILING
+extern PreprocStats imapDetectPerfStats;
+extern int imapDetectCalled;
+#endif
+
+extern tSfPolicyUserContextId imap_config;
+extern IMAPConfig *imap_eval_config;
+extern MemPool *imap_mempool;
+
+#ifdef DEBUG_MSGS
+extern char imap_print_buffer[];
+#endif
+
+/**************************************************************************/
+
+
+/* Globals ****************************************************************/
+
+const IMAPToken imap_known_cmds[] =
+{
+ {"APPEND", 6, CMD_APPEND},
+ {"AUTHENTICATE", 12, CMD_AUTHENTICATE},
+ {"CAPABILITY", 10, CMD_CAPABILITY},
+ {"CHECK", 5, CMD_CHECK},
+ {"CLOSE", 5, CMD_CLOSE},
+ {"COMPARATOR", 10, CMD_COMPARATOR},
+ {"COMPRESS", 8, CMD_COMPRESS},
+ {"CONVERSIONS", 11, CMD_CONVERSIONS},
+ {"COPY", 4, CMD_COPY},
+ {"CREATE", 6, CMD_CREATE},
+ {"DELETE", 6, CMD_DELETE},
+ {"DELETEACL", 9, CMD_DELETEACL},
+ {"DONE", 4, CMD_DONE},
+ {"EXAMINE", 7, CMD_EXAMINE},
+ {"EXPUNGE", 7, CMD_EXPUNGE},
+ {"FETCH", 5, CMD_FETCH},
+ {"GETACL", 6, 
CMD_GETACL},
+ {"GETMETADATA", 11, CMD_GETMETADATA},
+ {"GETQUOTA", 8, CMD_GETQUOTA},
+ {"GETQUOTAROOT", 12, CMD_GETQUOTAROOT},
+ {"IDLE", 4, CMD_IDLE},
+ {"LIST", 4, CMD_LIST},
+ {"LISTRIGHTS", 10, CMD_LISTRIGHTS},
+ {"LOGIN", 5, CMD_LOGIN},
+ {"LOGOUT", 6, CMD_LOGOUT},
+ {"LSUB", 4, CMD_LSUB},
+ {"MYRIGHTS", 8, CMD_MYRIGHTS},
+ {"NOOP", 4, CMD_NOOP},
+ {"NOTIFY", 6, CMD_NOTIFY},
+ {"RENAME", 6, CMD_RENAME},
+ {"SEARCH", 6, CMD_SEARCH},
+ {"SELECT", 6, CMD_SELECT},
+ {"SETACL", 6, CMD_SETACL},
+ {"SETMETADATA", 11, CMD_SETMETADATA},
+ {"SETQUOTA", 8, CMD_SETQUOTA},
+ {"SORT", 4, CMD_SORT},
+ {"STARTTLS", 8, CMD_STARTTLS},
+ {"STATUS", 6, CMD_STATUS},
+ {"STORE", 5, CMD_STORE},
+ {"SUBSCRIBE", 9, CMD_SUBSCRIBE},
+ {"THREAD", 6, CMD_THREAD},
+ {"UID", 3, CMD_UID},
+ {"UNSELECT", 8, CMD_UNSELECT},
+ {"UNSUBSCRIBE", 11, CMD_UNSUBSCRIBE},
+ {"X", 1, CMD_X},
+ {NULL, 0, 0}
+};
+
+const IMAPToken imap_resps[] =
+{
+ {"CAPABILITY", 10, RESP_CAPABILITY},
+ {"LIST", 4, RESP_LIST},
+ {"LSUB", 4, RESP_LSUB},
+ {"STATUS", 6, RESP_STATUS},
+ {"SEARCH", 6, RESP_SEARCH},
+ {"FLAGS", 5, RESP_FLAGS},
+ {"EXISTS", 6, RESP_EXISTS},
+ {"RECENT", 6, RESP_RECENT},
+ {"EXPUNGE", 7, RESP_EXPUNGE},
+ {"FETCH", 5, RESP_FETCH},
+ {"BAD", 3, RESP_BAD},
+ {"BYE", 3, RESP_BYE},
+ {"NO", 2, RESP_NO},
+ {"OK", 2, RESP_OK},
+ {"PREAUTH", 7, RESP_PREAUTH},
+ {"ENVELOPE", 8, RESP_ENVELOPE},
+ {"UID", 3, RESP_UID},
+ {NULL, 0, 0}
+};
+
+const IMAPToken imap_hdrs[] =
+{
+ {"Content-type:", 13, HDR_CONTENT_TYPE},
+ {"Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC},
+ {NULL, 0, 0}
+};
+
+const IMAPToken imap_data_end[] =
+{
+ {"\r\n.\r\n", 5, DATA_END_1},
+ {"\n.\r\n", 4, DATA_END_2},
+ {"\r\n.\n", 4, DATA_END_3},
+ {"\n.\n", 3, DATA_END_4},
+ {NULL, 0, 0}
+};
+
+IMAP *imap_ssn = NULL;
+IMAP imap_no_session;
+IMAPPcre mime_boundary_pcre;
+char imap_normalizing;
+IMAPSearchInfo imap_search_info;
+
+#ifdef DEBUG_MSGS
+uint64_t imap_session_counter = 0;
+#endif
+
+#ifdef TARGET_BASED
+int16_t 
imap_proto_id;
+#endif
+
+void *imap_resp_search_mpse = NULL;
+IMAPSearch imap_resp_search[RESP_LAST];
+
+void *imap_hdr_search_mpse = NULL;
+IMAPSearch imap_hdr_search[HDR_LAST];
+
+void *imap_data_search_mpse = NULL;
+IMAPSearch imap_data_end_search[DATA_END_LAST];
+
+IMAPSearch *imap_current_search = NULL;
+
+
+/**************************************************************************/
+
+
+/* Private functions ******************************************************/
+
+static int IMAP_Setup(SFSnortPacket *p, IMAP *ssn);
+static void IMAP_ResetState(void);
+static void IMAP_SessionFree(void *);
+static void IMAP_NoSessionFree(void);
+static int IMAP_GetPacketDirection(SFSnortPacket *, int);
+static void IMAP_ProcessClientPacket(SFSnortPacket *);
+static void IMAP_ProcessServerPacket(SFSnortPacket *);
+static void IMAP_DisableDetect(SFSnortPacket *);
+static const uint8_t * IMAP_HandleCommand(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static const uint8_t * IMAP_HandleData(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static const uint8_t * IMAP_HandleHeader(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static const uint8_t * IMAP_HandleDataBody(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static int IMAP_SearchStrFound(void *, void *, int, void *, void *);
+
+static int IMAP_BoundaryStrFound(void *, void *, int , void *, void *);
+static int IMAP_GetBoundary(const char *, int);
+
+static int IMAP_Inspect(SFSnortPacket *);
+
+/**************************************************************************/
+
+static void SetImapBuffers(IMAP *ssn)
+{
+ if ((ssn != NULL) && (ssn->decode_state == NULL)
+ && (!IMAP_IsDecodingEnabled(imap_eval_config)))
+ {
+ MemBucket *bkt = mempool_alloc(imap_mempool);
+
+ if (bkt != NULL)
+ {
+ ssn->decode_state = (Email_DecodeState *)calloc(1, sizeof(Email_DecodeState));
+ if( ssn->decode_state != NULL )
+ {
+ ssn->decode_bkt = bkt;
+ SetEmailDecodeState(ssn->decode_state, bkt->data, 
imap_eval_config->max_depth,
+ imap_eval_config->b64_depth, imap_eval_config->qp_depth,
+ imap_eval_config->uu_depth, imap_eval_config->bitenc_depth);
+ }
+ else
+ {
+ /*free mempool if calloc fails*/
+ mempool_free(imap_mempool, bkt);
+ }
+ }
+ else
+ {
+ IMAP_GenerateAlert(IMAP_MEMCAP_EXCEEDED, "%s", IMAP_MEMCAP_EXCEEDED_STR);
+ DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "No memory available for decoding. Memcap exceeded \n"););
+ }
+ }
+}
+
+void IMAP_InitCmds(IMAPConfig *config)
+{
+ const IMAPToken *tmp;
+
+ if (config == NULL)
+ return;
+
+ /* add one to CMD_LAST for NULL entry */
+ config->cmds = (IMAPToken *)calloc(CMD_LAST + 1, sizeof(IMAPToken));
+ if (config->cmds == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for imap "
+ "command structure\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ }
+
+ for (tmp = &imap_known_cmds[0]; tmp->name != NULL; tmp++)
+ {
+ config->cmds[tmp->search_id].name_len = tmp->name_len;
+ config->cmds[tmp->search_id].search_id = tmp->search_id;
+ config->cmds[tmp->search_id].name = strdup(tmp->name);
+
+ if (config->cmds[tmp->search_id].name == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for imap "
+ "command structure\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ }
+ }
+
+ /* initialize memory for command searches */
+ config->cmd_search = (IMAPSearch *)calloc(CMD_LAST, sizeof(IMAPSearch));
+ if (config->cmd_search == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for imap "
+ "command structure\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ }
+
+ config->num_cmds = CMD_LAST;
+}
+
+
+/*
+ * Initialize IMAP searches
+ *
+ * @param none
+ *
+ * @return none
+ */
+void IMAP_SearchInit(void)
+{
+ const char *error;
+ int erroffset;
+ const IMAPToken *tmp;
+
+ /* Response search */
+ imap_resp_search_mpse = _dpd.searchAPI->search_instance_new();
+ if (imap_resp_search_mpse == NULL)
+ {
+ 
DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "response search.\n"); + } + + for (tmp = &imap_resps[0]; tmp->name != NULL; tmp++) + { + imap_resp_search[tmp->search_id].name = tmp->name; + imap_resp_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(imap_resp_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(imap_resp_search_mpse); + + /* Header search */ + imap_hdr_search_mpse = _dpd.searchAPI->search_instance_new(); + if (imap_hdr_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "header search.\n"); + } + + for (tmp = &imap_hdrs[0]; tmp->name != NULL; tmp++) + { + imap_hdr_search[tmp->search_id].name = tmp->name; + imap_hdr_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(imap_hdr_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(imap_hdr_search_mpse); + + /* Data end search */ + imap_data_search_mpse = _dpd.searchAPI->search_instance_new(); + if (imap_data_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "data search.\n"); + } + + for (tmp = &imap_data_end[0]; tmp->name != NULL; tmp++) + { + imap_data_end_search[tmp->search_id].name = tmp->name; + imap_data_end_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(imap_data_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(imap_data_search_mpse); + + + /* create regex for finding boundary string - since it can be cut across multiple + * lines, a straight search won't do. Shouldn't be too slow since it will most + * likely only be acting on a small portion of data */ + //"^content-type:\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?" + //"^\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?" 
+ //mime_boundary_pcre.re = pcre_compile("^.*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", + //mime_boundary_pcre.re = pcre_compile("boundary(?:\n|\r\n)?=(?:\n|\r\n)?\"?([^\\s\"]+)\"?", + mime_boundary_pcre.re = pcre_compile("boundary\\s*=\\s*\"?([^\\s\"]+)\"?", + PCRE_CASELESS | PCRE_DOTALL, + &error, &erroffset, NULL); + if (mime_boundary_pcre.re == NULL) + { + DynamicPreprocessorFatalMessage("Failed to compile pcre regex for getting boundary " + "in a multipart IMAP message: %s\n", error); + } + + mime_boundary_pcre.pe = pcre_study(mime_boundary_pcre.re, 0, &error); + + if (error != NULL) + { + DynamicPreprocessorFatalMessage("Failed to study pcre regex for getting boundary " + "in a multipart IMAP message: %s\n", error); + } +} + +/* + * Initialize run-time boundary search + */ +static int IMAP_BoundarySearchInit(void) +{ + if (imap_ssn->mime_boundary.boundary_search != NULL) + _dpd.searchAPI->search_instance_free(imap_ssn->mime_boundary.boundary_search); + + imap_ssn->mime_boundary.boundary_search = _dpd.searchAPI->search_instance_new(); + + if (imap_ssn->mime_boundary.boundary_search == NULL) + return -1; + + _dpd.searchAPI->search_instance_add(imap_ssn->mime_boundary.boundary_search, + imap_ssn->mime_boundary.boundary, + imap_ssn->mime_boundary.boundary_len, BOUNDARY); + + _dpd.searchAPI->search_instance_prep(imap_ssn->mime_boundary.boundary_search); + + return 0; +} + + + +/* + * Reset IMAP session state + * + * @param none + * + * @return none + */ +static void IMAP_ResetState(void) +{ + if (imap_ssn->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(imap_ssn->mime_boundary.boundary_search); + imap_ssn->mime_boundary.boundary_search = NULL; + } + + imap_ssn->state = STATE_UNKNOWN; + imap_ssn->data_state = STATE_DATA_INIT; + imap_ssn->state_flags = 0; + imap_ssn->body_read = imap_ssn->body_len = 0; + ClearEmailDecodeState(imap_ssn->decode_state); + memset(&imap_ssn->mime_boundary, 0, sizeof(IMAPMimeBoundary)); +} + + +/* + * Given a 
server configuration and a port number, we decide if the port is + * in the IMAP server port list. + * + * @param port the port number to compare with the configuration + * + * @return integer + * @retval 0 means that the port is not a server port + * @retval !0 means that the port is a server port + */ +int IMAP_IsServer(uint16_t port) +{ + if (imap_eval_config->ports[port / 8] & (1 << (port % 8))) + return 1; + + return 0; +} + +static IMAP * IMAP_GetNewSession(SFSnortPacket *p, tSfPolicyId policy_id) +{ + IMAP *ssn; + IMAPConfig *pPolicyConfig = NULL; + + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_config); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Creating new session data structure\n");); + + ssn = (IMAP *)calloc(1, sizeof(IMAP)); + if (ssn == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate IMAP session data\n"); + } + + imap_ssn = ssn; + SetImapBuffers(ssn); + + _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_IMAP, + ssn, &IMAP_SessionFree); + + if (p->flags & SSNFLAG_MIDSTREAM) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Got midstream packet - " + "setting state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + +#ifdef DEBUG_MSGS + imap_session_counter++; + ssn->session_number = imap_session_counter; +#endif + + if (p->stream_session_ptr != NULL) + { + /* check to see if we're doing client reassembly in stream */ + if (_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr) & SSN_DIR_CLIENT) + ssn->reassembling = 1; + + if(!ssn->reassembling) + { + _dpd.streamAPI->set_reassembly(p->stream_session_ptr, + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_CLIENT, STREAM_FLPOLICY_SET_ABSOLUTE); + ssn->reassembling = 1; + } + } + + ssn->body_read = ssn->body_len = 0; + + ssn->policy_id = policy_id; + ssn->config = imap_config; + pPolicyConfig->ref_count++; + + return ssn; +} + + +/* + * Do first-packet setup + * + * @param p standard Packet structure + * + * @return none + */ +static int IMAP_Setup(SFSnortPacket *p, 
IMAP *ssn) +{ + int flags = 0; + int pkt_dir; + + if (p->stream_session_ptr != NULL) + { + /* set flags to session flags */ + flags = _dpd.streamAPI->get_session_flags(p->stream_session_ptr); + } + + /* Figure out direction of packet */ + pkt_dir = IMAP_GetPacketDirection(p, flags); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Session number: "STDu64"\n", ssn->session_number);); + + /* Check to see if there is a reassembly gap. If so, we won't know + * what state we're in when we get the _next_ reassembled packet */ + if ((pkt_dir != IMAP_PKT_FROM_SERVER) && + (p->flags & FLAG_REBUILT_STREAM)) + { + int missing_in_rebuilt = + _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_CLIENT); + + if (ssn->session_flags & IMAP_FLAG_NEXT_STATE_UNKNOWN) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found gap in previous reassembly buffer - " + "set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags &= ~IMAP_FLAG_NEXT_STATE_UNKNOWN; + } + + if (missing_in_rebuilt == SSN_MISSING_BOTH) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found missing packets before and after " + "in reassembly buffer - set state to unknown and " + "next state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags |= IMAP_FLAG_NEXT_STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_BEFORE) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found missing packets before " + "in reassembly buffer - set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_AFTER) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Found missing packets after " + "in reassembly buffer - set next state to unknown\n");); + ssn->session_flags |= IMAP_FLAG_NEXT_STATE_UNKNOWN; + } + } + + return pkt_dir; +} + +/* + * Determine packet direction + * + * @param p standard Packet structure + * + * @return none + */ +static int IMAP_GetPacketDirection(SFSnortPacket *p, int flags) +{ + int pkt_direction = IMAP_PKT_FROM_UNKNOWN; + + if (flags & 
SSNFLAG_MIDSTREAM) + { + if (IMAP_IsServer(p->src_port) && + !IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_SERVER; + } + else if (!IMAP_IsServer(p->src_port) && + IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_CLIENT; + } + } + else + { + if (p->flags & FLAG_FROM_SERVER) + { + pkt_direction = IMAP_PKT_FROM_SERVER; + } + else if (p->flags & FLAG_FROM_CLIENT) + { + pkt_direction = IMAP_PKT_FROM_CLIENT; + } + + /* if direction is still unknown ... */ + if (pkt_direction == IMAP_PKT_FROM_UNKNOWN) + { + if (IMAP_IsServer(p->src_port) && + !IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_SERVER; + } + else if (!IMAP_IsServer(p->src_port) && + IMAP_IsServer(p->dst_port)) + { + pkt_direction = IMAP_PKT_FROM_CLIENT; + } + } + } + + return pkt_direction; +} + + +/* + * Free IMAP-specific related to this session + * + * @param v pointer to IMAP session structure + * + * + * @return none + */ +static void IMAP_SessionFree(void *session_data) +{ + IMAP *imap = (IMAP *)session_data; +#ifdef SNORT_RELOAD + IMAPConfig *pPolicyConfig = NULL; +#endif + + if (imap == NULL) + return; + +#ifdef SNORT_RELOAD + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGet(imap->config, imap->policy_id); + + if (pPolicyConfig != NULL) + { + pPolicyConfig->ref_count--; + if ((pPolicyConfig->ref_count == 0) && + (imap->config != imap_config)) + { + sfPolicyUserDataClear (imap->config, imap->policy_id); + IMAP_FreeConfig(pPolicyConfig); + + /* No more outstanding policies for this config */ + if (sfPolicyUserPolicyGetActive(imap->config) == 0) + IMAP_FreeConfigs(imap->config); + } + } +#endif + + if (imap->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(imap->mime_boundary.boundary_search); + imap->mime_boundary.boundary_search = NULL; + } + + if(imap->decode_state != NULL) + { + mempool_free(imap_mempool, imap->decode_bkt); + free(imap->decode_state); + } + + free(imap); +} + + +static void IMAP_NoSessionFree(void) +{ 
+ if (imap_no_session.mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(imap_no_session.mime_boundary.boundary_search); + imap_no_session.mime_boundary.boundary_search = NULL; + } +} + +static int IMAP_FreeConfigsPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + IMAPConfig *pPolicyConfig = (IMAPConfig *)pData; + + //do any housekeeping before freeing IMAPConfig + sfPolicyUserDataClear (config, policyId); + IMAP_FreeConfig(pPolicyConfig); + + return 0; +} + +void IMAP_FreeConfigs(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, IMAP_FreeConfigsPolicy); + sfPolicyConfigDelete(config); +} + +void IMAP_FreeConfig(IMAPConfig *config) +{ + if (config == NULL) + return; + + if (config->cmds != NULL) + { + IMAPToken *tmp = config->cmds; + + for (; tmp->name != NULL; tmp++) + free(tmp->name); + + free(config->cmds); + } + + if (config->cmd_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(config->cmd_search_mpse); + + if (config->cmd_search != NULL) + free(config->cmd_search); + + free(config); +} + + +/* + * Free anything that needs it before shutting down preprocessor + * + * @param none + * + * @return none + */ +void IMAP_Free(void) +{ + IMAP_NoSessionFree(); + + IMAP_FreeConfigs(imap_config); + imap_config = NULL; + + if (imap_resp_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(imap_resp_search_mpse); + + if (imap_hdr_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(imap_hdr_search_mpse); + + if (imap_data_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(imap_data_search_mpse); + + if (mime_boundary_pcre.re ) + pcre_free(mime_boundary_pcre.re); + + if (mime_boundary_pcre.pe ) + pcre_free(mime_boundary_pcre.pe); +} + + +/* + * Callback function for string search + * + * @param id id in array of search strings from imap_config.cmds + * @param index index in array of search strings from imap_config.cmds + 
* @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int IMAP_SearchStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int search_id = (int)(uintptr_t)id; + + imap_search_info.id = search_id; + imap_search_info.index = index; + imap_search_info.length = imap_current_search[search_id].name_len; + + /* Returning non-zero stops search, which is okay since we only look for one at a time */ + return 1; +} + +/* + * Callback function for boundary search + * + * @param id id in array of search strings + * @param index index in array of search strings + * @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int IMAP_BoundaryStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int boundary_id = (int)(uintptr_t)id; + + imap_search_info.id = boundary_id; + imap_search_info.index = index; + imap_search_info.length = imap_ssn->mime_boundary.boundary_len; + + return 1; +} + +static int IMAP_GetBoundary(const char *data, int data_len) +{ + int result; + int ovector[9]; + int ovecsize = 9; + const char *boundary; + int boundary_len; + int ret; + char *mime_boundary; + int *mime_boundary_len; + + + mime_boundary = &imap_ssn->mime_boundary.boundary[0]; + mime_boundary_len = &imap_ssn->mime_boundary.boundary_len; + + /* result will be the number of matches (including submatches) */ + result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, + data, data_len, 0, 0, ovector, ovecsize); + if (result < 0) + return -1; + + result = pcre_get_substring(data, ovector, result, 1, &boundary); + if (result < 0) + return -1; + + boundary_len = strlen(boundary); + if (boundary_len > MAX_BOUNDARY_LEN) + { + /* XXX should we alert? 
breaking the law of RFC */ + boundary_len = MAX_BOUNDARY_LEN; + } + + mime_boundary[0] = '-'; + mime_boundary[1] = '-'; + ret = SafeMemcpy(mime_boundary + 2, boundary, boundary_len, + mime_boundary + 2, mime_boundary + 2 + MAX_BOUNDARY_LEN); + + pcre_free_substring(boundary); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *mime_boundary_len = 2 + boundary_len; + mime_boundary[*mime_boundary_len] = '\0'; + + return 0; +} + + +/* + * Handle COMMAND state + * + * @param p standard Packet structure + * @param ptr pointer into p->payload buffer to start looking at data + * @param end points to end of p->payload buffer + * + * @return pointer into p->payload where we stopped looking at data + * will be end of line or end of packet + */ +static const uint8_t * IMAP_HandleCommand(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *eol; /* end of line */ + const uint8_t *eolm; /* end of line marker */ + int cmd_line_len; + int cmd_found; + + /* get end of line and end of line marker */ + IMAP_GetEOL(ptr, end, &eol, &eolm); + + /* calculate length of command line */ + cmd_line_len = eol - ptr; + + /* TODO If the end of line marker coincides with the end of payload we can't be + * sure that we got a command and not a substring which we could tell through + * inspection of the next packet. 
Maybe a command pending state where the first + * char in the next packet is checked for a space and end of line marker */ + + /* do not confine since there could be space chars before command */ + imap_current_search = &imap_eval_config->cmd_search[0]; + cmd_found = _dpd.searchAPI->search_instance_find + (imap_eval_config->cmd_search_mpse, (const char *)ptr, + eolm - ptr, 0, IMAP_SearchStrFound); + + /* if command not found, alert and move on */ + if (!cmd_found) + { + IMAP_GenerateAlert(IMAP_UNKNOWN_CMD, "%s", IMAP_UNKNOWN_CMD_STR); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "No known command found\n");); + + return eol; + } + + /* At this point we have definitely found a legitimate command */ + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "%s\n", imap_eval_config->cmds[imap_search_info.id].name);); + + return eol; +} + + +static const uint8_t * IMAP_HandleData(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *data_end_marker = NULL; + const uint8_t *data_end = NULL; + int data_end_found; + + /* if we've just entered the data state, check for a dot + end of line + * if found, no data */ + if ((imap_ssn->data_state == STATE_DATA_INIT) || + (imap_ssn->data_state == STATE_DATA_UNKNOWN)) + { + if ((ptr < end) && (*ptr == '.')) + { + const uint8_t *eol = NULL; + const uint8_t *eolm = NULL; + + IMAP_GetEOL(ptr, end, &eol, &eolm); + + /* this means we got a real end of line and not just end of payload + * and that the dot is only char on line */ + if ((eolm != end) && (eolm == (ptr + 1))) + { + /* if we're normalizing and not ignoring data copy data end marker + * and dot to alt buffer */ + + IMAP_ResetState(); + + return eol; + } + } + + if (imap_ssn->data_state == STATE_DATA_INIT) + imap_ssn->data_state = STATE_DATA_HEADER; + + /* XXX A line starting with a '.' that isn't followed by a '.' is + * deleted (RFC 821 - 4.5.2. TRANSPARENCY). If data starts with + * '. 
text', i.e a dot followed by white space then text, some + * servers consider it data header and some data body. + * Postfix and Qmail will consider the start of data: + * . text\r\n + * . text\r\n + * to be part of the header and the effect will be that of a + * folded line with the '.' deleted. Exchange will put the same + * in the body which seems more reasonable. */ + } + + /* get end of data body + * TODO check last bytes of previous packet to see if we had a partial + * end of data */ + imap_current_search = &imap_data_end_search[0]; + data_end_found = _dpd.searchAPI->search_instance_find + (imap_data_search_mpse, (const char *)ptr, end - ptr, + 0, IMAP_SearchStrFound); + + if (data_end_found > 0) + { + data_end_marker = ptr + imap_search_info.index; + data_end = data_end_marker + imap_search_info.length; + } + else + { + data_end_marker = data_end = end; + } + + _dpd.setFileDataPtr((uint8_t*)ptr, (uint16_t)(data_end - ptr)); + + if ((imap_ssn->data_state == STATE_DATA_HEADER) || + (imap_ssn->data_state == STATE_DATA_UNKNOWN)) + { +#ifdef DEBUG_MSGS + if (imap_ssn->data_state == STATE_DATA_HEADER) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA UNKNOWN STATE ~~~~~~~~~~~~~~~~~~~~~\n");); + } +#endif + + ptr = IMAP_HandleHeader(p, ptr, data_end_marker); + if (ptr == NULL) + return NULL; + + } + + /* now we shouldn't have to worry about copying any data to the alt buffer + * only mime headers if we find them and only if we're ignoring data */ + + while ((ptr != NULL) && (ptr < data_end_marker)) + { + /* multiple MIME attachments in one single packet. 
+ * Pipeline the MIME decoded data.*/ + if ( imap_ssn->state_flags & IMAP_FLAG_MULTIPLE_EMAIL_ATTACH) + { + _dpd.setFileDataPtr(imap_ssn->decode_state->decodePtr, (uint16_t)imap_ssn->decode_state->decoded_bytes); + _dpd.detect(p); + imap_ssn->state_flags &= ~IMAP_FLAG_MULTIPLE_EMAIL_ATTACH; + ResetEmailDecodeState(imap_ssn->decode_state); + p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; + /* Reset the log count when a packet goes through detection multiple times */ + p->xtradata_mask = 0; + p->per_packet_xtradata = 0; + _dpd.DetectReset((uint8_t *)p->payload, p->payload_size); + } + switch (imap_ssn->data_state) + { + case STATE_MIME_HEADER: + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "MIME HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = IMAP_HandleHeader(p, ptr, data_end_marker); + break; + case STATE_DATA_BODY: + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA BODY STATE ~~~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = IMAP_HandleDataBody(p, ptr, data_end_marker); + break; + } + } + + /* We have either reached the end of MIME header or end of MIME encoded data*/ + + if(imap_ssn->decode_state != NULL) + { + _dpd.setFileDataPtr(imap_ssn->decode_state->decodePtr, (uint16_t)imap_ssn->decode_state->decoded_bytes); + ResetDecodedBytes(imap_ssn->decode_state); + } + + /* if we got the data end reset state, otherwise we're probably still in the data + * to expect more data in next packet */ + if (data_end_marker != end) + { + IMAP_ResetState(); + } + + return data_end; +} + + +/* + * Handle Headers - Data or Mime + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload where we stopped looking at data + */ +static const uint8_t * IMAP_HandleHeader(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *colon; + const uint8_t *content_type_ptr = NULL; + const uint8_t *cont_trans_enc = NULL; + int header_found; + int 
ret; + const uint8_t *start_hdr; + + start_hdr = ptr; + + /* if we got a content-type in a previous packet and are + * folding, the boundary still needs to be checked for */ + if (imap_ssn->state_flags & IMAP_FLAG_IN_CONTENT_TYPE) + content_type_ptr = ptr; + + if (imap_ssn->state_flags & IMAP_FLAG_IN_CONT_TRANS_ENC) + cont_trans_enc = ptr; + + while (ptr < data_end_marker) + { + IMAP_GetEOL(ptr, data_end_marker, &eol, &eolm); + + /* got a line with only end of line marker should signify end of header */ + if (eolm == ptr) + { + /* reset global header state values */ + imap_ssn->state_flags &= + ~(IMAP_FLAG_FOLDING | IMAP_FLAG_IN_CONTENT_TYPE | IMAP_FLAG_DATA_HEADER_CONT + | IMAP_FLAG_IN_CONT_TRANS_ENC ); + + imap_ssn->data_state = STATE_DATA_BODY; + + /* if no headers, treat as data */ + if (ptr == start_hdr) + return eolm; + else + return eol; + } + + /* if we're not folding, see if we should interpret line as a data line + * instead of a header line */ + if (!(imap_ssn->state_flags & (IMAP_FLAG_FOLDING | IMAP_FLAG_DATA_HEADER_CONT))) + { + char got_non_printable_in_header_name = 0; + + /* if we're not folding and the first char is a space or + * colon, it's not a header */ + if (isspace((int)*ptr) || *ptr == ':') + { + imap_ssn->data_state = STATE_DATA_BODY; + return ptr; + } + + /* look for header field colon - if we're not folding then we need + * to find a header which will be all printables (except colon) + * followed by a colon */ + colon = ptr; + while ((colon < eolm) && (*colon != ':')) + { + if (((int)*colon < 33) || ((int)*colon > 126)) + got_non_printable_in_header_name = 1; + + colon++; + } + + /* If the end on line marker and end of line are the same, assume + * header was truncated, so stay in data header state */ + if ((eolm != eol) && + ((colon == eolm) || got_non_printable_in_header_name)) + { + /* no colon or got spaces in header name (won't be interpreted as a header) + * assume we're in the body */ + imap_ssn->state_flags &= + 
~(IMAP_FLAG_FOLDING | IMAP_FLAG_IN_CONTENT_TYPE | IMAP_FLAG_DATA_HEADER_CONT + |IMAP_FLAG_IN_CONT_TRANS_ENC); + + imap_ssn->data_state = STATE_DATA_BODY; + + return ptr; + } + + if(tolower((int)*ptr) == 'c') + { + imap_current_search = &imap_hdr_search[0]; + header_found = _dpd.searchAPI->search_instance_find + (imap_hdr_search_mpse, (const char *)ptr, + eolm - ptr, 1, IMAP_SearchStrFound); + + /* Headers must start at beginning of line */ + if ((header_found > 0) && (imap_search_info.index == 0)) + { + switch (imap_search_info.id) + { + case HDR_CONTENT_TYPE: + /* for now we're just looking for the boundary in the data + * header section */ + if (imap_ssn->data_state != STATE_MIME_HEADER) + { + content_type_ptr = ptr + imap_search_info.length; + imap_ssn->state_flags |= IMAP_FLAG_IN_CONTENT_TYPE; + } + + break; + case HDR_CONT_TRANS_ENC: + cont_trans_enc = ptr + imap_search_info.length; + imap_ssn->state_flags |= IMAP_FLAG_IN_CONT_TRANS_ENC; + break; + + default: + break; + } + } + } + else if(tolower((int)*ptr) == 'e') + { + if((eolm - ptr) >= 9) + { + if(strncasecmp((const char *)ptr, "Encoding:", 9) == 0) + { + cont_trans_enc = ptr + 9; + imap_ssn->state_flags |= IMAP_FLAG_IN_CONT_TRANS_ENC; + } + } + } + } + else + { + imap_ssn->state_flags &= ~IMAP_FLAG_DATA_HEADER_CONT; + } + + + /* check for folding + * if char on next line is a space and not \n or \r\n, we are folding */ + if ((eol < data_end_marker) && isspace((int)eol[0]) && (eol[0] != '\n')) + { + if ((eol < (data_end_marker - 1)) && (eol[0] != '\r') && (eol[1] != '\n')) + { + imap_ssn->state_flags |= IMAP_FLAG_FOLDING; + } + else + { + imap_ssn->state_flags &= ~IMAP_FLAG_FOLDING; + } + } + else if (eol != eolm) + { + imap_ssn->state_flags &= ~IMAP_FLAG_FOLDING; + } + + /* check if we're in a content-type header and not folding. 
if so we have the whole + * header line/lines for content-type - see if we got a multipart with boundary + * we don't check each folded line, but wait until we have the complete header + * because boundary=BOUNDARY can be split across mulitple folded lines before + * or after the '=' */ + if ((imap_ssn->state_flags & + (IMAP_FLAG_IN_CONTENT_TYPE | IMAP_FLAG_FOLDING)) == IMAP_FLAG_IN_CONTENT_TYPE) + { + /* we got the full content-type header - look for boundary string */ + ret = IMAP_GetBoundary((const char *)content_type_ptr, eolm - content_type_ptr); + if (ret != -1) + { + ret = IMAP_BoundarySearchInit(); + if (ret != -1) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Got mime boundary: %s\n", + imap_ssn->mime_boundary.boundary);); + + imap_ssn->state_flags |= IMAP_FLAG_GOT_BOUNDARY; + } + } + + imap_ssn->state_flags &= ~IMAP_FLAG_IN_CONTENT_TYPE; + content_type_ptr = NULL; + } + else if ((imap_ssn->state_flags & + (IMAP_FLAG_IN_CONT_TRANS_ENC | IMAP_FLAG_FOLDING)) == IMAP_FLAG_IN_CONT_TRANS_ENC) + { + /* Check for Encoding Type */ + if( (!IMAP_IsDecodingEnabled(imap_eval_config)) && (imap_ssn->decode_state != NULL)) + { + IMAP_DecodeType((const char *)cont_trans_enc, eolm - cont_trans_enc ); + imap_ssn->state_flags |= IMAP_FLAG_EMAIL_ATTACH; + /* check to see if there are other attachments in this packet */ + if( imap_ssn->decode_state->decoded_bytes ) + imap_ssn->state_flags |= IMAP_FLAG_MULTIPLE_EMAIL_ATTACH; + } + imap_ssn->state_flags &= ~IMAP_FLAG_IN_CONT_TRANS_ENC; + + cont_trans_enc = NULL; + } + + /* if state was unknown, at this point assume we know */ + if (imap_ssn->data_state == STATE_DATA_UNKNOWN) + imap_ssn->data_state = STATE_DATA_HEADER; + + ptr = eol; + + if (ptr == data_end_marker) + imap_ssn->state_flags |= IMAP_FLAG_DATA_HEADER_CONT; + } + + return ptr; +} + + +/* + * Handle DATA_BODY state + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload 
where we stopped looking at data + */ +static const uint8_t * IMAP_HandleDataBody(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + int boundary_found = 0; + const uint8_t *boundary_ptr = NULL; + const uint8_t *attach_start = NULL; + const uint8_t *attach_end = NULL; + + if ( imap_ssn->state_flags & IMAP_FLAG_EMAIL_ATTACH ) + attach_start = ptr; + /* look for boundary */ + if (imap_ssn->state_flags & IMAP_FLAG_GOT_BOUNDARY) + { + boundary_found = _dpd.searchAPI->search_instance_find + (imap_ssn->mime_boundary.boundary_search, (const char *)ptr, + data_end_marker - ptr, 0, IMAP_BoundaryStrFound); + + if (boundary_found > 0) + { + boundary_ptr = ptr + imap_search_info.index; + + /* should start at beginning of line */ + if ((boundary_ptr == ptr) || (*(boundary_ptr - 1) == '\n')) + { + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *tmp; + + if (imap_ssn->state_flags & IMAP_FLAG_EMAIL_ATTACH ) + { + attach_end = boundary_ptr-1; + imap_ssn->state_flags &= ~IMAP_FLAG_EMAIL_ATTACH; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, imap_ssn->decode_state) != DECODE_SUCCESS ) + { + IMAP_DecodeAlert(); + } + } + } + + + /* Check for end boundary */ + tmp = boundary_ptr + imap_search_info.length; + if (((tmp + 1) < data_end_marker) && (tmp[0] == '-') && (tmp[1] == '-')) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Mime boundary end found: %s--\n", + (char *)imap_ssn->mime_boundary.boundary);); + + /* no more MIME */ + imap_ssn->state_flags &= ~IMAP_FLAG_GOT_BOUNDARY; + + /* free boundary search */ + _dpd.searchAPI->search_instance_free(imap_ssn->mime_boundary.boundary_search); + imap_ssn->mime_boundary.boundary_search = NULL; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Mime boundary found: %s\n", + (char *)imap_ssn->mime_boundary.boundary);); + + imap_ssn->data_state = STATE_MIME_HEADER; + } + + /* get end of line - there could be spaces after boundary before eol */ + IMAP_GetEOL(boundary_ptr + 
imap_search_info.length, data_end_marker, &eol, &eolm); + + return eol; + } + } + } + + if ( imap_ssn->state_flags & IMAP_FLAG_EMAIL_ATTACH ) + { + attach_end = data_end_marker; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, imap_ssn->decode_state) != DECODE_SUCCESS ) + { + IMAP_DecodeAlert(); + } + } + } + + return data_end_marker; +} + + +/* + * Process client packet + * + * @param packet standard Packet structure + * + * @return none + */ +static void IMAP_ProcessClientPacket(SFSnortPacket *p) +{ + const uint8_t *ptr = p->payload; + const uint8_t *end = p->payload + p->payload_size; + + ptr = IMAP_HandleCommand(p, ptr, end); + + +} + + + +/* + * Process server packet + * + * @param packet standard Packet structure + * + */ +static void IMAP_ProcessServerPacket(SFSnortPacket *p) +{ + int resp_found; + const uint8_t *ptr; + const uint8_t *end; + const uint8_t *data_end; + const uint8_t *eolm; + const uint8_t *eol; + int resp_line_len; + const char *tmp = NULL; + uint8_t *body_start, *body_end; + char *eptr; + uint32_t len = 0; + + body_start = body_end = NULL; + + ptr = p->payload; + end = p->payload + p->payload_size; + + while (ptr < end) + { + if(imap_ssn->state == STATE_DATA) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");); + if( imap_ssn->body_len > imap_ssn->body_read) + { + + len = imap_ssn->body_len - imap_ssn->body_read ; + if( (uint32_t)(end - ptr) < len ) + { + data_end = end; + len = data_end - ptr; + } + else + data_end = ptr + len; + + ptr = IMAP_HandleData(p, ptr, data_end); + + if( ptr < data_end) + len = len - (data_end - ptr); + + imap_ssn->body_read += len; + + continue; + } + else + { + imap_ssn->body_len = imap_ssn->body_read = 0; + IMAP_ResetState(); + } + } + IMAP_GetEOL(ptr, end, &eol, &eolm); + + resp_line_len = eol - ptr; + + /* Check for response code */ + imap_current_search = &imap_resp_search[0]; + resp_found = _dpd.searchAPI->search_instance_find + 
(imap_resp_search_mpse, (const char *)ptr, + resp_line_len, 0, IMAP_SearchStrFound); + + if (resp_found > 0) + { + const uint8_t *cmd_start = ptr + imap_search_info.index; + switch (imap_search_info.id) + { + case RESP_FETCH: + imap_ssn->body_len = imap_ssn->body_read = 0; + imap_ssn->state = STATE_DATA; + tmp = _dpd.SnortStrcasestr((const char *)cmd_start, (eol - cmd_start), "BODY"); + if(tmp != NULL) + imap_ssn->state = STATE_DATA; + else + { + tmp = _dpd.SnortStrcasestr((const char *)cmd_start, (eol - cmd_start), "RFC822"); + if(tmp != NULL) + imap_ssn->state = STATE_DATA; + else + imap_ssn->state = STATE_UNKNOWN; + } + break; + default: + break; + } + + if(imap_ssn->state == STATE_DATA) + { + body_start = (uint8_t *)memchr((char *)ptr, '{', (eol - ptr)); + if( body_start == NULL ) + { + imap_ssn->state = STATE_UNKNOWN; + } + else + { + if( (body_start + 1) < (uint8_t *)eol ) + { + len = (uint32_t)_dpd.SnortStrtoul((const char *)(body_start + 1), &eptr, 10); + if (*eptr != '}') + { + imap_ssn->state = STATE_UNKNOWN; + } + else + imap_ssn->body_len = len; + + len = 0; + } + else + imap_ssn->state = STATE_UNKNOWN; + + } + } + + } + else + { + if ( (*ptr != '*') && (*ptr !='+') && (*ptr != '\r') && (*ptr != '\n') ) + { + IMAP_GenerateAlert(IMAP_UNKNOWN_RESP, "%s", IMAP_UNKNOWN_RESP_STR); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Server response not found\n");); + } + + } + + + ptr = eol; + + } + + return; +} + +/* For Target based + * If a protocol for the session is already identified and not one IMAP is + * interested in, IMAP should leave it alone and return without processing. + * If a protocol for the session is already identified and is one that IMAP is + * interested in, decode it. + * If the protocol for the session is not already identified and the preprocessor + * is configured to detect on one of the packet ports, detect. 
+ * Returns 0 if we should not inspect + * 1 if we should continue to inspect + */ +static int IMAP_Inspect(SFSnortPacket *p) +{ +#ifdef TARGET_BASED + /* IMAP could be configured to be stateless. If stream isn't configured, assume app id + * will never be set and just base inspection on configuration */ + if (p->stream_session_ptr == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: No stream session.\n");); + + if ((IMAP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (IMAP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: Configured for this " + "traffic, so let's inspect.\n");); + return 1; + } + } + else + { + int16_t app_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr); + + if (app_id != 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: App id: %u.\n", app_id);); + + if (app_id == imap_proto_id) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: App id is " + "set to \"%s\".\n", IMAP_PROTO_REF_STR);); + return 1; + } + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: Unknown protocol for " + "this session. 
See if we're configured.\n");); + + if ((IMAP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (IMAP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP: Target-based: IMAP port is configured.");); + return 1; + } + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP,"IMAP: Target-based: Not inspecting ...\n");); + +#else + /* Make sure it's traffic we're interested in */ + if ((IMAP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (IMAP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + return 1; + +#endif /* TARGET_BASED */ + + return 0; +} + +/* + * Entry point to snort preprocessor for each packet + * + * @param packet standard Packet structure + * + * @return none + */ +void SnortIMAP(SFSnortPacket *p) +{ + int detected = 0; + int pkt_dir; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + + PROFILE_VARS; + + + imap_ssn = (IMAP *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_IMAP); + if (imap_ssn != NULL) + imap_eval_config = (IMAPConfig *)sfPolicyUserDataGet(imap_ssn->config, imap_ssn->policy_id); + else + imap_eval_config = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_config); + + if (imap_eval_config == NULL) + return; + + if (imap_ssn == NULL) + { + if (!IMAP_Inspect(p)) + return; + + imap_ssn = IMAP_GetNewSession(p, policy_id); + if (imap_ssn == NULL) + return; + } + + pkt_dir = IMAP_Setup(p, imap_ssn); + + if (pkt_dir == IMAP_PKT_FROM_CLIENT) + { + IMAP_ProcessClientPacket(p); + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP client packet\n");); + } + else + { +#ifdef DEBUG_MSGS + if (pkt_dir == IMAP_PKT_FROM_SERVER) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP server packet\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP packet NOT from client or server! 
" + "Processing as a server packet\n");); + } +#endif + + if (p->flags & FLAG_STREAM_INSERT) + { + /* Packet will be rebuilt, so wait for it */ + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Client packet will be reassembled\n")); + return; + } + else if (imap_ssn->reassembling && !(p->flags & FLAG_REBUILT_STREAM)) + { + /* If this isn't a reassembled packet and didn't get + * inserted into reassembly buffer, there could be a + * problem. If we miss syn or syn-ack that had window + * scaling this packet might not have gotten inserted + * into reassembly buffer because it fell outside of + * window, because we aren't scaling it */ + imap_ssn->session_flags |= IMAP_FLAG_GOT_NON_REBUILT; + imap_ssn->state = STATE_UNKNOWN; + } + else if (imap_ssn->reassembling && (imap_ssn->session_flags & IMAP_FLAG_GOT_NON_REBUILT)) + { + /* This is a rebuilt packet. If we got previous packets + * that were not rebuilt, state is going to be messed up + * so set state to unknown. It's likely this was the + * beginning of the conversation so reset state */ + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "Got non-rebuilt packets before " + "this rebuilt packet\n");); + + imap_ssn->state = STATE_UNKNOWN; + imap_ssn->session_flags &= ~IMAP_FLAG_GOT_NON_REBUILT; + } + /* Process as a server packet */ + IMAP_ProcessServerPacket(p); + } + + + PREPROC_PROFILE_START(imapDetectPerfStats); + + detected = _dpd.detect(p); + +#ifdef PERF_PROFILING + imapDetectCalled = 1; +#endif + + PREPROC_PROFILE_END(imapDetectPerfStats); + + /* Turn off detection since we've already done it. 
*/ + IMAP_DisableDetect(p); + + if (detected) + { + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP vulnerability detected\n");); + } +} + +static void IMAP_DisableDetect(SFSnortPacket *p) +{ + _dpd.disableAllDetect(p); + + _dpd.setPreprocBit(p, PP_SFPORTSCAN); + _dpd.setPreprocBit(p, PP_PERFMONITOR); + _dpd.setPreprocBit(p, PP_STREAM5); + _dpd.setPreprocBit(p, PP_SDF); +} + + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/snort_imap.h snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.h --- snort-2.9.0.1/src/dynamic-preprocessors/imap/snort_imap.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/snort_imap.h 2011-06-07 17:33:14.000000000 -0700 
@@ -0,0 +1,265 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * **************************************************************************/ + +/************************************************************************** + * + * snort_imap.h + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * This file defines everything specific to the IMAP preprocessor. 
+ * + **************************************************************************/ + +#ifndef __IMAP_H__ +#define __IMAP_H__ + + +/* Includes ***************************************************************/ + +#include <pcre.h> + +#include "sf_snort_packet.h" +#include "imap_config.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "mempool.h" +#include "sf_email_attach_decode.h" + +#ifdef DEBUG +#include "sf_types.h" +#endif + +/**************************************************************************/ + + +/* Defines ****************************************************************/ + +/* Direction packet is coming from, if we can figure it out */ +#define IMAP_PKT_FROM_UNKNOWN 0 +#define IMAP_PKT_FROM_CLIENT 1 +#define IMAP_PKT_FROM_SERVER 2 + +#define SEARCH_CMD 0 +#define SEARCH_RESP 1 +#define SEARCH_HDR 2 +#define SEARCH_DATA_END 3 +#define NUM_SEARCHES 4 + +#define BOUNDARY 0 + +#define MAX_BOUNDARY_LEN 70 /* Max length of boundary string, defined in RFC 2046 */ + +#define STATE_DATA 0 /* Data state */ +#define STATE_UNKNOWN 1 + +#define STATE_DATA_INIT 0 +#define STATE_DATA_HEADER 1 /* Data header section of data state */ +#define STATE_DATA_BODY 2 /* Data body section of data state */ +#define STATE_MIME_HEADER 3 /* MIME header section within data section */ +#define STATE_DATA_UNKNOWN 4 + +/* state flags */ +#define IMAP_FLAG_FOLDING 0x00000001 +#define IMAP_FLAG_IN_CONTENT_TYPE 0x00000002 +#define IMAP_FLAG_GOT_BOUNDARY 0x00000004 +#define IMAP_FLAG_DATA_HEADER_CONT 0x00000008 +#define IMAP_FLAG_IN_CONT_TRANS_ENC 0x00000010 +#define IMAP_FLAG_EMAIL_ATTACH 0x00000020 +#define IMAP_FLAG_MULTIPLE_EMAIL_ATTACH 0x00000040 + +/* session flags */ +#define IMAP_FLAG_NEXT_STATE_UNKNOWN 0x00000004 +#define IMAP_FLAG_GOT_NON_REBUILT 0x00000008 + +#define IMAP_SSL_ERROR_FLAGS (SSL_BOGUS_HS_DIR_FLAG | \ + SSL_BAD_VER_FLAG | \ + SSL_BAD_TYPE_FLAG | \ + SSL_UNKNOWN_FLAG) + +/* Maximum length of header chars before colon, based on Exim 4.32 exploit */ 
+#define MAX_HEADER_NAME_LEN 64 + +#define IMAP_PROTO_REF_STR "imap" + +/**************************************************************************/ + + +/* Data structures ********************************************************/ + +typedef enum _IMAPCmdEnum +{ + CMD_APPEND = 0, + CMD_AUTHENTICATE, + CMD_CAPABILITY, + CMD_CHECK, + CMD_CLOSE, + CMD_COMPARATOR, + CMD_COMPRESS, + CMD_CONVERSIONS, + CMD_COPY, + CMD_CREATE, + CMD_DELETE, + CMD_DELETEACL, + CMD_DONE, + CMD_EXAMINE, + CMD_EXPUNGE, + CMD_FETCH, + CMD_GETACL, + CMD_GETMETADATA, + CMD_GETQUOTA, + CMD_GETQUOTAROOT, + CMD_IDLE, + CMD_LIST, + CMD_LISTRIGHTS, + CMD_LOGIN, + CMD_LOGOUT, + CMD_LSUB, + CMD_MYRIGHTS, + CMD_NOOP, + CMD_NOTIFY, + CMD_RENAME, + CMD_SEARCH, + CMD_SELECT, + CMD_SETACL, + CMD_SETMETADATA, + CMD_SETQUOTA, + CMD_SORT, + CMD_STARTTLS, + CMD_STATUS, + CMD_STORE, + CMD_SUBSCRIBE, + CMD_THREAD, + CMD_UID, + CMD_UNSELECT, + CMD_UNSUBSCRIBE, + CMD_X, + CMD_LAST + +} IMAPCmdEnum; + +typedef enum _IMAPRespEnum +{ + RESP_CAPABILITY = 0, + RESP_LIST, + RESP_LSUB, + RESP_STATUS, + RESP_SEARCH, + RESP_FLAGS, + RESP_EXISTS, + RESP_RECENT, + RESP_EXPUNGE, + RESP_FETCH, + RESP_BAD, + RESP_BYE, + RESP_NO, + RESP_OK, + RESP_PREAUTH, + RESP_ENVELOPE, + RESP_UID, + RESP_LAST + +} IMAPRespEnum; + +typedef enum _IMAPHdrEnum +{ + HDR_CONTENT_TYPE = 0, + HDR_CONT_TRANS_ENC, + HDR_LAST + +} IMAPHdrEnum; + +typedef enum _IMAPDataEndEnum +{ + DATA_END_1 = 0, + DATA_END_2, + DATA_END_3, + DATA_END_4, + DATA_END_LAST + +} IMAPDataEndEnum; + +typedef struct _IMAPSearchInfo +{ + int id; + int index; + int length; + +} IMAPSearchInfo; + +typedef struct _IMAPMimeBoundary +{ + char boundary[2 + MAX_BOUNDARY_LEN + 1]; /* '--' + MIME boundary string + '\0' */ + int boundary_len; + void *boundary_search; + +} IMAPMimeBoundary; + +typedef struct _IMAPPcre +{ + pcre *re; + pcre_extra *pe; + +} IMAPPcre; + +typedef struct _IMAP +{ + int state; + int data_state; + int state_flags; + int session_flags; + int alert_mask; + int 
reassembling; + uint32_t body_len; + uint32_t body_read; +#ifdef DEBUG_MSGS + uint64_t session_number; +#endif + + MemBucket *decode_bkt; + IMAPMimeBoundary mime_boundary; + Email_DecodeState *decode_state; + + tSfPolicyId policy_id; + tSfPolicyUserContextId config; + +} IMAP; + + +/**************************************************************************/ + + +/* Function prototypes ****************************************************/ + +void IMAP_InitCmds(IMAPConfig *config); +void IMAP_SearchInit(void); +void IMAP_Free(void); +void SnortIMAP(SFSnortPacket *); +int IMAP_IsServer(uint16_t); +void IMAP_FreeConfig(IMAPConfig *); +void IMAP_FreeConfigs(tSfPolicyUserContextId); + +/**************************************************************************/ + +#endif /* __IMAP_H__ */ + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/spp_imap.c snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.c --- snort-2.9.0.1/src/dynamic-preprocessors/imap/spp_imap.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.c 2011-10-26 11:28:52.000000000 -0700 
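Review bot: `IMAP_SSL_ERROR_FLAGS` expands to SSL_BOGUS_HS_DIR_FLAG, SSL_BAD_VER_FLAG, SSL_BAD_TYPE_FLAG and SSL_UNKNOWN_FLAG, yet none of the headers this file includes is an ssl header by name, so a translation unit that uses the macro compiles only if it happened to include that header first; unless one of the listed headers transitively provides those flags, I'd add the include here (or a comment naming the header that supplies them) so the macro is self-contained. Separately, the session-flag values IMAP_FLAG_NEXT_STATE_UNKNOWN (0x4) and IMAP_FLAG_GOT_NON_REBUILT (0x8) reuse the numeric values of the state flags IMAP_FLAG_GOT_BOUNDARY and IMAP_FLAG_DATA_HEADER_CONT. They are kept in different fields (state_flags vs session_flags) so this is not a functional clash, but a one-line comment such as `/* session flags: a separate bit space from the state flags above; never OR into state_flags */` would stop someone mixing them into the wrong field.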
@@ -0,0 +1,670 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * + * spp_imap.c + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * This file initializes IMAP as a Snort preprocessor. + * + * This file registers the IMAP initialization function, + * adds the IMAP function into the preprocessor list. + * + * In general, this file is a wrapper to IMAP functionality, + * by interfacing with the Snort preprocessor functions. The rest + * of IMAP should be separate from the preprocessor hooks. 
+ * + **************************************************************************/ + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "spp_imap.h" +#include "sf_preproc_info.h" +#include "snort_imap.h" +#include "imap_config.h" +#include "imap_log.h" + +#include "preprocids.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "snort_debug.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats imapPerfStats; +PreprocStats imapDetectPerfStats; +int imapDetectCalled = 0; +#endif + +#include "sf_types.h" +#include "mempool.h" +#include "snort_bounds.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_IMAP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_IMAP"; +#endif + +#define SetupIMAP DYNAMIC_PREPROC_SETUP + +MemPool *imap_mempool = NULL; + +tSfPolicyUserContextId imap_config = NULL; +IMAPConfig *imap_eval_config = NULL; + +extern IMAP imap_no_session; +extern int16_t imap_proto_id; + +static void IMAPInit(char *); +static void IMAPDetect(void *, void *context); +static void IMAPCleanExitFunction(int, void *); +static void IMAPResetFunction(int, void *); +static void IMAPResetStatsFunction(int, void *); +static void _addPortsToStream5Filter(IMAPConfig *, tSfPolicyId); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif +static void IMAPCheckConfig(void); + +#ifdef SNORT_RELOAD +tSfPolicyUserContextId imap_swap_config = NULL; +static void IMAPReload(char *); +static int IMAPReloadVerify(void); +static void * IMAPReloadSwap(void); +static void IMAPReloadSwapFree(void *); +#endif + + +/* + * Function: SetupIMAP() + * + * Purpose: Registers the preprocessor keyword and initialization + * function into the preprocessor list. 
This is the function that + * gets called from InitPreprocessors() in plugbase.c. + * + * Arguments: None. + * + * Returns: void function + * + */ +void SetupIMAP(void) +{ + /* link the preprocessor keyword to the init function in the preproc list */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("imap", IMAPInit); +#else + _dpd.registerPreproc("imap", IMAPInit, IMAPReload, + IMAPReloadSwap, IMAPReloadSwapFree); +#endif +} + + +/* + * Function: IMAPInit(char *) + * + * Purpose: Calls the argument parsing function, performs final setup on data + * structs, links the preproc function into the function list. + * + * Arguments: args => ptr to argument string + * + * Returns: void function + * + */ +static void IMAPInit(char *args) +{ + IMAPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + IMAPConfig * pPolicyConfig = NULL; + + if (imap_config == NULL) + { + //create a context + imap_config = sfPolicyConfigCreate(); + if (imap_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create IMAP " + "configuration.\n"); + } + + /* Initialize the searches not dependent on configuration. 
+ * headers, reponsed, data, mime boundary regular expression */ + IMAP_SearchInit(); + + /* zero out static IMAP global used for stateless IMAP or if there + * is no session pointer */ + memset(&imap_no_session, 0, sizeof(IMAP)); + + /* Put the preprocessor function into the function list */ + /* _dpd.addPreproc(IMAPDetect, PRIORITY_APPLICATION, PP_IMAP, PROTO_BIT__TCP);*/ + _dpd.addPreprocExit(IMAPCleanExitFunction, NULL, PRIORITY_LAST, PP_IMAP); + _dpd.addPreprocReset(IMAPResetFunction, NULL, PRIORITY_LAST, PP_IMAP); + _dpd.addPreprocResetStats(IMAPResetStatsFunction, NULL, PRIORITY_LAST, PP_IMAP); + _dpd.addPreprocConfCheck(IMAPCheckConfig); + +#ifdef TARGET_BASED + imap_proto_id = _dpd.findProtocolReference(IMAP_PROTO_REF_STR); + if (imap_proto_id == SFTARGET_UNKNOWN_PROTOCOL) + imap_proto_id = _dpd.addProtocolReference(IMAP_PROTO_REF_STR); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP,"IMAP: Target-based: Proto id for %s: %u.\n", + IMAP_PROTO_REF_STR, imap_proto_id);); +#endif + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("imap", (void*)&imapPerfStats, 0, _dpd.totalPerfStats); +#endif + } + + sfPolicyUserPolicySet (imap_config, policy_id); + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_config); + if (pPolicyConfig != NULL) + { + DynamicPreprocessorFatalMessage("Can only configure IMAP preprocessor once.\n"); + } + + pPolicyConfig = (IMAPConfig *)calloc(1, sizeof(IMAPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create IMAP " + "configuration.\n"); + } + + sfPolicyUserDataSetCurrent(imap_config, pPolicyConfig); + + IMAP_InitCmds(pPolicyConfig); + IMAP_ParseArgs(pPolicyConfig, args); + + IMAP_CheckConfig(pPolicyConfig, imap_config); + IMAP_PrintConfig(pPolicyConfig); + + if(pPolicyConfig->disabled) + return; + + _dpd.addPreproc(IMAPDetect, PRIORITY_APPLICATION, PP_IMAP, PROTO_BIT__TCP); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be 
enabled " + "for IMAP preprocessor\n"); + } + + /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +/* + * Function: IMAPDetect(void *, void *) + * + * Purpose: Perform the preprocessor's intended function. This can be + * simple (statistics collection) or complex (IP defragmentation) + * as you like. Try not to destroy the performance of the whole + * system by trying to do too much.... 
+ * + * Arguments: p => pointer to the current packet data struct + * + * Returns: void function + * + */ +static void IMAPDetect(void *pkt, void *context) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + PROFILE_VARS; + + if ((p->payload_size == 0) || !IsTCP(p) || (p->payload == NULL)) + return; + + PREPROC_PROFILE_START(imapPerfStats); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP Start (((((((((((((((((((((((((((((((((((((((\n");); + + sfPolicyUserPolicySet (imap_config, policy_id); + + SnortIMAP(p); + + DEBUG_WRAP(DebugMessage(DEBUG_IMAP, "IMAP End )))))))))))))))))))))))))))))))))))))))))\n\n");); + + PREPROC_PROFILE_END(imapPerfStats); +#ifdef PERF_PROFILING + if (PROFILING_PREPROCS && imapDetectCalled) + { + imapPerfStats.ticks -= imapDetectPerfStats.ticks; + /* And Reset ticks to 0 */ + imapDetectPerfStats.ticks = 0; + imapDetectCalled = 0; + } +#endif + +} + + +/* + * Function: IMAPCleanExitFunction(int, void *) + * + * Purpose: This function gets called when Snort is exiting, if there's + * any cleanup that needs to be performed (e.g. closing files) + * it should be done here. 
+ * + * Arguments: signal => the code of the signal that was issued to Snort + * data => any arguments or data structs linked to this + * function when it was registered, may be + * needed to properly exit + * + * Returns: void function + */ +static void IMAPCleanExitFunction(int signal, void *data) +{ + IMAP_Free(); + if (mempool_destroy(imap_mempool) == 0) + { + free(imap_mempool); + imap_mempool = NULL; + } + +} + + +static void IMAPResetFunction(int signal, void *data) +{ + return; +} + +static void IMAPResetStatsFunction(int signal, void *data) +{ + return; +} + +static void _addPortsToStream5Filter(IMAPConfig *config, tSfPolicyId policy_id) +{ + unsigned int portNum; + + if (config == NULL) + return; + + for (portNum = 0; portNum < MAXPORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)portNum, + PORT_MONITOR_SESSION, policy_id, 1); + } + } +} + +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(imap_proto_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif + +static int IMAPEnableDecoding(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + IMAPConfig *context = (IMAPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(!IMAP_IsDecodingEnabled(context)) + return 1; + + return 0; +} + +static int IMAPCheckPolicyConfig( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + IMAPConfig *context = (IMAPConfig *)pData; + + _dpd.setParserPolicy(policyId); + + /* In a multiple-policy setting, the IMAP preproc can be turned on in a + "disabled" state. In this case, we don't require Stream5. 
*/ + if (context->disabled) + return 0; + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for IMAP preprocessor\n"); + } + + return 0; +} + +static void IMAPCheckConfig(void) +{ + + IMAPConfig *defaultConfig = + (IMAPConfig *)sfPolicyUserDataGetDefault(imap_config); + + sfPolicyUserDataIterate (imap_config, IMAPCheckPolicyConfig); + + if (sfPolicyUserDataIterate(imap_config, IMAPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + if (defaultConfig == NULL) + { + /*error message */ + DynamicPreprocessorFatalMessage("IMAP: Must configure a default " + "configuration if you want to imap decoding.\n"); + } + + encode_depth = defaultConfig->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = defaultConfig->memcap / (2 * encode_depth ); + + imap_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(imap_mempool, max_sessions, + (2 * encode_depth )) != 0) + { + DynamicPreprocessorFatalMessage("IMAP: Could not allocate IMAP mempool.\n"); + } + } + + +} + +#ifdef SNORT_RELOAD +static void IMAPReload(char *args) +{ + IMAPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + IMAPConfig *pPolicyConfig = NULL; + + if (imap_swap_config == NULL) + { + //create a context + imap_swap_config = sfPolicyConfigCreate(); + if (imap_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create IMAP " + "configuration.\n"); + } + + _dpd.addPreprocReloadVerify(IMAPReloadVerify); + } + + sfPolicyUserPolicySet (imap_swap_config, policy_id); + pPolicyConfig = (IMAPConfig *)sfPolicyUserDataGetCurrent(imap_swap_config); + + if (pPolicyConfig != NULL) + DynamicPreprocessorFatalMessage("Can only configure IMAP preprocessor once.\n"); + + pPolicyConfig = (IMAPConfig *)calloc(1, sizeof(IMAPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create IMAP 
" + "configuration.\n"); + } + + sfPolicyUserDataSetCurrent(imap_swap_config, pPolicyConfig); + + IMAP_InitCmds(pPolicyConfig); + IMAP_ParseArgs(pPolicyConfig, args); + + IMAP_CheckConfig(pPolicyConfig, imap_swap_config); + IMAP_PrintConfig(pPolicyConfig); + + if( pPolicyConfig->disabled ) + return; + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for IMAP preprocessor\n"); + } + + /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate IMAP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _dpd.addPreproc(IMAPDetect, PRIORITY_APPLICATION, PP_IMAP, PROTO_BIT__TCP); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +static int IMAPReloadVerify(void) +{ + IMAPConfig *config = NULL; + IMAPConfig *configNext = NULL; + + if (imap_swap_config == NULL) + return 0; + + if (imap_config != NULL) + { + config = (IMAPConfig *)sfPolicyUserDataGet(imap_config, _dpd.getDefaultPolicy()); + } + + configNext = (IMAPConfig *)sfPolicyUserDataGet(imap_swap_config, _dpd.getDefaultPolicy()); + + if (config == NULL) + { + return 0; + } + + if (imap_mempool != NULL) + { + if (configNext == NULL) + { + _dpd.errMsg("IMAP reload: Changing the IMAP configuration requires a restart.\n"); + IMAP_FreeConfigs(imap_swap_config); + imap_swap_config = NULL; + return -1; + } + if 
(configNext->memcap != config->memcap) + { + _dpd.errMsg("IMAP reload: Changing the memcap requires a restart.\n"); + IMAP_FreeConfigs(imap_swap_config); + imap_swap_config = NULL; + return -1; + } + if(configNext->b64_depth != config->b64_depth) + { + _dpd.errMsg("IMAP reload: Changing the b64_decode_depth requires a restart.\n"); + IMAP_FreeConfigs(imap_swap_config); + imap_swap_config = NULL; + return -1; + } + if(configNext->qp_depth != config->qp_depth) + { + _dpd.errMsg("IMAP reload: Changing the qp_decode_depth requires a restart.\n"); + IMAP_FreeConfigs(imap_swap_config); + imap_swap_config = NULL; + return -1; + } + if(configNext->bitenc_depth != config->bitenc_depth) + { + _dpd.errMsg("IMAP reload: Changing the bitenc_decode_depth requires a restart.\n"); + IMAP_FreeConfigs(imap_swap_config); + imap_swap_config = NULL; + return -1; + } + if(configNext->uu_depth != config->uu_depth) + { + _dpd.errMsg("IMAP reload: Changing the uu_decode_depth requires a restart.\n"); + IMAP_FreeConfigs(imap_swap_config); + imap_swap_config = NULL; + return -1; + } + + } + else if(configNext != NULL) + { + if (sfPolicyUserDataIterate(imap_swap_config, IMAPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + + encode_depth = configNext->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = configNext->memcap / ( 2 * encode_depth); + + imap_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(imap_mempool, max_sessions, + (2 * encode_depth)) != 0) + { + DynamicPreprocessorFatalMessage("IMAP: Could not allocate IMAP mempool.\n"); + } + } + + } + + + if ( configNext->disabled ) + return 0; + + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for IMAP preprocessor\n"); + } + + return 0; +} + +static int IMAPReloadSwapPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + IMAPConfig 
*pPolicyConfig = (IMAPConfig *)pData; + + if (pPolicyConfig->ref_count == 0) + { + sfPolicyUserDataClear (config, policyId); + IMAP_FreeConfig(pPolicyConfig); + } + + return 0; +} + +static void * IMAPReloadSwap(void) +{ + tSfPolicyUserContextId old_config = imap_config; + + if (imap_swap_config == NULL) + return NULL; + + imap_config = imap_swap_config; + imap_swap_config = NULL; + + sfPolicyUserDataIterate (old_config, IMAPReloadSwapPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + IMAP_FreeConfigs(old_config); + + return NULL; +} + +static void IMAPReloadSwapFree(void *data) +{ + if (data == NULL) + return; + + IMAP_FreeConfigs((tSfPolicyUserContextId)data); +} +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/imap/spp_imap.h snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.h --- snort-2.9.0.1/src/dynamic-preprocessors/imap/spp_imap.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/imap/spp_imap.h 2011-06-07 17:33:14.000000000 -0700 
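Review bot: IMAPReloadVerify() dereferences configNext unconditionally at `if ( configNext->disabled )`, but configNext is only known non-NULL on the `imap_mempool != NULL` path (where a NULL configNext already returns -1) and inside the `else if (configNext != NULL)` branch, so a reload whose new configuration has no default-policy IMAP entry while decoding was never enabled (imap_mempool still NULL) reaches that line with configNext == NULL. I'd change it to `if (configNext == NULL || configNext->disabled) return 0;`. In the same hunk, both IMAPCheckConfig() and IMAPReloadVerify() hand the result of `calloc(1, sizeof(MemPool))` straight to mempool_init() without a NULL check; `if (imap_mempool == NULL) DynamicPreprocessorFatalMessage("IMAP: Could not allocate IMAP mempool.\n");` before the call would match the allocation-failure handling the rest of the file uses. Whether `max_sessions = defaultConfig->memcap / (2 * encode_depth)` can divide by zero depends on what IMAP_IsDecodingEnabled() guarantees about max_depth, which is not visible in this diff.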
@@ -0,0 +1,37 @@
+
+/*
+ * spp_imap.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file defines the publicly available functions for the IMAP
+ * functionality for Snort.
+ *
+ */
+
+#ifndef __SPP_IMAP_H__
+#define __SPP_IMAP_H__
+
+void SetupIMAP(void);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/Makefile.am snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/libs/Makefile.am 2007-11-15 10:00:06.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.am 2011-06-07 17:33:14.000000000 -0700
@@ -5,5 +5,17 @@ ssl.c \ ssl.h \ sfparser.c \ -sfcommon.h +sfcommon.h \ +sf_preproc_info.h \ +snort_preproc.pc.in +if HAVE_DYNAMIC_PLUGINS + +if SO_WITH_STATIC_LIB + +pkgconfigdir = $(libdir)/pkgconfig +pkgconfig_DATA = snort_preproc.pc + +endif + +endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/Makefile.in snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/libs/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/libs/Makefile.in 2011-12-07 11:23:19.000000000 -0800 @@ -14,6 +14,7 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ @@ -34,7 +35,8 @@ build_triplet = @build@ host_triplet = @host@ subdir = src/dynamic-preprocessors/libs -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ + $(srcdir)/snort_preproc.pc.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ $(top_srcdir)/configure.in 
@@ -42,12 +44,35 @@ $(ACLOCAL_M4) mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = +CONFIG_CLEAN_FILES = snort_preproc.pc CONFIG_CLEAN_VPATH_FILES = depcomp = am__depfiles_maybe = SOURCES = DIST_SOURCES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(pkgconfigdir)" +DATA = $(pkgconfig_DATA) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -58,7 +83,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +100,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -109,13 +137,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -179,8 +213,12 @@ ssl.c \ ssl.h \ sfparser.c \ -sfcommon.h +sfcommon.h \ +sf_preproc_info.h \ +snort_preproc.pc.in +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@pkgconfigdir = $(libdir)/pkgconfig +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@pkgconfig_DATA = snort_preproc.pc all: all-am .SUFFIXES: 
@@ -214,12 +252,34 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +snort_preproc.pc: $(top_builddir)/config.status $(srcdir)/snort_preproc.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs +install-pkgconfigDATA: $(pkgconfig_DATA) + @$(NORMAL_INSTALL) + test -z "$(pkgconfigdir)" || $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgconfigdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgconfigdir)" || exit $$?; \ + done + +uninstall-pkgconfigDATA: + @$(NORMAL_UNINSTALL) + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(pkgconfigdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(pkgconfigdir)" && rm -f $$files tags: TAGS TAGS: @@ -259,8 +319,11 @@ done check-am: all-am check: check-am -all-am: Makefile +all-am: Makefile $(DATA) installdirs: + for dir in "$(DESTDIR)$(pkgconfigdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: install-am install-exec: install-exec-am install-data: install-data-am @@ -306,7 +369,7 @@ info-am: -install-data-am: +install-data-am: install-pkgconfigDATA install-dvi: install-dvi-am @@ -350,7 +413,7 @@ ps-am: -uninstall-am: +uninstall-am: uninstall-pkgconfigDATA .MAKE: install-am install-strip 
@@ -360,10 +423,11 @@ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am + install-pdf-am install-pkgconfigDATA install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + uninstall uninstall-am uninstall-pkgconfigDATA # Tell versions [3.59,3.63) of GNU make to not export all variables. diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/sfcommon.h snort-2.9.2/src/dynamic-preprocessors/libs/sfcommon.h --- snort-2.9.0.1/src/dynamic-preprocessors/libs/sfcommon.h 2010-01-26 10:10:04.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sfcommon.h 2011-06-07 17:33:14.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2007-2010 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -21,8 +21,8 @@ #ifndef DYN_PP_PARSER_H #define DYN_PP_PARSER_H -#include "sf_types.h" -#include "debug.h" +#include "snort_bounds.h" +#include "snort_debug.h" #define SFP_MIN_ERR_STR 128 
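Review bot: sfcommon.h drops `#include "sf_types.h"` in the hunk at -21,8 while sfparser.c, further down in this diff, gains `#include "sf_types.h"` immediately before `#include "sfcommon.h"`, which suggests the header still relies on definitions from sf_types.h and is no longer self-contained. If that is so, every includer must now repeat the include in that exact order, and the dependency is invisible from the header itself. Either keep `#include "sf_types.h"` in sfcommon.h alongside the new snort_bounds.h/snort_debug.h includes, or document the precondition at the top of the header with `/* sf_types.h must be included before this header */`.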
@@ -41,9 +41,9 @@ typedef char SFP_errstr_t[SFP_MIN_ERR_STR + 1]; -static INLINE char *SFP_GET_ERR(SFP_errstr_t err) +static inline char *SFP_GET_ERR(SFP_errstr_t err) { - return (char*)err; + return (char*)err; } SFP_ret_t SFP_ports(ports_tbl_t ports, char *str, SFP_errstr_t errstr); diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp snort-2.9.2/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp 2010-06-09 15:05:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp 2011-10-26 11:28:52.000000000 -0700 @@ -37,15 +37,16 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_MBCS" /D "_LIB" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo 
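Review bot: The `(char*)err` cast kept in `SFP_GET_ERR` is redundant, since an array parameter declared as `SFP_errstr_t err` already has type `char *`; `return err;` expresses the same thing without a cast that would silently hide a qualifier mismatch if the typedef ever changed. Replacing the `INLINE` macro with the bare C99 `inline` keyword also makes this header depend on the compiler accepting `inline` in C mode; the MSVC project file in this same diff (sfdynamic_preproc_libs.dsp) builds this library, and if `INLINE` existed to spell that keyword per compiler, the portability shim is lost here, so confirm the Windows build still compiles. A one-line comment, `/* err is an array parameter and so already decays to char * */`, would make the cast's removal obviously safe to a later reader.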
@@ -60,15 +61,16 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\\" /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\\" /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo 
@@ -83,15 +85,16 @@ # PROP BASE Output_Dir "sfdynamic_preproc_libs___Win32_IPv6_Debug" # PROP BASE Intermediate_Dir "sfdynamic_preproc_libs___Win32_IPv6_Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_LIB" /D "_DEBUG" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo 
@@ -106,15 +109,16 @@ # PROP BASE Output_Dir "sfdynamic_preproc_libs___Win32_IPv6_Release" # PROP BASE Intermediate_Dir "sfdynamic_preproc_libs___Win32_IPv6_Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "_LIB" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "_WINDOWS" /D "_USRDLL" /D "ENABLE_PAF" /D "_LIB" /D "SF_SNORT_PREPROC_DLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ACTIVE_RESPONSE" /D "_AFXDLL" /FD /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/sfparser.c snort-2.9.2/src/dynamic-preprocessors/libs/sfparser.c --- snort-2.9.0.1/src/dynamic-preprocessors/libs/sfparser.c 2010-01-26 10:10:04.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sfparser.c 2011-06-07 17:33:14.000000000 -0700 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2007-2010 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -27,6 +27,7 @@ #include <stdio.h> #include <stdarg.h> #include <errno.h> +#include "sf_types.h" #include "sfcommon.h" #include "ctype.h" @@ -38,7 +39,7 @@ /* tok exceeded errstr. Overwrite trailing characters for \ * printability */ \ strcpy(((char*)errstr) + SFP_MIN_ERR_STR-4, "..."); \ - } + } #define CLR_ERR() ((char*)errstr)[0] = 0; @@ -48,10 +49,10 @@ char end_brace_found = 0; char port_found = 0; - if(!str) + if(!str) { SET_ERR("%s", "Invalid pointer"); - return SFP_ERROR; + return SFP_ERROR; } if((tok = strtok_r(str, " ", &saveptr)) == NULL) @@ -61,7 +62,7 @@ } /* This string had better start with a '{' and end with a '}', or else! */ - if(strcmp(tok, "{")) + if(strcmp(tok, "{")) { SET_ERR("Malformed port list: %s. Expecting a leading '{ '", tok); return SFP_ERROR; @@ -104,7 +105,7 @@ port_tbl[ PORT_INDEX(port) ] |= CONV_PORT(port); port_found = 1; - } + } if(!end_brace_found) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/libs/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/libs/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/libs/sf_preproc_info.h 2011-06-07 17:33:14.000000000 -0700 
@@ -0,0 +1,42 @@
+/*
+ * sf_preproc_info.h
+ *
+ * Copyright (C) 2006-2011 Sourcefire,Inc
+ * Steven A. Sturges <ssturges@sourcefire.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Description:
+ *
+ * This file is part of the dynamically loadable preprocessor library. The
+ * items must be globally defined within the source file of a given
+ * preprocessor.
+ *
+ * NOTES:
+ *
+ */
+#ifndef SF_PREPROC_INFO_H_
+#define SF_PREPROC_INFO_H_
+
+extern const int MAJOR_VERSION;
+extern const int MINOR_VERSION;
+extern const int BUILD_VERSION;
+extern const char *PREPROC_NAME;
+
+extern void DYNAMIC_PREPROC_SETUP(void);
+
+#endif /* SF_PREPROC_INFO_H_ */
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/snort_preproc.pc.in snort-2.9.2/src/dynamic-preprocessors/libs/snort_preproc.pc.in
--- snort-2.9.0.1/src/dynamic-preprocessors/libs/snort_preproc.pc.in 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/libs/snort_preproc.pc.in 2011-06-07 17:33:14.000000000 -0700
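Review bot: The four extern objects and the setup function in sf_preproc_info.h are declared without a comment saying what each represents or who reads them; the file header only says they "must be globally defined" by each preprocessor. A short comment per declaration would help module authors, for example `/* Version triple each preprocessor module defines exactly once */` above the three `const int` lines, and on `DYNAMIC_PREPROC_SETUP` something like `/* Defined by each preprocessor module; presumably the host's entry point after loading -- confirm against the loader */`. Separately, `extern const char *PREPROC_NAME;` exports a writable pointer to a read-only string, so any code in the process can re-point it; `extern const char *const PREPROC_NAME;` would be the safer shape, but it changes the definition every existing preprocessor must supply, so it belongs in a follow-up rather than this commit.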
@@ -0,0 +1,18 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+libdir=@libdir@
+package=@PACKAGE@
+includedir=@includedir@
+datarootdir=@datarootdir@
+datadir=@datadir@
+mandir=@infodir@
+infodir=@infodir@
+
+Name: Snort
+Description: Snort dynamic preprocessors
+URL: www.snort.org
+Version: @VERSION@
+Libs: -L${libdir}/${package}/dynamic_preproc -lsf_dynamic_preproc
+Cflags: -I${includedir}/${package}/dynamic_preproc @CONFIGFLAGS@ @CCONFIGFLAGS@ @ICONFIGFLAGS@
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/ssl.c snort-2.9.2/src/dynamic-preprocessors/libs/ssl.c
--- snort-2.9.0.1/src/dynamic-preprocessors/libs/ssl.c 2010-06-23 21:02:23.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/libs/ssl.c 2011-02-09 15:23:21.000000000 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1998-2010 Sourcefire, Inc.
+ * Copyright (C) 1998-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/libs/ssl.h snort-2.9.2/src/dynamic-preprocessors/libs/ssl.h
--- snort-2.9.0.1/src/dynamic-preprocessors/libs/ssl.h 2010-06-23 21:02:23.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/libs/ssl.h 2011-02-09 15:23:21.000000000 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1998-2010 Sourcefire, Inc.
+ * Copyright (C) 1998-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/Makefile.am snort-2.9.2/src/dynamic-preprocessors/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/Makefile.am 2010-06-09 15:05:11.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/Makefile.am 2011-10-26 11:28:52.000000000 -0700
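Review bot: `mandir=@infodir@` on line 9 of snort_preproc.pc.in substitutes the wrong configure variable; it should read `mandir=@mandir@`, otherwise a consumer asking pkg-config for mandir is handed the info directory. `URL: www.snort.org` is also missing a scheme; pkg-config treats the field as free text, but `URL: http://www.snort.org` is the conventional form. The `Cflags:` line forwards `@CONFIGFLAGS@ @CCONFIGFLAGS@ @ICONFIGFLAGS@` to out-of-tree preprocessors, which presumably carries the feature defines the host binary was configured with; a `#` comment in the .pc.in noting that these must match the installed snort for shared struct layouts to agree would save consumers a debugging session.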
@@ -1,9 +1,88 @@ ## $Id$ AUTOMAKE_OPTIONS=foreign no-dependencies +INCLUDES = -I${top_builddir}/src/dynamic-preprocessors/include -I${top_srcdir}/src/dynamic-preprocessors/libs + +if HAVE_DYNAMIC_PLUGINS + +if SO_WITH_STATIC_LIB + +preproclibdir=$(pkglibdir)/dynamic_preproc + +preproclib_LTLIBRARIES = libsf_dynamic_preproc.la +libsf_dynamic_preproc_la_CFLAGS = -fPIC -DPIC +libsf_dynamic_preproc_la_LDFLAGS = -static + +nodist_libsf_dynamic_preproc_la_SOURCES = \ +include/sf_dynamic_preproc_lib.c \ +include/sf_ip.c \ +include/sfrt.c \ +include/sfrt_dir.c \ +include/sfrt_flat.c \ +include/sfrt_flat_dir.c \ +include/segment_mem.c \ +include/mempool.c \ +include/sf_sdlist.c \ +include/sfPolicyUserData.c \ +include/util_unfold.c \ +include/sf_base64decode.c \ +include/sf_email_attach_decode.c + +libsf_dynamic_preproc_la_SOURCES = \ +libs/ssl.c \ +libs/sfparser.c + +preprocdir=$(pkgincludedir)/dynamic_preproc + +nodist_preproc_HEADERS = \ +libs/ssl.h \ +libs/sfcommon.h \ +libs/sf_preproc_info.h \ +include/sf_snort_packet.h \ +include/sf_protocols.h \ +include/sf_snort_plugin_api.h \ +include/sf_decompression.h \ +include/sfPolicyUserData.h \ +include/snort_debug.h \ +include/snort_bounds.h \ +include/cpuclock.h \ +include/profiler.h \ +include/bitop.h \ +include/mempool.h \ +include/sf_sdlist_types.h \ +include/sf_ip.h \ +include/sfrt_flat.h \ +include/sfrt_flat_dir.h \ +include/segment_mem.h \ +include/sf_dynamic_common.h \ +include/sf_dynamic_engine.h \ +include/sf_dynamic_define.h \ +include/sf_dynamic_meta.h \ +include/sf_dynamic_preprocessor.h \ +include/sf_dynamic_preproc_lib.h \ +include/ipv6_port.h \ +include/sfPolicy.h \ +include/sfrt.h \ +include/sfrt_dir.h \ +include/sfrt_trie.h \ +include/obfuscation.h \ +include/stream_api.h \ +include/str_search.h \ +include/preprocids.h \ +include/attribute_table_api.h \ +include/sfcontrol.h \ +include/idle_processing.h + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/build install-preproclibLTLIBRARIES + +endif + 
+endif + BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ @@ -25,7 +104,9 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ + include/sf_decompression.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ include/str_search.h \ @@ -34,22 +115,37 @@ include/sfrt.c \ include/sfrt_dir.h \ include/sfrt_dir.c \ + include/sfrt_flat.h \ + include/sfrt_flat.c \ + include/sfrt_flat_dir.h \ + include/sfrt_flat_dir.c \ include/sfrt_trie.h \ + include/segment_mem.h \ + include/segment_mem.c \ include/mempool.h \ include/mempool.c \ include/sf_sdlist.h \ + include/sf_sdlist_types.h \ include/sf_sdlist.c \ include/sfPolicyUserData.c \ include/sfPolicyUserData.h \ include/sfPolicy.h \ + include/util_unfold.h \ + include/util_unfold.c \ include/sf_base64decode.h \ include/sf_base64decode.c \ + include/sf_email_attach_decode.h \ + include/sf_email_attach_decode.c \ include/treenodes.h \ include/signature.h \ include/plugin_enum.h \ include/obfuscation.h \ include/rule_option_types.h \ - include/event.h + include/event.h \ + include/Unified2_common.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ @@ -147,10 +243,11 @@ -e "/SharedObjectAddEnds/d" \ -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" \ -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ + -e "s/SnortStrnStr/_dpd.SnortStrnStr/" \ $$dst_header > $$dst_header.new; \ mv $$dst_header.new $$dst_header; \ fi - + copy_headers = \ mkdir -p include; \ mkdir -p build; \ 
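Review bot: The `all-local` recipe at the end of the -1,9 hunk of src/dynamic-preprocessors/Makefile.am passes a backtick `pwd` substitution to `$(MAKE)` unquoted, so a build directory whose path contains whitespace splits the DESTDIR argument; writing it as `DESTDIR="$$(pwd)/build"` avoids that. Performing an install step as part of `all` is also unusual enough to deserve a comment explaining that the per-preprocessor sub-directories link against the staged copy under build/ (that appears to be the intent, given `SUBDIRS = . libs ...` later in the file, but nothing in the hunk says so). The new `INCLUDES =` assignment on line 4 uses the variable that newer automake releases deprecate in favour of `AM_CPPFLAGS`; the same replacement appears in the hunk at -335,10 of this file, and switching both now would be cheap.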
@@ -185,25 +282,25 @@ fi # From main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/profiler.h: $(srcdir)/../profiler.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/cpuclock.h: $(srcdir)/../cpuclock.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) - -include/bounds.h: $(srcdir)/../bounds.h + +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @@ -234,6 +331,9 @@ include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h @src_header=$?; dst_header=$@; $(massage_headers) +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h + @src_header=$?; dst_header=$@; $(massage_headers) + # From dynamic-plugins/sf_preproc_example include/sf_dynamic_preproc_lib.c: $(srcdir)/../dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c @src_header=$?; dst_header=$@; $(copy_headers) 
@@ -274,10 +374,28 @@ include/sfrt_dir.c: $(srcdir)/../sfutil/sfrt_dir.c @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat.h: $(srcdir)/../sfutil/sfrt_flat.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat.c: $(srcdir)/../sfutil/sfrt_flat.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat_dir.h: $(srcdir)/../sfutil/sfrt_flat_dir.h + @src_header=$?; dst_header=$@; $(copy_headers) +include/sfrt_flat_dir.c: $(srcdir)/../sfutil/sfrt_flat_dir.c + @src_header=$?; dst_header=$@; $(copy_headers) + include/sfrt_trie.h: $(srcdir)/../sfutil/sfrt_trie.h @src_header=$?; dst_header=$@; $(copy_headers) +include/segment_mem.c: $(srcdir)/../sfutil/segment_mem.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/segment_mem.h: $(srcdir)/../sfutil/segment_mem.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/mempool.h: $(srcdir)/../mempool.h @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) 
@@ -287,24 +405,42 @@ include/sf_sdlist.h: $(srcdir)/../sf_sdlist.h @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) +include/sf_sdlist_types.h: $(srcdir)/../sf_sdlist_types.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + include/sf_sdlist.c: $(srcdir)/../sf_sdlist.c @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) include/sfPolicyUserData.c: $(srcdir)/../sfutil/sfPolicyUserData.c @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicyUserData.h: $(srcdir)/../sfutil/sfPolicyUserData.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) - + include/sfPolicy.h: $(srcdir)/../sfutil/sfPolicy.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) +include/util_unfold.h: $(srcdir)/../sfutil/util_unfold.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/util_unfold.c: $(srcdir)/../sfutil/util_unfold.c + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_base64decode.h: $(srcdir)/../sfutil/sf_base64decode.h @src_header=$?; dst_header=$@; $(copy_headers) - + include/sf_base64decode.c: $(srcdir)/../sfutil/sf_base64decode.c @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_email_attach_decode.h: $(srcdir)/../sfutil/sf_email_attach_decode.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_email_attach_decode.c: $(srcdir)/../sfutil/sf_email_attach_decode.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/Unified2_common.h: $(srcdir)/../sfutil/Unified2_common.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins/sf_engine/examples include/sfsnort_dynamic_detection_lib.c: $(srcdir)/../dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c @src_header=$?; dst_header=$@; $(copy_headers) 
@@ -316,9 +452,15 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_decompression.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_decompression.h + @src_header=$?; dst_header=$@; $(copy_headers) + # Stream API/String Searching, massage it to use SFSnortPacket include/stream_api.h: $(srcdir)/../preprocessors/stream_api.h @src_header=$?; dst_header=$@; $(massage_headers) @@ -335,10 +477,18 @@ include/plugin_enum.h: $(srcdir)/../plugin_enum.h @src_header=$?; dst_header=$@; $(copy_headers) -INCLUDES = @INCLUDES@ +include/sfcontrol.h: $(top_srcdir)/src/control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(top_srcdir)/src/idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + +if WANT_SF_SAAC +RZB_SAAC_DIR=rzb_saac +endif if HAVE_DYNAMIC_PLUGINS -SUBDIRS = libs ftptelnet smtp ssh dns ssl dcerpc2 sdf +SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf sip reputation gtp modbus dnp3 $(RZB_SAAC_DIR) endif clean-local: 
@@ -362,29 +512,39 @@ include/sf_dynamic_preproc_lib.c \ include/sf_ip.h \ include/sf_snort_packet.h \ +include/sf_protocols.h \ include/sf_snort_plugin_api.h \ +include/sf_decompression.h \ include/sf_types.h \ include/sfsnort_dynamic_detection_lib.h \ include/sfsnort_dynamic_detection_lib.c \ include/pcap_pkthdr32.h \ include/str_search.h \ include/stream_api.h \ -include/debug.h \ +include/snort_debug.h \ include/profiler.h \ include/sfghash.h \ include/sfhashfcn.h \ include/bitop.h \ include/preprocids.h \ include/sfPolicyUserData.h \ +include/util_unfold.h \ +include/util_unfold.c \ include/sf_base64decode.h \ include/sf_base64decode.c \ +include/sf_email_attach_decode.h \ +include/sf_email_attach_decode.c \ include/treenodes.h \ include/signature.h \ include/plugin_enum.h \ include/sfPolicyUserData.c \ include/obfuscation.h \ include/rule_option_types.h \ -include/event.h +include/event.h \ +include/Unified2_common.h \ +include/attribute_table_api.h \ +include/sfcontrol.h \ +include/idle_processing.h install-data-local: @for f in $(exported_files); do \ @@ -407,6 +567,6 @@ ## Make the install directory. $(mkinstalldirs) $(DESTDIR)$(srcinstdir); \ ## Actually install the file. - $(RM) -f $(DESTDIR)$(srcinstdir)/$$truefile; \ + rm -f $(DESTDIR)$(srcinstdir)/$$truefile; \ done endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/Makefile.in snort-2.9.2/src/dynamic-preprocessors/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/Makefile.in 2011-12-07 11:23:18.000000000 -0800 @@ -14,6 +14,8 @@ # PARTICULAR PURPOSE. @SET_MAKE@ + + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ 
@@ -44,10 +46,72 @@ CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(preproclibdir)" \ + "$(DESTDIR)$(preprocdir)" +LTLIBRARIES = $(preproclib_LTLIBRARIES) +libsf_dynamic_preproc_la_LIBADD = +am__libsf_dynamic_preproc_la_SOURCES_DIST = libs/ssl.c libs/sfparser.c +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@am_libsf_dynamic_preproc_la_OBJECTS = libsf_dynamic_preproc_la-ssl.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfparser.lo +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@nodist_libsf_dynamic_preproc_la_OBJECTS = libsf_dynamic_preproc_la-sf_dynamic_preproc_lib.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_ip.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt_dir.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ 
libsf_dynamic_preproc_la-sfrt_flat.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfrt_flat_dir.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-segment_mem.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-mempool.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_sdlist.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sfPolicyUserData.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-util_unfold.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_base64decode.lo \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ libsf_dynamic_preproc_la-sf_email_attach_decode.lo +libsf_dynamic_preproc_la_OBJECTS = \ + $(am_libsf_dynamic_preproc_la_OBJECTS) \ + $(nodist_libsf_dynamic_preproc_la_OBJECTS) +libsf_dynamic_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) \ + $(libsf_dynamic_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@am_libsf_dynamic_preproc_la_rpath = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ -rpath \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ $(preproclibdir) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = -SOURCES = -DIST_SOURCES = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = 
$(libsf_dynamic_preproc_la_SOURCES) \ + $(nodist_libsf_dynamic_preproc_la_SOURCES) +DIST_SOURCES = $(am__libsf_dynamic_preproc_la_SOURCES_DIST) RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ html-recursive info-recursive install-data-recursive \ install-dvi-recursive install-exec-recursive \ @@ -55,6 +119,7 @@ install-pdf-recursive install-ps-recursive install-recursive \ installcheck-recursive installdirs-recursive pdf-recursive \ ps-recursive uninstall-recursive +HEADERS = $(nodist_preproc_HEADERS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ @@ -62,7 +127,8 @@ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = libs ftptelnet smtp ssh dns ssl dcerpc2 sdf +DIST_SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf \ + sip reputation gtp modbus dnp3 rzb_saac DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -98,7 +164,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -113,7 +181,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = @INCLUDES@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I${top_builddir}/src/dynamic-preprocessors/include -I${top_srcdir}/src/dynamic-preprocessors/libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ 
@@ -149,13 +218,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ 
@@ -214,9 +289,72 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@preproclibdir = $(pkglibdir)/dynamic_preproc +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@preproclib_LTLIBRARIES = libsf_dynamic_preproc.la +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libsf_dynamic_preproc_la_CFLAGS = -fPIC -DPIC +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libsf_dynamic_preproc_la_LDFLAGS = -static +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@nodist_libsf_dynamic_preproc_la_SOURCES = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_preproc_lib.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_ip.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_dir.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat_dir.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/segment_mem.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/mempool.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_sdlist.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfPolicyUserData.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/util_unfold.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_base64decode.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_email_attach_decode.c + +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libsf_dynamic_preproc_la_SOURCES = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/ssl.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/sfparser.c + +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@preprocdir = $(pkgincludedir)/dynamic_preproc 
+@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@nodist_preproc_HEADERS = \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/ssl.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/sfcommon.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@libs/sf_preproc_info.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_snort_packet.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_protocols.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_snort_plugin_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_decompression.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfPolicyUserData.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/snort_debug.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/snort_bounds.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/cpuclock.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/profiler.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/bitop.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/mempool.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_sdlist_types.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_ip.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_flat_dir.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/segment_mem.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_common.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_engine.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_define.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_meta.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_preprocessor.h \ 
+@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sf_dynamic_preproc_lib.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/ipv6_port.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfPolicy.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_dir.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfrt_trie.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/obfuscation.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/stream_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/str_search.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/preprocids.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/attribute_table_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/sfcontrol.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@include/idle_processing.h + BUILT_SOURCES = \ - include/bounds.h \ - include/debug.h \ + include/snort_bounds.h \ + include/snort_debug.h \ include/preprocids.h \ include/profiler.h \ include/cpuclock.h \ @@ -238,7 +376,9 @@ include/sfsnort_dynamic_detection_lib.c \ include/sfsnort_dynamic_detection_lib.h \ include/sf_snort_packet.h \ + include/sf_protocols.h \ include/sf_snort_plugin_api.h \ + include/sf_decompression.h \ include/pcap_pkthdr32.h \ include/stream_api.h \ include/str_search.h \ 
@@ -247,22 +387,37 @@ include/sfrt.c \ include/sfrt_dir.h \ include/sfrt_dir.c \ + include/sfrt_flat.h \ + include/sfrt_flat.c \ + include/sfrt_flat_dir.h \ + include/sfrt_flat_dir.c \ include/sfrt_trie.h \ + include/segment_mem.h \ + include/segment_mem.c \ include/mempool.h \ include/mempool.c \ include/sf_sdlist.h \ + include/sf_sdlist_types.h \ include/sf_sdlist.c \ include/sfPolicyUserData.c \ include/sfPolicyUserData.h \ include/sfPolicy.h \ + include/util_unfold.h \ + include/util_unfold.c \ include/sf_base64decode.h \ include/sf_base64decode.c \ + include/sf_email_attach_decode.h \ + include/sf_email_attach_decode.c \ include/treenodes.h \ include/signature.h \ include/plugin_enum.h \ include/obfuscation.h \ include/rule_option_types.h \ - include/event.h + include/event.h \ + include/Unified2_common.h \ + include/attribute_table_api.h \ + include/sfcontrol.h \ + include/idle_processing.h sed_ipv6_headers = \ sed -e "s/->iph->ip_src/->ip4_header->source/" \ @@ -358,6 +513,7 @@ -e "/SharedObjectAddEnds/d" \ -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" \ -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" \ + -e "s/SnortStrnStr/_dpd.SnortStrnStr/" \ $$dst_header > $$dst_header.new; \ mv $$dst_header.new $$dst_header; \ fi @@ -395,7 +551,8 @@ $(sed_treenode_header); \ fi -@HAVE_DYNAMIC_PLUGINS_TRUE@SUBDIRS = libs ftptelnet smtp ssh dns ssl dcerpc2 sdf +@WANT_SF_SAAC_TRUE@RZB_SAAC_DIR = rzb_saac +@HAVE_DYNAMIC_PLUGINS_TRUE@SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf sip reputation gtp modbus dnp3 $(RZB_SAAC_DIR) EXTRA_DIST = \ dynamic_preprocessors.dsp \ sf_dynamic_initialize/sf_dynamic_initialize.dsp \ 
@@ -412,34 +569,45 @@ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_dynamic_preproc_lib.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_ip.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_snort_packet.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_protocols.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_snort_plugin_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_decompression.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_types.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfsnort_dynamic_detection_lib.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfsnort_dynamic_detection_lib.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/pcap_pkthdr32.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/str_search.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/stream_api.h \ -@HAVE_DYNAMIC_PLUGINS_TRUE@include/debug.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/snort_debug.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/profiler.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfghash.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfhashfcn.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/bitop.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/preprocids.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfPolicyUserData.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/util_unfold.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/util_unfold.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_base64decode.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_base64decode.c \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_email_attach_decode.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sf_email_attach_decode.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/treenodes.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/signature.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/plugin_enum.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/sfPolicyUserData.c \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/obfuscation.h \ @HAVE_DYNAMIC_PLUGINS_TRUE@include/rule_option_types.h \ -@HAVE_DYNAMIC_PLUGINS_TRUE@include/event.h +@HAVE_DYNAMIC_PLUGINS_TRUE@include/event.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/Unified2_common.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/attribute_table_api.h \ +@HAVE_DYNAMIC_PLUGINS_TRUE@include/sfcontrol.h \ 
+@HAVE_DYNAMIC_PLUGINS_TRUE@include/idle_processing.h all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive .SUFFIXES: +.SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ 
@@ -470,12 +638,125 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +install-preproclibLTLIBRARIES: $(preproclib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(preproclibdir)" || $(MKDIR_P) "$(DESTDIR)$(preproclibdir)" + @list='$(preproclib_LTLIBRARIES)'; test -n "$(preproclibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(preproclibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(preproclibdir)"; \ + } + +uninstall-preproclibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(preproclib_LTLIBRARIES)'; test -n "$(preproclibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(preproclibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(preproclibdir)/$$f"; \ + done + +clean-preproclibLTLIBRARIES: + -test -z "$(preproclib_LTLIBRARIES)" || rm -f $(preproclib_LTLIBRARIES) + @list='$(preproclib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libsf_dynamic_preproc.la: $(libsf_dynamic_preproc_la_OBJECTS) $(libsf_dynamic_preproc_la_DEPENDENCIES) + $(libsf_dynamic_preproc_la_LINK) $(am_libsf_dynamic_preproc_la_rpath) $(libsf_dynamic_preproc_la_OBJECTS) $(libsf_dynamic_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ 
$< + +libsf_dynamic_preproc_la-ssl.lo: libs/ssl.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-ssl.lo `test -f 'libs/ssl.c' || echo '$(srcdir)/'`libs/ssl.c + +libsf_dynamic_preproc_la-sfparser.lo: libs/sfparser.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfparser.lo `test -f 'libs/sfparser.c' || echo '$(srcdir)/'`libs/sfparser.c + +libsf_dynamic_preproc_la-sf_dynamic_preproc_lib.lo: include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_dynamic_preproc_lib.lo `test -f 'include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`include/sf_dynamic_preproc_lib.c + +libsf_dynamic_preproc_la-sf_ip.lo: include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_ip.lo `test -f 'include/sf_ip.c' || echo '$(srcdir)/'`include/sf_ip.c + +libsf_dynamic_preproc_la-sfrt.lo: include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt.lo `test -f 'include/sfrt.c' || echo '$(srcdir)/'`include/sfrt.c + +libsf_dynamic_preproc_la-sfrt_dir.lo: include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt_dir.lo `test -f 'include/sfrt_dir.c' || echo '$(srcdir)/'`include/sfrt_dir.c + +libsf_dynamic_preproc_la-sfrt_flat.lo: include/sfrt_flat.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt_flat.lo `test -f 'include/sfrt_flat.c' || echo '$(srcdir)/'`include/sfrt_flat.c + +libsf_dynamic_preproc_la-sfrt_flat_dir.lo: include/sfrt_flat_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfrt_flat_dir.lo `test -f 'include/sfrt_flat_dir.c' || echo '$(srcdir)/'`include/sfrt_flat_dir.c + +libsf_dynamic_preproc_la-segment_mem.lo: include/segment_mem.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-segment_mem.lo `test -f 'include/segment_mem.c' || echo '$(srcdir)/'`include/segment_mem.c + +libsf_dynamic_preproc_la-mempool.lo: include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-mempool.lo `test -f 'include/mempool.c' || echo '$(srcdir)/'`include/mempool.c + +libsf_dynamic_preproc_la-sf_sdlist.lo: include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_sdlist.lo `test -f 
'include/sf_sdlist.c' || echo '$(srcdir)/'`include/sf_sdlist.c + +libsf_dynamic_preproc_la-sfPolicyUserData.lo: include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sfPolicyUserData.lo `test -f 'include/sfPolicyUserData.c' || echo '$(srcdir)/'`include/sfPolicyUserData.c + +libsf_dynamic_preproc_la-util_unfold.lo: include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-util_unfold.lo `test -f 'include/util_unfold.c' || echo '$(srcdir)/'`include/util_unfold.c + +libsf_dynamic_preproc_la-sf_base64decode.lo: include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_base64decode.lo `test -f 'include/sf_base64decode.c' || echo '$(srcdir)/'`include/sf_base64decode.c + +libsf_dynamic_preproc_la-sf_email_attach_decode.lo: include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsf_dynamic_preproc_la_CFLAGS) $(CFLAGS) -c -o libsf_dynamic_preproc_la-sf_email_attach_decode.lo `test -f 'include/sf_email_attach_decode.c' || echo '$(srcdir)/'`include/sf_email_attach_decode.c mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs +install-nodist_preprocHEADERS: $(nodist_preproc_HEADERS) + @$(NORMAL_INSTALL) + test -z "$(preprocdir)" || $(MKDIR_P) "$(DESTDIR)$(preprocdir)" + @list='$(nodist_preproc_HEADERS)'; test -n "$(preprocdir)" || list=; \ + for p in $$list; do \ + if test -f 
"$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(preprocdir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(preprocdir)" || exit $$?; \ + done + +uninstall-nodist_preprocHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(nodist_preproc_HEADERS)'; test -n "$(preprocdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(preprocdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(preprocdir)" && rm -f $$files # This directory's subdirectories are mostly independent; you can cd # into them and run `make' without going through this Makefile. @@ -673,9 +954,14 @@ check-am: all-am check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-recursive -all-am: Makefile +@HAVE_DYNAMIC_PLUGINS_FALSE@all-local: +@SO_WITH_STATIC_LIB_FALSE@all-local: +all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local installdirs: installdirs-recursive installdirs-am: + for dir in "$(DESTDIR)$(preproclibdir)" "$(DESTDIR)$(preprocdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-recursive install-exec: install-exec-recursive @@ -707,11 +993,13 @@ @HAVE_DYNAMIC_PLUGINS_FALSE@install-data-local: clean: clean-recursive -clean-am: clean-generic clean-libtool clean-local mostlyclean-am +clean-am: clean-generic clean-libtool clean-local \ + clean-preproclibLTLIBRARIES mostlyclean-am distclean: distclean-recursive -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-tags +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags dvi: dvi-recursive @@ -725,7 +1013,8 @@ info-am: -install-data-am: install-data-local +install-data-am: install-data-local install-nodist_preprocHEADERS \ + install-preproclibLTLIBRARIES install-dvi: install-dvi-recursive 
@@ -759,7 +1048,8 @@ mostlyclean: mostlyclean-recursive -mostlyclean-am: mostlyclean-generic mostlyclean-libtool +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf: pdf-recursive 
@@ -769,29 +1059,38 @@ ps-am: -uninstall-am: uninstall-local +uninstall-am: uninstall-local uninstall-nodist_preprocHEADERS \ + uninstall-preproclibLTLIBRARIES .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \ ctags-recursive install install-am install-strip \ tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ - all all-am check check-am clean clean-generic clean-libtool \ - clean-local ctags ctags-recursive distclean distclean-generic \ + all all-am all-local check check-am clean clean-generic \ + clean-libtool clean-local clean-preproclibLTLIBRARIES ctags \ + ctags-recursive distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-data-local install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am uninstall-local + install-info install-info-am install-man \ + install-nodist_preprocHEADERS install-pdf install-pdf-am \ + install-preproclibLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am uninstall-local \ + uninstall-nodist_preprocHEADERS \ + uninstall-preproclibLTLIBRARIES + +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@all-local: $(LTLIBRARIES) +@HAVE_DYNAMIC_PLUGINS_TRUE@@SO_WITH_STATIC_LIB_TRUE@ $(MAKE) DESTDIR=`pwd`/build install-preproclibLTLIBRARIES # From 
main src tree -include/debug.h: $(srcdir)/../debug.h +include/snort_debug.h: $(srcdir)/../snort_debug.h @src_header=$?; dst_header=$@; $(copy_debug_header) include/preprocids.h: $(srcdir)/../preprocids.h @@ -806,10 +1105,10 @@ include/pcap_pkthdr32.h: $(srcdir)/../pcap_pkthdr32.h @src_header=$?; dst_header=$@; $(copy_headers) -include/bounds.h: $(srcdir)/../bounds.h +include/snort_bounds.h: $(srcdir)/../snort_bounds.h @src_header=$?; dst_header=$@; $(copy_headers) -include/ipv6_port.h: $(srcdir)/../ipv6_port.h +include/ipv6_port.h: $(srcdir)/../ipv6_port.h @src_header=$?; dst_header=$@; $(massage_ipv6_headers) include/sf_types.h: $(srcdir)/../sf_types.h @@ -840,6 +1139,9 @@ include/sf_dynamic_preprocessor.h: $(srcdir)/../dynamic-plugins/sf_dynamic_preprocessor.h @src_header=$?; dst_header=$@; $(massage_headers) +include/attribute_table_api.h: $(srcdir)/../dynamic-plugins/attribute_table_api.h + @src_header=$?; dst_header=$@; $(massage_headers) + # From dynamic-plugins/sf_preproc_example include/sf_dynamic_preproc_lib.c: $(srcdir)/../dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c @src_header=$?; dst_header=$@; $(copy_headers) 
@@ -881,9 +1183,27 @@ include/sfrt_dir.c: $(srcdir)/../sfutil/sfrt_dir.c @src_header=$?; dst_header=$@; $(copy_headers) +include/sfrt_flat.h: $(srcdir)/../sfutil/sfrt_flat.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat.c: $(srcdir)/../sfutil/sfrt_flat.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat_dir.h: $(srcdir)/../sfutil/sfrt_flat_dir.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sfrt_flat_dir.c: $(srcdir)/../sfutil/sfrt_flat_dir.c + @src_header=$?; dst_header=$@; $(copy_headers) + include/sfrt_trie.h: $(srcdir)/../sfutil/sfrt_trie.h @src_header=$?; dst_header=$@; $(copy_headers) +include/segment_mem.c: $(srcdir)/../sfutil/segment_mem.c + @src_header=$?; dst_header=$@; $(copy_headers) + +include/segment_mem.h: $(srcdir)/../sfutil/segment_mem.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/mempool.h: $(srcdir)/../mempool.h @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) @@ -893,6 +1213,9 @@ include/sf_sdlist.h: $(srcdir)/../sf_sdlist.h @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) +include/sf_sdlist_types.h: $(srcdir)/../sf_sdlist_types.h + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + include/sf_sdlist.c: $(srcdir)/../sf_sdlist.c @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) 
@@ -905,12 +1228,27 @@ include/sfPolicy.h: $(srcdir)/../sfutil/sfPolicy.h @src_header=$?; dst_header=$@; $(copy_headers); $(replace_policy_globals) +include/util_unfold.h: $(srcdir)/../sfutil/util_unfold.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/util_unfold.c: $(srcdir)/../sfutil/util_unfold.c + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_base64decode.h: $(srcdir)/../sfutil/sf_base64decode.h @src_header=$?; dst_header=$@; $(copy_headers) include/sf_base64decode.c: $(srcdir)/../sfutil/sf_base64decode.c @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_email_attach_decode.h: $(srcdir)/../sfutil/sf_email_attach_decode.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/sf_email_attach_decode.c: $(srcdir)/../sfutil/sf_email_attach_decode.c + @src_header=$?; dst_header=$@; $(copy_headers); $(copy_error_message); $(replace_policy_globals) + +include/Unified2_common.h: $(srcdir)/../sfutil/Unified2_common.h + @src_header=$?; dst_header=$@; $(copy_headers) + # From dynamic-plugins/sf_engine/examples include/sfsnort_dynamic_detection_lib.c: $(srcdir)/../dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c @src_header=$?; dst_header=$@; $(copy_headers) @@ -922,9 +1260,15 @@ include/sf_snort_packet.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_packet.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_protocols.h: $(srcdir)/../sf_protocols.h + @src_header=$?; dst_header=$@; $(copy_headers) + include/sf_snort_plugin_api.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_snort_plugin_api.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sf_decompression.h: $(srcdir)/../dynamic-plugins/sf_engine/sf_decompression.h + @src_header=$?; dst_header=$@; $(copy_headers) + # Stream API/String Searching, massage it to use SFSnortPacket include/stream_api.h: $(srcdir)/../preprocessors/stream_api.h @src_header=$?; dst_header=$@; $(massage_headers) 
@@ -941,6 +1285,12 @@ include/plugin_enum.h: $(srcdir)/../plugin_enum.h @src_header=$?; dst_header=$@; $(copy_headers) +include/sfcontrol.h: $(top_srcdir)/src/control/sfcontrol.h + @src_header=$?; dst_header=$@; $(copy_headers) + +include/idle_processing.h: $(top_srcdir)/src/idle_processing.h + @src_header=$?; dst_header=$@; $(copy_headers) + clean-local: rm -rf include build @@ -956,7 +1306,7 @@ @HAVE_DYNAMIC_PLUGINS_TRUE@ @for f in $(exported_files); do \ @HAVE_DYNAMIC_PLUGINS_TRUE@ truefile=`echo $$f | sed -e "s/.*\///"`; \ @HAVE_DYNAMIC_PLUGINS_TRUE@ $(mkinstalldirs) $(DESTDIR)$(srcinstdir); \ -@HAVE_DYNAMIC_PLUGINS_TRUE@ $(RM) -f $(DESTDIR)$(srcinstdir)/$$truefile; \ +@HAVE_DYNAMIC_PLUGINS_TRUE@ rm -f $(DESTDIR)$(srcinstdir)/$$truefile; \ @HAVE_DYNAMIC_PLUGINS_TRUE@ done # Tell versions [3.59,3.63) of GNU make to not export all variables. diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/Makefile.am snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.am --- snort-2.9.0.1/src/dynamic-preprocessors/modbus/Makefile.am 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.am 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,34 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_modbus_preproc.la
+
+libsf_modbus_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_modbus_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_modbus_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_modbus_preproc_la_SOURCES = \
+spp_modbus.c \
+spp_modbus.h \
+modbus_decode.c \
+modbus_decode.h \
+modbus_roptions.c \
+modbus_roptions.h \
+modbus_paf.c \
+modbus_paf.h
+
+EXTRA_DIST = \
+sf_modbus.dsp
+
+all-local: $(LTLIBRARIES)
+	$(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/Makefile.in snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.in
--- snort-2.9.0.1/src/dynamic-preprocessors/modbus/Makefile.in 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/Makefile.in 2011-12-07 11:23:19.000000000 -0800
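Review bot: `libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor` overrides the configure-supplied `--libdir`, so this module is installed to a fixed path that ignores the user's lib directory choice and differs from where the top-level Makefile in this same diff installs the shared helper library (`preproclibdir = $(pkglibdir)/dynamic_preproc`); a packager ends up with two install roots to reconcile, and since the loader path for these plugins is whatever the operator configures, a silent divergence between the two is easy to miss. A cleaner form is a dedicated directory variable, `preproclibdir = ${exec_prefix}/lib/snort_dynamicpreprocessor` and `preproclib_LTLIBRARIES = libsf_modbus_preproc.la`, with the `all-local` recipe calling `install-preproclibLTLIBRARIES` instead of `install-libLTLIBRARIES`; if the sibling preprocessor directories use the same override, they should presumably be changed together rather than here alone. Independently, the `all-local` recipe passes the unquoted output of pwd as DESTDIR, which breaks on a build path containing whitespace (wrap it as DESTDIR="…/../build"), and `INCLUDES` is the deprecated spelling of `AM_CPPFLAGS` in newer automake.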
@@ -0,0 +1,556 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/modbus +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_modbus_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_modbus_preproc_la_OBJECTS = spp_modbus.lo modbus_decode.lo \ + modbus_roptions.lo modbus_paf.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_modbus_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_modbus_preproc_la_OBJECTS = \ + $(am_libsf_modbus_preproc_la_OBJECTS) \ + $(nodist_libsf_modbus_preproc_la_OBJECTS) +libsf_modbus_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_modbus_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_modbus_preproc_la_SOURCES) \ + $(nodist_libsf_modbus_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_modbus_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = 
@RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_modbus_preproc.la +libsf_modbus_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ 
+@SO_WITH_STATIC_LIB_TRUE@libsf_modbus_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_modbus_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_modbus_preproc_la_SOURCES = \ +spp_modbus.c \ +spp_modbus.h \ +modbus_decode.c \ +modbus_decode.h \ +modbus_roptions.c \ +modbus_roptions.h \ +modbus_paf.c \ +modbus_paf.h + +EXTRA_DIST = \ +sf_modbus.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/modbus/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/modbus/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_modbus_preproc.la: $(libsf_modbus_preproc_la_OBJECTS) $(libsf_modbus_preproc_la_DEPENDENCIES) + $(libsf_modbus_preproc_la_LINK) -rpath $(libdir) $(libsf_modbus_preproc_la_OBJECTS) $(libsf_modbus_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; 
then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_decode.c snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.c --- snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_decode.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,428 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the Modbus protocol + * + */ + +#include "modbus_decode.h" + +/* Modbus Function Codes */ +#define MODBUS_FUNC_READ_COILS 0x01 +#define MODBUS_FUNC_READ_DISCRETE_INPUTS 0x02 +#define MODBUS_FUNC_READ_HOLDING_REGISTERS 0x03 +#define MODBUS_FUNC_READ_INPUT_REGISTERS 0x04 +#define MODBUS_FUNC_WRITE_SINGLE_COIL 0x05 +#define MODBUS_FUNC_WRITE_SINGLE_REGISTER 0x06 +#define MODBUS_FUNC_READ_EXCEPTION_STATUS 0x07 +#define MODBUS_FUNC_DIAGNOSTICS 0x08 +#define MODBUS_FUNC_GET_COMM_EVENT_COUNTER 0x0B +#define MODBUS_FUNC_GET_COMM_EVENT_LOG 0x0C +#define MODBUS_FUNC_WRITE_MULTIPLE_COILS 0x0F +#define MODBUS_FUNC_WRITE_MULTIPLE_REGISTERS 0x10 +#define MODBUS_FUNC_REPORT_SLAVE_ID 0x11 +#define MODBUS_FUNC_READ_FILE_RECORD 0x14 +#define MODBUS_FUNC_WRITE_FILE_RECORD 0x15 +#define MODBUS_FUNC_MASK_WRITE_REGISTER 0x16 +#define MODBUS_FUNC_READ_WRITE_MULTIPLE_REGISTERS 0x17 +#define MODBUS_FUNC_READ_FIFO_QUEUE 0x18 +#define MODBUS_FUNC_ENCAPSULATED_INTERFACE_TRANSPORT 0x2B +#define MODBUS_SUB_FUNC_CANOPEN 0x0D +#define MODBUS_SUB_FUNC_READ_DEVICE_ID 0x0E + + +/* Other defines */ +#define 
MODBUS_PROTOCOL_ID 0 +#define MODBUS_BYTE_COUNT_SIZE 1 +#define MODBUS_FILE_RECORD_SUB_REQUEST_SIZE 7 +#define MODBUS_FILE_RECORD_SUB_REQUEST_LEN_OFFSET 5 +#define MODBUS_READ_DEVICE_ID_HEADER_LEN 6 +#define MODBUS_READ_DEVICE_ID_NUM_OBJ_OFFSET 5 + +/* Modbus data structures */ +typedef struct _modbus_header +{ + /* MBAP Header */ + uint16_t transaction_id; + uint16_t protocol_id; + uint16_t length; + uint8_t unit_id; + + /* PDU Start */ + uint8_t function_code; +} modbus_header_t; + + +static void ModbusCheckRequestLengths(modbus_session_data_t *session, SFSnortPacket *packet) +{ + uint16_t modbus_payload_len = packet->payload_size - MODBUS_MIN_LEN; + uint8_t tmp_count; + int check_passed = 0; + + switch (session->func) + { + case MODBUS_FUNC_READ_COILS: + case MODBUS_FUNC_READ_DISCRETE_INPUTS: + case MODBUS_FUNC_READ_HOLDING_REGISTERS: + case MODBUS_FUNC_READ_INPUT_REGISTERS: + case MODBUS_FUNC_WRITE_SINGLE_COIL: + case MODBUS_FUNC_WRITE_SINGLE_REGISTER: + case MODBUS_FUNC_DIAGNOSTICS: + if (modbus_payload_len == 4) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_EXCEPTION_STATUS: + case MODBUS_FUNC_GET_COMM_EVENT_COUNTER: + case MODBUS_FUNC_GET_COMM_EVENT_LOG: + case MODBUS_FUNC_REPORT_SLAVE_ID: + if (modbus_payload_len == 0) + check_passed = 1; + break; + + case MODBUS_FUNC_WRITE_MULTIPLE_COILS: + case MODBUS_FUNC_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len >= 5) /* start addr + quantity + byte count */ + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN + 5); + if (modbus_payload_len == tmp_count + 5) + check_passed = 1; + } + break; + + case MODBUS_FUNC_MASK_WRITE_REGISTER: + if (modbus_payload_len == 6) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len >= 8) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN + 8); /* byte count */ + if (modbus_payload_len == 9 + tmp_count) + check_passed = 1; + } + break; + + + case MODBUS_FUNC_READ_FIFO_QUEUE: + if (modbus_payload_len == 2) + 
check_passed = 1; + break; + + case MODBUS_FUNC_ENCAPSULATED_INTERFACE_TRANSPORT: + if (modbus_payload_len >= 1) + { + uint8_t mei_type = *(packet->payload + MODBUS_MIN_LEN); + + /* MEI Type 0x0E is covered under the Modbus spec as + "Read Device Identification". Type 0x0D is defined in + the spec as "CANopen General Reference Request and Response PDU" + and falls outside the scope of the Modbus preprocessor. + + Other values are reserved. + */ + if ((mei_type == 0x0E) && modbus_payload_len == 3) + check_passed = 1; + } + break; + + + case MODBUS_FUNC_READ_FILE_RECORD: + /* Modbus read file record request contains a byte count, followed + by a set of 7-byte sub-requests. */ + if (modbus_payload_len >= 1) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN); + if ((tmp_count == modbus_payload_len - 1) && + (tmp_count % MODBUS_FILE_RECORD_SUB_REQUEST_SIZE == 0)) + { + check_passed = 1; + } + } + break; + + case MODBUS_FUNC_WRITE_FILE_RECORD: + /* Modbus write file record request contains a byte count, followed + by a set of sub-requests that contain a 7-byte header and a + variable amount of data. */ + + if (modbus_payload_len >= 1) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN); + if (tmp_count == modbus_payload_len - 1) + { + uint16_t bytes_processed = 0; + + while (bytes_processed < (uint16_t)tmp_count) + { + uint16_t record_length = 0; + + /* Check space for sub-request header info */ + if ((modbus_payload_len - bytes_processed) < + MODBUS_FILE_RECORD_SUB_REQUEST_SIZE) + break; + + /* Extract record length. */ + record_length = *(packet->payload + MODBUS_MIN_LEN + + MODBUS_BYTE_COUNT_SIZE + bytes_processed + + MODBUS_FILE_RECORD_SUB_REQUEST_LEN_OFFSET); + + record_length = record_length << 8; + + record_length |= *(packet->payload + MODBUS_MIN_LEN + + MODBUS_BYTE_COUNT_SIZE + bytes_processed + + MODBUS_FILE_RECORD_SUB_REQUEST_LEN_OFFSET + 1); + + /* Jump over record data. 
*/ + bytes_processed += MODBUS_FILE_RECORD_SUB_REQUEST_SIZE + + 2*record_length; + + if (bytes_processed == (uint16_t)tmp_count) + check_passed = 1; + } + } + } + break; + + default: /* Don't alert if we couldn't check the length. */ + check_passed = 1; + break; + } + + if (!check_passed) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3, + MODBUS_BAD_LENGTH_STR, 0); + } +} + +static void ModbusCheckResponseLengths(modbus_session_data_t *session, SFSnortPacket *packet) +{ + uint16_t modbus_payload_len = packet->payload_size - MODBUS_MIN_LEN; + uint8_t tmp_count; + int check_passed = 0; + + switch (session->func) + { + case MODBUS_FUNC_READ_COILS: + case MODBUS_FUNC_READ_DISCRETE_INPUTS: + case MODBUS_FUNC_GET_COMM_EVENT_LOG: + case MODBUS_FUNC_READ_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len >= 1) + { + tmp_count = *(packet->payload + MODBUS_MIN_LEN); /* byte count */ + if (modbus_payload_len == 1 + tmp_count) + check_passed = 1; + } + break; + + case MODBUS_FUNC_READ_HOLDING_REGISTERS: + case MODBUS_FUNC_READ_INPUT_REGISTERS: + if (modbus_payload_len >= 1) + { + /* count of 2-byte registers*/ + tmp_count = *(packet->payload + MODBUS_MIN_LEN); + if (modbus_payload_len == 1 + 2*tmp_count) + check_passed = 1; + } + break; + + case MODBUS_FUNC_WRITE_SINGLE_COIL: + case MODBUS_FUNC_WRITE_SINGLE_REGISTER: + case MODBUS_FUNC_DIAGNOSTICS: + case MODBUS_FUNC_GET_COMM_EVENT_COUNTER: + case MODBUS_FUNC_WRITE_MULTIPLE_COILS: + case MODBUS_FUNC_WRITE_MULTIPLE_REGISTERS: + if (modbus_payload_len == 4) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_EXCEPTION_STATUS: + if (modbus_payload_len == 1) + check_passed = 1; + break; + + case MODBUS_FUNC_MASK_WRITE_REGISTER: + if (modbus_payload_len == 6) + check_passed = 1; + break; + + case MODBUS_FUNC_READ_FIFO_QUEUE: + if (modbus_payload_len >= 2) + { + uint16_t tmp_count_16; + + /* This function uses a 2-byte byte count!! 
*/ + tmp_count_16 = *(uint16_t *)(packet->payload + MODBUS_MIN_LEN); + tmp_count_16 = ntohs(tmp_count_16); + if (modbus_payload_len == 2 + tmp_count_16) + check_passed = 1; + } + break; + + case MODBUS_FUNC_ENCAPSULATED_INTERFACE_TRANSPORT: + if (modbus_payload_len >= MODBUS_READ_DEVICE_ID_HEADER_LEN) + { + uint8_t mei_type = *(packet->payload + MODBUS_MIN_LEN); + uint8_t num_objects = *(packet->payload + MODBUS_MIN_LEN + + MODBUS_READ_DEVICE_ID_NUM_OBJ_OFFSET); + uint16_t offset; + uint8_t i; + + /* MEI Type 0x0E is covered under the Modbus spec as + "Read Device Identification". Type 0x0D is defined in + the spec as "CANopen General Reference Request and Response PDU" + and falls outside the scope of the Modbus preprocessor. + + Other values are reserved. + */ + + if (mei_type == MODBUS_SUB_FUNC_CANOPEN) + check_passed = 1; + + if (mei_type != MODBUS_SUB_FUNC_READ_DEVICE_ID) + break; + + /* Loop through sub-requests, make sure that the lengths inside + don't violate our total Modbus PDU size. */ + + offset = MODBUS_READ_DEVICE_ID_HEADER_LEN; + for (i = 0; i < num_objects; i++) + { + uint8_t sub_request_data_len; + + /* Sub request starts with 2 bytes, type + len */ + if (offset + 2 > modbus_payload_len) + break; + + /* Length is second byte in sub-request */ + sub_request_data_len = *(packet->payload + MODBUS_MIN_LEN + + offset + 1); + + /* Set offset to byte after sub-request */ + offset += (2 + sub_request_data_len); + } + + if ((i == num_objects) && (offset == modbus_payload_len)) + check_passed = 1; + } + break; + + /* Cannot check this response, as it is device specific. */ + case MODBUS_FUNC_REPORT_SLAVE_ID: + + /* Cannot check these responses, as their sizes depend on the corresponding + requests. Can re-visit if we bother with request/response tracking. */ + case MODBUS_FUNC_READ_FILE_RECORD: + case MODBUS_FUNC_WRITE_FILE_RECORD: + + default: /* Don't alert if we couldn't check the lengths. 
*/ + check_passed = 1; + break; + } + + if (!check_passed) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3, + MODBUS_BAD_LENGTH_STR, 0); + } +} + +static void ModbusCheckReservedFuncs(modbus_header_t *header, SFSnortPacket *packet) +{ + switch (header->function_code) + { + /* Reserved function codes */ + case MODBUS_FUNC_DIAGNOSTICS: + /* Only some sub-functions are reserved here. */ + { + uint16_t sub_func; + + if (packet->payload_size < MODBUS_MIN_LEN+2) + break; + + sub_func = *((uint16_t *)(packet->payload + MODBUS_MIN_LEN)); + sub_func = ntohs(sub_func); + + if ((sub_func == 19) || (sub_func >= 21)) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_RESERVED_FUNCTION, + 1, 0, 3, MODBUS_RESERVED_FUNCTION_STR, 0); + } + } + break; + case 0x09: + case 0x0A: + case 0x0D: + case 0x0E: + case 0x29: + case 0x2A: + case 0x5A: + case 0x5B: + case 0x7D: + case 0x7E: + case 0x7F: + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_RESERVED_FUNCTION, 1, 0, 3, + MODBUS_RESERVED_FUNCTION_STR, 0); + break; + } +} + +int ModbusDecode(modbus_config_t *config, SFSnortPacket *packet) +{ + modbus_session_data_t *session; + modbus_header_t *header; + + if (packet->payload_size < MODBUS_MIN_LEN) + return MODBUS_FAIL; + + session = (modbus_session_data_t *) + _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_MODBUS); + + /* Lay the header struct over the payload */ + header = (modbus_header_t *) packet->payload; + + /* The protocol ID field should read 0x0000 for Modbus. It allows for + multiplexing with some other protocols over serial line. */ + if (header->protocol_id != MODBUS_PROTOCOL_ID) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_PROTO_ID, 1, 0, 3, + MODBUS_BAD_PROTO_ID_STR, 0); + return MODBUS_FAIL; + } + + /* Set the session data. + Normally we'd need to swap byte order, but these are 8-bit fields. 
*/ + session->unit = header->unit_id; + session->func = header->function_code; + + /* Check for reserved function codes */ + ModbusCheckReservedFuncs(header, packet); + + /* Read the Modbus payload and check lengths against the expected length for + each function. */ + if (packet->flags & FLAG_FROM_CLIENT) + ModbusCheckRequestLengths(session, packet); + else + ModbusCheckResponseLengths(session, packet); + + return MODBUS_OK; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_decode.h snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.h --- snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_decode.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_decode.h 2011-10-26 11:28:52.000000000 -0700 
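Review bot: In ModbusCheckRequestLengths the guards on the variable-length requests are one byte short of the read they protect: the WRITE_MULTIPLE_COILS/REGISTERS case requires only `modbus_payload_len >= 5` but reads `*(packet->payload + MODBUS_MIN_LEN + 5)`, and the READ_WRITE_MULTIPLE_REGISTERS case requires `>= 8` but reads offset 8, so a request of exactly 5 (or 8) PDU bytes indexes one byte past `payload_size`. For the coils/registers case the byte count follows the 2-byte start address and 2-byte quantity, so `MODBUS_MIN_LEN + 4` looks like the intended offset (it is what the `tmp_count + 5` comparison assumes); for the read/write case the guard should be `>= 9` to match the `9 + tmp_count` comparison. The WRITE_FILE_RECORD loop has the same shape: the space check `(modbus_payload_len - bytes_processed) < MODBUS_FILE_RECORD_SUB_REQUEST_SIZE` does not subtract MODBUS_BYTE_COUNT_SIZE although both record-length reads are offset by it, so the second read lands at `payload_size` whenever `bytes_processed + 7 == modbus_payload_len`. Separately, ModbusDecode dereferences the `session` returned by get_application_data without a NULL check; unless the caller in spp_modbus.c guarantees a session exists, `if (session == NULL) return MODBUS_FAIL;` before the header overlay would be safer.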
@@ -0,0 +1,49 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the Modbus protocol + * + */ + +#ifndef MODBUS_DECODE_H +#define MODBUS_DECODE_H + +#include <stdint.h> + +#include "spp_modbus.h" +#include "sf_snort_plugin_api.h" + +/* Need 8 bytes for MBAP Header + Function Code */ +#define MODBUS_MIN_LEN 8 + +/* GIDs, SIDs, and Strings */ +#define GENERATOR_SPP_MODBUS 144 + +#define MODBUS_BAD_LENGTH 1 +#define MODBUS_BAD_PROTO_ID 2 +#define MODBUS_RESERVED_FUNCTION 3 + +#define MODBUS_BAD_LENGTH_STR "(spp_modbus): Length in Modbus MBAP header does not match the length needed for the given Modbus function." +#define MODBUS_BAD_PROTO_ID_STR "(spp_modbus): Modbus protocol ID is non-zero." +#define MODBUS_RESERVED_FUNCTION_STR "(spp_modbus): Reserved Modbus function code in use." 
+ +int ModbusDecode(modbus_config_t *config, SFSnortPacket *packet); + +#endif /* MODBUS_DECODE_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_paf.c snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.c --- snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_paf.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,138 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Protocol-Aware Flushing (PAF) code for the Modbus preprocessor. + * + */ + +#include "spp_modbus.h" +#include "modbus_decode.h" +#include "modbus_paf.h" +#include "sf_dynamic_preprocessor.h" + +/* Defines */ +#define MODBUS_MIN_HDR_LEN 2 /* Enough for Unit ID + Function */ +#define MODBUS_MAX_HDR_LEN 254 /* Max PDU size is 260, 6 bytes already seen */ + + +int ModbusPafRegister(uint16_t port, tSfPolicyId policy_id) +{ + if (!_dpd.isPafEnabled()) + return 0; + + _dpd.streamAPI->register_paf_cb(policy_id, port, 0, ModbusPaf, true); + _dpd.streamAPI->register_paf_cb(policy_id, port, 1, ModbusPaf, true); + + return 0; +} + + +/* Function: ModbusPaf() + + Purpose: Modbus/TCP PAF callback. + Statefully inspects Modbus traffic from the start of a session, + Reads up until the length octet is found, then sets a flush point. 
+ + Arguments: + void * - stream5 session pointer + void ** - Modbus state tracking structure + const uint8_t * - payload data to inspect + uint32_t - length of payload data + uint32_t - flags to check whether client or server + uint32_t * - pointer to set flush point + + Returns: + PAF_Status - PAF_FLUSH if flush point found, PAF_SEARCH otherwise +*/ + +PAF_Status ModbusPaf(void *ssn, void **user, const uint8_t *data, + uint32_t len, uint32_t flags, uint32_t *fp) +{ + modbus_paf_data_t *pafdata = *(modbus_paf_data_t **)user; + uint32_t bytes_processed = 0; + + /* Allocate state object if it doesn't exist yet. */ + if (pafdata == NULL) + { + pafdata = calloc(1, sizeof(modbus_paf_data_t)); + if (pafdata == NULL) + return PAF_ABORT; + + *user = pafdata; + } + + /* Process this packet 1 byte at a time */ + while (bytes_processed < len) + { + switch (pafdata->state) + { + /* Skip the Transaction & Protocol IDs */ + case MODBUS_PAF_STATE__TRANS_ID_1: + case MODBUS_PAF_STATE__TRANS_ID_2: + case MODBUS_PAF_STATE__PROTO_ID_1: + case MODBUS_PAF_STATE__PROTO_ID_2: + pafdata->state++; + break; + + /* Read length 1 byte at a time, in case a TCP segment is sent + * with only 5 bytes from the MBAP header */ + case MODBUS_PAF_STATE__LENGTH_1: + pafdata->modbus_length |= ( *(data + bytes_processed) << 8 ); + pafdata->state++; + break; + + case MODBUS_PAF_STATE__LENGTH_2: + pafdata->modbus_length |= *(data + bytes_processed); + pafdata->state++; + break; + + case MODBUS_PAF_STATE__SET_FLUSH: + if ((pafdata->modbus_length < MODBUS_MIN_HDR_LEN) || + (pafdata->modbus_length > MODBUS_MAX_HDR_LEN)) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3, + MODBUS_BAD_LENGTH_STR, 0); + } + + *fp = pafdata->modbus_length + bytes_processed; + pafdata->state = MODBUS_PAF_STATE__TRANS_ID_1; + pafdata->modbus_length = 0; + return PAF_FLUSH; + } + + bytes_processed++; + } + + return PAF_SEARCH; +} + +/* Take a Modbus config + Snort policy, iterate through ports, register PAF 
callback */ +void ModbusAddPortsToPaf(modbus_config_t *config, tSfPolicyId policy_id) +{ + unsigned int i; + + for (i = 0; i < MAX_PORTS; i++) + { + if (config->ports[PORT_INDEX(i)] & CONV_PORT(i)) + { + ModbusPafRegister((uint16_t) i, policy_id); + } + } +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_paf.h snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.h --- snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_paf.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_paf.h 2011-10-26 11:28:52.000000000 -0700 
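Review bot: In ModbusPaf's MODBUS_PAF_STATE__SET_FLUSH case an out-of-range MBAP length raises MODBUS_BAD_LENGTH but is still used as the flush point (`*fp = pafdata->modbus_length + bytes_processed;`), so a peer-supplied length outside [MODBUS_MIN_HDR_LEN, MODBUS_MAX_HDR_LEN] continues to drive segmentation of the stream; if the intent is to stop reassembling on a malformed header, returning PAF_ABORT after the alert would be clearer, and if flushing anyway is deliberate a comment saying so would help. The comment above the length states explains the byte-at-a-time read, but nothing says why the range check is deferred to SET_FLUSH rather than done in LENGTH_2; a one-line note there would save the reader a trip. ModbusPafRegister ignores the return value of `register_paf_cb` and always returns 0, so a failed registration is silent — worth either checking it or documenting that the API cannot fail. Ownership of the calloc'd `modbus_paf_data_t` stored through `*user` is not documented here; presumably stream5 frees it, which is worth a comment on the allocation.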
@@ -0,0 +1,53 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Protocol-Aware Flushing (PAF) code for the Modbus preprocessor.
+ *
+ */
+
+#ifndef MODBUS_PAF__H
+#define MODBUS_PAF__H
+
+#include "spp_modbus.h"
+#include "stream_api.h"
+
+typedef enum _modbus_paf_state
+{
+ MODBUS_PAF_STATE__TRANS_ID_1 = 0,
+ MODBUS_PAF_STATE__TRANS_ID_2,
+ MODBUS_PAF_STATE__PROTO_ID_1,
+ MODBUS_PAF_STATE__PROTO_ID_2,
+ MODBUS_PAF_STATE__LENGTH_1,
+ MODBUS_PAF_STATE__LENGTH_2,
+ MODBUS_PAF_STATE__SET_FLUSH
+} modbus_paf_state_t;
+
+typedef struct _modbus_paf_data
+{
+ modbus_paf_state_t state;
+ uint16_t modbus_length;
+} modbus_paf_data_t;
+
+void ModbusAddPortsToPaf(modbus_config_t *config, tSfPolicyId policy_id);
+int ModbusPafRegister(uint16_t port, tSfPolicyId policy_id);
+PAF_Status ModbusPaf(void *ssn, void **user, const uint8_t *data,
+ uint32_t len, uint32_t flags, uint32_t *fp);
+
+#endif /* MODBUS_PAF__H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_roptions.c snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.c
--- snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_roptions.c 1969-12-31 16:00:00.000000000 -0800
+++ 
snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,249 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Rule options for Modbus preprocessor
+ *
+ */
+
+#include <string.h>
+
+#include "sf_types.h"
+#include "sf_snort_plugin_api.h"
+#include "sf_dynamic_preprocessor.h"
+#include "spp_modbus.h"
+#include "modbus_decode.h"
+#include "modbus_roptions.h"
+
+/* Mapping of name -> function code for 'modbus_func' option. 
 */
+static modbus_func_map_t func_map[] =
+{
+ {"read_coils", 1},
+ {"read_discrete_inputs", 2},
+ {"read_holding_registers", 3},
+ {"read_input_registers", 4},
+ {"write_single_coil", 5},
+ {"write_single_register", 6},
+ {"read_exception_status", 7},
+ {"diagnostics", 8},
+ {"get_comm_event_counter", 11},
+ {"get_comm_event_log", 12},
+ {"write_multiple_coils", 15},
+ {"write_multiple_registers", 16},
+ {"report_slave_id", 17},
+ {"read_file_record", 20},
+ {"write_file_record", 21},
+ {"mask_write_register", 22},
+ {"read_write_multiple_registers", 23},
+ {"read_fifo_queue", 24},
+ {"encapsulated_interface_transport", 43}
+};
+
+int ModbusFuncInit(char *name, char *params, void **data)
+{
+ char *endptr;
+ modbus_option_data_t *modbus_data;
+ unsigned int func_code = 0;
+
+ if (name == NULL || data == NULL)
+ return 0;
+
+ if (strcmp(name, MODBUS_FUNC_NAME) != 0)
+ return 0;
+
+ if (params == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): No argument given for modbus_func. "
+ "modbus_func requires a number between 0 and 255, or a valid function "
+ "name.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data = (modbus_option_data_t *)calloc(1, sizeof(modbus_option_data_t));
+ if (modbus_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "modbus_func data structure.\n", __FILE__, __LINE__);
+ }
+
+ /* Parsing time */
+ if (isdigit(params[0]))
+ {
+ /* Function code given as integer */
+ func_code = _dpd.SnortStrtoul(params, &endptr, 10);
+ if ((func_code > 255) || (*endptr != '\0'))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_func requires a "
+ "number between 0 and 255, or a valid function name.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+ }
+ else
+ {
+ /* Check the argument against the map in modbus_roptions.h */
+ size_t i;
+ int parse_success = 0;
+ for (i = 0; i < (sizeof(func_map) / sizeof(modbus_func_map_t)); i++)
+ {
+ if (strcmp(params, func_map[i].name) == 0)
+ {
+ 
parse_success = 1;
+ func_code = func_map[i].func;
+ break;
+ }
+ }
+
+ if (!parse_success)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_func requires a "
+ "number between 0 and 255, or a valid function name.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+ }
+
+ modbus_data->type = MODBUS_FUNC;
+ modbus_data->arg = (uint8_t) func_code;
+
+ *data = (void *)modbus_data;
+
+ return 1;
+}
+
+int ModbusUnitInit(char *name, char *params, void **data)
+{
+ char *endptr;
+ modbus_option_data_t *modbus_data;
+ unsigned int unit_code;
+
+ if (name == NULL || data == NULL)
+ return 0;
+
+ if (strcmp(name, MODBUS_UNIT_NAME) != 0)
+ return 0;
+
+ if (params == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): No argument given for modbus_unit. "
+ "modbus_unit requires a number between 0 and 255.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data = (modbus_option_data_t *)calloc(1, sizeof(modbus_option_data_t));
+ if (modbus_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "modbus_unit data structure.\n", __FILE__, __LINE__);
+ }
+
+ /* Parsing time */
+ unit_code = _dpd.SnortStrtoul(params, &endptr, 10);
+ if ((unit_code > 255) || (*endptr != '\0'))
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_unit requires a "
+ "number between 0 and 255.\n",
+ *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data->type = MODBUS_UNIT;
+ modbus_data->arg = (uint8_t) unit_code;
+
+ *data = (void *)modbus_data;
+
+ return 1;
+}
+
+int ModbusDataInit(char *name, char *params, void **data)
+{
+ modbus_option_data_t *modbus_data;
+
+ if (strcmp(name, MODBUS_DATA_NAME) != 0)
+ return 0;
+
+ /* Nothing to parse. 
 */
+ if (params)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): modbus_data does not take "
+ "any arguments.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+
+ modbus_data = (modbus_option_data_t *)calloc(1, sizeof(modbus_option_data_t));
+ if (modbus_data == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d) Failed to allocate memory for "
+ "modbus_data data structure.\n", __FILE__, __LINE__);
+ }
+
+ modbus_data->type = MODBUS_DATA;
+ modbus_data->arg = 0;
+
+ *data = (void *)modbus_data;
+
+ return 1;
+}
+
+/* Modbus rule evaluation callback. */
+int ModbusRuleEval(void *raw_packet, const uint8_t **cursor, void *data)
+{
+ SFSnortPacket *packet = (SFSnortPacket *)raw_packet;
+ modbus_option_data_t *rule_data = (modbus_option_data_t *)data;
+ modbus_session_data_t *session_data;
+
+ /* The preprocessor only evaluates PAF-flushed PDUs. If the rule options
+ don't check for this, they'll fire on stale session data when the
+ original packet goes through before flushing. */
+ if (!PacketHasFullPDU(packet))
+ return RULE_NOMATCH;
+
+ session_data = (modbus_session_data_t *)
+ _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_MODBUS);
+
+ if ((packet->payload_size == 0 ) || (session_data == NULL))
+ {
+ return RULE_NOMATCH;
+ }
+
+
+ switch (rule_data->type)
+ {
+ case MODBUS_FUNC:
+ if (session_data->func == rule_data->arg)
+ return RULE_MATCH;
+ break;
+
+ case MODBUS_UNIT:
+ if (session_data->unit == rule_data->arg)
+ return RULE_MATCH;
+ break;
+
+ case MODBUS_DATA:
+ /* XXX: If a PDU contains only the MBAP + Function, should this
+ option fail or set the cursor to the end of the payload? */
+ if (packet->payload_size < MODBUS_MIN_LEN)
+ return RULE_NOMATCH;
+
+ /* Modbus data is always directly after the function code. 
 */
+ *cursor = (const uint8_t *) (packet->payload + MODBUS_MIN_LEN);
+ _dpd.SetAltDetect((uint8_t *)*cursor, (uint16_t)(packet->payload_size - MODBUS_MIN_LEN));
+
+ return RULE_MATCH;
+ }
+
+ return RULE_NOMATCH;
+}
+
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_roptions.h snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.h
--- snort-2.9.0.1/src/dynamic-preprocessors/modbus/modbus_roptions.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/modbus_roptions.h 2011-10-26 11:28:52.000000000 -0700
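Review bot: ModbusDataInit calls `strcmp(name, MODBUS_DATA_NAME)` without the `if (name == NULL || data == NULL) return 0;` guard that ModbusFuncInit and ModbusUnitInit both start with, so a NULL name reaches strcmp (undefined behaviour) and a NULL data is dereferenced at `*data = (void *)modbus_data;`; adding the same two-line guard at the top of ModbusDataInit makes the three option initialisers consistent. Separately, ModbusFuncInit passes a plain `char` to `isdigit(params[0])` while the hunk includes only `<string.h>` from the standard library, so unless a project header pulls ctype in the call relies on an implicit declaration, and a byte above 0x7F is undefined behaviour for isdigit; `isdigit((unsigned char)params[0])` plus `#include <ctype.h>` fixes both. In ModbusRuleEval, `rule_data->type` is read before any check of `data`; if the option framework can ever call the evaluator with a NULL data, an `if (rule_data == NULL) return RULE_NOMATCH;` next to the existing session_data check would make that explicit.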
@@ -0,0 +1,60 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Rule options for Modbus preprocessor.
+ *
+ */
+
+#ifndef MODBUS_ROPTIONS_H
+#define MODBUS_ROPTIONS_H
+
+#include <stdint.h>
+
+#define MODBUS_FUNC_NAME "modbus_func"
+#define MODBUS_UNIT_NAME "modbus_unit"
+#define MODBUS_DATA_NAME "modbus_data"
+
+/* Data types */
+typedef enum _modbus_option_type_t
+{
+ MODBUS_FUNC = 0,
+ MODBUS_UNIT,
+ MODBUS_DATA
+} modbus_option_type_t;
+
+typedef struct _modbus_option_data_t
+{
+ modbus_option_type_t type;
+ uint16_t arg;
+} modbus_option_data_t;
+
+typedef struct _modbus_func_map_t
+{
+ char *name;
+ uint8_t func;
+} modbus_func_map_t;
+
+int ModbusFuncInit(char *name, char *params, void **data);
+int ModbusUnitInit(char *name, char *params, void **data);
+int ModbusDataInit(char *name, char *params, void **data);
+
+int ModbusRuleEval(void *raw_packet, const uint8_t **cursor, void *data);
+
+#endif /* MODBUS_ROPTIONS_H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/sf_modbus.dsp snort-2.9.2/src/dynamic-preprocessors/modbus/sf_modbus.dsp
--- snort-2.9.0.1/src/dynamic-preprocessors/modbus/sf_modbus.dsp 1969-12-31 16:00:00.000000000 -0800
+++ 
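Review bot: `modbus_func_map_t.name` is declared `char *`, but the only table built from it, func_map in modbus_roptions.c, is initialised from string literals and read only through strcmp, so `const char *name;` records that the entries are never written and would let that table be declared `static const`. `modbus_option_data_t.arg` is a `uint16_t` that both ModbusFuncInit and ModbusUnitInit fill with a `(uint8_t)` cast after rejecting values above 255, and ModbusDataInit leaves at 0; a one-line comment on the field such as `/* function or unit code (0-255); unused for MODBUS_DATA */` would document that range and the per-type meaning where a reader of the header will look for it.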
snort-2.9.2/src/dynamic-preprocessors/modbus/sf_modbus.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,215 @@ +# Microsoft Developer Studio Project File - Name="sf_modbus" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_modbus - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_modbus.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_modbus.mak" CFG="sf_modbus - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_modbus - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_modbus - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_modbus - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_modbus - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_modbus - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D 
"DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_modbus - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 
0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_modbus - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_modbus___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_modbus___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# 
ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_modbus - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_modbus___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_modbus___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib 
odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_modbus - Win32 Release" +# Name "sf_modbus - Win32 Debug" +# Name "sf_modbus - Win32 IPv6 Debug" +# Name "sf_modbus - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\modbus_decode.c +# End Source File +# Begin Source File + +SOURCE=.\modbus_paf.c +# End Source File +# Begin Source File + +SOURCE=.\modbus_roptions.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\spp_modbus.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\modbus_decode.h +# End Source File +# Begin Source File + +SOURCE=.\modbus_paf.h +# End Source File +# Begin Source File + +SOURCE=.\modbus_roptions.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\spp_modbus.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/spp_modbus.c snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.c --- snort-2.9.0.1/src/dynamic-preprocessors/modbus/spp_modbus.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,661 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * Author: Ryan Jordan + * + * Dynamic preprocessor for the Modbus protocol + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include <string.h> + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" + +#include "preprocids.h" +#include "spp_modbus.h" +#include "sf_preproc_info.h" + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats modbusPerfStats; +#endif + +#include "sf_types.h" + +#include "modbus_decode.h" +#include "modbus_roptions.h" +#include "modbus_paf.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_MODBUS (IPV6)"; +#else +const char *PREPROC_NAME = "SF_MODBUS"; +#endif + +#define SetupModbus DYNAMIC_PREPROC_SETUP + +/* Preprocessor config objects */ +static tSfPolicyUserContextId modbus_context_id = NULL; +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId modbus_swap_context_id = NULL; +#endif +static modbus_config_t *modbus_eval_config = NULL; + + +/* Target-based app ID */ +#ifdef 
TARGET_BASED +int16_t modbus_app_id = SFTARGET_UNKNOWN_PROTOCOL; +#endif + +/* Prototypes */ +static void ModbusInit(char *argp); +static void ModbusOneTimeInit(void); +static modbus_config_t * ModbusPerPolicyInit(tSfPolicyUserContextId); + +static void ProcessModbus(void *, void *); + +#ifdef SNORT_RELOAD +static void ModbusReload(char *); +static int ModbusReloadVerify(void); +static void * ModbusReloadSwap(void); +static void ModbusReloadSwapFree(void *); +#endif + +static void _addPortsToStream5Filter(modbus_config_t *, tSfPolicyId); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif + +static void ModbusFreeConfig(tSfPolicyUserContextId context_id); +static void FreeModbusData(void *); +static void ModbusCheckConfig(void); +static void ModbusCleanExit(int, void *); + +static void ParseModbusArgs(modbus_config_t *config, char *args); +static void ModbusPrintConfig(modbus_config_t *config); + +static int ModbusPortCheck(modbus_config_t *config, SFSnortPacket *packet); +static modbus_session_data_t * ModbusCreateSessionData(SFSnortPacket *); + +/* Register init callback */ +void SetupModbus(void) +{ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("modbus", ModbusInit); +#else + _dpd.registerPreproc("modbus", ModbusInit, ModbusReload, + ModbusReloadSwap, ModbusReloadSwapFree); +#endif +} + +/* Allocate memory for preprocessor config, parse the args, set up callbacks */ +static void ModbusInit(char *argp) +{ + modbus_config_t *modbus_policy = NULL; + + if (modbus_context_id == NULL) + { + ModbusOneTimeInit(); + } + + modbus_policy = ModbusPerPolicyInit(modbus_context_id); + + ParseModbusArgs(modbus_policy, argp); + + /* Can't add ports until they've been parsed... 
*/ + ModbusAddPortsToPaf(modbus_policy, _dpd.getParserPolicy()); + + ModbusPrintConfig(modbus_policy); +} + +static inline void ModbusOneTimeInit() +{ + /* context creation & error checking */ + modbus_context_id = sfPolicyConfigCreate(); + if (modbus_context_id == NULL) + { + _dpd.fatalMsg("%s(%d) Failed to allocate memory for " + "Modbus config.\n", *_dpd.config_file, *_dpd.config_line); + } + + if (_dpd.streamAPI == NULL) + { + _dpd.fatalMsg("%s(%d) SetupModbus(): The Stream preprocessor " + "must be enabled.\n", *_dpd.config_file, *_dpd.config_line); + } + + /* callback registration */ + _dpd.addPreprocConfCheck(ModbusCheckConfig); + _dpd.addPreprocExit(ModbusCleanExit, NULL, PRIORITY_LAST, PP_MODBUS); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("modbus", (void *)&modbusPerfStats, 0, _dpd.totalPerfStats); +#endif + + /* Set up target-based app id */ +#ifdef TARGET_BASED + modbus_app_id = _dpd.findProtocolReference("modbus"); + if (modbus_app_id == SFTARGET_UNKNOWN_PROTOCOL) + modbus_app_id = _dpd.addProtocolReference("modbus"); +#endif +} + +/* Responsible for allocating a Modbus policy. Never returns NULL. 
*/ +static inline modbus_config_t * ModbusPerPolicyInit(tSfPolicyUserContextId context_id) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + modbus_config_t *modbus_policy = NULL; + + /* Check for existing policy & bail if found */ + sfPolicyUserPolicySet(context_id, policy_id); + modbus_policy = (modbus_config_t *)sfPolicyUserDataGetCurrent(context_id); + if (modbus_policy != NULL) + { + _dpd.fatalMsg("%s(%d) Modbus preprocessor can only be " + "configured once.\n", *_dpd.config_file, *_dpd.config_line); + } + + /* Allocate new policy */ + modbus_policy = (modbus_config_t *)calloc(1, sizeof(modbus_config_t)); + if (!modbus_policy) + { + _dpd.fatalMsg("%s(%d) Could not allocate memory for " + "modbus preprocessor configuration.\n" + , *_dpd.config_file, *_dpd.config_line); + } + + sfPolicyUserDataSetCurrent(context_id, modbus_policy); + + /* Register callbacks that are done for each policy */ + _dpd.addPreproc(ProcessModbus, PRIORITY_APPLICATION, PP_MODBUS, PROTO_BIT__TCP); + _addPortsToStream5Filter(modbus_policy, policy_id); +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif + + /* Add preprocessor rule options here */ + /* _dpd.preprocOptRegister("foo_bar", FOO_init, FOO_rule_eval, free, NULL, NULL, NULL, NULL); */ + _dpd.preprocOptRegister("modbus_func", ModbusFuncInit, ModbusRuleEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister("modbus_unit", ModbusUnitInit, ModbusRuleEval, free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister("modbus_data", ModbusDataInit, ModbusRuleEval, free, NULL, NULL, NULL, NULL); + + return modbus_policy; +} + +static void ParseSinglePort(modbus_config_t *config, char *token) +{ + /* single port number */ + char *endptr; + unsigned long portnum = _dpd.SnortStrtoul(token, &endptr, 10); + + if ((*endptr != '\0') || (portnum >= MAX_PORTS)) + { + _dpd.fatalMsg("%s(%d) Bad modbus port number: %s\n" + "Port number must be an integer between 0 and 65535.\n", + *_dpd.config_file, *_dpd.config_line, 
token); + } + + /* Good port number! */ + config->ports[PORT_INDEX(portnum)] |= CONV_PORT(portnum); +} + +static void ParseModbusArgs(modbus_config_t *config, char *args) +{ + char *saveptr; + char *token; + + /* Set default port */ + config->ports[PORT_INDEX(MODBUS_PORT)] |= CONV_PORT(MODBUS_PORT); + + /* No args? Stick to the default. */ + if (args == NULL) + return; + + token = strtok_r(args, " ", &saveptr); + while (token != NULL) + { + if (strcmp(token, "ports") == 0) + { + unsigned nPorts = 0; + + /* Un-set the default port */ + config->ports[PORT_INDEX(MODBUS_PORT)] = 0; + + /* Parse ports */ + token = strtok_r(NULL, " ", &saveptr); + + if (token == NULL) + { + _dpd.fatalMsg("%s(%d) Missing argument for Modbus preprocessor " + "'ports' option.\n", *_dpd.config_file, *_dpd.config_line); + } + + if (isdigit(token[0])) + { + ParseSinglePort(config, token); + nPorts++; + } + + else if (*token == '{') + { + /* list of ports */ + token = strtok_r(NULL, " ", &saveptr); + while (token != NULL && *token != '}') + { + ParseSinglePort(config, token); + nPorts++; + token = strtok_r(NULL, " ", &saveptr); + } + } + + else + { + nPorts = 0; + } + if ( nPorts == 0 ) + { + _dpd.fatalMsg("%s(%d) Bad Modbus 'ports' argument: '%s'\n" + "Argument to Modbus 'ports' must be an integer, or a list " + "enclosed in { } braces.\n", *_dpd.config_file, *_dpd.config_line, token); + } + } + else + { + _dpd.fatalMsg("%s(%d) Failed to parse modbus argument: %s\n", + *_dpd.config_file, *_dpd.config_line, token); + } + + token = strtok_r(NULL, " ", &saveptr); + } + +} + +/* Print a Modbus config */ +static void ModbusPrintConfig(modbus_config_t *config) +{ + int index; + int newline = 1; + + if (config == NULL) + return; + + _dpd.logMsg("Modbus config: \n"); + _dpd.logMsg(" Ports:\n"); + + /* Loop through port array & print, 5 ports per line */ + for (index = 0; index < MAX_PORTS; index++) + { + if (config->ports[PORT_INDEX(index)] & CONV_PORT(index)) + { + _dpd.logMsg("\t%d", index); + if ( 
!((newline++) % 5) ) + { + _dpd.logMsg("\n"); + } + } + } + _dpd.logMsg("\n"); +} + +/* Main runtime entry point */ +static void ProcessModbus(void *ipacketp, void *contextp) +{ + SFSnortPacket *packetp = (SFSnortPacket *)ipacketp; + modbus_session_data_t *sessp; + PROFILE_VARS; + + /* Sanity checks. Should this preprocessor run? */ + if (( !packetp ) || + ( !packetp->payload ) || + ( !packetp->payload_size ) || + ( !IPH_IS_VALID(packetp) ) || + ( !packetp->tcp_header )) + { + return; + } + + PREPROC_PROFILE_START(modbusPerfStats); + + /* Fetch me a preprocessor config to use with this VLAN/subnet/etc.! */ + modbus_eval_config = sfPolicyUserDataGetCurrent(modbus_context_id); + + /* Look for a previously-allocated session data. */ + sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_MODBUS); + + if (sessp == NULL) + { + /* No existing session. Check those ports. */ + if (ModbusPortCheck(modbus_eval_config, packetp) != MODBUS_OK) + { + PREPROC_PROFILE_END(modbusPerfStats); + return; + } + } + + if ( !PacketHasFullPDU(packetp) ) + { + /* If a packet is rebuilt, but not a full PDU, then it's garbage that + got flushed at the end of a stream. */ + if ( packetp->flags & (FLAG_REBUILT_STREAM|FLAG_PDU_HEAD) ) + { + _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3, + MODBUS_BAD_LENGTH_STR, 0); + } + + PREPROC_PROFILE_END(modbusPerfStats); + return; + } + + if (sessp == NULL) + { + /* Create session data and attach it to the Stream5 session */ + sessp = ModbusCreateSessionData(packetp); + + if ( !sessp ) + { + PREPROC_PROFILE_END(modbusPerfStats); + return; + } + } + + /* When pipelined Modbus PDUs appear in a single TCP segment, the + detection engine caches the results of the rule options after + evaluating on the first PDU. Setting this flag stops the caching. */ + packetp->flags |= FLAG_ALLOW_MULTIPLE_DETECT; + + /* Do preprocessor-specific detection stuff here */ + ModbusDecode(modbus_eval_config, packetp); + + /* That's the end! 
*/
+ PREPROC_PROFILE_END(modbusPerfStats);
+}
+
+/* Check ports & services */
+static int ModbusPortCheck(modbus_config_t *config, SFSnortPacket *packet)
+{
+#ifdef TARGET_BASED
+ int16_t app_id = _dpd.streamAPI->get_application_protocol_id(packet->stream_session_ptr);
+
+ /* call to get_application_protocol_id gave an error */
+ if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ return MODBUS_FAIL;
+
+ /* this is positively identified as something non-modbus */
+ if (app_id && (app_id != modbus_app_id))
+ return MODBUS_FAIL;
+
+ /* this is identified as modbus */
+ if (app_id == modbus_app_id)
+ return MODBUS_OK;
+
+ /* fall back to port check */
+#endif
+
+ if (config->ports[PORT_INDEX(packet->src_port)] & CONV_PORT(packet->src_port))
+ return MODBUS_OK;
+
+ if (config->ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port))
+ return MODBUS_OK;
+
+ return MODBUS_FAIL;
+}
+
+static modbus_session_data_t * ModbusCreateSessionData(SFSnortPacket *packet)
+{
+ modbus_session_data_t *data = NULL;
+
+ /* Sanity Check */
+ if (!packet || !packet->stream_session_ptr)
+ return NULL;
+
+ data = (modbus_session_data_t *)calloc(1, sizeof(modbus_session_data_t));
+
+ if (!data)
+ return NULL;
+
+ /* Attach to Stream5 session */
+ _dpd.streamAPI->set_application_data(packet->stream_session_ptr, PP_MODBUS,
+ data, FreeModbusData);
+
+ /* Not sure when this reference counting stuff got added to the old preprocs */
+ data->policy_id = _dpd.getRuntimePolicy();
+ data->context_id = modbus_context_id;
+ ((modbus_config_t *)sfPolicyUserDataGetCurrent(modbus_context_id))->ref_count++;
+
+ return data;
+}
+
+
+/* Reload functions */
+#ifdef SNORT_RELOAD
+/* Almost like ModbusInit, but not quite. 
*/
+static void ModbusReload(char *args)
+{
+ modbus_config_t *modbus_policy = NULL;
+
+ if (modbus_swap_context_id == NULL)
+ {
+ modbus_swap_context_id = sfPolicyConfigCreate();
+ if (modbus_swap_context_id == NULL)
+ {
+ _dpd.fatalMsg("Failed to allocate memory "
+ "for Modbus config.\n");
+ }
+
+ if (_dpd.streamAPI == NULL)
+ {
+ _dpd.fatalMsg("SetupModbus(): The Stream preprocessor "
+ "must be enabled.\n");
+ }
+ }
+
+ modbus_policy = ModbusPerPolicyInit(modbus_swap_context_id);
+
+ ParseModbusArgs(modbus_policy, args);
+
+ /* Can't add ports until they've been parsed... */
+ ModbusAddPortsToPaf(modbus_policy, _dpd.getParserPolicy());
+
+ ModbusPrintConfig(modbus_policy);
+
+ _dpd.addPreprocReloadVerify(ModbusReloadVerify);
+}
+
+static int ModbusReloadVerify(void)
+{
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ _dpd.fatalMsg("SetupModbus(): The Stream preprocessor must be enabled.\n");
+ }
+
+ return 0;
+}
+
+static int ModbusFreeUnusedConfigPolicy(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ modbus_config_t *modbus_config = (modbus_config_t *)data;
+
+ /* do any housekeeping before freeing modbus config */
+ if (modbus_config->ref_count == 0)
+ {
+ sfPolicyUserDataClear(context_id, policy_id);
+ free(modbus_config);
+ }
+
+ return 0;
+}
+
+static void * ModbusReloadSwap(void)
+{
+ tSfPolicyUserContextId old_context_id = modbus_context_id;
+
+ if (modbus_swap_context_id == NULL)
+ return NULL;
+
+ modbus_context_id = modbus_swap_context_id;
+ modbus_swap_context_id = NULL;
+
+ sfPolicyUserDataIterate(old_context_id, ModbusFreeUnusedConfigPolicy);
+
+ if (sfPolicyUserPolicyGetActive(old_context_id) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ return (void *)old_context_id;
+ }
+
+ return NULL;
+}
+
+static void ModbusReloadSwapFree(void *data)
+{
+ if (data == NULL)
+ return;
+
+ ModbusFreeConfig( (tSfPolicyUserContextId)data );
+}
+#endif
+
+/* Stream5 filter functions */
+static void 
_addPortsToStream5Filter(modbus_config_t *config, tSfPolicyId policy_id)
+{
+ if (config == NULL)
+ return;
+
+ if (_dpd.streamAPI)
+ {
+ int portNum;
+
+ for (portNum = 0; portNum < MAX_PORTS; portNum++)
+ {
+ if(config->ports[(portNum/8)] & (1<<(portNum%8)))
+ {
+ //Add port the port
+ _dpd.streamAPI->set_port_filter_status(
+ IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ }
+ }
+ }
+
+}
+
+#ifdef TARGET_BASED
+static void _addServicesToStream5Filter(tSfPolicyId policy_id)
+{
+ _dpd.streamAPI->set_service_filter_status(modbus_app_id, PORT_MONITOR_SESSION, policy_id, 1);
+}
+#endif
+
+static int ModbusFreeConfigPolicy(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ modbus_config_t *modbus_config = (modbus_config_t *)data;
+
+ /* do any housekeeping before freeing modbus_config */
+
+ sfPolicyUserDataClear(context_id, policy_id);
+ free(modbus_config);
+ return 0;
+}
+
+static void ModbusFreeConfig(tSfPolicyUserContextId context_id)
+{
+ if (context_id == NULL)
+ return;
+
+ sfPolicyUserDataIterate(context_id, ModbusFreeConfigPolicy);
+ sfPolicyConfigDelete(context_id);
+}
+
+static int ModbusCheckPolicyConfig(
+ tSfPolicyUserContextId context_id,
+ tSfPolicyId policy_id,
+ void *data
+ )
+{
+ _dpd.setParserPolicy(policy_id);
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ _dpd.fatalMsg("%s(%d) ModbusCheckPolicyConfig(): The Stream preprocessor "
+ "must be enabled.\n", *_dpd.config_file, *_dpd.config_line);
+ }
+ return 0;
+}
+
+static void ModbusCheckConfig(void)
+{
+ sfPolicyUserDataIterate(modbus_context_id, ModbusCheckPolicyConfig);
+}
+
+static void ModbusCleanExit(int signal, void *data)
+{
+ if (modbus_context_id != NULL)
+ {
+ ModbusFreeConfig(modbus_context_id);
+ modbus_context_id = NULL;
+ }
+}
+
+static void FreeModbusData(void *data)
+{
+ modbus_session_data_t *session = (modbus_session_data_t *)data;
+ modbus_config_t *config = NULL;
+
+ if (session == NULL)
+ return;
+
+ if 
(session->context_id != NULL)
+ {
+ config = (modbus_config_t *)sfPolicyUserDataGet(session->context_id, session->policy_id);
+ }
+
+ if (config != NULL)
+ {
+ config->ref_count--;
+ if ((config->ref_count == 0) &&
+ (session->context_id != modbus_context_id))
+ {
+ sfPolicyUserDataClear(session->context_id, session->policy_id);
+ free(config);
+
+ if (sfPolicyUserPolicyGetActive(session->context_id) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ ModbusFreeConfig(session->context_id);
+ }
+ }
+ }
+}
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/modbus/spp_modbus.h snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.h
--- snort-2.9.0.1/src/dynamic-preprocessors/modbus/spp_modbus.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/modbus/spp_modbus.h 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,73 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011 Sourcefire, Inc.
+ *
+ * Author: Ryan Jordan
+ *
+ * Dynamic preprocessor for the Modbus protocol
+ *
+ */
+
+#ifndef SPP_MODBUS_H
+#define SPP_MODBUS_H
+
+#include "sf_types.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+
+#define MAX_PORTS 65536
+
+/* Default MODBUS port */
+#define MODBUS_PORT 502
+
+/* Convert port value into an index for the modbus_config->ports array */
+#define PORT_INDEX(port) port/8
+
+/* Convert port value into a value for bitwise operations */
+#define CONV_PORT(port) 1<<(port%8)
+
+/* Session data flags */
+#define MODBUS_FUNC_RULE_FIRED 0x0001
+#define MODBUS_UNIT_RULE_FIRED 0x0002
+#define MODBUS_DATA_RULE_FIRED 0x0004
+
+/* Modbus preprocessor configuration */
+typedef struct _modbus_config
+{
+ char ports[MAX_PORTS/8];
+
+ int ref_count;
+} modbus_config_t;
+
+/* Modbus session data */
+typedef struct _modbus_session_data
+{
+ uint8_t func;
+ uint8_t unit;
+ uint16_t flags;
+
+ tSfPolicyId policy_id;
+ tSfPolicyUserContextId context_id;
+} modbus_session_data_t;
+
+#define MODBUS_PORTS_KEYWORD "ports"
+#define MODBUS_MEMCAP_KEYWORD "memcap"
+
+#define MODBUS_OK 1
+#define MODBUS_FAIL (-1)
+
+#endif /* 
SPP_MODBUS_H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/Makefile.am snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/pop/Makefile.am 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.am 2011-07-13 15:44:51.000000000 -0700
@@ -0,0 +1,41 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_pop_preproc.la
+
+libsf_pop_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_pop_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_pop_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/mempool.c \
+../include/sf_sdlist.c \
+../include/util_unfold.c \
+../include/sf_base64decode.c \
+../include/sf_email_attach_decode.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_pop_preproc_la_SOURCES = \
+pop_config.c \
+pop_config.h \
+pop_log.c \
+pop_log.h \
+pop_util.c \
+pop_util.h \
+snort_pop.c \
+snort_pop.h \
+spp_pop.c \
+spp_pop.h
+
+EXTRA_DIST = \
+sf_pop.dsp
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/Makefile.in snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.in
--- snort-2.9.0.1/src/dynamic-preprocessors/pop/Makefile.in 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/pop/Makefile.in 2011-12-07 11:23:20.000000000 -0800 
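Review bot: The `PORT_INDEX` and `CONV_PORT` macros in spp_modbus.h are not parenthesized, so an argument that is itself an expression, or a use of `CONV_PORT` beside a higher-precedence operator, silently changes meaning; the visible callers in spp_modbus.c pass plain struct members, so it happens to work today but is fragile for the next caller. Wrap both as `#define PORT_INDEX(port) ((port) / 8)` and `#define CONV_PORT(port) (1 << ((port) % 8))`. The bitmap is declared `char ports[MAX_PORTS/8]`; because `char` may be signed, storing `1<<7` sets the sign bit, and while the `&` test still works after integer promotion, `uint8_t` (already used for `func` and `unit` in the same header) states the intent and avoids sign-extension surprises.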
@@ -0,0 +1,580 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/pop +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_pop_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_pop_preproc_la_OBJECTS = pop_config.lo pop_log.lo pop_util.lo \ + snort_pop.lo spp_pop.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_pop_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo util_unfold.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_base64decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_email_attach_decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_pop_preproc_la_OBJECTS = $(am_libsf_pop_preproc_la_OBJECTS) \ + $(nodist_libsf_pop_preproc_la_OBJECTS) +libsf_pop_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_pop_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_pop_preproc_la_SOURCES) \ + $(nodist_libsf_pop_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_pop_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = 
@PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = 
libsf_pop_preproc.la +libsf_pop_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_pop_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_pop_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/util_unfold.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_base64decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_email_attach_decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_pop_preproc_la_SOURCES = \ +pop_config.c \ +pop_config.h \ +pop_log.c \ +pop_log.h \ +pop_util.c \ +pop_util.h \ +snort_pop.c \ +snort_pop.h \ +spp_pop.c \ +spp_pop.h + +EXTRA_DIST = \ +sf_pop.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/pop/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/pop/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_pop_preproc.la: $(libsf_pop_preproc_la_OBJECTS) $(libsf_pop_preproc_la_DEPENDENCIES) + $(libsf_pop_preproc_la_LINK) -rpath $(libdir) $(libsf_pop_preproc_la_OBJECTS) $(libsf_pop_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +util_unfold.lo: ../include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o util_unfold.lo `test -f '../include/util_unfold.c' || echo '$(srcdir)/'`../include/util_unfold.c + +sf_base64decode.lo: ../include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_base64decode.lo `test -f '../include/sf_base64decode.c' || echo 
'$(srcdir)/'`../include/sf_base64decode.c + +sf_email_attach_decode.lo: ../include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_email_attach_decode.lo `test -f '../include/sf_email_attach_decode.c' || echo '$(srcdir)/'`../include/sf_email_attach_decode.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) 
$(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_config.c snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.c --- snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_config.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,630 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/*************************************************************************** + * pop_config.c + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * Handle configuration of the POP preprocessor + * + * Entry point functions: + * + * POP_ParseArgs() + * + ***************************************************************************/ + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> +#include <stdio.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_pop.h" +#include "pop_config.h" +#include "snort_bounds.h" +#include "sf_dynamic_preprocessor.h" +#include "sfPolicy.h" + + +/* Global variable to hold configuration */ +extern POPConfig **pop_config; + +extern const POPToken pop_known_cmds[]; + +/* Private functions */ +static int ProcessPorts(POPConfig *, char *, int); +static int ProcessPopMemcap(POPConfig *, char *, int); +static int 
ProcessDecodeDepth(POPConfig *, char *, int, char *, DecodeType); + +/* + * Function: POP_ParseArgs(char *) + * + * Purpose: Process the preprocessor arguments from the rules file and + * initialize the preprocessor's data struct. This function doesn't + * have to exist if it makes sense to parse the args in the init + * function. + * + * Arguments: args => argument list + * + * Returns: void function + * + */ +void POP_ParseArgs(POPConfig *config, char *args) +{ + int ret = 0; + char *arg; + char errStr[ERRSTRLEN]; + int errStrLen = ERRSTRLEN; + + if ((config == NULL) || (args == NULL)) + return; + + config->ports[POP_DEFAULT_SERVER_PORT / 8] |= 1 << (POP_DEFAULT_SERVER_PORT % 8); + config->memcap = DEFAULT_POP_MEMCAP; + config->b64_depth = DEFAULT_DEPTH; + config->qp_depth = DEFAULT_DEPTH; + config->uu_depth = DEFAULT_DEPTH; + config->bitenc_depth = DEFAULT_DEPTH; + config->max_depth = MIN_DEPTH; + + *errStr = '\0'; + + arg = strtok(args, CONF_SEPARATORS); + + while ( arg != NULL ) + { + if ( !strcasecmp(CONF_PORTS, arg) ) + { + ret = ProcessPorts(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_POP_MEMCAP, arg) ) + { + ret = ProcessPopMemcap(config, errStr, errStrLen); + } + else if ( !strcasecmp(CONF_B64_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_B64_DECODE, DECODE_B64); + } + else if ( !strcasecmp(CONF_QP_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_QP_DECODE, DECODE_QP); + } + else if ( !strcasecmp(CONF_UU_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_UU_DECODE, DECODE_UU); + } + else if ( !strcasecmp(CONF_BITENC_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_BITENC_DECODE, DECODE_BITENC); + } + else if ( !strcasecmp(CONF_DISABLED, arg) ) + { + config->disabled = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Unknown POP configuration option %s\n", + *(_dpd.config_file), *(_dpd.config_line), arg); + } + 
+ if (ret == -1) + { + /* + ** Fatal Error, log error and exit. + */ + if (*errStr) + { + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + *(_dpd.config_file), *(_dpd.config_line), errStr); + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* Get next token */ + arg = strtok(NULL, CONF_SEPARATORS); + } + +} + +int POP_IsDecodingEnabled(POPConfig *pPolicyConfig) +{ + if( (pPolicyConfig->b64_depth > -1) || (pPolicyConfig->qp_depth > -1) + || (pPolicyConfig->uu_depth > -1) || (pPolicyConfig->bitenc_depth > -1) ) + { + return 0; + } + else + return -1; + +} + +void POP_CheckConfig(POPConfig *pPolicyConfig, tSfPolicyUserContextId context) +{ + int max = -1; + POPConfig *defaultConfig = + (POPConfig *)sfPolicyUserDataGetDefault(context); + + if (pPolicyConfig == defaultConfig) + { + if (!pPolicyConfig->memcap) + pPolicyConfig->memcap = DEFAULT_POP_MEMCAP; + + if(!pPolicyConfig->b64_depth || !pPolicyConfig->qp_depth + || !pPolicyConfig->uu_depth || !pPolicyConfig->bitenc_depth) + { + pPolicyConfig->max_depth = MAX_DEPTH; + return; + } + else + { + if(max < pPolicyConfig->b64_depth) + max = pPolicyConfig->b64_depth; + + if(max < pPolicyConfig->qp_depth) + max = pPolicyConfig->qp_depth; + + if(max < pPolicyConfig->bitenc_depth) + max = pPolicyConfig->bitenc_depth; + + if(max < pPolicyConfig->uu_depth) + max = pPolicyConfig->uu_depth; + + pPolicyConfig->max_depth = max; + } + + } + else if (defaultConfig == NULL) + { + if (pPolicyConfig->memcap) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: memcap must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->b64_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: b64_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->qp_depth > -1) + { + 
DynamicPreprocessorFatalMessage("%s(%d) => POP: qp_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->uu_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: uu_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->bitenc_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: bitenc_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + } + else + { + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->max_depth = defaultConfig->max_depth; + + if(pPolicyConfig->disabled) + { + pPolicyConfig->b64_depth = defaultConfig->b64_depth; + pPolicyConfig->qp_depth = defaultConfig->qp_depth; + pPolicyConfig->uu_depth = defaultConfig->uu_depth; + pPolicyConfig->bitenc_depth = defaultConfig->bitenc_depth; + return; + } + if(!pPolicyConfig->b64_depth && defaultConfig->b64_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited Base64 decoding" + " in non-default config without turning on unlimited Base64 decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->b64_depth && (pPolicyConfig->b64_depth > defaultConfig->b64_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: b64_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->b64_depth, defaultConfig->b64_depth); + } + + if(!pPolicyConfig->qp_depth && defaultConfig->qp_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited Quoted-Printable decoding" + " in non-default config without turning on unlimited Quoted-Printable decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->qp_depth && 
(pPolicyConfig->qp_depth > defaultConfig->qp_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: qp_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->qp_depth, defaultConfig->qp_depth); + } + + if(!pPolicyConfig->uu_depth && defaultConfig->uu_depth ) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited Unix-to-Unix decoding" + " in non-default config without turning on unlimited Unix-to-Unix decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->uu_depth && (pPolicyConfig->uu_depth > defaultConfig->uu_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: uu_decode_depth value %d in the non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line),pPolicyConfig->uu_depth, defaultConfig->uu_depth); + } + + if(!pPolicyConfig->bitenc_depth && defaultConfig->bitenc_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: Cannot enable unlimited 7bit/8bit/binary extraction" + " in non-default config without turning on unlimited 7bit/8bit/binary extraction in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->bitenc_depth && (pPolicyConfig->bitenc_depth > defaultConfig->bitenc_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => POP: bitenc_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->bitenc_depth, defaultConfig->bitenc_depth); + } + + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->max_depth = defaultConfig->max_depth; + } +} + +void POP_PrintConfig(POPConfig *config) +{ + int i; + int j = 0; + char buf[8192]; + + if (config == NULL) + return; + + memset(&buf[0], 0, sizeof(buf)); + + _dpd.logMsg("POP Config:\n"); + + if(config->disabled) 
+ _dpd.logMsg(" POP: INACTIVE\n"); + + snprintf(buf, sizeof(buf) - 1, " Ports: "); + + for (i = 0; i < 65536; i++) + { + if (config->ports[i / 8] & (1 << (i % 8))) + { + j++; + _dpd.printfappend(buf, sizeof(buf) - 1, "%d ", i); + if(!(j%10)) + _dpd.printfappend(buf, sizeof(buf) - 1, "\n "); + } + } + + _dpd.logMsg("%s\n", buf); + + + _dpd.logMsg(" POP Memcap: %u\n", + config->memcap); + + if(config->b64_depth > -1) + { + _dpd.logMsg(" Base64 Decoding: %s\n", "Enabled"); + switch(config->b64_depth) + { + case 0: + _dpd.logMsg(" Base64 Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Base64 Decoding Depth: %d\n", config->b64_depth); + break; + } + } + else + _dpd.logMsg(" Base64 Decoding: %s\n", "Disabled"); + + if(config->qp_depth > -1) + { + _dpd.logMsg(" Quoted-Printable Decoding: %s\n","Enabled"); + switch(config->qp_depth) + { + case 0: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %d\n", config->qp_depth); + break; + } + } + else + _dpd.logMsg(" Quoted-Printable Decoding: %s\n", "Disabled"); + + if(config->uu_depth > -1) + { + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n","Enabled"); + switch(config->uu_depth) + { + case 0: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %d\n", config->uu_depth); + break; + } + } + else + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n", "Disabled"); + + if(config->bitenc_depth > -1) + { + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n","Enabled"); + switch(config->bitenc_depth) + { + case 0: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %d\n", config->bitenc_depth); + break; + } + } + else + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n", "Disabled"); + +} + +/* +** NAME +** ProcessPorts:: +*/ +/** +** Process the port list. 
+** +** This configuration is a list of valid ports and is ended by a +** delimiter. +** +** @param ErrorString error string buffer +** @param ErrStrLen the length of the error string buffer +** +** @return an error code integer +** (0 = success, >0 = non-fatal error, <0 = fatal error) +** +** @retval 0 successs +** @retval -1 generic fatal error +** @retval 1 generic non-fatal error +*/ +static int ProcessPorts(POPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *pcToken; + char *pcEnd; + int iPort; + int iEndPorts = 0; + int num_ports = 0; + + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "POP config is NULL.\n"); + return -1; + } + + pcToken = strtok(NULL, CONF_SEPARATORS); + if(!pcToken) + { + snprintf(ErrorString, ErrStrLen, "Invalid port list format."); + return -1; + } + + if(strcmp(CONF_START_LIST, pcToken)) + { + snprintf(ErrorString, ErrStrLen, + "Must start a port list with the '%s' token.", CONF_START_LIST); + + return -1; + } + + /* Since ports are specified, clear default ports */ + config->ports[POP_DEFAULT_SERVER_PORT / 8] &= ~(1 << (POP_DEFAULT_SERVER_PORT % 8)); + + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) + { + if(!strcmp(CONF_END_LIST, pcToken)) + { + iEndPorts = 1; + break; + } + + iPort = strtol(pcToken, &pcEnd, 10); + + /* + ** Validity check for port + */ + if(*pcEnd) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number."); + + return -1; + } + + if(iPort < 0 || iPort > MAXPORTS-1) + { + snprintf(ErrorString, ErrStrLen, + "Invalid port number. 
Must be between 0 and 65535."); + + return -1; + } + + config->ports[iPort / 8] |= (1 << (iPort % 8)); + num_ports++; + } + + if(!iEndPorts) + { + snprintf(ErrorString, ErrStrLen, + "Must end '%s' configuration with '%s'.", + CONF_PORTS, CONF_END_LIST); + + return -1; + } + else if(!num_ports) + { + snprintf(ErrorString, ErrStrLen, + "POP: Empty port list not allowed."); + return -1; + } + + return 0; +} + +static int ProcessPopMemcap(POPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t pop_memcap = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "POP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option 'memcap'."); + return -1; + } + pop_memcap = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option 'memcap'."); + return -1; + } + + if (pop_memcap < MIN_POP_MEMCAP || pop_memcap > MAX_POP_MEMCAP) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for memcap." 
+ "It should range between %d and %d.", + MIN_POP_MEMCAP, MAX_POP_MEMCAP); + return -1; + } + + config->memcap = pop_memcap; + return 0; +} + + +static int ProcessDecodeDepth(POPConfig *config, char *ErrorString, int ErrStrLen, char *decode_type, DecodeType type) +{ + char *endptr; + char *value; + int decode_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "POP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option '%s'.", decode_type); + return -1; + } + decode_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for POP config option '%s'.", decode_type); + return -1; + } + if(decode_depth < MIN_DEPTH || decode_depth > MAX_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for POP config option '%s'." + "It should range between %d and %d.", + decode_type, MIN_DEPTH, MAX_DEPTH); + return -1; + } + + switch(type) + { + case DECODE_B64: + if((decode_depth > 0) && (decode_depth & 3)) + { + decode_depth += 4 - (decode_depth & 3); + + if(decode_depth > MAX_DEPTH ) + { + decode_depth = decode_depth - 4; + } + _dpd.logMsg("WARNING: %s(%d) => POP: 'b64_decode_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. 
The new 'b64_decode_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), decode_depth); + + } + config->b64_depth = decode_depth; + break; + case DECODE_QP: + config->qp_depth = decode_depth; + break; + case DECODE_UU: + config->uu_depth = decode_depth; + break; + case DECODE_BITENC: + config->bitenc_depth = decode_depth; + break; + default: + return -1; + } + + return 0; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_config.h snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_config.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_config.h 2011-07-13 15:44:51.000000000 -0700 
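Review bot: In ProcessPopMemcap the strtoul() result is stored into the uint32_t `pop_memcap` before the MIN_POP_MEMCAP/MAX_POP_MEMCAP check, so on an LP64 build a value such as 4294970572 wraps to 3276 and is accepted, and ProcessDecodeDepth narrows its strtol() result into an int the same way before the MIN_DEPTH/MAX_DEPTH check. Keep the parser's own width until the range check has passed: declare `unsigned long pop_memcap = 0;` (and `long decode_depth = 0;` in ProcessDecodeDepth) and narrow only on the final store, `config->memcap = (uint32_t)pop_memcap;`, with `errno = 0` before the call and an `errno == ERANGE` check if `<errno.h>` is added to the includes. The input here is the operator's own configuration file rather than network data, so this is a validation bug rather than an exposure. A smaller wording issue in the DECODE_B64 case: when rounding up would exceed MAX_DEPTH the code subtracts 4 instead, but the warning still says it is rounding up.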
@@ -0,0 +1,107 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/*************************************************************************** + * + * pop_config.h + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + ***************************************************************************/ + +#ifndef __POP_CONFIG_H__ +#define __POP_CONFIG_H__ + +#include "sfPolicyUserData.h" +#define CONF_SEPARATORS " \t\n\r" +#define CONF_PORTS "ports" +#define CONF_POP_MEMCAP "memcap" +#define CONF_B64_DECODE "b64_decode_depth" +#define CONF_QP_DECODE "qp_decode_depth" +#define CONF_BITENC_DECODE "bitenc_decode_depth" +#define CONF_UU_DECODE "uu_decode_depth" +#define CONF_DISABLED "disabled" +#define CONF_START_LIST "{" +#define CONF_END_LIST "}" + +/*These are temporary values*/ + +#define DEFAULT_POP_MEMCAP 838860 +#define DEFAULT_DEPTH 1464 +#define MAX_POP_MEMCAP 104857600 +#define MIN_POP_MEMCAP 3276 +#define MAX_DEPTH 65535 +#define MIN_DEPTH -1 +#define POP_DEFAULT_SERVER_PORT 110 /* POP normally runs on port 110 */ + 
+#define ERRSTRLEN 512
+
+typedef struct _POPSearch
+{
+ char *name;
+ int name_len;
+
+} POPSearch;
+
+typedef struct _POPToken
+{
+ char *name;
+ int name_len;
+ int search_id;
+
+} POPToken;
+
+typedef struct _POPCmdConfig
+{
+ char alert; /* 1 if alert when seen */
+ char normalize; /* 1 if we should normalize this command */
+ int max_line_len; /* Max length of this particular command */
+
+} POPCmdConfig;
+
+typedef struct _POPConfig
+{
+ char ports[8192];
+ uint32_t memcap;
+ int max_depth;
+ int b64_depth;
+ int qp_depth;
+ int bitenc_depth;
+ int uu_depth;
+ POPToken *cmds;
+ POPSearch *cmd_search;
+ void *cmd_search_mpse;
+ int num_cmds;
+ int disabled;
+
+ int ref_count;
+
+} POPConfig;
+
+/* Function prototypes */
+void POP_ParseArgs(POPConfig *, char *);
+void POP_PrintConfig(POPConfig *config);
+
+void POP_CheckConfig(POPConfig *, tSfPolicyUserContextId);
+int POP_IsDecodingEnabled(POPConfig *);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_log.c snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.c
--- snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_log.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.c 2011-10-26 11:28:52.000000000 -0700
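Review bot: The `*_depth` fields of POPConfig carry a three-way encoding that pop_config.c depends on everywhere (POP_IsDecodingEnabled treats `> -1` as enabled, POP_PrintConfig prints 0 as "Unlimited", POP_CheckConfig treats 0 in a non-default policy as a request for unlimited decoding), yet the header never states it, and its only comment, `/*These are temporary values*/`, does not say which values are temporary or why. I would document the encoding on the struct, `/* *_depth: -1 = decoding disabled, 0 = unlimited, >0 = maximum bytes decoded; max_depth is derived from them in POP_CheckConfig */`, and note above the limits that MIN_DEPTH/MAX_DEPTH bound the accepted config values while MIN_POP_MEMCAP/MAX_POP_MEMCAP bound `memcap` (presumably in bytes, which the header should confirm). `ports[8192]` also deserves a line saying it is a bitmap over the 65536 TCP ports accessed as `ports[port / 8] & (1 << (port % 8))`, which is the pattern ProcessPorts and POP_PrintConfig use.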
@@ -0,0 +1,111 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * + * pop_log.c + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * This file handles POP alerts. + * + * Entry point functions: + * + * POP_GenerateAlert() + * + * + **************************************************************************/ + +#include <stdarg.h> +#include <stdio.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "pop_config.h" +#include "pop_log.h" +#include "snort_pop.h" +#include "sf_dynamic_preprocessor.h" + +extern POPConfig *pop_eval_config; +extern POP *pop_ssn; + +char pop_event[POP_EVENT_MAX][EVENT_STR_LEN]; + + +void POP_GenerateAlert(int event, char *format, ...) 
+{ + va_list ap; + + /* Only log a specific alert once per session */ + if (pop_ssn->alert_mask & (1 << event)) + { +#ifdef DEBUG_MSGS + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Already alerted on: %s - " + "ignoring event.\n", pop_event[event]);); +#endif + return; + } + + /* set bit for this alert so we don't alert on again + * in this session */ + pop_ssn->alert_mask |= (1 << event); + + va_start(ap, format); + + pop_event[event][0] = '\0'; + vsnprintf(&pop_event[event][0], EVENT_STR_LEN - 1, format, ap); + pop_event[event][EVENT_STR_LEN - 1] = '\0'; + + _dpd.alertAdd(GENERATOR_SPP_POP, event, 1, 0, 3, &pop_event[event][0], 0); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP Alert generated: %s\n", pop_event[event]);); + + va_end(ap); +} + +void POP_DecodeAlert(void) +{ + switch( pop_ssn->decode_state->decode_type ) + { + case DECODE_B64: + POP_GenerateAlert(POP_B64_DECODING_FAILED, "%s", POP_B64_DECODING_FAILED_STR); + break; + case DECODE_QP: + POP_GenerateAlert(POP_QP_DECODING_FAILED, "%s", POP_QP_DECODING_FAILED_STR); + break; + case DECODE_UU: + POP_GenerateAlert(POP_UU_DECODING_FAILED, "%s", POP_UU_DECODING_FAILED_STR); + break; + case DECODE_BITENC: + POP_GenerateAlert(POP_BITENC_DECODING_FAILED, "%s", POP_BITENC_DECODING_FAILED_STR); + break; + + default: + break; + } +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_log.h snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.h --- snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_log.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_log.h 2011-06-07 17:33:14.000000000 -0700 
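Review bot: POP_GenerateAlert indexes `pop_event[event]` and computes `1 << event` without checking `event` against POP_EVENT_MAX, so an id outside 0..7 would write a 256-byte string past the end of the table and make the shift undefined once it reaches the width of alert_mask. Every caller visible here (POP_DecodeAlert) passes a compile-time constant, so this is defensive rather than a live bug, but a one-line guard at the top, `if (event < 0 || event >= POP_EVENT_MAX) return;`, makes the table bound explicit at no cost. Two style points: `format` is only ever handed to vsnprintf and could be `const char *` (in the prototype in pop_log.h too), and because vsnprintf always NUL-terminates for a non-zero size, `vsnprintf(pop_event[event], EVENT_STR_LEN, format, ap)` makes both the preceding `[0] = '\0'` and the trailing `[EVENT_STR_LEN - 1] = '\0'` redundant. `pop_ssn` is dereferenced unconditionally; presumably the caller guarantees it points at the current session, which is worth stating in a comment above the function.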
@@ -0,0 +1,65 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************** + * + * pop_log.h + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + **************************************************************************/ + +#ifndef __POP_LOG_H__ +#define __POP_LOG_H__ + + +#define GENERATOR_SPP_POP 142 + +/* Events for POP */ +#define POP_UNKNOWN_CMD 1 +#define POP_UNKNOWN_RESP 2 +#define POP_MEMCAP_EXCEEDED 3 +#define POP_B64_DECODING_FAILED 4 +#define POP_QP_DECODING_FAILED 5 +#define POP_BITENC_DECODING_FAILED 6 +#define POP_UU_DECODING_FAILED 7 + +#define POP_EVENT_MAX 8 + +/* Messages for each event */ +#define POP_UNKNOWN_CMD_STR "(POP) Unknown POP3 command" +#define POP_UNKNOWN_RESP_STR "(POP) Unknown POP3 response" +#define POP_MEMCAP_EXCEEDED_STR "(POP) No memory available for decoding. Memcap exceeded" +#define POP_B64_DECODING_FAILED_STR "(POP) Base64 Decoding failed." 
+#define POP_QP_DECODING_FAILED_STR "(POP) Quoted-Printable Decoding failed."
+#define POP_BITENC_DECODING_FAILED_STR "(POP) 7bit/8bit/binary/text Extraction failed."
+#define POP_UU_DECODING_FAILED_STR "(POP) Unix-to-Unix Decoding failed."
+
+#define EVENT_STR_LEN 256
+
+
+/* Function prototypes */
+void POP_GenerateAlert(int, char *, ...);
+void POP_DecodeAlert(void);
+
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_util.c snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.c
--- snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_util.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.c 2011-06-07 17:33:14.000000000 -0700
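Review bot: POP_EVENT_MAX sizes `pop_event[POP_EVENT_MAX][EVENT_STR_LEN]` in pop_log.c, which POP_GenerateAlert indexes directly by event id, so it must stay one greater than the highest id in the list above; nothing in the header says so, and adding an event after POP_UU_DECODING_FAILED without bumping it would overflow that table. I would put the invariant next to the define: `/* One past the highest event id above; sizes pop_event[] in pop_log.c, so bump it whenever an event is added */`. Turning the ids into an enum whose last member is POP_EVENT_MAX would let the compiler maintain the count, but that is a larger change than this header needs.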
@@ -0,0 +1,180 @@ +/* + * pop_util.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + * Description: + * + * This file contains POP helper functions. 
+ * + * Entry point functions: + * + * safe_strchr() + * safe_strstr() + * copy_to_space() + * safe_sscanf() + * + * + */ + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "snort_bounds.h" + +#include "snort_pop.h" +#include "pop_util.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_packet.h" +#include "Unified2_common.h" + +extern POP *pop_ssn; + +void POP_GetEOL(const uint8_t *ptr, const uint8_t *end, + const uint8_t **eol, const uint8_t **eolm) +{ + const uint8_t *tmp_eol; + const uint8_t *tmp_eolm; + + /* XXX maybe should fatal error here since none of these + * pointers should be NULL */ + if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL) + return; + + tmp_eol = (uint8_t *)memchr(ptr, '\n', end - ptr); + if (tmp_eol == NULL) + { + tmp_eol = end; + tmp_eolm = end; + } + else + { + /* end of line marker (eolm) should point to marker and + * end of line (eol) should point to end of marker */ + if ((tmp_eol > ptr) && (*(tmp_eol - 1) == '\r')) + { + tmp_eolm = tmp_eol - 1; + } + else + { + tmp_eolm = tmp_eol; + } + + /* move past newline */ + tmp_eol++; + } + + *eol = tmp_eol; + *eolm = tmp_eolm; +} + +void POP_DecodeType(const char *start, int length) +{ + const char *tmp = NULL; + + if(pop_ssn->decode_state->b64_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "base64"); + if( tmp != NULL ) + { + pop_ssn->decode_state->decode_type = DECODE_B64; + return; + } + } + + if(pop_ssn->decode_state->qp_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "quoted-printable"); + if( tmp != NULL ) + { + pop_ssn->decode_state->decode_type = DECODE_QP; + return; + } + } + + if(pop_ssn->decode_state->uu_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "uuencode"); + if( tmp != NULL ) + { + pop_ssn->decode_state->decode_type = DECODE_UU; 
+ return; + } + } + + if(pop_ssn->decode_state->bitenc_state.depth > -1) + { + pop_ssn->decode_state->decode_type = DECODE_BITENC; + return; + } + + return; +} + + +#ifdef DEBUG_MSGS +char pop_print_buffer[65537]; + +const char * POP_PrintBuffer(SFSnortPacket *p) +{ + const uint8_t *ptr = NULL; + int len = 0; + int iorig, inew; + + ptr = p->payload; + len = p->payload_size; + + for (iorig = 0, inew = 0; iorig < len; iorig++, inew++) + { + if ((isascii((int)ptr[iorig]) && isprint((int)ptr[iorig])) || (ptr[iorig] == '\n')) + { + pop_print_buffer[inew] = ptr[iorig]; + } + else if (ptr[iorig] == '\r' && + ((iorig + 1) < len) && (ptr[iorig + 1] == '\n')) + { + iorig++; + pop_print_buffer[inew] = '\n'; + } + else if (isspace((int)ptr[iorig])) + { + pop_print_buffer[inew] = ' '; + } + else + { + pop_print_buffer[inew] = '.'; + } + } + + pop_print_buffer[inew] = '\0'; + + return &pop_print_buffer[0]; +} +#endif + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_util.h snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.h --- snort-2.9.0.1/src/dynamic-preprocessors/pop/pop_util.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/pop_util.h 2011-06-07 17:33:14.000000000 -0700 
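Review bot: POP_GetEOL only rejects NULL before calling `memchr(ptr, '\n', end - ptr)`; if a caller ever passes an `end` that lies before `ptr`, the negative difference converts to a huge size_t and memchr reads far beyond the buffer. The callers are outside this hunk so I cannot tell whether they guarantee ordering; a guard after the NULL check that treats an empty or inverted range like a line with no terminator, `if (ptr >= end) { *eol = *eolm = end; return; }`, makes the function safe on its own. In POP_DecodeType the final branch selects DECODE_BITENC for any text that matches none of the three names whenever bitenc extraction is enabled, and when every decoder is disabled `decode_type` is left untouched; that fall-through behaviour should be stated in a comment above the function so callers know it may not set a type.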
@@ -0,0 +1,43 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/************************************************************************* + * + * pop_util.h + * + * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + * + *************************************************************************/ + +#ifndef __POP_UTIL_H__ +#define __POP_UTIL_H__ + +#include "sf_snort_packet.h" + +void POP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **); +void POP_DecodeType(const char *start, int length); + +#ifdef DEBUG_MSGS +const char * POP_PrintBuffer(SFSnortPacket *); +#endif + +#endif /* __POP_UTIL_H__ */ + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/sf_pop.dsp snort-2.9.2/src/dynamic-preprocessors/pop/sf_pop.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/pop/sf_pop.dsp 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/sf_pop.dsp 2011-11-21 12:15:24.000000000 -0800 
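Review bot: The POP_GetEOL prototype drops its parameter names, `void POP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **);`, so a reader of the header cannot tell which of the two output pointers receives the end-of-line marker and which the position past it, while the POP_DecodeType prototype next to it does name its parameters. I would write it as `void POP_GetEOL(const uint8_t *ptr, const uint8_t *end, const uint8_t **eol, const uint8_t **eolm);` and add above it `/* Find the first '\n' in [ptr, end): *eolm points at the terminator (the '\r' of a CRLF pair) and *eol just past the '\n'; both are set to end when no newline is found */`, which is what the definition in pop_util.c does.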
@@ -0,0 +1,260 @@ +# Microsoft Developer Studio Project File - Name="sf_pop" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_pop - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_pop.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_pop.mak" CFG="sf_pop - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_pop - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_pop - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_pop - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_pop - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_pop - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_POP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_pop - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_POP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL 
/nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_pop - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_pop___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_pop___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 
0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" + +!ELSEIF "$(CFG)" == "sf_pop - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_pop___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_pop___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_POP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 
0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# SUBTRACT LINK32 /pdb:none + +!ENDIF + +# Begin Target + +# Name "sf_pop - Win32 Release" +# Name "sf_pop - Win32 Debug" +# Name "sf_pop - Win32 IPv6 Debug" +# Name "sf_pop - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\mempool.c +# End Source File +# Begin Source File + +SOURCE=.\pop_config.c +# End Source File +# Begin Source File + +SOURCE=.\pop_log.c +# End Source File +# Begin Source File + +SOURCE=.\pop_util.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\snort_pop.c +# End Source File +# Begin Source File + +SOURCE=.\spp_pop.c +# End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=..\include\mempool.h +# End Source File +# Begin Source File + +SOURCE=.\pop_config.h +# End Source File +# Begin Source File + +SOURCE=.\pop_log.h +# End Source File +# 
Begin Source File + +SOURCE=.\pop_util.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_base64decode.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_email_attach_decode.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sf_sdlist.h +# End Source File +# Begin Source File + +SOURCE=.\snort_pop.h +# End Source File +# Begin Source File + +SOURCE=.\spp_pop.h +# End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/snort_pop.c snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.c --- snort-2.9.0.1/src/dynamic-preprocessors/pop/snort_pop.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,1660 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ * snort_pop.c
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file handles POP protocol checking and normalization.
+ *
+ * Entry point functions:
+ *
+ * SnortPOP()
+ * POP_Init()
+ * POP_Free()
+ *
+ **************************************************************************/
+
+
+/* Includes ***************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <pcre.h>
+
+#include "sf_types.h"
+#include "snort_pop.h"
+#include "pop_config.h"
+#include "pop_util.h"
+#include "pop_log.h"
+
+#include "sf_snort_packet.h"
+#include "stream_api.h"
+#include "snort_debug.h"
+#include "profiler.h"
+#include "snort_bounds.h"
+#include "sf_dynamic_preprocessor.h"
+#include "ssl.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+
+#ifdef DEBUG_MSGS
+#include "sf_types.h"
+#endif
+
+/**************************************************************************/
+
+
+/* Externs ****************************************************************/
+
+#ifdef PERF_PROFILING
+extern PreprocStats popDetectPerfStats;
+extern int popDetectCalled;
+#endif
+
+extern tSfPolicyUserContextId pop_config;
+extern POPConfig *pop_eval_config;
+extern MemPool *pop_mempool;
+
+#ifdef DEBUG_MSGS
+extern char pop_print_buffer[];
+#endif
+
+/**************************************************************************/
+
+
+/* Globals ****************************************************************/
+
+const POPToken pop_known_cmds[] =
+{
+ {"APOP", 4, CMD_APOP},
+ {"AUTH", 4, CMD_AUTH},
+ {"CAPA", 4, CMD_CAPA},
+ {"DELE", 4, CMD_DELE},
+ {"LIST", 4, CMD_LIST},
+ {"NOOP", 4, CMD_NOOP},
+ {"PASS", 4, CMD_PASS},
+ {"QUIT", 4, CMD_QUIT},
+ {"RETR", 4, CMD_RETR},
+ {"RSET", 4, CMD_RSET},
+ {"STAT", 4, CMD_STAT},
+ {"STLS", 4, CMD_STLS},
+ {"TOP", 3, CMD_TOP},
+ {"UIDL", 4, CMD_UIDL},
+ {"USER", 4, CMD_USER},
+ {NULL, 0, 0}
+};
+
+const POPToken pop_resps[] =
+{
+ {"+OK", 3, RESP_OK}, /* SUCCESS */
+ {"-ERR", 4, RESP_ERR}, /* FAILURE */
+ {NULL, 0, 0}
+};
+
+const POPToken 
pop_hdrs[] =
+{
+ {"Content-type:", 13, HDR_CONTENT_TYPE},
+ {"Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC},
+ {NULL, 0, 0}
+};
+
+const POPToken pop_data_end[] =
+{
+ {"\r\n.\r\n", 5, DATA_END_1},
+ {"\n.\r\n", 4, DATA_END_2},
+ {"\r\n.\n", 4, DATA_END_3},
+ {"\n.\n", 3, DATA_END_4},
+ {NULL, 0, 0}
+};
+
+POP *pop_ssn = NULL;
+POP pop_no_session;
+POPPcre mime_boundary_pcre;
+char pop_normalizing;
+POPSearchInfo pop_search_info;
+
+#ifdef DEBUG_MSGS
+uint64_t pop_session_counter = 0;
+#endif
+
+#ifdef TARGET_BASED
+int16_t pop_proto_id;
+#endif
+
+void *pop_resp_search_mpse = NULL;
+POPSearch pop_resp_search[RESP_LAST];
+
+void *pop_hdr_search_mpse = NULL;
+POPSearch pop_hdr_search[HDR_LAST];
+
+void *pop_data_search_mpse = NULL;
+POPSearch pop_data_end_search[DATA_END_LAST];
+
+POPSearch *pop_current_search = NULL;
+
+
+/**************************************************************************/
+
+
+/* Private functions ******************************************************/
+
+static int POP_Setup(SFSnortPacket *p, POP *ssn);
+static void POP_ResetState(void);
+static void POP_SessionFree(void *);
+static void POP_NoSessionFree(void);
+static int POP_GetPacketDirection(SFSnortPacket *, int);
+static void POP_ProcessClientPacket(SFSnortPacket *);
+static void POP_ProcessServerPacket(SFSnortPacket *);
+static void POP_DisableDetect(SFSnortPacket *);
+static const uint8_t * POP_HandleCommand(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static const uint8_t * POP_HandleData(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static const uint8_t * POP_HandleHeader(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static const uint8_t * POP_HandleDataBody(SFSnortPacket *, const uint8_t *, const uint8_t *);
+static int POP_SearchStrFound(void *, void *, int, void *, void *);
+
+static int POP_BoundaryStrFound(void *, void *, int , void *, void *);
+static int POP_GetBoundary(const char *, int);
+
+static int POP_Inspect(SFSnortPacket *);
+
+/**************************************************************************/ + +static void SetPopBuffers(POP *ssn) +{ + if ((ssn != NULL) && (ssn->decode_state == NULL) + && (!POP_IsDecodingEnabled(pop_eval_config))) + { + MemBucket *bkt = mempool_alloc(pop_mempool); + + if (bkt != NULL) + { + ssn->decode_state = (Email_DecodeState *)calloc(1, sizeof(Email_DecodeState)); + if( ssn->decode_state != NULL ) + { + ssn->decode_bkt = bkt; + SetEmailDecodeState(ssn->decode_state, bkt->data, pop_eval_config->max_depth, + pop_eval_config->b64_depth, pop_eval_config->qp_depth, + pop_eval_config->uu_depth, pop_eval_config->bitenc_depth); + } + else + { + /*free mempool if calloc fails*/ + mempool_free(pop_mempool, bkt); + } + } + else + { + POP_GenerateAlert(POP_MEMCAP_EXCEEDED, "%s", POP_MEMCAP_EXCEEDED_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "No memory available for decoding. Memcap exceeded \n");); + } + } +} + +void POP_InitCmds(POPConfig *config) +{ + const POPToken *tmp; + + if (config == NULL) + return; + + /* add one to CMD_LAST for NULL entry */ + config->cmds = (POPToken *)calloc(CMD_LAST + 1, sizeof(POPToken)); + if (config->cmds == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for pop " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + for (tmp = &pop_known_cmds[0]; tmp->name != NULL; tmp++) + { + config->cmds[tmp->search_id].name_len = tmp->name_len; + config->cmds[tmp->search_id].search_id = tmp->search_id; + config->cmds[tmp->search_id].name = strdup(tmp->name); + + if (config->cmds[tmp->search_id].name == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for pop " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + } + + /* initialize memory for command searches */ + config->cmd_search = (POPSearch *)calloc(CMD_LAST, sizeof(POPSearch)); + if (config->cmd_search == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate 
memory for pop " + "command structure\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + config->num_cmds = CMD_LAST; +} + + +/* + * Initialize POP searches + * + * @param none + * + * @return none + */ +void POP_SearchInit(void) +{ + const char *error; + int erroffset; + const POPToken *tmp; + + /* Response search */ + pop_resp_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pop_resp_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "response search.\n"); + } + + for (tmp = &pop_resps[0]; tmp->name != NULL; tmp++) + { + pop_resp_search[tmp->search_id].name = tmp->name; + pop_resp_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pop_resp_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pop_resp_search_mpse); + + /* Header search */ + pop_hdr_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pop_hdr_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "header search.\n"); + } + + for (tmp = &pop_hdrs[0]; tmp->name != NULL; tmp++) + { + pop_hdr_search[tmp->search_id].name = tmp->name; + pop_hdr_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pop_hdr_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pop_hdr_search_mpse); + + /* Data end search */ + pop_data_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pop_data_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "data search.\n"); + } + + for (tmp = &pop_data_end[0]; tmp->name != NULL; tmp++) + { + pop_data_end_search[tmp->search_id].name = tmp->name; + pop_data_end_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pop_data_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pop_data_search_mpse); + + + 
/* create regex for finding boundary string - since it can be cut across multiple + * lines, a straight search won't do. Shouldn't be too slow since it will most + * likely only be acting on a small portion of data */ + //"^content-type:\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?" + //"^\\s*multipart.*boundary\\s*=\\s*\"?([^\\s]+)\"?" + //mime_boundary_pcre.re = pcre_compile("^.*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", + //mime_boundary_pcre.re = pcre_compile("boundary(?:\n|\r\n)?=(?:\n|\r\n)?\"?([^\\s\"]+)\"?", + mime_boundary_pcre.re = pcre_compile("boundary\\s*=\\s*\"?([^\\s\"]+)\"?", + PCRE_CASELESS | PCRE_DOTALL, + &error, &erroffset, NULL); + if (mime_boundary_pcre.re == NULL) + { + DynamicPreprocessorFatalMessage("Failed to compile pcre regex for getting boundary " + "in a multipart POP message: %s\n", error); + } + + mime_boundary_pcre.pe = pcre_study(mime_boundary_pcre.re, 0, &error); + + if (error != NULL) + { + DynamicPreprocessorFatalMessage("Failed to study pcre regex for getting boundary " + "in a multipart POP message: %s\n", error); + } +} + +/* + * Initialize run-time boundary search + */ +static int POP_BoundarySearchInit(void) +{ + if (pop_ssn->mime_boundary.boundary_search != NULL) + _dpd.searchAPI->search_instance_free(pop_ssn->mime_boundary.boundary_search); + + pop_ssn->mime_boundary.boundary_search = _dpd.searchAPI->search_instance_new(); + + if (pop_ssn->mime_boundary.boundary_search == NULL) + return -1; + + _dpd.searchAPI->search_instance_add(pop_ssn->mime_boundary.boundary_search, + pop_ssn->mime_boundary.boundary, + pop_ssn->mime_boundary.boundary_len, BOUNDARY); + + _dpd.searchAPI->search_instance_prep(pop_ssn->mime_boundary.boundary_search); + + return 0; +} + + + +/* + * Reset POP session state + * + * @param none + * + * @return none + */ +static void POP_ResetState(void) +{ + if (pop_ssn->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(pop_ssn->mime_boundary.boundary_search); + 
pop_ssn->mime_boundary.boundary_search = NULL; + } + + pop_ssn->state = STATE_UNKNOWN; + pop_ssn->data_state = STATE_DATA_INIT; + pop_ssn->state_flags = 0; + ClearEmailDecodeState(pop_ssn->decode_state); + memset(&pop_ssn->mime_boundary, 0, sizeof(POPMimeBoundary)); +} + + +/* + * Given a server configuration and a port number, we decide if the port is + * in the POP server port list. + * + * @param port the port number to compare with the configuration + * + * @return integer + * @retval 0 means that the port is not a server port + * @retval !0 means that the port is a server port + */ +int POP_IsServer(uint16_t port) +{ + if (pop_eval_config->ports[port / 8] & (1 << (port % 8))) + return 1; + + return 0; +} + +static POP * POP_GetNewSession(SFSnortPacket *p, tSfPolicyId policy_id) +{ + POP *ssn; + POPConfig *pPolicyConfig = NULL; + + pPolicyConfig = (POPConfig *)sfPolicyUserDataGetCurrent(pop_config); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Creating new session data structure\n");); + + ssn = (POP *)calloc(1, sizeof(POP)); + if (ssn == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate POP session data\n"); + } + + pop_ssn = ssn; + SetPopBuffers(ssn); + + _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_POP, + ssn, &POP_SessionFree); + + if (p->flags & SSNFLAG_MIDSTREAM) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Got midstream packet - " + "setting state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + +#ifdef DEBUG_MSGS + pop_session_counter++; + ssn->session_number = pop_session_counter; +#endif + + if (p->stream_session_ptr != NULL) + { + /* check to see if we're doing client reassembly in stream */ + if (_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr) & SSN_DIR_CLIENT) + ssn->reassembling = 1; + + if(!ssn->reassembling) + { + _dpd.streamAPI->set_reassembly(p->stream_session_ptr, + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_CLIENT, STREAM_FLPOLICY_SET_ABSOLUTE); + ssn->reassembling = 1; + } + } + + ssn->policy_id = 
policy_id; + ssn->config = pop_config; + pPolicyConfig->ref_count++; + + return ssn; +} + + +/* + * Do first-packet setup + * + * @param p standard Packet structure + * + * @return none + */ +static int POP_Setup(SFSnortPacket *p, POP *ssn) +{ + int flags = 0; + int pkt_dir; + + if (p->stream_session_ptr != NULL) + { + /* set flags to session flags */ + flags = _dpd.streamAPI->get_session_flags(p->stream_session_ptr); + } + + /* Figure out direction of packet */ + pkt_dir = POP_GetPacketDirection(p, flags); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Session number: "STDu64"\n", ssn->session_number);); + + /* Check to see if there is a reassembly gap. If so, we won't know + * what state we're in when we get the _next_ reassembled packet */ + if ((pkt_dir != POP_PKT_FROM_SERVER) && + (p->flags & FLAG_REBUILT_STREAM)) + { + int missing_in_rebuilt = + _dpd.streamAPI->missing_in_reassembled(p->stream_session_ptr, SSN_DIR_CLIENT); + + if (ssn->session_flags & POP_FLAG_NEXT_STATE_UNKNOWN) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found gap in previous reassembly buffer - " + "set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags &= ~POP_FLAG_NEXT_STATE_UNKNOWN; + } + + if (missing_in_rebuilt == SSN_MISSING_BOTH) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found missing packets before and after " + "in reassembly buffer - set state to unknown and " + "next state to unknown\n");); + ssn->state = STATE_UNKNOWN; + ssn->session_flags |= POP_FLAG_NEXT_STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_BEFORE) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found missing packets before " + "in reassembly buffer - set state to unknown\n");); + ssn->state = STATE_UNKNOWN; + } + else if (missing_in_rebuilt == SSN_MISSING_AFTER) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Found missing packets after " + "in reassembly buffer - set next state to unknown\n");); + ssn->session_flags |= POP_FLAG_NEXT_STATE_UNKNOWN; + } + } + + return pkt_dir; +} + +/* + * 
Determine packet direction + * + * @param p standard Packet structure + * + * @return none + */ +static int POP_GetPacketDirection(SFSnortPacket *p, int flags) +{ + int pkt_direction = POP_PKT_FROM_UNKNOWN; + + if (flags & SSNFLAG_MIDSTREAM) + { + if (POP_IsServer(p->src_port) && + !POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_SERVER; + } + else if (!POP_IsServer(p->src_port) && + POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_CLIENT; + } + } + else + { + if (p->flags & FLAG_FROM_SERVER) + { + pkt_direction = POP_PKT_FROM_SERVER; + } + else if (p->flags & FLAG_FROM_CLIENT) + { + pkt_direction = POP_PKT_FROM_CLIENT; + } + + /* if direction is still unknown ... */ + if (pkt_direction == POP_PKT_FROM_UNKNOWN) + { + if (POP_IsServer(p->src_port) && + !POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_SERVER; + } + else if (!POP_IsServer(p->src_port) && + POP_IsServer(p->dst_port)) + { + pkt_direction = POP_PKT_FROM_CLIENT; + } + } + } + + return pkt_direction; +} + + +/* + * Free POP-specific related to this session + * + * @param v pointer to POP session structure + * + * + * @return none + */ +static void POP_SessionFree(void *session_data) +{ + POP *pop = (POP *)session_data; +#ifdef SNORT_RELOAD + POPConfig *pPolicyConfig = NULL; +#endif + + if (pop == NULL) + return; + +#ifdef SNORT_RELOAD + pPolicyConfig = (POPConfig *)sfPolicyUserDataGet(pop->config, pop->policy_id); + + if (pPolicyConfig != NULL) + { + pPolicyConfig->ref_count--; + if ((pPolicyConfig->ref_count == 0) && + (pop->config != pop_config)) + { + sfPolicyUserDataClear (pop->config, pop->policy_id); + POP_FreeConfig(pPolicyConfig); + + /* No more outstanding policies for this config */ + if (sfPolicyUserPolicyGetActive(pop->config) == 0) + POP_FreeConfigs(pop->config); + } + } +#endif + + if (pop->mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(pop->mime_boundary.boundary_search); + pop->mime_boundary.boundary_search = NULL; 
+ } + + if(pop->decode_state != NULL) + { + mempool_free(pop_mempool, pop->decode_bkt); + free(pop->decode_state); + } + + free(pop); +} + + +static void POP_NoSessionFree(void) +{ + if (pop_no_session.mime_boundary.boundary_search != NULL) + { + _dpd.searchAPI->search_instance_free(pop_no_session.mime_boundary.boundary_search); + pop_no_session.mime_boundary.boundary_search = NULL; + } +} + +static int POP_FreeConfigsPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + POPConfig *pPolicyConfig = (POPConfig *)pData; + + //do any housekeeping before freeing POPConfig + sfPolicyUserDataClear (config, policyId); + POP_FreeConfig(pPolicyConfig); + + return 0; +} + +void POP_FreeConfigs(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, POP_FreeConfigsPolicy); + sfPolicyConfigDelete(config); +} + +void POP_FreeConfig(POPConfig *config) +{ + if (config == NULL) + return; + + if (config->cmds != NULL) + { + POPToken *tmp = config->cmds; + + for (; tmp->name != NULL; tmp++) + free(tmp->name); + + free(config->cmds); + } + + if (config->cmd_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(config->cmd_search_mpse); + + if (config->cmd_search != NULL) + free(config->cmd_search); + + free(config); +} + + +/* + * Free anything that needs it before shutting down preprocessor + * + * @param none + * + * @return none + */ +void POP_Free(void) +{ + POP_NoSessionFree(); + + POP_FreeConfigs(pop_config); + pop_config = NULL; + + if (pop_resp_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(pop_resp_search_mpse); + + if (pop_hdr_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(pop_hdr_search_mpse); + + if (pop_data_search_mpse != NULL) + _dpd.searchAPI->search_instance_free(pop_data_search_mpse); + + if (mime_boundary_pcre.re ) + pcre_free(mime_boundary_pcre.re); + + if (mime_boundary_pcre.pe ) + pcre_free(mime_boundary_pcre.pe); +} + + +/* + * Callback function for 
string search + * + * @param id id in array of search strings from pop_config.cmds + * @param index index in array of search strings from pop_config.cmds + * @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int POP_SearchStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int search_id = (int)(uintptr_t)id; + + pop_search_info.id = search_id; + pop_search_info.index = index; + pop_search_info.length = pop_current_search[search_id].name_len; + + /* Returning non-zero stops search, which is okay since we only look for one at a time */ + return 1; +} + + +/* + * Callback function for boundary search + * + * @param id id in array of search strings + * @param index index in array of search strings + * @param data buffer passed in to search function + * + * @return response + * @retval 1 commands caller to stop searching + */ +static int POP_BoundaryStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int boundary_id = (int)(uintptr_t)id; + + pop_search_info.id = boundary_id; + pop_search_info.index = index; + pop_search_info.length = pop_ssn->mime_boundary.boundary_len; + + return 1; +} + +static int POP_GetBoundary(const char *data, int data_len) +{ + int result; + int ovector[9]; + int ovecsize = 9; + const char *boundary; + int boundary_len; + int ret; + char *mime_boundary; + int *mime_boundary_len; + + + mime_boundary = &pop_ssn->mime_boundary.boundary[0]; + mime_boundary_len = &pop_ssn->mime_boundary.boundary_len; + + /* result will be the number of matches (including submatches) */ + result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, + data, data_len, 0, 0, ovector, ovecsize); + if (result < 0) + return -1; + + result = pcre_get_substring(data, ovector, result, 1, &boundary); + if (result < 0) + return -1; + + boundary_len = strlen(boundary); + if (boundary_len > MAX_BOUNDARY_LEN) + { + /* XXX should we alert? 
breaking the law of RFC */ + boundary_len = MAX_BOUNDARY_LEN; + } + + mime_boundary[0] = '-'; + mime_boundary[1] = '-'; + ret = SafeMemcpy(mime_boundary + 2, boundary, boundary_len, + mime_boundary + 2, mime_boundary + 2 + MAX_BOUNDARY_LEN); + + pcre_free_substring(boundary); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *mime_boundary_len = 2 + boundary_len; + mime_boundary[*mime_boundary_len] = '\0'; + + return 0; +} + + +/* + * Handle COMMAND state + * + * @param p standard Packet structure + * @param ptr pointer into p->payload buffer to start looking at data + * @param end points to end of p->payload buffer + * + * @return pointer into p->payload where we stopped looking at data + * will be end of line or end of packet + */ +static const uint8_t * POP_HandleCommand(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *eol; /* end of line */ + const uint8_t *eolm; /* end of line marker */ + int cmd_line_len; + int cmd_found; + + /* get end of line and end of line marker */ + POP_GetEOL(ptr, end, &eol, &eolm); + + /* calculate length of command line */ + cmd_line_len = eol - ptr; + + /* TODO If the end of line marker coincides with the end of payload we can't be + * sure that we got a command and not a substring which we could tell through + * inspection of the next packet. 
Maybe a command pending state where the first + * char in the next packet is checked for a space and end of line marker */ + + /* do not confine since there could be space chars before command */ + pop_current_search = &pop_eval_config->cmd_search[0]; + cmd_found = _dpd.searchAPI->search_instance_find + (pop_eval_config->cmd_search_mpse, (const char *)ptr, + eolm - ptr, 0, POP_SearchStrFound); + + /* see if we actually found a command and not a substring */ + if (cmd_found > 0) + { + const uint8_t *tmp = ptr; + const uint8_t *cmd_start = ptr + pop_search_info.index; + const uint8_t *cmd_end = cmd_start + pop_search_info.length; + + /* move past spaces up until start of command */ + while ((tmp < cmd_start) && isspace((int)*tmp)) + tmp++; + + /* if not all spaces before command, we found a + * substring */ + if (tmp != cmd_start) + cmd_found = 0; + + /* if we're before the end of line marker and the next + * character is not whitespace, we found a substring */ + if ((cmd_end < eolm) && !isspace((int)*cmd_end)) + cmd_found = 0; + + /* there is a chance that end of command coincides with the end of payload + * in which case, it could be a substring, but for now, we will treat it as found */ + } + + /* if command not found, alert and move on */ + if (!cmd_found) + { + POP_GenerateAlert(POP_UNKNOWN_CMD, "%s", POP_UNKNOWN_CMD_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "No known command found\n");); + + return eol; + } + + /* At this point we have definitely found a legitimate command */ + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "%s\n", pop_eval_config->cmds[pop_search_info.id].name);); + +/* switch (pop_search_info.id) + { + case CMD_USER: + case CMD_PASS: + case CMD_RSET: + case CMD_QUIT: + case CMD_RETR: + break; + + default: + break; + }*/ + + return eol; +} + + +static const uint8_t * POP_HandleData(SFSnortPacket *p, const uint8_t *ptr, const uint8_t *end) +{ + const uint8_t *data_end_marker = NULL; + const uint8_t *data_end = NULL; + int data_end_found; + + /* if we've 
just entered the data state, check for a dot + end of line + * if found, no data */ + if ((pop_ssn->data_state == STATE_DATA_INIT) || + (pop_ssn->data_state == STATE_DATA_UNKNOWN)) + { + if ((ptr < end) && (*ptr == '.')) + { + const uint8_t *eol = NULL; + const uint8_t *eolm = NULL; + + POP_GetEOL(ptr, end, &eol, &eolm); + + /* this means we got a real end of line and not just end of payload + * and that the dot is only char on line */ + if ((eolm != end) && (eolm == (ptr + 1))) + { + /* if we're normalizing and not ignoring data copy data end marker + * and dot to alt buffer */ + + POP_ResetState(); + + return eol; + } + } + + if (pop_ssn->data_state == STATE_DATA_INIT) + pop_ssn->data_state = STATE_DATA_HEADER; + + /* XXX A line starting with a '.' that isn't followed by a '.' is + * deleted (RFC 821 - 4.5.2. TRANSPARENCY). If data starts with + * '. text', i.e a dot followed by white space then text, some + * servers consider it data header and some data body. + * Postfix and Qmail will consider the start of data: + * . text\r\n + * . text\r\n + * to be part of the header and the effect will be that of a + * folded line with the '.' deleted. Exchange will put the same + * in the body which seems more reasonable. 
*/ + } + + /* get end of data body + * TODO check last bytes of previous packet to see if we had a partial + * end of data */ + pop_current_search = &pop_data_end_search[0]; + data_end_found = _dpd.searchAPI->search_instance_find + (pop_data_search_mpse, (const char *)ptr, end - ptr, + 0, POP_SearchStrFound); + + if (data_end_found > 0) + { + data_end_marker = ptr + pop_search_info.index; + data_end = data_end_marker + pop_search_info.length; + } + else + { + data_end_marker = data_end = end; + } + + _dpd.setFileDataPtr((uint8_t*)ptr, (uint16_t)(data_end - ptr)); + + if ((pop_ssn->data_state == STATE_DATA_HEADER) || + (pop_ssn->data_state == STATE_DATA_UNKNOWN)) + { +#ifdef DEBUG_MSGS + if (pop_ssn->data_state == STATE_DATA_HEADER) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA UNKNOWN STATE ~~~~~~~~~~~~~~~~~~~~~\n");); + } +#endif + + ptr = POP_HandleHeader(p, ptr, data_end_marker); + if (ptr == NULL) + return NULL; + + } + + /* now we shouldn't have to worry about copying any data to the alt buffer + * only mime headers if we find them and only if we're ignoring data */ + + while ((ptr != NULL) && (ptr < data_end_marker)) + { + /* multiple MIME attachments in one single packet. 
+ * Pipeline the MIME decoded data.*/ + if ( pop_ssn->state_flags & POP_FLAG_MULTIPLE_EMAIL_ATTACH) + { + _dpd.setFileDataPtr(pop_ssn->decode_state->decodePtr, (uint16_t)pop_ssn->decode_state->decoded_bytes); + _dpd.detect(p); + pop_ssn->state_flags &= ~POP_FLAG_MULTIPLE_EMAIL_ATTACH; + ResetEmailDecodeState(pop_ssn->decode_state); + p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; + /* Reset the log count when a packet goes through detection multiple times */ + p->xtradata_mask = 0; + p->per_packet_xtradata = 0; + _dpd.DetectReset((uint8_t *)p->payload, p->payload_size); + } + switch (pop_ssn->data_state) + { + case STATE_MIME_HEADER: + DEBUG_WRAP(DebugMessage(DEBUG_POP, "MIME HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = POP_HandleHeader(p, ptr, data_end_marker); + break; + case STATE_DATA_BODY: + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA BODY STATE ~~~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = POP_HandleDataBody(p, ptr, data_end_marker); + break; + } + } + + /* We have either reached the end of MIME header or end of MIME encoded data*/ + + if(pop_ssn->decode_state != NULL) + { + _dpd.setFileDataPtr(pop_ssn->decode_state->decodePtr, (uint16_t)pop_ssn->decode_state->decoded_bytes); + ResetDecodedBytes(pop_ssn->decode_state); + } + + /* if we got the data end reset state, otherwise we're probably still in the data + * to expect more data in next packet */ + if (data_end_marker != end) + { + POP_ResetState(); + } + + return data_end; +} + + +/* + * Handle Headers - Data or Mime + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload where we stopped looking at data + */ +static const uint8_t * POP_HandleHeader(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *colon; + const uint8_t *content_type_ptr = NULL; + const uint8_t *cont_trans_enc = NULL; + int header_found; + int ret; + const 
uint8_t *start_hdr; + + start_hdr = ptr; + + /* if we got a content-type in a previous packet and are + * folding, the boundary still needs to be checked for */ + if (pop_ssn->state_flags & POP_FLAG_IN_CONTENT_TYPE) + content_type_ptr = ptr; + + if (pop_ssn->state_flags & POP_FLAG_IN_CONT_TRANS_ENC) + cont_trans_enc = ptr; + + while (ptr < data_end_marker) + { + POP_GetEOL(ptr, data_end_marker, &eol, &eolm); + + /* got a line with only end of line marker should signify end of header */ + if (eolm == ptr) + { + /* reset global header state values */ + pop_ssn->state_flags &= + ~(POP_FLAG_FOLDING | POP_FLAG_IN_CONTENT_TYPE | POP_FLAG_DATA_HEADER_CONT + | POP_FLAG_IN_CONT_TRANS_ENC ); + + pop_ssn->data_state = STATE_DATA_BODY; + + /* if no headers, treat as data */ + if (ptr == start_hdr) + return eolm; + else + return eol; + } + + /* if we're not folding, see if we should interpret line as a data line + * instead of a header line */ + if (!(pop_ssn->state_flags & (POP_FLAG_FOLDING | POP_FLAG_DATA_HEADER_CONT))) + { + char got_non_printable_in_header_name = 0; + + /* if we're not folding and the first char is a space or + * colon, it's not a header */ + if (isspace((int)*ptr) || *ptr == ':') + { + pop_ssn->data_state = STATE_DATA_BODY; + return ptr; + } + + /* look for header field colon - if we're not folding then we need + * to find a header which will be all printables (except colon) + * followed by a colon */ + colon = ptr; + while ((colon < eolm) && (*colon != ':')) + { + if (((int)*colon < 33) || ((int)*colon > 126)) + got_non_printable_in_header_name = 1; + + colon++; + } + + /* If the end on line marker and end of line are the same, assume + * header was truncated, so stay in data header state */ + if ((eolm != eol) && + ((colon == eolm) || got_non_printable_in_header_name)) + { + /* no colon or got spaces in header name (won't be interpreted as a header) + * assume we're in the body */ + pop_ssn->state_flags &= + ~(POP_FLAG_FOLDING | POP_FLAG_IN_CONTENT_TYPE 
| POP_FLAG_DATA_HEADER_CONT + |POP_FLAG_IN_CONT_TRANS_ENC); + + pop_ssn->data_state = STATE_DATA_BODY; + + return ptr; + } + + if(tolower((int)*ptr) == 'c') + { + pop_current_search = &pop_hdr_search[0]; + header_found = _dpd.searchAPI->search_instance_find + (pop_hdr_search_mpse, (const char *)ptr, + eolm - ptr, 1, POP_SearchStrFound); + + /* Headers must start at beginning of line */ + if ((header_found > 0) && (pop_search_info.index == 0)) + { + switch (pop_search_info.id) + { + case HDR_CONTENT_TYPE: + /* for now we're just looking for the boundary in the data + * header section */ + if (pop_ssn->data_state != STATE_MIME_HEADER) + { + content_type_ptr = ptr + pop_search_info.length; + pop_ssn->state_flags |= POP_FLAG_IN_CONTENT_TYPE; + } + + break; + case HDR_CONT_TRANS_ENC: + cont_trans_enc = ptr + pop_search_info.length; + pop_ssn->state_flags |= POP_FLAG_IN_CONT_TRANS_ENC; + break; + + default: + break; + } + } + } + else if(tolower((int)*ptr) == 'e') + { + if((eolm - ptr) >= 9) + { + if(strncasecmp((const char *)ptr, "Encoding:", 9) == 0) + { + cont_trans_enc = ptr + 9; + pop_ssn->state_flags |= POP_FLAG_IN_CONT_TRANS_ENC; + } + } + } + } + else + { + pop_ssn->state_flags &= ~POP_FLAG_DATA_HEADER_CONT; + } + + + /* check for folding + * if char on next line is a space and not \n or \r\n, we are folding */ + if ((eol < data_end_marker) && isspace((int)eol[0]) && (eol[0] != '\n')) + { + if ((eol < (data_end_marker - 1)) && (eol[0] != '\r') && (eol[1] != '\n')) + { + pop_ssn->state_flags |= POP_FLAG_FOLDING; + } + else + { + pop_ssn->state_flags &= ~POP_FLAG_FOLDING; + } + } + else if (eol != eolm) + { + pop_ssn->state_flags &= ~POP_FLAG_FOLDING; + } + + /* check if we're in a content-type header and not folding. 
if so we have the whole + * header line/lines for content-type - see if we got a multipart with boundary + * we don't check each folded line, but wait until we have the complete header + * because boundary=BOUNDARY can be split across mulitple folded lines before + * or after the '=' */ + if ((pop_ssn->state_flags & + (POP_FLAG_IN_CONTENT_TYPE | POP_FLAG_FOLDING)) == POP_FLAG_IN_CONTENT_TYPE) + { + /* we got the full content-type header - look for boundary string */ + ret = POP_GetBoundary((const char *)content_type_ptr, eolm - content_type_ptr); + if (ret != -1) + { + ret = POP_BoundarySearchInit(); + if (ret != -1) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Got mime boundary: %s\n", + pop_ssn->mime_boundary.boundary);); + + pop_ssn->state_flags |= POP_FLAG_GOT_BOUNDARY; + } + } + + pop_ssn->state_flags &= ~POP_FLAG_IN_CONTENT_TYPE; + content_type_ptr = NULL; + } + else if ((pop_ssn->state_flags & + (POP_FLAG_IN_CONT_TRANS_ENC | POP_FLAG_FOLDING)) == POP_FLAG_IN_CONT_TRANS_ENC) + { + /* Check for Content-Transfer-Encoding : */ + if( (!POP_IsDecodingEnabled(pop_eval_config)) && (pop_ssn->decode_state != NULL)) + { + POP_DecodeType((const char *)cont_trans_enc, eolm - cont_trans_enc ); + pop_ssn->state_flags |= POP_FLAG_EMAIL_ATTACH; + /* check to see if there are other attachments in this packet */ + if( pop_ssn->decode_state->decoded_bytes ) + pop_ssn->state_flags |= POP_FLAG_MULTIPLE_EMAIL_ATTACH; + } + pop_ssn->state_flags &= ~POP_FLAG_IN_CONT_TRANS_ENC; + + cont_trans_enc = NULL; + } + + /* if state was unknown, at this point assume we know */ + if (pop_ssn->data_state == STATE_DATA_UNKNOWN) + pop_ssn->data_state = STATE_DATA_HEADER; + + ptr = eol; + + if (ptr == data_end_marker) + pop_ssn->state_flags |= POP_FLAG_DATA_HEADER_CONT; + } + + return ptr; +} + + +/* + * Handle DATA_BODY state + * + * @param packet standard Packet structure + * + * @param i index into p->payload buffer to start looking at data + * + * @return i index into p->payload where we stopped 
looking at data + */ +static const uint8_t * POP_HandleDataBody(SFSnortPacket *p, const uint8_t *ptr, + const uint8_t *data_end_marker) +{ + int boundary_found = 0; + const uint8_t *boundary_ptr = NULL; + const uint8_t *attach_start = NULL; + const uint8_t *attach_end = NULL; + + if ( pop_ssn->state_flags & POP_FLAG_EMAIL_ATTACH ) + attach_start = ptr; + /* look for boundary */ + if (pop_ssn->state_flags & POP_FLAG_GOT_BOUNDARY) + { + boundary_found = _dpd.searchAPI->search_instance_find + (pop_ssn->mime_boundary.boundary_search, (const char *)ptr, + data_end_marker - ptr, 0, POP_BoundaryStrFound); + + if (boundary_found > 0) + { + boundary_ptr = ptr + pop_search_info.index; + + /* should start at beginning of line */ + if ((boundary_ptr == ptr) || (*(boundary_ptr - 1) == '\n')) + { + const uint8_t *eol; + const uint8_t *eolm; + const uint8_t *tmp; + + if (pop_ssn->state_flags & POP_FLAG_EMAIL_ATTACH ) + { + attach_end = boundary_ptr-1; + pop_ssn->state_flags &= ~POP_FLAG_EMAIL_ATTACH; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, pop_ssn->decode_state) != DECODE_SUCCESS ) + { + POP_DecodeAlert(); + } + } + } + + + /* Check for end boundary */ + tmp = boundary_ptr + pop_search_info.length; + if (((tmp + 1) < data_end_marker) && (tmp[0] == '-') && (tmp[1] == '-')) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Mime boundary end found: %s--\n", + (char *)pop_ssn->mime_boundary.boundary);); + + /* no more MIME */ + pop_ssn->state_flags &= ~POP_FLAG_GOT_BOUNDARY; + + /* free boundary search */ + _dpd.searchAPI->search_instance_free(pop_ssn->mime_boundary.boundary_search); + pop_ssn->mime_boundary.boundary_search = NULL; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Mime boundary found: %s\n", + (char *)pop_ssn->mime_boundary.boundary);); + + pop_ssn->data_state = STATE_MIME_HEADER; + } + + /* get end of line - there could be spaces after boundary before eol */ + POP_GetEOL(boundary_ptr + pop_search_info.length, data_end_marker, &eol, 
&eolm); + + return eol; + } + } + } + + if ( pop_ssn->state_flags & POP_FLAG_EMAIL_ATTACH ) + { + attach_end = data_end_marker; + if(attach_start < attach_end) + { + if(EmailDecode( attach_start, attach_end, pop_ssn->decode_state) != DECODE_SUCCESS ) + { + POP_DecodeAlert(); + } + } + } + + return data_end_marker; +} + + +/* + * Process client packet + * + * @param packet standard Packet structure + * + * @return none + */ +static void POP_ProcessClientPacket(SFSnortPacket *p) +{ + const uint8_t *ptr = p->payload; + const uint8_t *end = p->payload + p->payload_size; + + ptr = POP_HandleCommand(p, ptr, end); + + +} + + + +/* + * Process server packet + * + * @param packet standard Packet structure + * + */ +static void POP_ProcessServerPacket(SFSnortPacket *p) +{ + int resp_found; + const uint8_t *ptr; + const uint8_t *end; + const uint8_t *eolm; + const uint8_t *eol; + int resp_line_len; + const char *tmp = NULL; + + ptr = p->payload; + end = p->payload + p->payload_size; + + while (ptr < end) + { + if(pop_ssn->state == STATE_DATA) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");); + ptr = POP_HandleData(p, ptr, end); + continue; + } + POP_GetEOL(ptr, end, &eol, &eolm); + + resp_line_len = eol - ptr; + + /* Check for response code */ + pop_current_search = &pop_resp_search[0]; + resp_found = _dpd.searchAPI->search_instance_find + (pop_resp_search_mpse, (const char *)ptr, + resp_line_len, 1, POP_SearchStrFound); + + if (resp_found > 0) + { + const uint8_t *cmd_start = ptr + pop_search_info.index; + switch (pop_search_info.id) + { + case RESP_OK: + tmp = _dpd.SnortStrcasestr((const char *)cmd_start, (eol - cmd_start), "octets"); + if(tmp != NULL) + pop_ssn->state = STATE_DATA; + else + pop_ssn->state = STATE_UNKNOWN; + break; + + default: + break; + } + + } + else + { + if(*ptr == '+' ) + { + POP_GenerateAlert(POP_UNKNOWN_RESP, "%s", POP_UNKNOWN_RESP_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response not found\n");); + 
} + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response description\n");); + } + + } + + ptr = eol; + + } + + return; +} + +/* For Target based + * If a protocol for the session is already identified and not one POP is + * interested in, POP should leave it alone and return without processing. + * If a protocol for the session is already identified and is one that POP is + * interested in, decode it. + * If the protocol for the session is not already identified and the preprocessor + * is configured to detect on one of the packet ports, detect. + * Returns 0 if we should not inspect + * 1 if we should continue to inspect + */ +static int POP_Inspect(SFSnortPacket *p) +{ +#ifdef TARGET_BASED + /* POP could be configured to be stateless. If stream isn't configured, assume app id + * will never be set and just base inspection on configuration */ + if (p->stream_session_ptr == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: No stream session.\n");); + + if ((POP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (POP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: Configured for this " + "traffic, so let's inspect.\n");); + return 1; + } + } + else + { + int16_t app_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr); + + if (app_id != 0) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: App id: %u.\n", app_id);); + + if (app_id == pop_proto_id) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: App id is " + "set to \"%s\".\n", POP_PROTO_REF_STR);); + return 1; + } + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: Unknown protocol for " + "this session. 
See if we're configured.\n");); + + if ((POP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (POP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP: Target-based: POP port is configured.");); + return 1; + } + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_POP,"POP: Target-based: Not inspecting ...\n");); + +#else + /* Make sure it's traffic we're interested in */ + if ((POP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + (POP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) + return 1; + +#endif /* TARGET_BASED */ + + return 0; +} + +/* + * Entry point to snort preprocessor for each packet + * + * @param packet standard Packet structure + * + * @return none + */ +void SnortPOP(SFSnortPacket *p) +{ + int detected = 0; + int pkt_dir; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + + PROFILE_VARS; + + + pop_ssn = (POP *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_POP); + if (pop_ssn != NULL) + pop_eval_config = (POPConfig *)sfPolicyUserDataGet(pop_ssn->config, pop_ssn->policy_id); + else + pop_eval_config = (POPConfig *)sfPolicyUserDataGetCurrent(pop_config); + + if (pop_eval_config == NULL) + return; + + if (pop_ssn == NULL) + { + if (!POP_Inspect(p)) + return; + + pop_ssn = POP_GetNewSession(p, policy_id); + if (pop_ssn == NULL) + return; + } + + pkt_dir = POP_Setup(p, pop_ssn); + + if (pkt_dir == POP_PKT_FROM_CLIENT) + { + POP_ProcessClientPacket(p); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP client packet\n");); + } + else + { +#ifdef DEBUG_MSGS + if (pkt_dir == POP_PKT_FROM_SERVER) + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP server packet\n");); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP packet NOT from client or server! 
" + "Processing as a server packet\n");); + } +#endif + + if (p->flags & FLAG_STREAM_INSERT) + { + /* Packet will be rebuilt, so wait for it */ + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Client packet will be reassembled\n")); + return; + } + else if (pop_ssn->reassembling && !(p->flags & FLAG_REBUILT_STREAM)) + { + /* If this isn't a reassembled packet and didn't get + * inserted into reassembly buffer, there could be a + * problem. If we miss syn or syn-ack that had window + * scaling this packet might not have gotten inserted + * into reassembly buffer because it fell outside of + * window, because we aren't scaling it */ + pop_ssn->session_flags |= POP_FLAG_GOT_NON_REBUILT; + pop_ssn->state = STATE_UNKNOWN; + } + else if (pop_ssn->reassembling && (pop_ssn->session_flags & POP_FLAG_GOT_NON_REBUILT)) + { + /* This is a rebuilt packet. If we got previous packets + * that were not rebuilt, state is going to be messed up + * so set state to unknown. It's likely this was the + * beginning of the conversation so reset state */ + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Got non-rebuilt packets before " + "this rebuilt packet\n");); + + pop_ssn->state = STATE_UNKNOWN; + pop_ssn->session_flags &= ~POP_FLAG_GOT_NON_REBUILT; + } + /* Process as a server packet */ + POP_ProcessServerPacket(p); + } + + + PREPROC_PROFILE_START(popDetectPerfStats); + + detected = _dpd.detect(p); + +#ifdef PERF_PROFILING + popDetectCalled = 1; +#endif + + PREPROC_PROFILE_END(popDetectPerfStats); + + /* Turn off detection since we've already done it. 
*/
+ POP_DisableDetect(p);
+
+ if (detected)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP vulnerability detected\n"););
+ }
+}
+
+static void POP_DisableDetect(SFSnortPacket *p)
+{
+ _dpd.disableAllDetect(p);
+
+ _dpd.setPreprocBit(p, PP_SFPORTSCAN);
+ _dpd.setPreprocBit(p, PP_PERFMONITOR);
+ _dpd.setPreprocBit(p, PP_STREAM5);
+ _dpd.setPreprocBit(p, PP_SDF);
+}
+
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/snort_pop.h snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.h
--- snort-2.9.0.1/src/dynamic-preprocessors/pop/snort_pop.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/pop/snort_pop.h 2011-06-07 17:33:14.000000000 -0700
@@ -0,0 +1,218 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * **************************************************************************/
+
+/**************************************************************************
+ *
+ * snort_pop.h
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file defines everything specific to the POP preprocessor.
+ *
+ **************************************************************************/
+
+#ifndef __POP_H__
+#define __POP_H__
+
+
+/* Includes ***************************************************************/
+
+#include <pcre.h>
+
+#include "sf_snort_packet.h"
+#include "pop_config.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "mempool.h"
+#include "sf_email_attach_decode.h"
+
+#ifdef DEBUG
+#include "sf_types.h"
+#endif
+
+/**************************************************************************/
+
+
+/* Defines ****************************************************************/
+
+/* Direction packet is coming from, if we can figure it out */
+#define POP_PKT_FROM_UNKNOWN 0
+#define POP_PKT_FROM_CLIENT 1
+#define POP_PKT_FROM_SERVER 2
+
+#define SEARCH_CMD 0
+#define SEARCH_RESP 1
+#define SEARCH_HDR 2
+#define SEARCH_DATA_END 3
+#define NUM_SEARCHES 4
+
+#define BOUNDARY 0
+
+#define MAX_BOUNDARY_LEN 70 /* Max length of boundary string, defined in RFC 2046 */
+
+#define STATE_DATA 0 /* Data state */
+#define STATE_UNKNOWN 1
+
+#define STATE_DATA_INIT 0
+#define STATE_DATA_HEADER 1 /* Data header section of data state */
+#define STATE_DATA_BODY 2 /* Data body section of data state */
+#define STATE_MIME_HEADER 3 /* MIME header section within data section */
+#define STATE_DATA_UNKNOWN 4
+
+/* state flags */
+#define POP_FLAG_FOLDING 0x00000001
+#define POP_FLAG_IN_CONTENT_TYPE 0x00000002
+#define POP_FLAG_GOT_BOUNDARY 0x00000004
+#define POP_FLAG_DATA_HEADER_CONT 0x00000008
+#define POP_FLAG_IN_CONT_TRANS_ENC 0x00000010
+#define POP_FLAG_EMAIL_ATTACH 0x00000020
+#define POP_FLAG_MULTIPLE_EMAIL_ATTACH 0x00000040
+
+/* session flags */
+#define POP_FLAG_NEXT_STATE_UNKNOWN 0x00000004
+#define POP_FLAG_GOT_NON_REBUILT 0x00000008
+
+#define POP_SSL_ERROR_FLAGS (SSL_BOGUS_HS_DIR_FLAG | \
+ SSL_BAD_VER_FLAG | \
+ SSL_BAD_TYPE_FLAG | \
+ SSL_UNKNOWN_FLAG)
+
+/* Maximum length of header chars before colon, based on Exim 4.32 exploit */
+#define 
MAX_HEADER_NAME_LEN 64
+
+#define POP_PROTO_REF_STR "pop"
+
+/**************************************************************************/
+
+
+/* Data structures ********************************************************/
+
+typedef enum _POPCmdEnum
+{
+ CMD_APOP = 0,
+ CMD_AUTH,
+ CMD_CAPA,
+ CMD_DELE,
+ CMD_LIST,
+ CMD_NOOP,
+ CMD_PASS,
+ CMD_QUIT,
+ CMD_RETR,
+ CMD_RSET,
+ CMD_STAT,
+ CMD_STLS,
+ CMD_TOP,
+ CMD_UIDL,
+ CMD_USER,
+ CMD_LAST
+
+} POPCmdEnum;
+
+typedef enum _POPRespEnum
+{
+ RESP_OK = 0,
+ RESP_ERR,
+ RESP_LAST
+
+} POPRespEnum;
+
+typedef enum _POPHdrEnum
+{
+ HDR_CONTENT_TYPE = 0,
+ HDR_CONT_TRANS_ENC,
+ HDR_LAST
+
+} POPHdrEnum;
+
+typedef enum _POPDataEndEnum
+{
+ DATA_END_1 = 0,
+ DATA_END_2,
+ DATA_END_3,
+ DATA_END_4,
+ DATA_END_LAST
+
+} POPDataEndEnum;
+
+typedef struct _POPSearchInfo
+{
+ int id;
+ int index;
+ int length;
+
+} POPSearchInfo;
+
+typedef struct _POPMimeBoundary
+{
+ char boundary[2 + MAX_BOUNDARY_LEN + 1]; /* '--' + MIME boundary string + '\0' */
+ int boundary_len;
+ void *boundary_search;
+
+} POPMimeBoundary;
+
+typedef struct _POPPcre
+{
+ pcre *re;
+ pcre_extra *pe;
+
+} POPPcre;
+
+typedef struct _POP
+{
+ int state;
+ int data_state;
+ int state_flags;
+ int session_flags;
+ int alert_mask;
+ int reassembling;
+#ifdef DEBUG_MSGS
+ uint64_t session_number;
+#endif
+
+ MemBucket *decode_bkt;
+ POPMimeBoundary mime_boundary;
+ Email_DecodeState *decode_state;
+
+ tSfPolicyId policy_id;
+ tSfPolicyUserContextId config;
+
+} POP;
+
+
+/**************************************************************************/
+
+
+/* Function prototypes ****************************************************/
+
+void POP_InitCmds(POPConfig *config);
+void POP_SearchInit(void);
+void POP_Free(void);
+void SnortPOP(SFSnortPacket *);
+int POP_IsServer(uint16_t);
+void POP_FreeConfig(POPConfig *);
+void POP_FreeConfigs(tSfPolicyUserContextId);
+
+/**************************************************************************/
+
+#endif /* __POP_H__ 
*/
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/spp_pop.c snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.c
--- snort-2.9.0.1/src/dynamic-preprocessors/pop/spp_pop.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.c 2011-10-26 11:28:52.000000000 -0700
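Review bot: `#define MAX_HEADER_NAME_LEN 64` carries a security rationale ("based on Exim 4.32 exploit"), but in the part of snort_pop.c visible earlier in this diff POP_HandleHeader only walks to the colon and records non-printable characters; nothing compares the header-name length against this limit, so the bound appears to be declaration-only. Either enforce it where the colon is located or annotate the define, e.g. `/* not enforced yet: POP_HandleHeader does not alert on over-long header names */`, so readers do not assume an alert exists; the rest of snort_pop.c is not in view, so the check may live elsewhere. The `POP_FLAG_*` prefix is shared by the state_flags bits and the session_flags bits, and `POP_FLAG_NEXT_STATE_UNKNOWN` (0x4) reuses the value of `POP_FLAG_GOT_BOUNDARY`, so testing a session flag against `state_flags` compiles silently and matches the wrong bit; a comment on that group such as `/* session flags: POP.session_flags only; values overlap the state flags above */` would mark the hazard and a distinct prefix would remove it. `POP_FLAG_NEXT_STATE_UNKNOWN` is also not referenced in any of the code shown, so it may be dead.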
@@ -0,0 +1,670 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/**************************************************************************
+ *
+ * spp_pop.c
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file initializes POP as a Snort preprocessor.
+ *
+ * This file registers the POP initialization function,
+ * adds the POP function into the preprocessor list.
+ *
+ * In general, this file is a wrapper to POP functionality,
+ * by interfacing with the Snort preprocessor functions. The rest
+ * of POP should be separate from the preprocessor hooks.
+ * + **************************************************************************/ + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "spp_pop.h" +#include "sf_preproc_info.h" +#include "snort_pop.h" +#include "pop_config.h" +#include "pop_log.h" + +#include "preprocids.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "snort_debug.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats popPerfStats; +PreprocStats popDetectPerfStats; +int popDetectCalled = 0; +#endif + +#include "sf_types.h" +#include "mempool.h" +#include "snort_bounds.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_POP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_POP"; +#endif + +#define SetupPOP DYNAMIC_PREPROC_SETUP + +MemPool *pop_mempool = NULL; + +tSfPolicyUserContextId pop_config = NULL; +POPConfig *pop_eval_config = NULL; + +extern POP pop_no_session; +extern int16_t pop_proto_id; + +static void POPInit(char *); +static void POPDetect(void *, void *context); +static void POPCleanExitFunction(int, void *); +static void POPResetFunction(int, void *); +static void POPResetStatsFunction(int, void *); +static void _addPortsToStream5Filter(POPConfig *, tSfPolicyId); +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId); +#endif +static void POPCheckConfig(void); + +#ifdef SNORT_RELOAD +tSfPolicyUserContextId pop_swap_config = NULL; +static void POPReload(char *); +static int POPReloadVerify(void); +static void * POPReloadSwap(void); +static void POPReloadSwapFree(void *); +#endif + + +/* + * Function: SetupPOP() + * + * Purpose: Registers the preprocessor keyword and initialization + * function into the preprocessor list. 
This is the function that + * gets called from InitPreprocessors() in plugbase.c. + * + * Arguments: None. + * + * Returns: void function + * + */ +void SetupPOP(void) +{ + /* link the preprocessor keyword to the init function in the preproc list */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("pop", POPInit); +#else + _dpd.registerPreproc("pop", POPInit, POPReload, + POPReloadSwap, POPReloadSwapFree); +#endif +} + + +/* + * Function: POPInit(char *) + * + * Purpose: Calls the argument parsing function, performs final setup on data + * structs, links the preproc function into the function list. + * + * Arguments: args => ptr to argument string + * + * Returns: void function + * + */ +static void POPInit(char *args) +{ + POPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + POPConfig * pPolicyConfig = NULL; + + if (pop_config == NULL) + { + //create a context + pop_config = sfPolicyConfigCreate(); + if (pop_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + + /* Initialize the searches not dependent on configuration. 
+ * headers, reponsed, data, mime boundary regular expression */ + POP_SearchInit(); + + /* zero out static POP global used for stateless POP or if there + * is no session pointer */ + memset(&pop_no_session, 0, sizeof(POP)); + + /* Put the preprocessor function into the function list */ + /* _dpd.addPreproc(POPDetect, PRIORITY_APPLICATION, PP_POP, PROTO_BIT__TCP);*/ + _dpd.addPreprocExit(POPCleanExitFunction, NULL, PRIORITY_LAST, PP_POP); + _dpd.addPreprocReset(POPResetFunction, NULL, PRIORITY_LAST, PP_POP); + _dpd.addPreprocResetStats(POPResetStatsFunction, NULL, PRIORITY_LAST, PP_POP); + _dpd.addPreprocConfCheck(POPCheckConfig); + +#ifdef TARGET_BASED + pop_proto_id = _dpd.findProtocolReference(POP_PROTO_REF_STR); + if (pop_proto_id == SFTARGET_UNKNOWN_PROTOCOL) + pop_proto_id = _dpd.addProtocolReference(POP_PROTO_REF_STR); + + DEBUG_WRAP(DebugMessage(DEBUG_POP,"POP: Target-based: Proto id for %s: %u.\n", + POP_PROTO_REF_STR, pop_proto_id);); +#endif + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("pop", (void*)&popPerfStats, 0, _dpd.totalPerfStats); +#endif + } + + sfPolicyUserPolicySet (pop_config, policy_id); + pPolicyConfig = (POPConfig *)sfPolicyUserDataGetCurrent(pop_config); + if (pPolicyConfig != NULL) + { + DynamicPreprocessorFatalMessage("Can only configure POP preprocessor once.\n"); + } + + pPolicyConfig = (POPConfig *)calloc(1, sizeof(POPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + + sfPolicyUserDataSetCurrent(pop_config, pPolicyConfig); + + POP_InitCmds(pPolicyConfig); + POP_ParseArgs(pPolicyConfig, args); + + POP_CheckConfig(pPolicyConfig, pop_config); + POP_PrintConfig(pPolicyConfig); + + if(pPolicyConfig->disabled) + return; + + _dpd.addPreproc(POPDetect, PRIORITY_APPLICATION, PP_POP, PROTO_BIT__TCP); + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + 
+ /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +/* + * Function: POPDetect(void *, void *) + * + * Purpose: Perform the preprocessor's intended function. This can be + * simple (statistics collection) or complex (IP defragmentation) + * as you like. Try not to destroy the performance of the whole + * system by trying to do too much.... 
+ * + * Arguments: p => pointer to the current packet data struct + * + * Returns: void function + * + */ +static void POPDetect(void *pkt, void *context) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + tSfPolicyId policy_id = _dpd.getRuntimePolicy(); + PROFILE_VARS; + + if ((p->payload_size == 0) || !IsTCP(p) || (p->payload == NULL)) + return; + + PREPROC_PROFILE_START(popPerfStats); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP Start (((((((((((((((((((((((((((((((((((((((\n");); + + sfPolicyUserPolicySet (pop_config, policy_id); + + SnortPOP(p); + + DEBUG_WRAP(DebugMessage(DEBUG_POP, "POP End )))))))))))))))))))))))))))))))))))))))))\n\n");); + + PREPROC_PROFILE_END(popPerfStats); +#ifdef PERF_PROFILING + if (PROFILING_PREPROCS && popDetectCalled) + { + popPerfStats.ticks -= popDetectPerfStats.ticks; + /* And Reset ticks to 0 */ + popDetectPerfStats.ticks = 0; + popDetectCalled = 0; + } +#endif + +} + + +/* + * Function: POPCleanExitFunction(int, void *) + * + * Purpose: This function gets called when Snort is exiting, if there's + * any cleanup that needs to be performed (e.g. closing files) + * it should be done here. 
+ * + * Arguments: signal => the code of the signal that was issued to Snort + * data => any arguments or data structs linked to this + * function when it was registered, may be + * needed to properly exit + * + * Returns: void function + */ +static void POPCleanExitFunction(int signal, void *data) +{ + POP_Free(); + if (mempool_destroy(pop_mempool) == 0) + { + free(pop_mempool); + pop_mempool = NULL; + } + +} + + +static void POPResetFunction(int signal, void *data) +{ + return; +} + +static void POPResetStatsFunction(int signal, void *data) +{ + return; +} + +static void _addPortsToStream5Filter(POPConfig *config, tSfPolicyId policy_id) +{ + unsigned int portNum; + + if (config == NULL) + return; + + for (portNum = 0; portNum < MAXPORTS; portNum++) + { + if(config->ports[(portNum/8)] & (1<<(portNum%8))) + { + //Add port the port + _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)portNum, + PORT_MONITOR_SESSION, policy_id, 1); + } + } +} + +#ifdef TARGET_BASED +static void _addServicesToStream5Filter(tSfPolicyId policy_id) +{ + _dpd.streamAPI->set_service_filter_status(pop_proto_id, PORT_MONITOR_SESSION, policy_id, 1); +} +#endif + +static int POPEnableDecoding(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + POPConfig *context = (POPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(!POP_IsDecodingEnabled(context)) + return 1; + + return 0; +} + +static int POPCheckPolicyConfig( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + POPConfig *context = (POPConfig *)pData; + + _dpd.setParserPolicy(policyId); + + /* In a multiple-policy setting, the POP preproc can be turned on in a + "disabled" state. In this case, we don't require Stream5. 
*/ + if (context->disabled) + return 0; + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + + return 0; +} + +static void POPCheckConfig(void) +{ + + POPConfig *defaultConfig = + (POPConfig *)sfPolicyUserDataGetDefault(pop_config); + + sfPolicyUserDataIterate (pop_config, POPCheckPolicyConfig); + + if (sfPolicyUserDataIterate(pop_config, POPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + if (defaultConfig == NULL) + { + /*error message */ + DynamicPreprocessorFatalMessage("POP: Must configure a default " + "configuration if you want to pop decoding.\n"); + } + + encode_depth = defaultConfig->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = defaultConfig->memcap / (2 * encode_depth ); + + pop_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(pop_mempool, max_sessions, + (2 * encode_depth )) != 0) + { + DynamicPreprocessorFatalMessage("POP: Could not allocate POP mempool.\n"); + } + } + + +} + +#ifdef SNORT_RELOAD +static void POPReload(char *args) +{ + POPToken *tmp; + tSfPolicyId policy_id = _dpd.getParserPolicy(); + POPConfig *pPolicyConfig = NULL; + + if (pop_swap_config == NULL) + { + //create a context + pop_swap_config = sfPolicyConfigCreate(); + if (pop_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + + _dpd.addPreprocReloadVerify(POPReloadVerify); + } + + sfPolicyUserPolicySet (pop_swap_config, policy_id); + pPolicyConfig = (POPConfig *)sfPolicyUserDataGetCurrent(pop_swap_config); + + if (pPolicyConfig != NULL) + DynamicPreprocessorFatalMessage("Can only configure POP preprocessor once.\n"); + + pPolicyConfig = (POPConfig *)calloc(1, sizeof(POPConfig)); + if (pPolicyConfig == NULL) + { + DynamicPreprocessorFatalMessage("Not enough memory to create POP " + "configuration.\n"); + } + 
+ sfPolicyUserDataSetCurrent(pop_swap_config, pPolicyConfig); + + POP_InitCmds(pPolicyConfig); + POP_ParseArgs(pPolicyConfig, args); + + POP_CheckConfig(pPolicyConfig, pop_swap_config); + POP_PrintConfig(pPolicyConfig); + + if( pPolicyConfig->disabled ) + return; + + if (_dpd.streamAPI == NULL) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + + /* Command search - do this here because it's based on configuration */ + pPolicyConfig->cmd_search_mpse = _dpd.searchAPI->search_instance_new(); + if (pPolicyConfig->cmd_search_mpse == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate POP " + "command search.\n"); + } + + for (tmp = pPolicyConfig->cmds; tmp->name != NULL; tmp++) + { + pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; + pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; + + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, + tmp->name_len, tmp->search_id); + } + + _dpd.searchAPI->search_instance_prep(pPolicyConfig->cmd_search_mpse); + + _dpd.addPreproc(POPDetect, PRIORITY_APPLICATION, PP_POP, PROTO_BIT__TCP); + + _addPortsToStream5Filter(pPolicyConfig, policy_id); + +#ifdef TARGET_BASED + _addServicesToStream5Filter(policy_id); +#endif +} + +static int POPReloadVerify(void) +{ + POPConfig *config = NULL; + POPConfig *configNext = NULL; + + if (pop_swap_config == NULL) + return 0; + + if (pop_config != NULL) + { + config = (POPConfig *)sfPolicyUserDataGet(pop_config, _dpd.getDefaultPolicy()); + } + + configNext = (POPConfig *)sfPolicyUserDataGet(pop_swap_config, _dpd.getDefaultPolicy()); + + if (config == NULL) + { + return 0; + } + + if (pop_mempool != NULL) + { + if (configNext == NULL) + { + _dpd.errMsg("POP reload: Changing the POP configuration requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if (configNext->memcap != config->memcap) + { + _dpd.errMsg("POP reload: 
Changing the memcap requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->b64_depth != config->b64_depth) + { + _dpd.errMsg("POP reload: Changing the b64_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->qp_depth != config->qp_depth) + { + _dpd.errMsg("POP reload: Changing the qp_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->bitenc_depth != config->bitenc_depth) + { + _dpd.errMsg("POP reload: Changing the bitenc_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + if(configNext->uu_depth != config->uu_depth) + { + _dpd.errMsg("POP reload: Changing the uu_decode_depth requires a restart.\n"); + POP_FreeConfigs(pop_swap_config); + pop_swap_config = NULL; + return -1; + } + + } + else if(configNext != NULL) + { + if (sfPolicyUserDataIterate(pop_swap_config, POPEnableDecoding) != 0) + { + int encode_depth; + int max_sessions; + + + encode_depth = configNext->max_depth; + + if (encode_depth & 7) + { + encode_depth += (8 - (encode_depth & 7)); + } + + max_sessions = configNext->memcap / ( 2 * encode_depth); + + pop_mempool = (MemPool *)calloc(1, sizeof(MemPool)); + + if (mempool_init(pop_mempool, max_sessions, + (2 * encode_depth)) != 0) + { + DynamicPreprocessorFatalMessage("POP: Could not allocate POP mempool.\n"); + } + } + + } + + + if ( configNext->disabled ) + return 0; + + + if (!_dpd.isPreprocEnabled(PP_STREAM5)) + { + DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " + "for POP preprocessor\n"); + } + + return 0; +} + +static int POPReloadSwapPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData + ) +{ + POPConfig *pPolicyConfig = (POPConfig *)pData; + + if (pPolicyConfig->ref_count == 0) + { + 
sfPolicyUserDataClear (config, policyId); + POP_FreeConfig(pPolicyConfig); + } + + return 0; +} + +static void * POPReloadSwap(void) +{ + tSfPolicyUserContextId old_config = pop_config; + + if (pop_swap_config == NULL) + return NULL; + + pop_config = pop_swap_config; + pop_swap_config = NULL; + + sfPolicyUserDataIterate (old_config, POPReloadSwapPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + POP_FreeConfigs(old_config); + + return NULL; +} + +static void POPReloadSwapFree(void *data) +{ + if (data == NULL) + return; + + POP_FreeConfigs((tSfPolicyUserContextId)data); +} +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/pop/spp_pop.h snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.h --- snort-2.9.0.1/src/dynamic-preprocessors/pop/spp_pop.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/pop/spp_pop.h 2011-06-07 17:33:14.000000000 -0700 
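Review bot: POPReloadVerify dereferences configNext unconditionally at `if ( configNext->disabled )`, but when pop_mempool is NULL the only guard on that pointer is the `else if(configNext != NULL)` branch above it, so a reload whose swap set carries no default-policy POP config (configNext == NULL, pop_mempool == NULL) reaches that line with a null pointer; `if (configNext == NULL || configNext->disabled) return 0;` closes the gap. In the same function and in POPCheckConfig, `pop_mempool = (MemPool *)calloc(1, sizeof(MemPool));` is handed to mempool_init without a NULL check, so allocation failure becomes a null dereference instead of the DynamicPreprocessorFatalMessage path every other allocation in this file takes. Both of those mempool-sizing blocks also compute `memcap / (2 * encode_depth)`; unless POP_CheckConfig (outside this hunk) rejects a max_depth of 0, a configuration value drives a divide by zero there, and a guard such as `if (encode_depth <= 0) DynamicPreprocessorFatalMessage("POP: max_depth must be positive.\n");` before the division would make the assumption explicit.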
@@ -0,0 +1,37 @@
+
+/*
+ * spp_pop.h
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * Author: Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ *
+ * Description:
+ *
+ * This file defines the publicly available functions for the POP
+ * functionality for Snort.
+ *
+ */
+
+#ifndef __SPP_POP_H__
+#define __SPP_POP_H__
+
+void SetupPOP(void);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/Makefile.am snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/Makefile.am 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.am 2011-10-26 07:49:57.000000000 -0700
@@ -0,0 +1,61 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_reputation_preproc.la
+
+libsf_reputation_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_reputation_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_reputation_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sf_ip.c \
+../include/sfrt.c \
+../include/sfrt_dir.c \
+../include/sfrt_flat.c \
+../include/sfrt_flat_dir.c \
+../include/segment_mem.c \
+../include/sfPolicyUserData.c
+endif
+
+if HAVE_SHARED_REP
+libsf_reputation_preproc_la_SOURCES = \
+spp_reputation.c \
+spp_reputation.h \
+reputation_config.c \
+reputation_config.h \
+reputation_utils.c \
+reputation_utils.h \
+reputation_debug.h \
+./shmem/sflinux_helpers.c \
+./shmem/sflinux_helpers.h \
+./shmem/shmem_common.h \
+./shmem/shmem_config.h \
+./shmem/shmem_config.c \
+./shmem/shmem_datamgmt.h \
+./shmem/shmem_datamgmt.c \
+./shmem/shmem_lib.h \
+./shmem/shmem_lib.c \
+./shmem/shmem_mgmt.h \
+./shmem/shmem_mgmt.c
+else
+libsf_reputation_preproc_la_SOURCES = \
+spp_reputation.c \
+spp_reputation.h \
+reputation_config.c \
+reputation_config.h \
+reputation_utils.c \
+reputation_utils.h \
+reputation_debug.h
+endif
+
+
+EXTRA_DIST = \
+sf_reputation.dsp
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/Makefile.in snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.in
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/Makefile.in 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/Makefile.in 2011-12-07 11:23:20.000000000 -0800
@@ -0,0 +1,631 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/reputation +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 
40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_reputation_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am__libsf_reputation_preproc_la_SOURCES_DIST = spp_reputation.c \ + spp_reputation.h reputation_config.c reputation_config.h \ + reputation_utils.c reputation_utils.h reputation_debug.h \ + ./shmem/sflinux_helpers.c ./shmem/sflinux_helpers.h \ + ./shmem/shmem_common.h ./shmem/shmem_config.h \ + ./shmem/shmem_config.c ./shmem/shmem_datamgmt.h \ + ./shmem/shmem_datamgmt.c ./shmem/shmem_lib.h \ + ./shmem/shmem_lib.c ./shmem/shmem_mgmt.h ./shmem/shmem_mgmt.c +@HAVE_SHARED_REP_FALSE@am_libsf_reputation_preproc_la_OBJECTS = \ +@HAVE_SHARED_REP_FALSE@ spp_reputation.lo reputation_config.lo \ +@HAVE_SHARED_REP_FALSE@ reputation_utils.lo +@HAVE_SHARED_REP_TRUE@am_libsf_reputation_preproc_la_OBJECTS = \ +@HAVE_SHARED_REP_TRUE@ spp_reputation.lo reputation_config.lo \ +@HAVE_SHARED_REP_TRUE@ reputation_utils.lo sflinux_helpers.lo \ +@HAVE_SHARED_REP_TRUE@ shmem_config.lo shmem_datamgmt.lo \ +@HAVE_SHARED_REP_TRUE@ shmem_lib.lo shmem_mgmt.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_reputation_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ 
+@SO_WITH_STATIC_LIB_FALSE@ sfrt.lo sfrt_dir.lo sfrt_flat.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfrt_flat_dir.lo segment_mem.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_reputation_preproc_la_OBJECTS = \ + $(am_libsf_reputation_preproc_la_OBJECTS) \ + $(nodist_libsf_reputation_preproc_la_OBJECTS) +libsf_reputation_preproc_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsf_reputation_preproc_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_reputation_preproc_la_SOURCES) \ + $(nodist_libsf_reputation_preproc_la_SOURCES) +DIST_SOURCES = $(am__libsf_reputation_preproc_la_SOURCES_DIST) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = 
@INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = 
@docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_reputation_preproc.la +libsf_reputation_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@libsf_reputation_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_reputation_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_flat.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfrt_flat_dir.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/segment_mem.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +@HAVE_SHARED_REP_FALSE@libsf_reputation_preproc_la_SOURCES = \ +@HAVE_SHARED_REP_FALSE@spp_reputation.c \ +@HAVE_SHARED_REP_FALSE@spp_reputation.h \ +@HAVE_SHARED_REP_FALSE@reputation_config.c \ +@HAVE_SHARED_REP_FALSE@reputation_config.h \ +@HAVE_SHARED_REP_FALSE@reputation_utils.c \ +@HAVE_SHARED_REP_FALSE@reputation_utils.h \ 
+@HAVE_SHARED_REP_FALSE@reputation_debug.h + +@HAVE_SHARED_REP_TRUE@libsf_reputation_preproc_la_SOURCES = \ +@HAVE_SHARED_REP_TRUE@spp_reputation.c \ +@HAVE_SHARED_REP_TRUE@spp_reputation.h \ +@HAVE_SHARED_REP_TRUE@reputation_config.c \ +@HAVE_SHARED_REP_TRUE@reputation_config.h \ +@HAVE_SHARED_REP_TRUE@reputation_utils.c \ +@HAVE_SHARED_REP_TRUE@reputation_utils.h \ +@HAVE_SHARED_REP_TRUE@reputation_debug.h \ +@HAVE_SHARED_REP_TRUE@./shmem/sflinux_helpers.c \ +@HAVE_SHARED_REP_TRUE@./shmem/sflinux_helpers.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_common.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_config.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_config.c \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_datamgmt.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_datamgmt.c \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_lib.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_lib.c \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_mgmt.h \ +@HAVE_SHARED_REP_TRUE@./shmem/shmem_mgmt.c + +EXTRA_DIST = \ +sf_reputation.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/reputation/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/reputation/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_reputation_preproc.la: $(libsf_reputation_preproc_la_OBJECTS) $(libsf_reputation_preproc_la_DEPENDENCIES) + $(libsf_reputation_preproc_la_LINK) -rpath $(libdir) $(libsf_reputation_preproc_la_OBJECTS) $(libsf_reputation_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sflinux_helpers.lo: ./shmem/sflinux_helpers.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sflinux_helpers.lo `test -f './shmem/sflinux_helpers.c' || echo '$(srcdir)/'`./shmem/sflinux_helpers.c + +shmem_config.lo: ./shmem/shmem_config.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_config.lo `test -f './shmem/shmem_config.c' || echo '$(srcdir)/'`./shmem/shmem_config.c + +shmem_datamgmt.lo: ./shmem/shmem_datamgmt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_datamgmt.lo `test -f './shmem/shmem_datamgmt.c' || echo '$(srcdir)/'`./shmem/shmem_datamgmt.c + +shmem_lib.lo: ./shmem/shmem_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_lib.lo `test -f './shmem/shmem_lib.c' || echo '$(srcdir)/'`./shmem/shmem_lib.c + +shmem_mgmt.lo: ./shmem/shmem_mgmt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shmem_mgmt.lo `test -f './shmem/shmem_mgmt.c' || echo 
'$(srcdir)/'`./shmem/shmem_mgmt.c + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfrt.lo: ../include/sfrt.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt.lo `test -f '../include/sfrt.c' || echo '$(srcdir)/'`../include/sfrt.c + +sfrt_dir.lo: ../include/sfrt_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_dir.lo `test -f '../include/sfrt_dir.c' || echo '$(srcdir)/'`../include/sfrt_dir.c + +sfrt_flat.lo: ../include/sfrt_flat.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_flat.lo `test -f '../include/sfrt_flat.c' || echo '$(srcdir)/'`../include/sfrt_flat.c + +sfrt_flat_dir.lo: ../include/sfrt_flat_dir.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfrt_flat_dir.lo `test -f '../include/sfrt_flat_dir.c' || echo '$(srcdir)/'`../include/sfrt_flat_dir.c + +segment_mem.lo: ../include/segment_mem.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o segment_mem.lo `test -f '../include/segment_mem.c' || echo '$(srcdir)/'`../include/segment_mem.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) 
{ for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_config.c snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.c
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_config.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.c 2011-11-21 12:15:24.000000000 -0800
@@ -0,0 +1,1423 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 6/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <ctype.h>
+#include <errno.h>
+#include <stdint.h>
+#include "sf_snort_packet.h"
+#include "sf_types.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "reputation_config.h"
+#include "spp_reputation.h"
+#include "reputation_debug.h"
+#include "reputation_utils.h"
+#ifdef SHARED_REP
+#include "./shmem/shmem_mgmt.h"
+#include <sys/stat.h>
+#endif
+enum
+{
+ IP_INSERT_SUCCESS = 0,
+ IP_INVALID,
+ IP_INSERT_FAILURE,
+ IP_INSERT_DUPLICATE,
+ IP_MEM_ALLOC_FAILURE
+};
+
+
+/*
+ * Default values for configurable parameters.
+ */
+#define REPUTATION_DEFAULT_MEMCAP 500 /*Mega bytes*/
+#define REPUTATION_DEFAULT_REFRESH_PERIOD 60 /*60 seconds*/
+
+
+/*
+ * Min/Max values for each configurable parameter.
+ */
+#define MIN_MEMCAP 1
+#define MAX_MEMCAP 4095
+#define MIN_SHARED_MEM_REFRESH_PERIOD 1
+#define MAX_SHARED_MEM_REFRESH_PERIOD UINT32_MAX
+
+#define MAX_ADDR_LINE_LENGTH 8192
+
+/*
+ * Keyword strings for parsing configuration options.
+ */
+#define REPUTATION_MEMCAP_KEYWORD "memcap"
+#define REPUTATION_SCANLOCAL_KEYWORD "scan_local"
+#define REPUTATION_BLACKLIST_KEYWORD "blacklist"
+#define REPUTATION_WHITELIST_KEYWORD "whitelist"
+#define REPUTATION_PRIORITY_KEYWORD "priority"
+#define REPUTATION_NESTEDIP_KEYWORD "nested_ip"
+#define REPUTATION_SHAREMEM_KEYWORD "shared_mem"
+#define REPUTATION_SHAREDREFRESH_KEYWORD "shared_refresh"
+
+#define REPUTATION_CONFIG_SECTION_SEPERATORS ",;"
+#define REPUTATION_CONFIG_VALUE_SEPERATORS " "
+#define REPUTATION_SEPARATORS " \t\r\n"
+
+
+static bw_list black = {BLACKLISTED};
+static bw_list white = {WHITELISTED};
+
+static char *black_info = REPUTATION_BLACKLIST_KEYWORD;
+static char *white_info = REPUTATION_WHITELIST_KEYWORD;
+
+char* NestedIPKeyword[] =
+{
+ "inner",
+ "outer",
+ "both",
+ NULL
+};
+
+#define MAX_MSGS_TO_PRINT 20
+
+static unsigned long total_duplicates;
+static unsigned long total_invalids;
+
+void **IPtables;
+table_flat_t *emptyIPtables;
+#ifdef SHARED_REP
+ReputationConfig *reputation_shmem_config;
+#endif
+/*
+ * Function prototype(s)
+ */
+static void IpListInit(uint32_t,ReputationConfig *config);
+static void LoadListFile(char *filename, INFO info, ReputationConfig *config);
+static void DisplayIPlistStats(ReputationConfig *);
+static void DisplayReputationConfig(ReputationConfig *);
+
+/* ********************************************************************
+ * Function: estimateSizeFromEntries
+ *
+ * Estimate the memory segment size based on number of entries and memcap.
+ *
+ * Arguments:
+ *
+ * uint32_t num_entries: number of entries.
+ * uint32_t the memcap value set in configuration
+ *
+ * RETURNS: estimated memory size.
+ *********************************************************************/
+uint32_t estimateSizeFromEntries(uint32_t num_entries, uint32_t memcap)
+{
+ uint64_t size;
+ uint64_t sizeFromEntries;
+
+ /*memcap value is in Megabytes*/
+ size = memcap << 20;
+
+ if (size > UINT32_MAX)
+ size = UINT32_MAX;
+
+ /*Worst case, 15k ~ 2^14 per entry, plus one Megabytes for empty table*/
+ if (num_entries > ((UINT32_MAX - (1 << 20))>> 14))
+ sizeFromEntries = UINT32_MAX;
+ else
+ sizeFromEntries = (num_entries << 14) + (1 << 20);
+
+ if (size > sizeFromEntries)
+ {
+ size = sizeFromEntries;
+ }
+
+ return (uint32_t) size;
+}
+#ifdef SHARED_REP
+/****************************************************************************
+ *
+ * Function: CheckIPlistDir()
+ *
+ * Purpose: We only check if IP list directory exist and
+ * readable
+ * Arguments: None.
+ *
+ * Returns:
+ * 0 : fail
+ * 1 : success
+ *
+ ****************************************************************************/
+static int CheckIPlistDir(char *path)
+{
+ struct stat st;
+
+ if (path == NULL)
+ return 0;
+
+ if (stat(path, &st) == -1)
+ return 0;
+
+ if (!S_ISDIR(st.st_mode) || (access(path, R_OK) == -1))
+ {
+ return 0;
+ }
+ return 1;
+}
+
+/* ********************************************************************
+ * Function: LoadFileIntoShmem
+ *
+ * Call back function for shared memory
+ * This is called when new files in the list
+ * Arguments:
+ *
+ * void* ptrSegment: start of shared memory segment.
+ * ShmemDataFileList** file_list: the list of whitelist/blacklist files
+ * int num_files: number of files
+ *
+ * RETURNS:
+ * 0: success
+ * other value fails
+ *********************************************************************/
+
+int LoadFileIntoShmem(void* ptrSegment, ShmemDataFileList** file_list, int num_files)
+{
+ table_flat_t *table;
+ int i;
+ MEM_OFFSET black_ptr;
+ MEM_OFFSET white_ptr;
+ uint8_t *base;
+
+ segment_meminit((uint8_t*)ptrSegment, reputation_shmem_config->memsize);
+
+#ifdef SUP_IP6
+ /*DIR_16x7_4x4 for performance, but memory usage is high
+ *Use DIR_8x16 worst case IPV4 5K, IPV6 15K (bytes)
+ *Use DIR_16x7_4x4 worst case IPV4 500, IPV6 2.5M
+ */
+ table = sfrt_flat_new(DIR_8x16, IPv6, reputation_shmem_config->numEntries, reputation_shmem_config->memcap);
+#else
+ table = sfrt_flat_new(DIR_8x4, IPv4, reputation_shmem_config->numEntries, reputation_load_config->memcap);
+
+#endif
+ if (table == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): Failed to create IP list.\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ }
+
+ reputation_shmem_config->iplist = table;
+ base = (uint8_t *)ptrSegment;
+
+ black_ptr = segment_malloc(sizeof(bw_list));
+ white_ptr = segment_malloc(sizeof(bw_list));
+ *((bw_list *)&base[black_ptr]) = black;
+ *((bw_list *)&base[white_ptr]) = white;
+
+ reputation_shmem_config->memCapReached = false;
+
+ /*Reset the log message count*/
+ total_duplicates = 0;
+ for (i = 0; i < num_files; i++)
+ {
+ if (BLACK_LIST == file_list[i]->filetype)
+ LoadListFile(file_list[i]->filename,black_ptr, reputation_shmem_config);
+ else if (WHITE_LIST == file_list[i]->filetype)
+ LoadListFile(file_list[i]->filename,white_ptr, reputation_shmem_config);
+
+ }
+
+ _dpd.logMsg(" Reputation Preprocessor shared memory summary:\n");
+ DisplayIPlistStats(reputation_shmem_config);
+ return 0;
+}
+
+/* ********************************************************************
+ * Function: GetSegmentSizeFromFileList
+ *
+ * Call back function for shared memory
+ * This is called when new files in the list
+ *
+ * Arguments:
+ *
+ * ShmemDataFileList** file_list: the list of whitelist/blacklist files
+ * int num_files: number of files
+ *
+ * RETURNS:
+ * uint32_t: segment size
+ *********************************************************************/
+uint32_t GetSegmentSizeFromFileList(ShmemDataFileList** file_list, int file_count)
+{
+ int numlines;
+ int totalLines = 0;
+ int i;
+
+ if (file_count == 0)
+ {
+ return ZEROSEG;
+ }
+ for (i = 0; i < file_count; i++)
+ {
+ errno = 0;
+ numlines = numLinesInFile(file_list[i]->filename);
+ if ((0 == numlines) && (0 != errno))
+ {
+ char errBuf[STD_BUF];
+#ifdef WIN32
+ snprintf(errBuf, STD_BUF, "%s", strerror(errno));
+#else
+ strerror_r(errno, errBuf, STD_BUF);
+#endif
+ DynamicPreprocessorFatalMessage( "Unable to open address file %s, Error: %s\n",
+ file_list[i]->filename, errBuf);
+ }
+
+ if (totalLines + numlines < totalLines)
+ {
+ DynamicPreprocessorFatalMessage("Too many entries.\n");
+ }
+
+ totalLines += numlines;
+ }
+
+ if (totalLines == 0)
+ {
+ return ZEROSEG;
+ }
+ reputation_shmem_config->numEntries = totalLines + 1;
+
+ reputation_shmem_config->memsize = estimateSizeFromEntries(reputation_shmem_config->numEntries, reputation_shmem_config->memcap);
+ return reputation_shmem_config->memsize;
+}
+
+/* ********************************************************************
+ * Function: InitPerProcessZeroSegment
+ *
+ * Call back function for shared memory
+ * This is called during initialization
+ *
+ * Arguments:
+ *
+ * void*** data_ptr: (output) the address of shared memory address
+ *
+ * RETURNS:
+ * uint32_t: segment size
+ *********************************************************************/
+int InitPerProcessZeroSegment(void*** data_ptr)
+{
+ /*The size of empty segment is 1 Megabytes*/
+ size_t size = 1;
+ long maxEntries = 1;
+ static bool initiated = false;
+
+ if (true == initiated)
+ {
+ *data_ptr = (void **)&emptyIPtables;
+ return 0;
+ }
+ reputation_shmem_config->emptySegment = malloc(size*1024*1024);
+ segment_meminit((uint8_t*) reputation_shmem_config->emptySegment, size*1024*1024);
+
+ initiated = true;
+
+#ifdef SUP_IP6
+ /*DIR_16x7_4x4 for performance, but memory usage is high
+ *Use DIR_8x16 worst case IPV4 5K, IPV6 15K (bytes)
+ *Use DIR_16x7_4x4 worst case IPV4 500, IPV6 2.5M
+ */
+ emptyIPtables = sfrt_flat_new(DIR_8x16, IPv6, maxEntries, size);
+#else
+ emptyIPtables = sfrt_flat_new(DIR_8x4, IPv4, maxEntries, size);
+
+#endif
+ if (emptyIPtables == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): Failed to create IP list.\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ }
+
+ *data_ptr = (void **)&emptyIPtables;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, " Total memory "
+ "allocated for empty table: %d bytes\n",
+ sfrt_flat_usage(emptyIPtables)););
+ return 0;
+}
+
+/* ********************************************************************
+ * Function: initShareMemory
+ *
+ * Initialize for shared memory
+ * This is called during initialization
+ *
+ * Arguments:
+ *
+ * ReputationConfig *config: the configure file
+ *
+ * RETURNS:
+ * 1: success
+ *********************************************************************/
+void initShareMemory(void *conf)
+{
+ int segment_number;
+ uint32_t snortID;
+ ReputationConfig *config = (ReputationConfig *)conf;
+
+ reputation_shmem_config = config;
+ if (InitShmemDataMgmtFunctions(InitPerProcessZeroSegment,
+ GetSegmentSizeFromFileList,LoadFileIntoShmem))
+ {
+ DynamicPreprocessorFatalMessage("Unable to initialize DataManagement functions\n");
+
+ }
+ /*use snort instance ID to designate server (writer)*/
+ snortID = _dpd.getSnortInstance();
+ if (SHMEM_SERVER_ID_1 == snortID)
+ {
+ if ((segment_number = InitShmemWriter(snortID,IPREP,GROUP_0,NUMA_0,
+ config->sharedMem.path, &IPtables,config->sharedMem.updateInterval)) == NO_ZEROSEG)
+ {
+ DynamicPreprocessorFatalMessage("Unable to init share memory writer\n");
+
+ }
+ }
+ else
+ {
+ if ((segment_number = InitShmemReader(snortID,IPREP,GROUP_0,NUMA_0,
+ config->sharedMem.path, &IPtables,config->sharedMem.updateInterval)) == NO_ZEROSEG)
+ {
+ DynamicPreprocessorFatalMessage("Unable to init share memory reader\n");
+
+ }
+ }
+
+}
+#endif
+/* ********************************************************************
+ * Function: DisplayIPlistStats
+ *
+ * Display the statistics for the Reputation iplist table.
+ *
+ * Arguments:
+ *
+ * ReputationConfig *config: Reputation preprocessor configuration.
+ *
+ * RETURNS: Nothing.
+ *********************************************************************/
+static void DisplayIPlistStats(ReputationConfig *config)
+{
+ /*Print out the summary*/
+ reputation_stats.memoryAllocated = sfrt_flat_usage(config->iplist);
+ _dpd.logMsg(" Reputation total memory usage: %u bytes\n",
+ reputation_stats.memoryAllocated);
+ config->numEntries = sfrt_flat_num_entries(config->iplist);
+ _dpd.logMsg(" Reputation total entries loaded: %u, invalid: %u, re-defined: %u\n",
+ config->numEntries,total_invalids,total_duplicates);
+}
+/* ********************************************************************
+ * Function: DisplayReputationConfig
+ *
+ * Display the configuration for the Reputation preprocessor.
+ *
+ * Arguments:
+ *
+ * ReputationConfig *config: Reputation preprocessor configuration.
+ *
+ * RETURNS: Nothing.
+ *********************************************************************/
+static void DisplayReputationConfig(ReputationConfig *config)
+{
+
+ if (config == NULL)
+ return;
+
+ _dpd.logMsg(" Memcap: %d %s \n",
+ config->memcap,
+ config->memcap
+ == REPUTATION_DEFAULT_MEMCAP ?
+ "(Default) M bytes" : "M bytes" );
+ _dpd.logMsg(" Scan local network: %s\n",
+ config->scanlocal ?
+ "ENABLED":"DISABLED (Default)");
+ _dpd.logMsg(" Reputation priority: %s \n",
+ config->priority
+ == WHITELISTED?
+ REPUTATION_WHITELIST_KEYWORD "(Default)" : REPUTATION_BLACKLIST_KEYWORD );
+ _dpd.logMsg(" Nested IP: %s %s \n",
+ NestedIPKeyword[config->nestedIP],
+ config->nestedIP
+ == INNER?
+ "(Default)" : "" );
+ if (config->sharedMem.path)
+ {
+ _dpd.logMsg(" Shared memory supported, Update directory: %s\n",
+ config->sharedMem.path );
+ _dpd.logMsg(" Shared memory refresh period: %d %s \n",
+ config->sharedMem.updateInterval,
+ config->sharedMem.updateInterval
+ == REPUTATION_DEFAULT_REFRESH_PERIOD ?
+ "(Default) seconds" : "seconds" );
+ }
+ else
+ {
+ _dpd.logMsg(" Shared memory is Not supported.\n");
+
+ }
+ _dpd.logMsg("\n");
+}
+
+
+
+/********************************************************************
+ * Function: IpListInit
+ *
+ * Initiate an iplist table
+ *
+ * Arguments:
+ * Reputation_Config *
+ * The configuration to use.
+ *
+ * Returns: None
+ *
+ ********************************************************************/
+
+static void IpListInit(uint32_t maxEntries, ReputationConfig *config)
+{
+ uint8_t *base;
+
+ if (config->iplist == NULL)
+ {
+ uint32_t mem_size;
+ mem_size = estimateSizeFromEntries(maxEntries, config->memcap);
+ config->localSegment = malloc(mem_size);
+ segment_meminit((uint8_t*)config->localSegment,mem_size);
+ base = (uint8_t *)config->localSegment;
+
+#ifdef SUP_IP6
+ /*DIR_16x7_4x4 for performance, but memory usage is high
+ *Use DIR_8x16 worst case IPV4 5K, IPV6 15K (bytes)
+ *Use DIR_16x7_4x4 worst case IPV4 500, IPV6 2.5M
+ */
+ config->iplist = sfrt_flat_new(DIR_8x16, IPv6, maxEntries, config->memcap);
+#else
+ config->iplist = sfrt_flat_new(DIR_8x4, IPv4, maxEntries, config->memcap);
+
+#endif
+ config->local_black_ptr = segment_malloc(sizeof(bw_list));
+ config->local_white_ptr = segment_malloc(sizeof(bw_list));
+
+ *((bw_list *)&base[config->local_black_ptr]) = black;
+ *((bw_list *)&base[config->local_white_ptr]) = white;
+
+ if (config->iplist == NULL)
+ {
+ DynamicPreprocessorFatalMessage("%s(%d): Failed to create IP list.\n",
+ *(_dpd.config_file), *(_dpd.config_line));
+ return;
+ }
+ }
+}
+
+/********************************************************************
+ * Function: AddIPtoList
+ *
+ * Add ip address to config file
+ *
+ * Arguments:
+ * sfip_t *: ip address
+ * void *: information about the file.
+ * ReputationConfig *: The configuration to be update.
+ *
+ * Returns:
+ * IP_INSERT_SUCCESS=0,
+ * IP_INSERT_FAILURE,
+ * IP_INSERT_DUPLICATE
+ *
+ ********************************************************************/
+
+static int AddIPtoList(sfip_t *ipAddr,INFO info, ReputationConfig *config)
+{
+ int iRet;
+ int iFinalRet = IP_INSERT_SUCCESS;
+ /*This variable is used to check whether a more generic address
+ * overrides specific address
+ */
+ uint32_t usageBeforeAdd;
+ uint32_t usageAfterAdd;
+
+#ifndef SUP_IP6
+ if (ipAddr->family == AF_INET6)
+ {
+ return RT_INSERT_FAILURE;
+ }
+#endif
+ if (ipAddr->family == AF_INET)
+ {
+ ipAddr->ip32[0] = ntohl(ipAddr->ip32[0]);
+ }
+ else if (ipAddr->family == AF_INET6)
+ {
+ int i;
+ for(i = 0; i < 4 ; i++)
+ ipAddr->ip32[i] = ntohl(ipAddr->ip32[i]);
+ }
+#ifdef DEBUG_MSGS
+
+ if (NULL != sfrt_flat_lookup((void *)ipAddr, config->iplist))
+ {
+ DebugMessage(DEBUG_REPUTATION, "Find address before insert: %s \n",sfip_to_str(ipAddr) );
+
+ }
+ else
+ {
+ DebugMessage(DEBUG_REPUTATION, "Can't find address before insert: %s \n",sfip_to_str(ipAddr) );
+
+ }
+#endif
+
+ usageBeforeAdd = sfrt_flat_usage(config->iplist);
+
+ /*Check whether the same or more generic address is already in the table*/
+ if (NULL != sfrt_flat_lookup((void *)ipAddr, config->iplist))
+ {
+ iFinalRet = IP_INSERT_DUPLICATE;
+ }
+
+
+#ifdef SUP_IP6
+ iRet = sfrt_flat_insert((void *)ipAddr, (unsigned char)ipAddr->bits, info, RT_FAVOR_TIME, config->iplist);
+#else
+ iRet = sfrt_flat_insert((void *)&(ipAddr->ip.u6_addr32[0]), (unsigned char)ipAddr->bits, info, RT_FAVOR_TIME, config->iplist);
+#endif
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Unused memory: %d \n",segment_unusedmem()););
+
+
+ if (RT_SUCCESS == iRet)
+ {
+ totalNumEntries++;
+#ifdef DEBUG_MSGS
+
+ DebugMessage(DEBUG_REPUTATION, "Number of entries input: %d, in table: %d \n",
+ totalNumEntries,sfrt_flat_num_entries(config->iplist) );
+ DebugMessage(DEBUG_REPUTATION, "Memory allocated: %d \n",sfrt_flat_usage(config->iplist) );
+ if (NULL != sfrt_flat_lookup((void *)ipAddr, config->iplist))
+ {
+ DebugMessage(DEBUG_REPUTATION, "Find address after insert: %s \n",sfip_to_str(ipAddr) );
+
+ }
+#endif
+ }
+ else if (MEM_ALLOC_FAILURE == iRet)
+ {
+ iFinalRet = IP_MEM_ALLOC_FAILURE;
+ DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Insert error: %d for address: %s \n",iRet, sfip_to_str(ipAddr) ););
+ }
+ else
+ {
+ iFinalRet = IP_INSERT_FAILURE;
+ DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Insert error: %d for address: %s \n",iRet, sfip_to_str(ipAddr) ););
+
+ }
+
+ usageAfterAdd = sfrt_flat_usage(config->iplist);
+ /*Compare in the same scale*/
+ if (usageAfterAdd > (config->memcap << 20))
+ {
+ iFinalRet = IP_MEM_ALLOC_FAILURE;
+ }
+ /*Check whether there a more specific address will be overridden*/
+ if (usageBeforeAdd > usageAfterAdd )
+ {
+ iFinalRet = IP_INSERT_DUPLICATE;
+ }
+
+ return iFinalRet;
+
+}
+
+/********************************************************************
+ * Function:
+ *
+ * Load one IP list file
+ *
+ * Arguments:
+ * char *: the line to be processed
+ * void *: information about the file.
+ * ReputationConfig *: The configuration to be update.
+ * + * Returns: + * IP_INSERT_SUCCESS, + * IP_INSERT_FAILURE, + * IP_INSERT_DUPLICATE + * + ********************************************************************/ + +static int ProcessLine(char *line, INFO info, ReputationConfig *config) +{ + sfip_t ipAddr; + char *lineBuff; + char *nextBuff; + char *arg = NULL; + + if (!line) + return IP_INSERT_SUCCESS; + lineBuff = strdup(line); + if (NULL == lineBuff) + return IP_MEM_ALLOC_FAILURE; + if((arg = strtok_r(lineBuff, REPUTATION_SEPARATORS, &nextBuff)) != NULL) + { + int iRet; + if (Reputation_IsEmptyStr(arg)) + { + free(lineBuff); + return IP_INSERT_SUCCESS; + } + + if(sfip_pton(arg, &ipAddr) != SFIP_SUCCESS) + { + free(lineBuff); + return IP_INVALID; + + } + iRet = AddIPtoList(&ipAddr, info, config); + if( IP_INSERT_SUCCESS != iRet) + { + free(lineBuff); + return iRet; + } + if ((arg = strtok_r(nextBuff, REPUTATION_SEPARATORS, &nextBuff)) != NULL) + { + if (!Reputation_IsEmptyStr(arg)) + { + free(lineBuff); + return IP_INSERT_FAILURE; + } + } + + } + free(lineBuff); + return IP_INSERT_SUCCESS; +} + +/******************************************************************** + * Function: UpdatePathToFile + * + * Update the patch to file, if using relative patch + * The relative path is based on config file directory + * + * Arguments: + * fullfilename: file name string + * info: information about the file. + * ReputationConfig *: The configuration to be update. 
+ * + * Returns: + * 1 successful + * 0 fail + * + ********************************************************************/ + +static int UpdatePathToFile(char *full_path_filename, unsigned int max_size, char *filename) +{ + char *snort_conf_dir = *(_dpd.snort_conf_dir); + + if (!snort_conf_dir || !(*snort_conf_dir) || !full_path_filename || !filename) + { + DynamicPreprocessorFatalMessage(" %s(%d) => can't create path.\n", + *(_dpd.config_file), *(_dpd.config_line)); + return 0; + } + /*filename is too long*/ + if (max_size < strlen(filename) ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => the file name length %u is longer than allowed %u.\n", + *(_dpd.config_file), *(_dpd.config_line), strlen(filename), max_size); + return 0; + } + /* + * If an absolute path is specified, then use that. + */ +#ifndef WIN32 + if(filename[0] == '/') + { + snprintf(full_path_filename, max_size, "%s", filename); + } + else + { + /* + ** Set up the file name directory + */ + if (snort_conf_dir[strlen(snort_conf_dir) - 1] == '/') + { + snprintf(full_path_filename,max_size, + "%s%s", snort_conf_dir, filename); + } + else + { + snprintf(full_path_filename, max_size, + "%s/%s", snort_conf_dir, filename); + } + } +#else + if(strlen(filename)>3 && filename[1]==':' && filename[2]=='\\') + { + snprintf(full_path_filename, max_size, "%s", filename); + } + else + { + /* + ** Set up the file name directory + */ + if (snort_conf_dir[strlen(snort_conf_dir) - 1] == '\\' || + snort_conf_dir[strlen(snort_conf_dir) - 1] == '/' ) + { + snprintf(full_path_filename,max_size, + "%s%s", snort_conf_dir, filename); + } + else + { + snprintf(full_path_filename, max_size, + "%s\\%s", snort_conf_dir, filename); + } + } +#endif + return 1; +} + +/******************************************************************** + * Function: GetListInfo + * + * Get information about the file + * + * Arguments: + * + * info: information about the file. 
+ * + * Returns: + * None + * + ********************************************************************/ + +static char* GetListInfo(INFO info) +{ + uint8_t *base; + bw_list *info_value; + base = (uint8_t *)segment_basePtr(); + info_value = (bw_list *)(&base[info]); + if (!info_value) + return NULL; + switch(info_value->isBlack) + { + case DECISION_NULL: + return NULL; + break; + case BLACKLISTED: + return black_info; + break; + case WHITELISTED: + return white_info; + break; + default: + return NULL; + } + return NULL; +} +/******************************************************************** + * Function: LoadListFile + * + * Load one IP list file + * + * Arguments: + * filename: file name string + * info: information about the file. + * ReputationConfig *: The configuration to be update. + * + * Returns: + * None + * + ********************************************************************/ + +static void LoadListFile(char *filename, INFO info, ReputationConfig *config) +{ + + char list_buf[MAX_ADDR_LINE_LENGTH+1]; + char full_path_filename[PATH_MAX+1]; + char *lb = list_buf; + int addrline = 0; + FILE *fp = NULL; + char *cmt = NULL; + char *list_info; + + /*entries processing statistics*/ + unsigned int num_duplicates = 0; /*number of duplicates in this file*/ + unsigned int num_invalids = 0; /*number of invalid entries in this file*/ + unsigned int num_loaded_before = 0; /*number of valid entries loaded */ + + if ((NULL == filename)||(0 == info)|| (NULL == config)||config->memCapReached) + return; + + UpdatePathToFile(full_path_filename, PATH_MAX, filename); + + list_info = GetListInfo(info); + + if (!list_info) + return; + + _dpd.logMsg(" Processing %s file %s\n", list_info, full_path_filename); + + if((fp = fopen(full_path_filename, "r")) == NULL) + { + char errBuf[STD_BUF]; +#ifdef WIN32 + snprintf(errBuf, STD_BUF, "%s", strerror(errno)); +#else + strerror_r(errno, errBuf, STD_BUF); +#endif + DynamicPreprocessorFatalMessage("%s(%d) => Unable to open address file 
%s, Error: %s\n", + *(_dpd.config_file), *(_dpd.config_line), full_path_filename, errBuf); + } + + num_loaded_before = sfrt_flat_num_entries(config->iplist); + while((fgets(lb, MAX_ADDR_LINE_LENGTH, fp)) != NULL) + { + int iRet; + addrline++; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation configurations: %s\n",lb );); + /* remove comments */ + if((cmt = strchr(lb, '#')) != NULL) + { + *cmt = '\0'; + } + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation configurations: %s\n",lb );); + /* process the line */ + iRet = ProcessLine(lb, info, config); + + if (IP_INSERT_SUCCESS == iRet) + { + continue; + } + else if (IP_INSERT_FAILURE == iRet) + { + if (num_invalids++ < MAX_MSGS_TO_PRINT) + { + _dpd.errMsg(" (%d) => Can't insert IP Address: %s", + addrline, lb); + } + } + else if (IP_INVALID == iRet) + { + if (num_invalids++ < MAX_MSGS_TO_PRINT) + { + _dpd.errMsg(" (%d) => Invalid IP Address: %s", + addrline, lb); + } + } + + else if (IP_MEM_ALLOC_FAILURE == iRet) + { + _dpd.logMsg("WARNING: %s(%d) => Memcap %u Mbytes reached when inserting IP Address: %s.", + full_path_filename, addrline, config->memcap,lb); + config->memCapReached = true; + break; + } + else if (IP_INSERT_DUPLICATE == iRet) + { + if (num_duplicates++ < MAX_MSGS_TO_PRINT) + { + _dpd.logMsg(" (%d) => Re-defined address: %s", + addrline, lb ); + } + + } + + lb = list_buf; + } + + total_duplicates += num_duplicates; + total_invalids += num_invalids; + /*Print out the summary*/ + if (num_invalids > MAX_MSGS_TO_PRINT) + _dpd.logMsg(" Additional address is invalid but not printed.\n"); + if (num_duplicates > MAX_MSGS_TO_PRINT) + _dpd.logMsg(" Additional address has been redefined but not printed.\n"); + + _dpd.logMsg(" Reputation entries loaded: %u, invalid: %u, re-defined: %u (from file %s)\n", + sfrt_flat_num_entries(config->iplist)- num_loaded_before,num_invalids,num_duplicates, + full_path_filename); + + fclose(fp); + +} + 
+/******************************************************************** + * Function: Reputation_FreeConfig + * + * Frees a reputation configuration + * + * Arguments: + * Reputation_Config * + * The configuration to free. + * + * Returns: None + * + ********************************************************************/ +void Reputation_FreeConfig (ReputationConfig *config) +{ + + if (config == NULL) + return; + + + if (config->emptySegment != NULL) + { + free(config->emptySegment); + } + + if (config->localSegment != NULL) + { + free(config->localSegment); + } + + if(config->sharedMem.path) + free(config->sharedMem.path); + free(config); +} + + +/********************************************************************* + * Function: EstimateNumEntries + * + * First pass to decide iplist table size. + * + * Arguments: + * + * ReputationConfig *config: Reputation preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: int. estimated number of Entries based on number of lines + *********************************************************************/ +int EstimateNumEntries(ReputationConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + int totalLines = 0; + + + /*Default values*/ + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse Reputation options.\n"); + return 0; + } + + cur_sectionp = strtok_r( argcpyp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + + while ( cur_sectionp ) + { + char* next_tokenp = NULL; + char* cur_tokenp = strtok_r( cur_sectionp, REPUTATION_CONFIG_VALUE_SEPERATORS, &next_tokenp); + + if (!cur_tokenp) + { + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + + if ( !strcmp( cur_tokenp, 
REPUTATION_MEMCAP_KEYWORD )) + { + int value; + char *endStr = NULL; + + cur_tokenp = strtok_r(next_tokenp, REPUTATION_CONFIG_VALUE_SEPERATORS, &next_tokenp); + + if ( !cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No option to '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_MEMCAP_KEYWORD); + } + + value = _dpd.SnortStrtol( cur_tokenp, &endStr, 10); + + if (( *endStr) || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_MEMCAP_KEYWORD, MIN_MEMCAP, MAX_MEMCAP); + } + + if (value < MIN_MEMCAP || value > MAX_MEMCAP) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. Please specify an integer between %d and %d.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_MEMCAP_KEYWORD, MIN_MEMCAP, MAX_MEMCAP); + } + config->memcap = (uint32_t) value; + + } + else if ( !strcmp( cur_tokenp, REPUTATION_BLACKLIST_KEYWORD ) + ||!strcmp( cur_tokenp, REPUTATION_WHITELIST_KEYWORD )) + { + int numlines; + char full_path_filename[PATH_MAX+1]; + cur_tokenp = strtok_r( next_tokenp, REPUTATION_CONFIG_VALUE_SEPERATORS, &next_tokenp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Check list size %s\n",cur_tokenp );); + if(cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => Bad list filename in IP List.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + errno = 0; + UpdatePathToFile(full_path_filename,PATH_MAX, cur_tokenp); + numlines = numLinesInFile(full_path_filename); + if ((0 == numlines) && (0 != errno)) + { + char errBuf[STD_BUF]; + +#ifdef WIN32 + snprintf(errBuf, STD_BUF, "%s", strerror(errno)); +#else + strerror_r(errno, errBuf, STD_BUF); +#endif + DynamicPreprocessorFatalMessage("%s(%d) => Unable to open address file %s, Error: %s\n", + *(_dpd.config_file), *(_dpd.config_line), full_path_filename, errBuf); + } + + if 
(totalLines + numlines < totalLines) + { + DynamicPreprocessorFatalMessage("%s(%d) => Too many entries in one file.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + totalLines += numlines; + + } +#ifdef SHARED_REP + else if ( !strcmp( cur_tokenp, REPUTATION_SHAREMEM_KEYWORD )) + { + + if (Reputation_IsEmptyStr(next_tokenp)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Missing argument for %s," + " please specify a path\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_SHAREMEM_KEYWORD); + } + + if (!CheckIPlistDir(next_tokenp)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Can't find or access the path: %s\n", + *(_dpd.config_file), *(_dpd.config_line), next_tokenp); + } + + config->sharedMem.path = strdup( (char*) next_tokenp ); + + if ( !config->sharedMem.path ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse Reputation options.\n"); + + } + + config->sharedMem.updateInterval = REPUTATION_DEFAULT_REFRESH_PERIOD; + + } +#endif + + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + } + + free(argcpyp); + return totalLines; +} + +/********************************************************************* + * Function: ParseReputationArgs + * + * Parses and processes the configuration arguments + * supplied in the Reputation preprocessor rule. + * + * Arguments: + * + * ReputationConfig *config: Reputation preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: Nothing. 
+ *********************************************************************/ +void ParseReputationArgs(ReputationConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + + if (config == NULL) + return; + + _dpd.logMsg("Reputation config: \n"); + + /*Default values*/ + config->memcap = REPUTATION_DEFAULT_MEMCAP; + config->priority = WHITELISTED; + config->nestedIP = INNER; + config->localSegment = NULL; + config->emptySegment = NULL; + config->memsize = 0; + config->memCapReached = false; + + /* Sanity check(s) */ + if ( !argp ) + { + _dpd.logMsg("WARNING: Can't find any whitelist/blacklist entries. " + "Reputation Preprocessor disabled.\n"); + return; + } + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse Reputation options.\n"); + return; + } + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation configurations: %s\n",argcpyp );); + + /*We need to parse the memcap, numEntries earlier, then create iplist table*/ + + config->numEntries = EstimateNumEntries(config, argp ); + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Estimated number of entries: %d\n",config->numEntries );); + + if ((config->numEntries <= 0) && (!config->sharedMem.path)) + { + _dpd.logMsg("WARNING: Can't find any whitelist/blacklist entries. 
" + "Reputation Preprocessor disabled.\n"); + free(argcpyp); + return; + } + if (!config->sharedMem.path) + IpListInit(config->numEntries + 1,config); + + cur_sectionp = strtok_r( argcpyp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + /*Reset the log message count*/ + total_duplicates = 0; + while ( cur_sectionp ) + { + + char* cur_config; + char* cur_tokenp = strtok( cur_sectionp, REPUTATION_CONFIG_VALUE_SEPERATORS); + + if (!cur_tokenp) + { + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + cur_config = cur_tokenp; + + if ( !strcmp( cur_tokenp, REPUTATION_SCANLOCAL_KEYWORD )) + { + config->scanlocal = 1; + } + else if ( !strcmp( cur_tokenp, REPUTATION_MEMCAP_KEYWORD )) + { + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + /* processed before */ + } + else if ( !strcmp( cur_tokenp, REPUTATION_BLACKLIST_KEYWORD )) + { + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Loading blacklist from %s\n",cur_tokenp );); + if(cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => Bad list filename in IP List.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + if (!config->sharedMem.path) + LoadListFile(cur_tokenp, config->local_black_ptr, config); + else + { + _dpd.logMsg("WARNING: %s(%d) => List file %s is not loaded " + "when using shared memory.\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + } + } + + else if ( !strcmp( cur_tokenp, REPUTATION_WHITELIST_KEYWORD )) + { + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Loading whitelist from %s\n",cur_tokenp );); + if(cur_tokenp == NULL) + { + DynamicPreprocessorFatalMessage("%s(%d) => Bad list filename in IP List.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if 
(!config->sharedMem.path) + LoadListFile(cur_tokenp, config->local_white_ptr, config); + else + { + _dpd.logMsg("WARNING: %s(%d) => List file %s is not loaded " + "when using shared memory.\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + } + } + else if ( !strcmp( cur_tokenp, REPUTATION_PRIORITY_KEYWORD )) + { + + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + if (!cur_tokenp) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Missing argument for %s\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_PRIORITY_KEYWORD); + return; + } + + if((strlen(REPUTATION_BLACKLIST_KEYWORD) == strlen (cur_tokenp)) + && !strcmp(REPUTATION_BLACKLIST_KEYWORD,cur_tokenp)) + { + config->priority = BLACKLISTED; + } + else if((strlen(REPUTATION_WHITELIST_KEYWORD) == strlen (cur_tokenp)) + && !strcmp(REPUTATION_WHITELIST_KEYWORD,cur_tokenp)) + { + config->priority = WHITELISTED; + } + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s for %s," + " Use [%s] or [%s]\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp, + REPUTATION_PRIORITY_KEYWORD, + REPUTATION_BLACKLIST_KEYWORD, REPUTATION_WHITELIST_KEYWORD); + return; + } + + } + else if ( !strcmp( cur_tokenp, REPUTATION_NESTEDIP_KEYWORD )) + { + int i = 0; + char NestIPKeyworBuff[STD_BUF]; + NestIPKeyworBuff[0] = '\0'; + cur_tokenp = strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + if (!cur_tokenp) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Missing argument for %s\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_NESTEDIP_KEYWORD); + return; + } + while(NULL != NestedIPKeyword[i]) + { + if((strlen(NestedIPKeyword[i]) == strlen (cur_tokenp)) + && !strcmp(NestedIPKeyword[i],cur_tokenp)) + { + config->nestedIP = (NestedIP) i; + break; + } + _dpd.printfappend(NestIPKeyworBuff, STD_BUF, "[%s] ", NestedIPKeyword[i] ); + i++; + } + if (NULL == NestedIPKeyword[i]) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s for %s, use %s\n", 
+ *(_dpd.config_file), *(_dpd.config_line), cur_tokenp, + REPUTATION_NESTEDIP_KEYWORD, NestIPKeyworBuff); + return; + } + + } +#ifdef SHARED_REP + else if ( !strcmp( cur_tokenp, REPUTATION_SHAREMEM_KEYWORD )) + { + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + /* processed before */ + } + else if ( !strcmp( cur_tokenp, REPUTATION_SHAREDREFRESH_KEYWORD )) + { + unsigned long value; + char *endStr = NULL; + + if (!config->sharedMem.path) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Specify option '%s' when using option '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_SHAREMEM_KEYWORD, REPUTATION_SHAREDREFRESH_KEYWORD); + } + cur_tokenp = strtok(NULL, REPUTATION_CONFIG_VALUE_SEPERATORS); + + if ( !cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => No option to '%s'.\n", + *(_dpd.config_file), *(_dpd.config_line), REPUTATION_SHAREDREFRESH_KEYWORD); + } + + value = _dpd.SnortStrtoul( cur_tokenp, &endStr, 10); + + if ( *endStr) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. " + "Please specify an integer between %u and %u.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_SHAREDREFRESH_KEYWORD, + MIN_SHARED_MEM_REFRESH_PERIOD, MAX_SHARED_MEM_REFRESH_PERIOD); + } + + if (value < MIN_SHARED_MEM_REFRESH_PERIOD || value > MAX_SHARED_MEM_REFRESH_PERIOD + || (errno == ERANGE)) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of " + "bounds. 
Please specify an integer between %u and %u.\n", + *(_dpd.config_file), *(_dpd.config_line), + REPUTATION_SHAREDREFRESH_KEYWORD, MIN_SHARED_MEM_REFRESH_PERIOD, + MAX_SHARED_MEM_REFRESH_PERIOD); + } + config->sharedMem.updateInterval = (uint32_t) value; + + } +#endif + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + return; + } + /*Check whether too many parameters*/ + if (NULL != strtok( NULL, REPUTATION_CONFIG_VALUE_SEPERATORS)) + { + DynamicPreprocessorFatalMessage("%s(%d) => Too many arguments: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_config); + + } + cur_sectionp = strtok_r( next_sectionp, REPUTATION_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Arguments token: %s\n",cur_sectionp );); + } + DisplayIPlistStats(config); + DisplayReputationConfig(config); + free(argcpyp); +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_config.h snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_config.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_config.h 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,102 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef _REPUTATION_CONFIG_H_
+#define _REPUTATION_CONFIG_H_
+#include "sf_types.h"
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "reputation_debug.h"
+#include "sf_ip.h"
+#include "sfrt_flat.h"
+
+#define REPUTATION_NAME "reputation"
+
+typedef enum _NestedIP
+{
+ INNER,
+ OUTER,
+ BOTH
+}NestedIP;
+
+typedef struct _SharedMem
+{
+ char *path;
+ uint32_t updateInterval;
+}SharedMem;
+
+
+typedef enum _IPdecision
+{
+ DECISION_NULL ,
+ BLACKLISTED ,
+ WHITELISTED
+}IPdecision;
+
+/*
+ * Reputation preprocessor configuration.
+ *
+ * memcap: the memcap for IP table.
+ * numEntries: number of entries in the table
+ * scanlocal: to scan local network
+ * prioirity: the priority of whitelist, blacklist
+ * nestedIP: which IP address to use when IP encapsulation
+ * iplist: the IP table
+ * ref_count: reference account
+ */
+typedef struct _reputationConfig
+{
+ uint32_t memcap;
+ int numEntries;
+ uint8_t scanlocal;
+ IPdecision priority;
+ NestedIP nestedIP;
+ MEM_OFFSET local_black_ptr;
+ MEM_OFFSET local_white_ptr;
+ void *emptySegment;
+ void *localSegment;
+ SharedMem sharedMem;
+ int segment_version;
+ uint32_t memsize;
+ bool memCapReached;
+ table_flat_t *iplist;
+ int ref_count;
+
+} ReputationConfig;
+
+
+
+typedef struct {
+ IPdecision isBlack;
+} bw_list;
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void Reputation_FreeConfig(ReputationConfig *);
+void ParseReputationArgs(ReputationConfig *, u_char*);
+void initShareMemory(void *config);
+
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_debug.h snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_debug.h
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_debug.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_debug.h 2011-07-13 15:44:51.000000000 -0700
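Review bot: The field comment on `_reputationConfig` is out of date and misspelt: it documents `prioirity` (the field is `priority`) and says `ref_count: reference account` where `reference count` is meant, and it omits `local_black_ptr`/`local_white_ptr`, `emptySegment`/`localSegment`, `sharedMem`, `segment_version`, `memsize` and `memCapReached`, which are exactly the fields a reader cannot guess from the type alone. Each missing field wants a one-line entry in that block, e.g. `memCapReached: set once an insert pushed table usage past memcap; later list files are skipped`. `bw_list.isBlack` is named like a boolean but holds the three-valued `IPdecision`; either rename it (`decision`) or add `/* DECISION_NULL, BLACKLISTED or WHITELISTED */` after it. `initShareMemory(void *config)` takes `void *` while the sibling prototypes take `ReputationConfig *`; if that is because it is registered as a callback, say so in a comment, otherwise use the typed pointer.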
@@ -0,0 +1,44 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides macros and functions for debugging the preprocessor.
+ * If Snort is not configured to do debugging, macros are empty.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef _REPUTATION_DEBUG_H_
+#define _REPUTATION_DEBUG_H_
+
+#include <stdio.h>
+#include "sfPolicyUserData.h"
+
+/********************************************************************
+ * Macros
+ ********************************************************************/
+#define DEBUG_REPUTATION 0x00000020 /* 16 */
+
+
+#define REPUTATION_DEBUG__START_MSG "REPUTATION Start ********************************************"
+#define REPUTATION_DEBUG__END_MSG "REPUTATION End **********************************************"
+
+
+#endif /* _REPUTATION_DEBUG_H_ */
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_utils.c snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.c
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_utils.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.c 2011-10-26 07:49:57.000000000 -0700
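Review bot: The trailing comment on `#define DEBUG_REPUTATION 0x00000020 /* 16 */` does not match the value: 0x20 is 32 (bit 5), and 16 would be 0x10, so either the comment or the constant is wrong. If the value is deliberate it should read `/* 32 */`; if this bit is meant to line up with a flag in Snort's core debug mask, the comment should name which one, since a collision would make this preprocessor's messages appear whenever that other subsystem is enabled. `#include <stdio.h>` is not used by anything in this header and can be dropped.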
@@ -0,0 +1,101 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "reputation_utils.h"
+#include <stdio.h>
+#include <limits.h>
+
+#define MAX_ADDR_LINE_LENGTH 8192
+
+/********************************************************************
+ * Function: Reputation_IsEmptyStr()
+ *
+ * Checks if string is NULL, empty or just spaces.
+ * String must be 0 terminated.
+ *
+ * Arguments:
+ * char * - string to check
+ *
+ * Returns:
+ * 1 if string is NULL, empty or just spaces
+ * 0 otherwise
+ *
+ ********************************************************************/
+int Reputation_IsEmptyStr(char *str)
+{
+ char *end;
+
+ if (str == NULL)
+ return 1;
+
+ end = str + strlen(str);
+
+ while ((str < end) && isspace((int)*str))
+ str++;
+
+ if (str == end)
+ return 1;
+
+ return 0;
+}
+
+/********************************************************************
+ * Function: numLinesInFile()
+ *
+ * Number of lines in the file
+ *
+ * Arguments:
+ * fname: file name
+ *
+ * Returns:
+ * uint32_t number of lines
+ *
+ ********************************************************************/
+int numLinesInFile(char *fname)
+{
+ FILE *fp;
+ uint32_t numlines = 0;
+ char buf[MAX_ADDR_LINE_LENGTH];
+
+ fp = fopen(fname, "rb");
+
+ if (NULL == fp)
+ return 0;
+
+ while((fgets(buf, MAX_ADDR_LINE_LENGTH, fp)) != NULL)
+ {
+ if (buf[0] != '#')
+ {
+ numlines++;
+ if (numlines == INT_MAX)
+ return INT_MAX;
+ }
+ }
+
+ fclose(fp);
+ return numlines;
+}
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_utils.h snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.h
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/reputation_utils.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/reputation_utils.h 2011-07-13 15:44:51.000000000 -0700
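Review bot: numLinesInFile leaks the open stream on its cap path: the early `return INT_MAX;` inside the loop skips the `fclose(fp)` at the bottom, so it should be `if (numlines == INT_MAX) { fclose(fp); return INT_MAX; }`. In Reputation_IsEmptyStr, `isspace((int)*str)` feeds a plain `char` to a ctype function; where `char` is signed, a byte above 0x7F becomes a negative value other than EOF, which is undefined behaviour, so write `isspace((unsigned char)*str)`. The count is only used as a table-size estimate, but be aware of how it is skewed: a line longer than MAX_ADDR_LINE_LENGTH is counted once per fgets chunk, blank lines and lines with leading whitespace before `#` count as entries, and the `uint32_t` counter is returned through `int`; a comment on the function saying the result is an upper-bound estimate, not an exact count, would stop a future caller relying on it. The docblock also says `uint32_t number of lines` while the declared return type is `int`.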
@@ -0,0 +1,33 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 6/11/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef REPUTATION_UTILS_H_
+#define REPUTATION_UTILS_H_
+#include "sf_ip.h"
+#include "sf_snort_packet.h"
+#include <string.h>
+int Reputation_IsEmptyStr(char *);
+int numLinesInFile(char *fname);
+#endif /* REPUTATION_UTILS_H_ */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/sf_reputation.dsp snort-2.9.2/src/dynamic-preprocessors/reputation/sf_reputation.dsp
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/sf_reputation.dsp 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/sf_reputation.dsp 2011-11-21 12:15:24.000000000 -0800
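Review bot: Neither prototype is const-correct: the implementations only read through their pointer, so the declarations should be `int Reputation_IsEmptyStr(const char *);` and `int numLinesInFile(const char *fname);` with the definitions updated to match, which lets callers pass string literals and config tokens without a cast. The implementation calls `isspace`, but this header only includes `<string.h>`; unless one of the project headers pulls in `<ctype.h>`, add it explicitly here or in the .c file rather than relying on transitive includes. Minor style point: one prototype names its parameter and the other does not; pick one convention.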
@@ -0,0 +1,255 @@ +# Microsoft Developer Studio Project File - Name="sf_reputation" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_reputation - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_reputation.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_reputation.mak" CFG="sf_reputation - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_reputation - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_reputation - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_reputation - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_reputation - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_reputation - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D 
"SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_reputation - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /GZ /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# 
ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_reputation - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_reputation___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_reputation___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /GZ /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo 
+LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_reputation - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_reputation___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_reputation___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /c +# SUBTRACT CPP /X +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_reputation - Win32 Release" +# Name "sf_reputation - Win32 Debug" +# Name "sf_reputation - Win32 IPv6 Debug" +# Name "sf_reputation - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=.\reputation_config.c +# End Source File +# Begin Source File + +SOURCE=.\reputation_utils.c +# End Source File +# Begin Source File + +SOURCE=..\include\segment_mem.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_ip.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_dir.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_flat.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_flat_dir.c +# End Source File +# Begin Source File + +SOURCE=.\spp_reputation.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\reputation_config.h +# End Source File +# Begin Source File + +SOURCE=.\reputation_debug.h +# End Source File +# Begin Source File + +SOURCE=.\reputation_utils.h +# End Source File +# Begin Source File + +SOURCE=..\include\segment_mem.h +# End Source File +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=..\include\sfrt_flat.h +# End Source File +# Begin Source File + 
+SOURCE=..\include\sfrt_flat_dir.h +# End Source File +# Begin Source File + +SOURCE=.\spp_reputation.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c --- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c 2011-10-26 07:49:57.000000000 -0700 
@@ -0,0 +1,62 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file sflinux_helpers.c
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <errno.h>
+#include <string.h>
+#include <dirent.h>
+#include <errno.h>
+
+#include "shmem_common.h"
+
+int CheckNumaNodes()
+{
+ char filename[1024];
+ int num_nodes = 0;
+ struct dirent *de;
+ DIR *dir;
+
+ snprintf(filename, sizeof(filename), "/sys/devices/system/node");
+
+ if ((dir = opendir(filename)))
+ {
+ while ((de = readdir(dir)))
+ {
+ if (!de->d_name || strncmp(de->d_name, "node", 4) != 0)
+ continue;
+ num_nodes++;
+ }
+ }
+ closedir(dir);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Number of numa nodes is %d\n",num_nodes););
+
+ return num_nodes;
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h ---
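Review bot: `closedir(dir)` runs even when `opendir` returned NULL, because the call sits after the `if` block instead of inside it; POSIX leaves closedir on a null DIR undefined, so the failure path (a host without this sysfs tree, or a restricted /sys) should move the close into the branch: `if ((dir = opendir(filename))) { ... closedir(dir); }`. The `!de->d_name` test is always false since d_name is an array member, and the `snprintf` of a fixed literal into `filename` could simply be a `static const char *` path. The count includes every entry whose name begins with "node", which is presumably the intent for node0, node1, …; confirm against the sysfs layout in case other "node*" entries can appear. `<stdio.h>` and `<errno.h>` are each included twice.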
snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h 2011-10-26 07:49:57.000000000 -0700
@@ -0,0 +1,31 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file sflinux_helpers.h
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#ifndef _SFLINUX_HELPERS_H_
+#define _SFLINUX_HELPERS_H_
+
+int CheckNumaNodes(void);
+
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_common.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_common.h
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_common.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_common.h 2011-10-26 11:28:52.000000000 -0700
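Review bot: The include guard `_SFLINUX_HELPERS_H_` starts with an underscore followed by an uppercase letter, a form C reserves for the implementation; the same applies to `_SHMEMCOMMON_H_`, `_SHMEMCFG_H_` and `_SHMEM_DMGMT_H_` in the shmem_common.h, shmem_config.h and shmem_datamgmt.h hunks below, and to the struct tag `_FileList`. Renaming them along the lines of `SFLINUX_HELPERS_H_` (the form reputation_utils.h already uses) avoids a clash with libc or compiler headers. Separately, this prototype is `CheckNumaNodes(void)` while the definition in sflinux_helpers.c uses an empty parameter list; making the definition `int CheckNumaNodes(void)` keeps the two consistent.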
@@ -0,0 +1,39 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_common.h
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#ifndef _SHMEMCOMMON_H_
+#define _SHMEMCOMMON_H_
+#include "sf_types.h"
+#include "snort_debug.h"
+#include "../reputation_debug.h"
+
+#define IPREP 0
+
+#define BLACK_LIST 1
+#define WHITE_LIST 2
+
+#define VERSION_FILENAME "IPRVersion.dat"
+
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_config.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.c
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_config.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.c 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,143 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_config.c +// @author Pramod Chandrashekar <pramod@sourcefire.com> + +#include <string.h> +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "snort_debug.h" + +#include "sflinux_helpers.h" +#include "shmem_config.h" + +static const char* const MODULE_NAME ="SharedMemConfig"; + +ShmemUserInfo *shmusr_ptr = NULL; +ShmemDataMgmtFunctions *dmfunc_ptr = NULL; + +static DatasetInfo dataset_names[] = +{ + { "SFIPReputation.rt", IPREP } +}; + +static void ConstructSegmentNames (int dataset, int group_id, int numa_node) +{ + int i; + + snprintf(shmusr_ptr->mgmtSeg, sizeof(shmusr_ptr->mgmtSeg), + "%s.%d.%d",SHMEM_MGMT,group_id,numa_node); + + for (i=0; i<MAX_SEGMENTS; i++) + snprintf(shmusr_ptr->dataSeg[i], sizeof(shmusr_ptr->dataSeg[0]), + "%s.%d.%d.%d",dataset_names[dataset].name,group_id,numa_node,i); +} + +int InitShmemUser ( + uint32_t instance_num, int instance_type, int dataset, + int group_id, int numa_node, const char* path, 
uint16_t instance_polltime) +{ + int rval = SF_EINVAL, num_nodes; + + if ( + (instance_num >= MAX_INSTANCES) || + (instance_type != READ && instance_type != WRITE) || + (dataset != IPREP) || !path || !instance_polltime ) + goto exit; + + if ((shmusr_ptr = calloc(1, sizeof(*shmusr_ptr))) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Unable to allocate memory for configuration data");); + goto exit; + } + + shmusr_ptr->instance_num = instance_num; + shmusr_ptr->instance_type = instance_type; + shmusr_ptr->dataset = dataset; + shmusr_ptr->group_id = group_id; + shmusr_ptr->instance_polltime = instance_polltime; + + num_nodes = CheckNumaNodes(); + if (numa_node > num_nodes) + numa_node = NUMA_0; + + shmusr_ptr->numa_node = numa_node; + strncpy(shmusr_ptr->path,path,sizeof(shmusr_ptr->path)); + shmusr_ptr->path[sizeof(shmusr_ptr->path)-1] = '\0'; + ConstructSegmentNames(dataset,group_id,numa_node); + + return SF_SUCCESS; + +exit: + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Error in setting config");); + return rval; +} + +int InitShmemDataMgmtFunctions ( + CreateMallocZero create_malloc_zero, + GetDataSize get_data_size, + LoadData load_data) +{ + if ((dmfunc_ptr = (ShmemDataMgmtFunctions*) + malloc(sizeof(ShmemDataMgmtFunctions))) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not allocate memory for Shmem Datamanagement function list");); + return SF_EINVAL; + } + dmfunc_ptr->CreatePerProcessZeroSegment = create_malloc_zero; + dmfunc_ptr->GetSegmentSize = get_data_size; + dmfunc_ptr->LoadShmemData = load_data; + + return SF_SUCCESS; +} + +void FreeShmemUser() +{ + if (shmusr_ptr) + free(shmusr_ptr); +} + +void FreeShmemDataMgmtFunctions() +{ + if (dmfunc_ptr) + free(dmfunc_ptr); +} + +void PrintConfig() +{ + int i; + + _dpd.logMsg("Instance number %u:",shmusr_ptr->instance_num); + _dpd.logMsg("Instance type %d:",shmusr_ptr->instance_type); + _dpd.logMsg("Instance datatype %d:",shmusr_ptr->dataset); + _dpd.logMsg("Instance Group ID 
%d:",shmusr_ptr->group_id); + _dpd.logMsg("Instance Numa node %d:",shmusr_ptr->numa_node); + _dpd.logMsg("Instance Poll time %d:",shmusr_ptr->instance_polltime); + _dpd.logMsg("Data Path is %s:",shmusr_ptr->path); + + for (i=0; i<MAX_SEGMENTS; i++) + _dpd.logMsg("Available data segments are %s",shmusr_ptr->dataSeg[i]); +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_config.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_config.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_config.h 2011-10-26 07:49:57.000000000 -0700 
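Review bot: `FreeShmemUser` and `FreeShmemDataMgmtFunctions` release the globals but leave `shmusr_ptr` and `dmfunc_ptr` pointing at freed memory, while `PrintConfig` and `ConstructSegmentNames` dereference `shmusr_ptr` with no NULL check, so any call after a free (a reload, for instance) is a use-after-free; write `free(shmusr_ptr); shmusr_ptr = NULL;` (and the same for `dmfunc_ptr`), after which the `if` guards are unnecessary. In `InitShmemUser` the check `if (numa_node > num_nodes)` accepts `numa_node == num_nodes` and any negative value; if `CheckNumaNodes` returns a count, valid ids are 0..num_nodes-1, so the test should presumably read `if (numa_node < 0 || numa_node >= num_nodes)`. A second `InitShmemUser` call also overwrites the previous allocation without freeing it, and the `calloc` failure path returns SF_EINVAL rather than SF_ENOMEM.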
@@ -0,0 +1,113 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_config.h +// @author Pramod Chandrashekar <pramod@sourcefire.com> + +#ifndef _SHMEMCFG_H_ +#define _SHMEMCFG_H_ + +#include <stdint.h> + +#include "shmem_datamgmt.h" //defines shmemdata filelist +#include "shmem_common.h" + +#define SHMEM_MGMT "SFShmemMgmt" + +#define MAX_SEGMENTS 2 +#define MAX_INSTANCES 50 + +#define WRITE 0 +#define READ 1 + +#define SERVER 0 +#define CLIENT1 1 +#define CLIENT2 2 + +#define STARTUP 1 +#define RELOAD 0 + +#define ACTIVE 1 +#define INACTIVE 0 + +#define NO_DATASEG -1 +#define NO_ZEROSEG -2 +#define UNMAP_OLDSEG -3 +#define NO_FILE -4 +#define ZEROSEG 100 + +#define NUMA_0 0 +#define NUMA_1 1 + +#define GROUP_0 0 + +#define SLEEP_TIME 2 // in micro seconds + +#define TBMAP 99 +#define UNUSED_TIMEOUT 5 //this number is multiplied with outofband check time to determine timeout. 
+#define OUT_OF_BAND_CHEK_TIME 10 + +typedef struct shmemUserInfo { + uint32_t instance_num; //unique ID for each snort instance + int instance_type; // READ or WRITE + int dataset; // IPRep + int group_id; // 0,1... + int numa_node; + char mgmtSeg[MAX_NAME]; + char dataSeg[MAX_SEGMENTS][MAX_NAME]; + char path[MAX_NAME]; + uint16_t instance_polltime; +}ShmemUserInfo; + +typedef struct +{ + const char *const name; + const uint32_t type; +} DatasetInfo; + +typedef struct shmemDataManagmentFunctions { + int (*CreatePerProcessZeroSegment)(void*** data_ptr); + uint32_t (*GetSegmentSize)(ShmemDataFileList** file_list, int file_count); + int (*LoadShmemData)(void* data_ptr, ShmemDataFileList** file_list, int file_count); +} ShmemDataMgmtFunctions; + +typedef int (*CreateMallocZero)(void***); +typedef uint32_t (*GetDataSize)(ShmemDataFileList**, int); +typedef int (*LoadData)(void*,ShmemDataFileList**,int); + +extern ShmemDataMgmtFunctions *dmfunc_ptr; +extern ShmemUserInfo *shmusr_ptr; + +void PrintConfig(void); + +int InitShmemUser( + uint32_t instance_num, int instance_type, int dataset, int group_id, + int numa_node, const char* path, uint16_t instance_polltime); + +int InitShmemDataMgmtFunctions( + CreateMallocZero create_malloc_zero, GetDataSize get_data_size, + LoadData load_data); + +void FreeShmemUser(void); +void FreeShmemDataMgmtFunctions(void); +#endif + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c --- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c 2011-10-26 11:28:52.000000000 -0700 
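Review bot: The unscoped macros `WRITE`, `READ`, `SERVER`, `ACTIVE`, `STARTUP` and `RELOAD` are generic names exported from a header that several translation units include, and they collide easily with system or project definitions (`READ`/`WRITE` are also the only `instance_type` values InitShmemUser accepts); if callers can be updated, grouping related constants as enums, e.g. `enum { SHMEM_WRITE = 0, SHMEM_READ = 1 };`, scopes them and makes them debugger-visible. The comment `// in micro seconds` on `SLEEP_TIME` cannot be checked from this hunk — confirm the unit against the sleep call that consumes it. The struct comments describe `instance_type` as READ or WRITE but give no range for `numa_node`, which shmem_config.c compares against the detected node count; a one-line comment such as `int numa_node; // 0..CheckNumaNodes()-1` would document the contract.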
@@ -0,0 +1,226 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +// @file shmem_datamgmt.c +// @author Pramod Chandrashekar <pramod@sourcefire.com> + +#include <dirent.h> +#include <limits.h> +#include <string.h> +#include <sys/types.h> + +#include "shmem_config.h" +#include "shmem_common.h" + +static const char* const MODULE_NAME = "ShmemFileMgmt"; + +// FIXTHIS eliminate these globals +ShmemDataFileList **filelist_ptr = NULL; +int file_count = 0; + +static int StringCompare(const void *elem1, const void *elem2) +{ + ShmemDataFileList * const *a = elem1; + ShmemDataFileList * const *b = elem2; + + return strcmp((*a)->filename,(*b)->filename); +} + +static int AllocShmemDataFileList() +{ + if ((filelist_ptr = (ShmemDataFileList**) + realloc(filelist_ptr,(file_count + FILE_LIST_BUCKET_SIZE)* + sizeof(ShmemDataFileList*))) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Cannot allocate memory to store shmem data files\n");); + return SF_ENOMEM; + } + return SF_SUCCESS; +} + +static void 
FreeShmemDataFileListFiles() +{ + int i; + + if (!filelist_ptr) + return; + + for(i = 0; i < file_count; i++) + { + free(filelist_ptr[i]->filename); + free(filelist_ptr[i]); + } + file_count = 0; +} + +static int ReadShmemDataFiles() +{ + char filename[PATH_MAX]; + struct dirent *de; + DIR *dd; + int max_files = MAX_FILES; + char *ext_end = NULL; + int type = 0; + int counter = 0; + int startup = 1; + + FreeShmemDataFileListFiles(); + + if ((dd = opendir(shmusr_ptr->path)) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Could not open %s to read IPRep data files\n",shmusr_ptr->path);); + return SF_EINVAL; + } + while ((de = readdir(dd)) != NULL && max_files) + { + //DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Files are %s\n",de->d_name);); + if (strstr(de->d_name, ".blf") || strstr(de->d_name, ".wlf")) + { + //no need to check for NULL, established there is a period in strstr + ext_end = (char*)strrchr(de->d_name,'.'); + + if (strncmp(ext_end,".blf",4) == 0) + type = BLACK_LIST; + else if (strncmp(ext_end,".wlf",4) == 0) + type = WHITE_LIST; + + if (type == 0) continue; + + counter++; + + if (startup || counter == FILE_LIST_BUCKET_SIZE) + { + startup=0; + counter=0; + if (AllocShmemDataFileList()) + return SF_ENOMEM; + } + + if ((filelist_ptr[file_count] = (ShmemDataFileList*) + malloc(sizeof(ShmemDataFileList))) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Cannot allocate memory to store file information\n");); + return SF_ENOMEM; + } + snprintf(filename, sizeof(filename), "%s/%s", shmusr_ptr->path,de->d_name); + filelist_ptr[file_count]->filename = strdup(filename); + filelist_ptr[file_count]->filetype = type; + max_files--; + file_count++; + type = 0; + } + } + closedir(dd); + return SF_SUCCESS; +} + +int GetSortedListOfShmemDataFiles() +{ + int rval; + + if ((rval = ReadShmemDataFiles()) != SF_SUCCESS) + return rval; + + qsort(filelist_ptr,file_count,sizeof(*filelist_ptr),StringCompare); + return rval; +} + +//valid version values are 
1 through UINT_MAX +int GetLatestShmemDataSetVersionOnDisk(uint32_t* shmemVersion) +{ + unsigned long tmpVersion; + FILE *fp; + char line[PATH_MAX]; + char version_file[PATH_MAX]; + const char *const key = "VERSION"; + char* keyend_ptr = NULL; + + snprintf(version_file, sizeof(version_file), + "%s/%s",shmusr_ptr->path,VERSION_FILENAME); + + if ((fp = fopen(version_file, "r")) == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Error opening file at: %s\n", version_file);); + return NO_FILE; + } + + while (fgets(line,sizeof(line),fp)) + { + char *strptr; + if ( !strncmp(line,"#",1) ) + continue; + if ( (strptr = strstr(line, key )) && (strptr == line) ) + { + keyend_ptr = line; + keyend_ptr += strlen(key) + 1; + tmpVersion = strtoul(keyend_ptr,NULL,0); + break; + } + } + + if (!keyend_ptr) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "Invalid file format %s\n", version_file);); + return NO_FILE; + } + + if (tmpVersion > UINT_MAX) //someone tampers with the file + *shmemVersion = 1; + else + *shmemVersion = (uint32_t)tmpVersion; + + fclose(fp); + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "version information being returned is %u\n", *shmemVersion);); + + return SF_SUCCESS; +} + +void PrintDataFiles() +{ + int i; + + if (file_count) + { + for (i=0;i<file_count;i++) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, + "File %s of type %d found \n", + filelist_ptr[i]->filename, filelist_ptr[i]->filetype);); + } + } + return; +} + +void FreeShmemDataFileList() +{ + FreeShmemDataFileListFiles(); + free(filelist_ptr); + return; +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h --- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h 2011-10-26 11:28:52.000000000 -0700 
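Review bot: `AllocShmemDataFileList` assigns the `realloc` result straight to `filelist_ptr`, so on failure the existing list is leaked and `file_count` still counts entries that `FreeShmemDataFileListFiles` will then skip because the pointer is NULL; use a temporary: `ShmemDataFileList **tmp = realloc(filelist_ptr, ...); if (!tmp) return SF_ENOMEM; filelist_ptr = tmp;`. The early `return SF_ENOMEM` paths inside the `readdir` loop of `ReadShmemDataFiles` skip `closedir(dd)`, and the "Invalid file format" return in `GetLatestShmemDataSetVersionOnDisk` skips `fclose(fp)`, so each error leaks a descriptor; `strdup(filename)` is also unchecked. In the version parser `strtoul` is called with no `endptr` or `errno` check, and `tmpVersion > UINT_MAX` is never true where `unsigned long` is 32 bits, so a non-numeric VERSION line yields 0 and an overflowing one yields ULONG_MAX rather than the documented 1..UINT_MAX range; checking `end == keyend_ptr || errno == ERANGE || tmpVersion == 0` would reject such a file explicitly. `FreeShmemDataFileList` frees `filelist_ptr` without resetting it to NULL, while `GetSortedListOfShmemDataFiles` later grows it with realloc.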
@@ -0,0 +1,55 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_datamgmt.h
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#ifndef _SHMEM_DMGMT_H_
+#define _SHMEM_DMGMT_H_
+
+#include <stdint.h>
+
+#define SF_EINVAL 1
+#define SF_SUCCESS 0
+#define SF_ENOMEM 2
+#define SF_EEXIST 3
+
+#define MAX_NAME 1024
+#define MAX_FILES 1024
+
+#define FILE_LIST_BUCKET_SIZE 100
+
+typedef struct _FileList
+{
+ char* filename;
+ int filetype;
+} ShmemDataFileList;
+
+extern ShmemDataFileList** filelist_ptr;
+extern int file_count;
+
+int GetSortedListOfShmemDataFiles(void);
+int GetLatestShmemDataSetVersionOnDisk(uint32_t* shmemVersion);
+void FreeShmemDataFileList(void);
+void PrintDataFiles(void);
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c 1969-12-31 16:00:00.000000000 -0800
+++
snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.c 2011-10-26 07:49:57.000000000 -0700 
@@ -0,0 +1,142 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_lib.c
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+
+#include "shmem_mgmt.h"
+#include "shmem_lib.h"
+
+static const char* const MODULE_NAME = "ShmemLib";
+
+static int ShmemOpen(const char *shmemName, uint32_t size, int mode)
+{
+ int fd, flags;
+ mode_t prev_mask;
+
+ if (mode == WRITE)
+ flags = (O_CREAT | O_RDWR);
+ else if (mode == READ)
+ flags = O_RDWR;
+ else
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Invalid mode specified\n"););
+ return -1;
+ }
+
+ prev_mask = umask(0);
+
+ if ( (fd = shm_open(shmemName, flags,
+ (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) )) == -1 )
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Unable to open shared memory\n"););
+ umask(prev_mask);
+ return -1;
+ }
+
+ umask(prev_mask);
+
+ if (ftruncate(fd, size) == -1)
+ {
+
DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Unable to open shared memory\n"););
+ return -1;
+ }
+ _dpd.logMsg(" Reputation Preprocessor: Size of shared memory segment %s is %u\n", shmemName, size);
+
+ return fd;
+}
+
+static void *ShmemMMap (int fd, uint32_t size)
+{
+ void *shmem_ptr;
+
+ if ((shmem_ptr = mmap(0, size,(PROT_READ | PROT_WRITE),MAP_SHARED,fd,0))
+ == MAP_FAILED )
+ return NULL;
+
+ return shmem_ptr;
+}
+
+int ShmemExists(const char *shmemName)
+{
+ int fd;
+
+ if ((fd = shm_open(shmemName,(O_RDWR),(S_IRUSR))) < 0 )
+ return 0;
+
+ close(fd);
+ return SF_EEXIST;
+}
+
+void ShmemUnlink(const char *shmemName)
+{
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Unlinking segment %\n",shmemName););
+ shm_unlink(shmemName);
+}
+
+void ShmemDestroy(const char *shmemName)
+{
+ ShmemUnlink(shmemName);
+ unlink(shmemName);
+ _dpd.logMsg(" Reputation Preprocessor: %s is freed\n", shmemName);
+}
+
+void* ShmemMap(const char* segment_name, uint32_t size, int mode)
+{
+ int fd = 0;
+ void *shmem_ptr = NULL;
+
+ if ((mode == WRITE) && ShmemExists(segment_name))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Cannot create shared memory segment %s, already exists\n",
+ segment_name););
+ mode = READ;
+ }
+ if ((fd = ShmemOpen(segment_name,size,mode)) == -1)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Failed to open shm %s\n",segment_name););
+ return NULL;
+ }
+
+ if ((shmem_ptr = ShmemMMap(fd,size)) == NULL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Failed to mmmap %s\n",segment_name););
+ }
+ close(fd);
+
+ return shmem_ptr;
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_lib.h 2011-10-26 07:49:57.000000000 -0700
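Review bot: ShmemOpen creates the segment with mode `(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)` right after `umask(0)`, so wherever the shm namespace honours those bits any local account can open and rewrite the management and reputation data segments, and ShmemMMap then maps them PROT_READ | PROT_WRITE in every instance, readers included. Unless cross-user sharing is an intended feature, drop the S_IROTH | S_IWOTH bits and the umask(0) override, and state in a comment which group is expected to share the segments. The ftruncate failure path returns -1 without `close(fd)`, leaking the descriptor, and reuses the "Unable to open shared memory" text; `close(fd);` belongs before that return, with a message that names ftruncate. ShmemUnlink's debug format `"Unlinking segment %\n"` is missing the `s` conversion.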
@@ -0,0 +1,36 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_lib.h
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#ifndef _SHMEMLIB_H_
+#define _SHMEMLIB_H_
+
+#include <stdint.h>
+
+int ShmemExists(const char *shmemName);
+void* ShmemMap(const char* segment_name, uint32_t size, int mode);
+void ShmemUnlink(const char *shmemName);
+void ShmemDestroy(const char *shmemName);
+
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c 2011-10-26 07:49:57.000000000 -0700
@@ -0,0 +1,601 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_mgmt.c
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#include "shmem_lib.h"
+#include "shmem_mgmt.h"
+
+#include <sys/mman.h>
+
+ShmemMgmtData* mgmt_ptr = NULL;
+void* zeroseg_ptr = NULL;
+unsigned int usec = SLEEP_TIME;
+
+static const char* const MODULE_NAME = "SharedMemMgmt";
+
+static void SetShmemMgmtVariables(int value, uint32_t instance_num)
+{
+ int i;
+
+ mgmt_ptr->instance[instance_num].active = value;
+ mgmt_ptr->instance[instance_num].version = 0;
+ mgmt_ptr->instance[instance_num].activeSegment = NO_DATASEG;
+ mgmt_ptr->instance[instance_num].prevSegment = NO_DATASEG;
+ mgmt_ptr->instance[instance_num].updateTime = time(NULL);
+ mgmt_ptr->instance[instance_num].shmemCurrPtr = zeroseg_ptr;
+ mgmt_ptr->instance[instance_num].shmemZeroPtr = zeroseg_ptr;
+
+ for (i=0; i<MAX_SEGMENTS; i++)
+ mgmt_ptr->instance[instance_num].shmemSegActiveFlag[i] = 0;
+
+ for (i=0; i<MAX_SEGMENTS; i++)
+
mgmt_ptr->instance[instance_num].shmemSegmentPtr[i] = zeroseg_ptr;
+}
+
+static void InitShmemDataSegmentMgmtVariables()
+{
+ int i;
+ mgmt_ptr->activeSegment = NO_DATASEG;
+
+ for (i=0; i<MAX_SEGMENTS; i++)
+ {
+ mgmt_ptr->segment[i].version = 0;
+ mgmt_ptr->segment[i].active = 0;
+ mgmt_ptr->segment[i].size = 0;
+ }
+}
+
+int MapShmemMgmt()
+{
+ uint32_t nBytes = sizeof(ShmemMgmtData);
+ int mgmtExists;
+
+ if (!(mgmtExists = ShmemExists(shmusr_ptr->mgmtSeg)))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "No Shmem mgmt segment present\n"););
+ if (shmusr_ptr->instance_type == READ)
+ return SF_EINVAL;
+ }
+
+ if ((mgmt_ptr = (ShmemMgmtData *)
+ ShmemMap(shmusr_ptr->mgmtSeg,nBytes,shmusr_ptr->instance_type)) == NULL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Failed to create shmem mgmt segment\n"););
+ return SF_EINVAL;
+ }
+
+ if (shmusr_ptr->instance_type == WRITE && !mgmtExists)
+ InitShmemDataSegmentMgmtVariables();
+
+ return SF_SUCCESS;
+}
+
+static void DoHeartbeat()
+{
+ uint32_t instance_num = shmusr_ptr->instance_num;
+ if (mgmt_ptr)
+ {
+ mgmt_ptr->instance[instance_num].updateTime = time(NULL);
+ }
+ return;
+}
+
+void ForceShutdown()
+{
+ int currActiveSegment;
+ _dpd.logMsg(" Repuation Preprocessor: Shared memory is disabled.
\n");
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemCurrPtr =
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemZeroPtr;
+
+ if ((currActiveSegment =
+ mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment) >= 0)
+ {
+ mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment = NO_DATASEG;
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActiveSegment] = 0;
+ }
+ return;
+}
+
+//client side calls for shared memory
+int CheckForSharedMemSegment()
+{
+ void *shmem_ptr = NULL;
+ int currActive = NO_DATASEG, newSegment = NO_DATASEG;
+ uint32_t size = 0;
+
+ if (!mgmt_ptr)
+ {
+ if (MapShmemMgmt())
+ return newSegment;
+
+ SetShmemMgmtVariables(ACTIVE,shmusr_ptr->instance_num);
+ }
+
+ if (!mgmt_ptr->instance[shmusr_ptr->instance_num].active)
+ goto exit;
+
+ if ((currActive = mgmt_ptr->activeSegment) >= 0)
+ {
+ if ( mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment != currActive &&
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActive] != TBMAP )
+ {
+ //new segment available and not mapped already
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActive] = TBMAP;
+
+ if ((size = mgmt_ptr->segment[currActive].size) != 0)
+ {
+ if ((shmem_ptr = ShmemMap(shmusr_ptr->dataSeg[currActive],size,READ)) != NULL)
+ {
+ //Store Data segment pointer for instance
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[currActive] = shmem_ptr;
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Shmem ptr for segment %d is %p\n",currActive,shmem_ptr););
+ newSegment = currActive;
+ }
+ else
+ {
+ currActive = NO_DATASEG;
+ }
+ }
+ else
+ {
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[currActive] = 0;
+ }
+ }
+ }
+ else if (mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment >= 0)
+ {
+ ForceShutdown();
+ goto exit;
+ }
+
+ DoHeartbeat();
+
+exit:
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "new segment being returned is %d\n", newSegment););
+ return newSegment;
+}
+
+int InitShmemReader (
+ uint32_t instance_num, int dataset, int group_id,
+ int numa_node, const char* path, void*** data_ptr,
+ uint16_t instance_polltime)
+{
+ int segment_number = NO_ZEROSEG;
+ if (InitShmemUser(instance_num,READ,dataset,group_id,numa_node,path,instance_polltime))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Could not initialize config data \n"););
+ return segment_number;
+ }
+ if (dmfunc_ptr->CreatePerProcessZeroSegment(data_ptr))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Could not initialize zero segment\n"););
+ return segment_number;
+ }
+
+ zeroseg_ptr = *data_ptr;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Address of zero segment is %p\n",zeroseg_ptr););
+
+ if ((segment_number = CheckForSharedMemSegment() ) >=0)
+ {
+ SwitchToActiveSegment(segment_number,data_ptr);
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Switched to segment %d\n",segment_number););
+ }
+ return segment_number;
+}
+
+static int FindFirstUnusedShmemSegment()
+{
+ int i;
+ for (i=0; i<MAX_SEGMENTS; i++)
+ {
+ if (mgmt_ptr->segment[i].active != 1)
+ return i;
+ }
+ return NO_DATASEG;
+}
+
+static int FindActiveSharedMemDataSegmentVersion()
+{
+ if (mgmt_ptr->activeSegment < 0)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Active segment does not exist\n"););
+ return 0;
+ }
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Active segment is %d and current version is %u\n",
+ mgmt_ptr->activeSegment,mgmt_ptr->segment[mgmt_ptr->activeSegment].version););
+
+ return mgmt_ptr->segment[mgmt_ptr->activeSegment].version;
+}
+
+static int MapShmemDataSegmentForWriter(uint32_t size, uint32_t disk_version, int *mode)
+{
+ int available_segment = NO_DATASEG;
+ uint32_t active_version = 0;
+ void* shmem_ptr = NULL;
+ *mode = WRITE;
+
+ if ((active_version = FindActiveSharedMemDataSegmentVersion()) == disk_version )
+ {
+ if ((available_segment = mgmt_ptr->activeSegment) >= 0)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Attaching to segment %d\n",
available_segment););
+ *mode = READ;
+ }
+ else
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "No active segment to attach to\n"););
+ goto exit;
+ }
+ }
+
+ if (*mode == WRITE)
+ {
+ if ((available_segment = FindFirstUnusedShmemSegment()) < 0)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "No more segments available, all are in use\n"););
+ goto exit;
+ }
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Shared memory segment %d will be initialized\n",available_segment););
+ }
+
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[available_segment] = TBMAP;
+
+ if ((shmem_ptr = ShmemMap(shmusr_ptr->dataSeg[available_segment],size,*mode)) != NULL)
+ {
+ //store data segment pointer for instance
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[available_segment] = shmem_ptr;
+ }
+ else
+ {
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[available_segment] = 0;
+ available_segment = NO_DATASEG;
+ }
+
+exit:
+ return available_segment;
+}
+
+static void ShutdownSegment(int32_t segment_num)
+{
+ mgmt_ptr->segment[segment_num].active = 0;
+ mgmt_ptr->segment[segment_num].version = 0;
+
+ munmap(mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num],
+ mgmt_ptr->segment[segment_num].size);
+ ShmemDestroy(shmusr_ptr->dataSeg[segment_num]);
+
+ mgmt_ptr->segment[segment_num].size = 0;
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num] =
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemZeroPtr;
+}
+
+// writer side
+static int InitSharedMemDataSegmentForWriter(uint32_t size, uint32_t disk_version)
+{
+ int segment_num = NO_DATASEG, mode = -1;
+ int rval;
+
+ if ((segment_num = MapShmemDataSegmentForWriter(size,disk_version,&mode)) < 0)
+ goto exit;
+
+ if (mode == WRITE)
+ {
+ if ((rval = dmfunc_ptr->LoadShmemData((void *)(
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num]),
+ filelist_ptr,file_count)) != SF_SUCCESS)
+ {
+
DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Loading file into shared memory failed\n"););
+ ShutdownSegment(segment_num);
+ segment_num = NO_DATASEG;
+ goto exit;
+ }
+ mgmt_ptr->segment[segment_num].size = size;
+
+ if (mgmt_ptr->activeSegment != segment_num)
+ mgmt_ptr->activeSegment = segment_num;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Active segment is %d\n",mgmt_ptr->activeSegment););
+
+ mgmt_ptr->segment[segment_num].active = 1;
+ mgmt_ptr->segment[segment_num].version = disk_version;
+ ManageUnusedSegments();
+ }
+exit:
+ return segment_num;
+}
+
+
+int LoadSharedMemDataSegmentForWriter(int startup)
+{
+ int segment_num = NO_DATASEG, retval = -1;
+ uint32_t size = 0;
+ uint32_t disk_version = 0, shmem_version = 0;
+
+ shmem_version = FindActiveSharedMemDataSegmentVersion();
+
+ //if version file is not present(open source user), increment version and reload.
+ if ((retval = GetLatestShmemDataSetVersionOnDisk(&disk_version)) == SF_SUCCESS)
+ {
+ if (disk_version > 0)
+ {
+ if ((shmem_version == disk_version) && !startup)
+ goto exit;
+ }
+ else
+ {
+ goto force_shutdown;
+ }
+ }
+ else
+ {
+ disk_version = shmem_version + 1;
+ if (disk_version == 0) disk_version++;
+ }
+
+ if (GetSortedListOfShmemDataFiles())
+ goto exit;
+
+#ifdef DEBUG_MSGS
+ PrintDataFiles();
+#endif
+ if ((size = dmfunc_ptr->GetSegmentSize(filelist_ptr, file_count)) != ZEROSEG)
+ {
+ segment_num = InitSharedMemDataSegmentForWriter(size,disk_version);
+ goto exit;
+ }
+
+force_shutdown:
+ //got back zero which means its time to shutdown shared memory
+ mgmt_ptr->activeSegment = NO_DATASEG;
+ ForceShutdown();
+
+exit:
+ return segment_num;
+}
+
+int InitShmemWriter(
+ uint32_t instance_num, int dataset, int group_id,
+ int numa_node, const char* path, void*** data_ptr,
+ uint16_t instance_polltime)
+{
+ int segment_number = NO_ZEROSEG;
+
+ if (InitShmemUser(instance_num,WRITE,dataset,group_id,numa_node,path,instance_polltime))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+
"Could not initialize shmem writer config\n"););
+ goto exit;
+ }
+
+ if (dmfunc_ptr->CreatePerProcessZeroSegment(data_ptr))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Could not initialize zero segment\n"););
+ goto cleanup_exit;
+ }
+
+ zeroseg_ptr = *data_ptr;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Address of zero segment is %p\n",zeroseg_ptr););
+
+ if (MapShmemMgmt())
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Could not initialize shared memory management segment\n"););
+ FreeShmemDataFileList();
+ goto cleanup_exit;
+ }
+
+ ManageUnusedSegments();
+ SetShmemMgmtVariables(ACTIVE,shmusr_ptr->instance_num);
+
+ //valid segments are 0 through N
+ if ((segment_number = LoadSharedMemDataSegmentForWriter(STARTUP)) >= 0)
+ SwitchToActiveSegment(segment_number,data_ptr); //pointer switch
+
+ goto exit;
+
+cleanup_exit:
+ FreeShmemUser();
+
+exit:
+ return segment_number;
+}
+
+//switch to active DB
+void SwitchToActiveSegment(int segment_num, void*** data_ptr)
+{
+ if (segment_num < 0)
+ return;
+
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemCurrPtr =
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num];
+
+ *data_ptr = (void *)(&mgmt_ptr->instance[shmusr_ptr->instance_num].shmemCurrPtr);
+
+ mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment =
+ mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Prev segment has been set to %d\n",
+ mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment););
+
+ mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment = segment_num;
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[segment_num] = 1;
+}
+
+void UnmapInactiveSegments()
+{
+ int i, segment_num;
+ for (i=0; i<MAX_SEGMENTS; i++)
+ {
+ if (i != mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment)
+ {
+ if (shmusr_ptr->instance_type != WRITE)
+ {
+ if ((segment_num = mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment) !=
NO_DATASEG)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Unmapping segment %d which has address %p and size %u\n",
+ segment_num,mgmt_ptr->instance[shmusr_ptr->instance_num].
+ shmemSegmentPtr[segment_num],mgmt_ptr->segment[segment_num].size););
+
+ munmap(mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[segment_num],
+ mgmt_ptr->segment[segment_num].size);
+ ShmemUnlink(shmusr_ptr->dataSeg[segment_num]);
+ mgmt_ptr->instance[shmusr_ptr->instance_num].prevSegment = NO_DATASEG;
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegmentPtr[i] =
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemZeroPtr;
+ }
+ }
+ mgmt_ptr->instance[shmusr_ptr->instance_num].shmemSegActiveFlag[i] = 0;
+ }
+ }
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Active segment for instance %u is %d\n",
+ shmusr_ptr->instance_num,mgmt_ptr->instance[shmusr_ptr->instance_num].activeSegment););
+ return;
+}
+
+static void ExpireTimedoutInstances()
+{
+ int i;
+ time_t current_time = time(NULL);
+
+ for(i=0; i<MAX_INSTANCES; i++)
+ {
+ if (mgmt_ptr && mgmt_ptr->instance[i].active)
+ {
+ if ((current_time - mgmt_ptr->instance[i].updateTime) >
+ (UNUSED_TIMEOUT * shmusr_ptr->instance_polltime))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Instance %d has expired, last update %jd and current time is %jd\n",
+ i,(intmax_t)mgmt_ptr->instance[i].updateTime,(intmax_t)current_time););
+ SetShmemMgmtVariables(INACTIVE,i);
+ }
+ }
+ }
+ return;
+}
+
+//WRITER only
+int ManageUnusedSegments()
+{
+ uint32_t j,in_use = 0;
+ int i;
+ DoHeartbeat(); //writer heartbeat
+ ExpireTimedoutInstances();
+ for (i=0; i<MAX_SEGMENTS; i++)
+ {
+ for(j=0; j<MAX_INSTANCES; j++)
+ {
+ if (mgmt_ptr && mgmt_ptr->instance[j].active)
+ {
+ if (mgmt_ptr->instance[j].shmemSegActiveFlag[i])
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Instance %u is still using segment %d\n",j,i););
+ in_use++;
+ }
+ }
+ }
+ if (!in_use)
+ {
+ if (mgmt_ptr && mgmt_ptr->segment[i].active && (mgmt_ptr->activeSegment !=
i))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "Shutting down segment %d\n",i););
+ ShutdownSegment(i);
+ }
+ }
+ in_use = 0;
+ }
+ return SF_SUCCESS;
+}
+
+int ShutdownSharedMemory()
+{
+ if (mgmt_ptr)
+ SetShmemMgmtVariables(INACTIVE,shmusr_ptr->instance_num);
+
+ FreeShmemUser();
+ FreeShmemDataMgmtFunctions();
+ FreeShmemDataFileList();
+
+ return SF_SUCCESS;
+}
+
+void PrintShmemMgmtInfo()
+{
+ uint32_t i = 0;
+
+ if ( !mgmt_ptr )
+ return;
+
+ for (i=0; i<MAX_INSTANCES; i++)
+ {
+ if (mgmt_ptr->instance[i].active)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "instance:%u address:%p updateTime:%jd\n",
+ i, (void *)mgmt_ptr->instance[i].shmemCurrPtr,
+ (intmax_t)mgmt_ptr->instance[i].updateTime););
+ }
+ }
+ for (i=0; i<MAX_SEGMENTS; i++)
+ {
+ if (mgmt_ptr->segment[i].active)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "segment:%u active:%d version:%u\n",
+ i,mgmt_ptr->segment[i].active,mgmt_ptr->segment[i].version););
+ }
+ }
+
+ if (mgmt_ptr->activeSegment != NO_DATASEG)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,
+ "active segment:%d\n",mgmt_ptr->activeSegment););
+ }
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h 2011-10-26 07:49:57.000000000 -0700
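Review bot: In CheckForSharedMemSegment, currActive is read from `mgmt_ptr->activeSegment` in the management segment that every instance maps writable, and it is checked only with `>= 0` before it indexes `mgmt_ptr->segment[currActive]`, `shmemSegActiveFlag[currActive]` and `shmusr_ptr->dataSeg[currActive]`, so a stale or corrupted value of MAX_SEGMENTS or more becomes an out-of-bounds read and write inside the reader. prevSegment in UnmapInactiveSegments is likewise compared only with NO_DATASEG before it drives munmap and array indexing, and shmusr_ptr->instance_num indexes `mgmt_ptr->instance[]` throughout the file with no check against MAX_INSTANCES visible here (it may be validated in InitShmemUser, which is outside this hunk). An upper-bound guard at each read from shared state, e.g. `if ((currActive = mgmt_ptr->activeSegment) >= 0 && currActive < MAX_SEGMENTS)`, keeps one instance from trusting another process's writes for memory addressing. In UnmapInactiveSegments the zero-pointer reset targets `shmemSegmentPtr[i]` while the segment just unmapped is `segment_num`; that reads like a typo which leaves the unmapped address in the table, worth confirming.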
@@ -0,0 +1,74 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+// @file shmem_mgmt.h
+// @author Pramod Chandrashekar <pramod@sourcefire.com>
+
+#ifndef _SHMEMMGMT_H_
+#define _SHMEMMGMT_H_
+
+#include <time.h>
+#include <stdint.h>
+#include "shmem_config.h"
+
+typedef struct _shmemInstance {
+ int active;
+ uint32_t version;
+ time_t updateTime;
+ int activeSegment;
+ int prevSegment;
+ int shmemSegActiveFlag[MAX_SEGMENTS];
+ void* shmemSegmentPtr[MAX_SEGMENTS];
+ void* shmemCurrPtr;
+ void* shmemZeroPtr;
+} shmemInstance;
+
+typedef struct _shmemSegment {
+ int active;
+ uint32_t version;
+ uint32_t size;
+} shmemSegment;
+
+typedef struct _shmemMgmtData {
+ shmemInstance instance[MAX_INSTANCES];
+ shmemSegment segment[MAX_SEGMENTS];
+ int activeSegment;
+} ShmemMgmtData;
+
+extern void *zeroseg_ptr;
+
+//reader
+int InitShmemReader(uint32_t instance_num, int dataset, int group_id, int numa_node,
+ const char* path, void*** data_ptr, uint16_t instance_polltime);
+int CheckForSharedMemSegment(void);
+//writer
+int
InitShmemWriter(uint32_t instance_num, int dataset, int group_id, int numa_node,
+ const char* path, void*** data_ptr, uint16_t instance_polltime);
+int LoadSharedMemDataSegmentForWriter(int startup);
+void SwitchToActiveSegment(int segment_num,void*** data_ptr);
+void UnmapInactiveSegments(void);
+int ManageUnusedSegments(void);
+int ShutdownSharedMemory(void);
+void PrintShmemMgmtInfo(void);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/spp_reputation.c snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.c
--- snort-2.9.0.1/src/dynamic-preprocessors/reputation/spp_reputation.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.c 2011-10-26 07:49:57.000000000 -0700
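Review bot: ShmemMgmtData is laid out in a segment shared across processes, yet shmemSegmentPtr, shmemCurrPtr and shmemZeroPtr hold per-process virtual addresses, and nothing in the header says they are meaningful only inside the instance that stored them. A comment on shmemInstance such as `/* pointer fields are process-local virtual addresses; only the owning instance may dereference them */` would stop a reader from borrowing another instance's mapping. The struct also carries no magic or layout-version field, so a reader and writer built from differing definitions (or with differing time_t or pointer widths) would silently disagree on the layout; if that is an accepted constraint, it deserves a note next to the typedef.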
@@ -0,0 +1,789 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +/* + * Reputation preprocessor + * + * This is the main entry point for this preprocessor + * + * Author: Hui Cao + * Date: 06-01-2011 + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sf_snort_plugin_api.h" +#include "snort_debug.h" + +#include "preprocids.h" +#include "spp_reputation.h" +#include "reputation_config.h" +#include "reputation_utils.h" + +#include <assert.h> +#include <stdio.h> +#include <syslog.h> +#include <string.h> +#ifndef WIN32 +#include <strings.h> +#include <sys/time.h> +#endif +#include <stdlib.h> +#include <ctype.h> +#ifdef SHARED_REP +#include "./shmem/shmem_mgmt.h" +#endif +#include "profiler.h" +#ifdef PERF_PROFILING +PreprocStats reputationPerfStats; +#endif + + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; + +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_REPUTATION (IPV6)"; +#else +const char *PREPROC_NAME = "SF_REPUTATION"; +#endif + +#define SetupReputation DYNAMIC_PREPROC_SETUP + + +/* 
+ * Function prototype(s) + */ +static void ReputationInit( char* ); +static void ReputationCheckConfig(void); +static inline void ReputationProcess(SFSnortPacket *); +static void ReputationMain( void*, void* ); +static void ReputationFreeConfig(tSfPolicyUserContextId); +static void ReputationPrintStats(int); +static void ReputationCleanExit(int, void *); + +#ifdef SHARED_REP +typedef enum +{ + NO_SWITCH, + SWITCHING, + SWITCHED +}Swith_State; +static int switch_state = NO_SWITCH; +int available_segment = NO_DATASEG; +static void ReputationMaintenanceCheck(int, void *); +#endif +/******************************************************************** + * Global variables + ********************************************************************/ +int totalNumEntries = 0; +Reputation_Stats reputation_stats; +ReputationConfig *reputation_eval_config; +tSfPolicyUserContextId reputation_config; +ReputationConfig *pDefaultPolicyConfig = NULL; + +#ifdef SNORT_RELOAD +static tSfPolicyUserContextId reputation_swap_config = NULL; +static void ReputationReload(char *); +static void * ReputationReloadSwap(void); +static void ReputationReloadSwapFree(void *); +static int ReputationReloadVerify(void); +#endif + + +/* Called at preprocessor setup time. Links preprocessor keyword + * to corresponding preprocessor initialization function. + * + * PARAMETERS: None. + * + * RETURNS: Nothing. + * + */ +void SetupReputation(void) +{ + /* Link preprocessor keyword to initialization function + * in the preprocessor list. 
*/ +#ifndef SNORT_RELOAD + _dpd.registerPreproc( "reputation", ReputationInit ); +#else + _dpd.registerPreproc("reputation", ReputationInit, ReputationReload, + ReputationReloadSwap, ReputationReloadSwapFree); +#endif +} +#ifdef SHARED_REP +static int Reputation_PreControl(uint16_t type, const uint8_t *data, uint32_t length, void **new_config) +{ + int segment_version = NO_DATASEG; + + ReputationConfig *pDefaultPolicyConfig = NULL; + ReputationConfig *nextConfig = NULL; + + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + + if (!pDefaultPolicyConfig) + { + *new_config = NULL; + return -1; + } + + nextConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig)); + + if (!nextConfig) + { + *new_config = NULL; + return -1; + } + nextConfig->segment_version = segment_version; + nextConfig->memcap = pDefaultPolicyConfig->memcap; + reputation_shmem_config = nextConfig; + + if ((segment_version = LoadSharedMemDataSegmentForWriter(RELOAD)) >= 0) + { + *new_config = nextConfig; + nextConfig->segment_version = segment_version; + _dpd.logMsg("***Received segment %d\n", + segment_version); + } + else + { + *new_config = NULL; + free(nextConfig); + return -1; + } + return 0; +} + +static int Reputation_Control(uint16_t type, void *new_config, void **old_config) +{ + ReputationConfig *config = (ReputationConfig *) new_config; + + if (NULL != config) + { + SwitchToActiveSegment(config->segment_version, &IPtables); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,"***Switched to segment %d\n", + config->segment_version)); + *old_config = config; + return 0; + } + return -1; +} + +static void Reputation_PostControl(uint16_t type, void *old_config) +{ + ReputationConfig *config = (ReputationConfig *) old_config; + ReputationConfig *pDefaultPolicyConfig = NULL; + + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + + if (!pDefaultPolicyConfig) + { + return; + } + + UnmapInactiveSegments(); + + 
pDefaultPolicyConfig->memCapReached = config->memCapReached; + pDefaultPolicyConfig->segment_version = config->segment_version; + pDefaultPolicyConfig->memsize = config->memsize; + pDefaultPolicyConfig->numEntries = config->numEntries; + pDefaultPolicyConfig->iplist = config->iplist; + reputation_shmem_config = pDefaultPolicyConfig; + free(config); + +} +static void ReputationShmemReaderUpdate(void) +{ + if (SWITCHING == switch_state) + { + SwitchToActiveSegment(available_segment, &IPtables); + switch_state = SWITCHED; + } +} +static void ReputationMaintenanceCheck(int signal, void *data) +{ + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Reputation Preprocessor Maintenance!\n");); + PrintShmemMgmtInfo(); + if (SHMEM_SERVER_ID_1 == _dpd.getSnortInstance()) + { + ManageUnusedSegments(); + if (SWITCHED == switch_state) + { + _dpd.logMsg("***Instance %d switched to segment_version %d\n", + _dpd.getSnortInstance(), available_segment); + UnmapInactiveSegments(); + switch_state = NO_SWITCH; + } + } + else + { + if ((NO_SWITCH == switch_state)&&((available_segment = CheckForSharedMemSegment()) >= 0)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,"***Switched to segment_version %d ",available_segment);); + switch_state = SWITCHING; + + } + if (SWITCHED == switch_state) + { + _dpd.logMsg("***Instance %d switched to segment_version %d\n", + _dpd.getSnortInstance(), available_segment); + UnmapInactiveSegments(); + switch_state = NO_SWITCH; + } + } +} + +#endif + +/* Initializes the Reputation preprocessor module and registers + * it in the preprocessor list. + * + * PARAMETERS: + * + * argp: Pointer to argument string to process for configuration data. + * + * RETURNS: Nothing. 
+ */ +static void ReputationInit(char *argp) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + ReputationConfig *pDefaultPolicyConfig = NULL; + ReputationConfig *pPolicyConfig = NULL; + + + if (reputation_config == NULL) + { + /*create a context*/ + reputation_config = sfPolicyConfigCreate(); + if (reputation_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for Reputation config.\n"); + } + + _dpd.addPreprocConfCheck(ReputationCheckConfig); + _dpd.registerPreprocStats(REPUTATION_NAME, ReputationPrintStats); + _dpd.addPreprocExit(ReputationCleanExit, NULL, PRIORITY_LAST, PP_REPUTATION); + +#ifdef PERF_PROFILING + _dpd.addPreprocProfileFunc("reputation", (void *)&reputationPerfStats, 0, _dpd.totalPerfStats); +#endif + + } + + sfPolicyUserPolicySet (reputation_config, policy_id); + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("Reputation preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "Reputation preprocessor configuration.\n"); + } + + sfPolicyUserDataSetCurrent(reputation_config, pPolicyConfig); + + ParseReputationArgs(pPolicyConfig, (u_char *)argp); +#ifdef SHARED_REP + if (pPolicyConfig->sharedMem.path) + { + _dpd.addPeriodicCheck(ReputationMaintenanceCheck,NULL, PRIORITY_FIRST, PP_REPUTATION, pPolicyConfig->sharedMem.updateInterval); + + /*Only writer or server has control channel*/ + if (SHMEM_SERVER_ID_1 == _dpd.getSnortInstance()) + { + _dpd.controlSocketRegisterHandler(CS_TYPE_REPUTATION_SHAREMEM, + &Reputation_PreControl, &Reputation_Control, &Reputation_PostControl); + } + 
_dpd.registerIdleHandler(&ReputationShmemReaderUpdate); + + } +#endif + + if ((0 == pPolicyConfig->numEntries)&&(!pPolicyConfig->sharedMem.path)) + { + return; + } + + if (policy_id != 0) + pPolicyConfig->memcap = pDefaultPolicyConfig->memcap; + + if (!pPolicyConfig->sharedMem.path && pPolicyConfig->localSegment) + IPtables = &pPolicyConfig->localSegment; + + _dpd.addPreproc( ReputationMain, PRIORITY_FIRST, PP_REPUTATION, PROTO_BIT__IP ); +#ifdef SHARED_REP + if (pPolicyConfig->sharedMem.path) + _dpd.addPostConfigFunc(initShareMemory, pPolicyConfig); +#endif + +} + + +/********************************************************************* + * Lookup the iplist table. + * + * Arguments: + * snort_ip_p - ip to be searched + * + * Returns: + * IPdecision - + * DECISION_NULL + * BLACKLISTED + * WHITELISTED + * + *********************************************************************/ +static inline IPdecision ReputationLookup(snort_ip_p ip) +{ + bw_list * result; + +#ifdef SUP_IP6 + DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Lookup address: %s \n",sfip_to_str(ip) );); +#else + DEBUG_WRAP( DebugMessage(DEBUG_REPUTATION, "Lookup address: %lx \n", ip);); +#endif + if (!reputation_eval_config->scanlocal) + { + if (sfip_is_private(ip) ) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Private address\n");); + return DECISION_NULL; + } + } + +#ifdef SUP_IP6 + + result = (bw_list *) sfrt_flat_dir8x_lookup((void *)ip, reputation_eval_config->iplist ); + +#else + + result = (bw_list *) sfrt_flat_dir8x_lookup((void *)&ip, reputation_eval_config->iplist); + +#endif + /*Check the source and destination*/ + if (NULL != result) + { +#ifdef SUP_IP6 + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "Decision: %s \n", + WHITELISTED == result->isBlack? 
"WHITED": "BLACKED" );); +#endif + return (result->isBlack); + } + else + return DECISION_NULL; + +} + +/********************************************************************* + * Make decision based on ip addresses + * + * Arguments: + * SFSnortPacket * - pointer to packet structure + * + * Returns: + * IPdecision - + * DECISION_NULL + * BLACKLISTED + * WHITELISTED + * + *********************************************************************/ +static inline IPdecision ReputationDecision(SFSnortPacket *p) +{ + snort_ip_p ip; + IPdecision decision; + IPdecision decision_final = DECISION_NULL; + + /*Check INNER IP, when configured or only one layer*/ + if (( ! p->outer_family ) + ||(INNER == reputation_eval_config->nestedIP) + ||(BOTH == reputation_eval_config->nestedIP)) + { + ip = GET_INNER_SRC_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + + + ip = GET_INNER_DST_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + } + /*Check OUTER IP*/ + if (( p->outer_family) && + ((OUTER == reputation_eval_config->nestedIP) + ||(BOTH == reputation_eval_config->nestedIP))) + { + ip = GET_OUTER_SRC_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + + ip = GET_OUTER_DST_IP(((SFSnortPacket *)p)); + decision = ReputationLookup(ip); + if (DECISION_NULL != decision) + { + if ( reputation_eval_config->priority == decision) + return decision; + decision_final = decision; + } + + } + return (decision_final); +} + +/********************************************************************* + * Main entry point for Reputation processing. 
+ * + * Arguments: + * SFSnortPacket * - pointer to packet structure + * + * Returns: + * None + * + *********************************************************************/ +static inline void ReputationProcess(SFSnortPacket *p) +{ + + IPdecision decision; + + reputation_eval_config->iplist = (table_flat_t *)*IPtables; + decision = ReputationDecision(p); + + if (DECISION_NULL == decision) + { + return; + } + else if (BLACKLISTED == decision) + { + ALERT(REPUTATION_EVENT_BLACKLIST,REPUTATION_EVENT_BLACKLIST_STR); + _dpd.disableAllDetect(p); + _dpd.setPreprocBit(p, PP_PERFMONITOR); + reputation_stats.blacklisted++; + } + else if (WHITELISTED == decision) + { + ALERT(REPUTATION_EVENT_WHITELIST,REPUTATION_EVENT_WHITELIST_STR); + p->flags |= FLAG_IGNORE_PORT; + _dpd.disableAllDetect(p); + _dpd.setPreprocBit(p, PP_PERFMONITOR); + reputation_stats.whitelisted++; + } + +} +/* Main runtime entry point for Reputation preprocessor. + * Analyzes Reputation packets for anomalies/exploits. + * + * PARAMETERS: + * + * packetp: Pointer to current packet to process. + * contextp: Pointer to context block, not used. + * + * RETURNS: Nothing. 
+ */ +static void ReputationMain( void* ipacketp, void* contextp ) +{ + + PROFILE_VARS; + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "%s\n", REPUTATION_DEBUG__START_MSG)); + + if (!IsIP((SFSnortPacket*) ipacketp) + ||( ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_FRAG) + ||( ((SFSnortPacket*)ipacketp)->flags & FLAG_REBUILT_STREAM)) + { + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION," -> spp_reputation: Not IP or Is a rebuilt packet\n");); + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "%s\n", REPUTATION_DEBUG__END_MSG)); + return; + } + + + sfPolicyUserPolicySet (reputation_config, runtimePolicyId); + + reputation_eval_config = sfPolicyUserDataGetCurrent(reputation_config); + + PREPROC_PROFILE_START(reputationPerfStats); + /* + * Start process + */ + + ReputationProcess((SFSnortPacket*) ipacketp); + + DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION, "%s\n", REPUTATION_DEBUG__END_MSG)); + PREPROC_PROFILE_END(reputationPerfStats); + +} + +static int ReputationCheckPolicyConfig(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData) +{ + _dpd.setParserPolicy(policyId); + + return 0; +} +void ReputationCheckConfig(void) +{ + sfPolicyUserDataIterate (reputation_config, ReputationCheckPolicyConfig); +} + + +static void ReputationCleanExit(int signal, void *data) +{ + if (reputation_config != NULL) + { + ReputationFreeConfig(reputation_config); + reputation_config = NULL; +#ifdef SHARED_REP + ShutdownSharedMemory(); +#endif + } +} +static int ReputationFreeConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + ReputationConfig *pPolicyConfig = (ReputationConfig *)pData; + + //do any housekeeping before freeing ReputationConfig + + sfPolicyUserDataClear (config, policyId); + + Reputation_FreeConfig(pPolicyConfig); + return 0; +} + +void ReputationFreeConfig(tSfPolicyUserContextId config) +{ + if (config == NULL) + return; + + sfPolicyUserDataIterate (config, ReputationFreeConfigPolicy); + sfPolicyConfigDelete(config); +} 
+/****************************************************************** + * Print statistics being kept by the preprocessor. + * + * Arguments: + * int - whether Snort is exiting or not + * + * Returns: None + * + ******************************************************************/ +static void ReputationPrintStats(int exiting) +{ + + _dpd.logMsg("Reputation Preprocessor Statistics\n"); + + _dpd.logMsg(" Total Memory Allocated: "STDu64"\n", reputation_stats.memoryAllocated); + + if (reputation_stats.blacklisted > 0) + _dpd.logMsg(" Number of packets blacklisted: "STDu64"\n", reputation_stats.blacklisted); + if (reputation_stats.whitelisted > 0) + _dpd.logMsg(" Number of packets whitelisted: "STDu64"\n", reputation_stats.whitelisted); + +} + +#ifdef SNORT_RELOAD +static void ReputationReload(char *args) +{ + tSfPolicyId policy_id = _dpd.getParserPolicy(); + ReputationConfig * pPolicyConfig = NULL; + ReputationConfig *pDefaultPolicyConfig = NULL; + + if (reputation_swap_config == NULL) + { + //create a context + reputation_swap_config = sfPolicyConfigCreate(); + if (reputation_swap_config == NULL) + { + DynamicPreprocessorFatalMessage("Failed to allocate memory " + "for Reputation config.\n"); + } + + } + + sfPolicyUserPolicySet (reputation_swap_config, policy_id); + pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_swap_config); + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL)) + { + DynamicPreprocessorFatalMessage("Reputation preprocessor can only be " + "configured once.\n"); + } + + pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig)); + if (!pPolicyConfig) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for " + "Reputation preprocessor configuration.\n"); + } + sfPolicyUserDataSetCurrent(reputation_swap_config, pPolicyConfig); + + ParseReputationArgs(pPolicyConfig, (u_char *)args); + + if ((0 == 
pPolicyConfig->numEntries) &&(!pPolicyConfig->sharedMem.path)) + { + return; + } + if (policy_id != 0) + pPolicyConfig->memcap = pDefaultPolicyConfig->memcap; + + _dpd.addPreproc( ReputationMain, PRIORITY_FIRST, PP_REPUTATION, PROTO_BIT__IP ); + _dpd.addPreprocReloadVerify(ReputationReloadVerify); +} + +static int ReputationReloadVerify(void) +{ + ReputationConfig * pPolicyConfig = NULL; + ReputationConfig * pCurrentConfig = NULL; + + if (reputation_swap_config == NULL) + return 0; + + pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGet(reputation_swap_config, _dpd.getDefaultPolicy()); + + if (!pPolicyConfig) + return 0; + + + if (reputation_config != NULL) + { + pCurrentConfig = (ReputationConfig *)sfPolicyUserDataGet(reputation_config, _dpd.getDefaultPolicy()); + } + + if (!pCurrentConfig) + return 0; + + if (pPolicyConfig->memcap != pCurrentConfig->memcap) + { + _dpd.errMsg("Reputation reload: Changing memcap settings requires a restart.\n"); + ReputationFreeConfig(reputation_swap_config); + reputation_swap_config = NULL; + return -1; + } + +#ifdef SHARED_REP + /* Shared memory is used*/ + if (pPolicyConfig->sharedMem.path || pCurrentConfig->sharedMem.path) + { + /*Shared memory setting is changed*/ + if ( (!pCurrentConfig->sharedMem.path)||(!pPolicyConfig->sharedMem.path) + || strcmp(pPolicyConfig->sharedMem.path, pCurrentConfig->sharedMem.path) + ||(pPolicyConfig->sharedMem.updateInterval != pCurrentConfig->sharedMem.updateInterval)) + { + _dpd.errMsg("Reputation reload: Changing memory settings requires a restart.\n"); + ReputationFreeConfig(reputation_swap_config); + reputation_swap_config = NULL; + return -1; + } + else /*no change, do a reload of list*/ + { + reputation_shmem_config = pPolicyConfig; + if ((available_segment = LoadSharedMemDataSegmentForWriter(RELOAD)) >= 0) + { + pPolicyConfig->segment_version = available_segment; + _dpd.logMsg("***New segment %d\n", + available_segment); + switch_state = SWITCHING; + } + + } + } +#endif + return 0; +} 
+ +static int ReputationFreeUnusedConfigPolicy( + tSfPolicyUserContextId config, + tSfPolicyId policyId, + void* pData +) +{ + ReputationConfig *pPolicyConfig = (ReputationConfig *)pData; + + //do any housekeeping before freeing ReputationConfig + if (pPolicyConfig->ref_count == 0) + { + sfPolicyUserDataClear (config, policyId); + Reputation_FreeConfig(pPolicyConfig); + } + return 0; +} + +static void * ReputationReloadSwap(void) +{ + tSfPolicyUserContextId old_config = reputation_config; + ReputationConfig *pDefaultPolicyConfig = NULL; + + if (reputation_swap_config == NULL) + return NULL; + + reputation_config = reputation_swap_config; + reputation_swap_config = NULL; + + pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); + if (pDefaultPolicyConfig->localSegment) + IPtables = &pDefaultPolicyConfig->localSegment; + + sfPolicyUserDataIterate (old_config, ReputationFreeUnusedConfigPolicy); + + if (sfPolicyUserPolicyGetActive(old_config) == 0) + { + /* No more outstanding configs - free the config array */ + return (void *)old_config; + } + + return NULL; +} + +static void ReputationReloadSwapFree(void *data) +{ + if (data == NULL) + return; + + ReputationFreeConfig((tSfPolicyUserContextId)data); +} +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/reputation/spp_reputation.h snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.h --- snort-2.9.0.1/src/dynamic-preprocessors/reputation/spp_reputation.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/reputation/spp_reputation.h 2011-10-26 07:49:57.000000000 -0700 
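Review bot: Reputation_PreControl leaves `reputation_shmem_config` pointing at freed memory on its failure path: it assigns `reputation_shmem_config = nextConfig;` before calling LoadSharedMemDataSegmentForWriter, and when that call returns a negative value it does `free(nextConfig);` without restoring the global, so whatever later reads reputation_shmem_config (it is exported through spp_reputation.h) dereferences a dangling pointer. Restore the previous value before freeing, `reputation_shmem_config = pDefaultPolicyConfig;` immediately ahead of `free(nextConfig);`. Separately, ReputationMain assigns `reputation_eval_config = sfPolicyUserDataGetCurrent(reputation_config);` and ReputationProcess dereferences it on its first line; if that accessor can return NULL for a runtime policy that has no reputation section, as the NULL checks on the same accessors elsewhere in this file suggest, add `if (reputation_eval_config == NULL) return;` before PREPROC_PROFILE_START. As a point of style, the locals named pDefaultPolicyConfig in Reputation_PreControl, Reputation_PostControl, ReputationInit, ReputationReload and ReputationReloadSwap all shadow the file-scope `ReputationConfig *pDefaultPolicyConfig = NULL;` from the globals block, which -Wshadow will flag and which leaves that global apparently unused in this hunk.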
@@ -0,0 +1,80 @@ +/* $Id */ + +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* + * spp_reputation.h: Definitions, structs, function prototype(s) for + * the Reputation preprocessor. + * Author: Hui Cao + */ + +#ifndef SPP_REPUTATION_H +#define SPP_REPUTATION_H + +#include "sf_types.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "sf_ip.h" +#include "sfrt_flat.h" +#include "reputation_config.h" + +/* + * Generator id. 
Define here the same as the official registry + * in generators.h + */ +#define GENERATOR_SPP_REPUTATION 136 + +#define CS_TYPE_REPUTATION_SHAREMEM ((GENERATOR_SPP_REPUTATION *10) + 1) + +/*These IDs are reserved for snort shared memory server (writer)*/ +#define SHMEM_SERVER_ID_1 1 + +/* Ultimately calls SnortEventqAdd */ +/* Arguments are: gid, sid, rev, classification, priority, message, rule_info */ +#define ALERT(x,y) { _dpd.alertAdd(GENERATOR_SPP_REPUTATION, x, 1, 0, 3, y, 0 ); } + +#define REPUTATION_EVENT_BLACKLIST 1 +#define REPUTATION_EVENT_BLACKLIST_STR "(spp_reputation) packets blacklisted" +#define REPUTATION_EVENT_WHITELIST 2 +#define REPUTATION_EVENT_WHITELIST_STR "(spp_reputation) packets whitelisted" + + +typedef struct _Reputation_Stats +{ + uint64_t blacklisted; + uint64_t whitelisted; + uint64_t memoryAllocated; + +} Reputation_Stats; + +extern Reputation_Stats reputation_stats; +extern int totalNumEntries; +extern ReputationConfig *reputation_eval_config; +extern tSfPolicyUserContextId reputation_config; +extern void **IPtables; +#ifdef SHARED_REP +extern ReputationConfig *reputation_shmem_config; +#endif +/* Prototypes for public interface */ +void SetupReputation(void); + +#endif /* SPP_REPUTATION_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/Makefile.am snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.am --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/Makefile.am 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.am 2011-07-13 15:44:51.000000000 -0700 
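Review bot: `ALERT(x,y)` is defined as a bare brace block, `{ _dpd.alertAdd(...); }`, so a use such as `ALERT(...);` directly followed by `else` does not compile, and the macro cannot serve as the body of an unbraced `if`; the idiomatic form is `#define ALERT(x,y) do { _dpd.alertAdd(GENERATOR_SPP_REPUTATION, x, 1, 0, 3, y, 0 ); } while (0)`. The callers in spp_reputation.c currently wrap it in braced blocks, so nothing breaks today, but the macro is part of this header's interface and the next caller will not know the restriction. The comment above it already lists the alertAdd argument order; naming the fixed values in place, `/* rev 1, classification 0, priority 3 */`, would tie the literals to that list.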
@@ -0,0 +1,38 @@ +## $Id +AUTOMAKE_OPTIONS=foreign no-dependencies + +INCLUDES = -I../include -I${srcdir}/../libs + +pkglibdir = ${exec_prefix}/lib/snort_dynamicpreprocessor + +pkglib_LTLIBRARIES = sf_rzb_saac_preproc.la + +sf_rzb_saac_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +if SO_WITH_STATIC_LIB +PREPROCLIB=../libsf_dynamic_preproc.la +else +nodist_sf_rzb_saac_preproc_la_SOURCES = \ +../include/sf_dynamic_preproc_lib.c \ +../include/sf_ip.c \ +../include/sfPolicyUserData.c +endif +sf_rzb_saac_preproc_la_LIBADD = ${PREPROCLIB} @RAZORBACK_LIBS@ +sf_rzb_saac_preproc_la_CFLAGS = @RAZORBACK_CFLAGS@ -Werror + +sf_rzb_saac_preproc_la_SOURCES = \ +rzb_debug.c \ +rzb_debug.h \ +rzb_http-client.c \ +rzb_http-client.h \ +rzb_http.h \ +rzb_http-fileinfo.c \ +rzb_http-fileinfo.h \ +rzb_http-server.c \ +rzb_http-server.h \ +rzb_smtp-collector.c \ +rzb_smtp-collector.h \ +spp_rzb-saac.c + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-pkglibLTLIBRARIES + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/Makefile.in snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/Makefile.in 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/Makefile.in 2011-12-07 11:23:20.000000000 -0800 
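Review bot: `sf_rzb_saac_preproc_la_CFLAGS = @RAZORBACK_CFLAGS@ -Werror` hard-codes -Werror into a distributed build, so any new diagnostic from a newer compiler, or warning flags a packager adds to CFLAGS, becomes a build failure for this one preprocessor; the sibling preprocessor Makefiles are not visible here, so I cannot tell whether this matches them, but a configure-controlled substitution is the usual way to keep it opt-in. `INCLUDES = -I../include -I${srcdir}/../libs` is the older spelling that later automake releases warn about; `AM_CPPFLAGS = -I../include -I${srcdir}/../libs` is the replacement if the rest of the tree moves to it.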
@@ -0,0 +1,586 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/rzb_saac +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + 
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(pkglibdir)" +LTLIBRARIES = $(pkglib_LTLIBRARIES) +sf_rzb_saac_preproc_la_DEPENDENCIES = $(PREPROCLIB) +am_sf_rzb_saac_preproc_la_OBJECTS = \ + sf_rzb_saac_preproc_la-rzb_debug.lo \ + sf_rzb_saac_preproc_la-rzb_http-client.lo \ + sf_rzb_saac_preproc_la-rzb_http-fileinfo.lo \ + sf_rzb_saac_preproc_la-rzb_http-server.lo \ + sf_rzb_saac_preproc_la-rzb_smtp-collector.lo \ + sf_rzb_saac_preproc_la-spp_rzb-saac.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_sf_rzb_saac_preproc_la_OBJECTS = sf_rzb_saac_preproc_la-sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_rzb_saac_preproc_la-sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_rzb_saac_preproc_la-sfPolicyUserData.lo +sf_rzb_saac_preproc_la_OBJECTS = $(am_sf_rzb_saac_preproc_la_OBJECTS) \ + $(nodist_sf_rzb_saac_preproc_la_OBJECTS) +sf_rzb_saac_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) \ + $(sf_rzb_saac_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(sf_rzb_saac_preproc_la_SOURCES) \ + $(nodist_sf_rzb_saac_preproc_la_SOURCES) +DIST_SOURCES = $(sf_rzb_saac_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +pkglibdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = 
@PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = 
@top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +pkglib_LTLIBRARIES = sf_rzb_saac_preproc.la +sf_rzb_saac_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ +@SO_WITH_STATIC_LIB_TRUE@PREPROCLIB = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_sf_rzb_saac_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +sf_rzb_saac_preproc_la_LIBADD = ${PREPROCLIB} @RAZORBACK_LIBS@ +sf_rzb_saac_preproc_la_CFLAGS = @RAZORBACK_CFLAGS@ -Werror +sf_rzb_saac_preproc_la_SOURCES = \ +rzb_debug.c \ +rzb_debug.h \ +rzb_http-client.c \ +rzb_http-client.h \ +rzb_http.h \ +rzb_http-fileinfo.c \ +rzb_http-fileinfo.h \ +rzb_http-server.c \ +rzb_http-server.h \ +rzb_smtp-collector.c \ +rzb_smtp-collector.h \ +spp_rzb-saac.c + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/rzb_saac/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/rzb_saac/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(pkglibdir)" || $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \ + } + +uninstall-pkglibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \ + done + +clean-pkglibLTLIBRARIES: + -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES) + @list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm 
-f "$${dir}/so_locations"; \ + done +sf_rzb_saac_preproc.la: $(sf_rzb_saac_preproc_la_OBJECTS) $(sf_rzb_saac_preproc_la_DEPENDENCIES) + $(sf_rzb_saac_preproc_la_LINK) -rpath $(pkglibdir) $(sf_rzb_saac_preproc_la_OBJECTS) $(sf_rzb_saac_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_rzb_saac_preproc_la-rzb_debug.lo: rzb_debug.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_debug.lo `test -f 'rzb_debug.c' || echo '$(srcdir)/'`rzb_debug.c + +sf_rzb_saac_preproc_la-rzb_http-client.lo: rzb_http-client.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_http-client.lo `test -f 'rzb_http-client.c' || echo '$(srcdir)/'`rzb_http-client.c + +sf_rzb_saac_preproc_la-rzb_http-fileinfo.lo: rzb_http-fileinfo.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_http-fileinfo.lo `test -f 'rzb_http-fileinfo.c' || echo '$(srcdir)/'`rzb_http-fileinfo.c + +sf_rzb_saac_preproc_la-rzb_http-server.lo: rzb_http-server.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_http-server.lo `test -f 'rzb_http-server.c' || echo '$(srcdir)/'`rzb_http-server.c + +sf_rzb_saac_preproc_la-rzb_smtp-collector.lo: rzb_smtp-collector.c + $(LIBTOOL) 
--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-rzb_smtp-collector.lo `test -f 'rzb_smtp-collector.c' || echo '$(srcdir)/'`rzb_smtp-collector.c + +sf_rzb_saac_preproc_la-spp_rzb-saac.lo: spp_rzb-saac.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-spp_rzb-saac.lo `test -f 'spp_rzb-saac.c' || echo '$(srcdir)/'`spp_rzb-saac.c + +sf_rzb_saac_preproc_la-sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_rzb_saac_preproc_la-sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sf_rzb_saac_preproc_la-sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sf_rzb_saac_preproc_la_CFLAGS) $(CFLAGS) -c -o sf_rzb_saac_preproc_la-sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) 
$(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) 
$(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(pkglibdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-pkglibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-pkglibLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pkglibLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libtool clean-pkglibLTLIBRARIES ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pkglibLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pkglibLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-pkglibLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_debug.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.c
--- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_debug.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.c 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,43 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+
+#include "sf_types.h"
+#include "rzb_debug.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+
+void prettyprint(const unsigned char *data, unsigned int size) {
+ unsigned int i;
+ const unsigned char *dataptr = data;
+ unsigned char asciigraph[17];
+
+ memset(asciigraph, '\x00', 17);
+
+#ifdef PACKETDUMPSIZE
+ size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size;
+#endif
+
+ for(i=0; i < size; i++, dataptr++) {
+ printf("%02x ", *dataptr);
+ asciigraph[i % 16] = (isgraph(*dataptr) || (*dataptr == ' ')) ? *dataptr : '.';
+
+ if(i % 16 == 15) {
+ printf("%s\n", asciigraph);
+ memset(asciigraph, '\x00', 17);
+ }
+ }
+
+ // Dump any remaining data
+ if(i % 16) {
+ printf("%*s", (16 - (i%16)) * 3, " ");
+ printf("%s\n", asciigraph);
+ }
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_debug.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.h
--- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_debug.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_debug.h 2011-02-09 15:23:21.000000000 -0800
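Review bot: `prettyprint` writes raw payload bytes to stdout with printf, and in this patch it is reached from DEBUGOUT calls on client packets (rzb_http-client.c) and from DumpFileInfo (rzb_http-fileinfo.c), so a sensor built with the shipped rzb_debug.h emits hex dumps of traffic to its console; the plugin API's `_dpd.logMsg`/`_dpd.debugMsg` would keep this under the engine's logging control. The width argument to `%*s` is `(16 - (i%16)) * 3`, an unsigned int where the conversion requires an int; cast it: `printf("%*s", (int)((16 - (i % 16)) * 3), " ");`. A NULL `data` with non-zero size is dereferenced on the first iteration; `if (data == NULL) return;` at the top is cheap insurance for a routine called from many debug paths.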
@@ -0,0 +1,37 @@
+#ifndef NRT_DEBUG_H
+#define NRT_DEBUG_H
+
+#define D_CRITICAL 0xFFFF
+
+#define D_EMERG 0x0001
+#define D_WARN 0x0002
+#define D_DEBUG 0x0004
+#define D_INFO 0x0008
+#define D_ALLLVL 0x00FF
+#define D_CRIT 0x0080
+
+#define D_CLIENT 0x0100
+#define D_SERVER 0X0200
+#define D_DETECT 0x0400
+#define D_PACKET 0x0800
+#define D_FILE 0x1000
+#define D_ALERT 0x2000
+#define D_ALLCOMP 0xFF00
+
+#define D_ALLDEBUG 0xFFFF
+
+#define DEBUG
+#ifdef DEBUG
+#define DEBUGLEVEL D_ALLDEBUG //((D_ALLCOMP & ~D_PACKET) | D_CRIT)// (D_ALLDEBUG & ~D_PACKET)
+#define DEBUGOUT(flag, code) if((flag & DEBUGLEVEL & 0xFF00) && (flag & DEBUGLEVEL & 0x00FF)) code
+#else
+#define DEBUGOUT(flag, code)
+#endif
+
+#define PACKETDUMPSIZE 256
+
+void prettyprint(const unsigned char *, unsigned int);
+
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c
--- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.c 2011-10-26 11:28:52.000000000 -0700
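Review bot: `#define DEBUG` immediately before `#ifdef DEBUG`, together with `DEBUGLEVEL D_ALLDEBUG`, turns every DEBUGOUT in the preprocessor on unconditionally, including the packet-payload dumps, and makes the `#else` branch that compiles DEBUGOUT away unreachable; let the build define DEBUG (drop the unconditional define, or wrap it in `#ifndef DEBUG`) and give DEBUGLEVEL a narrower default than D_ALLDEBUG. The macro body `if(...) code` has no braces and leaves `flag` unparenthesized, so a following `else` or a compound `flag` argument changes meaning; `#define DEBUGOUT(flag, code) do { if ((((flag) & DEBUGLEVEL) & 0xFF00) && (((flag) & DEBUGLEVEL) & 0x00FF)) { code; } } while (0)` is the usual shape. `D_SERVER 0X0200` uses an uppercase `0X` unlike every neighbouring constant.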
@@ -0,0 +1,249 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif + +#include "sf_types.h" +#include <rzb_collection_api.h> +#include "rzb_http-client.h" +#include "rzb_debug.h" +#include "rzb_http-fileinfo.h" +#include "rzb_http-server.h" +#include "rzb_http.h" + +#include "sf_snort_plugin_api.h" +#include "sfPolicyUserData.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <pcre.h> + +typedef struct { + pcre *re; + pcre_extra *pe; +} pcrestruct; + +// Ensure the pcre enum lines up with the pcre strings array +enum { PCRE_EOH, PCRE_URL, PCRE_HOST, PCRE_COOKIE, PCRE_UA } http_pcre_enum; +#define NUM_HTTP_PCRES PCRE_UA+1 +pcrestruct http_pcre_structs[NUM_HTTP_PCRES]; +char *http_pcre_strings[] = { + "\\n\\r?\\n", + "^(GET|POST)\\s+([^\\s]+)\\s+HTTP/1\\.[01]\\s*$", + "^Host:\\s*([^\\r\\n]+)", + "^Cookie:\\s*([^\\r\\n]+)", + "^User-Agent:\\s*([^\\r\\n]+)" + }; + +int init_HTTP_PCREs(void) { + const char *error; + int erroffset; + + int i; + + for(i = 0; i < NUM_HTTP_PCRES; i++) { +// /*DEBUGOUT((D_CLIENT | D_INFO),*/printf("Initializing PCRE %d: %s\n", i, http_pcre_strings[i]);//); + + http_pcre_structs[i].re = pcre_compile(http_pcre_strings[i], PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, &error, &erroffset, NULL); + + if(http_pcre_structs[i].re == NULL) { + printf("Failed to compile pcre regex %d (%s): %s\n", i, http_pcre_strings[i], error); + return(-1); + } + + http_pcre_structs[i].pe = pcre_study(http_pcre_structs[i].re, 0, &error); + + if(error != NULL) { + printf("Failed to study pcre regex %d /%s/: %s\n", i, http_pcre_strings[i], error); + return(-1); + } + } + + return 1; +} + +// < 0 for error. 
>= 0 for len of extracted string +int extractHTTPClientHeaderVal(const u_int8_t *buf, u_int32_t size, int pcreidx, int substringnum, char *valuebuf, int valuelen) { + int result; + int ovector[9]; + int ovecsize = 9; + const char *tmpstring; + +// printf("Searching for pcre %d (%s)\n", pcreidx, http_pcre_strings[pcreidx]); + + result = pcre_exec(http_pcre_structs[pcreidx].re, http_pcre_structs[pcreidx].pe, + (const char *)buf, size, 0, 0, ovector, ovecsize); + + if(result < 0 || result == PCRE_ERROR_NOMATCH) { +// printf("pcre not found\n"); + return(-1); // We need to find the URL or this isn't a valid request + } + + if(valuebuf) { + result = pcre_get_substring((const char *)buf, ovector, result, substringnum, &tmpstring); + if(result < 0) { +// printf("unable to extract substring\n"); + return(-2); + } + + strncpy(valuebuf, tmpstring, valuelen); + valuebuf[valuelen-1] = '\0'; + + pcre_free_substring(tmpstring); + return(strlen(valuebuf)); + } + + return(0); +} + + +int ParseClientRequest(const u_int8_t *payload, u_int32_t payload_size, WEB_ENTRY* webentry) { + + u_int32_t offset_eoh = 0; + int result; + + DEBUGOUT((D_CLIENT | D_INFO), printf("ParseClientRequest enter\n")); + + if(payload == NULL) { + DEBUGOUT(D_CRITICAL, printf("ParseClientRequest payload is NULL. wtf.\n")); + return(-1); + } + + if(payload_size < 15) { + return(-1); + } + + // I get the sneaking suspicion that eventually I'm going to realize that I still + // need to keep track of HEAD, OPTION, etc because some jackass is going to desynch me by + // injecting such requests into the stream so when I receive file data it won't line up + // correctly. I really should just rob the code from http_inspect here. + + // Find the end of the HTTP headers + // XXX This code is pretty useless here unless I get an offset for the end of headers + result = extractHTTPClientHeaderVal(payload, payload_size, PCRE_EOH, 0, NULL, 0); + offset_eoh = /*(result >= 0) ? 
result :*/ payload_size; + + // Get the URL + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_URL, 2, webentry->url, sizeof(webentry->url)); + + // We need a URL (also validates this is a valid request) + if(result < 0) { + printf("Unable to extract URL\n"); + return(-1); + } + + // The remaining headers are optional (PCRE_HOST, PCRE_COOKIE, PCRE_UA) + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_HOST, 1, webentry->host, sizeof(webentry->host)); + if(result < 0) { +// printf("Unable to extract Host header\n"); + webentry->host[0] = '\0'; + } + + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_COOKIE, 1, webentry->cookie, sizeof(webentry->cookie)); + if(result < 0) { +// printf("Unable to extract Cookie header\n"); + webentry->cookie[0] = '\0'; + } + + result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_UA, 1, webentry->user_agent, sizeof(webentry->user_agent)); + if(result < 0) { +// printf("Unable to extract User-Agent header\n"); + webentry->user_agent[0] = '\0'; + } + + return(1); +} + +int ProcessFromClient(SFSnortPacket *sp) { + RULEDATA *ruledata; + + WEB_ENTRY webentry; + + int result; + FILEINFO *fileinfo; + + DEBUGOUT((D_CLIENT | D_INFO), printf("ProcessFromClient enter\n")); + DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->payload, sp->payload_size)); + + ruledata = _dpd.streamAPI->get_application_data(sp->stream_session_ptr, SAAC_HTTP); + + if(!ruledata) { + DEBUGOUT((D_CLIENT | D_DEBUG), printf("ProcessFromClient: adding new rule data\n")); + ruledata = calloc(1, sizeof(RULEDATA)); + if(!ruledata) { + DEBUGOUT(D_CRITICAL, printf("ProcessFromClient: ruledata malloc failed\n")); + return(-1); + } + + _dpd.streamAPI->set_application_data(sp->stream_session_ptr, SAAC_HTTP, ruledata, &free); + ruledata->sid = NRTSID; + ruledata->streaminfoidx = INVALIDSTREAMIDX; + ruledata->state = WAITINGFORRESPONSEHEADER; + + } else if(ruledata->sid != NRTSID) { + DEBUGOUT(D_CRITICAL, printf("ProcessFromClient: Not our 
data! (sid %d/0x%08x)\n", ruledata->sid, ruledata->sid)); + return(-1); + } else if(IsStreamIgnored(ruledata)) { + DEBUGOUT((D_SERVER | D_WARN), printf("ProcessFromClient: stream is ignored\n")); + return(-1); + } + + fileinfo = calloc(1, sizeof(FILEINFO)); + + // Set all counts and sizes to 0, all strings to empty, and pointers to NULL + // memset(fileinfo, '\0', sizeof(FILEINFO)); + + result = ParseClientRequest(sp->payload, sp->payload_size, &webentry); + DEBUGOUT((D_CLIENT | D_INFO), printf("return from ParseClientRequest() was %d\n", result)); + + if(result <= 0) { + free(fileinfo); + return(-1); + } + + // Copy URL and Host header out of webentry into fileinfo + snprintf(fileinfo->url, sizeof(fileinfo->url), "%s", webentry.url); + fileinfo->url[sizeof(fileinfo->url) - 1] = 0; + snprintf(fileinfo->hostname, sizeof(fileinfo->hostname), "%s", webentry.host); + fileinfo->hostname[sizeof(fileinfo->hostname) - 1] = 0; + + // Now store what we know about this request + fileinfo->saddr = sp->ip4_header->source; + fileinfo->daddr = sp->ip4_header->destination; + + // Add address info to webentry + webentry.src_ip.ip.ipv4 = sp->ip4_header->source; + webentry.src_ip.family = AF_INET; + webentry.dst_ip.ip.ipv4 = sp->ip4_header->destination; + webentry.dst_ip.family = AF_INET; + + // Now send our webentry as an Intel Nugget! 
+ if(rzb_collection.sendWebTrack(&webentry) == R_FAIL) {
+ printf("Failed to send web track info!\n");
+ // Not making this fatal error
+ }
+
+ DEBUGOUT((D_CLIENT | D_DEBUG), DumpFileInfo(fileinfo));
+
+ result = AddFileInfoListElem(ruledata, fileinfo);
+
+ DEBUGOUT((D_CLIENT | D_INFO), printf("return from StoreFileData() was %d\n", result));
+
+ if(result < 0) {
+ DEBUGOUT(D_CRITICAL, printf("AddFileInfoListElem failed!\n"));
+ free(fileinfo);
+ return(-1);
+ }
+
+ DEBUGOUT((D_CLIENT | D_WARN), DumpFileInfoList(ruledata));
+
+// _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH,
+// 1, 0, 3, DST_PORT_MATCH_STR, 0);
+
+ return(0);
+}
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h
--- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-client.h 2011-02-09 15:23:21.000000000 -0800
@@ -0,0 +1,13 @@
+#ifndef NRT_CLIENT_H
+#define NRT_CLIENT_H
+
+#include <rzb_collection_api.h>
+
+#include "sf_snort_packet.h"
+
+int ParseClientRequest(const u_int8_t *, u_int32_t, WEB_ENTRY*);
+int ProcessFromClient(SFSnortPacket *);
+int init_HTTP_PCREs(void);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c
--- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c 2011-10-26 11:28:52.000000000 -0700
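Review bot: `ProcessFromClient` registers `&free` as the stream cleanup callback in `set_application_data`, so when a session ends only the RULEDATA struct is released; the FILEINFO list it indexes through `fileinfolist[ruledata->streaminfoidx]` and the slot itself are left behind unless the server-side path has already drained them, and with only NUMSTREAMSTOTRACK slots a run of requests that never receive a response uses the tracker up permanently. `FreeNRTStreamData`, added in rzb_http-fileinfo.c in this same patch, frees the list and resets the index and already takes the `void *` the API expects: `_dpd.streamAPI->set_application_data(sp->stream_session_ptr, SAAC_HTTP, ruledata, &FreeNRTStreamData);`. The `calloc(1, sizeof(FILEINFO))` result is used without a check; add `if (!fileinfo) return(-1);` directly after it. `webentry` is a stack WEB_ENTRY whose url/host/cookie/user_agent fields come from ParseClientRequest and whose address fields are set here, but nothing zeroes the rest before `sendWebTrack(&webentry)`; if WEB_ENTRY has further members, `memset(&webentry, 0, sizeof(webentry));` before the parse keeps uninitialised stack bytes out of the collector. `sp->ip4_header` is dereferenced without a NULL check — confirm this path cannot be reached for non-IPv4 packets.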
@@ -0,0 +1,262 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif + +#include "sf_types.h" +#include <rzb_collection_api.h> +#include "rzb_http-client.h" +#include "rzb_debug.h" +#include "rzb_http-fileinfo.h" +#include "rzb_http-server.h" +#include "sf_ip.h" + +#include <stdio.h> +#include <stdlib.h> + +int numfileinfostructsinuse = 0; + +u_int32_t nextfreestreaminfoidx = 0; +struct FILEINFOLISTELEM *fileinfolist[NUMSTREAMSTOTRACK]; + +void DumpFileInfo(FILEINFO *fileinfo) { + + char srcaddr[INET_ADDRSTRLEN], dstaddr[INET_ADDRSTRLEN]; + + if(fileinfo == NULL) { + DEBUGOUT(D_CRITICAL, printf("DumpFileInfo fileinfo is NULL!\n")); + return; + } + + // snort typedefs inet_ntoa to sfip_ntoa. We use inetaddrs. wtf. + sfip_raw_ntop(AF_INET, &fileinfo->saddr, srcaddr, sizeof(srcaddr)); + sfip_raw_ntop(AF_INET, &fileinfo->daddr, dstaddr, sizeof(dstaddr)); + + printf("/--- fileinfo start ---\n"); + printf("| url: %s\n", fileinfo->url); + printf("| hostname: %s\n", fileinfo->hostname); + printf("| saddr: %s\n", srcaddr); + printf("| daddr: %s\n", dstaddr); + printf("| filesize: %d\n", fileinfo->filesize); + printf("| amountstored: %d\n", fileinfo->amountstored); + printf("| bufferindex: %d\n", fileinfo->bufferindex); + printf("| filedata = %p\n", fileinfo->filedata); + + if(fileinfo->filedata != NULL) { + DEBUGOUT((D_FILE | D_WARN), prettyprint(fileinfo->filedata, fileinfo->filesize)); +#ifndef DEBUG + prettyprint(fileinfo->filedata, (fileinfo->filesize > 256) ? 
256 : fileinfo->filesize); +#endif + } + + printf("\\--- fileinfo end ---\n"); +} + + +int DumpFileInfoList(RULEDATA *ruledata) { + struct FILEINFOLISTELEM *tmp; + + printf("DumpFileInfoList, index %d\n", ruledata->streaminfoidx); + if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { + printf("Invalid stream index!\n"); + return(-1); + } + + tmp = fileinfolist[ruledata->streaminfoidx]; + + if(tmp == NULL) { + printf("Head node is NULL!\n"); + return(-1); + } + + do { + DumpFileInfo(tmp->fileinfo); + } while((tmp = tmp->next)); + + return(1); +} + + +void FreeFileInfo(FILEINFO *fileinfo) { + if(fileinfo) { + if(fileinfo->filedata) { + //printf("Freeing file data 0x%08x\n", fileinfo->filedata); + free(fileinfo->filedata); + //fileinfo->filedata = NULL; + } + + free(fileinfo); + numfileinfostructsinuse--; + } + +// printf("FreeFileInfo numfileinfostructsinuse=%d\n", numfileinfostructsinuse); +} + +void FreeNRTStreamData(void *inptr) { + RULEDATA *ruledata = (RULEDATA *)inptr; + + printf("Freeing NRT stream data. Be afraid. 
Be very afraid.\n"); + + DEBUGOUT((D_CLIENT|D_SERVER|D_DEBUG), printf("FreeNRTStreamData enter\n")); + + if(!ruledata) { + DEBUGOUT((D_SERVER|D_CLIENT|D_DEBUG), printf(" inptr is NULL, exiting\n")); + return; + } + + FreeFileInfoList(ruledata); + + free(ruledata); +} + + +void FreeFileInfoList(RULEDATA *ruledata) { + + DEBUGOUT((D_CLIENT|D_SERVER|D_DEBUG), printf("FreeFileInfoList enter\n")); + + if(!ruledata) { + DEBUGOUT((D_SERVER|D_CLIENT|D_DEBUG), printf(" inptr is NULL, exiting\n")); + return; + } + + if(ruledata->streaminfoidx != INVALIDSTREAMIDX) { + while(fileinfolist[ruledata->streaminfoidx]) { + DEBUGOUT((D_DEBUG | D_SERVER), printf(" deleting %s\n", (fileinfolist[ruledata->streaminfoidx])->fileinfo->url)); + + DeleteFileInfoListHead(ruledata); + } + } + + ruledata->streaminfoidx = INVALIDSTREAMIDX; +} + +int AddFileInfoListElem(RULEDATA *ruledata, FILEINFO *fileinfo) { + struct FILEINFOLISTELEM *tmp, *addme; + + int i; + + DEBUGOUT((D_FILE | D_INFO), printf("AddFileInfoListElem enter\n")); + + if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { + if(nextfreestreaminfoidx == OUTOFSTREAMINFOSTORAGE) { + DEBUGOUT(D_CRITICAL, printf("out of stream storage!\n")); + return(-1); + } + + ruledata->streaminfoidx = nextfreestreaminfoidx; + DEBUGOUT((D_FILE | D_DEBUG), printf("Using next open slot, at index %d\n", nextfreestreaminfoidx)); + + // Now let's find the next open index + i = nextfreestreaminfoidx + 1; + while(i < NUMSTREAMSTOTRACK) { + if(fileinfolist[i] == NULL) + break; + else + i++; + } + + if(i == NUMSTREAMSTOTRACK) { + i = 0; + while(i < nextfreestreaminfoidx) { + if(fileinfolist[i] == NULL) + break; + else + i++; + } + } + + // Out of additional storage + if(i == ruledata->streaminfoidx) + { + printf("Out of streaminfo storage\n"); + nextfreestreaminfoidx = OUTOFSTREAMINFOSTORAGE; + }else + nextfreestreaminfoidx = i; + + DEBUGOUT((D_FILE | D_DEBUG), printf("nextfreestreaminfoidx = %d\n", nextfreestreaminfoidx)); + } + + DEBUGOUT((D_FILE | D_DEBUG), 
printf("adding fileinfo at index %d\n", ruledata->streaminfoidx)); + + addme = calloc(1, sizeof(*addme)); + + if(addme == NULL) { + DEBUGOUT(D_CRITICAL, printf("Unable to allocate fileinfolistelem!\n")); + return(-1); + } + + addme->fileinfo = fileinfo; + addme->next = '\0'; + + tmp = fileinfolist[ruledata->streaminfoidx]; + + if(tmp) { + while(tmp->next) { + tmp = tmp->next; + } + + tmp->next = addme; + } else { + fileinfolist[ruledata->streaminfoidx] = addme; + } + + numfileinfostructsinuse++; +// printf("AddFileInfoListElem numfileinfostructsinuse=%d\n", numfileinfostructsinuse); + + return(1); +} + + +FILEINFO *PopFileInfo(RULEDATA *ruledata) { + struct FILEINFOLISTELEM *tmp; + FILEINFO *fileinfo; + + DEBUGOUT((D_FILE | D_INFO), printf("PopFileInfo enter\n")); + + if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { + DEBUGOUT(D_CRITICAL, printf("PopFileInfo streaminfoidx is INVALIDSTREAMIDX!\n")); + return(NULL); + } + + tmp = fileinfolist[ruledata->streaminfoidx]; + + if(tmp == NULL) { + DEBUGOUT(D_CRITICAL, printf("PopFileInfo fileinfolist entry is NULL!\n")); + return(NULL); + } + + // Change the head + fileinfolist[ruledata->streaminfoidx] = tmp->next; + + // Grab the fileinfo and free the container + fileinfo = tmp->fileinfo; + free(tmp); + + DEBUGOUT((D_CLIENT | D_SERVER | D_INFO), printf("PopFileInfo freed fileinfo container at %p\n", tmp)); + + return(fileinfo); +} + + +int DeleteFileInfoListHead(RULEDATA *ruledata) { + FILEINFO *fileinfo; + + DEBUGOUT((D_FILE | D_INFO), printf("DeleteFileInfoListHead enter\n")); + + fileinfo = PopFileInfo(ruledata); + + DEBUGOUT((D_CLIENT | D_SERVER | D_INFO), printf("freeing fileinfo at %p\n", fileinfo)); + + if(fileinfo == NULL) + return(-1); + + FreeFileInfo(fileinfo); + + return(1); +} + + + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h 1969-12-31 
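Review bot: Once `AddFileInfoListElem` sets `nextfreestreaminfoidx` to OUTOFSTREAMINFOSTORAGE nothing resets it — `FreeFileInfoList` empties a slot and marks the RULEDATA index invalid but leaves the global sentinel alone — so after one burst of NUMSTREAMSTOTRACK concurrently tracked streams every later stream is refused at the early `return(-1)` even though slots have since been freed; the early return should rescan the table before giving up, as below. `addme->next = '\0';` assigns a character constant to a pointer; calloc already zeroed it, so write `NULL` or drop the line. The `%d` conversions applied to `streaminfoidx`, `filesize`, `amountstored` and `bufferindex` in DumpFileInfo and DumpFileInfoList are for signed ints while those fields are unsigned; `%u` matches their types. The counter `numfileinfostructsinuse` is incremented per list element but decremented only in `FreeFileInfo`, so a FILEINFO returned by `PopFileInfo` and not freed stays counted; a comment stating which invariant the counter tracks would help.
```c
    if(ruledata->streaminfoidx == INVALIDSTREAMIDX) {
        if(nextfreestreaminfoidx == OUTOFSTREAMINFOSTORAGE) {
            // Slots released since the table filled are never rediscovered otherwise; rescan before refusing.
            for(i = 0; i < NUMSTREAMSTOTRACK && fileinfolist[i] != NULL; i++)
                ;
            if(i == NUMSTREAMSTOTRACK) {
                DEBUGOUT(D_CRITICAL, printf("out of stream storage!\n"));
                return(-1);
            }
            nextfreestreaminfoidx = i;
        }
        // … unchanged: claim nextfreestreaminfoidx and search for the next open slot …
```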
16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h 2011-02-09 15:23:21.000000000 -0800
@@ -0,0 +1,47 @@
+#ifndef NRT_FILEINFO_H
+#define NRT_FILEINFO_H
+
+#include <rzb_collection_api.h>
+#include "rzb_http.h"
+
+enum filereadstatus { ERROR = -1, WAITINGFORRESPONSEHEADER = 1, SERVERRETURNNOT200, SKIPTONEXTRESPONSE, WAITINGFORDATA, IGNORESTREAM };
+
+typedef struct _RULEDATA {
+ u_int32_t sid;
+ u_int32_t streaminfoidx;
+ enum filereadstatus state;
+} RULEDATA;
+
+typedef struct _FILEINFO {
+ char url[URLLEN];
+ char hostname[HOSTNAMELEN];
+ struct in_addr saddr;
+ struct in_addr daddr;
+ unsigned int filesize;
+ unsigned int amountstored;
+ unsigned int bufferindex;
+ unsigned char *filedata;
+ unsigned char md5[16];
+ int alert;
+} FILEINFO;
+
+struct FILEINFOLISTELEM {
+ FILEINFO *fileinfo;
+ struct FILEINFOLISTELEM *next;
+};
+
+int AddFileInfoListElem(RULEDATA *, FILEINFO *);
+void DumpFileInfo(FILEINFO *);
+int DumpFileInfoList(RULEDATA *);
+void FreeFileInfo(FILEINFO *);
+
+int DeleteFileInfoListHead(RULEDATA *);
+FILEINFO *PopFileInfo(RULEDATA *);
+void FreeFileInfoList(RULEDATA *);
+void FreeNRTStreamData(void *);
+
+extern int numfileinfostructsinuse;
+
+extern struct FILEINFOLISTELEM *fileinfolist[NUMSTREAMSTOTRACK];
+#endif
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http.h
--- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http.h 2011-02-09 15:23:21.000000000 -0800
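Review bot: `enum filereadstatus` introduces the bare identifier `ERROR`, a name that platform headers commonly define as a macro (Windows' wingdi.h, for one) and that is easy to collide with in a header every translation unit of the preprocessor includes; a prefixed spelling such as `FRS_ERROR` avoids that. The header uses `u_int32_t` and `struct in_addr` but includes neither `<sys/types.h>` nor `<netinet/in.h>` itself — presumably rzb_collection_api.h pulls them in, which is worth confirming or making explicit so the header stands alone. A one-line comment on `fileinfolist` saying it is a global table of NUMSTREAMSTOTRACK per-stream FILEINFO lists indexed by `RULEDATA.streaminfoidx` would spare readers of rzb_http-client.c a trip through rzb_http-fileinfo.c.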
@@ -0,0 +1,15 @@ +#ifndef RZB_SAAC_H +#define RZB_SAAC_H + +#define SAAC_HTTP 6880 + +#define URLLEN 1000 +#define HOSTNAMELEN 256 +#define NUMSTREAMSTOTRACK 5000 + +#define NRTSID 0xa5a5a5a5 +#define INVALIDSTREAMIDX 0xFFFFFFFF +#define OUTOFSTREAMINFOSTORAGE 0xFFFFFFFF + +#endif // RZB_SAAC_H + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.c 2011-10-26 11:28:52.000000000 -0700 
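Review bot: `INVALIDSTREAMIDX` and `OUTOFSTREAMINFOSTORAGE` are both `0xFFFFFFFF`, so a function returning the latter is indistinguishable by value from an invalid index, and `NUMSTREAMSTOTRACK` (5000) is the fixed size of the `fileinfolist[]` array those indices address. If the aliasing is deliberate, say so next to the definitions, e.g. `/* intentionally equal to INVALIDSTREAMIDX: an allocation failure yields an index that IsStreamIgnored() rejects */`; if not, give the two constants distinct values so callers can log the conditions separately.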
@@ -0,0 +1,402 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif + +#include "sf_types.h" +#include <rzb_collection_api.h> +#include "rzb_http-client.h" +#include "rzb_http-server.h" +#include "rzb_debug.h" +#include "rzb_http-fileinfo.h" +#include "rzb_http.h" + +#include "sf_snort_plugin_api.h" +#include "sfPolicyUserData.h" + +#include <stdio.h> +#include <stdlib.h> +#include <pthread.h> +#include <limits.h> + +int SkipToEndOfHTTPHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data) { + const u_int8_t *cursor = *in_cursor; + + while(cursor < end_of_data) { + while(cursor < end_of_data && *cursor++ != '\n'); + + if(cursor[0] == '\r' && cursor[1] == '\n') { + cursor += 2; + *in_cursor = cursor; + return(1); + } else if(cursor[0] == '\n') { + cursor++; + *in_cursor = cursor; + return(1); + } + } + + return(-1); +} + + +enum filereadstatus ReadFileData(const u_int8_t **in_cursor, const u_int8_t *end_of_data, FILEINFO *fileinfo) { + const u_int8_t *cursor = *in_cursor; + + u_int32_t amounttoalloc; + u_int32_t bytesavailable; + + const u_int8_t *end_of_file; + u_int8_t *filedataptr; + + if(cursor >= end_of_data) + return(ERROR); + + // Make sure we have somewhere to store our data + if((fileinfo->filedata) == NULL) { + // ZDNOTE Need to limit the amount of memory that will be allocated at a time. This may involve some + // ZDNOTE changes to the FILEINFO struct. + // ZDNOTE amounttoalloc = (fileinfo->filesize < MAXFILEALLOCCHUNK) ? fileinfo->filesize : MAXFILEALLOCCHUNK; + if(fileinfo->filesize > 100000000 /*ULONG_MAX*/) { + // ZDNOTE this will also trip on files for which we don't have a Content-Length header + DEBUGOUT((D_FILE | D_DEBUG), printf("ReadFileData filesize is >100M! 
Bailing!\n")); + return(ERROR); + } + + amounttoalloc = fileinfo->filesize; + + fileinfo->filedata = calloc(amounttoalloc, 1); + + if((fileinfo->filedata) == NULL) { + printf("ReadFileData unable to allocate file contents buffer!\n"); + return(ERROR); + } + + fileinfo->amountstored = 0; + fileinfo->bufferindex = 0; + } + + end_of_file = cursor + (fileinfo->filesize - fileinfo->amountstored); + if(end_of_file > end_of_data) { + end_of_file = end_of_data; + } + + bytesavailable = end_of_file - cursor; + + // ZDNOTE Need to verify there is enough space left in the buffer before copy + + filedataptr = &((fileinfo->filedata)[fileinfo->bufferindex]); + + while(cursor < end_of_file) { + *filedataptr++ = *cursor++; + } + + *in_cursor = cursor; + fileinfo->amountstored += bytesavailable; + fileinfo->bufferindex += bytesavailable; // ZDNOTE again, check buffer size + + DEBUGOUT((D_FILE | D_DEBUG), printf("Saved %d bytes. (%d/%d total)\n", bytesavailable, fileinfo->amountstored, fileinfo->filesize)); + + if(fileinfo->amountstored == fileinfo->filesize) + return(WAITINGFORRESPONSEHEADER); + else if(fileinfo->amountstored < fileinfo->filesize) + return(WAITINGFORDATA); + else + return(ERROR); +} + + +int CallDetectionFunction(FILEINFO *fileinfo) { + + BLOCK_META_DATA *mdata = NULL; + const unsigned char *tmp; + + // Init the metadata structure + if((mdata = calloc(1, sizeof(*mdata))) == NULL) { + perror("Error allocating mdata\n"); + return -1; + } + + // Fill in the required fields + mdata->timestamp = (unsigned int)time(NULL); + mdata->data = fileinfo->filedata; + mdata->size = fileinfo->filesize; + mdata->src_ip.ip.ipv4 = fileinfo->saddr; + mdata->src_ip.family = AF_INET; + mdata->dst_ip.ip.ipv4 = fileinfo->daddr; + mdata->dst_ip.family = AF_INET; + mdata->ip_proto = 6; + mdata->src_port = 25; + mdata->dst_port = 8000; + tmp = rzb_collection.file_type_lookup(fileinfo->filedata, fileinfo->filesize); + uuid_copy(mdata->datatype, tmp); + +// DEBUGOUT((D_DETECT | D_INFO), 
printf("CallDetectionFunction enter\n")); + + // ZDNOTE Dunno what to do, so we're just going to... + printf("Calling detection function with following file information:\n"); + DumpFileInfo(fileinfo); + + rzb_collection.sendData(mdata); + + fileinfo->filedata = NULL; + fileinfo->filesize = 0; + + return(0); +} + + +enum filereadstatus ProcessServerHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data, FILEINFO *fileinfo) { + const u_int8_t *cursor = *in_cursor; + + if(cursor + 15 >= end_of_data) { + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not enough data!\n")); + return(ERROR); + } + + // Check for HTTP/1.[01] header + if( (strncasecmp((const char *)cursor, "http/1.", 7) != 0) || (cursor[7] != '0' && cursor[7] != '1')) + { + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not a valid HTTP version\n")); + return(ERROR); + } + + cursor += 8; + + while(cursor < end_of_data && *cursor == ' ') + cursor++; + + if(cursor + 6 >= end_of_data) { + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not enough data 2!\n")); + return(ERROR); + } + + if( memcmp(cursor, "200", 3) != 0) + { +// DEBUGOUT((D_FILE | D_DEBUG), printf("Unhandled response code: %c%c%c%c%c\n", cursor[-2], cursor[-1], cursor[0], cursor[1], cursor[2])); +// DEBUGOUT((D_SERVER | D_WARN), printf("ProcessServerHeader not 200 response (is %c%c%d)\n", *(cursor-3), *(cursor-2), *(cursor-1))); + DEBUGOUT((D_SERVER | D_WARN), printf("ProcessServerHeader not 200 response (is %c%c%d)\n", *cursor, *(cursor+1), *(cursor+2))); + *in_cursor = cursor; + return(SERVERRETURNNOT200); // ZDNOTE We really need to handle other codes to skip over data + } + + cursor += 3; + // ZDNOTE Don't know if it matters, but we're not caring about the response message + + // Now, we're going to see if we can find a Content-Length header. + // By definition, it has to be at the start of a line. 
So, we're just going + // To look for newlines and every time we find one, see if we're now looking + // at Content-Length: + while(cursor < end_of_data) { + while(cursor < end_of_data && *cursor++ != '\n'); // Find next newline + + // No Content-Length: header. + if(cursor + 16 >= end_of_data) { + DEBUGOUT((D_SERVER | D_EMERG), printf("No content-length header\n")); + //SkipToEndOfHTTPHeader(&cursor, end_of_data); + fileinfo->filesize = UINT_MAX; + break; //return(WAITINGFORDATA); // ZDNOTE bug if header spans packets. INHTTPHEADERS state?? + } + if( strncasecmp((const char *)cursor, "content-length:", 15) == 0 ) + { + cursor += 15; + if(cursor + 10 <= end_of_data) { + fileinfo->filesize = strtoul((char *)cursor, (char**)(&cursor), 10); // ignores preceeding whitespace + } + + DEBUGOUT((D_SERVER | D_DEBUG), printf("Found content-length. Filesize = %d\n", fileinfo->filesize)); + + SkipToEndOfHTTPHeader(&cursor, end_of_data); + break; + + } else if(cursor[0] == '\r' && cursor[1] == '\n') { + cursor += 2; + break; + } else if(cursor[0] == '\n') { + cursor++; + break; + } + } + + *in_cursor = cursor; + + return(WAITINGFORDATA); +} + + +int ProcessFromServer(SFSnortPacket *sp) { + RULEDATA *ruledata; + + int result; + + const u_int8_t *cursor = sp->payload; + const u_int8_t *end_of_data; + + FILEINFO *currentfile; + +// u_int32_t remaining_data = 0; + + DEBUGOUT((D_SERVER | D_INFO), printf("ProcessFromServer enter\n")); + DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->payload, sp->payload_size)); + + ruledata = _dpd.streamAPI->get_application_data(sp->stream_session_ptr, SAAC_HTTP); + + if(!ruledata) { + DEBUGOUT((D_SERVER | D_DEBUG), printf("ProcessFromServer: no rule data!\n")); + return(-1); + } else if(ruledata->sid != NRTSID) { + DEBUGOUT((D_SERVER | D_WARN), printf("Not our data! 
(sid %d/0x%08x)\n", ruledata->sid, ruledata->sid)); + return(-1); + } else if(IsStreamIgnored(ruledata)) { + DEBUGOUT((D_SERVER | D_WARN), printf("ProcessFromServer: stream is ignored\n")); + return(-1); + } + + + if(fileinfolist[ruledata->streaminfoidx] == NULL) { + printf("Craptacular, the fileinfolist is NULL, ruledata->streaminfoidx = %d\n", ruledata->streaminfoidx); + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer fileinfolist[ruledata->streaminfoidx] is NULL!\n")); + return(-1); + } + + currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; + + if(currentfile == NULL) { + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer head fileinfo is NULL!\n")); + return(-1); + } + + cursor = sp->payload; +// dataremaining = sp->dsize; + end_of_data = sp->payload + sp->payload_size; + + while(cursor < end_of_data && !IsStreamIgnored(ruledata)) { + switch(ruledata->state) { + case WAITINGFORRESPONSEHEADER: + // We're currently waiting for the server to answer our request + // ProcessServerHeader moves the cursor to the beginning of the response body + // ...unless the header bridges packets. This will be a bug. 
ZDNOTE + result = ProcessServerHeader(&cursor, end_of_data, currentfile); + + DEBUGOUT((D_SERVER | D_INFO), printf("return from ProcessServerResponse() was %d\n", result)); + DEBUGOUT((D_SERVER | D_WARN), DumpFileInfo(currentfile)); + + switch(result) { + case WAITINGFORDATA: + // Successfully processed header, now waiting for data + ruledata->state = WAITINGFORDATA; + break; + + case SERVERRETURNNOT200: + case IGNORESTREAM: + case ERROR: + default: + DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader() unhandled response code (%d)\n", result)); + IgnoreStream(ruledata); + //cursor = end_of_data; + break; + } + break; + + case WAITINGFORDATA: + result = ReadFileData(&cursor, end_of_data, currentfile); + + switch(result) { + case WAITINGFORDATA: + // Nothing's changed regarding state + break; + + case WAITINGFORRESPONSEHEADER: + + DEBUGOUT((D_DEBUG | D_SERVER), printf("WE HAVE A COMPLETE FILE! ruledata=%p, streaminfoidx=%d\n", ruledata, ruledata->streaminfoidx)); + DEBUGOUT((D_DEBUG | D_SERVER), DumpFileInfoList(ruledata)); + + // This means we got all of our data. Call the detection function. + CallDetectionFunction(currentfile); + + // Get the current file off of the stack + PopFileInfo(ruledata); + + // And grab the next file on the list + if(fileinfolist[ruledata->streaminfoidx]) + currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; + else + currentfile = NULL; // ZDNOTE hm.... + + IgnoreStream(ruledata); // POC1 for now we're ignoring pipelining + + //cursor = end_of_data; + //ruledata->state = IGNORESTREAM; + break; + + default: + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer Unhandled response from ReadFileData (%d)\n", result)); + IgnoreStream(ruledata); + //cursor = end_of_data; + break; + } + + break; + + case SKIPTONEXTRESPONSE: + // Read data, skipping until we find a server response. + // We can totally cheat if we know a content length. +// break; + + default: + DEBUGOUT(D_CRITICAL, printf("ProcessFromServer Unhandled ruledate state (%d). 
Bailing.\n", ruledata->state)); + IgnoreStream(ruledata); + //cursor = end_of_data; + break; + } + } + +// _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH, +// 1, 0, 3, DST_PORT_MATCH_STR, 0); + + if(IsStreamIgnored(ruledata)) + return(-1); + else + return(0); +} + + +// Partially debug / hackery, partially something we'll probably want to keep +void IgnoreStream(RULEDATA *ruledata) { + + if(ruledata == NULL) + return; + + DEBUGOUT((D_DEBUG | D_SERVER), printf("Clearing streaminfoidx %d (%p)\n", ruledata->streaminfoidx, ruledata)); + + // Set state to ignore and clear out the list + ruledata->state = IGNORESTREAM; + + FreeFileInfoList(ruledata); + +// if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { +// DEBUGOUT((D_DEBUG | D_SERVER), printf(" INVALIDSTREAMIDX, exiting\n")); +// return; +// } +// +// while(fileinfolist[ruledata->streaminfoidx]) { +// DEBUGOUT((D_DEBUG | D_SERVER), printf(" popping %s\n", (fileinfolist[ruledata->streaminfoidx])->fileinfo->url)); +// +// DeleteFileInfoListHead(ruledata); +//// printf("ZDNOTE MEMORY LEAK! Setting pointer to NULL.\n"); +//// fileinfolist[ruledata->streaminfoidx] = NULL; +// } +// +// ruledata->streaminfoidx = INVALIDSTREAMIDX; +} + +int IsStreamIgnored(RULEDATA *ruledata) { + if(ruledata == NULL || ruledata->state == IGNORESTREAM || ruledata->streaminfoidx == INVALIDSTREAMIDX) + return(1); + + return(0); +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_http-server.h 2011-02-09 15:23:21.000000000 -0800 
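Review bot: `SkipToEndOfHTTPHeader` and the Content-Length scan in `ProcessServerHeader` read past the end of the packet payload: the inner `while(cursor < end_of_data && *cursor++ != '\n');` can leave `cursor == end_of_data` before `cursor[0]`/`cursor[1]` are tested, and `strtoul((char *)cursor, ...)` runs on a buffer that is not NUL-terminated, so the `cursor + 10 <= end_of_data` guard does not bound how far it scans. Both are driven by server-supplied bytes, and the parsed value goes straight into `fileinfo->filesize`, which `ReadFileData` passes to `calloc` (up to 100000000 bytes per stream), so a Content-Length near that limit on many concurrent streams is a cheap memory-exhaustion vector; a preprocessor-wide cap on outstanding buffered bytes would be worth adding alongside the per-file one. The rewrite below checks the cursor before indexing and copies at most ten digits into a NUL-terminated local buffer before calling `strtoul`, falling back to `UINT_MAX` (the value the no-header path already uses) when no digits follow the field name. Separately, `PopFileInfo(ruledata);` in the WAITINGFORRESPONSEHEADER branch of `ProcessFromServer` discards the returned FILEINFO and `PopFileInfo` frees only the list container, so the completed entry leaks; `DeleteFileInfoListHead(ruledata);` frees both.
```c
int SkipToEndOfHTTPHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data) {
    const u_int8_t *cursor = *in_cursor;

    while(cursor < end_of_data) {
        while(cursor < end_of_data && *cursor++ != '\n');

        if(cursor >= end_of_data)
            break;                          /* ran off the payload without a terminator */

        if(cursor[0] == '\n') {
            cursor++;
            *in_cursor = cursor;
            return(1);
        } else if(cursor[0] == '\r' && cursor + 1 < end_of_data && cursor[1] == '\n') {
            cursor += 2;
            *in_cursor = cursor;
            return(1);
        }
    }

    return(-1);
}

/* … unchanged: ReadFileData, CallDetectionFunction, status-line checks in ProcessServerHeader … */

        if( strncasecmp((const char *)cursor, "content-length:", 15) == 0 )
        {
            char lenbuf[11];                /* up to 10 digits + NUL: bounded copy before strtoul */
            size_t n = 0;

            cursor += 15;
            while(cursor < end_of_data && (*cursor == ' ' || *cursor == '\t'))
                cursor++;
            while(cursor < end_of_data && n < sizeof(lenbuf) - 1 && *cursor >= '0' && *cursor <= '9')
                lenbuf[n++] = (char)*cursor++;
            lenbuf[n] = '\0';

            /* no digits: treat like a missing header so ReadFileData rejects it */
            fileinfo->filesize = (n > 0) ? (unsigned int)strtoul(lenbuf, NULL, 10) : UINT_MAX;

            /* … unchanged: debug output, SkipToEndOfHTTPHeader(&cursor, end_of_data), break … */
        }
```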
@@ -0,0 +1,19 @@ +#ifndef NRT_SERVER_H +#define NRT_SERVER_H + +#include <rzb_collection_api.h> +#include "rzb_http-fileinfo.h" + +#include "sf_snort_packet.h" + +int ProcessFromServer(SFSnortPacket *); +enum filereadstatus ProcessServerHeader(const u_int8_t **, const u_int8_t *, FILEINFO *); +enum filereadstatus ReadFileData(const u_int8_t **, const u_int8_t *, FILEINFO *); +int SkipToEndOfHTTPHeader(const u_int8_t **, const u_int8_t *); +int CallDetectionFunction(FILEINFO *); + +int IsStreamIgnored(RULEDATA *); +void IgnoreStream(RULEDATA *); + +#endif + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,219 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif + +#include "sf_types.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preprocessor.h" +#include "sfPolicyUserData.h" + +#include <errno.h> +#include <string.h> +#include <ctype.h> + +#include <uuid/uuid.h> + +#include <rzb_collection_api.h> +#include "rzb_smtp-collector.h" +#include "rzb_debug.h" + +#define SAAC_SMTP 6825 + +#ifndef RULE_MATCH + #define RULE_MATCH 1 +#endif + +#ifndef RULE_NOMATCH + #define RULE_NOMATCH -1 +#endif + +#define SMTPDUMPERID 2525 + +#define DISPLAY_DEMO_OUTPUT + +#define SMTPCAP_INITSIZE 30000 +#define SMTPCAP_MAXSIZE 15000000 + +typedef struct { + u_int32_t sid; + u_int32_t totalsize; + u_int32_t storedsize; + u_int8_t *clientdata; +} smtpcapture; + + +void smtpdumper_freedata(smtpcapture *sessiondata) { + + //printf("SMTPDUMP smtpdumper_freedata enter\n"); + + if(!sessiondata) { + //printf("SMTPDUMP sessiondata is NULL!\n"); + return; + } + + if(sessiondata->clientdata) { + free(sessiondata->clientdata); + } else { + //printf("SMTPDUMP sessiondata->clientdata is NULL!\n"); + } + + free(sessiondata); +} + +void smtpdumper_calldetection(void *dataptr) { + + BLOCK_META_DATA *mdata = NULL; + + smtpcapture *smtpcapturedata = (smtpcapture*)dataptr; + + //printf("SMTPDUMP smtpdumper_calldetection enter\n"); + + if(!dataptr) { + //printf("SMTPDUMP dataptr is NULL!\n"); + return; + } + + if(smtpcapturedata->clientdata) { + +// printf("SMTPDUMP Calling sendData() with the following data (%d bytes):\n\n", ((smtpcapture*)(dataptr))->storedsize); +#ifdef DISPLAY_DEMO_OUTPUT + prettyprint(smtpcapturedata->clientdata, smtpcapturedata->storedsize); + printf("\n\n"); +#endif + + mdata = calloc(1, sizeof(*mdata)); + if(mdata == NULL) return; + + // Fill in the required fields + mdata->timestamp = (unsigned int)time(NULL); + mdata->data = smtpcapturedata->clientdata; + mdata->size = 
smtpcapturedata->storedsize; +// mdata->src_ip = 0x01010101; +// mdata->dst_ip = 0x02020202; + mdata->ip_proto = 6; + mdata->src_port = 25; + mdata->dst_port = 8000; + + uuid_copy(mdata->datatype, MAIL_CAPTURE); + + rzb_collection.sendData(mdata); + + } else { + //printf("SMTPDUMP dataptr->clientdata is NULL!\n"); + } + + //printf("SMTPDUMP Freeing session data\n"); + // Data is freed by sendData; we just need to clear out the rest of the structure. + // We can accomplish this by setting clientdata to NULL so we don't do the doublefree + smtpcapturedata->clientdata = NULL; + smtpdumper_freedata(smtpcapturedata); + +} + + +/* detection functions */ +int smtpdumpereval(SFSnortPacket *sp) { + const u_int8_t *cursor_normal, *end_of_payload = 0; +// Packet *sp = (Packet *) p; + + smtpcapture *sessiondata = NULL; + u_int8_t *tmpdataptr; // For realloc()s + + u_int32_t incoming_data_size = 0; + + //printf("SMTPDUMP smtpdumpereval enter\n"); + + if(sp == NULL) + return RULE_NOMATCH; + + if(sp->payload == NULL) + return RULE_NOMATCH; + + sessiondata = _dpd.streamAPI->get_application_data(sp->stream_session_ptr, SAAC_SMTP); + + //printf("SMTPDUMP sessiondata = %p\n", sessiondata); + + if(sessiondata) { + if(sessiondata->sid != SMTPDUMPERID) { + printf("SMTPDUMP Someone else's data!\n"); + return RULE_NOMATCH; + } + + if(sessiondata->storedsize >= SMTPCAP_MAXSIZE) { + printf("SMTPDUMP Already have SMTPCAP_MAXSIZE(%d) bytes of data\n", SMTPCAP_MAXSIZE); + return RULE_NOMATCH; + } + } else { + + sessiondata = (smtpcapture*)calloc(1, sizeof(smtpcapture)); + + if(!sessiondata) { + printf("SMTPDUMP sessiondata malloc failed!\n"); + return RULE_NOMATCH; + } + + sessiondata->sid = SMTPDUMPERID; + sessiondata->clientdata = (u_int8_t*)malloc(SMTPCAP_INITSIZE); + + if(!sessiondata->clientdata) { + printf("SMTPDUMP sessiondata->clientdata malloc failed!\n"); + smtpdumper_freedata(sessiondata); + return RULE_NOMATCH; + } + + sessiondata->totalsize = SMTPCAP_INITSIZE; + 
sessiondata->storedsize = 0; + + //printf("SMTPDUMP storing rule data\n"); + + _dpd.streamAPI->set_application_data(sp->stream_session_ptr, SAAC_SMTP, sessiondata, &smtpdumper_calldetection); + //printf("SMTPDUMP stored rule data\n"); + } + + cursor_normal = sp->payload; + end_of_payload = sp->payload + sp->payload_size; + + incoming_data_size = sp->payload_size; //end_of_payload - cursor_normal; + + //printf("SMTPDUMP incoming_data_size = %d\n", incoming_data_size); + + // Check if we have enough room for the incoming data + if(incoming_data_size > (sessiondata->totalsize - sessiondata->storedsize)) { + // We've previously ensured we are not already overcapped on data + + //printf("SMTPDUMP reallocating to %d bytes\n", sessiondata->totalsize * 2); + + // Double our amount of storage + tmpdataptr = realloc(sessiondata->clientdata, sessiondata->totalsize * 2); + + if(!tmpdataptr) { + // If there is not enough available memory, realloc() returns a null pointer and sets errno to [ENOMEM]. + if(errno == ENOMEM) { + smtpdumper_freedata(sessiondata); + return(RULE_NOMATCH); + } else { + printf("SMTPDUMP realloc() failed but I dunno wtf\n"); + smtpdumper_freedata(sessiondata); + return(RULE_NOMATCH); + } + } + + sessiondata->clientdata = tmpdataptr; + sessiondata->totalsize *= 2; + + //printf("SMTPDUMP totalsize is now %d\n", sessiondata->totalsize); + } + + // We have enough room, so store the data + //printf("SMTPDUMP storing %d bytes at %p\n", incoming_data_size, &((sessiondata->clientdata)[sessiondata->storedsize])); + memcpy(&((sessiondata->clientdata)[sessiondata->storedsize]), cursor_normal, incoming_data_size); + sessiondata->storedsize += incoming_data_size; + //printf("SMTPDUMP stored size is now %d\n", sessiondata->storedsize); + + return RULE_NOMATCH; +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h --- 
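Review bot: The grow path in `smtpdumpereval` doubles `totalsize` exactly once, but the condition only established that `incoming_data_size` exceeds the free space, not that it fits in `2 * totalsize - storedsize`; a reassembled segment larger than the room left after one doubling (e.g. 30000-byte initial buffer, 29000 stored, 40000 incoming) makes the following `memcpy` write past the heap block. The grow step should loop until the segment fits and stop at `SMTPCAP_MAXSIZE`; note that the `storedsize >= SMTPCAP_MAXSIZE` pre-check also lets the final append overshoot the cap. On both realloc-failure branches `smtpdumper_freedata(sessiondata)` frees an object that is still registered with the stream through `set_application_data(..., &smtpdumper_calldetection)`, so the stream layer will later hand the freed pointer to that callback; since `clientdata` is still valid when `realloc` fails, the safer course is to leave the session data in place and just stop collecting (or detach it from the stream first, though the API for that is not visible here).
```c
    // Check if we have enough room for the incoming data
    if(incoming_data_size > (sessiondata->totalsize - sessiondata->storedsize)) {
        u_int32_t newsize = sessiondata->totalsize;

        // Grow until the whole segment fits, never beyond the hard cap
        while(newsize - sessiondata->storedsize < incoming_data_size) {
            if(newsize >= SMTPCAP_MAXSIZE) {
                printf("SMTPDUMP segment would exceed SMTPCAP_MAXSIZE(%d) bytes\n", SMTPCAP_MAXSIZE);
                return(RULE_NOMATCH);   // keep sessiondata: the stream still owns it
            }
            newsize = (newsize > SMTPCAP_MAXSIZE / 2) ? SMTPCAP_MAXSIZE : newsize * 2;
        }

        tmpdataptr = realloc(sessiondata->clientdata, newsize);

        if(!tmpdataptr) {
            // clientdata is still valid; do not free sessiondata here, the stream API
            // will pass this pointer to smtpdumper_calldetection when the session ends
            printf("SMTPDUMP realloc() to %u bytes failed\n", newsize);
            return(RULE_NOMATCH);
        }

        sessiondata->clientdata = tmpdataptr;
        sessiondata->totalsize = newsize;
    }

    /* … unchanged: memcpy of the segment and storedsize update … */
```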
snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h 2011-02-09 15:23:22.000000000 -0800 @@ -0,0 +1,9 @@ +#ifndef __RZB_SMTP_DUMP_H__ +#define __RZB_SMTP_DUMP_H__ + +#include "sf_snort_packet.h" + +int smtpdumpereval(SFSnortPacket *); + +#endif // __RZB_SMTP_DUMP_H__ + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c snort-2.9.2/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c --- snort-2.9.0.1/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,200 @@ +/* +** Copyright (C) 2005-2009 Sourcefire, Inc. +** Copyright (C) 1998-2005 Martin Roesch <roesch@sourcefire.com> +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, RZBston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +/* Snort Preprocessor Plugin Source File RZB */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif + +#include <sys/types.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> + +#include "sf_types.h" +#include "preprocids.h" +#include "sf_snort_packet.h" +#include "sf_dynamic_preproc_lib.h" +#include "sf_dynamic_preprocessor.h" +#include "snort_debug.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" +#include "sf_preproc_info.h" + +#define CONF_SEPARATORS " \t\n\r" +#define RZB_CONF "rzb_conf" + +#define PP_SAAC 6868 + +#include <rzb_collection_api.h> +#include "rzb_smtp-collector.h" +#include "rzb_http-server.h" +#include "rzb_http-client.h" + +#define RZB_COLLECT_DISP_GID 3535 +#define RZB_COLLECT_DISP_SID 3535 +#define RZB_COLLECT_DISP_MESG "Bad file found" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 0; +const int BUILD_VERSION = 1; +const char *PREPROC_NAME = "SF_RZB_SaaC_Preprocessor"; + +#define SetupRZB DYNAMIC_PREPROC_SETUP + +void 
* dlHandle = NULL; // For the API library + +static void RZBCleanExit(int, void *); +static void RZBProcess(void *, void *); + +/* list of function prototypes for this preprocessor */ +static void RZBInit(char *); + +#ifdef SNORT_RELOAD +static void RZBReload(char *); +static void * RZBReloadSwap(void); +static void RZBReloadSwapFree(void *); +#endif + +extern char *maxToken; + +void __attribute__((constructor)) detect_init() { + + printf("Razorback SaaC Initializing.\n"); + + init_HTTP_PCREs(); +} + +void __attribute__((destructor)) detect_fini() { + printf("Razorback SaaC shutting down\n"); +} + +static void RZBCleanExit(int signal, void *unused) { + rzb_collection.finiRZB(10); +} + +#ifdef SNORT_RELOAD +static void RZBReload(char *args) { + printf("Razorback SaaC RZBReload() not implemented\n"); +} + +static void * RZBReloadSwap(void) { + printf("Razorback SaaC RZBReloadSwap() not implemented\n"); + return NULL; +} + +static void RZBReloadSwapFree(void *data) { + printf("Razorback SaaC RZBReloadSwapFree() not implemented\n"); +} +#endif + + +void RZBProcess(void *p, void *context) +{ + SFSnortPacket *sp = (SFSnortPacket *)p; + + if(!sp->ip4_header || sp->ip4_header->proto != IPPROTO_TCP || !sp->tcp_header) + { + /* Not for me, return */ + return; + } + + // Only rebuilt packets from server + if (sp->src_port == 80 && !(sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0) + { + ProcessFromServer(sp); + return; + } + + // No rebuilt packets to server, and only packets with data + if(sp->dst_port == 80 && !(sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0) + { + ProcessFromClient(sp); + return; + } + + if(sp->dst_port == 25 && (sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0) + { + smtpdumpereval(sp); + return; + } + + return; +} + +static int functionsRegistered = 0; + +static void RZBInit(char *args) +{ + if ((args == NULL) || (strlen(args) == 0)) + { + DynamicPreprocessorFatalMessage("%s(%d) No arguments to RZB SaaC configuration.\n", 
*_dpd.config_file, *_dpd.config_line); + } + + if (!functionsRegistered) + { + char *pcToken; + + pcToken = strtok(args, CONF_SEPARATORS); + if (!pcToken) + { + DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it should not.\n", __FILE__, __LINE__); + } + if (strcmp(RZB_CONF, pcToken) == 0) + { + pcToken = strtok(NULL, CONF_SEPARATORS); + if (!pcToken) + { + DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it should not.\n", __FILE__, __LINE__); + } + rzb_collection.initRZB(pcToken); + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) Invalid arguments to RZB SaaC configuration.\n", *_dpd.config_file, *_dpd.config_line); + } + + _dpd.addPreprocExit(RZBCleanExit, NULL, PRIORITY_LAST, PP_SAAC); + _dpd.addPreproc(RZBProcess, PRIORITY_TUNNEL, PP_SAAC, PROTO_BIT__TCP); + functionsRegistered = 1; + } + else + { + DynamicPreprocessorFatalMessage("%s(%d) More than one RZB SaaC configuration.\n", *_dpd.config_file, *_dpd.config_line); + } +} + +void SetupRZB(void) +{ + /* link the preprocessor keyword to the init function in + the preproc list */ +#ifndef SNORT_RELOAD + _dpd.registerPreproc("rzb", RZBInit); +#else + _dpd.registerPreproc("rzb", RZBInit, RZBReload, RZBReloadSwap, RZBReloadSwapFree); +#endif +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/Makefile.am snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.am --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/Makefile.am 2010-06-09 15:05:14.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.am 2011-07-13 15:44:51.000000000 -0700 
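Review bot: The comment above the port-80 branch in `RZBProcess` says "Only rebuilt packets from server", but the condition `!(sp->flags & FLAG_REBUILT_STREAM)` selects the opposite — raw, non-reassembled segments — while the port-25 branch a few lines down requires `FLAG_REBUILT_STREAM`. Which one is intended matters: `ProcessServerHeader` expects the status line and the Content-Length header to arrive in a single buffer (its own ZDNOTE concedes the header-spans-packets case is a bug), and feeding it raw segments makes that case routine and lets a server that splits its response across segments slip past the collector. If raw segments are intended, fix the comment; if reassembled data is intended, drop the `!` so the branch reads `if (sp->src_port == 80 && (sp->flags & FLAG_REBUILT_STREAM) && sp->payload_size != 0)`. Ports 80 and 25 are also hard-coded here while `RZBInit` parses only `rzb_conf`, so a comment stating that non-default HTTP/SMTP ports are not inspected and are not configurable would save the next reader from assuming otherwise.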
@@ -1,21 +1,20 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_sdf_preproc.la libsf_sdf_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +if SO_WITH_STATIC_LIB +libsf_sdf_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_sdf_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_sdf_preproc_la_SOURCES = \ spp_sdf.c \ @@ -27,21 +26,11 @@ sdf_us_ssn.c \ sdf_us_ssn.h \ sdf_detection_option.c \ -sdf_detection_option.h \ -sf_preproc_info.h +sdf_detection_option.h EXTRA_DIST = \ sf_sdf.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/Makefile.in snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/Makefile.in 2011-12-07 11:23:20.000000000 -0800 
@@ -68,11 +68,13 @@ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_sdf_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_sdf_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_sdf_preproc_la_OBJECTS = spp_sdf.lo sdf_pattern_match.lo \ sdf_credit_card.lo sdf_us_ssn.lo sdf_detection_option.lo -nodist_libsf_sdf_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sdf_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_sdf_preproc_la_OBJECTS = $(am_libsf_sdf_preproc_la_OBJECTS) \ $(nodist_libsf_sdf_preproc_la_OBJECTS) libsf_sdf_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -105,7 +107,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -120,7 +124,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -156,13 +161,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ 
@@ -223,13 +234,10 @@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_sdf_preproc.la libsf_sdf_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_sdf_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +@SO_WITH_STATIC_LIB_TRUE@libsf_sdf_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sdf_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_sdf_preproc_la_SOURCES = \ spp_sdf.c \ @@ -241,14 +249,12 @@ sdf_us_ssn.c \ sdf_us_ssn.h \ sdf_detection_option.c \ -sdf_detection_option.h \ -sf_preproc_info.h +sdf_detection_option.h EXTRA_DIST = \ sf_sdf.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -331,6 +337,12 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -420,15 +432,13 @@ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -453,10 +463,9 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -523,11 +532,11 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ 
@@ -540,19 +549,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_credit_card.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.c --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_credit_card.c 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -18,6 +18,11 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "spp_sdf.h" #include "sdf_credit_card.h" #include <stdint.h> @@ -52,7 +57,7 @@ return 0; } -/* This function takes a string representation of a credit card number and +/* This function takes a string representation of a credit card number and * checks that it's a valid number. The number may contain spaces or dashes. * * Returns: 1 on match, 0 otherwise. 
@@ -94,7 +99,7 @@ else break; } - + cc_digits[digits++] = buf[j]; } cc_digits[digits] = '\0'; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_credit_card.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.h --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_credit_card.h 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_credit_card.h 2011-02-09 15:23:22.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_detection_option.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.c --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_detection_option.c 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -22,6 +22,11 @@ #include <string.h> #include <stdint.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "spp_sdf.h" #include "sdf_pattern_match.h" #include "sdf_detection_option.h" @@ -32,7 +37,6 @@ #include "sfPolicyUserData.h" #include "treenodes.h" -extern DynamicPreprocessorData _dpd; extern tSfPolicyUserContextId sdf_context_id; extern sdf_tree_node *head_node; extern uint32_t num_patterns; @@ -99,7 +103,7 @@ " 1 - 255: %s\n", args); } - sdf_data->count = (u_int8_t)tmpcount; + sdf_data->count = (uint8_t)tmpcount; /* Take everything after the comma as a pattern. */ token = endptr + 1; 
@@ -178,7 +182,7 @@ preproc_info->optionEval != (PreprocOptionEval) SDFOptionEval) { DynamicPreprocessorFatalMessage("%s(%d) Rules with SDF options cannot " - "have other detection options in the same rule.\n", + "have other detection options in the same rule.\n", *_dpd.config_file, *_dpd.config_line); } @@ -267,10 +271,10 @@ } } - /* Cleanup */ + /* Cleanup */ if (src_parray) free(src_parray); - if (dst_parray) + if (dst_parray) free(dst_parray); } @@ -297,7 +301,7 @@ } /* Stub function -- We're not evaluating SDF during rule-matching */ -int SDFOptionEval(void *p, const u_int8_t **cursor, void *data) +int SDFOptionEval(void *p, const uint8_t **cursor, void *data) { return RULE_NOMATCH; } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_detection_option.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.h --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_detection_option.h 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_detection_option.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -27,7 +27,7 @@ #include "spp_sdf.h" int SDFOptionInit(char *name, char *args, void **data); -int SDFOptionEval(void *p, const u_int8_t **cursor, void *data); +int SDFOptionEval(void *p, const uint8_t **cursor, void *data); int SDFOtnHandler(void *potn); /* Struct for SDF option data */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_pattern_match.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.c --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_pattern_match.c 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.c 2011-10-26 11:28:52.000000000 -0700 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -21,6 +21,11 @@ #include <stdlib.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "sdf_pattern_match.h" #include "treenodes.h" #include "sf_dynamic_preprocessor.h" @@ -134,7 +139,7 @@ /* By this point, the brackets all match up. */ if (num_brackets == 0) return; - + /* Allocate the new pii string. */ new_pii_size = (strlen(*pii) + total_reps - 2*num_brackets + 1); new_pii = (char *) calloc(new_pii_size, sizeof(char)); @@ -159,7 +164,7 @@ repeated_section[1] = pii_position[0]; pii_position++; } - + if (pii_position[0] == '{') { reps = strtoul(pii_position+1, &endptr, 10); @@ -195,7 +200,7 @@ * 0: pattern did not go in this subtree * 1: pattern was added in this subtree */ -int AddPiiPiece(sdf_tree_node *node, char *new_pattern, SDFOptionData *data) +int AddPiiPiece(sdf_tree_node *node, char *new_pattern, SDFOptionData *data) { /* Potential cases: 1) node->pattern and new_pattern overlap by some number of bytes, @@ -502,7 +507,7 @@ node_match ) { /* Match a byte at a time. */ - if ( *(node->pattern + pattern_index) == '\\' && + if ( *(node->pattern + pattern_index) == '\\' && *(node->pattern + pattern_index + 1) != '\0' ) { /* Escape sequence found */ @@ -516,7 +521,7 @@ case '?': node_match = (*(buf + *buf_index) == *(node->pattern + pattern_index)); break; - + /* \d : match digit */ case 'd': node_match = isdigit( (int)(*(buf + *buf_index)) ); 
@@ -606,7 +611,7 @@ node_contains_matches = 1; } } - + if (node_contains_matches) return node; } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_pattern_match.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.h --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_pattern_match.h 2010-08-25 13:22:44.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_pattern_match.h 2011-02-09 15:23:22.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_us_ssn.c snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.c --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_us_ssn.c 2010-04-06 07:05:48.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -18,6 +18,11 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "spp_sdf.h" #include "sdf_us_ssn.h" #include <stdio.h> @@ -99,7 +104,7 @@ 4. ODD numbers from 11 through 99 For this reason, the group check is not simple. */ - + int group_category = SSNGroupCategory(group); int max_group_category = SSNGroupCategory(max_group); @@ -110,7 +115,7 @@ return 1; if ((group_category == max_group_category) && (group <= max_group)) return 1; - + return 0; } @@ -184,7 +189,7 @@ free(contents); return -1; } - + token = strtok_r(NULL, " ,\n", &saveptr); } 
@@ -198,45 +203,45 @@ { int i; int default_max_group[MAX_AREA+1] = { 0, - 8, 8, 6, 11, 11, 11, 8, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, 92, 92, 90, 90, 90, 90, 90, 90, 74, 74, 72, 72, - 72, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 98, 98, 98, 98, 98, 98, 98, 98, - 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, - 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, - 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, - 98, 98, 98, 98, 98, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, - 96, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, - 21, 21, 21, 21, 21, 21, 86, 86, 86, 86, 86, 86, 86, 86, 84, 84, 84, 84, 84, - 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, - 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, - 84, 84, 85, 85, 85, 85, 85, 85, 85, 85, 85, 8, 8, 99, 99, 99, 99, 99, 99, - 99, 99, 99, 55, 55, 55, 55, 55, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, - 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, - 99, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, - 15, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 35, 35, - 35, 35, 35, 35, 35, 35, 33, 33, 33, 33, 33, 33, 33, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 6, 6, 6, 6, 6, 6, 6, 6, - 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 35, 35, 35, 35, 35, 35, 35, 35, - 35, 35, 35, 35, 35, 35, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 29, - 71, 71, 71, 71, 71, 71, 69, 69, 99, 99, 99, 99, 99, 99, 99, 99, 65, 65, 65, - 65, 65, 65, 65, 63, 63, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, - 99, 99, 27, 25, 25, 25, 25, 25, 25, 25, 25, 99, 99, 99, 99, 99, 99, 99, 99, - 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 55, 53, 53, 53, 53, 53, 53, 53, - 53, 53, 41, 41, 39, 39, 
39, 39, 39, 39, 27, 27, 27, 27, 27, 27, 27, 27, 27, - 27, 27, 27, 27, 27, 27, 35, 35, 43, 43, 55, 55, 55, 55, 31, 31, 31, 29, 29, - 29, 29, 47, 47, 83, 83, 59, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 67, 67, - 67, 67, 67, 67, 67, 67, 65, 79, 79, 79, 77, 77, 99, 99, 99, 99, 99, 99, 99, - 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, - 99, 99, 99, 57, 99, 99, 49, 49, 49, 39, 99, 99, 99, 99, 99, 65, 99, 5, 99, - 99, 99, 99, 99, 99, 99, 90, 88, 88, 88, 99, 99, 79, 79, 79, 79, 79, 77, 77, - 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 23, - 23, 23, 23, 23, 23, 23, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 13, - 11, 52, 52, 56, 56, 54, 54, 32, 32, 32, 32, 32, 20, 20, 20, 20, 18, 18, 18, - 44, 42, 42, 42, 42, 42, 42, 42, 42, 18, 18, 18, 16, 17, 20, 20, 20, 20, 18, - 18, 18, 18, 18, 18, 12, 12, 12, 12, 12, 12, 12, 12, 12, 18, 18, 18, 18, 18, - 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, - 28, 18, 18, 10, 14, 20, 18, 18, 18, 18, 14, 14, 5, 5, 5, 5, 10, 9, 9, + 8, 8, 6, 11, 11, 11, 8, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, + 92, 92, 92, 92, 92, 92, 92, 92, 92, 90, 90, 90, 90, 90, 90, 74, 74, 72, 72, + 72, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, 98, + 98, 98, 98, 98, 98, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, 96, + 96, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, + 21, 21, 21, 21, 21, 21, 86, 86, 86, 86, 86, 86, 86, 86, 84, 84, 84, 84, 84, + 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, + 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, + 84, 84, 85, 85, 85, 85, 85, 85, 85, 85, 85, 8, 8, 99, 99, 99, 99, 99, 99, + 99, 99, 
99, 55, 55, 55, 55, 55, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, + 15, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 35, 35, + 35, 35, 35, 35, 35, 35, 33, 33, 33, 33, 33, 33, 33, 8, 8, 8, 8, 8, 8, + 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, + 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 6, 6, 6, 6, 6, 6, 6, 6, + 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 37, 35, 35, 35, 35, 35, 35, 35, 35, + 35, 35, 35, 35, 35, 35, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 31, 29, + 71, 71, 71, 71, 71, 71, 69, 69, 99, 99, 99, 99, 99, 99, 99, 99, 65, 65, 65, + 65, 65, 65, 65, 63, 63, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 27, 25, 25, 25, 25, 25, 25, 25, 25, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 55, 53, 53, 53, 53, 53, 53, 53, + 53, 53, 41, 41, 39, 39, 39, 39, 39, 39, 27, 27, 27, 27, 27, 27, 27, 27, 27, + 27, 27, 27, 27, 27, 27, 35, 35, 43, 43, 55, 55, 55, 55, 31, 31, 31, 29, 29, + 29, 29, 47, 47, 83, 83, 59, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 67, 67, + 67, 67, 67, 67, 67, 67, 65, 79, 79, 79, 77, 77, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 57, 99, 99, 49, 49, 49, 39, 99, 99, 99, 99, 99, 65, 99, 5, 99, + 99, 99, 99, 99, 99, 99, 90, 88, 88, 88, 99, 99, 79, 79, 79, 79, 79, 77, 77, + 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 77, 23, + 23, 23, 23, 23, 23, 23, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 13, + 11, 52, 52, 56, 56, 54, 54, 32, 32, 32, 32, 32, 20, 20, 20, 20, 18, 18, 18, + 44, 42, 42, 42, 42, 42, 42, 42, 42, 18, 18, 18, 16, 17, 20, 20, 20, 20, 18, + 18, 18, 18, 18, 18, 12, 12, 12, 12, 12, 12, 12, 12, 12, 18, 18, 18, 18, 18, + 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18, + 28, 18, 18, 10, 14, 20, 
18, 18, 18, 18, 14, 14, 5, 5, 5, 5, 10, 9, 9, 9, 9, 9, 9, 9, 11, 8, 86, 86, 86, 86, 84, 84, 84 }; diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_us_ssn.h snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.h --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sdf_us_ssn.h 2010-01-22 15:59:33.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sdf_us_ssn.h 2011-02-09 15:23:22.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/sdf/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sf_preproc_info.h 2010-01-26 10:10:05.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,34 +0,0 @@
-/* Copyright (C) 2005-2010 Sourcefire, Inc.
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-*/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 1
-#define BUILD_VERSION 1
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_SDF (IPV6)"
-#else
-#define PREPROC_NAME "SF_SDF"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP SetupSDF
-extern void SetupSDF(void);
-
-#endif /* SF_PREPROC_INFO_H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/sf_sdf.dsp snort-2.9.2/src/dynamic-preprocessors/sdf/sf_sdf.dsp
--- snort-2.9.0.1/src/dynamic-preprocessors/sdf/sf_sdf.dsp 2010-08-25 13:22:44.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/sdf/sf_sdf.dsp 2011-11-21 12:15:24.000000000 -0800
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_sdf - Win32 Debug" 
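Review bot: `# ADD CPP /nologo /MD ...` together with `# PROP Use_MFC 2` and `/D "_AFXDLL"` moves this plugin DLL from the static CRT (`/MT`) to the DLL CRT plus MFC, which is only safe if snort.exe and every other preprocessor DLL loaded into the same process use the same CRT model, since memory allocated by one CRT and freed by another corrupts the heap. The Debug, IPv6 Debug and IPv6 Release hunks below make the identical switch (`/MDd`, `Use_MFC 2`), so presumably the change was made in lockstep across the solution; worth confirming against the main snort project and recording the new runtime redistributable requirement in the Windows build notes. Reducing the link line to `ws2_32.lib` looks intentional and presumably relies on the default libraries the MFC/CRT DLL configuration brings in.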
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_sdf - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_sdf___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib 
uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_sdf - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_sdf___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# 
ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/spp_sdf.c snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.c --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/spp_sdf.c 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -32,13 +32,14 @@ #include <strings.h> #endif +#include "sf_types.h" /* #include "snort.h" #include "parser.h" #include "util.h" #include "plugbase.h" */ -#include "debug.h" +#include "snort_debug.h" #include "stream_api.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" @@ -53,11 +54,21 @@ #include "profiler.h" #include "spp_sdf.h" +#include "sf_preproc_info.h" #include "sdf_us_ssn.h" #include "sdf_detection_option.h" #include "sdf_pattern_match.h" -extern DynamicPreprocessorData _dpd; +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 1; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SDF (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SDF"; +#endif + +#define SetupSDF DYNAMIC_PREPROC_SETUP /* PROTOTYPES */ static void SDFInit(char *args); @@ -110,7 +121,7 @@ #ifndef SNORT_RELOAD _dpd.registerPreproc("sensitive_data", SDFInit); #else - _dpd.registerPreproc("sensitive_data", SDFInit, SDFReload, SDFReloadSwap, + _dpd.registerPreproc("sensitive_data", SDFInit, SDFReload, SDFReloadSwap, SDFReloadSwapFree); #endif } @@ -338,7 +349,7 @@ if (session->counters[found_pattern->counter_index] == found_pattern->count) { - + /* Raise the alert for this particular pattern */ _dpd.alertAdd(GENERATOR_SPP_SDF_RULES, found_pattern->otn->sigInfo.id, 
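Review bot: `const char *PREPROC_NAME = "SF_SDF";` (and its SUP_IP6 variant) in the -53 hunk declares a writable pointer to const data, unlike the sibling `const int MAJOR_VERSION` definitions which are fully read-only; `const char * const PREPROC_NAME = "SF_SDF";` keeps the exported symbol itself in read-only storage so the loader cannot observe a rewritten name. These globals replace the `#define`s from the deleted sf_preproc_info.h further down this page, and `#define SetupSDF DYNAMIC_PREPROC_SETUP` inverts the old mapping, so the exported entry-point name now comes from the new `sf_preproc_info.h` included just above. A one-line comment at the define would save the next reader that detour, e.g. `/* The exported setup symbol name is defined by sf_preproc_info.h */`.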
@@ -397,7 +408,7 @@ SFSnortPacket *packet = (SFSnortPacket *)p; SDFSessionData *session; char *begin, *end; - u_int16_t buflen; + uint16_t buflen; PROFILE_VARS; /* Check if we should be working on this packet */ @@ -442,8 +453,18 @@ PREPROC_PROFILE_START(sdfPerfStats); - /* If HTTP Inspect left decoded buffers for us, we'll search those. */ - if (packet->num_uris > 0) + /* Inspect HTTP Body or Email attachments. */ + if (_dpd.fileDataBuf->len > 0) + { + begin = (char *) _dpd.fileDataBuf->data; + buflen = _dpd.fileDataBuf->len; + end = begin + buflen; + + SDFSearch(config, packet, session, begin, end, buflen); + } + + /* If this packet is HTTP, inspect the URI and Client Body while ignoring headers. */ + if (packet->flags & FLAG_HTTP_DECODE) { if (_dpd.uriBuffers[HTTP_BUFFER_URI]->uriLength > 0) { @@ -464,6 +485,8 @@ } else { + /* Only inspect raw packet payload on non-HTTP. This is done so that + when server_flow_depth == -1, we don't inspect anyway. */ begin = (char *)packet->payload; buflen = packet->payload_size; end = begin + buflen; @@ -513,7 +536,7 @@ /* Copy args so that we can break them up wtih strtok */ argcpy = strdup(args); if (argcpy == NULL) - DynamicPreprocessorFatalMessage("Could not allocate memory to parse " + DynamicPreprocessorFatalMessage("Could not allocate memory to parse " "SDF options.\n"); cur_tokenp = strtok(argcpy, " "); @@ -525,7 +548,7 @@ if (!strcmp(cur_tokenp, SDF_THRESHOLD_KEYWORD)) { char *endptr; - + cur_tokenp = strtok(NULL, " "); if (cur_tokenp == NULL) { @@ -611,7 +634,7 @@ { SDFConfig *config = NULL; tSfPolicyId policy_id = _dpd.getParserPolicy(); - + /* Check for an existing configuration in this policy */ sfPolicyUserPolicySet(context, policy_id); @@ -708,7 +731,7 @@ swap_head_node = (sdf_tree_node *)calloc(1, sizeof(sdf_tree_node)); if (!swap_head_node) DynamicPreprocessorFatalMessage("Failed to allocate memory for SDF " - "configuration.\n"); + "configuration.\n"); } config = NewSDFConfig(sdf_swap_context_id); 
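Review bot: `buflen = _dpd.fileDataBuf->len;` in the -442 hunk stores the file-data length in `buflen`, which the -397 hunk on this same line declares as `uint16_t`; the type of `fileDataBuf->len` is not visible here, and if it is wider than 16 bits the assignment silently truncates, so `end` and `buflen` would cover only the low 16 bits of a large body or attachment and the remainder would never reach `SDFSearch`. Either declare `buflen` with the buffer's own length type or explicitly reject/clamp oversized lengths before computing `end`. The raw-payload branch in the -464 hunk (`buflen = packet->payload_size;`) has the same shape and is safe only if `payload_size` is itself 16-bit. `_dpd.fileDataBuf` is dereferenced without a NULL check, consistent with how `_dpd.uriBuffers[...]` is used a few lines below, so presumably the API guarantees both are populated. The enclosing function starts and ends outside the hunk.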
@@ -758,9 +781,9 @@ * * w - short words of data * blen - byte length -* +* */ -static INLINE unsigned short in_chksum_ip( unsigned short * w, int blen ) +static inline unsigned short in_chksum_ip( unsigned short * w, int blen ) { unsigned int cksum; @@ -801,9 +824,9 @@ if (config == NULL || session == NULL || real_packet == NULL) return; - _dpd.encodeFormat(ENC_DYN_FWD|ENC_DYN_NET, real_packet, config->pseudo_packet); + _dpd.encodeFormat(ENC_DYN_FWD|ENC_DYN_NET, real_packet, config->pseudo_packet, PSEUDO_PKT_SDF); - if ( IS_IP4(real_packet) ) + if ( IS_IP4(real_packet) ) { ((IPV4Header *)p->ip4_header)->proto = IPPROTO_SDF; #ifdef SUP_IP6 @@ -826,14 +849,14 @@ #ifdef SUP_IP6 if (real_packet->family == AF_INET) - { + { p->ip4h->ip_len = p->ip4_header->data_length; - } - else - { + } + else + { IP6RawHdr* ip6h = (IP6RawHdr*)p->raw_ip6_header; if ( ip6h ) p->ip6h->len = ip6h->payload_len; - } + } #endif } @@ -866,14 +889,14 @@ { /* Print line */ char *sigmessage = option_data->otn->sigInfo.message; - uint8_t *dest = (u_int8_t*)p->payload + *dlen; + uint8_t *dest = (uint8_t*)p->payload + *dlen; size_t siglen = strlen(sigmessage); uint16_t space_left = p->max_payload - *dlen; if (space_left < siglen + SDF_ALERT_LENGTH) return; - *dlen += (siglen + SDF_ALERT_LENGTH); + *dlen += (siglen + SDF_ALERT_LENGTH); snprintf((char *)dest, space_left, "%s: %3d", sigmessage, counter); } } diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sdf/spp_sdf.h snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.h --- snort-2.9.0.1/src/dynamic-preprocessors/sdf/spp_sdf.h 2010-08-25 13:22:45.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/sdf/spp_sdf.h 2011-02-09 15:23:23.000000000 -0800 
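Review bot: In the -866 hunk `*dlen += (siglen + SDF_ALERT_LENGTH);` advances the payload cursor by a fixed amount, while the following `snprintf((char *)dest, space_left, "%s: %3d", sigmessage, counter)` writes a length that grows with `counter`; `%3d` is a minimum width, so a counter above 999 writes more bytes than the cursor advances and the next message overwrites the tail of this one. The write stays bounded by `space_left`, so this is alert-text corruption rather than an overrun, but advancing by the actual result is more robust: `int n = snprintf((char *)dest, space_left, "%s: %3d", sigmessage, counter); if (n > 0) *dlen += (n < space_left) ? n : space_left - 1;`. Whether `SDF_ALERT_LENGTH` is meant to include the terminating NUL is not visible here, so the clamp above should be checked against that definition. The enclosing function starts outside the hunk.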
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2009-2010 Sourcefire, Inc. +** Copyright (C) 2009-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp snort-2.9.2/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp
--- snort-2.9.0.1/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp 2010-06-09 15:05:14.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp 2011-10-26 11:28:52.000000000 -0700
@@ -91,13 +91,13 @@ # Name "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Source File -SOURCE=..\..\sfutil\bitop.h +SOURCE="..\..\dynamic-plugins\attribute_table_api.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -108,8 +108,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -120,8 +120,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -132,8 +132,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\bitop.h -InputName=bitop +InputPath="..\..\dynamic-plugins\attribute_table_api.h" +InputName=attribute_table_api "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -146,13 +146,13 @@ # End Source File # Begin Source File -SOURCE=..\..\bounds.h +SOURCE=..\..\sfutil\bitop.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -163,8 +163,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -175,8 +175,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -187,8 +187,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\bounds.h -InputName=bounds +InputPath=..\..\sfutil\bitop.h +InputName=bitop "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -256,82 +256,54 @@ # End Source File # Begin Source File -SOURCE=..\..\debug.h +SOURCE=..\..\event.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; 
_dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\event.h +InputName=event "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) - -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + # End Custom Build !ENDIF @@ -339,13 +311,13 @@ # End Source File # Begin Source File -SOURCE=..\..\event.h +SOURCE=..\..\idle_processing.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\event.h -InputName=event +InputPath=..\..\idle_processing.h +InputName=idle_processing "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -356,8 +328,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\event.h -InputName=event +InputPath=..\..\idle_processing.h +InputName=idle_processing "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -368,8 +340,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\event.h -InputName=event +InputPath=..\..\idle_processing.h +InputName=idle_processing "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -380,8 +352,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\event.h -InputName=event +InputPath=..\..\idle_processing.h +InputName=idle_processing "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -515,7 +487,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -534,7 +506,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -553,7 +525,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -572,7 +544,7 @@ BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../include/$(InputName).h.new > ../include/$(InputName).h \ "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -1111,6 +1083,116 @@ # End Source File # Begin Source File +SOURCE=..\..\sfutil\segment_mem.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.c +InputName=segment_mem + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\segment_mem.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build 
+InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\segment_mem.h +InputName=segment_mem + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + SOURCE=..\..\sfutil\sf_base64decode.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" 
@@ -1634,54 +1716,82 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sf_ip.c +SOURCE=..\..\sfutil\sf_email_attach_decode.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip 
+InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.c +InputName=sf_email_attach_decode -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/SnortStrnStr/_dpd.SnortStrnStr/" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).c.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF 
@@ -1689,13 +1799,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sf_ip.h +SOURCE=..\..\sfutil\sf_email_attach_decode.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -1706,8 +1816,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -1718,8 +1828,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -1730,8 +1840,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sfutil\sf_email_attach_decode.h +InputName=sf_email_attach_decode "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -1744,18 +1854,183 @@ # End Source File # Begin Source File -SOURCE=..\..\sf_sdlist.c +SOURCE=..\..\sfutil\sf_ip.c !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sf_sdlist.c -InputName=sf_sdlist +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).c.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sf_ip.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) 
..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_protocols.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_protocols.h +InputName=sf_protocols + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" 
"$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sf_sdlist.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist.c +InputName=sf_sdlist + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).c.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).c.new > ../include/$(InputName).c \ "..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -1910,6 +2185,89 @@ # End Source File # Begin Source File +SOURCE=..\..\sf_sdlist_types.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e 
"s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sf_sdlist_types.h +InputName=sf_sdlist_types + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" -e "s/ErrorMessage/_dpd.errMsg/" -e "s/LogMessage /_dpd.logMsg /" -e "/util.h/d" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" @@ -2075,13 +2433,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfhashfcn.h +SOURCE=..\..\control\sfcontrol.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -2092,8 +2450,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -2104,8 +2462,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -2116,8 +2474,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfhashfcn.h -InputName=sfhashfcn +InputPath=..\..\control\sfcontrol.h +InputName=sfcontrol "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include
@@ -2130,22 +2488,77 @@ # End Source File # Begin Source File -SOURCE="..\..\sfutil\sfPolicy.h" +SOURCE=..\..\sfutil\sfhashfcn.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\sfutil\sfPolicy.h" -InputName=sfPolicy - -BuildCmds= \ - mkdir ..\include \ - copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ - +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfhashfcn.h +InputName=sfhashfcn + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\sfutil\sfPolicy.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\sfutil\sfPolicy.h" +InputName=sfPolicy + +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + 
c:\cygwin\bin\sed -e "/SharedObjectAddStarts/d" -e "/SharedObjectAddEnds/d" -e "/SharedObjectDeleteBegins/,/SharedObjectDeleteEnds/d" -e "s/getDefaultPolicy()/_dpd.getDefaultPolicy()/" ../include/$(InputName).h.new > ../include/$(InputName).h \ + + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) "..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) 
@@ -2599,6 +3012,226 @@ # End Source File # Begin Source File +SOURCE=..\..\sfutil\sfrt_flat.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.c +InputName=sfrt_flat + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build 
+InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat.h +InputName=sfrt_flat + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat_dir.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.c +InputName=sfrt_flat_dir + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfrt_flat_dir.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + 
+"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfrt_flat_dir.h +InputName=sfrt_flat_dir + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + SOURCE=..\..\sfutil\sfrt_trie.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" 
@@ -2695,10 +3328,120 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" -InputName=sfsnort_dynamic_detection_lib +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.c" +InputName=sfsnort_dynamic_detection_lib + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +InputName=sfsnort_dynamic_detection_lib + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir 
..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sfxhash.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sfxhash.h +InputName=sfxhash -"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include copy $(InputPath) ..\include 
@@ -2709,54 +3452,82 @@ # End Source File # Begin Source File -SOURCE="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" +SOURCE=..\..\signature.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir 
..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath="..\..\dynamic-plugins\sf_engine\examples\sfsnort_dynamic_detection_lib.h" -InputName=sfsnort_dynamic_detection_lib +InputPath=..\..\signature.h +InputName=signature -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - mkdir ..\include - copy $(InputPath) ..\include +BuildCmds= \ + mkdir ..\include \ + copy $(InputPath) ..\include\$(InputName).h.new \ + c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF @@ -2764,13 +3535,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sfxhash.h +SOURCE=..\..\snort_bounds.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -2781,8 +3552,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -2793,8 +3564,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include @@ -2805,8 +3576,8 @@ !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sfxhash.h -InputName=sfxhash +InputPath=..\..\snort_bounds.h +InputName=snort_bounds "..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" mkdir ..\include 
@@ -2819,81 +3590,81 @@ # End Source File # Begin Source File -SOURCE=..\..\signature.h +SOURCE=..\..\snort_debug.h !IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\signature.h -InputName=signature +InputPath=..\..\snort_debug.h +InputName=snort_debug BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\signature.h -InputName=signature +InputPath=..\..\snort_debug.h +InputName=snort_debug BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
$(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\signature.h -InputName=signature +InputPath=..\..\snort_debug.h +InputName=snort_debug BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\signature.h -InputName=signature +InputPath=..\..\snort_debug.h +InputName=snort_debug BuildCmds= \ mkdir ..\include \ copy $(InputPath) ..\include\$(InputName).h.new \ - c:\cygwin\bin\sed -f ..\treenodes.sed ../include/$(InputName).h.new > ../include/$(InputName).h \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_dpd.debugMsgFile = /" -e "s/DebugMessageLine = /*_dpd.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _dpd.debugMsg/" -e "s/; DebugWideMessageFunc$/; _dpd.debugWideMsg/" ../include/$(InputName).h.new > ../include/$(InputName).h \ -"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) -"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\include\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" $(BuildCmds) # End Custom Build 
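Review bot: The new snort_debug.h `BuildCmds` rewrites the copied header with four inline sed expressions that depend on the exact text of snort_debug.h (`DebugMessageFile = `, `; DebugMessageFunc` at end of line, and so on); if that header is ever reformatted, the substitution silently matches nothing and the copied header presumably still names the core-Snort symbols instead of the `_dpd` ones, with no build-step error to point at. Two of the expressions also end their pattern with a bare `$` anchor, and the old signature.h rule sidestepped this class of problem by keeping its script in `..\treenodes.sed`; it is worth confirming that a lone `$` survives the IDE's `$(...)` macro expansion, and moving these expressions into a sibling `.sed` file would avoid the question entirely. At minimum I would add `# NOTE: patterns below must match snort_debug.h literally; a non-match is a silent no-op` above the first `BuildCmds=` in this hunk.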
@@ -3204,5 +3975,170 @@ !ENDIF # End Source File +# Begin Source File + +SOURCE=..\..\sfutil\Unified2_common.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\Unified2_common.h +InputName=Unified2_common + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\util_unfold.c + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - 
Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.c +InputName=util_unfold + +"..\include\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\util_unfold.h + +!IF "$(CFG)" == "sf_dynamic_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_dynamic_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\util_unfold.h +InputName=util_unfold + +"..\include\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + mkdir ..\include + copy $(InputPath) ..\include + +# End Custom Build + +!ENDIF + +# End Source File # End Target # End Project diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/Makefile.am snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.am --- 
snort-2.9.0.1/src/dynamic-preprocessors/sip/Makefile.am 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.am 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,39 @@
+## $Id
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes
+
+libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
+
+lib_LTLIBRARIES = libsf_sip_preproc.la
+
+libsf_sip_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
+if SO_WITH_STATIC_LIB
+libsf_sip_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
+else
+nodist_libsf_sip_preproc_la_SOURCES = \
+../include/sf_dynamic_preproc_lib.c \
+../include/sf_ip.c \
+../include/sfPolicyUserData.c
+endif
+
+libsf_sip_preproc_la_SOURCES = \
+spp_sip.c \
+spp_sip.h \
+sip_config.c \
+sip_config.h \
+sip_parser.c \
+sip_parser.h \
+sip_dialog.c \
+sip_dialog.h \
+sip_roptions.c \
+sip_roptions.h \
+sip_utils.c \
+sip_utils.h \
+sip_debug.h
+
+EXTRA_DIST = \
+sf_sip.dsp
+
+all-local: $(LTLIBRARIES)
+ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/Makefile.in snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.in
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/Makefile.in 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/Makefile.in 2011-12-07 11:23:20.000000000 -0800
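Review bot: The `all-local` recipe in the new Makefile.am passes `DESTDIR=`pwd`/../build` unquoted, so a build tree whose path contains a space splits the argument and the install step either fails or installs somewhere unexpected; `$(MAKE) DESTDIR="`pwd`/../build" install-libLTLIBRARIES` closes that. This mirrors the other dynamic-preprocessor Makefile.am files, so it may be a project-wide pattern rather than something specific to sip, but a new file is the cheapest place to fix it. As a point of style, the `INCLUDES` line mixes `${srcdir}` and `$(srcdir)` on the same line; picking one form reads more consistently.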
@@ -0,0 +1,564 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/dynamic-preprocessors/sip +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 
+am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +@SO_WITH_STATIC_LIB_TRUE@libsf_sip_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la +am_libsf_sip_preproc_la_OBJECTS = spp_sip.lo sip_config.lo \ + sip_parser.lo sip_dialog.lo sip_roptions.lo sip_utils.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sip_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo sf_ip.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo +libsf_sip_preproc_la_OBJECTS = $(am_libsf_sip_preproc_la_OBJECTS) \ + $(nodist_libsf_sip_preproc_la_OBJECTS) +libsf_sip_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libsf_sip_preproc_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsf_sip_preproc_la_SOURCES) \ + $(nodist_libsf_sip_preproc_la_SOURCES) +DIST_SOURCES = $(libsf_sip_preproc_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs -I$(srcdir)/includes +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = 
@RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ +VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign no-dependencies +lib_LTLIBRARIES = libsf_sip_preproc.la +libsf_sip_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ 
+@SO_WITH_STATIC_LIB_TRUE@libsf_sip_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_sip_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_ip.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c + +libsf_sip_preproc_la_SOURCES = \ +spp_sip.c \ +spp_sip.h \ +sip_config.c \ +sip_config.h \ +sip_parser.c \ +sip_parser.h \ +sip_dialog.c \ +sip_dialog.h \ +sip_roptions.c \ +sip_roptions.h \ +sip_utils.c \ +sip_utils.h \ +sip_debug.h + +EXTRA_DIST = \ +sf_sip.dsp + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dynamic-preprocessors/sip/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/dynamic-preprocessors/sip/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libsf_sip_preproc.la: $(libsf_sip_preproc_la_OBJECTS) $(libsf_sip_preproc_la_DEPENDENCIES) + $(libsf_sip_preproc_la_LINK) -rpath $(libdir) $(libsf_sip_preproc_la_OBJECTS) $(libsf_sip_preproc_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sf_ip.lo: ../include/sf_ip.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_ip.lo `test -f '../include/sf_ip.c' || echo '$(srcdir)/'`../include/sf_ip.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + 
unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) all-local +installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-libLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-libLTLIBRARIES + + +all-local: $(LTLIBRARIES) + $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sf_sip.dsp snort-2.9.2/src/dynamic-preprocessors/sip/sf_sip.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/sip/sf_sip.dsp 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sf_sip.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,247 @@ +# Microsoft Developer Studio Project File - Name="sf_sip" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=sf_sip - Win32 IPv6 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "sf_sip.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "sf_sip.mak" CFG="sf_sip - Win32 IPv6 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "sf_sip - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sip - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sip - Win32 IPv6 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "sf_sip - Win32 IPv6 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "sf_sip - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D 
"_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ELSEIF "$(CFG)" == "sf_sip - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 
/d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_sip - Win32 IPv6 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "sf_sip___Win32_IPv6_Debug" +# PROP BASE Intermediate_Dir "sf_sip___Win32_IPv6_Debug" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "IPv6_Debug" +# PROP Intermediate_Dir "IPv6_Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ELSEIF "$(CFG)" == "sf_sip - Win32 IPv6 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "sf_sip___Win32_IPv6_Release" +# PROP BASE Intermediate_Dir "sf_sip___Win32_IPv6_Release" +# PROP BASE Ignore_Export_Lib 0 +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "IPv6_Release" +# PROP Intermediate_Dir "IPv6_Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c +# SUBTRACT BASE CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll 
/machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 + +!ENDIF + +# Begin Target + +# Name "sf_sip - Win32 Release" +# Name "sf_sip - Win32 Debug" +# Name "sf_sip - Win32 IPv6 Debug" +# Name "sf_sip - Win32 IPv6 Release" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=..\include\inet_aton.c +# End Source File +# Begin Source File + +SOURCE=..\include\inet_pton.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_dynamic_preproc_lib.c +# End Source File +# Begin Source File + +SOURCE=..\include\sf_ip.c +# End Source File +# Begin Source File + +SOURCE=..\include\sfPolicyUserData.c +# End Source File +# Begin Source File + +SOURCE=.\sip_config.c +# End Source File +# Begin Source File + +SOURCE=.\sip_dialog.c +# End Source File +# Begin Source File + +SOURCE=.\sip_parser.c +# End Source File +# Begin Source File + +SOURCE=.\sip_roptions.c +# End Source File +# Begin Source File + +SOURCE=.\sip_utils.c +# End Source File +# Begin Source File + +SOURCE=.\spp_sip.c +# End Source File +# Begin Source File + +SOURCE=..\include\strtok_r.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# Begin Source File + +SOURCE=.\sf_preproc_info.h +# End Source File +# Begin Source File + +SOURCE=.\sip_config.h +# End Source File +# Begin Source File + +SOURCE=.\sip_debug.h +# End Source File +# Begin Source File + +SOURCE=.\sip_dialog.h +# End Source File +# Begin Source File + +SOURCE=.\sip_parser.h +# End Source File +# Begin Source File + +SOURCE=.\sip_roptions.h +# End Source File +# Begin Source File + +SOURCE=.\sip_utils.h +# End Source File +# Begin Source File + +SOURCE=.\spp_sip.h +# End Source File +# End Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru 
snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_config.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.c
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_config.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.c 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,757 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <ctype.h>
+#include "sf_types.h"
+#include "sf_snort_packet.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "sip_config.h"
+#include "spp_sip.h"
+#include "sip_debug.h"
+
+#define METHOD_NOT_FOUND -1
+/*
+ * Default SIP port
+ */
+#define SIP_PORT 5060
+#define SIPS_PORT 5061
+/*
+ * Default values for configurable parameters.
+ */
+#define SIP_DEFAULT_MAX_SESSIONS 10000
+#define SIP_DEFAULT_MAX_URI_LEN 256
+#define SIP_DEFAULT_MAX_CALL_ID_LEN 256
+#define SIP_DEFAULT_MAX_REQUEST_NAME_LEN 20
+#define SIP_DEFAULT_MAX_FROM_LEN 256
+#define SIP_DEFAULT_MAX_TO_LEN 256
+#define SIP_DEFAULT_MAX_VIA_LEN 1024
+#define SIP_DEFAULT_MAX_CONTACT_LEN 256
+#define SIP_DEFAULT_MAX_CONTENT_LEN 1024
+
+/*
+ * Min/Max values for each configurable parameter.
+ */
+#define MIN_MAX_NUM_SESSION 1024
+#define MAX_MAX_NUM_SESSION 4194303
+#define MIN_MAX_URI_LEN 0
+#define MAX_MAX_URI_LEN 65535
+#define MIN_MAX_CALL_ID_LEN 0
+#define MAX_MAX_CALL_ID_LEN 65535
+#define MIN_MAX_REQUEST_NAME_LEN 0
+#define MAX_MAX_REQUEST_NAME_LEN 65535
+#define MIN_MAX_FROM_LEN 0
+#define MAX_MAX_FROM_LEN 65535
+#define MIN_MAX_TO_LEN 0
+#define MAX_MAX_TO_LEN 65535
+#define MIN_MAX_VIA_LEN 0
+#define MAX_MAX_VIA_LEN 65535
+#define MIN_MAX_CONTACT_LEN 0
+#define MAX_MAX_CONTACT_LEN 65535
+#define MIN_MAX_CONTENT_LEN 0
+#define MAX_MAX_CONTENT_LEN 65535
+/*
+ * Keyword strings for parsing configuration options.
+ */
+#define SIP_DISABLED_KEYWORD "disabled"
+#define SIP_PORTS_KEYWORD "ports"
+#define SIP_MAX_SESSION_KEYWORD "max_sessions"
+#define SIP_METHODS_KEYWORD "methods"
+#define SIP_MAX_URI_LEN_KEYWORD "max_uri_len"
+#define SIP_MAX_CALL_ID_LEN_KEYWORD "max_call_id_len"
+#define SIP_MAX_REQUEST_NAME_LEN_KEYWORD "max_requestName_len"
+#define SIP_MAX_FROM_LEN_KEYWORD "max_from_len"
+#define SIP_MAX_TO_LEN_KEYWORD "max_to_len"
+#define SIP_MAX_VIA_LEN_KEYWORD "max_via_len"
+#define SIP_MAX_CONTACT_LEN_KEYWORD "max_contact_len"
+#define SIP_MAX_CONTENT_LEN_KEYWORD "max_content_len"
+#define SIP_IGNORE_CHANNEL_KEYWORD "ignore_call_channel"
+
+#define SIP_SEPERATORS "()<>@,;:\\/[]?={}\" "
+#define SIP_CONFIG_SECTION_SEPERATORS ",;"
+#define SIP_CONFIG_VALUE_SEPERATORS " "
+
+
+/*
+ * method names defined by standard, 14 methods defined up to Mar. 2011
+ * The first 6 methods are standard defined by RFC3261
+ */
+
+SIPMethod StandardMethods[] =
+{
+ {"invite", SIP_METHOD_INVITE},
+ {"cancel",SIP_METHOD_CANCEL},
+ {"ack", SIP_METHOD_ACK},
+ {"bye", SIP_METHOD_BYE},
+ {"register", SIP_METHOD_REGISTER},
+ {"options",SIP_METHOD_OPTIONS},
+ {"refer", SIP_METHOD_REFER},
+ {"subscribe", SIP_METHOD_SUBSCRIBE},
+ {"update", SIP_METHOD_UPDATE},
+ {"join", SIP_METHOD_JOIN},
+ {"info", SIP_METHOD_INFO},
+ {"message", SIP_METHOD_MESSAGE},
+ {"notify", SIP_METHOD_NOTIFY},
+ {"prack", SIP_METHOD_PRACK},
+ {NULL, SIP_METHOD_NULL}
+};
+
+static SIPMethodsFlag currentUseDefineMethod = SIP_METHOD_USER_DEFINE;
+/*
+ * Function prototype(s)
+ */
+
+static void DisplaySIPConfig(SIPConfig *);
+static void SIP_SetDefaultMethods(SIPConfig *);
+static void SIP_ParsePortList(char **, uint8_t *);
+static void SIP_ParseMethods(char **, uint32_t *,SIPMethodlist*);
+static SIPMethodNode* SIP_AddMethodToList(char *, SIPMethodsFlag, SIPMethodlist*);
+static int SIP_findMethod(char *, SIPMethod *);
+static int ParseNumInRange(char *token, char *keyword, int min, int max);
+
+/*
+ * Find method from the array methods
+ *
+ * PARAMETERS:
+ * char *token: the method token name to be checked
+ * SIPMethod* methods: methods array.
+ *
+ * RETURNS:
+ * the index of the method in the array, -1 if not found
+ */
+static int SIP_findMethod(char *token, SIPMethod* methods)
+{
+ int i = 0;
+ while(NULL != methods[i].name)
+ {
+ if ((strlen(token) == strlen(methods[i].name))&&
+ (strncasecmp(methods[i].name, token, strlen(token)) == 0))
+ return i;
+ i++;
+ }
+ return METHOD_NOT_FOUND;
+}
+/* Display the configuration for the SIP preprocessor.
+ *
+ * PARAMETERS:
+ *
+ * SIPConfig *config: SIP preprocessor configuration.
+ *
+ * RETURNS: Nothing.
+ */
+static void DisplaySIPConfig(SIPConfig *config)
+{
+ int index;
+ int newline;
+ SIPMethodNode *method;
+ if (config == NULL)
+ return;
+
+ _dpd.logMsg("SIP config: \n");
+ _dpd.logMsg(" Max number of sessions: %d %s \n",
+ config->maxNumSessions,
+ config->maxNumSessions
+ == SIP_DEFAULT_MAX_SESSIONS ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Status: %s\n",
+ config->disabled ?
+ "DISABLED":"ENABLED");
+
+ if (config->disabled)
+ return;
+
+ _dpd.logMsg(" Ignore media channel: %s\n",
+ config->ignoreChannel ?
+ "ENABLED":"DISABLED");
+ _dpd.logMsg(" Max URI length: %d %s \n",
+ config->maxUriLen,
+ config->maxUriLen
+ == SIP_DEFAULT_MAX_URI_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max Call ID length: %d %s \n",
+ config->maxCallIdLen,
+ config->maxCallIdLen
+ == SIP_DEFAULT_MAX_CALL_ID_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max Request name length: %d %s \n",
+ config->maxRequestNameLen,
+ config->maxRequestNameLen
+ == SIP_DEFAULT_MAX_REQUEST_NAME_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max From length: %d %s \n",
+ config->maxFromLen,
+ config->maxFromLen
+ == SIP_DEFAULT_MAX_FROM_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max To length: %d %s \n",
+ config->maxToLen,
+ config->maxToLen
+ == SIP_DEFAULT_MAX_TO_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max Via length: %d %s \n",
+ config->maxViaLen,
+ config->maxViaLen
+ == SIP_DEFAULT_MAX_VIA_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max Contact length: %d %s \n",
+ config->maxContactLen,
+ config->maxContactLen
+ == SIP_DEFAULT_MAX_CONTACT_LEN ?
+ "(Default)" : "" );
+ _dpd.logMsg(" Max Content length: %d %s \n",
+ config->maxContentLen,
+ config->maxContentLen
+ == SIP_DEFAULT_MAX_CONTENT_LEN ?
+ "(Default)" : "" );
+
+
+ /* Traverse list, printing ports, 5 per line */
+ newline = 1;
+ _dpd.logMsg(" Ports:\n");
+ for(index = 0; index < MAXPORTS; index++)
+ {
+ if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) )
+ {
+ _dpd.logMsg("\t%d", index);
+ if ( !((newline++)% 5) )
+ {
+ _dpd.logMsg("\n");
+ }
+ }
+ }
+ _dpd.logMsg("\n");
+ _dpd.logMsg(" Methods:\n");
+ _dpd.logMsg("\t%s ",
+ config->methodsConfig
+ == SIP_METHOD_DEFAULT ?
+ "(Default)" : "");
+ method = config->methods;
+ while(NULL != method)
+ {
+ _dpd.logMsg(" %s", method->methodName);
+ method = method->nextm;
+ }
+
+ _dpd.logMsg("\n");
+}
+
+/*
+ * The first 6 methods are standard defined by RFC3261
+ * We use those first 6 methods as default
+ *
+ */
+static void SIP_SetDefaultMethods(SIPConfig *config)
+{
+
+ int i;
+ config->methodsConfig = SIP_METHOD_DEFAULT;
+ for (i = 0; i < 6 ; i++)
+ {
+ SIP_AddMethodToList(StandardMethods[i].name, StandardMethods[i].methodFlag, &config->methods);
+ }
+
+}
+
+
+/********************************************************************
+ * Function: SIP_ParsePortList()
+ *
+ * Parses a port list and adds bits associated with the ports
+ * parsed to a bit array.
+ *
+ * Arguments:
+ * char **
+ * Pointer to the pointer to the current position in the
+ * configuration line. This is updated to the current position
+ * after parsing the IP list.
+ * uint8_t *
+ * Pointer to the port array mask to set bits for the ports
+ * parsed.
+ *
+ * Returns:
+ * SIP_Ret
+ * SIP_SUCCESS if we were able to successfully parse the
+ * port list.
+ * SIP_FAILURE if an error occured in parsing the port list.
+ *
+ ********************************************************************/
+static void SIP_ParsePortList(char **ptr, uint8_t *port_array)
+{
+ int port;
+ char* cur_tokenp = *ptr;
+ /* If the user specified ports, remove SIP_PORT for now since
+ * it now needs to be set explicitly. */
+ port_array[ PORT_INDEX( SIP_PORT ) ] = 0;
+ port_array[ PORT_INDEX( SIPS_PORT ) ] = 0;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Port configurations: %s\n",*ptr ););
+
+ /* Eat the open brace. */
+ cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Port token: %s\n",cur_tokenp ););
+
+ /* Check the space after '{'*/
+ if (( !cur_tokenp ) || ( 0 != strncmp (cur_tokenp, "{", 2 )))
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, make sure space before and after '{'.\n",
+ *(_dpd.config_file), *(_dpd.config_line), SIP_PORTS_KEYWORD);
+ }
+
+ cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS);
+ while (( cur_tokenp ) && ( 0 != strncmp (cur_tokenp, "}", 2 )))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Port token: %s\n",cur_tokenp ););
+
+ port = ParseNumInRange(cur_tokenp, SIP_PORTS_KEYWORD, 1, MAXPORTS-1);
+ port_array[ PORT_INDEX( port ) ] |= CONV_PORT(port);
+
+ cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS);
+ }
+ if ( NULL == cur_tokenp )
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, missing '}'.\n",
+ *(_dpd.config_file), *(_dpd.config_line), SIP_PORTS_KEYWORD);
+ }
+ *ptr = cur_tokenp;
+}
+/* Parses a single numerical value.
+ * A fatal error is made if the parsed value is out of bounds.
+ *
+ * PARAMETERS:
+ *
+ * token: String containing argument
+ * keyword: String containing option's name. Used when printing an error.
+ * min: Minimum value of argument
+ * max: Maximum value of argument
+ *
+ * RETURNS: bounds-checked integer value of argument.
+ */
+static int ParseNumInRange(char *token, char *keyword, int min, int max)
+{
+ long int value;
+ char *str;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Num token: %s\n",token ););
+
+ if (( !token ) || !isdigit((int)token[0]) )
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. "
+ "Please specify an integer between %d and %d.\n",
+ *(_dpd.config_file), *(_dpd.config_line), keyword, min, max);
+ }
+
+ value = _dpd.SnortStrtol( token, &str, 10);
+
+ if (0 != strlen(str))
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. "
+ "Please specify an integer between %d and %d.\n",
+ *(_dpd.config_file), *(_dpd.config_line), keyword, min, max);
+ }
+
+ if (value < min || value > max)
+ {
+ DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of "
+ "bounds. Please specify an integer between %d and %d.\n",
+ *(_dpd.config_file), *(_dpd.config_line), keyword, min, max);
+ }
+
+ return value;
+}
+
+
+/********************************************************************
+ * Function: SIP_ParseMethods()
+ *
+ * Parses the methods to detect
+ *
+ *
+ * Arguments:
+ * char **
+ * Pointer to the pointer to the current position in the
+ * configuration line. This is updated to the current position
+ * after parsing the methods list.
+ * SIPMethods*
+ * Flag for the methods.
+ * NULL flag if not a valid method type
+ * Returns:
+ *
+ ********************************************************************/
+static void SIP_ParseMethods(char **ptr, uint32_t *methodsConfig, SIPMethodlist* pmethods)
+{
+ char* cur_tokenp = *ptr;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method configurations: %s\n",*ptr ););
+ /* If the user specified methods, remove default methods for now since
+ * it now needs to be set explicitly. */
+ *methodsConfig = SIP_METHOD_NULL;
+ /* Eat the open brace.
*/ + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method token: %s\n",cur_tokenp );); + + /* Check the space after '{'*/ + if (( !cur_tokenp ) || ( 0 != strncmp (cur_tokenp, "{", 2 ))) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, make sure space before and after '{'.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_METHODS_KEYWORD); + } + + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + while (( cur_tokenp ) && (0 != strncmp (cur_tokenp, "}", 2 ))) + { + int i_method; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method token: %s\n",cur_tokenp );); + // Check whether this is a standard method + i_method = SIP_findMethod(cur_tokenp, StandardMethods); + if (METHOD_NOT_FOUND != i_method ) + { + *methodsConfig |= 1 << (StandardMethods[i_method].methodFlag - 1); + SIP_AddMethodToList(cur_tokenp,StandardMethods[i_method].methodFlag, pmethods); + + } + else + { + SIP_AddUserDefinedMethod(cur_tokenp, methodsConfig, pmethods); + } + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + + } + if ( NULL == cur_tokenp ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s, missing '}'.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_METHODS_KEYWORD); + } + *ptr = cur_tokenp; + +} + +static SIPMethodNode* SIP_AddMethodToList(char *methodName, SIPMethodsFlag methodConf, SIPMethodlist* p_methodList) +{ + + SIPMethodNode* method; + int methodLen; + SIPMethodNode* lastMethod; + + if (NULL == methodName) + return NULL; + methodLen = strlen(methodName); + method =*p_methodList; + lastMethod = *p_methodList; + while(method) + { + // Already in the list, return + if(strcasecmp(method->methodName, methodName) == 0) + return method; + lastMethod = method; + method = method->nextm; + } + + method = (SIPMethodNode *) malloc(sizeof (SIPMethodNode)); + if (NULL == method) + return NULL; + method->methodName = strdup(methodName); + if (NULL == method->methodName) + 
return NULL; + method->methodLen = methodLen; + method->methodFlag = methodConf; + method->nextm = NULL; + // The first method, point to the first created one + if (NULL == *p_methodList) + { + *p_methodList = method; + } + else + { + lastMethod->nextm = method; + } + + return method; +} +/******************************************************************** + * Function: SIP_FreeConfig + * + * Frees a sip configuration + * + * Arguments: + * SIP_Config * + * The configuration to free. + * + * Returns: None + * + ********************************************************************/ +void SIP_FreeConfig (SIPConfig *config) +{ + SIPMethodNode *nextNode; + SIPMethodNode *curNode; + if (config == NULL) + return; + curNode = config->methods; + + while (NULL != curNode) + { + if (NULL != curNode->methodName) + free(curNode->methodName); + nextNode = curNode->nextm; + free(curNode); + curNode = nextNode; + } + free(config); +} +/* Parses and processes the configuration arguments + * supplied in the SIP preprocessor rule. + * + * PARAMETERS: + * + * SIPConfig *config: SIP preprocessor configuration. + * argp: Pointer to string containing the config arguments. + * + * RETURNS: Nothing. 
+ */ +void ParseSIPArgs(SIPConfig *config, u_char* argp) +{ + char* cur_sectionp = NULL; + char* next_sectionp = NULL; + char* argcpyp = NULL; + + if (config == NULL) + return; + config->maxNumSessions = SIP_DEFAULT_MAX_SESSIONS; + config->maxUriLen = SIP_DEFAULT_MAX_URI_LEN; + config->maxCallIdLen = SIP_DEFAULT_MAX_CALL_ID_LEN; + config->maxRequestNameLen = SIP_DEFAULT_MAX_REQUEST_NAME_LEN; + config->maxFromLen = SIP_DEFAULT_MAX_FROM_LEN; + config->maxToLen = SIP_DEFAULT_MAX_TO_LEN; + config->maxViaLen = SIP_DEFAULT_MAX_VIA_LEN; + config->maxContactLen = SIP_DEFAULT_MAX_CONTACT_LEN; + config->maxContentLen = SIP_DEFAULT_MAX_CONTENT_LEN; + + /* Set up default port to listen on */ + config->ports[ PORT_INDEX( SIP_PORT ) ] |= CONV_PORT(SIP_PORT); + config->ports[ PORT_INDEX( SIPS_PORT ) ] |= CONV_PORT(SIPS_PORT); + + config->methodsConfig = SIP_METHOD_NULL; + config->methods = NULL; + + /* Reset user defined method for every policy*/ + currentUseDefineMethod = SIP_METHOD_USER_DEFINE; + + /* Sanity check(s) */ + if ( !argp ) + { + SIP_SetDefaultMethods(config); + DisplaySIPConfig(config); + return; + } + + argcpyp = strdup( (char*) argp ); + + if ( !argcpyp ) + { + DynamicPreprocessorFatalMessage("Could not allocate memory to parse SIP options.\n"); + return; + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "SIP configurations: %s\n",argcpyp );); + + cur_sectionp = strtok_r( argcpyp, SIP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Arguments token: %s\n",cur_sectionp );); + + while ( cur_sectionp ) + { + + char* cur_config; + char* cur_tokenp = strtok( cur_sectionp, SIP_CONFIG_VALUE_SEPERATORS); + + if (!cur_tokenp) + { + cur_sectionp = strtok_r( next_sectionp, SIP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + continue; + } + + cur_config = cur_tokenp; + + if ( !strcmp( cur_tokenp, SIP_PORTS_KEYWORD )) + { + SIP_ParsePortList(&cur_tokenp, config->ports); + + } + else if ( !strcmp( cur_tokenp, SIP_METHODS_KEYWORD )) + { + 
SIP_ParseMethods(&cur_tokenp, &config->methodsConfig, &config->methods ); + + } + else if ( !strcmp( cur_tokenp, SIP_DISABLED_KEYWORD )) + { + config->disabled = 1; + } + else if ( !strcmp( cur_tokenp, SIP_MAX_SESSION_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxNumSessions = (uint32_t)ParseNumInRange(cur_tokenp, + SIP_MAX_SESSION_KEYWORD, + MIN_MAX_NUM_SESSION, + MAX_MAX_NUM_SESSION); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_URI_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxUriLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_URI_LEN_KEYWORD, + MIN_MAX_URI_LEN, + MAX_MAX_URI_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_CALL_ID_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxCallIdLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_CALL_ID_LEN_KEYWORD, + MIN_MAX_CALL_ID_LEN, + MAX_MAX_CALL_ID_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_REQUEST_NAME_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxRequestNameLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_REQUEST_NAME_LEN_KEYWORD, + MIN_MAX_REQUEST_NAME_LEN, + MAX_MAX_REQUEST_NAME_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_FROM_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxFromLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_FROM_LEN_KEYWORD, + MIN_MAX_FROM_LEN, + MAX_MAX_FROM_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_TO_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxToLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_TO_LEN_KEYWORD, + MIN_MAX_TO_LEN, + MAX_MAX_TO_LEN); + } + + else if ( !strcmp( cur_tokenp, SIP_MAX_VIA_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxViaLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_VIA_LEN_KEYWORD, + MIN_MAX_VIA_LEN, + 
MAX_MAX_VIA_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_CONTACT_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxContactLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_CONTACT_LEN_KEYWORD, + MIN_MAX_CONTACT_LEN, + MAX_MAX_CONTACT_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_MAX_CONTENT_LEN_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxContentLen = (uint16_t)ParseNumInRange(cur_tokenp, + SIP_MAX_CONTENT_LEN_KEYWORD, + MIN_MAX_CONTENT_LEN, + MAX_MAX_CONTENT_LEN); + } + else if ( !strcmp( cur_tokenp, SIP_IGNORE_CHANNEL_KEYWORD )) + { + config->ignoreChannel = 1; + } + else + { + DynamicPreprocessorFatalMessage(" %s(%d) => Invalid argument: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_tokenp); + return; + } + /*Check whether too many parameters*/ + if (NULL != strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS)) + { + DynamicPreprocessorFatalMessage("%s(%d) => To many arguments: %s\n", + *(_dpd.config_file), *(_dpd.config_line), cur_config); + + } + cur_sectionp = strtok_r( next_sectionp, SIP_CONFIG_SECTION_SEPERATORS, &next_sectionp); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Arguments token: %s\n",cur_sectionp );); + } + /*If no methods defined, use the default*/ + if (SIP_METHOD_NULL == config->methodsConfig) + { + SIP_SetDefaultMethods(config); + } + DisplaySIPConfig(config); + free(argcpyp); +} +/******************************************************************** + * Function: SIP_AddUserDefinedMethod + * + * Add a user defined method + * + * Arguments: + * char *: the method name + * SIPMethodlist *: the list to be added + * + * Returns: user defined method + * + ********************************************************************/ +SIPMethodNode* SIP_AddUserDefinedMethod(char *methodName, uint32_t *methodsConfig, SIPMethodlist* pmethods) +{ + + int i = 0; + SIPMethodNode* method; + + /*Check whether all the chars are defined by RFC2616*/ + while(methodName[i]) + { + 
if (iscntrl(methodName[i])|(NULL != strchr(SIP_SEPERATORS,methodName[i]))| (methodName[i] < 0) ) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Bad character included in the User defined method: %s." + "Make sure space before and after '}'. \n", + *(_dpd.config_file), *(_dpd.config_line), methodName ); + return NULL; + } + i++; + } + if (currentUseDefineMethod > SIP_METHOD_USER_DEFINE_MAX) + { + DynamicPreprocessorFatalMessage(" %s(%d) => Exceeded max number of user defined methods (%d), can't add %s.\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_METHOD_USER_DEFINE_MAX - SIP_METHOD_USER_DEFINE + 1, + methodName ); + return NULL; + } + *methodsConfig |= 1 << (currentUseDefineMethod - 1); + method = SIP_AddMethodToList(methodName, currentUseDefineMethod, pmethods); + currentUseDefineMethod = (SIPMethodsFlag) (currentUseDefineMethod + 1); + return method; +} diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_config.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_config.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_config.h 2011-06-07 17:33:14.000000000 -0700 
@@ -0,0 +1,137 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for parsing and querying configuration. + * + * 2/17/2011 - Initial implementation ... 
Hui Cao <hcao@sourcefire.com> + * + ****************************************************************************/ + +#ifndef _SIP_CONFIG_H_ +#define _SIP_CONFIG_H_ + +#include "sfPolicyUserData.h" +#include "snort_bounds.h" +#include "sip_debug.h" + +#define SIP_NAME "sip" + + +typedef enum _SIP_method +{ + SIP_METHOD_NULL = 0, //0x0000, + SIP_METHOD_INVITE = 1, //0x0001, + SIP_METHOD_CANCEL = 2, //0x0002, + SIP_METHOD_ACK = 3, //0x0004, + SIP_METHOD_BYE = 4, //0x0008, + SIP_METHOD_REGISTER = 5, //0x0010, + SIP_METHOD_OPTIONS = 6, //0x0020, + SIP_METHOD_REFER = 7, //0x0040, + SIP_METHOD_SUBSCRIBE = 8, //0x0080, + SIP_METHOD_UPDATE = 9, //0x0100, + SIP_METHOD_JOIN = 10,//0x0200, + SIP_METHOD_INFO = 11,//0x0400, + SIP_METHOD_MESSAGE = 12,//0x0800, + SIP_METHOD_NOTIFY = 13,//0x1000, + SIP_METHOD_PRACK = 14,//0x2000, + SIP_METHOD_USER_DEFINE = 15,//0x4000, + SIP_METHOD_USER_DEFINE_MAX = 32//0x80000000, + +} SIPMethodsFlag; + +#define SIP_METHOD_DEFAULT 0x003f +#define SIP_METHOD_ALL 0xffffffff +/* + * Header fields and processing functions + */ +typedef struct _SIPMethod +{ + char *name; + SIPMethodsFlag methodFlag; + +}SIPMethod; + +extern SIPMethod StandardMethods[]; + + +typedef struct _sipMethodlistNode +{ + char *methodName; + int methodLen; + SIPMethodsFlag methodFlag; + struct _sipMethodlistNode* nextm; +} SIPMethodNode; + +typedef SIPMethodNode * SIPMethodlist; + +/* + * One of these structures is kept for each configured + * server port. + */ +typedef struct _sipPortlistNode +{ + uint16_t server_port; + struct _sipPortlistNode* nextp; +} SIPPortNode; + +/* + * SIP preprocessor configuration. + * + * disabled: Whether or not to disable SIP PP. + * maxNumSessions: Maximum amount of run-time memory + * ports: Which ports to check for SIP messages + * methods: Which methods to check + * maxUriLen: Maximum requst_URI size + * maxCallIdLen: Maximum call_ID size. + * maxRequestNameLen: Maximum length of request name in the CSeqID. 
+ * maxFromLen: Maximum From field size + * maxToLen: Maximum To field size + * maxViaLen: Maximum Via field size + * maxContactLen: Maximum Contact field size + * maxContentLen: Maximum Content length + * ignoreChannel: Whether to ignore media channels found by SIP PP + */ +typedef struct _sipConfig +{ + uint8_t disabled; + uint32_t maxNumSessions; + uint8_t ports[MAXPORTS/8]; + uint32_t methodsConfig; + SIPMethodlist methods; + uint16_t maxUriLen; + uint16_t maxCallIdLen; + uint16_t maxRequestNameLen; + uint16_t maxFromLen; + uint16_t maxToLen; + uint16_t maxViaLen; + uint16_t maxContactLen; + uint16_t maxContentLen; + uint8_t ignoreChannel; + int ref_count; + +} SIPConfig; + +/******************************************************************** + * Public function prototypes + ********************************************************************/ +void SIP_FreeConfig(SIPConfig *); +void ParseSIPArgs(SIPConfig *, u_char*); +SIPMethodNode* SIP_AddUserDefinedMethod(char *, uint32_t *, SIPMethodlist*); + +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_debug.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_debug.h --- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_debug.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_debug.h 2011-10-26 11:28:52.000000000 -0700 
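Review bot: `SIP_METHOD_USER_DEFINE_MAX = 32` in the `_SIP_method` enum is consumed in sip_config.c as a 1-based bit index (`*methodsConfig |= 1 << (currentUseDefineMethod - 1)`, with 32 itself accepted by the `> SIP_METHOD_USER_DEFINE_MAX` guard), so the last user-defined method evaluates `1 << 31` on a plain `int`, which is undefined behaviour in C even though the destination `methodsConfig` is `uint32_t`, and the enum's trailing comments (`//0x4000`, `//0x80000000`) read as masks, which hides the mismatch. The header should state the intended use, e.g. above the typedef: `/* Values are 1-based bit indices into SIPConfig.methodsConfig (uint32_t); build masks as 1u << (flag - 1), never from a signed literal. */`, and the two shifts in sip_config.c (standard and user-defined methods) should use `1u`. Separately, the include guards `_SIP_CONFIG_H_` here and `_SIP_DEBUG_H_` in sip_debug.h begin with an underscore followed by an uppercase letter, a name range reserved for the implementation; `SIP_CONFIG_H` / `SIP_DEBUG_H` avoid that.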
@@ -0,0 +1,41 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides macros and functions for debugging the preprocessor. + * If Snort is not configured to do debugging, macros are empty. + * + * 8/17/2008 - Initial implementation ... 
Todd Wease <twease@sourcefire.com> + * + ****************************************************************************/ + +#ifndef _SIP_DEBUG_H_ +#define _SIP_DEBUG_H_ + +#include <stdio.h> +#include "snort_debug.h" + +/******************************************************************** + * Macros + ********************************************************************/ + +#define SIP_DEBUG__START_MSG "SIP Start ********************************************" +#define SIP_DEBUG__END_MSG "SIP End **********************************************" + +#endif /* _SIP_DEBUG_H_ */ + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_dialog.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.c --- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_dialog.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,722 @@ +/**************************************************************************** + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * Provides convenience functions for dialog management + * Dialog management is the central part of SIP call flow analysis + * + * 3/15/2011 - Initial implementation ... 
Hui Cao <hcao@sourcefire.com> + * + ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include "sf_types.h" +#include "sip_dialog.h" +#include "sip_parser.h" +#include "sip_debug.h" +#include "sf_ip.h" +#include "spp_sip.h" +#include "stream_api.h" +#include <assert.h> + + +static void SIP_updateMedias(SIP_MediaSession *, SIP_MediaList *); +static int SIP_compareMedias(SIP_MediaDataList , SIP_MediaDataList ); +static int SIP_checkMediaChange(SIPMsg *sipMsg, SIP_DialogData *dialog); +static int SIP_processRequest(SIPMsg *, SIP_DialogData *, SIP_DialogList *, SFSnortPacket *); +static int SIP_processInvite(SIPMsg *, SIP_DialogData *, SIP_DialogList *); +static int SIP_processACK(SIPMsg *, SIP_DialogData *, SIP_DialogList *, SFSnortPacket *); +static int SIP_processResponse(SIPMsg *, SIP_DialogData *, SIP_DialogList *, SFSnortPacket *); +static int SIP_ignoreChannels( SIP_DialogData *, SFSnortPacket *p); +static SIP_DialogData* SIP_addDialog(SIPMsg *, SIP_DialogData *, SIP_DialogList *); +static int SIP_deleteDialog(SIP_DialogData *, SIP_DialogList *); +#ifdef DEBUG_MSGS +void SIP_displayMedias(SIP_MediaList *dList); +#endif + + + +/******************************************************************** + * Function: SIP_processRequest() + * + * Based on the new received sip request message, update the dialog information. 
+ * Note: dialog is created through dialog + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * SFSnortPacket* - the packet + * + * Returns: + * SIP_SUCCESS: request message has been processed correctly + * SIP_FAILURE: request message has not been processed correctly + ********************************************************************/ +static int SIP_processRequest(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList, SFSnortPacket *p) +{ + + SIPMethodsFlag methodFlag; + int ret = SIP_SUCCESS; + + assert (NULL != sipMsg); + + /*If dialog not exist, create one */ + if((NULL == dialog)&&(SIP_METHOD_CANCEL != sipMsg->methodFlag)) + { + dialog = SIP_addDialog(sipMsg, *dList, dList); + } + + methodFlag = sipMsg->methodFlag; + sip_stats.requests[TOTAL_REQUESTS]++; + if (methodFlag > 0) + sip_stats.requests[methodFlag]++; + switch (methodFlag) + { + case SIP_METHOD_INVITE: + + ret = SIP_processInvite(sipMsg, dialog, dList); + + break; + + case SIP_METHOD_CANCEL: + + if (NULL == dialog) + return SIP_FAILURE; + /*dialog can be deleted in the early state*/ + if((SIP_DLG_EARLY == dialog->state)||(SIP_DLG_INVITING == dialog->state) + || (SIP_DLG_CREATE == dialog->state)) + SIP_deleteDialog(dialog, dList); + + break; + + case SIP_METHOD_ACK: + + SIP_processACK(sipMsg, dialog, dList, p); + + break; + + case SIP_METHOD_BYE: + + if(SIP_DLG_ESTABLISHED == dialog->state) + dialog->state = SIP_DLG_TERMINATING; + break; + + default: + + break; + + } + return ret; +} + +/******************************************************************** + * Function: SIP_processInvite() + * + * Based on the new received sip invite request message, update the dialog information. 
+ * Note: dialog is created through dialog + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * SIP_DialogList*- dialog list + * Returns: + * SIP_SUCCESS: + * SIP_FAILURE: + ********************************************************************/ +static int SIP_processInvite(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList) +{ + + int ret = SIP_SUCCESS; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Processing invite, dialog state %d \n", dialog->state );); + + if (NULL == dialog) + return SIP_FAILURE; + + /*Check for the invite replay attack: authenticated invite without challenge*/ + // check whether this invite has authorization information + if ((SIP_DLG_AUTHENCATING != dialog->state) && (NULL != sipMsg ->authorization)) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Dialog state code: %u\n", + dialog->status_code)); + + ALERT(SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK,SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR); + return SIP_FAILURE; + + } + if (SIP_DLG_ESTABLISHED == dialog->state) + { + /* this is the case of re-INVITE*/ + // create a temporary new dialog before the current dialog + dialog = SIP_addDialog(sipMsg, dialog, dList); + dialog->state = SIP_DLG_REINVITING; + return SIP_SUCCESS; + } + /*Check for the fake busy attack: change media session before dialog established*/ + else if((SIP_DLG_INVITING == dialog->state) || (SIP_DLG_EARLY == dialog->state) + || (SIP_DLG_REINVITING == dialog->state)|| (SIP_DLG_AUTHENCATING == dialog->state)) + { + ret = SIP_checkMediaChange(sipMsg, dialog); + if (SIP_FAILURE == ret) + ALERT(SIP_EVENT_AUTH_INVITE_DIFF_SESSION,SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR); + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + } + else if (SIP_DLG_TERMINATED == dialog->state) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + } + dialog->state = SIP_DLG_INVITING; + return ret; +} + +/******************************************************************** + * Function: 
SIP_processACK() + * + * Based on the new received sip ACK request message, update the dialog information. + * Note: dialog is created through dialog + * Arguments: + * SIPMsg * - sip request message + * SIP_DialogData* - dialog to be updated, + * SIP_DialogList* - dialog list + * SFSnortPacket* - the packet + * Returns: + * SIP_SUCCESS: + * SIP_FAILURE: + ********************************************************************/ +static int SIP_processACK(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList, SFSnortPacket *p) +{ + if (NULL == dialog) + return SIP_FAILURE; + + if (SIP_DLG_ESTABLISHED == dialog->state) + { + if ((SIP_METHOD_INVITE == dialog->creator)&&(SIP_checkMediaChange(sipMsg, dialog) == SIP_FAILURE)) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + SIP_ignoreChannels(dialog, p); + } + } + return SIP_SUCCESS; +} +/******************************************************************** + * Function: SIP_processResponse() + * + * Based on the new received sip response message, update the dialog information. 
+ * + * Arguments: + * SIPMsg * - sip response message + * SIP_DialogData* - dialog to be updated, + * SFSnortPacket* - the packet + * + * Returns: + * SIP_SUCCESS: + * SIP_FAILURE: + ********************************************************************/ +static int SIP_processResponse(SIPMsg *sipMsg, SIP_DialogData *dialog, SIP_DialogList *dList, SFSnortPacket *p) +{ + + int statusType; + SIP_DialogData *currDialog = dialog; + + assert (NULL != sipMsg); + + statusType = sipMsg->status_code / 100; + sip_stats.responses[TOTAL_RESPONSES]++; + if (statusType < NUM_OF_RESPONSE_TYPES) + sip_stats.responses[statusType]++; + + if(NULL == dialog) + return SIP_FAILURE; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Processing response, dialog state %d \n", dialog->state );); + + if(sipMsg->status_code > 0) + dialog->status_code = sipMsg->status_code; + + + switch (statusType) + { + case 0: + break; + case RESPONSE1XX: + + if (SIP_DLG_CREATE == currDialog->state) + currDialog->state = SIP_DLG_EARLY; + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + break; + case RESPONSE2XX: + + if (SIP_DLG_REINVITING == currDialog->state) + { + SIP_deleteDialog(currDialog->nextD, dList); + if (SIP_checkMediaChange(sipMsg, dialog) == SIP_FAILURE) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + SIP_ignoreChannels(currDialog, p); + } + currDialog->state = SIP_DLG_ESTABLISHED; + } + else if (SIP_DLG_TERMINATING == currDialog->state) + { + SIP_deleteDialog(currDialog, dList); + return SIP_SUCCESS; + } + else + { + if ((SIP_METHOD_INVITE == currDialog->creator)&& + (SIP_checkMediaChange(sipMsg, dialog) == SIP_FAILURE)) + { + SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); + SIP_ignoreChannels(currDialog, p); + } + currDialog->state = SIP_DLG_ESTABLISHED; + } + break; + case RESPONSE3XX: + case RESPONSE4XX: + case RESPONSE5XX: + case RESPONSE6XX: + + // If authentication is required + if((401 == sipMsg->status_code) || (407 == sipMsg->status_code)) 
+ {
+ currDialog->state = SIP_DLG_AUTHENCATING;
+ }
+ /*Failed re-Invite will resume to the original state*/
+ else if(SIP_DLG_REINVITING == currDialog->state)
+ {
+ SIP_deleteDialog(currDialog, dList);
+ }
+ else
+ currDialog->state = SIP_DLG_TERMINATED;
+
+ break;
+
+ default:
+ break;
+ }
+
+
+ return SIP_SUCCESS;
+
+}
+/********************************************************************
+ * Function: SIP_checkMediaChange()
+ *
+ * Based on the new received sip invite request message, check whether SDP has been changed
+ *
+ * Arguments:
+ * SIPMsg * - sip request message
+ * SIP_DialogData* - dialog to be updated,
+ *
+ * Returns:
+ * SIP_SUCCESS: media not changed
+ * SIP_FAILURE: media changed
+ ********************************************************************/
+static int SIP_checkMediaChange(SIPMsg *sipMsg, SIP_DialogData *dialog)
+{
+ SIP_MediaSession *medias;
+
+ // Compare the medias (SDP part)
+ if (NULL == sipMsg->mediaSession)
+ return SIP_SUCCESS;
+
+ medias = dialog->mediaSessions;
+ while(NULL != medias)
+ {
+ if (sipMsg->mediaSession->sessionID == medias->sessionID)
+ break;
+ medias = medias->nextS;
+ }
+
+ if (NULL == medias)
+ {
+ // Can't find the media session by ID, SDP has been changed.
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Can't find the media data, ID: %u\n", sipMsg->mediaSession->sessionID ););
+
+ return SIP_FAILURE;
+ }
+ // The media content has been changed
+ if (0 != SIP_compareMedias(medias->medias, sipMsg->mediaSession->medias))
+ {
+ // Can't find the media session by ID, SDP has been changed.
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "The media data is different!\n"););
+ return SIP_FAILURE;
+ }
+ return SIP_SUCCESS;
+}
+/********************************************************************
+ * Function: SIP_ignoreChannels
+ *
+ * Ignore the channels in the current dialog: for a dialog,there will be media
+ * sessions, one from each side of conversation
+ *
+ * Arguments:
+ * SIP_DialogData * - the current dialog
+ *
+ *
+ * Returns:
+ * SIP_SUCCESS: the channel has been ignored
+ * SIP_FAILURE: the channel has not been ignored
+ *
+ ********************************************************************/
+static int SIP_ignoreChannels( SIP_DialogData *dialog, SFSnortPacket *p)
+{
+ SIP_MediaData *mdataA,*mdataB;
+
+ if (0 == sip_eval_config->ignoreChannel)
+ return SIP_FAILURE;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring the media data in Dialog: %u\n", dialog->dlgID.callIdHash););
+ // check the first media session
+ if (NULL == dialog->mediaSessions)
+ return SIP_FAILURE;
+ // check the second media session
+ if (NULL == dialog->mediaSessions->nextS)
+ return SIP_FAILURE;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring the media sessions ID: %u and %u\n",
+ dialog->mediaSessions->sessionID, dialog->mediaSessions->nextS->sessionID););
+ mdataA = dialog->mediaSessions->medias;
+ mdataB = dialog->mediaSessions->nextS->medias;
+ sip_stats.ignoreSessions++;
+ while((NULL != mdataA)&&(NULL != mdataB))
+ {
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring channels Source IP: %s Port: %u\n",
+ sfip_to_str(&mdataA->maddress), mdataA->mport););
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Ignoring channels Destine IP: %s Port: %u\n",
+ sfip_to_str(&mdataB->maddress), mdataB->mport););
+ /* Call into Streams to mark data channel as something to ignore. */
+#ifdef SUP_IP6
+ _dpd.streamAPI->ignore_session(&mdataA->maddress,
+ mdataA->mport, &mdataB->maddress,
+ mdataB->mport, IPPROTO_UDP, p->pkt_header->ts.tv_sec,
+ PP_SIP, SSN_DIR_BOTH,
+ 0 /* Not permanent */ );
+#else
+ _dpd.streamAPI->ignore_session( (snort_ip_p)mdataA->maddress.ip.u6_addr32[0],
+ mdataA->mport, (snort_ip_p)mdataB->maddress.ip.u6_addr32[0],
+ mdataB->mport, IPPROTO_UDP, p->pkt_header->ts.tv_sec,
+ PP_SIP, SSN_DIR_BOTH,
+ 0 /* Not permanent */ );
+#endif
+ sip_stats.ignoreChannels++;
+ mdataA = mdataA->nextM;
+ mdataB = mdataB->nextM;
+ }
+ return SIP_SUCCESS;
+
+}
+/********************************************************************
+ * Function: SIP_compareMedias
+ *
+ * Compare two media list
+ *
+ * Arguments:
+ * SIPMsg * - the message used to create a dialog
+ * SIP_DialogData * - the current dialog location
+ * SIP_DialogList * - the dialogs to be added.
+ *
+ *
+ * Returns:
+ * 1: not the same
+ * 0: the same
+ *
+ ********************************************************************/
+static int SIP_compareMedias(SIP_MediaDataList mlistA, SIP_MediaDataList mlistB )
+{
+ SIP_MediaData *mdataA,*mdataB;
+ mdataA = mlistA;
+ mdataB = mlistB;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Compare the media data \n"););
+ while((NULL != mdataA) && (NULL != mdataB))
+ {
+ if(sfip_compare(&mdataA->maddress, &mdataB->maddress) != SFIP_EQUAL)
+ break;
+ if((mdataA->mport != mdataB->mport)|| (mdataA->numPort != mdataB->numPort))
+ break;
+ mdataA = mdataA->nextM;
+ mdataB = mdataB->nextM;
+ }
+ if((NULL == mdataA) && (NULL == mdataB))
+ return 0;
+ else
+ return 1;
+}
+/********************************************************************
+ * Function: SIP_updateMedias()
+ *
+ * Based on the new received media session information, update the media list.
+ * If not in the current list, created one and add it to the head.
+ *
+ * Arguments:
+ * SIP_MediaSession* - media session
+ * SIP_MediaList* - media session list to be updated,
+ *
+ * Returns:
+ *
+ ********************************************************************/
+static void SIP_updateMedias(SIP_MediaSession *mSession, SIP_MediaList *dList)
+{
+ SIP_MediaSession *currSession, *preSession = NULL;
+
+ if(NULL == mSession)
+ return;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updating session id: %u\n",
+ mSession->sessionID));
+ mSession->savedFlag = SIP_SESSION_SAVED;
+ // Find out the media session based on session id
+ currSession = *dList;
+ while(NULL != currSession)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session id: %u\n",
+ currSession->sessionID));
+ if(currSession->sessionID == mSession->sessionID)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found Session id: %u\n",
+ currSession->sessionID));
+ break;
+ }
+ preSession = currSession;
+ currSession = currSession->nextS;
+ }
+ // if this is a new session data, add to the list head
+ if (NULL == currSession)
+ {
+ mSession->nextS = *dList;
+ *dList = mSession;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Add Session id: %u\n",
+ mSession->sessionID));
+ // Display the final media session
+ #ifdef DEBUG_MSGS
+ SIP_displayMedias(dList);
+ #endif
+ return;
+ }
+ // if this session needs to be updated
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Insert Session id: %u\n",
+ mSession->sessionID));
+ mSession->nextS = currSession->nextS;
+ // if this is the header, update the new header
+ if (NULL == preSession)
+ *dList = mSession;
+ else
+ preSession->nextS = mSession;
+
+ // Clear the old session
+ currSession->nextS = NULL;
+ sip_freeMediaSession(currSession);
+
+ // Display the final media session
+#ifdef DEBUG_MSGS
+ SIP_displayMedias(dList);
+#endif
+ return;
+}
+#ifdef DEBUG_MSGS
+void SIP_displayMedias(SIP_MediaList *dList)
+{
+ SIP_MediaSession *currSession;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updated Session information------------\n"));
+ currSession = *dList;
+ while(NULL != currSession)
+ {
+ SIP_MediaData *mdata;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session id: %u\n", currSession->sessionID));
+ mdata = currSession->medias;
+ while(NULL != mdata)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Media IP: %s, port: %u, number of ports %u\n",
+ sfip_to_str(&mdata->maddress), mdata->mport, mdata->numPort));
+ mdata = mdata->nextM;
+ }
+ currSession = currSession->nextS;
+ }
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "End of Session information------------\n"));
+}
+#endif
+/********************************************************************
+ * Function: SIP_addDialog
+ *
+ * Add a sip dialog before the current dialog
+ *
+ * Arguments:
+ * SIPMsg * - the message used to create a dialog
+ * SIP_DialogData * - the current dialog location
+ * SIP_DialogList * - the dialogs to be added.
+ *
+ *
+ * Returns: None
+ *
+ ********************************************************************/
+static SIP_DialogData* SIP_addDialog(SIPMsg *sipMsg, SIP_DialogData *currDialog, SIP_DialogList *dList)
+{
+ SIP_DialogData* dialog;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Add Dialog id: %u, From: %u, To: %u, status code: %u\n",
+ sipMsg->dlgID.callIdHash,sipMsg->dlgID.fromTagHash,sipMsg->dlgID.toTagHash, sipMsg->status_code));
+
+ sip_stats.dialogs++;
+
+ dialog = (SIP_DialogData *) calloc(1, sizeof(SIP_DialogData));
+ if (NULL == dialog)
+ return NULL;
+
+ // Add to the head
+ dialog->nextD = currDialog;
+ if(NULL != currDialog)
+ {
+ dialog->prevD = currDialog->prevD;
+ if (NULL != currDialog->prevD)
+ currDialog->prevD->nextD = dialog;
+ else
+ *dList = dialog; // become the head
+ currDialog->prevD = dialog;
+ }
+ else
+ {
+ // The first dialog
+ dialog->prevD = NULL;
+ *dList = dialog;
+ }
+ dialog->dlgID = sipMsg->dlgID;
+ dialog->creator = sipMsg->methodFlag;
+ dialog->state = SIP_DLG_CREATE;
+
+ SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions);
+
+ return dialog;
+
+}
+/********************************************************************
+ * Function: SIP_deleteDialog
+ *
+ * Delete a sip dialog from the list
+ *
+ * Arguments:
+ * SIP_DialogData * - the current dialog to be deleted
+ * SIP_DialogList * - the dialog list.
+ *
+ * Returns: None
+ *
+ ********************************************************************/
+static int SIP_deleteDialog(SIP_DialogData *currDialog, SIP_DialogList *dList)
+{
+ if ((NULL == currDialog)||(NULL == dList))
+ return SIP_FAILURE;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Delete Dialog id: %u, From: %u, To: %u \n",
+ currDialog->dlgID.callIdHash,currDialog->dlgID.fromTagHash,currDialog->dlgID.toTagHash));
+ // If this is the header
+ if(NULL == currDialog->prevD)
+ {
+ if(NULL != currDialog->nextD)
+ currDialog->nextD->prevD = NULL;
+ *dList = currDialog->nextD;
+ }
+ else
+ {
+ currDialog->prevD->nextD = currDialog->nextD;
+ if(NULL != currDialog->nextD)
+ currDialog->nextD->prevD = currDialog->prevD;
+ }
+ sip_freeMediaList(currDialog->mediaSessions);
+ free(currDialog);
+ return SIP_SUCCESS;
+}
+/********************************************************************
+ * Function: SIP_updateDialog()
+ *
+ * Based on the new received sip message, update the dialog information.
+ * If not in the current list, created one and add it to the head.
+ *
+ * Arguments:
+ * SIPMsg * - sip message
+ * SIP_DialogList* - dialog list to be updated,
+ *
+ * Returns:
+ * SIP_SUCCESS: dialog has been updated
+ * SIP_FAILURE: dialog has not been updated
+ ********************************************************************/
+int SIP_updateDialog(SIPMsg *sipMsg, SIP_DialogList *dList, SFSnortPacket *p)
+{
+ SIP_DialogData* dialog;
+ int ret;
+
+ if ((NULL == sipMsg)||(0 == sipMsg->dlgID.callIdHash))
+ return SIP_FAILURE;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updating Dialog id: %u, From: %u, To: %u\n",
+ sipMsg->dlgID.callIdHash,sipMsg->dlgID.fromTagHash,sipMsg->dlgID.toTagHash));
+ dialog = *dList;
+
+ /*Find out the dialog in the dialog list*/
+
+ while(NULL != dialog)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Dialog id: %u, From: %u, To: %u\n",
+ dialog->dlgID.callIdHash,dialog->dlgID.fromTagHash,dialog->dlgID.toTagHash));
+ if (sipMsg->dlgID.callIdHash == dialog->dlgID.callIdHash)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found Dialog id: %u, From: %u, To: %u\n",
+ dialog->dlgID.callIdHash,dialog->dlgID.fromTagHash,dialog->dlgID.toTagHash));
+ break;
+
+ }
+ dialog = dialog->nextD;
+ }
+
+ /*Update the dialog information*/
+
+ if (sipMsg->status_code == 0)
+ ret = SIP_processRequest(sipMsg, dialog, dList, p);
+ else if (sipMsg->status_code > 0)
+ ret = SIP_processResponse(sipMsg, dialog, dList, p);
+ else
+ ret = SIP_FAILURE;
+
+
+ return ret;
+}
+
+/********************************************************************
+ * Function: sip_freeDialogs
+ *
+ * Frees a sip dialog
+ *
+ * Arguments:
+ * SIP_DialogList
+ * The dialogs to free.
+ *
+ * Returns: None
+ *
+ ********************************************************************/
+void sip_freeDialogs (SIP_DialogList list)
+{
+ SIP_DialogData *nextNode;
+ SIP_DialogData *curNode = list;
+
+ while (NULL != curNode)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "*Clean Dialog creator: 0x%x, id: %u, From: %u, To: %u, State: %d\n",
+ curNode->creator, curNode->dlgID.callIdHash,curNode->dlgID.fromTagHash,curNode->dlgID.toTagHash,curNode->state));
+ nextNode = curNode->nextD;
+ sip_freeMediaList(curNode->mediaSessions);
+ free(curNode);
+ curNode = nextNode;
+ }
+
+}
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_dialog.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.h
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_dialog.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_dialog.h 2011-11-21 12:15:24.000000000 -0800
@@ -0,0 +1,34 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 3/15/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef SIP_DIALOG_H_
+#define SIP_DIALOG_H_
+
+#include "spp_sip.h"
+
+int SIP_updateDialog(SIPMsg *sipMsg, SIP_DialogList *dList, SFSnortPacket *p);
+void sip_freeDialogs (SIP_DialogList list);
+
+#endif /* SIP_DIALOG_H_ */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_parser.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.c
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_parser.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.c 2011-10-26 11:28:52.000000000 -0700
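Review bot: The two prototypes in sip_dialog.h carry no contract, and the file banner only says "Provides convenience functions."; from the definitions in sip_dialog.c, SIP_updateDialog returns SIP_SUCCESS or SIP_FAILURE, rejects a NULL sipMsg or a zero callIdHash but dereferences dList without a check, and sip_freeDialogs frees every node together with its media list. Add a comment above each declaration, e.g. `/* Find or create the dialog for sipMsg in *dList; dList must be non-NULL. Returns SIP_SUCCESS or SIP_FAILURE. */` and `/* Frees every dialog in list and the media sessions it owns; list is dangling afterwards. */`. Ownership is also worth stating, since SIP_addDialog links sipMsg->mediaSession into the dialog via SIP_updateMedias rather than copying it, so a caller must not free that session after a successful update.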
@@ -0,0 +1,1290 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifndef HAVE_PARSER_H
+#include <ctype.h>
+#include "sf_types.h"
+#include "sf_snort_packet.h"
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "sip_parser.h"
+#include "spp_sip.h"
+#include "sip_config.h"
+#include "sip_utils.h"
+#include "sf_ip.h"
+
+
+#define MAX_NUM_32BIT 2147483647
+
+
+#define SIP_PARSE_NOFOLDING (-2)
+#define SIP_PARSE_ERROR (-1)
+#define SIP_PARSE_SUCCESS (1)
+
+/*Should at least have SIP/2.0 */
+#define SIP_KEYWORD "SIP/"
+#define SIP_KEYWORD_LEN 4
+#define SIP_VERSION_NUM_LEN 3 /*2.0 or 1.0 or 1.1*/
+#define SIP_VERSION_LEN SIP_KEYWORD_LEN + SIP_VERSION_NUM_LEN
+#define SIP_MIN_MSG_LEN SIP_VERSION_LEN
+
+#define SIP_TAG_KEYWORD "tag="
+#define SIP_TAG_KEYWORD_LEN 4
+
+static int sip_headers_parse(SIPMsg *, const char *, char *,char **);
+static int sip_startline_parse(SIPMsg *, const char *, char *,char **);
+static int sip_body_parse(SIPMsg *, const char *, char *, char **);
+static int sip_check_headers(SIPMsg *);
+
+static int sip_parse_via(SIPMsg *, const char *, const char *);
+static int sip_parse_from(SIPMsg *, const char *, const char *);
+static int sip_parse_to(SIPMsg *, const char *, const char *);
+static int sip_parse_call_id(SIPMsg *, const char *, const char *);
+static int sip_parse_cseq(SIPMsg *, const char *, const char *);
+static int sip_parse_contact(SIPMsg *, const char *, const char *);
+static int sip_parse_authorization(SIPMsg *, const char *, const char *);
+static int sip_parse_content_type(SIPMsg *, const char *, const char *);
+static int sip_parse_content_len(SIPMsg *, const char *, const char *);
+static int sip_parse_content_encode(SIPMsg *, const char *, const char *);
+static int sip_process_headField(SIPMsg *, const char *, const char *, int *);
+static int sip_process_bodyField(SIPMsg *, const char *, const char *);
+static int sip_parse_sdp_o(SIPMsg *, const char *, const char *);
+static int sip_parse_sdp_c(SIPMsg *, const char *, const char *);
+static int sip_parse_sdp_m(SIPMsg *, const char *, const char *);
+static int sip_find_linebreak(const char *, char *, char **);
+
+/*
+ * Header fields and processing functions
+ */
+typedef struct _SIPheaderField
+{
+ char *fname;
+ int fnameLen;
+ char *shortName;
+ int (*setfield) (SIPMsg *, const char *,const char *);
+
+} SIPheaderField;
+
+/*
+ * Body fields and processing functions
+ */
+typedef struct _SIPbodyField
+{
+ char *fname;
+ int fnameLen;
+ int (*setfield) (SIPMsg *, const char *,const char *);
+
+} SIPbodyField;
+
+/*
+ * header field name, short form field name, and field processing function
+ */
+
+SIPheaderField headerFields[] =
+{
+ {"Via", 3, NULL, &sip_parse_via},
+ {"From", 4,"f", &sip_parse_from},
+ {"To", 2, "t", &sip_parse_to},
+ {"Call-ID", 7, "i", &sip_parse_call_id},
+ {"CSeq", 4, NULL, &sip_parse_cseq},
+ {"Contact", 7, "m", &sip_parse_contact},
+ {"Authorization", 13, NULL, &sip_parse_authorization},
+ {"Content-Type", 12, "c", &sip_parse_content_type},
+ {"Content-Length", 14, "l", &sip_parse_content_len},
+ {"Content-Encoding", 16, "e", &sip_parse_content_encode},
+ {NULL, 0, NULL, NULL}
+};
+
+/*
+ * body field name, field processing function
+ */
+
+SIPbodyField bodyFields[] =
+{
+ {"o=", 2, &sip_parse_sdp_o},
+ {"c=", 2, &sip_parse_sdp_c},
+ {"m=", 2, &sip_parse_sdp_m},
+ {NULL, 0, NULL}
+};
+
+/********************************************************************
+ * Function: sip_process_headField()
+ *
+ * Process the header fields (lines). This also deals with folding.
+ *
+ * Arguments:
+ * SIPMsg * - sip message
+ * char* start - start of the header line
+ * char* end - end of the header line
+ * int* - index of last field processed. Used for folding processing
+ * This value will be updated after current field been processed
+ * Returns:
+ * SIP_PARSE_ERROR
+ * SIP_PARSE_SUCCESS
+ ********************************************************************/
+static int sip_process_headField(SIPMsg *msg, const char *start, const char *end, int *lastFieldIndex)
+{
+ int findex =0;
+ int length = end -start;
+ char *colonIndex;
+ char *newStart, *newEnd, newLength;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "process line: %.*s\n", length, start));
+
+ // If this is folding
+ if((' ' == start[0]) || ('\t' == start[0]))
+ {
+ if(SIP_PARSE_NOFOLDING != *lastFieldIndex)
+ {
+ SIP_TrimSP(start, end, &newStart, &newEnd);
+ return(headerFields[*lastFieldIndex].setfield(msg, newStart, newEnd));
+ }
+ }
+ // Otherwise, continue normal processing
+ colonIndex = memchr(start, ':', length);
+
+ if (!colonIndex || (colonIndex < start + 1))
+ return SIP_PARSE_ERROR;
+
+ if (!SIP_TrimSP(start, colonIndex, &newStart, &newEnd))
+ return SIP_PARSE_ERROR;
+
+ newLength = newEnd - newStart;
+
+ /*Find out whether the field name needs to process*/
+ while (NULL != headerFields[findex].fname)
+ {
+ //Use the full name to check
+ if ((headerFields[findex].fnameLen == newLength)&&
+ (0 == strncasecmp(headerFields[findex].fname, newStart, newLength)))
+ {
+ break;
+ }
+ //Use short name to check
+ else if ((NULL != headerFields[findex].shortName) &&
+ ( 1 == newLength)&&
+ (0 == strncasecmp(headerFields[findex].shortName, newStart, newLength)))
+ {
+ break;
+ }
+ findex++;
+ }
+
+ if (NULL != headerFields[findex].fname)
+ {
+ // Found the field name, evaluate the value
+ SIP_TrimSP(colonIndex + 1, end, &newStart, &newEnd);
+ *lastFieldIndex = findex;
+ return (headerFields[findex].setfield(msg, newStart, newEnd));
+ }
+ *lastFieldIndex = SIP_PARSE_NOFOLDING;
+ return SIP_PARSE_SUCCESS;
+}
+/********************************************************************
+ * Function: sip_process_bodyField()
+ *
+ * Process the body fields.
+ *
+ * Arguments:
+ * SIPMsg * - sip message
+ * char* start - start of the line
+ * char* end - end of the line
+ *
+ * Returns:
+ * SIP_PARSE_ERROR
+ * SIP_PARSE_SUCCESS
+ ********************************************************************/
+static int sip_process_bodyField(SIPMsg *msg, const char *start, const char *end)
+{
+ int findex =0;
+ if (start == end)
+ return SIP_PARSE_SUCCESS;
+ /*Find out whether the field name needs to process*/
+ while (NULL != bodyFields[findex].fname)
+ {
+ int length = bodyFields[findex].fnameLen;
+ if (0 == strncasecmp(bodyFields[findex].fname, start,length))
+ {
+ return (bodyFields[findex].setfield(msg,start + length, end));
+ }
+
+ findex++;
+ }
+ return SIP_PARSE_SUCCESS;
+}
+/********************************************************************
+ * Function: sip_find_linebreak()
+ *
+ * Find the line break \r \n in the current buffer
+ *
+ * Arguments:
+ * char* start - start of the buffer
+ * char* end - end of the buffer
+ * char **lineEnd - output, point to the end of the line defined by line breaks
+ * Returns:
+ * int - number of line breaks found in the line found.
+ ********************************************************************/ +static int sip_find_linebreak(const char *start, char *end, char **lineEnd) +{ + int numCRLF; + char *s = (char *)start; + *lineEnd = NULL; + numCRLF = 0; + if (start >= end) + return 0; + + while ((s < end) && !('\r' ==*s || '\n' == *s)) + { + s++; + } + + if (s == end) + return 0; + + s++; + numCRLF = 1; + + if ((s < end) && ('\r' == s[-1]) && ('\n' == s[0])) + { + s++; + numCRLF = 2; + } + + *lineEnd= s; + return numCRLF; +} +/******************************************************************** + * Function: sip_is_valid_version() + * + * Check whether the version is a valid version (2.0, 1.1, 1.0) + * + * Arguments: + * char* start - start of the version + * + * Returns: + * SIP_TRUE + * SIP_FALSE + ********************************************************************/ +static inline int sip_is_valid_version(const char *start) +{ + if (!strncmp(start, "1.", 2)) + { + if ((*(start+2) == '1') || (*(start+2) == '0')) + return SIP_TRUE; + } + else if (!strncmp(start, "2.0", 3)) + return SIP_TRUE; + + return SIP_FALSE; +} +/******************************************************************** + * Function: sip_startline_parse() + * + * Parse the start line: request and response are different + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the sip message buffer + * char* end - end of the buffer + * char**lineEnd - output, the found end of start line + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ + +static int sip_startline_parse(SIPMsg *msg, const char *buff, char *end, char **lineEnd) +{ + char *next; + char *start; + int length; + int numOfLineBreaks; + + start = (char *) buff; + + numOfLineBreaks = sip_find_linebreak(start, end, &next); + if (numOfLineBreaks < 1) + { + /*No CRLF */ + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No CRLF, check failed\n")); + return SIP_FAILURE; + } + + /*Exclude CRLF from start 
line*/ + length = next - start - numOfLineBreaks; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Start line: %.*s \n", length, start)); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "End of Start line \n")); + + /*Should at least have SIP/2.0 */ + if (length < SIP_MIN_MSG_LEN) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Message too short, check failed\n")); + return SIP_FAILURE; + } + + *lineEnd = next; + // This is a response + if (0 == strncmp((const char *) buff, (const char *) SIP_KEYWORD, SIP_KEYWORD_LEN)) + { + char *space; + unsigned long statusCode; + + /*Process response*/ + msg->method = NULL; + msg->uri = NULL; + + /*Check SIP version number, end with SP*/ + if (!(sip_is_valid_version(buff + SIP_KEYWORD_LEN) && (*(buff + SIP_VERSION_LEN) == ' '))) + { + ALERT(SIP_EVENT_INVALID_VERSION,SIP_EVENT_INVALID_VERSION_STR); + } + + space = strchr(buff, ' '); + if (space == NULL) + return SIP_FAILURE; + statusCode = _dpd.SnortStrtoul(space + 1, NULL, 10); + if (( statusCode > MAX_STAT_CODE) || (statusCode < MIN_STAT_CODE )) + { + ALERT(SIP_EVENT_BAD_STATUS_CODE,SIP_EVENT_BAD_STATUS_CODE_STR) + msg->status_code = MAX_STAT_CODE + 1; + } + else + msg->status_code = (uint16_t)statusCode; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Status code: %d \n", msg->status_code)); + + } + else /* This might be a request*/ + { + char *space; + char *version; + int length; + SIPMethodNode *method; + + /*Process request*/ + if (NULL ==sip_eval_config) + return SIP_FAILURE; + msg->status_code = 0; + + // Parse the method + space = memchr(buff, ' ', end - buff); + if (space == NULL) + return SIP_FAILURE; + length = space - buff; + msg->method = (char*)buff; + msg->methodLen = length; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "method: %.*s\n", msg->methodLen, msg->method)); + + method = SIP_FindMethod (sip_eval_config->methods, msg->method, msg->methodLen); + if (NULL == method) + { + ALERT(SIP_EVENT_UNKOWN_METHOD, SIP_EVENT_UNKOWN_METHOD_STR); + return SIP_FAILURE; + } + else + { + msg->methodFlag = 
method->methodFlag; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag)); + } + + // parse the uri + if (space + 1 > end) + return SIP_FAILURE; + msg->uri = space + 1; + space = memchr(space + 1, ' ', end - msg->uri); + if (space == NULL) + return SIP_FAILURE; + msg->uriLen = space - msg->uri; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "uri: %.*s, length: %u\n", msg->uriLen, msg->uri, msg->uriLen)); + if(0 == msg->uriLen) + ALERT(SIP_EVENT_EMPTY_REQUEST_URI,SIP_EVENT_EMPTY_REQUEST_URI_STR) + else if (sip_eval_config->maxUriLen && (msg->uriLen > sip_eval_config->maxUriLen)) + ALERT(SIP_EVENT_BAD_URI,SIP_EVENT_BAD_URI_STR); + + version = space + 1; + if (version + SIP_VERSION_LEN > end) + return SIP_FAILURE; + if (0 != strncmp((const char *) version, (const char *) SIP_KEYWORD, SIP_KEYWORD_LEN)) + return SIP_FAILURE; + /*Check SIP version number, end with CRLF*/ + if (!sip_is_valid_version(*lineEnd - SIP_VERSION_NUM_LEN - numOfLineBreaks)) + { + ALERT(SIP_EVENT_INVALID_VERSION,SIP_EVENT_INVALID_VERSION_STR); + } + + } + + + return SIP_SUCCESS; +} +/******************************************************************** + * Function: sip_headers_parse() + * + * Parse the SIP header: request and response are the same + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the header + * char* end - end of the buffer + * char**lineEnd - output, the found end of header + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +static int sip_headers_parse(SIPMsg *msg, const char *buff, char *end, char **headEnd) +{ + char *next; + char *start; + int length; + int numOfLineBreaks; + int lastFieldIndex = SIP_PARSE_NOFOLDING ; + + start = (char *) buff; + /* + * The end of header is defined by two CRLFs, or CRCR, or LFLF + */ + numOfLineBreaks = sip_find_linebreak(start, end, &next); + + while (numOfLineBreaks > 0) + { + + /*Processing this line*/ 
+ length = next - start - numOfLineBreaks; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Header line: %.*s\n", length, start)); + /*Process headers*/ + sip_process_headField(msg, start, start + length, &lastFieldIndex); + + /*check the end of header*/ + if ((1 == numOfLineBreaks) && ( start[0] == start[-1])) + { + /*Either CRCR or LFLF*/ + *headEnd = next ; + return SIP_SUCCESS; + + } + else if ( (2 == numOfLineBreaks) && ('\r' == start[0])&&('\n' == start[1])) + { + *headEnd = next; + return SIP_SUCCESS; + } + + start = next; + numOfLineBreaks = sip_find_linebreak(start, end, &next); + + } + return SIP_SUCCESS; +} +/******************************************************************** + * Function: sip_body_parse() + * + * Parse the SIP body: request and response are the same + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the body + * char* end - end of the buffer + * char**lineEnd - output, the found end of body + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +static int sip_body_parse(SIPMsg *msg, const char *buff, char *end, char **bodyEnd) +{ + int length; + char *next; + char *start; + int numOfLineBreaks; + length = end - buff; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Body length: %d\n", length);); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Body line: %.*s\n", length, buff);); + + // Initialize it + *bodyEnd = end; + + if (buff == end) + return SIP_SUCCESS; + + msg->body_data = (uint8_t *)buff; + + // Create a media session + msg->mediaSession = (SIP_MediaSession *)calloc(1, sizeof(SIP_MediaSession)); + if (NULL == msg->mediaSession) + return SIP_FAILURE; + start = (char *) buff; + + /* + * The end of body is defined by two CRLFs or CRCR or LFLF + */ + numOfLineBreaks = sip_find_linebreak(start, end, &next); + + while (numOfLineBreaks > 0) + { + /*Processing this line*/ + length = next - start - numOfLineBreaks; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Body line: %.*s\n", length, 
start)); + /*Process body fields*/ + sip_process_bodyField(msg, start, start + length); + + start = next; + numOfLineBreaks = sip_find_linebreak(start, end, &next); + } + *bodyEnd = start; + return SIP_SUCCESS; +} + +/******************************************************************** + * Function: sip_check_headers() + * + * Check whether the headers are mal-formed. + * Most checks are here, except some need context information are scattered + * in the parsing. + * + * Arguments: + * SIPMsg * - sip message + * + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +static int sip_check_headers(SIPMsg *msg) +{ + int ret = SIP_SUCCESS; + if(0 == msg->fromLen) + { + ALERT(SIP_EVENT_EMPTY_FROM,SIP_EVENT_EMPTY_FROM_STR) + ret = SIP_FAILURE; + } + else if (sip_eval_config->maxFromLen && (msg->fromLen > sip_eval_config->maxFromLen)) + { + ALERT(SIP_EVENT_BAD_FROM,SIP_EVENT_BAD_FROM_STR); + ret = SIP_FAILURE; + } + + if(0 == msg->toLen) + { + ALERT(SIP_EVENT_EMPTY_TO,SIP_EVENT_EMPTY_TO_STR) + ret = SIP_FAILURE; + } + else if (sip_eval_config->maxToLen && (msg->toLen > sip_eval_config->maxToLen)) + { + ALERT(SIP_EVENT_BAD_TO,SIP_EVENT_BAD_TO_STR); + ret = SIP_FAILURE; + } + + if(0 == msg->callIdLen) + { + ALERT(SIP_EVENT_EMPTY_CALL_ID,SIP_EVENT_EMPTY_CALL_ID_STR) + ret = SIP_FAILURE; + } + else if ( sip_eval_config->maxCallIdLen && (msg->callIdLen > sip_eval_config->maxCallIdLen)) + { + ALERT(SIP_EVENT_BAD_CALL_ID,SIP_EVENT_BAD_CALL_ID_STR); + ret = SIP_FAILURE; + } + + if(msg->cseqnum > MAX_NUM_32BIT) + { + ALERT(SIP_EVENT_BAD_CSEQ_NUM,SIP_EVENT_BAD_CSEQ_NUM_STR); + ret = SIP_FAILURE; + } + if ( sip_eval_config->maxRequestNameLen && (msg->cseqNameLen > sip_eval_config->maxRequestNameLen)) + { + ALERT(SIP_EVENT_BAD_CSEQ_NAME,SIP_EVENT_BAD_CSEQ_NAME_STR); + ret = SIP_FAILURE; + } + + /*Alert here after parsing*/ + if(0 == msg->viaLen) + { + ALERT(SIP_EVENT_EMPTY_VIA,SIP_EVENT_EMPTY_VIA_STR) + ret = SIP_FAILURE; 
+ } + else if (sip_eval_config->maxViaLen && (msg->viaLen > sip_eval_config->maxViaLen)) + { + ALERT(SIP_EVENT_BAD_VIA,SIP_EVENT_BAD_VIA_STR); + ret = SIP_FAILURE; + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Method flag: %d\n", msg->methodFlag)); + + // Contact is required for invite message + if((0 == msg->contactLen)&&(msg->methodFlag == SIP_METHOD_INVITE)&&(0 == msg->status_code)) + { + ALERT(SIP_EVENT_EMPTY_CONTACT,SIP_EVENT_EMPTY_CONTACT_STR) + ret = SIP_FAILURE; + } + else if (sip_eval_config->maxContactLen && (msg->contactLen > sip_eval_config->maxContactLen)) + { + ALERT(SIP_EVENT_BAD_CONTACT,SIP_EVENT_BAD_CONTACT_STR); + ret = SIP_FAILURE; + } + + if((0 == msg->contentTypeLen) && (msg->content_len > 0)) + { + ALERT(SIP_EVENT_EMPTY_CONTENT_TYPE,SIP_EVENT_EMPTY_CONTENT_TYPE_STR) + ret = SIP_FAILURE; + } + + return ret; +} + +/******************************************************************** + * Function: sip_parse_via() + * + * Parse the via field: Via can have multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the via filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_via(SIPMsg *msg, const char *start, const char *end) +{ + int length = end -start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Via value: %.*s\n", length, start);); + msg->viaLen = msg->viaLen + length; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Via length: %d\n", msg->viaLen);); + + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_from() + * + * Parse the from field and get from tag + * Note: From has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the from filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + 
********************************************************************/ + +static int sip_parse_from(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + char *buff; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "From value: %.*s\n", length, start);); + msg->from = (char *)start; + msg->fromLen = end - start; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "From length: %d , content: %.*s\n", + msg->fromLen, msg->fromLen, msg->from);); + + + /*Get the from tag*/ + msg->fromTagLen = 0; + + buff = memchr(start, ';', msg->fromLen); + while ((NULL != buff)&& (buff < end)) + { + if (0 == strncmp(buff + 1, SIP_TAG_KEYWORD, SIP_TAG_KEYWORD_LEN)) + { + msg->from_tag = buff + SIP_TAG_KEYWORD_LEN + 1; + msg->fromTagLen = end - msg->from_tag; + msg->dlgID.fromTagHash = strToHash(msg->from_tag,msg->fromTagLen); + break; + } + buff = memchr(buff + 1, ';', msg->fromLen); + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "From tag length: %d , hash: %u, content: %.*s\n", + msg->fromTagLen, msg->dlgID.fromTagHash, msg->fromTagLen, msg->from_tag);); + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_to() + * + * Parse the to field and get to tag information + * Note: To has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the to filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_to(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + char *buff; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "To value: %.*s\n", length, start);); + msg->to = (char *)start; + msg->toLen = end - start; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "To length: %d , content: %.*s\n", + msg->toLen, msg->toLen, msg->to);); + + /*Processing tag information*/ + msg->toTagLen = 0; + + buff = memchr(start, ';', 
msg->toLen); + while ((NULL != buff)&& (buff < end)) + { + if (0 == strncmp(buff + 1, SIP_TAG_KEYWORD, SIP_TAG_KEYWORD_LEN)) + { + msg->to_tag = buff + SIP_TAG_KEYWORD_LEN + 1; + msg->toTagLen = end - msg->to_tag; + msg->dlgID.toTagHash = strToHash(msg->to_tag,msg->toTagLen); + break; + } + buff = memchr(buff + 1, ';', msg->toLen); + } + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "To tag length: %d , Hash: %u, content: %.*s\n", + msg->toTagLen, msg->dlgID.toTagHash, msg->toTagLen, msg->to_tag);); + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_call_id() + * + * Parse the call-id field + * Note: call-id has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_call_id(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Call-Id value: %.*s\n", length, start);); + msg->call_id = (char *) start; + msg->callIdLen = end - start; + msg->dlgID.callIdHash = strToHash(msg->call_id, msg->callIdLen); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Call-Id length: %d, Hash: %u\n", + msg->callIdLen, msg->dlgID.callIdHash);); + + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_cseq() + * + * Parse the cseq field: get sequence number and request name + * Note: Cseq has no multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_cseq(SIPMsg *msg, const char *start, const char *end) +{ + char *next = NULL; + 
DEBUG_WRAP(int length = end -start;) + SIPMethodNode* method = NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "CSeq value: %.*s\n", length, start);); + msg->cseqnum = _dpd.SnortStrtoul(start, &next, 10); + if ((NULL != next )&&(next < end)) + { + msg->cseqName = next + 1; + msg->cseqNameLen = end - msg->cseqName; + method = SIP_FindMethod (sip_eval_config->methods, msg->cseqName, msg->cseqNameLen); + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "CSeq number: %d, CSeqName: %.*s\n", + msg->cseqnum, msg->cseqNameLen, msg->cseqName);); + + if (NULL == method) + { + ALERT(SIP_EVENT_INVALID_CSEQ_NAME,SIP_EVENT_INVALID_CSEQ_NAME_STR) + return SIP_PARSE_ERROR; + } + else + { + /*Use request name only for response message*/ + if ((SIP_METHOD_NULL == msg->methodFlag)&&( msg->status_code > 0)) + msg->methodFlag = method->methodFlag; + else if ( method->methodFlag != msg->methodFlag) + { + ALERT(SIP_EVENT_MISMATCH_METHOD,SIP_EVENT_MISMATCH_METHOD_STR) + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag)); + + } + + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_contact() + * + * Parse the to contact field + * Note: Contact has multiple header + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_contact(SIPMsg *msg, const char *start, const char *end) +{ + int length = end -start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Contact value: %.*s\n", length, start);); + msg->contact = (char *) start; + msg->contactLen = msg->contactLen + length; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Contact length: %d\n", msg->contactLen);); + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * 
Function: sip_parse_authorization() + * + * Parse the to authorization field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_authorization(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Authorization value: %.*s\n", length, start);); + msg->authorization = (char *) start; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_content_type() + * + * Parse the to content type field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_content_type(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content type value: %.*s\n", length, start);); + msg->contentTypeLen = end - start; + msg->content_type = (char *) start; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_content_len() + * + * Parse the to content length field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_content_len(SIPMsg *msg, const char *start, const char *end) +{ + int length; + char *next = NULL; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content length value: %.*s\n", length, start);); + + msg->content_len = 
_dpd.SnortStrtoul(start, &next, 10); + if ( sip_eval_config->maxContentLen && (msg->content_len > sip_eval_config->maxContentLen)) + ALERT(SIP_EVENT_BAD_CONTENT_LEN,SIP_EVENT_BAD_CONTENT_LEN_STR); + /*Check the length of the value*/ + if (next > start + SIP_CONTENT_LEN) // This check is to prevent overflow + { + if (sip_eval_config->maxContentLen) + ALERT(SIP_EVENT_BAD_CONTENT_LEN,SIP_EVENT_BAD_CONTENT_LEN_STR); + return SIP_PARSE_ERROR; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content length: %u\n", msg->content_len);); + + return SIP_PARSE_SUCCESS; +} + +/******************************************************************** + * Function: sip_parse_content_encode() + * + * Parse the to content encode field + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ + +static int sip_parse_content_encode(SIPMsg *msg, const char *start, const char *end) +{ + DEBUG_WRAP(int length = end -start;) + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Content encode value: %.*s\n", length, start);); + msg->content_encode = (char *) start; + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_sdp_o() + * + * Parse SDP origination information + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_parse_sdp_o(SIPMsg *msg, const char *start, const char *end) +{ + int length; + char *spaceIndex = NULL; + + if (NULL == msg->mediaSession) + return SIP_PARSE_ERROR; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Origination information: %.*s\n", length, start);); + // Get username and session ID information (before second 
space) + spaceIndex = memchr(start, ' ', length); // first space + if ((NULL == spaceIndex)||(spaceIndex == end)) + return SIP_PARSE_ERROR; + spaceIndex = memchr(spaceIndex + 1, ' ', end - spaceIndex -1 ); // second space + if (NULL == spaceIndex) + return SIP_PARSE_ERROR; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session information: %.*s\n", spaceIndex - start, start);); + msg->mediaSession->sessionID = strToHash(start, spaceIndex - start); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Session ID: %u\n", msg->mediaSession->sessionID);); + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_sdp_c() + * + * Parse SDP connection data + * + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_parse_sdp_c(SIPMsg *msg, const char *start, const char *end) +{ + int length; + sfip_t *ip; + char ipStr[INET6_ADDRSTRLEN + 5]; /* Enough for IPv4 plus netmask or + full IPv6 plus prefix */ + char *spaceIndex = NULL; + + if (NULL == msg->mediaSession) + return SIP_PARSE_ERROR; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Connection data: %.*s\n", length, start);); + + /*Get the IP address*/ + spaceIndex = memchr(start, ' ', length); // first space + if ((NULL == spaceIndex)||(spaceIndex == end)) + return SIP_PARSE_ERROR; + spaceIndex = memchr(spaceIndex + 1, ' ', end - spaceIndex -1 ); // second space + if (NULL == spaceIndex) + return SIP_PARSE_ERROR; + length = end - spaceIndex; + + memset(ipStr, 0, sizeof(ipStr)); + if(length > INET6_ADDRSTRLEN) + { + length = INET6_ADDRSTRLEN; + } + strncpy(ipStr, spaceIndex, length); + ipStr[length] = '\0'; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "IP data: %s\n", ipStr);); + + // If no default session connect information, add it + if(NULL == msg->mediaSession->medias) 
+ { + ip = &(msg->mediaSession->maddress_default); + } + else // otherwise, update the latest media data (header of media list) + { + ip = &(msg->mediaSession->medias->maddress); + } + if( (sfip_pton(ipStr, ip)) != SFIP_SUCCESS) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed error! \n");); + return SIP_PARSE_ERROR; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed Connection data: %s\n", sfip_to_str (ip));); + + return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse_sdp_c() + * + * Parse media type information + * Note: to make it easier update the media address, media data are added to the header of media list + * Arguments: + * SIPMsg * - sip message + * char* start - start of the filed line + * char* end - end of the line + * Returns: + * SIP_PARSE_ERROR + * SIP_PARSE_SUCCESS + ********************************************************************/ +static int sip_parse_sdp_m(SIPMsg *msg, const char *start, const char *end) +{ + int length; + char *spaceIndex = NULL; + char *next; + SIP_MediaData *mdata; + + if (NULL == msg->mediaSession) + return SIP_PARSE_ERROR; + length = end - start; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Media information: %.*s\n", length, start);); + + spaceIndex = memchr(start, ' ', length); // first space + if ((NULL == spaceIndex)||(spaceIndex == end)) + return SIP_PARSE_ERROR; + mdata = (SIP_MediaData *) calloc(1, sizeof(SIP_MediaData)); + + if (NULL == mdata) + return SIP_PARSE_ERROR; + + mdata->mport = (uint16_t) _dpd.SnortStrtoul(spaceIndex + 1, &next, 10); + if ((NULL != next)&&('/'==next[0])) + mdata->numPort = (uint8_t)_dpd.SnortStrtoul(spaceIndex + 1, &next, 10); + // Put + mdata->nextM = msg->mediaSession->medias; + mdata->maddress = msg->mediaSession->maddress_default; + msg->mediaSession->medias = mdata; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Media IP: %s, Media port %u, number of media: %d\n", + sfip_to_str(&mdata->maddress), mdata->mport, mdata->numPort);); + 
return SIP_PARSE_SUCCESS; +} +/******************************************************************** + * Function: sip_parse() + * + * The main entry for parser: process the sip messages. + * + * Arguments: + * SIPMsg * - sip message + * char* buff - start of the sip message buffer + * char* end - end of the buffer + * + * Returns: + * SIP_FAILURE + * SIP_SUCCESS + ********************************************************************/ +int sip_parse(SIPMsg *msg, const char *buff, char *end) +{ + char *nextIndex; + char *start; + int status; + + /*Initialize key values*/ + msg->methodFlag = SIP_METHOD_NULL; + msg->status_code = 0; + + /*Parse the start line*/ + start = (char *) buff; + nextIndex = NULL; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Start parsing...\n")); + + msg->header = (uint8_t *) buff; + status = sip_startline_parse(msg, start, end, &nextIndex); + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Start line parsing failed...\n")); + return status; + } + + /*Parse the headers*/ + start = nextIndex; + status = sip_headers_parse(msg, start, end, &nextIndex); + msg->headerLen = nextIndex - buff; + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Header parsing failed...\n")); + } + + status = sip_check_headers(msg); + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Headers validation failed...\n")); + } + + /*Parse the body*/ + start = nextIndex; + msg->bodyLen = end - start; + /*Disable this check for TCP. 
Revisit this again when PAF enabled for SIP*/ + if((!msg->isTcp)&&(msg->content_len != msg->bodyLen)) + ALERT(SIP_EVENT_MISMATCH_CONTENT_LEN,SIP_EVENT_MISMATCH_CONTENT_LEN_STR); + + if (msg->content_len < msg->bodyLen) + status = sip_body_parse(msg, start, start + msg->content_len, &nextIndex); + else + status = sip_body_parse(msg, start, end, &nextIndex); + + if(SIP_FAILURE == status ) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Headers validation failed...\n")); + } + + // Find out whether multiple SIP messages in this packet + /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/ + if ((!msg->isTcp) && (nextIndex < end)) + { + if (SIP_SUCCESS == sip_startline_parse(msg, nextIndex, end, &nextIndex)) + ALERT(SIP_EVENT_MULTI_MSGS,SIP_EVENT_MULTI_MSGS_STR); + } + return status; +} + +/******************************************************************** + * Function: sip_freeMsg + * + * Frees a sip msg. + * Media session information will be release if they are not used by dialog. + * + * Arguments: + * SIPMsg * + * The sip message to free. + * + * Returns: None + * + ********************************************************************/ +void sip_freeMsg (SIPMsg *msg) +{ + + if (NULL == msg) + return; + if (NULL != msg->mediaSession) + { + if (SIP_SESSION_SAVED != msg->mediaSession->savedFlag) + sip_freeMediaSession(msg->mediaSession); + } + +} +/******************************************************************** + * Function: sip_freeMediaSession + * + * Frees a sip media session + * + * Arguments: + * SIP_MediaSession * + * The media session to free. 
+ * + * Returns: None + * + ********************************************************************/ +void sip_freeMediaSession (SIP_MediaSession *mediaSession) +{ + SIP_MediaData *nextNode; + SIP_MediaData *curNode = NULL; + + + if (NULL != mediaSession) + { + curNode = mediaSession->medias; + } + + while (NULL != curNode) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Clear media ip: %s, port: %d, number of port: %d\n", + sfip_to_str(&curNode->maddress), curNode->mport, curNode->numPort )); + nextNode = curNode->nextM; + free(curNode); + curNode = nextNode; + } + if (NULL != mediaSession) + free (mediaSession); +} +/******************************************************************** + * Function: sip_freeMediaList + * + * Frees a sip media session list + * + * Arguments: + * SIP_MediaList + * The media session list to free. + * + * Returns: None + * + ********************************************************************/ +void sip_freeMediaList (SIP_MediaList medias) +{ + SIP_MediaSession *nextNode; + SIP_MediaSession *curNode = medias; + + while (NULL != curNode) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Clean Media session default IP: %s, session ID: %u\n", + sfip_to_str(&curNode->maddress_default), curNode->sessionID)); + nextNode = curNode->nextS; + sip_freeMediaSession(curNode); + curNode = nextNode; + } + +} +#endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_parser.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.h --- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_parser.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_parser.h 2011-06-07 17:33:14.000000000 -0700 
@@ -0,0 +1,41 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions for parsing and querying configuration.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef _SIP_PARSER_H_
+#define _SIP_PARSE_H_
+
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "sip_debug.h"
+#include "spp_sip.h"
+#include "sf_ip.h"
+
+
+int sip_parse(SIPMsg *, const char *, char *);
+void sip_freeMsg (SIPMsg *msg);
+void sip_freeMediaSession (SIP_MediaSession*);
+void sip_freeMediaList (SIP_MediaList medias);
+
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_roptions.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.c
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_roptions.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.c 2011-06-07 17:33:15.000000000 -0700
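Review bot: The include guard in sip_parser.h never closes: `#ifndef _SIP_PARSER_H_` is followed by `#define _SIP_PARSE_H_`, so the macro being tested is never defined and the header body is re-processed on every inclusion; the define should read `#define _SIP_PARSER_H_`. With only prototypes in the file this is harmless today, but the guard is the only thing protecting any type definition added here later from a redefinition error. As a point of style, identifiers that begin with an underscore followed by an uppercase letter are reserved for the implementation in C, so a guard such as `SIP_PARSER_H` would be preferable; the same applies to `_SIP_ROPTIONS_H_` in the sip_roptions.h hunk below.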
@@ -0,0 +1,472 @@ +/**************************************************************************** + * Copyright (C) 20011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + **************************************************************************** + * + ****************************************************************************/ + +#include <errno.h> +#include <string.h> +#include <stdarg.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "sip_roptions.h" +#include "spp_sip.h" +#include "sf_types.h" +#include "sf_dynamic_preprocessor.h" +#include "stream_api.h" +#include "sf_dynamic_engine.h" +#include "sf_snort_plugin_api.h" +#include "sfhashfcn.h" +#include "profiler.h" +#include "sip_utils.h" +#include "sip_debug.h" +#include "sip_config.h" +#include "treenodes.h" + +#define SIP_ROPT__METHOD "sip_method" +#define SIP_ROPT__STATUS_CODE "sip_stat_code" +#define SIP_ROPT__HEADER "sip_header" +#define SIP_ROPT__BODY "sip_body" + + +/******************************************************************** + * Private function prototypes + ********************************************************************/ +static int SIP_MethodInit(char *, char *, void **); +static int 
SIP_MethodEval(void *, const uint8_t **, void *); +static int SIP_HeaderInit(char *, char *, void **); +static int SIP_HeaderEval(void *, const uint8_t **, void *); +static int SIP_StatCodeInit(char *, char *, void **); +static int SIP_StatCodeEval(void *, const uint8_t **, void *); +static int SIP_BodyInit(char *, char *, void **); +static int SIP_BodyEval(void *, const uint8_t **, void *); +static int SIP_MethodAddFastPatterns(void *, int, int, FPContentInfo **); + + +static inline int SIP_RoptDoEval(SFSnortPacket *p) +{ + if ((p->payload_size == 0) || + (p->stream_session_ptr == NULL) || + (!IsTCP(p) && !IsUDP(p))) + { + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload or no " + "session pointer or not TCP or UDP - not evaluating.\n")); + return 0; + } + + return 1; +} + +static inline int IsRequest(SIP_Roptions *ropts) +{ + if (ropts->status_code) + return FALSE; + else + return TRUE; +} + +/* Parsing for the rule option */ +static int SIP_MethodInit(char *name, char *params, void **data) +{ + + int flags = 0, mask = 0; + char *end = NULL; + char *tok; + int negated = 0; + int numTokens = 0; + SipMethodRuleOptData *sdata; + SIPMethodNode *method; + + if (strcasecmp(name, SIP_ROPT__METHOD) != 0) + return 0; + + + /*Evaluate whether all the methods are in the PP configurations */ + sip_eval_config = sfPolicyUserDataGetCurrent(sip_config); + + if (NULL == sip_eval_config) + DynamicPreprocessorFatalMessage("%s(%d) => Configuration error!\n", + *(_dpd.config_file), *(_dpd.config_line)); + + /* Must have arguments */ + if (SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_method keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + tok = strtok_r(params, ",", &end); + + if(!tok) + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_method keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + + while (NULL != tok) + { + + numTokens++; + + if (tok[0] == '!') + { + negated = 1; + tok++; + } + 
+ /*Only one method is allowed with !*/ + if (negated && (numTokens > 1)) + { + DynamicPreprocessorFatalMessage("%s(%d) => %s, only one method is allowed with ! for %s.\n", + *(_dpd.config_file), *(_dpd.config_line), tok, name); + } + method = SIP_FindMethod (sip_eval_config->methods, tok, strlen (tok)); + + /*if method is not found, add it as a user defined method*/ + if (NULL == method) + { + method = SIP_AddUserDefinedMethod(tok, &sip_eval_config->methodsConfig, &sip_eval_config->methods ); + if (NULL == method) + DynamicPreprocessorFatalMessage("%s(%d) => %s can't add new method to %s.\n", + *(_dpd.config_file), *(_dpd.config_line), tok, name); + _dpd.logMsg("%s(%d) => Add user defined method: %s to SIP preprocessor through rule.\n", + *(_dpd.config_file), *(_dpd.config_line), method->methodName); + } + + flags |= 1 << (method->methodFlag - 1); + if (negated) + mask |= 1 << (method->methodFlag - 1); + + tok = strtok_r(NULL, ", ", &end); + + } + + sdata = (SipMethodRuleOptData *)calloc(1, sizeof(*sdata)); + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "sip preprocessor rule option.\n"); + } + + sdata->flags = flags; + sdata->mask = mask; + *data = (void *)sdata; + return 1; + +} +/* Rule option evaluation */ +static int SIP_MethodEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + SipMethodRuleOptData *sdata = (SipMethodRuleOptData *)data; + uint32_t methodFlag; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" rule option.\n", SIP_ROPT__METHOD)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Rule Flags: %x Data Flags: %x, Mask: %x 
\n", sdata->flags, ropts->methodFlag, sdata->mask )); + // Not response + methodFlag = 1 << (ropts->methodFlag - 1); + if (IsRequest(ropts) && ((sdata->flags & methodFlag) ^ sdata->mask)) + { + return RULE_MATCH; + } + return RULE_NOMATCH; + +} +static int SIP_MethodAddFastPatterns(void *data, int protocol, + int direction, FPContentInfo **info) +{ + + char *sip = "SIP"; + FPContentInfo *method_fp; + SipMethodRuleOptData *sdata = (SipMethodRuleOptData *)data; + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" fast pattern rule option.\n", SIP_ROPT__METHOD)); + if ((sdata == NULL) || (info == NULL)) + return -1; + + if ((protocol != IPPROTO_TCP) && (protocol != IPPROTO_UDP)) + return -1; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "adding info to \"%s\" fast pattern rule option.\n", SIP_ROPT__METHOD)); + + method_fp = (FPContentInfo *)calloc(1,sizeof(FPContentInfo)); + if (NULL == method_fp) + return -1; + + method_fp->content = (char *)malloc(strlen(sip)); + if (NULL == method_fp->content) + return -1; + memcpy(method_fp->content, sip, strlen(sip)); + method_fp->length = strlen(sip); + *info = method_fp; + return 0; +} +/* Parsing for the rule option */ +static int SIP_HeaderInit(char *name, char *params, void **data) +{ + if (strcasecmp(name, SIP_ROPT__HEADER) != 0) + return 0; + + /* Must not have arguments */ + if (!SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has no arguments.\n", + SIP_ROPT__HEADER, *(_dpd.config_file), *(_dpd.config_line)); + + } + + return 1; +} +/* Rule option evaluation */ +static int SIP_HeaderEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" rule option.\n", SIP_ROPT__HEADER)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + 
{ + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + if (ropts->header_data != NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Setting cursor to header data: %p.\n", ropts->header_data)); + *cursor = ropts->header_data; + //Limit the length + _dpd.SetAltDetect((uint8_t *)ropts->header_data, ropts->header_len); + + return RULE_MATCH; + } + return RULE_NOMATCH; +} + + +/* Parsing for the rule option */ +static int SIP_StatCodeInit(char *name, char *params, void **data) +{ + char *end = NULL; + char *tok; + int i_tok = 0; + SipStatCodeRuleOptData *sdata; + + if (strcasecmp(name, SIP_ROPT__STATUS_CODE) != 0) + return 0; + + /* Must have arguments */ + if (SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_stat_code keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + tok = strtok_r(params, ",", &end); + + if(!tok) + DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_stat_code keyword\n", + *(_dpd.config_file), *(_dpd.config_line)); + + sdata = (SipStatCodeRuleOptData *)calloc(1, sizeof(*sdata)); + + if (sdata == NULL) + { + DynamicPreprocessorFatalMessage("Could not allocate memory for the " + "sip preprocessor rule option.\n"); + } + + while ((NULL != tok) && (i_tok < SIP_NUM_STAT_CODE_MAX)) + { + + unsigned long statCode = _dpd.SnortStrtoul(tok, NULL, 10); + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Rule Status code: %d.\n",sdata->stat_codes[i_tok])); + if ((statCode > MAX_STAT_CODE) || + ((statCode > NUM_OF_RESPONSE_TYPES - 1) && (statCode < MIN_STAT_CODE))) + { + DynamicPreprocessorFatalMessage("%s(%d) => Status code %u specified is not a 3 digit number or 1 - %d\n ", + *(_dpd.config_file), *(_dpd.config_line), statCode, NUM_OF_RESPONSE_TYPES-1); + } + sdata->stat_codes[i_tok] = (uint16_t)statCode; + + tok = strtok_r(NULL, ", ", &end); + i_tok++; + } + + if (NULL != tok) + DynamicPreprocessorFatalMessage("%s(%d) 
=> More than %d argument to sip_stat_code keyword\n", + *(_dpd.config_file), *(_dpd.config_line), SIP_NUM_STAT_CODE_MAX); + + + *data = (void *)sdata; + return 1; + +} +/* Rule option evaluation */ +static int SIP_StatCodeEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + SipStatCodeRuleOptData *sdata = (SipStatCodeRuleOptData *)data; + uint16_t short_code; + int i_code; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Evaluating \"%s\" rule option.\n", SIP_ROPT__STATUS_CODE)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Status code in packet: %d \n", ropts->status_code)); + + if (0 == ropts->status_code) + return RULE_NOMATCH; + + /*Match the status code*/ + short_code = ropts->status_code / 100; + for(i_code = 0; i_code < SIP_NUM_STAT_CODE_MAX; i_code++) + { + if ((sdata->stat_codes[i_code] == short_code)|| + (sdata->stat_codes[i_code] == ropts->status_code)) + return RULE_MATCH; + } + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Rule No Match\n")); + return RULE_NOMATCH; +} + +/* Parsing for the rule option */ +static int SIP_BodyInit(char *name, char *params, void **data) +{ + + if (strcasecmp(name, SIP_ROPT__BODY) != 0) + return 0; + + /* Must not have arguments */ + if (!SIP_IsEmptyStr(params)) + { + DynamicPreprocessorFatalMessage("%s, %s(%d) => rule option: This option has no arguments.\n", + SIP_ROPT__BODY, *(_dpd.config_file), *(_dpd.config_line)); + + } + + return 1; +} +/* Rule option evaluation */ +static int SIP_BodyEval(void *pkt, const uint8_t **cursor, void *data) +{ + SFSnortPacket *p = (SFSnortPacket *)pkt; + SIPData *sd; + SIP_Roptions *ropts; + + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + 
"Evaluating \"%s\" rule option.\n", SIP_ROPT__BODY)); + + if (!SIP_RoptDoEval(p)) + return RULE_NOMATCH; + + sd = (SIPData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SIP); + if (sd == NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "No session data - not evaluating.\n")); + return RULE_NOMATCH; + } + + ropts = &sd->ropts; + + if (ropts->body_data != NULL) + { + DEBUG_WRAP(DebugMessage(DEBUG_SIP, + "Setting cursor to body data: %p.\n", ropts->body_data)); + *cursor = ropts->body_data; + //Limit the length + _dpd.SetAltDetect((uint8_t *)ropts->body_data, ropts->body_len); + + return RULE_MATCH; + } + + return RULE_NOMATCH; +} +/******************************************************************** + * Function: SIP_RegRuleOptions + * + * Purpose: Register rule options + * + * Arguments: void + * + * Returns: void + * + ********************************************************************/ +void SIP_RegRuleOptions(void) +{ + _dpd.preprocOptRegister(SIP_ROPT__METHOD, SIP_MethodInit, SIP_MethodEval, + free, NULL, NULL, NULL, SIP_MethodAddFastPatterns); + _dpd.preprocOptRegister(SIP_ROPT__HEADER, SIP_HeaderInit, SIP_HeaderEval, + NULL, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(SIP_ROPT__STATUS_CODE, SIP_StatCodeInit, SIP_StatCodeEval, + free, NULL, NULL, NULL, NULL); + _dpd.preprocOptRegister(SIP_ROPT__BODY, SIP_BodyInit, SIP_BodyEval, + NULL, NULL, NULL, NULL, NULL); +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_roptions.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.h --- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_roptions.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_roptions.h 2011-10-26 11:28:52.000000000 -0700 
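Review bot: `SIP_MethodAddFastPatterns` leaks `method_fp` when the `malloc` for `content` fails, since it returns -1 without releasing the `FPContentInfo` it has just `calloc`'d, and the buffer is sized `strlen(sip)` so it carries no NUL terminator; the early return should be `if (NULL == method_fp->content) { free(method_fp); return -1; }`, and if the fast-pattern consumer treats `content` as a C string the allocation needs `strlen(sip) + 1`. In `SIP_MethodEval`, `methodFlag = 1 << (ropts->methodFlag - 1)` is evaluated before `IsRequest(ropts)` is checked, so if `ropts->methodFlag` can still hold `SIP_METHOD_NULL` (presumably 0, given how sip_parse initialises `msg->methodFlag`) the shift count is negative, which is undefined behaviour; guard it with `if (ropts->methodFlag < 1) return RULE_NOMATCH;` before computing the bit. The same `1 << (method->methodFlag - 1)` in `SIP_MethodInit` accumulates into an `int flags`/`int mask`, so a user-defined method returned by `SIP_AddUserDefinedMethod` with a flag at or beyond the width of `int` would likewise be undefined; a bound check at that point is worth adding. In `SIP_StatCodeInit`, `statCode` is an `unsigned long` but is printed with `%u` in the fatal message, and the debug message prints `sdata->stat_codes[i_tok]` before it has been assigned; use `%lu` and print `statCode` in both.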
@@ -0,0 +1,71 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ *
+ ****************************************************************************/
+
+#ifndef _SIP_ROPTIONS_H_
+#define _SIP_ROPTIONS_H_
+
+#include "sip_config.h"
+
+#define SIP_NUM_STAT_CODE_MAX 20
+/********************************************************************
+ * Structures
+ ********************************************************************/
+typedef struct _SIP_Roptions
+{
+
+ /* sip_method data*/
+ SIPMethodsFlag methodFlag;
+ /* sip_stat_code data*/
+ uint16_t status_code;
+ /* sip header data */
+ const uint8_t *header_data; /* Set to NULL if not applicable */
+ uint16_t header_len;
+ /* sip body data */
+ const uint8_t *body_data; /* Set to NULL if not applicable */
+ uint16_t body_len;
+
+} SIP_Roptions;
+
+
+typedef struct _SipMethodRuleOptData
+{
+ int flags;
+ int mask;
+
+} SipMethodRuleOptData;
+
+
+typedef struct _SipStatCodeRuleOptData
+{
+ uint16_t stat_codes[SIP_NUM_STAT_CODE_MAX];
+
+} SipStatCodeRuleOptData;
+
+
+/********************************************************************
+ * Public function prototypes
+ ********************************************************************/
+void SIP_RegRuleOptions(void);
+
+
+#endif /* _SIP_ROPTIONS_H_ */
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_utils.c snort-2.9.2/src/dynamic-preprocessors/sip/sip_utils.c
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_utils.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_utils.c 2011-10-26 11:28:52.000000000 -0700
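Review bot: The `header_data` and `body_data` members of `SIP_Roptions` live in per-session data, but the header says nothing about what they point into or how long they stay valid; as far as spp_sip.c in this patch shows, SIP_Process assigns them from a `SIPMsg` parsed out of `p->payload`, so they appear to reference the most recently parsed packet's buffer rather than memory the session owns. I would replace the two `/* Set to NULL if not applicable */` comments with one that states the lifetime, e.g. `/* Not owned: points into the payload of the last packet parsed for this session; only valid while that packet is being evaluated */`, so rule-option code does not treat them as stable. The `header_len`/`body_len` fields are `uint16_t` while the parser's own length fields are not visible here, so a note on whether truncation is possible would also help.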
@@ -0,0 +1,190 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "sf_types.h"
+#include "sip_utils.h"
+
+/********************************************************************
+ * Function: SIP_IsEmptyStr()
+ *
+ * Checks if string is NULL, empty or just spaces.
+ * String must be 0 terminated.
+ *
+ * Arguments:
+ * char * - string to check
+ *
+ * Returns:
+ * 1 if string is NULL, empty or just spaces
+ * 0 otherwise
+ *
+ ********************************************************************/
+int SIP_IsEmptyStr(char *str)
+{
+ char *end;
+
+ if (str == NULL)
+ return 1;
+
+ end = str + strlen(str);
+
+ while ((str < end) && isspace((int)*str))
+ str++;
+
+ if (str == end)
+ return 1;
+
+ return 0;
+}
+/*
+ * Trim spaces non-destructively on both sides of string : '', \t, \n, \r
+ * If string is empty return 0, otherwise 1
+ * Note: end point to the location start + length,
+ * not necessary the real end of string if not end with \0
+ */
+int SIP_TrimSP(const char *start, const char *end, char **new_start, char** new_end)
+{
+ char *before;
+ char *after;
+
+ if (start >= end )
+ {
+ *new_start = (char *)start;
+ *new_end = *new_start;
+ return 0;
+ }
+
+ before = (char *) start;
+
+ // Trim the starting spaces
+ while((before < end) && isspace((int)*before))
+ {
+ before++;
+ }
+ // This is an empty string
+ if (before == end)
+ {
+ *new_start = (char *)end;
+ *new_end = *new_start;
+ return 0;
+ }
+
+ // Trim the ending spaces
+ after = (char *) end - 1;
+ while((before < after) && isspace((int)*after))
+ {
+ after--;
+ }
+ *new_start = before;
+ *new_end = after + 1;
+ return 1;
+}
+/********************************************************************
+ * Function: SIP_FindMethod()
+ *
+ * Find method in the method list by name
+ *
+ * Arguments:
+ * SIPMethodlist - methods list to be searched,
+ * char * - method name,
+ * int - length of the method name
+ *
+ * Returns:
+ * SIPMethodNode*- the founded method node, or NULL if not founded
+ *
+ ********************************************************************/
+
+SIPMethodNode* SIP_FindMethod(SIPMethodlist methods, char* methodName, unsigned int length)
+{
+ SIPMethodNode* method = NULL;
+
+ method = methods;
+ while (NULL != method)
+ {
+
+ if ((length == strlen(method->methodName))&&
+ (strncasecmp(method->methodName, methodName, length) == 0))
+ {
+ return method;
+ }
+ method = method->nextm;
+ }
+ return method;
+}
+/********************************************************************
+ * Function: strToHash()
+ *
+ * Calculate the hash value of a string
+ *
+ * Arguments:
+ * char * - string to be hashed
+ * int: length of the string
+ *
+ * Returns:
+ * 1 if string is NULL, empty or just spaces
+ * 0 otherwise
+ *
+ ********************************************************************/
+uint32_t strToHash(const char *str, int length )
+{
+ uint32_t a,b,c,tmp;
+ int i,j,k,l;
+ a = b = c = 0;
+ for (i=0,j=0;i<length;i+=4)
+ {
+ tmp = 0;
+ k = length - i;
+ if (k > 4)
+ k=4;
+
+ for (l=0;l<k;l++)
+ {
+ tmp |= *(str + i + l) << l*8;
+ }
+
+ switch (j)
+ {
+ case 0:
+ a += tmp;
+ break;
+ case 1:
+ b += tmp;
+ break;
+ case 2:
+ c += tmp;
+ break;
+ }
+ j++;
+
+ if (j == 3)
+ {
+ mix(a,b,c);
+ j = 0;
+ }
+ }
+ final(a,b,c);
+ return c;
+}
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_utils.h snort-2.9.2/src/dynamic-preprocessors/sip/sip_utils.h
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/sip_utils.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/sip_utils.h 2011-06-07 17:33:15.000000000 -0700
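Review bot: In `strToHash`, `tmp |= *(str + i + l) << l*8;` shifts a plain `char` after integer promotion; where `char` is signed, any byte >= 0x80 is sign-extended, the left shift of a negative value is undefined behaviour, and the hash value then differs between platforms, which presumably matters since this looks like the source of the uint32_t dialog hashes elsewhere in the patch. Use `tmp |= (uint32_t)(unsigned char)str[i + l] << (l * 8);`. The `isspace((int)*str)`, `isspace((int)*before)` and `isspace((int)*after)` calls in SIP_IsEmptyStr and SIP_TrimSP have the same signed-char hazard and should cast through `unsigned char` before widening. The header comment on `strToHash` was copied from SIP_IsEmptyStr; its Returns section should read `uint32_t - hash of the first length bytes of str`, since the function never returns 0/1 in that sense.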
@@ -0,0 +1,35 @@
+/****************************************************************************
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************
+ * Provides convenience functions.
+ *
+ * 2/17/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ *
+ ****************************************************************************/
+
+#ifndef SIP_UTILS_H_
+#define SIP_UTILS_H_
+#include "sip_config.h"
+#include "sfhashfcn.h"
+
+int SIP_IsEmptyStr(char *);
+int SIP_TrimSP(const char *, const char *, char **, char** );
+SIPMethodNode * SIP_FindMethod(SIPMethodlist, char*, unsigned int);
+uint32_t strToHash(const char *, int );
+#endif /* SIP_UTILS_H_ */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/spp_sip.c snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.c
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/spp_sip.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.c 2011-11-21 12:15:24.000000000 -0800
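Review bot: The prototypes in this header drop their parameter names, so a caller of `SIP_TrimSP` cannot tell from the declaration which of the two `char **` outputs receives the new start and which the new end, and the convention that `end` is one past the last byte (stated only in a comment in sip_utils.c) is not visible at the point of use. Keeping the names in the declarations, `int SIP_TrimSP(const char *start, const char *end, char **new_start, char **new_end);` and `uint32_t strToHash(const char *str, int length);`, documents the contract where it is read.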
@@ -0,0 +1,856 @@
+/* $Id */
+
+/*
+ ** Copyright (C) 2011-2011 Sourcefire, Inc.
+ **
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+
+/*
+ * SIP preprocessor
+ *
+ * This is the main entry point for this preprocessor
+ *
+ * Author: Hui Cao
+ * Date: 03-15-2011
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#include "sf_types.h"
+#include "sf_snort_packet.h"
+#include "sf_dynamic_preprocessor.h"
+#include "sf_snort_plugin_api.h"
+#include "snort_debug.h"
+
+#include "preprocids.h"
+#include "spp_sip.h"
+#include "sip_config.h"
+#include "sip_roptions.h"
+#include "sip_parser.h"
+#include "sip_dialog.h"
+
+#include <assert.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#ifndef WIN32
+#include <strings.h>
+#include <sys/time.h>
+#endif
+#include <stdlib.h>
+#include <ctype.h>
+
+#include "profiler.h"
+#ifdef PERF_PROFILING
+PreprocStats sipPerfStats;
+#endif
+
+#include "sf_types.h"
+
+const int MAJOR_VERSION = 1;
+const int MINOR_VERSION = 1;
+const int BUILD_VERSION = 1;
+
+#ifdef SUP_IP6
+const char *PREPROC_NAME = "SF_SIP (IPV6)";
+#else
+const char *PREPROC_NAME = "SF_SIP";
+#endif
+
+#define SetupSIP DYNAMIC_PREPROC_SETUP
+
+#ifdef TARGET_BASED
+int16_t sip_app_id = SFTARGET_UNKNOWN_PROTOCOL;
+#endif
+
+/*
+ * Session state flags for SIPData::state_flags
+ */
+
+#define SIP_FLG_MISSED_PACKETS (0x10000)
+#define SIP_FLG_REASSEMBLY_SET (0x20000)
+/*
+ * Function prototype(s)
+ */
+SIPData * SIPGetNewSession(SFSnortPacket *, tSfPolicyId);
+static void SIPInit( char* );
+static void SIPCheckConfig(void);
+static void FreeSIPData( void* );
+static inline int SIP_Process(SFSnortPacket *, SIPData*);
+static void SIPmain( void*, void* );
+static inline int CheckSIPPort( uint16_t );
+static void SIPFreeConfig(tSfPolicyUserContextId);
+static void _addPortsToStream5Filter(SIPConfig *, tSfPolicyId);
+static void SIP_PrintStats(int);
+#ifdef TARGET_BASED
+static void _addServicesToStream5Filter(tSfPolicyId);
+#endif
+
+static void SIPCleanExit(int, void *);
+
+/********************************************************************
+ * Global variables
+ ********************************************************************/
+uint32_t numSessions = 0;
+SIP_Stats sip_stats;
+SIPConfig *sip_eval_config;
+tSfPolicyUserContextId sip_config;
+
+#ifdef SNORT_RELOAD
+static tSfPolicyUserContextId sip_swap_config = NULL;
+static void SIPReload(char *);
+static int SIPReloadVerify(void);
+static void * SIPReloadSwap(void);
+static void SIPReloadSwapFree(void *);
+#endif
+
+
+/* Called at preprocessor setup time. Links preprocessor keyword
+ * to corresponding preprocessor initialization function.
+ *
+ * PARAMETERS: None.
+ *
+ * RETURNS: Nothing.
+ *
+ */
+void SetupSIP(void)
+{
+ /* Link preprocessor keyword to initialization function
+ * in the preprocessor list. */
+#ifndef SNORT_RELOAD
+ _dpd.registerPreproc( "sip", SIPInit );
+#else
+ _dpd.registerPreproc("sip", SIPInit, SIPReload,
+ SIPReloadSwap, SIPReloadSwapFree);
+#endif
+}
+
+/* Initializes the SIP preprocessor module and registers
+ * it in the preprocessor list.
+ *
+ * PARAMETERS:
+ *
+ * argp: Pointer to argument string to process for config
+ * data.
+ *
+ * RETURNS: Nothing.
+ */
+static void SIPInit(char *argp)
+{
+ tSfPolicyId policy_id = _dpd.getParserPolicy();
+ SIPConfig *pDefaultPolicyConfig = NULL;
+ SIPConfig *pPolicyConfig = NULL;
+
+
+ if (sip_config == NULL)
+ {
+ //create a context
+ sip_config = sfPolicyConfigCreate();
+ if (sip_config == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Failed to allocate memory "
+ "for SIP config.\n");
+ }
+
+ _dpd.addPreprocConfCheck(SIPCheckConfig);
+ _dpd.registerPreprocStats(SIP_NAME, SIP_PrintStats);
+ _dpd.addPreprocExit(SIPCleanExit, NULL, PRIORITY_LAST, PP_SIP);
+
+#ifdef PERF_PROFILING
+ _dpd.addPreprocProfileFunc("sip", (void *)&sipPerfStats, 0, _dpd.totalPerfStats);
+#endif
+
+#ifdef TARGET_BASED
+ sip_app_id = _dpd.findProtocolReference("sip");
+ if (sip_app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ sip_app_id = _dpd.addProtocolReference("sip");
+
+#endif
+ }
+
+ sfPolicyUserPolicySet (sip_config, policy_id);
+ pDefaultPolicyConfig = (SIPConfig *)sfPolicyUserDataGetDefault(sip_config);
+ pPolicyConfig = (SIPConfig *)sfPolicyUserDataGetCurrent(sip_config);
+ if ((pPolicyConfig != NULL) && (pDefaultPolicyConfig == NULL))
+ {
+ DynamicPreprocessorFatalMessage("SIP preprocessor can only be "
+ "configured once.\n");
+ }
+
+ pPolicyConfig = (SIPConfig *)calloc(1, sizeof(SIPConfig));
+ if (!pPolicyConfig)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate memory for "
+ "SIP preprocessor configuration.\n");
+ }
+
+ sfPolicyUserDataSetCurrent(sip_config, pPolicyConfig);
+
+ SIP_RegRuleOptions();
+
+ ParseSIPArgs(pPolicyConfig, (u_char *)argp);
+
+ if (policy_id != 0)
+ pPolicyConfig->maxNumSessions = pDefaultPolicyConfig->maxNumSessions;
+ if ( pPolicyConfig->disabled )
+ return;
+ if (_dpd.streamAPI == NULL)
+ {
+ DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n");
+ }
+
+ _dpd.addPreproc( SIPmain, PRIORITY_APPLICATION, PP_SIP, PROTO_BIT__UDP|PROTO_BIT__TCP );
+
+ _addPortsToStream5Filter(pPolicyConfig, policy_id);
+
+#ifdef TARGET_BASED
+ _addServicesToStream5Filter(policy_id);
+#endif
+}
+/*********************************************************************
+ * Overload PCRE options: this is to support the "H"
+ *
+ * For SIP messages, uri Buffers will point to SIP instead of HTTP
+ *
+ * Arguments:
+ * SFSnortPacket * - pointer to packet structure
+ *
+ * Returns:
+ * None
+ *
+ *********************************************************************/
+static inline void SIP_overloadURI(SFSnortPacket *p, SIPMsg *sipMsg)
+{
+ _dpd.uriBuffers[HTTP_BUFFER_HEADER]->uriBuffer = (uint8_t *) sipMsg->header;
+ _dpd.uriBuffers[HTTP_BUFFER_HEADER]->uriLength = sipMsg->headerLen;
+ _dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriBuffer = (uint8_t *) sipMsg->body_data;
+ _dpd.uriBuffers[HTTP_BUFFER_CLIENT_BODY]->uriLength = sipMsg->bodyLen;
+ p->num_uris = HTTP_BUFFER_CLIENT_BODY + 1;
+
+}
+/*********************************************************************
+ * Main entry point for SIP processing.
+ *
+ * Arguments:
+ * SFSnortPacket * - pointer to packet structure
+ *
+ * Returns:
+ * int - SIP_SUCCESS
+ * SIP_FAILURE
+ *
+ *********************************************************************/
+static inline int SIP_Process(SFSnortPacket *p, SIPData* sessp)
+{
+ int status;
+ char* sip_buff = (char*) p->payload;
+ char* end;
+ SIP_Roptions *pRopts;
+ SIPMsg sipMsg;
+
+ memset(&sipMsg, 0, SIPMSG_ZERO_LEN);
+
+ /*Input parameters*/
+ sipMsg.isTcp = IsTCP(p);
+
+ end = sip_buff + p->payload_size;
+
+ status = sip_parse(&sipMsg, sip_buff, end);
+
+ if (SIP_SUCCESS == status)
+ {
+ SIP_overloadURI(p, &sipMsg);
+ /*Update the dialog state*/
+ SIP_updateDialog(&sipMsg, &(sessp->dialogs), p);
+ }
+ /*Update the session data*/
+ pRopts = &(sessp->ropts);
+ pRopts->methodFlag = sipMsg.methodFlag;
+ pRopts->header_data = sipMsg.header;
+ pRopts->header_len = sipMsg.headerLen;
+ pRopts->body_len = sipMsg.bodyLen;
+ pRopts->body_data = sipMsg.body_data;
+ pRopts->status_code = sipMsg.status_code;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "SIP message header length: %d\n",
+ sipMsg.headerLen));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed method: %.*s, Flag: 0x%x\n",
+ sipMsg.methodLen, sipMsg.method, sipMsg.methodFlag));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed status code: %d\n",
+ sipMsg.status_code));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed header address: %p.\n",
+ sipMsg.header));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed body address: %p.\n",
+ sipMsg.body_data));
+
+ sip_freeMsg(&sipMsg);
+
+ return status;
+}
+/* Main runtime entry point for SIP preprocessor.
+ * Analyzes SIP packets for anomalies/exploits.
+ *
+ * PARAMETERS:
+ *
+ * packetp: Pointer to current packet to process.
+ * contextp: Pointer to context block, not used.
+ *
+ * RETURNS: Nothing.
+ */
+static void SIPmain( void* ipacketp, void* contextp )
+{
+ SIPData* sessp = NULL;
+ uint8_t source = 0;
+ uint8_t dest = 0;
+
+ SFSnortPacket* packetp;
+#ifdef TARGET_BASED
+ int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
+#endif
+ tSfPolicyId policy_id = _dpd.getRuntimePolicy();
+ PROFILE_VARS;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__START_MSG));
+
+ packetp = (SFSnortPacket*) ipacketp;
+ sfPolicyUserPolicySet (sip_config, policy_id);
+
+ /* Make sure this preprocessor should run. */
+ if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size ))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ return;
+ }
+ /* check if we're waiting on stream reassembly */
+ else if ( packetp->flags & FLAG_STREAM_INSERT)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Stream inserted - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ return;
+ }
+ else if (!IsTCP(packetp) && !IsUDP(packetp))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not UDP or TCP - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ return;
+ }
+
+ PREPROC_PROFILE_START(sipPerfStats);
+
+ sip_eval_config = sfPolicyUserDataGetCurrent(sip_config);
+
+ /* Attempt to get a previously allocated SIP block. */
+ sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SIP);
+ if (sessp != NULL)
+ {
+ sip_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
+
+ }
+
+ if (sessp == NULL)
+ {
+ /* If not doing autodetection, check the ports to make sure this is
+ * running on an SIP port, otherwise no need to examine the traffic.
+ */
+#ifdef TARGET_BASED
+ app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
+ if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Unknown protocol - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ else if (app_id && (app_id != sip_app_id))
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ else if (!app_id)
+ {
+#endif
+ source = (uint8_t)CheckSIPPort( packetp->src_port );
+ dest = (uint8_t)CheckSIPPort( packetp->dst_port );
+
+ if ( !source && !dest )
+ {
+ /* Not one of the ports we care about. */
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP ports - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+#ifdef TARGET_BASED
+ }
+#endif
+ /* Check the stream session. If it does not currently
+ * have our SIP data-block attached, create one.
+ */
+ sessp = SIPGetNewSession(packetp, policy_id);
+
+ if ( !sessp )
+ {
+ /* Could not get/create the session data for this packet. */
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Create session error - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ }
+
+ /* Don't process if we've missed packets */
+ if (sessp->state_flags & SIP_FLG_MISSED_PACKETS)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+
+ /* If we picked up mid-stream or missed any packets (midstream pick up
+ * means we've already missed packets) set missed packets flag and make
+ * sure we don't do any more reassembly on this session */
+ if (IsTCP(packetp))
+ {
+ if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
+ || _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
+ {
+ _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
+ STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
+ STREAM_FLPOLICY_SET_ABSOLUTE);
+
+ sessp->state_flags |= SIP_FLG_MISSED_PACKETS;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+ return;
+ }
+ }
+
+ /* We're interested in this session. Turn on stream reassembly. */
+ if ( !(sessp->state_flags & SIP_FLG_REASSEMBLY_SET ))
+ {
+ _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
+ STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);
+ sessp->state_flags |= SIP_FLG_REASSEMBLY_SET;
+ }
+ /*
+ * Start process PAYLOAD
+ */
+ SIP_Process(packetp,sessp);
+
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
+ PREPROC_PROFILE_END(sipPerfStats);
+
+}
+
+/**********************************************************************
+ * Retrieves the SIP data block registered with the stream
+ * session associated w/ the current packet. If none exists,
+ * allocates it and registers it with the stream API.
+ *
+ * Arguments:
+ *
+ * packetp: Pointer to the packet from which/in which to
+ * retrieve/store the SIP data block.
+ *
+ * RETURNS: Pointer to an SIP data block, upon success.
+ * NULL, upon failure.
+ **********************************************************************/
+SIPData * SIPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id)
+{
+ SIPData* datap = NULL;
+ static int MaxSessionsAlerted = 0;
+ /* Sanity check(s) */
+ assert( packetp );
+ if ( !packetp->stream_session_ptr )
+ {
+ return NULL;
+ }
+ if(numSessions > ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->maxNumSessions)
+ {
+ if (!MaxSessionsAlerted)
+ ALERT(SIP_EVENT_MAX_SESSIONS,SIP_EVENT_MAX_SESSIONS_STR);
+ MaxSessionsAlerted = 1;
+ return NULL;
+ }
+ else
+ {
+ MaxSessionsAlerted = 0;
+ }
+ datap = (SIPData *)calloc(1, sizeof(SIPData));
+
+ if ( !datap )
+ return NULL;
+
+ /*Register the new SIP data block in the stream session. */
+ _dpd.streamAPI->set_application_data(
+ packetp->stream_session_ptr,
+ PP_SIP, datap, FreeSIPData );
+
+ datap->policy_id = policy_id;
+ datap->config = sip_config;
+ ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->ref_count++;
+ numSessions++;
+ sip_stats.sessions++;
+ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Number of sessions created: %u\n", numSessions));
+
+ return datap;
+}
+
+
+/***********************************************************************
+ * Registered as a callback with our SIP data blocks when
+ * they are added to the underlying stream session. Called
+ * by the stream preprocessor when a session is about to be
+ * destroyed.
+ *
+ * PARAMETERS:
+ *
+ * idatap: Pointer to the moribund data.
+ *
+ * RETURNS: Nothing.
+ ***********************************************************************/
+static void FreeSIPData( void* idatap )
+{
+ SIPData *ssn = (SIPData *)idatap;
+ SIPConfig *config = NULL;
+
+ if (ssn == NULL)
+ return;
+ if (numSessions > 0)
+ numSessions--;
+
+ /*Free all the dialog data*/
+ sip_freeDialogs(ssn->dialogs);
+
+ /*Clean the configuration data*/
+ if (ssn->config != NULL)
+ {
+ config = (SIPConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id);
+ }
+
+ if (config == NULL)
+ {
+ free(ssn);
+ return;
+ }
+
+ config->ref_count--;
+ if ((config->ref_count == 0) && (ssn->config != sip_config))
+ {
+ sfPolicyUserDataClear (ssn->config, ssn->policy_id);
+ free(config);
+
+ if (sfPolicyUserPolicyGetActive(ssn->config) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ SIPFreeConfig(ssn->config);
+ }
+
+ }
+
+ free(ssn);
+}
+/* **********************************************************************
+ * Validates given port as an SIP server port.
+ *
+ * PARAMETERS:
+ *
+ * port: Port to validate.
+ *
+ * RETURNS: SIP_TRUE, if the port is indeed an SIP server port.
+ * SIP_FALSE, otherwise.
+ ***********************************************************************/
+static inline int CheckSIPPort( uint16_t port )
+{
+ if ( sip_eval_config->ports[ PORT_INDEX(port) ] & CONV_PORT( port ) )
+ {
+ return SIP_TRUE;
+ }
+
+ return SIP_FALSE;
+}
+
+static void _addPortsToStream5Filter(SIPConfig *config, tSfPolicyId policy_id)
+{
+ int portNum;
+
+ assert(config);
+ assert(_dpd.streamAPI);
+
+ for (portNum = 0; portNum < MAXPORTS; portNum++)
+ {
+ if(config->ports[(portNum/8)] & (1<<(portNum%8)))
+ {
+ //Add port the port
+ _dpd.streamAPI->set_port_filter_status(IPPROTO_UDP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ _dpd.streamAPI->set_port_filter_status(IPPROTO_TCP, (uint16_t)portNum, PORT_MONITOR_SESSION, policy_id, 1);
+ }
+ }
+
+}
+#ifdef TARGET_BASED
+
+static void _addServicesToStream5Filter(tSfPolicyId policy_id)
+{
+ _dpd.streamAPI->set_service_filter_status(sip_app_id, PORT_MONITOR_SESSION, policy_id, 1);
+}
+#endif
+static int SIPCheckPolicyConfig(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData)
+{
+ SIPConfig *pPolicyConfig = (SIPConfig *)pData;
+
+ _dpd.setParserPolicy(policyId);
+
+ if (pPolicyConfig->disabled)
+ return 0;
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("SIPCheckPolicyConfig(): The Stream preprocessor must be enabled.\n");
+ }
+ return 0;
+}
+void SIPCheckConfig(void)
+{
+ sfPolicyUserDataIterate (sip_config, SIPCheckPolicyConfig);
+}
+
+
+static void SIPCleanExit(int signal, void *data)
+{
+ if (sip_config != NULL)
+ {
+ SIPFreeConfig(sip_config);
+ sip_config = NULL;
+ }
+}
+static int SIPFreeConfigPolicy(
+ tSfPolicyUserContextId config,
+ tSfPolicyId policyId,
+ void* pData
+)
+{
+ SIPConfig *pPolicyConfig = (SIPConfig *)pData;
+
+ //do any housekeeping before freeing SIPConfig
+
+ sfPolicyUserDataClear (config, policyId);
+
+ SIP_FreeConfig(pPolicyConfig);
+ return 0;
+}
+
+void SIPFreeConfig(tSfPolicyUserContextId config)
+{
+ if (config == NULL)
+ return;
+
+ sfPolicyUserDataIterate (config, SIPFreeConfigPolicy);
+ sfPolicyConfigDelete(config);
+}
+/******************************************************************
+ * Print statistics being kept by the preprocessor.
+ *
+ * Arguments:
+ * int - whether Snort is exiting or not
+ *
+ * Returns: None
+ *
+ ******************************************************************/
+static void SIP_PrintStats(int exiting)
+{
+ int i;
+ _dpd.logMsg("SIP Preprocessor Statistics\n");
+ _dpd.logMsg(" Total sessions: "STDu64"\n", sip_stats.sessions);
+ if (sip_stats.sessions > 0)
+ {
+ if (sip_stats.events > 0)
+ _dpd.logMsg(" SIP anomalies : "STDu64"\n", sip_stats.events);
+ if (sip_stats.dialogs > 0)
+ _dpd.logMsg(" Total dialogs: "STDu64"\n", sip_stats.dialogs);
+
+ _dpd.logMsg(" Requests: "STDu64"\n", sip_stats.requests[0]);
+ i = 0;
+ while (NULL != StandardMethods[i].name)
+ {
+ _dpd.logMsg("%16s: "STDu64"\n",
+ StandardMethods[i].name, sip_stats.requests[StandardMethods[i].methodFlag]);
+ i++;
+ }
+
+ _dpd.logMsg(" Responses: "STDu64"\n", sip_stats.responses[TOTAL_RESPONSES]);
+ for (i = 1; i <NUM_OF_RESPONSE_TYPES; i++ )
+ {
+ _dpd.logMsg(" %dxx: "STDu64"\n", i, sip_stats.responses[i]);
+ }
+
+ _dpd.logMsg(" Ignore sessions: "STDu64"\n", sip_stats.ignoreSessions);
+ _dpd.logMsg(" Ignore channels: "STDu64"\n", sip_stats.ignoreChannels);
+ }
+}
+#ifdef SNORT_RELOAD
+static void SIPReload(char *args)
+{
+ tSfPolicyId policy_id = _dpd.getParserPolicy();
+ SIPConfig * pPolicyConfig = NULL;
+
+ if (sip_swap_config == NULL)
+ {
+ //create a context
+ sip_swap_config = sfPolicyConfigCreate();
+ if (sip_swap_config == NULL)
+ {
+ DynamicPreprocessorFatalMessage("Failed to allocate memory "
+ "for SIP config.\n");
+ }
+
+ }
+
+ sfPolicyUserPolicySet (sip_swap_config, policy_id);
+ pPolicyConfig = (SIPConfig *)sfPolicyUserDataGetCurrent(sip_swap_config);
+ if (pPolicyConfig != NULL)
+ {
+ DynamicPreprocessorFatalMessage("SIP preprocessor can only be "
+ "configured once.\n");
+ }
+
+ pPolicyConfig = (SIPConfig *)calloc(1, sizeof(SIPConfig));
+ if (!pPolicyConfig)
+ {
+ DynamicPreprocessorFatalMessage("Could not allocate memory for "
+ "SIP preprocessor configuration.\n");
+ }
+ sfPolicyUserDataSetCurrent(sip_swap_config, pPolicyConfig);
+
+ SIP_RegRuleOptions();
+
+ ParseSIPArgs(pPolicyConfig, (u_char *)args);
+
+ if( pPolicyConfig->disabled )
+ return;
+
+ if (_dpd.streamAPI == NULL)
+ {
+ DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n");
+ }
+
+ _dpd.addPreproc( SIPmain, PRIORITY_APPLICATION, PP_SIP, PROTO_BIT__UDP|PROTO_BIT__TCP );
+ _dpd.addPreprocReloadVerify(SIPReloadVerify);
+
+ _addPortsToStream5Filter(pPolicyConfig, policy_id);
+
+#ifdef TARGET_BASED
+ _addServicesToStream5Filter(policy_id);
+#endif
+}
+
+static int SIPReloadVerify(void)
+{
+ SIPConfig * pPolicyConfig = NULL;
+ SIPConfig * pCurrentConfig = NULL;
+
+ if (sip_swap_config == NULL)
+ return 0;
+
+ pPolicyConfig = (SIPConfig *)sfPolicyUserDataGet(sip_swap_config, _dpd.getDefaultPolicy());
+
+ if (!pPolicyConfig)
+ return 0;
+
+ if ( pPolicyConfig->disabled )
+ return 0;
+
+ if (!_dpd.isPreprocEnabled(PP_STREAM5))
+ {
+ DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n");
+ }
+
+ if (sip_config != NULL)
+ {
+ pCurrentConfig = (SIPConfig *)sfPolicyUserDataGet(sip_config, _dpd.getDefaultPolicy());
+ }
+
+ if (!pCurrentConfig)
+ return 0;
+
+ if (pPolicyConfig->maxNumSessions != pCurrentConfig->maxNumSessions)
+ {
+ _dpd.errMsg("SIP reload: Changing the max_sessions requires a restart.\n");
+ SIPFreeConfig(sip_swap_config);
+ sip_swap_config = NULL;
+ return -1;
+ }
+
+ return 0;
+}
+static int SIPFreeUnusedConfigPolicy(
+ tSfPolicyUserContextId config,
+ tSfPolicyId policyId,
+ void* pData
+)
+{
+ SIPConfig *pPolicyConfig = (SIPConfig *)pData;
+
+ //do any housekeeping before freeing SIPConfig
+ if (pPolicyConfig->ref_count == 0)
+ {
+ sfPolicyUserDataClear (config, policyId);
+ SIP_FreeConfig(pPolicyConfig);
+ }
+ return 0;
+}
+
+static void * SIPReloadSwap(void)
+{
+ tSfPolicyUserContextId old_config = sip_config;
+
+ if (sip_swap_config == NULL)
+ return NULL;
+
+ sip_config = sip_swap_config;
+ sip_swap_config = NULL;
+
+ sfPolicyUserDataIterate (old_config, SIPFreeUnusedConfigPolicy);
+
+ if (sfPolicyUserPolicyGetActive(old_config) == 0)
+ {
+ /* No more outstanding configs - free the config array */
+ return (void *)old_config;
+ }
+
+ return NULL;
+}
+
+static void SIPReloadSwapFree(void *data)
+{
+ if (data == NULL)
+ return;
+
+ SIPFreeConfig((tSfPolicyUserContextId)data);
+}
+#endif
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/sip/spp_sip.h snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.h
--- snort-2.9.0.1/src/dynamic-preprocessors/sip/spp_sip.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/sip/spp_sip.h 2011-07-13 15:44:51.000000000 -0700
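Review bot: In SIPInit, `pPolicyConfig->maxNumSessions = pDefaultPolicyConfig->maxNumSessions;` dereferences `pDefaultPolicyConfig` without a NULL check; the only guard above it fires when `pPolicyConfig` was already non-NULL, so a non-default policy (`policy_id != 0`) configured before any default-policy SIP config reaches this line with `pDefaultPolicyConfig == NULL`, assuming sfPolicyUserDataGetDefault returns NULL in that case. I would make the requirement explicit ahead of the assignment: `if ((policy_id != 0) && (pDefaultPolicyConfig == NULL)) DynamicPreprocessorFatalMessage("SIP preprocessor must be configured in the default policy before any other policy.\n");` (message text is a suggestion). Separately, the limit test in SIPGetNewSession, `numSessions > ...->maxNumSessions`, lets the count reach maxNumSessions + 1 before refusing a new session; `>=` matches what the config name implies, if that was the intent.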
@@ -0,0 +1,286 @@
+/* $Id */
+
+/*
+** Copyright (C) 2011-2011 Sourcefire, Inc.
+**
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/*
+ * spp_sip.h: Definitions, structs, function prototype(s) for
+ * the SIP preprocessor.
+ * Author: Hui Cao
+ */
+
+#ifndef SPP_SIP_H
+#define SPP_SIP_H
+#include <stddef.h>
+#include "sfPolicy.h"
+#include "sfPolicyUserData.h"
+#include "snort_bounds.h"
+#include "sip_roptions.h"
+#include "sf_ip.h"
+
+/* Convert port value into an index for the sip_config->ports array */
+#define PORT_INDEX(port) port/8
+
+/* Convert port value into a value for bitwise operations */
+#define CONV_PORT(port) 1<<(port%8)
+
+/*
+ * Boolean values.
+ */
+#define SIP_TRUE (1)
+#define SIP_FALSE (0)
+
+#define SIP_STATUS_CODE_LEN (3)
+#define SIP_CONTENT_LEN (5)
+/*
+ * Error codes. 
+ */ +#define SIP_SUCCESS (1) +#define SIP_FAILURE (0) + +typedef struct _SIP_MediaData +{ + sfip_t maddress; // media IP + uint16_t mport; // media port + uint8_t numPort; // number of media ports + struct _SIP_MediaData *nextM; +} SIP_MediaData; + +typedef SIP_MediaData* SIP_MediaDataList; + +#define SIP_SESSION_SAVED (1) +#define SIP_SESSION_INIT (0) + +typedef struct _SIP_MediaSession +{ + uint32_t sessionID; // a hash value of the session + int savedFlag; // whether this data has been saved by a dialog, + // if savedFlag = 1, this session will be deleted after sip message is processed. + sfip_t maddress_default; //Default media IP + SIP_MediaDataList medias; //Media list in the session + struct _SIP_MediaSession *nextS; // Next media session +} SIP_MediaSession; + +typedef SIP_MediaSession* SIP_MediaList; + + +typedef struct _SIP_DialogID +{ + uint32_t callIdHash; + uint32_t fromTagHash; + uint32_t toTagHash; +} SIP_DialogID; + +typedef enum _SIP_DialogState +{ + SIP_DLG_CREATE = 1, //1 + SIP_DLG_INVITING, //2 + SIP_DLG_EARLY, //3 + SIP_DLG_AUTHENCATING, //4 + SIP_DLG_ESTABLISHED, //5 + SIP_DLG_REINVITING, //6 + SIP_DLG_TERMINATING, //7 + SIP_DLG_TERMINATED //8 +} SIP_DialogState; + +typedef struct _SIP_DialogData +{ + SIP_DialogID dlgID; + SIP_DialogState state; + SIPMethodsFlag creator; + uint16_t status_code; + SIP_MediaList mediaSessions; + struct _SIP_DialogData *nextD; + struct _SIP_DialogData *prevD; +} SIP_DialogData; + +typedef SIP_DialogData* SIP_DialogList; + +/* + * Per-session data block containing current state + * of the SIP preprocessor for the session. + * + * state_flags: Bit vector describing the current state of the + * session. 
+ */ +typedef struct _sipData +{ + + uint32_t state_flags; + SIP_DialogList dialogs; + SIP_Roptions ropts; + tSfPolicyId policy_id; + tSfPolicyUserContextId config; + +} SIPData; + +typedef struct _SIPMsg +{ + uint16_t headerLen; + uint16_t methodLen; + SIPMethodsFlag methodFlag; + uint16_t status_code; + + uint16_t uriLen; + uint16_t callIdLen; + uint16_t cseqNameLen; + uint16_t fromLen; + uint16_t fromTagLen; + uint16_t toLen; + uint16_t toTagLen; + uint16_t viaLen; + uint16_t contactLen; + uint16_t bodyLen; + uint16_t contentTypeLen; + uint32_t content_len; + SIP_DialogID dlgID; + SIP_MediaSession *mediaSession; + char *authorization; + const uint8_t *header; + const uint8_t *body_data; /* Set to NULL if not applicable */ + uint64_t cseqnum; + + /* nothing after this point is zeroed ...*/ + /*Input parameters*/ + unsigned char isTcp; + + char *method; + char *uri; + char *call_id; + char *cseqName; + char *from; + char *from_tag; + char *to; + char *to_tag; + char *via; + char *contact; + + char *content_type; + char *content_encode; + +} SIPMsg; + +#define SIPMSG_ZERO_LEN offsetof(SIPMsg, isTcp) + +/* + * Generator id. Define here the same as the official registry + * in generators.h + */ +#define GENERATOR_SPP_SIP 140 + +/* Ultimately calls SnortEventqAdd */ +/* Arguments are: gid, sid, rev, classification, priority, message, rule_info */ +#define ALERT(x,y) { _dpd.alertAdd(GENERATOR_SPP_SIP, x, 1, 0, 3, y, 0 ); sip_stats.events++; } + +/* + * SIP preprocessor alert types. 
+ */ +#define SIP_EVENT_MAX_SESSIONS 1 +#define SIP_EVENT_EMPTY_REQUEST_URI 2 +#define SIP_EVENT_BAD_URI 3 +#define SIP_EVENT_EMPTY_CALL_ID 4 +#define SIP_EVENT_BAD_CALL_ID 5 +#define SIP_EVENT_BAD_CSEQ_NUM 6 +#define SIP_EVENT_BAD_CSEQ_NAME 7 +#define SIP_EVENT_EMPTY_FROM 8 +#define SIP_EVENT_BAD_FROM 9 +#define SIP_EVENT_EMPTY_TO 10 +#define SIP_EVENT_BAD_TO 11 +#define SIP_EVENT_EMPTY_VIA 12 +#define SIP_EVENT_BAD_VIA 13 +#define SIP_EVENT_EMPTY_CONTACT 14 +#define SIP_EVENT_BAD_CONTACT 15 +#define SIP_EVENT_BAD_CONTENT_LEN 16 +#define SIP_EVENT_MULTI_MSGS 17 +#define SIP_EVENT_MISMATCH_CONTENT_LEN 18 +#define SIP_EVENT_INVALID_CSEQ_NAME 19 +#define SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK 20 +#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION 21 +#define SIP_EVENT_BAD_STATUS_CODE 22 +#define SIP_EVENT_EMPTY_CONTENT_TYPE 23 +#define SIP_EVENT_INVALID_VERSION 24 +#define SIP_EVENT_MISMATCH_METHOD 25 +#define SIP_EVENT_UNKOWN_METHOD 26 + +/* + * SIP preprocessor alert strings. + */ +#define SIP_EVENT_MAX_SESSIONS_STR "(spp_sip) Maximum sessions reached" +#define SIP_EVENT_EMPTY_REQUEST_URI_STR "(spp_sip) Empty request URI" +#define SIP_EVENT_BAD_URI_STR "(spp_sip) URI is too long" +#define SIP_EVENT_EMPTY_CALL_ID_STR "(spp_sip) Empty call-Id" +#define SIP_EVENT_BAD_CALL_ID_STR "(spp_sip) Call-Id is too long" +#define SIP_EVENT_BAD_CSEQ_NUM_STR "(spp_sip) CSeq number is too large or negative" +#define SIP_EVENT_BAD_CSEQ_NAME_STR "(spp_sip) Request name in CSeq is too long" +#define SIP_EVENT_EMPTY_FROM_STR "(spp_sip) Empty From header" +#define SIP_EVENT_BAD_FROM_STR "(spp_sip) From header is too long" +#define SIP_EVENT_EMPTY_TO_STR "(spp_sip) Empty To header" +#define SIP_EVENT_BAD_TO_STR "(spp_sip) To header is too long" +#define SIP_EVENT_EMPTY_VIA_STR "(spp_sip) Empty Via header" +#define SIP_EVENT_BAD_VIA_STR "(spp_sip) Via header is too long" +#define SIP_EVENT_EMPTY_CONTACT_STR "(spp_sip) Empty Contact" +#define SIP_EVENT_BAD_CONTACT_STR "(spp_sip) Contact is too long" 
+#define SIP_EVENT_BAD_CONTENT_LEN_STR "(spp_sip) Content length is too large or negative"
+#define SIP_EVENT_MULTI_MSGS_STR "(spp_sip) Multiple SIP messages in a packet"
+#define SIP_EVENT_MISMATCH_CONTENT_LEN_STR "(spp_sip) Content length mismatch"
+#define SIP_EVENT_INVALID_CSEQ_NAME_STR "(spp_sip) Request name is invalid"
+#define SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR "(spp_sip) Invite replay attack"
+#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR "(spp_sip) Illegal session information modification"
+#define SIP_EVENT_BAD_STATUS_CODE_STR "(spp_sip) Response status code is not a 3 digit number"
+#define SIP_EVENT_EMPTY_CONTENT_TYPE_STR "(spp_sip) Empty Content-type header"
+#define SIP_EVENT_INVALID_VERSION_STR "(spp_sip) SIP version is invalid"
+#define SIP_EVENT_MISMATCH_METHOD_STR "(spp_sip) Mismatch in METHOD of request and the CSEQ header"
+#define SIP_EVENT_UNKOWN_METHOD_STR "(spp_sip) Method is unknown"
+
+#define MAX_STAT_CODE 999
+#define MIN_STAT_CODE 100
+#define TOTAL_RESPONSES 0
+#define RESPONSE1XX 1
+#define RESPONSE2XX 2
+#define RESPONSE3XX 3
+#define RESPONSE4XX 4
+#define RESPONSE5XX 5
+#define RESPONSE6XX 6
+#define NUM_OF_RESPONSE_TYPES 10
+#define TOTAL_REQUESTS 0
+#define NUM_OF_REQUEST_TYPES SIP_METHOD_USER_DEFINE_MAX
+
+typedef struct _SIP_Stats
+{
+ uint64_t sessions;
+ uint64_t events;
+
+ uint64_t dialogs;
+ uint64_t requests[NUM_OF_REQUEST_TYPES];
+ uint64_t responses[NUM_OF_RESPONSE_TYPES];
+ uint64_t ignoreChannels;
+ uint64_t ignoreSessions;
+
+} SIP_Stats;
+
+extern SIP_Stats sip_stats;
+extern SIPConfig *sip_eval_config;
+extern tSfPolicyUserContextId sip_config;
+
+
+/* Prototypes for public interface */
+void SetupSIP(void);
+
+#endif /* SPP_SIP_H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/Makefile.am snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/smtp/Makefile.am 2010-06-09 15:05:14.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.am 
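Review bot: The new port macros near the top of spp_sip.h leave both the parameter and the whole expansion unparenthesized, so `PORT_INDEX(a+b)` expands to `a+b/8` and `CONV_PORT(x)` expands to a bare `1<<(x%8)` whose meaning depends on the operator it is combined with; they should read `#define PORT_INDEX(port) ((port)/8)` and `#define CONV_PORT(port) (1<<((port)%8))`. The `ALERT(x,y)` macro is a bare brace block, which breaks `if (...) ALERT(...); else ...` at the call site; wrapping it as `#define ALERT(x,y) do { _dpd.alertAdd(GENERATOR_SPP_SIP, x, 1, 0, 3, y, 0 ); sip_stats.events++; } while (0)` keeps it a single statement. The enum constant `SIP_DLG_AUTHENCATING` and the event id `SIP_EVENT_UNKOWN_METHOD` (and its `_STR` twin) are misspelled; since their uses live outside this file, a rename is a follow-up rather than a change to this hunk, and the alert string itself need not change.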
2011-07-13 15:44:51.000000000 -0700 @@ -1,30 +1,27 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_smtp_preproc.la libsf_smtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -mempool.c \ -sf_sdlist.c \ -sfPolicyUserData.c \ -sf_base64decode.c - +if SO_WITH_STATIC_LIB +libsf_smtp_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_smtp_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -mempool.c \ -sf_sdlist.c \ -sfPolicyUserData.c \ -sf_base64decode.c +../include/sf_dynamic_preproc_lib.c \ +../include/mempool.c \ +../include/sf_sdlist.c \ +../include/sf_base64decode.c \ +../include/util_unfold.c \ +../include/sf_email_attach_decode.c \ +../include/sfPolicyUserData.c +endif libsf_smtp_preproc_la_SOURCES = \ -sf_preproc_info.h \ smtp_config.c \ smtp_config.h \ smtp_log.c \ @@ -45,22 +42,6 @@ EXTRA_DIST = \ sf_smtp.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ -mempool.c: ../include/mempool.c - cp $? $@ - -sf_sdlist.c: ../include/sf_sdlist.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -sf_base64decode.c: ../include/sf_base64decode.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c mempool.c sf_sdlist.c sfPolicyUserData.c sf_base64decode.c diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/Makefile.in snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/Makefile.in 2011-12-07 11:23:20.000000000 -0800 
@@ -68,12 +68,17 @@ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_smtp_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_smtp_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_smtp_preproc_la_OBJECTS = smtp_config.lo smtp_log.lo \ smtp_normalize.lo smtp_util.lo smtp_xlink2state.lo \ snort_smtp.lo spp_smtp.lo ssl.lo -nodist_libsf_smtp_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - mempool.lo sf_sdlist.lo sfPolicyUserData.lo sf_base64decode.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_smtp_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo mempool.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_sdlist.lo sf_base64decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ util_unfold.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sf_email_attach_decode.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_smtp_preproc_la_OBJECTS = $(am_libsf_smtp_preproc_la_OBJECTS) \ $(nodist_libsf_smtp_preproc_la_OBJECTS) libsf_smtp_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -106,7 +111,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -121,7 +128,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ 
@@ -157,13 +165,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -224,22 +238,17 @@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_smtp_preproc.la libsf_smtp_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -mempool.c \ -sf_sdlist.c \ -sfPolicyUserData.c \ -sf_base64decode.c - -nodist_libsf_smtp_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -mempool.c \ -sf_sdlist.c \ -sfPolicyUserData.c \ -sf_base64decode.c +@SO_WITH_STATIC_LIB_TRUE@libsf_smtp_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_smtp_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/mempool.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_sdlist.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_base64decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/util_unfold.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_email_attach_decode.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_smtp_preproc_la_SOURCES = \ -sf_preproc_info.h \ smtp_config.c \ smtp_config.h \ smtp_log.c \ @@ -260,8 +269,7 @@ EXTRA_DIST = \ sf_smtp.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj 
@@ -347,6 +355,27 @@ ssl.lo: ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ssl.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +mempool.lo: ../include/mempool.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mempool.lo `test -f '../include/mempool.c' || echo '$(srcdir)/'`../include/mempool.c + +sf_sdlist.lo: ../include/sf_sdlist.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_sdlist.lo `test -f '../include/sf_sdlist.c' || echo '$(srcdir)/'`../include/sf_sdlist.c + +sf_base64decode.lo: ../include/sf_base64decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_base64decode.lo `test -f '../include/sf_base64decode.c' || echo '$(srcdir)/'`../include/sf_base64decode.c + +util_unfold.lo: ../include/util_unfold.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o util_unfold.lo `test -f '../include/util_unfold.c' || echo 
'$(srcdir)/'`../include/util_unfold.c + +sf_email_attach_decode.lo: ../include/sf_email_attach_decode.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_email_attach_decode.lo `test -f '../include/sf_email_attach_decode.c' || echo '$(srcdir)/'`../include/sf_email_attach_decode.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo @@ -436,15 +465,13 @@ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -469,10 +496,9 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am 
@@ -539,11 +565,11 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -556,26 +582,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ -mempool.c: ../include/mempool.c - cp $? $@ - -sf_sdlist.c: ../include/sf_sdlist.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - -sf_base64decode.c: ../include/sf_base64decode.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c mempool.c sf_sdlist.c sfPolicyUserData.c sf_base64decode.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/smtp/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/sf_preproc_info.h 2010-01-26 10:10:05.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,37 +0,0 @@ -/**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - ****************************************************************************/ - -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 1 -#define BUILD_VERSION 9 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_SMTP (IPV6)" -#else -#define PREPROC_NAME "SF_SMTP" -#endif - -#define DYNAMIC_PREPROC_SETUP SetupSMTP -extern void SetupSMTP(void); - -#endif /* SF_PREPROC_INFO_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/sf_smtp.dsp snort-2.9.2/src/dynamic-preprocessors/smtp/sf_smtp.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/sf_smtp.dsp 2010-08-25 13:22:45.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/sf_smtp.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib 
shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" !ELSEIF "$(CFG)" == "sf_smtp - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\libs" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 pcre.lib ws2_32.lib 
kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" !ELSEIF "$(CFG)" == "sf_smtp - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_smtp___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib 
winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"../../../src/win32/WIN32-Libraries" !ELSEIF "$(CFG)" == "sf_smtp - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_smtp___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,17 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" -# ADD LINK32 pcre.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib 
odbc32.lib odbccp32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" +# ADD LINK32 pcre.lib ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 /libpath:"../../../src/win32/WIN32-Libraries" # SUBTRACT LINK32 /pdb:none !ENDIF @@ -168,6 +169,10 @@ # End Source File # Begin Source File +SOURCE=..\include\sf_email_attach_decode.c +# End Source File +# Begin Source File + SOURCE=..\include\sf_sdlist.c # End Source File # Begin Source File @@ -202,6 +207,10 @@ SOURCE=.\spp_smtp.c # End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.c +# End Source File # End Group # Begin Group "Header Files" @@ -216,6 +225,10 @@ # End Source File # Begin Source File +SOURCE=..\include\sf_email_attach_decode.h +# End Source File +# Begin Source File + SOURCE=.\sf_preproc_info.h # End Source File # Begin Source File @@ -250,6 +263,10 @@ SOURCE=.\spp_smtp.h # End Source File +# Begin Source File + +SOURCE=..\include\util_unfold.h +# End Source File # End Group # Begin Group "Resource Files" diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_config.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_config.c 2010-06-09 15:05:15.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -45,9 +45,10 @@ #include "config.h" #endif +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_config.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_dynamic_preprocessor.h" #include "sfPolicy.h" 
@@ -55,26 +56,27 @@ /* Global variable to hold configuration */ extern SMTPConfig **smtp_config; -extern DynamicPreprocessorData _dpd; extern const SMTPToken smtp_known_cmds[]; /* Private functions */ -static void PrintConfig(SMTPConfig *); static int ProcessPorts(SMTPConfig *, char *, int); static int ProcessCmds(SMTPConfig *, char *, int, int); static int GetCmdId(SMTPConfig *, char *); static int AddCmd(SMTPConfig *, char *name); static int ProcessAltMaxCmdLen(SMTPConfig *, char *, int); static int ProcessMaxMimeMem(SMTPConfig *, char *, int); +static int ProcessSmtpMemcap(SMTPConfig *, char *, int); static int ProcessMaxMimeDepth(SMTPConfig *, char *, int); +static int ProcessLogDepth(SMTPConfig *, char *, int); static int ProcessXlink2State(SMTPConfig *, char *, int); +static int ProcessDecodeDepth(SMTPConfig *, char *, int , char *, DecodeType ); /* * Function: SMTP_ParseArgs(char *) * - * Purpose: Process the preprocessor arguments from the rules file and + * Purpose: Process the preprocessor arguments from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -89,6 +91,8 @@ char *value; char errStr[ERRSTRLEN]; int errStrLen = ERRSTRLEN; + int b64_option = 0; + int deprecated_options = 0; if ((config == NULL) || (args == NULL)) return; 
@@ -102,22 +106,33 @@ config->max_response_line_len = DEFAULT_MAX_RESPONSE_LINE_LEN; config->max_mime_depth = DEFAULT_MAX_MIME_DEPTH; config->max_mime_mem = DEFAULT_MAX_MIME_MEM; + config->memcap = DEFAULT_SMTP_MEMCAP; config->alert_xlink2state = 1; config->print_cmds = 1; config->enable_mime_decoding = 0; + config->b64_depth = DEFAULT_MAX_MIME_DEPTH; + config->qp_depth = DEFAULT_MAX_MIME_DEPTH; + config->uu_depth = DEFAULT_MAX_MIME_DEPTH; + config->bitenc_depth = DEFAULT_MAX_MIME_DEPTH; + config->max_depth = MIN_DEPTH; + config->log_filename = 0; + config->log_mailfrom = 0; + config->log_rcptto = 0; + config->log_email_hdrs = 0; + config->email_hdrs_log_depth = DEFAULT_LOG_DEPTH; config->cmd_config = (SMTPCmdConfig *)calloc(CMD_LAST, sizeof(SMTPCmdConfig)); if (config->cmd_config == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } *errStr = '\0'; arg = strtok(args, CONF_SEPARATORS); - + while ( arg != NULL ) { if ( !strcasecmp(CONF_PORTS, arg) ) @@ -161,12 +176,12 @@ } } else if ( !strcasecmp(CONF_IGNORE_DATA, arg) ) - { - config->ignore_data = 1; + { + config->ignore_data = 1; } else if ( !strcasecmp(CONF_IGNORE_TLS_DATA, arg) ) { - config->ignore_tls_data = 1; + config->ignore_tls_data = 1; } else if ( !strcasecmp(CONF_MAX_COMMAND_LINE_LEN, arg) ) { @@ -199,7 +214,7 @@ config->max_response_line_len = strtol(value, &endptr, 10); } else if ( !strcasecmp(CONF_NO_ALERTS, arg) ) - { + { config->no_alerts = 1; } else if ( !strcasecmp(CONF_ALERT_UNKNOWN_CMDS, arg) ) @@ -214,7 +229,7 @@ else if ( !strcasecmp(CONF_VALID_CMDS, arg) ) { /* Parse allowed commands */ - ret = ProcessCmds(config, errStr, errStrLen, ACTION_NO_ALERT); + ret = ProcessCmds(config, errStr, errStrLen, ACTION_NO_ALERT); } else if ( !strcasecmp(CONF_NORMALIZE_CMDS, arg) ) { 
@@ -226,17 +241,29 @@ /* Parse max line len for commands */ ret = ProcessAltMaxCmdLen(config, errStr, errStrLen); } + else if ( !strcasecmp(CONF_SMTP_MEMCAP, arg) ) + { + ret = ProcessSmtpMemcap(config, errStr, errStrLen); + } else if ( !strcasecmp(CONF_MAX_MIME_MEM, arg) ) { ret = ProcessMaxMimeMem(config, errStr, errStrLen); } else if ( !strcasecmp(CONF_MAX_MIME_DEPTH, arg) ) { - ret = ProcessMaxMimeDepth(config, errStr, errStrLen); + deprecated_options = 1; + _dpd.logMsg("WARNING: %s(%d) => The SMTP config option 'max_mime_depth' is deprecated.\n", + *(_dpd.config_file), *(_dpd.config_line)); + if(!b64_option) + ret = ProcessMaxMimeDepth(config, errStr, errStrLen); } else if ( !strcasecmp(CONF_ENABLE_MIME_DECODING, arg) ) { - config->enable_mime_decoding = 1; + deprecated_options = 1; + _dpd.logMsg("WARNING: %s(%d) => The SMTP config option 'enable_mime_decoding' is deprecated.\n", + *(_dpd.config_file), *(_dpd.config_line)); + if(!b64_option) + config->enable_mime_decoding = 1; } else if ( !strcasecmp(CONF_DISABLED, arg) ) { 
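Review bot: When `b64_decode_depth` appears before `max_mime_depth` on the config line, `if(!b64_option) ret = ProcessMaxMimeDepth(config, errStr, errStrLen);` skips the parser but leaves the numeric value token in the strtok stream, so the next loop iteration reports it as an unknown SMTP configuration option instead of the conflict error the code raises after the loop (ProcessMaxMimeDepth's body is outside this hunk, but its siblings such as ProcessSmtpMemcap consume the value with `strtok(NULL, CONF_SEPARATORS)`). Calling `ret = ProcessMaxMimeDepth(config, errStr, errStrLen);` unconditionally keeps the tokens aligned, and the later `deprecated_options` check still makes the combination fatal. The `enable_mime_decoding` branch is unaffected because that option takes no value. SMTP_ParseArgs starts and ends outside this hunk.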
@@ -246,16 +273,53 @@ { ret = ProcessXlink2State(config, errStr, errStrLen); } + else if ( !strcasecmp(CONF_LOG_FILENAME, arg) ) + { + config->log_filename = 1; + } + else if ( !strcasecmp(CONF_LOG_MAIL_FROM, arg) ) + { + config->log_mailfrom = 1; + } + else if ( !strcasecmp(CONF_LOG_RCPT_TO, arg) ) + { + config->log_rcptto = 1; + } + else if ( !strcasecmp(CONF_LOG_EMAIL_HDRS, arg) ) + { + config->log_email_hdrs = 1; + } + else if ( !strcasecmp(CONF_EMAIL_HDRS_LOG_DEPTH, arg) ) + { + ret = ProcessLogDepth(config, errStr, errStrLen); + } else if ( !strcasecmp(CONF_PRINT_CMDS, arg) ) { config->print_cmds = 1; } + else if ( !strcasecmp(CONF_B64_DECODE, arg) ) + { + b64_option = 1; + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_B64_DECODE, DECODE_B64); + } + else if ( !strcasecmp(CONF_QP_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_QP_DECODE, DECODE_QP); + } + else if ( !strcasecmp(CONF_UU_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_UU_DECODE, DECODE_UU); + } + else if ( !strcasecmp(CONF_BITENC_DECODE, arg) ) + { + ret = ProcessDecodeDepth(config, errStr, errStrLen, CONF_BITENC_DECODE, DECODE_BITENC); + } else { - DynamicPreprocessorFatalMessage("%s(%d) => Unknown SMTP configuration option %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => Unknown SMTP configuration option %s\n", *(_dpd.config_file), *(_dpd.config_line), arg); - } + } if (ret == -1) { @@ -264,12 +328,12 @@ */ if (*errStr) { - DynamicPreprocessorFatalMessage("%s(%d) => %s\n", + DynamicPreprocessorFatalMessage("%s(%d) => %s\n", *(_dpd.config_file), *(_dpd.config_line), errStr); } else { - DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", + DynamicPreprocessorFatalMessage("%s(%d) => Undefined Error.\n", *(_dpd.config_file), *(_dpd.config_line)); } } 
@@ -278,51 +342,211 @@ arg = strtok(NULL, CONF_SEPARATORS); } - PrintConfig(config); + if(!b64_option) + { + if(config->enable_mime_decoding) + config->b64_depth = config->max_mime_depth; + } + else if(deprecated_options) + { + DynamicPreprocessorFatalMessage("%s(%d) => Cannot specify 'enable_mime_decoding' or 'max_mime_depth' with " + "'b64_decode_depth'\n", + *(_dpd.config_file), *(_dpd.config_line), arg); + } + + if(!config->email_hdrs_log_depth) + { + if(config->log_email_hdrs) + { + _dpd.logMsg("WARNING: %s(%d) => 'log_email_hdrs' enabled with 'email_hdrs_log_depth' = 0." + "Email headers won't be logged. Please set 'email_hdrs_log_depth' > 0 to enable logging.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + config->log_email_hdrs = 0; + } + } +int SMTP_IsDecodingEnabled(SMTPConfig *pPolicyConfig) +{ + if( (pPolicyConfig->b64_depth > -1) || (pPolicyConfig->qp_depth > -1) + || (pPolicyConfig->uu_depth > -1) || (pPolicyConfig->bitenc_depth > -1) ) + { + return 0; + } + else + return -1; + +} + void SMTP_CheckConfig(SMTPConfig *pPolicyConfig, tSfPolicyUserContextId context) { + int max = -1; SMTPConfig *defaultConfig = (SMTPConfig *)sfPolicyUserDataGetDefault(context); if (pPolicyConfig == defaultConfig) - { + { if (!pPolicyConfig->max_mime_mem) pPolicyConfig->max_mime_mem = DEFAULT_MAX_MIME_MEM; - if (!pPolicyConfig->max_mime_depth) - pPolicyConfig->max_mime_depth = DEFAULT_MAX_MIME_DEPTH; + if(!pPolicyConfig->b64_depth || !pPolicyConfig->qp_depth + || !pPolicyConfig->uu_depth || !pPolicyConfig->bitenc_depth) + { + pPolicyConfig->max_depth = MAX_DEPTH; + return; + } + else + { + if(max < pPolicyConfig->b64_depth) + max = pPolicyConfig->b64_depth; + + if(max < pPolicyConfig->qp_depth) + max = pPolicyConfig->qp_depth; + if(max < pPolicyConfig->bitenc_depth) + max = pPolicyConfig->bitenc_depth; - } + if(max < pPolicyConfig->uu_depth) + max = pPolicyConfig->uu_depth; + + pPolicyConfig->max_depth = max; + } + + + if (!pPolicyConfig->memcap) + 
pPolicyConfig->memcap = DEFAULT_SMTP_MEMCAP; + + if(pPolicyConfig->disabled && !pPolicyConfig->email_hdrs_log_depth) + pPolicyConfig->email_hdrs_log_depth = DEFAULT_LOG_DEPTH; + + } else if (defaultConfig == NULL) - { + { if (pPolicyConfig->max_mime_mem) - { + { DynamicPreprocessorFatalMessage("%s(%d) => SMTP: max_mime_mem must be " - "configured in the default policy.\n", + "configured in the default config.\n", *(_dpd.config_file), *(_dpd.config_line)); - } + } + + if (pPolicyConfig->b64_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: b64_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->qp_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: qp_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } - if (pPolicyConfig->max_mime_depth) - { - DynamicPreprocessorFatalMessage("%s(%d) => SMTP: max_mime_depth must be " - "configured in the default policy.\n", - *(_dpd.config_file), *(_dpd.config_line)); - } - - } - else - { + if (pPolicyConfig->uu_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: uu_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->bitenc_depth > -1) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: bitenc_decode_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if (pPolicyConfig->memcap) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: memcap must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + if(pPolicyConfig->log_email_hdrs && pPolicyConfig->email_hdrs_log_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: email_hdrs_log_depth must be " + "configured in the default config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + + } + else + { 
pPolicyConfig->max_mime_mem = defaultConfig->max_mime_mem; - pPolicyConfig->max_mime_depth = defaultConfig->max_mime_depth; - pPolicyConfig->max_mime_decode_bytes = defaultConfig->max_mime_decode_bytes; - pPolicyConfig->max_mime_sessions = defaultConfig->max_mime_sessions; - } + pPolicyConfig->max_depth = defaultConfig->max_depth; + pPolicyConfig->memcap = defaultConfig->memcap; + pPolicyConfig->email_hdrs_log_depth = defaultConfig->email_hdrs_log_depth; + if(pPolicyConfig->disabled) + { + pPolicyConfig->b64_depth = defaultConfig->b64_depth; + pPolicyConfig->qp_depth = defaultConfig->qp_depth; + pPolicyConfig->uu_depth = defaultConfig->uu_depth; + pPolicyConfig->bitenc_depth = defaultConfig->bitenc_depth; + return; + } + if(!pPolicyConfig->b64_depth && defaultConfig->b64_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited Base64 decoding" + " in non-default config without turning on unlimited Base64 decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->b64_depth && (pPolicyConfig->b64_depth > defaultConfig->b64_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: b64_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->b64_depth, defaultConfig->b64_depth); + } + + if(!pPolicyConfig->qp_depth && defaultConfig->qp_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited Quoted-Printable decoding" + " in non-default config without turning on unlimited Quoted-Printable decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->qp_depth && (pPolicyConfig->qp_depth > defaultConfig->qp_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: qp_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), 
pPolicyConfig->qp_depth, defaultConfig->qp_depth); + } + + if(!pPolicyConfig->uu_depth && defaultConfig->uu_depth ) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited Unix-to-Unix decoding" + " in non-default config without turning on unlimited Unix-to-Unix decoding in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->uu_depth && (pPolicyConfig->uu_depth > defaultConfig->uu_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: uu_decode_depth value %d in non-default config" + " cannot exceed default config's value %d.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->uu_depth, defaultConfig->uu_depth); + } + + if(!pPolicyConfig->bitenc_depth && defaultConfig->bitenc_depth) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: Cannot enable unlimited 7bit/8bit/binary extraction" + " in non-default config without turning on unlimited 7bit/8bit/binary extraction in the default " + " config.\n", + *(_dpd.config_file), *(_dpd.config_line)); + } + else if(defaultConfig->bitenc_depth && (pPolicyConfig->bitenc_depth > defaultConfig->bitenc_depth)) + { + DynamicPreprocessorFatalMessage("%s(%d) => SMTP: bitenc_decode_depth value %d in non-default config " + " cannot exceed default config's value.\n", + *(_dpd.config_file), *(_dpd.config_line), pPolicyConfig->bitenc_depth, defaultConfig->bitenc_depth); + } + + } } -static void PrintConfig(SMTPConfig *config) +void SMTP_PrintConfig(SMTPConfig *config) { int i; const SMTPToken *cmd; @@ -334,7 +558,12 @@ memset(&buf[0], 0, sizeof(buf)); _dpd.logMsg("SMTP Config:\n"); - + + if(config->disabled) + { + _dpd.logMsg(" SMTP: INACTIVE\n"); + } + snprintf(buf, sizeof(buf) - 1, " Ports: "); for (i = 0; i < 65536; i++) 
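Review bot: The `return;` after `pPolicyConfig->max_depth = MAX_DEPTH;` in SMTP_CheckConfig's default-policy branch skips the `memcap` and `email_hdrs_log_depth` defaulting that follows whenever any decode depth is 0 (unlimited); dropping that `return;` keeps the defaulting on every path (SMTP_ParseArgs pre-sets `memcap` to `DEFAULT_SMTP_MEMCAP`, so as far as this hunk shows the gap is latent rather than live). `SMTP_IsDecodingEnabled` returns 0 when decoding is enabled and -1 when it is not, the opposite of what the name suggests for an `int` predicate; a comment such as `/* returns 0 if any of the four decode depths is > -1 (enabled), -1 if all are disabled */` on the definition and on its prototype in smtp_config.h would prevent `if (SMTP_IsDecodingEnabled(cfg))` misuse. The bitenc "cannot exceed" message is the only one of the four that omits the `%d` for the default's value while still passing `defaultConfig->bitenc_depth`; `" cannot exceed default config's value %d.\n"` restores the consistency. The 'Cannot specify' fatal near the top of the hunk passes `arg`, which is NULL once the strtok loop has ended, with no matching conversion; drop that argument. SMTP_ParseArgs starts outside the hunk.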
@@ -375,15 +604,15 @@ { _dpd.printfappend(buf, sizeof(buf) - 1, "cmds"); } - + break; } _dpd.logMsg("%s\n", buf); - _dpd.logMsg(" Ignore Data: %s\n", + _dpd.logMsg(" Ignore Data: %s\n", config->ignore_data ? "Yes" : "No"); - _dpd.logMsg(" Ignore TLS Data: %s\n", + _dpd.logMsg(" Ignore TLS Data: %s\n", config->ignore_tls_data ? "Yes" : "No"); _dpd.logMsg(" Ignore SMTP Alerts: %s\n", config->no_alerts ? "Yes" : "No"); @@ -447,7 +676,7 @@ else _dpd.logMsg("%s%d\n", buf, config->max_response_line_len); } - + _dpd.logMsg(" X-Link2State Alert: %s\n", config->alert_xlink2state ? "Yes" : "No"); if (config->alert_xlink2state) @@ -459,7 +688,7 @@ if (config->print_cmds && !config->no_alerts) { int alert_count = 0; - + snprintf(buf, sizeof(buf) - 1, " Alert on commands: "); for (cmd = config->cmds; cmd->name != NULL; cmd++) 
@@ -480,6 +709,96 @@ _dpd.logMsg("%s\n", buf); } } + _dpd.logMsg(" Alert on unknown commands: %s\n", + config->alert_unknown_cmds ? "Yes" : "No"); + + _dpd.logMsg(" SMTP Memcap: %u\n", + config->memcap); + + _dpd.logMsg(" MIME Max Mem: %d\n", + config->max_mime_mem); + + if(config->b64_depth > -1) + { + _dpd.logMsg(" Base64 Decoding: %s\n", "Enabled"); + switch(config->b64_depth) + { + case 0: + _dpd.logMsg(" Base64 Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Base64 Decoding Depth: %d\n", config->b64_depth); + break; + } + } + else + _dpd.logMsg(" Base64 Decoding: %s\n", "Disabled"); + + if(config->qp_depth > -1) + { + _dpd.logMsg(" Quoted-Printable Decoding: %s\n","Enabled"); + switch(config->qp_depth) + { + case 0: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Quoted-Printable Decoding Depth: %d\n", config->qp_depth); + break; + } + } + else + _dpd.logMsg(" Quoted-Printable Decoding: %s\n", "Disabled"); + + if(config->uu_depth > -1) + { + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n","Enabled"); + switch(config->uu_depth) + { + case 0: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" Unix-to-Unix Decoding Depth: %d\n", config->uu_depth); + break; + } + } + else + _dpd.logMsg(" Unix-to-Unix Decoding: %s\n", "Disabled"); + + if(config->bitenc_depth > -1) + { + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n","Enabled"); + switch(config->bitenc_depth) + { + case 0: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %s\n", "Unlimited"); + break; + default: + _dpd.logMsg(" 7bit/8bit/binary Extraction Depth: %d\n", config->bitenc_depth); + break; + } + } + else + _dpd.logMsg(" 7bit/8bit/binary Extraction: %s\n", "Disabled"); + + _dpd.logMsg(" Log Attachment filename: %s\n", + config->log_filename ? "Enabled" : "Not Enabled"); + + _dpd.logMsg(" Log MAIL FROM Address: %s\n", + config->log_mailfrom ? 
"Enabled" : "Not Enabled"); + + _dpd.logMsg(" Log RCPT TO Addresses: %s\n", + config->log_rcptto ? "Enabled" : "Not Enabled"); + + _dpd.logMsg(" Log Email Headers: %s\n", + config->log_email_hdrs ? "Enabled" : "Not Enabled"); + + if(config->log_email_hdrs) + { + _dpd.logMsg(" Email Hdrs Log Depth: %u\n", + config->email_hdrs_log_depth); + } } /* @@ -489,13 +808,13 @@ /** ** Process the port list. ** -** This configuration is a list of valid ports and is ended by a +** This configuration is a list of valid ports and is ended by a ** delimiter. ** ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -508,6 +827,7 @@ char *pcEnd; int iPort; int iEndPorts = 0; + int num_ports = 0; if (config == NULL) { @@ -565,6 +885,7 @@ } config->ports[iPort / 8] |= (1 << (iPort % 8)); + num_ports++; } if(!iEndPorts) @@ -575,6 +896,12 @@ return -1; } + else if(!num_ports) + { + snprintf(ErrorString, ErrStrLen, + "SMTP: Empty port list not allowed."); + return -1; + } return 0; } @@ -586,13 +913,13 @@ /** ** Process the command list. ** -** This configuration is a list of valid ports and is ended by a +** This configuration is a list of valid ports and is ended by a ** delimiter. ** ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -609,7 +936,7 @@ snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); return -1; } - + pcToken = strtok(NULL, CONF_SEPARATORS); if (!pcToken) { @@ -625,7 +952,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if (strcmp(CONF_END_LIST, pcToken) == 0) 
@@ -676,7 +1003,7 @@ return cmd->search_id; } } - + return AddCmd(config, name); } @@ -701,7 +1028,7 @@ if (cmds == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -710,7 +1037,7 @@ if (cmd_search == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -718,7 +1045,7 @@ if (cmd_config == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -729,7 +1056,7 @@ if (ret != SAFEMEM_SUCCESS) { - DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", + DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -738,7 +1065,7 @@ if (ret != SAFEMEM_SUCCESS) { - DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", + DynamicPreprocessorFatalMessage("%s(%d) => Failed to memory copy SMTP command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -753,7 +1080,7 @@ if (tmp_cmds->name == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for SMTP " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -806,7 +1133,7 @@ { snprintf(ErrorString, ErrStrLen, "Invalid value for max_mime_mem." - "It should range between %d and %d.", + "It should range between %d and %d.", MIN_MIME_MEM, MAX_MIME_MEM); return -1; } 
@@ -816,6 +1143,47 @@ } +static int ProcessSmtpMemcap(SMTPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t smtp_memcap = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for memcap."); + return -1; + } + smtp_memcap = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for memcap."); + return -1; + } + + if (smtp_memcap < MIN_SMTP_MEMCAP || smtp_memcap > MAX_SMTP_MEMCAP) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for memcap." + "It should range between %d and %d.", + MIN_SMTP_MEMCAP, MAX_SMTP_MEMCAP); + return -1; + } + + config->memcap = smtp_memcap; + return 0; +} + + static int ProcessMaxMimeDepth(SMTPConfig *config, char *ErrorString, int ErrStrLen) { char *endptr; @@ -839,7 +1207,7 @@ if(*endptr) { snprintf(ErrorString, ErrStrLen, - "Invalid format for max_mime_mem."); + "Invalid format for max_mime_depth."); return -1; } 
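Review bot: `smtp_memcap = strtoul(value, &endptr, 10);` stores an `unsigned long` into a `uint32_t` with no `ERANGE` check, so on an LP64 build an input such as 4294970572 is silently truncated to 3276 and passes the `MIN_SMTP_MEMCAP`/`MAX_SMTP_MEMCAP` range check — a memcap the operator never asked for. Parse into a wide local first, `errno = 0; unsigned long v = strtoul(value, &endptr, 10);`, then `if (errno == ERANGE || v < MIN_SMTP_MEMCAP || v > MAX_SMTP_MEMCAP)` before narrowing (needs `<errno.h>` if the file does not already include it); ProcessLogDepth and ProcessDecodeDepth in the next hunk narrow the same way. The two identical `"Invalid format for memcap."` messages also conflate a missing value with a malformed one, whereas ProcessLogDepth reports `"Missing value for ..."` separately; this function should match.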
@@ -847,15 +1215,143 @@ { snprintf(ErrorString, ErrStrLen, "Invalid value for max_mime_depth." - "It should range between %d and %d.", + "It should range between %d and %d.", MIN_MIME_DEPTH, MAX_MIME_DEPTH); return -1; } + if(max_mime_depth & 3) + { + max_mime_depth += 4 - (max_mime_depth & 3); + _dpd.logMsg("WARNING: %s(%d) => SMTP: 'max_mime_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. The new 'max_mime_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), max_mime_depth); + + } config->max_mime_depth = max_mime_depth; return 0; } +static int ProcessLogDepth(SMTPConfig *config, char *ErrorString, int ErrStrLen) +{ + char *endptr; + char *value; + uint32_t log_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Missing value for email_hdrs_log_depth."); + return -1; + } + log_depth = strtoul(value, &endptr, 10); + + if((value[0] == '-') || (*endptr != '\0')) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format '%s' for email_hdrs_log_depth.", + value); + return -1; + } + + if(log_depth && log_depth < MIN_LOG_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for email_hdrs_log_depth." + "It should range between %d and %d.", + MIN_LOG_DEPTH, MAX_LOG_DEPTH); + return -1; + } + else if (log_depth > MAX_LOG_DEPTH) + { + _dpd.logMsg("WARNING: %s(%d) => Invalid value for email_hdrs_log_depth. " + "It should range between %d and %d. 
The email_hdrs_log_depth " + "will be reduced to the max value.\n", *(_dpd.config_file), *(_dpd.config_line), + MIN_LOG_DEPTH, MAX_LOG_DEPTH); + + log_depth = MAX_LOG_DEPTH; + } + + + config->email_hdrs_log_depth = log_depth; + return 0; +} + +static int ProcessDecodeDepth(SMTPConfig *config, char *ErrorString, int ErrStrLen, char *decode_type, DecodeType type) +{ + char *endptr; + char *value; + int decode_depth = 0; + if (config == NULL) + { + snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); + return -1; + } + + value = strtok(NULL, CONF_SEPARATORS); + if ( value == NULL ) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for SMTP config option '%s'.", decode_type); + return -1; + } + decode_depth = strtol(value, &endptr, 10); + + if(*endptr) + { + snprintf(ErrorString, ErrStrLen, + "Invalid format for SMTP config option '%s'.", decode_type); + return -1; + } + if(decode_depth < MIN_DEPTH || decode_depth > MAX_DEPTH) + { + snprintf(ErrorString, ErrStrLen, + "Invalid value for SMTP config option '%s'." + "It should range between %d and %d.", + decode_type, MIN_DEPTH, MAX_DEPTH); + return -1; + } + + switch(type) + { + case DECODE_B64: + if((decode_depth > 0) && (decode_depth & 3)) + { + decode_depth += 4 - (decode_depth & 3); + if(decode_depth > MAX_DEPTH ) + { + decode_depth = decode_depth - 4; + } + _dpd.logMsg("WARNING: %s(%d) => SMTP: 'b64_decode_depth' is not a multiple of 4. " + "Rounding up to the next multiple of 4. The new 'b64_decode_depth' is %d.\n", + *(_dpd.config_file), *(_dpd.config_line), decode_depth); + } + config->b64_depth = decode_depth; + break; + case DECODE_QP: + config->qp_depth = decode_depth; + break; + case DECODE_UU: + config->uu_depth = decode_depth; + break; + case DECODE_BITENC: + config->bitenc_depth = decode_depth; + break; + default: + return -1; + } + + return 0; +} + + + /* ** NAME ** ProcessAltMaxCmdLen:: 
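Review bot: `decode_depth = strtol(value, &endptr, 10);` in ProcessDecodeDepth narrows a `long` to `int` before the `MIN_DEPTH`/`MAX_DEPTH` check, so on LP64 an input such as 4294967396 is accepted as 100; keep the `long` for the check, `long v = strtol(value, &endptr, 10); if (*endptr || errno == ERANGE || v < MIN_DEPTH || v > MAX_DEPTH)`, and assign only afterwards — the `uint32_t log_depth` in ProcessLogDepth needs the same treatment. In the DECODE_B64 case the rounding can push `decode_depth` past `MAX_DEPTH` (65535 is not a multiple of 4); the code then subtracts 4 but still logs "Rounding up to the next multiple of 4", so the message should say the value was reduced or the cap should be applied before the message is formatted. `char *decode_type` only ever receives the `CONF_*_DECODE` string-literal macros and is never written; declare it `const char *decode_type` here and in the prototype. The multiple-of-4 rounding now lives in both ProcessMaxMimeDepth and ProcessDecodeDepth; one static helper would keep them in step.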
@@ -867,7 +1363,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -887,7 +1383,7 @@ snprintf(ErrorString, ErrStrLen, "SMTP config is NULL.\n"); return -1; } - + /* Find number */ pcLen = strtok(NULL, CONF_SEPARATORS); if (!pcLen) @@ -906,7 +1402,7 @@ return -1; } - + cmd_len = strtoul(pcLen, &pcLenEnd, 10); if (pcLenEnd == pcLen) { @@ -924,7 +1420,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if (strcmp(CONF_END_LIST, pcToken) == 0) @@ -932,7 +1428,7 @@ iEndCmds = 1; break; } - + id = GetCmdId(config, pcToken); config->cmd_config[id].max_line_len = cmd_len; @@ -942,7 +1438,7 @@ { snprintf(ErrorString, ErrStrLen, "Must end alt_max_command_line_len configuration with '%s'.", CONF_END_LIST); - + return -1; } @@ -961,7 +1457,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -995,7 +1491,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if(!strcmp(CONF_END_LIST, pcToken)) diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_config.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.h --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_config.h 2010-06-09 15:05:15.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_config.h 2011-10-26 11:28:52.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -46,6 +46,16 @@ #define CONF_MAX_MIME_MEM "max_mime_mem" #define CONF_MAX_MIME_DEPTH "max_mime_depth" #define CONF_ENABLE_MIME_DECODING "enable_mime_decoding" +#define CONF_B64_DECODE "b64_decode_depth" +#define CONF_QP_DECODE "qp_decode_depth" +#define CONF_BITENC_DECODE "bitenc_decode_depth" +#define CONF_UU_DECODE "uu_decode_depth" +#define CONF_LOG_FILENAME "log_filename" +#define CONF_LOG_MAIL_FROM "log_mailfrom" +#define CONF_LOG_RCPT_TO "log_rcptto" +#define CONF_LOG_EMAIL_HDRS "log_email_hdrs" +#define CONF_SMTP_MEMCAP "memcap" +#define CONF_EMAIL_HDRS_LOG_DEPTH "email_hdrs_log_depth" #define CONF_DISABLED "disabled" #define CONF_NO_ALERTS "no_alerts" #define CONF_VALID_CMDS "valid_cmds" @@ -78,16 +88,25 @@ #define DEFAULT_MAX_RESPONSE_LINE_LEN 0 /*These are temporary values*/ - +#define MAX_DEPTH 65535 +#define MIN_DEPTH -1 #define DEFAULT_MAX_MIME_MEM 838860 #define DEFAULT_MAX_MIME_DEPTH 1460 +#define DEFAULT_SMTP_MEMCAP 838860 +#define DEFAULT_LOG_DEPTH 1464 #define MAX_MIME_MEM 104857600 #define MIN_MIME_MEM 3276 #define MAX_MIME_DEPTH 20480 -#define MIN_MIME_DEPTH 5 +#define MIN_MIME_DEPTH 4 +#define MAX_SMTP_MEMCAP 104857600 +#define MIN_SMTP_MEMCAP 3276 +#define MAX_LOG_DEPTH 20480 +#define MIN_LOG_DEPTH 1 #define SMTP_DEFAULT_SERVER_PORT 25 /* SMTP normally runs on port 25 */ #define SMTP_DEFAULT_SUBMISSION_PORT 587 /* SMTP Submission port - see RFC 2476 */ #define XLINK2STATE_DEFAULT_PORT 691 /* XLINK2STATE sometimes runs on port 691 */ +#define MAX_FILE 1024 +#define MAX_EMAIL 1024 #define ERRSTRLEN 512 
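Review bot: `MIN_DEPTH -1` and `MAX_DEPTH 65535` carry no comment on the sentinel semantics smtp_config.c relies on (a depth of -1 means the decoder is off, 0 means unlimited, anything else is a byte limit), and they sit under the retained `/*These are temporary values*/` line even though they are now shipped defaults. Suggest `/* Decode depths: -1 = decoder disabled, 0 = unlimited, 1..MAX_DEPTH = bytes (b64 is rounded up to a multiple of 4). */` above `MAX_DEPTH` and dropping the 'temporary' comment. `MAX_FILE` and `MAX_EMAIL` are introduced with no use visible in this diff; a one-line comment naming what each bounds would save the next reader a search.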
@@ -128,12 +147,22 @@ char alert_unknown_cmds; char alert_xlink2state; char drop_xlink2state; - char print_cmds; + char print_cmds; char enable_mime_decoding; + char log_mailfrom; + char log_rcptto; + char log_filename; + char log_email_hdrs; + uint32_t email_hdrs_log_depth; + uint32_t memcap; int max_mime_mem; int max_mime_depth; - int max_mime_decode_bytes; - int max_mime_sessions; + int max_depth; + int b64_depth; + int qp_depth; + int bitenc_depth; + int uu_depth; + SMTPToken *cmds; SMTPCmdConfig *cmd_config; SMTPSearch *cmd_search; @@ -142,13 +171,19 @@ int disabled; int ref_count; + uint32_t xtra_filename_id; + uint32_t xtra_mfrom_id; + uint32_t xtra_rcptto_id; + uint32_t xtra_ehdrs_id; } SMTPConfig; /* Function prototypes */ void SMTP_ParseArgs(SMTPConfig *, char *); +void SMTP_PrintConfig(SMTPConfig *config); void SMTP_CheckConfig(SMTPConfig *, tSfPolicyUserContextId); +int SMTP_IsDecodingEnabled(SMTPConfig *pPolicyConfig); #endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_log.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_log.c 2010-01-26 10:10:05.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,8 +18,8 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - -/************************************************************************** + +/************************************************************************** * * smtp_log.c * 
@@ -39,14 +39,18 @@ #include <stdarg.h> #include <stdio.h> -#include "debug.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "smtp_config.h" #include "smtp_log.h" #include "snort_smtp.h" #include "sf_dynamic_preprocessor.h" extern SMTPConfig *smtp_eval_config; -extern DynamicPreprocessorData _dpd; extern SMTP *smtp_ssn; char smtp_event[SMTP_EVENT_MAX][EVENT_STR_LEN]; @@ -59,7 +63,7 @@ /* Only log a specific alert once per session */ if (smtp_ssn->alert_mask & (1 << event)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Already alerted on: %s - " "ignoring event.\n", smtp_event[event]);); #endif @@ -72,7 +76,7 @@ if (smtp_eval_config->no_alerts) { -#ifdef DEBUG +#ifdef DEBUG_MSGS va_start(ap, format); smtp_event[event][0] = '\0'; @@ -100,3 +104,25 @@ va_end(ap); } +void SMTP_DecodeAlert(void) +{ + switch( smtp_ssn->decode_state->decode_type ) + { + case DECODE_B64: + SMTP_GenerateAlert(SMTP_B64_DECODING_FAILED, "%s", SMTP_B64_DECODING_FAILED_STR); + break; + case DECODE_QP: + SMTP_GenerateAlert(SMTP_QP_DECODING_FAILED, "%s", SMTP_QP_DECODING_FAILED_STR); + break; + case DECODE_UU: + SMTP_GenerateAlert(SMTP_UU_DECODING_FAILED, "%s", SMTP_UU_DECODING_FAILED_STR); + break; + case DECODE_BITENC: + SMTP_GenerateAlert(SMTP_BITENC_DECODING_FAILED, "%s", SMTP_BITENC_DECODING_FAILED_STR); + break; + + default: + break; + } +} + diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_log.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.h --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_log.h 2010-01-26 10:10:05.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_log.h 2011-10-26 11:28:52.000000000 -0700 
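Review bot: SMTP_DecodeAlert dereferences `smtp_ssn->decode_state->decode_type` with no check on either pointer; nothing in this hunk shows that `decode_state` is always allocated, and the new SMTP_DECODE_MEMCAP_EXCEEDED event in smtp_log.h suggests decode resources can be unavailable, so either guard with `if ((smtp_ssn == NULL) || (smtp_ssn->decode_state == NULL)) return;` or state the precondition in a comment on the function. The `default: break;` arm also swallows an unexpected `decode_type` silently; a `DEBUG_WRAP(DebugMessage(DEBUG_SMTP, ...))` line in the style SMTP_GenerateAlert already uses would make that visible in debug builds.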
@@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -42,8 +42,13 @@ #define SMTP_ILLEGAL_CMD 6 #define SMTP_HEADER_NAME_OVERFLOW 7 #define SMTP_XLINK2STATE_OVERFLOW 8 +#define SMTP_DECODE_MEMCAP_EXCEEDED 9 +#define SMTP_B64_DECODING_FAILED 10 +#define SMTP_QP_DECODING_FAILED 11 +#define SMTP_BITENC_DECODING_FAILED 12 +#define SMTP_UU_DECODING_FAILED 13 -#define SMTP_EVENT_MAX 9 +#define SMTP_EVENT_MAX 14 /* Messages for each event */ #define SMTP_COMMAND_OVERFLOW_STR "(smtp) Attempted command buffer overflow" @@ -54,13 +59,19 @@ #define SMTP_ILLEGAL_CMD_STR "(smtp) Illegal command" #define SMTP_HEADER_NAME_OVERFLOW_STR "(smtp) Attempted header name buffer overflow" #define SMTP_XLINK2STATE_OVERFLOW_STR "(smtp) Attempted X-Link2State command buffer overflow" +#define SMTP_DECODE_MEMCAP_EXCEEDED_STR "(smtp) No memory available for decoding. Max Mime Mem exceeded" +#define SMTP_B64_DECODING_FAILED_STR "(smtp) Base64 Decoding failed." +#define SMTP_QP_DECODING_FAILED_STR "(smtp) Quoted-Printable Decoding failed." +#define SMTP_BITENC_DECODING_FAILED_STR "(smtp) 7bit/8bit/binary/text Extraction failed." +#define SMTP_UU_DECODING_FAILED_STR "(smtp) Unix-to-Unix Decoding failed." #define EVENT_STR_LEN 256 /* Function prototypes */ void SMTP_GenerateAlert(int, char *, ...); - +void SMTP_Decode( void ); +void SMTP_DecodeAlert(void); #endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_normalize.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_normalize.c 2010-01-26 10:10:05.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.c 2011-10-26 11:28:52.000000000 -0700 
@@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * @@ -34,25 +34,28 @@ #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_util.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_packet.h" extern SMTP *smtp_ssn; -extern DynamicPreprocessorData _dpd; extern char smtp_normalizing; - /* * SMTP_NormalizeCmd - * + * * If command doesn't need normalizing it will do nothing, except in * the case where we are already normalizing in which case the line * will get copied to the alt buffer. - * If the command needs normalizing the normalized data will be copied - * to the alt buffer. If we are not already normalizing, all of the + * If the command needs normalizing the normalized data will be copied + * to the alt buffer. If we are not already normalizing, all of the * data up to this point will be copied into the alt buffer first. * * XXX This may copy unwanted data if we are ignoring the data in the diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_normalize.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.h --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_normalize.h 2010-01-26 10:10:06.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_normalize.h 2011-02-09 15:23:24.000000000 -0800 
@@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_util.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_util.c 2010-10-25 12:49:07.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.c 2011-11-21 12:15:24.000000000 -0800 @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * Author: Andy Mullican * @@ -39,16 +39,19 @@ #include <ctype.h> #include <string.h> -#include "debug.h" -#include "bounds.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" +#include "snort_bounds.h" #include "snort_smtp.h" #include "smtp_util.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_packet.h" -#include "sf_base64decode.h" -extern DynamicPreprocessorData _dpd; extern SMTP *smtp_ssn; extern char smtp_normalizing; @@ -58,7 +61,7 @@ const uint8_t *tmp_eol; const uint8_t *tmp_eolm; - /* XXX maybe should fatal error here since none of these + /* XXX maybe should fatal error here since none of these * pointers should be NULL */ if (ptr == NULL || end == NULL || eol == NULL || eolm == NULL) return; @@ -71,7 +74,7 @@ } else { - /* end of line marker (eolm) should point to marker and + /* end of line marker (eolm) should point to marker and * end of line (eol) should point to end of marker */ if ((tmp_eol > ptr) && (*(tmp_eol - 1) == '\r')) { 
@@ -99,7 +102,6 @@ /* if we make a call to this it means we want to use the alt buffer * regardless of whether we copy any data into it or not - barring a failure */ - p->flags |= FLAG_ALT_DECODE; smtp_normalizing = 1; /* if start and end the same, nothing to copy */ 
@@ -114,110 +116,330 @@ if (ret != SAFEMEM_SUCCESS) { - ResetAltBuffer(p); + _dpd.DetectFlag_Disable(SF_FLAG_ALT_DECODE); smtp_normalizing = 0; return -1; } - *alt_len += length; + _dpd.SetAltDecode(*alt_len); + return 0; } - -int SMTP_IsBase64Data(const char *start, int length) +/* Accumulate EOL seperated headers, one or more at a time */ +int SMTP_CopyEmailHdrs(const uint8_t *start, int length) { - const char *tmp = NULL; - - tmp = _dpd.SnortStrnStr(start, length, "base64"); + int log_avail = 0; + uint8_t *log_buf; + uint32_t *hdrs_logged; + int ret = 0; - if( tmp == NULL ) + if ((smtp_ssn->log_state == NULL) || (length <= 0)) return -1; + + log_avail = (smtp_ssn->log_state->log_depth - smtp_ssn->log_state->hdrs_logged); + hdrs_logged = &(smtp_ssn->log_state->hdrs_logged); + log_buf = (uint8_t *)smtp_ssn->log_state->emailHdrs; + + if(log_avail <= 0) + { + return -1; + } + + if(length > log_avail ) + { + length = log_avail; + } + + /* appended by the EOL \r\n */ + + ret = SafeMemcpy(log_buf + *hdrs_logged, start, length, log_buf, log_buf+(smtp_ssn->log_state->log_depth)); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *hdrs_logged += length; + smtp_ssn->log_flags |= SMTP_FLAG_EMAIL_HDRS_PRESENT; + return 0; } -void SMTP_Base64Decode(const uint8_t *start, const uint8_t *end) +/* Accumulate email addresses from RCPT TO and/or MAIL FROM commands. 
Email addresses are separated by comma */ +int SMTP_CopyEmailID(const uint8_t *start, int length, int command_type) { - uint32_t encode_avail = 0, decode_avail = 0 ; - uint8_t *encode_buf, *decode_buf; - uint32_t act_encode_size = 0, act_decode_size = 0; - uint32_t prev_bytes = 0; - int i = 0; + uint8_t *alt_buf; + int alt_size; + uint16_t *alt_len; + int ret; + int log_avail=0; + const uint8_t *tmp_eol; - if (smtp_ssn == NULL || smtp_ssn->decode_state == NULL ) - return; + if ((smtp_ssn->log_state == NULL) || (length <= 0)) + return -1; + + tmp_eol = (uint8_t *)memchr(start, ':', length); + if(tmp_eol == NULL) + return -1; + + if((tmp_eol+1) < (start+length)) + { + length = length - ( (tmp_eol+1) - start ); + start = tmp_eol+1; + } + else + return -1; + + + + switch (command_type) + { + case CMD_MAIL: + alt_buf = smtp_ssn->log_state->senders; + alt_size = MAX_EMAIL; + alt_len = &(smtp_ssn->log_state->snds_logged); + break; + case CMD_RCPT: + alt_buf = smtp_ssn->log_state->recipients; + alt_size = MAX_EMAIL; + alt_len = &(smtp_ssn->log_state->rcpts_logged); + break; + + default: + return -1; + } + + log_avail = alt_size - *alt_len; + + if(log_avail <= 0 || !alt_buf) + return -1; + + if ( *alt_len > 0 && ((*alt_len + 1) < alt_size)) + { + alt_buf[*alt_len] = ','; + *alt_len = *alt_len + 1; + } + + ret = SafeMemcpy(alt_buf + *alt_len, start, length, alt_buf, alt_buf + alt_size); + + if (ret != SAFEMEM_SUCCESS) + { + if(*alt_len != 0) + *alt_len = *alt_len - 1; + return -1; + } + + *alt_len += length; + + return 0; +} + + +void SMTP_DecodeType(const char *start, int length) +{ + const char *tmp = NULL; - encode_avail = (smtp_ssn->decode_state->encode_depth - smtp_ssn->decode_state->encode_bytes_read); - decode_avail = (smtp_ssn->decode_state->decode_depth - smtp_ssn->decode_state->decode_bytes_read); - encode_buf = (uint8_t *)smtp_ssn->decode_state->encodeBuf; - decode_buf = (uint8_t *)smtp_ssn->decode_state->decodeBuf; - - /* 1. 
Stop decoding when we have reached either the decode depth or encode depth. - * 2. Stop decoding when we are out of memory */ - if(encode_avail ==0 || decode_avail ==0 || - (!encode_buf) || (!decode_buf)) + if(smtp_ssn->decode_state->b64_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "base64"); + if( tmp != NULL ) + { + smtp_ssn->decode_state->decode_type = DECODE_B64; + return; + } + } + + if(smtp_ssn->decode_state->qp_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "quoted-printable"); + if( tmp != NULL ) + { + smtp_ssn->decode_state->decode_type = DECODE_QP; + return; + } + } + + if(smtp_ssn->decode_state->uu_state.encode_depth > -1) + { + tmp = _dpd.SnortStrcasestr(start, length, "uuencode"); + if( tmp != NULL ) + { + smtp_ssn->decode_state->decode_type = DECODE_UU; + return; + } + } + + if(smtp_ssn->decode_state->bitenc_state.depth > -1) { - ResetDecodeState(smtp_ssn->decode_state); + smtp_ssn->decode_state->decode_type = DECODE_BITENC; return; } - - /*The non decoded encoded data in the previous packet is required for successful decoding - * in case of base64 data spanned across packets*/ - if( smtp_ssn->decode_state->prev_encoded_bytes && - (smtp_ssn->decode_state->prev_encoded_bytes <= (int) encode_avail)) + + return; +} + + + +/* Extract the filename from the header */ +static inline int SMTP_ExtractFileName(const char **start, int length) +{ + const char *tmp = NULL; + const char *end = *start+length; + + if ((smtp_ssn->log_state == NULL) || (length <= 0)) + return -1; + + + if (!(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT)) + { + tmp = _dpd.SnortStrcasestr(*start, length, "filename"); + + if( tmp == NULL ) + return -1; + + tmp = tmp + 8; + while( (tmp < end) && ((isspace(*tmp)) || (*tmp == '=') )) + { + tmp++; + } + } + else + tmp = *start; + + if(tmp < end) { - if(smtp_ssn->decode_state->prev_encoded_buf) + if(*tmp == '"' || (smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT)) { - prev_bytes 
= smtp_ssn->decode_state->prev_encoded_bytes; - while(smtp_ssn->decode_state->prev_encoded_bytes) + if(*tmp == '"') { - /* Since this data cannot be more than 3 bytes*/ - encode_buf[i] = smtp_ssn->decode_state->prev_encoded_buf[i]; - i++; - smtp_ssn->decode_state->prev_encoded_bytes--; + if(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT) + { + smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_DISP_CONT; + return (tmp - *start); + } + tmp++; + + } + *start = tmp; + tmp = _dpd.SnortStrnPbrk(*start ,(end - tmp),"\""); + if(tmp == NULL ) + { + if ((end - tmp) > 0 ) + { + tmp = end; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_DISP_CONT; + } + else + return -1; } + else + smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_DISP_CONT; + end = tmp; } + else + { + *start = tmp; + } + return (end - *start); } - - if(sf_unfold_smtp(start, (end-start), encode_buf + prev_bytes, encode_avail, &act_encode_size) != 0) + else { - ResetDecodeState(smtp_ssn->decode_state); - return; + return -1; } - act_encode_size = act_encode_size + prev_bytes; + return 0; +} + + +/* accumulate MIME attachment filenames. The filenames are appended by commas */ +int SMTP_CopyFileName(const uint8_t *start, int length) +{ + uint8_t *alt_buf; + int alt_size; + uint16_t *alt_len; + int ret=0; + int cont =0; + int log_avail = 0; - i = (act_encode_size)%4 ; - /* Encoded data should be in multiples of 4. Then we need to wait for the remainder encoded data to - * successfully decode the base64 data. 
This happens when base64 data is spanned across packets*/ - if(i) + if(length == 0) + return -1; + + if(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT) + cont = 1; + + ret = SMTP_ExtractFileName((const char **)(&start), length ); + + if (ret == -1) + return ret; + + length = ret; + + alt_buf = smtp_ssn->log_state->filenames; + alt_size = MAX_FILE; + alt_len = &(smtp_ssn->log_state->file_logged); + log_avail = alt_size - *alt_len; + + if(!alt_buf || (log_avail <= 0)) + return -1; + + + if ( *alt_len > 0 && ((*alt_len + 1) < alt_size)) { - smtp_ssn->decode_state->prev_encoded_bytes = i; - act_encode_size = act_encode_size - i; - smtp_ssn->decode_state->prev_encoded_buf = encode_buf + act_encode_size; + if(!cont) + { + alt_buf[*alt_len] = ','; + *alt_len = *alt_len + 1; + } } - - smtp_ssn->decode_state->encode_bytes_read += act_encode_size; - if(sf_base64decode(encode_buf, act_encode_size, decode_buf, decode_avail, &act_decode_size) != 0) + ret = SafeMemcpy(alt_buf + *alt_len, start, length, alt_buf, alt_buf + alt_size); + + if (ret != SAFEMEM_SUCCESS) { - ResetDecodeState(smtp_ssn->decode_state); + if(*alt_len != 0) + *alt_len = *alt_len - 1; + return -1; + } + + *alt_len += length; + smtp_ssn->log_flags |= SMTP_FLAG_FILENAME_PRESENT; + + return 0; +} + + +void SMTP_LogFuncs(SMTPConfig *config, SFSnortPacket *p) +{ + if((smtp_ssn->log_flags == 0) || !config) return; + + if(smtp_ssn->log_flags & SMTP_FLAG_FILENAME_PRESENT) + { + SetLogFuncs(p, config->xtra_filename_id, 0); } + if(smtp_ssn->log_flags & SMTP_FLAG_MAIL_FROM_PRESENT) + { + SetLogFuncs(p, config->xtra_mfrom_id, 0); + } - - smtp_ssn->decode_state->decode_present = 1; - smtp_ssn->decode_state->decoded_bytes = act_decode_size; - smtp_ssn->decode_state->decode_bytes_read += act_decode_size; + if(smtp_ssn->log_flags & SMTP_FLAG_RCPT_TO_PRESENT) + { + SetLogFuncs(p, config->xtra_rcptto_id, 0); + } + if(smtp_ssn->log_flags & SMTP_FLAG_EMAIL_HDRS_PRESENT) + { + SetLogFuncs(p, config->xtra_ehdrs_id, 0); + } - 
return; } -#ifdef DEBUG +#ifdef DEBUG_MSGS char smtp_print_buffer[65537]; const char * SMTP_PrintBuffer(SFSnortPacket *p) diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_util.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.h --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_util.h 2010-06-09 15:05:15.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_util.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -35,10 +35,13 @@ void SMTP_GetEOL(const uint8_t *, const uint8_t *, const uint8_t **, const uint8_t **); int SMTP_CopyToAltBuffer(SFSnortPacket *, const uint8_t *, int); -int SMTP_IsBase64Data(const char *, int ); -void SMTP_Base64Decode(const uint8_t *, const uint8_t *); +int SMTP_CopyEmailHdrs(const uint8_t *, int ); +int SMTP_CopyEmailID(const uint8_t *, int , int ); +int SMTP_CopyFileName(const uint8_t *, int ); +void SMTP_LogFuncs(SMTPConfig *config, SFSnortPacket *p); +void SMTP_DecodeType(const char *, int ); -#ifdef DEBUG +#ifdef DEBUG_MSGS const char * SMTP_PrintBuffer(SFSnortPacket *); #endif diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_xlink2state.c snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_xlink2state.c 2010-06-09 15:05:16.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.c 2011-10-26 11:28:52.000000000 -0700 
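Review bot: In SMTP_ExtractFileName the branch taken when `_dpd.SnortStrnPbrk(...)` returns NULL immediately evaluates `(end - tmp)` with `tmp` still NULL, which is undefined pointer arithmetic and on common platforms yields a large positive value, so the `else return -1;` path can never be taken; the remaining length `if ((end - *start) > 0)` appears to be what was meant. In SMTP_CopyEmailID and SMTP_CopyFileName the SafeMemcpy failure path does `if(*alt_len != 0) *alt_len = *alt_len - 1;` to undo the separator, but the comma is only written when `(*alt_len + 1) < alt_size` (and, for filenames, when not in a continuation), so on failure the last byte of a previously logged value can be dropped instead; track it with a local `int sep_added = 0;` set to 1 where the comma is stored and roll back only with `if (sep_added) *alt_len -= 1;`. The `isspace(*tmp)` calls in SMTP_ExtractFileName pass a plain `char`, which is negative for bytes above 0x7f on signed-char platforms; `isspace((unsigned char)*tmp)` avoids that. This hunk opens at the tail of SMTP_CopyToAltBuffer, whose start lies outside the hunk.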
@@ -1,6 +1,6 @@ /*************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -20,7 +20,7 @@ ****************************************************************************/ /************************************************************************ - * + * * smtp_xlink2state.c * * Author: Andy Mullican @@ -43,6 +43,11 @@ #include <ctype.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_config.h" #include "smtp_util.h" @@ -62,11 +67,8 @@ /* X-Link2State overlong length */ #define XLINK2STATE_MAX_LEN 520 - extern SMTP *smtp_ssn; extern SMTPConfig *smtp_eval_config; -extern DynamicPreprocessorData _dpd; - /* Prototypes */ static uint32_t get_xlink_hex_value(const uint8_t *, const uint8_t *); @@ -78,7 +80,7 @@ * @param buf pointer to beginning of buffer to parse * @param end end pointer of buffer to parse * - * @return unsigned long value of number extracted + * @return unsigned long value of number extracted * * @note this could be more efficient, but the search buffer should be pretty short */ @@ -121,7 +123,7 @@ /* * Check for X-LINK2STATE keywords FIRST or CHUNK - * + * * * @param x pointer to "X-LINK2STATE" in buffer * @param x_len length of buffer after x @@ -147,7 +149,7 @@ len = end - ptr; - if (len > 5 && strncasecmp((const char *)ptr, "FIRST", 5) == 0) + if (len > 5 && strncasecmp((const char *)ptr, "FIRST", 5) == 0) { return XLINK_FIRST; } @@ -161,9 +163,9 @@ /* * Handle X-Link2State vulnerability - * + * * From Lurene Grenier: - + The X-LINK2STATE command always takes the following form: X-LINK2STATE [FIRST|NEXT|LAST] CHUNK=<SOME DATA> 
@@ -186,7 +188,7 @@ next; # chunks came with proper first chunk specified if (/X-LINK2STATE [FIRST|NEXT|LAST] CHUNK/) { if (/X-LINK2STATE FIRST CHUNK/) gotFirstChunk = TRUE; - next; # some specifier is marked + next; # some specifier is marked } if (chunkLen > 520) attempt = TRUE; # Gotcha! @@ -272,7 +274,7 @@ * (outside of whether its thresholded). */ if (smtp_eval_config->drop_xlink2state) { - _dpd.inlineDrop(p); + _dpd.inlineDropAndReset(p); } SMTP_GenerateAlert(SMTP_XLINK2STATE_OVERFLOW, "%s", SMTP_XLINK2STATE_OVERFLOW_STR); diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_xlink2state.h snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.h --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/smtp_xlink2state.h 2010-01-26 10:10:06.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/smtp_xlink2state.h 2011-02-09 15:23:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/snort_smtp.c snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/snort_smtp.c 2010-10-25 12:49:08.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -45,14 +45,12 @@ #endif #include <sys/types.h> - -#include "sf_types.h" - #include <stdlib.h> #include <string.h> #include <ctype.h> #include <pcre.h> +#include "sf_types.h" #include "snort_smtp.h" #include "smtp_config.h" #include "smtp_normalize.h" @@ -62,15 +60,15 @@ #include "sf_snort_packet.h" #include "stream_api.h" -#include "debug.h" +#include "snort_debug.h" #include "profiler.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sf_dynamic_preprocessor.h" #include "ssl.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" - -#ifdef DEBUG +#include "Unified2_common.h" +#ifdef DEBUG_MSGS #include "sf_types.h" #endif @@ -87,9 +85,9 @@ extern tSfPolicyUserContextId smtp_config; extern SMTPConfig *smtp_eval_config; extern MemPool *smtp_mime_mempool; -extern DynamicPreprocessorData _dpd; +extern MemPool *smtp_mempool; -#ifdef DEBUG +#ifdef DEBUG_MSGS extern char smtp_print_buffer[]; #endif @@ -176,6 +174,7 @@ { {"Content-type:", 13, HDR_CONTENT_TYPE}, {"Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC}, + {"Content-Disposition:", 20, HDR_CONT_DISP}, {NULL, 0, 0} }; @@ -194,7 +193,7 @@ char smtp_normalizing; SMTPSearchInfo smtp_search_info; -#ifdef DEBUG +#ifdef DEBUG_MSGS uint64_t smtp_session_counter = 0; #endif 
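Review bot: The `#ifdef DEBUG_MSGS` / `#include "sf_types.h"` / `#endif` block left after the new `Unified2_common.h` include is now redundant, because the same header is included unconditionally a few lines earlier in the `@@ -45,14 +45,12 @@` hunk of this file. Dropping the conditional block removes the duplicate include from debug builds; if it is kept on purpose for a debug-only definition, a short comment naming that definition would make the intent clear.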
@@ -246,26 +245,63 @@ static void SetSmtpBuffers(SMTP *ssn) { if ((ssn != NULL) && (ssn->decode_state == NULL) - && smtp_eval_config->enable_mime_decoding) + && (!SMTP_IsDecodingEnabled(smtp_eval_config))) { MemBucket *bkt = mempool_alloc(smtp_mime_mempool); if (bkt != NULL) { - ssn->decode_state = (SMTP_DecodeState *)calloc(1, sizeof(SMTP_DecodeState)); + ssn->decode_state = (Email_DecodeState *)calloc(1, sizeof(Email_DecodeState)); if( ssn->decode_state != NULL ) { - ssn->decode_state->decode_present = 0; - ssn->decode_state->mime_bucket = bkt; - ssn->decode_state->encode_depth = smtp_eval_config->max_mime_depth; - ssn->decode_state->decode_depth = smtp_eval_config->max_mime_decode_bytes; - ssn->decode_state->encodeBuf = (unsigned char *)bkt->data; - ssn->decode_state->decodeBuf = (unsigned char *)bkt->data + smtp_eval_config->max_mime_depth; - ssn->decode_state->decoded_bytes = 0; - ssn->decode_state->prev_encoded_bytes = 0; - ssn->decode_state->prev_encoded_buf = NULL; + ssn->decode_bkt = bkt; + SetEmailDecodeState(ssn->decode_state, bkt->data, smtp_eval_config->max_depth, + smtp_eval_config->b64_depth, smtp_eval_config->qp_depth, + smtp_eval_config->uu_depth, smtp_eval_config->bitenc_depth); + } + else + { + /*free mempool if calloc fails*/ + mempool_free(smtp_mime_mempool, bkt); + } + } + else + { + SMTP_GenerateAlert(SMTP_DECODE_MEMCAP_EXCEEDED, "%s", SMTP_DECODE_MEMCAP_EXCEEDED_STR); + } + } +} + +static void SetLogBuffers(SMTP *ssn) +{ + if((ssn != NULL) && (ssn->log_state == NULL) + && (smtp_eval_config->log_email_hdrs || smtp_eval_config->log_filename + || smtp_eval_config->log_mailfrom || smtp_eval_config->log_rcptto)) + { + MemBucket *bkt = mempool_alloc(smtp_mempool); + + if(bkt != NULL) + { + ssn->log_state = (SMTP_LogState *)calloc(1, sizeof(SMTP_LogState)); + if(ssn->log_state != NULL) + { + ssn->log_state->log_hdrs_bkt = bkt; + ssn->log_state->log_depth = smtp_eval_config->email_hdrs_log_depth; + ssn->log_state->recipients = (uint8_t *)bkt->data; 
+ ssn->log_state->rcpts_logged = 0; + ssn->log_state->senders = (uint8_t *)bkt->data + MAX_EMAIL; + ssn->log_state->snds_logged = 0; + ssn->log_state->filenames = (uint8_t *)bkt->data + (2*MAX_EMAIL); + ssn->log_state->file_logged = 0; + ssn->log_state->emailHdrs = (unsigned char *)bkt->data + (2*MAX_EMAIL) + MAX_FILE; + ssn->log_state->hdrs_logged = 0; } - } + else + { + /*free bkt if calloc fails*/ + mempool_free(smtp_mempool, bkt); + } + } } } @@ -282,7 +318,7 @@ if (config->cmds == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for smtp " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -295,7 +331,7 @@ if (config->cmds[tmp->search_id].name == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for smtp " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } } @@ -305,7 +341,7 @@ if (config->cmd_search == NULL) { DynamicPreprocessorFatalMessage("%s(%d) => failed to allocate memory for smtp " - "command structure\n", + "command structure\n", *(_dpd.config_file), *(_dpd.config_line)); } @@ -409,7 +445,7 @@ } } -/* +/* * Initialize run-time boundary search */ static int SMTP_BoundarySearchInit(void) @@ -451,7 +487,7 @@ smtp_ssn->state = STATE_COMMAND; smtp_ssn->data_state = STATE_DATA_INIT; smtp_ssn->state_flags = 0; - ResetDecodeState(smtp_ssn->decode_state); + ClearEmailDecodeState(smtp_ssn->decode_state); memset(&smtp_ssn->mime_boundary, 0, sizeof(SMTPMimeBoundary)); } @@ -483,7 +519,7 @@ if ((p->stream_session_ptr == NULL) || (pPolicyConfig->inspection_type == SMTP_STATELESS)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (p->stream_session_ptr == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Stream session pointer is NULL - " 
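Review bot: In SetSmtpBuffers the decode state is allocated only when `!SMTP_IsDecodingEnabled(smtp_eval_config)` holds, which reads as the opposite of what the function name says; its body is not in this diff, so if it returns 0 to mean "at least one decoding depth is enabled", that convention belongs on the prototype in smtp_config.h (`/* returns 0 when decoding is enabled for this policy, non-zero otherwise */`) or the call should be rewritten as an explicit comparison against the value that means enabled. In SetLogBuffers the recipient, sender, filename and header regions are carved out of one `bkt->data` at offsets `MAX_EMAIL`, `2*MAX_EMAIL` and `2*MAX_EMAIL + MAX_FILE`, with the header region bounded by `email_hdrs_log_depth`, so the bucket size configured for `smtp_mempool` elsewhere must be at least `2*MAX_EMAIL + MAX_FILE + email_hdrs_log_depth`; a comment at the layout stating that requirement would tie the two sites together.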
@@ -507,10 +543,11 @@ DynamicPreprocessorFatalMessage("Failed to allocate SMTP session data\n"); } - SetSmtpBuffers(ssn); - + smtp_ssn = ssn; + SetSmtpBuffers(smtp_ssn); + SetLogBuffers(smtp_ssn); _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_SMTP, - ssn, &SMTP_SessionFree); + ssn, &SMTP_SessionFree); if (p->flags & SSNFLAG_MIDSTREAM) { @@ -519,7 +556,7 @@ ssn->state = STATE_UNKNOWN; } -#ifdef DEBUG +#ifdef DEBUG_MSGS smtp_session_counter++; ssn->session_number = smtp_session_counter; #endif @@ -560,7 +597,7 @@ /* Figure out direction of packet */ pkt_dir = SMTP_GetPacketDirection(p, flags); - DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Session number: "STDu64"\n", ssn->session_number);); + DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Session number: "STDu64"\n", ssn->session_number);); /* reset check ssl flag for new packet */ if (!(ssn->session_flags & SMTP_FLAG_CHECK_SSL)) @@ -615,7 +652,7 @@ * @return none */ static int SMTP_GetPacketDirection(SFSnortPacket *p, int flags) -{ +{ int pkt_direction = SMTP_PKT_FROM_UNKNOWN; if (flags & SSNFLAG_MIDSTREAM) @@ -707,10 +744,16 @@ if(smtp->decode_state != NULL) { - mempool_free(smtp_mime_mempool, smtp->decode_state->mime_bucket); + mempool_free(smtp_mime_mempool, smtp->decode_bkt); free(smtp->decode_state); } + if(smtp->log_state != NULL) + { + mempool_free(smtp_mempool, smtp->log_state->log_hdrs_bkt); + free(smtp->log_state); + } + free(smtp); } @@ -726,7 +769,7 @@ static int SMTP_FreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -825,6 +868,7 @@ smtp_search_info.index = index; smtp_search_info.length = smtp_current_search[search_id].name_len; + /* Returning non-zero stops search, which is okay since we only look for one at a time */ return 1; } 
@@ -865,7 +909,7 @@ mime_boundary = &smtp_ssn->mime_boundary.boundary[0]; mime_boundary_len = &smtp_ssn->mime_boundary.boundary_len; - + /* result will be the number of matches (including submatches) */ result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, data, data_len, 0, 0, ovector, ovecsize); @@ -927,7 +971,7 @@ /* calculate length of command line */ cmd_line_len = eol - ptr; - /* check for command line exceeding maximum + /* check for command line exceeding maximum * do this before checking for a command since this could overflow * some server's buffers without the presence of a known command */ if ((smtp_eval_config->max_command_line_len != 0) && @@ -958,11 +1002,11 @@ while ((tmp < cmd_start) && isspace((int)*tmp)) tmp++; - /* if not all spaces before command, we found a + /* if not all spaces before command, we found a * substring */ if (tmp != cmd_start) cmd_found = 0; - + /* if we're before the end of line marker and the next * character is not whitespace, we found a substring */ if ((cmd_end < eolm) && !isspace((int)*cmd_end)) @@ -995,7 +1039,7 @@ if (smtp_eval_config->ignore_tls_data) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring encrypted data\n");); - SetAltBuffer(p, 0); + _dpd.SetAltDecode(0); } return end; @@ -1075,6 +1119,11 @@ * caused the error */ case CMD_MAIL: smtp_ssn->state_flags |= SMTP_FLAG_GOT_MAIL_CMD; + if( smtp_eval_config->log_mailfrom ) + { + if(!SMTP_CopyEmailID(ptr, eolm - ptr, CMD_MAIL)) + smtp_ssn->log_flags |= SMTP_FLAG_MAIL_FROM_PRESENT; + } break; @@ -1085,6 +1134,12 @@ smtp_ssn->state_flags |= SMTP_FLAG_GOT_RCPT_CMD; } + if( smtp_eval_config->log_rcptto) + { + if(!SMTP_CopyEmailID(ptr, eolm - ptr, CMD_RCPT)) + smtp_ssn->log_flags |= SMTP_FLAG_RCPT_TO_PRESENT; + } + break; case CMD_RSET: @@ -1113,7 +1168,7 @@ /* bad BDAT command - needs chunk argument */ if (begin_chunk == eolm) break; - + end_chunk = begin_chunk; while ((end_chunk < eolm) && isdigit((int)*end_chunk)) end_chunk++; 
@@ -1171,7 +1226,7 @@ { break; } - + smtp_ssn->bdat_last = 1; } } @@ -1213,13 +1268,13 @@ smtp_ssn->state = STATE_TLS_CLIENT_PEND; break; - - case CMD_X_LINK2STATE: + + case CMD_X_LINK2STATE: if (smtp_eval_config->alert_xlink2state) ParseXLink2State(p, ptr + smtp_search_info.index); break; - + default: break; } @@ -1236,7 +1291,7 @@ ret = SMTP_NormalizeCmd(p, ptr, eolm, eol); if (ret == -1) return NULL; - } + } else if (smtp_normalizing) /* Already normalizing */ { ret = SMTP_CopyToAltBuffer(p, ptr, eol - ptr); @@ -1254,6 +1309,7 @@ const uint8_t *data_end = NULL; int data_end_found; int ret; + uint16_t alt_decode_len = 0; /* if we've just entered the data state, check for a dot + end of line * if found, no data */ @@ -1267,7 +1323,7 @@ SMTP_GetEOL(ptr, end, &eol, &eolm); - /* this means we got a real end of line and not just end of payload + /* this means we got a real end of line and not just end of payload * and that the dot is only char on line */ if ((eolm != end) && (eolm == (ptr + 1))) { @@ -1296,7 +1352,7 @@ * Postfix and Qmail will consider the start of data: * . text\r\n * . text\r\n - * to be part of the header and the effect will be that of a + * to be part of the header and the effect will be that of a * folded line with the '.' deleted. Exchange will put the same * in the body which seems more reasonable. */ } @@ -1319,10 +1375,12 @@ data_end_marker = data_end = end; } + _dpd.setFileDataPtr((uint8_t*)ptr, (uint16_t)(data_end - ptr)); + if ((smtp_ssn->data_state == STATE_DATA_HEADER) || (smtp_ssn->data_state == STATE_DATA_UNKNOWN)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (smtp_ssn->data_state == STATE_DATA_HEADER) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "DATA HEADER STATE ~~~~~~~~~~~~~~~~~~~~~~\n");); @@ -1334,9 +1392,9 @@ #endif ptr = SMTP_HandleHeader(p, ptr, data_end_marker); - _dpd.setFileDataPtr(ptr, 0); if (ptr == NULL) return NULL; + } /* if we're ignoring data and not already normalizing, copy everything 
@@ -1361,17 +1419,29 @@ while ((ptr != NULL) && (ptr < data_end_marker)) { - /* multiple base64 attachments in one single packet. - * Pipeline the base64 decoded data.*/ - if ( smtp_ssn->state_flags & SMTP_FLAG_MULTIPLE_BASE64) - { - _dpd.setFileDataPtr(smtp_ssn->decode_state->decodeBuf, smtp_ssn->decode_state->decoded_bytes); + /* multiple MIME attachments in one single packet. + * Pipeline the MIME decoded data.*/ + if ( smtp_ssn->state_flags & SMTP_FLAG_MULTIPLE_EMAIL_ATTACH) + { + alt_decode_len = 0; + _dpd.setFileDataPtr(smtp_ssn->decode_state->decodePtr, (uint16_t)smtp_ssn->decode_state->decoded_bytes); + SMTP_LogFuncs(smtp_eval_config, p); + if (_dpd.Is_DetectFlag(SF_FLAG_ALT_DECODE)) + { + alt_decode_len = _dpd.altBuffer->len; + } _dpd.detect(p); - smtp_ssn->state_flags &= ~SMTP_FLAG_MULTIPLE_BASE64; - smtp_ssn->decode_state->decode_present = 0; - smtp_ssn->decode_state->decoded_bytes = 0; - ClearPrevEncode(smtp_ssn->decode_state); + smtp_ssn->state_flags &= ~SMTP_FLAG_MULTIPLE_EMAIL_ATTACH; + ResetEmailDecodeState(smtp_ssn->decode_state); p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; + /* Reset the log count when a packet goes through detection multiple times */ + p->xtradata_mask = 0; + p->per_packet_xtradata = 0; + _dpd.DetectReset((uint8_t *)p->payload, p->payload_size); + + /* There might be previously normalized data for this session which should not be cleared */ + if(alt_decode_len) + _dpd.SetAltDecode(alt_decode_len); } switch (smtp_ssn->data_state) { 
@@ -1386,13 +1456,12 @@ } } - /* We have either reached the end of MIME header or end of base64 encoded data*/ - - if(smtp_ssn->decode_state) - { - _dpd.setFileDataPtr(smtp_ssn->decode_state->decodeBuf, smtp_ssn->decode_state->decoded_bytes); - smtp_ssn->decode_state->decode_present = 0; - smtp_ssn->decode_state->decoded_bytes = 0; + /* We have either reached the end of MIME header or end of MIME encoded data*/ + + if(smtp_ssn->decode_state != NULL) + { + _dpd.setFileDataPtr(smtp_ssn->decode_state->decodePtr, (uint16_t)smtp_ssn->decode_state->decoded_bytes); + ResetDecodedBytes(smtp_ssn->decode_state); } /* if we got the data end reset state, otherwise we're probably still in the data @@ -1423,6 +1492,7 @@ const uint8_t *colon; const uint8_t *content_type_ptr = NULL; const uint8_t *cont_trans_enc = NULL; + const uint8_t *cont_disp = NULL; int header_line_len; int header_found; int ret; @@ -1435,10 +1505,13 @@ * folding, the boundary still needs to be checked for */ if (smtp_ssn->state_flags & SMTP_FLAG_IN_CONTENT_TYPE) content_type_ptr = ptr; - + if (smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_TRANS_ENC) cont_trans_enc = ptr; + if (smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP) + cont_disp = ptr; + while (ptr < data_end_marker) { SMTP_GetEOL(ptr, data_end_marker, &eol, &eolm); @@ -1449,7 +1522,7 @@ /* reset global header state values */ smtp_ssn->state_flags &= ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT - | SMTP_FLAG_IN_CONT_TRANS_ENC ); + | SMTP_FLAG_IN_CONT_TRANS_ENC |SMTP_FLAG_IN_CONT_DISP ); smtp_ssn->data_state = STATE_DATA_BODY; @@ -1460,7 +1533,7 @@ return eol; } - /* if we're not folding, see if we should interpret line as a data line + /* if we're not folding, see if we should interpret line as a data line * instead of a header line */ if (!(smtp_ssn->state_flags & (SMTP_FLAG_FOLDING | SMTP_FLAG_DATA_HEADER_CONT))) { 
@@ -1475,7 +1548,7 @@ } /* look for header field colon - if we're not folding then we need - * to find a header which will be all printables (except colon) + * to find a header which will be all printables (except colon) * followed by a colon */ colon = ptr; while ((colon < eolm) && (*colon != ':')) 
@@ -1503,50 +1576,69 @@ /* no colon or got spaces in header name (won't be interpreted as a header) * assume we're in the body */ smtp_ssn->state_flags &= - ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT - |SMTP_FLAG_IN_CONT_TRANS_ENC); + ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT + |SMTP_FLAG_IN_CONT_TRANS_ENC | SMTP_FLAG_IN_CONT_DISP); smtp_ssn->data_state = STATE_DATA_BODY; return ptr; } - smtp_current_search = &smtp_hdr_search[0]; - header_found = _dpd.searchAPI->search_instance_find - (smtp_hdr_search_mpse, (const char *)ptr, - eolm - ptr, 1, SMTP_SearchStrFound); - - /* Headers must start at beginning of line */ - if ((header_found > 0) && (smtp_search_info.index == 0)) + if(tolower((int)*ptr) == 'c') { - switch (smtp_search_info.id) + + smtp_current_search = &smtp_hdr_search[0]; + header_found = _dpd.searchAPI->search_instance_find + (smtp_hdr_search_mpse, (const char *)ptr, + eolm - ptr, 1, SMTP_SearchStrFound); + /* Headers must start at beginning of line */ + if ((header_found > 0) && (smtp_search_info.index == 0)) { - case HDR_CONTENT_TYPE: - /* for now we're just looking for the boundary in the data - * header section */ - if (smtp_ssn->data_state != STATE_MIME_HEADER) - { - content_type_ptr = ptr + smtp_search_info.length; - smtp_ssn->state_flags |= SMTP_FLAG_IN_CONTENT_TYPE; - } + switch (smtp_search_info.id) + { + case HDR_CONTENT_TYPE: + /* for now we're just looking for the boundary in the data + * header section */ + if (smtp_ssn->data_state != STATE_MIME_HEADER) + { + content_type_ptr = ptr + smtp_search_info.length; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONTENT_TYPE; + } - break; - case HDR_CONT_TRANS_ENC: - cont_trans_enc = ptr + smtp_search_info.length; - smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_TRANS_ENC; - break; + break; + case HDR_CONT_TRANS_ENC: + cont_trans_enc = ptr + smtp_search_info.length; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_TRANS_ENC; + break; + case 
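Review bot: The new `if(tolower((int)*ptr) == 'c')` gate in front of `search_instance_find` assumes every pattern in `smtp_hdr_search` begins with 'c'; nothing in the hunk records that coupling, so a header added to the table later would silently never be matched. A comment on the gate, e.g. `/* all smtp_hdr_search patterns begin with "Content-"; skip the MPSE otherwise */`, documents the assumption where it is made. The enclosing function starts before this hunk and its body continues at L7904.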
HDR_CONT_DISP: + cont_disp = ptr + smtp_search_info.length; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_DISP; + break; - default: - break; + break; + } } } + else if(tolower((int)*ptr) == 'e') + { + if( (eolm - ptr) >= 9 ) + { + if(strncasecmp((const char *)ptr, "Encoding:", 9) == 0) + { + cont_trans_enc = ptr + 9; + smtp_ssn->state_flags |= SMTP_FLAG_IN_CONT_TRANS_ENC; + } + } + + } + } else { smtp_ssn->state_flags &= ~SMTP_FLAG_DATA_HEADER_CONT; } - + /* get length of header line */ header_line_len = eol - ptr; @@ -1564,7 +1656,7 @@ smtp_ssn->data_state = STATE_DATA_BODY; smtp_ssn->state_flags &= ~(SMTP_FLAG_FOLDING | SMTP_FLAG_IN_CONTENT_TYPE | SMTP_FLAG_DATA_HEADER_CONT - | SMTP_FLAG_IN_CONT_TRANS_ENC); + | SMTP_FLAG_IN_CONT_TRANS_ENC | SMTP_FLAG_IN_CONT_DISP); return ptr; } } @@ -1578,7 +1670,15 @@ return NULL; } - /* check for folding + if(smtp_eval_config->log_email_hdrs) + { + if(smtp_ssn->data_state == STATE_DATA_HEADER) + { + ret = SMTP_CopyEmailHdrs(ptr, eol - ptr); + } + } + + /* check for folding * if char on next line is a space and not \n or \r\n, we are folding */ if ((eol < data_end_marker) && isspace((int)eol[0]) && (eol[0] != '\n')) { 
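Review bot: The `else if(tolower((int)*ptr) == 'e')` branch treats a line beginning with a bare `Encoding:` as if it were Content-Transfer-Encoding, which is not a standard header name; a one-line comment with the rationale (which producers emit it, or which bug report prompted it) would stop the next reader from removing it as a mistake. Further down, `ret = SMTP_CopyEmailHdrs(ptr, eol - ptr);` stores a result that nothing in the hunk examines; if a failure (for instance the log depth being reached) is meaningful, handle it, otherwise drop the assignment so the call reads as intentionally fire-and-forget. The enclosing function continues past this hunk.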
@@ -1624,22 +1724,29 @@ else if ((smtp_ssn->state_flags & (SMTP_FLAG_IN_CONT_TRANS_ENC | SMTP_FLAG_FOLDING)) == SMTP_FLAG_IN_CONT_TRANS_ENC) { - /* Check for Content-Transfer-Encoding : base64 */ - if( smtp_eval_config->enable_mime_decoding ) + /* Check for Content-Transfer-Encoding : */ + if( (!SMTP_IsDecodingEnabled(smtp_eval_config)) && (smtp_ssn->decode_state != NULL)) { - ret = SMTP_IsBase64Data((const char *)cont_trans_enc, eolm - cont_trans_enc ); - if (ret != -1) - { - /* Check to see if there is already an base64 decoded data*/ - smtp_ssn->state_flags |= SMTP_FLAG_BASE64_DATA; - if( smtp_ssn->decode_state && smtp_ssn->decode_state->decode_present ) - smtp_ssn->state_flags |= SMTP_FLAG_MULTIPLE_BASE64; - } + SMTP_DecodeType((const char *)cont_trans_enc, eolm - cont_trans_enc ); + smtp_ssn->state_flags |= SMTP_FLAG_EMAIL_ATTACH; + /* check to see if there are other attachments in this packet */ + if( smtp_ssn->decode_state->decoded_bytes ) + smtp_ssn->state_flags |= SMTP_FLAG_MULTIPLE_EMAIL_ATTACH; } smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_TRANS_ENC; cont_trans_enc = NULL; } + else if ((smtp_ssn->state_flags & + (SMTP_FLAG_IN_CONT_DISP | SMTP_FLAG_FOLDING)) == SMTP_FLAG_IN_CONT_DISP) + { + if( smtp_eval_config->log_filename ) + SMTP_CopyFileName(cont_disp, eolm - cont_disp); + if (!(smtp_ssn->state_flags & SMTP_FLAG_IN_CONT_DISP_CONT)) + smtp_ssn->state_flags &= ~SMTP_FLAG_IN_CONT_DISP; + + cont_disp = NULL; + } /* if state was unknown, at this point assume we know */ if (smtp_ssn->data_state == STATE_DATA_UNKNOWN) 
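Review bot: `if( (!SMTP_IsDecodingEnabled(smtp_eval_config)) && (smtp_ssn->decode_state != NULL))` reads as "decode when decoding is disabled"; the same negated use appears in SMTPEnableDecoding at L7916 (`if(!SMTP_IsDecodingEnabled(context)) return 1;`), so the helper evidently returns 0 when decoding is enabled, contrary to its name. Either invert and rename the helper so `if (SMTP_IsDecodingEnabled(cfg))` means what it says, or add a comment at both call sites, e.g. `/* SMTP_IsDecodingEnabled() returns 0 when any decode depth is configured */`. The new Content-Disposition branch also tests `SMTP_FLAG_IN_CONT_DISP_CONT`, which this diff defines (L7912) but, as far as I can see, never sets; if it is set elsewhere a comment naming where would help, otherwise the test is dead. The enclosing function starts before and continues past this hunk.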
@@ -1669,11 +1776,11 @@ { int boundary_found = 0; const uint8_t *boundary_ptr = NULL; - const uint8_t *base64_start = NULL; - const uint8_t *base64_end = NULL; + const uint8_t *attach_start = NULL; + const uint8_t *attach_end = NULL; - if ( smtp_ssn->state_flags & SMTP_FLAG_BASE64_DATA ) - base64_start = ptr; + if ( smtp_ssn->state_flags & SMTP_FLAG_EMAIL_ATTACH ) + attach_start = ptr; /* look for boundary */ if (smtp_ssn->state_flags & SMTP_FLAG_GOT_BOUNDARY) { @@ -1692,11 +1799,17 @@ const uint8_t *eolm; const uint8_t *tmp; - if (smtp_ssn->state_flags & SMTP_FLAG_BASE64_DATA ) + if (smtp_ssn->state_flags & SMTP_FLAG_EMAIL_ATTACH ) { - base64_end = boundary_ptr-1; - smtp_ssn->state_flags &= ~SMTP_FLAG_BASE64_DATA; - SMTP_Base64Decode( base64_start, base64_end); + attach_end = boundary_ptr-1; + smtp_ssn->state_flags &= ~SMTP_FLAG_EMAIL_ATTACH; + if( attach_start < attach_end ) + { + if(EmailDecode( attach_start, attach_end, smtp_ssn->decode_state) != DECODE_SUCCESS ) + { + SMTP_DecodeAlert(); + } + } } @@ -1730,12 +1843,18 @@ } } - if ( smtp_ssn->state_flags & SMTP_FLAG_BASE64_DATA ) + if ( smtp_ssn->state_flags & SMTP_FLAG_EMAIL_ATTACH ) { - base64_end = data_end_marker; - SMTP_Base64Decode( base64_start, base64_end); + attach_end = data_end_marker; + if( attach_start < attach_end ) + { + if(EmailDecode( attach_start, attach_end, smtp_ssn->decode_state) != DECODE_SUCCESS ) + { + SMTP_DecodeAlert(); + } + } } - + return data_end_marker; } @@ -1779,7 +1898,7 @@ } } -#ifdef DEBUG +#ifdef DEBUG_MSGS if (smtp_normalizing) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Normalized payload\n%s\n", SMTP_PrintBuffer(p));); 
@@ -1788,8 +1907,8 @@ } -/* very simplistic - just enough to say this is binary data - the rules will make a final - * judgement. Should maybe add an option to the smtp configuration to enable the +/* very simplistic - just enough to say this is binary data - the rules will make a final + * judgement. Should maybe add an option to the smtp configuration to enable the * continuing of command inspection like ftptelnet. */ static int SMTP_IsTlsClientHello(const uint8_t *ptr, const uint8_t *end) { @@ -1850,9 +1969,9 @@ const uint8_t *end; const uint8_t *eolm; const uint8_t *eol; - int do_flush = 0; + int do_flush = 0; int resp_line_len; -#ifdef DEBUG +#ifdef DEBUG_MSGS const uint8_t *dash; #endif @@ -1871,19 +1990,19 @@ smtp_ssn->state = STATE_COMMAND; } } - + if (smtp_ssn->state == STATE_TLS_DATA) { /* Ignore data */ if (smtp_eval_config->ignore_tls_data) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n");); - SetAltBuffer(p, 0); + _dpd.SetAltDecode(0); } return 0; } - + while (ptr < end) { SMTP_GetEOL(ptr, end, &eol, &eolm); @@ -1895,7 +2014,7 @@ resp_found = _dpd.searchAPI->search_instance_find (smtp_resp_search_mpse, (const char *)ptr, resp_line_len, 1, SMTP_SearchStrFound); - + if (resp_found > 0) { switch (smtp_search_info.id) @@ -1920,13 +2039,13 @@ break; } -#ifdef DEBUG +#ifdef DEBUG_MSGS dash = ptr + smtp_search_info.index + smtp_search_info.length; /* only add response if not a dash after response code */ if ((dash == eolm) || ((dash < eolm) && (*dash != '-'))) { - DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Server sent %s response\n", + DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Server sent %s response\n", smtp_resps[smtp_search_info.id].name);); } #endif @@ -1946,7 +2065,7 @@ if (smtp_eval_config->ignore_tls_data) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Ignoring Server TLS encrypted data\n");); - SetAltBuffer(p, 0); + _dpd.SetAltDecode(0); } return 0; 
@@ -1963,7 +2082,7 @@ SMTP_GenerateAlert(SMTP_RESPONSE_OVERFLOW, "%s: %d chars", SMTP_RESPONSE_OVERFLOW_STR, resp_line_len); } - + ptr = eol; } @@ -2002,7 +2121,7 @@ { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: No stream session.\n");); - if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || (SMTP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: Configured for this " @@ -2030,7 +2149,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: Unknown protocol for " "this session. See if we're configured.\n");); - if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || (SMTP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP: Target-based: SMTP port is configured.");); @@ -2043,7 +2162,7 @@ #else /* Make sure it's traffic we're interested in */ - if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || + if ((SMTP_IsServer(p->src_port) && (p->flags & FLAG_FROM_SERVER)) || (SMTP_IsServer(p->dst_port) && (p->flags & FLAG_FROM_CLIENT))) return 1; @@ -2067,11 +2186,12 @@ PROFILE_VARS; - smtp_eval_config = (SMTPConfig *)sfPolicyUserDataGetCurrent(smtp_config); smtp_ssn = (SMTP *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_SMTP); if (smtp_ssn != NULL) smtp_eval_config = (SMTPConfig *)sfPolicyUserDataGet(smtp_ssn->config, smtp_ssn->policy_id); + else + smtp_eval_config = (SMTPConfig *)sfPolicyUserDataGetCurrent(smtp_config); if (smtp_eval_config == NULL) return; @@ -2090,7 +2210,7 @@ /* reset normalization stuff */ smtp_normalizing = 0; - ResetAltBuffer(p); + _dpd.DetectFlag_Disable(SF_FLAG_ALT_DECODE); p->normalized_payload_size = 0; if (pkt_dir == SMTP_PKT_FROM_SERVER) 
@@ -2110,7 +2230,7 @@ } else { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (pkt_dir == SMTP_PKT_FROM_CLIENT) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP client packet\n");); @@ -2144,7 +2264,7 @@ /* if we're ignoring tls data, set a zero length alt buffer */ if (smtp_eval_config->ignore_tls_data) { - SetAltBuffer(p, 0); + _dpd.SetAltDecode(0); } } else @@ -2157,11 +2277,11 @@ } else if (smtp_ssn->reassembling && !(p->flags & FLAG_REBUILT_STREAM)) { - /* If this isn't a reassembled packet and didn't get + /* If this isn't a reassembled packet and didn't get * inserted into reassembly buffer, there could be a * problem. If we miss syn or syn-ack that had window * scaling this packet might not have gotten inserted - * into reassembly buffer because it fell outside of + * into reassembly buffer because it fell outside of * window, because we aren't scaling it */ smtp_ssn->session_flags |= SMTP_FLAG_GOT_NON_REBUILT; smtp_ssn->state = STATE_UNKNOWN; @@ -2179,7 +2299,7 @@ smtp_ssn->session_flags &= ~SMTP_FLAG_GOT_NON_REBUILT; } -#ifdef DEBUG +#ifdef DEBUG_MSGS /* Interesting to see how often packets are rebuilt */ DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Payload: %s\n%s\n", (p->flags & FLAG_REBUILT_STREAM) ? @@ -2193,6 +2313,7 @@ PREPROC_PROFILE_START(smtpDetectPerfStats); + SMTP_LogFuncs(smtp_eval_config, p); detected = _dpd.detect(p); #ifdef PERF_PROFILING @@ -2203,7 +2324,7 @@ /* Turn off detection since we've already done it. */ SMTP_DisableDetect(p); - + if (detected) { DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "SMTP vulnerability detected\n");); 
@@ -2221,3 +2342,70 @@
 }
+static inline SMTP *SMTP_GetSession(void *data)
+{
+ if(data)
+ return (SMTP *)_dpd.streamAPI->get_application_data(data, PP_SMTP);
+
+ return NULL;
+}
+
+/* Callback to return the MIME attachment filenames accumulated */
+int SMTP_GetFilename(void *data, uint8_t **buf, uint32_t *len, uint32_t *type)
+{
+ SMTP *ssn = SMTP_GetSession(data);
+
+ if(ssn == NULL)
+ return 0;
+
+ *buf = ssn->log_state->filenames;
+ *len = ssn->log_state->file_logged;
+ *type = EVENT_INFO_SMTP_FILENAME;
+ return 1;
+}
+
+/* Callback to return the email addresses accumulated from the MAIL FROM command */
+int SMTP_GetMailFrom(void *data, uint8_t **buf, uint32_t *len, uint32_t *type)
+{
+ SMTP *ssn = SMTP_GetSession(data);
+
+ if(ssn == NULL)
+ return 0;
+
+ *buf = ssn->log_state->senders;
+ *len = ssn->log_state->snds_logged;
+ *type = EVENT_INFO_SMTP_MAILFROM;
+ return 1;
+}
+
+/* Callback to return the email addresses accumulated from the RCP TO command */
+int SMTP_GetRcptTo(void *data, uint8_t **buf, uint32_t *len, uint32_t *type)
+{
+ SMTP *ssn = SMTP_GetSession(data);
+
+ if(ssn == NULL)
+ return 0;
+
+ *buf = ssn->log_state->recipients;
+ *len = ssn->log_state->rcpts_logged;
+ *type = EVENT_INFO_SMTP_RCPTTO;
+ return 1;
+}
+
+/* Calback to return the email headers */
+int SMTP_GetEmailHdrs(void *data, uint8_t **buf, uint32_t *len, uint32_t *type)
+{
+ SMTP *ssn = SMTP_GetSession(data);
+
+ if(ssn == NULL)
+ return 0;
+
+ *buf = ssn->log_state->emailHdrs;
+ *len = ssn->log_state->hdrs_logged;
+ *type = EVENT_INFO_SMTP_EMAIL_HDRS;
+ return 1;
+}
+
+
+
+
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/snort_smtp.h snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.h
--- snort-2.9.0.1/src/dynamic-preprocessors/smtp/snort_smtp.h 2010-06-09 15:05:16.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/smtp/snort_smtp.h 2011-10-26 11:28:52.000000000 -0700
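Review bot: All four callbacks dereference `ssn->log_state` without checking it. `log_state` is a pointer (L7912) and the smtp_mempool backing it is only created when SMTPLogExtraData returns nonzero (L7918), while SMTP_RegXtraDataFuncs registers the callbacks unconditionally (L7917); if a session can exist with `log_state == NULL` (logging off in the policy, or the mempool exhausted), a query through this xtra-data id dereferences NULL. Guard it once in the helper or in each callback: `if(ssn == NULL || ssn->log_state == NULL) return 0;`. Returning 1 with `*len == 0` when nothing was logged may also deserve `if (*len == 0) return 0;` — that depends on how the stream layer treats an empty buffer, which is not visible here.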
@@ -1,6 +1,6 @@ /**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -46,6 +46,7 @@ #include "sfPolicy.h" #include "sfPolicyUserData.h" #include "mempool.h" +#include "sf_email_attach_decode.h" #ifdef DEBUG #include "sf_types.h" @@ -97,8 +98,16 @@ #define SMTP_FLAG_GOT_BOUNDARY 0x00000010 #define SMTP_FLAG_DATA_HEADER_CONT 0x00000020 #define SMTP_FLAG_IN_CONT_TRANS_ENC 0x00000040 -#define SMTP_FLAG_BASE64_DATA 0x00000080 -#define SMTP_FLAG_MULTIPLE_BASE64 0x00000100 +#define SMTP_FLAG_EMAIL_ATTACH 0x00000080 +#define SMTP_FLAG_MULTIPLE_EMAIL_ATTACH 0x00000100 +#define SMTP_FLAG_IN_CONT_DISP 0x00000200 +#define SMTP_FLAG_IN_CONT_DISP_CONT 0x00000400 + +/* log flags */ +#define SMTP_FLAG_MAIL_FROM_PRESENT 0x00000001 +#define SMTP_FLAG_RCPT_TO_PRESENT 0x00000002 +#define SMTP_FLAG_FILENAME_PRESENT 0x00000004 +#define SMTP_FLAG_EMAIL_HDRS_PRESENT 0x00000008 /* session flags */ #define SMTP_FLAG_XLINK2STATE_GOTFIRSTCHUNK 0x00000001 @@ -202,6 +211,7 @@ { HDR_CONTENT_TYPE = 0, HDR_CONT_TRANS_ENC, + HDR_CONT_DISP, HDR_LAST } SMTPHdrEnum; 
@@ -239,32 +249,30 @@ } SMTPPcre; -typedef struct s_SMTP_DecodeState +typedef struct s_SMTP_LogState { - uint8_t decode_present; - int prev_encoded_bytes; - unsigned char *prev_encoded_buf; - int encode_bytes_read; - int decode_bytes_read; - int encode_depth; - int decode_depth; - uint32_t decoded_bytes; - MemBucket *mime_bucket; - unsigned char *encodeBuf; - unsigned char *decodeBuf; - -} SMTP_DecodeState; - + MemBucket *log_hdrs_bkt; + unsigned char *emailHdrs; + uint32_t log_depth; + uint32_t hdrs_logged; + uint8_t *recipients; + uint16_t rcpts_logged; + uint8_t *senders; + uint16_t snds_logged; + uint8_t *filenames; + uint16_t file_logged; +} SMTP_LogState; typedef struct _SMTP { int state; int data_state; int state_flags; + int log_flags; int session_flags; int alert_mask; int reassembling; -#ifdef DEBUG +#ifdef DEBUG_MSGS uint64_t session_number; #endif @@ -273,8 +281,10 @@ int cur_server_line_len; */ + MemBucket *decode_bkt; SMTPMimeBoundary mime_boundary; - SMTP_DecodeState *decode_state; + Email_DecodeState *decode_state; + SMTP_LogState *log_state; /* In future if we look at forwarded mail (message/rfc822) we may * need to keep track of additional mime boundaries 
@@ -300,29 +310,12 @@ int SMTP_IsServer(uint16_t); void SMTP_FreeConfig(SMTPConfig *); void SMTP_FreeConfigs(tSfPolicyUserContextId); +int SMTP_GetFilename(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int SMTP_GetMailFrom(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int SMTP_GetRcptTo(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int SMTP_GetEmailHdrs(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); /**************************************************************************/ -static INLINE void ResetDecodeState(SMTP_DecodeState *ds) -{ - if (ds == NULL) - return; - -/* memset(ds->mime_bucket->data, 0, ds->encode_depth + ds->decode_depth);*/ - ds->prev_encoded_bytes = 0; - ds->prev_encoded_buf = NULL; - ds->encode_bytes_read = 0; - ds->decode_bytes_read = 0; - ds->decoded_bytes = 0; - ds->decode_present = 0; -} - -static INLINE void ClearPrevEncode(SMTP_DecodeState *ds) -{ - ds->prev_encoded_bytes = 0; - ds->prev_encoded_buf = NULL; -} - - #endif /* __SMTP_H__ */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/spp_smtp.c snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.c --- snort-2.9.0.1/src/dynamic-preprocessors/smtp/spp_smtp.c 2010-06-09 15:05:16.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /************************************************************************** * * spp_smtp.c 
@@ -43,7 +43,13 @@ #include <ctype.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "spp_smtp.h" +#include "sf_preproc_info.h" #include "snort_smtp.h" #include "smtp_config.h" #include "smtp_log.h" @@ -51,7 +57,7 @@ #include "preprocids.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" @@ -64,13 +70,25 @@ #include "sf_types.h" #include "mempool.h" +#include "snort_bounds.h" + +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 9; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SMTP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SMTP"; +#endif + +#define SetupSMTP DYNAMIC_PREPROC_SETUP MemPool *smtp_mime_mempool = NULL; +MemPool *smtp_mempool = NULL; tSfPolicyUserContextId smtp_config = NULL; SMTPConfig *smtp_eval_config = NULL; -extern DynamicPreprocessorData _dpd; extern SMTP smtp_no_session; extern int16_t smtp_proto_id; @@ -80,6 +98,7 @@ static void SMTPResetFunction(int, void *); static void SMTPResetStatsFunction(int, void *); static void _addPortsToStream5Filter(SMTPConfig *, tSfPolicyId); +static void SMTP_RegXtraDataFuncs(SMTPConfig *config); #ifdef TARGET_BASED static void _addServicesToStream5Filter(tSfPolicyId); #endif @@ -97,7 +116,7 @@ /* * Function: SetupSMTP() * - * Purpose: Registers the preprocessor keyword and initialization + * Purpose: Registers the preprocessor keyword and initialization * function into the preprocessor list. This is the function that * gets called from InitPreprocessors() in plugbase.c. * @@ -170,7 +189,7 @@ #endif #ifdef PERF_PROFILING - _dpd.addPreprocProfileFunc("smtp", (void*)&smtpPerfStats, 0, _dpd.totalPerfStats); + _dpd.addPreprocProfileFunc("smtp", (void*)&smtpPerfStats, 0, _dpd.totalPerfStats); #endif } 
@@ -187,13 +206,15 @@ DynamicPreprocessorFatalMessage("Not enough memory to create SMTP " "configuration.\n"); } - + sfPolicyUserDataSetCurrent(smtp_config, pPolicyConfig); + SMTP_RegXtraDataFuncs(pPolicyConfig); SMTP_InitCmds(pPolicyConfig); SMTP_ParseArgs(pPolicyConfig, args); SMTP_CheckConfig(pPolicyConfig, smtp_config); + SMTP_PrintConfig(pPolicyConfig); if(pPolicyConfig->disabled) return; @@ -218,7 +239,7 @@ { pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; - + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, tmp->name_len, tmp->search_id); } @@ -240,7 +261,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * @@ -278,7 +299,7 @@ } -/* +/* * Function: SMTPCleanExitFunction(int, void *) * * Purpose: This function gets called when Snort is exiting, if there's @@ -286,20 +307,25 @@ * it should be done here. * * Arguments: signal => the code of the signal that was issued to Snort - * data => any arguments or data structs linked to this + * data => any arguments or data structs linked to this * function when it was registered, may be * needed to properly exit - * + * * Returns: void function - */ + */ static void SMTPCleanExitFunction(int signal, void *data) -{ +{ SMTP_Free(); if (mempool_destroy(smtp_mime_mempool) == 0) { free(smtp_mime_mempool); smtp_mime_mempool = NULL; } + if (mempool_destroy(smtp_mempool) == 0) + { + free(smtp_mempool); + smtp_mempool = NULL; + } } @@ -339,7 +365,7 @@ } #endif -static int SMTPEnableMimeDecoding(tSfPolicyUserContextId config, +static int SMTPEnableDecoding(tSfPolicyUserContextId config, tSfPolicyId policyId, void *pData) { SMTPConfig *context = (SMTPConfig *)pData; 
@@ -350,7 +376,24 @@ if(context->disabled) return 0; - if(context->enable_mime_decoding) + if(!SMTP_IsDecodingEnabled(context)) + return 1; + + return 0; +} +static int SMTPLogExtraData(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + SMTPConfig *context = (SMTPConfig *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if(context->log_email_hdrs || context->log_filename || + context->log_mailfrom || context->log_rcptto) return 1; return 0; @@ -358,12 +401,19 @@ static int SMTPCheckPolicyConfig( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { + SMTPConfig *context = (SMTPConfig *)pData; + _dpd.setParserPolicy(policyId); + /* In a multiple-policy setting, the SMTP preproc can be turned on in a + "disabled" state. In this case, we don't require Stream5. */ + if (context->disabled) + return 0; + if (!_dpd.isPreprocEnabled(PP_STREAM5)) { DynamicPreprocessorFatalMessage("Streaming & reassembly must be enabled " 
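Review bot: SMTPCheckPolicyConfig now dereferences `context->disabled` without the `pData == NULL` check that its sibling iterator callbacks SMTPEnableDecoding and SMTPLogExtraData in this same hunk perform. Add `if (context == NULL) return 0;` before the `disabled` test so the three callbacks passed to sfPolicyUserDataIterate handle an empty policy slot the same way. SMTPCheckPolicyConfig's body continues past the hunk.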
@@ -373,21 +423,14 @@ return 0; } -static void SetMaxMimeSession(SMTPConfig *pPolicyConfig) +static void SMTP_RegXtraDataFuncs(SMTPConfig *config) { - /*decode length will be shorter than encode length in base64 encoding and - * hence this calculation. */ - pPolicyConfig->max_mime_decode_bytes = - ( (pPolicyConfig->max_mime_depth/4)*3 ); - - if ( pPolicyConfig->max_mime_decode_bytes & 7) - { - (pPolicyConfig->max_mime_decode_bytes += 8 - - (pPolicyConfig->max_mime_decode_bytes & 7)); - } - pPolicyConfig->max_mime_sessions = - pPolicyConfig->max_mime_mem / - (pPolicyConfig->max_mime_depth + pPolicyConfig->max_mime_decode_bytes); + if ((_dpd.streamAPI == NULL) || !config) + return; + config->xtra_filename_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetFilename); + config->xtra_mfrom_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetMailFrom); + config->xtra_rcptto_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetRcptTo); + config->xtra_ehdrs_id = _dpd.streamAPI->reg_xtra_data_cb(SMTP_GetEmailHdrs); } 
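Review bot: SMTP_RegXtraDataFuncs registers the four callbacks with the stream API regardless of whether any `log_*` option is enabled, and it is called per policy from SMTPInit (L7915) and again on every reload (L7919). Unless reg_xtra_data_cb de-duplicates, each policy and each reload adds four more registrations, and the ids stored in one policy's config are only meaningful for that policy. A comment on the function stating the intended registration lifetime, or gating the call on the same `log_email_hdrs || log_filename || log_mailfrom || log_rcptto` test that SMTPLogExtraData uses, would make this explicit.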
@@ -398,42 +441,76 @@ SMTPConfig *defaultConfig = (SMTPConfig *)sfPolicyUserDataGetDefault(smtp_config); - if (sfPolicyUserDataIterate(smtp_config, SMTPEnableMimeDecoding) != 0) + if (sfPolicyUserDataIterate(smtp_config, SMTPEnableDecoding) != 0) { int encode_depth; - int decode_depth; + int max_sessions; if (defaultConfig == NULL) { /*error message */ DynamicPreprocessorFatalMessage("SMTP: Must configure a default " - "configuration if you want to enable mime decoding.\n"); + "configuration if you want to enable smtp decoding.\n"); } - encode_depth = defaultConfig->max_mime_depth; + encode_depth = defaultConfig->max_depth; if (encode_depth & 7) { encode_depth += (8 - (encode_depth & 7)); - defaultConfig->max_mime_depth = encode_depth; } - SetMaxMimeSession(defaultConfig); - - decode_depth = defaultConfig->max_mime_decode_bytes; + max_sessions = defaultConfig->max_mime_mem / (2 * encode_depth ); smtp_mime_mempool = (MemPool *)calloc(1, sizeof(MemPool)); - if (mempool_init(smtp_mime_mempool, defaultConfig->max_mime_sessions, - (encode_depth + decode_depth)) != 0) + if (mempool_init(smtp_mime_mempool, max_sessions, + (2 * encode_depth )) != 0) { - if(defaultConfig->max_mime_sessions) + DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mime mempool.\n"); + } + + } + + if (sfPolicyUserDataIterate(smtp_config, SMTPLogExtraData) != 0) + { + uint32_t log_depth, max_bkt_size; + uint32_t max_sessions_logged; + + if (defaultConfig == NULL) + { + /*error message */ + DynamicPreprocessorFatalMessage("SMTP: Must configure a default " + "configuration if you want to log email headers.\n"); + } + + log_depth = defaultConfig->email_hdrs_log_depth; + + /* Rounding the log depth to a multiple of 8 since + * multiple sessions use the same mempool + */ + + if (log_depth & 7) + { + log_depth += (8 - (log_depth & 7)); + defaultConfig->email_hdrs_log_depth = log_depth; + } + + max_bkt_size = ( (2 * MAX_EMAIL) + MAX_FILE + defaultConfig->email_hdrs_log_depth); + 
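Review bot: `max_sessions = defaultConfig->max_mime_mem / (2 * encode_depth );` yields 0 when max_mime_mem is smaller than two decode buffers, and the failure is then reported only as "Could not allocate SMTP mime mempool", losing the old code's distinction between a bad memory setting and a real allocation failure. It also divides by zero if `max_depth` is 0 while decoding is enabled; whether config parsing rules that out is not visible here. A check such as `if (encode_depth == 0 || max_sessions == 0) DynamicPreprocessorFatalMessage("SMTP: max_mime_mem is too small for max_depth.\n");` before mempool_init restores the diagnostic. Note also that the rounded `encode_depth` is no longer written back (the `defaultConfig->max_mime_depth = encode_depth;` line was dropped without a replacement), so the config keeps the unrounded `max_depth` while the buckets are sized from the rounded value.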
max_sessions_logged = defaultConfig->memcap / max_bkt_size; + + + smtp_mempool = calloc(1, sizeof(*smtp_mempool)); + + if (mempool_init(smtp_mempool, max_sessions_logged, max_bkt_size) != 0) + { + if(!max_sessions_logged) { - DynamicPreprocessorFatalMessage("SMTP: Error setting the \"max_mime_mem\" \n"); + DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mempool.\n"); } else { - DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mempool.\n"); + DynamicPreprocessorFatalMessage("SMTP: Error setting the \"memcap\" \n"); } } } @@ -476,10 +553,12 @@ sfPolicyUserDataSetCurrent(smtp_swap_config, pPolicyConfig); + SMTP_RegXtraDataFuncs(pPolicyConfig); SMTP_InitCmds(pPolicyConfig); SMTP_ParseArgs(pPolicyConfig, args); SMTP_CheckConfig(pPolicyConfig, smtp_swap_config); + SMTP_PrintConfig(pPolicyConfig); if( pPolicyConfig->disabled ) return; @@ -502,7 +581,7 @@ { pPolicyConfig->cmd_search[tmp->search_id].name = tmp->name; pPolicyConfig->cmd_search[tmp->search_id].name_len = tmp->name_len; - + _dpd.searchAPI->search_instance_add(pPolicyConfig->cmd_search_mpse, tmp->name, tmp->name_len, tmp->search_id); } @@ -542,7 +621,7 @@ { if (configNext == NULL) { - _dpd.errMsg("SMTP reload: Changing the max_mime_depth or max_mime_mem requires a restart.\n"); + _dpd.errMsg("SMTP reload: Changing the SMTP configuration requires a restart.\n"); SMTP_FreeConfigs(smtp_swap_config); smtp_swap_config = NULL; return -1; 
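Review bot: The two messages in the `mempool_init(smtp_mempool, ...)` failure branch look swapped: when `max_sessions_logged` is 0 the cause is a `memcap` too small for a single bucket, yet that branch prints "Could not allocate SMTP mempool", while a nonzero count (a genuine allocation failure) prints `Error setting the "memcap"`. If mempool_init rejects a zero object count, as the `if(!max_sessions_logged)` test suggests, the two strings should be exchanged. The same branch is duplicated in the reload path at L7922.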
@@ -554,14 +633,59 @@ smtp_swap_config = NULL; return -1; } - if (configNext->max_mime_depth & 7) - configNext->max_mime_depth += (8 - (configNext->max_mime_depth & 7)); + if(configNext->b64_depth != config->b64_depth) + { + _dpd.errMsg("SMTP reload: Changing the b64_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->qp_depth != config->qp_depth) + { + _dpd.errMsg("SMTP reload: Changing the qp_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->bitenc_depth != config->bitenc_depth) + { + _dpd.errMsg("SMTP reload: Changing the bitenc_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if(configNext->uu_depth != config->uu_depth) + { + _dpd.errMsg("SMTP reload: Changing the uu_decode_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } - SetMaxMimeSession(configNext); + } - if (configNext->max_mime_depth != config->max_mime_depth) + if (smtp_mempool != NULL) + { + if (configNext == NULL) { - _dpd.errMsg("SMTP reload: Changing the max_mime_depth requires a restart.\n"); + _dpd.errMsg("SMTP reload: Changing the memcap or email_hdrs_log_depth requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if (configNext->memcap != config->memcap) + { + _dpd.errMsg("SMTP reload: Changing the memcap requires a restart.\n"); + SMTP_FreeConfigs(smtp_swap_config); + smtp_swap_config = NULL; + return -1; + } + if (configNext->email_hdrs_log_depth & 7) + configNext->email_hdrs_log_depth += (8 - (configNext->email_hdrs_log_depth & 7)); + + if(config->email_hdrs_log_depth != config->email_hdrs_log_depth) + { + _dpd.errMsg("SMTP reload: Changing the email_hdrs_log_depth requires a restart.\n"); SMTP_FreeConfigs(smtp_swap_config); 
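Review bot: `if(config->email_hdrs_log_depth != config->email_hdrs_log_depth)` compares the field with itself and is always false, so a changed `email_hdrs_log_depth` on reload is never rejected even though the error message for it was added; it should read `if(configNext->email_hdrs_log_depth != config->email_hdrs_log_depth)`. Since the log mempool bucket size is derived from this depth (L7918) and the pool is not re-created on this path, a silently accepted change leaves buckets sized for the old depth. The comparison sits after the rounding of `configNext->email_hdrs_log_depth`, which matches the rounding applied at init, so the corrected check compares like with like.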
smtp_swap_config = NULL; return -1; 
@@ -569,41 +693,64 @@
     }
     else if(configNext != NULL)
     {
-
-        if (sfPolicyUserDataIterate(smtp_swap_config, SMTPEnableMimeDecoding) != 0)
+        if (sfPolicyUserDataIterate(smtp_swap_config, SMTPEnableDecoding) != 0)
         {
             int encode_depth;
-            int decode_depth;
+            int max_sessions;
+
-            encode_depth = configNext->max_mime_depth;
+            encode_depth = configNext->max_depth;
             if (encode_depth & 7)
             {
                 encode_depth += (8 - (encode_depth & 7));
-                configNext->max_mime_depth = encode_depth;
             }
-            SetMaxMimeSession(configNext);
-            decode_depth = configNext->max_mime_decode_bytes;
+            max_sessions = configNext->max_mime_mem / ( 2 * encode_depth);
             smtp_mime_mempool = (MemPool *)calloc(1, sizeof(MemPool));
-            if (mempool_init(smtp_mime_mempool, configNext->max_mime_sessions,
-                        (encode_depth + decode_depth)) != 0)
+            if (mempool_init(smtp_mime_mempool, max_sessions,
+                        (2 * encode_depth)) != 0)
+            {
+                DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mime mempool.\n");
+            }
+        }
+
+        if (sfPolicyUserDataIterate(smtp_config, SMTPLogExtraData) != 0)
+        {
+            uint32_t log_depth, max_bkt_size;
+            uint32_t max_sessions_logged;
+
+            log_depth = configNext->email_hdrs_log_depth;
+
+
+            if (log_depth & 7)
+            {
+                log_depth += (8 - (log_depth & 7));
+                configNext->email_hdrs_log_depth = log_depth;
+            }
+
+            max_bkt_size = configNext->memcap/((2* MAX_EMAIL) + MAX_FILE + configNext->email_hdrs_log_depth);
+            max_sessions_logged = configNext->memcap/max_bkt_size;
+
+            smtp_mempool = calloc(1, sizeof(*smtp_mempool));
+
+            if (mempool_init(smtp_mempool, max_sessions_logged, max_bkt_size) != 0)
             {
-                if(configNext->max_mime_sessions)
+                if(!max_sessions_logged)
                 {
-                    DynamicPreprocessorFatalMessage("SMTP: Error setting the \"max_mime_mem\" \n");
+                    DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mempool.\n");
                 }
                 else
                 {
-                    DynamicPreprocessorFatalMessage("SMTP: Could not allocate SMTP mempool.\n");
+                    DynamicPreprocessorFatalMessage("SMTP: Error setting the \"memcap\" \n");
                 }
             }
         }
     }
-
+
     if ( configNext->disabled )
         return 0;
@@ -620,7 +767,7 @@
 static int SMTPReloadSwapPolicy(
         tSfPolicyUserContextId config,
-        tSfPolicyId policyId,
+        tSfPolicyId policyId,
         void* pData
 )
 {
@@ -631,7 +778,7 @@
         sfPolicyUserDataClear (config, policyId);
         SMTP_FreeConfig(pPolicyConfig);
     }
-
+
     return 0;
 }
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/smtp/spp_smtp.h snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.h
--- snort-2.9.0.1/src/dynamic-preprocessors/smtp/spp_smtp.h 2010-01-26 10:10:07.000000000 -0800
+++ snort-2.9.2/src/dynamic-preprocessors/smtp/spp_smtp.h 2011-02-09 15:23:25.000000000 -0800
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
  *
  * Author: Andy Mullican
  *
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssh/Makefile.am snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.am
--- snort-2.9.0.1/src/dynamic-preprocessors/ssh/Makefile.am 2010-06-09 15:05:16.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.am 2011-07-13 15:44:51.000000000 -0700
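Review bot: `max_sessions_logged = configNext->memcap/max_bkt_size;` divides before the `if(!max_sessions_logged)` test that follows it, so a memcap smaller than `(2* MAX_EMAIL) + MAX_FILE + configNext->email_hdrs_log_depth` makes `max_bkt_size` zero and the reload faults on the division instead of reporting the bad memcap; check the divisor between the two assignments, e.g. `if (max_bkt_size == 0) DynamicPreprocessorFatalMessage("SMTP: Error setting the \"memcap\" \n");`. The same applies to `configNext->max_mime_mem / ( 2 * encode_depth)` if max_depth can be configured as 0, which this hunk does not show either way. The second iterate call reads `smtp_config` while the decoding check just above it reads `smtp_swap_config`; presumably the new (swap) configuration is the one that should decide whether `smtp_mempool` is created during a reload, so the difference is worth confirming. Both `calloc` results are handed to `mempool_init` without a NULL check. The enclosing function begins before the hunk.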
@@ -1,39 +1,28 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_ssh_preproc.la libsf_ssh_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +if SO_WITH_STATIC_LIB +libsf_ssh_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_ssh_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_ssh_preproc_la_SOURCES = \ spp_ssh.c \ -spp_ssh.h \ -sf_preproc_info.h +spp_ssh.h EXTRA_DIST = \ sf_ssh.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssh/Makefile.in snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/ssh/Makefile.in 2010-10-08 02:56:53.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/Makefile.in 2011-12-07 11:23:20.000000000 -0800 
@@ -68,10 +68,12 @@ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_ssh_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_ssh_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_ssh_preproc_la_OBJECTS = spp_ssh.lo -nodist_libsf_ssh_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssh_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_ssh_preproc_la_OBJECTS = $(am_libsf_ssh_preproc_la_OBJECTS) \ $(nodist_libsf_ssh_preproc_la_OBJECTS) libsf_ssh_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -104,7 +106,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -119,7 +123,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -155,13 +160,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ 
@@ -222,24 +233,19 @@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_ssh_preproc.la libsf_ssh_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_ssh_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +@SO_WITH_STATIC_LIB_TRUE@libsf_ssh_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssh_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_ssh_preproc_la_SOURCES = \ spp_ssh.c \ -spp_ssh.h \ -sf_preproc_info.h +spp_ssh.h EXTRA_DIST = \ sf_ssh.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -322,6 +328,12 @@ .c.lo: $(LTCOMPILE) -c -o $@ $< +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo 
@@ -411,15 +423,13 @@ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -444,10 +454,9 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -514,11 +523,11 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ 
@@ -531,19 +540,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssh/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/ssh/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/ssh/sf_preproc_info.h 2010-01-26 10:10:07.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,34 +0,0 @@ -/* Copyright (C) 2005-2010 Sourcefire, Inc. -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -#ifndef SF_PREPROC_INFO_H -#define SF_PREPROC_INFO_H - -#define MAJOR_VERSION 1 -#define MINOR_VERSION 1 -#define BUILD_VERSION 3 -#ifdef SUP_IP6 -#define PREPROC_NAME "SF_SSH (IPV6)" -#else -#define PREPROC_NAME "SF_SSH" -#endif - -#define DYNAMIC_PREPROC_SETUP SetupSSH -extern void SetupSSH(void); - -#endif /* SF_PREPROC_INFO_H */ diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssh/sf_ssh.dsp snort-2.9.2/src/dynamic-preprocessors/ssh/sf_ssh.dsp --- snort-2.9.0.1/src/dynamic-preprocessors/ssh/sf_ssh.dsp 2010-08-25 13:22:45.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/sf_ssh.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_ssh - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib 
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssh - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_ssh___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib 
uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssh - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_ssh___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,18 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# 
ADD LINK32 ws2_32.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssh/spp_ssh.c snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.c --- snort-2.9.0.1/src/dynamic-preprocessors/ssh/spp_ssh.c 2010-01-26 10:10:07.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -28,23 +28,25 @@ * * * Alert for Gobbles, CRC32, protocol mismatch (Cisco catalyst vulnerability), - * and a SecureCRT vulnerability. Will also alert if the client or server - * traffic appears to flow the wrong direction, or if packets appear + * and a SecureCRT vulnerability. Will also alert if the client or server + * traffic appears to flow the wrong direction, or if packets appear * malformed/spoofed. - * + * */ #ifdef HAVE_CONFIG_H #include "config.h" #endif /* HAVE_CONFIG_H */ +#include "sf_types.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_plugin_api.h" -#include "debug.h" +#include "snort_debug.h" #include "preprocids.h" #include "spp_ssh.h" +#include "sf_preproc_info.h" #include <stdio.h> #include <syslog.h> @@ -63,6 +65,17 @@ #include "sf_types.h" +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 3; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SSH (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SSH"; +#endif + +#define SetupSSH DYNAMIC_PREPROC_SETUP + #ifdef TARGET_BASED int16_t ssh_app_id = SFTARGET_UNKNOWN_PROTOCOL; #endif 
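Review bot: `#include "sf_types.h"` now appears twice in spp_ssh.c: the hunk at -28,23 adds it at the top of the include list while the context of the hunk at -63,6 shows the original include still in place, so one of the two can be dropped. The version objects added in that later hunk (`const int MAJOR_VERSION = 1;` and the lines after it) are non-static file-scope definitions, presumably so the plugin loader can resolve them by name now that the per-preprocessor sf_preproc_info.h is deleted and `#include "sf_preproc_info.h"` resolves elsewhere; if that is the intent, a one-line comment such as `/* exported: looked up by the dynamic preprocessor loader */` above them would keep a later cleanup from marking them static.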
@@ -82,8 +95,8 @@ static void FreeSSHData( void* ); static void ParseSSHArgs(SSHConfig *, u_char*); static void ProcessSSH( void*, void* ); -static INLINE int CheckSSHPort( uint16_t ); -static int ProcessSSHProtocolVersionExchange( SSHData*, SFSnortPacket*, +static inline int CheckSSHPort( uint16_t ); +static int ProcessSSHProtocolVersionExchange( SSHData*, SFSnortPacket*, uint8_t, uint8_t ); static int ProcessSSHKeyExchange( SSHData*, SFSnortPacket*, uint8_t ); static int ProcessSSHKeyInitExchange( SSHData*, SFSnortPacket*, uint8_t ); @@ -118,19 +131,17 @@ static void SSHReloadSwapFree(void *); #endif -extern DynamicPreprocessorData _dpd; - /* Called at preprocessor setup time. Links preprocessor keyword * to corresponding preprocessor initialization function. * * PARAMETERS: None. -* +* * RETURNS: Nothing. * */ void SetupSSH(void) { - /* Link preprocessor keyword to initialization function + /* Link preprocessor keyword to initialization function * in the preprocessor list. */ #ifndef SNORT_RELOAD _dpd.registerPreproc( "ssh", SSHInit ); @@ -142,13 +153,13 @@ /* Initializes the SSH preprocessor module and registers * it in the preprocessor list. - * - * PARAMETERS: + * + * PARAMETERS: * * argp: Pointer to argument string to process for config * data. * - * RETURNS: Nothing. + * RETURNS: Nothing. */ static void SSHInit(char *argp) { @@ -199,7 +210,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for " "SSH preprocessor configuration.\n"); } - + sfPolicyUserDataSetCurrent(ssh_config, pPolicyConfig); ParseSSHArgs(pPolicyConfig, (u_char *)argp); @@ -248,16 +259,16 @@ return value; } -/* Parses and processes the configuration arguments +/* Parses and processes the configuration arguments * supplied in the SSH preprocessor rule. * - * PARAMETERS: + * PARAMETERS: * * argp: Pointer to string containing the config arguments. - * + * * RETURNS: Nothing. */ -static void +static void ParseSSHArgs(SSHConfig *config, u_char* argp) { char* cur_tokenp = NULL; 
@@ -270,7 +281,7 @@ config->MaxEncryptedPackets = SSH_DEFAULT_MAX_ENC_PKTS; config->MaxClientBytes = SSH_DEFAULT_MAX_CLIENT_BYTES; config->MaxServerVersionLen = SSH_DEFAULT_MAX_SERVER_VERSION_LEN; - + /* Set up default port to listen on */ config->ports[ PORT_INDEX( 22 ) ] |= CONV_PORT(22); @@ -295,10 +306,10 @@ { if ( !strcmp( cur_tokenp, SSH_SERVERPORTS_KEYWORD )) { - /* If the user specified ports, remove '22' for now since + /* If the user specified ports, remove '22' for now since * it now needs to be set explicitely. */ config->ports[ PORT_INDEX( 22 ) ] = 0; - + /* Eat the open brace. */ cur_tokenp = strtok( NULL, " "); if (( !cur_tokenp ) || ( cur_tokenp[0] != '{' )) @@ -321,19 +332,19 @@ else { port = atoi( cur_tokenp ); - if( port < 0 || port > MAX_PORTS ) + if( port < 0 || port > MAX_PORTS ) { DynamicPreprocessorFatalMessage("Port value illegitimate: %s\n", cur_tokenp); //free(argcpyp); //return; } - + config->ports[ PORT_INDEX( port ) ] |= CONV_PORT(port); } cur_tokenp = strtok( NULL, " "); } - + } else if ( !strcmp( cur_tokenp, SSH_AUTODETECT_KEYWORD )) { @@ -371,17 +382,17 @@ { config->EnabledAlerts |= SSH_ALERT_CRC32; } - else if ( + else if ( !strcmp( cur_tokenp, SSH_ENABLE_SECURECRT_KEYWORD )) { config->EnabledAlerts |= SSH_ALERT_SECURECRT; } - else if ( + else if ( !strcmp( cur_tokenp, SSH_ENABLE_PROTOMISMATCH_KEYWORD )) { config->EnabledAlerts |= SSH_ALERT_PROTOMISMATCH; } - else if ( + else if ( !strcmp( cur_tokenp, SSH_ENABLE_WRONGDIR_KEYWORD )) { config->EnabledAlerts |= SSH_ALERT_WRONGDIR; @@ -389,10 +400,10 @@ #if 0 else if ( !strcmp( cur_tokenp, SSH_DISABLE_RULES_KEYWORD )) { - config->DisableRules++; - } + config->DisableRules++; + } #endif - else if( !strcmp( cur_tokenp, SSH_ENABLE_PAYLOAD_SIZE )) + else if( !strcmp( cur_tokenp, SSH_ENABLE_PAYLOAD_SIZE )) { config->EnabledAlerts |= SSH_ALERT_PAYSIZE; } 
@@ -413,8 +424,8 @@ free(argcpyp); } -/* Display the configuration for the SSH preprocessor. - * +/* Display the configuration for the SSH preprocessor. + * * PARAMETERS: None. * * RETURNS: Nothing. @@ -427,10 +438,10 @@ if (config == NULL) return; - + _dpd.logMsg("SSH config: \n"); - _dpd.logMsg(" Autodetection: %s\n", - config->AutodetectEnabled ? + _dpd.logMsg(" Autodetection: %s\n", + config->AutodetectEnabled ? "ENABLED":"DISABLED"); _dpd.logMsg(" Challenge-Response Overflow Alert: %s\n", config->EnabledAlerts & SSH_ALERT_RESPOVERFLOW ? @@ -454,22 +465,22 @@ _dpd.logMsg(" Unrecognized Version Alert: %s\n", config->EnabledAlerts & SSH_ALERT_UNRECOGNIZED ? "ENABLED" : "DISABLED" ); - _dpd.logMsg(" Max Encrypted Packets: %d %s \n", - config->MaxEncryptedPackets, - config->MaxEncryptedPackets + _dpd.logMsg(" Max Encrypted Packets: %d %s \n", + config->MaxEncryptedPackets, + config->MaxEncryptedPackets == SSH_DEFAULT_MAX_ENC_PKTS ? "(Default)" : "" ); - _dpd.logMsg(" Max Server Version String Length: %d %s \n", - config->MaxServerVersionLen, + _dpd.logMsg(" Max Server Version String Length: %d %s \n", + config->MaxServerVersionLen, config->MaxServerVersionLen == SSH_DEFAULT_MAX_SERVER_VERSION_LEN ? "(Default)" : "" ); - if ( config->EnabledAlerts & + if ( config->EnabledAlerts & (SSH_ALERT_RESPOVERFLOW | SSH_ALERT_CRC32)) { - _dpd.logMsg(" MaxClientBytes: %d %s \n", - config->MaxClientBytes, + _dpd.logMsg(" MaxClientBytes: %d %s \n", + config->MaxClientBytes, config->MaxClientBytes == SSH_DEFAULT_MAX_CLIENT_BYTES ? "(Default)" : "" ); @@ -477,8 +488,8 @@ /* Traverse list, printing ports, 5 per line */ newline = 1; - _dpd.logMsg(" Ports:\n"); - for(index = 0; index < MAX_PORTS; index++) + _dpd.logMsg(" Ports:\n"); + for(index = 0; index < MAX_PORTS; index++) { if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) ) { 
@@ -492,12 +503,12 @@ _dpd.logMsg("\n"); } -/* Main runtime entry point for SSH preprocessor. - * Analyzes SSH packets for anomalies/exploits. - * +/* Main runtime entry point for SSH preprocessor. + * Analyzes SSH packets for anomalies/exploits. + * * PARAMETERS: * - * packetp: Pointer to current packet to process. + * packetp: Pointer to current packet to process. * contextp: Pointer to context block, not used. * * RETURNS: Nothing. @@ -509,7 +520,7 @@ uint8_t source = 0; uint8_t dest = 0; uint8_t known_port = 0; - uint8_t direction; + uint8_t direction; SFSnortPacket* packetp; #ifdef TARGET_BASED int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL; @@ -530,7 +541,7 @@ ( packetp->flags & FLAG_STREAM_INSERT)) { return; - } + } PREPROC_PROFILE_START(sshPerfStats); @@ -546,7 +557,7 @@ if (sessp == NULL) { - /* If not doing autodetection, check the ports to make sure this is + /* If not doing autodetection, check the ports to make sure this is * running on an SSH port, otherwise no need to examine the traffic. */ #ifdef TARGET_BASED @@ -619,9 +630,15 @@ if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM) || _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH)) { - _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, - STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH, - STREAM_FLPOLICY_SET_ABSOLUTE); + /* Don't turn off reassembly if autodetected since another preprocessor + * may actually be looking at this session as well and the SSH + * autodetect of this session may be wrong. */ + if (!(sessp->state_flags & SSH_FLG_AUTODETECTED)) + { + _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, + STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH, + STREAM_FLPOLICY_SET_ABSOLUTE); + } sessp->state_flags |= SSH_FLG_MISSED_PACKETS; 
@@ -632,7 +649,7 @@ if ( !(sessp->state_flags & SSH_FLG_REASSEMBLY_SET )) { _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr, - STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, 0); + STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_APPEND); sessp->state_flags |= SSH_FLG_REASSEMBLY_SET; } @@ -642,13 +659,13 @@ if ( !(sessp->state_flags & SSH_FLG_SESS_ENCRYPTED )) { - /* If server and client have not performed the protocol + /* If server and client have not performed the protocol * version exchange yet, must look for version strings. */ if ( (sessp->state_flags & SSH_FLG_BOTH_IDSTRING_SEEN) != SSH_FLG_BOTH_IDSTRING_SEEN ) { - if ( ProcessSSHProtocolVersionExchange( sessp, + if ( ProcessSSHProtocolVersionExchange( sessp, packetp, direction, known_port ) == SSH_FAILURE ) { @@ -659,8 +676,8 @@ return; } - /* Expecting to see the key init exchange at this point - * (in SSH2) or the actual key exchange if SSH1 + /* Expecting to see the key init exchange at this point + * (in SSH2) or the actual key exchange if SSH1 */ if ((( sessp->state_flags & SSH_FLG_V1_KEYEXCH_DONE ) != SSH_FLG_V1_KEYEXCH_DONE ) && @@ -668,7 +685,7 @@ != SSH_FLG_V2_KEXINIT_DONE )) { ProcessSSHKeyInitExchange( sessp, packetp, direction ); - + PREPROC_PROFILE_END(sshPerfStats); return; } @@ -681,11 +698,11 @@ } else { - /* Traffic on this session is currently encrypted. + /* Traffic on this session is currently encrypted. * Two of the major SSH exploits, SSH1 CRC-32 and * the Challenge-Response Overflow attack occur within * the encrypted portion of the SSH session. Therefore, - * the only way to detect these attacks is by examining + * the only way to detect these attacks is by examining * amounts of data exchanged for anomalies. */ sessp->num_enc_pkts++; 
@@ -696,20 +713,20 @@ { sessp->num_client_bytes += packetp->payload_size; - if ( sessp->num_client_bytes >= - ssh_eval_config->MaxClientBytes ) + if ( sessp->num_client_bytes >= + ssh_eval_config->MaxClientBytes ) { /* Probable exploit in progress.*/ - if (sessp->version == SSH_VERSION_1) + if (sessp->version == SSH_VERSION_1) { if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_CRC32 ) { ALERT(SSH_EVENT_CRC32, SSH_EVENT_CRC32_STR); - _dpd.streamAPI->stop_inspection( - packetp->stream_session_ptr, - packetp, - SSN_DIR_BOTH, -1, 0 ); + _dpd.streamAPI->stop_inspection( + packetp->stream_session_ptr, + packetp, + SSN_DIR_BOTH, -1, 0 ); } } else @@ -718,18 +735,18 @@ { ALERT(SSH_EVENT_RESPOVERFLOW, SSH_EVENT_RESPOVERFLOW_STR); - _dpd.streamAPI->stop_inspection( - packetp->stream_session_ptr, - packetp, - SSN_DIR_BOTH, -1, 0 ); + _dpd.streamAPI->stop_inspection( + packetp->stream_session_ptr, + packetp, + SSN_DIR_BOTH, -1, 0 ); } } } } else { - /* - * Have seen a server response, so + /* + * Have seen a server response, so * this appears to be a valid exchange. * Reset suspicious byte count to zero. */ @@ -741,24 +758,24 @@ /* Have already examined more than the limit * of encrypted packets. Both the Gobbles and * the CRC32 attacks occur during authentication - * and therefore cannot be used late in an + * and therefore cannot be used late in an * encrypted session. For performance purposes, * stop examining this session. */ - _dpd.streamAPI->stop_inspection( - packetp->stream_session_ptr, - packetp, - SSN_DIR_BOTH, -1, 0 ); - + _dpd.streamAPI->stop_inspection( + packetp->stream_session_ptr, + packetp, + SSN_DIR_BOTH, -1, 0 ); + } } PREPROC_PROFILE_END(sshPerfStats); } -/* Retrieves the SSH data block registered with the stream +/* Retrieves the SSH data block registered with the stream * session associated w/ the current packet. If none exists, - * allocates it and registers it with the stream API. + * allocates it and registers it with the stream API. * * PARAMETERS: * 
@@ -784,8 +801,8 @@ return NULL; /*Register the new SSH data block in the stream session. */ - _dpd.streamAPI->set_application_data( - packetp->stream_session_ptr, + _dpd.streamAPI->set_application_data( + packetp->stream_session_ptr, PP_SSH, datap, FreeSSHData ); datap->policy_id = policy_id; @@ -797,7 +814,7 @@ static int SshFreeConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -819,11 +836,11 @@ sfPolicyConfigDelete(config); } -/* Registered as a callback with our SSH data blocks when +/* Registered as a callback with our SSH data blocks when * they are added to the underlying stream session. Called * by the stream preprocessor when a session is about to be * destroyed. - * + * * PARAMETERS: * * idatap: Pointer to the moribund data. @@ -844,7 +861,7 @@ config = (SSHConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id); } - if (config != NULL) + if (config != NULL) { config->ref_count--; if ((config->ref_count == 0) && @@ -874,7 +891,7 @@ * RETURNS: SSH_TRUE, if the port is indeed an SSH server port. * SSH_FALSE, otherwise. */ -static INLINE int +static inline int CheckSSHPort( uint16_t port ) { if ( ssh_eval_config->ports[ PORT_INDEX(port) ] & CONV_PORT( port ) ) @@ -885,12 +902,12 @@ return SSH_FALSE; } -/* Checks if the string 'str' is 'max' bytes long or longer. +/* Checks if the string 'str' is 'max' bytes long or longer. * Returns 0 if 'str' is less than or equal to 'max' bytes; * returns 1 otherwise. */ -static INLINE int SSHCheckStrlen(char *str, int max) { +static inline int SSHCheckStrlen(char *str, int max) { while(*(str++) && max--) ; if(max > 0) return 0; /* str size is <= max bytes */ 
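Review bot: The header comment kept on `SSHCheckStrlen` (now `static inline`) contradicts the loop below it: a string that is exactly `max` bytes long leaves `max` at 0 or below, so the `if(max > 0) return 0;` path is taken only for strings strictly shorter than `max`, and both "less than or equal to 'max' bytes" in the header and the trailing `/* str size is <= max bytes */` are wrong. The comment should also say that `str` is raw packet payload rather than a NUL-terminated string and that the loop reads up to `max + 1` bytes of it, so the caller must guarantee that many bytes are present; the visible caller in ProcessSSHProtocolVersionExchange does this with its `payload_size > MaxServerVersionLen` test before passing `&version_stringp[6]` and `MaxServerVersionLen-6`, but that dependency is documented at neither end. Suggested replacement for the second and third header lines: `* Returns 0 if 'str' is shorter than 'max' bytes; non-zero otherwise.` and `* 'str' need not be NUL-terminated: at most max+1 bytes are read, so the caller must ensure that many bytes are readable.`, and `/* str size is < max bytes */` on the return line. The function body may continue outside this hunk.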
@@ -908,22 +925,22 @@ * packetp: Pointer to the packet to inspect. * direction: Which direction the packet is going. * known_port: A pre-configured or default server port is involved. - * + * * RETURNS: SSH_SUCCESS, if successfully processed a proto exch msg * SSH_FAILURE, otherwise. */ static int -ProcessSSHProtocolVersionExchange( SSHData* sessionp, SFSnortPacket* packetp, +ProcessSSHProtocolVersionExchange( SSHData* sessionp, SFSnortPacket* packetp, uint8_t direction, uint8_t known_port ) { - char* version_stringp = (char*) packetp->payload; + char* version_stringp = (char*) packetp->payload; uint8_t version; /* Get the version. */ - if ( packetp->payload_size >= 6 && + if ( packetp->payload_size >= 6 && !strncasecmp( version_stringp, "SSH-1.", 6)) { - if (( packetp->payload_size > 7 ) && ( version_stringp[6] == '9') + if (( packetp->payload_size > 7 ) && ( version_stringp[6] == '9') && (version_stringp[7] == '9')) { /* SSH 1.99 which is the same as SSH2.0 */ 
@@ -935,22 +952,22 @@ } /* CAN-2002-0159 */ - /* Verify the version string is not greater than - * the configured maximum. + /* Verify the version string is not greater than + * the configured maximum. * We've already verified the first 6 bytes, so we'll start * check from &version_string[6] */ if( (ssh_eval_config->EnabledAlerts & SSH_ALERT_SECURECRT ) && /* First make sure the payload itself is sufficiently large */ (packetp->payload_size > ssh_eval_config->MaxServerVersionLen) && - /* CheckStrlen will check if the version string up to - * MaxServerVersionLen+1 since there's no reason to + /* CheckStrlen will check if the version string up to + * MaxServerVersionLen+1 since there's no reason to * continue checking after that point*/ (SSHCheckStrlen(&version_stringp[6], ssh_eval_config->MaxServerVersionLen-6))) { ALERT(SSH_EVENT_SECURECRT, SSH_EVENT_SECURECRT_STR); } } - else if ( packetp->payload_size >= 6 && + else if ( packetp->payload_size >= 6 && !strncasecmp( version_stringp, "SSH-2.", 6)) { version = SSH_VERSION_2; @@ -958,10 +975,10 @@ else { /* Not SSH on SSH port, CISCO vulnerability */ - if ((direction == SSH_DIR_FROM_CLIENT) && - ( known_port != 0 ) && + if ((direction == SSH_DIR_FROM_CLIENT) && + ( known_port != 0 ) && ( !(sessionp->state_flags & SSH_FLG_AUTODETECTED) ) && - ( ssh_eval_config->EnabledAlerts & + ( ssh_eval_config->EnabledAlerts & SSH_ALERT_PROTOMISMATCH )) { ALERT(SSH_EVENT_PROTOMISMATCH, SSH_EVENT_PROTOMISMATCH_STR); @@ -971,7 +988,7 @@ } /* Saw a valid protocol exchange message. Mark the session - * according to the direction. + * according to the direction. */ switch( direction ) { @@ -985,10 +1002,10 @@ sessionp->version = version; - return SSH_SUCCESS; + return SSH_SUCCESS; } -/* Called to process SSH1 key exchange or SSH2 key exchange init +/* Called to process SSH1 key exchange or SSH2 key exchange init * messages. On failure, inspection will be continued, but the packet * will be alerted on, and ignored. * 
@@ -997,14 +1014,14 @@ * sessionp: Pointer to SSH data for packet's session. * packetp: Pointer to the packet to inspect. * direction: Which direction the packet is going. - * - * RETURN: SSH_SUCCESS, if a valid key exchange message is processed + * + * RETURN: SSH_SUCCESS, if a valid key exchange message is processed * SSH_FAILURE, otherwise. */ -static int -ProcessSSHKeyInitExchange( SSHData* sessionp, SFSnortPacket* packetp, +static int +ProcessSSHKeyInitExchange( SSHData* sessionp, SFSnortPacket* packetp, uint8_t direction ) -{ +{ SSH2Packet* ssh2packetp = NULL; if ( sessionp->version == SSH_VERSION_1 ) @@ -1013,9 +1030,9 @@ uint8_t padding_length; uint8_t message_type; - /* + /* * Validate packet payload. - * First 4 bytes should have the SSH packet length, + * First 4 bytes should have the SSH packet length, * minus any padding. */ if ( packetp->payload_size < 4 ) @@ -1028,7 +1045,7 @@ return SSH_FAILURE; } - /* + /* * SSH1 key exchange is very simple and * consists of only two messages, a server * key and a client key message.` @@ -1039,7 +1056,7 @@ if ( packetp->payload_size < length ) { if(ssh_eval_config->EnabledAlerts & SSH_ALERT_PAYSIZE) - { + { ALERT(SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR); } @@ -1048,7 +1065,7 @@ padding_length = (uint8_t)(8 - (length % 8)); - /* + /* * With the padding calculated, verify payload is sufficiently large * to include the message type. */ @@ -1061,19 +1078,19 @@ return SSH_FAILURE; } - - message_type = + + message_type = *( (uint8_t*) (packetp->payload + padding_length + 4)); switch( message_type ) { - case SSH_MSG_V1_SMSG_PUBLIC_KEY: + case SSH_MSG_V1_SMSG_PUBLIC_KEY: if ( direction == SSH_DIR_FROM_SERVER ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_SERV_PKEY_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg not from server. */ 
@@ -1083,13 +1100,13 @@ case SSH_MSG_V1_CMSG_SESSION_KEY: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_CLIENT_SKEY_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { - /* Client msg not from client. */ + /* Client msg not from client. */ ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR); } break; @@ -1098,7 +1115,7 @@ break; } - /* Once the V1 key exchange is done, remainder of + /* Once the V1 key exchange is done, remainder of * communications are encrypted. */ if ( (sessionp->state_flags & SSH_FLG_V1_KEYEXCH_DONE) == @@ -1111,17 +1128,17 @@ { /* We want to overlay the payload on our data packet struct, * so first verify that the payload size is big enough. - * This may legitimately occur such as in the case of a + * This may legitimately occur such as in the case of a * retransmission. */ if ( packetp->payload_size < sizeof(SSH2Packet) ) { return SSH_FAILURE; } - + /* Overlay the SSH2 binary data packet struct on the packet */ ssh2packetp = (SSH2Packet*) packetp->payload; - if (( packetp->payload_size < SSH2_HEADERLEN + 1) || + if (( packetp->payload_size < SSH2_HEADERLEN + 1) || ( packetp->payload_size < ntohl(ssh2packetp->packet_length) )) { /* Invalid packet length. */ @@ -1132,7 +1149,7 @@ switch ( packetp->payload[SSH2_HEADERLEN] ) { case SSH_MSG_KEXINIT: - sessionp->state_flags |= + sessionp->state_flags |= (direction == SSH_DIR_FROM_SERVER ? SSH_FLG_SERV_KEXINIT_SEEN : SSH_FLG_CLIENT_KEXINIT_SEEN ); 
@@ -1152,25 +1169,25 @@ return SSH_FAILURE; } - + return SSH_SUCCESS; } /* Called to process SSH2 key exchange msgs (key exch init msgs already - * processed earlier). On failure, inspection will be continued, but the + * processed earlier). On failure, inspection will be continued, but the * packet will be alerted on, and ignored. - * - * PARAMETERS: + * + * PARAMETERS: * * sessionp: Pointer to SSH data for packet's session. * packetp: Pointer to the packet to inspect. * direction: Which direction the packet is going. - * - * RETURN: SSH_SUCCESS, if a valid key exchange message is processed + * + * RETURN: SSH_SUCCESS, if a valid key exchange message is processed * SSH_FAILURE, otherwise. */ static int -ProcessSSHKeyExchange( SSHData* sessionp, SFSnortPacket* packetp, +ProcessSSHKeyExchange( SSHData* sessionp, SFSnortPacket* packetp, uint8_t direction ) { SSH2Packet* ssh2packetp = NULL; @@ -1180,10 +1197,10 @@ /* Invalid packet length. */ return SSH_FAILURE; } - + ssh2packetp = (SSH2Packet*) packetp->payload; - if (( packetp->payload_size < SSH2_HEADERLEN + 1 ) || + if (( packetp->payload_size < SSH2_HEADERLEN + 1 ) || ( packetp->payload_size < ntohl(ssh2packetp->packet_length) )) { @@ -1201,10 +1218,10 @@ case SSH_MSG_KEXDH_INIT: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_KEXDH_INIT_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Client msg from server. */ @@ -1217,12 +1234,12 @@ /* KEXDH_REPLY has the same msg * type as the new style GEX_REPLY */ - sessionp->state_flags |= - SSH_FLG_KEXDH_REPLY_SEEN | + sessionp->state_flags |= + SSH_FLG_KEXDH_REPLY_SEEN | SSH_FLG_GEX_REPLY_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg from client. */ 
@@ -1232,10 +1249,10 @@ case SSH_MSG_KEXDH_GEX_REQ: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_GEX_REQ_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg from client. */ @@ -1245,10 +1262,10 @@ case SSH_MSG_KEXDH_GEX_GRP: if ( direction == SSH_DIR_FROM_SERVER ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_GEX_GRP_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Client msg from server. */ @@ -1258,10 +1275,10 @@ case SSH_MSG_KEXDH_GEX_INIT: if ( direction == SSH_DIR_FROM_CLIENT ) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_GEX_INIT_SEEN; } - else if ( ssh_eval_config->EnabledAlerts & + else if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_WRONGDIR ) { /* Server msg from client. */ @@ -1271,9 +1288,9 @@ case SSH_MSG_NEWKEYS: /* This message is required to complete the * key exchange. Both server and client should - * send one, but as per Alex Kirk's note on this, + * send one, but as per Alex Kirk's note on this, * in some implementations the server does not - * actually send this message. So receving a new + * actually send this message. So receving a new * keys msg from the client is sufficient. */ if ( direction == SSH_DIR_FROM_CLIENT ) @@ -1287,14 +1304,14 @@ } /* If either an old-style or new-style Diffie Helman exchange - * has completed, the session will enter encrypted mode. + * has completed, the session will enter encrypted mode. */ if (( (sessionp->state_flags & - SSH_FLG_V2_DHOLD_DONE) == SSH_FLG_V2_DHOLD_DONE ) - || ( (sessionp->state_flags & + SSH_FLG_V2_DHOLD_DONE) == SSH_FLG_V2_DHOLD_DONE ) + || ( (sessionp->state_flags & SSH_FLG_V2_DHNEW_DONE) == SSH_FLG_V2_DHNEW_DONE )) { - sessionp->state_flags |= + sessionp->state_flags |= SSH_FLG_SESS_ENCRYPTED; } 
@@ -1330,7 +1347,7 @@ static int SSHCheckPolicyConfig( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1417,7 +1434,7 @@ } static int SshFreeUnusedConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssh/spp_ssh.h snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.h --- snort-2.9.0.1/src/dynamic-preprocessors/ssh/spp_ssh.h 2010-01-26 10:10:07.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ssh/spp_ssh.h 2011-06-07 17:33:15.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id */ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** ** This program is free software; you can redistribute it and/or modify @@ -31,6 +31,7 @@ #include "sfPolicy.h" #include "sfPolicyUserData.h" +#include "snort_bounds.h" #define MAX_PORTS 65536 @@ -71,7 +72,7 @@ #define MAX_MAX_SERVER_VERSION_LEN 255 /* - * One of these structures is kept for each configured + * One of these structures is kept for each configured * server port. */ typedef struct _sshPortlistNode @@ -113,12 +114,12 @@ /* * Per-session data block containing current state * of the SSH preprocessor for the session. - * - * version: Version of SSH detected for this session. + * + * version: Version of SSH detected for this session. * num_enc_pkts: Number of encrypted packets seen on this session. - * num_client_bytes: Number of bytes of encrypted data sent by client, + * num_client_bytes: Number of bytes of encrypted data sent by client, * without a server response. - * state_flags: Bit vector describing the current state of the + * state_flags: Bit vector describing the current state of the * session. */ typedef struct _sshData 
@@ -142,7 +143,7 @@ #define SSH_FLG_SERV_PKEY_SEEN (0x4) #define SSH_FLG_CLIENT_SKEY_SEEN (0x8) #define SSH_FLG_CLIENT_KEXINIT_SEEN (0x10) -#define SSH_FLG_SERV_KEXINIT_SEEN (0x20) +#define SSH_FLG_SERV_KEXINIT_SEEN (0x20) #define SSH_FLG_KEXDH_INIT_SEEN (0x40) #define SSH_FLG_KEXDH_REPLY_SEEN (0x80) #define SSH_FLG_GEX_REQ_SEEN (0x100) @@ -207,8 +208,8 @@ } SSH2Packet; -/* - * SSH v1 message types (of interest) +/* + * SSH v1 message types (of interest) */ #define SSH_MSG_V1_SMSG_PUBLIC_KEY 2 #define SSH_MSG_V1_CMSG_SESSION_KEY 3 @@ -216,7 +217,7 @@ /* * SSH v2 message types (of interest) */ -#define SSH_MSG_KEXINIT 20 +#define SSH_MSG_KEXINIT 20 #define SSH_MSG_NEWKEYS 21 #define SSH_MSG_KEXDH_INIT 30 #define SSH_MSG_KEXDH_REPLY 31 diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssl/Makefile.am snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.am --- snort-2.9.0.1/src/dynamic-preprocessors/ssl/Makefile.am 2010-06-09 15:05:17.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.am 2011-07-13 15:44:51.000000000 -0700 @@ -1,26 +1,24 @@ ## $Id AUTOMAKE_OPTIONS=foreign no-dependencies -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +INCLUDES = -I../include -I${srcdir}/../libs libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor lib_LTLIBRARIES = libsf_ssl_preproc.la libsf_ssl_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ - -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - +if SO_WITH_STATIC_LIB +libsf_ssl_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +else nodist_libsf_ssl_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +../include/sf_dynamic_preproc_lib.c \ +../include/sfPolicyUserData.c +endif libsf_ssl_preproc_la_SOURCES = \ spp_ssl.c \ spp_ssl.h \ -sf_preproc_info.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c \ 
@@ -29,15 +27,6 @@ EXTRA_DIST = \ sf_ssl.dsp -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssl/Makefile.in snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.in --- snort-2.9.0.1/src/dynamic-preprocessors/ssl/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -68,10 +68,12 @@ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libsf_ssl_preproc_la_LIBADD = +@SO_WITH_STATIC_LIB_TRUE@libsf_ssl_preproc_la_DEPENDENCIES = \ +@SO_WITH_STATIC_LIB_TRUE@ ../libsf_dynamic_preproc.la am_libsf_ssl_preproc_la_OBJECTS = spp_ssl.lo ssl.lo sfparser.lo -nodist_libsf_ssl_preproc_la_OBJECTS = sf_dynamic_preproc_lib.lo \ - sfPolicyUserData.lo +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssl_preproc_la_OBJECTS = \ +@SO_WITH_STATIC_LIB_FALSE@ sf_dynamic_preproc_lib.lo \ +@SO_WITH_STATIC_LIB_FALSE@ sfPolicyUserData.lo libsf_ssl_preproc_la_OBJECTS = $(am_libsf_ssl_preproc_la_OBJECTS) \ $(nodist_libsf_ssl_preproc_la_OBJECTS) libsf_ssl_preproc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -104,7 +106,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -119,7 +123,8 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INCLUDES = -I../include -I${top_srcdir}/src/dynamic-preprocessors/libs +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = -I../include -I${srcdir}/../libs INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ 
@@ -155,13 +160,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -222,18 +233,14 @@ AUTOMAKE_OPTIONS = foreign no-dependencies lib_LTLIBRARIES = libsf_ssl_preproc.la libsf_ssl_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@ -BUILT_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c - -nodist_libsf_ssl_preproc_la_SOURCES = \ -sf_dynamic_preproc_lib.c \ -sfPolicyUserData.c +@SO_WITH_STATIC_LIB_TRUE@libsf_ssl_preproc_la_LIBADD = ../libsf_dynamic_preproc.la +@SO_WITH_STATIC_LIB_FALSE@nodist_libsf_ssl_preproc_la_SOURCES = \ +@SO_WITH_STATIC_LIB_FALSE@../include/sf_dynamic_preproc_lib.c \ +@SO_WITH_STATIC_LIB_FALSE@../include/sfPolicyUserData.c libsf_ssl_preproc_la_SOURCES = \ spp_ssl.c \ spp_ssl.h \ -sf_preproc_info.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.c \ ${top_srcdir}/src/dynamic-preprocessors/libs/ssl.h \ ${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c \ @@ -242,8 +249,7 @@ EXTRA_DIST = \ sf_ssl.dsp -all: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) all-am +all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj 
@@ -332,6 +338,12 @@ sfparser.lo: ${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfparser.lo `test -f '${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c' || echo '$(srcdir)/'`${top_srcdir}/src/dynamic-preprocessors/libs/sfparser.c +sf_dynamic_preproc_lib.lo: ../include/sf_dynamic_preproc_lib.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sf_dynamic_preproc_lib.lo `test -f '../include/sf_dynamic_preproc_lib.c' || echo '$(srcdir)/'`../include/sf_dynamic_preproc_lib.c + +sfPolicyUserData.lo: ../include/sfPolicyUserData.c + $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sfPolicyUserData.lo `test -f '../include/sfPolicyUserData.c' || echo '$(srcdir)/'`../include/sfPolicyUserData.c + mostlyclean-libtool: -rm -f *.lo @@ -421,15 +433,13 @@ fi; \ done check-am: all-am -check: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) check-am +check: check-am all-am: Makefile $(LTLIBRARIES) all-local installdirs: for dir in "$(DESTDIR)$(libdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) install-am +install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am 
@@ -454,10 +464,9 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." - -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am @@ -524,11 +533,11 @@ uninstall-am: uninstall-libLTLIBRARIES -.MAKE: all check install install-am install-strip +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am all-local check check-am clean \ - clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ - ctags distclean distclean-compile distclean-generic \ + clean-generic clean-libLTLIBRARIES clean-libtool ctags \ + distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ @@ -541,19 +550,9 @@ tags uninstall uninstall-am uninstall-libLTLIBRARIES -sf_dynamic_preproc_lib.c: ../include/sf_dynamic_preproc_lib.c - cp $? $@ - -sfPolicyUserData.c: ../include/sfPolicyUserData.c - cp $? $@ - all-local: $(LTLIBRARIES) $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES -clean-local: - rm -f sf_dynamic_preproc_lib.c - rm -f sfPolicyUserData.c - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssl/sf_preproc_info.h snort-2.9.2/src/dynamic-preprocessors/ssl/sf_preproc_info.h --- snort-2.9.0.1/src/dynamic-preprocessors/ssl/sf_preproc_info.h 2010-01-26 10:10:07.000000000 -0800 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/sf_preproc_info.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,34 +0,0 @@
-/* Copyright (C) 2007-2010 Sourcefire, Inc.
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-*/
-
-#ifndef SF_PREPROC_INFO_H
-#define SF_PREPROC_INFO_H
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 1
-#define BUILD_VERSION 4
-#ifdef SUP_IP6
-#define PREPROC_NAME "SF_SSLPP (IPV6)"
-#else
-#define PREPROC_NAME "SF_SSLPP"
-#endif
-
-#define DYNAMIC_PREPROC_SETUP SetupSSLPP
-extern void SetupSSLPP(void);
-
-#endif /* SF_PREPROC_INFO_H */
diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssl/sf_ssl.dsp snort-2.9.2/src/dynamic-preprocessors/ssl/sf_ssl.dsp
--- snort-2.9.0.1/src/dynamic-preprocessors/ssl/sf_ssl.dsp 2010-08-25 13:22:45.000000000 -0700
+++ snort-2.9.2/src/dynamic-preprocessors/ssl/sf_ssl.dsp 2011-11-21 12:15:24.000000000 -0800
@@ -38,25 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\libs" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\\" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib 
comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib ../libs/Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 !ELSEIF "$(CFG)" == "sf_ssl - Win32 Debug" 
@@ -65,25 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SMTP_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\libs" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\\" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD 
LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib ../libs/Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssl - Win32 IPv6 Debug" @@ -93,7 +93,7 @@ # PROP BASE Intermediate_Dir "sf_ssl___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "IPv6_Debug" # PROP Intermediate_Dir "IPv6_Debug" 
@@ -101,18 +101,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /GZ /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /I "..\libs" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /GZ /c -# SUBTRACT CPP /X +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\\" /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /GZ /c +# SUBTRACT CPP /X /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 ws2_32.lib ../libs/IPv6_Debug/sfdynamic_preproc_libs.lib /nologo /dll /debug /machine:I386 /pdbtype:sept !ELSEIF "$(CFG)" == "sf_ssl - Win32 IPv6 Release" @@ -122,7 +122,7 @@ # PROP BASE Intermediate_Dir "sf_ssl___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "IPv6_Release" # PROP Intermediate_Dir "IPv6_Release" 
@@ -130,17 +130,18 @@ # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I "..\..\\" /I ".\\" /D "NDEBUG" /D "SF_SMTP_EXPORTS" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_SNORT_PREPROC_DLL" /D "HAVE_CONFIG_H" /YX /FD /c # SUBTRACT BASE CPP /X -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\libs" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /YX /FD /I ../libs /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\libs" /I "..\include" /I "..\..\win32\Win32-Includes" /I ".\\" /I "..\..\win32\Win32-Includes\WinPCAP" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_PREPROC_DLL" /D "ENABLE_PAF" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /I ../libs /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 +# ADD LINK32 ws2_32.lib ../libs/IPv6_Release/sfdynamic_preproc_libs.lib /nologo /dll /machine:I386 !ENDIF diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssl/spp_ssl.c snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.c --- snort-2.9.0.1/src/dynamic-preprocessors/ssl/spp_ssl.c 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -28,13 +28,15 @@ #include "config.h" #endif /* HAVE_CONFIG_H */ +#include "sf_types.h" #include "sf_snort_packet.h" #include "sf_dynamic_preprocessor.h" #include "sf_snort_plugin_api.h" -#include "debug.h" +#include "snort_debug.h" #include "preprocids.h" #include "spp_ssl.h" +#include "sf_preproc_info.h" #include <stdio.h> #include <syslog.h> @@ -51,6 +53,17 @@ #include "sfPolicy.h" #include "sfPolicyUserData.h" +const int MAJOR_VERSION = 1; +const int MINOR_VERSION = 1; +const int BUILD_VERSION = 4; +#ifdef SUP_IP6 +const char *PREPROC_NAME = "SF_SSLPP (IPV6)"; +#else +const char *PREPROC_NAME = "SF_SSLPP"; +#endif + +#define SetupSSLPP DYNAMIC_PREPROC_SETUP + #ifdef PERF_PROFILING PreprocStats sslpp_perf_stats; #endif @@ -67,8 +80,6 @@ /* Wraps disabling detect with incrementing the counter */ #define DISABLE_DETECT() { _dpd.disableDetect(packet); counts.disabled++; } -extern DynamicPreprocessorData _dpd; - static tSfPolicyUserContextId ssl_config = NULL; static SSLPP_counters_t counts; 
@@ -80,9 +91,9 @@ static void SSLReloadSwapFree(void *); #endif -static INLINE void SSLSetPort(SSLPP_config_t *, int); +static inline void SSLSetPort(SSLPP_config_t *, int); static void SSL_UpdateCounts(const uint32_t); -#if DEBUG +#ifdef DEBUG_MSGS static void SSL_PrintFlags(uint32_t); #endif @@ -103,7 +114,7 @@ } SslRuleOptData; -static INLINE int SSLPP_is_encrypted(uint32_t ssl_flags, SFSnortPacket *packet) +static inline int SSLPP_is_encrypted(uint32_t ssl_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; @@ -111,7 +122,7 @@ if (config->flags & SSLPP_TRUSTSERVER_FLAG) { - if(ssl_flags & SSL_SAPP_FLAG) + if(ssl_flags & SSL_SAPP_FLAG) return SSLPP_TRUE; } @@ -123,12 +134,12 @@ counts.completed_hs++; return SSLPP_TRUE; } - /* Check if we're either midstream or if packets were missed after the + /* Check if we're either midstream or if packets were missed after the * connection was established */ else if ((_dpd.streamAPI->get_session_flags (packet->stream_session_ptr) & SSNFLAG_MIDSTREAM) || (_dpd.streamAPI->missed_packets(packet->stream_session_ptr, SSN_DIR_BOTH))) { - if ((ssl_flags & (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) == (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) + if ((ssl_flags & (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) == (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) { return SSLPP_TRUE; } @@ -138,7 +149,7 @@ return SSLPP_FALSE; } -static INLINE uint32_t SSLPP_process_alert( +static inline uint32_t SSLPP_process_alert( uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; @@ -151,7 +162,7 @@ /* Check if we've seen a handshake, that this isn't it, * that the cipher flags is not set, and that we are disabling detection */ - if(SSL_IS_HANDSHAKE(ssn_flags) && + if(SSL_IS_HANDSHAKE(ssn_flags) && !SSL_IS_HANDSHAKE(new_flags) && !(new_flags & SSL_CHANGE_CIPHER_FLAG) && (config->flags & SSLPP_DISABLE_FLAG)) 
@@ -171,13 +182,13 @@ return ssn_flags; } -static INLINE uint32_t SSLPP_process_hs(uint32_t ssl_flags, uint32_t new_flags) +static inline uint32_t SSLPP_process_hs(uint32_t ssl_flags, uint32_t new_flags) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Process Handshake\n");); if(!SSL_BAD_HS(new_flags)) { - ssl_flags |= new_flags & (SSL_CLIENT_HELLO_FLAG | + ssl_flags |= new_flags & (SSL_CLIENT_HELLO_FLAG | SSL_SERVER_HELLO_FLAG | SSL_CLIENT_KEYX_FLAG | SSL_SFINISHED_FLAG); @@ -190,8 +201,8 @@ return ssl_flags; } -static INLINE uint32_t SSLPP_process_app( - uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) +static inline uint32_t SSLPP_process_app( + uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; @@ -202,7 +213,7 @@ if(!(config->flags & SSLPP_DISABLE_FLAG)) return ssn_flags | new_flags; - if(SSLPP_is_encrypted(ssn_flags | new_flags, packet) ) + if(SSLPP_is_encrypted(ssn_flags | new_flags, packet) ) { ssn_flags |= SSL_ENCRYPTED_FLAG; @@ -216,8 +227,8 @@ return ssn_flags | new_flags; } -static INLINE void SSLPP_process_other( - uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) +static inline void SSLPP_process_other( + uint32_t ssn_flags, uint32_t new_flags, SFSnortPacket *packet) { SSLPP_config_t *config = NULL; @@ -226,7 +237,7 @@ /* Encrypted SSLv2 will appear unrecognizable. Check if the handshake was * seen and stop inspecting if so. */ /* Check for an existing handshake from both sides */ - if((ssn_flags & SSL_VER_SSLV2_FLAG) && + if((ssn_flags & SSL_VER_SSLV2_FLAG) && SSL_IS_CHELLO(ssn_flags) && SSL_IS_SHELLO(ssn_flags) && (config->flags & SSLPP_DISABLE_FLAG) && !(new_flags & SSL_CHANGE_CIPHER_FLAG)) { 
@@ -241,14 +252,14 @@ counts.unrecognized++; /* Special handling for SSLv2 */ - if(new_flags & SSL_VER_SSLV2_FLAG) + if(new_flags & SSL_VER_SSLV2_FLAG) ssn_flags |= new_flags; if(new_flags & SSL_UNKNOWN_FLAG) ssn_flags |= new_flags; /* The following block is intentionally disabled. */ -/* If we were unable to decode the packet, and previous packets had been +/* If we were unable to decode the packet, and previous packets had been * missed, we will not assume it is encrypted SSLv2. */ #if 0 /* More special handling for SSLv2. @@ -257,10 +268,10 @@ if( !(ssn_flags & ( SSL_VER_SSLV3_FLAG | SSL_VER_TLS10_FLAG | SSL_VER_TLS11_FLAG | SSL_VER_TLS12_FLAG)) ) { - if(packet->stream_session_ptr && + if(packet->stream_session_ptr && + _dpd.streamAPI->missed_packets( + packet->stream_session_ptr, SSN_DIR_SERVER) && _dpd.streamAPI->missed_packets( - packet->stream_session_ptr, SSN_DIR_SERVER) && - _dpd.streamAPI->missed_packets( packet->stream_session_ptr, SSN_DIR_CLIENT) ) ssn_flags |= SSL_VER_SSLV2_FLAG; @@ -292,16 +303,15 @@ if (config == NULL) return; - PREPROC_PROFILE_START(sslpp_perf_stats); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL Start ================================\n");); packet = (SFSnortPacket*)raw_packet; - if(!packet || !packet->payload || !packet->payload_size || + if(!packet || !packet->payload || !packet->payload_size || !packet->tcp_header || !packet->stream_session_ptr) { -#ifdef DEBUG +#ifdef DEBUG_MSGS if (packet == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL - Packet is NULL\n");); @@ -330,7 +340,6 @@ DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL - Not inspecting packet\n");); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL End ================================\n");); #endif - PREPROC_PROFILE_END(sslpp_perf_stats); return; } #ifdef TARGET_BASED 
@@ -353,7 +362,6 @@ !(config->ports[PORT_INDEX(packet->dst_port)] & CONV_PORT(packet->dst_port))) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL - Not configured for these ports\n");); - PREPROC_PROFILE_END(sslpp_perf_stats); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "SSL End ================================\n");); return; } @@ -361,7 +369,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS if (packet->flags & FLAG_FROM_SERVER) { DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Server packet\n");); @@ -377,6 +385,8 @@ } #endif + PREPROC_PROFILE_START(sslpp_perf_stats); + ssn_flags = (uint32_t)(uintptr_t) _dpd.streamAPI->get_application_data(packet->stream_session_ptr, PP_SSL); @@ -425,7 +435,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Ssn flags before ----------------------\n");); SSL_PrintFlags(ssn_flags); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "---------------------------------------\n");); @@ -433,7 +443,7 @@ SSL_CLEAR_TEMPORARY_FLAGS(ssn_flags); -#ifdef DEBUG +#ifdef DEBUG_MSGS if (packet->payload_size >= 5) { const uint8_t *pkt = packet->payload; @@ -465,7 +475,7 @@ counts.decoded++; -#ifdef DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SSL, "New flags -----------------------------\n");); SSL_PrintFlags(new_flags); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "---------------------------------------\n");); @@ -489,7 +499,7 @@ { ssn_flags = SSLPP_process_app(ssn_flags, new_flags, packet); } - else + else { /* Different record type that we don't care about. * Either it's a 'change cipher spec' or we failed to recognize the @@ -505,7 +515,7 @@ ssn_flags |= new_flags; -#if DEBUG +#ifdef DEBUG_MSGS DEBUG_WRAP(DebugMessage(DEBUG_SSL, "Ssn flags after -----------------------\n");); SSL_PrintFlags(ssn_flags); DEBUG_WRAP(DebugMessage(DEBUG_SSL, "---------------------------------------\n");); 
@@ -521,7 +531,7 @@ static void SSL_UpdateCounts(const uint32_t new_flags) { - if(new_flags & SSL_CHANGE_CIPHER_FLAG) + if(new_flags & SSL_CHANGE_CIPHER_FLAG) counts.cipher_change++; if (new_flags & SSL_ALERT_FLAG) @@ -556,7 +566,7 @@ } /* Parsing for the ssl_state rule option */ -static int SSLPP_state_init(char *name, char *params, void **data) +static int SSLPP_state_init(char *name, char *params, void **data) { int flags = 0, mask = 0; char *end = NULL; @@ -609,10 +619,10 @@ if (negated) mask |= SSL_UNKNOWN_FLAG; } - else + else { DynamicPreprocessorFatalMessage( - "%s(%d) => %s is not a recognized argument to %s.\n", + "%s(%d) => %s is not a recognized argument to %s.\n", *(_dpd.config_file), _dpd.config_file, tok, name); } @@ -629,11 +639,11 @@ sdata->mask = mask; *data = (void *)sdata; - return 0; + return 1; } /* Parsing for the ssl_version rule option */ -static int SSLPP_ver_init(char *name, char *params, void **data) +static int SSLPP_ver_init(char *name, char *params, void **data) { int flags = 0, mask = 0; char *end = NULL; @@ -686,10 +696,10 @@ if (negated) mask |= SSL_VER_TLS12_FLAG; } - else + else { DynamicPreprocessorFatalMessage( - "%s(%d) => %s is not a recognized argument to %s.\n", + "%s(%d) => %s is not a recognized argument to %s.\n", *(_dpd.config_file), _dpd.config_file, tok, name); } 
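Review bot: In the `@@ -609` hunk the DynamicPreprocessorFatalMessage call hands `_dpd.config_file` (presumably a `char **`, since the first argument dereferences it for `%s`) to the `%d` conversion, where every other message in this file passes `*(_dpd.config_line)`; the `@@ -686` hunk in SSLPP_ver_init has the same argument list. The commit only trims trailing whitespace on the format string, so the format/argument mismatch survives into 2.9.2. Change the argument line to `*(_dpd.config_file), *(_dpd.config_line), tok, name);` in both places. Both SSLPP_state_init and SSLPP_ver_init begin and end outside these hunks.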
@@ -706,21 +716,21 @@ sdata->mask = mask; *data = (void *)sdata; - return 0; + return 1; } /* Rule option evaluation (for both rule options) */ static int SSLPP_rule_eval(void *raw_packet, const uint8_t **cursor, void *data) { - int ssn_data; - SFSnortPacket *p = (SFSnortPacket*)raw_packet; + int ssn_data; + SFSnortPacket *p = (SFSnortPacket*)raw_packet; SslRuleOptData *sdata = (SslRuleOptData *)data; if (!p || !p->tcp_header || !p->stream_session_ptr || !data) - return RULE_NOMATCH; + return RULE_NOMATCH; - ssn_data = (int)(uintptr_t)_dpd.streamAPI->get_application_data( - p->stream_session_ptr, PP_SSL); + ssn_data = (int)(uintptr_t)_dpd.streamAPI->get_application_data( + p->stream_session_ptr, PP_SSL); if ((sdata->flags & ssn_data) ^ sdata->mask) return RULE_MATCH; @@ -738,15 +748,15 @@ char *search; SFP_errstr_t err; - if(!conf) + if(!conf) return; if (config == NULL) return; - + search = conf; - while( (comma_tok = strtok_r(search, ",", &saveptr)) != NULL ) + while( (comma_tok = strtok_r(search, ",", &saveptr)) != NULL ) { search = NULL; @@ -754,7 +764,7 @@ if(!space_tok) return; - + if(!strcasecmp(space_tok, "ports")) { memset(config->ports, 0, sizeof(config->ports)); @@ -765,14 +775,14 @@ *(_dpd.config_file), *(_dpd.config_line), SFP_GET_ERR(err)); } - else if(!strcasecmp(space_tok, "noinspect_encrypted")) + else if(!strcasecmp(space_tok, "noinspect_encrypted")) { char *tmpChar; tmpChar = strtok_r(NULL, " \t\n", &portptr); if(tmpChar) { DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the" - " SSL preprocessor: '%s' in %s\n", + " SSL preprocessor: '%s' in %s\n", *(_dpd.config_file), *(_dpd.config_line), space_tok, tmpChar); } config->flags |= SSLPP_DISABLE_FLAG; @@ -784,7 +794,7 @@ if(tmpChar) { DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the" - " SSL preprocessor: '%s' in %s\n", + " SSL preprocessor: '%s' in %s\n", *(_dpd.config_file), *(_dpd.config_line), space_tok, tmpChar); } config->flags |= SSLPP_TRUSTSERVER_FLAG; 
@@ -792,10 +802,10 @@ else { DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the" - " SSL preprocessor: '%s' in %s\n", + " SSL preprocessor: '%s' in %s\n", *(_dpd.config_file), *(_dpd.config_line), comma_tok, conf); } - } + } /* Verify configured options make sense */ if ((config->flags & SSLPP_TRUSTSERVER_FLAG) && @@ -824,12 +834,12 @@ _dpd.logMsg(" Ports:\n"); - for(newline = 0, i = 0; i < MAXPORTS; i++) + for(newline = 0, i = 0; i < MAXPORTS; i++) { if( config->ports[ PORT_INDEX(i) ] & CONV_PORT(i) ) { SFP_snprintfa(buf, sizeof(buf), " %5d", i); - if( !((++newline) % 5) ) + if( !((++newline) % 5) ) { SFP_snprintfa(buf, sizeof(buf), "\n"); _dpd.logMsg(buf); @@ -842,7 +852,7 @@ SFP_snprintfa(buf, sizeof(buf), "\n"); _dpd.logMsg(buf); - + if ( config->flags & SSLPP_TRUSTSERVER_FLAG ) { _dpd.logMsg(" Server side data is trusted\n"); @@ -866,15 +876,15 @@ SSLSetPort(config, 995); /* POPS */ } -static INLINE void SSLSetPort(SSLPP_config_t *config, int port) +static inline void SSLSetPort(SSLPP_config_t *config, int port) { if (config == NULL) return; - config->ports[ PORT_INDEX(port) ] |= CONV_PORT(port); + config->ports[ PORT_INDEX(port) ] |= CONV_PORT(port); } -static void SSLPP_drop_stats(int exiting) +static void SSLPP_drop_stats(int exiting) { if(!counts.decoded) return; @@ -955,7 +965,7 @@ DynamicPreprocessorFatalMessage("Could not allocate memory for the " "SSL preprocessor configuration.\n"); } - + sfPolicyUserDataSetCurrent(ssl_config, pPolicyConfig); SSLPP_init_config(pPolicyConfig); @@ -986,7 +996,7 @@ #endif } -#if DEBUG +#ifdef DEBUG_MSGS static void SSL_PrintFlags(uint32_t flags) { if (flags & SSL_CHANGE_CIPHER_FLAG) @@ -1185,7 +1195,7 @@ static int SSLFreeConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -1223,7 +1233,7 @@ static int SSLPP_CheckPolicyConfig( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.9.0.1/src/dynamic-preprocessors/ssl/spp_ssl.h snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.h --- snort-2.9.0.1/src/dynamic-preprocessors/ssl/spp_ssl.h 2010-08-25 13:22:45.000000000 -0700 +++ snort-2.9.2/src/dynamic-preprocessors/ssl/spp_ssl.h 2011-02-09 15:23:26.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/encode.c snort-2.9.2/src/encode.c --- snort-2.9.0.1/src/encode.c 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/src/encode.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,12 +19,20 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + +// @file encode.c +// @author Russ Combs <rcombs@sourcefire.com> + #ifdef HAVE_CONFIG_H #include "config.h" #endif #include <string.h> +#ifdef HAVE_DUMBNET_H #include <dumbnet.h> +#else +#include <dnet.h> +#endif #include "encode.h" #include "sfdaq.h" @@ -40,7 +48,9 @@ #define ICMP_UNREACH_DATA 8 // (per RFC 792) #define IP_ID_COUNT 8192 -static INLINE int IsIcmp (int type) +static uint8_t *dst_mac = NULL; + +static inline int IsIcmp (int type) { static int s_icmp[ENC_MAX] = { 0, 0, 1, 1, 1 }; return ( s_icmp[type] ); 
@@ -102,7 +112,7 @@ //------------------------------------------------------------------------- -static INLINE PROTO_ID NextEncoder (EncState* enc) +static inline PROTO_ID NextEncoder (EncState* enc) { if ( enc->layer < enc->p->next_layer ) { @@ -203,7 +213,7 @@ // - original ttl is always used //------------------------------------------------------------------------- -int Encode_Format (EncodeFlags f, const Packet* p, Packet* c) +int Encode_Format (EncodeFlags f, const Packet* p, Packet* c, PseudoPacketType type) { DAQ_PktHdr_t* pkth = (DAQ_PktHdr_t*)c->pkth; uint8_t* pkt = (uint8_t*)c->pkt; @@ -261,13 +271,36 @@ // setup payload info c->data = lyr->start + lyr->length; len = c->data - c->pkt; - c->max_dsize = PKT_SZ - len; + + // should actually be max less specific layers + // but this is a safe limit + c->max_dsize = IP_MAXPACKET - len; + c->proto_bits = p->proto_bits; + c->packet_flags |= PKT_PSEUDO; + c->pseudo_type = type; + + switch ( type ) + { + case PSEUDO_PKT_SMB_SEG: + case PSEUDO_PKT_DCE_SEG: + case PSEUDO_PKT_DCE_FRAG: + case PSEUDO_PKT_SMB_TRANS: + c->packet_flags |= PKT_REASSEMBLED_OLD; + break; + default: + break; + } // setup pkt capture header pkth->caplen = pkth->pktlen = len; pkth->ts = p->pkth->ts; + // cooked packet gets same policy as raw + c->configPolicyId = p->configPolicyId; + + c->policyEngineData = p->policyEngineData; + if ( !c->max_dsize ) return -1; @@ -294,7 +327,13 @@ Layer* lyr = p->layers + i; encoders[lyr->proto].fupdate(p, lyr, &len); } - pkth->caplen = pkth->pktlen = len; + // see IP6_Update() for an explanation of this ... + if ( !(p->packet_flags & PKT_MODIFIED) +#ifdef NORMALIZER + || (p->packet_flags & PKT_RESIZED) +#endif + ) + pkth->caplen = pkth->pktlen = len; } //------------------------------------------------------------------------- 
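Review bot: The new `c->max_dsize = IP_MAXPACKET - len;` is guarded only by the pre-existing `if ( !c->max_dsize ) return -1;`, which catches the exact-zero case; if `len` (the payload offset within `c->pkt`) can ever exceed IP_MAXPACKET the subtraction goes negative and, assuming max_dsize is an unsigned field, wraps to a large limit that later payload copies into the pseudo packet would trust. Add an explicit bound before the assignment, `if ( len >= IP_MAXPACKET ) return -1;`, and extend the "safe limit" comment to say why IP_MAXPACKET rather than the real capacity of c->pkt is the right ceiling. The added `PseudoPacketType type` parameter also changes the public prototype, so the encode.h declaration must follow; the encode.h hunk visible here only touches the copyright line. Encode_Format's body continues outside the hunk.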
@@ -323,6 +362,11 @@ free(p); } +/* Set the destination MAC address*/ +void Encode_SetDstMAC(uint8_t *mac) +{ + dst_mac = mac; +} //------------------------------------------------------------------------- // private implementation stuff //------------------------------------------------------------------------- @@ -393,7 +437,7 @@ s_rand = NULL; } -static INLINE uint16_t IpId_Next () +static inline uint16_t IpId_Next () { #ifdef REG_TEST uint16_t id = htons(s_id_index + 1); @@ -412,16 +456,16 @@ // ttl considerations: // // we try to use the TTL captured for the session by the stream preprocessor -// when the session started. if that is not available, we adjust the current -// TTL for forward packets and use the maximum for reverse packets. +// when the session started. if that is not available, we use the current +// TTL for forward packets and use (maximum - current) TTL for reverse +// packets. // -// AdjTTL() was pulled from flexresp2. there it was used for both directions. -// however, it doesn't make sense to try to calculate TTL for one direction -// from the other which is why the max is used as the fallback for the reverse -// direction. +// the reason we don't just force ttl to 255 (max) is to make it look a +// little more authentic. // // for reference, flexresp used a const rand >= 64 in both directions (the -// number was determined at startup and never changed) and react used a const +// number was determined at startup and never changed); flexresp2 used the +// next higher multiple of 64 in both directions; and react used a const // 64 in both directions. // // note that the ip6 hop limit field is entirely equivalent to the ip4 TTL. 
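Review bot: Encode_SetDstMAC stores the caller's pointer in the file-static `dst_mac` (added in the `@@ -40` hunk) rather than copying the address, so the caller must keep that buffer alive for the life of the process and the parameter should be `const uint8_t *mac`; Eth_Encode (the `@@ -469` hunk) later does `memcpy(ho->ether_dst, dst_mac, sizeof(ho->ether_dst))` with no stated length contract on the pointed-to buffer. Either copy into a file-static array of `sizeof(ho->ether_dst)` bytes and point `dst_mac` at it, or document the ownership: `/* Set the destination MAC address; mac is not copied and must point to a full MAC that outlives all encoding */`. Eth_Encode also applies the configured MAC in both the forward and reverse directions, which is presumably intended for a single egress next hop and is worth stating in that comment.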
@@ -429,28 +473,45 @@ // field. //------------------------------------------------------------------------- -static INLINE uint8_t GetTTL (const EncState* enc) +static inline uint8_t GetTTL (const EncState* enc) { char dir; + uint8_t ttl; + int outer = !enc->ip_hdr; + + if ( !enc->p->ssnptr ) + return 0; if ( enc->p->packet_flags & PKT_FROM_CLIENT ) dir = FORWARD(enc) ? SSN_DIR_CLIENT : SSN_DIR_SERVER; else dir = FORWARD(enc) ? SSN_DIR_SERVER : SSN_DIR_CLIENT; - return stream_api->get_session_ttl( - enc->p->ssnptr, dir, !enc->ip_hdr); + // outermost ip is considered to be outer here, + // even if it is the only ip layer ... + ttl = stream_api->get_session_ttl(enc->p->ssnptr, dir, outer); + + // so if we don't get outer, we use inner + if ( 0 == ttl && outer ) + ttl = stream_api->get_session_ttl(enc->p->ssnptr, dir, 0); + + return ttl; } -static INLINE uint8_t AdjTTL (uint8_t ttl) +static inline uint8_t FwdTTL (const EncState* enc, uint8_t ttl) { - switch (ttl / 64) - { - case 3: return 255; - case 2: return 192; - case 1: return 128; - } - return 64; + uint8_t new_ttl = GetTTL(enc); + if ( !new_ttl ) + new_ttl = ttl; + return new_ttl; +} + +static inline uint8_t RevTTL (const EncState* enc, uint8_t ttl) +{ + uint8_t new_ttl = GetTTL(enc); + if ( !new_ttl ) + new_ttl = ( MAX_TTL - ttl ); + return new_ttl; } //------------------------------------------------------------------------- 
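Review bot: RevTTL returns `MAX_TTL - ttl` when the stream has no recorded TTL, which is 0 when the observed TTL is already MAX_TTL, and FwdTTL passes a 0 `ttl` straight through; a TTL or hop limit of 0 is not valid on the wire and the injected packet is generally dropped. Finish both helpers with a floor such as `if ( !new_ttl ) new_ttl = MAX_TTL;` before `return new_ttl;`. Separately, the `#ifdef NORMALIZER` clamp `if ( ttl < ScMinTTL() && ScNewTTL() ) ttl = ScNewTTL();` removed from the IP4 and IP6 encoders in the `@@ -570` and `@@ -902` hunks is not reproduced here, so unless it moved elsewhere in the patch, encoded packets may now carry a TTL below the configured minimum; FwdTTL/RevTTL would be the natural place to restore it.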
@@ -469,34 +530,44 @@ static ENC_STATUS Eth_Encode (EncState* enc, Buffer* in, Buffer* out) { - int outer = 0; - int raw = enc->flags & ENC_FLAG_RAW; + // not raw ip -> encode layer 2 + int raw = ( enc->flags & ENC_FLAG_RAW ); EtherHdr* hi = (EtherHdr*)enc->p->layers[enc->layer-1].start; PROTO_ID next = NextEncoder(enc); - if ( raw && (out->off == out->end) ) + // if not raw ip AND out buf is empty + if ( !raw && (out->off == out->end) ) { // for alignment out->off = out->end = SPARC_TWIDDLE; - outer = 1; // encoding outermost eth } - if ( raw || !outer ) + // if not raw ip OR out buf is not empty + if ( !raw || (out->off != out->end) ) { - // we get here for outer-most layer when raw is true; + // we get here for outer-most layer when not raw ip // we also get here for any encapsulated ethernet layer. EtherHdr* ho = (EtherHdr*)(out->base + out->end); UPDATE_BOUND(out, sizeof(*ho)); + ho->ether_type = hi->ether_type; if ( FORWARD(enc) ) { - memcpy(ho, hi, sizeof(*ho)); + memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src)); + /*If user configured remote MAC address, use it*/ + if (NULL != dst_mac) + memcpy(ho->ether_dst, dst_mac, sizeof(ho->ether_dst)); + else + memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst)); } else { - ho->ether_type = hi->ether_type; memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src)); - memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst)); + /*If user configured remote MAC address, use it*/ + if (NULL != dst_mac) + memcpy(ho->ether_dst, dst_mac, sizeof(ho->ether_dst)); + else + memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst)); } } if ( next < PROTO_MAX ) 
@@ -570,35 +641,17 @@
 
 if ( FORWARD(enc) )
 {
- uint8_t ttl = AdjTTL(hi->ip_ttl);
-
 ho->ip_src.s_addr = hi->ip_src.s_addr;
 ho->ip_dst.s_addr = hi->ip_dst.s_addr;
 
- if ( enc->p->ssnptr )
- ttl = GetTTL(enc);
-
-#ifdef NORMALIZER
- if ( ttl < ScMinTTL() && ScNewTTL() )
- ttl = ScNewTTL();
-#endif
- ho->ip_ttl = ttl;
+ ho->ip_ttl = FwdTTL(enc, hi->ip_ttl);
 }
 else
 {
- uint8_t ttl = MAX_TTL;
-
 ho->ip_src.s_addr = hi->ip_dst.s_addr;
 ho->ip_dst.s_addr = hi->ip_src.s_addr;
 
- if ( enc->p->ssnptr )
- ttl = GetTTL(enc);
-
-#ifdef NORMALIZER
- if ( ttl < ScMinTTL() && ScNewTTL() )
- ttl = ScNewTTL();
-#endif
- ho->ip_ttl = ttl;
+ ho->ip_ttl = RevTTL(enc, hi->ip_ttl);
 }
 
 enc->ip_hdr = (uint8_t*)hi;
@@ -606,8 +659,8 @@
 
 if ( next < PROTO_MAX )
 {
- int err = encoders[next].fencode(enc, in, out);
- if ( err ) return err;
+ ENC_STATUS err = encoders[next].fencode(enc, in, out);
+ if ( ENC_OK != err ) return err;
 }
 if ( enc->proto )
 {
@@ -615,7 +668,7 @@
 enc->proto = 0;
 }
 len = out->end - start;
- ho->ip_len = htons((u_int16_t)len);
+ ho->ip_len = htons((uint16_t)len);
 ip_checksum(ho, len);
 
 return ENC_OK;
@@ -632,10 +685,10 @@
 {
 *len += p->dsize;
 }
- h->ip_len = htons((u_int16_t)*len);
+ h->ip_len = htons((uint16_t)*len);
 
 if ( !PacketWasCooked(p) || (p->packet_flags & PKT_REBUILT_FRAG) )
- ip_checksum(h, *len);
+ ip_checksum(h, *len);
 
 return ENC_OK;
 }
@@ -674,7 +727,7 @@
 // UNR encoder creates ICMP unreachable
 //-------------------------------------------------------------------------
 
-static INLINE int IcmpCode (EncodeType et) {
+static inline int IcmpCode (EncodeType et) {
 switch ( et ) {
 case ENC_UNR_NET: return ICMP_UNREACH_NET;
 case ENC_UNR_HOST: return ICMP_UNREACH_HOST;
@@ -739,6 +792,40 @@ static ENC_STATUS UDP_Encode (EncState* enc, Buffer* in, Buffer* out) { + PROTO_ID next = PROTO_MAX; + + if ( enc->layer < enc->p->next_layer ) + { + next = enc->p->layers[enc->layer].proto; + } + if ((PROTO_GTP == next) && (encoders[next].fencode)) + { + int len; + ENC_STATUS err; + uint32_t start = out->end; + + UDPHdr* hi = (UDPHdr*)enc->p->layers[enc->layer-1].start; + UDPHdr* ho = (UDPHdr*)(out->base + out->end); + UPDATE_BOUND(out, sizeof(*ho)); + + if ( FORWARD(enc) ) + { + ho->uh_sport = hi->uh_sport; + ho->uh_dport = hi->uh_dport; + } + else + { + ho->uh_sport = hi->uh_dport; + ho->uh_dport = hi->uh_sport; + } + + next = NextEncoder(enc); + err = encoders[next].fencode(enc, in, out); + if (ENC_OK != err ) return err; + len = out->end - start; + ho->uh_len = htons((uint16_t)len); + return ENC_OK; + } if ( IP_VER((IPHdr*)enc->ip_hdr) == 4 ) return UN4_Encode(enc, in, out); @@ -750,7 +837,7 @@ UDPHdr* h = (UDPHdr*)(lyr->start); *len += sizeof(*h) + p->dsize; - h->uh_len = htons((u_int16_t)*len); + h->uh_len = htons((uint16_t)*len); // don't calculate the UDP checksum here; // dnet's ip_checksum() will do it 
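Review bot: The new GTP branch in UDP_Encode writes `uh_sport`, `uh_dport` and `uh_len` into `ho` but never touches `uh_chk`, so the checksum field keeps whatever the output buffer already held; UDP_Update's comment says dnet's ip_checksum() fills it in, but that only holds if the enclosing IP4/IP6 encoder's checksum pass also covers UDP in this nested GTP case. A one-line `ho->uh_chk = 0;` after UPDATE_BOUND makes the emitted header deterministic either way. The branch also indexes `encoders[next]` after `next = NextEncoder(enc);` without the `next < PROTO_MAX` check every other encoder in this file uses; since `next` was already verified to be PROTO_GTP at the top, a short comment saying so would spare the next reader the check. UDP_Encode's body continues outside the hunk.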
@@ -902,35 +989,17 @@
 
 if ( FORWARD(enc) )
 {
- uint8_t ttl = AdjTTL(hi->ip6hops);
-
 memcpy(ho->ip6_src.s6_addr, hi->ip6_src.s6_addr, sizeof(ho->ip6_src.s6_addr));
 memcpy(ho->ip6_dst.s6_addr, hi->ip6_dst.s6_addr, sizeof(ho->ip6_dst.s6_addr));
 
- if ( enc->p->ssnptr )
- ttl = GetTTL(enc);
-
-#ifdef NORMALIZER
- if ( ttl < ScMinTTL() && ScNewTTL() )
- ttl = ScNewTTL();
-#endif
- ho->ip6hops = ttl;
+ ho->ip6hops = FwdTTL(enc, hi->ip6hops);
 }
 else
 {
- uint8_t ttl = MAX_TTL;
-
 memcpy(ho->ip6_src.s6_addr, hi->ip6_dst.s6_addr, sizeof(ho->ip6_src.s6_addr));
 memcpy(ho->ip6_dst.s6_addr, hi->ip6_src.s6_addr, sizeof(ho->ip6_dst.s6_addr));
 
- if ( enc->p->ssnptr )
- ttl = GetTTL(enc);
-
-#ifdef NORMALIZER
- if ( ttl < ScMinTTL() && ScNewTTL() )
- ttl = ScNewTTL();
-#endif
- ho->ip6hops = ttl;
+ ho->ip6hops = RevTTL(enc, hi->ip6hops);
 }
 
 enc->ip_hdr = (uint8_t*)hi;
@@ -938,8 +1007,8 @@
 
 if ( next < PROTO_MAX )
 {
- int err = encoders[next].fencode(enc, in, out);
- if ( err ) return err;
+ ENC_STATUS err = encoders[next].fencode(enc, in, out);
+ if ( ENC_OK != err ) return err;
 }
 if ( enc->proto )
 {
@@ -958,21 +1027,33 @@
 IP6RawHdr* h = (IP6RawHdr*)(lyr->start);
 int i = lyr - p->layers;
 
- if ( i + 1 == p->next_layer )
- *len += p->dsize;
+ // if we didn't trim payload or format this packet,
+ // we may not know the actual lengths because not all
+ // extension headers are decoded and we stop at frag6.
+ // in such case we do not modify the packet length.
+ if ( (p->packet_flags & PKT_MODIFIED)
+#ifdef NORMALIZER
+ && !(p->packet_flags & PKT_RESIZED)
+#endif
+ ) {
+ *len = ntohs(h->ip6plen) + sizeof(*h);
+ }
+ else
+ {
+ if ( i + 1 == p->next_layer )
+ *len += lyr->length + p->dsize;
 
- // TBD can't just add fixed ip6 hdr len until
- // all extension headers are decoded as layers
- //*len += sizeof(*h);
+ // w/o all extension headers, can't use just the
+ // fixed ip6 header length so we compute header delta
+ else
+ *len += lyr[1].start - lyr->start;
 
- // the workaround is to do some pointer math
- if ( i + 1 == p->next_layer )
- *len += p->data - lyr->start;
- else
- *len += lyr[1].start - lyr->start;
+ // len includes header, remove for payload
+ h->ip6plen = htons((uint16_t)(*len - sizeof(*h)));
+ }
 
- // len includes header, remove for payload
- h->ip6plen = htons((uint16_t)(*len - sizeof(*h)));
+ if ( !PacketWasCooked(p) || (p->packet_flags & PKT_REBUILT_FRAG) )
+ ip6_checksum(h, *len);
 
 return ENC_OK;
 }
@@ -1015,8 +1096,8 @@
 
 if ( next < PROTO_MAX )
 {
- int err = encoders[next].fencode(enc, in, out);
- if ( err ) return err;
+ ENC_STATUS err = encoders[next].fencode(enc, in, out);
+ if ( ENC_OK != err ) return err;
 }
 return ENC_OK;
 }
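Review bot: In the PKT_MODIFIED branch, `*len = ntohs(h->ip6plen) + sizeof(*h);` takes the length from the packet's own header and the newly added `ip6_checksum(h, *len)` then reads that many bytes starting at `h`, so the code relies on the decoder having already rejected an ip6plen larger than the bytes actually captured. State that assumption where the value is taken, e.g. `// ip6plen was validated against the captured length by the decoder; a larger value here would make ip6_checksum() read past the buffer`, or clamp `*len` against the captured length if that guarantee is not firm. IP6_Update's signature is outside the hunk.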
@@ -1024,20 +1105,11 @@ static ENC_STATUS Opt6_Update (Packet* p, Layer* lyr, uint32_t* len) { int i = lyr - p->layers; + *len += lyr->length; if ( i + 1 == p->next_layer ) *len += p->dsize; - // TBD can't just add layer length until - // all extension headers are decoded as layers - //*len += lyr->length; - - // the workaround is to do some pointer math - if ( i + 1 == p->next_layer ) - *len += p->data - lyr->start; - else - *len += lyr[1].start - lyr->start; - return ENC_OK; } #endif 
@@ -1096,12 +1168,95 @@
 #endif
 //-------------------------------------------------------------------------
+// GTP functions
+//-------------------------------------------------------------------------
+
+static ENC_STATUS update_GTP_length(GTPHdr* h, int gtp_total_len )
+{
+ /*The first 3 bits are version number*/
+ uint8_t version = (h->flag & 0xE0) >> 5;
+ switch (version)
+ {
+ case 0: /*GTP v0*/
+ h->length = htons((uint16_t)(gtp_total_len - GTP_V0_HEADER_LEN));
+ break;
+ case 1: /*GTP v1*/
+ h->length = htons((uint16_t)(gtp_total_len - GTP_MIN_LEN));
+ break;
+ default:
+ return ENC_BAD_PROTO;
+ }
+ return ENC_OK;
+
+}
+
+static ENC_STATUS GTP_Encode (EncState* enc, Buffer* in, Buffer* out)
+{
+ int n = enc->p->layers[enc->layer-1].length;
+ int len;
+
+ GTPHdr* hi = (GTPHdr*) (enc->p->layers[enc->layer-1].start);
+ GTPHdr* ho = (GTPHdr*)(out->base + out->end);
+ uint32_t start = out->end;
+ PROTO_ID next = NextEncoder(enc);
+
+ UPDATE_BOUND(out, n);
+ memcpy(ho, hi, n);
+
+ if ( next < PROTO_MAX )
+ {
+ ENC_STATUS err = encoders[next].fencode(enc, in, out);
+ if (ENC_OK != err ) return err;
+ }
+ len = out->end - start;
+ return( update_GTP_length(ho,len));
+}
+
+static ENC_STATUS GTP_Update (Packet* p, Layer* lyr, uint32_t* len)
+{
+ GTPHdr* h = (GTPHdr*)(lyr->start);
+ *len += lyr->length;
+ return( update_GTP_length(h,*len));
+}
+
+//-------------------------------------------------------------------------
+// PPPoE functions
+//-------------------------------------------------------------------------
+
+static ENC_STATUS PPPoE_Encode (EncState* enc, Buffer* in, Buffer* out)
+{
+ int n = enc->p->layers[enc->layer-1].length;
+ int len;
+
+ PPPoEHdr* hi = (PPPoEHdr*)(enc->p->layers[enc->layer-1].start);
+ PPPoEHdr* ho = (PPPoEHdr*)(out->base + out->end);
+
+ uint32_t start;
+ PROTO_ID next = NextEncoder(enc);
+
+ UPDATE_BOUND(out, n);
+ memcpy(ho, hi, n);
+
+ start = out->end;
+
+ if ( next < PROTO_MAX )
+ {
+ ENC_STATUS err = encoders[next].fencode(enc, 
in, out);
+ if (ENC_OK != err ) return err;
+ }
+ len = out->end - start;
+ ho->length = htons((uint16_t)len);
+
+ return ENC_OK;
+}
+
+//-------------------------------------------------------------------------
 // XXX (generic) functions
 //-------------------------------------------------------------------------
 static ENC_STATUS XXX_Encode (EncState* enc, Buffer* in, Buffer* out)
 {
- int n = enc->p->layers[enc->layer].length;
+ int n = enc->p->layers[enc->layer-1].length;
 uint8_t* hi = enc->p->layers[enc->layer-1].start;
 uint8_t* ho = (uint8_t*)(out->base + out->end);
@@ -1112,8 +1267,8 @@
 if ( next < PROTO_MAX )
 {
- int err = encoders[next].fencode(enc, in, out);
- if ( err ) return err;
+ ENC_STATUS err = encoders[next].fencode(enc, in, out);
+ if (ENC_OK != err ) return err;
 }
 return ENC_OK;
 }
@@ -1163,10 +1318,12 @@
 #ifdef GRE
 { XXX_Encode, XXX_Update, GRE_Format },
 #endif
- { XXX_Encode, XXX_Update, XXX_Format }, // PPP
+ { PPPoE_Encode,XXX_Update, XXX_Format },
+ { XXX_Encode, XXX_Update, XXX_Format }, // PPP Encap
 #ifdef MPLS
 { XXX_Encode, XXX_Update, XXX_Format }, // MPLS
 #endif
- { XXX_Encode, XXX_Update, XXX_Format, } // ARP
+ { XXX_Encode, XXX_Update, XXX_Format, }, // ARP
+ { GTP_Encode, GTP_Update, XXX_Format, } // GTP
 };
diff -Nru snort-2.9.0.1/src/encode.h snort-2.9.2/src/encode.h
--- snort-2.9.0.1/src/encode.h 2010-06-09 15:50:08.000000000 -0700
+++ snort-2.9.2/src/encode.h 2011-10-26 11:28:52.000000000 -0700
@@ -1,7 +1,7 @@
 /* $Id$ */
 /****************************************************************************
 *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -20,6 +20,9 @@
 *
 ****************************************************************************/
+// @file encode.h
+// @author Russ Combs <rcombs@sourcefire.com>
+
 #ifndef __ENCODE_H__
 #define __ENCODE_H__
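Review bot: `update_GTP_length` subtracts the fixed header size from `gtp_total_len` with no check that the total is at least that large or that the result fits the 16-bit field, so a short or oversized layer yields a wrapped `h->length` instead of an error; `GTP_Update` also passes the `uint32_t *len` into the `int` parameter, which narrows silently. The rewrite below resolves the header length per version first and refuses out-of-range totals with the `ENC_BAD_PROTO` status the function already uses. `PPPoE_Encode` has the same unchecked `htons((uint16_t)len)` store and would benefit from the same guard; the GTP/PPPoE header structs and `UPDATE_BOUND` are not in this diff, so what bounds `n` itself is not visible here.
```c
static ENC_STATUS update_GTP_length(GTPHdr* h, int gtp_total_len )
{
    int hdr_len;
    /*The first 3 bits are version number*/
    uint8_t version = (h->flag & 0xE0) >> 5;
    switch (version)
    {
    case 0: /*GTP v0*/
        hdr_len = GTP_V0_HEADER_LEN;
        break;
    case 1: /*GTP v1*/
        hdr_len = GTP_MIN_LEN;
        break;
    default:
        return ENC_BAD_PROTO;
    }
    /* a total below the fixed header or above the 16-bit length field
     * cannot be represented; refuse instead of wrapping */
    if ( gtp_total_len < hdr_len || gtp_total_len - hdr_len > 0xFFFF )
        return ENC_BAD_PROTO;
    h->length = htons((uint16_t)(gtp_total_len - hdr_len));
    return ENC_OK;
}
// … unchanged: GTP_Encode, GTP_Update, PPPoE_Encode, XXX_Encode …
```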
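Review bot: The `encoders[]` table is indexed by `PROTO_ID` (`encoders[next].fencode` in the hunks above), so inserting the PPPoE row between GRE and PPP and appending GTP after ARP is only correct if the PROTO_* enum was extended at exactly those positions; the enum is not in this diff, so that cannot be checked here. The new PPPoE row is also the only one without a trailing protocol comment; `{ PPPoE_Encode, XXX_Update, XXX_Format }, // PPPoE` keeps the table readable. A comment on the table stating that row order must match `PROTO_ID` (or a compile-time size check against `PROTO_MAX`, if the file already has such a facility) would guard the next addition.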
@@ -39,7 +42,7 @@
 #define ENC_FLAG_ID 0x20000000 // use randomized IP ID
 #define ENC_FLAG_NET 0x10000000 // stop after innermost network (ip4/6) layer
 #define ENC_FLAG_DEF 0x08000000 // stop before innermost ip4 opts or ip6 frag header
-#define ENC_FLAG_RAW 0x04000000 // stop before innermost ip4 opts or ip6 frag header
+#define ENC_FLAG_RAW 0x04000000 // don't encode outer eth header (this is raw ip)
 #define ENC_FLAG_RES 0x03000000 // bits reserved for future use
 #define ENC_FLAG_VAL 0x00FFFFFF // bits for adjusting seq and/or ack
@@ -63,10 +66,13 @@
 void Encode_Delete(Packet*);
 // orig is the wire pkt; clone was obtained with New()
-int Encode_Format(EncodeFlags, const Packet* orig, Packet* clone);
+int Encode_Format(EncodeFlags, const Packet* orig, Packet* clone, PseudoPacketType);
 // update length and checksum fields in layers and caplen, etc.
 void Encode_Update(Packet*);
+// Set the destination MAC address
+void Encode_SetDstMAC(uint8_t* );
+
 #endif // __ENCODE_H__
diff -Nru snort-2.9.0.1/src/event.h snort-2.9.2/src/event.h
--- snort-2.9.0.1/src/event.h 2010-01-26 10:09:16.000000000 -0800
+++ snort-2.9.2/src/event.h 2011-06-07 17:33:05.000000000 -0700
@@ -1,6 +1,6 @@
 /* $Id$ */
 /*
-** Copyright (C) 2002-2010 Sourcefire, Inc.
+** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 **
 ** This program is free software; you can redistribute it and/or modify
@@ -23,18 +23,11 @@
 #ifndef __EVENT_H__
 #define __EVENT_H__
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
 #ifdef OSF1
 #include <sys/bitypes.h>
 #endif
 #include <sys/types.h>
-#ifndef WIN32
-#include <sys/time.h>
-#endif
 #include "pcap_pkthdr32.h"
diff -Nru snort-2.9.0.1/src/event_queue.c snort-2.9.2/src/event_queue.c
--- snort-2.9.0.1/src/event_queue.c 2010-08-25 13:22:37.000000000 -0700
+++ snort-2.9.2/src/event_queue.c 2011-07-13 15:44:51.000000000 -0700
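Review bot: `void Encode_SetDstMAC(uint8_t* );` leaves both the parameter name and the expected buffer size undocumented, and the pointer is not const although a setter of a destination address presumably only reads it; the implementation is not in this diff, so whether the bytes are copied or the pointer is retained cannot be told here. Suggest `void Encode_SetDstMAC(const uint8_t* mac); // mac: 6-byte destination address` plus a word on whether the caller's buffer must outlive the call. The widened `Encode_Format` signature adds an unnamed `PseudoPacketType` argument; a one-line comment saying what it selects would help callers of this header.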
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2004-2010 Sourcefire, Inc. + ** Copyright (C) 2004-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -29,13 +29,13 @@ ** functions for ordering incoming events. ** ** Notes: -** 11/1/05 Updates to add support for rules for all events in +** 11/1/05 Updates to add support for rules for all events in ** decoders and preprocessors and the detection engine. ** Added support for rule by rule flushing control via ** metadata. Also added code to check fo an otn for every ** event (gid,sid pair). This is now required to get events -** to be logged. The decoders and preprocessors are still -** configured independently, which allows them to inspect and +** to be logged. The decoders and preprocessors are still +** configured independently, which allows them to inspect and ** call the alerting functions SnortEventqAdd, GenerateSnortEvent() ** and GenerateEvent2() for sfportscan.c. The GenerateSnortEvent() ** function now finds and otn and calls fpLogEvent. @@ -45,17 +45,18 @@ ** configured to detect an alertable event. ** ** In the future, preporcessor may have an api that gets called -** after rules are loaded that checks for the gid/sid -> otn +** after rules are loaded that checks for the gid/sid -> otn ** mapping, and then adjusts it's inspection or detection -** accordingly. +** accordingly. +** +** SnortEventqAdd() - only adds events that have an otn ** -** SnortEventqAdd() - only adds events that have an otn -** */ #ifdef HAVE_CONFIG_H #include "config.h" #endif +#include "sf_types.h" #include "fpcreate.h" #include "fpdetect.h" #include "util.h" @@ -83,8 +84,10 @@ if ( qOverflow > 0 ) qOverflow--; else if ( qIndex > 0 ) qIndex--; } -//------------------------------------------------- +static unsigned s_events = 0; + +//------------------------------------------------- /* ** Set default values */ 
@@ -118,10 +121,10 @@ * g_event_queue.log_events into the queue. * ... Jan '06 */ -int SnortEventqAdd(unsigned int gid, - unsigned int sid, - unsigned int rev, - unsigned int classification, +int SnortEventqAdd(unsigned int gid, + unsigned int sid, + unsigned int rev, + unsigned int classification, unsigned int pri, char *msg, void *rule_info) @@ -140,24 +143,24 @@ en->msg = msg; en->rule_info = rule_info; - /* + /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect - * and alert in their principal configuration (legacy code) - * this test than checks if the rule otn says they should + * and alert in their principal configuration (legacy code) + * this test than checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ - + #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS { struct _OptTreeNode * potn; /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gid, sid); - /* - * if no rule otn exists for this event, than it was - * not enabled via rules + /* + * if no rule otn exists for this event, than it was + * not enabled via rules */ if (potn == NULL) @@ -172,10 +175,10 @@ en->priority, en->msg); - if (potn != NULL) + if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } - if (potn == NULL) + if (potn == NULL) { /* no otn found/created - do not add it to the queue */ return 0; @@ -194,14 +197,16 @@ if ( !rtn ) return 0; } - } + } } #endif - + if (sfeventq_add(snort_conf->event_queue[qIndex], (void *)en)) { return -1; - } + } + s_events++; + return 0; } #ifdef OLD_RULE_ORDER @@ -255,7 +260,7 @@ { /* ** Neither event is a rule. Use incoming as - ** priority. Last one in goes at the end to + ** priority. Last one in goes at the end to ** preserve rule order. */ return 0; 
@@ -325,6 +330,9 @@
 if(!event || !user)
 return 0;
+ if ( s_events > 0 )
+ s_events--;
+
 en = (EventNode *)event;
 snort_user = (SNORT_EVENTQ_USER *)user;
 p = (Packet *)snort_user->pkt;
@@ -367,7 +375,7 @@
 en->classification,
 en->priority,
 en->msg);
-#endif
+#endif
 if (potn != NULL)
 {
 OtnLookupAdd(snort_conf->otn_map, potn);
@@ -420,8 +428,20 @@
 return 0;
 }
+static inline void reset_counts (void)
+{
+ pc.log_limit += s_events;
+ s_events = 0;
+}
+
+void SnortEventqResetCounts (void)
+{
+ reset_counts();
+}
+
 void SnortEventqReset(void)
 {
 sfeventq_reset(snort_conf->event_queue[qIndex]);
+ reset_counts();
 }
diff -Nru snort-2.9.0.1/src/event_queue.h snort-2.9.2/src/event_queue.h
--- snort-2.9.0.1/src/event_queue.h 2010-01-26 10:09:16.000000000 -0800
+++ snort-2.9.2/src/event_queue.h 2011-07-13 15:44:51.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2004-2010 Sourcefire, Inc.
+ * Copyright (C) 2004-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -65,6 +65,8 @@
 void SnortEventqFree(SF_EVENTQ *[]);
 void SnortEventqReset(void);
+void SnortEventqResetCounts(void);
+
 int SnortEventqLog(SF_EVENTQ *[], Packet *);
 int SnortEventqAdd(unsigned int gid,unsigned int sid,unsigned int rev,
 unsigned int classification,unsigned int pri,char *msg,
diff -Nru snort-2.9.0.1/src/event_wrapper.c snort-2.9.2/src/event_wrapper.c
--- snort-2.9.0.1/src/event_wrapper.c 2010-08-25 13:22:37.000000000 -0700
+++ snort-2.9.2/src/event_wrapper.c 2011-06-07 17:33:05.000000000 -0700
@@ -1,6 +1,6 @@
 /* $Id$ */
 /*
- ** Copyright (C) 1998-2010 Sourcefire, Inc.
+ ** Copyright (C) 1998-2011 Sourcefire, Inc.
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License Version 2 as
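Review bot: `reset_counts` charges every still-counted event to `pc.log_limit`, which is only accurate if each event that was queued but never reached the log callback was dropped by the queue's log limit; `s_events` is incremented in `SnortEventqAdd` after a successful `sfeventq_add` and decremented at the top of the callback that starts with the `!event || !user` check (its name is above that hunk), so any other path that empties the queue without logging would be misattributed. A comment on the counter and on `reset_counts` stating that assumption would make the statistic auditable, e.g. `/* events queued but not yet handed to the log callback; on reset they are charged to log_limit */`. The `if ( s_events > 0 )` guard before the decrement also silently absorbs a counter that has drifted rather than surfacing it, which is worth a note if the drift is expected.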
@@ -20,19 +20,19 @@ /** * @file event_wrapper.c * @author Chris Green <cmg@sourcefire.com> - * + * * @date Wed Jun 18 10:49:59 2003 - * + * * @brief generate a snort event - * - * This is a wrapper around SetEvent,CallLogFuncs,CallEventFuncs + * + * This is a wrapper around SetEvent,CallLogFuncs,CallEventFuncs * * Notes: * - * 10/31/05 - Marc Norton + * 10/31/05 - Marc Norton * Changes to support every event being controlled via a rule. - * Modified GenerateSnortEvent() to re-route events to 'fpLogEvent' - * if a suitable otn was found. If no otn was found, than we do + * Modified GenerateSnortEvent() to re-route events to 'fpLogEvent' + * if a suitable otn was found. If no otn was found, than we do * not log the event at all, as no rule was provided. * Preprocessors are configured independently, and may detect * an event, but the rule controls the alert/drop functionality. @@ -42,13 +42,14 @@ #include "config.h" #endif +#include "sf_types.h" #include "rules.h" #include "treenodes.h" #include "signature.h" #include "util.h" #include "event_wrapper.h" #include "fpdetect.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" RuleTreeNode* GenerateSnortEventRtn ( @@ -96,7 +97,7 @@ p->sigInfo.class_id = classification; p->generated = 1; - + p->sigInfo.rule_type=SI_RULE_TYPE_PREPROC; /* TODO: could be detect ... */ p->sigInfo.rule_flushing=SI_RULE_FLUSHING_OFF; /* only standard rules do this */ @@ -107,7 +108,7 @@ p->event_data.priority = priority; rtn = GenerateSnortEventRtn(p, getRuntimePolicy()); - + if( !rtn ) { free(p); 
@@ -116,15 +117,15 @@ DEBUG_WRAP( LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id);); - + return p; } /* * This function has been updated to find an otn and route the call to fpLogEvent - * if possible. This requires a rule be written for each decoder event, - * and possibly some preporcessor events. The bulk of eventing is handled vie the - * SnortEventqAdd() and SnortEventLog() functions - whichalready route the events to + * if possible. This requires a rule be written for each decoder event, + * and possibly some preporcessor events. The bulk of eventing is handled vie the + * SnortEventqAdd() and SnortEventLog() functions - whichalready route the events to * the fpLogEvent()function. */ uint32_t GenerateSnortEvent(Packet *p, @@ -135,27 +136,27 @@ uint32_t priority, char *msg) { - struct _OptTreeNode * potn; + struct _OptTreeNode * potn; if(!msg) { return 0; } - - /* + + /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect - * and alert in their principle configuration (legacy code) - * this test then checks if the rule otn says they should + * and alert in their principle configuration (legacy code) + * this test then checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ - + /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gen_id, sig_id); - /* - * if no rule otn exists for this event, than it was - * not enabled via rules + /* + * if no rule otn exists for this event, than it was + * not enabled via rules */ if (potn == NULL) { @@ -172,7 +173,7 @@ msg); } #else - /* + /* * Until we have official 'preprocessor/decoder rules' we * will add the rule to the otn_lookup , once enabled, remove * this call to gen the otn... Once a preprocessor/decoder 
@@ -186,7 +187,7 @@ priority, msg); #endif - if (potn != NULL) + if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } @@ -201,9 +202,9 @@ return potn->event_data.event_id; } -/** +/** * Log additional packet data using the same kinda mechanism tagging does. - * + * * @param p Packet to log * @param gen_id generator id * @param sig_id signature id @@ -213,7 +214,7 @@ * @param event_ref reference of a previous event * @param ref_sec the tv_sec of that previous event * @param msg The message data txt - * + * * @return 1 on success, 0 on FAILURE ( note this is to stay the same as GenerateSnortEvent() ) */ int LogTagData(Packet *p, @@ -225,20 +226,20 @@ uint32_t event_ref, time_t ref_sec, char *msg) - + { Event event; - + if(!event_ref || !ref_sec) return 0; SetEvent(&event, gen_id, sig_id, sig_rev, classification, priority, event_ref); event.ref_time.tv_sec = (uint32_t)ref_sec; - + if(p) CallLogFuncs(p, msg, NULL, &event); return 1; } - + diff -Nru snort-2.9.0.1/src/event_wrapper.h snort-2.9.2/src/event_wrapper.h --- snort-2.9.0.1/src/event_wrapper.h 2010-08-25 13:22:37.000000000 -0700 +++ snort-2.9.2/src/event_wrapper.h 2011-02-09 15:22:47.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/fpcreate.c snort-2.9.2/src/fpcreate.c --- snort-2.9.0.1/src/fpcreate.c 2010-09-27 08:28:12.000000000 -0700 +++ snort-2.9.2/src/fpcreate.c 2011-10-26 11:28:52.000000000 -0700 @@ -3,7 +3,7 @@ ** ** fpcreate.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** 
@@ -34,6 +34,11 @@ #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "snort.h" #include "rules.h" #include "treenodes.h" #include "treenodes.h" @@ -69,8 +74,8 @@ #include "dynamic-plugins/sp_dynamic.h" #include "dynamic-plugins/sp_preprocopt.h" #endif +#include "dynamic-plugins/sf_dynamic_define.h" - /* * Content flag values */ @@ -91,9 +96,9 @@ #ifdef DYNAMIC_PLUGIN static FPContentInfo * GetLongestDynamicContent(FPContentInfo *content_list); static PatternMatchData * GetDynamicFastPatternPmd(DynamicData *dd, int dd_type); -static INLINE int IsDynamicContentFpEligible(FPContentInfo *content); -static INLINE PatternMatchData * DynamicContentToPmd(FPContentInfo *content_info); -static INLINE void FreeDynamicContentList(FPContentInfo *fplist); +static inline int IsDynamicContentFpEligible(FPContentInfo *content); +static inline PatternMatchData * DynamicContentToPmd(FPContentInfo *content_info); +static inline void FreeDynamicContentList(FPContentInfo *fplist); #endif static PatternMatchData * GetLongestPmdContent(OptTreeNode *otn, int type); static int fpFinishPortGroupRule(PORT_GROUP *pg, PmType pm_type, @@ -102,7 +107,7 @@ static int fpAllocPms(PORT_GROUP *pg, FastPatternConfig *fp); static int fpAddPortGroupRule(PORT_GROUP *pg, OptTreeNode *otn, FastPatternConfig *fp); static int fpAddPortGroupPrmx(PORT_GROUP *pg, OptTreeNode *otn, int cflag); -static INLINE int IsPmdFpEligible(PatternMatchData *content); +static inline int IsPmdFpEligible(PatternMatchData *content); static void PrintFastPatternInfo(OptTreeNode *otn, PatternMatchData *pmd, const char *pattern, int pattern_length, PmType pm_type); #ifdef DYNAMIC_PLUGIN 
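Review bot: The duplicated `#include "treenodes.h"` directly below the new `#include "snort.h"` is pre-existing context, but since this hunk already touches the include block it is the natural place to drop the second copy. The `#ifdef HAVE_CONFIG_H` / `#include "config.h"` block is also added after `<stdlib.h>` and `<string.h>`; if the project's config.h defines feature-test macros (not visible here) it has to precede the system headers to take effect, so moving it to the top of the file would be the safer ordering.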
@@ -137,11 +142,11 @@ /* * Test if this otn is for traffic to the server */ -static int fpOtnFlowToServer( OptTreeNode * otn ) +static int fpOtnFlowToServer( OptTreeNode * otn ) { - if( OtnFlowFromClient(otn) ) + if( OtnFlowFromClient(otn) ) return 1; - + #ifdef DYNAMIC_PLUGIN if (otn->ds_list[PLUGIN_DYNAMIC]) { @@ -156,14 +161,14 @@ return 0; } /* - * Test if this otn is for traffic to the client + * Test if this otn is for traffic to the client */ -static -int fpOtnFlowToClient( OptTreeNode * otn ) +static +int fpOtnFlowToClient( OptTreeNode * otn ) { - if( OtnFlowFromServer(otn) ) + if( OtnFlowFromServer(otn) ) return 1; - + #ifdef DYNAMIC_PLUGIN if (otn->ds_list[PLUGIN_DYNAMIC]) { @@ -181,25 +186,25 @@ #if 0 Not currently used /* -* Extract the Icmp Type field to determine the PortGroup. +* Extract the Icmp Type field to determine the PortGroup. * * returns : * -1 : any, or not an EQ tests * >0 : any other ip type -* +* */ -static +static int GetOtnIcmpType (OptTreeNode * otn ) { int type; IcmpTypeCheckData * IcmpType; - + IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - + if( IcmpType && (IcmpType->operator == ICMP_TYPE_TEST_EQ) ) { type = IcmpType->icmp_type; - } + } else { return -1; @@ -225,14 +230,14 @@ static srmm_table_t * ServiceMapNew(void) { srmm_table_t *table = (srmm_table_t *)SnortAlloc(sizeof(srmm_table_t)); - - table->tcp_to_srv = alloc_srvmap(); - table->tcp_to_cli = alloc_srvmap(); - table->udp_to_srv = alloc_srvmap(); - table->udp_to_cli = alloc_srvmap(); - - table->icmp_to_srv = alloc_srvmap(); + table->tcp_to_srv = alloc_srvmap(); + table->tcp_to_cli = alloc_srvmap(); + + table->udp_to_srv = alloc_srvmap(); + table->udp_to_cli = alloc_srvmap(); + + table->icmp_to_srv = alloc_srvmap(); table->icmp_to_cli = alloc_srvmap(); table->ip_to_srv = alloc_srvmap(); 
@@ -267,14 +272,14 @@ static SFGHASH * alloc_spgmm(void) { SFGHASH * p; - + /* TODO: keys are ascii service names - for now ! */ p = sfghash_new(1000, /* # rows in table */ 0, /* size: of key 0 = ascii, >0 = fixed size */ 0, /* bool:user keys, if true just store this pointer, don't copy the key */ fpDeletePortGroup); /* ??? Why shouldn't we delete the port groups ??? */ - //(void(*)(void*))0 /* free nodes are port_groups do not delete here */ ); + //(void(*)(void*))0 /* free nodes are port_groups do not delete here */ ); if (p == NULL) FatalError("could not allocate a service port_group map : no memory?\n"); @@ -286,13 +291,13 @@ { srmm_table_t *table = (srmm_table_t *)SnortAlloc(sizeof(srmm_table_t)); - table->tcp_to_srv = alloc_spgmm(); - table->tcp_to_cli = alloc_spgmm(); + table->tcp_to_srv = alloc_spgmm(); + table->tcp_to_cli = alloc_spgmm(); - table->udp_to_srv = alloc_spgmm(); - table->udp_to_cli = alloc_spgmm(); + table->udp_to_srv = alloc_spgmm(); + table->udp_to_cli = alloc_spgmm(); - table->icmp_to_srv = alloc_spgmm(); + table->icmp_to_srv = alloc_spgmm(); table->icmp_to_cli = alloc_spgmm(); table->ip_to_srv = alloc_spgmm(); 
@@ -356,43 +361,43 @@ void ServiceMapAddOtnRaw( SFGHASH * table, char * servicename, OptTreeNode * otn ) { SF_LIST * list; - + list = (SF_LIST*) sfghash_find( table, servicename ); - + if( !list ) { /* create the list */ list = sflist_new(); if( !list ) FatalError("service_rule_map: could not create a service rule-list\n"); - + /* add the service list to the table */ if( sfghash_add( table, servicename, list ) != SFGHASH_OK ) { FatalError("service_rule_map: could not add a rule to the rule-service-map\n"); } } - + /* add the rule */ if( sflist_add_tail( list, otn ) ) FatalError("service_rule_map: could not add a rule to the service rule-list\n"); } /* * maintain a table of service maps, one for each protocol and direction, - * each service map maintains a list of otn's for each service it maps to a + * each service map maintains a list of otn's for each service it maps to a * service name. */ static int ServiceMapAddOtn(srmm_table_t *srmm, int proto, char *servicename, OptTreeNode *otn) { SFGHASH * to_srv; /* to srv service rule map */ SFGHASH * to_cli; /* to cli service rule map */ - - if( !servicename ) + + if( !servicename ) return 0; if(!otn ) return 0; - + if( proto == IPPROTO_TCP) { to_srv = srmm->tcp_to_srv; @@ -422,7 +427,7 @@ { ServiceMapAddOtnRaw( to_srv, servicename, otn ); } - else if( fpOtnFlowToClient(otn) ) + else if( fpOtnFlowToClient(otn) ) { ServiceMapAddOtnRaw( to_cli, servicename, otn ); } 
@@ -456,13 +461,13 @@ return prmFindRuleGroup( prm, type, -1, &src, type_group, gen); } -int prmFindRuleGroupTcp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, +int prmFindRuleGroupTcp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, PORT_GROUP **dst , PORT_GROUP ** gen) { return prmFindRuleGroup( prm, dport, sport, src, dst , gen); } -int prmFindRuleGroupUdp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, +int prmFindRuleGroupUdp(PORT_RULE_MAP *prm, int dport, int sport, PORT_GROUP ** src, PORT_GROUP **dst , PORT_GROUP ** gen) { return prmFindRuleGroup( prm, dport, sport, src, dst , gen); @@ -559,7 +564,7 @@ /* Build out sub-nodes for each option in the OTN fp list */ while (opt_fp) { - /* If child node does not match existing option_data, + /* If child node does not match existing option_data, * Create a child branch from a given sub-node. */ void *option_data = opt_fp->context; char found_child_match = 0; @@ -784,9 +789,9 @@ } /* -** The following functions deal with the intialization of the +** The following functions deal with the intialization of the ** detection engine. These are set through parser.c with the -** option 'config detection:'. This functionality may be +** option 'config detection:'. This functionality may be ** broken out later into it's own file to separate from this ** file's functionality. */ @@ -959,7 +964,7 @@ LogMessage(" Search-Method = AC-Sparse-Bands\n"); } /* These are for backwards compatability - and will be removed in future releases*/ - else if( !strcasecmp(method,"mwm") ) + else if( !strcasecmp(method,"mwm") ) { fp->search_method = MPSE_LOWMEM; LogMessage(" Search-Method = Low-Mem (MWM depracated)\n"); @@ -1035,6 +1040,10 @@ */ void fpSetMaxPatternLen(FastPatternConfig *fp, unsigned int max_len) { + if (fp->max_pattern_len != 0) + { + LogMessage("WARNING: Maximum pattern length redefined.\n"); + } fp->max_pattern_len = max_len; LogMessage(" Maximum pattern length = %u\n", max_len); } 
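Review bot: The redefinition warning added to `fpSetMaxPatternLen` only fires when the previous value was non-zero, so an explicit earlier setting of 0 (if the parser accepts one) is overridden silently, and the message does not say which value wins. Logging both values makes the configuration conflict actionable: `LogMessage("WARNING: Maximum pattern length redefined (was %u, now %u).\n", fp->max_pattern_len, max_len);`.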
@@ -1042,8 +1051,8 @@ /* FLP_Trim * * Trim zero byte prefixes, this increases uniqueness - * - * returns + * + * returns * length - of trimmed pattern * buff - ptr to new beggining of trimmed buffer */ @@ -1051,25 +1060,25 @@ { int i; int size = 0; - + if( !p ) return 0; - + for(i=0;i<plen;i++) { if( p[i] != 0 ) break; } - + if( i < plen ) size = plen - i; else size = 0; - - if( buff && (size==0) ) + + if( buff && (size==0) ) { *buff = 0; } - else if( buff ) + else if( buff ) { *buff = &p[i]; } @@ -1078,7 +1087,7 @@ #ifdef DYNAMIC_PLUGIN -static INLINE PatternMatchData * DynamicContentToPmd(FPContentInfo *content_info) +static inline PatternMatchData * DynamicContentToPmd(FPContentInfo *content_info) { PatternMatchData *pmd; @@ -1126,7 +1135,7 @@ return pmd_list; } -static INLINE void FreeDynamicContentList(FPContentInfo *fplist) +static inline void FreeDynamicContentList(FPContentInfo *fplist) { while (fplist != NULL) { @@ -1155,7 +1164,7 @@ return NULL; } -static INLINE int IsDynamicContentFpEligible(FPContentInfo *content) +static inline int IsDynamicContentFpEligible(FPContentInfo *content) { if (content == NULL) return 0; @@ -1223,7 +1232,7 @@ } #endif -static INLINE int IsPmdFpEligible(PatternMatchData *content) +static inline int IsPmdFpEligible(PatternMatchData *content) { if (content == NULL) return 0; @@ -1284,23 +1293,22 @@ case RULE_OPTION_TYPE_CONTENT: if (type != CONTENT_NORMAL) continue; - if(!(ofl->isRelative)) - { - base64_buf_flag = 0; - mime_buf_flag = 0; - } else if(base64_buf_flag || mime_buf_flag) continue; break; case RULE_OPTION_TYPE_CONTENT_URI: - if (type != CONTENT_HTTP) - continue; base64_buf_flag = 0; mime_buf_flag = 0; + if (type != CONTENT_HTTP) + continue; break; case RULE_OPTION_TYPE_BASE64_DATA: base64_buf_flag =1; continue; + case RULE_OPTION_TYPE_PKT_DATA: + base64_buf_flag = 0; + mime_buf_flag = 0; + continue; case RULE_OPTION_TYPE_FILE_DATA: filedata = (FileData *)ofl->context; if(filedata->mime_decode_flag) 
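Review bot: The reworked `base64_buf_flag` / `mime_buf_flag` handling in the `RULE_OPTION_TYPE_CONTENT`, `CONTENT_URI` and new `PKT_DATA` cases encodes a non-obvious rule — a plain `content` that follows `base64_data` or a mime-decoding `file_data` is no longer a fast-pattern candidate until `pkt_data` or an http-buffer option clears the flags, and the http case now clears them even when it is itself skipped — without a comment saying so. A short comment above the switch, e.g. `/* after base64_data or mime-decoded file_data a plain content is not fast-pattern eligible until pkt_data or an http buffer option resets the flags */`, would keep a later change from re-adding the `isRelative` reset this hunk removes. The enclosing function begins above the hunk.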
@@ -1479,7 +1487,6 @@ case PM_TYPE__HTTP_URI_CONTENT: case PM_TYPE__HTTP_HEADER_CONTENT: case PM_TYPE__HTTP_CLIENT_BODY_CONTENT: - case PM_TYPE__HTTP_METHOD_CONTENT: if (pmd_list == NULL) return -1; pg_type = PGCT_URICONTENT; @@ -1507,8 +1514,8 @@ otnx->content_length = pmd->pattern_size; /* create a rule_node */ - rn = (RULE_NODE *)SnortAlloc(sizeof(RULE_NODE)); - rn->rnRuleData = otnx; + rn = (RULE_NODE *)SnortAlloc(sizeof(RULE_NODE)); + rn->rnRuleData = otnx; /* create pmx */ pmx = (PMX *)SnortAlloc(sizeof(PMX)); @@ -1523,7 +1530,7 @@ pattern, pattern_length, pmd->nocase, - pmd->offset, + pmd->offset, pmd->depth, (unsigned)pmd->exception_flag, pmx, @@ -1551,9 +1558,8 @@ if (mpsePrepPatterns(pg->pgPms[i], pmx_create_tree, add_patrn_to_neg_list) != 0) { - fpDeletePortGroup((void *)pg); FatalError("%s(%d) Failed to compile port group " - "patterns.\n", __FILE__, __LINE__); + "patterns.\n", __FILE__, __LINE__); } if (fp->debug) @@ -1661,13 +1667,15 @@ { /* Need to do this so the pmd can be freed later */ (void)AppendPmdToList(&dd->pmds, pmd); + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; return 0; } PatternMatchFree((void *)pmd); pmd = NULL; } - + pmd_uri = GetDynamicFastPatternPmd(dd, CONTENT_HTTP); if (pmd_uri != NULL) { @@ -1680,7 +1688,7 @@ else if (pmd_uri->uri_buffer & HTTP_SEARCH_CLIENT_BODY) pm_type = PM_TYPE__HTTP_CLIENT_BODY_CONTENT; else - pm_type = PM_TYPE__HTTP_METHOD_CONTENT; + pm_type = PM_TYPE__CONTENT; if (fpFinishPortGroupRule(pg, pm_type, otn, pmd_uri, fp) == 0) { @@ -1689,13 +1697,15 @@ PatternMatchFree((void *)pmd); (void)AppendPmdToList(&dd->pmds, pmd_uri); + if (pmd_uri->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd_uri->pattern_size; return 0; } PatternMatchFree((void *)pmd_uri); pmd_uri = NULL; } - + /* If we get this far then no URI contents were added */ if (GetPreprocOptPmdList(otn, &preproc_opt_pmds) == 0) 
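Review bot: The `if (pmd->pattern_size > otn->longestPatternLen) otn->longestPatternLen = pmd->pattern_size;` update introduced here is repeated verbatim after every successful `fpFinishPortGroupRule` call in the following hunks (six copies, alternating `pmd` and `pmd_uri`), which is easy to leave out when another content type is added. Since `fpFinishPortGroupRule` already receives both `otn` and the chosen pattern, recording the maximum there, or in a one-line static helper called from each site, would keep the bookkeeping in one place. The enclosing function begins above the hunk.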
@@ -1720,6 +1730,8 @@ if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) { (void)AppendPmdToList(&dd->pmds, pmd); + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; return 0; } @@ -1748,7 +1760,12 @@ if ((pmd != NULL) && pmd->fp) { if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) + { + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; + return 0; + } } /* http buffer contents take precedence over normal contents if @@ -1766,10 +1783,14 @@ else if (pmd_uri->uri_buffer & HTTP_SEARCH_CLIENT_BODY) pm_type = PM_TYPE__HTTP_CLIENT_BODY_CONTENT; else - pm_type = PM_TYPE__HTTP_METHOD_CONTENT; + pm_type = PM_TYPE__CONTENT; if (fpFinishPortGroupRule(pg, pm_type, otn, pmd_uri, fp) == 0) + { + if (pmd_uri->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd_uri->pattern_size; return 0; + } } /* If we get this far then no URI contents were added */ @@ -1786,7 +1807,7 @@ else { pmd = preproc_opt_pmds; - + /* Need to be able to free this list */ (void)AppendPmdToList( (PatternMatchData **)&otn->preproc_fp_list, @@ -1796,7 +1817,11 @@ #endif if (fpFinishPortGroupRule(pg, PM_TYPE__CONTENT, otn, pmd, fp) == 0) + { + if (pmd->pattern_size > otn->longestPatternLen) + otn->longestPatternLen = pmd->pattern_size; return 0; + } #if 0 /* XXX Not currently used */ @@ -1810,10 +1835,11 @@ if (pmd != NULL) fpAddAllContents(pg->pgPms[PM_TYPE__CONTENT], otn, id, pmd, fp); #endif - +#ifdef DYNAMIC_PLUGIN /* No content added */ if (pmd == preproc_opt_pmds) FreePmdList(pmd); +#endif if (fpFinishPortGroupRule(pg, PM_TYPE__MAX, otn, NULL, fp) != 0) return -1; 
@@ -1826,7 +1852,7 @@ * -pcrm.h * PORT_RULE_MAP -> srcPortGroup,dstPortGroup,genericPortGroup * PORT_GROUP -> pgPatData, pgPatDataUri (acsm objects), (also rule_node lists 1/rule, not neeed) - * each rule content added to an acsm object has a PMX data ptr associated with it. + * each rule content added to an acsm object has a PMX data ptr associated with it. * RULE_NODE -> iRuleNodeID (used for bitmap object index), otnx * * -fpcreate.h @@ -1841,22 +1867,22 @@ * Generation of PortRuleMaps and data is done differently. * * 1) Build tcp/udp/icmp/ip src and dst PORT_GROUP objects based on the PortList Objects rules. - * + * * 2) For each protocols PortList objects walk it's ports and assign the PORT_RULE_MAP src and dst * PORT_GROUP[port] array pointers to that PortList objects PORT_GROUP. * * Implementation: - * - * Each PortList Object will be translated into a PORT_GROUP, than pointed to by the + * + * Each PortList Object will be translated into a PORT_GROUP, than pointed to by the * PORT_GROUP array in the PORT_RULE_MAP for the procotocol - * + * * protocol = tcp, udp, ip, icmp - one port_rule_map for each of these protocols * { create a port_rule_map * dst port processing * for each port-list object create a port_group object * { create a pattern match object, store its pointer in port_group * for each rule index in port-list object - * { + * { * get the gid+sid for the index * lookup up the otn * create otnx @@ -1867,13 +1893,13 @@ * add the content and pmx to the pattern match object * } * compile the pattern match object - * + * * repeat for uri content * } * src port processing * repeat as for dst port processing * } - * ** bidirectional rules - these are added to both src and dst PortList objects, so they are + * ** bidirectional rules - these are added to both src and dst PortList objects, so they are * automatically handled during conversion to port_group objects. */ /* 
@@ -1889,24 +1915,24 @@ static int fpCreateInitRuleMap( PORT_RULE_MAP * prm, PortTable * src, PortTable * dst, PortObject * anyany, PortObject * nc ) { - SFGHASH_NODE * node; + SFGHASH_NODE * node; PortObjectItem * poi; PortObject2 * po; int i; //int * pi; - + /* setup the any-any-port content port group */ prm->prmGeneric =(PORT_GROUP*) anyany->data; - + /* all rules that are any any some may not be content ? */ prm->prmNumGenericRules = anyany->rule_list->count; - + prm->prmNumSrcRules= 0; prm->prmNumDstRules= 0; - + prm->prmNumSrcGroups= 0; prm->prmNumDstGroups= 0; - + /* Process src PORT groups */ if(src ) for( node=sfghash_findfirst(src->pt_mpxo_hash); @@ -1914,13 +1940,13 @@ node=sfghash_findnext(src->pt_mpxo_hash) ) { po = (PortObject2*)node->data; - + if( !po ) continue; if( !po->data ) continue; /* Add up the total src rules */ prm->prmNumSrcRules += po->rule_hash->count; - + /* Increment the port group count */ prm->prmNumSrcGroups++; @@ -1951,8 +1977,8 @@ break; } } - } - + } + /* process destination port groups */ if( dst ) for( node=sfghash_findfirst(dst->pt_mpxo_hash); @@ -1960,13 +1986,13 @@ node=sfghash_findnext(dst->pt_mpxo_hash) ) { po = (PortObject2*)node->data; - + if( !po ) continue; if( !po->data ) continue; /* Add up the total src rules */ prm->prmNumDstRules += po->rule_hash->count; - + /* Increment the port group count */ prm->prmNumDstGroups++; @@ -1997,8 +2023,8 @@ break; } } - } - + } + return 0; } /* @@ -2172,7 +2198,7 @@ } #endif -/* +/* * Add a rule to the proper port group RULE_NODE list * * cflag : content flag ( 0=no content, 1=content, 2=uri-content) @@ -2182,7 +2208,7 @@ OTNX *otnx = (OTNX *)SnortAlloc(sizeof(OTNX)); otnx->otn = otn; - otnx->content_length = 0; + otnx->content_length = 0; /* Add the no content rule_node to the port group (NClist) */ switch (cflag) 
@@ -2230,9 +2256,6 @@ case PM_TYPE__HTTP_CLIENT_BODY_CONTENT: LogMessage("\tHttp Client Body Content: %d\n", count); break; - case PM_TYPE__HTTP_METHOD_CONTENT: - LogMessage("\tHttp Method Content: %d\n", count); - break; default: break; } @@ -2282,7 +2305,7 @@ rn = tmpRn; } pg->pgUriHead = NULL; - + rn = pg->pgHeadNC; while (rn) { @@ -2311,13 +2334,13 @@ /* * Create the PortGroup for these PortObject2 entitiies * - * This builds the 1st pass multi-pattern state machines for + * This builds the 1st pass multi-pattern state machines for * content and uricontent based on the rules in the PortObjects * hash table. */ static int fpCreatePortObject2PortGroup(SnortConfig *sc, PortObject2 *po, PortObject2 *poaa) { - SFGHASH_NODE *node; + SFGHASH_NODE *node; unsigned sid, gid; OptTreeNode * otn; PORT_GROUP * pg; @@ -2346,20 +2369,20 @@ return -1; } - /* - * Walk the rules in the PortObject and add to + /* + * Walk the rules in the PortObject and add to * the PORT_GROUP pattern state machine * and to the port group RULE_NODE lists. * (The lists are still used in some cases * during detection to walk the rules in a group * so we have to load these as well...fpEvalHeader()... for now.) * - * po src/dst ports : content/uri and nocontent + * po src/dst ports : content/uri and nocontent * poaa any-any ports : content/uri and nocontent * - * each PG has src or dst contents, generic-contents, and no-contents + * each PG has src or dst contents, generic-contents, and no-contents * (src/dst or any-any ports) - * + * */ pox = po; @@ -2375,7 +2398,7 @@ int *prindex = (int *)node->data; /* be safe - no rule index, ignore it */ - if (prindex == NULL) + if (prindex == NULL) continue; /* look up gid:sid */ @@ -2413,7 +2436,7 @@ fpPortGroupPrintRuleCount(pg); if (pox == poaa) - break; + break; pox = poaa; } 
@@ -2434,10 +2457,10 @@ */ static int fpCreatePortTablePortGroups(SnortConfig *sc, PortTable *p, PortObject2 *poaa) { - SFGHASH_NODE * node; + SFGHASH_NODE * node; int cnt=1; FastPatternConfig *fp = sc->fast_pattern_config; - + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) LogMessage("%d Port Groups in Port Table\n",p->pt_mpo_hash->count); @@ -2448,15 +2471,15 @@ PortObject2 * po; po = (PortObject2*)node->data; - if (po == NULL) + if (po == NULL) continue; if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) LogMessage("Creating Port Group Object %d of %d\n",cnt++,p->pt_mpo_hash->count); - /* if the object is not referenced, don't add it to the PORT_GROUPs + /* if the object is not referenced, don't add it to the PORT_GROUPs * as it may overwrite other objects that are more inclusive. */ - if (!po->port_cnt) + if (!po->port_cnt) continue; if (fpCreatePortObject2PortGroup(sc, po, poaa)) @@ -2473,20 +2496,20 @@ } /* - * Create port group objects for all port tables + * Create port group objects for all port tables * - * note: any-any ports are standard PortObjects not PortObject2's so we have to + * note: any-any ports are standard PortObjects not PortObject2's so we have to * uprade them for the create port group function */ static int fpCreatePortGroups(SnortConfig *sc, rule_port_tables_t *p) { PortObject2 *po2, *add_any_any = NULL; FastPatternConfig *fp = sc->fast_pattern_config; - + if (!rule_count) return 0 ; - /* TCP */ + /* TCP */ /* convert the tcp-any-any to a PortObject2 creature */ po2 = PortObject2Dup(p->tcp_anyany); if (po2 == NULL) @@ -2530,7 +2553,7 @@ //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); PortObject2Free(po2); - /* UDP */ + /* UDP */ po2 = PortObject2Dup(p->udp_anyany); if (po2 == NULL ) FatalError("Could not create a PortObject version 2 for udp-any-any rules\n!"); 
@@ -2571,7 +2594,7 @@ //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); PortObject2Free(po2); - /* ICMP */ + /* ICMP */ po2 = PortObject2Dup(p->icmp_anyany); if (po2 == NULL) FatalError("Could not create a PortObject version 2 for icmp-any-any rules\n!"); @@ -2599,7 +2622,7 @@ if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) LogMessage("\nICMP-ANYANY "); - + if (fpCreatePortObject2PortGroup(sc, po2, 0)) { LogMessage("fpCreatePorTablePortGroups failed-icmp any-any\n"); @@ -2612,7 +2635,7 @@ //LogMessage("fpcreate: calling PortObjectFree2(po2), line = %d\n",__LINE__ ); PortObject2Free(po2); - /* IP */ + /* IP */ po2 = PortObject2Dup(p->ip_anyany); if (po2 == NULL) FatalError("Could not create a PortObject version 2 for ip-any-any rules\n!"); @@ -2660,14 +2683,14 @@ /* * Scan the master otn lists and and pass - * - * + * + * * enabled - if true requires otn to be enabled * fcn - callback * proto - IP,TCP,IDP,ICMP protocol flag * otn - OptTreeNode */ -void fpWalkOtns(int enabled, OtnWalkFcn fcn) +void fpWalkOtns(int enabled, OtnWalkFcn fcn) { RuleTreeNode *rtn; SFGHASH_NODE *hashNode; @@ -2682,8 +2705,8 @@ hashNode = sfghash_findnext(snort_conf->otn_map)) { otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; + for ( policyId = 0; + policyId < otn->proto_node_num; policyId++ ) { rtn = getRtnFromOtn(otn, policyId); @@ -2694,7 +2717,7 @@ if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + { //do operation if ( enabled && (otn->rule_state != RULE_STATE_ENABLED) ) continue; @@ -2710,7 +2733,7 @@ * Scan the master otn lists and load the Service maps * for service based rule grouping. */ -static int fpCreateServiceMaps(SnortConfig *sc) +static int fpCreateServiceMaps(SnortConfig *sc) { RuleTreeNode *rtn; SFGHASH_NODE *hashNode; 
@@ -2723,15 +2746,15 @@ hashNode = sfghash_findnext(sc->otn_map)) { otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; + for ( policyId = 0; + policyId < otn->proto_node_num; policyId++ ) { rtn = getRtnFromOtn(otn, policyId); if (rtn && ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP))) - { + { //do operation /* Non-content preprocessor or decoder rule. @@ -2759,9 +2782,9 @@ /* -* Build a Port Group for this service based on the list of otns. The final +* Build a Port Group for this service based on the list of otns. The final * port_group pointer is stored using the service name as the key. -* +* * p - hash table mapping services to port_groups * srvc- service name, key used to store the port_group * ...could use a service id instead (bytes, fixed length,etc...) @@ -2778,12 +2801,12 @@ return; } - /* - * add each rule to the port group pattern matchers, - * or to the no-content rule list + /* + * add each rule to the port group pattern matchers, + * or to the no-content rule list */ for (otn = sflist_first(list); - otn; + otn; otn = sflist_next(list)) { if (otn->proto == ETHERNET_TYPE_IP) 
@@ -2810,19 +2833,19 @@ } /* - * For each service we create a PORT_GROUP based on the otn's defined to + * For each service we create a PORT_GROUP based on the otn's defined to * be applicable to that service by the metadata option. * * Than we lookup the protocol/srvc oridinal in the target-based area * and assign the PORT_GROUP for the srvc to it. - * + * * spg - service port group (lookup should be by service id/tag) * - this table maintains a port_group ptr for each service * srm - service rule map table (lookup by ascii service name) * - this table maintains a sf_list ptr (list of rule otns) for each service * */ -void fpBuildServicePortGroups(SFGHASH *spg, PORT_GROUP **sopg, SFGHASH *srm, FastPatternConfig *fp) +void fpBuildServicePortGroups(SFGHASH *spg, PORT_GROUP **sopg, SFGHASH *srm, FastPatternConfig *fp) { SFGHASH_NODE * n; char * srvc; @@ -2889,13 +2912,13 @@ } /* - * For each proto+dir+service build a PORT_GROUP + * For each proto+dir+service build a PORT_GROUP */ -static void fpCreateServiceMapPortGroups(SnortConfig *sc) +static void fpCreateServiceMapPortGroups(SnortConfig *sc) { FastPatternConfig *fp = sc->fast_pattern_config; - sc->spgmmTable = ServicePortGroupMapNew(); + sc->spgmmTable = ServicePortGroupMapNew(); sc->sopgTable = ServicePortGroupTableNew(); fpBuildServicePortGroups(sc->spgmmTable->tcp_to_srv, sc->sopgTable->tcp_to_srv, @@ -2922,17 +2945,17 @@ PORT_GROUP * fpGetServicePortGroupByOrdinal(sopg_table_t *sopg, int proto, int dir, int16_t proto_ordinal) { //SFGHASH_NODE * n; - PORT_GROUP *pg = NULL; + PORT_GROUP *pg = NULL; if (proto_ordinal >= MAX_PROTOCOL_ORDINAL) return NULL; if (sopg == NULL) return NULL; - + switch (proto) { - case IPPROTO_TCP: + case IPPROTO_TCP: if (dir == TO_SERVER) pg = sopg->tcp_to_srv[proto_ordinal]; else @@ -2940,7 +2963,7 @@ break; - case IPPROTO_UDP: + case IPPROTO_UDP: if (dir == TO_SERVER) pg = sopg->udp_to_srv[proto_ordinal]; else 
@@ -2948,7 +2971,7 @@ break; - case IPPROTO_ICMP: + case IPPROTO_ICMP: if (dir == TO_SERVER) pg = sopg->icmp_to_srv[proto_ordinal]; else @@ -2956,7 +2979,7 @@ break; - case ETHERNET_TYPE_IP: + case ETHERNET_TYPE_IP: if (dir == TO_SERVER) pg = sopg->ip_to_srv[proto_ordinal]; else @@ -2978,7 +3001,7 @@ void fpPrintRuleList( SF_LIST * list ) { OptTreeNode * otn; - + for( otn=(OptTreeNode*)sflist_first(list); otn; otn=(OptTreeNode*)sflist_next(list) ) @@ -2991,18 +3014,18 @@ { SFGHASH_NODE * n; - if( !p || !p->count ) + if( !p || !p->count ) return; LogMessage("| Protocol [%s] %d services\n",msg,p->count ); LogMessage("----------------------------------------------------\n"); - + for( n = sfghash_findfirst(p); n; n = sfghash_findnext(p) ) { SF_LIST * list; - + list = (SF_LIST*)n->data; if( !list ) continue; @@ -3010,7 +3033,7 @@ LogMessage("| Service [%s] %d rules, rule list follows as gid:sid.\n", (char*)n->key, list->count); - + fpPrintRuleList( list ); } LogMessage("----------------------------------------------------\n"); @@ -3023,13 +3046,13 @@ LogMessage("----------------------------------------------------\n"); fpPrintServiceRuleMapTable( service_map->tcp_to_srv, "tcp to server" ); fpPrintServiceRuleMapTable( service_map->tcp_to_cli, "tcp to client" ); - + fpPrintServiceRuleMapTable( service_map->udp_to_srv, "udp to server" ); fpPrintServiceRuleMapTable( service_map->udp_to_cli, "udp to client" ); - + fpPrintServiceRuleMapTable( service_map->icmp_to_srv, "icmp to server" ); fpPrintServiceRuleMapTable( service_map->icmp_to_cli, "icmp to client" ); - + fpPrintServiceRuleMapTable( service_map->ip_to_srv, "ip to server" ); fpPrintServiceRuleMapTable( service_map->ip_to_cli, "ip to client" ); } 
@@ -3071,31 +3094,31 @@ * metadata option service parameter. */ static int fpCreateServicePortGroups(SnortConfig *sc) -{ +{ FastPatternConfig *fp = sc->fast_pattern_config; sc->srmmTable = ServiceMapNew(); if (fpCreateServiceMaps(sc)) return -1; - + if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) fpPrintServiceRuleMaps(sc->srmmTable); - + fpCreateServiceMapPortGroups(sc); if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) fpPrintServicePortGroupSummary(sc->spgmmTable); - + //srvcmap_term(); - + return 0; } //TARGET_BASED #endif /* -* Port list version +* Port list version * * 7/2007 - man * @@ -3166,8 +3189,8 @@ if (fpDetectGetDebugPrintRuleGroupBuildDetails(fp)) LogMessage("Creating Service Based Rule Maps....\n"); - /* Build Service based port groups - rules require service metdata - * i.e. 'metatdata: service [=] service-name, ... ;' + /* Build Service based port groups - rules require service metdata + * i.e. 'metatdata: service [=] service-name, ... ;' * * Also requires a service attribute for lookup ... */ @@ -3197,7 +3220,7 @@ LogMessage("[ Number of null byte prefixed patterns trimmed: %d ]\n", fp->num_patterns_trimmed); } -#endif +#endif #ifdef INTEL_SOFT_CPM if (fp->search_method == MPSE_INTEL_CPM) diff -Nru snort-2.9.0.1/src/fpcreate.h snort-2.9.2/src/fpcreate.h --- snort-2.9.0.1/src/fpcreate.h 2010-01-26 10:09:18.000000000 -0800 +++ snort-2.9.2/src/fpcreate.h 2011-02-09 15:22:48.000000000 -0800 @@ -3,7 +3,7 @@ ** ** fpcreate.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/fpdetect.c snort-2.9.2/src/fpdetect.c --- snort-2.9.0.1/src/fpdetect.c 2010-10-25 12:48:59.000000000 -0700 +++ snort-2.9.2/src/fpdetect.c 2011-10-26 11:28:52.000000000 -0700 
@@ -3,7 +3,7 @@ ** ** fpdetect.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author(s): Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** Andrew R. Baker <andrewb@snort.org> @@ -36,9 +36,13 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "detect.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "tag.h" #include "rules.h" @@ -70,7 +74,7 @@ /* ** This define enables set-wise signature detection for ** IP and ICMP packets. During early testing, the old -** method of detection seemed faster for ICMP and IP +** method of detection seemed faster for ICMP and IP ** signatures, but with modifications to the set-wise engine ** performance became much better. This define could be ** taken out, but is still in for regression testing. @@ -87,7 +91,6 @@ ** Assorted global variables from the old detection engine ** for backwards compatibility. */ -extern uint16_t event_id; extern OptTreeNode *otn_tmp; extern SFEVENT sfEvent; 
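Review bot: `extern uint16_t event_id;` is removed (hunk at 87) while `event_id` is still referenced later in this file by the added `SetTags(p, otn, event_id)` calls; presumably a header now declares it, but nothing in the new `config.h`/`snort_debug.h` includes shows that, so confirm the translation unit still sees a declaration or keep the local extern.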
@@ -95,18 +98,18 @@ ** Static function prototypes */ int fpEvalRTN(RuleTreeNode *rtn, Packet *p, int check_ports); -static INLINE int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *); -static INLINE int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, +static inline int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *); +static inline int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, int check_ports, char ip_rule, OTNX_MATCH_DATA *); static int rule_tree_match (void* id, void * tree, int index, void * data, void *neg_list ); int fpAddMatch( OTNX_MATCH_DATA *omd_local, OTNX *otnx, int pLen, OptTreeNode *otn); -static INLINE int fpAddSessionAlert(Packet *p, OptTreeNode *otn); -static INLINE int fpSessionAlerted(Packet *p, OptTreeNode *otn); - -//static INLINE int fpLogEvent(RuleTreeNode *rtn, OptTreeNode *otn, Packet *p); +static inline int fpAddSessionAlert(Packet *p, OptTreeNode *otn, int alerted); +static inline int fpSessionAlerted(Packet *p, OptTreeNode *otn); + +//static inline int fpLogEvent(RuleTreeNode *rtn, OptTreeNode *otn, Packet *p); #ifdef PERF_PROFILING PreprocStats rulePerfStats; 
@@ -144,24 +147,16 @@ ** None ** */ -static INLINE void InitMatchInfo(OTNX_MATCH_DATA *o) +static inline void InitMatchInfo(OTNX_MATCH_DATA *o) { int i = 0; - int total = 0; - - EventQueueConfig *eq = snort_conf->event_queue_config; for(i = 0; i < o->iMatchInfoArraySize; i++) { - total += o->matchInfo[i].iMatchCount; o->matchInfo[i].iMatchCount = 0; o->matchInfo[i].iMatchIndex = 0; o->matchInfo[i].iMatchMaxLen = 0; } - total -= eq->log_events; - - if ( total > 0 ) - pc.log_limit += total; } void OtnxMatchDataFree(OTNX_MATCH_DATA *omd) @@ -169,9 +164,6 @@ if (omd == NULL) return; - if ( snort_conf && snort_conf->event_queue_config ) - InitMatchInfo(omd); - if (omd->matchInfo != NULL) free(omd->matchInfo); @@ -179,11 +171,15 @@ } // called by fpLogEvent(), which does the filtering etc. -// this handles the non-rule-actions (responses and tagging). -static INLINE void fpLogOther (Packet* p, OptTreeNode* otn, int action) +// this handles the non-rule-actions (responses). +static inline void fpLogOther (Packet* p, OptTreeNode* otn, int action) { TriggerResponses(p, otn); - SetTags(p, otn, event_id); + + if ( !EventTrace_IsEnabled() ) + return; + + EventTrace_Log(p, otn, action); } /* @@ -193,7 +189,7 @@ ** ** DESCRIPTION ** This function takes the corresponding RTN and OTN for a snort rule -** and logs the event and packet that was alerted upon. This +** and logs the event and packet that was alerted upon. This ** function was pulled out of fpEvalSomething, so now we can log an ** event no matter where we are. ** @@ -211,10 +207,14 @@ { return 1; } - + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, - " => Got rule match, rtn type = %d\n", - rtn->type);); + " => Got rule match, rtn type = %d, evalIndex = %d, passIndex = %d\n", + rtn->type,ScGetEvalIndex(rtn->type), ScGetEvalIndex(RULE_TYPE__PASS));); + if (RULE_TYPE__PASS == rtn->type) + { + p->packet_flags |= PKT_PASS_RULE; + } if ( otn->stateless ) { 
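Review bot: `p->packet_flags |= PKT_PASS_RULE;` (hunk at 211) is set as soon as a pass-type RTN reaches fpLogEvent, before the `otn->stateless` check and the later checks in the function, at least one of which returns early (the `fpLogOther(p, otn, action); return 1;` path visible at the top of the next hunk), so a pass rule whose own event is filtered on that path still marks the packet as passed. If that is intended, say so where the flag is set, e.g. `/* a pass rule marks the packet even if its event is later filtered */`; otherwise move the assignment into the `RULE_TYPE__PASS` action case so it follows the same decision as the action itself. fpLogEvent begins before this hunk.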
@@ -296,10 +296,20 @@ fpLogOther(p, otn, action); return 1; } - + + /* If this packet has been passed based on detection rules, + * check the decoder/preprocessor events (they have been added to Event queue already). + * If its order is lower than 'pass', it should have been passed. + * This is consistent with other detection rules */ + if ( (p->packet_flags & PKT_PASS_RULE) + &&(ScGetEvalIndex(rtn->type) > ScGetEvalIndex(RULE_TYPE__PASS))) + { + fpLogOther(p, otn, rtn->type); + return 1; + } // Set the ref_time to 0 so we make the logging work right. otn->event_data.ref_time.tv_sec = 0; - + /* Set otn_tmp because log.c uses it to log details ** of the event. Maybe we should look into making this ** part of the log routines and not a global variable. @@ -318,22 +328,27 @@ case RULE_TYPE__ACTIVATE: ActivateAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__ALERT: AlertAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__DYNAMIC: DynamicAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__LOG: LogAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__DROP: DropAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; case RULE_TYPE__SDROP: @@ -342,6 +357,7 @@ case RULE_TYPE__REJECT: DropAction(p, otn, &otn->event_data); + SetTags(p, otn, event_id); break; default: @@ -367,7 +383,7 @@ ** IMPORTANT NOTE: ** fpAddMatch must be called even when the queue has been maxed ** out. This is because there are three different queues (alert, -** pass, log) and unless all three are filled (or at least the +** pass, log) and unless all three are filled (or at least the ** queue that is in the highest priority), events must be looked ** at to see if they are members of a queue that is not maxed out. ** 
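Review bot: `SetTags(p, otn, event_id);` is added to six action cases (hunks at 318 and 342) instead of once after the switch; if SDROP, PASS and the default case are deliberately excluded from tagging, a comment on the switch naming which actions tag would make that explicit, otherwise hoist the single call below the switch. In the new PKT_PASS_RULE block (hunk at 296) `fpLogOther` receives `rtn->type`, whereas the earlier call in the same function passes `action`; if those are not the same value the event trace differs between the two paths, so please confirm which is meant. fpLogEvent begins before these hunks.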
@@ -390,7 +406,7 @@ RuleTreeNode *rtn = getRuntimeRtnFromOtn(otn); evalIndex = rtn->listhead->ruleListNode->evalIndex; - + /* bounds check index */ if( evalIndex >= omd_local->iMatchInfoArraySize ) { @@ -403,7 +419,7 @@ ** If we hit the max number of unique events for any rule type alert, ** log or pass, then we don't add it to the list. */ - if( pmi->iMatchCount >= (int)snort_conf->fast_pattern_config->max_queue_events || + if( pmi->iMatchCount >= (int)snort_conf->fast_pattern_config->max_queue_events || pmi->iMatchCount >= MAX_EVENT_MATCH) { pc.match_limit++; @@ -446,7 +462,7 @@ } pmi->iMatchCount++; - + return 0; } @@ -497,24 +513,24 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "[*] Rule Head %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "[*] Rule Head %d\n", rtn->head_node_number);) if(!rtn->rule_func->RuleHeadFunc(p, rtn, rtn->rule_func, check_ports)) { DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => Header check failed, checking next node\n");); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => returned from next node check\n");); PREPROC_PROFILE_END(ruleRTNEvalPerfStats); return 0; } - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n");); DEBUG_WRAP(DebugMessage(DEBUG_DETECT, " => RTN %d Matched!\n", rtn->head_node_number);); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv\n");); /* ** Return that there is a rule match and log the event outside @@ -627,7 +643,7 @@ if (rval) { /* - ** We have a qualified event from this tree + ** We have a qualified event from this tree */ pomd->pg->pgQEvents++; UpdateQEvents(&sfEvent); @@ -646,7 +662,7 @@ { return -1; } - + #ifdef GRE /* If this is for an IP rule set, evalute the rules from * the inner IP offset as well */ 
@@ -670,9 +686,9 @@ eval_data.p->dsize = eval_data.p->ip_dsize; /* clear so we dont keep recursing */ - eval_data.p->packet_flags &= ~PKT_IP_RULE; + eval_data.p->packet_flags &= ~PKT_IP_RULE; eval_data.p->packet_flags |= PKT_IP_RULE_2ND; - + /* Recurse, and evaluate with the inner IP */ rval = rule_tree_match(id, tree, index, data, NULL); @@ -705,17 +721,17 @@ otn2 = *(OptTreeNode **)e2; if( otn1->sigInfo.priority < otn2->sigInfo.priority ) - return +1; + return -1; if( otn1->sigInfo.priority > otn2->sigInfo.priority ) - return -1; + return +1; /* This improves stability of repeated tests */ if( otn1->sigInfo.id < otn2->sigInfo.id ) - return +1; + return -1; if( otn1->sigInfo.id > otn2->sigInfo.id ) - return -1; + return +1; return 0; } @@ -731,7 +747,19 @@ otn1 = *(OptTreeNode **)e1; otn2 = *(OptTreeNode **)e2; - /**** XXX: TODO for RULE_OPTION_TREE */ + if (otn1->longestPatternLen < otn2->longestPatternLen) + return +1; + + if (otn1->longestPatternLen > otn2->longestPatternLen) + return -1; + + /* This improves stability of repeated tests */ + if( otn1->sigInfo.id < otn2->sigInfo.id ) + return +1; + + if( otn1->sigInfo.id > otn2->sigInfo.id ) + return -1; + return 0; } @@ -744,7 +772,7 @@ ** DESCRIPTION ** fpFinalSelectEvent is called at the end of packet processing ** to decide, if there hasn't already been a selection, to decide -** what event to select. This function is different from +** what event to select. This function is different from ** fpSelectEvent by the fact that fpSelectEvent only selects an ** event if it is the first priority setting (drop/pass/alert...). ** @@ -807,9 +835,9 @@ ** ** FORMAL OUTPUT ** int - return 0 if no match, 1 if match. -** +** */ -static INLINE int fpFinalSelectEvent(OTNX_MATCH_DATA *o, Packet *p) +static inline int fpFinalSelectEvent(OTNX_MATCH_DATA *o, Packet *p) { int i; int j; 
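Review bot: The two comparators now tie-break on `sigInfo.id` in opposite directions: the priority comparator (hunk at 705) returns -1 for the lower id while the new longest-pattern comparator (hunk at 731) returns +1 for it, so equal-key events are ordered differently depending on which comparator is in use. If that asymmetry is intended, state the sort sense on each function, e.g. `/* ascending priority, then ascending sid */` and `/* descending longest pattern, then descending sid */`; if not, align the two id branches. Both comparator functions begin before their hunks.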
@@ -818,6 +846,7 @@ int tcnt = 0; EventQueueConfig *eq = snort_conf->event_queue_config; RuleTreeNode *rtn; + int alerted = 0; for( i = 0; i < o->iMatchInfoArraySize; i++ ) { @@ -876,7 +905,7 @@ { if(o->matchInfo[i].MatchArray[k] == otn) { - otn = NULL; + otn = NULL; break; } } @@ -888,7 +917,7 @@ ** QueueEvent */ int err = SnortEventqAdd( - otn->sigInfo.generator, + otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.class_id, @@ -898,14 +927,17 @@ if ( err ) pc.queue_limit++; + alerted = 1; tcnt++; } + else + pc.alert_limit++; /* Only count it if we're going to log it */ if (tcnt <= eq->log_events) { if ( p->ssnptr ) - fpAddSessionAlert(p, otn); + fpAddSessionAlert(p, otn, alerted); if ( p->fragtracker ) fpAddFragAlert(p, otn); @@ -930,7 +962,7 @@ } /* -** +** ** NAME ** fpAddSessionAlert:: ** @@ -940,13 +972,14 @@ ** FORMAL INPUTS ** Packet * - the packet to inspect ** OTNX * - the rule that generated the alert +** int - if the packet generated alert or not. ** ** FORMAL OUTPUTS ** int - 0 if not flagged ** 1 if flagged ** */ -static INLINE int fpAddSessionAlert(Packet *p, OptTreeNode *otn) +static inline int fpAddSessionAlert(Packet *p, OptTreeNode *otn, int alerted) { if ( !p->ssnptr ) return 0; @@ -958,12 +991,12 @@ if (stream_api) return !stream_api->add_session_alert(p->ssnptr, p, otn->sigInfo.generator, - otn->sigInfo.id); + otn->sigInfo.id, alerted); return 0; } /* -** +** ** NAME ** fpSessionAlerted:: ** @@ -980,7 +1013,7 @@ ** 1 if alert previously generated ** */ -static INLINE int fpSessionAlerted(Packet *p, OptTreeNode *otn) +static inline int fpSessionAlerted(Packet *p, OptTreeNode *otn) { SigInfo *si = &otn->sigInfo; 
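Review bot: `alerted` is declared once at function scope (hunk at 818) and set to 1 after `SnortEventqAdd` (hunk at 898) without ever being reset, so if that block sits inside the per-match loop — its start is cut by the hunk — every later otn in the same call, including those that take the new `else pc.alert_limit++` branch, is reported to `fpAddSessionAlert` as alerted. It is also set to 1 when `err` is non-zero, i.e. when the queue rejected the event; if an event is meant to count as alerted even then, a one-line comment saying so would help. Declaring `int alerted = 0;` next to the `SnortEventqAdd` call, or resetting it at the top of each iteration, removes the carry-over. fpFinalSelectEvent's body continues outside these hunks.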
@@ -1005,23 +1038,23 @@ { RuleTreeNode *rtn = getParserRtnFromOtn(otn); - LogMessage("rule proto: "); + LogMessage("rule proto: "); if( rtn->proto== IPPROTO_TCP )LogMessage("tcp "); else if( rtn->proto== IPPROTO_UDP )LogMessage("udp "); else if( rtn->proto== IPPROTO_ICMP )LogMessage("icmp "); else if( rtn->proto== ETHERNET_TYPE_IP)LogMessage("ip "); - + LogMessage("gid:%u sid:%5u ", otn->sigInfo.generator,otn->sigInfo.id); - + LogMessage(" sp:"); - + fflush(stdout);fflush(stderr); PortObjectPrintPortsRaw(rtn->src_portobject); fflush(stdout);fflush(stderr); - + LogMessage(" dp:"); - + PortObjectPrintPortsRaw(rtn->dst_portobject); printf("\n"); fflush(stdout);fflush(stderr); @@ -1029,13 +1062,13 @@ #endif /* -** +** ** NAME ** fpEvalHeaderSW:: ** ** DESCRIPTION ** This function does a set-wise match on content, and walks an otn list -** for non-content. The otn list search will eventually be redone for +** for non-content. The otn list search will eventually be redone for ** for performance purposes. ** ** FORMAL INPUTS @@ -1049,7 +1082,7 @@ ** 1 for sucessful pattern match ** */ -static INLINE int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, +static inline int fpEvalHeaderSW(PORT_GROUP *port_group, Packet *p, int check_ports, char ip_rule, OTNX_MATCH_DATA *omd) { RULE_NODE *rnWalk; @@ -1109,12 +1142,12 @@ /* ** PKT_STREAM_INSERT packets are being rebuilt and re-injected ** through this detection engine. So in order to avoid pattern - ** matching bytes twice, we wait until the PKT_STREAM_INSERT + ** matching bytes twice, we wait until the PKT_STREAM_INSERT ** packets are rebuilt and injected through the detection engine. ** ** PROBLEM: ** If a stream gets stomped on before it gets re-injected, an attack - ** would be missed. So before a connection gets stomped, we + ** would be missed. So before a connection gets stomped, we ** re-inject the stream we have. */ 
@@ -1154,7 +1187,7 @@ { int i; - for (i = HTTP_BUFFER_URI; (i < p->uri_count) && (i <= HTTP_BUFFER_METHOD); i++) + for (i = HTTP_BUFFER_URI; (i < p->uri_count) && (i <= HTTP_BUFFER_CLIENT_BODY); i++) { if ((UriBufs[i].uri == NULL) || (UriBufs[i].length == 0)) continue; @@ -1170,9 +1203,6 @@ case HTTP_BUFFER_CLIENT_BODY: so = (void *)port_group->pgPms[PM_TYPE__HTTP_CLIENT_BODY_CONTENT]; break; - case HTTP_BUFFER_METHOD: - so = (void *)port_group->pgPms[PM_TYPE__HTTP_METHOD_CONTENT]; - break; default: so = NULL; break; @@ -1181,7 +1211,7 @@ if ((so != NULL) && (mpseGetPatternCount(so) > 0)) { start_state = 0; - mpseSearch(so, UriBufs[i].uri, UriBufs[i].length, + mpseSearch(so, UriBufs[i].uri, UriBufs[i].length, rule_tree_match, omd, &start_state); #ifdef PPM_MGR /* Bail if we spent too much time already */ @@ -1198,17 +1228,17 @@ ** the global (decode.c) DecodeBuffer. Currently, only ** telnet normalization writes to this buffer. So, if ** it is set, we do this the match against the normalized - ** buffer and we do the check against the original - ** payload, in case any of the rules have the + ** buffer and we do the check against the original + ** payload, in case any of the rules have the ** 'rawbytes' option. */ so = (void *)port_group->pgPms[PM_TYPE__CONTENT]; if ((so != NULL) && (mpseGetPatternCount(so) > 0)) { - if ((p->packet_flags & PKT_ALT_DECODE) && DecodeBuffer.len) + if (Is_DetectFlag(FLAG_ALT_DECODE) && DecodeBuffer.len) { start_state = 0; - mpseSearch(so, DecodeBuffer.data, DecodeBuffer.len, + mpseSearch(so, DecodeBuffer.data, DecodeBuffer.len, rule_tree_match, omd, &start_state); #ifdef PPM_MGR /* Bail if we spent too much time already */ 
@@ -1217,6 +1247,19 @@ #endif } + /* Adding this extra search on file data since we no more use DecodeBuffer to decode now*/ + if(file_data_ptr.len) + { + start_state = 0; + mpseSearch(so, file_data_ptr.data, file_data_ptr.len, + rule_tree_match, omd, &start_state); +#ifdef PPM_MGR + /* Bail if we spent too much time already */ + if (PPM_PACKET_ABORT_FLAG()) + goto fp_eval_header_sw_reset_ip; +#endif + } + /* ** Content-Match - If no Uri-Content matches, than do a Content search ** @@ -1246,9 +1289,9 @@ /* ** PKT_REBUILT_STREAM packets are re-injected streams. This means - ** that the "packet headers" are completely bogus and only the + ** that the "packet headers" are completely bogus and only the ** content matches are important. So for PKT_REBUILT_STREAMs, we - ** don't inspect against no-content OTNs since these deal with + ** don't inspect against no-content OTNs since these deal with ** packet headers, packet sizes, etc. ** ** NOTE: @@ -1346,7 +1389,7 @@ /* ** fpEvalHeaderUdp:: */ -static INLINE int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderUdp(Packet *p, OTNX_MATCH_DATA *omd) { PORT_GROUP *src = NULL, *dst = NULL, *gen = NULL; @@ -1421,7 +1464,7 @@ /* ** fpEvalHeaderTcp:: */ -static INLINE int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderTcp(Packet *p, OTNX_MATCH_DATA *omd) { PORT_GROUP *src = NULL, *dst = NULL, *gen = NULL; @@ -1505,13 +1548,13 @@ /* ** fpEvalHeaderICMP:: */ -static INLINE int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderIcmp(Packet *p, OTNX_MATCH_DATA *omd) { PORT_GROUP *gen = NULL, *type = NULL; if (!prmFindRuleGroupIcmp(snort_conf->prmIcmpRTNX, p->icmph->type, &type, &gen)) return 0; - + if (fpDetectGetDebugPrintNcRules(snort_conf->fast_pattern_config)) { LogMessage( 
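Review bot: The new file-data search (hunk at 1217) is guarded only on `file_data_ptr.len`, whereas the URI loop earlier in this function skips a buffer when its pointer is NULL or its length is 0; guarding both, `if (file_data_ptr.len && file_data_ptr.data)`, keeps the two consistent and never hands `mpseSearch` a NULL buffer with a non-zero length. The comment above it reads awkwardly; suggest `/* file data is no longer staged in DecodeBuffer, so run the content matcher over it separately */`. fpEvalHeaderSW's body extends beyond the hunk.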
@@ -1539,16 +1582,16 @@ /* ** fpEvalHeaderIP:: */ -static INLINE int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *omd) +static inline int fpEvalHeaderIp(Packet *p, int ip_proto, OTNX_MATCH_DATA *omd) { PORT_GROUP *gen = NULL, *ip_group = NULL; if (!prmFindRuleGroupIp(snort_conf->prmIpRTNX, ip_proto, &ip_group, &gen)) return 0; - + if(fpDetectGetDebugPrintNcRules(snort_conf->fast_pattern_config)) LogMessage("fpEvalHeaderIp: ip_group=%p, gen=%p\n", (void*)ip_group, (void*)gen); - + InitMatchInfo(omd); if (ip_group != NULL) @@ -1572,7 +1615,7 @@ ** fpEvalPacket:: ** ** DESCRIPTION -** This function is the interface to the Detect() routine. Here +** This function is the interface to the Detect() routine. Here ** the IP protocol is processed. If it is TCP, UDP, or ICMP, we ** process the both that particular ruleset and the IP ruleset ** with in the fpEvalHeader for that protocol. If the protocol @@ -1597,7 +1640,7 @@ OTNX_MATCH_DATA *omd = snort_conf->omd; /* Run UDP rules against the UDP header of Teredo packets */ - if (p->proto_bits & PROTO_BIT__TEREDO) + if ( p->udph && (p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP)) ) { uint16_t tmp_sp = p->sp; uint16_t tmp_dp = p->dp; @@ -1612,7 +1655,8 @@ p->sp = ntohs(p->udph->uh_sport); p->dp = ntohs(p->udph->uh_dport); p->data = (const uint8_t *)p->udph + UDP_HEADER_LEN; - p->dsize = p->outer_ip_dsize - UDP_HEADER_LEN; + if (p->outer_ip_dsize > UDP_HEADER_LEN) + p->dsize = p->outer_ip_dsize - UDP_HEADER_LEN; fpEvalHeaderUdp(p, omd); @@ -1626,7 +1670,7 @@ switch(ip_proto) { case IPPROTO_TCP: - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Detecting on TcpList\n");); if(p->tcph == NULL) @@ -1638,7 +1682,7 @@ return fpEvalHeaderTcp(p, omd); case IPPROTO_UDP: - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Detecting on UdpList\n");); if(p->udph == NULL) 
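Review bot: In the Teredo/GTP hunk (1612) the guarded subtraction leaves `p->dsize` at its previous value when `p->outer_ip_dsize <= UDP_HEADER_LEN`, while `p->data` has already been pointed just past the UDP header, so `fpEvalHeaderUdp` can run with a data/dsize pair that does not describe the same bytes; add `else p->dsize = 0;` so a truncated outer datagram yields an empty payload instead of a stale length. The comment at 1597 still says Teredo only; make it `/* Run UDP rules against the outer UDP header of Teredo and GTP packets */`. The enclosing function begins before the first hunk.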
@@ -1646,20 +1690,20 @@ ip_proto = -1; break; } - + return fpEvalHeaderUdp(p, omd); #ifdef SUP_IP6 case IPPROTO_ICMPV6: #endif case IPPROTO_ICMP: - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, + DEBUG_WRAP(DebugMessage(DEBUG_DETECT, "Detecting on IcmpList\n");); if(p->icmph == NULL) { ip_proto = -1; - break; + break; } return fpEvalHeaderIcmp(p, omd); @@ -1688,13 +1732,17 @@ { if (fpEvalRTN(getRuntimeRtnFromOtn(otn), p, 0)) { - SnortEventqAdd(otn->sigInfo.generator, + SnortEventqAdd(otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.class_id, otn->sigInfo.priority, otn->sigInfo.message, (void *)NULL); + if (RULE_TYPE__PASS == getRuntimeRtnFromOtn(otn)->type) + { + p->packet_flags |= PKT_PASS_RULE; + } } } } diff -Nru snort-2.9.0.1/src/fpdetect.h snort-2.9.2/src/fpdetect.h --- snort-2.9.0.1/src/fpdetect.h 2010-01-26 10:09:19.000000000 -0800 +++ snort-2.9.2/src/fpdetect.h 2011-06-07 17:33:06.000000000 -0700 @@ -3,7 +3,7 @@ ** ** fpfuncs.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** @@ -35,7 +35,7 @@ #endif #include "fpcreate.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "sflsq.h" #include "event_queue.h" @@ -56,9 +56,9 @@ ** to match before choosing which event to log. ** (Since we can only log one.) This define is the limit. */ -#define MAX_EVENT_MATCH 100 +#define MAX_EVENT_MATCH 100 -/* +/* ** MATCH_INFO ** The events that are matched get held in this structure, ** and iMatchIndex gets set to the event that holds the @@ -70,7 +70,7 @@ int iMatchCount; int iMatchIndex; int iMatchMaxLen; - + }MATCH_INFO; /* 
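Review bot: The added `RULE_TYPE__PASS` check calls `getRuntimeRtnFromOtn(otn)` a second time immediately after the `fpEvalRTN(getRuntimeRtnFromOtn(otn), p, 0)` call; fetch it once into a local of the RTN pointer type before the `if` and use it in both places, which also makes the pass-rule branch easier to read. `PKT_PASS_RULE` is set only after `SnortEventqAdd` has already queued the event, so whether that event is later dropped depends on code outside this hunk and deserves a one-line comment, e.g. `/* event stays queued; PKT_PASS_RULE is honored when the queue is drained */`, if that is indeed the behaviour. The enclosing function starts before this hunk.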
@@ -82,7 +82,7 @@ ** the event to log based on the event comparison ** function. */ -typedef struct +typedef struct { PORT_GROUP * pg; Packet * p; diff -Nru snort-2.9.0.1/src/generators.h snort-2.9.2/src/generators.h --- snort-2.9.0.1/src/generators.h 2010-10-25 12:48:59.000000000 -0700 +++ snort-2.9.2/src/generators.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -83,7 +83,7 @@ #define DECODE_BAD_VLAN 130 #define DECODE_BAD_VLAN_ETHLLC 131 #define DECODE_BAD_VLAN_OTHER 132 -#define DECODE_BAD_80211_ETHLLC 133 +#define DECODE_BAD_80211_ETHLLC 133 #define DECODE_BAD_80211_OTHER 134 #define DECODE_BAD_TRH 140 @@ -91,8 +91,8 @@ #define DECODE_BAD_TR_MR_LEN 142 #define DECODE_BAD_TRHMR 143 -#define DECODE_BAD_TRAFFIC_LOOPBACK 150 -#define DECODE_BAD_TRAFFIC_SAME_SRCDST 151 +#define DECODE_BAD_TRAFFIC_LOOPBACK 150 +#define DECODE_BAD_TRAFFIC_SAME_SRCDST 151 #ifdef GRE #define DECODE_GRE_DGRAM_LT_GREHDR 160 @@ -119,7 +119,7 @@ #define DECODE_ICMP_ORIG_PAYLOAD_GT_576 254 #define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET 255 -#define DECODE_IPV6_MIN_TTL 270 +#define DECODE_IPV6_MIN_TTL 270 #define DECODE_IPV6_IS_NOT 271 #define DECODE_IPV6_TRUNCATED_EXT 272 #define DECODE_IPV6_TRUNCATED 273 @@ -149,6 +149,8 @@ #define DECODE_IPV6_BAD_OPT_LEN 295 #define DECODE_IPV6_UNORDERED_EXTENSIONS 296 +#define DECODE_GTP_MULTIPLE_ENCAPSULATION 297 +#define DECODE_GTP_BAD_LEN 298 //----------------------------------------------------- // remember to add rules to preproc_rules/decoder.rules @@ -209,6 +211,10 @@ DECODE_IP_BAD_PROTO, DECODE_ICMP_PATH_MTU_DOS, DECODE_ICMP_DOS_ATTEMPT, + DECODE_IPV6_ISATAP_SPOOF, + DECODE_PGM_NAK_OVERFLOW, + DECODE_IGMP_OPTIONS_DOS, + DECODE_IP6_EXCESS_EXT_HDR, DECODE_INDEX_MAX }; 
@@ -224,11 +230,15 @@ ** trick is that whatever the number is in HttpInspect, ** it must be +1 when you define it here. */ +// these are client specific events #define GENERATOR_SPP_HTTP_INSPECT_CLIENT 119 #define HI_CLIENT_ASCII 1 /* done */ #define HI_CLIENT_DOUBLE_DECODE 2 /* done */ #define HI_CLIENT_U_ENCODE 3 /* done */ #define HI_CLIENT_BARE_BYTE 4 /* done */ +/* Base 36 is deprecated and essentially a noop + * Leaving here in case anyone out there has historical data with + * alerts of this type */ #define HI_CLIENT_BASE36 5 /* done */ #define HI_CLIENT_UTF_8 6 /* done */ #define HI_CLIENT_IIS_UNICODE 7 /* done */ @@ -248,17 +258,27 @@ #define HI_CLIENT_MULTIPLE_CONTLEN 21 #define HI_CLIENT_CHUNK_SIZE_MISMATCH 22 #define HI_CLIENT_INVALID_TRUEIP 23 +#define HI_CLIENT_MULTIPLE_HOST_HDRS 24 +#define HI_CLIENT_LONG_HOSTNAME 25 +#define HI_CLIENT_EXCEEDS_SPACES 26 +#define HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES 27 +#define HI_CLIENT_UNBOUNDED_POST 28 +#define HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION 29 +#define HI_CLIENT_BOTH_TRUEIP_XFF_HDRS 30 -#define GENERATOR_SPP_HTTP_INSPECT_SERVER 120 +// these are either server specific or both client / server +#define GENERATOR_SPP_HTTP_INSPECT 120 #define HI_ANOM_SERVER_ALERT 1 /* done */ -#define HI_SERVER_INVALID_STATCODE 2 +#define HI_SERVER_INVALID_STATCODE 2 #define HI_SERVER_NO_CONTLEN 3 #define HI_SERVER_UTF_NORM_FAIL 4 #define HI_SERVER_UTF7 5 - -/*#define GENERATOR_SPP_HTTP_INSPECT_ANOM_SERVER 120 -#define HI_ANOM_SERVER_ALERT 1 */ - +#define HI_SERVER_DECOMPR_FAILED 6 +#define HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES 7 +#define HI_CLISRV_MSG_SIZE_EXCEPTION 8 +#define HI_SERVER_JS_OBFUSCATION_EXCD 9 +#define HI_SERVER_JS_EXCESS_WS 10 +#define HI_SERVER_MIXED_ENCODINGS 11 #define GENERATOR_PSNG 122 
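Review bot: Renaming `GENERATOR_SPP_HTTP_INSPECT_SERVER` to `GENERATOR_SPP_HTTP_INSPECT` removes the old macro without a compatibility alias, so any out-of-tree preprocessor or rule-generation tooling that references the old name stops compiling against this header; adding `#define GENERATOR_SPP_HTTP_INSPECT_SERVER GENERATOR_SPP_HTTP_INSPECT /* deprecated name; GID 120 unchanged */` beside the new define keeps it buildable and records that the GID did not move. The new `HI_SERVER_*` and `HI_CLISRV_*` SIDs 6–11 share that GID, which the `// these are either server specific or both client / server` comment explains well. They, like the `HI_CLIENT_*` additions 24–30 in the preceding hunk, still need matching entries in the preprocessor rule files this header's earlier comment points to.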
@@ -318,6 +338,11 @@ #define SMTP_ILLEGAL_CMD 6 #define SMTP_HEADER_NAME_OVERFLOW 7 #define SMTP_XLINK2STATE_OVERFLOW 8 +#define SMTP_DECODE_MEMCAP_EXCEEDED 9 +#define SMTP_B64_DECODING_FAILED 10 +#define SMTP_QP_DECODING_FAILED 11 +#define SMTP_BITENC_DECODING_FAILED 12 +#define SMTP_UU_DECODING_FAILED 13 /* ** FTPTelnet Generator IDs @@ -447,8 +472,18 @@ #define GENERATOR_SPP_SDF_RULES 138 #define GENERATOR_SPP_SDF_PREPROC 139 +// #define GENERATOR_SPP_SIP 140 // Defined in spp_sip.h file, not here. +// #define GENERATOR_SPP_IMAP 141 // Defined in imap_log.h file +// #define GENERATOR_SPP_POP 142 // Defined in pop_log.h file. #define SDF_COMBO_ALERT 1 + +#define GENERATOR_SPP_GTP 143 + +#define GENERATOR_SPP_MODBUS 144 + +#define GENERATOR_SPP_DNP3 145 + /* This is where all the alert messages will be archived for each internal alerts */ 
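Review bot: Generator IDs 140–142 are reserved in the `@@ -447` hunk only by commented-out `#define`s pointing at spp_sip.h, imap_log.h and pop_log.h, while 143–145 are defined here, so the GID space is now split across four headers with nothing but those comments preventing a future collision, and a duplicate GID makes alerts ambiguous in any downstream correlation. Keep the reservation comments and add a pointer to the next free value so the next allocation lands in one place, e.g. `/* next free generator id: 146 -- check the preprocessor headers listed above before reusing a number */`. The existing `#define SDF_COMBO_ALERT 1` now sits between those reservations and `GENERATOR_SPP_GTP`; moving it directly under `GENERATOR_SPP_SDF_PREPROC` keeps each GID next to its SIDs.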
@@ -508,17 +543,17 @@ #define PPM_EVENT_RULE_TREE_ENABLED_STR "Rule Options Re-enabled by Rule Latency" /* Snort decoder strings */ -#define DECODE_NOT_IPV4_DGRAM_STR "(snort_decoder) WARNING: Not IPv4 datagram!" -#define DECODE_IPV4_INVALID_HEADER_LEN_STR "(snort_decoder) WARNING: hlen < IP_HEADER_LEN!" -#define DECODE_IPV4_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len!" +#define DECODE_NOT_IPV4_DGRAM_STR "(snort_decoder) WARNING: Not IPv4 datagram" +#define DECODE_IPV4_INVALID_HEADER_LEN_STR "(snort_decoder) WARNING: hlen < IP_HEADER_LEN" +#define DECODE_IPV4_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len" #define DECODE_IPV4OPT_BADLEN_STR "(snort_decoder) WARNING: Ipv4 Options found with bad lengths" #define DECODE_IPV4OPT_TRUNCATED_STR "(snort_decoder) WARNING:Truncated Ipv4 Options" -#define DECODE_IPV4_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len!" +#define DECODE_IPV4_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len" #define DECODE_NOT_IPV6_DGRAM_STR "(snort_decoder) WARNING: Not an IPv6 datagram" -#define DECODE_TCP_DGRAM_LT_TCPHDR_STR "(snort_decoder) WARNING: TCP packet len is smaller than 20 bytes!" -#define DECODE_TCP_INVALID_OFFSET_STR "(snort_decoder) WARNING: TCP Data Offset is less than 5!" -#define DECODE_TCP_LARGE_OFFSET_STR "(snort_decoder) WARNING: TCP Header length exceeds packet length!" +#define DECODE_TCP_DGRAM_LT_TCPHDR_STR "(snort_decoder) WARNING: TCP packet len is smaller than 20 bytes" +#define DECODE_TCP_INVALID_OFFSET_STR "(snort_decoder) WARNING: TCP Data Offset is less than 5" +#define DECODE_TCP_LARGE_OFFSET_STR "(snort_decoder) WARNING: TCP Header length exceeds packet length" #define DECODE_TCPOPT_BADLEN_STR "(snort_decoder) WARNING: Tcp Options found with bad lengths" #define DECODE_TCPOPT_TRUNCATED_STR "(snort_decoder) WARNING: Truncated Tcp Options" 
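Review bot: Dropping the trailing `!` from `DECODE_NOT_IPV4_DGRAM_STR` and the other decoder messages in this hunk changes the alert text emitted through every output plugin, so exact-match filters on the old wording (SIEM correlation rules, log parsers, local suppression keyed on the message) silently stop matching after the upgrade; the cleanup itself is fine, but it should be called out in the release notes as a user-visible change. The `(snort_decoder)` versus `(snort decoder)` prefix inconsistency that survives elsewhere in this file (e.g. `DECODE_BAD_TRAFFIC_LOOPBACK_STR`) could be normalized in the same sweep, since it is the same class of downstream-visible change.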
@@ -527,33 +562,33 @@ #define DECODE_TCPOPT_EXPERIMENT_STR "(snort_decoder) WARNING: Experimental Tcp Options found" #define DECODE_TCPOPT_WSCALE_INVALID_STR "(snort_decoder) WARNING: Tcp Window Scale Option found with length > 14" -#define DECODE_UDP_DGRAM_LT_UDPHDR_STR "(snort_decoder) WARNING: Truncated UDP Header!" +#define DECODE_UDP_DGRAM_LT_UDPHDR_STR "(snort_decoder) WARNING: Truncated UDP Header" #define DECODE_UDP_DGRAM_INVALID_LENGTH_STR "(snort_decoder) WARNING: Invalid UDP header, length field < 8" #define DECODE_UDP_DGRAM_SHORT_PACKET_STR "(snort_decoder) WARNING: Short UDP packet, length field > payload length" #define DECODE_UDP_DGRAM_LONG_PACKET_STR "(snort_decoder) WARNING: Long UDP packet, length field < payload length" -#define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR "(snort_decoder) WARNING: ICMP Header Truncated!" -#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR "(snort_decoder) WARNING: ICMP Timestamp Header Truncated!" -#define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR "(snort_decoder) WARNING: ICMP Address Header Truncated!" -#define DECODE_IPV4_DGRAM_UNKNOWN_STR "(snort_decoder) WARNING: Unknown Datagram decoding problem!" -#define DECODE_ARP_TRUNCATED_STR "(snort_decoder) WARNING: Truncated ARP!" -#define DECODE_EAPOL_TRUNCATED_STR "(snort_decoder) WARNING: Truncated EAP Header!" -#define DECODE_EAPKEY_TRUNCATED_STR "(snort_decoder) WARNING: EAP Key Truncated!" -#define DECODE_EAP_TRUNCATED_STR "(snort_decoder) WARNING: EAP Header Truncated!" -#define DECODE_BAD_PPPOE_STR "(snort_decoder) WARNING: Bad PPPOE frame detected!" -#define DECODE_BAD_VLAN_STR "(snort_decoder) WARNING: Bad VLAN Frame!" -#define DECODE_BAD_VLAN_ETHLLC_STR "(snort_decoder) WARNING: Bad LLC header!" -#define DECODE_BAD_VLAN_OTHER_STR "(snort_decoder) WARNING: Bad Extra LLC Info!" -#define DECODE_BAD_80211_ETHLLC_STR "(snort_decoder) WARNING: Bad 802.11 LLC header!" -#define DECODE_BAD_80211_OTHER_STR "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info!" 
- -#define DECODE_BAD_TRH_STR "(snort_decoder) WARNING: Bad Token Ring Header!" -#define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!" -#define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader!" -#define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header!" +#define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR "(snort_decoder) WARNING: ICMP Header Truncated" +#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR "(snort_decoder) WARNING: ICMP Timestamp Header Truncated" +#define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR "(snort_decoder) WARNING: ICMP Address Header Truncated" +#define DECODE_IPV4_DGRAM_UNKNOWN_STR "(snort_decoder) WARNING: Unknown Datagram decoding problem" +#define DECODE_ARP_TRUNCATED_STR "(snort_decoder) WARNING: Truncated ARP" +#define DECODE_EAPOL_TRUNCATED_STR "(snort_decoder) WARNING: Truncated EAP Header" +#define DECODE_EAPKEY_TRUNCATED_STR "(snort_decoder) WARNING: EAP Key Truncated" +#define DECODE_EAP_TRUNCATED_STR "(snort_decoder) WARNING: EAP Header Truncated" +#define DECODE_BAD_PPPOE_STR "(snort_decoder) WARNING: Bad PPPOE frame detected" +#define DECODE_BAD_VLAN_STR "(snort_decoder) WARNING: Bad VLAN Frame" +#define DECODE_BAD_VLAN_ETHLLC_STR "(snort_decoder) WARNING: Bad LLC header" +#define DECODE_BAD_VLAN_OTHER_STR "(snort_decoder) WARNING: Bad Extra LLC Info" +#define DECODE_BAD_80211_ETHLLC_STR "(snort_decoder) WARNING: Bad 802.11 LLC header" +#define DECODE_BAD_80211_OTHER_STR "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info" + +#define DECODE_BAD_TRH_STR "(snort_decoder) WARNING: Bad Token Ring Header" +#define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header" +#define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader" +#define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header" -#define DECODE_BAD_TRAFFIC_LOOPBACK_STR "(snort decoder) WARNING: Bad Traffic Loopback IP" -#define 
DECODE_BAD_TRAFFIC_SAME_SRCDST_STR "(snort decoder) WARNING: Bad Traffic Same Src/Dst IP" +#define DECODE_BAD_TRAFFIC_LOOPBACK_STR "(snort decoder) WARNING: Bad Traffic Loopback IP" +#define DECODE_BAD_TRAFFIC_SAME_SRCDST_STR "(snort decoder) WARNING: Bad Traffic Same Src/Dst IP" #ifdef GRE #define DECODE_GRE_DGRAM_LT_GREHDR_STR "(snort decoder) WARNING: GRE header length > payload length" 
@@ -564,19 +599,19 @@ #define DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR "(snort decoder) WARNING: GRE Trans header length > payload length" #endif /* GRE */ -#define DECODE_ICMP_ORIG_IP_TRUNCATED_STR "(snort_decoder) WARNING: ICMP Original IP Header Truncated!" -#define DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR "(snort_decoder) WARNING: ICMP version and Original IP Header versions differ!" -#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length!" -#define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits!" -#define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR "(snort_decoder) WARNING: ICMP Origianl IP Payload > 576 bytes!" -#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0!" +#define DECODE_ICMP_ORIG_IP_TRUNCATED_STR "(snort_decoder) WARNING: ICMP Original IP Header Truncated" +#define DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR "(snort_decoder) WARNING: ICMP version and Original IP Header versions differ" +#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length" +#define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits" +#define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR "(snort_decoder) WARNING: ICMP Origianl IP Payload > 576 bytes" +#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0" #define DECODE_IPV6_MIN_TTL_STR "(snort decoder) WARNING: IPv6 packet below TTL limit" #define DECODE_IPV6_IS_NOT_STR "(snort decoder) WARNING: IPv6 header claims to not be IPv6" #define DECODE_IPV6_TRUNCATED_EXT_STR "(snort decoder) WARNING: IPV6 truncated extension header" #define DECODE_IPV6_TRUNCATED_STR "(snort decoder) WARNING: IPV6 truncated header" -#define DECODE_IPV6_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr 
len!" -#define DECODE_IPV6_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len!" +#define DECODE_IPV6_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len" +#define DECODE_IPV6_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len" #define DECODE_IPV6_DST_ZERO_STR "(snort_decoder) WARNING: IPv6 packet with destination address ::0" #define DECODE_IPV6_SRC_MULTICAST_STR "(snort_decoder) WARNING: IPv6 packet with multicast source address" 
@@ -600,18 +635,19 @@ #define DECODE_ESP_HEADER_TRUNC_STR "(snort_decoder) WARNING: truncated Encapsulated Security Payload (ESP) header" -#define DECODE_IPV6_BAD_OPT_LEN_STR "(snort_decoder) WARNING: IPv6 header includes an option which is too big for the containing header." +#define DECODE_IPV6_BAD_OPT_LEN_STR "(snort_decoder) WARNING: IPv6 header includes an option which is too big for the containing header" #define DECODE_IPV6_UNORDERED_EXTENSIONS_STR "(snort_decoder) WARNING: IPv6 packet includes out-of-order extension headers" +#define DECODE_GTP_MULTIPLE_ENCAPSULATION_STR "(snort_decoder) WARNING: Two or more GTP encapsulation layers present" +#define DECODE_GTP_BAD_LEN_STR "(snort_decoder) WARNING: GTP header length is invalid" +#define DECODE_TCP_XMAS_STR "(snort_decoder) WARNING: XMAS Attack Detected" +#define DECODE_TCP_NMAP_XMAS_STR "(snort_decoder) WARNING: Nmap XMAS Attack Detected" -#define DECODE_TCP_XMAS_STR "(snort_decoder) WARNING: XMAS Attack Detected!" -#define DECODE_TCP_NMAP_XMAS_STR "(snort_decoder) WARNING: Nmap XMAS Attack Detected!" - -#define DECODE_DOS_NAPTHA_STR "(snort_decoder) WARNING: DOS NAPTHA Vulnerability Detected!" 
+#define DECODE_DOS_NAPTHA_STR "(snort_decoder) WARNING: DOS NAPTHA Vulnerability Detected" #define DECODE_SYN_TO_MULTICAST_STR "(snort_decoder) WARNING: Bad Traffic SYN to multicast address" #define DECODE_ZERO_TTL_STR "(snort_decoder) WARNING: IPV4 packet with zero TTL" #define DECODE_BAD_FRAGBITS_STR "(snort_decoder) WARNING: IPV4 packet with bad frag bits (Both MF and DF set)" -#define DECODE_UDP_IPV6_ZERO_CHECKSUM_STR "(snort_decoder) WARNING: Invalid IPv6 UDP packet, checksum zero" +#define DECODE_UDP_IPV6_ZERO_CHECKSUM_STR "(snort_decoder) WARNING: Invalid IPv6 UDP packet, checksum zero" #define DECODE_IP4_LEN_OFFSET_STR "(snort_decoder) WARNING: IPV4 packet frag offset + length exceed maximum" #define DECODE_IP4_SRC_THIS_NET_STR "(snort_decoder) WARNING: IPV4 packet from 'current net' source address" #define DECODE_IP4_DST_THIS_NET_STR "(snort_decoder) WARNING: IPV4 packet to 'current net' dest address" @@ -657,6 +693,10 @@ #define DECODE_IP_BAD_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Bad IP protocol" #define DECODE_ICMP_PATH_MTU_DOS_STR "(snort_decoder) WARNING: ICMP PATH MTU denial of service attempt" #define DECODE_ICMP_DOS_ATTEMPT_STR "(snort_decoder) WARNING: BAD-TRAFFIC linux ICMP header dos attempt" +#define DECODE_IPV6_ISATAP_SPOOF_STR "(snort_decoder) WARNING: BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt" +#define DECODE_PGM_NAK_OVERFLOW_STR "(snort_decoder) WARNING: BAD-TRAFFIC PGM nak list overflow attempt" +#define DECODE_IGMP_OPTIONS_DOS_STR "(snort_decoder) WARNING: DOS IGMP IP Options validation attempt" +#define DECODE_IP6_EXCESS_EXT_HDR_STR "(snort_decoder) WARNING: too many IP6 extension headers" /* RPC decode preprocessor strings */ #define RPC_FRAG_TRAFFIC_STR "(spp_rpc_decode) Fragmented RPC Records" 
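Review bot: `DECODE_IP6_EXCESS_EXT_HDR_STR` in the `@@ -657` hunk breaks the naming used by every other IPv6 decoder event in this header (`DECODE_IPV6_*`), and its message `too many IP6 extension headers` lacks the `BAD-TRAFFIC` prefix its three new neighbours carry, so it sorts and filters differently from the rest of the family; `DECODE_IPV6_EXCESS_EXT_HDR_STR "(snort_decoder) WARNING: BAD-TRAFFIC too many IPv6 extension headers"`, with the enum constant renamed to match, would keep it consistent. The four new events also need corresponding entries in preproc_rules/decoder.rules, as the comment earlier in this file reminds.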
@@ -697,7 +737,7 @@ #define PSNG_OPEN_PORT_STR "(portscan) Open Port" -#define DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame!" +#define DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame" #define DECODE_BAD_MPLS_LABEL0_STR "(snort_decoder) WARNING: MPLS Label 0 Appears in Nonbottom Header" #define DECODE_BAD_MPLS_LABEL1_STR "(snort_decoder) WARNING: MPLS Label 1 Appears in Bottom Header" #define DECODE_BAD_MPLS_LABEL2_STR "(snort_decoder) WARNING: MPLS Label 2 Appears in Nonbottom Header" diff -Nru snort-2.9.0.1/src/idle_processing.c snort-2.9.2/src/idle_processing.c --- snort-2.9.0.1/src/idle_processing.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/idle_processing.c 2011-10-26 07:49:57.000000000 -0700 
@@ -0,0 +1,80 @@
+/* $Id$ */
+/*
+ ** Copyright (C) 2011-2011 Sourcefire, Inc.
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+/**
+ * @file idle_processing.c
+ * @author Ron Dempster <rdempster@sourcefire.com>
+ * @date Tue Jun 17 17:09:59 2003
+ *
+ * @brief Allow functions to be registered to be called when packet
+ * processing is idle.
+ *
+ */
+
+#include <stdlib.h>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "idle_processing_funcs.h"
+#include "util.h"
+
+typedef struct _IDLE_HANDLER_ELEMENT
+{
+ struct _IDLE_HANDLER_ELEMENT *next;
+ IdleProcessingHandler handler;
+} IdleHandlerElement;
+
+static IdleHandlerElement *idle_handlers;
+
+int IdleProcessingRegisterHandler(IdleProcessingHandler func)
+{
+ IdleHandlerElement *e;
+
+ if ((e = calloc(1, sizeof(*e))) == NULL)
+ {
+ WarningMessage("%s\n", "Failed to allocate an idle handler element");
+ return -1;
+ }
+ e->handler = func;
+ e->next = idle_handlers;
+ idle_handlers = e;
+ return 0;
+}
+
+void IdleProcessingExecute(void)
+{
+ IdleHandlerElement *e;
+
+ for (e = idle_handlers; e; e = e->next)
+ e->handler();
+}
+
+void IdleProcessingCleanUp(void)
+{
+ IdleHandlerElement *e;
+
+ while ((e = idle_handlers))
+ {
+ idle_handlers = e->next;
+ free(e);
+ }
+}
+
diff -Nru snort-2.9.0.1/src/idle_processing_funcs.h snort-2.9.2/src/idle_processing_funcs.h
--- snort-2.9.0.1/src/idle_processing_funcs.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/idle_processing_funcs.h 2011-10-26 07:49:57.000000000 -0700
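Review bot: `IdleProcessingRegisterHandler` stores `func` without checking it and `IdleProcessingExecute` then calls every stored pointer unconditionally, so a NULL registration becomes a crash at the first idle cycle; reject it up front with `if (func == NULL) return -1;` before the `calloc`. `#include <stdlib.h>` also precedes the `HAVE_CONFIG_H` / `config.h` block, whereas config.h has to be the first include so any feature-test macros it defines take effect for the system headers; move the `#ifdef HAVE_CONFIG_H` block above it. Because new elements are pushed at the head of the list, handlers run in reverse registration order, which belongs in the function's comment, and the `@date ... 2003` Doxygen tag contradicts the 2011 copyright on a file that is new in this release.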
@@ -0,0 +1,31 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#ifndef _IDLE_PROCESSING_FUNCS_H +#define _IDLE_PROCESSING_FUNCS_H + +#include "idle_processing.h" + +int IdleProcessingRegisterHandler(IdleProcessingHandler); +void IdleProcessingExecute(void); +void IdleProcessingCleanUp(void); + +#endif /* _IDLE_PROCESSING_FUNCS_H */ diff -Nru snort-2.9.0.1/src/idle_processing.h snort-2.9.2/src/idle_processing.h --- snort-2.9.0.1/src/idle_processing.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/idle_processing.h 2011-10-26 07:49:57.000000000 -0700 
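Review bot: The three prototypes in this new header carry no documentation and `IdleProcessingRegisterHandler(IdleProcessingHandler)` omits its parameter name, so a caller cannot tell from the header that the function returns -1 when the list entry cannot be allocated and 0 otherwise, that handlers take no arguments and return nothing, or who is expected to call `IdleProcessingCleanUp`; add a short comment above each declaration, e.g. `/* Register func to run whenever packet processing is idle. Returns 0, or -1 if the handler entry could not be allocated. */`, and name the parameter `func`. The order in which multiple registered handlers run is decided in the .c file and should be stated here too, since callers will otherwise come to rely on it by accident.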
@@ -0,0 +1,27 @@ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#ifndef _IDLE_PROCESSING_H +#define _IDLE_PROCESSING_H + +typedef void (*IdleProcessingHandler)(void); + +#endif /* _IDLE_PROCESSING_H */ diff -Nru snort-2.9.0.1/src/ipv6_port.h snort-2.9.2/src/ipv6_port.h --- snort-2.9.0.1/src/ipv6_port.h 2010-01-26 10:09:21.000000000 -0800 +++ snort-2.9.2/src/ipv6_port.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -20,8 +20,7 @@ #ifndef IPV6_PORT_H #define IPV6_PORT_H -#include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" /////////////////// /* IPv6 and IPv4 */ 
@@ -42,63 +41,67 @@ #endif #define inet_ntoa sfip_ntoa -#define GET_SRC_IP(p) (p->iph_api->iph_ret_src(p)) -#define GET_DST_IP(p) (p->iph_api->iph_ret_dst(p)) +#define GET_SRC_IP(p) ((p)->iph_api->iph_ret_src(p)) +#define GET_DST_IP(p) ((p)->iph_api->iph_ret_dst(p)) -#define GET_ORIG_SRC(p) (p->orig_iph_api->orig_iph_ret_src(p)) -#define GET_ORIG_DST(p) (p->orig_iph_api->orig_iph_ret_dst(p)) +#define GET_ORIG_SRC(p) ((p)->orig_iph_api->orig_iph_ret_src(p)) +#define GET_ORIG_DST(p) ((p)->orig_iph_api->orig_iph_ret_dst(p)) /* These are here for backwards compatibility */ #define GET_SRC_ADDR(x) GET_SRC_IP(x) #define GET_DST_ADDR(x) GET_DST_IP(x) -#define IP_EQUALITY(x,y) (sfip_compare(x,y) == SFIP_EQUAL) -#define IP_EQUALITY_UNSET(x,y) (sfip_compare_unset(x,y) == SFIP_EQUAL) -#define IP_LESSER(x,y) (sfip_compare(x,y) == SFIP_LESSER) -#define IP_GREATER(x,y) (sfip_compare(x,y) == SFIP_GREATER) - -#define GET_IPH_TOS(p) p->iph_api->iph_ret_tos(p) -#define GET_IPH_LEN(p) p->iph_api->iph_ret_len(p) -#define GET_IPH_TTL(p) p->iph_api->iph_ret_ttl(p) -#define GET_IPH_ID(p) p->iph_api->iph_ret_id(p) -#define GET_IPH_OFF(p) p->iph_api->iph_ret_off(p) -#define GET_IPH_VER(p) p->iph_api->iph_ret_ver(p) -#define GET_IPH_PROTO(p) p->iph_api->iph_ret_proto(p) - -#define GET_ORIG_IPH_PROTO(p) p->orig_iph_api->orig_iph_ret_proto(p) -#define GET_ORIG_IPH_VER(p) p->orig_iph_api->orig_iph_ret_ver(p) -#define GET_ORIG_IPH_LEN(p) p->orig_iph_api->orig_iph_ret_len(p) -#define GET_ORIG_IPH_OFF(p) p->orig_iph_api->orig_iph_ret_off(p) -#define GET_ORIG_IPH_PROTO(p) p->orig_iph_api->orig_iph_ret_proto(p) +#define IP_EQUALITY(x,y) (sfip_compare((x),(y)) == SFIP_EQUAL) +#define IP_EQUALITY_UNSET(x,y) (sfip_compare_unset((x),(y)) == SFIP_EQUAL) +#define IP_LESSER(x,y) (sfip_compare((x),(y)) == SFIP_LESSER) +#define IP_GREATER(x,y) (sfip_compare((x),(y)) == SFIP_GREATER) + +#define IS_IP4(x) ((x)->family == AF_INET) +#define IS_IP6(x) ((x)->family == AF_INET6) + +#define IS_OUTER_IP4(x) 
((x)->outer_family == AF_INET) +#define IS_OUTER_IP6(x) ((x)->outer_family == AF_INET6) + +#define GET_IPH_TOS(p) (p)->iph_api->iph_ret_tos(p) +#define GET_IPH_LEN(p) (p)->iph_api->iph_ret_len(p) +#define GET_IPH_TTL(p) (p)->iph_api->iph_ret_ttl(p) +#define GET_IPH_ID(p) (p)->iph_api->iph_ret_id(p) +#define GET_IPH_OFF(p) (p)->iph_api->iph_ret_off(p) +#define GET_IPH_VER(p) (p)->iph_api->iph_ret_ver(p) +#define GET_IPH_PROTO(p) ((uint8_t)(IS_IP6(p) ? ((p)->ip6h->next) : ((p)->iph_api->iph_ret_proto(p)))) + +#define GET_ORIG_IPH_PROTO(p) (p)->orig_iph_api->orig_iph_ret_proto(p) +#define GET_ORIG_IPH_VER(p) (p)->orig_iph_api->orig_iph_ret_ver(p) +#define GET_ORIG_IPH_LEN(p) (p)->orig_iph_api->orig_iph_ret_len(p) +#define GET_ORIG_IPH_OFF(p) (p)->orig_iph_api->orig_iph_ret_off(p) +#define GET_ORIG_IPH_PROTO(p) (p)->orig_iph_api->orig_iph_ret_proto(p) -#define IS_IP4(x) (x->family == AF_INET) -#define IS_IP6(x) (x->family == AF_INET6) /* XXX make sure these aren't getting confused with sfip_is_valid within the code */ #define IPH_IS_VALID(p) iph_is_valid(p) -#define IP_CLEAR(x) x.bits = x.family = x.ip32[0] = x.ip32[1] = x.ip32[2] = x.ip32[3] = 0; +#define IP_CLEAR(x) (x).bits = (x).family = (x).ip32[0] = (x).ip32[1] = (x).ip32[2] = (x).ip32[3] = 0; -#define IS_SET(x) sfip_is_set(&x) +#define IP_IS_SET(x) sfip_is_set(&x) -/* This loop trickery is intentional. If each copy is performed +/* This loop trickery is intentional. If each copy is performed * individually on each field, then the following expression gets broken: - * + * * if(conditional) IP_COPY_VALUE(a,b); - * + * * If the macro is instead enclosed in braces, then having a semicolon - * trailing the macro causes compile breakage. + * trailing the macro causes compile breakage. * So: use loop. 
*/ #define IP_COPY_VALUE(x,y) \ do { \ - x.bits = y->bits; \ - x.family = y->family; \ - x.ip32[0] = y->ip32[0]; \ - x.ip32[1] = y->ip32[1]; \ - x.ip32[2] = y->ip32[2]; \ - x.ip32[3] = y->ip32[3]; \ + (x).bits = (y)->bits; \ + (x).family = (y)->family; \ + (x).ip32[0] = (y)->ip32[0]; \ + (x).ip32[1] = (y)->ip32[1]; \ + (x).ip32[2] = (y)->ip32[2]; \ + (x).ip32[3] = (y)->ip32[3]; \ } while(0) -#define GET_IPH_HLEN(p) (p->iph_api->iph_ret_hlen(p)) +#define GET_IPH_HLEN(p) ((p)->iph_api->iph_ret_hlen(p)) #define SET_IPH_HLEN(p, val) #define GET_IP_DGMLEN(p) IS_IP6(p) ? (ntohs(GET_IPH_LEN(p)) + (GET_IPH_HLEN(p) << 2)) : ntohs(GET_IPH_LEN(p)) @@ -109,7 +112,11 @@ #define IP_VAL(ipt) (*ipt) #define IP_SIZE(ipp) (sfip_size(ipp)) -static INLINE int sfip_equal (snort_ip* ip1, snort_ip* ip2) +#define GET_INNER_SRC_IP(p) (IS_IP6(p) ? (&((p)->inner_ip6h.ip_src)):(&((p)->inner_ip4h.ip_src))) +#define GET_INNER_DST_IP(p) (IS_IP6(p) ? (&((p)->inner_ip6h.ip_dst)):(&((p)->inner_ip4h.ip_dst))) +#define GET_OUTER_SRC_IP(p) (IS_OUTER_IP6(p) ? (&((p)->outer_ip6h.ip_src)):(&((p)->outer_ip4h.ip_src))) +#define GET_OUTER_DST_IP(p) (IS_OUTER_IP6(p) ? (&((p)->outer_ip6h.ip_dst)):(&((p)->outer_ip4h.ip_dst))) +static inline int sfip_equal (snort_ip* ip1, snort_ip* ip2) { if ( ip1->family != ip2->family ) { 
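Review bot: The new `GET_IPH_PROTO(p)` in the `@@ -42` hunk special-cases IPv6 by returning `(p)->ip6h->next` instead of going through `iph_ret_proto`, and `next` in the base IPv6 header is the first next-header value, so for a packet carrying extension headers this macro would report the extension type rather than the upper-layer protocol unless the decoder rewrites that field, which is not visible here; if that is intended, a comment such as `/* IPv6: first next-header value, not the transport protocol after extension headers */` should say so, and if not, `iph_ret_proto` is presumably the right source for both families. Separately, the parenthesization sweep left `IP_IS_SET(x) sfip_is_set(&x)` with a bare argument; `sfip_is_set(&(x))` matches the rest of the hunk.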
@@ -130,52 +137,52 @@ /////////////// /* IPv4 only */ #include <sys/types.h> -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif - -typedef u_int32_t snort_ip; /* 32 bits only -- don't use unsigned long */ -typedef u_int32_t snort_ip_p; /* 32 bits only -- don't use unsigned long */ -#define IP_SRC_EQUALITY(x,y) (x->ip_addr == (y->iph->ip_src.s_addr & x->netmask)) -#define IP_DST_EQUALITY(x,y) (x->ip_addr == (y->iph->ip_dst.s_addr & x->netmask)) +typedef uint32_t snort_ip; /* 32 bits only -- don't use unsigned long */ +typedef uint32_t snort_ip_p; /* 32 bits only -- don't use unsigned long */ -#define GET_SRC_IP(x) x->iph->ip_src.s_addr -#define GET_DST_IP(x) x->iph->ip_dst.s_addr +#define IP_SRC_EQUALITY(x,y) ((x)->ip_addr == ((y)->iph->ip_src.s_addr & x->netmask)) +#define IP_DST_EQUALITY(x,y) ((x)->ip_addr == ((y)->iph->ip_dst.s_addr & x->netmask)) -#define GET_ORIG_SRC(p) (p->orig_iph->ip_src.s_addr) -#define GET_ORIG_DST(p) (p->orig_iph->ip_dst.s_addr) - -#define GET_SRC_ADDR(x) x->iph->ip_src -#define GET_DST_ADDR(x) x->iph->ip_dst - -#define IP_CLEAR_SRC(x) x->iph->ip_src.s_addr = 0 -#define IP_CLEAR_DST(x) x->iph->ip_dst.s_addr = 0 - -#define IP_EQUALITY(x,y) (x == y) -#define IP_EQUALITY_UNSET(x,y) (x == y) -#define IP_LESSER(x,y) (x < y) -#define IP_GREATER(x,y) (x > y) - -#define GET_IPH_PROTO(p) p->iph->ip_proto -#define GET_IPH_TOS(p) p->iph->ip_tos -#define GET_IPH_LEN(p) p->iph->ip_len -#define GET_IPH_TTL(p) p->iph->ip_ttl -#define GET_IPH_VER(p) ((p->iph->ip_verhl & 0xf0) >> 4) -#define GET_IPH_ID(p) p->iph->ip_id -#define GET_IPH_OFF(p) p->iph->ip_off - -#define GET_ORIG_IPH_VER(p) IP_VER(p->orig_iph) -#define GET_ORIG_IPH_LEN(p) p->orig_iph->ip_len -#define GET_ORIG_IPH_OFF(p) p->orig_iph->ip_off -#define GET_ORIG_IPH_PROTO(p) p->orig_iph->ip_proto +#define GET_SRC_IP(x) (x)->iph->ip_src.s_addr +#define GET_DST_IP(x) (x)->iph->ip_dst.s_addr +#define GET_INNER_SRC_IP(x) (x)->iph->ip_src.s_addr +#define GET_INNER_DST_IP(x) (x)->iph->ip_dst.s_addr 
+#define GET_OUTER_SRC_IP(x) (x)->outer_ip4_header->source.s_addr +#define GET_OUTER_DST_IP(x) (x)->outer_ip4_header->destination.s_addr +#define GET_ORIG_SRC(p) ((p)->orig_iph->ip_src.s_addr) +#define GET_ORIG_DST(p) ((p)->orig_iph->ip_dst.s_addr) + +#define GET_SRC_ADDR(x) (x)->iph->ip_src +#define GET_DST_ADDR(x) (x)->iph->ip_dst + +#define IP_CLEAR_SRC(x) (x)->iph->ip_src.s_addr = 0 +#define IP_CLEAR_DST(x) (x)->iph->ip_dst.s_addr = 0 + +#define IP_EQUALITY(x,y) ((x) == (y)) +#define IP_EQUALITY_UNSET(x,y) ((x) == (y)) +#define IP_LESSER(x,y) ((x) < (y)) +#define IP_GREATER(x,y) ((x) > (y)) + +#define GET_IPH_PROTO(p) (p)->iph->ip_proto +#define GET_IPH_TOS(p) (p)->iph->ip_tos +#define GET_IPH_LEN(p) (p)->iph->ip_len +#define GET_IPH_TTL(p) (p)->iph->ip_ttl +#define GET_IPH_VER(p) (((p)->iph->ip_verhl & 0xf0) >> 4) +#define GET_IPH_ID(p) (p)->iph->ip_id +#define GET_IPH_OFF(p) (p)->iph->ip_off + +#define GET_ORIG_IPH_VER(p) IP_VER((p)->orig_iph) +#define GET_ORIG_IPH_LEN(p) (p)->orig_iph->ip_len +#define GET_ORIG_IPH_OFF(p) (p)->orig_iph->ip_off +#define GET_ORIG_IPH_PROTO(p) (p)->orig_iph->ip_proto #define IS_IP4(x) 1 #define IS_IP6(x) 0 -#define IPH_IS_VALID(p) p->iph +#define IPH_IS_VALID(p) (p)->iph #define IP_CLEAR(x) x = 0; -#define IS_SET(x) x +#define IP_IS_SET(x) x #define IP_COPY_VALUE(x,y) x = y @@ -186,11 +193,11 @@ #define GET_IP_PAYLEN(p) ntohs(GET_IPH_LEN(p)) - (GET_IPH_HLEN(p) << 2) #define IP_ARG(ipt) (ipt) -#define IP_PTR(ipp) (&ipp) +#define IP_PTR(ipp) (&(ipp)) #define IP_VAL(ipt) (ipt) #define IP_SIZE(ipp) (sizeof(ipp)) -static INLINE int sfip_equal (snort_ip ip1, snort_ip ip2) +static inline int sfip_equal (snort_ip ip1, snort_ip ip2) { return IP_EQUALITY(ip1, ip2); } diff -Nru snort-2.9.0.1/src/log.c snort-2.9.2/src/log.c --- snort-2.9.0.1/src/log.c 2010-10-25 12:48:59.000000000 -0700 +++ snort-2.9.2/src/log.c 2011-10-26 11:28:52.000000000 -0700 
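Review bot: The parenthesization pass in the `@@ -130` hunk is incomplete: `IP_SRC_EQUALITY(x,y)` and `IP_DST_EQUALITY(x,y)` still use a bare `x->netmask` on the right-hand side while the other uses of `x` were wrapped, so an argument such as `*q` or a cast expression expands differently in the two halves of the same macro; use `((x)->ip_addr == ((y)->iph->ip_src.s_addr & (x)->netmask))` and the same for the destination form. `IP_CLEAR(x) x = 0;` and `IP_IS_SET(x) x` are likewise left bare in this IPv4-only branch. With `#include <config.h>` removed here and `#include "sf_types.h"` removed earlier in the file, the `uint32_t` now used for `snort_ip` presumably arrives via snort_debug.h; that is worth confirming for a non-SUP_IP6 build.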
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -43,12 +43,13 @@ #include "rules.h" #include "treenodes.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "signature.h" #include "util_net.h" -#include "bounds.h" +#include "snort_bounds.h" #include "obfuscation.h" #include "detection_util.h" +#include "detect.h" #include "snort.h" @@ -58,8 +59,8 @@ int data_dump_buffer_size = 0;/* size of printout buffer */ int dump_size; /* amount of data to print */ -extern uint16_t event_id; - +extern int IsGzipData(void *); +extern int IsJSNormData(void *); void AllocDumpBuf(); @@ -116,7 +117,7 @@ printf("Got NULL ptr in PrintNetData()\n"); return; } - + end = (char*) (start + (len - 1)); /* set the end of buffer ptr */ if(len > IP_MAXPACKET) @@ -503,12 +504,12 @@ else { #ifdef SUP_IP6 - PrintNetData(fp, (u_char *) + PrintNetData(fp, (u_char *) (u_char *)p->iph + (GET_IPH_HLEN(p) << 2), GET_IP_PAYLEN(p), NULL); #else - PrintNetData(fp, (u_char *) - ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), + PrintNetData(fp, (u_char *) + ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), (p->actual_ip_len - (IP_HLEN(p->iph) << 2)), NULL); #endif } @@ -523,12 +524,12 @@ else { #ifdef SUP_IP6 - PrintNetData(fp, (u_char *) + PrintNetData(fp, (u_char *) (u_char *)p->iph + (GET_IPH_HLEN(p) << 2), GET_IP_PAYLEN(p), NULL); #else - PrintNetData(fp, (u_char *) - ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), + PrintNetData(fp, (u_char *) + ((u_char *)p->iph + (IP_HLEN(p->iph) << 2)), (p->actual_ip_len - (IP_HLEN(p->iph) << 2)), NULL); #endif } 
@@ -543,12 +544,12 @@ else { #ifdef SUP_IP6 - PrintNetData(fp, (u_char *) + PrintNetData(fp, (u_char *) ((u_char *)p->iph + (GET_IPH_HLEN(p) << 2)), GET_IP_PAYLEN(p), NULL); #else - PrintNetData(fp, (u_char *) - ((u_char *) p->iph + (IP_HLEN(p->iph) << 2)), + PrintNetData(fp, (u_char *) + ((u_char *) p->iph + (IP_HLEN(p->iph) << 2)), (ntohs(p->iph->ip_len) - (IP_HLEN(p->iph) << 2)), NULL); #endif } @@ -572,19 +573,29 @@ if (ScOutputCharData()) { PrintCharData(fp, (char*) p->data, p->dsize); - if(p->data_flags & DATA_FLAGS_GZIP) + if(!IsJSNormData(p->ssnptr)) + { + fprintf(fp, "%s\n", "Normalized JavaScript for this packet"); + PrintCharData(fp, (char *)file_data_ptr.data, file_data_ptr.len); + } + else if(!IsGzipData(p->ssnptr)) { fprintf(fp, "%s\n", "Decompressed Data for this packet"); - PrintCharData(fp, (char *)DecodeBuffer.data, DecodeBuffer.len); + PrintCharData(fp, (char *)file_data_ptr.data, file_data_ptr.len); } } else { PrintNetData(fp, p->data, p->dsize, NULL); - if(p->data_flags & DATA_FLAGS_GZIP) + if(!IsJSNormData(p->ssnptr)) + { + fprintf(fp, "%s\n", "Normalized JavaScript for this packet"); + PrintNetData(fp, file_data_ptr.data, file_data_ptr.len, NULL); + } + else if(!IsGzipData(p->ssnptr)) { fprintf(fp, "%s\n", "Decompressed Data for this packet"); - PrintNetData(fp, DecodeBuffer.data, DecodeBuffer.len, NULL); + PrintNetData(fp, file_data_ptr.data, file_data_ptr.len, NULL); } } } @@ -630,7 +641,7 @@ if(!ScDaemonMode()) SnortSnprintf(filename, STD_BUF, "%s/alert%s", snort_conf->log_dir, suffix); else - SnortSnprintf(filename, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(filename, STD_BUF, "%s/%s", snort_conf->log_dir, DEFAULT_DAEMON_ALERT_FILE); } else @@ -690,7 +701,7 @@ if(!ScDaemonMode()) SnortSnprintf(oldname, STD_BUF, "%s/alert%s", snort_conf->log_dir, suffix); else - SnortSnprintf(oldname, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(oldname, STD_BUF, "%s/%s", snort_conf->log_dir, DEFAULT_DAEMON_ALERT_FILE); } else 
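Review bot: In the `@@ -572,19 +573,29 @@` hunk the new gates `if(!IsJSNormData(p->ssnptr))` and `else if(!IsGzipData(p->ssnptr))` read as inverted: a predicate named `Is…` is expected to be non-zero when true, yet the branch that prints the normalized or decompressed data runs when it returns zero. The functions are only known here through the bare `extern int IsJSNormData(void *);` added earlier in this file, so the 0-means-present convention is invisible at the call site; I would either document it on those declarations, `/* return 0 when the session carries JS-normalized / gzip data, non-zero otherwise */`, or compare explicitly, `if(IsJSNormData(p->ssnptr) == 0)`. Note also that both branches print the same global `file_data_ptr` buffer, so a session that has both JS-normalized and decompressed data is logged once under the JavaScript caption only, and that the old per-packet `p->data_flags & DATA_FLAGS_GZIP` test has become a session lookup: for a packet with no session (`p->ssnptr == NULL`) what gets printed depends entirely on how the callee handles NULL, which this diff does not show. The enclosing function starts outside the hunk.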
@@ -815,7 +826,7 @@ void Print2ndHeader(FILE * fp, Packet * p) { - switch(DAQ_GetBaseProtocol()) + switch(DAQ_GetBaseProtocol()) { case DLT_EN10MB: /* Ethernet */ if(p && p->eh) @@ -827,12 +838,12 @@ if(p && p->wifih) PrintWifiHeader(fp, p); break; -#endif +#endif case DLT_IEEE802: /* Token Ring */ if(p && p->trh) PrintTrHeader(fp, p); - break; -#ifdef DLT_LINUX_SLL + break; +#ifdef DLT_LINUX_SLL case DLT_LINUX_SLL: if (p && p->sllh) PrintSLLHeader(fp, p); /* Linux cooked sockets */ @@ -843,7 +854,7 @@ if (ScLogVerbose()) { ErrorMessage("Datalink %i type 2nd layer display is not " - "supported\n", DAQ_GetBaseProtocol()); + "supported\n", DAQ_GetBaseProtocol()); } } } @@ -928,7 +939,7 @@ { fprintf(log,"label:0x%05X exp:0x%X bos:0x%X ttl:0x%X\n", - p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); + p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); } #endif @@ -982,7 +993,7 @@ } /* mac addr */ - fprintf(fp, "l/l len: %i l/l type: 0x%X %02X:%02X:%02X:%02X:%02X:%02X\n", + fprintf(fp, "l/l len: %i l/l type: 0x%X %02X:%02X:%02X:%02X:%02X:%02X\n", htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype), p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2], p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]); @@ -1009,12 +1020,12 @@ ts_print((struct timeval *) & p->pkth->ts, timestamp); /* determine what to use as MAC src and dst */ - if (p->eh != NULL) + if (p->eh != NULL) { mac_src = p->eh->ether_src; mac_dst = p->eh->ether_dst; } /* per table 4, 802.11 section 7.2.2 */ - else if (p->wifih != NULL && + else if (p->wifih != NULL && (p->wifih->frame_control & WLAN_FLAG_FROMDS)) { mac_src = p->wifih->addr3; @@ -1032,8 +1043,8 @@ mac_dst = p->wifih->addr1; } - /* - * if these are null this function will break, exit until + /* + * if these are null this function will break, exit until * someone writes a function for it... */ if(mac_src == NULL || mac_dst == NULL) 
@@ -1083,7 +1094,7 @@ fprintf(fp, "ARP reply %s", inet_ntoa(ip_addr)); /* print out the originating request if we're on a weirder - * wireless protocol */ + * wireless protocol */ if(memcmp((char *) mac_src, (char *) p->ah->arp_sha, 6) != 0) { fprintf(fp, " (%X:%X:%X:%X:%X:%X)", mac_src[0], @@ -1166,7 +1177,7 @@ GET_IPH_TTL(p), GET_IPH_TOS(p), IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)), - GET_IPH_HLEN(p) << 2, + GET_IPH_HLEN(p) << 2, GET_IP_DGMLEN(p)); /* print the reserved bit if it's set */ @@ -1207,7 +1218,7 @@ IP4Hdr *save_ip4h = p->ip4h; IP6Hdr *save_ip6h = p->ip6h; uint8_t save_frag_flag = p->frag_flag; - uint16_t save_sp, save_dp; + uint16_t save_sp = p->sp, save_dp = p->dp; p->family = p->outer_family; p->iph_api = p->outer_iph_api; @@ -1219,9 +1230,6 @@ if (p->proto_bits & PROTO_BIT__TEREDO) { - save_sp = p->sp; - save_dp = p->dp; - if (p->outer_udph) { p->sp = ntohs(p->outer_udph->uh_sport); @@ -1371,7 +1379,7 @@ switch(p->icmph->type) { case ICMP_ECHOREPLY: - fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); fwrite("ECHO REPLY", 10, 1, fp); break; @@ -1419,12 +1427,12 @@ break; case ICMP_PKT_FILTERED_NET: - fwrite("ADMINISTRATIVELY PROHIBITED NETWORK FILTERED", 44, + fwrite("ADMINISTRATIVELY PROHIBITED NETWORK FILTERED", 44, 1, fp); break; case ICMP_PKT_FILTERED_HOST: - fwrite("ADMINISTRATIVELY PROHIBITED HOST FILTERED", 41, + fwrite("ADMINISTRATIVELY PROHIBITED HOST FILTERED", 41, 1, fp); break; 
@@ -1486,14 +1494,14 @@ fwrite(" TOS HOST", 9, 1, fp); break; } - + #ifdef SUP_IP6 -/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa +/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa * which requires sfip_t instead of inaddr's. This call to inet_ntoa * is a rare case that doesn't use sfip_t's. */ -// XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP header - +// XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP header + sfip_raw_ntop(AF_INET, (void *)&p->icmph->s_icmp_gwaddr, buf, sizeof(buf)); fprintf(fp, " NEW GW: %s", buf); #else @@ -1501,19 +1509,19 @@ #endif PrintICMPEmbeddedIP(fp, p); - + break; case ICMP_ECHO: - fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + fprintf(fp, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); fwrite("ECHO", 4, 1, fp); break; case ICMP_ROUTER_ADVERTISE: fprintf(fp, "ROUTER ADVERTISMENT: " - "Num addrs: %d Addr entry size: %d Lifetime: %u", - p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, + "Num addrs: %d Addr entry size: %d Lifetime: %u", + p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, ntohs(p->icmph->s_icmp_lifetime)); break; 
@@ -1561,37 +1569,37 @@ break; case ICMP_TIMESTAMP: - fprintf(fp, "ID: %u Seq: %u TIMESTAMP REQUEST", + fprintf(fp, "ID: %u Seq: %u TIMESTAMP REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_TIMESTAMPREPLY: fprintf(fp, "ID: %u Seq: %u TIMESTAMP REPLY:\n" - "Orig: %u Rtime: %u Ttime: %u", + "Orig: %u Rtime: %u Ttime: %u", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, + p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, p->icmph->s_icmp_ttime); break; case ICMP_INFO_REQUEST: - fprintf(fp, "ID: %u Seq: %u INFO REQUEST", + fprintf(fp, "ID: %u Seq: %u INFO REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_INFO_REPLY: - fprintf(fp, "ID: %u Seq: %u INFO REPLY", + fprintf(fp, "ID: %u Seq: %u INFO REPLY", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESS: - fprintf(fp, "ID: %u Seq: %u ADDRESS REQUEST", + fprintf(fp, "ID: %u Seq: %u ADDRESS REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: - fprintf(fp, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", + fprintf(fp, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - (u_int) ntohl(p->icmph->s_icmp_mask)); + (u_int) ntohl(p->icmph->s_icmp_mask)); break; default: @@ -1738,7 +1746,7 @@ case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_ADDRESSREPLY: - fprintf(fp, " Id: %u SeqNo: %u", + fprintf(fp, " Id: %u SeqNo: %u", ntohs(icmph->s_icmp_id), ntohs(icmph->s_icmp_seq)); break; @@ -1780,7 +1788,7 @@ fwrite("\nIP Options => ", 15, 1, fp); init_offset = ftell(fp); } - + switch(p->ip_options[i].code) { case IPOPT_RR: @@ -1822,7 +1830,7 @@ case IPOPT_RTRALT: fwrite("RTRALT ", 7, 1, fp); - break; + break; default: fprintf(fp, "Opt %d: ", p->ip_options[i].code); 
@@ -1835,7 +1843,7 @@ fprintf(fp, "%02X", p->ip_options[i].data[j]); else fprintf(fp, "%02X", 0); - + if((j % 2) == 0) fprintf(fp, " "); } @@ -1872,7 +1880,7 @@ fwrite("\nTCP Options => ", 16, 1, fp); init_offset = ftell(fp); } - + switch(p->tcp_options[i].code) { case TCPOPT_MAXSEG: @@ -1971,7 +1979,7 @@ fprintf(fp, "%02X", p->tcp_options[i].data[j]); else fprintf(fp, "%02X", 0); - + if ((j + 1) % 2 == 0) fprintf(fp, " "); } @@ -1999,7 +2007,7 @@ * do_newline => tack a \n to the end of the line or not (bool) * * Returns: void function - */ + */ void PrintPriorityData(FILE *fp, int do_newline) { if (otn_tmp == NULL) @@ -2018,7 +2026,7 @@ fprintf(fp, "\n"); } - + /* * Function: PrintXrefs(FILE *) * @@ -2028,7 +2036,7 @@ * do_newline => tack a \n to the end of the line or not (bool) * * Returns: void function - */ + */ void PrintXrefs(FILE *fp, int do_newline) { ReferenceNode *refNode = NULL; @@ -2062,7 +2070,7 @@ #else void SnortSetEvent #endif - (Event *event, uint32_t generator, uint32_t id, uint32_t rev, + (Event *event, uint32_t generator, uint32_t id, uint32_t rev, uint32_t classification, uint32_t priority, uint32_t event_ref) { event->sig_generator = generator; @@ -2097,7 +2105,7 @@ void PrintEapolPkt(FILE * fp, Packet * p) { char timestamp[TIMEBUF_SIZE]; - + bzero((char *) timestamp, TIMEBUF_SIZE); ts_print((struct timeval *) & p->pkth->ts, timestamp); @@ -2130,8 +2138,8 @@ { PrintNetData(fp, p->pkt, p->pkth->caplen, p); } - - fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n"); + + fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n"); } /**************************************************************************** @@ -2174,7 +2182,7 @@ sa = p->wifih->addr2; bssid = p->wifih->addr3; } - + /* DO this switch to provide additional info on the type */ switch(p->wifih->frame_control & 0x00ff) { 
@@ -2212,7 +2220,7 @@ case WLAN_TYPE_MGMT_DEAUTH: fprintf(fp, "Deauthent. "); break; - + /* Control frames */ case WLAN_TYPE_CONT_PS: case WLAN_TYPE_CONT_RTS: @@ -2222,8 +2230,8 @@ case WLAN_TYPE_CONT_CFACK: fprintf(fp, "Control "); break; - } - + } + if (sa != NULL) { fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", sa[0], sa[1], sa[2], sa[3], sa[4], sa[5]); @@ -2231,8 +2239,8 @@ else if (ta != NULL) { fprintf(fp, "ta: %X:%X:%X:%X:%X:%X da: ", ta[0], ta[1], ta[2], ta[3], ta[4], ta[5]); - } - + } + fprintf(fp, "%X:%X:%X:%X:%X:%X\n", da[0], da[1], da[2], da[3], da[4], da[5]); @@ -2241,7 +2249,7 @@ fprintf(fp, "bssid: %X:%X:%X:%X:%X:%X", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]); } - + if (ra != NULL) { fprintf(fp, " ra: %X:%X:%X:%X:%X:%X", ra[0], ra[1], ra[2], ra[3], ra[4], ra[5]); @@ -2417,7 +2425,7 @@ void PrintEapolKey(FILE * fp, Packet * p) { uint16_t length; - + if(p->eapolk == NULL) { fprintf(fp, "Eapol Key truncated\n"); diff -Nru snort-2.9.0.1/src/log.h snort-2.9.2/src/log.h --- snort-2.9.0.1/src/log.h 2010-06-23 20:59:42.000000000 -0700 +++ snort-2.9.2/src/log.h 2011-02-09 15:22:49.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/log_text.c snort-2.9.2/src/log_text.c --- snort-2.9.0.1/src/log_text.c 2010-10-25 12:48:59.000000000 -0700 +++ snort-2.9.2/src/log_text.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -19,6 +19,9 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +// @file log_text.c +// @author Russ Combs <rcombs@sourcefire.com> + #ifdef HAVE_CONFIG_H #include "config.h" #endif @@ -43,14 +46,14 @@ #include "rules.h" #include "treenodes.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "signature.h" #include "util_net.h" #include "snort.h" #include "log_text.h" #include "sfutil/sf_textlog.h" -#include "bounds.h" +#include "snort_bounds.h" #include "obfuscation.h" #include "detection_util.h" @@ -60,6 +63,9 @@ extern OptTreeNode *otn_tmp; /* global ptr to current rule data */ +extern int IsGzipData(void *); +extern int IsJSNormData(void *); + /*-------------------------------------------------------------------- * utility functions *-------------------------------------------------------------------- @@ -85,7 +91,7 @@ * * Returns: void function *-------------------------------------------------------------------- - */ + */ void LogPriorityData(TextLog* log, bool doNewLine) { if (otn_tmp == NULL) @@ -177,7 +183,7 @@ /* protocol and pkt size */ TextLog_Print(log, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), - p->pkth->pktlen); + p->pkth->pktlen); } #ifdef MPLS @@ -185,7 +191,7 @@ { TextLog_Print(log,"label:0x%05X exp:0x%X bos:0x%X ttl:0x%X\n", - p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); + p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); } #endif @@ -212,7 +218,7 @@ * Returns: void function *-------------------------------------------------------------------- */ -#ifdef DLT_LINUX_SLL +#ifdef DLT_LINUX_SLL static void LogSLLHeader(TextLog* log, Packet* p) { switch (ntohs(p->sllh->sll_pkttype)) { 
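Review bot: The `@@ -60,6 +63,9 @@` hunk declares `extern int IsGzipData(void *);` and `extern int IsJSNormData(void *);` locally in log_text.c, and this diff adds the same two prototypes by hand in log.c; hand-written externs in two translation units bypass the compiler's check against the actual definition, so a later change to the return type or parameter would go unnoticed until runtime. They belong in a header that the defining module also includes (that module is not visible here, so I cannot name it), replaced at both call sites by an `#include`. At minimum the untyped `void *` parameter deserves a comment stating what it is, `/* arg is p->ssnptr (stream session data) */`, since that is what both callers pass; whether a NULL session is accepted is not visible in this diff and should be stated there too.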
@@ -237,7 +243,7 @@ } /* mac addr */ - TextLog_Print(log, "l/l len: %i l/l type: 0x%X %02X:%02X:%02X:%02X:%02X:%02X\n", + TextLog_Print(log, "l/l len: %i l/l type: 0x%X %02X:%02X:%02X:%02X:%02X:%02X\n", htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype), p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2], p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]); @@ -288,7 +294,7 @@ sa = p->wifih->addr2; bssid = p->wifih->addr3; } - + /* DO this switch to provide additional info on the type */ switch(p->wifih->frame_control & 0x00ff) { @@ -326,7 +332,7 @@ case WLAN_TYPE_MGMT_DEAUTH: TextLog_Puts(log, "Deauthent. "); break; - + /* Control frames */ case WLAN_TYPE_CONT_PS: case WLAN_TYPE_CONT_RTS: @@ -336,8 +342,8 @@ case WLAN_TYPE_CONT_CFACK: TextLog_Puts(log, "Control "); break; - } - + } + if (sa != NULL) { TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", sa[0], sa[1], sa[2], sa[3], sa[4], sa[5]); @@ -345,8 +351,8 @@ else if (ta != NULL) { TextLog_Print(log, "ta: %X:%X:%X:%X:%X:%X da: ", ta[0], ta[1], ta[2], ta[3], ta[4], ta[5]); - } - + } + TextLog_Print(log, "%X:%X:%X:%X:%X:%X\n", da[0], da[1], da[2], da[3], da[4], da[5]); @@ -355,7 +361,7 @@ TextLog_Print(log, "bssid: %X:%X:%X:%X:%X:%X", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]); } - + if (ra != NULL) { TextLog_Print(log, " ra: %X:%X:%X:%X:%X:%X", ra[0], ra[1], ra[2], ra[3], ra[4], ra[5]); @@ -386,7 +392,7 @@ void Log2ndHeader(TextLog* log, Packet* p) { - switch(DAQ_GetBaseProtocol()) + switch(DAQ_GetBaseProtocol()) { case DLT_EN10MB: /* Ethernet */ if(p && p->eh) @@ -402,8 +408,8 @@ case DLT_IEEE802: /* Token Ring */ if(p && p->trh) LogTrHeader(log, p); - break; -#ifdef DLT_LINUX_SLL + break; +#ifdef DLT_LINUX_SLL case DLT_LINUX_SLL: if (p && p->sllh) LogSLLHeader(log, p); /* Linux cooked sockets */ 
@@ -415,7 +421,7 @@ { // FIXTHIS should only be output once! ErrorMessage("Datalink %i type 2nd layer display is not " - "supported\n", DAQ_GetBaseProtocol()); + "supported\n", DAQ_GetBaseProtocol()); } } } @@ -447,7 +453,7 @@ TextLog_Puts(log, "\nIP Options => "); init_offset = TextLog_Tell(log); } - + switch(p->ip_options[i].code) { case IPOPT_RR: @@ -489,7 +495,7 @@ case IPOPT_RTRALT: TextLog_Puts(log, "RTRALT "); - break; + break; default: TextLog_Print(log, "Opt %d: ", p->ip_options[i].code); @@ -502,7 +508,7 @@ TextLog_Print(log, "%02X", p->ip_options[i].data[j]); else TextLog_Print(log, "%02X", 0); - + if((j % 2) == 0) TextLog_Putc(log, ' '); } @@ -602,7 +608,7 @@ GET_IPH_TTL(p), GET_IPH_TOS(p), IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)), - GET_IPH_HLEN(p) << 2, + GET_IPH_HLEN(p) << 2, GET_IP_DGMLEN(p)); /* print the reserved bit if it's set */ @@ -716,7 +722,7 @@ TextLog_Puts(log, "\nTCP Options => "); init_offset = TextLog_Tell(log); } - **/ + **/ switch(p->tcp_options[i].code) { case TCPOPT_MAXSEG: @@ -814,7 +820,7 @@ TextLog_Print(log, "%02X", p->tcp_options[i].data[j]); else TextLog_Print(log, "%02X", 0); - + if ((j + 1) % 2 == 0) TextLog_Putc(log, ' '); } @@ -955,7 +961,7 @@ case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_ADDRESSREPLY: - TextLog_Print(log, " Id: %u SeqNo: %u", + TextLog_Print(log, " Id: %u SeqNo: %u", ntohs(icmph->s_icmp_id), ntohs(icmph->s_icmp_seq)); break; @@ -1086,7 +1092,7 @@ switch(p->icmph->type) { case ICMP_ECHOREPLY: - TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); TextLog_Puts(log, "ECHO REPLY"); break; 
@@ -1199,14 +1205,14 @@ TextLog_Puts(log, " TOS HOST"); break; } - + #ifdef SUP_IP6 -/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa +/* written this way since inet_ntoa was typedef'ed to use sfip_ntoa * which requires sfip_t instead of inaddr's. This call to inet_ntoa * is a rare case that doesn't use sfip_t's. */ // XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP - + /* no inet_ntop in Windows */ sfip_raw_ntop(AF_INET, (const void *)(&p->icmph->s_icmp_gwaddr.s_addr), buf, sizeof(buf)); @@ -1216,19 +1222,19 @@ #endif LogICMPEmbeddedIP(log, p); - + break; case ICMP_ECHO: - TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), + TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); TextLog_Puts(log, "ECHO"); break; case ICMP_ROUTER_ADVERTISE: TextLog_Print(log, "ROUTER ADVERTISMENT: " - "Num addrs: %d Addr entry size: %d Lifetime: %u", - p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, + "Num addrs: %d Addr entry size: %d Lifetime: %u", + p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, ntohs(p->icmph->s_icmp_lifetime)); break; 
@@ -1276,37 +1282,37 @@ break; case ICMP_TIMESTAMP: - TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REQUEST", + TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_TIMESTAMPREPLY: TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REPLY:\n" - "Orig: %u Rtime: %u Ttime: %u", + "Orig: %u Rtime: %u Ttime: %u", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, + p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, p->icmph->s_icmp_ttime); break; case ICMP_INFO_REQUEST: - TextLog_Print(log, "ID: %u Seq: %u INFO REQUEST", + TextLog_Print(log, "ID: %u Seq: %u INFO REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_INFO_REPLY: - TextLog_Print(log, "ID: %u Seq: %u INFO REPLY", + TextLog_Print(log, "ID: %u Seq: %u INFO REPLY", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESS: - TextLog_Print(log, "ID: %u Seq: %u ADDRESS REQUEST", + TextLog_Print(log, "ID: %u Seq: %u ADDRESS REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: - TextLog_Print(log, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", + TextLog_Print(log, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), - (u_int) ntohl(p->icmph->s_icmp_mask)); + (u_int) ntohl(p->icmph->s_icmp_mask)); break; default: @@ -1331,7 +1337,7 @@ if(refNode->system) { if(refNode->system->url) - TextLog_Print(log, "[Xref => %s%s]", refNode->system->url, + TextLog_Print(log, "[Xref => %s%s]", refNode->system->url, refNode->id); else TextLog_Print(log, "[Xref => %s %s]", refNode->system->name, @@ -1342,7 +1348,7 @@ TextLog_Print(log, "[Xref => %s]", refNode->id); } } - return; + return; } /* 
@@ -1354,8 +1360,8 @@ * doNewLine => tack a \n to the end of the line or not (bool) * * Returns: void function - */ -void LogXrefs(TextLog* log, int doNewLine) + */ +void LogXrefs(TextLog* log, bool doNewLine) { ReferenceNode *refNode = NULL; @@ -1620,7 +1626,7 @@ * Returns: void function *-------------------------------------------------------------------- */ - + #ifdef SUP_IP6 #define DATA_PTR(p) \ ((u_char*)p->iph + (GET_IPH_HLEN(p) << 2)) @@ -1721,19 +1727,29 @@ if (ScOutputCharData()) { LogCharData(log, (char *)p->data, p->dsize); - if(p->data_flags & DATA_FLAGS_GZIP) + if(!IsJSNormData(p->ssnptr)) + { + TextLog_Print(log, "%s\n", "Normalized JavaScript for this packet"); + LogCharData(log, (char *)file_data_ptr.data, file_data_ptr.len); + } + else if(!IsGzipData(p->ssnptr)) { TextLog_Print(log, "%s\n", "Decompressed Data for this packet"); - LogCharData(log, (char *)DecodeBuffer.data, DecodeBuffer.len); + LogCharData(log, (char *)file_data_ptr.data, file_data_ptr.len); } } else { LogNetData(log, p->data, p->dsize, NULL); - if(p->data_flags & DATA_FLAGS_GZIP) + if(!IsJSNormData(p->ssnptr)) + { + TextLog_Print(log, "%s\n", "Normalized JavaScript for this packet"); + LogNetData(log, file_data_ptr.data, file_data_ptr.len, NULL); + } + else if(!IsGzipData(p->ssnptr)) { TextLog_Print(log, "%s\n", "Decompressed Data for this packet"); - LogNetData(log, DecodeBuffer.data, DecodeBuffer.len, NULL); + LogNetData(log, file_data_ptr.data, file_data_ptr.len, NULL); } } } @@ -1767,12 +1783,12 @@ memset((struct in_addr *) &ip_addr, 0, sizeof(struct in_addr)); /* determine what to use as MAC src and dst */ - if (p->eh != NULL) + if (p->eh != NULL) { mac_src = p->eh->ether_src; mac_dst = p->eh->ether_dst; } /* per table 4, 802.11 section 7.2.2 */ - else if (p->wifih != NULL && + else if (p->wifih != NULL && (p->wifih->frame_control & WLAN_FLAG_FROMDS)) { mac_src = p->wifih->addr3; 
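Review bot: The `@@ -1354,8 +1360,8 @@` hunk changes the second parameter of the externally visible `LogXrefs` from `int` to `bool`, but the log_text.h section of this diff only touches the copyright and author lines, so the prototype in that header is either already `bool` (meaning the definition was out of step before this change) or still `int`, in which case it now conflicts with the definition; confirm which, since log_text.c includes log_text.h. The change does bring `LogXrefs` in line with `LogPriorityData(TextLog* log, bool doNewLine)` visible earlier in the file, which is the right direction. Callers passing an integer literal keep working either way; the body of `LogXrefs` runs past the hunk.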
@@ -1790,8 +1806,8 @@ mac_dst = p->wifih->addr1; } - /* - * if these are null this function will break, exit until + /* + * if these are null this function will break, exit until * someone writes a function for it... */ if(mac_src == NULL || mac_dst == NULL) @@ -1841,7 +1857,7 @@ TextLog_Print(log, "ARP reply %s", inet_ntoa(ip_addr)); /* print out the originating request if we're on a weirder - * wireless protocol */ + * wireless protocol */ if(memcmp((char *) mac_src, (char *) p->ah->arp_sha, 6) != 0) { TextLog_Print(log, " (%X:%X:%X:%X:%X:%X)", mac_src[0], diff -Nru snort-2.9.0.1/src/log_text.h snort-2.9.2/src/log_text.h --- snort-2.9.0.1/src/log_text.h 2010-06-23 20:59:42.000000000 -0700 +++ snort-2.9.2/src/log_text.h 2011-06-07 17:33:06.000000000 -0700 @@ -1,7 +1,7 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,7 +22,7 @@ /** * @file log_text.h - * @author Russ Combs <cmg@sourcefire.com> + * @author Russ Combs <rcombs@sourcefire.com> * @date Fri Jun 27 10:34:37 2003 * * @brief logging to text file diff -Nru snort-2.9.0.1/src/Makefile.am snort-2.9.2/src/Makefile.am --- snort-2.9.0.1/src/Makefile.am 2010-06-09 15:04:50.000000000 -0700 +++ snort-2.9.2/src/Makefile.am 2011-10-26 11:28:52.000000000 -0700 @@ -10,12 +10,12 @@ snort_SOURCES = cdefs.h \ event.h \ generators.h \ -protocols.h \ +sf_protocols.h \ plugin_enum.h \ rules.h \ treenodes.h \ checksum.h \ -debug.c debug.h \ +debug.c snort_debug.h \ decode.c decode.h \ encode.c encode.h \ active.c active.h \ 
@@ -35,11 +35,11 @@ detect.c detect.h \ signature.c signature.h \ mempool.c mempool.h \ -sf_sdlist.c sf_sdlist.h \ +sf_sdlist.c sf_sdlist.h sf_sdlist_types.h \ fpcreate.c fpcreate.h \ fpdetect.c fpdetect.h \ pcrm.c pcrm.h \ -bounds.h \ +snort_bounds.h \ byte_extract.c \ byte_extract.h \ timersub.h \ @@ -47,7 +47,6 @@ sfthreshold.c sfthreshold.h \ packet_time.c packet_time.h \ event_wrapper.c event_wrapper.h \ -smalloc.h \ event_queue.c event_queue.h \ ipv6_port.h \ ppm.c ppm.h \ @@ -60,7 +59,8 @@ rate_filter.c rate_filter.h \ obfuscation.c obfuscation.h \ rule_option_types.h \ -sfdaq.c sfdaq.h +sfdaq.c sfdaq.h \ +idle_processing.c idle_processing.h idle_processing_funcs.h snort_LDADD = output-plugins/libspo.a \ detection-plugins/libspd.a \ @@ -70,12 +70,14 @@ target-based/libtarget_based.a \ preprocessors/HttpInspect/libhttp_inspect.a \ preprocessors/Stream5/libstream5.a \ -sfutil/libsfutil.a +sfutil/libsfutil.a \ +control/libsfcontrol.a if BUILD_DYNAMIC_EXAMPLES EXAMPLES_DIR = dynamic-examples endif -SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based $(EXAMPLES_DIR) + +SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based control $(EXAMPLES_DIR) INCLUDES = @INCLUDES@ diff -Nru snort-2.9.0.1/src/Makefile.in snort-2.9.2/src/Makefile.in --- snort-2.9.0.1/src/Makefile.in 2010-10-08 02:56:52.000000000 -0700 +++ snort-2.9.2/src/Makefile.in 2011-12-07 11:23:17.000000000 -0800 
@@ -48,23 +48,25 @@ CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) -am__snort_SOURCES_DIST = cdefs.h event.h generators.h protocols.h \ - plugin_enum.h rules.h treenodes.h checksum.h debug.c debug.h \ - decode.c decode.h encode.c encode.h active.c active.h log.c \ - log.h mstring.c mstring.h parser.c parser.h profiler.c \ - profiler.h plugbase.c plugbase.h preprocids.h snort.c snort.h \ - build.h snprintf.c snprintf.h strlcatu.c strlcatu.h strlcpyu.c \ - strlcpyu.h tag.c tag.h util.c util.h detect.c detect.h \ - signature.c signature.h mempool.c mempool.h sf_sdlist.c \ - sf_sdlist.h fpcreate.c fpcreate.h fpdetect.c fpdetect.h pcrm.c \ - pcrm.h bounds.h byte_extract.c byte_extract.h timersub.h \ - spo_plugbase.h sfthreshold.c sfthreshold.h packet_time.c \ - packet_time.h event_wrapper.c event_wrapper.h smalloc.h \ - event_queue.c event_queue.h ipv6_port.h ppm.c ppm.h \ - pcap_pkthdr32.h cpuclock.h sf_types.h log_text.c log_text.h \ - detection_filter.c detection_filter.h detection_util.c \ - detection_util.h rate_filter.c rate_filter.h obfuscation.c \ - obfuscation.h rule_option_types.h sfdaq.c sfdaq.h +am__snort_SOURCES_DIST = cdefs.h event.h generators.h sf_protocols.h \ + plugin_enum.h rules.h treenodes.h checksum.h debug.c \ + snort_debug.h decode.c decode.h encode.c encode.h active.c \ + active.h log.c log.h mstring.c mstring.h parser.c parser.h \ + profiler.c profiler.h plugbase.c plugbase.h preprocids.h \ + snort.c snort.h build.h snprintf.c snprintf.h strlcatu.c \ + strlcatu.h strlcpyu.c strlcpyu.h tag.c tag.h util.c util.h \ + detect.c detect.h signature.c signature.h mempool.c mempool.h \ + sf_sdlist.c sf_sdlist.h sf_sdlist_types.h fpcreate.c \ + fpcreate.h fpdetect.c fpdetect.h pcrm.c pcrm.h snort_bounds.h \ + byte_extract.c byte_extract.h timersub.h spo_plugbase.h \ + sfthreshold.c sfthreshold.h packet_time.c packet_time.h \ + event_wrapper.c event_wrapper.h event_queue.c event_queue.h \ + ipv6_port.h ppm.c 
ppm.h pcap_pkthdr32.h cpuclock.h sf_types.h \ + log_text.c log_text.h detection_filter.c detection_filter.h \ + detection_util.c detection_util.h rate_filter.c rate_filter.h \ + obfuscation.c obfuscation.h rule_option_types.h sfdaq.c \ + sfdaq.h idle_processing.c idle_processing.h \ + idle_processing_funcs.h @BUILD_SNPRINTF_TRUE@am__objects_1 = snprintf.$(OBJEXT) am_snort_OBJECTS = debug.$(OBJEXT) decode.$(OBJEXT) encode.$(OBJEXT) \ active.$(OBJEXT) log.$(OBJEXT) mstring.$(OBJEXT) \ @@ -77,14 +79,16 @@ packet_time.$(OBJEXT) event_wrapper.$(OBJEXT) \ event_queue.$(OBJEXT) ppm.$(OBJEXT) log_text.$(OBJEXT) \ detection_filter.$(OBJEXT) detection_util.$(OBJEXT) \ - rate_filter.$(OBJEXT) obfuscation.$(OBJEXT) sfdaq.$(OBJEXT) + rate_filter.$(OBJEXT) obfuscation.$(OBJEXT) sfdaq.$(OBJEXT) \ + idle_processing.$(OBJEXT) snort_OBJECTS = $(am_snort_OBJECTS) snort_DEPENDENCIES = output-plugins/libspo.a \ detection-plugins/libspd.a dynamic-plugins/libdynamic.a \ preprocessors/libspp.a parser/libparser.a \ target-based/libtarget_based.a \ preprocessors/HttpInspect/libhttp_inspect.a \ - preprocessors/Stream5/libstream5.a sfutil/libsfutil.a + preprocessors/Stream5/libstream5.a sfutil/libsfutil.a \ + control/libsfcontrol.a DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = am__depfiles_maybe = @@ -115,7 +119,7 @@ CTAGS = ctags DIST_SUBDIRS = sfutil win32 output-plugins detection-plugins \ dynamic-plugins preprocessors parser dynamic-preprocessors \ - target-based dynamic-examples + target-based control dynamic-examples DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -151,7 +155,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -166,6 +172,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -202,13 +209,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -271,12 +284,12 @@ snort_SOURCES = cdefs.h \ event.h \ generators.h \ -protocols.h \ +sf_protocols.h \ plugin_enum.h \ rules.h \ treenodes.h \ checksum.h \ -debug.c debug.h \ +debug.c snort_debug.h \ decode.c decode.h \ encode.c encode.h \ active.c active.h \ @@ -296,11 +309,11 @@ detect.c detect.h \ signature.c signature.h \ mempool.c mempool.h \ -sf_sdlist.c sf_sdlist.h \ +sf_sdlist.c sf_sdlist.h sf_sdlist_types.h \ fpcreate.c fpcreate.h \ fpdetect.c fpdetect.h \ pcrm.c pcrm.h \ -bounds.h \ +snort_bounds.h \ byte_extract.c \ byte_extract.h \ timersub.h \ @@ -308,7 +321,6 @@ sfthreshold.c sfthreshold.h \ packet_time.c packet_time.h \ event_wrapper.c event_wrapper.h \ -smalloc.h \ event_queue.c event_queue.h \ ipv6_port.h \ ppm.c ppm.h \ @@ -321,7 +333,8 @@ rate_filter.c rate_filter.h \ obfuscation.c obfuscation.h \ rule_option_types.h \ -sfdaq.c sfdaq.h +sfdaq.c sfdaq.h \ +idle_processing.c idle_processing.h idle_processing_funcs.h snort_LDADD = output-plugins/libspo.a \ detection-plugins/libspd.a \ 
@@ -331,10 +344,11 @@ target-based/libtarget_based.a \ preprocessors/HttpInspect/libhttp_inspect.a \ preprocessors/Stream5/libstream5.a \ -sfutil/libsfutil.a +sfutil/libsfutil.a \ +control/libsfcontrol.a @BUILD_DYNAMIC_EXAMPLES_TRUE@EXAMPLES_DIR = dynamic-examples -SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based $(EXAMPLES_DIR) +SUBDIRS = sfutil win32 output-plugins detection-plugins dynamic-plugins preprocessors parser dynamic-preprocessors target-based control $(EXAMPLES_DIR) all: all-recursive .SUFFIXES: diff -Nru snort-2.9.0.1/src/mempool.c snort-2.9.2/src/mempool.c --- snort-2.9.0.1/src/mempool.c 2010-08-25 13:22:38.000000000 -0700 +++ snort-2.9.2/src/mempool.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -37,16 +37,17 @@ #endif #include "mempool.h" +#include "sf_sdlist.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" +#include "sf_types.h" /*SharedObjectAddStarts #include "sf_dynamic_preprocessor.h" -extern DynamicPreprocessorData _dpd; SharedObjectAddEnds */ -//#define TEST_MEMPOOL +//#define TEST_MEMPOOL -static INLINE void mempool_free_pools(MemPool *mempool) +static inline void mempool_free_pools(MemPool *mempool) { if (mempool == NULL) return; 
@@ -72,19 +73,19 @@ /* Function: int mempool_init(MemPool *mempool, * PoolCount num_objects, size_t obj_size) - * + * * Purpose: initialize a mempool object and allocate memory for it * Args: mempool - pointer to a MemPool struct * num_objects - number of items in this pool * obj_size - size of the items - * + * * Returns: 0 on success, 1 on failure - */ + */ int mempool_init(MemPool *mempool, PoolCount num_objects, size_t obj_size) { PoolCount i; - + if(mempool == NULL) return 1; @@ -95,7 +96,7 @@ return 1; mempool->obj_size = obj_size; - + /* this is the basis pool that represents all the *data pointers in the list */ mempool->datapool = calloc(num_objects, obj_size); @@ -146,26 +147,26 @@ bp = &mempool->bucketpool[i]; itemp = &mempool->listpool[i]; - + /* each bucket knows where it resides in the list */ bp->key = itemp; -#ifdef TEST_MEMPOOL +#ifdef TEST_MEMPOOL printf("listpool: %p itemp: %p diff: %u\n", mempool->listpool, itemp, (((char *) itemp) - ((char *) mempool->listpool))); #endif - + bp->data = ((char *) mempool->datapool) + (i * mempool->obj_size); - -#ifdef TEST_MEMPOOL + +#ifdef TEST_MEMPOOL printf("datapool: %p bp.data: %p diff: %u\n", mempool->datapool, mempool->datapool + (i * mempool->obj_size), (((char *) bp->data) - ((char *) mempool->datapool))); #endif - if(sf_sdlist_append(&mempool->free_list, + if(sf_sdlist_append(&mempool->free_list, &mempool->bucketpool[i], &mempool->listpool[i])) { @@ -181,13 +182,13 @@ return 0; } -/* Function: int mempool_clean(MemPool *mempool) - * +/* Function: int mempool_clean(MemPool *mempool) + * * Purpose: return all memory to free list * Args: mempool - pointer to a MemPool struct - * + * * Returns: 0 on success, -1 on failure - */ + */ int mempool_clean(MemPool *mempool) { unsigned int i; 
@@ -218,13 +219,13 @@ return 0; } -/* Function: int mempool_destroy(MemPool *mempool) - * +/* Function: int mempool_destroy(MemPool *mempool) + * * Purpose: destroy a set of mempool objects * Args: mempool - pointer to a MemPool struct - * + * * Returns: 0 on success, 1 on failure - */ + */ int mempool_destroy(MemPool *mempool) { if(mempool == NULL) @@ -234,23 +235,23 @@ /* TBD - callback to free up every stray pointer */ memset(mempool, 0, sizeof(MemPool)); - - return 0; + + return 0; } /* Function: MemBucket *mempool_alloc(MemPool *mempool); - * + * * Purpose: allocate a new object from the mempool * Args: mempool - pointer to a MemPool struct - * + * * Returns: a pointer to the mempool object on success, NULL on failure - */ + */ MemBucket *mempool_alloc(MemPool *mempool) { SDListItem *li = NULL; MemBucket *b; - + if(mempool == NULL) { return NULL; @@ -264,7 +265,7 @@ if((li == NULL) || sf_sdlist_remove(&mempool->free_list, li)) { -#ifdef TEST_MEMPOOL +#ifdef TEST_MEMPOOL printf("Failure on sf_sdlist_remove\n"); #endif return NULL; @@ -272,7 +273,7 @@ if(sf_sdlist_append(&mempool->used_list, li->data, li)) { -#ifdef TEST_MEMPOOL +#ifdef TEST_MEMPOOL printf("Failure on sf_sdlist_append\n"); #endif return NULL; @@ -281,27 +282,27 @@ /* TBD -- make configurable */ b = li->data; bzero(b->data, mempool->obj_size); - + return b; } void mempool_free(MemPool *mempool, MemBucket *obj) -{ +{ if ((mempool == NULL) || (obj == NULL)) return; if(sf_sdlist_remove(&mempool->used_list, obj->key)) { -#ifdef TEST_MEMPOOL +#ifdef TEST_MEMPOOL printf("failure on remove from used_list"); #endif return; } - + /* put the address of the membucket back in the list */ if(sf_sdlist_append(&mempool->free_list, obj, obj->key)) { -#ifdef TEST_MEMPOOL +#ifdef TEST_MEMPOOL printf("failure on add to free_list"); #endif return; 
@@ -332,7 +333,7 @@ "1eenie", "2meenie", "3minie", " 4moe", "1eenie", "2meenie", "3minie", " 4moe" }; - + if(mempool_init(&test, 36, 256)) { printf("error in mempool initialization\n"); @@ -358,7 +359,7 @@ mempool_free(&test, bucks[i]); bucks[i] = NULL; } - + for(i = 0; i < 14; i++) { if((bucks[i] = mempool_alloc(&test)) == NULL) @@ -376,7 +377,7 @@ printf("free: %u, used: %u\n", test.free_list.size, test.used_list.size); - + return 0; } #endif /* TEST_MEMPOOL */ diff -Nru snort-2.9.0.1/src/mempool.h snort-2.9.2/src/mempool.h --- snort-2.9.0.1/src/mempool.h 2010-08-25 13:22:38.000000000 -0700 +++ snort-2.9.2/src/mempool.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -23,8 +23,9 @@ #ifndef _MEMPOOL_H #define _MEMPOOL_H -#include "sf_sdlist.h" -#include "debug.h" +#include "sf_sdlist_types.h" +#include "sf_types.h" +#include "snort_debug.h" typedef unsigned int PoolCount; @@ -38,17 +39,17 @@ typedef struct _MemPool { void **datapool; /* memory buffer for MemBucket->data */ - + MemBucket *bucketpool; /* memory buffer */ SDListItem *listpool; /* list of things to use for memory bufs */ PoolCount total; - + sfSDList free_list; sfSDList used_list; - - size_t obj_size; + + size_t obj_size; } MemPool; int mempool_init(MemPool *mempool, PoolCount num_objects, size_t obj_size); @@ -57,7 +58,7 @@ void mempool_free(MemPool *mempool, MemBucket *obj); int mempool_clean(MemPool *mempool); -static INLINE MemBucket* mempool_oldestUsedBucket( +static inline MemBucket* mempool_oldestUsedBucket( MemPool *mempool ) { 
@@ -70,7 +71,7 @@ return NULL; } -static INLINE unsigned int mempool_numUsedBucket( +static inline unsigned int mempool_numUsedBucket( MemPool *mempool ) { diff -Nru snort-2.9.0.1/src/mstring.c snort-2.9.2/src/mstring.c --- snort-2.9.0.1/src/mstring.c 2010-10-25 12:48:59.000000000 -0700 +++ snort-2.9.2/src/mstring.c 2011-06-07 17:33:06.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** This program is free software; you can redistribute it and/or modify @@ -50,8 +50,9 @@ #include <ctype.h> #include <sys/types.h> +#include "sf_types.h" #include "mstring.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" /* needed for fasthex() */ #include "util.h" #include "detection_util.h" @@ -223,7 +224,7 @@ if (!isspace((int)str[j - 1])) break; } - + /* Allocate a buffer. The length will not have included the * meta char of escaped separators */ toks[cur_tok] = mSplitAddTok(&str[tok_start], j - tok_start, sep_chars, meta_char); @@ -345,7 +346,7 @@ return NULL; } - + /* Trim whitespace at end of last tok */ for (j = i; j > tok_start; j--) { @@ -510,7 +511,7 @@ const char *p_idx; /* index ptr into the pattern buffer */ const char *b_end; /* ptr to the end of the data buffer */ int m_cnt = 0; /* number of pattern matches so far... */ -#ifdef DEBUG +#ifdef DEBUG_MSGS unsigned long loopcnt = 0; #endif @@ -523,7 +524,7 @@ do { -#ifdef DEBUG +#ifdef DEBUG_MSGS loopcnt++; #endif @@ -670,7 +671,7 @@ { int b_idx = plen; -#ifdef DEBUG +#ifdef DEBUG_MSGS char *hexbuf; int cmpcnt = 0; #endif @@ -678,7 +679,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,"buf: %p blen: %d ptrn: %p " "plen: %d\n", buf, blen, ptrn, plen);); -#ifdef DEBUG +#ifdef DEBUG_MSGS hexbuf = fasthex((const u_char *)buf, blen); DebugMessage(DEBUG_PATTERN_MATCH,"buf: %s\n", hexbuf); free(hexbuf); 
@@ -687,7 +688,7 @@ free(hexbuf); DebugMessage(DEBUG_PATTERN_MATCH,"buf: %p blen: %d ptrn: %p " "plen: %d\n", buf, blen, ptrn, plen); -#endif /* DEBUG */ +#endif /* DEBUG_MSGS */ if(plen == 0) return 1; @@ -697,7 +698,7 @@ while(buf[--b_idx] == ptrn[--p_idx]) { -#ifdef DEBUG +#ifdef DEBUG_MSGS cmpcnt++; #endif if(b_idx < 0) @@ -705,7 +706,7 @@ if(p_idx == 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "match: compares = %d.\n", cmpcnt);); UpdateDoePtr(((const uint8_t *)&(buf[b_idx]) + plen), 0); return 1; @@ -749,7 +750,7 @@ int mSearchCI(const char *buf, int blen, const char *ptrn, int plen, int *skip, int *shift) { int b_idx = plen; -#ifdef DEBUG +#ifdef DEBUG_MSGS int cmpcnt = 0; #endif @@ -760,16 +761,16 @@ { int p_idx = plen, skip_stride, shift_stride; - while((unsigned char) ptrn[--p_idx] == + while((unsigned char) ptrn[--p_idx] == toupper((unsigned char) buf[--b_idx])) { -#ifdef DEBUG +#ifdef DEBUG_MSGS cmpcnt++; #endif if(p_idx == 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, - "match: compares = %d.\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, + "match: compares = %d.\n", cmpcnt);); UpdateDoePtr(((const uint8_t *)&(buf[b_idx]) + plen), 0); return 1; @@ -813,17 +814,17 @@ int b_idx = plen; int literal = 0; int regexcomp = 0; -#ifdef DEBUG +#ifdef DEBUG_MSGS int cmpcnt = 0; -#endif /*DEBUG*/ - +#endif /* DEBUG_MSGS */ + DEBUG_WRAP( DebugMessage(DEBUG_PATTERN_MATCH, "buf: %p blen: %d ptrn: %p " " plen: %d b_idx: %d\n", buf, blen, ptrn, plen, b_idx); DebugMessage(DEBUG_PATTERN_MATCH, "packet data: \"%s\"\n", buf); DebugMessage(DEBUG_PATTERN_MATCH, "matching for \"%s\"\n", ptrn); ); - + if(plen == 0) return 1; @@ -833,8 +834,8 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Looping... " "([%d]0x%X (%c) -> [%d]0x%X(%c))\n", - b_idx, buf[b_idx-1], - buf[b_idx-1], + b_idx, buf[b_idx-1], + buf[b_idx-1], p_idx, ptrn[p_idx-1], ptrn[p_idx-1]);); while(buf[--b_idx] == ptrn[--p_idx] 
@@ -842,9 +843,9 @@ || (ptrn[p_idx] == '*' && !literal) || (ptrn[p_idx] == '\\' && !literal)) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "comparing: b:%c -> p:%c\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "comparing: b:%c -> p:%c\n", buf[b_idx], ptrn[p_idx]);); -#ifdef DEBUG +#ifdef DEBUG_MSGS cmpcnt++; #endif @@ -876,7 +877,7 @@ if(p_idx == 0) { - DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "match: compares = %d.\n", + DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "match: compares = %d.\n", cmpcnt);); return 1; } @@ -888,7 +889,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "skip-shifting...\n");); skip_stride = skip[(unsigned char) buf[b_idx]]; shift_stride = shift[p_idx]; - + b_idx += (skip_stride > shift_stride) ? skip_stride : shift_stride; DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "b_idx skip-shifted to %d\n", b_idx);); b_idx += regexcomp; diff -Nru snort-2.9.0.1/src/mstring.h snort-2.9.2/src/mstring.h --- snort-2.9.0.1/src/mstring.h 2010-01-26 10:09:22.000000000 -0800 +++ snort-2.9.2/src/mstring.h 2011-02-09 15:22:49.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/obfuscation.c snort-2.9.2/src/obfuscation.c --- snort-2.9.0.1/src/obfuscation.c 2010-06-09 15:04:52.000000000 -0700 +++ snort-2.9.2/src/obfuscation.c 2011-06-07 17:33:06.000000000 -0700 @@ -1,5 +1,5 @@ /****************************************************************************** - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -19,13 +19,18 @@ ******************************************************************************/ #include <daq.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "obfuscation.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "util.h" #include "stream_api.h" -#include "bounds.h" +#include "snort_bounds.h" #ifdef OBFUSCATION_TEST_STANDALONE # ifndef OBFUSCATION_TEST @@ -106,16 +111,16 @@ /******************************************************************************* * Private function prototypes ******************************************************************************/ -static INLINE int NumObfuscateMaxLenEntries(void); -static INLINE int NumObfuscateSliceEntries(void); -static INLINE ObRet ObfuscationEntryOverflow(ob_size_t); -static INLINE int PayloadObfuscationRequired(Packet *); -static INLINE void SetObfuscationEntry(ObfuscationEntry *, Packet *, +static inline int NumObfuscateMaxLenEntries(void); +static inline int NumObfuscateSliceEntries(void); +static inline ObRet ObfuscationEntryOverflow(ob_size_t); +static inline int PayloadObfuscationRequired(Packet *); +static inline void SetObfuscationEntry(ObfuscationEntry *, Packet *, ob_size_t, ob_size_t, ob_char_t); -static INLINE void SortObfuscationEntries(void); -static INLINE void SetObfuscationCallbackData( +static inline void SortObfuscationEntries(void); +static inline void SetObfuscationCallbackData( ObfuscationCallbackData *, Packet *, ObfuscationCallback, void *); -static INLINE void SetObfuscationStreamCallbackData( +static inline void SetObfuscationStreamCallbackData( ObfuscationStreamCallbackData *, ObfuscationCallbackData *, Packet *, ObfuscationCallback, void *); 
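Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` block is inserted after `#include <daq.h>`, so if config.h defines feature-test or platform macros they are not yet in effect while the DAQ header and whatever system headers it pulls in are processed; the usual convention in this tree is config.h first, then system headers. Moving the three new lines above `#include <daq.h>` keeps the guarded include and removes the header-order dependency. The remaining hunks in this file only rename INLINE to inline and need no change.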
@@ -310,7 +315,7 @@ * The number of current OB_LENGTH_MAX entries. * ******************************************************************************/ -static INLINE int NumObfuscateMaxLenEntries(void) +static inline int NumObfuscateMaxLenEntries(void) { return ob_struct.num_maxlen_entries; } @@ -327,7 +332,7 @@ * The number of current slice entries. * ******************************************************************************/ -static INLINE int NumObfuscateSliceEntries(void) +static inline int NumObfuscateSliceEntries(void) { return ob_struct.num_entries - ob_struct.num_maxlen_entries; } @@ -348,7 +353,7 @@ * OB_RET_OVERFLOW if there isn't enough space to add another entry * ******************************************************************************/ -static INLINE ObRet ObfuscationEntryOverflow(ob_size_t length) +static inline ObRet ObfuscationEntryOverflow(ob_size_t length) { if (length == OB_LENGTH_MAX) { @@ -381,7 +386,7 @@ * 1 if the packet has been flagged for obfuscation. * ******************************************************************************/ -static INLINE int PayloadObfuscationRequired(Packet *p) +static inline int PayloadObfuscationRequired(Packet *p) { if ((p == NULL) || (p->pkth == NULL) || (p->pkt == NULL) || (p->data == NULL) @@ -421,7 +426,7 @@ * None * ******************************************************************************/ -static INLINE void SetObfuscationEntry(ObfuscationEntry *entry, +static inline void SetObfuscationEntry(ObfuscationEntry *entry, Packet *p, ob_size_t offset, ob_size_t length, ob_char_t ob_char) { if (entry == NULL) @@ -454,7 +459,7 @@ * None * ******************************************************************************/ -static INLINE void SetObfuscationCallbackData( +static inline void SetObfuscationCallbackData( ObfuscationCallbackData *callback_data, Packet *packet, ObfuscationCallback user_callback, void *user_data) { 
@@ -491,7 +496,7 @@ * None * ******************************************************************************/ -static INLINE void SetObfuscationStreamCallbackData( +static inline void SetObfuscationStreamCallbackData( ObfuscationStreamCallbackData *stream_callback_data, ObfuscationCallbackData *callback_data, Packet *packet, ObfuscationCallback user_callback, void *user_data) @@ -519,7 +524,7 @@ * None * ******************************************************************************/ -static INLINE void SortObfuscationEntries(void) +static inline void SortObfuscationEntries(void) { if (!ob_struct.sorted) { @@ -1163,7 +1168,7 @@ } } } -} +} static void CreateObEntries(Packet *p, ob_char_t ob_char, ob_size_t ob_offset, ob_size_t ob_length, int reverse, int add_maxlen) diff -Nru snort-2.9.0.1/src/obfuscation.h snort-2.9.2/src/obfuscation.h --- snort-2.9.0.1/src/obfuscation.h 2010-06-09 15:04:52.000000000 -0700 +++ snort-2.9.2/src/obfuscation.h 2011-06-07 17:33:06.000000000 -0700 @@ -1,5 +1,5 @@ /****************************************************************************** - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,7 +22,6 @@ #define __OBFUSCATION_H__ #include <daq.h> -#include "sf_types.h" #include "decode.h" diff -Nru snort-2.9.0.1/src/output-plugins/Makefile.in snort-2.9.2/src/output-plugins/Makefile.in --- snort-2.9.0.1/src/output-plugins/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/output-plugins/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -96,7 +96,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -111,6 +113,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -147,13 +150,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_arubaaction.c snort-2.9.2/src/output-plugins/spo_alert_arubaaction.c --- snort-2.9.0.1/src/output-plugins/spo_alert_arubaaction.c 2009-05-06 15:29:11.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_arubaaction.c 2011-10-26 11:28:52.000000000 -0700 @@ -20,7 +20,7 @@ /* $Id$ */ /* spo_alert_arubaaction - * + * * Purpose: output plugin for dynamically changing station access status on * an Aruba switch. * @@ -30,7 +30,7 @@ * "cleartext" * secret The shared secret configured on the Aruba switch * action The action the switch should take with the target user - * + * * Effect: * * When an alert is passed to this output plugin, the plugin connects to the @@ -46,9 +46,10 @@ #include "config.h" #endif +#include "sf_types.h" #include "event.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" @@ -127,7 +128,7 @@ }; -#define ArubaResponseCode ArubaSecretType +#define ArubaResponseCode ArubaSecretType #define ARUBA_RESP_SUCCESS 0 #define ARUBA_RESP_UNKN_USER 1 
@@ -146,7 +147,7 @@ { ARUBA_RESP_UNKN_EXT_AGENT, "unknown external agent" }, { ARUBA_RESP_AUTH_FAILED, "authentication failed" }, { ARUBA_RESP_INVAL_CMD, "invalid command" }, - { ARUBA_RESP_INVAL_AUTH_METHOD, + { ARUBA_RESP_INVAL_AUTH_METHOD, "invalid message authentication method" }, { ARUBA_RESP_INVAL_MSG_DGST, "invalid message digest" }, { ARUBA_RESP_MSSNG_MSG_AUTH, "missing message authentication" }, @@ -166,7 +167,7 @@ /* * Function: SetupAlertArubaAction() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -177,7 +178,7 @@ */ void AlertArubaActionSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_aruba_action", OUTPUT_TYPE_FLAG__ALERT, AlertArubaActionInit); @@ -202,6 +203,11 @@ { SpoAlertArubaActionData *data; + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The alert_aruba_action output plugin is considered\n"); + WarningMessage("!! deprecated as of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output: AlertArubaAction " "Initialized\n");); @@ -210,7 +216,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertArubaAction functions " "to call lists...\n");); - + /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertArubaAction, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertArubaActionCleanExitFunc, data); 
@@ -368,7 +374,7 @@ #endif (unsigned long)strlen(cmdbuf), cmdbuf ); - + /* Send the action command to the switch */ if (ArubaSwitchSend(data, (uint8_t *)post, postlen) != postlen) { ErrorMessage("aruba_action: Error sending data to Aruba " @@ -430,7 +436,7 @@ close(data->fd); - + return; } @@ -471,7 +477,7 @@ return -1; } #ifdef SUP_IP6 - } + } else { memcpy(&sa6.sin6_addr, data->aswitch.ip8, 16); sa6.sin6_family = AF_INET6; @@ -483,7 +489,7 @@ close(data->fd); return -1; } - } + } #endif @@ -500,7 +506,7 @@ close(data->fd); return -1; } - } + } else { memcpy(&sa6.sin6_addr, data->aswitch.ip8, 16); #else @@ -516,9 +522,9 @@ return -1; } #ifdef SUP_IP6 - } + } #endif - + return data->fd; } @@ -526,9 +532,9 @@ /* * Function: ParseAlertArubaActionArgs(char *) * - * Purpose: Process the preprocessor arguments from the rules file and + * Purpose: Process the preprocessor arguments from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -564,9 +570,9 @@ } #ifdef SUP_IP6 // XXX could probably be changed to a macro - if (sfip_pton(toks[0], &data->aswitch) == 0) + if (sfip_pton(toks[0], &data->aswitch) == 0) #else - if (inet_aton(toks[0], &data->aswitch) == 0) + if (inet_aton(toks[0], &data->aswitch) == 0) #endif { ErrorMessage("aruba_action: invalid Aruba switch address " @@ -576,7 +582,7 @@ } for (i=0; secret_lookup[i].name != NULL; i++) { - if (strncmp(toks[1], secret_lookup[i].name, + if (strncmp(toks[1], secret_lookup[i].name, strlen(secret_lookup[i].name)) == 0) { data->secret_type = secret_lookup[i].type; break; 
@@ -595,7 +601,7 @@ /* action can be "blacklist" or "setrole:rolename", parse */ for (i=0; action_lookup[i].name != NULL; i++) { - if (strncmp(action_lookup[i].name, toks[3], + if (strncmp(action_lookup[i].name, toks[3], strlen(action_lookup[i].name)) == 0) { data->action_type = action_lookup[i].type; break; @@ -617,12 +623,12 @@ "specification \"%s\"\n", toks[3]); FatalError("Improperly formatted action\n"); return NULL; - } + } data->role_name = (char *)SnortAlloc(strlen(action_toks[1])+1); - strncpy(data->role_name, action_toks[1], + strncpy(data->role_name, action_toks[1], strlen(action_toks[1])); - } + } /* free toks */ mSplitFree(&toks, num_toks); @@ -643,11 +649,10 @@ void AlertArubaActionRestartFunc(int signal, void *arg) { SpoAlertArubaActionData *data = (SpoAlertArubaActionData *)arg; - + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertArubaActionRestartFunc\n");); free(data->secret); free(data->role_name); free(data); } - diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_fast.c snort-2.9.2/src/output-plugins/spo_alert_fast.c --- snort-2.9.0.1/src/output-plugins/spo_alert_fast.c 2010-06-09 15:05:18.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_fast.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** @@ -22,11 +22,11 @@ /* $Id$ */ /* spo_alert_fast - * + * * Purpose: output plugin for fast alerting * * Arguments: alert file - * + * * Effect: * * Alerts are written to a file in the snort fast alert format @@ -59,7 +59,7 @@ #include "spo_alert_fast.h" #include "event.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" 
@@ -102,7 +102,7 @@ /* * Function: SetupAlertFast() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -113,7 +113,7 @@ */ void AlertFastSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_fast", OUTPUT_TYPE_FLAG__ALERT, AlertFastInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: AlertFast is setup...\n");); @@ -141,7 +141,7 @@ data = ParseAlertFastArgs(args); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertFast functions to call lists...\n");); - + /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertFast, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertFastCleanExitFunc, data); 
@@ -210,27 +210,34 @@ { /* Log whether or not this is reassembled data - only indicate * if we're actually going to show any of the payload */ - if (ScOutputAppData() && (p->dsize > 0)) + if (ScOutputAppData() && (p->dsize > 0) && PacketWasCooked(p)) { - if ( PacketWasCooked(p) ) - { - TextLog_NewLine(data->log); + switch ( p->pseudo_type ) { + case PSEUDO_PKT_SMB_SEG: + TextLog_Print(data->log, "\n%s", "SMB desegmented packet"); + break; + case PSEUDO_PKT_DCE_SEG: + TextLog_Print(data->log, "\n%s", "DCE/RPC desegmented packet"); + break; + case PSEUDO_PKT_DCE_FRAG: + TextLog_Print(data->log, "\n%s", "DCE/RPC defragmented packet"); + break; + case PSEUDO_PKT_SMB_TRANS: + TextLog_Print(data->log, "\n%s", "SMB Transact reassembled packet"); + break; + case PSEUDO_PKT_DCE_RPKT: + TextLog_Print(data->log, "\n%s", "DCE/RPC reassembled packet"); + break; + case PSEUDO_PKT_TCP: + TextLog_Print(data->log, "\n%s", "Stream reassembled packet"); + break; + case PSEUDO_PKT_IP: + TextLog_Print(data->log, "\n%s", "Frag reassembled packet"); + break; + default: + // FIXTHIS do we get here for portscan or sdf? 
+ break; } - - if (p->packet_flags & PKT_SMB_SEG) - TextLog_Print(data->log, "%s", "SMB desegmented packet"); - else if (p->packet_flags & PKT_DCE_SEG) - TextLog_Print(data->log, "%s", "DCE/RPC desegmented packet"); - else if (p->packet_flags & PKT_DCE_FRAG) - TextLog_Print(data->log, "%s", "DCE/RPC defragmented packet"); - else if (p->packet_flags & PKT_SMB_TRANS) - TextLog_Print(data->log, "%s", "SMB Transact reassembled packet"); - else if (p->packet_flags & PKT_DCE_RPKT) - TextLog_Print(data->log, "%s", "DCE/RPC reassembled packet"); - else if (p->packet_flags & PKT_REBUILT_STREAM) - TextLog_Print(data->log, "%s", "Stream reassembled packet"); - else if (p->packet_flags & PKT_REBUILT_FRAG) - TextLog_Print(data->log, "%s", "Frag reassembled packet"); } TextLog_NewLine(data->log); diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_fast.h snort-2.9.2/src/output-plugins/spo_alert_fast.h --- snort-2.9.0.1/src/output-plugins/spo_alert_fast.h 2010-01-26 10:10:08.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_alert_fast.h 2011-02-09 15:23:26.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_full.c snort-2.9.2/src/output-plugins/spo_alert_full.c --- snort-2.9.0.1/src/output-plugins/spo_alert_full.c 2010-06-09 15:05:18.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_full.c 2011-06-07 17:33:15.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** 
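Review bot: The `default:` arm of the new `switch ( p->pseudo_type )` prints nothing and leaves the open question `// FIXTHIS do we get here for portscan or sdf?` in the shipped code; either resolve which pseudo types reach it or replace it with a comment stating that those types are intentionally unlabeled. As a point of style, the seven arms each repeat `TextLog_Print(data->log, "\n%s", ...)` with only the label differing, so selecting a `const char *label` in the switch and printing once keeps the format string in one place. Hoisting `PacketWasCooked(p)` into the outer condition also means a packet with `p->dsize > 0` that was not cooked no longer runs the label chain the old code ran after the optional newline; that looks intentional but is worth a one-line comment. The enclosing function starts and ends outside the hunk.
```c
        if (ScOutputAppData() && (p->dsize > 0) && PacketWasCooked(p))
        {
            const char *label = NULL;

            switch ( p->pseudo_type ) {
            case PSEUDO_PKT_SMB_SEG:   label = "SMB desegmented packet"; break;
            case PSEUDO_PKT_DCE_SEG:   label = "DCE/RPC desegmented packet"; break;
            case PSEUDO_PKT_DCE_FRAG:  label = "DCE/RPC defragmented packet"; break;
            case PSEUDO_PKT_SMB_TRANS: label = "SMB Transact reassembled packet"; break;
            case PSEUDO_PKT_DCE_RPKT:  label = "DCE/RPC reassembled packet"; break;
            case PSEUDO_PKT_TCP:       label = "Stream reassembled packet"; break;
            case PSEUDO_PKT_IP:        label = "Frag reassembled packet"; break;
            default:
                /* other pseudo types carry no label; confirm which ones reach here */
                break;
            }
            if (label != NULL)
                TextLog_Print(data->log, "\n%s", label);
        }
        /* … unchanged: TextLog_NewLine(data->log); … */
```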
@@ -22,11 +22,11 @@ /* $Id$ */ /* spo_alert_full - * + * * Purpose: output plugin for full alerting * * Arguments: alert file (eventually) - * + * * Effect: * * Alerts are written to a file in the snort full alert format @@ -46,12 +46,13 @@ #include <stdio.h> #include <stdlib.h> +#include "sf_types.h" #include "spo_alert_full.h" #include "event.h" #include "decode.h" #include "plugbase.h" #include "spo_plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "util.h" #include "log.h" @@ -83,7 +84,7 @@ /* * Function: SetupAlertFull() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -94,7 +95,7 @@ */ void AlertFullSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_full", OUTPUT_TYPE_FLAG__ALERT, AlertFullInit); @@ -117,7 +118,7 @@ { SpoAlertFullData *data; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: AlertFull Initialized\n");); - + /* parse the argument list from the rules file */ data = ParseAlertFullArgs(args); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertFull functions to call lists...\n");); @@ -202,9 +203,8 @@ default: break; } - - LogXrefs(data->log, 1); } + LogXrefs(data->log, 1); TextLog_Putc(data->log, '\n'); } /* End of if(p) */ diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_full.h snort-2.9.2/src/output-plugins/spo_alert_full.h --- snort-2.9.0.1/src/output-plugins/spo_alert_full.h 2010-01-26 10:10:08.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_alert_full.h 2011-02-09 15:23:26.000000000 -0800 
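Review bot: In the `@@ -202,9 +203,8 @@` hunk, moving `LogXrefs(data->log, 1);` past the closing brace means cross-references are now written on the path where the block containing the `switch` is not entered, whereas before they were written only at the end of that block; the block's opening condition is outside the hunk, so whether this widening is intended cannot be confirmed here. A one-line comment at the new call site, `/* xrefs are logged for every alert, independent of the payload switch above */`, would record the intent for the next reader. The enclosing function starts and ends outside the hunk.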
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_prelude.c snort-2.9.2/src/output-plugins/spo_alert_prelude.c --- snort-2.9.0.1/src/output-plugins/spo_alert_prelude.c 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_prelude.c 2011-10-26 11:28:52.000000000 -0700 @@ -41,7 +41,7 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" #include "snort.h" @@ -69,7 +69,7 @@ { int ret; prelude_string_t *string; - + ret = idmef_analyzer_new_model(analyzer, &string); if ( ret < 0 ) return ret; @@ -81,7 +81,7 @@ prelude_string_set_constant(string, ANALYZER_CLASS); ret = idmef_analyzer_new_manufacturer(analyzer, &string); - if ( ret < 0 ) + if ( ret < 0 ) return ret; prelude_string_set_constant(string, ANALYZER_MANUFACTURER); @@ -135,7 +135,7 @@ if ( ! IPH_IS_VALID(p) ) return 0; - + ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -144,17 +144,17 @@ if ( ret < 0 ) return ret; prelude_string_set_ref(string, PRINT_INTERFACE(DAQ_GetInterfaceSpec())); - + ret = idmef_source_new_service(source, &service); if ( ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->sp); - + idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); - + ret = idmef_source_new_node(source, &node); if ( ret < 0 ) return ret; @@ -166,7 +166,7 @@ ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; - + SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p))); prelude_string_set_ref(string, saddr); 
@@ -182,28 +182,28 @@ ret = idmef_target_new_service(target, &service); if ( ! ret < 0 ) return ret; - - if ( p->tcph || p->udph ) + + if ( p->tcph || p->udph ) idmef_service_set_port(service, p->dp); - + idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); - + ret = idmef_target_new_node(target, &node); if ( ret < 0 ) return ret; - + ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - + ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; - + SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p))); prelude_string_set_ref(string, daddr); - + return 0; } @@ -217,7 +217,7 @@ if ( ! data || ! size ) return 0; - + ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -235,14 +235,14 @@ prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) { ErrorMessage("%s: error setting byte string data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + return 0; } @@ -256,7 +256,7 @@ if ( ! data ) return 0; - + ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -274,14 +274,14 @@ prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) { ErrorMessage("%s: error setting string data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + return 0; } @@ -292,11 +292,11 @@ int ret; prelude_string_t *str; idmef_additional_data_t *ad; - + ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - + idmef_additional_data_set_integer(ad, data); ret = idmef_additional_data_new_meaning(ad, &str); 
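Review bot: The context line `if ( ! ret < 0 ) return ret;` right after `idmef_target_new_service(target, &service)` parses as `(!ret) < 0`, which is never true, so a failed call is ignored and `service` is then passed uninitialized to `idmef_service_set_port`. The hunk only reflows whitespace and leaves this in place, while the source-side counterpart a few lines earlier correctly uses `if ( ret < 0 )`; the fix is `if ( ret < 0 ) return ret;`. Even though this plugin is marked deprecated in the same release, shipping a known unchecked error path into an alert sink is worth the one-character change.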
@@ -305,14 +305,14 @@ prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + ret = prelude_string_set_ref(str, meaning); if ( ret < 0 ) { ErrorMessage("%s: error setting integer data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); return -1; } - + return 0; } @@ -322,13 +322,13 @@ static int packet_to_data(Packet *p, Event *event, idmef_alert_t *alert) { int i; - + if ( ! p ) return 0; add_int_data(alert, "snort_rule_sid", event->sig_id); add_int_data(alert, "snort_rule_rev", event->sig_rev); - + if ( IPH_IS_VALID(p) ) { add_int_data(alert, "ip_ver", GET_IPH_VER(p)); add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p)); @@ -351,18 +351,18 @@ #else add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum)); #endif - + for ( i = 0; i < p->ip_option_count; i++ ) { add_int_data(alert, "ip_option_code", p->ip_options[i].code); - add_byte_data(alert, "ip_option_data", - p->ip_options[i].data, p->ip_options[i].len); + add_byte_data(alert, "ip_option_data", + p->ip_options[i].data, p->ip_options[i].len); } } - + if ( p->tcph ) { add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq)); add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack)); - + add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph)); add_int_data(alert, "tcp_res", TCP_X2(p->tcph)); add_int_data(alert, "tcp_flags", p->tcph->th_flags); @@ -371,10 +371,10 @@ add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum)); add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp)); - + for ( i = 0; i < p->tcp_option_count; i++ ) { add_int_data(alert, "tcp_option_code", p->tcp_options[i].code); - add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len); + add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len); } } @@ -389,7 +389,7 @@ add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum)); switch ( p->icmph->type ) { - + case ICMP_ECHO: case ICMP_ECHOREPLY: case ICMP_INFO_REQUEST: 
@@ -399,13 +399,13 @@ add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); break; - + case ICMP_ADDRESSREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask)); break; - + case ICMP_REDIRECT: #ifndef SUP_IP6 add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr)); @@ -417,13 +417,13 @@ } #endif break; - + case ICMP_ROUTER_ADVERTISE: add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs); add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa); add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime)); break; - + case ICMP_TIMESTAMPREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); @@ -435,7 +435,7 @@ } add_byte_data(alert, "payload", p->data, p->dsize); - + return 0; } @@ -449,7 +449,7 @@ idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; - + ret = idmef_alert_new_assessment(alert, &assessment); if ( ret < 0 ) return ret; @@ -473,7 +473,7 @@ if ( ! otn_tmp ) return 0; - + classtype = otn_tmp->sigInfo.classType; if ( classtype ) { ret = idmef_impact_new_description(impact, &str); @@ -482,7 +482,7 @@ prelude_string_set_ref(str, classtype->name); } - + return 0; } @@ -496,15 +496,15 @@ if ( sig_id >= SNORT_MAX_OWNED_SID ) return 0; - + ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; - + ret = idmef_reference_new_name(ref, &str); if ( ret < 0 ) return ret; - + idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC); if ( gen_id == 0 ) @@ -522,7 +522,7 @@ ret = prelude_string_sprintf(str, "Snort Signature ID"); if ( ret < 0 ) return ret; - + ret = idmef_reference_new_url(ref, &str); if ( ret < 0 ) return ret; 
@@ -531,7 +531,7 @@ ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", sig_id); else ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u-%u", gen_id, sig_id); - + return ret; } @@ -571,7 +571,7 @@ system = refs->system; if ( ! system ) continue; - + ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; @@ -579,7 +579,7 @@ ret = idmef_reference_new_name(ref, &str); if ( ret < 0 ) return ret; - + idmef_reference_set_origin(ref, reference_to_origin(system->name)); if ( idmef_reference_get_origin(ref) != IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC ) prelude_string_set_ref(str, refs->id); @@ -589,9 +589,9 @@ ret = idmef_reference_new_url(ref, &str); if ( ret < 0 ) return ret; - + prelude_string_sprintf(str, "%s%s", system->url ? system->url : "", refs->id ? refs->id : ""); - } + } return 0; } @@ -637,15 +637,15 @@ ret = event_to_reference(event, class); if ( ret < 0 ) goto err; - + ret = event_to_source_target(p, alert); if ( ret < 0 ) goto err; - + ret = packet_to_data(p, event, alert); if ( ret < 0 ) goto err; - + ret = idmef_alert_new_detect_time(alert, &time); if ( ret < 0 ) goto err; @@ -653,15 +653,15 @@ tv.tv_sec = p->pkth->ts.tv_sec; tv.tv_usec = p->pkth->ts.tv_usec; idmef_time_set_from_timeval(time, &tv); - + ret = idmef_time_new_from_gettimeofday(&time); if ( ret < 0 ) - goto err; + goto err; idmef_alert_set_create_time(alert, time); - + idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), IDMEF_LIST_PREPEND); prelude_client_send_idmef(client, idmef); - + err: idmef_message_destroy(idmef); } 
@@ -689,26 +689,26 @@ { int i, tokens, ret; char **args_table, *value, *key; - + args_table = mSplit(args, " \t", 0, &tokens, '\\'); for ( i = 0; i < tokens; i++ ) { - + key = args_table[i]; strtok(key, "="); - + value = strtok(NULL, ""); if ( ! value ) FatalError("spo_alert_prelude: missing value for keyword '%s'.\n", key); - + ret = strcasecmp("profile", key); if ( ret == 0 ) { if ( *profile ) free(*profile); - + *profile = strdup(value); continue; } - + ret = strcasecmp("info", key); if ( ret == 0 ) { info_priority = atoi(value); @@ -743,10 +743,15 @@ if ( ! initialized ) return; - + + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The alert_prelude output plugin is considered deprecated\n"); + WarningMessage("!! as of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + parse_args(init_args, &profile); free(init_args); - + ret = prelude_thread_init(NULL); if ( ret < 0 ) FatalError("%s: Unable to initialize the Prelude thread subsystem: %s.\n", @@ -756,26 +761,26 @@ if ( ret < 0 ) FatalError("%s: Unable to initialize the Prelude library: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + ret = prelude_client_new(&client, profile ? profile : DEFAULT_ANALYZER_NAME); if ( profile ) free(profile); - + if ( ret < 0 ) FatalError("%s: Unable to create a prelude client object: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + flags = PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER; - + ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | flags); if ( ret < 0 ) FatalError("%s: Unable to set asynchronous send and timer: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + setup_analyzer(prelude_client_get_analyzer(client)); - + ret = prelude_client_start(client); if ( ret < 0 ) { if ( prelude_client_is_setup_needed(ret) ) 
@@ -784,7 +789,7 @@ FatalError("%s: Unable to initialize prelude client: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); } - + AddFuncToOutputList(snort_alert_prelude, OUTPUT_TYPE__ALERT, client); AddFuncToCleanExitList(snort_alert_prelude_clean_exit, client); AddFuncToRestartList(snort_alert_prelude_clean_exit, client); diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_sf_socket.c snort-2.9.2/src/output-plugins/spo_alert_sf_socket.c --- snort-2.9.0.1/src/output-plugins/spo_alert_sf_socket.c 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_sf_socket.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -27,13 +27,14 @@ #ifdef LINUX +#include "sf_types.h" #include "spo_plugbase.h" #include "plugbase.h" #include "event.h" #include "rules.h" #include "treenodes.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "sfPolicy.h" #include <sys/socket.h> @@ -61,8 +62,8 @@ uint32_t tv_sec; uint32_t generator; uint32_t sid; - snort_ip src_ip; - snort_ip dest_ip; + uint32_t src_ip; + uint32_t dest_ip; uint16_t sport; uint16_t dport; uint8_t protocol; @@ -86,7 +87,7 @@ static int AlertSFSocket_Connect(void); static OptTreeNode *OptTreeNode_Search(uint32_t gid, uint32_t sid); -static int SignatureAddOutputFunc(uint32_t gid, uint32_t sid, +static int SignatureAddOutputFunc(uint32_t gid, uint32_t sid, void (*outputFunc)(Packet *, char *, void *, Event *), void *args); int String2ULong(char *string, unsigned long *result); 
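Review bot: Replacing the two `snort_ip` members with `uint32_t` changes the size and layout of `SnortActionRequest`, and from the later `sar.src_ip`/`sar.dest_ip` assignments in this file that struct appears to be what is written verbatim to the peer on the Unix datagram socket, so a consumer built against the 2.9.0.1 layout will misparse everything after `sid`. The hunk adds no version or length marker that would let a receiver tell which layout it got, and the struct carries no note that it is a wire format. At minimum add a comment on the struct, e.g. `/* WIRE FORMAT: sent as-is over the alert socket; layout changed in 2.9.2 (snort_ip -> uint32_t addresses) */`, and mention the break in the release notes. The struct definition begins outside the hunk.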
@@ -120,11 +121,11 @@ if(strlen(sockname) == 0) FatalError("AlertSFSocket: must specify a socket name\n"); - + if(strlen(sockname) > UNIX_PATH_MAX - 1) FatalError("AlertSFSocket: socket name must be less than %i " "characters\n", UNIX_PATH_MAX - 1); - + /* create socket */ if((sock = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { @@ -134,7 +135,7 @@ memset(&sockAddr, 0, sizeof(sockAddr)); sockAddr.sun_family = AF_UNIX; memcpy(sockAddr.sun_path + 1, sockname, strlen(sockname)); - + if(AlertSFSocket_Connect() == 0) connected = 1; @@ -153,7 +154,7 @@ *gidValue=GENERATOR_SNORT_ENGINE; *sidValue=0; - + i=0; while( args && *args && (i < 20) ) { @@ -163,17 +164,17 @@ i++; } sbuff[i]=0; - + if( i >= 20 ) { return SNORT_EINVAL; } - if( *args == ':' ) + if( *args == ':' ) { memcpy(gbuff,sbuff,i); gbuff[i]=0; - + if(String2ULong(gbuff,&glong)) { return SNORT_EINVAL; @@ -209,7 +210,7 @@ } *sidValue=(uint32_t)slong; } - + return SNORT_SUCCESS; } @@ -218,12 +219,12 @@ uint32_t sidValue; uint32_t gidValue; AlertSFSocketGidSid *new_sid = NULL; - + /* check configured value */ if(!configured) FatalError("AlertSFSocket must be configured before attaching it to a " "sid"); - + if (GidSid2UInt((char*)args, &sidValue, &gidValue) ) FatalError("Invalid argument '%s' to alert_sf_socket_sid\n", args); @@ -267,7 +268,7 @@ break; case SNORT_EINVAL: DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Invalid argument " - "attempting to attach output for sid %u.\n", + "attempting to attach output for sid %u.\n", sidValue);); break; case SNORT_ENOENT: @@ -299,7 +300,7 @@ if(errno == ECONNREFUSED || errno == ENOENT) { LogMessage("WARNING: AlertSFSocket: Unable to connect to socket: " - "%s\n", strerror(errno)); + "%s.\n", strerror(errno)); return 1; } else @@ -310,8 +311,8 @@ } return 0; } - - + + static SnortActionRequest sar; void AlertSFSocket(Packet *packet, char *msg, void *arg, Event *event) 
@@ -321,14 +322,27 @@ if(!event || !packet || !IPH_IS_VALID(packet)) return; + // for now, only support ip4 + if ( !IS_IP4(packet) ) + return; + /* construct the action request */ sar.event_id = event->event_id; sar.tv_sec = packet->pkth->ts.tv_sec; sar.generator = event->sig_generator; sar.sid = event->sig_id; + + // when ip6 is supported: + // * suggest TLV format where T == family, L is implied by + // T (and not sent), and V is just the address octets in + // network order + // * if T is made the 1st octet of struct, bytes to read + // can be determined by reading 1 byte + // * addresses could be moved to end of struct in uint8_t[32] + // and only 1st 8 used for ip4 #ifdef SUP_IP6 - sar.src_ip = *GET_SRC_IP(packet); - sar.dest_ip = *GET_DST_IP(packet); + sar.src_ip = ntohl(GET_SRC_IP(packet)->ip32[0]); + sar.dest_ip = ntohl(GET_DST_IP(packet)->ip32[0]); #else sar.src_ip = ntohl(packet->iph->ip_src.s_addr); sar.dest_ip = ntohl(packet->iph->ip_dst.s_addr); @@ -376,18 +390,18 @@ { connected = 0; LogMessage("WARNING: AlertSFSocket: connection reset, will attempt " - "to reconnect\n"); + "to reconnect.\n"); } else if(errno == ECONNREFUSED) { LogMessage("WARNING: AlertSFSocket: connection refused, " - "will attempt to reconnect\n"); + "will attempt to reconnect.\n"); connected = 0; } else if(errno == ENOTCONN) { LogMessage("WARNING: AlertSFSocket: not connected, " - "will attempt to reconnect\n"); + "will attempt to reconnect.\n"); connected = 0; } else @@ -401,16 +415,16 @@ return; } -static int SignatureAddOutputFunc( uint32_t gid, uint32_t sid, +static int SignatureAddOutputFunc( uint32_t gid, uint32_t sid, void (*outputFunc)(Packet *, char *, void *, Event *), void *args) { OptTreeNode *optTreeNode = NULL; OutputFuncNode *outputFuncs = NULL; - + if(!outputFunc) return SNORT_EINVAL; /* Invalid argument */ - + if(!(optTreeNode = OptTreeNode_Search(gid,sid))) { LogMessage("Unable to find OptTreeNode for SID %u\n", sid); 
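Review bot: The new `if ( !IS_IP4(packet) ) return;` silently drops every IPv6 alert from this output with no log line or counter, so an operator running alert_sf_socket on a dual-stack sensor gets no indication that part of the alert stream is missing. A one-time warning at that return would make the gap visible, for example `static int warned = 0; if (!warned++) LogMessage("WARNING: AlertSFSocket: IPv6 alerts are not forwarded (IPv4 only).\n");`. The `ip32[0]` reads below are only correct because of that guard, so the guard and the explanatory comment should stay adjacent; `AlertSFSocket` itself begins and ends outside the hunk.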
@@ -425,11 +439,11 @@ outputFuncs->func = outputFunc; outputFuncs->arg = args; - + outputFuncs->next = optTreeNode->outputFuncs; optTreeNode->outputFuncs = outputFuncs; - + return SNORT_SUCCESS; } @@ -443,7 +457,7 @@ if(sid == 0) return NULL; - + for (hashNode = sfghash_findfirst(snort_conf->otn_map); hashNode; hashNode = sfghash_findnext(snort_conf->otn_map)) @@ -453,8 +467,8 @@ if (rtn) { if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { if (otn->sigInfo.id == sid) { return otn; diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_sf_socket.h snort-2.9.2/src/output-plugins/spo_alert_sf_socket.h --- snort-2.9.0.1/src/output-plugins/spo_alert_sf_socket.h 2010-01-26 10:10:08.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_alert_sf_socket.h 2011-02-09 15:23:26.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_syslog.c snort-2.9.2/src/output-plugins/spo_alert_syslog.c --- snort-2.9.0.1/src/output-plugins/spo_alert_syslog.c 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_syslog.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -19,14 +19,14 @@ */ /* $Id$ */ -/* spo_alert_syslog - * +/* spo_alert_syslog + * * Purpose: * * This module sends alerts to the syslog service. * * Arguments: - * + * * Logging mechanism? * * Effect: 
@@ -63,7 +63,7 @@ #include "treenodes.h" #include "plugbase.h" #include "spo_plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "mstring.h" #include "util.h" @@ -93,7 +93,7 @@ /* * Function: SetupSyslog() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -104,7 +104,7 @@ */ void AlertSyslogSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_syslog", OUTPUT_TYPE_FLAG__ALERT, AlertSyslogInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: Alert-Syslog is setup...\n");); @@ -148,9 +148,9 @@ /* * Function: ParseSyslogArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -186,7 +186,7 @@ { /* horrible kludge to catch default initialization */ if(file_name != NULL) - { + { LogMessage("%s(%d) => No arguments to alert_syslog preprocessor!\n", file_name, file_line); } @@ -197,7 +197,7 @@ /* * NON-WIN32: Config should be in the format: * output alert_syslog: LOG_AUTH LOG_ALERT - * + * * WIN32: Config can be in any of these formats: * output alert_syslog: LOG_AUTH LOG_ALERT * output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT 
@@ -227,7 +227,7 @@ if(num_host_toks > 0 && strcmp(host_toks[0], "host") != 0 ) { FatalError("%s(%d) => Badly formed alert_syslog 'host' " - "argument ('%s')\n", + "argument ('%s')\n", file_name, file_line, host_string); } /* check for empty strings */ @@ -236,7 +236,7 @@ (num_host_toks >= 3 && strlen(host_toks[2]) == 0)) { FatalError("%s(%d) => Badly formed alert_syslog 'host' " - "argument ('%s')\n", + "argument ('%s')\n", file_name, file_line, host_string); } switch(num_host_toks) @@ -253,16 +253,16 @@ { snort_conf->syslog_server_port = DEFAULT_SYSLOG_PORT; /*default*/ LogMessage("WARNING %s(%d) => alert_syslog port " - "appears to be non-numeric ('%s'). Defaulting " - "to port %d!\n", file_name, file_line, + "appears to be non-numeric ('%s'). Defaulting " + "to port %d!\n", file_name, file_line, host_toks[2], DEFAULT_SYSLOG_PORT); - + } break; default: /* badly formed, should never occur */ FatalError("%s(%d) => Badly formed alert_syslog 'host' " - "argument ('%s')\n", + "argument ('%s')\n", file_name, file_line, host_string); } mSplitFree(&host_toks, num_host_toks); @@ -274,7 +274,7 @@ } DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog " - "server %s on port %d\n", snort_conf->syslog_server, + "server %s on port %d\n", snort_conf->syslog_server, snort_conf->syslog_server_port);); mSplitFree(&config_toks, num_facility_toks); #endif /* WIN32 */ @@ -288,7 +288,7 @@ { if((tmp = VarGet(facility_toks[i]+1)) == NULL) { - FatalError("%s(%d) => Undefined variable %s\n", + FatalError("%s(%d) => Undefined variable %s\n", file_name, file_line, facility_toks[i]); } } 
@@ -299,28 +299,28 @@ /* possible openlog options */ -#ifdef LOG_CONS +#ifdef LOG_CONS if(!strcasecmp("LOG_CONS", tmp)) { data->options |= LOG_CONS; } else #endif -#ifdef LOG_NDELAY +#ifdef LOG_NDELAY if(!strcasecmp("LOG_NDELAY", tmp)) { data->options |= LOG_NDELAY; } else #endif -#ifdef LOG_PERROR +#ifdef LOG_PERROR if(!strcasecmp("LOG_PERROR", tmp)) { data->options |= LOG_PERROR; } else #endif -#ifdef LOG_PID +#ifdef LOG_PID if(!strcasecmp("LOG_PID", tmp)) { data->options |= LOG_PID; @@ -337,84 +337,84 @@ /* possible openlog facilities */ -#ifdef LOG_AUTHPRIV +#ifdef LOG_AUTHPRIV if(!strcasecmp("LOG_AUTHPRIV", tmp)) { data->facility = LOG_AUTHPRIV; } else #endif -#ifdef LOG_AUTH +#ifdef LOG_AUTH if(!strcasecmp("LOG_AUTH", tmp)) { data->facility = LOG_AUTH; } else #endif -#ifdef LOG_DAEMON +#ifdef LOG_DAEMON if(!strcasecmp("LOG_DAEMON", tmp)) { data->facility = LOG_DAEMON; } else #endif -#ifdef LOG_LOCAL0 +#ifdef LOG_LOCAL0 if(!strcasecmp("LOG_LOCAL0", tmp)) { data->facility = LOG_LOCAL0; } else #endif -#ifdef LOG_LOCAL1 +#ifdef LOG_LOCAL1 if(!strcasecmp("LOG_LOCAL1", tmp)) { data->facility = LOG_LOCAL1; } else #endif -#ifdef LOG_LOCAL2 +#ifdef LOG_LOCAL2 if(!strcasecmp("LOG_LOCAL2", tmp)) { data->facility = LOG_LOCAL2; } else #endif -#ifdef LOG_LOCAL3 +#ifdef LOG_LOCAL3 if(!strcasecmp("LOG_LOCAL3", tmp)) { data->facility = LOG_LOCAL3; } else #endif -#ifdef LOG_LOCAL4 +#ifdef LOG_LOCAL4 if(!strcasecmp("LOG_LOCAL4", tmp)) { data->facility = LOG_LOCAL4; } else #endif -#ifdef LOG_LOCAL5 +#ifdef LOG_LOCAL5 if(!strcasecmp("LOG_LOCAL5", tmp)) { data->facility = LOG_LOCAL5; } else #endif -#ifdef LOG_LOCAL6 +#ifdef LOG_LOCAL6 if(!strcasecmp("LOG_LOCAL6", tmp)) { data->facility = LOG_LOCAL6; } else #endif -#ifdef LOG_LOCAL7 +#ifdef LOG_LOCAL7 if(!strcasecmp("LOG_LOCAL7", tmp)) { data->facility = LOG_LOCAL7; } else #endif -#ifdef LOG_USER +#ifdef LOG_USER if(!strcasecmp("LOG_USER", tmp)) { data->facility = LOG_USER; 
@@ -424,56 +424,56 @@ /* possible syslog priorities */ -#ifdef LOG_EMERG +#ifdef LOG_EMERG if(!strcasecmp("LOG_EMERG", tmp)) { data->priority = LOG_EMERG; } else #endif -#ifdef LOG_ALERT +#ifdef LOG_ALERT if(!strcasecmp("LOG_ALERT", tmp)) { data->priority = LOG_ALERT; } else #endif -#ifdef LOG_CRIT +#ifdef LOG_CRIT if(!strcasecmp("LOG_CRIT", tmp)) { data->priority = LOG_CRIT; } else #endif -#ifdef LOG_ERR +#ifdef LOG_ERR if(!strcasecmp("LOG_ERR", tmp)) { data->priority = LOG_ERR; } else #endif -#ifdef LOG_WARNING +#ifdef LOG_WARNING if(!strcasecmp("LOG_WARNING", tmp)) { data->priority = LOG_WARNING; } else #endif -#ifdef LOG_NOTICE +#ifdef LOG_NOTICE if(!strcasecmp("LOG_NOTICE", tmp)) { data->priority = LOG_NOTICE; } else #endif -#ifdef LOG_INFO +#ifdef LOG_INFO if(!strcasecmp("LOG_INFO", tmp)) { data->priority = LOG_INFO; } else #endif -#ifdef LOG_DEBUG +#ifdef LOG_DEBUG if(!strcasecmp("LOG_DEBUG", tmp)) { data->priority = LOG_DEBUG; @@ -509,7 +509,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * @@ -529,9 +529,9 @@ if (event != NULL) { SnortSnprintfAppend(event_string, sizeof(event_string), - "[%lu:%lu:%lu] ", + "[%lu:%lu:%lu] ", (unsigned long)event->sig_generator, - (unsigned long)event->sig_id, + (unsigned long)event->sig_id, (unsigned long)event->sig_rev); } @@ -612,7 +612,7 @@ syslog(data->priority, "%s", event_string); } - else + else { syslog(data->priority, "%s", msg == NULL ? "ALERT!" : msg); } diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_syslog.h snort-2.9.2/src/output-plugins/spo_alert_syslog.h --- snort-2.9.0.1/src/output-plugins/spo_alert_syslog.h 2010-01-26 10:10:08.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_alert_syslog.h 2011-02-09 15:23:27.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_test.c snort-2.9.2/src/output-plugins/spo_alert_test.c --- snort-2.9.0.1/src/output-plugins/spo_alert_test.c 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_test.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -20,7 +20,7 @@ /* $Id$ */ /* spo_alert_test_ - * + * * Purpose: output plugin for test alerting * * Arguments: file <file>, stdout, rebuilt, session, msg @@ -31,7 +31,7 @@ * S - Stream rebuilt * F - IP frag rebuilt * outputs: <rebuilt type>:<rebuilt count> - * session - include src/dst IPs and ports + * session - include src/dst IPs and ports * outputs: <sip>:<sport>-<dip>:<dport> * msg - include alert message * @@ -45,7 +45,7 @@ * output alert_test: rebuilt, session, msg * output alert_test: stdout, rebuilt, session, msg * output alert_test: file test.alert, rebuilt, session, msg - * + * * Effect: * * Alerts are written to a file in the snort test alert format @@ -59,9 +59,10 @@ #include "config.h" #endif +#include "sf_types.h" #include "event.h" #include "decode.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" 
@@ -106,13 +107,13 @@ void AlertTestRestartFunc(int, void *); void AlertTest(Packet *, char *, void *, Event *); -extern PacketCount pc; +extern PacketCount pc; /* * Function: SetupAlertTest() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -123,7 +124,7 @@ */ void AlertTestSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_test", OUTPUT_TYPE_FLAG__ALERT, AlertTestInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: AlertTest is setup...\n");); @@ -151,7 +152,7 @@ data = ParseAlertTestArgs(args); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertTest functions to call lists...\n");); - + /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertTest, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertTestCleanExitFunc, data); @@ -180,7 +181,7 @@ if (data->flags & TEST_FLAG_MSG) { if (msg != NULL) - fprintf(data->file, "%s\t", msg); + fprintf(data->file, "%s\t", msg); } if (data->flags & TEST_FLAG_SESSION) 
@@ -201,9 +202,9 @@ /* * Function: ParseAlertTestArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_test.h snort-2.9.2/src/output-plugins/spo_alert_test.h --- snort-2.9.0.1/src/output-plugins/spo_alert_test.h 2010-01-26 10:10:09.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_alert_test.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_unixsock.c snort-2.9.2/src/output-plugins/spo_alert_unixsock.c --- snort-2.9.0.1/src/output-plugins/spo_alert_unixsock.c 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_unixsock.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** @@ -21,11 +21,11 @@ */ /* spo_alert_unixsock - * + * * Purpose: output plugin for Unix Socket alerting * * Arguments: none (yet) - * + * * Effect: ??? * */ @@ -45,12 +45,13 @@ #include <unistd.h> #include <errno.h> +#include "sf_types.h" #include "event.h" #include "decode.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "snort.h" 
@@ -95,7 +96,7 @@ /* * Function: SetupAlertUnixSock() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -106,7 +107,7 @@ */ void AlertUnixSockSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_unixsock", OUTPUT_TYPE_FLAG__ALERT, AlertUnixSockInit); DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output plugin: AlertUnixSock is setup...\n");); @@ -144,9 +145,9 @@ /* * Function: ParseAlertUnixSockArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -203,39 +204,39 @@ { if(p) { - if (p->eh) + if (p->eh) { alertpkt.dlthdr=(char *)p->eh-(char *)p->pkt; } - + /* we don't log any headers besides eth yet */ - if (IPH_IS_VALID(p) && p->pkt && IS_IP4(p)) + if (IPH_IS_VALID(p) && p->pkt && IS_IP4(p)) { alertpkt.nethdr=(char *)p->iph-(char *)p->pkt; - + switch(GET_IPH_PROTO(p)) { case IPPROTO_TCP: - if (p->tcph) + if (p->tcph) { alertpkt.transhdr=(char *)p->tcph-(char *)p->pkt; } break; - + case IPPROTO_UDP: - if (p->udph) + if (p->udph) { alertpkt.transhdr=(char *)p->udph-(char *)p->pkt; } break; - + case IPPROTO_ICMP: - if (p->icmph) + if (p->icmph) { alertpkt.transhdr=(char *)p->icmph-(char *)p->pkt; } break; - + default: /* alertpkt.transhdr is null due to initial bzero */ alertpkt.val|=NO_TRANSHDR; 
@@ -284,7 +285,7 @@ } bzero((char *) &alertaddr, sizeof(alertaddr)); - + /* 108 is the size of sun_path */ strncpy(alertaddr.sun_path, srv, 108); @@ -296,13 +297,13 @@ } } -static void AlertUnixSockCleanExit(int signal, void *arg) +static void AlertUnixSockCleanExit(int signal, void *arg) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertUnixSockCleanExitFunc\n");); CloseAlertSock(); } -static void AlertUnixSockRestart(int signal, void *arg) +static void AlertUnixSockRestart(int signal, void *arg) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertUnixSockRestartFunc\n");); CloseAlertSock(); diff -Nru snort-2.9.0.1/src/output-plugins/spo_alert_unixsock.h snort-2.9.2/src/output-plugins/spo_alert_unixsock.h --- snort-2.9.0.1/src/output-plugins/spo_alert_unixsock.h 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_alert_unixsock.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** diff -Nru snort-2.9.0.1/src/output-plugins/spo_csv.c snort-2.9.2/src/output-plugins/spo_csv.c --- snort-2.9.0.1/src/output-plugins/spo_csv.c 2010-06-09 15:05:19.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_csv.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2001 Brian Caswell <bmc@mitre.org> ** @@ -22,11 +22,11 @@ /* $Id$ */ /* spo_csv - * + * * Purpose: output plugin for csv alerting * * Arguments: alert file (eventually) - * + * * Effect: * * Alerts are written to a file in the snort csv alert format 
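Review bot: `strncpy(alertaddr.sun_path, srv, 108);` leaves `sun_path` without a NUL terminator whenever `srv` is 108 bytes or longer, and the literal 108 duplicates `sizeof(alertaddr.sun_path)`; the preceding `bzero` only protects shorter names. The hunk is whitespace-only but this line is on the new side, so it is worth fixing here: reject over-long paths and use a terminating copy, `if (strlen(srv) >= sizeof(alertaddr.sun_path)) FatalError("AlertUnixSock: socket path too long\n"); snprintf(alertaddr.sun_path, sizeof(alertaddr.sun_path), "%s", srv);`. The enclosing function begins and ends outside the hunk, so I cannot see whether a length check already exists upstream of this point.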
@@ -58,7 +58,7 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "util.h" #include "log.h" @@ -103,7 +103,7 @@ /* * Function: SetupCSV() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -114,7 +114,7 @@ */ void AlertCSVSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("alert_CSV", OUTPUT_TYPE_FLAG__ALERT, AlertCSVInit); @@ -195,7 +195,7 @@ if ( !strcasecmp("default", tok) ) data->csvargs = SnortStrdup(DEFAULT_CSV); else - data->csvargs = SnortStrdup(toks[i]); + data->csvargs = SnortStrdup(toks[i]); break; case 2: @@ -244,8 +244,8 @@ AlertCSVData *data = (AlertCSVData *)arg; /* close alert file */ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"%s\n", msg);); - - if(data) + + if(data) { mSplitFree(&data->args, data->numargs); if (data->log) TextLog_Term(data->log); @@ -269,7 +269,7 @@ static void AlertCSV(Packet *p, char *msg, void *arg, Event *event) { AlertCSVData *data = (AlertCSVData *)arg; - RealAlertCSV(p, msg, data->args, data->numargs, event, data->log); + RealAlertCSV(p, msg, data->args, data->numargs, event, data->log); } /* 
@@ -280,29 +280,29 @@ * * Arguments: p => packet. (could be NULL) * msg => the message to send - * args => CSV output arguements + * args => CSV output arguements * numargs => number of arguements * log => Log * Returns: void function * */ -static void RealAlertCSV(Packet * p, char *msg, char **args, +static void RealAlertCSV(Packet * p, char *msg, char **args, int numargs, Event *event, TextLog* log) { - int num; + int num; char *type; char tcpFlags[9]; if(p == NULL) return; - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"Logging CSV Alert data\n");); + DEBUG_WRAP(DebugMessage(DEBUG_LOG,"Logging CSV Alert data\n");); for (num = 0; num < numargs; num++) { type = args[num]; - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num);); + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "CSV Got type %s %d\n", type, num);); if (!strcasecmp("timestamp", type)) { @@ -355,7 +355,7 @@ p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], p->eh->ether_src[4], p->eh->ether_src[5]); } - } + } else if (!strcasecmp("ethdst", type)) { if (p->eh != NULL) @@ -399,7 +399,7 @@ break; default: break; - } + } } } else if (!strcasecmp("dstport", type)) @@ -414,7 +414,7 @@ break; default: break; - } + } } } else if (!strcasecmp("src", type)) @@ -425,7 +425,7 @@ else if (!strcasecmp("dst", type)) { if (IPH_IS_VALID(p)) - TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); + TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); } else if (!strcasecmp("icmptype", type)) { @@ -440,7 +440,7 @@ else if (!strcasecmp("icmpid", type)) { if (p->icmph != NULL) - TextLog_Print(log, "%d", ntohs(p->icmph->s_icmp_id)); + TextLog_Print(log, "%d", ntohs(p->icmph->s_icmp_id)); } else if (!strcasecmp("icmpseq", type)) { 
@@ -501,13 +501,13 @@ else if (!strcasecmp("tcpflags",type)) { if (p->tcph != NULL) - { + { CreateTCPFlagString(p, tcpFlags); TextLog_Print(log, "%s", tcpFlags); } } - if (num < numargs - 1) + if (num < numargs - 1) TextLog_Putc(log, ','); } diff -Nru snort-2.9.0.1/src/output-plugins/spo_csv.h snort-2.9.2/src/output-plugins/spo_csv.h --- snort-2.9.0.1/src/output-plugins/spo_csv.h 2010-01-26 10:10:09.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_csv.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2001 Brian Caswell <bmc@mitre.org> ** diff -Nru snort-2.9.0.1/src/output-plugins/spo_database.c snort-2.9.2/src/output-plugins/spo_database.c --- snort-2.9.0.1/src/output-plugins/spo_database.c 2010-06-09 15:05:20.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_database.c 2011-10-26 11:28:52.000000000 -0700 @@ -22,12 +22,12 @@ /* $Id$ */ /* Snort Database Output Plug-in - * + * * Maintainer: Roman Danyliw <rdd@cert.org>, <roman@danyliw.com> * * Originally written by Jed Pickel <jed@pickel.net> (2000-2001) * - * See the doc/README.database file with this distribution + * See the doc/README.database file with this distribution * documentation or the snortdb web site for configuration * information * @@ -36,9 +36,9 @@ /******** Configuration *************************************************/ -/* - * If you want extra debugging information for solving database - * configuration problems, uncomment the following line. +/* + * If you want extra debugging information for solving database + * configuration problems, uncomment the following line. */ /* #define DEBUG */ @@ -55,6 +55,7 @@ #include <stdlib.h> #include <string.h> +#include "sf_types.h" #include "spo_database.h" #include "event.h" #include "decode.h" 
@@ -63,7 +64,7 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "snort.h" #include "sfdaq.h" @@ -338,20 +339,20 @@ #define CLEARSTATEMENT() NULL; #endif /* DEBUG || ENABLE_MSSQL_DEBUG*/ - /* Prototype of SQL Server callback functions. - * See actual declaration elsewhere for details. + /* Prototype of SQL Server callback functions. + * See actual declaration elsewhere for details. */ - static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, + static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, int oserr, LPCSTR dberrstr, LPCSTR oserrstr); - static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, - int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, + static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, + int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, DBUSMALLINT line); #endif /* ENABLE_MSSQL */ /******************************************************************************* * Function: SetupDatabase() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -362,7 +363,7 @@ ******************************************************************************/ void DatabaseSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("database", OUTPUT_TYPE_FLAG__ALERT, DatabaseInit); 
@@ -384,13 +385,20 @@ { DatabaseData *data = NULL; + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The database output plugins are considered deprecated as\n"); + WarningMessage("!! of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!! The recommended approach to logging is to use unified2 with\n"); + WarningMessage("!! barnyard2 or similar.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + /* parse the argument list from the rules file */ data = InitDatabaseData(args); - + data->tz = GetLocalTimezone(); ParseDatabaseArgs(data); - + /* Add the processor function into the function list */ if (strncasecmp(data->facility, "log", 3) == 0) { @@ -400,9 +408,9 @@ { AddFuncToOutputList(Database, OUTPUT_TYPE__ALERT, data); } - + AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data); - AddFuncToRestartList(SpoDatabaseRestartFunction, data); + AddFuncToRestartList(SpoDatabaseRestartFunction, data); AddFuncToPostConfigList(DatabaseInitFinalize, data); ++instances; @@ -452,16 +460,16 @@ { if(snort_conf->bpf_filter == NULL) { - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) " - "VALUES ('%s','%s',%u,%u, 0)", + "VALUES ('%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " @@ -471,7 +479,7 @@ " AND filter IS NULL", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); - + if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; } 
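Review bot: The six WarningMessage calls added at the top of DatabaseInit are repeated verbatim in DatabaseInitFinalize and Disconnect elsewhere in this diff, so the banner text and the "2.9.3" removal version now live in three places that must be kept in sync by hand. A `static void DatabaseDeprecationWarning(void)` holding the six calls, invoked from each site, would keep a single copy of the text. The banner also fires before `InitDatabaseData`/`ParseDatabaseArgs`, so it is printed even when the configuration is then rejected by FatalError; that is reasonable for a deprecation notice but deserves a one-line comment such as `/* Emitted before argument parsing so it is seen even when the config is rejected */`. DatabaseInit continues past this hunk.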
@@ -479,16 +487,16 @@ { escapedBPFFilter = snort_escape_string(snort_conf->bpf_filter, data); - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) " - "VALUES ('%s','%s','%s',%u,%u, 0)", + "VALUES ('%s','%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " @@ -507,16 +515,16 @@ { if(snort_conf->bpf_filter == NULL) { - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) " - "VALUES ('%s','%s',%u,%u, 0)", + "VALUES ('%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " @@ -533,16 +541,16 @@ { escapedBPFFilter = snort_escape_string(snort_conf->bpf_filter, data); - ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, + ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) " - "VALUES ('%s','%s','%s',%u,%u, 0)", + "VALUES ('%s','%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; - ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " 
@@ -580,7 +588,7 @@ data->shared->sid = Select(select_sensor_id,data); if(data->shared->sid == 0) { - ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->sensor\n", + ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->sensor\n", data->shared->dbname); FatalError("%s\n%s\n", FATAL_NO_SENSOR_1, FATAL_NO_SENSOR_2); @@ -591,8 +599,8 @@ * plugin, first we check the shared data list to see if we already * have a value to use, if so, we replace the SharedDatabaseData struct * in the DatabaseData struct with the one out of the sharedDataList. - * Sound confusing enough? - * -Andrew + * Sound confusing enough? + * -Andrew */ /* XXX: Creating a set of list handling functions would make this cleaner */ @@ -611,7 +619,7 @@ } current = current->next; } - + if(foundEntry == 0) { /* Add it the the shared data list */ @@ -632,9 +640,9 @@ current->next = newNode; } - /* Set the cid value + /* Set the cid value * - get the cid value in sensor.last_cid - * - get the MAX(cid) from event + * - get the MAX(cid) from event * - if snort crashed without storing the latest cid, then * the MAX(event.cid) > sensor.last_cid. Update last_cid in this case */ @@ -648,7 +656,7 @@ " FROM event " " WHERE sid = %u", data->shared->sid); - + if (ret != SNORT_SNPRINTF_SUCCESS) FatalError("Database: Unable to construct query - output error or truncation\n"); @@ -661,9 +669,9 @@ if (ret == -1) FatalError("Database: Unable to construct query - output error or truncation\n"); - ErrorMessage("database: inconsistent cid information for sid=%u\n", + ErrorMessage("database: inconsistent cid information for sid=%u\n", data->shared->sid); - ErrorMessage(" Recovering by rolling forward the cid=%u\n", + ErrorMessage(" Recovering by rolling forward the cid=%u\n", event_cid); } @@ -705,7 +713,7 @@ } /* else if ( data->DBschema_version < LATEST_DB_SCHEMA_VERSION ) - { + { ErrorMessage("database: The database is using an older version of the DB schema\n"); } */ 
@@ -718,6 +726,13 @@ database_support_buf[0] = '\0'; database_in_use_buf[0] = '\0'; + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The database output plugins are considered deprecated as\n"); + WarningMessage("!! of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!! The recommended approach to logging is to use unified2 with\n"); + WarningMessage("!! barnyard2 or similar.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + /* These strings will not overflow the buffers */ #ifdef ENABLE_MYSQL snprintf(database_support_buf, sizeof(database_support_buf), @@ -828,7 +843,7 @@ /******************************************************************************* * Function: ParseDatabaseArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. * * Arguments: args => argument list @@ -872,7 +887,7 @@ } else { - ErrorMessage("database: Invalid format for first argment\n"); + ErrorMessage("database: Invalid format for first argment\n"); DatabasePrintUsage(); FatalError("\n"); } 
@@ -889,23 +904,23 @@ #ifdef ENABLE_MYSQL if(!strncasecmp(type,KEYWORD_MYSQL,strlen(KEYWORD_MYSQL))) - data->shared->dbtype_id = DB_MYSQL; + data->shared->dbtype_id = DB_MYSQL; #endif #ifdef ENABLE_POSTGRESQL if(!strncasecmp(type,KEYWORD_POSTGRESQL,strlen(KEYWORD_POSTGRESQL))) - data->shared->dbtype_id = DB_POSTGRESQL; + data->shared->dbtype_id = DB_POSTGRESQL; #endif #ifdef ENABLE_ODBC if(!strncasecmp(type,KEYWORD_ODBC,strlen(KEYWORD_ODBC))) - data->shared->dbtype_id = DB_ODBC; + data->shared->dbtype_id = DB_ODBC; #endif #ifdef ENABLE_ORACLE if(!strncasecmp(type,KEYWORD_ORACLE,strlen(KEYWORD_ORACLE))) - data->shared->dbtype_id = DB_ORACLE; + data->shared->dbtype_id = DB_ORACLE; #endif #ifdef ENABLE_MSSQL if(!strncasecmp(type,KEYWORD_MSSQL,strlen(KEYWORD_MSSQL))) - data->shared->dbtype_id = DB_MSSQL; + data->shared->dbtype_id = DB_MSSQL; #endif if(data->shared->dbtype_id == 0) @@ -989,7 +1004,7 @@ else { FatalError("database: unknown detail level (%s)", a1); - } + } } if(!strncasecmp(dbarg,KEYWORD_IGNOREBPF,strlen(KEYWORD_IGNOREBPF))) { @@ -1010,7 +1025,7 @@ } dbarg = strtok(NULL, "="); - } + } if(data->shared->dbname == NULL) { @@ -1066,14 +1081,14 @@ rval->next = NULL; return rval; -} +} /******************************************************************************* * Function: Database(Packet *, char * msg, void *arg) * * Purpose: Insert data into the database * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * msg => pointer to the signature message * * Returns: void function @@ -1119,7 +1134,7 @@ #ifdef ENABLE_DB_TRANSACTIONS BeginTransaction(data); #endif - + if(msg == NULL) { msg = ""; 
@@ -1236,8 +1251,8 @@ } #endif - /* Write the signature information - * - Determine the ID # of the signature of this alert + /* Write the signature information + * - Determine the ID # of the signature of this alert */ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_name = snort_escape_string(msg, data); @@ -1245,7 +1260,7 @@ if (event->sig_rev == 0) { ret = SnortSnprintf(sig_rev, sizeof(sig_rev), "IS NULL"); - + if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } @@ -1305,12 +1320,12 @@ * - write the signature * - write the signature's references, classification, priority, id, * revision number - * Note: if a signature (identified with a unique text message, revision #) - * initially is logged to the DB without references/classification, - * but later they are added, this information will _not_ be + * Note: if a signature (identified with a unique text message, revision #) + * initially is logged to the DB without references/classification, + * but later they are added, this information will _not_ be * stored/updated unless the revision number is changed. * This algorithm is used in order to prevent many DB SELECTs to - * verify their presence _every_ time the alert is triggered. + * verify their presence _every_ time the alert is triggered. */ if(sig_id == 0) { @@ -1324,11 +1339,11 @@ /* classification */ if(class_ptr->type) { - /* Get the ID # of this classification */ + /* Get the ID # of this classification */ select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_class = snort_escape_string(class_ptr->type, data); - - ret = SnortSnprintf(select1, MAX_QUERY_LENGTH, + + ret = SnortSnprintf(select1, MAX_QUERY_LENGTH, "SELECT sig_class_id " " FROM sig_class " " WHERE sig_class_name = '%s'", 
@@ -1381,12 +1396,12 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(insert_values, MAX_QUERY_LENGTH - insert_values_len, "'%s'", sig_name); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); @@ -1397,16 +1412,16 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", class_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); - } + } if ( event->priority > 0 ) { @@ -1415,13 +1430,13 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->priority); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } @@ -1439,7 +1454,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } @@ -1451,15 +1466,15 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); - insert_values_len = strlen(insert_values); + insert_values_len = strlen(insert_values); } if ( event->sig_generator > 0 ) 
@@ -1469,15 +1484,15 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_generator); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + insert_fields_len = strlen(insert_fields); - insert_values_len = strlen(insert_values); + insert_values_len = strlen(insert_values); } ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, @@ -1486,7 +1501,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + Insert(insert0,data); sig_id = Select(select0,data); @@ -1513,19 +1528,19 @@ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_system_name = snort_escape_string(refNode->system->name, data); - + /* Note: There is an underlying assumption that the SELECT * will do a case-insensitive comparison. */ - ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, + ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, "SELECT ref_system_id " " FROM reference_system " " WHERE ref_system_name = '%s'", ref_system_name); - + if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "reference_system (ref_system_name) " @@ -1534,7 +1549,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ref_system_id = Select(select0, data); if ( ref_system_id == 0 ) @@ -1561,11 +1576,11 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + ref_id = Select(select0, data); free(ref_tag); ref_tag = NULL; - + /* If this reference is not in the database, write it */ if ( ref_id == 0 ) { @@ -1624,7 +1639,7 @@ if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; - + Insert(insert0, data); free(insert0); insert0 = NULL; @@ -1645,7 +1660,7 @@ } free(sig_name); sig_name = NULL; - + if ( (data->shared->dbtype_id == DB_ORACLE) && (data->DBschema_version >= 105) ) { 
@@ -1683,12 +1698,12 @@ free(timestamp_string); timestamp_string = NULL; - /* We do not log fragments! They are assumed to be handled + /* We do not log fragments! They are assumed to be handled by the fragment reassembly pre-processor */ if(p != NULL) { - if((!p->frag_flag) && (IPH_IS_VALID(p))) + if((!p->frag_flag) && (IPH_IS_VALID(p))) { /* query = NewQueryNode(query, 0); */ if(GET_IPH_PROTO(p) == IPPROTO_ICMP && p->icmph) @@ -1699,7 +1714,7 @@ { if(p->icmph) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) " "VALUES (%u,%u,%u,%u,%u,%u,%u)", @@ -1712,7 +1727,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) " "VALUES (%u,%u,%u,%u,%u)", @@ -1725,7 +1740,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code) " "VALUES (%u,%u,%u,%u)", @@ -1742,7 +1757,7 @@ /*** Build a query for the TCP Header ***/ if(data->detail) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid, cid, tcp_sport, tcp_dport, " " tcp_seq, tcp_ack, tcp_off, tcp_res, " @@ -1750,13 +1765,13 @@ "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, - ntohs(p->tcph->th_sport), + ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), (u_long)ntohl(p->tcph->th_seq), (u_long)ntohl(p->tcph->th_ack), - TCP_OFFSET(p->tcph), + TCP_OFFSET(p->tcph), TCP_X2(p->tcph), - p->tcph->th_flags, + p->tcph->th_flags, ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum), ntohs(p->tcph->th_urp)); 
@@ -1766,13 +1781,13 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) " "VALUES (%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, - ntohs(p->tcph->th_sport), + ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), p->tcph->th_flags); @@ -1788,7 +1803,7 @@ query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { - packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len); + packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len); } else { @@ -1800,7 +1815,7 @@ * opt_data data after query, which later in Insert() * will be cut off and uploaded with OCIBindByPos(). */ - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES (%u,%u,%u,%u,%u,%u,:1)|%s", @@ -1810,8 +1825,8 @@ 6, p->tcp_options[i].code, p->tcp_options[i].len, - packet_data); - + packet_data); + if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; @@ -1819,7 +1834,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES (%u,%u,%u,%u,%u,%u,'%s')", @@ -1829,7 +1844,7 @@ 6, p->tcp_options[i].code, p->tcp_options[i].len, - packet_data); + packet_data); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; @@ -1851,7 +1866,7 @@ "VALUES (%u, %u, %u, %u, %u, %u)", data->shared->sid, data->shared->cid, - ntohs(p->udph->uh_sport), + ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport), ntohs(p->udph->uh_len), ntohs(p->udph->uh_chk)); 
@@ -1867,14 +1882,14 @@ "VALUES (%u, %u, %u, %u)", data->shared->sid, data->shared->cid, - ntohs(p->udph->uh_sport), + ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport)); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } } - } + } /*** Build the query for the IP Header ***/ if ( IPH_IS_VALID(p) && IS_IP4(p) ) @@ -1883,7 +1898,7 @@ if(data->detail) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, " " ip_tos, ip_len, ip_id, ip_flags, ip_off," @@ -1891,16 +1906,16 @@ "VALUES (%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, - (u_long)ntohl(p->iph->ip_src.s_addr), - (u_long)ntohl(p->iph->ip_dst.s_addr), + (u_long)ntohl(p->iph->ip_src.s_addr), + (u_long)ntohl(p->iph->ip_dst.s_addr), IP_VER(p->iph), - IP_HLEN(p->iph), + IP_HLEN(p->iph), p->iph->ip_tos, ntohs(p->iph->ip_len), - ntohs(p->iph->ip_id), + ntohs(p->iph->ip_id), p->frag_flag, ntohs(p->frag_offset), - p->iph->ip_ttl, + p->iph->ip_ttl, GET_IPH_PROTO(p), ntohs(p->iph->ip_csum)); @@ -1909,7 +1924,7 @@ } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "iphdr (sid, cid, ip_src, ip_dst, ip_proto) " "VALUES (%u,%u,%lu,%lu,%u)", @@ -1933,11 +1948,11 @@ query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { - packet_data = fasthex(p->ip_options[i].data, p->ip_options[i].len); + packet_data = fasthex(p->ip_options[i].data, p->ip_options[i].len); } else { - packet_data = base64(p->ip_options[i].data, p->ip_options[i].len); + packet_data = base64(p->ip_options[i].data, p->ip_options[i].len); } if(data->shared->dbtype_id == DB_ORACLE) 
@@ -2013,8 +2028,8 @@ if(data->shared->dbtype_id == DB_ORACLE) { - /* Oracle field BLOB type case. We append unescaped - * packet_payload data after query, which later in Insert() + /* Oracle field BLOB type case. We append unescaped + * packet_payload data after query, which later in Insert() * will be cut off and uploaded with OCIBindByPos(). */ ret = SnortSnprintf(query->val, (p->dsize * 2) + MAX_QUERY_LENGTH - 3, @@ -2070,7 +2085,7 @@ query = query->next; } } - FreeQueryNode(root); + FreeQueryNode(root); root = NULL; /* Increment the cid*/ @@ -2082,7 +2097,7 @@ CommitTransaction(data); } #endif - + /* An ODBC bugfix */ #ifdef ENABLE_ODBC if(data->shared->cid == 600) @@ -2115,21 +2130,21 @@ return; } -/* Some of the code in this function is from the +/* Some of the code in this function is from the mysql_real_escape_string() function distributed with mysql. Those portions of this function remain Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB We needed a more general case that was not MySQL specific so there - were small modifications made to the mysql_real_escape_string() + were small modifications made to the mysql_real_escape_string() function. */ static char * snort_escape_string(const char * from, DatabaseData * data) { char * to; char * to_start; - const char* end; + const char* end; int from_length; from_length = (int)strlen(from); @@ -2165,7 +2180,7 @@ { switch(*from) { - case '\'': /* ' --> '' */ + case '\'': /* ' --> '' */ *to++= '\''; *to++= '\''; break; @@ -2238,11 +2253,11 @@ } else { - *to++= *from; + *to++= *from; } break; default: /* copy character directly */ - *to++= *from; + *to++= *from; } } } @@ -2253,7 +2268,7 @@ { switch(*from) { - case '\'': /* ' --> '' */ + case '\'': /* ' --> '' */ *to++= '\''; *to++= '\''; break; 
@@ -2269,11 +2284,11 @@ /******************************************************************************* * Function: UpdateLastCid(DatabaseData * data, int sid, int cid) * - * Purpose: Sets the last cid used for a given a sensor ID (sid), + * Purpose: Sets the last cid used for a given a sensor ID (sid), * * Arguments: data : database information * sid : sensor ID - * cid : event ID + * cid : event ID * * Returns: status of the update * @@ -2304,7 +2319,7 @@ /******************************************************************************* * Function: GetLastCid(DatabaseData * data, int sid) * - * Purpose: Returns the last cid used for a given a sensor ID (sid), + * Purpose: Returns the last cid used for a given a sensor ID (sid), * * Arguments: data : database information * sid : sensor ID @@ -2331,7 +2346,7 @@ tmp_cid = Select(select0,data); free(select0); select0 = NULL; - + return tmp_cid; } @@ -2411,7 +2426,7 @@ * Function: BeginTransaction(DatabaseData * data) * * Purpose: Database independent SQL to start a transaction - * + * ******************************************************************************/ static void BeginTransaction(DatabaseData * data) { @@ -2445,7 +2460,7 @@ * Function: CommitTransaction(DatabaseData * data) * * Purpose: Database independent SQL to commit a transaction - * + * ******************************************************************************/ static void CommitTransaction(DatabaseData * data) { @@ -2500,7 +2515,7 @@ * Function: RollbackTransaction(DatabaseData * data) * * Purpose: Database independent SQL to rollback a transaction - * + * ******************************************************************************/ static void RollbackTransaction(DatabaseData * data) { @@ -2555,7 +2570,7 @@ * Function: Insert(char * query, DatabaseData * data) * * Purpose: Database independent function for SQL inserts - * + * * Arguments: query (An SQL insert) * * Returns: 1 if successful, 0 if fail 
@@ -2580,7 +2595,7 @@ ErrorMessage("database: postgresql_error: %s\n", PQerrorMessage(data->p_connection)); } - } + } PQclear(data->p_result); } #endif @@ -2597,7 +2612,7 @@ { if(mysql_errno(data->m_sock)) { - ErrorMessage("database: mysql_error: %s\nSQL=%s\n", + ErrorMessage("database: mysql_error: %s\nSQL=%s\n", mysql_error(data->m_sock), query); } @@ -2652,7 +2667,7 @@ { char *blob = NULL; - /* If BLOB type - split query to actual SQL and blob to BLOB data */ + /* If BLOB type - split query to actual SQL and blob to BLOB data */ if(strncasecmp(query,"INSERT INTO data",16)==0 || strncasecmp(query,"INSERT INTO opt",15)==0) { if((blob=strchr(query,'|')) != NULL) @@ -2709,7 +2724,7 @@ , OCI_HTYPE_ERROR); ErrorMessage("database: oracle_error: %s\n", data->o_errormsg); ErrorMessage(" : query: %s\n", query); - } + } } #endif @@ -2732,7 +2747,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS if(result) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) executed\n", query);); @@ -2749,9 +2764,9 @@ /******************************************************************************* * Function: Select(char * query, DatabaeData * data) * - * Purpose: Database independent function for SQL selects that + * Purpose: Database independent function for SQL selects that * return a non zero int - * + * * Arguments: query (An SQL insert) * * Returns: result of query if successful, 0 if fail @@ -2778,7 +2793,7 @@ else { result = atoi(PQgetvalue(data->p_result,0,0)); - } + } } } if(!result) @@ -2940,7 +2955,7 @@ } #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS if(result) { DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) returned %u\n", query, result);); 
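Review bot: The guard around the query-echo debug block in Insert (and the matching one in Select in the following hunk) now tests `DEBUG_MSGS`, but the file's configuration section still tells the reader to uncomment `/* #define DEBUG */` for extra database debugging, and the MSSQL section's `#endif /* DEBUG || ENABLE_MSSQL_DEBUG*/` still keys on `DEBUG`; after this change that local instruction no longer enables these two blocks. Either update that comment to name `DEBUG_MSGS` or drop the `#define DEBUG` hint if the build flag alone is meant to control it. Note also that the message prints the full SQL text, which for the `data`/`opt` inserts appears to carry escaped packet payload, so enabling `DEBUG_MSGS` on a live sensor will put payload into the debug log; a one-line comment above the guard, e.g. `/* Echoes the full query text, including escaped payload; debug builds only */`, would make that visible to whoever turns it on.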
@@ -2958,7 +2973,7 @@ /******************************************************************************* * Function: Connect(DatabaseData * data) * - * Purpose: Database independent function to initiate a database + * Purpose: Database independent function to initiate a database * connection * ******************************************************************************/ 
@@ -3113,39 +3128,39 @@ if(data->shared->dbtype_id == DB_ORACLE) { - if (!getenv("ORACLE_HOME")) + if (!getenv("ORACLE_HOME")) { ErrorMessage("database : ORACLE_HOME environment variable not set\n"); } - - if (!data->user || !data->password || !data->shared->dbname) - { + + if (!data->user || !data->password || !data->shared->dbname) + { ErrorMessage("database: user, password and dbname required for Oracle\n"); ErrorMessage("database: dbname must also be in tnsnames.ora\n"); } - if (data->shared->host) + if (data->shared->host) { ErrorMessage("database: hostname not required for Oracle, use dbname\n"); ErrorMessage("database: dbname must be in tnsnames.ora\n"); } - if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) + if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) PRINT_ORACLE_ERR("OCIInitialize"); - - if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) + + if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) PRINT_ORACLE_ERR("OCIEnvInit"); - - if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) + + if (OCIEnvInit(&data->o_environment, OCI_DEFAULT, 0, NULL)) PRINT_ORACLE_ERR("OCIEnvInit (2)"); - + if (OCIHandleAlloc(data->o_environment, (dvoid **)&data->o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) PRINT_ORACLE_ERR("OCIHandleAlloc"); if (OCILogon(data->o_environment, data->o_error, &data->o_servicecontext, - data->user, strlen(data->user), data->password, strlen(data->password), - data->shared->dbname, strlen(data->shared->dbname))) - { + data->user, strlen(data->user), data->password, strlen(data->password), + data->shared->dbname, strlen(data->shared->dbname))) + { OCIErrorGet(data->o_error, 1, NULL, &data->o_errorcode, data->o_errormsg, sizeof(data->o_errormsg), OCI_HTYPE_ERROR); ErrorMessage("database: oracle_error: %s\n", data->o_errormsg); ErrorMessage("database: Checklist: check database is listed in tnsnames.ora\n"); 
@@ -3153,7 +3168,7 @@ ErrorMessage("database: check database accessible with sqlplus\n"); FatalError("database: OCILogon : Connection to database '%s' failed\n", data->shared->dbname); } - + if (OCIHandleAlloc(data->o_environment, (dvoid **)&data->o_statement, OCI_HTYPE_STMT, 0, NULL)) PRINT_ORACLE_ERR("OCIHandleAlloc (2)"); } @@ -3177,7 +3192,7 @@ DBSETLUSER (data->ms_login, data->user); DBSETLPWD (data->ms_login, data->password); DBSETLAPP (data->ms_login, "snort"); - + data->ms_dbproc = dbopen(data->ms_login, data->shared->host); if( data->ms_dbproc == NULL ) { @@ -3208,9 +3223,16 @@ ******************************************************************************/ static void Disconnect(DatabaseData * data) { - LogMessage("database: Closing connection to database \"%s\"\n", + LogMessage("database: Closing connection to database \"%s\"\n", data->shared->dbname); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + WarningMessage("!! WARNING: The database output plugins are considered deprecated as\n"); + WarningMessage("!! of Snort 2.9.2 and will be removed in Snort 2.9.3.\n"); + WarningMessage("!! The recommended approach to logging is to use unified2 with\n"); + WarningMessage("!! barnyard2 or similar.\n"); + WarningMessage("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); + if(data) { #ifdef ENABLE_POSTGRESQL @@ -3238,8 +3260,8 @@ { if(data->u_handle) { - SQLDisconnect(data->u_connection); - SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle); + SQLDisconnect(data->u_connection); + SQLFreeHandle(SQL_HANDLE_ENV, data->u_handle); } } #endif 
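Review bot: `LogMessage` dereferences `data->shared->dbname` one line before the `if(data)` guard that now follows the new banner, so the NULL check cannot protect that access; either move the `LogMessage` (and the banner) inside the `if(data)` block or drop the check. The deprecation banner is also emitted from Disconnect(), which both SpoDatabaseCleanExitFunction and SpoDatabaseRestartFunction call (later in this diff), so operators get six WarningMessage lines on every restart rather than once at configuration time; emitting it from the plugin's init path would be the conventional place. The rest of Disconnect continues outside the hunk.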
@@ -3293,15 +3315,15 @@ puts(" The parameter list consists of key value pairs. The proper"); puts(" format is a list of key=value pairs each separated a space.\n"); - puts(" The only parameter that is absolutely necessary is \"dbname\"."); + puts(" The only parameter that is absolutely necessary is \"dbname\"."); puts(" All other parameters are optional but may be necessary"); puts(" depending on how you have configured your RDBMS.\n"); - puts(" dbname - the name of the database you are connecting to\n"); + puts(" dbname - the name of the database you are connecting to\n"); puts(" host - the host the RDBMS is on\n"); - puts(" port - the port number the RDBMS is listening on\n"); + puts(" port - the port number the RDBMS is listening on\n"); puts(" user - connect to the database as this user\n"); @@ -3332,10 +3354,10 @@ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): entered SpoDatabaseCleanExitFunction\n");); - if(data != NULL) + if(data != NULL) { UpdateLastCid(data, data->shared->sid, data->shared->cid-1); - Disconnect(data); + Disconnect(data); free(data->args); free(data); data = NULL; @@ -3353,7 +3375,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): entered SpoDatabaseRestartFunction\n");); - if(data != NULL) + if(data != NULL) { UpdateLastCid(data, data->shared->sid, data->shared->cid-1); Disconnect(data); @@ -3373,7 +3395,7 @@ SharedDatabaseDataNode *current; while(sharedDataList != NULL) - { + { current = sharedDataList; free(current->data); current->data = NULL; @@ -3390,7 +3412,7 @@ * This should only occur whenever an error has occurred, or when the connection switches to * a different database within the server. */ -static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, int oserr, +static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, int oserr, LPCSTR dberrstr, LPCSTR oserrstr) { int retval; 
@@ -3412,7 +3434,7 @@ } -static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, int severity, +static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, DBUSMALLINT line) { ErrorMessage("database: SQL Server message %ld, state %d, severity %d: \n\t%s\n", @@ -3421,7 +3443,7 @@ ErrorMessage("Server '%s', ", srvname); if ( (procname!=NULL) && strlen(procname)!=0 ) ErrorMessage("Procedure '%s', ", procname); - if (line !=0) + if (line !=0) ErrorMessage("Line %d", line); ErrorMessage("\n"); #ifdef ENABLE_MSSQL_DEBUG diff -Nru snort-2.9.0.1/src/output-plugins/spo_log_ascii.c snort-2.9.2/src/output-plugins/spo_log_ascii.c --- snort-2.9.0.1/src/output-plugins/spo_log_ascii.c 2010-01-26 10:10:09.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_log_ascii.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** (C) 2002 Sourcefire, Inc. ** @@ -24,13 +24,13 @@ /* $Id$ */ /* spo_log_ascii - * + * * Purpose: * * This output module provides the default packet logging funtionality * * Arguments: - * + * * None. * * Effect: @@ -63,7 +63,7 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "decode.h" #include "event.h" #include "log.h" @@ -91,7 +91,7 @@ void LogAsciiSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_ascii", OUTPUT_TYPE_FLAG__LOG, LogAsciiInit); @@ -113,7 +113,7 @@ FILE *log_ptr = NULL; DEBUG_WRAP(DebugMessage(DEBUG_LOG, "LogPkt started\n");); if(p) - { + { if(IPH_IS_VALID(p)) log_ptr = OpenLogFile(0, p); #ifndef NO_NON_ETHER_DECODER 
@@ -128,14 +128,14 @@ if(!log_ptr) FatalError("Unable to open packet log file\n"); - + if(msg) { fwrite("[**] ", 5, 1, log_ptr); /* * Protect against potential log injection, - * check for delimiters and newlines in msg + * check for delimiters and newlines in msg */ if( !strstr(msg,"[**]") && !strchr(msg,'\n') ) { @@ -227,7 +227,7 @@ log_ptr = fopen(log_file, "a"); if (!log_ptr) { - FatalError("OpenLogFile() => fopen(%s) log file: %s\n", + FatalError("OpenLogFile() => fopen(%s) log file: %s\n", log_file, strerror(errno)); } return log_ptr; @@ -246,19 +246,19 @@ if((p->iph->ip_src.s_addr & snort_conf->netmask) != snort_conf->homenet) #endif { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_SRC_ADDR(p))); } else { if(p->sp >= p->dp) { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_SRC_ADDR(p))); } else { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_DST_ADDR(p))); } } 
@@ -272,19 +272,19 @@ if((p->iph->ip_src.s_addr & snort_conf->netmask) == snort_conf->homenet) #endif { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_DST_ADDR(p))); } else { if(p->sp >= p->dp) { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_SRC_ADDR(p))); } else { - SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, + SnortSnprintf(log_path, STD_BUF, "%s/%s", snort_conf->log_dir, inet_ntoa(GET_DST_ADDR(p))); } } diff -Nru snort-2.9.0.1/src/output-plugins/spo_log_ascii.h snort-2.9.2/src/output-plugins/spo_log_ascii.h --- snort-2.9.0.1/src/output-plugins/spo_log_ascii.h 2010-01-26 10:10:09.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_log_ascii.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** ** Author(s): Andrew R. Baker <andrewb@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/output-plugins/spo_log_null.c snort-2.9.2/src/output-plugins/spo_log_null.c --- snort-2.9.0.1/src/output-plugins/spo_log_null.c 2010-01-26 10:10:09.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_log_null.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -20,15 +20,15 @@ /* $Id$ */ /* spo_log_null - * + * * Purpose: * - * This module is a NULL placeholder for people that want to turn off + * This module is a NULL placeholder for people that want to turn off * logging for whatever reason. Please note that logging is separate from * alerting, they are completely separate output facilities within Snort. * * Arguments: - * + * * None. * * Effect: @@ -41,13 +41,17 @@ #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "spo_log_null.h" #include "decode.h" #include "event.h" #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "snort.h" @@ -59,7 +63,7 @@ void LogNullSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_null", OUTPUT_TYPE_FLAG__LOG, LogNullInit); diff -Nru snort-2.9.0.1/src/output-plugins/spo_log_null.h snort-2.9.2/src/output-plugins/spo_log_null.h --- snort-2.9.0.1/src/output-plugins/spo_log_null.h 2010-01-26 10:10:09.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_log_null.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/output-plugins/spo_log_tcpdump.c snort-2.9.2/src/output-plugins/spo_log_tcpdump.c --- snort-2.9.0.1/src/output-plugins/spo_log_tcpdump.c 2010-06-09 15:05:20.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_log_tcpdump.c 2011-06-07 17:33:16.000000000 -0700 
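Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` block is placed after `#include <sys/types.h>`; config.h is where configure's feature-test macros land, and any of them that must precede the first system header (`_FILE_OFFSET_BITS` is the usual example) is silently ineffective in this position. Move the block above `#include <sys/types.h>` so config.h is the first include, as is conventional for autoconf projects and as the surrounding files presumably already do.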
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,14 +20,14 @@ /* $Id$ */ -/* spo_log_tcpdump - * +/* spo_log_tcpdump + * * Purpose: * * This plugin generates tcpdump formatted binary log files * * Arguments: - * + * * filename of the output log (default: snort.log) * * Effect: @@ -65,9 +65,10 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "snort.h" +#include "sfbpf_dlt.h" /* For the traversal of reassembled packets */ #include "stream_api.h" @@ -117,7 +118,7 @@ /* * Function: SetupLogTcpdump() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -128,7 +129,7 @@ */ void LogTcpdumpSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_tcpdump", OUTPUT_TYPE_FLAG__LOG, LogTcpdumpInit); @@ -254,7 +255,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function */ @@ -274,7 +275,7 @@ } } -static INLINE size_t SizeOf (const DAQ_PktHdr_t *pkth) +static inline size_t SizeOf (const DAQ_PktHdr_t *pkth) { return PCAP_PKT_HDR_SZ + pkth->caplen; } @@ -300,7 +301,7 @@ data->size += dumpSize; if (!ScLineBufferedLogging()) - { + { #ifdef WIN32 fflush( NULL ); /* flush all open output streams */ #else 
@@ -315,8 +316,8 @@ { LogTcpdumpData *data = (LogTcpdumpData *)userdata; - pcap_dump((u_char*)data->dumpd, - (struct pcap_pkthdr*)pkth, + pcap_dump((u_char*)data->dumpd, + (struct pcap_pkthdr*)pkth, (u_char*)packet_data); return 0; @@ -339,7 +340,7 @@ data->size += dumpSize; if (!ScLineBufferedLogging()) - { + { #ifdef WIN32 fflush( NULL ); /* flush all open output streams */ #else @@ -359,7 +360,7 @@ * * Purpose: Initialize the tcpdump log file header * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ @@ -373,16 +374,16 @@ if(data->filename[0] == '/') value = SnortSnprintf(data->logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s", snort_conf->log_dir, data->filename); } - else + else { if(data->filename[0] == '/') - value = SnortSnprintf(data->logdir, STD_BUF, "%s.%u", data->filename, + value = SnortSnprintf(data->logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)data->lastTime); else - value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, + value = SnortSnprintf(data->logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)data->lastTime); } @@ -393,7 +394,15 @@ if (!ScTestMode()) { - pcap_t* pcap = pcap_open_dead(DAQ_GetBaseProtocol(), DAQ_GetSnapLen()); + pcap_t* pcap; + int dlt = DAQ_GetBaseProtocol(); + + // convert these flavors of raw to the generic + // for compatibility with libpcap 1.0.0 + if ( dlt == DLT_IPV4 || dlt == DLT_IPV6 ) + dlt = DLT_RAW; + + pcap = pcap_open_dead(dlt, DAQ_GetSnapLen()); data->dumpd = pcap ? pcap_dump_open(pcap, data->logdir) : NULL; if(data->dumpd == NULL) 
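Review bot: The `pcap_t` returned by `pcap_open_dead` is not released anywhere in the hunk; as far as I can tell `pcap_dump_open` only reads the link type and snaplen from it and does not take ownership, so unless `pcap_close(pcap)` follows the `data->dumpd == NULL` check (outside the hunk) every log-file (re)initialisation leaks a handle. The DLT_IPV4/DLT_IPV6 to DLT_RAW mapping also changes what the capture file header records, which the comment should state for whoever consumes these dumps: `// DLT_IPV4/DLT_IPV6 are written as DLT_RAW; readers infer the IP version from the first header nibble`. The enclosing function starts outside the hunk.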
@@ -452,9 +461,9 @@ data->dumpd = NULL; } - /* + /* * if we haven't written any data, dump the output file so there aren't - * fragments all over the disk + * fragments all over the disk */ if(!ScTestMode() && *data->logdir && (pc.alert_pkts == 0) && (pc.log_pkts == 0)) diff -Nru snort-2.9.0.1/src/output-plugins/spo_log_tcpdump.h snort-2.9.2/src/output-plugins/spo_log_tcpdump.h --- snort-2.9.0.1/src/output-plugins/spo_log_tcpdump.h 2010-01-26 10:10:10.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_log_tcpdump.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/output-plugins/spo_unified2.c snort-2.9.2/src/output-plugins/spo_unified2.c --- snort-2.9.0.1/src/output-plugins/spo_unified2.c 2010-10-25 12:49:08.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_unified2.c 2011-12-07 09:58:23.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -19,7 +19,7 @@ /* spo_unified2.c * Adam Keeton - * + * * 09/26/06 * This file is litterally spo_unified.c converted to write unified2 * @@ -37,6 +37,9 @@ #endif #include <errno.h> #include <time.h> +#ifdef HAVE_UUID_UUID_H +#include <uuid/uuid.h> +#endif #include "sfutil/Unified2_common.h" #include "spo_unified2.h" 
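Review bot: `<uuid/uuid.h>` is pulled in under `HAVE_UUID_UUID_H`, but the `uuid_parse` call added later in this diff (UUIDPack) is compiled under `HAVE_LIBUUID`; a build that defines one macro without the other either calls `uuid_parse` without a prototype or includes a header nothing uses. Guard both with the same symbol, for example `#ifdef HAVE_LIBUUID` around this include, or have configure define the two together. A comment such as `/* uuid_parse() for the policy UUID in NG event records */` would tie the include to its only user.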
@@ -47,15 +50,16 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "event.h" #include "generators.h" -#include "debug.h" -#include "bounds.h" +#include "snort_debug.h" +#include "snort_bounds.h" #include "obfuscation.h" #include "active.h" #include "detection_util.h" +#include "detect.h" #include "snort.h" #include "pcap_pkthdr32.h" @@ -91,10 +95,12 @@ } Unified2LogCallbackData; +Unified2Config *log_config = NULL; +Unified2Config *alert_config = NULL; + /* ----------------External variables -------------------- */ /* From fpdetect.c, for logging reassembled packets */ -extern uint16_t event_id; extern OptTreeNode *otn_tmp; /* -------------------- Global Variables ----------------------*/ @@ -109,10 +115,13 @@ sizeof(Unified2IDSEventIPv6) + IP_MAXPACKET]; #define write_pkt_end_v2 (write_pkt_buffer_v2 + sizeof(write_pkt_buffer_v2)) -#ifdef ZLIB -#define MAX_GZIP_WRITE_BUF_LEN (MAX_XFF_WRITE_BUF_LENGTH - \ +static uint8_t write_pkt_buffer_ng[sizeof(Serial_Unified2_Header) + + sizeof(Unified2IDSEventIPv6_NG) + IP_MAXPACKET]; + +#define write_pkt_end_ng (write_pkt_buffer_ng + sizeof(write_pkt_buffer_ng)) + +#define MAX_XDATA_WRITE_BUF_LEN (MAX_XFF_WRITE_BUF_LENGTH - \ sizeof(struct in6_addr) + DECODE_BLEN) -#endif /* This is the buffer to use for I/O. Try to make big enough so the system * doesn't potentially flush in the middle of a record. Every write is 
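Review bot: `log_config` and `alert_config` are defined with external linkage and generic names, so they become global symbols of every binary this object is linked into; if nothing outside spo_unified2.c references them, `static Unified2Config *log_config = NULL;` / `static Unified2Config *alert_config = NULL;` is the right form, otherwise declare them `extern` in spo_unified2.h so the shared definition is visible. A one-line comment on what distinguishes the two (presumably the `log_unified2` versus `alert_unified2` instance) would help, since they sit undocumented between the callback struct and the externs. Dropping `extern uint16_t event_id;` is consistent with the new prototypes later in this diff, which receive the event id as a parameter.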
@@ -121,14 +130,14 @@ #define UNIFIED2_SETVBUF #ifndef WIN32 /* use the size of the buffer we copy record data into */ -static char io_buffer[sizeof(write_pkt_buffer_v2)]; +static char io_buffer[sizeof(write_pkt_buffer_ng)]; #else # ifdef _MSC_VER # if _MSC_VER <= 1200 /* use maximum size defined by VC++ 6.0 */ static char io_buffer[32768]; # else -static char io_buffer[sizeof(write_pkt_buffer_v2)]; +static char io_buffer[sizeof(write_pkt_buffer_ng)]; # endif /* _MSC_VER <= 1200 */ # else /* no _MSC_VER, don't set I/O buffer */ @@ -145,7 +154,7 @@ static void Unified2Init(char *); static void Unified2PostConfig(int, void *); static void Unified2InitFile(Unified2Config *); -static INLINE void Unified2RotateFile(Unified2Config *); +static inline void Unified2RotateFile(Unified2Config *); static void Unified2LogAlert(Packet *, char *, void *, Event *); static void _AlertIP4(Packet *, char *, Unified2Config *, Event *); static void _AlertIP6(Packet *, char *, Unified2Config *, Event *); @@ -167,6 +176,9 @@ static ObRet Unified2LogObfuscationCallback(const DAQ_PktHdr_t *pkth, const uint8_t *packet_data, ob_size_t length, ob_char_t ob_char, void *userdata); +void AlertExtraData(void *ssnptr, void *data, LogFunction *log_funcs, uint32_t max_count, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second); +void AlertExtraDataPerPacket(void *ssnptr, void *data, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second); + #define U2_PACKET_FLAG 1 /* Obsolete flag as UI wont check the impact_flag field anymore.*/ #define U2_FLAG_BLOCKED 0x20 @@ -177,7 +189,7 @@ /* * Function: SetupUnified2() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * 
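Review bot: `AlertExtraData` and `AlertExtraDataPerPacket` are declared with external linkage in a .c file while every other handler in this block is `static`; if they exist only to be handed to `stream_api->reg_xtra_data_log` (as the PostConfig hunk later in this diff does), declare them `static` here, otherwise move the prototypes to spo_unified2.h so definition and callers share one declaration. A short comment stating what `xtradata_mask` selects and who owns `ssnptr` and `data` would help, since the parameter names are currently the only documentation. Neither function's body is in view.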
@@ -188,7 +200,7 @@ */ void Unified2Setup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_unified2", OUTPUT_TYPE_FLAG__LOG, Unified2LogInit); RegisterOutputPlugin("alert_unified2", OUTPUT_TYPE_FLAG__ALERT, Unified2AlertInit); @@ -257,15 +269,21 @@ } config->base_proto = htonl(DAQ_GetBaseProtocol()); + Unified2InitFile(config); + + if(stream_api) + { + stream_api->reg_xtra_data_log(AlertExtraData, (void *)config); + } } /* * Function: Unified2InitFile() * - * Purpose: Initialize the unified2 ouput file + * Purpose: Initialize the unified2 ouput file * - * Arguments: config => pointer to the plugin's reference data struct + * Arguments: config => pointer to the plugin's reference data struct * * Returns: void function */ @@ -329,7 +347,7 @@ } } -static INLINE void Unified2RotateFile(Unified2Config *config) +static inline void Unified2RotateFile(Unified2Config *config) { fclose(config->stream); config->current = 0; @@ -343,7 +361,7 @@ uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2IDSEvent_legacy); memset(&alertdata, 0, sizeof(alertdata)); - + alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); 
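Review bot: `Unified2PostConfig` now registers `AlertExtraData` with `stream_api->reg_xtra_data_log` using this instance's `config`, and PostConfig presumably runs once per configured instance, so with both `log_unified2` and `alert_unified2` active the later registration may overwrite the earlier one unless the stream API keeps a list of registrants; worth confirming and recording in a comment next to the call. A one-line comment on why `Unified2InitFile(config)` is invoked here rather than at init (the `base_proto` assignment just above suggests the DAQ link type must be known before the file header is written) would also help the next reader. The enclosing function starts outside the hunk.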
@@ -383,23 +401,23 @@ } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); hdr.length = htonl(sizeof(Serial_Unified2IDSEvent_legacy)); hdr.type = htonl(UNIFIED2_IDS_EVENT); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), - &alertdata, sizeof(Serial_Unified2IDSEvent_legacy), + &alertdata, sizeof(Serial_Unified2IDSEvent_legacy), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2IDSEvent_legacy. " @@ -417,7 +435,7 @@ uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEvent); memset(&alertdata, 0, sizeof(alertdata)); - + alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); @@ -434,7 +452,7 @@ alertdata.impact_flag = U2_FLAG_BLOCKED; alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; } - else if ( Active_PacketWouldBeDropped() ) + else if ( Active_PacketWouldBeDropped() ) { alertdata.blocked = U2_BLOCKED_FLAG_WDROP; } 
@@ -474,23 +492,23 @@ } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); hdr.length = htonl(sizeof(Unified2IDSEvent)); hdr.type = htonl(UNIFIED2_IDS_EVENT_VLAN); - if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Serial_Unified2_Header), + if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - + if (SafeMemcpy(write_pkt_buffer_v2 + sizeof(Serial_Unified2_Header), - &alertdata, sizeof(Unified2IDSEvent), + &alertdata, sizeof(Unified2IDSEvent), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2IDSEvent_legacy. " @@ -501,7 +519,7 @@ Unified2Write(write_pkt_buffer_v2, write_len, config); } -static void _AlertIP6(Packet *p, char *msg, Unified2Config *config, Event *event) +static void _AlertIP6(Packet *p, char *msg, Unified2Config *config, Event *event) { #ifdef SUP_IP6 Serial_Unified2_Header hdr; @@ -509,7 +527,7 @@ uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2IDSEventIPv6_legacy); memset(&alertdata, 0, sizeof(alertdata)); - + alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); 
@@ -555,23 +573,23 @@ } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); hdr.length = htonl(sizeof(Serial_Unified2IDSEventIPv6_legacy)); hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - + if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), - &alertdata, sizeof(Serial_Unified2IDSEventIPv6_legacy), + &alertdata, sizeof(Serial_Unified2IDSEventIPv6_legacy), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2IDSEventIPv6_legacy. " @@ -653,23 +671,23 @@ } } } - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); hdr.length = htonl(sizeof(Unified2IDSEventIPv6)); hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6_VLAN); - if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Serial_Unified2_Header), + if (SafeMemcpy(write_pkt_buffer_v2, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - + if (SafeMemcpy(write_pkt_buffer_v2 + sizeof(Serial_Unified2_Header), - &alertdata, sizeof(Unified2IDSEventIPv6), + &alertdata, sizeof(Unified2IDSEventIPv6), write_pkt_buffer_v2, write_pkt_end_v2) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Unified2IDSEventIPv6. " 
@@ -681,149 +699,290 @@ #endif } +static inline void UUIDPack(uint8_t *policy_uuid, char *str, int size) +{ +#ifdef HAVE_LIBUUID + uuid_parse(str, policy_uuid); +#else + strncpy((char *)policy_uuid, str, size); +#endif +} -static INLINE void _AlertXFFData(Packet *p, char *msg, Unified2Config *config, Event *event) +static void _AlertIP4_NG(Packet *p, char *msg, Unified2Config *config, Event *event, PESessionRecord *session) { Serial_Unified2_Header hdr; - SerialUnified2ExtraData alertdata; - Unified2ExtraDataHdr alertHdr; - uint32_t iplen = 0; - uint8_t write_buffer[MAX_XFF_WRITE_BUF_LENGTH]; - uint8_t *write_end = NULL; - uint8_t *ptr = NULL; - sfip_t *true_ip = NULL; - - - uint32_t write_len; + Unified2IDSEventNG alertdata; + tSfPolicyId policy_id; + SnortPolicy *policy = NULL; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEventNG); - if(p) - { - true_ip = GetTrueIPForSession(p); - if(!true_ip) - return; - } - else - return; - - write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2ExtraDataHdr); + memset(&alertdata, 0, sizeof(alertdata)); - alertdata.sensor_id = 0; alertdata.event_id = htonl(event->event_id); alertdata.event_second = htonl(event->ref_time.tv_sec); - alertdata.data_type = htonl(EVENT_DATA_TYPE_BLOB); + alertdata.event_microsecond = htonl(event->ref_time.tv_usec); + alertdata.generator_id = htonl(event->sig_generator); + alertdata.signature_id = htonl(event->sig_id); + alertdata.signature_revision = htonl(event->sig_rev); + alertdata.classification_id = htonl(event->classification); + alertdata.priority_id = htonl(event->priority); -#ifdef SUP_IP6 - if(true_ip->family == AF_INET6) + if(p) { - alertdata.type = htonl(EVENT_INFO_XFF_IPV6); - iplen = sizeof(struct in6_addr); /*ipv6 address size in bytes*/ + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) + { + alertdata.blocked = 
U2_BLOCKED_FLAG_WDROP; + } - } - else + if(IPH_IS_VALID(p)) + { + alertdata.ip_source = p->iph->ip_src.s_addr; + alertdata.ip_destination = p->iph->ip_dst.s_addr; + alertdata.protocol = GET_IPH_PROTO(p); + + if ((alertdata.protocol == IPPROTO_ICMP) && p->icmph) + { + alertdata.sport_itype = htons(p->icmph->type); + alertdata.dport_icode = htons(p->icmph->code); + } + else if (alertdata.protocol != 255) + { + alertdata.sport_itype = htons(p->sp); + alertdata.dport_icode = htons(p->dp); + } + +#ifdef MPLS + if((p->mpls) && (config->mpls_event_types)) + { + alertdata.mpls_label = htonl(p->mplsHdr.label); + } #endif - { - alertdata.type = htonl(EVENT_INFO_XFF_IPV4); - iplen = sizeof(struct in_addr); /*ipv4 address size in bytes*/ - } + if(config->vlan_event_types) + { + if(p->vh) + { + alertdata.vlanId = htons(VTH_VLAN(p->vh)); + } - alertdata.blob_length = htonl(sizeof(alertdata.data_type) + - sizeof(alertdata.blob_length) + iplen); /* 8 = sizeof(alertdata.data_type) + sizeof(alertdata.blob_length) */ + } + } - write_len = write_len + sizeof(alertdata) + iplen; - alertHdr.event_type = htonl(EVENT_TYPE_EXTRA_DATA); - alertHdr.event_length = htonl(write_len - sizeof(Serial_Unified2_Header)); + policy_id = getRuntimePolicy(); + if(policy_id == getDefaultPolicy()) + { + if(snort_conf->base_version) + { + UUIDPack(alertdata.policy_uuid, snort_conf->base_version, sizeof(alertdata.policy_uuid)); + } + } + else + { + policy = snort_conf->targeted_policies[policy_id]; + + if(policy && policy->policy_version) + UUIDPack(alertdata.policy_uuid, policy->policy_version, sizeof(alertdata.policy_uuid)); + } + + alertdata.user_id = htonl(session->userId); + alertdata.web_application_id = htonl(session->webAppId); + alertdata.client_application_id = htonl(session->clientId); + alertdata.application_protocol_id = htonl(session->appProtoId); + alertdata.policyengine_rule_id = htonl(session->policyengine_ruleId); + memcpy(alertdata.policyengine_policy_uuid, session->policyRevision, 
sizeof(alertdata.policyengine_policy_uuid)); + memcpy(alertdata.interface_ingress_uuid, session->ingressIntf, sizeof(alertdata.interface_ingress_uuid)); + memcpy(alertdata.interface_egress_uuid, session->egressIntf, sizeof(alertdata.interface_egress_uuid)); + memcpy(alertdata.security_zone_ingress_uuid, session->ingressZone, sizeof(alertdata.security_zone_ingress_uuid)); + memcpy(alertdata.security_zone_egress_uuid, session->egressZone, sizeof(alertdata.security_zone_egress_uuid)); + + } - if ((config->current + write_len) > config->limit) Unified2RotateFile(config); - hdr.length = htonl(write_len - sizeof(Serial_Unified2_Header)); - hdr.type = htonl(UNIFIED2_EXTRA_DATA); - - write_end = write_buffer+sizeof(write_buffer); - - ptr = write_buffer; + hdr.length = htonl(sizeof(Unified2IDSEventNG)); + hdr.type = htonl(UNIFIED2_IDS_EVENT_NG); - if (SafeMemcpy(ptr, &hdr, sizeof(hdr), - write_buffer, write_end) != SAFEMEM_SUCCESS) + if (SafeMemcpy(write_pkt_buffer_ng, &hdr, sizeof(Serial_Unified2_Header), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - ptr = ptr + sizeof(hdr); - - if (SafeMemcpy(ptr, &alertHdr, sizeof(alertHdr), - write_buffer, write_end) != SAFEMEM_SUCCESS) + if (SafeMemcpy(write_pkt_buffer_ng + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Unified2IDSEventNG), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy Unified2ExtraDataHdr. " + ErrorMessage("%s(%d) Failed to copy Unified2IDSEventNG. 
" "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - ptr = ptr + sizeof(alertHdr); - - if (SafeMemcpy(ptr, &alertdata, sizeof(alertdata), - write_buffer, write_end) != SAFEMEM_SUCCESS) + Unified2Write(write_pkt_buffer_ng, write_len, config); +} + +static void _AlertIP6_NG(Packet *p, char *msg, Unified2Config *config, Event *event, PESessionRecord *session) +{ +#ifdef SUP_IP6 + Serial_Unified2_Header hdr; + Unified2IDSEventIPv6_NG alertdata; + tSfPolicyId policy_id; + SnortPolicy *policy = NULL; + uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2IDSEventIPv6_NG); + + memset(&alertdata, 0, sizeof(alertdata)); + + alertdata.event_id = htonl(event->event_id); + alertdata.event_second = htonl(event->ref_time.tv_sec); + alertdata.event_microsecond = htonl(event->ref_time.tv_usec); + alertdata.generator_id = htonl(event->sig_generator); + alertdata.signature_id = htonl(event->sig_id); + alertdata.signature_revision = htonl(event->sig_rev); + alertdata.classification_id = htonl(event->classification); + alertdata.priority_id = htonl(event->priority); + + if(p) { - ErrorMessage("%s(%d) Failed to copy SerialUnified2ExtraData. 
" - "Not writing unified2 event.\n", __FILE__, __LINE__); - return; + if ( Active_PacketWasDropped() ) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else if ( Active_PacketWouldBeDropped() ) + { + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } + + if(IPH_IS_VALID(p)) + { + snort_ip_p ip; + + ip = GET_SRC_IP(p); + alertdata.ip_source = *(struct in6_addr*)ip->ip32; + + ip = GET_DST_IP(p); + alertdata.ip_destination = *(struct in6_addr*)ip->ip32; + + alertdata.protocol = GET_IPH_PROTO(p); + + if ((alertdata.protocol == IPPROTO_ICMP) && p->icmph) + { + alertdata.sport_itype = htons(p->icmph->type); + alertdata.dport_icode = htons(p->icmph->code); + } + else if (alertdata.protocol != 255) + { + alertdata.sport_itype = htons(p->sp); + alertdata.dport_icode = htons(p->dp); + } + +#ifdef MPLS + if((p->mpls) && (config->mpls_event_types)) + { + alertdata.mpls_label = htonl(p->mplsHdr.label); + } +#endif + if(config->vlan_event_types) + { + if(p->vh) + { + alertdata.vlanId = htons(VTH_VLAN(p->vh)); + } + + } + + } + + policy_id = getRuntimePolicy(); + if(policy_id == getDefaultPolicy()) + { + if(snort_conf->base_version) + UUIDPack(alertdata.policy_uuid, snort_conf->base_version, sizeof(alertdata.policy_uuid)); + } + else + { + policy = snort_conf->targeted_policies[policy_id]; + + if(policy && policy->policy_version) + UUIDPack(alertdata.policy_uuid, policy->policy_version, sizeof(alertdata.policy_uuid)); + } + + alertdata.user_id = htonl(session->userId); + alertdata.web_application_id = htonl(session->webAppId); + alertdata.client_application_id = htonl(session->clientId); + alertdata.application_protocol_id = htonl(session->appProtoId); + alertdata.policyengine_rule_id = htonl(session->policyengine_ruleId); + memcpy(alertdata.policyengine_policy_uuid, session->policyRevision, sizeof(alertdata.policyengine_policy_uuid)); + memcpy(alertdata.interface_ingress_uuid, session->ingressIntf, 
sizeof(alertdata.interface_ingress_uuid)); + memcpy(alertdata.interface_egress_uuid, session->egressIntf, sizeof(alertdata.interface_egress_uuid)); + memcpy(alertdata.security_zone_ingress_uuid, session->ingressZone, sizeof(alertdata.security_zone_ingress_uuid)); + memcpy(alertdata.security_zone_egress_uuid, session->egressZone, sizeof(alertdata.security_zone_egress_uuid)); } - ptr = ptr + sizeof(alertdata); + if ((config->current + write_len) > config->limit) + Unified2RotateFile(config); - if (SafeMemcpy(ptr, true_ip->ip8, iplen, - write_buffer, write_end) != SAFEMEM_SUCCESS) + hdr.length = htonl(sizeof(Unified2IDSEventIPv6_NG)); + hdr.type = htonl(UNIFIED2_IDS_EVENT_IPV6_NG); + + if (SafeMemcpy(write_pkt_buffer_ng, &hdr, sizeof(Serial_Unified2_Header), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) { - ErrorMessage("%s(%d) Failed to copy SerialUnified2ExtraData. " - "Not writing unified2 event.\n", __FILE__, __LINE__); + ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " + "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - Unified2Write(write_buffer, write_len, config); + if (SafeMemcpy(write_pkt_buffer_ng + sizeof(Serial_Unified2_Header), + &alertdata, sizeof(Unified2IDSEventIPv6_NG), + write_pkt_buffer_ng, write_pkt_end_ng) != SAFEMEM_SUCCESS) + { + ErrorMessage("%s(%d) Failed to copy Unified2IDSEventIPv6_NG. 
" + "Not writing unified2 event.\n", __FILE__, __LINE__); + return; + } + Unified2Write(write_pkt_buffer_ng, write_len, config); +#endif } - - -#ifdef ZLIB -static INLINE void _AlertGzipData(Packet *p, char *msg, Unified2Config *config, Event *event) +void _WriteExtraData(Unified2Config *config, uint32_t event_id, uint32_t event_second, uint8_t *buffer, uint32_t len, uint32_t type ) { + Serial_Unified2_Header hdr; SerialUnified2ExtraData alertdata; Unified2ExtraDataHdr alertHdr; - uint8_t write_buffer[MAX_GZIP_WRITE_BUF_LEN]; + uint8_t write_buffer[MAX_XDATA_WRITE_BUF_LEN]; uint8_t *write_end = NULL; uint8_t *ptr = NULL; - - uint32_t write_len; - if(!(p->packet_flags & PKT_ALT_DECODE)) - { - return; - } - + uint32_t write_len; + write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2ExtraDataHdr); alertdata.sensor_id = 0; - alertdata.event_id = htonl(event->event_id); - alertdata.event_second = htonl(event->ref_time.tv_sec); + alertdata.event_id = htonl(event_id); + alertdata.event_second = htonl(event_second); alertdata.data_type = htonl(EVENT_DATA_TYPE_BLOB); - alertdata.type = htonl(EVENT_INFO_GZIP_DATA); - alertdata.blob_length = htonl(sizeof(alertdata.data_type) + - sizeof(alertdata.blob_length) + DecodeBuffer.len); + alertdata.type = htonl(type); + alertdata.blob_length = htonl(sizeof(alertdata.data_type) + + sizeof(alertdata.blob_length) + len); - write_len = write_len + sizeof(alertdata) + DecodeBuffer.len; + write_len = write_len + sizeof(alertdata) + len; alertHdr.event_type = htonl(EVENT_TYPE_EXTRA_DATA); alertHdr.event_length = htonl(write_len - sizeof(Serial_Unified2_Header)); - + if ((config->current + write_len) > config->limit) Unified2RotateFile(config); 
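Review bot: UUIDPack's two branches do not write the same bytes into the 16-byte policy_uuid field: with HAVE_LIBUUID `uuid_parse` stores the binary UUID (and its return value is never checked, so a malformed policy_version presumably just leaves the memset'd zeroes behind), while the fallback `strncpy((char *)policy_uuid, str, size)` stores the first 16 characters of the text form, so a unified2 consumer cannot tell from the record which encoding it received. I would at least check the result, `if (uuid_parse(str, policy_uuid) != 0) memset(policy_uuid, 0, size);`, and put a comment on UUIDPack saying that the non-libuuid build emits a truncated ASCII UUID rather than a parsed one. The policy lookup and the five `memcpy(alertdata.*_uuid, session->*, sizeof(...))` calls that follow it are duplicated verbatim between _AlertIP4_NG and _AlertIP6_NG; a small static helper taking the uuid/session fields would keep the two paths from drifting. `snort_conf->targeted_policies[policy_id]` is indexed without a visible range check, which is only safe if getRuntimePolicy() is guaranteed to return an in-range id.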
@@ -835,14 +994,14 @@ ptr = write_buffer; - if (SafeMemcpy(ptr, &hdr, sizeof(hdr), + if (SafeMemcpy(ptr, &hdr, sizeof(hdr), write_buffer, write_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " "Not writing unified2 event.\n", __FILE__, __LINE__); return; } - + ptr = ptr + sizeof(hdr); if (SafeMemcpy(ptr, &alertHdr, sizeof(alertHdr), @@ -854,7 +1013,7 @@ } ptr = ptr + sizeof(alertHdr); - + if (SafeMemcpy(ptr, &alertdata, sizeof(alertdata), write_buffer, write_end) != SAFEMEM_SUCCESS) { @@ -865,7 +1024,7 @@ ptr = ptr + sizeof(alertdata); - if (SafeMemcpy(ptr, DecodeBuffer.data, DecodeBuffer.len, + if (SafeMemcpy(ptr, buffer, len, write_buffer, write_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Gzip Decompressed Buffer. " 
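Review bot: The error message on the last context line, `Failed to copy Gzip Decompressed Buffer`, is now misleading: the copy source was changed from DecodeBuffer to the generic `buffer, len` parameters, so this path is hit for any extra-data type, not just gzip. I would change it to `ErrorMessage("%s(%d) Failed to copy extra data buffer. "` so an operator is not sent looking at the gzip decoder. This SafeMemcpy also appears to be the only place a caller-supplied `len` is checked against write_buffer, so an oversized blob is rejected only after the record length and headers have been built from it; an explicit early comparison of `len` against the free space in write_buffer would be clearer. The enclosing function begins and ends outside this hunk.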
@@ -875,57 +1034,115 @@ Unified2Write(write_buffer, write_len, config); } -#endif +void AlertExtraDataPerPacket(void *ssnptr, void *data, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second) +{ + LogFunction *log_funcs; + uint32_t max_count; + + max_count = stream_api->get_xtra_data_map(&log_funcs); -static INLINE void _AlertExtraData(Packet *p, char *msg, Unified2Config *config, Event *event) + if(max_count > 0) + { + AlertExtraData(ssnptr, data, log_funcs, max_count, xtradata_mask, event_id, event_second); + } +} +void AlertExtraData(void *ssnptr, void *data, LogFunction *log_funcs, uint32_t max_count, uint32_t xtradata_mask, uint32_t event_id, uint32_t event_second) { - if( p->data_flags & DATA_FLAGS_TRUE_IP) - _AlertXFFData(p, msg, config, event); -#ifndef SOURCEFIRE -#ifdef ZLIB - if(p->data_flags & DATA_FLAGS_GZIP) - _AlertGzipData(p, msg, config, event); -#endif -#endif + Unified2Config *config = (Unified2Config *)data; + uint32_t type = 0; + uint32_t len = 0; + uint8_t *write_buffer; + uint32_t i = 0; + + if((config == NULL) || !xtradata_mask || !event_second) + return; + + while( i < max_count ) + { + if( xtradata_mask & (1 << i) ) + { + if((*(log_funcs[i]))(ssnptr, &write_buffer,&len,&type)) + { + if(len > 0) + _WriteExtraData(config, event_id, event_second, write_buffer, len, type); + } + } + i++; + } + } static void Unified2LogAlert(Packet *p, char *msg, void *arg, Event *event) { Unified2Config *config = (Unified2Config *)arg; + PESessionRecord *session = NULL; if (config == NULL) return; if(!event) return; + if(p->policyEngineData) + { + session = (PESessionRecord*)(p->policyEngineData); + } if(IS_IP4(p)) { + if(session) + _AlertIP4_NG(p, msg, config, event, session); + else + { #ifdef MPLS - if((config->vlan_event_types) || (config->mpls_event_types)) + if((config->vlan_event_types) || (config->mpls_event_types)) #else - if(config->vlan_event_types) + if(config->vlan_event_types) #endif - { - _AlertIP4_v2(p, msg, config, event); + { + 
_AlertIP4_v2(p, msg, config, event); + } + else + _AlertIP4(p, msg, config, event); } - else - _AlertIP4(p, msg, config, event); - } - else + } + else { + if(session) + _AlertIP6_NG(p, msg, config, event, session); + else + { #ifdef MPLS - if((config->vlan_event_types) || (config->mpls_event_types)) + if((config->vlan_event_types) || (config->mpls_event_types)) #else - if(config->vlan_event_types) + if(config->vlan_event_types) #endif + { + _AlertIP6_v2(p, msg, config, event); + } + else + _AlertIP6(p, msg, config, event); + } + +#ifdef SUP_IP6 + if(ScLogIPv6Extra() && IS_IP6(p)) { - _AlertIP6_v2(p, msg, config, event); + snort_ip_p ip = GET_SRC_IP(p); + _WriteExtraData(config, event->event_id, event->ref_time.tv_sec, + &ip->ip8[0], sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC); + ip = GET_DST_IP(p); + _WriteExtraData(config, event->event_id, event->ref_time.tv_sec, + &ip->ip8[0], sizeof(struct in6_addr), EVENT_INFO_IPV6_DST); } - else - _AlertIP6(p, msg, config, event); +#endif } - - _AlertExtraData(p, msg, config, event); + + if(p->ssnptr) + { + stream_api->log_session_extra_data(p->ssnptr, p, event->sig_generator, event->sig_id, event->event_id, event->ref_time.tv_sec); + + if(p->per_packet_xtradata) + AlertExtraDataPerPacket(p->ssnptr, config, p->per_packet_xtradata, event->event_id, event->ref_time.tv_sec); + } + return; } @@ -937,15 +1154,15 @@ if (config == NULL) return; - if(p) + if(p) { if ((p->packet_flags & PKT_REBUILT_STREAM) && stream_api) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Reassembled packet, dumping stream packets\n");); _Unified2LogStreamAlert(p, msg, config, event); } - else + else { DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Logging unified 2 packets...\n");); _Unified2LogPacketAlert(p, msg, config, event); 
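Review bot: The new tail of Unified2LogAlert dereferences `stream_api` unconditionally (`stream_api->log_session_extra_data(...)` and, via AlertExtraDataPerPacket, `stream_api->get_xtra_data_map`) whenever `p->ssnptr` is set, while the very next hunk keeps the file's existing `&& stream_api` guard on the reassembled-stream path. If a session pointer can be present without the stream API registered this is a NULL dereference; `if(p->ssnptr && stream_api)` follows the surrounding convention. In AlertExtraData the test `xtradata_mask & (1 << i)` runs i up to `max_count`, which is whatever get_xtra_data_map returns; if that can ever exceed 31 the shift is undefined, so either clamp `max_count` to 32 or document the bound on the callback registry. `len` and `type` are also not reset between iterations, so a log function that returns non-zero without setting them reuses the previous callback's values.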
@@ -953,12 +1170,12 @@ } } -static void _Unified2LogPacketAlert(Packet *p, char *msg, +static void _Unified2LogPacketAlert(Packet *p, char *msg, Unified2Config *config, Event *event) -{ +{ Serial_Unified2_Header hdr; Serial_Unified2Packet logheader; - uint32_t pkt_length = 0; + uint32_t pkt_length = 0; uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2Packet) - 4; logheader.sensor_id = 0; @@ -1019,7 +1236,7 @@ hdr.length = htonl(sizeof(Serial_Unified2Packet) - 4 + pkt_length); hdr.type = htonl(UNIFIED2_PACKET); - if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), + if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS) { ErrorMessage("%s(%d) Failed to copy Serial_Unified2_Header. " @@ -1108,7 +1325,7 @@ Unified2Write(write_pkt_buffer, write_len, unifiedData->config); -#if 0 +#if 0 /* DO NOT DO THIS FOR UNIFIED2. * The event referenced below in the unifiedData is a pointer * to the actual event and this changes its gid & sid to 2:1. @@ -1122,7 +1339,7 @@ unifiedData->event->sig_rev = 1; unifiedData->event->classification = 0; unifiedData->event->priority = unifiedData->event->priority; - /* Note that event_id is now incorrect. + /* Note that event_id is now incorrect. * See OldUnified2LogPacketAlert() for details. */ } #endif @@ -1271,9 +1488,9 @@ /* * Function: Unified2ParseArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list 
@@ -1304,9 +1521,9 @@ char *index = toks[i]; while(isspace((int)*index)) ++index; - + stoks = mSplit(index, " \t", 2, &num_stoks, 0); - + if(strcasecmp("filename", stoks[0]) == 0) { if(num_stoks > 1 && config->base_filename == NULL) @@ -1368,7 +1585,7 @@ } else if (config->limit > 512) { - LogMessage("spo_unified2 %s(%d)=> Lowering limit of %iMB to 512MB\n", + LogMessage("spo_unified2 %s(%d)=> Lowering limit of %iMB to 512MB\n", file_name, file_line, config->limit); config->limit = 512; } @@ -1425,6 +1642,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Restart\n");); + log_config = alert_config = NULL; /* free up initialized memory */ if (config != NULL) { @@ -1442,12 +1660,26 @@ static void Unified2AlertInit(char *args) { Unified2Config *config; + int signal = 0; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified2 Alert Initialized\n");); /* parse the argument list from the rules file */ config = Unified2ParseArgs(args, "snort-unified.alert"); + alert_config = config; + + if(log_config && log_config->base_filename) + { + if(strcmp(config->base_filename, log_config->base_filename) == 0) + { + Unified2CleanExit(signal , (void *)log_config); + Unified2CleanExit(signal, (void *)config); + FatalError("Argument Error in %s(%i). Cannot reuse the filename in config option '%s'\n", + file_name, file_line, "alert_unified2"); + } + } + /* Set the preprocessor function into the function list */ AddFuncToOutputList(Unified2LogAlert, OUTPUT_TYPE__ALERT, config); AddFuncToCleanExitList(Unified2CleanExit, config); 
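Review bot: The reuse check guards `log_config->base_filename` against NULL but passes `config->base_filename` straight into strcmp; either both can be NULL after Unified2ParseArgs or neither can, so it should read `if(log_config && log_config->base_filename && config->base_filename)` or drop the first guard. The comparison is purely textual: the sibling spo_unified.c InitOutputFile later in this diff prefixes relative names with `snort_conf->log_dir` at open time, and if spo_unified2 does the same (not visible here) then `filename x` and `filename <log_dir>/x` pass this check and still collide on disk. The local `int signal = 0;` exists only to be passed to Unified2CleanExit; passing the literal `0` with a one-line comment on why a clean-exit handler is invoked from an init function would read more directly.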
@@ -1459,12 +1691,26 @@ static void Unified2LogInit(char *args) { Unified2Config *config; + int signal = 0; DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified2 Log Initialized\n");); /* parse the argument list from the rules file */ config = Unified2ParseArgs(args, "snort-unified.log"); + log_config = config; + + if(alert_config && alert_config->base_filename) + { + if(strcmp(config->base_filename, alert_config->base_filename) == 0) + { + Unified2CleanExit(signal, (void *)alert_config); + Unified2CleanExit(signal, (void *)config); + FatalError("Argument Error in %s(%i). Cannot reuse the filename in config option '%s'\n", + file_name, file_line, "log_unified2"); + } + } + //LogMessage("Unified2LogFilename = %s\n", Unified2Info->filename); /* Set the preprocessor function into the function list */ @@ -1485,7 +1731,7 @@ * writes sometimes fail and leave the unified2 file corrupted. If the write * to the newly created unified2 file fails, Snort will fatal error. * - * In the case of interrupt errors, the write is retried, but only for a + * In the case of interrupt errors, the write is retried, but only for a * finite number of times. * * All other errors are treated as non-recoverable and Snort will fatal error. @@ -1524,7 +1770,7 @@ int max_retries = 3; /* On iterations other than the first, the only non-zero error will be - * EINTR or interrupt. Only iterate a maximum of max_retries times so + * EINTR or interrupt. Only iterate a maximum of max_retries times so * there is no chance of infinite looping if for some reason the write * is constantly interrupted */ while ((error != 0) && (max_retries != 0)) diff -Nru snort-2.9.0.1/src/output-plugins/spo_unified2.h snort-2.9.2/src/output-plugins/spo_unified2.h --- snort-2.9.0.1/src/output-plugins/spo_unified2.h 2010-06-09 15:05:20.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_unified2.h 2011-11-21 12:15:24.000000000 -0800 
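Review bot: On a collision this hunk calls `Unified2CleanExit` on `alert_config`, which Unified2AlertInit has already registered with AddFuncToCleanExitList, and then leaves both `alert_config` and `log_config` pointing at memory that handler presumably freed before calling FatalError. If FatalError runs the clean-exit list or a restart path on the way out (not visible here), that is a double free of the alert config. Clearing the globals first, `log_config = alert_config = NULL;` as the restart hunk does, makes the fatal path safe regardless of what FatalError does. The mirror check in Unified2AlertInit has the same shape.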
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -33,6 +33,39 @@ #include "decode.h" /* for struct in6_addr -- maybe move to sf_types.h? */ #include "sf_types.h" +typedef struct _PESessionEndRecord +{ + uint32_t sensorId; + uint8_t ingressZone[16]; + uint8_t egressZone[16]; + uint8_t ingressIntf[16]; + uint8_t egressIntf[16]; + uint8_t initiatorIp[16]; + uint8_t responderIp[16]; + uint8_t policyRevision[16]; + uint32_t policyengine_ruleId; + uint32_t policyengine_ruleAction; + uint16_t initiatorPort; + uint16_t responderPort; + uint16_t tcpFlags; + uint8_t protocol; + uint8_t padding; + uint8_t netflowSource[16]; + uint32_t firstPktsecond; + uint32_t lastPktsecond; + uint64_t initiatorPkts; + uint64_t responderPkts; + uint64_t initiatorBytes; + uint64_t responderBytes; + uint32_t appProtoId; + uint32_t webAppId; + uint32_t userId; + uint32_t urlCategory; + uint32_t urlReputation; + uint32_t clientId; + +} PESessionRecord; + void Unified2Setup(void); #endif /* __SPO_UNIFIED_H__ */ diff -Nru snort-2.9.0.1/src/output-plugins/spo_unified.c snort-2.9.2/src/output-plugins/spo_unified.c --- snort-2.9.0.1/src/output-plugins/spo_unified.c 2010-06-09 15:05:20.000000000 -0700 +++ snort-2.9.2/src/output-plugins/spo_unified.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Copyright (C) 1998-2005 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,14 +20,14 @@ /* $Id$ */ -/* spo_unified - * +/* spo_unified + * * Purpose: * * This plugin generates the new unified alert and logging formats * * Arguments: - * + * * filename of the alert and log spools * * Effect: 
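Review bot: PESessionRecord is declared with no comment saying where it comes from or what its fields mean, yet spo_unified2.c copies its 16-byte arrays straight into the on-disk event record; I would add a header comment stating that this is the layout behind `p->policyEngineData` filled in by the policy engine and that the *Zone, *Intf and policyRevision arrays are 16 raw UUID bytes, not text. The tag `_PESessionEndRecord` and the typedef `PESessionRecord` disagree on whether this is an end-of-session record; pick one name. If this layout is ever shared across a boundary (file, socket, shared memory), note in the comment that the explicit `uint8_t padding` does not make it padding-free: the fields before `initiatorPkts` sum to 156 bytes, so an ABI that 8-aligns uint64_t inserts four more bytes there.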
@@ -61,12 +61,13 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "event.h" #include "generators.h" -#include "bounds.h" +#include "snort_bounds.h" #include "sfdaq.h" +#include "detect.h" #include "snort.h" #include "pcap_pkthdr32.h" @@ -80,14 +81,11 @@ #define SNORT_VERSION_MAJOR 1 #define SNORT_VERSION_MINOR 2 -/* From fpdetect.c, for logging reassembled packets */ -extern uint16_t event_id; - /* file header for snort unified format log files * * Identical to pcap file header, used for portability where the libpcap * might not be used after the pa_engine code becomes available - */ + */ typedef struct _UnifiedLogFileHeader { uint32_t magic; @@ -107,10 +105,10 @@ uint32_t timezone; } UnifiedAlertFileHeader; -/* unified log packet header format +/* unified log packet header format * - * One of these per packet in the log file, the packets are appended in the - * file after each UnifiedLog header (extended pcap format) + * One of these per packet in the log file, the packets are appended in the + * file after each UnifiedLog header (extended pcap format) */ typedef struct _UnifiedLog { 
@@ -192,11 +190,11 @@ static void UnifiedRotateFile(UnifiedConfig *); static void UnifiedLogAlert(Packet *, char *, void *, Event *); static void UnifiedLogPacketAlert(Packet *, char *, void *, Event *); -static void RealUnifiedLogAlert(Packet *, char *, void *, Event *, +static void RealUnifiedLogAlert(Packet *, char *, void *, Event *, DataHeader *); -static void RealUnifiedLogAlert6(Packet *, char *, void *, Event *, +static void RealUnifiedLogAlert6(Packet *, char *, void *, Event *, DataHeader *); -static void RealUnifiedLogPacketAlert(Packet *, char *, void *, Event *, +static void RealUnifiedLogPacketAlert(Packet *, char *, void *, Event *, DataHeader *); static void RealUnifiedLogStreamAlert(Packet *,char *,void *,Event *,DataHeader *); static void UnifiedRotateFile(UnifiedConfig *data); @@ -218,13 +216,13 @@ /* Used for buffering header and payload of unified records so only one * write is necessary. */ -static char write_pkt_buffer[sizeof(DataHeader) + +static char write_pkt_buffer[sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET]; /* * Function: SetupUnified() * - * Purpose: Registers the output plugin keyword and initialization + * Purpose: Registers the output plugin keyword and initialization * function into the output plugin list. This is the function that * gets called from InitOutputPlugins() in plugbase.c. * @@ -235,7 +233,7 @@ */ void UnifiedSetup(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ RegisterOutputPlugin("log_unified", OUTPUT_TYPE_FLAG__LOG, UnifiedLogInit); RegisterOutputPlugin("alert_unified", OUTPUT_TYPE_FLAG__ALERT, UnifiedAlertInit); 
@@ -278,9 +276,9 @@ /* * Function: InitOutputFile() * - * Purpose: Initialize the unified ouput file + * Purpose: Initialize the unified ouput file * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ @@ -297,21 +295,21 @@ if(data == NULL) FatalError("SpoUnified: Unable to get context data\n"); - if(data->nostamp) + if(data->nostamp) { if(*(data->filename) == '/') value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, data->filename); } - else + else { if(*(data->filename) == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, + value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)curr_time); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)curr_time); } @@ -347,24 +345,24 @@ void UnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event) { DataHeader dHdr; - + /* check for a pseudo-packet, we don't want to log those */ if(IS_IP4(p)) { dHdr.type = UNIFIED_TYPE_ALERT; dHdr.length = sizeof(UnifiedAlert); - + RealUnifiedLogAlert(p, msg, arg, event, &dHdr); } else { dHdr.type = UNIFIED_TYPE_IPV6_ALERT; dHdr.length = sizeof(UnifiedIPv6Alert); - + RealUnifiedLogAlert6(p, msg, arg, event, &dHdr); } } - + static int UnifiedFirstPacketCallback(DAQ_PktHdr_t *pkth, uint8_t *packet_data, void *userdata) { 
@@ -375,13 +373,13 @@ { alertdata->ts.tv_sec = (uint32_t)pkth->ts.tv_sec; alertdata->ts.tv_usec = (uint32_t)pkth->ts.tv_usec; - } + } /* return non-zero so we only do this once */ return 1; } -static void RealUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event, +static void RealUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr) { UnifiedConfig *data = (UnifiedConfig *)arg; @@ -407,10 +405,10 @@ { alertdata.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; alertdata.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; - + if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata); @@ -438,7 +436,7 @@ alertdata.flags = p->packet_flags; } } - + /* backward compatibility stuff */ if(dHdr == NULL) { @@ -457,7 +455,7 @@ FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += sizeof(DataHeader); } - + if(fwrite((char *)&alertdata, sizeof(UnifiedAlert), 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); @@ -466,7 +464,7 @@ data->current += sizeof(UnifiedAlert); } -static void RealUnifiedLogAlert6(Packet *p, char *msg, void *arg, Event *event, +static void RealUnifiedLogAlert6(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr) { UnifiedConfig *data = (UnifiedConfig *)arg; @@ -492,10 +490,10 @@ { alertdata.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; alertdata.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; - + if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata); 
@@ -523,7 +521,7 @@ alertdata.flags = p->packet_flags; } } - + /* backward compatibility stuff */ if(dHdr == NULL) { @@ -542,7 +540,7 @@ FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += sizeof(DataHeader); } - + if(fwrite((char *)&alertdata, sizeof(UnifiedIPv6Alert), 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); @@ -557,10 +555,10 @@ DataHeader dHdr; dHdr.type = UNIFIED_TYPE_PACKET_ALERT; dHdr.length = sizeof(UnifiedLog); - + if(p->packet_flags & PKT_REBUILT_STREAM) { - DEBUG_WRAP(DebugMessage(DEBUG_LOG, + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Reassembled packet, dumping stream packets\n");); RealUnifiedLogStreamAlert(p, msg, arg, event, &dHdr); } @@ -608,10 +606,10 @@ { logheader.flags = p->packet_flags; - /* + /* * this will have to be fixed when we transition to the pa_engine * code (p->pkth is libpcap specific) - */ + */ logheader.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; logheader.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; logheader.pkth.caplen = p->pkth->caplen; 
@@ -626,53 +624,53 @@ logheader.pkth.caplen = 0; logheader.pkth.len = 0; } - + /* backward compatibility stuff */ if(dHdr == NULL) { - if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > + if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit) UnifiedLogRotateFile(data); } else - { - if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + { + if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + logheader.pkth.caplen) > data->limit) UnifiedRotateFile(data); } if(dHdr) { SafeMemcpy(write_pkt_buffer, dHdr, sizeof(DataHeader), - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); data->current += sizeof(DataHeader); offset = sizeof(DataHeader); } - + SafeMemcpy(write_pkt_buffer + offset, &logheader, sizeof(UnifiedLog), - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); data->current += sizeof(UnifiedLog); offset += sizeof(UnifiedLog); - + if(p) { SafeMemcpy(write_pkt_buffer + offset, p->pkt, p->pkth->caplen, - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); - if(fwrite(write_pkt_buffer, offset + p->pkth->caplen, + if(fwrite(write_pkt_buffer, offset + p->pkth->caplen, 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); data->current += p->pkth->caplen; } - else + else { - if(fwrite(write_pkt_buffer, sizeof(DataHeader) + + if(fwrite(write_pkt_buffer, sizeof(DataHeader) + sizeof(UnifiedLog), 1, data->stream) != 1) FatalError("SpoUnified: write failed: %s\n", strerror(errno)); } 
@@ -715,15 +713,15 @@ { if((unifiedData->data->current + sizeof(UnifiedLog)+ - unifiedData->logheader->pkth.caplen) > + unifiedData->logheader->pkth.caplen) > unifiedData->data->limit) { UnifiedLogRotateFile(unifiedData->data); } } else - { - if((unifiedData->data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + { + if((unifiedData->data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + unifiedData->logheader->pkth.caplen) > unifiedData->data->limit) UnifiedRotateFile(unifiedData->data); } @@ -739,9 +737,9 @@ unifiedData->data->current += sizeof(DataHeader); } - SafeMemcpy(write_pkt_buffer + offset, unifiedData->logheader, - sizeof(UnifiedLog), write_pkt_buffer, - write_pkt_buffer + sizeof(DataHeader) + + SafeMemcpy(write_pkt_buffer + offset, unifiedData->logheader, + sizeof(UnifiedLog), write_pkt_buffer, + write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); offset += sizeof(UnifiedLog); @@ -750,9 +748,9 @@ if(packet_data) { - SafeMemcpy(write_pkt_buffer + offset, packet_data, + SafeMemcpy(write_pkt_buffer + offset, packet_data, offset + unifiedData->logheader->pkth.caplen, - write_pkt_buffer, write_pkt_buffer + + write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET); if(fwrite(write_pkt_buffer, offset + unifiedData->logheader->pkth.caplen, @@ -761,7 +759,7 @@ unifiedData->data->current += unifiedData->logheader->pkth.caplen; } - else + else { if(fwrite(write_pkt_buffer, offset, 1, unifiedData->data->stream) != 1) @@ -776,7 +774,7 @@ unifiedData->logheader->event.sig_rev = 1; unifiedData->logheader->event.classification = 0; unifiedData->logheader->event.priority = unifiedData->event->priority; - /* Note that event_id is now incorrect. + /* Note that event_id is now incorrect. * See OldUnifiedLogPacketAlert() for details. */ } 
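Review bot: The SafeMemcpy in the @@ -750 hunk copies `offset + unifiedData->logheader->pkth.caplen` bytes from `packet_data` into `write_pkt_buffer + offset`, but `offset` already counts the DataHeader and UnifiedLog bytes staged earlier in the buffer, so the length should be the captured length alone: `SafeMemcpy(write_pkt_buffer + offset, packet_data, unifiedData->logheader->pkth.caplen, write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET);`. The non-stream writer in the @@ -626 hunk uses `p->pkth->caplen` by itself, and the fwrite two lines below correctly uses `offset + caplen` only because it writes from the start of the buffer. As written the source read runs `offset` bytes past the end of the captured packet data, and the bounds arguments passed to SafeMemcpy describe the destination buffer, not the source. The enclosing function starts and ends outside this hunk.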
@@ -806,7 +804,7 @@ logheader.event.priority = event->priority; logheader.event.event_id = event->event_id; logheader.event.event_reference = event->event_reference; - /* Note that ref_time is probably incorrect. + /* Note that ref_time is probably incorrect. * See OldUnifiedLogPacketAlert() for details. */ logheader.event.ref_time.tv_sec = event->ref_time.tv_sec; logheader.event.ref_time.tv_usec = event->ref_time.tv_usec; @@ -818,11 +816,11 @@ DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification); DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority); DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id); - DebugMessage(DEBUG_LOG, "erf: %u\n", + DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference); - DebugMessage(DEBUG_LOG, "sec: %lu\n", + DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec); - DebugMessage(DEBUG_LOG, "usc: %lu\n", + DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec);); } @@ -836,16 +834,16 @@ unifiedData.once = once; stream_api->traverse_reassembled(p, UnifiedLogStreamCallback, &unifiedData); } - + fflush(data->stream); } /* * Function: UnifiedParseArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -884,9 +882,9 @@ char *index = toks[i]; while(isspace((int)*index)) ++index; - + stoks = mSplit(index, " \t", 2, &num_stoks, 0); - + if(strcasecmp("filename", stoks[0]) == 0) { if(num_stoks > 1 && tmp->filename == NULL) @@ -908,7 +906,7 @@ } } else if(strcasecmp("nostamp", stoks[0]) == 0) - { + { tmp->nostamp = 1; } else 
@@ -916,7 +914,7 @@ LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); } - + mSplitFree(&stoks, num_stoks); } mSplitFree(&toks, num_toks); @@ -924,7 +922,7 @@ if(tmp->filename == NULL) tmp->filename = strdup(default_filename); - + //LogMessage("limit == %i\n", limit); if(limit <= 0) @@ -1017,7 +1015,7 @@ * * Purpose: Initialize the unified log alert file * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ @@ -1031,21 +1029,21 @@ bzero(logdir, STD_BUF); curr_time = time(NULL); - if(data->nostamp) + if(data->nostamp) { if(data->filename[0] == '/') value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, data->filename); } else { if(data->filename[0] == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, + value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)curr_time); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)curr_time); } @@ -1071,7 +1069,7 @@ { FatalError("UnifiedAlertInit(): %s\n", strerror(errno)); } - + fflush(data->stream); return; @@ -1141,7 +1139,7 @@ * * Purpose: Initialize the unified log file header * - * Arguments: data => pointer to the plugin's reference data struct + * Arguments: data => pointer to the plugin's reference data struct * * Returns: void function */ 
@@ -1165,16 +1163,16 @@ if(*(data->filename) == '/') value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s", snort_conf->log_dir, data->filename); } else { if(*(data->filename) == '/') - value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, + value = SnortSnprintf(logdir, STD_BUF, "%s.%u", data->filename, (uint32_t)curr_time); else - value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, + value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%u", snort_conf->log_dir, data->filename, (uint32_t)curr_time); } @@ -1255,18 +1253,18 @@ /* Set reference time equal to log time for the first packet */ if (unifiedData->first_time) - { + { unifiedData->logheader->event.ref_time.tv_sec = unifiedData->logheader->pkth.ts.tv_sec; unifiedData->logheader->event.ref_time.tv_usec = unifiedData->logheader->pkth.ts.tv_usec; - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", unifiedData->logheader->event.ref_time.tv_sec);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", unifiedData->logheader->event.ref_time.tv_usec);); } if(fwrite((char*)unifiedData->logheader,sizeof(UnifiedLog),1,unifiedData->data->stream) != 1) - FatalError("SpoUnified: write failed: %s\n", + FatalError("SpoUnified: write failed: %s\n", strerror(errno)); unifiedData->data->current += sizeof(UnifiedLog); @@ -1284,10 +1282,10 @@ FatalError("SpoUnified: write failed: %s\n", strerror(errno)); unifiedData->data->current += sizeof(EtherHdr); } - + if(fwrite((char*)packet_data,pkth->caplen,1, unifiedData->data->stream) != 1) - FatalError("SpoUnified: write failed: %s\n", + FatalError("SpoUnified: write failed: %s\n", strerror(errno)); unifiedData->data->current += pkth->caplen; 
@@ -1295,12 +1293,12 @@ /* after the first logged packet modify the event headers */ if (unifiedData->first_time) - { + { unifiedData->logheader->event.sig_generator = GENERATOR_TAG; unifiedData->logheader->event.sig_id = TAG_LOG_PKT; unifiedData->logheader->event.sig_rev = 1; unifiedData->logheader->event.classification = 0; - unifiedData->logheader->event.priority = unifiedData->event->priority; + unifiedData->logheader->event.priority = unifiedData->event->priority; unifiedData->first_time = 0; } @@ -1318,7 +1316,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function */ @@ -1342,19 +1340,19 @@ logheader.event.ref_time.tv_usec = event->ref_time.tv_usec; DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n");); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "gen: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sid: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "rev: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "cls: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "pri: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "eid: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id);); - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "erf: %u\n", + DEBUG_WRAP(DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference);); DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec);); 
@@ -1404,7 +1402,7 @@ logheader.pkth.len = 0; } - if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > + if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit) UnifiedLogRotateFile(data); @@ -1428,9 +1426,9 @@ } fflush(data->stream); - + data->current += sizeof(UnifiedLog); - + if(p && p->pkth) data->current += p->pkth->caplen; } diff -Nru snort-2.9.0.1/src/output-plugins/spo_unified.h snort-2.9.2/src/output-plugins/spo_unified.h --- snort-2.9.0.1/src/output-plugins/spo_unified.h 2010-01-26 10:10:10.000000000 -0800 +++ snort-2.9.2/src/output-plugins/spo_unified.h 2011-02-09 15:23:27.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/packet_time.c snort-2.9.2/src/packet_time.c --- snort-2.9.0.1/src/packet_time.c 2010-01-26 10:09:23.000000000 -0800 +++ snort-2.9.2/src/packet_time.c 2011-06-07 17:33:06.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
@@ -21,15 +21,19 @@ * @file packet_time.c * @author Chris Green <cmg@sourcefire.com> * @date Tue Jun 17 17:09:59 2003 - * + * * @brief Easily allow modules to have a gettimeofday() based on packet time - * + * * In many modules in snort, especially the rate detectors need to * work based off time values. It's very hard to reproduce time * constraints via pcap readbacks so we either have to throttle snort * or use the packet time. I choose the latter. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "packet_time.h" static time_t s_first_packet = 0; diff -Nru snort-2.9.0.1/src/packet_time.h snort-2.9.2/src/packet_time.h --- snort-2.9.0.1/src/packet_time.h 2010-01-26 10:09:23.000000000 -0800 +++ snort-2.9.2/src/packet_time.h 2011-02-09 15:22:50.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/parser/IpAddrSet.c snort-2.9.2/src/parser/IpAddrSet.c --- snort-2.9.0.1/src/parser/IpAddrSet.c 2010-01-26 10:10:10.000000000 -0800 +++ snort-2.9.2/src/parser/IpAddrSet.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /* - * Copyright (C) 2002-2010 Sourcefire, Inc. - * + * Copyright (C) 2002-2011 Sourcefire, Inc. + * * Author(s): Andrew R. Baker <andrewb@snort.org> * Martin Roesch <roesch@sourcefire.com> * @@ -10,7 +10,7 @@ * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 
@@ -48,7 +48,7 @@ #include "util.h" #include "mstring.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "snort.h" #include "sfPolicy.h" @@ -85,7 +85,7 @@ iplist = ipAddrSet->iplist; neglist = ipAddrSet->neg_iplist; - while(iplist) + while(iplist) { buffer[0] = '\0'; @@ -105,10 +105,10 @@ LogMessage("%s\n", buffer); iplist = iplist->next; - + } - while(neglist) + while(neglist) { buffer[0] = '\0'; @@ -141,7 +141,7 @@ if(!ipAddrSet) return NULL; newIpAddrSet = (IpAddrSet *)calloc(sizeof(IpAddrSet), 1); - if(!newIpAddrSet) + if(!newIpAddrSet) { goto failed; } @@ -159,7 +159,7 @@ if(!newIpAddrSet->iplist) newIpAddrSet->iplist = current; - + current->ip_addr = iplist->ip_addr; current->netmask = iplist->netmask; current->addr_flags = iplist->addr_flags; @@ -181,7 +181,7 @@ { goto failed; } - + if(!newIpAddrSet->neg_iplist) newIpAddrSet->neg_iplist = current; @@ -219,7 +219,7 @@ * * Arguments: char *addr => address string to convert * IpAddrSet * => - * + * * * Returns: 0 for normal addresses, 1 for an "any" address */ @@ -237,7 +237,7 @@ IpAddrNode *address_data = (IpAddrNode*)SnortAlloc(sizeof(IpAddrNode)); - if(!paddr || !ias) + if(!paddr || !ias) return 1; addr = paddr; @@ -253,13 +253,13 @@ /* check for wildcards */ if(!strcasecmp(addr, "any")) { - if(negate) + if(negate) { FatalError("%s(%d) => !any is not allowed\n", file_name, file_line); } - + /* Make first node 0, which matches anything */ - if(!ias->iplist) + if(!ias->iplist) { ias->iplist = (IpAddrNode*)SnortAlloc(sizeof(IpAddrNode)); } @@ -309,10 +309,10 @@ /* if second char is != '\0', it must be a digit * by Daniel B. Cid, dcid@sourcefire.com - */ + */ if((toks[1][1] != '\0')&&(!isdigit((int) toks[1][1]) )) nmask = -1; - + if((nmask > -1) && (nmask < 33)) { address_data->netmask = netmasks[nmask]; 
@@ -321,15 +321,15 @@ { FatalError("%s(%d): Invalid CIDR block for IP addr " "%s\n", file_name, file_line, addr); - + } } else { /* convert the netmask into its 32-bit value */ - /* broadcast address fix from - * Steve Beaty <beaty@emess.mscd.edu> + /* broadcast address fix from + * Steve Beaty <beaty@emess.mscd.edu> */ /* @@ -431,15 +431,15 @@ mSplitFree(&toks, num_toks); /* Add new IP address to address set */ - if(!negate) + if(!negate) { IpAddrNode *idx; - if(!ias->iplist) + if(!ias->iplist) { ias->iplist = address_data; } - else + else { /* Get to the end of the list */ for(idx = ias->iplist; idx->next; idx=idx->next) ; @@ -451,11 +451,11 @@ { IpAddrNode *idx; - if(!ias->neg_iplist) + if(!ias->neg_iplist) { ias->neg_iplist = address_data; } - else + else { /* Get to the end of the list */ for(idx = ias->neg_iplist; idx->next; idx=idx->next) ; @@ -465,17 +465,17 @@ address_data->addr_flags |= EXCEPT_IP; } - + return 0; -} +} -void IpAddrSetBuild(char *addr, IpAddrSet *ret, int neg_list) +void IpAddrSetBuild(char *addr, IpAddrSet *ret, int neg_list) { char *tok, *end, *tmp; int neg_ip; - while(*addr) + while(*addr) { /* Skip whitespace and leading commas */ for(; *addr && (isspace((int)*addr) || *addr == ','); addr++) ; 
@@ -483,98 +483,98 @@ /* Handle multiple negations (such as if someone negates variable that * contains a negated IP */ neg_ip = 0; - for(; *addr == '!'; addr++) + for(; *addr == '!'; addr++) neg_ip = !neg_ip; /* Find end of this token */ - for(end = addr+1; + for(end = addr+1; *end && !isspace((int)*end) && *end != ']' && *end != ','; end++) ; tok = SnortStrndup(addr, end - addr); - if(!tok) + if(!tok) { - FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", + FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", file_name, file_line, addr); } - if(*addr == '[') + if(*addr == '[') { int brack_count = 0; char *list_tok; - + /* Find corresponding ending bracket */ - for(end = addr; *end; end++) + for(end = addr; *end; end++) { - if(*end == '[') + if(*end == '[') brack_count++; else if(*end == ']') brack_count--; - + if(!brack_count) break; } - - if(!*end) + + if(!*end) { - FatalError("%s(%d) => Unterminated IP List '%s'\n", + FatalError("%s(%d) => Unterminated IP List '%s'\n", file_name, file_line, addr); } - + addr++; list_tok = SnortStrndup(addr, end - addr); - if(!list_tok) + if(!list_tok) { - FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", + FatalError("%s(%d) => Failed to allocate memory for parsing '%s'\n", file_name, file_line, addr); } IpAddrSetBuild(list_tok, ret, neg_ip ^ neg_list); free(list_tok); } - else if(*addr == '$') + else if(*addr == '$') { if((tmp = VarGet(tok + 1)) == NULL) { - FatalError("%s(%d) => Undefined variable %s\n", file_name, + FatalError("%s(%d) => Undefined variable %s\n", file_name, file_line, addr); } - - IpAddrSetBuild(tmp, ret, neg_list ^ neg_ip); + + IpAddrSetBuild(tmp, ret, neg_list ^ neg_ip); } else if(*addr == ']') { - if(!(*(addr+1))) + if(!(*(addr+1))) { /* Succesfully reached the end of this list */ free(tok); return; } - FatalError("%s(%d) => Mismatched bracket in '%s'\n", + FatalError("%s(%d) => Mismatched bracket in '%s'\n", file_name, file_line, addr); } - else + else 
{ /* Skip leading commas */ for(; *addr && (*addr == ',' || isspace((int)*addr)); addr++) ; ParseIP(tok, ret, neg_list ^ neg_ip); - if(ret->iplist && !ret->iplist->ip_addr && !ret->iplist->netmask) + if(ret->iplist && !ret->iplist->ip_addr && !ret->iplist->netmask) ret->iplist->addr_flags |= ANY_SRC_IP; - + /* Note: the neg_iplist is not checked for '!any' here since * ParseIP should have already FatalError'ed on it. */ } - + free(tok); if(*end) - addr = end + 1; + addr = end + 1; else break; } @@ -583,7 +583,7 @@ #endif -IpAddrSet *IpAddrSetParse(char *addr) +IpAddrSet *IpAddrSetParse(char *addr) { IpAddrSet *ret; #ifdef SUP_IP6 @@ -600,13 +600,13 @@ ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; #endif - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", addr);); ret = (IpAddrSet*)SnortAlloc(sizeof(IpAddrSet)); -#ifdef SUP_IP6 - if((ret_code = sfvt_add_to_var(ip_vartable, ret, addr)) != SFIP_SUCCESS) +#ifdef SUP_IP6 + if((ret_code = sfvt_add_to_var(ip_vartable, ret, addr)) != SFIP_SUCCESS) { if(ret_code == SFIP_LOOKUP_FAILURE) FatalError("%s(%d) => Undefined variable in the string: %s\n", @@ -614,7 +614,7 @@ else if(ret_code == SFIP_CONFLICT) FatalError("%s(%d) => Negated IP ranges that equal to or are" " more-specific than non-negated ranges are not allowed." - " Consider inverting the logic: %s.\n", + " Consider inverting the logic: %s.\n", file_name, file_line, addr); else FatalError("%s(%d) => Unable to process the IP address: %s\n", @@ -635,7 +635,7 @@ IpAddrNode *node, *tmp; #endif - if(!ipAddrSet) + if(!ipAddrSet) return; #ifdef SUP_IP6 
@@ -669,31 +669,29 @@ int match = 0; if(!ias) - { - DEBUG_WRAP(DebugMessage(DEBUG_ALL,"Null IP address set!\n");); return 0; - } - if(!ias->iplist) + + if(!ias->iplist) match = 1; for(index = ias->iplist; index != NULL; index = index->next) { - if(index->ip_addr == (raw_addr & index->netmask)) + if(index->ip_addr == (raw_addr & index->netmask)) { match = 1; break; } - } + } - if(!match) + if(!match) return 0; - if(!ias->neg_iplist) + if(!ias->neg_iplist) return 1; for(index = ias->neg_iplist; index != NULL; index = index->next) { - if(index->ip_addr == (raw_addr & index->netmask)) + if(index->ip_addr == (raw_addr & index->netmask)) return 0; } diff -Nru snort-2.9.0.1/src/parser/IpAddrSet.h snort-2.9.2/src/parser/IpAddrSet.h --- snort-2.9.0.1/src/parser/IpAddrSet.h 2010-01-26 10:10:10.000000000 -0800 +++ snort-2.9.2/src/parser/IpAddrSet.h 2011-02-09 15:23:28.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* - * Copyright (C) 2002-2010 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * * Author(s): Andrew R. Baker <andrewb@sourcefire.com> * diff -Nru snort-2.9.0.1/src/parser/Makefile.in snort-2.9.2/src/parser/Makefile.in --- snort-2.9.0.1/src/parser/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/parser/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -77,7 +77,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -92,6 +94,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -128,13 +131,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/parser.c snort-2.9.2/src/parser.c --- snort-2.9.0.1/src/parser.c 2010-10-25 12:48:59.000000000 -0700 +++ snort-2.9.2/src/parser.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000,2001 Andrew R. Baker <andrewb@uab.edu> ** @@ -34,6 +34,11 @@ #include <unistd.h> #include <stdarg.h> #include <pcap.h> +#ifdef HAVE_DUMBNET_H +#include <dumbnet.h> +#else +#include <dnet.h> +#endif #ifdef HAVE_STRINGS_H # include <strings.h> @@ -49,13 +54,13 @@ # include <fnmatch.h> #endif /* !WIN32 */ -#include "bounds.h" +#include "snort_bounds.h" #include "rules.h" #include "treenodes.h" #include "parser.h" #include "plugbase.h" #include "plugin_enum.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" #include "detect.h" 
@@ -97,14 +102,14 @@ #ifdef DYNAMIC_PLUGIN # include "dynamic-plugins/sp_dynamic.h" #endif - + /* Macros *********************************************************************/ #define ENABLE_ALL_RULES 1 #define ENABLE_RULE 1 #define ENABLE_ONE_RULE 0 #define MAX_RULE_OPTIONS 256 #define MAX_LINE_LENGTH 32768 -#define MAX_IPLIST_ENTRIES 4096 +#define MAX_IPLIST_ENTRIES 4096 #define DEFAULT_LARGE_RULE_GROUP 9 #define SF_IPPROTO_UNKNOWN -1 #define MAX_RULE_COUNT (65535 * 2) @@ -231,6 +236,11 @@ #define EVENT_QUEUE_OPT__ORDER_EVENTS "order_events" #define EVENT_QUEUE_OPT__PROCESS_ALL_EVENTS "process_all_events" +#define EVENT_TRACE_OPT__FILE "file" +#define EVENT_TRACE_OPT__MAX_DATA "max_data" +#define EVENT_TRACE_OPT__FILE_DEFAULT "event_trace.txt" +#define EVENT_TRACE_OPT__MAX_DATA_DEFAULT 64 + #define ORDER_EVENTS_OPT__CONTENT_LENGTH "content_length" #define ORDER_EVENTS_OPT__PRIORITY "priority" @@ -286,6 +296,7 @@ #ifdef ACTIVE_RESPONSE #define RESPONSE_OPT__ATTEMPTS "attempts" #define RESPONSE_OPT__DEVICE "device" +#define RESPONSE_OPT__DST_MAC "dst_mac" #endif #define ERR_PAIR_COUNT \ @@ -337,7 +348,7 @@ char *name; KeywordType type; int expand_vars; - int default_policy_only; + int default_policy_only; ParseFunc parse_func; } KeywordFunc; @@ -356,7 +367,7 @@ char *name; int args_required; int only_once; - int default_policy_only; + int default_policy_only; ParseConfigFunc parse_func; } ConfigFunc; @@ -389,7 +400,7 @@ } port_list_t; /* rule counts for port lists */ -typedef struct +typedef struct { int src; int dst; @@ -489,6 +500,8 @@ static void ParseVar(SnortConfig *, SnortPolicy *, char *); static void AddVarToTable(SnortConfig *, char *, char *); +int ParseBool(char *arg); + static const KeywordFunc snort_conf_keywords[] = { /* Rule keywords */ 
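Review bot: `int ParseBool(char *arg);` in the @@ -489 hunk is a non-static prototype placed in the .c file rather than in a header, sitting among a list of `static` prototypes. If ParseBool is defined in parser.c for local use it should be `static int ParseBool(char *arg);` like its neighbours; if other translation units call it, the declaration belongs in parser.h so the definition and every caller share a single prototype. If the function only reads its argument, `const char *arg` would also let callers pass literals and const config text without a cast; its body is not visible here, so confirm before changing the signature.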
@@ -607,6 +620,7 @@ { CONFIG_OPT__CLASSIFICATION, 1, 0, 0, ConfigClassification }, { CONFIG_OPT__DAEMON, 0, 1, 1, ConfigDaemon }, { CONFIG_OPT__DECODE_DATA_LINK, 0, 1, 1, ConfigDecodeDataLink }, + { CONFIG_OPT__DECODE_ESP, 0, 1, 1, ConfigEnableEspDecoding }, { CONFIG_OPT__DEFAULT_RULE_STATE, 0, 1, 1, ConfigDefaultRuleState }, { CONFIG_OPT__DETECTION, 1, 0, 1, ConfigDetection }, /* This is reconfigurable */ { CONFIG_OPT__DETECTION_FILTER, 1, 1, 1, ConfigDetectionFilter }, @@ -633,6 +647,7 @@ { CONFIG_OPT__ENABLE_DECODE_OVERSIZED_ALERTS, 0, 1, 1, ConfigEnableDecodeOversizedAlerts }, { CONFIG_OPT__ENABLE_DECODE_OVERSIZED_DROPS, 0, 1, 1, ConfigEnableDecodeOversizedDrops }, { CONFIG_OPT__ENABLE_DEEP_TEREDO_INSPECTION, 0, 1, 1, ConfigEnableDeepTeredoInspection }, + { CONFIG_OPT__ENABLE_GTP_DECODING, 0, 1, 1, ConfigEnableGTPDecoding }, { CONFIG_OPT__ENABLE_IP_OPT_DROPS, 0, 1, 1, ConfigEnableIpOptDrops }, #ifdef MPLS { CONFIG_OPT__ENABLE_MPLS_MULTICAST, 0, 1, 1, ConfigEnableMplsMulticast }, @@ -645,6 +660,7 @@ { CONFIG_OPT__ENABLE_TCP_OPT_TTCP_DROPS, 0, 1, 1, ConfigEnableTTcpDrops }, { CONFIG_OPT__EVENT_FILTER, 1, 1, 1, ConfigEventFilter }, { CONFIG_OPT__EVENT_QUEUE, 1, 1, 1, ConfigEventQueue }, + { CONFIG_OPT__EVENT_TRACE, 0, 1, 1, ConfigEventTrace }, { CONFIG_OPT__REACT, 1, 1, 1, ConfigReact }, #ifdef ENABLE_RESPONSE3 { CONFIG_OPT__FLEXRESP2_INTERFACE, 1, 1, 1, ConfigFlexresp2Interface }, @@ -684,6 +700,7 @@ { CONFIG_OPT__NO_PROMISCUOUS, 0, 1, 1, ConfigNoPromiscuous }, { CONFIG_OPT__OBFUSCATE, 0, 1, 1, ConfigObfuscate }, { CONFIG_OPT__ORDER, 1, 1, 1, ConfigRuleListOrder }, + { CONFIG_OPT__PAF_MAX, 1, 1, 0, ConfigPafMax }, { CONFIG_OPT__PKT_COUNT, 1, 1, 1, ConfigPacketCount }, { CONFIG_OPT__PKT_SNAPLEN, 1, 1, 1, ConfigPacketSnaplen }, { CONFIG_OPT__PCRE_MATCH_LIMIT, 1, 1, 1, ConfigPcreMatchLimit }, 
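Review bot: `{ CONFIG_OPT__PAF_MAX, 1, 1, 0, ConfigPafMax }` in the @@ -684 hunk registers the option with default_policy_only = 0, while every other entry added in this and the two preceding hunks uses 1. If paf_max is deliberately permitted in targeted (non-default) policies, a trailing remark in the style of the existing `/* This is reconfigurable */` on CONFIG_OPT__DETECTION, e.g. `{ CONFIG_OPT__PAF_MAX, 1, 1, 0, ConfigPafMax }, /* allowed per policy */`, would stop the next reader from "correcting" it; if it is a slip, it silently lets per-policy configs override the setting.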
@@ -717,14 +734,17 @@ { CONFIG_OPT__UMASK, 1, 1, 1, ConfigUmask }, { CONFIG_OPT__UTC, 0, 1, 1, ConfigUtc }, { CONFIG_OPT__VERBOSE, 0, 1, 1, ConfigVerbose }, + { CONFIG_OPT__VLAN_AGNOSTIC, 0, 1, 1, ConfigVlanAgnostic }, + { CONFIG_OPT__LOG_IPV6_EXTRA, 0, 1, 1, ConfigLogIPv6Extra }, #ifdef DYNAMIC_PLUGIN { CONFIG_OPT__DUMP_DYNAMIC_RULES_PATH, 1, 1, 1, ConfigDumpDynamicRulesPath }, #endif + { CONFIG_OPT__CONTROL_SOCKET_DIR, 1, 1, 1, ConfigControlSocketDirectory }, { NULL, 0, 0, 0, NULL } /* Marks end of array */ }; /* Used to determine if a config option has already been configured - * Gets zeroed when initially parsing a configuration file, then each + * Gets zeroed when initially parsing a configuration file, then each * index gets set to 1 as an option is configured. Maps to config_opts */ static uint8_t config_opt_configured[sizeof(config_opts) / sizeof(ConfigFunc)]; @@ -795,7 +815,7 @@ static void DefineIfaceVar(SnortConfig *, char *, uint8_t *, uint8_t *); #endif -#ifdef DEBUG +#ifdef DEBUG_MSGS #if 0 static void DumpList(IpAddrNode *, int); #endif @@ -816,7 +836,7 @@ static void DisallowCrossTableDuplicateVars(SnortConfig *, char *, VarType); static int mergeDuplicateOtn(SnortConfig *, OptTreeNode *, OptTreeNode *, RuleTreeNode *); #if 0 -#ifdef DEBUG +#ifdef DEBUG_MSGS static void PrintRtnPorts(RuleTreeNode *); #endif #endif 
@@ -826,22 +846,23 @@ static int ParseNetworkBindingLine(tSfPolicyConfig *, int, char **, char *); static int ParseVlanBindingLine(tSfPolicyConfig *, int, char **, char *); +static int ParsePolicyIdBindingLine(tSfPolicyConfig *, int, char **, char *); static OptTreeNode * firstHeadNode(SnortConfig *, int, RuleType, tSfPolicyId *); static OptTreeNode * nextHeadNode(SnortConfig *, int, RuleType, tSfPolicyId *); static RuleTreeNode * findHeadNode(SnortConfig *, RuleTreeNode *, tSfPolicyId); -// only keep drop rules +// only keep drop rules // if we are inline (and can actually drop), // or we are going to just alert instead of drop, // or we are going to ignore session data instead of drop. // the alert case is tested for separately with ScTreatDropAsAlert(). -static INLINE int ScKeepDropRules (void) +static inline int ScKeepDropRules (void) { return ( ScInlineMode() || ScAdapterInlineMode() || ScTreatDropAsIgnore() ); } -static INLINE int ScLoadAsDropRules (void) +static inline int ScLoadAsDropRules (void) { return ( ScInlineTestMode() || ScAdapterInlineTestMode() ); } @@ -967,9 +988,9 @@ sc->targeted_policies[policy_id] = SnortPolicyNew(); InitVarTables(sc->targeted_policies[policy_id]); - InitPolicyMode(sc->targeted_policies[policy_id]); + InitPolicyMode(sc->targeted_policies[policy_id]); setParserPolicy(policy_id); - + /* Need to reset this for each targeted policy */ memset(config_opt_configured, 0, sizeof(config_opt_configured)); 
@@ -1013,15 +1034,51 @@ return sc; } -static int ParseVlanBindingLine( +static int ParsePolicyIdBindingLine( tSfPolicyConfig *config, - int num_toks, + int num_toks, char **toks, char *fileName ) { int i; - int vlanId1, vlanId2; + int parsedPolicyId; + + for (i = 0; i < num_toks; i++) + { + char *endp; + if ( toks[i] ) + { + errno = 0; + parsedPolicyId = SnortStrtolRange(toks[i], &endp, 10, 0, USHRT_MAX); + if ((errno == ERANGE) || (*endp != '\0')) + return -1; + + if ( sfPolicyIdAddBinding(config, parsedPolicyId, fileName) != 0) + { + return -1; + //FatalError("Unable to add policy: policyId %d, file %s\n", parsedPolicyId, fileName); + } + } + else + { + return -1; + //FatalError("formating error in binding file: %s\n", aLine); + } + } + + return 0; +} + +static int ParseVlanBindingLine( + tSfPolicyConfig *config, + int num_toks, + char **toks, + char *fileName + ) +{ + int i; + int vlanId1=0, vlanId2=0; for (i = 0; i < num_toks; i++) @@ -1048,13 +1105,16 @@ toks2 = mSplit(toks[i], "-", 2, &num_tok2, 0); if (num_tok2 == 2) { - vlanId1 = strtol(toks2[0], &endp, 10); + /* vlanId1 must be < SF_VLAN_BINDING_MAX -1 + to allow for an actual range */ + vlanId1 = SnortStrtolRange(toks2[0], &endp, 10, 0, SF_VLAN_BINDING_MAX-1); if( *endp ) { mSplitFree(&toks2, num_tok2); return -1; } - vlanId2 = strtol(toks2[1], &endp, 10); + /* vlanId2 must be > vlanId1 */ + vlanId2 = SnortStrtolRange(toks2[1], &endp, 10, vlanId1+1, SF_VLAN_BINDING_MAX); if ( *endp ) { mSplitFree(&toks2, num_tok2); @@ -1088,7 +1148,7 @@ else if ( toks[i] ) { - vlanId = strtol(toks[i], &endp, 10); + vlanId = SnortStrtolRange(toks[i], &endp, 10, 0, SF_VLAN_BINDING_MAX-1); if( *endp ) return -1; if ( (vlanId >= SF_VLAN_BINDING_MAX) || sfVlanAddBinding(config, vlanId, fileName) != 0) @@ -1107,9 +1167,9 @@ return 0; } -static int ParseNetworkBindingLine( +static int ParseNetworkBindingLine( tSfPolicyConfig *config, - int num_toks, + int num_toks, char **toks, char *fileName ) 
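Review bot: ParsePolicyIdBindingLine in the @@ -1013 hunk leaves two commented-out `FatalError` calls in place, one of which references `aLine`, a name that is not in scope in this function; commented-out code that would not even compile should be deleted, or replaced with a one-line comment stating that the caller reports the failure on the -1 return. The parse itself has the right shape, `errno = 0` before the call and then both `ERANGE` and a trailing-garbage `*endp` test, so a non-numeric or out-of-range id is rejected rather than clamped, assuming SnortStrtolRange signals out-of-range through errno (its definition is not visible here). A header comment such as `/* Parse one policy-id binding line: every token must be an integer in [0, USHRT_MAX]; returns 0, or -1 on the first malformed token. */` would make the contract explicit for the caller.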
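Review bot: The VLAN parsing in the @@ -1048 and @@ -1088 hunks switches to SnortStrtolRange but checks only `*endp`, unlike the policy-id parser added just above it, which also resets errno and tests for ERANGE. If SnortStrtolRange reports a value outside the requested bounds through errno rather than through the end pointer, as that sibling assumes, a VLAN id above SF_VLAN_BINDING_MAX or a range end below `vlanId1+1` passes the endp test, and the later `vlanId >= SF_VLAN_BINDING_MAX` check in the @@ -1088 hunk covers only one of those cases. Mirroring the sibling with `errno = 0;` before each call and `if ((errno == ERANGE) || *endp)` on the failure branch would make the three parsers consistent, and the two new `/* vlanId1 must be ... */` comments would then describe what actually happens when the constraint is violated. ParseVlanBindingLine's body begins in the preceding hunk and continues outside these two.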
@@ -1138,7 +1198,7 @@ return 0; } -#ifdef DEBUG +#ifdef DEBUG_MSGS static void DumpRuleChains(RuleListNode *rule_lists) { RuleListNode *rule = rule_lists; @@ -1186,7 +1246,7 @@ * Purpose: print out the chain lists by header block node group * * Arguments: node => the head node - * + * * Returns: void function * ***************************************************************************/ @@ -1212,7 +1272,7 @@ if(negated) { - DEBUG_WRAP(DebugMessage(DEBUG_RULES, + DEBUG_WRAP(DebugMessage(DEBUG_RULES, " (EXCEPTION_FLAG Active)\n");); } else @@ -1221,7 +1281,7 @@ } idx = idx->next; - } + } } #endif /* 0 */ #endif /* DEBUG */ @@ -1230,15 +1290,15 @@ * Finish adding the rule to the port tables * * 1) find the table this rule should belong to (src/dst/any-any tcp,udp,icmp,ip or nocontent) - * 2) find an index for the sid:gid pair - * 3) add all no content rules to a single no content port object, the ports are irrelevant so + * 2) find an index for the sid:gid pair + * 3) add all no content rules to a single no content port object, the ports are irrelevant so * make it a any-any port object. * 4) if it's an any-any rule with content, add to an any-any port object * 5) find if we have a port object with these ports defined, if so get it, otherwise create it. - * a)do this for src and dst port + * a)do this for src and dst port * b)add the rule index/id to the portobject(s) * c)if the rule is bidir add the rule and port-object to both src and dst tables - * + * */ static int FinishPortListRule(rule_port_tables_t *port_tables, RuleTreeNode *rtn, OptTreeNode *otn, int proto, port_entry_t *pe, FastPatternConfig *fp) 
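Review bot: The `#ifdef DEBUG` that opens the DumpRuleChains block in the @@ -1138 hunk becomes `#ifdef DEBUG_MSGS`, but the matching close shown at the end of the @@ -1221 hunk still reads `#endif /* DEBUG */`, so the two ends of the block now name different macros; change it to `#endif /* DEBUG_MSGS */`. The same rename is applied to the two prototype guards earlier in parser.c (-795 and -816 hunks) whose closing `#endif` lines are not visible here and are worth checking for the same stale trailer.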
@@ -1291,14 +1351,14 @@ { return -1; } - + /* Count rules with both src and dst specific ports */ - if (!(rtn->flags & ANY_DST_PORT) && !(rtn->flags & ANY_SRC_PORT)) + if (!(rtn->flags & ANY_DST_PORT) && !(rtn->flags & ANY_SRC_PORT)) { DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "***\n***Info: src & dst ports are both specific" " >> gid=%u sid=%u src=%s dst=%s\n***\n", - otn->sigInfo.generator, otn->sigInfo.id, + otn->sigInfo.generator, otn->sigInfo.id, pe->src_port, pe->dst_port);); prc->sd++; @@ -1307,7 +1367,7 @@ /* Create/find an index to store this rules sid and gid at, * and use as reference in Port Objects */ rim_index = otn->ruleIndex; - + /* Add up the nocontent rules */ if (!pe->content && !pe->uricontent) prc->nc++; @@ -1315,16 +1375,16 @@ /* If not an any-any rule test for port bleedover, if we are using a * single rule group, don't bother */ if (!fpDetectGetSingleRuleGroup(fp) && - (rtn->flags & (ANY_DST_PORT|ANY_SRC_PORT)) != (ANY_DST_PORT|ANY_SRC_PORT)) + (rtn->flags & (ANY_DST_PORT|ANY_SRC_PORT)) != (ANY_DST_PORT|ANY_SRC_PORT)) { - if (!(rtn->flags & ANY_SRC_PORT)) + if (!(rtn->flags & ANY_SRC_PORT)) { src_cnt = PortObjectPortCount(rtn->src_portobject); if (src_cnt >= fpDetectGetBleedOverPortLimit(fp)) large_port_group = 1; - } + } - if (!(rtn->flags & ANY_DST_PORT)) + if (!(rtn->flags & ANY_DST_PORT)) { dst_cnt = PortObjectPortCount(rtn->dst_portobject); if (dst_cnt >= fpDetectGetBleedOverPortLimit(fp)) 
@@ -1344,24 +1404,24 @@ PortObjectPrintPortsRaw(rtn->src_portobject); LogMessage(" -> "); PortObjectPrintPortsRaw(rtn->dst_portobject); - LogMessage(" adding to any-any group\n"); + LogMessage(" adding to any-any group\n"); fflush(stdout);fflush(stderr); } } - + /* If an any-any rule add rule index to any-any port object - * both content and no-content type rules go here if they are + * both content and no-content type rules go here if they are * any-any port rules... - * If we have an any-any rule or a large port group or + * If we have an any-any rule or a large port group or * were using a single rule group we make it an any-any rule. */ if (((rtn->flags & (ANY_DST_PORT|ANY_SRC_PORT)) == (ANY_DST_PORT|ANY_SRC_PORT)) || large_port_group || fpDetectGetSingleRuleGroup(fp)) { if (proto == ETHERNET_TYPE_IP) { - /* Add the IP rules to the higher level app protocol groups, if they apply + /* Add the IP rules to the higher level app protocol groups, if they apply * to those protocols. All IP rules should have any-any port descriptors - * and fall into this test. IP rules that are not tcp/udp/icmp go only into the + * and fall into this test. IP rules that are not tcp/udp/icmp go only into the * IP table */ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "Finishing IP any-any rule %u:%u\n", @@ -1415,7 +1475,7 @@ } /* add rule index to dst table if we have a specific dst port or port list */ - if (!(rtn->flags & ANY_DST_PORT)) + if (!(rtn->flags & ANY_DST_PORT)) { PortObject *pox; @@ -1429,7 +1489,7 @@ if (pox == NULL) { /* Create a permanent port object */ - pox = PortObjectDupPorts(rtn->dst_portobject); + pox = PortObjectDupPorts(rtn->dst_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a port object - out of memory!\n", 
@@ -1443,12 +1503,12 @@ PortObjectAddRule(pox, rim_index); /* if bidir, add this rule and port group to the src table */ - if (rtn->flags & BIDIRECTIONAL) + if (rtn->flags & BIDIRECTIONAL) { pox = PortTableFindInputPortObjectPorts(srcTable, rtn->dst_portobject); if (pox == NULL) { - pox = PortObjectDupPorts(rtn->dst_portobject); + pox = PortObjectDupPorts(rtn->dst_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a bidir-port object - out of memory!\n", @@ -1463,7 +1523,7 @@ } /* add rule index to src table if we have a specific src port or port list */ - if (!(rtn->flags & ANY_SRC_PORT)) + if (!(rtn->flags & ANY_SRC_PORT)) { PortObject *pox; @@ -1472,7 +1532,7 @@ pox = PortTableFindInputPortObjectPorts(srcTable, rtn->src_portobject); if (pox == NULL) { - pox = PortObjectDupPorts(rtn->src_portobject); + pox = PortObjectDupPorts(rtn->src_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a port object - out of memory!\n", @@ -1485,12 +1545,12 @@ PortObjectAddRule(pox, rim_index); /* if bidir, add this rule and port group to the dst table */ - if (rtn->flags & BIDIRECTIONAL) + if (rtn->flags & BIDIRECTIONAL) { pox = PortTableFindInputPortObjectPorts(dstTable, rtn->src_portobject); if (pox == NULL) { - pox = PortObjectDupPorts(rtn->src_portobject); + pox = PortObjectDupPorts(rtn->src_portobject); if (pox == NULL) { FatalError("%s(%d) Could not dup a bidir-port object - out " 
@@ -1507,13 +1567,13 @@ return 0; } /* -* Parse a port string as a port var, and create or find a port object for it, +* Parse a port string as a port var, and create or find a port object for it, * and add it to the port var table. These are used by the rtn's * as src and dst port lists for final rtn/otn processing. * * These should not be confused with the port objects used to merge ports and rules * to build PORT_GROUP objects. Those are generated after the otn processing. -* +* */ static PortObject * ParsePortListTcpUdpPort(PortVarTable *pvt, PortTable *noname, char *port_str) @@ -1525,9 +1585,9 @@ if ((pvt == NULL) || (noname == NULL) || (port_str == NULL)) return NULL; - + /* 1st - check if we have an any port */ - if( strcasecmp(port_str,"any")== 0 ) + if( strcasecmp(port_str,"any")== 0 ) { portobject = PortVarTableFind(pvt, "any"); if (portobject == NULL) 
@@ -1537,37 +1597,35 @@ } /* 2nd - check if we have a PortVar */ - else if( port_str[0]=='$' ) - { + else if( port_str[0]=='$' ) + { /*||isalpha(port_str[0])*/ /*TODO: interferes with protocol names for ports*/ - char * name = port_str; + char * name = port_str + 1; - if( name[0]=='$' ) name++; /* in case this is allowed */ - DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortVarTableFind: finding '%s'\n", port_str);); /* look it up in the port var table */ portobject = PortVarTableFind(pvt, name); if (portobject == NULL) - ParseError("***Src PortVar Lookup failed on '%s'."); + ParseError("***PortVar Lookup failed on '%s'.", port_str); DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortVarTableFind: '%s' found!\n", port_str);); } - + /* 3rd - and finally process a raw port list */ - else - { - /* port list = [p,p,p:p,p,...] or p or p:p , no embedded spaces due to tokenizer */ + else + { + /* port list = [p,p,p:p,p,...] or p or p:p , no embedded spaces due to tokenizer */ PortObject * pox; - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "parser.c->PortObjectParseString: parsing '%s'\n",port_str);); - + portobject = PortObjectParseString(pvt, &poparser, 0, port_str, 0); DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "parser.c->PortObjectParseString: '%s' done.\n",port_str);); - + if( !portobject ) { errstr = PortObjectParseError( &poparser ); @@ -1576,7 +1634,7 @@ } /* check if we already have this port object in the un-named port var table ... */ - pox = PortTableFindInputPortObjectPorts(noname, portobject); + pox = PortTableFindInputPortObjectPorts(noname, portobject); if( pox ) { DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, @@ -1587,7 +1645,7 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "parser.c: adding '%s' as a PortObject line=%d\n",port_str,__LINE__ );); /* Add to the un-named port var table */ if (PortTableAddObject(noname, portobject)) 
@@ -1602,20 +1660,20 @@ } #ifdef XXXXX /* -* Extract the Icmp Type field to determine the PortGroup. +* Extract the Icmp Type field to determine the PortGroup. */ PortObject * GetPortListIcmpPortObject( OptTreeNode * otn, PortTable * rulesPortTable, PortObject * anyAnyPortObject ) { PortObject * portobject=0; int type; IcmpTypeCheckData * IcmpType; - + IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - + if( IcmpType && (IcmpType->operator == ICMP_TYPE_TEST_EQ) ) { type = IcmpType->icmp_type; - } + } else { return anyAnyPortObject; @@ -1625,13 +1683,13 @@ return anyAnyPortObject; } /* - * Extract the IP Protocol field to determine the PortGroup. + * Extract the IP Protocol field to determine the PortGroup. */ PortObject * GetPortListIPPortObject( OptTreeNode * otn,PortTable * rulesPortTable, PortObject * anyAnyPortObject ) { if (GetOtnIpProto(otn) == -1) return anyAnyPortObject; - + /* TODO: optimize */ return anyAnyPortObject; } @@ -1639,20 +1697,20 @@ #if 0 Not currently used /* -* Extract the Icmp Type field to determine the PortGroup. +* Extract the Icmp Type field to determine the PortGroup. */ -static +static int GetOtnIcmpType(OptTreeNode * otn ) { int type; IcmpTypeCheckData * IcmpType; - + IcmpType = (IcmpTypeCheckData *)otn->ds_list[PLUGIN_ICMP_TYPE]; - + if( IcmpType && (IcmpType->operator == ICMP_TYPE_TEST_EQ) ) { type = IcmpType->icmp_type; - } + } else { return -1; @@ -1670,7 +1728,7 @@ * TCP/UDP rules use ports/portlists, icmp uses the icmp type field and ip uses the protocol * field as a dst port for the purposes of looking up a rule group as packets are being * processed. - * + * * TCP/UDP- use src/dst ports * ICMP - use icmp type as dst port,src=-1 * IP - use protocol as dst port,src=-1 
@@ -1689,7 +1747,7 @@ /* Get the protocol specific port object */ if( proto == IPPROTO_TCP || proto == IPPROTO_UDP ) { - portobject = ParsePortListTcpUdpPort(pvt, noname, port_str); + portobject = ParsePortListTcpUdpPort(pvt, noname, port_str); } else /* ICMP, IP - no real ports just Type and Protocol */ { @@ -1702,9 +1760,9 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"Rule-PortVar Parsed: %s \n",port_str);); - - /* !ports - port lists can be mixed 80:90,!82, - * so the old NOT flag is depracated for port lists + + /* !ports - port lists can be mixed 80:90,!82, + * so the old NOT flag is depracated for port lists */ /* set up any any flags */ @@ -1716,7 +1774,7 @@ rtn->flags |= ANY_SRC_PORT; } - /* check for a pure not rule - fatal if we find one */ + /* check for a pure not rule - fatal if we find one */ if( PortObjectIsPureNot( portobject ) ) { ParseError("Pure NOT ports are not allowed!"); @@ -1728,7 +1786,7 @@ */ } - /* + /* * set to the port object for this rules src/dst port, * these are used during rtn/otn port verification of the rule. */ @@ -1748,7 +1806,7 @@ * Purpose: Checks For IP List Conflicts in a RuleTreeNode. Such as * negations that are overlapping and more general are not allowed. * - * For example, the following is not allowed: + * For example, the following is not allowed: * * [1.1.0.0/16,!1.0.0.0/8] * @@ -1768,27 +1826,27 @@ return 0; #else IpAddrNode *idx = NULL, *neg_idx = NULL; - + if( !addrset ) return( -1 ); - + if(!addrset->iplist || !addrset->neg_iplist) return 0; - - for(idx = addrset->iplist; idx; idx = idx->next) + + for(idx = addrset->iplist; idx; idx = idx->next) { for(neg_idx = addrset->neg_iplist; neg_idx; neg_idx = neg_idx->next) { /* A smaller netmask means "less specific" */ if(neg_idx->netmask <= idx->netmask && /* Verify they overlap */ - ((neg_idx->ip_addr & neg_idx->netmask) == + ((neg_idx->ip_addr & neg_idx->netmask) == (idx->ip_addr & neg_idx->netmask))) { return 1; } } } - + return 0; #endif } 
@@ -2148,13 +2206,13 @@ /* Parses standalone rate_filter configuration. * - * Parses rate_filter configuration in the following format and populates internal - * structures: + * Parses rate_filter configuration in the following format and populates internal + * structures: * @code - * rate_filter gid <gen-id>, sid <sig-id>, - * track <by_src|by_dst|by_rule>, - * count <c> , seconds <s>, - * new_action <alert|drop|pass|drop|reject|sdrop>, + * rate_filter gid <gen-id>, sid <sig-id>, + * track <by_src|by_dst|by_rule>, + * count <c> , seconds <s>, + * new_action <alert|drop|pass|drop|reject|sdrop>, * timeout <t> [, apply_to <cidr>]; * @endcode * And then adds it into pContext. @@ -2193,7 +2251,7 @@ int num_pairs; pairs = mSplit(toks[i], " \t", 2, &num_pairs, 0); /* get rule option pairs */ - + if (num_pairs != 2) { ParseError(ERR_NOT_PAIRED); @@ -2727,7 +2785,7 @@ * * Function: mergeDuplicateOtn() * - * Purpose: Conditionally removes duplicate SID/GIDs. Keeps duplicate with + * Purpose: Conditionally removes duplicate SID/GIDs. Keeps duplicate with * higher revision. If revision is the same, keeps newest rule. * * Arguments: otn_dup => The existing duplicate 
@@ -2754,22 +2812,22 @@ rtn_dup = getParserRtnFromOtn(otn_dup); - if((rtn_dup != NULL) && (rtn_dup->type != rtn_new->type)) + if((rtn_dup != NULL) && (rtn_dup->type != rtn_new->type)) { ParseError("GID %d SID %d in rule duplicates previous rule, with " "different type.", otn_new->sigInfo.generator, otn_new->sigInfo.id); } - if((otn_new->sigInfo.shared < otn_dup->sigInfo.shared) - || ((otn_new->sigInfo.shared == otn_dup->sigInfo.shared) + if((otn_new->sigInfo.shared < otn_dup->sigInfo.shared) + || ((otn_new->sigInfo.shared == otn_dup->sigInfo.shared) && (otn_new->sigInfo.rev < otn_dup->sigInfo.rev))) { //existing OTN is newer version. Keep existing and discard the new one. //OTN is for new policy group, salvage RTN deleteRtnFromOtn(otn_new, getParserPolicy()); - ParseMessage("GID %d SID %d duplicates previous rule. Using %s.", + ParseMessage("GID %d SID %d duplicates previous rule. Using %s.", otn_new->sigInfo.generator, otn_new->sigInfo.id, otn_dup->sigInfo.shared ? "SO rule.":"higher revision"); @@ -2794,7 +2852,7 @@ return 0; } - + //delete existing rule instance and keep the new one for (i = 0; i < otn_dup->proto_node_num; i++) @@ -2814,7 +2872,7 @@ ParseError("GID %d SID %d in rule duplicates previous rule.", otn_new->sigInfo.generator, otn_new->sigInfo.id); } - else + else { ParseWarning("GID %d SID %d in rule duplicates previous " "rule. Ignoring old rule.\n", @@ -2897,8 +2955,8 @@ addRtnToOtn(otn, getParserPolicy(), rtn); - otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, - otn->sigInfo.generator, + otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, + otn->sigInfo.generator, otn->sigInfo.id); } else @@ -3080,8 +3138,8 @@ } else { - otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, - otn->sigInfo.generator, + otn->ruleIndex = RuleIndexMapAdd(ruleIndexMap, + otn->sigInfo.generator, otn->sigInfo.id); } 
@@ -3144,8 +3202,8 @@ } /* setup gid,sid->otn mapping */ - SoRuleOtnLookupAdd(sc->so_rule_otn_map, otn); - OtnLookupAdd(sc->otn_map, otn); + SoRuleOtnLookupAdd(sc->so_rule_otn_map, otn); + OtnLookupAdd(sc->otn_map, otn); return otn; } @@ -3199,16 +3257,16 @@ vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; #endif - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n", addr);); - -#ifdef SUP_IP6 - /* If a rule has a variable in it, we want to copy that variable's + assert(rtn); +#ifdef SUP_IP6 + /* If a rule has a variable in it, we want to copy that variable's * contents to the IP variable (IP list) stored with the rtn. - * This code tries to look up the variable, and if found, will copy it + * This code tries to look up the variable, and if found, will copy it * to the rtn->{sip,dip} */ - if(mode == SRC) - { + if(mode == SRC) + { int ret; if (rtn->sip == NULL) @@ -3234,7 +3292,7 @@ } /* The function sfvt_add_to_var adds 'addr' to the variable 'rtn->sip' */ - if (ret != SFIP_SUCCESS) + if (ret != SFIP_SUCCESS) { if(ret == SFIP_LOOKUP_FAILURE) { @@ -3246,7 +3304,7 @@ "non-negated ranges are not allowed. Consider " "inverting the logic: %s.", addr); } - else if(ret == SFIP_NOT_ANY) + else if(ret == SFIP_NOT_ANY) { ParseError("!any is not allowed: %s.", addr); } @@ -3256,13 +3314,13 @@ } } - if(rtn->sip->head && rtn->sip->head->flags & SFIP_ANY) + if(rtn->sip->head && rtn->sip->head->flags & SFIP_ANY) { rtn->flags |= ANY_SRC_IP; } - } + } /* mode == DST */ - else + else { int ret; @@ -3288,7 +3346,7 @@ ret = sfvt_add_to_var(ip_vartable, rtn->dip, addr); } - if (ret != SFIP_SUCCESS) + if (ret != SFIP_SUCCESS) { if(ret == SFIP_LOOKUP_FAILURE) { 
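Review bot: The added `assert(rtn);` in the `@@ -3199` hunk only guards debug builds; with NDEBUG defined it compiles away and the `if (rtn->sip == NULL)` test later in the same hunk dereferences a NULL rtn exactly as before. If a NULL rtn is a programming error the assert is fine as a statement of the precondition, but if it can result from a malformed rule a ParseError-style check is the right tool, since a configuration problem should not crash the parser. The enclosing function starts and ends outside this hunk.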
@@ -3300,7 +3358,7 @@ "non-negated ranges are not allowed. Consider " "inverting the logic: %s.", addr); } - else if(ret == SFIP_NOT_ANY) + else if(ret == SFIP_NOT_ANY) { ParseError("!any is not allowed: %s.", addr); } @@ -3310,7 +3368,7 @@ } } - if(rtn->dip->head && rtn->dip->head->flags & SFIP_ANY) + if(rtn->dip->head && rtn->dip->head->flags & SFIP_ANY) { rtn->flags |= ANY_DST_IP; } @@ -3349,12 +3407,12 @@ if (ip_var != NULL) { - if (mode == SRC) + if ((mode == SRC) && (rtn->sip)) { rtn->sip->id = ip_var->id; ip_var->addrset = IpAddrSetCopy(rtn->sip); } - else + else if ((mode == DST) && (rtn->dip)) { rtn->dip->id = ip_var->id; ip_var->addrset = IpAddrSetCopy(rtn->dip); @@ -3386,11 +3444,11 @@ /* Handle multiple negations (such as if someone negates variable that * contains a negated IP */ neg_ip = 0; - for(; *addr == '!'; addr++) + for(; *addr == '!'; addr++) neg_ip = !neg_ip; /* Find end of this token */ - for(end = addr+1; + for(end = addr+1; *end && !isspace((int)*end) && *end != ']' && *end != ','; end++) ; @@ -3399,15 +3457,15 @@ if (!tok) ParseError("Unterminated IP List '%s'.", addr); - if(*addr == '[') + if(*addr == '[') { int brack_count = 0; char *list_tok; /* Find corresponding ending bracket */ - for(end = addr; *end; end++) + for(end = addr; *end; end++) { - if(*end == '[') + if(*end == '[') brack_count++; else if(*end == ']') brack_count--; @@ -3416,7 +3474,7 @@ break; } - if(!*end) + if(!*end) ParseError("Unterminated IP List '%s'.", addr); addr++; @@ -3429,16 +3487,16 @@ ProcessIpList(sc, list_tok, rtn, mode, neg_list ^ neg_ip); free(list_tok); } - else if(*addr == '$') + else if(*addr == '$') { if((tmp = VarGet(tok + 1)) == NULL) ParseError("Undefined variable %s.", addr); - ProcessIpList(sc, tmp, rtn, mode, neg_list ^ neg_ip); + ProcessIpList(sc, tmp, rtn, mode, neg_list ^ neg_ip); } else if(*addr == ']') { - if(!(*(addr+1))) + if(!(*(addr+1))) { /* Succesfully reached the end of this list */ free(tok); 
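Review bot: The `@@ -3349` hunk narrows the unconditional `else` to `else if ((mode == DST) && (rtn->dip))`, so when the relevant address set pointer is NULL the function now silently leaves `ip_var->addrset` as it was. If that state is reachable from a rule, the new guard hides the problem rather than reporting it; a comment explaining why a missing set is benign here, or a debug message in a final `else`, would let a variable that ends up without an addrset be traced back to this point. The enclosing function starts and ends outside this hunk.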
@@ -3447,20 +3505,20 @@ ParseError("Mismatched bracket in '%s'.", addr); } - else + else { /* Skip leading commas */ for(; *addr && (*addr == ',' || isspace((int)*addr)); addr++) ; - if(mode == SRC) + if(mode == SRC) { if(!rtn->sip) rtn->sip = (IpAddrSet*)SnortAlloc(sizeof(IpAddrSet)); ParseIP(tok, rtn->sip, neg_list ^ neg_ip); - if(rtn->sip->iplist && - !rtn->sip->iplist->ip_addr && !rtn->sip->iplist->netmask) + if(rtn->sip->iplist && + !rtn->sip->iplist->ip_addr && !rtn->sip->iplist->netmask) rtn->flags |= ANY_SRC_IP; } @@ -3472,7 +3530,7 @@ ParseIP(tok, rtn->dip, neg_list ^ neg_ip); if(rtn->dip->iplist && - !rtn->dip->iplist->ip_addr && !rtn->dip->iplist->netmask) + !rtn->dip->iplist->ip_addr && !rtn->dip->iplist->netmask) rtn->flags |= ANY_DST_IP; /* Note: the neg_iplist is not checked for '!any' here since @@ -3483,7 +3541,7 @@ free(tok); if(*end) - addr = end + 1; + addr = end + 1; else break; } @@ -3535,7 +3593,7 @@ *hi_port = 0; *lo_port = 0; return 1; - } + } if(rule_port[0] == '!') { @@ -3544,7 +3602,7 @@ ParseWarning("Negating \"any\" is invalid. Rule " "will be ignored."); return -1; - } + } *not_flag = 1; rule_port++; @@ -3689,7 +3747,7 @@ * Returns: 1 if they match, 0 if they don't * ***************************************************************************/ -int CompareIPNodes(IpAddrNode *one, IpAddrNode *two) +int CompareIPNodes(IpAddrNode *one, IpAddrNode *two) { #ifdef SUP_IP6 if( (sfip_compare(one->ip, two->ip) != SFIP_EQUAL) || @@ -3712,7 +3770,7 @@ if ((one->id != 0) && (one->id == two->id)) return 1; - if (!CompareIPLists(one->iplist, two->iplist)) + if (!CompareIPLists(one->iplist, two->iplist)) return 0; if (!CompareIPLists(one->neg_iplist, two->neg_iplist)) 
@@ -3731,7 +3789,7 @@ * Returns: 1 if they match, 0 if they don't * ***************************************************************************/ -static int CompareIPLists(IpAddrNode *one, IpAddrNode *two) +static int CompareIPLists(IpAddrNode *one, IpAddrNode *two) { IpAddrNode *idx1, *idx2; int i, match; @@ -3743,19 +3801,19 @@ return 1; /* Walk first list. For each node, check if there is an equal - * counterpart in the second list. This method breaks down of there are + * counterpart in the second list. This method breaks down of there are * duplicated nodes. For instance, if one = {a, b} and two = {a, a}. - * Therefore, need additional data structure[s] ('usage') to check off - * which nodes have been accounted for already. + * Therefore, need additional data structure[s] ('usage') to check off + * which nodes have been accounted for already. * * Also, the lists are unordered, so comparing node-for-node won't work */ - for(idx1 = one; idx1; idx1 = idx1->next) + for(idx1 = one; idx1; idx1 = idx1->next) total1++; - for(idx2 = two; idx2; idx2 = idx2->next) + for(idx2 = two; idx2; idx2 = idx2->next) total2++; - if(total1 != total2) + if(total1 != total2) return 0; usage = (char *)SnortAlloc(total1); @@ -3816,7 +3874,7 @@ return 0; if ((rule->sip != NULL) && (rtn->sip != NULL) && -#ifdef SUP_IP6 +#ifdef SUP_IP6 (sfvar_compare(rule->sip, rtn->sip) != SFIP_EQUAL)) #else (!CompareIPAddrSets(rule->sip, rtn->sip))) @@ -3826,7 +3884,7 @@ } if ((rule->dip != NULL) && (rtn->dip != NULL) && -#ifdef SUP_IP6 +#ifdef SUP_IP6 (sfvar_compare(rule->dip, rtn->dip) != SFIP_EQUAL)) #else (!CompareIPAddrSets(rule->dip, rtn->dip))) 
@@ -3835,11 +3893,11 @@ return 0; } - /* compare the port group pointers - this prevents confusing src/dst port objects - * with the same port set, and it's quicker. It does assume that we only have + /* compare the port group pointers - this prevents confusing src/dst port objects + * with the same port set, and it's quicker. It does assume that we only have * one port object and pointer for each unique port set...this is handled by the * parsing and initial port object storage and lookup. This must be consistent during - * the rule parsing phase. - man */ + * the rule parsing phase. - man */ if ((rule->src_portobject != rtn->src_portobject) || (rule->dst_portobject != rtn->dst_portobject)) { @@ -3854,7 +3912,7 @@ * * name - portlist name, i.e. http, smtp, ... * s - port number, port range, or a list of numbers/ranges in brackets - * + * * examples: * portvar http [80,8080,8138,8700:8800,!8711] * portvar http $http_basic @@ -3867,9 +3925,9 @@ int rstat; PortVarTable *portVarTable = sc->targeted_policies[getParserPolicy()]->portVarTable; - DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__PORTVAR); + DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__PORTVAR); - if( SnortStrcasestr(s,"any") ) /* this allows 'any' or '[any]' */ + if( SnortStrcasestr(s,strlen(s),"any") ) /* this allows 'any' or '[any]' */ { if(strstr(s,"!")) { @@ -3953,7 +4011,7 @@ static int VarIsIpAddr(vartable_t *ip_vartable, char *value) { char *tmp; - + /* empty list, consider this an IP address */ if ((*value == '[') && (*(value+1) == ']')) return 1; @@ -3962,10 +4020,10 @@ /* Check for dotted-quad */ if( isdigit((int)*value) && - ((tmp = strchr(value, (int)'.')) != NULL) && + ((tmp = strchr(value, (int)'.')) != NULL) && ((tmp = strchr(tmp+1, (int)'.')) != NULL) && (strchr(tmp+1, (int)'.') != NULL)) - return 1; + return 1; /* IPv4 with a mask, and fewer than 4 fields */ else if( isdigit((int)*value) && 
@@ -3975,15 +4033,15 @@ return 1; /* IPv6 */ - else if((tmp = strchr(value, (int)':')) != NULL) + else if((tmp = strchr(value, (int)':')) != NULL) { char *tmp2; - if((tmp2 = strchr(tmp+1, (int)':')) == NULL) + if((tmp2 = strchr(tmp+1, (int)':')) == NULL) return 0; for(tmp++; tmp < tmp2; tmp++) - if(!isxdigit((int)*tmp)) + if(!isxdigit((int)*tmp)) return 0; return 1; @@ -4001,7 +4059,7 @@ } /**************************************************************************** - * + * * Function: CheckBrackets(char *) * * Purpose: Check that the brackets match up in a string that @@ -4087,13 +4145,13 @@ /**************************************************************************** * - * Function: DisallowCrossTableDuplicateVars(char *, int) + * Function: DisallowCrossTableDuplicateVars(char *, int) * - * Purpose: FatalErrors if the a variable name is redefined across variable + * Purpose: FatalErrors if the a variable name is redefined across variable * types. Enforcing this mutual exclusion prevents the * catatrophe where the variable lookup fall-through (see VarSearch) * finds an unintended variable from the wrong table. Note: VarSearch - * is only necessary for ExpandVars. + * is only necessary for ExpandVars. * * Arguments: name => The name of the variable * var_type => The type of the variable that is about to be defined. @@ -4102,7 +4160,7 @@ * Returns: void function * ***************************************************************************/ -static void DisallowCrossTableDuplicateVars(SnortConfig *sc, char *name, VarType var_type) +static void DisallowCrossTableDuplicateVars(SnortConfig *sc, char *name, VarType var_type) { VarEntry *var_table = sc->targeted_policies[getParserPolicy()]->var_table; PortVarTable *portVarTable = sc->targeted_policies[getParserPolicy()]->portVarTable; 
@@ -4118,14 +4176,14 @@ var_type = VAR_TYPE__PORTVAR; } - switch (var_type) + switch (var_type) { case VAR_TYPE__DEFAULT: if (PortVarTableFind(portVarTable, name) #ifdef SUP_IP6 || sfvt_lookup_var(ip_vartable, name) #endif - ) + ) { ParseError("Can not redefine variable name %s to be of type " "'var'. Use a different name.", name); @@ -4172,7 +4230,7 @@ } while(p != var_table); } - if(PortVarTableFind(portVarTable, name)) + if(PortVarTableFind(portVarTable, name)) { ParseError("Can not redefine variable name %s to be of type " "'ipvar'. Use a different name.", name); @@ -4213,19 +4271,19 @@ } #ifdef SUP_IP6 - if(VarIsIpList(ip_vartable, value)) + if(VarIsIpList(ip_vartable, value)) { SFIP_RET ret; if (ip_vartable == NULL) return NULL; - /* Verify a variable by this name is not already used as either a + /* Verify a variable by this name is not already used as either a * portvar or regular var. Enforcing this mutual exclusion prevents the * catatrophe where the variable lookup fall-through (see VarSearch) * finds an unintended variable from the wrong table. Note: VarSearch * is only necessary for ExpandVars. */ - DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__IPVAR); + DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__IPVAR); if((ret = sfvt_define(ip_vartable, name, value)) != SFIP_SUCCESS) { @@ -4258,7 +4316,7 @@ else if(*value == '$') { sfip_var_t *var; - if((var = sfvt_lookup_var(ip_vartable, value)) != NULL) + if((var = sfvt_lookup_var(ip_vartable, value)) != NULL) { sfvt_define(ip_vartable, name, value); return NULL; @@ -4289,7 +4347,7 @@ } while (tmp != var_table); } - value = ExpandVars(sc, value); + value = ExpandVars(sc, value); if(!value) { ParseError("Could not expand var('%s').", name); 
@@ -4298,19 +4356,19 @@ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "VarDefine: name=%s value=%s (expanded)\n",name,value);); - DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__DEFAULT); + DisallowCrossTableDuplicateVars(sc, name, VAR_TYPE__DEFAULT); if (var_table == NULL) { p = VarAlloc(); p->name = SnortStrdup(name); p->value = SnortStrdup(value); - + p->prev = p; p->next = p; sc->targeted_policies[getParserPolicy()]->var_table = p; - + if (!var_id) p->id = sc->targeted_policies[getParserPolicy()]->var_id++; else @@ -4354,7 +4412,7 @@ #ifdef XXXXXXX vlen = strlen(value); LogMessage("Var '%s' defined, value len = %d chars", p->name, vlen ); - + if( vlen < 64 ) { LogMessage(", value = %s\n", value ); @@ -4436,12 +4494,12 @@ #ifdef SUP_IP6 // XXX-IPv6 This function should never be used if IP6 support is enabled! -// Infact it won't presently even work for IP variables since the raw ASCII +// Infact it won't presently even work for IP variables since the raw ASCII // value is never stored, and is never meant to be used. ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; if((var = sfvt_lookup_var(ip_vartable, name)) == NULL) { - /* Do the old style lookup since it wasn't found in + /* Do the old style lookup since it wasn't found in * the variable table */ if(var_table != NULL) { @@ -4499,7 +4557,7 @@ * * Returns: * char * - * The expanded string. Note that the string is returned in a + * The expanded string. Note that the string is returned in a * static variable and most likely needs to be string dup'ed. * ***************************************************************************/ @@ -4524,7 +4582,7 @@ while(i < l_string && j < (int)sizeof(estring) - 1) { c = string[i++]; - + if(c == '"') { /* added checks to make sure that we are inside a quoted string 
@@ -4746,7 +4804,7 @@ { activateData->otn->RTN_activation_ptr = otn->proto_nodes[getParserPolicy()]; //activateData->RTN_activation_ptr = otn->proto_node[policyId]; - activateData->otn->OTN_activation_ptr = otn; + activateData->otn->OTN_activation_ptr = otn; sfghash_remove(actHash, &activateKey); } else @@ -4938,7 +4996,7 @@ * * Notes: man - modified to used .shared flag in otn sigInfo instead of specialGID * sas - removed specialGID - * + * *****************************************************************************/ int CheckRuleStates(SnortConfig *sc) { @@ -4956,8 +5014,8 @@ hashNode = sfghash_findnext(sc->otn_map)) { otn = (OptTreeNode *)hashNode->data; - for (policyId = 0; - policyId < otn->proto_node_num; + for (policyId = 0; + policyId < otn->proto_node_num; policyId++) { rtn = otn->proto_nodes[policyId]; @@ -4968,8 +5026,8 @@ } if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) || - (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { //do operation if ( otn->sigInfo.shared ) { @@ -4985,11 +5043,20 @@ otn->sigInfo.otnKey.gid, otn->sigInfo.otnKey.sid); if (otn_original) { + OptFpList *opt_func = otn->opt_func; + while (opt_func != NULL) + { + /* Delete the option functions that came from the + * parsing -- this rule will be identical to its + * "cloned" brother. */ + OptFpList *tmp = opt_func; + opt_func = opt_func->next; + free(tmp); + } if (otn_original->sigInfo.shared) { /* Its still a shared object -- has its own detection function. */ otn->ds_list[PLUGIN_DYNAMIC] = otn_original->ds_list[PLUGIN_DYNAMIC]; - otn->opt_func = otn_original->opt_func; } else { @@ -4999,10 +5066,10 @@ { otn->ds_list[i] = otn_original->ds_list[i]; } - otn->opt_func = otn_original->opt_func; otn->sigInfo.shared = 0; /* no longer shared */ - otn->sigInfo.dup_opt_func = 1; } + otn->opt_func = otn_original->opt_func; + otn->sigInfo.dup_opt_func = 1; } } } 
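Review bot: The new loop in the `@@ -4985` hunk frees each `OptFpList` node of `otn->opt_func` before the chain is replaced, but releases only the node itself; if an OptFpList carries heap-allocated context (I cannot tell from here), that memory now leaks for every replaced rule, so confirm this against the allocator the rule parser uses for these nodes. The hunk also leaves `otn->opt_func` pointing at freed memory until the assignment near the end of the `@@ -4999` hunk; adding `otn->opt_func = NULL;` directly after the loop keeps the intermediate state safe and makes the later unconditional assignment read as intended. A short comment above that assignment, noting that the chain is now shared with the original rule and that `dup_opt_func` presumably marks it as not owned by this otn, would document why the flag is set in both branches.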
@@ -5034,7 +5101,7 @@ * Returns: void function * * Notes: specialGID is depracated, uses sigInfo.shared flag - * + * *****************************************************************************/ void SetRuleStates(SnortConfig *sc) { @@ -5368,8 +5435,8 @@ if ((sc == NULL) || (fp == NULL) || (arg == NULL)) return; - /* Already parsed this or ignoring for any non-default policy, but need to move past - * the rule declaration because it doesn't have continuation characters + /* Already parsed this or ignoring for any non-default policy, but need to move past + * the rule declaration because it doesn't have continuation characters */ if (prules /* parsing rules */ || (getParserPolicy() != getDefaultPolicy())) @@ -5571,12 +5638,12 @@ vartable_t *ip_vartable = sc->targeted_policies[getParserPolicy()]->ip_vartable; sfip_var_t *ipvar; - if ((ipvar = sfvt_lookup_var(ip_vartable, name)) != NULL) - return ExpandVars(sc, ipvar->value); + if ((ipvar = sfvt_lookup_var(ip_vartable, name)) != NULL) + return ExpandVars(sc, ipvar->value); #endif /* XXX Return a string value */ - if (PortVarTableFind(portVarTable, name)) + if (PortVarTableFind(portVarTable, name)) return name; if (var_table != NULL) @@ -5837,15 +5904,15 @@ #else check_flag = CheckForIPListConflicts(addrset); #endif - + switch( check_flag ) { case -1: ParseError("Empty IP used either as source IP or as destination IP " "in a rule. IP list: %s.", token); break; - - case 1: + + case 1: ParseError("Negated IP ranges that are equal to or are more " "general than non-negated ranges are not allowed. " "Consider inverting the logic: %s.", token); @@ -6007,7 +6074,7 @@ if (dynamic_rule_count != 0) LinkDynamicRules(sc); -#ifdef DEBUG +#ifdef DEBUG_MSGS DumpRuleChains(sc->rule_lists); #endif @@ -6051,7 +6118,7 @@ ParseError("Cannot include \"%s\" in an include directive.", snort_conf_file); } - + /* XXX Maybe not allow an include in an included file to avoid * potential recursion issues */ 
@@ -6059,7 +6126,7 @@ file_name = SnortStrdup(arg); /* Stat the file. If that fails, stat it relative to the directory - * that the top level snort configuration file was in */ + * that the top level snort configuration file was in */ if (stat(file_name, &file_stat) == -1) { int path_len = strlen(snort_conf_dir) + strlen(arg) + 1; @@ -6129,7 +6196,7 @@ /* If it's an empty line or starts with a comment character */ if ((strlen(index) == 0) || (*index == '#') || (*index == ';')) continue; - + if (continuation) { int new_line_len = strlen(saved_line) + strlen(index) + 1; @@ -6150,13 +6217,13 @@ saved_line = NULL; index = new_line; - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"concat rule: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"concat rule: %s\n", new_line);); } /* check for a '\' continuation character at the end of the line * if it's there we need to get the next line in the file */ - if (ContinuationCheck(index) == 0) + if (ContinuationCheck(index) == 0) { char **toks; int num_toks; @@ -6183,7 +6250,7 @@ snort_conf_keywords[i].default_policy_only) { /* Keyword only configurable in the default policy*/ - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Config option \"%s\" configurable only by default policy. Ignoring it", toks[0])); break; } @@ -6278,10 +6345,10 @@ new_line = NULL; } - /* set the flag to let us know the next line is - * a continuation line */ + /* set the flag to let us know the next line is + * a continuation line */ continuation = 1; - } + } } fclose(fp); @@ -6294,7 +6361,7 @@ idx = rule + strlen(rule) - 1; - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"initial idx set to \'%c\'\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"initial idx set to \'%c\'\n", *idx);); while(isspace((int)*idx)) @@ -6334,7 +6401,7 @@ sc->alert_file = SnortStrdup(args); - DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"alertfile set to: %s\n", + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"alertfile set to: %s\n", sc->alert_file);); } 
@@ -6395,7 +6462,12 @@ ParseError("Need at least two arguments to 'config binding'"); return; } - if (!strcmp("vlan", toks1[1])) + + if (!strcmp("policy_id", toks1[1])) + { + bindingType = SF_BINDING_TYPE_POLICY_ID; + } + else if (!strcmp("vlan", toks1[1])) { bindingType = SF_BINDING_TYPE_VLAN; } @@ -6432,18 +6504,25 @@ return; } - if (bindingType == SF_BINDING_TYPE_VLAN) + if (bindingType == SF_BINDING_TYPE_POLICY_ID) + { + if (ParsePolicyIdBindingLine(sc->policy_config, num_toks, &toks[0], fileName)) + { + FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName); + } + } + else if (bindingType == SF_BINDING_TYPE_VLAN) { if (ParseVlanBindingLine(sc->policy_config, num_toks, &toks[0], fileName)) { - FatalError("formating error in binding file: %s\n", fileName); + FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName); } } - else + else { if (ParseNetworkBindingLine(sc->policy_config, num_toks, &toks[0], fileName)) { - FatalError("formating error in binding file: %s\n", fileName); + FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName); } } mSplitFree(&toks1, num_toks1); @@ -6528,13 +6607,13 @@ negative_flags = CHECKSUM_FLAG__ALL; got_negative_flag = 1; } - else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__IP) == 0) + else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__IP) == 0) { positive_flags |= CHECKSUM_FLAG__IP; negative_flags &= ~CHECKSUM_FLAG__IP; got_positive_flag = 1; } - else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__NO_IP) == 0) + else if (strcasecmp(toks[i], CHECKSUM_MODE_OPT__NO_IP) == 0) { positive_flags &= ~CHECKSUM_FLAG__IP; negative_flags |= CHECKSUM_FLAG__IP; @@ -6659,7 +6738,7 @@ if (getParserPolicy() == getDefaultPolicy()) { ParseWarning("Duplicate classification \"%s\"" - "found, ignoring this line\n", file_name, file_line, + "found, ignoring this line\n", file_name, file_line, new_node->type); } 
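Review bot: The three branches of the binding-type dispatch in the second hunk differ only in the parse function called, while the new `FatalError("%s(%d) Formatting error in binding config for %s\n", ...)` line is repeated verbatim three times; collecting the result into one variable and failing once keeps the message in a single place. The enclosing function starts and ends outside the hunk, so `rc` should be declared with the function's other locals.
```c
int rc;
if (bindingType == SF_BINDING_TYPE_POLICY_ID)
    rc = ParsePolicyIdBindingLine(sc->policy_config, num_toks, &toks[0], fileName);
else if (bindingType == SF_BINDING_TYPE_VLAN)
    rc = ParseVlanBindingLine(sc->policy_config, num_toks, &toks[0], fileName);
else
    rc = ParseNetworkBindingLine(sc->policy_config, num_toks, &toks[0], fileName);
if (rc)
    FatalError("%s(%d) Formatting error in binding config for %s\n", file_name, file_line, fileName);
/* … unchanged: mSplitFree(&toks1, num_toks1) and the rest of the function … */
```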
@@ -6795,11 +6874,11 @@ else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG_PRINT_RULE_GROUPS_UNCOMPILED) == 0) { fpDetectSetDebugPrintRuleGroupsUnCompiled(fp); - } + } else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG_PRINT_RULE_GROUPS_COMPILED) == 0) { fpDetectSetDebugPrintRuleGroupsCompiled(fp); - } + } else if (strcasecmp(toks[i], DETECTION_OPT__DEBUG) == 0) { fpSetDebugMode(fp); @@ -6816,7 +6895,7 @@ else if (strcasecmp(toks[i], DETECTION_OPT__SEARCH_METHOD) == 0) { i++; - if (i < num_toks) + if (i < num_toks) { if (fpSetDetectSearchMethod(fp, toks[i]) == -1) { @@ -7147,6 +7226,58 @@ sc->enable_teredo = 1; /* TODO: add this to some existing flag bitfield? */ } +#define GTP_U_PORT 2152 +#define GTP_U_PORT_V0 3386 +void ConfigEnableGTPDecoding(SnortConfig *sc, char *args) +{ + PortObject *portObject; + int numberOfPorts = 0; + + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Enabling GTP decoding\n");); + sc->enable_gtp = 1; + + /*Set the ports*/ + + portObject = PortVarTableFind( sc->targeted_policies[getParserPolicy()]->portVarTable, "GTP_PORTS"); + if (portObject) + { + sc->gtp_ports = PortObjectCharPortArray(sc->gtp_ports,portObject, &numberOfPorts); + } + + if (!sc->gtp_ports || (0 == numberOfPorts)) + { + /*No ports defined, use default GTP ports*/ + sc->gtp_ports = (char *)SnortAlloc(UINT16_MAX); + sc->gtp_ports[GTP_U_PORT] = 1; + sc->gtp_ports[GTP_U_PORT_V0] = 1; + + } +} + +void ConfigEnableEspDecoding(SnortConfig *sc, char *args) +{ + int ret; + if (sc == NULL) + return; + + if (args) + { + ret = ParseBool(args); + if (ret == -1) + { + ParseError("Invalid argument to ESP decoder argument: %s\n" + "Please specify \"enable\" or \"disable\".", args); + } + + sc->enable_esp = ret; + } + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Changing ESP decoding\n");); +} + void ConfigEnableIpOptDrops(SnortConfig *sc, char *args) { if (sc == NULL) 
@@ -7349,6 +7480,70 @@ mSplitFree(&toks, num_toks); } +void ConfigEventTrace(SnortConfig *sc, char *args) +{ + char **toks; + int num_toks = 0; + int i; + + if ( !sc ) + return; + + sc->event_trace_file = EVENT_TRACE_OPT__FILE_DEFAULT; + sc->event_trace_max = EVENT_TRACE_OPT__MAX_DATA_DEFAULT; + + if ( args ) + toks = mSplit(args, ", ", 0, &num_toks, 0); + + for (i = 0; i < num_toks; i++) + { + if (strcasecmp(toks[i], EVENT_TRACE_OPT__MAX_DATA) == 0) + { + i++; + if (i < num_toks) + { + char* endptr; + long max = SnortStrtol(toks[i], &endptr, 0); + + if ( (errno == ERANGE) || (*endptr != '\0') || + (max <= 0) || (max > 65535) ) + { + ParseError("Invalid argument for %s: %s. Must be a positive " + "integer < 65536.", EVENT_TRACE_OPT__MAX_DATA, toks[i]); + } + sc->event_trace_max = (uint16_t)max; + } + else + { + ParseError("No argument to %s. Argument must be a positive " + "integer < 65536.", EVENT_TRACE_OPT__MAX_DATA); + } + } + else if (strcasecmp(toks[i], EVENT_TRACE_OPT__FILE) == 0) + { + i++; + if(i < num_toks) + sc->event_trace_file = toks[i]; + else + { + ParseError("No argument to %s. Argument must be a string." + EVENT_TRACE_OPT__FILE); + } + } + else + { + ParseError("Invalid argument to 'event_trace'. To configure " + "event_trace, only the options 'file' and 'max_data' can " + "can be specified. Defaults are %s and %d.", + EVENT_TRACE_OPT__FILE_DEFAULT, EVENT_TRACE_OPT__MAX_DATA_DEFAULT); + } + } + sc->event_trace_file = SnortStrdup(sc->event_trace_file); + + if ( num_toks > 0 ) + mSplitFree(&toks, num_toks); +} + void ConfigReact (SnortConfig *sc, char *args) { if ((sc == NULL) || (args == NULL)) 
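Review bot: The ParseError call in the `EVENT_TRACE_OPT__FILE` branch of ConfigEventTrace is missing the comma before `EVENT_TRACE_OPT__FILE`, so the macro's string literal is concatenated into the format and the `%s` has no matching argument, which is undefined behaviour in the variadic call; it should read `ParseError("No argument to %s. Argument must be a string.", EVENT_TRACE_OPT__FILE);`. The `errno == ERANGE` test after SnortStrtol assumes errno was cleared beforehand; if SnortStrtol does not reset it (not visible here), a stale ERANGE from an earlier call would reject a valid max_data, so `errno = 0;` before the call is cheap insurance. `sc->event_trace_file` is also SnortStrdup'd on every call, so a repeated `event_trace` line leaks the previous copy.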
@@ -7433,6 +7628,23 @@ "layer responses or 'eth0' etc. for link layer responses."); } } + else if ( !strcasecmp(toks[i], RESPONSE_OPT__DST_MAC) ) + { + if ( ++i < num_toks ) + { + eth_addr_t dst; + if (eth_pton( toks[i], &dst) < 0) + { + ParseError("Format check failed: %s, Use format like 12:34:56:78:90:1a", toks[i]); + } + sc->eth_dst = SnortAlloc (sizeof(dst.data)); + memcpy(sc->eth_dst, dst.data, sizeof(dst.data)); + } + else + { + ParseError("No argument to 'dst_mac'. Use format 12:34:56:78:90:1a"); + } + } else { ParseError("Invalid config response option '%s'", toks[i]); @@ -7508,14 +7720,19 @@ } for ( i = 1; i < num_toks; i++ ) - { + { /* Re-use function from rules processing */ - ParsePort(toks[i], &hi_port, &lo_port, toks[0], ¬_flag); - + ParsePort(toks[i], &hi_port, &lo_port, toks[0], ¬_flag); + for ( p = lo_port; p <= hi_port; p++ ) - sc->ignore_ports[p] = (uint8_t)protocol; /* protocol will be 6 (TCP) or 17 (UDP) */ + { + if (protocol == IPPROTO_TCP) + sc->ignore_ports[p] |= PROTO_BIT__TCP; + else if (protocol == IPPROTO_UDP) + sc->ignore_ports[p] |= PROTO_BIT__UDP; + } } - + mSplitFree(&toks, num_toks); } @@ -7596,7 +7813,7 @@ arg_toks = mSplit(opt_toks[i], " \t", 2, &num_args, 0); - if(!arg_toks[1]) + if(!arg_toks[1]) { ParseError("ipv6_frag option '%s' requires an argument.", arg_toks[0]); 
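Review bot: In the `RESPONSE_OPT__DST_MAC` branch, `sc->eth_dst` is allocated with SnortAlloc on every occurrence of `dst_mac`, so a second occurrence leaks the first buffer; allocate only when `sc->eth_dst == NULL` or free the old one first. If eth_pton fails and ParseError returns, `dst.data` is copied regardless, so either document that ParseError does not return or move the allocation and memcpy into an `else`. The enclosing function starts and ends outside this hunk.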
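Review bot: In the ignore_ports loop, `not_flag` is passed to ParsePort but never consulted within the hunk, so a negated port specification would be added to `sc->ignore_ports` as if it were positive unless the part of the function outside the hunk handles it; if negation is unsupported here, rejecting a set `not_flag` with a ParseError would be clearer than silently ignoring it. Since `p` runs to `hi_port` inclusive via `<=`, the loop variable must be wider than 16 bits or `hi_port == 65535` never terminates; its declaration is outside the hunk, so please confirm.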
@@ -7604,18 +7821,18 @@ if(!strcasecmp(arg_toks[0], "bsd_icmp_frag_alert")) { - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the BSD ICMP fragmentation alert\n");); if(!strcasecmp(arg_toks[1], "off")) sc->targeted_policies[getParserPolicy()]->decoder_alert_flags &= ~DECODE_EVENT_FLAG__IPV6_BSD_ICMP_FRAG; } else if(!strcasecmp(arg_toks[0], "bad_ipv6_frag_alert")) { - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the IPv6 bad fragmentation packet alerts\n");); if(!strcasecmp(arg_toks[1], "off")) sc->targeted_policies[getParserPolicy()]->decoder_alert_flags &= ~DECODE_EVENT_FLAG__IPV6_BAD_FRAG; - + } else if (!strcasecmp(arg_toks[0], "frag_timeout")) { @@ -7638,7 +7855,7 @@ if(args == endp || *endp) { - ParseError("ipv6_frag_timeout: Invalid argument '%s'.", + ParseError("ipv6_frag_timeout: Invalid argument '%s'.", arg_toks[1]); } @@ -7656,7 +7873,7 @@ } val = strtol(arg_toks[1], &endp, 0); - if (val <= 0) + if (val <= 0) { ParseError("ipv6_max_frag_sessions: Invalid number of sessions " "'%s'. Must be greater than 0.", arg_toks[1]); @@ -7674,12 +7891,12 @@ { if(!strcasecmp(arg_toks[1], "off")) { - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the BSD ICMP fragmentation alert\n");); sc->targeted_policies[getParserPolicy()]->decoder_drop_flags &= ~DECODE_EVENT_FLAG__IPV6_BAD_FRAG; } } - else + else { ParseError("Invalid option to ipv6_frag '%s %s'.", arg_toks[0], arg_toks[1]); @@ -7828,8 +8045,8 @@ val = strtol(args, &endp, 0); if ((args == endp) || *endp || (val < -1)) val = DEFAULT_LABELCHAIN_LENGTH; - } - else + } + else { val = DEFAULT_LABELCHAIN_LENGTH; } 
@@ -7847,21 +8064,21 @@ if (strcasecmp(args, MPLS_PAYLOAD_OPT__IPV4) == 0) { sc->mpls_payload_type = MPLS_PAYLOADTYPE_IPV4; - } + } else if (strcasecmp(args, MPLS_PAYLOAD_OPT__IPV6) == 0) { sc->mpls_payload_type = MPLS_PAYLOADTYPE_IPV6; - } + } else if (strcasecmp(args, MPLS_PAYLOAD_OPT__ETHERNET) == 0) { sc->mpls_payload_type = MPLS_PAYLOADTYPE_ETHERNET; - } - else + } + else { ParseError("Non supported mpls payload type: %s.", args); } - } - else + } + else { sc->mpls_payload_type = DEFAULT_MPLS_PAYLOADTYPE; } @@ -7963,9 +8180,9 @@ char **toks; /* dbl ptr to store mSplit return data in */ int num_toks; /* number of tokens mSplit returns */ int nmask; /* temporary netmask storage */ -# ifdef DEBUG +#ifdef DEBUG_MSGS struct in_addr sin; -# endif +#endif #endif if ((sc == NULL) || (args == NULL)) @@ -8001,22 +8218,22 @@ ParseError("No netmask specified for obsucation mask!"); } - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "obfuscation netmask = %#8lX\n", + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "obfuscation netmask = %#8lX\n", sc->obfuscation_mask);); /* convert the IP addr into its 32-bit value */ if((net.s_addr = inet_addr(toks[0])) == INADDR_NONE) ParseError("Obfuscation mask (%s) didn't translate.", toks[0]); - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", inet_ntoa(net), net.s_addr);); /* set the final homenet address up */ sc->obfuscation_net = net.s_addr & sc->obfuscation_mask; -#ifdef DEBUG +#ifdef DEBUG_MSGS sin.s_addr = sc->obfuscation_net; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Obfuscation Net = %s (%X)\n", inet_ntoa(sin), sin.s_addr);); #endif 
@@ -8026,6 +8243,34 @@ #endif } +void ConfigPafMax (SnortConfig *sc, char *args) +{ + long int value; + char *endptr; + + // 255 is max pseudo-random flush point; eth mtu + // ensures that maximum flushes are not trimmed + // which throws off the tracking total in stream5_paf.c + const unsigned max = IP_MAXPACKET - ETHERNET_MTU - 255; + + if ((sc == NULL) || (args == NULL)) + return; + + value = SnortStrtoulRange(args, &endptr, 0, 0, max); + + if ( (errno == ERANGE) || (*endptr != '\0') ) + { + ParseError( + "Invalid argument to '%s' configuration: %s. " + "Must be between 0 (off) and %u (max).", + CONFIG_OPT__PAF_MAX, args, max); + } + + { + sc->paf_max = (uint32_t)value; + } +} + void ConfigRuleListOrder(SnortConfig *sc, char *args) { OrderRuleLists(sc, args); @@ -8133,8 +8378,8 @@ sc->run_flags |= RUN_FLAG__CREATE_PID_FILE; if (SnortStrncpy(sc->pid_path, args, sizeof(sc->pid_path)) != SNORT_STRNCPY_SUCCESS) ParseError("Pid path too long."); - - DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Pid Path directory = %s\n", + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Pid Path directory = %s\n", sc->pid_path);); } @@ -8202,7 +8447,7 @@ mode = POLICY_MODE__INLINE_TEST; else if (!ScAdapterInlineMode()) { - ParseWarning("Adapter is in Passive Mode. Hence switching " + ParseWarning("Adapter is in Passive Mode. Hence switching " "policy mode to tap."); mode = POLICY_MODE__PASSIVE; @@ -8305,10 +8550,10 @@ #ifdef PPM_MGR /* * config ppm: feature, feature, feature,.. - * + * * config ppm: max-pkt-time usecs, * disable-pkt-inspection, - * max-rule-time usecs, + * max-rule-time usecs, * disable-rule-inspection, threshold 5, * max-suspend-time secs, * rule-events alert|syslog|console, @@ -8329,7 +8574,7 @@ if (sc == NULL) return; - + toks = mSplit(args, ",", 0, &num_toks, 0); if (!sc->ppm_cfg.enabled) @@ -8339,7 +8584,7 @@ for(i = 0; i < num_toks; i++) { opts = mSplit(toks[i], " \t", 0, &num_opts, 0); - + if (strcasecmp(opts[0], PPM_OPT__MAX_PKT_TIME) == 0) { if (num_opts != 2) 
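Review bot: In ConfigPafMax the assignment `sc->paf_max = (uint32_t)value;` sits in a bare `{ }` block directly after the ParseError call, which reads like a dropped `else`; if ParseError returns, the rejected value is still stored, so write `else { sc->paf_max = (uint32_t)value; }` or remove the stray braces if ParseError is known to be non-returning. `value` is declared `long int` while the result is range-checked against an `unsigned` max; if SnortStrtoulRange returns `unsigned long` as its name suggests, declaring `value` with that type avoids a signed/unsigned round trip. Clearing `errno` before the call is also advisable unless SnortStrtoulRange does so itself.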
@@ -8367,7 +8612,7 @@ { ParseError("config ppm: Invalid %s '%s'.", opts[0], opts[1]); } - + ppm_set_max_rule_time(&sc->ppm_cfg, val); } else if (strcasecmp(opts[0], PPM_OPT__SUSPEND_TIMEOUT) == 0) @@ -8382,7 +8627,7 @@ { ParseError("config ppm: Invalid %s '%s'.", opts[0], opts[1]); } - + ppm_set_max_suspend_time(&sc->ppm_cfg, val); ruleOpts++; } @@ -8431,16 +8676,16 @@ ppm_set_pkt_log(&sc->ppm_cfg, PPM_LOG_MESSAGE); pktOpts++; - } + } else if (strcasecmp(opts[0], PPM_OPT__RULE_LOG) == 0) { int k; - + if (num_opts == 1) { ParseError("config ppm: insufficient %s opts.", opts[0]); } - + for (k = 1; k < num_opts; k++) { if (strcasecmp(opts[k], PPM_OPT__ALERT) == 0) @@ -8458,7 +8703,7 @@ } ruleOpts++; - } + } else if (strcasecmp(opts[0], PPM_OPT__DEBUG_PKTS) == 0) { if (num_opts != 1) @@ -8482,7 +8727,7 @@ ParseError("'%s' is an invalid option to the 'config ppm:' " "configuration.", opts[0]); } - + mSplitFree(&opts, num_opts); } @@ -8588,7 +8833,7 @@ sc->profile_preprocs.filename = ProcessFileOption(sc, opts[1]); if (opts[2] && (strcasecmp(opts[2], PROFILE_OPT__APPEND) == 0)) { - sc->profile_preprocs.append = 1; + sc->profile_preprocs.append = 1; } else { @@ -8709,7 +8954,7 @@ sc->profile_rules.filename = ProcessFileOption(sc, opts[1]); if (opts[2] && (strcasecmp(opts[2], PROFILE_OPT__APPEND) == 0)) { - sc->profile_rules.append = 1; + sc->profile_rules.append = 1; } else { @@ -8747,7 +8992,7 @@ if ((sc == NULL) || (args == NULL)) return; - + toks = mSplit(args, " \t", 2, &num_toks, 0); if (num_toks != 2) { 
@@ -9112,6 +9357,24 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Verbose Flag active\n");); } +void ConfigVlanAgnostic(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "VLAN Agnostic active\n");); + sc->vlan_agnostic = 1; /* TODO: add this to some existing flag bitfield? */ +} + +void ConfigLogIPv6Extra(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "LOG IPV6 EXTRA DATA active\n");); + sc->log_ipv6_extra = 1; /* TODO: add this to some existing flag bitfield? */ +} + #ifdef DYNAMIC_PLUGIN void ConfigDumpDynamicRulesPath(SnortConfig *sc, char *args) { @@ -9122,7 +9385,13 @@ sc->dynamic_rules_path = SnortStrdup(args); } #endif - +void ConfigControlSocketDirectory(SnortConfig *sc, char *args) +{ + if (sc == NULL) + return; + if ( args != NULL ) + sc->cs_dir = SnortStrdup(args); +} /**************************************************************************** * * Function: ParseRule() @@ -9152,7 +9421,7 @@ return; memset(&test_rtn, 0, sizeof(RuleTreeNode)); - + memset(&pe, 0, sizeof(pe)); DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"[*] Rule start\n");); @@ -9205,9 +9474,6 @@ case IPPROTO_ICMP: sc->ip_proto_array[IPPROTO_ICMP] = 1; sc->ip_proto_array[IPPROTO_ICMPV6] = 1; - - if ( rule_type == RULE_TYPE__REJECT ) - test_rtn.type = rule_type = RULE_TYPE__ALERT; break; case ETHERNET_TYPE_IP: /* This will be set via ip_protos */ @@ -9296,7 +9562,7 @@ } rule_count++; - + /* Get rule option info */ pe.gid = otn->sigInfo.generator; pe.sid = otn->sigInfo.id; @@ -9352,10 +9618,10 @@ port_list_add_entry(&port_list, &pe); - /* + /* * The src/dst port parsing must be done before the Head Nodes are processed, since they must * compare the ports/port_objects to find the right rtn list to add the otn rule to. - * + * * After otn processing we can finalize port object processing for this rule */ if (FinishPortListRule(sc->port_tables, rtn, otn, protocol, &pe, sc->fast_pattern_config)) 
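Review bot: ConfigControlSocketDirectory stores `args` verbatim via SnortStrdup without any check, and a repeated `cs_dir` line leaks the earlier copy; `free(sc->cs_dir);` before the assignment (or rejecting the duplicate) avoids that. Because this path names where a control socket will be created, the code that creates the socket needs to verify the directory exists and is not writable by untrusted users; that code is not in this diff, so a comment here such as `/* directory existence and permissions are checked where the control socket is created */` would record where that check lives. A blank line between the preceding `#endif` and the new function would also match the rest of the file.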
@@ -9418,7 +9684,7 @@ } #if 0 -#ifdef DEBUG +#ifdef DEBUG_MSGS static void PrintRtnPorts(RuleTreeNode *rtn_list) { int i = 0; @@ -9642,7 +9908,7 @@ while (tmp != NULL) { - // Already defined this via command line + // Already defined this via command line if (strcasecmp(toks[0], tmp->name) == 0) { mSplitFree(&toks, num_toks); @@ -9651,7 +9917,7 @@ tmp = tmp->next; } - } + } AddVarToTable(sc, toks[0], toks[1]); mSplitFree(&toks, num_toks); @@ -10388,20 +10654,20 @@ /* * metadata may be key/value pairs or just keys - * + * * metadata: key [=] value, key [=] value, key [=] value, key, key, ... ; * * This option may be used one or more times, with one or more key/value pairs. * - * updated 8/28/06 - man + * updated 8/28/06 - man * * keys: - * + * * engine * rule-flushing * rule-type * soid - * service + * service * os */ static void ParseOtnMetadata(SnortConfig *sc, RuleTreeNode *rtn, @@ -10415,9 +10681,9 @@ ParseError("Metadata rule option requires an argument."); DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "metadata: %s\n", args);); - + metadata_toks = mSplit(args, ",", 100, &num_metadata_toks, 0); - + for (i = 0; i < num_metadata_toks; i++) { char **key_value_toks; @@ -10437,7 +10703,7 @@ DebugMessage(DEBUG_CONFIGRULES, " value=%s", value); DebugMessage(DEBUG_CONFIGRULES, "\n"); ); - + /* process key/value pairs */ if (strcasecmp(key, METADATA_KEY__ENGINE) == 0) { @@ -10529,7 +10795,7 @@ ParseError("Bogus gid %s", toks[0]); otn->sigInfo.otnKey.gid = (uint32_t)long_val; - + long_val = SnortStrtoul(toks[1], &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (long_val > UINT32_MAX)) ParseError("Bogus sid %s", toks[1]); @@ -10575,7 +10841,7 @@ else if (strcasecmp(key, METADATA_KEY__OS) == 0 ) { // metadata: os = Linux:w - // + // if (value == NULL) ParseError("Metadata key '%s' requires a value.", key); 
@@ -10810,7 +11076,7 @@ mSplitFree(&toks, num_toks); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Set type: %d metric: %x count: %d\n", type, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Set type: %d metric: %x count: %d\n", type, metric, count);); otn->tag = (TagData *)SnortAlloc(sizeof(TagData)); @@ -10976,7 +11242,7 @@ static RuleType GetRuleType(char *arg) { if (arg == NULL) - return RULE_TYPE__NONE; + return RULE_TYPE__NONE; if (strcasecmp(arg, SNORT_CONF_KEYWORD__ACTIVATE) == 0) return RULE_TYPE__ACTIVATE; @@ -11130,11 +11396,11 @@ } SafeMemcpy( &plist->pl_array[plist->pl_cnt], pentry, sizeof(port_entry_t), - &plist->pl_array[plist->pl_cnt], + &plist->pl_array[plist->pl_cnt], (char*)(&plist->pl_array[plist->pl_cnt]) + sizeof(port_entry_t)); plist->pl_cnt++; - return 0; + return 0; } #if 0 @@ -11159,9 +11425,9 @@ LogMessage(" src_port %s dst_port %s ", plist->pl_array[i].src_port, plist->pl_array[i].dst_port ); - LogMessage(" content %d", + LogMessage(" content %d", plist->pl_array[i].content); - LogMessage(" uricontent %d", + LogMessage(" uricontent %d", plist->pl_array[i].uricontent); LogMessage(" }\n"); } @@ -11194,9 +11460,9 @@ if( fpDetectGetDebugPrintRuleGroupsCompiled(fp) ) { LogMessage("***\n***Port-Table : %s Ports/Rules-Compiled\n",s); - PortTablePrintCompiledEx( pt, rule_index_map_print_index ); + PortTablePrintCompiledEx( pt, rule_index_map_print_index ); LogMessage("*** End of Compiled Group\n"); - } + } } void rule_index_map_print_index( int index, char *buf, int bufsize ) @@ -11214,7 +11480,7 @@ rule_port_tables_t *rpt = (rule_port_tables_t *)SnortAlloc(sizeof(rule_port_tables_t)); - /* No content rule objects */ + /* No content rule objects */ rpt->tcp_nocontent = PortObjectNew(); if (rpt->tcp_nocontent == NULL) FatalError("ParseRulesFile nocontent PortObjectNew() failed\n"); 
@@ -11296,14 +11562,14 @@ * someday these could be read from snort.conf, something like... * 'config portlist: large-rule-count <val>' */ - rpt->tcp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->tcp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->udp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->udp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->icmp_src->pt_lrc= DEFAULT_LARGE_RULE_GROUP; - rpt->icmp_dst->pt_lrc= DEFAULT_LARGE_RULE_GROUP; - rpt->ip_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; - rpt->ip_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->tcp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->tcp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->udp_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->udp_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->icmp_src->pt_lrc= DEFAULT_LARGE_RULE_GROUP; + rpt->icmp_dst->pt_lrc= DEFAULT_LARGE_RULE_GROUP; + rpt->ip_src->pt_lrc = DEFAULT_LARGE_RULE_GROUP; + rpt->ip_dst->pt_lrc = DEFAULT_LARGE_RULE_GROUP; return rpt; } @@ -11321,7 +11587,7 @@ finish_portlist_table(fp, "tcp src", port_tables->tcp_src); finish_portlist_table(fp, "tcp dst", port_tables->tcp_dst); - /* UDP-SRC */ + /* UDP-SRC */ if (fpDetectGetDebugPrintRuleGroupsCompiled(fp)) { LogMessage("*** UDP-Any-Any Port List\n"); @@ -11332,7 +11598,7 @@ finish_portlist_table(fp, "udp src", port_tables->udp_src); finish_portlist_table(fp, "udp dst", port_tables->udp_dst); - /* ICMP-SRC */ + /* ICMP-SRC */ if (fpDetectGetDebugPrintRuleGroupsCompiled(fp)) { LogMessage("*** ICMP-Any-Any Port List\n"); @@ -11343,7 +11609,7 @@ finish_portlist_table(fp, "icmp src", port_tables->icmp_src); finish_portlist_table(fp, "icmp dst", port_tables->icmp_dst); - /* IP-SRC */ + /* IP-SRC */ if (fpDetectGetDebugPrintRuleGroupsCompiled(fp)) { LogMessage("IP-Any-Any Port List\n"); 
@@ -11358,10 +11624,10 @@ RuleListSortUniq(port_tables->udp_anyany->rule_list); RuleListSortUniq(port_tables->icmp_anyany->rule_list); RuleListSortUniq(port_tables->ip_anyany->rule_list); - RuleListSortUniq(port_tables->tcp_nocontent->rule_list); - RuleListSortUniq(port_tables->udp_nocontent->rule_list); - RuleListSortUniq(port_tables->icmp_nocontent->rule_list); - RuleListSortUniq(port_tables->ip_nocontent->rule_list); + RuleListSortUniq(port_tables->tcp_nocontent->rule_list); + RuleListSortUniq(port_tables->udp_nocontent->rule_list); + RuleListSortUniq(port_tables->icmp_nocontent->rule_list); + RuleListSortUniq(port_tables->ip_nocontent->rule_list); } void VarTablesFree(SnortConfig *sc) @@ -11520,8 +11786,9 @@ node->name = SnortStrdup(name); node->evalIndex = evalIndex; + sc->evalOrder[node->mode] = evalIndex; sc->num_rule_types++; - + return node->RuleList; } @@ -11578,7 +11845,7 @@ for (i = 0; i < num_vars; i++) { DefineIfaceVar(sc, iface_vars[i].name, - (uint8_t *)&iface_vars[i].net, + (uint8_t *)&iface_vars[i].net, (uint8_t *)&iface_vars[i].netmask); } } @@ -11611,7 +11878,7 @@ sizeof(iface_vars[num_vars].name), "%s", dev->name); #endif DefineIfaceVar(sc, iface_vars[num_vars].name, - (uint8_t *)&net, + (uint8_t *)&net, (uint8_t *)&netmask); iface_vars[num_vars].net = net; @@ -11648,8 +11915,8 @@ SnortSnprintf(varbuf, BUFSIZ, "%s_ADDRESS", iname); SnortSnprintf(valbuf, 32, "%d.%d.%d.%d/%d.%d.%d.%d", - network[0] & 0xff, network[1] & 0xff, network[2] & 0xff, - network[3] & 0xff, netmask[0] & 0xff, netmask[1] & 0xff, + network[0] & 0xff, network[1] & 0xff, network[2] & 0xff, + network[3] & 0xff, netmask[0] & 0xff, netmask[1] & 0xff, netmask[2] & 0xff, netmask[3] & 0xff); VarDefine(sc, varbuf, valbuf); @@ -11698,6 +11965,7 @@ /* Add node to ordered list */ ordered_list = addNodeToOrderedList(ordered_list, node, evalIndex++); + sc->evalOrder[node->mode] = evalIndex; break; } 
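Review bot: The three new `sc->evalOrder[node->mode] = evalIndex;` stores disagree by one: in the hunk at @@ -11520 the stored value equals `node->evalIndex`, but in the two OrderRuleLists hunks (@@ -11698 here and @@ -11724 on the next line) `addNodeToOrderedList(ordered_list, node, evalIndex++)` assigns the pre-increment value to `node->evalIndex` and `evalOrder` then receives the incremented one. Unless the table is intentionally 1-based at those two sites, use `sc->evalOrder[node->mode] = node->evalIndex;` at all three so the two fields cannot drift. `node->mode` is used as an array index without a range check; if it originates from parsing, confirm it is validated before this point.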
@@ -11724,22 +11992,23 @@ sc->rule_lists = node->next; /* Add node to ordered list */ ordered_list = addNodeToOrderedList(ordered_list, node, evalIndex++); + sc->evalOrder[node->mode] = evalIndex; } /* set the rulelists to the ordered list */ sc->rule_lists = ordered_list; } -static RuleListNode *addNodeToOrderedList(RuleListNode *ordered_list, +static RuleListNode *addNodeToOrderedList(RuleListNode *ordered_list, RuleListNode *node, int evalIndex) { RuleListNode *prev; prev = ordered_list; - + /* set the eval order for this rule set */ node->evalIndex = evalIndex; - + if(!prev) { ordered_list = node; @@ -11835,13 +12104,13 @@ * @return pointer to deleted RTN, NULL otherwise. */ RuleTreeNode * deleteRtnFromOtn( - OptTreeNode *otn, + OptTreeNode *otn, tSfPolicyId policyId ) { RuleTreeNode *rtn = NULL; - if (otn->proto_nodes + if (otn->proto_nodes && (otn->proto_node_num >= (policyId+1))) { rtn = getRtnFromOtn(otn, policyId); @@ -11863,8 +12132,8 @@ * -ve otherwise */ int addRtnToOtn( - OptTreeNode *otn, - tSfPolicyId policyId, + OptTreeNode *otn, + tSfPolicyId policyId, RuleTreeNode *rtn ) { @@ -11878,7 +12147,7 @@ if (!tmpNodeArray) { return -1; - } + } //copy original contents, the remaining elements are already zeroed out by snortAlloc if (otn->proto_nodes) @@ -11890,14 +12159,14 @@ otn->proto_node_num = numNodes; otn->proto_nodes = tmpNodeArray; } - + //add policyId if (otn->proto_nodes[policyId]) { DestroyRuleTreeNode(rtn); } - otn->proto_nodes[policyId] = rtn; + otn->proto_nodes[policyId] = rtn; return 0; //success } 
@@ -11909,23 +12178,23 @@ char* FixSeparators (char* rule, char c, const char* err) { int list = 0; - char* p = strchr(rule, c); + char* p = strchr(rule, c); if ( p && err ) - { + { FatalError("%s(%d) => %s: '%c' not allowed in argument\n", - file_name, file_line, err, c); - } + file_name, file_line, err, c); + } while ( isspace((int)*rule) ) rule++; p = rule; - while ( *p ) { + while ( *p ) { if ( *p == '[' ) list++; else if ( *p == ']' ) list--; else if ( *p == ',' && !list ) *p = c; p++; - } + } return rule; } @@ -11939,10 +12208,10 @@ *val = arg; if ( err && !**val ) - { + { FatalError("%s(%d) => %s: name value pair expected: %s\n", file_name, file_line, err, *nam); - } + } } static void IntegrityCheckRules(SnortConfig *sc) @@ -11960,8 +12229,8 @@ { otn = (OptTreeNode *)hashNode->data; - for (policyId = 0; - policyId < otn->proto_node_num; + for (policyId = 0; + policyId < otn->proto_node_num; policyId++) { rtn = getRtnFromOtn(otn, policyId); @@ -11972,8 +12241,8 @@ } if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { //do operation ofl_idx = otn->opt_func; opt_func_count = 0; @@ -12014,15 +12283,15 @@ hashNode = sfghash_findnext(sc->otn_map)) { currHeadNodeOtn = (OptTreeNode *)hashNode->data; - for (currHeadNodePolicy = 0; - currHeadNodePolicy < currHeadNodeOtn->proto_node_num; + for (currHeadNodePolicy = 0; + currHeadNodePolicy < currHeadNodeOtn->proto_node_num; currHeadNodePolicy++) { rtn = getRtnFromOtn(currHeadNodeOtn, currHeadNodePolicy); - if (rtn && (rtn->type == type) + if (rtn && (rtn->type == type) && (rtn->proto == proto)) - { + { *policyId = currHeadNodePolicy; return currHeadNodeOtn; } 
@@ -12040,15 +12309,15 @@ if (currHeadNodeOtn) { - for (; - currHeadNodePolicy < currHeadNodeOtn->proto_node_num; + for (; + currHeadNodePolicy < currHeadNodeOtn->proto_node_num; currHeadNodePolicy++) { rtn = getRtnFromOtn(currHeadNodeOtn, currHeadNodePolicy); - if (rtn && (rtn->type == type) + if (rtn && (rtn->type == type) && (rtn->proto == proto)) - { + { *policyId = currHeadNodePolicy; return currHeadNodeOtn; } @@ -12061,15 +12330,15 @@ { currHeadNodeOtn = (OptTreeNode *)hashNode->data; - for (currHeadNodePolicy = 0; - currHeadNodePolicy < currHeadNodeOtn->proto_node_num; + for (currHeadNodePolicy = 0; + currHeadNodePolicy < currHeadNodeOtn->proto_node_num; currHeadNodePolicy++) { rtn = getRtnFromOtn(currHeadNodeOtn, currHeadNodePolicy); - if (rtn && (rtn->type == type) + if (rtn && (rtn->type == type) && (rtn->proto == proto)) - { + { *policyId = currHeadNodePolicy; return currHeadNodeOtn; } @@ -12079,7 +12348,7 @@ return NULL; } -/**returns matched header node. +/**returns matched header node. */ static RuleTreeNode * findHeadNode(SnortConfig *sc, RuleTreeNode *testNode, tSfPolicyId policyId) @@ -12136,7 +12405,7 @@ pPolicy->min_ttl = 1; #ifdef NORMALIZER - pPolicy->new_ttl = 5; + pPolicy->new_ttl = 5; #endif /* Turn on all decoder alerts by default except for oversized alert. 
@@ -12175,3 +12444,39 @@ } #endif } + + +/* Parse a boolean argument, with many ways to say "on" or "off". + Arguments: + char * arg => string argument to parse + Returns: + 1: Parsed a positive argument ("1", "on", "yes", "enable", "true") + 0: Parsed a negative argument ("0", "off", "no", "disable", "false") + -1: Error +*/ +int ParseBool(char *arg) +{ + if (arg == NULL) + return -1; + + /* Trim leading whitespace */ + while (isspace(*arg)) + arg++; + + if ( (strcasecmp(arg, "1") == 0) || + (strcasecmp(arg, "on") == 0) || + (strcasecmp(arg, "yes") == 0) || + (strcasecmp(arg, "enable") == 0) || + (strcasecmp(arg, "true") == 0) ) + return 1; + + if ( (strcasecmp(arg, "0") == 0) || + (strcasecmp(arg, "off") == 0) || + (strcasecmp(arg, "no") == 0) || + (strcasecmp(arg, "disable") == 0) || + (strcasecmp(arg, "false") == 0) ) + return 0; + + /* Other values are invalid! */ + return -1; +} diff -Nru snort-2.9.0.1/src/parser.h snort-2.9.2/src/parser.h --- snort-2.9.0.1/src/parser.h 2010-06-09 15:04:53.000000000 -0700 +++ snort-2.9.2/src/parser.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,8 +1,8 @@ -/* -** Copyright (C) 2002-2010 Sourcefire, Inc. +/* +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** Copyright (C) 2000-2001 Andrew R. Baker <andrewb@uab.edu> -** +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or 
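Review bot: In ParseBool, `isspace(*arg)` receives a plain `char`; for bytes above 0x7f on platforms where char is signed this is undefined behaviour in the ctype functions, so use `while (isspace((unsigned char)*arg))`. Only leading whitespace is trimmed, so a token such as `"on "` is rejected with -1; if callers can pass tokens with trailing blanks, trimming the end too would be consistent. The header comment lists the accepted spellings, which is helpful — it could also state that matching is case-insensitive, since strcasecmp is used.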
@@ -13,11 +13,11 @@ ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. -** +** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ +*/ /* $Id$ */ #ifndef __PARSER_H__ @@ -89,6 +89,7 @@ #define CONFIG_OPT__CLASSIFICATION "classification" #define CONFIG_OPT__DAEMON "daemon" #define CONFIG_OPT__DECODE_DATA_LINK "decode_data_link" +#define CONFIG_OPT__DECODE_ESP "decode_esp" #define CONFIG_OPT__DEFAULT_RULE_STATE "default_rule_state" #define CONFIG_OPT__DETECTION "detection" #define CONFIG_OPT__DETECTION_FILTER "detection_filter" @@ -115,6 +116,7 @@ #define CONFIG_OPT__ENABLE_DECODE_OVERSIZED_ALERTS "enable_decode_oversized_alerts" #define CONFIG_OPT__ENABLE_DECODE_OVERSIZED_DROPS "enable_decode_oversized_drops" #define CONFIG_OPT__ENABLE_DEEP_TEREDO_INSPECTION "enable_deep_teredo_inspection" +#define CONFIG_OPT__ENABLE_GTP_DECODING "enable_gtp" #define CONFIG_OPT__ENABLE_IP_OPT_DROPS "enable_ipopt_drops" #ifdef MPLS # define CONFIG_OPT__ENABLE_MPLS_MULTICAST "enable_mpls_multicast" @@ -127,6 +129,7 @@ #define CONFIG_OPT__ENABLE_TCP_OPT_TTCP_DROPS "enable_tcpopt_ttcp_drops" #define CONFIG_OPT__EVENT_FILTER "event_filter" #define CONFIG_OPT__EVENT_QUEUE "event_queue" +#define CONFIG_OPT__EVENT_TRACE "event_trace" # define CONFIG_OPT__REACT "react" #ifdef ENABLE_RESPONSE3 # define CONFIG_OPT__FLEXRESP2_INTERFACE "flexresp2_interface" @@ -166,6 +169,7 @@ #define CONFIG_OPT__NO_PROMISCUOUS "no_promisc" #define CONFIG_OPT__OBFUSCATE "obfuscate" #define CONFIG_OPT__ORDER "order" +#define CONFIG_OPT__PAF_MAX "paf_max" #define CONFIG_OPT__PCRE_MATCH_LIMIT "pcre_match_limit" #define CONFIG_OPT__PCRE_MATCH_LIMIT_RECURSION "pcre_match_limit_recursion" #define CONFIG_OPT__PKT_COUNT "pkt_count" 
@@ -196,10 +200,12 @@ #define CONFIG_OPT__UMASK "umask" #define CONFIG_OPT__UTC "utc" #define CONFIG_OPT__VERBOSE "verbose" +#define CONFIG_OPT__VLAN_AGNOSTIC "vlan_agnostic" +#define CONFIG_OPT__LOG_IPV6_EXTRA "log_ipv6_extra_data" #ifdef DYNAMIC_PLUGIN #define CONFIG_OPT__DUMP_DYNAMIC_RULES_PATH "dump-dynamic-rules-path" #endif - +#define CONFIG_OPT__CONTROL_SOCKET_DIR "cs_dir" extern SnortConfig *snort_conf_for_parsing; @@ -207,6 +213,7 @@ extern char *file_name; extern int file_line; + /* rule setup funcs */ SnortConfig * ParseSnortConf(void); void ParseRules(SnortConfig *); @@ -275,6 +282,8 @@ void ConfigEnableDecodeOversizedAlerts(SnortConfig *, char *); void ConfigEnableDecodeOversizedDrops(SnortConfig *, char *); void ConfigEnableDeepTeredoInspection(SnortConfig *sc, char *args); +void ConfigEnableGTPDecoding(SnortConfig *sc, char *args); +void ConfigEnableEspDecoding(SnortConfig *sc, char *args); void ConfigEnableIpOptDrops(SnortConfig *, char *); #ifdef MPLS void ConfigEnableMplsMulticast(SnortConfig *, char *); @@ -286,6 +295,7 @@ void ConfigEnableTTcpDrops(SnortConfig *, char *); void ConfigEventFilter(SnortConfig *, char *); void ConfigEventQueue(SnortConfig *, char *); +void ConfigEventTrace(SnortConfig *, char *); #ifdef ENABLE_RESPONSE3 void ConfigFlexresp2Interface(SnortConfig *, char *); void ConfigFlexresp2Attempts(SnortConfig *, char *); @@ -326,6 +336,7 @@ void ConfigNoPromiscuous(SnortConfig *, char *); void ConfigObfuscate(SnortConfig *, char *); void ConfigObfuscationMask(SnortConfig *, char *); +void ConfigPafMax(SnortConfig *, char *); void ConfigRateFilter(SnortConfig *, char *); void ConfigRuleListOrder(SnortConfig *, char *); void ConfigPacketCount(SnortConfig *, char *); 
@@ -364,18 +375,21 @@ void ConfigUmask(SnortConfig *, char *); void ConfigUtc(SnortConfig *, char *); void ConfigVerbose(SnortConfig *, char *); +void ConfigVlanAgnostic(SnortConfig *, char *); +void ConfigLogIPv6Extra(SnortConfig *, char *); #ifdef DYNAMIC_PLUGIN void ConfigDumpDynamicRulesPath(SnortConfig *, char *); #endif +void ConfigControlSocketDirectory(SnortConfig *, char *); int addRtnToOtn( - OptTreeNode *otn, + OptTreeNode *otn, tSfPolicyId policyId, RuleTreeNode *rtn ); RuleTreeNode* deleteRtnFromOtn( - OptTreeNode *otn, + OptTreeNode *otn, tSfPolicyId policyId ); @@ -392,7 +406,7 @@ * * @return pointer to deleted RTN, NULL otherwise. */ -static INLINE RuleTreeNode *getRtnFromOtn(OptTreeNode *otn, tSfPolicyId policyId) +static inline RuleTreeNode *getRtnFromOtn(OptTreeNode *otn, tSfPolicyId policyId) { if (otn && otn->proto_nodes && (otn->proto_node_num > (unsigned)policyId)) { @@ -404,12 +418,12 @@ /**Get rtn from otn for the current policy. */ -static INLINE RuleTreeNode *getParserRtnFromOtn(OptTreeNode *otn) +static inline RuleTreeNode *getParserRtnFromOtn(OptTreeNode *otn) { return getRtnFromOtn(otn, getParserPolicy()); } -static INLINE RuleTreeNode *getRuntimeRtnFromOtn(OptTreeNode *otn) +static inline RuleTreeNode *getRuntimeRtnFromOtn(OptTreeNode *otn) { return getRtnFromOtn(otn, getRuntimePolicy()); } diff -Nru snort-2.9.0.1/src/pcap_pkthdr32.h snort-2.9.2/src/pcap_pkthdr32.h --- snort-2.9.0.1/src/pcap_pkthdr32.h 2010-06-09 15:04:53.000000000 -0700 +++ snort-2.9.2/src/pcap_pkthdr32.h 2011-06-07 17:33:06.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
@@ -20,20 +20,6 @@ #ifndef __PCAP_PKTHDR32_H__ #define __PCAP_PKTHDR32_H__ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#ifdef WIN32 -#include <winsock2.h> -#else -#include <sys/time.h> -#endif - -#include <stdlib.h> -#include <time.h> -#include <sys/types.h> - #include "sf_types.h" /* we must use fixed size of 32 bits, because on-disk diff -Nru snort-2.9.0.1/src/pcrm.c snort-2.9.2/src/pcrm.c --- snort-2.9.0.1/src/pcrm.c 2010-01-26 10:09:24.000000000 -0800 +++ snort-2.9.2/src/pcrm.c 2011-02-09 15:22:51.000000000 -0800 @@ -3,7 +3,7 @@ ** ** pcrm.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/pcrm.h snort-2.9.2/src/pcrm.h --- snort-2.9.0.1/src/pcrm.h 2010-06-09 15:04:53.000000000 -0700 +++ snort-2.9.2/src/pcrm.h 2011-02-09 15:22:51.000000000 -0800 @@ -3,7 +3,7 @@ ** ** pcrm.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/plugbase.c snort-2.9.2/src/plugbase.c --- snort-2.9.0.1/src/plugbase.c 2010-08-25 13:22:38.000000000 -0700 +++ snort-2.9.2/src/plugbase.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -45,7 +45,7 @@ #include "plugbase.h" #include "spo_plugbase.h" #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "log.h" #include "detect.h" 
@@ -92,6 +92,7 @@ #include "detection-plugins/sp_file_data.h" #include "detection-plugins/sp_base64_decode.h" #include "detection-plugins/sp_base64_data.h" +#include "detection-plugins/sp_pkt_data.h" #include "detection-plugins/sp_asn1.h" #ifdef ENABLE_REACT #include "detection-plugins/sp_react.h" @@ -147,11 +148,11 @@ extern PluginSignalFuncNode *plugin_restart_funcs; extern OutputFuncNode *AlertList; extern OutputFuncNode *LogList; - +extern PeriodicCheckFuncNode *periodic_check_funcs; /**************************** Detection Plugin API ****************************/ /* For translation from enum to char* */ -#ifdef DEBUG +#ifdef DEBUG_MSGS static const char *optTypeMap[OPT_TYPE_MAX] = { "action", @@ -162,7 +163,7 @@ #define ENUM2STR(num, map) \ ((num < sizeof(map)/sizeof(map[0])) ? map[num] : "undefined") #endif - + void RegisterRuleOptions(void) { @@ -189,6 +190,7 @@ SetupIpProto(); SetupIpSameCheck(); SetupClientServer(); + SetupPktData(); SetupByteTest(); SetupByteJump(); SetupByteExtract(); @@ -295,7 +297,7 @@ tmp = tmp->next; } while (tmp != NULL); - + last->next = node_override; } @@ -327,7 +329,7 @@ RuleOptByteOrderFuncNode *node = (RuleOptByteOrderFuncNode *)SnortAlloc(sizeof(RuleOptByteOrderFuncNode)); RuleOptByteOrderFuncNode *list = rule_opt_byte_order_funcs; RuleOptByteOrderFuncNode *last; - + node->keyword = SnortStrdup(keyword); node->func = roo_func; node->next = NULL; @@ -401,7 +403,7 @@ /**************************************************************************** - * + * * Function: AddOptFuncToList(int (*func)(), OptTreeNode *) * * Purpose: Links the option detection module to the OTN 
@@ -682,9 +684,9 @@ * ***************************************************************************/ #ifndef SNORT_RELOAD -void RegisterPreprocessor(char *keyword, PreprocConfigFunc pp_config_func) +void RegisterPreprocessor(const char *keyword, PreprocConfigFunc pp_config_func) #else -void RegisterPreprocessor(char *keyword, PreprocConfigFunc pp_config_func, +void RegisterPreprocessor(const char *keyword, PreprocConfigFunc pp_config_func, PreprocReloadFunc rfunc, PreprocReloadSwapFunc sfunc, PreprocReloadSwapFreeFunc ffunc) #endif @@ -757,7 +759,7 @@ while (head != NULL) { if (strcasecmp(head->keyword, keyword) == 0) - return head->config_func; + return head->config_func; head = head->next; } @@ -778,7 +780,7 @@ * Returns: void function * ***************************************************************************/ -void RegisterPreprocStats(char *keyword, PreprocStatsFunc pp_stats_func) +void RegisterPreprocStats(const char *keyword, PreprocStatsFunc pp_stats_func) { PreprocStatsFuncNode *node; 
@@ -948,6 +950,90 @@ return node; } +PreprocMetaEvalFuncNode * AddFuncToPreprocMetaEvalList( + PreprocMetaEvalFunc pp_meta_eval_func, + uint16_t priority, + uint32_t preproc_id) +{ + PreprocMetaEvalFuncNode *node; + SnortConfig *sc = snort_conf_for_parsing; + tSfPolicyId policy_id = getParserPolicy(); + SnortPolicy *p; + + if (sc == NULL) + { + FatalError("%s(%d) Snort config for parsing is NULL.\n", + __FILE__, __LINE__); + } + +#ifndef HAVE_DAQ_ACQUIRE_WITH_META + WarningMessage("Metadata not available for processing. Not registering Preprocessor Meta Eval id %d\n", preproc_id); + return NULL; // Not supported +#endif + + p = sc->targeted_policies[policy_id]; + if (p == NULL) + return NULL; + + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, + "Adding preprocessor function ID %d/bit %d/pri %d to list\n", + preproc_id, p->num_preprocs, priority);); + + node = (PreprocMetaEvalFuncNode *)SnortAlloc(sizeof(PreprocMetaEvalFuncNode)); + + if (p->preproc_meta_eval_funcs == NULL) + { + p->preproc_meta_eval_funcs = node; + SetupMetadataCallback(); + } + else + { + PreprocMetaEvalFuncNode *tmp = p->preproc_meta_eval_funcs; + PreprocMetaEvalFuncNode *last = NULL; + + do + { + if (tmp->preproc_id == preproc_id) + { + free(node); + FatalError("Preprocessor Meta Eval already registered with ID %d\n", + preproc_id); + } + + /* Insert higher priority preprocessors first. 
Lower priority + * number means higher priority */ + if (priority < tmp->priority) + break; + + last = tmp; + tmp = tmp->next; + + } while (tmp != NULL); + + /* Priority higher than first item in list */ + if (last == NULL) + { + node->next = tmp; + p->preproc_meta_eval_funcs = node; + } + else + { + node->next = tmp; + last->next = node; + } + } + + node->func = pp_meta_eval_func; + node->priority = priority; + node->preproc_id = preproc_id; + node->preproc_bit = (1 << preproc_id); + + p->num_meta_preprocs++; + p->preproc_meta_bit_mask |= node->preproc_bit; + + return node; +} + void AddFuncToPreprocPostConfigList(PreprocPostConfigFunc pp_post_config_func, void *data) { PreprocPostConfigFuncNode *node; 
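Review bot: `node->preproc_bit = (1 << preproc_id);` has no range check on `preproc_id`: a value of 31 shifts into the sign bit of a signed int and 32 or more is undefined behaviour, yet the result is stored in a uint32_t and OR'd into `p->preproc_meta_bit_mask`. Reject out-of-range ids before the shift and shift an unsigned constant, e.g. `if (preproc_id >= 32) FatalError("Preprocessor Meta Eval ID %u out of range\n", preproc_id);` followed by `node->preproc_bit = (1u << preproc_id);`. The WarningMessage, DebugMessage and FatalError calls format `preproc_id` (uint32_t) with `%d`; `%u` is the matching specifier. Under `#ifndef HAVE_DAQ_ACQUIRE_WITH_META` the function returns NULL before the policy lookup, so everything after the `#endif` is unreachable in that build; a one-line comment saying that meta-eval registration is deliberately skipped there would help the next reader.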
@@ -1177,40 +1263,57 @@ node->priority = priority; } -void AddFuncToPreprocReassemblyPktList(PreprocReassemblyPktFunc pp_reass_pkt_func, uint32_t preproc_id) +void AddFuncToPeriodicCheckList(PeriodicFunc periodic_func, void *arg, + uint16_t priority, uint32_t preproc_id, uint32_t period ) { - PreprocReassemblyPktFuncNode *node; - SnortConfig *sc = snort_conf_for_parsing; - tSfPolicyId policy_id = getParserPolicy(); - SnortPolicy *p; + PeriodicCheckFuncNode **list= &periodic_check_funcs; + PeriodicCheckFuncNode *node; - if (sc == NULL) - { - FatalError("%s(%d) Snort config for parsing is NULL.\n", - __FILE__, __LINE__); - } - - p = sc->targeted_policies[policy_id]; - if (p == NULL) + if (list == NULL) return; - node = (PreprocReassemblyPktFuncNode *)SnortAlloc(sizeof(PreprocReassemblyPktFuncNode)); + node = (PeriodicCheckFuncNode *)SnortAlloc(sizeof(PeriodicCheckFuncNode)); - if (p->preproc_reassembly_pkt_funcs == NULL) + if (*list == NULL) { - p->preproc_reassembly_pkt_funcs = node; + *list = node; } else { - PreprocReassemblyPktFuncNode *tmp = p->preproc_reassembly_pkt_funcs; + PeriodicCheckFuncNode *tmp = *list; + PeriodicCheckFuncNode *last = NULL; - /* just insert at front of list */ - p->preproc_reassembly_pkt_funcs = node; - node->next = tmp; + do + { + /* Insert higher priority stuff first. Lower priority + * number means higher priority */ + if (priority < tmp->priority) + break; + + last = tmp; + tmp = tmp->next; + + } while (tmp != NULL); + + /* Priority higher than first item in list */ + if (last == NULL) + { + node->next = tmp; + *list = node; + } + else + { + node->next = tmp; + last->next = node; + } } - node->func = pp_reass_pkt_func; + node->func = periodic_func; + node->arg = arg; node->preproc_id = preproc_id; + node->priority = priority; + node->period = period; + node->time_left = period; } void FreePreprocConfigFuncs(void) 
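Review bot: `if (list == NULL) return;` can never fire, because `list` is initialised to `&periodic_check_funcs`, the address of a global; it reads as though it guarded the list head (`*list`), which the following `if` already handles, so drop it. Unlike AddFuncToPreprocMetaEvalList in the earlier hunk, nothing rejects a second registration with the same `preproc_id`, so a preprocessor registered twice gets two periodic callbacks; if that is not intended, reuse the duplicate-id FatalError pattern from that function. In the `*list == NULL` branch `node->next` is never assigned — this presumably relies on SnortAlloc returning zeroed memory, which the hunk does not show; confirm, or set `node->next = NULL;` explicitly.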
@@ -1280,13 +1383,15 @@ } } -void FreePreprocReassemblyPktFuncs(PreprocReassemblyPktFuncNode *head) +void FreePreprocMetaEvalFuncs(PreprocMetaEvalFuncNode *head) { - PreprocReassemblyPktFuncNode *tmp; + PreprocMetaEvalFuncNode *tmp; while (head != NULL) { tmp = head->next; + //if (head->context) + // free(head->context); free(head); head = tmp; } @@ -1305,6 +1410,19 @@ } } +void FreePeriodicFuncs(PeriodicCheckFuncNode *head) +{ + PeriodicCheckFuncNode *tmp; + + while (head != NULL) + { + tmp = head->next; + /* don't free sig->arg, that's free'd by the CleanExit/Restart func */ + free(head); + head = tmp; + } +} + void CheckPreprocessorsConfig(SnortConfig *sc) { PreprocCheckConfigFuncNode *idx; @@ -1420,7 +1538,7 @@ { OutputConfigFuncNode *node = (OutputConfigFuncNode *)SnortAlloc(sizeof(OutputConfigFuncNode)); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering keyword:output => %s:%p\n", + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Registering keyword:output => %s:%p\n", keyword, oc_func);); if (output_config_funcs == NULL) @@ -1463,7 +1581,7 @@ while (head != NULL) { if (strcasecmp(head->keyword, keyword) == 0) - return head->config_func; + return head->config_func; head = head->next; } diff -Nru snort-2.9.0.1/src/plugbase.h snort-2.9.2/src/plugbase.h --- snort-2.9.0.1/src/plugbase.h 2010-08-25 13:22:38.000000000 -0700 +++ snort-2.9.2/src/plugbase.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -30,7 +30,7 @@ #include "rules.h" #include "treenodes.h" #include "sf_types.h" -#include "debug.h" +#include "snort_debug.h" #ifndef WIN32 # include <sys/ioctl.h> 
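Review bot: The two commented-out lines `//if (head->context)` and `// free(head->context);` should be deleted rather than committed: PreprocMetaEvalFuncNode as declared in the plugbase.h hunk of this patch has no `context` member, so the comment describes a field that does not exist and will mislead whoever later adds per-node state.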
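Review bot: The comment `/* don't free sig->arg, that's free'd by the CleanExit/Restart func */` in FreePeriodicFuncs names `sig`, which is not an identifier in this function; it should read `/* don't free head->arg, that's freed by the CleanExit/Restart func */`. The function frees every node but leaves the caller's `periodic_check_funcs` pointing at freed memory unless the caller resets it; the call site is outside this hunk, so confirm the global is set to NULL after the call.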
@@ -193,8 +193,10 @@ typedef void (*PreprocEvalFunc)(Packet *, void *); typedef void (*PreprocCheckConfigFunc)(void); typedef void (*PreprocSignalFunc)(int, void *); -typedef void * (*PreprocReassemblyPktFunc)(void); typedef void (*PreprocPostConfigFunc)(void *); +typedef void (*PreprocMetaEvalFunc)(int, const uint8_t *); + +typedef void (*PeriodicFunc)(int, void *); #ifdef SNORT_RELOAD typedef void (*PreprocReloadFunc)(char *); @@ -255,6 +257,19 @@ } PreprocEvalFuncNode; +typedef struct _PreprocMetaEvalFuncNode +{ + uint16_t priority; + uint32_t preproc_id; + uint32_t preproc_bit; + union + { + PreprocMetaEvalFunc fptr; + void *void_fptr; + } fptr; + struct _PreprocMetaEvalFuncNode *next; +} PreprocMetaEvalFuncNode; + typedef struct _PreprocCheckConfigFuncNode { union @@ -280,29 +295,33 @@ } PreprocSignalFuncNode; -typedef struct _PreprocReassemblyPktFuncNode +typedef struct _PreprocPostConfigFuncNode { - unsigned int preproc_id; + void *data; union { - PreprocReassemblyPktFunc fptr; + PreprocPostConfigFunc fptr; void *void_fptr; } fptr; - struct _PreprocReassemblyPktFuncNode *next; + struct _PreprocPostConfigFuncNode *next; -} PreprocReassemblyPktFuncNode; +} PreprocPostConfigFuncNode; -typedef struct _PreprocPostConfigFuncNode +typedef struct _PeriodicCheckFuncNode { - void *data; + void *arg; + uint16_t priority; + uint32_t preproc_id; + uint32_t period; + uint32_t time_left; union { - PreprocPostConfigFunc fptr; + PeriodicFunc fptr; void *void_fptr; } fptr; - struct _PreprocPostConfigFuncNode *next; + struct _PeriodicCheckFuncNode *next; -} PreprocPostConfigFuncNode; +} PeriodicCheckFuncNode; #ifdef SNORT_RELOAD typedef struct _PreprocReloadVerifyFuncNode 
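Review bot: The new PeriodicCheckFuncNode fields `period` and `time_left` carry no unit, and AddFuncToPeriodicCheckList only shows that `time_left` starts equal to `period`; whoever decrements it needs to know whether these are seconds, packets or ticks. Add a comment on the two fields, e.g. `uint32_t period;     /* TODO(review): confirm unit (seconds vs packets) */` and `uint32_t time_left;  /* counts down from period; callback fires at 0 — confirm */`. The same applies to `PreprocMetaEvalFunc`'s unnamed `int` parameter, which nothing in this hunk explains.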
@@ -322,30 +341,30 @@ void RegisterPreprocessors(void); #ifndef SNORT_RELOAD -void RegisterPreprocessor(char *, PreprocConfigFunc); +void RegisterPreprocessor(const char *, PreprocConfigFunc); #else -void RegisterPreprocessor(char *, PreprocConfigFunc, PreprocReloadFunc, +void RegisterPreprocessor(const char *, PreprocConfigFunc, PreprocReloadFunc, PreprocReloadSwapFunc, PreprocReloadSwapFreeFunc); #endif PreprocConfigFuncNode * GetPreprocConfig(char *); PreprocConfigFunc GetPreprocConfigFunc(char *); -void RegisterPreprocStats(char *, PreprocStatsFunc); +void RegisterPreprocStats(const char *, PreprocStatsFunc); void DumpPreprocessors(void); void AddFuncToConfigCheckList(PreprocCheckConfigFunc); void AddFuncToPreprocPostConfigList(PreprocPostConfigFunc, void *); void CheckPreprocessorsConfig(struct _SnortConfig *); PreprocEvalFuncNode * AddFuncToPreprocList(PreprocEvalFunc, uint16_t, uint32_t, uint32_t); +PreprocMetaEvalFuncNode * AddFuncToPreprocMetaEvalList(PreprocMetaEvalFunc, uint16_t, uint32_t); void AddFuncToPreprocCleanExitList(PreprocSignalFunc, void *, uint16_t, uint32_t); void AddFuncToPreprocShutdownList(PreprocSignalFunc, void *, uint16_t, uint32_t); void AddFuncToPreprocResetList(PreprocSignalFunc, void *, uint16_t, uint32_t); void AddFuncToPreprocResetStatsList(PreprocSignalFunc, void *, uint16_t, uint32_t); -void AddFuncToPreprocReassemblyPktList(PreprocReassemblyPktFunc, uint32_t); int IsPreprocEnabled(uint32_t); void FreePreprocConfigFuncs(void); void FreePreprocCheckConfigFuncs(PreprocCheckConfigFuncNode *); void FreePreprocStatsFuncs(PreprocStatsFuncNode *); void FreePreprocEvalFuncs(PreprocEvalFuncNode *); -void FreePreprocReassemblyPktFuncs(PreprocReassemblyPktFuncNode *); +void FreePreprocMetaEvalFuncs(PreprocMetaEvalFuncNode *); void FreePreprocSigFuncs(PreprocSignalFuncNode *); void FreePreprocPostConfigFuncs(PreprocPostConfigFuncNode *); void PostConfigPreprocessors(struct _SnortConfig *); 
@@ -359,36 +378,36 @@ void FreePreprocReloadVerifyFuncList(PreprocReloadVerifyFuncNode *); #endif -static INLINE void DisablePreprocessors(Packet *p) +void AddFuncToPeriodicCheckList(PeriodicFunc, void *, uint16_t, uint32_t, uint32_t); +void FreePeriodicFuncs(PeriodicCheckFuncNode *head); + +static inline void DisablePreprocessors(Packet *p) { p->preprocessor_bits = PP_ALL_OFF; } -static INLINE void EnablePreprocessors(Packet *p) +static inline void EnablePreprocessors(Packet *p) { p->preprocessor_bits = PP_ALL_ON; } -static INLINE int IsPreprocBitSet(Packet *p, unsigned int preproc_bit) +static inline int IsPreprocBitSet(Packet *p, unsigned int preproc_bit) { return (p->preprocessor_bits & preproc_bit); } -static INLINE int SetPreprocBit(Packet *p, unsigned int preproc_id) +static inline int SetPreprocBit(Packet *p, unsigned int preproc_id) { p->preprocessor_bits |= (1 << preproc_id); return 0; } -static INLINE int IsPreprocReassemblyPktBitSet(Packet *p, unsigned int preproc_id) -{ - return (p->preproc_reassembly_pkt_bits & (1 << preproc_id)) != 0; -} - -static INLINE int SetPreprocReassemblyPktBit(Packet *p, unsigned int preproc_id) +static inline int SetAllPreprocBits(Packet *p) { - p->preproc_reassembly_pkt_bits |= (1 << preproc_id); - p->packet_flags |= PKT_PREPROC_RPKT; + SetPreprocBit(p, PP_SFPORTSCAN); + SetPreprocBit(p, PP_PERFMONITOR); + SetPreprocBit(p, PP_STREAM5); + SetPreprocBit(p, PP_SDF); return 0; } diff -Nru snort-2.9.0.1/src/plugin_enum.h snort-2.9.2/src/plugin_enum.h --- snort-2.9.0.1/src/plugin_enum.h 2010-06-09 15:04:54.000000000 -0700 +++ snort-2.9.2/src/plugin_enum.h 2011-02-09 15:22:51.000000000 -0800 
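Review bot: SetAllPreprocBits sets exactly four bits (PP_SFPORTSCAN, PP_PERFMONITOR, PP_STREAM5, PP_SDF), so the name promises more than the body delivers and nothing says why these four; a comment such as `/* Enables only portscan, perfmonitor, stream5 and SDF, not every preprocessor; use EnablePreprocessors() for PP_ALL_ON. */` would stop callers reaching for it when they mean EnablePreprocessors. It also returns a constant 0, as SetPreprocBit does; if no caller consumes the value, `void` is clearer than a return nobody checks.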
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/ppm.c snort-2.9.2/src/ppm.c --- snort-2.9.0.1/src/ppm.c 2010-09-27 08:28:12.000000000 -0700 +++ snort-2.9.2/src/ppm.c 2011-06-07 17:33:06.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -51,6 +51,10 @@ #include <syslog.h> #include <time.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "rules.h" #include "treenodes.h" @@ -384,7 +388,7 @@ AlertAction(p, potn, &ev); } - if (ppm_cfg->rule_log & PPM_LOG_MESSAGE) + if (ppm_cfg->rule_log & PPM_LOG_MESSAGE) { int i; diff -Nru snort-2.9.0.1/src/ppm.h snort-2.9.2/src/ppm.h --- snort-2.9.0.1/src/ppm.h 2010-09-27 08:28:12.000000000 -0700 +++ snort-2.9.2/src/ppm.h 2011-02-09 15:22:52.000000000 -0800 
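Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` block in ppm.c is placed after `<syslog.h>` and `<time.h>`; if config.h defines feature-test macros such as `_GNU_SOURCE` or `_FILE_OFFSET_BITS` (not visible from this hunk), they only take effect when defined before the first system header, so the block should move to the top of the include list. The same placement appears in hi_ad.c (hunk `@@ -33,6 +33,10 @@`) and hi_client.c (hunk `@@ -50,6 +50,10 @@`).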
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c 2010-01-26 10:10:15.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c 2011-06-07 17:33:18.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_ad.c ** @@ -33,6 +33,10 @@ #include <stdlib.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_ui_config.h" #include "hi_return_codes.h" #include "hi_eo_log.h" diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/anomaly_detection/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -77,7 +77,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -92,6 +94,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -128,13 +131,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/client/hi_client.c snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/client/hi_client.c 2010-10-25 12:49:10.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client.c 2011-12-08 08:49:14.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_client.c ** 
@@ -32,12 +32,12 @@ ** protocol, finding where the various fields begin and end. This must ** be accomplished in a stateful and stateless manner. ** -** While the fields are being determined, we also do checks for +** While the fields are being determined, we also do checks for ** normalization, so we don't normalize fields that don't need it. ** ** Currently, the only fields we check for this is the URI and the ** parameter fields. -** +** ** NOTES: ** - 3.8.03: Initial development. DJR ** - 2.4.05: Added tab_uri_delimiter config option. AJM. @@ -50,6 +50,10 @@ #include <sys/types.h> #include <errno.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_ui_config.h" #include "hi_si.h" #include "hi_mi.h" @@ -60,7 +64,7 @@ #include "hi_return_codes.h" #include "util.h" #include "mstring.h" -#include "sfutil/sf_base64decode.h" +#include "sfutil/util_unfold.h" #include "hi_cmd_lookup.h" #include "detection_util.h" 
@@ -72,22 +76,26 @@ #define HEADER_LENGTH__XFF 15 #define HEADER_NAME__TRUE_IP "True-Client-IP" #define HEADER_LENGTH__TRUE_IP 14 +#define HEADER_NAME__HOSTNAME "Host" +#define HEADER_LENGTH__HOSTNAME 4 +#define HEADER_NAME__TRANSFER_ENCODING "Transfer-encoding" +#define HEADER_LENGTH__TRANSFER_ENCODING 17 /** This makes passing function arguments much more readable and easier ** to follow. */ typedef int (*LOOKUP_FCN)(HI_SESSION *, const u_char *, const u_char *, const u_char **, - URI_PTR *); + URI_PTR *); /* -** The lookup table contains functions for different HTTP delimiters +** The lookup table contains functions for different HTTP delimiters ** (like whitespace and the HTTP delimiter \r and \n). */ LOOKUP_FCN lookup_table[256]; -int hex_lookup[256]; int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr); - +extern const u_char *extract_http_transfer_encoding(HI_SESSION *, HttpSessionData *, + const u_char *, const u_char *, const u_char *, HEADER_PTR *, int); /* ** NAME ** CheckChunkEncoding:: 
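Review bot: `extern const u_char *extract_http_transfer_encoding(...)` is declared locally in hi_client.c rather than in a header shared with its definition, so the compiler cannot catch the prototype and the definition drifting apart; move it into the header the defining file includes. This hunk removes the `int hex_lookup[256];` definition, yet `hex_lookup[*ptr]` is still used later in the file (hunk `@@ -284,7 +373,7 @@`), so the array must now come from a header, presumably the one that also provides `valid_lookup` and `HEX_VAL`; confirm it is declared there. `HEADER_NAME__TRANSFER_ENCODING "Transfer-encoding"` uses a lowercase `e` where the neighbouring header-name constants use canonical capitalisation; that is harmless only if the comparison is case-insensitive, which this hunk does not show.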
@@ -95,38 +103,40 @@ /** ** This routine checks for chunk encoding anomalies in an HTTP client request ** packet. -** +** ** We convert potential chunk lengths and test them against the user-defined ** max chunk length. We log events on any chunk lengths that are over this ** defined chunk lengths. -** +** ** Chunks are skipped to save time when the chunk is contained in the packet. -** +** ** We assume coming into this function that we are pointed at the beginning ** of what may be a chunk length. That's why the iCheckChunk var is set ** to 1. -** +** ** @param Session pointer to the Session construct ** @param start pointer to where to beginning of buffer ** @param end pointer to the end of buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful ** @retval HI_INVALID_ARG invalid argument */ -int CheckChunkEncoding(HI_SESSION *Session, const u_char *start, const u_char *end, - const u_char **post_end, u_char *iChunkBuf, int max_size, - int last_chunk_size, int *chunkSize, int *chunkRead) +int CheckChunkEncoding(HI_SESSION *Session, const u_char *start, const u_char *end, + const u_char **post_end, u_char *iChunkBuf, uint32_t max_size, + uint32_t last_chunk_size, uint32_t *chunkSize, uint32_t *chunkRead, HttpSessionData *hsd, + int iInspectMode) { - int iChunkLen = 0; - int iChunkChars = 0; + uint32_t iChunkLen = 0; + uint32_t iChunkChars = 0; int chunkPresent = 0; - int iCheckChunk = 1; + uint32_t iCheckChunk = 1; const u_char *ptr; const u_char *jump_ptr; - int iDataLen = 0; - int chunkBytesCopied = 0; + uint32_t iDataLen = 0; + uint32_t chunkBytesCopied = 0; + uint8_t stateless_chunk_count = 0; if(!start || !end) return HI_INVALID_ARG; @@ -142,6 +152,15 @@ last_chunk_size = max_size; } + iDataLen = end - ptr; + + if(last_chunk_size > iDataLen) + { + if(chunkSize) + *chunkSize = last_chunk_size - iDataLen ; + last_chunk_size = iDataLen; + } + jump_ptr = ptr + last_chunk_size - 1; if(hi_util_in_bounds(start, end, jump_ptr)) 
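Review bot: The Doxygen block above CheckChunkEncoding still documents only `Session`, `start` and `end`, while the signature now also takes `hsd` and `iInspectMode` on top of `post_end`, `iChunkBuf`, `max_size`, `last_chunk_size`, `chunkSize` and `chunkRead`; add `@param` lines for at least the new ones, e.g. `@param hsd per-session HTTP state, or NULL for stateless inspection` and `@param iInspectMode HI_SI_CLIENT_MODE selects the client counter and event, anything else the server ones`. The parameter widening from int to uint32_t also changes what a caller passing -1 gets, which deserves a sentence in the same block.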
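Review bot: `iDataLen = end - ptr;` silently narrows a ptrdiff_t into a uint32_t, and once `last_chunk_size` is clamped to `iDataLen` the existing line `jump_ptr = ptr + last_chunk_size - 1;` computes a pointer one before `ptr` when `iDataLen` is 0, before hi_util_in_bounds() gets a chance to reject it. The enclosing block starts outside this hunk, so I cannot tell whether a zero remaining length can reach here; if it can, guard the zero case ahead of the clamp rather than relying on the bounds check. The stray space in `*chunkSize = last_chunk_size - iDataLen ;` is a minor style nit.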
@@ -154,7 +173,6 @@ } ptr = jump_ptr + 1; } - } while(hi_util_in_bounds(start, end, ptr)) @@ -163,13 +181,70 @@ { if(iCheckChunk && iChunkLen != 0) { - if(Session->server_conf->chunk_length < (unsigned int)iChunkLen && - hi_eo_generate_event(Session, HI_EO_CLIENT_LARGE_CHUNK)) + if (((Session->server_conf->chunk_length != 0) + && (iInspectMode == HI_SI_CLIENT_MODE) + && (Session->server_conf->chunk_length < iChunkLen) + && hi_eo_generate_event(Session, HI_EO_CLIENT_LARGE_CHUNK))) { hi_eo_client_event_log(Session, HI_EO_CLIENT_LARGE_CHUNK, NULL, NULL); } + if (Session->server_conf->small_chunk_length.size != 0) + { + if (iChunkLen <= Session->server_conf->small_chunk_length.size) + { + uint8_t* chunk_count; + int (*log_func)(HI_SESSION *, int, void *, void (*)(void *)); + int event; + + if (iInspectMode == HI_SI_CLIENT_MODE) + { + if (hsd) + chunk_count = &hsd->cli_small_chunk_count; + else + chunk_count = &stateless_chunk_count; + log_func = hi_eo_client_event_log; + event = HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS; + } + else + { + if (hsd) + chunk_count = &hsd->srv_small_chunk_count; + else + chunk_count = &stateless_chunk_count; + log_func = hi_eo_server_event_log; + event = HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS; + } + + (*chunk_count)++; + if (hi_eo_generate_event(Session, event) + && (*chunk_count >= Session->server_conf->small_chunk_length.num)) + { + log_func(Session, event, NULL, NULL); + *chunk_count = 0; + } + } + else + { + // Reset for non-consecutive small chunks + if (iInspectMode == HI_SI_CLIENT_MODE) + { + if (hsd) + hsd->cli_small_chunk_count = 0; + else + stateless_chunk_count = 0; + } + else + { + if (hsd) + hsd->srv_small_chunk_count = 0; + else + stateless_chunk_count = 0; + } + } + } + SkipBlankAndNewLine(start,end, &ptr); if(*ptr == '\n') 
@@ -182,19 +257,19 @@ if(chunkSize) *chunkSize = iChunkLen - iDataLen; iChunkLen = iDataLen; - jump_ptr = ptr + iDataLen - 1; - } - else - { - jump_ptr = ptr + iChunkLen; } + jump_ptr = ptr + iChunkLen; + if(jump_ptr <= ptr) { break; } - if(hi_util_in_bounds(start, end, jump_ptr)) + /* Since we're doing a memcpy end and jump_ptr can be the same + * but hi_util_in_bounds ensures last arg is less than so + * subtract 1 from jump_ptr */ + if(hi_util_in_bounds(start, end, jump_ptr - 1)) { chunkPresent = 1; if(iChunkBuf && ((chunkBytesCopied + iChunkLen) <= max_size)) @@ -203,9 +278,14 @@ chunkBytesCopied += iChunkLen; } ptr = jump_ptr; - /* Check to see if the chunks ends */ - if( ((ptr + 2) < end) && (*(ptr + 2) != '\n') && - hi_eo_generate_event(Session, HI_EO_CLIENT_CHUNK_SIZE_MISMATCH)) + + if (!hi_util_in_bounds(start, end, ptr)) + break; + + /* Check to see if the chunks ends - LF or CRLF are valid */ + if (hi_eo_generate_event(Session, HI_EO_CLIENT_CHUNK_SIZE_MISMATCH) + && (*ptr != '\n') && (*ptr != '\r') + && ((ptr + 1) < end) && (*(ptr + 1) != '\n')) { hi_eo_client_event_log(Session, HI_EO_CLIENT_CHUNK_SIZE_MISMATCH, NULL, NULL); @@ -225,7 +305,7 @@ ** for handling new chunks, we reset and starting evaluating possible ** chunk lengths. */ - if(iCheckChunk || *ptr == '\n') + if(iCheckChunk || (hi_util_in_bounds(start, end, ptr) && *ptr == '\n')) { iCheckChunk = 1; iChunkLen = 0; @@ -238,7 +318,7 @@ if(iCheckChunk) { - if(hex_lookup[*ptr] == INVALID_HEX_VAL) + if(valid_lookup[*ptr] != HEX_VAL) { if(*ptr == '\r') { @@ -277,6 +357,15 @@ { if(iChunkChars >= 8) { + if (((Session->server_conf->chunk_length != 0) + && (iInspectMode == HI_SI_CLIENT_MODE) + && (Session->server_conf->chunk_length < iChunkLen) + && hi_eo_generate_event(Session, HI_EO_CLIENT_LARGE_CHUNK))) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_LARGE_CHUNK, + NULL, NULL); + } + iCheckChunk = 0; iChunkLen = 0; iChunkChars = 0; 
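Review bot: The rewritten chunk-terminator test only alerts when the byte after the data is neither LF nor CR and the byte after that is not LF, so a terminator like `x\n` (one stray byte, then LF) passes without HI_EO_CLIENT_CHUNK_SIZE_MISMATCH, and a bare `\r` followed by anything passes too; if the comment's "LF or CRLF are valid" is the intended contract, the condition should be `(*ptr != '\n') && !((*ptr == '\r') && ((ptr + 1) < end) && (*(ptr + 1) == '\n'))`. If the extra byte of slack is deliberate (to tolerate a CRLF split across segments), say so in the comment, because the comment and the code currently disagree. CheckChunkEncoding's body continues outside this hunk.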
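Review bot: The eight-line `chunk_length != 0 && iInspectMode == HI_SI_CLIENT_MODE && chunk_length < iChunkLen && hi_eo_generate_event(...)` block added in the `iChunkChars >= 8` branch repeats the one in hunk `@@ -163,13 +181,70 @@` verbatim; a small helper such as `static inline void CheckLargeChunk(HI_SESSION *Session, uint32_t iChunkLen, int iInspectMode)` called from both sites keeps the two thresholds from drifting apart. The doubled parentheses in `if (((…)))` in both copies are a style nit.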
@@ -284,7 +373,7 @@ else { iChunkLen <<= 4; - iChunkLen |= (unsigned int)hex_lookup[*ptr]; + iChunkLen |= (unsigned int)(hex_lookup[*ptr]); iChunkChars++; } } @@ -316,7 +405,7 @@ /** ** Catch multiple requests per packet, by returning pointer to after the ** end of the request header if there is another request. -** +** ** There are 4 types of "valid" delimiters that we look for. They are: ** "\r\n\r\n" ** "\r\n\n" @@ -325,19 +414,19 @@ ** The only patterns that we really only need to look for are: ** "\n\r\n" ** "\n\n" -** The reason being that these two patterns are suffixes of the other +** The reason being that these two patterns are suffixes of the other ** patterns. So once we find those, we are all good. -** +** ** @param Session pointer to the session ** @param start pointer to the start of text ** @param end pointer to the end of text -** +** ** @return pointer -** +** ** @retval NULL Did not find pipeline request ** @retval !NULL Found another possible request. */ -static INLINE const u_char *FindPipelineReq(HI_SESSION *Session, +static inline const u_char *FindPipelineReq(HI_SESSION *Session, const u_char *start, const u_char *end) { const u_char *p; @@ -358,7 +447,7 @@ ** ** a.k.a there needs to be data after the initial request to inspect ** to make it worth our while. - */ + */ while(p < (end - 6)) { if(*p == '\n') 
@@ -411,25 +500,25 @@ /** ** This checks that there is a version following a space with in an HTTP ** packet. -** +** ** This function gets called when a whitespace area has ended, and we want ** to know if a version identifier is followed directly after. So we look ** for the rfc standard "HTTP/" and report appropriately. We also need ** to make sure that the function succeeds given an end of buffer, so for ** instance if the buffer ends like " HTT", we still assume that this is ** a valid version identifier because of TCP segmentation. -** +** ** We also check for the 0.9 standard of GET URI\r\n. When we see a \r or ** a \n, then we just return with the pointer still pointing to that char. ** The reason is because on the next loop, we'll do the evaluation that ** we normally do and finish up processing there. -** +** ** @param start pointer to the start of the version identifier ** @param end pointer to the end of the buffer (could be the end of the ** data section, or just to the beginning of the delimiter. -** +** ** @return integer -** +** ** @retval 1 this is an HTTP version identifier ** @retval 0 this is not an HTTP identifier, or bad parameters */ @@ -474,15 +563,15 @@ } (*ptr)++; - } + } /* - ** This means that we match all the chars that we could given the + ** This means that we match all the chars that we could given the ** remaining length so we should increment the pointer by that much ** since we don't need to inspect this again. */ - /* This pointer is not used again. When 1 is returned it causes + /* This pointer is not used again. When 1 is returned it causes * NextNonWhiteSpace to return also. */ #if 0 (*ptr)++; 
@@ -508,14 +597,14 @@ ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index ** @param uri_ptr pointer to the URI_PTR construct -** +** ** @return integer -** -** @retval HI_OUT_OF_BOUNDS +** +** @retval HI_OUT_OF_BOUNDS ** @retval URI_END end of the URI is found, check URI_PTR. ** @retval NO_URI malformed delimiter, no URI. */ -int find_rfc_delimiter(HI_SESSION *Session, const u_char *start, +int find_rfc_delimiter(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { if(*ptr == start || !uri_ptr->uri) @@ -542,14 +631,14 @@ { return HI_OUT_OF_BOUNDS; } - + if(**ptr == '\n') { uri_ptr->delimiter = (*ptr)-1; if(!uri_ptr->ident) uri_ptr->uri_end = uri_ptr->delimiter; - + return URI_END; } @@ -563,7 +652,7 @@ /** ** Check for non standard delimiter '\n'. ** -** It now appears that apache and iis both take this non-standard +** It now appears that apache and iis both take this non-standard ** delimiter. So, we most likely will always look for it, but maybe ** give off a special alert or something. ** @@ -571,12 +660,12 @@ ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval URI_END delimiter found, end of URI -** @retval NO_URI +** @retval NO_URI */ int find_non_rfc_delimiter(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) @@ -610,10 +699,10 @@ } uri_ptr->delimiter = *ptr; - + if(!uri_ptr->ident) uri_ptr->uri_end = uri_ptr->delimiter; - + return URI_END; } 
@@ -639,33 +728,33 @@ /** ** Update the URI_PTR fields spaces, find the next non-white space char, ** and validate the HTTP version identifier after the spaces. -** +** ** This is the main part of the URI algorithm. This verifies that there ** isn't too many spaces in the data to be a URI, it checks that after the ** second space that there is an HTTP identifier or otherwise it's no good. ** Also, if we've found an identifier after the first whitespace, and ** find another whitespace, there is no URI. -** +** ** The uri and uri_end pointers are updated in this function depending ** on what space we are at, and if the space was followed by the HTTP ** identifier. (NOTE: the HTTP delimiter is no longer "HTTP/", but ** can also be "\r\n", "\n", or "\r". This is the defunct method, and ** we deal with it in the IsHttpVersion and delimiter functions.) -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS found the next non-whitespace ** @retval HI_OUT_OF_BOUNDS whitespace to the end of the buffer ** @retval URI_END delimiter found, end of URI ** @retval NO_URI */ -int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, +int NextNonWhiteSpace(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_PTR *uri_ptr) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; @@ -720,7 +809,7 @@ if(uri_ptr->first_sp_end) { /* - ** If the second space has been set, then this means that we have + ** If the second space has been set, then this means that we have ** seen a third space, which we shouldn't see in the URI so we ** are now done and know there is no URI in this packet. */ 
@@ -729,7 +818,7 @@ return NO_URI; } - /* + /* ** Treat whitespace differently at the end of the URI than we did ** at the beginning. Ignore and return if special characters are ** not defined as whitespace after the URI. @@ -761,7 +850,7 @@ ** and we unset the URI so we can set it later if need be. ** ** This is mainly so we handle data that is all spaces correctly. - ** + ** ** In the normal case where we've seen text and then the first space, ** we leave the uri ptr pointing at the beginning of the data, and ** set the uri end after we've determined where to put it. @@ -791,7 +880,7 @@ { if(ServerConf->apache_whitespace.on) { - if(hi_eo_generate_event(Session, + if(hi_eo_generate_event(Session, ServerConf->apache_whitespace.alert)) { hi_eo_client_event_log(Session, HI_EO_CLIENT_APACHE_WS, @@ -854,7 +943,7 @@ ** ** When we get here it means that we have found the end of ** the FIRST whitespace, and that there was no delimiter, - ** so we reset the uri pointers and other related + ** so we reset the uri pointers and other related ** pointers. */ uri_ptr->uri = *end_sp; @@ -903,7 +992,7 @@ */ /** ** Check for percent normalization in the URI buffer. -** +** ** We don't do much here besides check the configuration, set the pointer, ** and continue processing. ** @@ -911,10 +1000,10 @@ ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ int SetPercentNorm(HI_SESSION *Session, const u_char *start, @@ -931,7 +1020,7 @@ } (*ptr)++; - + return HI_SUCCESS; } 
@@ -941,16 +1030,16 @@ */ /** ** We check the directory length against the global config. -** +** ** @param Session pointer to the current session ** @param uri_ptr pointer to the URI state ** @param ptr pointer to the current index in buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS */ -static INLINE int CheckLongDir(HI_SESSION *Session, URI_PTR *uri_ptr, +static inline int CheckLongDir(HI_SESSION *Session, URI_PTR *uri_ptr, const u_char *ptr) { int iDirLen; @@ -958,7 +1047,7 @@ /* ** Check for oversize directory */ - if(Session->server_conf->long_dir && + if(Session->server_conf->long_dir && uri_ptr->last_dir && !uri_ptr->param) { iDirLen = ptr - uri_ptr->last_dir; @@ -981,15 +1070,15 @@ */ /** ** Check for any directory traversal or multi-slash normalization. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful ** @retval HI_OUT_OF_BOUNDS reached the end of the buffer */ @@ -1066,18 +1155,18 @@ */ /** ** Check for backslashes and if we need to normalize. -** +** ** This really just checks the configuration option, and sets the norm ** variable if applicable. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ int SetBackSlashNorm(HI_SESSION *Session, const u_char *start, 
@@ -1104,16 +1193,16 @@ * */ /** * ** Check for "+" and if we need to normalize. - * ** - * ** + * ** + * ** * ** @param ServerConf pointer to the server configuration * ** @param start pointer to the start of payload * ** @param end pointer to the end of the payload * ** @param ptr pointer to the pointer of the current index - * ** @param uri_ptr pointer to the URI_PTR construct - * ** + * ** @param uri_ptr pointer to the URI_PTR construct + * ** * ** @return integer - * ** + * ** * ** @retval HI_SUCCESS function successful * */ @@ -1137,19 +1226,19 @@ */ /** ** Look for non-ASCII chars in the URI. -** +** ** We look for these chars in the URI and set the normalization variable ** if it's not already set. I think we really only need this for IIS ** servers, but we may want to know if it's in the URI too. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ int SetBinaryNorm(HI_SESSION *Session, const u_char *start, @@ -1173,15 +1262,15 @@ ** This function sets the parameter field as the first '?'. The big thing ** is that we set the param value, so we don't false positive long dir ** events when it's really just a long parameter field. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ int SetParamField(HI_SESSION *Session, const u_char *start, 
@@ -1202,15 +1291,15 @@ */ /** ** This function checks for an absolute URI in the URI. -** +** ** @param ServerConf pointer to the server configuration ** @param start pointer to the start of payload ** @param end pointer to the end of the payload ** @param ptr pointer to the pointer of the current index -** @param uri_ptr pointer to the URI_PTR construct -** +** @param uri_ptr pointer to the URI_PTR construct +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ int SetProxy(HI_SESSION *Session, const u_char *start, @@ -1244,12 +1333,12 @@ /** ** This is where we set the HI_CLIENT values that we found during URI ** discovery. This also covers checking these values for errors. -** +** ** @param Client pointer to HI_CLIENT structure ** @param uri_ptr pointer to the uri data -** +** ** @return integer -** +** ** @retval HI_NONFATAL_ERR problem with the uri values. ** @retval HI_SUCCESS values set successfully */ @@ -1271,7 +1360,7 @@ printf("** second_end = %c\n", *uri_ptr->second_sp_end); if(uri_ptr->delimiter) printf("** delimiter = %c\n", *uri_ptr->delimiter); - + if(uri_ptr->uri) printf("** uri = %c\n", *uri_ptr->uri); if(uri_ptr->norm) @@ -1279,7 +1368,7 @@ */ /* - ** This means that there was only spaces or delimiters within the + ** This means that there was only spaces or delimiters within the ** complete URI. In this case, there is no valid URI so we just ** return such. */ @@ -1321,9 +1410,10 @@ return HI_SUCCESS; } -static INLINE int hi_client_extract_post( +static inline int hi_client_extract_post( HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - const u_char *ptr, const u_char *end, URI_PTR *result, int content_length) + const u_char *ptr, const u_char *end, URI_PTR *result, + int content_length, bool is_chunked, HttpSessionData *hsd) { const u_char *start = ptr; const u_char *post_end = end; 
@@ -1331,9 +1421,11 @@ Session->norm_flags &= HI_BODY; /* Limit search depth */ - if ((!content_length)) + if (is_chunked) { - if ( ServerConf->chunk_length && (CheckChunkEncoding(Session, start, end, &post_end, NULL, 0, 0 , NULL, NULL) == 1) ) + if ( (ServerConf->chunk_length || ServerConf->small_chunk_length.size) + && (CheckChunkEncoding(Session, start, end, &post_end, NULL, 0, + 0, NULL, NULL, hsd, HI_SI_CLIENT_MODE) == 1) ) { result->uri = start; result->uri_end = post_end; @@ -1344,8 +1436,7 @@ return HI_NONFATAL_ERR; } } - - if(content_length > 0) + else if(content_length > 0) { if ((post_end - ptr ) > content_length) { @@ -1353,7 +1444,9 @@ } } else + { return HI_NONFATAL_ERR; + } result->uri = start; result->uri_end = post_end; 
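Review bot: With `is_chunked` set, `content_length` is never consulted, so a request carrying both `Transfer-Encoding: chunked` and `Content-Length` is handled by the chunked branch; that is the RFC 2616 §4.4 precedence, but the choice is silent and a reader of the `else if(content_length > 0)` chain cannot tell it was deliberate. I would put `/* Transfer-Encoding takes precedence over Content-Length (RFC 2616 4.4) */` on the `if (is_chunked)` line. When `is_chunked` is true but neither `ServerConf->chunk_length` nor `ServerConf->small_chunk_length.size` is configured, the `&&` short-circuits before `CheckChunkEncoding`, and the code between the two hunks (not visible here) appears to end in `return HI_NONFATAL_ERR;`, meaning a chunked body is only extracted when a chunk limit is configured; that deserves a comment if intended and a second look if not. `hi_client_extract_post` begins in the previous hunk.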
@@ -1361,19 +1454,128 @@ return POST_END; } -static INLINE int hi_client_extract_uri( - HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - HI_CLIENT * Client, const u_char *start, const u_char *end, - const u_char *ptr, URI_PTR *uri_ptr) + +static inline int HTTP_CopyExtraDataToSession(const uint8_t *start, int length, int command_type, HTTP_LOG_STATE *log_state) +{ + uint8_t *alt_buf; + uint32_t alt_size; + uint32_t *alt_len; + int ret; + + if (length <= 0) + return -1; + + + switch (command_type) + { + case COPY_URI: + alt_buf = log_state->uri_extracted; + alt_size = MAX_URI_EXTRACTED; + alt_len = &(log_state->uri_bytes); + break; + + case COPY_HOSTNAME: + alt_buf = log_state->hostname_extracted; + alt_size = MAX_HOSTNAME; + alt_len = &(log_state->hostname_bytes); + break; + + default: + return -1; + } + + if(length > (int) alt_size) + length = alt_size; + + *alt_len = 0; + + ret = SafeMemcpy(alt_buf, start, length, alt_buf, alt_buf + alt_size); + + if (ret != SAFEMEM_SUCCESS) + { + return -1; + } + + *alt_len += length; + + return 0; +} + +static inline void HTTP_CopyUri(HTTPINSPECT_CONF *ServerConf, const u_char *start, const u_char *end, HttpSessionData *hsd, int stream_ins) +{ + int iRet = 0; + const u_char *cur_ptr; + + cur_ptr = start; + + if(ServerConf->log_uri && !stream_ins && hsd) + { + SkipBlankSpace(start,end,&cur_ptr); + + start = cur_ptr; + if(!SetLogBuffers(hsd)) + { + iRet = HTTP_CopyExtraDataToSession((uint8_t *)start, (end - start), COPY_URI, hsd->log_state); + if(!iRet) + hsd->log_flags |= HTTP_LOG_URI; + } + } +} + + +static inline int unfold_http_uri(HTTPINSPECT_CONF *ServerConf, const u_char *end, URI_PTR *uri_ptr, HttpSessionData *hsd, int stream_ins) +{ + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const u_char *p; + int folded = 0; + const char *tmp = NULL; + int iRet = -1; + + p = uri_ptr->uri; + + + sf_unfold_header(p, (end - p), unfold_buf, sizeof(unfold_buf), &unfold_size, 0, &folded); + + if( !folded) + { + 
HTTP_CopyUri(ServerConf, uri_ptr->uri , uri_ptr->uri_end, hsd, stream_ins); + return iRet; + } + + tmp = SnortStrnPbrk((const char *)unfold_buf, unfold_size, " \t"); + + if (tmp != NULL) + { + unfold_size = ((uint8_t *)tmp - unfold_buf); + iRet = 0; + } + + p = p + unfold_size; + uri_ptr->uri_end = p; + + HTTP_CopyUri(ServerConf, unfold_buf, unfold_buf + unfold_size, hsd, stream_ins); + + return iRet; +} + + +static inline int hi_client_extract_uri( + HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, + HI_CLIENT * Client, const u_char *start, const u_char *end, + const u_char *ptr, URI_PTR *uri_ptr, HttpSessionData *hsd, int stream_ins) { int iRet = HI_SUCCESS; + const u_char *tmp; + int uri_copied = 0; Session->norm_flags &= ~HI_BODY; + /* ** This loop compares each char to an array of functions ** (one for each char) and calling that function if there is one. - ** + ** ** If there is no function, then we just increment the char ptr and ** continue processing. ** @@ -1393,6 +1595,15 @@ { /* Possible post data or something else strange... */ iRet = URI_END; + /* Find the end of the URI in this case*/ + tmp = (const u_char *)SnortStrnPbrk((const char *)ptr, (uri_ptr->uri_end - ptr), " \r\n\t"); + if(tmp != NULL) + uri_ptr->uri_end = tmp; + + if(!uri_copied) + { + HTTP_CopyUri(ServerConf, uri_ptr->uri , uri_ptr->uri_end, hsd, stream_ins); + } break; } } @@ -1413,6 +1624,19 @@ { if(iRet == URI_END) { + if((*(uri_ptr->uri_end) == '\n') || (*(uri_ptr->uri_end) == '\r') ) + { + uri_copied = 1; + if(!unfold_http_uri(ServerConf, end, uri_ptr, hsd, stream_ins )) + { + SkipCRLF(start,end, &ptr); + continue; + } + } + else if(!uri_copied) + { + HTTP_CopyUri(ServerConf, uri_ptr->uri , uri_ptr->uri_end, hsd, stream_ins); + } /* ** You found a URI, let's break and check it out. */ 
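Review bot: In `unfold_http_uri`, `unfold_size` is used both as the length of data in `unfold_buf` (`unfold_buf + unfold_size`) and as the number of raw bytes to skip (`p = p + unfold_size; uri_ptr->uri_end = p;`); those agree only if `sf_unfold_header` writes exactly as many bytes as it consumes, which cannot be the case for input from which folding sequences are removed. If the helper does drop them, `uri_end` lands short of the real end of the request line; either have the helper report bytes consumed separately or pin the invariant at the call with `/* unfold_size must equal bytes consumed from p — confirm sf_unfold_header drops nothing here */`. In `HTTP_CopyExtraDataToSession`, `length` arrives as `int` from a pointer difference and is clamped with `if(length > (int) alt_size)`; the `length <= 0` rejection above it is what keeps the later `SafeMemcpy` size non-negative, so a short comment there (`/* negative or empty span: nothing to log */`) would make the ordering intentional rather than accidental. `hi_client_extract_uri` continues past the end of this hunk.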
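Review bot: `*(uri_ptr->uri_end)` is dereferenced twice in the `@@ -1413` hunk without a bounds check; `uri_end` is assigned from `SnortStrnPbrk` in the preceding hunk and from code outside this view, and if any of those can leave it equal to `end`, this reads one byte past the buffer. Guarding it the way the rest of the file does, `if(hi_util_in_bounds(start, end, uri_ptr->uri_end) && ((*(uri_ptr->uri_end) == '\n') || (*(uri_ptr->uri_end) == '\r')))`, costs nothing. The enclosing loop and function start before this hunk.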
@@ -1433,14 +1657,17 @@ ** also be a space, which would look like a pipeline request ** to us if we don't do this first. */ - if(Session->server_conf->chunk_length) - CheckChunkEncoding(Session, start, end, NULL, NULL, 0, 0, NULL, NULL); + if(Session->server_conf->chunk_length || Session->server_conf->small_chunk_length.size) + { + (void)CheckChunkEncoding(Session, start, end, NULL, NULL, 0, + 0, NULL, NULL, hsd, HI_SI_CLIENT_MODE); + } /* ** We only inspect the packet for another pipeline ** request if there wasn't a previous pipeline request. - ** The reason that we do this is because - */ + ** The reason that we do this is because + */ if(!Client->request.pipeline_req) { /* @@ -1478,10 +1705,11 @@ } -const u_char *extract_http_cookie(const u_char *p, const u_char *end, HEADER_PTR *header_ptr, +const u_char *extract_http_cookie(const u_char *p, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) { const u_char *crlf; + const u_char *start; if (header_ptr->cookie.cookie) { /* unusal, multiple cookies... alloc new cookie pointer */ @@ -1500,7 +1728,17 @@ { header_field_ptr->cookie = &header_ptr->cookie; } - header_field_ptr->cookie->cookie = p; + + start = p; + /* skip spaces before : */ + SkipBlankSpace(start,end,&p); + if(hi_util_in_bounds(start, end, p) && *p == ':') + { + p++; + SkipBlankSpace(start,end,&p); + } + + header_field_ptr->cookie->cookie = p; { crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n"); @@ -1508,12 +1746,16 @@ /* find a \n */ if (crlf) /* && hi_util_in_bounds(start, end, crlf+1)) bounds is checked in SnortStrnStr */ { - header_field_ptr->cookie->cookie_end = crlf + 1; + if(*(crlf -1) == '\r') + header_field_ptr->cookie->cookie_end = crlf - 1; + else + header_field_ptr->cookie->cookie_end = crlf; + p = crlf; } else { - header_ptr->header.uri_end = header_field_ptr->cookie->cookie_end = end; + header_ptr->header.uri_end = header_field_ptr->cookie->cookie_end = end; return end; } } 
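Review bot: `if(*(crlf -1) == '\r')` reads the byte before the LF without checking that `crlf > p`; for an empty cookie value `crlf == p`, and the read then lands on whatever precedes `p` — in bounds only because the caller now passes `p + HEADER_LENGTH__COOKIE`, a contract this function does not state. `if(crlf > p && *(crlf - 1) == '\r')` removes the dependency. Separately, the cookie value still ends at the first LF found by `SnortStrnStr`, whereas the XFF and Host extractors on this page go through `sf_unfold_header`; a folded Cookie header is therefore captured only up to its first line, which is worth either unfolding or a comment on `cookie_end` saying so. `extract_http_cookie` begins in the previous hunk and its closing brace is in the next one.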
@@ -1521,38 +1763,65 @@ } -const u_char *extract_http_xff(HI_SESSION *Session, const u_char *p, const u_char *start, - const u_char *end, HEADER_PTR *header_ptr, sfip_t **true_ip) +const u_char *extract_http_xff(HI_SESSION *Session, const u_char *p, const u_char *start, + const u_char *end, HI_CLIENT_HDR_ARGS *hdrs_args) { + int num_spaces = 0; SFIP_RET status; sfip_t *tmp; char *ipAddr = NULL; uint8_t unfold_buf[DECODE_BLEN]; uint32_t unfold_size =0; const u_char *start_ptr, *end_ptr, *cur_ptr; + HEADER_PTR *header_ptr; + sfip_t **true_ip; + + header_ptr = hdrs_args->hdr_ptr; + true_ip = &(hdrs_args->sd->true_ip); - if(!true_ip || *true_ip) + if(!true_ip) return p; + if( (hdrs_args->true_clnt_xff & HDRS_BOTH) == HDRS_BOTH) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS, NULL, NULL); + } + + } + SkipBlankSpace(start,end,&p); if(hi_util_in_bounds(start, end, p) && *p == ':') { p++; - if(sf_unfold_header(p, end-start, unfold_buf, sizeof(unfold_buf), &unfold_size) != 0) + if(hi_util_in_bounds(start, end, p)) + sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 0 , &num_spaces); + + if(!unfold_size) { header_ptr->header.uri_end = end; return end; } + if(num_spaces >= Session->server_conf->max_spaces) + { + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + + } + p = p + unfold_size; - start_ptr = unfold_buf; + start_ptr = unfold_buf; cur_ptr = unfold_buf; end_ptr = unfold_buf + unfold_size; - SkipBlankSpace(start_ptr,end_ptr,&cur_ptr); - - start_ptr = cur_ptr; + SkipBlankSpace(start_ptr,end_ptr,&cur_ptr); + + start_ptr = cur_ptr; while( cur_ptr < end_ptr ) { if( *cur_ptr == ' ' || *cur_ptr == '\t' || 
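Review bot: `true_ip = &(hdrs_args->sd->true_ip);` takes the address of a struct member, so the `if(!true_ip) return p;` that follows can never be true, and `hdrs_args->sd` has already been dereferenced by then; the real guard is `if(!hdrs_args->sd) return p;` placed before the address is taken (the caller in `extractHeaderFieldValues` currently gates on `hsd`, which is why this does not fault today). `hi_eo_generate_event(Session, Session->server_conf->max_spaces)` passes a configured count where the other call sites on this page pass an event id or an `.alert` flag (`ServerConf->apache_whitespace.alert` earlier in the file); if the argument is only tested for non-zero this is the enable-flag idiom, but it reads like a mismatch against the `HI_EO_CLIENT_EXCEEDS_SPACES` in the log call beneath it, so a comment such as `/* max_spaces == 0 disables the check */` is warranted. The same pattern recurs in `extract_http_hostname`, `extract_http_content_length` and `hi_client_extract_header`. The function's tail is in the next hunk.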
@@ -1585,7 +1854,25 @@ return p; } #endif - *true_ip = tmp; + if(*true_ip) + { + if(!IP_EQUALITY(*true_ip, tmp)) + { + sfip_free(*true_ip); + *true_ip = tmp; + + //alert + if(hi_eo_generate_event(Session, HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION, NULL, NULL); + } + } + else + sfip_free(tmp); + + } + else + *true_ip = tmp; free(ipAddr); } 
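Review bot: The replacement policy for a second X-Forwarded-For/True-Client-IP value — free the stored address, keep the newer one, alert only when they differ — reverses the removed `if(!true_ip || *true_ip) return p;` (first value wins) of the previous hunk and is stated nowhere; downstream consumers of `true_ip` now see the last differing value, which matters for anything that attributes the session to a client. `/* last differing value wins and is alerted; identical repeats are dropped silently */` on the `if(*true_ip)` line would record the decision. `sfip_free(*true_ip)` before `*true_ip = tmp` is the right order, and the `sfip_free(tmp)` on the equal branch is what keeps the duplicate from leaking.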
@@ -1597,13 +1884,80 @@ } return p; - + } -const u_char *extract_http_content_length(HI_SESSION *Session, - HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *start, + +const u_char *extract_http_hostname(HI_SESSION *Session, const u_char *p, const u_char *start, + const u_char *end, HEADER_PTR *header_ptr, HttpSessionData *hsd) +{ + int num_spaces = 0; + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const u_char *start_ptr, *end_ptr, *cur_ptr; + int iRet=0; + + + SkipBlankSpace(start,end,&p); + + if(hi_util_in_bounds(start, end, p) && *p == ':') + { + p++; + if(hi_util_in_bounds(start, end, p)) + sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 0, &num_spaces); + + if(!unfold_size) + { + header_ptr->header.uri_end = end; + return end; + } + + if(num_spaces >= Session->server_conf->max_spaces) + { + //alert + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } + p = p + unfold_size; + + start_ptr = unfold_buf; + cur_ptr = unfold_buf; + end_ptr = unfold_buf + unfold_size; + SkipBlankSpace(start_ptr,end_ptr,&cur_ptr); + + start_ptr = cur_ptr; + + if((end_ptr - start_ptr) >= MAX_HOSTNAME) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_LONG_HOSTNAME)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_LONG_HOSTNAME, NULL, NULL); + } + } + + iRet = HTTP_CopyExtraDataToSession((uint8_t *)start_ptr, (end_ptr - start_ptr), COPY_HOSTNAME, hsd->log_state); + if(!iRet) + { + hsd->log_flags |= HTTP_LOG_HOSTNAME; + } + } + else + { + header_ptr->header.uri_end = end; + return end; + } + + return p; +} + + +const u_char *extract_http_content_length(HI_SESSION *Session, + HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *start, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) { + int num_spaces = 0; const u_char *crlf; int space_present = 0; if 
(header_ptr->content_len.cont_len_start) @@ -1629,7 +1983,7 @@ p++; if ( hi_util_in_bounds(start, end, p) ) { - if ( ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) + if ( ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) { SkipWhiteSpace(start,end,&p); } @@ -1646,23 +2000,31 @@ if ( *p == '\n') { p++; - while( hi_util_in_bounds(start, end, p) && ( *p == ' ' || *p == '\t')) + while( hi_util_in_bounds(start, end, p) && ( *p == ' ' || *p == '\t')) { space_present = 1; p++; + num_spaces++; } if ( space_present ) { + if(num_spaces >= Session->server_conf->max_spaces) + { + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } if ( isdigit((int)*p)) break; - else if(isspace((int)*p) && + else if(isspace((int)*p) && (ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) ) { SkipWhiteSpace(start,end,&p); } else - { - header_field_ptr->content_len->cont_len_start = + { + header_field_ptr->content_len->cont_len_start = header_field_ptr->content_len->cont_len_end = NULL; header_field_ptr->content_len->len = 0; return p; @@ -1670,7 +2032,7 @@ } else { - header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_start = header_field_ptr->content_len->cont_len_end = NULL; header_field_ptr->content_len->len = 0; return p; @@ -1682,14 +2044,14 @@ } else if(!isdigit((int)*p)) { - header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_start = header_field_ptr->content_len->cont_len_end = NULL; header_field_ptr->content_len->len = 0; return p; } if(isdigit((int)*p)) { - header_field_ptr->content_len->cont_len_start = p; + header_field_ptr->content_len->cont_len_start = p; p++; while(hi_util_in_bounds(start, end, p)) { 
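Review bot: In `extract_http_hostname`, an empty value (`unfold_size == 0`) or a name not followed by `:` sets `header_ptr->header.uri_end = end` and returns `end`, and `hi_client_extract_header` treats an `end` return from `extractHeaderFieldValues` as end-of-headers (`== end) { return end; }` further down this page), so once `log_hostname` is on a malformed `Host:` line stops extraction of every header after it, Content-Length and Transfer-Encoding included. Since this is new code, returning a pointer to the line's LF (as the Cookie extractor does with `SnortStrnStr(..., "\n")`) instead of `end` would keep the rest of the header parse running; the XFF extractor has the same idiom, but there it is inherited. The `>= MAX_HOSTNAME` alert fires on a hostname of exactly `MAX_HOSTNAME` bytes even though the clamp in `HTTP_CopyExtraDataToSession` (`alt_size = MAX_HOSTNAME`) copies such a value in full; `>` or a note on the boundary would avoid confusion. `extract_http_content_length`'s new `num_spaces` counter is declared here and its body continues in the following hunks.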
@@ -1705,7 +2067,7 @@ } else if( (!isdigit((int)*p)) && (!isspace((int)*p))) /* alphabet after digit*/ { - header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_start = header_field_ptr->content_len->cont_len_end = NULL; header_field_ptr->content_len->len = 0; @@ -1719,7 +2081,7 @@ header_ptr->header.uri_end = end; return end; } - } + } else { if (ServerConf->profile == HI_APACHE || ServerConf->profile == HI_ALL) @@ -1737,7 +2099,7 @@ } else /*either a "digit digit" or "digit other character" */ { - header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_start = header_field_ptr->content_len->cont_len_end = NULL; header_field_ptr->content_len->len = 0; crlf = (u_char *)SnortStrnStr((const char *)p, end - p, "\n"); @@ -1758,7 +2120,7 @@ } else { - header_field_ptr->content_len->cont_len_start = + header_field_ptr->content_len->cont_len_start = header_field_ptr->content_len->cont_len_end = NULL; header_field_ptr->content_len->len = 0; return p; @@ -1782,15 +2144,21 @@ } } } - if ( header_field_ptr && (header_field_ptr->content_len->cont_len_start) ) + if ( header_field_ptr && (header_field_ptr->content_len->cont_len_start) && + (header_field_ptr->content_len->cont_len_end) ) { char *pcEnd; - header_field_ptr->content_len->len = SnortStrtol((char *)header_field_ptr->content_len->cont_len_start, &pcEnd, 10); - if(errno == ERANGE || ((char *)header_field_ptr->content_len->cont_len_start == pcEnd)) + uint64_t len; + len = (uint64_t)SnortStrtol((char *)header_field_ptr->content_len->cont_len_start, &pcEnd, 10); + + if ( (errno == ERANGE) + || ((char *)header_field_ptr->content_len->cont_len_start == pcEnd) + || (len > 0xFFFFFFFF) ) { - //warning header_field_ptr->content_len->len = 0; } + else + header_field_ptr->content_len->len = (uint32_t)len; } if(!p || !hi_util_in_bounds(start, end, p)) p = end; 
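Review bot: In the `@@ -1782` hunk `errno` is tested for `ERANGE` after `SnortStrtol` without being cleared beforehand; unless `SnortStrtol` itself zeroes it, a stale `ERANGE` from any earlier library call makes a valid Content-Length parse as `len = 0`, so `errno = 0;` on the line before the call — or confirmation that the wrapper does it — is needed. The `len > 0xFFFFFFFF` test rejects oversized values only where `long` is 64 bits; on a 32-bit `long` a positive overflow is caught solely by `ERANGE`, which is acceptable but worth a comment, while the widening cast does correctly turn a negative result such as `-1` into a rejected value on both. The function continues above and below this hunk.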
@@ -1798,40 +2166,76 @@ return p; } -static INLINE const u_char *extractHeaderFieldValues(HI_SESSION *Session, - HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *offset, - const u_char *start, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr, - sfip_t **true_ip) +static inline const u_char *extractHeaderFieldValues(HI_SESSION *Session, + HTTPINSPECT_CONF *ServerConf, const u_char *p, const u_char *offset, + const u_char *start, const u_char *end, HI_CLIENT_HDR_ARGS *hdrs_args) { + HttpSessionData *hsd; + + hsd = hdrs_args->sd; if (((p - offset) == 0) && ((*p == 'C') || (*p == 'c'))) { /* Search for 'Cookie' at beginning, starting from current *p */ - if ( ServerConf->enable_cookie && + if ( ServerConf->enable_cookie && IsHeaderFieldName(p, end, HEADER_NAME__COOKIE, HEADER_LENGTH__COOKIE)) { - p = extract_http_cookie(p, end, header_ptr, header_field_ptr); + p = extract_http_cookie((p+ HEADER_LENGTH__COOKIE), end, hdrs_args->hdr_ptr, hdrs_args->hdr_field_ptr); } else if ( IsHeaderFieldName(p, end, HEADER_NAME__CONTENT_LENGTH, HEADER_LENGTH__CONTENT_LENGTH) ) { - p = extract_http_content_length(Session, ServerConf, p, start, end, header_ptr, header_field_ptr ); - + p = extract_http_content_length(Session, ServerConf, p, start, + end, hdrs_args->hdr_ptr, hdrs_args->hdr_field_ptr ); } } else if (((p - offset) == 0) && ((*p == 'x') || (*p == 'X') || (*p == 't') || (*p == 'T'))) { - if ( ServerConf->enable_xff ) + if ( (ServerConf->enable_xff) && hsd ) { if(IsHeaderFieldName(p, end, HEADER_NAME__XFF, HEADER_LENGTH__XFF)) { + hdrs_args->true_clnt_xff |= XFF_HDR; p = p + HEADER_LENGTH__XFF; - p = extract_http_xff(Session, p, start, end, header_ptr, true_ip); + p = extract_http_xff(Session, p, start, end, hdrs_args); } else if(IsHeaderFieldName(p, end, HEADER_NAME__TRUE_IP, HEADER_LENGTH__TRUE_IP)) { + hdrs_args->true_clnt_xff |= TRUE_CLIENT_IP_HDR; p = p + HEADER_LENGTH__TRUE_IP; - p = extract_http_xff(Session, p, start, end, 
header_ptr, true_ip); + p = extract_http_xff(Session, p, start, end, hdrs_args); + } + } + else if ( IsHeaderFieldName(p, end, HEADER_NAME__TRANSFER_ENCODING, + HEADER_LENGTH__TRANSFER_ENCODING) && hsd) + { + p = p + HEADER_LENGTH__TRANSFER_ENCODING; + p = extract_http_transfer_encoding(Session, hsd, p, start, end, hdrs_args->hdr_ptr, HI_SI_CLIENT_MODE); + } + } + else if(((p - offset) == 0) && ((*p == 'H') || (*p == 'h'))) + { + if(IsHeaderFieldName(p, end, HEADER_NAME__HOSTNAME, HEADER_LENGTH__HOSTNAME)) + { + /* Alert when there are multiple host headers in one request */ + if(hdrs_args->hst_name_hdr) + { + if(hi_eo_generate_event(Session, HI_EO_CLIENT_MULTIPLE_HOST_HDRS)) + { + hi_eo_client_event_log(Session, HI_EO_CLIENT_MULTIPLE_HOST_HDRS, NULL, NULL); + } + return p; + } + else + { + hdrs_args->hst_name_hdr = 1; + if ( hsd && !(hdrs_args->strm_ins) && (ServerConf->log_hostname)) + { + if(!SetLogBuffers(hsd)) + { + p = p + HEADER_LENGTH__HOSTNAME; + p = extract_http_hostname(Session, p, start, end, hdrs_args->hdr_ptr, hsd); + } + } } - } } return p; @@ -1845,7 +2249,7 @@ /** ** Catch multiple requests per packet, by returning pointer to after the ** end of the request header if there is another request. -** +** ** There are 4 types of "valid" delimiters that we look for. They are: ** "\r\n\r\n" ** "\r\n\n" 
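Review bot: The `Transfer-Encoding` branch is the `else` of `if ( (ServerConf->enable_xff) && hsd )`, so whenever XFF extraction is enabled the header is never recognised, `extract_http_transfer_encoding` never runs, and the chunked-body handling keyed on `header_ptr->is_chunked` (cleared in `hi_client_extract_header`, presumably set by that extractor) is skipped for those sessions — a parsing gap that depends on an unrelated option. Testing Transfer-Encoding before, or independently of, the XFF gate fixes it; the rewritten branch is below. The duplicate-Host path returns `p` unchanged after alerting, which means the second value is never examined; that is a reasonable policy but deserves a one-line comment. The function's closing lines follow in this same hunk.
```c
    else if (((p - offset) == 0) && ((*p == 'x') || (*p == 'X') || (*p == 't') || (*p == 'T')))
    {
        if ( IsHeaderFieldName(p, end, HEADER_NAME__TRANSFER_ENCODING,
                    HEADER_LENGTH__TRANSFER_ENCODING) && hsd)
        {
            p = p + HEADER_LENGTH__TRANSFER_ENCODING;
            p = extract_http_transfer_encoding(Session, hsd, p, start, end, hdrs_args->hdr_ptr, HI_SI_CLIENT_MODE);
        }
        else if ( (ServerConf->enable_xff) && hsd )
        {
            /* … unchanged: X-Forwarded-For / True-Client-IP handling … */
        }
    }
```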
@@ -1854,29 +2258,31 @@ ** The only patterns that we really only need to look for are: ** "\n\r\n" ** "\n\n" -** The reason being that these two patterns are suffixes of the other +** The reason being that these two patterns are suffixes of the other ** patterns. So once we find those, we are all good. -** +** ** @param Session pointer to the session ** @param start pointer to the start of text ** @param end pointer to the end of text -** +** ** @return pointer -** +** ** @retval NULL Did not find pipeline request ** @retval !NULL Found another possible request. */ -static INLINE const u_char *hi_client_extract_header( - HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - HEADER_PTR *header_ptr, const u_char *start, - const u_char *end, sfip_t **true_ip) +static inline const u_char *hi_client_extract_header( + HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, + HEADER_PTR *header_ptr, const u_char *start, + const u_char *end, HttpSessionData *hsd, int stream_ins) { int iRet = HI_SUCCESS; const u_char *p; const u_char *offset; URI_PTR version_string; HEADER_FIELD_PTR header_field_ptr ; + HI_CLIENT_HDR_ARGS hdrs_args; int header_count = 0; + int num_spaces = 0; if(!start || !end) return NULL; @@ -1891,13 +2297,23 @@ ** ** a.k.a there needs to be data after the initial request to inspect ** to make it worth our while. - */ + */ if (p > (end - 6 )) { header_ptr->header.uri = NULL; return p; } header_ptr->content_len.len = 0; + header_ptr->is_chunked = false; + + header_ptr->header.uri = start; + header_ptr->header.uri_end = end; + hdrs_args.hdr_ptr = header_ptr; + hdrs_args.hdr_field_ptr = &header_field_ptr; + hdrs_args.sd = hsd; + hdrs_args.strm_ins = stream_ins; + hdrs_args.hst_name_hdr = 0; + hdrs_args.true_clnt_xff = 0; /* This is to skip past the HTTP/1.0 (or 1.1) version string */ if (IsHttpVersion(&p, end)) 
@@ -1931,6 +2347,17 @@ { return p; } + + + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + num_spaces = SkipBlankSpace(start,end,&p); + if(num_spaces >= Session->server_conf->max_spaces) + { + //alert + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } } break; } @@ -1976,6 +2403,16 @@ p++; + if(hi_eo_generate_event(Session, Session->server_conf->max_spaces)) + { + num_spaces = SkipBlankSpace(start,end,&p); + if(num_spaces >= Session->server_conf->max_spaces) + { + //alert + hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL); + } + } + offset = (u_char*)p; if (!hi_util_in_bounds(start, end, p)) @@ -1984,6 +2421,9 @@ return p; } + hdrs_args.hdr_ptr = header_ptr; + hdrs_args.hdr_field_ptr = &header_field_ptr; + /* As performance ugly as this may be, need to bounds check p in each of the * if blocks below to prevent read beyond end of buffer */ if (*p < 0x0E) @@ -2006,14 +2446,14 @@ return p; } } - else if ( (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, header_ptr, &header_field_ptr, true_ip)) == end) + else if ( (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, &hdrs_args)) == end) { return end; } - + } - else if( (p == header_ptr->header.uri) && - (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, header_ptr, &header_field_ptr, true_ip)) == end) + else if( (p == header_ptr->header.uri) && + (p = extractHeaderFieldValues(Session, ServerConf, p, offset, start, end, &hdrs_args)) == end) { return end; } 
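Review bot: The nine-line space-saturation block added here is duplicated verbatim in the `@@ -1976,6 +2403,16 @@` hunk, and in both places `hi_eo_generate_event` receives `Session->server_conf->max_spaces` — a configured count — where the other calls on this page pass an event id (`HI_EO_CLIENT_MULTIPLE_HOST_HDRS`, `HI_EO_CLIENT_PROXY_USE`) or a config flag (`ServerConf->uri_only`). If the second argument is only a zero/non-zero gate that works, but it deserves a comment, and the block belongs in one static helper so the two call sites cannot drift apart. The `//alert` comment says nothing the next line does not; the helper's header comment replaces it. Both enclosing blocks continue outside their hunks.
```c
/* Consume leading blanks at *p and log HI_EO_CLIENT_EXCEEDS_SPACES once the run
 * reaches the configured max_spaces.
 * NOTE(review): the event gate is handed the config value itself, not an event
 * id — confirm hi_eo_generate_event treats its second argument as a flag. */
static inline void check_space_saturation(HI_SESSION *Session,
        const u_char *start, const u_char *end, const u_char **p)
{
    if (hi_eo_generate_event(Session, Session->server_conf->max_spaces))
    {
        if (SkipBlankSpace(start, end, p) >= Session->server_conf->max_spaces)
        {
            hi_eo_client_event_log(Session, HI_EO_CLIENT_EXCEEDS_SPACES, NULL, NULL);
        }
    }
}

/* … at both call sites, in place of the duplicated block … */
check_space_saturation(Session, start, end, &p);
```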
@@ -2049,24 +2489,31 @@ Client->request.cookie.next = NULL;\ } while(0); +#define CLR_METHOD(Client) \ + do { \ + Client->request.method_raw = NULL;\ + Client->request.method_size = 0; \ + Client->request.method = 0 ;\ + } while(0); + /* ** NAME ** StatelessInspection:: */ /** ** Find the URI and determine whether the URI needs to be normalized. -** +** ** This is a big step in stateless inspection, because we need to reliably ** find the URI and when possible filter out non-URIs. We do this using a ** simple state machine that is based on characters found in the data ** buffer. -** +** ** Another important aspect of the stateless inspection is the ability to ** track and inspect pipelined requests. It is VERY IMPORTANT to reset the ** pipeline_req pointer, since we don't memset the whole structure. This ** pointer is reset in the hi_si_session_inspection() function. Check there ** for more details. -** +** ** Normalization is detected when we are looking at the packet for the URI. ** We look for the following issues: ** - //// 
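Review bot: `CLR_METHOD` ends with `} while(0);` — the semicolon inside the macro makes every use such as `CLR_METHOD(Client);` expand to two statements, which defeats the do/while idiom and breaks an unbraced `if (...) CLR_METHOD(Client); else ...`. The new macro copies the form of the existing macro whose tail is visible just above it, so current (braced) uses work, but I'd end the new one with `} while(0)` and fix the siblings in a follow-up. `Client->request.method = 0 ;` also carries a stray space before the semicolon.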
@@ -2080,25 +2527,26 @@ ** pointer, then the normalization pointer is reset and we start over. ** Using this method should cut down the memcpy()s per URI, since most ** URIs are not normalized. -** +** ** If this function returns HI_NONFATAL_ERR, we return out of mode_inspection ** with an error and abort HttpInspect processing, and continue on with ** any other processing we do. The Session parameters that we use here are ** reset in the next time that we do session_inspection, so we don't do ** any initialization here. -** +** ** @param Session pointer to the HTTP session ** @param data pointer to the start of the packet payload ** @param dsize size of the payload -** +** ** @return integer -** +** ** @retval HI_INVALID_ARG invalid argument ** @retval HI_NONFATAL_ERR no URI detected ** @retval HI_SUCCESS URI detected and Session pointers updated */ + int StatelessInspection(HI_SESSION *Session, const unsigned char *data, - int dsize, sfip_t **true_ip) + int dsize, HttpSessionData *hsd, int stream_ins) { HTTPINSPECT_CONF *ServerConf; HTTPINSPECT_CONF *ClientConf; @@ -2184,7 +2632,7 @@ } } } - + break; } @@ -2221,10 +2669,10 @@ } method_len = method_ptr.uri_end - method_ptr.uri; - /* Need slightly special handling for POST requests + /* Need slightly special handling for POST requests * Since we don't normalize on the request method itself, * just do a strcmp here and skip the characters below. */ - if(method_len == 4 && !strncasecmp("POST", (const char *)method_ptr.uri, 4)) + if(method_len == 4 && !strncasecmp("POST", (const char *)method_ptr.uri, 4)) { hi_stats.post++; Client->request.method = HI_POST_METHOD; 
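Review bot: StatelessInspection's Doxygen block is touched only for trailing whitespace and still lists `@param Session`, `@param data` and `@param dsize`, while the signature now takes `hsd` and `stream_ins` in place of `true_ip`. I'd add `** @param hsd per-session HttpInspect data, handed through to header, URI and body extraction (may be NULL)` and `** @param stream_ins forwarded to the header extractors; when non-zero, hostname extraction is skipped (see hi_client_extract_header)` to the list. The blank line added between `*/` and `int StatelessInspection(` is worth dropping so the comment stays visibly attached to the function. The function body continues past this hunk.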
@@ -2241,44 +2689,17 @@ if(iRet == -1 || (CmdConf == NULL)) { + sans_uri = 1; Client->request.method = HI_UNKNOWN_METHOD; } } else { + sans_uri = 1; Client->request.method = HI_UNKNOWN_METHOD; } - if (Client->request.method == HI_UNKNOWN_METHOD) - { - if (IsHttpVersion(&ptr, end)) - { - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - else if (method_len == len) - { - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - else if (SnortStrnPbrk((const char *)method_ptr.uri, method_len, "()<>@,;:\\\"/[]?={} \t") != NULL) - { - /* Look for the seperator charactors as part of the method */ - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - else if (non_ascii_mthd == 1) - { - sans_uri = 1; - iRet = URI_END; - method_ptr.uri = method_ptr.uri_end = NULL; - } - } - if (!sans_uri ) { uri_ptr.uri = ptr; @@ -2287,7 +2708,7 @@ /* This will set up the URI pointers - effectively extracting * the URI. */ iRet = hi_client_extract_uri( - Session, ServerConf, Client, start, end, ptr, &uri_ptr); + Session, ServerConf, Client, start, end, ptr, &uri_ptr, hsd, stream_ins); } /* Check if the URI exceeds the max header field length */ @@ -2300,7 +2721,7 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_LONG_HDR, NULL, NULL); } - if(iRet == URI_END && + if(iRet == URI_END && !(ServerConf->uri_only) && !(Client->request.method & HI_UNKNOWN_METHOD)) { 
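Review bot: With the deleted branch gone, `sans_uri = 1;` is now set for every unknown method, so `hi_client_extract_uri` is never reached for such a request, and in the `@@ -2374,107 +2797,69 @@` hunk the same condition leads to `CLR_METHOD(Client); return HI_NONFATAL_ERR;` — a request whose method is not in the configured list is no longer inspected, whereas before it was still parsed when a version string followed, no separator characters appeared and the method was ASCII. If that is the intended policy it should be stated at the two new lines, e.g. `/* unknown method: skip URI extraction; StatelessInspection returns HI_NONFATAL_ERR below */`, since it is also a detection-coverage decision. `non_ascii_mthd`, whose only reader visible on this page sat in the deleted block, may now be set but never used. The enclosing function starts and ends outside this hunk.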
@@ -2312,13 +2733,13 @@ // // uri_ptr.end points to end of URI & HTTP version identifier. if (hi_util_in_bounds(start, end, uri_ptr.uri_end + 1)) - ptr = hi_client_extract_header(Session, ServerConf, &header_ptr, uri_ptr.uri_end+1, end, true_ip); + ptr = hi_client_extract_header(Session, ServerConf, &header_ptr, uri_ptr.uri_end+1, end, hsd, stream_ins); if (header_ptr.header.uri) { Client->request.header_raw = header_ptr.header.uri; Client->request.header_raw_size = header_ptr.header.uri_end - header_ptr.header.uri; - if ((int)Client->request.header_raw_size <= 0) + if(!Client->request.header_raw_size) { CLR_HEADER(Client); } @@ -2348,18 +2769,20 @@ CLR_HEADER(Client); } - /* Need to skip over header and get to the body. - * The unaptly named FindPipelineReq will do that. */ - ptr = FindPipelineReq(Session, uri_ptr.delimiter, end); - //ptr = FindPipelineReq(Session, ptr, end); - if(ptr) - { - if (header_ptr.content_len.cont_len_start) + /* Got a Content-Length or it's a POST request which may be chunked */ + if (header_ptr.content_len.cont_len_start || header_ptr.is_chunked) + { + /* Need to skip over header and get to the body. + * The unaptly named FindPipelineReq will do that. */ + ptr = FindPipelineReq(Session, uri_ptr.delimiter, end); + //ptr = FindPipelineReq(Session, ptr, end); + if(ptr) { post_ptr.uri = ptr; post_ptr.uri_end = end; if((POST_END == hi_client_extract_post( - Session, ServerConf, ptr, end, &post_ptr, header_ptr.content_len.len ))) + Session, ServerConf, ptr, end, &post_ptr, + header_ptr.content_len.len, header_ptr.is_chunked, hsd ))) { hi_stats.post_params++; Client->request.post_raw = post_ptr.uri; 
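Review bot: Replacing `if ((int)Client->request.header_raw_size <= 0)` with `if(!Client->request.header_raw_size)` drops the case where `header_ptr.header.uri_end` lies before `header_ptr.header.uri`: the pointer difference then becomes a large unsigned size (assuming `header_raw_size` is unsigned, as the old `(int)` cast suggests) and is accepted rather than cleared. hi_client_extract_header initialises the pair to `start`/`end`, but its later updates are outside this page, so I'd test the pointers before computing the size: `if (header_ptr.header.uri_end <= header_ptr.header.uri) { CLR_HEADER(Client); }`. The enclosing function continues past the hunk.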
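Review bot: The comment `/* Got a Content-Length or it's a POST request which may be chunked */` does not match the condition beneath it, which tests `cont_len_start || is_chunked` for any method. I'd write `/* A body is announced: Content-Length was seen, or the transfer-encoding parser set is_chunked; skip the header to reach it */`. Since `content_len.len` becomes `uint32_t` in this patch's hi_client.h hunk, the `-1` that the removed branch passed to `hi_client_extract_post` is no longer representable; the new guard makes that moot, but a short comment saying so keeps the sentinel from being reintroduced. The enclosing function continues outside the hunk.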
@@ -2374,107 +2797,69 @@ if ( ptr < end ) Client->request.pipeline_req = ptr; - } - else - { - uint8_t *tmp = memchr(ptr, (int)' ', end - ptr); - if(tmp && ( (tmp - (uint8_t*)ptr) < 8 )) + if(Client->request.post_raw && (ServerConf->post_depth > -1)) { - Client->request.pipeline_req = ptr; - CLR_POST(Client); - } - else - { - post_ptr.uri = ptr; - post_ptr.uri_end = end; - - if((POST_END == hi_client_extract_post( - Session, ServerConf, ptr, end, &post_ptr, -1))) + if(ServerConf->post_depth && ((int)Client->request.post_raw_size > ServerConf->post_depth)) { - hi_stats.post_params++; - Client->request.post_raw = post_ptr.uri; - Client->request.post_raw_size = post_ptr.uri_end - post_ptr.uri; - Client->request.post_norm = post_ptr.norm; - } - else - { - CLR_POST(Client); + Client->request.post_raw_size = ServerConf->post_depth; } } - } - - if(Client->request.post_raw && (ServerConf->post_depth > -1)) - { - if(ServerConf->post_depth && ((int)Client->request.post_raw_size > ServerConf->post_depth)) + else { - Client->request.post_raw_size = ServerConf->post_depth; + CLR_POST(Client); } } else { CLR_POST(Client); + ptr = uri_ptr.delimiter; } } - else + else { - CLR_POST(Client); ptr = uri_ptr.delimiter; } } - else + else { CLR_HEADER(Client); CLR_POST(Client); - if (method_ptr.uri) + if (!(Client->request.method & HI_UNKNOWN_METHOD) && method_ptr.uri) { Client->request.method_raw = method_ptr.uri; Client->request.method_size = method_ptr.uri_end - method_ptr.uri; } - ptr = uri_ptr.delimiter; - } - - /* - ** If there is a pipelined request in this packet, we should always - ** see the first space followed by text (which is the URI). Without - ** that first space, then we never get to the URI, so we should just - ** return, since there is nothing else to inspect. 
- */ - if(Client->request.pipeline_req) - { - if(uri_ptr.uri != uri_ptr.first_sp_end) + else { - if(Session->server_conf->chunk_length) - CheckChunkEncoding(Session, start, end, NULL, NULL, 0, 0, NULL, NULL); - + CLR_METHOD(Client); return HI_NONFATAL_ERR; } + ptr = uri_ptr.delimiter; } - else + + /* + ** Find the next pipeline request, if one is there. If we don't find + ** a pipeline request, then we return NULL here, so this is always + ** set to the correct value. + */ + if(!ServerConf->no_pipeline) { - /* - ** Find the next pipeline request, if one is there. If we don't find - ** a pipeline request, then we return NULL here, so this is always - ** set to the correct value. - */ - if(!ServerConf->no_pipeline) + if(post_ptr.uri) { - if(post_ptr.uri) - { - Client->request.pipeline_req = - FindPipelineReq(Session, post_ptr.delimiter, end); - } - else if(!Client->request.pipeline_req && uri_ptr.uri) - { - Client->request.pipeline_req = - FindPipelineReq(Session, ptr, end); - } + Client->request.pipeline_req = + FindPipelineReq(Session, post_ptr.delimiter, end); } - else + else if(!Client->request.pipeline_req && uri_ptr.uri) { - Client->request.pipeline_req = NULL; + Client->request.pipeline_req = + FindPipelineReq(Session, ptr, end); } } + else + { + Client->request.pipeline_req = NULL; + } /* ** We set the HI_CLIENT variables from the URI_PTR structure. We also @@ -2485,7 +2870,6 @@ { return iRet; } - /* ** One last check for an oversize directory. This gets the long ** directory when there is a beginning slash and no other slashes @@ -2510,7 +2894,7 @@ { if(hi_eo_generate_event(Session, HI_EO_CLIENT_PROXY_USE)) { - hi_eo_client_event_log(Session, HI_EO_CLIENT_PROXY_USE, + hi_eo_client_event_log(Session, HI_EO_CLIENT_PROXY_USE, NULL, NULL); } } 
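Review bot: The deleted block `if(Client->request.pipeline_req) { if(uri_ptr.uri != uri_ptr.first_sp_end) { ... CheckChunkEncoding(Session, start, end, ...); return HI_NONFATAL_ERR; } }` has no visible replacement: a pipelined request now falls through to the generic `FindPipelineReq` logic and the chunk-encoding check on that path is gone. If chunk checking now happens while the Transfer-Encoding header is parsed (the new `is_chunked` flag suggests so, but that code is outside this page), say so at the moved `/* Find the next pipeline request ...` comment, e.g. `/* chunk-size checks are done when Transfer-Encoding is parsed; none needed per pipelined request here */`. Separately, the body handling is now an if/else ladder four levels deep with `CLR_POST(Client);` and `ptr = uri_ptr.delimiter;` each repeated in two branches; a static helper that sets or clears the post pointers and returns the resume pointer would make the branches readable. The function starts before and ends after this hunk.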
@@ -2518,7 +2902,7 @@ return HI_SUCCESS; } -int hi_client_inspection(void *S, const unsigned char *data, int dsize, sfip_t **true_ip) +int hi_client_inspection(void *S, const unsigned char *data, int dsize, HttpSessionData *hsd, int stream_ins) { HTTPINSPECT_GLOBAL_CONF *GlobalConf; HI_SESSION *Session; @@ -2555,7 +2939,7 @@ /* ** Otherwise we assume stateless inspection */ - iRet = StatelessInspection(Session, data, dsize, true_ip); + iRet = StatelessInspection(Session, data, dsize, hsd, stream_ins); if (iRet) { return iRet; @@ -2572,17 +2956,16 @@ /** ** Initializes arrays and search algorithms depending on the type of ** inspection that we are doing. -** +** ** @param GlobalConf pointer to the global configuration -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful. */ int hi_client_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf) { int iCtr; - int iNum; if(GlobalConf->inspection_type == HI_UI_CONFIG_STATEFUL) { @@ -2593,7 +2976,6 @@ else { memset(lookup_table, 0x00, sizeof(lookup_table)); - memset(hex_lookup, -1, sizeof(hex_lookup)); /* ** Set up the non-ASCII register for processing. @@ -2637,35 +3019,6 @@ */ lookup_table[':'] = SetProxy; - /* - ** Set up the hex array - */ - iNum = 0; - for(iCtr = 48; iCtr < 58; iCtr++) - { - hex_lookup[iCtr] = iNum; - iNum++; - } - - /* - ** Set the upper case values. - */ - iNum = 10; - for(iCtr = 65; iCtr < 71; iCtr++) - { - hex_lookup[iCtr] = iNum; - iNum++; - } - - /* - ** Set the lower case values. - */ - iNum = 10; - for(iCtr = 97; iCtr < 103; iCtr++) - { - hex_lookup[iCtr] = iNum; - iNum++; - } } return HI_SUCCESS; @@ -2710,12 +3063,12 @@ printf("** error client init\n"); return iRet; } - + SiInput.sip = inet_addr("1.1.1.1"); SiInput.sip = inet_addr("1.1.1.2"); SiInput.dport = 80; SiInput.sport = 7880; - + if((iRet = hi_si_session_inspection(&GlobalConf, &Session, &SiInput, &iInspectMode))) { 
@@ -2724,7 +3077,7 @@ } printf("** iInspectMode = %d\n", iInspectMode); - if((iRet = hi_mi_mode_inspection(Session, iInspectMode, data, + if((iRet = hi_mi_mode_inspection(Session, iInspectMode, data, strlen(data)))) { printf("** error mode_inspection\n"); @@ -2734,5 +3087,5 @@ return 0; } #endif - - + + diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/client/hi_client_norm.c snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client_norm.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/client/hi_client_norm.c 2010-01-26 10:10:15.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/client/hi_client_norm.c 2011-06-07 17:33:18.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,17 +18,17 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_client_norm.c -** +** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief HTTP client normalization routines -** -** We deal with the normalization of HTTP client requests headers and +** +** We deal with the normalization of HTTP client requests headers and ** URI. -** +** ** In this file, we handle all the different HTTP request URI evasions. The ** list is: ** - ASCII decoding @@ -39,8 +39,10 @@ ** - Double decoding ** - %U decoding ** - Bare Byte Unicode decoding +** +** Base 36 is deprecated and essentially a noop ** - Base36 decoding -** +** ** NOTES: ** - Initial development. DJR */ 
@@ -49,13 +51,16 @@ #include <sys/types.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_norm.h" #include "hi_util.h" #include "hi_return_codes.h" -#include "bounds.h" +#include "snort_bounds.h" -#define MAX_URI 4096 int hi_split_header_cookie(HI_SESSION *Session, u_char *header, int *i_header_len, u_char *cookie_header, int *i_cookie_len, @@ -219,7 +224,7 @@ if(ClientReq->uri_norm) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, UriBuf, &iUriBufSize, + iRet = hi_norm_uri(Session, UriBuf, &iUriBufSize, ClientReq->uri, ClientReq->uri_size, &encodeType); if (iRet == HI_NONFATAL_ERR) { @@ -228,9 +233,9 @@ ClientReq->uri_norm_size = 0; ClientReq->uri_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ClientReq->uri_norm = UriBuf; ClientReq->uri_norm_size = iUriBufSize; @@ -274,7 +279,7 @@ if(ClientReq->header_norm && Session->server_conf->normalize_headers) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, + iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, RawHeaderBuf, iRawHeaderBufSize, &encodeType); if (iRet == HI_NONFATAL_ERR) { @@ -283,9 +288,9 @@ ClientReq->header_norm_size = 0; ClientReq->header_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ClientReq->header_norm = HeaderBuf; ClientReq->header_norm_size = iHeaderBufSize; @@ -295,7 +300,7 @@ } else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ if (iRawHeaderBufSize) { 
@@ -308,7 +313,7 @@ if(ClientReq->cookie.cookie && Session->server_conf->normalize_cookies) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, + iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, RawCookieBuf, iRawCookieBufSize, &encodeType); if (iRet == HI_NONFATAL_ERR) { @@ -317,9 +322,9 @@ ClientReq->cookie_norm_size = 0; ClientReq->cookie_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ClientReq->cookie_norm = CookieBuf; ClientReq->cookie_norm_size = iCookieBufSize; @@ -329,7 +334,7 @@ } else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ if (iRawCookieBufSize) { @@ -339,12 +344,12 @@ } } - /* Handle normalization of post methods. + /* Handle normalization of post methods. * Note: posts go into a different buffer. */ if(ClientReq->post_norm) { Session->norm_flags |= HI_BODY; - iRet = hi_norm_uri(Session, PostBuf, &iPostBufSize, + iRet = hi_norm_uri(Session, PostBuf, &iPostBufSize, ClientReq->post_raw, ClientReq->post_raw_size, &encodeType); if (iRet == HI_NONFATAL_ERR) { @@ -352,7 +357,7 @@ ClientReq->post_norm_size = 0; ClientReq->post_encode_type = 0; } - else + else { ClientReq->post_norm = PostBuf; ClientReq->post_norm_size = iPostBufSize; diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/client/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/client/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/client/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/client/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -78,7 +78,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -93,6 +95,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -129,13 +132,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.9.2/src/preprocessors/HttpInspect/event_output/hi_eo_log.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2010-09-27 08:28:14.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,19 +18,19 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_eo_log.c ** ** @author Daniel Roelker <droelker@sourcefire.com> ** -** @brief This file contains the event output functionality that +** @brief This file contains the event output functionality that ** HttpInspect uses to log events and data associated with ** the events. ** ** Log events, retrieve events, and select events that HttpInspect ** generates. -** +** ** Logging Events: ** Since the object behind this is no memset()s, we have to rely on the ** stack interface to make sure we don't log the same event twice. So @@ -44,6 +44,10 @@ */ #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_si.h" #include "hi_eo.h" #include "hi_util_xmalloc.h" @@ -54,7 +58,7 @@ ** Any time that a new client event is added, we have to ** add the event id and the priority here. If you want to ** change either of those characteristics, you have to change -** them here. +** them here. */ static HI_EVENT_INFO client_event_info[HI_EO_CLIENT_EVENT_NUM] = { { HI_EO_CLIENT_ASCII, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_ASCII_STR }, 
@@ -62,13 +66,14 @@ HI_EO_CLIENT_DOUBLE_DECODE_STR }, { HI_EO_CLIENT_U_ENCODE, HI_EO_MED_PRIORITY, HI_EO_CLIENT_U_ENCODE_STR }, { HI_EO_CLIENT_BARE_BYTE, HI_EO_HIGH_PRIORITY, HI_EO_CLIENT_BARE_BYTE_STR}, + /* Base36 is deprecated - leave here so events keep the same number */ { HI_EO_CLIENT_BASE36, HI_EO_HIGH_PRIORITY, HI_EO_CLIENT_BASE36_STR }, { HI_EO_CLIENT_UTF_8, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_UTF_8_STR }, - { HI_EO_CLIENT_IIS_UNICODE, HI_EO_LOW_PRIORITY, + { HI_EO_CLIENT_IIS_UNICODE, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_IIS_UNICODE_STR }, { HI_EO_CLIENT_MULTI_SLASH, HI_EO_MED_PRIORITY, HI_EO_CLIENT_MULTI_SLASH_STR }, - { HI_EO_CLIENT_IIS_BACKSLASH, HI_EO_MED_PRIORITY, + { HI_EO_CLIENT_IIS_BACKSLASH, HI_EO_MED_PRIORITY, HI_EO_CLIENT_IIS_BACKSLASH_STR }, { HI_EO_CLIENT_SELF_DIR_TRAV, HI_EO_HIGH_PRIORITY, HI_EO_CLIENT_SELF_DIR_TRAV_STR }, 
@@ -91,11 +96,25 @@ {HI_EO_CLIENT_MAX_HEADERS, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_MAX_HEADERS_STR}, {HI_EO_CLIENT_MULTIPLE_CONTLEN, HI_EO_HIGH_PRIORITY, - HI_EO_CLIENT_MULTIPLE_CONTLEN_STR}, + HI_EO_CLIENT_MULTIPLE_CONTLEN_STR}, {HI_EO_CLIENT_CHUNK_SIZE_MISMATCH, HI_EO_HIGH_PRIORITY, - HI_EO_CLIENT_CHUNK_SIZE_MISMATCH_STR}, + HI_EO_CLIENT_CHUNK_SIZE_MISMATCH_STR}, {HI_EO_CLIENT_INVALID_TRUEIP, HI_EO_LOW_PRIORITY, - HI_EO_CLIENT_INVALID_TRUEIP_STR} + HI_EO_CLIENT_INVALID_TRUEIP_STR}, + {HI_EO_CLIENT_MULTIPLE_HOST_HDRS, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_MULTIPLE_HOST_HDRS_STR}, + {HI_EO_CLIENT_LONG_HOSTNAME, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_LONG_HOSTNAME_STR}, + {HI_EO_CLIENT_EXCEEDS_SPACES, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_EXCEEDS_SPACES_STR}, + {HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS_STR}, + {HI_EO_CLIENT_UNBOUNDED_POST, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_UNBOUNDED_POST_STR}, + {HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION, HI_EO_MED_PRIORITY, + HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION_STR}, + {HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS, HI_EO_LOW_PRIORITY, + HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS_STR} }; static HI_EVENT_INFO server_event_info[HI_EO_SERVER_EVENT_NUM] = { 
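Review bot: `client_event_info` is sized `HI_EO_CLIENT_EVENT_NUM` and filled positionally, so the seven new rows line up with `HI_CLI_EVENTS` only because they were appended in exactly the enum's order; nothing enforces that, and the first field of each row suggests the table is looked up by event id. Designated initializers make the invariant explicit, e.g. `[HI_EO_CLIENT_MULTIPLE_HOST_HDRS] = {HI_EO_CLIENT_MULTIPLE_HOST_HDRS, HI_EO_LOW_PRIORITY, HI_EO_CLIENT_MULTIPLE_HOST_HDRS_STR},`, so a misordered row no longer changes which id gets which priority and alert string. The same applies to the six rows added to `server_event_info` in the next hunk.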
@@ -103,12 +122,23 @@ {HI_EO_SERVER_INVALID_STATCODE, HI_EO_MED_PRIORITY, HI_EO_SERVER_INVALID_STATCODE_STR}, {HI_EO_SERVER_NO_CONTLEN, HI_EO_MED_PRIORITY, - HI_EO_SERVER_NO_CONTLEN_STR}, + HI_EO_SERVER_NO_CONTLEN_STR}, {HI_EO_SERVER_UTF_NORM_FAIL, HI_EO_MED_PRIORITY, - HI_EO_SERVER_UTF_NORM_FAIL_STR}, + HI_EO_SERVER_UTF_NORM_FAIL_STR}, {HI_EO_SERVER_UTF7, HI_EO_MED_PRIORITY, - HI_EO_SERVER_UTF7_STR} - + HI_EO_SERVER_UTF7_STR}, + {HI_EO_SERVER_DECOMPR_FAILED, HI_EO_MED_PRIORITY, + HI_EO_SERVER_DECOMPR_FAILED_STR}, + {HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS, HI_EO_MED_PRIORITY, + HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS_STR}, + {HI_EO_CLISRV_MSG_SIZE_EXCEPTION, HI_EO_MED_PRIORITY, + HI_EO_CLISRV_MSG_SIZE_EXCEPTION_STR}, + {HI_EO_SERVER_JS_OBFUSCATION_EXCD, HI_EO_MED_PRIORITY, + HI_EO_SERVER_JS_OBFUSCATION_EXCD_STR}, + {HI_EO_SERVER_JS_EXCESS_WS, HI_EO_MED_PRIORITY, + HI_EO_SERVER_JS_EXCESS_WS_STR}, + {HI_EO_SERVER_MIXED_ENCODINGS, HI_EO_MED_PRIORITY, + HI_EO_SERVER_MIXED_ENCODINGS_STR} }; /* @@ -116,7 +146,7 @@ */ /** ** This routine logs anomalous server events to the event queue. -** +** ** @param Session pointer to the HttpInspect session ** @param iEvent the event id for the client ** @param data pointer to the user data of the event @@ -199,7 +229,7 @@ ** performance. We accomplish this utilizing an optimized stack as an ** index into the client event array, instead of walking a list for ** already logged events. The problem here is that we can't just log -** every event that we've already seen, because this opens us up to a +** every event that we've already seen, because this opens us up to a ** DOS. So by using this method, we can quickly check if an event ** has already been logged and deal appropriately. ** 
@@ -275,7 +305,7 @@ ** performance. We accomplish this utilizing an optimized stack as an ** index into the server event array, instead of walking a list for ** already logged events. The problem here is that we can't just log -** every event that we've already seen, because this opens us up to a +** every event that we've already seen, because this opens us up to a ** DOS. So by using this method, we can quickly check if an event ** has already been logged and deal appropriately. ** diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/event_output/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/event_output/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/event_output/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/event_output/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -77,7 +77,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -92,6 +94,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -128,13 +131,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ad.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ad.h --- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ad.h 2010-01-26 10:10:15.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ad.h 2011-02-09 15:23:31.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_client.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client.h --- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_client.h 2010-06-09 15:05:24.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -30,13 +30,19 @@ #include <sys/types.h> +#include "snort_httpinspect.h" #include "hi_include.h" #include "hi_eo.h" #include "hi_eo_events.h" #define URI_END 99 #define POST_END 100 #define NO_URI 101 -#define INVALID_HEX_VAL -1 +typedef enum { + TRUE_CLIENT_IP_HDR = 0x01, + XFF_HDR = 0x02, + HDRS_BOTH = 0x03 +} ActionSFCC; + typedef struct s_COOKIE_PTR { @@ -50,7 +56,7 @@ { const u_char *cont_len_start; const u_char *cont_len_end; - int len; + uint32_t len; }CONTLEN_PTR; typedef struct s_CONT_ENCODING_PTR @@ -67,7 +73,7 @@ CONT_ENCODING_PTR *content_encoding; } HEADER_FIELD_PTR; -/* These numbers were chosen to avoid conflicting with +/* These numbers were chosen to avoid conflicting with * the return codes in hi_return_codes.h */ /** @@ -78,7 +84,7 @@ ** For example, ** ** GET / HTTP/1.0 - ** ^ ^ + ** ^ ^ ** start end ** ** The end space pointers are set to NULL if there is space until the end @@ -107,6 +113,7 @@ COOKIE_PTR cookie; CONTLEN_PTR content_len; CONT_ENCODING_PTR content_encoding; + bool is_chunked; } HEADER_PTR; @@ -171,7 +178,17 @@ } HI_CLIENT; -int hi_client_inspection(void *Session, const unsigned char *data, int dsize, sfip_t **true_ip); +typedef struct s_HI_CLIENT_HDR_ARGS +{ + HEADER_PTR *hdr_ptr; + HEADER_FIELD_PTR *hdr_field_ptr; + HttpSessionData *sd; + int strm_ins; + int hst_name_hdr; + int true_clnt_xff; +} HI_CLIENT_HDR_ARGS; + +int hi_client_inspection(void *Session, const unsigned char *data, int dsize, HttpSessionData *hsd, int stream_ins); int hi_client_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf); -#endif +#endif diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_client_norm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_norm.h --- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_client_norm.h 2010-01-26 10:10:16.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_norm.h 2011-02-09 15:23:31.000000000 -0800 
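Review bot: `ActionSFCC` is a bit set — `TRUE_CLIENT_IP_HDR = 0x01`, `XFF_HDR = 0x02` — yet `HDRS_BOTH = 0x03` is a bare literal and the typedef carries no comment saying what it records or what "SFCC" stands for. I'd write `HDRS_BOTH = TRUE_CLIENT_IP_HDR | XFF_HDR` so the relationship is visible, and add above the typedef `/* bit flags: which proxied-client-IP headers (True-Client-IP, X-Forwarded-For) a request carried */`. `true_clnt_xff` in the new `HI_CLIENT_HDR_ARGS` below looks like the field that stores it — worth confirming and naming in that comment.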
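Review bot: Changing `CONTLEN_PTR.len` from `int` to `uint32_t` silently retires the `-1` "no Content-Length" sentinel that hi_client.c used to pass to `hi_client_extract_post` (the call removed in that file's `@@ -2374,107 +2797,69 @@` hunk); any remaining `len < 0` or `len == -1` comparison elsewhere still compiles but is now always false or compares against 0xFFFFFFFF. A comment on the field would pin the new contract, e.g. `uint32_t len; /* parsed Content-Length; only meaningful when cont_len_start is set */`, which matches how the new caller guards on `cont_len_start`.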
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_client_stateful.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_stateful.h --- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_client_stateful.h 2010-01-26 10:10:16.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_client_stateful.h 2011-02-09 15:23:31.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h --- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h 2010-06-23 21:06:09.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_cmd_lookup.h 2011-02-09 15:23:31.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * * - * * Copyright (C) 2003-2010 Sourcefire, Inc. + * * Copyright (C) 2003-2011 Sourcefire, Inc. * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_events.h --- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_eo_events.h 2010-09-27 08:28:14.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_events.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef __HI_EO_EVENTS_H__ #define __HI_EO_EVENTS_H__ 
@@ -27,43 +27,57 @@
 /*
 ** Client Events
 */
-typedef enum _HI_EVENTS
+typedef enum _HI_CLI_EVENTS
 {
 HI_EO_CLIENT_ASCII = 0,
 HI_EO_CLIENT_DOUBLE_DECODE ,
 HI_EO_CLIENT_U_ENCODE ,
 HI_EO_CLIENT_BARE_BYTE ,
- HI_EO_CLIENT_BASE36 ,
+ /* Base36 is deprecated - leave here so events keep the same number */
+ HI_EO_CLIENT_BASE36 ,
 HI_EO_CLIENT_UTF_8 ,
 HI_EO_CLIENT_IIS_UNICODE ,
 HI_EO_CLIENT_MULTI_SLASH ,
 HI_EO_CLIENT_IIS_BACKSLASH ,
 HI_EO_CLIENT_SELF_DIR_TRAV ,
 HI_EO_CLIENT_DIR_TRAV ,
- HI_EO_CLIENT_APACHE_WS ,
- HI_EO_CLIENT_IIS_DELIMITER ,
- HI_EO_CLIENT_NON_RFC_CHAR ,
- HI_EO_CLIENT_OVERSIZE_DIR ,
- HI_EO_CLIENT_LARGE_CHUNK ,
- HI_EO_CLIENT_PROXY_USE ,
- HI_EO_CLIENT_WEBROOT_DIR ,
+ HI_EO_CLIENT_APACHE_WS ,
+ HI_EO_CLIENT_IIS_DELIMITER ,
+ HI_EO_CLIENT_NON_RFC_CHAR ,
+ HI_EO_CLIENT_OVERSIZE_DIR ,
+ HI_EO_CLIENT_LARGE_CHUNK ,
+ HI_EO_CLIENT_PROXY_USE ,
+ HI_EO_CLIENT_WEBROOT_DIR ,
 HI_EO_CLIENT_LONG_HDR ,
 HI_EO_CLIENT_MAX_HEADERS ,
 HI_EO_CLIENT_MULTIPLE_CONTLEN,
 HI_EO_CLIENT_CHUNK_SIZE_MISMATCH,
 HI_EO_CLIENT_INVALID_TRUEIP ,
- HI_EO_CLIENT_EVENT_NUM
-} HI_EVENTS;
+ HI_EO_CLIENT_MULTIPLE_HOST_HDRS,
+ HI_EO_CLIENT_LONG_HOSTNAME ,
+ HI_EO_CLIENT_EXCEEDS_SPACES ,
+ HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS,
+ HI_EO_CLIENT_UNBOUNDED_POST,
+ HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION,
+ HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS,
+ HI_EO_CLIENT_EVENT_NUM
+} HI_CLI_EVENTS;
-typedef enum _HI_SERV_EVENTS
+typedef enum _HI_EVENTS
 {
 HI_EO_ANOM_SERVER = 0,
 HI_EO_SERVER_INVALID_STATCODE,
 HI_EO_SERVER_NO_CONTLEN,
 HI_EO_SERVER_UTF_NORM_FAIL,
 HI_EO_SERVER_UTF7,
+ HI_EO_SERVER_DECOMPR_FAILED,
+ HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS,
+ HI_EO_CLISRV_MSG_SIZE_EXCEPTION,
+ HI_EO_SERVER_JS_OBFUSCATION_EXCD,
+ HI_EO_SERVER_JS_EXCESS_WS,
+ HI_EO_SERVER_MIXED_ENCODINGS,
 HI_EO_SERVER_EVENT_NUM
-}HI_SERV_EVENTS;
+}HI_EVENTS;
 /*
 ** These defines are the alert names for each event
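Review bot: The typedef names are swapped rather than merely renamed — `HI_EVENTS` used to be the client enum and now names the server enum, while the client enum becomes `HI_CLI_EVENTS` — so any existing declaration of a client event as `HI_EVENTS` keeps compiling (C enums convert silently to int) but now reads as a server-event type. If the swap is intentional, a comment on each typedef would stop the next reader from tripping on it, e.g. `/* HI_EVENTS: server-side events (this was the client enum before this change); client events are HI_CLI_EVENTS */`. The new client enumerators are appended just before `HI_EO_CLIENT_EVENT_NUM`, which keeps the existing event numbers stable as the BASE36 comment intends; `HI_EO_CLISRV_MSG_SIZE_EXCEPTION` is numbered in the server enum despite its name, which also deserves a one-line note.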
@@ -76,8 +90,9 @@
 "(http_inspect) U ENCODING"
 #define HI_EO_CLIENT_BARE_BYTE_STR \
 "(http_inspect) BARE BYTE UNICODE ENCODING"
+/* Base36 is deprecated - leave here so events keep the same number */
 #define HI_EO_CLIENT_BASE36_STR \
- "(http_inspect) BASE36 ENCODING"
+ "(http_inspect) BASE36 ENCODING"
 #define HI_EO_CLIENT_UTF_8_STR \
 "(http_inspect) UTF-8 ENCODING"
 #define HI_EO_CLIENT_IIS_UNICODE_STR \
@@ -112,8 +127,22 @@
 "(http_inspect) MULTIPLE CONTENT LENGTH"
 #define HI_EO_CLIENT_CHUNK_SIZE_MISMATCH_STR \
 "(http_inspect) CHUNK SIZE MISMATCH DETECTED"
+#define HI_EO_CLIENT_MULTIPLE_HOST_HDRS_STR \
+ "(http_inspect) MULTIPLE HOST HDRS DETECTED"
 #define HI_EO_CLIENT_INVALID_TRUEIP_STR \
 "(http_inspect) INVALID IP IN TRUE-CLIENT-IP/XFF HEADER"
+#define HI_EO_CLIENT_LONG_HOSTNAME_STR \
+ "(http_inspect) HOSTNAME EXCEEDS 255 CHARACTERS"
+#define HI_EO_CLIENT_EXCEEDS_SPACES_STR \
+ "(http_inspect) HEADER PARSING SPACE SATURATION"
+#define HI_EO_CLIENT_CONSECUTIVE_SMALL_CHUNKS_STR \
+ "(http_inspect) CLIENT CONSECUTIVE SMALL CHUNK SIZES"
+#define HI_EO_CLIENT_UNBOUNDED_POST_STR \
+ "(http_inspect) POST W/O CONTENT-LENGTH OR CHUNKS"
+#define HI_EO_CLIENT_MULTIPLE_TRUEIP_IN_SESSION_STR \
+ "(http_inspect) MULTIPLE TRUE IPS IN A SESSION"
+#define HI_EO_CLIENT_BOTH_TRUEIP_XFF_HDRS_STR \
+ "(http_inspect) BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT"
 /*
 ** Server Events
@@ -129,6 +158,18 @@
 "(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE"
 #define HI_EO_SERVER_UTF7_STR \
 "(http_inspect) HTTP RESPONSE HAS UTF-7 CHARSET"
+#define HI_EO_SERVER_DECOMPR_FAILED_STR \
+ "(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED"
+#define HI_EO_SERVER_CONSECUTIVE_SMALL_CHUNKS_STR \
+ "(http_inspect) SERVER CONSECUTIVE SMALL CHUNK SIZES"
+#define HI_EO_CLISRV_MSG_SIZE_EXCEPTION_STR \
+ "(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE"
+#define HI_EO_SERVER_JS_OBFUSCATION_EXCD_STR \
+ "(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1"
+#define HI_EO_SERVER_JS_EXCESS_WS_STR \
+ "(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED"
+#define HI_EO_SERVER_MIXED_ENCODINGS_STR \
+ "(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA"
 /*
 ** Event Priorities
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_eo.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_eo.h 2010-06-09 15:05:24.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo.h 2011-02-09 15:23:31.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_eo_log.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_log.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_eo_log.h 2010-06-09 15:05:24.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_eo_log.h 2011-06-07 17:33:18.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -18,7 +18,7 @@
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
  ****************************************************************************/
-
+
 #ifndef __HI_EO_LOG_H__
 #define __HI_EO_LOG_H__
@@ -26,7 +26,7 @@
 #include "hi_si.h"
 #include "hi_return_codes.h"
-static INLINE int hi_eo_generate_event(HI_SESSION *Session, int iAlert)
+static inline int hi_eo_generate_event(HI_SESSION *Session, int iAlert)
 {
 if(iAlert && !(Session->norm_flags & HI_BODY) && !Session->server_conf->no_alerts)
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_include.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_include.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_include.h 2010-04-06 07:05:50.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_include.h 2011-06-07 17:33:18.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -18,12 +18,12 @@
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
  ****************************************************************************/
-
+
 #ifndef __HI_INCLUDE_H__
 #define __HI_INCLUDE_H__
 #include "sf_types.h"
-#include "debug.h"
+#include "snort_debug.h"
 #include "ipv6_port.h"
 #define HI_UNKNOWN_METHOD 1
@@ -34,7 +34,6 @@
 uint64_t unicode;
 uint64_t double_unicode;
 uint64_t non_ascii; /* Non ASCII-representable character in URL */
- uint64_t base36;
 uint64_t dir_trav; /* '../' */
 uint64_t slashes; /* '//' */
 uint64_t self_ref; /* './' */
@@ -58,18 +57,18 @@
 uint64_t gzip_pkts;
 uint64_t compr_bytes_read;
 uint64_t decompr_bytes_read;
-#endif
+#endif
 } HIStats;
 extern HIStats hi_stats;
-#ifndef INLINE
+#ifndef inline
 #ifdef WIN32
-#define INLINE __inline
+#define inline __inline
 #else
-#define INLINE inline
+#define inline inline
 #endif
-#endif /* endif for INLINE */
+#endif /* endif for inline */
 #endif
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_mi.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_mi.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_mi.h 2010-04-06 07:05:50.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_mi.h 2011-02-09 15:23:31.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_norm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_norm.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_norm.h 2010-09-27 08:28:14.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_norm.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
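Review bot: `#ifndef inline` / `#define inline inline` turns the C99 keyword into a macro; C11 §7.1.2 forbids having a macro whose name matches a keyword defined at the point a standard header is included, and `sf_types.h` is included above this block while any system header pulled in after `hi_include.h` by a translation unit hits the same rule, so whether this is well-formed now depends on include order. The non-WIN32 branch expands `inline` to itself and can simply go; keep only the WIN32 mapping, guarded so it cannot shadow a real keyword: `#if defined(WIN32) && !defined(inline)` / `#define inline __inline` / `#endif`. The old `INLINE` spelling at least never collided with a keyword, so this is a regression in portability rather than a cleanup.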
@@ -40,7 +40,6 @@
 #include "hi_ui_config.h"
 #include "hi_si.h"
-int hi_norm_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf);
 int hi_normalization(HI_SESSION *Session, int iInspectMode, HttpSessionData *hsd);
 int hi_norm_uri(HI_SESSION *Session, u_char *uribuf,int *uribuf_size, const u_char *uri, int uri_size, uint16_t *encodeType);
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_paf.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_paf.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_paf.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_paf.h 2011-07-13 15:44:51.000000000 -0700
@@ -0,0 +1,41 @@
+/* $Id$ */
+/****************************************************************************
+ *
+ * Copyright (C) 2011-2011 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+//--------------------------------------------------------------------
+// hi stuff
+//
+// @file hi_paf.h
+// @author Russ Combs <rcombs@sourcefire.com>
+//--------------------------------------------------------------------
+
+#ifndef __HI_PAF_H__
+#define __HI_PAF_H__
+
+#include "sfPolicy.h"
+#include "sf_types.h"
+
+bool hi_paf_init(uint32_t cap);
+void hi_paf_term(void);
+int hi_paf_register(uint16_t port, bool client, bool server, tSfPolicyId pid);
+
+#endif
+
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h 2010-01-26 10:10:17.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_reqmethod_check.h 2011-02-09 15:23:32.000000000 -0800
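Review bot: The three new prototypes carry no contract — what `cap` bounds in `hi_paf_init`, what its `bool` return signals, and what `hi_paf_register` returns on failure are all left to whoever reads hi_paf.c. A one-line comment per prototype would make the header self-describing, e.g. `/* cap: TODO state what is capped; returns false when initialisation fails */` above `hi_paf_init` and a `@return` line on `hi_paf_register`, in the Doxygen style the neighbouring headers already use. The header also relies on `bool`, `uint32_t` and `uint16_t` arriving through `sf_types.h` rather than including `<stdbool.h>`/`<stdint.h>` itself; that is presumably the project convention, but `sfPolicy.h` is included first and would have to be self-contained for this to be order-independent.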
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2005-2010 Sourcefire, Inc.
+** Copyright (C) 2005-2011 Sourcefire, Inc.
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_return_codes.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_return_codes.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_return_codes.h 2010-01-26 10:10:17.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_return_codes.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_server.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_server.h 2010-06-09 15:05:24.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_server_norm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server_norm.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_server_norm.h 2010-09-27 08:28:14.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_server_norm.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_si.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_si.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_si.h 2010-01-26 10:10:17.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_si.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h 2010-01-26 10:10:17.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_stateful_inspect.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_config.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ui_config.h 2010-09-27 08:28:14.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_config.h 2011-11-21 12:15:24.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -18,10 +18,10 @@
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
  ****************************************************************************/
-
+
 /**
 ** @file hi_ui_config.h
-**
+**
 ** @author Daniel Roelker <droelker@sourcefire.com>
 **
 ** @brief This file contains the internal configuration structures
@@ -36,6 +36,7 @@
 #define __HI_UI_CONFIG_H__
 #include "hi_include.h"
+#include "snort_bounds.h"
 #include "sfrt.h"
 #include "ipv6_port.h"
 #include "sf_ip.h"
@@ -51,6 +52,7 @@
 #define HI_UI_CONFIG_MAX_HDR_DEFAULT 0
 #define HI_UI_CONFIG_MAX_HEADERS_DEFAULT 0
+#define HI_UI_CONFIG_MAX_SPACES_DEFAULT 200
 /*
 ** Special characters treated as whitespace before or after URI
@@ -84,7 +86,7 @@
 /* The following are used to delineate server profiles for user output
  * and debugging information.
  */
-typedef enum e_PROFILES
+typedef enum e_PROFILES
 {
 HI_ALL,
 HI_APACHE,
@@ -101,6 +103,13 @@
 } HTTP_CMD_CONF;
+typedef struct _HISmallChunkLength
+{
+ uint8_t size;
+ uint8_t num;
+
+} HISmallChunkLength;
+
 /**
 ** This is the configuration construct that holds the specific
 ** options for a server. Each unique server has it's own structure
@@ -123,24 +132,27 @@
 int iis_unicode_codepage;
 int long_dir;
-
+
 /*
 ** Chunk encoding anomaly detection
 */
 unsigned int chunk_length;
+ HISmallChunkLength small_chunk_length;
 char uri_only;
 char no_alerts;
 char enable_cookie;
 char inspect_response;
 char enable_xff;
+ char log_uri;
+ char log_hostname;
 #ifdef ZLIB
 char extract_gzip;
 char unlimited_decompress;
 #endif
-
- /* Support Extended ascii codes in the URI */
+
+ /* Support Extended ascii codes in the URI */
 char extended_ascii_uri;
 /*
 ** pipeline requests
@@ -164,13 +176,13 @@
 char tab_uri_delimiter;
 /*
- ** Normalize HTTP Headers if they exist.
+ ** Normalize HTTP Headers if they exist.
 XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization.
 */
 char normalize_headers;
 /*
- ** Normalize HTTP Headers if they exist.
+ ** Normalize HTTP Headers if they exist.
 XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization.
 */
 char normalize_cookies;
@@ -181,6 +193,11 @@
 char normalize_utf;
 /*
+ * Normalize Javascripts in HTTP server responses
+ */
+ char normalize_javascript;
+
+ /*
 ** Characters to be treated as whitespace bracketing a URI.
 */
 char whitespace[256];
@@ -192,7 +209,6 @@
 HTTPINSPECT_CONF_OPT double_decoding;
 HTTPINSPECT_CONF_OPT u_encoding;
 HTTPINSPECT_CONF_OPT bare_byte;
- HTTPINSPECT_CONF_OPT base36;
 HTTPINSPECT_CONF_OPT utf_8;
 HTTPINSPECT_CONF_OPT iis_unicode;
 char non_rfc_chars[256];
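Review bot: `HISmallChunkLength` is introduced without a comment and both members are `uint8_t`, so whatever the config parser stores into `small_chunk_length` is silently truncated modulo 256 unless the parser range-checks it first; the header should state the intended meaning and the 0..255 limit so the parser side is written to match. Suggested comment above the struct: `/* consecutive-small-chunk detection: presumably num consecutive chunks of at most size bytes raise the CONSECUTIVE_SMALL_CHUNKS events; both fields hold 0..255, so the parser must reject larger values */` — the event names come from hi_eo_events.h in this same diff, the threshold semantics need confirming against the parser. The blank line before the closing brace of the struct can go.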
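Review bot: The comment block above `normalize_cookies` in the `@@ -164,13 +176,13 @@` hunk still reads `** Normalize HTTP Headers if they exist.` — a copy of the `normalize_headers` comment — and this hunk rewrites exactly that line, so it is the moment to change it to `** Normalize HTTP Cookies if they exist.`. The duplicated `XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization.` line should only stay on the cookie field if the open question genuinely applies to cookies as well; otherwise drop it there. The new `* Normalize Javascripts in HTTP server responses` comment uses a single-asterisk style where every neighbouring comment in this struct uses `**`, which is a small consistency point.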
@@ -208,15 +224,17 @@
 HTTPINSPECT_CONF_OPT iis_delimiter;
 int max_hdr_len;
 int max_headers;
+ int max_spaces;
+ int max_js_ws;
 PROFILES profile;
 CMD_LOOKUP *cmd_lookup;
-
+
 /**Used to track references to this allocated data structure. Each additional
- * reference should increment referenceCount. Each attempted free should
- * decrement it. When free is attempted and reference count is 0, then
- * this HTTPINSPECT_CONF should be actually freed.
- */
+ * reference should increment referenceCount. Each attempted free should
+ * decrement it. When free is attempted and reference count is 0, then
+ * this HTTPINSPECT_CONF should be actually freed.
+ */
 int referenceCount;
 } HTTPINSPECT_CONF;
@@ -229,9 +247,7 @@
 */
 typedef struct s_HTTPINSPECT_GLOBAL_CONF
 {
-#ifdef ZLIB
 int disabled;
-#endif
 int max_pipeline_requests;
 int inspection_type;
 int anomalous_servers;
@@ -248,8 +264,6 @@
 HTTPINSPECT_CONF *global_server;
 SERVER_LOOKUP *server_lookup;
- int hex_lookup[256];
- int valid_lookup[256];
 #ifdef ZLIB
 int max_gzip_sessions;
@@ -257,8 +271,17 @@
 int compr_depth;
 int decompr_depth;
 #endif
+ int memcap;
+ uint32_t xtra_trueip_id;
+ uint32_t xtra_uri_id;
+ uint32_t xtra_hname_id;
+ uint32_t xtra_gzip_id;
+ uint32_t xtra_jsnorm_id;
+
+} HTTPINSPECT_GLOBAL_CONF;
-} HTTPINSPECT_GLOBAL_CONF;
+#define INVALID_HEX_VAL -1
+#define HEX_VAL 1
 /*
 ** Functions
@@ -267,6 +290,7 @@
 int hi_ui_config_default(HTTPINSPECT_CONF *GlobalConf);
 int hi_ui_config_reset_global(HTTPINSPECT_GLOBAL_CONF *GlobalConf);
 int hi_ui_config_reset_server(HTTPINSPECT_CONF *ServerConf);
+void hi_ui_config_reset_http_methods(HTTPINSPECT_CONF *ServerConf);
 int hi_ui_config_add_server(HTTPINSPECT_GLOBAL_CONF *GlobalConf,
 sfip_t *ServerIP,
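Review bot: In the `@@ -257,8 +271,17 @@` hunk `#define INVALID_HEX_VAL -1` is an unparenthesised negative literal; the conventional spelling is `#define INVALID_HEX_VAL (-1)`, and since `HEX_VAL 1` sits next to it and both look like the values stored in the `hex_lookup` table moved to file scope in this diff, an `enum { INVALID_HEX_VAL = -1, HEX_VAL = 1 };` would be type-checked and debugger-visible as well. `int memcap;` is signed, so a negative cap is representable; either the config parser must reject it or the field should document that only non-negative values are valid, e.g. `/* memory cap in bytes; parser rejects values < 0 — confirm */`. The five `xtra_*_id` fields are also undocumented; a one-line comment saying where those ids are obtained (presumably at preprocessor init) would save the next reader a search.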
@@ -278,4 +302,6 @@
 int hi_ui_config_set_profile_all(HTTPINSPECT_CONF *GlobalConf, int *);
 void HttpInspectCleanupHttpMethodsConf(void *);
+extern int hex_lookup[256];
+extern int valid_lookup[256];
 #endif
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h 2010-01-26 10:10:17.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h 2010-01-26 10:10:18.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_uri.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_uri.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_uri.h 2010-01-26 10:10:18.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_uri.h 2011-02-09 15:23:32.000000000 -0800
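Review bot: `hex_lookup` and `valid_lookup` move from per-`HTTPINSPECT_GLOBAL_CONF` arrays to process-wide globals, but the header says nothing about who fills them or that they are read-only afterwards, which matters under config reload where the old per-config copies were reset together with the config. A comment above the two externs such as `/* 256-entry byte-indexed tables (presumably holding HEX_VAL / INVALID_HEX_VAL); filled once at init and read-only afterwards; index with an unsigned char — confirm */` would record that. Any caller that indexes them with a plain `char` reads before element 0 for bytes of 0x80 and above on platforms where `char` is signed, so that is worth auditing when the defining .c file is reviewed.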
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util.h 2010-04-06 07:05:50.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util.h 2011-07-13 15:44:51.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -18,14 +18,14 @@
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  *
  ****************************************************************************/
-
+
 /**
 ** @file hi_util.h
-**
+**
 ** @author Daniel Roelker <droelker@sourcefire.com>
 **
 ** @brief HttpInspect utility functions.
-**
+**
 ** Contains function prototype and inline utility functions.
 **
 ** NOTES:
@@ -43,25 +43,25 @@
 ** hi_util_in_bounds::
 */
 /**
-** This function checks for in bounds condition on buffers.
-**
+** This function checks for in bounds condition on buffers.
+**
 ** This is very important for much of what we do here, since inspecting
 ** data buffers is mainly what we do. So we always make sure that we are
 ** within the buffer.
-**
+**
 ** This checks a half-open interval with the end pointer being one char
 ** after the end of the buffer.
-**
+**
 ** @param start the start of the buffer.
 ** @param end the end of the buffer.
 ** @param p the pointer within the buffer
-**
+**
 ** @return integer
-**
+**
 ** @retval 1 within bounds
 ** @retval 0 not within bounds
 */
-static INLINE int hi_util_in_bounds(const u_char *start, const u_char *end, const u_char *p)
+static inline int hi_util_in_bounds(const u_char *start, const u_char *end, const u_char *p)
 {
 if(p >= start && p < end)
 {
@@ -71,42 +71,56 @@
 return 0;
 }
-static INLINE void SkipWhiteSpace(const u_char *start, const u_char *end,
+static inline void SkipWhiteSpace(const u_char *start, const u_char *end,
 const u_char **ptr)
 {
- while (hi_util_in_bounds(start, end, *ptr) && isspace((int)**ptr) && (**ptr != '\n'))
+ while (hi_util_in_bounds(start, end, *ptr) && isspace((int)**ptr) && (**ptr != '\n'))
 (*ptr)++;
 }
-static INLINE void SkipBlankSpace(const u_char *start, const u_char *end,
+static inline int SkipBlankSpace(const u_char *start, const u_char *end,
 const u_char **ptr)
 {
- while((hi_util_in_bounds(start, end, *ptr)) && ( **ptr == ' ' || **ptr == '\t') ) {(*ptr)++;}
+ int count = 0;
+ while((hi_util_in_bounds(start, end, *ptr)) && ( **ptr == ' ' || **ptr == '\t') )
+ {
+ (*ptr)++;
+ count++;
+ }
+ return count;
 }
-static INLINE void SkipDigits(const u_char *start, const u_char *end,
+static inline void SkipDigits(const u_char *start, const u_char *end,
 const u_char **ptr)
 {
 while((hi_util_in_bounds(start, end, *ptr)) && (isdigit((int)**ptr)) ) {(*ptr)++;}
 }
-static INLINE void SkipBlankAndNewLine(const u_char *start, const u_char *end,
+static inline void SkipBlankAndNewLine(const u_char *start, const u_char *end,
 const u_char **ptr)
 {
- while( (hi_util_in_bounds(start, end, *ptr)) &&
+ while( (hi_util_in_bounds(start, end, *ptr)) &&
 ( **ptr == ' ' || **ptr == '\t') && (**ptr != '\n') ) {(*ptr)++;}
 }
-static INLINE int IsHeaderFieldName(const u_char *p, const u_char *end,
+static inline void SkipCRLF(const u_char *start, const u_char *end,
+ const u_char **ptr)
+{
+ while( (hi_util_in_bounds(start, end, *ptr)) &&
+ ( **ptr == '\r' || **ptr == '\n') ) {(*ptr)++;}
+}
+
+
+static inline int IsHeaderFieldName(const u_char *p, const u_char *end,
 const char *header_name, size_t header_len)
-{
 if ((p+header_len) <= end)
- {
 if(!strncasecmp((const char *)p, header_name, header_len)) return 1;
- else
- return 0;
 }
 return 0;
-}
+}
 #endif /* __HI_UTIL_H__ */
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util_hbm.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_hbm.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util_hbm.h 2010-01-26 10:10:18.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_hbm.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util_kmap.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_kmap.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util_kmap.h 2010-01-26 10:10:18.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_kmap.h 2011-02-09 15:23:32.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h 2010-01-26 10:10:18.000000000 -0800
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/hi_util_xmalloc.h 2011-02-09 15:23:32.000000000 -0800
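Review bot: In `IsHeaderFieldName` the bounds test `if ((p+header_len) <= end)` first forms `p+header_len`, which is undefined behaviour whenever `header_len` exceeds the bytes left before `end` — exactly the case the test exists to catch, and one a compiler may fold away; compare remaining length instead: `if (p <= end && (size_t)(end - p) >= header_len)`. The new `int` return of `SkipBlankSpace` is undocumented; a comment such as `/* returns the number of blanks skipped (presumably checked against max_spaces by the caller) */` would tie it to the `max_spaces` field added to `HTTPINSPECT_CONF` in this diff. The `isspace((int)**ptr)` and `isdigit((int)**ptr)` casts are only correct because `u_char` is unsigned, which deserves a short comment since the same cast on a plain `char` is undefined for bytes of 0x80 and above.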
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/Makefile.am snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.am
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/Makefile.am 2010-06-23 21:06:09.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.am 2011-06-07 17:33:18.000000000 -0700
@@ -8,6 +8,7 @@
 hi_eo_events.h \
 hi_eo.h \
 hi_eo_log.h \
+hi_paf.h \
 hi_include.h \
 hi_mi.h \
 hi_norm.h \
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/include/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.in
--- snort-2.9.0.1/src/preprocessors/HttpInspect/include/Makefile.in 2010-10-08 02:56:54.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/include/Makefile.in 2011-12-07 11:23:21.000000000 -0800
@@ -58,7 +58,9 @@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
+CCONFIGFLAGS = @CCONFIGFLAGS@
 CFLAGS = @CFLAGS@
+CONFIGFLAGS = @CONFIGFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -73,6 +75,7 @@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
+ICONFIGFLAGS = @ICONFIGFLAGS@
 INCLUDES = @INCLUDES@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -109,13 +112,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
@@ -182,6 +191,7 @@
 hi_eo_events.h \
 hi_eo.h \
 hi_eo_log.h \
+hi_paf.h \
 hi_include.h \
 hi_mi.h \
 hi_norm.h \
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/Makefile.am snort-2.9.2/src/preprocessors/HttpInspect/Makefile.am
--- snort-2.9.0.1/src/preprocessors/HttpInspect/Makefile.am 2010-06-23 21:06:09.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/Makefile.am 2011-06-07 17:33:18.000000000 -0700
@@ -19,6 +19,7 @@
 utils/hi_util_xmalloc.o \
 utils/hi_util_hbm.o \
 utils/hi_cmd_lookup.o \
+utils/hi_paf.o \
 event_output/hi_eo_log.o \
 client/hi_client.o \
 client/hi_client_norm.o \
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/Makefile.in
--- snort-2.9.0.1/src/preprocessors/HttpInspect/Makefile.in 2010-10-08 02:56:54.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/Makefile.in 2011-12-07 11:23:21.000000000 -0800
@@ -54,7 +54,7 @@
 session_inspection/hi_si.o mode_inspection/hi_mi.o \
 anomaly_detection/hi_ad.o utils/hi_util_kmap.o \
 utils/hi_util_xmalloc.o utils/hi_util_hbm.o \
- utils/hi_cmd_lookup.o event_output/hi_eo_log.o \
+ utils/hi_cmd_lookup.o utils/hi_paf.o event_output/hi_eo_log.o \
 client/hi_client.o client/hi_client_norm.o server/hi_server.o \
 server/hi_server_norm.o normalization/hi_norm.o
 am_libhttp_inspect_a_OBJECTS =
@@ -123,7 +123,9 @@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
+CCONFIGFLAGS = @CCONFIGFLAGS@
 CFLAGS = @CFLAGS@
+CONFIGFLAGS = @CONFIGFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +140,7 @@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
+ICONFIGFLAGS = @ICONFIGFLAGS@
 INCLUDES = @INCLUDES@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -174,13 +177,19 @@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@
+RAZORBACK_LIBS = @RAZORBACK_LIBS@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@
+SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@
+SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@
+SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@
 STRIP = @STRIP@
 VERSION = @VERSION@
 XCCFLAGS = @XCCFLAGS@
@@ -255,6 +264,7 @@
 utils/hi_util_xmalloc.o \
 utils/hi_util_hbm.o \
 utils/hi_cmd_lookup.o \
+utils/hi_paf.o \
 event_output/hi_eo_log.o \
 client/hi_client.o \
 client/hi_client_norm.o \
diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c
--- snort-2.9.0.1/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c 2010-06-09 15:05:24.000000000 -0700
+++ snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/hi_mi.c 2011-06-07 17:33:19.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
  *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License Version 2 as
@@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_mi.c ** @@ -35,6 +35,10 @@ ** - 3.2.03: Initial development. DJR */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_si.h" #include "hi_client.h" #include "hi_server.h" @@ -71,7 +75,7 @@ /* ** Depending on the mode, we inspect the packet differently. - ** + ** ** HI_SI_CLIENT_MODE: ** Inspect for HTTP client communication. ** @@ -80,18 +84,16 @@ */ if(iInspectMode == HI_SI_CLIENT_MODE) { - if(hsd) - { - iRet = hi_client_inspection((void *)Session, p->data, p->dsize, &(hsd->true_ip)); - if(hsd->true_ip) - p->data_flags |= DATA_FLAGS_TRUE_IP; - } +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + iRet = hi_client_inspection((void *)Session, p->data, p->dsize, hsd, !PacketHasStartOfPDU(p)); else - iRet = hi_client_inspection((void *)Session, p->data, p->dsize, NULL); +#endif + iRet = hi_client_inspection((void *)Session, p->data, p->dsize, hsd, p->packet_flags & PKT_STREAM_INSERT); if (iRet) return iRet; } - else if(iInspectMode == HI_SI_SERVER_MODE) + else if( hsd && iInspectMode == HI_SI_SERVER_MODE ) { iRet = hi_server_inspection((void *)Session, p, hsd); if (iRet) diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/mode_inspection/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/mode_inspection/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/mode_inspection/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -77,7 +77,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
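Review bot: `hi_client_inspection` now receives `hsd` unconditionally, including when it is NULL (the old code had a separate branch passing `NULL` explicitly), while the server-mode test below was tightened to `hsd && iInspectMode == HI_SI_SERVER_MODE`, so with a NULL `hsd` client traffic is still inspected but server traffic is silently skipped and `iRet` is left at its prior value. If that asymmetry is intended, say so on the server-mode condition, e.g. `/* response inspection needs per-session state; without it the packet is not inspected */`, and the `hi_client_inspection` contract should state that a NULL `hsd` is accepted. The `#ifdef ENABLE_PAF … else #endif` shape, which turns the unconditional call into an else-arm only when PAF is compiled in, is fragile to later edits that add braces; computing the last argument once and making a single call reads more safely. `hi_mi_mode_inspection`'s body begins and ends outside this hunk.
```c
        int stream_flag = p->packet_flags & PKT_STREAM_INSERT;
#ifdef ENABLE_PAF
        if ( ScPafEnabled() )
            stream_flag = !PacketHasStartOfPDU(p);
#endif
        iRet = hi_client_inspection((void *)Session, p->data, p->dsize, hsd, stream_flag);
        /* … unchanged: iRet check, server-mode branch … */
```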
@@ -92,6 +94,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -128,13 +131,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/normalization/hi_norm.c snort-2.9.2/src/preprocessors/HttpInspect/normalization/hi_norm.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/normalization/hi_norm.c 2010-10-25 12:49:10.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/normalization/hi_norm.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,19 +18,19 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_norm.c -** +** ** @author Daniel Roelker <droelker@sourcefire.com -** +** ** @brief Contains normalization skeleton for server and client ** normalization routines. -** +** ** This file contains the core routines to normalize the different fields ** within the HTTP protocol. We currently only support client URI ** normalization, but the hooks are here to easily add other routines. -** +** ** NOTES: ** - Initial development. DJR */ @@ -40,6 +40,10 @@ #include <ctype.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_client_norm.h" #include "hi_server_norm.h" #include "hi_eo.h" @@ -55,9 +59,6 @@ #define MAX_DIRS 2048 -#define NO_HEX_VAL -1 -#define BASE36_VAL -2 -#define HEX_VAL 1 /** ** This define checks for negative return codes, since we have multiple @@ -87,8 +88,6 @@ typedef int (*DECODE_FUNC)(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_NORM_STATE *, uint16_t *); -int hex_lookup[256] = {0}; -int valid_lookup[256] = {0}; /* ** NAME 
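Review bot: The last two hunks drop the `NO_HEX_VAL`/`BASE36_VAL`/`HEX_VAL` sentinels and the `hex_lookup`/`valid_lookup` definitions from this file, yet `PercentDecode` (hunks `@@ -354` and `@@ -391` later in the diff) still indexes both tables and tests `valid_lookup[(u_char)iByte] < 0`, so the negative-sentinel convention now comes from a definition outside this chunk (presumably a header reached via the new `config.h` include block). A one-line comment at the remaining use, such as `/* valid_lookup: negative entry == not a hex digit; table defined in <shared lookup header — confirm> */`, would tell the next reader where the contract lives. The removed `extern int hex_lookup[256];` in hi_server.c and the removed `hi_norm_init` further down are part of the same move and should be referenced together in the commit description.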
@@ -96,30 +95,30 @@ */ /** ** This routine is for getting bytes in the U decode. -** +** ** This checks the current bounds and checking for the double decoding. ** This routine differs from the other Get routines because it returns ** other values than just END_OF_BUFFER and the char. -** +** ** We also return DOUBLE_ENCODING if there is a % and double decoding ** is turned on. -** +** ** When using this function it is important to note that it increments ** the buffer before checking the bounds. So, if you call this function -** in a loop and don't check for END_OF_BUFFER being returned, then +** in a loop and don't check for END_OF_BUFFER being returned, then ** you are going to overwrite the buffer. If I put the check in, you ** would just be in an never-ending loop. So just use this correctly. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval END_OF_BUFFER the end of the buffer has been reached. ** @retval DOUBLE_ENCODING a percent was found and double decoding is on -** @retval <= 0xff an ASCII char +** @retval <= 0xff an ASCII char */ static int GetPtr(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) @@ -136,7 +135,7 @@ *encodeType |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE ; return DOUBLE_ENCODING; } - + return (int)**ptr; } 
@@ -146,18 +145,18 @@ */ /** ** Handles the single decode for %U encoding. -** +** ** This routine receives the ptr pointing to the u. We check the bounds ** and continue with processing. %u encoding works by specifying the ** exact codepoint to be used. For example, %u002f would be /. So this ** all seems fine. BUT, the problem is that IIS maps multiple codepoints ** to ASCII characters. So, %u2044 also maps to /. So this is what we ** need to handle here. -** +** ** This routine only handles the single encoding. For double decoding, ** %u is handled in DoubleDecode(). It's the same routine, with just ** the GetByte function different. -** +** ** We use a get_byte function to get the bytes, so we can use this ** routine for PercentDecode and for DoubleDecode. ** @@ -166,9 +165,9 @@ ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param get_byte the function pointer to get bytes. -** +** ** @return integer -** +** ** @retval END_OF_BUFFER we are at the end of the buffer ** @retval DOUBLE_ENCODING this U encoding is possible double encoded ** @retval NON_ASCII_CHAR return this char for non-ascii or bad decodes @@ -218,7 +217,7 @@ iNorm = ServerConf->iis_unicode_map[iNorm]; if(iNorm == HI_UI_NON_ASCII_CODEPOINT) - { + { *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; iNorm = NON_ASCII_CHAR; 
@@ -263,31 +262,31 @@ ** This function is the main decoding function. It handles all the ASCII ** encoding and the U encoding, and tells us when there is a double ** encoding. -** +** ** We use the GetPtr() routine to get the bytes for us. This routine ** checks for DOUBLE_ENCODING and tells us about it if it finds something, ** so we can reset the ptrs and run it through the double decoding ** routine. -** +** ** The philosophy behind this routine is that if we run out of buffer ** we return such, the only other thing we return besides the decodes ** char is a NON_ASCII_CHAR in the case that we try and decode something ** like %tt. This is no good, so we return a place holder. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval END_OF_BUFFER We've hit the end of buffer while decoding. ** @retval NON_ASCII_CHAR Invalid hex encoding, so we return a placeholder. ** @retval char return the valid char -** +** ** @see GetPtr() */ -static int PercentDecode(HI_SESSION *Session, const u_char *start, +static int PercentDecode(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; 
@@ -354,25 +353,12 @@ return iNorm; } - else if(!ServerConf->base36.on || - valid_lookup[(u_char)iByte] != BASE36_VAL) + else { *encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; return NON_ASCII_CHAR; } - - /* - ** The logic above dictates that if we get to this point, we - ** have a valid base36 encoding, so let's log the event. - */ - *encodeType |= HTTP_ENCODE_TYPE__BASE36; - hi_stats.base36++; - if(hi_eo_generate_event(Session, ServerConf->base36.alert) && - !norm_state->param) - { - hi_eo_client_event_log(Session, HI_EO_CLIENT_BASE36, NULL, NULL); - } } iNorm = (hex_lookup[(u_char)iByte]<<4); @@ -391,24 +377,9 @@ if(valid_lookup[(u_char)iByte] < 0) { - if(!ServerConf->base36.on || valid_lookup[(u_char)iByte] != BASE36_VAL) - { - *encodeType |= HTTP_ENCODE_TYPE__NONASCII; - hi_stats.non_ascii++; - return NON_ASCII_CHAR; - } - - /* - ** Once again, we know we have a valid base36 encoding, let's alert - ** if possible. - */ - *encodeType |= HTTP_ENCODE_TYPE__BASE36; - hi_stats.base36++; - if(hi_eo_generate_event(Session, ServerConf->base36.alert) && - !norm_state->param) - { - hi_eo_client_event_log(Session, HI_EO_CLIENT_BASE36, NULL, NULL); - } + *encodeType |= HTTP_ENCODE_TYPE__NONASCII; + hi_stats.non_ascii++; + return NON_ASCII_CHAR; } iNorm = (iNorm | (hex_lookup[(u_char)iByte])) & 0xff; 
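Review bot: The two rejection paths that replace the base36 branches (this hunk and `@@ -391`) are now the same three statements repeated verbatim, `*encodeType |= HTTP_ENCODE_TYPE__NONASCII; hi_stats.non_ascii++; return NON_ASCII_CHAR;`, so a small `static inline` helper, or at least a comment naming the shared intent, would keep them from drifting apart. With base36 decoding gone, `ServerConf->base36` is no longer consulted here; if the `base36` server option is still accepted by the configuration parser (not visible in this diff), its documentation should state that it has no effect, otherwise deployments that relied on the `HI_EO_CLIENT_BASE36` alert lose it without any notice. `PercentDecode`'s opening, including the condition that precedes the new bare `else`, is outside this hunk.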
@@ -432,23 +403,23 @@ /** ** Wrapper for PercentDecode() and handles the return values from ** PercentDecode(). -** +** ** This really decodes the chars for UnicodeDecode(). If the char is ** a percent then we process stuff, otherwise we just increment the ** pointer and return. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param bare_byte value for a non-ASCII char or a decoded non-ASCII char -** +** ** @return integer -** +** ** @retval END_OF_BUFFER End of the buffer has been reached before decode. ** @retval NON_ASCII_CHAR End of buffer during decoding, return decoded char. ** @retval char return the valid decoded/undecoded char -** +** ** @see PercentDecode() ** @see GetByte() */ @@ -463,7 +434,7 @@ return END_OF_BUFFER; iNorm = (int)(**ptr); - + if(**ptr == '%' && ServerConf->ascii.on) { /* @@ -522,24 +493,24 @@ /* ** Decode the UTF-8 sequences and check for valid codepoints via the ** Unicode standard and the IIS standard. -** +** ** We decode up to 3 bytes of UTF-8 because that's all I've been able to ** get to work on various servers, so let's reduce some false positives. ** So we decode valid UTF-8 sequences and then check the value. If the ** value is ASCII, then it's decoded to that. Otherwise, if iis_unicode ** is turned on, we will check the unicode codemap for valid IIS mappings. ** If a mapping turns up, then we return the mapped ASCII. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval NON_ASCII_CHAR Reached end of buffer while decoding ** @retval char return the decoded or badly decoded char -** +** ** @see GetByte() ** @see UnicodeDecode() */ 
@@ -555,7 +526,7 @@ int iByte; /* - ** Right now we support up to 3 byte unicode sequences. We can add + ** Right now we support up to 3 byte unicode sequences. We can add ** more if any of the HTTP servers support more. */ if((iFirst & 0xe0) == 0xc0) @@ -660,21 +631,21 @@ */ /** ** Checks for the ServerConf values before we actually decode. -** +** ** This function is really a ServerConf wrapper for UTF8Decode. ** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval char the decode/undecoded byte. -** +** ** @see GetByte() */ -static int UnicodeDecode(HI_SESSION *Session, const u_char *start, +static int UnicodeDecode(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **ptr, int iFirst, URI_NORM_STATE *norm_state, uint16_t *encodeType) { @@ -696,17 +667,17 @@ /** ** Handles the first stage of URI decoding for the case of IIS double ** decoding. -** +** ** The first stage consists of ASCII decoding and unicode decoding. %U ** decoding is handled in the ASCII decoding. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI -** +** ** @return integer -** +** ** @retval END_OF_BUFFER means that we've reached the end of buffer in ** GetChar. ** @retval iChar this is the character that was decoded. @@ -741,7 +712,7 @@ */ /** ** The double decoding routine for IIS good times. -** +** ** Coming into this function means that we just decoded a % or that ** we just saw two percents in a row. We know which state we are ** in depending if the first char is a '%' or not. 
@@ -753,15 +724,15 @@ ** - ascii ** ** Knowing this, we can decode appropriately. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param norm_state the ptr to the URI norm state -** +** ** @return integer -** +** ** @retval NON_ASCII_CHAR End of buffer reached while decoding ** @retval char The decoded char */ @@ -801,7 +772,7 @@ if(ServerConf->u_encoding.on && (toupper(iByte) == 'U')) { iNorm = UDecode(Session, start, end, ptr, GetByte, norm_state, encodeType); - + if(iNorm == END_OF_BUFFER) { /* @@ -850,32 +821,32 @@ ** This is the final GetByte routine. The value that is returned from this ** routine is the final decoded byte, and normalization can begin. This ** routine handles the double phase of decoding that IIS is fond of. -** +** ** So to recap all the decoding up until this point. -** +** ** The first phase is to call GetByte(). GetByte() returns the first stage ** of decoding, which handles the UTF-8 decoding. If we have decoded a ** % of some type, then we head into DoubleDecode() if the ServerConf ** allows it. -** +** ** What returns from DoubleDecode is the final result. -** +** ** @param ServerConf the server configuration ** @param start the start of the URI ** @param end the end of the URI ** @param ptr the current pointer into the URI ** @param norm_state the pointer to the URI norm state -** +** ** @return integer -** +** ** @retval END_OF_BUFFER While decoding, the end of buffer was reached. ** @retval char The resultant decoded char. -** +** ** @see DoubleDecode(); ** @see GetByte(); */ static int GetDecodedByte(HI_SESSION *Session, const u_char *start, - const u_char *end, const u_char **ptr, + const u_char *end, const u_char **ptr, URI_NORM_STATE *norm_state, uint16_t *encodeType) { HTTPINSPECT_CONF *ServerConf = Session->server_conf; 
@@ -898,7 +869,7 @@ if(hi_eo_generate_event(Session, ServerConf->iis_backslash.alert) && !norm_state->param) { - hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_BACKSLASH, + hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_BACKSLASH, NULL, NULL); } @@ -919,18 +890,18 @@ */ /** ** Set the ub_ptr and update the URI_NORM_STATE. -** +** ** The main point of this function is to take care of the details in ** updating the directory stack and setting the buffer pointer to the ** last directory. -** +** ** @param norm_state pointer to the normalization state struct ** @param ub_ptr double pointer to the normalized buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful -** +** ** @see hi_norm_uri() */ static int DirTrav(HI_SESSION *Session, URI_NORM_STATE *norm_state, @@ -942,7 +913,7 @@ if(norm_state->dir_count) { *ub_ptr = norm_state->dir_track[norm_state->dir_count - 1]; - + /* ** Check to make sure that we aren't at the beginning */ @@ -972,7 +943,7 @@ } } - return HI_SUCCESS; + return HI_SUCCESS; } /* @@ -982,18 +953,18 @@ /** ** Set the directory by writing a '/' to the normalization buffer and ** updating the directory stack. -** +** ** This gets called after every slash that isn't a directory traversal. We ** just write a '/' and then update the directory stack to point to the ** last directory, in the case of future directory traversals. -** +** ** @param norm_state pointer to the normalization state struct ** @param ub_ptr double pointer to the normalized buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful -** +** ** @see hi_norm_uri() */ static int DirSet(URI_NORM_STATE *norm_state, u_char **ub_ptr) 
@@ -1023,42 +994,42 @@ /** ** The main function for dealing with multiple slashes, self-referential ** directories, and directory traversals. -** +** ** This routine does GetDecodedByte() while looking for directory foo. It's ** called every time that we see a slash in the main hi_norm_uri. Most of -** the time we just enter this loop, find a non-directory-foo char and +** the time we just enter this loop, find a non-directory-foo char and ** return that char. hi_norm_uri() takes care of the directory state ** updating and so forth. -** +** ** But when we run into trouble with directories, this function takes care ** of that. We loop through multiple slashes until we get to the next ** directory. We also loop through self-referential directories until we -** get to the next directory. Then finally we deal with directory +** get to the next directory. Then finally we deal with directory ** traversals. -** +** ** With directory traversals we do a kind of "look ahead". We verify that ** there is indeed a directory traversal, and then set the ptr back to ** the beginning of the '/', so when we iterate through hi_norm_uri() we ** catch it. -** +** ** The return value for this function is usually the character after ** the directory. When there was a directory traversal, it returns the ** value DIR_TRAV. And when END_OF_BUFFER is returned, it means that we've ** really hit the end of the buffer, or we were looping through multiple ** slashes and self-referential directories until the end of the URI ** buffer. 
-** +** ** @param ServerConf pointer to the Server configuration ** @param start pointer to the start of the URI buffer ** @param end pointer to the end of the URI buffer ** @param ptr pointer to the index in the URI buffer -** +** ** @return integer -** +** ** @retval END_OF_BUFFER we've reached the end of buffer ** @retval DIR_TRAV we found a directory traversal ** @retval char return the next char after the directory -** +** ** @see hi_norm_uri() ** @see GetDecodedByte() */ @@ -1171,7 +1142,7 @@ continue; } } - + /* ** This means that we saw '.' and then another char, so ** it was just a file/dir that started with a '.'. @@ -1196,16 +1167,16 @@ */ /** ** This function checks for long directory names in the request URI. -** +** ** @param Session pointer to the session ** @param norm_state pointer to the directory stack ** @param ub_ptr current pointer in normalization buffer -** +** ** @return integer -** +** ** @retval HI_SUCCESS */ -static int CheckLongDir(HI_SESSION *Session, URI_NORM_STATE *norm_state, +static int CheckLongDir(HI_SESSION *Session, URI_NORM_STATE *norm_state, u_char *ub_ptr) { int iDirLen; @@ -1241,18 +1212,18 @@ /** ** This function inspects the normalized chars for any other processing ** that we need to do, such as directory traversals. -** +** ** The main things that we check for here are '/' and '?'. There reason ** for '/' is that we do directory traversals. If it's a slash, we call ** the routine that will normalize mutli-slashes, self-referential dirs, ** and dir traversals. We do all that processing here and call the ** appropriate functions. -** +** ** The '?' is so we can mark the parameter field, and check for oversize ** directories one last time. Once the parameter field is set, we don't ** do any more oversize directory checks since we aren't in the url ** any more. -** +** ** @param Session pointer to the current session ** @param iChar the char to inspect ** @param norm_state the normalization state 
@@ -1262,16 +1233,16 @@ ** @param ub_start the start of the norm buffer ** @param ub_end the end of the norm buffer ** @param ub_ptr the address of the pointer index into the norm buffer -** +** ** @return integer -** +** ** @retval END_OF_BUFFER we've reached the end of the URI or norm buffer ** @retval HI_NONFATAL_ERR no special char, so just write the char and ** increment the ub_ptr. ** @retval HI_SUCCESS normalized the special char and already ** incremented the buffers. */ -static INLINE int InspectUriChar(HI_SESSION *Session, int iChar, +static inline int InspectUriChar(HI_SESSION *Session, int iChar, URI_NORM_STATE *norm_state, const u_char *start, const u_char *end, const u_char **ptr, u_char *ub_start, u_char *ub_end, @@ -1370,7 +1341,7 @@ */ if(!hi_util_in_bounds(ub_start, ub_end, *ub_ptr)) return END_OF_BUFFER; - + /* ** Set the char to what we got in DirNorm() */ @@ -1398,7 +1369,7 @@ if((u_char)iChar == '?') { /* - ** We assume that this is the beginning of the parameter field, + ** We assume that this is the beginning of the parameter field, ** and check for a long directory following. Event though seeing ** a question mark does not guarantee the parameter field, thanks ** IIS. 
@@ -1420,27 +1391,27 @@ */ /** ** Normalize the URI into the URI normalize buffer. -** +** ** This is the routine that users call to normalize the URI. It iterates ** through the URI buffer decoding the next character and is then checked ** for any directory problems before writing the decoded character into the ** normalizing buffer. -** +** ** We return the length of the normalized URI buffer in the variable, ** uribuf_size. This value is passed in as the max size of the normalization ** buffer, which we then set in iMaxUriBufSize for later reference. -** +** ** If there was some sort of problem during normalizing we set the normalized ** URI buffer size to 0 and return HI_NONFATAL_ERR. -** +** ** @param ServerConf the pointer to the server configuration ** @param uribuf the pointer to the normalize uri buffer ** @param uribuf_size the size of the normalize buffer ** @param uri the pointer to the unnormalized uri buffer ** @param uri_size the size of the unnormalized uri buffer -** +** ** @return integer -** +** ** @retval HI_NONFATAL_ERR there was a problem during normalizing, the ** uribuf_size is also set to 0 ** @retval HI_SUCCESS Normalizing the URI was successful 
@@ -1535,93 +1506,19 @@ /* ** NAME -** hi_norm_init:: -*/ -/** -** Initialize the arrays neccessary to normalize the HTTP protocol fields. -** -** Currently, we set a hex_lookup array where we can convert the hex encoding -** that we encounter in the URI into numbers we deal with. -** -** @param GlobalConf pointer to the global configuration of HttpInspect -** -** @return HI_SUCCESS function successful -*/ -int hi_norm_init(HTTPINSPECT_GLOBAL_CONF *GlobalConf) -{ - int iCtr; - int iNum; - - memset(hex_lookup, NO_HEX_VAL, sizeof(hex_lookup)); - memset(valid_lookup, NO_HEX_VAL, sizeof(valid_lookup)); - - /* - ** Set the decimal number values - */ - iNum = 0; - for(iCtr = 48; iCtr < 58; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = HEX_VAL; - iNum++; - } - - /* - ** Set the upper case values. - */ - iNum = 10; - for(iCtr = 65; iCtr < 71; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = HEX_VAL; - iNum++; - } - - iNum = 16; - for(iCtr = 71; iCtr < 91; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = BASE36_VAL; - iNum++; - } - - /* - ** Set the lower case values. - */ - iNum = 10; - for(iCtr = 97; iCtr < 103; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = HEX_VAL; - iNum++; - } - - iNum = 16; - for(iCtr = 103; iCtr < 123; iCtr++) - { - hex_lookup[iCtr] = iNum; - valid_lookup[iCtr] = BASE36_VAL; - iNum++; - } - - return HI_SUCCESS; -} - -/* -** NAME ** hi_normalization:: */ /** ** Wrap the logic for normalizing different inspection modes. -** +** ** We call the various normalization modes here, and adjust the appropriate ** Session constructs. -** +** ** @param Session pointer to the session structure. ** @param iInspectMode the type of inspection/normalization to do -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful ** @retval HI_INVALID_ARG invalid argument */ 
@@ -1654,7 +1551,7 @@ { iRet = hi_server_norm((void *)Session, hsd); if (iRet) - { + { return iRet; } } diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/normalization/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/normalization/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/normalization/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/normalization/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -77,7 +77,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -92,6 +94,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -128,13 +131,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/server/hi_server.c snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/server/hi_server.c 2010-10-25 12:49:10.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server.c 2011-12-08 08:49:14.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,21 +18,21 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_server.c -** +** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief Handles inspection of HTTP server responses. -** +** ** HttpInspect handles server responses in a stateless manner because we ** are really only interested in the first response packet that contains ** the HTTP response code, headers, and the payload. -** +** ** The first big thing is to incorporate the HTTP protocol flow ** analyzer. -** +** ** NOTES: ** - Initial development. DJR */ @@ -53,9 +53,10 @@ #include "hi_return_codes.h" #include "hi_si.h" #include "hi_eo_log.h" -#include "bounds.h" +#include "snort_bounds.h" #include "detection_util.h" #include "stream_api.h" +#include "sfutil/util_unfold.h" #define STAT_END 100 #define HTTPRESP_HEADER_NAME__COOKIE "Set-Cookie" 
@@ -72,14 +73,15 @@ #define HTTPRESP_HEADER_LENGTH__CONTENT_LENGTH 14 #define HTTPRESP_HEADER_NAME__CONTENT_TYPE "Content-Type" #define HTTPRESP_HEADER_LENGTH__CONTENT_TYPE 12 - +#define HTTPRESP_HEADER_NAME__TRANSFER_ENCODING "Transfer-Encoding" +#define HTTPRESP_HEADER_LENGTH__TRANSFER_ENCODING 17 typedef int (*LOOKUP_FCN)(HI_SESSION *, const u_char *, const u_char *, const u_char **, - URI_PTR *); + URI_PTR *); extern LOOKUP_FCN lookup_table[256]; -extern int hex_lookup[256]; extern int NextNonWhiteSpace(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); -extern int CheckChunkEncoding(HI_SESSION *, const u_char *, const u_char *, const u_char **, u_char *, int , int, int *, int *); +extern int CheckChunkEncoding(HI_SESSION *, const u_char *, const u_char *, const u_char **, u_char *, + uint32_t , uint32_t, uint32_t *, uint32_t *, HttpSessionData *, int); extern int IsHttpVersion(const u_char **, const u_char *); extern int find_rfc_delimiter(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); extern int find_non_rfc_delimiter(HI_SESSION *, const u_char *, const u_char *, const u_char **, URI_PTR *); @@ -94,7 +96,7 @@ extern const u_char *extract_http_cookie(const u_char *p, const u_char *end, HEADER_PTR *, HEADER_FIELD_PTR *); extern const u_char *extract_http_content_length(HI_SESSION *, HTTPINSPECT_CONF *, const u_char *, const u_char *, const u_char *, HEADER_PTR *, HEADER_FIELD_PTR *) ; - +static inline void ApplyFlowDepth(HTTPINSPECT_CONF *, Packet *, HttpSessionData *, int, int, uint32_t); #define CLR_SERVER_HEADER(Server) \ do { \ Server->response.header_raw = NULL;\ 
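Review bot: The changed `CheckChunkEncoding` prototype is a file-local `extern` declaration rather than one shared with the defining translation unit, so the very kind of change made here (int counts becoming `uint32_t`, two extra arguments) cannot be checked by the compiler if the two sides ever diverge again, and a mismatch at the call is undefined behavior; the prototype, and the other `extern` function declarations in this block, belong in a header included by both files. In the following hunk, the forward declaration `static inline void ApplyFlowDepth(HTTPINSPECT_CONF *, Packet *, HttpSessionData *, int, int, uint32_t);` drops all parameter names, which leaves the two positional `int` flags opaque at call sites such as `ApplyFlowDepth(ServerConf, p, sd, 0, 1, seq_num)`; keep the names in the declaration so the meaning of each flag is visible where it is read.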
@@ -116,20 +118,26 @@ Server->response.status_msg_size = 0;\ }while(0); +#define CLR_SERVER_STAT_MSG(Server) \ + do { \ + Server->response.status_msg = NULL;\ + Server->response.status_msg_size = 0;\ + }while(0); + #define CLR_SERVER_BODY(Server)\ do { \ Server->response.body = NULL;\ Server->response.body_size = 0;\ }while(0); -static INLINE void clearHttpRespBuffer(HI_SERVER *Server) +static inline void clearHttpRespBuffer(HI_SERVER *Server) { CLR_SERVER_HEADER(Server); CLR_SERVER_STAT(Server); CLR_SERVER_BODY(Server); } -static INLINE const u_char *MovePastDelims(const u_char *start, const u_char *end,const u_char *ptr) +static inline const u_char *MovePastDelims(const u_char *start, const u_char *end,const u_char *ptr) { while(hi_util_in_bounds(start, end, ptr)) 
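Review bot: The new `CLR_SERVER_STAT_MSG` macro ends its `do { … } while(0)` with a semicolon inside the definition, copying the neighbouring macros; that defeats the idiom, because `CLR_SERVER_STAT_MSG(Server);` then expands to two statements and `if (cond) CLR_SERVER_STAT_MSG(Server); else …` fails to compile. Write the new macro's last line as `}while(0)` and let the caller supply the semicolon; the pre-existing macros can be fixed the same way in a follow-up without changing behaviour. Its body also repeats the two `status_msg` assignments already present in `CLR_SERVER_STAT`, so a comment on why a narrower clear is needed would help.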
@@ -163,38 +171,47 @@ */ /** ** Inspect an HTTP server response packet to determine the state. -** +** ** We inspect this packet and determine whether we are in the beginning ** of a response header or if we are looking at payload. We limit the ** amount of inspection done on responses by only inspecting the HTTP header ** and some payload. If the whole packet is a payload, then we just ignore ** it, since we inspected the previous header and payload. -** +** ** We limit the amount of the payload by adjusting the Server structure ** members, header and header size. -** +** ** @param Server the server structure ** @param data pointer to the beginning of payload ** @param dsize the size of the payload ** @param flow_depth the amount of header and payload to inspect -** +** ** @return integer -** +** ** @retval HI_INVALID_ARG invalid argument ** @retval HI_SUCCESS function success */ -static int IsHttpServerData(HI_SERVER *Server, Packet *p, int flow_depth) +static int IsHttpServerData(HI_SESSION *Session, Packet *p, HttpSessionData *sd) { const u_char *start; const u_char *end; const u_char *ptr; int len; + uint32_t seq_num = 0; + HI_SERVER *Server; + HTTPINSPECT_CONF *ServerConf; + + ServerConf = Session->server_conf; + if(!ServerConf) + return HI_INVALID_ARG; + + Server = &(Session->server); clearHttpRespBuffer(Server); - /* + /* ** HTTP:Server-Side-Session-Performance-Optimization - ** This drops Server->Client packets which are not part of the - ** HTTP Response header. It can miss part of the response header + ** This drops Server->Client packets which are not part of the + ** HTTP Response header. It can miss part of the response header ** if the header is sent as multiple packets. */ if(!(p->data)) @@ -202,6 +219,8 @@ return HI_INVALID_ARG; } + seq_num = GET_PKT_SEQ(p); + /* ** Let's set up the data pointers. */ 
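Review bot: `IsHttpServerData` now validates `ServerConf` but not `sd`, which the next hunk (`@@ -219`) dereferences through `sd->resp_state.is_max_seq` and `sd->resp_state.max_seq` whenever `server_flow_depth > 0`; the previous signature took no per-session argument, so existing callers are not known to guarantee a non-NULL `sd`, and the guard should read `if(!ServerConf || !sd) return HI_INVALID_ARG;` unless the non-NULL precondition is stated on the function. The Doxygen block above the function still documents `Server`, `data`, `dsize` and `flow_depth`, none of which exist after the signature change; it should instead describe `Session` (source of `server_conf` and `server`), `p` (the response packet) and `sd` (per-session HTTP state that receives the flow-depth sequence limit). The function continues past the end of this hunk.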
@@ -219,12 +238,21 @@ { if(!IsHttpVersion(&ptr, end)) { + p->packet_flags |= PKT_HTTP_DECODE; + ApplyFlowDepth(ServerConf, p, sd, 0, 0, seq_num); return HI_SUCCESS; } else { + if(ServerConf->server_flow_depth > 0) + { + sd->resp_state.is_max_seq = 1; + sd->resp_state.max_seq = seq_num + ServerConf->server_flow_depth; + } p->packet_flags |= PKT_HTTP_DECODE; - } + ApplyFlowDepth(ServerConf, p, sd, 0, 1, seq_num); + return HI_SUCCESS; + } } else { @@ -232,12 +260,10 @@ } - if( flow_depth == -1 ) - Server->response.header_raw_size = 0; return HI_SUCCESS; } -static INLINE int hi_server_extract_status_msg( const u_char *start, const u_char *ptr, +static inline int hi_server_extract_status_msg( const u_char *start, const u_char *ptr, const u_char *end, URI_PTR *result) { int iRet = HI_SUCCESS; @@ -249,14 +275,21 @@ result->uri = ptr; if (crlf) { - result->uri_end = crlf + 1; + if(crlf[-1] == '\r') + result->uri_end = crlf - 1; + else + result->uri_end = crlf; ptr = crlf; } else { result->uri_end =end; } - iRet = STAT_END; + + if(result->uri < result->uri_end) + iRet = STAT_END; + else + iRet = HI_OUT_OF_BOUNDS; } else iRet = HI_OUT_OF_BOUNDS; @@ -265,13 +298,14 @@ } -static INLINE int hi_server_extract_status_code(HI_SESSION *Session, const u_char *start, const u_char *ptr, +static inline int hi_server_extract_status_code(HI_SESSION *Session, const u_char *start, const u_char *ptr, const u_char *end, URI_PTR *result) { int iRet = HI_SUCCESS; SkipBlankSpace(start,end,&ptr); result->uri = ptr; + result->uri_end = ptr; while( hi_util_in_bounds(start, end, ptr) ) { @@ -288,6 +322,7 @@ } else { + result->uri_end = ptr; iRet = HI_NONFATAL_ERR; return iRet; } 
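Review bot: In the branch of IsHttpServerData where IsHttpVersion succeeds, `sd->resp_state.is_max_seq = 1;` and `sd->resp_state.max_seq = seq_num + ServerConf->server_flow_depth;` dereference sd without a NULL check, whereas ApplyFlowDepth, called with the same sd on the next line, guards every access with `if(sd != NULL)`. If a NULL session-data pointer can reach this function, as that guard implies, a server response whose first line looks like an HTTP version crashes the preprocessor here. `if(sd && ServerConf->server_flow_depth > 0)` makes the two paths consistent; alternatively an `if(!sd) return HI_INVALID_ARG;` beside the ServerConf check at the top of the function would state the contract. The function begins in the previous hunk.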
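Review bot: In hi_server_extract_status_msg the new `if(crlf[-1] == '\r')` reads the byte before crlf without checking that crlf is past `start`; how crlf is located is outside this hunk, but if the newline can be the first byte of the searched range the read touches memory before the message (and before the buffer if `ptr == start`). `if(crlf > start && crlf[-1] == '\r')` closes that off at no cost. The added `result->uri < result->uri_end` test is a good change, since it is what turns an empty reason phrase into HI_OUT_OF_BOUNDS rather than a zero-length message. The function starts before this hunk.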
@@ -317,69 +352,70 @@ } /* Grab the argument of "charset=foo" from a Content-Type header */ -static INLINE const u_char *extract_http_content_type_charset(HI_SESSION *Session, +static inline const u_char *extract_http_content_type_charset(HI_SESSION *Session, HttpSessionData *hsd, const u_char *p, const u_char *start, const u_char *end ) { - const char *crlf; + size_t cmplen; + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const char *ptr, *ptr_end; if (hsd == NULL) return p; - /* find end of Content-Type header */ - crlf = SnortStrnStr((const char*)p, (int)(end - p), "\n"); + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_DEFAULT); - if (crlf) - { - char *charset; + /* Don't trim spaces so p is set to end of header */ + sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 0, 0); + if (!unfold_size) + return p; - /* search for "charset=utf-" within the header */ - charset = (char *) SnortStrnStr((const char*)p, (int)(crlf - (const char*)p), "charset=utf-"); - /* if found, check the argument after "charset=utf-" */ - if (charset) - { - size_t cmplen; - - charset += 12; /* length of "charset=utf-" */ - cmplen = (size_t) ((char *) crlf - charset); - - if (cmplen > 4) - cmplen = 4; - - if ( !strncmp(charset, "16le", cmplen) ) - set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16LE); - else if ( !strncmp(charset, "16be", cmplen) ) - set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16BE); - else if ( !strncmp(charset, "32le", cmplen) ) - set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32LE); - else if ( !strncmp(charset, "32be", cmplen) ) - set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32BE); - else - { - if (cmplen > 1) - cmplen = 1; + p += unfold_size; - if ( !strncmp(charset, "7", cmplen) ) - { - set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF7); - if(hi_eo_generate_event(Session, HI_EO_SERVER_UTF7)) - { - hi_eo_server_event_log(Session, HI_EO_SERVER_UTF7, NULL, NULL); 
- } - } - } - } - else - set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_DEFAULT); + ptr = (const char *)unfold_buf; + ptr_end = (const char *)(ptr + strlen((const char *)unfold_buf)); + + ptr = SnortStrcasestr(ptr, (int)(ptr_end - ptr), "text"); + if (!ptr) + return p; + + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UNKNOWN); + + ptr = SnortStrcasestr(ptr, (int)(ptr_end - ptr), "utf-"); + if (!ptr) + return p; + + ptr += 4; /* length of "utf-" */ + cmplen = ptr_end - ptr; - p = (const u_char*)crlf; + if ((cmplen > 0) && (*ptr == '8')) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_DEFAULT); + } + else if ((cmplen > 0) && (*ptr == '7')) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF7); + if(hi_eo_generate_event(Session, HI_EO_SERVER_UTF7)) + hi_eo_server_event_log(Session, HI_EO_SERVER_UTF7, NULL, NULL); + } + else if (cmplen >= 4) + { + if ( !strncasecmp(ptr, "16le", 4) ) + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16LE); + else if ( !strncasecmp(ptr, "16be", 4) ) + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16BE); + else if ( !strncasecmp(ptr, "32le", 4) ) + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32LE); + else if ( !strncasecmp(ptr, "32be", 4) ) + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32BE); } return p; } #ifdef ZLIB -static INLINE const u_char *extract_http_content_encoding(HTTPINSPECT_CONF *ServerConf, - const u_char *p, const u_char *start, const u_char *end, HEADER_PTR *header_ptr, +static inline const u_char *extract_http_content_encoding(HTTPINSPECT_CONF *ServerConf, + const u_char *p, const u_char *start, const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr) { const u_char *crlf; 
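Review bot: In extract_http_content_type_charset, `ptr_end` is computed with `strlen((const char *)unfold_buf)` even though sf_unfold_header already returned the length in `unfold_size`; unless sf_unfold_header is guaranteed to NUL-terminate its output (not visible here), strlen can run off the end of unfold_buf when the unfolded header fills all DECODE_BLEN bytes. `ptr_end = (const char *)(unfold_buf + unfold_size);` removes the dependency and is identical whenever the buffer is terminated. Separately, the charset is only examined after a case-insensitive hit on "text", so `Content-Type: application/javascript; charset=utf-16le` (or any non-text/* type) stays at CHARSET_DEFAULT and its body is not decoded; if limiting UTF decoding to text/* is intended, a one-line comment saying so would keep the next reader from filing it as an evasion gap. This hunk starts on the previous line.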
@@ -517,52 +553,117 @@ } #endif +const u_char *extract_http_transfer_encoding(HI_SESSION *Session, HttpSessionData *hsd, + const u_char *p, const u_char *start, const u_char *end, + HEADER_PTR *header_ptr, int iInspectMode) +{ + uint8_t unfold_buf[DECODE_BLEN]; + uint32_t unfold_size =0; + const u_char *start_ptr, *end_ptr, *cur_ptr; + + + SkipBlankSpace(start,end,&p); + + if(hi_util_in_bounds(start, end, p) && *p == ':') + { + p++; + if(hi_util_in_bounds(start, end, p)) + sf_unfold_header(p, end-p, unfold_buf, sizeof(unfold_buf), &unfold_size, 1, 0); + + if(!unfold_size) + { + header_ptr->header.uri_end = end; + return end; + } + + p = p + unfold_size; + + start_ptr = unfold_buf; + cur_ptr = unfold_buf; + end_ptr = unfold_buf + unfold_size; + SkipBlankSpace(start_ptr,end_ptr,&cur_ptr); + + start_ptr = cur_ptr; + -static INLINE const u_char *extractHttpRespHeaderFieldValues(HTTPINSPECT_CONF *ServerConf, - const u_char *p, const u_char *offset, const u_char *start, - const u_char *end, HEADER_PTR *header_ptr, + if(!strncasecmp((const char *)start_ptr, "chunked", (end_ptr - start_ptr))) + { + if ((iInspectMode == HI_SI_SERVER_MODE) && hsd) + { + hsd->resp_state.last_pkt_chunked = 1; + hsd->resp_state.last_pkt_contlen = 0; + } + header_ptr->content_len.len = 0 ; + header_ptr->content_len.cont_len_start = NULL; + header_ptr->is_chunked = true; + } + } + else + { + header_ptr->header.uri_end = end; + return end; + } + + return p; +} + + + +static inline const u_char *extractHttpRespHeaderFieldValues(HTTPINSPECT_CONF *ServerConf, + const u_char *p, const u_char *offset, const u_char *start, + const u_char *end, HEADER_PTR *header_ptr, HEADER_FIELD_PTR *header_field_ptr, int parse_cont_encoding, HttpSessionData *hsd, HI_SESSION *Session) { if (((p - offset) == 0) && ((*p == 'S') || (*p == 's'))) { /* Search for 'Cookie' at beginning, starting from current *p */ - if ( ServerConf->enable_cookie && - IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__COOKIE, + if ( 
ServerConf->enable_cookie && + IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__COOKIE, HTTPRESP_HEADER_LENGTH__COOKIE)) { - p = extract_http_cookie(p, end, header_ptr, header_field_ptr); + p = extract_http_cookie((p + HTTPRESP_HEADER_LENGTH__COOKIE), end, header_ptr, header_field_ptr); } } else if (((p - offset) == 0) && ((*p == 'C') || (*p == 'c'))) { if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_TYPE, - HTTPRESP_HEADER_LENGTH__CONTENT_TYPE) ) + HTTPRESP_HEADER_LENGTH__CONTENT_TYPE) && ServerConf->normalize_utf) { p = extract_http_content_type_charset(Session, hsd, p, start, end); } #ifdef ZLIB - else if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_ENCODING, + else if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_ENCODING, HTTPRESP_HEADER_LENGTH__CONTENT_ENCODING) && ServerConf->extract_gzip && - parse_cont_encoding) + parse_cont_encoding) { p = extract_http_content_encoding(ServerConf, p, start, end, header_ptr, header_field_ptr ); } #endif - else if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_LENGTH, + else if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__CONTENT_LENGTH, HTTPRESP_HEADER_LENGTH__CONTENT_LENGTH) ) { - p = extract_http_content_length(Session, ServerConf, p, start, end, header_ptr, header_field_ptr ); + if(!hsd->resp_state.last_pkt_chunked) + p = extract_http_content_length(Session, ServerConf, p, start, end, header_ptr, header_field_ptr ); + } + } + else if (((p - offset) == 0) && ((*p == 'T') || (*p == 't'))) + { + if ( IsHeaderFieldName(p, end, HTTPRESP_HEADER_NAME__TRANSFER_ENCODING, + HTTPRESP_HEADER_LENGTH__TRANSFER_ENCODING)) + { + p = p + HTTPRESP_HEADER_LENGTH__TRANSFER_ENCODING; + p = extract_http_transfer_encoding(Session, hsd, p, start, end, header_ptr, HI_SI_SERVER_MODE); } } return p; } -static INLINE const u_char *hi_server_extract_header( - HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, - HEADER_PTR *header_ptr, const u_char *start, +static inline const u_char 
*hi_server_extract_header( + HI_SESSION *Session, HTTPINSPECT_CONF *ServerConf, + HEADER_PTR *header_ptr, const u_char *start, const u_char *end, int parse_cont_encoding, HttpSessionData *hsd) { @@ -578,8 +679,10 @@ offset = (u_char*)p; header_ptr->header.uri = p; + header_ptr->header.uri_end = end; header_ptr->content_encoding.compress_fmt = 0; header_ptr->content_len.len = 0; + header_ptr->is_chunked = false; while (hi_util_in_bounds(start, end, p)) { @@ -615,16 +718,16 @@ return p; } } - else if ( (p = extractHttpRespHeaderFieldValues(ServerConf, p, offset, - start, end, header_ptr, &header_field_ptr, + else if ( (p = extractHttpRespHeaderFieldValues(ServerConf, p, offset, + start, end, header_ptr, &header_field_ptr, parse_cont_encoding, hsd, Session)) == end) { return end; } } - else if( (p == header_ptr->header.uri) && - (p = extractHttpRespHeaderFieldValues(ServerConf, p, offset, + else if( (p == header_ptr->header.uri) && + (p = extractHttpRespHeaderFieldValues(ServerConf, p, offset, start, end, header_ptr, &header_field_ptr, parse_cont_encoding, hsd, Session)) == end) { 
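Review bot: In extractHttpRespHeaderFieldValues the new Content-Length branch reads `hsd->resp_state.last_pkt_chunked` with no NULL check, while the two helpers in this same hunk treat a NULL hsd as possible (extract_http_content_type_charset returns early on `hsd == NULL`, extract_http_transfer_encoding tests `&& hsd`); a response carrying Content-Length would crash where one carrying Transfer-Encoding would not. `if(!hsd || !hsd->resp_state.last_pkt_chunked)` preserves the previous behaviour for that case. In extract_http_transfer_encoding, `strncasecmp(start_ptr, "chunked", end_ptr - start_ptr)` compares only as many bytes as the header value holds, so a truncated value such as `Transfer-Encoding: c` compares equal and marks the response chunked; `(end_ptr - start_ptr) >= 7 && !strncasecmp((const char *)start_ptr, "chunked", 7)` tests the whole token. This hunk spans the two previous lines, and hi_server_extract_header, whose signature closes the hunk, continues in the next one.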
@@ -638,41 +741,75 @@ return p; } -static INLINE int hi_server_extract_body( +static inline int hi_server_extract_body( HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr, const u_char *end, URI_PTR *result) { HTTPINSPECT_CONF *ServerConf; const u_char *start = ptr; int iRet = HI_SUCCESS; - const u_char *post_end = end; - int chunk_size = 0; - int chunk_read = 0; + const u_char *post_end = end; + uint32_t chunk_size = 0; + uint32_t chunk_read = 0; + int bytes_to_read = 0; ServerConf = Session->server_conf; - if( ServerConf->server_flow_depth && ((end - ptr) > ServerConf->server_flow_depth) ) + + switch(ServerConf->server_flow_depth) { - end = ptr + ServerConf->server_flow_depth; + case -1: + result->uri = result->uri_end = NULL; + return iRet; + case 0: + break; + default: + if(sd->resp_state.flow_depth_read < ServerConf->server_flow_depth) + { + bytes_to_read = ServerConf->server_flow_depth - sd->resp_state.flow_depth_read; + if((end-ptr) > bytes_to_read ) + { + end = ptr + bytes_to_read; + } + sd->resp_state.flow_depth_read +=bytes_to_read; + } + else + { + result->uri = result->uri_end = NULL; + return iRet; + } } +/* if( ServerConf->server_flow_depth && ((end - ptr) > ServerConf->server_flow_depth) ) + { + end = ptr + ServerConf->server_flow_depth; + }*/ + if (!(sd->resp_state.last_pkt_contlen)) { - if( ServerConf->chunk_length ) + if( ServerConf->chunk_length || ServerConf->small_chunk_length.size ) { - if(CheckChunkEncoding(Session, start, end, &post_end, (u_char *)DecodeBuffer.data, sizeof(DecodeBuffer.data), - sd->resp_state.last_chunk_size, &chunk_size, &chunk_read ) == 1) + if (sd->resp_state.last_pkt_chunked + && CheckChunkEncoding(Session, start, end, &post_end, + (u_char *)HttpDecodeBuf.data, sizeof(HttpDecodeBuf.data), + sd->resp_state.last_chunk_size, &chunk_size, &chunk_read, + sd, HI_SI_SERVER_MODE) == 1) { sd->resp_state.last_chunk_size = chunk_size; sd->resp_state.last_pkt_chunked = 1; - result->uri = (u_char *)DecodeBuffer.data; + 
result->uri = (u_char *)HttpDecodeBuf.data; result->uri_end = result->uri + chunk_read; return iRet; } else { - if(hi_eo_generate_event(Session, HI_EO_SERVER_NO_CONTLEN)) + if(!(sd->resp_state.last_pkt_chunked)) { - hi_eo_server_event_log(Session, HI_EO_SERVER_NO_CONTLEN, NULL, NULL); + if(hi_eo_generate_event(Session, HI_EO_SERVER_NO_CONTLEN)) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_NO_CONTLEN, NULL, NULL); + } } + else + sd->resp_state.last_pkt_chunked = 0; result->uri = start; result->uri_end = end; } @@ -702,18 +839,26 @@ if (bkt != NULL) { - hsd->decomp_state = (DECOMPRESS_STATE *)SnortAlloc(sizeof(DECOMPRESS_STATE)); - hsd->decomp_state->gzip_bucket = bkt; - hsd->decomp_state->compr_depth = session->global_conf->compr_depth; - hsd->decomp_state->decompr_depth = session->global_conf->decompr_depth; - hsd->decomp_state->compr_buffer = (unsigned char *)bkt->data; - hsd->decomp_state->decompr_buffer = (unsigned char *)bkt->data + session->global_conf->compr_depth; + hsd->decomp_state = (DECOMPRESS_STATE *)calloc(1, sizeof(DECOMPRESS_STATE)); + if(hsd->decomp_state != NULL) + { + hsd->decomp_state->gzip_bucket = bkt; + hsd->decomp_state->compr_depth = session->global_conf->compr_depth; + hsd->decomp_state->decompr_depth = session->global_conf->decompr_depth; + hsd->decomp_state->compr_buffer = (unsigned char *)bkt->data; + hsd->decomp_state->decompr_buffer = (unsigned char *)bkt->data + session->global_conf->compr_depth; + hsd->decomp_state->inflate_init = 0; + } + else + { + mempool_free(hi_gzip_mempool, bkt); + } } } } -int uncompress_gzip ( u_char *dest, int destLen, u_char *source, - int sourceLen, HttpSessionData *sd, int *total_bytes_read, int first_pkt, int compr_fmt) +int uncompress_gzip ( u_char *dest, int destLen, u_char *source, + int sourceLen, HttpSessionData *sd, int *total_bytes_read, int compr_fmt) { z_stream stream; int err; 
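Review bot: In hi_server_extract_body the default case of the new server_flow_depth switch charges `sd->resp_state.flow_depth_read += bytes_to_read;`, i.e. the whole remaining depth, even when the segment is shorter than that — the `(end-ptr) > bytes_to_read` clamp only limits `end`, never the amount recorded. After one short body segment flow_depth_read equals server_flow_depth, so every later segment of the same response takes the `result->uri = result->uri_end = NULL` exit and is not inspected; a server that splits the body into small segments thereby evades inspection of everything after the first one. hi_server_decompress in a later hunk adds the bytes actually produced (`total_bytes_read`), and this path should likewise add what it consumed: `sd->resp_state.flow_depth_read += (end - ptr);` placed after the clamp. The commented-out `if( ServerConf->server_flow_depth && ...)` block left under the switch is dead code and should simply be removed. The hunk starts on the previous line and the function's tail lies beyond it.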
@@ -723,7 +868,7 @@ stream.next_in = (Bytef*)source; stream.avail_in = (uInt)sourceLen; - if ((uLong)stream.avail_in != (uLong)sourceLen) + if ((uLong)stream.avail_in != (uLong)sourceLen) { sd->decomp_state->d_stream = stream; return HI_FATAL_ERR; @@ -732,21 +877,22 @@ stream.next_out = dest; stream.avail_out = (uInt)destLen; if ((uLong)stream.avail_out != (uLong)destLen) - { + { sd->decomp_state->d_stream = stream; return HI_FATAL_ERR; } - if(first_pkt) + if(!sd->decomp_state->inflate_init) { + sd->decomp_state->inflate_init = 1; stream.zalloc = (alloc_func)0; stream.zfree = (free_func)0; if(compr_fmt & HTTP_RESP_COMPRESS_TYPE__DEFLATE) - err = inflateInit2(&stream, DEFLATE_WBITS); - else + err = inflateInit(&stream); + else err = inflateInit2(&stream, GZIP_WBITS); - if (err != Z_OK) + if (err != Z_OK) { sd->decomp_state->d_stream = stream; return HI_FATAL_ERR; @@ -758,9 +904,33 @@ stream.total_out =0; } + err = inflate(&stream, Z_SYNC_FLUSH); + if ((!sd->decomp_state->deflate_initialized) + && (err == Z_DATA_ERROR) + && (compr_fmt & HTTP_RESP_COMPRESS_TYPE__DEFLATE)) + { + /* Might not have zlib header - add one */ + static char zlib_header[2] = { 0x78, 0x01 }; + + inflateReset(&stream); + stream.next_in = (Bytef *)zlib_header; + stream.avail_in = sizeof(zlib_header); + + sd->decomp_state->deflate_initialized = true; + + err = inflate(&stream, Z_SYNC_FLUSH); + if (err == Z_OK) + { + stream.next_in = (Bytef*)source; + stream.avail_in = (uInt)sourceLen; + + err = inflate(&stream, Z_SYNC_FLUSH); + } + } + + if ((err != Z_STREAM_END) && (err !=Z_OK)) + { - err = inflate(&stream, Z_STREAM_END); - if ((err != Z_STREAM_END) && (err !=Z_OK)) { /* If some of the compressed data is decompressed we need to provide that for detection */ if( stream.total_out > 0) { 
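Review bot: In uncompress_gzip the raw-deflate retry resets the stream and rewinds `next_in`/`avail_in`, but `next_out`/`avail_out` are left wherever the failed first inflate() put them; if that first call emitted anything into dest before returning Z_DATA_ERROR (possible when the leading bytes of a raw deflate stream happen to pass the zlib header check), the retried output lands after those bytes while `total_out`, which inflateReset zeroes, counts only the retry, so the length reported to detection no longer describes the buffer. Rewinding the output side before the retry, `stream.next_out = dest; stream.avail_out = (uInt)destLen;`, keeps the two in step. Switching the inflate flush argument from Z_STREAM_END to Z_SYNC_FLUSH is correct and worth a one-line comment, since Z_STREAM_END is a return code rather than a flush mode. uncompress_gzip begins in the hunk above and its tail lies past this one.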
@@ -778,8 +948,8 @@ return HI_SUCCESS; } -static INLINE int hi_server_decompress(HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr, - const u_char *end, URI_PTR *result, int first_pkt) +static inline int hi_server_decompress(HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr, + const u_char *end, URI_PTR *result) { const u_char *start = ptr; int rawbuf_size = end - ptr; @@ -789,8 +959,8 @@ int compr_bytes_read, decompr_bytes_read; int compr_avail, decompr_avail; int total_bytes_read = 0; - int chunk_size = 0; - int chunk_read = 0; + uint32_t chunk_size = 0; + uint32_t chunk_read = 0; u_char *compr_buffer; u_char *decompr_buffer; @@ -812,6 +982,30 @@ decompr_avail = decompr_depth - decompr_bytes_read; } + /* Apply the server flow depth + * If the server flow depth is set then we need to decompress only upto the + * server flow depth + */ + switch ( Session->server_conf->server_flow_depth) + { + case -1: + decompr_avail=0; + break; + case 0: + break; + default: + if(sd->resp_state.flow_depth_read < Session->server_conf->server_flow_depth) + { + if(decompr_avail > (Session->server_conf->server_flow_depth - sd->resp_state.flow_depth_read)) + decompr_avail = Session->server_conf->server_flow_depth - sd->resp_state.flow_depth_read; + } + else + { + decompr_avail = 0; + } + break; + } + if(compr_avail <=0 || decompr_avail <=0 || (!compr_buffer) || (!decompr_buffer)) { 
@@ -828,13 +1022,15 @@ if(!(sd->resp_state.last_pkt_contlen)) { - if(CheckChunkEncoding(Session, start, end, NULL, compr_buffer, compr_avail, - sd->resp_state.last_chunk_size, &chunk_size, &chunk_read ) == 1) + if(sd->resp_state.last_pkt_chunked + && CheckChunkEncoding(Session, start, end, NULL, compr_buffer, compr_avail, + sd->resp_state.last_chunk_size, &chunk_size, &chunk_read, + sd, HI_SI_SERVER_MODE ) == 1) { sd->resp_state.last_chunk_size = chunk_size; compr_avail = chunk_read; zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, &total_bytes_read, - first_pkt, sd->decomp_state->compress_fmt); + sd->decomp_state->compress_fmt); } else { @@ -845,17 +1041,17 @@ } memcpy(compr_buffer, ptr, compr_avail); - zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, - &total_bytes_read, first_pkt, sd->decomp_state->compress_fmt); + zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, + &total_bytes_read, sd->decomp_state->compress_fmt); } } else { memcpy(compr_buffer, ptr, compr_avail); - zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, - &total_bytes_read, first_pkt, sd->decomp_state->compress_fmt); + zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, + &total_bytes_read, sd->decomp_state->compress_fmt); } - + sd->decomp_state->compr_bytes_read += compr_avail; hi_stats.compr_bytes_read += compr_avail; @@ -868,12 +1064,14 @@ { result->uri_end = decompr_buffer + total_bytes_read; sd->decomp_state->decompr_bytes_read += total_bytes_read; + sd->resp_state.flow_depth_read += total_bytes_read; hi_stats.decompr_bytes_read += total_bytes_read; } else { result->uri_end = decompr_buffer + decompr_avail; sd->decomp_state->decompr_bytes_read += decompr_avail; + sd->resp_state.flow_depth_read += decompr_avail; hi_stats.decompr_bytes_read += decompr_avail; } } 
@@ -884,16 +1082,27 @@ ResetRespState(&(sd->resp_state)); } + if(zRet!=HI_SUCCESS) + { + if(hi_eo_generate_event(Session, HI_EO_SERVER_DECOMPR_FAILED)) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_DECOMPR_FAILED, NULL, NULL); + } + } + return iRet; } #endif -static INLINE int hi_server_inspect_body(HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr, - const u_char *end, URI_PTR *result, int first_pkt) +static inline int hi_server_inspect_body(HI_SESSION *Session, HttpSessionData *sd, const u_char *ptr, + const u_char *end, URI_PTR *result) { int iRet = HI_SUCCESS; + + result->uri =ptr; + result->uri_end = end; if(!Session || !sd ) { if ((sd != NULL)) @@ -909,7 +1118,7 @@ #ifdef ZLIB if((sd->decomp_state != NULL) && sd->decomp_state->decompress_data) { - iRet = hi_server_decompress(Session, sd, ptr, end, result, first_pkt); + iRet = hi_server_decompress(Session, sd, ptr, end, result); } else #endif 
@@ -922,8 +1131,79 @@ return iRet; } +static inline void ApplyFlowDepth(HTTPINSPECT_CONF *ServerConf, Packet *p, + HttpSessionData *sd, int resp_header_size, int expected, uint32_t seq_num) +{ + if(!ServerConf->server_flow_depth) + { + SetDetectLimit(p, p->dsize); + } + else if(ServerConf->server_flow_depth == -1) + { + SetDetectLimit(p, resp_header_size); + } + else + { + if(sd != NULL) + { + if(sd->resp_state.is_max_seq ) + { + if(SEQ_GEQ((sd->resp_state.max_seq), seq_num)) + { + if(((uint32_t)p->dsize) > (sd->resp_state.max_seq- seq_num)) + { + SetDetectLimit(p, (uint16_t)(sd->resp_state.max_seq-seq_num)); + return; + } + else + { + SetDetectLimit(p, p->dsize); + return; + } + } + else + { + SetDetectLimit(p, resp_header_size); + return; + } + } + else + { + if(expected) + { + if(p->dsize > ServerConf->server_flow_depth) + { + SetDetectLimit(p, ServerConf->server_flow_depth); + return; + } + else + { + SetDetectLimit(p, p->dsize); + return; + } + } + else + { + SetDetectLimit(p, 0); + return; + } + } + + } + else + { + SetDetectLimit(p, p->dsize); + } + } +} - +static inline void ResetState (HttpSessionData* sd) +{ +#ifdef ZLIB + ResetGzipState(sd->decomp_state); +#endif + ResetRespState(&(sd->resp_state)); +} int HttpResponseInspection(HI_SESSION *Session, Packet *p, const unsigned char *data, int dsize, HttpSessionData *sd) @@ -934,11 +1214,13 @@ HEADER_PTR header_ptr; URI_PTR body_ptr; HI_SERVER *Server; + const u_char *start; const u_char *end; const u_char *ptr; int len; int iRet = 0; + int resp_header_size = 0; /* Refers to the stream reassembled packets when reassembly is turned on. * Refers to all packets when reassembly is turned off. */ @@ -949,6 +1231,7 @@ #endif int expected_pkt = 0; int alt_dsize; + uint32_t seq_num = 0; if (!Session || !p || !data || (dsize == 0)) return HI_INVALID_ARG; 
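Review bot: ApplyFlowDepth decides how many bytes of each server packet reach detection and is added without any comment, so a reader must reverse-engineer `expected` and the sequence-number branch. A header comment should state what the code shows: server_flow_depth 0 detects on the whole packet; -1 detects only on the first resp_header_size bytes; a positive depth uses sd->resp_state.max_seq when is_max_seq is set (limit max_seq - seq_num, clamped to dsize, or resp_header_size once seq_num is past max_seq), otherwise server_flow_depth for an `expected` packet and 0 for an unexpected one; a NULL sd falls back to the whole packet. A note that `max_seq - seq_num` is cast to uint16_t only after the `p->dsize >` comparison (so it cannot truncate) would spare the next reviewer the same check. ResetState would benefit from one line saying whether ResetGzipState accepts a NULL decomp_state, which is not visible here but matters because a later hunk passes `sd->decomp_state` to it without a NULL test.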
@@ -958,46 +1241,114 @@ return HI_INVALID_ARG; + Server = &(Session->server); + clearHttpRespBuffer(Server); + + seq_num = GET_PKT_SEQ(p); + +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + { + expected_pkt = !PacketHasStartOfPDU(p); +#ifdef ZLIB + parse_cont_encoding = !expected_pkt; +#endif + not_stream_insert = PacketHasPAFPayload(p); + + if ( !expected_pkt ) + { + if ( sd ) + { + ResetState(sd); + } + } + else if ( sd && ServerConf->server_flow_depth ) + { + if ( !(sd->resp_state.is_max_seq) || + !SEQ_LT(seq_num, (sd->resp_state.max_seq)) ) + { + ResetState(sd); + } + } + } + else + // when PAF is hardened, the following can be removed +#endif if ( (sd != NULL) ) { - /* If the previously inspected packet in this session identified as a body - * and if the packets are stream inserted wait for reassembled */ - if (sd->resp_state.inspect_reassembled) + /* If the previously inspected packet in this session identified as a body + * and if the packets are stream inserted wait for reassembled */ + if (sd->resp_state.inspect_reassembled) + { + if(p->packet_flags & PKT_STREAM_INSERT) { - if(p->packet_flags & PKT_STREAM_INSERT) - { #ifdef ZLIB - parse_cont_encoding = 0; + parse_cont_encoding = 0; #endif - not_stream_insert = 0; - } + not_stream_insert = 0; } + } /* If this packet is the next expected packet to be inspected and is out of sequence * clear out the resp state*/ #ifdef ZLIB - if((sd->resp_state.inspect_body || ( sd->decomp_state && sd->decomp_state->decompress_data)) - && parse_cont_encoding ) -#else - if(sd->resp_state.inspect_body && not_stream_insert) -#endif + if(( sd->decomp_state && sd->decomp_state->decompress_data) && parse_cont_encoding) { if( sd->resp_state.next_seq && - (ntohl(p->tcph->th_seq) == sd->resp_state.next_seq) ) + (seq_num == sd->resp_state.next_seq) ) { - sd->resp_state.next_seq = ntohl(p->tcph->th_seq) + p->dsize; + sd->resp_state.next_seq = seq_num + p->dsize; expected_pkt = 1; } else { -#ifdef ZLIB ResetGzipState(sd->decomp_state); 
-#endif ResetRespState(&(sd->resp_state)); } } - } + else +#endif + if(sd->resp_state.inspect_body && not_stream_insert) + { + /* If the server flow depth is 0 then we need to check if the packet + * is in sequence + */ + if(!ServerConf->server_flow_depth) + { + if( sd->resp_state.next_seq && + (seq_num == sd->resp_state.next_seq) ) + { + sd->resp_state.next_seq = seq_num + p->dsize; + expected_pkt = 1; + } + else + { +#ifdef ZLIB + ResetGzipState(sd->decomp_state); +#endif + ResetRespState(&(sd->resp_state)); + } + } + else + { + /*Check if the sequence number of the packet is within the allowed + * flow_depth + */ + if( (sd->resp_state.is_max_seq) && + SEQ_LT(seq_num, (sd->resp_state.max_seq))) + { + expected_pkt = 1; + } + else + { +#ifdef ZLIB + ResetGzipState(sd->decomp_state); +#endif + ResetRespState(&(sd->resp_state)); + } + } - Server = &(Session->server); + } + } memset(&stat_code_ptr, 0x00, sizeof(URI_PTR)); memset(&stat_msg_ptr, 0x00, sizeof(URI_PTR)); @@ -1008,7 +1359,6 @@ end = data + dsize; ptr = start; - clearHttpRespBuffer(Server); /* moving past the CRLF */ while(hi_util_in_bounds(start, end, ptr)) @@ -1039,7 +1389,7 @@ if ( len > 4 ) { if(!IsHttpVersion(&ptr, end)) - { + { if(expected_pkt) { ptr = start; @@ -1047,6 +1397,8 @@ } else { + p->packet_flags |= PKT_HTTP_DECODE; + ApplyFlowDepth(ServerConf, p, sd, resp_header_size, 0, seq_num); if ( not_stream_insert && (sd != NULL)) { #ifdef ZLIB 
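Review bot: In the PAF block of HttpResponseInspection the `else` that closes `if ( ScPafEnabled() ) { ... }` is followed by a comment and `#endif`, so its body is the `if ( (sd != NULL) )` statement on the other side of the preprocessor line; this compiles, but an else whose body is separated from it by `#endif` is easy to break when the non-PAF block is edited or removed (the comment says it is slated for removal). Evaluating `ScPafEnabled()` once into a local under `#ifdef ENABLE_PAF` and writing a plain if/else with no preprocessor line inside it keeps the control flow readable. A behavioural point worth a comment: in the PAF path an out-of-window packet (`!SEQ_LT(seq_num, (sd->resp_state.max_seq))`) resets the session state but leaves expected_pkt set, so the later `if (expected_pkt)` body inspection runs against freshly reset state, whereas the non-PAF path only ever sets expected_pkt on the in-window branch; whether that asymmetry is intended is not clear from here. This hunk starts on the previous line and the function continues beyond it.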
@@ -1085,21 +1437,21 @@ return HI_SUCCESS; } - /*If this is the next expected packet to be decompressed, send this packet + /*If this is the next expected packet to be decompressed, send this packet * decompression */ if (expected_pkt) { if (hi_util_in_bounds(start, end, ptr)) { - iRet = hi_server_inspect_body(Session, sd, ptr, end, &body_ptr, 0); + iRet = hi_server_inspect_body(Session, sd, ptr, end, &body_ptr); } } else { iRet = hi_server_extract_status_code(Session, start,ptr,end , &stat_code_ptr); - if ( iRet == STAT_END ) + if ( iRet != HI_OUT_OF_BOUNDS ) { Server->response.status_code = stat_code_ptr.uri; Server->response.status_code_size = stat_code_ptr.uri_end - stat_code_ptr.uri; @@ -1109,18 +1461,17 @@ } else { - iRet = hi_server_extract_status_msg(start, stat_code_ptr.uri_end , + iRet = hi_server_extract_status_msg(start, stat_code_ptr.uri_end , end, &stat_msg_ptr); - + if ( stat_msg_ptr.uri ) { Server->response.status_msg = stat_msg_ptr.uri; Server->response.status_msg_size = stat_msg_ptr.uri_end - stat_msg_ptr.uri; if ((int)Server->response.status_msg_size <= 0) { - CLR_SERVER_STAT(Server); + CLR_SERVER_STAT_MSG(Server); } - else { #ifdef ZLIB ptr = hi_server_extract_header(Session, ServerConf, &header_ptr, @@ -1137,18 +1488,19 @@ CLR_SERVER_STAT(Server); } } - + if (header_ptr.header.uri) { Server->response.header_raw = header_ptr.header.uri; - Server->response.header_raw_size = + Server->response.header_raw_size = header_ptr.header.uri_end - header_ptr.header.uri; - if ((int)Server->response.header_raw_size <= 0) + if(!Server->response.header_raw_size) { CLR_SERVER_HEADER(Server); } else { + resp_header_size = (header_ptr.header.uri_end - p->data); hi_stats.resp_headers++; Server->response.header_norm = header_ptr.header.uri; if (header_ptr.cookie.cookie) 
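Review bot: In HttpResponseInspection `resp_header_size = (header_ptr.header.uri_end - p->data);` measures the header from `p->data`, while start, end and every header_ptr pointer in this function are derived from the `data` parameter; the caller is not in view, so if `data` can ever differ from `p->data` (a reassembled or alternate buffer) the limit handed to SetDetectLimit through ApplyFlowDepth is off by that difference. `resp_header_size = (int)(header_ptr.header.uri_end - start);` keeps one coordinate system and is identical when the two pointers coincide. The replacement of `(int)... <= 0` by `!Server->response.header_raw_size` relies on header.uri_end never being below header.uri; the `header_ptr->header.uri_end = end` initialisation in the earlier hunk makes that hold for the paths shown, but if header_raw_size is unsigned (as the old cast suggests) a negative difference would now become a huge size rather than a cleared header, so it deserves a comment. The function continues on both sides of this hunk.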
@@ -1190,11 +1542,31 @@ sd->resp_state.inspect_body = 1; } - sd->resp_state.last_pkt_contlen = header_ptr.content_len.len; + sd->resp_state.last_pkt_contlen = (header_ptr.content_len.len != 0); + if(ServerConf->server_flow_depth == -1) + sd->resp_state.is_max_seq = 0; + else + { + sd->resp_state.is_max_seq = 1; + sd->resp_state.max_seq = seq_num + + (header_ptr.header.uri_end - start)+ ServerConf->server_flow_depth; + } if (p->packet_flags & PKT_STREAM_INSERT) { - if((end - (header_ptr.header.uri_end)) >= header_ptr.content_len.len) +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + { + if ( PacketHasFullPDU(p) ) + expected_pkt = 1; + else + sd->resp_state.inspect_reassembled = 1; + } + else +#endif + if ( + header_ptr.content_len.cont_len_start && + ((uint32_t)(end - (header_ptr.header.uri_end)) >= header_ptr.content_len.len)) { /* change this when the api is fixed to flush correctly */ //stream_api->response_flush_stream(p); @@ -1202,7 +1574,6 @@ } else sd->resp_state.inspect_reassembled = 1; - } else { @@ -1213,12 +1584,12 @@ } if(expected_pkt) { - sd->resp_state.next_seq = ntohl(p->tcph->th_seq) + p->dsize; + sd->resp_state.next_seq = seq_num + p->dsize; if(hi_util_in_bounds(start, end, header_ptr.header.uri_end)) { iRet = hi_server_inspect_body(Session, sd, header_ptr.header.uri_end, - end, &body_ptr, 1); + end, &body_ptr); } } } 
@@ -1242,53 +1613,65 @@ Server->response.body_size = body_ptr.uri_end - body_ptr.uri; if( Server->response.body_size > 0) { - if ( Server->response.body_size < sizeof(DecodeBuffer.data) ) + if ( Server->response.body_size < sizeof(HttpDecodeBuf.data) ) { alt_dsize = Server->response.body_size; } else { - alt_dsize = sizeof(DecodeBuffer.data); + alt_dsize = sizeof(HttpDecodeBuf.data); } #ifdef ZLIB if(sd->decomp_state && sd->decomp_state->decompress_data) { - p->data_flags |= DATA_FLAGS_GZIP; - SetAltDecode(p, alt_dsize); - status = SafeMemcpy(DecodeBuffer.data, Server->response.body, - alt_dsize, DecodeBuffer.data, DecodeBuffer.data + sizeof(DecodeBuffer)); + status = SafeMemcpy(HttpDecodeBuf.data, Server->response.body, + alt_dsize, HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); if( status != SAFEMEM_SUCCESS ) return HI_MEM_ALLOC_FAIL; + + SetHttpDecode((uint16_t)alt_dsize); + Server->response.body = HttpDecodeBuf.data; + Server->response.body_size = HttpDecodeBuf.len; + if(sd) + sd->log_flags |= HTTP_LOG_GZIP_DATA; } else #endif { if(sd->resp_state.last_pkt_chunked) { - p->data_flags |= DATA_FLAGS_RESP_BODY; - SetAltDecode(p, alt_dsize); + SetHttpDecode((uint16_t)alt_dsize); + Server->response.body = HttpDecodeBuf.data; + Server->response.body_size = HttpDecodeBuf.len; } else { - p->data_flags |= DATA_FLAGS_RESP_BODY; - p->packet_flags |= PKT_HTTP_RESP_BODY; + Server->response.body_size = alt_dsize; } } - if (get_decode_utf_state_charset(&(sd->utf_state)) != CHARSET_DEFAULT) + if ((get_decode_utf_state_charset(&(sd->utf_state)) != CHARSET_DEFAULT) + || (ServerConf->normalize_javascript && Server->response.body_size)) { - if ( Server->response.body_size < sizeof(DecodeBuffer.data) ) + if ( Server->response.body_size < sizeof(HttpDecodeBuf.data) ) { alt_dsize = Server->response.body_size; - } + } else { - alt_dsize = sizeof(DecodeBuffer.data); + alt_dsize = sizeof(HttpDecodeBuf.data); } - SetAltDecode(p, alt_dsize); + 
Server->response.body_size = alt_dsize; + SetHttpDecode((uint16_t)alt_dsize); } } - + + } + { + /* There is no body to the HTTP response. + * In this case we need to inspect the entire HTTP response header. + */ + ApplyFlowDepth(ServerConf, p, sd, resp_header_size, 1, seq_num); } return HI_SUCCESS; @@ -1309,8 +1692,7 @@ } else { - iRet = IsHttpServerData(&Session->server, p, - Session->server_conf->server_flow_depth); + iRet = IsHttpServerData(Session, p, hsd); } if (iRet) diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/server/hi_server_norm.c snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server_norm.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/server/hi_server_norm.c 2010-10-25 12:49:12.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/server/hi_server_norm.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,17 +18,17 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_client_norm.c -** +** ** @author Daniel Roelker <droelker@sourcefire.com> -** +** ** @brief HTTP client normalization routines -** -** We deal with the normalization of HTTP client requests headers and +** +** We deal with the normalization of HTTP client requests headers and ** URI. -** +** ** In this file, we handle all the different HTTP request URI evasions. The ** list is: ** - ASCII decoding @@ -39,8 +39,10 @@ ** - Double decoding ** - %U decoding ** - Bare Byte Unicode decoding +** +** Base 36 is deprecated and essentially a noop ** - Base36 decoding -** +** ** NOTES: ** - Initial development. DJR */ 
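Review bot: At the end of the body handling in HttpResponseInspection the new lines read `} {` with a comment "There is no body to the HTTP response", but there is no `else` between the two braces, so the `ApplyFlowDepth(ServerConf, p, sd, resp_header_size, 1, seq_num);` inside that block runs for every response, with or without a body. Either an `else` was dropped, or the call is meant to be unconditional and the comment is wrong; whichever is intended, the code should say so — `else` before the brace, or a comment such as `/* Always runs: sets this packet's detect limit from server_flow_depth. */` in place of the current one. The `if(sd)` guard around `sd->log_flags |= HTTP_LOG_GZIP_DATA` is redundant, since `sd->decomp_state` was dereferenced a few lines earlier in the same branch. The conditional these braces close begins before this hunk, which starts on the previous line.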
@@ -49,15 +51,18 @@ #include <sys/types.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_norm.h" #include "hi_util.h" #include "hi_return_codes.h" #include "hi_eo_log.h" -#include "bounds.h" +#include "snort_bounds.h" #include "detection_util.h" -#define MAX_URI 4096 extern int hi_split_header_cookie(HI_SESSION *, u_char *, int *, u_char *, int *, const u_char *, int , COOKIE_PTR *); @@ -118,7 +123,7 @@ if(ServerResp->header_norm && Session->server_conf->normalize_headers) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, + iRet = hi_norm_uri(Session, HeaderBuf, &iHeaderBufSize, RawHeaderBuf, iRawHeaderBufSize, &encodeType); if (iRet == HI_NONFATAL_ERR) { @@ -127,9 +132,9 @@ ServerResp->header_norm_size = 0; ServerResp->header_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ServerResp->header_norm = HeaderBuf; ServerResp->header_norm_size = iHeaderBufSize; @@ -139,7 +144,7 @@ } else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ if (iRawHeaderBufSize) { @@ -152,7 +157,7 @@ if(ServerResp->cookie.cookie && Session->server_conf->normalize_cookies) { Session->norm_flags &= ~HI_BODY; - iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, + iRet = hi_norm_uri(Session, CookieBuf, &iCookieBufSize, RawCookieBuf, iRawCookieBufSize, &encodeType); if (iRet == HI_NONFATAL_ERR) { @@ -161,9 +166,9 @@ ServerResp->cookie_norm_size = 0; ServerResp->cookie_encode_type = 0; } - else + else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ ServerResp->cookie_norm = CookieBuf; ServerResp->cookie_norm_size = iCookieBufSize; 
@@ -173,7 +178,7 @@ } else { - /* Client code is expecting these to be set to non-NULL if + /* Client code is expecting these to be set to non-NULL if * normalization occurred. */ if (iRawCookieBufSize) { 
@@ -191,27 +196,190 @@ { charset = get_decode_utf_state_charset(&(hsd->utf_state)); + if (charset == CHARSET_UNKNOWN) + { + /* Got a text content type but no charset. + * Look for potential BOM (Byte Order Mark) */ + if (ServerResp->body_size >= 4) + { + uint8_t size = 0; + + if (!memcmp(ServerResp->body, "\x00\x00\xFE\xFF", 4)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32BE); + size = 4; + } + else if (!memcmp(ServerResp->body, "\xFF\xFE\x00\x00", 4)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF32LE); + size = 4; + } + else if (!memcmp(ServerResp->body, "\xFE\xFF", 2)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16BE); + size = 2; + } + else if (!memcmp(ServerResp->body, "\xFF\xFE", 2)) + { + set_decode_utf_state_charset(&(hsd->utf_state), CHARSET_UTF16LE); + size = 2; + } + + ServerResp->body += size; + ServerResp->body_size -= size; + + charset = get_decode_utf_state_charset(&(hsd->utf_state)); + } + } + /* Normalize server responses with utf-16le, utf-16be, utf-32le, or utf-32be charsets.*/ - if ((charset != CHARSET_DEFAULT) && (charset != CHARSET_UTF7)) + switch (charset) + { + case CHARSET_UTF16LE: + case CHARSET_UTF16BE: + case CHARSET_UTF32LE: + case CHARSET_UTF32BE: + result = DecodeUTF((char *)ServerResp->body, ServerResp->body_size, + (char *)HttpDecodeBuf.data, sizeof(HttpDecodeBuf.data), + &bytes_copied, + &(hsd->utf_state)); + + if (result == DECODE_UTF_FAILURE) + { + if(hi_eo_generate_event(Session, HI_EO_SERVER_UTF_NORM_FAIL)) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_UTF_NORM_FAIL, NULL, NULL); + } + } + SetHttpDecode((uint16_t)bytes_copied); + ServerResp->body = HttpDecodeBuf.data; + ServerResp->body_size = HttpDecodeBuf.len; + break; + default: + break; + } + } + } + + if (Session->server_conf->normalize_javascript && (ServerResp->body_size > 0)) + { + int js_present, status, index; + char *ptr, *start, *end; + JSState js; + + js.allowed_spaces = 
Session->server_conf->max_js_ws; + js.allowed_levels = MAX_ALLOWED_OBFUSCATION; + js.alerts = 0; + + js_present = status = index = 0; + start = (char *)ServerResp->body; + ptr = start; + end = start + ServerResp->body_size; + + while(ptr < end) + { + char *angle_bracket, *js_start; + int type_js, bytes_copied, script_found; + bytes_copied = 0; + type_js = 0; + hi_current_search = &hi_js_search[0]; + script_found = search_api->search_instance_find(hi_javascript_search_mpse, (const char *)ptr, + (end-ptr), 0 , HI_SearchStrFound); + if (script_found > 0) { - result = DecodeUTF((char *)ServerResp->body, ServerResp->body_size, - (char *)DecodeBuffer.data, sizeof(DecodeBuffer.data), - &bytes_copied, - &(hsd->utf_state)); + js_start = ptr + hi_search_info.index; + angle_bracket = (char *)SnortStrnStr((const char *)(js_start), (end - js_start), ">"); + if(!angle_bracket) + break; - if (result == DECODE_UTF_FAILURE) + if(angle_bracket > js_start) { - if(hi_eo_generate_event(Session, HI_EO_SERVER_UTF_NORM_FAIL)) + script_found = search_api->search_instance_find(hi_htmltype_search_mpse, (const char *)js_start, + (angle_bracket-js_start), 0 , HI_SearchStrFound); + js_start = angle_bracket; + if(script_found > 0) + { + switch (hi_search_info.id) + { + case HTML_JS: + js_present = 1; + type_js = 1; + break; + default: + type_js = 0; + break; + } + } + else { - hi_eo_server_event_log(Session, HI_EO_SERVER_UTF_NORM_FAIL, NULL, NULL); + //if no type or language is found we assume its a javascript + js_present = 1; + type_js = 1; } + + } + //Save before the <script> begins + if(js_start > ptr) + { + status = SafeMemcpy(HttpDecodeBuf.data+index, ptr, (js_start - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + if(status == SAFEMEM_SUCCESS) + index += (js_start - ptr); + else + break; + } + + ptr = js_start; + if(!type_js) + continue; + + if(Session->server_conf->iis_unicode.on) + { + JSNormalizeDecode(js_start, (uint16_t)(end-js_start), (char 
*)HttpDecodeBuf.data+index, (uint16_t)(sizeof(HttpDecodeBuf.data) - index), + &ptr, &bytes_copied, &js, Session->server_conf->iis_unicode_map); } - DecodeBuffer.len = bytes_copied; + else + { + JSNormalizeDecode(js_start, (uint16_t)(end-js_start), (char *)HttpDecodeBuf.data+index, (uint16_t)(sizeof(HttpDecodeBuf.data) - index), + &ptr, &bytes_copied, &js, NULL); + } + index += bytes_copied; } + else + break; } - } + if(js_present) + { + if( ptr < end ) + { + status = SafeMemcpy(HttpDecodeBuf.data+index, ptr, (end - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + if(status == SAFEMEM_SUCCESS) + index += (end - ptr); + } + SetHttpDecode((uint16_t)index); + ServerResp->body = HttpDecodeBuf.data; + ServerResp->body_size = index; + if(js.alerts) + { + if((js.alerts & ALERT_LEVELS_EXCEEDED) && (hi_eo_generate_event(Session, HI_EO_SERVER_JS_OBFUSCATION_EXCD))) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_JS_OBFUSCATION_EXCD, NULL, NULL); + } + if( (js.alerts & ALERT_SPACES_EXCEEDED) && (hi_eo_generate_event(Session, HI_EO_SERVER_JS_EXCESS_WS))) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_JS_EXCESS_WS, NULL, NULL); + } + if((js.alerts & ALERT_MIXED_ENCODINGS) && (hi_eo_generate_event(Session, HI_EO_SERVER_MIXED_ENCODINGS))) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_MIXED_ENCODINGS, NULL, NULL); + } + } + + if(hsd) + hsd->log_flags |= HTTP_LOG_JSNORM_DATA; + } + } return HI_SUCCESS; } diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/server/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/server/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/server/Makefile.in 2010-10-08 02:56:54.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/server/Makefile.in 2011-12-07 11:23:21.000000000 -0800 @@ -78,7 +78,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
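Review bot: In the JavaScript scan, when the `>` located by SnortStrnStr sits exactly at `js_start` (`angle_bracket == js_start`), the whole `if(angle_bracket > js_start)` block is skipped, so neither `js_present` nor `type_js` is set and `ptr = js_start; if(!type_js) continue;` steps past the tag without normalizing it. If `hi_search_info.index` is the offset just past the `<script` match, that is the bare `<script>` case, and it would silently bypass normalization; please confirm the index semantics and, if so, treat the empty-attribute case like the no-type case, e.g. `else { js_present = 1; type_js = 1; }` paired with the bracket check. Separately, `(uint16_t)(end-js_start)` and `(uint16_t)(sizeof(HttpDecodeBuf.data) - index)` truncate if the body or the decode buffer exceeds 65535 bytes; the earlier caps on body_size make that plausible but it is not visible here, so a comment or compile-time check that `sizeof(HttpDecodeBuf.data) <= UINT16_MAX` would pin the assumption. The enclosing function starts before this hunk.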
@@ -93,6 +95,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -129,13 +132,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/session_inspection/hi_si.c snort-2.9.2/src/preprocessors/HttpInspect/session_inspection/hi_si.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/session_inspection/hi_si.c 2010-06-09 15:05:25.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/session_inspection/hi_si.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_si.c ** 
@@ -27,8 +27,8 @@ ** @brief This file contains functions to select server configurations ** and begin the HttpInspect process. ** -** The Session Inspection Module interfaces with the Stream Inspection -** Module and the User Interface Module to select the appropriate +** The Session Inspection Module interfaces with the Stream Inspection +** Module and the User Interface Module to select the appropriate ** HttpInspect configuration and in the case of stateful inspection the ** Session Inspection Module retrieves the user-data from the Stream ** Module. For stateless inspection, the Session Inspection Module uses @@ -47,6 +47,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_return_codes.h" #include "hi_ui_config.h" #include "hi_ui_server_lookup.h" @@ -90,13 +94,13 @@ ** InitServerConf:: */ /** -** When a session is initialized, we must select the appropriate server -** configuration and select the type of inspection based on the source and +** When a session is initialized, we must select the appropriate server +** configuration and select the type of inspection based on the source and ** destination ports. ** ** IMPORTANT NOTE: -** We should check to make sure that there are some unique configurations, -** otherwise we can just default to the global default and work some magic +** We should check to make sure that there are some unique configurations, +** otherwise we can just default to the global default and work some magic ** that way. ** ** @param GlobalConf pointer to the global configuration 
@@ -104,14 +108,14 @@ ** set it. ** @param SiInput pointer to the packet info (sip,dip,sport,dport) ** @param piInspectMode pointer so we can set the inspection mode -** +** ** @return integer -** +** ** @retval HI_SUCCESS function successful */ -static int InitServerConf(HTTPINSPECT_GLOBAL_CONF *GlobalConf, - HTTPINSPECT_CONF **ServerConf, - HTTPINSPECT_CONF **ClientConf, +static int InitServerConf(HTTPINSPECT_GLOBAL_CONF *GlobalConf, + HTTPINSPECT_CONF **ServerConf, + HTTPINSPECT_CONF **ClientConf, HI_SI_INPUT *SiInput, int *piInspectMode, Packet *p) { HTTPINSPECT_CONF *ServerConfSip; @@ -150,7 +154,7 @@ ** is at least one unique server configuration. If there isn't then we ** assume the global server configuration. */ - ServerConfDip = hi_ui_server_lookup_find(GlobalConf->server_lookup, + ServerConfDip = hi_ui_server_lookup_find(GlobalConf->server_lookup, #ifdef SUP_IP6 &dip, #else @@ -183,8 +187,8 @@ ** is a sort of problem. We don't know which side is the client and which ** side is the server so we have to assume one. ** - ** In stateful processing, we only do this stage on the startup of a - ** session, so we can still assume that the initial packet is the client + ** In stateful processing, we only do this stage on the startup of a + ** session, so we can still assume that the initial packet is the client ** talking. */ iServerSip = IsServer(ServerConfSip, SiInput->sport); @@ -220,7 +224,7 @@ { case HI_SI_NO_MODE: /* - ** We check for the case where both SIP and DIP + ** We check for the case where both SIP and DIP ** appear to be servers. In this case, we assume client ** and process that way. */ @@ -276,10 +280,10 @@ *ClientConf = NULL; break; } - + return HI_SUCCESS; } - + static int StatefulSessionInspection(HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectType, Packet *p) 
@@ -299,16 +303,16 @@ ** This function resets all the variables that need to be initialized for ** a new Session. I've tried to keep this to a minimum, so we don't have ** to worry about initializing big structures. -** +** ** @param Session pointer to the session to reset -** +** ** @return integer -** +** ** @retval HI_SUCCESS */ -static INLINE int ResetSession(HI_SESSION *Session) +static inline int ResetSession(HI_SESSION *Session) { - + Session->client.event_list.stack_count = 0; Session->server.event_list.stack_count = 0; Session->anom_server.event_list.stack_count = 0; @@ -347,7 +351,7 @@ Session->server.response.cookie_norm = NULL; Session->server.response.cookie_norm_size = 0; Session->server.response.body = NULL; - Session->server.response.body_size = 0; + Session->server.response.body_size = 0; Session->server.response.status_code_size = 0; Session->server.response.status_msg_size = 0; Session->server.response.header_raw_size = 0; @@ -372,8 +376,8 @@ ** is no knowledge retained from one packet to another. If you want to track ** an HTTP session for real, use stateful mode. ** -** In this function, we set the Session pointer (which includes the correct -** server configuration). The actual processing to find which IP is the +** In this function, we set the Session pointer (which includes the correct +** server configuration). The actual processing to find which IP is the ** server and which is the client, is done in the InitServerConf() function. ** ** @param GlobalConf pointer to the global configuration @@ -401,7 +405,7 @@ { return iRet; } - + StaticSession.server_conf = ServerConf; StaticSession.client_conf = ClientConf; StaticSession.global_conf = GlobalConf; @@ -410,7 +414,7 @@ return HI_SUCCESS; } - + /* ** NAME 
@@ -418,7 +422,7 @@ */ /** ** The Session Inspection module selects the appropriate server configuration -** for the session, and the type of inspection to be performed (client or +** for the session, and the type of inspection to be performed (client or ** server.) ** ** When the Session Inspection module is in stateful mode, it checks to see if @@ -430,7 +434,7 @@ ** overhead. ** ** The inspection mode can be either client, server, or neither. In the case -** of neither, the packet is inspected for rogue HTTP servers and HTTP +** of neither, the packet is inspected for rogue HTTP servers and HTTP ** tunneling. ** ** @param GlobalConf pointer to the global configuration @@ -451,10 +455,10 @@ int iRet; /* - ** We get the server configuration and the session structure differently - ** depending on what type of inspection we are doing. In the case of + ** We get the server configuration and the session structure differently + ** depending on what type of inspection we are doing. In the case of ** stateful processing, we may get the session structure from the Stream - ** Reassembly module (which includes the server configuration) or the + ** Reassembly module (which includes the server configuration) or the ** structure will be allocated and added to the stream pointer for the ** rest of the session. ** diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/session_inspection/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/session_inspection/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/session_inspection/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/session_inspection/Makefile.in 2011-12-07 11:23:22.000000000 -0800 @@ -77,7 +77,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ 
@@ -92,6 +94,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -128,13 +131,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c snort-2.9.2/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2010-09-27 08:28:15.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_ui_config.c ** @@ -45,6 +45,10 @@ #include <arpa/inet.h> #endif +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_return_codes.h" #include "hi_util_xmalloc.h" #include "hi_ui_server_lookup.h" 
@@ -95,7 +99,7 @@ ** change this function. ** ** @param GlobalConf pointer to the global configuration structure -** +** ** @return integer ** ** @retval HI_INVALID_ARG Fatal Error. Undefined pointer to GlobalConf @@ -118,7 +122,7 @@ global_server->client_flow_depth = 300; global_server->post_depth = -1; - + global_server->chunk_length = 500000; global_server->ascii.on = 1; @@ -145,6 +149,8 @@ global_server->max_hdr_len = HI_UI_CONFIG_MAX_HDR_DEFAULT; global_server->max_headers = HI_UI_CONFIG_MAX_HEADERS_DEFAULT; + global_server->max_spaces = HI_UI_CONFIG_MAX_SPACES_DEFAULT; + global_server->max_js_ws = HI_UI_CONFIG_MAX_SPACES_DEFAULT; return HI_SUCCESS; } @@ -171,7 +177,7 @@ return HI_SUCCESS; } - + /* ** NAME ** hi_ui_config_reset_server:: @@ -196,6 +202,25 @@ /* ** NAME +** hi_ui_config_reset_http_methods:: +*/ +/** +** This function resets the cmd lookup for http_methods +** +** @param ServerConf pointer to the HTTPINSPECT_CONF structure +** +** @return integer +** +** @return None +*/ +void hi_ui_config_reset_http_methods(HTTPINSPECT_CONF *ServerConf) +{ + http_cmd_lookup_cleanup(&ServerConf->cmd_lookup); + http_cmd_lookup_init(&ServerConf->cmd_lookup); +} + +/* +** NAME ** hi_ui_set_profile_apache:: */ /** @@ -226,7 +251,7 @@ ServerConf->non_strict = 1; - ServerConf->chunk_length = 500000; + ServerConf->chunk_length = 500000; ServerConf->ascii.on = 1; @@ -242,6 +267,7 @@ ServerConf->utf_8.on = 1; ServerConf->normalize_utf = 1; + ServerConf->normalize_javascript = 0; ServerConf->whitespace[9] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* horizontal tab */ ServerConf->whitespace[11] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* vertical tab */ 
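Review bot: `hi_ui_config_reset_http_methods` discards the return value of `http_cmd_lookup_init`, which (per the hi_cmd_lookup.c hunk further down) returns an error when `KMapNew` yields NULL; on that path `ServerConf->cmd_lookup` is left NULL after the old table has already been freed and the caller cannot tell. I would propagate it: `int hi_ui_config_reset_http_methods(HTTPINSPECT_CONF *ServerConf) { http_cmd_lookup_cleanup(&ServerConf->cmd_lookup); return http_cmd_lookup_init(&ServerConf->cmd_lookup); }` and update the prototype in the header to match. The new doc comment also says both `@return integer` and `@return None`; keep the one that matches the signature.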
@@ -250,10 +276,12 @@ ServerConf->max_hdr_len = HI_UI_CONFIG_MAX_HDR_DEFAULT; ServerConf->max_headers = HI_UI_CONFIG_MAX_HEADERS_DEFAULT; + ServerConf->max_spaces = HI_UI_CONFIG_MAX_SPACES_DEFAULT; + ServerConf->max_js_ws = HI_UI_CONFIG_MAX_SPACES_DEFAULT; return HI_SUCCESS; } - + /* ** NAME ** hi_ui_set_profile_iis:: @@ -290,7 +318,7 @@ ServerConf->client_flow_depth = 300; ServerConf->post_depth = -1; - ServerConf->chunk_length = 500000; + ServerConf->chunk_length = 500000; ServerConf->iis_unicode_map = iis_unicode_map; @@ -324,6 +352,7 @@ ServerConf->non_strict = 1; ServerConf->normalize_utf = 1; + ServerConf->normalize_javascript = 0; ServerConf->whitespace[9] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* horizontal tab */ ServerConf->whitespace[11] = HI_UI_CONFIG_WS_BEFORE_URI; /* vertical tab */ @@ -332,6 +361,8 @@ ServerConf->max_hdr_len = HI_UI_CONFIG_MAX_HDR_DEFAULT; ServerConf->max_headers = HI_UI_CONFIG_MAX_HEADERS_DEFAULT; + ServerConf->max_spaces = HI_UI_CONFIG_MAX_SPACES_DEFAULT; + ServerConf->max_js_ws = HI_UI_CONFIG_MAX_SPACES_DEFAULT; return HI_SUCCESS; } @@ -352,12 +383,12 @@ int *iis_unicode_map) { int ret; - + ret = hi_ui_config_set_profile_iis(ServerConf, iis_unicode_map); - + ServerConf->double_decoding.on = 1; ServerConf->double_decoding.alert = 1; - + return ret; } @@ -395,7 +426,7 @@ ServerConf->client_flow_depth = 300; ServerConf->post_depth = -1; - ServerConf->chunk_length = 500000; + ServerConf->chunk_length = 500000; ServerConf->iis_unicode_map = iis_unicode_map; @@ -429,6 +460,7 @@ ServerConf->non_strict = 1; ServerConf->normalize_utf = 1; + ServerConf->normalize_javascript = 0; ServerConf->whitespace[9] = HI_UI_CONFIG_WS_BEFORE_URI | HI_UI_CONFIG_WS_AFTER_URI; /* horizontal tab */ ServerConf->whitespace[11] = HI_UI_CONFIG_WS_BEFORE_URI; /* vertical tab */ 
@@ -437,6 +469,8 @@ ServerConf->max_hdr_len = HI_UI_CONFIG_MAX_HDR_DEFAULT; ServerConf->max_headers = HI_UI_CONFIG_MAX_HEADERS_DEFAULT; + ServerConf->max_spaces = HI_UI_CONFIG_MAX_SPACES_DEFAULT; + ServerConf->max_js_ws = HI_UI_CONFIG_MAX_SPACES_DEFAULT; return HI_SUCCESS; } diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c snort-2.9.2/src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c 2010-01-26 10:10:20.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c 2011-02-09 15:23:33.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c snort-2.9.2/src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c 2010-06-23 21:06:09.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_ui_server_lookup.c ** 
@@ -39,6 +39,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_xmalloc.h" #include "hi_util_kmap.h" #include "hi_ui_config.h" @@ -100,8 +104,8 @@ ** @return integer ** ** @retval HI_SUCCESS function successful -** @retval HI_INVALID_ARG invalid argument, most likely NULL pointer -** @retval HI_MEM_ALLOC_FAIL memory allocation failed +** @retval HI_INVALID_ARG invalid argument, most likely NULL pointer +** @retval HI_MEM_ALLOC_FAIL memory allocation failed ** @retval HI_NONFATAL_ERR key is already in table, don't overwrite ** configuration. */ @@ -148,7 +152,7 @@ ** @retval HI_INVALID_ARG argument(s) are invalid ** @retval HI_NOT_FOUND IP not found */ -HTTPINSPECT_CONF *hi_ui_server_lookup_find(SERVER_LOOKUP *ServerLookup, +HTTPINSPECT_CONF *hi_ui_server_lookup_find(SERVER_LOOKUP *ServerLookup, snort_ip_p Ip, int *iError) { HTTPINSPECT_CONF *ServerConf; @@ -180,14 +184,14 @@ } void hi_ui_server_iterate( - SERVER_LOOKUP *ServerLookup, + SERVER_LOOKUP *ServerLookup, void (*userfunc)(void *) ) { sfrt_iterate(ServerLookup, userfunc); } #if 0 -/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with +/** Obsoleted. After changing underlying KMAP to SFRT. SFRT provides an iterator with * a callback function but does not support getFirst, getNext operations. */ @@ -278,7 +282,7 @@ return ServerConf; } -#endif +#endif void hi_ui_server_lookup_destroy(SERVER_LOOKUP *ServerLookup) { 
@@ -286,9 +290,9 @@ sfrt_free(ServerLookup); } -/**Free pData buffer, which may be referenced multiple times. ReferenceCount - * is the number of times the buffer is referenced. For freeing the buffer, - * we just decrement referenceCount till it reaches 0, at which time the +/**Free pData buffer, which may be referenced multiple times. ReferenceCount + * is the number of times the buffer is referenced. For freeing the buffer, + * we just decrement referenceCount till it reaches 0, at which time the * buffer is also freed. */ static void serverConfFree(void *pData) diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/user_interface/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/user_interface/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/user_interface/Makefile.in 2011-12-07 11:23:22.000000000 -0800 @@ -78,7 +78,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -93,6 +95,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -129,13 +132,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c 2010-06-23 21:06:10.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * -* Copyright (C) 2003-2010 Sourcefire, Inc. +* Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -22,6 +22,10 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "hi_cmd_lookup.h" @@ -42,7 +46,7 @@ */ int http_cmd_lookup_init(CMD_LOOKUP **CmdLookup) { - KMAP *km = KMapNew((KMapUserFreeFunc)HttpInspectCleanupHttpMethodsConf); + KMAP *km = KMapNew((KMapUserFreeFunc)HttpInspectCleanupHttpMethodsConf); *CmdLookup = km; if(*CmdLookup == NULL) { 
@@ -86,9 +90,9 @@ /* * Function: http_cmd_lookup_add(CMD_LOOKUP *CmdLookup, - * char *ip, int len, + * char *ip, int len, * HTTP_CMD_CONF *HTTPCmd) - * + * * Purpose: Add a cmd configuration to the list. * We add these keys like you would normally think to add * them, because on low endian machines the least significant @@ -104,7 +108,7 @@ * Returns: int => return code indicating error or success * */ -int http_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char *cmd, int len, +int http_cmd_lookup_add(CMD_LOOKUP *CmdLookup, char *cmd, int len, HTTP_CMD_CONF *HTTPCmd) { int iRet; @@ -153,7 +157,7 @@ * matching IP if found, NULL otherwise. * */ -HTTP_CMD_CONF *http_cmd_lookup_find(CMD_LOOKUP *CmdLookup, +HTTP_CMD_CONF *http_cmd_lookup_find(CMD_LOOKUP *CmdLookup, const char *cmd, int len, int *iError) { HTTP_CMD_CONF *HTTPCmd = NULL; diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_paf.c snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_paf.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_paf.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_paf.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,704 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +//-------------------------------------------------------------------- +// hi stuff +// +// @file hi_paf.c +// @author Russ Combs <rcombs@sourcefire.com> + +// the goal is to perform the minimal http paf parsing required for +// correctness while maintaining loose coupling wiht hi proper: + +// * distinguish request from response by presence of http version +// as first token in first header of response +// * identify head request so response is understood to not have body +// * determine length of body from content-length header +// * determine chunking from transfer-endoding header +// * extract chunk lengths for body chunks +// * determine end of chunks from chunk length of zero + +// Support for "Expect: 100-continue" is deferred. this is so far +// intended to be a standalone, "bolt on" addition to hi but expect +// and certain other cases may require simplified parsing here and +// feedback from hi to reset or otherwise adjust state. 
+ +// 1XX, 204, or 304 status responses must not have a body per RFC but +// if other headers indicate a body is present we will process that. +// This is different for head responses because content-length or +// transfer-encoding are expected. + +// future work: +// * capture headers of interest to hi packet processing (including +// offset and length) so hi doesn't have to search, size, or unfold +// * fsm initialization could possibly be simpler eg by converting +// strings into state array +//-------------------------------------------------------------------- + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <assert.h> +#include <ctype.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +#include "generators.h" +#include "hi_paf.h" +#include "hi_eo_events.h" +#include "decode.h" +#include "snort.h" +#include "stream_api.h" +#include "snort_debug.h" + +#define HI_TRACE // define for state trace + +// config stuff +// FIXTHIS replace hi_cap with flow depths or delete altogether? 
+static uint32_t hi_cap = 0; + +// stats +static uint32_t hi_paf_calls = 0; +static uint32_t hi_paf_bytes = 0; + +//-------------------------------------------------------------------- +// session data +//-------------------------------------------------------------------- + +#define HIF_REQ 0x0001 // message is request +#define HIF_RSP 0x0002 // message is response +#define HIF_LEN 0x0004 // content-length +#define HIF_CHK 0x0008 // transfer-encoding: chunked +#define HIF_NOB 0x0010 // head (no body in response) +#define HIF_NOF 0x0020 // no flush (chunked body follows) +#define HIF_V0 0x0040 // server response version 0 +#define HIF_V1 0x0080 // server response version 1 +#define HIF_ERR 0x0100 // flag error for deferred abort (at eoh) +#define HIF_PST 0x0200 // post (requires content-length or chunks) + +typedef struct { + uint32_t len; + uint16_t flags; + uint8_t msg; + uint8_t fsm; +} HiState; + +//-------------------------------------------------------------------- +// fsm stuff +//-------------------------------------------------------------------- + +typedef enum { + ACT_NOP, ACT_NOB, ACT_PST, + ACT_V0, ACT_V1, + ACT_REQ, ACT_RSP, + ACT_SHI, ACT_SHX, + ACT_LNB, ACT_LNC, ACT_LN0, + ACT_CHK, ACT_CK0 +} Action; + +typedef struct { + uint8_t state; + uint8_t event; + uint8_t match; + uint8_t other; + uint8_t action; +} HiFsm; + +#define EOL '\n' // \r is ignored +#define ANY '\0' // don't care +#define LWS ' ' // space or tab + +// these are just convenient jump points to the start +// of blocks; the states MUST match array index +#define Z0 (0) +#define Z1 (Z0+18) +#define Z2 (Z1+10) +#define Z3 (Z2+17) +#define Z4 (Z3+20) +#define Z5 (Z4+7) +#define Z6 (Z5+2) +#define Z7 (Z6+2) +#define Z8 (Z7+2) +#define Z9 (Z8+2) + +#define RSP_START_STATE Z0 +#define REQ_START_STATE Z1 +#define MSG_CHUNK_STATE Z6 + +static HiFsm hi_fsm[] = +{ + // http version starts response + { Z0+ 0, 'H', Z0+ 1, Z8 , ACT_NOP }, + { Z0+ 1, 'T', Z0+ 2, Z9 , ACT_NOP }, + { Z0+ 2, 'T', Z0+ 
3, Z9 , ACT_NOP }, + { Z0+ 3, 'P', Z0+ 4, Z9 , ACT_NOP }, + { Z0+ 4, '/', Z0+ 5, Z9 , ACT_NOP }, + { Z0+ 5, '1', Z0+ 6, Z9 , ACT_NOP }, + { Z0+ 6, '.', Z0+ 7, Z9 , ACT_NOP }, + { Z0+ 7, '0', Z0+ 9, Z0+ 8, ACT_V0 }, + { Z0+ 8, '1', Z0+ 9, Z9 , ACT_V1 }, + { Z0+ 9, LWS, Z0+10, Z9 , ACT_NOP }, + { Z0+10, LWS, Z0+10, Z0+11, ACT_NOP }, + { Z0+11, '1', Z0+16, Z0+12, ACT_NOB }, + { Z0+12, '2', Z0+14, Z0+13, ACT_NOP }, + { Z0+13, '3', Z0+14, Z0+16, ACT_NOP }, + { Z0+14, '0', Z0+15, Z0+16, ACT_NOP }, + { Z0+15, '4', Z0+17, Z0+16, ACT_NOB }, + { Z0+16, ANY, Z0+17, Z0+17, ACT_NOP }, + { Z0+17, LWS, Z9+ 0, Z0+16, ACT_RSP }, + + // head method signals no body in response + // post method must have content-length or chunks + { Z1+ 0, 'H', Z1+ 1, Z1+ 5, ACT_NOP }, + { Z1+ 1, 'E', Z1+ 2, Z9 , ACT_NOP }, + { Z1+ 2, 'A', Z1+ 3, Z9 , ACT_NOP }, + { Z1+ 3, 'D', Z1+ 4, Z9 , ACT_NOP }, + { Z1+ 4, LWS, Z9+ 0, Z9 , ACT_NOB }, + { Z1+ 5, 'P', Z1+ 6, Z2 , ACT_NOP }, + { Z1+ 6, 'O', Z1+ 7, Z9 , ACT_NOP }, + { Z1+ 7, 'S', Z1+ 8, Z9 , ACT_NOP }, + { Z1+ 8, 'T', Z1+ 9, Z9 , ACT_NOP }, + { Z1+ 9, LWS, Z9+ 0, Z9 , ACT_PST }, + + // content-length can be anywhere after 1st header + { Z2+ 0, 'C', Z2+ 1, Z3 , ACT_NOP }, + { Z2+ 1, 'O', Z2+ 2, Z9 , ACT_NOP }, + { Z2+ 2, 'N', Z2+ 3, Z9 , ACT_NOP }, + { Z2+ 3, 'T', Z2+ 4, Z9 , ACT_NOP }, + { Z2+ 4, 'E', Z2+ 5, Z9 , ACT_NOP }, + { Z2+ 5, 'N', Z2+ 6, Z9 , ACT_NOP }, + { Z2+ 6, 'T', Z2+ 7, Z9 , ACT_NOP }, + { Z2+ 7, '-', Z2+ 8, Z9 , ACT_NOP }, + { Z2+ 8, 'L', Z2+ 9, Z9 , ACT_NOP }, + { Z2+ 9, 'E', Z2+10, Z9 , ACT_NOP }, + { Z2+10, 'N', Z2+11, Z9 , ACT_NOP }, + { Z2+11, 'G', Z2+12, Z9 , ACT_NOP }, + { Z2+12, 'T', Z2+13, Z9 , ACT_NOP }, + { Z2+13, 'H', Z2+14, Z9 , ACT_NOP }, + { Z2+14, LWS, Z2+14, Z2+15, ACT_NOP }, + { Z2+15, ':', Z2+16, Z9 , ACT_NOP }, + { Z2+16, LWS, Z2+16, Z5 , ACT_LN0 }, + + // transfer-encoding can be anywhere after 1st header + { Z3+ 0, 'T', Z3+ 1, Z9 , ACT_NOP }, + { Z3+ 1, 'R', Z3+ 2, Z9 , ACT_NOP }, + { Z3+ 2, 'A', Z3+ 3, Z9 , 
ACT_NOP }, + { Z3+ 3, 'N', Z3+ 4, Z9 , ACT_NOP }, + { Z3+ 4, 'S', Z3+ 5, Z9 , ACT_NOP }, + { Z3+ 5, 'F', Z3+ 6, Z9 , ACT_NOP }, + { Z3+ 6, 'E', Z3+ 7, Z9 , ACT_NOP }, + { Z3+ 7, 'R', Z3+ 8, Z9 , ACT_NOP }, + { Z3+ 8, '-', Z3+ 9, Z9 , ACT_NOP }, + { Z3+ 9, 'E', Z3+10, Z9 , ACT_NOP }, + { Z3+10, 'N', Z3+11, Z9 , ACT_NOP }, + { Z3+11, 'C', Z3+12, Z9 , ACT_NOP }, + { Z3+12, 'O', Z3+13, Z9 , ACT_NOP }, + { Z3+13, 'D', Z3+14, Z9 , ACT_NOP }, + { Z3+14, 'I', Z3+15, Z9 , ACT_NOP }, + { Z3+15, 'N', Z3+16, Z9 , ACT_NOP }, + { Z3+16, 'G', Z3+17, Z9 , ACT_NOP }, + { Z3+17, LWS, Z3+17, Z3+18, ACT_NOP }, + { Z3+18, ':', Z3+19, Z9 , ACT_NOP }, + { Z3+19, LWS, Z3+19, Z4 , ACT_NOP }, + + // only recognized encoding + { Z4+ 0, 'C', Z4+ 1, Z9 , ACT_NOP }, + { Z4+ 1, 'H', Z4+ 2, Z9 , ACT_NOP }, + { Z4+ 2, 'U', Z4+ 3, Z9 , ACT_NOP }, + { Z4+ 3, 'N', Z4+ 4, Z9 , ACT_NOP }, + { Z4+ 4, 'K', Z4+ 5, Z9 , ACT_NOP }, + { Z4+ 5, 'E', Z4+ 6, Z9 , ACT_NOP }, + { Z4+ 6, 'D', Z9 , Z9 , ACT_CHK }, + + // extract decimal content length + { Z5+ 0, EOL, Z2 , Z5+ 1, ACT_LNB }, + { Z5+ 1, ANY, Z5 , Z5 , ACT_SHI }, + + // extract hex chunk length + { Z6+ 0, EOL, Z7 , Z6+ 1, ACT_LNC }, + { Z6+ 1, ANY, Z6 , Z6 , ACT_SHX }, + + // skip to end of line after chunk data + { Z7+ 0, EOL, Z6 , Z7+ 1, ACT_LN0 }, + { Z7+ 1, ANY, Z7 , Z7 , ACT_NOP }, + + // ignore empty lines before start of message + { Z8+ 0, LWS, Z0 , Z8+ 1, ACT_NOP }, + { Z8+ 1, EOL, Z0 , Z9+ 1, ACT_NOP }, + + // skip to end of line + { Z9+ 0, EOL, Z2 , Z9+ 1, ACT_NOP }, + { Z9+ 1, ANY, Z9 , Z9 , ACT_NOP } +}; + +//-------------------------------------------------------------------- +// actions +//-------------------------------------------------------------------- + +static inline int dton (int c) +{ + return c - '0'; +} + +static inline int xton (int c) +{ + if ( isdigit(c) ) + return c - '0'; + + if ( isupper(c) ) + return c - 'A' + 10; + + return c - 'a' + 10; +} + +static inline void hi_paf_event_post () +{ + SnortEventqAdd( + 
GENERATOR_SPP_HTTP_INSPECT_CLIENT, + HI_EO_CLIENT_UNBOUNDED_POST+1, 1, 0, 3, + HI_EO_CLIENT_UNBOUNDED_POST_STR, NULL); +} + +static inline void hi_paf_event_msg_size () +{ + SnortEventqAdd( + GENERATOR_SPP_HTTP_INSPECT, + HI_EO_CLISRV_MSG_SIZE_EXCEPTION+1, 1, 0, 3, + HI_EO_CLISRV_MSG_SIZE_EXCEPTION_STR, NULL); +} + +static inline PAF_Status hi_exec (HiState* s, Action a, int c) +{ + switch ( a ) + { + case ACT_NOP: + break; + case ACT_V0: + s->flags |= HIF_V0; + break; + case ACT_V1: + s->flags |= HIF_V1; + break; + case ACT_NOB: + s->flags |= HIF_NOB; + break; + case ACT_PST: + s->flags |= HIF_PST; + break; + case ACT_REQ: + s->flags |= HIF_REQ; + break; + case ACT_RSP: + s->flags |= HIF_RSP; + break; + case ACT_SHI: + if ( s->flags & HIF_ERR ) + break; + if ( isdigit(c) && (s->len < 429496728) ) + s->len = (10 * s->len) + dton(c); + else + { + hi_paf_event_msg_size(); + s->flags |= HIF_ERR; + } + break; + case ACT_SHX: + if ( s->flags & HIF_ERR ) + break; + if ( isxdigit(c) && !(s->len & 0xF8000000) ) + s->len = (s->len << 4) + xton(c); + else + { + hi_paf_event_msg_size(); + s->flags |= HIF_ERR; + return PAF_FLUSH; + } + break; + case ACT_LNB: + s->flags |= HIF_LEN; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: lnb=%u\n", __FUNCTION__, s->len);) + break; + case ACT_LNC: + s->flags |= HIF_LEN; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: lnc=%u\n", __FUNCTION__, s->len);) + if ( s->len ) + return PAF_SKIP; + s->flags &= ~HIF_NOF; + s->msg = 3; + break; + case ACT_LN0: + s->len = 0; + break; + case ACT_CHK: + s->flags |= HIF_CHK; + break; + case ACT_CK0: + s->flags |= HIF_NOF; + s->flags &= ~HIF_CHK; + s->fsm = MSG_CHUNK_STATE; + s->len = 0; + break; + } + return PAF_SEARCH; +} + +//-------------------------------------------------------------------- +// control +//-------------------------------------------------------------------- + +// this is the 2nd step of stateful scanning, which executes +// the fsm. 
+static PAF_Status hi_scan_fsm (HiState* s, int c) +{ + HiFsm* m = hi_fsm + s->fsm; +#ifdef HI_TRACE +#ifdef DEBUG_MSGS + uint8_t prev = s->fsm; +#endif +#endif + + if ( c == '\t' ) + c = LWS; + else + c = toupper(c); + + do + { + if ( !m->event || (m->event == c) ) + { + s->fsm = m->match; + break; + } + s->fsm = m->other; + m = hi_fsm + s->fsm; + } + while ( 1 ); + +#ifdef HI_TRACE + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%d[0x%2X, '%c'] -> %d,%d\n", + prev, c, isgraph(c) ? c : '.', m->action, s->fsm);) +#endif + + return hi_exec(s, m->action, c); +} + +static PAF_Status hi_eoh (HiState* s) +{ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: flags=0x%X, len=%u\n", __FUNCTION__, s->flags, s->len);) + + if ( (s->flags & HIF_PST) && + !(s->flags & (HIF_CHK|HIF_LEN)) ) + { + hi_paf_event_post(); + s->flags |= HIF_ERR; + } + if ( (s->flags & HIF_ERR) || + ((s->flags & HIF_NOB) && (s->flags & HIF_RSP)) + ) { + hi_exec(s, ACT_LN0, 0); + return PAF_FLUSH; + } + if ( s->flags & HIF_CHK ) + { + hi_exec(s, ACT_CK0, 0); + return PAF_SEARCH; + } + if ( (s->flags & (HIF_REQ|HIF_LEN)) ) + return PAF_FLUSH; + + if ( (s->flags & HIF_V1) && (s->flags & HIF_RSP) ) + { + hi_exec(s, ACT_LN0, 0); + hi_paf_event_msg_size(); + return PAF_FLUSH; + } + return PAF_ABORT; +} + +// http messages are scanned statefully, char-by-char, in +// two steps. this is the 1st step, which figures out +// end-of-line (eol) and end-of-headers (eoh) from the byte +// stream. also unfolds headers before fsm scanning. this +// simplified version ignores \r (in the spirit of send strict, +// recv tolerant, but it would only take 2 more states to check +// for \r). the 2nd step is hi_scan_fsm(). 
+static inline PAF_Status hi_scan_msg (HiState* s, int c, uint32_t* fp) +{ + PAF_Status paf = PAF_SEARCH; + + if ( c == '\r' ) + { + *fp = 0; + return paf; + } + switch ( s->msg ) + { + case 0: + if ( c == '\n' ) + { + if ( s->flags & HIF_NOF ) + paf = hi_scan_fsm(s, EOL); + else + s->msg = 1; + } + else + paf = hi_scan_fsm(s, c); + break; + + case 1: + if ( c == '\n' ) + { + hi_scan_fsm(s, EOL); + paf = hi_eoh(s); + } + else if ( c == ' ' || c == '\t' ) + { + // folding, just continue + paf = hi_scan_fsm(s, LWS); + } + else + { + paf = hi_scan_fsm(s, EOL); + + if ( paf == PAF_SEARCH ) + paf = hi_scan_fsm(s, c); + } + s->msg = 0; + break; + + case 3: + if ( c == '\n' ) + paf = hi_eoh(s); + else + s->msg = 4; + break; + + case 4: + if ( c == '\n' ) + s->msg = 3; + break; + } + if ( paf != PAF_SEARCH ) + { + *fp = s->len; + } + return paf; +} + +//-------------------------------------------------------------------- +// utility +//-------------------------------------------------------------------- + +static void hi_reset (HiState* s, uint32_t flags) +{ + s->len = s->msg = 0; + + if ( flags & PKT_FROM_CLIENT ) + { + s->fsm = REQ_START_STATE; + s->flags = HIF_REQ; + } + else + { + s->fsm = RSP_START_STATE ; + s->flags = HIF_RSP ; + } + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: fsm=%u, flags=0x%X\n", __FUNCTION__, s->fsm, s->flags);) +} + +// verify that HiFsm.state corresponds to array index +// HiFsm.state is used solely for this purpose. 
+static bool hi_check (void) +{ + int i = 0; + bool ok = true; + int max = sizeof(hi_fsm) / sizeof(hi_fsm[0]); + + while ( i < max ) + { + if ( hi_fsm[i].state != i ) + { + printf("FATAL: hi_fsm[%d].state = %d\n", i, hi_fsm[i].state); + ok = false; + } + i++; + } + return ok; +} + +// update flag on peer so head response doesn't expect body +static void hi_update_peer (HiState* s, void* ssn) +{ + void** pv; + const uint8_t head = (HIF_NOB | HIF_REQ); + + if ( (s->flags & head) != head ) + return; + + pv = stream_api->get_paf_user_data(ssn, 0); + + if ( !*pv ) + { + *pv = calloc(1, sizeof(HiState)); + + if ( *pv ) + hi_reset(*pv, 0); + } + + if ( !*pv ) + return; + + s = *pv; + s->flags |= HIF_NOB; +} + +//-------------------------------------------------------------------- +// callback for stateful scanning of in-order raw payload +//-------------------------------------------------------------------- + +static PAF_Status hi_paf ( + void* ssn, void** pv, const uint8_t* data, uint32_t len, + uint32_t flags, uint32_t* fp) +{ + HiState* hip = *pv; + PAF_Status paf = PAF_SEARCH; + + uint32_t n = 0; + *fp = 0; + + if ( !hip ) + { + // beware - we allocate here but s5 calls free() directly + // so no pointers allowed + hip = calloc(1, sizeof(HiState)); + + if ( !hip ) + return PAF_ABORT; + + *pv = hip; + + hi_reset(hip, flags); + } + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: len=%u\n", __FUNCTION__, len);) + + if ( hip->flags & HIF_ERR ) + return PAF_ABORT; + + if ( hi_cap && (hi_paf_bytes > hi_cap) ) + return PAF_ABORT; + + while ( n < len ) + { + // jump ahead to next linefeed when possible + if ( (hip->msg == 0) && (hip->fsm == Z9) ) + { + uint8_t* lf = memchr(data+n, '\n', len-n); + if ( !lf ) + { + n = len; + break; + } + n += (lf - (data + n)); + } + paf = hi_scan_msg(hip, data[n++], fp); + + if ( paf != PAF_SEARCH ) + { + if ( hip->flags & HIF_ERR ) + { + *fp = len; + break; + } + *fp += n; + + hi_update_peer(hip, ssn); + + if ( paf != PAF_SKIP ) + 
hi_reset(hip, flags); + break; + } + } + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: paf=%d, rfp=%u\n", __FUNCTION__, paf, *fp);) + + hi_paf_calls++; + hi_paf_bytes += n; + + return paf; +} + +//-------------------------------------------------------------------- +// public stuff +//-------------------------------------------------------------------- + +int hi_paf_register (uint16_t port, bool client, bool server, tSfPolicyId pid) +{ + if ( !ScPafEnabled() ) + return 0; + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: policy %u, port %u\n", __FUNCTION__, pid, port);) + + if ( !stream_api ) + return -1; + + if ( client ) + stream_api->register_paf_cb(pid, port, true, hi_paf, false); + + if ( server ) + stream_api->register_paf_cb(pid, port, false, hi_paf, false); + + return 0; +} + +//-------------------------------------------------------------------- + +bool hi_paf_init (uint32_t cap) +{ + assert( hi_check() ); + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: cap=%u\n", __FUNCTION__, cap);) + + hi_cap = cap; + + return true; +} + +void hi_paf_term (void) +{ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: calls=%u, bytes=%u\n", __FUNCTION__, + hi_paf_calls, hi_paf_bytes);) +} + diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_util_hbm.c snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_util_hbm.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_util_hbm.c 2010-01-26 10:10:20.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_util_hbm.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
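Review bot: A repeated Content-Length header in one message is accepted silently by hi_fsm/hi_exec: after ACT_LNB the parser returns to Z2, a second header re-enters Z5 and its value replaces the first, and when no whitespace follows the colon the ACT_LN0 reset at Z2+16 is never executed (hi_scan_fsm runs the action of the row it finally matches, here Z5+1/ACT_SHI), so the new digits are appended to the old value. Either way the flush point can differ from the length the endpoint acts on, which matters for a segmenter feeding an inspector; since hi_reset clears the flags per message, HIF_LEN already being set when ACT_LNB runs can only mean a second header, so I would route it to the existing deferred abort with `if ( s->flags & HIF_LEN ) s->flags |= HIF_ERR;` ahead of `s->flags |= HIF_LEN;` in `case ACT_LNB`. Separately, `*fp += n` in hi_paf can wrap: the ACT_SHI bound only keeps the digit accumulation itself below UINT32_MAX (s->len may reach 4294967279), so adding n overflows uint32_t and yields a small flush point; treating a length above a configured maximum as HIF_ERR in ACT_SHI, or saturating that addition, would close it. Also `assert( hi_check() )` in hi_paf_init compiles to nothing under NDEBUG, so the state/index consistency check of the table disappears in release builds; hi_paf_init already returns bool, so `if ( !hi_check() ) return false;` lets the caller see the failure.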
@@ -18,25 +18,29 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file hi_hbm.c -** +** ** @author Marc Norton <mnorton@sourcefire.com> -** +** ** @brief Implementation of a Horspool method of Boyer-Moore -** +** */ #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_hbm.h" #include "util.h" /* * * Boyer-Moore-Horspool for small pattern groups -* +* */ #ifndef WIN32 /* To avoid naming conflict, Win32 will use the hbm_prepx() in mwm.c */ int hbm_prepx(HBM_STRUCT *p, unsigned char * pat, int m) @@ -94,29 +98,29 @@ pat = px->P; bcShift= px->bcShift; - t = text + m1; - et = text + n; + t = text + m1; + et = text + n; /* Handle 1 Byte patterns - it's a faster loop */ /* if( !m1 ) { - for( ;t<et; t++ ) + for( ;t<et; t++ ) if( *t == *pat ) return t; return 0; } */ - + /* Handle MultiByte Patterns */ while( t < et ) { /* Scan Loop - Bad Character Shift */ - do + do { t += bcShift[*t]; if( t >= et )return 0;; - t += (k=bcShift[*t]); + t += (k=bcShift[*t]); if( t >= et )return 0; } while( k ); @@ -140,9 +144,9 @@ return q; NoMatch: - + /* Shift by 1, this replaces the good suffix shift */ - t++; + t++; } return 0; diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_util_kmap.c snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_util_kmap.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_util_kmap.c 2010-01-26 10:10:20.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_util_kmap.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,12 +18,12 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* * * kmap.c - a generic map library - maps key + data pairs -* -* Uses Lexical Keyword Trie +* +* Uses Lexical Keyword Trie * The tree uses linked lists to build the finite automata * * MapKeyFind(): Performs a setwise strcmp() equivalant. @@ -36,7 +36,7 @@ * and independent of the number of keys in the table. * May use more memory than a hash table, depends. * Memory is allocated as needed, so none is wasted. -* +* * Author: Marc Norton * */ @@ -45,12 +45,16 @@ #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "hi_util_kmap.h" #include "hi_util_xmalloc.h" //#define MEMASSERT(p) if(!p){printf("KMAP-No Memory: File: %s Line:%d!\n",__FILE__,__LINE__);exit(0);} -#define MEMASSERT(p) +#define MEMASSERT(p) #define LOWERCASE tolower /* @@ -59,11 +63,11 @@ static void * s_malloc( int n ) { void * p; - + p = xmalloc( n ); - + MEMASSERT(p); - + return p; } @@ -80,13 +84,13 @@ KMAP * KMapNew( KMapUserFreeFunc userfree ) { KMAP * km = (KMAP*) s_malloc( sizeof(KMAP) ); - + if( !km ) return 0; - - memset(km, 0, sizeof(KMAP)); - + + memset(km, 0, sizeof(KMAP)); + km->userfree = userfree; - + return km; } /* @@ -103,7 +107,7 @@ static int KMapFreeNodeList(KMAP * km ) { KEYNODE * k, *kold; - + for( k=km->keylist; k; ) { if( k->key ) @@ -112,13 +116,13 @@ } if( km->userfree && k->userdata ) { - km->userfree( k->userdata ); + km->userfree( k->userdata ); } kold = k; k = k->next; s_free(kold); } - + return 0; } /* @@ -130,14 +134,14 @@ { KMapFreeNode( km, r->sibling ); } - + if( r->child ) { KMapFreeNode( km, r->child ); } - + s_free( r ); -} +} /* * Free the KMAP and all of it's memory and nodes */ 
@@ -145,21 +149,21 @@ { KMAPNODE * r; int i; - + /* Free the tree - on root node at a time */ for(i=0;i<256;i++) { r = km->root[i]; if( r ) - { - KMapFreeNode(km,r); + { + KMapFreeNode(km,r); } km->root[i] = NULL; } - + /* Free the node list */ KMapFreeNodeList( km ); - + s_free(km); } @@ -176,26 +180,26 @@ } knode = (KEYNODE*) s_malloc( sizeof(KEYNODE) ); - + if( !knode ) { return 0; } - - memset(knode, 0, sizeof(KEYNODE) ); - + + memset(knode, 0, sizeof(KEYNODE) ); + knode->key = (unsigned char*)s_malloc(n); // Alloc the key space - if( !knode->key ) + if( !knode->key ) { free(knode); return 0; } - + memcpy(knode->key,key,n); // Copy the key knode->nkey = n; knode->userdata = userdata; - - if( km->keylist ) // Insert at front of list + + if( km->keylist ) // Insert at front of list { knode->next = km->keylist; km->keylist = knode; @@ -204,7 +208,7 @@ { km->keylist = knode; } - + return knode; } /* @@ -213,14 +217,14 @@ static KMAPNODE * KMapCreateNode(KMAP * km) { KMAPNODE * mn=(KMAPNODE*)s_malloc( sizeof(KMAPNODE) ); - + if(!mn) return NULL; - + memset(mn,0,sizeof(KMAPNODE)); - + km->nchars++; - + return mn; } @@ -243,26 +247,26 @@ unsigned char *P = (unsigned char *)key; KMAPNODE *root; unsigned char xkey[256]; - + if( n <= 0 ) { n = strlen( (char*) key ); if( n > (int)sizeof(xkey) ) return -99; } - + if( km->nocase ) { for(i=0;i<n;i++) xkey[i] = LOWERCASE( P[i] ); P = xkey; } - + /* Save key size */ ksize = n; - + //printf("adding key='%.*s'\n",n,P); - + /* Make sure we at least have a root character for the tree */ if( !km->root[ *P ] ) { @@ -271,13 +275,13 @@ return -1; km->root[ *P ] = root; root->nodechar = *P; - + }else{ - + root = km->root[ *P ]; } - - /* Walk exisitng Patterns */ + + /* Walk exisitng Patterns */ while( n ) { if( root->nodechar == *P ) @@ -287,12 +291,12 @@ n--; if( n && root->child ) { - root=root->child; + root=root->child; } else /* cannot continue */ { type = 0; /* Expand the tree via the child */ - break; + break; } } else 
@@ -304,13 +308,13 @@ else /* cannot continue */ { type = 1; /* Expand the tree via the sibling */ - break; + break; } } } - - - /* + + + /* * Add the next char of the Keyword, if any */ if( n ) @@ -318,7 +322,7 @@ if( type == 0 ) { /* - * Start with a new child to finish this Keyword + * Start with a new child to finish this Keyword */ //printf("added child branch nodechar = %c \n",*P); root->child= KMapCreateNode( km ); @@ -330,9 +334,9 @@ n--; } else - { + { /* - * Start a new sibling bracnch to finish this Keyword + * Start a new sibling bracnch to finish this Keyword */ //printf("added sibling branch nodechar = %c \n",*P); root->sibling= KMapCreateNode( km ); @@ -344,7 +348,7 @@ n--; } } - + /* * Finish the keyword as child nodes */ @@ -359,24 +363,24 @@ P++; n--; } - - /* - * Iteration support - Add this key/data to the linked list - * This allows us to do a findfirst/findnext search of + + /* + * Iteration support - Add this key/data to the linked list + * This allows us to do a findfirst/findnext search of * all map nodes. */ if( root->knode ) /* Already present */ return 1; - + root->knode = KMapAddKeyNode( km, key, ksize, userdata ); if( !root->knode ) return -1; - + return 0; } /* -* Exact Keyword Match - unique keys, with just one piece of +* Exact Keyword Match - unique keys, with just one piece of * 'userdata' , for multiple entries, we could use a list * of 'userdata' nodes. */ @@ -386,27 +390,27 @@ KMAPNODE * root; unsigned char xkey[256]; int i; - + if( n <= 0 ) { n = strlen( (char*)key ); if( n > (int)sizeof(xkey) ) return 0; - + } if( ks->nocase ) { for(i=0;i<n;i++) xkey[i] = LOWERCASE( T[i] ); - + T = xkey; } //printf("finding key='%.*s'\n",n,T); - + /* Check if any keywords start with this character */ root = ks->root[ *T ]; if( !root ) return NULL; - + while( n ) { if( root->nodechar == *T ) 
@@ -415,11 +419,11 @@ n--; if( n && root->child ) { - root = root->child; + root = root->child; } else /* cannot continue -- match is over */ { - break; + break; } } else @@ -430,17 +434,17 @@ } else /* cannot continue */ { - break; + break; } } } - + if( !n ) { if (root && root->knode) return root->knode->userdata; /* success */ } - + return NULL; } /* @@ -449,12 +453,12 @@ KEYNODE * KMapFindFirstKey( KMAP * km ) { km->keynext = km->keylist; - + if(!km->keynext) { return NULL; } - + return km->keynext; } /* @@ -463,12 +467,12 @@ void * KMapFindFirst( KMAP * km ) { km->keynext = km->keylist; - + if(!km->keynext) { return NULL; } - + return km->keynext->userdata; } /* @@ -478,12 +482,12 @@ { if( !km->keynext ) return 0; - - km->keynext = km->keynext->next; - + + km->keynext = km->keynext->next; + if( !km->keynext ) return 0; - + return km->keynext; } /* @@ -493,12 +497,12 @@ { if( !km->keynext ) return 0; - - km->keynext = km->keynext->next; - + + km->keynext = km->keynext->next; + if( !km->keynext ) return 0; - + return km->keynext->userdata; } @@ -512,18 +516,18 @@ KMAP * km; char * p; char str[80]; - + printf("usage: kmap nkeys (default=10)\n\n"); - + km = KMapNew( free ); /* use 'free' to free 'userdata' */ - + KMapSetNoCase(km,1); //need to add xlat.... - + if( argc > 1 ) { n = atoi(argv[1]); } - + for(i=1;i<=n;i++) { SnortSnprintf(str, sizeof(str), "KeyWord%d",i); @@ -531,7 +535,7 @@ printf("Adding Key=%s\n",str); } printf("xmem: %u bytes, %d chars\n",xmalloc_bytes(),km->nchars); - + printf("\nKey Find test...\n"); for(i=1;i<=n;i++) { @@ -540,7 +544,7 @@ if(p)printf("key=%s, data=%*s\n",str,strlen(str),p); else printf("'%s' NOT found.\n",str); } - + KMapSetNoCase(km,0); // this should fail all key searches printf("\nKey Find test2...\n"); for(i=1;i<=n;i++) 
@@ -550,19 +554,19 @@ if(p)printf("key=%s, data=%*s\n",str,strlen(str),p); else printf("'%s' NOT found.\n",str); } - + printf("\nKey FindFirst/Next test...\n"); for(p = (char*) KMapFindFirst(km); p; p=(char*)KMapFindNext(km) ) printf("data=%s\n",p); - + printf("\nKey FindFirst/Next test done.\n"); - + KMapDelete( km ); - + printf("xmem: %u bytes\n",xmalloc_bytes()); - + printf("normal pgm finish.\n"); - + return 0; } diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c 2010-01-26 10:10:20.000000000 -0800 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c 2011-06-07 17:33:19.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* ** util.c */ @@ -28,6 +28,10 @@ #include <time.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + //#define MDEBUG static unsigned msize=0; @@ -78,14 +82,14 @@ msize -= *q; free(q); - + #else - + free(p); #endif - + } void xshowmem(void) 
@@ -97,14 +101,19 @@ char *xstrdup(const char *str) { - char *data = (char *)xmalloc( strlen(str) + 1 ); - + int data_size; + char *data = NULL; + + data_size = strlen(str) + 1; + data = (char *)xmalloc(data_size); + if(data == NULL) { return NULL; } - strcpy(data,str); + strncpy(data, str, data_size - 1); + data[data_size - 1] = '\0'; return data; } diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/Makefile.am snort-2.9.2/src/preprocessors/HttpInspect/utils/Makefile.am --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/Makefile.am 2010-06-23 21:06:10.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/Makefile.am 2011-06-07 17:33:19.000000000 -0700 @@ -2,9 +2,11 @@ noinst_LIBRARIES = libhi_utils.a -libhi_utils_a_SOURCES = hi_util_kmap.c \ +libhi_utils_a_SOURCES = \ +hi_util_kmap.c \ hi_util_xmalloc.c \ hi_util_hbm.c \ -hi_cmd_lookup.c +hi_cmd_lookup.c \ +hi_paf.c INCLUDES = @INCLUDES@ diff -Nru snort-2.9.0.1/src/preprocessors/HttpInspect/utils/Makefile.in snort-2.9.2/src/preprocessors/HttpInspect/utils/Makefile.in --- snort-2.9.0.1/src/preprocessors/HttpInspect/utils/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/preprocessors/HttpInspect/utils/Makefile.in 2011-12-07 11:23:22.000000000 -0800 @@ -51,7 +51,7 @@ libhi_utils_a_LIBADD = am_libhi_utils_a_OBJECTS = hi_util_kmap.$(OBJEXT) \ hi_util_xmalloc.$(OBJEXT) hi_util_hbm.$(OBJEXT) \ - hi_cmd_lookup.$(OBJEXT) + hi_cmd_lookup.$(OBJEXT) hi_paf.$(OBJEXT) libhi_utils_a_OBJECTS = $(am_libhi_utils_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = @@ -79,7 +79,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -94,6 +96,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
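Review bot: `int data_size = strlen(str) + 1` narrows size_t to int, and the strncpy with `data_size - 1` plus a manual terminator is no safer than the strcpy it replaces — the buffer is sized to the source, so the only effect is a sign hazard if the narrowed value ever goes negative. Keep the size unsigned and copy the terminator with the data: `size_t data_size = strlen(str) + 1;` then `memcpy(data, str, data_size);` after the NULL check. The function also dereferences `str` before anything is checked; whether a NULL can reach it depends on callers outside this hunk.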
@@ -130,13 +133,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -196,10 +205,12 @@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies noinst_LIBRARIES = libhi_utils.a -libhi_utils_a_SOURCES = hi_util_kmap.c \ +libhi_utils_a_SOURCES = \ +hi_util_kmap.c \ hi_util_xmalloc.c \ hi_util_hbm.c \ -hi_cmd_lookup.c +hi_cmd_lookup.c \ +hi_paf.c all: all-am diff -Nru snort-2.9.0.1/src/preprocessors/Makefile.am snort-2.9.2/src/preprocessors/Makefile.am --- snort-2.9.0.1/src/preprocessors/Makefile.am 2010-06-09 15:05:21.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Makefile.am 2011-10-26 11:28:52.000000000 -0700 @@ -11,7 +11,7 @@ libspp_a_SOURCES = spp_arpspoof.c spp_arpspoof.h spp_bo.c spp_bo.h \ spp_rpc_decode.c spp_rpc_decode.h \ -stream_ignore.c stream_ignore.h \ +stream_expect.c stream_expect.h \ spp_perfmonitor.c spp_perfmonitor.h \ perf.c perf.h \ perf-base.c perf-base.h \ diff -Nru snort-2.9.0.1/src/preprocessors/Makefile.in snort-2.9.2/src/preprocessors/Makefile.in --- snort-2.9.0.1/src/preprocessors/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Makefile.in 2011-12-07 11:23:22.000000000 -0800 
@@ -50,8 +50,8 @@ libspp_a_AR = $(AR) $(ARFLAGS) libspp_a_LIBADD = am__libspp_a_SOURCES_DIST = spp_arpspoof.c spp_arpspoof.h spp_bo.c \ - spp_bo.h spp_rpc_decode.c spp_rpc_decode.h stream_ignore.c \ - stream_ignore.h spp_perfmonitor.c spp_perfmonitor.h perf.c \ + spp_bo.h spp_rpc_decode.c spp_rpc_decode.h stream_expect.c \ + stream_expect.h spp_perfmonitor.c spp_perfmonitor.h perf.c \ perf.h perf-base.c perf-base.h perf-flow.c perf-flow.h \ perf-event.c perf-event.h sfprocpidstats.c sfprocpidstats.h \ spp_httpinspect.c spp_httpinspect.h snort_httpinspect.c \ @@ -62,7 +62,7 @@ normalize.h @BUILD_PROCPIDSTATS_TRUE@am__objects_1 = sfprocpidstats.$(OBJEXT) am_libspp_a_OBJECTS = spp_arpspoof.$(OBJEXT) spp_bo.$(OBJEXT) \ - spp_rpc_decode.$(OBJEXT) stream_ignore.$(OBJEXT) \ + spp_rpc_decode.$(OBJEXT) stream_expect.$(OBJEXT) \ spp_perfmonitor.$(OBJEXT) perf.$(OBJEXT) perf-base.$(OBJEXT) \ perf-flow.$(OBJEXT) perf-event.$(OBJEXT) $(am__objects_1) \ spp_httpinspect.$(OBJEXT) snort_httpinspect.$(OBJEXT) \ @@ -135,7 +135,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -150,6 +152,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -186,13 +189,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -256,7 +265,7 @@ @BUILD_PROCPIDSTATS_TRUE@PROCPIDSTATS_SOURCE = sfprocpidstats.c sfprocpidstats.h libspp_a_SOURCES = spp_arpspoof.c spp_arpspoof.h spp_bo.c spp_bo.h \ spp_rpc_decode.c spp_rpc_decode.h \ -stream_ignore.c stream_ignore.h \ +stream_expect.c stream_expect.h \ spp_perfmonitor.c spp_perfmonitor.h \ perf.c perf.h \ perf-base.c perf-base.h \ diff -Nru snort-2.9.0.1/src/preprocessors/normalize.c snort-2.9.2/src/preprocessors/normalize.c --- snort-2.9.0.1/src/preprocessors/normalize.c 2011-12-28 14:36:52.000000000 -0800 +++ snort-2.9.2/src/preprocessors/normalize.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -27,14 +27,18 @@ #endif #include <string.h> +#ifdef HAVE_DUMBNET_H #include <dumbnet.h> +#else +#include <dnet.h> +#endif #include "normalize.h" #include "perf.h" #include "sfdaq.h" typedef enum { - PC_IP4_RESZ, + PC_IP4_TRIM, PC_IP4_TOS, PC_IP4_DF, PC_IP4_RF, 
@@ -59,7 +63,7 @@ } PegCounts; static const char* pegName[PC_MAX] = { - "ip4::resize", + "ip4::trim", "ip4::tos", "ip4::df", "ip4::rf", @@ -72,7 +76,7 @@ "icmp6::echo", #endif "tcp::syn_opt", - "tcp::tsecr", + "tcp::ts_ecr", "tcp::opt", "tcp::pad", "tcp::rsv", @@ -118,6 +122,10 @@ p->packet_flags |= PKT_MODIFIED; return 1; } + if ( p->packet_flags & PKT_RESIZED ) + { + return 1; + } return 0; } @@ -145,27 +153,39 @@ #define IP4_FLAG_DF 0x4000 #define IP4_FLAG_MF 0x2000 +// TBD support configurable minimum length / obtain from DAQ +// ether header + min payload (excludes FCS, which makes it 64 total) +#define ETH_MIN_LEN 60 + static int Norm_IP4 ( - NormalizerContext* c, Packet * p, uint8_t layer, int changes) + NormalizerContext* c, Packet * p, uint8_t layer, int changes) { IPHdr* h = (IPHdr*)(p->layers[layer].start); uint16_t fragbits = ntohs(h->ip_off); uint16_t origbits = fragbits; - if ( layer == 1 && - (p->layers[0].length + ntohs(h->ip_len) < p->pkth->pktlen) - ) { - p->packet_flags |= PKT_RESIZED; - normStats[PC_IP4_RESZ]++; - sfBase.iPegs[PERF_COUNT_IP4_RESZ]++; - changes++; + if ( Norm_IsEnabled(c, NORM_IP4_TRIM) && (layer == 1) ) + { + uint32_t len = p->layers[0].length + ntohs(h->ip_len); + + if ( (len < p->pkth->pktlen) && + ( (len >= ETH_MIN_LEN) || (p->pkth->pktlen > ETH_MIN_LEN) ) + ) { + ((DAQ_PktHdr_t*)p->pkth)->pktlen = (len < ETH_MIN_LEN) ? ETH_MIN_LEN : len; + p->packet_flags |= PKT_RESIZED; + normStats[PC_IP4_TRIM]++; + sfBase.iPegs[PERF_COUNT_IP4_TRIM]++; + } } - if ( h->ip_tos ) + if ( Norm_IsEnabled(c, NORM_IP4_TOS) ) { - h->ip_tos = 0; - normStats[PC_IP4_TOS]++; - sfBase.iPegs[PERF_COUNT_IP4_TOS]++; - changes++; + if ( h->ip_tos ) + { + h->ip_tos = 0; + normStats[PC_IP4_TOS]++; + sfBase.iPegs[PERF_COUNT_IP4_TOS]++; + changes++; + } } #if 0 if ( Norm_IsEnabled(c, NORM_IP4_ID) ) 
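Review bot: The trim branch in the `@@ -145` hunk writes `pktlen` through `((DAQ_PktHdr_t*)p->pkth)`, which looks like a cast that discards a qualifier on `pkth`; a one-line comment such as `// pkth is written here on purpose: trim only shortens the capture length` would record why that is acceptable, and an accessor without the cast would be preferable if the packet type allows it. Unlike the TOS branch, the trim branch sets PKT_RESIZED instead of incrementing `changes`; the `@@ -118` hunk in this file returns 1 when PKT_RESIZED is set, so the outcome appears consistent, but the asymmetry deserves a comment, e.g. `// signalled via PKT_RESIZED rather than changes: the packet bytes are untouched`. `ETH_MIN_LEN` is Ethernet-specific while the guard only tests `layer == 1`; if layer 0 can be a non-Ethernet link layer the 60-byte floor would be wrong, which the `TBD` comment partly anticipates. Norm_IP4's body continues outside the hunk.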
@@ -243,7 +263,7 @@ #ifdef SUP_IP6 static int Norm_IP6 ( - NormalizerContext* c, Packet * p, uint8_t layer, int changes) + NormalizerContext* c, Packet * p, uint8_t layer, int changes) { IP6RawHdr* h = (IP6RawHdr*)(p->layers[layer].start); @@ -294,7 +314,7 @@ #define IP6_OPT_PAD_N 1 static int Norm_IP6_Opts ( - NormalizerContext* c, Packet * p, uint8_t layer, int changes) + NormalizerContext* c, Packet * p, uint8_t layer, int changes) { uint8_t* b = p->layers[layer].start; ExtOpt* x = (ExtOpt*)b; @@ -323,7 +343,7 @@ //----------------------------------------------------------------------- -static INLINE void NopDaOpt (uint8_t* opt, uint8_t len) +static inline void NopDaOpt (uint8_t* opt, uint8_t len) { memset(opt, TCPOPT_NOP, len); } @@ -331,7 +351,7 @@ #define TS_ECR_OFFSET 6 #define TS_ECR_LENGTH 4 -static INLINE int Norm_TCPOptions ( +static inline int Norm_TCPOptions ( NormalizerContext* context, uint8_t* opts, size_t len, const TCPHdr* h, uint8_t numOpts, int changes) { @@ -399,7 +419,7 @@ return changes; } -static INLINE int Norm_TCPPadding ( +static inline int Norm_TCPPadding ( uint8_t* opts, size_t len, uint8_t numOpts, int changes) { size_t i = 0; @@ -467,7 +487,7 @@ sfBase.iPegs[PERF_COUNT_TCP_URP]++; changes++; } - else if ( Norm_IsEnabled(c, NORM_TCP_URP) && + else if ( Norm_IsEnabled(c, NORM_TCP_URP) && (ntohs(h->th_urp) > p->dsize) ) { h->th_urp = ntohs(p->dsize); @@ -511,7 +531,7 @@ for ( i = 0; i < PC_MAX; i++ ) { // for now, 23 aligns with frag3 - LogMessage("%23s: %lu\n", pegName[i], normStats[i]); + LogMessage("%23s: " STDu64 "\n", pegName[i], normStats[i]); } } 
@@ -539,6 +559,15 @@ { nc->normalizers[PROTO_IP4] = Norm_IP4; } + if ( Norm_IsEnabled(nc, NORM_IP4_TRIM) ) + { + if ( !DAQ_CanInject() ) + { + LogMessage("WARNING: normalize_ip4: trim disabled since DAQ " + "can't inject packets.\n"); + Norm_Disable(nc, NORM_IP4_TRIM); + } + } if ( Norm_IsEnabled(nc, NORM_ICMP4) ) { nc->normalizers[PROTO_ICMP4] = Norm_ICMP4; diff -Nru snort-2.9.0.1/src/preprocessors/normalize.h snort-2.9.2/src/preprocessors/normalize.h --- snort-2.9.0.1/src/preprocessors/normalize.h 2010-08-25 13:22:46.000000000 -0700 +++ snort-2.9.2/src/preprocessors/normalize.h 2011-06-07 17:33:16.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
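Review bot: The nested `if` pair added for NORM_IP4_TRIM can be a single guard, `if ( Norm_IsEnabled(nc, NORM_IP4_TRIM) && !DAQ_CanInject() )`, matching the flat style of the surrounding `Norm_IsEnabled` checks. The warning text is useful, but a brief comment stating why trim depends on inject capability (presumably the shortened packet has to be re-emitted by the DAQ) would help the next reader, e.g. `// trim rewrites pktlen; only meaningful when the DAQ can inject the shortened packet`. The enclosing function starts and ends outside the hunk.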
@@ -48,34 +48,34 @@ int Norm_SetConfig(NormalizerContext*); int Norm_Packet(NormalizerContext*, Packet*); -static INLINE void Norm_Enable(NormalizerContext* nc, NormFlags nf) +static inline void Norm_Enable(NormalizerContext* nc, NormFlags nf) { nc->normalizer_flags |= nf; } -static INLINE void Norm_Disable(NormalizerContext* nc, NormFlags nf) +static inline void Norm_Disable(NormalizerContext* nc, NormFlags nf) { nc->normalizer_flags &= ~nf; } -static INLINE int Norm_IsEnabled(const NormalizerContext* nc, NormFlags nf) +static inline int Norm_IsEnabled(const NormalizerContext* nc, NormFlags nf) { return ( (nc->normalizer_flags & nf) != 0 ); } -static INLINE void Norm_TcpPassOption(NormalizerContext* nc, uint8_t opt) +static inline void Norm_TcpPassOption(NormalizerContext* nc, uint8_t opt) { uint8_t byte = (opt >> 3), bit = (1 << (opt & 0x07)); nc->normalizer_options[byte] |= bit; } -static INLINE void Norm_TcpDropOption(NormalizerContext* nc, uint8_t opt) +static inline void Norm_TcpDropOption(NormalizerContext* nc, uint8_t opt) { uint8_t byte = (opt >> 3), bit = (1 << (opt & 0x07)); nc->normalizer_options[byte] &= ~bit; } -static INLINE int Norm_TcpIsOptional(const NormalizerContext* nc, uint8_t opt) +static inline int Norm_TcpIsOptional(const NormalizerContext* nc, uint8_t opt) { uint8_t byte = (opt >> 3), bit = (1 << (opt & 0x07)); return ( (nc->normalizer_options[byte] & bit) != 0 ); diff -Nru snort-2.9.0.1/src/preprocessors/perf-base.c snort-2.9.2/src/preprocessors/perf-base.c --- snort-2.9.0.1/src/preprocessors/perf-base.c 2010-08-25 13:22:46.000000000 -0700 +++ snort-2.9.2/src/preprocessors/perf-base.c 2011-10-26 11:28:52.000000000 -0700 @@ -3,7 +3,7 @@ ** ** perf-base.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** 
@@ -28,7 +28,7 @@ ** takes in processing packets. The times measured are ** kernel and user time for the process. Real-time ** (wall clock) is also measured to show when processing -** has reached capacity and to measure the true processing +** has reached capacity and to measure the true processing ** that the app is currently doing. ** ** NOTES @@ -51,6 +51,11 @@ #include <stdio.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort.h" #include "util.h" #include "mpse.h" @@ -72,10 +77,10 @@ ** ** FORMAL INPUTS ** SFBASE * -- pointer to structure to initialize -** +** ** FORMAL OUTPUTS ** int -- 0 is successful -*/ +*/ int InitBaseStats(SFBASE *sfBase) { int todRet = -1; @@ -86,18 +91,11 @@ struct rusage rusage; int rusageRet = -1; #endif - -#ifdef LINUX_SMP - static int first_time = 0; - if(!first_time) - { - sfInitProcPidStats(&(sfBase->sfProcPidStats)); - first_time = 1; - } +#ifdef LINUX_SMP todRet = gettimeofday(&tvTime, NULL); #else - + rusageRet = getrusage(RUSAGE_SELF, &rusage); todRet = gettimeofday(&tvTime, NULL); @@ -132,6 +130,7 @@ } sfBase->total_blocked_packets = 0; + sfBase->total_injected_packets = 0; sfBase->total_wire_packets = 0; sfBase->total_ipfragmented_packets = 0; sfBase->total_ipreassembled_packets = 0; @@ -160,7 +159,7 @@ //sfBase->iSessionsInitializing = 0; //sfBase->iSessionsEstablished = 0; //sfBase->iSessionsClosing = 0; - + sfBase->iFragCreates = 0; sfBase->iFragCompletes = 0; sfBase->iFragInserts = 0; @@ -190,6 +189,10 @@ sfBase->total_tcp_filtered_packets = 0; sfBase->total_udp_filtered_packets = 0; + + sfBase->frag3_mem_in_use = 0; + sfBase->stream5_mem_in_use = 0; + return 0; } 
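Review bot: In the `@@ -51` hunk `config.h` is included after `<stdio.h>` and `<sys/types.h>`; a generated config header usually carries feature-test macros (for example `_GNU_SOURCE` or `_FILE_OFFSET_BITS`) that only take effect when they precede the first system header, so the `#ifdef HAVE_CONFIG_H` block belongs above those two includes. Moving the five added lines to the top of the include list is the only change needed.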
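Review bot: The `@@ -86` hunk removes the one-shot `sfInitProcPidStats(&(sfBase->sfProcPidStats))` call from InitBaseStats under LINUX_SMP, and nothing in this chunk shows where that initialisation now happens; if it moved to a caller, a comment at the `#ifdef LINUX_SMP` line such as `/* sfProcPidStats is initialised by the caller, not here */` would keep a later reader from re-adding it. If it was not moved, the per-CPU statistics that LogBasePerfStats later reads from `sfProcPidStats` would be uninitialised on SMP builds. InitBaseStats's body continues outside the hunk.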
@@ -231,17 +234,17 @@ ** ** Even if the actual data is only 40 bytes per packet (ie, an empty ** TCP ACK), wire data is still 64 bytes per packet, even though actual -** packet size is 40 bytes. Bandwith drops to 480 Mbits. +** packet size is 40 bytes. Bandwith drops to 480 Mbits. ** ** This explains why when a network goes over 50% capactiy you are closer to -** the edge than you realize, depending on the traffic profile. At 75% you +** the edge than you realize, depending on the traffic profile. At 75% you ** are at the limit of your network, if you can get there. ** ** iRebuiltPkt determines whether the packet is rebuilt or not. We keep ** separate statistics between wire pkts and rebuilt pkts. ** */ -int UpdateBaseStats(SFBASE *sfBase, int len, int iRebuiltPkt) +int UpdateBaseStats(SFBASE *sfBase, uint32_t len, int iRebuiltPkt) { /* If rebuilt, count info for TCP rebuilt packet */ if(iRebuiltPkt) @@ -278,18 +281,20 @@ ** FORMAL OUTPUTS ** none */ -void UpdateWireStats(SFBASE *sfBase, int len, int dropped) +void UpdateWireStats(SFBASE *sfBase, int len, int dropped, int inject) { sfBase->total_wire_packets++; len += 4; /* for the CRC */ sfBase->total_wire_bytes += len; - + if( dropped ) { sfBase->total_blocked_packets++; sfBase->total_blocked_bytes += len; } + if ( inject ) + sfBase->total_injected_packets++; } void UpdateMPLSStats(SFBASE *sfBase, int len, int dropped) @@ -299,7 +304,7 @@ len += 4; /* for the CRC */ sfBase->total_mpls_bytes += len; - + if( dropped ) { sfBase->total_blocked_mpls_packets++; @@ -387,7 +392,7 @@ */ int AddStreamSession(SFBASE *sfBase, uint32_t flags) -{ +{ sfBase->iTotalSessions++; sfBase->iNewSessions++; @@ -466,7 +471,7 @@ ** int - 0 is successful */ int AddUDPSession(SFBASE *sfBase) -{ +{ sfBase->iTotalUDPSessions++; sfBase->iNewUDPSessions++; @@ -523,7 +528,7 @@ if( console ) DisplayBasePerfStatsConsole(&sfBaseStats, perfmon_config->base_flags); - + if( file ) LogBasePerfStats(&sfBaseStats, fh ); 
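Review bot: UpdateWireStats keeps `int len` in the `@@ -278` hunk while UpdateBaseStats in the `@@ -231` hunk is widened to `uint32_t len` by the same commit; `len += 4` and `total_wire_bytes += len` on a signed `int` would subtract from the totals if a negative length ever arrived, so `void UpdateWireStats(SFBASE *sfBase, uint32_t len, int dropped, int inject)` (with the matching prototype in the header) keeps the two counters consistent. UpdateMPLSStats, visible just below the hunk, has the same `int len`. Style: the new `if ( inject )` is unbraced while the adjacent `if( dropped )` is braced; `if ( inject ) { sfBase->total_injected_packets++; }` keeps the function uniform.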
@@ -570,16 +575,16 @@ return todRet; } - Systimes->realtime = ((double)tvTime.tv_sec + + Systimes->realtime = ((double)tvTime.tv_sec + ((double)tvTime.tv_usec * 1.0e-6)) - sfBase->realtime_sec; return 0; } -int GetEventsPerSecond(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, +int GetEventsPerSecond(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, SYSTIMES *Systimes) { - sfBaseStats->alerts_per_second = + sfBaseStats->alerts_per_second = (double)(pc.alert_pkts - sfBase->iAlerts) / Systimes->realtime; sfBase->iAlerts = pc.alert_pkts; 
@@ -587,36 +592,36 @@ sfBaseStats->total_sessions = sfBase->iTotalSessions; sfBaseStats->max_sessions = sfBase->iMaxSessions; - sfBaseStats->syns_per_second = + sfBaseStats->syns_per_second = (double)(sfBase->iSyns) / Systimes->realtime; - sfBaseStats->synacks_per_second = + sfBaseStats->synacks_per_second = (double)(sfBase->iSynAcks) / Systimes->realtime; - sfBaseStats->deleted_sessions_per_second = + sfBaseStats->deleted_sessions_per_second = (double)(sfBase->iDeletedSessions) / Systimes->realtime; - sfBaseStats->new_sessions_per_second = + sfBaseStats->new_sessions_per_second = (double)(sfBase->iNewSessions) / Systimes->realtime; - sfBaseStats->tcp_sessions_midstream_per_second = + sfBaseStats->tcp_sessions_midstream_per_second = (double)(sfBase->iMidStreamSessions) / Systimes->realtime; - sfBaseStats->tcp_sessions_closed_per_second = + sfBaseStats->tcp_sessions_closed_per_second = (double)(sfBase->iClosedSessions) / Systimes->realtime; - sfBaseStats->tcp_sessions_timedout_per_second = + sfBaseStats->tcp_sessions_timedout_per_second = (double)(sfBase->iStreamTimeouts) / Systimes->realtime; - sfBaseStats->tcp_sessions_pruned_per_second = + sfBaseStats->tcp_sessions_pruned_per_second = (double)(sfBase->iPrunedSessions) / Systimes->realtime; - sfBaseStats->tcp_sessions_dropped_async_per_second = + sfBaseStats->tcp_sessions_dropped_async_per_second = (double)(sfBase->iDroppedAsyncSessions) / Systimes->realtime; sfBaseStats->max_tcp_sessions_interval = sfBase->iMaxSessionsInterval; - sfBaseStats->stream_flushes_per_second = + sfBaseStats->stream_flushes_per_second = (double)sfBase->iStreamFlushes / Systimes->realtime; sfBaseStats->stream_faults = sfBase->iStreamFaults; 
@@ -624,23 +629,23 @@ sfBaseStats->curr_tcp_sessions_initializing = sfBase->iSessionsInitializing; sfBaseStats->curr_tcp_sessions_established = sfBase->iSessionsEstablished; sfBaseStats->curr_tcp_sessions_closing = sfBase->iSessionsClosing; - - sfBaseStats->frag_creates_per_second = + + sfBaseStats->frag_creates_per_second = (double)sfBase->iFragCreates / Systimes->realtime; - - sfBaseStats->frag_completes_per_second = + + sfBaseStats->frag_completes_per_second = (double)sfBase->iFragCompletes / Systimes->realtime; - - sfBaseStats->frag_inserts_per_second = + + sfBaseStats->frag_inserts_per_second = (double)sfBase->iFragInserts / Systimes->realtime; - - sfBaseStats->frag_deletes_per_second = + + sfBaseStats->frag_deletes_per_second = (double)sfBase->iFragDeletes / Systimes->realtime; - - sfBaseStats->frag_autofrees_per_second = + + sfBaseStats->frag_autofrees_per_second = (double)sfBase->iFragAutoFrees / Systimes->realtime; - - sfBaseStats->frag_flushes_per_second = + + sfBaseStats->frag_flushes_per_second = (double)sfBase->iFragFlushes / Systimes->realtime; sfBaseStats->max_frags = sfBase->iMaxFrags; @@ -656,7 +661,7 @@ sfBase->iStreamFlushes = 0; sfBase->iStreamFaults = 0; sfBase->iStreamTimeouts = 0; - + sfBase->iFragCreates = 0; sfBase->iFragCompletes = 0; sfBase->iFragInserts = 0; @@ -676,15 +681,15 @@ sfBaseStats->total_udp_sessions = sfBase->iTotalUDPSessions; sfBaseStats->max_udp_sessions = sfBase->iMaxUDPSessions; - sfBaseStats->deleted_udp_sessions_per_second = + sfBaseStats->deleted_udp_sessions_per_second = (double)(sfBase->iDeletedUDPSessions) / Systimes->realtime; - sfBaseStats->new_udp_sessions_per_second = + sfBaseStats->new_udp_sessions_per_second = (double)(sfBase->iNewUDPSessions) / Systimes->realtime; sfBase->iNewUDPSessions = 0; sfBase->iDeletedUDPSessions = 0; - + sfBase->iMaxSessionsInterval = sfBase->iTotalSessions; sfBase->iMidStreamSessions = 0; sfBase->iClosedSessions = 0; 
@@ -693,110 +698,110 @@ return 0; } - + int GetPacketsPerSecond(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, SYSTIMES *Systimes) { - sfBaseStats->kpackets_per_sec.realtime = + sfBaseStats->kpackets_per_sec.realtime = (double)((double)sfBase->total_packets / 1000) / Systimes->realtime; if(perfmon_config->base_flags & MAX_PERF_STATS) { - sfBaseStats->kpackets_per_sec.usertime = - (double)((double)sfBase->total_packets / 1000) / + sfBaseStats->kpackets_per_sec.usertime = + (double)((double)sfBase->total_packets / 1000) / Systimes->usertime; - sfBaseStats->kpackets_per_sec.systemtime = - (double)((double)sfBase->total_packets / 1000) / + sfBaseStats->kpackets_per_sec.systemtime = + (double)((double)sfBase->total_packets / 1000) / Systimes->systemtime; - sfBaseStats->kpackets_per_sec.totaltime = - (double)((double)sfBase->total_packets / 1000) / + sfBaseStats->kpackets_per_sec.totaltime = + (double)((double)sfBase->total_packets / 1000) / Systimes->totaltime; } - sfBaseStats->kpackets_wire_per_sec.realtime = + sfBaseStats->kpackets_wire_per_sec.realtime = (double)((double)sfBase->total_wire_packets / 1000) / Systimes->realtime; if(perfmon_config->base_flags & MAX_PERF_STATS) { - sfBaseStats->kpackets_wire_per_sec.usertime = - (double)((double)sfBase->total_wire_packets / 1000) / + sfBaseStats->kpackets_wire_per_sec.usertime = + (double)((double)sfBase->total_wire_packets / 1000) / Systimes->usertime; - sfBaseStats->kpackets_wire_per_sec.systemtime = - (double)((double)sfBase->total_wire_packets / 1000) / + sfBaseStats->kpackets_wire_per_sec.systemtime = + (double)((double)sfBase->total_wire_packets / 1000) / Systimes->systemtime; - sfBaseStats->kpackets_wire_per_sec.totaltime = - (double)((double)sfBase->total_wire_packets / 1000) / + sfBaseStats->kpackets_wire_per_sec.totaltime = + (double)((double)sfBase->total_wire_packets / 1000) / Systimes->totaltime; } - sfBaseStats->kpackets_ipfrag_per_sec.realtime = + sfBaseStats->kpackets_ipfrag_per_sec.realtime = 
(double)((double)sfBase->total_ipfragmented_packets / 1000) / Systimes->realtime; if(perfmon_config->base_flags & MAX_PERF_STATS) { - sfBaseStats->kpackets_ipfrag_per_sec.usertime = - (double)((double)sfBase->total_ipfragmented_packets / 1000) / + sfBaseStats->kpackets_ipfrag_per_sec.usertime = + (double)((double)sfBase->total_ipfragmented_packets / 1000) / Systimes->usertime; - sfBaseStats->kpackets_ipfrag_per_sec.systemtime = - (double)((double)sfBase->total_ipfragmented_packets / 1000) / + sfBaseStats->kpackets_ipfrag_per_sec.systemtime = + (double)((double)sfBase->total_ipfragmented_packets / 1000) / Systimes->systemtime; - sfBaseStats->kpackets_ipfrag_per_sec.totaltime = - (double)((double)sfBase->total_ipfragmented_packets / 1000) / + sfBaseStats->kpackets_ipfrag_per_sec.totaltime = + (double)((double)sfBase->total_ipfragmented_packets / 1000) / Systimes->totaltime; } - sfBaseStats->kpackets_ipreass_per_sec.realtime = + sfBaseStats->kpackets_ipreass_per_sec.realtime = (double)((double)sfBase->total_ipreassembled_packets / 1000) / Systimes->realtime; if(perfmon_config->base_flags & MAX_PERF_STATS) { - sfBaseStats->kpackets_ipreass_per_sec.usertime = - (double)((double)sfBase->total_ipreassembled_packets / 1000) / + sfBaseStats->kpackets_ipreass_per_sec.usertime = + (double)((double)sfBase->total_ipreassembled_packets / 1000) / Systimes->usertime; - sfBaseStats->kpackets_ipreass_per_sec.systemtime = - (double)((double)sfBase->total_ipreassembled_packets / 1000) / + sfBaseStats->kpackets_ipreass_per_sec.systemtime = + (double)((double)sfBase->total_ipreassembled_packets / 1000) / Systimes->systemtime; - sfBaseStats->kpackets_ipreass_per_sec.totaltime = - (double)((double)sfBase->total_ipreassembled_packets / 1000) / + sfBaseStats->kpackets_ipreass_per_sec.totaltime = + (double)((double)sfBase->total_ipreassembled_packets / 1000) / Systimes->totaltime; } - sfBaseStats->kpackets_rebuilt_per_sec.realtime = + sfBaseStats->kpackets_rebuilt_per_sec.realtime = 
(double)((double)sfBase->total_rebuilt_packets / 1000) / Systimes->realtime; if(perfmon_config->base_flags & MAX_PERF_STATS) { - sfBaseStats->kpackets_rebuilt_per_sec.usertime = - (double)((double)sfBase->total_rebuilt_packets / 1000) / + sfBaseStats->kpackets_rebuilt_per_sec.usertime = + (double)((double)sfBase->total_rebuilt_packets / 1000) / Systimes->usertime; - sfBaseStats->kpackets_rebuilt_per_sec.systemtime = - (double)((double)sfBase->total_rebuilt_packets / 1000) / + sfBaseStats->kpackets_rebuilt_per_sec.systemtime = + (double)((double)sfBase->total_rebuilt_packets / 1000) / Systimes->systemtime; - sfBaseStats->kpackets_rebuilt_per_sec.totaltime = - (double)((double)sfBase->total_rebuilt_packets / 1000) / + sfBaseStats->kpackets_rebuilt_per_sec.totaltime = + (double)((double)sfBase->total_rebuilt_packets / 1000) / Systimes->totaltime; } - sfBaseStats->kpackets_per_sec_mpls.realtime = + sfBaseStats->kpackets_per_sec_mpls.realtime = (double)((double)sfBase->total_mpls_packets / 1000) / Systimes->realtime; if(perfmon_config->base_flags & MAX_PERF_STATS) { - sfBaseStats->kpackets_per_sec_mpls.usertime = - (double)((double)sfBase->total_mpls_packets / 1000) / + sfBaseStats->kpackets_per_sec_mpls.usertime = + (double)((double)sfBase->total_mpls_packets / 1000) / Systimes->usertime; - sfBaseStats->kpackets_per_sec_mpls.systemtime = - (double)((double)sfBase->total_mpls_packets / 1000) / + sfBaseStats->kpackets_per_sec_mpls.systemtime = + (double)((double)sfBase->total_mpls_packets / 1000) / Systimes->systemtime; - sfBaseStats->kpackets_per_sec_mpls.totaltime = - (double)((double)sfBase->total_mpls_packets / 1000) / + sfBaseStats->kpackets_per_sec_mpls.totaltime = + (double)((double)sfBase->total_mpls_packets / 1000) / Systimes->totaltime; } - + return 0; } -int GetuSecondsPerPacket(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, +int GetuSecondsPerPacket(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, SYSTIMES *Systimes) { sfBaseStats->usecs_per_packet.usertime = 
(Systimes->usertime * 1.0e6) / @@ -811,7 +816,7 @@ return 0; } -int GetMbitsPerSecond(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, +int GetMbitsPerSecond(SFBASE *sfBase, SFBASE_STATS *sfBaseStats, SYSTIMES *Systimes) { /* @@ -838,25 +843,25 @@ sfBaseStats->mbits_per_sec.realtime = ((double)(sfBase->total_bytes<<3) * 1.0e-6) / Systimes->realtime; - sfBaseStats->wire_mbits_per_sec.realtime = + sfBaseStats->wire_mbits_per_sec.realtime = ((double)(sfBase->total_wire_bytes<<3) * 1.0e-6) / Systimes->realtime; - sfBaseStats->rebuilt_mbits_per_sec.realtime = + sfBaseStats->rebuilt_mbits_per_sec.realtime = ((double)(sfBase->total_rebuilt_bytes<<3) * 1.0e-6) / Systimes->realtime; - sfBaseStats->ipfrag_mbits_per_sec.realtime = + sfBaseStats->ipfrag_mbits_per_sec.realtime = ((double)(sfBase->total_ipfragmented_bytes<<3) * 1.0e-6) / Systimes->realtime; - sfBaseStats->ipreass_mbits_per_sec.realtime = + sfBaseStats->ipreass_mbits_per_sec.realtime = ((double)(sfBase->total_ipreassembled_bytes<<3) * 1.0e-6) / Systimes->realtime; - sfBaseStats->mpls_mbits_per_sec.realtime = + sfBaseStats->mpls_mbits_per_sec.realtime = ((double)(sfBase->total_mpls_bytes<<3) * 1.0e-6) / Systimes->realtime; @@ -868,9 +873,9 @@ { #ifndef LINUX_SMP unsigned char needToNormalize = 0; - sfBaseStats->user_cpu_time = (Systimes->usertime / + sfBaseStats->user_cpu_time = (Systimes->usertime / Systimes->realtime) * 100; - sfBaseStats->system_cpu_time = (Systimes->systemtime / + sfBaseStats->system_cpu_time = (Systimes->systemtime / Systimes->realtime) * 100; sfBaseStats->idle_cpu_time = ((Systimes->realtime - Systimes->totaltime) / @@ -922,7 +927,7 @@ ** CalculateBasePerfStats ** ** DESCRIPTION -** This is the main function that calculates the stats. Stats +** This is the main function that calculates the stats. Stats ** that we caculate are: ** *uSecs per Packet ** *Packets per Second 
@@ -949,7 +954,7 @@ time_t clock; #ifdef LINUX_SMP - + /* ** We also give sfBaseStats access to the CPU usage ** contained in sfProcPidStats. This way we don't need @@ -957,11 +962,12 @@ */ sfBaseStats->sfProcPidStats = &(sfBase->sfProcPidStats); -#endif +#endif if(GetProcessingTime(&Systimes, sfBase)) return -1; sfBaseStats->total_blocked_packets = sfBase->total_blocked_packets; + sfBaseStats->total_injected_packets = sfBase->total_injected_packets; sfBaseStats->total_mpls_packets = sfBase->total_mpls_packets; sfBaseStats->total_mpls_bytes = sfBase->total_mpls_bytes; sfBaseStats->total_blocked_mpls_packets = sfBase->total_blocked_mpls_packets; @@ -1022,7 +1028,7 @@ (double)(sfBase->total_mpls_packets)); else sfBaseStats->avg_bytes_per_mpls_packet = 0; - + /* ** CPU time */ @@ -1080,7 +1086,10 @@ */ sfBaseStats->current_attribute_hosts = sfBase->iAttributeHosts; sfBaseStats->attribute_table_reloads = sfBase->iAttributeReloads; - + + sfBaseStats->frag3_mem_in_use = sfBase->frag3_mem_in_use; + sfBaseStats->stream5_mem_in_use = sfBase->stream5_mem_in_use; + /* ** Set the date string for print out */ @@ -1132,26 +1141,26 @@ sum = sfBaseStats->pkt_stats.pkts_recv + sfBaseStats->pkt_stats.pkts_drop; - + if ( !sum ) sfBaseStats->pkt_drop_percent = 0.0; else sfBaseStats->pkt_drop_percent = ((double)sfBaseStats->pkt_stats.pkts_drop / (double)sum) * 100.0; - + /* ** Reset sfBase stats for next go round. */ sfBase->pkt_stats.pkts_recv = recv; sfBase->pkt_stats.pkts_drop = drop; - + return 0; } /* - * - * Log Base Per Stats to File for Use by the MC + * + * Log Base Per Stats to File for Use by the MC * * unixtime(in secs since epoch) * %pkts dropped @@ -1159,7 +1168,7 @@ * alerts/sec * K-Packets/Sec (wire) * Avg Bytes/Pkt (wire) - * %bytes pattern matched + * %bytes pattern matched * syns/sec * synacks/sec * new-sessions/sec (tcp stream cache) 
@@ -1218,13 +1227,15 @@ * */ +// IMPORTANT - whatever changes you make here, please be sure +// they are reflected in the LogBasePerfHeader() below! int LogBasePerfStats(SFBASE_STATS *sfBaseStats, FILE * fh ) { double sys=0.0,usr=0.0,idle=0.0; int iCtr = 0; if( ! fh ) return 0; - + fprintf(fh,"%lu,%.3f,%.3f,%.3f,%.3f,%d,%.3f,", (unsigned long)sfBaseStats->time, sfBaseStats->pkt_drop_percent, @@ -1233,7 +1244,7 @@ sfBaseStats->kpackets_wire_per_sec.realtime, sfBaseStats->avg_bytes_per_wire_packet, sfBaseStats->patmatch_percent); - + /* Session estimation statistics */ fprintf(fh, "%.3f,%.3f,%.3f,%.3f," CSVu64 CSVu64, @@ -1261,11 +1272,11 @@ sfBaseStats->max_frags, sfBaseStats->frag_timeouts, sfBaseStats->frag_faults); - - /* CPU STATS - at the end of output record */ + + /* CPU STATS - at the end of output record */ #ifdef LINUX_SMP /* First the number of CPUs */ - fprintf(fh, "%d,", sfBaseStats->sfProcPidStats->iCPUs); + fprintf(fh, "%d,", sfBaseStats->sfProcPidStats->iCPUs); /* Next, stats for each CPU (a triple) */ for(iCtr = 0; iCtr < sfBaseStats->sfProcPidStats->iCPUs; iCtr++) @@ -1273,7 +1284,7 @@ usr= sfBaseStats->sfProcPidStats->SysCPUs[iCtr].user; sys= sfBaseStats->sfProcPidStats->SysCPUs[iCtr].sys; idle= sfBaseStats->sfProcPidStats->SysCPUs[iCtr].idle; - + fprintf(fh,"%.3f,%.3f,%.3f,",usr,sys,idle); } @@ -1282,8 +1293,8 @@ usr=sfBaseStats->user_cpu_time; sys=sfBaseStats->system_cpu_time; idle=sfBaseStats->idle_cpu_time; - - /* 1 CPU hardcoded */ + + /* 1 CPU hardcoded */ fprintf(fh,"1,%.3f,%.3f,%.3f,",usr,sys,idle); #endif 
@@ -1297,25 +1308,25 @@ sfBaseStats->ipreass_mbits_per_sec.realtime, sfBaseStats->rebuilt_mbits_per_sec.realtime, sfBaseStats->mbits_per_sec.realtime); - + fprintf(fh,"%d,%d,%d,%d,%d,", sfBaseStats->avg_bytes_per_wire_packet, sfBaseStats->avg_bytes_per_ipfrag_packet, sfBaseStats->avg_bytes_per_ipreass_packet, sfBaseStats->avg_bytes_per_rebuilt_packet, sfBaseStats->avg_bytes_per_packet); - + fprintf(fh,"%.3f,%.3f,%.3f,%.3f,%.3f,", sfBaseStats->kpackets_wire_per_sec.realtime, sfBaseStats->kpackets_ipfrag_per_sec.realtime, sfBaseStats->kpackets_ipreass_per_sec.realtime, sfBaseStats->kpackets_rebuilt_per_sec.realtime, sfBaseStats->kpackets_per_sec.realtime); - + fprintf(fh, CSVu64,sfBaseStats->pkt_stats.pkts_recv); fprintf(fh, CSVu64, sfBaseStats->pkt_stats.pkts_drop); - + fprintf(fh, CSVu64, sfBaseStats->total_blocked_packets); fprintf(fh, "%.3f,%.3f," CSVu64 CSVu64, @@ -1341,17 +1352,21 @@ fprintf(fh, "%.3f,%d,%.3f,", sfBaseStats->mpls_mbits_per_sec.realtime, sfBaseStats->avg_bytes_per_mpls_packet, - sfBaseStats->kpackets_per_sec_mpls.realtime); - + sfBaseStats->kpackets_per_sec_mpls.realtime); + fprintf(fh, CSVu64 CSVu64, sfBaseStats->total_tcp_filtered_packets, sfBaseStats->total_udp_filtered_packets); - + #ifdef NORMALIZER for ( iCtr = 0; iCtr < PERF_COUNT_MAX; iCtr++ ) fprintf(fh, CSVu64, sfBaseStats->pegs[iCtr]); #endif + fprintf(fh, CSVu64, sfBaseStats->total_injected_packets); + fprintf(fh, CSVu64, sfBaseStats->frag3_mem_in_use); + fprintf(fh, CSVu64, sfBaseStats->stream5_mem_in_use); + fprintf(fh,"\n"); fflush(fh); @@ -1360,7 +1375,7 @@ #ifdef NORMALIZER static const char* iNames[PERF_COUNT_MAX] = { - "ip4::resize", + "ip4::trim", "ip4::tos", "ip4::df", "ip4::rf", @@ -1369,8 +1384,7 @@ "icmp4::echo", #ifdef SUP_IP6 "ip6::ttl", - "ip6::hop_opts", - "ip6::dst_opts", + "ip6::opts", "icmp6::echo", #endif "tcp::syn_opt", 
@@ -1379,19 +1393,167 @@ "tcp::rsv", "tcp::ns", "tcp::urg", - "tcp::urp" - "tcp::trim" + "tcp::urp", + "tcp::trim", "tcp::ecn_pkt", "tcp::ecn_ssn", "tcp::ts_ecr", "tcp::ts_nop", + "tcp::ips_data", + "tcp::block" }; #endif +// IMPORTANT - whatever changes you make here, please be sure +// they correspond to the LogBasePerfStats() above! +void LogBasePerfHeader (FILE* fh) +{ + int iCtr, iCPUs; + if( !fh ) return; + + fprintf(fh, + "#%s,%s,%s,%s,%s,%s,%s", + "time", + "pkt_drop_percent", + "wire_mbits_per_sec.realtime", + "alerts_per_second", + "kpackets_wire_per_sec.realtime", + "avg_bytes_per_wire_packet", + "patmatch_percent"); + + /* Session estimation statistics */ + + fprintf(fh, + ",%s,%s,%s,%s,%s,%s", + "syns_per_second", + "synacks_per_second", + "new_sessions_per_second", + "deleted_sessions_per_second", + "total_sessions", + "max_sessions"); + + fprintf(fh, + ",%s,%s,%s", + "stream_flushes_per_second", + "stream_faults", + "stream_timeouts"); + + fprintf(fh, + ",%s,%s,%s,%s,%s,%s,%s,%s,%s,%s", + "frag_creates_per_second", + "frag_completes_per_second", + "frag_inserts_per_second", + "frag_deletes_per_second", + "frag_autofrees_per_second", + "frag_flushes_per_second", + "current_frags", + "max_frags", + "frag_timeouts", + "frag_faults"); + + /* First the number of CPUs */ + fprintf(fh, + ",%s", "iCPUs"); + +#ifdef LINUX_SMP + iCPUs = sfBase.sfProcPidStats.iCPUs; +#else + iCPUs = 1; +#endif + /* Next, stats for each CPU (a triple) */ + for ( iCtr = 0; iCtr < iCPUs; iCtr++ ) + { + fprintf(fh, + ",%s[%d],%s[%d],%s[%d]", + "usr",iCtr,"sys",iCtr,"idle",iCtr); + } + + /* Status for MBits/s, Bytes/Pkt, KPkts/s for each of + * wire, IP Fragmented, IP Reassembled, Stream Reassembled, + * App Layer (data that reaches protocol decoders). 
*/ + fprintf(fh, + ",%s,%s,%s,%s,%s", + "wire_mbits_per_sec.realtime", + "ipfrag_mbits_per_sec.realtime", + "ipreass_mbits_per_sec.realtime", + "rebuilt_mbits_per_sec.realtime", + "mbits_per_sec.realtime"); + + fprintf(fh, + ",%s,%s,%s,%s,%s", + "avg_bytes_per_wire_packet", + "avg_bytes_per_ipfrag_packet", + "avg_bytes_per_ipreass_packet", + "avg_bytes_per_rebuilt_packet", + "avg_bytes_per_packet"); + + fprintf(fh, + ",%s,%s,%s,%s,%s", + "kpackets_wire_per_sec.realtime", + "kpackets_ipfrag_per_sec.realtime", + "kpackets_ipreass_per_sec.realtime", + "kpackets_rebuilt_per_sec.realtime", + "kpackets_per_sec.realtime"); + + fprintf(fh, + ",%s,%s,%s", + "pkt_stats.pkts_recv", + "pkt_stats.pkts_drop", + "total_blocked_packets"); + + fprintf(fh, + ",%s,%s,%s,%s", + "new_udp_sessions_per_second", + "deleted_udp_sessions_per_second", + "total_udp_sessions", + "max_udp_sessions"); + + fprintf(fh, + ",%s,%s,%s,%s,%s,%s,%s,%s,%s", + "max_tcp_sessions_interval", + "curr_tcp_sessions_initializing", + "curr_tcp_sessions_established", + "curr_tcp_sessions_closing", + "tcp_sessions_midstream_per_second", + "tcp_sessions_closed_per_second", + "tcp_sessions_timedout_per_second", + "tcp_sessions_pruned_per_second", + "tcp_sessions_dropped_async_per_second"); + + fprintf(fh, + ",%s,%s", + "current_attribute_hosts", + "attribute_table_reloads"); + + fprintf(fh, + ",%s,%s,%s", "mpls_mbits_per_sec.realtime", + "avg_bytes_per_mpls_packet", + "kpackets_per_sec_mpls.realtime"); + + fprintf(fh, + ",%s,%s", + "total_tcp_filtered_packets", + "total_udp_filtered_packets"); + +#ifdef NORMALIZER + for ( iCtr = 0; iCtr < PERF_COUNT_MAX; iCtr++ ) + fprintf(fh, ",%s", iNames[iCtr]); +#endif + + fprintf(fh, + ",%s,%s,%s", + "total_injected_packets", + "frag3_mem_in_use", + "stream5_mem_in_use"); + + fprintf(fh,"\n"); + fflush(fh); +} + /* -** NAME +** NAME ** DisplayBasePerfStats -** +** ** DESCRIPTION ** Output Function. 
We can easily code multiple output buffers ** because all that is received is a SFBASE_STATS struct which @@ -1411,7 +1573,7 @@ LogMessage("\n"); LogMessage("\n"); - LogMessage("Snort Realtime Performance : %s--------------------------\n", + LogMessage("Snort Realtime Performance : %s--------------------------\n", ctime(&sfBaseStats->time)); LogMessage("Pkts Recv: " STDu64 "\n", sfBaseStats->pkt_stats.pkts_recv); @@ -1421,22 +1583,23 @@ LogMessage("%% Dropped: %.3f%%\n", sfBaseStats->pkt_drop_percent); LogMessage("Blocked: " STDu64 "\n", sfBaseStats->total_blocked_packets); + LogMessage("Injected: " STDu64 "\n", sfBaseStats->total_injected_packets); LogMessage("Pkts Filtered TCP: " STDu64 "\n", sfBaseStats->total_tcp_filtered_packets); LogMessage("Pkts Filtered UDP: " STDu64 "\n\n", sfBaseStats->total_udp_filtered_packets); - LogMessage("Mbits/Sec: %.3f (wire)\n", + LogMessage("Mbits/Sec: %.3f (wire)\n", sfBaseStats->wire_mbits_per_sec.realtime); #ifdef MPLS - LogMessage("Mbits/Sec: %.3f (mpls)\n", + LogMessage("Mbits/Sec: %.3f (mpls)\n", sfBaseStats->mpls_mbits_per_sec.realtime); #endif - LogMessage("Mbits/Sec: %.3f (ip fragmented)\n", + LogMessage("Mbits/Sec: %.3f (ip fragmented)\n", sfBaseStats->ipfrag_mbits_per_sec.realtime); - LogMessage("Mbits/Sec: %.3f (ip reassembled)\n", + LogMessage("Mbits/Sec: %.3f (ip reassembled)\n", sfBaseStats->ipreass_mbits_per_sec.realtime); - LogMessage("Mbits/Sec: %.3f (tcp rebuilt)\n", + LogMessage("Mbits/Sec: %.3f (tcp rebuilt)\n", sfBaseStats->rebuilt_mbits_per_sec.realtime); - LogMessage("Mbits/Sec: %.3f (app layer)\n\n", + LogMessage("Mbits/Sec: %.3f (app layer)\n\n", sfBaseStats->mbits_per_sec.realtime); LogMessage("Bytes/Pkt: %d (wire)\n", 
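Review bot: LogBasePerfHeader() takes its CPU column count from the global `sfBase.sfProcPidStats.iCPUs`, whereas LogBasePerfStats() prints `sfBaseStats->sfProcPidStats->iCPUs`, so the header and the data rows only agree if `sfInitProcPidStats()` has already run when the header is written; the header is emitted from sfSetPerformanceStatisticsEx() at file-open time while the init call this patch adds to InitPerfStats() appears to run later, in which case the header could advertise zero `usr[]/sys[]/idle[]` triples. A comment on the `#ifdef LINUX_SMP` read would make the ordering requirement visible, e.g. `/* must run after sfInitProcPidStats(), otherwise the CPU column count will not match LogBasePerfStats() */`, or the code could fall back to 1 when `iCPUs` is still 0. The function also declares `int iCtr, iCPUs;` uninitialised while LogBasePerfStats() writes `int iCtr = 0;`; initialising here would keep the two functions, which the IMPORTANT comments ask to be kept in lockstep, stylistically consistent.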
@@ -1482,7 +1645,7 @@ for(iCtr = 0; iCtr < sfBaseStats->sfProcPidStats->iCPUs; iCtr++) { - LogMessage("CPU%d Usage: %.3f%% (user) %.3f%% (sys) %.3f%% (idle)\n", + LogMessage("CPU%d Usage: %.3f%% (user) %.3f%% (sys) %.3f%% (idle)\n", iCtr, sfBaseStats->sfProcPidStats->SysCPUs[iCtr].user, sfBaseStats->sfProcPidStats->SysCPUs[iCtr].sys, @@ -1492,7 +1655,7 @@ #else - LogMessage("CPU Usage: %.3f%% (user) %.3f%% (sys) %.3f%% (idle)\n\n", + LogMessage("CPU Usage: %.3f%% (user) %.3f%% (sys) %.3f%% (idle)\n\n", sfBaseStats->user_cpu_time, sfBaseStats->system_cpu_time, sfBaseStats->idle_cpu_time); @@ -1509,7 +1672,7 @@ LogMessage("Syn-Acks/Sec : %.3f\n", sfBaseStats->synacks_per_second); LogMessage("New Cached Sessions/Sec: %.3f\n", sfBaseStats->new_sessions_per_second); LogMessage("Midstream Sessions/Sec : %.3f\n", sfBaseStats->tcp_sessions_midstream_per_second); - LogMessage("Cached Sessions Del/Sec: %.3f\n", sfBaseStats->deleted_sessions_per_second); + LogMessage("Cached Sessions Del/Sec: %.3f\n", sfBaseStats->deleted_sessions_per_second); LogMessage("Closed Sessions/Sec : %.3f\n", sfBaseStats->tcp_sessions_closed_per_second); LogMessage("TimedOut Sessions/Sec : %.3f\n", sfBaseStats->tcp_sessions_timedout_per_second); LogMessage("Pruned Sessions/Sec : %.3f\n", sfBaseStats->tcp_sessions_pruned_per_second); @@ -1540,7 +1703,7 @@ LogMessage("Frag Faults : " STDu64 "\n\n", sfBaseStats->frag_faults); LogMessage("New Cached UDP Ssns/Sec: %.3f\n", sfBaseStats->new_udp_sessions_per_second); - LogMessage("Cached UDP Ssns Del/Sec: %.3f\n", sfBaseStats->deleted_udp_sessions_per_second); + LogMessage("Cached UDP Ssns Del/Sec: %.3f\n", sfBaseStats->deleted_udp_sessions_per_second); LogMessage("Current Cached UDP Ssns: " STDu64 "\n", sfBaseStats->total_udp_sessions); LogMessage("Max Cached UDP Ssns : " STDu64 "\n\n", sfBaseStats->max_udp_sessions); 
@@ -1552,14 +1715,14 @@ #ifdef NORMALIZER for ( iCtr = 0; iCtr < PERF_COUNT_MAX; iCtr++ ) - LogMessage("%-26s: " STDu64 "\n", + LogMessage("%-26s: " STDu64 "\n", iNames[iCtr], sfBaseStats->pegs[iCtr]); #endif LogMessage("\n"); /* ** Snort Maximum Performance Statistics - ** These statistics calculate the maximum performance that + ** These statistics calculate the maximum performance that ** snort could attain by using the getrusage numbers. We've ** seen in testing that these numbers come close to the actual ** throughput for Mbits/Sec and Pkt/Sec. But note that these @@ -1568,16 +1731,16 @@ */ if(iFlags & MAX_PERF_STATS) { - + LogMessage("Snort Maximum Performance\n"); LogMessage("-------------------------\n\n"); - + LogMessage("Mbits/Second\n"); LogMessage("----------------\n"); LogMessage("Snort: %.3f\n",sfBaseStats->mbits_per_sec.usertime); LogMessage("Sniffing: %.3f\n",sfBaseStats->mbits_per_sec.systemtime); LogMessage("Combined: %.3f\n\n",sfBaseStats->mbits_per_sec.totaltime); - + LogMessage("uSeconds/Pkt\n"); LogMessage("----------------\n"); diff -Nru snort-2.9.0.1/src/preprocessors/perf-base.h snort-2.9.2/src/preprocessors/perf-base.h --- snort-2.9.0.1/src/preprocessors/perf-base.h 2010-08-25 13:22:46.000000000 -0700 +++ snort-2.9.2/src/preprocessors/perf-base.h 2011-11-21 12:15:24.000000000 -0800 @@ -3,7 +3,7 @@ ** ** perf-base.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker (droelker@sourcefire.com) ** Marc Norton (mnorton@sourcefire.com) ** Chris Green (stream4 instrumentation) @@ -35,8 +35,8 @@ #endif #include "sfprocpidstats.h" -#include "debug.h" #include "sf_types.h" +#include "snort_debug.h" #include <time.h> #include <stdio.h> @@ -51,7 +51,7 @@ } PKTSTATS; typedef enum { - PERF_COUNT_IP4_RESZ, + PERF_COUNT_IP4_TRIM, PERF_COUNT_IP4_TOS, PERF_COUNT_IP4_DF, PERF_COUNT_IP4_RF, 
@@ -75,6 +75,8 @@ PERF_COUNT_TCP_ECN_SSN, PERF_COUNT_TCP_TS_ECR, PERF_COUNT_TCP_TS_NOP, + PERF_COUNT_TCP_IPS_DATA, + PERF_COUNT_TCP_BLOCK, PERF_COUNT_MAX } PerfCounts; @@ -87,7 +89,8 @@ * unfragmented/stream rebuilt */ uint64_t total_blocked_packets; - + uint64_t total_injected_packets; // due to normalize_ip4: trim blocks + uint64_t total_rebuilt_packets; uint64_t total_wire_bytes; uint64_t total_ipfragmented_bytes; @@ -117,7 +120,7 @@ uint64_t iStreamFlushes; /* # of fake packet is flushed */ uint64_t iStreamFaults; /* # of times we run out of memory */ uint64_t iStreamTimeouts; /* # of timeouts we get in this quanta */ - + uint64_t iFragCreates; /* # of times we call Frag3NewTracker() */ uint64_t iFragCompletes; /* # of times we call FragIsComplete() */ uint64_t iFragInserts; /* # of fraginserts */ @@ -127,7 +130,7 @@ uint64_t iMaxFrags; uint64_t iCurrentFrags; uint64_t iFragTimeouts; /* # of times we've reached timeout */ - uint64_t iFragFaults; /* # of times we've run out of memory */ + uint64_t iFragFaults; /* # of times we've run out of memory */ #ifdef NORMALIZER uint64_t iPegs[PERF_COUNT_MAX]; @@ -164,6 +167,8 @@ /**UDP packets ignored due to port/service filtering.*/ uint64_t total_udp_filtered_packets; + uint64_t frag3_mem_in_use; + uint64_t stream5_mem_in_use; } SFBASE; typedef struct _SYSTIMES { @@ -200,7 +205,7 @@ double user_cpu_time; double system_cpu_time; PKTSTATS pkt_stats; - double pkt_drop_percent; + double pkt_drop_percent; double alerts_per_second; double syns_per_second; double synacks_per_second; @@ -221,7 +226,7 @@ uint64_t frag_faults; uint64_t current_frags; uint64_t max_frags; - + double patmatch_percent; time_t time; @@ -235,6 +240,7 @@ uint64_t total_blocked_packets; uint64_t total_blocked_bytes; + uint64_t total_injected_packets; uint64_t total_udp_sessions; uint64_t max_udp_sessions; 
@@ -265,10 +271,13 @@ uint64_t total_tcp_filtered_packets; /**UDP packets ignored due to port/service filtering.*/ uint64_t total_udp_filtered_packets; + + uint64_t frag3_mem_in_use; + uint64_t stream5_mem_in_use; } SFBASE_STATS; int InitBaseStats(SFBASE *sfBase); -int UpdateBaseStats(SFBASE *sfBase, int len, int iRebuiltPkt); +int UpdateBaseStats(SFBASE *sfBase, uint32_t len, int iRebuiltPkt); int ProcessBaseStats(SFBASE *sfBase,int console, int file, FILE * fh); int AddStreamSession(SFBASE *sfBase, uint32_t flags); #define SESSION_CLOSED_NORMALLY 0x01 @@ -280,12 +289,13 @@ int AddUDPSession(SFBASE *sfBase); int RemoveUDPSession(SFBASE *sfBase); -void UpdateWireStats(SFBASE *sfBase, int len, int dropped); +void UpdateWireStats(SFBASE *sfBase, int len, int dropped, int injected); void UpdateMPLSStats(SFBASE *sfBase, int len, int dropped); void UpdateIPFragStats(SFBASE *sfBase, int len); void UpdateIPReassStats(SFBASE *sfBase, int len); void UpdateFilteredPacketStats(SFBASE *sfBase, unsigned int proto); +void LogBasePerfHeader(FILE*); #endif diff -Nru snort-2.9.0.1/src/preprocessors/perf.c snort-2.9.2/src/preprocessors/perf.c --- snort-2.9.0.1/src/preprocessors/perf.c 2010-01-26 10:10:11.000000000 -0800 +++ snort-2.9.2/src/preprocessors/perf.c 2011-10-26 11:28:52.000000000 -0700 @@ -3,7 +3,7 @@ ** ** perf.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -40,6 +40,10 @@ # include <unistd.h> #endif /* WIN32 */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "util.h" #include "perf.h" #include "sf_types.h" @@ -55,7 +59,7 @@ int InitPerfStats(SFPERF *sfPerf, Packet *p); -int UpdatePerfStats(SFPERF *sfPerf, const unsigned char *pucPacket, int len, +int UpdatePerfStats(SFPERF *sfPerf, const unsigned char *pucPacket, uint32_t len, int iRebuiltPkt); int ProcessPerfStats(SFPERF *sfPerf); 
@@ -66,6 +70,10 @@ sfSetPerformanceSampleTime(sfPerf, 0); sfSetPerformanceStatistics(sfPerf, 0); +#ifdef LINUX_SMP + sfInitProcPidStats(&(sfBase.sfProcPidStats)); +#endif + return 0; } @@ -79,7 +87,7 @@ int sfSetPerformanceSampleTime(SFPERF *sfPerf, int iSeconds) { sfPerf->sample_time = 0; - + if(iSeconds < 0) { iSeconds = 0; @@ -94,7 +102,7 @@ int sfSetPerformanceAccounting(SFPERF *sfPerf, int iReset) { sfPerf->base_reset = iReset; - + return 0; } @@ -131,43 +139,63 @@ { sfPerf->perf_flags = sfPerf->perf_flags | SFPERF_CONSOLE; } - + return 0; } +static void WriteTimeStamp (SFPERF* sfPerf, const char* action) +{ + time_t curr_time = time(NULL); + + if ( !sfPerf->fh ) + return; + + fprintf(sfPerf->fh, + "################################### " + "Perfmon %s: pid=%u at=%.24s (%lu) " + "###################################\n", + action, getpid(), + ctime(&curr_time), (unsigned long)curr_time); + + fflush(sfPerf->fh); +} + int sfSetPerformanceStatisticsEx(SFPERF *sfPerf, int iFlag, void * p) { -#ifndef WIN32 +#ifndef WIN32 mode_t old_umask; -#endif - +#endif + if(iFlag & SFPERF_FILE) { static char start_up = 1; sfPerf->perf_flags = sfPerf->perf_flags | SFPERF_FILE; - + /* this file needs to be readable by everyone */ #ifndef WIN32 old_umask = umask(022); -#endif +#endif /* append to existing perfmon file if just starting up */ if (start_up) { sfPerf->fh = fopen(sfPerf->file, "a"); + WriteTimeStamp(sfPerf, "start"); start_up = 0; } /* otherwise we've rotated - start a new one */ else { sfPerf->fh = fopen(sfPerf->file, "w"); + WriteTimeStamp(sfPerf, "rotate"); } + LogBasePerfHeader(sfPerf->fh); #ifndef WIN32 umask(old_umask); #endif - + if( !sfPerf->fh ) return -1; } @@ -175,6 +203,7 @@ { if (sfPerf->fh) { + WriteTimeStamp(sfPerf, "stop"); fclose(sfPerf->fh); sfPerf->fh = NULL; } 
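Review bot: WriteTimeStamp() passes `getpid()` to a `%u` conversion; `pid_t` is a signed type on POSIX, so the argument does not match the conversion and should be cast, `action, (unsigned)getpid(),`. In sfSetPerformanceStatisticsEx() the new `LogBasePerfHeader(sfPerf->fh)` call also runs in the append-on-startup branch, so an existing perfmon file gains a `Perfmon start` banner and a second `#`-prefixed header row in the middle of its data; consumers of the CSV must treat `#` lines as comments anywhere in the file, which deserves a comment next to the call, e.g. `/* a header is written on every (re)open, so it can appear mid-file after a restart */`. Both helpers silently rely on their own NULL check when fopen() fails; restoring the umask and then checking `if( !sfPerf->fh ) return -1;` before calling them would make the failure path explicit instead of implicit.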
@@ -233,11 +262,11 @@ } } -static INLINE FILE *OpenPerfFileAndCheckMaxSize(struct tm *tm, +static inline FILE *OpenPerfFileAndCheckMaxSize(struct tm *tm, FILE *oldfh, SFPERF *sfPerf, struct stat *file_stats, - int prefix_len, + int prefix_len, int *file_index, int *newfd, const char *filename, @@ -294,13 +323,13 @@ LogMessage("Performance log file '%s' not open", filename); return 1; } - + ret = fclose(oldfh); if (ret != 0) { FatalError("Cannot close performance log file '%s': %s\n", filename, strerror(errno)); } - + /* Rename current stats file with yesterday's date */ #ifndef WIN32 ptr = strrchr(filename, '/'); @@ -310,7 +339,7 @@ if (ptr != NULL) { - /* take length of string up to path separator and add + /* take length of string up to path separator and add * one to include path separator */ prefix_len = (ptr - &filename[0]) + 1; } @@ -342,10 +371,10 @@ int file_index = 0; int newfd = -1; -#ifndef WIN32 +#ifndef WIN32 mode_t old_umask; old_umask = umask(022); -#endif +#endif do { newfh = fopen(newfile, "a"); @@ -433,7 +462,7 @@ int sfRotatePerformanceStatisticsFile(void) { int ret = 0; - + if (perfmon_config != NULL) { ret = sfRotateFile(perfmon_config->file, perfmon_config->fh); @@ -451,13 +480,13 @@ int sfRotateFlowIPStatisticsFile(void) { int ret; - + ret = sfRotateFile(perfmon_config->flowip_file, perfmon_config->flowip_fh); if (ret != 0) return ret; if (sfOpenFlowIPStatsFile(perfmon_config) != 0) - FatalError("Cannot open performance log file '%s': %s\n", perfmon_config->file, strerror(errno)); + FatalError("Cannot open performance log file '%s': %s\n", perfmon_config->flowip_file, strerror(errno)); return 0; } 
@@ -505,20 +534,6 @@ if(prev_time == 0) { InitPerfStats(sfPerf, p); - - /****** Log an empty line in the file to indicate a restart *********/ - if ((sfPerf->perf_flags & SFPERF_BASE) && (sfPerf->perf_flags & SFPERF_FILE)) - { - if( sfPerf->fh ) - { - fprintf(sfPerf->fh, - "################################### " - "New Log File: %lu" - "###################################\n", - (unsigned long)curr_time); - fflush(sfPerf->fh); - } - } } else if((curr_time - prev_time) >= sfPerf->sample_interval) { @@ -547,22 +562,22 @@ } if(sfPerf->perf_flags & SFPERF_BASE) - { + { InitBaseStats(&sfBase); } if(sfPerf->perf_flags & SFPERF_FLOW) - { + { InitFlowStats(&sfFlow); } if(sfPerf->perf_flags & SFPERF_FLOWIP) - { + { InitFlowIPStats(&sfFlow); } if(sfPerf->perf_flags & SFPERF_EVENT) - { + { InitEventStats(&sfEvent); } @@ -574,7 +589,7 @@ return InitPerfStats(sfPerf, NULL); } -int UpdatePerfStats(SFPERF *sfPerf, const unsigned char *pucPacket, int len, +int UpdatePerfStats(SFPERF *sfPerf, const unsigned char *pucPacket, uint32_t len, int iRebuiltPkt) { if(sfPerf->perf_flags & SFPERF_BASE) @@ -618,7 +633,7 @@ } } } - + /* Always goes to the console */ if(sfPerf->perf_flags & SFPERF_FLOW) { @@ -642,7 +657,7 @@ } } } - + if (sfPerf->perf_flags & SFPERF_EVENT) { if (sfPerf->perf_flags & SFPERF_CONSOLE) diff -Nru snort-2.9.0.1/src/preprocessors/perf-event.c snort-2.9.2/src/preprocessors/perf-event.c --- snort-2.9.0.1/src/preprocessors/perf-event.c 2010-06-09 15:05:21.000000000 -0700 +++ snort-2.9.2/src/preprocessors/perf-event.c 2011-06-07 17:33:16.000000000 -0700 @@ -3,7 +3,7 @@ ** ** perf-event.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** @@ -28,6 +28,11 @@ ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort.h" #include "util.h" 
@@ -85,9 +90,9 @@ if(sfEvent->TotalEvents) { - sfEventStats.NQPercent = 100.0 * (double)sfEvent->NQEvents / + sfEventStats.NQPercent = 100.0 * (double)sfEvent->NQEvents / (double)sfEvent->TotalEvents; - sfEventStats.QPercent = 100.0 * (double)sfEvent->QEvents / + sfEventStats.QPercent = 100.0 * (double)sfEvent->QEvents / (double)sfEvent->TotalEvents; } else @@ -121,5 +126,5 @@ return 0; } - + diff -Nru snort-2.9.0.1/src/preprocessors/perf-event.h snort-2.9.2/src/preprocessors/perf-event.h --- snort-2.9.0.1/src/preprocessors/perf-event.h 2010-01-26 10:10:11.000000000 -0800 +++ snort-2.9.2/src/preprocessors/perf-event.h 2011-02-09 15:23:28.000000000 -0800 @@ -3,7 +3,7 @@ ** ** perf-event.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/preprocessors/perf-flow.c snort-2.9.2/src/preprocessors/perf-flow.c --- snort-2.9.0.1/src/preprocessors/perf-flow.c 2010-06-09 15:05:21.000000000 -0700 +++ snort-2.9.2/src/preprocessors/perf-flow.c 2011-10-26 11:28:52.000000000 -0700 @@ -4,7 +4,7 @@ ** perf-flow.c ** ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** @@ -12,7 +12,7 @@ ** 4.10.02 - Initial Checkin. Norton ** 5.5.02 - Changed output format and added output structure for ** easy stat printing. Roelker -** 5.29.02 - Added ICMP traffic stats and overall protocol flow +** 5.29.02 - Added ICMP traffic stats and overall protocol flow ** stats. Roelker ** ** This program is free software; you can redistribute it and/or modify @@ -37,7 +37,7 @@ ** PacketLen vs Packet Count ** TCP-Port vs Packet Count ** UDP-Port vs Packet Count -** TCP High<->High Port Count +** TCP High<->High Port Count ** UDP High<->High Port Count ** ** 
@@ -52,6 +52,11 @@ #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "snort.h" #include "util.h" #include "sf_types.h" @@ -91,7 +96,7 @@ if (first) { - sfFlow->pktLenCnt = (uint64_t*)SnortAlloc(sizeof(uint64_t) * (SF_MAX_PKT_LEN + 1)); + sfFlow->pktLenCnt = (uint64_t*)SnortAlloc(sizeof(uint64_t) * (SF_MAX_PKT_LEN + 2)); sfFlow->portTcpSrc = (uint64_t*)SnortAlloc(sizeof(uint64_t) * SF_MAX_PORT); sfFlow->portTcpDst = (uint64_t*)SnortAlloc(sizeof(uint64_t) * SF_MAX_PORT); sfFlow->portUdpSrc = (uint64_t*)SnortAlloc(sizeof(uint64_t) * SF_MAX_PORT); @@ -102,7 +107,7 @@ } else { - memset(sfFlow->pktLenCnt, 0, sizeof(uint64_t) * (SF_MAX_PKT_LEN + 1)); + memset(sfFlow->pktLenCnt, 0, sizeof(uint64_t) * (SF_MAX_PKT_LEN + 2)); memset(sfFlow->portTcpSrc, 0, sizeof(uint64_t) * SF_MAX_PORT); memset(sfFlow->portTcpDst, 0, sizeof(uint64_t) * SF_MAX_PORT); memset(sfFlow->portUdpSrc, 0, sizeof(uint64_t) * SF_MAX_PORT); @@ -120,7 +125,7 @@ sfFlow->portUdpTotal=0; sfFlow->typeIcmpTotal = 0; - + return 0; } @@ -198,12 +203,12 @@ { sfFlow->portTcpSrc [ sport ]+= len; } - + if( dport < sfFlow->maxPortToTrack ) { sfFlow->portTcpDst [ dport ]+= len; } - + if( sport > 1023 && dport > 1023 ) { sfFlow->portTcpHigh += len; @@ -227,7 +232,7 @@ { sfFlow->portTcpSrc [ sport ]+= len; sfFlow->portTcpDst [ dport ]+= len; - + sfFlow->portTcpHigh += len; } @@ -269,7 +274,7 @@ { sfFlow->portUdpSrc [ sport ]+= len; sfFlow->portUdpDst [ dport ]+= len; - + sfFlow->portUdpHigh += len; } 
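Review bot: The added `#include "sf_types.h"` duplicates the `#include "sf_types.h"` already present two lines further down in the same hunk; include guards make it harmless, but one of the two should go. Keeping the new one next to `config.h` (so the fixed-width types are in scope before `snort.h`) and dropping the later line would match the include order this same patch uses in perf-event.c.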
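Review bot: The bucket count `SF_MAX_PKT_LEN + 2` and the overflow slot `SF_MAX_PKT_LEN + 1` are spelled out as arithmetic in the SnortAlloc() call here, in the memset() in the next hunk, in UpdateFlowStats() and ProcessFlowStats() further down, in DisplayFlowStats(), and in the `pktLenPercent` array in perf-flow.h; a mismatch in any one of them is an out-of-bounds index on a per-packet path. A pair of named constants in perf-flow.h, e.g. `#define SF_PKT_LEN_OVERFLOW (SF_MAX_PKT_LEN + 1)` and `#define SF_PKT_LEN_BUCKETS (SF_PKT_LEN_OVERFLOW + 1)`, used in all of those places would tie the allocation size, the loop bounds and the overflow index to one definition.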
@@ -394,14 +399,18 @@ * * Packet lengths */ -int UpdateFlowStats(SFFLOW *sfFlow, const unsigned char *pucPacket, int len, int iRebuiltPkt) +int UpdateFlowStats(SFFLOW *sfFlow, const unsigned char *pucPacket, uint32_t len, int iRebuiltPkt) { /* * Track how many packets of each length */ - if( (!iRebuiltPkt)&&(len <= SF_MAX_PKT_LEN) ) + if(!iRebuiltPkt) { - sfFlow->pktLenCnt[ len ]++; + if (len <= SF_MAX_PKT_LEN) + sfFlow->pktLenCnt[ len ]++; + else + sfFlow->pktLenCnt[ SF_MAX_PKT_LEN + 1 ]++; + sfFlow->pktTotal++; sfFlow->byteTotal += len; } @@ -437,16 +446,16 @@ (double)sfFlow->portUdpTotal + (double)sfFlow->typeIcmpTotal)) / (double)sfFlow->byteTotal; - + /* ** Calculate Packet percent of total pkt length ** distribution. */ - for(i=1;i<SF_MAX_PKT_LEN;i++) + for(i=1;i<SF_MAX_PKT_LEN + 2;i++) { if( !sfFlow->pktLenCnt[i] ) continue; - - rate = 100.0 * (double)(sfFlow->pktLenCnt[i]) / + + rate = 100.0 * (double)(sfFlow->pktLenCnt[i]) / (double)(sfFlow->pktTotal); if( rate > .10 ) @@ -456,8 +465,8 @@ else { sfFlowStats.pktLenPercent[i] = 0; - } - + } + sfFlow->pktLenCnt[i]=0; } @@ -475,12 +484,12 @@ } totperc = 100.0 * tot / sfFlow->portTcpTotal; - + if(totperc > .1) { srate = 100.0 * (double)(sfFlow->portTcpSrc[i]) / tot ; drate = 100.0 * (double)(sfFlow->portTcpDst[i]) / tot ; - + sfFlowStats.portflowTCP.totperc[i] = totperc; sfFlowStats.portflowTCP.sport_rate[i] = srate; sfFlowStats.portflowTCP.dport_rate[i] = drate; @@ -489,7 +498,7 @@ { sfFlowStats.portflowTCP.totperc[i] = 0; } - + sfFlow->portTcpSrc[i] = sfFlow->portTcpDst[i] = 0; } @@ -501,7 +510,7 @@ */ sfFlow->portTcpHigh=0; sfFlow->portTcpTotal=0; - + /* ** Calculate UDP port processing based on src, dst and ** total distributions. @@ -516,7 +525,7 @@ } totperc= 100.0 * tot / sfFlow->portUdpTotal; - + if(totperc > .1) { srate = 100.0 * (double)(sfFlow->portUdpSrc[i]) / tot ; @@ -530,7 +539,7 @@ { sfFlowStats.portflowUDP.totperc[i] = 0; } - + sfFlow->portUdpSrc[i] = sfFlow->portUdpDst[i] = 0; } 
@@ -556,7 +565,7 @@ } totperc= 100.0 * tot / sfFlow->typeIcmpTotal; - + if(totperc > .1) { sfFlowStats.flowICMP.totperc[i] = totperc; @@ -572,11 +581,11 @@ sfFlow->typeIcmpTotal = 0; sfFlow->byteTotal = 0; - - sfFlow->pktTotal = 0; + + sfFlow->pktTotal = 0; DisplayFlowStats(&sfFlowStats); - + return 0; } @@ -593,7 +602,7 @@ static int DisplayFlowStats(SFFLOW_STATS *sfFlowStats) { int i; - + LogMessage("\n"); LogMessage("\n"); LogMessage("Protocol Byte Flows - %%Total Flow\n"); @@ -606,21 +615,24 @@ LogMessage("\n"); LogMessage("\n"); LogMessage("PacketLen - %%TotalPackets\n"); - LogMessage( "-------------------------\n"); - for(i=1;i<SF_MAX_PKT_LEN;i++) + LogMessage( "-------------------------\n"); + for(i=1;i<SF_MAX_PKT_LEN + 1;i++) { if( sfFlowStats->pktLenPercent[i] < .1 ) continue; - + LogMessage("Bytes[%d] %.2f%%\n", i, sfFlowStats->pktLenPercent[i]); } + if( sfFlowStats->pktLenPercent[SF_MAX_PKT_LEN + 1] >= .1 ) + LogMessage("Bytes[>%d] %.2f%%\n", SF_MAX_PKT_LEN, sfFlowStats->pktLenPercent[SF_MAX_PKT_LEN + 1]); + LogMessage("\n"); LogMessage("\n"); LogMessage("TCP Port Flows\n"); - LogMessage( "--------------\n"); + LogMessage( "--------------\n"); for(i=0;i<SF_MAX_PORT;i++) { - if(sfFlowStats->portflowTCP.totperc[i] && + if(sfFlowStats->portflowTCP.totperc[i] && sfFlowStats->portflowTCP.dport_rate[i] ) { LogMessage("Port[%d] %.2f%% of Total, Src: %6.2f%% Dst: %6.2f%%\n", @@ -632,17 +644,17 @@ if(sfFlowStats->portflowHighTCP > .1) { - LogMessage("Ports[High<->High]: %.2f%%\n", + LogMessage("Ports[High<->High]: %.2f%%\n", sfFlowStats->portflowHighTCP); } LogMessage("\n"); LogMessage("\n"); LogMessage("UDP Port Flows\n"); - LogMessage( "--------------\n"); + LogMessage( "--------------\n"); for(i=0;i<SF_MAX_PORT;i++) { - if(sfFlowStats->portflowUDP.totperc[i] && + if(sfFlowStats->portflowUDP.totperc[i] && sfFlowStats->portflowUDP.dport_rate[i] ) { LogMessage("Port[%d] %.2f%% of Total, Src: %6.2f%% Dst: %6.2f%%\n", 
@@ -654,7 +666,7 @@ if(sfFlowStats->portflowHighUDP > .1) { - LogMessage("Ports[High<->High]: %.2f%%\n", + LogMessage("Ports[High<->High]: %.2f%%\n", sfFlowStats->portflowHighUDP); } diff -Nru snort-2.9.0.1/src/preprocessors/perf-flow.h snort-2.9.2/src/preprocessors/perf-flow.h --- snort-2.9.0.1/src/preprocessors/perf-flow.h 2010-01-26 10:10:11.000000000 -0800 +++ snort-2.9.2/src/preprocessors/perf-flow.h 2011-10-26 11:28:52.000000000 -0700 @@ -2,7 +2,7 @@ /* ** perf-flow.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** @@ -72,7 +72,7 @@ uint64_t byteTotal; uint64_t *pktLenPercent; - + uint64_t *portTcpSrc; uint64_t *portTcpDst; uint64_t *portUdpSrc; @@ -93,8 +93,8 @@ typedef struct _sfflow_stats { - double pktLenPercent[SF_MAX_PKT_LEN]; - + double pktLenPercent[SF_MAX_PKT_LEN + 2]; + double trafficTCP; double trafficUDP; double trafficICMP; @@ -116,7 +116,7 @@ */ int InitFlowStats (SFFLOW *sfFlow); int InitFlowIPStats (SFFLOW *sfFlow); -int UpdateFlowStats (SFFLOW *sfFlow, const unsigned char *pucBuffer, int len, +int UpdateFlowStats (SFFLOW *sfFlow, const unsigned char *pucBuffer, uint32_t len, int iRebuiltPkt); int ProcessFlowStats(SFFLOW *sfFlow); int ProcessFlowIPStats(SFFLOW *sfFlow, FILE *fh); diff -Nru snort-2.9.0.1/src/preprocessors/perf.h snort-2.9.2/src/preprocessors/perf.h --- snort-2.9.0.1/src/preprocessors/perf.h 2010-06-09 15:05:21.000000000 -0700 +++ snort-2.9.2/src/preprocessors/perf.h 2011-11-21 12:15:24.000000000 -0800 @@ -3,7 +3,7 @@ ** ** perf.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -23,7 +23,7 @@ ** ** ** DESCRIPTION -** These are the basic functions and structures that are needed to call +** These are the basic functions and structures that are needed to call ** performance functions. ** ** Dan Roelker @@ -64,7 +64,8 @@ #include "perf-base.h" #include "perf-flow.h" #include "perf-event.h" -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" #include "decode.h" #define LINUX_FILE_LIMIT 0x80000000 /* 2 GB */ @@ -112,17 +113,17 @@ int CheckSampleInterval(Packet *, SFPERF *); int ResetPerfStats(SFPERF *); -static INLINE void SetRotatePerfFileFlag(void) +static inline void SetRotatePerfFileFlag(void) { perfmon_rotate_perf_file = 1; } -static INLINE int IsSetRotatePerfFileFlag(void) +static inline int IsSetRotatePerfFileFlag(void) { return perfmon_rotate_perf_file; } -static INLINE void ClearRotatePerfFileFlag(void) +static inline void ClearRotatePerfFileFlag(void) { perfmon_rotate_perf_file = 0; } diff -Nru snort-2.9.0.1/src/preprocessors/portscan.c snort-2.9.2/src/preprocessors/portscan.c --- snort-2.9.0.1/src/preprocessors/portscan.c 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/preprocessors/portscan.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* ** @file portscan.c ** 
@@ -50,7 +50,7 @@ ** and take the form of either an invalid response (TCP RSTs, ICMP ** unreachables) or no response (in which case the host is firewalled or ** filtered). We detect portscans from these negative queries. -** +** ** The primary goal of this portscan detection engine is to catch nmap and ** variant scanners. The engine tracks connection attempts on TCP, UDP, ** ICMP, and IP Protocols. If there is a valid response, the connection @@ -95,7 +95,7 @@ ** Each of these scans can also be detected as a filtered portscan, or a ** portscan where there wasn't invalid responses and the responses have ** been firewalled in some way. -** +** */ #include <stdlib.h> #include <string.h> @@ -107,6 +107,10 @@ # include <arpa/inet.h> #endif /* !WIN32 */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "decode.h" #include "portscan.h" #include "packet_time.h" @@ -253,13 +257,13 @@ /* ** Initialize the portscan infrastructure. We check to make sure that ** we have enough memory to support at least 100 nodes. -** +** ** @return int -** +** ** @retval -2 memcap is too low */ int ps_init(PortscanConfig *config, int detect_scans, int detect_scan_type, - int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, int memcap) + int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, unsigned long memcap) { if (getParserPolicy() != getDefaultPolicy()) { @@ -269,7 +273,7 @@ if (!(detect_scans & PS_PROTO_ALL)) return -1; - if(!(detect_scan_type & PS_TYPE_ALL)) + if(!(detect_scan_type & PS_TYPE_ALL)) return -1; if(sense_level < 1 || sense_level > 3) 
@@ -312,9 +316,19 @@ } } -void ps_init_hash(int memcap) +void ps_init_hash(unsigned long memcap) { - portscan_hash = sfxhash_new(50000, sizeof(PS_HASH_KEY), sizeof(PS_TRACKER), + int rows = 0; + int factor = 0; +#if SIZEOF_LONG_INT == 8 + factor = 125; +#else + factor = 250; +#endif + + rows = memcap/factor; + + portscan_hash = sfxhash_new(rows, sizeof(PS_HASH_KEY), sizeof(PS_TRACKER), memcap, 1, ps_tracker_free, NULL, 1); if (portscan_hash == NULL) @@ -401,7 +415,7 @@ { if(!(portscan_eval_config->detect_scans & PS_PROTO_TCP)) return 1; - + /* ** This is where we check all of snort's flags for different ** TCP session scenarios. The checks cover: @@ -413,9 +427,9 @@ */ /* ** Ignore packets that are already part of an established TCP - ** stream. + ** stream. */ - if(((p->packet_flags & (PKT_STREAM_EST | PKT_STREAM_TWH)) + if(((p->packet_flags & (PKT_STREAM_EST | PKT_STREAM_TWH)) == PKT_STREAM_EST) && !(p->tcph->th_flags & TH_RST)) { return 1; @@ -478,7 +492,7 @@ scanner = ntohl(p->iph->ip_src.s_addr); scanned = ntohl(p->iph->ip_dst.s_addr); #endif - + if(reverse_pkt) { if(ps_ignore_ip(scanned, p->dp, scanner, p->sp)) @@ -489,12 +503,12 @@ if(ps_ignore_ip(scanner, p->sp, scanned, p->dp)) return 1; } - + ps_pkt->reverse_pkt = reverse_pkt; if(portscan_eval_config->watch_ip) { -#ifdef SUP_IP6 +#ifdef SUP_IP6 if(ipset_contains(portscan_eval_config->watch_ip, scanner, &(p->sp))) return 0; if(ipset_contains(portscan_eval_config->watch_ip, scanned, &(p->dp))) @@ -580,11 +594,11 @@ ** Let's lookup the host that is being scanned, taking into account ** the pkt may be reversed. */ - if (portscan_eval_config->detect_scan_type & + if (portscan_eval_config->detect_scan_type & (PS_TYPE_PORTSCAN | PS_TYPE_DECOYSCAN | PS_TYPE_DISTPORTSCAN)) { IP_CLEAR(key.scanner); - + if(ps_pkt->reverse_pkt) IP_COPY_VALUE(key.scanned, GET_SRC_IP(p)); else 
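Review bot: `rows` is an `int` assigned from the `unsigned long` expression `memcap/factor`, so a large memcap on a 64-bit build is silently narrowed (sfxhash_new()'s row parameter type is not visible here to confirm what it expects); an explicit clamp such as `rows = (memcap/factor > INT_MAX) ? INT_MAX : (int)(memcap/factor);` would make the conversion deliberate. The `#if SIZEOF_LONG_INT == 8` selection quietly falls into the 32-bit branch when `SIZEOF_LONG_INT` is not defined at all, which depends on the `config.h` include added earlier in this file, and the 125/250 divisors are unexplained; a comment stating what per-row byte estimate they encode, e.g. `/* approximate bytes consumed per hash row; used to size the table from memcap */`, would help the next reader and could be paired with a `#error` if the macro is missing.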
@@ -603,7 +617,7 @@ if(portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) { IP_CLEAR(key.scanned); - + if(ps_pkt->reverse_pkt) IP_COPY_VALUE(key.scanner, GET_DST_IP(p)); else @@ -625,7 +639,7 @@ */ /** ** This logic finds the index to the proto array based on the -** portscan configuration. We need special logic because the +** portscan configuration. We need special logic because the ** index of the protocol changes based on the configuration. */ static int ps_get_proto(PS_PKT *ps_pkt, int *proto) @@ -654,7 +668,7 @@ if ((p->udph != NULL) || ((p->icmph != NULL) && (p->icmph->type == ICMP_DEST_UNREACH) && (p->icmph->code == ICMP_PORT_UNREACH) && (p->orig_udph != NULL))) - { + { *proto = PS_PROTO_UDP; return 0; } @@ -673,7 +687,7 @@ if (portscan_eval_config->detect_scans & PS_PROTO_ICMP) { - if (p->icmph != NULL) + if (p->icmph != NULL) { *proto = PS_PROTO_ICMP; return 0; @@ -814,7 +828,7 @@ IP_COPY_VALUE(proto->low_ip, ip); } #else - if(IS_SET(proto->low_ip)) + if(IP_IS_SET(proto->low_ip)) { if(IP_GREATER(proto->low_ip, ip)) IP_COPY_VALUE(proto->low_ip, ip); @@ -825,7 +839,7 @@ IP_COPY_VALUE(proto->low_ip, ip); } - if(IS_SET(proto->high_ip)) + if(IP_IS_SET(proto->high_ip)) { #ifdef SUP_IP6 if(IP_LESSER(&proto->high_ip, ip)) @@ -844,7 +858,7 @@ proto->u_port_count++; proto->u_ports = port; } - + if(proto->low_p) { if(proto->low_p > port) @@ -871,13 +885,13 @@ static int ps_update_open_ports(PS_PROTO *proto, unsigned short port) { int iCtr; - + for(iCtr = 0; iCtr < proto->open_ports_cnt; iCtr++) { if(port == proto->open_ports[iCtr]) return 0; } - + if(iCtr < (PS_OPEN_PORTS - 1)) { proto->open_ports[iCtr] = port; @@ -891,7 +905,7 @@ return 0; } - + /* ** NAME ** ps_tracker_update_tcp:: @@ -901,7 +915,7 @@ ** of TCP packet we have. ** ** We are concerned with three types of TCP packets: -** +** ** - initiating TCP packets (we don't care about flags) ** - TCP 3-way handshake packets (we decrement the counter) ** - TCP reset packets on unestablished streams. 
@@ -914,7 +928,7 @@ uint32_t session_flags; snort_ip cleared; IP_CLEAR(cleared); - + p = (Packet *)ps_pkt->pkt; pkt_time = packet_timeofday(); @@ -939,7 +953,7 @@ { session_flags = stream_api->get_session_flags(p->ssnptr); - if((session_flags & SSNFLAG_SEEN_CLIENT) && + if((session_flags & SSNFLAG_SEEN_CLIENT) && !(session_flags & SSNFLAG_SEEN_SERVER) && (portscan_eval_config->include_midstream || !(session_flags & SSNFLAG_MIDSTREAM))) { @@ -1004,7 +1018,7 @@ { ps_update_open_ports(&scanned->proto, p->sp); } - + if(scanner) { if(scanner->proto.alerts == PS_ALERT_GENERATED) @@ -1095,7 +1109,7 @@ time_t pkt_time; snort_ip cleared; IP_CLEAR(cleared); - + p = (Packet *)ps_pkt->pkt; pkt_time = packet_timeofday(); @@ -1133,12 +1147,12 @@ time_t pkt_time; snort_ip cleared; IP_CLEAR(cleared); - + p = (Packet *)ps_pkt->pkt; pkt_time = packet_timeofday(); if(p->icmph) - { + { if(p->icmph->type == ICMP_DEST_UNREACH && p->icmph->code == ICMP_PORT_UNREACH) { @@ -1222,7 +1236,7 @@ time_t pkt_time; snort_ip cleared; IP_CLEAR(cleared); - + p = (Packet *)ps_pkt->pkt; pkt_time = packet_timeofday(); @@ -1240,7 +1254,7 @@ ps_proto_update(&scanner->proto,1,0, GET_DST_IP(p), 0, pkt_time); } - + break; case ICMP_DEST_UNREACH: @@ -1286,7 +1300,7 @@ if(scanned && scanned->proto.alerts) scanned->proto.alerts = PS_ALERT_GENERATED; - + switch (ps_pkt->proto) { case PS_PROTO_TCP: @@ -1440,7 +1454,7 @@ } } } - + return 0; } @@ -1449,7 +1463,7 @@ { if(!conf) return -1; - + if(scanner && !scanner->alerts) { if(scanner->priority_count >= conf->priority_count) @@ -1474,7 +1488,7 @@ } } } - + return 0; } @@ -1533,8 +1547,8 @@ { return 0; } - - if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && + + if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && ps_alert_one_to_many(scanner, scanned, one_to_many)) { return 0; @@ -1545,7 +1559,7 @@ { return 0; } - + return 0; } 
@@ -1604,8 +1618,8 @@ { return 0; } - - if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && + + if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && ps_alert_one_to_many(scanner, scanned, one_to_many)) { return 0; @@ -1616,7 +1630,7 @@ { return 0; } - + return 0; } @@ -1675,8 +1689,8 @@ { return 0; } - - if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && + + if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && ps_alert_one_to_many(scanner, scanned, one_to_many)) { return 0; @@ -1687,7 +1701,7 @@ { return 0; } - + return 0; } @@ -1703,7 +1717,7 @@ { case PS_SENSE_HIGH: one_to_many = &g_icmp_hi_sweep; - + break; case PS_SENSE_MEDIUM: @@ -1723,12 +1737,12 @@ /* ** Do detection on the different portscan types. */ - if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && + if((portscan_eval_config->detect_scan_type & PS_TYPE_PORTSWEEP) && ps_alert_one_to_many(scanner, scanned, one_to_many)) { return 0; } - + return 0; } /* @@ -1854,7 +1868,7 @@ //printf("** alert\n"); ps_pkt->scanner = scanner; ps_pkt->scanned = scanned; - + return 1; } @@ -1874,12 +1888,12 @@ printf(" priority count = %d\n", proto->priority_count); printf(" connection count = %d\n", proto->connection_count); printf(" unique IP count = %d\n", proto->u_ip_count); - + ip.s_addr = proto->low_ip; printf(" IP range = %s:", inet_ntoa(ip)); ip.s_addr = proto->high_ip; printf("%s\n", inet_ntoa(ip)); - + printf(" unique port count = %d\n", proto->u_port_count); printf(" port range = %d:%d\n", proto->low_p, proto->high_p); diff -Nru snort-2.9.0.1/src/preprocessors/portscan.h snort-2.9.2/src/preprocessors/portscan.h --- snort-2.9.0.1/src/preprocessors/portscan.h 2010-01-26 10:10:12.000000000 -0800 +++ snort-2.9.2/src/preprocessors/portscan.h 2011-10-26 11:28:52.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef __PORTSCAN_H__ #define __PORTSCAN_H__ @@ -41,7 +41,7 @@ typedef struct _PortscanConfig { int disabled; - int memcap; + unsigned long memcap; int detect_scans; int detect_scan_type; int sense_level; @@ -80,7 +80,7 @@ time_t window; -} PS_PROTO; +} PS_PROTO; typedef struct s_PS_TRACKER { @@ -131,15 +131,15 @@ #define PS_ALERT_GENERATED 255 -int ps_init(PortscanConfig *, int, int, int, IPSET *, IPSET *, IPSET *, int); +int ps_init(PortscanConfig *, int, int, int, IPSET *, IPSET *, IPSET *, unsigned long); void ps_cleanup(void); void ps_reset(void); - + int ps_detect(PS_PKT *p); void ps_tracker_print(PS_TRACKER *tracker); int ps_get_protocols(tSfPolicyId policyId); -void ps_init_hash(int); +void ps_init_hash(unsigned long); #endif diff -Nru snort-2.9.0.1/src/preprocessors/sfprocpidstats.c snort-2.9.2/src/preprocessors/sfprocpidstats.c --- snort-2.9.0.1/src/preprocessors/sfprocpidstats.c 2010-04-06 07:05:48.000000000 -0700 +++ snort-2.9.2/src/preprocessors/sfprocpidstats.c 2011-06-07 17:33:16.000000000 -0700 @@ -3,7 +3,7 @@ ** ** sfprocpidstats.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -26,6 +26,10 @@ ** This file gets the correct CPU usage for SMP linux machines. ** */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfprocpidstats.h" #ifdef LINUX_SMP 
@@ -128,7 +132,7 @@ } acCpuName[sizeof(acCpuName)-1] = 0x00; - + if(strncmp(acCpuName, "cpu", 3)) { break; @@ -253,7 +257,7 @@ if(gpStatCPUs_2[iCtr].user > gpStatCPUs[iCtr].user) { - sfProcPidStats->SysCPUs[iCtr].user = (((double)(gpStatCPUs_2[iCtr].user - + sfProcPidStats->SysCPUs[iCtr].user = (((double)(gpStatCPUs_2[iCtr].user - gpStatCPUs[iCtr].user)) / ulCPUjiffies) * 100.0; if(sfProcPidStats->SysCPUs[iCtr].user < .01) @@ -268,7 +272,7 @@ if(gpStatCPUs_2[iCtr].sys > gpStatCPUs[iCtr].sys) { - sfProcPidStats->SysCPUs[iCtr].sys = (((double)(gpStatCPUs_2[iCtr].sys - + sfProcPidStats->SysCPUs[iCtr].sys = (((double)(gpStatCPUs_2[iCtr].sys - gpStatCPUs[iCtr].sys)) / ulCPUjiffies) * 100.0; if(sfProcPidStats->SysCPUs[iCtr].sys < .01) @@ -283,7 +287,7 @@ if(gpStatCPUs_2[iCtr].idle > gpStatCPUs[iCtr].idle) { - sfProcPidStats->SysCPUs[iCtr].idle = (((double)(gpStatCPUs_2[iCtr].idle - + sfProcPidStats->SysCPUs[iCtr].idle = (((double)(gpStatCPUs_2[iCtr].idle - gpStatCPUs[iCtr].idle)) / ulCPUjiffies) * 100.0; if(sfProcPidStats->SysCPUs[iCtr].idle < .01) diff -Nru snort-2.9.0.1/src/preprocessors/sfprocpidstats.h snort-2.9.2/src/preprocessors/sfprocpidstats.h --- snort-2.9.0.1/src/preprocessors/sfprocpidstats.h 2010-04-06 07:05:48.000000000 -0700 +++ snort-2.9.2/src/preprocessors/sfprocpidstats.h 2011-02-09 15:23:28.000000000 -0800 @@ -3,7 +3,7 @@ ** ** sfprocpidstats.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/snort_httpinspect.c snort-2.9.2/src/preprocessors/snort_httpinspect.c --- snort-2.9.0.1/src/preprocessors/snort_httpinspect.c 2010-10-25 12:49:08.000000000 -0700 +++ snort-2.9.2/src/preprocessors/snort_httpinspect.c 2011-11-21 12:15:24.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file snort_httpinspect.c ** @@ -30,7 +30,7 @@ ** ** The file takes a Packet structure from the Snort IDS to start the ** HttpInspect flow. This also uses the Stream Interface Module which -** is also Snort-centric. Mainly, just a wrapper to HttpInspect +** is also Snort-centric. Mainly, just a wrapper to HttpInspect ** functionality, but a key part to starting the basic flow. ** ** The main bulk of this file is taken up with user configuration and @@ -38,7 +38,7 @@ ** very detailed configuration parameters for each specified server. ** Hopefully every web server that is out there can be emulated ** with these configuration options. -** +** ** The main functions of note are: ** - HttpInspectSnortConf::this is the configuration portion ** - SnortHttpInspect::this is the actual inspection flow @@ -59,13 +59,17 @@ #include <arpa/inet.h> #endif +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "detect.h" #include "decode.h" #include "log.h" #include "event.h" #include "generators.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "util.h" #include "event_queue.h" @@ -82,6 +86,8 @@ #include "detection_util.h" #include "profiler.h" #include "hi_cmd_lookup.h" +#include "Unified2_common.h" +#include "mempool.h" #ifdef PERF_PROFILING extern PreprocStats hiDetectPerfStats; extern int hiDetectCalled; 
@@ -90,13 +96,36 @@ extern char *snort_conf_dir; #ifdef ZLIB -#include "mempool.h" extern MemPool *hi_gzip_mempool; #endif /* Stats tracking for HTTP Inspect */ HIStats hi_stats; +DataBuffer HttpDecodeBuf; + +const HiSearchToken hi_patterns[] = +{ + {"<SCRIPT", 7, HI_JAVASCRIPT}, + {NULL, 0, 0} +}; + +const HiSearchToken html_patterns[] = +{ + {"JAVASCRIPT", 10, HTML_JS}, + {"ECMASCRIPT", 10, HTML_EMA}, + {"VBSCRIPT", 8, HTML_VB}, + {NULL, 0, 0} +}; + +void *hi_javascript_search_mpse = NULL; +void *hi_htmltype_search_mpse = NULL; +HISearch hi_js_search[HI_LAST]; +HISearch hi_html_search[HTML_LAST]; +HISearch *hi_current_search = NULL; +HISearchInfo hi_search_info; + + #define MAX_FILENAME 1000 /* @@ -138,12 +167,15 @@ #define POST_DEPTH "post_depth" #define IIS_UNICODE_MAP "iis_unicode_map" #define CHUNK_LENGTH "chunk_length" +#define SMALL_CHUNK_LENGTH "small_chunk_length" #define MAX_HDR_LENGTH "max_header_length" #define PIPELINE "no_pipeline_req" #define ASCII "ascii" #define DOUBLE_DECODE "double_decode" #define U_ENCODE "u_encode" #define BARE_BYTE "bare_byte" +/* Base 36 is deprecated and essentially a noop + * Leave this here so as to print out a warning when the option is used */ #define BASE36 "base36" #define UTF_8 "utf_8" #define IIS_UNICODE "iis_unicode" @@ -165,6 +197,8 @@ #define NORMALIZE_HEADERS "normalize_headers" #define NORMALIZE_COOKIES "normalize_cookies" #define NORMALIZE_UTF "normalize_utf" +#define NORMALIZE_JS "normalize_javascript" +#define MAX_JS_WS "max_javascript_whitespaces" #define MAX_HEADERS "max_headers" #define INSPECT_COOKIES "enable_cookie" #define EXTRACT_GZIP "inspect_gzip" 
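Review bot: The pattern lengths in `hi_patterns` and `html_patterns` (7, 10, 10, 8) are hand-counted and match the literals today, but they go stale silently the moment a pattern is edited; writing them as `{"<SCRIPT", sizeof("<SCRIPT") - 1, HI_JAVASCRIPT}` keeps the length tied to the literal. The new file-scope objects `hi_js_search`, `hi_html_search`, `hi_current_search` and `hi_search_info` are mutable globals with external linkage and no comment on who initialises or owns them; if they are shared across translation units a one-line ownership comment on each would help, otherwise `static` is the safer default.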
@@ -177,9 +211,13 @@ #define OPT_DISABLED "disabled" #define ENABLE_XFF "enable_xff" #define HTTP_METHODS "http_methods" +#define LOG_URI "log_uri" +#define LOG_HOSTNAME "log_hostname" +#define HTTP_MEMCAP "memcap" +#define MAX_SPACES "max_spaces" #define MAX_CLIENT_DEPTH 1460 -#define MAX_SERVER_DEPTH 2920 +#define MAX_SERVER_DEPTH 65535 /* ** Alert subkeywords @@ -213,6 +251,12 @@ */ #define SERVER_DEFAULT "default" +typedef enum { + CONFIG_MAX_SPACES = 0, + CONFIG_MAX_JS_WS +} SpaceType; + + /* ** NAME ** ProcessGlobalAlert:: @@ -228,7 +272,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the lenght of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -245,7 +289,7 @@ } */ -/* +/* ** NAME ** ProcessMaxPipeline:: */ @@ -261,7 +305,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the lenght of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -300,7 +344,7 @@ return -1; } - if(GlobalConf->max_pipeline_requests < 0 || + if(GlobalConf->max_pipeline_requests < 0 || GlobalConf->max_pipeline_requests > HI_UI_CONFIG_MAX_PIPE) { SnortSnprintf(ErrorString, ErrStrLen, @@ -313,7 +357,7 @@ return 0; } -/* +/* ** NAME ** ProcessInspectType:: */ @@ -327,7 +371,7 @@ ** ** @param ErrStrLen the lenght of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -378,7 +422,7 @@ return 0; } -static int ProcessIISUnicodeMap(int **iis_unicode_map, +static int ProcessIISUnicodeMap(int **iis_unicode_map, char **iis_unicode_map_filename, int *iis_unicode_map_codepage, char *ErrorString, int ErrStrLen) 
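Review bot: `MAX_SERVER_DEPTH` goes from 2920 to 65535 with no comment on what the bound limits or why the old value was dropped, which makes the change hard to review and easy to regress. A one-line comment on the define naming the config option it caps and the unit would be enough. The new `SpaceType` enum would likewise benefit from a comment stating which ServerConf field each enumerator selects, since that mapping only exists inside ProcessMaxSpaces further down.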
@@ -413,7 +457,7 @@ */ if (snort_conf_dir[strlen(snort_conf_dir) - 1] == '/') { - iRet = SnortSnprintf(filename, sizeof(filename), + iRet = SnortSnprintf(filename, sizeof(filename), "%s%s", snort_conf_dir, pcToken); } else @@ -435,7 +479,7 @@ if (snort_conf_dir[strlen(snort_conf_dir) - 1] == '\\' || snort_conf_dir[strlen(snort_conf_dir) - 1] == '/' ) { - iRet = SnortSnprintf(filename, sizeof(filename), + iRet = SnortSnprintf(filename, sizeof(filename), "%s%s", snort_conf_dir, pcToken); } else @@ -548,7 +592,7 @@ { SnortSnprintf(ErrorString, ErrStrLen, "Invalid argument to token '%s'.", OVERSIZE_DIR); - + return -1; } @@ -557,13 +601,52 @@ return 0; } +static int ProcessHttpMemcap(HTTPINSPECT_GLOBAL_CONF *GlobalConf, + char *ErrorString, int ErrStrLen) +{ + char *pcToken, *pcEnd; + int memcap; + + pcToken = strtok(NULL, CONF_SEPARATORS); + if(pcToken == NULL) + { + SnortSnprintf(ErrorString, ErrStrLen, + "No argument to '%s' token.", HTTP_MEMCAP); + return -1; + } + + memcap = SnortStrtolRange(pcToken, &pcEnd, 10, 0 , INT_MAX); + if(*pcEnd) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to '%s'.", HTTP_MEMCAP); + + return -1; + } + + if(memcap < MIN_HTTP_MEMCAP || memcap > MAX_HTTP_MEMCAP) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to '%s'. Must be between %d and " + "%d.", HTTP_MEMCAP, MIN_HTTP_MEMCAP, MAX_HTTP_MEMCAP); + + return -1; + } + + GlobalConf->memcap = memcap; + + return 0; + +} + + #ifdef ZLIB static int ProcessMaxGzipMem(HTTPINSPECT_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) { char *pcToken, *pcEnd; int max_gzip_mem; - + pcToken = strtok(NULL, CONF_SEPARATORS); if(pcToken == NULL) { @@ -572,7 +655,7 @@ return -1; } - max_gzip_mem = strtol(pcToken, &pcEnd, 0); + max_gzip_mem = SnortStrtol(pcToken, &pcEnd, 10); if(*pcEnd) { SnortSnprintf(ErrorString, ErrStrLen, 
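Review bot: ProcessHttpMemcap (hunk `@@ -557,13 +601,52 @@`) validates the parsed value with `if(*pcEnd)` only, whereas the sibling ProcessSmallChunkLength added in this same commit also tests `pcEnd == pcToken` and `errno == ERANGE`; if SnortStrtolRange reports an overflowing or out-of-range input through errno rather than by clamping, such a value passes the `*pcEnd` test here and is caught only if it happens to fall outside MIN_HTTP_MEMCAP..MAX_HTTP_MEMCAP. Using the same guard as the sibling, `errno = 0;` before the call and `if ((pcEnd == pcToken) || *pcEnd || (errno == ERANGE))` after it, keeps the two parsers consistent. Since the accepted window is already MIN_HTTP_MEMCAP..MAX_HTTP_MEMCAP, passing those as the range bounds instead of 0 and INT_MAX would let one check do both jobs.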
@@ -612,7 +695,7 @@ return -1; } - compress_depth = strtol(pcToken, &pcEnd, 10); + compress_depth = SnortStrtol(pcToken, &pcEnd, 10); if(*pcEnd) { SnortSnprintf(ErrorString, ErrStrLen, @@ -651,7 +734,7 @@ return -1; } - decompress_depth = strtol(pcToken, &pcEnd, 10); + decompress_depth = SnortStrtol(pcToken, &pcEnd, 10); if(*pcEnd) { SnortSnprintf(ErrorString, ErrStrLen, @@ -701,7 +784,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the lenght of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -781,16 +864,22 @@ if(iRet) return iRet; } +#endif else if (!strcmp(OPT_DISABLED, pcToken)) { GlobalConf->disabled = 1; return 0; } -#endif + else if (!strcmp(HTTP_MEMCAP, pcToken)) + { + iRet = ProcessHttpMemcap(GlobalConf, ErrorString, ErrStrLen); + if(iRet) + return iRet; + } else { SnortSnprintf(ErrorString, ErrStrLen, - "Invalid keyword '%s' for '%s' configuration.", + "Invalid keyword '%s' for '%s' configuration.", pcToken, GLOBAL); return -1; @@ -834,7 +923,7 @@ ** ** Called exclusively by ProcessProfile. */ -static INLINE int _ProcessProfileErr(int iRet, char* ErrorString, +static inline int _ProcessProfileErr(int iRet, char* ErrorString, int ErrStrLen, char *token) { if(iRet == HI_MEM_ALLOC_FAIL) @@ -868,7 +957,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs 
@@ -958,14 +1047,14 @@ /** ** Process the port list for the server configuration. ** -** This configuration is a list of valid ports and is ended by a +** This configuration is a list of valid ports and is ended by a ** delimiter. ** ** @param ServerConf pointer to the server configuration ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -997,7 +1086,7 @@ return -1; } - + memset(ServerConf->ports, 0, MAXPORTS_STORAGE); while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) @@ -1061,7 +1150,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -1084,7 +1173,7 @@ return -1; } - iFlowDepth = strtol(pcToken, &pcEnd, 10); + iFlowDepth = SnortStrtol(pcToken, &pcEnd, 10); if(*pcEnd) { SnortSnprintf(ErrorString, ErrStrLen, @@ -1125,7 +1214,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -1148,7 +1237,7 @@ return -1; } - post_depth = strtol(pcToken, &pcEnd, 10); + post_depth = SnortStrtol(pcToken, &pcEnd, 10); if(*pcEnd) { SnortSnprintf(ErrorString, ErrStrLen, 
@@ -1179,12 +1268,12 @@ */ /** ** Process and verify the chunk length for the server configuration. -** +** ** @param ServerConf pointer to the server configuration ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs 
@@ -1223,17 +1312,129 @@ /* ** NAME +** ProcessSmallChunkLength:: +*/ +/** +** Process and verify the small chunk length for the server configuration. +** +** @param ServerConf pointer to the server configuration +** @param ErrorString error string buffer +** @param ErrStrLen the length of the error string buffer +** +** @return an error code integer +** (0 = success, >0 = non-fatal error, <0 = fatal error) +** +** @retval 0 successs +** @retval -1 generic fatal error +** @retval 1 generic non-fatal error +*/ +static int ProcessSmallChunkLength(HTTPINSPECT_CONF *ServerConf, + char *ErrorString, int ErrStrLen) +{ + char *pcToken; + char *pcEnd; + int num_toks = 0; + bool got_param_end = 0; + + pcToken = strtok(NULL, CONF_SEPARATORS); + if (!pcToken) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid cmd list format."); + + return -1; + } + + if (strcmp(START_PORT_LIST, pcToken)) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Must start small chunk length parameters with the '%s' token.", + START_PORT_LIST); + + return -1; + } + + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) + { + if (!strcmp(END_PORT_LIST, pcToken)) + { + got_param_end = 1; + break; + } + + num_toks++; + if (num_toks > 2) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Too many arguments to '%s'.", SMALL_CHUNK_LENGTH); + + return -1; + } + + if (num_toks == 1) + { + uint32_t chunk_length = (uint32_t)SnortStrtoulRange(pcToken, &pcEnd, 10, 0, UINT8_MAX); + if ((pcEnd == pcToken) || *pcEnd || (errno == ERANGE)) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to chunk length param of '%s'. 
" + "Must be between 0 and %u.\n", + SMALL_CHUNK_LENGTH, UINT8_MAX); + + return -1; + } + + ServerConf->small_chunk_length.size = (uint8_t)chunk_length; + } + else + { + uint32_t num_chunks_threshold = (uint32_t)SnortStrtoulRange(pcToken, &pcEnd, 10, 0, UINT8_MAX); + if ((pcEnd == pcToken) || *pcEnd || (errno == ERANGE)) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to number of consecutive chunks " + "threshold of '%s'. Must be between 0 and %u.\n", + SMALL_CHUNK_LENGTH, UINT8_MAX); + + return -1; + } + + ServerConf->small_chunk_length.num = (uint8_t)num_chunks_threshold; + } + } + + if (num_toks != 2) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Not enough arguments to '%s'.", SMALL_CHUNK_LENGTH); + + return -1; + } + + if (!got_param_end) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Must end '%s' configuration with '%s'.", SMALL_CHUNK_LENGTH, END_PORT_LIST); + + return -1; + } + + return 0; +} + +/* +** NAME ** ProcessMaxHeaders:: */ /** -** Process and verify the maximum allowed number of headers for the +** Process and verify the maximum allowed number of headers for the ** server configuration. -** +** ** @param ServerConf pointer to the server configuration ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -1291,14 +1492,14 @@ ** ProcessMaxHdrLen:: */ /** -** Process and verify the maximum allowed header length for the +** Process and verify the maximum allowed header length for the ** server configuration. -** +** ** @param ServerConf pointer to the server configuration ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs 
@@ -1367,7 +1568,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -1427,7 +1628,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -1459,7 +1660,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1515,7 +1716,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs @@ -1547,7 +1748,7 @@ return -1; } - + while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL) { if(!strcmp(END_PORT_LIST, pcToken)) @@ -1628,10 +1829,11 @@ cmd = pcToken; + /* Max method length cannot exceed 256, as this is the size of the key array used in KMapAdd function */ if(strlen(pcToken) > MAX_METHOD_LEN) { snprintf(ErrorString, ErrStrLen, - "Length of the http request method shoould not exceed the max request method length of '%d'.", + "Length of the http request method should not exceed the max request method length of '%d'.", MAX_METHOD_LEN); return -1; } 
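Review bot: The new comment says the method length cannot exceed 256 because that is the size of the key array in KMapAdd, but the check `if(strlen(pcToken) > MAX_METHOD_LEN)` accepts a method of exactly MAX_METHOD_LEN characters; if MAX_METHOD_LEN is 256 and KMapAdd stores the key with its terminator, a 256-byte method overruns that array by one (neither the constant's value nor KMapAdd is visible here, so please verify). If the bound is exclusive, `>=` is the right comparison; either way the comment should state whether the limit includes the NUL.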
@@ -1668,6 +1870,81 @@ return 0; } +/* +** NAME +** ProcessMaxSpaces:: +*/ +/** +** Process and verify the maximum allowed spaces for the +** server configuration. +** +** @param ServerConf pointer to the server configuration +** @param ErrorString error string buffer +** @param ErrStrLen the length of the error string buffer +** +** @return an error code integer +** (0 = success, >0 = non-fatal error, <0 = fatal error) +** +** @retval 0 successs +** @retval -1 generic fatal error +** @retval 1 generic non-fatal error +*/ +static int ProcessMaxSpaces(HTTPINSPECT_CONF *ServerConf, + char *ErrorString, int ErrStrLen, char *configOption, SpaceType type) +{ + char *pcToken; + int num_spaces; + char *pcEnd; + + pcToken = strtok(NULL, CONF_SEPARATORS); + if(pcToken == NULL) + { + SnortSnprintf(ErrorString, ErrStrLen, + "No argument to '%s' token.", configOption); + + return -1; + } + + num_spaces = SnortStrtolRange(pcToken, &pcEnd, 10, 0 , INT_MAX); + if(*pcEnd) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to '%s'.", configOption); + + return -1; + } + + if(num_spaces < 0) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to '%s'. Valid range is 0 to 65535.", configOption); + + return -1; + } + + if(num_spaces > 65535) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Invalid argument to '%s'. Valid range is 0 to 65535.", configOption); + + return -1; + } + + switch(type) + { + case CONFIG_MAX_SPACES: + ServerConf->max_spaces = num_spaces; + break; + case CONFIG_MAX_JS_WS: + ServerConf->max_js_ws = num_spaces; + break; + default: + break; + } + + return 0; +} + /* ** NAME @@ -1684,7 +1961,7 @@ ** @param ErrorString error string buffer ** @param ErrStrLen the length of the error string buffer ** -** @return an error code integer +** @return an error code integer ** (0 = success, >0 = non-fatal error, <0 = fatal error) ** ** @retval 0 successs 
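Review bot: ProcessMaxSpaces asks SnortStrtolRange for 0..INT_MAX and then re-checks `num_spaces < 0` and `num_spaces > 65535` with the bound and the message duplicated; passing the real limit, `num_spaces = SnortStrtolRange(pcToken, &pcEnd, 10, 0, 65535);`, and keeping a single range check against a named constant removes the duplication (the `< 0` branch looks unreachable if the range call already rejects negatives, which is not visible here). The header comment should also state what 0 means, since it is accepted for both `max_spaces` and `max_js_ws`. The `default: break;` silently ignores an unknown SpaceType; with two enumerators that is harmless, but a short comment saying so would save the next reader a look.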
@@ -1708,7 +1985,7 @@ if(pcToken == NULL) { SnortSnprintf(ErrorString, ErrStrLen, - "No tokens to '%s' configuration.", GLOBAL); + "WARNING: No tokens to '%s' configuration.", SERVER); return 1; } @@ -1786,13 +2063,13 @@ ServerConf->no_alerts = 1; } else if(!strcmp(OVERSIZE_DIR, pcToken)) - { + { iRet = ProcessOversizeDir(ServerConf, ErrorString, ErrStrLen); if (iRet) { return iRet; } - + } else if(!strcmp(INSPECT_URI_ONLY, pcToken)) { @@ -1810,6 +2087,31 @@ { ServerConf->normalize_utf = 1; } + else if (!strcmp(NORMALIZE_JS, pcToken)) + { + if(!ServerConf->inspect_response) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Enable '%s' before setting '%s'",INSPECT_RESPONSE, NORMALIZE_JS); + return -1; + } + ServerConf->normalize_javascript = 1; + } + else if(!strcmp(MAX_JS_WS, pcToken)) + { + if(!ServerConf->normalize_javascript) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Enable '%s' before setting '%s'", NORMALIZE_JS, MAX_JS_WS); + return -1; + } + iRet = ProcessMaxSpaces(ServerConf, ErrorString, ErrStrLen, MAX_JS_WS, CONFIG_MAX_JS_WS); + if (iRet) + { + return iRet; + } + } + else if (!strcmp(INSPECT_COOKIES, pcToken)) { ServerConf->enable_cookie = 1; @@ -1847,6 +2149,14 @@ return -1; } + if((GlobalConf->compr_depth != MAX_GZIP_DEPTH) && (GlobalConf->decompr_depth != MAX_GZIP_DEPTH)) + { + SnortSnprintf(ErrorString, ErrStrLen, + "'%s' and '%s' should be set to max in the default policy to enable '%s'", + COMPRESS_DEPTH, DECOMPRESS_DEPTH, UNLIMIT_DECOMPRESS); + return -1; + } + GlobalConf->compr_depth = GlobalConf->decompr_depth = MAX_GZIP_DEPTH; ServerConf->unlimited_decompress = 1; } 
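Review bot: The new guard `if((GlobalConf->compr_depth != MAX_GZIP_DEPTH) && (GlobalConf->decompr_depth != MAX_GZIP_DEPTH))` in the `@@ -1847,6 +2149,14 @@` hunk only fires when both depths are below the maximum, yet its message says both should be set to max, and the following line forces both to MAX_GZIP_DEPTH anyway; with exactly one depth non-max the check passes and that depth is silently raised. Either `||` to match the message, or drop the forced assignment so the condition and the effect agree. The identical condition is repeated in the non-profile branch (`@@ -2044,6 +2414,13 @@` further down) and should change the same way.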
@@ -1867,10 +2177,34 @@ return iRet; } } + else if(!strcmp(MAX_SPACES, pcToken)) + { + iRet = ProcessMaxSpaces(ServerConf, ErrorString, ErrStrLen, MAX_SPACES, CONFIG_MAX_SPACES); + if (iRet) + { + return iRet; + } + } else if(!strcmp(ENABLE_XFF, pcToken)) { ServerConf->enable_xff = 1; } + else if(!strcmp(LOG_URI, pcToken)) + { + ServerConf->log_uri = 1; + } + else if(!strcmp(LOG_HOSTNAME, pcToken)) + { + ServerConf->log_hostname = 1; + } + else if(!strcmp(SMALL_CHUNK_LENGTH, pcToken)) + { + iRet = ProcessSmallChunkLength(ServerConf,ErrorString,ErrStrLen); + if (iRet) + { + return iRet; + } + } else { SnortSnprintf(ErrorString, ErrStrLen, @@ -1878,12 +2212,13 @@ "The only allowed tokens when configuring profiles " "are: '%s', '%s', '%s', '%s', '%s', '%s', '%s', " "'%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'," - "'%s', '%s', '%s', and '%s'. ", + "'%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', and '%s'. ", PORTS,IIS_UNICODE_MAP, ALLOW_PROXY, FLOW_DEPTH, - CLIENT_FLOW_DEPTH, GLOBAL_ALERT, OVERSIZE_DIR, MAX_HDR_LENGTH, + CLIENT_FLOW_DEPTH, GLOBAL_ALERT, OVERSIZE_DIR, MAX_HDR_LENGTH, INSPECT_URI_ONLY, INSPECT_COOKIES, INSPECT_RESPONSE, - EXTRACT_GZIP,MAX_HEADERS, NORMALIZE_COOKIES, ENABLE_XFF, - NORMALIZE_HEADERS, NORMALIZE_UTF, UNLIMIT_DECOMPRESS, HTTP_METHODS); + EXTRACT_GZIP,MAX_HEADERS, NORMALIZE_COOKIES, ENABLE_XFF, + NORMALIZE_HEADERS, NORMALIZE_UTF, UNLIMIT_DECOMPRESS, HTTP_METHODS, + LOG_URI, LOG_HOSTNAME, MAX_SPACES, NORMALIZE_JS, MAX_JS_WS); return -1; } @@ -1905,6 +2240,9 @@ ** If there is no profile configuration then we go into the hard-core ** configuration. */ + + hi_ui_config_reset_http_methods(ServerConf); + do { if(!strcmp(PORTS, pcToken)) @@ -1958,6 +2296,14 @@ return iRet; } } + else if(!strcmp(SMALL_CHUNK_LENGTH, pcToken)) + { + iRet = ProcessSmallChunkLength(ServerConf,ErrorString,ErrStrLen); + if (iRet) + { + return iRet; + } + } else if(!strcmp(PIPELINE, pcToken)) { ServerConf->no_pipeline = 1; 
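Review bot: The handling of NORMALIZE_JS, MAX_JS_WS, MAX_SPACES, LOG_URI, LOG_HOSTNAME and SMALL_CHUNK_LENGTH is now written out twice with identical bodies and error strings, once in the profile branch (this hunk and the one before it) and once in the non-profile `do` loop (hunks further down); a small static helper taking ServerConf, pcToken, ErrorString and ErrStrLen and returning the existing iRet convention would keep the two lists from drifting, as the valid-token list in the error message already has to be maintained by hand. `hi_ui_config_reset_http_methods(ServerConf)` is called only ahead of the non-profile loop; if profiles are meant to keep their method table, a one-line comment saying so would make the asymmetry look intentional rather than missed.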
@@ -1994,6 +2340,30 @@ { ServerConf->normalize_utf = 1; } + else if (!strcmp(NORMALIZE_JS, pcToken)) + { + if(!ServerConf->inspect_response) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Enable '%s' before setting '%s'", INSPECT_RESPONSE, NORMALIZE_JS); + return -1; + } + ServerConf->normalize_javascript = 1; + } + else if(!strcmp(MAX_JS_WS, pcToken)) + { + if(!ServerConf->normalize_javascript) + { + SnortSnprintf(ErrorString, ErrStrLen, + "Enable '%s' before setting '%s'", NORMALIZE_JS, MAX_JS_WS); + return -1; + } + iRet = ProcessMaxSpaces(ServerConf, ErrorString, ErrStrLen, MAX_JS_WS, CONFIG_MAX_JS_WS); + if (iRet) + { + return iRet; + } + } else if(!strcmp(OVERSIZE_DIR, pcToken)) { iRet = ProcessOversizeDir(ServerConf, ErrorString, ErrStrLen); @@ -2001,7 +2371,7 @@ { return iRet; } - + } else if(!strcmp(INSPECT_URI_ONLY, pcToken)) { @@ -2044,6 +2414,13 @@ "Enable '%s' inspection before setting '%s'",EXTRACT_GZIP, UNLIMIT_DECOMPRESS); return -1; } + if((GlobalConf->compr_depth != MAX_GZIP_DEPTH) && (GlobalConf->decompr_depth != MAX_GZIP_DEPTH)) + { + SnortSnprintf(ErrorString, ErrStrLen, + "'%s' and '%s' should be set to max in the default policy to enable '%s'", + COMPRESS_DEPTH, DECOMPRESS_DEPTH, UNLIMIT_DECOMPRESS); + return -1; + } GlobalConf->compr_depth = GlobalConf->decompr_depth = MAX_GZIP_DEPTH; ServerConf->unlimited_decompress = 1; @@ -2089,6 +2466,8 @@ ** - U_ENCODE ** - BARE_BYTE ** - IIS_UNICODE + ** + ** Base 36 is deprecated and essentially a noop ** - BASE36 */ ServerConf->ascii.on = 1; @@ -2114,12 +2493,6 @@ else if(!strcmp(U_ENCODE, pcToken)) { /* - ** With %U encoding, we don't want base36 on. - */ - ServerConf->base36.on = 0; - ServerConf->base36.alert = 0; - - /* ** We set the unicode map to default if it's not already ** set. */ 
@@ -2146,21 +2519,15 @@ } else if(!strcmp(BASE36, pcToken)) { - ServerConf->ascii.on = 1; - - /* - ** With Base36 encoding, we don't want to have %U encoding - ** turned on. - */ - ServerConf->u_encoding.on = 0; - ServerConf->u_encoding.alert = 0; - - ConfOpt = &ServerConf->base36; - iRet = ProcessConfOpt(ConfOpt, BASE36, ErrorString, ErrStrLen); - if (iRet) - { - return iRet; - } + /* Base 36 is deprecated and essentially a noop */ + ErrorMessage("WARNING: %s (%d): The \"base36\" option to the " + "\"http_inspect\" preprocessor configuration is " + "deprecated and void of functionality.\n", + file_name, file_line); + + /* Need to get and chuck yes/no argument to option since + * we're not doing anything with this anymore. */ + pcToken = strtok(NULL, CONF_SEPARATORS); } else if(!strcmp(NON_RFC_CHAR, pcToken)) { @@ -2248,10 +2615,26 @@ return iRet; } } + else if(!strcmp(MAX_SPACES, pcToken)) + { + iRet = ProcessMaxSpaces(ServerConf, ErrorString, ErrStrLen, MAX_SPACES, CONFIG_MAX_SPACES); + if (iRet) + { + return iRet; + } + } else if(!strcmp(ENABLE_XFF, pcToken)) { ServerConf->enable_xff = 1; } + else if(!strcmp(LOG_URI, pcToken)) + { + ServerConf->log_uri = 1; + } + else if(!strcmp(LOG_HOSTNAME, pcToken)) + { + ServerConf->log_hostname = 1; + } else { SnortSnprintf(ErrorString, ErrStrLen, @@ -2262,7 +2645,7 @@ } } while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL); - + return 0; } @@ -2291,6 +2674,7 @@ char buf[STD_BUF+1]; int iCtr; int iChar = 0; + char* paf = ""; PROFILES prof; if(!ServerConf) @@ -2304,10 +2688,14 @@ prof==HI_APACHE?"Apache": prof==HI_IIS?"IIS": prof==HI_IIS4?"IIS4":"IIS5"); - - + + memset(buf, 0, STD_BUF+1); - SnortSnprintf(buf, STD_BUF + 1, " Ports: "); +#ifdef ENABLE_PAF + if ( ScPafEnabled() && stream_api ) + paf = " (PAF)"; +#endif + SnortSnprintf(buf, STD_BUF + 1, " Ports%s: ", paf); /* ** Print out all the applicable ports. 
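Review bot: The deprecated `base36` branch in the `@@ -2146` hunk consumes the next token with `pcToken = strtok(NULL, CONF_SEPARATORS);` unconditionally, so a config line that writes `base36` without its yes/no argument has the following keyword silently swallowed and never applied, with only the deprecation warning to hint at it. The replaced ProcessConfOpt call presumably validated that argument; keeping a minimal check preserves that, e.g. `if (pcToken == NULL || (strcmp(pcToken, "yes") && strcmp(pcToken, "no")))` followed by a SnortSnprintf into ErrorString and `return -1;`. The do/while loop that owns pcToken starts and ends outside this hunk.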
@@ -2325,15 +2713,19 @@ LogMessage(" Server Flow Depth: %d\n", ServerConf->server_flow_depth); LogMessage(" Client Flow Depth: %d\n", ServerConf->client_flow_depth); LogMessage(" Max Chunk Length: %d\n", ServerConf->chunk_length); + if (ServerConf->small_chunk_length.size > 0) + LogMessage(" Small Chunk Length Evasion: chunk size <= %u, threshold >= %u times\n", + ServerConf->small_chunk_length.size, ServerConf->small_chunk_length.num); LogMessage(" Max Header Field Length: %d\n", ServerConf->max_hdr_len); LogMessage(" Max Number Header Fields: %d\n", ServerConf->max_headers); + LogMessage(" Max Number of WhiteSpaces allowed with header folding: %d\n", ServerConf->max_spaces); LogMessage(" Inspect Pipeline Requests: %s\n", ServerConf->no_pipeline ? "NO" : "YES"); LogMessage(" URI Discovery Strict Mode: %s\n", ServerConf->non_strict ? "NO" : "YES"); LogMessage(" Allow Proxy Usage: %s\n", ServerConf->allow_proxy ? "YES" : "NO"); - LogMessage(" Disable Alerting: %s\n", + LogMessage(" Disable Alerting: %s\n", ServerConf->no_alerts ? "YES":"NO"); LogMessage(" Oversize Dir Length: %d\n", ServerConf->long_dir); @@ -2342,7 +2734,7 @@ LogMessage(" Normalize HTTP Headers: %s\n", ServerConf->normalize_headers ? "YES" : "NO"); LogMessage(" Inspect HTTP Cookies: %s\n", - ServerConf->enable_cookie ? "YES" : "NO"); + ServerConf->enable_cookie ? "YES" : "NO"); LogMessage(" Inspect HTTP Responses: %s\n", ServerConf->inspect_response ? "YES" : "NO"); #ifdef ZLIB 
@@ -2351,19 +2743,29 @@ LogMessage(" Unlimited decompression of gzip data from responses: %s\n", ServerConf->unlimited_decompress ? "YES" : "NO"); #endif + LogMessage(" Normalize Javascripts in HTTP Responses: %s\n", + ServerConf->normalize_javascript ? "YES" : "NO"); + if(ServerConf->normalize_javascript) + { + if(ServerConf->max_js_ws) + LogMessage(" Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: %d\n", ServerConf->max_js_ws); + } LogMessage(" Normalize HTTP Cookies: %s\n", ServerConf->normalize_cookies ? "YES" : "NO"); LogMessage(" Enable XFF and True Client IP: %s\n", ServerConf->enable_xff ? "YES" : "NO"); + LogMessage(" Log HTTP URI data: %s\n", + ServerConf->log_uri ? "YES" : "NO"); + LogMessage(" Log HTTP Hostname data: %s\n", + ServerConf->log_hostname ? "YES" : "NO"); LogMessage(" Extended ASCII code support in URI: %s\n", ServerConf->extended_ascii_uri ? "YES" : "NO"); - + PrintConfOpt(&ServerConf->ascii, "Ascii"); PrintConfOpt(&ServerConf->double_decoding, "Double Decoding"); PrintConfOpt(&ServerConf->u_encoding, "%U Encoding"); PrintConfOpt(&ServerConf->bare_byte, "Bare Byte"); - PrintConfOpt(&ServerConf->base36, "Base36"); PrintConfOpt(&ServerConf->utf_8, "UTF 8"); PrintConfOpt(&ServerConf->iis_unicode, "IIS Unicode"); PrintConfOpt(&ServerConf->multiple_slash, "Multiple Slash"); @@ -2382,7 +2784,7 @@ } else if(ServerConf->iis_unicode_map) { - LogMessage(" IIS Unicode Map: " + LogMessage(" IIS Unicode Map: " "GLOBAL IIS UNICODE MAP CONFIG\n"); } else @@ -2520,7 +2922,7 @@ /*list begin didn't match so this must be an IP address*/ pIpAddressList = pcToken; } - + pIpAddressList2 = strdup(pIpAddressList); if (!pIpAddressList2) 
@@ -2533,10 +2935,10 @@ - for (pcToken = strtok_r(pIpAddressList, CONF_SEPARATORS, &brkt); - pcToken; - pcToken = strtok_r(NULL, CONF_SEPARATORS, &brkt)) - { + for (pcToken = strtok_r(pIpAddressList, CONF_SEPARATORS, &brkt); + pcToken; + pcToken = strtok_r(NULL, CONF_SEPARATORS, &brkt)) + { if (sfip_pton(pcToken, &Ip) != SFIP_SUCCESS) { @@ -2563,7 +2965,7 @@ /* ** allocate the memory for the server configuration */ - if (firstIpAddress) + if (firstIpAddress) { ServerConf = (HTTPINSPECT_CONF *)calloc(1, sizeof(HTTPINSPECT_CONF)); if(!ServerConf) @@ -2604,26 +3006,26 @@ } } - if (firstIpAddress) + if (firstIpAddress) { //process the first IP address as usual firstIpAddress = 0; } - + //create a reference ServerConf->referenceCount++; } - + if (firstIpAddress) { //no IP address was found SnortSnprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", SERVER); - + goto _return; } - + /* ** Print out the configuration header */ @@ -2650,16 +3052,18 @@ LogMessage("HttpInspect Config:\n"); LogMessage(" GLOBAL CONFIG\n"); -#ifdef ZLIB if(GlobalConf->disabled) { LogMessage(" Http Inspect: INACTIVE\n"); +#ifdef ZLIB LogMessage(" Max Gzip Memory: %d\n", GlobalConf->max_gzip_mem); +#endif + LogMessage(" Memcap used for logging URI and Hostname: %u\n", + GlobalConf->memcap); return 0; } -#endif - LogMessage(" Max Pipeline Requests: %d\n", + LogMessage(" Max Pipeline Requests: %d\n", GlobalConf->max_pipeline_requests); LogMessage(" Inspection Type: %s\n", GlobalConf->inspection_type ? "STATEFUL" : "STATELESS"); @@ -2669,6 +3073,8 @@ GlobalConf->iis_unicode_map_filename); LogMessage(" IIS Unicode Map Codepage: %d\n", GlobalConf->iis_unicode_codepage); + LogMessage(" Memcap used for logging URI and Hostname: %u\n", + GlobalConf->memcap); #ifdef ZLIB LogMessage(" Max Gzip Memory: %d\n", GlobalConf->max_gzip_mem); 
@@ -2689,37 +3095,37 @@ */ /** ** This is the routine that logs HttpInspect alerts through Snort. -** +** ** Every Session gets looked at for any logged events, and if there are ** events to be logged then we select the one with the highest priority. -** +** ** We use a generic event structure that we set for each different event ** structure. This way we can use the same code for event logging regardless ** of what type of event strucure we are dealing with. -** +** ** The important things to know about this function is how to work with ** the event queue. The number of unique events is contained in the ** stack_count variable. So we loop through all the unique events and ** find which one has the highest priority. During this loop, we also ** re-initialize the individual event counts for the next iteration, saving ** us time in a separate initialization phase. -** +** ** After we've iterated through all the events and found the one with the ** highest priority, we then log that event through snort. -** +** ** We've mapped the HttpInspect and the Snort alert IDs together, so we ** can access them directly instead of having a more complex mapping ** function. It's the only good way to do this. -** +** ** @param Session pointer to Session construct ** @param p pointer to the Snort packet construct ** @param iInspectMode inspection mode to take event queue from -** +** ** @return integer -** +** ** @retval 0 this function only return success */ -static INLINE int LogEvents(HI_SESSION *hi_ssn, Packet *p, +static inline int LogEvents(HI_SESSION *hi_ssn, Packet *p, int iInspectMode, HttpSessionData *hsd) { HI_GEN_EVENTS GenEvents; @@ -2748,7 +3154,7 @@ GenEvents.stack_count = &(hi_ssn->server.event_list.stack_count); GenEvents.events = hi_ssn->server.event_list.events; - iGenerator = GENERATOR_SPP_HTTP_INSPECT_SERVER; + iGenerator = GENERATOR_SPP_HTTP_INSPECT; } else { 
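Review bot: The `@@ -2748` hunk (and the matching one at `@@ -2756` on the next line) switches the generator for server and anomalous-server events from GENERATOR_SPP_HTTP_INSPECT_SERVER to GENERATOR_SPP_HTTP_INSPECT; if those two macros carry different numeric GIDs, every existing `suppress`, `event_filter` or rule reference keyed on the old server GID silently stops matching. Their values are not on this page, so I cannot tell whether this is a no-op alias change or a real renumbering. A one-line comment at the assignment, `/* server-side events now share the client GID; old GENERATOR_SPP_HTTP_INSPECT_SERVER filters must be migrated */`, plus a release-note entry would make the operational impact visible. LogEvents begins in the `@@ -2689` hunk and ends outside it.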
@@ -2756,7 +3162,7 @@ GenEvents.stack_count = &(hi_ssn->anom_server.event_list.stack_count); GenEvents.events = hi_ssn->anom_server.event_list.events; - iGenerator = GENERATOR_SPP_HTTP_INSPECT_SERVER; + iGenerator = GENERATOR_SPP_HTTP_INSPECT; } /* @@ -2840,7 +3246,7 @@ return 0; } -static INLINE int SetSiInput(HI_SI_INPUT *SiInput, Packet *p) +static inline int SetSiInput(HI_SI_INPUT *SiInput, Packet *p) { IP_COPY_VALUE(SiInput->sip, GET_SRC_IP(p)); IP_COPY_VALUE(SiInput->dip, GET_DST_IP(p)); @@ -2872,7 +3278,7 @@ } -static INLINE void InitUriBufs( void ) +static inline void InitUriBufs( void ) { int i; /*UriBufs[HTTP_BUFFER_URI].decode_flags = 0;*/ 
@@ -2885,19 +3291,52 @@ } +static inline void ApplyFlowDepth (Packet* p, int flow_depth) +{ + switch (flow_depth) + { + case -1: + // Inspect none of the client if there is normalized/extracted + // URI/Method/Header/Body data */ + SetDetectLimit(p, 0); + break; + + case 0: + // Inspect all of the client, even if there is normalized/extracted + // URI/Method/Header/Body data */ + /* XXX: HUGE performance hit here */ + SetDetectLimit(p, p->dsize); + break; + + default: + // Limit inspection of the client, even if there is normalized/extracted + // URI/Method/Header/Body data */ + /* XXX: Potential performance hit here */ + if (flow_depth < p->dsize) + { + SetDetectLimit(p, flow_depth); + } + else + { + SetDetectLimit(p, p->dsize); + } + break; + } +} + /* ** NAME ** SnortHttpInspect:: */ /** -** This function calls the HttpInspect function that processes an HTTP +** This function calls the HttpInspect function that processes an HTTP ** session. ** -** We need to instantiate a pointer for the HI_SESSION that HttpInspect -** fills in. Right now stateless processing fills in this session, which -** we then normalize, and eventually detect. We'll have to handle +** We need to instantiate a pointer for the HI_SESSION that HttpInspect +** fills in. Right now stateless processing fills in this session, which +** we then normalize, and eventually detect. We'll have to handle ** separately the normalization events, etc. -** +** ** This function is where we can see from the highest level what the ** HttpInspect flow looks like. ** @@ -2927,7 +3366,7 @@ HttpSessionData *hsd = NULL; PROFILE_VARS; - + hi_stats.total++; /* @@ -2963,8 +3402,8 @@ ** HTTP Event Output Module:: ** The Event Ouput Module handles any events that have been logged ** in the inspection, normalization, or detection phases. - */ - + */ + /* ** Session Inspection Module:: */ 
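Review bot: The comments inside the new ApplyFlowDepth in the `@@ -2885` hunk mix styles in a way that looks like an incomplete conversion: each case has a `//` line that ends in a stray `*/` (`// URI/Method/Header/Body data */`) followed by a `/* XXX: ... */` block comment. The trailing `*/` is harmless inside a line comment but reads as a leftover from the `/* ... */` form these lines were copied from in the removed code further down. I would drop the stray terminators (`// URI/Method/Header/Body data`) and use one style per case. A short header comment, `/* Clamp the detection window to flow_depth: -1 disables, 0 means the whole payload, otherwise min(flow_depth, dsize). */`, would also save readers from re-deriving the switch.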
@@ -2987,7 +3426,7 @@ ** We log events before doing detection because every non-HTTP ** packet is possible an anomalous server. So we still want to ** go through the regular detection engine, and just log any - ** alerts here before returning. + ** alerts here before returning. ** ** Return normally if this isn't either HTTP client or server ** traffic. @@ -2999,12 +3438,48 @@ return 0; } +#ifdef ENABLE_PAF + if ( ScPafEnabled() && + (p->packet_flags & PKT_STREAM_INSERT) && + !PacketHasFullPDU(p) ) + { + int flow_depth; + + if ( iInspectMode == HI_SI_CLIENT_MODE ) + flow_depth = Session->server_conf->client_flow_depth; + else + flow_depth = Session->server_conf->server_flow_depth; + + p->packet_flags |= PKT_HTTP_DECODE; + ApplyFlowDepth(p, flow_depth); + + if ( p->alt_dsize == 0 ) + { + DisableDetect(p); + SetAllPreprocBits(p); + return 0; + } + // see comments on call to Detect() below + PREPROC_PROFILE_START(hiDetectPerfStats); + p->http_pipeline_count++; /* Increment the count */ + Detect(p); +#ifdef PERF_PROFILING + hiDetectCalled = 1; +#endif + PREPROC_PROFILE_END(hiDetectPerfStats); + return 0; + } +#endif + hsd = GetHttpSessionData(p); if (hsd == NULL) hsd = SetNewHttpSessionData(p, (void *)Session); - - if(hsd && hsd->true_ip) - p->data_flags |= DATA_FLAGS_TRUE_IP; + else + { + /* Gzip data should not be logged with all the packets of the session.*/ + hsd->log_flags &= ~HTTP_LOG_GZIP_DATA; + hsd->log_flags &= ~HTTP_LOG_JSNORM_DATA; + } /* ** HTTP Inspection Module:: 
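Review bot: The ENABLE_PAF early path in the `@@ -2999` hunk calls Detect() and returns before `hsd` is looked up and, as far as the visible hunks show, before the HttpLogFuncs call that the `@@ -3072` hunk on the next line adds, so events raised from this Detect() appear not to get the XFF/URI/hostname extra-data log functions attached. If that is intended because the session data is not yet available on stream-inserted packets, a comment at the `return 0;` saying so would stop the next reader from treating it as a gap; if not, the log-function setup needs to happen on this path too. I am inferring this from hunk order only, since SnortHttpInspect starts and ends outside these hunks.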
@@ -3025,39 +3500,10 @@ ** requests. We don't want to bail before we get to setting the ** URI, so we make sure here that this can't happen. */ + SetHttpDecode(0); p->uri_count = 0; InitUriBufs(); - if(iInspectMode == HI_SI_SERVER_MODE) - { - /* Don't do server inspection */ - if (Session->server_conf->server_flow_depth == -1) - { - DisableDetect(p); - - SetPreprocBit(p, PP_SFPORTSCAN); - SetPreprocBit(p, PP_PERFMONITOR); - SetPreprocBit(p, PP_STREAM5); - SetPreprocBit(p, PP_DCE2); - SetPreprocBit(p, PP_SDF); - - return 0; - } - } - else if(iInspectMode == HI_SI_CLIENT_MODE) - { - if (Session->server_conf->client_flow_depth == -1) - { - DisableDetect(p); - - SetPreprocBit(p, PP_SFPORTSCAN); - SetPreprocBit(p, PP_PERFMONITOR); - SetPreprocBit(p, PP_STREAM5); - SetPreprocBit(p, PP_DCE2); - SetPreprocBit(p, PP_SDF); - } - } - iRet = hi_mi_mode_inspection(Session, iInspectMode, p, hsd); if (iRet) { @@ -3072,6 +3518,8 @@ return iRet; } + HttpLogFuncs(GlobalConf, hsd, p, iCallDetect); + /* ** Let's setup the pointers for the detection engine, and ** then go for it. @@ -3089,6 +3537,7 @@ UriBufs[HTTP_BUFFER_RAW_URI].length = Session->client.request.uri_size; p->packet_flags |= PKT_HTTP_DECODE; p->uri_count = HTTP_BUFFER_RAW_URI + 1; + } else if(Session->client.request.uri) { 
@@ -3131,16 +3580,16 @@ p->uri_count = HTTP_BUFFER_RAW_HEADER + 1; } - if(Session->client.request.method & (HI_POST_METHOD | HI_GET_METHOD)) - { + if(Session->client.request.method & (HI_POST_METHOD | HI_GET_METHOD)) + { if(Session->client.request.post_raw) { - UriBufs[HTTP_BUFFER_CLIENT_BODY].uri = + UriBufs[HTTP_BUFFER_CLIENT_BODY].uri = Session->client.request.post_raw; - UriBufs[HTTP_BUFFER_CLIENT_BODY].length = + UriBufs[HTTP_BUFFER_CLIENT_BODY].length = Session->client.request.post_raw_size; UriBufs[HTTP_BUFFER_CLIENT_BODY].encode_type = - Session->client.request.post_encode_type; + Session->client.request.post_encode_type; p->packet_flags |= PKT_HTTP_DECODE; p->uri_count = HTTP_BUFFER_CLIENT_BODY + 1; @@ -3166,18 +3615,18 @@ UriBufs[HTTP_BUFFER_COOKIE].length = Session->client.request.cookie_norm_size; UriBufs[HTTP_BUFFER_COOKIE].encode_type = Session->client.request.cookie_encode_type; UriBufs[HTTP_BUFFER_RAW_COOKIE].uri = Session->client.request.cookie.cookie; - UriBufs[HTTP_BUFFER_RAW_COOKIE].length = + UriBufs[HTTP_BUFFER_RAW_COOKIE].length = Session->client.request.cookie.cookie_end - Session->client.request.cookie.cookie; p->packet_flags |= PKT_HTTP_DECODE; } else { UriBufs[HTTP_BUFFER_COOKIE].uri = Session->client.request.cookie.cookie; - UriBufs[HTTP_BUFFER_COOKIE].length = + UriBufs[HTTP_BUFFER_COOKIE].length = Session->client.request.cookie.cookie_end - Session->client.request.cookie.cookie; UriBufs[HTTP_BUFFER_COOKIE].encode_type = Session->client.request.cookie_encode_type; UriBufs[HTTP_BUFFER_RAW_COOKIE].uri = Session->client.request.cookie.cookie; - UriBufs[HTTP_BUFFER_RAW_COOKIE].length = + UriBufs[HTTP_BUFFER_RAW_COOKIE].length = Session->client.request.cookie.cookie_end - Session->client.request.cookie.cookie; p->packet_flags |= PKT_HTTP_DECODE; } 
@@ -3186,7 +3635,7 @@ #endif p->uri_count = HTTP_BUFFER_RAW_COOKIE + 1; } - else if(!Session->server_conf->enable_cookie) + else if(!Session->server_conf->enable_cookie && UriBufs[HTTP_BUFFER_HEADER].uri) { UriBufs[HTTP_BUFFER_COOKIE].uri = UriBufs[HTTP_BUFFER_HEADER].uri; UriBufs[HTTP_BUFFER_COOKIE].length = UriBufs[HTTP_BUFFER_HEADER].length; @@ -3198,28 +3647,15 @@ p->uri_count = HTTP_BUFFER_RAW_COOKIE + 1; } - if(p->packet_flags & PKT_HTTP_DECODE) + if(IsLimitedDetect(p)) { + ApplyFlowDepth(p, Session->server_conf->client_flow_depth); - switch (Session->server_conf->client_flow_depth) + if( (p->uri_count == 0) && (p->alt_dsize == 0) ) { - case -1: - /* Inspect none of the client if there is normalized/extracted URI/Method/Header/Body data */ - p->alt_dsize = 0; - break; - case 0: - /* Inspect all of the client, even if there is normalized/extracted URI/Method/Header/Body data */ - /* XXX: HUGE performance hit here */ - p->alt_dsize = p->dsize; - break; - default: - /* Limit inspection of the client, even if there is normalized/extracted URI/Method/Header/Body data */ - /* XXX: Potential performance hit here */ - if (Session->server_conf->client_flow_depth < p->dsize) - p->alt_dsize = Session->server_conf->client_flow_depth; - else - p->alt_dsize = p->dsize; - break; + DisableDetect(p); + SetAllPreprocBits(p); + return 0; } } 
@@ -3231,20 +3667,20 @@ ** header or not. If the header size is 0 then, we know that this ** is not the header and don't do any detection. */ - if(!(Session->server_conf->inspect_response) && - (p->packet_flags & PKT_HTTP_DECODE) && Session->server.response.header_raw_size == 0) + if(!(Session->server_conf->inspect_response) && + IsLimitedDetect(p) && !p->alt_dsize) { + DisableDetect(p); - - SetPreprocBit(p, PP_SFPORTSCAN); - SetPreprocBit(p, PP_PERFMONITOR); - SetPreprocBit(p, PP_STREAM5); - SetPreprocBit(p, PP_SDF); + SetAllPreprocBits(p); + if(Session->server_conf->server_flow_depth == -1) + { + SetPreprocBit(p, PP_DCE2); + } return 0; } - - p->uri_count = 0; + p->uri_count = 0; if (Session->server.response.header_norm || Session->server.response.header_raw) { @@ -3281,18 +3717,18 @@ UriBufs[HTTP_BUFFER_COOKIE].length = Session->server.response.cookie_norm_size; UriBufs[HTTP_BUFFER_COOKIE].encode_type = Session->server.response.cookie_encode_type; UriBufs[HTTP_BUFFER_RAW_COOKIE].uri = Session->server.response.cookie.cookie; - UriBufs[HTTP_BUFFER_RAW_COOKIE].length = + UriBufs[HTTP_BUFFER_RAW_COOKIE].length = Session->server.response.cookie.cookie_end-Session->server.response.cookie.cookie; UriBufs[HTTP_BUFFER_RAW_COOKIE].encode_type = 0; } else { UriBufs[HTTP_BUFFER_COOKIE].uri = Session->server.response.cookie.cookie; - UriBufs[HTTP_BUFFER_COOKIE].length = + UriBufs[HTTP_BUFFER_COOKIE].length = Session->server.response.cookie.cookie_end - Session->server.response.cookie.cookie; UriBufs[HTTP_BUFFER_COOKIE].encode_type = 0; UriBufs[HTTP_BUFFER_RAW_COOKIE].uri = Session->server.response.cookie.cookie; - UriBufs[HTTP_BUFFER_RAW_COOKIE].length = + UriBufs[HTTP_BUFFER_RAW_COOKIE].length = Session->server.response.cookie.cookie_end-Session->server.response.cookie.cookie; UriBufs[HTTP_BUFFER_RAW_COOKIE].encode_type = 0; 
@@ -3302,7 +3738,7 @@ hi_stats.resp_cookie_len += UriBufs[HTTP_BUFFER_COOKIE].length; #endif } - else if(!Session->server_conf->enable_cookie) + else if(!Session->server_conf->enable_cookie && UriBufs[HTTP_BUFFER_HEADER].uri) { UriBufs[HTTP_BUFFER_COOKIE].uri = UriBufs[HTTP_BUFFER_HEADER].uri; UriBufs[HTTP_BUFFER_COOKIE].length = UriBufs[HTTP_BUFFER_HEADER].length; @@ -3316,7 +3752,7 @@ { UriBufs[HTTP_BUFFER_STAT_CODE].uri = Session->server.response.status_code; UriBufs[HTTP_BUFFER_STAT_CODE].length = Session->server.response.status_code_size; - UriBufs[HTTP_BUFFER_STAT_CODE].encode_type = 0; + UriBufs[HTTP_BUFFER_STAT_CODE].encode_type = 0; p->uri_count = HTTP_BUFFER_STAT_CODE + 1; } @@ -3330,44 +3766,21 @@ if(Session->server.response.body_size > 0) { - if (p->packet_flags & PKT_ALT_DECODE) - { - setFileDataPtr((u_char *)DecodeBuffer.data, 0); - } - else if (p->packet_flags & PKT_HTTP_RESP_BODY) - { - setFileDataPtr(Session->server.response.body, 0); - } + setFileDataPtr((uint8_t *)Session->server.response.body, (uint16_t)Session->server.response.body_size); } - if(p->packet_flags & PKT_HTTP_DECODE) + + if( IsLimitedDetect(p) && + (p->uri_count == 0) && (p->alt_dsize == 0) ) { - switch (Session->server_conf->server_flow_depth) + DisableDetect(p); + + SetAllPreprocBits(p); + if(Session->server_conf->server_flow_depth == -1) { - case -1: - if(p->packet_flags & PKT_ALT_DECODE) - DecodeBuffer.len = 0; - else - p->alt_dsize = 0; - break; - case 0: - if(!(p->packet_flags & PKT_ALT_DECODE)) - p->alt_dsize = p->dsize; - break; - default: - if(p->packet_flags & PKT_ALT_DECODE) - { - if (Session->server_conf->server_flow_depth < DecodeBuffer.len) - DecodeBuffer.len = Session->server_conf->server_flow_depth; - } - else - { - if (Session->server_conf->server_flow_depth < p->dsize) - p->alt_dsize = Session->server_conf->server_flow_depth; - else - p->alt_dsize = p->dsize; - } - break; + SetPreprocBit(p, PP_DCE2); } + return 0; + } } 
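Review bot: The new setFileDataPtr call in the `@@ -3330` hunk narrows `body_size` with `(uint16_t)`, which silently wraps the length if the response body can ever exceed 65535 bytes; the type of body_size is not visible here, so I cannot rule that out. MAX_GZIP_DEPTH being 65535 suggests decompressed bodies are bounded, but that bound does not obviously cover the non-gzip case. I would either clamp explicitly before the cast or record the invariant next to it: `/* body_size is bounded by the flow/decompress depth (<= 65535), so the narrowing cast cannot wrap */`. The enclosing function continues outside the hunk.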
@@ -3394,10 +3807,10 @@ ** Handle event stuff after we do detection. ** ** Here's the reason why: - ** - since snort can only handle one logged event per packet, + ** - since snort can only handle one logged event per packet, ** we only log HttpInspect events if there wasn't one in the ** detection engine. I say that events generated in the - ** "advanced generic content matching" engine is more + ** "advanced generic content matching" engine is more ** important than generic events that I can log here. */ LogEvents(Session, p, iInspectMode, hsd); @@ -3453,14 +3866,6 @@ return -1; } - iRet = hi_norm_init(config); - if (iRet) - { - snprintf(ErrorString, iErrStrLen, - "Error initializing normalization module."); - return -1; - } - return 0; } @@ -3473,6 +3878,8 @@ hsd = (HttpSessionData *)SnortAlloc(sizeof(HttpSessionData)); + init_decode_utf_state(&hsd->utf_state); + stream_api->set_application_data(p->ssnptr, PP_HTTPINSPECT, hsd, FreeHttpSessionData); return hsd; 
@@ -3494,9 +3901,203 @@ } #endif + if (hsd->log_state != NULL) + { + mempool_free(http_mempool, hsd->log_state->log_bucket); + free(hsd->log_state); + } + if(hsd->true_ip) sfip_free(hsd->true_ip); free(hsd); } +int GetHttpTrueIP(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + sfip_t *true_ip = NULL; + + true_ip = GetTrueIPForSession(data); + if(!true_ip) + return 0; + +#ifdef SUP_IP6 + if(true_ip->family == AF_INET6) + { + *type = EVENT_INFO_XFF_IPV6; + *len = sizeof(struct in6_addr); /*ipv6 address size in bytes*/ + + } + else +#endif + { + *type = EVENT_INFO_XFF_IPV4; + *len = sizeof(struct in_addr); /*ipv4 address size in bytes*/ + } + + *buf = true_ip->ip8; + return 1; +} + +int IsGzipData(void *data) +{ + HttpSessionData *hsd = NULL; + + if (data == NULL) + return -1; + hsd = (HttpSessionData *)stream_api->get_application_data(data, PP_HTTPINSPECT); + + if(hsd == NULL) + return -1; + + if((hsd->log_flags & HTTP_LOG_GZIP_DATA) && (file_data_ptr.len > 0 )) + return 0; + else + return -1; +} + + +int GetHttpGzipData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + if(!IsGzipData(data)) + { + *buf = file_data_ptr.data; + *len = file_data_ptr.len; + *type = EVENT_INFO_GZIP_DATA; + return 1; + } + + return 0; + +} + +int IsJSNormData(void *data) +{ + HttpSessionData *hsd = NULL; + + if (data == NULL) + return -1; + hsd = (HttpSessionData *)stream_api->get_application_data(data, PP_HTTPINSPECT); + + if(hsd == NULL) + return -1; + + if((hsd->log_flags & HTTP_LOG_JSNORM_DATA) && (file_data_ptr.len > 0 )) + return 0; + else + return -1; + +} + +int GetHttpJSNormData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + if(!IsJSNormData(data)) + { + *buf = file_data_ptr.data; + *len = file_data_ptr.len; + *type = EVENT_INFO_JSNORM_DATA; + return 1; + } + + return 0; +} + +int GetHttpUriData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + HttpSessionData *hsd = NULL; + + if (data == NULL) + return 0; + hsd = 
(HttpSessionData *)stream_api->get_application_data(data, PP_HTTPINSPECT); + + if(hsd == NULL) + return 0; + + if(hsd->log_state && hsd->log_state->uri_bytes > 0) + { + *buf = hsd->log_state->uri_extracted; + *len = hsd->log_state->uri_bytes; + *type = EVENT_INFO_HTTP_URI; + return 1; + } + + return 0; +} + + +int GetHttpHostnameData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type) +{ + HttpSessionData *hsd = NULL; + + if (data == NULL) + return 0; + hsd = (HttpSessionData *)stream_api->get_application_data(data, PP_HTTPINSPECT); + + if(hsd == NULL) + return 0; + + if(hsd->log_state && hsd->log_state->hostname_bytes > 0) + { + *buf = hsd->log_state->hostname_extracted; + *len = hsd->log_state->hostname_bytes; + *type = EVENT_INFO_HTTP_HOSTNAME; + return 1; + } + + return 0; +} + +void HI_SearchInit(void) +{ + const HiSearchToken *tmp; + hi_javascript_search_mpse = search_api->search_instance_new(); + if (hi_javascript_search_mpse == NULL) + { + FatalError("%s(%d) Could not allocate memory for HTTP <script> tag search.\n", + __FILE__, __LINE__); + } + for (tmp = &hi_patterns[0]; tmp->name != NULL; tmp++) + { + hi_js_search[tmp->search_id].name = tmp->name; + hi_js_search[tmp->search_id].name_len = tmp->name_len; + search_api->search_instance_add(hi_javascript_search_mpse, tmp->name, tmp->name_len, tmp->search_id); + } + search_api->search_instance_prep(hi_javascript_search_mpse); + + hi_htmltype_search_mpse = search_api->search_instance_new(); + if (hi_htmltype_search_mpse == NULL) + { + FatalError("%s(%d) Could not allocate memory for HTTP <script> type search.\n", + __FILE__, __LINE__); + } + for (tmp = &html_patterns[0]; tmp->name != NULL; tmp++) + { + hi_html_search[tmp->search_id].name = tmp->name; + hi_html_search[tmp->search_id].name_len = tmp->name_len; + search_api->search_instance_add(hi_htmltype_search_mpse, tmp->name, tmp->name_len, tmp->search_id); + } + search_api->search_instance_prep(hi_htmltype_search_mpse); +} + +void HI_SearchFree(void) 
+{ + if (hi_javascript_search_mpse != NULL) + search_api->search_instance_free(hi_javascript_search_mpse); + + if (hi_htmltype_search_mpse != NULL) + search_api->search_instance_free(hi_htmltype_search_mpse); +} + +int HI_SearchStrFound(void *id, void *unused, int index, void *data, void *unused2) +{ + int search_id = (int)(uintptr_t)id; + + hi_search_info.id = search_id; + hi_search_info.index = index; + hi_search_info.length = hi_current_search[search_id].name_len; + + /* Returning non-zero stops search, which is okay since we only look for one at a time */ + return 1; +} + + diff -Nru snort-2.9.0.1/src/preprocessors/snort_httpinspect.h snort-2.9.2/src/preprocessors/snort_httpinspect.h --- snort-2.9.0.1/src/preprocessors/snort_httpinspect.h 2010-09-27 08:28:13.000000000 -0700 +++ snort-2.9.2/src/preprocessors/snort_httpinspect.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef __SNORT_HTTPINSPECT_H__ #define __SNORT_HTTPINSPECT_H__ 
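Review bot: HI_SearchFree at the end of the `@@ -3494` hunk frees the two mpse instances but leaves `hi_javascript_search_mpse` and `hi_htmltype_search_mpse` pointing at released memory, so a second call, or an HI_SearchInit/HI_SearchFree pairing on reload, would double-free or use a dangling pointer; add `hi_javascript_search_mpse = NULL;` and `hi_htmltype_search_mpse = NULL;` after the respective free calls. In HI_SearchInit the loops index `hi_js_search[tmp->search_id]` and `hi_html_search[tmp->search_id]` without checking the id against HI_LAST/HTML_LAST; the pattern tables are not on this page, so this is likely fine for the static tables, but a `_Static_assert`-free runtime check or a comment stating the tables are the only source would document the assumption. Separately, IsGzipData and IsJSNormData return 0 for "yes" and -1 for "no", so their callers read `if(!IsGzipData(data))` to mean "is gzip"; returning 1/0 like the other predicates here, or naming them to match the 0-on-success convention, would avoid the inverted read.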
@@ -26,21 +26,28 @@ #include "stream_api.h" #include "hi_ui_config.h" #include "util_utf.h" +#include "detection_util.h" +#include "mempool.h" +#include "str_search.h" +#include "util_jsnorm.h" #ifdef ZLIB -#include "mempool.h" #include <zlib.h> #endif +extern MemPool *http_mempool; + +extern DataBuffer HttpDecodeBuf; + /** ** The definition of the configuration separators in the snort.conf ** configure line. */ #define CONF_SEPARATORS " \t\n\r" -#define MAX_METHOD_LEN 7 +#define MAX_METHOD_LEN 256 /* -** These are the definitions of the parser section delimiting +** These are the definitions of the parser section delimiting ** keywords to configure HttpInspect. When one of these keywords ** are seen, we begin a new section. */ @@ -49,19 +56,27 @@ #define SERVER "server" #define CLIENT "client" +#define DEFAULT_HTTP_MEMCAP 150994944 /* 144 MB */ +#define MIN_HTTP_MEMCAP 2304 +#define MAX_HTTP_MEMCAP 603979776 /* 576 MB */ +#define MAX_URI_EXTRACTED 2048 +#define MAX_HOSTNAME 256 + #ifdef ZLIB -#define DEFAULT_MAX_GZIP_MEM 838860 +#define DEFAULT_MAX_GZIP_MEM 838860 #define GZIP_MEM_MAX 104857600 #define GZIP_MEM_MIN 3276 #define MAX_GZIP_DEPTH 65535 #define DEFAULT_COMP_DEPTH 1460 #define DEFAULT_DECOMP_DEPTH 2920 -#define DEFLATE_WBITS -15 +#define DEFLATE_RAW_WBITS -15 +#define DEFLATE_WBITS 15 #define GZIP_WBITS 31 + typedef enum _HttpRespCompressType { HTTP_RESP_COMPRESS_TYPE__GZIP = 0x00000001, @@ -71,6 +86,7 @@ typedef struct s_DECOMPRESS_STATE { + uint8_t inflate_init; int compr_bytes_read; int decompr_bytes_read; int compr_depth; @@ -81,6 +97,7 @@ MemBucket *gzip_bucket; unsigned char *compr_buffer; unsigned char *decompr_buffer; + bool deflate_initialized; } DECOMPRESS_STATE; #endif 
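Review bot: The new memcap constants in the `@@ -49` hunk carry no explanation of where MIN_HTTP_MEMCAP 2304 comes from, yet it equals MAX_URI_EXTRACTED + MAX_HOSTNAME (2048 + 256), which is presumably the size of one log bucket that SetLogBuffers carves up; a comment such as `/* one log bucket: MAX_URI_EXTRACTED + MAX_HOSTNAME */` would tie the three together so they are not changed independently. In the same hunk DEFLATE_WBITS changes meaning from -15 (raw deflate) to 15 (zlib-wrapped) while the old value moves to the new DEFLATE_RAW_WBITS; any inflateInit2 caller outside this diff that still uses DEFLATE_WBITS silently switches formats, so it would have been safer to introduce a new name for the new value and leave the old one alone. Whether such callers exist is not visible here.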
@@ -92,9 +109,21 @@ uint8_t last_pkt_contlen; uint8_t last_pkt_chunked; uint32_t next_seq; - int last_chunk_size; + uint32_t last_chunk_size; + int flow_depth_read; + uint32_t max_seq; + int is_max_seq; }HTTP_RESP_STATE; +typedef struct s_HTTP_LOG_STATE +{ + uint32_t uri_bytes; + uint32_t hostname_bytes; + MemBucket *log_bucket; + uint8_t *uri_extracted; + uint8_t *hostname_extracted; +}HTTP_LOG_STATE; + typedef struct _HttpSessionData { uint32_t event_flags; 
@@ -102,31 +131,97 @@ #ifdef ZLIB DECOMPRESS_STATE *decomp_state; #endif + HTTP_LOG_STATE *log_state; sfip_t *true_ip; decode_utf_state_t utf_state; + uint8_t log_flags; + uint8_t cli_small_chunk_count; + uint8_t srv_small_chunk_count; } HttpSessionData; +typedef struct _HISearch +{ + char *name; + int name_len; + +} HISearch; + +typedef struct _HiSearchToken +{ + char *name; + int name_len; + int search_id; +} HiSearchToken; + +typedef struct _HISearchInfo +{ + int id; + int index; + int length; +} HISearchInfo; + + +#define COPY_URI 1 +#define COPY_HOSTNAME 2 + +#define HTTP_LOG_URI 0x0001 +#define HTTP_LOG_HOSTNAME 0x0002 +#define HTTP_LOG_GZIP_DATA 0x0004 +#define HTTP_LOG_JSNORM_DATA 0x0008 + +typedef enum _HiSearchIdEnum +{ + HI_JAVASCRIPT = 0, + HI_LAST +} HiSearchId; + +typedef enum _HtmlSearchIdEnum +{ + HTML_JS = 0, + HTML_EMA, + HTML_VB, + HTML_LAST +} HtmlSearchId; + +extern void *hi_javascript_search_mpse; +extern void *hi_htmltype_search_mpse; +extern HISearch hi_js_search[HI_LAST]; +extern HISearch hi_html_search[HTML_LAST]; +extern HISearch *hi_current_search; +extern HISearchInfo hi_search_info; + + int SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p); int ProcessGlobalConf(HTTPINSPECT_GLOBAL_CONF *, char *, int); int PrintGlobalConf(HTTPINSPECT_GLOBAL_CONF *); int ProcessUniqueServerConf(HTTPINSPECT_GLOBAL_CONF *, char *, int); int HttpInspectInitializeGlobalConfig(HTTPINSPECT_GLOBAL_CONF *, char *, int); -HttpSessionData * SetNewHttpSessionData(Packet *p, void *session); +HttpSessionData * SetNewHttpSessionData(Packet *, void *); void FreeHttpSessionData(void *data); +int GetHttpTrueIP(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int GetHttpGzipData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int GetHttpJSNormData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int GetHttpUriData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type); +int GetHttpHostnameData(void *data, uint8_t **buf, 
uint32_t *len, uint32_t *type); +void HI_SearchInit(void); +void HI_SearchFree(void); +int HI_SearchStrFound(void *, void *, int , void *, void *); -static INLINE HttpSessionData * GetHttpSessionData(Packet *p) +static inline HttpSessionData * GetHttpSessionData(Packet *p) { if (p->ssnptr == NULL) return NULL; return (HttpSessionData *)stream_api->get_application_data(p->ssnptr, PP_HTTPINSPECT); } -static INLINE sfip_t *GetTrueIPForSession(Packet *p) +static inline sfip_t *GetTrueIPForSession(void *data) { HttpSessionData *hsd = NULL; - hsd = GetHttpSessionData(p); + if (data == NULL) + return NULL; + hsd = (HttpSessionData *)stream_api->get_application_data(data, PP_HTTPINSPECT); if(hsd == NULL) return NULL; @@ -135,8 +230,47 @@ } +static inline void HttpLogFuncs(HTTPINSPECT_GLOBAL_CONF *GlobalConf, HttpSessionData *hsd, Packet *p, int iCallDetect ) +{ + if(!hsd) + return; + + /* for pipelined HTTP requests */ + if(!iCallDetect) + p->xtradata_mask = 0; + + if(hsd->true_ip) + { + SetLogFuncs(p, GlobalConf->xtra_trueip_id, 0); + } + + if(hsd->log_flags & HTTP_LOG_URI) + { + SetLogFuncs(p, GlobalConf->xtra_uri_id, 0); + } + + if(hsd->log_flags & HTTP_LOG_HOSTNAME) + { + SetLogFuncs(p, GlobalConf->xtra_hname_id, 0); + } + +#ifndef SOURCEFIRE + if(hsd->log_flags & HTTP_LOG_JSNORM_DATA) + { + SetLogFuncs(p, GlobalConf->xtra_jsnorm_id, 1); + } +#ifdef ZLIB + if(hsd->log_flags & HTTP_LOG_GZIP_DATA) + { + SetLogFuncs(p, GlobalConf->xtra_gzip_id, 1); + } +#endif +#endif +} + + #ifdef ZLIB -static INLINE void ResetGzipState(DECOMPRESS_STATE *ds) +static inline void ResetGzipState(DECOMPRESS_STATE *ds) { if (ds == NULL) return; @@ -145,6 +279,7 @@ memset(ds->gzip_bucket->data, 0, ds->compr_depth + ds->decompr_depth); + ds->inflate_init = 0; ds->compr_bytes_read = 0; ds->decompr_bytes_read = 0; ds->compress_fmt = 0; 
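Review bot: GetTrueIPForSession in the `@@ -102` hunk changes its parameter from `Packet *p` to `void *data` and passes it straight to `stream_api->get_application_data`, so any caller not updated in this diff that still passes a `Packet *` keeps compiling and hands the wrong pointer to the stream API. The visible caller (GetHttpTrueIP) forwards its own `void *data`, so the new code is consistent with itself, but the type no longer documents what is expected. I would say it at the declaration: `/* data is the stream session handle (p->ssnptr), not the Packet */`, or take the session's real type if one is available to this header. The related `HISearch`/`HiSearchToken` `char *name` fields look like they only ever point at pattern literals and could be `const char *`.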
@@ -152,7 +287,7 @@ } #endif /* ZLIB */ -static INLINE void ResetRespState(HTTP_RESP_STATE *ds) +static inline void ResetRespState(HTTP_RESP_STATE *ds) { if (ds == NULL) return; @@ -162,6 +297,45 @@ ds->inspect_reassembled = 0; ds->next_seq = 0; ds->last_chunk_size = 0; + ds->flow_depth_read = 0; + ds->max_seq = 0; + ds->is_max_seq = 0; +} + +static inline int SetLogBuffers(HttpSessionData *hsd) +{ + int iRet = 0; + if (hsd->log_state == NULL) + { + MemBucket *bkt = mempool_alloc(http_mempool); + + if (bkt != NULL) + { + hsd->log_state = (HTTP_LOG_STATE *)calloc(1, sizeof(HTTP_LOG_STATE)); + if( hsd->log_state != NULL ) + { + hsd->log_state->log_bucket = bkt; + hsd->log_state->uri_bytes = 0; + hsd->log_state->hostname_bytes = 0; + hsd->log_state->uri_extracted = (uint8_t *)bkt->data; + hsd->log_state->hostname_extracted = (uint8_t *)bkt->data + MAX_URI_EXTRACTED; + } + else + { + mempool_free(http_mempool, bkt); + iRet = -1; + } + } + else + iRet = -1; + } + + return iRet; +} + +static inline void SetHttpDecode(uint16_t altLen) +{ + HttpDecodeBuf.len = altLen; } diff -Nru snort-2.9.0.1/src/preprocessors/spp_arpspoof.c snort-2.9.2/src/preprocessors/spp_arpspoof.c --- snort-2.9.0.1/src/preprocessors/spp_arpspoof.c 2010-06-09 15:05:22.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_arpspoof.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2004-2010 Sourcefire, Inc. +** Copyright (C) 2004-2011 Sourcefire, Inc. ** Copyright (C) 2001-2004 Jeff Nathan <jeff@snort.org> ** ** This program is free software; you can redistribute it and/or modify 
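Review bot: `SetLogBuffers` dereferences `hsd` (`hsd->log_state`) without a NULL check, while the neighbouring `HttpLogFuncs` and `ResetRespState` both start with one; `if (hsd == NULL) return -1;` before the first access keeps the helpers consistent. Splitting the mempool bucket into `uri_extracted` at `bkt->data` and `hostname_extracted` at `bkt->data + MAX_URI_EXTRACTED` silently assumes every `http_mempool` object is at least `MAX_URI_EXTRACTED` plus the hostname limit in size; that size is fixed where the pool is created, outside this hunk, so a comment such as `/* bucket layout: [0, MAX_URI_EXTRACTED) = URI, remainder = hostname; the pool object size must cover both */` records the invariant next to the code that depends on it. `SetHttpDecode` likewise stores `altLen` into `HttpDecodeBuf.len` with no comparison against the decode buffer's capacity, so callers must bound it first; either the check itself or a comment stating that precondition belongs here.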
@@ -13,7 +13,7 @@ ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. -** +** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. @@ -25,7 +25,7 @@ * * Purpose: * - * This preprocessor looks for anomalies in ARP traffic and attempts to + * This preprocessor looks for anomalies in ARP traffic and attempts to * maliciously overwrite ARP cache information on hosts. * * Arguments: @@ -33,7 +33,7 @@ * To check for unicast ARP requests use: * arpspoof: -unicast * - * WARNING: this can generate false positives as Linux systems send unicast + * WARNING: this can generate false positives as Linux systems send unicast * ARP requests repetatively for entries in their cache. * * This plugin also takes a list of IP addresses and MAC address in the form: 
@@ -43,24 +43,24 @@ * * Effect: * By comparing information in the Ethernet header to the ARP frame, obvious - * anomalies are detected. Also, utilizing a user supplied list of IP - * addresses and MAC addresses, ARP traffic appearing to have originated from - * any IP in that list is carefully examined by comparing the source hardware - * address to the user supplied hardware address. If there is a mismatch, an - * alert is generated as either an ARP request or REPLY can be used to - * overwrite cache information on a remote host. This should only be used for + * anomalies are detected. Also, utilizing a user supplied list of IP + * addresses and MAC addresses, ARP traffic appearing to have originated from + * any IP in that list is carefully examined by comparing the source hardware + * address to the user supplied hardware address. If there is a mismatch, an + * alert is generated as either an ARP request or REPLY can be used to + * overwrite cache information on a remote host. This should only be used for * hosts/devices on the **same layer 2 segment** !! * * Bugs: - * This is a proof of concept ONLY. It is clearly not complete. Also, the + * This is a proof of concept ONLY. It is clearly not complete. Also, the * lookup function LookupIPMacEntryByIP is in need of optimization. The * arpspoof_detect_host functionality may false alarm in redundant environments. * Also, see the comment above pertaining to Linux systems. * * Thanks: * * First and foremost Patrick Mullen who sat beside me and helped every step of - * the way. Andrew Baker for graciously supplying the tougher parts of this - * code. W. Richard Stevens for readable documentation and finally + * the way. Andrew Baker for graciously supplying the tougher parts of this + * code. W. Richard Stevens for readable documentation and finally * Marty for being a badass. All your packets are belong to Marty. * */ 
@@ -80,6 +80,10 @@ # include <time.h> #endif +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "generators.h" #include "log.h" #include "detect.h" @@ -88,7 +92,7 @@ #include "plugbase.h" #include "parser.h" #include "mstring.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "event_queue.h" @@ -152,9 +156,9 @@ static void DetectARPattacks(Packet *p, void *context); static void ARPspoofCleanExit(int signal, void *unused); static void FreeIPMacEntryList(IPMacEntryList *ip_mac_entry_list); -static int AddIPMacEntryToList(IPMacEntryList *ip_mac_entry_list, +static int AddIPMacEntryToList(IPMacEntryList *ip_mac_entry_list, IPMacEntry *ip_mac_entry); -static IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list, +static IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list, uint32_t ipv4_addr); static void ArpSpoofFreeConfig(tSfPolicyUserContextId config); @@ -163,7 +167,7 @@ #endif #ifdef SNORT_RELOAD -static tSfPolicyUserContextId arp_spoof_swap_config = NULL; +static tSfPolicyUserContextId arp_spoof_swap_config = NULL; static void ARPspoofReload(char *); static void ARPspoofReloadHost(char *); static void * ARPspoofReloadSwap(void); @@ -183,7 +187,7 @@ ARPspoofReloadHost, NULL, NULL); #endif - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Preprocessor: ARPspoof is setup...\n");); } @@ -194,7 +198,7 @@ ArpSpoofConfig *pDefaultPolicyConfig = NULL; ArpSpoofConfig *pCurrentPolicyConfig = NULL; - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Preprocessor: ARPspoof Initialized\n");); if (arp_spoof_config == NULL) @@ -221,7 +225,7 @@ if (pCurrentPolicyConfig) { ParseError("Arpspoof can only be configured once.\n"); - } + } pCurrentPolicyConfig = (ArpSpoofConfig *)SnortAlloc(sizeof(ArpSpoofConfig)); if (!pCurrentPolicyConfig) 
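Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` block lands after the system headers (`<time.h>` is included just above it), so any feature-test or size macros that config.h defines do not influence those headers; unless config.h is already pulled in above line 80, outside the hunk, the block should move to the top of the include list. The same ordering appears in spp_bo.c `@@ -116,6 +116,11 @@`, where config.h follows `<stdlib.h>` and `<ctype.h>`.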
@@ -250,7 +254,7 @@ * Parse arguments passed to the arpspoof keyword. * * @param args preprocessor argument string - * + * * @return void function */ static void ParseARPspoofArgs(ArpSpoofConfig *config, char *args) @@ -271,7 +275,7 @@ ArpSpoofConfig *pPolicyConfig = NULL; sfPolicyUserPolicySet (arp_spoof_config, policy_id); pPolicyConfig = (ArpSpoofConfig *)sfPolicyUserDataGetCurrent(arp_spoof_config); - + if ((arp_spoof_config == NULL) || (pPolicyConfig == NULL) ) { @@ -279,9 +283,9 @@ "use arpspoof_detect_host."); } - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Preprocessor: ARPspoof (overwrite list) Initialized\n");); - + if (pPolicyConfig->ipmel == NULL) { pPolicyConfig->ipmel = (IPMacEntryList *)SnortAlloc(sizeof(IPMacEntryList)); @@ -299,13 +303,13 @@ * Parse arguments passed to the arpspoof_detect_host keyword. * * @param args preprocessor argument string - * + * * @return void function */ static void ParseARPspoofHostArgs(IPMacEntryList *ipmel, char *args) { char **toks; - char **macbytes; + char **macbytes; int num_toks, num_macbytes; int i; struct in_addr IP_struct; @@ -379,7 +383,7 @@ return; /* is the ARP protocol type IP and the ARP hardware type Ethernet? */ - if ((ntohs(p->ah->ea_hdr.ar_hrd) != 0x0001) || + if ((ntohs(p->ah->ea_hdr.ar_hrd) != 0x0001) || (ntohs(p->ah->ea_hdr.ar_pro) != ETHERNET_TYPE_IP)) return; 
@@ -388,41 +392,41 @@ switch(ntohs(p->ah->ea_hdr.ar_op)) { case ARPOP_REQUEST: - if (aconfig->check_unicast_arp) + if (aconfig->check_unicast_arp) { if (memcmp((u_char *)p->eh->ether_dst, (u_char *)bcast, 6) != 0) { SnortEventqAdd(GENERATOR_SPP_ARPSPOOF, ARPSPOOF_UNICAST_ARP_REQUEST, 1, 0, 3, ARPSPOOF_UNICAST_ARP_REQUEST_STR, 0); - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: Unicast request\n");); } } - else if (memcmp((u_char *)p->eh->ether_src, - (u_char *)p->ah->arp_sha, 6) != 0) + else if (memcmp((u_char *)p->eh->ether_src, + (u_char *)p->ah->arp_sha, 6) != 0) { SnortEventqAdd(GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, 1, 0, 3, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR, 0); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: Ethernet/ARP mismatch request\n");); } break; case ARPOP_REPLY: - if (memcmp((u_char *)p->eh->ether_src, + if (memcmp((u_char *)p->eh->ether_src, (u_char *)p->ah->arp_sha, 6) != 0) { SnortEventqAdd(GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, 1, 0, 3, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR, 0); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: Ethernet/ARP mismatch reply src\n");); } - else if (memcmp((u_char *)p->eh->ether_dst, + else if (memcmp((u_char *)p->eh->ether_dst, (u_char *)p->ah->arp_tha, 6) != 0) { SnortEventqAdd(GENERATOR_SPP_ARPSPOOF, 
@@ -441,36 +445,36 @@ return; /* LookupIPMacEntryByIP() is too slow, will be fixed later */ - if ((ipme = LookupIPMacEntryByIP(aconfig->ipmel, + if ((ipme = LookupIPMacEntryByIP(aconfig->ipmel, *(uint32_t *)&p->ah->arp_spa)) == NULL) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: LookupIPMacEntryByIp returned NULL\n");); return; } else { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: LookupIPMacEntryByIP returned %p\n", ipme);); /* If the Ethernet source address or the ARP source hardware address * in p doesn't match the MAC address in ipme, then generate an alert */ - if ((memcmp((uint8_t *)p->eh->ether_src, - (uint8_t *)ipme->mac_addr, 6)) || - (memcmp((uint8_t *)p->ah->arp_sha, + if ((memcmp((uint8_t *)p->eh->ether_src, + (uint8_t *)ipme->mac_addr, 6)) || + (memcmp((uint8_t *)p->ah->arp_sha, (uint8_t *)ipme->mac_addr, 6))) { SnortEventqAdd(GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, 1, 0, 3, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR, 0); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: Attempted ARP cache overwrite attack\n");); return; } - } + } } @@ -482,7 +486,7 @@ * * @return 0 if the node is added successfully, 1 otherwise */ -static int AddIPMacEntryToList(IPMacEntryList *ip_mac_entry_list, +static int AddIPMacEntryToList(IPMacEntryList *ip_mac_entry_list, IPMacEntry *ip_mac_entry) { IPMacEntryListNode *newNode; @@ -517,7 +521,7 @@ * * @return pointer to a structure node if a match is found, NULL otherwise */ -static IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list, +static IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list, uint32_t ipv4_addr) { IPMacEntryListNode *current; 
@@ -529,7 +533,7 @@ if (ip_mac_entry_list == NULL) return NULL; - for (current = ip_mac_entry_list->head; current != NULL; + for (current = ip_mac_entry_list->head; current != NULL; current = current->next) { #if defined(DEBUG) @@ -538,12 +542,12 @@ cha = strdup(inet_ntoa(ina)); chb = strdup(inet_ntoa(inb)); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: LookupIPMacEntryByIP() comparing %s to %s\n", cha, chb);); #endif if (current->ip_mac_entry->ipv4_addr == ipv4_addr) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: LookupIPMecEntryByIP() match!");); return current->ip_mac_entry; @@ -647,7 +651,7 @@ } printf("\n"); current = current->next; - } + } return; } #endif @@ -678,7 +682,7 @@ ParseError("ARPSPOOF preprocessor: memory allocate failed.\n"); } sfPolicyUserDataSetCurrent(arp_spoof_swap_config, pPolicyConfig); - + /* Add arpspoof to the preprocessor function list */ AddFuncToPreprocList(DetectARPattacks, PRIORITY_NETWORK, PP_ARPSPOOF, PROTO_BIT__ARP); @@ -699,7 +703,7 @@ int policy_id = (int)getParserPolicy(); ArpSpoofConfig *pPolicyConfig = NULL; sfPolicyUserPolicySet (arp_spoof_swap_config, policy_id); - pPolicyConfig = (ArpSpoofConfig *)sfPolicyUserDataGetCurrent(arp_spoof_swap_config); + pPolicyConfig = (ArpSpoofConfig *)sfPolicyUserDataGetCurrent(arp_spoof_swap_config); if ((arp_spoof_swap_config == NULL) || (pPolicyConfig == NULL)) @@ -708,7 +712,7 @@ "use arpspoof_detect_host."); } - DEBUG_WRAP(DebugMessage(DEBUG_INIT, + DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Preprocessor: ARPspoof (overwrite list) Initialized\n");); if (pPolicyConfig->ipmel == NULL) diff -Nru snort-2.9.0.1/src/preprocessors/spp_arpspoof.h snort-2.9.2/src/preprocessors/spp_arpspoof.h --- snort-2.9.0.1/src/preprocessors/spp_arpspoof.h 2010-01-26 10:10:12.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_arpspoof.h 2011-02-09 15:23:29.000000000 -0800 
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** Copyright (C) 2001-2003 Jeff Nathan <jeff@snort.org> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/spp_bo.c snort-2.9.2/src/preprocessors/spp_bo.c --- snort-2.9.0.1/src/preprocessors/spp_bo.c 2010-06-09 15:05:22.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_bo.c 2011-06-07 17:33:16.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Copyright (C) 1998-2005 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -21,15 +21,15 @@ /* $Id$ */ /* Snort Preprocessor Plugin Source File Bo */ -/* spp_bo - * +/* spp_bo + * * Purpose: Detects Back Orifice traffic by brute forcing the weak encryption * of the program's network protocol and detects the magic cookie - * that it's servers and clients require to communicate with each + * that it's servers and clients require to communicate with each * other. * * Arguments: none - * + * * Effect: Analyzes UDP traffic for the BO magic cookie, reports if it finds * traffic matching the profile. * @@ -56,7 +56,7 @@ * Random: E4 42 FB 83 41 B3 4A F0 * ------- -- -- -- -- -- -- -- -- * Result: CE 63 D1 D2 16 E7 13 CF (XOR'd result) - * + * * For demonstration purposes: * * static long holdrand = 1L; @@ -88,7 +88,7 @@ * Random: 26 27 F6 85 97 15 AD 1D * ------- -- -- -- -- -- -- -- -- * Result: 0C 06 DC D4 C0 41 F4 22 (XOR'd result) - * + * * For demonstration purposes: * * int BoRandValues_DefaultKey[8]; 
@@ -101,14 +101,14 @@ * BoRandValues_DefaultKey[5] = LocalBoRand() % 256; --> 21 (0x15) * BoRandValues_DefaultKey[6] = LocalBoRand() % 256; --> 173 (0xad) * BoRandValues_DefaultKey[7] = LocalBoRand() % 256; --> 29 (0x1d) - * + * * Notes: - * - * 10/13/2005 marc norton - This has a lot of changes to the runtime - * decoding and testing. The '% 256' op was removed, - * the xor op is bit wise so modulo is not needed, + * + * 10/13/2005 marc norton - This has a lot of changes to the runtime + * decoding and testing. The '% 256' op was removed, + * the xor op is bit wise so modulo is not needed, * the char casting truncates to one byte, - * and len testing has been modified as was the xor decode copy and + * and len testing has been modified as was the xor decode copy and * final PONG test. */ @@ -116,6 +116,11 @@ #include <stdlib.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "generators.h" #include "log.h" #include "detect.h" @@ -123,7 +128,7 @@ #include "event.h" #include "plugbase.h" #include "parser.h" -#include "debug.h" +#include "snort_debug.h" #include "mstring.h" #include "util.h" #include "event_queue.h" @@ -200,8 +205,8 @@ /* * Function: SetupBo() * - * Purpose: Registers the preprocessor keyword and initialization - * function into the preprocessor list. + * Purpose: Registers the preprocessor keyword and initialization + * function into the preprocessor list. * * Arguments: None. * @@ -210,7 +215,7 @@ */ void SetupBo(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ #ifndef SNORT_RELOAD RegisterPreprocessor("bo", BoInit); @@ -218,7 +223,7 @@ RegisterPreprocessor("bo", BoInit, BoReload, BoReloadSwap, BoReloadSwapFree); #endif - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: Back Orifice is setup...\n");); } 
@@ -242,7 +247,7 @@ { //create a context bo_config = sfPolicyConfigCreate(); - + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Preprocessor: Bo Initialized\n");); /* we no longer need to take args */ @@ -297,12 +302,12 @@ static void ProcessArgs(BoConfig *bo, char *args) { char *arg; - + if ((args == NULL) || (bo == NULL)) return; arg = strtok(args, CONF_SEPARATORS); - + while ( arg != NULL ) { if ( !strcasecmp("noalert", arg) ) @@ -315,7 +320,7 @@ } else { - FatalError("%s(%d) => Unknown bo option %s.\n", + FatalError("%s(%d) => Unknown bo option %s.\n", file_name, file_line, arg); } @@ -346,10 +351,10 @@ if ( arg == NULL || strcmp(START_LIST, arg) ) { - FatalError("%s(%d) => Invalid bo option.\n", file_name, file_line); + FatalError("%s(%d) => Invalid bo option.\n", file_name, file_line); //return 0; } - + while ((arg = strtok(NULL, CONF_SEPARATORS)) != NULL) { if ( !strcmp(END_LIST, arg) ) @@ -376,15 +381,15 @@ } else { - FatalError("%s(%d) => Invalid bo option argument %s.\n", - file_name, file_line, arg); + FatalError("%s(%d) => Invalid bo option argument %s.\n", + file_name, file_line, arg); } } if ( !endList ) { - FatalError("%s(%d) => Must end configuration list with %s.\n", - file_name, file_line, END_LIST); + FatalError("%s(%d) => Must end configuration list with %s.\n", + file_name, file_line, END_LIST); //return 0; } @@ -408,7 +413,7 @@ if ( bo->noalert_flags != 0 || bo->drop_flags != 0 ) LogMessage("Back Orifice Config:\n"); - + if ( bo->noalert_flags != 0 ) { LogMessage(" Disable alerts:"); @@ -454,7 +459,7 @@ /* - * Precalculate the known cyphertext into a prefix and suffix lookup table + * Precalculate the known cyphertext into a prefix and suffix lookup table * to recover the key. Using this in the BoFind() function below is much * faster than the old brute force method */ @@ -469,7 +474,7 @@ memset(&lookup1[0], 0, sizeof(lookup1)); memset(&lookup2[0], 0, sizeof(lookup2)); - + for(key=0;key<65536;key++) { /* setup to generate cyphertext for this key */ 
@@ -483,7 +488,7 @@ cp_ptr++; } - /* + /* * generate the key lookup mechanism from the first 2 characters of * the cyphertext */ @@ -507,8 +512,8 @@ lookup1[cyphertext_referent][0] = (uint16_t)key; } - /* - * generate the second lookup from the last two characters of + /* + * generate the second lookup from the last two characters of * the cyphertext */ cyphertext_referent = (uint16_t) (cookie_cyphertext[6] << 8) & 0xFF00; @@ -527,7 +532,7 @@ * * Purpose: Look for the magic cookie, squawk if you find it. * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * @@ -558,7 +563,7 @@ /* make sure it's UDP and that it's at least 19 bytes long */ if(!IsUDP(p)) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, " -> spp_bo: Not UDP\n");); return; } @@ -571,13 +576,13 @@ PREPROC_PROFILE_START(boPerfStats); /* - * take the first two characters of the packet and generate the + * take the first two characters of the packet and generate the * first reference that gives us a reference key */ cyphertext_referent = (uint16_t) (p->data[0] << 8) & 0xFF00; cyphertext_referent |= (uint16_t) (p->data[1]) & 0x00FF; - /* + /* * generate the second referent from the last two characters * of the cyphertext */ @@ -589,12 +594,12 @@ /* get the key from the cyphertext */ key = lookup1[cyphertext_referent][i]; - /* + /* * if the lookup from the proposed key matches the cyphertext reference - * then we've probably go the right key and can proceed to full + * then we've probably go the right key and can proceed to full * decryption using the key * - * moral of the story: don't use a lame keyspace + * moral of the story: don't use a lame keyspace */ if(lookup2[key] == cyphertext_suffix) { 
@@ -609,8 +614,8 @@ if(*magic_data != plaintext) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, - "Failed check one on 0x%X : 0x%X\n", + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + "Failed check one on 0x%X : 0x%X\n", *magic_data, plaintext);); PREPROC_PROFILE_END(boPerfStats); return; @@ -619,9 +624,9 @@ magic_data++; pkt_data++; } - + /* if we fall thru there's a detect */ - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Detected Back Orifice Data!\n"); DebugMessage(DEBUG_PLUGIN, "hash value: %d\n", key);); @@ -664,7 +669,7 @@ { Active_DropSession(); } - } + } } } @@ -716,9 +721,9 @@ { return BO_FROM_SERVER; } - - /* Didn't find default port, so look for ping packet */ - + + /* Didn't find default port, so look for ping packet */ + /* Get length from BO header - 32 bit int */ for ( i = 0; i < 4; i++ ) { @@ -736,12 +741,12 @@ id += l << (8*i); pkt_data++; } - + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Data length = %lu\n", len);); DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "ID = %lu\n", id);); /* Do more len checking */ - + if ( len >= BO_BUF_ATTACK_SIZE ) { if ( !(bo->noalert_flags & BO_ALERT_SNORT_ATTACK) ) @@ -761,7 +766,7 @@ if (len <= BACKORIFICE_MIN_SIZE) { /* Need some data, or we can't figure out client or server */ - return BO_FROM_UNKNOWN; + return BO_FROM_UNKNOWN; } else { @@ -783,7 +788,7 @@ /* We don't have enough data to inspect */ return BO_FROM_UNKNOWN; } - + if ( type & 0x80 ) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Partial packet\n");); @@ -811,13 +816,13 @@ buf1[i] = (char) (pkt_data[i] ^ BoRand()); if ( buf1[i] == 0 ) { - return BO_FROM_UNKNOWN; + return BO_FROM_UNKNOWN; } } if( ( buf1[3] == 'P' || buf1[3] == 'p' ) && - ( buf1[4] == 'O' || buf1[4] == 'o' ) && - ( buf1[5] == 'N' || buf1[5] == 'n' ) && + ( buf1[4] == 'O' || buf1[4] == 'o' ) && + ( buf1[5] == 'N' || buf1[5] == 'n' ) && ( buf1[6] == 'G' || buf1[6] == 'g' ) ) { return BO_FROM_SERVER; 
@@ -826,15 +831,15 @@ { return BO_FROM_CLIENT; } - } - + } + return BO_FROM_UNKNOWN; } static int BoFreeConfigPolicy( tSfPolicyUserContextId bo, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.9.0.1/src/preprocessors/spp_bo.h snort-2.9.2/src/preprocessors/spp_bo.h --- snort-2.9.0.1/src/preprocessors/spp_bo.h 2010-01-26 10:10:13.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_bo.h 2011-02-09 15:23:29.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/spp_frag3.c snort-2.9.2/src/preprocessors/spp_frag3.c --- snort-2.9.0.1/src/preprocessors/spp_frag3.c 2010-08-25 13:22:46.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_frag3.c 2011-11-21 12:15:24.000000000 -0800 @@ -5,11 +5,11 @@ * @author Martin Roesch <roesch@sourcefire.com> * @date Thu Sep 30 14:12:37 EDT 2004 * - * @brief Frag3: IP defragmentation preprocessor for Snort. + * @brief Frag3: IP defragmentation preprocessor for Snort. */ /* - ** Copyright (C) 2004-2010 Sourcefire, Inc. + ** Copyright (C) 2004-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -28,7 +28,7 @@ */ /* - * Notes: + * Notes: * Frag3 sports the following improvements over frag2: * - Target-based IP defragmentation, harder to evade * - 8 Anomaly detection event types 
@@ -36,29 +36,29 @@ * performance for specific environments * - Up to 250% faster than frag2. * - * The mechanism for processing frags is based on the Linux IP stack + * The mechanism for processing frags is based on the Linux IP stack * implementation of IP defragmentation with proper amounts of paranoia - * and an IDS perspective applied. Some of this code was derived from + * and an IDS perspective applied. Some of this code was derived from * frag2 originally, but it's basically unrecognizeable if you compare * it to frag2 IMO. * - * I switched from using the UBI libs to using sfxhash and linked lists for - * fragment management because I suspected that the management code was - * the cause of performance issues that we were observing at Sourcefire + * I switched from using the UBI libs to using sfxhash and linked lists for + * fragment management because I suspected that the management code was + * the cause of performance issues that we were observing at Sourcefire * in certain customer situations. Splay trees are cool and really hard - * to screw with from an attack perspective, but they also incur a lot - * of overhead for managing the tree and lose the order of the fragments in + * to screw with from an attack perspective, but they also incur a lot + * of overhead for managing the tree and lose the order of the fragments in * the FragTracker's fraglist, so I dropped them. Originally the * frag3 code was just supposed to migrate away from the splay tree system * that I was using in frag2, but I figured since I was doing the work to * pull out the splay trees I may as well solve some of the other problems - * we were seeing. + * we were seeing. * * Initial performance testing that I've done shows that frag3 can be as much - * as 250% faster than frag2, but we still need to do more testing and + * as 250% faster than frag2, but we still need to do more testing and * optimization, we may be able to squeeze out some more performance. 
* - * Frag3 is also capable of performing "Target-based" IP defragmentation. + * Frag3 is also capable of performing "Target-based" IP defragmentation. * What this means practically is that frag3 can model the IP stack of a * target on the network to avoid Ptacek-Newsham evasions of the IDS through * sensor/target desynchronization. In terms of implentation, this is @@ -86,7 +86,7 @@ #include <errno.h> #include "spp_frag3.h" -#include "bounds.h" +#include "snort_bounds.h" #include "generators.h" #include "log.h" #include "detect.h" @@ -94,7 +94,7 @@ #include "encode.h" #include "event.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "parser.h" #include "mstring.h" @@ -130,7 +130,7 @@ #define FRAG_NO_BSD_VULN 0x00000010 #define FRAG_DROP_FRAGMENTS 0x00000020 -/* default frag timeout, 90-120 might be better values, can we do +/* default frag timeout, 90-120 might be better values, can we do * target-based quanta? */ #define FRAG_PRUNE_QUANTA 60 @@ -256,10 +256,11 @@ { int disabled; uint32_t max_frags; /* max frags to track */ - uint32_t memcap; /* memcap for frag3 */ - int ten_percent; /* holder for self preservation data */ + unsigned long memcap; /* memcap for frag3 */ + int ten_percent; /* holder for self preservation data */ uint32_t static_frags; /* static frag nodes to keep around */ uint8_t use_prealloc; /* flag to indicate prealloc nodes in use */ + uint8_t use_prealloc_frags; /* flag to indicate prealloc nodes in use */ Frag3Context *default_context; Frag3Context **frag3ContextList; /* List of Frag3 Contexts configured */ uint8_t numFrag3Contexts; 
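Review bot: The comment on the new `use_prealloc_frags` field is a copy of the one on `use_prealloc` (`/* flag to indicate prealloc nodes in use */`), so the header gives no way to tell the two flags apart; judging by `Frag3PrintGlobalConfig` later in this file, which prints the memcap-derived node count only when `use_prealloc_frags` is clear, something like `/* set when the prealloc node count was configured explicitly rather than derived from memcap */` describes it — worth confirming against the option parser, which is outside the hunk. `memcap` also changes from `uint32_t` to `unsigned long` (and `mem_in_use` with it in `@@ -367,7 +368,7 @@`); if the intent is to allow caps above 4 GB, `unsigned long` is still 32 bits on LLP64 platforms, and `size_t` or `uint64_t` would state that intent explicitly.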
@@ -286,11 +287,11 @@ uint8_t alerted; uint32_t frag_flags; /* bit field */ - uint32_t frag_bytes; /* number of fragment bytes stored, based + uint32_t frag_bytes; /* number of fragment bytes stored, based * on aligned fragment offsets/sizes */ - uint32_t calculated_size; /* calculated size of reassembled pkt, based on + uint32_t calculated_size; /* calculated size of reassembled pkt, based on * last frag offset */ @@ -323,7 +324,7 @@ uint32_t frag_policy; /**Count of IP fragment overlap for each packet id. */ - uint32_t overlap_count; + uint32_t overlap_count; /* Configuration in use when this tracker was created */ tSfPolicyId policy_id; @@ -367,7 +368,7 @@ static SFXHASH *f_cache = NULL; /* fragment hash table */ static Frag3Frag *prealloc_frag_list = NULL; /* head for prealloc queue */ -static uint32_t mem_in_use; /* memory in use, used for self pres */ +static unsigned long mem_in_use = 0; /* memory in use, used for self pres */ static uint32_t prealloc_nodes_in_use; /* counter for debug */ @@ -399,8 +400,8 @@ /* * external globals for startup */ -extern char *file_name; -extern int file_line; +extern char *file_name; +extern int file_line; /* P R O T O T Y P E S ********************************************/ @@ -410,7 +411,7 @@ static int Frag3NewTracker(Packet *p, FRAGKEY *fkey, Frag3Context *); static int Frag3Insert(Packet *, FragTracker *, FRAGKEY *, Frag3Context *); static void Frag3Rebuild(FragTracker *, Packet *); -static INLINE int Frag3IsComplete(FragTracker *); +static inline int Frag3IsComplete(FragTracker *); static int Frag3HandleIPOptions(FragTracker *, Packet *); static void Frag3PrintStats(int); static void Frag3FreeConfig(Frag3Config *); 
@@ -434,12 +435,12 @@ static int Frag3UserFree(void *, void *); /* fraglist handler funcs */ -static INLINE void Frag3FraglistAddNode(FragTracker *, Frag3Frag *, Frag3Frag *); -static INLINE void Frag3FraglistDeleteNode(FragTracker *, Frag3Frag *); +static inline void Frag3FraglistAddNode(FragTracker *, Frag3Frag *, Frag3Frag *); +static inline void Frag3FraglistDeleteNode(FragTracker *, Frag3Frag *); /* prealloc queue handler funcs */ -static INLINE Frag3Frag *Frag3PreallocPop(); -static INLINE void Frag3PreallocPush(Frag3Frag *); +static inline Frag3Frag *Frag3PreallocPop(); +static inline void Frag3PreallocPush(Frag3Frag *); /* main preprocessor functions */ static void Frag3Defrag(Packet *, void *); @@ -457,7 +458,7 @@ char *ret_str; sfip_t srcip; sfip_set_raw(&srcip, ip, proto == 4 ? AF_INET : AF_INET6); - + ret_str = sfip_to_str(&srcip); return ret_str; } @@ -495,7 +496,7 @@ LogMessage(" frag_bytes: %d\n", ft->frag_bytes); LogMessage(" calc_size: %d\n", ft->calculated_size); LogMessage(" frag_pkts: %d\n", ft->frag_pkts); - LogMessage(" frag_time: %lu %lu\n", ft->frag_time.tv_sec, + LogMessage(" frag_time: %lu %lu\n", ft->frag_time.tv_sec, ft->frag_time.tv_usec); LogMessage(" fraglist: %p\n", ft->fraglist); LogMessage(" fl_tail: %p\n", ft->fraglist_tail); @@ -564,13 +565,23 @@ return; LogMessage("Frag3 global config:\n"); + if(gconfig->disabled) + { + LogMessage(" Frag3: INACTIVE\n"); + } LogMessage(" Max frags: %d\n", gconfig->max_frags); if(!gconfig->use_prealloc) - LogMessage(" Fragment memory cap: %lu bytes\n", - (unsigned long)gconfig->memcap); + LogMessage(" Fragment memory cap: %lu bytes\n", + gconfig->memcap); else - LogMessage(" Preallocated frag nodes: %u\n", + { + if (gconfig->static_frags) + LogMessage(" Preallocated frag nodes: %u\n", gconfig->static_frags); + if (!gconfig->use_prealloc_frags) + LogMessage(" Memory cap used to determine preallocated frag nodes: %lu\n", + gconfig->memcap); + } } 
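Review bot: `static inline Frag3Frag *Frag3PreallocPop();` keeps empty parentheses, which in C declares a function with an unspecified argument list rather than one taking no arguments, so calls to it are not checked against a prototype; `static inline Frag3Frag *Frag3PreallocPop(void);` is the prototype form and matches the other declarations in this block, which all spell out their parameter types. The definition should be updated the same way; it is outside the hunk.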
@@ -583,26 +594,27 @@ */ static void Frag3PrintEngineConfig(Frag3Context *context) { - LogMessage("Frag3 engine config:\n"); - LogMessage(" Target-based policy: %s\n", - frag_policy_names[context->frag_policy]); - LogMessage(" Fragment timeout: %d seconds\n", - context->frag_timeout); - LogMessage(" Fragment min_ttl: %d\n", context->min_ttl); - LogMessage(" Fragment Problems: %X\n", context->frag3_alerts); + LogMessage("Frag3 engine config:\n"); if (context->bound_addrs != NULL) { -#ifdef SUP_IP6 - // XXX NOT YET IMPLEMENTED - debugging -#else IpAddrSetPrint(" Bound Addresses: ", context->bound_addrs); -#endif } + else + { + LogMessage(" Bound Address: default\n"); + } + LogMessage(" Target-based policy: %s\n", + frag_policy_names[context->frag_policy]); + LogMessage(" Fragment timeout: %d seconds\n", + context->frag_timeout); + LogMessage(" Fragment min_ttl: %d\n", context->min_ttl); + LogMessage(" Fragment Anomalies: %s\n", + context->frag3_alerts ? "Alert" : "No Alert"); - LogMessage(" Overlap Limit: %d\n", + LogMessage(" Overlap Limit: %d\n", context->overlap_limit); - LogMessage(" Min fragment Length: %d\n", + LogMessage(" Min fragment Length: %d\n", context->min_fragment_length); } @@ -613,12 +625,12 @@ * * @return none */ -static INLINE void EventAnomIpOpts(Frag3Context *context) +static inline void EventAnomIpOpts(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ FRAG3_IPOPTIONS, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -636,12 +648,12 @@ * * @return none */ -static INLINE void EventAttackTeardrop(Frag3Context *context) +static inline void EventAttackTeardrop(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ FRAG3_TEARDROP, /* SID */ 1, /* rev */ 0, /* classification enum */ 
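Review bot: `context->frag3_alerts ? "Alert" : "No Alert"` tests the whole bit field, while every `Event*` helper in the following hunks gates on `context->frag3_alerts & FRAG3_DETECT_ANOMALIES`; if `frag3_alerts` ever carries other bits the printout says "Alert" for a context whose anomaly detection is off. `(context->frag3_alerts & FRAG3_DETECT_ANOMALIES) ? "Alert" : "No Alert"` keeps the report consistent with what the detection code actually checks. The old `%X` dump of the raw mask is dropped at the same time; if other bits exist, keeping the raw value in the log line avoids hiding them.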
@@ -653,18 +665,18 @@ } /** - * Generate an event for very small fragment + * Generate an event for very small fragment * * @param context Current run context * * @return none */ -static INLINE void EventTinyFragments(Frag3Context *context) +static inline void EventTinyFragments(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ FRAG3_TINY_FRAGMENT, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -682,13 +694,13 @@ * * @return none */ -static INLINE void EventExcessiveOverlap(Frag3Context *context) +static inline void EventExcessiveOverlap(Frag3Context *context) { //@TBD dschahal do I need this if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ FRAG3_EXCESSIVE_OVERLAP, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -707,12 +719,12 @@ * * @return none */ -static INLINE void EventAnomShortFrag(Frag3Context *context) +static inline void EventAnomShortFrag(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ FRAG3_SHORT_FRAG, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -732,12 +744,12 @@ * * @return none */ -static INLINE void EventAnomOversize(Frag3Context *context) +static inline void EventAnomOversize(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ FRAG3_ANOMALY_OVERSIZE, /* SID */ 1, /* rev */ 0, /* classification enum */ 
@@ -757,12 +769,12 @@ * * @return none */ -static INLINE void EventAnomZeroFrag(Frag3Context *context) +static inline void EventAnomZeroFrag(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ FRAG3_ANOMALY_ZERO, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -781,12 +793,12 @@ * * @return none */ -static INLINE void EventAnomBadsizeLg(Frag3Context *context) +static inline void EventAnomBadsizeLg(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ FRAG3_ANOMALY_BADSIZE_LG, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -805,12 +817,12 @@ * * @return none */ -static INLINE void EventAnomBadsizeSm(Frag3Context *context) +static inline void EventAnomBadsizeSm(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ FRAG3_ANOMALY_BADSIZE_SM, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -829,12 +841,12 @@ * * @return none */ -static INLINE void EventAnomOverlap(Frag3Context *context) +static inline void EventAnomOverlap(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3,/* GID */ FRAG3_ANOMALY_OVLP, /* SID */ 1, /* rev */ 0, /* classification enum */ @@ -853,12 +865,12 @@ * * @return none */ -static INLINE void EventAnomScMinTTL(Frag3Context *context) +static inline void EventAnomScMinTTL(Frag3Context *context) { if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) return; - SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ + SnortEventqAdd(GENERATOR_SPP_FRAG3, /* GID */ FRAG3_MIN_TTL_EVASION, /* SID */ 1, /* rev */ 0, /* classification enum */ 
@@ -934,12 +946,13 @@ } #endif final(a,b,c); - + return c; } int Frag3KeyCmpFunc(const void *s1, const void *s2, size_t n) { +#ifndef SPARCV9 /* ie, everything else, use 64bit comparisons */ uint64_t *a, *b; a = (uint64_t*)s1; @@ -966,22 +979,64 @@ /* SUP_IP6 Compares IPv6 id, vlan/proto/ipver */ #ifdef MPLS + a++; + b++; { uint32_t *x, *y; x = (uint32_t *)a; y = (uint32_t *)b; - x++; - y++; + //x++; + //y++; if (*x - *y) return 1; /* Compares mpls label */ } #endif +#else /* SPARCV9 */ + uint32_t *a,*b; + + a = (uint32_t*)s1; + b = (uint32_t*)s2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* Compares IPv4 sip/dip */ + /* SUP_IP6 Compares IPv6 sip[0,1] */ +#ifdef SUP_IP6 + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* SUP_IP6 Compares IPv6 sip[2,3] */ + + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* SUP_IP6 Compares IPv6 dip[0,1] */ + + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* SUP_IP6 Compares IPv6 dip[2,3] */ +#endif + + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* Compares IPv4 id/pad, vlan/proto/ipver */ + /* SUP_IP6 Compares IPv6 id, vlan/proto/ipver */ + +#ifdef MPLS + a+=2; + b+=2; + { + uint32_t *x, *y; + x = (uint32_t *)a; + y = (uint32_t *)b; + //x++; + //y++; + if (*x - *y) return 1; /* Compares mpls label */ + } +#endif +#endif /* SPARCV9 */ + return 0; } /** - * Global init function, handles setting up the runtime hash table and - * memory management mode. Global configuration applies only to default configuration, + * Global init function, handles setting up the runtime hash table and + * memory management mode. Global configuration applies only to default configuration, * which is in vlanGroup 0 * * @param args argument string to process for config data 
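Review bot: Frag3KeyCmpFunc still ignores its `n` parameter in both the 64-bit path and the new SPARCV9 path, so the hand-counted pointer strides silently assume a specific FRAGKEY layout; a `_Static_assert` on `sizeof(FRAGKEY)` next to the struct definition, or at least `(void)n;` with a comment saying the size is deliberately unused, would document that. The MPLS block is now duplicated verbatim in both paths and both copies carry the commented-out `//x++; //y++;` lines — delete dead code rather than commenting it out, and consider a small static helper so the two copies cannot drift. Both paths also test inequality with `*a - *b` on unsigned values, which is correct but reads as arithmetic; `*a != *b` says what is meant.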
@@ -1042,6 +1097,7 @@ pCurrentPolicyConfig->memcap = FRAG_MEMCAP; pCurrentPolicyConfig->static_frags = 0; pCurrentPolicyConfig->use_prealloc = 0; + pCurrentPolicyConfig->use_prealloc_frags = 0; Frag3ParseGlobalArgs(pCurrentPolicyConfig, args); @@ -1051,24 +1107,25 @@ pCurrentPolicyConfig->memcap = pDefaultPolicyConfig->memcap; pCurrentPolicyConfig->max_frags = pDefaultPolicyConfig->max_frags; pCurrentPolicyConfig->use_prealloc = pDefaultPolicyConfig->use_prealloc; + pCurrentPolicyConfig->use_prealloc_frags = pDefaultPolicyConfig->use_prealloc_frags; pCurrentPolicyConfig->static_frags = pDefaultPolicyConfig->static_frags; } - /* + /* * we really only need one frag cache no matter how many different * contexts we have loaded */ if(f_cache == NULL) { /* we keep FragTrackers in the hash table.. */ - int hashTableSize = (int) (pCurrentPolicyConfig->max_frags * 1.4); - int maxFragMem = pCurrentPolicyConfig->max_frags * ( - sizeof(FragTracker) + + unsigned long hashTableSize = (unsigned long) (pCurrentPolicyConfig->max_frags * 1.4); + unsigned long maxFragMem = pCurrentPolicyConfig->max_frags * ( + sizeof(FragTracker) + sizeof(SFXHASH_NODE) + sizeof (FRAGKEY) + sizeof(SFXHASH_NODE *)); - int tableMem = (hashTableSize + 1) * sizeof(SFXHASH_NODE *); - int maxMem = maxFragMem + tableMem; + unsigned long tableMem = (hashTableSize + 1) * sizeof(SFXHASH_NODE *); + unsigned long maxMem = maxFragMem + tableMem; f_cache = sfxhash_new( hashTableSize, /* number of hash buckets */ sizeof(FRAGKEY), /* size of the key we're going to use */ @@ -1083,7 +1140,7 @@ if(!f_cache) { LogMessage("WARNING: Unable to generate new sfxhash for frag3, " - "defragmentation disabled!\n"); + "defragmentation disabled.\n"); return; } 
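Review bot: The hash sizing now uses `unsigned long` locals, but `hashTableSize` is computed as `(unsigned long)(max_frags * 1.4)` and then passed to `sfxhash_new`, whose row-count parameter type is not visible here; if it is still an `int`, the value is narrowed back implicitly and a large `max_frags` wraps negative. A bound check before the call, e.g. `if (hashTableSize > INT_MAX) FatalError("...");` (needs `<limits.h>`), or a matching change to the sfxhash_new signature, would close that gap. `max_frags` is parsed with strtol elsewhere in this diff with only a `<= 0` check, so the wide-value case is reachable from configuration.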
@@ -1093,6 +1150,12 @@ /* display the global config for the user */ Frag3PrintGlobalConfig(pCurrentPolicyConfig); +#ifdef REG_TEST + LogMessage("\n"); + LogMessage(" FragTracker Size: %lu\n",sizeof(FragTracker)); + LogMessage("\n"); +#endif + /* register the preprocessor func node */ if ( !pCurrentPolicyConfig->disabled ) AddFuncToPreprocList(Frag3Defrag, PRIORITY_NETWORK, PP_FRAG3, PROTO_BIT__IP); @@ -1107,7 +1170,7 @@ */ static void Frag3Init(char *args) { - Frag3Context *context; /* context pointer */ + Frag3Context *context; /* context pointer */ tSfPolicyId policy_id = getParserPolicy(); Frag3Config *config = NULL; @@ -1125,7 +1188,7 @@ /* - * setup default context config. Thinking maybe we should go with + * setup default context config. Thinking maybe we should go with * FRAG_POLICY_FIRST or FRAG_POLICY_LINUX as the default instead of * BSD since Win32/Linux have a higher incidence of occurrence. Anyone * with an opinion on the matter feel free to email me... @@ -1231,7 +1294,7 @@ host_entry->hostInfo.vendor.value.s_value, host_entry->hostInfo.version.value.s_value, host_entry->hostInfo.fragPolicyName);); - + return 0; } #endif @@ -1245,7 +1308,7 @@ */ static int Frag3VerifyConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -1255,7 +1318,7 @@ return 0; //do any housekeeping before processingFrag3Config - if ((policyId != getDefaultPolicy()) + if ((policyId != getDefaultPolicy()) && (pPolicyConfig->numFrag3Contexts == 0)) { FatalError("Frag3VerifyConfig: PolicyId %d, policy engine required " 
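Review bot: `LogMessage(" FragTracker Size: %lu\n",sizeof(FragTracker));` passes a `size_t` to `%lu`, which is a format/argument mismatch on any platform where `size_t` is not `unsigned long`. Use `%zu`, or cast: `LogMessage(" FragTracker Size: %lu\n", (unsigned long)sizeof(FragTracker));`. It is only compiled under REG_TEST, so the impact is limited to regression-test output, but that output should not depend on the ABI either.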
@@ -1288,22 +1351,22 @@ Frag3Frag *tmp; /* for initializing the prealloc queue */ unsigned int i; /* counter */ Frag3Config *config = NULL; - + config = sfPolicyUserDataGetDefault(frag3_config); if (config == NULL) return; pkt_snaplen = DAQ_GetSnapLen(); - /* - * user has decided to prealloc the node structs for performance + /* + * user has decided to prealloc the node structs for performance */ if(config->use_prealloc) { if (config->static_frags == 0) { - config->static_frags = (uint32_t)config->memcap / - (sizeof(Frag3Frag) + sizeof(uint8_t) * pkt_snaplen) + 1; + config->static_frags = (uint32_t)(config->memcap / + (sizeof(Frag3Frag) + sizeof(uint8_t) * pkt_snaplen) + 1); config->ten_percent = config->static_frags >> 5; } @@ -1320,7 +1383,7 @@ } /** - * Config parser for global config. + * Config parser for global config. * * @param args List of configuration parameters * @@ -1335,7 +1398,8 @@ char **stoks = NULL; int s_toks; char *endPtr; - int32_t value; + long ivalue; + unsigned long value; if ((args == NULL) || (gconfig == NULL)) return; @@ -1356,12 +1420,12 @@ file_name, file_line); } - gconfig->max_frags = value = strtoul(stoks[1], &endPtr, 10); + gconfig->max_frags = ivalue = strtol(stoks[1], &endPtr, 10); - if ((endPtr == &stoks[1][0]) || (value <= 0)) + if ((endPtr == &stoks[1][0]) || (ivalue <= 0)) { FatalError("%s(%d) => Invalid max_frags in config file. " - "Integer parameter required.\n", file_name, + "Integer parameter required.\n", file_name, file_line); } } 
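Review bot: In the max_frags branch the parsed value is stored into `gconfig->max_frags` before it is validated, and the check `(endPtr == &stoks[1][0]) || (ivalue <= 0)` is weaker than the `!*stoks[1] || *stoks[1] == '-' || *endPtr` form this same commit introduces for memcap, prealloc_memcap and prealloc_frags: trailing garbage such as `max_frags 65536x` is accepted, and an out-of-range value (strtol returns LONG_MAX with errno set to ERANGE) passes the `<= 0` test and is then truncated on assignment if `max_frags` is narrower than `long` (its declaration is outside this diff). Validate first and assign only on success: `errno = 0; ivalue = strtol(stoks[1], &endPtr, 10);` / `if (endPtr == stoks[1] || *endPtr || errno == ERANGE || ivalue <= 0 || ivalue > INT_MAX) FatalError(...);` / `gconfig->max_frags = (int)ivalue;`, adjusting the upper bound to the field's real type. FatalError does not return, so the early store is harmless today, but the pattern makes the check easy to break later.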
@@ -1376,17 +1440,17 @@ gconfig->memcap = value = strtoul(stoks[1], &endPtr, 10); - if ((endPtr == &stoks[1][0]) || (value <= 0)) + if (!*stoks[1] || *stoks[1] == '-' || *endPtr) { FatalError("%s(%d) => Invalid memcap in config file. " - "Integer parameter required.\n", file_name, + "Integer parameter required.\n", file_name, file_line); } if (gconfig->memcap < 16384) { LogMessage("WARNING %s(%d) => Ludicrous (<16k) memcap " - "size, setting to default (%d bytes)\n", + "size, setting to default (%d bytes)\n", file_name, file_line, FRAG_MEMCAP); gconfig->memcap = FRAG_MEMCAP; @@ -1398,7 +1462,7 @@ else if(!strcasecmp(stoks[0], "prealloc_memcap")) { /* Use memcap to calculate prealloc_frag value */ - int memcap = FRAG_MEMCAP; + unsigned long memcap = FRAG_MEMCAP; if (s_toks != 2) { @@ -1409,17 +1473,17 @@ memcap = value = strtoul(stoks[1], &endPtr, 10); - if ((endPtr == &stoks[1][0]) || (value <= 0)) + if (!*stoks[1] || *stoks[1] == '-' || *endPtr) { FatalError("%s(%d) => Invalid prealloc_memcap in config file. " - "Integer parameter required.\n", file_name, + "Integer parameter required.\n", file_name, file_line); } if(memcap < 16384) { LogMessage("WARNING %s(%d) => Ludicrous (<16k) prealloc_memcap " - "size, setting to default (%d bytes)\n", + "size, setting to default (%d bytes)\n", file_name, file_line, FRAG_MEMCAP); memcap = FRAG_MEMCAP; } @@ -1437,12 +1501,12 @@ } gconfig->static_frags = value = strtoul(stoks[1], &endPtr, 10); - gconfig->use_prealloc = 1; + gconfig->use_prealloc_frags = gconfig->use_prealloc = 1; - if ((endPtr == &stoks[1][0]) || (value <= 0)) + if (!*stoks[1] || *stoks[1] == '-' || *endPtr) { FatalError("%s(%d) => Invalid prealloc_frags in config file. " - "Integer parameter required.\n", file_name, + "Integer parameter required.\n", file_name, file_line); } } @@ -1463,7 +1527,7 @@ } /** - * Config parser for engine context config. + * Config parser for engine context config. * * @param args List of configuration parameters * 
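Review bot: The new memcap check `!*stoks[1] || *stoks[1] == '-' || *endPtr` rejects empty, negative and trailing-garbage input but not overflow: `strtoul` returns `ULONG_MAX` and sets `errno` to `ERANGE` for a value that does not fit, and that silently becomes the configured cap. Set `errno = 0;` before the call and add `|| errno == ERANGE` to the condition; the same applies to the prealloc_memcap and prealloc_frags hunks below. In the prealloc_frags hunk the value is additionally stored into `static_frags`, which Frag3PreallocInit elsewhere in this diff casts to `uint32_t`, so if that is the field's type an `unsigned long` that exceeds it is truncated without notice and deserves an explicit upper-bound check as well.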
@@ -1644,10 +1708,9 @@ PROFILE_VARS; /* check to make sure this preprocessor should run */ - if( (p == NULL) || + if( (p == NULL) || !IPH_IS_VALID(p) || !p->frag_flag || - (p->error_flags & PKT_ERR_CKSUM_IP) ) /*|| - (p->packet_flags & PKT_REBUILT_FRAG)) */ + (p->error_flags & PKT_ERR_CKSUM_IP) ) { return; } @@ -1682,7 +1745,7 @@ if(IpAddrSetContains(f3context->bound_addrs, GET_DST_ADDR(p))) #endif { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Found engine context in IpAddrSet\n");); break; } 
@@ -1693,43 +1756,50 @@ if (!f3context) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Could not find Frag3 engine context " "for IP %s\n", inet_ntoa(GET_SRC_ADDR(p)));); return; } } - /* Ugly HACK -- if frag offset is 0 & UDP, let that packet go - * through the rest of the system. This results in the - * first packet going through detection. If we do see - * the rest of the frags, the contents of that first frag - * will go through again with the defrag'd (built) packet. + /* + * First case: if frag offset is 0 & UDP, let that packet go + * through the rest of the system. Ugly HACK to detect DNS + * attack on 0 offset UDP. + * + * Second case: If frag offset is 0 & !more frags, this is a + * full-frame "fragment", let the packet go through the rest + * of the system. + * + * In other words: + * a = frag_offset != 0 + * b = !UDP + * c = More Fragments + * + * if (a | (b & c)) + * Disable Inspection since we'll look at the payload in + * a rebuilt packet later. So don't process it further. */ - if ((p->frag_offset != 0) || (GET_IPH_PROTO(p) != IPPROTO_UDP)) + if ((p->frag_offset != 0) || ((GET_IPH_PROTO(p) != IPPROTO_UDP) && (p->mf))) { - /* - * This packet is fragmented, will either be dropped - * or payload included in a rebuilt packet later. Don't - * process it further. 
- */ - DisableDetect(p); - SetPreprocBit(p, PP_SFPORTSCAN); - SetPreprocBit(p, PP_PERFMONITOR); - otn_tmp = NULL; + DisableDetect(p); + SetPreprocBit(p, PP_SFPORTSCAN); + SetPreprocBit(p, PP_PERFMONITOR); + otn_tmp = NULL; } /* - * pkt's not going to make it to the target, bail + * pkt's not going to make it to the target, bail */ if(GET_IPH_TTL(p) < f3context->min_ttl) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Fragment discarded due to low TTL " - "[0x%X->0x%X], TTL: %d " "Offset: %d Length: %d\n", - ntohl(p->iph->ip_src.s_addr), - ntohl(p->iph->ip_dst.s_addr), - GET_IPH_TTL(p), p->frag_offset, + "[0x%X->0x%X], TTL: %d " "Offset: %d Length: %d\n", + ntohl(p->iph->ip_src.s_addr), + ntohl(p->iph->ip_dst.s_addr), + GET_IPH_TTL(p), p->frag_offset, p->dsize);); EventAnomScMinTTL(f3context); 
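Review bot: The rewritten comment above `if ((p->frag_offset != 0) || ((GET_IPH_PROTO(p) != IPPROTO_UDP) && (p->mf)))` drops the one fact from the old comment that a reader needs: a zero-offset UDP fragment that passes through here is inspected now and again in the rebuilt packet if the remaining fragments arrive, so anything it triggers can fire twice. Keep that sentence, e.g. `* Note: such a fragment is inspected twice, once here and once in the rebuilt packet.` The truth table in the comment matches the code, but the case this commit actually changes — offset 0, non-UDP, MF clear (`a=0, b=1, c=0`) — deserves its own line saying that single-fragment non-UDP datagrams are now passed to detection directly. Frag3Defrag begins and ends outside this hunk.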
@@ -1742,42 +1812,42 @@ PREPROC_PROFILE_START(frag3PerfStats); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "\n++++++++++++++++++++++++++++++++++++++++++++++\n");); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[**] [FRAG3] Inspecting fragment...\n");); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Got frag packet (mem use: %ld frag " "trackers: %d p->pkt_flags: 0x%X " - "prealloc nodes in use: %lu/%lu)\n", + "prealloc nodes in use: %lu/%lu)\n", mem_in_use, - sfxhash_count(f_cache), - p->packet_flags, prealloc_nodes_in_use, + sfxhash_count(f_cache), + p->packet_flags, prealloc_nodes_in_use, frag3_eval_config->static_frags);); pkttime = (struct timeval *) &p->pkth->ts; - /* - * try to get the tracker that this frag should go with + /* + * try to get the tracker that this frag should go with */ if (ft == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Adding New FragTracker...\n");); - /* - * first frag for this packet, start a new tracker + /* + * first frag for this packet, start a new tracker */ Frag3NewTracker(p, &fkey, f3context); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] mem use: %ld frag " "trackers: %d prealloc " - "nodes in use: %lu/%lu\n", + "nodes in use: %lu/%lu\n", mem_in_use, - sfxhash_count(f_cache), - prealloc_nodes_in_use, + sfxhash_count(f_cache), + prealloc_nodes_in_use, frag3_eval_config->static_frags);); - /* + /* * all done, return control to Snort */ PREPROC_PROFILE_END(frag3PerfStats); @@ -1800,7 +1870,7 @@ case FRAG_INSERT_FAILED: #ifdef DEBUG LogMessage("WARNING: Insert into Fraglist failed, " - "(offset: %u)\n", p->frag_offset); + "(offset: %u).\n", p->frag_offset); #endif PREPROC_PROFILE_END(frag3PerfStats); return; 
@@ -1808,10 +1878,10 @@ DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Fragment discarded due to large TTL Delta " "[0x%X->0x%X], TTL: %d orig TTL: %d " - "Offset: %d Length: %d\n", - ntohl(p->iph->ip_src.s_addr), - ntohl(p->iph->ip_dst.s_addr), - GET_IPH_TTL(p), ft->ttl, p->frag_offset, + "Offset: %d Length: %d\n", + ntohl(p->iph->ip_src.s_addr), + ntohl(p->iph->ip_dst.s_addr), + GET_IPH_TTL(p), ft->ttl, p->frag_offset, p->dsize);); f3stats.discards++; PREPROC_PROFILE_END(frag3PerfStats); @@ -1824,14 +1894,14 @@ case FRAG_INSERT_TIMEOUT: #ifdef DEBUG LogMessage("WARNING: Insert into Fraglist failed due to timeout, " - "(offset: %u)\n", p->frag_offset); + "(offset: %u).\n", p->frag_offset); #endif PREPROC_PROFILE_END(frag3PerfStats); return; case FRAG_INSERT_OVERLAP_LIMIT: #ifdef DEBUG LogMessage("WARNING: Excessive IP fragment overlap, " - "(More: %u, offset: %u, offsetSize: %u)\n", + "(More: %u, offset: %u, offsetSize: %u).\n", p->mf, (p->frag_offset<<3), p->ip_frag_len); #endif f3stats.discards++; @@ -1855,15 +1925,15 @@ f3stats.drops++; } - /* - * check to see if it's reassembly time + /* + * check to see if it's reassembly time */ if(Frag3IsComplete(ft)) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[*] Fragment is complete, rebuilding!\n");); - /* + /* * if the frag completes but it's bad we're just going to drop it * instead of wasting time on putting it back together */ @@ -1891,13 +1961,13 @@ } - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Dumped fragtracker (mem use: %ld frag " "trackers: %d prealloc " - "nodes in use: %lu/%lu)\n", + "nodes in use: %lu/%lu)\n", mem_in_use, - sfxhash_count(f_cache), - prealloc_nodes_in_use, + sfxhash_count(f_cache), + prealloc_nodes_in_use, frag3_eval_config->static_frags);); PREPROC_PROFILE_END(frag3PerfStats); 
@@ -1912,20 +1982,20 @@ * @param f3context Engine context * * @return status - * @retval FRAG_TIMEOUT Current time diff is greater than the current + * @retval FRAG_TIMEOUT Current time diff is greater than the current * context's timeout value * @retval FRAG_TIME_OK Current time diff is within the context's prune - * window + * window */ -static INLINE int CheckTimeout(struct timeval *current_time, - struct timeval *start_time, +static inline int CheckTimeout(struct timeval *current_time, + struct timeval *start_time, Frag3Context *f3context) { - struct timeval tv_diff; /* storage struct for the difference between + struct timeval tv_diff; /* storage struct for the difference between current_time and start_time */ TIMERSUB(current_time, start_time, &tv_diff); - + if(tv_diff.tv_sec >= (int)f3context->frag_timeout) { return FRAG_TIMEOUT; @@ -1936,7 +2006,7 @@ /** * Time-related expiration of fragments from the system. Checks the current - * FragTracker for timeout, then walks up the LRU list looking to see if + * FragTracker for timeout, then walks up the LRU list looking to see if * anyone should have timed out. * * @param p Current packet (contains pointer to the current timestamp) @@ -1949,9 +2019,9 @@ * @retval FRAG_OK The current FragTracker has not timed out */ static int Frag3Expire( - Packet *p, - FragTracker *ft, - FRAGKEY *fkey, + Packet *p, + FragTracker *ft, + FRAGKEY *fkey, Frag3Context *f3context) { /* @@ -1959,7 +2029,7 @@ */ if(CheckTimeout( pkttime, - &(ft)->frag_time, + &(ft)->frag_time, f3context) == FRAG_TIMEOUT) { /* @@ -1995,7 +2065,7 @@ } #ifdef SUP_IP6 -static INLINE void FragEvent(Packet *p, int gid, char *str, +static inline void FragEvent(Packet *p, int gid, char *str, int event_flag, int drop_flag) { if (ScIdsMode() && event_flag) 
@@ -2020,11 +2090,11 @@ * set the appropriate frag_flags * * @param p Packet to get the info from - * @param ft FragTracker to set the flags on + * @param ft FragTracker to set the flags on * * @return none */ -static INLINE int Frag3CheckFirstLast(Packet *p, FragTracker *ft, char timeout) +static inline int Frag3CheckFirstLast(Packet *p, FragTracker *ft, char timeout) { uint16_t fragLength; int retVal = FRAG_FIRSTLAST_OK; @@ -2049,11 +2119,13 @@ { if (p->ip_dsize > 100) { - FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, + if (ft->frag_policy == FRAG_POLICY_LINUX) + { + FragEvent(p, FRAG3_IPV6_BSD_ICMP_FRAG, FRAG3_IPV6_BSD_ICMP_FRAG_STR , ScDecoderIpv6BadFragAlerts(), ScDecoderIpv6BadFragDrops()); - + } alerted = 1; } else @@ -2182,10 +2254,10 @@ } #endif - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Frag Status: %s:%s\n", - ft->frag_flags&FRAG_GOT_FIRST?"FIRST":"No FIRST", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Frag Status: %s:%s\n", + ft->frag_flags&FRAG_GOT_FIRST?"FIRST":"No FIRST", ft->frag_flags&FRAG_GOT_LAST?"LAST":"No LAST");); - return retVal; + return retVal; } /** @@ -2194,14 +2266,14 @@ * @param p The current packet to get the key info from * @param fkey Pointer to a container for the FragKey * - * @return Pointer to the FragTracker in the hash bucket or NULL if there is + * @return Pointer to the FragTracker in the hash bucket or NULL if there is * no fragment in the hash bucket */ static FragTracker *Frag3GetTracker(Packet *p, FRAGKEY *fkey) { FragTracker *returned; /* FragTracker ptr returned by the lookup */ - /* + /* * we have to setup the key first, downstream functions depend on * it being setup here */ 
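Review bot: In Frag3CheckFirstLast the FragEvent call is now gated on `ft->frag_policy == FRAG_POLICY_LINUX`, but `alerted = 1;` stays outside the new `if`, so it is set for every policy even when no event was raised. If `alerted` is what suppresses a later event or decision in this function (its use is outside the hunk), non-Linux policies now skip both the event and whatever `alerted` guards; moving `alerted = 1;` inside the new block restores the previous meaning. A one-line comment on why an event named FRAG3_IPV6_BSD_ICMP_FRAG fires only under the Linux policy would also help, since the name suggests the opposite.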
@@ -2220,7 +2292,7 @@ COPY4(fkey->sip, p->ip6h->ip_src.ip32); COPY4(fkey->dip, p->ip6h->ip_dst.ip32); fkey->ipver = 6; - /* Data points to the offset, and does not include the next hdr + /* Data points to the offset, and does not include the next hdr * and reserved. Offset it by -2 to get there */ fragHdr = (IP6Frag *)p->ip6_extensions[p->ip6_frag_index].data; /* Can't rely on the next header. Only the 0 offset packet @@ -2248,10 +2320,6 @@ else fkey->mlabel = 0; #endif - if (p->vh) - fkey->vlan_tag = (uint16_t)VTH_VLAN(p->vh); - else - fkey->vlan_tag = 0; /* * if the hash table is empty we're done @@ -2259,7 +2327,7 @@ if(sfxhash_count(f_cache) == 0) return NULL; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[*] Looking up FragTracker using key:\n");); #ifdef DEBUG_FRAG3 @@ -2268,7 +2336,7 @@ returned = (FragTracker *) sfxhash_find(f_cache, fkey); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Frag3GetTracker returning %p for\n", returned);); return returned; @@ -2299,8 +2367,20 @@ { ft->ip_options_len = p->ip_options_len; ft->ip_option_count = p->ip_option_count; - ft->ip_options_data = SnortAlloc(p->ip_options_len); - memcpy(ft->ip_options_data, p->ip_options_data, p->ip_options_len); + if (ft->ip_options_data) + { + /* Already seen 0 offset packet and copied some IP options */ + if (ft->copied_ip_option_count && (ft->copied_ip_option_count != p->ip_option_count)) + { + EventAnomIpOpts(ft->context); + } + } + else + { + /* Allocate and copy in the options */ + ft->ip_options_data = SnortAlloc(p->ip_options_len); + memcpy(ft->ip_options_data, p->ip_options_data, p->ip_options_len); + } } } else @@ -2400,7 +2480,7 @@ * captured. */ //fragLength = p->actual_ip_len - GET_IPH_HLEN(p) * 4; fragLength = p->ip_frag_len; -#ifdef DEBUG +#ifdef DEBUG_MSGS if (p->actual_ip_len != ntohs(GET_IPH_LEN(p))) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, 
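Review bot: The `fkey->vlan_tag` assignment is deleted from the key setup in Frag3GetTracker and nothing in this hunk sets it elsewhere. Unless it is now assigned earlier in the function (outside the hunk) or the field was removed from FRAGKEY, fragments that differ only by VLAN would share a tracker and be reassembled together, which is exactly the cross-context mixing the key exists to prevent; if the field is instead zeroed by a key memset, a comment saying so would help. Frag3KeyCmpFunc in this same diff still documents a `vlan/proto/ipver` word in the key, so the field appears to still exist.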
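Review bot: In Frag3HandleIPOptions, `ft->ip_options_len` and `ft->ip_option_count` are overwritten with the new packet's values before the `if (ft->ip_options_data)` test, but when the buffer already exists it is neither reallocated nor recopied. If a later zero-offset fragment carries a longer option list, the tracker then advertises a length larger than the buffer it allocated, and any consumer that copies `ip_options_len` bytes out of `ip_options_data` (the rebuild path, outside this hunk) would read past the allocation. Move the two assignments into the `else` branch next to the SnortAlloc/memcpy so length and buffer always describe the same data, keeping the anomaly event on mismatch; `copied_ip_option_count` is not set anywhere in this hunk, so confirm where it is maintained.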
@@ -2446,8 +2526,8 @@ } } - /* - * setup the frag tracker + /* + * setup the frag tracker */ #ifdef SUP_IP6 COPY4(tmp->sip,fkey->sip); @@ -2493,8 +2573,8 @@ tmp->config = frag3_config; ((Frag3Config *)sfPolicyUserDataGet(tmp->config, tmp->policy_id))->ref_count++; - /* - * get our first fragment storage struct + /* + * get our first fragment storage struct */ if(!frag3_eval_config->use_prealloc) { @@ -2514,8 +2594,8 @@ f->fptr = (uint8_t *) SnortAlloc(fragLength); mem_in_use += fragLength; - + sfBase.frag3_mem_in_use = mem_in_use; } else { @@ -2556,15 +2636,15 @@ } else { - /* - * all non-last frags are supposed to end on 8-byte boundries + /* + * all non-last frags are supposed to end on 8-byte boundries */ if(frag_end & 7) { - /* - * bonk/boink/jolt/etc attack... + /* + * bonk/boink/jolt/etc attack... */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Short frag (Bonk, etc) attack!\n");); EventAnomShortFrag(f3context); @@ -2594,8 +2674,8 @@ Frag3HandleIPOptions(tmp, p); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "[#] accumulated bytes on FragTracker: %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "[#] accumulated bytes on FragTracker: %d\n", tmp->frag_bytes);); DEBUG_WRAP(DebugMessage(DEBUG_FRAG, @@ -2604,10 +2684,10 @@ #ifdef DEBUG_FRAG3 PrintFragKey(fkey); -#endif +#endif DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "Calling sfxhash(add), overhead at %lu\n", + "Calling sfxhash(add), overhead at %lu\n", f_cache->overhead_bytes);); f3stats.fragtrackers_created++; @@ -2654,17 +2734,17 @@ if (newSize <= 0) { - /* + /* * zero size frag */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "zero size frag after left & right trimming " - "(len: %d slide: %d trunc: %d)\n", + "(len: %d slide: %d trunc: %d)\n", len, slide, trunc);); f3stats.discards++; -#ifdef DEBUG +#ifdef DEBUG_MSGS newfrag = ft->fraglist; while (newfrag) { 
@@ -2698,22 +2778,24 @@ } } - /* - * build a frag struct to track this particular fragment + /* + * build a frag struct to track this particular fragment */ - newfrag = (Frag3Frag *) SnortAlloc(sizeof(Frag3Frag)); + newfrag = (Frag3Frag *) SnortAlloc(sizeof(Frag3Frag)); mem_in_use += sizeof(Frag3Frag); - /* - * allocate some space to hold the actual data + /* + * allocate some space to hold the actual data */ newfrag->fptr = (uint8_t*)SnortAlloc(fragLength); mem_in_use += fragLength; + + sfBase.frag3_mem_in_use = mem_in_use; } else { - /* - * fragments are preallocated, grab one from the list + /* + * fragments are preallocated, grab one from the list */ while((newfrag = Frag3PreallocPop()) == NULL) { @@ -2726,17 +2808,17 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "got newfrag (%p) from prealloc\n", newfrag);); } f3stats.fragnodes_created++; - newfrag->flen = fragLength; + newfrag->flen = fragLength; memcpy(newfrag->fptr, fragStart, fragLength); newfrag->ord = ft->ordinal++; - /* + /* * twiddle the frag values for overlaps */ newfrag->data = newfrag->fptr + slide; @@ -2744,7 +2826,7 @@ newfrag->offset = frag_offset; newfrag->last = lastfrag; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[+] Adding new frag, offset %d, size %d\n" " nf->data = nf->fptr(%p) + slide (%d)\n" " nf->size = len(%d) - slide(%d) - trunc(%d)\n", @@ -2752,12 +2834,12 @@ slide, fragLength, slide, trunc);); /* - * insert the new frag into the list + * insert the new frag into the list */ Frag3FraglistAddNode(ft, left, newfrag); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "[*] Inserted new frag %d@%d ptr %p data %p prv %p nxt %p\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "[*] Inserted new frag %d@%d ptr %p data %p prv %p nxt %p\n", newfrag->size, newfrag->offset, newfrag, newfrag->data, newfrag->prev, newfrag->next);); 
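Review bot: The `sfBase.frag3_mem_in_use = mem_in_use;` update is pasted after `mem_in_use += ...` in three separate allocation paths (this hunk, the Frag3NewTracker hunk before it and the duplicate-fragment hunk after it), while the matching decrements on the free paths are not visible in this diff. A tiny helper, e.g. `static inline void Frag3MemAdd(size_t n) { mem_in_use += n; sfBase.frag3_mem_in_use = mem_in_use; }` with a matching subtract (match `mem_in_use`'s real type, which is declared outside this diff), would keep the perf counter from drifting when a fourth path is added. The explicit `(Frag3Frag *)` cast on the SnortAlloc result is also unnecessary in C.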
@@ -2766,7 +2848,7 @@ */ ft->frag_bytes += newfrag->size; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[#] accumulated bytes on FragTracker %d, count" " %d\n", ft->frag_bytes, ft->fraglist_count);); @@ -2807,22 +2889,24 @@ } } - /* - * build a frag struct to track this particular fragment + /* + * build a frag struct to track this particular fragment */ - newfrag = (Frag3Frag *) SnortAlloc(sizeof(Frag3Frag)); + newfrag = (Frag3Frag *) SnortAlloc(sizeof(Frag3Frag)); mem_in_use += sizeof(Frag3Frag); - /* - * allocate some space to hold the actual data + /* + * allocate some space to hold the actual data */ newfrag->fptr = (uint8_t*)SnortAlloc(left->flen); mem_in_use += left->flen; + + sfBase.frag3_mem_in_use = mem_in_use; } else { - /* - * fragments are preallocated, grab one from the list + /* + * fragments are preallocated, grab one from the list */ while((newfrag = Frag3PreallocPop()) == NULL) { @@ -2835,14 +2919,14 @@ } } - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "got newfrag (%p) from prealloc\n", newfrag);); } f3stats.fragnodes_created++; newfrag->ord = ft->ordinal++; - /* + /* * twiddle the frag values for overlaps */ newfrag->flen = left->flen; @@ -2853,12 +2937,12 @@ newfrag->last = left->last; /* - * insert the new frag into the list + * insert the new frag into the list */ Frag3FraglistAddNode(ft, left, newfrag); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "[*] Inserted new frag %d@%d ptr %p data %p prv %p nxt %p\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "[*] Inserted new frag %d@%d ptr %p data %p prv %p nxt %p\n", newfrag->size, newfrag->offset, newfrag, newfrag->data, newfrag->prev, newfrag->next);); @@ -2867,7 +2951,7 @@ */ ft->frag_bytes += newfrag->size; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[#] accumulated bytes on FragTracker %d, count" " %d\n", ft->frag_bytes, ft->fraglist_count);); 
@@ -2885,19 +2969,19 @@ * @returns 1 if tiny fragment was detected, 0 otherwise */ static inline int checkTinyFragments( - Frag3Context *f3context, - Packet *p, + Frag3Context *f3context, + Packet *p, unsigned int trimmedLength ) { //Snort may need to raise a separate event if - //only trimmed length is tiny. + //only trimmed length is tiny. if(p->mf) { ///detect tiny fragments before processing overlaps. if (f3context->min_fragment_length) { - if (p->ip_frag_len <= f3context->min_fragment_length) + if (p->ip_frag_len <= f3context->min_fragment_length) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Frag3: Received fragment size(%d) is not more than configured min_fragment_length (%d)\n", @@ -2922,7 +3006,7 @@ } int frag3DropAllFragments( - Packet *p + Packet *p ) { FragTracker *ft = (FragTracker *)p->fragtracker; @@ -2939,7 +3023,7 @@ } /** - * This is where the rubber hits the road. Insert the new fragment's data + * This is where the rubber hits the road. Insert the new fragment's data * into the current FragTracker's fraglist, doing anomaly detection and * handling overlaps in a target-based manner. * @@ -2955,7 +3039,7 @@ * @retval FRAG_INSERT_TTL Delta of TTL values beyond configured value * @retval FRAG_INSERT_OK Fragment has been inserted successfully */ -static int Frag3Insert(Packet *p, FragTracker *ft, FRAGKEY *fkey, +static int Frag3Insert(Packet *p, FragTracker *ft, FRAGKEY *fkey, Frag3Context *f3context) { uint16_t orig_offset; /* offset specified in this fragment header */ @@ -2979,15 +3063,15 @@ Frag3Frag *dump_me = NULL; /* frag ptr for complete overlaps to dump */ const uint8_t *fragStart; int16_t fragLength; - char timeout = 0; + char timeout = 0; PROFILE_VARS; - + sfBase.iFragInserts++; PREPROC_PROFILE_START(frag3InsertPerfStats); - /* - * check this fragtracker for expiration as well as + /* + * check this fragtracker for expiration as well as * the rest of the hash table */ if(Frag3Expire(p, ft, fkey, f3context) == FRAG_TRACKER_TIMEOUT) 
@@ -3020,7 +3104,7 @@ ft->ordinal = 0; timeout = 1; - //DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + //DEBUG_WRAP(DebugMessage(DEBUG_FRAG, // "[..] Deleting fragtracker due to timeout!\n");); //PREPROC_PROFILE_END(frag3InsertPerfStats); @@ -3051,7 +3135,7 @@ * captured. */ //len = fragLength = p->actual_ip_len - GET_IPH_HLEN(p) * 4; len = fragLength = p->ip_frag_len; -#ifdef DEBUG +#ifdef DEBUG_MSGS if (p->actual_ip_len != ntohs(GET_IPH_LEN(p))) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, @@ -3059,7 +3143,7 @@ "truncated packet (%d)?\n", p->actual_ip_len, ntohs(GET_IPH_LEN(p)), pkt_snaplen);); } -#endif +#endif /* * setup local variables for tracking this frag @@ -3070,7 +3154,7 @@ frag_offset = (uint16_t)ft->calculated_size; frag_end = frag_offset + fragLength; - /* + /* * might have last frag... */ if(!p->mf) @@ -3088,15 +3172,15 @@ else { uint16_t oldfrag_end; - /* - * all non-last frags are supposed to end on 8-byte boundries + /* + * all non-last frags are supposed to end on 8-byte boundries */ if(frag_end & 7) { - /* - * bonk/boink/jolt/etc attack... + /* + * bonk/boink/jolt/etc attack... */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Short frag (Bonk, etc) attack!\n");); EventAnomShortFrag(f3context); @@ -3120,7 +3204,7 @@ if(ft->frag_flags & FRAG_GOT_LAST) { /* oversize frag attack */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Oversize frag pkt!\n");); EventAnomOversize(f3context); @@ -3134,10 +3218,10 @@ if(frag_end == frag_offset) { - /* - * zero size frag... + /* + * zero size frag... */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Zero size frag!\n");); if(f3context->frag3_alerts & FRAG3_DETECT_ANOMALIES) @@ -3151,10 +3235,10 @@ if(ft->calculated_size > IP_MAXPACKET) { - /* - * oversize pkt... + /* + * oversize pkt... */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Oversize frag!\n");); EventAnomBadsizeLg(f3context); 
@@ -3165,7 +3249,7 @@ return FRAG_INSERT_ANOMALY; } - /* + /* * This may alert on bad options, but we still want to * insert the packet */ @@ -3173,11 +3257,11 @@ ft->frag_pkts++; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Walking frag list (%d nodes), new frag %d@%d\n", ft->fraglist_count, fragLength, frag_offset);); - /* + /* * Need to figure out where in the frag list this frag should go * and who its neighbors are */ @@ -3186,8 +3270,8 @@ i++; right = idx; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "%d right o %d s %d ptr %p prv %p nxt %p\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "%d right o %d s %d ptr %p prv %p nxt %p\n", i, right->offset, right->size, right, right->prev, right->next);); @@ -3199,22 +3283,22 @@ left = right; } - /* - * null things out if we walk to the end of the list + /* + * null things out if we walk to the end of the list */ if(idx == NULL) right = NULL; - /* - * handle forward (left-side) overlaps... + /* + * handle forward (left-side) overlaps... */ if(left) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "Dealing with previous (left) frag %d@%d\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "Dealing with previous (left) frag %d@%d\n", left->size, left->offset);); /* - * generate the overlap of the current packet fragment + * generate the overlap of the current packet fragment * over this left-side fragment */ /* NOTE: If frag_offset is really large, overlap can be @@ -3228,15 +3312,15 @@ ft->overlap_count++; if(frag_end < ft->calculated_size || - ((ft->frag_flags & FRAG_GOT_LAST) && + ((ft->frag_flags & FRAG_GOT_LAST) && frag_end != ft->calculated_size)) { if (!p->mf) { - /* - * teardrop attack... + /* + * teardrop attack... */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Teardrop attack!\n");); EventAttackTeardrop(f3context); 
@@ -3251,13 +3335,13 @@ /* * Ok, we've got an overlap so we need to handle it. * - * The target-based modes here match the data generated by + * The target-based modes here match the data generated by * Paxson's Active Mapping paper as do the policy types. */ switch(ft->frag_policy) { - /* - * new frag gets moved around + /* + * new frag gets moved around */ case FRAG_POLICY_LINUX: case FRAG_POLICY_FIRST: @@ -3267,16 +3351,16 @@ frag_offset += (int16_t)overlap; slide = (int16_t)overlap; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "left overlap, new frag moves: %d bytes, " "slide: %d\n", overlap, slide);); if(frag_end <= frag_offset) { - /* + /* * zero size frag */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "zero size frag\n");); EventAnomZeroFrag(f3context); @@ -3290,9 +3374,9 @@ break; - /* - * new frag stays where it is, overlapee (existing frag) - * gets whacked + /* + * new frag stays where it is, overlapee (existing frag) + * gets whacked */ case FRAG_POLICY_BSD_RIGHT: if (left->offset + left->size >= frag_offset + len) @@ -3312,7 +3396,7 @@ /* The new frag is overlapped on both sides by an * existing frag -- existing frag needs to be split * and the new frag inserted in the middle. - * + * * Need to duplciate left. Adjust that guys * offset by + (frag_offset + len) and * size by - (frag_offset + len - left->offset). @@ -3349,7 +3433,7 @@ dump_me = left; DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "retrans, " - "dumping old frag (offset: %d overlap: %d)\n", + "dumping old frag (offset: %d overlap: %d)\n", dump_me->offset, overlap);); left = left->prev; @@ -3365,7 +3449,7 @@ */ if(frag_end < frag_offset) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "frag_end < frag_offset!");); if(f3context->frag3_alerts & FRAG3_DETECT_ANOMALIES) 
@@ -3393,7 +3477,7 @@ return FRAG_INSERT_FAILED; } - /* + /* * handle tail (right-side) overlaps * * We have to walk thru all the right side frags until the offset of the @@ -3401,8 +3485,8 @@ */ while(right && (right->offset < frag_end) && !done) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "Next (right)fragment %d@%d\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "Next (right)fragment %d@%d\n", right->size, right->offset);); #ifdef DEBUG_FRAG3 @@ -3414,15 +3498,15 @@ if (overlap) { if(frag_end < ft->calculated_size || - ((ft->frag_flags & FRAG_GOT_LAST) && + ((ft->frag_flags & FRAG_GOT_LAST) && frag_end != ft->calculated_size)) { if (!p->mf) { - /* - * teardrop attack... + /* + * teardrop attack... */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[..] Teardrop attack!\n");); EventAttackTeardrop(f3context); @@ -3435,24 +3519,24 @@ } } - /* - * partial right-side overlap, this will be the last frag to check + /* + * partial right-side overlap, this will be the last frag to check */ if(overlap < right->size) { f3stats.overlaps++; ft->overlap_count++; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Right-side overlap %d bytes\n", overlap);); - /* + /* * once again, target-based policy processing */ switch(ft->frag_policy) { - /* - * existing fragment gets truncated + /* + * existing fragment gets truncated */ case FRAG_POLICY_LAST: case FRAG_POLICY_LINUX: @@ -3473,14 +3557,14 @@ DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[!!] right overlap, " "truncating old frag (offset: %d, " "overlap: %d)\n", right->offset, overlap); - DebugMessage(DEBUG_FRAG, + DebugMessage(DEBUG_FRAG, "Exiting right overlap loop...\n");); if (right->size <= 0) { dump_me = right; DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "retrans, " - "dumping old frag (offset: %d overlap: %d)\n", + "dumping old frag (offset: %d overlap: %d)\n", dump_me->offset, overlap);); right = right->next; 
@@ -3489,8 +3573,8 @@ } break; - /* - * new frag gets truncated + /* + * new frag gets truncated */ case FRAG_POLICY_FIRST: case FRAG_POLICY_WINDOWS: @@ -3499,9 +3583,9 @@ trunc = (int16_t)overlap; DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[!!] right overlap, " "truncating new frag (offset: %d " - "overlap: %d)\n", + "overlap: %d)\n", right->offset, overlap); - DebugMessage(DEBUG_FRAG, + DebugMessage(DEBUG_FRAG, "Exiting right overlap loop...\n");); break; } @@ -3518,7 +3602,7 @@ */ if(!alerted_overlap && (f3context->frag3_alerts & FRAG3_DETECT_ANOMALIES)) { - /* + /* * retrans/full overlap */ EventAnomOverlap(f3context); @@ -3551,7 +3635,7 @@ ft->frag_bytes -= right->size; DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "retrans, " - "dumping old frag (offset: %d overlap: %d)\n", + "dumping old frag (offset: %d overlap: %d)\n", dump_me->offset, overlap);); right = right->next; @@ -3581,7 +3665,7 @@ /* ie, fall through to the next case */ - /* + /* * overlap is rejected */ case FRAG_POLICY_FIRST: @@ -3604,11 +3688,11 @@ if (frag_end - trunc <= frag_offset) { - /* + /* * zero size frag */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "zero size frag (len: %d overlap: %d)\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "zero size frag (len: %d overlap: %d)\n", fragLength, overlap);); f3stats.discards++; @@ -3645,7 +3729,7 @@ { curr_end = right->offset + right->size; left = right; - right = right->next; + right = right->next; } if (right && (right->offset < frag_end)) @@ -3686,8 +3770,8 @@ } break; - /* - * retrans accepted, dump old frag + /* + * retrans accepted, dump old frag */ right_overlap_last: case FRAG_POLICY_BSD_RIGHT: @@ -3697,7 +3781,7 @@ ft->frag_bytes -= right->size; DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "retrans, " - "dumping old frag (offset: %d overlap: %d)\n", + "dumping old frag (offset: %d overlap: %d)\n", dump_me->offset, overlap);); right = right->next; 
@@ -3712,7 +3796,7 @@ ///detect tiny fragments but continue processing checkTinyFragments(f3context, p, len-slide-trunc); - if ((f3context->overlap_limit) && + if ((f3context->overlap_limit) && (ft->overlap_count >= f3context->overlap_limit)) { //overlap limit exceeded. Raise event on all subsequent fragments @@ -3735,7 +3819,7 @@ "Fully truncated right overlap\n");); } - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Frag3Insert(): returning normally\n");); PREPROC_PROFILE_END(frag3InsertPerfStats); @@ -3751,9 +3835,9 @@ * @retval 1 If the FragTracker is ready to be rebuilt * @retval 0 If the FragTracker hasn't fulfilled its completion criteria */ -static INLINE int Frag3IsComplete(FragTracker *ft) +static inline int Frag3IsComplete(FragTracker *ft) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[$] Checking completion criteria\n");); /* @@ -3762,7 +3846,7 @@ if((ft->frag_flags & FRAG_GOT_FIRST) && (ft->frag_flags & FRAG_GOT_LAST)) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, " Got First and Last frags\n");); /* @@ -3771,7 +3855,7 @@ */ if(ft->frag_bytes == ft->calculated_size) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, " [!] frag_bytes = calculated_size!\n");); sfBase.iFragCompletes++; @@ -3781,7 +3865,7 @@ if (ft->frag_bytes > ft->calculated_size) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, " [!] frag_bytes > calculated_size!\n");); sfBase.iFragCompletes++; @@ -3789,7 +3873,7 @@ return 1; } - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, " Calc size (%d) != frag bytes (%d)\n", ft->calculated_size, ft->frag_bytes);); @@ -3799,8 +3883,8 @@ return 0; } - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - " Missing First or Last frags (frag_flags: 0x%X)\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + " Missing First or Last frags (frag_flags: 0x%X)\n", ft->frag_flags);); return 0; 
@@ -3827,10 +3911,10 @@ #ifdef SUP_IP6 // XXX NOT YET IMPLEMENTED - debugging #else - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Rebuilding pkt [0x%X:%d 0x%X:%d]\n", - p->iph->ip_src.s_addr, p->sp, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Rebuilding pkt [0x%X:%d 0x%X:%d]\n", + p->iph->ip_src.s_addr, p->sp, p->iph->ip_dst.s_addr, p->dp); - DebugMessage(DEBUG_FRAG, "Calculated size: %d\n", + DebugMessage(DEBUG_FRAG, "Calculated size: %d\n", ft->calculated_size); DebugMessage(DEBUG_FRAG, "Frag Bytes: %d\n", ft->frag_bytes); ); @@ -3845,8 +3929,8 @@ #endif dpkt = defrag_pkt; - Encode_Format(ENC_FLAG_DEF|ENC_FLAG_FWD, p, dpkt); - /* + Encode_Format(ENC_FLAG_DEF|ENC_FLAG_FWD, p, dpkt, PSEUDO_PKT_IP); + /* * set the pointer to the end of the rebuild packet */ rebuild_ptr = (uint8_t*)dpkt->data; @@ -3856,7 +3940,7 @@ { /* * if there are IP options, copy those in as well - * these are for the inner IP... + * these are for the inner IP... */ if (ft->ip_options_data && ft->ip_options_len) { @@ -3867,7 +3951,7 @@ "Adjusting IP Header to %d bytes\n", new_ip_hlen);); SET_IP_HLEN((IPHdr *)dpkt->iph, new_ip_hlen>>2); - + ret = SafeMemcpy(rebuild_ptr, ft->ip_options_data, ft->ip_options_len, rebuild_ptr, rebuild_end); @@ -3886,29 +3970,29 @@ */ } - /* - * clear the packet fragment fields - */ + /* + * clear the packet fragment fields + */ ((IPHdr *)dpkt->iph)->ip_off = 0x0000; dpkt->frag_flag = 0; - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[^^] Walking fraglist:\n");); } - /* - * walk the fragment list and rebuild the packet + /* + * walk the fragment list and rebuild the packet */ for(frag = ft->fraglist; frag; frag = frag->next) { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, " frag: %p\n" " frag->data: %p\n" " frag->offset: %d\n" " frag->size: %d\n" " frag->prev: %p\n" " frag->next: %p\n", - frag, frag->data, frag->offset, + frag, frag->data, frag->offset, frag->size, frag->prev, frag->next);); /* 
@@ -3918,12 +4002,12 @@ if ((frag->offset + frag->size) > (uint16_t)ft->calculated_size) continue; - /* + /* * try to avoid buffer overflows... */ if (frag->size) { - ret = SafeMemcpy(rebuild_ptr+frag->offset, frag->data, frag->size, + ret = SafeMemcpy(rebuild_ptr+frag->offset, frag->data, frag->size, rebuild_ptr, rebuild_end); if (ret == SAFEMEM_ERROR) @@ -3937,13 +4021,14 @@ if (IS_IP4(p)) { - dpkt->dsize = (uint16_t)ft->calculated_size; - Encode_Update(dpkt); - /* - * tell the rest of the system that this is a rebuilt fragment + /* + * tell the rest of the system that this is a rebuilt fragment */ - dpkt->packet_flags = PKT_REBUILT_FRAG; + dpkt->packet_flags |= PKT_REBUILT_FRAG; dpkt->frag_flag = 0; + dpkt->dsize = (uint16_t)ft->calculated_size; + + Encode_Update(dpkt); } #ifdef SUP_IP6 else /* Inner/only is IP6 */ @@ -3976,17 +4061,17 @@ Encode_Update(dpkt); } #endif - + pc.rebuilt_frags++; sfBase.iFragFlushes++; /* Rebuild is complete */ PREPROC_PROFILE_END(frag3RebuildPerfStats); - /* - * process the packet through the detection engine + /* + * process the packet through the detection engine */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Processing rebuilt packet:\n");); f3stats.reassembles++; @@ -4011,7 +4096,7 @@ ProcessPacket(NULL, dpkt->pkth, dpkt->pkt, ft); SnortEventqPop(); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Done with rebuilt packet, marking rebuilt...\n");); ft->frag_flags = ft->frag_flags | FRAG_REBUILT; @@ -4026,7 +4111,7 @@ */ static void Frag3DeleteFrag(Frag3Frag *frag) { - /* + /* * delete the fragment either in prealloc or dynamic mode */ if(!frag3_eval_config->use_prealloc) 
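Review bot: The reordering in the IS_IP4 branch that now assigns `dpkt->dsize` before `Encode_Update(dpkt)` looks like the actual fix (the old order let Encode_Update run on a dsize that had not been set yet), but nothing in the code records that dependency, and the `=` to `|=` change on packet_flags, which stops the rebuilt packet from losing whatever flags Encode_Format() set earlier in the function, is equally silent. Two why-comments would keep the next edit from reverting the order: `/* dsize must be final before Encode_Update() derives the outer lengths from it */` above the assignment, and `/* OR, not assign: keep the flags Encode_Format() already set */` above the packet_flags line. I am inferring what Encode_Update reads from the reordering itself, since its body is not visible here; adjust the wording if it derives something else. Frag3Rebuild starts before and continues past this hunk.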
@@ -4036,10 +4121,12 @@ free(frag); mem_in_use -= sizeof(Frag3Frag); + + sfBase.frag3_mem_in_use = mem_in_use; } else { - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "o %d s %d ptr %p prv %p nxt %p\n", + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "o %d s %d ptr %p prv %p nxt %p\n", frag->offset, frag->size, frag, frag->prev, frag->next);); Frag3PreallocPush(frag); } @@ -4048,7 +4135,7 @@ } /** - * Delete the contents of a FragTracker, in this instance that just means to + * Delete the contents of a FragTracker, in this instance that just means to * dump the fraglist. The sfxhash system deletes the actual FragTracker mem. * * @param ft FragTracker to delete @@ -4060,8 +4147,8 @@ Frag3Frag *idx = ft->fraglist; /* pointer to the fraglist to delete */ Frag3Frag *dump_me = NULL; /* ptr to the Frag3Frag element to drop */ - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, - "Frag3DeleteTracker %d nodes to dump\n", ft->fraglist_count);); + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + "Frag3DeleteTracker %d nodes to dump\n", ft->fraglist_count);); /* * delete all the nodes in a fraglist @@ -4092,7 +4179,7 @@ */ static void Frag3RemoveTracker(void *key, void *data) { - /* + /* * sfxhash maintains its own self preservation stuff/node freeing stuff */ if(sfxhash_remove(f_cache, key) != SFXHASH_OK) @@ -4126,7 +4213,7 @@ policy_id = ft->policy_id; pPolicyConfig = (Frag3Config *)sfPolicyUserDataGet(config, policy_id); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Calling Frag3DeleteTracker()\n");); Frag3DeleteTracker(ft); @@ -4177,7 +4264,7 @@ policy_id = ft->policy_id; pPolicyConfig = (Frag3Config *)sfPolicyUserDataGet(config, policy_id); - DEBUG_WRAP(DebugMessage(DEBUG_FRAG, + DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Calling Frag3DeleteTracker()\n");); Frag3DeleteTracker(ft); @@ -4242,11 +4329,11 @@ (f_cache->count > (frag3_eval_config->max_frags - 5))) { hnode = sfxhash_lru_node(f_cache); - if(!hnode) + if(!hnode) { break; } - + if (hnode && hnode->data == not_me) { if (found_this) 
@@ -4268,7 +4355,7 @@ { char *src_str = SnortStrdup(FragIPToStr(ft->sip, ft->ipver)); LogMessage("(spp_frag3) Frag3Prune: Fragment dropped (timeout)! " - "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), + "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), ft->id, ft->fraglist_count); free(src_str); f3stats.timeouts++; @@ -4278,7 +4365,7 @@ { char *src_str = SnortStrdup(FragIPToStr(ft->sip, ft->ipver)); LogMessage("(spp_frag3) Frag3Prune: Fragment dropped (memory)! " - "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), + "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), ft->id, ft->fraglist_count); free(src_str); } @@ -4297,7 +4384,7 @@ (frag3_eval_config->static_frags - frag3_eval_config->ten_percent)) { hnode = sfxhash_lru_node(f_cache); - if(!hnode) + if(!hnode) { break; } @@ -4324,7 +4411,7 @@ { char *src_str = SnortStrdup(FragIPToStr(ft->sip, ft->ipver)); LogMessage("(spp_frag3) Frag3Prune: Fragment dropped (timeout)! " - "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), + "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), ft->id, ft->fraglist_count); free(src_str); f3stats.timeouts++; @@ -4334,7 +4421,7 @@ { char *src_str = SnortStrdup(FragIPToStr(ft->sip, ft->ipver)); LogMessage("(spp_frag3) Frag3Prune: Fragment dropped (memory)! " - "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), + "[%s->%s ID: %d Count: %d]\n", src_str, FragIPToStr(ft->dip, ft->ipver), ft->id, ft->fraglist_count); free(src_str); } @@ -4380,7 +4467,7 @@ static int Frag3FreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -4488,14 +4575,14 @@ * @return pointer to a Frag3Frag preallocated structure or NULL if the list * is empty */ -static INLINE Frag3Frag *Frag3PreallocPop(void) +static inline Frag3Frag *Frag3PreallocPop(void) { Frag3Frag *node; if(prealloc_frag_list) { node = prealloc_frag_list; - prealloc_frag_list = prealloc_frag_list->next; + prealloc_frag_list = prealloc_frag_list->next; if (prealloc_frag_list) { prealloc_frag_list->prev = NULL; @@ -4527,14 +4614,14 @@ return node; } -/** +/** * Put a prealloc node back into the prealloc_cache pool * * @param node Prealloc node to place back in the pool * * @return none */ -static INLINE void Frag3PreallocPush(Frag3Frag *node) +static inline void Frag3PreallocPush(Frag3Frag *node) { if (!prealloc_frag_list) { @@ -4570,8 +4657,8 @@ * * @return none */ -static INLINE void Frag3FraglistAddNode(FragTracker *ft, Frag3Frag *prev, - Frag3Frag *node) +static inline void Frag3FraglistAddNode(FragTracker *ft, Frag3Frag *prev, + Frag3Frag *node) { if(prev) { @@ -4605,7 +4692,7 @@ * * @return none */ -static INLINE void Frag3FraglistDeleteNode(FragTracker *ft, Frag3Frag *node) +static inline void Frag3FraglistDeleteNode(FragTracker *ft, Frag3Frag *node) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Deleting list node %p (p %p n %p)\n", node, node->prev, node->next);); @@ -4633,7 +4720,7 @@ } /* -** +** ** NAME ** fpAddFragAlert:: ** @@ -4671,7 +4758,7 @@ } /* -** +** ** NAME ** fpFragAlerted:: ** @@ -4854,7 +4941,7 @@ static void Frag3ReloadEngine(char *args) { - Frag3Context *context; /* context pointer */ + Frag3Context *context; /* context pointer */ tSfPolicyId policy_id = getParserPolicy(); Frag3Config *config = NULL; @@ -4911,7 +4998,7 @@ static int Frag3ReloadVerifyPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { 
@@ -4961,7 +5048,7 @@ static int Frag3ReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.9.0.1/src/preprocessors/spp_frag3.h snort-2.9.2/src/preprocessors/spp_frag3.h --- snort-2.9.0.1/src/preprocessors/spp_frag3.h 2010-01-26 10:10:13.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_frag3.h 2011-02-09 15:23:29.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2004-2010 Sourcefire, Inc. +** Copyright (C) 2004-2011 Sourcefire, Inc. ** Copyright (C) 1998-2004 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/spp_httpinspect.c snort-2.9.2/src/preprocessors/spp_httpinspect.c --- snort-2.9.0.1/src/preprocessors/spp_httpinspect.c 2010-10-25 12:49:09.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_httpinspect.c 2011-11-21 14:46:52.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,13 +18,13 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file preproc_setup.c -** +** ** @author Daniel Roelker <droelker@sourcefire.com> ** -** @brief This file initializes HttpInspect as a Snort +** @brief This file initializes HttpInspect as a Snort ** preprocessor. ** ** This file registers the HttpInspect initialization function, @@ -44,9 +44,13 @@ #include <string.h> #include <sys/types.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "decode.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "parser.h" 
@@ -58,6 +62,7 @@ #include "hi_util_kmap.h" #include "hi_util_xmalloc.h" #include "hi_cmd_lookup.h" +#include "hi_paf.h" #include "snort.h" #include "profiler.h" @@ -71,6 +76,7 @@ #endif #include "snort_stream5_session.h" #include "sfPolicy.h" +#include "mempool.h" /* ** Defines for preprocessor initialization @@ -116,10 +122,12 @@ static tSfPolicyId httpCurrentPolicy = 0; #ifdef ZLIB -#include "mempool.h" MemPool *hi_gzip_mempool = NULL; #endif +MemPool *http_mempool = NULL; +int hex_lookup[256]; +int valid_lookup[256]; /* ** Prototypes */ @@ -138,6 +146,8 @@ static int HttpEncodeEval(void *, const uint8_t **, void *); static void HttpEncodeCleanup(void *); static void HttpInspectRegisterRuleOptions(void); +static void HttpInspectRegisterXtraDataFuncs(HTTPINSPECT_GLOBAL_CONF *); +static inline void InitLookupTables(void); #ifdef TARGET_BASED static void HttpInspectAddServicesOfInterest(tSfPolicyId); #endif @@ -206,7 +216,7 @@ /* XXX: * NOTE: this includes the HTTPInspect directly - * calling the detection engine - + * calling the detection engine - * to get the true HTTPInspect only stats, have another * var inside SnortHttpInspect that tracks the time * spent in Detect(). @@ -226,7 +236,7 @@ return; } -static void HttpInspectDropStats(int exiting) +static void HttpInspectDropStats(int exiting) { if(!hi_stats.total) return; 
@@ -253,14 +263,14 @@ #endif LogMessage(" Post parameters extracted: %-10I64u\n", hi_stats.post_params); LogMessage(" HTTP Response Headers extracted: %-10I64u\n", hi_stats.resp_headers); -#ifdef DEBUG +#ifdef DEBUG if (hi_stats.resp_headers == 0) LogMessage(" Avg Response Header length: %-10s\n", "n/a"); - else + else LogMessage(" Avg Response Header length: %-10.2f\n", (double)hi_stats.resp_header_len / (double)hi_stats.resp_headers); -#endif +#endif LogMessage(" HTTP Response cookies extracted: %-10I64u\n", hi_stats.resp_cookies); -#ifdef DEBUG +#ifdef DEBUG if (hi_stats.resp_cookies == 0) LogMessage(" Avg Response Cookie length: %-10s\n", "n/a"); else @@ -269,7 +279,6 @@ LogMessage(" Unicode: %-10I64u\n", hi_stats.unicode); LogMessage(" Double unicode: %-10I64u\n", hi_stats.double_unicode); LogMessage(" Non-ASCII representable: %-10I64u\n", hi_stats.non_ascii); - LogMessage(" Base 36: %-10I64u\n", hi_stats.base36); LogMessage(" Directory traversals: %-10I64u\n", hi_stats.dir_trav); LogMessage(" Extra slashes (\"//\"): %-10I64u\n", hi_stats.slashes); LogMessage(" Self-referencing paths (\"./\"): %-10I64u\n", hi_stats.self_ref); @@ -322,7 +331,6 @@ LogMessage(" Unicode: "FMTu64("-10")"\n", hi_stats.unicode); LogMessage(" Double unicode: "FMTu64("-10")"\n", hi_stats.double_unicode); LogMessage(" Non-ASCII representable: "FMTu64("-10")"\n", hi_stats.non_ascii); - LogMessage(" Base 36: "FMTu64("-10")"\n", hi_stats.base36); LogMessage(" Directory traversals: "FMTu64("-10")"\n", hi_stats.dir_trav); LogMessage(" Extra slashes (\"//\"): "FMTu64("-10")"\n", hi_stats.slashes); LogMessage(" Self-referencing paths (\"./\"): "FMTu64("-10")"\n", hi_stats.self_ref); @@ -345,6 +353,10 @@ static void HttpInspectCleanExit(int signal, void *data) { + hi_paf_term(); + + HI_SearchFree(); + HttpInspectFreeConfigs(hi_config); #ifdef ZLIB 
@@ -354,6 +366,12 @@ hi_gzip_mempool = NULL; } #endif + + if (mempool_destroy(http_mempool) == 0) + { + free(http_mempool); + http_mempool = NULL; + } } static void HttpInspectReset(int signal, void *data) @@ -369,7 +387,7 @@ #ifdef ZLIB static void SetMaxGzipSession(HTTPINSPECT_GLOBAL_CONF *pPolicyConfig) { - pPolicyConfig->max_gzip_sessions = + pPolicyConfig->max_gzip_sessions = pPolicyConfig->max_gzip_mem / (pPolicyConfig->compr_depth + pPolicyConfig->decompr_depth); } @@ -423,6 +441,34 @@ } #endif + +static void CheckMemcap(HTTPINSPECT_GLOBAL_CONF *pPolicyConfig, + tSfPolicyUserContextId context) +{ + HTTPINSPECT_GLOBAL_CONF *defaultConfig = + (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(context); + + if (pPolicyConfig == defaultConfig) + { + if (!pPolicyConfig->memcap) + pPolicyConfig->memcap = DEFAULT_HTTP_MEMCAP; + + } + else if (defaultConfig == NULL) + { + if (pPolicyConfig->memcap) + { + FatalError("http_inspect: memcap must be " + "configured in the default policy.\n"); + } + + } + else + { + pPolicyConfig->memcap = defaultConfig->memcap; + } +} + /* ** NAME ** HttpInspectInit:: @@ -430,7 +476,7 @@ /** ** This function initializes HttpInspect with a user configuration. ** -** The function is called when HttpInspect is configured in +** The function is called when HttpInspect is configured in ** snort.conf. It gets passed a string of arguments, which gets ** parsed into configuration constructs that HttpInspect understands. ** @@ -471,7 +517,7 @@ if (hi_config == NULL) { hi_config = sfPolicyConfigCreate(); - memset(&hi_stats, 0, sizeof(HIStats)); + memset(&hi_stats, 0, sizeof(HIStats)); /* ** Remember to add any cleanup functions into the appropriate @@ -492,6 +538,8 @@ /* Find and cache protocol ID for packet comparison */ hi_app_protocol_id = AddProtocolReference("http"); #endif + hi_paf_init(0); // FIXTHIS is cap needed? + HI_SearchInit(); } /* 
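Review bot: In CheckMemcap a memcap configured in a non-default policy is silently discarded by the final else branch (`pPolicyConfig->memcap = defaultConfig->memcap;`), while the same setting with no default policy present is a FatalError two branches up; from the operator's side the two cases should at least be consistent. A per-policy value that differs from the default's should produce a warning before being overwritten, e.g. `if (pPolicyConfig->memcap && pPolicyConfig->memcap != defaultConfig->memcap) ErrorMessage("WARNING: http_inspect: memcap is only honored in the default policy.\n");` placed before the assignment. Whether sfPolicyUserDataGetDefault can return the config currently being parsed is not visible here, so the first comparison is assumed to be evaluated at the right time. The `hi_paf_init(0); // FIXTHIS is cap needed?` line later on this physical line also ships an unresolved TODO; if 0 is meant as "no cap", say so in the comment instead.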
@@ -505,7 +553,7 @@ pPolicyConfig = (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(hi_config); if (pPolicyConfig == NULL) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) { ParseError("Must configure the http inspect global " "configuration first."); @@ -513,11 +561,12 @@ HttpInspectRegisterRuleOptions(); - pPolicyConfig = (HTTPINSPECT_GLOBAL_CONF *)SnortAlloc(sizeof(HTTPINSPECT_GLOBAL_CONF)); + pPolicyConfig = (HTTPINSPECT_GLOBAL_CONF *)SnortAlloc(sizeof(HTTPINSPECT_GLOBAL_CONF)); if (!pPolicyConfig) { ParseError("HTTP INSPECT preprocessor: memory allocate failed.\n"); } + sfPolicyUserDataSetCurrent(hi_config, pPolicyConfig); iRet = HttpInspectInitializeGlobalConfig(pPolicyConfig, @@ -532,22 +581,33 @@ #ifdef ZLIB CheckGzipConfig(pPolicyConfig, hi_config); #endif + CheckMemcap(pPolicyConfig, hi_config); PrintGlobalConf(pPolicyConfig); /* Add HttpInspect into the preprocessor list */ -#ifdef ZLIB if ( pPolicyConfig->disabled ) return; -#endif - AddFuncToPreprocList(HttpInspect, PRIORITY_APPLICATION, PP_HTTPINSPECT, PROTO_BIT__TCP); + AddFuncToPreprocList(HttpInspect, PRIORITY_APPLICATION, PP_HTTPINSPECT, PROTO_BIT__TCP); } } } else { +#ifdef SNORT_RELOAD + if (hi_swap_config) + { + HTTPINSPECT_GLOBAL_CONF *pReloadPolicyConfig = NULL; + sfPolicyUserPolicySet (hi_swap_config, policy_id); + pReloadPolicyConfig = (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(hi_swap_config); + if(pReloadPolicyConfig == NULL) + sfPolicyUserPolicySet (hi_config, policy_id); + else + pPolicyConfig = pReloadPolicyConfig; + } +#endif if (strcasecmp(pcToken, SERVER) != 0) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) ParseError("Must configure the http inspect global configuration first."); else ParseError("Invalid http inspect token: %s.", pcToken); @@ -557,6 +617,8 @@ ErrorString, iErrStrLen); } + + if (iRet) { if(iRet > 0) 
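Review bot: The SNORT_RELOAD branch added before the SERVER token check needs a comment explaining its fallback: when hi_swap_config has no global config for policy_id it calls `sfPolicyUserPolicySet(hi_config, policy_id)` and carries on with the pPolicyConfig already looked up from hi_config, which appears to attach a reloaded server block to the running configuration rather than the one being built. If that is intended, say so, e.g. `/* reload: prefer the swap config's global for this policy; fall back to the live config when the reload did not redefine it */`; if it is not, this should fail like the non-reload "Must configure the http inspect global configuration first" case does. I cannot see how hi_swap_config is populated from here, so treat this as a question rather than a confirmed defect. HttpInspectInit starts before and continues past this hunk.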
@@ -566,7 +628,7 @@ */ if(*ErrorString) { - ErrorMessage("%s(%d) => %s\n", + ErrorMessage("%s(%d) => %s\n", file_name, file_line, ErrorString); } } @@ -577,7 +639,7 @@ */ if(*ErrorString) { - FatalError("%s(%d) => %s\n", + FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); } else @@ -587,17 +649,18 @@ */ if(iRet == -2) { - FatalError("%s(%d) => ErrorString is undefined.\n", + FatalError("%s(%d) => ErrorString is undefined.\n", file_name, file_line); } else { - FatalError("%s(%d) => Undefined Error.\n", + FatalError("%s(%d) => Undefined Error.\n", file_name, file_line); } } } } + } /* @@ -629,6 +692,8 @@ RegisterPreprocessor(SERVER_KEYWORD, HttpInspectInit, HttpInspectReload, NULL, NULL); #endif + InitLookupTables(); + InitJSNormLookupTable(); DEBUG_WRAP(DebugMessage(DEBUG_HTTPINSPECT, "Preprocessor: HttpInspect is " "setup . . .\n");); @@ -642,16 +707,32 @@ #endif } +static void HttpInspectRegisterXtraDataFuncs(HTTPINSPECT_GLOBAL_CONF *pPolicyConfig) +{ + if (!stream_api || !pPolicyConfig) + return; + pPolicyConfig->xtra_trueip_id = stream_api->reg_xtra_data_cb(GetHttpTrueIP); + pPolicyConfig->xtra_uri_id = stream_api->reg_xtra_data_cb(GetHttpUriData); + pPolicyConfig->xtra_hname_id = stream_api->reg_xtra_data_cb(GetHttpHostnameData); +#ifndef SOURCEFIRE +#ifdef ZLIB + pPolicyConfig->xtra_gzip_id = stream_api->reg_xtra_data_cb(GetHttpGzipData); +#endif + pPolicyConfig->xtra_jsnorm_id = stream_api->reg_xtra_data_cb(GetHttpJSNormData); +#endif + +} static int HttpInspectVerifyPolicy(tSfPolicyUserContextId config, tSfPolicyId policyId, void* pData) { HTTPINSPECT_GLOBAL_CONF *pPolicyConfig = (HTTPINSPECT_GLOBAL_CONF *)pData; -#ifdef ZLIB + HttpInspectRegisterXtraDataFuncs(pPolicyConfig); + if ( pPolicyConfig->disabled ) return 0; -#endif + if (!stream_api || (stream_api->version < STREAM_API_VERSION5)) { FatalError("HttpInspectConfigCheck() Streaming & reassembly " 
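Review bot: HttpInspectVerifyPolicy now calls HttpInspectRegisterXtraDataFuncs, which goes through `stream_api->reg_xtra_data_cb`, before the existing `stream_api->version < STREAM_API_VERSION5` check that follows it; if reg_xtra_data_cb was added to the API at that version, an older stream module is called through a slot it does not provide before the FatalError can fire. Moving the call to after the version check, and after the `disabled` early return unless a disabled policy still needs the ids, keeps the validation in front of the first use: `if (!stream_api || (stream_api->version < STREAM_API_VERSION5)) FatalError(...); HttpInspectRegisterXtraDataFuncs(pPolicyConfig);`. The values returned by reg_xtra_data_cb are stored in the `xtra_*_id` fields without any check; if the stream API reports a failed registration with a sentinel id, that should be tested here rather than discovered at lookup time. HttpInspectVerifyPolicy continues past the end of this hunk.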
@@ -674,7 +755,7 @@ } -/** Add ports configured for http preprocessor to stream5 port filtering so that if +/** Add ports configured for http preprocessor to stream5 port filtering so that if * any_any rules are being ignored them the the packet still reaches http-inspect. * * For ports in global_server configuration, server_lookup, @@ -691,10 +772,10 @@ hi_ui_server_iterate(config->server_lookup, addServerConfPortsToStream5); } -/**Add server ports from http_inspect preprocessor from snort.comf file to pass through +/**Add server ports from http_inspect preprocessor from snort.comf file to pass through * port filtering. */ -void addServerConfPortsToStream5(void *pData) +static void addServerConfPortsToStream5(void *pData) { unsigned int i; @@ -705,9 +786,19 @@ { if (pConf->ports[i/8] & (1 << (i % 8) )) { + bool client = (pConf->client_flow_depth > -1); + bool server = (pConf->server_flow_depth > -1); + //Add port the port stream_api->set_port_filter_status (IPPROTO_TCP, (uint16_t)i, PORT_MONITOR_SESSION, httpCurrentPolicy, 1); + + // there is a fundamental issue here in that both hi and s5 + // can configure ports per ip independently of each other. + // as is, we enable paf for all http servers if any server + // has a flow depth enabled (per direction). still, if eg + // all server_flow_depths are -1, we will only enable client. + hi_paf_register((uint16_t)i, client, server, httpCurrentPolicy); } } } @@ -750,15 +841,15 @@ if(idx == NULL) { FatalError("%s(%d): Failed allocate data for %s option\n", - file_name, file_line, name); + file_name, file_line, name); } toks = mSplit(parameters, ",", 2, &num_toks, 0); - if(num_toks != 2 ) + if(num_toks != 2 ) { - FatalError("%s (%d): %s option takes two parameters \n", + FatalError("%s (%d): %s option takes two parameters \n", file_name, file_line, name); } 
@@ -785,7 +876,7 @@ if( findStr1 ) { findStr2 = strchr(toks[1], '!' ); - if( findStr2 ) + if( findStr2 ) { FatalError("%s (%d): \"|\" is not supported in conjunction with \"!\" for %s option \n", file_name, file_line, name); 
@@ -805,58 +896,62 @@ { etype = toks1[i]; - if( *etype == '!' ) - { - negate_flag = 1; - etype++; - while(isspace((int)*etype)) {etype++;} - } - - if(!strcasecmp(etype, "utf8")) - { - if(negate_flag) - idx->encode_type &= ~HTTP_ENCODE_TYPE__UTF8_UNICODE; - else - idx->encode_type |= HTTP_ENCODE_TYPE__UTF8_UNICODE; - } - - else if(!strcasecmp(etype, "double_encode")) - { - if(negate_flag) - idx->encode_type &= ~HTTP_ENCODE_TYPE__DOUBLE_ENCODE; - else idx->encode_type |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE; - } - - else if(!strcasecmp(etype, "non_ascii")) - { - if(negate_flag) idx->encode_type &= ~HTTP_ENCODE_TYPE__NONASCII; - else - idx->encode_type |= HTTP_ENCODE_TYPE__NONASCII; - } - - else if(!strcasecmp(etype, "base36")) - { - if(negate_flag) - idx->encode_type &= ~HTTP_ENCODE_TYPE__BASE36; - else - idx->encode_type |= HTTP_ENCODE_TYPE__BASE36; - } - - else if(!strcasecmp(etype, "uencode")) - { - if(negate_flag) - idx->encode_type &= ~HTTP_ENCODE_TYPE__UENCODE; - else - idx->encode_type |= HTTP_ENCODE_TYPE__UENCODE; - } - - else if(!strcasecmp(etype, "bare_byte")) - { - if(negate_flag) - idx->encode_type &= ~HTTP_ENCODE_TYPE__BARE_BYTE; - else - idx->encode_type |= HTTP_ENCODE_TYPE__BARE_BYTE; - } + if( *etype == '!' 
) + { + negate_flag = 1; + etype++; + while(isspace((int)*etype)) {etype++;} + } + + if(!strcasecmp(etype, "utf8")) + { + if(negate_flag) + idx->encode_type &= ~HTTP_ENCODE_TYPE__UTF8_UNICODE; + else + idx->encode_type |= HTTP_ENCODE_TYPE__UTF8_UNICODE; + } + + else if(!strcasecmp(etype, "double_encode")) + { + if(negate_flag) + idx->encode_type &= ~HTTP_ENCODE_TYPE__DOUBLE_ENCODE; + else idx->encode_type |= HTTP_ENCODE_TYPE__DOUBLE_ENCODE; + } + + else if(!strcasecmp(etype, "non_ascii")) + { + if(negate_flag) idx->encode_type &= ~HTTP_ENCODE_TYPE__NONASCII; + else + idx->encode_type |= HTTP_ENCODE_TYPE__NONASCII; + } + + /* Base 36 is deprecated and essentially a noop */ + else if(!strcasecmp(etype, "base36")) + { + ErrorMessage("WARNING: %s (%d): The \"base36\" argument to the " + "\"http_encode\" rule option is deprecated and void " + "of functionality.\n", file_name, file_line); + + /* Set encode type so we can check below to see if base36 was the + * only argument in the encode chain */ + idx->encode_type |= HTTP_ENCODE_TYPE__BASE36; + } + + else if(!strcasecmp(etype, "uencode")) + { + if(negate_flag) + idx->encode_type &= ~HTTP_ENCODE_TYPE__UENCODE; + else + idx->encode_type |= HTTP_ENCODE_TYPE__UENCODE; + } + + else if(!strcasecmp(etype, "bare_byte")) + { + if(negate_flag) + idx->encode_type &= ~HTTP_ENCODE_TYPE__BARE_BYTE; + else + idx->encode_type |= HTTP_ENCODE_TYPE__BARE_BYTE; + } else if (!strcasecmp(etype, "iis_encode")) { if(negate_flag) 
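Review bot: The deprecated `base36` branch ignores `negate_flag`, so `!base36` in a rule still ORs `HTTP_ENCODE_TYPE__BASE36` into `idx->encode_type`, and the bit also survives when base36 is combined with other modifiers; only the case where it is the sole modifier is handled by the check in the next hunk (L8502). Whether a stale BASE36 bit changes matching depends on how `encode_type` is compared at detection time, which is outside this diff, but the comment states the keyword is meant to be a no-op, so the bit should be dropped once the chain has been scanned: after the equality check that assigns `0xffffffff`, add `else idx->encode_type &= ~HTTP_ENCODE_TYPE__BASE36;`. The enclosing function starts before this hunk.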
@@ -872,19 +967,27 @@ idx->encode_type |= HTTP_ENCODE_TYPE__ASCII; } - else - { - FatalError("%s(%d): Unknown modifier \"%s\" for option \"%s\"\n", - file_name, file_line, toks1[i], name); - } - negate_flag = 0; - } + else + { + FatalError("%s(%d): Unknown modifier \"%s\" for option \"%s\"\n", + file_name, file_line, toks1[i], name); + } + negate_flag = 0; + } - *dataPtr = idx; - mSplitFree(&toks,num_toks); + /* Only got base36 parameter which is deprecated. If it's the only + * parameter in the chain make it so it always matches as if the + * entire rule option were non-existent. */ + if (idx->encode_type == HTTP_ENCODE_TYPE__BASE36) + { + idx->encode_type = 0xffffffff; + } + + *dataPtr = idx; + mSplitFree(&toks,num_toks); mSplitFree(&toks1,num_toks1); - return 0; + return 0; } @@ -901,7 +1004,7 @@ { if (!UriBufs[i].uri || (UriBufs[i].length == 0)) continue; - + if (!(idx->uri_buffer == i) || i == HTTP_BUFFER_METHOD || i == HTTP_BUFFER_CLIENT_BODY || i == HTTP_BUFFER_RAW_URI || i == HTTP_BUFFER_RAW_HEADER) continue; @@ -961,6 +1064,43 @@ } #endif +static int HttpInspectExtractUriHostIterate(void *data) +{ + HTTPINSPECT_CONF *server = (HTTPINSPECT_CONF *)data; + + if (server == NULL) + return 0; + + if (server->log_uri || server->log_hostname) + return 1; + + return 0; +} + +static int HttpInspectExtractUriHost(tSfPolicyUserContextId config, + tSfPolicyId policyId, void *pData) +{ + HTTPINSPECT_GLOBAL_CONF *context = (HTTPINSPECT_GLOBAL_CONF *)pData; + + if (pData == NULL) + return 0; + + if(context->disabled) + return 0; + + if ((context->global_server != NULL) && (context->global_server->log_uri || context->global_server->log_hostname)) + return 1; + + if (context->server_lookup != NULL) + { + if (sfrt_iterate2(context->server_lookup, HttpInspectExtractUriHostIterate) != 0) + return 1; + } + + return 0; +} + + /* ** NAME ** HttpInspectCheckConfig:: 
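Review bot: The bare `0xffffffff` stored into `idx->encode_type` in the first hunk is a sentinel meaning "match regardless of encoding", but nothing names it, and the detection-time comparison that has to recognise it is outside this diff. A named constant beside the `HTTP_ENCODE_TYPE__*` flags (for example `HTTP_ENCODE_TYPE__ALL`, a constructed name) used at both sites would make the pairing explicit and survive a future flag being added. The enclosing function of that hunk starts before it.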
@@ -972,17 +1112,18 @@ */ static void HttpInspectCheckConfig(void) { + HTTPINSPECT_GLOBAL_CONF *defaultConfig; + if (hi_config == NULL) return; sfPolicyUserDataIterate (hi_config, HttpInspectVerifyPolicy); + defaultConfig = (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(hi_config); + #ifdef ZLIB { - HTTPINSPECT_GLOBAL_CONF *defaultConfig = - (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(hi_config); - if (sfPolicyUserDataIterate(hi_config, HttpInspectExtractGzip) != 0) { int compress_depth; @@ -1030,6 +1171,24 @@ } } #endif + if (sfPolicyUserDataIterate(hi_config, HttpInspectExtractUriHost) != 0) + { + uint32_t max_sessions_logged; + if (defaultConfig == NULL) + { + FatalError("http_inspect: Must configure a default global " + "configuration if you want to enable logging of uri or hostname in any " + "server configuration.\n"); + } + + max_sessions_logged = defaultConfig->memcap / (MAX_URI_EXTRACTED + MAX_HOSTNAME); + + http_mempool = (MemPool *)SnortAlloc(sizeof(MemPool)); + if (mempool_init(http_mempool, max_sessions_logged, (MAX_URI_EXTRACTED + MAX_HOSTNAME)) != 0) + { + FatalError("http_inspect: Could not allocate HTTP mempool.\n"); + } + } } static int HttpInspectFreeConfigPolicy(tSfPolicyUserContextId config,tSfPolicyId policyId, void* pData ) @@ -1075,7 +1234,7 @@ char ErrorString[ERRSTRLEN]; int iErrStrLen = ERRSTRLEN; int iRet; - HTTPINSPECT_GLOBAL_CONF *pPolicyConfig = NULL; + HTTPINSPECT_GLOBAL_CONF *pPolicyConfig = NULL; char *pcToken; tSfPolicyId policy_id = getParserPolicy(); @@ -1095,6 +1254,7 @@ if (hi_swap_config == NULL) { hi_swap_config = sfPolicyConfigCreate(); + AddFuncToPreprocReloadVerifyList(HttpInspectReloadVerify); } /* 
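Review bot: `max_sessions_logged = defaultConfig->memcap / (MAX_URI_EXTRACTED + MAX_HOSTNAME)` in the new `HttpInspectExtractUriHost` branch silently becomes 0 when memcap is smaller than one session's record, and `mempool_init` is then asked for a zero-object pool; what it does with that is not visible here. `CheckMemcap` (added in the next hunk, L8504) may enforce a lower bound, but a local guard `if (max_sessions_logged == 0) FatalError("http_inspect: memcap too small for uri/hostname logging.\n");` keeps this function correct on its own. The same division is repeated in the reload path at L8506.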
@@ -1108,7 +1268,7 @@ pPolicyConfig = (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetCurrent(hi_swap_config); if (pPolicyConfig == NULL) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) ParseError("Must configure the http inspect global configuration first."); HttpInspectRegisterRuleOptions(); @@ -1131,16 +1291,14 @@ #ifdef ZLIB CheckGzipConfig(pPolicyConfig, hi_swap_config); #endif + CheckMemcap(pPolicyConfig, hi_swap_config); PrintGlobalConf(pPolicyConfig); /* Add HttpInspect into the preprocessor list */ -#ifdef ZLIB if ( pPolicyConfig->disabled ) return; -#endif - AddFuncToPreprocList(HttpInspect, PRIORITY_APPLICATION, PP_HTTPINSPECT, PROTO_BIT__TCP); - - AddFuncToPreprocReloadVerifyList(HttpInspectReloadVerify); + AddFuncToPreprocList(HttpInspect, PRIORITY_APPLICATION, PP_HTTPINSPECT, PROTO_BIT__TCP); + } } } @@ -1148,7 +1306,7 @@ { if (strcasecmp(pcToken, SERVER) != 0) { - if (strcasecmp(pcToken, GLOBAL) != 0) + if (strcasecmp(pcToken, GLOBAL) != 0) ParseError("Must configure the http inspect global configuration first."); else ParseError("Invalid http inspect token: %s.", pcToken); @@ -1167,7 +1325,7 @@ */ if(*ErrorString) { - ErrorMessage("%s(%d) => %s\n", + ErrorMessage("%s(%d) => %s\n", file_name, file_line, ErrorString); } } @@ -1178,7 +1336,7 @@ */ if(*ErrorString) { - FatalError("%s(%d) => %s\n", + FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); } else @@ -1188,12 +1346,12 @@ */ if(iRet == -2) { - FatalError("%s(%d) => ErrorString is undefined.\n", + FatalError("%s(%d) => ErrorString is undefined.\n", file_name, file_line); } else { - FatalError("%s(%d) => Undefined Error.\n", + FatalError("%s(%d) => Undefined Error.\n", file_name, file_line); } } 
@@ -1203,18 +1361,18 @@ static int HttpInspectReloadVerify(void) { + HTTPINSPECT_GLOBAL_CONF *defaultConfig; + HTTPINSPECT_GLOBAL_CONF *defaultSwapConfig; + if (hi_swap_config == NULL) return 0; sfPolicyUserDataIterate (hi_swap_config, HttpInspectVerifyPolicy); + defaultConfig = (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(hi_config); + defaultSwapConfig = (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(hi_swap_config); #ifdef ZLIB { - HTTPINSPECT_GLOBAL_CONF *defaultConfig = - (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(hi_config); - HTTPINSPECT_GLOBAL_CONF *defaultSwapConfig = - (HTTPINSPECT_GLOBAL_CONF *)sfPolicyUserDataGetDefault(hi_swap_config); - if (hi_gzip_mempool != NULL) { if (defaultSwapConfig == NULL) @@ -1249,6 +1407,9 @@ return -1; } + if (defaultSwapConfig->decompr_depth & 7) + defaultSwapConfig->decompr_depth += (8 - (defaultSwapConfig->decompr_depth & 7)); + if (defaultSwapConfig->decompr_depth != defaultConfig->decompr_depth) { ErrorMessage("http_inspect: Changing decompress_depth requires " 
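Review bot: The rounding of `defaultSwapConfig->decompr_depth` up to a multiple of 8 mutates the swap configuration from inside a verify routine, and the reason is not stated; presumably the running config was rounded the same way at init (in `CheckGzipConfig`, which is not visible here) and the comparison that follows would otherwise report a spurious change. A comment above the `& 7` test such as `/* decompr_depth is rounded up to a multiple of 8 at init; round the swap value the same way so the comparison below is like-for-like */` would record that, and if init does not round, the rounding belongs there rather than here. The function starts before this hunk.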
@@ -1302,6 +1463,48 @@ } } #endif + if (http_mempool != NULL) + { + if (defaultSwapConfig == NULL) + { + ErrorMessage("http_inspect: Changing HTTP memcap requires a restart.\n"); + HttpInspectFreeConfigs(hi_swap_config); + hi_swap_config = NULL; + return -1; + } + + if (defaultSwapConfig->memcap != defaultConfig->memcap) + { + ErrorMessage("http_inspect: Changing memcap requires a restart.\n"); + HttpInspectFreeConfigs(hi_swap_config); + hi_swap_config = NULL; + return -1; + } + } + else if (defaultSwapConfig != NULL) + { + if (sfPolicyUserDataIterate(hi_swap_config, HttpInspectExtractUriHost) != 0) + { + uint32_t max_sessions_logged; + + if (defaultSwapConfig == NULL) + { + FatalError("http_inspect: Must configure a default global " + "configuration if you want to enable logging of uri or hostname in any " + "server configuration.\n"); + } + + max_sessions_logged = defaultConfig->memcap / (MAX_URI_EXTRACTED + MAX_HOSTNAME); + + http_mempool = (MemPool *)SnortAlloc(sizeof(MemPool)); + + if (mempool_init(http_mempool, max_sessions_logged,(MAX_URI_EXTRACTED + MAX_HOSTNAME)) != 0) + { + FatalError("http_inspect: Could not allocate HTTP mempool.\n"); + } + } + } + return 0; } 
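Review bot: In the `else if (defaultSwapConfig != NULL)` branch the new pool is sized from `defaultConfig->memcap`, i.e. the running configuration, although it is the swap configuration that is enabling uri/hostname logging; `defaultConfig` can also be NULL here when the running config had no default global section, and the inner `if (defaultSwapConfig == NULL)` check is dead because the enclosing condition has already proven it non-NULL. The sizing line should read `max_sessions_logged = defaultSwapConfig->memcap / (MAX_URI_EXTRACTED + MAX_HOSTNAME);` and the dead check can go. The function starts before this hunk.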
@@ -1327,3 +1530,43 @@ HttpInspectFreeConfigs((tSfPolicyUserContextId)data); } #endif + +static inline void InitLookupTables(void) +{ + int iNum; + int iCtr; + + memset(hex_lookup, INVALID_HEX_VAL, sizeof(hex_lookup)); + memset(valid_lookup, INVALID_HEX_VAL, sizeof(valid_lookup)); + + iNum = 0; + for(iCtr = 48; iCtr < 58; iCtr++) + { + hex_lookup[iCtr] = iNum; + valid_lookup[iCtr] = HEX_VAL; + iNum++; + } + + /* + * Set the upper case values. + */ + iNum = 10; + for(iCtr = 65; iCtr < 71; iCtr++) + { + hex_lookup[iCtr] = iNum; + valid_lookup[iCtr] = HEX_VAL; + iNum++; + } + + /* + * Set the lower case values. + */ + iNum = 10; + for(iCtr = 97; iCtr < 103; iCtr++) + { + hex_lookup[iCtr] = iNum; + valid_lookup[iCtr] = HEX_VAL; + iNum++; + } +} + diff -Nru snort-2.9.0.1/src/preprocessors/spp_httpinspect.h snort-2.9.2/src/preprocessors/spp_httpinspect.h --- snort-2.9.0.1/src/preprocessors/spp_httpinspect.h 2010-01-26 10:10:13.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_httpinspect.h 2011-02-09 15:23:29.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/spp_normalize.c snort-2.9.2/src/preprocessors/spp_normalize.c --- snort-2.9.0.1/src/preprocessors/spp_normalize.c 2010-08-25 13:22:46.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_normalize.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2010-2010 Sourcefire, Inc. + ** Copyright (C) 2010-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
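Review bot: `InitLookupTables` iterates over the raw ASCII codes 48..57, 65..70 and 97..102; writing the bounds as character constants says what the loops do without the reader consulting a table: `for(iCtr = '0'; iCtr <= '9'; iCtr++)`, `for(iCtr = 'A'; iCtr <= 'F'; iCtr++)`, `for(iCtr = 'a'; iCtr <= 'f'; iCtr++)`. The function has no purpose comment; one line above it noting that it fills `hex_lookup` with each hex digit's value and `valid_lookup` with `HEX_VAL` for those bytes, everything else being `INVALID_HEX_VAL`, would do. Its caller is not in this diff, so whether `static inline` buys anything over plain `static` cannot be judged here.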
@@ -29,6 +29,7 @@ #include "parser.h" #include "plugbase.h" #include "profiler.h" +#include "sf_types.h" #include "sfPolicy.h" #include "snort.h" #include "spp_normalize.h" @@ -37,6 +38,7 @@ static tSfPolicyUserContextId base_set = NULL; #ifdef SNORT_RELOAD static tSfPolicyUserContextId swap_set = NULL; +static bool swap_pend = false; #endif #ifdef PERF_PROFILING @@ -118,10 +120,12 @@ NormalizerContext* pc = NULL; tSfPolicyId policy_id = getParserPolicy(); + if ( !ScInlineMode() ) + return NULL; + if ( !base_set ) { base_set = sfPolicyConfigCreate(); - Preproc_Install(); } sfPolicyUserPolicySet(base_set, policy_id); 
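Review bot: `Init_GetContext` no longer calls `Preproc_Install()` when `base_set` is created, and with the new early return `base_set` is never created outside inline mode; nothing in this hunk shows where the preprocessor is now installed. If that registration moved to a caller, a one-line comment at the removed site, e.g. `/* Preproc_Install() is done by the caller, not per context */`, would stop the next reader from re-adding it; if it did not move, the normalizer is no longer scheduled at all. The function starts before this hunk.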
@@ -138,53 +142,58 @@ return pc; } -#define NOT_INLINE "WARNING: %s normalizations disabled because not inline" +#define NOT_INLINE "WARNING: %s normalizations disabled because not inline.\n" static void Init_IP4 (char* args) { NormalizerContext* pc = Init_GetContext(); - if ( pc && ScInlineMode() ) + + if ( pc ) Parse_IP4(pc, args); else - LogMessage(NOT_INLINE, "ip4"); + LogMessage(NOT_INLINE, "ip4"); } static void Init_ICMP4 (char* args) { NormalizerContext* pc = Init_GetContext(); - if ( pc && ScInlineMode() ) + + if ( pc ) Parse_ICMP4(pc, args); else - LogMessage(NOT_INLINE, "icmp4"); + LogMessage(NOT_INLINE, "icmp4"); } #ifdef SUP_IP6 static void Init_IP6 (char* args) { NormalizerContext* pc = Init_GetContext(); - if ( pc && ScInlineMode() ) + + if ( pc ) Parse_IP6(pc, args); else - LogMessage(NOT_INLINE, "ip6"); + LogMessage(NOT_INLINE, "ip6"); } static void Init_ICMP6 (char* args) { NormalizerContext* pc = Init_GetContext(); - if ( pc && ScInlineMode() ) + + if ( pc ) Parse_ICMP6(pc, args); else - LogMessage(NOT_INLINE, "icmp6"); + LogMessage(NOT_INLINE, "icmp6"); } #endif static void Init_TCP (char* args) { NormalizerContext* pc = Init_GetContext(); - if ( pc && ScInlineMode() ) + + if ( pc ) Parse_TCP(pc, args); else - LogMessage(NOT_INLINE, "tcp"); + LogMessage(NOT_INLINE, "tcp"); } //------------------------------------------------------------------------- @@ -192,7 +201,7 @@ //------------------------------------------------------------------------- // options may appear in any order separated by ',': -// preprocessor normalize_ip4: [id] [df] [rf] +// preprocessor normalize_ip4: [id] [df] [rf] [tos] [trim] static void Parse_IP4 (NormalizerContext* pc, char* args) { char** toks; 
@@ -223,6 +232,14 @@ { Norm_Enable(pc, NORM_IP4_RF); } + else if ( !strcasecmp(toks[i], "tos") ) + { + Norm_Enable(pc, NORM_IP4_TOS); + } + else if ( !strcasecmp(toks[i], "trim") ) + { + Norm_Enable(pc, NORM_IP4_TRIM); + } else { ParseError("Invalid preprocessor normalize_ip4 option '%s'", toks[i]); @@ -282,7 +299,7 @@ { char **toks; int num_toks; - int i, state = 0, opts; + int i, state = 0, opts = 0; if ( !args ) args = ""; toks = mSplit(args, ", ", 0, &num_toks, 0); @@ -315,6 +332,10 @@ { Norm_Enable(pc, NORM_TCP_IPS); } + else if ( !strcasecmp(toks[i], "trim") ) + { + Norm_Enable(pc, NORM_TCP_TRIM); + } else { ParseError("Invalid preprocessor normalize_tcp option '%s'", toks[i]); @@ -419,12 +440,12 @@ #define ON "on" #define OFF "off" -static INLINE void LogConf (const char* p, const char* s) +static inline void LogConf (const char* p, const char* s) { LogMessage("%12s: %s\n", p, s); } -static INLINE void LogFlag ( +static inline void LogFlag ( const char* p, const NormalizerContext* nc, NormFlags nf) { const char* s = Norm_IsEnabled(nc, nf) ? ON : OFF; @@ -441,6 +462,8 @@ //LogFlag("ip4::id", nc, NORM_IP4_ID); LogFlag("ip4::df", nc, NORM_IP4_DF); LogFlag("ip4::rf", nc, NORM_IP4_RF); + LogFlag("ip4::tos", nc, NORM_IP4_TOS); + LogFlag("ip4::trim", nc, NORM_IP4_TRIM); if ( Norm_IsEnabled(nc, NORM_IP4_TTL) ) { @@ -556,7 +579,7 @@ AddFuncToPreprocResetStatsList( Preproc_ResetStats, NULL, PRIORITY_FIRST, PP_NORMALIZE); - AddFuncToConfigCheckList(Preproc_CheckConfig ); + AddFuncToConfigCheckList(Preproc_CheckConfig); AddFuncToPreprocPostConfigList(Preproc_PostConfigInit, NULL); RegisterPreprocStats("normalize", Preproc_PrintStats); } @@ -565,7 +588,7 @@ static int Preproc_CheckPolicy ( tSfPolicyUserContextId set, - tSfPolicyId pid, + tSfPolicyId pid, void* pv) { //NormalizerContext* pc = (NormalizerContext*)pv; 
@@ -582,11 +605,12 @@ static int Preproc_PostInit ( tSfPolicyUserContextId set, - tSfPolicyId pid, + tSfPolicyId pid, void* pv) { NormalizerContext *pc = (NormalizerContext *)pv; - SnortPolicy* policy = snort_conf_for_parsing->targeted_policies[pid]; + SnortConfig* sc = snort_conf_for_parsing ? snort_conf_for_parsing : snort_conf; + SnortPolicy* policy = sc->targeted_policies[pid]; if ( policy->new_ttl && policy->new_ttl < policy->min_ttl ) { @@ -631,7 +655,7 @@ static int Preproc_FreePolicy( tSfPolicyUserContextId set, - tSfPolicyId pid, + tSfPolicyId pid, void* pv ) { @@ -686,10 +710,17 @@ NormalizerContext* pc = NULL; tSfPolicyId policy_id = getParserPolicy(); + swap_pend = true; + + //if ( !ScInlineMode() ) // can't use this; need snort_conf_for_parsing + if ( !snort_conf_for_parsing || + (snort_conf_for_parsing->targeted_policies[policy_id]->policy_mode + != POLICY_MODE__INLINE) ) + return NULL; + if ( !swap_set ) { swap_set = sfPolicyConfigCreate(); - AddFuncToPreprocReloadVerifyList(Reload_Verify); } sfPolicyUserPolicySet(swap_set, policy_id); 
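Review bot: `Reload_GetContext` sets `swap_pend = true` before the policy-mode check, so a reload into a non-inline policy records a pending swap whose `swap_set` stays NULL; `Reload_Swap` (L8513) tolerates that by guarding `base_set`, which looks deliberate (normalizations switched off on reload), but the flag's contract is stated nowhere. A comment above the assignment such as `/* set even if we bail out below: a reload into non-inline mode must swap in an empty set */` would keep it from being "fixed". `snort_conf_for_parsing->targeted_policies[policy_id]` is dereferenced without a NULL check; whether the parser guarantees an entry for every policy id is not visible here.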
@@ -709,45 +740,60 @@ static void Reload_IP4 (char* args) { NormalizerContext* pc = Reload_GetContext(); + if ( pc ) Parse_IP4(pc, args); + else + LogMessage(NOT_INLINE, "tcp"); } static void Reload_ICMP4 (char* args) { NormalizerContext* pc = Reload_GetContext(); + if ( pc ) Parse_ICMP4(pc, args); + else + LogMessage(NOT_INLINE, "tcp"); } #ifdef SUP_IP6 static void Reload_IP6 (char* args) { NormalizerContext* pc = Reload_GetContext(); + if ( pc ) Parse_IP6(pc, args); + else + LogMessage(NOT_INLINE, "tcp"); } static void Reload_ICMP6 (char* args) { NormalizerContext* pc = Reload_GetContext(); + if ( pc ) Parse_ICMP6(pc, args); + else + LogMessage(NOT_INLINE, "tcp"); } #endif static void Reload_TCP (char* args) { NormalizerContext* pc = Reload_GetContext(); + if ( pc ) Parse_TCP(pc, args); + else + LogMessage(NOT_INLINE, "tcp"); } //------------------------------------------------------------------------- static int Reload_VerifyPolicy ( tSfPolicyUserContextId set, - tSfPolicyId pid, + tSfPolicyId pid, void* pv ) { //NormalizerContext* pc = (NormalizerContext*)pv; @@ -772,7 +818,7 @@ static int Reload_SwapPolicy ( tSfPolicyUserContextId set, - tSfPolicyId pid, + tSfPolicyId pid, void* pv) { NormalizerContext* pc = (NormalizerContext*)pv; 
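Review bot: Each of `Reload_IP4`, `Reload_ICMP4`, `Reload_IP6` and `Reload_ICMP6` passes `"tcp"` to `LogMessage(NOT_INLINE, ...)`, so a reload outside inline mode reports the wrong protocol four times (only `Reload_TCP` is right); the `Init_*` counterparts at L8509 use the proper names. Each call should name its own protocol, e.g. `LogMessage(NOT_INLINE, "ip4");` in `Reload_IP4`, and likewise `"icmp4"`, `"ip6"` and `"icmp6"`.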
@@ -787,17 +833,23 @@ { tSfPolicyUserContextId old_set = base_set; - if ( !swap_set ) + if ( !swap_pend ) return NULL; base_set = swap_set; swap_set = NULL; + swap_pend = false; - sfPolicyUserDataIterate(old_set, Reload_SwapPolicy); + if ( base_set ) + sfPolicyUserDataIterate(base_set, Preproc_PostInit); - if ( !sfPolicyUserPolicyGetActive(old_set) ) - return (void*)old_set; + if ( old_set ) + { + sfPolicyUserDataIterate(old_set, Reload_SwapPolicy); + if ( !sfPolicyUserPolicyGetActive(old_set) ) + return (void*)old_set; + } return NULL; } diff -Nru snort-2.9.0.1/src/preprocessors/spp_normalize.h snort-2.9.2/src/preprocessors/spp_normalize.h --- snort-2.9.0.1/src/preprocessors/spp_normalize.h 2010-08-25 13:22:46.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_normalize.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,6 @@ /* $Id$ */ - /* -** Copyright (C) 2010-2010 Sourcefire, Inc. +** Copyright (C) 2010-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -46,7 +45,10 @@ NORM_TCP_URP = 0x00001000, // trim urp to dsize NORM_TCP_OPT = 0x00002000, // nop over non-essential options NORM_TCP_IPS = 0x00004000, // enable stream normalization/pre-ack flushing - NORM_ALL = 0x00007FFF // all normalizations on + NORM_IP4_TOS = 0x00008000, // clear tos/diff-serv + NORM_IP4_TRIM = 0x00010000, // enforce min frame + NORM_TCP_TRIM = 0x00020000, // enforce min frame + NORM_ALL = 0x0003FFFF // all normalizations on } NormFlags; typedef uint64_t PegCount; diff -Nru snort-2.9.0.1/src/preprocessors/spp_perfmonitor.c snort-2.9.2/src/preprocessors/spp_perfmonitor.c --- snort-2.9.0.1/src/preprocessors/spp_perfmonitor.c 2010-06-09 15:05:22.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_perfmonitor.c 2011-12-07 09:58:23.000000000 -0800 
@@ -1,8 +1,8 @@ -/* $Id$ +/* $Id$ ** ** spp_perfmonitor.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** @@ -29,10 +29,16 @@ #include <stdlib.h> #include <ctype.h> #include <errno.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "plugbase.h" #include "mstring.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "parser.h" #include "sfdaq.h" #include "snort.h" @@ -40,6 +46,11 @@ #include "perf-base.h" #include "profiler.h" +#ifndef WIN32 +# include <unistd.h> +# include <sys/stat.h> +#endif + SFPERF *perfmon_config = NULL; /* @@ -52,6 +63,11 @@ static void PerfMonitorReset(int, void *); static void PerfMonitorResetStats(int, void *); static void PerfMonitorFreeConfig(SFPERF *); +static void PerfMonitorOpenLogFiles(void *); + +#ifndef WIN32 +static void PerfMonitorChangeLogFilesPermission(void); +#endif #ifdef SNORT_RELOAD SFPERF *perfmon_swap_config = NULL; @@ -68,7 +84,7 @@ /* * Function: SetupPerfMonitor() * - * Purpose: Registers the preprocessor keyword and initialization + * Purpose: Registers the preprocessor keyword and initialization * function into the preprocessor list. This is the function that * gets called from InitPreprocessors() in plugbase.c. * @@ -79,7 +95,7 @@ */ void SetupPerfMonitor(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ #ifndef SNORT_RELOAD RegisterPreprocessor("PerfMonitor", PerfMonitorInit); @@ -105,7 +121,7 @@ static void PerfMonitorInit(char *args) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Preprocessor: PerfMonitor Initialized\n");); - + //not policy specific. Perf monitor configuration should be in the default //configuration file. if (getParserPolicy() != 0) 
@@ -118,25 +134,18 @@ /* parse the argument list from the rules file */ ParsePerfMonitorArgs(perfmon_config, args); - - if (perfmon_config->file != NULL) - { - if (sfSetPerformanceStatisticsEx(perfmon_config, SFPERF_FILE, perfmon_config->file)) - ParseError("Cannot open performance log file '%s'.", perfmon_config->file); - } - - if (perfmon_config->flowip_file != NULL) - { - if (sfOpenFlowIPStatsFile(perfmon_config)) - ParseError("Cannot open Flow-IP log file '%s'.", perfmon_config->flowip_file); - } + ResetPerfStats(perfmon_config); +#ifndef WIN32 + PerfMonitorChangeLogFilesPermission(); +#endif /* Set the preprocessor function into the function list */ AddFuncToPreprocList(ProcessPerfMonitor, PRIORITY_SCANNER, PP_PERFMONITOR, PROTO_BIT__ALL); AddFuncToPreprocCleanExitList(PerfMonitorCleanExit, NULL, PRIORITY_LAST, PP_PERFMONITOR); AddFuncToPreprocResetList(PerfMonitorReset, NULL, PRIORITY_LAST, PP_PERFMONITOR); AddFuncToPreprocResetStatsList(PerfMonitorResetStats, NULL, PRIORITY_LAST, PP_PERFMONITOR); - + AddFuncToPreprocPostConfigList(PerfMonitorOpenLogFiles, NULL); + #ifdef PERF_PROFILING RegisterPreprocessorProfile("perfmon", &perfmonStats, 0, &totalPerfStats); #endif @@ -145,9 +154,9 @@ /* * Function: ParsePerfMonitorArgs(char *) * - * Purpose: Process the preprocessor arguements from the rules file and + * Purpose: Process the preprocessor arguements from the rules file and * initialize the preprocessor's data struct. This function doesn't - * have to exist if it makes sense to parse the args in the init + * have to exist if it makes sense to parse the args in the init * function. * * Arguments: args => argument list @@ -184,7 +193,7 @@ { Tokens = mSplit(args, " \t", 0, &iTokenNum, 0); } - + for( i = 0; i < iTokenNum; i++ ) { /* Check for a 'time number' parameter */ @@ -209,7 +218,7 @@ i++; if( (i< iTokenNum) && Tokens[i] ) iFlowMaxPort= atoi(Tokens[i]); - + if( iFlowMaxPort > SF_MAX_PORT ) iFlowMaxPort = SF_MAX_PORT; 
@@ -224,7 +233,7 @@ ** troubleshooting and performance tuning. */ iFlow = 1; - } + } else if( strcasecmp( Tokens[i],"accumulate")==0) { iReset=0; @@ -238,7 +247,7 @@ /* ** The events paramenter gives the total number ** of qualified and non-qualified events during - ** the processing sample time. This allows + ** the processing sample time. This allows ** performance problems to be seen in a general ** manner. */ @@ -381,7 +390,7 @@ if (iMaxPerfStats) sfSetPerformanceStatistics(pconfig, SFPERF_BASE_MAX); - + if (iConsole) sfSetPerformanceStatistics(pconfig, SFPERF_CONSOLE); @@ -419,7 +428,7 @@ pconfig->file = snortfile; } } - + if (iPkts) sfSetPerformanceStatisticsEx(pconfig, SFPERF_PKTCNT, &iPkts); @@ -436,20 +445,13 @@ LogMessage(" Flow IP File: %s\n", flowipfile ? flowipfile : "INACTIVE"); } LogMessage(" Event Stats: %s\n", iEvents ? "ACTIVE" : "INACTIVE"); - LogMessage(" Max Perf Stats: %s\n", - iMaxPerfStats ? "ACTIVE" : "INACTIVE"); + LogMessage(" Max Perf Stats: %s\n", iMaxPerfStats ? "ACTIVE" : "INACTIVE"); LogMessage(" Console Mode: %s\n", iConsole ? "ACTIVE" : "INACTIVE"); - LogMessage(" File Mode: %s\n", - iFile ? file : "INACTIVE"); - LogMessage(" SnortFile Mode: %s\n", - iSnortFile ? snortfile : "INACTIVE"); + LogMessage(" File Mode: %s\n", iFile ? file : "INACTIVE"); + LogMessage(" SnortFile Mode: %s\n", iSnortFile ? snortfile : "INACTIVE"); LogMessage(" Packet Count: %d\n", iPkts); - LogMessage(" Dump Summary: %s\n", pconfig->perf_flags & SFPERF_SUMMARY ? - "Yes" : "No"); + LogMessage(" Dump Summary: %s\n", pconfig->perf_flags & SFPERF_SUMMARY ? "Yes" : "No"); LogMessage(" Max file size: %u\n", uiMaxFileSize); - - if (pconfig->perf_flags & SFPERF_SUMMARY) - CheckSampleInterval(NULL, pconfig); } 
@@ -461,7 +463,7 @@ * as you like. Try not to destroy the performance of the whole * system by trying to do too much.... * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * @@ -480,7 +482,7 @@ first = 0; } - if(p == NULL) + if(p == NULL) { return; } @@ -488,7 +490,7 @@ PREPROC_PROFILE_START(perfmonStats); /* - * Performance Statistics + * Performance Statistics */ if (IsSetRotatePerfFileFlag()) { @@ -503,7 +505,7 @@ sfPerformanceStats(perfmon_config, p, p->packet_flags & PKT_REBUILT_STREAM); } } - + if( p->tcph ) { if((p->tcph->th_flags & TH_SYN) && !(p->tcph->th_flags & TH_ACK)) 
@@ -610,6 +612,70 @@ ResetPerfStats(perfmon_config); } +/* This function changes the perfmon log files permission if exists. + It is done in the PerfMonitorInit() before Snort changed its user & group. + */ +#ifndef WIN32 +static void PerfMonitorChangeLogFilesPermission(void) +{ + struct stat pt; + mode_t mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH; + + if (perfmon_config == NULL) + return; + + if (perfmon_config->file != NULL) + { + /*Check file before change permission*/ + if (stat(perfmon_config->file, &pt) == 0) + { + /*Only change permission for file owned by root*/ + if ((0 == pt.st_uid) || (0 == pt.st_gid)) + { + chmod(perfmon_config->file, mode); + chown(perfmon_config->file, ScUid(), ScGid()); + } + } + } + + if (perfmon_config->flowip_file != NULL) + { + /*Check file before change permission*/ + if (stat(perfmon_config->flowip_file, &pt) == 0) + { + /*Only change permission for file owned by root*/ + if ((0 == pt.st_uid) || (0 == pt.st_gid)) + { + chmod(perfmon_config->flowip_file, mode); + chown(perfmon_config->file, ScUid(), ScGid()); + } + } + + } +} +#endif +/* This function opens the perfmon log files. + The logic was moved out of PerfMonitorInit() to avoid creating files + before Snort changed its user & group. +*/ +static void PerfMonitorOpenLogFiles(void *data) +{ + if (perfmon_config == NULL) + return; + + if (perfmon_config->file != NULL) + { + if (sfSetPerformanceStatisticsEx(perfmon_config, SFPERF_FILE, perfmon_config->file)) + ParseError("Cannot open performance log file '%s'.", perfmon_config->file); + } + + if (perfmon_config->flowip_file != NULL) + { + if (sfOpenFlowIPStatsFile(perfmon_config)) + ParseError("Cannot open Flow-IP log file '%s'.", perfmon_config->flowip_file); + } +} + #ifdef SNORT_RELOAD static void PerfMonitorReload(char *args) { 
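Review bot: In the `flowip_file` branch of `PerfMonitorChangeLogFilesPermission` the `chown` call is applied to `perfmon_config->file` instead of `perfmon_config->flowip_file`, so the Flow-IP log keeps its root ownership and the perf file is re-owned twice. The mode applied to both files is 0666: world-writable log files let any local account truncate or rewrite the statistics, and the flow-IP file carries per-address data, so owner/group read-write (0660) is the sensible default. Because this runs as root before the uid/gid switch and `stat`/`chmod`/`chown` all follow symlinks, checking with `lstat` and only touching regular files keeps a link in the log directory from redirecting the ownership change; the return values of `chmod`/`chown` are also ignored. Folding the duplicated block into one helper removes the copy-paste defect at the source.
```c
/* Re-own one root-created log file so the post-setuid process can still write it.
 * lstat + S_ISREG: never follow a link while still running as root. */
static void PerfMonitorFixLogFileOwner(const char *path, mode_t mode)
{
    struct stat pt;

    if ((path == NULL) || (lstat(path, &pt) != 0) || !S_ISREG(pt.st_mode))
        return;

    /* Only touch files that are still root-owned (created before the uid/gid switch). */
    if ((pt.st_uid != 0) && (pt.st_gid != 0))
        return;

    if (chmod(path, mode) != 0)
        ErrorMessage("perfmonitor: could not change permissions of '%s'.\n", path);
    if (chown(path, ScUid(), ScGid()) != 0)
        ErrorMessage("perfmonitor: could not change owner of '%s'.\n", path);
}

static void PerfMonitorChangeLogFilesPermission(void)
{
    /* owner/group read-write only; 0666 let any local user overwrite the logs */
    mode_t mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP;

    if (perfmon_config == NULL)
        return;

    PerfMonitorFixLogFileOwner(perfmon_config->file, mode);
    PerfMonitorFixLogFileOwner(perfmon_config->flowip_file, mode);
}
/* … unchanged: PerfMonitorOpenLogFiles … */
```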
@@ -635,10 +701,16 @@ perfmon_swap_config->perf_flags |= perfmon_config->perf_flags & SFPERF_FILE; } + /* Same goes for the FlowIP log file. */ + if (perfmon_config->flowip_fh != NULL) + { + perfmon_swap_config->flowip_fh = perfmon_config->flowip_fh; + } + AddFuncToPreprocList(ProcessPerfMonitor, PRIORITY_SCANNER, PP_PERFMONITOR, PROTO_BIT__ALL); AddFuncToPreprocReloadVerifyList(PerfmonReloadVerify); } - + static int PerfmonReloadVerify(void) { if ((perfmon_config == NULL) || (perfmon_swap_config == NULL)) @@ -649,8 +721,7 @@ /* File - don't do case insensitive compare */ if (strcmp(perfmon_config->file, perfmon_swap_config->file) != 0) { - ErrorMessage("Perfmonitor Reload: Changing the log file requires " - "a restart.\n"); + ErrorMessage("Perfmonitor Reload: Changing the log file requires a restart.\n"); PerfMonitorFreeConfig(perfmon_swap_config); perfmon_swap_config = NULL; return -1; 
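Review bot: `perfmon_swap_config->flowip_fh = perfmon_config->flowip_fh` copies an open file handle into the swap configuration, mirroring what the existing code does for the perf file; if `PerfmonReloadVerify` then rejects the reload it calls `PerfMonitorFreeConfig(perfmon_swap_config)` (visible in the next hunk), and whether that routine closes `flowip_fh` is not visible here. If it does, the running configuration is left with a closed handle, so either `PerfMonitorFreeConfig` must skip handles the swap config does not own or the verify failure path must NULL the copied fields before freeing; a comment at the copy such as `/* handle is owned by perfmon_config; not closed with the swap config */` would state the intended ownership either way. The enclosing function starts before this hunk.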
@@ -658,8 +729,25 @@ } else if (perfmon_config->file != perfmon_swap_config->file) { - ErrorMessage("Perfmonitor Reload: Changing the log file requires " - "a restart.\n"); + ErrorMessage("Perfmonitor Reload: Changing the log file requires a restart.\n"); + PerfMonitorFreeConfig(perfmon_swap_config); + perfmon_swap_config = NULL; + return -1; + } + + if ((perfmon_config->flowip_file != NULL) && (perfmon_swap_config->flowip_file != NULL)) + { + if (strcmp(perfmon_config->flowip_file, perfmon_swap_config->flowip_file) != 0) + { + ErrorMessage("Perfmonitor Reload: Changing the FlowIP log file requires a restart.\n"); + PerfMonitorFreeConfig(perfmon_swap_config); + perfmon_swap_config = NULL; + return -1; + } + } + else if (perfmon_config->flowip_file != perfmon_swap_config->flowip_file) + { + ErrorMessage("Perfmonitor Reload: Changing the FlowIP log file requires a restart.\n"); PerfMonitorFreeConfig(perfmon_swap_config); perfmon_swap_config = NULL; return -1; diff -Nru snort-2.9.0.1/src/preprocessors/spp_perfmonitor.h snort-2.9.2/src/preprocessors/spp_perfmonitor.h --- snort-2.9.0.1/src/preprocessors/spp_perfmonitor.h 2010-01-26 10:10:13.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_perfmonitor.h 2011-02-09 15:23:29.000000000 -0800 @@ -2,7 +2,7 @@ ** ** spp_perfmonitor.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** Dan Roelker <droelker@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/preprocessors/spp_rpc_decode.c snort-2.9.2/src/preprocessors/spp_rpc_decode.c --- snort-2.9.0.1/src/preprocessors/spp_rpc_decode.c 2010-10-25 12:49:09.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_rpc_decode.c 2011-10-26 11:28:52.000000000 -0700 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -19,8 +19,8 @@ */ /* $Id$ */ -/* spp_rpc_decode - * +/* spp_rpc_decode + * * Purpose: * * This preprocessor normalizes the RPC requests from remote machines by @@ -30,7 +30,7 @@ * string 0186A0 is broken up. * * Arguments: - * + * * This plugin takes a list of integers representing the TCP ports that the * user is interested in having normalized * @@ -43,23 +43,23 @@ * */ -#ifdef HAVE_CONFIG_H -#include "config.h" +#ifdef HAVE_CONFIG_H +#include "config.h" #endif #include <sys/types.h> #include <stdlib.h> #include <ctype.h> -#ifdef HAVE_STRINGS_H -#include <strings.h> +#ifdef HAVE_STRINGS_H +#include <strings.h> #endif #include "decode.h" #include "plugbase.h" #include "parser.h" #include "log.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "mstring.h" @@ -70,7 +70,7 @@ #include "event_queue.h" #include "profiler.h" -#include "bounds.h" +#include "snort_bounds.h" #include "strlcatu.h" #include "detection_util.h" 
@@ -171,23 +171,23 @@ static RpcSsnData * RpcSsnDataNew(Packet *); static void RpcSsnDataFree(void *); -static INLINE void RpcSsnClean(RpcSsnData *); -static INLINE void RpcSsnSetInactive(RpcSsnData *, Packet *); -static INLINE int RpcSsnIsActive(RpcSsnData *); +static inline void RpcSsnClean(RpcSsnData *); +static inline void RpcSsnSetInactive(RpcSsnData *, Packet *); +static inline int RpcSsnIsActive(RpcSsnData *); static RpcStatus RpcStatefulInspection(RpcDecodeConfig *, RpcSsnData *, Packet *); -static INLINE void RpcPreprocEvent(RpcDecodeConfig *, RpcSsnData *, int); +static inline void RpcPreprocEvent(RpcDecodeConfig *, RpcSsnData *, int); static RpcStatus RpcHandleFrag(RpcDecodeConfig *, RpcSsnData *, const uint8_t *); static RpcStatus RpcPrepRaw(const uint8_t *, uint32_t, Packet *); static RpcStatus RpcPrepFrag(RpcSsnData *, Packet *); static RpcStatus RpcPrepSeg(RpcSsnData *, Packet *); -static INLINE uint32_t RpcBufLen(RpcBuffer *); -static INLINE uint8_t * RpcBufData(RpcBuffer *); +static inline uint32_t RpcBufLen(RpcBuffer *); +static inline uint8_t * RpcBufData(RpcBuffer *); static RpcStatus RpcBufAdd(RpcBuffer *, const uint8_t *, uint32_t); -static INLINE void RpcBufClean(RpcBuffer *); +static inline void RpcBufClean(RpcBuffer *); -static INLINE void * RpcAlloc(uint32_t); -static INLINE void RpcFree(void *, uint32_t); +static inline void * RpcAlloc(uint32_t); +static inline void RpcFree(void *, uint32_t); //function to assign the RpcDecodePorts array @@ -230,7 +230,7 @@ /* * Function: SetupRpcDecode() * - * Purpose: Registers the preprocessor keyword and initialization + * Purpose: Registers the preprocessor keyword and initialization * function into the preprocessor list. * * Arguments: None. @@ -240,7 +240,7 @@ */ void SetupRpcDecode(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ #ifndef SNORT_RELOAD RegisterPreprocessor("rpc_decode", RpcDecodeInit); 
@@ -272,7 +272,7 @@ if (rpc_decode_config == NULL) { - rpc_decode_config = sfPolicyConfigCreate(); + rpc_decode_config = sfPolicyConfigCreate(); AddFuncToPreprocCleanExitList(RpcDecodeCleanExit, NULL, PRIORITY_LAST, PP_RPCDECODE); @@ -353,7 +353,7 @@ toks = mSplit(portlist, " \t", 0, &num_toks, 0); LogMessage("rpc_decode arguments:\n"); - + /* convert the tokens and place them into the port list */ for(num = 0; num < num_toks; num++) { @@ -418,30 +418,30 @@ { RpcDecodePortsAssign(rpc->RpcDecodePorts, RPC_DECODE_DEFAULT_PORTS); } - + /* print out final port list */ - LogMessage(" Ports to decode RPC on: %s\n", is_reset ? portstr : RPC_DECODE_DEFAULT_PORTS); + LogMessage(" Ports to decode RPC on: %s\n", is_reset ? portstr : RPC_DECODE_DEFAULT_PORTS); LogMessage(" %s: %s\n", OPT_ALERT_FRAGMENTS, rpc->alert_fragments ? "ACTIVE": "INACTIVE"); LogMessage(" %s: %s\n", TEXT_ALERT_LARGE_FRAGMENTS, rpc->alert_large ? "ACTIVE": "INACTIVE"); LogMessage(" %s: %s\n", TEXT_ALERT_INCOMPLETE, rpc->alert_incomplete ? "ACTIVE": "INACTIVE"); LogMessage(" %s: %s\n", TEXT_ALERT_MULTIPLE_REQUESTS, rpc->alert_multi ? "ACTIVE": "INACTIVE"); -} - +} + /* * Function: PreprocRpcDecode(Packet *) * - * Purpose: Inspects the packet's payload for fragment records and + * Purpose: Inspects the packet's payload for fragment records and * converts them into one infragmented record. * - * Arguments: p => pointer to the current packet data struct + * Arguments: p => pointer to the current packet data struct * * Returns: void function * */ static void PreprocRpcDecode(Packet *p, void *context) { - RpcDecodeConfig *rconfig = NULL; + RpcDecodeConfig *rconfig = NULL; RpcSsnData *rsdata = NULL; PROFILE_VARS; 
@@ -455,8 +455,17 @@ if (!IsTCP(p) || (p->dsize == 0)) return; - if (ScStateful() && (p->packet_flags & PKT_FROM_SERVER)) + /* If we're stateful that means stream5 has been configured. + * In this case we don't look at server packets. + * There is the case were stream5 configuration requires a 3 way handshake. + * If no 3 way, then the packet flags won't be set, so don't look at it + * since we won't be able to determeine who's the client and who's the server. */ + if (ScStateful() + && ((p->packet_flags & PKT_FROM_SERVER) + || (!(p->packet_flags & PKT_FROM_CLIENT)))) + { return; + } if ((stream_api != NULL) && (p->ssnptr != NULL)) rsdata = stream_api->get_application_data(p->ssnptr, PP_RPCDECODE); @@ -498,10 +507,10 @@ RpcPreprocEvent(rconfig, rsdata, ConvertRPC(rconfig, rsdata, p)); PREPROC_PROFILE_END(rpcdecodePerfStats); - return; + return; } -static INLINE void RpcPreprocEvent(RpcDecodeConfig *rconfig, RpcSsnData *rsdata, int event) +static inline void RpcPreprocEvent(RpcDecodeConfig *rconfig, RpcSsnData *rsdata, int event) { if (rconfig == NULL) return; 
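Review bot: The added guard makes stateful mode skip any packet that has neither PKT_FROM_CLIENT nor PKT_FROM_SERVER set, which by the new comment is the session-picked-up-midstream case, so RPC records in a TCP session whose handshake stream5 did not observe are no longer de-fragmented and the fragment-evasion this preprocessor exists to defeat is left to the raw detection path. That is a defensible trade-off, but the comment should say it plainly rather than only explaining why direction is unknowable, e.g. add `* Consequence: RPC traffic in sessions picked up midstream is not normalized.` The comment also has two typos, `were` should be `where` and `determeine` should be `determine`. PreprocRpcDecode's body continues beyond this hunk.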
@@ -520,35 +529,35 @@ case RPC_FRAG_TRAFFIC: if (rconfig->alert_fragments) { - SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_FRAG_TRAFFIC, + SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_FRAG_TRAFFIC, 1, RPC_CLASS, 3, RPC_FRAG_TRAFFIC_STR, 0); } break; case RPC_MULTIPLE_RECORD: if (rconfig->alert_multi) { - SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_MULTIPLE_RECORD, + SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_MULTIPLE_RECORD, 1, RPC_CLASS, 3, RPC_MULTIPLE_RECORD_STR, 0); } break; case RPC_LARGE_FRAGSIZE: if (rconfig->alert_large) { - SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_LARGE_FRAGSIZE, + SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_LARGE_FRAGSIZE, 1, RPC_CLASS, 3, RPC_LARGE_FRAGSIZE_STR, 0); } break; case RPC_INCOMPLETE_SEGMENT: if (rconfig->alert_incomplete) { - SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_INCOMPLETE_SEGMENT, + SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_INCOMPLETE_SEGMENT, 1, RPC_CLASS, 3, RPC_INCOMPLETE_SEGMENT_STR, 0); } break; case RPC_ZERO_LENGTH_FRAGMENT: if (rconfig->alert_multi) { - SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_ZERO_LENGTH_FRAGMENT, + SnortEventqAdd(GENERATOR_SPP_RPC_DECODE, RPC_ZERO_LENGTH_FRAGMENT, 1, RPC_CLASS, 3, RPC_ZERO_LENGTH_FRAGMENT_STR, 0); } break; @@ -577,8 +586,23 @@ return 0; #endif - if (!valid_app_id && !(rconfig->RpcDecodePorts[(p->dp/8)] & (1<<(p->dp%8)))) - return 0; + if (!valid_app_id) + { + uint16_t check_port; + + if (p->packet_flags & PKT_FROM_CLIENT) + check_port = p->dp; + else if (p->packet_flags & PKT_FROM_SERVER) + check_port = p->sp; + /* The below are for the case where stream5 is not configured */ + else if (p->sp < p->dp) + check_port = p->sp; + else + check_port = p->dp; + + if (!(rconfig->RpcDecodePorts[(check_port/8)] & (1<<(check_port%8)))) + return 0; + } return 1; } 
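Review bot: In the "stream5 is not configured" fallback the port test now checks only the numerically lower of p->sp and p->dp, so a request whose source port is below the RPC port is no longer inspected: with the default port 32771, a Linux ephemeral source port of 32768-32770 (or any low source port a privileged client chooses deliberately) makes check_port = p->sp, the bitmap lookup fails and the function returns 0, whereas the old code always tested p->dp. That is an inspection bypass in precisely the configuration where there is no stream5 to establish direction. When direction is unknown both endpoints should be consulted and the packet accepted if either is a configured RPC port; the directional branches can keep testing the single relevant port. The enclosing eligibility function starts before this hunk.
```c
    if (!valid_app_id)
    {
        int sp_is_rpc = rconfig->RpcDecodePorts[(p->sp/8)] & (1<<(p->sp%8));
        int dp_is_rpc = rconfig->RpcDecodePorts[(p->dp/8)] & (1<<(p->dp%8));

        if (p->packet_flags & PKT_FROM_CLIENT)
        {
            if (!dp_is_rpc)
                return 0;
        }
        else if (p->packet_flags & PKT_FROM_SERVER)
        {
            if (!sp_is_rpc)
                return 0;
        }
        /* stream5 not configured: direction unknown, so a source port
         * chosen below the RPC port must not be able to skip inspection */
        else if (!sp_is_rpc && !dp_is_rpc)
        {
            return 0;
        }
    }
```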
@@ -651,7 +675,7 @@ /* Might need to evaluate same packet, different decode buffer * more than once and detection option tree won't let us do that * by default */ - p->packet_flags |= PKT_RPC_PKT; + p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT; while (dsize > 0) { @@ -841,7 +865,7 @@ return RPC_STATUS__ERROR; } - SetAltDecode(p, RPC_FRAG_HDR_SIZE + fraglen); + SetAltDecode((uint16_t)(RPC_FRAG_HDR_SIZE + fraglen)); return RPC_STATUS__SUCCESS; } @@ -859,7 +883,7 @@ DecodeBuffer.data[0] |= 0x80; status = SafeMemcpy(DecodeBuffer.data+4, RpcBufData(&rsdata->frag), - RpcBufLen(&rsdata->frag), DecodeBuffer.data+4, + RpcBufLen(&rsdata->frag), DecodeBuffer.data+4, DecodeBuffer.data + sizeof(DecodeBuffer.data)); if (status != SAFEMEM_SUCCESS) @@ -870,7 +894,7 @@ return RPC_STATUS__ERROR; } - SetAltDecode(p, (uint16_t)RpcBufLen(&rsdata->frag)); + SetAltDecode((uint16_t)RpcBufLen(&rsdata->frag)); if (RpcBufLen(&rsdata->frag) > RPC_MAX_BUF_SIZE) RpcBufClean(&rsdata->frag); @@ -894,7 +918,7 @@ return RPC_STATUS__ERROR; } - SetAltDecode(p, (uint16_t)RpcBufLen(&rsdata->seg)); + SetAltDecode((uint16_t)RpcBufLen(&rsdata->seg)); if (RpcBufLen(&rsdata->seg) > RPC_MAX_BUF_SIZE) { @@ -937,12 +961,12 @@ return RPC_STATUS__SUCCESS; } -static INLINE uint32_t RpcBufLen(RpcBuffer *buf) +static inline uint32_t RpcBufLen(RpcBuffer *buf) { return buf == NULL ? 0 : buf->len; } -static INLINE uint8_t * RpcBufData(RpcBuffer *buf) +static inline uint8_t * RpcBufData(RpcBuffer *buf) { return buf == NULL ? NULL : buf->data; } @@ -1016,7 +1040,7 @@ return RPC_STATUS__SUCCESS; } -static INLINE void RpcBufClean(RpcBuffer *buf) +static inline void RpcBufClean(RpcBuffer *buf) { if (buf->data != NULL) { @@ -1028,7 +1052,7 @@ buf->size = 0; } -static INLINE void * RpcAlloc(uint32_t size) +static inline void * RpcAlloc(uint32_t size) { if ((rpc_memory + size) > rpc_memcap) { 
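Review bot: `SetAltDecode((uint16_t)(RPC_FRAG_HDR_SIZE + fraglen));` now narrows the reassembled length to 16 bits; the only thing bounding it beforehand is the SafeMemcpy into DecodeBuffer.data (capped at `sizeof(DecodeBuffer.data)` in the next hunk), and that array's size is not visible here. If it is larger than 65535, a fragment set that fits the buffer would be passed to detection with a silently wrapped length, i.e. only the low 16 bits of the payload would be inspected. Make the narrowing explicit and fail closed: `if (RPC_FRAG_HDR_SIZE + fraglen > UINT16_MAX) return RPC_STATUS__ERROR;` before the call, and the same guard in front of the three later `SetAltDecode((uint16_t)RpcBufLen(...))` casts. The enclosing functions each begin before their hunk.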
@@ -1040,7 +1064,7 @@ return SnortAlloc(size); } -static INLINE void RpcFree(void *data, uint32_t size) +static inline void RpcFree(void *data, uint32_t size) { if (data == NULL) return; @@ -1053,7 +1077,7 @@ free(data); } -static INLINE void RpcSsnSetInactive(RpcSsnData *rsdata, Packet *p) +static inline void RpcSsnSetInactive(RpcSsnData *rsdata, Packet *p) { if (rsdata == NULL) return; @@ -1065,14 +1089,14 @@ RpcSsnClean(rsdata); } -static INLINE int RpcSsnIsActive(RpcSsnData *rsdata) +static inline int RpcSsnIsActive(RpcSsnData *rsdata) { if (rsdata == NULL) return 0; return rsdata->active; } -static INLINE void RpcSsnClean(RpcSsnData *rsdata) +static inline void RpcSsnClean(RpcSsnData *rsdata) { if (rsdata == NULL) return; @@ -1131,7 +1155,7 @@ /* * For proto ref, see rfc1831 section 10 and page 445 UNP vol2 - * + * * check to make sure we've got enough data to process a record * * Where did the original 16 come from? It seems that it could be @@ -1154,10 +1178,10 @@ * * Fragment Header ( 1 flag bit, 31 bit uint ) * RPC Body - * - * unsigned int xid + * + * unsigned int xid * struct call_body { - * unsigned int rpcvers; // must be equal to two (2) + * unsigned int rpcvers; // must be equal to two (2) * unsigned int prog; * unsigned int vers; * unsigned int proc; @@ -1197,12 +1221,12 @@ *(((uint8_t *) &fraghdr) + 1) = data[1]; *(((uint8_t *) &fraghdr) + 2) = data[2]; *(((uint8_t *) &fraghdr) + 3) = data[3]; - + /* The fragment header is 4 bytes in network byte order */ fraghdr = ntohl(fraghdr); length = fraghdr & 0x7FFFFFFF; - + /* Check to see if we are on the last fragment */ if(fraghdr & MSB) { 
@@ -1212,13 +1236,13 @@ if((length + 4 != psize) && !(p->packet_flags & PKT_REBUILT_STREAM)) { DEBUG_WRAP(DebugMessage(DEBUG_RPC, "It's not the only thing in this buffer!" - " length: %d psize: %d!\n", length, psize);); + " length: %d psize: %d!\n", length, psize);); return RPC_MULTIPLE_RECORD; } else if ( length == 0 ) { DEBUG_WRAP(DebugMessage(DEBUG_RPC, "Zero-length RPC fragment detected." - " length: %d psize: %d.\n", length, psize);); + " length: %d psize: %d.\n", length, psize);); return RPC_ZERO_LENGTH_FRAGMENT; } return 0; @@ -1228,18 +1252,18 @@ RpcPreprocEvent(rconfig, rsdata, RPC_FRAG_TRAFFIC); } - norm_index = DecodeBuffer.data; + norm_index = DecodeBuffer.data; data_index = (uint8_t *)data; data_end = (uint8_t *)data + psize; - /* now we know it's in fragmented records, 4 bytes of - * header(of which the most sig bit fragment (0=yes 1=no). - * The header is followed by the value move pointer up 4 - * bytes, we need to stuff header in first 4 bytes. - * But the header has the total length...we don't know - * until the end + /* now we know it's in fragmented records, 4 bytes of + * header(of which the most sig bit fragment (0=yes 1=no). + * The header is followed by the value move pointer up 4 + * bytes, we need to stuff header in first 4 bytes. + * But the header has the total length...we don't know + * until the end */ - + /* This is where decoded data will be written */ norm_index += 4; decoded_len = 4; @@ -1247,7 +1271,7 @@ /* always make sure that we have enough data to process atleast * the header and that we only process at most, one fragment */ - + while(((data_end - data_index) >= 4) && (last_fragment == 0)) { /* get the fragment length (31 bits) and move the pointer to @@ -1263,11 +1287,11 @@ if (length == 0) break; - + /* move the current index into the packet past the fragment header */ - data_index += 4; - + data_index += 4; + if(fraghdr & MSB) { DEBUG_WRAP(DebugMessage(DEBUG_RPC, "Last Fragment detected\n");); 
@@ -1279,7 +1303,7 @@ /* don't allow integer overflow to confuse us. Should be * caught by length > psize but who knows when weird * psize's might be allowed */ - + DEBUG_WRAP(DebugMessage(DEBUG_RPC, "Integer Overflow" " field(%d) exceeds packet size(%d)\n", length, psize);); @@ -1315,10 +1339,10 @@ else { fragcount++; - + DEBUG_WRAP(DebugMessage(DEBUG_RPC, "length: %d size: %d decoded_len: %d\n", - length, psize, decoded_len);); + length, psize, decoded_len);); ret = SafeMemcpy(norm_index, data_index, length, decode_buf_start, decode_buf_end); if (ret != SAFEMEM_SUCCESS) @@ -1333,14 +1357,14 @@ /* rewrite the header on the request packet */ /* move the fragment header back onto the data */ - + fraghdr = ntohl(decoded_len); /* size */ DecodeBuffer.data[0] = *((uint8_t *) &fraghdr); DecodeBuffer.data[1] = *(((uint8_t *) &fraghdr) + 1); DecodeBuffer.data[2] = *(((uint8_t *) &fraghdr) + 2); DecodeBuffer.data[3] = *(((uint8_t *) &fraghdr) + 3); - + DecodeBuffer.data[0] |= 0x80; /* Mark as unfragmented */ /* is there another request encoded that is trying to evade us by doing @@ -1359,7 +1383,7 @@ //PrintNetData(stdout, data, decoded_len); ); - SetAltDecode(p, (uint16_t)decoded_len); + SetAltDecode((uint16_t)decoded_len); return 0; } @@ -1421,7 +1445,7 @@ static void RpcDecodeReload(char *args) { int policy_id = (int)getParserPolicy(); - RpcDecodeConfig *pPolicyConfig = NULL; + RpcDecodeConfig *pPolicyConfig = NULL; if (rpc_decode_swap_config == NULL) { diff -Nru snort-2.9.0.1/src/preprocessors/spp_rpc_decode.h snort-2.9.2/src/preprocessors/spp_rpc_decode.h --- snort-2.9.0.1/src/preprocessors/spp_rpc_decode.h 2010-01-26 10:10:14.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_rpc_decode.h 2011-02-09 15:23:29.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/spp_sfportscan.c snort-2.9.2/src/preprocessors/spp_sfportscan.c --- snort-2.9.0.1/src/preprocessors/spp_sfportscan.c 2010-09-27 08:28:14.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_sfportscan.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* ** @file spp_sfportscan.c ** @@ -49,6 +49,10 @@ # include <arpa/inet.h> #endif /* !WIN32 */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "decode.h" #include "encode.h" #include "plugbase.h" @@ -182,7 +186,7 @@ dsize = (g_tmp_pkt->max_dsize - *total_size); if(dsize < PROTO_BUFFER_SIZE) - return -1; + return -1; #ifdef SUP_IP6 ip1 = &proto->low_ip; @@ -297,7 +301,7 @@ return 0; } -static int GeneratePSSnortEvent(Packet *p,uint32_t gen_id,uint32_t sig_id, +static int GeneratePSSnortEvent(Packet *p,uint32_t gen_id,uint32_t sig_id, uint32_t sig_rev, uint32_t class, uint32_t priority, char *msg) { unsigned int event_id; @@ -323,7 +327,7 @@ ** @retval 0 success */ static int GenerateOpenPortEvent(Packet *p, uint32_t gen_id, uint32_t sig_id, - uint32_t sig_rev, uint32_t class, uint32_t pri, + uint32_t sig_rev, uint32_t class, uint32_t pri, uint32_t event_ref, struct timeval *event_time, char *msg) { Event event; 
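Review bot: The new `#ifdef HAVE_CONFIG_H / #include "config.h"` block in spp_sfportscan.c is placed after the system headers (the `<arpa/inet.h>` include under `#endif /* !WIN32 */` is visible just above it). Feature-test macros an autoconf config.h may define only take effect if they precede the first system header, so at this position they can silently not apply to `<arpa/inet.h>` and friends; whether this config.h sets any such macro is not visible here. Move the three lines to the top of the include list, as spp_rpc_decode.c in this same patch does (its config.h block precedes `<sys/types.h>`).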
@@ -338,7 +342,7 @@ /* reset the thresholding subsystem checks for this packet */ sfthreshold_reset(); - + SetEvent(&event, gen_id, sig_id, sig_rev, class, pri, event_ref); //CallAlertFuncs(p,msg,NULL,&event); @@ -359,8 +363,8 @@ } CallLogFuncs(p,msg,NULL,&event); - } - else + } + else { return -1; } @@ -375,7 +379,7 @@ ** NAME ** MakeOpenPortInfo:: */ -/** +/** ** Write out the open ports info for open port alerts. ** ** @return integer @@ -391,7 +395,7 @@ dsize = (g_tmp_pkt->max_dsize - *total_size); if(dsize < PROTO_BUFFER_SIZE) - return -1; + return -1; SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE, "Open Port: %u\n", *((unsigned short *)user)); @@ -417,7 +421,7 @@ ** ** We want to copy the network and transport layer headers into our ** fake packet. -** +** */ static int MakePortscanPkt(PS_PKT *ps_pkt, PS_PROTO *proto, int proto_type, void *user) @@ -429,10 +433,10 @@ return -1; if(ps_pkt) - { + { p = (Packet *)ps_pkt->pkt; - if(IS_IP4(p)) + if(IS_IP4(p)) { ((IPHdr*)g_tmp_pkt->iph)->ip_proto = IPPROTO_PS; #ifdef SUP_IP6 @@ -442,7 +446,8 @@ #ifdef SUP_IP6 else if (IS_IP6(p)) { - // FIXTHIS what if there are extension headers? + if ( g_tmp_pkt->raw_ip6h ) + ((IP6RawHdr*)g_tmp_pkt->raw_ip6h)->ip6nxt = IPPROTO_PS; g_tmp_pkt->inner_ip6h.next = IPPROTO_PS; g_tmp_pkt->ip6h = &g_tmp_pkt->inner_ip6h; } @@ -480,7 +485,7 @@ Encode_Update(g_tmp_pkt); #ifdef SUP_IP6 - if(IS_IP4(g_tmp_pkt)) + if(IS_IP4(g_tmp_pkt)) { g_tmp_pkt->inner_ip4h.ip_len = ((IPHdr *)g_tmp_pkt->iph)->ip_len; } @@ -498,14 +503,14 @@ int iCtr; unsigned int event_ref; int portsweep = 0; - + if(!proto) return -1; switch(proto->alerts) { case PS_ALERT_ONE_TO_ONE: - event_ref = GeneratePSSnortEvent(p, GENERATOR_PSNG, + event_ref = GeneratePSSnortEvent(p, GENERATOR_PSNG, PSNG_TCP_PORTSCAN, 0, 0, 3, PSNG_TCP_PORTSCAN_STR); break; 
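Review bot: In MakePortscanPkt the `// FIXTHIS what if there are extension headers?` note is deleted but the question it raised is not resolved: the new line overwrites `raw_ip6h->ip6nxt` with IPPROTO_PS unconditionally, so if the source packet carried IPv6 extension headers the fake packet's base header now claims the pseudo-protocol while whatever follows the base header (extension chain or not, depending on what Encode_Format copies, which is outside this hunk) is unchanged. Either keep the note so the limitation stays visible, e.g. `/* NOTE: extension headers in the original packet are not stripped; ip6nxt is forced to IPPROTO_PS regardless */`, or skip the raw-header rewrite when `g_tmp_pkt->ip6h` indicates extension headers are present. MakePortscanPkt's body continues past this hunk.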
@@ -518,24 +523,24 @@ event_ref = GeneratePSSnortEvent(p,GENERATOR_PSNG, PSNG_TCP_PORTSWEEP, 0, 0, 3, PSNG_TCP_PORTSWEEP_STR); portsweep = 1; - + break; case PS_ALERT_DISTRIBUTED: event_ref = GeneratePSSnortEvent(p,GENERATOR_PSNG, - PSNG_TCP_DISTRIBUTED_PORTSCAN, 0, 0, 3, + PSNG_TCP_DISTRIBUTED_PORTSCAN, 0, 0, 3, PSNG_TCP_DISTRIBUTED_PORTSCAN_STR); break; case PS_ALERT_ONE_TO_ONE_FILTERED: event_ref = GeneratePSSnortEvent(p,GENERATOR_PSNG, - PSNG_TCP_FILTERED_PORTSCAN,0,0,3, + PSNG_TCP_FILTERED_PORTSCAN,0,0,3, PSNG_TCP_FILTERED_PORTSCAN_STR); break; case PS_ALERT_ONE_TO_ONE_DECOY_FILTERED: event_ref = GeneratePSSnortEvent(p,GENERATOR_PSNG, - PSNG_TCP_FILTERED_DECOY_PORTSCAN, 0,0,3, + PSNG_TCP_FILTERED_DECOY_PORTSCAN, 0,0,3, PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR); break; @@ -549,7 +554,7 @@ case PS_ALERT_DISTRIBUTED_FILTERED: event_ref = GeneratePSSnortEvent(p,GENERATOR_PSNG, - PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN, 0, 0, 3, + PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN, 0, 0, 3, PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR); break; @@ -573,18 +578,18 @@ for(iCtr = 0; iCtr < proto->open_ports_cnt; iCtr++) { DAQ_PktHdr_t *pkth = (DAQ_PktHdr_t *)g_tmp_pkt->pkth; - PS_PKT ps_pkt; - + PS_PKT ps_pkt; + memset(&ps_pkt, 0x00, sizeof(PS_PKT)); ps_pkt.pkt = (void *)p; - if(MakePortscanPkt(&ps_pkt, proto, PS_PROTO_OPEN_PORT, + if(MakePortscanPkt(&ps_pkt, proto, PS_PROTO_OPEN_PORT, (void *)&proto->open_ports[iCtr])) return -1; pkth->ts.tv_usec += 1; GenerateOpenPortEvent(g_tmp_pkt,GENERATOR_PSNG,PSNG_OPEN_PORT, - 0,0,3, proto->event_ref, &proto->event_time, + 0,0,3, proto->event_ref, &proto->event_time, PSNG_OPEN_PORT_STR); } } @@ -615,7 +620,7 @@ break; case PS_ALERT_DISTRIBUTED: - GeneratePSSnortEvent(p,GENERATOR_PSNG,PSNG_UDP_DISTRIBUTED_PORTSCAN, + GeneratePSSnortEvent(p,GENERATOR_PSNG,PSNG_UDP_DISTRIBUTED_PORTSCAN, 0, 0, 3, PSNG_UDP_DISTRIBUTED_PORTSCAN_STR); break; 
@@ -636,7 +641,7 @@ case PS_ALERT_DISTRIBUTED_FILTERED: GeneratePSSnortEvent(p,GENERATOR_PSNG, - PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN, 0, 0, 3, + PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN, 0, 0, 3, PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR); break; @@ -670,7 +675,7 @@ break; case PS_ALERT_DISTRIBUTED: - GeneratePSSnortEvent(p,GENERATOR_PSNG,PSNG_IP_DISTRIBUTED_PORTSCAN, + GeneratePSSnortEvent(p,GENERATOR_PSNG,PSNG_IP_DISTRIBUTED_PORTSCAN, 0, 0, 3, PSNG_IP_DISTRIBUTED_PORTSCAN_STR); break; @@ -691,7 +696,7 @@ case PS_ALERT_DISTRIBUTED_FILTERED: GeneratePSSnortEvent(p,GENERATOR_PSNG, - PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN, 0, 0, 3, + PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN, 0, 0, 3, PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR); break; @@ -734,7 +739,7 @@ return -1; p = (Packet *)ps_pkt->pkt; - + if(proto->alerts == PS_ALERT_OPEN_PORT) { if(MakePortscanPkt(ps_pkt, proto, PS_PROTO_OPEN_PORT, (void *)&p->sp)) @@ -782,7 +787,7 @@ PROFILE_VARS; sfPolicyUserPolicySet (portscan_config, policy_id); - pPolicyConfig = (PortscanConfig *)sfPolicyUserDataGetCurrent(portscan_config); + pPolicyConfig = (PortscanConfig *)sfPolicyUserDataGetCurrent(portscan_config); if ( pPolicyConfig == NULL ) return; @@ -803,7 +808,7 @@ flags = ENC_FLAG_NET; if ( !ps_pkt.reverse_pkt ) flags |= ENC_FLAG_FWD; - Encode_Format(flags, p, g_tmp_pkt); + Encode_Format(flags, p, g_tmp_pkt, PSEUDO_PKT_PS); if (ps_pkt.scanner && ps_pkt.scanner->proto.alerts && (ps_pkt.scanner->proto.alerts != PS_ALERT_GENERATED)) 
@@ -822,25 +827,25 @@ NORETURN static void FatalErrorNoOption(u_char *option) { - FatalError("%s(%d) => No argument to '%s' config option.\n", + FatalError("%s(%d) => No argument to '%s' config option.\n", file_name, file_line, option); } NORETURN static void FatalErrorNoEnd(char *option) { - FatalError("%s(%d) => No ending brace to '%s' config option.\n", + FatalError("%s(%d) => No ending brace to '%s' config option.\n", file_name, file_line, option); } NORETURN static void FatalErrorInvalidArg(char *option) { - FatalError("%s(%d) => Invalid argument to '%s' config option.\n", + FatalError("%s(%d) => Invalid argument to '%s' config option.\n", file_name, file_line, option); } NORETURN static void FatalErrorInvalidOption(char *option) { - FatalError("%s(%d) => Invalid option '%s' to portscan preprocessor.\n", + FatalError("%s(%d) => Invalid option '%s' to portscan preprocessor.\n", file_name, file_line, option); } @@ -883,7 +888,7 @@ static void ParseScanType(int *scan_types, char **savptr) { char *pcTok; - + if(!scan_types) return; @@ -919,7 +924,7 @@ static void ParseSenseLevel(int *sense_level, char **savptr) { char *pcTok; - + if(!sense_level) return; @@ -974,22 +979,23 @@ return; } -static void ParseMemcap(int *memcap, char **savptr) +static void ParseMemcap(unsigned long *memcap, char **savptr) { char *pcTok; + char *p; if(!memcap) return; - + *memcap = 0; - + pcTok = strtok_r(NULL, DELIMITERS, savptr); if(!pcTok) FatalErrorNoEnd("memcap"); - *memcap = atoi(pcTok); + *memcap = strtoul(pcTok, &p, 10); - if(*memcap <= 0) + if(!*pcTok || *pcTok == '-' || *p) FatalErrorInvalidArg("memcap"); pcTok = strtok_r(NULL, DELIMITERS, savptr); @@ -998,7 +1004,7 @@ if(strcmp(pcTok, TOKEN_ARG_END)) FatalErrorInvalidArg("memcap"); - + return; } @@ -1070,7 +1076,7 @@ if ( pr->port_hi != pr->port_lo ) { SnortSnprintfAppend(output_str, sizeof(output_str), "-%d", pr->port_hi); - } + } SnortSnprintfAppend(output_str, sizeof(output_str), " "); } } 
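Review bot: The new strtoul-based ParseMemcap does not detect overflow: for an argument such as `99999999999999999999` strtoul returns ULONG_MAX with errno set to ERANGE, `*p` is '\0', and the value is accepted as the memcap. It also accepts `0`, which the old `*memcap <= 0` test rejected; whether the later "'memcap' limit not sufficient" check in ParsePortscan catches zero is not visible in this hunk. Reset errno before the call and test it afterwards: `errno = 0;` then `*memcap = strtoul(pcTok, &p, 10);` and `if(!*pcTok || *pcTok == '-' || *p || errno == ERANGE || *memcap == 0)` before `FatalErrorInvalidArg("memcap");` (errno is already used in this file via `strerror(errno)`).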
@@ -1080,7 +1086,7 @@ static void PrintPortscanConf(int detect_scans, int detect_scan_type, int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, - int memcap, char *logpath, int disabled) + unsigned long memcap, char *logpath, int disabled) { char buf[STD_BUF + 1]; int proto_cnt = 0; @@ -1091,7 +1097,10 @@ #endif LogMessage("Portscan Detection Config:\n"); - + if(disabled) + { + LogMessage(" Portscan Detection: INACTIVE\n"); + } memset(buf, 0, STD_BUF + 1); if (!disabled) { @@ -1130,8 +1139,8 @@ sfsnprintfappend(buf, STD_BUF, "Low"); LogMessage("%s\n", buf); } - - LogMessage(" Memcap (in bytes): %d\n", memcap); + + LogMessage(" Memcap (in bytes): %lu\n", memcap); if (!disabled) { @@ -1139,7 +1148,7 @@ memcap / (sizeof(PS_PROTO)*proto_cnt-1)); if (logpath != NULL) - LogMessage(" Logfile: %s\n", logpath); + LogMessage(" Logfile: %s\n", logpath); if(scanner) { @@ -1180,7 +1189,7 @@ } #endif } - + if(watch) { LogMessage(" Watch IP List:\n"); @@ -1213,7 +1222,7 @@ pcTok = strtok_r(NULL, DELIMITERS, savptr); if (pcTok == NULL) { - FatalError("%s(%d) => No ending brace to '%s' config option.\n", + FatalError("%s(%d) => No ending brace to '%s' config option.\n", file_name, file_line, "logfile"); } @@ -1222,21 +1231,21 @@ pcTok = strtok_r(NULL, DELIMITERS, savptr); if (pcTok == NULL) { - FatalError("%s(%d) => No ending brace to '%s' config option.\n", + FatalError("%s(%d) => No ending brace to '%s' config option.\n", file_name, file_line, "logfile"); } if (strcmp(pcTok, TOKEN_ARG_END) != 0) { - FatalError("%s(%d) => Invalid argument to '%s' config option.\n", + FatalError("%s(%d) => Invalid argument to '%s' config option.\n", file_name, file_line, "logfile"); } } - + static void PortscanInit(char *args) { tSfPolicyId policy_id = getParserPolicy(); - PortscanConfig *pPolicyConfig = NULL; + PortscanConfig *pPolicyConfig = NULL; if (portscan_config == NULL) { 
@@ -1244,8 +1253,8 @@ PortscanPacketInit(); AddFuncToPreprocCleanExitList(PortscanCleanExitFunction, NULL, PRIORITY_SCANNER, PP_SFPORTSCAN); - AddFuncToPreprocResetList(PortscanResetFunction, NULL, PRIORITY_SCANNER, PP_SFPORTSCAN); - AddFuncToPreprocResetStatsList(PortscanResetStatsFunction, NULL, PRIORITY_SCANNER, PP_SFPORTSCAN); + AddFuncToPreprocResetList(PortscanResetFunction, NULL, PRIORITY_SCANNER, PP_SFPORTSCAN); + AddFuncToPreprocResetStatsList(PortscanResetStatsFunction, NULL, PRIORITY_SCANNER, PP_SFPORTSCAN); AddFuncToPreprocPostConfigList(PortscanOpenLogFile, NULL); #ifdef PERF_PROFILING @@ -1309,7 +1318,7 @@ int sense_level = PS_SENSE_LOW; int protos = (PS_PROTO_TCP | PS_PROTO_UDP); int scan_types = PS_TYPE_ALL; - int memcap = 1048576; + unsigned long memcap = 1048576; IPSET *ignore_scanners = NULL; IPSET *ignore_scanned = NULL; IPSET *watch_ip = NULL; @@ -1398,7 +1407,7 @@ } else if(!strcasecmp(pcTok, "detect_ack_scans")) { - /* + /* * We will only see ack scan packets if we are looking at sessions that the * have been flagged as being picked up mid-stream */ @@ -1425,7 +1434,7 @@ { FatalError("%s(%d) => 'memcap' limit not sufficient to run " "sfportscan preprocessor. Please increase this " - "value or keep the default memory usage.\n", + "value or keep the default memory usage.\n", file_name, file_line); } @@ -1450,7 +1459,7 @@ g_logfile = fopen(pPolicyConfig->logfile, "a+"); if (g_logfile == NULL) { - FatalError("Portscan log file '%s' could not be opened: %s.\n", + FatalError("Portscan log file '%s' could not be opened: %s.\n", pPolicyConfig->logfile, strerror(errno)); } } @@ -1529,12 +1538,12 @@ "policies are going to be configured."); } - + sfPolicyUserPolicySet (portscan_swap_config, policy_id); pPolicyConfig = (PortscanConfig *)sfPolicyUserDataGetCurrent(portscan_swap_config); if (pPolicyConfig) - { + { ParseError("Can only configure sfportscan once.\n"); } 
@@ -1543,7 +1552,7 @@ { ParseError("SFPORTSCAN preprocessor: memory allocate failed.\n"); } - + sfPolicyUserDataSetCurrent(portscan_swap_config, pPolicyConfig); ParsePortscan(pPolicyConfig, args); diff -Nru snort-2.9.0.1/src/preprocessors/spp_sfportscan.h snort-2.9.2/src/preprocessors/spp_sfportscan.h --- snort-2.9.0.1/src/preprocessors/spp_sfportscan.h 2010-01-26 10:10:14.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_sfportscan.h 2011-02-09 15:23:29.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocessors/spp_stream5.c snort-2.9.2/src/preprocessors/spp_stream5.c --- snort-2.9.0.1/src/preprocessors/spp_stream5.c 2010-10-25 12:49:10.000000000 -0700 +++ snort-2.9.2/src/preprocessors/spp_stream5.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -42,17 +42,19 @@ #include <sys/types.h> /* u_int*_t */ #include "snort.h" -#include "bounds.h" +#include "snort_bounds.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "plugbase.h" #include "spp_stream5.h" #include "stream_api.h" +#include "stream5_paf.h" #include "stream5_common.h" #include "snort_stream5_session.h" #include "snort_stream5_tcp.h" #include "snort_stream5_udp.h" #include "snort_stream5_icmp.h" +#include "snort_stream5_ip.h" #include "checksum.h" #include "mstring.h" #include "parser/IpAddrSet.h" 
@@ -60,7 +62,7 @@ #include "detect.h" #include "generators.h" #include "event_queue.h" -#include "stream_ignore.h" +#include "stream_expect.h" #include "stream_api.h" #include "perf.h" #include "active.h" @@ -81,11 +83,14 @@ extern PreprocStats s5TcpPerfStats; extern PreprocStats s5UdpPerfStats; extern PreprocStats s5IcmpPerfStats; +extern PreprocStats s5IpPerfStats; #endif extern OptTreeNode *otn_tmp; extern Stream5SessionCache *tcp_lws_cache; extern Stream5SessionCache *udp_lws_cache; +extern Stream5SessionCache *icmp_lws_cache; +extern Stream5SessionCache *ip_lws_cache; extern FlushConfig ignore_flush_policy[MAX_PORTS]; #ifdef TARGET_BASED @@ -105,6 +110,7 @@ #define S5_DEFAULT_MAX_TCP_SESSIONS 262144 /* 256k TCP sessions by default */ #define S5_DEFAULT_MAX_UDP_SESSIONS 131072 /* 128k UDP sessions by default */ #define S5_DEFAULT_MAX_ICMP_SESSIONS 65536 /* 64k ICMP sessions by default */ +#define S5_DEFAULT_MAX_IP_SESSIONS 16384 /* 16k IP sessions by default */ #define S5_MIN_PRUNE_LOG_MAX 1024 /* 1k packet data stored */ #define S5_MAX_PRUNE_LOG_MAX S5_RIDICULOUS_HI_MEMCAP /* 1GB packet data stored */ @@ -116,6 +122,7 @@ #define S5_MIN_RESPONSE_SECONDS_MAX 300 /* we want to stop the flow soonest */ #endif +#define S5_EXPECTED_CHANNEL_TIMEOUT 300 /* G L O B A L S **************************************************/ tSfPolicyUserContextId s5_config = NULL; 
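Review bot: `#define S5_EXPECTED_CHANNEL_TIMEOUT 300` is the only constant added to this group without a comment, while every neighbour (S5_DEFAULT_MAX_IP_SESSIONS, S5_MIN_PRUNE_LOG_MAX, S5_MIN_RESPONSE_SECONDS_MAX) documents its unit and purpose. Its consumer is not in this hunk, so I would add a hedged note that the next maintainer can confirm: `/* seconds an expected channel registration is kept before it expires -- presumably passed as the timeout in Stream5SetApplicationProtocolIdExpected; confirm */`.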
@@ -123,18 +130,25 @@ Stream5TcpConfig *s5_tcp_eval_config = NULL; Stream5UdpConfig *s5_udp_eval_config = NULL; Stream5IcmpConfig *s5_icmp_eval_config = NULL; +Stream5IpConfig *s5_ip_eval_config = NULL; uint32_t mem_in_use = 0; uint32_t firstPacketTime = 0; Stream5Stats s5stats; MemPool s5FlowMempool; -static PoolCount s_tcp_sessions = 0, s_udp_sessions = 0, s_icmp_sessions = 0; +static PoolCount s_tcp_sessions = 0, s_udp_sessions = 0; +static PoolCount s_icmp_sessions = 0, s_ip_sessions = 0; static int s_proto_flags = 0; /* Define this locally when Flow preprocessor has actually been removed */ unsigned int giFlowbitSize = 128; +uint32_t xtradata_func_count = 0; +LogFunction xtradata_map[LOG_FUNC_MAX]; +LogExtraData extra_data_log = NULL; +void *extra_data_config = NULL; + /* P R O T O T Y P E S ********************************************/ static void Stream5GlobalInit(char *); @@ -142,6 +156,7 @@ static void Stream5PolicyInitTcp(char *); static void Stream5PolicyInitUdp(char *); static void Stream5PolicyInitIcmp(char *); +static void Stream5PolicyInitIp(char *); static void Stream5CleanExit(int, void *); static void Stream5Reset(int, void *); static void Stream5ResetStats(int, void *); @@ -149,7 +164,7 @@ static void Stream5PrintGlobalConfig(Stream5GlobalConfig *); static void Stream5PrintStats(int); static void Stream5Process(Packet *p, void *context); -static INLINE int IsEligible(Packet *p); +static inline int IsEligible(Packet *p); #ifdef TARGET_BASED static void s5InitServiceFilterStatus(void); #endif @@ -160,6 +175,7 @@ static void Stream5TcpReload(char *); static void Stream5UdpReload(char *); static void Stream5IcmpReload(char *); +static void Stream5IpReload(char *); static int Stream5ReloadVerify(void); static void * Stream5ReloadSwap(void); static void Stream5ReloadSwapFree(void *); 
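Review bot: `xtradata_map[LOG_FUNC_MAX]` is a fixed-size table and `xtradata_func_count` is its write index, so the registration routine (Stream5RegisterXtraData, declared later in this chunk but defined outside it) must refuse a registration once the count reaches LOG_FUNC_MAX instead of writing past the array; please confirm that bound check exists, since preprocessors register at startup and a miscount here is a one-slot global overflow. The four new globals (`xtradata_func_count`, `xtradata_map`, `extra_data_log`, `extra_data_config`) also have external linkage; if nothing outside spp_stream5.c references them, declare them `static`, and a comment above the group stating who writes them and when would help, e.g. `/* extra-data log callbacks, filled at init by Stream5RegisterXtraData; read-only after config */` (hedged: the init-only assumption is not visible here).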
@@ -195,9 +211,13 @@ uint16_t srcPort, snort_ip_p dstIP, uint16_t dstPort, - char protocol, + uint8_t protocol, + time_t now, + uint32_t preprocId, char direction, char flags); +static int Stream5GetIgnoreDirection( + void *ssnptr); static void Stream5ResumeInspection( void *ssnptr, char dir); @@ -215,20 +235,36 @@ static void *Stream5GetApplicationData( void *ssnptr, uint32_t protocol); +static void *Stream5GetApplicationDataFromIpPort( + snort_ip_p srcIP, + uint16_t srcPort, + snort_ip_p dstIP, + uint16_t dstPort, + char ip_protocol, + uint16_t vlan, + uint32_t mplsId, + uint32_t protocol); static uint32_t Stream5SetSessionFlags( void *ssnptr, uint32_t flags); static uint32_t Stream5GetSessionFlags(void *ssnptr); static int Stream5AlertFlushStream(Packet *p); static int Stream5ResponseFlushStream(Packet *p); -static int Stream5AddSessionAlert(void *ssnptr, +static int Stream5AddSessionAlert(void *ssnptr, Packet *p, uint32_t gid, - uint32_t sid); + uint32_t sid, + int alerted); static int Stream5CheckSessionAlert(void *ssnptr, Packet *p, uint32_t gid, uint32_t sid); +static int Stream5LogSessionAlertExtraData(void *ssnptr, + Packet *p, + uint32_t gid, + uint32_t sid, + uint32_t event_id, + uint32_t event_second); static char Stream5SetReassembly(void *ssnptr, uint8_t flush_policy, char dir, @@ -249,11 +285,22 @@ void *userdata); static StreamFlowData *Stream5GetFlowData(Packet *p); +static int Stream5SetApplicationProtocolIdExpected( + snort_ip_p srcIP, + uint16_t srcPort, + snort_ip_p dstIP, + uint16_t dstPort, + uint8_t protocol, + time_t now, + int16_t protoId, + uint32_t preprocId, + void* protoData, + void (*protoDataFreeFn)(void*)); #ifdef TARGET_BASED static int16_t Stream5GetApplicationProtocolId(void *ssnptr); static int16_t Stream5SetApplicationProtocolId(void *ssnptr, int16_t id); static void s5SetServiceFilterStatus( - int protocolId, + int protocolId, int status, tSfPolicyId policyId, int parsing 
@@ -263,22 +310,30 @@ tSfPolicyId policyId, int parsing ); -static int Stream5SetApplicationProtocolIdExpected( - snort_ip_p srcIP, - uint16_t srcPort, - snort_ip_p dstIP, - uint16_t dstPort, - char protocol, - int16_t protoId); +static snort_ip_p Stream5GetSessionIpAddress( + void *ssnptr, uint32_t direction); #endif + +static uint16_t s5GetPreprocessorStatusBit(void); + static void s5SetPortFilterStatus( - int protocol, - uint16_t port, - int status, + int protocol, + uint16_t port, + uint16_t status, tSfPolicyId policyId, int parsing ); +static void s5UnsetPortFilterStatus( + int protocol, + uint16_t port, + uint16_t status, + tSfPolicyId policyId, + int parsing + ); + +static void s5GetMaxSessions(tSfPolicyId policyId, StreamSessionLimits* limits); + #ifdef ACTIVE_RESPONSE static void s5InitActiveResponse(Packet*, void* ssnptr); #endif @@ -287,6 +342,17 @@ static uint32_t Stream5GetFlushPoint(void *ssnptr, char dir); static void Stream5SetFlushPoint(void *ssnptr, char dir, uint32_t flush_point); +static bool Stream5RegisterPAF( + tSfPolicyId, uint16_t server_port, bool toServer, + PAF_Callback, bool autoEnable); +static void** Stream5GetPAFUserData(void* ssnptr, bool to_server); +static bool Stream5IsPafActive(void* ssnptr, bool to_server); +static bool Stream5ActivatePaf(void* ssnptr, bool to_server); + + +static uint32_t Stream5RegisterXtraData(LogFunction ); +static uint32_t Stream5GetXtraDataMap(LogFunction **); +static void Stream5RegisterXtraDataLog(LogExtraData, void * ); StreamAPI s5api = { STREAM_API_VERSION5, @@ -295,6 +361,7 @@ Stream5GetPacketDirection, Stream5StopInspection, Stream5IgnoreChannel, + Stream5GetIgnoreDirection, Stream5ResumeInspection, Stream5DropTraffic, Stream5DropPacket, @@ -308,6 +375,7 @@ Stream5GetStreamSegments, Stream5AddSessionAlert, Stream5CheckSessionAlert, + Stream5LogSessionAlertExtraData, Stream5GetFlowData, Stream5SetReassembly, Stream5GetReassemblyDirection, 
@@ -320,17 +388,30 @@ Stream5SetApplicationProtocolId, s5SetServiceFilterStatus, #endif + s5GetPreprocessorStatusBit, s5SetPortFilterStatus, + s5UnsetPortFilterStatus, #ifdef ACTIVE_RESPONSE s5InitActiveResponse, #endif s5GetHopLimit, Stream5GetFlushPoint, - Stream5SetFlushPoint - /* More to follow */ + Stream5SetFlushPoint, + Stream5SetApplicationProtocolIdExpected, #ifdef TARGET_BASED - , Stream5SetApplicationProtocolIdExpected + Stream5GetSessionIpAddress, #endif + Stream5RegisterPAF, + Stream5GetPAFUserData, + Stream5IsPafActive, + Stream5ActivatePaf, + s5TcpSetSynSessionStatus, + s5TcpUnsetSynSessionStatus, + Stream5GetApplicationDataFromIpPort, + Stream5RegisterXtraData, + Stream5RegisterXtraDataLog, + Stream5GetXtraDataMap, + s5GetMaxSessions }; void SetupStream5(void) @@ -340,6 +421,7 @@ RegisterPreprocessor("stream5_tcp", Stream5PolicyInitTcp); RegisterPreprocessor("stream5_udp", Stream5PolicyInitUdp); RegisterPreprocessor("stream5_icmp", Stream5PolicyInitIcmp); + RegisterPreprocessor("stream5_ip", Stream5PolicyInitIp); #else RegisterPreprocessor("stream5_global", Stream5GlobalInit, Stream5GlobalReload, Stream5ReloadSwap, Stream5ReloadSwapFree); @@ -349,6 +431,8 @@ Stream5UdpReload, NULL, NULL); RegisterPreprocessor("stream5_icmp", Stream5PolicyInitIcmp, Stream5IcmpReload, NULL, NULL); + RegisterPreprocessor("stream5_ip", Stream5PolicyInitIp, + Stream5IpReload, NULL, NULL); #endif DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Preprocessor stream5 is setup\n");); @@ -371,6 +455,7 @@ RegisterPreprocessorProfile("s5tcp", &s5TcpPerfStats, 1, &s5PerfStats); RegisterPreprocessorProfile("s5udp", &s5UdpPerfStats, 1, &s5PerfStats); RegisterPreprocessorProfile("s5icmp", &s5IcmpPerfStats, 1, &s5PerfStats); + RegisterPreprocessorProfile("s5ip", &s5IpPerfStats, 1, &s5PerfStats); #endif AddFuncToPreprocCleanExitList(Stream5CleanExit, NULL, PRIORITY_TRANSPORT, PP_STREAM5); 
@@ -380,6 +465,8 @@ RegisterPreprocStats("stream5", Stream5PrintStats); stream_api = &s5api; + + StreamExpectInit(); } sfPolicyUserPolicySet (s5_config, policy_id); @@ -411,6 +498,8 @@ pCurrentPolicyConfig->global_config->max_udp_sessions = S5_DEFAULT_MAX_UDP_SESSIONS; pCurrentPolicyConfig->global_config->track_icmp_sessions = S5_TRACK_NO; pCurrentPolicyConfig->global_config->max_icmp_sessions = S5_DEFAULT_MAX_ICMP_SESSIONS; + pCurrentPolicyConfig->global_config->track_ip_sessions = S5_TRACK_NO; + pCurrentPolicyConfig->global_config->max_ip_sessions = S5_DEFAULT_MAX_IP_SESSIONS; pCurrentPolicyConfig->global_config->memcap = S5_DEFAULT_MEMCAP; pCurrentPolicyConfig->global_config->prune_log_max = S5_DEFAULT_PRUNE_LOG_MAX; #ifdef ACTIVE_RESPONSE @@ -425,10 +514,11 @@ if ((!pCurrentPolicyConfig->global_config->disabled) && (pCurrentPolicyConfig->global_config->track_tcp_sessions == S5_TRACK_NO) && (pCurrentPolicyConfig->global_config->track_udp_sessions == S5_TRACK_NO) && - (pCurrentPolicyConfig->global_config->track_icmp_sessions == S5_TRACK_NO)) + (pCurrentPolicyConfig->global_config->track_icmp_sessions == S5_TRACK_NO) && + (pCurrentPolicyConfig->global_config->track_ip_sessions == S5_TRACK_NO)) { FatalError("%s(%d) ==> Stream5 enabled, but not configured to track " - "TCP, UDP, or ICMP.\n", file_name, file_line); + "TCP, UDP, ICMP, or IP.\n", file_name, file_line); } if (policy_id != getDefaultPolicy()) 
@@ -439,12 +529,20 @@ pDefaultPolicyConfig->global_config->max_udp_sessions; pCurrentPolicyConfig->global_config->max_icmp_sessions = pDefaultPolicyConfig->global_config->max_icmp_sessions; + pCurrentPolicyConfig->global_config->max_ip_sessions = + pDefaultPolicyConfig->global_config->max_ip_sessions; pCurrentPolicyConfig->global_config->memcap = pDefaultPolicyConfig->global_config->memcap; } Stream5PrintGlobalConfig(pCurrentPolicyConfig->global_config); +#ifdef REG_TEST + LogMessage("\n"); + LogMessage(" Stream5LW Session Size: %lu\n",sizeof(Stream5LWSession)); + LogMessage("\n"); +#endif + if (snort_conf_for_parsing == NULL) { FatalError("%s(%d) Snort config for parsing is NULL.\n", @@ -465,6 +563,7 @@ #define MAX_TCP 0x01 #define MAX_UDP 0x02 #define MAX_ICMP 0x04 +#define MAX_IP 0x08 char max_set = 0; if (config == NULL) @@ -634,6 +733,48 @@ file_name, file_line); } } + else if(!strcasecmp(stoks[0], "max_ip")) + { + if (stoks[1]) + { + config->max_ip_sessions = strtoul(stoks[1], &endPtr, 10); + + if (config->track_ip_sessions == S5_TRACK_YES) + { + if ((config->max_ip_sessions > S5_RIDICULOUS_MAX_SESSIONS) || + (config->max_ip_sessions == 0)) + { + FatalError("%s(%d) => 'max_ip %d' invalid: value must be " + "between 1 and %d sessions\n", + file_name, file_line, + config->max_ip_sessions, + S5_RIDICULOUS_MAX_SESSIONS); + } + } + } + + if (!stoks[1] || (endPtr == &stoks[1][0])) + { + FatalError("%s(%d) => Invalid max_ip in config file. Requires integer parameter.\n", + file_name, file_line); + } + max_set |= MAX_IP; + } + else if(!strcasecmp(stoks[0], "track_ip")) + { + if (stoks[1]) + { + if(!strcasecmp(stoks[1], "no")) + config->track_ip_sessions = S5_TRACK_NO; + else + config->track_ip_sessions = S5_TRACK_YES; + } + else + { + FatalError("%s(%d) => 'track_ip' missing option\n", + file_name, file_line); + } + } else if(!strcasecmp(stoks[0], "flush_on_alert")) { config->flags |= STREAM5_CONFIG_FLUSH_ON_ALERT; 
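Review bot: The range check in the new `max_ip` branch only runs when `track_ip_sessions` is already `S5_TRACK_YES`, so a `max_ip` line that precedes `track_ip yes` in the config is accepted with any value; the later verify pass (`!max_ip_sessions || Stream5VerifyIpConfig(...)`) rejects zero but nothing above `S5_RIDICULOUS_MAX_SESSIONS`. The `strtoul` call also ignores `errno`/`ERANGE` and trailing characters (only `endPtr == &stoks[1][0]` is tested), and the `FatalError` prints the `uint32_t` `max_ip_sessions` with `%d`. If this mirrors the existing `max_tcp`/`max_udp` handling the ordering dependency is pre-existing, but it is worth a comment on the branch, e.g. `/* upper bound is only enforced when track_ip precedes max_ip; zero is rejected at verify time */`, and `%u` for the two counters.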
@@ -760,6 +901,12 @@ if (config->track_icmp_sessions == S5_TRACK_YES) LogMessage(" Max ICMP sessions: %u\n", config->max_icmp_sessions); + LogMessage(" Track IP sessions: %s\n", + config->track_ip_sessions == S5_TRACK_YES ? + "ACTIVE" : "INACTIVE"); + if (config->track_ip_sessions == S5_TRACK_YES) + LogMessage(" Max IP sessions: %u\n", + config->max_ip_sessions); if (config->prune_log_max) { LogMessage(" Log info if session memory consumption exceeds %d\n", @@ -775,6 +922,11 @@ config->min_response_seconds); } #endif +#ifdef ENABLE_PAF + LogMessage(" Protocol Aware Flushing: %s\n", + ScPafEnabled() ? "ACTIVE" : "INACTIVE"); + LogMessage(" Maximum Flush Point: %u\n", ScPafMax()); +#endif } static void Stream5PolicyInitTcp(char *args) @@ -811,6 +963,9 @@ Stream5InitTcp(config->global_config); Stream5TcpInitFlushPoints(); Stream5TcpRegisterRuleOptions(); +#ifdef ENABLE_PAF + AddFuncToPreprocPostConfigList(Stream5PostConfigTcp, config->tcp_config); +#endif } /* Call the protocol specific initializer */ 
@@ -893,6 +1048,44 @@ Stream5IcmpPolicyInit(config->icmp_config, args); } +static void Stream5PolicyInitIp(char *args) +{ + tSfPolicyId policy_id = getParserPolicy(); + Stream5Config *config; + + if (s5_config == NULL) + FatalError("Tried to config stream5 IP policy without global config!\n"); + + sfPolicyUserPolicySet (s5_config, policy_id); + config = (Stream5Config *)sfPolicyUserDataGetCurrent(s5_config); + + if ((config == NULL) || (config->global_config == NULL)) + { + FatalError("Tried to config stream5 IP policy without global config!\n"); + } + + if (!config->global_config->track_ip_sessions) + { +#ifdef SNORT_RELOAD + /* Return if we're reloading - the discrepancy will be handled in + * the reload verify */ + if (s5_swap_config != NULL) +#endif + return; + } + + if (config->ip_config == NULL) + { + config->ip_config = + (Stream5IpConfig*)SnortAlloc(sizeof(config->ip_config)); + + Stream5InitIp(config->global_config); + } + + /* Call the protocol specific initializer */ + Stream5IpPolicyInit(config->ip_config, args); +} + static void Stream5Reset(int signal, void *foo) { if (s5_config == NULL) @@ -901,6 +1094,7 @@ Stream5ResetTcp(); Stream5ResetUdp(); Stream5ResetIcmp(); + Stream5ResetIp(); mempool_clean(&s5FlowMempool); } @@ -911,6 +1105,7 @@ Stream5ResetTcpPrunes(); Stream5ResetUdpPrunes(); Stream5ResetIcmpPrunes(); + Stream5ResetIpPrunes(); } static void Stream5CleanExit(int signal, void *foo) @@ -918,16 +1113,18 @@ s5stats.tcp_prunes = Stream5GetTcpPrunes(); s5stats.udp_prunes = Stream5GetUdpPrunes(); s5stats.icmp_prunes = Stream5GetIcmpPrunes(); + s5stats.ip_prunes = Stream5GetIpPrunes(); /* Clean up the hash tables for these */ Stream5CleanTcp(); Stream5CleanUdp(); Stream5CleanIcmp(); + Stream5CleanIp(); mempool_destroy(&s5FlowMempool); /* Free up the ignore data that was queued */ - CleanupIgnore(); + StreamExpectCleanup(); Stream5FreeConfigs(s5_config); s5_config = NULL; 
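Review bot: `SnortAlloc(sizeof(config->ip_config))` in `Stream5PolicyInitIp` sizes the allocation by the pointer, not by `Stream5IpConfig`; unless that struct happens to fit in a pointer, the object is under-allocated and `Stream5IpPolicyInit` writes past its end. Use `sizeof(*config->ip_config)` (or `sizeof(Stream5IpConfig)`) so the size follows the pointee. The same expression appears in `Stream5IpReload` in the later hunk `@@ -2348,9 +2821,31 @@`; the TCP/UDP/ICMP counterparts are not in view, so I cannot tell whether they share it.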
@@ -935,7 +1132,7 @@ static int Stream5VerifyConfigPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -945,6 +1142,7 @@ int tcpNotConfigured = 0; int udpNotConfigured = 0; int icmpNotConfigured = 0; + int ipNotConfigured = 0; int proto_flags = 0; //do any housekeeping before freeing Stream5Config @@ -959,14 +1157,14 @@ if (pPolicyConfig->global_config->track_tcp_sessions) { - tcpNotConfigured = + tcpNotConfigured = !pPolicyConfig->global_config->max_tcp_sessions || Stream5VerifyTcpConfig(pPolicyConfig->tcp_config, policyId); if (tcpNotConfigured) { ErrorMessage( - "WARNING: Stream5 TCP misconfigured (policy %u)\n", policyId); + "WARNING: Stream5 TCP misconfigured (policy %u).\n", policyId); } else { @@ -979,14 +1177,14 @@ if (pPolicyConfig->global_config->track_udp_sessions) { - udpNotConfigured = + udpNotConfigured = !pPolicyConfig->global_config->max_udp_sessions || Stream5VerifyUdpConfig(pPolicyConfig->udp_config, policyId); if (udpNotConfigured) { ErrorMessage( - "WARNING: Stream5 UDP misconfigured (policy %u)\n", policyId); + "WARNING: Stream5 UDP misconfigured (policy %u).\n", policyId); } else { @@ -999,14 +1197,14 @@ if (pPolicyConfig->global_config->track_icmp_sessions) { - icmpNotConfigured = + icmpNotConfigured = !pPolicyConfig->global_config->max_icmp_sessions || Stream5VerifyIcmpConfig(pPolicyConfig->icmp_config, policyId); if (icmpNotConfigured) { ErrorMessage( - "WARNING: Stream5 ICMP misconfigured (policy %u)\n", policyId); + "WARNING: Stream5 ICMP misconfigured (policy %u).\n", policyId); } else { 
@@ -1017,7 +1215,27 @@ } } - if ( tcpNotConfigured || udpNotConfigured || icmpNotConfigured ) + if (pPolicyConfig->global_config->track_ip_sessions) + { + ipNotConfigured = + !pPolicyConfig->global_config->max_ip_sessions || + Stream5VerifyIpConfig(pPolicyConfig->ip_config, policyId); + + if (ipNotConfigured) + { + ErrorMessage( + "WARNING: Stream5 IP misconfigured (policy %u).\n", policyId); + } + else + { + if ( !(s_proto_flags & PROTO_BIT__IP) ) + s_ip_sessions += pPolicyConfig->global_config->max_ip_sessions; + + proto_flags |= PROTO_BIT__IP; + } + } + + if ( tcpNotConfigured || udpNotConfigured || icmpNotConfigured || ipNotConfigured ) { FatalError("Stream5 not properly configured... exiting\n"); } @@ -1041,13 +1259,15 @@ if (s5_config == NULL) return; - s_tcp_sessions = s_udp_sessions = s_icmp_sessions = 0; + s_tcp_sessions = s_udp_sessions = 0; + s_icmp_sessions = s_ip_sessions = 0; sfPolicyUserDataIterate (s5_config, Stream5VerifyConfigPolicy); defConfig = sfPolicyUserDataGet(s5_config, getDefaultPolicy()); - total_sessions = s_tcp_sessions + s_udp_sessions + s_icmp_sessions; + total_sessions = s_tcp_sessions + s_udp_sessions + + s_icmp_sessions + s_ip_sessions; if ( !total_sessions ) return; @@ -1070,6 +1290,12 @@ LogMessage("ICMP tracking disabled, no ICMP sessions allocated\n"); } + if ( (defConfig->global_config->max_ip_sessions > 0) + && (s_ip_sessions == 0) ) + { + LogMessage("IP tracking disabled, no IP sessions allocated\n"); + } + /* Initialize the memory pool for Flowbits Data */ /* use giFlowbitSize - 1, since there is already 1 byte in the * StreamFlowData structure */ 
@@ -1102,14 +1328,17 @@ LogMessage(" Total sessions: %u\n", s5stats.total_tcp_sessions + s5stats.total_udp_sessions + - s5stats.total_icmp_sessions); + s5stats.total_icmp_sessions + + s5stats.total_ip_sessions); LogMessage(" TCP sessions: %u\n", s5stats.total_tcp_sessions); LogMessage(" UDP sessions: %u\n", s5stats.total_udp_sessions); LogMessage(" ICMP sessions: %u\n", s5stats.total_icmp_sessions); + LogMessage(" IP sessions: %u\n", s5stats.total_ip_sessions); LogMessage(" TCP Prunes: %u\n", Stream5GetTcpPrunes()); LogMessage(" UDP Prunes: %u\n", Stream5GetUdpPrunes()); LogMessage(" ICMP Prunes: %u\n", Stream5GetIcmpPrunes()); + LogMessage(" IP Prunes: %u\n", Stream5GetIpPrunes()); LogMessage("TCP StreamTrackers Created: %u\n", s5stats.tcp_streamtrackers_created); LogMessage("TCP StreamTrackers Deleted: %u\n", @@ -1164,7 +1393,7 @@ PREPROC_PROFILE_START(s5PerfStats); - /* Call individual TCP/UDP/ICMP processing, per GET_IPH_PROTO(p) */ + /* Call individual TCP/UDP/ICMP/IP processing, per GET_IPH_PROTO(p) */ switch(GET_IPH_PROTO(p)) { case IPPROTO_TCP: @@ -1202,22 +1431,28 @@ break; case IPPROTO_ICMP: - if (Stream5SetRuntimeConfiguration(NULL, IPPROTO_ICMP) == -1) - return; - - if (s5_global_eval_config->track_icmp_sessions) - Stream5ProcessIcmp(p); + if (Stream5SetRuntimeConfiguration(NULL, IPPROTO_ICMP) != -1) + { + if (s5_global_eval_config->track_icmp_sessions) + Stream5ProcessIcmp(p); - break; + break; + } + // fall thru ... default: + if (Stream5SetRuntimeConfiguration(NULL, IPPROTO_IP) == -1) + return; + + if (s5_global_eval_config->track_ip_sessions) + Stream5ProcessIp(p); break; } PREPROC_PROFILE_END(s5PerfStats); } -static INLINE int IsEligible(Packet *p) +static inline int IsEligible(Packet *p) { if ((p->frag_flag) || (p->error_flags & PKT_ERR_CKSUM_IP)) return 0; @@ -1258,7 +1493,9 @@ } break; default: - return 0; + if(p->iph == NULL) + return 0; + break; } return 1; 
@@ -1348,6 +1585,41 @@ return data; } +static void * Stream5GetApplicationDataFromIpPort( + snort_ip_p srcIP, + uint16_t srcPort, + snort_ip_p dstIP, + uint16_t dstPort, + char ip_protocol, + uint16_t vlan, + uint32_t mplsId, + uint32_t protocol) +{ + SessionKey key; + Stream5LWSession *ssn; + + GetLWSessionKeyFromIpPort(srcIP, srcPort, dstIP, dstPort, ip_protocol, vlan, mplsId, &key); + + switch (ip_protocol) + { + case IPPROTO_TCP: + ssn = GetLWSessionFromKey(tcp_lws_cache, &key); + break; + case IPPROTO_UDP: + ssn = GetLWSessionFromKey(udp_lws_cache, &key); + break; + case IPPROTO_ICMP: + ssn = GetLWSessionFromKey(icmp_lws_cache, &key); + if (ssn) + break; + // fall through + default: + ssn = GetLWSessionFromKey(ip_lws_cache, &key); + } + + return Stream5GetApplicationData(ssn, protocol); +} + static int Stream5AlertFlushStream(Packet *p) { Stream5LWSession *ssn; 
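Review bot: `ip_protocol` in `Stream5GetApplicationDataFromIpPort` is declared `char`, while the other entry points this commit touches (`Stream5IgnoreChannel`, `Stream5SetApplicationProtocolIdExpected`) were changed to `uint8_t protocol`; on a platform with signed `char`, protocol numbers of 128 and above become negative before the `switch` and are passed that way to `GetLWSessionKeyFromIpPort`. Declaring it `uint8_t ip_protocol` keeps the new API consistent. Separately, when every cache lookup misses `ssn` is NULL and is handed straight to `Stream5GetApplicationData`; that function's body is outside the hunk, so whether it tolerates NULL cannot be confirmed here — either an explicit `if (!ssn) return NULL;` or a comment `/* ssn may be NULL; Stream5GetApplicationData must accept it */` would make the contract visible.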
@@ -1435,74 +1707,83 @@ Stream5LWSession *ssn; if (ssnptr) { - ssn = (Stream5LWSession *)ssnptr; + ssn = (Stream5LWSession *)ssnptr; return ssn->session_flags; } return 0; } -static int Stream5AddSessionAlert(void *ssnptr, - Packet *p, - uint32_t gid, - uint32_t sid) +static int Stream5AddSessionAlert( + void *ssnptr, + Packet *p, + uint32_t gid, + uint32_t sid, int alerted) { Stream5LWSession *ssn; - if (ssnptr) - { - ssn = (Stream5LWSession *)ssnptr; - if (Stream5SetRuntimeConfiguration(ssn, ssn->protocol) == -1) - return 0; - switch (GET_IPH_PROTO(p)) - { - case IPPROTO_TCP: - return Stream5AddSessionAlertTcp(ssn, p, gid, sid); - break; -#if 0 /* Don't need to do this for UDP/ICMP because they don't - do any reassembly. */ - case IPPROTO_UDP: - return Stream5AddSessionAlertUdp(ssn, p, gid, sid); - break; - case IPPROTO_ICMP: - return Stream5AddSessionAlertIcmp(ssn, p, gid, sid); - break; -#endif - } - } - return 0; + if ( !ssnptr ) + return 0; + + ssn = (Stream5LWSession *)ssnptr; + if (Stream5SetRuntimeConfiguration(ssn, ssn->protocol) == -1) + return 0; + + /* Don't need to do this for other protos because they don't + do any reassembly. */ + if ( GET_IPH_PROTO(p) != IPPROTO_TCP ) + return 0; + + return Stream5AddSessionAlertTcp(ssn, p, gid, sid, alerted); +} + +static int Stream5LogSessionAlertExtraData( + void *ssnptr, + Packet *p, + uint32_t gid, + uint32_t sid, + uint32_t event_id, + uint32_t event_second) +{ + Stream5LWSession *ssn; + + if ( !ssnptr ) + return 0; + + ssn = (Stream5LWSession *)ssnptr; + if (Stream5SetRuntimeConfiguration(ssn, ssn->protocol) == -1) + return 0; + + /* Don't need to do this for other protos because they don't + do any reassembly. 
*/ + if ( GET_IPH_PROTO(p) != IPPROTO_TCP ) + return 0; + + return Stream5LogSessionAlertExtraDataTcp(ssn, p, gid, sid, event_id, event_second); } /* return non-zero if gid/sid have already been seen */ -static int Stream5CheckSessionAlert(void *ssnptr, - Packet *p, - uint32_t gid, - uint32_t sid) +static int Stream5CheckSessionAlert( + void *ssnptr, + Packet *p, + uint32_t gid, + uint32_t sid) { Stream5LWSession *ssn; - if (ssnptr) - { - ssn = (Stream5LWSession *)ssnptr; - if (Stream5SetRuntimeConfiguration(ssn, ssn->protocol) == -1) - return 0; - switch (GET_IPH_PROTO(p)) - { - case IPPROTO_TCP: - return Stream5CheckSessionAlertTcp(ssn, p, gid, sid); - break; -#if 0 /* Don't need to do this for UDP/ICMP because they don't - do any reassembly. */ - case IPPROTO_UDP: - return Stream5CheckSessionAlertUdp(ssn, p, gid, sid); - break; - case IPPROTO_ICMP: - return Stream5CheckSessionAlertIcmp(ssn, p, gid, sid); - break; -#endif - } - } - return 0; + if ( !ssnptr ) + return 0; + + ssn = (Stream5LWSession *)ssnptr; + if (Stream5SetRuntimeConfiguration(ssn, ssn->protocol) == -1) + return 0; + + /* Don't need to do this for other protos because they don't + do any reassembly. */ + if ( GET_IPH_PROTO(p) != IPPROTO_TCP ) + return 0; + + return Stream5CheckSessionAlertTcp(ssn, p, gid, sid); } static int Stream5IgnoreChannel( 
@@ -1510,12 +1791,24 @@ uint16_t srcPort, snort_ip_p dstIP, uint16_t dstPort, - char protocol, + uint8_t protocol, + time_t now, + uint32_t preprocId, char direction, char flags) { - return IgnoreChannel(srcIP, srcPort, dstIP, dstPort, - protocol, direction, flags, 300, 0); + return StreamExpectAddChannel(srcIP, srcPort, dstIP, dstPort, + protocol, now, direction, flags, S5_EXPECTED_CHANNEL_TIMEOUT, + 0, preprocId, NULL, NULL); +} + +static int Stream5GetIgnoreDirection(void *ssnptr) +{ + Stream5LWSession *ssn = (Stream5LWSession *)ssnptr; + if (!ssn) + return SSN_DIR_NONE; + + return ssn->ignore_direction; } void Stream5DisableInspection(Stream5LWSession *lwssn, Packet *p) @@ -1628,7 +1921,7 @@ UdpUpdateDirection(ssn, dir, ip, port); break; case IPPROTO_ICMP: - //IcmUpdateDirection(ssn, dir, ip, port); + //IcmpUpdateDirection(ssn, dir, ip, port); break; } } @@ -1636,10 +1929,10 @@ static uint32_t Stream5GetPacketDirection(Packet *p) { Stream5LWSession *lwssn; - + if (!p || !(p->ssnptr)) return 0; - + lwssn = (Stream5LWSession *)p->ssnptr; if (Stream5SetRuntimeConfiguration(lwssn, lwssn->protocol) == -1) return 0; @@ -1673,7 +1966,29 @@ static void Stream5DropPacket( Packet *p) { - Stream5TcpBlockPacket(p); + Stream5LWSession* ssn = (Stream5LWSession*)p->ssnptr; + + if ( !ssn ) + return; + + switch (ssn->protocol) + { + case IPPROTO_TCP: + Stream5TcpBlockPacket(p); + break; + case IPPROTO_UDP: + UdpSessionCleanup(ssn); + break; + case IPPROTO_IP: + IpSessionCleanup(ssn); + break; + case IPPROTO_ICMP: + IcmpSessionCleanup(ssn); + break; + default: + break; + } + if (!(p->packet_flags & PKT_STATELESS)) Stream5DropTraffic(p, p->ssnptr, SSN_DIR_BOTH); 
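Review bot: For UDP, IP and ICMP sessions `Stream5DropPacket` now calls the protocol's `*SessionCleanup(ssn)` and then, two lines later, hands the same `p->ssnptr` to `Stream5DropTraffic`. Whether that is safe depends on what the cleanup routines do to the light-weight session, which is not visible in this hunk: if they only release protocol-specific state and reset flags, the drop flags set afterwards survive; if they release the session itself, the second call is a use-after-free. A comment on the `switch` pinning the assumption, e.g. `/* cleanup releases proto-specific state only; the lwssn stays valid for Stream5DropTraffic below */`, would make the dependency explicit, and the trailing call could use the local `ssn` instead of re-reading `p->ssnptr`. The enclosing function ends outside the hunk.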
@@ -1847,10 +2162,19 @@ return Stream5PacketsMissingTcp(ssn, dir); } +static uint16_t s5GetPreprocessorStatusBit(void) +{ + static uint16_t preproc_filter_status_bit = PORT_MONITOR_SESSION; + + preproc_filter_status_bit <<= 1; + + return preproc_filter_status_bit; +} + static void s5SetPortFilterStatus( - int protocol, - uint16_t port, - int status, + int protocol, + uint16_t port, + uint16_t status, tSfPolicyId policyId, int parsing ) @@ -1870,6 +2194,32 @@ } } +static void s5UnsetPortFilterStatus( + int protocol, + uint16_t port, + uint16_t status, + tSfPolicyId policyId, + int parsing + ) +{ + if (status <= PORT_MONITOR_SESSION) + return; + + switch (protocol) + { + case IPPROTO_TCP: + s5TcpUnsetPortFilterStatus(port, status, policyId, parsing); + break; + case IPPROTO_UDP: + s5UdpUnsetPortFilterStatus(port, status, policyId, parsing); + break; + case IPPROTO_ICMP: + break; + default: + break; + } +} + #ifdef ACTIVE_RESPONSE static void s5InitActiveResponse (Packet* p, void* pv) { @@ -1900,6 +2250,23 @@ return outer ? ssn->outer_server_ttl : ssn->inner_server_ttl; } +static int Stream5SetApplicationProtocolIdExpected( + snort_ip_p srcIP, + uint16_t srcPort, + snort_ip_p dstIP, + uint16_t dstPort, + uint8_t protocol, + time_t now, + int16_t protoId, + uint32_t preprocId, + void *protoData, + void (*protoDataFreeFn)(void*)) +{ + return StreamExpectAddChannel(srcIP, srcPort, dstIP, dstPort, + protocol, now, SSN_DIR_BOTH, 0, S5_EXPECTED_CHANNEL_TIMEOUT, + protoId, preprocId, protoData, protoDataFreeFn); +} + #ifdef TARGET_BASED void Stream5SetIPProtocol(Stream5LWSession *lwssn) { @@ -1967,14 +2334,14 @@ { OptTreeNode *otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; + for ( policyId = 0; + policyId < otn->proto_node_num; policyId++) { RuleTreeNode *rtn = getRtnFromOtn(otn, policyId); if (rtn && (rtn->proto == IPPROTO_TCP)) - { + { unsigned int svc_idx; for (svc_idx = 0; svc_idx < otn->sigInfo.num_services; svc_idx++) 
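Review bot: `s5GetPreprocessorStatusBit` hands out bits by shifting a `uint16_t` left on every call with no bound, so after at most 16 allocations (fewer if `PORT_MONITOR_SESSION` is not the lowest bit) the value shifts to zero and every later caller silently receives 0 — which the new `s5UnsetPortFilterStatus` then treats as a no-op via its `status <= PORT_MONITOR_SESSION` guard. Exhaustion should fail loudly: `if (preproc_filter_status_bit == 0) FatalError("Stream5: no preprocessor status bits left\n");` before the return. The mask `PORT_MONITOR_SESSION_BITS` introduced in the later hunk `@@ -2168,7 +2558,7 @@` has to cover every bit this function can issue; a comment on the `static` initializer stating that coupling would help the next maintainer.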
@@ -1992,7 +2359,7 @@ } static void s5SetServiceFilterStatus( - int protocolId, + int protocolId, int status, tSfPolicyId policyId, int parsing @@ -2061,9 +2428,9 @@ } #ifdef SUP_IP6 - host_entry = SFAT_LookupHostEntryByIP(&lwssn->server_ip); + host_entry = SFAT_LookupHostEntryByIP(IP_ARG(lwssn->server_ip)); #else - host_entry = SFAT_LookupHostEntryByIp4Addr(ntohl(lwssn->server_ip)); + host_entry = SFAT_LookupHostEntryByIP(ntohl(lwssn->server_ip)); #endif if (host_entry) { @@ -2077,10 +2444,11 @@ } #ifdef SUP_IP6 - host_entry = SFAT_LookupHostEntryByIP(&lwssn->client_ip); + host_entry = SFAT_LookupHostEntryByIP(IP_ARG(lwssn->client_ip)); #else - host_entry = SFAT_LookupHostEntryByIp4Addr(ntohl(lwssn->client_ip)); + host_entry = SFAT_LookupHostEntryByIP(ntohl(lwssn->client_ip)); #endif + if (host_entry) { Stream5SetApplicationProtocolIdFromHostEntry(lwssn, @@ -2108,18 +2476,40 @@ return id; } -static int Stream5SetApplicationProtocolIdExpected( - snort_ip_p srcIP, - uint16_t srcPort, - snort_ip_p dstIP, - uint16_t dstPort, - char protocol, - int16_t protoId) +static snort_ip_p Stream5GetSessionIpAddress(void *ssnptr, uint32_t direction) { - return IgnoreChannel(srcIP, srcPort, dstIP, dstPort, - protocol, SSN_DIR_BOTH, 0, 300, protoId); -} + Stream5LWSession *ssn = (Stream5LWSession *)ssnptr; +#ifdef SUP_IP6 + if (ssn) + { + switch (direction) + { + case SSN_DIR_SERVER: + return (snort_ip_p)(&((Stream5LWSession *)ssn)->server_ip); + case SSN_DIR_CLIENT: + return (snort_ip_p)(&((Stream5LWSession *)ssn)->client_ip); + default: + break; + } + } + return NULL; +#else + if (ssn) + { + switch (direction) + { + case SSN_DIR_SERVER: + return (snort_ip_p)(((Stream5LWSession *)ssn)->server_ip); + case SSN_DIR_CLIENT: + return (snort_ip_p)(((Stream5LWSession *)ssn)->client_ip); + default: + break; + } + } + return 0; +#endif +} #endif int isPacketFilterDiscard( 
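Review bot: In `Stream5GetSessionIpAddress` the local `ssn` is already a `Stream5LWSession *`, so the inner `((Stream5LWSession *)ssn)` casts in both branches are redundant and obscure the one cast that matters, the conversion to `snort_ip_p`; `return (snort_ip_p)(&ssn->server_ip);` (and likewise for `client_ip` and the non-`SUP_IP6` branch) reads cleaner. The function also has no doc comment; a one-liner such as `/* Returns the session's server or client address for SSN_DIR_SERVER/SSN_DIR_CLIENT, NULL/0 otherwise */` states the contract the `default:` branches imply.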
@@ -2168,7 +2558,7 @@
 return PORT_MONITOR_PACKET_PROCESS;
 }
 
- if (!(action & PORT_MONITOR_SESSION))
+ if (!(action & PORT_MONITOR_SESSION_BITS))
 {
 if (!(action & PORT_MONITOR_INSPECT) && ignore_any_rules)
 {
@@ -2191,6 +2581,84 @@ return PORT_MONITOR_PACKET_PROCESS; } +static bool Stream5RegisterPAF ( + tSfPolicyId id, uint16_t server_port, bool to_server, + PAF_Callback cb, bool autoEnable) +{ + return s5_paf_register(id, server_port, to_server, cb, autoEnable); +} + +static uint32_t Stream5RegisterXtraData(LogFunction f) +{ + uint32_t i = 0; + while(i < xtradata_func_count) + { + if(xtradata_map[i++] == f) + { + return i; + } + } + if ( xtradata_func_count == LOG_FUNC_MAX) + return 0; + xtradata_map[xtradata_func_count++] = f; + return xtradata_func_count; +} + +static uint32_t Stream5GetXtraDataMap(LogFunction **f) +{ + if(f) + { + *f = xtradata_map; + return xtradata_func_count; + } + else + return 0; +} + +static void Stream5RegisterXtraDataLog(LogExtraData f, void *config) +{ + extra_data_log = f; + extra_data_config = config; +} + +void** Stream5GetPAFUserData(void* ssnptr, bool to_server) +{ + return Stream5GetPAFUserDataTcp((Stream5LWSession*)ssnptr, to_server); +} + +static bool Stream5IsPafActive (void* ssnptr, bool to_server) +{ + return Stream5IsPafActiveTcp((Stream5LWSession*)ssnptr, to_server); +} + +static bool Stream5ActivatePaf (void* ssnptr, bool to_server) +{ + return Stream5ActivatePafTcp((Stream5LWSession*)ssnptr, to_server); +} + +static void s5GetMaxSessions(tSfPolicyId policyId, StreamSessionLimits* limits) +{ + tSfPolicyUserContextId context; + Stream5Config* config; + +#ifdef SNORT_RELOAD + context = s5_swap_config ? 
s5_swap_config : s5_config; +#else + context = s5_config; +#endif + config = sfPolicyUserDataGet(context, policyId); + + if (config && config->global_config) + { + limits->tcp_session_limit = config->global_config->max_tcp_sessions; + limits->udp_session_limit = config->global_config->max_udp_sessions; + limits->icmp_session_limit = config->global_config->max_icmp_sessions; + limits->ip_session_limit = config->global_config->max_ip_sessions; + } + else + memset(limits, 0, sizeof(*limits)); +} + #ifdef SNORT_RELOAD static void Stream5GlobalReload(char *args) { @@ -2234,6 +2702,8 @@ pCurrentPolicyConfig->global_config->max_udp_sessions = S5_DEFAULT_MAX_UDP_SESSIONS; pCurrentPolicyConfig->global_config->track_icmp_sessions = S5_TRACK_NO; pCurrentPolicyConfig->global_config->max_icmp_sessions = S5_DEFAULT_MAX_ICMP_SESSIONS; + pCurrentPolicyConfig->global_config->track_ip_sessions = S5_TRACK_NO; + pCurrentPolicyConfig->global_config->max_ip_sessions = S5_DEFAULT_MAX_IP_SESSIONS; pCurrentPolicyConfig->global_config->memcap = S5_DEFAULT_MEMCAP; pCurrentPolicyConfig->global_config->prune_log_max = S5_DEFAULT_PRUNE_LOG_MAX; #ifdef ACTIVE_RESPONSE @@ -2248,10 +2718,11 @@ if ((!pCurrentPolicyConfig->global_config->disabled) && (pCurrentPolicyConfig->global_config->track_tcp_sessions == S5_TRACK_NO) && (pCurrentPolicyConfig->global_config->track_udp_sessions == S5_TRACK_NO) && - (pCurrentPolicyConfig->global_config->track_icmp_sessions == S5_TRACK_NO)) + (pCurrentPolicyConfig->global_config->track_icmp_sessions == S5_TRACK_NO) && + (pCurrentPolicyConfig->global_config->track_ip_sessions == S5_TRACK_NO)) { FatalError("%s(%d) ==> Stream5 enabled, but not configured to track " - "TCP, UDP, or ICMP.\n", file_name, file_line); + "TCP, UDP, ICMP, or IP.\n", file_name, file_line); } if (policy_id != getDefaultPolicy()) 
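Review bot: `Stream5GetPAFUserData` is defined here without `static`, although its prototype earlier in this file (hunk `@@ -287,6 +342,17 @@`) is `static void** Stream5GetPAFUserData(...)`; C gives the definition internal linkage from the prior declaration, so this compiles, but it is inconsistent with the sibling `Stream5IsPafActive`/`Stream5ActivatePaf` definitions and some compilers warn about it — add `static`. `Stream5RegisterXtraData` returns a 1-based id on success and 0 both when `f` cannot be registered and when the table is full, which nothing documents; a header comment `/* Returns the 1-based slot of f, registering it if new; 0 if xtradata_map is full */` would spare callers from reading the loop. The hunk starts on the previous physical line.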
@@ -2262,6 +2733,8 @@ pDefaultPolicyConfig->global_config->max_udp_sessions; pCurrentPolicyConfig->global_config->max_icmp_sessions = pDefaultPolicyConfig->global_config->max_icmp_sessions; + pCurrentPolicyConfig->global_config->max_ip_sessions = + pDefaultPolicyConfig->global_config->max_ip_sessions; pCurrentPolicyConfig->global_config->memcap = pDefaultPolicyConfig->global_config->memcap; } @@ -2348,9 +2821,31 @@ Stream5IcmpPolicyInit(config->icmp_config, args); } +static void Stream5IpReload(char *args) +{ + tSfPolicyId policy_id = getParserPolicy(); + Stream5Config *config; + + if (s5_swap_config == NULL) + FatalError("Tried to config stream5 IP policy without global config!\n"); + + config = (Stream5Config *)sfPolicyUserDataGet(s5_swap_config, policy_id); + + if ((config == NULL) || (config->global_config == NULL)) + { + FatalError("Tried to config stream5 IP policy without global config!\n"); + } + + if (config->ip_config == NULL) + config->ip_config = (Stream5IpConfig *)SnortAlloc(sizeof(config->ip_config)); + + /* Call the protocol specific initializer */ + Stream5IpPolicyInit(config->ip_config, args); +} + static int Stream5ReloadSwapPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -2394,7 +2889,7 @@ static int Stream5ReloadVerifyPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -2403,6 +2898,7 @@ int tcpNotConfigured = 0; int udpNotConfigured = 0; int icmpNotConfigured = 0; + int ipNotConfigured = 0; int proto_flags = 0; //do any housekeeping before freeing Stream5Config 
@@ -2417,9 +2913,10 @@ if ((sc->global_config->track_tcp_sessions != cc->global_config->track_tcp_sessions) || (sc->global_config->track_udp_sessions != cc->global_config->track_udp_sessions) || - (sc->global_config->track_icmp_sessions != cc->global_config->track_icmp_sessions)) + (sc->global_config->track_icmp_sessions != cc->global_config->track_icmp_sessions) || + (sc->global_config->track_ip_sessions != cc->global_config->track_ip_sessions)) { - ErrorMessage("Stream5 Reload: Changing tracking of TCP, UDP or ICMP " + ErrorMessage("Stream5 Reload: Changing tracking of TCP, UDP ICMP, or IP " "sessions requires a restart.\n"); Stream5FreeConfigs(s5_swap_config); s5_swap_config = NULL; @@ -2457,6 +2954,14 @@ s5_swap_config = NULL; return -1; } + + if (cc->global_config->max_ip_sessions != sc->global_config->max_ip_sessions) + { + ErrorMessage("Stream5 Reload: Changing \"max_ip\" requires a restart.\n"); + Stream5FreeConfigs(s5_swap_config); + s5_swap_config = NULL; + return -1; + } } if (sc == NULL) @@ -2464,13 +2969,13 @@ if (sc->global_config->track_tcp_sessions) { - tcpNotConfigured = + tcpNotConfigured = !sc->global_config->max_tcp_sessions || Stream5VerifyTcpConfig(sc->tcp_config, policyId); if (tcpNotConfigured) { - ErrorMessage("WARNING: Stream5 TCP misconfigured\n"); + ErrorMessage("WARNING: Stream5 TCP misconfigured.\n"); } else { @@ -2483,13 +2988,13 @@ if (sc->global_config->track_udp_sessions) { - udpNotConfigured = + udpNotConfigured = !sc->global_config->max_udp_sessions || Stream5VerifyUdpConfig(sc->udp_config, policyId); if (udpNotConfigured) { - ErrorMessage("WARNING: Stream5 UDP misconfigured\n"); + ErrorMessage("WARNING: Stream5 UDP misconfigured.\n"); } else { 
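Review bot: The reload error message added in `Stream5ReloadVerifyPolicy` reads `"Stream5 Reload: Changing tracking of TCP, UDP ICMP, or IP "`, which is missing the comma after UDP; the sibling messages in this commit use `"TCP, UDP, ICMP, or IP"`, so the same form should be used here. The enclosing function starts and ends outside this hunk.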
@@ -2502,13 +3007,13 @@ if (sc->global_config->track_icmp_sessions) { - icmpNotConfigured = + icmpNotConfigured = !sc->global_config->max_icmp_sessions || Stream5VerifyIcmpConfig(sc->icmp_config, policyId); if (icmpNotConfigured) { - ErrorMessage("WARNING: Stream5 ICMP misconfigured\n"); + ErrorMessage("WARNING: Stream5 ICMP misconfigured.\n"); } else { @@ -2519,6 +3024,25 @@ } } + if (sc->global_config->track_ip_sessions) + { + ipNotConfigured = + !sc->global_config->max_ip_sessions || + Stream5VerifyIpConfig(sc->ip_config, policyId); + + if (ipNotConfigured) + { + ErrorMessage("WARNING: Stream5 IP misconfigured.\n"); + } + else + { + if ( !(s_proto_flags & PROTO_BIT__IP) ) + s_ip_sessions += sc->global_config->max_ip_sessions; + + proto_flags |= PROTO_BIT__IP; + } + } + if ( sc->global_config->disabled ) return 0; diff -Nru snort-2.9.0.1/src/preprocessors/spp_stream5.h snort-2.9.2/src/preprocessors/spp_stream5.h --- snort-2.9.0.1/src/preprocessors/spp_stream5.h 2010-01-26 10:10:14.000000000 -0800 +++ snort-2.9.2/src/preprocessors/spp_stream5.h 2011-02-09 15:23:30.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/Makefile.am snort-2.9.2/src/preprocessors/Stream5/Makefile.am --- snort-2.9.0.1/src/preprocessors/Stream5/Makefile.am 2006-08-15 11:00:57.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/Makefile.am 2011-10-26 11:28:52.000000000 -0700 @@ -10,8 +10,12 @@ snort_stream5_udp.h \ snort_stream5_icmp.c \ snort_stream5_icmp.h \ +snort_stream5_ip.c \ +snort_stream5_ip.h \ snort_stream5_session.c \ snort_stream5_session.h \ +stream5_paf.c \ +stream5_paf.h \ stream5_common.c \ stream5_common.h 
@@ -19,7 +23,9 @@ snort_stream5_tcp.o \ snort_stream5_udp.o \ snort_stream5_icmp.o \ +snort_stream5_ip.o \ snort_stream5_session.o \ +stream5_paf.o \ stream5_common.o INCLUDES = @INCLUDES@ diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/Makefile.in snort-2.9.2/src/preprocessors/Stream5/Makefile.in --- snort-2.9.0.1/src/preprocessors/Stream5/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/Makefile.in 2011-12-07 11:23:22.000000000 -0800 @@ -49,10 +49,12 @@ ARFLAGS = cru libstream5_a_AR = $(AR) $(ARFLAGS) libstream5_a_DEPENDENCIES = snort_stream5_tcp.o snort_stream5_udp.o \ - snort_stream5_icmp.o snort_stream5_session.o stream5_common.o + snort_stream5_icmp.o snort_stream5_ip.o \ + snort_stream5_session.o stream5_paf.o stream5_common.o am_libstream5_a_OBJECTS = snort_stream5_tcp.$(OBJEXT) \ snort_stream5_udp.$(OBJEXT) snort_stream5_icmp.$(OBJEXT) \ - snort_stream5_session.$(OBJEXT) stream5_common.$(OBJEXT) + snort_stream5_ip.$(OBJEXT) snort_stream5_session.$(OBJEXT) \ + stream5_paf.$(OBJEXT) stream5_common.$(OBJEXT) libstream5_a_OBJECTS = $(am_libstream5_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = @@ -80,7 +82,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -95,6 +99,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -131,13 +136,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -204,8 +215,12 @@ snort_stream5_udp.h \ snort_stream5_icmp.c \ snort_stream5_icmp.h \ +snort_stream5_ip.c \ +snort_stream5_ip.h \ snort_stream5_session.c \ snort_stream5_session.h \ +stream5_paf.c \ +stream5_paf.h \ stream5_common.c \ stream5_common.h @@ -213,7 +228,9 @@ snort_stream5_tcp.o \ snort_stream5_udp.o \ snort_stream5_icmp.o \ +snort_stream5_ip.o \ snort_stream5_session.o \ +stream5_paf.o \ stream5_common.o all: all-am diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_icmp.c snort-2.9.2/src/preprocessors/Stream5/snort_stream5_icmp.c --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_icmp.c 2010-06-09 15:05:26.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_icmp.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,8 +18,13 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - -#include "debug.h" + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "decode.h" #include "mstring.h" #include "sfxhash.h" @@ -43,9 +48,6 @@ #define icmp_sender_ip lwSsn->client_ip #define icmp_responder_ip lwSsn->server_ip -extern Stream5Config *s5_current_config; - - /* D A T A S T R U C T U R E S ***********************************/ typedef struct _IcmpSession { @@ -59,7 +61,7 @@ /* G L O B A L S **************************************************/ -static Stream5SessionCache *icmp_lws_cache; +Stream5SessionCache *icmp_lws_cache; static MemPool icmp_session_mempool; /* P R O T O T Y P E S ********************************************/ @@ -73,11 +75,11 @@ if (gconfig == NULL) return; - /* Finally ICMP */ + /* Finally ICMP */ if((icmp_lws_cache == NULL) && gconfig->track_icmp_sessions) { icmp_lws_cache = InitLWSessionCache(gconfig->max_icmp_sessions, - 30, 5, 0, NULL); + 30, 30, 5, 0, NULL); if(!icmp_lws_cache) { @@ -138,7 +140,7 @@ { s5IcmpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10); } - + if (!stoks[1] || (endPtr == &stoks[1][0])) { FatalError("%s(%d) => Invalid timeout in config file. Integer parameter required.\n", @@ -161,7 +163,7 @@ } else { - FatalError("%s(%d) => Invalid Stream5 ICMP policy option\n", + FatalError("%s(%d) => Invalid Stream5 ICMP policy option\n", file_name, file_line); } 
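Review bot: `icmp_lws_cache` loses its `static` in the `@@ -59,7 +61,7 @@` hunk, but this diff adds no declaration for it to snort_stream5_icmp.h, so any other translation unit that reads it has to carry its own `extern` line (the way snort_stream5_session.c now does for `tcp_lws_cache` and `udp_lws_cache`). Put `extern Stream5SessionCache *icmp_lws_cache;` in the header next to the new `IcmpSessionCleanup` prototype so the definition and every user are checked against one declaration. If nothing outside this file actually needs it, keep it `static`.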
@@ -184,7 +186,20 @@ void IcmpSessionCleanup(Stream5LWSession *ssn) { IcmpSession *icmpssn = NULL; - + + if (ssn->session_flags & SSNFLAG_PRUNED) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_PRUNED); + } + else if (ssn->session_flags & SSNFLAG_TIMEDOUT) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_TIMEDOUT); + } + else + { + CloseStreamSession(&sfBase, SESSION_CLOSED_NORMALLY); + } + if (ssn->proto_specific_data) icmpssn = ssn->proto_specific_data->data; @@ -199,6 +214,7 @@ ssn->proto_specific_data = NULL; Stream5ResetFlowBits(ssn); + FreeLWApplicationData(ssn); s5stats.icmp_sessions_released++; } @@ -269,7 +285,7 @@ /* We only handle the above ICMP messages with stream5 */ break; } - + return 0; } diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_icmp.h snort-2.9.2/src/preprocessors/Stream5/snort_stream5_icmp.h --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_icmp.h 2010-06-09 15:05:26.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_icmp.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -37,5 +37,5 @@ uint32_t Stream5GetIcmpPrunes(void); void Stream5ResetIcmpPrunes(void); - +void IcmpSessionCleanup(Stream5LWSession *ssn); #endif /* STREAM5_ICMP_H_ */ diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_ip.c snort-2.9.2/src/preprocessors/Stream5/snort_stream5_ip.c --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_ip.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_ip.c 2011-11-21 12:15:24.000000000 -0800 
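Review bot: The pruned / timed-out / normal mapping onto `CloseStreamSession` added at the top of IcmpSessionCleanup is repeated verbatim in the new IpSessionCleanup in snort_stream5_ip.c, and the TCP and UDP cleanups presumably need the same three cases. Lift it into one helper in snort_stream5_session.c, e.g. `static inline void CloseLWSession(Stream5LWSession *ssn)` holding the three branches, and call it from each protocol cleanup so a new close reason is handled in a single place. The remainder of IcmpSessionCleanup ends outside this hunk.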
@@ -0,0 +1,418 @@ +/**************************************************************************** +* +* Copyright (C) 2005-2011 Sourcefire, Inc. +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License Version 2 as +* published by the Free Software Foundation. You may not use, modify or +* distribute this program under any other version of the GNU General +* Public License. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +* +* ***************************************************************************/ + +/* + * @file snort_stream5_ip.c + * @author Russ Combs <rcombs@sourcefire.com> + * + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "active.h" +#include "decode.h" +#include "detect.h" +#include "mstring.h" +#include "parser.h" +#include "profiler.h" +#include "sfPolicy.h" +#include "sfxhash.h" +#include "sf_types.h" +#include "snort_debug.h" +#include "snort_stream5_ip.h" +#include "snort_stream5_session.h" +#include "stream_expect.h" +#include "util.h" + +#ifdef PERF_PROFILING +PreprocStats s5IpPerfStats; +#endif + +Stream5SessionCache* ip_lws_cache; + +//------------------------------------------------------------------------- +// private methods +//------------------------------------------------------------------------- + +static void Stream5PrintIpConfig (Stream5IpPolicy* policy) +{ + LogMessage("Stream5 IP Policy config:\n"); + LogMessage(" Timeout: %d seconds\n", policy->session_timeout); + +} + +static void Stream5ParseIpArgs (char* args, Stream5IpPolicy* 
policy) +{ + char* *toks; + int num_toks; + int i; + + policy->session_timeout = S5_DEFAULT_SSN_TIMEOUT; + + if ( !args || !*args ) + return; + + toks = mSplit(args, ",", 0, &num_toks, 0); + + for (i = 0; i < num_toks; i++) + { + int s_toks; + char* *stoks = mSplit(toks[i], " ", 2, &s_toks, 0); + + if (s_toks == 0) + { + ParseError("Missing parameter in Stream5 IP config.\n"); + } + + if(!strcasecmp(stoks[0], "timeout")) + { + char* endPtr = NULL; + + if(stoks[1]) + { + policy->session_timeout = strtoul(stoks[1], &endPtr, 10); + } + + if (!stoks[1] || (endPtr == &stoks[1][0])) + { + ParseError("Invalid timeout in config file. Integer parameter required.\n"); + } + + if ((policy->session_timeout > S5_MAX_SSN_TIMEOUT) || + (policy->session_timeout < S5_MIN_SSN_TIMEOUT)) + { + ParseError("Invalid timeout in config file. Must be between %d and %d\n", + S5_MIN_SSN_TIMEOUT, S5_MAX_SSN_TIMEOUT); + } + if (s_toks > 2) + { + ParseError("Invalid Stream5 IP Policy option. Missing comma?\n"); + } + } + else + { + ParseError("Invalid Stream5 IP policy option\n"); + } + + mSplitFree(&stoks, s_toks); + } + + mSplitFree(&toks, num_toks); +} + +void IpSessionCleanup (Stream5LWSession* lws) +{ + if (lws->session_flags & SSNFLAG_PRUNED) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_PRUNED); + } + else if (lws->session_flags & SSNFLAG_TIMEDOUT) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_TIMEDOUT); + } + else + { + CloseStreamSession(&sfBase, SESSION_CLOSED_NORMALLY); + } + + Stream5ResetFlowBits(lws); + FreeLWApplicationData(lws); + + lws->session_flags = SSNFLAG_NONE; + lws->session_state = STREAM5_STATE_NONE; + + lws->expire_time = 0; + lws->ignore_direction = 0; +} + +//------------------------------------------------------------------------- +// public methods +//------------------------------------------------------------------------- + +void Stream5InitIp (Stream5GlobalConfig* gconfig) +{ + if (gconfig == NULL) + return; + + if((ip_lws_cache == NULL) && 
gconfig->track_ip_sessions) + { + ip_lws_cache = InitLWSessionCache( + gconfig->max_ip_sessions, 30, 30, 5, 0, IpSessionCleanup); + + if(!ip_lws_cache) + { + ParseError("Unable to init stream5 IP session cache, no IP " + "stream inspection!\n"); + } + } +} + +void Stream5ResetIp (void) +{ + PurgeLWSessionCache(ip_lws_cache); +} + +void Stream5CleanIp (void) +{ + if ( ip_lws_cache ) + s5stats.ip_prunes = ip_lws_cache->prunes; + + /* Clean up hash table -- delete all sessions */ + DeleteLWSessionCache(ip_lws_cache); + ip_lws_cache = NULL; +} + +//------------------------------------------------------------------------- +// public config methods +//------------------------------------------------------------------------- + +void Stream5IpPolicyInit (Stream5IpConfig* config, char* args) +{ + if (config == NULL) + return; + + Stream5ParseIpArgs(args, &config->default_policy); + Stream5PrintIpConfig(&config->default_policy); +} + +void Stream5IpConfigFree (Stream5IpConfig* config) +{ + if (config == NULL) + return; + + free(config); +} + +int Stream5VerifyIpConfig (Stream5IpConfig* config, tSfPolicyId policy_id) +{ + if (config == NULL) + return -1; + + if (!ip_lws_cache) + return -1; + + return 0; +} + +//------------------------------------------------------------------------- +// public access methods +//------------------------------------------------------------------------- + +uint32_t Stream5GetIpPrunes (void) +{ + return ip_lws_cache ? 
ip_lws_cache->prunes : s5stats.ip_prunes; +} + +void Stream5ResetIpPrunes (void) +{ + if ( ip_lws_cache ) + ip_lws_cache->prunes = 0; +} + +//------------------------------------------------------------------------- +// private packet processing methods +//------------------------------------------------------------------------- + +static inline void InitSession (Packet* p, Stream5LWSession* lws) +{ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + "Stream5 IP session created!\n");); + + s5stats.total_ip_sessions++; + + lws->policy = s5_ip_eval_config; + + IP_COPY_VALUE(lws->client_ip, GET_SRC_IP(p)); + IP_COPY_VALUE(lws->server_ip, GET_DST_IP(p)); +} + +static inline void TimeoutSession (Packet* p, Stream5LWSession* lws) +{ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + "Stream5 IP session timeout!\n");); + + lws->session_flags |= SSNFLAG_TIMEDOUT; + + IpSessionCleanup(lws); + lws->policy = s5_ip_eval_config; +} + +static inline int BlockedSession (Packet* p, Stream5LWSession* lws) +{ + if ( !(lws->session_flags & (SSNFLAG_DROP_CLIENT|SSNFLAG_DROP_SERVER)) ) + return 0; + + if ( + ((p->packet_flags & PKT_FROM_SERVER) && (lws->session_flags & SSNFLAG_DROP_SERVER)) || + ((p->packet_flags & PKT_FROM_CLIENT) && (lws->session_flags & SSNFLAG_DROP_CLIENT)) ) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Blocking %s packet as session was blocked\n", + p->packet_flags & PKT_FROM_SERVER ? "server" : "client");); + + DisableDetect(p); + /* Still want to add this number of bytes to totals */ + SetPreprocBit(p, PP_PERFMONITOR); + Active_DropPacket(); + +#ifdef ACTIVE_RESPONSE + Stream5ActiveResponse(p, lws); +#endif + return 1; + } + return 0; +} + +static inline int IgnoreSession (Packet* p, Stream5LWSession* lws) +{ + if ( + ((p->packet_flags & PKT_FROM_SERVER) && (lws->ignore_direction & SSN_DIR_CLIENT)) || + ((p->packet_flags & PKT_FROM_CLIENT) && (lws->ignore_direction & SSN_DIR_SERVER)) ) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5 Ignoring packet from %d. 
Session marked as ignore\n", + p->packet_flags & PKT_FROM_CLIENT? "sender" : "responder");); + + Stream5DisableInspection(lws, p); + return 1; + } + + return 0; +} + +static inline int CheckExpectedSession (Packet* p, Stream5LWSession* lws) +{ + int ignore; + + ignore = SteamExpectCheck(p, lws); + + if (ignore) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: Ignoring packet from %d. Marking session marked as ignore.\n", + p->packet_flags & PKT_FROM_CLIENT? "sender" : "responder");); + + lws->ignore_direction = ignore; + Stream5DisableInspection(lws, p); + return 1; + } + + return 0; +} + +static inline void UpdateSession (Packet* p, Stream5LWSession* lws) +{ + MarkupPacketFlags(p, lws); + + if ( !(lws->session_flags & SSNFLAG_ESTABLISHED) ) + { + + if ( p->packet_flags & PKT_FROM_CLIENT ) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: Updating on packet from client\n");); + + lws->session_flags |= SSNFLAG_SEEN_CLIENT; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: Updating on packet from server\n");); + + lws->session_flags |= SSNFLAG_SEEN_SERVER; + } + + if ( (lws->session_flags & SSNFLAG_SEEN_CLIENT) && + (lws->session_flags & SSNFLAG_SEEN_SERVER) ) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: session established!\n");); + + lws->session_flags |= SSNFLAG_ESTABLISHED; + +#ifdef ACTIVE_RESPONSE + SetTTL(lws, p, 0); +#endif + } + } + + // set timeout + { + Stream5IpPolicy* policy; + policy = (Stream5IpPolicy*)lws->policy; + Stream5SetExpire(p, lws, policy->session_timeout); + } +} + +//------------------------------------------------------------------------- +// public packet processing method +//------------------------------------------------------------------------- + +int Stream5ProcessIp (Packet *p) +{ + SessionKey key; + Stream5LWSession* lws = GetLWSession(ip_lws_cache, p, &key); + + if ( !lws ) + { + lws = NewLWSession(ip_lws_cache, p, &key, NULL); + + if ( !lws ) + { + 
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + "Stream5 IP session failure!\n");); + return 0; + } + InitSession(p, lws); + +#ifdef ENABLE_EXPECTED_IP + if ( CheckExpectedSession(p, lws) ) + return 0; +#endif + } + else if ( + (lws->session_state & STREAM5_STATE_TIMEDOUT) + || Stream5Expire(p, lws)) + { + TimeoutSession(p, lws); + +#ifdef ENABLE_EXPECTED_IP + if ( CheckExpectedSession(p, lws) ) + return 0; +#endif + } + + GetLWPacketDirection(p, lws); + p->ssnptr = lws; + + if ( BlockedSession(p, lws) ) + return 0; + + if ( IgnoreSession(p, lws) ) + return 0; + + UpdateSession(p, lws); + + return 0; +} + diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_ip.h snort-2.9.2/src/preprocessors/Stream5/snort_stream5_ip.h --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_ip.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_ip.h 2011-10-26 11:28:52.000000000 -0700 
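Review bot: UpdateSession casts `lws->policy` to `Stream5IpPolicy*`, but InitSession stores `s5_ip_eval_config` there, and Stream5SetRuntimeConfiguration in this same diff assigns that from `pPolicyConfig->ip_config`, a `Stream5IpConfig*` (the type Stream5VerifyIpConfig and Stream5IpPolicyInit take, whose `default_policy` member is the actual Stream5IpPolicy). That cast only reads the right `session_timeout` if `default_policy` happens to be the first member of Stream5IpConfig; make the indirection explicit with `Stream5IpConfig* cfg = (Stream5IpConfig*)lws->policy;` and `Stream5SetExpire(p, lws, cfg->default_policy.session_timeout);`. Separately, the DebugMessage calls in IgnoreSession and CheckExpectedSession pass a string (`"sender"` / `"responder"`) for a `%d` conversion, which is undefined behavior whenever debug output is compiled in; use `%s` in both format strings. Stream5VerifyIpConfig also takes `policy_id` and never reads it — either use it or mark it unused.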
@@ -0,0 +1,49 @@ +/**************************************************************************** + * + * Copyright (C) 2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +/* + * @file snort_stream5_ip.h + * @author Russ Combs <rcombs@sourcefire.com> + * + */ + +#ifndef __STREAM5_IP_H__ +#define __STREAM5_IP_H__ + +#include "stream5_common.h" +#include "sfPolicy.h" + +void Stream5CleanIp(void); +void Stream5ResetIp(void); +void Stream5InitIp(Stream5GlobalConfig*); + +void Stream5IpPolicyInit(Stream5IpConfig*, char*); +int Stream5VerifyIpConfig(Stream5IpConfig*, tSfPolicyId); +void Stream5IpConfigFree(Stream5IpConfig*); + +int Stream5ProcessIp(Packet*); + +uint32_t Stream5GetIpPrunes(void); +void Stream5ResetIpPrunes(void); + +void IpSessionCleanup (Stream5LWSession* lws); + +#endif diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_session.c snort-2.9.2/src/preprocessors/Stream5/snort_stream5_session.c --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_session.c 2010-06-09 15:05:26.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_session.c 2011-11-21 12:15:24.000000000 -0800 
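Review bot: The include guard `__STREAM5_IP_H__` is a double-underscore identifier, which is reserved for the implementation, and it departs from the `STREAM5_ICMP_H_` / `SNORT_STREAM5_SESSION_H_` pattern used by the sibling headers in this diff. Use `#ifndef STREAM5_IP_H_` / `#define STREAM5_IP_H_` and close with `#endif /* STREAM5_IP_H_ */`. The `Packet*` and `uint32_t` in the prototypes rely on stream5_common.h pulling in decode.h and <stdint.h>; if it does not, include them here so the header compiles on its own.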
@@ -1,7 +1,7 @@ /* $Id$ */ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** AUTHOR: Steven Sturges <ssturges@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -21,12 +21,12 @@ */ /* snort_stream5_session.c - * + * * Purpose: Hash Table implementation of session management functions for * Stream5 preprocessor. * * Arguments: - * + * * Effect: * * Comments: @@ -35,12 +35,17 @@ * */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "decode.h" -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" #include "log.h" #include "util.h" #include "snort_stream5_session.h" -#include "sf_types.h" +#include "stream5_common.h" #include "sfhashfcn.h" #include "bitop_funcs.h" @@ -50,17 +55,7 @@ # include <arpa/inet.h> #endif -#ifdef MPLS -# include "snort.h" -#endif - -extern const unsigned int giFlowbitSize; -extern uint32_t mem_in_use; -extern Stream5GlobalConfig *s5_global_eval_config; -extern Stream5TcpConfig *s5_tcp_eval_config; -extern Stream5UdpConfig *s5_udp_eval_config; -extern Stream5IcmpConfig *s5_icmp_eval_config; -extern tSfPolicyUserContextId s5_config; +#include "snort.h" #if 0 // if you want to use this, print ip_l,h for proper ip4,6 support @@ -71,7 +66,7 @@ LogMessage(" ip_h = 0x%08X\n", skey->ip_h); LogMessage(" prt_l = %d\n", skey->port_l); LogMessage(" prt_h = %d\n", skey->port_h); - LogMessage(" vlan_tag = %d\n", skey->vlan_tag); + LogMessage(" vlan_tag = %d\n", skey->vlan_tag); #ifdef MPLS LogMessage(" mpls label = 0x%08X\n", skey->mplsLabel); #endif 
@@ -86,11 +81,18 @@ return 0; } -int GetLWSessionKey(Packet *p, SessionKey *key) +int GetLWSessionKeyFromIpPort( + snort_ip_p srcIP, + uint16_t srcPort, + snort_ip_p dstIP, + uint16_t dstPort, + char proto, + uint16_t vlan, + uint32_t mplsId, + SessionKey *key) { uint16_t sport; uint16_t dport; - int proto; /* Because the key is going to be used for hash lookups, * the lower of the values of the IP address field is * stored in the key->ip_l and the port for that ip is @@ -100,20 +102,18 @@ if (!key) return 0; -#ifdef SUP_IP6 - if (IS_IP4(p)) +#ifdef SUP_IP6 + if (IS_IP4(srcIP)) { uint32_t *src; uint32_t *dst; - proto = p->ip4h->ip_proto; - switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: - sport = p->sp; - dport = p->dp; + sport = srcPort; + dport = dstPort; break; case IPPROTO_ICMP: default: @@ -121,8 +121,8 @@ break; } - src = p->ip4h->ip_src.ip32; - dst = p->ip4h->ip_dst.ip32; + src = srcIP->ip32; + dst = dstIP->ip32; /* These comparisons are done in this fashion for performance reasons */ if (*src < *dst) @@ -155,31 +155,29 @@ key->port_h = sport; } # ifdef MPLS - if (ScMplsOverlappingIp() && (p->mpls != NULL) && + if (ScMplsOverlappingIp() && isPrivateIP(*src) && isPrivateIP(*dst)) { - key->mplsLabel = p->mplsHdr.label; + key->mplsLabel = mplsId; } else { key->mplsLabel = 0; } # endif - } - else + } + else { /* IPv6 */ sfip_t *src; sfip_t *dst; - proto = p->ip6h->next; - switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: - sport = p->sp; - dport = p->dp; + sport = srcPort; + dport = dstPort; break; case IPPROTO_ICMP: default: @@ -187,8 +185,8 @@ break; } - src = &p->ip6h->ip_src; - dst = &p->ip6h->ip_dst; + src = srcIP; + dst = dstIP; if (sfip_fast_lt6(src, dst)) { @@ -220,9 +218,9 @@ key->port_h = sport; } # ifdef MPLS - if (ScMplsOverlappingIp() && (p->mpls != NULL)) + if (ScMplsOverlappingIp()) { - key->mplsLabel = p->mplsHdr.label; + key->mplsLabel = mplsId; } else { 
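Review bot: The new `GetLWSessionKeyFromIpPort` signature takes `char proto`, yet IP protocol numbers span 0–255 and `char` signedness is implementation-defined, so protocols >= 128 become negative on signed-char targets and sign-extend when stored into `key->protocol` or compared. Stream5SetRuntimeConfiguration in this same diff already switched its parameter to `uint8_t protocol`; use `uint8_t proto` here, in the `GetLWSessionKey` wrapper's `char proto = GET_IPH_PROTO(p);`, and in the prototype added to snort_stream5_session.h. The function body continues past the end of this hunk.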
@@ -231,14 +229,12 @@ # endif } #else - proto = GET_IPH_PROTO(p); - switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: - sport = p->sp; - dport = p->dp; + sport = srcPort; + dport = dstPort; break; case IPPROTO_ICMP: default: @@ -247,17 +243,17 @@ } /* These comparisons are done in this fashion for performance reasons */ - if (IP_LESSER(GET_SRC_IP(p), GET_DST_IP(p))) + if (IP_LESSER(srcIP, dstIP)) { - IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p)); + IP_COPY_VALUE(key->ip_l, srcIP); key->port_l = sport; - IP_COPY_VALUE(key->ip_h, GET_DST_IP(p)); + IP_COPY_VALUE(key->ip_h, dstIP); key->port_h = dport; } - else if (IP_EQUALITY(GET_SRC_IP(p), GET_DST_IP(p))) + else if (IP_EQUALITY(srcIP, dstIP)) { - IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p)); - IP_COPY_VALUE(key->ip_h, GET_DST_IP(p)); + IP_COPY_VALUE(key->ip_l, srcIP); + IP_COPY_VALUE(key->ip_h, dstIP); if (sport < dport) { key->port_l = sport; @@ -271,16 +267,16 @@ } else { - IP_COPY_VALUE(key->ip_l, GET_DST_IP(p)); + IP_COPY_VALUE(key->ip_l, dstIP); key->port_l = dport; - IP_COPY_VALUE(key->ip_h, GET_SRC_IP(p)); + IP_COPY_VALUE(key->ip_h, srcIP); key->port_h = sport; } # ifdef MPLS - if (ScMplsOverlappingIp() && (p->mpls != NULL) && + if (ScMplsOverlappingIp() && isPrivateIP(key->ip_l) && isPrivateIP(key->ip_h)) { - key->mplsLabel = p->mplsHdr.label; + key->mplsLabel = mplsId; } else { @@ -291,8 +287,8 @@ key->protocol = proto; - if (p->vh) - key->vlan_tag = (uint16_t)VTH_VLAN(p->vh); + if (!ScVlanAgnostic()) + key->vlan_tag = vlan; else key->vlan_tag = 0; 
@@ -303,6 +299,24 @@ return 1; } +int GetLWSessionKey(Packet *p, SessionKey *key) +{ + char proto = GET_IPH_PROTO(p); + uint32_t mplsId = 0; + uint16_t vlanId = 0; +# ifdef MPLS + if (ScMplsOverlappingIp() && (p->mpls != NULL)) + { + mplsId = p->mplsHdr.label; + } +#endif + if (p->vh && !ScVlanAgnostic()) + vlanId = (uint16_t)VTH_VLAN(p->vh); + return GetLWSessionKeyFromIpPort(GET_SRC_IP(p), p->sp, + GET_DST_IP(p), p->dp, + proto, vlanId, mplsId, key); +} + void GetLWPacketDirection(Packet *p, Stream5LWSession *ssn) { #ifndef SUP_IP6 @@ -330,7 +344,7 @@ p->packet_flags |= PKT_FROM_SERVER; } } - else if ( IsICMP(p) ) + else { p->packet_flags |= PKT_FROM_CLIENT; } @@ -359,9 +373,9 @@ p->packet_flags |= PKT_FROM_CLIENT; } } - else if ( IsICMP(p) ) + else { - p->packet_flags |= PKT_FROM_CLIENT; + p->packet_flags |= PKT_FROM_SERVER; } } else @@ -374,7 +388,7 @@ { if (sfip_fast_eq4(&p->ip4h->ip_src, &ssn->client_ip)) { - if (p->ip4h->ip_proto == IPPROTO_TCP) + if (GET_IPH_PROTO(p) == IPPROTO_TCP) { if (p->tcph->th_sport == ssn->client_port) { @@ -385,7 +399,7 @@ p->packet_flags |= PKT_FROM_SERVER; } } - else if (p->ip4h->ip_proto == IPPROTO_UDP) + else if (GET_IPH_PROTO(p) == IPPROTO_UDP) { if (p->udph->uh_sport == ssn->client_port) { @@ -396,14 +410,14 @@ p->packet_flags |= PKT_FROM_SERVER; } } - else if (p->ip4h->ip_proto == IPPROTO_ICMP) + else { p->packet_flags |= PKT_FROM_CLIENT; } } else if (sfip_fast_eq4(&p->ip4h->ip_dst, &ssn->client_ip)) { - if (p->ip4h->ip_proto == IPPROTO_TCP) + if (GET_IPH_PROTO(p) == IPPROTO_TCP) { if (p->tcph->th_dport == ssn->client_port) { @@ -414,7 +428,7 @@ p->packet_flags |= PKT_FROM_CLIENT; } } - else if (p->ip4h->ip_proto == IPPROTO_UDP) + else if (GET_IPH_PROTO(p) == IPPROTO_UDP) { if (p->udph->uh_dport == ssn->client_port) { @@ -425,9 +439,9 @@ p->packet_flags |= PKT_FROM_CLIENT; } } - else if (p->ip4h->ip_proto == IPPROTO_ICMP) + else { - p->packet_flags |= PKT_FROM_CLIENT; + p->packet_flags |= PKT_FROM_SERVER; } } } 
@@ -435,7 +449,7 @@ { if (sfip_fast_eq6(&p->ip6h->ip_src, &ssn->client_ip)) { - if (p->ip6h->next == IPPROTO_TCP) + if (GET_IPH_PROTO(p) == IPPROTO_TCP) { if (p->tcph->th_sport == ssn->client_port) { @@ -446,7 +460,7 @@ p->packet_flags |= PKT_FROM_SERVER; } } - else if (p->ip6h->next == IPPROTO_UDP) + else if (GET_IPH_PROTO(p) == IPPROTO_UDP) { if (p->udph->uh_sport == ssn->client_port) { @@ -457,14 +471,14 @@ p->packet_flags |= PKT_FROM_SERVER; } } - else if (p->ip6h->next == IPPROTO_ICMP) + else { p->packet_flags |= PKT_FROM_CLIENT; } } else if (sfip_fast_eq6(&p->ip6h->ip_dst, &ssn->client_ip)) { - if (p->ip6h->next == IPPROTO_TCP) + if (GET_IPH_PROTO(p) == IPPROTO_TCP) { if (p->tcph->th_dport == ssn->client_port) { @@ -475,7 +489,7 @@ p->packet_flags |= PKT_FROM_CLIENT; } } - else if (p->ip6h->next == IPPROTO_UDP) + else if (GET_IPH_PROTO(p) == IPPROTO_UDP) { if (p->udph->uh_dport == ssn->client_port) { @@ -486,9 +500,9 @@ p->packet_flags |= PKT_FROM_CLIENT; } } - else if (p->ip6h->next == IPPROTO_ICMP) + else { - p->packet_flags |= PKT_FROM_CLIENT; + p->packet_flags |= PKT_FROM_SERVER; } } } @@ -503,7 +517,7 @@ if (!sessionCache) return NULL; - if (!GetLWSessionKey(p, key)) + if (!GetLWSessionKey(p, key)) { return NULL; } @@ -570,7 +584,7 @@ ssn->flowdata = NULL; pPolicyConfig = (Stream5Config *)sfPolicyUserDataGet(ssn->config, policy_id); - + if (pPolicyConfig != NULL) { pPolicyConfig->ref_count--; @@ -629,7 +643,7 @@ server_ip.s_addr = ssn->server_ip; #endif - /* + /* * Call callback to cleanup the protocol (TCP/UDP/ICMP) * specific session details */ @@ -730,6 +744,11 @@ return retCount; } +static inline int SessionWasBlocked (Stream5LWSession* ssn) +{ + return (ssn->session_flags & (SSNFLAG_DROP_CLIENT|SSNFLAG_DROP_SERVER)) != 0; +} + int PruneLWSessionCache(Stream5SessionCache *sessionCache, uint32_t thetime, Stream5LWSession *save_me, 
@@ -751,7 +770,7 @@ do { - got_one = 0; + got_one = 0; if(idx == save_me) { SFXHASH_NODE *lastNode = sfxhash_lru_node(sessionCache->hashTable); @@ -769,7 +788,7 @@ } } - if((idx->last_data_seen+sessionCache->timeout) < thetime) + if((idx->last_data_seen+sessionCache->timeoutAggressive) < thetime) { Stream5LWSession *savidx = idx; @@ -829,20 +848,21 @@ (memCheck && s5_over_memcap() ))) { unsigned int i; + unsigned int blocks = 0; DEBUG_WRAP( DebugMessage(DEBUG_STREAM, "S5: Pruning session cache by %d ssns for %s: %d/%d\n", sessionCache->cleanup_sessions, memCheck ? "memcap" : "hash limit", - mem_in_use, + mem_in_use, s5_global_eval_config->memcap);); - + idx = (Stream5LWSession *) sfxhash_lru(sessionCache->hashTable); - for (i=0;i<sessionCache->cleanup_sessions && - (sfxhash_count(sessionCache->hashTable) >= 1); i++) + for (i=0;i<sessionCache->cleanup_sessions && + (sfxhash_count(sessionCache->hashTable) >= blocks+1); i++) { - if(idx != save_me) + if ( (idx != save_me) && (!memCheck || !SessionWasBlocked(idx)) ) { idx->session_flags |= SSNFLAG_PRUNED; DeleteLWSession(sessionCache, idx, memCheck ? "memcap/check" : "memcap/stale"); @@ -851,7 +871,12 @@ } else { - SFXHASH_NODE *lastNode = sfxhash_lru_node(sessionCache->hashTable); + SFXHASH_NODE* lastNode; + + if ( SessionWasBlocked(idx) ) + blocks++; + + lastNode = sfxhash_lru_node(sessionCache->hashTable); sfxhash_gmovetofront(sessionCache->hashTable, lastNode); lastNode = sfxhash_lru_node(sessionCache->hashTable); if ((lastNode) && (lastNode->data == idx)) @@ -864,7 +889,7 @@ } } - /* Nothing (or the one we're working with) in table, couldn't + /* Nothing (or the one we're working with) in table, couldn't * kill it */ if (!memCheck && (pruned == 0)) { 
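Review bot: With `(!memCheck || !SessionWasBlocked(idx))` guarding the delete in the `@@ -829,20 +848,21 @@` hunk, memcap pruning now exempts every blocked session, and when the cache is dominated by them the loop exits with `pruned == 0` while memory stays over the memcap; the `blocks++` in the following hunk only makes the loop terminate, it does not reclaim anything. Consider a fallback pass that prunes blocked sessions when nothing else was reclaimable, or bound how many blocked sessions may be skipped per call, so the memcap remains an effective limit. A one-line comment above the `for` explaining that `blocks` counts skipped blocked sessions and why they are spared would also help. PruneLWSessionCache starts and ends outside these hunks.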
@@ -876,7 +901,7 @@ { LogMessage("S5: Pruned %d sessions from cache for memcap. %d ssns remain. memcap: %d/%d\n", pruned, sfxhash_count(sessionCache->hashTable), - mem_in_use, + mem_in_use, s5_global_eval_config->memcap); DEBUG_WRAP( if (sfxhash_count(sessionCache->hashTable) == 1) @@ -908,7 +933,7 @@ /* Should have some freed nodes now */ hnode = sfxhash_get_node(sessionCache->hashTable, key); -#ifdef DEBUG +#ifdef DEBUG_MSGS if (!hnode) { DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Problem, no freed nodes\n");); @@ -924,7 +949,7 @@ /* Save the session key for future use */ memcpy(&(retSsn->key), key, sizeof(SessionKey)); - + retSsn->protocol = key->protocol; retSsn->last_data_seen = p->pkth->ts.tv_sec; retSsn->flowdata = mempool_alloc(&s5FlowMempool); @@ -941,13 +966,13 @@ return retSsn; } -uint32_t HashFunc(SFHASHFCN *p, unsigned char *d, int n) +uint32_t HashFunc(SFHASHFCN *p, unsigned char *d, int n) { uint32_t a,b,c; #ifdef MPLS uint32_t tmp = 0; #endif - + #ifdef SUP_IP6 a = *(uint32_t*)d; /* IPv6 lo[0] */ b = *(uint32_t*)(d+4); /* IPv6 lo[1] */ @@ -998,9 +1023,10 @@ return c; } - -int HashKeyCmp(const void *s1, const void *s2, size_t n) + +int HashKeyCmp(const void *s1, const void *s2, size_t n) { +#ifndef SPARCV9 /* ie, everything else, use 64bit comparisons */ uint64_t *a,*b; a = (uint64_t*)s1; 
@@ -1030,14 +1056,63 @@ #ifdef MPLS a++; b++; - if(*a - *b) return 1; /* mpls label and pad */ + { + uint32_t *x, *y; + x = (uint32_t *)a; + y = (uint32_t *)b; + //x++; + //y++; + if (*x - *y) return 1; /* Compares mpls label */ + } +#endif + +#else /* SPARCV9 */ + uint32_t *a,*b; + + a = (uint32_t*)s1; + b = (uint32_t*)s2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* Compares IPv4 lo/hi */ + /* SUP_IP6 Compares IPv6 low[0,1] */ + + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* Compares port lo/hi, vlan, protocol, pad */ + /* SUP_IP6 Compares IPv6 low[2,3] */ + +#ifdef SUP_IP6 + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* SUP_IP6 Compares IPv6 hi[0,1] */ + + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* SUP_IP6 Compares IPv6 hi[2,3] */ + + a+=2; + b+=2; + if ((*a - *b) || (*(a+1) - *(b+1))) return 1; /* SUP_IP6 Compares port lo/hi, vlan, protocol, pad */ #endif - + +#ifdef MPLS + a+=2; + b+=2; + { + uint32_t *x, *y; + x = (uint32_t *)a; + y = (uint32_t *)b; + //x++; + //y++; + if (*x - *y) return 1; /* Compares mpls label */ + } +#endif +#endif /* SPARCV9 */ + return 0; } Stream5SessionCache *InitLWSessionCache(int max_sessions, - uint32_t session_timeout, + uint32_t session_timeout_min, + uint32_t session_timeout_max, uint32_t cleanup_sessions, uint32_t cleanup_percent, Stream5SessionCleanup cleanup_fcn) @@ -1064,7 +1139,8 @@ sessionCache = SnortAlloc(sizeof(Stream5SessionCache)); if (sessionCache) { - sessionCache->timeout = session_timeout; + sessionCache->timeoutAggressive = session_timeout_min; + sessionCache->timeoutNominal = session_timeout_max; sessionCache->max_sessions = max_sessions; if (cleanup_percent) { 
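Review bot: Both MPLS branches of HashKeyCmp carry commented-out `//x++;` / `//y++;` lines; delete them rather than leave dead code that suggests the label offset is still in doubt. The new comparisons use `if (*x - *y) return 1;`, relying on unsigned wrap to express inequality; `if (*x != *y) return 1;` states the intent directly. The `#ifndef SPARCV9` split also deserves a one-line comment saying why the 32-bit path exists — presumably the key is not guaranteed 8-byte aligned for the `uint64_t` loads, but that should be confirmed and written down rather than left to the reader.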
@@ -1099,14 +1175,14 @@ void PrintLWSessionCache(Stream5SessionCache *sessionCache) { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "%lu sessions active\n", + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "%lu sessions active\n", sfxhash_count(sessionCache->hashTable));); } int Stream5SetRuntimeConfiguration( Stream5LWSession *lwssn, - char protocol + uint8_t protocol ) { Stream5Config *pPolicyConfig; @@ -1140,7 +1216,9 @@ s5_icmp_eval_config = pPolicyConfig->icmp_config; break; default: - return -1; + if (pPolicyConfig->ip_config == NULL) + return -1; + s5_ip_eval_config = pPolicyConfig->ip_config; } s5_global_eval_config = pPolicyConfig->global_config; @@ -1148,4 +1226,43 @@ return 0; } +static void checkCacheFlowTimeout(uint32_t flowCount, time_t cur_time, Stream5SessionCache *cache) +{ + uint32_t flowRetiredCount = 0; + Stream5LWSession *idx; + SFXHASH_NODE *hnode; + + if (cache) + { + while ((hnode = sfxhash_lru_node(cache->hashTable))) + { + idx = (Stream5LWSession *)hnode->data; + if((time_t)(idx->last_data_seen + cache->timeoutNominal) > cur_time) + { + break; + } + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "retiring stale session\n");); + idx->session_flags |= SSNFLAG_TIMEDOUT; + DeleteLWSession(cache, idx, "stale/timeout"); + + if (flowRetiredCount++ >= flowCount) + { + break; + } + } + } +} + +extern Stream5SessionCache *tcp_lws_cache, *udp_lws_cache; + +/*get next flow from session cache. */ +void checkLWSessionTimeout(uint32_t flowCount, time_t cur_time) +{ + checkCacheFlowTimeout(flowCount, cur_time, tcp_lws_cache); + checkCacheFlowTimeout(flowCount, cur_time, udp_lws_cache); + //icmp_lws_cache does not need cleaning + +} + diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_session.h snort-2.9.2/src/preprocessors/Stream5/snort_stream5_session.h --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_session.h 2010-06-09 15:05:27.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_session.h 2011-10-26 11:28:52.000000000 -0700 
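Review bot: The retire limit in checkCacheFlowTimeout is off by one: `flowRetiredCount` is compared before it is incremented, so `if (flowRetiredCount++ >= flowCount)` lets the loop delete flowCount + 1 sessions, and still deletes one when flowCount is 0. `if (++flowRetiredCount >= flowCount) break;` gives the parameter the meaning its name suggests; if the extra session is intended, the parameter should be documented as a threshold rather than a count. The loop also relies on DeleteLWSession always unlinking the LRU node it was handed — if it can fail and leave the node in place, `sfxhash_lru_node` returns the same node again and the loop only ends through the counter, so a comment stating that guarantee, or a check of the return value, would make this safe to read. The `extern Stream5SessionCache *tcp_lws_cache, *udp_lws_cache;` declaration placed mid-file would be better in the header.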
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef SNORT_STREAM5_SESSION_H_ #define SNORT_STREAM5_SESSION_H_ @@ -32,7 +32,8 @@ typedef struct _Stream5SessionCache { SFXHASH *hashTable; - uint32_t timeout; + uint32_t timeoutAggressive; + uint32_t timeoutNominal; uint32_t max_sessions; uint32_t cleanup_sessions; uint32_t prunes; @@ -52,11 +53,21 @@ #endif Stream5SessionCache *InitLWSessionCache(int max_sessions, - uint32_t session_timeout, + uint32_t session_timeout_min, + uint32_t session_timeout_max, uint32_t cleanup_sessions, uint32_t cleanup_percent, Stream5SessionCleanup clean_fcn); Stream5LWSession *GetLWSession(Stream5SessionCache *, Packet *, SessionKey *); +int GetLWSessionKeyFromIpPort( + snort_ip_p srcIP, + uint16_t srcPort, + snort_ip_p dstIP, + uint16_t dstPort, + char proto, + uint16_t vlan, + uint32_t mplsId, + SessionKey *key); Stream5LWSession *GetLWSessionFromKey(Stream5SessionCache *, SessionKey *); Stream5LWSession *NewLWSession(Stream5SessionCache *, Packet *, SessionKey *, void *); int DeleteLWSession(Stream5SessionCache *, Stream5LWSession *, char *reason); 
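Review bot: The new GetLWSessionKeyFromIpPort prototype declares its protocol as `char proto`, while the same commit changes Stream5SetRuntimeConfiguration from `char protocol` to `uint8_t protocol` and the session code copies `key->protocol` into the session. `char` signedness is implementation-defined, so a protocol number above 127 would become negative on signed-char targets before it reaches the key; declaring it `uint8_t proto,` keeps the two entry points consistent and avoids a value that differs from the `uint8_t` stored elsewhere.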
@@ -71,27 +82,26 @@ void GetLWPacketDirection(Packet *p, Stream5LWSession *ssn); void FreeLWApplicationData(Stream5LWSession *ssn); void setPortFilterList( - uint8_t *portList, + uint16_t *portList, int isUdp, int ignoreAnyAnyRules, tSfPolicyId policyId ); int Stream5AnyAnyFlow( - uint8_t *portList, + uint16_t *portList, OptTreeNode *otn, - RuleTreeNode *rtn, + RuleTreeNode *rtn, int any_any_flow, IgnoredRuleList **ppIgnoredRuleList, int ignoreAnyAnyRules ); void s5PrintPortFilter( - uint8_t portList[] + uint16_t portList[] ); int Stream5SetRuntimeConfiguration( Stream5LWSession *lwssn, - char protocol + uint8_t protocol ); - #endif /* SNORT_STREAM5_SESSION_H_ */ diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_tcp.c snort-2.9.2/src/preprocessors/Stream5/snort_stream5_tcp.c --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_tcp.c 2010-10-25 12:49:13.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_tcp.c 2011-12-08 08:49:14.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -45,15 +45,20 @@ * - limit on number of overlapping packets (done, SAS) */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "perf.h" -#include "debug.h" +#include "sf_types.h" +#include "snort_debug.h" #include "detect.h" #include "plugbase.h" #include "mstring.h" #include "sfxhash.h" #include "util.h" #include "sflsq.h" -#include "bounds.h" +#include "snort_bounds.h" #include "generators.h" #include "event_queue.h" #include "snort.h" @@ -69,7 +74,8 @@ #include "snort_stream5_tcp.h" #include "stream_api.h" #include "snort_stream5_session.h" -#include "stream_ignore.h" +#include "stream_expect.h" +#include "stream5_paf.h" #include <errno.h> 
@@ -86,12 +92,7 @@ #include "sp_preprocopt.h" #include "sfPolicy.h" #include "sfActionQueue.h" - -extern tSfPolicyUserContextId s5_config; -extern Stream5GlobalConfig *s5_global_eval_config; -extern Stream5TcpConfig *s5_tcp_eval_config; -extern uint32_t mem_in_use; -extern tSfActionQueueId decoderActionQ; +#include "detection_util.h" #ifdef PERF_PROFILING PreprocStats s5TcpPerfStats; @@ -106,10 +107,8 @@ PreprocStats streamSizePerfStats; PreprocStats streamReassembleRuleOptionPerfStats; extern PreprocStats preprocRuleOptionPerfStats; -#endif -#ifdef SNORT_RELOAD -extern tSfPolicyUserContextId s5_swap_config; + #endif /* M A C R O S **************************************************/ @@ -139,13 +138,6 @@ #define TCP_STATE_TIME_WAIT 10 #define TCP_STATE_CLOSED 11 -/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */ -#define SEQ_LT(a,b) ((int)((a) - (b)) < 0) -#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0) -#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) -#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0) -#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0) - #ifndef MIN # define MIN(a,b) (((a)<(b)) ? (a):(b)) #endif 
@@ -231,18 +223,24 @@ #define REASSEMBLY_POLICY_HPUX10 11 #define REASSEMBLY_POLICY_VISTA 12 #define REASSEMBLY_POLICY_WINDOWS2K3 13 -#define REASSEMBLY_POLICY_IPS 14 #define REASSEMBLY_POLICY_DEFAULT REASSEMBLY_POLICY_BSD -#define STREAM_MAX_PACKET (IP_MAXPACKET - (IP_HEADER_LEN + TCP_HEADER_LEN)) -#define STREAM_MAX_PACKET6 (IP_MAXPACKET - (IP6_HDR_LEN + TCP_HEADER_LEN)) - -//#define DEBUG_STREAM5 #define SUB_SYN_SENT 0x01 #define SUB_ACK_SENT 0x02 #define SUB_SETUP_OK 0x03 #define SUB_RST_SENT 0x04 +#define SUB_FIN_SENT 0x08 + +// flush types +#define S5_FT_INTERNAL 0 // normal s5 "footprint" +#define S5_FT_EXTERNAL 1 // set by other preprocessor +#define S5_FT_PAF_MAX 2 // paf_max + footprint fp + + +/* Only track a maximum number of alerts per session */ +#define MAX_SESSION_ALERTS 8 +//#define DEBUG_STREAM5 #ifdef DEBUG_STREAM5 #define STREAM5_DEBUG_WRAP(x) DEBUG_WRAP(x) #else @@ -257,8 +255,8 @@ /* D A T A S T R U C T U R E S ***********************************/ typedef struct _TcpDataBlock { - snort_ip sip; - snort_ip dip; + snort_ip sip; + snort_ip dip; uint32_t seq; uint32_t ack; uint32_t win; 
@@ -278,16 +276,25 @@ #define RAND_FLUSH_POINTS 64 -typedef struct _CustomFlushPolicy +typedef struct _Stream5AlertExtraDataInfo { - FlushMgr client; - FlushMgr server; - IpAddrSet *bound_addrs; -} CustomFlushPolicy; + uint32_t event_id; + uint32_t event_second; + uint32_t xtradata_mask; +} Stream5AlertExtraDataInfo; + +typedef struct _Stream5AlertInfo +{ + /* For storing alerts that have already been seen on the session */ + uint32_t sid; + uint32_t gid; + uint32_t seq; + Stream5AlertExtraDataInfo extra_data; +} Stream5AlertInfo; //----------------------------------------------------------------- // we make a lot of StreamSegments, StreamTrackers, and TcpSessions -// so they are organized by member size/alignment requirements to +// so they are organized by member size/alignment requirements to // minimize unused space in the structs. //----------------------------------------------------------------- @@ -306,16 +313,15 @@ #ifdef DEBUG int ordinal; #endif - uint32_t cksum; uint32_t caplen; // FIXTHIS can pkth->caplen be used instead?? uint32_t ts; uint32_t seq; + uint16_t orig_dsize; uint16_t size; uint16_t urg_offset; uint8_t buffered; - uint8_t blocked; } StreamSegment; @@ -325,6 +331,11 @@ FlushMgr flush_mgr; /* please flush twice, it's a long way to * the bitbucket... */ + // this is intended to be private to s5_paf but is included + // directly to avoid the need for allocation; do not directly + // manipulate within this module. + PAF_State paf_state; // for tracking protocol aware flushing + Stream5AlertInfo alerts[MAX_SESSION_ALERTS]; /* history of alerts */ Stream5TcpPolicy *tcp_policy; @@ -362,7 +373,7 @@ uint32_t total_bytes_queued; /* total bytes queued (life of session) */ uint32_t total_segs_queued; /* number of segments queued (life) */ uint32_t overlap_count; /* overlaps encountered */ - uint32_t small_seg_count; + uint32_t small_seg_count; uint32_t flush_count; /* number of flushed queued segments */ uint16_t os_policy; 
@@ -381,7 +392,7 @@ typedef struct _TcpSession { StreamTracker client; - StreamTracker server; + StreamTracker server; Stream5LWSession *lwssn; #ifdef DEBUG @@ -395,9 +406,47 @@ #define SL_BUF_FLUSHED 1 #define SL_BUF_DUMPED 2 -static INLINE uint32_t SegsToFlush (const StreamTracker* st) +static inline int SetupOK (const StreamTracker* st) +{ + return ( (st->s_mgr.sub_state & SUB_SETUP_OK) == SUB_SETUP_OK ); +} + +static inline uint32_t SegsToFlush (const StreamTracker* st) +{ + uint32_t n = 0; + StreamSegment* s; + + if ( st->seg_count > st->flush_count ) + n = st->seg_count - st->flush_count; + + if ( n < 2 +#ifdef NORMALIZER + || Normalize_IsEnabled(snort_conf, NORM_TCP_IPS) +#endif + ) + return n; + + n = 0; + s = st->seglist; + + while ( s ) + { + if ( !s->buffered && SEQ_LT(s->seq, st->r_win_base) ) n++; + s = s->next; + } + return n; +} + +static inline bool DataToFlush (const StreamTracker* st) { - return (st->seg_count > st->flush_count) ? st->seg_count - st->flush_count : 0; + if ( (st->flush_mgr.flush_policy == STREAM_FLPOLICY_PROTOCOL) +#ifdef NORMALIZER + || (st->flush_mgr.flush_policy == STREAM_FLPOLICY_PROTOCOL_IPS) +#endif + ) + return ( SegsToFlush(st) > 0 ); + + return ( SegsToFlush(st) > 1 ); } int default_ports[] = 
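Review bot: SegsToFlush now returns two different quantities without saying so: the raw `seg_count - flush_count` backlog when it is below 2 or when `NORM_TCP_IPS` is enabled, and otherwise only the number of unbuffered segments whose seq is below `r_win_base` (presumably data the peer has acknowledged). A header comment such as `/* IPS mode: every queued segment is eligible, return the backlog as-is; otherwise only unbuffered segments below r_win_base count toward a flush. */` would spare the next reader from reconstructing that. `SetupOK` returning `int` while its new siblings `SegsToFlush`/`DataToFlush` use `uint32_t`/`bool` is a small inconsistency; `static inline bool SetupOK` would match.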
@@ -425,21 +474,27 @@ static void Stream5PrintTcpConfig(Stream5TcpPolicy *); static void Stream5InitPacket(); -static INLINE void SetupTcpDataBlock(TcpDataBlock *, Packet *); +static inline void SetupTcpDataBlock(TcpDataBlock *, Packet *); static int ProcessTcp(Stream5LWSession *, Packet *, TcpDataBlock *, Stream5TcpPolicy *); #if OLD_CODE_NOLONGER_USED_DEPENDS_ON_CURRENT_STATE -static INLINE void QueueState(uint8_t, StreamTracker*, uint8_t, +static inline void QueueState(uint8_t, StreamTracker*, uint8_t, uint32_t, uint8_t); -static INLINE int EvalStateQueue(StreamTracker *, uint8_t, uint32_t); +static inline int EvalStateQueue(StreamTracker *, uint8_t, uint32_t); #endif -static int CheckFlushPolicy(TcpSession *, StreamTracker *, StreamTracker *, - TcpDataBlock *, Packet *); +#ifdef NORMALIZER +static inline int CheckFlushPolicyOnData( + TcpSession *, StreamTracker *, StreamTracker *, + TcpDataBlock *, Packet *); +#endif +static inline int CheckFlushPolicyOnAck( + TcpSession *, StreamTracker *, StreamTracker *, + TcpDataBlock *, Packet *); static void Stream5SeglistAddNode(StreamTracker *, StreamSegment *, StreamSegment *); -static int Stream5SeglistDeleteNode(StreamTracker *, StreamSegment *); +static int Stream5SeglistDeleteNode(StreamTracker *, StreamSegment *, uint32_t flush_seq); static int AddStreamNode(StreamTracker *st, Packet *p, - uint32_t ts, + TcpDataBlock*, TcpSession *tcpssn, int16_t len, uint32_t slide, 
@@ -447,13 +502,19 @@ uint32_t seq, StreamSegment *left, StreamSegment **retSeg); +static int DupStreamNode( + Packet*, + StreamTracker*, + StreamSegment* left, + StreamSegment** retSeg); static uint32_t Stream5GetWscale(Packet *, uint16_t *); static uint32_t Stream5PacketHasWscale(Packet *); static uint32_t Stream5GetMss(Packet *, uint16_t *); static uint32_t Stream5GetTcpTimestamp(Packet *, uint32_t *, int strip); static int FlushStream( - StreamTracker *st, uint32_t toSeq, uint8_t *flushbuf, const uint8_t *flushbuf_end); + Packet*, StreamTracker *st, uint32_t toSeq, uint8_t *flushbuf, + const uint8_t *flushbuf_end); void TcpSessionCleanup(Stream5LWSession *ssn); int s5TcpStreamSizeInit(char *name, char *parameters, void **dataPtr); @@ -462,7 +523,7 @@ int s5TcpStreamReassembleRuleOptionInit(char *name, char *parameters, void **dataPtr); int s5TcpStreamReassembleRuleOptionEval(void *p, const uint8_t **cursor, void *dataPtr); void s5TcpStreamReassembleRuleOptionCleanup(void *dataPtr); -static INLINE void ResetFlushMgrs(void); +static inline void ResetFlushMgrs(void); static void targetPolicyIterate(void (*callback)(int)); static void policyDecoderFlagsSaveNClear(int policyId); static void policyDecoderFlagsRestore(int policyId); @@ -494,7 +555,7 @@ }; #ifdef DEBUG_STREAM5 -static char *state_names[] = { +static char *state_names[] = { "NONE", "LISTEN", "SYN_RCVD", @@ -516,8 +577,14 @@ "Logical", "Response", "Sliding Window", +#if 0 "Consumed", - "Ignore"}; +#endif + "Ignore", + "Protocol", + "Footprint-IPS", + "Protocol-IPS" +}; static int s5_tcp_cleanup = 0; 
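Review bot: The policy-name table ending at `"Protocol-IPS"` is edited by hand — `"Consumed"` is compiled out under `#if 0` and `"Protocol"`, `"Footprint-IPS"`, `"Protocol-IPS"` are appended unconditionally — while the matching STREAM_FLPOLICY_* values appear to be conditional on NORMALIZER elsewhere in this diff, so the table and the enum can drift apart between builds; the print code indexes it as `flush_policy_names[policy]` guarded only by `< STREAM_FLPOLICY_MAX`. A comment on the table, `/* order must match the STREAM_FLPOLICY_* values, including the #if 0 slot */`, plus an init-time check that the table has at least STREAM_FLPOLICY_MAX entries, would catch a mismatch before it prints the wrong name or reads past the array. The table's declaration line is outside this hunk.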
@@ -533,12 +600,12 @@ /* F U N C T I O N S **********************************************/ -static INLINE uint32_t GenerateFlushPoint(FlushPointList *flush_point_list) +static inline uint32_t GenerateFlushPoint(FlushPointList *flush_point_list) { return (rand() % flush_point_list->flush_range) + flush_point_list->flush_base; } -static INLINE void InitFlushPointList(FlushPointList *flush_point_list, uint32_t value, uint32_t range, int use_static) +static inline void InitFlushPointList(FlushPointList *flush_point_list, uint32_t value, uint32_t range, int use_static) { uint32_t i; uint32_t flush_range = range; @@ -560,13 +627,13 @@ if (snort_conf->run_flags & RUN_FLAG__STATIC_HASH) { if ( i == 0 ) - LogMessage("Warning: using constant flush points!\n"); + LogMessage("WARNING: using constant flush points.\n"); flush_point_list->flush_points[i] = 192; } else if (use_static) { if ( i == 0 ) - LogMessage("Warning: using static flush points!\n"); + LogMessage("WARNING: using static flush points.\n"); flush_point_list->flush_points[i] = g_static_points[i]; } else @@ -579,12 +646,20 @@ } } -static INLINE void UpdateFlushMgr(FlushMgr *mgr, FlushPointList *flush_point_list) +static inline void UpdateFlushMgr(FlushMgr *mgr, FlushPointList *flush_point_list) { + if ( mgr->flush_type == S5_FT_EXTERNAL ) + return; + switch (mgr->flush_policy) { case STREAM_FLPOLICY_FOOTPRINT: case STREAM_FLPOLICY_LOGICAL: + case STREAM_FLPOLICY_PROTOCOL: +#ifdef NORMALIZER + case STREAM_FLPOLICY_FOOTPRINT_IPS: + case STREAM_FLPOLICY_PROTOCOL_IPS: +#endif /* Ideally, we would call rand() each time, but that * is a performance headache waiting to happen. */ #ifdef DYNAMIC_RANDOM_FLUSH_POINTS @@ -603,6 +678,10 @@ #endif mgr->last_size = 0; mgr->last_count = 0; + + if ( mgr->flush_type == S5_FT_PAF_MAX ) + mgr->flush_pt += ScPafMax(); + break; default: 
@@ -610,19 +689,28 @@ } } -static INLINE void InitFlushMgr(FlushMgr *mgr, FlushPointList *flush_point_list, uint8_t policy) +static inline void InitFlushMgr(FlushMgr *mgr, FlushPointList *flush_point_list, uint8_t policy) { mgr->flush_policy = policy; - if ((policy == STREAM_FLPOLICY_FOOTPRINT) || - (policy == STREAM_FLPOLICY_LOGICAL)) + mgr->flush_type = S5_FT_INTERNAL; + + UpdateFlushMgr(mgr, flush_point_list); + +#ifdef NORMALIZER + if ( Normalize_IsEnabled(snort_conf, NORM_TCP_IPS) ) { - UpdateFlushMgr(mgr, flush_point_list); + if ( policy == STREAM_FLPOLICY_FOOTPRINT ) + mgr->flush_policy = STREAM_FLPOLICY_FOOTPRINT_IPS; + + else if ( policy == STREAM_FLPOLICY_PROTOCOL ) + mgr->flush_policy = STREAM_FLPOLICY_PROTOCOL_IPS; } +#endif } static int ResetFlushMgrsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { @@ -671,7 +759,7 @@ return 0; } -static INLINE void ResetFlushMgrs(void) +static inline void ResetFlushMgrs(void) { if (s5_config == NULL) return; 
@@ -679,6 +767,76 @@ sfPolicyUserDataIterate (s5_config, ResetFlushMgrsPolicy); } +void** Stream5GetPAFUserDataTcp (Stream5LWSession* lwssn, bool to_server) +{ + TcpSession* tcpssn = (TcpSession *)lwssn->proto_specific_data->data; + + if ( !tcpssn ) + return NULL; + + return to_server ? &tcpssn->server.paf_state.user + : &tcpssn->client.paf_state.user; +} + +bool Stream5IsPafActiveTcp (Stream5LWSession* lwssn, bool to_server) +{ + TcpSession* tcpssn = (TcpSession *)lwssn->proto_specific_data->data; + FlushMgr* fm; + + if ( !tcpssn ) + return false; + + fm = to_server ? &tcpssn->server.flush_mgr : &tcpssn->client.flush_mgr; + + return ( (fm->flush_policy == STREAM_FLPOLICY_PROTOCOL) +#ifdef NORMALIZER + || (fm->flush_policy == STREAM_FLPOLICY_PROTOCOL_IPS) +#endif + ); +} + +bool Stream5ActivatePafTcp (Stream5LWSession* lwssn, bool to_server) +{ + TcpSession* tcpssn = (TcpSession *)lwssn->proto_specific_data->data; + StreamTracker* trk; + FlushMgr* fm; + + if ( !tcpssn ) + return false; + + if ( to_server ) + { + trk = &tcpssn->server; + fm = &tcpssn->server.flush_mgr; + } + else + { + trk = &tcpssn->client; + fm = &tcpssn->client.flush_mgr; + } + + switch ( fm->flush_policy) + { + case STREAM_FLPOLICY_IGNORE: + InitFlushMgr(fm, &trk->tcp_policy->flush_point_list, STREAM_FLPOLICY_PROTOCOL); + break; + + case STREAM_FLPOLICY_FOOTPRINT: + fm->flush_policy = STREAM_FLPOLICY_PROTOCOL; + break; + +#ifdef NORMALIZER + case STREAM_FLPOLICY_FOOTPRINT_IPS: + fm->flush_policy = STREAM_FLPOLICY_PROTOCOL_IPS; + break; +#endif + default: + return false; + } + s5_paf_setup(s5_tcp_eval_config->paf_config, &trk->paf_state, lwssn->server_port, (bool)!to_server); + return true; +} + void Stream5UpdatePerfBaseState(SFBASE *sf_base, Stream5LWSession *lwssn, char newState) 
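Review bot: Stream5GetPAFUserDataTcp, Stream5IsPafActiveTcp and Stream5ActivatePafTcp all dereference `lwssn->proto_specific_data->data` before their `if ( !tcpssn )` guard, so if `proto_specific_data` can be NULL for a lightweight session that has not yet acquired a TcpSession the guard comes too late. Checking the container first, `if ( !lwssn->proto_specific_data ) return NULL;` (or `return false;` in the two bool functions), keeps the existing guard meaningful. Stream5ActivatePafTcp also reaches `s5_tcp_eval_config->paf_config` without checking that a runtime config has been selected; if the caller guarantees that, a one-line comment saying so would help, otherwise it deserves the same guard.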
@@ -702,7 +860,7 @@ { sf_base->iSessionsEstablished++; if (perfmon_config && (perfmon_config->perf_flags & SFPERF_FLOWIP)) - UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_TCP_ESTABLISHED); + UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_TCP_ESTABLISHED); lwssn->session_flags |= SSNFLAG_COUNTED_ESTABLISH; if (lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE) { @@ -719,7 +877,7 @@ { sf_base->iSessionsEstablished--; if (perfmon_config && (perfmon_config->perf_flags & SFPERF_FLOWIP)) - UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_TCP_CLOSED); + UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_TCP_CLOSED); } else if (lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE) { @@ -736,7 +894,7 @@ { sf_base->iSessionsEstablished--; if (perfmon_config && (perfmon_config->perf_flags & SFPERF_FLOWIP)) - UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_TCP_CLOSED); + UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_TCP_CLOSED); } else if (lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE) { @@ -746,6 +904,7 @@ default: break; } + sf_base->stream5_mem_in_use = mem_in_use; } void Stream5InitTcp(Stream5GlobalConfig *gconfig) @@ -756,7 +915,7 @@ if((tcp_lws_cache == NULL) && gconfig->track_tcp_sessions) { tcp_lws_cache = InitLWSessionCache(gconfig->max_tcp_sessions, - 30, 5, 0, &TcpSessionCleanup); + 30, (60*60), 5, 0, &TcpSessionCleanup); if(!tcp_lws_cache) { 
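Review bot: The InitLWSessionCache call now passes two bare timeouts, `30, (60*60),`, whose roles (the new `session_timeout_min`/`session_timeout_max`, stored as timeoutAggressive/timeoutNominal) are only recoverable by reading the callee. A trailing comment, `/* aggressive (30s) and nominal (1h) session timeouts */`, or named constants defined next to the other S5_ limits, would document the policy where it is chosen. Stream5InitTcp continues outside the hunk.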
@@ -800,12 +959,11 @@ RegisterPreprocessorRuleOption("stream_reassemble", &s5TcpStreamReassembleRuleOptionInit, &s5TcpStreamReassembleRuleOptionEval, &s5TcpStreamReassembleRuleOptionCleanup, NULL, NULL, NULL, NULL); -#endif - #ifdef PERF_PROFILING RegisterPreprocessorProfile("stream_size", &streamSizePerfStats, 4, &preprocRuleOptionPerfStats); RegisterPreprocessorProfile("reassemble", &streamReassembleRuleOptionPerfStats, 4, &preprocRuleOptionPerfStats); #endif +#endif } @@ -867,16 +1025,25 @@ sizeof(Stream5TcpPolicy *) * (config->num_policies - 1)); free(config->policy_list); - + config->policy_list = tmpPolicyList; } config->policy_list[config->num_policies - 1] = s5TcpPolicy; + if ( ScPafEnabled() && !config->paf_config ) + config->paf_config = s5_paf_new(); + Stream5PrintTcpConfig(s5TcpPolicy); + +#ifdef REG_TEST + LogMessage("\n"); + LogMessage(" TCP Session Size: %lu\n",sizeof(TcpSession)); + LogMessage("\n"); +#endif } -static INLINE uint16_t StreamPolicyIdFromName(char *name) +static inline uint16_t StreamPolicyIdFromName(char *name) { if (!name) { @@ -941,7 +1108,7 @@ return STREAM_POLICY_DEFAULT; /* BSD is the default */ } -static INLINE uint16_t GetTcpReassemblyPolicy(int os_policy) +static inline uint16_t GetTcpReassemblyPolicy(int os_policy) { switch (os_policy) { @@ -1016,6 +1183,7 @@ for (i = 0; i < num_toks; i++) { + int max_s_toks = 1; // set to 0 to disable check stoks = mSplit(toks[i], " ", 3, &s_toks, 0); if (s_toks == 0) @@ -1030,7 +1198,7 @@ { s5TcpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10); } - + if (!stoks[1] || (endPtr == &stoks[1][0])) { FatalError("%s(%d) => Invalid timeout in config file. " @@ -1046,11 +1214,7 @@ file_name, file_line, S5_MIN_SSN_TIMEOUT, S5_MAX_SSN_TIMEOUT); } - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "overlap_limit")) { 
@@ -1080,20 +1244,11 @@ file_name, file_line, S5_MIN_OVERLAP_LIMIT, S5_MAX_OVERLAP_LIMIT); } - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "detect_anomalies")) { s5TcpPolicy->flags |= STREAM5_CONFIG_ENABLE_ALERTS; - if (s_toks > 1) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } } else if(!strcasecmp(stoks[0], "policy")) { @@ -1108,14 +1263,10 @@ FatalError("%s(%d) => Bad policy name \"%s\"\n", file_name, file_line, stoks[1]); } - s5TcpPolicy->reassembly_policy = + s5TcpPolicy->reassembly_policy = GetTcpReassemblyPolicy(s5TcpPolicy->policy); - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "require_3whs")) { @@ -1140,11 +1291,7 @@ } } - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "bind_to")) { @@ -1162,12 +1309,7 @@ } s5TcpPolicy->bound_addrs = IpAddrSetParse(stoks[1]); - - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "max_window")) { @@ -1182,18 +1324,13 @@ } s5TcpPolicy->max_window = (uint32_t)long_val; } - + if (!stoks[1] || (endPtr == &stoks[1][0])) { FatalError("%s(%d) => Invalid Max Window size. Integer parameter required.\n", file_name, file_line); } - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } if ((long_val > S5_MAX_MAX_WINDOW) || (long_val < S5_MIN_MAX_WINDOW)) { 
@@ -1202,6 +1339,7 @@ file_name, file_line, S5_MIN_MAX_WINDOW, S5_MAX_MAX_WINDOW); } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "use_static_footprint_sizes")) { @@ -1223,33 +1361,19 @@ file_name, file_line, s5TcpPolicy->flush_factor, S5_MAX_FLUSH_FACTOR); } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "dont_store_large_packets")) { s5TcpPolicy->flags |= STREAM5_CONFIG_PERFORMANCE; - if (s_toks > 1) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } } else if(!strcasecmp(stoks[0], "check_session_hijacking")) { s5TcpPolicy->flags |= STREAM5_CONFIG_CHECK_SESSION_HIJACKING; - if (s_toks > 1) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } } else if(!strcasecmp(stoks[0], "ignore_any_rules")) { s5TcpPolicy->flags |= STREAM5_CONFIG_IGNORE_ANY; - if (s_toks > 1) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } } else if(!strcasecmp(stoks[0], "dont_reassemble_async")) { @@ -1268,18 +1392,12 @@ } s5TcpPolicy->max_queued_bytes = (uint32_t)long_val; } - + if (!stoks[1] || (endPtr == &stoks[1][0])) { FatalError("%s(%d) => Invalid Max Queued Bytes. Integer parameter required.\n", file_name, file_line); } - - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } if (((long_val > S5_MAX_MAX_QUEUED_BYTES) || (long_val < S5_MIN_MAX_QUEUED_BYTES)) && (long_val != 0)) @@ -1289,6 +1407,7 @@ file_name, file_line, S5_MIN_MAX_QUEUED_BYTES, S5_MAX_MAX_QUEUED_BYTES); } + max_s_toks = 2; } else if(!strcasecmp(stoks[0], "max_queued_segs")) { 
@@ -1303,18 +1422,13 @@ } s5TcpPolicy->max_queued_segs = (uint32_t)long_val; } - + if (!stoks[1] || (endPtr == &stoks[1][0])) { FatalError("%s(%d) => Invalid Max Queued Bytes. Integer parameter required.\n", file_name, file_line); } - if (s_toks > 2) - { - FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", - file_name, file_line); - } if (((long_val > S5_MAX_MAX_QUEUED_SEGS) || (long_val < S5_MIN_MAX_QUEUED_SEGS)) && (long_val != 0)) @@ -1324,6 +1438,7 @@ file_name, file_line, S5_MIN_MAX_QUEUED_SEGS, S5_MAX_MAX_QUEUED_SEGS); } + max_s_toks = 2; } else if (!strcasecmp(stoks[0], "small_segments")) { @@ -1349,7 +1464,7 @@ file_name, file_line); } s5TcpPolicy->max_consec_small_segs = (uint32_t)long_val; - + if ((long_val > S5_MAX_CONSEC_SMALL_SEGS) || (long_val < S5_MIN_CONSEC_SMALL_SEGS)) { @@ -1380,7 +1495,7 @@ file_name, file_line); } s5TcpPolicy->max_consec_small_seg_size = (uint32_t)long_val; - + if ((long_val > S5_MAX_MAX_SMALL_SEG_SIZE) || (long_val < S5_MIN_MAX_SMALL_SEG_SIZE)) { @@ -1421,7 +1536,7 @@ { FatalError( "%s(%d) => Invalid port %ld for small segments ignore_ports " - "parameter, must be between 0 and %d, inclusive\n", + "parameter, must be between 0 and %d, inclusive\n", file_name, file_line, long_port, MAX_PORTS-1); } port = (unsigned short)long_port; @@ -1429,6 +1544,7 @@ s5TcpPolicy->small_seg_ignore[port/8] |= (1 << (port %8)); } } + max_s_toks = 0; // we already checked all tokens mSplitFree(&ptoks, num_ptoks); } else if (!strcasecmp(stoks[0], "ports")) @@ -1514,7 +1630,7 @@ { FatalError( "%s(%d) => Invalid port %ld, must be between 0 and %d, " - "inclusive\n", + "inclusive\n", file_name, file_line, long_port, MAX_PORTS-1); } port = (unsigned short)long_port; @@ -1536,6 +1652,7 @@ } set_flush_policy = 1; } + max_s_toks = 0; // we already checked all tokens } #ifdef TARGET_BASED else if (!strcasecmp(stoks[0], "protocol")) 
@@ -1569,13 +1686,13 @@ { for (j=1; j<MAX_PROTOCOL_ORDINAL; j++) { - if (reassembly_direction & SSN_DIR_CLIENT) + if (reassembly_direction & SSN_DIR_CLIENT) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_config_protocol[j].client; FlushPointList *flush_point_list = &s5TcpPolicy->flush_point_list; InitFlushMgr(flush_mgr, flush_point_list, STREAM_FLPOLICY_FOOTPRINT); } - if (reassembly_direction & SSN_DIR_SERVER) + if (reassembly_direction & SSN_DIR_SERVER) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_config_protocol[j].server; FlushPointList *flush_point_list = &s5TcpPolicy->flush_point_list; @@ -1621,7 +1738,7 @@ proto_ordinal = AddProtocolReference(ptoks[j]); if (proto_ordinal == SFTARGET_UNKNOWN_PROTOCOL) { - FatalError("%s(%d) => Failed to find protocol reference for '%s'\n", + FatalError("%s(%d) => Failed to find protocol reference for '%s'\n", file_name, file_line, ptoks[j]); } } @@ -1644,14 +1761,20 @@ } set_target_flush_policy = 1; } + max_s_toks = 0; // we already checked all tokens } #endif else { - FatalError("%s(%d) => Invalid Stream5 TCP policy option\n", + FatalError("%s(%d) => Invalid Stream5 TCP policy option\n", file_name, file_line); } + if ( max_s_toks && (s_toks > max_s_toks) ) + { + FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n", + file_name, file_line); + } mSplitFree(&stoks, s_toks); } @@ -1720,7 +1843,7 @@ FlushPointList *flush_point_list = &s5TcpPolicy->flush_point_list; InitFlushMgr(flush_mgr, flush_point_list, STREAM_FLPOLICY_FOOTPRINT); } - if (reassembly_direction & SSN_DIR_SERVER) + if (reassembly_direction & SSN_DIR_SERVER) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_config_protocol[app_id].server; FlushPointList *flush_point_list = &s5TcpPolicy->flush_point_list; 
@@ -1736,6 +1859,14 @@ { int i=0, j=0; LogMessage("Stream5 TCP Policy config:\n"); + if (s5TcpPolicy->bound_addrs != NULL) + { + IpAddrSetPrint(" Bound Addresses: ", s5TcpPolicy->bound_addrs); + } + else + { + LogMessage(" Bound Address: default\n"); + } LogMessage(" Reassembly Policy: %s\n", reassembly_policy_names[s5TcpPolicy->reassembly_policy]); LogMessage(" Timeout: %d seconds\n", s5TcpPolicy->session_timeout); @@ -1791,7 +1922,7 @@ } } LogMessage(" Reassembly Ports:\n"); - for (i=0; i<MAX_PORTS && j<20; i++) + for (i=0; i<MAX_PORTS; i++) { int direction = 0; int client_flushpolicy = s5TcpPolicy->flush_config[i].client.flush_policy; @@ -1804,7 +1935,7 @@ { direction |= SSN_DIR_CLIENT; - if (client_flushpolicy <= STREAM_FLPOLICY_MAX) + if (client_flushpolicy < STREAM_FLPOLICY_MAX) SnortSnprintf(client_policy_str, STD_BUF, "client (%s)", flush_policy_names[client_flushpolicy]); } @@ -1812,28 +1943,25 @@ { direction |= SSN_DIR_SERVER; - if (server_flushpolicy <= STREAM_FLPOLICY_MAX) + if (server_flushpolicy < STREAM_FLPOLICY_MAX) SnortSnprintf(server_policy_str, STD_BUF, "server (%s)", flush_policy_names[server_flushpolicy]); } if (direction) { - LogMessage(" %d %s %s\n", i, - client_policy_str, server_policy_str); -#ifndef DEBUG - /* Don't increment, so we print the full list in - * debug mode. */ + if (j<MAX_PORTS_TO_PRINT) + { + LogMessage(" %d %s %s\n", i, + client_policy_str, server_policy_str); + } j++; -#endif } } -#ifdef SUP_IP6 -// XXX-IPv6 var printing -#else - IpAddrSetPrint(" Bound Addresses:", s5TcpPolicy->bound_addrs); -#endif - + if (j > MAX_PORTS_TO_PRINT) + { + LogMessage(" additional ports configured but not printed.\n"); + } } #ifdef TARGET_BASED 
@@ -1858,9 +1986,17 @@ } #endif +void Stream5PostConfigTcp (void* pv) +{ + // FIXTHIS how to get tSfPolicyId for config? + static unsigned int pid = 0; + Stream5TcpConfig* config = pv; + s5_paf_print(pid++, config->paf_config); +} + void s5TcpPrintPortFilter(); -/** +/** * Stream5VerifyTcpConfig is is called after all preprocs (static & dynamic) * are inited. */ @@ -1871,19 +2007,19 @@ if (!tcp_lws_cache) { - LogMessage("WARNING: Stream5 TCP Session Cache not initialized\n"); + LogMessage("WARNING: Stream5 TCP Session Cache not initialized.\n"); return -1; } if (config->num_policies == 0) { - LogMessage("WARNING: Stream5 TCP no policies specified in configuration\n"); + LogMessage("WARNING: Stream5 TCP no policies specified in configuration.\n"); return -1; } if (config->default_policy == NULL) { - LogMessage("WARNING: Stream5 TCP default policy not specified in configuration\n"); + LogMessage("WARNING: Stream5 TCP default policy not specified in configuration.\n"); return -1; } @@ -1900,7 +2036,7 @@ #endif /* Post-process TCP rules to establish TCP ports to inspect. */ - setPortFilterList(config->port_filter, IPPROTO_TCP, + setPortFilterList(config->port_filter, IPPROTO_TCP, (config->default_policy->flags & STREAM5_CONFIG_IGNORE_ANY), policy_id); //printf ("TCP Ports with Inspection/Monitoring\n"); @@ -2006,6 +2142,9 @@ free(policy); } + if ( config->paf_config ) + s5_paf_delete(config->paf_config); + free(config->policy_list); free(config); } @@ -2073,7 +2212,7 @@ LogMessage(" end: 0x%08X\n", tdb->end_seq); } -#ifdef DEBUG +#ifdef DEBUG_STREAM5 static void PrintFlushMgr(FlushMgr *fm) { if(fm == NULL) @@ -2081,7 +2220,7 @@ switch(fm->flush_policy) { - case STREAM_FLPOLICY_NONE: + case STREAM_FLPOLICY_NONE: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " NONE\n");); break; 
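Review bot: Stream5PostConfigTcp passes `config->paf_config` straight to s5_paf_print, but the config code only allocates it when `ScPafEnabled()` is true and the teardown hunk later in this file guards `s5_paf_delete` with `if ( config->paf_config )`, so a NULL pointer reaches s5_paf_print in non-PAF configurations unless that function tolerates it. A matching guard, `if ( config->paf_config ) s5_paf_print(pid++, config->paf_config);`, keeps the two sites consistent, and `void* pv` should be either checked or documented as never NULL. The `static unsigned int pid` counter flagged FIXTHIS is process-global, so it presumably keeps counting across reloads; a comment noting that it only approximates a policy id for the first configuration pass would stop readers from relying on it.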
@@ -2111,12 +2250,17 @@ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " IGNORE\n");); break; + + case STREAM_FLPOLICY_PROTOCOL: + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " PROTOCOL\n");); + break; } } #endif // DEBUG #endif // DEBUG_STREAM5 -static INLINE void EventSynOnEst(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventSynOnEst(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2132,7 +2276,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventExcessiveOverlap(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventExcessiveOverlap(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2148,7 +2292,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventBadTimestamp(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventBadTimestamp(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2164,7 +2308,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventWindowTooLarge(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventWindowTooLarge(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2180,7 +2324,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventDataOnSyn(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventDataOnSyn(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2196,7 +2340,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventDataOnClosed(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventDataOnClosed(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; 
@@ -2212,7 +2356,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventDataAfterReset(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventDataAfterReset(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2228,7 +2372,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventBadSegment(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventBadSegment(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2244,7 +2388,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventSessionHijackedClient(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventSessionHijackedClient(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2259,7 +2403,7 @@ STREAM5_SESSION_HIJACKED_CLIENT_STR, /* event msg */ NULL); /* rule info ptr */ } -static INLINE void EventSessionHijackedServer(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventSessionHijackedServer(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2275,7 +2419,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventDataWithoutFlags(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventDataWithoutFlags(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2291,7 +2435,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventMaxSmallSegsExceeded(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventMaxSmallSegsExceeded(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2307,7 +2451,7 @@ NULL); /* rule info ptr */ } -static INLINE void Event4whs(Stream5TcpPolicy *s5TcpPolicy) +static inline void Event4whs(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; 
@@ -2323,7 +2467,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventNoTimestamp(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventNoTimestamp(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2339,7 +2483,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventBadReset(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventBadReset(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2355,7 +2499,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventBadFin(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventBadFin(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2371,7 +2515,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventBadAck(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventBadAck(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2387,7 +2531,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventDataAfterRstRcvd(Stream5TcpPolicy *s5TcpPolicy) +static inline void EventDataAfterRstRcvd(Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; @@ -2403,7 +2547,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventInternal (uint32_t eventSid) +static inline void EventInternal (uint32_t eventSid) { if ( !InternalEventIsEnabled(snort_conf->rate_filter_config, eventSid) ) return; @@ -2422,7 +2566,7 @@ NULL); /* rule info ptr */ } -static INLINE void EventWindowSlam (Stream5TcpPolicy *s5TcpPolicy) +static inline void EventWindowSlam (Stream5TcpPolicy *s5TcpPolicy) { if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; 
@@ -2446,15 +2590,19 @@ PC_TCP_TRIM, PC_TCP_ECN_SSN, PC_TCP_TS_NOP, + PC_TCP_IPS_DATA, + PC_TCP_BLOCK, PC_MAX } PegCounts; -static PegCount normStats[PC_MAX]; +static uint64_t normStats[PC_MAX]; -static const char* pegName[PC_MAX] = { +static const char* pegName[PC_MAX] = { "tcp::trim", "tcp::ecn_ssn", "tcp::ts_nop", + "tcp::ips_data", + "tcp::block", }; void Stream_PrintNormalizationStats (void) @@ -2465,7 +2613,7 @@ for ( i = 0; i < PC_MAX; i++ ) { // same alignment as in Norm_PrintStats() - LogMessage("%23s: %lu\n", pegName[i], normStats[i]); + LogMessage("%23s: " STDu64 "\n", pegName[i], normStats[i]); } } @@ -2481,25 +2629,39 @@ // fewer total checks. however, it is best to minimize // configuration checks on a per packet basis so there is // still room for improvement. -static INLINE void NormalDropPacket (Packet* p) +static inline void NormalDropPacket (Packet* p) { Active_DropPacket(); } -static INLINE int NormalDropPacketIf (Packet* p, NormFlags f) +static inline int NormalDropPacketIf (Packet* p, NormFlags f) { if ( Normalize_IsEnabled(snort_conf, f) ) { NormalDropPacket(p); + normStats[PC_TCP_BLOCK]++; + sfBase.iPegs[PERF_COUNT_TCP_BLOCK]++; return 1; } return 0; } -static INLINE void NormalStripTimeStamp (Packet* p, int i) +static inline void NormalStripTimeStamp (Packet* p, int i) { + uint8_t* opt; + + if ( i < 0 ) + { + for ( i = 0; i < p->tcp_option_count; i++ ) + { + if ( p->tcp_options[i].code == TCPOPT_TIMESTAMP ) + break; + } + if ( i == p->tcp_option_count ) + return; + } // first set raw option bytes to nops - uint8_t* opt = (uint8_t*)p->tcp_options[i].data - 2; + opt = (uint8_t*)p->tcp_options[i].data - 2; memset(opt, TCPOPT_NOP, TCPOLEN_TIMESTAMP); // then nop decoded option code only @@ -2510,7 +2672,7 @@ sfBase.iPegs[PERF_COUNT_TCP_TS_NOP]++; } -static INLINE void NormalTrimPayload ( +static inline void NormalTrimPayload ( Packet* p, uint16_t max, TcpDataBlock* tdb ) { if ( p->dsize > max ) 
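Review bot: In `NormalStripTimeStamp` the new `i < 0` lookup selects the option by `code` alone, and the following `memset(opt, TCPOPT_NOP, TCPOLEN_TIMESTAMP)` then overwrites TCPOLEN_TIMESTAMP bytes starting two bytes before `data` regardless of the option's decoded length. If the decoder can hand back a TCPOPT_TIMESTAMP entry with a non-standard length (the decoder is outside this diff), the nop fill would spill into the following option or past the header; a length check before the memset, e.g. `if ( p->tcp_options[i].len != TCPOLEN_TIMESTAMP ) return;` (assuming the decoded option carries its length in `len`, as Snort's Options struct does), bounds it. The `data - 2` assumption predates this change, but the new lookup path now reaches the memset without the caller having validated the index.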
@@ -2524,10 +2686,10 @@ } } -static INLINE int NormalTrimPayloadIf ( +static inline int NormalTrimPayloadIf ( Packet* p, NormFlags f, uint16_t max, TcpDataBlock* tdb ) { - if ( + if ( Normalize_IsEnabled(snort_conf, f) && p->dsize > max ) { @@ -2537,7 +2699,7 @@ return 0; } -static INLINE void NormalTrackECN (TcpSession* s, TCPHdr* tcph, int req3way) +static inline void NormalTrackECN (TcpSession* s, TCPHdr* tcph, int req3way) { if ( !s ) return; @@ -2551,7 +2713,7 @@ s->ecn = TCP_ISFLAGSET(tcph, (TH_ECE|TH_CWR)); } -static INLINE void NormalCheckECN (TcpSession* s, Packet* p) +static inline void NormalCheckECN (TcpSession* s, Packet* p) { if ( !s->ecn && (p->tcph->th_flags & (TH_ECE|TH_CWR)) ) { @@ -2567,7 +2729,7 @@ #define NormalTrimPayloadIf(p, f, m, t) #endif -static INLINE int IsBetween(uint32_t low, uint32_t high, uint32_t cur) +static inline int IsBetween(uint32_t low, uint32_t high, uint32_t cur) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "(%X, %X, %X) = (low, high, cur)\n", low,high,cur);); @@ -2577,9 +2739,9 @@ return 1; return (SEQ_GEQ(cur, low) && SEQ_LEQ(cur, high)); -} +} -static INLINE uint32_t Stream5GetWindow(StreamTracker *st) +static inline uint32_t Stream5GetWindow(StreamTracker *st) { int32_t window; 
@@ -2603,18 +2765,21 @@ } // ack number must ack syn -static INLINE int ValidRstSynSent(StreamTracker *st, TcpDataBlock *tdb) +static inline int ValidRstSynSent(StreamTracker *st, TcpDataBlock *tdb) { return tdb->ack == st->l_unackd; } -// seq number must be in window -static INLINE int ValidRst(StreamTracker *st, TcpDataBlock *tdb) +// per rfc 793 a rst is valid if the seq number is in window +// for all states but syn-sent (handled above). however, we +// validate here based on how various implementations actually +// handle a rst. +static inline int ValidRst(StreamTracker *st, TcpDataBlock *tdb) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Checking end_seq (%X) > r_win_base (%X) && " - "seq (%X) < r_nxt_ack(%X)\n", - tdb->end_seq, st->r_win_base, tdb->seq, + "seq (%X) < r_nxt_ack(%X)\n", + tdb->end_seq, st->r_win_base, tdb->seq, st->r_nxt_ack+Stream5GetWindow(st));); switch (st->os_policy) @@ -2662,7 +2827,7 @@ return 1; } } - + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "rst is not valid seq (within window)!\n");); return 0; @@ -2674,7 +2839,7 @@ return 0; } -static INLINE int ValidTimestamp(StreamTracker *talker, +static inline int ValidTimestamp(StreamTracker *talker, StreamTracker *listener, TcpDataBlock *tdb, Packet *p, @@ -2688,21 +2853,23 @@ return ACTION_NOTHING; #ifdef NORMALIZER +#if 0 if ( p->tcph->th_flags & TH_ACK && Normalize_IsEnabled(snort_conf, NORM_TCP_OPT) ) { // FIXTHIS validate tsecr here (check that it was previously sent) - // checking for the most recent ts is easy enough must check if + // checking for the most recent ts is easy enough must check if // ts are up to date in retransmitted packets } #endif +#endif /* * check PAWS */ if((talker->flags & TF_TSTAMP) && (listener->flags & TF_TSTAMP)) { char validate_timestamp = 1; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Checking timestamps for PAWS\n");); *got_ts = Stream5GetTcpTimestamp(p, &tdb->ts, 0); 
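Review bot: The tsecr validation stub in `ValidTimestamp` is now wrapped in `#if 0` inside `#ifdef NORMALIZER`, which leaves a compiled-out `Normalize_IsEnabled` check and an empty body behind purely to carry a reminder; a comment does that without dead code, e.g. `// FIXTHIS validate tsecr against a previously sent ts (including retransmitted segments)`. The function begins in the preceding hunk and continues past this one.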
@@ -2756,16 +2923,16 @@ { /* Linux 2.6 accepts timestamp values that are off * by one. */ - result = (int)((tdb->ts - talker->ts_last) + 1); + result = (int)((tdb->ts - talker->ts_last) + 1); } else { - result = (int)(tdb->ts - talker->ts_last); + result = (int)(tdb->ts - talker->ts_last); } if(result < 0) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Packet outside PAWS window, dropping\n");); /* bail, we've got a packet outside the PAWS window! */ //s5stats.tcp_discards++; @@ -2777,7 +2944,7 @@ ((uint32_t)p->pkth->ts.tv_sec > talker->ts_last_pkt+PAWS_24DAYS)) { /* this packet is from way too far into the future */ - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "packet PAWS timestamp way too far ahead of" "last packet %d %d...\n", p->pkth->ts.tv_sec, talker->ts_last_pkt);); @@ -2788,7 +2955,7 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "packet PAWS ok...\n");); } } @@ -2801,7 +2968,7 @@ * but continue to process the packet */ *eventcode |= EVENT_NO_TIMESTAMP; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "packet no timestamp, had one earlier from this side...ok for now...\n");); if (listener->tcp_policy->policy == STREAM_POLICY_SOLARIS) 
@@ -2823,15 +2990,23 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, +#ifdef NORMALIZER + // if we are not handling timestamps, and this isn't a syn + // (only), and we have seen a valid 3way setup, then we strip + // (nop) the timestamp option. this includes the cases where + // we disable timestamp handling. + int strip = ( SetupOK(talker) && SetupOK(listener) ); +#else + int strip = 0; +#endif + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "listener not doing timestamps...\n");); - *got_ts = Stream5GetTcpTimestamp(p, &tdb->ts, 1); + *got_ts = Stream5GetTcpTimestamp(p, &tdb->ts, strip); if (*got_ts) { if (!(talker->flags & TF_TSTAMP)) { - // FIXTHIS this comment is a little off cuz we come here on syn /* Since we skipped the SYN, may have missed the talker's * timestamp there, so set it now. */ @@ -2847,10 +3022,6 @@ * of its value. */ if ((tdb->ts == 0) && (listener->flags & TF_TSTAMP)) { -#ifdef NORMALIZER - if ( Normalize_IsEnabled(snort_conf, NORM_TCP_OPT) ) - NormalDropPacket(p); -#endif switch (listener->os_policy) { case STREAM_POLICY_WINDOWS: @@ -2866,7 +3037,6 @@ //s5stats.tcp_discards++; /* bail */ *eventcode |= EVENT_BAD_TIMESTAMP; - NormalDropPacketIf(p, NORM_TCP_OPT); return ACTION_BAD_PKT; } } @@ -2875,12 +3045,12 @@ return ACTION_NOTHING; } -static INLINE int ValidSeq(StreamTracker *st, TcpDataBlock *tdb) +static inline int ValidSeq(StreamTracker *st, TcpDataBlock *tdb) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Checking end_seq (%X) > r_win_base (%X) && " - "seq (%X) < r_nxt_ack(%X)\n", - tdb->end_seq, st->r_win_base, tdb->seq, + "seq (%X) < r_nxt_ack(%X)\n", + tdb->end_seq, st->r_win_base, tdb->seq, st->r_nxt_ack+Stream5GetWindow(st));); if(SEQ_GEQ(tdb->end_seq, st->r_win_base)) 
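Review bot: In the "listener not doing timestamps" branch of `ValidTimestamp`, the new `strip` flag is derived only from `SetupOK(talker) && SetupOK(listener)`; nothing in the hunk consults `Normalize_IsEnabled(snort_conf, NORM_TCP_OPT)`, whereas the drop this commit removes further down was gated on exactly that flag. Unless `Stream5GetTcpTimestamp` applies that gate internally (its body is outside this diff), the timestamp option is now nop'ed on every established session in a NORMALIZER build even when TCP option normalization is not enabled; `int strip = Normalize_IsEnabled(snort_conf, NORM_TCP_OPT) && SetupOK(talker) && SetupOK(listener);` would preserve the previous contract. With the two `NormalDropPacket*` calls gone, a zero timestamp is now only flagged (`EVENT_BAD_TIMESTAMP` / `ACTION_BAD_PKT`) and left to the caller, which deserves a one-line comment at that return. ValidTimestamp begins and ends outside this hunk.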
@@ -2905,12 +3075,12 @@ return 0; } -static INLINE void UpdateSsn( +static inline void UpdateSsn( Packet* p, StreamTracker *rcv, StreamTracker *snd, TcpDataBlock *tdb) { #if 0 #ifdef NORMALIZER - if ( + if ( // FIXTHIS these checks are a hack to avoid off by one normalization // due to FIN ... if last segment filled a hole, r_nxt_ack is not at // end of data, FIN is ignored so sequence isn't bumped, and this @@ -2947,7 +3117,7 @@ #endif // ** if we don't see a segment, we can't track seq at ** below // so we update the seq by the ack if it is beyond next expected - // FIXTHIS first test below is implied by second; verify test suite + // FIXTHIS first test below is implied by second; verify test suite // doesn't break if(SEQ_GT(tdb->ack, rcv->l_unackd) && SEQ_GT(tdb->ack, rcv->l_nxt_seq)) rcv->l_unackd = tdb->ack; @@ -2972,7 +3142,7 @@ s5_pkt = Encode_New(); } -static INLINE void SetupTcpDataBlock(TcpDataBlock *tdb, Packet *p) +static inline void SetupTcpDataBlock(TcpDataBlock *tdb, Packet *p) { #ifdef SUP_IP6 tdb->sip = *GET_SRC_IP(p); @@ -2981,7 +3151,7 @@ { *tdb->sip.ip32 = ntohl(*tdb->sip.ip32); *tdb->dip.ip32 = ntohl(*tdb->dip.ip32); - } + } #else tdb->sip = ntohl(p->iph->ip_src.s_addr); tdb->dip = ntohl(p->iph->ip_dst.s_addr); @@ -2998,7 +3168,8 @@ if(!(p->tcph->th_flags & TH_ACK)) EventInternal(INTERNAL_EVENT_SYN_RECEIVED); } - if(p->tcph->th_flags & TH_FIN) tdb->end_seq++; + // don't bump end_seq for fin here + // we will bump if/when fin is processed return; } @@ -3009,8 +3180,8 @@ if(seg != NULL) { - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "Dumping segment at seq %X, size %d, caplen %d\n", + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "Dumping segment at seq %X, size %d, caplen %d\n", seg->seq, seg->size, seg->caplen);); if(seg->pktOrig != NULL) 
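Review bot: `SetupTcpDataBlock` no longer adds one to `tdb->end_seq` for a FIN, and the replacement comment says the bump happens "if/when fin is processed" without saying where; every consumer of `tdb->end_seq` (the ValidRst/ValidSeq window checks in earlier hunks, for instance) now sees an end_seq that excludes the FIN, and nothing visible in this diff shows the matching increment. Naming the owner in the comment lets the next reader find it, e.g. `// FIN is not counted here; <state handler> bumps end_seq when it accepts the FIN`, with the real function substituted. The enclosing function begins outside this hunk.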
@@ -3027,7 +3198,7 @@ s5stats.tcp_streamsegs_released++; } - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, "Stream5DropSegment dropped %d bytes\n", dropped);); } @@ -3037,7 +3208,7 @@ StreamSegment *dump_me; int i = 0; - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, "In DeleteSeglist\n");); while(idx) { @@ -3047,20 +3218,31 @@ Stream5DropSegment(dump_me); } - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, "Dropped %d segments\n", i);); } -static INLINE int purge_alerts(StreamTracker *st, uint32_t flush_seq) +static inline int purge_alerts(StreamTracker *st, uint32_t flush_seq, void *ssnptr) { int i; int new_count = 0; for (i=0;i<st->alert_count;i++) { + uint32_t alert_seq = ntohl(st->alerts[i].seq); + Stream5AlertExtraDataInfo *pxd = &(st->alerts[i].extra_data); if (SEQ_LT(alert_seq,flush_seq) ) { + if(pxd->xtradata_mask && extra_data_log) + { + extra_data_log(ssnptr, extra_data_config, xtradata_map, + xtradata_func_count, pxd->xtradata_mask, + pxd->event_id, pxd->event_second); + } + pxd->xtradata_mask = 0; + pxd->event_id = 0; + pxd->event_second = 0; st->alerts[i].sid = 0; st->alerts[i].gid = 0; st->alerts[i].seq = 0; @@ -3072,6 +3254,10 @@ st->alerts[new_count].sid = st->alerts[i].sid; st->alerts[new_count].gid = st->alerts[i].gid; st->alerts[new_count].seq = st->alerts[i].seq; + st->alerts[new_count].extra_data.event_id = pxd->event_id; + st->alerts[new_count].extra_data.event_second = pxd->event_second; + st->alerts[new_count].extra_data.xtradata_mask |= pxd->xtradata_mask; + } new_count++; } @@ -3081,7 +3267,7 @@ return new_count; } -static INLINE int purge_to_seq(TcpSession *tcpssn, StreamTracker *st, uint32_t flush_seq) +static inline int purge_to_seq(TcpSession *tcpssn, StreamTracker *st, uint32_t flush_seq) { StreamSegment *ss = NULL; StreamSegment *dump_me = NULL; 
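Review bot: In the compaction branch of `purge_alerts`, `st->alerts[new_count].extra_data.xtradata_mask |= pxd->xtradata_mask;` ORs into whatever the destination slot held, while `event_id` and `event_second` on the lines above are assigned. A destination slot is not always a zeroed (purged) one: once two or more alerts have been moved down, slot `new_count` can still hold the mask of an alert that was itself copied earlier and never cleared, so the retained alert inherits stale extra-data bits and `extra_data_log` is later invoked for data belonging to a different event. Unless the source slot is cleared after the copy (that code is outside the hunk), this should be a plain assignment: `st->alerts[new_count].extra_data.xtradata_mask = pxd->xtradata_mask;`. The new `void *ssnptr` parameter is only forwarded to `extra_data_log`; giving it the real session type would document what callers must pass.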
@@ -3100,13 +3286,13 @@ } ss = st->seglist; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "In purge_to_seq, start seq = 0x%X end seq = 0x%X delta %d\n", + + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "In purge_to_seq, start seq = 0x%X end seq = 0x%X delta %d\n", ss->seq, flush_seq, flush_seq-ss->seq);); while(ss) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "s: %X sz: %d\n", ss->seq, ss->size);); dump_me = ss; @@ -3117,7 +3303,7 @@ { last_ts = dump_me->ts; } - purged_bytes += Stream5SeglistDeleteNode(st, dump_me); + purged_bytes += Stream5SeglistDeleteNode(st, dump_me, flush_seq); } else break; @@ -3129,12 +3315,10 @@ "setting st->seglist_base_seq to 0x%X\n", flush_seq);); st->seglist_base_seq = flush_seq; } -#ifdef NORMALIZER - if ( !Normalize_IsEnabled(snort_conf, NORM_TCP_IPS) ) -#endif + if ( SEQ_LT(st->r_nxt_ack, flush_seq) ) st->r_nxt_ack = flush_seq; - purge_alerts(st, flush_seq); + purge_alerts(st, flush_seq,(void *)tcpssn->lwssn); if (st->seglist == NULL) { @@ -3147,7 +3331,7 @@ * last timestamp is the highest one that we had stored and * purged and handle the case when packets arrive out of order, * such as: - * P1: seq 10, length 10, timestamp 10 + * P1: seq 10, length 10, timestamp 10 * P3: seq 30, length 10, timestamp 30 * P2: seq 20, length 10, timestamp 20 * 
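Review bot: `purge_to_seq` now dereferences `tcpssn->lwssn` unconditionally at the `purge_alerts` call; its own handling of a NULL `tcpssn` is outside the hunk, and `purge_ackd`/`purge_flushed_ackd` pass the pointer straight through, so if any caller can reach here without a session a guard such as `purge_alerts(st, flush_seq, tcpssn ? (void *)tcpssn->lwssn : NULL);` keeps the old behaviour for that case (whether `extra_data_log` tolerates a NULL session is also worth confirming). The `(void *)` cast is redundant in C and hides the lwssn type. Replacing the NORM_TCP_IPS gate with `if ( SEQ_LT(st->r_nxt_ack, flush_seq) )` changes what the normalizer build does on purge and deserves a one-line why-comment.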
@@ -3175,24 +3359,59 @@ return purged_bytes; } -static INLINE void purge_all (StreamTracker *st) +static inline void purge_all (StreamTracker *st) { DeleteSeglist(st->seglist); - st->seglist = st->seglist_tail = NULL; + st->seglist = st->seglist_tail = st->seglist_next = NULL; st->seg_count = st->flush_count = 0; } /* * purge a seglist up to the the last ack received */ -static INLINE int purge_ackd(TcpSession *tcpssn, StreamTracker *st) +static inline int purge_ackd(TcpSession *tcpssn, StreamTracker *st) { return purge_to_seq(tcpssn, st, st->r_win_base); } +// purge_flushed_ackd(): +// * must only purge flushed and acked bytes +// * we may flush partial segments +// * must adjust seq->seq and seg->size when a flush gets only the +// initial part of a segment +// * FIXTHIS need flag to mark any reassembled packets that have a gap +// (if we reassemble such) +static inline int purge_flushed_ackd (TcpSession *tcpssn, StreamTracker *st) +{ + StreamSegment* seg = st->seglist; + uint32_t seq = 0; + + while ( seg && seg->buffered ) + { + seq = seg->seq + seg->size; + seg = seg->next; + } + if ( seq ) + return purge_to_seq(tcpssn, st, seq); + + return 0; +} + +static void ShowRebuiltPacket (Packet* p) +{ + if(s5_global_eval_config->flags & STREAM5_CONFIG_SHOW_PACKETS) + { + //ClearDumpBuf(); + printf("+++++++++++++++++++Stream Packet+++++++++++++++++++++\n"); + PrintIPPkt(stdout, IPPROTO_TCP, p); + printf("+++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); + //ClearDumpBuf(); + } +} + #ifdef SUP_IP6 -static INLINE int _flush_to_seq_4( - TcpSession *tcpssn, StreamTracker *st, uint32_t bytes, Packet *p, +static inline int _flush_to_seq_4( + TcpSession *tcpssn, StreamTracker *st, uint32_t bytes, Packet *p, snort_ip_p sip, snort_ip_p dip, uint16_t sp, uint16_t dp, uint32_t dir) { uint32_t stop_seq; 
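Review bot: `purge_flushed_ackd` uses `seq == 0` to mean "no buffered segment found", but `seg->seq + seg->size` is a 32-bit sequence value that can legitimately be 0 after wrap, in which case flushed-and-acked data is left unpurged until a later call. Testing whether the loop advanced is unambiguous: `if ( seg != st->seglist ) return purge_to_seq(tcpssn, st, seq);`. In the header comment, "must adjust seq->seq and seg->size" reads as a typo for `seg->seq`.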
@@ -3205,7 +3424,7 @@ PREPROC_PROFILE_START(s5TcpFlushPerfStats); if ( htons(sp) == p->sp ) enc_flags |= ENC_FLAG_FWD; - Encode_Format(enc_flags, p, s5_pkt); + Encode_Format(enc_flags, p, s5_pkt, PSEUDO_PKT_TCP); s5_pkt_end = s5_pkt->data + s5_pkt->max_dsize; 
@@ -3216,48 +3435,51 @@ else ((TCPHdr *)s5_pkt->tcph)->th_seq = htonl(st->seglist_base_seq); + // TBD in ips mode, these should be coming from current packet (tdb) ((TCPHdr *)s5_pkt->tcph)->th_ack = htonl(st->l_unackd); ((TCPHdr *)s5_pkt->tcph)->th_win = htons((uint16_t)st->l_window); // if not specified, set bytes to flush to what was acked - if ( !bytes ) bytes = st->r_win_base - st->seglist_base_seq; + if ( !bytes && SEQ_GT(st->r_win_base, st->seglist_base_seq) ) + bytes = st->r_win_base - st->seglist_base_seq; stop_seq = st->seglist_base_seq + bytes; do { footprint = stop_seq - st->seglist_base_seq; - if(footprint == 0) + if(footprint == 0) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Negative footprint, bailing %d (0x%X - 0x%X)\n", + "Negative footprint, bailing %d (0x%X - 0x%X)\n", footprint, stop_seq, st->seglist_base_seq);); PREPROC_PROFILE_END(s5TcpFlushPerfStats); return bytes_processed; } -#ifdef DEBUG +#ifdef DEBUG_STREAM5 if(footprint < st->seg_bytes_logical) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Footprint less than queued bytes, " - "win_base: 0x%X base_seq: 0x%X\n", + "win_base: 0x%X base_seq: 0x%X\n", stop_seq, st->seglist_base_seq);); } #endif - if(footprint > STREAM_MAX_PACKET) + if(footprint > s5_pkt->max_dsize) { /* this is as much as we can pack into a stream buffer */ - footprint = STREAM_MAX_PACKET; + footprint = s5_pkt->max_dsize; + stop_seq = st->seglist_base_seq + footprint; } STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Attempting to flush %lu bytes\n", footprint);); /* setup the pseudopacket payload */ - flushed_bytes = FlushStream(st, stop_seq, (uint8_t *)s5_pkt->data, s5_pkt_end); + flushed_bytes = FlushStream(p, st, stop_seq, (uint8_t *)s5_pkt->data, s5_pkt_end); if(flushed_bytes == -1) { 
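Review bot: The flush loop in `_flush_to_seq_4` (defaulting `bytes` from `r_win_base`, capping `footprint` at `s5_pkt->max_dsize` and re-deriving `stop_seq`, the `FlushStream` call) is now duplicated line for line in `_flush_to_seq_6` and in the non-SUP_IP6 path of `flush_to_seq` later in this diff; the commit already extracted `ShowRebuiltPacket`, and the same treatment for the loop body would stop the three copies drifting — the `footprint == 0` test here versus `footprint <= 0` in the other two is exactly that kind of drift. If `footprint` is a uint32_t like `stop_seq` (its declaration is outside the hunk), the "Negative footprint" message printed with `%d` can never describe a negative value; the condition is right, the message is not. The function starts in an earlier hunk and ends outside this one.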
@@ -3271,7 +3493,7 @@ purge_all(st); } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X\n", stop_seq);); st->seglist_base_seq = stop_seq; @@ -3285,9 +3507,9 @@ break; } - s5_pkt->packet_flags = (PKT_REBUILT_STREAM|PKT_STREAM_EST); + s5_pkt->packet_flags |= (PKT_REBUILT_STREAM|PKT_STREAM_EST); s5_pkt->dsize = (uint16_t)flushed_bytes; - + Encode_Update(s5_pkt); s5_pkt->inner_ip4h.ip_len = s5_pkt->iph->ip_len; @@ -3315,33 +3537,25 @@ if (st->flags & TF_MISSING_PKT) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X (gap)\n", st->gap_seq);); st->seglist_base_seq = st->gap_seq; } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X\n", stop_seq);); st->seglist_base_seq = stop_seq; } - if(s5_global_eval_config->flags & STREAM5_CONFIG_SHOW_PACKETS) - { - //ClearDumpBuf(); - printf("+++++++++++++++++++Stream Packet+++++++++++++++++++++\n"); - PrintIPPkt(stdout, IPPROTO_TCP, s5_pkt); - printf("+++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); - //ClearDumpBuf(); - } - - s5stats.tcp_rebuilt_packets++; + ShowRebuiltPacket(s5_pkt); + s5stats.tcp_rebuilt_packets++; PREPROC_PROFILE_TMPEND(s5TcpFlushPerfStats); { int event, tmp_do_detect, tmp_do_detect_content; PROFILE_VARS; - + PREPROC_PROFILE_START(s5TcpProcessRebuiltPerfStats); tmp_do_detect = do_detect; tmp_do_detect_content = do_detect_content; @@ -3349,6 +3563,7 @@ SnortEventqPush(); event = Preprocess(s5_pkt); SnortEventqPop(); + DetectReset((uint8_t *)s5_pkt->data, s5_pkt->dsize); do_detect = tmp_do_detect; do_detect_content = tmp_do_detect_content; 
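Review bot: `s5_pkt->packet_flags |= (PKT_REBUILT_STREAM|PKT_STREAM_EST)` replaces an assignment, so any flags already on `s5_pkt` survive; `s5_pkt` is allocated once (`s5_pkt = Encode_New();` earlier in this diff) and reused for every flush, so unless `Encode_Format` clears `packet_flags` on each call, flags from the previous rebuilt packet can carry over into this one. If Encode_Format does reset them, a comment saying so saves the next reader the lookup, e.g. `// Encode_Format() resets packet_flags; only the rebuilt markers are OR'd in here`. The same change appears in `_flush_to_seq_6` and `flush_to_seq` further down.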
@@ -3363,11 +3578,10 @@ /* Reset alert tracking after flushing rebuilt packet */ - } while (!(st->flags & TF_MISSING_PKT) && (SegsToFlush(st) > 1)); + } while (!(st->flags & TF_MISSING_PKT) && DataToFlush(st)); - /* Grab the next random flush point */ - // FIXTHIS should we get next random flush pt per flush or per session? - //UpdateFlushMgr(&st->flush_mgr); + if ( st->tcp_policy ) + UpdateFlushMgr(&st->flush_mgr, &st->tcp_policy->flush_point_list); /* tell them how many bytes we processed */ PREPROC_PROFILE_END(s5TcpFlushPerfStats); @@ -3375,8 +3589,8 @@ } -static INLINE int _flush_to_seq_6( - TcpSession *tcpssn, StreamTracker *st, uint32_t bytes, Packet *p, +static inline int _flush_to_seq_6( + TcpSession *tcpssn, StreamTracker *st, uint32_t bytes, Packet *p, snort_ip_p sip, snort_ip_p dip, uint16_t sp, uint16_t dp, uint32_t dir) { uint32_t base_seq; @@ -3388,9 +3602,9 @@ PROFILE_VARS; PREPROC_PROFILE_START(s5TcpFlushPerfStats); - + if ( htons(sp) == p->sp ) enc_flags |= ENC_FLAG_FWD; - Encode_Format(enc_flags, p, s5_pkt); + Encode_Format(enc_flags, p, s5_pkt, PSEUDO_PKT_TCP); s5_pkt_end = s5_pkt->data + s5_pkt->max_dsize; 
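Review bot: The removed FIXTHIS asked whether the random flush point should advance per flush or per session; the new `UpdateFlushMgr` call settles it (once per `_flush_to_seq_4` call, after the do/while) but the decision is now implicit. A one-line comment keeps it visible: `// advance to the next flush point once per flush call, not per rebuilt packet`. Note the call also runs when the loop exited early on `TF_MISSING_PKT`, which may be intended but is worth stating. The enclosing function begins in earlier hunks.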
@@ -3401,51 +3615,53 @@ else ((TCPHdr *)s5_pkt->tcph)->th_seq = htonl(st->seglist_base_seq); + // TBD in ips mode, these should be coming from current packet (tdb) ((TCPHdr *)s5_pkt->tcph)->th_ack = htonl(st->l_unackd); ((TCPHdr *)s5_pkt->tcph)->th_win = htons((uint16_t)st->l_window); - // for now, we allow bytes == 0 for flushing acked - // otherwise, bytes is how many to ack - if ( !bytes ) bytes = st->r_win_base - st->seglist_base_seq; + // if not specified, set bytes to flush to what was acked + if ( !bytes && SEQ_GT(st->r_win_base, st->seglist_base_seq) ) + bytes = st->r_win_base - st->seglist_base_seq; stop_seq = st->seglist_base_seq + bytes; do { - base_seq = st->seglist_base_seq; + base_seq = st->seglist_base_seq; footprint = stop_seq - base_seq; - if(footprint <= 0) + if(footprint <= 0) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Negative footprint, bailing %d (0x%X - 0x%X)\n", + "Negative footprint, bailing %d (0x%X - 0x%X)\n", footprint, stop_seq, base_seq);); PREPROC_PROFILE_END(s5TcpFlushPerfStats); return bytes_processed; } -#ifdef DEBUG +#ifdef DEBUG_STREAM5 if(footprint < st->seg_bytes_logical) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Footprint less than queued bytes, " - "win_base: 0x%X base_seq: 0x%X\n", + "win_base: 0x%X base_seq: 0x%X\n", stop_seq, base_seq);); } #endif - if(footprint > STREAM_MAX_PACKET6) + if(footprint > s5_pkt->max_dsize) { /* this is as much as we can pack into a stream buffer */ - footprint = STREAM_MAX_PACKET6; + footprint = s5_pkt->max_dsize; + stop_seq = st->seglist_base_seq + footprint; } STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Attempting to flush %lu bytes\n", footprint);); /* setup the pseudopacket payload */ - flushed_bytes = FlushStream(st, stop_seq, (uint8_t *)s5_pkt->data, s5_pkt_end); + flushed_bytes = FlushStream(p, st, stop_seq, (uint8_t *)s5_pkt->data, s5_pkt_end); if(flushed_bytes == -1) { 
@@ -3459,7 +3675,7 @@ purge_all(st); } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X\n", stop_seq);); st->seglist_base_seq = stop_seq; @@ -3473,7 +3689,7 @@ break; } - s5_pkt->packet_flags = (PKT_REBUILT_STREAM|PKT_STREAM_EST); + s5_pkt->packet_flags |= (PKT_REBUILT_STREAM|PKT_STREAM_EST); s5_pkt->dsize = (uint16_t)flushed_bytes; Encode_Update(s5_pkt); @@ -3505,33 +3721,25 @@ if (st->flags & TF_MISSING_PKT) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X (gap)\n", st->gap_seq);); st->seglist_base_seq = st->gap_seq; } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X\n", stop_seq);); st->seglist_base_seq = stop_seq; } - if(s5_global_eval_config->flags & STREAM5_CONFIG_SHOW_PACKETS) - { - //ClearDumpBuf(); - printf("+++++++++++++++++++Stream Packet+++++++++++++++++++++\n"); - PrintIPPkt(stdout, IPPROTO_TCP, s5_pkt); - printf("+++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); - //ClearDumpBuf(); - } - - s5stats.tcp_rebuilt_packets++; + ShowRebuiltPacket(s5_pkt); + s5stats.tcp_rebuilt_packets++; PREPROC_PROFILE_TMPEND(s5TcpFlushPerfStats); { int event, tmp_do_detect, tmp_do_detect_content; PROFILE_VARS; - + PREPROC_PROFILE_START(s5TcpProcessRebuiltPerfStats); tmp_do_detect = do_detect; tmp_do_detect_content = do_detect_content; @@ -3539,6 +3747,7 @@ SnortEventqPush(); event = Preprocess(s5_pkt); SnortEventqPop(); + DetectReset((uint8_t *)s5_pkt->data, s5_pkt->dsize); do_detect = tmp_do_detect; do_detect_content = tmp_do_detect_content; 
@@ -3553,11 +3762,10 @@ /* Reset alert tracking after flushing rebuilt packet */ - } while (!(st->flags & TF_MISSING_PKT) && (SegsToFlush(st) > 1)); + } while (!(st->flags & TF_MISSING_PKT) && DataToFlush(st)); - /* Grab the next random flush point */ - // FIXTHIS should we get next random flush pt per flush or per session? - //UpdateFlushMgr(&st->flush_mgr); + if ( st->tcp_policy ) + UpdateFlushMgr(&st->flush_mgr, &st->tcp_policy->flush_point_list); /* tell them how many bytes we processed */ PREPROC_PROFILE_END(s5TcpFlushPerfStats); @@ -3570,7 +3778,7 @@ * between our base sequence and the last ack'd sequence we * received */ -static INLINE uint32_t get_q_footprint(StreamTracker *st) +static inline uint32_t get_q_footprint(StreamTracker *st) { uint32_t fp; @@ -3590,7 +3798,7 @@ // FIXTHIS get_q_sequenced() performance could possibly be // boosted by tracking sequenced bytes as seglist is updated // to avoid the while loop, etc. below. -static INLINE uint32_t get_q_sequenced(StreamTracker *st) +static inline uint32_t get_q_sequenced(StreamTracker *st) { uint32_t len; StreamSegment* seg = st ? st->seglist : NULL; @@ -3599,6 +3807,9 @@ if ( !seg ) return 0; + if ( SEQ_LT(st->r_win_base, seg->seq) ) + return 0; + while ( seg->next && (seg->next->seq == seg->seq + seg->size) ) { if ( !seg->buffered && !base ) @@ -3622,8 +3833,8 @@ * flush a seglist up to the given point, generate a pseudopacket, * and fire it thru the system. */ -static INLINE int flush_to_seq( - TcpSession *tcpssn, StreamTracker *st, uint32_t bytes, Packet *p, +static inline int flush_to_seq( + TcpSession *tcpssn, StreamTracker *st, uint32_t bytes, Packet *p, snort_ip_p sip, snort_ip_p dip, uint16_t sp, uint16_t dp, uint32_t dir) { uint32_t bytes_processed = 0; 
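Review bot: The new `if ( SEQ_LT(st->r_win_base, seg->seq) ) return 0;` in `get_q_sequenced` makes the result depend on the peer's acks rather than only on segment contiguity, which neither the function name nor the FIXTHIS above it suggests; a why-comment would help, e.g. `// seglist head lies beyond the acked window: nothing counts as sequenced yet`. The check itself is safe as written, since `st` is already known non-NULL once `seg` is. The function's remaining body continues past the hunk.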
@@ -3654,7 +3865,7 @@ return bytes_processed; } - if ((SegsToFlush(st) == 1) && !(st->flags & TF_FORCE_FLUSH)) + if (!DataToFlush(st) && !(st->flags & TF_FORCE_FLUSH)) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "only 1 packet in seglist no need to flush\n");); @@ -3664,18 +3875,18 @@ //PrintSeglist(st); #ifdef SUP_IP6 - if(sfip_family(sip) == AF_INET) + if(sfip_family(sip) == AF_INET) { return _flush_to_seq_4(tcpssn, st, bytes, p, sip, dip, sp, dp, dir); } return _flush_to_seq_6(tcpssn, st, bytes, p, sip, dip, sp, dp, dir); - + #else PREPROC_PROFILE_START(s5TcpFlushPerfStats); if ( htons(sp) == p->sp ) enc_flags |= ENC_FLAG_FWD; - Encode_Format(enc_flags, p, s5_pkt); + Encode_Format(enc_flags, p, s5_pkt, PSEUDO_PKT_TCP); s5_pkt_end = s5_pkt->data + s5_pkt->max_dsize; 
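Review bot: The condition in `flush_to_seq` changed from `SegsToFlush(st) == 1` to `!DataToFlush(st)`, but the debug message on the next line still reads "only 1 packet in seglist no need to flush", which no longer describes the test; `"no flushable data in seglist, skipping flush\n"` would match the new predicate. The function begins in the previous hunk and continues beyond this one.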
@@ -3686,50 +3897,55 @@ else ((TCPHdr *)s5_pkt->tcph)->th_seq = htonl(st->seglist_base_seq); + // TBD in ips mode, these should be coming from current packet (tdb) ((TCPHdr *)s5_pkt->tcph)->th_ack = htonl(st->l_unackd); ((TCPHdr *)s5_pkt->tcph)->th_win = htons((uint16_t)st->l_window); + // if not specified, set bytes to flush to what was acked + if ( !bytes && SEQ_GT(st->r_win_base, st->seglist_base_seq) ) + bytes = st->r_win_base - st->seglist_base_seq; stop_seq = st->seglist_base_seq + bytes; do { - base_seq = st->seglist_base_seq; + base_seq = st->seglist_base_seq; footprint = stop_seq - base_seq; // FIXTHIS is this check redundant? should delete // cuz FlushStream() should catch any issues - if(footprint <= 0) + if(footprint <= 0) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Negative footprint, bailing %d (0x%X - 0x%X)\n", + "Negative footprint, bailing %d (0x%X - 0x%X)\n", footprint, stop_seq, base_seq);); PREPROC_PROFILE_END(s5TcpFlushPerfStats); return bytes_processed; } -#ifdef DEBUG +#ifdef DEBUG_STREAM5 if(footprint < st->seg_bytes_logical) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Footprint less than queued bytes, " - "win_base: 0x%X base_seq: 0x%X\n", + "win_base: 0x%X base_seq: 0x%X\n", stop_seq, base_seq);); } #endif - if(footprint > STREAM_MAX_PACKET) + if(footprint > s5_pkt->max_dsize) { /* this is as much as we can pack into a stream buffer */ - footprint = STREAM_MAX_PACKET; + footprint = s5_pkt->max_dsize; + stop_seq = st->seglist_base_seq + footprint; } STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Attempting to flush %lu bytes\n", footprint);); /* setup the pseudopacket payload */ - flushed_bytes = FlushStream(st, stop_seq, (uint8_t *)s5_pkt->data, s5_pkt_end); + flushed_bytes = FlushStream(p, st, stop_seq, (uint8_t *)s5_pkt->data, s5_pkt_end); if(flushed_bytes == -1) { 
@@ -3743,7 +3959,7 @@ purge_all(st); } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X\n", stop_seq);); st->seglist_base_seq = stop_seq; @@ -3757,7 +3973,7 @@ break; } - s5_pkt->packet_flags = (PKT_REBUILT_STREAM|PKT_STREAM_EST); + s5_pkt->packet_flags |= (PKT_REBUILT_STREAM|PKT_STREAM_EST); s5_pkt->dsize = (uint16_t)flushed_bytes; Encode_Update(s5_pkt); @@ -3785,33 +4001,25 @@ if (st->flags & TF_MISSING_PKT) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X (gap)\n", st->gap_seq);); st->seglist_base_seq = st->gap_seq; } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "setting st->seglist_base_seq to 0x%X\n", stop_seq);); st->seglist_base_seq = stop_seq; } - if(s5_global_eval_config->flags & STREAM5_CONFIG_SHOW_PACKETS) - { - //ClearDumpBuf(); - printf("+++++++++++++++++++Stream Packet+++++++++++++++++++++\n"); - PrintIPPkt(stdout, IPPROTO_TCP, s5_pkt); - printf("+++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); - //ClearDumpBuf(); - } - - s5stats.tcp_rebuilt_packets++; + ShowRebuiltPacket(s5_pkt); + s5stats.tcp_rebuilt_packets++; PREPROC_PROFILE_TMPEND(s5TcpFlushPerfStats); { int event, tmp_do_detect, tmp_do_detect_content; PROFILE_VARS; - + PREPROC_PROFILE_START(s5TcpProcessRebuiltPerfStats); tmp_do_detect = do_detect; tmp_do_detect_content = do_detect_content; @@ -3819,6 +4027,7 @@ SnortEventqPush(); event = Preprocess(s5_pkt); SnortEventqPop(); + DetectReset((uint8_t *)s5_pkt->data, s5_pkt->dsize); do_detect = tmp_do_detect; do_detect_content = tmp_do_detect_content; 
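Review bot: `s5_pkt->packet_flags |= (PKT_REBUILT_STREAM|PKT_STREAM_EST)` now accumulates into whatever the pseudo-packet already carries, and s5_pkt looks like a buffer reused across flushes (it is re-formatted by `Encode_Format(enc_flags, p, s5_pkt, PSEUDO_PKT_TCP)` in the -3664 hunk on the previous line). Unless Encode_Format resets packet_flags on every call, bits left by an earlier rebuilt packet, or set by a preprocessor during the `Preprocess(s5_pkt)` call further down this hunk, survive into the next rebuilt packet. If keeping flags that Encode_Format sets is the intent, say so at the line: `// keep flags set by Encode_Format; add the rebuilt-stream markers`; otherwise clear the stale bits explicitly before or-ing. The enclosing function starts and ends outside the hunk.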
@@ -3833,11 +4042,10 @@ /* Reset alert tracking after flushing rebuilt packet */ - } while (!(st->flags & TF_MISSING_PKT) && (SegsToFlush(st) > 1)); + } while (!(st->flags & TF_MISSING_PKT) && DataToFlush(st)); - /* Grab the next random flush point */ - // FIXTHIS should we get next random flush pt per flush or per session? - //UpdateFlushMgr(&st->flush_mgr); + if ( st->tcp_policy ) + UpdateFlushMgr(&st->flush_mgr, &st->tcp_policy->flush_point_list); /* tell them how many bytes we processed */ PREPROC_PROFILE_END(s5TcpFlushPerfStats); @@ -3845,16 +4053,19 @@ #endif } -static INLINE int flush_ackd( - TcpSession *tcpssn, StreamTracker *st, Packet *p, +static inline int flush_ackd( + TcpSession *tcpssn, StreamTracker *st, Packet *p, snort_ip_p sip, snort_ip_p dip, uint16_t sp, uint16_t dp, uint32_t dir) { uint32_t bytes = get_q_footprint(st); return flush_to_seq(tcpssn, st, bytes, p, sip, dip, sp, dp, dir); } - -static INLINE int flush_stream( - TcpSession *tcpssn, StreamTracker *st, Packet *p, + +// FIXTHIS flush_stream() calls should be replaced with calls to +// CheckFlushPolicyOn*() with the exception that for the *OnAck() case, +// any available ackd data must be flushed in both directions. +static inline int flush_stream( + TcpSession *tcpssn, StreamTracker *st, Packet *p, snort_ip_p sip, snort_ip_p dip, uint16_t sp, uint16_t dp, uint32_t dir) { #ifdef NORMALIZER @@ -3866,10 +4077,12 @@ #endif return flush_ackd(tcpssn, st, p, sip, dip, sp, dp, dir); } - -static INLINE unsigned int getSegmentFlushSize( + +static inline unsigned int getSegmentFlushSize( + StreamTracker* st, StreamSegment *ss, uint32_t base_seq, + uint32_t to_seq, unsigned int flushBufSize ) { 
@@ -3879,6 +4092,12 @@ if(((ss->seq - base_seq) + flushSize) > flushBufSize) flushSize = flushBufSize - (ss->seq - base_seq); +#ifdef ENABLE_PAF + // copy only to flush point + if ( s5_paf_active(&st->paf_state) && SEQ_GT(ss->seq + flushSize, to_seq) ) + flushSize = to_seq - ss->seq; +#endif + #if 0 printf("FLUSHSZ=%u, base=%u, seq=%u, diff=%d\n", flushSize, base_seq, ss->seq, (int)ss->seq - (int)base_seq); @@ -3891,14 +4110,14 @@ * flush the client seglist up to the most recently acked segment */ static int FlushStream( - StreamTracker *st, uint32_t toSeq, uint8_t *flushbuf, const uint8_t *flushbuf_end) + Packet* p, StreamTracker *st, uint32_t toSeq, uint8_t *flushbuf, + const uint8_t *flushbuf_end) { StreamSegment *ss = NULL, *seglist; uint32_t base_seq; uint16_t bytes_flushed = 0; + uint16_t bytes_skipped = 0; uint32_t bytes_queued = st->seg_bytes_logical; - uint32_t last = 0; - uint32_t last_seq = 0; uint32_t segs = 0; uint32_t flushbuf_size = flushbuf_end - flushbuf; int ret; @@ -3916,21 +4135,9 @@ base_seq = seglist->seq; -#ifdef DEBUG_STREAM5 - for(ss = seglist; ss; ss = ss->next) - { - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "seq: 0x%X offset: %d size: %d delta: %d\n", ss->seq, - ss->seq-base_seq, ss->size, (ss->seq-base_seq) - last);); - last = ss->seq-base_seq; - } /* Uh, need to reset these here */ - last = 0; -#endif - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Flushing stream, starting seq %X, toSeq: %X " - "base_seq: %X seglist: %p seglist->seq: %X\n", + "base_seq: %X seglist: %p seglist->seq: %X\n", base_seq, toSeq, base_seq, seglist, seglist->seq);); st->flags &= ~TF_MISSING_PKT; 
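Review bot: The PAF clamp `flushSize = to_seq - ss->seq;` is only correct when `ss->seq` lies before `to_seq`; for a segment at or past `to_seq` the guard `SEQ_GT(ss->seq + flushSize, to_seq)` still holds and the unsigned subtraction wraps to a huge flushSize. The loop in FlushStream that calls this (not visible here) presumably never hands over such a segment, but getSegmentFlushSize does not state that precondition. Either document it in the comment, or make the clamp self-contained: `if ( s5_paf_active(&st->paf_state) && SEQ_LT(ss->seq, to_seq) && SEQ_GT(ss->seq + flushSize, to_seq) )`. getSegmentFlushSize begins outside this hunk.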
@@ -3947,14 +4154,11 @@ { unsigned int bytes_to_copy; - if ( ss->buffered ) - continue; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "seq: 0x%X offset: %d size: %d\n", ss->seq, + "seq: 0x%X offset: %d size: %d\n", ss->seq, ss->seq-base_seq, ss->size);); - bytes_to_copy = getSegmentFlushSize(ss, base_seq, flushbuf_size); + bytes_to_copy = getSegmentFlushSize(st, ss, base_seq, toSeq, flushbuf_size); /* Check for a gap/missing packet */ if ((ss->next && (ss->seq + ss->size != ss->next->seq)) || @@ -3972,32 +4176,25 @@ } STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "s: %p e: %p dlt: %lu off: %d d: %p sz: %d\n", - flushbuf, flushbuf_end, flushbuf_size, + "s: %p e: %p dlt: %lu off: %d d: %p sz: %d\n", + flushbuf, flushbuf_end, flushbuf_size, ss->seq-base_seq, ss->payload, ss->size);); - if(ss->urg_offset) + if(ss->urg_offset == 1) { - unsigned int bytes_to_copy_before; - unsigned int bytes_to_copy_after; - - /* - * have to hop over the byte pointed to by the urg ptr - * - * TODO fix this to not copy in the URG pointer data. Need - * a few PCAPs to test with. Need to track urg_pointer - * offsets to adjust true seq to correct value, sans UrgP - * data. + /* if urg_offset is set, seq + urg_offset is seq # of octet + * in stream following the last urgent octet. all preceding + * octets in segment are considered urgent. this code will + * skip over the urgent data when flushing. */ - bytes_to_copy_before = MIN((int)(bytes_to_copy), (MAX(ss->urg_offset,1)-1)); - - bytes_to_copy_after = MAX((bytes_to_copy - bytes_to_copy_before), (1)) - 1; + unsigned int non_urgent_bytes = + ss->urg_offset < bytes_to_copy ? (bytes_to_copy - ss->urg_offset) : 0; - if (bytes_to_copy_before) + if ( non_urgent_bytes ) { - ret = SafeMemcpy(flushbuf+(ss->seq-base_seq), ss->payload, - bytes_to_copy_before, flushbuf, flushbuf_end); + ret = SafeMemcpy(flushbuf, ss->payload+ss->urg_offset, + non_urgent_bytes, flushbuf, flushbuf_end); if (ret == SAFEMEM_ERROR) { 
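Review bot: The new comment describes the general urgent-pointer rule (`seq + urg_offset` is the first non-urgent octet, all preceding octets are urgent), but the branch only runs for `ss->urg_offset == 1`, so a segment recorded with a larger urg_offset is copied verbatim, urgent octets included. If skipping only the one-octet case is deliberate, the comment should say so, e.g. `/* only the single-octet urgent case is skipped; larger urg_offset values are flushed as ordinary data */`; if not, the test should be `if(ss->urg_offset)` and `non_urgent_bytes` already handles the general case. How urg_offset is derived is in AddStreamNode, whose urgent-pointer handling is cut off at the end of the -5467 hunk on a later line.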
@@ -4005,28 +4202,16 @@ "ERROR writing flushbuf attempting to " "write flushbuf out of range!\n");); } - } - - if (bytes_to_copy_after) - { - ret = SafeMemcpy(flushbuf+(ss->seq-base_seq+(uint32_t)ss->urg_offset), - ss->payload+ss->urg_offset+1, - bytes_to_copy_after, flushbuf, flushbuf_end); + else + flushbuf += non_urgent_bytes; - if (ret == SAFEMEM_ERROR) - { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "ERROR writing flushbuf attempting to " - "write flushbuf out of range!\n");); - } + bytes_skipped += ss->urg_offset; } - - last = bytes_to_copy - 1; } else { - ret = SafeMemcpy(flushbuf+(ss->seq-base_seq), ss->payload, - bytes_to_copy, flushbuf, flushbuf_end); + ret = SafeMemcpy(flushbuf, ss->payload, + bytes_to_copy, flushbuf, flushbuf_end); if (ret == SAFEMEM_ERROR) { @@ -4034,17 +4219,37 @@ "ERROR writing flushbuf attempting to " "write flushbuf out of range!\n");); } - - last = bytes_to_copy; + else + flushbuf += bytes_to_copy; } - last_seq = ss->seq; - if (bytes_to_copy < ss->size) + if (bytes_to_copy < ss->size) { - bytes_flushed += bytes_to_copy; - ss->seq = toSeq; - ss->size -= bytes_to_copy; - ss->payload += bytes_to_copy; + StreamSegment* sr = NULL; // right of ss + +#ifdef NORMALIZER + if ( Normalize_IsEnabled(snort_conf, NORM_TCP_IPS) && + DupStreamNode(p, st, ss, &sr) == STREAM_INSERT_OK ) + { + bytes_flushed += bytes_to_copy; + st->flush_count++; + + ss->buffered = SL_BUF_FLUSHED; + ss->size = bytes_to_copy; + + sr->seq = toSeq; + sr->size -= bytes_to_copy; + sr->payload += bytes_to_copy; + sr->data = sr->payload; + } + else +#endif + { + bytes_flushed += bytes_to_copy; + ss->seq = toSeq; + ss->size -= bytes_to_copy; + ss->payload += bytes_to_copy; + } } else { 
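Review bot: With `flushbuf` now advanced cumulatively (`flushbuf += non_urgent_bytes;` and `flushbuf += bytes_to_copy;`) instead of indexed by `ss->seq - base_seq`, a SafeMemcpy failure is no longer harmless: the debug message prints, `flushbuf` stays put, but `bytes_flushed += bytes_to_copy` in the segment bookkeeping below still runs, so every later segment lands at the wrong offset and the returned length covers bytes that were never written. The payload handed to detection would then be misaligned or include stale buffer contents. Stopping the walk keeps the count honest: add `break;` after the debug message in both SAFEMEM_ERROR branches (the -4005 and -4034 hunks on this line) so FlushStream returns only what it actually copied. FlushStream's loop starts and ends outside these hunks.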
@@ -4062,30 +4267,15 @@ break; } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "flushed %d bytes on session (%lu)!\n", bytes_flushed, - last_seq - base_seq + last);); - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");); - -#ifdef DEBUG -// PrintHexDump(flushbuf, (last_seq - base_seq) + last, stdout); -#endif - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");); - bytes_queued -= bytes_flushed; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "flushed %d bytes on stream, %d still queued, " - "%d segs flushed\n", - bytes_flushed, bytes_queued, segs);); + "flushed %d bytes / %d segs on stream, " + "skipped %d bytes, %d still queued\n", + bytes_flushed, segs, bytes_skipped, bytes_queued);); - //return (last_seq - base_seq) + last; PREPROC_PROFILE_END(s5TcpBuildPacketPerfStats); - return bytes_flushed; + return bytes_flushed - bytes_skipped; } int Stream5FlushServer(Packet *p, Stream5LWSession *lwssn) @@ -4138,7 +4328,7 @@ int flushed; TcpSession *tcpssn = NULL; StreamTracker *flushTracker = NULL; - + if (lwssn->proto_specific_data) tcpssn = (TcpSession *)lwssn->proto_specific_data->data; @@ -4195,7 +4385,7 @@ * looked at it, so the packet_flags are already set. */ if(p->packet_flags & PKT_FROM_SERVER) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Flushing listener on packet from server\n");); listener = &tcpssn->client; /* dir of flush is the data from the opposite side */ @@ -4203,7 +4393,7 @@ } else if (p->packet_flags & PKT_FROM_CLIENT) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Flushing listener on packet from client\n");); listener = &tcpssn->server; /* dir of flush is the data from the opposite side */ 
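Review bot: `return bytes_flushed - bytes_skipped;` is an int expression over two uint16_t counters, and the caller treats -1 as the error sentinel (`if(flushed_bytes == -1)` in the -3686 hunk earlier) before storing `(uint16_t)flushed_bytes` into dsize. If `bytes_skipped` ever exceeds `bytes_flushed` by one — a segment whose `bytes_to_copy` is 0 but whose urg_offset is 1 still adds to bytes_skipped — a normal flush is reported as an error, and larger differences become huge dsize values. Whether that input is reachable depends on the loop bounds outside the hunk; a cheap guard is `return bytes_skipped < bytes_flushed ? bytes_flushed - bytes_skipped : 0;`. Separately, `segs` and `bytes_queued` are uint32_t but are printed with `%d` in the new debug message; `%u` matches.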
@@ -4243,7 +4433,7 @@ * looked at it, so the packet_flags are already set. */ if(p->packet_flags & PKT_FROM_SERVER) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Flushing talker on packet from server\n");); talker = &tcpssn->server; /* dir of flush is the data from the opposite side */ @@ -4251,7 +4441,7 @@ } else if (p->packet_flags & PKT_FROM_CLIENT) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Flushing talker on packet from client\n");); talker = &tcpssn->client; /* dir of flush is the data from the opposite side */ 
@@ -4278,6 +4468,60 @@ return GetLWSessionFromKey(tcp_lws_cache, key); } +static void TcpSessionClear (Stream5LWSession* lwssn, TcpSession* tcpssn) +{ + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "In TcpSessionClear, %lu bytes in use\n", mem_in_use);); + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "client has %d segs queued\n", tcpssn->client.seg_count);); + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "server has %d segs queued\n", tcpssn->server.seg_count);); + + // update stats + s5stats.tcp_streamtrackers_released++; + Stream5UpdatePerfBaseState(&sfBase, tcpssn->lwssn, TCP_STATE_CLOSED); + RemoveStreamSession(&sfBase); + + if (lwssn->session_flags & SSNFLAG_PRUNED) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_PRUNED); + } + else if (lwssn->session_flags & SSNFLAG_TIMEDOUT) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_TIMEDOUT); + } + else + { + CloseStreamSession(&sfBase, SESSION_CLOSED_NORMALLY); + } + + // release external state + FreeLWApplicationData(lwssn); + Stream5ResetFlowBits(lwssn); + + // release internal protocol specific state + purge_all(&tcpssn->client); + purge_all(&tcpssn->server); + + s5_paf_clear(&tcpssn->client.paf_state); + s5_paf_clear(&tcpssn->server.paf_state); + + mempool_free(&tcp_session_mempool, lwssn->proto_specific_data); + lwssn->proto_specific_data = NULL; + + // update light-weight state + lwssn->session_flags = SSNFLAG_NONE; + lwssn->session_state = STREAM5_STATE_NONE; + lwssn->expire_time = 0; + lwssn->ignore_direction = 0; + + // generate event for rate filtering + EventInternal(INTERNAL_EVENT_SESSION_DEL); + + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "After cleaning, %lu bytes in use\n", mem_in_use);); +} + void TcpSessionCleanup(Stream5LWSession *lwssn) { DAQ_PktHdr_t tmp_pcap_hdr; @@ -4318,6 +4562,7 @@ SnortEventqPush(); (*grinder)(&p, &tmp_pcap_hdr, tcpssn->client.seglist->pktOrig + SPARC_TWIDDLE); + p.ssnptr = lwssn; //set policy id for this packet 
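Review bot: TcpSessionClear frees the block that `tcpssn` points into — `tcpssn` is `lwssn->proto_specific_data->data` (see the -4138 hunk on the previous line) and `mempool_free(&tcp_session_mempool, lwssn->proto_specific_data)` returns it to the pool — so `tcpssn` is dangling from that line on, while the trailing debug message reads only `mem_in_use`. Nothing documents that for callers, and Stream5TcpBlockPacket (the -5312 hunk on a later line) calls it from the middle of packet processing with `ssn` still in scope. A header comment would make the contract explicit: `/* Releases all TCP-specific state of lwssn, including the TcpSession itself; tcpssn must not be used after this returns. Resets lwssn->session_flags, so callers that need flags must set them afterwards. */`.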
@@ -4335,20 +4580,27 @@ sfActionQueueExecAll(decoderActionQ); } SnortEventqPop(); - tcpssn->client.flags |= TF_FORCE_FLUSH; + if ( !p.tcph ) + { + flushed = 0; + } + else + { + // FIXTHIS can use srcIp and dstIp from above #ifdef SUP_IP6 - flushed = flush_stream(tcpssn, &tcpssn->client, &p, - p.iph_api->iph_ret_src(&p), p.iph_api->iph_ret_dst(&p), + flushed = flush_stream(tcpssn, &tcpssn->client, &p, + p.iph_api->iph_ret_src(&p), p.iph_api->iph_ret_dst(&p), p.tcph->th_sport, p.tcph->th_dport, PKT_FROM_SERVER); #else - flushed = flush_stream(tcpssn, &tcpssn->client, &p, + flushed = flush_stream(tcpssn, &tcpssn->client, &p, p.iph->ip_src.s_addr, p.iph->ip_dst.s_addr, p.tcph->th_sport, p.tcph->th_dport, PKT_FROM_SERVER); #endif + } if (flushed) purge_ackd(tcpssn, &tcpssn->client); else @@ -4390,21 +4642,28 @@ sfActionQueueExecAll(decoderActionQ); } SnortEventqPop(); - p.ssnptr = lwssn; - tcpssn->server.flags |= TF_FORCE_FLUSH; + + if ( !p.tcph ) + { + flushed = 0; + } + else + { + // FIXTHIS can use srcIp and dstIp from above #ifdef SUP_IP6 - flushed = flush_stream(tcpssn, &tcpssn->server, &p, - p.iph_api->iph_ret_src(&p), p.iph_api->iph_ret_dst(&p), + flushed = flush_stream(tcpssn, &tcpssn->server, &p, + p.iph_api->iph_ret_src(&p), p.iph_api->iph_ret_dst(&p), p.tcph->th_sport, p.tcph->th_dport, PKT_FROM_CLIENT); #else - flushed = flush_stream(tcpssn, &tcpssn->server, &p, + flushed = flush_stream(tcpssn, &tcpssn->server, &p, p.iph->ip_src.s_addr, p.iph->ip_dst.s_addr, p.tcph->th_sport, p.tcph->th_dport, PKT_FROM_CLIENT); #endif + } if (flushed) purge_ackd(tcpssn, &tcpssn->server); else 
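Review bot: The client and server flush blocks in the -4335 and -4390 hunks are now line-for-line identical apart from the tracker and direction (`&tcpssn->client`/`PKT_FROM_SERVER` versus `&tcpssn->server`/`PKT_FROM_CLIENT`), including the new `if ( !p.tcph )` guard and the `#ifdef SUP_IP6` address selection. A small static helper taking `(tcpssn, tracker, &p, dir)` would remove the duplication and stop the `!p.tcph` check from drifting between the two copies. TcpSessionCleanup begins and ends outside these hunks.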
@@ -4424,50 +4683,7 @@ } } - /* Purge the sequence lists */ - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "In TcpSessionCleanup, %lu bytes in use\n", mem_in_use);); - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "client has %d segs queued\n", tcpssn->client.seg_count);); - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "server has %d segs queued\n", tcpssn->server.seg_count);); - - purge_all(&tcpssn->client); - purge_all(&tcpssn->server); - - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "After cleaning, %lu bytes in use\n", mem_in_use);); - - Stream5UpdatePerfBaseState(&sfBase, tcpssn->lwssn, TCP_STATE_CLOSED); - if (lwssn->session_flags & SSNFLAG_PRUNED) - { - CloseStreamSession(&sfBase, SESSION_CLOSED_PRUNED); - } - else if (lwssn->session_flags & SSNFLAG_TIMEDOUT) - { - CloseStreamSession(&sfBase, SESSION_CLOSED_TIMEDOUT); - } - else - { - CloseStreamSession(&sfBase, SESSION_CLOSED_NORMALLY); - } - - /* Cleanup the proto specific data */ - mempool_free(&tcp_session_mempool, lwssn->proto_specific_data); - lwssn->proto_specific_data = NULL; - lwssn->session_flags = SSNFLAG_NONE; - lwssn->session_state = STREAM5_STATE_NONE; - lwssn->expire_time = 0; - lwssn->ignore_direction = 0; - - Stream5ResetFlowBits(lwssn); - - FreeLWApplicationData(lwssn); - - s5stats.tcp_streamtrackers_released++; - RemoveStreamSession(&sfBase); - - EventInternal(INTERNAL_EVENT_SESSION_DEL); + TcpSessionClear(lwssn, tcpssn); } #ifdef SUP_IP6 @@ -4507,7 +4723,7 @@ return policy; } -#ifdef TARGET_BASED +#ifdef TARGET_BASED #define PRE_SESSION_CLEANUP_TARGET(lwssn) \ app_proto_id = lwssn->application_protocol; #else 
@@ -4584,33 +4800,31 @@ static void TraceEvent ( const TCPHdr* h, TcpDataBlock* tdb, uint32_t txd, uint32_t rxd, uint32_t len ) { - static unsigned pkt = 1; - int i; char flags[7] = "UAPRSF"; - for ( i = 0; i < 6; i++) - if ( !((1<<(5-i)) & h->th_flags) ) flags[i] = '-'; + for ( i = 0; i < 6; i++) + if ( !((1<<(5-i)) & h->th_flags) ) flags[i] = '-'; // force relative ack to zero if not conveyed if ( flags[1] != 'A' ) rxd = ntohl(h->th_ack); fprintf(stdout, - "\n%-3u %s=0x%02x Seq=%-4u Ack=%-4u Win=%-4u Len=%-4u\n", - //"\n%-3u %s=0x%02x Seq=%-4u Ack=%-4u Win=%-4u Len=%-4u End=%-4u\n", - pkt++, flags, h->th_flags, + "\n" FMTu64("-3") " %s=0x%02x Seq=%-4u Ack=%-4u Win=%-4u Len=%-4u\n", + //"\n" FMTu64("-3") " %s=0x%02x Seq=%-4u Ack=%-4u Win=%-4u Len=%-4u End=%-4u\n", + pc.total_from_daq, flags, h->th_flags, ntohl(h->th_seq)-txd, ntohl(h->th_ack)-rxd, ntohs(h->th_win), len //ntohs(h->th_win), len, tdb->end_seq-txd - ); + ); } -static void TraceSession (const Stream5LWSession* lws) +static void TraceSession (const Stream5LWSession* lws) { fprintf(stdout, " LWS: ST=0x%x SF=0x%x CP=%u SP=%u\n", (unsigned)lws->session_state, lws->session_flags, (unsigned)ntohs(lws->client_port), (unsigned)ntohs(lws->server_port) - ); + ); } static const char* statext[] = { @@ -4619,7 +4833,14 @@ }; static const char* flushxt[] = { - "NON", "FPR", "LOG", "RSP", "SLW", "CON", "IGN" + "NON", "FPR", "LOG", "RSP", "SLW", +#if 0 + "CON", +#endif + "IGN", "PRO", +#ifdef NORMALIZER + "PRE", "PAF" +#endif }; static void TraceState ( @@ -4641,7 +4862,7 @@ ); fprintf(stdout, "\n"); fprintf(stdout, - " FP=%s:%-4u SC=%-4u FL=%-4u SL=%-5u BS=%-4u", + " FP=%s:%-4u SC=%-4u FL=%-4u SL=%-5u BS=%-4u", flushxt[a->flush_mgr.flush_policy], a->flush_mgr.flush_pt, a->seg_count, a->flush_count, a->seg_bytes_logical, a->seglist_base_seq - b->isn 
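Review bot: `flushxt[]` is indexed directly by `a->flush_mgr.flush_policy` in TraceState (the -4641 hunk on this line), and its layout is now conditional: `"CON"` is compiled out under `#if 0` and `"PRE", "PAF"` exist only under NORMALIZER. If the flush-policy enum does not shrink and grow in exactly the same way (it is not visible here), the lookup reads past the array or prints the wrong policy name in the trace. Either comment each entry with the enum constant it stands for, or bound the index: `flush_policy < sizeof(flushxt)/sizeof(flushxt[0]) ? flushxt[flush_policy] : "???"`.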
@@ -4690,10 +4911,10 @@ static int s5_trace_enabled = -1; -static INLINE void S5TraceTCP ( +static inline void S5TraceTCP ( const Packet* p, const Stream5LWSession* lws, TcpDataBlock* tdb, int event ) { - if ( !s5_trace_enabled ) + if ( !s5_trace_enabled ) return; if ( s5_trace_enabled < 0 ) @@ -4736,6 +4957,32 @@ PREPROC_PROFILE_START(s5TcpPerfStats); + if ( lwssn && + (lwssn->session_flags & (SSNFLAG_DROP_CLIENT|SSNFLAG_DROP_SERVER))) + { + /* Got a packet on a session that was dropped (by a rule). */ + GetLWPacketDirection(p, lwssn); + + /* Drop this packet */ + if (((p->packet_flags & PKT_FROM_SERVER) && + (lwssn->session_flags & SSNFLAG_DROP_SERVER)) || + ((p->packet_flags & PKT_FROM_CLIENT) && + (lwssn->session_flags & SSNFLAG_DROP_CLIENT))) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Blocking %s packet as session was blocked\n", + p->packet_flags & PKT_FROM_SERVER ? + "server" : "client");); + DisableDetect(p); + /* Still want to add this number of bytes to totals */ + SetPreprocBit(p, PP_PERFMONITOR); + NormalDropPacket(p); // already alerted +#ifdef ACTIVE_RESPONSE + Stream5ActiveResponse(p, lwssn); +#endif + return ACTION_NOTHING; + } + } if (s5TcpPolicy == NULL) { /* Find an Tcp policy for this packet */ @@ -4747,7 +4994,7 @@ if (!s5TcpPolicy) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "[Stream5] Could not find Tcp Policy context " "for IP %s\n", inet_ntoa(GET_DST_ADDR(p)));); PREPROC_PROFILE_END(s5TcpPerfStats); @@ -4759,7 +5006,7 @@ STREAM5_CONFIG_IGNORE_ANY)) == PORT_MONITOR_PACKET_DISCARD) { //ignore the packet - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "[Stream5] %s:%d -> %s:%d Packet discarded due to port filtering\n", inet_ntoa(GET_SRC_ADDR(p)),p->sp,inet_ntoa(GET_DST_ADDR(p)),p->dp);); 
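Review bot: The new drop-on-blocked-session block returns `ACTION_NOTHING` after `PREPROC_PROFILE_START(s5TcpPerfStats)` has already run at the top of the -4736 hunk, without the `PREPROC_PROFILE_END(s5TcpPerfStats)` that the function's other early exits perform (see the policy-lookup failure in the -4747 hunk on this line). Under profiling builds that leaves the s5Tcp timer open for every packet dropped this way. Add `PREPROC_PROFILE_END(s5TcpPerfStats);` immediately before `return ACTION_NOTHING;`. Stream5ProcessTcp starts and ends outside the hunk.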
@@ -4811,7 +5058,7 @@ "Handshake, but failed to retrieve session object " "for non SYN packet. Dropped SYN or hacker?\n");); - /* + /* * Do nothing with this packet since we require a 3-way. * Wow that just sounds cool... Require a 3-way. Hehe. */ @@ -4838,7 +5085,7 @@ lwssn = NewLWSession(tcp_lws_cache, p, skey, (void *)s5TcpPolicy); s5stats.total_tcp_sessions++; } - else if ((Stream5PacketHasWscale(p) & TF_WSCALE) && + else if ((s5_tcp_eval_config->session_on_syn || (Stream5PacketHasWscale(p) & TF_WSCALE)) && TCP_ISFLAGSET(p->tcph, TH_SYN)) { /* If we have a wscale option, need to save the @@ -4851,7 +5098,7 @@ { /* No data, no need to create session yet */ /* This is done to handle SYN flood DoS attacks */ -#ifdef DEBUG +#ifdef DEBUG_STREAM5 if (TCP_ISFLAGSET(p->tcph, TH_SYN)) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -5074,7 +5321,7 @@ return Stream5GetWscale(p, &wscale); } -static INLINE int IsWellFormed(Packet *p, StreamTracker *ts) +static inline int IsWellFormed(Packet *p, StreamTracker *ts) { return ( p->dsize <= ts->mss ); } @@ -5094,19 +5341,24 @@ server->l_window = tdb->win; /* set initial server window */ server->l_unackd = tdb->seq + 1; - server->l_nxt_seq = server->l_unackd + 1; + server->l_nxt_seq = server->l_unackd; server->isn = tdb->seq; client->r_nxt_ack = tdb->end_seq; client->r_win_base = tdb->end_seq; - client->seglist_base_seq = server->l_unackd; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seglist_base_seq = %X\n", client->seglist_base_seq);); if (!(ssn->lwssn->session_state & STREAM5_STATE_MIDSTREAM)) + { server->s_mgr.state = TCP_STATE_SYN_RCVD; - + client->seglist_base_seq = server->l_unackd; + } + else + { + client->seglist_base_seq = tdb->seq; + } server->flags |= Stream5GetTcpTimestamp(p, &server->ts_last, 0); if (server->ts_last == 0) server->flags |= TF_TSTAMP_ZERO; 
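Review bot: `s5_tcp_eval_config->session_on_syn` now lets a bare SYN create a session regardless of the window-scale heuristic, while the comment on the no-session branch a few lines below still says that default exists `/* to handle SYN flood DoS attacks */`. That trade-off deserves a note at the new condition so the option is not enabled casually, e.g. `/* session_on_syn trades SYN-flood resistance for earlier tracking: every unanswered SYN now allocates a session */`. Stream5ProcessTcp is cut off at both ends of the -4838 hunk.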
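Review bot: In the -5094 hunk the debug message `"seglist_base_seq = %X\n"` is now emitted before `client->seglist_base_seq` is assigned in the if/else that follows, so it prints whatever the field held before rather than the value just chosen. Move the `STREAM5_DEBUG_WRAP(...)` statement below the `else { client->seglist_base_seq = tdb->seq; }` block. The enclosing function starts and ends outside the hunk.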
@@ -5121,7 +5373,7 @@ } #ifdef OLD_CODE_NOLONGER_USED_DEPENDS_ON_CURRENT_STATE -static INLINE void QueueState(uint8_t transition, StreamTracker *st, +static inline void QueueState(uint8_t transition, StreamTracker *st, uint8_t expected_flags, uint32_t seq_num, uint8_t get_seq) { StateMgr *smgr = &st->s_mgr; @@ -5141,14 +5393,14 @@ return; } -static INLINE int EvalStateQueue(StreamTracker *sptr, uint8_t flags, +static inline int EvalStateQueue(StreamTracker *sptr, uint8_t flags, uint32_t ack) { StateMgr *smgr = &sptr->s_mgr; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Evaluating state queue!\n");); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "StreamTracker %p, flags 0x%X ack: 0x%X\n", sptr, flags, ack); PrintStateMgr(smgr);); @@ -5204,7 +5456,7 @@ } #endif -static INLINE int IgnoreLargePkt(StreamTracker *st, Packet *p, TcpDataBlock *tdb) +static inline int IgnoreLargePkt(StreamTracker *st, Packet *p, TcpDataBlock *tdb) { if((st->flush_mgr.flush_policy == STREAM_FLPOLICY_FOOTPRINT) && (st->tcp_policy->flags & STREAM5_CONFIG_PERFORMANCE)) @@ -5233,7 +5485,7 @@ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "In NewQueue\n");); - + PREPROC_PROFILE_START(s5TcpInsertPerfStats); if(st->flush_mgr.flush_policy != STREAM_FLPOLICY_IGNORE) @@ -5250,7 +5502,7 @@ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "segment overlaps ack'd data...\n");); overlap = st->seglist_base_seq - tdb->seq; - if(overlap >= p->dsize) + if(overlap >= p->dsize) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "full overlap on ack'd data, dropping segment\n");); 
@@ -5259,11 +5511,11 @@ } } - AddStreamNode(st, p, tdb->ts, tcpssn, p->dsize, 0, 0, tdb->seq, NULL, &ss); + AddStreamNode(st, p, tdb, tcpssn, p->dsize, 0, 0, tdb->seq, NULL, &ss); STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Attached new queue to seglist, %d bytes queued, " - "base_seq 0x%X\n", + "base_seq 0x%X\n", ss->size, st->seglist_base_seq);); } @@ -5271,7 +5523,7 @@ return; } -static INLINE StreamSegment *FindSegment(StreamTracker *st, uint32_t pkt_seq) +static inline StreamSegment *FindSegment(StreamTracker *st, uint32_t pkt_seq) { int32_t dist_head; int32_t dist_tail; @@ -5312,51 +5564,31 @@ void Stream5TcpBlockPacket(Packet *p) { - StreamSegment *ss; - StreamTracker *tracker; Stream5LWSession *lwssn; TcpSession *ssn; - uint32_t seq; if ((!p) || (!p->ssnptr)) return; - if (p->packet_flags & PKT_REBUILT_STREAM) - return; + lwssn = (Stream5LWSession *)p->ssnptr; - if (!(p->packet_flags & PKT_STREAM_INSERT)) + if (!lwssn->proto_specific_data) return; - lwssn = (Stream5LWSession *)p->ssnptr; - ssn = (TcpSession *)lwssn->proto_specific_data->data; if (!ssn) return; - seq = ntohl(p->tcph->th_seq); - - if (p->packet_flags & PKT_FROM_SERVER) - { - tracker = &ssn->client; - } - else - { - tracker = &ssn->server; - } - - ss = FindSegment(tracker, seq); + TcpSessionClear(lwssn, ssn); - if (ss) - { - ss->blocked = 1; - } + lwssn->session_flags |= (SSNFLAG_DROP_CLIENT|SSNFLAG_DROP_SERVER); } -static INLINE int SegmentFastTrack(StreamSegment *tail, TcpDataBlock *tdb) +static inline int SegmentFastTrack(StreamSegment *tail, TcpDataBlock *tdb) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Checking seq for fast track: %X > %X\n", tdb->seq, + "Checking seq for fast track: %X > %X\n", tdb->seq, tail->seq + tail->size);); if(SEQ_EQ(tdb->seq, tail->seq + tail->size)) @@ -5393,7 +5625,7 @@ } static int AddStreamNode(StreamTracker *st, Packet *p, - uint32_t ts, + TcpDataBlock* tdb, TcpSession *tcpssn, int16_t len, uint32_t slide, 
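Review bot: Stream5TcpBlockPacket now tears down the whole session via `TcpSessionClear(lwssn, ssn)` and drops the `if (p->packet_flags & PKT_REBUILT_STREAM) return;` guard the old version had. If it can run while a rebuilt pseudo-packet is being evaluated — flush_to_seq calls `Preprocess(s5_pkt)` inside its do/while and afterwards reads `st->flags`, `DataToFlush(st)` and `st->tcp_policy` (the -3819 and -3833 hunks earlier) — purge_all and mempool_free would free the tracker that loop is still using. Whether s5_pkt carries an `ssnptr` is not visible here, so this needs confirming; if it does, either keep the rebuilt-packet guard or have flush_to_seq check the drop flags after Preprocess before touching `st`. Also, TcpSessionClear resets `lwssn->session_flags` to SSNFLAG_NONE, so the `|=` of the DROP flags must stay after it; a one-line comment there prevents a careless reorder: `// must follow TcpSessionClear(), which resets session_flags`.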
@@ -5416,9 +5648,9 @@ "(len: %d slide: %d trunc: %d)\n", len, slide, trunc);); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP_IPS); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); -#ifdef DEBUG_STREAM +#ifdef DEBUG_STREAM5 { StreamSegment *idx = st->seglist; unsigned long i = 0; @@ -5428,7 +5660,7 @@ { i++; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "%d ptr: %p seq: 0x%X size: %d nxt: %p prv: %p\n", + "%d ptr: %p seq: 0x%X size: %d nxt: %p prv: %p\n", i, idx, idx->seq, idx->size, idx->next, idx->prev);); if(st->seg_count < i) @@ -5451,7 +5683,7 @@ return STREAM_INSERT_ANOMALY; } #endif - + ss = (StreamSegment *) SegmentAlloc(sizeof(StreamSegment), p); ss->pktOrig = ss->pkt = (uint8_t *) SegmentAlloc(p->pkth->caplen + SPARC_TWIDDLE, p); @@ -5467,15 +5699,15 @@ ss->pkth.pktlen = p->pkth->pktlen; ss->data = ss->pkt + (p->data - p->pkt); + ss->orig_dsize = p->dsize; ss->payload = ss->data + slide; ss->size = (uint16_t)newSize; ss->seq = seq; - ss->ts = ts; - ss->cksum = p->tcph->th_sum; + ss->ts = tdb->ts; /* handle the urg ptr */ - if(p->tcph->th_flags & TH_URG) + if(p->tcph->th_flags & TH_URG) { if(ntohs(p->tcph->th_urp) < p->dsize) { @@ -5553,17 +5785,17 @@ ss->pkt += SPARC_TWIDDLE; ss->data = ss->pkt + (left->data - left->pkt); + ss->orig_dsize = left->orig_dsize; + /* * twiddle the values for overlaps */ ss->payload = ss->data; ss->size = left->size; ss->seq = left->seq; - ss->cksum = left->cksum; Stream5SeglistAddNode(st, left, ss); - //st->seg_bytes_logical += ss->size; - //st->seg_bytes_total += p->dsize; + st->seg_bytes_total += ss->caplen; st->total_segs_queued++; //st->total_bytes_queued += ss->size; 
@@ -5577,17 +5809,16 @@ } -static int StreamQueue(StreamTracker *st, Packet *p, TcpDataBlock *tdb, +static int StreamQueue(StreamTracker *st, Packet *p, TcpDataBlock *tdb, TcpSession *tcpssn) { StreamSegment *ss = NULL; StreamSegment *left = NULL; StreamSegment *right = NULL; StreamSegment *dump_me = NULL; - uint32_t orig_seq, seq = tdb->seq; + uint32_t seq = tdb->seq; uint32_t seq_end = tdb->end_seq; uint16_t len = p->dsize; - uint16_t reassembly_policy; int trunc = 0; int overlap = 0; int slide = 0; @@ -5596,6 +5827,10 @@ char addthis = 1; int32_t dist_head; int32_t dist_tail; + uint16_t reassembly_policy; +#ifdef NORMALIZER + int ips_data; +#endif PROFILE_VARS; STREAM5_DEBUG_WRAP( StreamSegment *lastptr = NULL; @@ -5603,9 +5838,17 @@ int last = 0; ); +#ifdef NORMALIZER + ips_data = Normalize_IsEnabled(snort_conf, NORM_TCP_IPS); + if ( ips_data ) + reassembly_policy = REASSEMBLY_POLICY_FIRST; + else +#endif + reassembly_policy = st->reassembly_policy; + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Queuing %d bytes on stream!\n" - "base_seq: %X seq: %X seq_end: %X\n", + "base_seq: %X seq: %X seq_end: %X\n", seq_end - seq, base_seq, seq, seq_end);); STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -5615,8 +5858,6 @@ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+\n");); - orig_seq = seq; - PREPROC_PROFILE_START(s5TcpInsertPerfStats); /* Check if we should not insert a large packet */ @@ -5635,10 +5876,10 @@ right = NULL; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Fast tracking segment! (tail_seq %X size %d)\n", + "Fast tracking segment! (tail_seq %X size %d)\n", st->seglist_tail->seq, st->seglist_tail->size);); - ret = AddStreamNode(st, p, tdb->ts, tcpssn, len, + ret = AddStreamNode(st, p, tdb, tcpssn, len, slide /* 0 */, trunc /* 0 */, seq, left /* tail */, &ss); 
@@ -5648,7 +5889,7 @@ if (st->seglist && st->seglist_tail) { - if (tdb->seq > st->seglist->seq) + if (SEQ_GT(tdb->seq, st->seglist->seq)) { dist_head = tdb->seq - st->seglist->seq; } @@ -5657,7 +5898,7 @@ dist_head = st->seglist->seq - tdb->seq; } - if (tdb->seq > st->seglist_tail->seq) + if (SEQ_GT(tdb->seq, st->seglist_tail->seq)) { dist_tail = tdb->seq - st->seglist_tail->seq; } @@ -5670,21 +5911,21 @@ { dist_head = dist_tail = 0; } - - if (dist_head <= dist_tail) + + if (SEQ_LEQ(dist_head, dist_tail)) { /* Start iterating at the head (left) */ for(ss = st->seglist; ss; ss = ss->next) { STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "ss: %p seq: 0x%X size: %lu delta: %d\n", + "ss: %p seq: 0x%X size: %lu delta: %d\n", ss, ss->seq, ss->size, (ss->seq-base_seq) - last); last = ss->seq-base_seq; lastptr = ss; DebugMessage(DEBUG_STREAM_STATE, - " lastptr: %p ss->next: %p ss->prev: %p\n", + " lastptr: %p ss->next: %p ss->prev: %p\n", lastptr, ss->next, ss->prev); ); @@ -5706,13 +5947,13 @@ { STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "ss: %p seq: 0x%X size: %lu delta: %d\n", + "ss: %p seq: 0x%X size: %lu delta: %d\n", ss, ss->seq, ss->size, (ss->seq-base_seq) - last); last = ss->seq-base_seq; lastptr = ss; DebugMessage(DEBUG_STREAM_STATE, - " lastptr: %p ss->next: %p ss->prev: %p\n", + " lastptr: %p ss->next: %p ss->prev: %p\n", lastptr, ss->next, ss->prev); ); @@ -5734,22 +5975,15 @@ "!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+\n");); STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "left: %p:0x%X right: %p:0x%X\n", left, + "left: %p:0x%X right: %p:0x%X\n", left, left?left->seq:0, right, right?right->seq:0);); -#ifdef NORMALIZER - if ( Normalize_IsEnabled(snort_conf, NORM_TCP_IPS) ) - reassembly_policy = REASSEMBLY_POLICY_IPS; - else -#endif - reassembly_policy = st->reassembly_policy; - /* * handle left overlaps */ if(left) { - /* + /* * check if the new segment overlaps on the left side */ overlap = left->seq + left->size - seq; 
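Review bot: `SEQ_LEQ(dist_head, dist_tail)` applies a sequence-number comparison to two values that are already distances (`dist_head`/`dist_tail` are declared `int32_t` in StreamQueue, -5596 hunk on the previous line), not raw sequence numbers; the SEQ_GT fixes at -5648 and -5657 are right because they compare seqs, but here a plain `if (dist_head <= dist_tail)` says what is meant. For the non-negative values these variables hold the two forms agree, so this is readability rather than behaviour.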
@@ -5775,6 +6009,28 @@ case REASSEMBLY_POLICY_MACOS: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring old data\n");); +#ifdef NORMALIZER + if ( ips_data ) + { + if (SEQ_LT(left->seq,tdb->seq) && SEQ_GT(left->seq + left->size, tdb->seq + p->dsize)) + { + unsigned offset = tdb->seq - left->seq; + memcpy((uint8_t*)p->data, left->payload+offset, p->dsize); + p->packet_flags |= PKT_MODIFIED; + normStats[PC_TCP_IPS_DATA]++; + sfBase.iPegs[PERF_COUNT_TCP_IPS_DATA]++; + } + else if (SEQ_LT(left->seq, tdb->seq)) + { + unsigned offset = tdb->seq - left->seq; + unsigned length = left->seq + left->size - tdb->seq; + memcpy((uint8_t*)p->data, left->payload+offset, length); + p->packet_flags |= PKT_MODIFIED; + normStats[PC_TCP_IPS_DATA]++; + sfBase.iPegs[PERF_COUNT_TCP_IPS_DATA]++; + } + } +#endif seq += overlap; slide = overlap; if(SEQ_LEQ(seq_end, seq)) @@ -5785,7 +6041,6 @@ /* flag an anomaly */ EventBadSegment(st->tcp_policy); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP_IPS); PREPROC_PROFILE_END(s5TcpInsertPerfStats); return STREAM_INSERT_ANOMALY; } @@ -5793,7 +6048,7 @@ case REASSEMBLY_POLICY_SOLARIS: case REASSEMBLY_POLICY_HPUX11: - if ((left->seq < seq) && (left->seq + left->size >= seq + len)) + if (SEQ_LT(left->seq, seq) && SEQ_GEQ(left->seq + left->size, seq + len)) { /* New packet is entirely overlapped by an * existing packet on both sides. Drop the @@ -5810,7 +6065,6 @@ /* flag an anomaly */ EventBadSegment(st->tcp_policy); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP_IPS); PREPROC_PROFILE_END(s5TcpInsertPerfStats); return STREAM_INSERT_ANOMALY; } 
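Review bot: In the added `ips_data` block the second branch's `length = left->seq + left->size - tdb->seq` is bounded by `p->dsize` only through the ordering of the two `if` conditions and through the `overlap > 0` precondition, which is computed against `seq` rather than `tdb->seq` and lies outside the hunk; if `seq` and `tdb->seq` can differ at this point, `length` (and `offset` into `left->payload`) can exceed both the packet and the segment. A guard that skips the copy when `length > p->dsize || offset + length > left->size`, or a comment stating the invariant that makes it unnecessary, would make the in-place rewrite of `p->data` auditable. Separately, this hunk and those at -5785, -5810, -5912 (L8641), -6117 (L8645) and -6227 (L8647) remove `NormalDropPacketIf(p, NORM_TCP_IPS)` from the `STREAM_INSERT_ANOMALY` returns; unless the caller now drops on that return value (not visible here), an anomalous segment is forwarded in inline mode. The enclosing function starts before and ends after these hunks.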
@@ -5829,30 +6083,12 @@ "overlap: %d)\n", dump_me->seq, overlap);); left = left->prev; - Stream5SeglistDeleteNode(st, dump_me); - } - break; - case REASSEMBLY_POLICY_IPS: - // FIXTHIS check seq == left->seq - if ((left->seq < seq) && (left->seq + left->size > seq + len)) - { - unsigned offset = seq - left->seq; - memcpy((uint8_t*)p->data, left->payload+offset, len); - p->packet_flags |= PKT_MODIFIED; - } - else if ( left->seq < seq ) - { - unsigned offset = seq - left->seq; - unsigned length = left->seq + left->size - seq; - memcpy((uint8_t*)p->data, left->payload+offset, length); - p->packet_flags |= PKT_MODIFIED; - seq += length; + Stream5SeglistDeleteNode(st, dump_me, 0); } - // else FIXTHIS is left->seq >= seq possible here? break; case REASSEMBLY_POLICY_LAST: /* True "Last" policy" */ - if ((left->seq < seq) && (left->seq + left->size > seq + len)) + if (SEQ_LT(left->seq, seq) && SEQ_GT(left->seq + left->size, seq + len)) { /* New data is overlapped on both sides by * existing data. Existing data needs to be @@ -5873,13 +6109,11 @@ } left->size -= (int16_t)overlap; st->seg_bytes_logical -= overlap; - //st->seg_bytes_total -= overlap; - + right->seq = seq + len; right->size -= (int16_t)(seq + len - left->seq); right->payload += (seq + len - left->seq); st->seg_bytes_logical -= (seq + len - left->seq); - //st->seg_bytes_total -= (seq + len - left->seq); } else { @@ -5897,7 +6131,7 @@ "overlap: %d)\n", dump_me->seq, overlap);); left = left->prev; - Stream5SeglistDeleteNode(st, dump_me); + Stream5SeglistDeleteNode(st, dump_me, 0); } break; } @@ -5912,7 +6146,6 @@ /* flag an anomaly */ EventBadSegment(st->tcp_policy); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP_IPS); PREPROC_PROFILE_END(s5TcpInsertPerfStats); return STREAM_INSERT_ANOMALY; } 
@@ -5946,15 +6179,6 @@ switch(reassembly_policy) { - case REASSEMBLY_POLICY_IPS: - { - unsigned offset = right->seq - tdb->seq; - unsigned length = seq + len - right->seq; - memcpy((uint8_t*)p->data+offset, right->payload, length); - p->packet_flags |= PKT_MODIFIED; - } - break; - /* truncate existing data */ case REASSEMBLY_POLICY_LAST: case REASSEMBLY_POLICY_LINUX: @@ -5965,7 +6189,7 @@ case REASSEMBLY_POLICY_IRIX: case REASSEMBLY_POLICY_HPUX10: case REASSEMBLY_POLICY_MACOS: - if ((right->seq == seq) && + if (SEQ_EQ(right->seq, seq) && (reassembly_policy != REASSEMBLY_POLICY_LAST)) { slide = (right->seq + right->size - seq); @@ -5981,25 +6205,25 @@ st->total_bytes_queued -= overlap; } - if (right->size <= 0) - { - dump_me = right; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "retrans, " - "dumping old data (seq: %d overlap: %d)\n", - dump_me->seq, overlap);); + // right->size always > 0 since overlap < right->size - right = right->next; - - Stream5SeglistDeleteNode(st, dump_me); - - } break; case REASSEMBLY_POLICY_FIRST: case REASSEMBLY_POLICY_VISTA: case REASSEMBLY_POLICY_SOLARIS: case REASSEMBLY_POLICY_HPUX11: +#ifdef NORMALIZER + if ( ips_data ) + { + unsigned offset = right->seq - tdb->seq; + unsigned length = tdb->seq + p->dsize - right->seq; + memcpy((uint8_t*)p->data+offset, right->payload, length); + p->packet_flags |= PKT_MODIFIED; + normStats[PC_TCP_IPS_DATA]++; + sfBase.iPegs[PERF_COUNT_TCP_IPS_DATA]++; + } +#endif trunc = overlap; break; } 
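Review bot: The `memcpy(..., right->payload, length)` added to the FIRST/VISTA/SOLARIS/HPUX11 case reads `length = tdb->seq + p->dsize - right->seq` bytes from the segment, and the only thing keeping that below `right->size` is the invariant the new comment asserts for the neighbouring case, `right->size always > 0 since overlap < right->size`, which in turn assumes `seq_end == tdb->seq + p->dsize`; neither is established inside this hunk. Either bound the read explicitly, `if (length > right->size) length = right->size;`, or extend the comment to name the branch condition that guarantees `overlap < right->size`. The removed `if (right->size <= 0)` node-deletion block relied on the same fact, so the comment replacing it should cite that condition rather than just state the conclusion. The enclosing switch and function continue outside the hunk.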
@@ -6009,54 +6233,34 @@ } else { - s5stats.tcp_overlaps++; - st->overlap_count++; + /* full overlap */ - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Got full right overlap\n");); - -#if 0 - if ( ips ) - { - // FIXTHIS csum checks are evasion opportunities - // also get here on a single segment that was normalized above - // can't not inspect because may have more data (seq may have - // been adjusted above) - } else -#endif - if ((right->seq == seq) && (right->cksum == p->tcph->th_sum)) + /* Check for retransmits... + * Don't want to count as overlaps or do anything else with them. + * To be sure, compare orig and curr seqs, not adjusted seqs + * and original sizes and compare each byte of data */ + if (SEQ_EQ(right->seq - (right->payload - right->data), tdb->seq) + && (right->orig_dsize == p->dsize) + && (memcmp(right->data, p->data, p->dsize) == 0)) { /* RETRANSMISSION */ /* Packet was analyzed the first time. - * Don't bother looking at it again. - */ + * Don't bother looking at it again. */ DisableDetect(p); /* Still want to count this in Perfmon */ SetPreprocBit(p, PP_PERFMONITOR); - /* Examined previously, was it blocked? */ - if (right->blocked) - { - /* Previously blocked, block it again */ - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, - "Dropping retransmitted packet -- " - "blocked previously\n");); - NormalDropPacket(p); - } - else - { - /* Previously not blocked, let it through */ - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, - "Allowing retransmitted packet -- " - "not blocked previously\n");); - // NORM must overwrite payload - } + /* Previously not blocked, let it through */ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + "Allowing retransmitted packet -- " + "not blocked previously\n");); + addthis = 0; done = 1; break; } - else if ((right->seq == seq) && + else if (SEQ_EQ(right->seq, seq) && (right->size >= p->dsize)) { /* Strange -- different size data. New is same or smaller. */ 
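Review bot: Exact retransmissions are now passed with `DisableDetect(p)` regardless of whether the original segment was blocked: the `right->blocked` branch that re-dropped them is removed, yet the surviving debug text still says `"Allowing retransmitted packet -- not blocked previously"` and the comment `/* Previously not blocked, let it through */` asserts a check that no longer exists. If blocked segments can no longer reach the seglist (the removal of the session-level drop in hunk -7288 at L8656 suggests the decision moved earlier), reword both to say so; otherwise a retransmission of a dropped segment now goes through uninspected. The new `memcmp(right->data, p->data, p->dsize)` is bounded by `right->orig_dsize == p->dsize`, assuming `right->data` holds `orig_dsize` bytes, which the hunk does not show. The enclosing loop and function continue past both ends of this hunk.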
@@ -6064,6 +6268,12 @@ * the policy-based code below. */ } + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Got full right overlap\n");); + + s5stats.tcp_overlaps++; + st->overlap_count++; + switch(reassembly_policy) { case REASSEMBLY_POLICY_BSD: @@ -6073,18 +6283,17 @@ case REASSEMBLY_POLICY_HPUX10: case REASSEMBLY_POLICY_IRIX: case REASSEMBLY_POLICY_MACOS: - if ((seq_end >= right->seq + right->size) && - (seq < right->seq)) + if (SEQ_GEQ(seq_end, right->seq + right->size) && + SEQ_LT(seq, right->seq)) { dump_me = right; st->seg_bytes_logical -= right->size; - //st->seg_bytes_total -= right->size; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "retrans, dropping old data at seq %d, size %d\n", right->seq, right->size);); right = right->next; - Stream5SeglistDeleteNode(st, dump_me); + Stream5SeglistDeleteNode(st, dump_me, 0); break; } else @@ -6100,8 +6309,8 @@ break; default: /* All others follow a LAST policy */ - if ((seq_end > right->seq + right->size) && - (seq == right->seq)) + if (SEQ_GT(seq_end, right->seq + right->size) && + SEQ_EQ(seq, right->seq)) { /* When existing data is fully overlapped by new * and sequence numbers are the same, most OSs 
@@ -6117,44 +6326,53 @@ case REASSEMBLY_POLICY_VISTA: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got full right overlap, truncating new\n");); - /* full overlap */ - if (right->seq == seq) +#ifdef NORMALIZER + if ( ips_data ) { - slide = (int32_t)(right->seq + right->size - seq); - seq += slide; + unsigned offset = right->seq - tdb->seq; + memcpy((uint8_t*)p->data+offset, right->payload, right->size); + p->packet_flags |= PKT_MODIFIED; + normStats[PC_TCP_IPS_DATA]++; + sfBase.iPegs[PERF_COUNT_TCP_IPS_DATA]++; + } +#endif + if (SEQ_EQ(right->seq, seq)) + { + /* Overlap is greater than or equal to right->size + * slide gets set before insertion */ + seq += right->size; left = right; right = right->next; - if (right && (SEQ_EQ(seq,right->seq))) + /* Adjusted seq is fully overlapped */ + if (SEQ_EQ(seq, seq_end)) { - /* same seq as next packet don't insert yet... - * keep going. - */ - continue; + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "StreamQueue got full right overlap with " + "resulting seq too high, bad segment " + "(seq: %X seq_end: %X overlap: %lu\n", + seq, seq_end, overlap);); + EventBadSegment(st->tcp_policy); + s5stats.tcp_discards++; + PREPROC_PROFILE_END(s5TcpInsertPerfStats); + return STREAM_INSERT_ANOMALY; } + + /* No data to add on the left of right, so continue + * since some of the other non-first targets may have + * fallen into this case */ + continue; } - else - { - trunc += overlap; - } - if(SEQ_LEQ((int)(seq_end - trunc), seq)) - { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "StreamQueue got full right overlap with " - "resulting seq too high, bad segment " - "(seq: %X seq_end: %X overlap: %lu\n", - seq, seq_end, overlap);); - EventBadSegment(st->tcp_policy); - s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP_IPS); - PREPROC_PROFILE_END(s5TcpInsertPerfStats); - return STREAM_INSERT_ANOMALY; - } + + /* seq is less than right->seq */ + + /* trunc is reset to 0 at beginning of loop */ + trunc = overlap; 
/* insert this one, and see if we need to chunk it up */ - /* Adjust slide so that is correct relative to orig_seq */ - slide = seq - orig_seq; - ret = AddStreamNode(st, p, tdb->ts, tcpssn, len, slide, trunc, seq, left, &ss); + /* Adjust slide so that is correct relative to orig seq */ + slide = seq - tdb->seq; + ret = AddStreamNode(st, p, tdb, tcpssn, len, slide, trunc, seq, left, &ss); if (ret != STREAM_INSERT_OK) { /* no warning, already done above */ @@ -6162,54 +6380,18 @@ return ret; } - { - uint32_t curr_end = ss->seq + ss->size; - - while (right && - (curr_end <= right->seq) && - (right->seq < seq_end)) - { - curr_end = right->seq + right->size; - left = right; - right = right->next; - } - - if (right && (right->seq < seq_end)) - { - /* Adjust seq to end of 'right' */ - seq = right->seq + right->size; - - /* Not overlapping on the left any more */ - slide = 0; - - left = right; - - /* - * Reset trunc, in case the next one kicks us - * out of the loop. This packet will become the - * right-most entry so far. Don't truncate any - * further. - */ - trunc = 0; - if (right->next) - continue; - } + /* Set seq to end of right since overlap was greater than + * or equal to right->size and inserted seq has been + * truncated to beginning of right + * And reset trunc to 0 since we may fall out of loop if + * next right is NULL */ + seq = right->seq + right->size; + left = right; + right = right->next; + trunc = 0; - if (curr_end < seq_end) - { - /* Insert this guy in his proper spot, - * adjust offset to the right-most endpoint - * we saw. - */ - slide = left->seq + left->size - seq; - seq = curr_end; - trunc = 0; - } - else - { - addthis = 0; - } - } + /* Keep looping since in IPS we may need to copy old + * data into packet */ break; 
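Review bot: In the FIRST/VISTA full-overlap case the copy `memcpy((uint8_t*)p->data+offset, right->payload, right->size)` with `offset = right->seq - tdb->seq` writes up to `right->seq + right->size - tdb->seq` bytes into the packet, which stays within `p->dsize` only if the full-overlap branch guarantees `right->seq + right->size <= seq_end` and `seq_end - tdb->seq <= p->dsize`, both derived from `seq`/`len` outside this hunk; a one-line comment or assertion at the `memcpy` stating that invariant is warranted. In the rewritten tail (hunk -6162) `seq` is advanced to `right->seq + right->size` and `trunc` reset, but `addthis` is never cleared as the old loop did when `curr_end >= seq_end`; if the loop then exits with `seq == seq_end`, the trailing `AddStreamNode` in hunk -6262 (L8647) is reached with `slide == len`, and it is not visible whether a zero-length node is rejected there. The enclosing function continues past both ends of these hunks.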
@@ -6227,11 +6409,10 @@ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "StreamQueue got full right overlap with " "resulting seq too high, bad segment " - "(seq: %X seq_end: %X overlap: %lu\n", + "(seq: %X seq_end: %X overlap: %lu\n", seq, seq_end, overlap);); EventBadSegment(st->tcp_policy); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP_IPS); PREPROC_PROFILE_END(s5TcpInsertPerfStats); return STREAM_INSERT_ANOMALY; } @@ -6245,16 +6426,7 @@ "Got full right overlap of old, dropping old\n");); dump_me = right; right = right->next; - Stream5SeglistDeleteNode(st, dump_me); - break; - - case REASSEMBLY_POLICY_IPS: - { - unsigned offset = right->seq - tdb->seq; - memcpy((uint8_t*)p->data+offset, right->payload, right->size); - p->packet_flags |= PKT_MODIFIED; - right = right->next; - } + Stream5SeglistDeleteNode(st, dump_me, 0); break; } } @@ -6262,9 +6434,9 @@ if (addthis) { - /* Adjust slide so that is correct relative to orig_seq */ - slide = seq - orig_seq; - ret = AddStreamNode(st, p, tdb->ts, tcpssn, len, + /* Adjust slide so that is correct relative to orig seq */ + slide = seq - tdb->seq; + ret = AddStreamNode(st, p, tdb, tcpssn, len, slide, trunc, seq, left, &ss); } else @@ -6311,7 +6483,7 @@ * on in this TCP policy, action controlled by preprocessor * rule. */ EventMaxSmallSegsExceeded(s5TcpPolicy); - + /* Reset counter, so we're not too noisy */ rcv->small_seg_count = 0; } @@ -6347,7 +6519,7 @@ #endif ": LWstate 0x%x LWFlags 0x%x\n", s5TcpPolicy->max_queued_bytes, rcv->seg_bytes_total, - (rcv == &tcpssn->client) ? "client queue" : "server queue", + (rcv == &tcpssn->client) ? "client queue" : "server queue", client_ip_str, ntohs(tcpssn->lwssn->client_port), server_ip_str, ntohs(tcpssn->lwssn->server_port), #ifdef TARGET_BASED 
@@ -6395,7 +6567,7 @@ #endif ": LWstate 0x%x LWFlags 0x%x\n", s5TcpPolicy->max_queued_segs, rcv->seg_count, - (rcv == &tcpssn->client) ? "client queue" : "server queue", + (rcv == &tcpssn->client) ? "client queue" : "server queue", client_ip_str, ntohs(tcpssn->lwssn->client_port), server_ip_str, ntohs(tcpssn->lwssn->server_port), #ifdef TARGET_BASED @@ -6428,7 +6600,7 @@ "queuing segment\n");); StreamQueue(rcv, p, tdb, tcpssn); - if ((rcv->tcp_policy->overlap_limit) && + if ((rcv->tcp_policy->overlap_limit) && (rcv->overlap_count > rcv->tcp_policy->overlap_limit)) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -6504,7 +6676,7 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Bailing, data on SYN, not MAC Policy!\n");); - NormalDropPacketIf(p, NORM_TCP); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); PREPROC_PROFILE_END(s5TcpDataPerfStats); return S5_UNALIGNED; } @@ -6517,7 +6689,7 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Bailing, we're out of the window!\n");); - NormalDropPacketIf(p, NORM_TCP); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); PREPROC_PROFILE_END(s5TcpDataPerfStats); return S5_UNALIGNED; } @@ -6529,6 +6701,9 @@ if(p->dsize != 0) { + if ( !(tcpssn->lwssn->session_flags & SSNFLAG_STREAM_ORDER_BAD) ) + p->packet_flags |= PKT_STREAM_ORDER_OK; + ProcessTcpStream(listener, tcpssn, p, tdb, s5TcpPolicy); /* set flags to session flags */ @@ -6550,7 +6725,7 @@ */ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "out of order segment (tdb->seq: 0x%X " - "l->r_nxt_ack: 0x%X!\n", tdb->seq, listener->r_nxt_ack);); + "l->r_nxt_ack: 0x%X!\n", tdb->seq, listener->r_nxt_ack);); if (listener->s_mgr.state_queue == TCP_STATE_NONE) { @@ -6559,7 +6734,7 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Bailing, we're out of the window!\n");); - NormalDropPacketIf(p, NORM_TCP); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); PREPROC_PROFILE_END(s5TcpDataPerfStats); return S5_UNALIGNED; } 
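Review bot: `NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb)` replaces `NormalDropPacketIf(p, NORM_TCP)` at the three bail-out sites in hunks -6504, -6517 and -6559 (data on SYN, out of window) and at the out-of-bounds-ACK site in hunk -7790 (L8661): the packet is now forwarded with its payload removed instead of being dropped, while `S5_UNALIGNED` / `ACTION_BAD_PKT` is still returned. The reason for preferring a trimmed header over a drop is not stated anywhere in these hunks; a comment at the first site, e.g. `/* trim rather than drop: keep the ACK/window update, discard only the unaligned data */` (constructed wording, confirm intent), would save the next reader from re-deriving it. The enclosing functions start before and end after these hunks.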
@@ -6579,6 +6754,11 @@ if(p->dsize != 0) { + if ( !(tcpssn->lwssn->session_flags & SSNFLAG_STREAM_ORDER_BAD) ) + { + if ( !SEQ_LEQ((tdb->seq + p->dsize), listener->r_nxt_ack) ) + tcpssn->lwssn->session_flags |= SSNFLAG_STREAM_ORDER_BAD; + } ProcessTcpStream(listener, tcpssn, p, tdb, s5TcpPolicy); } } @@ -6615,12 +6795,12 @@ #else if (direction == FROM_CLIENT) { - host_entry = SFAT_LookupHostEntryByIp4Addr(ntohl(lwssn->server_ip)); + host_entry = SFAT_LookupHostEntryByIP(ntohl(lwssn->server_ip)); ssn_dir = SSN_DIR_SERVER; } else { - host_entry = SFAT_LookupHostEntryByIp4Addr(ntohl(lwssn->client_ip)); + host_entry = SFAT_LookupHostEntryByIP(ntohl(lwssn->client_ip)); ssn_dir = SSN_DIR_CLIENT; } #endif @@ -6672,7 +6852,7 @@ } } -static INLINE int ValidMacAddress(StreamTracker *talker, +static inline int ValidMacAddress(StreamTracker *talker, StreamTracker *listener, Packet *p) { @@ -6708,7 +6888,7 @@ return ret; } -static INLINE void CopyMacAddr(Packet *p, +static inline void CopyMacAddr(Packet *p, TcpSession *tcpssn, int dir) { @@ -6758,7 +6938,7 @@ *****************************************************************/ tmpBucket = mempool_alloc(&tcp_session_mempool); tmp = tmpBucket->data; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Creating new session tracker on SYN!\n");); #ifdef DEBUG @@ -6776,7 +6956,7 @@ tmp->client.s_mgr.state = TCP_STATE_SYN_SENT; tmp->client.isn = tdb->seq; tmp->client.l_unackd = tdb->seq + 1; - tmp->client.l_nxt_seq = tmp->client.l_unackd + 1; /* reset later */ + tmp->client.l_nxt_seq = tmp->client.l_unackd; tmp->client.l_window = tdb->win; tmp->client.ts_last_pkt = p->pkth->ts.tv_sec; 
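Review bot: `SSNFLAG_STREAM_ORDER_BAD` is set once an out-of-order segment reaches past `listener->r_nxt_ack`, and nothing in this hunk or in the companion hunk -6529 (L8648) ever clears it, so every later packet on the session loses `PKT_STREAM_ORDER_OK`, in-order or not. If that is intended, say so next to the flag-setting line, e.g. `/* sticky: once set, no later packet on this session gets PKT_STREAM_ORDER_OK */`; if a reset once the stream re-synchronises was intended, it is missing. Whatever keys on the flag downstream is not visible here, so the consequence of a single gap poisoning the session cannot be judged from this hunk. The enclosing function continues outside the hunk.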
@@ -6785,7 +6965,7 @@ tmp->server.r_nxt_ack = tmp->client.l_unackd; tmp->server.r_win_base = tdb->seq+1; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seglist_base_seq = %X\n", tmp->server.seglist_base_seq);); tmp->server.s_mgr.state = TCP_STATE_LISTEN; @@ -6817,7 +6997,7 @@ *****************************************************************/ tmpBucket = mempool_alloc(&tcp_session_mempool); tmp = tmpBucket->data; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Creating new session tracker on SYN_ACK!\n");); #ifdef DEBUG @@ -6835,7 +7015,7 @@ tmp->server.s_mgr.state = TCP_STATE_SYN_RCVD; tmp->server.isn = tdb->seq; tmp->server.l_unackd = tdb->seq + 1; - tmp->server.l_nxt_seq = tmp->server.l_unackd + 1; /* reset later */ + tmp->server.l_nxt_seq = tmp->server.l_unackd; tmp->server.l_window = tdb->win; /* Double check these two -- should be ACK -1? */ @@ -6853,7 +7033,7 @@ /* Double check this -- should be ACK -1? */ tmp->client.isn = tdb->ack-1; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seglist_base_seq = %X\n", tmp->client.seglist_base_seq);); tmp->client.s_mgr.state = TCP_STATE_SYN_SENT; @@ -6886,7 +7066,7 @@ *****************************************************************/ tmpBucket = mempool_alloc(&tcp_session_mempool); tmp = tmpBucket->data; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Creating new session tracker on ACK!\n");); #ifdef DEBUG @@ -6904,7 +7084,7 @@ tmp->client.s_mgr.state = TCP_STATE_ESTABLISHED; tmp->client.isn = tdb->seq; tmp->client.l_unackd = tdb->seq + 1; - tmp->client.l_nxt_seq = tmp->client.l_unackd + 1; /* reset later */ + tmp->client.l_nxt_seq = tmp->client.l_unackd; tmp->client.l_window = tdb->win; tmp->client.ts_last_pkt = p->pkth->ts.tv_sec; 
@@ -6913,8 +7093,9 @@ tmp->server.r_nxt_ack = tmp->client.l_unackd; tmp->server.r_win_base = tdb->seq+1; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "seglist_base_seq = %X\n", tmp->server.seglist_base_seq);); tmp->server.s_mgr.state = TCP_STATE_ESTABLISHED; + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "seglist_base_seq = %X\n", tmp->server.seglist_base_seq);); + tmp->server.s_mgr.state = TCP_STATE_ESTABLISHED; tmp->client.flags |= Stream5GetTcpTimestamp(p, &tmp->client.ts_last, 0); if (tmp->client.ts_last == 0) @@ -6944,7 +7125,7 @@ *****************************************************************/ tmpBucket = mempool_alloc(&tcp_session_mempool); tmp = tmpBucket->data; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Creating new session tracker on data packet (ACK|PSH)!\n");); #ifdef DEBUG @@ -6966,7 +7147,7 @@ tmp->client.s_mgr.state = TCP_STATE_ESTABLISHED; tmp->client.isn = tdb->seq; tmp->client.l_unackd = tdb->seq; - tmp->client.l_nxt_seq = tmp->client.l_unackd + 1; /* reset later */ + tmp->client.l_nxt_seq = tmp->client.l_unackd; tmp->client.l_window = tdb->win; tmp->client.ts_last_pkt = p->pkth->ts.tv_sec; @@ -6980,7 +7161,7 @@ //tmp->server.l_nxt_seq = tdb->ack + 1; tmp->server.l_unackd = tdb->ack - 1; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seglist_base_seq = %X\n", tmp->server.seglist_base_seq);); tmp->server.s_mgr.state = TCP_STATE_ESTABLISHED; @@ -7013,7 +7194,7 @@ tmp->server.s_mgr.state = TCP_STATE_ESTABLISHED; tmp->server.isn = tdb->seq; tmp->server.l_unackd = tdb->seq; - tmp->server.l_nxt_seq = tmp->server.l_unackd + 1; /* reset later */ + tmp->server.l_nxt_seq = tmp->server.l_unackd; tmp->server.l_window = tdb->win; /* Double check these two -- should be ACK -1? */ 
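Review bot: `tmp->server.s_mgr.state = TCP_STATE_ESTABLISHED;` is now assigned twice in a row, once on the surviving context line and again on the added line after the moved debug message; the second assignment is dead and should be dropped so the hunk only reorders the debug output. The same reorder for the sibling trackers (hunks -6980 here and -7031 at L8652) does not duplicate the assignment, so this one looks like a merge artifact.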
@@ -7031,7 +7212,7 @@ /* Double check this -- should be ACK -1? */ tmp->client.isn = tdb->ack-1; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seglist_base_seq = %X\n", tmp->client.seglist_base_seq);); tmp->client.s_mgr.state = TCP_STATE_ESTABLISHED; @@ -7059,7 +7240,7 @@ if (tmp) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "adding TcpSession to lightweight session\n");); lwssn->proto_specific_data = tmpBucket; lwssn->protocol = GET_IPH_PROTO(p); 
@@ -7087,36 +7268,77 @@ #ifdef TARGET_BASED if (tmp->server.tcp_policy->flush_config_protocol[lwssn->application_protocol].configured == 1) { + uint8_t flush_policy = + tmp->server.tcp_policy->flush_config_protocol[lwssn->application_protocol].client.flush_policy; + +#ifdef ENABLE_PAF + bool flush = (flush_policy != STREAM_FLPOLICY_IGNORE); + + if ( s5_paf_enabled(s5_tcp_eval_config->paf_config, server_port, TRUE, flush) ) + { + flush_policy = STREAM_FLPOLICY_PROTOCOL; + s5_paf_setup(s5_tcp_eval_config->paf_config, &tmp->server.paf_state, server_port, TRUE); + } +#endif InitFlushMgr(&tmp->server.flush_mgr, - &tmp->server.tcp_policy->flush_point_list, - tmp->server.tcp_policy->flush_config_protocol[lwssn->application_protocol].client.flush_policy); + &tmp->server.tcp_policy->flush_point_list, flush_policy); } else +#endif { + uint8_t flush_policy = + tmp->server.tcp_policy->flush_config[server_port].client.flush_policy; + +#ifdef ENABLE_PAF + bool flush = (flush_policy != STREAM_FLPOLICY_IGNORE); + + if ( s5_paf_enabled(s5_tcp_eval_config->paf_config, server_port, TRUE, flush) ) + { + flush_policy = STREAM_FLPOLICY_PROTOCOL; + s5_paf_setup(s5_tcp_eval_config->paf_config, &tmp->server.paf_state, server_port, TRUE); + } #endif InitFlushMgr(&tmp->server.flush_mgr, - &tmp->server.tcp_policy->flush_point_list, - tmp->server.tcp_policy->flush_config[server_port].client.flush_policy); -#ifdef TARGET_BASED + &tmp->server.tcp_policy->flush_point_list, flush_policy); } -#endif #ifdef TARGET_BASED if (tmp->client.tcp_policy->flush_config_protocol[lwssn->application_protocol].configured == 1) { + uint8_t flush_policy = + tmp->client.tcp_policy->flush_config_protocol[lwssn->application_protocol].server.flush_policy; + +#ifdef ENABLE_PAF + bool flush = (flush_policy != STREAM_FLPOLICY_IGNORE); + + if ( s5_paf_enabled(s5_tcp_eval_config->paf_config, server_port, FALSE, flush) ) + { + flush_policy = STREAM_FLPOLICY_PROTOCOL; + s5_paf_setup(s5_tcp_eval_config->paf_config, 
&tmp->client.paf_state, server_port, FALSE); + } +#endif InitFlushMgr(&tmp->client.flush_mgr, - &tmp->client.tcp_policy->flush_point_list, - tmp->client.tcp_policy->flush_config_protocol[lwssn->application_protocol].server.flush_policy); + &tmp->client.tcp_policy->flush_point_list, flush_policy); } else +#endif { + uint8_t flush_policy = + tmp->client.tcp_policy->flush_config[server_port].server.flush_policy; + +#ifdef ENABLE_PAF + bool flush = (flush_policy != STREAM_FLPOLICY_IGNORE); + + if ( s5_paf_enabled(s5_tcp_eval_config->paf_config, server_port, FALSE, flush) ) + { + flush_policy = STREAM_FLPOLICY_PROTOCOL; + s5_paf_setup(s5_tcp_eval_config->paf_config, &tmp->client.paf_state, server_port, FALSE); + } #endif InitFlushMgr(&tmp->client.flush_mgr, - &tmp->client.tcp_policy->flush_point_list, - tmp->client.tcp_policy->flush_config[server_port].server.flush_policy); -#ifdef TARGET_BASED + &tmp->client.tcp_policy->flush_point_list, flush_policy); } -#endif + #ifdef DEBUG_STREAM5 PrintTcpSession(tmp); @@ -7157,7 +7379,7 @@ */ if (SEQ_EQ(tdb->seq, listener->r_nxt_ack)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got syn on established windows ssn, which causes Reset," "bailing\n");); tcpssn->lwssn->session_flags |= SSNFLAG_RESET; @@ -7166,7 +7388,7 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got syn on established windows ssn, not causing Reset," "bailing\n");); s5stats.tcp_discards++; @@ -7175,7 +7397,7 @@ break; case STREAM_POLICY_MACOS: /* MACOS ignores a 2nd SYN, regardless of the sequence number. */ - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got syn on established macos ssn, not causing Reset," "bailing\n");); s5stats.tcp_discards++; 
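Review bot: The PAF decision — compute `flush = (flush_policy != STREAM_FLPOLICY_IGNORE)`, call `s5_paf_enabled(...)`, and on success set `flush_policy = STREAM_FLPOLICY_PROTOCOL` and `s5_paf_setup(...)` — is pasted four times in hunk -7087, differing only in the tracker (`tmp->server` / `tmp->client`), the `client` / `server` policy member and the `TRUE` / `FALSE` direction argument; one static helper taking the tracker, the port and the direction flag would keep the server and client sides from drifting apart. The `#ifdef TARGET_BASED ... } else #endif {` arrangement is also hard to read because the `else` exists in only one build configuration; a comment on that `#endif`, e.g. `#endif /* TARGET_BASED: closes the else-branch */`, would help. The enclosing function starts before this hunk.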
@@ -7194,7 +7416,7 @@ /* If its not a retransmission of the actual SYN... RESET */ if(!SEQ_EQ(tdb->seq,talker->isn)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got syn on established ssn, which causes Reset, bailing\n");); tcpssn->lwssn->session_flags |= SSNFLAG_RESET; talker->s_mgr.state = TCP_STATE_CLOSED; @@ -7202,7 +7424,7 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got syn on established ssn, not causing Reset," "bailing\n");); s5stats.tcp_discards++; @@ -7271,15 +7493,14 @@ if (eventcode & EVENT_WINDOW_SLAM) EventWindowSlam(s5TcpPolicy); - } -static int ProcessTcp(Stream5LWSession *lwssn, Packet *p, TcpDataBlock *tdb, +static int ProcessTcp(Stream5LWSession *lwssn, Packet *p, TcpDataBlock *tdb, Stream5TcpPolicy *s5TcpPolicy) { int retcode = 0; int eventcode = 0; - char ignore = 0; + char ignore; int got_ts = 0; int new_ssn = 0; int ts_action = ACTION_NOTHING; 
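Review bot: Dropping the initializer in `char ignore;` gains nothing and removes a safety net: both visible uses (hunks -7333 at L8657 and -7714 at L8660) assign it before reading, but each assignment sits under a different `ScPafEnabled()` condition, so a future edit can easily read it uninitialized, which is undefined behaviour. Keep `char ignore = 0;`. The body of ProcessTcp continues well past this hunk.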
@@ -7288,44 +7509,16 @@ StreamTracker *talker = NULL; StreamTracker *listener = NULL; uint32_t require3Way = (s5TcpPolicy->flags & STREAM5_CONFIG_REQUIRE_3WHS); - int16_t protoId = 0; STREAM5_DEBUG_WRAP(char *t = NULL; char *l = NULL;) PROFILE_VARS; if (lwssn->protocol != IPPROTO_TCP) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Lightweight session not TCP on TCP packet\n");); return ACTION_NOTHING; } - if ( - (lwssn->session_flags & (SSNFLAG_DROP_CLIENT|SSNFLAG_DROP_SERVER))) - { - /* Got a packet on a session that was dropped (by a rule). */ - GetLWPacketDirection(p, lwssn); - - /* Drop this packet */ - if (((p->packet_flags & PKT_FROM_SERVER) && - (lwssn->session_flags & SSNFLAG_DROP_SERVER)) || - ((p->packet_flags & PKT_FROM_CLIENT) && - (lwssn->session_flags & SSNFLAG_DROP_CLIENT))) - { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Blocking %s packet as session was blocked\n", - p->packet_flags & PKT_FROM_SERVER ? - "server" : "client");); - DisableDetect(p); - /* Still want to add this number of bytes to totals */ - SetPreprocBit(p, PP_PERFMONITOR); - NormalDropPacket(p); -#ifdef ACTIVE_RESPONSE - Stream5ActiveResponse(p, lwssn); -#endif - return ACTION_NOTHING; - } - } - if (lwssn->proto_specific_data) tcpssn = (TcpSession *)lwssn->proto_specific_data->data; 
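Review bot: The block that dropped packets arriving on a session already blocked by a rule (`SSNFLAG_DROP_CLIENT` / `SSNFLAG_DROP_SERVER`, with `NormalDropPacket(p)` and the active-response call) is removed from ProcessTcp and nothing in this hunk takes its place; together with the removal of the `right->blocked` retransmission check in hunk -6009 (L8643), this was the only visible enforcement of a session-level drop. If it moved to a caller that runs before ProcessTcp, a one-line comment here, e.g. `/* blocked-session drop is enforced before ProcessTcp is entered */` (constructed wording), would stop it being reintroduced; if it did not move, packets on a rule-dropped session are now processed normally. The removed `int16_t protoId` goes with the deleted `CheckIgnoreChannel` call in hunk -7714 (L8660), which is consistent. ProcessTcp continues past the end of this hunk.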
@@ -7333,10 +7526,30 @@ if (tcpssn == NULL) { +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + { + /* Check if the session is to be ignored */ + ignore = SteamExpectCheck(p, lwssn); + if (ignore) + { + /* Set the directions to ignore... */ + lwssn->ignore_direction = ignore; + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: Ignoring packet from %d. " + "Marking session marked as ignore.\n", + p->packet_flags & PKT_FROM_SERVER? "server" : "client");); + Stream5DisableInspection(lwssn, p); + PREPROC_PROFILE_END(s5TcpStatePerfStats); + return ACTION_NOTHING; + } + } +#endif + if (TCP_ISFLAGSET(p->tcph, TH_SYN) && !TCP_ISFLAGSET(p->tcph, TH_ACK)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5 SYN PACKET, establishing lightweight" "session direction.\n");); /* SYN packet from client */ @@ -7346,15 +7559,13 @@ IP_COPY_VALUE(lwssn->server_ip, GET_DST_IP(p)); lwssn->server_port = p->tcph->th_dport; lwssn->session_state |= STREAM5_STATE_SYN; -#ifdef ACTIVE_RESPONSE - SetTTL(lwssn, p, 1); -#endif + if (require3Way || (Stream5PacketHasWscale(p) & TF_WSCALE) || ((p->dsize > 0) && (StreamGetPolicy(lwssn, s5TcpPolicy, FROM_CLIENT) == STREAM_POLICY_MACOS))) { - /* Create TCP session if we + /* Create TCP session if we * 1) require 3-WAY HS, OR * 2) client sent wscale option, OR * 3) have data and its a MAC OS policy -- MAC @@ -7377,7 +7588,7 @@ if ((lwssn->session_state == STREAM5_STATE_NONE) || (lwssn->session_flags & SSNFLAG_RESET)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5 SYN|ACK PACKET, establishing lightweight" "session direction.\n");); lwssn->direction = FROM_SERVER; 
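Review bot: The debug call added here passes a `char *` (`"server"` / `"client"`) for the `%d` in `"Stream5: Ignoring packet from %d. "`; a format/argument mismatch is undefined behaviour when the debug build prints it, so the conversion should be `%s`. The same defect, and the same block of lines, appear again in hunk -7714 (L8660) with only the `ScPafEnabled()` polarity changed; since `SteamExpectCheck(p, lwssn)` and the follow-up are identical, a small static helper called from both places would leave one copy to keep correct. ProcessTcp's body continues outside this hunk.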
@@ -7385,9 +7596,6 @@ lwssn->client_port = p->tcph->th_dport; IP_COPY_VALUE(lwssn->server_ip, GET_SRC_IP(p)); lwssn->server_port = p->tcph->th_sport; -#ifdef ACTIVE_RESPONSE - SetTTL(lwssn, p, 0); -#endif } lwssn->session_state |= STREAM5_STATE_SYN_ACK; if (!require3Way) @@ -7430,9 +7638,6 @@ lwssn->client_port = p->tcph->th_sport; IP_COPY_VALUE(lwssn->server_ip, GET_DST_IP(p)); lwssn->server_port = p->tcph->th_dport; -#ifdef ACTIVE_RESPONSE - SetTTL(lwssn, p, 1); -#endif } else { @@ -7441,14 +7646,11 @@ lwssn->client_port = p->tcph->th_dport; IP_COPY_VALUE(lwssn->server_ip, GET_SRC_IP(p)); lwssn->server_port = p->tcph->th_sport; -#ifdef ACTIVE_RESPONSE - SetTTL(lwssn, p, 0); -#endif } lwssn->session_state |= STREAM5_STATE_MIDSTREAM; lwssn->session_flags |= SSNFLAG_MIDSTREAM; -#ifdef DEBUG +#ifdef DEBUG_STREAM5 if (ScReadMode()) { /* If we're in readback mode... may only have one packet. @@ -7506,10 +7708,10 @@ if (!(lwssn->session_state & STREAM5_STATE_ESTABLISHED) && !require3Way) { /* If not requiring 3-way Handshake... */ - + /* TCP session created on TH_SYN above, * or maybe on SYN-ACK, or anything else */ - + /* Need to update Lightweight session state */ if (TCP_ISFLAGSET(p->tcph, (TH_SYN|TH_ACK))) { @@ -7537,7 +7739,7 @@ if(p->packet_flags & PKT_FROM_SERVER) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5: Updating on packet from server\n");); lwssn->session_flags |= SSNFLAG_SEEN_SERVER; if (tcpssn) @@ -7560,12 +7762,12 @@ !(lwssn->session_state & STREAM5_STATE_ESTABLISHED)) { FinishServerInit(p, tdb, tcpssn); - if((p->tcph->th_flags & TH_ECE) && + if((p->tcph->th_flags & TH_ECE) && lwssn->session_flags & SSNFLAG_ECN_CLIENT_QUERY) { lwssn->session_flags |= SSNFLAG_ECN_SERVER_REPLY; } - + if (lwssn->session_flags & SSNFLAG_SEEN_CLIENT) { // should TCP state go to established too? 
@@ -7574,10 +7776,14 @@ Stream5UpdatePerfBaseState(&sfBase, tcpssn->lwssn, TCP_STATE_ESTABLISHED); } } +#ifdef ACTIVE_RESPONSE + if ( !lwssn->inner_server_ttl ) + SetTTL(lwssn, p, 0); +#endif } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5: Updating on packet from client\n");); /* if we got here we had to see the SYN already... */ lwssn->session_flags |= SSNFLAG_SEEN_CLIENT; @@ -7601,6 +7807,10 @@ lwssn->session_flags |= SSNFLAG_ESTABLISHED; } } +#ifdef ACTIVE_RESPONSE + if ( !lwssn->inner_client_ttl ) + SetTTL(lwssn, p, 1); +#endif } /* @@ -7626,7 +7836,7 @@ if (p->tcph->th_flags & TH_RST) { /* Got SYN/RST. We're done. */ - NormalTrimPayloadIf(p, NORM_TCP, 0, tdb); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); tcpssn = NULL; PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_RST; @@ -7685,7 +7895,7 @@ lwssn->session_flags = SSNFLAG_SEEN_SERVER; } } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got SYN pkt on reset ssn, re-SYN-ing\n");); } @@ -7705,7 +7915,7 @@ } Stream5DisableInspection(lwssn, p); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5 Ignoring packet from %d. " "Session marked as ignore\n", p->packet_flags & PKT_FROM_SERVER? "server" : "client");); 
@@ -7714,25 +7924,23 @@ } /* Check if the session is to be ignored */ - ignore = CheckIgnoreChannel(p, &protoId); - if (ignore) - { - /* Set the directions to ignore... */ - lwssn->ignore_direction = ignore; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Stream5: Ignoring packet from %d. " - "Marking session marked as ignore.\n", - p->packet_flags & PKT_FROM_SERVER? "server" : "client");); - Stream5DisableInspection(lwssn, p); - PREPROC_PROFILE_END(s5TcpStatePerfStats); - return ACTION_NOTHING; - } - else if (protoId != 0) - { -#ifdef TARGET_BASED - if (IsAdaptiveConfigured(getRuntimePolicy(), 0)) - lwssn->application_protocol = protoId; +#ifdef ENABLE_PAF + if ( !ScPafEnabled() ) #endif + { + ignore = SteamExpectCheck(p, lwssn); + if (ignore) + { + /* Set the directions to ignore... */ + lwssn->ignore_direction = ignore; + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: Ignoring packet from %d. " + "Marking session marked as ignore.\n", + p->packet_flags & PKT_FROM_SERVER? "server" : "client");); + Stream5DisableInspection(lwssn, p); + PREPROC_PROFILE_END(s5TcpStatePerfStats); + return ACTION_NOTHING; + } } /* Handle data on SYN */ @@ -7743,14 +7951,14 @@ STREAM_POLICY_MACOS) { #ifdef NORMALIZER - if ( Normalize_IsEnabled(snort_conf, NORM_TCP) ) + if ( Normalize_IsEnabled(snort_conf, NORM_TCP_TRIM) ) { NormalTrimPayload(p, 0, tdb); // remove data on SYN } else #endif { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got data on SYN packet, not processing it\n");); //EventDataOnSyn(s5TcpPolicy); eventcode |= EVENT_DATA_ON_SYN; 
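Review bot: With PAF compiled in, `if ( !ScPafEnabled() )` now skips the whole expected-channel block, so neither the ignore-direction handling nor the removed `lwssn->application_protocol = protoId` assignment under `TARGET_BASED` happens on this path when PAF is on, and nothing here says where they happen instead. A one-line comment above the `#ifdef`, e.g. `// with PAF enabled, expected channels are handled in <LOCATION>`, would spare the next reader the search. The callee name `SteamExpectCheck` reads like a misspelling of "Stream"; if the declaration carries the same spelling it compiles, but confirm this is the intended identifier before it spreads into a public API. The enclosing function continues outside the hunk.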
@@ -7766,13 +7974,13 @@ return ACTION_NOTHING | retcode; } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s [talker] state: %s\n", t, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s [talker] state: %s\n", t, state_names[talker->s_mgr.state]);); STREAM5_DEBUG_WRAP(PrintFlushMgr(&talker->flush_mgr);); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s state: %s(%d)\n", l, - state_names[listener->s_mgr.state], + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s state: %s(%d)\n", l, + state_names[listener->s_mgr.state], listener->s_mgr.state);); STREAM5_DEBUG_WRAP(PrintFlushMgr(&listener->flush_mgr);); @@ -7790,15 +7998,15 @@ { if(p->tcph->th_flags & TH_ACK) { - /* - * make sure we've got a valid segment + /* + * make sure we've got a valid segment */ if(!IsBetween(listener->l_unackd, listener->l_nxt_seq, tdb->ack)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Pkt ack is out of bounds, bailing!\n");); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); LogTcpEvents(listener->tcp_policy, eventcode); PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_BAD_PKT; @@ -7810,21 +8018,21 @@ talker->flags |= TF_TSTAMP_ZERO; /* - * catch resets sent by server + * catch resets sent by server */ if(p->tcph->th_flags & TH_RST) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "got RST\n");); - NormalTrimPayloadIf(p, NORM_TCP, 0, tdb); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); /* Reset is valid when in SYN_SENT if the * ack field ACKs the SYN. */ if(ValidRstSynSent(listener, tdb)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "got RST, closing talker\n");); /* Reset is valid */ /* Mark session as reset... Leave it around so that any 
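Review bot: On the out-of-bounds ACK path, `NormalDropPacketIf(p, NORM_TCP)` becomes `NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb)`, which in inline mode changes the handling of a segment with a bad ACK from dropping it to forwarding it with the payload stripped; the bad-sequence path in the `@@ -7950` hunk receives the same substitution, and the bad-timestamp path there loses its normalization call entirely with only `// this packet was normalized elsewhere` to explain it. If stripping the data is considered sufficient because `ACTION_BAD_PKT` is returned and the segment is not queued (as the immediate return suggests), a comment at the first occurrence would keep the change from reading as an accidental weakening, e.g. `// strip payload rather than drop: the segment is rejected below and never queued`. The enclosing function starts and ends outside the hunk.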
@@ -7840,7 +8048,7 @@ return ACTION_RST; } /* Reset not valid. */ - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "bad sequence number, bailing\n");); s5stats.tcp_discards++; eventcode |= EVENT_BAD_RST; @@ -7861,16 +8069,16 @@ talker->ts_last_pkt = p->pkth->ts.tv_sec; talker->ts_last = tdb->ts; } - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Finish server init got called!\n");); } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Finish server init didn't get called!\n");); } - if((p->tcph->th_flags & TH_ECE) && + if((p->tcph->th_flags & TH_ECE) && lwssn->session_flags & SSNFLAG_ECN_CLIENT_QUERY) { lwssn->session_flags |= SSNFLAG_ECN_SERVER_REPLY; @@ -7880,7 +8088,7 @@ * explicitly set the state */ listener->s_mgr.state = TCP_STATE_SYN_SENT; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Accepted SYN ACK\n");); LogTcpEvents(listener->tcp_policy, eventcode); PREPROC_PROFILE_END(s5TcpStatePerfStats); @@ -7913,11 +8121,11 @@ */ if(p->tcph->th_flags & TH_RST) { - NormalTrimPayloadIf(p, NORM_TCP, 0, tdb); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); if(ValidRst(listener, tdb)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got RST, bailing\n");); lwssn->session_flags |= SSNFLAG_RESET; talker->s_mgr.state = TCP_STATE_CLOSED; @@ -7936,7 +8144,7 @@ return ACTION_RST; } /* Reset not valid. */ - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "bad sequence number, bailing\n");); s5stats.tcp_discards++; eventcode |= EVENT_BAD_RST; 
@@ -7950,10 +8158,10 @@ /* check for valid seqeuence/retrans */ if(!ValidSeq(listener, tdb)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "bad sequence number, bailing\n");); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP); + NormalTrimPayloadIf(p, NORM_TCP_TRIM, 0, tdb); LogTcpEvents(listener->tcp_policy, eventcode); PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_NOTHING | ts_action; @@ -7962,10 +8170,10 @@ if (ts_action != ACTION_NOTHING) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "bad timestamp, bailing\n");); s5stats.tcp_discards++; - NormalDropPacketIf(p, NORM_TCP); + // this packet was normalized elsewhere LogTcpEvents(listener->tcp_policy, eventcode); PREPROC_PROFILE_END(s5TcpStatePerfStats); return ts_action; @@ -7974,7 +8182,7 @@ /* * update PAWS timestamps */ - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "PAWS update tdb->seq %lu > listener->r_win_base %lu\n", tdb->seq, listener->r_win_base);); if(got_ts && SEQ_EQ(listener->r_nxt_ack, tdb->seq)) @@ -7982,7 +8190,7 @@ if((int32_t)(tdb->ts - talker->ts_last) >= 0 || (uint32_t)p->pkth->ts.tv_sec >= talker->ts_last_pkt+PAWS_24DAYS) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "updating timestamps...\n");); talker->ts_last = tdb->ts; talker->ts_last_pkt = p->pkth->ts.tv_sec; @@ -7990,14 +8198,14 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "not updating timestamps...\n");); } /* - * check for repeat SYNs + * check for repeat SYNs */ - if ( !new_ssn && + if ( !new_ssn && ((p->tcph->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) ) { int action; 
@@ -8023,7 +8231,7 @@ */ if (listener->tcp_policy->max_window && (tdb->win > listener->tcp_policy->max_window)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got window that was beyond the allowed policy value, bailing\n");); /* got a window too large, alert! */ eventcode |= EVENT_WINDOW_TOO_LARGE; @@ -8033,19 +8241,19 @@ PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_NOTHING | ACTION_BAD_PKT; } - else if ( !tdb->win && !listener->total_bytes_queued && + else if ( !tdb->win && !talker->total_bytes_queued && !(p->tcph->th_flags & (TH_FIN|TH_RST)) ) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Window slammed shut!\n");); /* got a window slam alert! */ eventcode |= EVENT_WINDOW_SLAM; s5stats.tcp_discards++; - LogTcpEvents(listener->tcp_policy, eventcode); #ifdef NORMALIZER if ( NormalDropPacketIf(p, NORM_TCP) ) { + LogTcpEvents(listener->tcp_policy, eventcode); PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_NOTHING | ACTION_BAD_PKT; } 
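Review bot: The zero-window test now reads `!talker->total_bytes_queued` where it read `!listener->total_bytes_queued`, a one-token flip with no explanation in the hunk; because the two trackers are easy to confuse, a comment naming the reasoning, e.g. `// a slam only matters while the talker still has data queued for the peer`, would pin the intended side (adjust the wording to the real rationale). Moving `LogTcpEvents` inside the `NormalDropPacketIf` branch looks like it avoids logging EVENT_WINDOW_SLAM twice when the packet is not dropped, presumably because the accumulated `eventcode` is logged at the function's common exit further down; if so, a short comment stating that would stop the relocation from looking like a lost log call. The enclosing function starts and ends outside the hunk.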
@@ -8054,28 +8262,28 @@ if(talker->s_mgr.state_queue != TCP_STATE_NONE) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Found queued state transition on ack 0x%X, " - "current 0x%X!\n", talker->s_mgr.transition_seq, + "current 0x%X!\n", talker->s_mgr.transition_seq, tdb->ack);); if(tdb->ack == talker->s_mgr.transition_seq) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "accepting transition!\n");); talker->s_mgr.state = talker->s_mgr.state_queue; talker->s_mgr.state_queue = TCP_STATE_NONE; } } - - /* + + /* * process ACK flags */ if(p->tcph->th_flags & TH_ACK) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got an ACK...\n");); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s [listener] state: %s\n", l, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s [listener] state: %s\n", l, state_names[listener->s_mgr.state]);); switch(listener->s_mgr.state) @@ -8085,12 +8293,12 @@ break; // fall thru ... case TCP_STATE_SYN_RCVD: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "listener state is SYN_SENT...\n");); if(IsBetween(listener->l_unackd, listener->l_nxt_seq, tdb->ack) && ( !require3Way || ((talker->s_mgr.sub_state == SUB_SETUP_OK) && - (listener->s_mgr.sub_state == SUB_SETUP_OK)) )) + (listener->s_mgr.sub_state == SUB_SETUP_OK)) )) { UpdateSsn(p, listener, talker, tdb); lwssn->session_flags |= SSNFLAG_ESTABLISHED; @@ -8119,7 +8327,7 @@ case TCP_STATE_FIN_WAIT_1: UpdateSsn(p, listener, talker, tdb); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "tdb->ack %X >= talker->r_nxt_ack %X\n", tdb->ack, talker->r_nxt_ack);); if ( SEQ_EQ(tdb->ack, listener->l_nxt_seq) ) 
@@ -8128,13 +8336,13 @@ if ( (p->tcph->th_flags & TH_FIN) ) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seq ok, setting state!\n");); if (talker->s_mgr.state_queue == TCP_STATE_NONE) { talker->s_mgr.state = TCP_STATE_LAST_ACK; - } + } // FIXTHIS this should be handled below in fin section // but midstream sessions fail the seq test listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; @@ -8144,7 +8352,7 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "bad ack!\n");); } break; @@ -8194,14 +8402,14 @@ */ if(p->dsize) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s state: %s(%d) getting data\n", l, - state_names[listener->s_mgr.state], + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s state: %s(%d) getting data\n", l, + state_names[listener->s_mgr.state], listener->s_mgr.state);); // FIN means only that sender is done talking, // other side may continue yapping. - if(TCP_STATE_FIN_WAIT_2 == talker->s_mgr.state || + if(TCP_STATE_FIN_WAIT_2 == talker->s_mgr.state || TCP_STATE_TIME_WAIT == talker->s_mgr.state) { /* data on a segment when we're not accepting data any more */ 
@@ -8233,33 +8441,38 @@ } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Queuing data on listener, t %s, l %s...\n", flush_policy_names[talker->flush_mgr.flush_policy], flush_policy_names[listener->flush_mgr.flush_policy]);); #ifdef NORMALIZER - // sender of syn w/mss limits payloads from peer - // since we store mss on sender side, use listener mss - // same reasoning for window size - if ( Normalize_IsEnabled(snort_conf, NORM_TCP) ) - { - // get the current window size - StreamTracker* st = listener; - uint32_t max = (st->r_win_base + st->l_window) - st->r_nxt_ack; - - // get lesser of current window or mss but - // if mss is zero it is unset so don't use it - if ( st->mss && st->mss < max ) - max = st->mss; - - NormalTrimPayload(p, max, tdb); + // these normalizations can't be done if we missed setup. and + // window is zero in one direction until we've seen both sides. + if ( !(lwssn->session_flags & SSNFLAG_MIDSTREAM) ) + { + if ( Normalize_IsEnabled(snort_conf, NORM_TCP_TRIM) ) + { + // sender of syn w/mss limits payloads from peer + // since we store mss on sender side, use listener mss + // same reasoning for window size + StreamTracker* st = listener; + + // get the current window size + uint32_t max = (st->r_win_base + st->l_window) - st->r_nxt_ack; + + // get lesser of current window or mss but + // if mss is zero it is unset so don't use it + if ( st->mss && st->mss < max ) + max = st->mss; + NormalTrimPayload(p, max, tdb); + } if ( Normalize_IsEnabled(snort_conf, NORM_TCP_ECN_STR) ) NormalCheckECN(tcpssn, p); } #endif - /* + /* * dunno if this is RFC but fragroute testing expects it * for the record, I've seen FTP data sessions that send * data packets with no tcp flags set 
@@ -8278,29 +8491,23 @@ if(p->tcph->th_flags & TH_FIN) { - // listener->r_nxt_ack includes fin iff data present - // (because ProcessTcpData() is called above) - uint32_t seq = tdb->end_seq; - if ( !p->dsize ) - seq--; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got an FIN...\n");); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s state: %s(%d)\n", l, - state_names[talker->s_mgr.state], + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s state: %s(%d)\n", l, + state_names[talker->s_mgr.state], talker->s_mgr.state);); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "checking ack (0x%X) vs nxt_ack (0x%X)\n", - seq, listener->r_nxt_ack);); - if(SEQ_LT(seq,listener->r_nxt_ack)) + tdb->end_seq, listener->r_win_base);); + if(SEQ_LT(tdb->end_seq,listener->r_win_base)) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "FIN inside r_nxt_ack, bailing\n");); + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "FIN inside r_win_base, bailing\n");); goto dupfin; } - else if(SEQ_EQ(seq,listener->r_nxt_ack)) + else { switch(talker->s_mgr.state) { @@ -8311,6 +8518,10 @@ talker->s_mgr.state_queue = TCP_STATE_CLOSING; } talker->s_mgr.state = TCP_STATE_FIN_WAIT_1; +#ifdef NORMALIZER + if ( !p->dsize ) + CheckFlushPolicyOnData(tcpssn, talker, listener, tdb, p); +#endif Stream5UpdatePerfBaseState(&sfBase, tcpssn->lwssn, TCP_STATE_CLOSING); break; 
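Review bot: The debug message still reads `"checking ack (0x%X) vs nxt_ack (0x%X)\n"` while the value now printed and compared is `listener->r_win_base`; renaming it to `"checking fin end_seq (0x%X) vs r_win_base (0x%X)\n"` keeps the trace in step with the test, as the rewritten bail message `"FIN inside r_win_base, bailing\n"` already does. Replacing `else if(SEQ_EQ(seq,listener->r_nxt_ack))` with a bare `else` means any FIN at or beyond `r_win_base`, including one ahead of the expected sequence, now enters the talker state switch; the sub-state logic that is meant to catch the early case lives in the following hunk and is worth reviewing together with this one. The enclosing function starts and ends outside the hunk.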
@@ -8327,48 +8538,55 @@ { case TCP_STATE_ESTABLISHED: listener->s_mgr.state_queue = TCP_STATE_CLOSE_WAIT; - listener->s_mgr.transition_seq = tdb->end_seq; + listener->s_mgr.transition_seq = tdb->end_seq + 1; listener->s_mgr.expected_flags = TH_ACK; break; case TCP_STATE_FIN_WAIT_1: listener->s_mgr.state_queue = TCP_STATE_CLOSING; - listener->s_mgr.transition_seq = tdb->end_seq; + listener->s_mgr.transition_seq = tdb->end_seq + 1; listener->s_mgr.expected_flags = TH_ACK; break; case TCP_STATE_FIN_WAIT_2: - listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; - listener->s_mgr.transition_seq = tdb->end_seq; + listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; + listener->s_mgr.transition_seq = tdb->end_seq + 1; listener->s_mgr.expected_flags = TH_ACK; break; } - } - else - { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "FIN beyond r_nxt_ack, ignoring\n");); - switch(talker->s_mgr.state) + // need substate since we don't change state immediately + if ( !(talker->s_mgr.sub_state & SUB_FIN_SENT) ) { - case TCP_STATE_FIN_WAIT_1: - case TCP_STATE_LAST_ACK: - eventcode |= EVENT_BAD_FIN; - LogTcpEvents(talker->tcp_policy, eventcode); - NormalDropPacketIf(p, NORM_TCP); - PREPROC_PROFILE_END(s5TcpStatePerfStats); - return ACTION_NOTHING | ACTION_BAD_PKT; + talker->l_nxt_seq++; + listener->r_nxt_ack++; + talker->s_mgr.sub_state |= SUB_FIN_SENT; + } + else if(SEQ_GEQ(tdb->end_seq,talker->l_nxt_seq)) + { + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "FIN beyond l_nxt_seq, ignoring\n");); + switch(talker->s_mgr.state) + { + case TCP_STATE_FIN_WAIT_1: + case TCP_STATE_LAST_ACK: + eventcode |= EVENT_BAD_FIN; + LogTcpEvents(talker->tcp_policy, eventcode); + NormalDropPacketIf(p, NORM_TCP); + PREPROC_PROFILE_END(s5TcpStatePerfStats); + return ACTION_NOTHING | ACTION_BAD_PKT; + } } } } dupfin: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s [talker] state: %s\n", t, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s [talker] state: %s\n", t, 
state_names[talker->s_mgr.state]);); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - " %s state: %s(%d)\n", l, - state_names[listener->s_mgr.state], + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + " %s state: %s(%d)\n", l, + state_names[listener->s_mgr.state], listener->s_mgr.state);); /* 
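Review bot: The first FIN a talker sends is accepted without any position check: `if ( !(talker->s_mgr.sub_state & SUB_FIN_SENT) )` bumps `talker->l_nxt_seq` and `listener->r_nxt_ack` and sets the sub-state, and the `SEQ_GEQ(tdb->end_seq,talker->l_nxt_seq)` rejection with EVENT_BAD_FIN now applies only to a later, second FIN. Together with the previous hunk's switch from `SEQ_EQ(seq,listener->r_nxt_ack)` to a bare `else`, a FIN whose end_seq lies ahead of the talker's next expected sequence (out of order, or outside the window) advances the state machine and shifts both counters by one at the wrong point, where the replaced code ignored or flagged it. Consider running the same sequence test against `talker->l_nxt_seq` before taking the first-FIN branch, so an early FIN is deferred through `state_queue`/`transition_seq` or rejected rather than counted. The enclosing function continues outside the hunk.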
@@ -8378,52 +8596,68 @@ (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_CLOSED)) { //dropssn: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Session terminating, flushing session buffers\n");); if(p->packet_flags & PKT_FROM_SERVER) { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "flushing FROM_SERVER\n");); if(talker->seg_bytes_logical) - flush_stream(tcpssn, talker, p, + { + uint32_t flushed = flush_stream(tcpssn, talker, p, GET_DST_IP(p), GET_SRC_IP(p), p->tcph->th_dport, p->tcph->th_sport, PKT_FROM_CLIENT); + if(flushed) + purge_alerts(talker, talker->r_win_base, (void *)tcpssn->lwssn); + } + if(listener->seg_bytes_logical) - flush_stream(tcpssn, listener, p, + { + uint32_t flushed = flush_stream(tcpssn, listener, p, GET_SRC_IP(p), GET_DST_IP(p), p->tcph->th_sport, p->tcph->th_dport, PKT_FROM_SERVER); + + if(flushed) + purge_alerts(listener, listener->r_win_base, (void *)tcpssn->lwssn); + } } else { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "flushing FROM_CLIENT\n");); if(listener->seg_bytes_logical) { - flush_stream(tcpssn, listener, p, + uint32_t flushed = flush_stream(tcpssn, listener, p, GET_SRC_IP(p), GET_DST_IP(p), p->tcph->th_sport, p->tcph->th_dport, PKT_FROM_CLIENT); + + if(flushed) + purge_alerts(listener, listener->r_win_base, (void *)tcpssn->lwssn); } + if(talker->seg_bytes_logical) { - flush_stream(tcpssn, talker, p, + uint32_t flushed = flush_stream(tcpssn, talker, p, GET_DST_IP(p), GET_SRC_IP(p), p->tcph->th_dport, p->tcph->th_sport, PKT_FROM_SERVER); + + if(flushed) + purge_alerts(talker, talker->r_win_base,(void *)tcpssn->lwssn); } } - /* yoink that shit */ LogTcpEvents(listener->tcp_policy, eventcode); DeleteLWSession(tcp_lws_cache, lwssn, "closed normally"); p->ssnptr = NULL; PREPROC_PROFILE_END(s5TcpStatePerfStats); return 
ACTION_LWSSN_DELETED; - } + } else if(listener->s_mgr.state == TCP_STATE_CLOSED && talker->s_mgr.state == TCP_STATE_SYN_SENT) { if(p->tcph->th_flags & TH_SYN && @@ -8434,7 +8668,13 @@ } } - CheckFlushPolicy(tcpssn, talker, listener, tdb, p); +#ifdef NORMALIZER + if ( p->dsize > 0 ) + CheckFlushPolicyOnData(tcpssn, talker, listener, tdb, p); +#endif + + if ( p->tcph->th_flags & TH_ACK ) + CheckFlushPolicyOnAck(tcpssn, talker, listener, tdb, p); LogTcpEvents(listener->tcp_policy, eventcode); PREPROC_PROFILE_END(s5TcpStatePerfStats); @@ -8442,7 +8682,7 @@ } // this is for post-ack flushing -static INLINE int GetReverseDir (const Packet* p) +static inline uint32_t GetReverseDir (const Packet* p) { /* Remember, one side's packets are stored in the * other side's queue. So when talker ACKs data, @@ -8463,7 +8703,7 @@ } #ifdef NORMALIZER -static INLINE uint32_t GetForwardDir (const Packet* p) +static inline uint32_t GetForwardDir (const Packet* p) { if ( p->packet_flags & PKT_FROM_SERVER ) return PKT_FROM_SERVER; @@ -8474,7 +8714,7 @@ return 0; } -static INLINE int CheckFlushCoercion ( +static inline int CheckFlushCoercion ( Packet* p, FlushMgr* fm, uint16_t flush_factor ) { if ( !flush_factor ) @@ -8484,9 +8724,9 @@ p->dsize && (p->dsize < fm->last_size) && (fm->last_count >= flush_factor) ) - { - fm->last_size = 0; - fm->last_count = 0; + { + fm->last_size = 0; + fm->last_count = 0; return 1; } if ( p->dsize > fm->last_size ) 
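Review bot: The four flush-and-purge blocks in the session-terminating branch differ only in which tracker and which address/port ordering they pass, so a small static helper taking the tracker, the direction flag and the packet would replace them and make the `if(flushed) purge_alerts(...)` pairing impossible to omit from one copy. The `(void *)tcpssn->lwssn` cast is unnecessary if `purge_alerts` takes a `void *` (an object pointer converts implicitly) and misleading if it takes a `Stream5LWSession *`; I would drop it in all four call sites. The enclosing function starts before this hunk.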
@@ -8497,40 +8737,83 @@ } #endif -int CheckFlushPolicy(TcpSession *tcpssn, StreamTracker *talker, - StreamTracker *listener, TcpDataBlock *tdb, Packet *p) +#ifdef NORMALIZER +// see flush_pdu_ackd() for details +// the key difference is that we operate on forward moving data +// because we don't wait until it is acknowledged +static inline uint32_t flush_pdu_ips ( + TcpSession* ssn, StreamTracker* trk, Packet* pkt, uint32_t* flags) +{ + bool to_srv = ( *flags == PKT_FROM_CLIENT ); + uint16_t srv_port = ( to_srv ? pkt->dp : pkt->sp ); + uint32_t total = 0, avail = get_q_sequenced(trk); + StreamSegment* seg = trk->seglist_next; + + // * must stop if gap + while ( seg && *flags && (total < avail) + && !(trk->flags & TF_MISSING_PKT) ) + { + uint32_t flush_pt; + uint32_t size = seg->size; + uint32_t end = seg->seq + seg->size; + uint32_t pos = s5_paf_position(&trk->paf_state); + + total += size; + + if ( s5_paf_initialized(&trk->paf_state) && SEQ_LEQ(end, pos) ) + { + seg = seg->next; + continue; + } + + flush_pt = s5_paf_check( + s5_tcp_eval_config->paf_config, &trk->paf_state, ssn->lwssn, + seg->payload, size, total, seg->seq, srv_port, flags, + trk->flush_mgr.flush_pt); + + if ( flush_pt > 0 ) + return flush_pt; + + seg = seg->next; + } + if ( trk->flags & TF_MISSING_PKT ) + trk->flush_mgr.flush_policy = STREAM_FLPOLICY_FOOTPRINT_IPS; + + return 0; +} + +static inline int CheckFlushPolicyOnData( + TcpSession *tcpssn, StreamTracker *talker, + StreamTracker *listener, TcpDataBlock *tdb, Packet *p) { uint32_t flushed = 0; + uint32_t avail; - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "In CheckFlushPolicy\n");); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Talker flush policy: %s\n", + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "In CheckFlushPolicyOnData\n");); + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Talker flush policy: %s\n", flush_policy_names[talker->flush_mgr.flush_policy]);); - 
STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Listener flush policy: %s\n", + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Listener flush policy: %s\n", flush_policy_names[listener->flush_mgr.flush_policy]);); -#ifdef NORMALIZER - if ( Normalize_IsEnabled(snort_conf, NORM_TCP_IPS) ) + switch(listener->flush_mgr.flush_policy) { - int coerce; - uint32_t avail; - - switch(listener->flush_mgr.flush_policy) - { case STREAM_FLPOLICY_IGNORE: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "STREAM_FLPOLICY_IGNORE\n");); return 0; - case STREAM_FLPOLICY_FOOTPRINT: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "STREAM_FLPOLICY_FOOTPRINT\n");); + case STREAM_FLPOLICY_FOOTPRINT_IPS: + { + int coerce; + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "STREAM_FLPOLICY_FOOTPRINT-IPS\n");); + avail = get_q_sequenced(listener); coerce = CheckFlushCoercion( p, &listener->flush_mgr, listener->tcp_policy->flush_factor); - avail = get_q_sequenced(listener); if ( (avail > 0) && 
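Review bot: The gap fallback at the end of `flush_pdu_ips`, `if ( trk->flags & TF_MISSING_PKT ) trk->flush_mgr.flush_policy = STREAM_FLPOLICY_FOOTPRINT_IPS;`, switches policy but leaves `flush_pt` and `flush_type` untouched, whereas the PAF-abort fallback in the caller (`if ( !flags )` in the next hunk) also adds `ScPafMax()` to `flush_pt` and sets `S5_FT_PAF_MAX`; the same pair of divergent fallbacks recurs in `flush_pdu_ackd` and `CheckFlushPolicyOnAck`. If a bare policy switch is correct after a gap, a comment saying why the flush point needs no adjustment would help; otherwise one static helper applying the full fallback in all four places would remove the drift. `// see flush_pdu_ackd() for details` covers the algorithm, but the one line that differs silently, `uint16_t srv_port = ( to_srv ? pkt->dp : pkt->sp );`, deserves its own sentence: here `pkt` is the data segment itself rather than the peer's ACK, so the port roles are mirrored relative to `flush_pdu_ackd`. `flush_pdu_ips` is complete here; `CheckFlushPolicyOnData` continues into the next hunk.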
@@ -8542,27 +8825,143 @@ if ( talker->s_mgr.state == TCP_STATE_FIN_WAIT_1 ) listener->flags |= TF_FORCE_FLUSH; - flushed = flush_to_seq(tcpssn, listener, avail, p, - GET_SRC_IP(p), GET_DST_IP(p), - p->tcph->th_sport, p->tcph->th_dport, dir); + flushed = flush_to_seq( + tcpssn, listener, avail, p, + GET_SRC_IP(p), GET_DST_IP(p), + p->tcph->th_sport, p->tcph->th_dport, dir); + } + } + break; - if ( flushed ) - purge_ackd(tcpssn, listener); + case STREAM_FLPOLICY_PROTOCOL_IPS: + { + uint32_t flags = GetForwardDir(p); + uint32_t flush_amt = flush_pdu_ips(tcpssn, listener, p, &flags); + + while ( flush_amt > 0 ) + { + // if this payload is exactly one pdu, don't + // actually flush, just use the raw packet + if ( (tdb->seq == listener->seglist->seq) && + (flush_amt == listener->seglist->size) && + (flush_amt == p->dsize) ) + { + flushed += flush_amt; + listener->seglist->buffered = SL_BUF_FLUSHED; + listener->flush_count++; + p->packet_flags |= PKT_PDU_FULL; + ShowRebuiltPacket(p); + } + else + { + flushed += flush_to_seq( + tcpssn, listener, flush_amt, p, + GET_SRC_IP(p), GET_DST_IP(p), + p->tcph->th_sport, p->tcph->th_dport, flags); + } + flags = GetForwardDir(p); + flush_amt = flush_pdu_ips(tcpssn, listener, p, &flags); + } + if ( !flags ) + { + listener->flush_mgr.flush_policy = STREAM_FLPOLICY_FOOTPRINT_IPS; + listener->flush_mgr.flush_pt += ScPafMax(); + listener->flush_mgr.flush_type = S5_FT_PAF_MAX; + return CheckFlushPolicyOnData(tcpssn, talker, listener, tdb, p); } - break; } - return flushed; + break; } + return flushed; +} #endif + +// iterate over seglist and scan all new acked bytes +// - new means not yet scanned +// - must use seglist data (not packet) since this packet may plug a +// hole and enable paf scanning of following segments +// - if we reach a flush point +// - return bytes to flush if data available (must be acked) +// - return zero if not yet received or received but not acked +// - if we reach a skip point +// - jump ahead and resume 
scanning any available data +// - must stop if we reach a gap +// - one segment may lead to multiple checks since +// it may contain multiple encapsulated PDUs +// - if we partially scan a segment we must save state so we +// know where we left off and can resume scanning the remainder + +static inline uint32_t flush_pdu_ackd ( + TcpSession* ssn, StreamTracker* trk, Packet* pkt, uint32_t* flags) +{ + bool to_srv = ( *flags == PKT_FROM_CLIENT ); + uint16_t srv_port = ( to_srv ? pkt->sp : pkt->dp ); + uint32_t total = 0; + + StreamSegment* seg = trk->seglist; + + // * must stop if not acked + // * must use adjusted size of seg if not fully acked + // * must stop if gap + while ( seg && *flags + && !(trk->flags & TF_MISSING_PKT) + && SEQ_LT(seg->seq, trk->r_win_base) ) + { + uint32_t flush_pt; + uint32_t size = seg->size; + uint32_t end = seg->seq + seg->size; + uint32_t pos = s5_paf_position(&trk->paf_state); + + if ( SEQ_GT(end, trk->r_win_base) ) + size = trk->r_win_base - seg->seq; + + total += size; + + if ( s5_paf_initialized(&trk->paf_state) && SEQ_LEQ(end, pos) ) + { + seg = seg->next; + continue; + } + flush_pt = s5_paf_check( + s5_tcp_eval_config->paf_config, &trk->paf_state, ssn->lwssn, + seg->payload, size, total, seg->seq, srv_port, flags, + trk->flush_mgr.flush_pt); + + if ( flush_pt > 0 ) + return flush_pt; + + seg = seg->next; + } + if ( trk->flags & TF_MISSING_PKT ) + trk->flush_mgr.flush_policy = STREAM_FLPOLICY_FOOTPRINT; + + return 0; +} + +int CheckFlushPolicyOnAck( + TcpSession *tcpssn, StreamTracker *talker, + StreamTracker *listener, TcpDataBlock *tdb, Packet *p) +{ + uint32_t flushed = 0; + + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "In CheckFlushPolicyOnAck\n");); + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Talker flush policy: %s\n", + flush_policy_names[talker->flush_mgr.flush_policy]);); + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Listener flush policy: %s\n", + 
flush_policy_names[listener->flush_mgr.flush_policy]);); + switch(talker->flush_mgr.flush_policy) { case STREAM_FLPOLICY_IGNORE: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "STREAM_FLPOLICY_IGNORE\n");); return 0; case STREAM_FLPOLICY_FOOTPRINT: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "STREAM_FLPOLICY_FOOTPRINT\n");); { if(get_q_footprint(talker) >= talker->flush_mgr.flush_pt) @@ -8580,7 +8979,7 @@ break; case STREAM_FLPOLICY_LOGICAL: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "STREAM_FLPOLICY_LOGICAL\n");); if(talker->seg_bytes_logical > talker->flush_mgr.flush_pt) { @@ -8596,19 +8995,19 @@ break; case STREAM_FLPOLICY_RESPONSE: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Running FLPOLICY_RESPONSE\n");); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "checking l.r_win_base (0x%X) > " - "t.seglist_base_seq (0x%X)\n", + "t.seglist_base_seq (0x%X)\n", talker->r_win_base, talker->seglist_base_seq);); - if(SEQ_GT(talker->r_win_base, talker->seglist_base_seq) && + if(SEQ_GT(talker->r_win_base, talker->seglist_base_seq) && IsWellFormed(p, talker)) { uint32_t dir = GetReverseDir(p); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "flushing talker, t->sbl: %d\n", talker->seg_bytes_logical);); //PrintStreamTracker(talker); @@ -8618,7 +9017,7 @@ GET_DST_IP(p), GET_SRC_IP(p), p->tcph->th_dport, p->tcph->th_sport, dir); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "bye bye data...\n");); if(flushed) 
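Review bot: In the STREAM_FLPOLICY_PROTOCOL_IPS case, `return CheckFlushPolicyOnData(tcpssn, talker, listener, tdb, p);` discards whatever the loop above already accumulated in `flushed`, so the value handed back covers only the footprint flush performed after the fallback; `return flushed + CheckFlushPolicyOnData(tcpssn, talker, listener, tdb, p);` keeps it consistent with the `return flushed;` below (the call sites visible in this diff ignore the result, so this is consistency rather than an observed fault). The recursion terminates only because the policy was just switched to FOOTPRINT_IPS, which is worth stating at the call, e.g. `// re-enter once under the footprint policy installed above`. The same shape appears in the STREAM_FLPOLICY_PROTOCOL case of `CheckFlushPolicyOnAck`, though there the comment already explains that `flushed` is deliberately not a running total. `CheckFlushPolicyOnAck` continues beyond this hunk.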
@@ -8627,7 +9026,7 @@ break; case STREAM_FLPOLICY_SLIDING_WINDOW: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "STREAM_FLPOLICY_SLIDING_WINDOW\n");); if(get_q_footprint(talker) >= talker->flush_mgr.flush_pt) { @@ -8637,16 +9036,16 @@ GET_DST_IP(p), GET_SRC_IP(p), p->tcph->th_dport, p->tcph->th_sport, dir); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Deleting head node for sliding window...\n");); /* Base sequence for next window'd flush is the end * of the first packet. */ talker->seglist_base_seq = talker->seglist->seq + talker->seglist->size; - Stream5SeglistDeleteNode(talker, talker->seglist); + Stream5SeglistDeleteNode(talker, talker->seglist, 0); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "setting talker->seglist_base_seq to 0x%X\n", + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "setting talker->seglist_base_seq to 0x%X\n", talker->seglist->seq);); } @@ -8654,7 +9053,7 @@ #if 0 case STREAM_FLPOLICY_CONSUMED: - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "STREAM_FLPOLICY_CONSUMED\n");); if(get_q_footprint(talker) >= talker->flush_mgr.flush_pt) { 
@@ -8664,23 +9063,62 @@ p->iph->ip_dst.s_addr, p->iph->ip_src.s_addr, p->tcph->th_dport, p->tcph->th_sport, dir); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Deleting head node for sliding window...\n");); talker->seglist_base_seq = talker->seglist->seq + talker->seglist->size; /* TODO: Delete up to the consumed bytes */ - Stream5SeglistDeleteNode(talker, talker->seglist); + Stream5SeglistDeleteNode(talker, talker->seglist, 0); - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "setting talker->seglist_base_seq to 0x%X\n", + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "setting talker->seglist_base_seq to 0x%X\n", talker->seglist->seq);); } break; #endif + case STREAM_FLPOLICY_PROTOCOL: + { + uint32_t flags = GetReverseDir(p); + uint32_t flush_amt = flush_pdu_ackd(tcpssn, talker, p, &flags); + + while ( flush_amt > 0 ) + { + uint32_t base = talker->seglist_base_seq; + + // for consistency with other cases, should return total + // but that breaks flushing pipelined pdus + flushed = flush_to_seq( + tcpssn, talker, flush_amt, p, + GET_DST_IP(p), GET_SRC_IP(p), + p->tcph->th_dport, p->tcph->th_sport, flags); + + // ideally we would purge just once after this loop + // but that throws off base + if ( flushed ) + purge_to_seq(tcpssn, talker, base + flushed); + + flags = GetReverseDir(p); + flush_amt = flush_pdu_ackd(tcpssn, talker, p, &flags); + } + if ( !flags ) + { + talker->flush_mgr.flush_policy = STREAM_FLPOLICY_FOOTPRINT; + talker->flush_mgr.flush_pt += ScPafMax(); + talker->flush_mgr.flush_type = S5_FT_PAF_MAX; + return CheckFlushPolicyOnAck(tcpssn, talker, listener, tdb, p); + } + } + break; +#ifdef NORMALIZER + case STREAM_FLPOLICY_FOOTPRINT_IPS: + case STREAM_FLPOLICY_PROTOCOL_IPS: + purge_flushed_ackd(tcpssn, talker); + break; +#endif } - + return flushed; } 
@@ -8719,17 +9157,36 @@ return; } -static int Stream5SeglistDeleteNode(StreamTracker *st, StreamSegment *seg) +static int Stream5SeglistDeleteNode( + StreamTracker *st, StreamSegment *seg, uint32_t flush_seq) { int ret; if(st == NULL || seg == NULL) return 0; - STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, - "Dropping segment at seq %X, len %d\n", + if ( s5_paf_active(&st->paf_state) && + flush_seq && ((seg->seq + seg->size) > flush_seq) ) + { + uint32_t delta = seg->seq + seg->size - flush_seq; + + if ( delta < seg->size ) + { + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "Left-Trimming segment at seq %X, len %d, delta %u\n", + seg->seq, seg->size, delta);); + + seg->seq = flush_seq; + seg->size -= (uint16_t)delta; + + return 0; + } + } + + STREAM5_DEBUG_WRAP( DebugMessage(DEBUG_STREAM_STATE, + "Dropping segment at seq %X, len %d\n", seg->seq, seg->size);); - + if(seg->prev) seg->prev->next = seg->next; else @@ -8905,7 +9362,7 @@ return packets; } -int Stream5AddSessionAlertTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid) +int Stream5AddSessionAlertTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid, int alerted) { TcpSession *tcpssn = NULL; StreamTracker *st; @@ -8937,6 +9394,10 @@ st->alerts[st->alert_count].gid = gid; st->alerts[st->alert_count].sid = sid; st->alerts[st->alert_count].seq = p->tcph->th_seq; + if(alerted) + { + st->alerts[st->alert_count].extra_data.xtradata_mask |= p->xtradata_mask; + } st->alert_count++; return 0; @@ -8947,6 +9408,7 @@ TcpSession *tcpssn = NULL; StreamTracker *st; int i; + int iRet = 0; if (lwssn->proto_specific_data) tcpssn = (TcpSession *)lwssn->proto_specific_data->data; 
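Review bot: The left-trim arithmetic in the new Stream5SeglistDeleteNode branch removes the wrong amount: `delta` is `seg->seq + seg->size - flush_seq`, the number of unflushed bytes past `flush_seq`, yet the code sets `seg->seq = flush_seq` and shrinks `size` by that same `delta`, so the surviving node claims to cover `[flush_seq, flush_seq + (flush_seq - old_seq))`, which equals the real unflushed tail only when `flush_seq` is exactly the segment midpoint. The removed amount should be the flushed prefix: `uint32_t delta = flush_seq - seg->seq;` with `seg->size -= (uint16_t)delta;` kept, and whatever pointer the segment uses for its payload (not visible in the hunk) advanced by the same `delta`, otherwise already-flushed bytes are re-presented under the new sequence number. The guard `(seg->seq + seg->size) > flush_seq` is also a plain unsigned compare while this file otherwise uses the SEQ_* macros (`SEQ_EQ` appears below) for wrap-safe sequence arithmetic, so a segment straddling the 2^32 boundary would skip the trim and be deleted whole. The function's body continues past the hunk.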
@@ -8983,11 +9445,64 @@ if ( st->alerts[i].gid == gid && st->alerts[i].sid == sid ) { + if(p->xtradata_mask != st->alerts[i].extra_data.xtradata_mask) + { + st->alerts[i].extra_data.xtradata_mask |= p->xtradata_mask; + iRet = -1; + continue; + } return -1; } } - return 0; + return iRet; +} + + +int Stream5LogSessionAlertExtraDataTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid, uint32_t event_id, uint32_t event_second) +{ + TcpSession *tcpssn = NULL; + StreamTracker *st; + int i; + uint32_t seq_num; + + if (lwssn->proto_specific_data) + tcpssn = (TcpSession *)lwssn->proto_specific_data->data; + + if (!tcpssn) + { + return 0; + } + +#ifdef SUP_IP6 + if (IP_EQUALITY(GET_SRC_IP(p), &tcpssn->tcp_client_ip)) +#else + if (p->iph->ip_src.s_addr == tcpssn->tcp_client_ip) +#endif + { + st = &tcpssn->server; + } + else + { + st = &tcpssn->client; + } + + seq_num = GET_PKT_SEQ(p); + + for (i=0;i<st->alert_count;i++) + { + uint32_t alert_seq = ntohl(st->alerts[i].seq); + if ( st->alerts[i].gid == gid && + st->alerts[i].sid == sid && SEQ_EQ(alert_seq,seq_num)) + { + st->alerts[i].extra_data.xtradata_mask |= p->xtradata_mask; + st->alerts[i].extra_data.event_id = event_id; + st->alerts[i].extra_data.event_second = event_second; + return 0; + } + } + + return -1; } char Stream5GetReassemblyDirectionTcp(Stream5LWSession *lwssn) @@ -9062,12 +9577,14 @@ tcpssn->client.flush_mgr.flush_pt = flush_point; tcpssn->client.flush_mgr.last_size = 0; tcpssn->client.flush_mgr.last_count = 0; + tcpssn->client.flush_mgr.flush_type = S5_FT_EXTERNAL; } else if (dir & SSN_DIR_SERVER) { tcpssn->server.flush_mgr.flush_pt = flush_point; tcpssn->server.flush_mgr.last_size = 0; tcpssn->server.flush_mgr.last_count = 0; + tcpssn->server.flush_mgr.flush_type = S5_FT_EXTERNAL; } } 
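Review bot: Stream5LogSessionAlertExtraDataTcp's return values are inconsistent and undocumented: it returns 0 when the session has no TcpSession (nothing was recorded) but -1 when no alert with the same gid/sid/seq exists, so a caller that treats 0 as "logged" is misled in the first case. A header comment should make the contract explicit, e.g. `/* Attach this packet's xtradata_mask plus event_id/event_second to the recorded session alert matching gid, sid and the packet's seq. Returns 0 on success or when no TCP session exists, -1 when no matching alert is recorded. */`, or better, return -1 from the `!tcpssn` path too so 0 always means the data was attached. The match loop comparing `ntohl(st->alerts[i].seq)` with `GET_PKT_SEQ(p)` is consistent with Stream5AddSessionAlertTcp storing `p->tcph->th_seq` in network order above; the bound on `alert_count` before that store is outside the hunk. The three functions also repeat the same client/server tracker selection, which a small static helper would remove.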
@@ -9094,14 +9611,12 @@ if (tcpssn->client.flush_mgr.flush_policy != STREAM_FLPOLICY_NONE) { /* Changing policy with APPEND, Bad */ - DEBUG_WRAP( - LogMessage("Stream: Changing client flush policy using " + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream: Changing client flush policy using " "append is asking for trouble. Ignored\n");); } else { - tcpssn->client.flush_mgr.flush_policy = flush_policy; - /* And Initialize the Flush Mgr */ InitFlushMgr(&tcpssn->client.flush_mgr, &tcpssn->client.tcp_policy->flush_point_list, flush_policy); @@ -9113,14 +9628,12 @@ if (tcpssn->server.flush_mgr.flush_policy != STREAM_FLPOLICY_NONE) { /* Changing policy with APPEND, Bad */ - DEBUG_WRAP( - LogMessage("Stream: Changing server flush policy using " + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream: Changing server flush policy using " "append is asking for trouble. Ignored\n");); } else { - tcpssn->server.flush_mgr.flush_policy = flush_policy; - /* And Initialize the Flush Mgr */ InitFlushMgr(&tcpssn->server.flush_mgr, &tcpssn->server.tcp_policy->flush_point_list, flush_policy); @@ -9132,8 +9645,6 @@ { if (dir & SSN_DIR_CLIENT) { - tcpssn->client.flush_mgr.flush_policy = flush_policy; - /* And Initialize the Flush Mgr */ InitFlushMgr(&tcpssn->client.flush_mgr, &tcpssn->client.tcp_policy->flush_point_list, flush_policy); @@ -9141,9 +9652,7 @@ if (dir & SSN_DIR_SERVER) { - tcpssn->server.flush_mgr.flush_policy = flush_policy; - /* And Initialize the Flush Mgr */ - InitFlushMgr(&tcpssn->server.flush_mgr, + InitFlushMgr(&tcpssn->server.flush_mgr, &tcpssn->server.tcp_policy->flush_point_list, flush_policy); } @@ -9331,7 +9840,7 @@ } else { - FatalError("%s(%d): Invalid direction: %s for option %s\n", + FatalError("%s(%d): Invalid direction: %s for option %s\n", file_name, file_line, toks[0], name); } 
@@ -9364,14 +9873,14 @@ } else { - FatalError("%s(%d): Invalid operator: %s for option %s\n", + FatalError("%s(%d): Invalid operator: %s for option %s\n", file_name, file_line, toks[1], name); } ssod->size = SnortStrtoul(toks[2], &endp, 0); if ((endp == toks[2]) || (errno == ERANGE)) { - FatalError("%s(%d): Invalid size: %s for option %s\n", + FatalError("%s(%d): Invalid size: %s for option %s\n", file_name, file_line, toks[2], name); } @@ -9381,7 +9890,7 @@ return 1; } -static INLINE int s5TcpStreamSizeCompare(uint32_t size1, uint32_t size2, char operator) +static inline int s5TcpStreamSizeCompare(uint32_t size1, uint32_t size2, char operator) { int retval = 0; switch (operator) @@ -9419,7 +9928,7 @@ int s5TcpStreamSizeEval(void *p, const uint8_t **cursor, void *dataPtr) { Packet *pkt = p; - Stream5LWSession *lwssn = NULL; + Stream5LWSession *lwssn = NULL; TcpSession *tcpssn = NULL; StreamSizeOptionData *ssod = (StreamSizeOptionData *)dataPtr; uint32_t client_size; @@ -9555,7 +10064,7 @@ else { FatalError("%s(%d): Invalid action: %s for option %s. Valid " - "parameters are 'enable' or 'disable'\n", + "parameters are 'enable' or 'disable'\n", file_name, file_line, toks[0], name); } @@ -9578,7 +10087,7 @@ } else { - FatalError("%s(%d): Invalid direction: %s for option %s\n", + FatalError("%s(%d): Invalid direction: %s for option %s\n", file_name, file_line, toks[1], name); } @@ -9606,7 +10115,7 @@ } else { - FatalError("%s(%d): Invalid optional parameter: %s for option %s\n", + FatalError("%s(%d): Invalid optional parameter: %s for option %s\n", file_name, file_line, toks[i], name); } } @@ -9621,7 +10130,7 @@ int s5TcpStreamReassembleRuleOptionEval(void *p, const uint8_t **cursor, void *dataPtr) { Packet *pkt = p; - Stream5LWSession *lwssn = NULL; + Stream5LWSession *lwssn = NULL; StreamReassembleRuleOptionData *srod = (StreamReassembleRuleOptionData *)dataPtr; PROFILE_VARS; 
@@ -9664,7 +10173,7 @@
 }
 }
-void s5TcpSetPortFilterStatus(unsigned short port, int status, tSfPolicyId policyId, int parsing)
+void s5TcpSetPortFilterStatus(unsigned short port, uint16_t status, tSfPolicyId policyId, int parsing)
 {
 Stream5Config *config;
 Stream5TcpConfig *tcp_config;
@@ -9686,6 +10195,28 @@
 tcp_config->port_filter[port] |= status;
 }
+void s5TcpUnsetPortFilterStatus(unsigned short port, uint16_t status, tSfPolicyId policyId, int parsing)
+{
+ Stream5Config *config;
+ Stream5TcpConfig *tcp_config;
+
+#ifdef SNORT_RELOAD
+ if (parsing && (s5_swap_config != NULL))
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_swap_config, policyId);
+ else
+#endif
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_config, policyId);
+
+ if (config == NULL)
+ return;
+
+ tcp_config = config->tcp_config;
+ if (tcp_config == NULL)
+ return;
+
+ tcp_config->port_filter[port] &= ~status;
+}
+
 int s5TcpGetPortFilterStatus(unsigned short port, tSfPolicyId policyId, int parsing)
 {
 Stream5Config *config;
@@ -9705,7 +10236,57 @@
 if (tcp_config == NULL)
 return PORT_MONITOR_NONE;
- return tcp_config->port_filter[port];
+ return (int)tcp_config->port_filter[port];
+}
+
+void s5TcpSetSynSessionStatus(uint16_t status, tSfPolicyId policyId, int parsing)
+{
+ Stream5Config *config;
+ Stream5TcpConfig *tcp_config;
+
+ if (status <= PORT_MONITOR_SESSION)
+ return;
+
+#ifdef SNORT_RELOAD
+ if (parsing && (s5_swap_config != NULL))
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_swap_config, policyId);
+ else
+#endif
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_config, policyId);
+
+ if (config == NULL)
+ return;
+
+ tcp_config = config->tcp_config;
+ if (tcp_config == NULL)
+ return;
+
+ tcp_config->session_on_syn |= status;
+}
+
+void s5TcpUnsetSynSessionStatus(uint16_t status, tSfPolicyId policyId, int parsing)
+{
+ Stream5Config *config;
+ Stream5TcpConfig *tcp_config;
+
+ if (status <= PORT_MONITOR_SESSION)
+ return;
+
+#ifdef SNORT_RELOAD
+ if (parsing && (s5_swap_config != NULL))
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_swap_config, policyId);
+ else
+#endif
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_config, policyId);
+
+ if (config == NULL)
+ return;
+
+ tcp_config = config->tcp_config;
+ if (tcp_config == NULL)
+ return;
+
+ tcp_config->session_on_syn &= ~status;
 }
 static void targetPolicyIterate(void (*callback)(int))
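Review bot: s5TcpSetSynSessionStatus and s5TcpUnsetSynSessionStatus repeat, verbatim, the policy-to-config lookup (swap config under SNORT_RELOAD, then `s5_config`, NULL checks on config and tcp_config) that s5TcpSetPortFilterStatus, s5TcpUnsetPortFilterStatus and s5TcpGetPortFilterStatus above already carry, so the file now has five copies of the same `#ifdef` block to keep in sync. A file-static helper that resolves the Stream5TcpConfig (or NULL) collapses each of them to a guard and one statement, as sketched below. The `status <= PORT_MONITOR_SESSION` early-out is unexplained; a one-line comment naming which bit values are valid session-on-SYN flags would help the next reader (which values those are is not visible from this hunk).
```c
/* Resolve the TCP config for policyId; while parsing a reload, use the swap config. */
static Stream5TcpConfig *s5TcpGetConfig(tSfPolicyId policyId, int parsing)
{
    Stream5Config *config;

#ifdef SNORT_RELOAD
    if (parsing && (s5_swap_config != NULL))
        config = (Stream5Config *)sfPolicyUserDataGet(s5_swap_config, policyId);
    else
#endif
        config = (Stream5Config *)sfPolicyUserDataGet(s5_config, policyId);

    return (config != NULL) ? config->tcp_config : NULL;
}

void s5TcpSetSynSessionStatus(uint16_t status, tSfPolicyId policyId, int parsing)
{
    Stream5TcpConfig *tcp_config;

    /* only bits above PORT_MONITOR_SESSION are session-on-SYN flags */
    if (status <= PORT_MONITOR_SESSION)
        return;

    tcp_config = s5TcpGetConfig(policyId, parsing);
    if (tcp_config == NULL)
        return;

    tcp_config->session_on_syn |= status;
}

/* … unchanged: s5TcpUnsetSynSessionStatus, same shape ending in &= ~status … */
```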
@@ -9742,11 +10323,10 @@ if (pPolicy) { pPolicy->decoder_alert_flags = pPolicy->decoder_alert_flags_saved; - pPolicy->decoder_drop_flags = pPolicy->decoder_drop_flags_saved; + pPolicy->decoder_drop_flags = pPolicy->decoder_drop_flags_saved; pPolicy->decoder_alert_flags_saved = 0; pPolicy->decoder_drop_flags_saved = 0; } } - diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_tcp.h snort-2.9.2/src/preprocessors/Stream5/snort_stream5_tcp.h --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_tcp.h 2010-06-09 15:05:27.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_tcp.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,13 +18,18 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef STREAM5_TCP_H_ #define STREAM5_TCP_H_ #include "stream5_common.h" #include "sfPolicy.h" +extern uint32_t xtradata_func_count; +extern LogFunction xtradata_map[LOG_FUNC_MAX]; +extern LogExtraData extra_data_log; +extern void *extra_data_config; + void Stream5CleanTcp(void); void Stream5ResetTcp(void); void Stream5InitTcp(Stream5GlobalConfig *); 
@@ -47,8 +52,9 @@ PacketIterator callback, void *userdata); int GetTcpStreamSegments(Packet *p, Stream5LWSession *ssn, StreamSegmentIterator callback, void *userdata); -int Stream5AddSessionAlertTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid); +int Stream5AddSessionAlertTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid, int alerted); int Stream5CheckSessionAlertTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid); +int Stream5LogSessionAlertExtraDataTcp(Stream5LWSession *lwssn, Packet *p, uint32_t gid, uint32_t sid, uint32_t event_id, uint32_t event_second); char Stream5GetReassemblyDirectionTcp(Stream5LWSession *lwssn); uint32_t Stream5GetFlushPointTcp(Stream5LWSession *lwssn, char dir); void Stream5SetFlushPointTcp(Stream5LWSession *lwssn, char dir, uint32_t flush_point); @@ -58,8 +64,14 @@ int Stream5MissingInReassembledTcp(Stream5LWSession *lwssn, char dir); char Stream5PacketsMissingTcp(Stream5LWSession *lwssn, char dir); void s5TcpSetPortFilterStatus( - unsigned short port, - int status, + unsigned short port, + uint16_t status, + tSfPolicyId policyId, + int parsing + ); +void s5TcpUnsetPortFilterStatus( + unsigned short port, + uint16_t status, tSfPolicyId policyId, int parsing ); @@ -68,7 +80,12 @@ tSfPolicyId policyId, int parsing ); +void s5TcpSetSynSessionStatus(uint16_t status, tSfPolicyId policyId, int parsing); +void s5TcpUnsetSynSessionStatus(uint16_t status, tSfPolicyId policyId, int parsing); void Stream5TcpConfigFree(Stream5TcpConfig *); +void** Stream5GetPAFUserDataTcp(Stream5LWSession*, bool to_server); +bool Stream5IsPafActiveTcp(Stream5LWSession*, bool to_server); +bool Stream5ActivatePafTcp(Stream5LWSession*, bool to_server); uint32_t Stream5GetTcpPrunes(void); void Stream5ResetTcpPrunes(void); 
@@ -78,4 +95,8 @@ void Stream_ResetNormalizationStats(void); #endif +#ifdef ENABLE_PAF +void Stream5PostConfigTcp(void*); +#endif + #endif /* STREAM5_TCP_H_ */ diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_udp.c snort-2.9.2/src/preprocessors/Stream5/snort_stream5_udp.c --- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_udp.c 2010-06-09 15:05:28.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_udp.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,8 +18,13 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - -#include "debug.h" + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "detect.h" #include "plugbase.h" #include "mstring.h" @@ -30,7 +35,7 @@ #include "stream5_common.h" #include "stream_api.h" #include "snort_stream5_session.h" -#include "stream_ignore.h" +#include "stream_expect.h" #include "snort_stream5_udp.h" #include "plugin_enum.h" @@ -60,14 +65,6 @@ #define udp_responder_ip lwSsn->server_ip #define udp_responder_port lwSsn->server_port -extern Stream5UdpConfig *s5_udp_eval_config; -extern tSfPolicyUserContextId s5_config; - -#ifdef SNORT_RELOAD -extern tSfPolicyUserContextId s5_swap_config; -#endif - - /* D A T A S T R U C T U R E S ***********************************/ typedef struct _UdpSession { 
@@ -88,19 +85,18 @@ /* P R O T O T Y P E S ********************************************/ static void Stream5ParseUdpArgs(Stream5UdpConfig *, char *, Stream5UdpPolicy *); static void Stream5PrintUdpConfig(Stream5UdpPolicy *); -void UdpSessionCleanup(Stream5LWSession *lwssn); -static int ProcessUdp(Stream5LWSession *, Packet *, Stream5UdpPolicy *); +static int ProcessUdp(Stream5LWSession *, Packet *, Stream5UdpPolicy *, SFXHASH_NODE *); void Stream5InitUdp(Stream5GlobalConfig *gconfig) { if (gconfig == NULL) return; - /* Now UDP */ + /* Now UDP */ if ((udp_lws_cache == NULL) && (gconfig->track_udp_sessions)) { udp_lws_cache = InitLWSessionCache(gconfig->max_udp_sessions, - 30, 5, 0, &UdpSessionCleanup); + 30, (3*60), 5, 0, &UdpSessionCleanup); if(!udp_lws_cache) { @@ -145,13 +141,19 @@ sizeof(Stream5UdpPolicy *) * (config->num_policies - 1)); free(config->policy_list); - + config->policy_list = tmpPolicyList; } config->policy_list[config->num_policies - 1] = s5UdpPolicy; Stream5PrintUdpConfig(s5UdpPolicy); + +#ifdef REG_TEST + LogMessage("\n"); + LogMessage(" UDP Session Size: %lu\n",sizeof(UdpSession)); + LogMessage("\n"); +#endif } static void Stream5ParseUdpArgs(Stream5UdpConfig *config, char *args, Stream5UdpPolicy *s5UdpPolicy) @@ -196,7 +198,7 @@ { s5UdpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10); } - + if (!stoks[1] || (endPtr == &stoks[1][0])) { FatalError("%s(%d) => Invalid timeout in config file. Integer parameter required.\n", @@ -230,7 +232,7 @@ } else { - FatalError("%s(%d) => Invalid Stream5 UDP Policy option\n", + FatalError("%s(%d) => Invalid Stream5 UDP Policy option\n", file_name, file_line); } 
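Review bot: The new REG_TEST line `LogMessage(" UDP Session Size: %lu\n",sizeof(UdpSession));` passes a `size_t` to a `%lu` conversion, which is only correct where `size_t` happens to be `unsigned long`; either use `%zu` or cast: `LogMessage(" UDP Session Size: %lu\n", (unsigned long)sizeof(UdpSession));`. In the InitLWSessionCache call the new argument `(3*60)` is a bare magic number sitting between `30` and `5`, and nothing in the hunk says which cache timing it sets; a named constant or trailing comment, with its meaning confirmed against InitLWSessionCache's prototype (not visible here), would make the call self-describing. Stream5InitUdp's body continues past its hunk.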
@@ -321,6 +323,19 @@ { UdpSession *udpssn = NULL; + if (lwssn->session_flags & SSNFLAG_PRUNED) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_PRUNED); + } + else if (lwssn->session_flags & SSNFLAG_TIMEDOUT) + { + CloseStreamSession(&sfBase, SESSION_CLOSED_TIMEDOUT); + } + else + { + CloseStreamSession(&sfBase, SESSION_CLOSED_NORMALLY); + } + if (lwssn->proto_specific_data) udpssn = (UdpSession *)lwssn->proto_specific_data->data; @@ -339,6 +354,7 @@ lwssn->ignore_direction = 0; Stream5ResetFlowBits(lwssn); + FreeLWApplicationData(lwssn); s5stats.udp_sessions_released++; @@ -388,14 +404,14 @@ return -1; tmp = tmpBucket->data; - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Creating new session tracker!\n");); tmp->ssn_time.tv_sec = p->pkth->ts.tv_sec; tmp->ssn_time.tv_usec = p->pkth->ts.tv_usec; lwssn->session_flags |= SSNFLAG_SEEN_SENDER; - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "adding UdpSession to lightweight session\n");); lwssn->proto_specific_data = tmpBucket; lwssn->protocol = GET_IPH_PROTO(p); @@ -411,7 +427,7 @@ AddUDPSession(&sfBase); if (perfmon_config && (perfmon_config->perf_flags & SFPERF_FLOWIP)) - UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_UDP_CREATED); + UpdateFlowIPState(&sfFlow, IP_ARG(lwssn->client_ip), IP_ARG(lwssn->server_ip), SFS_STATE_UDP_CREATED); return 0; } @@ -423,6 +439,8 @@ int Stream5ProcessUdp(Packet *p, Stream5LWSession *lwssn, Stream5UdpPolicy *s5UdpPolicy, SessionKey *skey) { + SFXHASH_NODE *hash_node = NULL; + #ifdef SUP_IP6 // XXX-IPv6 Stream5ProcessUDP debugging #else 
@@ -461,35 +479,34 @@ if(IpAddrSetContains(s5UdpPolicy->bound_addrs, GET_DST_ADDR(p))) #endif { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "[Stream5] Found udp policy in IpAddrSet\n");); break; } } - + if (policyIndex == s5_udp_eval_config->num_policies) s5UdpPolicy = s5_udp_eval_config->default_policy; if (!s5UdpPolicy) { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "[Stream5] Could not find Udp Policy context " "for IP %s\n", inet_ntoa(GET_DST_ADDR(p)));); return 0; } } - if (isPacketFilterDiscard(p, s5UdpPolicy->flags & STREAM5_CONFIG_IGNORE_ANY) - == PORT_MONITOR_PACKET_DISCARD) - { - //ignore the packet - UpdateFilteredPacketStats(&sfBase, IPPROTO_UDP); - return 0; - } - - /* UDP Sessions required */ + /* UDP Sessions required */ if (lwssn == NULL) { + if ((isPacketFilterDiscard(p, s5UdpPolicy->flags & STREAM5_CONFIG_IGNORE_ANY) == PORT_MONITOR_PACKET_DISCARD) + && !StreamExpectIsExpected(p, &hash_node)) + { + //ignore the packet + UpdateFilteredPacketStats(&sfBase, IPPROTO_UDP); + return 0; + } /* Create a new session, mark SENDER seen */ lwssn = NewLWSession(udp_lws_cache, p, skey, (void *)s5UdpPolicy); s5stats.total_udp_sessions++; @@ -525,11 +542,11 @@ /* Clean it up */ UdpSessionCleanup(lwssn); - ProcessUdp(lwssn, p, s5UdpPolicy); + ProcessUdp(lwssn, p, s5UdpPolicy, hash_node); } else { - ProcessUdp(lwssn, p, s5UdpPolicy); + ProcessUdp(lwssn, p, s5UdpPolicy, hash_node); DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Finished Stream5 UDP cleanly!\n" "---------------------------------------------------\n");); @@ -541,11 +558,11 @@ } static int ProcessUdp(Stream5LWSession *lwssn, Packet *p, - Stream5UdpPolicy *s5UdpPolicy) + Stream5UdpPolicy *s5UdpPolicy, SFXHASH_NODE *hash_node) { - char ignore = 0; + char ignore; UdpSession *udpssn = NULL; - int16_t protoId = 0; + DEBUG_WRAP( char *t = NULL; char *l = NULL; 
@@ -556,7 +573,7 @@ if (lwssn->protocol != IPPROTO_UDP) { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Lightweight session not UDP on UDP packet\n");); return ACTION_NOTHING; } @@ -598,6 +615,23 @@ if (NewUdpSession(p, lwssn, s5UdpPolicy) == -1) return ACTION_NOTHING; udpssn = (UdpSession *)lwssn->proto_specific_data->data; + + /* Check if the session is to be ignored */ + if (hash_node) + ignore = SteamExpectProcessNode(p, lwssn, hash_node); + else + ignore = SteamExpectCheck(p, lwssn); + if (ignore) + { + /* Set the directions to ignore... */ + lwssn->ignore_direction = ignore; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "Stream5: Ignoring packet from %d. " + "Marking session marked as ignore.\n", + p->packet_flags & PKT_FROM_CLIENT? "sender" : "responder");); + Stream5DisableInspection(lwssn, p); + return ACTION_NOTHING; + } } /* figure out direction of this packet */ 
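Review bot: The debug message added in the new expected-session block passes a `char *` (`"sender"` / `"responder"`) to a `%d` conversion, which is undefined behaviour in DEBUG builds and at best prints a pointer; the conversion should be `%s`, and the wording tidied at the same time: `"Stream5: Ignoring packet from %s. " "Marking session as ignore.\n",`. The same `%d`-with-string mismatch exists in the pre-existing message further down this function that the hunk copied from, so both should change together. The value from SteamExpectProcessNode/SteamExpectCheck is stored straight into `lwssn->ignore_direction`; if those can return anything other than SSN_DIR_* bits (their contracts are not visible here), masking before the store would keep the direction field well-formed. ProcessUdp's body extends on both sides of the hunk.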
@@ -607,38 +641,17 @@ ((p->packet_flags & PKT_FROM_CLIENT) && (lwssn->ignore_direction & SSN_DIR_SERVER))) { Stream5DisableInspection(lwssn, p); - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5 Ignoring packet from %d. " "Session marked as ignore\n", p->packet_flags & PKT_FROM_CLIENT? "sender" : "responder");); return ACTION_NOTHING; } - /* Check if the session is to be ignored */ - ignore = CheckIgnoreChannel(p, &protoId); - if (ignore) - { - /* Set the directions to ignore... */ - lwssn->ignore_direction = ignore; - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "Stream5: Ignoring packet from %d. " - "Marking session marked as ignore.\n", - p->packet_flags & PKT_FROM_CLIENT? "sender" : "responder");); - Stream5DisableInspection(lwssn, p); - return ACTION_NOTHING; - } - else if (protoId != 0) - { -#ifdef TARGET_BASED - if (IsAdaptiveConfigured(getRuntimePolicy(), 0)) - lwssn->application_protocol = protoId; -#endif - } - /* if both seen, mark established */ if(p->packet_flags & PKT_FROM_SERVER) { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5: Updating on packet from responder\n");); lwssn->session_flags |= SSNFLAG_SEEN_RESPONDER; #ifdef ACTIVE_RESPONSE @@ -651,7 +664,7 @@ } else { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Stream5: Updating on packet from client\n");); /* if we got here we had to see the SYN already... */ lwssn->session_flags |= SSNFLAG_SEEN_SENDER; @@ -728,7 +741,7 @@ udpssn->udp_responder_port = tmpPort; } -void s5UdpSetPortFilterStatus(unsigned short port, int status, tSfPolicyId policyId, int parsing) +void s5UdpSetPortFilterStatus(unsigned short port, uint16_t status, tSfPolicyId policyId, int parsing) { Stream5Config *config; Stream5UdpConfig *udp_config; 
@@ -750,6 +763,28 @@
 udp_config->port_filter[port] |= status;
 }
+void s5UdpUnsetPortFilterStatus(unsigned short port, uint16_t status, tSfPolicyId policyId, int parsing)
+{
+ Stream5Config *config;
+ Stream5UdpConfig *udp_config;
+
+#ifdef SNORT_RELOAD
+ if (parsing && (s5_swap_config != NULL))
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_swap_config, policyId);
+ else
+#endif
+ config = (Stream5Config *)sfPolicyUserDataGet(s5_config, policyId);
+
+ if (config == NULL)
+ return;
+
+ udp_config = config->udp_config;
+ if (udp_config == NULL)
+ return;
+
+ udp_config->port_filter[port] &= ~status;
+}
+
 int s5UdpGetPortFilterStatus(unsigned short port, tSfPolicyId policyId, int parsing)
 {
 Stream5Config *config;
@@ -769,7 +804,7 @@
 if (udp_config == NULL)
 return PORT_MONITOR_NONE;
- return udp_config->port_filter[port];
+ return (int)udp_config->port_filter[port];
 }
 void Stream5UdpConfigFree(Stream5UdpConfig *config)
diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_udp.h snort-2.9.2/src/preprocessors/Stream5/snort_stream5_udp.h
--- snort-2.9.0.1/src/preprocessors/Stream5/snort_stream5_udp.h 2010-06-09 15:05:28.000000000 -0700
+++ snort-2.9.2/src/preprocessors/Stream5/snort_stream5_udp.h 2011-10-26 11:28:52.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2005-2010 Sourcefire, Inc.
+ * Copyright (C) 2005-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -18,7 +18,7 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
-
+
 #ifndef STREAM5_UDP_H_
 #define STREAM5_UDP_H_
@@ -36,8 +36,14 @@ snort_ip_p ip, uint16_t port); Stream5LWSession *GetLWUdpSession(SessionKey *key); void s5UdpSetPortFilterStatus( - unsigned short port, - int status, + unsigned short port, + uint16_t status, + tSfPolicyId policyId, + int parsing + ); +void s5UdpUnsetPortFilterStatus( + unsigned short port, + uint16_t status, tSfPolicyId policyId, int parsing ); @@ -50,5 +56,5 @@ uint32_t Stream5GetUdpPrunes(void); void Stream5ResetUdpPrunes(void); - +void UdpSessionCleanup(Stream5LWSession *lwssn); #endif /* STREAM5_UDP_H_ */ diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/stream5_common.c snort-2.9.2/src/preprocessors/Stream5/stream5_common.c --- snort-2.9.0.1/src/preprocessors/Stream5/stream5_common.c 2010-06-09 15:05:28.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/stream5_common.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,39 +18,41 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - -#include "debug.h" + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "decode.h" #include "log.h" #include "util.h" #include "generators.h" #include "event_queue.h" #include "snort.h" -#include "sf_types.h" #include "snort_stream5_session.h" #include "stream5_common.h" #include "portscan.h" #include "sftarget_protocol_reference.h" -#include "sp_dynamic.h" +#include "sp_dynamic.h" #include "snort_stream5_tcp.h" #include "snort_stream5_udp.h" #include "snort_stream5_icmp.h" -#include "parser.h" -#include "active.h" - -extern tSfPolicyUserContextId s5_config; +#include "parser.h" +#include "active.h" static void printIgnoredRules( IgnoredRuleList *pIgnoredRuleList, int any_any_flow ); static void addRuleToIgnoreList( - IgnoredRuleList **ppIgnoredRuleList, + IgnoredRuleList **ppIgnoredRuleList, OptTreeNode *otn); /* M A C R O S **************************************************/ -static INLINE uint64_t CalcJiffies(Packet *p) +static inline uint64_t CalcJiffies(Packet *p) { uint64_t ret = 0; uint64_t sec = (p->pkth->ts.tv_sec * TCP_HZ); @@ -59,7 +61,7 @@ ret = sec + usec; return ret; - //return (p->pkth->ts.tv_sec * TCP_HZ) + + //return (p->pkth->ts.tv_sec * TCP_HZ) + // (p->pkth->ts.tv_usec / (1000000UL/TCP_HZ)); } @@ -72,7 +74,7 @@ /* Not yet set, not expired */ return 0; } - + if((int)(pkttime - lwssn->expire_time) > 0) { sfBase.iStreamTimeouts++; @@ -100,7 +102,7 @@ return 0; } -void Stream5SetExpire(Packet *p, +void Stream5SetExpire(Packet *p, Stream5LWSession *lwssn, uint32_t timeout) { lwssn->expire_time = CalcJiffies(p) + (timeout * TCP_HZ); 
@@ -133,7 +135,7 @@ ( (lwssn->session_state & STREAM5_STATE_DROP_CLIENT) && (lwssn->session_state & STREAM5_STATE_DROP_SERVER) ) ? ENC_FLAG_FWD : 0; // reverse dir is always true - + Active_KillSession(p, &flags); ++lwssn->response_count; Stream5SetExpire(p, lwssn, delay); @@ -144,35 +146,29 @@ void SetTTL (Stream5LWSession* ssn, Packet* p, int client) { - Layer* inner = NULL, *outer = NULL; - int i; + uint8_t inner_ttl = 0, outer_ttl = 0; +#ifdef SUP_IP6 + if ( p->outer_iph_api ) + outer_ttl = p->outer_iph_api->iph_ret_ttl(p); + + if ( p->iph_api ) + inner_ttl = p->iph_api->iph_ret_ttl(p); +#else + if ( p->outer_iph ) + outer_ttl = p->outer_iph->ip_ttl; - for ( i = 0; i < p->next_layer; i++ ) - { - if ( p->layers[i].proto == PROTO_IP4 - // || p->layers[i].proto == PROTO_IP6 - ) { - outer = inner; - inner = p->layers + i; - } - } - if ( outer ) + if ( p->iph ) + inner_ttl = p->iph->ip_ttl; +#endif + if ( client ) { - if ( outer->proto == PROTO_IP4 ) - { - uint8_t ttl = ((IP4Hdr*)outer->start)->ip_ttl; - if ( client ) ssn->outer_client_ttl = ttl; - else ssn->outer_server_ttl = ttl; - } + ssn->outer_client_ttl = outer_ttl; + ssn->inner_client_ttl = inner_ttl; } - if ( inner ) + else { - if ( inner->proto == PROTO_IP4 ) - { - uint8_t ttl = ((IP4Hdr*)inner->start)->ip_ttl; - if ( client ) ssn->inner_client_ttl = ttl; - else ssn->inner_server_ttl = ttl; - } + ssn->outer_server_ttl = outer_ttl; + ssn->inner_server_ttl = inner_ttl; } } #endif @@ -184,13 +180,9 @@ if((lwssn->session_flags & SSNFLAG_ESTABLISHED) != SSNFLAG_ESTABLISHED) { - if((lwssn->session_flags & (SSNFLAG_SEEN_SERVER|SSNFLAG_SEEN_CLIENT)) == + if((lwssn->session_flags & (SSNFLAG_SEEN_SERVER|SSNFLAG_SEEN_CLIENT)) != (SSNFLAG_SEEN_SERVER|SSNFLAG_SEEN_CLIENT)) { - p->packet_flags |= PKT_STREAM_UNEST_BI; - } - else - { p->packet_flags |= PKT_STREAM_UNEST_UNI; } } 
@@ -202,16 +194,18 @@ p->packet_flags ^= PKT_STREAM_UNEST_UNI; } } + if ( lwssn->session_flags & SSNFLAG_STREAM_ORDER_BAD ) + p->packet_flags |= PKT_STREAM_ORDER_BAD; } #if 0 /** Get rule list for a specific protocol * - * @param rule - * @param ptocool protocol type + * @param rule + * @param ptocool protocol type * @returns RuleTreeNode* rule list for specific protocol */ -static INLINE RuleTreeNode * protocolRuleList(RuleListNode *rule, int protocol) +static inline RuleTreeNode * protocolRuleList(RuleListNode *rule, int protocol) { switch (protocol) { @@ -227,7 +221,7 @@ return NULL; } #endif -static INLINE char * getProtocolName (int protocol) +static inline char * getProtocolName (int protocol) { static char *protocolName[] = {"TCP", "UDP", "ICMP"}; switch (protocol) @@ -265,12 +259,12 @@ } /**initialize given port list from the given ruleset, for a given policy - * @param portList pointer to array of MAX_PORTS+1 uint8_t. This array content + * @param portList pointer to array of MAX_PORTS+1 uint8_t. This array content * is changed by walking through the rulesets. * @param protocol - protocol type */ void setPortFilterList( - uint8_t *portList, + uint16_t *portList, int protocol, int ignoreAnyAnyRules, tSfPolicyId policyId @@ -323,7 +317,7 @@ } if (rtn->proto == protocol) - { + { //do operation inspectSrc = inspectDst = 0; if (PortObjectHasAny(rtn->src_portobject)) 
@@ -411,15 +405,15 @@ if (any_any_flow == 1) { - LogMessage("Warning: 'ignore_any_rules' option for Stream5 %s " - "disabled because of %s rule with flow or flowbits option\n", + LogMessage("WARNING: 'ignore_any_rules' option for Stream5 %s " + "disabled because of %s rule with flow or flowbits option.\n", protocolName, protocolName); } else if (pIgnoredRuleList) { - LogMessage("Warning: Rules (GID:SID) effectively ignored because of " - "'ignore_any_rules' option for Stream5 %s:\n", protocolName); + LogMessage("WARNING: Rules (GID:SID) effectively ignored because of " + "'ignore_any_rules' option for Stream5 %s.\n", protocolName); } // free list; print iff any_any_flow printIgnoredRules(pIgnoredRuleList, any_any_flow); @@ -428,7 +422,7 @@ /**Determines whether any_any_flow should be ignored or not. * - * Dont ignore any_any_flows if flow bit is set on an any_any_flow, + * Dont ignore any_any_flows if flow bit is set on an any_any_flow, * or ignoreAnyAnyRules is not set. * @param portList port list * @param rtn Rule tree node @@ -438,9 +432,9 @@ * @returns */ int Stream5AnyAnyFlow( - uint8_t *portList, + uint16_t *portList, OptTreeNode *otn, - RuleTreeNode *rtn, + RuleTreeNode *rtn, int any_any_flow, IgnoredRuleList **ppIgnoredRuleList, int ignoreAnyAnyRules @@ -536,7 +530,7 @@ } else { - SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d", + SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d", ignored_rule->otn->sigInfo.generator, ignored_rule->otn->sigInfo.id); } @@ -562,7 +556,7 @@ static int Stream5FreeConfigsPolicy( tSfPolicyUserContextId config, - tSfPolicyId policyId, + tSfPolicyId policyId, void* pData ) { diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/stream5_common.h snort-2.9.2/src/preprocessors/Stream5/stream5_common.h --- snort-2.9.0.1/src/preprocessors/Stream5/stream5_common.h 2010-10-25 12:49:13.000000000 -0700 +++ snort-2.9.2/src/preprocessors/Stream5/stream5_common.h 2011-10-26 11:28:52.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef STREAM5_COMMON_H_ #define STREAM5_COMMON_H_ @@ -28,6 +28,7 @@ #endif #include "sfutil/bitop_funcs.h" +#include "sfutil/sfActionQueue.h" #include "parser/IpAddrSet.h" #include "stream_api.h" @@ -43,8 +44,6 @@ //#define DEBUG_STREAM5 DEBUG -/* Only track a maximum number of alerts per session */ -#define MAX_SESSION_ALERTS 8 /* defaults and limits */ #define S5_DEFAULT_SSN_TIMEOUT 30 /* seconds to timeout a session */ @@ -56,6 +55,7 @@ #define S5_MAX_MAX_WINDOW 0x3FFFc000 /* max window allowed by TCP */ /* 65535 << 14 (max wscale) */ #define S5_MIN_MAX_WINDOW 0 +#define MAX_PORTS_TO_PRINT 20 #define S5_DEFAULT_MAX_QUEUED_BYTES 1048576 /* 1 MB */ #define S5_MIN_MAX_QUEUED_BYTES 1024 /* Don't let this go below 1024 */ @@ -144,7 +144,7 @@ uint16_t port_l; /* Low Port - 0 if ICMP */ uint16_t port_h; /* High Port - 0 if ICMP */ uint16_t vlan_tag; - char protocol; + uint8_t protocol; char pad; #ifdef MPLS uint32_t mplsLabel; /* MPLS label */ @@ -162,13 +162,6 @@ StreamAppDataFree freeFunc; } Stream5AppData; -typedef struct _Stream5AlertInfo -{ - /* For storing alerts that have already been seen on the session */ - uint32_t sid; - uint32_t gid; - uint32_t seq; -} Stream5AlertInfo; // this struct is organized by member size for compactness typedef struct _Stream5LWSession @@ -203,7 +196,7 @@ int16_t application_protocol; #endif - char protocol; + uint8_t protocol; char direction; char ignore_direction; /* flag to ignore traffic on this session */ 
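Review bot: In the `@@ -144,7 +144,7 @@` and `@@ -203,7 +196,7 @@` hunks `protocol` becomes `uint8_t`, which removes the implementation-defined signedness of `char` from comparisons against protocol numbers, but the neighbouring byte fields `char pad;`, `char direction;` and `char ignore_direction;` keep `char`. For uniformity within the struct the flag bytes could use the same type, e.g. `uint8_t direction;` and `uint8_t ignore_direction;`, or a short comment could say why they stay `char`. Both struct definitions start and end outside their hunks.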
@@ -222,9 +215,11 @@ char track_tcp_sessions; char track_udp_sessions; char track_icmp_sessions; + char track_ip_sessions; uint32_t max_tcp_sessions; uint32_t max_udp_sessions; uint32_t max_icmp_sessions; + uint32_t max_ip_sessions; uint32_t memcap; uint32_t prune_log_max; uint32_t flags; @@ -242,6 +237,7 @@ uint16_t last_count; uint16_t last_size; uint8_t flush_policy; + uint8_t flush_type; } FlushMgr; @@ -308,8 +304,12 @@ { Stream5TcpPolicy *default_policy; Stream5TcpPolicy **policy_list; + + void* paf_config; + uint8_t num_policies; - uint8_t port_filter[MAX_PORTS + 1]; + uint16_t session_on_syn; + uint16_t port_filter[MAX_PORTS + 1]; } Stream5TcpConfig; @@ -326,7 +326,8 @@ Stream5UdpPolicy *default_policy; Stream5UdpPolicy **policy_list; uint8_t num_policies; - uint8_t port_filter[MAX_PORTS + 1]; + uint8_t dummy; /* For alignment */ + uint16_t port_filter[MAX_PORTS + 1]; } Stream5UdpConfig; @@ -344,12 +345,25 @@ } Stream5IcmpConfig; +typedef struct _Stream5IpPolicy +{ + uint32_t session_timeout; + +} Stream5IpPolicy; + +typedef struct _Stream5IpConfig +{ + Stream5IpPolicy default_policy; + +} Stream5IpConfig; + typedef struct _Stream5Config { Stream5GlobalConfig *global_config; Stream5TcpConfig *tcp_config; Stream5UdpConfig *udp_config; Stream5IcmpConfig *icmp_config; + Stream5IpConfig *ip_config; #ifdef TARGET_BASED uint8_t service_filter[MAX_PROTOCOL_ORDINAL]; @@ -381,9 +395,11 @@ uint32_t total_tcp_sessions; uint32_t total_udp_sessions; uint32_t total_icmp_sessions; + uint32_t total_ip_sessions; uint32_t tcp_prunes; uint32_t udp_prunes; uint32_t icmp_prunes; + uint32_t ip_prunes; uint32_t tcp_timeouts; uint32_t tcp_streamtrackers_created; uint32_t tcp_streamtrackers_released; @@ -401,6 +417,7 @@ uint32_t icmp_timeouts; uint32_t icmp_sessions_created; uint32_t icmp_sessions_released; + uint32_t ip_timeouts; uint32_t events; uint32_t internalEvents; tPortFilterStats tcp_port_filter; 
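Review bot: In the `@@ -308,8 +304,12 @@` hunk Stream5TcpConfig places `uint16_t session_on_syn;` right after `uint8_t num_policies;` and relies on implicit padding, while the `@@ -326,7 +326,8 @@` hunk gives Stream5UdpConfig an explicit `uint8_t dummy; /* For alignment */` for the same layout. One convention should be used for both; an explicit padding member is only needed if the layout is relied upon externally, and if it is, the comment should say by what. The new `void* paf_config;` carries no comment; `void* paf_config; /* opaque; created by s5_paf_new(), see stream5_paf.h */` would tell readers where the real type and its lifetime live.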
@@ -409,7 +426,7 @@ /**Whether incoming packets should be ignored or processed. */ -typedef enum { +typedef enum { /**Ignore the packet. */ PORT_MONITOR_PACKET_PROCESS = 0, @@ -418,10 +435,6 @@ } PortMonitorPacketStates; -extern Stream5Stats s5stats; -extern uint32_t firstPacketTime; -extern MemPool s5FlowMempool; - void Stream5DisableInspection(Stream5LWSession *lwssn, Packet *p); int Stream5Expire(Packet *p, Stream5LWSession *ssn); @@ -448,7 +461,7 @@ int ignore_any_rules ); -static INLINE void Stream5ResetFlowBits(Stream5LWSession *lwssn) +static inline void Stream5ResetFlowBits(Stream5LWSession *lwssn) { StreamFlowData *flowdata; @@ -459,4 +472,28 @@ boResetBITOP(&(flowdata->boFlowbits)); } +void checkLWSessionTimeout( + uint32_t flowCount, + time_t cur_time + ); + +// shared stream state +extern Stream5Stats s5stats; +extern uint32_t firstPacketTime; +extern MemPool s5FlowMempool; + +extern uint32_t mem_in_use; +extern unsigned int giFlowbitSize; +extern Stream5GlobalConfig *s5_global_eval_config; +extern Stream5TcpConfig *s5_tcp_eval_config; +extern Stream5UdpConfig *s5_udp_eval_config; +extern Stream5IcmpConfig *s5_icmp_eval_config; +extern Stream5IpConfig *s5_ip_eval_config; +extern tSfPolicyUserContextId s5_config; +extern tSfActionQueueId decoderActionQ; + +#ifdef SNORT_RELOAD +extern tSfPolicyUserContextId s5_swap_config; +#endif + #endif /* STREAM5_COMMON_H_ */ diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/stream5_paf.c snort-2.9.2/src/preprocessors/Stream5/stream5_paf.c --- snort-2.9.0.1/src/preprocessors/Stream5/stream5_paf.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/Stream5/stream5_paf.c 2011-10-26 11:28:52.000000000 -0700 
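Review bot: The new prototype `void checkLWSessionTimeout(uint32_t flowCount, time_t cur_time);` in the `@@ -459,4 +472,28 @@` hunk is the only declaration in this block without a comment, and neither parameter name says what is bounded or what the time is compared against. A one-line comment above it stating what `flowCount` limits and what `cur_time` is measured against would save readers a trip to the definition. The `extern` block that follows it would also benefit from a note on which translation unit defines these globals and whether `s5_swap_config` is only meaningful during a reload.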
@@ -0,0 +1,469 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +//-------------------------------------------------------------------- +// s5 stuff +// +// @file stream5_paf.c +// @author Russ Combs <rcombs@sourcefire.com> +//-------------------------------------------------------------------- + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <assert.h> +#include <ctype.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +#include "sf_types.h" +#include "snort_bounds.h" +#include "snort_debug.h" +#include "snort.h" +#include "sfPolicyUserData.h" +#include "stream5_common.h" +#include "stream5_paf.h" + +//-------------------------------------------------------------------- +// private state +//-------------------------------------------------------------------- + +typedef enum { + FT_NOP, // no flush + FT_SFP, // abort paf + FT_PAF, // flush to paf pt when len >= paf + FT_MAX // flush len when len >= mfp +} FlushType; + +typedef struct { + uint8_t cb_mask; + uint8_t 
auto_on; +} PAF_Map; + +typedef struct { + uint32_t mfp; + + uint32_t prep_calls; + uint32_t prep_bytes; + + PAF_Map map[MAXPORTS][2]; +} PAF_Config; + +// for cb registration +#define MAX_CB 8 // depends on sizeof(PAF_Map.cb_mask) +static PAF_Callback s5_cb[MAX_CB]; +static uint8_t s5_cb_idx = 0; + +// s5_len and s5_idx are used only during the +// lifetime of s5_paf_check() +static uint32_t s5_len; // total bytes queued +static uint32_t s5_idx; // offset from start of queued bytes + +//-------------------------------------------------------------------- + +static uint32_t s5_paf_flush ( + PAF_Config* pc, PAF_State* ps, FlushType ft, uint32_t* flags) +{ + uint32_t at = 0; + *flags &= ~(PKT_PDU_HEAD | PKT_PDU_TAIL); + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: type=%d, fpt=%u, len=%u, tot=%u\n", + __FUNCTION__, ft, ps->fpt, s5_len, ps->tot);) + + switch ( ft ) + { + case FT_NOP: + return 0; + + case FT_SFP: + *flags = 0; + return 0; + + case FT_PAF: + at = ps->fpt; + *flags |= PKT_PDU_TAIL; + break; + + // use of s5_len is suboptimal here because the actual amount + // flushed is determined later and can differ in certain cases + // such as exceeding s5_pkt->max_dsize. the actual amount + // flushed would ideally be applied to ps->fpt later. for + // now we try to circumvent such cases so we track correctly. 
+ case FT_MAX: + at = s5_len; + if ( ps->fpt > s5_len ) + ps->fpt -= s5_len; + else + ps->fpt = 0; + break; + } + + if ( !at || !s5_len ) + return 0; + + if ( !ps->tot ) + *flags |= PKT_PDU_HEAD; + + if ( *flags & PKT_PDU_TAIL ) + ps->tot = 0; + else + ps->tot += at; + + return at; +} + +//-------------------------------------------------------------------- + +static inline PAF_Status s5_paf_callback ( + PAF_State* ps, void* ssn, + const uint8_t* data, uint32_t len, uint32_t flags) +{ + PAF_Status paf; + uint8_t mask = ps->cb_mask; + bool update = false; + int i = 0; + + while ( mask ) + { + uint8_t bit = (1<<i); + if ( bit & mask ) + { + paf = s5_cb[i](ssn, &ps->user, data, len, flags, &ps->fpt); + + if ( paf == PAF_ABORT ) + { + // this one bailed out + ps->cb_mask ^= bit; + } + else if ( paf != PAF_SEARCH ) + { + // this one selected + ps->cb_mask = bit; + update = true; + break; + } + mask ^= bit; + } + if ( ++i == MAX_CB ) + break; + } + if ( !ps->cb_mask ) + { + ps->paf = PAF_ABORT; + update = true; + } + else if ( paf != PAF_ABORT ) + { + ps->paf = paf; + } + if ( update ) + { + ps->fpt += s5_idx; + + if ( ps->fpt <= s5_len ) + { + s5_idx = ps->fpt; + return true; + } + } + s5_idx = s5_len; + return false; +} + +//-------------------------------------------------------------------- + +static inline bool s5_paf_eval ( + PAF_Config* pc, PAF_State* ps, void* ssn, + uint16_t port, uint32_t flags, uint32_t fuzz, + const uint8_t* data, uint32_t len, FlushType* ft) +{ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: paf=%d, idx=%u, len=%u, fpt=%u\n", + __FUNCTION__, ps->paf, s5_idx, s5_len, ps->fpt);) + + switch ( ps->paf ) + { + case PAF_SEARCH: + if ( s5_len > s5_idx ) + { + return s5_paf_callback(ps, ssn, data, len, flags); + } + return false; + + case PAF_FLUSH: + if ( s5_len >= ps->fpt ) + { + *ft = FT_PAF; + ps->paf = PAF_SEARCH; + return true; + } + if ( s5_len >= pc->mfp + fuzz ) + { + *ft = FT_MAX; + return false; + } + return false; + + case PAF_SKIP: + 
if ( s5_len > ps->fpt ) + { + if ( ps->fpt > s5_idx ) + { + uint32_t delta = ps->fpt - s5_idx; + if ( delta > len ) + return false; + data += delta; + len -= delta; + } + s5_idx = ps->fpt; + return s5_paf_callback(ps, ssn, data, len, flags); + } + return false; + + default: + // PAF_ABORT || PAF_START + break; + } + + *ft = FT_SFP; + return false; +} + +//-------------------------------------------------------------------- +// public stuff +//-------------------------------------------------------------------- + +void s5_paf_setup (void* pv, PAF_State* ps, uint16_t port, bool c2s) +{ + PAF_Config* pc = pv; + PAF_Map* pm = pc->map[port] + (c2s?1:0); + memset(ps, 0, sizeof(*ps)); + ps->paf = PAF_START; + ps->cb_mask = pm->cb_mask; +} + +void s5_paf_clear (PAF_State* ps) +{ + // either require pp to manage in other session state + // or provide user free func? + if ( ps->user ) + { + free(ps->user); + ps->user = NULL; + } + ps->paf = PAF_ABORT; +} + +//-------------------------------------------------------------------- + +uint32_t s5_paf_check ( + void* pv, PAF_State* ps, void* ssn, + const uint8_t* data, uint32_t len, uint32_t total, + uint32_t seq, uint16_t port, uint32_t* flags, uint32_t fuzz) +{ + PAF_Config* pc = pv; + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: len=%u, tot=%u, seq=%u, cur=%u\n", + __FUNCTION__, len, total, seq, ps->seq);) + + if ( !s5_paf_initialized(ps) ) + { + ps->seq = ps->pos = seq; + ps->paf = PAF_SEARCH; + } + else if ( SEQ_LEQ(seq + len, ps->seq) ) + { + return 0; + } + else if ( SEQ_LT(seq, ps->seq) ) + { + uint32_t shift = ps->seq - seq; + data += shift; + len -= shift; + } + ps->seq += len; + + pc->prep_calls++; + pc->prep_bytes += len; + + s5_len = total; + s5_idx = total - len; + + do { + FlushType ft = FT_NOP; + uint32_t idx = s5_idx; + uint32_t shift, fp; + + bool cont = s5_paf_eval(pc, ps, ssn, port, *flags, fuzz, data, len, &ft); + + if ( ft != FT_NOP ) + { + fp = s5_paf_flush(pc, ps, ft, flags); + + ps->pos += fp; + 
ps->seq = ps->pos; + + return fp; + } + if ( s5_idx > idx ) + { + shift = s5_idx - idx; + data += shift; + len -= shift; + } + if ( !cont ) + break; + + } while ( 1 ); + + if ( (ps->paf != PAF_FLUSH) && (s5_len > pc->mfp+fuzz) ) + { + uint32_t fp = s5_paf_flush(pc, ps, FT_MAX, flags); + + ps->pos += fp; + ps->seq = ps->pos; + + return fp; + } + return 0; +} + +//-------------------------------------------------------------------- + +bool s5_paf_register ( + tSfPolicyId pid, uint16_t port, bool c2s, PAF_Callback cb, bool auto_on) +{ + tSfPolicyUserContextId context; + Stream5Config* config; + int i, dir = c2s ? 1 : 0; + +#ifdef SNORT_RELOAD + context = s5_swap_config ? s5_swap_config : s5_config; +#else + context = s5_config; +#endif + config = sfPolicyUserDataGet(context, pid); + + if ( !config || !config->tcp_config || !config->tcp_config->paf_config ) + return false; + + //DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + // "%s: port=%u, dir=%d\n", __FUNCTION__, port, c2s);) + + for ( i = 0; i < s5_cb_idx; i++ ) + { + if ( s5_cb[i] == cb ) + break; + } + if ( i == MAX_CB ) + return false; + + if ( i == s5_cb_idx ) + { + s5_cb[i] = cb; + s5_cb_idx++; + } + { + PAF_Config* pc = config->tcp_config->paf_config; + + pc->map[port][dir].cb_mask |= (1<<i); + pc->map[port][dir].auto_on = (uint8_t)auto_on; + } + return true; +} + +bool s5_paf_enabled (void* pv, uint16_t port, bool c2s, bool flush) +{ + PAF_Config* pc = pv; + PAF_Map* pm; + + if ( !pc ) + return false; + + pm = pc->map[port] + (c2s?1:0); + + if ( !pm->cb_mask ) + return false; + + return ( pm->auto_on ? 
true : flush ); +} + +void s5_paf_print (tSfPolicyId pid, void* pv) +{ +#if 0 + PAF_Config* pc = pv; + unsigned i; + char* t[2] = { "conf", "auto" }; + + if ( !pc ) + return; + + for ( i = 0; i < MAXPORTS; i++ ) + { + PAF_Map* pm = pc->map[i]; + + if ( pm[0].cb_mask || pm[1].cb_mask ) + { + DebugMessage(DEBUG_STREAM_PAF, + "PAF policy=%u, port=%u, c2s=%s, s2c=%s\n", + pid, i, t[pm[1].auto_on], t[pm[0].auto_on]); + } + } +#endif +} + +//-------------------------------------------------------------------- + +void* s5_paf_new (void) +{ + PAF_Config* pc = SnortAlloc(sizeof(*pc)); + assert( pc ); + + pc->mfp = ScPafMax(); + + if ( !pc->mfp ) + // this ensures max < IP_MAXPACKET + pc->mfp = (65535 - 255); + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: mfp=%u\n", + __FUNCTION__, pc->mfp);) + + return pc; +} + +void s5_paf_delete (void* pv) +{ + PAF_Config* pc = (PAF_Config*)pv; + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM_PAF, + "%s: prep=%u/%u\n", __FUNCTION__, + pc->prep_calls, pc->prep_bytes);) + + free(pc); +} + diff -Nru snort-2.9.0.1/src/preprocessors/Stream5/stream5_paf.h snort-2.9.2/src/preprocessors/Stream5/stream5_paf.h --- snort-2.9.0.1/src/preprocessors/Stream5/stream5_paf.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/Stream5/stream5_paf.h 2011-07-13 15:44:51.000000000 -0700 
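Review bot: `s5_paf_callback` is declared `static inline PAF_Status` but every return statement in it returns `true` or `false`, and its only caller `s5_paf_eval` hands the result back as `bool`; the declared type should be `static inline bool s5_paf_callback (`. It works today only because `true`/`false` convert to `PAF_START`/`PAF_ABORT` and back, so a later reordering of the `PAF_Status` enum would break it silently. In the same function `PAF_Status paf;` is read after the loop in `else if ( paf != PAF_ABORT )`; it is assigned whenever `ps->cb_mask` was non-zero on entry, but `PAF_Status paf = PAF_ABORT;` makes that invariant explicit and keeps `-Wmaybe-uninitialized` quiet. `s5_paf_clear` calls `free(ps->user)` on a pointer that callbacks set through their `void** user` argument, and the comment above it admits the ownership rule is undecided; the contract (heap memory allocated by the callback, released here) should be written into stream5_paf.h before other preprocessors depend on it.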
@@ -0,0 +1,92 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2011-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +//-------------------------------------------------------------------- +// s5 protocol aware flushing stuff +// +// @file stream5_paf.h +// @author Russ Combs <rcombs@sourcefire.com> +//-------------------------------------------------------------------- + +#ifndef __STREAM5_PAF_H__ +#define __STREAM5_PAF_H__ + +#include "sf_types.h" +#include "sfPolicy.h" +#include "stream_api.h" + +void* s5_paf_new(void); // create new paf config (per policy) +void s5_paf_delete(void*); // free config + +bool s5_paf_register( + tSfPolicyId, // applicable policy + uint16_t port, // server port + bool toServer, // direction of interest relative to server port + PAF_Callback, // stateful byte scanning function + bool autoEnable // enable PAF reassembly regardless of s5 ports config +); + +void s5_paf_print(tSfPolicyId, void*); // print instance config + +// flush indicates s5 port config +bool s5_paf_enabled(void* pv, uint16_t port, bool toServer, bool flush); + +typedef 
struct { + void* user; // arbitrary user data + + uint32_t seq; // stream cursor + uint32_t pos; // last flush position + + uint32_t fpt; // current flush point + uint32_t tot; // total bytes flushed + + PAF_Status paf; // current scan state + uint8_t cb_mask; // callback mask +} PAF_State; // per session direction + +// called at session start +void s5_paf_setup(void* paf_config, PAF_State* ps, uint16_t port, bool c2s); +void s5_paf_clear(PAF_State*); // called at session end + +static inline uint32_t s5_paf_position (PAF_State* ps) +{ + return ps->seq; +} + +static inline uint32_t s5_paf_initialized (PAF_State* ps) +{ + return ( ps->paf != PAF_START ); +} + +static inline uint32_t s5_paf_active (PAF_State* ps) +{ + return ( ps->paf != PAF_ABORT ); +} + +// called on each in order segment +uint32_t s5_paf_check( + void* paf_config, PAF_State*, void* ssn, + const uint8_t* data, uint32_t len, uint32_t total, + uint32_t seq, uint16_t port, uint32_t* flags, uint32_t fuzz); + +#endif + diff -Nru snort-2.9.0.1/src/preprocessors/stream_api.c snort-2.9.2/src/preprocessors/stream_api.c --- snort-2.9.0.1/src/preprocessors/stream_api.c 2010-01-26 10:10:14.000000000 -0800 +++ snort-2.9.2/src/preprocessors/stream_api.c 2011-02-09 15:23:30.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* - * ** Copyright (C) 2005-2010 Sourcefire, Inc. + * ** Copyright (C) 2005-2011 Sourcefire, Inc. * ** AUTHOR: Steven Sturges * ** * ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/preprocessors/stream_api.h snort-2.9.2/src/preprocessors/stream_api.h --- snort-2.9.0.1/src/preprocessors/stream_api.h 2010-06-09 15:05:23.000000000 -0700 +++ snort-2.9.2/src/preprocessors/stream_api.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /* - * ** Copyright (C) 2005-2010 Sourcefire, Inc. + * ** Copyright (C) 2005-2011 Sourcefire, Inc. * ** AUTHOR: Steven Sturges * ** * ** This program is free software; you can redistribute it and/or modify 
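Review bot: The field comment `void* user; // arbitrary user data` in PAF_State understates the contract: `s5_paf_clear()` in stream5_paf.c passes this pointer to `free()` and NULLs it, so whatever a PAF_Callback stores through its `void** user` argument must be heap memory that PAF is allowed to release. Suggest `void* user; // arbitrary user data; must be malloc'd, free()d by s5_paf_clear()` so implementers do not store pointers to static or session-owned storage. The inline predicates `s5_paf_initialized` and `s5_paf_active` return `uint32_t` but are only used as booleans (`if ( !s5_paf_initialized(ps) )` in s5_paf_check); `bool` would match the rest of this header.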
@@ -23,7 +23,7 @@ /* stream_api.h * * Purpose: Definition of the StreamAPI. To be used as a common interface - * for TCP (and later UDP & ICMP) Stream access for other + * for TCP (and later UDP & ICMP) Stream access for other * preprocessors and detection plugins. * * Arguments: @@ -47,7 +47,7 @@ #include "decode.h" #include "sfPolicy.h" -#define IGNORE_FLAG_ALWAYS 0x01 +#define EXPECT_FLAG_ALWAYS 0x01 #define SSN_MISSING_NONE 0x00 #define SSN_MISSING_BEFORE 0x01 
@@ -85,20 +85,27 @@ #define SSNFLAG_DROP_CLIENT 0x00080000 #define SSNFLAG_DROP_SERVER 0x00100000 #define SSNFLAG_LOGGED_QUEUE_FULL 0x00200000 +#define SSNFLAG_STREAM_ORDER_BAD 0x00400000 #define SSNFLAG_ALL 0xFFFFFFFF /* all that and a bag of chips */ #define SSNFLAG_NONE 0x00000000 /* nothing, an MT bag of chips */ -#define STREAM_FLPOLICY_NONE 0x00 -#define STREAM_FLPOLICY_FOOTPRINT 0x01 /* size-based footprint flush */ -#define STREAM_FLPOLICY_LOGICAL 0x02 /* queued bytes-based flush */ -#define STREAM_FLPOLICY_RESPONSE 0x03 /* flush when we see response */ -#define STREAM_FLPOLICY_SLIDING_WINDOW 0x04 /* flush on sliding window */ +typedef enum { + STREAM_FLPOLICY_NONE, + STREAM_FLPOLICY_FOOTPRINT, /* size-based footprint flush */ + STREAM_FLPOLICY_LOGICAL, /* queued bytes-based flush */ + STREAM_FLPOLICY_RESPONSE, /* flush when we see response */ + STREAM_FLPOLICY_SLIDING_WINDOW, /* flush on sliding window */ #if 0 -#define STREAM_FLPOLICY_CONSUMED 0x05 /* purge consumed bytes */ + STREAM_FLPOLICY_CONSUMED, /* purge consumed bytes */ #endif -#define STREAM_FLPOLICY_IGNORE 0x06 /* ignore this traffic */ - -#define STREAM_FLPOLICY_MAX STREAM_FLPOLICY_IGNORE + STREAM_FLPOLICY_IGNORE, /* ignore this traffic */ + STREAM_FLPOLICY_PROTOCOL, /* protocol aware flushing (PAF) */ +#ifdef NORMALIZER + STREAM_FLPOLICY_FOOTPRINT_IPS, /* protocol agnostic ips */ + STREAM_FLPOLICY_PROTOCOL_IPS, /* protocol aware ips */ +#endif + STREAM_FLPOLICY_MAX +} FlushPolicy; #define STREAM_FLPOLICY_SET_ABSOLUTE 0x01 #define STREAM_FLPOLICY_SET_APPEND 0x02 @@ -107,6 +114,7 @@ #define STREAM_API_VERSION5 5 +typedef void (*LogExtraData)(void *ssnptr, void *config, LogFunction *funcs, uint32_t max_count, uint32_t xtradata_mask, uint32_t id, uint32_t sec); typedef void (*StreamAppDataFree)(void *); typedef int (*PacketIterator) ( 
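Review bot: Converting the flush policies to an enum changes the meaning of `STREAM_FLPOLICY_MAX`: it used to be an alias for the last valid policy (`STREAM_FLPOLICY_IGNORE`) and is now a count one past the last enumerator, so any range check elsewhere written as `<= STREAM_FLPOLICY_MAX` would now accept an invalid value and needs `< STREAM_FLPOLICY_MAX`; a comment such as `STREAM_FLPOLICY_MAX /* number of policies; not a valid policy */` would make the new meaning clear. The numeric values now also depend on the `#if 0` and `#ifdef NORMALIZER` blocks inside the enum, so they are no longer stable across build configurations; that is fine as long as no value is persisted or exchanged with separately built code, and is worth stating in a comment. `FlushMgr.flush_policy` remains `uint8_t` in stream5_common.h, which still holds every enumerator.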
@@ -130,6 +138,32 @@ unsigned char flowb[1]; } StreamFlowData; +// for protocol aware flushing (PAF): +typedef enum { + PAF_ABORT, // non-paf operation + PAF_START, // internal use only + PAF_SEARCH, // searching for next flush point + PAF_FLUSH, // flush at given offset + PAF_SKIP // skip ahead to given offset +} PAF_Status; + +typedef PAF_Status (*PAF_Callback)( // return your scan state + void* session, // session pointer + void** user, // arbitrary user data hook + const uint8_t* data, // in order segment data as it arrives + uint32_t len, // length of data + uint32_t flags, // packet flags indicating direction of data + uint32_t* fp // flush point (offset) relative to data +); + +typedef struct _StreamSessionLimits +{ + uint32_t tcp_session_limit; + uint32_t udp_session_limit; + uint32_t icmp_session_limit; + uint32_t ip_session_limit; +} StreamSessionLimits; + typedef struct _stream_api { int version; @@ -189,6 +223,8 @@ * IP addr #2 * Port #2 * Protocol + * Current time (from packet) + * Preprocessor ID * Direction * Flags (permanent) * @@ -197,7 +233,14 @@ * -1 on failure */ int (*ignore_session)(snort_ip_p, uint16_t, snort_ip_p, uint16_t, - char, char, char); + uint8_t, time_t, uint32_t, char, char); + + /* Get direction that data is being ignored. + * + * Parameters + * Session Ptr + */ + int (*get_ignore_direction)(void *); /* Resume inspection for session. * @@ -249,7 +292,7 @@ /* Sets the flags for a session * This ORs the supplied flags with the previous values - * + * * Parameters * Session Ptr * Flags @@ -322,7 +365,7 @@ * -1 failure (max alerts reached) * */ - int (*add_session_alert)(void *, Packet *p, uint32_t, uint32_t); + int (*add_session_alert)(void *, Packet *p, uint32_t, uint32_t, int); /* Check session alert * 
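Review bot: The new `int (*get_ignore_direction)(void *);` in the `@@ -197,7 +233,14 @@` hunk documents its parameter but, unlike the neighbouring entries, has no Returns section; it should say which direction values it yields and how a failure (for example an unknown session) is reported. In the `@@ -322,7 +365,7 @@` hunk `add_session_alert` gains a trailing `int` parameter while the visible tail of its comment (`-1 failure (max alerts reached)`) is unchanged; the parameter list sits above the hunk, so please confirm it documents the new argument, and naming the parameter in the prototype would help regardless. The PAF_Callback typedef in the first hunk is well commented; the same per-argument style would suit these two entries.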
@@ -338,6 +381,20 @@ */ int (*check_session_alerted)(void *, Packet *p, uint32_t, uint32_t); + /* Set Extra Data Logging + * + * Parameters + * Session Ptr + * Packet + * gen ID + * sig ID + * Returns + * 0 success + * -1 failure ( no alerts ) + * + */ + int (*log_session_extra_data)(void *, Packet *p, uint32_t, uint32_t, uint32_t, uint32_t); + /* Get Flowbits data * * Parameters @@ -346,6 +403,7 @@ * Returns * Ptr to Flowbits Data */ + StreamFlowData *(*get_flow_data)(Packet *p); /* Set reassembly flush policy/direction for given session @@ -426,7 +484,7 @@ * * Parameters * Session Ptr - * + * * Returns * integer protocol identifier */ @@ -437,7 +495,7 @@ * Parameters * Session Ptr * ID - * + * * Returns * integer protocol identifier */ 
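Review bot: `log_session_extra_data` takes six parameters (`void *, Packet *p, uint32_t, uint32_t, uint32_t, uint32_t`) but its new comment lists only Session Ptr, Packet, gen ID and sig ID, so the last two `uint32_t` arguments are undocumented; the comment should name them, and naming the parameters in the prototype itself would remove the ambiguity. The neighbouring `get_flow_data` is added with no comment of its own; it follows the pre-existing "Get Flowbits data" block, and if that block is meant to describe it, its Parameters section should mention the `Packet *p` argument.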
@@ -450,11 +508,27 @@ void (*set_service_filter_status)(int service, int status, tSfPolicyId policyId, int parsing); #endif - /** Set port to either ignore, inspect or maintain session state. + /** Get an independent bit to allow an entity to enable and + * disable port session tracking and syn session creation + * without affecting the status of set by other entities. + * Returns a bitmask (with the bit range 3-15) or 0, if no bits + * are available. + */ + uint16_t (*get_preprocessor_status_bit)(void); + + /** Set port to either ignore, inspect or maintain session state. * If this is called during parsing a preprocessor configuration, make * sure to set the parsing argument to 1. */ - void (*set_port_filter_status)(int protocol, uint16_t port, int status, tSfPolicyId policyId, int parsing); + void (*set_port_filter_status)(int protocol, uint16_t port, uint16_t status, tSfPolicyId policyId, int parsing); + + /** Unset port to maintain session state. This function can only + * be used with independent bits acquired from + * get_preprocessor_status_bit. If this is called during + * parsing a preprocessor configuration, make sure to set the + * parsing argument to 1. + */ + void (*unset_port_filter_status)(int protocol, uint16_t port, uint16_t status, tSfPolicyId policyId, int parsing); #ifdef ACTIVE_RESPONSE // initialize response count and expiration time @@ -485,7 +559,6 @@ */ void (*set_flush_point)(void *, char, uint32_t); -#ifdef TARGET_BASED /* Turn off inspection for potential session. * Adds session identifiers to a hash table. * TCP only. 
@@ -496,26 +569,103 @@ * IP addr #2 * Port #2 * Protocol - * ID + * Current time (from packet) + * ID, + * Preprocessor ID calling this function, + * Preprocessor specific data, + * Preprocessor data free function. If NULL, then static buffer is assumed. * * Returns * 0 on success * -1 on failure */ int (*set_application_protocol_id_expected)(snort_ip_p, uint16_t, snort_ip_p, uint16_t, - char, int16_t); + uint8_t, time_t, int16_t, uint32_t, void*, void (*)(void*)); + +#ifdef TARGET_BASED + /* Get server IP address. This could be used either during packet processing or when + * a session is being closed. Caller should make a deep copy if return value is needed + * for later use. + * + * Arguments + * void * - session pointer + * uint32_t - direction. Valid values are SSN_DIR_SERVER or SSN_DIR_CLIENT + * + * Returns + * IP address. Contents at the buffer should not be changed. The + */ + snort_ip_p (*get_session_ip_address)(void *, uint32_t); #endif + + // register for stateful scanning of in-order payload to determine flush points + // autoEnable allows PAF regardless of s5 ports config + bool (*register_paf_cb)( + tSfPolicyId, uint16_t server_port, bool toServer, + PAF_Callback, bool autoEnable); + + // get any paf user data stored for this session + void** (*get_paf_user_data)(void* ssnptr, bool toServer); + + bool (*is_paf_active)(void* ssn, bool toServer); + bool (*activate_paf)(void* ssn, bool toServer); + + /** Set flag to force sessions to be created on SYN packets. + * This function can only be used with independent bits + * acquired from get_preprocessor_status_bit. If this is called + * during parsing a preprocessor configuration, make sure to + * set the parsing argument to 1. + */ + void (*set_tcp_syn_session_status)(uint16_t status, tSfPolicyId policyId, int parsing); + + /** Unset flag that forces sessions to be created on SYN + * packets. This function can only be used with independent + * bits acquired from get_preprocessor_status_bit. 
If this is + * called during parsing a preprocessor configuration, make + * sure to set the parsing argument to 1. + */ + void (*unset_tcp_syn_session_status)(uint16_t status, tSfPolicyId policyId, int parsing); + + /** Retrieve application session data based on the lookup tuples for + * cases where Snort does not have an active packet that is + * relevant. + * + * Parameters + * IP addr #1 + * Port #1 (0 for non TCP/UDP) + * IP addr #2 + * Port #2 (0 for non TCP/UDP) + * Protocol + * VLAN ID + * MPLS ID + * Preprocessor ID + * + * Returns + * Application Data reference (pointer) + */ + void *(*get_application_data_from_ip_port)(snort_ip_p, uint16_t, snort_ip_p, uint16_t, char, uint16_t, uint32_t, uint32_t); + + //Register callbacks for extra data logging + uint32_t (*reg_xtra_data_cb)(LogFunction ); + + //Register Extra Data Log Function + void (*reg_xtra_data_log)(LogExtraData, void *); + + //Get the Extra data map + uint32_t (*get_xtra_data_map)(LogFunction **); + + //Retrieve the maximum session limits for the given policy + void (*get_max_session_limits)(tSfPolicyId, StreamSessionLimits*); } StreamAPI; -/* To be set by Stream5 (or Stream4) */ +/* To be set by Stream5 */ extern StreamAPI *stream_api; /**Port Inspection States. Port can be either ignored, * or inspected or session tracked. The values are bitmasks. */ -typedef enum { +typedef enum { /**Dont monitor the port. */ - PORT_MONITOR_NONE = 0x00, + PORT_MONITOR_NONE = 0x00, /**Inspect the port. */ PORT_MONITOR_INSPECT = 0x01, @@ -525,5 +675,7 @@ } PortMonitorStates; +#define PORT_MONITOR_SESSION_BITS 0xFFFE + #endif /* STREAM_API_H_ */ diff -Nru snort-2.9.0.1/src/preprocessors/stream_expect.c snort-2.9.2/src/preprocessors/stream_expect.c --- snort-2.9.0.1/src/preprocessors/stream_expect.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/stream_expect.c 2011-11-21 12:15:24.000000000 -0800 
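Review bot: In the `@@ -496,26 +569,103 @@` hunk `get_application_data_from_ip_port` declares its protocol argument as `char`, while `set_application_protocol_id_expected` in the same hunk, `ignore_session` earlier in this file and the `protocol` fields in stream5_common.h all moved to `uint8_t`; since the signedness of `char` is implementation-defined, protocol numbers above 127 can compare differently through this one entry point. It should read `void *(*get_application_data_from_ip_port)(snort_ip_p, uint16_t, snort_ip_p, uint16_t, uint8_t, uint16_t, uint32_t, uint32_t);`. The Returns text of `get_session_ip_address` is cut off mid-sentence (`Contents at the buffer should not be changed. The`); finish the sentence or drop the dangling word. `reg_xtra_data_cb(LogFunction )` has a stray space before the closing parenthesis.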
@@ -0,0 +1,648 @@ +/* $Id$ */ + +/* +** Copyright (C) 2005-2011 Sourcefire, Inc. +** AUTHOR: Steven Sturges +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* stream_expect.c + * + * Purpose: Handle hash table storage and lookups for ignoring + * entire data streams. + * + * Arguments: + * + * Effect: + * + * Comments: + * + * Any comments? + * + */ +#include <sys/types.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#ifndef WIN32 +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#endif /* WIN32 */ +#include <time.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "snort.h" +#include "stream_expect.h" +#include "sf_types.h" +#include "snort_debug.h" +#include "decode.h" +#include "stream_api.h" +#include "sfxhash.h" +#include "util.h" +#include "ipv6_port.h" +#include "sfPolicy.h" +#include "sfPolicyUserData.h" + +/* Reasonably small, and prime */ +#define EXPECT_HASH_SIZE 1021 + +/* Number of unique ExpectSessionData stored in each hash entry. 
*/ +#define NUM_SESSION_DATA_MAX 8 +#define STREAM_EXPECT_CLEAN_LIMIT 5 + +typedef struct _ExpectedSessionData +{ + uint32_t preprocId; + void *appData; + void (*appDataFreeFn)(void *); + struct _ExpectedSessionData *next; +} ExpectedSessionData; + +typedef struct _ExpectedSessionDataList +{ + ExpectedSessionData *data; + struct _ExpectedSessionDataList *next; +} ExpectedSessionDataList; + +typedef struct _ExpectHashKey +{ + snort_ip ip1; + snort_ip ip2; + uint16_t port1; + uint16_t port2; + uint32_t protocol; +} ExpectHashKey; + +typedef struct _ExpectNode +{ + int reversed_key; + time_t expires; + int direction; + unsigned data_list_count; + int16_t appId; + ExpectedSessionDataList *data_list; + ExpectedSessionDataList *data_list_tail; +} ExpectNode; + +/* The hash table of expected channels */ +static SFXHASH *channelHash = NULL; + +static void freeExpectedSessionData(ExpectedSessionData *data) +{ + ExpectedSessionData *tmp; + + while ((tmp = data)) + { + data = tmp->next; + if (tmp->appData && tmp->appDataFreeFn) + tmp->appDataFreeFn(tmp->appData); + free(tmp); + } +} + +static void freeNodeAppData(ExpectNode *node) +{ + ExpectedSessionDataList *data_list; + + while ((data_list = node->data_list)) + { + node->data_list = data_list->next; + freeExpectedSessionData(data_list->data); + free(data_list); + } + node->data_list_tail = NULL; + node->data_list_count = 0; +} + +static int freeHashNode(void *k, void *p) +{ + freeNodeAppData((ExpectNode*)p); + return 0; +} + +static snort_ip zeroed; + +/**Either expect or expect future session. + * + * Preprocessors may add sessions to be expected altogether or to be associated with some data. For example, + * FTP preprocessor may add data channel that should be expected. Alternatively, FTP preprocessor may add + * session with appId FTP-DATA. + * + * It is assumed that only one of cliPort or srvPort should be known (!0). 
This violation of this assumption + * will cause hash collision that will cause some session to be not expected and expected. This will occur only + * rarely and therefore acceptable design optimization. + * + * Also, appId is assumed to be consistent between different preprocessors. Each session can be assigned only + * one AppId. When new appId mismatches existing appId, new appId and associated data is not stored. + * + * @param cliIP - client IP address. All preprocessors must have consistent view of client side of a session. + * @param cliPort - client port number + * @param srvIP - server IP address. All preprocessors must have consisten view of server side of a session. + * @param srcPort - server port number + * @param protocol - IPPROTO_TCP or IPPROTO_UDP. + * @param direction - direction of session. Assumed that direction value for session being expected or expected will + * remain same across different calls to this function. + * @param expiry - session expiry in seconds. + */ +int StreamExpectAddChannel(snort_ip_p cliIP, uint16_t cliPort, + snort_ip_p srvIP, uint16_t srvPort, + uint8_t protocol, time_t now, char direction, uint8_t flags, + uint32_t timeout, int16_t appId, uint32_t preprocId, + void *appData, void (*appDataFreeFn)(void*)) +{ + ExpectHashKey hashKey; + SFXHASH_NODE *hash_node; + ExpectNode new_node; + ExpectNode *node; + ExpectedSessionDataList *data_list; + ExpectedSessionData *data; + int reversed_key; +#ifdef SUP_IP6 + SFIP_RET rval; +#endif + + if (cliPort != UNKNOWN_PORT) + srvPort = UNKNOWN_PORT; + +#ifdef DEBUG_MSGS + { + char src_ip[INET6_ADDRSTRLEN]; + char dst_ip[INET6_ADDRSTRLEN]; + + sfip_ntop(cliIP, src_ip, sizeof(src_ip)); + sfip_ntop(srvIP, dst_ip, sizeof(dst_ip)); + DebugMessage(DEBUG_STREAM, "Creating expected %s-%u -> %s-%u %u appid %d preproc %u\n", src_ip, + cliPort, dst_ip, srvPort, protocol, appId, preprocId); + } +#endif + + /* Add the info to a tree that marks this channel as one to expect. 
+ * Only one of the port values may be UNKNOWN_PORT. + * As a sanity check, the IP addresses may not be 0 or 255.255.255.255. + */ + if ((cliPort == UNKNOWN_PORT) && (srvPort == UNKNOWN_PORT)) + return -1; + +#ifdef SUP_IP6 + if (cliIP->family == AF_INET) + { + if (!cliIP->ip.u6_addr32[0] || cliIP->ip.u6_addr32[0] == 0xFFFFFFFF || + !srvIP->ip.u6_addr32[0] || srvIP->ip.u6_addr32[0] == 0xFFFFFFFF) + { + return -1; + } + } + else if (sfip_fast_eq6(cliIP, IP_ARG(zeroed)) || sfip_fast_eq6(srvIP, IP_ARG(zeroed))) + { + return -1; + } +#else + if (!cliIP || cliIP == 0xFFFFFFFF || + !srvIP || srvIP == 0xFFFFFFFF) + { + return -1; + } +#endif + +#ifdef SUP_IP6 + rval = sfip_compare(cliIP, srvIP); + if (rval == SFIP_LESSER || (rval == SFIP_EQUAL && cliPort < srvPort)) +#else + if (cliIP < srvIP || (cliIP == srvIP && cliPort < srvPort)) +#endif + { + IP_COPY_VALUE(hashKey.ip1, cliIP); + hashKey.port1 = cliPort; + IP_COPY_VALUE(hashKey.ip2, srvIP); + hashKey.port2 = srvPort; + reversed_key = 0; + } + else + { + IP_COPY_VALUE(hashKey.ip1, srvIP); + hashKey.port1 = srvPort; + IP_COPY_VALUE(hashKey.ip2, cliIP); + hashKey.port2 = cliPort; + reversed_key = 1; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "reversed\n");); + } + + /* Actually add it to the hash table with a timestamp of now. + * so we can expire entries that are older than a configurable + * time. Those entries will be for sessions that we missed or + * never occured. Should not keep the entry around indefinitely. + */ + hashKey.protocol = (uint32_t)protocol; + + hash_node = sfxhash_find_node(channelHash, &hashKey); + if (hash_node) + { + if (!(node = hash_node->data)) + sfxhash_free_node(channelHash, hash_node); + } + else + node = NULL; + if (node) + { + int expired; + + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "exists\n");); + /* + * This handles the case where there is already an entry + * for this key (IP addresses/port). 
It could occur when + * multiple users from behind a NAT'd Firewall all go to the + * same site when in FTP Port mode. To get around this issue, + * we keep a counter of the number of pending open channels + * with the same known endpoints (2 IPs & a port). When that + * channel is actually opened, the counter is decremented, and + * the entry is removed when the counter hits 0. + * Because all of this is single threaded, there is no potential + * for a race condition. + */ + expired = (node->expires != 0) && (now > node->expires); + if (expired) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "expected session is expired\n");); + //free older data + freeNodeAppData(node); + node->appId = appId; + } + if (node->appId != appId) + { + if (node->appId && appId) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "expected session has different appId %d != %d\n", node->appId, appId);); + return -1; + } + node->appId = appId; + } + if (node->data_list_count >= NUM_SESSION_DATA_MAX) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "expected session has maximum data slots used\n");); + return -1; + } + if ((data_list = node->data_list_tail)) + { + for (data = data_list->data; data && data->preprocId != preprocId; data = data->next); + if (data) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Found an existing occurance\n");); + data_list = NULL; + } + } + data = malloc(sizeof(*data)); + if (!data) + { + if (!node->data_list_count) + sfxhash_free_node(channelHash, hash_node); + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Memory alloc error\n");); + return -1; + } + data->appData = appData; + data->appDataFreeFn = appDataFreeFn; + data->preprocId = preprocId; + if (!data_list) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Adding new occurance\n");); + data_list = calloc(1, sizeof(*data_list)); + if (!data_list) + { + if (!node->data_list_count) + sfxhash_free_node(channelHash, hash_node); + free(data); + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Memory alloc error\n");); + return -1; + } + if 
(node->data_list_tail) + { + node->data_list_tail->next = data_list; + node->data_list_tail = data_list; + } + else + node->data_list = node->data_list_tail = data_list; + node->data_list_count++; + } +#ifdef DEBUG_MSGS + else + { + DebugMessage(DEBUG_STREAM, "Using an existing occurance\n"); + } +#endif + data->next = data_list->data; + data_list->data = data; + + if (flags & EXPECT_FLAG_ALWAYS) + node->expires = 0; + else + node->expires = now + timeout; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Updating expect channel node with %u occurances\n", node->data_list_count);); + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Adding expect channel node\n");); + + new_node.appId = appId; + new_node.reversed_key = reversed_key; + new_node.direction = direction; + /* now + 5 minutes (configurable?) + * + * use the time that we keep sessions around + * since this info would effectively be invalid + * after that anyway because the session that + * caused this will be gone. + */ + if (flags & EXPECT_FLAG_ALWAYS) + new_node.expires = 0; + else + new_node.expires = now + timeout; + data = malloc(sizeof(*data)); + if (!data) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Memory alloc error\n");); + return -1; + } + data->appData = appData; + data->appDataFreeFn = appDataFreeFn; + data->preprocId = preprocId; + data->next = NULL; + data_list = malloc(sizeof(*data_list)); + if (!data_list) + { + free(data); + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Memory alloc error\n");); + return -1; + } + data_list->next = NULL; + data_list->data = data; + new_node.data_list_count = 1; + new_node.data_list = new_node.data_list_tail = data_list; + + /* Add it to the table */ + if (sfxhash_add(channelHash, &hashKey, &new_node) != SFXHASH_OK) + { + /* Uh, shouldn't get here... + * There is already a node or couldn't alloc space + * for key. This means bigger problems, but fail + * gracefully. 
+ */ + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + "Failed to add channel node to expected hash table\n");); + free(data_list); + free(data); + return -1; + } + } + + return 0; +} + +int StreamExpectIsExpected(Packet *p, SFXHASH_NODE **expected_hash_node) +{ + snort_ip_p srcIP, dstIP; + SFXHASH_NODE *hash_node; + ExpectHashKey hashKey; + ExpectNode *node; +#ifdef SUP_IP6 + SFIP_RET rval; +#endif + uint16_t port1; + uint16_t port2; + int reversed_key; + + /* No hash table, or its empty? Get out of dodge. */ + if (!sfxhash_count(channelHash)) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "No expected sessions\n");); + return 0; + } + + srcIP = GET_SRC_IP(p); + dstIP = GET_DST_IP(p); + +#ifdef DEBUG_MSGS + { + char src_ip[INET6_ADDRSTRLEN]; + char dst_ip[INET6_ADDRSTRLEN]; + + sfip_ntop(srcIP, src_ip, sizeof(src_ip)); + sfip_ntop(dstIP, dst_ip, sizeof(dst_ip)); + DebugMessage(DEBUG_STREAM, "Checking isExpected %s-%u -> %s-%u %u\n", src_ip, + p->sp, dst_ip, p->dp, GET_IPH_PROTO(p)); + } +#endif + +#ifdef SUP_IP6 + rval = sfip_compare(dstIP, srcIP); + if (rval == SFIP_LESSER || (rval == SFIP_EQUAL && p->dp < p->sp)) +#else + if (dstIP < srcIP || (dstIP == srcIP && p->dp < p->sp)) +#endif + { + IP_COPY_VALUE(hashKey.ip1, dstIP); + IP_COPY_VALUE(hashKey.ip2, srcIP); + hashKey.port1 = p->dp; + hashKey.port2 = 0; + port1 = 0; + port2 = p->sp; + reversed_key = 1; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "reversed\n");); + } + else + { + IP_COPY_VALUE(hashKey.ip1, srcIP); + IP_COPY_VALUE(hashKey.ip2, dstIP); + hashKey.port1 = 0; + hashKey.port2 = p->dp; + port1 = p->sp; + port2 = 0; + reversed_key = 0; + } + hashKey.protocol = (uint32_t)GET_IPH_PROTO(p); + + hash_node = sfxhash_find_node(channelHash, &hashKey); + if (hash_node) + { + if (!(node = hash_node->data)) + sfxhash_free_node(channelHash, hash_node); + } + else + node = NULL; + if (!node) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Could not find with dp\n");); + hashKey.port1 = port1; + hashKey.port2 = port2; + hash_node = 
sfxhash_find_node(channelHash, &hashKey); + if (hash_node) + { + if (!(node = hash_node->data)) + sfxhash_free_node(channelHash, hash_node); + } + } + if (node) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Found expected\n");); + if (node->expires && p->pkth->ts.tv_sec > node->expires) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Expected expired\n");); + sfxhash_free_node(channelHash, hash_node); + return 0; + } + if (!node->data_list) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Expected session has no data???\n");); + sfxhash_free_node(channelHash, hash_node); + return 0; + } + /* Make sure the packet direction is correct */ + switch (node->direction) + { + case SSN_DIR_BOTH: + break; + case SSN_DIR_CLIENT: + case SSN_DIR_SERVER: + if (node->reversed_key != reversed_key) + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Expected is the wrong direction\n");); + return 0; + } + break; + } + *expected_hash_node = hash_node; + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "using expected\n");); + return 1; + } + else + { + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Could not find with sp\n");); + } + return 0; +} + +char SteamExpectProcessNode(Packet *p, Stream5LWSession* lws, SFXHASH_NODE *expected_hash_node) +{ + SFXHASH_NODE *hash_node; + ExpectNode *node; + ExpectedSessionDataList *data_list; + ExpectedSessionData *data; + time_t now; + int retVal = SSN_DIR_NONE; + unsigned i; + + node = expected_hash_node->data; + node->data_list_count--; + data_list = node->data_list; + node->data_list = data_list->next; + + while ((data = data_list->data)) + { + data_list->data = data->next; + if (data->appData && stream_api->set_application_data(lws, data->preprocId, data->appData, data->appDataFreeFn) && + data->appDataFreeFn) + { + data->appDataFreeFn(data->appData); + } + free(data); + } + free(data_list); + + /* If this is 0, we're ignoring, otherwise setting id of new session */ + if (!node->appId) + retVal = node->direction; +#ifdef TARGET_BASED + else + lws->application_protocol = 
node->appId; +#endif + +#ifdef DEBUG_MSGS + { + snort_ip_p srcIP, dstIP; + char src_ip[INET6_ADDRSTRLEN]; + char dst_ip[INET6_ADDRSTRLEN]; + + srcIP = GET_SRC_IP(p); + dstIP = GET_DST_IP(p); + sfip_ntop(srcIP, src_ip, sizeof(src_ip)); + sfip_ntop(dstIP, dst_ip, sizeof(dst_ip)); + DebugMessage(DEBUG_STREAM, + "Ignoring channel %s:%d --> %s:%d, policyId %d\n", + src_ip, p->sp, + dst_ip, p->dp, getRuntimePolicy()); + } +#endif + + if (!node->data_list) + sfxhash_free_node(channelHash, expected_hash_node); + + now = p->pkth->ts.tv_sec; + /* Clean the hash table of at most STREAM_EXPECT_CLEAN_LIMIT expired nodes */ + for (i = 0; i < STREAM_EXPECT_CLEAN_LIMIT && (hash_node = sfxhash_lru_node(channelHash)); i++) + { + node = hash_node->data; + if (node) + { + if (node->expires && now > node->expires) + { + /* sayonara baby... */ + sfxhash_free_node(channelHash, hash_node); + } + else + { + /* This one's not expired, fine... + * no need to prune further. + */ + break; + } + } + } + + return retVal; +} + +char SteamExpectCheck(Packet *p, Stream5LWSession* lws) +{ + SFXHASH_NODE *hash_node; + + if (!StreamExpectIsExpected(p, &hash_node)) + return SSN_DIR_NONE; + + return SteamExpectProcessNode(p, lws, hash_node); +} + +void StreamExpectInit(void) +{ + channelHash = sfxhash_new(-EXPECT_HASH_SIZE, sizeof(ExpectHashKey), sizeof(ExpectNode), 0, 1, + freeHashNode, freeHashNode, 1); + if (!channelHash) + FatalError("Failed to create the expected channel hash table.\n"); + + memset(&zeroed, 0, sizeof(zeroed)); +} + +void StreamExpectCleanup(void) +{ + if (channelHash) + { + sfxhash_delete(channelHash); + channelHash = NULL; + } +} + diff -Nru snort-2.9.0.1/src/preprocessors/stream_expect.h snort-2.9.2/src/preprocessors/stream_expect.h --- snort-2.9.0.1/src/preprocessors/stream_expect.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/preprocessors/stream_expect.h 2011-11-21 12:15:24.000000000 -0800 
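Review bot: In `StreamExpectAddChannel` the expired-node branch (`if (expired)`) frees the stale app data and resets `appId` but keeps `node->direction` and `node->reversed_key` from the stale entry, whereas the `stream_ignore.c` code removed by this diff reassigned the direction on expiry; a caller re-expecting the channel with the other client/server orientation can then have its packets rejected by the `reversed_key` check in `StreamExpectIsExpected` until the node is pruned. Add `node->direction = direction;` and `node->reversed_key = reversed_key;` directly after `freeNodeAppData(node);`. The Doxygen block above the function no longer matches its signature: it documents `@param expiry` and `@param srcPort` (the parameters are `timeout` and `srvPort`) and omits `now`, `flags`, `appId`, `preprocId`, `appData` and `appDataFreeFn`; the last two deserve an ownership sentence, since on every `return -1` path `appData` is never handed to `appDataFreeFn` and stays the caller's to release. `hashKey` is filled field by field on the stack without a `memset`, so if `sfxhash` hashes and compares raw key bytes, any padding inside `snort_ip`/`ExpectHashKey` would make lookups nondeterministic — the old `IgnoreHashKey` carried an explicit `pad` byte for exactly this — and a `memset(&hashKey, 0, sizeof(hashKey));` before the fill is cheap insurance. Finally, `SteamExpectProcessNode` and `SteamExpectCheck` (here and in `stream_expect.h`) misspell the `StreamExpect` prefix used by every other function in the file.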
@@ -0,0 +1,58 @@
+/* $Id$ */
+
+/*
+** Copyright (C) 2005-2011 Sourcefire, Inc.
+** AUTHOR: Steven Sturges
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* stream_expect.h
+ *
+ * Purpose: Handle hash table storage and lookups for ignoring
+ * entire data streams.
+ *
+ * Arguments:
+ *
+ * Effect:
+ *
+ * Comments: Used by Stream4 & Stream5 -- don't delete too soon.
+ *
+ * Any comments?
+ *
+ */
+
+#ifndef STREAM_EXPECT_H_
+#define STREAM_EXPECT_H_
+
+#include "ipv6_port.h"
+#include "stream5_common.h"
+#include "sfxhash.h"
+
+int StreamExpectAddChannel(snort_ip_p cliIP, uint16_t cliPort,
+                           snort_ip_p srvIP, uint16_t srvPort,
+                           uint8_t protocol, time_t now, char direction, uint8_t flags,
+                           uint32_t timeout, int16_t appId, uint32_t preprocId,
+                           void *appData, void (*appDataFreeFn)(void*));
+
+int StreamExpectIsExpected(Packet *p, SFXHASH_NODE **expected_hash_node);
+char SteamExpectProcessNode(Packet *p, Stream5LWSession* lws, SFXHASH_NODE *expected_hash_node);
+char SteamExpectCheck(Packet *, Stream5LWSession *);
+void StreamExpectInit(void);
+void StreamExpectCleanup(void);
+
+#endif /* STREAM_EXPECT_H_ */
+
diff -Nru snort-2.9.0.1/src/preprocessors/stream_ignore.c snort-2.9.2/src/preprocessors/stream_ignore.c
--- snort-2.9.0.1/src/preprocessors/stream_ignore.c 2010-04-06 07:05:49.000000000 -0700
+++ snort-2.9.2/src/preprocessors/stream_ignore.c 1969-12-31 16:00:00.000000000 -0800
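Review bot: The file comment carried over into the new header still reads `Comments: Used by Stream4 & Stream5 -- don't delete too soon.`, while the `stream_api.h` hunk in this same diff drops the `(or Stream4)` qualifier, so the note is stale the moment the file lands; drop it or reword it to Stream5 only. The prototypes also say nothing about who owns `appData`: from `stream_expect.c`, the expect table takes it only when `StreamExpectAddChannel` returns 0 (releasing it through `appDataFreeFn` or handing it to the session later), and on -1 the caller must still free it. A one-line comment on the declaration would make that explicit, e.g. `/* On success (0) appData is owned by the expect table and released via appDataFreeFn; on failure (-1) the caller keeps ownership. */`.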
@@ -1,452 +0,0 @@ -/* $Id$ */ - -/* -** Copyright (C) 2005-2010 Sourcefire, Inc. -** AUTHOR: Steven Sturges -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -/* stream_ignore.c - * - * Purpose: Handle hash table storage and lookups for ignoring - * entire data streams. - * - * Arguments: - * - * Effect: - * - * Comments: - * - * Any comments? 
- * - */ -#include <sys/types.h> -#include <stdlib.h> -#include <string.h> -#include <errno.h> -#ifndef WIN32 -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#endif /* WIN32 */ -#include <time.h> - -#include "debug.h" -#include "decode.h" -#include "stream_api.h" -#include "sfghash.h" -#include "util.h" -#include "ipv6_port.h" -#include "sfPolicy.h" -#include "sfPolicyUserData.h" - -/* Reasonably small, and prime */ -#define IGNORE_HASH_SIZE 1021 -typedef struct _IgnoreNode -{ - snort_ip ip1; - short port1; - snort_ip ip2; - short port2; - char protocol; - time_t expires; - int direction; - int numOccurances; - tSfPolicyId policyId; - int16_t appId; -} IgnoreNode; - -typedef struct _IgnoreHashKey -{ - snort_ip ip1; - snort_ip ip2; - tSfPolicyId policyId; - short port; - char protocol; - char pad; -} IgnoreHashKey; - -/* The hash table of ignored channels */ -static SFGHASH *channelHash = NULL; - -int IgnoreChannel(snort_ip_p cliIP, uint16_t cliPort, - snort_ip_p srvIP, uint16_t srvPort, - char protocol, char direction, char flags, - uint32_t timeout, int16_t appId) -{ - IgnoreHashKey hashKey; - time_t now; - IgnoreNode *node = NULL; - short portToHash = cliPort != UNKNOWN_PORT ? cliPort : srvPort; - snort_ip_p ip1, ip2; - snort_ip zeroed, oned; - IP_CLEAR(zeroed); -#ifdef SUP_IP6 - memset(oned.ip8, 1, 16); - zeroed.family = oned.family = cliIP->family; -#else - oned = 0xffffffff; -#endif - - if (!channelHash) - { - /* Create the hash table */ - channelHash = sfghash_new(IGNORE_HASH_SIZE, - sizeof(IgnoreHashKey), 0, free); - } - - time(&now); - - /* Add the info to a tree that marks this channel as one to ignore. - * Only one of the port values may be UNKNOWN_PORT. - * As a sanity check, the IP addresses may not be 0 or 255.255.255.255. 
- */ - if ((cliPort == UNKNOWN_PORT) && (srvPort == UNKNOWN_PORT)) - return -1; - - if (sfip_equal(cliIP, IP_ARG(zeroed)) || sfip_equal(cliIP, IP_ARG(oned)) || - sfip_equal(srvIP, IP_ARG(zeroed)) || sfip_equal(srvIP, IP_ARG(oned)) ) - return -1; - - if (IP_LESSER(cliIP, srvIP)) - { - ip1 = cliIP; - ip2 = srvIP; - } - else - { - ip1 = srvIP; - ip2 = cliIP; - } - - /* Actually add it to the hash table with a timestamp of now. - * so we can expire entries that are older than a configurable - * time. Those entries will be for sessions that we missed or - * never occured. Should not keep the entry around indefinitely. - */ - IP_COPY_VALUE(hashKey.ip1, ip1); - IP_COPY_VALUE(hashKey.ip2, ip2); - hashKey.port = portToHash; - hashKey.protocol = protocol; - hashKey.policyId = getRuntimePolicy(); - hashKey.pad = 0; - - node = sfghash_find(channelHash, &hashKey); - if (node) - { - /* - * This handles the case where there is already an entry - * for this key (IP addresses/port). It could occur when - * multiple users from behind a NAT'd Firewall all go to the - * same site when in FTP Port mode. To get around this issue, - * we keep a counter of the number of pending open channels - * with the same known endpoints (2 IPs & a port). When that - * channel is actually opened, the counter is decremented, and - * the entry is removed when the counter hits 0. - * Because all of this is single threaded, there is no potential - * for a race condition. 
- */ - int expired = (node->expires != 0) && (now > node->expires); - if (expired) - { - IP_COPY_VALUE(node->ip1, cliIP); - node->port1 = cliPort; - IP_COPY_VALUE(node->ip2, srvIP); - node->port2 = srvPort; - node->direction = direction; - node->protocol = protocol; - node->policyId = getRuntimePolicy(); - node->appId = appId; - } - else - { - node->numOccurances++; - } - if (flags & IGNORE_FLAG_ALWAYS) - node->expires = 0; - else - node->expires = now + timeout; - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, - "Updating ignore channel node\n");); - } - else - { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, - "Adding ignore channel node\n");); - - node = SnortAlloc(sizeof(IgnoreNode)); - if (!node) - { - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Memory alloc error\n");); - return -1; - } - IP_COPY_VALUE(node->ip1, cliIP); - node->port1 = cliPort; - IP_COPY_VALUE(node->ip2, srvIP); - node->port2 = srvPort; - node->direction = direction; - node->protocol = protocol; - node->policyId = getRuntimePolicy(); - /* now + 5 minutes (configurable?) - * - * use the time that we keep sessions around - * since this info would effectively be invalid - * after that anyway because the session that - * caused this will be gone. - */ - if (flags & IGNORE_FLAG_ALWAYS) - node->expires = 0; - else - node->expires = now + timeout; - node->numOccurances = 1; - node->appId = appId; - - /* Add it to the table */ - if (sfghash_add(channelHash, &hashKey, (void *)node) - != SFGHASH_OK) - { - /* Uh, shouldn't get here... - * There is already a node or couldn't alloc space - * for key. This means bigger problems, but fail - * gracefully. 
- */ - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, - "Failed to add channel node to hash table\n");); - free(node); - return -1; - } - } - - return 0; -} - -char CheckIgnoreChannel(Packet *p, int16_t *appId) -{ - snort_ip_p srcIP, dstIP; - short srcPort, dstPort; - char protocol; - - IgnoreHashKey hashKey; - time_t now; - int match = 0; - int retVal = 0; - IgnoreNode *node = NULL; - int expired = 0; - int i; - - /* No hash table, or its empty? Get out of dodge. */ - if (!channelHash || channelHash->count == 0) - return retVal; - - srcIP = GET_SRC_IP(p); - dstIP = GET_DST_IP(p); - srcPort = p->sp; - dstPort = p->dp; - protocol = GET_IPH_PROTO(p); - - /* First try the hash table using the dstPort. - * For FTP data channel this would be the client's port when the PORT - * command is used and the server is initiating the connection. - * This is done first because it is the most common case for FTP clients. - */ - if (IP_LESSER(dstIP,srcIP)) - { - IP_COPY_VALUE(hashKey.ip1, dstIP); - IP_COPY_VALUE(hashKey.ip2, srcIP); - } - else - { - IP_COPY_VALUE(hashKey.ip1, srcIP); - IP_COPY_VALUE(hashKey.ip2, dstIP); - } - hashKey.port = dstPort; - hashKey.protocol = protocol; - hashKey.pad = 0; - hashKey.policyId = getRuntimePolicy(); - - node = sfghash_find(channelHash, &hashKey); - - if (!node) - { - /* Okay, next try the hash table using the srcPort. - * For FTP data channel this would be the servers's port when the - * PASV command is used and the client is initiating the connection. - */ - hashKey.port = srcPort; - node = sfghash_find(channelHash, &hashKey); - - /* We could also check the reverses of these, ie. use - * srcIP then dstIP in the hashKey. Don't need to, though. - * - * Here's why: - * - * Since there will be an ACK that comes back from the server - * side, we don't need to look for the hash entry the other - * way -- it will be found when we get the ACK. This approach - * results in 2 checks per packet -- and 2 checks on the ACK. - * If we find a match, cool. 
If not we've done at most 4 checks - * between the packet and the ACK. - * - * Whereas, if we check the reverses, we do 4 checks on each - * side, or 8 checks between the packet and the ACK. While - * this would more quickly find the channel to ignore, it is - * a performance hit when we the session in question is - * NOT being ignored. Err on the side of performance here. - */ - } - - - /* Okay, found the key --> verify that the info in the node - * does in fact match and has not expired. - */ - time(&now); - if (node) - { - /* If the IPs match and if the ports match (or the port is - * "unknown"), we should ignore this channel. - */ - if( -#ifdef SUP_IP6 - IP_EQUALITY(&node->ip1, srcIP) && IP_EQUALITY(&node->ip2, dstIP) && -#else - IP_EQUALITY(node->ip1, srcIP) && IP_EQUALITY(node->ip2, dstIP) && -#endif - (node->policyId == getRuntimePolicy()) && - (node->port1 == srcPort || node->port1 == UNKNOWN_PORT) && - (node->port2 == dstPort || node->port2 == UNKNOWN_PORT) ) - { - match = 1; - } - else if ( -#ifdef SUP_IP6 - IP_EQUALITY(&node->ip2, srcIP) && IP_EQUALITY(&node->ip1, dstIP) && -#else - IP_EQUALITY(node->ip2, srcIP) && IP_EQUALITY(node->ip1, dstIP) && -#endif - (node->policyId == getRuntimePolicy()) && - (node->port2 == srcPort || node->port2 == UNKNOWN_PORT) && - (node->port1 == dstPort || node->port1 == UNKNOWN_PORT) ) - { - match = 1; - } - - /* Make sure the packet direction is correct */ - switch (node->direction) - { - case SSN_DIR_BOTH: - break; - case SSN_DIR_CLIENT: - if (!(p->packet_flags & PKT_FROM_CLIENT)) - match = 0; - break; - case SSN_DIR_SERVER: - if (!(p->packet_flags & PKT_FROM_SERVER)) - match = 0; - break; - } - - if (node->expires) - expired = (now > node->expires); - if (match) - { - /* Uh, just check to be sure it hasn't expired, - * in case we missed a packet and this is a - * different connection. */ - if ((node->numOccurances > 0) && (!expired)) - { - node->numOccurances--; - /* Matched & Still valid --> ignore it! 
*/ - - if (node->appId) /* If this is 0, we're ignoring, otherwise setting id of new session */ - *appId = node->appId; - else - retVal = node->direction; -#ifdef DEBUG - { - /* Have to allocate & copy one of these since inet_ntoa - * clobbers the info from the previous call. */ - -#ifdef SUP_IP6 - sfip_t *tmpAddr; - char srcAddr[40]; - tmpAddr = srcIP; - SnortStrncpy(srcAddr, sfip_ntoa(tmpAddr), sizeof(srcAddr)); - tmpAddr = dstIP; -#else - - struct in_addr tmpAddr; - char srcAddr[17]; - tmpAddr.s_addr = srcIP; - SnortStrncpy(srcAddr, inet_ntoa(tmpAddr), sizeof(srcAddr)); - tmpAddr.s_addr = dstIP; -#endif - - DEBUG_WRAP(DebugMessage(DEBUG_STREAM, - "Ignoring channel %s:%d --> %s:%d, policyId %d\n", - srcAddr, srcPort, - inet_ntoa(tmpAddr), dstPort, getRuntimePolicy());); - } -#endif - } - } - - if (((node->numOccurances <= 0) || (expired)) && - (node->expires != 0)) - { - /* Either expired or was the only one in the hash - * table. Remove this node. */ - sfghash_remove(channelHash, &hashKey); - } - } - - /* Clean the hash table of at most 5 expired nodes */ - for (i=0;i<5 && channelHash->count>0;i++) - { - SFGHASH_NODE *hash_node = sfghash_findfirst(channelHash); - if (hash_node) - { - node = hash_node->data; - if (node) - { - expired = (node->expires != 0) && (now > node->expires); - if (expired) - { - /* sayonara baby... */ - sfghash_remove(channelHash, hash_node->key); - } - else - { - /* This one's not expired, fine... - * no need to prune further. - */ - break; - } - } - } - } - - return retVal; -} - -void CleanupIgnore(void) -{ - if (channelHash) - { - sfghash_delete(channelHash); - channelHash = NULL; - } -} diff -Nru snort-2.9.0.1/src/preprocessors/stream_ignore.h snort-2.9.2/src/preprocessors/stream_ignore.h --- snort-2.9.0.1/src/preprocessors/stream_ignore.h 2010-04-06 07:05:49.000000000 -0700 +++ snort-2.9.2/src/preprocessors/stream_ignore.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,52 +0,0 @@ -/* $Id$ */ - -/* -** Copyright (C) 2005-2010 Sourcefire, Inc. -** AUTHOR: Steven Sturges -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -/* stream_ignore.h - * - * Purpose: Handle hash table storage and lookups for ignoring - * entire data streams. - * - * Arguments: - * - * Effect: - * - * Comments: Used by Stream4 & Stream5 -- don't delete too soon. - * - * Any comments? - * - */ - -#ifndef STREAM_IGNORE_H_ -#define STREAM_IGNORE_H_ - -#include "ipv6_port.h" - -int IgnoreChannel(snort_ip_p cliIP, uint16_t cliPort, - snort_ip_p srvIP, uint16_t srvPort, - char protocol, char direction, char flags, - uint32_t timeout, int16_t appId); - -char CheckIgnoreChannel(Packet *, int16_t *appId); -void CleanupIgnore(void); - -#endif /* STREAM_IGNORE_H_ */ - diff -Nru snort-2.9.0.1/src/preprocessors/str_search.c snort-2.9.2/src/preprocessors/str_search.c --- snort-2.9.0.1/src/preprocessors/str_search.c 2010-01-26 10:10:14.000000000 -0800 +++ snort-2.9.2/src/preprocessors/str_search.c 2011-06-07 17:33:18.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,13 +18,17 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #include <sys/types.h> #include <stdlib.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "str_search.h" #include "mpse.h" @@ -37,7 +41,7 @@ static t_search *_mpse = NULL; static unsigned int _num_mpse=0; - + void SearchFreeId(unsigned int id); int SearchInit(unsigned int num) @@ -71,7 +75,7 @@ NULL, NULL, NULL); _mpse[i].max_len = 0; _mpse[i].in_use=1; - + if ( !_mpse[i].mpse ) return -1; @@ -114,13 +118,13 @@ if ( !_mpse[i].mpse && !_mpse[i].in_use ) { _mpse[i].in_use=1; - + return i; } } return -1; - + } int SearchPutHandle(unsigned int id) @@ -137,8 +141,8 @@ } -/* - Do efficient search of data +/* + Do efficient search of data @param mpse_id specify which engine to use to search @param str string to search @param str_len length of string to search @@ -163,9 +167,9 @@ } start_state = 0; - num = mpseSearch(_mpse[mpse_id].mpse, (unsigned char*)str, str_len, Match, (void *) str, + num = mpseSearch(_mpse[mpse_id].mpse, (unsigned char*)str, str_len, Match, (void *) str, &start_state ); - + return num; } @@ -187,12 +191,12 @@ /* * Instance Functions * - * max_len is not handled by + * max_len is not handled by */ void * SearchInstanceNew(void) { t_search * search = malloc(sizeof(t_search)); - if( !search ) + if( !search ) return NULL; search->mpse = mpseNew(MPSE_AC_BNFA, MPSE_DONT_INCREMENT_GLOBAL_COUNT, 
@@ -220,13 +224,13 @@ void SearchInstanceAdd( void*instance, const char *pat, unsigned int pat_len, int id) { t_search * search = (t_search*)instance; - + if( search && search->mpse ) mpseAddPattern( search->mpse, (void *)pat, pat_len, 1, 0, 0, 0, (void *)(long) id, 0); - + if ( search && pat_len > search->max_len ) search->max_len = pat_len; - + } void SearchInstancePrepPatterns(void * instance) { @@ -239,14 +243,14 @@ int SearchInstanceFindString(void * instance, const char *str, - unsigned int str_len, - int confine, + unsigned int str_len, + int confine, int (*Match) (void *, void *, int, void *, void *)) { int num; int start_state = 0; t_search * search = (t_search*)instance; - + if ( confine && (search->max_len > 0) ) { if ( search->max_len < str_len ) @@ -256,9 +260,9 @@ } num = mpseSearch( search->mpse, (unsigned char*)str, str_len, Match, (void *) str, &start_state); - + return num; - + } diff -Nru snort-2.9.0.1/src/preprocessors/str_search.h snort-2.9.2/src/preprocessors/str_search.h --- snort-2.9.0.1/src/preprocessors/str_search.h 2010-01-26 10:10:14.000000000 -0800 +++ snort-2.9.2/src/preprocessors/str_search.h 2011-02-09 15:23:30.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/preprocids.h snort-2.9.2/src/preprocids.h --- snort-2.9.0.1/src/preprocids.h 2010-06-09 15:04:55.000000000 -0700 +++ snort-2.9.2/src/preprocids.h 2011-10-26 11:28:52.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + #ifndef _PREPROC_IDS_H #define _PREPROC_IDS_H @@ -31,7 +31,7 @@ ** during preprocessing. ** ** Currently, the order in which the preprocessors are -** placed in the snort.conf determine the order of +** placed in the snort.conf determine the order of ** evaluation. So if one module wants to turn off ** another module, it must come first in the order. */ @@ -47,7 +47,7 @@ #define PP_HTTPINSPECT 5 #define PP_PERFMONITOR 6 #define PP_RPCDECODE 7 -#define PP_RULES 8 +#define PP_SHARED_RULES 8 #define PP_SFPORTSCAN 9 #define PP_SMTP 10 #define PP_SSH 11 @@ -58,10 +58,17 @@ #define PP_DCE2 16 #define PP_SDF 17 #define PP_NORMALIZE 18 - -// used externally -#define PP_ISAKMP 19 -#define PP_SKYPE 20 +#define PP_ISAKMP 19 // used externally +#define PP_SKYPE 20 // used externally +#define PP_SIP 21 +#define PP_POP 22 +#define PP_IMAP 23 +#define PP_APPLICATION_IDENTIFICATION 24 // used externally +#define PP_RULE_ENGINE 25 // used externally +#define PP_REPUTATION 26 +#define PP_GTP 27 +#define PP_MODBUS 28 +#define PP_DNP3 29 #define PP_ALL_ON 0xFFFFFFFF #define PP_ALL_OFF 0x00000000 diff -Nru snort-2.9.0.1/src/profiler.c snort-2.9.2/src/profiler.c --- snort-2.9.0.1/src/profiler.c 2010-09-27 08:28:12.000000000 -0700 +++ snort-2.9.2/src/profiler.c 2011-10-26 11:28:52.000000000 -0700 
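Review bot: The new IDs in the -58 hunk run up to PP_DNP3 = 29, while PP_ALL_ON/PP_ALL_OFF are 32-bit masks, so if preprocessor bits are derived as `1 << id` (not visible here) only two more IDs fit before the mask overflows. A comment at the end of the list would make that ceiling explicit, e.g. `/* IDs must stay below 32: PP_ALL_ON/PP_ALL_OFF are 32-bit bit masks */`. The -47 hunk also renames PP_RULES to PP_SHARED_RULES without marking the old name as "used externally"; if any out-of-tree module referenced PP_RULES it now fails to compile, so a compatibility alias or a note in the header would be worth considering.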
@@ -1,9 +1,9 @@ /* ** $Id$ -** +** ** profiler.c ** -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Steven Sturges <ssturges@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -28,6 +28,10 @@ #include <string.h> #include <unistd.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "rules.h" #include "treenodes.h" @@ -75,6 +79,7 @@ Preproc_WorstPerformer *worstPreprocPerformers = NULL; PreprocStats totalPerfStats; +PreprocStats metaPerfStats; static PreprocStatsNode * PreprocStatsNodeList = NULL; int max_layers = 0; @@ -108,16 +113,16 @@ hashNode = sfghash_findnext(sc->otn_map)) { otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; + for ( policyId = 0; + policyId < otn->proto_node_num; policyId++ ) { rtn = getRtnFromOtn(otn, policyId); //rtn = currHeadNodeOtn->proto_node[currHeadNodePolicy]; if ((rtn->proto == IPPROTO_TCP) || (rtn->proto == IPPROTO_UDP) - || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) - { + || (rtn->proto == IPPROTO_ICMP) || (rtn->proto == ETHERNET_TYPE_IP)) + { //do operation otn->ticks = 0; otn->ticks_match = 0; @@ -217,7 +222,7 @@ "%*s%*s%*s%*s%*s%*s%*s%*s%*s%*s%*s\n", #endif 6, "Num", - 9, "SID", 4, "GID", 4, "Rev", + 9, "SID", 4, "GID", 4, "Rev", 11, "Checks", 10, "Matches", 10, "Alerts", @@ -239,7 +244,7 @@ "%*s%*s%*s%*s%*s%*s%*s%*s%*s%*s%*s\n", #endif 6, "Num", - 9, "SID", 4, "GID", 4, "Rev", + 9, "SID", 4, "GID", 4, "Rev", 11, "Checks", 10, "Matches", 10, "Alerts", @@ -381,8 +386,8 @@ hashNode = sfghash_findnext(sc->otn_map)) { otn = (OptTreeNode *)hashNode->data; - for ( policyId = 0; - policyId < otn->proto_node_num; + for ( policyId = 0; + policyId < otn->proto_node_num; policyId++ ) { rtn = getRtnFromOtn(otn, policyId); 
@@ -522,7 +527,7 @@ /* The preprocessor profile list is only accessed for printing stats when * Snort shuts down, so adding new nodes during a reload shouldn't be a * problem. */ -void RegisterPreprocessorProfile(char *keyword, PreprocStats *stats, int layer, PreprocStats *parent) +void RegisterPreprocessorProfile(const char *keyword, PreprocStats *stats, int layer, PreprocStats *parent) { PreprocStatsNode *node; diff -Nru snort-2.9.0.1/src/profiler.h snort-2.9.2/src/profiler.h --- snort-2.9.0.1/src/profiler.h 2010-01-26 10:09:26.000000000 -0800 +++ snort-2.9.2/src/profiler.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Author: Steven Sturges <ssturges@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -25,7 +25,6 @@ #ifdef PERF_PROFILING -#include "sf_types.h" #include "cpuclock.h" /* Sort preferences for rule profiling */ @@ -95,38 +94,38 @@ ppstat.checks++; \ PROFILE_START; \ ppstat.ticks_start = ticks_start; \ - } + } #define PREPROC_PROFILE_REENTER_START(ppstat) \ if (PROFILING_PREPROCS) { \ PROFILE_START; \ ppstat.ticks_start = ticks_start; \ - } + } #define PREPROC_PROFILE_TMPSTART(ppstat) \ if (PROFILING_PREPROCS) { \ PROFILE_START; \ ppstat.ticks_start = ticks_start; \ - } + } #define PREPROC_PROFILE_END(ppstat) \ if (PROFILING_PREPROCS) { \ PROFILE_END; \ ppstat.exits++; \ ppstat.ticks += ticks_end - ppstat.ticks_start; \ - } + } #define PREPROC_PROFILE_REENTER_END(ppstat) \ if (PROFILING_PREPROCS) { \ PROFILE_END; \ ppstat.ticks += ticks_end - ppstat.ticks_start; \ - } + } #define PREPROC_PROFILE_TMPEND(ppstat) \ if (PROFILING_PREPROCS) { \ PROFILE_END; \ ppstat.ticks += ticks_end - ppstat.ticks_start; \ - } + } /************** Profiling API ******************/ void ShowRuleProfiles(void); 
@@ -157,7 +156,7 @@ } ProfileConfig; -void RegisterPreprocessorProfile(char *keyword, PreprocStats *stats, int layer, PreprocStats *parent); +void RegisterPreprocessorProfile(const char *keyword, PreprocStats *stats, int layer, PreprocStats *parent); void ShowPreprocProfiles(void); void ResetRuleProfiling(void); void ResetPreprocProfiling(void); diff -Nru snort-2.9.0.1/src/protocols.h snort-2.9.2/src/protocols.h --- snort-2.9.0.1/src/protocols.h 2010-08-25 13:22:39.000000000 -0700 +++ snort-2.9.2/src/protocols.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,113 +0,0 @@ -/* $Id$ */ -/**************************************************************************** - * - * Copyright (C) 2005-2010 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - * - ****************************************************************************/ - -#ifndef __PROTOCOLS_H__ -#define __PROTOCOLS_H__ - -typedef enum { - PROTO_ETH, // DecodeEthPkt - - PROTO_IP4, // DecodeIP - // DecodeIPOptions - handled with IP4 - PROTO_ICMP4, // DecodeICMP - PROTO_ICMP_IP4, // DecodeICMPEmbeddedIP - cloned ARP/non-IP comment should be - // removed here since ICMP won't contain non-IP. - - PROTO_UDP, // DecodeUDP - PROTO_TCP, // DecodeTCP - // DecodeTCPOptions - handled with TCP - -#ifdef SUP_IP6 - PROTO_IP6, // DecodeIPV6 - // DecodeIPV6Extensions - nothing to do here, calls below - PROTO_IP6_HOP_OPTS, // DecodeIPV6Options - ip6 hop, dst, rte, and frag exts - PROTO_IP6_DST_OPTS, - PROTO_ICMP6, // DecodeICMP6 - PROTO_ICMP_IP6, // DecodeICMPEmbeddedIP6 - same ARP comment thing. 
-#endif - PROTO_VLAN, // DecodeVlan -#ifdef GRE - PROTO_GRE, // DecodeGRE - // DecodeTransBridging - basically same as DecodeEthPkt -#endif - PROTO_PPP, // DecodePppPkt - weird - optionally skips addr and cntl - // bytes; what about flag and protocol? - // calls only DecodePppPktEncapsulated. - PROTO_MPLS, // DecodeMPLS - decoder changes pkth len/caplen! - // DecodeEthOverMPLS - basically same as straight eth - PROTO_ARP, // DecodeARP - should remove setting PROTO_BIT__ARP - // since it is never checked anywhere. - -#if 0 - PROTO_PPP_ENCAP, // DecodePppPktEncapsulated - PROTO_ETH_PPP, // DecodePPPoEPkt - this looks broke; PPPoEHdr still contains - // an EtherHdr but this decoder was "fixed" to skip it - - -#ifndef NO_NON_ETHER_DECODER - PROTO_TR, // DecodeTRPkt - PROTO_FDDI, // DecodeFDDIPkt - PROTO_LSLL, // DecodeLinuxSLLPkt sockaddr_ll for "any" device and - // certain misbehaving link layer encapsulations - PROTO_80211, // DecodeIEEE80211Pkt - PROTO_SLIP, // DecodeSlipPkt - actually, based on header size, this - // must be CSLIP (TCP/IP header compression) but all it - // does is skip over the presumed header w/o expanding - // and then jumps into IP4 decoding only; also, the actual - // esc/end sequences must already have been removed because - // there is no attempt to do that. - PROTO_L2I4, // DecodeI4LRawIPPkt - always skips 2 bytes and then does - // IP4 decoding only - PROTO_L2I4C, // DecodeI4LCiscoIPPkt -always skips 4 bytes and then does - // IP4 decoding only - PROTO_CHDLC, // DecodeChdlcPkt - skips 4 bytes and decodes IP4 only. - PROTO_PFLOG, // DecodePflog - PROTO_OLD_PFLOG, // DecodeOldPflog - PROTO_PPP_SERIAL, // DecodePppSerialPkt - also weird - requires addr, cntl, - // and proto (no flag) but optionally skips only 2 bytes - // (presumably the trailer w/chksum is already stripped) - // Calls either DecodePppPktEncapsulated or DecodeChdlcPkt. - PROTO_ENC, // DecodeEncPkt - skips 12 bytes and decodes IP4 only. 
- // (add family + "spi" + "flags" - don't know what this is) - PROTO_EAP, // DecodeEAP - PROTO_EAPOL, // DecodeEapol - leaf decoder - PROTO_EAPOL_KEY, // DecodeEapolKey - leaf decoder -#endif // NO_NON_ETHER_DECODER -#endif // 0 - - PROTO_MAX -} PROTO_ID; - - // DecodeIPX - just counts; no decoding - // DecodeEthLoopback - same as ipx - // DecodeRawPkt - jumps straight into IP4 decoding - // there is nothing to do - // DecodeNullPkt - same as DecodeRawPkt - -typedef struct { - PROTO_ID proto; - uint16_t length; - uint8_t* start; -} Layer; - -#endif // __PROTOCOLS_H__ - diff -Nru snort-2.9.0.1/src/rate_filter.c snort-2.9.2/src/rate_filter.c --- snort-2.9.0.1/src/rate_filter.c 2010-01-26 10:09:26.000000000 -0800 +++ snort-2.9.2/src/rate_filter.c 2011-06-07 17:33:06.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,19 +19,23 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* @file rate_filter.c * @brief rate filter interface for Snort - * @ingroup rate_filter + * @ingroup rate_filter * @author Dilbagh Chahal */ -/* @ingroup rate_filter +/* @ingroup rate_filter * @{ */ #include <stdio.h> #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "mstring.h" #include "util.h" #include "parser.h" @@ -62,7 +66,7 @@ return rf_config; } - + /* Free threshold context * @param pContext pointer to global threshold context. */ 
@@ -105,14 +109,14 @@ #endif /* Add the object to the table - */ - error = SFRF_ConfigAdd(rf_config, thdx); + error = SFRF_ConfigAdd(rf_config, thdx); // enable internal events as required if ( !error && EventIsInternal(thdx->gid) ) { EnableInternalEvent(rf_config, thdx->sid); - if ( thdx->sid == INTERNAL_EVENT_SESSION_ADD ) + if ( thdx->sid == INTERNAL_EVENT_SESSION_ADD ) EnableInternalEvent(rf_config, INTERNAL_EVENT_SESSION_DEL); } return error; @@ -125,7 +129,7 @@ returns 1 - rate threshold reached 0 - rate threshold not reached */ -int RateFilter_Test( +int RateFilter_Test( OptTreeNode* otn, Packet* p) { @@ -233,7 +237,7 @@ } SnortSnprintfAppend(buf, STD_BUF, " policyId=%-10d", p->policyId ); - + switch ( p->tracking ) { case SFRF_TRACK_BY_SRC : trackBy = "src"; break; case SFRF_TRACK_BY_DST : trackBy = "dst"; break; @@ -243,9 +247,9 @@ SnortSnprintfAppend(buf, STD_BUF, " tracking=%s", trackBy); SnortSnprintfAppend(buf, STD_BUF, " count=%-3d", p->count); SnortSnprintfAppend(buf, STD_BUF, " seconds=%-3d", p->seconds); - + LogMessage("%s\n", buf); - + return 1; } @@ -256,7 +260,7 @@ if (config == NULL) return 0; - + for ( gid=0; gid < SFRF_MAX_GENID; gid++ ) { SFGHASH_NODE* item_hash_node; @@ -266,9 +270,9 @@ { continue; } - + for ( item_hash_node = sfghash_findfirst( sfrf_hash ); - item_hash_node != 0; + item_hash_node != 0; item_hash_node = sfghash_findnext( sfrf_hash ) ) { tSFRFSidNode* sfrf_item; @@ -276,11 +280,11 @@ /* Check for any Permanent sid objects for this gid */ sfrf_item = (tSFRFSidNode*)item_hash_node->data; - - for ( sfrf_node = + + for ( sfrf_node = (tSFRFConfigNode*)sflist_first(sfrf_item->configNodeList); sfrf_node != 0; - sfrf_node = + sfrf_node = (tSFRFConfigNode*)sflist_next(sfrf_item->configNodeList) ) { if ( _logConfigNode( sfrf_node) != 0 ) 
@@ -288,9 +292,9 @@ } } } - + if ( ! lcnt ) LogMessage("| none\n"); - + return 0; } diff -Nru snort-2.9.0.1/src/rate_filter.h snort-2.9.2/src/rate_filter.h --- snort-2.9.0.1/src/rate_filter.h 2010-01-26 10:09:26.000000000 -0800 +++ snort-2.9.2/src/rate_filter.h 2011-02-09 15:22:52.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/rule_option_types.h snort-2.9.2/src/rule_option_types.h --- snort-2.9.0.1/src/rule_option_types.h 2010-06-09 15:04:55.000000000 -0700 +++ snort-2.9.2/src/rule_option_types.h 2011-06-07 17:33:06.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -47,6 +47,7 @@ RULE_OPTION_TYPE_FILE_DATA, RULE_OPTION_TYPE_BASE64_DECODE, RULE_OPTION_TYPE_BASE64_DATA, + RULE_OPTION_TYPE_PKT_DATA, RULE_OPTION_TYPE_CONTENT, RULE_OPTION_TYPE_CONTENT_URI, RULE_OPTION_TYPE_PCRE, diff -Nru snort-2.9.0.1/src/rules.h snort-2.9.2/src/rules.h --- snort-2.9.0.1/src/rules.h 2010-06-09 15:04:55.000000000 -0700 +++ snort-2.9.2/src/rules.h 2011-06-07 17:33:06.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -57,8 +57,8 @@ #define R_PSH 0x08 #define R_ACK 0x10 #define R_URG 0x20 -#define R_RES2 0x40 -#define R_RES1 0x80 +#define R_ECE 0x40 /* ECN echo, RFC 3168 */ +#define R_CWR 0x80 /* Congestion Window Reduced, RFC 3168 */ #define MODE_EXIT_ON_MATCH 0 #define MODE_FULL_SEARCH 1 diff -Nru snort-2.9.0.1/src/sfdaq.c snort-2.9.2/src/sfdaq.c --- snort-2.9.0.1/src/sfdaq.c 2010-08-25 13:22:39.000000000 -0700 +++ snort-2.9.2/src/sfdaq.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -20,12 +20,20 @@ * ****************************************************************************/ +// @file sfdaq.c +// @author Russ Combs <rcombs@sourcefire.com> + #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfdaq.h" #include "snort.h" #include "util.h" #include "sfutil/strvec.h" +#include "sfcontrol_funcs.h" #define PKT_SNAPLEN 1514 @@ -43,13 +51,14 @@ #endif #endif -static char interface_spec[STD_BUF]; +static char* interface_spec = NULL; static const DAQ_Module_t* daq_mod = NULL; static void* daq_hand = NULL; static DAQ_Mode daq_mode = DAQ_MODE_PASSIVE; static uint32_t snap = PKT_SNAPLEN; static int daq_dlt = -1; static int loaded = 0; +static int s_error = DAQ_SUCCESS; static DAQ_Stats_t daq_stats, tot_stats; static void DAQ_Accumulate(void); @@ -165,7 +174,7 @@ return 1; if ( !(caps & DAQ_CAPA_BLOCK) ) - LogMessage("Warning: inline mode configured but DAQ can't " + LogMessage("WARNING: inline mode configured but DAQ can't " "block packets.\n"); #if 0 
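Review bot: The new file-static `s_error` in the -43 hunk has no comment, and its contract (set by DAQ_BreakLoop, reported and cleared by the next DAQ_Acquire) is only discoverable by reading two later hunks. A one-line comment would help: `static int s_error = DAQ_SUCCESS; // set by DAQ_BreakLoop(), returned and reset by the next DAQ_Acquire()`. Likewise `interface_spec` changes from a fixed buffer to a heap pointer here, so an ownership note such as `// SnortStrdup'd when the DAQ is created; freed when it is deleted` would document who frees it.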
@@ -173,14 +182,14 @@ // and warned/disabled only if it was configured if ( !(caps & DAQ_CAPA_REPLACE) ) { - LogMessage("Warning: normalizations/replacements disabled " + LogMessage("WARNING: normalizations/replacements disabled " " because DAQ can't replace packets.\n"); - } + } // this is checked in spp_stream5.c and active.c // and warned/disabled only if it was configured if ( !(caps & DAQ_CAPA_INJECT) ) - LogMessage("Warning: inline mode configured but DAQ can't " + LogMessage("WARNING: inline mode configured but DAQ can't " "inject packets.\n"); #endif @@ -189,6 +198,30 @@ //-------------------------------------------------------------------- +#if HAVE_DAQ_HUP_APPLY +static int DAQ_PreControl(uint16_t type, const uint8_t *data, uint32_t length, void **new_config) +{ + if (daq_mod && daq_hand) + return daq_hup_prep(daq_mod, daq_hand, new_config); + return -1; +} + +static int DAQ_Control(uint16_t type, void *new_config, void **old_config) +{ + if (daq_mod && daq_hand) + return daq_hup_apply(daq_mod, daq_hand, new_config, old_config); + return -1; +} + +static void DAQ_PostControl(uint16_t type, void *old_config) +{ + if (daq_mod && daq_hand) + daq_hup_post(daq_mod, daq_hand, old_config); +} +#endif + +//-------------------------------------------------------------------- + void DAQ_Init (const SnortConfig* sc) { const char* type = DAQ_DEFAULT; @@ -214,13 +247,26 @@ LogMessage("%s DAQ configured to %s.\n", type, daq_mode_string(daq_mode)); + +#if HAVE_DAQ_HUP_APPLY + if (ControlSocketRegisterHandler(CS_TYPE_HUP_DAQ, &DAQ_PreControl, &DAQ_Control, &DAQ_PostControl)) + { + LogMessage("Failed to register the DAQ control handler.\n"); + } +#else + LogMessage("The DAQ version does not support reload.\n"); +#endif } void DAQ_Term () { +#ifndef WIN32 +# ifndef DISABLE_DLCLOSE_FOR_VALGRIND_TESTING if ( loaded ) DAQ_Unload(); daq_mod = NULL; +# endif +#endif } void DAQ_Abort () 
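Review bot: DAQ_PreControl in the -189 hunk never looks at `data` or `length`, so whatever payload arrives on a CS_TYPE_HUP_DAQ message is neither validated nor used; if the HUP is meant to carry no payload, a comment stating that would stop a future reader from assuming the message body is consumed, e.g. `/* the HUP message carries no payload; the DAQ re-reads its own config */`. All three handlers also return -1 (or silently do nothing) when `daq_mod`/`daq_hand` are unset, which the control-socket caller cannot distinguish from a daq_hup_prep/daq_hup_apply failure; a LogMessage in that branch would make the "no DAQ loaded" case diagnosable.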
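Review bot: In the -214 hunk the failed ControlSocketRegisterHandler is reported as `"Failed to register the DAQ control handler.\n"` while the -165 and -173 hunks of this same file just standardised non-fatal diagnostics on a `WARNING:` prefix; for consistency use `LogMessage("WARNING: failed to register the DAQ control handler.\n");`. The `#else` branch logs "does not support reload" on every DAQ_Init, which is expected, but a `WARNING:` prefix there would likewise match the file's convention.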
@@ -236,7 +282,7 @@ const char* DAQ_GetInterfaceSpec (void) { - return interface_spec; + return interface_spec ? interface_spec : ""; } const char* DAQ_GetType(void) @@ -356,13 +402,12 @@ if ( !daq_mod ) FatalError("DAQ_Init not called!\n"); - if ( !intf ) - intf = ""; - - SnortStrncpy(interface_spec, intf, sizeof(interface_spec)); + if ( intf ) + interface_spec = SnortStrdup(intf); + intf = DAQ_GetInterfaceSpec(); memset(&cfg, 0, sizeof(cfg)); - cfg.name = interface_spec; + cfg.name = (char*)intf; cfg.snaplen = snap; cfg.timeout = PKT_TIMEOUT; cfg.mode = daq_mode; @@ -379,12 +424,12 @@ DAQ_Config(&cfg); - if ( !DAQ_ValidateInstance(sc) ) + if ( !DAQ_ValidateInstance() ) FatalError("DAQ configuration incompatible with intended operation.\n"); if ( DAQ_UnprivilegedStart() ) daq_dlt = daq_get_datalink_type(daq_mod, daq_hand); - + if ( intf && *intf ) { LogMessage("Acquiring network traffic from \"%s\".\n", @@ -404,6 +449,11 @@ daq_shutdown(daq_mod, daq_hand); daq_hand = NULL; } + if ( interface_spec ) + { + free(interface_spec); + interface_spec = NULL; + } return 0; } @@ -440,7 +490,7 @@ int err = daq_stop(daq_mod, daq_hand); if ( err ) - FatalError("Can't stop DAQ (%d) - %s!\n", + LogMessage("Can't stop DAQ (%d) - %s!\n", err, daq_get_error(daq_mod, daq_hand)); return err; 
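Review bot: In the -356 hunk `interface_spec = SnortStrdup(intf)` overwrites any earlier allocation, and the only `free(interface_spec)` is the one added in the -404 hunk on the shutdown path, so if this function is entered a second time without passing through that path (a reload, if Snort does that here — not visible in this diff) the previous string leaks. Releasing the old value first avoids that: `free(interface_spec); interface_spec = NULL; if ( intf ) interface_spec = SnortStrdup(intf);`. The enclosing function begins outside the hunk, and `cfg.name = (char*)intf;` discards the const of the pointer it just obtained from DAQ_GetInterfaceSpec, which is fine only if the DAQ never writes through `name`.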
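Review bot: The -440 hunk downgrades a failed daq_stop from FatalError to LogMessage, so the function now returns with the DAQ possibly still running and every caller must act on the returned `err` where previously it could rely on the process aborting. That is a behaviour change worth a comment on the return, e.g. `return err;  /* non-zero: DAQ may still be running; caller must not assume it is stopped */`. The enclosing function starts outside the hunk.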
@@ -448,14 +498,31 @@ //-------------------------------------------------------------------- +#ifdef HAVE_DAQ_ACQUIRE_WITH_META +static DAQ_Meta_Func_t daq_meta_callback = NULL; +void DAQ_Set_MetaCallback(DAQ_Meta_Func_t meta_callback) +{ + daq_meta_callback = meta_callback; +} +#endif + int DAQ_Acquire (int max, DAQ_Analysis_Func_t callback, uint8_t* user) { +#if HAVE_DAQ_ACQUIRE_WITH_META + int err = daq_acquire_with_meta(daq_mod, daq_hand, max, callback, daq_meta_callback, user); +#else int err = daq_acquire(daq_mod, daq_hand, max, callback, user); +#endif if ( err && err != DAQ_READFILE_EOF ) LogMessage("Can't acquire (%d) - %s!\n", err, daq_get_error(daq_mod, daq_hand)); + if ( s_error != DAQ_SUCCESS ) + { + err = s_error; + s_error = DAQ_SUCCESS; + } return err; } @@ -470,8 +537,9 @@ return err; } -int DAQ_BreakLoop (void) +int DAQ_BreakLoop (int error) { + s_error = error; return ( daq_breakloop(daq_mod, daq_hand) == DAQ_SUCCESS ); } @@ -511,9 +579,25 @@ if ( !daq_stats.hw_packets_received ) // some DAQs don't provide hw numbers - // so we default hw rx to the pkt rx - daq_stats.hw_packets_received = daq_stats.packets_received; + // so we default hw rx to the sw equivalent + // (this means outstanding packets = 0) + daq_stats.hw_packets_received = + daq_stats.packets_received + daq_stats.packets_filtered; return &daq_stats; } +//-------------------------------------------------------------------- + +int DAQ_ModifyFlow(const void* h, uint32_t id) +{ +#ifdef HAVE_DAQ_ACQUIRE_WITH_META + const DAQ_PktHdr_t *hdr = (DAQ_PktHdr_t*) h; + DAQ_ModFlow_t mod; + + mod.opaque = id; + return daq_modify_flow(daq_mod, daq_hand, hdr, &mod); +#else + return -1; +#endif +} diff -Nru snort-2.9.0.1/src/sfdaq.h snort-2.9.2/src/sfdaq.h --- snort-2.9.0.1/src/sfdaq.h 2010-08-25 13:22:39.000000000 -0700 +++ snort-2.9.2/src/sfdaq.h 2011-10-26 11:28:52.000000000 -0700 
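Review bot: The -448 hunk guards DAQ_Set_MetaCallback with `#ifdef HAVE_DAQ_ACQUIRE_WITH_META` but the call inside DAQ_Acquire with `#if HAVE_DAQ_ACQUIRE_WITH_META` (and DAQ_ModifyFlow in the -511 hunk uses `#ifdef` again); if config.h defines the macro with no value the `#if` form is a preprocessor error, and if it defines it as 0 the setter exists while the meta path is compiled out. Use `#ifdef HAVE_DAQ_ACQUIRE_WITH_META` in all three places, matching the header. Separately, `s_error` is written by DAQ_BreakLoop and read/cleared by DAQ_Acquire; if DAQ_BreakLoop can run from a signal handler (not visible here) a plain `static int` carries no guarantee, and `static volatile sig_atomic_t s_error` would be the safer declaration.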
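Review bot: In DAQ_ModifyFlow (the -511 hunk) `DAQ_ModFlow_t mod;` is declared and only `mod.opaque` is assigned before the struct is handed to daq_modify_flow, so any other member of that type is passed uninitialised; `DAQ_ModFlow_t mod = { .opaque = id };` zeroes the rest whether or not the DAQ library adds fields later. The cast `(DAQ_PktHdr_t*) h` strips const only to store the result in a `const DAQ_PktHdr_t *`; `const DAQ_PktHdr_t *hdr = (const DAQ_PktHdr_t*) h;` says what is meant. A short comment on why the function returns -1 without the meta-capable DAQ would also help callers interpret that value.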
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -19,6 +19,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + +// @file sfdaq.h +// @author Russ Combs <rcombs@sourcefire.com> + #ifndef __DAQ_H__ #define __DAQ_H__ @@ -62,7 +66,12 @@ // (but only where performance justifies exposing implementation!) int DAQ_Acquire(int max, DAQ_Analysis_Func_t, uint8_t* user); int DAQ_Inject(const DAQ_PktHdr_t*, int rev, const uint8_t* buf, uint32_t len); -int DAQ_BreakLoop(void); +int DAQ_BreakLoop(int error); +#ifdef HAVE_DAQ_ACQUIRE_WITH_META +void DAQ_Set_MetaCallback(DAQ_Meta_Func_t meta_callback); +#endif + +int DAQ_ModifyFlow(const void* h, uint32_t id); // returns total stats if no daq else current stats // returns statically allocated stats - don't free diff -Nru snort-2.9.0.1/src/sf_protocols.h snort-2.9.2/src/sf_protocols.h --- snort-2.9.0.1/src/sf_protocols.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sf_protocols.h 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,107 @@ +/* $Id$ */ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ + +#ifndef __SF_PROTOCOLS_H__ +#define __SF_PROTOCOLS_H__ + +typedef enum { + PROTO_ETH, // DecodeEthPkt + + PROTO_IP4, // DecodeIP + // DecodeIPOptions - handled with IP4 + PROTO_ICMP4, // DecodeICMP + PROTO_ICMP_IP4, // DecodeICMPEmbeddedIP + + PROTO_UDP, // DecodeUDP + PROTO_TCP, // DecodeTCP + // DecodeTCPOptions - handled with TCP + +#ifdef SUP_IP6 + PROTO_IP6, // DecodeIPV6 + // DecodeIPV6Extensions - nothing to do here, calls below + PROTO_IP6_HOP_OPTS, // DecodeIPV6Options - ip6 hop, dst, rte, and frag exts + PROTO_IP6_DST_OPTS, + PROTO_ICMP6, // DecodeICMP6 + PROTO_ICMP_IP6, // DecodeICMPEmbeddedIP6 +#endif + PROTO_VLAN, // DecodeVlan +#ifdef GRE + PROTO_GRE, // DecodeGRE + // DecodeTransBridging - basically same as DecodeEthPkt +#endif + PROTO_PPPOE, // DecodePPPoEPkt + PROTO_PPP_ENCAP, // DecodePppPktEncapsulated + PROTO_MPLS, // DecodeMPLS - decoder changes pkth len/caplen! 
+ // DecodeEthOverMPLS - basically same as straight eth + PROTO_ARP, // DecodeARP + PROTO_GTP, // DecodeGTP + +#ifndef NO_NON_ETHER_DECODER + PROTO_TR, // DecodeTRPkt + PROTO_FDDI, // DecodeFDDIPkt + PROTO_LSLL, // DecodeLinuxSLLPkt sockaddr_ll for "any" device and + // certain misbehaving link layer encapsulations + PROTO_80211, // DecodeIEEE80211Pkt + PROTO_SLIP, // DecodeSlipPkt - actually, based on header size, this + // must be CSLIP (TCP/IP header compression) but all it + // does is skip over the presumed header w/o expanding + // and then jumps into IP4 decoding only; also, the actual + // esc/end sequences must already have been removed because + // there is no attempt to do that. + PROTO_L2I4, // DecodeI4LRawIPPkt - always skips 2 bytes and then does + // IP4 decoding only + PROTO_L2I4C, // DecodeI4LCiscoIPPkt -always skips 4 bytes and then does + // IP4 decoding only + PROTO_CHDLC, // DecodeChdlcPkt - skips 4 bytes and decodes IP4 only. + PROTO_PFLOG, // DecodePflog + PROTO_OLD_PFLOG, // DecodeOldPflog + PROTO_PPP, // DecodePppPkt - weird - optionally skips addr and cntl + // bytes; what about flag and protocol? + // calls only DecodePppPktEncapsulated. + PROTO_PPP_SERIAL, // DecodePppSerialPkt - also weird - requires addr, cntl, + // and proto (no flag) but optionally skips only 2 bytes + // (presumably the trailer w/chksum is already stripped) + // Calls either DecodePppPktEncapsulated or DecodeChdlcPkt. + PROTO_ENC, // DecodeEncPkt - skips 12 bytes and decodes IP4 only. 
+ // (add family + "spi" + "flags" - don't know what this is) + PROTO_EAP, // DecodeEAP + PROTO_EAPOL, // DecodeEapol - leaf decoder + PROTO_EAPOL_KEY, // DecodeEapolKey - leaf decoder +#endif // NO_NON_ETHER_DECODER + + PROTO_MAX +} PROTO_ID; + + // DecodeIPX - just counts; no decoding + // DecodeEthLoopback - same as ipx + // DecodeRawPkt - jumps straight into IP4 decoding + // there is nothing to do + // DecodeNullPkt - same as DecodeRawPkt + +typedef struct { + PROTO_ID proto; + uint16_t length; + uint8_t* start; +} Layer; + +#endif // __PROTOCOLS_H__ + diff -Nru snort-2.9.0.1/src/sf_sdlist.c snort-2.9.2/src/sf_sdlist.c --- snort-2.9.0.1/src/sf_sdlist.c 2010-01-26 10:09:27.000000000 -0800 +++ snort-2.9.2/src/sf_sdlist.c 2011-06-07 17:33:07.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,6 +20,10 @@ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_sdlist.h" #include <stdio.h> #include <stdlib.h> @@ -27,13 +31,13 @@ #include "util.h" /* Function: int sf_sdlist_init(sfSDlist *list, void (*destroy)(void *data)) - * + * * Purpose: initialize an dlist * Args: list - pointer to a dlist structure * destroy - free function ( use NULL for none ) * Returns: * 1 on failure , 0 on success - */ + */ int sf_sdlist_init(sfSDList *list, void (*destroy)(void *data)) { 
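Review bot: The closing guard comment in the new sf_protocols.h reads `#endif // __PROTOCOLS_H__` while the guard opened at the top of the file is `__SF_PROTOCOLS_H__`, a leftover from the protocols.h this file replaces; change it to `#endif // __SF_PROTOCOLS_H__`. The header uses `uint16_t` and `uint8_t` in `Layer` but includes nothing itself, so it only compiles when every includer has already pulled in the integer types, which is worth either an explicit include or a comment stating the dependency. Identifiers beginning with a double underscore are also reserved for the implementation, so a guard such as `SF_PROTOCOLS_H` would be the conventional choice for a freshly added file.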
@@ -46,40 +50,40 @@ } -/* Function: int sf_sdlist_delete(sfSDList *list) - * +/* Function: int sf_sdlist_delete(sfSDList *list) + * * Purpose: delete every item of a list * Args: list -> pointer to a dlist structure - * + * * Returns: 1 on failure , 0 on success - */ + */ int sf_sdlist_delete(sfSDList *list) { while(list->head != NULL) { sf_sdlist_remove_next(list, NULL); } - + return 0; } /* * Function: int sf_sdlist_insert_next(sfSDList *list, SDListItem *item, - * void *data, SDListItem *container) + * void *data, SDListItem *container) * * Purpose: insert data in container in the list after the item * Args: list - dlist structure * item - current position in list structure * data - current data to insert - * container - place to put the data + * container - place to put the data * * Returns: 0 on sucess, 1 on failure - */ + */ int sf_sdlist_insert_next(sfSDList *list, SDListItem *item, void *data, - SDListItem *container) + SDListItem *container) { SDListItem *new = container; - + if(!new) return -1; new->data = data; @@ -92,7 +96,7 @@ { list->tail = new; } - + new->next = list->head; list->head = new; } @@ -105,7 +109,7 @@ } new->next = item->next; - item->next = new; + item->next = new; } new->prev = item; @@ -113,12 +117,12 @@ return 0; } -int sf_sdlist_append(sfSDList *list, void *data, SDListItem *container) +int sf_sdlist_append(sfSDList *list, void *data, SDListItem *container) { return sf_sdlist_insert_next(list, list->tail, data, container); } -int sf_sdlist_remove_next(sfSDList *list, SDListItem *item) +int sf_sdlist_remove_next(sfSDList *list, SDListItem *item) { SDListItem *li = NULL; void *data; @@ -137,7 +141,7 @@ } else { - data = item->data; + data = item->data; if(item->next == NULL) { return -1; @@ -155,9 +159,9 @@ if(list->destroy != NULL) list->destroy(data); - + list->size--; - + if(list->size == 0) { list->tail = NULL; } 
@@ -174,8 +178,8 @@ * item - item to unlink from the list * * Returns: 0 on success , 1 on exception - * - */ + * + */ int sf_sdlist_remove(sfSDList *list, SDListItem *item) { SDListItem *next_item; @@ -198,7 +202,7 @@ if(prev_item != NULL) { - prev_item->next = next_item; + prev_item->next = next_item; } else { /* HEAD */ list->head = next_item; @@ -210,7 +214,7 @@ list->size--; - + if(list->size == 0) { list->head = NULL; @@ -241,19 +245,19 @@ SDListItem *li; SDListItem listpool[1000]; - + sf_sdlist_init(&a, &bad); if(sf_sdlist_append(&a, (char *) SnortStrdup("hello"), &listpool[0])) { printf("error appending!\n"); } - + sf_sdlist_append(&a, (char *)SnortStrdup("goodbye"), &listpool[1]); sf_sdlist_insert_next(&a, NULL, (char *)SnortStrdup("woo"), &listpool[2]); printf("list size %d\n", a.size); - + for(li = a.head; li != NULL; li = li->next) { printf("%s\n", (char *) li->data); diff -Nru snort-2.9.0.1/src/sf_sdlist.h snort-2.9.2/src/sf_sdlist.h --- snort-2.9.0.1/src/sf_sdlist.h 2010-01-26 10:09:27.000000000 -0800 +++ snort-2.9.2/src/sf_sdlist.h 2011-06-07 17:33:07.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This is hi 
@@ -25,30 +25,16 @@ #ifndef _SF_SDLIST #define _SF_SDLIST +#include "sf_sdlist_types.h" + /* based off Linked List structure p. 57 _Mastering algorithms in C_ * * Differs from sf_list by using static listitem blocks. * * Use mempool as the interface to this code instead of trying to use it directly - * + * */ -typedef struct _SDListItem { - void *data; - struct _SDListItem *next; - struct _SDListItem *prev; -} SDListItem; - - -typedef struct sfSDList { - int size; - SDListItem *head; - SDListItem *tail; - void (*destroy)(void *data); /* delete function called for each - member of the linked list */ -} sfSDList; - - /* initialize a DList */ int sf_sdlist_init(sfSDList *list, void (*destroy)(void *data)); diff -Nru snort-2.9.0.1/src/sf_sdlist_types.h snort-2.9.2/src/sf_sdlist_types.h --- snort-2.9.0.1/src/sf_sdlist_types.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sf_sdlist_types.h 2011-06-08 07:37:17.000000000 -0700 
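Review bot: The explanatory comment block starting `/* based off Linked List structure p. 57 _Mastering algorithms in C_` is kept here in sf_sdlist.h and also copied verbatim into the new sf_sdlist_types.h, so the two will drift apart the first time one is edited. Since the struct definitions now live in sf_sdlist_types.h, the "Differs from sf_list by using static listitem blocks" and "Use mempool as the interface" notes belong with the types, and this header can carry a one-line pointer instead, e.g. `/* list types are in sf_sdlist_types.h; see the notes there */`.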
@@ -0,0 +1,51 @@
+/* $Id$ */
+/*
+** Copyright (C) 2002-2011 Sourcefire, Inc.
+** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com>
+**
+** This is hi
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+
+#ifndef _SF_SDLIST_TYPES
+#define _SF_SDLIST_TYPES
+
+/* based off Linked List structure p. 57 _Mastering algorithms in C_
+ *
+ * Differs from sf_list by using static listitem blocks.
+ *
+ * Use mempool as the interface to this code instead of trying to use it directly
+ *
+ */
+
+typedef struct _SDListItem {
+ void *data;
+ struct _SDListItem *next;
+ struct _SDListItem *prev;
+} SDListItem;
+
+
+typedef struct sfSDList {
+ int size;
+ SDListItem *head;
+ SDListItem *tail;
+ void (*destroy)(void *data); /* delete function called for each
+ member of the linked list */
+} sfSDList;
+
+#endif /* _SF_SDLIST_TYPES */
diff -Nru snort-2.9.0.1/src/sfthreshold.c snort-2.9.2/src/sfthreshold.c
--- snort-2.9.0.1/src/sfthreshold.c 2010-06-09 15:04:55.000000000 -0700
+++ snort-2.9.2/src/sfthreshold.c 2011-10-26 11:28:52.000000000 -0700
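Review bot: The new include guard `_SF_SDLIST_TYPES` is an identifier beginning with an underscore and an uppercase letter, which the C standard reserves for the implementation (C99/C11 7.1.3); since no caller spells the guard, it can be `SF_SDLIST_TYPES_H` at no cost, whereas the struct tag `_SDListItem` is carried over from sf_sdlist.h and renaming it would touch existing code. The guard does follow the sibling header's `_SF_SDLIST` convention, so if the project deliberately accepts that convention this is a style nit only. The line `** This is hi` in the license block looks like a truncated sentence copied from sf_sdlist.h rather than intended text; confirm against the source header before it spreads further. A short comment on `int size;` saying it counts the items currently linked (and is decremented by the remove functions in sf_sdlist.c) would help readers who see only this header.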
@@ -1,6 +1,6 @@ /* $Id$ */ /* - ** Copyright (C) 2003-2010 Sourcefire, Inc. + ** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -20,17 +20,17 @@ /* sfthreshold.c - This file contains functions that glue the generic thresholding2 code to + This file contains functions that glue the generic thresholding2 code to snort. - dependent files: sfthd sfxghash sfghash sflsq + dependent files: sfthd sfxghash sfghash sflsq util mstring Marc Norton 2003-05-29: cmg: Added s_checked variable -- - when this is 1, the sfthreshold_test will always return the same + when this is 1, the sfthreshold_test will always return the same answer until sfthreshold_reset is called @@ -41,6 +41,10 @@ #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "mstring.h" #include "util.h" #include "parser.h" @@ -106,20 +110,20 @@ if(p->type == THD_TYPE_SUPPRESS ) return 0; if(p->sig_id != 0 ) return 0; break; - + case PRINT_LOCAL: if(p->type == THD_TYPE_SUPPRESS ) return 0; if(p->sig_id == 0 || p->gen_id == 0 ) return 0; break; - + case PRINT_SUPPRESS: if(p->type != THD_TYPE_SUPPRESS ) return 0; break; } - + /* SnortSnprintfAppend(buf, STD_BUF, "| thd-id=%d", p->thd_id ); */ - + if ( *prnMode && !p->filtered ) return 1; @@ -139,17 +143,17 @@ { SnortSnprintfAppend(buf, STD_BUF, " sig-id=%-10d", p->sig_id ); } - + switch ( p->type ) { case THD_TYPE_LIMIT: SnortSnprintfAppend(buf, STD_BUF, " type=Limit "); break; - + case THD_TYPE_THRESHOLD: SnortSnprintfAppend(buf, STD_BUF, " type=Threshold"); break; - + case THD_TYPE_BOTH: SnortSnprintfAppend(buf, STD_BUF, " type=Both "); break; @@ -159,7 +163,7 @@ SnortSnprintfAppend(buf, STD_BUF, " type=Suppress "); break; } - + switch ( p->tracking ) { case THD_TRK_NONE: 
@@ -188,7 +192,7 @@ SnortSnprintfAppend(buf, STD_BUF, " count=%-3d", p->count); SnortSnprintfAppend(buf, STD_BUF, " seconds=%-3d", p->seconds); } - + if ( *prnMode ) { if ( *prnMode == 1 ) @@ -199,15 +203,15 @@ SnortSnprintfAppend(buf, STD_BUF, " filtered=" STDu64, p->filtered); } LogMessage("%s\n", buf); - + return 1; } /* - * + * */ static int print_thd_local(ThresholdObjects *thd_objs, PrintFormat type, unsigned* prnMode) { - SFGHASH * sfthd_hash; + SFGHASH * sfthd_hash; THD_ITEM * sfthd_item; THD_NODE * sfthd_node; int gen_id; @@ -226,7 +230,7 @@ } for(item_hash_node = sfghash_findfirst( sfthd_hash ); - item_hash_node != 0; + item_hash_node != 0; item_hash_node = sfghash_findnext( sfthd_hash ) ) { /* Check for any Permanent sig_id objects for this gen_id */ @@ -263,6 +267,9 @@ int i; THD_NODE * thd; + if (thd_config == NULL) + return; + if ( !shutdown ) { LogMessage("\n"); @@ -295,7 +302,7 @@ gcnt++; } - if( !gcnt ) + if( !gcnt ) { if ( !shutdown ) LogMessage("| none\n"); @@ -414,10 +421,10 @@ called gen_id: - sig_id: + sig_id: sip: host ordered sip dip: host ordered dip - curtime: + curtime: 2003-05-29 cmg: @@ -445,11 +452,11 @@ thd_answer = sfthd_test_threshold(snort_conf->threshold_config->thd_objs, thd_runtime, gen_id, sig_id, sip, dip, curtime); } - + return thd_answer; } -/** +/** * Reset the thresholding system so that subsequent calls to * sfthreshold_test will indeed try to alter the thresholding system * diff -Nru snort-2.9.0.1/src/sfthreshold.h snort-2.9.2/src/sfthreshold.h --- snort-2.9.0.1/src/sfthreshold.h 2010-06-09 15:04:55.000000000 -0700 +++ snort-2.9.2/src/sfthreshold.h 2011-02-09 15:22:53.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sf_types.h snort-2.9.2/src/sf_types.h --- snort-2.9.0.1/src/sf_types.h 2010-01-26 10:09:28.000000000 -0800 +++ snort-2.9.2/src/sf_types.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -135,6 +135,7 @@ # endif /* SIZEOF_UNSIGNED_LONG_INT == 8 */ # define PRIu64 _SF_PREFIX "u" # define PRIi64 _SF_PREFIX "i" +# define PRIx64 _SF_PREFIX "x" #endif /* PRIu64 */ /* use these macros (and those in <inttypes.h>) @@ -148,6 +149,10 @@ #define CSVi64 STDi64 "," #define FMTi64(fmt) "%" fmt PRIi64 +#define STDx64 "%" PRIx64 +#define CSVx64 STDx64 "," +#define FMTx64(fmt) "%" fmt PRIx64 + #ifndef UINT8_MAX # define UINT8_MAX 0xff #endif 
@@ -175,8 +180,36 @@ # define PATH_MAX 4096 #endif -#define MAXPORTS 65536 -#define MAXPORTS_STORAGE 8192 +/* utilities */ +#ifndef boolean +#ifndef HAVE_BOOLEAN +typedef unsigned char boolean; +#endif +#endif + +#ifndef TRUE +# define TRUE 1 +#endif + +#ifndef FALSE +# define FALSE 0 +#endif + +#ifdef HAVE_STDBOOL_H +# include <stdbool.h> +#else +# ifndef HAVE__BOOL +# ifdef __cplusplus +typedef bool _Bool; +# else +# define _Bool signed char +# endif +# endif +# define bool _Bool +# define false 0 +# define true 1 +# define __bool_true_false_are_defined 1 +#endif #endif /* __SF_TYPES_H__ */ diff -Nru snort-2.9.0.1/src/sfutil/acsmx2.c snort-2.9.2/src/sfutil/acsmx2.c --- snort-2.9.0.1/src/sfutil/acsmx2.c 2010-06-09 15:05:28.000000000 -0700 +++ snort-2.9.2/src/sfutil/acsmx2.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,9 +1,9 @@ /* ** $Id$ -** +** ** Copyright(C) 2002,2003,2004 Marc Norton -** Copyright(C) 2003,2004 Daniel Roelker -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright(C) 2003,2004 Daniel Roelker +** Copyright (C) 2002-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -26,12 +26,12 @@ ** ** Aho-Corasick State Machine - version 2.0 ** -** Supports both Non-Deterministic and Deterministic Finite Automata +** Supports both Non-Deterministic and Deterministic Finite Automata ** ** ** Reference - Efficient String matching: An Aid to Bibliographic Search ** Alfred V Aho and Margaret J Corasick -** Bell Labratories +** Bell Labratories ** Copyright(C) 1975 Association for Computing Machinery,Inc ** ** +++ 
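Review bot: The `#ifndef boolean` guard around `typedef unsigned char boolean;` only detects a macro named boolean, not an existing typedef, so the inner `HAVE_BOOLEAN` test is the one doing the real work; if a system or library header that typedefs boolean is included ahead of sf_types.h without configure having detected it, this becomes a duplicate typedef. The stdbool fallback below it is the AC_HEADER_STDBOOL idiom from the Autoconf manual and silently depends on HAVE_STDBOOL_H / HAVE__BOOL being defined before this header is read, i.e. config.h included first, so a one-line comment would protect it against a future include reorder: `/* AC_HEADER_STDBOOL fallback: requires config.h (HAVE_STDBOOL_H, HAVE__BOOL) before this header */`. Note that `# define _Bool signed char` macro-replaces a C99 keyword, which is only legitimate on the pre-C99 compilers that branch targets. MAXPORTS and MAXPORTS_STORAGE are dropped here; whether they were moved elsewhere is not visible in this hunk.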
@@ -40,14 +40,14 @@ ** ** Original implementation based on the 4 algorithms in the paper by ** Aho & Corasick, some implementation ideas from 'Practical Algorithms -** in C', and some of my own. +** in C', and some of my own. ** ** 1) Finds all occurrences of all patterns within a text. ** ** +++ ** +++ Version 2.0 Notes - Marc Norton/Dan Roelker: ** +++ -** +** ** New implementation modifies the state table storage and access model to ** use compacted sparse vector storage. Dan Roelker and I hammered this ** strategy out amongst many others in order to reduce memory usage and @@ -57,7 +57,7 @@ ** Unfortunately, once a pattern match test has been performed Snort moves ** on to doing many other things before we get back to a patteren match test, ** so the cache is voided. -** +** ** This versions has better caching performance characteristics, reduced ** memory, more state table storage options, and requires no a priori case ** conversions. It does maintain the same public interface. (Snort only @@ -67,7 +67,7 @@ ** 2) Initial transition table uses Linked Lists ** 3) Improved state table memory options. NFA and DFA state transition ** tables are converted to one of 4 formats during compilation. -** a) Full matrix +** a) Full matrix ** b) Sparse matrix ** c) Banded matrix (Default-this is the only one used in snort) ** d) Sparse-Banded matrix @@ -82,7 +82,7 @@ ** 6) The search functions are very sensitive, don't change them without ** extensive testing, or you'll just spoil the caching and prefetching ** opportunities. -** +** ** Extras for fellow pattern matchers: ** The table below explains the storage format used at each step. ** You can use an NFA or DFA to match with, the NFA is slower but tiny - 
@@ -101,15 +101,15 @@ ** Keyword State Table -> NFA (List) ** NFA -> DFA (List) ** DFA (List)-> Sparse Rows O(m-avg # transitions per state) -** -> Banded Rows O(1) +** -> Banded Rows O(1) ** -> Sparse-Banded Rows O(nb-# bands) ** -> Full Matrix O(1) ** ** Notes: -** +** ** 8/28/06 ** man - Sparse and SparseBands - fixed off by one in calculating matching index -** SparseBands changed ps increment to 2+n to increment between bands. +** SparseBands changed ps increment to 2+n to increment between bands. ** ** 01/2008 ** man - added 2 phase pattern matcher using a pattern match queue. @@ -120,16 +120,22 @@ ** duplicate rule processing. The queue is limited in size and ** is flushed if it becomes full during the scan. This allows ** simple insertions. Tracking queue ops is optional, as this can -** impose a modest performance hit of a few percent. +** impose a modest performance hit of a few percent. ** -*/ +*/ + - #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" + #define ACSMX2_TRACK_Q #ifdef ACSMX2_TRACK_Q @@ -138,7 +144,7 @@ #include "acsmx2.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #define printf LogMessage @@ -193,15 +199,15 @@ } /* -** Case Translation Table -*/ +** Case Translation Table +*/ static unsigned char xlatcase[256]; /* * -*/ +*/ static void -init_xlatcase() +init_xlatcase() { int i; for (i = 0; i < 256; i++) @@ -211,11 +217,11 @@ } /* * Case Conversion -*/ -static -INLINE +*/ +static +inline void -ConvertCaseEx (unsigned char *d, unsigned char *s, int m) +ConvertCaseEx (unsigned char *d, unsigned char *s, int m) { int i; #ifdef XXXX @@ -249,7 +255,7 @@ /* * -*/ +*/ void acsmSetVerbose2(void) { s_verbose = 1; @@ -267,12 +273,12 @@ /* * -*/ +*/ static void * AC_MALLOC( int n, Acsm2MemoryType type - ) + ) { void *p = calloc(1, n); 
@@ -339,13 +345,13 @@ /* * -*/ +*/ static void AC_FREE( void *p, int n, Acsm2MemoryType type - ) + ) { if (p != NULL) { @@ -405,7 +411,7 @@ /* * Simple QUEUE NODE - */ + */ typedef struct _qnode { int state; @@ -415,7 +421,7 @@ /* * Simple QUEUE Structure -*/ +*/ typedef struct _queue { QNODE * head, *tail; @@ -425,9 +431,9 @@ /* * Initialize the queue -*/ +*/ static void -queue_init (QUEUE * s) +queue_init (QUEUE * s) { s->head = s->tail = 0; s->count= 0; @@ -435,9 +441,9 @@ /* * Find a State in the queue -*/ +*/ static int -queue_find (QUEUE * s, int state) +queue_find (QUEUE * s, int state) { QNODE * q; q = s->head; @@ -451,13 +457,13 @@ /* * Add Tail Item to queue (FiFo/LiLo) -*/ +*/ static void -queue_add (QUEUE * s, int state) +queue_add (QUEUE * s, int state) { QNODE * q; - if( queue_find( s, state ) ) return; + if( queue_find( s, state ) ) return; if (!s->head) { @@ -482,9 +488,9 @@ /* * Remove Head Item from queue -*/ +*/ static int -queue_remove (QUEUE * s) +queue_remove (QUEUE * s) { int state = 0; QNODE * q; @@ -508,9 +514,9 @@ /* * Return items in the queue -*/ +*/ static int -queue_count (QUEUE * s) +queue_count (QUEUE * s) { return s->count; } @@ -518,9 +524,9 @@ /* * Free the queue -*/ +*/ static void -queue_free (QUEUE * s) +queue_free (QUEUE * s) { while (queue_count (s)) { @@ -531,7 +537,7 @@ /* * Get Next State-NFA */ -static +static int List_GetNextState( ACSM_STRUCT2 * acsm, int state, int input ) { trans_node_t * t = acsm->acsmTransTable[state]; @@ -546,14 +552,14 @@ } if( state == 0 ) return 0; - + return ACSM_FAIL_STATE2; /* Fail state ??? */ } /* * Get Next State-DFA */ -static +static int List_GetNextState2( ACSM_STRUCT2 * acsm, int state, int input ) { trans_node_t * t = acsm->acsmTransTable[state]; @@ -572,7 +578,7 @@ /* * Put Next State - Head insertion, and transition updates */ -static +static int List_PutNextState( ACSM_STRUCT2 * acsm, int state, int input, int next_state ) { trans_node_t * p; 
@@ -589,7 +595,7 @@ if( p->key == (acstate_t)input ) { p->next_state = next_state; - return 0; + return 0; } p=p->next; } @@ -597,21 +603,21 @@ /* Definitely not an existing transition - add it */ tnew = (trans_node_t*)AC_MALLOC(sizeof(trans_node_t), ACSM2_MEMORY_TYPE__TRANSTABLE); - if( !tnew ) return -1; + if( !tnew ) return -1; tnew->key = input; tnew->next_state = next_state; tnew->next = 0; tnew->next = acsm->acsmTransTable[state]; - acsm->acsmTransTable[state] = tnew; + acsm->acsmTransTable[state] = tnew; acsm->acsmNumTrans++; - - return 0; + + return 0; } /* -* Free the entire transition table +* Free the entire transition table */ static int List_FreeTransTable( @@ -625,7 +631,7 @@ return 0; for (i = 0; i < acsm->acsmMaxStates; i++) - { + { t = acsm->acsmTransTable[i]; while (t != NULL) @@ -645,10 +651,10 @@ } /* -* +* */ /* -static +static int List_FreeList( trans_node_t * t ) { int tcnt=0; @@ -658,7 +664,7 @@ while( t ) { p = t->next; - free(t); + free(t); t = p; acsm2_total_memory -= sizeof(trans_node_t); tcnt++; @@ -671,7 +677,7 @@ /* * Print the trans table to stdout */ -static +static int List_PrintTransTable( ACSM_STRUCT2 * acsm ) { int i; @@ -683,13 +689,13 @@ printf("Print Transition Table- %d active states\n",acsm->acsmNumStates); for(i=0;i< acsm->acsmNumStates;i++) - { + { t = acsm->acsmTransTable[i]; printf("state %3d: ",i); while( t ) - { + { if( isascii((int)t->key) && isprint((int)t->key) ) printf("%3c->%-5d\t",t->key,t->next_state); else @@ -703,7 +709,7 @@ while( patrn ) { printf("%.*s ",patrn->n,patrn->patrn); - + patrn = patrn->next; } @@ -715,7 +721,7 @@ /* * Converts row of states from list to a full vector format -*/ +*/ static int List_ConvToFull( ACSM_STRUCT2 *acsm, @@ -755,9 +761,9 @@ /* * Copy a Match List Entry - don't dup the pattern data -*/ +*/ static ACSM_PATTERN2* -CopyMatchListEntry (ACSM_PATTERN2 * px) +CopyMatchListEntry (ACSM_PATTERN2 * px) { ACSM_PATTERN2 * p; 
@@ -779,7 +785,7 @@ */ /* static -int FindMatchListEntry (ACSM_STRUCT2 * acsm, int state, ACSM_PATTERN2 * px) +int FindMatchListEntry (ACSM_STRUCT2 * acsm, int state, ACSM_PATTERN2 * px) { ACSM_PATTERN2 * p; @@ -788,7 +794,7 @@ { if( p->id == px->id ) return 1; p = p->next; - } + } return 0; } @@ -798,15 +804,15 @@ /* * Add a pattern to the list of patterns terminated at this state. * Insert at front of list. -*/ +*/ static void -AddMatchListEntry (ACSM_STRUCT2 * acsm, int state, ACSM_PATTERN2 * px) +AddMatchListEntry (ACSM_STRUCT2 * acsm, int state, ACSM_PATTERN2 * px) { ACSM_PATTERN2 * p; p = (ACSM_PATTERN2 *)AC_MALLOC(sizeof (ACSM_PATTERN2), ACSM2_MEMORY_TYPE__MATCHLIST); - + MEMASSERT (p, "AddMatchListEntry"); memcpy (p, px, sizeof (ACSM_PATTERN2)); @@ -818,7 +824,7 @@ static void -AddPatternStates (ACSM_STRUCT2 * acsm, ACSM_PATTERN2 * p) +AddPatternStates (ACSM_STRUCT2 * acsm, ACSM_PATTERN2 * p) { int state, next, n; unsigned char *pattern; @@ -829,10 +835,10 @@ if(s_verbose)printf(" Begin AddPatternStates: acsmNumStates=%d\n",acsm->acsmNumStates); if(s_verbose)printf(" adding '%.*s', nocase=%d\n", n,p->patrn, p->nocase ); - - /* + + /* * Match up pattern with existing states - */ + */ for (; n > 0; pattern++, n--) { if(s_verbose)printf(" find char='%c'\n", *pattern ); @@ -844,15 +850,15 @@ } state = next; } - + /* * Add new states for the rest of the pattern bytes, 1 state per byte - */ + */ for (; n > 0; pattern++, n--) { if(s_verbose)printf(" add char='%c' state=%d NumStates=%d\n", *pattern, state, acsm->acsmNumStates ); - acsm->acsmNumStates++; + acsm->acsmNumStates++; List_PutNextState(acsm,state,*pattern,acsm->acsmNumStates); state = acsm->acsmNumStates; } 
@@ -865,21 +871,21 @@ /* * Build A Non-Deterministic Finite Automata * The keyword state table must already be built, via AddPatternStates(). -*/ +*/ static void -Build_NFA (ACSM_STRUCT2 * acsm) +Build_NFA (ACSM_STRUCT2 * acsm) { int r, s, i; QUEUE q, *queue = &q; acstate_t * FailState = acsm->acsmFailState; ACSM_PATTERN2 ** MatchList = acsm->acsmMatchList; ACSM_PATTERN2 * mlist,* px; - - /* Init a Queue */ + + /* Init a Queue */ queue_init (queue); - - /* Add the state 0 transitions 1st, the states at depth 1, fail to state 0 */ + + /* Add the state 0 transitions 1st, the states at depth 1, fail to state 0 */ for (i = 0; i < acsm->acsmAlphabetSize; i++) { s = List_GetNextState2(acsm,0,i); @@ -889,13 +895,13 @@ FailState[s] = 0; } } - - /* Build the fail state successive layer of transitions */ + + /* Build the fail state successive layer of transitions */ while (queue_count (queue) > 0) { r = queue_remove (queue); - - /* Find Final States for any Failure */ + + /* Find Final States for any Failure */ for (i = 0; i < acsm->acsmAlphabetSize; i++) { int fs, next; @@ -903,14 +909,14 @@ s = List_GetNextState(acsm,r,i); if( (acstate_t)s != ACSM_FAIL_STATE2 ) - { + { queue_add (queue, s); - + fs = FailState[r]; - /* - * Locate the next valid state for 'i' starting at fs - */ + /* + * Locate the next valid state for 'i' starting at fs + */ while ((acstate_t)(next = List_GetNextState(acsm,fs,i)) == ACSM_FAIL_STATE2 ) { 
@@ -919,29 +925,29 @@ /* * Update 's' state failure state to point to the next valid state - */ + */ FailState[s] = next; /* - * Copy 'next'states MatchList to 's' states MatchList, + * Copy 'next'states MatchList to 's' states MatchList, * we copy them so each list can be AC_FREE'd later, * else we could just manipulate pointers to fake the copy. - */ - for( mlist = MatchList[next]; + */ + for( mlist = MatchList[next]; mlist; mlist = mlist->next) { px = CopyMatchListEntry (mlist); - /* Insert at front of MatchList */ + /* Insert at front of MatchList */ px->next = MatchList[s]; MatchList[s] = px; } } } } - - /* Clean up the queue */ + + /* Clean up the queue */ queue_free (queue); if( s_verbose)printf("End Build_NFA: NumStates=%d\n",acsm->acsmNumStates); @@ -949,17 +955,17 @@ /* * Build Deterministic Finite Automata from the NFA -*/ +*/ static void -Convert_NFA_To_DFA (ACSM_STRUCT2 * acsm) +Convert_NFA_To_DFA (ACSM_STRUCT2 * acsm) { int i, r, s, cFailState; QUEUE q, *queue = &q; acstate_t * FailState = acsm->acsmFailState; - + /* Init a Queue */ queue_init (queue); - + /* Add the state 0 transitions 1st */ for(i=0; i<acsm->acsmAlphabetSize; i++) { @@ -969,13 +975,13 @@ queue_add (queue, s); } } - + /* Start building the next layer of transitions */ while( queue_count(queue) > 0 ) { r = queue_remove(queue); - - /* Process this states layer */ + + /* Process this states layer */ for (i = 0; i < acsm->acsmAlphabetSize; i++) { s = List_GetNextState(acsm,r,i); @@ -995,8 +1001,8 @@ } } } - - /* Clean up the queue */ + + /* Clean up the queue */ queue_free (queue); if(s_verbose)printf("End Convert_NFA_To_DFA: NumStates=%d\n",acsm->acsmNumStates); @@ -1008,10 +1014,10 @@ * Convert a row lists for the state table to a full vector format * */ -static int +static int Conv_List_To_Full( ACSM_STRUCT2 *acsm - ) + ) { acstate_t k; acstate_t *p; 
@@ -1050,35 +1056,35 @@ } /* -* Convert DFA memory usage from list based storage to a sparse-row storage. +* Convert DFA memory usage from list based storage to a sparse-row storage. * * The Sparse format allows each row to be either full or sparse formatted. If the sparse row has -* too many transitions, performance or space may dictate that we use the standard full formatting -* for the row. More than 5 or 10 transitions per state ought to really whack performance. So the -* user can specify the max state transitions per state allowed in the sparse format. +* too many transitions, performance or space may dictate that we use the standard full formatting +* for the row. More than 5 or 10 transitions per state ought to really whack performance. So the +* user can specify the max state transitions per state allowed in the sparse format. * * Standard Full Matrix Format * --------------------------- * acstate_t ** NextState ( 1st index is row/state, 2nd index is column=event/input) * -* example: -* +* example: +* * events -> a b c d e f g h i j k l m n o p -* states +* states * N 1 7 0 0 0 3 0 0 0 0 0 0 0 0 0 0 -* +* * Sparse Format, each row : Words Value * 1-1 fmt(0-full,1-sparse,2-banded,3-sparsebands) * 2-2 bool match flag (indicates this state has pattern matches) * 3-3 sparse state count ( # of input/next-state pairs ) * 4-3+2*cnt 'input,next-state' pairs... each sizof(acstate_t) -* +* * above example case yields: * Full Format: 0, 1 7 0 0 0 3 0 0 0 0 0 0 0 0 0 0 ... * Sparse format: 1, 3, 'a',1,'b',7,'f',3 - uses 2+2*ntransitions (non-default transitions) -*/ -static int -Conv_Full_DFA_To_Sparse(ACSM_STRUCT2 * acsm) +*/ +static int +Conv_Full_DFA_To_Sparse(ACSM_STRUCT2 * acsm) { int cnt, m, k, i; acstate_t * p, state, maxstates=0; @@ -1107,7 +1113,7 @@ p[0] = ACF_FULL; p[1] = 0; - memcpy(&p[2],full,acsm->acsmAlphabetSize*sizeof(acstate_t)); + memcpy(&p[2],full,acsm->acsmAlphabetSize*sizeof(acstate_t)); } else { 
@@ -1116,13 +1122,13 @@ if(!p) return -1; m = 0; - p[m++] = ACF_SPARSE; + p[m++] = ACF_SPARSE; p[m++] = 0; /* no matches */ p[m++] = cnt; for(i = 0; i < acsm->acsmAlphabetSize ; i++) { - state = full[i]; + state = full[i]; if( state != 0 && state != ACSM_FAIL_STATE2 ) { p[m++] = i; @@ -1146,8 +1152,8 @@ 4 - 3+n next-state values at each index */ -static int -Conv_Full_DFA_To_Banded(ACSM_STRUCT2 * acsm) +static int +Conv_Full_DFA_To_Banded(ACSM_STRUCT2 * acsm) { int first = -1, last; acstate_t * p, state, full[MAX_ALPHABET_SIZE]; @@ -1182,14 +1188,14 @@ if(!p) return -1; m = 0; - p[m++] = ACF_BANDED; + p[m++] = ACF_BANDED; p[m++] = 0; /* no matches */ p[m++] = cnt; p[m++] = first; for(i = first; i <= last; i++) { - p[m++] = full[i]; + p[m++] = full[i]; } NextState[k] = p; /* now we are a banded formatted state transition array */ @@ -1212,7 +1218,7 @@ * 3 number of items in this band* 4 start index of this band * 5- next-state values in this band... */ -static +static int calcSparseBands( acstate_t * next, int * begin, int * end, int asize, int zmax ) { int i, nbands,zcnt,last=0; @@ -1229,15 +1235,15 @@ for( ; i< asize; i++ ) { state = next[i]; - if( state ==0 || state == ACSM_FAIL_STATE2 ) + if( state ==0 || state == ACSM_FAIL_STATE2 ) { zcnt++; if( zcnt > zmax ) break; } - else + else { zcnt=0; - last = i; + last = i; } } end[nbands++] = last; @@ -1258,13 +1264,13 @@ * 4 number of elements in this band * 5 start index of this band * 6- list of next states -* +* * m number of elements in this band * m+1 start index of this band * m+2- list of next states */ -static int -Conv_Full_DFA_To_SparseBands(ACSM_STRUCT2 * acsm) +static int +Conv_Full_DFA_To_SparseBands(ACSM_STRUCT2 * acsm) { acstate_t * p; acstate_t ** NextState = acsm->acsmNextState; @@ -1282,7 +1288,7 @@ List_ConvToFull(acsm, (acstate_t)k, full ); nbands = calcSparseBands( full, band_begin, band_end, acsm->acsmAlphabetSize, zcnt ); - + /* calc band width space*/ cnt = 3; for(i=0;i<nbands;i++) 
@@ -1298,7 +1304,7 @@ if(!p) return -1; m = 0; - p[m++] = ACF_SPARSEBANDS; + p[m++] = ACF_SPARSEBANDS; p[m++] = 0; /* no matches */ p[m++] = nbands; @@ -1306,7 +1312,7 @@ { p[m++] = band_end[i] - band_begin[i] + 1; /* # states in this band */ p[m++] = band_begin[i]; /* start index */ - + for( j=band_begin[i]; j<=band_end[i]; j++ ) { if (j >= MAX_ALPHABET_SIZE) @@ -1322,12 +1328,12 @@ return 0; } -static void +static void Print_DFA_MatchList( ACSM_STRUCT2 * acsm, int state ) { ACSM_PATTERN2 * mlist; - for (mlist = acsm->acsmMatchList[state]; + for (mlist = acsm->acsmMatchList[state]; mlist; mlist = mlist->next) { @@ -1338,7 +1344,7 @@ * */ static void -Print_DFA(ACSM_STRUCT2 * acsm) +Print_DFA(ACSM_STRUCT2 * acsm) { int k,i; acstate_t * p, state, n, fmt, index, nb; @@ -1352,15 +1358,15 @@ if( !p ) continue; - fmt = *p++; + fmt = *p++; printf("state %3d, fmt=%d: ",k,fmt); if( fmt ==ACF_SPARSE ) { - n = *p++; + n = *p++; for( ; n>0; n--, p+=2 ) - { + { if( isascii((int)p[0]) && isprint((int)p[0]) ) printf("%3c->%-5d\t",p[0],p[1]); else @@ -1370,11 +1376,11 @@ else if( fmt ==ACF_BANDED ) { - n = *p++; + n = *p++; index = *p++; for( ; n>0; n--, p++ ) - { + { if( isascii((int)p[0]) && isprint((int)p[0]) ) printf("%3c->%-5d\t",index++,p[0]); else @@ -1383,13 +1389,13 @@ } else if( fmt ==ACF_SPARSEBANDS ) { - nb = *p++; + nb = *p++; for(i=0;(acstate_t)i<nb;i++) { n = *p++; index = *p++; for( ; n>0; n--, p++ ) - { + { if( isascii((int)index) && isprint((int)index) ) printf("%3c->%-5d\t",index++,p[0]); else @@ -1397,7 +1403,7 @@ } } } - else if( fmt == ACF_FULL ) + else if( fmt == ACF_FULL ) { for( i=0; i<acsm->acsmAlphabetSize; i++ ) @@ -1424,7 +1430,7 @@ */ /* static void -Write_DFA(ACSM_STRUCT2 * acsm, char * f) +Write_DFA(ACSM_STRUCT2 * acsm, char * f) { int k,i; acstate_t * p, n, fmt, index, nb, bmatch; 
@@ -1436,7 +1442,7 @@ fp = fopen(f,"wb"); if(!fp) { - printf("*** WARNING: could not write dfa to file - %s\n",f); + printf("WARNING: could not write dfa to file - %s.\n",f); return; } @@ -1448,22 +1454,22 @@ if( !p ) continue; - fmt = *p++; + fmt = *p++; bmatch = *p++; fwrite( &fmt, sizeof(acstate_t), 1, fp); fwrite( &bmatch, sizeof(acstate_t), 1, fp); - + if( fmt ==ACF_SPARSE ) { - n = *p++; + n = *p++; fwrite( &n, sizeof(acstate_t), 1, fp); fwrite( p, n*2*sizeof(acstate_t), 1, fp); } else if( fmt ==ACF_BANDED ) { - n = *p++; + n = *p++; fwrite( &n, sizeof(acstate_t), 1, fp); index = *p++; @@ -1473,7 +1479,7 @@ } else if( fmt ==ACF_SPARSEBANDS ) { - nb = *p++; + nb = *p++; fwrite( &nb, sizeof(acstate_t), 1, fp); for(i=0;i<nb;i++) { @@ -1486,7 +1492,7 @@ fwrite( p, sizeof(acstate_t), 1, fp); } } - else if( fmt == ACF_FULL ) + else if( fmt == ACF_FULL ) { fwrite( p, sizeof(acstate_t), acsm->acsmAlphabetSize, fp); } @@ -1510,7 +1516,7 @@ * */ /* -static +static acstate_t * acsmConvToFull(ACSM_STRUCT2 * acsm, acstate_t k, acstate_t * full ) { int i; @@ -1521,38 +1527,38 @@ if( !p ) return 0; - fmt = *p++; + fmt = *p++; bmatch = *p++; if( fmt ==ACF_SPARSE ) { - n = *p++; + n = *p++; for( ; n>0; n--, p+=2 ) - { + { full[ p[0] ] = p[1]; } } else if( fmt ==ACF_BANDED ) { - n = *p++; + n = *p++; index = *p++; for( ; n>0; n--, p++ ) - { + { full[ index++ ] = p[0]; } } else if( fmt ==ACF_SPARSEBANDS ) { - nb = *p++; + nb = *p++; for(i=0;i<nb;i++) { n = *p++; index = *p++; for( ; n>0; n--, p++ ) - { + { full[ index++ ] = p[0]; } } @@ -1561,8 +1567,8 @@ { memcpy(full,p,acsm->acsmAlphabetSize*sizeof(acstate_t)); } - - return full; + + return full; } */ @@ -1591,7 +1597,7 @@ */ void acsmSetMaxSparseBandZeros2( ACSM_STRUCT2 * acsm, int n ) { - acsm->acsmSparseMaxZcnt = n; + acsm->acsmSparseMaxZcnt = n; } /* * @@ -1601,7 +1607,7 @@ acsm->acsmSparseMaxRowNodes = n; } /* -* +* */ int acsmSelectFSA2( ACSM_STRUCT2 * acsm, int m ) { 
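Review bot: The warning text change in the hunk at @@ -1436 lands inside code that is commented out: `Write_DFA` is opened by a `/*` in the hunk at @@ -1424 and that comment is not closed until the `*/` immediately before `acsmConvToFull` in the hunk at @@ -1510, which is itself wrapped in another `/* ... */`. Hand-editing strings in dead code suggests these two functions are still being maintained; either delete them or place them under `#if 0` with a comment naming the debugging purpose, so they can be re-enabled with one change and no longer masquerade as live code in diffs. If they are kept, the hunks at @@ -1448 through @@ -1561 are equally affected.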
@@ -1616,7 +1622,7 @@ } } /* -* +* */ int acsmSetAlphabetSize2( ACSM_STRUCT2 * acsm, int n ) { @@ -1632,7 +1638,7 @@ } /* * Create a new AC state machine -*/ +*/ ACSM_STRUCT2 * acsmNew2 (void (*userfree)(void *p), void (*optiontreefree)(void **p), void (*neg_list_free)(void **p)) @@ -1653,21 +1659,21 @@ p->acsmFormat = ACF_FULL;//ACF_BANDED; p->acsmAlphabetSize = 256; p->acsmSparseMaxRowNodes = 256; - p->acsmSparseMaxZcnt = 10; + p->acsmSparseMaxZcnt = 10; p->userfree = userfree; p->optiontreefree = optiontreefree; p->neg_list_free = neg_list_free; } - + return p; } /* * Add a pattern to the list of patterns for this state machine * -*/ +*/ int acsmAddPattern2 (ACSM_STRUCT2 * p, unsigned char *pat, int n, int nocase, - int offset, int depth, int negative, void * id, int iid) + int offset, int depth, int negative, void * id, int iid) { ACSM_PATTERN2 * plist; @@ -1680,11 +1686,11 @@ MEMASSERT (plist->patrn, "acsmAddPattern"); ConvertCaseEx(plist->patrn, pat, n); - + plist->casepatrn = (unsigned char *)AC_MALLOC(n, ACSM2_MEMORY_TYPE__PATTERN); MEMASSERT (plist->casepatrn, "acsmAddPattern"); - + memcpy (plist->casepatrn, pat, n); plist->n = n; @@ -1703,7 +1709,7 @@ } /* * Add a Key to the list of key+data pairs -*/ +*/ int acsmAddKey2(ACSM_STRUCT2 * p, unsigned char *key, int klen, int nocase, void * data) { ACSM_PATTERN2 * plist; @@ -1711,7 +1717,7 @@ plist = (ACSM_PATTERN2 *) AC_MALLOC(sizeof(ACSM_PATTERN2), ACSM2_MEMORY_TYPE__PATTERN); MEMASSERT (plist, "acsmAddPattern"); - + plist->patrn = (unsigned char *)AC_MALLOC(klen, ACSM2_MEMORY_TYPE__PATTERN); MEMASSERT (plist->patrn, "acsmAddPattern"); @@ -1771,7 +1777,7 @@ } } -static int acsmBuildMatchStateTrees2( ACSM_STRUCT2 * acsm, +static int acsmBuildMatchStateTrees2( ACSM_STRUCT2 * acsm, int (*build_tree)(void * id, void **existing_tree), int (*neg_list_func)(void *id, void **list) ) { 
@@ -1779,7 +1785,7 @@ ACSM_PATTERN2 ** MatchList = acsm->acsmMatchList; ACSM_PATTERN2 * mlist; - /* Find the states that have a MatchList */ + /* Find the states that have a MatchList */ for (i = 0; i < acsm->acsmNumStates; i++) { for ( mlist=MatchList[i]; @@ -1809,7 +1815,7 @@ } return cnt; -} +} void acsmCompressStates( ACSM_STRUCT2 *acsm, @@ -1823,7 +1829,7 @@ /* * Compile State Machine - NFA or DFA and Full or Banded or Sparse or SparseBands -*/ +*/ int acsmCompile2( ACSM_STRUCT2* acsm, @@ -1833,7 +1839,7 @@ { ACSM_PATTERN2* plist; - /* Count number of possible states */ + /* Count number of possible states */ for (plist = acsm->acsmPatterns; plist != NULL; plist = plist->next) acsm->acsmMaxStates += plist->n; @@ -1867,10 +1873,10 @@ "states\n", acsm2_total_memory, acsm->acsmMaxStates, acsm->acsmNumStates); } - /* Initialize state zero as a branch */ + /* Initialize state zero as a branch */ acsm->acsmNumStates = 0; - /* Add each Pattern to the State Table - This forms a keywords state table */ + /* Add each Pattern to the State Table - This forms a keywords state table */ for (plist = acsm->acsmPatterns; plist != NULL; plist = plist->next) { summary.num_patterns++; @@ -1919,7 +1925,7 @@ if (s_verbose) { printf("ACSMX-Max Trie List Memory : %d bytes, %d states, %d " - "active states\n", + "active states\n", acsm2_total_memory, acsm->acsmMaxStates, acsm->acsmNumStates); List_PrintTransTable(acsm); } @@ -1944,7 +1950,7 @@ if (acsm->acsmFSA == FSA_DFA) { - /* Convert the NFA to a DFA */ + /* Convert the NFA to a DFA */ if (s_verbose) printf("Convert_NFA_To_DFA\n"); @@ -2033,7 +2039,7 @@ acsmUpdateMatchStates(acsm); /* Free up the Table Of Transition Lists */ - List_FreeTransTable(acsm); + List_FreeTransTable(acsm); if (s_verbose) { @@ -2064,7 +2070,7 @@ * Get the NextState from the NFA, all NFA storage formats use this */ static -INLINE +inline acstate_t SparseGetNextStateNFA(acstate_t * ps, acstate_t state, unsigned input) { acstate_t fmt; 
@@ -2075,7 +2081,7 @@ fmt = *ps++; ps++; /* skip bMatchState */ - + switch( fmt ) { case ACF_BANDED: @@ -2083,38 +2089,38 @@ n = ps[0]; index = ps[1]; - if( input < index ) + if( input < index ) { if(state==0) { - return 0; + return 0; } else - { + { return (acstate_t)ACSM_FAIL_STATE2; } } if( input >= index + n ) - { + { if(state==0) { - return 0; + return 0; } - else + else { return (acstate_t)ACSM_FAIL_STATE2; } } - if( ps[input-index] == 0 ) + if( ps[input-index] == 0 ) { - if( state != 0 ) + if( state != 0 ) { - return ACSM_FAIL_STATE2; + return ACSM_FAIL_STATE2; } } return (acstate_t) ps[input-index]; - } + } case ACF_SPARSE: { @@ -2137,30 +2143,30 @@ return 0; } return ACSM_FAIL_STATE2; - } + } case ACF_SPARSEBANDS: { nb = *ps++; /* number of bands */ while( nb > 0 ) /* for each band */ - { + { n = *ps++; /* number of elements */ index = *ps++; /* 1st element value */ if( input < index ) { - if( state != 0 ) + if( state != 0 ) { return (acstate_t)ACSM_FAIL_STATE2; } return (acstate_t)0; } - if( (input >= index) && (input < (index + n)) ) + if( (input >= index) && (input < (index + n)) ) { if( ps[input-index] == 0 ) { - if( state != 0 ) + if( state != 0 ) { return ACSM_FAIL_STATE2; } @@ -2175,19 +2181,19 @@ return (acstate_t)ACSM_FAIL_STATE2; } return (acstate_t)0; - } + } case ACF_FULL: case ACF_FULLQ: { if( ps[input] == 0 ) { - if( state != 0 ) + if( state != 0 ) { - return ACSM_FAIL_STATE2; + return ACSM_FAIL_STATE2; } } - return ps[input]; + return ps[input]; } } @@ -2198,17 +2204,17 @@ /* * Get the NextState from the DFA Next State Transition table -* Full and banded are supported separately, this is for +* Full and banded are supported separately, this is for * sparse and sparse-bands */ static -INLINE +inline acstate_t SparseGetNextStateDFA(acstate_t * ps, acstate_t state, unsigned input) { acstate_t n, nb; unsigned int index; - switch( ps[0] ) + switch( ps[0] ) { /* BANDED */ case ACF_BANDED: 
@@ -2216,26 +2222,26 @@ /* n=ps[2] : number of entries in the band */ /* index=ps[3] : index of the 1st entry, sequential thereafter */ - if( input < ps[3] ) return 0; - if( input >= (unsigned)(ps[3]+ps[2]) ) return 0; + if( input < ps[3] ) return 0; + if( input >= (unsigned)(ps[3]+ps[2]) ) return 0; return ps[4+input-ps[3]]; - } + } /* FULL */ case ACF_FULL: { - return ps[2+input]; + return ps[2+input]; } /* SPARSE */ case ACF_SPARSE: { n = ps[2]; /* number of entries/ key+next pairs */ - + ps += 3; - - for( ; n>0 ; n-- ) + + for( ; n>0 ; n-- ) { if( input < ps[0] ) /* cannot match the input, already a higher value than the input */ { @@ -2248,25 +2254,25 @@ ps += 2; } return (acstate_t)0; - } + } /* SPARSEBANDS */ case ACF_SPARSEBANDS: { nb = ps[2]; /* number of bands */ - + ps += 3; while( nb > 0 ) /* for each band */ - { + { n = ps[0]; /* number of elements in this band */ index = ps[1]; /* start index/char of this band */ if( input < index ) { return (acstate_t)0; } - if( (input < (index + n)) ) + if( (input < (index + n)) ) { return (acstate_t) ps[2+input-index]; } @@ -2274,7 +2280,7 @@ ps += 2 + n; } return (acstate_t)0; - } + } } return 0; @@ -2285,11 +2291,11 @@ * Sparse & Sparse-Banded Matrix search */ static -INLINE +inline int acsmSearchSparseDFA(ACSM_STRUCT2 * acsm, unsigned char *Tx, int n, int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data, int* current_state ) + void *data, int* current_state ) { acstate_t state; ACSM_PATTERN2 * mlist; @@ -2297,7 +2303,7 @@ int nfound = 0; unsigned char * T, * Tc; int index; - acstate_t ** NextState = acsm->acsmNextState; + acstate_t ** NextState = acsm->acsmNextState; ACSM_PATTERN2 ** MatchList = acsm->acsmMatchList; Tc = Tx; 
@@ -2315,14 +2321,14 @@ for( ; T < Tend; T++ ) { state = SparseGetNextStateDFA ( NextState[state], state, xlatcase[*T] ); - + /* test if this state has any matching patterns */ - if( NextState[state][1] ) - { + if( NextState[state][1] ) + { mlist = MatchList[state]; if (mlist) { - index = T - mlist->n - Tc + 1; + index = T - mlist->n - Tc + 1; nfound++; if (Match (mlist->udata, mlist->rule_option_tree, index, data, mlist->neg_list) > 0) { @@ -2352,8 +2358,8 @@ } static -INLINE -void +inline +void _init_queue( PMQ * b) { b->inq=0; @@ -2361,11 +2367,11 @@ } /* uniquely insert into q, should splay elements for performance */ -static -INLINE +static +inline int _add_queue(PMQ * b, void * p ) - + { int i; @@ -2376,7 +2382,7 @@ for(i=(int)(b->inq)-1;i>=0;i--) if( p == b->q[i] ) return 0; - + #ifdef ACSMX2_TRACK_Q snort_conf->tot_inq_uinserts++; #endif @@ -2397,17 +2403,17 @@ } static -INLINE +inline unsigned -_process_queue( PMQ * q, +_process_queue( PMQ * q, int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data ) + void *data ) { ACSM_PATTERN2 * mlist; unsigned int i; #ifdef ACSMX2_TRACK_Q - if( q->inq > snort_conf->max_inq ) + if( q->inq > snort_conf->max_inq ) snort_conf->max_inq = q->inq; snort_conf->tot_inq_flush += q->inq_flush; #endif @@ -2424,7 +2430,7 @@ } } } - q->inq=0; + q->inq=0; return 0; } @@ -2436,7 +2442,7 @@ * is flushed if it becomes full during the scan. This allows * simple insertions. Tracking queue ops is optional, as this can * impose a modest performance hit of a few percent. - */ + */ #define AC_SEARCH_Q \ for (; T < Tend; T++) \ { \ @@ -2459,7 +2465,7 @@ state = ps[2 + sindex]; \ } -static INLINE int +static inline int acsmSearchSparseDFA_Full_q( ACSM_STRUCT2 *acsm, unsigned char *T, @@ -2467,7 +2473,7 @@ int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), void *data, int *current_state - ) + ) { unsigned char *Tend; int sindex; 
@@ -2487,21 +2493,21 @@ { case 1: { - uint8_t *ps; + uint8_t *ps; uint8_t **NextState = (uint8_t **)acsm->acsmNextState; AC_SEARCH_Q; } break; case 2: { - uint16_t *ps; + uint16_t *ps; uint16_t **NextState = (uint16_t **)acsm->acsmNextState; AC_SEARCH_Q; } break; default: { - acstate_t *ps; + acstate_t *ps; acstate_t **NextState = acsm->acsmNextState; AC_SEARCH_Q; } @@ -2513,20 +2519,20 @@ if (MatchList[state]) _add_queue(&acsm->q,MatchList[state]); - _process_queue(&acsm->q,Match,data); + _process_queue(&acsm->q,Match,data); return 0; } /* * Full format DFA search -* Do not change anything here without testing, caching and prefetching +* Do not change anything here without testing, caching and prefetching * performance is very sensitive to any changes. * -* Perf-Notes: +* Perf-Notes: * 1) replaced ConvertCaseEx with inline xlatcase - this improves performance 5-10% * 2) using 'nocase' improves performance again by 10-15%, since memcmp is not needed -* 3) +* 3) */ #define AC_SEARCH \ for( ; T < Tend; T++ ) \ @@ -2550,7 +2556,7 @@ state = ps[2u + sindex]; \ } -static INLINE int +static inline int acsmSearchSparseDFA_Full( ACSM_STRUCT2 *acsm, unsigned char *Tx, @@ -2558,7 +2564,7 @@ int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), void *data, int *current_state - ) + ) { ACSM_PATTERN2 *mlist; unsigned char *Tend; @@ -2581,21 +2587,21 @@ { case 1: { - uint8_t *ps; + uint8_t *ps; uint8_t **NextState = (uint8_t **)acsm->acsmNextState; AC_SEARCH; } break; case 2: { - uint16_t *ps; + uint16_t *ps; uint16_t **NextState = (uint16_t **)acsm->acsmNextState; AC_SEARCH; } break; default: { - acstate_t *ps; + acstate_t *ps; acstate_t **NextState = acsm->acsmNextState; AC_SEARCH; } 
@@ -2621,20 +2627,20 @@ /* * Banded-Row format DFA search -* Do not change anything here, caching and prefetching +* Do not change anything here, caching and prefetching * performance is very sensitive to any changes. * -* ps[0] = storage fmt +* ps[0] = storage fmt * ps[1] = bool match flag -* ps[2] = # elements in band +* ps[2] = # elements in band * ps[3] = index of 1st element */ -static -INLINE +static +inline int acsmSearchSparseDFA_Banded(ACSM_STRUCT2 * acsm, unsigned char *Tx, int n, int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data, int* current_state ) + void *data, int* current_state ) { acstate_t state; unsigned char * Tend; @@ -2644,7 +2650,7 @@ acstate_t ** NextState = acsm->acsmNextState; ACSM_PATTERN2 ** MatchList = acsm->acsmMatchList; ACSM_PATTERN2 * mlist; - acstate_t * ps; + acstate_t * ps; int nfound = 0; T = Tx; @@ -2660,16 +2666,16 @@ for( ; T < Tend; T++ ) { ps = NextState[state]; - + sindex = xlatcase[ T[0] ]; - + /* test if this state has any matching patterns */ - if( ps[1] ) - { + if( ps[1] ) + { mlist = MatchList[state]; if (mlist) { - index = T - mlist->n - Tx; + index = T - mlist->n - Tx; nfound++; if (Match (mlist->udata, mlist->rule_option_tree, index, data, mlist->neg_list) > 0) { @@ -2678,9 +2684,9 @@ } } } - + if( (acstate_t)sindex < ps[3] ) state = 0; - else if( (acstate_t)sindex >= (ps[3] + ps[2]) ) state = 0; + else if( (acstate_t)sindex >= (ps[3] + ps[2]) ) state = 0; else state = ps[ 4u + sindex - ps[3] ]; } @@ -2688,7 +2694,7 @@ mlist = MatchList[state]; if (mlist) { - index = T - mlist->n - Tx; + index = T - mlist->n - Tx; nfound++; if (Match (mlist->udata, mlist->rule_option_tree, index, data, mlist->neg_list) > 0) { 
@@ -2708,11 +2714,11 @@ * Sparse Storage Version */ static -INLINE +inline int acsmSearchSparseNFA(ACSM_STRUCT2 * acsm, unsigned char *Tx, int n, int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data, int* current_state ) + void *data, int* current_state ) { acstate_t state; ACSM_PATTERN2 * mlist; @@ -2749,7 +2755,7 @@ mlist = MatchList[state]; if (mlist) { - index = T - mlist->n - Tx; + index = T - mlist->n - Tx; nfound++; if (Match (mlist->udata, mlist->rule_option_tree, index, data, mlist->neg_list) > 0) { @@ -2765,10 +2771,10 @@ /* * Search Function */ -int +int acsmSearch2(ACSM_STRUCT2 * acsm, unsigned char *Tx, int n, int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data, int* current_state ) + void *data, int* current_state ) { switch( acsm->acsmFSA ) @@ -2777,12 +2783,12 @@ if( acsm->acsmFormat == ACF_FULL ) { - return acsmSearchSparseDFA_Full( acsm, Tx, n, Match, data, + return acsmSearchSparseDFA_Full( acsm, Tx, n, Match, data, current_state ); } else if( acsm->acsmFormat == ACF_FULLQ ) { - return acsmSearchSparseDFA_Full_q( acsm, Tx, n, Match, data, + return acsmSearchSparseDFA_Full_q( acsm, Tx, n, Match, data, current_state ); } else if( acsm->acsmFormat == ACF_BANDED ) @@ -2792,13 +2798,13 @@ } else { - return acsmSearchSparseDFA( acsm, Tx, n, Match, data, + return acsmSearchSparseDFA( acsm, Tx, n, Match, data, current_state ); } case FSA_NFA: - return acsmSearchSparseNFA( acsm, Tx, n, Match, data, + return acsmSearchSparseNFA( acsm, Tx, n, Match, data, current_state ); case FSA_TRIE: @@ -2811,11 +2817,11 @@ /* * Free all memory -*/ +*/ void acsmFree2( ACSM_STRUCT2 *acsm - ) + ) { int i; ACSM_PATTERN2 * mlist, *ilist, *plist; 
@@ -3035,17 +3041,17 @@ #ifdef ACSMX2S_MAIN - + /* * Text Data Buffer -*/ +*/ unsigned char text[512]; -/* +/* * A Match is found -*/ +*/ int -MatchFound (void* id, int index, void *data) +MatchFound (void* id, int index, void *data) { fprintf (stdout, "%s\n", (char *) id); return 0; @@ -3053,16 +3059,16 @@ /* * -*/ +*/ int -main (int argc, char **argv) +main (int argc, char **argv) { int i, nc, nocase = 0; ACSM_STRUCT2 * acsm; char * p; if (argc < 3) - + { fprintf (stderr,"Usage: %s search-text pattern +pattern... [flags]\n",argv[0]); fprintf (stderr," flags: -nfa -nocase -full -sparse -bands -sparsebands -z zcnt (sparsebands) -sparsetree -v\n"); @@ -3106,10 +3112,10 @@ if (strcmp (argv[i], "-sparsebands") == 0){ acsm->acsmFormat = ACF_SPARSEBANDS; - acsm->acsmSparseMaxZcnt = 10; + acsm->acsmSparseMaxZcnt = 10; } if (strcmp (argv[i], "-z") == 0){ - acsm->acsmSparseMaxZcnt = atoi(argv[++i]); + acsm->acsmSparseMaxZcnt = atoi(argv[++i]); } if (strcmp (argv[i], "-nfa") == 0){ @@ -3142,7 +3148,7 @@ acsmAddPattern2 (acsm, p, strlen(p), nc, 0, 0,(void*)p, i - 2); } - + if(s_verbose)printf("Patterns added\n"); Print_DFA (acsm); diff -Nru snort-2.9.0.1/src/sfutil/acsmx2.h snort-2.9.2/src/sfutil/acsmx2.h --- snort-2.9.0.1/src/sfutil/acsmx2.h 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/acsmx2.h 2011-02-09 15:23:35.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/acsmx.c snort-2.9.2/src/sfutil/acsmx.c --- snort-2.9.0.1/src/sfutil/acsmx.c 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/acsmx.c 2011-06-07 17:33:19.000000000 -0700 
@@ -6,10 +6,10 @@ ** ** Aho-Corasick State Machine - uses a Deterministic Finite Automata - DFA ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton ** -** +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or 
@@ -28,41 +28,45 @@ ** ** Reference - Efficient String matching: An Aid to Bibliographic Search ** Alfred V Aho and Margaret J Corasick -** Bell Labratories +** Bell Labratories ** Copyright(C) 1975 Association for Computing Machinery,Inc ** ** Implemented from the 4 algorithms in the paper by Aho & Corasick ** and some implementation ideas from 'Practical Algorithms in C' ** ** Notes: -** 1) This version uses about 1024 bytes per pattern character - heavy on the memory. -** 2) This algorithm finds all occurrences of all patterns within a +** 1) This version uses about 1024 bytes per pattern character - heavy on the memory. +** 2) This algorithm finds all occurrences of all patterns within a ** body of text. -** 3) Support is included to handle upper and lower case matching. +** 3) Support is included to handle upper and lower case matching. ** 4) Some comopilers optimize the search routine well, others don't, this makes all the difference. ** 5) Aho inspects all bytes of the search text, but only once so it's very efficient, ** if the patterns are all large than the Modified Wu-Manbar method is often faster. ** 6) I don't subscribe to any one method is best for all searching needs, ** the data decides which method is best, ** and we don't know until after the search method has been tested on the specific data sets. -** ** -** May 2002 : Marc Norton 1st Version +** +** May 2002 : Marc Norton 1st Version ** June 2002 : Modified interface for SNORT, added case support ** Aug 2002 : Cleaned up comments, and removed dead code. ** Nov 2,2002: Fixed queue_init() , added count=0 -** -** -*/ - +** +** +*/ + #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> - + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "acsmx.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #define MEMASSERT(p,s) if(!p){fprintf(stderr,"ACSM-No Memory: %s!\n",s);exit(0);} 
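Review bot: The newly added `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` block is placed after `<stdio.h>`, `<stdlib.h>`, `<string.h>` and `<ctype.h>`, so any feature-test or platform macros that configure writes into config.h are defined only after those system headers have already been processed and cannot affect them. Move the three lines above `#include <stdio.h>` so the autoconf results are visible to every header in the translation unit. Unrelated to the include change but visible in this hunk's context, `MEMASSERT` terminates with `exit(0)` on allocation failure, which reports success to the parent process; that is pre-existing, but a non-zero status would be worth a follow-up.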
@@ -74,9 +78,9 @@ /* * -*/ +*/ static void * -AC_MALLOC (int n) +AC_MALLOC (int n) { void *p; p = calloc (1,n); @@ -90,9 +94,9 @@ /* * -*/ +*/ static void -AC_FREE (void *p) +AC_FREE (void *p) { if (p) free (p); @@ -101,7 +105,7 @@ /* * Simple QUEUE NODE -*/ +*/ typedef struct _qnode { int state; @@ -111,7 +115,7 @@ /* * Simple QUEUE Structure -*/ +*/ typedef struct _queue { QNODE * head, *tail; @@ -121,9 +125,9 @@ /* * -*/ +*/ static void -queue_init (QUEUE * s) +queue_init (QUEUE * s) { s->head = s->tail = 0; s->count = 0; @@ -132,9 +136,9 @@ /* * Add Tail Item to queue -*/ +*/ static void -queue_add (QUEUE * s, int state) +queue_add (QUEUE * s, int state) { QNODE * q; if (!s->head) @@ -159,9 +163,9 @@ /* * Remove Head Item from queue -*/ +*/ static int -queue_remove (QUEUE * s) +queue_remove (QUEUE * s) { int state = 0; QNODE * q; @@ -184,9 +188,9 @@ /* * -*/ +*/ static int -queue_count (QUEUE * s) +queue_count (QUEUE * s) { return s->count; } @@ -194,9 +198,9 @@ /* * -*/ +*/ static void -queue_free (QUEUE * s) +queue_free (QUEUE * s) { while (queue_count (s)) { @@ -206,15 +210,15 @@ /* -** Case Translation Table -*/ +** Case Translation Table +*/ static unsigned char xlatcase[256]; /* * -*/ +*/ static void -init_xlatcase () +init_xlatcase () { int i; for (i = 0; i < 256; i++) @@ -226,9 +230,9 @@ /* * -*/ -static INLINE void -ConvertCaseEx (unsigned char *d, unsigned char *s, int m) +*/ +static inline void +ConvertCaseEx (unsigned char *d, unsigned char *s, int m) { int i; for (i = 0; i < m; i++) @@ -240,9 +244,9 @@ /* * -*/ +*/ static ACSM_PATTERN * -CopyMatchListEntry (ACSM_PATTERN * px) +CopyMatchListEntry (ACSM_PATTERN * px) { ACSM_PATTERN * p; p = (ACSM_PATTERN *) AC_MALLOC (sizeof (ACSM_PATTERN)); 
@@ -257,9 +261,9 @@ /* * Add a pattern to the list of patterns terminated at this state. * Insert at front of list. -*/ +*/ static void -AddMatchListEntry (ACSM_STRUCT * acsm, int state, ACSM_PATTERN * px) +AddMatchListEntry (ACSM_STRUCT * acsm, int state, ACSM_PATTERN * px) { ACSM_PATTERN * p; p = (ACSM_PATTERN *) AC_MALLOC (sizeof (ACSM_PATTERN)); @@ -270,20 +274,20 @@ } -/* +/* Add Pattern States -*/ +*/ static void -AddPatternStates (ACSM_STRUCT * acsm, ACSM_PATTERN * p) +AddPatternStates (ACSM_STRUCT * acsm, ACSM_PATTERN * p) { unsigned char *pattern; int state=0, next, n; n = p->n; pattern = p->patrn; - - /* + + /* * Match up pattern with existing states - */ + */ for (; n > 0; pattern++, n--) { next = acsm->acsmStateTable[state].NextState[*pattern]; @@ -291,37 +295,37 @@ break; state = next; } - + /* * Add new states for the rest of the pattern bytes, 1 state per byte - */ + */ for (; n > 0; pattern++, n--) { acsm->acsmNumStates++; acsm->acsmStateTable[state].NextState[*pattern] = acsm->acsmNumStates; state = acsm->acsmNumStates; } - + AddMatchListEntry (acsm, state, p); } /* * Build Non-Deterministic Finite Automata -*/ +*/ static void -Build_NFA (ACSM_STRUCT * acsm) +Build_NFA (ACSM_STRUCT * acsm) { int r, s; int i; QUEUE q, *queue = &q; ACSM_PATTERN * mlist=0; ACSM_PATTERN * px=0; - - /* Init a Queue */ + + /* Init a Queue */ queue_init (queue); - - /* Add the state 0 transitions 1st */ + + /* Add the state 0 transitions 1st */ for (i = 0; i < ALPHABET_SIZE; i++) { s = acsm->acsmStateTable[0].NextState[i]; @@ -331,13 +335,13 @@ acsm->acsmStateTable[s].FailState = 0; } } - - /* Build the fail state transitions for each valid state */ + + /* Build the fail state transitions for each valid state */ while (queue_count (queue) > 0) { r = queue_remove (queue); - - /* Find Final States for any Failure */ + + /* Find Final States for any Failure */ for (i = 0; i < ALPHABET_SIZE; i++) { int fs, next; 
@@ -346,9 +350,9 @@ queue_add (queue, s); fs = acsm->acsmStateTable[r].FailState; - /* - * Locate the next valid state for 'i' starting at s - */ + /* + * Locate the next valid state for 'i' starting at s + */ while ((next=acsm->acsmStateTable[fs].NextState[i]) == ACSM_FAIL_STATE) { @@ -357,15 +361,15 @@ /* * Update 's' state failure state to point to the next valid state - */ + */ acsm->acsmStateTable[s].FailState = next; /* - * Copy 'next'states MatchList to 's' states MatchList, + * Copy 'next'states MatchList to 's' states MatchList, * we copy them so each list can be AC_FREE'd later, * else we could just manipulate pointers to fake the copy. - */ - for (mlist = acsm->acsmStateTable[next].MatchList; + */ + for (mlist = acsm->acsmStateTable[next].MatchList; mlist != NULL ; mlist = mlist->next) { @@ -376,33 +380,33 @@ FatalError("*** Out of memory Initializing Aho Corasick in acsmx.c ****"); } - /* Insert at front of MatchList */ + /* Insert at front of MatchList */ px->next = acsm->acsmStateTable[s].MatchList; acsm->acsmStateTable[s].MatchList = px; } } } } - - /* Clean up the queue */ + + /* Clean up the queue */ queue_free (queue); } /* * Build Deterministic Finite Automata from NFA -*/ +*/ static void -Convert_NFA_To_DFA (ACSM_STRUCT * acsm) +Convert_NFA_To_DFA (ACSM_STRUCT * acsm) { int r, s; int i; QUEUE q, *queue = &q; - - /* Init a Queue */ + + /* Init a Queue */ queue_init (queue); - - /* Add the state 0 transitions 1st */ + + /* Add the state 0 transitions 1st */ for (i = 0; i < ALPHABET_SIZE; i++) { s = acsm->acsmStateTable[0].NextState[i]; @@ -411,13 +415,13 @@ queue_add (queue, s); } } - - /* Start building the next layer of transitions */ + + /* Start building the next layer of transitions */ while (queue_count (queue) > 0) { r = queue_remove (queue); - - /* State is a branch state */ + + /* State is a branch state */ for (i = 0; i < ALPHABET_SIZE; i++) { if ((s = acsm->acsmStateTable[r].NextState[i]) != ACSM_FAIL_STATE) 
@@ -432,15 +436,15 @@ } } } - - /* Clean up the queue */ + + /* Clean up the queue */ queue_free (queue); } /* * -*/ +*/ ACSM_STRUCT * acsmNew (void (*userfree)(void *p), void (*optiontreefree)(void **p), void (*neg_list_free)(void **p)) @@ -462,10 +466,10 @@ /* * Add a pattern to the list of patterns for this state machine -*/ +*/ int acsmAddPattern (ACSM_STRUCT * p, unsigned char *pat, int n, int nocase, - int offset, int depth, int negative, void * id, int iid) + int offset, int depth, int negative, void * id, int iid) { ACSM_PATTERN * plist; plist = (ACSM_PATTERN *) AC_MALLOC (sizeof (ACSM_PATTERN)); @@ -492,14 +496,14 @@ return 0; } -static int acsmBuildMatchStateTrees( ACSM_STRUCT * acsm, +static int acsmBuildMatchStateTrees( ACSM_STRUCT * acsm, int (*build_tree)(void * id, void **existing_tree), int (*neg_list_func)(void *id, void **list) ) { int i, cnt = 0; ACSM_PATTERN * mlist; - /* Find the states that have a MatchList */ + /* Find the states that have a MatchList */ for (i = 0; i < acsm->acsmMaxStates; i++) { for ( mlist=acsm->acsmStateTable[i].MatchList; @@ -529,12 +533,12 @@ } return cnt; -} +} /* * Compile State Machine -*/ +*/ int acsmCompile (ACSM_STRUCT * acsm, int (*build_tree)(void * id, void **existing_tree), @@ -542,8 +546,8 @@ { int i, k; ACSM_PATTERN * plist; - - /* Count number of states */ + + /* Count number of states */ acsm->acsmMaxStates = 1; for (plist = acsm->acsmPatterns; plist != NULL; plist = plist->next) { @@ -556,10 +560,10 @@ memset (acsm->acsmStateTable, 0, sizeof (ACSM_STATETABLE) * acsm->acsmMaxStates); - /* Initialize state zero as a branch */ + /* Initialize state zero as a branch */ acsm->acsmNumStates = 0; - /* Initialize all States NextStates to FAILED */ + /* Initialize all States NextStates to FAILED */ for (k = 0; k < acsm->acsmMaxStates; k++) { for (i = 0; i < ALPHABET_SIZE; i++) 
@@ -567,14 +571,14 @@ acsm->acsmStateTable[k].NextState[i] = ACSM_FAIL_STATE; } } - - /* Add each Pattern to the State Table */ + + /* Add each Pattern to the State Table */ for (plist = acsm->acsmPatterns; plist != NULL; plist = plist->next) { AddPatternStates (acsm, plist); } - - /* Set all failed state transitions to return to the 0'th state */ + + /* Set all failed state transitions to return to the 0'th state */ for (i = 0; i < ALPHABET_SIZE; i++) { if (acsm->acsmStateTable[0].NextState[i] == ACSM_FAIL_STATE) @@ -582,11 +586,11 @@ acsm->acsmStateTable[0].NextState[i] = 0; } } - - /* Build the NFA */ + + /* Build the NFA */ Build_NFA (acsm); - /* Convert the NFA to a DFA */ + /* Convert the NFA to a DFA */ Convert_NFA_To_DFA (acsm); /* @@ -609,11 +613,11 @@ /* * Search Text or Binary Data for Pattern matches -*/ +*/ int acsmSearch (ACSM_STRUCT * acsm, unsigned char *Tx, int n, int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data, int* current_state ) + void *data, int* current_state ) { int state = 0; ACSM_PATTERN * mlist; @@ -622,8 +626,8 @@ int nfound = 0; unsigned char *T; int index; - - /* Case conversion */ + + /* Case conversion */ ConvertCaseEx (Tc, Tx, n); T = Tc; Tend = T + n; @@ -658,9 +662,9 @@ /* * Free all memory -*/ +*/ void -acsmFree (ACSM_STRUCT * acsm) +acsmFree (ACSM_STRUCT * acsm) { int i; ACSM_PATTERN * mlist, *ilist; @@ -713,15 +717,15 @@ } /* - * - */ + * + */ /* static void Print_DFA( ACSM_STRUCT * acsm ) { int k; int i; int next; - + for (k = 0; k < acsm->acsmMaxStates; k++) { for (i = 0; i < ALPHABET_SIZE; i++) @@ -738,10 +742,10 @@ } printf("\n"); } - -} + +} */ - + int acsmPrintDetailInfo(ACSM_STRUCT * p) { @@ -749,7 +753,7 @@ p = p; return 0; } - + int acsmPrintSummaryInfo(void) { #ifdef XXXXX 
@@ -763,7 +767,7 @@ if( !summary.num_states ) return; - + LogMessage("+--[Pattern Matcher:Aho-Corasick Summary]----------------------\n"); LogMessage("| Alphabet Size : %d Chars\n",p->acsmAlphabetSize); LogMessage("| Sizeof State : %d bytes\n",sizeof(acstate_t)); @@ -784,17 +788,17 @@ #ifdef ACSMX_MAIN - + /* * Text Data Buffer -*/ +*/ unsigned char text[512]; -/* +/* * A Match is found -*/ +*/ int -MatchFound (unsigned id, int index, void *data) +MatchFound (unsigned id, int index, void *data) { fprintf (stdout, "%s\n", (char *) id); return 0; @@ -803,14 +807,14 @@ /* * -*/ +*/ int -main (int argc, char **argv) +main (int argc, char **argv) { int i, nocase = 0; ACSM_STRUCT * acsm; if (argc < 3) - + { fprintf (stderr, "Usage: acsmx pattern word-1 word-2 ... word-n -nocase\n"); @@ -822,7 +826,7 @@ if (strcmp (argv[i], "-nocase") == 0) nocase = 1; for (i = 2; i < argc; i++) - + { if (argv[i][0] == '-') continue; diff -Nru snort-2.9.0.1/src/sfutil/acsmx.h snort-2.9.2/src/sfutil/acsmx.h --- snort-2.9.0.1/src/sfutil/acsmx.h 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/acsmx.h 2011-02-09 15:23:35.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/sfutil/asn1.c snort-2.9.2/src/sfutil/asn1.c --- snort-2.9.0.1/src/sfutil/asn1.c 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/asn1.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file asn1.c ** @@ -32,7 +32,7 @@ ** processing. That way we don't have to worry about attackers trying ** to overload the machine stack. ** -** Handles both DER and BER encodings, and also the indefinite encoding +** Handles both DER and BER encodings, and also the indefinite encoding ** that BER supports. Lots of functionality can be added on top of ** this library. SNMP will probably be the first. ** @@ -205,7 +205,7 @@ { return ASN1_ERR_OOB; } - + } while(iExtension); return ASN1_OK; @@ -308,7 +308,7 @@ ** Decode the extended length version. Basically we read the first ** byte for the number of bytes in the extended length. We then read ** that number of bytes to determine the length. If the number of bytes -** in the length is greater than our variable, then we return +** in the length is greater than our variable, then we return ** ASN1_ERR_OVERLONG_LEN, and exit decoding. ** ** @return integer @@ -330,7 +330,7 @@ *size = 0; iBytes = (*asn1_data->data & 0x7f); - + asn1_data->data++; if(ASN1_OOB(asn1_data->start, asn1_data->end, asn1_data->data)) { @@ -357,7 +357,7 @@ if(ASN1_OOB(asn1_data->start, asn1_data->end, asn1_data->data)) { /* - ** Check to see if this was just an extended length that was zero at + ** Check to see if this was just an extended length that was zero at ** the end of the buffer. If it was, then return normal. */ if(*size == 0 && (iCtr+1) == iBytes) @@ -401,7 +401,7 @@ { case SF_BER_LEN_DEF_SHORT: len->size = *asn1_data->data; - + (asn1_data->data)++; if(ASN1_OOB(asn1_data->start, asn1_data->end, asn1_data->data)) { @@ -434,7 +434,7 @@ return ASN1_ERR_OOB; break; - + default: /* ** This should be one of the three values. So we are in 
@@ -464,7 +464,7 @@ if(!asn1) return 0; - if(asn1->ident.asn1_class == 0x00 && asn1->ident.flag == 0x00 && + if(asn1->ident.asn1_class == 0x00 && asn1->ident.flag == 0x00 && asn1->ident.tag == 0x00 && asn1->len.type == SF_BER_LEN_DEF_SHORT && asn1->len.size == 0) { @@ -528,7 +528,7 @@ return ASN1_ERR_MEM_ALLOC; } memset(*asn1_type, 0x00, sizeof(ASN1_TYPE)); - + asn1data.start = *data; asn1data.end = (*data) + *len; asn1data.data = *data; @@ -577,7 +577,7 @@ ** see if we are an eoc, so we don't have to check again. */ (*asn1_type)->data_len = 0; - + if(asn1_is_eoc(*asn1_type)) (*asn1_type)->eoc = 1; } @@ -714,7 +714,7 @@ { return iRet; } - + /* ** Check next child for ending of indefinite encodings. */ @@ -864,7 +864,7 @@ if(!index && !(cur->next) && (data < end)) { len = (end - data); - + iRet = asn1_decode_type(&data, &len, &cur->next); if(iRet) return iRet; @@ -897,7 +897,7 @@ ** @retval 1 detection function successful ** @retval 0 detection function unsuccessful */ -int asn1_traverse(ASN1_TYPE *asn1, void *user, +int asn1_traverse(ASN1_TYPE *asn1, void *user, int (*DetectFunc)(ASN1_TYPE *, void *)) { ASN1_TYPE *asnstack[ASN1_MAX_STACK]; @@ -980,8 +980,8 @@ for(iCtr = 0; iCtr < iTabs; iCtr++) printf(" "); - - printf("LEN - type: %d | size: %u\n", asn1_type->len.type, + + printf("LEN - type: %d | size: %u\n", asn1_type->len.type, asn1_type->len.size); for(iCtr = 0; iCtr < iTabs; iCtr++) @@ -1008,7 +1008,7 @@ // printf("!! BITSTRING OVERFLOW\n"); //} printf("\n"); - + if(asn1_type->cnext) asn1_print_types(asn1_type->cnext, iTabs+1); @@ -1065,7 +1065,7 @@ printf("** No valid characters in data string.\n"); return 1; } - + if(buf_size % 2) { printf("** Data must be represent in hex, meaning that there is an " @@ -1075,7 +1075,7 @@ buf_size >>= 1; - buf = (char *)calloc(1,buf_size + 1); + buf = calloc(1,buf_size + 1); if(!buf) { return 1; 
@@ -1095,11 +1095,7 @@ buf[iCtr] = 0x00; - if(asn1_init_mem(256)) - { - printf("** asn1_init_mem() failed\n"); - return 1; - } + asn1_init_mem(256); iRet = asn1_decode(buf, buf_size, &asn1_type); if(iRet && !asn1_type) diff -Nru snort-2.9.0.1/src/sfutil/asn1.h snort-2.9.2/src/sfutil/asn1.h --- snort-2.9.0.1/src/sfutil/asn1.h 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/asn1.h 2011-02-09 15:23:35.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/bitop_funcs.h snort-2.9.2/src/sfutil/bitop_funcs.h --- snort-2.9.0.1/src/sfutil/bitop_funcs.h 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/bitop_funcs.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,9 +1,9 @@ /* ** $Id$ -** +** ** bitopt_funcs.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** @@ -27,7 +27,7 @@ ** 5.23.02 - Moved bitop functions to bitop.h to inline. Norton/Roelker ** 1.21.04 - Added static initialization. Roelker ** 9.13.05 - Separated type and inline func definitions. Sturges -** +** */ #ifndef _BITOP_FUNCS_H @@ -41,7 +41,7 @@ #include "config.h" #endif -#include "debug.h" +#include "snort_debug.h" #include "bitop.h" /* @@ -58,7 +58,7 @@ ** @return 0 successful ** @return !0 failed */ -static INLINE int boInitStaticBITOP(BITOP *BitOp,int iBytes,unsigned char *buf) +static inline int boInitStaticBITOP(BITOP *BitOp,int iBytes,unsigned char *buf) { if(iBytes < 1 || !buf || !BitOp) return 1; 
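Review bot: The return value of `asn1_init_mem(256)` is no longer checked, so if that function still signals allocation failure through its return (its definition is outside this hunk), the following `asn1_decode(buf, buf_size, &asn1_type)` runs with no node pool and the harness reports a decode failure instead of the real cause. If `asn1_init_mem()` was changed to return void or to abort on failure, a one-line comment such as `/* asn1_init_mem() does not report failure here; it aborts on allocation error */` would make that explicit for the next reader; otherwise the original guard should stay. The enclosing function starts and ends outside the hunk.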
@@ -92,14 +92,14 @@ ** int - 0 if successful, 1 if failed. ** */ -static INLINE int boInitBITOP(BITOP *BitOp, int iSize) +static inline int boInitBITOP(BITOP *BitOp, int iBytes) { - int iBytes; + int iSize; /* ** Sanity check for size */ - if((iSize < 1) || (BitOp == NULL)) + if((iBytes < 1) || (BitOp == NULL)) { return 1; } @@ -114,11 +114,7 @@ return 0; } - iBytes = iSize >> 3; - if(iSize & 7) - { - iBytes++; - } + iSize = iBytes << 3; BitOp->pucBitBuffer = (unsigned char *)calloc(1, iBytes); if(BitOp->pucBitBuffer == NULL) @@ -147,7 +143,7 @@ ** int - 0 if successful, 1 if failed. ** */ -static INLINE int boResetBITOP(BITOP *BitOp) +static inline int boResetBITOP(BITOP *BitOp) { if (BitOp == NULL) return 1; @@ -171,7 +167,7 @@ ** int - 0 if successful, 1 if failed. ** */ -static INLINE int boSetAllBits(BITOP *BitOp) +static inline int boSetAllBits(BITOP *BitOp) { if (BitOp == NULL) return 1; @@ -196,7 +192,7 @@ ** int - 0 if the bit was set, 1 if there was an error. ** */ -static INLINE int boSetBit(BITOP *BitOp, unsigned int uiPos) +static inline int boSetBit(BITOP *BitOp, unsigned int uiPos) { unsigned char mask; @@ -228,7 +224,7 @@ ** int - 0 if bit not set, 1 if bit is set. ** */ -static INLINE int boIsBitSet(BITOP *BitOp, unsigned int uiPos) +static inline int boIsBitSet(BITOP *BitOp, unsigned int uiPos) { unsigned char mask; @@ -259,7 +255,7 @@ ** int - 0 if the bit was cleared, 1 if there was an error. ** */ -static INLINE void boClearBit(BITOP *BitOp, unsigned int uiPos) +static inline void boClearBit(BITOP *BitOp, unsigned int uiPos) { unsigned char mask; @@ -290,7 +286,7 @@ ** int - 0 if the byte was cleared, 1 if there was an error. ** */ -static INLINE void boClearByte(BITOP *BitOp, unsigned int uiPos) +static inline void boClearByte(BITOP *BitOp, unsigned int uiPos) { /* ** Sanity Check while clearing bytes 
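Review bot: `iSize = iBytes << 3;` can overflow a signed int for large `iBytes`, and the sanity check above it only rejects values below 1; since `iSize` presumably becomes the stored bit count (that assignment is outside the hunk), a bound such as `if((iBytes < 1) || (iBytes > INT_MAX / 8) || (BitOp == NULL))` (with `<limits.h>`) keeps the bit count representable. The parameter also changed meaning from a bit count to a byte count, so the header comment above `boInitBITOP` (outside the hunk) needs to describe `iBytes` as the buffer size in bytes, and any caller still passing a bit count would now allocate far more than intended. The function starts in the first hunk and ends outside the second.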
@@ -320,7 +316,7 @@ ** void function ** **/ -static INLINE void boFreeBITOP(BITOP *BitOp) +static inline void boFreeBITOP(BITOP *BitOp) { if((BitOp == NULL) || (BitOp->pucBitBuffer == NULL)) return; diff -Nru snort-2.9.0.1/src/sfutil/bitop.h snort-2.9.2/src/sfutil/bitop.h --- snort-2.9.0.1/src/sfutil/bitop.h 2010-01-26 10:10:22.000000000 -0800 +++ snort-2.9.2/src/sfutil/bitop.h 2011-02-09 15:23:35.000000000 -0800 @@ -3,7 +3,7 @@ ** ** bitopt.c ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Dan Roelker <droelker@sourcefire.com> ** Marc Norton <mnorton@sourcefire.com> ** diff -Nru snort-2.9.0.1/src/sfutil/bnfa_search.c snort-2.9.2/src/sfutil/bnfa_search.c --- snort-2.9.0.1/src/sfutil/bnfa_search.c 2010-01-26 10:10:23.000000000 -0800 +++ snort-2.9.2/src/sfutil/bnfa_search.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** bnfa_search.c +** bnfa_search.c ** ** Basic multi-pattern search engine using Aho-Corasick NFA construction. ** @@ -8,14 +8,14 @@ ** author: marc norton ** date: started 12/21/05 ** -** Copyright (C) 2005-2010 Sourcefire, Inc. -** +** Copyright (C) 2005-2011 Sourcefire, Inc. +** ** General Design -** Aho-Corasick based NFA state machine. +** Aho-Corasick based NFA state machine. ** Compacted sparse storage mode for better performance. ** Up to 16 Million states + transitions (combined) in compacted sparse mode. ** -** ** Compacted sparse array storage ** +** ** Compacted sparse array storage ** ** ** The primary data is held in one array. ** The patterns themselves are stored separately. @@ -24,7 +24,7 @@ ** ** word 1 : state ( only low 24 bits are used ) ** word 2 : control word = cb << 24 | fs -** cb: control byte +** cb: control byte ** cb = mb | fb | nt ** mb : 8th bit - if set state has matching patterns bit ** fb : 7th bit - if set full storage array bit (256 entries used), 
@@ -38,27 +38,27 @@ ** ...repeat for each state ... ** ** * if a state is empty it has words 1 and 2, but no transition words. -** +** ** Construction: ** ** Patterns are added to a list based trie. ** The list based trie is compiled into a list based NFA with failure states. -** The list based NFA is converted to full or sparse format NFA. +** The list based NFA is converted to full or sparse format NFA. ** The Zero'th state sparse transitions may be stored in full format for ** performance. ** Sparse transition arrays are searched using linear and binary search ** strategies depending on the number of entries to search through in ** each state. -** The state machine in sparse mode is compacted into a single vector for +** The state machine in sparse mode is compacted into a single vector for ** better performance. -** +** ** Notes: -** +** ** The NFA can require twice the state transitions that a DFA uses. However, ** the construction of a DFA generates many additional transitions in each -** state which consumes significant additional memory. This particular -** implementation is best suited to environments where the very large memory -** requirements of a full state table implementation is not possible and/or +** state which consumes significant additional memory. This particular +** implementation is best suited to environments where the very large memory +** requirements of a full state table implementation is not possible and/or ** the speed trade off is warranted to maintain a small memory footprint. ** ** Each state of an NFA usually has very few transitions but can have up to 
@@ -93,26 +93,26 @@ ** bnfaAddPattern(bnfa,..); add a pattern to the state machine ** bnfaCompile (bnfa,..) compile the state machine ** bnfaPrintInfo(bnfa); print memory usage and state info -** bnfaPrint(bnfa); print the state machine in total +** bnfaPrint(bnfa); print the state machine in total ** state=bnfaSearch(bnfa, ...,state); search a data buffer for a pattern match ** bnfaFree (bnfa); free the bnfa ** ** ** Reference - Efficient String matching: An Aid to Bibliographic Search ** Alfred V Aho and Margaret J Corasick -** Bell Labratories +** Bell Labratories ** Copyright(C) 1975 Association for Computing Machinery,Inc ** ** 12/4/06 - man - modified summary ** 6/26/07 - man - Added last_match tracking, and accounted for nocase/case by -** preseting the last match state, and reverting if we fail the +** preseting the last match state, and reverting if we fail the ** case memcmp test for any rule in the states matching rule ** list. The states in the defaul matcher represent either ** case or nocase states, so they are dual mode, that makes ** this a bit tricky. When we sue the pure exact match, or ** pure don't care matching routines, we just track the last ** state, and never need to revert. This only tracks the -** single repeated states and repeated data. +** single repeated states and repeated data. ** 01/2008 - man - added 2 phase pattern matcher using a pattern match queue. ** Text is scanned and matching states are queued, duplicate ** matches are dropped, and after the complete buffer scan the @@ -121,7 +121,7 @@ ** queue is limited in size and is flushed if it becomes full ** during the scan. This allows simple insertions. Tracking ** queue ops is optional, as this can impose a modest -** performance hit of a few percent. +** performance hit of a few percent. ** ** LICENSE (GPL) ** 
@@ -140,13 +140,19 @@ ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ** -*/ +*/ #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" + #define BNFA_TRACK_Q #ifdef BNFA_TRACK_Q @@ -154,7 +160,7 @@ #endif #include "bnfa_search.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" /* @@ -165,18 +171,18 @@ #define printf LogMessage /* -* Case Translation Table - his guarantees we use +* Case Translation Table - his guarantees we use * indexed lookups for case conversion -*/ -static +*/ +static unsigned char xlatcase[BNFA_MAX_ALPHABET_SIZE]; static -void init_xlatcase(void) +void init_xlatcase(void) { int i; static int first=1; - if( !first ) + if( !first ) return; for(i=0; i<BNFA_MAX_ALPHABET_SIZE; i++) @@ -189,7 +195,7 @@ /* * Custom memory allocator -*/ +*/ static void * bnfa_alloc( int n, int * m ) { @@ -224,7 +230,7 @@ /* * simple queue node -*/ +*/ typedef struct _qnode { unsigned state; @@ -233,7 +239,7 @@ QNODE; /* * simple fifo queue structure -*/ +*/ typedef struct _queue { QNODE * head, *tail; @@ -243,9 +249,9 @@ QUEUE; /* * Initialize the fifo queue -*/ +*/ static -void queue_init (QUEUE * s) +void queue_init (QUEUE * s) { s->head = s->tail = 0; s->count= 0; @@ -253,9 +259,9 @@ } /* * Add items to tail of queue (fifo) -*/ +*/ static -int queue_add (QUEUE * s, int state) +int queue_add (QUEUE * s, int state) { QNODE * q; if (!s->head) @@ -274,7 +280,7 @@ s->tail = q; } s->count++; - + if( s->count > s->maxcnt ) s->maxcnt = s->count; @@ -282,9 +288,9 @@ } /* * Remove items from head of queue (fifo) -*/ -static -int queue_remove (QUEUE * s) +*/ +static +int queue_remove (QUEUE * s) { int state = 0; QNODE * q; 
@@ -306,17 +312,17 @@ } /* * Return count of items in the queue -*/ -static -int queue_count (QUEUE * s) +*/ +static +int queue_count (QUEUE * s) { return s->count; } /* * Free the queue -*/ +*/ static -void queue_free (QUEUE * s) +void queue_free (QUEUE * s) { while (queue_count (s)) { @@ -327,13 +333,13 @@ /* * Get next state from transition list */ -static +static int _bnfa_list_get_next_state( bnfa_struct_t * bnfa, int state, int input ) { if ( state == 0 ) /* Full set of states always */ { bnfa_state_t * p = (bnfa_state_t*)bnfa->bnfaTransTable[0]; - if(!p) + if(!p) { return 0; } @@ -357,7 +363,7 @@ /* * Put next state - head insertion, and transition updates */ -static +static int _bnfa_list_put_next_state( bnfa_struct_t * bnfa, int state, int input, int next_state ) { if( state >= bnfa->bnfaMaxStates ) @@ -372,15 +378,15 @@ if( state == 0 ) { - bnfa_state_t * p; + bnfa_state_t * p; p = (bnfa_state_t*)bnfa->bnfaTransTable[0]; if( !p ) { p = (bnfa_state_t*)BNFA_MALLOC(sizeof(bnfa_state_t)*bnfa->bnfaAlphabetSize,bnfa->list_memory); - if( !p ) + if( !p ) { - return -1; + return -1; } bnfa->bnfaTransTable[0] = (bnfa_trans_node_t*)p; @@ -404,7 +410,7 @@ if( p->key == (unsigned)input ) /* transition already exists- reset the next state */ { p->next_state = next_state; - return 0; + return 0; } p=p->next; } @@ -413,25 +419,25 @@ tnew = (bnfa_trans_node_t*)BNFA_MALLOC(sizeof(bnfa_trans_node_t),bnfa->list_memory); if( !tnew ) { - return -1; + return -1; } tnew->key = input; tnew->next_state = next_state; tnew->next = bnfa->bnfaTransTable[state]; - bnfa->bnfaTransTable[state] = tnew; + bnfa->bnfaTransTable[state] = tnew; } bnfa->bnfaNumTrans++; - return 0; + return 0; } /* -* Free the entire transition list table +* Free the entire transition list table */ -static +static int _bnfa_list_free_table( bnfa_struct_t * bnfa ) { int i; 
@@ -445,14 +451,14 @@ } for(i=1; i<bnfa->bnfaMaxStates; i++) - { + { t = bnfa->bnfaTransTable[i]; while( t ) { p = t; t = t->next; - BNFA_FREE(p,sizeof(bnfa_trans_node_t),bnfa->list_memory); + BNFA_FREE(p,sizeof(bnfa_trans_node_t),bnfa->list_memory); } } @@ -511,7 +517,7 @@ /* * Print the transition list table to stdout */ -static +static int _bnfa_list_print_table( bnfa_struct_t * bnfa ) { int i; @@ -527,7 +533,7 @@ printf("Print Transition Table- %d active states\n",bnfa->bnfaNumStates); for(i=0;i< bnfa->bnfaNumStates;i++) - { + { printf("state %3d: ",i); if( i == 0 ) @@ -550,7 +556,7 @@ { t = bnfa->bnfaTransTable[i]; while( t ) - { + { if( isascii((int)t->key) && isprint((int)t->key) ) printf("%3c->%-5d\t",t->key,t->next_state); else @@ -573,8 +579,8 @@ #endif /* * Converts a single row of states from list format to a full format -*/ -static +*/ +static int _bnfa_list_conv_row_to_full(bnfa_struct_t * bnfa, bnfa_state_t state, bnfa_state_t * full ) { if( (int)state >= bnfa->bnfaMaxStates ) /* protects 'full' against overflow */ @@ -594,11 +600,11 @@ else { int tcnt = 0; - + bnfa_trans_node_t * t = bnfa->bnfaTransTable[ state ]; memset(full,0,sizeof(bnfa_state_t)*bnfa->bnfaAlphabetSize); - + if( !t ) { return 0; @@ -619,8 +625,8 @@ * unless Exact has been specified, in which case all patterns * are assumed to be case specific. */ -static -int _bnfa_add_pattern_states (bnfa_struct_t * bnfa, bnfa_pattern_t * p) +static +int _bnfa_add_pattern_states (bnfa_struct_t * bnfa, bnfa_pattern_t * p) { int state, next, n; unsigned char * pattern; @@ -630,9 +636,9 @@ pattern = p->casepatrn; state = 0; - /* + /* * Match up pattern with existing states - */ + */ for (; n > 0; pattern++, n--) { if( bnfa->bnfaCaseMode == BNFA_CASE ) 
@@ -646,13 +652,13 @@ } state = next; } - + /* * Add new states for the rest of the pattern bytes, 1 state per byte, uppercase - */ + */ for (; n > 0; pattern++, n--) { - bnfa->bnfaNumStates++; + bnfa->bnfaNumStates++; if( bnfa->bnfaCaseMode == BNFA_CASE ) { @@ -693,7 +699,7 @@ if ( state == 0 ) /* Full set of states always */ { bnfa_state_t * p = (bnfa_state_t*)bnfa->bnfaTransTable[0]; - if(!p) + if(!p) { return 0; } @@ -715,19 +721,19 @@ } #endif static /* used only by KcontainsJ() */ -int +int _bnfa_conv_node_to_full(bnfa_trans_node_t *t, bnfa_state_t * full ) { int tcnt = 0; - + memset(full,0,sizeof(bnfa_state_t)*BNFA_MAX_ALPHABET_SIZE); - + if( !t ) { return 0; } - while(t && (t->key < BNFA_MAX_ALPHABET_SIZE ) ) + while(t && (t->key < BNFA_MAX_ALPHABET_SIZE ) ) { full[ t->key ] = t->next_state; tcnt++; @@ -740,12 +746,12 @@ * test if all of tj transitions are in tk */ #ifdef XXXX -static +static int KcontainsJx(bnfa_trans_node_t * tk, bnfa_trans_node_t *tj ) { bnfa_trans_node_t *t; int found; - + while( tj ) { found=0; @@ -759,25 +765,25 @@ } if( !found ) return 0; - + tj=tj->next; /* get next tj key */ } return 1; } #endif -static +static int KcontainsJ(bnfa_trans_node_t * tk, bnfa_trans_node_t *tj ) { bnfa_state_t full[BNFA_MAX_ALPHABET_SIZE]; - + if( !_bnfa_conv_node_to_full(tk,full) ) return 1; /* emtpy state */ - + while( tj ) { if( !full[tj->key] ) return 0; - + tj=tj->next; /* get next tj key */ } return 1; @@ -788,13 +794,13 @@ * check if a fail state is a subset of the current state, * if so recurse to the next fail state, and so on. */ -static -int _bnfa_opt_nfa (bnfa_struct_t * bnfa) +static +int _bnfa_opt_nfa (bnfa_struct_t * bnfa) { int cnt=0; int k, fs, fr; bnfa_state_t * FailState = bnfa->bnfaFailState; - + for(k=2;k<bnfa->bnfaNumStates;k++) { fr = fs = FailState[k]; @@ -802,7 +808,7 @@ { fs = FailState[fs]; } - if( fr != fs ) + if( fr != fs ) { cnt++; FailState[ k ] = fs; 
@@ -817,9 +823,9 @@ /* * Build a non-deterministic finite automata using Aho-Corasick construction * The keyword trie must already be built via _bnfa_add_pattern_states() -*/ -static -int _bnfa_build_nfa (bnfa_struct_t * bnfa) +*/ +static +int _bnfa_build_nfa (bnfa_struct_t * bnfa) { int r, s, i; QUEUE q, *queue = &q; @@ -827,35 +833,35 @@ bnfa_match_node_t ** MatchList = bnfa->bnfaMatchList; bnfa_match_node_t * mlist; bnfa_match_node_t * px; - - /* Init a Queue */ + + /* Init a Queue */ queue_init (queue); - - /* Add the state 0 transitions 1st, - * the states at depth 1, fail to state 0 - */ + + /* Add the state 0 transitions 1st, + * the states at depth 1, fail to state 0 + */ for (i = 0; i < bnfa->bnfaAlphabetSize; i++) { - /* note that state zero deos not fail, - * it just returns 0..nstates-1 + /* note that state zero deos not fail, + * it just returns 0..nstates-1 */ - s = _bnfa_list_get_next_state(bnfa,0,i); + s = _bnfa_list_get_next_state(bnfa,0,i); if( s ) /* don't bother adding state zero */ { - if( queue_add (queue, s) ) + if( queue_add (queue, s) ) { return -1; } FailState[s] = 0; } } - + /* Build the fail state successive layer of transitions */ while (queue_count (queue) > 0) { r = queue_remove (queue); - - /* Find Final States for any Failure */ + + /* Find Final States for any Failure */ for(i = 0; i<bnfa->bnfaAlphabetSize; i++) { int fs, next; 
@@ -864,31 +870,31 @@ if( s == (int)BNFA_FAIL_STATE ) continue; - - if( queue_add (queue, s) ) + + if( queue_add (queue, s) ) { return -1; } - + fs = FailState[r]; - /* - * Locate the next valid state for 'i' starting at fs - */ + /* + * Locate the next valid state for 'i' starting at fs + */ while( (next=_bnfa_list_get_next_state(bnfa,fs,i)) == (int)BNFA_FAIL_STATE ) { fs = FailState[fs]; } - + /* * Update 's' state failure state to point to the next valid state - */ + */ FailState[s] = next; - + /* - * Copy 'next'states MatchList into 's' states MatchList, + * Copy 'next'states MatchList into 's' states MatchList, * we just create a new list nodes, the patterns are not copied. - */ + */ for( mlist = MatchList[next];mlist;mlist = mlist->next) { /* Dup the node, don't copy the data */ @@ -898,15 +904,15 @@ return 0; } - px->data = mlist->data; - + px->data = mlist->data; + px->next = MatchList[s]; /* insert at head */ - + MatchList[s] = px; } } } - + /* Clean up the queue */ queue_free (queue); @@ -921,8 +927,8 @@ /* * Conver state machine to full format */ -static -int _bnfa_conv_list_to_full(bnfa_struct_t * bnfa) +static +int _bnfa_conv_list_to_full(bnfa_struct_t * bnfa) { int k; bnfa_state_t * p; @@ -952,16 +958,16 @@ * For each state we use a state-word followed by the transition list for * the state sw(state 0 )...tl(state 0) sw(state 1)...tl(state1) sw(state2)... * tl(state2) .... -* +* * The transition and failure states are replaced with the start index of * transition state, this eliminates the NextState[] lookup.... * * The compaction of multiple arays into a single array reduces the total * number of states that can be handled since the max index is 2^24-1, -* whereas without compaction we had 2^24-1 states. +* whereas without compaction we had 2^24-1 states. */ -static -int _bnfa_conv_list_to_csparse_array(bnfa_struct_t * bnfa) +static +int _bnfa_conv_list_to_csparse_array(bnfa_struct_t * bnfa) { int m, k, i, nc; bnfa_state_t state; 
@@ -972,7 +978,7 @@ unsigned nps; bnfa_state_t full[BNFA_MAX_ALPHABET_SIZE]; - + /* count total state transitions, account for state and control words */ nps = 0; for(k=0;k<bnfa->bnfaNumStates;k++) @@ -989,7 +995,7 @@ if( state != 0 ) { nc++; - } + } } /* add in transition count */ @@ -1005,7 +1011,7 @@ if( state != 0 ) { nps++; - } + } } } } @@ -1021,24 +1027,24 @@ Alloc The Transition List - we need an array of bnfa_state_t items of size 'nps' */ ps = BNFA_MALLOC( nps*sizeof(bnfa_state_t),bnfa->nextstate_memory); - if( !ps ) + if( !ps ) { /* Fatal */ return -1; } bnfa->bnfaTransList = ps; - - /* - State Index list for pi - we need an array of bnfa_state_t items of size 'NumStates' + + /* + State Index list for pi - we need an array of bnfa_state_t items of size 'NumStates' */ pi = BNFA_MALLOC( bnfa->bnfaNumStates*sizeof(bnfa_state_t),bnfa->nextstate_memory); - if( !pi ) + if( !pi ) { /* Fatal */ return -1; } - /* + /* Build the Transition List Array */ for(k=0;k<bnfa->bnfaNumStates;k++) @@ -1046,7 +1052,7 @@ pi[k] = ps_index; /* save index of start of state 'k' */ ps[ ps_index ] = k; /* save the state were in as the 1st word */ - + ps_index++; /* skip past state word */ /* conver state 'k' to full format */ @@ -1060,11 +1066,11 @@ if( state != 0 ) { nc++; - } + } } /* add a full state or a sparse state */ - if( (k == 0 && bnfa->bnfaForceFullZeroState) || + if( (k == 0 && bnfa->bnfaForceFullZeroState) || nc > BNFA_SPARSE_MAX_ROW_TRANSITIONS ) { /* set the control word */ @@ -1074,7 +1080,7 @@ { ps[ps_index] |= BNFA_SPARSE_MATCH_BIT; } - ps_index++; + ps_index++; /* copy the transitions */ _bnfa_list_conv_row_to_full(bnfa, (bnfa_state_t)k, &ps[ps_index] ); 
@@ -1107,14 +1113,14 @@ } /* sanity check we have not overflowed our buffer */ - if( ps_index > nps ) + if( ps_index > nps ) { /* Fatal */ return -1; } - /* - Replace Transition states with Transition Indices. + /* + Replace Transition states with Transition Indices. This allows us to skip using NextState[] to locate the next state This limits us to <16M transitions due to 24 bit state sizes, and the fact we have now converted next-state fields to next-index fields in this array, @@ -1136,15 +1142,15 @@ if( ps[ps_index] & BNFA_SPARSE_FULL_BIT ) { /* Do the fail-state */ - ps[ps_index] = ( ps[ps_index] & 0xff000000 ) | - ( pi[ ps[ps_index] & BNFA_SPARSE_MAX_STATE ] ) ; + ps[ps_index] = ( ps[ps_index] & 0xff000000 ) | + ( pi[ ps[ps_index] & BNFA_SPARSE_MAX_STATE ] ) ; ps_index++; /* Do the transition-states */ for(i=0;i<BNFA_MAX_ALPHABET_SIZE;i++) { - ps[ps_index] = ( ps[ps_index] & 0xff000000 ) | - ( pi[ ps[ps_index] & BNFA_SPARSE_MAX_STATE ] ) ; + ps[ps_index] = ( ps[ps_index] & 0xff000000 ) | + ( pi[ ps[ps_index] & BNFA_SPARSE_MAX_STATE ] ) ; ps_index++; } } @@ -1153,10 +1159,10 @@ else { nc = (ps[ps_index] & BNFA_SPARSE_COUNT_BITS)>>BNFA_SPARSE_COUNT_SHIFT; - + /* Do the cw = [cb | fail-state] */ ps[ps_index] = ( ps[ps_index] & 0xff000000 ) | - ( pi[ ps[ps_index] & BNFA_SPARSE_MAX_STATE ] ); + ( pi[ ps[ps_index] & BNFA_SPARSE_MAX_STATE ] ); ps_index++; /* Do the transition-states */ @@ -1185,7 +1191,7 @@ /* * Print the state machine - rather verbose */ -void bnfaPrint(bnfa_struct_t * bnfa) +void bnfaPrint(bnfa_struct_t * bnfa) { int k; bnfa_match_node_t ** MatchList = bnfa->bnfaMatchList; @@ -1193,10 +1199,10 @@ int ps_index=0; bnfa_state_t * ps=0; - if( !bnfa ) + if( !bnfa ) return; - - if( !bnfa->bnfaNumStates ) + + if( !bnfa->bnfaNumStates ) return; if( bnfa->bnfaFormat ==BNFA_SPARSE ) 
@@ -1213,8 +1219,8 @@ printf("Print NFA-FULL state machine : %d active states\n", bnfa->bnfaNumStates); } #endif - - + + for(k=0;k<bnfa->bnfaNumStates;k++) { printf(" state %-4d fmt=%d ",k,bnfa->bnfaFormat); @@ -1222,11 +1228,11 @@ if( bnfa->bnfaFormat == BNFA_SPARSE ) { unsigned i,cw,fs,nt,fb,mb; - + ps_index++; /* skip state number */ cw = ps[ps_index]; /* control word */ - fb = (cw & BNFA_SPARSE_FULL_BIT)>>BNFA_SPARSE_VALUE_SHIFT; /* full storage bit */ + fb = (cw & BNFA_SPARSE_FULL_BIT)>>BNFA_SPARSE_VALUE_SHIFT; /* full storage bit */ mb = (cw & BNFA_SPARSE_MATCH_BIT)>>BNFA_SPARSE_VALUE_SHIFT; /* matching state bit */ nt = (cw & BNFA_SPARSE_COUNT_BITS)>>BNFA_SPARSE_VALUE_SHIFT;/* number of transitions 0-63 */ fs = (cw & BNFA_SPARSE_MAX_STATE)>>BNFA_SPARSE_VALUE_SHIFT; /* fail state */ @@ -1240,7 +1246,7 @@ printf(" nt=%-3d : ",bnfa->bnfaAlphabetSize); for( i=0; i<(unsigned)bnfa->bnfaAlphabetSize; i++, ps_index++ ) - { + { if( ps[ps_index] == 0 ) continue; if( isascii((int)i) && isprint((int)i) ) @@ -1248,13 +1254,13 @@ else printf("%3d->%-6d\t",i,ps[ps_index]); } - } + } else { printf(" nt=%-3d : ",nt); for( i=0; i<nt; i++, ps_index++ ) - { + { if( isascii(ps[ps_index]>>BNFA_SPARSE_VALUE_SHIFT) && isprint(ps[ps_index]>>BNFA_SPARSE_VALUE_SHIFT) ) printf("%3c->%-6d\t",ps[ps_index]>>BNFA_SPARSE_VALUE_SHIFT,ps[ps_index] & BNFA_SPARSE_MAX_STATE); @@ -1264,15 +1270,15 @@ } } #ifdef ALLOW_NFA_FULL - else if( bnfa->bnfaFormat == BNFA_FULL ) + else if( bnfa->bnfaFormat == BNFA_FULL ) { int i; bnfa_state_t state; - bnfa_state_t * p; + bnfa_state_t * p; bnfa_state_t ** NextState; NextState = (bnfa_state_t **)bnfa->bnfaNextState; - if( !NextState ) + if( !NextState ) continue; p = NextState[k]; 
@@ -1312,18 +1318,18 @@ /* * Create a new AC state machine -*/ +*/ bnfa_struct_t * bnfaNew(void (*userfree)(void *p), void (*optiontreefree)(void **p), void (*neg_list_free)(void **p)) { bnfa_struct_t * p; int bnfa_memory=0; - + init_xlatcase (); p = (bnfa_struct_t *) BNFA_MALLOC(sizeof(bnfa_struct_t),bnfa_memory); - if(!p) + if(!p) return 0; if( p ) @@ -1338,7 +1344,7 @@ p->optiontreefree = optiontreefree; p->neg_list_free = neg_list_free; } - + queue_memory = 0; return p; } @@ -1350,15 +1356,15 @@ void bnfaSetCase(bnfa_struct_t * p, int flag) { - if( flag == BNFA_PER_PAT_CASE ) p->bnfaCaseMode = flag; - if( flag == BNFA_CASE ) p->bnfaCaseMode = flag; - if( flag == BNFA_NOCASE ) p->bnfaCaseMode = flag; + if( flag == BNFA_PER_PAT_CASE ) p->bnfaCaseMode = flag; + if( flag == BNFA_CASE ) p->bnfaCaseMode = flag; + if( flag == BNFA_NOCASE ) p->bnfaCaseMode = flag; } /* -* Fee all memory -*/ -void bnfaFree (bnfa_struct_t * bnfa) +* Fee all memory +*/ +void bnfaFree (bnfa_struct_t * bnfa) { int i; bnfa_pattern_t * patrn, *ipatrn; @@ -1421,10 +1427,10 @@ /* * Add a pattern to the pattern list -*/ +*/ int -bnfaAddPattern (bnfa_struct_t * p, - unsigned char *pat, +bnfaAddPattern (bnfa_struct_t * p, + unsigned char *pat, int n, int nocase, int negative, @@ -1437,14 +1443,14 @@ plist->casepatrn = (unsigned char *)BNFA_MALLOC(n,p->pat_memory ); if(!plist->casepatrn) return -1; - + memcpy (plist->casepatrn, pat, n); plist->n = n; plist->nocase = nocase; plist->negative = negative; plist->userdata = userdata; - + plist->next = p->bnfaPatterns; /* insert at front of list */ p->bnfaPatterns = plist; @@ -1454,8 +1460,8 @@ } /* -* Compile the patterns into an nfa state machine -*/ +* Compile the patterns into an nfa state machine +*/ int bnfaCompile (bnfa_struct_t * bnfa, int (*build_tree)(void * id, void **existing_tree), 
@@ -1468,7 +1474,7 @@ queue_memory =0; - /* Count number of states */ + /* Count number of states */ for(plist = bnfa->bnfaPatterns; plist != NULL; plist = plist->next) { bnfa->bnfaMaxStates += plist->n; @@ -1489,7 +1495,7 @@ return -1; } - /* Add each Pattern to the State Table - This forms a keyword trie using lists */ + /* Add each Pattern to the State Table - This forms a keyword trie using lists */ bnfa->bnfaNumStates = 0; for (plist = bnfa->bnfaPatterns; plist != NULL; plist = plist->next) { @@ -1510,12 +1516,12 @@ { return -1; } - + memcpy(bnfa->bnfaMatchList,tmpMatchList,sizeof(void*) * bnfa->bnfaNumStates); - + BNFA_FREE(tmpMatchList,sizeof(void*) * bnfa->bnfaMaxStates,bnfa->matchlist_memory); - -#ifdef MATCH_LIST_CNT + +#ifdef MATCH_LIST_CNT bnfa->bnfaMatchListCnt=(unsigned*)calloc(sizeof(unsigned) * bnfa->bnfaNumStates); if(!bnfa->bnfaMatchListCnt) { @@ -1534,15 +1540,15 @@ { /* Alloc a state transition table - only need NumStates */ bnfa->bnfaNextState=(bnfa_state_t**)BNFA_MALLOC(sizeof(bnfa_state_t*) * bnfa->bnfaNumStates,bnfa->nextstate_memory); - if(!bnfa->bnfaNextState) + if(!bnfa->bnfaNextState) { return -1; } } #endif - + /* Build the nfa w/failure states - time the nfa construction */ - if( _bnfa_build_nfa (bnfa) ) + if( _bnfa_build_nfa (bnfa) ) { return -1; } @@ -1572,7 +1578,7 @@ } /* Free up the Table Of Transition Lists */ - _bnfa_list_free_table( bnfa ); + _bnfa_list_free_table( bnfa ); /* Count states with Pattern Matches */ cntMatchStates=0; @@ -1601,11 +1607,11 @@ * Full Matrix Format Search */ static -INLINE -unsigned +inline +unsigned _bnfa_search_full_nfa( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, bnfa_state_t state, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, bnfa_state_t state, int *current_state ) { unsigned char * Tend; unsigned char * T; 
@@ -1621,10 +1627,10 @@ int res; unsigned last_match=LAST_STATE_INIT; unsigned last_match_saved=LAST_STATE_INIT; - + T = Tx; Tend = T + n; - + for( ; T < Tend; T++ ) { Tchar = xlatcase[ *T ]; @@ -1647,13 +1653,18 @@ { if( state == last_match ) continue; - + last_match_saved=last_match; last_match = state; - + { mlist = MatchList[state]; - patrn = (bnfa_pattern_t*)mlist->data; + if (!mlist) + { + continue; + } + patrn = (bnfa_pattern_t*)mlist->data; + index = T - Tx - patrn->n + 1; nfound++; /* Don't do anything specific for case sensitive patterns and not, * since that will be covered by the rule tree itself. Each tree @@ -1662,7 +1673,7 @@ res = Match (patrn->userdata, mlist->rule_option_tree, index, data, mlist->neg_list); if ( res > 0 ) { - *current_state = sindex; + *current_state = state; return nfound; } else if( res < 0 ) @@ -1678,11 +1689,11 @@ * Full Matrix Format Search - Exact matching patterns only */ static -INLINE -unsigned +inline +unsigned _bnfa_search_full_nfa_case( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, bnfa_state_t state, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, bnfa_state_t state, int *current_state ) { unsigned char * Tend; unsigned char * T; @@ -1698,10 +1709,10 @@ unsigned last_match=LAST_STATE_INIT; unsigned last_match_saved=LAST_STATE_INIT; int res; - + T = Tx; Tend = T + n; - + for( ; T < Tend; T++ ) { Tchar = *T ; @@ -1724,13 +1735,18 @@ { if( state == last_match ) continue; - + last_match_saved=last_match; last_match = state; - + { mlist = MatchList[state]; - patrn = (bnfa_pattern_t*)mlist->data; + if (!mlist) + { + continue; + } + patrn = (bnfa_pattern_t*)mlist->data; + index = T - Tx - patrn->n + 1; nfound++; /* Don't do anything specific for case (in)sensitive patterns * since that will be covered by the rule tree itself. Each 
@@ -1739,7 +1755,7 @@ res = Match (patrn->userdata, mlist->rule_option_tree, index, data, mlist->neg_list); if ( res > 0 ) { - *current_state = sindex; + *current_state = state; return nfound; } else if( res < 0 ) @@ -1755,11 +1771,11 @@ * Full Matrix Format Search - no case */ static -INLINE -unsigned +inline +unsigned _bnfa_search_full_nfa_nocase( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, bnfa_state_t state, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, bnfa_state_t state, int *current_state ) { unsigned char * Tend; unsigned char * T; @@ -1778,7 +1794,7 @@ T = Tx; Tend = T + n; - + for( ; T < Tend; T++ ) { Tchar = xlatcase[ *T ]; @@ -1801,14 +1817,18 @@ { if( state == last_match ) continue; - + last_match_saved=last_match; last_match = state; - + { mlist = MatchList[state]; - patrn = (bnfa_pattern_t*)mlist->data; - nfound++; + if (!mlist) + { + continue; + } + patrn = (bnfa_pattern_t*)mlist->data; + index = T - Tx - patrn->n + 1; /* Don't do anything specific for case sensitive patterns and not, * since that will be covered by the rule tree itself. Each tree * might have both case sensitive & case insensitive patterns. @@ -1816,7 +1836,7 @@ res = Match (patrn->userdata, mlist->rule_option_tree, index, data, mlist->neg_list); if ( res > 0 ) { - *current_state = sindex; + *current_state = state; return nfound; } else if( res < 0 ) @@ -1837,14 +1857,14 @@ data must be in sorted order in the array. return: = -1 => not found - >= 0 => index of element 'val' + >= 0 => index of element 'val' notes: val is tested against the high 8 bits of the 'a' array entry, this is particular to the storage format we are using. */ static -INLINE +inline int _bnfa_binearch( bnfa_state_t * a, int a_len, int val ) { int m, l, r; 
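Review bot: In hunk `@@ -1801,14 +1817,18 @@` the nocase variant removes `nfound++;` together with the old `patrn` assignment and does not reinstate it, whereas `_bnfa_search_full_nfa` and `_bnfa_search_full_nfa_case` keep `nfound++;` right after the new `index = ...` line; the next hunk still does `return nfound;` on a positive `Match` result, so unless the counter is bumped on a line outside the hunk this variant now returns 0 even when `Match` reported a hit. Restore the line after `index = T - Tx - patrn->n + 1;`: `nfound++;`. `_bnfa_search_full_nfa_nocase` starts and ends outside this hunk.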
@@ -1871,7 +1891,7 @@ else /* val > c */ { - l = m + 1; + l = m + 1; } } return -1; @@ -1887,16 +1907,16 @@ * mb : bit 8 set if match state, zero otherwise * fb : bit 7 set if using full format, zero otherwise * nt : number of transitions 0..63 (more than 63 requires full format) -* fs: failure-transition-state +* fs: failure-transition-state * word 3+: byte-value(0-255) << 24 | transition-state */ static -INLINE -unsigned +inline +unsigned _bnfa_get_next_state_csparse_nfa_qx(bnfa_state_t * pcx, unsigned sindex, unsigned input) { int k; - int nc; + int nc; int index; register bnfa_state_t * pcs; @@ -1905,14 +1925,14 @@ pcs = pcx + sindex + 1; /* skip state-id == 1st word */ if( pcs[0] & BNFA_SPARSE_FULL_BIT ) - { + { if( sindex == 0 ) { - return pcs[1+input] & BNFA_SPARSE_MAX_STATE; + return pcs[1+input] & BNFA_SPARSE_MAX_STATE; } else { - if( pcs[1+input] & BNFA_SPARSE_MAX_STATE ) + if( pcs[1+input] & BNFA_SPARSE_MAX_STATE ) return pcs[1+input] & BNFA_SPARSE_MAX_STATE; } } @@ -1931,8 +1951,8 @@ else { /* linear search... */ - for( k=0; k<nc; k++ ) - { + for( k=0; k<nc; k++ ) + { if( (pcs[k+1]>>BNFA_SPARSE_VALUE_SHIFT) == input ) { return pcs[k+1] & BNFA_SPARSE_MAX_STATE; @@ -1942,7 +1962,7 @@ } return 0; /* no transition keyword match failed */ - } + } } /* @@ -1955,16 +1975,16 @@ * mb : bit 8 set if match state, zero otherwise * fb : bit 7 set if using full format, zero otherwise * nt : number of transitions 0..63 (more than 63 requires full format) -* fs: failure-transition-state +* fs: failure-transition-state * word 3+: byte-value(0-255) << 24 | transition-state */ static -INLINE -unsigned +inline +unsigned _bnfa_get_next_state_csparse_nfa(bnfa_state_t * pcx, unsigned sindex, unsigned input) { int k; - int nc; + int nc; int index; register bnfa_state_t * pcs; 
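Review bot: Hunk `@@ -1887,16 +1907,16 @@`, like every other `INLINE` → `inline` hunk in this file, replaces what looks like a portability macro with the bare C99 keyword; that is only safe if every supported compiler accepts `inline` or a header included before this point defines it for the ones that do not (the old macro presumably existed for that reason). If `config.h` or another shared header provides such a fallback, a short note near the first use would make that explicit. Separately, `pcs[1+input]` is read twice in the `sindex != 0` branch of hunk `@@ -1905,14 +1925,14 @@`; caching it once, `bnfa_state_t next = pcs[1+input] & BNFA_SPARSE_MAX_STATE;`, reads better and makes the two branches symmetric. The function's failure-state handling continues outside the hunk.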
@@ -1973,14 +1993,14 @@ pcs = pcx + sindex + 1; /* skip state-id == 1st word */ if( pcs[0] & BNFA_SPARSE_FULL_BIT ) - { + { if( sindex == 0 ) { - return pcs[1+input] & BNFA_SPARSE_MAX_STATE; + return pcs[1+input] & BNFA_SPARSE_MAX_STATE; } else { - if( pcs[1+input] & BNFA_SPARSE_MAX_STATE ) + if( pcs[1+input] & BNFA_SPARSE_MAX_STATE ) return pcs[1+input] & BNFA_SPARSE_MAX_STATE; } } @@ -1999,8 +2019,8 @@ else { /* linear search... */ - for( k=0; k<nc; k++ ) - { + for( k=0; k<nc; k++ ) + { if( (pcs[k+1]>>BNFA_SPARSE_VALUE_SHIFT) == input ) { return pcs[k+1] & BNFA_SPARSE_MAX_STATE; @@ -2011,7 +2031,7 @@ /* no transition found ... get the failure state and try again */ sindex = pcs[0] & BNFA_SPARSE_MAX_STATE; - } + } } /* @@ -2036,16 +2056,16 @@ #endif } static -INLINE -void +inline +void _init_queue(bnfa_struct_t * b) { b->inq=0; b->inq_flush=0; } /* uniquely insert into q, should splay elements for performance */ -static -INLINE +static +inline int _add_queue(bnfa_struct_t* b, bnfa_match_node_t * p ) { @@ -2058,7 +2078,7 @@ for(i=(int)(b->inq)-1;i>=0;i--) if( p == b->q[i] ) return 0; - + #ifdef BNFA_TRACK_Q snort_conf->tot_inq_uinserts++; #endif @@ -2080,11 +2100,11 @@ } static -INLINE +inline unsigned -_process_queue( bnfa_struct_t * bnfa, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data ) +_process_queue( bnfa_struct_t * bnfa, + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data ) { bnfa_match_node_t * mlist; bnfa_pattern_t * patrn; @@ -2092,10 +2112,10 @@ unsigned int i; #ifdef BNFA_TRACK_Q - if( bnfa->inq > snort_conf->max_inq ) + if( bnfa->inq > snort_conf->max_inq ) snort_conf->max_inq = bnfa->inq; snort_conf->tot_inq_flush += bnfa->inq_flush; -#endif +#endif for( i=0; i<bnfa->inq; i++ ) { 
@@ -2117,29 +2137,29 @@ } static -INLINE +inline unsigned _bnfa_search_csparse_nfa_qx(bnfa_struct_t * bnfa, unsigned char *T, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data ) { bnfa_match_node_t * mlist; unsigned char * Tend; bnfa_match_node_t ** MatchList = bnfa->bnfaMatchList; bnfa_state_t * transList = bnfa->bnfaTransList; unsigned sindex=0; - + Tend = T + n; for(; T<Tend; T++) { /* Transition to next state index */ sindex = _bnfa_get_next_state_csparse_nfa_qx(transList,sindex,xlatcase[*T]); - + /* Log matches in this state - if any */ if( sindex ) { - if( transList[sindex+1] & BNFA_SPARSE_MATCH_BIT ) + if( transList[sindex+1] & BNFA_SPARSE_MATCH_BIT ) { mlist = MatchList[ transList[sindex] ]; if( mlist ) @@ -2163,11 +2183,11 @@ } static -INLINE +inline unsigned _bnfa_search_csparse_nfa_q( bnfa_struct_t * bnfa, unsigned char *T, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, unsigned sindex, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, unsigned sindex, int *current_state ) { bnfa_match_node_t * mlist; unsigned char * Tend; @@ -2176,7 +2196,7 @@ unsigned last_sindex; Tend = T + n; - + _init_queue(bnfa); for(; T<Tend; T++) @@ -2192,7 +2212,7 @@ /* Test for same as last state */ if( sindex == last_sindex ) continue; - + mlist = MatchList[ transList[sindex] ]; if( mlist ) { @@ -2209,7 +2229,7 @@ } *current_state = sindex; - return _process_queue( bnfa, Match, data ); + return _process_queue( bnfa, Match, data ); } /* 
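Review bot: `last_sindex` in hunk `@@ -2176,7 +2196,7 @@` of `_bnfa_search_csparse_nfa_q` is declared without an initializer, and hunk `@@ -2192,7 +2212,7 @@` compares `sindex == last_sindex` on every loop iteration; the lines between the two hunks are not shown, so please confirm it is assigned before the first comparison, otherwise the first iteration reads an indeterminate value. The sibling searches initialize their tracker with `unsigned last_match=LAST_STATE_INIT;`, so `unsigned last_sindex = LAST_STATE_INIT;` would be the consistent and safe form either way. The function starts and ends outside these hunks.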
@@ -2219,11 +2239,11 @@ * note: index is not used by snort, so it's commented */ static -INLINE +inline unsigned _bnfa_search_csparse_nfa( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, unsigned sindex, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, unsigned sindex, int *current_state ) { bnfa_match_node_t * mlist; unsigned char * Tend; @@ -2262,7 +2282,7 @@ #ifdef MATCH_LIST_CNT if( MatchList[ transList[sindex] ] ) MatchTestCnt[ transList[index] ]++; -#endif +#endif { mlist = MatchList[ transList[sindex] ]; @@ -2294,11 +2314,11 @@ * note: index is not used by snort, so it's commented */ static -INLINE +inline unsigned _bnfa_search_csparse_nfa_case( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, unsigned sindex, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, unsigned sindex, int *current_state ) { bnfa_match_node_t * mlist; unsigned char * Tend; @@ -2314,7 +2334,7 @@ T = Tx; Tend = T + n; - + for(; T<Tend; T++) { /* Transition to next state index */ @@ -2325,10 +2345,10 @@ { if( sindex == last_match ) continue; - + last_match_saved = last_match; last_match = sindex; - + { mlist = MatchList[ transList[sindex] ]; patrn = (bnfa_pattern_t*)mlist->data; 
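Review bot: Hunk `@@ -2325,10 +2345,10 @@` in `_bnfa_search_csparse_nfa_case` still dereferences `mlist->data` immediately after `mlist = MatchList[ transList[sindex] ];`, while the three full-matrix searches in this same commit gained an `if (!mlist) { continue; }` guard in exactly that position; the nocase sparse variant (hunk `@@ -2393,10 +2413,10 @@`) has the same shape. Whether a NULL entry can be reached here depends on how the match bit and `bnfaMatchList` are built, which is outside the hunk, but the queued sparse searches above already test `if( mlist )`, so this unguarded pair is the odd one out. Separately, the `#ifdef MATCH_LIST_CNT` line in hunk `@@ -2262,7 +2282,7 @@` indexes `MatchTestCnt[ transList[index] ]` where the neighbouring lines use `transList[sindex]`, which looks like a typo in disabled code. The enclosing functions start and end outside their hunks.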
@@ -2359,11 +2379,11 @@ * note: index is not used by snort, so it's commented */ static -INLINE +inline unsigned _bnfa_search_csparse_nfa_nocase( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), - void *data, unsigned sindex, int *current_state ) + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + void *data, unsigned sindex, int *current_state ) { bnfa_match_node_t * mlist; unsigned char * Tend; @@ -2377,10 +2397,10 @@ unsigned last_match=LAST_STATE_INIT; unsigned last_match_saved=LAST_STATE_INIT; int res; - + T = Tx; Tend = T + n; - + for(; T<Tend; T++) { Tchar = xlatcase[ *T ]; @@ -2393,10 +2413,10 @@ { if( sindex == last_match ) continue; - + last_match_saved = last_match; last_match = sindex; - + { mlist = MatchList[ transList[sindex] ]; patrn = (bnfa_pattern_t*)mlist->data; 
@@ -2427,23 +2447,23 @@ * * bnfa - state machine * Tx - text buffer to search -* n - number of bytes in Tx +* n - number of bytes in Tx * Match - function to call when a match is found * data - user supplied data that is passed to the Match function * sindex - state tracker, set value to zero to reset the state machine, * zero should be the value passed in on the 1st buffer or each buffer -* that is to be analyzed on its own, the state machine updates this -* during searches. This allows for sequential buffer searchs without -* reseting the state machine. Save this value as returned from the +* that is to be analyzed on its own, the state machine updates this +* during searches. This allows for sequential buffer searchs without +* reseting the state machine. Save this value as returned from the * previous search for the next search. * -* returns +* returns * The state or sindex of the state machine. This can than be passed back -* in on the next search, if desired. +* in on the next search, if desired. */ -unsigned +unsigned bnfaSearchX( bnfa_struct_t * bnfa, unsigned char *T, int n, - int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), + int (*Match)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list), void *data, unsigned sindex, int* current_state ) { int ret; @@ -2456,15 +2476,15 @@ if( ret ) return 0; } - return _process_queue( bnfa, Match, data ); + return _process_queue( bnfa, Match, data ); } -unsigned +unsigned bnfaSearch( bnfa_struct_t * bnfa, unsigned char *Tx, int n, - int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), + int (*Match)(void * id, void *tree, int index, void *data, void *neg_list), void *data, unsigned sindex, int* current_state ) { - int ret = 0; + int ret = 0; /***** This should be tested before we use it *******/ /* 
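Review bot: The header comment re-touched in hunk `@@ -2427,23 +2447,23 @@` still says `bnfaSearchX` returns "The state or sindex of the state machine", but the visible body returns `0` when the inner search returns non-zero and otherwise the value of `_process_queue( bnfa, Match, data )`, with the state going out through `current_state`; since the commit rewrites these comment lines anyway, the return description should be corrected, e.g. `* returns: 0 if the underlying search returned non-zero, else the result of _process_queue(); the resume state is stored in *current_state`. The same lines also carry the typos "searchs" and "reseting". `bnfaSearchX` starts outside the hunk.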
@@ -2481,26 +2501,26 @@ { if (bnfa->bnfaMethod) { - ret = _bnfa_search_csparse_nfa( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } else { - ret = _bnfa_search_csparse_nfa_q( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa_q( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } } else if( bnfa->bnfaCaseMode == BNFA_CASE ) { - ret = _bnfa_search_csparse_nfa_case( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa_case( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } else /* NOCASE */ { - ret = _bnfa_search_csparse_nfa_nocase( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa_nocase( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } @@ -2509,19 +2529,19 @@ { if( bnfa->bnfaCaseMode == BNFA_PER_PAT_CASE ) { - ret = _bnfa_search_full_nfa( bnfa, Tx, n, + ret = _bnfa_search_full_nfa( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, (bnfa_state_t) sindex, current_state ); } else if( bnfa->bnfaCaseMode == BNFA_CASE ) { - ret = _bnfa_search_full_nfa_case( bnfa, Tx, n, + ret = _bnfa_search_full_nfa_case( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, (bnfa_state_t) sindex, current_state ); } else { - ret = _bnfa_search_full_nfa_nocase( bnfa, Tx, n, + ret = _bnfa_search_full_nfa_nocase( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, (bnfa_state_t) sindex, current_state ); } 
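Review bot: Every call in hunks `@@ -2481,26 +2501,26 @@`, `@@ -2509,19 +2529,19 @@` and the repeat in `@@ -2531,26 +2551,26 @@` casts `Match` from `int (*)(void * id, ...)` to `int (*)(bnfa_pattern_t * id, ...)`, and the inner searches then call through the converted pointer, which C leaves undefined for incompatible function types (in practice the calling convention is identical, but newer GCC's `-Wcast-function-type` flags exactly this). The inner searches pass `patrn->userdata` as that first argument, so declaring their `Match` parameter with `void * id`, matching `bnfaSearch`, would make every cast disappear (assuming `userdata` is a `void *`, which is outside the hunk). The dispatch tree is also pasted twice with identical bodies; a single switch on method and case mode, run after whatever distinguishes the two outer branches is decided, would halve it. `bnfaSearch` starts and ends outside these hunks.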
@@ -2531,26 +2551,26 @@ { if (bnfa->bnfaMethod) { - ret = _bnfa_search_csparse_nfa( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } else { - ret = _bnfa_search_csparse_nfa_q( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa_q( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } } else if( bnfa->bnfaCaseMode == BNFA_CASE ) { - ret = _bnfa_search_csparse_nfa_case( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa_case( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } else/* NOCASE */ { - ret = _bnfa_search_csparse_nfa_nocase( bnfa, Tx, n, + ret = _bnfa_search_csparse_nfa_nocase( bnfa, Tx, n, (int (*)(bnfa_pattern_t * id, void *tree, int index, void *data, void *neg_list)) Match, data, sindex, current_state ); } @@ -2580,7 +2600,7 @@ { return; } - max_memory = p->bnfa_memory + p->pat_memory + p->list_memory + + max_memory = p->bnfa_memory + p->pat_memory + p->list_memory + p->matchlist_memory + p->failstate_memory + p->nextstate_memory; if( text && summary_cnt ) @@ -2646,7 +2666,7 @@ px->failstate_memory += p->failstate_memory; } -#ifdef MATCH_LIST_CNT +#ifdef MATCH_LIST_CNT void bnfaPrintMatchListCnt( bnfa_struct_t * p ) { unsigned * cnt = p->bnfaMatchListCnt; @@ -2670,6 +2690,6 @@ printf("\n"); fflush(stdout); } - } -} + } +} #endif diff -Nru snort-2.9.0.1/src/sfutil/bnfa_search.h snort-2.9.2/src/sfutil/bnfa_search.h --- snort-2.9.0.1/src/sfutil/bnfa_search.h 2010-01-26 10:10:23.000000000 -0800 +++ snort-2.9.2/src/sfutil/bnfa_search.h 2011-02-09 15:23:36.000000000 -0800 
@@ -8,7 +8,7 @@ ** ** author: marc norton ** date: 12/21/05 -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** ** LICENSE (GPL) ** diff -Nru snort-2.9.0.1/src/sfutil/getopt.h snort-2.9.2/src/sfutil/getopt.h --- snort-2.9.0.1/src/sfutil/getopt.h 2010-01-26 10:10:23.000000000 -0800 +++ snort-2.9.2/src/sfutil/getopt.h 2011-02-09 15:23:36.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/sfutil/intel-soft-cpm.c snort-2.9.2/src/sfutil/intel-soft-cpm.c --- snort-2.9.0.1/src/sfutil/intel-soft-cpm.c 2010-08-25 13:22:48.000000000 -0700 +++ snort-2.9.2/src/sfutil/intel-soft-cpm.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -21,10 +21,15 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "intel-soft-cpm.h" #include "pm/cpa_pm_compile.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "fpcreate.h" /* MACROS *********************************************************************/ 
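Review bot: In the `intel-soft-cpm.c` hunk `@@ -21,10 +21,15 @@` the new `#include "config.h"` lands after `<stdio.h>`, `<stdlib.h>` and `<string.h>`; any feature-test or large-file macros that configure writes into config.h only take effect if it is seen before the first system header, so the guarded include should be moved above them (assuming nothing earlier in the file already includes it, which the hunk does not show): `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` as the first include group.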
@@ -83,16 +88,16 @@ /* PROTOTYPES *****************************************************************/ -static INLINE const char * GetCpaStatusStr(CpaStatus); +static inline const char * GetCpaStatusStr(CpaStatus); static void IntelPmSearchCallback(const CpaInstanceHandle, CpaPmMatchCtx *); -static INLINE void IntelPmInitQueue(IntelPmMatchQueue *); -static INLINE int IntelPmAddQueue(IntelPmMatchQueue *, void *); -static INLINE unsigned int IntelPmProcessQueue(IntelPmMatchQueue *, MatchFunc, void *); +static inline void IntelPmInitQueue(IntelPmMatchQueue *); +static inline int IntelPmAddQueue(IntelPmMatchQueue *, void *); +static inline unsigned int IntelPmProcessQueue(IntelPmMatchQueue *, MatchFunc, void *); static void IntelPmRelease(IntelPmHandles *); /* FUNCTIONS ******************************************************************/ -static INLINE const char * GetCpaStatusStr(CpaStatus status) +static inline const char * GetCpaStatusStr(CpaStatus status) { switch (status) { @@ -115,13 +120,13 @@ return "Unknown Cpa error"; } -static INLINE void IntelPmInitQueue(IntelPmMatchQueue *q) +static inline void IntelPmInitQueue(IntelPmMatchQueue *q) { q->inq = 0; q->inq_flush = 0; } -static INLINE int IntelPmAddQueue(IntelPmMatchQueue *q, void *p) +static inline int IntelPmAddQueue(IntelPmMatchQueue *q, void *p) { int i; @@ -140,7 +145,7 @@ return 0; } -static INLINE unsigned int IntelPmProcessQueue(IntelPmMatchQueue *q, +static inline unsigned int IntelPmProcessQueue(IntelPmMatchQueue *q, MatchFunc match, void *data) { unsigned int i; @@ -158,7 +163,7 @@ } } - q->inq = 0; + q->inq = 0; return 0; } @@ -547,7 +552,7 @@ for (i = 0; i < pMatchCtxList->numMatchResults; i++) { CpaPmMatchResult *result = &pMatchCtxList->pMatchResult[i]; - + //intel_pm_matches++; if (result->matchLength == 0) 
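Review bot: Hunk `@@ -547,7 +552,7 @@`, apparently inside `IntelPmSearchCallback`, re-touches the line next to the commented-out `//intel_pm_matches++;` but leaves the dead statement in place; commented-out code should be deleted or turned into a real counter behind an existing debug macro. In the same file, hunk `@@ -140,7 +145,7 @@` shows `IntelPmProcessQueue` ending with `q->inq = 0; return 0;` although it is declared `unsigned int`; if no other return exists in the part of the body outside the hunk, the return value is meaningless and a comment saying what callers may rely on would help. Both functions start outside their hunks.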
@@ -579,7 +584,7 @@ ipm->data = data; ipm->match = match; - /* Note: Search options + /* Note: Search options CPA_PM_MATCH_OPTION_RESET_STREAM | CPA_PM_MATCH_OPTION_END_OF_STREAM specify a stateless search. */ diff -Nru snort-2.9.0.1/src/sfutil/intel-soft-cpm.h snort-2.9.2/src/sfutil/intel-soft-cpm.h --- snort-2.9.0.1/src/sfutil/intel-soft-cpm.h 2010-06-09 15:50:09.000000000 -0700 +++ snort-2.9.2/src/sfutil/intel-soft-cpm.h 2011-06-07 17:33:20.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -24,7 +24,7 @@ #include "cpa.h" #include "pm/cpa_pm.h" #include "cpa_types.h" -#include "debug.h" +#include "snort_debug.h" /* DATA TYPES *****************************************************************/ diff -Nru snort-2.9.0.1/src/sfutil/ipobj.c snort-2.9.2/src/sfutil/ipobj.c --- snort-2.9.0.1/src/sfutil/ipobj.c 2010-01-26 10:10:23.000000000 -0800 +++ snort-2.9.2/src/sfutil/ipobj.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* ipobj.c @@ -50,6 +50,7 @@ #include "ipobj.h" #include "util.h" +#include "snort_bounds.h" #ifndef SUP_IP6 
@@ -95,17 +96,17 @@ if( p->family == IPV4_FAMILY ) { if( ip4_sprintx( s, slen, p->ip ) ) - return -1; + return -1; return 0; - } + } else if( p->family == IPV6_FAMILY ) { if( ip6_sprintx( s, slen, p->ip ) ) - return -1; + return -1; return 0; - } + } return -1; } @@ -225,12 +226,12 @@ if( ia->family == IPV4_FAMILY ) { - if( memcmp(ip,ia->ip,IPV4_LEN) == 0 ) + if( memcmp(ip,ia->ip,IPV4_LEN) == 0 ) return 1; } else if( ia->family == IPV6_FAMILY ) { - if( memcmp(ip,ia->ip,IPV6_LEN) == 0 ) + if( memcmp(ip,ia->ip,IPV6_LEN) == 0 ) return 1; } return 0; @@ -246,12 +247,12 @@ if( ia->family == IPV4_FAMILY ) { - if( memcmp(ib->ip,ia->ip,IPV4_LEN) == 0 ) + if( memcmp(ib->ip,ia->ip,IPV4_LEN) == 0 ) return 1; } else if( ia->family == IPV6_FAMILY ) { - if( memcmp(ib->ip,ia->ip,IPV6_LEN) == 0 ) + if( memcmp(ib->ip,ia->ip,IPV6_LEN) == 0 ) return 1; } return 0; @@ -274,7 +275,7 @@ These can all be handled via the CIDR block notation : IP/MaskBits We use collections (lists) of cidr blocks to represent address blocks - and indivdual addresses. + and indivdual addresses. For a single IPAddress the implied Mask is 32 bits,or 255.255.255.255, or 0xffffffff, or -1. @@ -307,7 +308,7 @@ if (ipc) { - IP_PORT *p = (IP_PORT *) sflist_first(&ipc->ip_list); + IP_PORT *p = (IP_PORT *) sflist_first(&ipc->ip_list); while ( p ) { sflist_static_free_all(&p->portset.port_list, free); @@ -352,7 +353,7 @@ portu = 0; - for(p =(IP_PORT*)sflist_first( &ipc->ip_list ); + for(p =(IP_PORT*)sflist_first( &ipc->ip_list ); p!=0; p =(IP_PORT*)sflist_next( &ipc->ip_list ) ) { @@ -362,7 +363,7 @@ pr != 0; pr=(PORTRANGE*)sflist_next(&p->portset.port_list) ) { - /* + /* * If the matching IP has a wildcard port (pr->port_hi == 0 ) * or if the ports actually match. */ 
@@ -398,7 +399,7 @@ SnortSnprintf(ip_str, 80, "%s", sfip_to_str(&p->ip)); printf("CIDR BLOCK: %c%s", p->notflag ? '!' : ' ', ip_str); - + for( pr=(PORTRANGE*)sflist_first(&p->portset.port_list); pr != 0; pr=(PORTRANGE*)sflist_next(&p->portset.port_list) ) @@ -417,7 +418,7 @@ { if( ipc ) { - ipc->family = IPV4_FAMILY; + ipc->family = IPV4_FAMILY; sflist_init( &ipc->cidr_list ); } } @@ -426,7 +427,7 @@ { if( ipc ) { - ipc->family = IPV6_FAMILY; + ipc->family = IPV6_FAMILY; sflist_init( &ipc->cidr_list ); } } @@ -490,7 +491,7 @@ { if( ipc->family == IPV4_FAMILY ) { - CIDRBLOCK *p = (CIDRBLOCK *) sflist_first(&ipc->cidr_list); + CIDRBLOCK *p = (CIDRBLOCK *) sflist_first(&ipc->cidr_list); while ( p ) { sflist_static_free_all(&p->portset.port_list, free); @@ -499,7 +500,7 @@ } else if( ipc->family == IPV6_FAMILY ) { - CIDRBLOCK6 *p = (CIDRBLOCK6 *) sflist_first(&ipc->cidr_list); + CIDRBLOCK6 *p = (CIDRBLOCK6 *) sflist_first(&ipc->cidr_list); while ( p ) { sflist_static_free_all(&p->portset.port_list, free); @@ -513,10 +514,10 @@ int ipset_family( IPSET * ipset ) { - return ipset->family; + return ipset->family; } -/* - The user must know what kind of address he's adding, +/* + The user must know what kind of address he's adding, and the family of the IPSET */ int ipset_add( IPSET * ipc, void * vip, void * vmask, void *vport, int notflag , int family ) @@ -593,7 +594,7 @@ CIDRBLOCK * p; unsigned * ipu = (unsigned*)ip; - for(p =(CIDRBLOCK*)sflist_first( &ipc->cidr_list ); + for(p =(CIDRBLOCK*)sflist_first( &ipc->cidr_list ); p!=0; p =(CIDRBLOCK*)sflist_next( &ipc->cidr_list ) ) { @@ -603,7 +604,7 @@ pr != 0; pr=(PORTRANGE*)sflist_next(&p->portset.port_list) ) { - /* + /* * If the matching IP has a wildcard port (pr->port_hi == 0 ) or * if the ports actually match. */ 
@@ -628,7 +629,7 @@ for(p = (CIDRBLOCK6*)sflist_first( &ipc->cidr_list ); p!= 0; p = (CIDRBLOCK6*)sflist_next( &ipc->cidr_list ) ) - { + { mip[0] = (unsigned short)(p->mask[0] & ips[0]); mip[1] = (unsigned short)(p->mask[1] & ips[1]); mip[2] = (unsigned short)(p->mask[2] & ips[2]); @@ -644,14 +645,14 @@ pr != 0; pr=(PORTRANGE*)sflist_next(&p->portset.port_list) ) { - /* + /* * If the caller wants to match any port (portu == 0) or * if the matching IP has a wildcard port (pr->port_hi == 0 ) or * if the ports actually match. */ if ( portu == 0 || pr->port_hi == 0 || (portu >= pr->port_lo && portu <= pr->port_hi) ) - { + { if( p->notflag ) return 0; return 1; @@ -716,7 +717,7 @@ if( p->notflag ) printf("CIDR BLOCK: !%s / %s", ip_str,mask_str); else - printf("CIDR BLOCK: %s / %s", ip_str,mask_str); + printf("CIDR BLOCK: %s / %s", ip_str,mask_str); for( pr=(PORTRANGE*)sflist_first(&p->portset.port_list); pr != 0; pr=(PORTRANGE*)sflist_next(&p->portset.port_list) ) @@ -737,7 +738,7 @@ static void portset_init( PORTSET * portset ) -{ +{ sflist_init(&portset->port_list); } @@ -913,7 +914,7 @@ return 0; } -int ipset_parse(IPSET *ipset, char *ipstr) +int ipset_parse(IPSET *ipset, char *ipstr) { char *copy, *startIP, *endIP; int parse_count = 0; @@ -979,7 +980,7 @@ free(copy); if (!parse_count) - return -7; + return -7; if (open_bracket) return -8; @@ -1065,7 +1066,7 @@ return -2; } - port_hi = port_lo = atoi(port1); + port_hi = port_lo = atoi(port1); } /* check to see if port is out of range */ 
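Review bot: Hunk `@@ -1065,7 +1066,7 @@` re-touches `port_hi = port_lo = atoi(port1);`, which returns 0 for any non-numeric token and gives no way to tell that apart from a literal `0`; elsewhere in this file `pr->port_hi == 0` means "wildcard port", so a mistyped port in a rule list would silently widen to every port instead of failing to parse (the range check announced by the following comment is outside the hunk, so I cannot tell whether it catches this). `strtol` with an end-pointer check is the usual fix: `char *end; long v = strtol(port1, &end, 10); if (end == port1 || *end != '\0') return -2;` (reusing whichever error code the preceding branch returns), then assign `port_hi = port_lo = (int)v;`. The enclosing parser starts outside the hunk.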
@@ -1104,15 +1105,15 @@ return 0; } -/** - * Break an IP4 Address down into its components - * +/** + * Break an IP4 Address down into its components + * * @param ipstr string to parse * @param use network order for return values (defaults to host order) * @param not_flag return value if the ip is negated * @param host ipv4 host argument * @param mask ipv4 mask argument - * + * * @return 0 on sucess, else failure parsing the address * @retval -3 \0 encountered prematurely * @retval -2 strdup failed @@ -1127,7 +1128,7 @@ struct in_addr addrstuff; char *end_s_copy; - if(!ipstr || !not_flag || !host || !mask) + if(!ipstr || !not_flag || !host || !mask) return -1; @@ -1251,7 +1252,7 @@ else { *host = ntohl(addrstuff.s_addr); - } + } if(maskptr) { @@ -1306,7 +1307,7 @@ else { *mask = ntohl(addrstuff.s_addr); - } + } } else { @@ -1334,7 +1335,7 @@ } if(portptr) - { + { while (isspace((int)(*portptr))) portptr++; @@ -1361,14 +1362,14 @@ if(network_order) { *mask = htonl(*mask); - *host = htonl(*host); + *host = htonl(*host); } free(saved); return 0; } -int ipset_parse(IPSET *ipset, char *ipstr) +int ipset_parse(IPSET *ipset, char *ipstr) { char *copy, *startIP, *endIP; int parse_count = 0; @@ -1392,7 +1393,7 @@ while (startIP) { - while (isspace((int)*startIP) || (*startIP == '[') ) + while (isspace((int)*startIP) || (*startIP == '[') ) { startIP++; } @@ -1432,7 +1433,7 @@ free(copy); if (!parse_count) - return -7; + return -7; return 0; } @@ -1447,7 +1448,7 @@ #define srand srandom #endif -#define MAXIP 100 +#define MAXIP 100 #include "sflsq.c" @@ -1457,7 +1458,7 @@ PORTSET portset; char **curip; int ret; - IPADDRESS *adp; + IPADDRESS *adp; char *ips[] = { "138.26.1.24:25", "1.1.1.1/255.255.255.0:444", 
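Review bot: Hunks `@@ -1334,7 +1335,7 @@` and `@@ -1392,7 +1393,7 @@` re-touch `isspace((int)(*portptr))` and `isspace((int)*startIP)`, which pass a plain `char` to a `<ctype.h>` function; where `char` is signed, a byte of 0x80 or above becomes a negative argument, which is undefined for `isspace`. The correct cast goes through `unsigned char`: `while (isspace((unsigned char)*portptr))` and `while (isspace((unsigned char)*startIP) || (*startIP == '['))`. Both parsers start outside their hunks.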
@@ -1480,8 +1481,8 @@ fprintf(stderr, "Unable to parse %s with ret %d\n", curip[0], ret); } else - { - printf("%c", not_flag ? '!' : ' '); + { + printf("%c", not_flag ? '!' : ' '); printf("%s/", inet_ntoa(*(struct in_addr *) &host)); printf("%s", inet_ntoa(*(struct in_addr *) &mask)); printf(" parsed successfully!\n"); @@ -1498,7 +1499,7 @@ ip_set(adp, &host, IPV4_FAMILY); ip_fprint(stdout, adp); fprintf(stdout, "*****************\n"); - ip_free(adp); + ip_free(adp); } } @@ -1520,7 +1521,7 @@ "z/24", "0/0", "0.0.0.0/0.0.0.0", - "0.0.0.0/0.0.2.0", + "0.0.0.0/0.0.2.0", NULL }; for(curip = ips; curip[0] != NULL; curip++) @@ -1576,7 +1577,7 @@ { ipa[i]= ip_new(IPV6_FAMILY); - for(k=0;k<8;k++) ipaddress6[k] = (char) (rand() % (1<<16)); + for(k=0;k<8;k++) ipaddress6[k] = (char) (rand() % (1<<16)); ip_set( ipa[i], ipaddress6, IPV6_FAMILY ); @@ -1639,7 +1640,7 @@ } else { - for(k=0;k<8;k++) ipaddress6[k] = (char) (rand() % (1<<16)); + for(k=0;k<8;k++) ipaddress6[k] = (char) (rand() % (1<<16)); for(k=0;k<8;k++) mask6[k] = 0xffff; diff -Nru snort-2.9.0.1/src/sfutil/ipobj.h snort-2.9.2/src/sfutil/ipobj.h --- snort-2.9.0.1/src/sfutil/ipobj.h 2010-01-26 10:10:23.000000000 -0800 +++ snort-2.9.2/src/sfutil/ipobj.h 2011-02-09 15:23:36.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/Makefile.am snort-2.9.2/src/sfutil/Makefile.am --- snort-2.9.0.1/src/sfutil/Makefile.am 2010-09-27 08:28:15.000000000 -0700 +++ snort-2.9.2/src/sfutil/Makefile.am 2011-12-07 09:58:23.000000000 -0800 
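Review bot: Hunks `@@ -1576,7 +1577,7 @@` and `@@ -1639,7 +1640,7 @@` in the self-test re-touch `ipaddress6[k] = (char) (rand() % (1<<16));`, which truncates a 16-bit random value to 8 bits (and sign-extends it where `char` is signed) before storing it; the neighbouring `mask6[k] = 0xffff;` suggests these arrays hold 16-bit words, so the test never exercises the high byte of any IPv6 word. Dropping the narrowing cast, `ipaddress6[k] = (unsigned short) (rand() % (1<<16));`, would cover the full range, provided `ipaddress6` is declared as a 16-bit array (its declaration is outside the hunk). The test `main` starts outside these hunks.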
@@ -25,10 +25,14 @@ util_net.c util_net.h \ util_str.c util_str.h \ util_utf.c util_utf.h \ + util_jsnorm.c util_jsnorm.h \ + util_unfold.c util_unfold.h \ asn1.c asn1.h \ sfeventq.c sfeventq.h \ sfsnprintfappend.c sfsnprintfappend.h \ sfrt.c sfrt.h sfrt_trie.h sfrt_dir.c sfrt_dir.h \ + sfrt_flat.c sfrt_flat.h sfrt_flat_dir.c sfrt_flat_dir.h \ + segment_mem.c segment_mem.h \ sfportobject.c sfportobject.h \ sfrim.c sfrim.h \ sfprimetable.c sfprimetable.h \ @@ -42,8 +46,10 @@ sfActionQueue.c sfActionQueue.h \ sfrf.c sfrf.h \ strvec.c strvec.h \ + sf_email_attach_decode.c sf_email_attach_decode.h \ sf_base64decode.c sf_base64decode.h \ Unified2_common.h \ $(INTEL_SOFT_CPM_SOURCES) INCLUDES = @INCLUDES@ + diff -Nru snort-2.9.0.1/src/sfutil/Makefile.in snort-2.9.2/src/sfutil/Makefile.in --- snort-2.9.0.1/src/sfutil/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/sfutil/Makefile.in 2011-12-07 11:23:22.000000000 -0800 
@@ -56,16 +56,19 @@ sfksearch.c sfksearch.h bnfa_search.c bnfa_search.h mpse.c \ mpse.h bitop.h bitop_funcs.h util_math.c util_math.h \ util_net.c util_net.h util_str.c util_str.h util_utf.c \ - util_utf.h asn1.c asn1.h sfeventq.c sfeventq.h \ + util_utf.h util_jsnorm.c util_jsnorm.h util_unfold.c \ + util_unfold.h asn1.c asn1.h sfeventq.c sfeventq.h \ sfsnprintfappend.c sfsnprintfappend.h sfrt.c sfrt.h \ - sfrt_trie.h sfrt_dir.c sfrt_dir.h sfportobject.c \ - sfportobject.h sfrim.c sfrim.h sfprimetable.c sfprimetable.h \ - sf_ip.c sf_ip.h sf_ipvar.c sf_ipvar.h sf_vartable.c \ - sf_vartable.h sf_iph.c sf_iph.h sf_textlog.c sf_textlog.h \ - sfPolicy.c sfPolicy.h sfPolicyUserData.c sfPolicyUserData.h \ - sfActionQueue.c sfActionQueue.h sfrf.c sfrf.h strvec.c \ - strvec.h sf_base64decode.c sf_base64decode.h Unified2_common.h \ - intel-soft-cpm.c intel-soft-cpm.h + sfrt_trie.h sfrt_dir.c sfrt_dir.h sfrt_flat.c sfrt_flat.h \ + sfrt_flat_dir.c sfrt_flat_dir.h segment_mem.c segment_mem.h \ + sfportobject.c sfportobject.h sfrim.c sfrim.h sfprimetable.c \ + sfprimetable.h sf_ip.c sf_ip.h sf_ipvar.c sf_ipvar.h \ + sf_vartable.c sf_vartable.h sf_iph.c sf_iph.h sf_textlog.c \ + sf_textlog.h sfPolicy.c sfPolicy.h sfPolicyUserData.c \ + sfPolicyUserData.h sfActionQueue.c sfActionQueue.h sfrf.c \ + sfrf.h strvec.c strvec.h sf_email_attach_decode.c \ + sf_email_attach_decode.h sf_base64decode.c sf_base64decode.h \ + Unified2_common.h intel-soft-cpm.c intel-soft-cpm.h @HAVE_INTEL_SOFT_CPM_TRUE@am__objects_1 = intel-soft-cpm.$(OBJEXT) am_libsfutil_a_OBJECTS = sfghash.$(OBJEXT) sfhashfcn.$(OBJEXT) \ sflsq.$(OBJEXT) sfmemcap.$(OBJEXT) sfthd.$(OBJEXT) \ 
@@ -73,13 +76,15 @@ acsmx.$(OBJEXT) acsmx2.$(OBJEXT) sfksearch.$(OBJEXT) \ bnfa_search.$(OBJEXT) mpse.$(OBJEXT) util_math.$(OBJEXT) \ util_net.$(OBJEXT) util_str.$(OBJEXT) util_utf.$(OBJEXT) \ - asn1.$(OBJEXT) sfeventq.$(OBJEXT) sfsnprintfappend.$(OBJEXT) \ - sfrt.$(OBJEXT) sfrt_dir.$(OBJEXT) sfportobject.$(OBJEXT) \ - sfrim.$(OBJEXT) sfprimetable.$(OBJEXT) sf_ip.$(OBJEXT) \ - sf_ipvar.$(OBJEXT) sf_vartable.$(OBJEXT) sf_iph.$(OBJEXT) \ - sf_textlog.$(OBJEXT) sfPolicy.$(OBJEXT) \ - sfPolicyUserData.$(OBJEXT) sfActionQueue.$(OBJEXT) \ - sfrf.$(OBJEXT) strvec.$(OBJEXT) sf_base64decode.$(OBJEXT) \ + util_jsnorm.$(OBJEXT) util_unfold.$(OBJEXT) asn1.$(OBJEXT) \ + sfeventq.$(OBJEXT) sfsnprintfappend.$(OBJEXT) sfrt.$(OBJEXT) \ + sfrt_dir.$(OBJEXT) sfrt_flat.$(OBJEXT) sfrt_flat_dir.$(OBJEXT) \ + segment_mem.$(OBJEXT) sfportobject.$(OBJEXT) sfrim.$(OBJEXT) \ + sfprimetable.$(OBJEXT) sf_ip.$(OBJEXT) sf_ipvar.$(OBJEXT) \ + sf_vartable.$(OBJEXT) sf_iph.$(OBJEXT) sf_textlog.$(OBJEXT) \ + sfPolicy.$(OBJEXT) sfPolicyUserData.$(OBJEXT) \ + sfActionQueue.$(OBJEXT) sfrf.$(OBJEXT) strvec.$(OBJEXT) \ + sf_email_attach_decode.$(OBJEXT) sf_base64decode.$(OBJEXT) \ $(am__objects_1) libsfutil_a_OBJECTS = $(am_libsfutil_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) @@ -108,7 +113,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -123,6 +130,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -159,13 +167,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -245,10 +259,14 @@ util_net.c util_net.h \ util_str.c util_str.h \ util_utf.c util_utf.h \ + util_jsnorm.c util_jsnorm.h \ + util_unfold.c util_unfold.h \ asn1.c asn1.h \ sfeventq.c sfeventq.h \ sfsnprintfappend.c sfsnprintfappend.h \ sfrt.c sfrt.h sfrt_trie.h sfrt_dir.c sfrt_dir.h \ + sfrt_flat.c sfrt_flat.h sfrt_flat_dir.c sfrt_flat_dir.h \ + segment_mem.c segment_mem.h \ sfportobject.c sfportobject.h \ sfrim.c sfrim.h \ sfprimetable.c sfprimetable.h \ @@ -262,6 +280,7 @@ sfActionQueue.c sfActionQueue.h \ sfrf.c sfrf.h \ strvec.c strvec.h \ + sf_email_attach_decode.c sf_email_attach_decode.h \ sf_base64decode.c sf_base64decode.h \ Unified2_common.h \ $(INTEL_SOFT_CPM_SOURCES) diff -Nru snort-2.9.0.1/src/sfutil/mpse.c snort-2.9.2/src/sfutil/mpse.c --- snort-2.9.0.1/src/sfutil/mpse.c 2010-06-09 15:05:29.000000000 -0700 +++ snort-2.9.2/src/sfutil/mpse.c 2011-06-07 17:33:20.000000000 -0700 
@@ -2,16 +2,16 @@ * $Id$ * * mpse.c -* +* * An abstracted interface to the Multi-Pattern Matching routines, * thats why we're passing 'void *' objects around. * -* Copyright (C) 2002-2010 Sourcefire, Inc. +* Copyright (C) 2002-2011 Sourcefire, Inc. * Marc A Norton <mnorton@sourcefire.com> * * Updates: * 3/06 - Added AC_BNFA search -** +** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or @@ -37,8 +37,8 @@ #include "acsmx.h" #include "acsmx2.h" #include "sfksearch.h" -#include "mpse.h" -#include "debug.h" +#include "mpse.h" +#include "snort_debug.h" #include "sf_types.h" #include "util.h" @@ -144,7 +144,7 @@ { MPSE * p = (MPSE*)pvoid; p->verbose = 1; -} +} void mpseSetOpt( void * pvoid, int flag ) { @@ -221,7 +221,7 @@ } } -int mpseAddPattern ( void * pvoid, void * P, int m, +int mpseAddPattern ( void * pvoid, void * P, int m, unsigned noCase, unsigned offset, unsigned depth, unsigned negative, void* ID, int IID ) { @@ -263,7 +263,7 @@ void mpseLargeShifts ( void * pvoid, int flag ) { MPSE * p = (MPSE*)pvoid; - + switch( p->method ) { default: @@ -284,11 +284,11 @@ case MPSE_AC_BNFA_Q: retv = bnfaCompile( (bnfa_struct_t*) p->obj, build_tree, neg_list_func ); break; - + case MPSE_AC: retv = acsmCompile( (ACSM_STRUCT*) p->obj, build_tree, neg_list_func ); break; - + case MPSE_ACF: case MPSE_ACF_Q: case MPSE_ACS: @@ -296,7 +296,7 @@ case MPSE_ACSB: retv = acsmCompile2( (ACSM_STRUCT2*) p->obj, build_tree, neg_list_func ); break; - + case MPSE_LOWMEM: case MPSE_LOWMEM_Q: return KTrieCompile( (KTRIE_STRUCT *)p->obj, build_tree, neg_list_func ); @@ -308,9 +308,9 @@ default: retv = 1; - break; + break; } - + return retv; } @@ -346,7 +346,7 @@ case MPSE_ACB: case MPSE_ACSB: return acsmPrintDetailInfo2( (ACSM_STRUCT2*) p->obj ); - + default: return 1; } 
@@ -404,9 +404,9 @@ KTrieInitMemUsed(); } -int mpseSearch( void *pvoid, const unsigned char * T, int n, - int ( *action )(void* id, void * tree, int index, void *data, void *neg_list), - void * data, int* current_state ) +int mpseSearch( void *pvoid, const unsigned char * T, int n, + int ( *action )(void* id, void * tree, int index, void *data, void *neg_list), + void * data, int* current_state ) { MPSE * p = (MPSE*)pvoid; int ret; @@ -418,7 +418,7 @@ if(p->inc_global_counter) s_bcnt += n; - + switch( p->method ) { case MPSE_AC_BNFA: @@ -433,7 +433,7 @@ ret = acsmSearch( (ACSM_STRUCT*) p->obj, (unsigned char *)T, n, action, data, current_state ); PREPROC_PROFILE_END(mpsePerfStats); return ret; - + case MPSE_ACF: case MPSE_ACF_Q: case MPSE_ACS: @@ -498,7 +498,7 @@ uint64_t mpseGetPatByteCount(void) { - return s_bcnt; + return s_bcnt; } void mpseResetByteCount(void) diff -Nru snort-2.9.0.1/src/sfutil/mpse.h snort-2.9.2/src/sfutil/mpse.h --- snort-2.9.0.1/src/sfutil/mpse.h 2010-06-09 15:05:29.000000000 -0700 +++ snort-2.9.2/src/sfutil/mpse.h 2011-02-09 15:23:36.000000000 -0800 @@ -3,7 +3,7 @@ ** ** mpse.h ** -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Marc Norton <mnorton@sourcefire.com> ** ** Multi-Pattern Search Engine diff -Nru snort-2.9.0.1/src/sfutil/segment_mem.c snort-2.9.2/src/sfutil/segment_mem.c --- snort-2.9.0.1/src/sfutil/segment_mem.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/segment_mem.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,115 @@
+/*
+ ** Copyright (C) 2011-2011 Sourcefire, Inc.
+ **
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ **
+ ** 8/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <string.h>
+#include "segment_mem.h"
+
+/*point to the start of the unused memory*/
+static MEM_OFFSET unused_ptr = 0;
+static size_t unused_mem = 0;
+static void *base_ptr = NULL;
+
+size_t segment_unusedmem(void)
+{
+ return unused_mem;
+}
+/***************************************************************************
+ * Initialize the segment memory
+ * Return values:
+ * 1: success
+ * 0: fail
+ **************************************************************************/
+int segment_meminit(uint8_t* buff, size_t mem_cap)
+{
+ base_ptr = buff;
+ unused_ptr = 0;
+ unused_mem = mem_cap;
+ return 1;
+}
+
+/***************************************************************************
+ * allocate memory block from segment
+ * todo:currently, we only allocate memory continuously. Need to reuse freed
+ * memory in the future.
+ * return:
+ * 0: fail
+ * other: the offset of the allocated memory block
+ **************************************************************************/
+MEM_OFFSET segment_malloc ( size_t size )
+{
+ MEM_OFFSET current_ptr = unused_ptr;
+
+ if (unused_mem < size)
+ return 0;
+
+ unused_ptr += size;
+ unused_mem -= size;
+
+ return current_ptr;
+}
+
+/***************************************************************************
+ * Free memory block from segment
+ * Todo: currently, no action for free. Need to reuse freed memory in the
+ * future.
+ **************************************************************************/
+
+void segment_free ( MEM_OFFSET ptr )
+{
+ return;
+}
+
+/***************************************************************************
+ * allocate memory block from segment and initialize it to zero
+ * It calls segment_malloc() to get memory.
+ * todo:currently, we only allocate memory continuously. Need to reuse freed
+ * memory in the future.
+ * return:
+ * 0: fail
+ * other: the offset of the allocated memory block
+ **************************************************************************/
+
+MEM_OFFSET segment_calloc ( size_t num, size_t size )
+{
+ MEM_OFFSET current_ptr;
+ uint64_t total;
+
+ if ((0 == size)||(0 == num))
+ return 0;
+ /*Check possible overflow*/
+ if (num > SIZE_MAX/size)
+ return 0;
+ total = num * size;
+ current_ptr = segment_malloc((size_t)total);
+ if (0 != current_ptr)
+ memset((uint8_t *)base_ptr + current_ptr, 0, (size_t)total);
+
+ return current_ptr;
+}
+
+void * segment_basePtr()
+{
+ return base_ptr;
+}
diff -Nru snort-2.9.0.1/src/sfutil/segment_mem.h snort-2.9.2/src/sfutil/segment_mem.h
--- snort-2.9.0.1/src/sfutil/segment_mem.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/sfutil/segment_mem.h 2011-10-26 07:49:57.000000000 -0700
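Review bot: The first segment_malloc() call after segment_meminit() returns offset 0, which is exactly the value the comment above it documents as failure, so any caller that follows that contract (`if (!off)`) treats a successful first allocation as an error; segment_calloc inherits this, and its `if (0 != current_ptr)` then also skips the memset for that block. Unless every caller reserves offset 0 itself before allocating, reserve an aligned slot in segment_meminit so 0 is never handed out, e.g. `unused_ptr = sizeof(uint64_t); unused_mem = (mem_cap > unused_ptr) ? mem_cap - unused_ptr : 0;`, and state in the header comment that offset 0 means "no block". segment_malloc should also reject an empty request (`if (size == 0 || unused_mem < size) return 0;`) so that two zero-length allocations do not share a valid-looking offset, and `unused_ptr += size` silently truncates once the cursor passes what the 32-bit MEM_OFFSET can hold, so mem_cap deserves a check against UINT32_MAX in segment_meminit. The whole segment lives in three file-scope statics, so there can be only one segment per process and nothing here is thread-safe; worth a line in the file header, and segment_free's unused `ptr` parameter should be marked as such (`(void)ptr;`) to keep -Wunused-parameter builds quiet.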
@@ -0,0 +1,37 @@
+/*
+ ** Copyright (C) 2011-2011 Sourcefire, Inc.
+ **
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ **
+ ** 8/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com>
+ */
+
+#ifndef _SFSHARE_MEMEORY_H_
+#define _SFSHARE_MEMEORY_H_
+
+#include <stdlib.h>
+#include "sf_types.h"
+
+typedef uint32_t MEM_OFFSET;
+
+int segment_meminit(uint8_t*, size_t);
+MEM_OFFSET segment_malloc ( size_t size );
+void segment_free (MEM_OFFSET ptr );
+MEM_OFFSET segment_calloc ( size_t num, size_t size );
+size_t segment_unusedmem();
+void * segment_basePtr();
+#endif
diff -Nru snort-2.9.0.1/src/sfutil/sfActionQueue.c snort-2.9.2/src/sfutil/sfActionQueue.c
--- snort-2.9.0.1/src/sfutil/sfActionQueue.c 2010-08-25 13:22:48.000000000 -0700
+++ snort-2.9.2/src/sfutil/sfActionQueue.c 2011-06-07 17:33:20.000000000 -0700
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
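Review bot: `segment_unusedmem()` and `segment_basePtr()` are declared with empty parentheses, which in C is an unspecified-argument declaration rather than "takes no arguments", so a call with stray arguments compiles silently and the declaration differs in form from the `(void)` definition of segment_unusedmem in segment_mem.c; change them to `size_t segment_unusedmem(void);` and `void *segment_basePtr(void);` (and the definition of segment_basePtr in the .c file likewise). The include guard `_SFSHARE_MEMEORY_H_` is a reserved identifier (leading underscore followed by an uppercase letter), misspells "memory" and does not match the file name; a guard such as `SEGMENT_MEM_H` would be conventional. `MEM_OFFSET` also deserves a comment stating that it is a byte offset from `segment_basePtr()` and that 0 is the "no block" value returned on failure — that is the contract every caller of segment_malloc/segment_calloc has to know, and it is currently only in the .c file.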
@@ -18,6 +18,10 @@ * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "stdlib.h" #include "stdio.h" #include "string.h" @@ -44,8 +48,8 @@ } int sfActionQueueAdd( - tSfActionQueueId actionQ, - void (*callback)(void *), + tSfActionQueueId actionQ, + void (*callback)(void *), void *data ) { @@ -90,7 +94,7 @@ } } -/**Destroys action queue. All memory allocated by the actionQueue module is +/**Destroys action queue. All memory allocated by the actionQueue module is * freed. Since the queued actions are not executed, any memory freed in the action * will be lost. User should do a execAll if there is a potential memory leak * or the actions must be completed. diff -Nru snort-2.9.0.1/src/sfutil/sfActionQueue.h snort-2.9.2/src/sfutil/sfActionQueue.h --- snort-2.9.0.1/src/sfutil/sfActionQueue.h 2010-01-26 10:10:24.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfActionQueue.h 2011-02-09 15:23:36.000000000 -0800 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sf_base64decode.c snort-2.9.2/src/sfutil/sf_base64decode.c --- snort-2.9.0.1/src/sfutil/sf_base64decode.c 2010-06-09 15:50:09.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_base64decode.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** Writen by Patrick Mullen <pmullen@sourcefire.com> ** @@ -19,6 +19,10 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sf_base64decode.h" uint8_t sf_decode64tab[256] = { 
@@ -39,91 +43,6 @@ 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100, 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100}; -/* Given a string, removes header folding (\r\n followed by linear whitespace) - * and exits when the end of a header is found, defined as \n followed by a - * non-whitespace. This is especially helpful for HTML. -*/ -int sf_unfold_header(const uint8_t *inbuf, uint32_t inbuf_size, uint8_t *outbuf, - uint32_t outbuf_size, uint32_t *output_bytes) { - const uint8_t *cursor, *endofinbuf; - uint8_t *outbuf_ptr; - - uint32_t n = 0; - - int httpheaderfolding = 0; - - cursor = inbuf; - endofinbuf = inbuf + inbuf_size; - outbuf_ptr = outbuf; - - /* Keep adding chars until we get to the end of the line. If we get to the - end of the line and the next line starts with a tab or space, add the space - to the buffer and keep reading. If the next line does not start with a - tab or space, stop reading because that's the end of the header. */ - while((cursor < endofinbuf) && (n < outbuf_size)) { - if(((*cursor == ' ') || (*cursor == '\t')) && (httpheaderfolding != 2)) { - /* Spaces are valid except after CRs */ - *outbuf_ptr++ = *cursor; - httpheaderfolding = 0; - } else if((*cursor == '\n') && (httpheaderfolding != 1)) { - /* Can't have multiple LFs in a row, but if we get one it - needs to be followed by at least one space */ - httpheaderfolding = 1; - } else if((*cursor == '\r') && !httpheaderfolding) { - /* CR needs to be followed by LF and can't start a line */ - httpheaderfolding = 2; - } else if(!httpheaderfolding) { - *outbuf_ptr++ = *cursor; - n++; - } else { - /* We have reached the end of the header */ - /* Unless we get multiple CRs, which is suspicious, but not for us to decide */ - break; - } - cursor++; - } - - if(n < outbuf_size) - *outbuf_ptr = '\0'; - else - outbuf[outbuf_size - 1] = '\0'; - - *output_bytes = outbuf_ptr - outbuf; - return(0); -} - - -int sf_unfold_smtp(const uint8_t *inbuf, uint32_t inbuf_size, 
uint8_t *outbuf, - uint32_t outbuf_size, uint32_t *output_bytes) { - const uint8_t *cursor, *endofinbuf; - uint8_t *outbuf_ptr; - - uint32_t n = 0; - - - cursor = inbuf; - endofinbuf = inbuf + inbuf_size; - outbuf_ptr = outbuf; - - while((cursor < endofinbuf) && (n < outbuf_size)) { - if((*cursor != '\n') && (*cursor != '\r')) - { - *outbuf_ptr++ = *cursor; - n++; - } - cursor++; - } - - if(n < outbuf_size) - *outbuf_ptr = '\0'; - else - outbuf[outbuf_size - 1] = '\0'; - - *output_bytes = outbuf_ptr - outbuf; - return(0); -} - - /* base64decode assumes the input data terminates with '=' and/or at the end of the input buffer * at inbuf_size. If extra characters exist within inbuf before inbuf_size is reached, it will * happily decode what it can and skip over what it can't. This is consistent with other decoders @@ -131,7 +50,7 @@ * data is valid up until the point you care about. Note base64 data does NOT have to end with * '=' and won't if the number of bytes of input data is evenly divisible by 3. */ -int sf_base64decode(uint8_t *inbuf, uint32_t inbuf_size, uint8_t *outbuf, uint32_t outbuf_size, uint32_t *bytes_written) +int sf_base64decode(uint8_t *inbuf, uint32_t inbuf_size, uint8_t *outbuf, uint32_t outbuf_size, uint32_t *bytes_written) { uint8_t *cursor, *endofinbuf; uint8_t *outbuf_ptr; @@ -201,14 +120,8 @@ cursor++; } - if(n < max_base64_chars) - *outbuf_ptr = '\0'; - else - outbuf_ptr[max_base64_chars - 1] = '\0'; - if(error) return(-1); else return(0); } - diff -Nru snort-2.9.0.1/src/sfutil/sf_base64decode.h snort-2.9.2/src/sfutil/sf_base64decode.h --- snort-2.9.0.1/src/sfutil/sf_base64decode.h 2010-06-09 15:50:09.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_base64decode.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* - ** Copyright (C) 1998-2010 Sourcefire, Inc. + ** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** Writen by Patrick Mullen <pmullen@sourcefire.com> ** 
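Review bot: With the terminator removed, the buffer sf_base64decode fills is now raw bytes with no NUL, but the function's description (the comment block just above the signature, in the @@ -131 hunk) still does not say so, so a caller that formats or `strlen()`s `outbuf` will run past the decoded bytes; add to that comment `/* outbuf is NOT NUL-terminated: *bytes_written is the only valid length of the decoded data. */`. The removed lines wrote the terminator relative to the moving cursor (`outbuf_ptr[max_base64_chars - 1]`) rather than to `outbuf`, so dropping them instead of keeping them is consistent with a length-only contract. sf_base64decode's body begins outside this hunk.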
@@ -23,10 +23,8 @@ #define _SF_BASE64DECODE_H_ #include "sf_types.h" +#include "util_unfold.h" - -int sf_unfold_header(const uint8_t*, uint32_t, uint8_t*, uint32_t, uint32_t*); -int sf_unfold_smtp(const uint8_t*, uint32_t, uint8_t*, uint32_t, uint32_t*); int sf_base64decode(uint8_t*, uint32_t, uint8_t*, uint32_t, uint32_t*); -#endif +#endif diff -Nru snort-2.9.0.1/src/sfutil/sf_email_attach_decode.c snort-2.9.2/src/sfutil/sf_email_attach_decode.c --- snort-2.9.0.1/src/sfutil/sf_email_attach_decode.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/sf_email_attach_decode.c 2011-11-21 12:15:24.000000000 -0800 
@@ -0,0 +1,611 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** Author: Bhagyashree Bantwal <bbantwal@sourcefire.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +/*SharedObjectAddStarts +#include "sf_dynamic_preprocessor.h" +SharedObjectAddEnds */ +#include "util.h" +#include "sf_email_attach_decode.h" + +#define UU_DECODE_CHAR(c) (((c) - 0x20) & 0x3f) + +int sf_qpdecode(char *src, uint32_t slen, char *dst, uint32_t dlen, uint32_t *bytes_read, uint32_t *bytes_copied ) +{ + char ch; + + if(!src || !slen || !dst || !dlen || !bytes_read || !bytes_copied ) + return -1; + + *bytes_read = 0; + *bytes_copied = 0; + + while( (*bytes_read < slen) && (*bytes_copied < dlen)) + { + ch = src[*bytes_read]; + *bytes_read += 1; + if( ch == '=' ) + { + if( (*bytes_read < slen)) + { + if(src[*bytes_read] == '\n') + { + *bytes_read += 1; + continue; + } + else if( *bytes_read < (slen - 1) ) + { + char ch1 = src[*bytes_read]; + char ch2 = src[*bytes_read + 1]; + if( ch1 == '\r' && ch2 == '\n') + { + *bytes_read += 2; + continue; + } + if (isxdigit((int)ch1) && isxdigit((int)ch2)) + { + char hexBuf[3]; + char *eptr; + hexBuf[0] = ch1; + hexBuf[1] = 
ch2; + hexBuf[2] = '\0'; + dst[*bytes_copied]= (char)strtoul(hexBuf, &eptr, 16); + if((*eptr != '\0')) + { + return -1; + } + *bytes_read += 2; + *bytes_copied +=1; + continue; + } + dst[*bytes_copied] = ch; + *bytes_copied +=1; + continue; + } + else + { + *bytes_read -= 1; + return 0; + } + } + else + { + *bytes_read -= 1; + return 0; + } + } + else + { + dst[*bytes_copied] = ch; + *bytes_copied +=1; + + } + } + + return 0; + +} +int sf_uudecode(uint8_t *src, uint32_t slen, uint8_t *dst, uint32_t dlen, uint32_t *bytes_read, uint32_t *bytes_copied, uint8_t *begin_found, uint8_t *end_found) +{ + uint8_t *sod; + int sol = 1, length = 0; + uint8_t *ptr, *end, *dptr, *dend; + + if(!src || !slen || !dst || !dlen || !bytes_read || !bytes_copied || !begin_found || !end_found ) + return -1; + + ptr = src; + end = src + slen; + dptr = dst; + dend = dst + dlen; + /* begin not found. Search for begin */ + if( !(*begin_found) ) + { + if( slen < 5 ) + { + /* Not enough data to search */ + *bytes_read = 0; + *bytes_copied = 0; + return 0; + } + else + { + sod = (uint8_t *)SnortStrnStr((const char *)src, 5 , "begin"); + if(sod) + { + *begin_found = 1; + /*begin str found. Move to the actual data*/ + ptr = (uint8_t *)SnortStrnStr((const char *)(sod), (end - sod), "\n"); + if( !ptr ) + { + *bytes_read = slen; + *bytes_copied = 0; + return 0; + } + } + else + { + /*Encoded data for UUencode should start with begin. 
Error encountered.*/ + return -1; + } + } + } + + while( (ptr < end) && (dptr < dend)) + { + if(*ptr == '\n') + { + length = 0; + sol = 1; + ptr++; + continue; + } + + if(sol) + { + sol = 0; + length = UU_DECODE_CHAR(*ptr); + + if( length <= 0 ) + { + /* empty line with no encoded characters indicates end of output */ + break; + } + else if( length == 5 ) + { + if(*ptr == 'e') + { + *end_found = 1; + break; + } + } + /* check if destination buffer is big enough */ + if(( dend - dptr) < length) + { + length = dend - dptr; + } + + length = (length * 4) / 3 ; + + /*check if src buffer has enough encoded data*/ + if( (end - (ptr + 1)) < length) + { + /*not enough data to decode. We will wait for the next packet*/ + break; + } + + ptr++; + + while( length > 0 ) + { + *dptr++ = (UU_DECODE_CHAR(ptr[0]) << 2) | (UU_DECODE_CHAR(ptr[1]) >> 4); + ptr++; + if(--length == 0 ) + break; + + *dptr++ = (UU_DECODE_CHAR(ptr[0]) << 4) | (UU_DECODE_CHAR(ptr[1]) >> 2); + ptr++; + if (--length == 0) + break; + + *dptr++ = (UU_DECODE_CHAR(ptr[0]) << 6) | (UU_DECODE_CHAR(ptr[1])); + ptr += 2; + length -= 2; + } + } + else + { + /* probably padding. skip over it.*/ + ptr++; + } + } + + if(*end_found) + *bytes_read = end - src; + else + *bytes_read = ptr - src; + *bytes_copied = dptr - dst; + return 0; +} + + +int Base64Decode(const uint8_t *start, const uint8_t *end, Email_DecodeState *ds) +{ + uint32_t encode_avail = 0, decode_avail = 0 ; + uint8_t *encode_buf, *decode_buf; + uint32_t act_encode_size = 0, act_decode_size = 0; + uint32_t prev_bytes = 0; + uint32_t i = 0; + + if (!(ds->b64_state.encode_depth)) + { + encode_avail = MAX_BUF; + decode_avail = MAX_BUF; + } + else if ((ds->b64_state.encode_depth) < 0) + { + return DECODE_FAIL; + } + else + { + encode_avail = ds->b64_state.encode_depth - ds->b64_state.encode_bytes_read; + decode_avail = ds->b64_state.decode_depth - ds->b64_state.decode_bytes_read; + } + + encode_buf = ds->encodeBuf; + decode_buf = ds->decodeBuf; + + /* 1. 
Stop decoding when we have reached either the decode depth or encode depth. + * 2. Stop decoding when we are out of memory */ + if(encode_avail ==0 || decode_avail ==0 || + (!encode_buf) || (!decode_buf)) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + /*The non decoded encoded data in the previous packet is required for successful decoding + * in case of base64 data spanned across packets*/ + if( ds->prev_encoded_bytes ) + { + if(ds->prev_encoded_bytes > encode_avail) + ds->prev_encoded_bytes = encode_avail; + + if(ds->prev_encoded_buf) + { + prev_bytes = ds->prev_encoded_bytes; + encode_avail = encode_avail - prev_bytes; + while(ds->prev_encoded_bytes) + { + /* Since this data cannot be more than 3 bytes*/ + encode_buf[i] = ds->prev_encoded_buf[i]; + i++; + ds->prev_encoded_bytes--; + } + } + } + + if(sf_strip_CRLF(start, (end-start), encode_buf + prev_bytes, encode_avail, &act_encode_size) != 0) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + act_encode_size = act_encode_size + prev_bytes; + + i = (act_encode_size)%4 ; + + /* Encoded data should be in multiples of 4. Then we need to wait for the remainder encoded data to + * successfully decode the base64 data. 
This happens when base64 data is spanned across packets*/ + if(i) + { + ds->prev_encoded_bytes = i; + act_encode_size = act_encode_size - i; + ds->prev_encoded_buf = encode_buf + act_encode_size; + } + + if(sf_base64decode(encode_buf, act_encode_size, decode_buf, decode_avail, &act_decode_size) != 0) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + else if(!act_decode_size && !encode_avail) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + + ds->decode_present = 1; + ds->decodePtr = decode_buf; + ds->decoded_bytes = act_decode_size; + ds->b64_state.encode_bytes_read += act_encode_size; + ds->b64_state.decode_bytes_read += act_decode_size; + + return DECODE_SUCCESS; +} + +int QPDecode(const uint8_t *start, const uint8_t *end, Email_DecodeState *ds) +{ + uint32_t encode_avail = 0, decode_avail = 0 ; + uint8_t *encode_buf, *decode_buf; + uint32_t act_encode_size = 0, act_decode_size = 0, bytes_read = 0; + uint32_t prev_bytes = 0; + uint32_t i = 0; + + if (!(ds->qp_state.encode_depth)) + { + encode_avail = MAX_BUF; + decode_avail = MAX_BUF; + } + else if ((ds->qp_state.encode_depth) < 0) + { + return DECODE_FAIL; + } + else + { + encode_avail = ds->qp_state.encode_depth - ds->qp_state.encode_bytes_read; + decode_avail = ds->qp_state.decode_depth - ds->qp_state.decode_bytes_read; + } + + encode_buf = ds->encodeBuf; + decode_buf = ds->decodeBuf; + + /* 1. Stop decoding when we have reached either the decode depth or encode depth. + * 2. 
Stop decoding when we are out of memory */ + if(encode_avail ==0 || decode_avail ==0 || + (!encode_buf) || (!decode_buf)) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + /*The non decoded encoded data in the previous packet is required for successful decoding + * in case of base64 data spanned across packets*/ + if( ds->prev_encoded_bytes ) + { + if(ds->prev_encoded_bytes > encode_avail) + ds->prev_encoded_bytes = encode_avail; + + if(ds->prev_encoded_buf) + { + prev_bytes = ds->prev_encoded_bytes; + encode_avail = encode_avail - prev_bytes; + while(ds->prev_encoded_bytes) + { + /* Since this data cannot be more than 3 bytes*/ + encode_buf[i] = ds->prev_encoded_buf[i]; + i++; + ds->prev_encoded_bytes--; + } + } + } + + if(sf_strip_LWS(start, (end-start), encode_buf + prev_bytes, encode_avail, &act_encode_size) != 0) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + act_encode_size = act_encode_size + prev_bytes; + + if(sf_qpdecode((char *)encode_buf, act_encode_size, (char *)decode_buf, decode_avail, &bytes_read, &act_decode_size) != 0) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + else if(!act_decode_size && !encode_avail) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + + if(bytes_read < act_encode_size) + { + ds->prev_encoded_bytes = (act_encode_size - bytes_read); + ds->prev_encoded_buf = encode_buf + bytes_read; + act_encode_size = bytes_read; + } + + ds->decode_present = 1; + ds->decodePtr = decode_buf; + ds->decoded_bytes = act_decode_size; + ds->qp_state.encode_bytes_read += act_encode_size; + ds->qp_state.decode_bytes_read += act_decode_size; + + return DECODE_SUCCESS; +} + + +int UUDecode(const uint8_t *start, const uint8_t *end, Email_DecodeState *ds) +{ + uint32_t encode_avail = 0, decode_avail = 0 ; + uint8_t *encode_buf, *decode_buf; + uint32_t act_encode_size = 0, act_decode_size = 0, bytes_read = 0; + uint32_t prev_bytes = 0; + uint32_t i = 0; + + if (!(ds->uu_state.encode_depth)) + { + 
encode_avail = MAX_BUF; + decode_avail = MAX_BUF; + } + else if ((ds->uu_state.encode_depth) < 0) + { + ds->uu_state.begin_found = 0; + return DECODE_FAIL; + } + else + { + encode_avail = ds->uu_state.encode_depth - ds->uu_state.encode_bytes_read; + decode_avail = ds->uu_state.decode_depth - ds->uu_state.decode_bytes_read; + } + + encode_buf = ds->encodeBuf; + decode_buf = ds->decodeBuf; + + /* 1. Stop decoding when we have reached either the decode depth or encode depth. + * 2. Stop decoding when we are out of memory */ + if(encode_avail ==0 || decode_avail ==0 || + (!encode_buf) || (!decode_buf)) + { + ds->uu_state.begin_found = 0; + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + /*The non decoded encoded data in the previous packet is required for successful decoding + * in case of base64 data spanned across packets*/ + if( ds->prev_encoded_bytes ) + { + if(ds->prev_encoded_bytes > encode_avail) + ds->prev_encoded_bytes = encode_avail; + + if(ds->prev_encoded_buf) + { + prev_bytes = ds->prev_encoded_bytes; + encode_avail = encode_avail - prev_bytes; + while(ds->prev_encoded_bytes) + { + /* Since this data cannot be more than 3 bytes*/ + encode_buf[i] = ds->prev_encoded_buf[i]; + i++; + ds->prev_encoded_bytes--; + } + } + } + + if((uint32_t)(end- start) > encode_avail) + act_encode_size = encode_avail; + else + act_encode_size = end - start; + + + if(encode_avail > 0) + { + if(SafeMemcpy((encode_buf + prev_bytes), start, act_encode_size, encode_buf, (encode_buf+ encode_avail + prev_bytes)) != SAFEMEM_SUCCESS) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + } + + act_encode_size = act_encode_size + prev_bytes; + + + if(sf_uudecode(encode_buf, act_encode_size, decode_buf, decode_avail, &bytes_read, &act_decode_size, + &(ds->uu_state.begin_found), &(ds->uu_state.end_found)) != 0) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + else if(!act_decode_size && !encode_avail) + { + /* Have insufficient data to decode */ + 
ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + /* Found the end. No more encoded data */ + + if(ds->uu_state.end_found) + { + ds->uu_state.end_found = 0; + ds->uu_state.begin_found = 0; + ds->decode_type = DECODE_NONE; + } + + + if(bytes_read < act_encode_size) + { + ds->prev_encoded_bytes = (act_encode_size - bytes_read); + ds->prev_encoded_buf = encode_buf + bytes_read; + act_encode_size = bytes_read; + } + + ds->decode_present = 1; + ds->decoded_bytes = act_decode_size; + ds->decodePtr = decode_buf; + ds->uu_state.encode_bytes_read += act_encode_size; + ds->uu_state.decode_bytes_read += act_decode_size; + + return DECODE_SUCCESS; +} + + + + +int BitEncExtract(const uint8_t *start, const uint8_t *end, Email_DecodeState *ds) +{ + uint32_t bytes_avail = 0; + uint32_t act_size = 0; + + ClearPrevEncodeBuf(ds); + + if (!(ds->bitenc_state.depth)) + { + bytes_avail = MAX_BUF; + } + else if ((ds->bitenc_state.depth) < 0) + { + return DECODE_FAIL; + } + else + { + bytes_avail = ds->bitenc_state.depth - ds->bitenc_state.bytes_read; + } + + /* 1. Stop decoding when we have reached either the decode depth or encode depth. + * 2. 
Stop decoding when we are out of memory */ + if(bytes_avail ==0) + { + ResetEmailDecodeState(ds); + return DECODE_FAIL; + } + + + if( (uint32_t)(end-start) < bytes_avail ) + { + act_size = ( end - start); + } + else + { + act_size = bytes_avail; + } + + ds->decode_present = 1; + ds->decodePtr = (uint8_t *)start; + ds->decoded_bytes = act_size; + ds->bitenc_state.bytes_read += act_size; + + return DECODE_SUCCESS; +} + +int EmailDecode(const uint8_t *start, const uint8_t *end, Email_DecodeState *ds) +{ + int iRet = DECODE_FAIL; + + switch(ds->decode_type) + { + case DECODE_B64: + iRet = Base64Decode(start, end, ds); + break; + case DECODE_QP: + iRet = QPDecode(start, end, ds); + break; + case DECODE_UU: + iRet = UUDecode(start, end, ds); + break; + case DECODE_BITENC: + iRet = BitEncExtract(start, end, ds); + break; + default: + break; + } + + return iRet; +} + diff -Nru snort-2.9.0.1/src/sfutil/sf_email_attach_decode.h snort-2.9.2/src/sfutil/sf_email_attach_decode.h --- snort-2.9.0.1/src/sfutil/sf_email_attach_decode.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/sf_email_attach_decode.h 2011-06-07 17:33:20.000000000 -0700 
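Review bot: In sf_uudecode the availability check `if( (end - (ptr + 1)) < length)` is made after `length = (length * 4) / 3`, which rounds down, so whenever the decoded byte count on a line is not a multiple of 3 (1, 2, 4, 5, ...) the second operand `UU_DECODE_CHAR(ptr[1])` in the decode loop can be read from exactly `end`, one byte past the source buffer. Check against whole 4-character groups before the loop counter is derived, `if ((end - (ptr + 1)) < ((length + 2) / 3) * 4) break;`, and keep the `(length * 4) / 3` loop counter as it is. In sf_qpdecode, `isxdigit((int)ch1)` with a plain `char` is undefined for bytes above 0x7F on platforms where char is signed (the <ctype.h> contract is an unsigned char value or EOF); cast via `(unsigned char)` instead, here and for `ch2`. The carry-over loops in QPDecode and UUDecode reuse the Base64Decode comments "Since this data cannot be more than 3 bytes" and "base64 data spanned across packets", which hold only for the base64 path — for QP and UU the carried bytes are `act_encode_size - bytes_read`, bounded only by the clamp to encode_avail at the top of each function.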
@@ -0,0 +1,166 @@
+/*
+ ** Copyright (C) 1998-2011 Sourcefire, Inc.
+ **
+ ** Writen by Bhagyashree Bantwal <bbantwal@sourcefire.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License Version 2 as
+ ** published by the Free Software Foundation. You may not use, modify or
+ ** distribute this program under any other version of the GNU General
+ ** Public License.
+ **
+ ** This program is distributed in the hope that it will be useful,
+ ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ ** GNU General Public License for more details.
+ **
+ ** You should have received a copy of the GNU General Public License
+ ** along with this program; if not, write to the Free Software
+ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef _SF_EMAIL_ATTACH_DECODE_H_
+#define _SF_EMAIL_ATTACH_DECODE_H_
+
+#include "sf_types.h"
+#include "util_unfold.h"
+#include "sf_base64decode.h"
+#include "snort_bounds.h"
+
+#define MAX_BUF 65535
+#define DECODE_SUCCESS 0
+#define DECODE_FAIL -1
+
+typedef enum {
+
+ DECODE_NONE = 0,
+ DECODE_B64,
+ DECODE_QP,
+ DECODE_UU,
+ DECODE_BITENC,
+ DECODE_ALL
+
+} DecodeType;
+
+typedef struct s_Base64_DecodeState
+{
+ uint32_t encode_bytes_read;
+ uint32_t decode_bytes_read;
+ int encode_depth;
+ int decode_depth;
+} Base64_DecodeState;
+
+typedef struct s_QP_DecodeState
+{
+ uint32_t encode_bytes_read;
+ uint32_t decode_bytes_read;
+ int encode_depth;
+ int decode_depth;
+} QP_DecodeState;
+
+typedef struct s_UU_DecodeState
+{
+ uint32_t encode_bytes_read;
+ uint32_t decode_bytes_read;
+ int encode_depth;
+ int decode_depth;
+ uint8_t begin_found;
+ uint8_t end_found;
+} UU_DecodeState;
+
+typedef struct s_BitEnc_DecodeState
+{
+ uint32_t bytes_read;
+ int depth;
+} BitEnc_DecodeState;
+
+typedef struct s_Email_DecodeState
+{
+ DecodeType
decode_type;
+ uint8_t decode_present;
+ uint32_t prev_encoded_bytes;
+ unsigned char *prev_encoded_buf;
+ uint32_t decoded_bytes;
+ uint8_t *encodeBuf;
+ uint8_t *decodeBuf;
+ uint8_t *decodePtr;
+ Base64_DecodeState b64_state;
+ QP_DecodeState qp_state;
+ UU_DecodeState uu_state;
+ BitEnc_DecodeState bitenc_state;
+
+} Email_DecodeState;
+
+
+int EmailDecode(const uint8_t *, const uint8_t *, Email_DecodeState *);
+
+static inline void SetEmailDecodeState(Email_DecodeState *ds, void *data, int max_depth,
+ int b64_depth, int qp_depth, int uu_depth, int bitenc_depth)
+{
+ if ( max_depth & 7 )
+ {
+ max_depth += (8 - (max_depth & 7));
+ }
+
+ ds->decode_type = DECODE_NONE;
+ ds->decode_present = 0;
+ ds->prev_encoded_bytes = 0;
+ ds->prev_encoded_buf = NULL;
+ ds->decoded_bytes = 0;
+
+ ds->encodeBuf = (uint8_t *)data;
+ ds->decodeBuf = (uint8_t *)data + max_depth;
+ ds->decodePtr = ds->decodeBuf;
+
+ ds->b64_state.encode_depth = ds->b64_state.decode_depth = b64_depth;
+ ds->b64_state.encode_bytes_read = ds->b64_state.decode_bytes_read = 0;
+
+ ds->qp_state.encode_depth = ds->qp_state.decode_depth = qp_depth;
+ ds->qp_state.encode_bytes_read = ds->qp_state.decode_bytes_read = 0;
+
+ ds->uu_state.encode_depth = ds->uu_state.decode_depth = uu_depth;
+ ds->uu_state.encode_bytes_read = ds->uu_state.decode_bytes_read = 0;
+ ds->uu_state.begin_found = 0;
+ ds->uu_state.end_found = 0;
+
+ ds->bitenc_state.depth = bitenc_depth;
+ ds->bitenc_state.bytes_read = 0;
+
+}
+
+static inline void ClearPrevEncodeBuf(Email_DecodeState *ds)
+{
+ ds->prev_encoded_bytes = 0;
+ ds->prev_encoded_buf = NULL;
+}
+
+static inline void ResetDecodedBytes(Email_DecodeState *ds)
+{
+ ds->decodePtr = NULL;
+ ds->decoded_bytes = 0;
+ ds->decode_present = 0;
+}
+
+
+static inline void ResetEmailDecodeState(Email_DecodeState *ds)
+{
+ if ( ds == NULL )
+ return;
+
+ ds->uu_state.begin_found = ds->uu_state.end_found = 0;
+ ResetDecodedBytes(ds);
+ ClearPrevEncodeBuf(ds);
+
+}
+
+static inline void
ClearEmailDecodeState(Email_DecodeState *ds) +{ + if(ds == NULL) + return; + + ds->decode_type = DECODE_NONE; + ResetEmailDecodeState(ds); +} + + +#endif diff -Nru snort-2.9.0.1/src/sfutil/sfeventq.c snort-2.9.2/src/sfutil/sfeventq.c --- snort-2.9.0.1/src/sfutil/sfeventq.c 2010-06-09 15:05:31.000000000 -0700 +++ snort-2.9.2/src/sfutil/sfeventq.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** ** @file sfeventq.c ** @@ -50,6 +50,10 @@ */ #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfeventq.h" #include "util.h" @@ -68,7 +72,7 @@ ** @retval -1 failure ** @retval 0 success */ -SF_EVENTQ * sfeventq_new(int max_nodes, int log_nodes, int event_size, +SF_EVENTQ * sfeventq_new(int max_nodes, int log_nodes, int event_size, int (*sort)(void *, void *)) { SF_EVENTQ *eq; @@ -117,7 +121,7 @@ { if (eq->reserve_event == NULL) return NULL; - + event = (void *)eq->reserve_event; eq->reserve_event = NULL; @@ -154,7 +158,7 @@ ** sfeventq_free:: */ /** -** Cleanup the event queue. +** Cleanup the event queue. ** ** @return none ** @@ -266,7 +270,7 @@ { SF_EVENTQ_NODE *node; SF_EVENTQ_NODE *tmp; - + if(!event) return -1; @@ -335,7 +339,7 @@ ** NAME ** sfeventq_action:: */ -/** +/** ** Call the supplied user action function on the highest priority ** events. ** 
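Review bot: SetEmailDecodeState rounds max_depth up to the next multiple of 8 and then uses the rounded value as the offset of the decode region inside the caller's buffer (`ds->decodeBuf = (uint8_t *)data + max_depth;`), but nothing in the header states how large `data` must be, so a caller that sized its allocation from the unrounded value ends up with a decode region that starts up to 7 bytes later than it expects and, presumably, runs past the end of the allocation by the same amount. I'd put the contract on the function: `/* data must be large enough for both the encode region and the decode region, with max_depth first rounded up to a multiple of 8 (the caller must size for the rounded value) */`, or do the rounding in the caller and drop it here. max_depth is also taken as a plain int with no range check; a negative value makes decodeBuf point before `data`, so a `if (max_depth < 0) max_depth = 0;` guard ahead of the rounding is cheap. The depth fields are `int` while the paired `*_bytes_read` counters are `uint32_t`, and the .c side treats depth == 0 and depth < 0 specially (BitEncExtract uses MAX_BUF for 0 and fails for negative), so a short comment on BitEnc_DecodeState/the depth fields recording that convention would help readers of the struct.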
@@ -482,7 +486,7 @@ sfeventq_reset(); } while(getc(stdin) < 14); - + return 0; } #endif diff -Nru snort-2.9.0.1/src/sfutil/sfeventq.h snort-2.9.2/src/sfutil/sfeventq.h --- snort-2.9.0.1/src/sfutil/sfeventq.h 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfeventq.h 2011-02-09 15:23:36.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfghash.c snort-2.9.2/src/sfutil/sfghash.c --- snort-2.9.0.1/src/sfutil/sfghash.c 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfghash.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -30,9 +30,9 @@ * Features: * 1) Keys may be ascii strings of variable size, or * fixed length (per table) binary byte sequences. This -* allows use as a Mapping for String+Data pairs, or a +* allows use as a Mapping for String+Data pairs, or a * generic hashing. -* 2) User can allocate keys, or pass copies and we can +* 2) User can allocate keys, or pass copies and we can * allocate space and save keys. * 3) User can pass a free function to free up user data * when the table is deleted. 
@@ -41,7 +41,7 @@ * * 6/10/03 - man - Upgraded the hash function to a Hardened hash function, * it has no predictable cycles, and each hash table gets a different -* randomized hashing function. So even with the source code, you cannot predict +* randomized hashing function. So even with the source code, you cannot predict * anything with this function. If an attacker can setup a feedback * loop he might gain some knowledge of how to muck with us, but even in that case * his odds are astronomically skinny. This is actually the same problem as solved @@ -49,7 +49,7 @@ * produce very long bucket chains. * * 8/31/06 - man - Added prime tables to speed up prime number lookup. -* +* * Author: Marc Norton * */ @@ -58,13 +58,17 @@ #include <string.h> #include <time.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfghash.h" #include "sfprimetable.h" /* * Private Malloc */ -static +static void * s_alloc( int n ) { return calloc( 1,n ); @@ -73,7 +77,7 @@ /* * Private Free */ -static +static void s_free( void * p ) { if( p )free( p ); @@ -88,14 +92,14 @@ * < 0 => we use the magnitude as nrows. * keysize : > 0 => bytes in each key, keys are binary bytes, * all keys are the same size. -* ==0 => keys are strings and are null terminated, -* allowing random key lengths. +* ==0 => keys are strings and are null terminated, +* allowing random key lengths. * userkeys : > 0 => indicates user owns the key data * and we should not allocate or free space for it, * nor should we attempt to free the user key. We just -* save the pointer to the key. +* save the pointer to the key. * ==0 => we should copy the keys and manage them internally -* userfree : routine to free users data, null if we should not +* userfree : routine to free users data, null if we should not * free user data in sfghash_delete(). The routine * should be of the form 'void userfree(void * userdata)', * 'free' works for simple allocations. 
@@ -110,25 +114,25 @@ nrows = sf_nearest_prime( nrows ); } else /* use the magnitude or nrows as is */ - { + { nrows = -nrows; } h = (SFGHASH*)s_alloc( sizeof(SFGHASH) ); - if( !h ) + if( !h ) return 0; memset( h, 0, sizeof(SFGHASH) ); h->sfhashfcn = sfhashfcn_new( nrows ); - if( !h->sfhashfcn ) + if( !h->sfhashfcn ) { free(h); return 0; } h->table = (SFGHASH_NODE**) s_alloc( sizeof(SFGHASH_NODE*) * nrows ); - if( !h->table ) + if( !h->table ) { free(h->sfhashfcn); free(h); @@ -166,10 +170,10 @@ } /* -* Delete the hash Table +* Delete the hash Table * * free key's, free node's, and free the users data, if they -* supply a free function +* supply a free function */ void sfghash_delete( SFGHASH * h ) { @@ -177,11 +181,11 @@ SFGHASH_NODE * node, * onode; if( !h ) return; - + sfhashfcn_free( h->sfhashfcn ); if( h->table ) - { + { for(i=0;i<h->nrows;i++) { for( node=h->table[i]; node; ) @@ -189,7 +193,7 @@ onode = node; node = node->next; - if( !h->userkey && onode->key ) + if( !h->userkey && onode->key ) s_free( onode->key ); if( h->userfree && onode->data ) @@ -232,7 +236,7 @@ * * Notes: * If the key node already exists, then t->cnode points to it on return, -* this allows you to do something with the node - like add the data to a +* this allows you to do something with the node - like add the data to a * linked list of data items held by the node, or track a counter, or whatever. * */ @@ -248,7 +252,7 @@ /* * Get proper Key Size - */ + */ if( t->keysize > 0 ) { klen = t->keysize; @@ -258,13 +262,13 @@ /* need the null byte for strcmp() in sfghash_find() */ klen = strlen( (char*)key ) + 1; } - + hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn, (unsigned char*) key, klen ); - + index = hashkey % t->nrows; /* - * Uniqueness: + * Uniqueness: * Check 1st to see if the key is already in the table * Just bail if it is. */ 
@@ -288,13 +292,13 @@ } } - /* - * Create new node + /* + * Create new node */ hnode = (SFGHASH_NODE*)s_alloc(sizeof(SFGHASH_NODE)); if( !hnode ) return SFGHASH_NOMEM; - + /* Add the Key */ if( t->userkey ) { @@ -314,7 +318,7 @@ /* Copy key */ memcpy(hnode->key,key,klen); } - + /* Add The Node */ if( t->table[index] ) /* add the node to the existing list */ { @@ -347,7 +351,7 @@ /* Unlink the node */ if( n->prev ) n->prev->next = n->next; if( n->next ) n->next->prev = n->prev; - + /* Link at front of list */ n->prev=0; n->next=t->table[index]; @@ -374,9 +378,9 @@ } hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn, (unsigned char*) key, klen ); - + index = hashkey % t->nrows; - + for( hnode=t->table[index]; hnode; hnode=hnode->next ) { if( t->keysize == 0 ) @@ -424,7 +428,7 @@ /* Returns whether or not the there is an entry in the table with key * Sets argument data to data in hash node which could be NULL. * This function is used to both make sure there is an entry in the - * table and get potential data associated with entry */ + * table and get potential data associated with entry */ int sfghash_find2(SFGHASH *t, void *key, void **data) { SFGHASH_NODE * hnode; @@ -448,7 +452,7 @@ */ static int sfghash_free_node( SFGHASH * t, unsigned index, SFGHASH_NODE * hnode ) { - if( !t->userkey && hnode->key ) + if( !t->userkey && hnode->key ) s_free( hnode->key ); hnode->key = 0; @@ -495,7 +499,7 @@ } hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn, (unsigned char*) key, klen ); - + index = hashkey % t->nrows; for( hnode=t->table[index]; hnode; hnode=hnode->next ) @@ -516,7 +520,7 @@ } } - return SFGHASH_ERR; + return SFGHASH_ERR; } @@ -525,7 +529,7 @@ { if( !t->cnode ) return ; - + /* Next node in current node list */ t->cnode = t->cnode->next; if( t->cnode ) 
@@ -533,12 +537,12 @@ return; } - /* Next row */ + /* Next row */ /* Get 1st node in next non-emtoy row/node list */ for( t->crow++; t->crow < t->nrows; t->crow++ ) - { + { t->cnode = t->table[ t->crow ]; - if( t->cnode ) + if( t->cnode ) { return; } @@ -553,7 +557,7 @@ /* Start with 1st row */ for( t->crow=0; t->crow < t->nrows; t->crow++ ) - { + { /* Get 1st Non-Null node in row list */ t->cnode = t->table[ t->crow ]; @@ -584,15 +588,15 @@ } /* - Preload next node into current node + Preload next node into current node */ - sfghash_next( t ); + sfghash_next( t ); return n; } -/** +/** * Make sfhashfcn use a separate set of operators for the backend. * * @param h sfhashfcn ptr @@ -620,10 +624,10 @@ /* * * Test Driver for Hashing -* +* */ -#ifdef SFGHASH_MAIN +#ifdef SFGHASH_MAIN void myfree ( void * p ) { @@ -632,7 +636,7 @@ } /* -* Hash test program +* Hash test program */ int main ( int argc, char ** argv ) { @@ -651,19 +655,19 @@ t = sfghash_new( 1000, 0 , GH_COPYKEYS , myfree ); /* Add Nodes to the Hash Table */ - for(i=0;i<num;i++) + for(i=0;i<num;i++) { snprintf(str, sizeof(str), "KeyWord%d",i+1); str[sizeof(str) - 1] = '\0'; sfghash_add( t, str, strupr(strdup(str)) ); sfatom_add( str, strupr(strdup(str)) ); - } + } /* Find and Display Nodes in the Hash Table */ printf("\n** FIND KEY TEST\n"); - for(i=0;i<num;i++) + for(i=0;i<num;i++) { snprintf(str, sizeof(str), "KeyWord%d",i+1); str[sizeof(str) - 1] = '\0'; @@ -675,7 +679,7 @@ p = (char*) sfatom_find( str ); printf("Atom-key=%*s, data=%*s\n", strlen(str),str, strlen(str), p ); - } + } /* Display All Nodes in the Hash Table */ printf("\n** FINDFIRST / FINDNEXT TEST\n"); 
@@ -685,9 +689,9 @@ printf("hash-findfirst/next: key=%s, data=%s\n", n->key, n->data ); // hashing code frees user data using 'myfree' above .... - if( sfghash_remove(t,n->key) ) + if( sfghash_remove(t,n->key) ) printf("Could not remove the key node\n"); - else + else printf("key node removed\n"); } diff -Nru snort-2.9.0.1/src/sfutil/sfghash.h snort-2.9.2/src/sfutil/sfghash.h --- snort-2.9.0.1/src/sfutil/sfghash.h 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfghash.h 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfhashfcn.c snort-2.9.2/src/sfutil/sfhashfcn.c --- snort-2.9.0.1/src/sfutil/sfhashfcn.c 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfhashfcn.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,21 +18,27 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* - sfhashfcn.c + sfhashfcn.c Each hash table must allocate it's own SFGHASH struct, this is because sfghash_new uses the number of rows in the hash table to modulo the random values. Updates: - - 8/31/2006 - man - changed to use sfprimetable.c + + 8/31/2006 - man - changed to use sfprimetable.c */ - + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" + #ifndef MODULUS_HASH -# include "snort.h" +# include "snort.h" #endif #include "sfhashfcn.h" @@ -103,7 +109,7 @@ return hash ^ p->hardener; } -/** +/** * Make sfhashfcn use a separate set of operators for the backend. * * @param h sfhashfcn ptr diff -Nru snort-2.9.0.1/src/sfutil/sfhashfcn.h snort-2.9.2/src/sfutil/sfhashfcn.h --- snort-2.9.0.1/src/sfutil/sfhashfcn.h 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfhashfcn.h 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sf_ip.c snort-2.9.2/src/sfutil/sf_ip.c --- snort-2.9.0.1/src/sfutil/sf_ip.c 2010-06-09 15:05:29.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_ip.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,8 +1,8 @@ /* -** Copyright (C) 1998-2010 Sourcefire, Inc. +** Copyright (C) 1998-2011 Sourcefire, Inc. ** Adam Keeton ** Kevin Liu <kliu@sourcefire.com> -** +** ** $Id$ ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
@@ -25,7 +25,7 @@ * sf_ip.c * 11/17/06 * - * Library for managing IP addresses of either v6 or v4 families. + * Library for managing IP addresses of either v6 or v4 families. */ #ifdef HAVE_CONFIG_H @@ -48,7 +48,7 @@ #if 0 /* Support function .. but could see some external uses */ -static INLINE int sfip_length(sfip_t *ip) { +static inline int sfip_length(sfip_t *ip) { ARG_CHECK1(ip, 0); if(sfip_family(ip) == AF_INET) return 4; @@ -62,7 +62,7 @@ // no valid ip4 format (including mask) with 2 ':'s // we don't have to figure out if the format is entirely legal // we just have to be able to tell correct formats apart -static INLINE int sfip_str_to_fam(const char *str) { +static inline int sfip_str_to_fam(const char *str) { const char* s; ARG_CHECK1(str, 0); s = strchr(str, (int)':'); @@ -72,19 +72,19 @@ } /* Place-holder allocation incase we want to do something more indepth later */ -static INLINE sfip_t *_sfip_alloc() { - /* Note: using calloc here instead of SnortAlloc since the dynamic libs +static inline sfip_t *_sfip_alloc() { + /* Note: using calloc here instead of SnortAlloc since the dynamic libs * can't presently resolve SnortAlloc */ - return (sfip_t*)calloc(sizeof(sfip_t), 1); + return (sfip_t*)calloc(sizeof(sfip_t), 1); } /* Masks off 'val' bits from the IP contained within 'ip' */ -static INLINE int sfip_cidr_mask(sfip_t *ip, int val) { +static inline int sfip_cidr_mask(sfip_t *ip, int val) { int i; - unsigned int mask = 0; + unsigned int mask = 0; unsigned int *p; int index = (int)ceil(val / 32.0) - 1; - + ARG_CHECK1(ip, SFIP_ARG_ERR); p = ip->ip32; @@ -94,8 +94,8 @@ ((sfip_family(ip) == AF_INET) && val > 32) ) { return SFIP_ARG_ERR; } - - /* Build the netmask by converting "val" into + + /* Build the netmask by converting "val" into * the corresponding number of bits that are set */ for(i = 0; i < 32- (val - (index * 32)); i++) mask = (mask<<1) + 1; 
@@ -114,7 +114,7 @@ sfip_t *sfip_alloc(const char *ip, SFIP_RET *status) { SFIP_RET tmp; sfip_t *ret; - + if(!ip) { if(status) *status = SFIP_ARG_ERR; @@ -122,20 +122,20 @@ } if((ret = _sfip_alloc()) == NULL) { - if(status) + if(status) *status = SFIP_ALLOC_ERR; return NULL; } - + if( (tmp = sfip_pton(ip, ret)) != SFIP_SUCCESS) { - if(status) + if(status) *status = tmp; sfip_free(ret); return NULL; } - if(status) + if(status) *status = SFIP_SUCCESS; return ret; @@ -169,8 +169,8 @@ } /* Support function for _netmask_str_to_bit_count */ -static INLINE int _count_bits(unsigned int val) { - unsigned int count; +static inline int _count_bits(unsigned int val) { + unsigned int count; for (count = 0; val; count++) { val &= val - 1; @@ -181,14 +181,14 @@ /* Support function for sfip_pton. Used for converting a netmask string * into a number of bits to mask off */ -static INLINE int _netmask_str_to_bit_count(char *mask, int family) { - u_int32_t buf[4]; +static inline int _netmask_str_to_bit_count(char *mask, int family) { + uint32_t buf[4]; int bits, i, nBits, nBytes; - u_int8_t* bytes = (u_int8_t*)buf; + uint8_t* bytes = (uint8_t*)buf; - /* XXX - * Mask not validated. - * Only sfip_pton should be using this function, and using it safely. + /* XXX + * Mask not validated. + * Only sfip_pton should be using this function, and using it safely. * XXX */ if(inet_pton(family, mask, buf) < 1) @@ -230,10 +230,10 @@ char *ip; int bits; - if(!dst || !src) + if(!dst || !src) return SFIP_ARG_ERR; - - if((sfip_buf = strdup(src)) == NULL) + + if((sfip_buf = strdup(src)) == NULL) return SFIP_ALLOC_ERR; ip = sfip_buf; @@ -244,7 +244,7 @@ /* check for and extract a mask in CIDR form */ if( (mask = strchr(ip, (int)'/')) != NULL ) { - /* NULL out this character so inet_pton will see the + /* NULL out this character so inet_pton will see the * correct ending to the IP string */ char* end = mask++; while ( (end > ip) && isspace((int)end[-1]) ) end--; 
@@ -255,12 +255,12 @@ /* verify a leading digit */ if(((dst->family == AF_INET6) && !isxdigit((int)*mask)) || ((dst->family == AF_INET) && !isdigit((int)*mask))) { - free(sfip_buf); + free(sfip_buf); return SFIP_CIDR_ERR; } /* Check if there's a netmask here instead of the number of bits */ - if(strchr(mask, (int)'.') || strchr(mask, (int)':')) + if(strchr(mask, (int)'.') || strchr(mask, (int)':')) bits = _netmask_str_to_bit_count(mask, sfip_str_to_fam(mask)); else bits = atoi(mask); @@ -269,7 +269,7 @@ /* If this is IPv4, ia ':' may used specified to indicate a netmask */ ((dst->family == AF_INET) && (mask = strchr(ip, (int)':')) != NULL) || - /* We've already skipped the leading whitespace, if there is more + /* We've already skipped the leading whitespace, if there is more * whitespace, then there's probably a netmask specified after it. */ (mask = strchr(ip, (int)' ')) != NULL ) { @@ -283,23 +283,23 @@ /* Make sure we're either looking at a valid digit, or a leading * colon, such as can be the case with IPv6 */ if(((dst->family == AF_INET) && isdigit((int)*mask)) || - ((dst->family == AF_INET6) && (isxdigit((int)*mask) || *mask == ':'))) { + ((dst->family == AF_INET6) && (isxdigit((int)*mask) || *mask == ':'))) { bits = _netmask_str_to_bit_count(mask, sfip_str_to_fam(mask)); - } + } /* No netmask */ - else { + else { if(dst->family == AF_INET) bits = 32; - else bits = 128; + else bits = 128; } } /* No netmask */ else { if(dst->family == AF_INET) bits = 32; - else bits = 128; + else bits = 128; } if(inet_pton(dst->family, ip, dst->ip8) < 1) { - free(sfip_buf); + free(sfip_buf); return SFIP_INET_PARSE_ERR; } 
@@ -311,20 +311,20 @@ free(sfip_buf); return SFIP_INVALID_MASK; } - + free(sfip_buf); return SFIP_SUCCESS; } /* Sets existing IP, "dst", to be source IP, "src" */ SFIP_RET sfip_set_raw(sfip_t *dst, void *src, int family) { - + ARG_CHECK3(dst, src, dst->ip32, SFIP_ARG_ERR); dst->family = family; if(family == AF_INET) { - dst->ip32[0] = *(u_int32_t*)src; + dst->ip32[0] = *(uint32_t*)src; memset(&dst->ip32[1], 0, 12); dst->bits = 32; } else if(family == AF_INET6) { @@ -333,7 +333,7 @@ } else { return SFIP_ARG_ERR; } - + return SFIP_SUCCESS; } @@ -364,7 +364,7 @@ ob_p = ob->ip32; ip_p = ip->ip32; - /* Build the netmask by converting "val" into + /* Build the netmask by converting "val" into * the corresponding number of bits that are set */ index = (int)ceil(ob->bits / 32.0) - 1; @@ -387,9 +387,9 @@ } -/* Check if ip is contained within the network specified by net */ -/* Returns SFIP_EQUAL if so. - * XXX sfip_contains assumes that "ip" is +/* Check if ip is contained within the network specified by net */ +/* Returns SFIP_EQUAL if so. + * XXX sfip_contains assumes that "ip" is * not less-specific than "net" XXX */ SFIP_RET sfip_contains(sfip_t *net, sfip_t *ip) { @@ -397,7 +397,7 @@ int net_fam, ip_fam; unsigned int *p1, *p2; - /* SFIP_CONTAINS is returned here due to how IpAddrSetContains + /* SFIP_CONTAINS is returned here due to how IpAddrSetContains * handles zero'ed IPs" */ ARG_CHECK2(net, ip, SFIP_CONTAINS); @@ -414,7 +414,7 @@ /* Both are really IPv4. Only compare last 4 bytes of 'ip'*/ p1 = net->ip32; p2 = &ip->ip32[3]; - + /* Mask off bits */ bits = 32 - bits; temp = (ntohl(*p2) >> bits) << bits; @@ -429,7 +429,7 @@ /* Iterate over each 32 bit segment */ for(i=0; i < bits/32 && i < 3; i++, p1++, p2++) { - if(*p1 != *p2) + if(*p1 != *p2) return SFIP_NOT_CONTAINS; } 
@@ -442,86 +442,98 @@ temp = ntohl(*p2); temp = (temp >> mask) << mask; - /* If p1 was setup correctly through this library, there is no need to + /* If p1 was setup correctly through this library, there is no need to * mask off any bits of its own. */ - if(ntohl(*p1) == temp) + if(ntohl(*p1) == temp) return SFIP_CONTAINS; return SFIP_NOT_CONTAINS; } -void sfip_raw_ntop(int family, const void *ip_raw, char *buf, int bufsize) { - int i; - - if(!ip_raw || !buf || !bufsize || - (family != AF_INET && family != AF_INET6) || +void sfip_raw_ntop(int family, const void *ip_raw, char *buf, int bufsize) +{ + if(!ip_raw || !buf || + (family != AF_INET && family != AF_INET6) || /* Make sure if it's IPv6 that the buf is large enough. */ - /* Need atleast a max of 8 fields of 4 bytes plus 7 for colons in + /* Need atleast a max of 8 fields of 4 bytes plus 7 for colons in * between. Need 1 more byte for null. */ - (family == AF_INET6 && bufsize < 8*4 + 7 + 1) || + (family == AF_INET6 && bufsize < INET6_ADDRSTRLEN) || /* Make sure if it's IPv4 that the buf is large enough. */ /* 4 fields of 3 numbers, plus 3 dots and a null byte */ - (family == AF_INET && bufsize < 3*4 + 4) ) + (family == AF_INET && bufsize < INET_ADDRSTRLEN) ) { if(buf && bufsize > 0) buf[0] = 0; return; } +#if defined(HAVE_INET_NTOP) && !defined(REG_TEST) + if (!inet_ntop(family, ip_raw, buf, bufsize)) + snprintf(buf, bufsize, "ERROR"); +#else /* 4 fields of at most 3 characters each */ if(family == AF_INET) { - u_int8_t *p = (u_int8_t*)ip_raw; + int i; + uint8_t *p = (uint8_t*)ip_raw; - for(i=0; p < ((u_int8_t*)ip_raw) + 4; p++) { + for(i=0; p < ((uint8_t*)ip_raw) + 4; p++) { i += sprintf(&buf[i], "%d", *p); /* If this is the last iteration, this could technically cause one * extra byte to be written past the end. 
*/ - if(i < bufsize && ((p + 1) < ((u_int8_t*)ip_raw+4))) + if(i < bufsize && ((p + 1) < ((uint8_t*)ip_raw+4))) buf[i] = '.'; i++; } - /* Check if this is really just an IPv4 address represented as 6, + /* Check if this is really just an IPv4 address represented as 6, * in compatible format */ #if 0 - } + } else if(!field[0] && !field[1] && !field[2]) { unsigned char *p = (unsigned char *)(&ip->ip[12]); - for(i=0; p < &ip->ip[16]; p++) + for(i=0; p < &ip->ip[16]; p++) i += sprintf(&buf[i], "%d.", *p); #endif - } + } else { - u_int16_t *p = (u_int16_t*)ip_raw; + int i; + uint16_t *p = (uint16_t*)ip_raw; - for(i=0; p < ((u_int16_t*)ip_raw) + 8; p++) { + for(i=0; p < ((uint16_t*)ip_raw) + 8; p++) { i += sprintf(&buf[i], "%04x", ntohs(*p)); /* If this is the last iteration, this could technically cause one * extra byte to be written past the end. */ - if(i < bufsize && ((p + 1) < ((u_int16_t*)ip_raw) + 8)) + if(i < bufsize && ((p + 1) < ((uint16_t*)ip_raw) + 8)) buf[i] = ':'; i++; } } +#endif +} + +void sfip_ntop(const sfip_t *ip, char *buf, int bufsize) +{ + if(!ip) + { + if(buf && bufsize > 0) buf[0] = 0; + return; + } + + sfip_raw_ntop(sfip_family(ip), ip->ip32, buf, bufsize); } /* Uses a static buffer to return a string representation of the IP */ -char *sfip_to_str(const sfip_t *ip) { - /* IPv6 addresses will be at most 8 fields, of 4 characters each, - * with 7 colons inbetween, one NULL, and one fudge byte for sloppy use - * in sfip_to_strbuf */ - static char buf[8*4 + 7 + 1 + 1]; +char *sfip_to_str(const sfip_t *ip) +{ + static char buf[INET6_ADDRSTRLEN]; - if(!ip) - return NULL; + sfip_ntop(ip, buf, sizeof(buf)); - sfip_raw_ntop(sfip_family(ip), ip->ip32, buf, sizeof(buf)); - return buf; } 
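Review bot: The IPv6 text sfip_raw_ntop produces is now build-dependent: the `HAVE_INET_NTOP` path returns whatever inet_ntop(3) emits (on common libcs a zero-compressed form such as `::1`), while the fallback below it still prints eight zero-padded `%04x` groups, so log consumers or anything that string-compares addresses will see different output for the same sfip_t depending on configure results; the `!defined(REG_TEST)` exclusion suggests this was noticed but it is not written down. I'd add above the `#if`: `/* NOTE: inet_ntop may compress IPv6 zero runs; the fallback emits fixed 8x4 hex, so the text form is build-dependent */`. The fallback's `sprintf` calls remain unbounded and are safe only because of the `bufsize < INET6_ADDRSTRLEN` / `INET_ADDRSTRLEN` pre-check at the top (40 and 16 bytes are the worst cases per the old comments, which fit), which deserves a comment next to them since the "one extra byte" remark above them no longer describes the guarded case. Separately, `sfip_to_str` no longer returns NULL for a NULL ip but an empty string from its static buffer, so callers that tested the result against NULL now silently print nothing; that behaviour change should be noted in the function's header comment.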
@@ -565,9 +577,9 @@ ARG_CHECK1(ip, 0); - if(sfip_family(ip) == AF_INET) + if(sfip_family(ip) == AF_INET) return 0; - + p = ip->ip32; if(p[0] || p[1] || (ntohl(p[2]) != 0xffff && p[2] != 0)) return 0; diff -Nru snort-2.9.0.1/src/sfutil/sf_ip.h snort-2.9.2/src/sfutil/sf_ip.h --- snort-2.9.0.1/src/sfutil/sf_ip.h 2010-06-09 15:05:29.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_ip.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,8 +1,8 @@ /* -** Copyright (C) 1998-2010 Sourcefire, Inc. +** Copyright (C) 1998-2011 Sourcefire, Inc. ** Adam Keeton ** Kevin Liu <kliu@sourcefire.com> -* +* ** $ID: $ ** ** This program is free software; you can redistribute it and/or modify @@ -30,23 +30,14 @@ #ifndef SF_IP_H #define SF_IP_H -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - #ifndef WIN32 #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> +#include <netinet/in.h> #endif -#ifdef SF_IP_TEST -#define INLINE inline -#else -#include "debug.h" /* for INLINE definition */ -#endif - -#include "sf_types.h" +#include "snort_debug.h" /* for inline definition */ /* define SFIP_ROBUST to check pointers passed into the sfip libs. * Robustification should not be enabled if the client code is trustworthy. @@ -70,8 +61,8 @@ #else -#define ARG_CHECK1(a, z) -#define ARG_CHECK2(a, b, z) +#define ARG_CHECK1(a, z) +#define ARG_CHECK2(a, b, z) #define ARG_CHECK3(a, b, c, z) #endif @@ -128,11 +119,11 @@ /* Frees an sfip_t */ void sfip_free(sfip_t *ip); -/* Allocate IP address from an array of integers. The array better be +/* Allocate IP address from an array of integers. The array better be * long enough for the given family! */ sfip_t *sfip_alloc_raw(void *ip, int family, SFIP_RET *status); -/* Sets existing IP, "dst", to a raw source IP (4 or 16 bytes, +/* Sets existing IP, "dst", to a raw source IP (4 or 16 bytes, * according to family) */ SFIP_RET sfip_set_raw(sfip_t *dst, void *src, int src_family); 
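Review bot: The sf_ip.h hunk drops `#include "sf_types.h"` (and the config.h include), yet the header still spells its integer types as `u_int8_t`/`u_int32_t` in sfip_size, _ip4_cmp, _ip6_cmp and sfip_fast_lt6 (visible in the later hunks), while sf_ip.c was converted to `uint32_t`/`uint8_t` in this same commit; unless snort_debug.h transitively provides them, the BSD names now come only from `<sys/types.h>`, which this header does not include on WIN32. I'd either keep `#include "sf_types.h"` or finish the conversion in the header so both files use the C99 names, e.g. `return (unsigned int)((ipt->ip.u6_addr8+4) - (uint8_t*)ipt);` in sfip_size and `static inline SFIP_RET _ip4_cmp(uint32_t ip1, uint32_t ip2)` for the comparator. Either way a one-line comment on the include block saying where the fixed-width types are expected to come from would stop the next cleanup from breaking it.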
@@ -144,7 +135,7 @@ /* return required size (eg for hashing) * requires that address bytes be the last field in sfip_t */ -static INLINE unsigned int sfip_size(sfip_t* ipt) +static inline unsigned int sfip_size(sfip_t* ipt) { if ( ipt->family == AF_INET6 ) return sizeof(*ipt); return (unsigned int)((ipt->ip.u6_addr8+4) - (u_int8_t*)ipt); @@ -159,12 +150,12 @@ #define sfip_family(ip) ip->family /* Returns the number of bits used for masking "ip" */ -static INLINE unsigned char sfip_bits(sfip_t *ip) { +static inline unsigned char sfip_bits(sfip_t *ip) { ARG_CHECK1(ip, 0); return (unsigned char)ip->bits; -} +} -static INLINE void sfip_set_bits(sfip_t *p, int bits) { +static inline void sfip_set_bits(sfip_t *p, int bits) { if(!p) return; @@ -181,19 +172,19 @@ /* IP Comparisons ******************************************************/ -/* Check if ip is contained within the network specified by net */ +/* Check if ip is contained within the network specified by net */ /* Returns SFIP_EQUAL if so */ SFIP_RET sfip_contains(sfip_t *net, sfip_t *ip); /* Returns 1 if the IP is non-zero. 0 otherwise */ /* XXX This is a performance critical function, \ * need to determine if it's safe to not check these pointers */\ -static INLINE int sfip_is_set(sfip_t *ip) { +static inline int sfip_is_set(sfip_t *ip) { // ARG_CHECK1(ip, -1); - return ip->ip32[0] || - ( (ip->family == AF_INET6) && - (ip->ip32[1] || - ip->ip32[2] || + return ip->ip32[0] || + ( (ip->family == AF_INET6) && + (ip->ip32[1] || + ip->ip32[2] || ip->ip32[3] || ip->bits != 128)) || ((ip->family == AF_INET) && ip->bits != 32) ; } @@ -204,7 +195,7 @@ int sfip_ismapped(sfip_t *ip); /* Support function for sfip_compare */ -static INLINE SFIP_RET _ip4_cmp(u_int32_t ip1, u_int32_t ip2) { +static inline SFIP_RET _ip4_cmp(u_int32_t ip1, u_int32_t ip2) { u_int32_t hip1 = htonl(ip1); u_int32_t hip2 = htonl(ip2); if(hip1 < hip2) return SFIP_LESSER; 
@@ -213,13 +204,13 @@ } /* Support function for sfip_compare */ -static INLINE SFIP_RET _ip6_cmp(sfip_t *ip1, sfip_t *ip2) { +static inline SFIP_RET _ip6_cmp(sfip_t *ip1, sfip_t *ip2) { SFIP_RET ret; - u_int32_t *p1, *p2; + u_int32_t *p1, *p2; /* XXX * Argument are assumed trusted! - * This function is presently only called by sfip_compare + * This function is presently only called by sfip_compare * on validated pointers. * XXX */ @@ -234,12 +225,12 @@ return ret; } -/* Compares two IPs - * Returns SFIP_LESSER, SFIP_EQUAL, SFIP_GREATER, if ip1 is less than, equal to, - * or greater than ip2 In the case of mismatched families, the IPv4 address +/* Compares two IPs + * Returns SFIP_LESSER, SFIP_EQUAL, SFIP_GREATER, if ip1 is less than, equal to, + * or greater than ip2 In the case of mismatched families, the IPv4 address * is converted to an IPv6 representation. */ /* XXX-IPv6 Should add version of sfip_compare that just tests equality */ -static INLINE SFIP_RET sfip_compare(sfip_t *ip1, sfip_t *ip2) { +static inline SFIP_RET sfip_compare(sfip_t *ip1, sfip_t *ip2) { int f1,f2; ARG_CHECK2(ip1, ip2, SFIP_ARG_ERR); @@ -254,7 +245,7 @@ if(f1 == AF_INET && f2 == AF_INET) { return _ip4_cmp(*ip1->ip32, *ip2->ip32); - } + } /* Mixed families not presently supported */ #if 0 else if(f1 == AF_INET && f2 == AF_INET6) { @@ -263,7 +254,7 @@ } else if(f1 == AF_INET6 && f2 == AF_INET) { conv = sfip_4to6(ip2); return _ip6_cmp(ip1, &conv); - } + } else { return _ip6_cmp(ip1, ip2); } 
@@ -275,12 +266,12 @@ return SFIP_FAILURE; } -/* Compares two IPs - * Returns SFIP_LESSER, SFIP_EQUAL, SFIP_GREATER, if ip1 is less than, equal to, - * or greater than ip2 In the case of mismatched families, the IPv4 address +/* Compares two IPs + * Returns SFIP_LESSER, SFIP_EQUAL, SFIP_GREATER, if ip1 is less than, equal to, + * or greater than ip2 In the case of mismatched families, the IPv4 address * is converted to an IPv6 representation. */ /* XXX-IPv6 Should add version of sfip_compare that just tests equality */ -static INLINE SFIP_RET sfip_compare_unset(sfip_t *ip1, sfip_t *ip2) { +static inline SFIP_RET sfip_compare_unset(sfip_t *ip1, sfip_t *ip2) { int f1,f2; ARG_CHECK2(ip1, ip2, SFIP_ARG_ERR); @@ -296,7 +287,7 @@ if(f1 == AF_INET && f2 == AF_INET) { return _ip4_cmp(*ip1->ip32, *ip2->ip32); - } + } /* Mixed families not presently supported */ #if 0 else if(f1 == AF_INET && f2 == AF_INET6) { @@ -305,7 +296,7 @@ } else if(f1 == AF_INET6 && f2 == AF_INET) { conv = sfip_4to6(ip2); return _ip6_cmp(ip1, &conv); - } + } else { return _ip6_cmp(ip1, ip2); } @@ -317,18 +308,18 @@ return SFIP_FAILURE; } -static INLINE int sfip_fast_lt4(sfip_t *ip1, sfip_t *ip2) { +static inline int sfip_fast_lt4(sfip_t *ip1, sfip_t *ip2) { return *ip1->ip32 < *ip2->ip32; } -static INLINE int sfip_fast_gt4(sfip_t *ip1, sfip_t *ip2) { +static inline int sfip_fast_gt4(sfip_t *ip1, sfip_t *ip2) { return *ip1->ip32 > *ip2->ip32; } -static INLINE int sfip_fast_eq4(sfip_t *ip1, sfip_t *ip2) { +static inline int sfip_fast_eq4(sfip_t *ip1, sfip_t *ip2) { return *ip1->ip32 == *ip2->ip32; } -static INLINE int sfip_fast_lt6(sfip_t *ip1, sfip_t *ip2) { - u_int32_t *p1, *p2; +static inline int sfip_fast_lt6(sfip_t *ip1, sfip_t *ip2) { + u_int32_t *p1, *p2; p1 = ip1->ip32; p2 = ip2->ip32; 
@@ -348,8 +339,8 @@ return 0; } -static INLINE int sfip_fast_gt6(sfip_t *ip1, sfip_t *ip2) { - u_int32_t *p1, *p2; +static inline int sfip_fast_gt6(sfip_t *ip1, sfip_t *ip2) { + u_int32_t *p1, *p2; p1 = ip1->ip32; p2 = ip2->ip32; @@ -369,8 +360,8 @@ return 0; } -static INLINE int sfip_fast_eq6(sfip_t *ip1, sfip_t *ip2) { - u_int32_t *p1, *p2; +static inline int sfip_fast_eq6(sfip_t *ip1, sfip_t *ip2) { + u_int32_t *p1, *p2; p1 = ip1->ip32; p2 = ip2->ip32; @@ -384,7 +375,7 @@ } /* Checks if ip2 is equal to ip1 or contained within the CIDR ip1 */ -static INLINE int sfip_fast_cont4(sfip_t *ip1, sfip_t *ip2) { +static inline int sfip_fast_cont4(sfip_t *ip1, sfip_t *ip2) { u_int32_t shift = 32 - sfip_bits(ip1); u_int32_t ip = ntohl(*ip2->ip32); @@ -395,7 +386,7 @@ } /* Checks if ip2 is equal to ip1 or contained within the CIDR ip1 */ -static INLINE int sfip_fast_cont6(sfip_t *ip1, sfip_t *ip2) { +static inline int sfip_fast_cont6(sfip_t *ip1, sfip_t *ip2) { u_int32_t ip; int i, bits = sfip_bits(ip1); int words = bits / 32; 
@@ -415,6 +406,83 @@ return ntohl(ip1->ip32[i]) == ip; } +/******************************************************************** + * Function: sfip_is_private() + * + * Checks if the address is local + * + * Arguments: + * sfip_t * - IP address to check + * + * Returns: + * 1 if the IP is in local network + * 0 otherwise + * + ********************************************************************/ +#ifdef SUP_IP6 +static inline int sfip_is_private(sfip_t *ip) +{ + unsigned int *p; + + ARG_CHECK1(ip, 0); + + if(sfip_family(ip) == AF_INET) { + /* + * 10.0.0.0 - 10.255.255.255 (10/8 prefix) + * 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) + * 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) + * */ + return( (ip->ip8[0] == 10) + ||((ip->ip8[0] == 172) && ((ip->ip8[1] & 0xf0 ) == 16)) + ||((ip->ip8[0] == 192) && (ip->ip8[1] == 168)) ); + + } + + p = ip->ip32; + + /* Check the first 64 bits in an IPv6 address, and */ + /* verify they're zero. If not, it's not a loopback */ + if(p[0] || p[1]) return 0; + + /* Check if the 3rd 32-bit int is zero */ + if ( p[2] == 0 ) { + /* ::ipv4 compatible ipv6 */ + /* ::1 is the IPv6 loopback */ + return ( (ip->ip8[12] == 10) + ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16)) + ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) + || (ntohl(p[3]) == 0x1) ); + } + /* Check the 3rd 32-bit int for a mapped IPv4 address */ + if ( ntohl(p[2]) == 0xffff ) { + /* ::ffff: IPv4 loopback mapped over IPv6 */ + return ( (ip->ip8[12] == 10) + ||((ip->ip8[12] == 172) && ((ip->ip8[13] & 0xf0 ) == 16)) + ||((ip->ip8[12] == 192) && (ip->ip8[13] == 168)) ); + } + return 0; + +} +#else +static inline int sfip_is_private(uint32_t ip) +{ + + /* Loopback traffic - don't use htonl for speed reasons - + * s_addr is always in network order */ +#ifdef WORDS_BIGENDIAN + + return( ((ip >> 24) == 10) + ||(((ip >> 24) == 172) && (((ip >> 16) & 0xf0 ) == 16)) + ||((ip >> 16) == 0xc0a8) ); +#else + + return( ((ip & 0xff) == 10) + ||(((ip & 0xff) == 172) && (((ip 
>> 8) & 0xf0 ) == 16)) + ||((ip & 0xffff) == 0xa8c0) ); + +#endif +} +#endif #define sfip_equals(x,y) (sfip_compare(&x, &y) == SFIP_EQUAL) #define sfip_not_equals !sfip_equals @@ -426,6 +494,7 @@ char *sfip_to_str(const sfip_t *ip); #define sfip_ntoa(x) sfip_to_str(x) void sfip_raw_ntop(int family, const void *ip_raw, char *buf, int bufsize); +void sfip_ntop(const sfip_t *ip, char *buf, int bufsize); #endif // SF_IP_H diff -Nru snort-2.9.0.1/src/sfutil/sf_iph.c snort-2.9.2/src/sfutil/sf_iph.c --- snort-2.9.0.1/src/sfutil/sf_iph.c 2010-01-26 10:10:25.000000000 -0800 +++ snort-2.9.2/src/sfutil/sf_iph.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2007-2010 Sourcefire, Inc. + * Copyright (C) 2007-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -21,7 +21,11 @@ ****************************************************************************/ #include <string.h> -#include "decode.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "decode.h" #ifdef SUP_IP6 @@ -33,9 +37,9 @@ #define IP6_VER(x) ((x) >> 28) /* The 'Packet' structure is almost always allocated on the stack. - * Likewise, return buffers will almost always be aswell. + * Likewise, return buffers will almost always be aswell. * So, for performance reasons, argument validation can be disabled - * and removed from the code at compile time to prevent unecessary extra + * and removed from the code at compile time to prevent unecessary extra * conditionals from being checked at run-time. */ #define ERR_CHK_LVL 0 #if ERR_CHK_LVL == 2 
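Review bot: In sfip_is_private() the IPv6 branch returns 0 for every native IPv6 address because of the `if(p[0] || p[1]) return 0;` test, so only RFC 1918 ranges embedded in v4-compatible (`::a.b.c.d`) or v4-mapped (`::ffff:a.b.c.d`) form plus `::1` count as private; unique-local fc00::/7 (RFC 4193) and link-local fe80::/10, the IPv6 counterparts of the ranges checked for IPv4, are never matched, which any caller using this to separate internal from external hosts on a dual-stack network needs to know. If those are meant to be covered, a check placed before the 64-bit test does it: `if ((ip->ip8[0] & 0xfe) == 0xfc) return 1; /* fc00::/7 unique local, RFC 4193 */` and `if (ip->ip8[0] == 0xfe && (ip->ip8[1] & 0xc0) == 0x80) return 1; /* fe80::/10 link local */`. Loopback is handled asymmetrically as well — `::1` is accepted in the `p[2] == 0` branch while 127.0.0.0/8 is accepted in neither — and the inline comments ("it's not a loopback", "IPv4 loopback mapped over IPv6") were carried over from a loopback check and no longer describe what is tested, so the header comment should state the actual contract, e.g. "Returns 1 for RFC 1918 addresses (native IPv4, ::v4 or ::ffff:v4) and for ::1; every other IPv6 address returns 0." Note also that which sfip_is_private() a translation unit sees depends on SUP_IP6 (two different signatures) and WORDS_BIGENDIAN, both config.h macros, while an earlier hunk of this diff drops the config.h include from sf_ip.h, so each includer must pull in config.h first or it silently compiles against the other variant.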
@@ -46,21 +50,21 @@ #define VALIDATE(x,y) #endif -sfip_t *ip6_ret_src(Packet *p) +sfip_t *ip6_ret_src(const Packet *p) { VALIDATE(p, 1); return &p->ip6h->ip_src; } -sfip_t *orig_ip6_ret_src(Packet *p) +sfip_t *orig_ip6_ret_src(const Packet *p) { VALIDATE(p, 1); return &p->orig_ip6h->ip_src; } -sfip_t *ip6_ret_dst(Packet *p) +sfip_t *ip6_ret_dst(const Packet *p) { VALIDATE(p, 1); @@ -68,14 +72,14 @@ } -sfip_t *orig_ip6_ret_dst(Packet *p) +sfip_t *orig_ip6_ret_dst(const Packet *p) { VALIDATE(p, 1); return &p->orig_ip6h->ip_dst; } -uint16_t ip6_ret_toc(Packet *p) +uint16_t ip6_ret_toc(const Packet *p) { uint16_t toc; VALIDATE(p,1); @@ -85,7 +89,7 @@ return toc; } -uint16_t orig_ip6_ret_toc(Packet *p) +uint16_t orig_ip6_ret_toc(const Packet *p) { uint16_t toc; VALIDATE(p,1); @@ -94,20 +98,20 @@ return toc; } -uint8_t ip6_ret_hops(Packet *p) +uint8_t ip6_ret_hops(const Packet *p) { // VALIDATE(p,1); return p->ip6h->hop_lmt; } -uint8_t orig_ip6_ret_hops(Packet *p) +uint8_t orig_ip6_ret_hops(const Packet *p) { // VALIDATE(p,1); return p->orig_ip6h->hop_lmt; } -uint16_t ip6_ret_len(Packet *p) +uint16_t ip6_ret_len(const Packet *p) { VALIDATE(p,1); @@ -117,14 +121,14 @@ return p->ip6h->len; } -uint16_t orig_ip6_ret_len(Packet *p) +uint16_t orig_ip6_ret_len(const Packet *p) { VALIDATE(p,1); return p->orig_ip6h->len; } -uint32_t ip6_ret_id(Packet *p) +uint32_t ip6_ret_id(const Packet *p) { IP6Frag *frag_hdr; if (p->ip6_extension_count == 0) 
@@ -135,25 +139,25 @@ return frag_hdr->ip6f_ident; } -uint32_t orig_ip6_ret_id(Packet *p) +uint32_t orig_ip6_ret_id(const Packet *p) { // XXX-IPv6 "NOT YET IMPLEMENTED - IP6 identification" return 0; } -uint8_t ip6_ret_next(Packet *p) +uint8_t ip6_ret_next(const Packet *p) { VALIDATE(p,1); return p->ip6h->next; } -uint8_t orig_ip6_ret_next(Packet *p) +uint8_t orig_ip6_ret_next(const Packet *p) { VALIDATE(p,1); return p->orig_ip6h->next; } -uint16_t ip6_ret_off(Packet *p) +uint16_t ip6_ret_off(const Packet *p) { IP6Frag *frag_hdr; if (p->ip6_extension_count == 0) 
@@ -164,153 +168,153 @@ return frag_hdr->ip6f_offlg; } -uint16_t orig_ip6_ret_off(Packet *p) +uint16_t orig_ip6_ret_off(const Packet *p) { // XXX-IPv6 "NOT YET IMPLEMENTED - IP6 frag offset" return 0; } -uint8_t ip6_ret_ver(Packet *p) +uint8_t ip6_ret_ver(const Packet *p) { - return (uint8_t)IP6_VER(p->ip6h->vcl); + return (uint8_t)IP6_VER(p->ip6h->vcl); } -uint8_t orig_ip6_ret_ver(Packet *p) +uint8_t orig_ip6_ret_ver(const Packet *p) { - return (uint8_t)IP6_VER(p->orig_ip6h->vcl); + return (uint8_t)IP6_VER(p->orig_ip6h->vcl); } -sfip_t *ip4_ret_dst(Packet *p) +sfip_t *ip4_ret_dst(const Packet *p) { VALIDATE(p,1); return &p->ip4h->ip_dst; } -sfip_t *orig_ip4_ret_dst(Packet *p) +sfip_t *orig_ip4_ret_dst(const Packet *p) { VALIDATE(p,1); return &p->orig_ip4h->ip_dst; } -sfip_t *ip4_ret_src(Packet *p) +sfip_t *ip4_ret_src(const Packet *p) { VALIDATE(p,1); return &p->ip4h->ip_src; } -sfip_t *orig_ip4_ret_src(Packet *p) +sfip_t *orig_ip4_ret_src(const Packet *p) { VALIDATE(p,1); return &p->orig_ip4h->ip_src; } -uint16_t ip4_ret_tos(Packet *p) +uint16_t ip4_ret_tos(const Packet *p) { VALIDATE(p,1); return p->ip4h->ip_tos; } -uint16_t orig_ip4_ret_tos(Packet *p) +uint16_t orig_ip4_ret_tos(const Packet *p) { VALIDATE(p,1); return p->orig_ip4h->ip_tos; } -uint8_t ip4_ret_ttl(Packet *p) +uint8_t ip4_ret_ttl(const Packet *p) { VALIDATE(p,1); return p->ip4h->ip_ttl; } -uint8_t orig_ip4_ret_ttl(Packet *p) +uint8_t orig_ip4_ret_ttl(const Packet *p) { VALIDATE(p,1); return p->orig_ip4h->ip_ttl; } -uint16_t ip4_ret_len(Packet *p) +uint16_t ip4_ret_len(const Packet *p) { VALIDATE(p,1); return p->ip4h->ip_len; } -uint16_t orig_ip4_ret_len(Packet *p) +uint16_t orig_ip4_ret_len(const Packet *p) { VALIDATE(p,1); return p->orig_ip4h->ip_len; } -uint32_t ip4_ret_id(Packet *p) +uint32_t ip4_ret_id(const Packet *p) { VALIDATE(p,1); - + return (uint32_t)p->ip4h->ip_id; } -uint32_t orig_ip4_ret_id(Packet *p) +uint32_t orig_ip4_ret_id(const Packet *p) { VALIDATE(p,1); - + return 
(uint32_t)p->orig_ip4h->ip_id; } -uint8_t ip4_ret_proto(Packet *p) +uint8_t ip4_ret_proto(const Packet *p) { // VALIDATION() - + return p->ip4h->ip_proto; } -uint8_t orig_ip4_ret_proto(Packet *p) +uint8_t orig_ip4_ret_proto(const Packet *p) { // VALIDATION() - + return p->orig_ip4h->ip_proto; } -uint16_t ip4_ret_off(Packet *p) +uint16_t ip4_ret_off(const Packet *p) { return p->ip4h->ip_off; } -uint16_t orig_ip4_ret_off(Packet *p) +uint16_t orig_ip4_ret_off(const Packet *p) { return p->orig_ip4h->ip_off; } -uint8_t ip4_ret_ver(Packet *p) +uint8_t ip4_ret_ver(const Packet *p) { - return IP_VER(p->iph); + return IP_VER(p->iph); } -uint8_t orig_ip4_ret_ver(Packet *p) +uint8_t orig_ip4_ret_ver(const Packet *p) { return IP_VER(p->orig_iph); } -uint8_t ip4_ret_hlen(Packet *p) +uint8_t ip4_ret_hlen(const Packet *p) { return IP_HLEN(p->iph); } -uint8_t orig_ip4_ret_hlen(Packet *p) +uint8_t orig_ip4_ret_hlen(const Packet *p) { return IP_HLEN(p->orig_iph); } -uint8_t ip6_ret_hlen(Packet *p) +uint8_t ip6_ret_hlen(const Packet *p) { /* Snort is expecting this number to be in terms of 32 bit words */ return IP6_HDR_LEN / 4 ; } -uint8_t orig_ip6_ret_hlen(Packet *p) +uint8_t orig_ip6_ret_hlen(const Packet *p) { return IP6_HDR_LEN / 4; } @@ -342,7 +346,7 @@ { hdr4 = (IPHdr*)hdr; - /* The struct Snort uses is identical to the actual IP6 struct, + /* The struct Snort uses is identical to the actual IP6 struct, * with the exception of the IP addresses. Copy over everything but * the IPs */ memcpy(&p->inner_ip4h, hdr4, sizeof(IPHdr) - 8); @@ -354,8 +358,8 @@ else { hdr6 = (IP6RawHdr*)hdr; - - /* The struct Snort uses is identical to the actual IP6 struct, + + /* The struct Snort uses is identical to the actual IP6 struct, * with the exception of the IP addresses. Copy over everything but * the IPs*/ memcpy(&p->inner_ip6h, hdr6, sizeof(IP6RawHdr) - 32); 
@@ -393,7 +397,7 @@ { hdr4 = (IPHdr*)hdr; - /* The struct Snort uses is identical to the actual IP6 struct, + /* The struct Snort uses is identical to the actual IP6 struct, * with the exception of the IP addresses. Copy over everything but * the IPs */ memcpy(&p->inner_orig_ip4h, hdr4, sizeof(IPHdr) - 8); @@ -405,8 +409,8 @@ else { hdr6 = (IP6RawHdr*)hdr; - - /* The struct Snort uses is identical to the actual IP6 struct, + + /* The struct Snort uses is identical to the actual IP6 struct, * with the exception of the IP addresses. Copy over everything but * the IPs*/ memcpy(&p->inner_orig_ip6h, hdr6, sizeof(IP6RawHdr) - 32); diff -Nru snort-2.9.0.1/src/sfutil/sf_iph.h snort-2.9.2/src/sfutil/sf_iph.h --- snort-2.9.0.1/src/sfutil/sf_iph.h 2010-01-26 10:10:25.000000000 -0800 +++ snort-2.9.2/src/sfutil/sf_iph.h 2011-02-09 15:23:36.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sf_ipvar.c snort-2.9.2/src/sfutil/sf_ipvar.c --- snort-2.9.0.1/src/sfutil/sf_ipvar.c 2010-06-09 15:05:30.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_ipvar.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 1998-2010 Sourcefire, Inc. +** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -29,6 +29,10 @@ #include <string.h> #include <ctype.h> #include <stdio.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "util.h" #include "sf_ipvar.h" #include "sf_vartable.h" 
@@ -38,7 +42,7 @@ static SFIP_RET sfvar_list_compare(sfip_node_t *, sfip_node_t *); -static INLINE sfip_var_t *_alloc_var(void) +static inline sfip_var_t *_alloc_var(void) { return (sfip_var_t*)calloc(1, sizeof(sfip_var_t)); } @@ -48,7 +52,7 @@ sfip_node_t *p, *next; if(!var) return; - + if(var->name) free(var->name); if(var->value) free(var->value); @@ -94,15 +98,15 @@ *status = SFIP_ALLOC_ERR; return NULL; } - + /* Check if this string starts with a '!', if so, * then the node needs to be negated */ if(*str == '!') { str++; ret->flags |= SFIP_NEGATED; - } - + } + /* Check if this is an "any" */ if(!strncasecmp(str, "any", 3)) { @@ -121,7 +125,7 @@ { /* Failed to parse this string, so free and return */ if(status) - *status = SFIP_ALLOC_ERR; + *status = SFIP_ALLOC_ERR; free(ret); return NULL; @@ -140,7 +144,7 @@ } #endif - } + } else if( (ret->ip = sfip_alloc(str, status)) == NULL ) { /* Failed to parse this string, so free and return */ @@ -157,7 +161,7 @@ *status = SFIP_NOT_ANY; free(ret->ip); free(ret); - return NULL; + return NULL; } return ret; @@ -179,7 +183,7 @@ { return SFIP_ALLOC_ERR; } - + dst->head = copiedvar->head; dst->neg_head = copiedvar->neg_head; @@ -187,11 +191,11 @@ if(dst->head) { - for(idx = dst->head; idx->next; idx = idx->next) + for(idx = dst->head; idx->next; idx = idx->next) ; idx->next = oldhead; - } + } else { dst->head = oldhead; @@ -199,10 +203,10 @@ if(dst->neg_head) { - for(idx = dst->neg_head; idx->next; idx = idx->next) + for(idx = dst->neg_head; idx->next; idx = idx->next) ; - idx->next = oldneg; + idx->next = oldneg; } else { @@ -219,16 +223,16 @@ sfip_node_t **head; if(!var || !node) return SFIP_ARG_ERR; - + /* XXX */ - /* As of this writing, 11/20/06, nodes are always added to + /* As of this writing, 11/20/06, nodes are always added to * the list, regardless of the mode (list or table). */ if(negated) - head = &var->neg_head; + head = &var->neg_head; else head = &var->head; - + if(!(*head)) { 
@@ -238,7 +242,7 @@ /* "Anys" should always be inserted first */ /* Otherwise, check if this IP is less than the head's IP */ - if((node->flags & SFIP_ANY) || + if((node->flags & SFIP_ANY) || (sfip_compare(node->ip, (*head)->ip) == SFIP_LESSER)) { node->next = *head; @@ -273,7 +277,7 @@ return SFIP_SUCCESS; /* XXX Insert new node into routing table */ -// sfrt_add(node->ip, +// sfrt_add(node->ip, } static SFIP_RET sfvar_list_compare(sfip_node_t *list1, sfip_node_t *list2) @@ -287,20 +291,20 @@ return SFIP_EQUAL; /* Check the ip lists for count mismatch */ - for (tmp = list1; tmp != NULL; tmp = tmp->next) + for (tmp = list1; tmp != NULL; tmp = tmp->next) total1++; - for (tmp = list2; tmp != NULL; tmp = tmp->next) + for (tmp = list2; tmp != NULL; tmp = tmp->next) total2++; - if (total1 != total2) + if (total1 != total2) return SFIP_FAILURE; /* Walk first list. For each node, check if there is an equal - * counterpart in the second list. This method breaks down of there are + * counterpart in the second list. This method breaks down of there are * duplicated nodes. For instance, if one = {a, b} and two = {a, a}. - * Therefore, need additional data structure[s] ('usage') to check off - * which nodes have been accounted for already. + * Therefore, need additional data structure[s] ('usage') to check off + * which nodes have been accounted for already. * - * Also, the lists are not necessarily ordered, so comparing + * Also, the lists are not necessarily ordered, so comparing * node-for-node won't work */ /* Lists are of equal size */ @@ -340,7 +344,7 @@ return SFIP_EQUAL; /* If one NULL and not the other, consider unequal */ - if((one && !two) || (!one && two)) + if((one && !two) || (!one && two)) return SFIP_FAILURE; if (sfvar_is_alias(one, two)) 
@@ -355,9 +359,9 @@ return SFIP_EQUAL; } -/* Support function for sfvar_parse_iplist. Used to - * correctly match up end brackets. - * (Can't just do strchr(str, ']') because of the +/* Support function for sfvar_parse_iplist. Used to + * correctly match up end brackets. + * (Can't just do strchr(str, ']') because of the * [a, [b], c] case, and can't do strrchr because * of the [a, [b], [c]] case) */ static char *_find_end_token(char *str) @@ -403,12 +407,12 @@ sfip_node_t *node; sfip_node_t *temp; - for(node = var->head; node; node=node->next) + for(node = var->head; node; node=node->next) _negate_node(node); - for(node = var->neg_head; node; node=node->next) + for(node = var->neg_head; node; node=node->next) _negate_node(node); - + /* Swap lists */ temp = var->head; var->head = var->neg_head; @@ -422,7 +426,7 @@ SFIP_RET ret; int neg_ip; - if(!var || !table || !str) + if(!var || !table || !str) return SFIP_ARG_ERR; while(*str) @@ -437,11 +441,11 @@ neg_ip = 0; /* Handle multiple negations */ - for(; *str == '!'; str++) + for(; *str == '!'; str++) neg_ip = !neg_ip; /* Find end of this token */ - for(end = str+1; + for(end = str+1; *end && !isspace((int)*end) && *end != LIST_CLOSE && *end != ','; end++) ; @@ -457,7 +461,7 @@ /* No trailing bracket found */ return SFIP_UNMATCHED_BRACKET; } - + str++; list_tok = SnortStrndup(str, end - str); @@ -470,7 +474,7 @@ } free(list_tok); - } + } else if(*str == '$') { sfip_var_t *tmp_var; @@ -507,7 +511,7 @@ sfvar_add(var, copy_var); sfvar_free(copy_var); - } + } else if(*str == LIST_CLOSE) { /* This should be the last character, if not, then this is an @@ -515,7 +519,7 @@ if(!(*(str+1))) { free(tok); - return SFIP_SUCCESS; + return SFIP_SUCCESS; } free(tok); @@ -534,11 +538,11 @@ free(tok); return SFIP_NOT_ANY; } - + /* This should be an IP address! */ /* Allocate new node for this string and add it to "ret" */ if((node = sfipnode_alloc(tok, &ret)) == NULL) - { + { free(tok); return ret; } 
@@ -576,11 +580,11 @@ SFIP_RET sfvar_validate(sfip_var_t *var) { sfip_node_t *idx, *neg_idx; - + if(!var->head || !var->neg_head) return SFIP_SUCCESS; - - for(idx = var->head; idx; idx = idx->next) + + for(idx = var->head; idx; idx = idx->next) { for(neg_idx = var->neg_head; neg_idx; neg_idx = neg_idx->next) { @@ -593,7 +597,7 @@ } } } - + return SFIP_SUCCESS; } @@ -630,14 +634,14 @@ sfip_var_t *ret, *tmpvar; char *str, *end, *tmp; SFIP_RET stat; - + if(!variable || !(*variable)) { if(status) *status = SFIP_ARG_ERR; return NULL; } - + if( (ret = _alloc_var()) == NULL ) { if(status) @@ -726,7 +730,7 @@ return NULL; } - if(ret->head && + if(ret->head && (ret->head->flags & SFIP_ANY && ret->head->flags & SFIP_NEGATED)) { if(status) @@ -748,12 +752,12 @@ return ret; } -static INLINE sfip_node_t *_sfvar_deep_copy_list(const sfip_node_t *idx) +static inline sfip_node_t *_sfvar_deep_copy_list(const sfip_node_t *idx) { sfip_node_t *ret, *temp, *prev; ret = temp = NULL; - + for( ; idx; idx = idx->next) { @@ -783,7 +787,7 @@ { ret = temp; } - } + } return ret; } @@ -805,7 +809,7 @@ /* Support function for sfvar_ip_in */ -static INLINE int _sfvar_ip_in4(sfip_var_t *var, sfip_t *ip) +static inline int _sfvar_ip_in4(sfip_var_t *var, sfip_t *ip) { int match; sfip_node_t *pos_idx, *neg_idx; @@ -815,23 +819,23 @@ pos_idx = var->head; neg_idx = var->neg_head; - if(!pos_idx) + if(!pos_idx) { - for( ; neg_idx; neg_idx = neg_idx->next) + for( ; neg_idx; neg_idx = neg_idx->next) { - if(sfip_family(neg_idx->ip) != AF_INET) + if(sfip_family(neg_idx->ip) != AF_INET) continue; - + if(sfip_fast_cont4(neg_idx->ip, ip)) { return 0; } - } + } return 1; } - - while(pos_idx) + + while(pos_idx) { if(neg_idx) { 
@@ -840,20 +844,20 @@ { return 0; } - + neg_idx = neg_idx->next; - } + } /* No more potential negations. Check if we've already matched. */ else if(match) { return 1; } - if(!match) + if(!match) { if(sfip_is_set(pos_idx->ip)) { - if(sfip_family(pos_idx->ip) == AF_INET && + if(sfip_family(pos_idx->ip) == AF_INET && sfip_fast_cont4(pos_idx->ip, ip)) { match = 1; @@ -868,13 +872,13 @@ match = 1; } } - } + } return 0; } /* Support function for sfvar_ip_in */ -static INLINE int _sfvar_ip_in6(sfip_var_t *var, sfip_t *ip) +static inline int _sfvar_ip_in6(sfip_var_t *var, sfip_t *ip) { int match; sfip_node_t *pos_idx, *neg_idx; @@ -884,23 +888,23 @@ pos_idx = var->head; neg_idx = var->neg_head; - if(!pos_idx) + if(!pos_idx) { - for( ; neg_idx; neg_idx = neg_idx->next) + for( ; neg_idx; neg_idx = neg_idx->next) { - if(sfip_family(neg_idx->ip) != AF_INET6) + if(sfip_family(neg_idx->ip) != AF_INET6) continue; - + if(sfip_fast_cont6(neg_idx->ip, ip)) { return 0; } - } + } return 1; } - - while(pos_idx) + + while(pos_idx) { if(neg_idx) { @@ -909,21 +913,21 @@ { return 0; } - + neg_idx = neg_idx->next; - } + } /* No more potential negations. Check if we've already matched. */ else if(match) { return 1; } - if(!match) + if(!match) { if(sfip_is_set(pos_idx->ip)) { - if(sfip_family(pos_idx->ip) == AF_INET6 && + if(sfip_family(pos_idx->ip) == AF_INET6 && sfip_fast_cont6(pos_idx->ip, ip)) { match = 1; @@ -938,7 +942,7 @@ match = 1; } } - } + } return 0; } @@ -958,14 +962,14 @@ { #endif /* Since this is a performance-critical function it uses different - * codepaths for IPv6 and IPv4 traffic, rather than the dual-stack + * codepaths for IPv6 and IPv4 traffic, rather than the dual-stack * functions. */ - if(sfip_family(ip) == AF_INET) + if(sfip_family(ip) == AF_INET) { return _sfvar_ip_in4(var, ip); } - else + else { return _sfvar_ip_in6(var, ip); } 
@@ -974,27 +978,68 @@ #endif } - -/* Prints the variable "var" to the file descriptor 'f' */ -void sfvar_print(FILE *f, sfip_var_t *var) +static char buffer[1024]; +void sfip_set_print(const char *prefix, sfip_node_t *p) { - if(!f) return; - - if(!var || !var->head) + int ret; + for(; p; p = p->next) { - fprintf(f, "[no variable]\n"); - return; + buffer[0] = '\0'; + if(!p->ip) continue; + if(p->flags & SFIP_NEGATED) + { + if (((p->ip->family == AF_INET6) && (p->ip->bits != 128)) || + ((p->ip->family == AF_INET) && (p->ip->bits != 32))) + { + ret = SnortSnprintfAppend(buffer, sizeof(buffer), "!%s/%d", sfip_to_str(p->ip), p->ip->bits); + } + else + { + ret = SnortSnprintfAppend(buffer, sizeof(buffer), "!%s", sfip_to_str(p->ip)); + } + if (ret != SNORT_SNPRINTF_SUCCESS) + return; + } + else + { + if (((p->ip->family == AF_INET6) && (p->ip->bits != 128)) || + ((p->ip->family == AF_INET) && (p->ip->bits != 32))) + { + ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s/%d", sfip_to_str(p->ip), p->ip->bits); + } + else + { + ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s", sfip_to_str(p->ip)); + } + if (ret != SNORT_SNPRINTF_SUCCESS) + return; + } + if (prefix) + LogMessage("%s%s\n", prefix, buffer); + else + LogMessage("%s\n", buffer); } +} - fprintf(f, "Name: %s\n", var->name); +void sfvar_print(const char *prefix, sfip_var_t *var) +{ + if (!var || !var->head) + { + return; + } if(var->mode == SFIP_LIST) { - if(var->head->flags & SFIP_ANY) - fprintf(f, "\t%p: <any>\n", (void*)var->head); + if(var->head->flags & SFIP_ANY) + { + if (prefix) + LogMessage("%sany\n", prefix); + else + LogMessage("any\n"); + } else - { - sfip_set_print(f, var->head); + { + sfip_set_print(prefix, var->head); } } else if(var->mode == SFIP_TABLE) @@ -1003,7 +1048,7 @@ } } -void sfip_set_print(FILE *f, sfip_node_t *p) +void sfip_set_print_to_file(FILE *f, sfip_node_t *p) { for(; p; p = p->next) { 
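Review bot: sfip_set_print() formats every node into the file-scope `static char buffer[1024]` added just above it, which makes the function non-reentrant: two callers (or two threads, if logging is ever driven from more than one) would overwrite each other's partially built line, and nothing here needs the buffer to outlive the call, so it should be a local `char buffer[1024];` at the top of the function with the static dropped. The early `return` when SnortSnprintfAppend() does not report SNORT_SNPRINTF_SUCCESS also ends the whole listing silently, so the log shows a truncated set with no marker; whether one address/prefix pair can actually exceed 1024 bytes depends on what sfip_to_str() returns, which is not visible here, but a `continue` plus a one-line "[entry too long]" message would at least keep the remaining nodes. As a point of style, the negated and non-negated branches differ only by the leading `!`, so folding the prefix and the masked test into two locals halves the function, as below. sfip_set_print() and sfvar_print() are both entirely inside this hunk.
```c
void sfip_set_print(const char *prefix, sfip_node_t *p)
{
    char buffer[1024];   /* local, not static: keeps the function reentrant */
    int ret;

    for(; p; p = p->next)
    {
        const char *neg;
        int masked;

        if(!p->ip) continue;

        neg = (p->flags & SFIP_NEGATED) ? "!" : "";
        masked = ((p->ip->family == AF_INET6) && (p->ip->bits != 128)) ||
                 ((p->ip->family == AF_INET) && (p->ip->bits != 32));

        buffer[0] = '\0';
        if (masked)
            ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s%s/%d", neg, sfip_to_str(p->ip), p->ip->bits);
        else
            ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s%s", neg, sfip_to_str(p->ip));
        if (ret != SNORT_SNPRINTF_SUCCESS)
            return;
        /* … unchanged: LogMessage with optional prefix … */
    }
}
```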
@@ -1015,6 +1060,34 @@ } } +/* Prints the variable "var" to the file descriptor 'f' */ +void sfvar_print_to_file(FILE *f, sfip_var_t *var) +{ + if(!f) return; + + if(!var || !var->head) + { + fprintf(f, "[no variable]\n"); + return; + } + + fprintf(f, "Name: %s\n", var->name); + + if(var->mode == SFIP_LIST) + { + if(var->head->flags & SFIP_ANY) + fprintf(f, "\t%p: <any>\n", (void*)var->head); + else + { + sfip_set_print_to_file(f, var->head); + } + } + else if(var->mode == SFIP_TABLE) + { + // XXX + } +} + int sfvar_flags(sfip_node_t *node) { if(node) return node->flags; @@ -1029,9 +1102,9 @@ sfip_vtable *table; sfip_var_t *var; sfip_t *ip; - + /* Test parsing */ - /* Allowable arguments: + /* Allowable arguments: * { <ip>[, <ip>, ... , <ip> } * Where an IP can be in CIDR notation, or be specified with a netmask. * IPs may also be negated with '!' */ @@ -1052,4 +1125,4 @@ } #endif - + diff -Nru snort-2.9.0.1/src/sfutil/sf_ipvar.h snort-2.9.2/src/sfutil/sf_ipvar.h --- snort-2.9.0.1/src/sfutil/sf_ipvar.h 2010-06-09 15:05:30.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_ipvar.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 1998-2010 Sourcefire, Inc. +** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -34,7 +34,7 @@ #include <stdio.h> #include "sf_ip.h" -/* Selects which mode a given variable is using to +/* Selects which mode a given variable is using to * store and lookup IP addresses */ typedef enum _modes { SFIP_LIST, 
@@ -51,17 +51,17 @@ int flags; // XXX int addr_flags; /* Flags used exlusively by Snort */ - /* Keeping these variables seperate keeps + /* Keeping these variables seperate keeps * this from stepping on Snort's toes. */ /* Should merge them later */ } sfip_node_t; /* An IP variable onkect */ typedef struct _var_t { - /* Selects whether or not to use the list, the table, + /* Selects whether or not to use the list, the table, * or any other method added later */ MODES mode; - + /* Linked lists. Switch to something faster later */ sfip_node_t *head; sfip_node_t *neg_head; @@ -69,7 +69,7 @@ /* The mode above will select whether to use the sfip_node_t linked list * or the IP routing table */ // sfrt rt; - + /* Linked list of IP variables for the variable table */ struct _var_t *next; @@ -111,7 +111,7 @@ SFIP_RET sfvar_add(sfip_var_t *dst, sfip_var_t *src); /* Adds the nodes in 'src' to the variable 'dst' */ -/* The mismatch of types is for ease-of-supporting Snort4 and +/* The mismatch of types is for ease-of-supporting Snort4 and * Snort6 simultaneously */ SFIP_RET sfvar_add_node(sfip_var_t *dst, sfip_node_t *src, int negated); @@ -129,9 +129,11 @@ int sfvar_ip_in(sfip_var_t *var, sfip_t *ip); /* Prints the variable "var" to the file descriptor 'f' */ -void sfvar_print(FILE *f, sfip_var_t *var); +void sfvar_print(const char *prefix, sfip_var_t *var); +void sfip_set_print(const char *prefix, sfip_node_t *head); -void sfip_set_print(FILE *f, sfip_node_t *head); +void sfvar_print_to_file(FILE *f, sfip_var_t *var); +void sfip_set_print_to_file(FILE *f, sfip_node_t *head); /* Returns the node's flags */ int sfvar_flags(sfip_node_t *node); diff -Nru snort-2.9.0.1/src/sfutil/sfksearch.c snort-2.9.2/src/sfutil/sfksearch.c --- snort-2.9.0.1/src/sfutil/sfksearch.c 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfksearch.c 2011-06-07 17:33:20.000000000 -0700 
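Review bot: The comment kept above the new `sfvar_print(const char *prefix, sfip_var_t *var);` prototype still says it prints "to the file descriptor 'f'", but that parameter now belongs to `sfvar_print_to_file()` two lines below, so the header documents the wrong function and says nothing about what `prefix` is or whether it may be NULL. From the .c side of this diff, sfvar_print()/sfip_set_print() emit one LogMessage() line per node, prepend `prefix` when it is non-NULL, and print nothing at all for a NULL or empty variable, whereas sfvar_print_to_file() writes "[no variable]" and a "Name:" header to `f`; callers switching between the two should see that difference here. Proposed: above sfvar_print(), `/* Logs "var" via LogMessage(), one node per line, each prefixed with 'prefix' (NULL = no prefix); a NULL or empty variable logs nothing */`, above sfip_set_print() the same for a node list, and move the existing "Prints the variable "var" to the file descriptor 'f'" comment down to sit above sfvar_print_to_file().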
@@ -1,17 +1,17 @@ /* * ksearch.c -* +* * Basic Keyword Search Trie - uses linked lists to build the finite automata * -* Keyword-Match: Performs the equivalent of a multi-string strcmp() +* Keyword-Match: Performs the equivalent of a multi-string strcmp() * - use for token testing after parsing the language tokens using lex or the like. * -* Keyword-Search: searches the input text for one of multiple keywords, +* Keyword-Search: searches the input text for one of multiple keywords, * and supports case sensitivite and case insensitive patterns. -* +* * ** Copyright (C) 2001 Marc Norton -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -36,6 +36,12 @@ #include <sys/types.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" + #define SFKSEARCH_TRACK_Q #ifdef SFKSEARCH_TRACK_Q @@ -43,9 +49,9 @@ # include "util.h" #endif -#include "debug.h" +#include "snort_debug.h" #include "sfksearch.h" -#include "bounds.h" +#include "snort_bounds.h" static void KTrieFree(KTRIENODE *n); @@ -57,7 +63,7 @@ { mtot = 0; } - + /* * Allocate Memory */ @@ -79,7 +85,7 @@ /* * Free Memory */ -static void KTRIE_FREE(void *p) +static void KTRIE_FREE(void *p) { if (p == NULL) return; @@ -93,7 +99,7 @@ static unsigned char Tnocase[65*1024]; /* -** Case Translation Table +** Case Translation Table */ static unsigned char xlatcase[256]; @@ -106,7 +112,7 @@ static int first=1; if( !first ) return; /* thread safe */ - + for(i=0;i<256;i++) { xlatcase[ i ] = (unsigned char)tolower(i); @@ -118,7 +124,7 @@ /* * */ -static INLINE void ConvertCaseEx( unsigned char * d, unsigned char *s, int m ) +static inline void ConvertCaseEx( unsigned char * d, unsigned char *s, int m ) { int i; for( i=0; i < m; i++ ) 
@@ -138,8 +144,8 @@ KTRIE_STRUCT * ts = (KTRIE_STRUCT*) KTRIE_MALLOC( sizeof(KTRIE_STRUCT) ); if( !ts ) return 0; - - memset(ts, 0, sizeof(KTRIE_STRUCT)); + + memset(ts, 0, sizeof(KTRIE_STRUCT)); init_xlatcase(); @@ -207,7 +213,7 @@ KTRIE_FREE(k); } -/* +/* * Recursively delete all nodes in trie */ static void KTrieFree(KTRIENODE *n) @@ -231,17 +237,17 @@ if (n < 1) return NULL; - + p = (KTRIEPATTERN*) KTRIE_MALLOC( sizeof(KTRIEPATTERN) ); if (p == NULL) return NULL; - /* Save as a nocase string */ + /* Save as a nocase string */ p->P = (unsigned char*) KTRIE_MALLOC( n ); - if( !p->P ) + if( !p->P ) { - KTRIE_FREE(p); + KTRIE_FREE(p); return NULL; } @@ -249,22 +255,22 @@ /* Save Case specific version */ p->Pcase = (unsigned char*) KTRIE_MALLOC( n ); - if( !p->Pcase ) + if( !p->Pcase ) { - KTRIE_FREE(p->P); - KTRIE_FREE(p); + KTRIE_FREE(p->P); + KTRIE_FREE(p); return NULL; } ret = SafeMemcpy(p->Pcase, P, n, p->Pcase, p->Pcase + n); if (ret != SAFEMEM_SUCCESS) { - KTRIE_FREE(p->Pcase); - KTRIE_FREE(p->P); - KTRIE_FREE(p); + KTRIE_FREE(p->Pcase); + KTRIE_FREE(p->P); + KTRIE_FREE(p); return NULL; } - + p->n = n; p->next = NULL; @@ -274,7 +280,7 @@ /* * Add Pattern info to the list of patterns */ -int KTrieAddPattern( KTRIE_STRUCT * ts, unsigned char * P, int n, +int KTrieAddPattern( KTRIE_STRUCT * ts, unsigned char * P, int n, int nocase, int negative, void * id ) { KTRIEPATTERN *pnew; @@ -303,7 +309,7 @@ ts->npats++; ts->memory += sizeof(KTRIEPATTERN) + 2 * n ; /* Case and nocase */ - + return 0; } @@ -321,7 +327,7 @@ memset(t,0,sizeof(KTRIENODE)); ts->memory += sizeof(KTRIENODE); - + return t; } @@ -336,7 +342,7 @@ int n = px->n; unsigned char *P = px->P; KTRIENODE *root; - + /* Make sure we at least have a root character for the tree */ if( !ts->root[*P] ) { @@ -349,7 +355,7 @@ root = ts->root[*P]; } - /* Walk existing Patterns */ + /* Walk existing Patterns */ while( n ) { if( root->edge == *P ) 
@@ -359,12 +365,12 @@ if( n && root->child ) { - root=root->child; + root=root->child; } else /* cannot continue */ { type = 0; /* Expand the tree via the child */ - break; + break; } } else @@ -376,12 +382,12 @@ else /* cannot continue */ { type = 1; /* Expand the tree via the sibling */ - break; + break; } } } - /* + /* * Add the next char of the Keyword, if any */ if( n ) @@ -389,7 +395,7 @@ if( type == 0 ) { /* - * Start with a new child to finish this Keyword + * Start with a new child to finish this Keyword */ root->child= KTrieCreateNode( ts ); if( ! root->child ) return -1; @@ -401,9 +407,9 @@ } else - { + { /* - * Start a new sibling bracnch to finish this Keyword + * Start a new sibling bracnch to finish this Keyword */ root->sibling= KTrieCreateNode( ts ); if( ! root->sibling ) return -1; @@ -451,30 +457,30 @@ static void Build_Bad_Character_Shifts( KTRIE_STRUCT * kt ) { int i,k; - KTRIEPATTERN *plist; + KTRIEPATTERN *plist; /* Calc the min pattern size */ kt->bcSize = 32000; for( plist=kt->patrn; plist!=NULL; plist=plist->next ) - { - if( plist->n < kt->bcSize ) + { + if( plist->n < kt->bcSize ) { kt->bcSize = plist->n; /* smallest pattern size */ } } /* - * Initialze the Bad Character shift table. + * Initialze the Bad Character shift table. */ for (i = 0; i < KTRIE_ROOT_NODES; i++) { - kt->bcShift[i] = (unsigned short)kt->bcSize; + kt->bcShift[i] = (unsigned short)kt->bcSize; } - /* + /* * Finish the Bad character shift table - */ + */ for( plist=kt->patrn; plist!=NULL; plist=plist->next ) { int shift, cindex; @@ -493,7 +499,7 @@ } } -static int KTrieBuildMatchStateNode(KTRIENODE *root, +static int KTrieBuildMatchStateNode(KTRIENODE *root, int (*build_tree)(void * id, void **existing_tree), int (*neg_list_func)(void *id, void **list)) { 
@@ -543,14 +549,14 @@ return cnt; } -static int KTrieBuildMatchStateTrees( KTRIE_STRUCT * ts, +static int KTrieBuildMatchStateTrees( KTRIE_STRUCT * ts, int (*build_tree)(void * id, void **existing_tree), int (*neg_list_func)(void *id, void **list)) { int i, cnt = 0; KTRIENODE * root; - /* Find the states that have a MatchList */ + /* Find the states that have a MatchList */ for (i = 0; i < KTRIE_ROOT_NODES; i++) { root = ts->root[i]; @@ -562,11 +568,11 @@ } return cnt; -} +} /* * Build the Keyword TRIE -* +* */ int KTrieCompile(KTRIE_STRUCT * ts, int (*build_tree)(void * id, void **existing_tree), @@ -574,11 +580,11 @@ { KTRIEPATTERN * p; /* - static int tmem=0; + static int tmem=0; */ - /* - * Build the Keyword TRIE + /* + * Build the Keyword TRIE */ for( p=ts->patrn; p; p=p->next ) { @@ -616,8 +622,8 @@ #endif } static -INLINE -void +inline +void _init_queue( SFK_PMQ * b) { b->inq=0; @@ -625,8 +631,8 @@ } /* uniquely insert into q */ -static -INLINE +static +inline int _add_queue(SFK_PMQ * b, void * p ) { @@ -639,7 +645,7 @@ for(i=(int)(b->inq)-1;i>=0;i--) if( p == b->q[i] ) return 0; - + #ifdef SFKSEARCH_TRACK_Q snort_conf->tot_inq_uinserts++; #endif @@ -660,17 +666,17 @@ } static -INLINE +inline unsigned -_process_queue( SFK_PMQ * q, +_process_queue( SFK_PMQ * q, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), - void *data ) + void *data ) { KTRIEPATTERN * pk; unsigned int i; #ifdef SFKSEARCH_TRACK_Q - if( q->inq > snort_conf->max_inq ) + if( q->inq > snort_conf->max_inq ) snort_conf->max_inq = q->inq; snort_conf->tot_inq_flush += q->inq_flush; #endif 
@@ -682,19 +688,19 @@ { if (match (pk->id, pk->rule_option_tree, 0, data, pk->neg_list) > 0) { - q->inq=0; + q->inq=0; return 1; } } } - q->inq=0; + q->inq=0; return 0; } -static -INLINE -int KTriePrefixMatchQ( KTRIE_STRUCT * kt, - unsigned char * T, +static +inline +int KTriePrefixMatchQ( KTRIE_STRUCT * kt, + unsigned char * T, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) @@ -705,9 +711,9 @@ root = kt->root[ xlatcase[*T] ]; - if( !root ) + if( !root ) return 0; - + while( n ) { if( root->edge == xlatcase[*T] ) @@ -715,7 +721,7 @@ T++; n--; - if( root->pkeyword ) + if( root->pkeyword ) { if( _add_queue( &kt->q, root->pkeyword ) ) { @@ -728,11 +734,11 @@ if( n && root->child ) { - root = root->child; + root = root->child; } else /* cannot continue -- match is over */ { - break; + break; } } else @@ -743,7 +749,7 @@ } else /* cannot continue */ { - break; + break; } } } @@ -758,20 +764,20 @@ * and processes all prefix matches. This is used for generic * pattern searching with a set of keywords and a body of text. * -* * -* kt- Trie Structure +* +* kt- Trie Structure * T - nocase text * Tc- case specific text -* n - text length -* +* n - text length +* * returns: * # pattern matches */ -static INLINE int KTriePrefixMatch( KTRIE_STRUCT * kt, - unsigned char * T, - unsigned char * Tc, - unsigned char * bT, +static inline int KTriePrefixMatch( KTRIE_STRUCT * kt, + unsigned char * T, + unsigned char * Tc, + unsigned char * bT, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) @@ -783,7 +789,7 @@ /* Check if any keywords start with this character */ if( !root ) return 0; - + while( n ) { if( root->edge == *T ) @@ -804,11 +810,11 @@ if( n && root->child ) { - root = root->child; + root = root->child; } else /* cannot continue -- match is over */ { - break; + break; } } else @@ -819,7 +825,7 @@ } else /* cannot continue */ { - break; + break; } } } 
@@ -828,8 +834,8 @@ } static -INLINE -int KTrieSearchQ( KTRIE_STRUCT * ks, unsigned char * T, int n, +inline +int KTrieSearchQ( KTRIE_STRUCT * ks, unsigned char * T, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) { @@ -844,8 +850,8 @@ return 0; } -static -INLINE +static +inline int KTrieSearchQBC( KTRIE_STRUCT * ks, unsigned char * T, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) @@ -856,17 +862,17 @@ int bcSize = ks->bcSize; _init_queue(&ks->q); - + Tend = T + n - bcSize; bcSize--; for( ;T <= Tend; n--, T++ ) { - while( (tshift = bcShift[ T[bcSize] ]) > 0 ) + while( (tshift = bcShift[ T[bcSize] ]) > 0 ) { T += tshift; - if( T > Tend ) + if( T > Tend ) return 0; } @@ -884,7 +890,7 @@ * */ static -INLINE +inline int KTrieSearchNoBC( KTRIE_STRUCT * ks, unsigned char * Tx, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) @@ -909,7 +915,7 @@ * */ static -INLINE +inline int KTrieSearchBC( KTRIE_STRUCT * ks, unsigned char * Tx, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) @@ -917,7 +923,7 @@ int tshift; unsigned char *Tend; unsigned char *T, *bT; - int nfound = 0; + int nfound = 0; short *bcShift = (short*)ks->bcShift; int bcSize = ks->bcSize; @@ -932,7 +938,7 @@ for( ;T <= Tend; n--, T++, Tx++ ) { - while( (tshift = bcShift[ *( T + bcSize ) ]) > 0 ) + while( (tshift = bcShift[ *( T + bcSize ) ]) > 0 ) { T += tshift; Tx += tshift; @@ -948,7 +954,7 @@ /* * */ -int KTrieSearch( KTRIE_STRUCT * ks, unsigned char * T, int n, +int KTrieSearch( KTRIE_STRUCT * ks, unsigned char * T, int n, int(*match)(void * id, void *tree, int index, void *data, void *neg_list), void * data ) { 
@@ -997,18 +1003,18 @@ int nocase=1; // don't care about case gargv = argv; - + ts = KTrieNew(); if( argc < 3 ) { printf("%s text pat1 pat2 ... patn [-c(ase-sensitive)\n",argv[0]); printf("search for keywords-default, or match keywords\n"); - exit(0); + exit(0); } for(i=1;i<argc;i++) - { + { if( strcmp(argv[i],"-c")==0 ) nocase=0; /* ignore case */ } @@ -1016,12 +1022,12 @@ for(i=2;i<argc;i++) { - if( argv[i][0]=='-' ) + if( argv[i][0]=='-' ) continue; KTrieAddPattern( ts, (unsigned char *)argv[i], strlen(argv[i]), nocase, i ); } - + printf("Patterns added \n"); KTrieCompile( ts ); @@ -1036,7 +1042,7 @@ printf("%d matches found\n",trie_nmatches); printf("normal pgm finish.\n"); - + return 0; } diff -Nru snort-2.9.0.1/src/sfutil/sfksearch.h snort-2.9.2/src/sfutil/sfksearch.h --- snort-2.9.0.1/src/sfutil/sfksearch.h 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfksearch.h 2011-02-09 15:23:37.000000000 -0800 @@ -5,7 +5,7 @@ * * * Copyright (C) 2001 Marc Norton -** Copyright (C) 2003-2010 Sourcefire, Inc. +** Copyright (C) 2003-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sflsq.c snort-2.9.2/src/sfutil/sflsq.c --- snort-2.9.0.1/src/sfutil/sflsq.c 2010-01-26 10:10:26.000000000 -0800 +++ snort-2.9.2/src/sfutil/sflsq.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
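Review bot: The context line `KTrieAddPattern( ts, (unsigned char *)argv[i], strlen(argv[i]), nocase, i );` passes five arguments, but the prototype earlier in this file takes six (`ts, P, n, nocase, negative, id`), so `i` lands in `negative` and `id` is never supplied; likewise `KTrieCompile( ts );` omits the two callback parameters the definition declares. This is presumably a standalone test driver compiled only under a conditional (the enclosing function starts outside the hunk), and the commit only touched whitespace here, but as written it no longer matches the file's own API; either update the calls to the current signatures or remove the dead driver so it cannot be mistaken for working example code.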
@@ -18,18 +18,18 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* -* sflsq.c +* sflsq.c * -* Simple list, stack, queue, and dictionary implementations +* Simple list, stack, queue, and dictionary implementations * ( most of these implementations are list based - not performance monsters, * and they all use alloc via s_alloc/s_free ) * Stack based Ineteger and Pointer Stacks, these are for performance.(inline would be better) * * 11/05/2005 - man - Added sflist_firstx() and sflist_nextx() with user * provided SF_NODE inputs for tracking the list position. This allows -* multiple readers to traverse a list. The built in 'cur' field does not +* multiple readers to traverse a list. The built in 'cur' field does not * wrok for multiple readers. * * @@ -39,12 +39,16 @@ #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sflsq.h" /* * private alloc -*/ -static void * s_alloc (size_t n) +*/ +static void * s_alloc (size_t n) { void *p = (void*) calloc( 1,n ); return p; @@ -52,25 +56,25 @@ /* * private free -*/ -static void s_free (void *p) +*/ +static void s_free (void *p) { if( p ) free( p ); } /* * INIT - called by the NEW functions -*/ -void sflist_init ( SF_LIST * s) +*/ +void sflist_init ( SF_LIST * s) { - s->count=0; + s->count=0; s->head = s->tail = s->cur = 0; } /* * NEW */ -SF_LIST * sflist_new(void) +SF_LIST * sflist_new(void) { SF_LIST * s; s = (SF_LIST*)s_alloc( sizeof(SF_LIST) ); @@ -78,18 +82,18 @@ return s; } -SF_STACK * sfstack_new(void) +SF_STACK * sfstack_new(void) { return (SF_STACK*)sflist_new(); } -SF_QUEUE * sfqueue_new(void) +SF_QUEUE * sfqueue_new(void) { return (SF_QUEUE*)sflist_new(); } /* -* Add-before Item -*/ +* Add-before Item +*/ int sflist_add_before ( SF_LIST* s, SF_LNODE * lnode, NODE_DATA ndata ) { SF_LNODE * q; 
@@ -125,9 +129,9 @@ * ADD to List/Stack/Queue/Dictionary */ /* -* Add-Head Item -*/ -int +* Add-Head Item +*/ +int sflist_add_head ( SF_LIST* s, NODE_DATA ndata ) { SF_LNODE * q; @@ -156,9 +160,9 @@ } /* -* Add-Tail Item -*/ -int +* Add-Tail Item +*/ +int sflist_add_tail ( SF_LIST* s, NODE_DATA ndata ) { SF_LNODE * q; @@ -185,26 +189,26 @@ return 0; } -int sfqueue_add(SF_QUEUE * s, NODE_DATA ndata ) +int sfqueue_add(SF_QUEUE * s, NODE_DATA ndata ) { return sflist_add_tail ( s, ndata ); } -int sfstack_add( SF_STACK* s, NODE_DATA ndata ) +int sfstack_add( SF_STACK* s, NODE_DATA ndata ) { return sflist_add_tail ( s, ndata ); } -/* +/* * List walk - First/Next - return the node data or NULL */ NODE_DATA sflist_first( SF_LIST * s ) { - if(!s) + if(!s) return 0; s->cur = s->head; - if( s->cur ) + if( s->cur ) return s->cur->ndata; return 0; } @@ -216,7 +220,7 @@ if( s->cur ) { s->cur = s->cur->next; - if( s->cur ) + if( s->cur ) return s->cur->ndata; } return 0; @@ -225,9 +229,9 @@ { if(!s) return 0; - + *v = s->head; - + if( *v ) return (*v)->ndata; @@ -237,19 +241,19 @@ { if(!s) return 0; - + if(v) { if(*v) { *v = (*v)->next; - if( *v ) + if( *v ) return (*v)->ndata; } } return 0; } -/* +/* * List walk - First/Next - return the node data or NULL */ SF_LNODE * sflist_first_node( SF_LIST * s ) @@ -258,7 +262,7 @@ return 0; s->cur = s->head; - if( s->cur ) + if( s->cur ) return s->cur; return 0; } @@ -269,7 +273,7 @@ if( s->cur ) { s->cur = s->cur->next; - if( s->cur ) + if( s->cur ) return s->cur; } return 0; @@ -277,8 +281,8 @@ /* * Remove Head Item from list -*/ -NODE_DATA sflist_remove_head (SF_LIST * s) +*/ +NODE_DATA sflist_remove_head (SF_LIST * s) { NODE_DATA ndata = 0; SF_QNODE * q; 
@@ -327,11 +331,11 @@ return (NODE_DATA)ndata; } -void sflist_remove_node (SF_LIST * s, SF_LNODE * n, void(*nfree)(void*) ) +void sflist_remove_node (SF_LIST * s, SF_LNODE * n, void(*nfree)(void*) ) { // NODE_DATA ndata = 0; SF_LNODE * cur; - + if( n == s->head ) { s->head = s->head->next; @@ -378,34 +382,34 @@ /* * Remove Head Item from queue -*/ -NODE_DATA sfqueue_remove (SF_QUEUE * s) +*/ +NODE_DATA sfqueue_remove (SF_QUEUE * s) { return (NODE_DATA)sflist_remove_head( s ); } /* * Remove Tail Item from stack -*/ -NODE_DATA sfstack_remove (SF_QUEUE * s) +*/ +NODE_DATA sfstack_remove (SF_QUEUE * s) { return (NODE_DATA)sflist_remove_tail( s ); } /* * COUNT -*/ -int sfqueue_count (SF_QUEUE * s) +*/ +int sfqueue_count (SF_QUEUE * s) { if(!s)return 0; return s->count; } -int sflist_count ( SF_LIST* s) +int sflist_count ( SF_LIST* s) { if(!s)return 0; return s->count; } -int sfstack_count ( SF_STACK * s) +int sfstack_count ( SF_STACK * s) { if(!s)return 0; return s->count; 
@@ -413,59 +417,59 @@ /* -* Free List + Free it's data nodes using 'nfree' +* Free List + Free it's data nodes using 'nfree' */ -void sflist_free_all( SF_LIST * s, void (*nfree)(void*) ) +void sflist_free_all( SF_LIST * s, void (*nfree)(void*) ) { void * p; - + if(!s) return; - + while( s->count > 0 ) { p = sflist_remove_head (s); - - if( p && nfree ) + + if( p && nfree ) nfree( p ); } s_free(s); } -void sfqueue_free_all(SF_QUEUE * s,void (*nfree)(void*) ) +void sfqueue_free_all(SF_QUEUE * s,void (*nfree)(void*) ) { - sflist_free_all( s, nfree ); + sflist_free_all( s, nfree ); } -void sfstack_free_all(SF_STACK * s,void (*nfree)(void*) ) +void sfstack_free_all(SF_STACK * s,void (*nfree)(void*) ) { - sflist_free_all( s, nfree ); + sflist_free_all( s, nfree ); } -void sflist_static_free_all( SF_LIST * s, void (*nfree)(void*) ) +void sflist_static_free_all( SF_LIST * s, void (*nfree)(void*) ) { void * p; - + if(!s) return; - + while( s->count > 0 ) { p = sflist_remove_head (s); - - if( p && nfree ) + + if( p && nfree ) nfree( p ); } } -void sfqueue_static_free_all(SF_QUEUE * s,void (*nfree)(void*) ) +void sfqueue_static_free_all(SF_QUEUE * s,void (*nfree)(void*) ) { - sflist_static_free_all( s, nfree ); + sflist_static_free_all( s, nfree ); } -void sfstack_static_free_all(SF_STACK * s,void (*nfree)(void*) ) +void sfstack_static_free_all(SF_STACK * s,void (*nfree)(void*) ) { - sflist_static_free_all( s, nfree ); + sflist_static_free_all( s, nfree ); } @@ -473,7 +477,7 @@ * FREE List/Queue/Stack/Dictionary * * This does not free a nodes data -*/ +*/ void sflist_free (SF_LIST * s) { while( sflist_count(s) ) @@ -482,13 +486,13 @@ } s_free(s); } -void sfqueue_free (SF_QUEUE * s) +void sfqueue_free (SF_QUEUE * s) { - sflist_free ( s ); + sflist_free ( s ); } void sfstack_free (SF_STACK * s) { - sflist_free ( s ); + sflist_free ( s ); } /* Use these if the SF_LIST was not dynamically allocated via 
@@ -499,14 +503,14 @@ sflist_remove_head(s); } -void sfqueue_static_free(SF_QUEUE *s) +void sfqueue_static_free(SF_QUEUE *s) { - sflist_static_free(s); + sflist_static_free(s); } void sfstack_static_free(SF_STACK *s) { - sflist_static_free(s); + sflist_static_free(s); } /* diff -Nru snort-2.9.0.1/src/sfutil/sflsq.h snort-2.9.2/src/sfutil/sflsq.h --- snort-2.9.0.1/src/sfutil/sflsq.h 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sflsq.h 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfmemcap.c snort-2.9.2/src/sfutil/sfmemcap.c --- snort-2.9.0.1/src/sfutil/sfmemcap.c 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfmemcap.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -18,28 +18,34 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* sfmemcap.c These functions wrap the alloc & free functions. They enforce a memory cap using the MEMCAP structure. The MEMCAP structure tracks memory usage. Each allocation - has 4 bytes added to it so we can store the allocation size. This allows us to + has 4 bytes added to it so we can store the allocation size. This allows us to free a block and accurately track how much memory was recovered. - - Marc Norton + + Marc Norton */ #include <stdlib.h> #include <stdio.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "sfmemcap.h" #include "util.h" /* * Set max # bytes & init other variables. */ -void sfmemcap_init( MEMCAP * mc, unsigned nbytes ) +void sfmemcap_init( MEMCAP * mc, unsigned long nbytes ) { mc->memcap = nbytes; mc->memused= 0; @@ -56,7 +62,7 @@ mc = (MEMCAP*)calloc(1,sizeof(MEMCAP)); if( mc ) sfmemcap_init( mc, nbytes ); - + return mc; } @@ -71,7 +77,7 @@ /* * Allocate some memory */ -void * sfmemcap_alloc( MEMCAP * mc, unsigned nbytes ) +void * sfmemcap_alloc( MEMCAP * mc, unsigned long nbytes ) { long * data; @@ -126,8 +132,8 @@ */ void sfmemcap_showmem( MEMCAP * mc ) { - fprintf(stderr, "memcap: memcap = %u bytes,",mc->memcap); - fprintf(stderr, " memused= %u bytes,",mc->memused); + fprintf(stderr, "memcap: memcap = %lu bytes,",mc->memcap); + fprintf(stderr, " memused= %lu bytes,",mc->memused); fprintf(stderr, " nblocks= %d blocks\n",mc->nblocks); } 
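Review bot: The file comment kept in the first hunk still says each allocation `has 4 bytes added to it so we can store the allocation size`, but the size parameter is now `unsigned long` and `sfmemcap_alloc` declares its bookkeeping pointer as `long * data`, which is 8 bytes on LP64 targets. Suggest `has a sizeof(long) header prepended so we can store the allocation size` — the exact header layout is outside the hunk, so confirm before rewording. It is also worth checking (not visible here) that adding that header to `nbytes` inside `sfmemcap_alloc` cannot wrap now that the parameter is `unsigned long`.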
@@ -155,7 +161,7 @@ /* * Dup Some memory. */ -void * sfmemcap_dupmem( MEMCAP * mc, void * src, int n ) +void * sfmemcap_dupmem( MEMCAP * mc, void * src, unsigned long n ) { void * data = (char *)sfmemcap_alloc( mc, n ); if(data == NULL) diff -Nru snort-2.9.0.1/src/sfutil/sfmemcap.h snort-2.9.2/src/sfutil/sfmemcap.h --- snort-2.9.0.1/src/sfutil/sfmemcap.h 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfmemcap.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,7 +18,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /* ** sfmemcap.h */ @@ -27,19 +27,19 @@ typedef struct { - unsigned memused; - unsigned memcap; + unsigned long memused; + unsigned long memcap; int nblocks; }MEMCAP; -void sfmemcap_init(MEMCAP * mc, unsigned nbytes); +void sfmemcap_init(MEMCAP * mc, unsigned long nbytes); MEMCAP * sfmemcap_new( unsigned nbytes ); void sfmemcap_delete( MEMCAP * mc ); -void * sfmemcap_alloc(MEMCAP * mc, unsigned nbytes); +void * sfmemcap_alloc(MEMCAP * mc, unsigned long nbytes); void sfmemcap_showmem(MEMCAP * mc ); void sfmemcap_free( MEMCAP * mc, void * memory); char * sfmemcap_strdup(MEMCAP * mc, const char *str); -void * sfmemcap_dupmem(MEMCAP * mc, void * src, int n ); +void * sfmemcap_dupmem(MEMCAP * mc, void * src, unsigned long n ); #endif diff -Nru snort-2.9.0.1/src/sfutil/sfPolicy.c snort-2.9.2/src/sfutil/sfPolicy.c --- snort-2.9.0.1/src/sfutil/sfPolicy.c 2010-01-26 10:10:24.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfPolicy.c 2011-10-26 11:28:52.000000000 -0700 
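Review bot: `MEMCAP * sfmemcap_new( unsigned nbytes );` is left with the old `unsigned` parameter while `sfmemcap_init`, `sfmemcap_alloc`, `sfmemcap_dupmem` and the `memcap`/`memused` fields are all widened to `unsigned long`, so a cap larger than UINT_MAX handed to `sfmemcap_new` is silently truncated before it reaches `sfmemcap_init`. Change the prototype to `MEMCAP * sfmemcap_new( unsigned long nbytes );` and the matching definition in sfmemcap.c (its signature line is outside that file's hunks).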
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,22 +18,26 @@ * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "stdlib.h" #include "stdio.h" #include "string.h" #include "sfPolicy.h" -#include "debug.h" +#include "snort_debug.h" #include "sfrt.h" -static INLINE int IsBound ( +static inline int IsBound ( tSfPolicyId id ) { return ( id != SF_VLAN_UNBOUND ); } -static INLINE int NotBound ( +static inline int NotBound ( tSfPolicyId id ) { @@ -129,7 +133,7 @@ config->ppPolicies[i]->refCount++; return i; } - } + } else if (emptyIndex == -1) { emptyIndex = i; @@ -201,7 +205,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "sfPolicyDelete: freed policyConfig policyId %d\n", policyId);); } - } + } } char * sfPolicyGet(tSfPolicyConfig *config, tSfPolicyId policyId) @@ -246,7 +250,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "Added vlandId %d, file %s, policyId: %d\n", vlanId, fileName, policyId);); - return 0; + return 0; } tSfPolicyId sfVlanGetBinding(tSfPolicyConfig *config, int vlanId) 
@@ -278,7 +282,58 @@ } } -/**Get applicable policy given <vlan, srcIp, dstIp> of a packet. Vlan can be negative +int sfPolicyIdAddBinding(tSfPolicyConfig *config, int parsedPolicyId, char *fileName) +{ + tSfPolicyId policyId; + + if (config == NULL) + return -1; + + //create a policyId + policyId = sfPolicyAdd(config, fileName); + + if ( NotBound(policyId) ) + { + return -1; + } + + config->policyIdBindings[parsedPolicyId] = policyId; + + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, + "Added parsedPolicyId %d, file %s, policyId: %d\n", parsedPolicyId, fileName, policyId);); + return 0; +} + +tSfPolicyId sfPolicyIdGetBinding(tSfPolicyConfig *config, int parsedPolicyId) +{ + tSfPolicyId policyId = config->policyIdBindings[parsedPolicyId]; + + if ( NotBound(policyId) ) + { + //return default policyId for uninitialized binding + return config->defaultPolicyId; + } + + return policyId; +} + +void sfPolicyIdDeleteBinding(tSfPolicyConfig *config, int parsedPolicyId) +{ + tSfPolicyId policyId; + + if ((config == NULL) || (parsedPolicyId < 0)) + return; + + policyId = config->policyIdBindings[parsedPolicyId]; + + if ( IsBound(policyId) ) + { + sfPolicyDelete(config, policyId); + config->vlanBindings[parsedPolicyId] = SF_VLAN_UNBOUND; + } +} + +/**Get applicable policy given <vlan, srcIp, dstIp> of a packet. Vlan can be negative * number if vlan header is not present. * * Search policy bound to vlan if vlan is not negative. If matched polciy is default one, @@ -322,7 +377,7 @@ */ int sfNetworkAddBinding( tSfPolicyConfig *config, - sfip_t* Ip, + sfip_t* Ip, char *fileName ) { @@ -377,7 +432,7 @@ return -1; } - return 0; + return 0; } unsigned int sfNetworkGetBinding( 
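Review bot: `sfPolicyIdDeleteBinding` clears `config->vlanBindings[parsedPolicyId]` instead of `config->policyIdBindings[parsedPolicyId]`, so after `sfPolicyDelete()` the policy-id slot still points at a deleted policy while an unrelated VLAN binding is wiped; the line should be `config->policyIdBindings[parsedPolicyId] = SF_VLAN_UNBOUND;`. In addition, none of the three new functions checks `parsedPolicyId` against `SF_POLICY_ID_BINDING_MAX` (the header declares the array with that bound), `sfPolicyIdAddBinding` and `sfPolicyIdGetBinding` accept negative indices, and `sfPolicyIdGetBinding` dereferences `config` without the NULL check its siblings have — an out-of-range id from the parser becomes an out-of-bounds read or write on the config struct. The guard in `sfPolicyIdAddBinding` should also run before `sfPolicyAdd()` so a rejected id does not leave an orphaned policy entry behind. The rewritten guards and the corrected delete are below.
```c
int sfPolicyIdAddBinding(tSfPolicyConfig *config, int parsedPolicyId, char *fileName)
{
    tSfPolicyId policyId;

    /* validate the slot before sfPolicyAdd() so a bad id cannot leak a policy entry */
    if ((config == NULL) || (parsedPolicyId < 0) || (parsedPolicyId >= SF_POLICY_ID_BINDING_MAX))
        return -1;

    // … unchanged: sfPolicyAdd(), NotBound check, assignment, debug message, return 0 …
}

tSfPolicyId sfPolicyIdGetBinding(tSfPolicyConfig *config, int parsedPolicyId)
{
    if (config == NULL)
        return SF_VLAN_UNBOUND;

    /* an id with no slot is treated like an uninitialised binding */
    if ((parsedPolicyId < 0) || (parsedPolicyId >= SF_POLICY_ID_BINDING_MAX)
            || NotBound(config->policyIdBindings[parsedPolicyId]))
        return config->defaultPolicyId;

    return config->policyIdBindings[parsedPolicyId];
}

void sfPolicyIdDeleteBinding(tSfPolicyConfig *config, int parsedPolicyId)
{
    tSfPolicyId policyId;

    if ((config == NULL) || (parsedPolicyId < 0) || (parsedPolicyId >= SF_POLICY_ID_BINDING_MAX))
        return;

    policyId = config->policyIdBindings[parsedPolicyId];

    if ( IsBound(policyId) )
    {
        sfPolicyDelete(config, policyId);
        /* clear this table's slot, not the VLAN table */
        config->policyIdBindings[parsedPolicyId] = SF_VLAN_UNBOUND;
    }
}
```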
@@ -477,8 +532,8 @@ * and therefore dynArray[0] will cause memory allocation. */ int sfDynArrayCheckBounds ( - void ** dynArray, - unsigned int index, + void ** dynArray, + unsigned int index, unsigned int *maxElements ) { diff -Nru snort-2.9.0.1/src/sfutil/sfPolicy.h snort-2.9.2/src/sfutil/sfPolicy.h --- snort-2.9.0.1/src/sfutil/sfPolicy.h 2010-01-26 10:10:24.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfPolicy.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -24,11 +24,12 @@ #include "sf_ip.h" #include "ipv6_port.h" #include "sfrt.h" -#include "debug.h" +#include "snort_debug.h" /**Number of additional policies allocated with each re-alloc operation. */ #define POLICY_ALLOCATION_CHUNK 10 #define SF_VLAN_BINDING_MAX 4096 +#define SF_POLICY_ID_BINDING_MAX 4096 #define SF_NETWORK_BINDING_MAX 4096 #define SF_VLAN_UNBOUND 0xffffffff @@ -48,6 +49,7 @@ typedef enum { SF_BINDING_TYPE_VLAN, SF_BINDING_TYPE_NETWORK, + SF_BINDING_TYPE_POLICY_ID, SF_BINDING_TYPE_UNKNOWN } tSF_BINDING_TYPE; @@ -64,6 +66,8 @@ unsigned int numActivePolicies; /**vlan to policyId bindings. */ tSfPolicyId vlanBindings[SF_VLAN_BINDING_MAX]; + /**policyId to policyId bindings. */ + tSfPolicyId policyIdBindings[SF_POLICY_ID_BINDING_MAX]; /**Network to policyId bindings. */ table_t *netBindTable; @@ -104,6 +108,19 @@ tSfPolicyConfig *, int ); +int sfPolicyIdAddBinding( + tSfPolicyConfig *, + int, + char * + ); +tSfPolicyId sfPolicyIdGetBinding( + tSfPolicyConfig *, + int + ); +void sfPolicyIdDeleteBinding( + tSfPolicyConfig *, + int + ); unsigned int sfGetApplicablePolicyId( tSfPolicyConfig *, int, 
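Review bot: The new `policyIdBindings[SF_POLICY_ID_BINDING_MAX]` field needs the same initialisation to `SF_VLAN_UNBOUND` that `vlanBindings` presumably receives in the config constructor, which is not part of this diff; `sfPolicyIdGetBinding` decides "unbound" with `NotBound()` (`!= SF_VLAN_UNBOUND`), so a zero-filled entry reads as a binding to policy 0 instead of falling back to `defaultPolicyId`. A doc line on the field would make that contract explicit: `/**policyId to policyId bindings; entries are SF_VLAN_UNBOUND until set by sfPolicyIdAddBinding(). */`. The new prototypes take the index as a plain `int`, so the implementation must range-check it against `SF_POLICY_ID_BINDING_MAX` (the .c side added here does not).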
@@ -124,7 +141,7 @@ snort_ip_p ); -static INLINE tSfPolicyId sfGetDefaultPolicy( +static inline tSfPolicyId sfGetDefaultPolicy( tSfPolicyConfig *config ) { @@ -134,7 +151,7 @@ return config->defaultPolicyId; } -static INLINE void sfSetDefaultPolicy( +static inline void sfSetDefaultPolicy( tSfPolicyConfig *config, tSfPolicyId policyId ) @@ -145,7 +162,7 @@ config->defaultPolicyId = policyId; } -static INLINE tSfPolicyId sfPolicyNumAllocated( +static inline tSfPolicyId sfPolicyNumAllocated( tSfPolicyConfig *config ) { @@ -157,8 +174,8 @@ //dynamic array functions int sfDynArrayCheckBounds ( - void ** dynArray, - unsigned int index, + void ** dynArray, + unsigned int index, unsigned int *maxElements ); #endif diff -Nru snort-2.9.0.1/src/sfutil/sfPolicyUserData.c snort-2.9.2/src/sfutil/sfPolicyUserData.c --- snort-2.9.0.1/src/sfutil/sfPolicyUserData.c 2010-01-26 10:10:24.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfPolicyUserData.c 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,8 +18,13 @@ * ****************************************************************************/ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "stdlib.h" #include "string.h" +#include "sf_types.h" #include "sfPolicy.h" #include "sfPolicyUserData.h" 
@@ -39,7 +44,7 @@ * and put it in a new policy management module. Policy management module will set a single * pointer to user data before calling appropriate callback function in a preprocessor. As * an example, policy module will iterate over all policies and call CleanExit functions in every - * preprocessor for each policy. This will make policy management module will hide policies from + * preprocessor for each policy. This will make policy management module will hide policies from * preprocessors and make them policy agnostic. * @{ */ @@ -48,14 +53,14 @@ * Allocates a new context and return it to user. All transactions within a context are independent from * any other transactions in a different context. * - * @returns tSfPolicyUserContextId + * @returns tSfPolicyUserContextId */ tSfPolicyUserContextId sfPolicyConfigCreate(void) { tSfPolicyUserContext *pTmp = NULL; pTmp = calloc(1, sizeof(tSfPolicyUserContext)); - + return pTmp; } @@ -78,11 +83,11 @@ /**Store a pointer to user data. * @param pContext * @param policyId is 0 based. - * @param config - pointer to user configuration. + * @param config - pointer to user configuration. */ int sfPolicyUserDataSet ( - tSfPolicyUserContextId pContext, - tSfPolicyId policyId, + tSfPolicyUserContextId pContext, + tSfPolicyId policyId, void *config ) { @@ -111,7 +116,7 @@ { //dont overwrite existing configuration return -1; - } + } pContext->userConfig[policyId] = config; pContext->numActivePolicies++; @@ -139,7 +144,7 @@ } int sfPolicyUserDataIterate ( - tSfPolicyUserContextId pContext, + tSfPolicyUserContextId pContext, int (*callback)(tSfPolicyUserContextId pContext, tSfPolicyId policyId, void* config) ) { diff -Nru snort-2.9.0.1/src/sfutil/sfPolicyUserData.h snort-2.9.2/src/sfutil/sfPolicyUserData.h --- snort-2.9.0.1/src/sfutil/sfPolicyUserData.h 2010-01-26 10:10:24.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfPolicyUserData.h 2011-06-07 17:33:20.000000000 -0700 
@@ -1,5 +1,5 @@ /**************************************************************************** - * Copyright (C) 2008-2010 Sourcefire, Inc. + * Copyright (C) 2008-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -26,7 +26,6 @@ #include "sfPolicy.h" /*SharedObjectAddStarts #include "sf_dynamic_preprocessor.h" -extern DynamicPreprocessorData _dpd; SharedObjectAddEnds */ typedef struct @@ -39,11 +38,11 @@ */ unsigned int numAllocatedPolicies; - /**Number of policies active. Since we use an array of policy pointers, + /**Number of policies active. Since we use an array of policy pointers, * number of allocated policies may be more than active policies. */ unsigned int numActivePolicies; - /**user configuration for a policy. This is a pointer to an array of pointers + /**user configuration for a policy. This is a pointer to an array of pointers * to user configuration. */ void **userConfig; @@ -56,37 +55,37 @@ extern tSfPolicyId runtimePolicyId; extern tSfPolicyId parserPolicyId; -static INLINE tSfPolicyId getRuntimePolicy(void) +static inline tSfPolicyId getRuntimePolicy(void) { return runtimePolicyId; } -static INLINE void setRuntimePolicy(tSfPolicyId id) +static inline void setRuntimePolicy(tSfPolicyId id) { runtimePolicyId = id; } -static INLINE int isRuntimePolicyDefault(void) +static inline int isRuntimePolicyDefault(void) { return (runtimePolicyId == 0); } -static INLINE tSfPolicyId getParserPolicy(void) +static inline tSfPolicyId getParserPolicy(void) { return parserPolicyId; } -static INLINE void setParserPolicy(tSfPolicyId id) +static inline void setParserPolicy(tSfPolicyId id) { parserPolicyId = id; } -static INLINE int isParserPolicyDefault(void) +static inline int isParserPolicyDefault(void) { return (parserPolicyId == 0); } -static INLINE tSfPolicyId getDefaultPolicy(void) +static inline tSfPolicyId getDefaultPolicy(void) { return 0; } 
@@ -101,22 +100,22 @@ ); //Functions for setting, getting and clearing policy ids -static INLINE void sfPolicyUserPolicySet ( - tSfPolicyUserContextId pContext, - tSfPolicyId policyId +static inline void sfPolicyUserPolicySet ( + tSfPolicyUserContextId pContext, + tSfPolicyId policyId ) { pContext->currentPolicyId = policyId; } -static INLINE tSfPolicyId sfPolicyUserPolicyGet ( - tSfPolicyUserContextId pContext +static inline tSfPolicyId sfPolicyUserPolicyGet ( + tSfPolicyUserContextId pContext ) { return pContext->currentPolicyId; } -static INLINE unsigned int sfPolicyUserPolicyGetActive ( +static inline unsigned int sfPolicyUserPolicyGetActive ( tSfPolicyUserContextId pContext ) { @@ -125,12 +124,12 @@ //Functions for setting, getting and clearing user data specific to policies. int sfPolicyUserDataSet ( - tSfPolicyUserContextId pContext, - tSfPolicyId policyId, + tSfPolicyUserContextId pContext, + tSfPolicyId policyId, void *config ); -static INLINE void * sfPolicyUserDataGet ( - tSfPolicyUserContextId pContext, +static inline void * sfPolicyUserDataGet ( + tSfPolicyUserContextId pContext, tSfPolicyId policyId ) { 
@@ -142,29 +141,29 @@ return NULL; } -static INLINE int sfPolicyUserDataSetDefault ( - tSfPolicyUserContextId pContext, +static inline int sfPolicyUserDataSetDefault ( + tSfPolicyUserContextId pContext, void *config ) { return sfPolicyUserDataSet (pContext, getDefaultPolicy(), config); } -static INLINE void * sfPolicyUserDataGetDefault ( +static inline void * sfPolicyUserDataGetDefault ( tSfPolicyUserContextId pContext ) { return sfPolicyUserDataGet (pContext, getDefaultPolicy()); } -static INLINE int sfPolicyUserDataSetCurrent ( - tSfPolicyUserContextId pContext, +static inline int sfPolicyUserDataSetCurrent ( + tSfPolicyUserContextId pContext, void *config ) { return sfPolicyUserDataSet (pContext, pContext->currentPolicyId, config); } -static INLINE void * sfPolicyUserDataGetCurrent ( +static inline void * sfPolicyUserDataGetCurrent ( tSfPolicyUserContextId pContext ) { diff -Nru snort-2.9.0.1/src/sfutil/sfportobject.c snort-2.9.2/src/sfutil/sfportobject.c --- snort-2.9.0.1/src/sfutil/sfportobject.c 2010-06-09 15:05:31.000000000 -0700 +++ snort-2.9.2/src/sfutil/sfportobject.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -21,43 +21,43 @@ /* sfportobject.c - + author: marc norton date: 11/05/2005 - description: - - Port objects provides support for generic ports lists comprised of + description: + + Port objects provides support for generic ports lists comprised of individual ports, port ranges, and negation of ports and port ranges. - + Port lists require a somewhat more complex scheme to determine the proper - grouping of rules for each port while minimizing the number of rule groups + grouping of rules for each port while minimizing the number of rule groups created. We can use a single group of rules in the multi-pattern detection phase, - however that can have a huge impact on performance. Instead we try to create + however that can have a huge impact on performance. Instead we try to create a smaller grouping of rules that might be applicable to each port. - + As rules are defined using port ranges, and port lists there will be port overlapps between rules. This requires us to determine whether we should - create one larger rule group to apply to all relevant ports, or to - create multiple rule groups and apply the smallest applicable one to + create one larger rule group to apply to all relevant ports, or to + create multiple rule groups and apply the smallest applicable one to each port. In practice snort has some rules which span almost all 64K ports which might cause all rules in all port-rule groups to be merged into one set unless we apply a more complex logic than simply merging rule-port groups with common ports. This is the problem addressed by the sfportobject module. - + port list examples of acceptable usage: - var has been overloaded, if it includes _port we add as a port-object also. 
var http_ports 80 - var http_range_ports 80:81 + var http_range_ports 80:81 var http_list_ports [80,8080,8138] - + - portvar has been added to indicate portvariables, this form does not require _port portvar http 80 portvar http_range 80:81 portvar http_list [80,8080,8138] - + 80 $http !90 
@@ -69,51 +69,51 @@ [$http,$http_list] [2001,2008,20022,8100:8150,!8121,!8123] [!any] - uhhh, why do people ask about this ? - - Rules are defined using a port, a port-range or a list of these, we call - these port objects. + + Rules are defined using a port, a port-range or a list of these, we call + these port objects. As rules are loaded we generate some large rule counts on some ports, and - small rule counts on most ports. If for each port you build a list of + small rule counts on most ports. If for each port you build a list of rules on that port, we may end up with some ports with a large rule set that - differs by the addition of a few rules on each port (relative to the group sizes) - we don't want to generate compeletely different rule groups for these as that - would than generate multiple large state machines for the multi-pattern matching + differs by the addition of a few rules on each port (relative to the group sizes) + we don't want to generate compeletely different rule groups for these as that + would than generate multiple large state machines for the multi-pattern matching phase of the detection engine which in turn could use a lot of memory. It turns out that one scheme, the one used herein, provides some blending of rule groups to minimize memory, and tries to minimize large group sizes to keep performance more optimal - although this is at the expense of memory. - + --- Port variables - Var - has been overloaded. If it's name includes _port as part of the var name it is - added to the PortVarTable. + Var - has been overloaded. If it's name includes _port as part of the var name it is + added to the PortVarTable. PortVar - has been added. These are always added to the PortVarTable. - + --- Loading Port lists and rules - PortTables - we support src and dst tables for tcp/udp/icmp/ip/arp rules. + PortTables - we support src and dst tables for tcp/udp/icmp/ip/arp rules. 
PortVar References - we dup the PortVar entries as needed into each table if referenced, so HTTP_PORTS for tcp and udp contain different rules. If a rule references a PortVar we look it up in the table, if its not present we dup it from the PortVarTable, otherwise - we just add the rule index to the PortVar HTTP_PORTS in the proper table. If a PortVar - is not used to specify a Port entry in a rule we create a temp port-object, and check if - it's port-list is already in the table. If it's not we make the temp port-object the - permanent entry in the table. If it is, we just add the rule index to the existing entry, - and delete the temp port-object. When the rules are done loading we should have a set of - port-objects with port-lists that differ by at least one port. The next step handles the + we just add the rule index to the PortVar HTTP_PORTS in the proper table. If a PortVar + is not used to specify a Port entry in a rule we create a temp port-object, and check if + it's port-list is already in the table. If it's not we make the temp port-object the + permanent entry in the table. If it is, we just add the rule index to the existing entry, + and delete the temp port-object. When the rules are done loading we should have a set of + port-objects with port-lists that differ by at least one port. The next step handles the cases where we have multiple port-objects with at least one common port. - + --- Merging Ports and Rules - We maintain for each port a list of port objects and their rules that apply + We maintain for each port a list of port objects and their rules that apply to it. This allows us to view combining the rules associated with each port - object using a few heuristics. A list of port objects applicable to each port + object using a few heuristics. A list of port objects applicable to each port presents rules in one of four catagories: 1) a single port object, and all rules associated with it. 
2) multiple port objects each with a small set of rules associated with it. - 3) one port object with a large rule set, and one or more port objects + 3) one port object with a large rule set, and one or more port objects with a small set of rules associated with each. - 4) multiple port objects with large rule sets, and zero or more port objects + 4) multiple port objects with large rule sets, and zero or more port objects each with a small set of rules associated with it. We process these four categories as follows: 
@@ -121,32 +121,32 @@ 1) -a single port object (large or small) do nothing, each port referencing this port object is complete. 2) -multiple small port objects - merge the rules for all port objects into one virtual object, + merge the rules for all port objects into one virtual object, for each port in this category lookup it's combined port object to see if it's already defined, if not create one. This way - all ports that have the same port groups point to the same virtual - port object. + all ports that have the same port groups point to the same virtual + port object. 3) -one large port object, and one or more small port objects - add the small rule groups into the large rule set, using the existing + add the small rule groups into the large rule set, using the existing port object. 4) -multiple large port objects and zero or more small port objects - merge the large port objects into a virtual port object and + merge the large port objects into a virtual port object and add all rules from both large and small sets into it's rule set. - we use the combined large group ports to form a key, so any ports + we use the combined large group ports to form a key, so any ports referencing just these large rule groups, and some small ones will be recognized as the same. This handles cases where we have - 2,3,4.etc large rule groups combined. Any time we see a 'n' grouping - of the same large rule sets we'll look it up and point to it for that + 2,3,4.etc large rule groups combined. Any time we see a 'n' grouping + of the same large rule sets we'll look it up and point to it for that port. - To determine when a port object has a large rule set or a small one we use - a simple threshold value. In theory the larger this value is the more - merging of rules in category 2 and 3 will occur. When this value is + To determine when a port object has a large rule set or a small one we use + a simple threshold value. 
In theory the larger this value is the more + merging of rules in category 2 and 3 will occur. When this value is small category 4 should become a more prevalent situation. However, the behavior of groupings for a given threshold can change as more rules are added to port groups. Therefore generous statistics are printed after the rules and port objects are compiled into their final groupings. - + Procedure for using PortLists @@ -158,29 +158,29 @@ a) Read port numbers and lists 1) Dereference PortVar/Var Names if any are referenced. b) Create a Port Object - c) Test if this Port object exists already, + c) Test if this Port object exists already, 1) If so, add the sid to it. 2) If not add it .... - + Notes: - All any-any port rules are managed separately, and added in to the final + All any-any port rules are managed separately, and added in to the final rules lists of each port group after this analysis. Rules defined with ranges are no longer considered any-any rules for the purpose of organizing port-rule groupings. This should help prevent some cross fertilization of - rule groups with rules that are unneccessary, this causes rule group + rule groups with rules that are unneccessary, this causes rule group sizes to bloat and performance to slow. Hierarchy: - PortTable -> PortObject's + PortTable -> PortObject's PortVar -> PortObject ( These are pure, and are dup'ed for use in the PortTables ) PortObject -> PortObjectItems (port or port range) - + */ @@ -189,8 +189,15 @@ #include <sys/types.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" + #include "snort.h" -#include "debug.h" +#include "snort_bounds.h" +#include "snort_debug.h" #include "sfportobject.h" #include "sfrim.h" #include "util.h" @@ -244,13 +251,13 @@ static void plx_free(void * p ) { plx_t * plx=(plx_t*)p; - + if( !plx ) return; if( plx->p ) free(plx->p); free( p ); } -#ifdef DEBUG +#ifdef DEBUG_MSGS static void plx_print(plx_t * p) { 
@@ -272,9 +279,9 @@ unsigned k, hash = p->seed; int i; plx_t* plx; - + n = n; /* To silence a Win32 warning */ - + plx = *(plx_t**)d; for(i=0;i<plx->n;i++) @@ -291,7 +298,7 @@ /* for sorting an array of pointers */ -static INLINE +static inline int p_keycmp( const void *a , const void *b ) { if( *(unsigned long**)a < *(unsigned long**)b ) return -1; @@ -307,7 +314,7 @@ return values memcmp style this only needs to produce 0 => exact match, otherwise not. - -1, and +1 are not strictly needed, they could both return + -1, and +1 are not strictly needed, they could both return a non zero value for the purposes of hashing and searching. */ static @@ -322,7 +329,7 @@ if( pla->n < plb->n ) return -1; if( pla->n > plb->n ) return 1; - + for(i=0;i<pla->n;i++) { if((cmp = p_keycmp(&pla->p[i], &plb->p[i])) != 0) @@ -355,7 +362,7 @@ free( po ); return 0; } - + po->rule_list =(SF_LIST*) sflist_new(); if( !po->rule_list ) { @@ -363,8 +370,8 @@ free( po ); return 0; } - - return po; + + return po; } /* This is the opposite of ntohl/htonl defines, and does the @@ -408,8 +415,8 @@ free( po ); return 0; } - - po->rule_hash =(SFGHASH*) sfghash_new(nrules,sizeof(int),0,free /* frees data - should be rule id ptrs == (int*) */); + + po->rule_hash =(SFGHASH*) sfghash_new(nrules,sizeof(int),0,free /* frees data - should be rule id ptrs == (int*) */); if( !po->rule_hash ) { sflist_free_all( po->item_list, free ); @@ -420,9 +427,9 @@ /* Use hash function defined above for hashing the key as an int. */ sfghash_set_keyops(po->rule_hash, po_rule_hash_func, memcmp); - //sfhashfcn_static( po->rule_hash->sfhashfcn ); /* TODO: Leave this in, else we get different events */ - - return po; + //sfhashfcn_static( po->rule_hash->sfhashfcn ); /* TODO: Leave this in, else we get different events */ + + return po; } /* * Set the name of the Port Object 
@@ -431,15 +438,15 @@ { if( !po ) return -1; - + if( !name ) return -1; - + /* free the old name */ if(po->name) free(po->name); - /* alloc a new name */ + /* alloc a new name */ po->name = SnortStrdup(name); if( !po->name ) return -1; @@ -458,13 +465,13 @@ /* * Free the PortObject */ -void PortObjectFree( void * pvoid ) +void PortObjectFree( void * pvoid ) { - PortObject * po = (PortObject *)pvoid; + PortObject * po = (PortObject *)pvoid; DEBUG_WRAP(static int pof_cnt = 0; pof_cnt++;); - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortObjectFree-Cnt: %d ptr=%p\n",pof_cnt,pvoid);); - + if( !po ) return ; if( po->name ) free (po->name ); @@ -481,13 +488,13 @@ /* * Free the PortObject2 */ -void PortObject2Free( void * pvoid ) +void PortObject2Free( void * pvoid ) { - PortObject2 * po = (PortObject2 *)pvoid; + PortObject2 * po = (PortObject2 *)pvoid; DEBUG_WRAP(static int pof2_cnt = 0; pof2_cnt++;); - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortObjectFree2-Cnt: %d ptr=%p\n",pof2_cnt,pvoid);); - + if( !po ) return; if( po->name ) free (po->name ); @@ -574,7 +581,7 @@ PortObjectItem * PortObjectItemDup( PortObjectItem * poi) { PortObjectItem * poinew; - + if( !poi ) return 0; @@ -612,9 +619,9 @@ if( !ponew->name ) { free( ponew ); - return NULL; + return NULL; } - + /* Dup the Item List */ if( po->item_list ) { @@ -679,9 +686,9 @@ if( !ponew->name ) { free( ponew ); - return NULL; + return NULL; } - + /* Dup the Item List */ if( po->item_list ) { @@ -710,12 +717,12 @@ int * prid = NULL; int * prule = NULL; - if( !po ) + if( !po ) return NULL; - + if( !po->rule_list ) return NULL; - + ponew = PortObject2New(po->rule_list->count + PO_EXTRA_RULE_CNT); if( !ponew ) return NULL; @@ -729,9 +736,9 @@ if( !ponew->name ) { free( ponew ); - return NULL; + return NULL; } - + /* Dup the Item List */ if( po->item_list ) { @@ -742,7 +749,7 @@ poinew = PortObjectItemDup( poi ); if(!poinew) return 0; - + PortObjectAddItem( (PortObject*)ponew, poinew, NULL ); } } 
@@ -844,7 +851,7 @@ } /* - * Check if we have any ANY ports + * Check if we have any ANY ports */ int PortObjectHasAny (PortObject * po ) { @@ -852,12 +859,12 @@ if( !po ) return 0; - + for(poi=(PortObjectItem*)sflist_first(po->item_list); poi != 0; poi=(PortObjectItem*)sflist_next(po->item_list) ) { - if( poi->type == PORT_OBJECT_ANY ) + if( poi->type == PORT_OBJECT_ANY ) return 1; } return 0; @@ -868,7 +875,7 @@ if( !po ) return 0; - + for(poi=(PortObjectItem*)sflist_first(po->item_list); poi != 0; poi=(PortObjectItem*)sflist_next(po->item_list) ) @@ -884,7 +891,7 @@ if( !po ) return 0; - + for(poi=(PortObjectItem*)sflist_first(po->item_list); poi != 0; poi=(PortObjectItem*)sflist_next(po->item_list) ) @@ -895,12 +902,12 @@ } if( cnt == 0 ) return 0; - + return 1; } /* - * This does NOT return true if the object is an ANY port + * This does NOT return true if the object is an ANY port */ int PortObjectHasPort (PortObject * po, int port ) { @@ -926,7 +933,7 @@ break; case PORT_OBJECT_RANGE: - if( (uint16_t)port >= poi->lport && + if( (uint16_t)port >= poi->lport && (uint16_t)port <= poi->hport ) return 1; if( poi->flags & PORT_OBJECT_NOT_FLAG ) @@ -936,8 +943,8 @@ } return 0; } -/* - * This returns true if the object is an ANY port +/* + * This returns true if the object is an ANY port */ int PortObjectIncludesPort (PortObject * po, int port ) { @@ -963,7 +970,7 @@ break; case PORT_OBJECT_RANGE: - if( (uint16_t)port >= poi->lport && + if( (uint16_t)port >= poi->lport && (uint16_t)port <= poi->hport ) return 1; if( poi->flags & PORT_OBJECT_NOT_FLAG ) @@ -999,9 +1006,9 @@ /* * Calcs number of ports in this object, * object do not have to be normalized, - * but if the same ports are referenced + * but if the same ports are referenced * twice, the count will be off. - * + * * returns: * any = -1 * 0 = none/empty @@ -1012,7 +1019,7 @@ PortObjectItem *poi; int cnt=0; int nports; - + if( !po ) return 0; 
@@ -1037,7 +1044,7 @@ break; case PORT_OBJECT_RANGE: - nports = poi->hport - poi->lport + 1; + nports = poi->hport - poi->lport + 1; if( poi->flags & PORT_OBJECT_NOT_FLAG ) { cnt-=nports; @@ -1051,28 +1058,28 @@ if( cnt < 0 ) { - /* we have a pure not port or port range + /* we have a pure not port or port range * * !80 = -1, add 64K (65535 -1 = 65534) * !80:81 = -2, (65535 - 2 = 65533) * * [:1023,!80] = 1024 - 1 = 1023 ports - * + * */ cnt += SFPO_MAX_PORTS; /* add back in the acceptable ports */ } - + return cnt; } /* - * Build a PortMap Char Array + * Build a PortMap Char Array * returns: 0 if an ANY port. * n number of unique ports. */ char * PortObjectCharPortArray ( char * parray, PortObject * po, int * nports ) { - int cnt = 0; + int cnt = 0; unsigned not_cnt=0; PortObjectItem * poi; SF_LNODE * pos; @@ -1099,10 +1106,10 @@ not_cnt++; continue; } - - if( poi->type == PORT_OBJECT_PORT ) + + if( poi->type == PORT_OBJECT_PORT ) { - if( !parray[poi->lport] ) + if( !parray[poi->lport] ) cnt++; parray[poi->lport] = 1; @@ -1113,13 +1120,13 @@ int i; for(i=poi->lport;i<=poi->hport;i++) { - if( !parray[i] ) + if( !parray[i] ) cnt++; parray[i] = 1; } } } - + /* Remove any NOT'd ports that may have been added above */ for(poi=(PortObjectItem*)sflist_firstpos(po->item_list,&pos); poi != 0; @@ -1127,10 +1134,10 @@ { if( !( poi->flags & PORT_OBJECT_NOT_FLAG) ) continue; - - if( poi->type == PORT_OBJECT_PORT ) + + if( poi->type == PORT_OBJECT_PORT ) { - if( parray[poi->lport] ) + if( parray[poi->lport] ) cnt--; parray[poi->lport] =0; @@ -1168,10 +1175,10 @@ { if( !( poi->flags & PORT_OBJECT_NOT_FLAG) ) continue; /* should not happen */ - - if( poi->type == PORT_OBJECT_PORT ) + + if( poi->type == PORT_OBJECT_PORT ) { - if( parray[poi->lport] ) + if( parray[poi->lport] ) cnt--; parray[poi->lport] =0; } 
@@ -1191,15 +1198,15 @@ } *nports = cnt; - - return parray; + + return parray; } - + /* - * Make a list of ports form the char array, each char is either + * Make a list of ports form the char array, each char is either * on or off. */ -static +static SF_LIST * PortObjectItemListFromCharPortArray( char * parray, int n ) { int i, lport ,hport; @@ -1217,7 +1224,7 @@ /* Either a port or the start of a range */ lport = hport = i; - for(i++;i<n;i++) + for(i++;i<n;i++) { if( parray[i] ) { @@ -1226,7 +1233,7 @@ } break; } - + poi = PortObjectItemNew(); if( !poi ) { @@ -1234,7 +1241,7 @@ return 0; } - if( hport == lport ) + if( hport == lport ) { poi->type = PORT_OBJECT_PORT; poi->lport = (unsigned short)lport; @@ -1245,17 +1252,17 @@ poi->lport =(unsigned short)lport; poi->hport =(unsigned short)hport; } - + if( sflist_add_tail( plist, poi ) ) { sflist_free_all( plist, free ); return 0; } } - + return plist; } - + /* * Removes Ports in B from A ... A = A - B */ @@ -1267,13 +1274,13 @@ SF_LIST * plist; static char pA[SFPO_MAX_PORTS]; static char pB[SFPO_MAX_PORTS]; - + memset(pA,0,SFPO_MAX_PORTS); memset(pB,0,SFPO_MAX_PORTS); - + /* Create a char array of ports */ PortObjectCharPortArray ( pA, a, &nportsa ); - + /* Create a char array of ports */ PortObjectCharPortArray ( pB, b, &nportsb ); @@ -1281,13 +1288,13 @@ { if( pB[i] ) pA[i] = 0; /* remove portB from A */ } - + /* Convert the array into a Port Object list */ plist = PortObjectItemListFromCharPortArray( pA, SFPO_MAX_PORTS ); - + /* Release the old port list */ sflist_free_all( a->item_list, free ); - + /* Replace the old PortObject list */ a->item_list = plist; @@ -1295,8 +1302,8 @@ } /* - * Normalize a port object - * + * Normalize a port object + * * The reduces multiple references to a given port to a single unique reference * This function should be used on each PortObject, once it's completed. After * the normalized PortObject is created, the input PortObject may be deleted. 
@@ -1304,31 +1311,31 @@ int PortObjectNormalize (PortObject * po ) { SF_LIST * plist; - int nports = 0; - + int nports = 0; + static char parray[SFPO_MAX_PORTS]; - + if( PortObjectHasAny ( po ) ) { return 0; /* ANY =65K */ } - + memset(parray,0,SFPO_MAX_PORTS); - + /* Create a char array of ports */ PortObjectCharPortArray ( parray, po, &nports ); - + /* Convert the array into a Port Object list */ plist = PortObjectItemListFromCharPortArray( parray, SFPO_MAX_PORTS ); - if( !plist ) - return -1; - + if( !plist ) + return -1; + /* Release the old port list */ sflist_free_all( po->item_list, free ); - + /* Replace the old PortObject list */ po->item_list = plist; - + return nports; } @@ -1339,17 +1346,17 @@ { int i; SF_LIST * plist; - int nports = 0; - + int nports = 0; + static char parray[SFPO_MAX_PORTS]; - + if( PortObjectHasAny ( po ) ) { return 0; /* ANY =65K */ } - + memset(parray,0,SFPO_MAX_PORTS); - + /* Create a char array of ports */ PortObjectCharPortArray ( parray, po, &nports ); @@ -1357,28 +1364,28 @@ { if( parray[i] ) /* negate */ parray[i] = 0; - else - parray[i] = 1; + else + parray[i] = 1; } - + /* Convert the array into a Port Object list */ plist = PortObjectItemListFromCharPortArray( parray, SFPO_MAX_PORTS ); - + /* Release the old port list */ sflist_free_all( po->item_list, free ); - + /* Replace the old PortObject list */ po->item_list = plist; - + return nports; } -/* +/* PortObjects should be normalized, prior to testing */ static -int PortObjectItemsEqual(PortObjectItem * a, PortObjectItem * b ) +int PortObjectItemsEqual(PortObjectItem * a, PortObjectItem * b ) { if( a->type != b->type ) return 0; @@ -1400,7 +1407,7 @@ return 0; } -/* +/* PortObjects should be normalized, prior to testing */ int PortObjectEqual( PortObject * a, PortObject *b ) 
@@ -1409,25 +1416,25 @@ PortObjectItem *pb; SF_LNODE * posa; SF_LNODE * posb; - + if( a->item_list->count != b->item_list->count ) return 0; - + pa = (PortObjectItem*)sflist_firstpos(a->item_list,&posa); pb = (PortObjectItem*)sflist_firstpos(b->item_list,&posb); - + while( pa && pb ) { if( !PortObjectItemsEqual( pa, pb) ) return 0; - + pa = (PortObjectItem*)sflist_nextpos(a->item_list,&posa); pb = (PortObjectItem*)sflist_nextpos(b->item_list,&posb); } - + if( pa || pb ) /* both are not done - cannot match */ return 0; - + return 1; /* match */ } @@ -1438,18 +1445,18 @@ { PortObjectItem * poia; PortObjectItem * poib; - + for( poib = (PortObjectItem*) sflist_first(pob->item_list); poib!= 0; poib = (PortObjectItem*)sflist_next(pob->item_list) ) { poia = PortObjectItemNew(); - + if(!poia) return 0; - + memcpy(poia,poib,sizeof(PortObjectItem)); - + sflist_add_tail(poa->item_list,poia); } return poa; @@ -1460,7 +1467,7 @@ int * prid; int * prid2; SF_LNODE * lpos; - + for( prid = (int*) sflist_firstpos(pob->rule_list,&lpos); prid!= 0; prid = (int*)sflist_nextpos(pob->rule_list,&lpos) ) @@ -1479,7 +1486,7 @@ int * prid; int * prid2; SF_LNODE * lpos; - + for( prid = (int*) sflist_firstpos(pob->rule_list,&lpos); prid!= 0; prid = (int*)sflist_nextpos(pob->rule_list,&lpos) ) @@ -1501,7 +1508,7 @@ int * prid; int * prid2; SFGHASH_NODE * node; - + for( node = sfghash_findfirst(pob->rule_hash); node!= NULL; node = sfghash_findnext(pob->rule_hash) ) @@ -1513,7 +1520,7 @@ prid2 = calloc( 1, sizeof(int)); if( !prid2 ) return 0; - + *prid2 = *prid; if( sfghash_add(poa->rule_hash,prid2,prid2) != SFGHASH_OK ) { @@ -1529,7 +1536,7 @@ { // LogMessage("PortObjectAppendEx: appending ports\n"); if( !PortObjectAppend( poa, pob ) ) return 0; - + //LogMessage("PortObjectAppendEx: appending rules\n"); if( !PortObjectAppendPortObject( poa, pob ) ) return 0; 
@@ -1570,7 +1577,7 @@ free(p); return 0; } - + p->pt_lrc = PTBL_LRC_DEFAULT; /* 10 rules, user should really control these */ p->pt_optimize = 1; /* if disabled, only one merged rule group is used */ @@ -1624,7 +1631,7 @@ for (i=0;i<SFPO_MAX_PORTS;i++) { #if 0 - if (p->pt_port_object[i]) + if (p->pt_port_object[i]) { PortObject2Free(p->pt_port_object[i]); } @@ -1641,7 +1648,7 @@ if( !pt ) return NULL; if( !po_name ) return NULL; - + /* Normalize each of the input port objects */ for(po =(PortObject*)sflist_firstpos(pt->pt_polist,&lpos); po!=0; @@ -1655,11 +1662,11 @@ } } } - return NULL; + return NULL; } -/* - * Find PortObject by PortItem Info +/* + * Find PortObject by PortItem Info */ PortObject * PortTableFindInputPortObjectPorts( PortTable * pt, PortObject * pox ) { @@ -1668,7 +1675,7 @@ if( !pt ) return NULL; if( !pox ) return NULL; - + for(po =(PortObject*)sflist_firstpos(pt->pt_polist,&lpos); po!=0; po =(PortObject*)sflist_nextpos(pt->pt_polist,&lpos) ) @@ -1678,7 +1685,7 @@ return po; } } - return NULL; + return NULL; } @@ -1700,7 +1707,7 @@ int PortObjectAddRule( PortObject * po , int rule ) { int * pruleid; - + //LogMessage("Adding Rule %d to Port Object '%s'\n",rule,po->name); if( !po ) return -1; @@ -1714,12 +1721,12 @@ { return -1; } - + *pruleid = rule; - + sflist_add_tail( po->rule_list, pruleid ); - return 0; + return 0; } /* @@ -1758,7 +1765,7 @@ Hash routine for hashing PortObjects as Keys p - SFHASHFCN * - d - PortObject * + d - PortObject * n = 4 bytes (sizeof*) - not used Don't use this for type=ANY port objects @@ -1772,7 +1779,7 @@ SF_LNODE * pos; n = n; /* This quiets a Win32 warning */ - + po = *(PortObject**) d; /* hash up each item */ 
@@ -1820,11 +1827,11 @@ * 3) make a merged PortObject2 * 4) Try adding the PortObject2 to it's table - mhash * a) if it adds go on, else - * b) if it's already in the table + * b) if it's already in the table * 1) get the one in the table * 2) add any ports in the just created one * 3) free the one just created - * 5) Create a plx object + * 5) Create a plx object * 6) Add the plx object to the plx Table * 1) if it's already in the object - fail this contradicts 1) * 7) return the create PortObject2, or the one retrived from the @@ -1832,14 +1839,14 @@ * * pol - list of input PortObject pointers * pol_cnt- count in 'pol' - * mhash - stores the merged ports, using the merged port objects port list as a key. + * mhash - stores the merged ports, using the merged port objects port list as a key. * mhashx - stores plx keys, and PortObject2 *'s as data for the final merged port objects, * the plx keys provide a quicker way to compare port lists to ensure if two ports * are using the same set of rules (port objects). * mhash and mhashx reference the same port objects as data, but use different keys for lookup * purposes. Once we perform a merge we store the results, using the 'plx' as the key for future lookup. * plx - key to use to lookup and store the merged port object - * + * * */ static @@ -1850,11 +1857,11 @@ PortObject2 * ponew; PortObject2 * pox; plx_t * plx_tmp; - int stat; + int stat; int i; - - /* - * Check for the merged port object in the plx table + + /* + * Check for the merged port object in the plx table */ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "++++n=%d sfghash_find-mhashx\n",pol_cnt);); @@ -1868,8 +1875,8 @@ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "n=%d posnew not found in mhashx\n",pol_cnt);); - /* - * Merge the port objects together - ports and rules + /* + * Merge the port objects together - ports and rules */ 
@@ -1900,7 +1907,7 @@ pol_cnt,ponew->rule_hash->count);); DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"*** merged ponew - follows: \n");); // PortObjectPrint2(ponew); - + /* * Add the Merged PortObject2 to the PortObject2 hash table * keyed by ports. @@ -1917,7 +1924,7 @@ pox = sfghash_find(mhash,&ponew); if( pox ) { - PortObject2AppendPortObject2(pox,ponew); + PortObject2AppendPortObject2(pox,ponew); DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"sfportobject.c: merge_N_pol() line=%d SFGHASH_INTABLE\n",__LINE__);); PortObject2Free( ponew ); ponew = pox; @@ -1935,9 +1942,9 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"***%d ports merged object added to mhash table\n",pol_cnt);); - + /* - * Create a plx node and add it to plx table + * Create a plx node and add it to plx table * as the key with the merged port object as the data */ plx_tmp = plx_new( pol, pol_cnt); @@ -1946,8 +1953,8 @@ FatalError("plx_new: memory alloc error\n"); } sflist_add_head(plx_list, (void *)plx_tmp); - - /* + + /* * Add the plx node to the PLX hash table */ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"n=%d sfghash_add-mhashx\n",pol_cnt);); @@ -1965,7 +1972,7 @@ } DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"Added-%d Merged Rule Groups to PLX HASH\n",pol_cnt);); - + /* * Validate hash table entry */ 
@@ -1973,26 +1980,26 @@ { FatalError("Find after add failed on PLX HASH table key\n"); } - + return ponew; } /* * Merge Input Port Objects into rule collections that are particular to - * each port. We store the results as objects and point to these in the + * each port. We store the results as objects and point to these in the * pt_port_object[MAX_PORTS] array. - * - * We use plx_t types to manage tracking and testing for merged large + * + * We use plx_t types to manage tracking and testing for merged large * rule groups, and merged small port groups. - * + * * mhash - table of merged port objects ( built and used here ) * mhashx - table of plx_t objects ( built and used here ) * pol - list of input port objects touching the current port * pol_cnt - number of port objects in port list * lcnt - large rule count - * + * */ static -PortObject2 * PortTableCompileMergePortObjectList2(SFGHASH * mhash, +PortObject2 * PortTableCompileMergePortObjectList2(SFGHASH * mhash, SFGHASH * mhashx, SF_LIST * plx_list, PortObject * pol[], @@ -2009,8 +2016,8 @@ plx_t plx_large; unsigned largest; int i; - - /* + + /* * Find the largest rule count of all of the port objects */ largest = 0; @@ -2023,7 +2030,7 @@ } } - /* + /* * Classify PortObjects as large or small based on rule set size * and copy them into separate lists */ @@ -2040,7 +2047,7 @@ posmall[ nsmall++ ] = (void *)pol[i]; } } - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"*** %d small rule groups, %d large rule groups\n",nsmall,nlarge);); /* @@ -2051,13 +2058,13 @@ qsort( polarge, nlarge, sizeof(void*), p_keycmp ); if( nsmall > 1 ) qsort( posmall, nsmall, sizeof(void*), p_keycmp ); - + DEBUG_WRAP( for(i=0;i<nsmall;i++) DebugMessage(DEBUG_PORTLISTS, "posmall[%d]=%lu\n",i,posmall[i]); for(i=0;i<nlarge;i++) DebugMessage(DEBUG_PORTLISTS, "polarge[%d]=%lu\n",i,polarge[i]); ); - - /* + + /* * Setup plx_t representation of port list pointers */ plx_small.n = nsmall; 
@@ -2065,8 +2072,8 @@ plx_large.n = nlarge; plx_large.p = (void**)&polarge[0]; - -#ifdef DEBUG + +#ifdef DEBUG_MSGS if( nlarge ) { DebugMessage(DEBUG_PORTLISTS, "large "); plx_print(&plx_large); @@ -2076,25 +2083,25 @@ DebugMessage(DEBUG_PORTLISTS, "small "); plx_print(&plx_small); } #endif - + /* - * Merge Large PortObjects + * Merge Large PortObjects */ if( nlarge ) { DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"***nlarge=%d \n",nlarge);); ponew = _merge_N_pol( mhash, mhashx, plx_list, polarge, nlarge, &plx_large); } - - /* - * Merge Small PortObjects + + /* + * Merge Small PortObjects */ if( nsmall ) { DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"***nsmall=%d \n",nsmall);); posnew = _merge_N_pol( mhash, mhashx, plx_list, posmall, nsmall, &plx_small); } - /* + /* * Merge Large and Small (rule groups) PortObject2's together * append small port object rule sets to the large port objects, * remove the large port objects ports from the smaller port objects @@ -2104,21 +2111,21 @@ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"*** appending small rules to larger rule group\n");); if (ponew != posnew) { - - /* Append small port object, just the rules */ + + /* Append small port object, just the rules */ PortObject2AppendPortObject2( ponew, posnew ); - + /* Remove Ports in ponew from posnew */ PortObjectRemovePorts( (PortObject*)posnew, (PortObject*)ponew ); } - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"*** final - using small+large rule group \n");); } - else if( nsmall ) + else if( nsmall ) { /* Only a small port object */ ponew = posnew; - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"*** final - using small rule group only \n");); } else if( nlarge ) @@ -2131,7 +2138,7 @@ return ponew; } /* - * + * * * mhash * mhashx @@ -2140,8 +2147,8 @@ int PortTableCompileMergePortObjects( PortTable * p ) { SF_LNODE * lpos; - SFGHASH * mhash; - SFGHASH * mhashx; + SFGHASH * mhash; + SFGHASH * mhashx; SFGHASH_NODE * node; SF_LIST * plx_list; int id = PO_INIT_ID; 
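Review bot: The block now gated on `#ifdef DEBUG_MSGS` still issues bare `DebugMessage`/`plx_print` calls, while every neighbouring debug statement in this function goes through `DEBUG_WRAP(...)`, so a reader cannot tell from the hunk whether the two gates are equivalent. The rename from `DEBUG` suggests the raw `#ifdef` had been compiled out in debug builds and is being brought back in step with `DEBUG_WRAP`, but that macro's definition is not in this diff, so it remains an inference. A one-line comment on the `#ifdef` would make the intent durable, e.g. `/* gated on DEBUG_MSGS to match DEBUG_WRAP(); keep in sync if that macro's condition changes */`. The guarded block's `#endif` lies in the following hunk, and the enclosing function PortTableCompileMergePortObjectList2 starts and ends outside this hunk.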
@@ -2149,30 +2156,30 @@ int pol_cnt; char * parray = NULL; int i; - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"***\n***Merging PortObjects->PortObjects2\n***\n");); /* Create a Merged Port Object Table - hash by ports */ mhash = sfghash_new(PO_HASH_TBL_ROWS, sizeof(PortObject *), 0 /*userkeys-no*/, 0 /*free data-don't*/); if( !mhash ) return -1; - + /* Setup hashing function and key comparison function */ sfhashfcn_set_keyops( mhash->sfhashfcn, PortObject_hash, PortObject_keycmp ); - + /* remove randomness */ if (ScStaticHash()) sfhashfcn_static( mhash->sfhashfcn ); - + p->pt_mpo_hash = mhash; - + /* Create a Merged Port Object Table - hash by ports */ mhashx = sfghash_new(PO_HASH_TBL_ROWS, sizeof(plx_t *), 0/*userkeys-no*/, 0/*freedata()-don't*/); if( !mhashx ) return -1; /* Setup hashing function and key comparison function */ sfhashfcn_set_keyops( mhashx->sfhashfcn,plx_hash,plx_keycmp ); - + /* remove randomness */ if (ScStaticHash()) sfhashfcn_static( mhashx->sfhashfcn ); @@ -2188,7 +2195,7 @@ /* * For each port, merge rules from all port objects that touch the port - * into an optimal object, that may be shared with other ports. + * into an optimal object, that may be shared with other ports. */ for(i=0;i<SFPO_MAX_PORTS;i++) { @@ -2204,13 +2211,13 @@ { if( pol_cnt < SFPO_MAX_LPORTS ) { - pol[ pol_cnt++ ] = po; + pol[ pol_cnt++ ] = po; } } } p->pt_port_object[i] = 0; - if( !pol_cnt ) + if( !pol_cnt ) { //port not contained in any PortObject continue; @@ -2219,7 +2226,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"*** merging list for port[%d] \n",i);fflush(stdout);); /* merge the rules into an optimal port object */ - p->pt_port_object[i] = + p->pt_port_object[i] = PortTableCompileMergePortObjectList2( mhash, mhashx, plx_list, pol, pol_cnt, p->pt_lrc ); if( !p->pt_port_object[i] ) { 
@@ -2227,16 +2234,16 @@ } /* give the new compiled port object an id of its own */ - p->pt_port_object[i]->id = id++; + p->pt_port_object[i]->id = id++; DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"\n");fflush(stdout);); - } - - /* - * Normalize the Ports so they indicate only the ports that + } + + /* + * Normalize the Ports so they indicate only the ports that * reference the composite port object */ - + /* 1st- Setup bitmasks for collecting ports */ for(node=sfghash_findfirst(mhashx); node; @@ -2244,9 +2251,9 @@ { unsigned char * buf; PortObject2 * poa; - + poa = (PortObject2*)node->data; - if( !poa ) + if( !poa ) continue; if (!poa->bitop) @@ -2278,7 +2285,7 @@ poa->port_cnt++; if( poa->bitop ) { - if( boSetBit(poa->bitop, (unsigned int) i ) ) + if( boSetBit(poa->bitop, (unsigned int) i ) ) { FatalError("BitOp-Set error\n"); } @@ -2296,7 +2303,7 @@ { FatalError("Memory error in PortTableCompile()\n"); } - + /* Process Port-Bitop map and print final port-object usage stats */ for(node=sfghash_findfirst(mhashx); node; @@ -2304,22 +2311,22 @@ { SF_LIST * plist; PortObject2 * po; - + po = (PortObject2*)node->data; if( !po ) { FatalError("MergePortOBject-NormalizePorts -NULL po\n"); } - + if( !po->port_cnt )/* port object is not used ignore it */ continue; - + if( !po->bitop ) { //FatalError("MergePortOBject-NormalizePorts -NULL po->bitop\n"); continue; } - + /* Convert the bitop bits to a char array */ memset(parray,0,SFPO_MAX_PORTS); for(i=0;i<SFPO_MAX_PORTS;i++) @@ -2329,7 +2336,7 @@ parray[ i ] = 1; } } - + /* Release bit buffer for each port object */ if( po->bitop ) { 
@@ -2349,16 +2356,16 @@ { FatalError("MergePortObjects: No PortObjectItems in portobject\n"); } - + /* free the original list */ sflist_free_all( po->item_list, free ); - + /* set the new list - this is a list of port itmes for this port object */ po->item_list = plist; - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"port-object id = %d, port cnt = %d\n",po->id,po->port_cnt);); } - + if(parray) free(parray); return 0; @@ -2367,17 +2374,17 @@ * * Verify all rules in 'po' list are in 'po2' hash * - * return 0 - OK + * return 0 - OK * !0 - a rule in po is not in po2 */ -static +static int _po2_include_po_rules( PortObject2 * po2, PortObject * po ) { //SFGHASH_NODE * node; int * pid; int * id; SF_LNODE * rpos; - + /* get each rule in po */ for(pid=sflist_firstpos(po->rule_list,&rpos); pid; @@ -2389,7 +2396,7 @@ /* make sure it's in po2 */ if(!id ) { - return 1; /* error */ + return 1; /* error */ } } @@ -2417,7 +2424,7 @@ { FatalError("Memory eror in PortTableComopile\n"); } - + /* Make sure each port is only in one composite port object */ for(node=sfghash_findfirst(p->pt_mpo_hash); node; @@ -2425,7 +2432,7 @@ { PortObject2 * po; po = (PortObject2*)node->data; - + if( !po ) { FatalError("PortObject consistency Check failed, hash table problem\n"); 
@@ -2448,24 +2455,24 @@ } if( parray ) free(parray); - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"***\n***Port Table Compiler Consistency Check Phase-I Passed !\n");); - + /* - * This phase checks the Input port object rules/ports against + * This phase checks the Input port object rules/ports against * the composite port objects. * * For each input object - * check that each port it reference has all of the rules + * check that each port it reference has all of the rules * referenced to that port in the composit object - */ + */ for(ipo=sflist_firstpos(p->pt_polist,&pos); ipo; ipo=sflist_nextpos(p->pt_polist,&pos) ) { /* - * for each port in this object get the composite port object + * for each port in this object get the composite port object * assigned to that port and verify all of the input objects rules * are in the composite object. This verifies all rules are applied * to the originally intended port. @@ -2488,7 +2495,7 @@ case PORT_OBJECT_RANGE: { - for(i=poi->lport;i<=poi->hport;i++) + for(i=poi->lport;i<=poi->hport;i++) { /* small optimization*/ if( lastpo != p->pt_port_object[ i ] ) 
@@ -2505,32 +2512,32 @@ } } } - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "***\n***Port Table Compiler Consistency Check Phase-II Passed !!! - Good to go Houston\n****\n");); - return 0; + return 0; } /* -* Compile the PortTable -* +* Compile the PortTable +* * This builds a set of Port+Rule objects that are in some way an optimal -* set of objects to indicate which rules to apply to which ports. Since +* set of objects to indicate which rules to apply to which ports. Since * these groups are calculated consistency checking is done witht he finished * objects. */ int PortTableCompile( PortTable * p ) { - /* + /* * If not using an optimized Table use the rule_index_map in parser.c */ - if( !p->pt_optimize ) + if( !p->pt_optimize ) { return 0; } - + DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"#PortTableCompile: Compiling Port Array Lists\n");); - + if( PortTableCompileMergePortObjects( p ) ) { FatalError("Could not create PortArryayLists\n"); @@ -2539,10 +2546,10 @@ DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"Done\n");fflush(stdout);); PortTableConsistencyCheck(p); - + return 0; } -static +static int integer_compare( const void *arg1, const void *arg2 ) { if( *(int*)arg1 < *(int*)arg2 ) return -1; @@ -2550,7 +2557,7 @@ return 0; } -static +static int * RuleListToSortedArray( SF_LIST * rl ) { SF_LNODE * pos = NULL; @@ -2560,7 +2567,7 @@ if( !rl ) return 0; - + if(!rl->count) return NULL; @@ -2572,7 +2579,7 @@ { ra[k++] = *prid; } - + /* sort the array */ qsort(ra,rl->count,sizeof(int),integer_compare); @@ -2580,8 +2587,8 @@ } /**sort and uniq rule list. */ -void RuleListSortUniq( - SF_LIST * rl +void RuleListSortUniq( + SF_LIST * rl ) { unsigned i; @@ -2624,8 +2631,8 @@ /**Sort and make rule index in all port objects unique. Multiple policies may add * the same rule which can lead to duplication. */ -void PortTableSortUniqRules( - PortTable * p +void PortTableSortUniqRules( + PortTable * p ) { PortObject * po; 
@@ -2638,18 +2645,18 @@ RuleListSortUniq(po->rule_list); } } - -static + +static int * RuleHashToSortedArray( SFGHASH * rh ) { int * prid; int * ra; int k = 0; SFGHASH_NODE * node; - + if( !rh ) return 0; - + if(!rh->count) return NULL; @@ -2665,7 +2672,7 @@ ra[k++] = *prid; } } - + /* sort the array */ qsort(ra,rh->count,sizeof(int),integer_compare); @@ -2689,7 +2696,7 @@ } } -void PortTablePrintInputEx( PortTable * p, +void PortTablePrintInputEx( PortTable * p, void (*print_index_map)(int index, char *buf, int bufsize) ) { PortObject * po; @@ -2702,9 +2709,9 @@ } } /* - Prints Compiled Ports/Rules Objects + Prints Compiled Ports/Rules Objects */ -int PortTablePrintCompiledEx( PortTable * p , +int PortTablePrintCompiledEx( PortTable * p , void (*print_index_map)(int index, char *buf, int bufsize) ) { PortObject2 * po = NULL; @@ -2726,7 +2733,7 @@ } /* - Print port items. Used internally by sfportobject.c. + Print port items. Used internally by sfportobject.c. Buffer assumed trusted. */ static void PortObjectItemPrint ( PortObjectItem * poi, char *dstbuf, int bufsize ) @@ -2735,7 +2742,7 @@ if( poi->flags & PORT_OBJECT_NOT_FLAG ) SnortSnprintfAppend(dstbuf, bufsize, "!"); - + switch( poi->type ) { case PORT_OBJECT_PORT : @@ -2749,7 +2756,7 @@ case PORT_OBJECT_ANY: SnortSnprintfAppend(dstbuf, bufsize, "any"); break; - + default: SnortSnprintfAppend(dstbuf, bufsize, " unknown port type @ %p", (void*)poi); break; 
@@ -2763,18 +2770,18 @@ char * buf; int bufsize; - /* Need to buffer the string so we only do one LogMessage, + /* Need to buffer the string so we only do one LogMessage, * due to syslog output. The largest string needed to represent * each portobject is the length required to represent: * " unknown port type @ 0x<8 max bytes>" (See PortObjectItemPrint), or: - * 30 bytes. For the entire list, need room for spaces and brackets and + * 30 bytes. For the entire list, need room for spaces and brackets and * potential negations. Or: - * list_size * (30 + 1space_for_each_element, + + * list_size * (30 + 1space_for_each_element, + * 1potential_negation) + surrounding_whitespace + brackets + NULL */ - + bufsize = po->item_list->count * (30 + 1 + 1) + 5; buf = (char*)SnortAlloc(bufsize); - + SnortSnprintfAppend(buf, bufsize, " ["); for(poi=(PortObjectItem*)sflist_firstpos(po->item_list, &pos); @@ -2786,7 +2793,7 @@ SnortSnprintfAppend(buf, bufsize, " ]"); - LogMessage("%s", buf); + LogMessage("%s", buf); free(buf); } @@ -2801,19 +2808,19 @@ po_print_buf[0] = '\0'; SnortSnprintfAppend(po_print_buf, bufsize, " PortObject "); - - if( po->name ) - { + + if( po->name ) + { SnortSnprintfAppend(po_print_buf, bufsize, "%s ", po->name); } - - SnortSnprintfAppend(po_print_buf, bufsize, - " Id:%d Ports:%d Rules:%d\n {\n Ports [", + + SnortSnprintfAppend(po_print_buf, bufsize, + " Id:%d Ports:%d Rules:%d\n {\n Ports [", po->id, po->item_list->count, po->rule_hash->count); if( PortObjectHasAny( (PortObject*)po ) ) { - SnortSnprintfAppend(po_print_buf, bufsize, "any"); + SnortSnprintfAppend(po_print_buf, bufsize, "any"); } else { @@ -2821,7 +2828,7 @@ poi != 0; poi=(PortObjectItem*)sflist_nextpos(po->item_list,&pos) ) { - PortObjectItemPrint(poi, po_print_buf, bufsize); + PortObjectItemPrint(poi, po_print_buf, bufsize); } } @@ -2831,7 +2838,7 @@ /* Print Port Object - Prints input ports and rules (uncompiled) - ports + ports rules (input by user) */ 
@@ -2849,24 +2856,24 @@ if( !po ) return ; - + if( !po->rule_list ) return ; - + if( !po->rule_list->count ) return ; SnortSnprintfAppend(po_print_buf, bufsize, " PortObject "); - - if( po->name ) + + if( po->name ) { SnortSnprintfAppend(po_print_buf, bufsize, "%s ", po->name); } - - SnortSnprintfAppend(po_print_buf, bufsize, + + SnortSnprintfAppend(po_print_buf, bufsize, " Id:%d Ports:%d Rules:%d\n {\n", - po->id, po->item_list->count,po->rule_list->count ); - + po->id, po->item_list->count,po->rule_list->count ); + SnortSnprintfAppend(po_print_buf, bufsize, " Ports [\n "); if( PortObjectHasAny( po ) ) @@ -2879,7 +2886,7 @@ poi != 0; poi=(PortObjectItem*)sflist_nextpos(po->item_list,&pos) ) { - PortObjectItemPrint(poi, po_print_buf, bufsize); + PortObjectItemPrint(poi, po_print_buf, bufsize); } } SnortSnprintfAppend(po_print_buf, bufsize, " ]\n"); @@ -2889,13 +2896,13 @@ { return ; } - + SnortSnprintfAppend(po_print_buf, bufsize, " Rules [ \n "); for(i=0;i<po->rule_list->count;i++) { if( print_index_map ) { - print_index_map( rlist[i], po_print_buf, bufsize ); + print_index_map( rlist[i], po_print_buf, bufsize ); } else { @@ -2909,8 +2916,8 @@ } } SnortSnprintfAppend(po_print_buf, bufsize, " ]\n }\n"); - - LogMessage("%s", po_print_buf); + + LogMessage("%s", po_print_buf); free(rlist); } // extern void rule_index_map_print_index( int index ); @@ -2919,7 +2926,7 @@ PortObjectPrintEx( po, rule_index_map_print_index ); } -void PortObject2PrintEx(PortObject2 * po, +void PortObject2PrintEx(PortObject2 * po, void (*print_index_map)(int index, char *buf, int bufsize) ) { PortObjectItem * poi = NULL; 
@@ -2932,12 +2939,12 @@ po_print_buf[0] = '\0'; SnortSnprintfAppend(po_print_buf, bufsize, " PortObject2 "); - + if( po->name ) SnortSnprintfAppend(po_print_buf, bufsize, "%s ",po->name); - + SnortSnprintfAppend(po_print_buf, bufsize, " Id:%d Ports:%d Rules:%d PortUsageCnt=%d\n {\n", po->id, po->item_list->count, po->rule_hash->count, po->port_cnt ); - + SnortSnprintfAppend(po_print_buf, bufsize, " Ports [\n "); if( PortObjectHasAny( (PortObject*)po ) ) @@ -2959,13 +2966,13 @@ rlist = RuleHashToSortedArray( po->rule_hash ); if(!rlist ) return ; - + SnortSnprintfAppend(po_print_buf, bufsize, " Rules [ \n "); for(i=0;i<po->rule_hash->count;i++) { if( print_index_map ) { - print_index_map( rlist[i], po_print_buf, bufsize ); + print_index_map( rlist[i], po_print_buf, bufsize ); } else { @@ -2979,7 +2986,7 @@ } } SnortSnprintfAppend(po_print_buf, bufsize, " ]\n }\n"); - + LogMessage("%s", po_print_buf); free(rlist); @@ -2990,7 +2997,7 @@ PortObject2PrintEx( po, rule_index_map_print_index ); } /* - Prints the original (normalized) PortGroups and + Prints the original (normalized) PortGroups and as sepcified by the user */ void PortTablePrintUserRules( PortTable * p ) @@ -3014,7 +3021,7 @@ void PortTablePrintPortGroups( PortTable * p ) { PortObject2 * po; - SFGHASH_NODE * ponode; + SFGHASH_NODE * ponode; /* normalized user PortObjects and rule ids */ LogMessage(">>>PortTable - Compiled Port Groups\n"); @@ -3024,15 +3031,15 @@ ponode!= 0; ponode = sfghash_findnext(p->pt_mpo_hash) ) { - po = ponode->data; - + po = ponode->data; + PortObject2Print(po); } /* port array of rule ids */ } /* - Print + Print */ void PortTablePrintPortPortObjects( PortTable * p ) { @@ -3044,7 +3051,7 @@ po_print_buf[0] = '\0'; LogMessage(">>>Port PortObjects\n"); - + for(i=0;i<SFPO_MAX_PORTS;i++) { if( !p->pt_port_lists[i] ) continue; @@ -3077,7 +3084,7 @@ * */ -static +static int POParserInit( POParser * pop, char * s, PortVarTable * pvTable ) { memset(pop,0,sizeof(POParser)); 
@@ -3091,7 +3098,7 @@ } /* - Get a Char + Get a Char */ static int POPGetChar( POParser * pop ) @@ -3108,16 +3115,16 @@ } return 0; } -/* - Skip whitespace till we find a non-whitespace char +/* + Skip whitespace till we find a non-whitespace char */ static int POPGetChar2( POParser * pop ) { int c; - for(;;) + for(;;) { - c=POPGetChar( pop ) ; + c=POPGetChar( pop ) ; if( !c ) return 0; @@ -3129,7 +3136,7 @@ return c; } /* - Restore last char + Restore last char */ static void POPUnGetChar( POParser * pop ) @@ -3169,7 +3176,7 @@ while( k > 0 && cnt < smax ) { c = p->s[ cnt ]; - + if( c == 0 ) break; if( !isalpha(c) ) break; @@ -3191,7 +3198,7 @@ while( p->slen > 0 && cnt < smax ) { c = p->s[ 0 ]; - + if( c == 0 ) break; if( !isalpha(c) ) break; @@ -3210,8 +3217,8 @@ int POPSkipSpace( POParser * p ) { int c; - for( c = POPPeekChar(p); - c != 0 ; + for( c = POPPeekChar(p); + c != 0 ; c = POPPeekChar(p) ) { if( !isspace(c) && c != ',' ) @@ -3231,18 +3238,18 @@ int c; /* check if were done */ - if( !pop || !pop->s || !*(pop->s) ) - return 0; + if( !pop || !pop->s || !*(pop->s) ) + return 0; /* Start the name - skip space */ c = POPGetChar2(pop) ; - if( !c ) + if( !c ) return 0; if( c== '$' )/* skip leading '$' - old Var indicator */ { c = POPGetChar2(pop) ; - if( !c ) + if( !c ) return 0; } @@ -3258,7 +3265,7 @@ } for( c = POPGetChar(pop); - c != 0 && k < POP_MAX_BUFFER_SIZE; + c != 0 && k < POP_MAX_BUFFER_SIZE; c = POPGetChar(pop) ) { if( isalnum(c) || c== '_' || c=='-' || c=='.' ) @@ -3341,7 +3348,7 @@ return NULL; } - pox = PortVarTableFind(pop->pvTable, name); + pox = PortVarTableFind(pop->pvTable, name); free(name); if(!pox) 
@@ -3355,16 +3362,16 @@ if(!pox) { pop->errflag = POPERR_MALLOC_FAILED; - return NULL; + return NULL; } return pox; } -/* - * Sets the PORT_OBJECT_NOT_FLAG flag on each port object item in the list +/* + * Sets the PORT_OBJECT_NOT_FLAG flag on each port object item in the list */ -static void _PONegateList(PortObject *po) +static void _PONegateList(PortObject *po) { PortObjectItem *poi; SF_LNODE * pos; @@ -3380,7 +3387,7 @@ } } -static PortObject *_POParsePort(POParser *pop) +static PortObject *_POParsePort(POParser *pop) { uint16_t hport, lport; char c; @@ -3497,7 +3504,7 @@ PortObjectFree(po); return NULL; } - + if( (tok = SnortStrndup(pop->s, end - pop->s)) == NULL) { pop->errflag = POPERR_MALLOC_FAILED; @@ -3511,21 +3518,21 @@ potmp = _POParseString(&local_pop); free(tok); - if(!potmp) - { + if(!potmp) + { pop->errflag = local_pop.errflag; PortObjectFree(po); return NULL; } /* Advance "cursor" to end of this list */ - for(; c && pop->s != end; c = POPGetChar2(pop)) + for(; c && pop->s != end; c = POPGetChar2(pop)) ; } else if(c == ']') { list_count--; - + if(list_count < 0) { pop->errflag = POPERR_EXTRA_BRACKET; @@ -3542,7 +3549,7 @@ potmp = _POParsePort(pop); } - if(!potmp) + if(!potmp) { PortObjectFree(po); return NULL; @@ -3553,10 +3560,10 @@ /* Note: this intentionally only sets the negation flag! */ /* The actual negation will take place when normalization is called */ _PONegateList(potmp); - + local_neg = 0; } - + if(PortObjectAddPortObject(po, potmp, &pop->errflag)) { PortObjectFree(po); @@ -3588,7 +3595,7 @@ * PortObject : name value * PortObject : name [!][ value value value ... ] * -* value : [!]port +* value : [!]port * [!]low-port[:high-port] * * inputs: 
@@ -3596,18 +3603,18 @@ * pop - parsing structure * s - string with port object text * -* nameflag - indicates a name must be present, this allows usage for +* nameflag - indicates a name must be present, this allows usage for * embedded rule or portvar declarations of portlists * returns: * (PortObject *) - a normalized version */ -PortObject * PortObjectParseString ( PortVarTable * pvTable, POParser * pop, +PortObject * PortObjectParseString ( PortVarTable * pvTable, POParser * pop, char * name, char * s , int nameflag ) { PortObject *po, *potmp; DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS,"PortObjectParseString: %s\n",s);); - + POParserInit( pop, s, pvTable ); po = PortObjectNew(); @@ -3634,7 +3641,7 @@ else po->name = SnortStrdup("noname"); } - + // LogMessage("PortObjectParseString: po->name=%s\n",po->name); potmp = _POParseString(pop); @@ -3645,7 +3652,7 @@ return NULL; } - PortObjectNormalize(potmp); + PortObjectNormalize(potmp); if(PortObjectAddPortObject(po, potmp, &pop->errflag)) { @@ -3684,13 +3691,13 @@ /* -* +* * PORT VAR TABLE FUNCTIONS -* +* */ /* -* Create a PortVar Table +* Create a PortVar Table * * The PortVar table used to store and lookup Named PortObjects */ @@ -3725,7 +3732,7 @@ /* * PortVarTableAdd() * -* returns +* returns * -1 : error, no memory... * 0 : added * 1 : in table @@ -3734,9 +3741,9 @@ { int stat; stat = sfghash_add(h,po->name,po); - if( stat == SFGHASH_INTABLE ) + if( stat == SFGHASH_INTABLE ) return 1; - if( stat == SFGHASH_OK ) + if( stat == SFGHASH_OK ) return 0; return -1; } @@ -3752,7 +3759,7 @@ /* This deletes the table, the PortObjects and PortObjectItems, and rule list. -*/ +*/ int PortVarTableFree(PortVarTable * pvt) { if( pvt ) @@ -3764,7 +3771,7 @@ /* - TEST DRIVER + TEST DRIVER PorObjects use the follow creation strategy @@ -3806,7 +3813,7 @@ if( strcmp(argv[i],"-lrp")==0 ) lrp=atoi(argv[++i]); } - /* + /* Create a PortVar table - this is automatic and not necessary */ pvTable=PortVarTableCreate(); 
@@ -3816,13 +3823,13 @@ exit(1); } - /* - Create a table for src and one for dst + /* + Create a table for src and one for dst we'll only add specific ports, no ANY ports, - but ranges are ok. + but ranges are ok. */ p = PortTableNew(); - if(!p) + if(!p) { LogMessage("no memory\n"); exit(0); @@ -3831,7 +3838,7 @@ for(i=1;i<argc;i++) { - if( argv[i][0] == '-' ) + if( argv[i][0] == '-' ) { if( strcmp(argv[i],"-names")==0 ) names=0;/* disable names in var input*/ continue; @@ -3842,7 +3849,7 @@ //if( i==2) portlist = sample2; //LogMessage("PortObject : '%s' \n",portlist); - /* + /* This is seperate fom PortVar's since some rules may declare these inline */ po = PortObjectParseString ( pvTable, &pop, argv[i], PORTLISTS, names/* bool 0/1 - name required in parse */); @@ -3867,9 +3874,9 @@ exit(0); } - /* - Assume each PortVar object has one rule and add it to the PortTable - PortObjects that are defined in rules have no names and are not + /* + Assume each PortVar object has one rule and add it to the PortTable + PortObjects that are defined in rules have no names and are not added to the PortVar table */ PortTableAddObject(p,po,k++/*rule id*/); diff -Nru snort-2.9.0.1/src/sfutil/sfportobject.h snort-2.9.2/src/sfutil/sfportobject.h --- snort-2.9.0.1/src/sfutil/sfportobject.h 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfportobject.h 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfprimetable.c snort-2.9.2/src/sfutil/sfprimetable.c --- snort-2.9.0.1/src/sfutil/sfprimetable.c 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfprimetable.c 2011-06-07 17:33:20.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -25,4119 +25,4123 @@ * Prime number calculation via Table lookups. * * This was implemented for use with the hasing functions -* in sfghash, and sfxhash. +* in sfghash, and sfxhash. * */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfprimetable.h" /* 0-8K, increments=8 */ -static +static unsigned prime_table0[1024]={ - 3, /* 1 */ - 7, /* 9 */ - 17, /* 17 */ - 23, /* 25 */ - 31, /* 33 */ - 41, /* 41 */ - 47, /* 49 */ - 53, /* 57 */ - 61, /* 65 */ - 73, /* 73 */ - 79, /* 81 */ - 89, /* 89 */ - 97, /* 97 */ - 103, /* 105 */ - 113, /* 113 */ - 113, /* 121 */ - 127, /* 129 */ - 137, /* 137 */ - 139, /* 145 */ - 151, /* 153 */ - 157, /* 161 */ - 167, /* 169 */ - 173, /* 177 */ - 181, /* 185 */ - 193, /* 193 */ - 199, /* 201 */ - 199, /* 209 */ - 211, /* 217 */ - 223, /* 225 */ - 233, /* 233 */ - 241, /* 241 */ - 241, /* 249 */ - 257, /* 257 */ - 263, /* 265 */ - 271, /* 273 */ - 281, /* 281 */ - 283, /* 289 */ - 293, /* 297 */ - 293, /* 305 */ - 313, /* 313 */ - 317, /* 321 */ - 317, /* 329 */ - 337, /* 337 */ - 337, /* 345 */ - 353, /* 353 */ - 359, /* 361 */ - 367, /* 369 */ - 373, /* 377 */ - 383, /* 385 */ - 389, /* 393 */ - 401, /* 401 */ - 409, /* 409 */ - 409, /* 417 */ - 421, /* 425 */ - 433, /* 433 */ - 439, /* 441 */ - 449, /* 449 */ - 457, /* 457 */ - 463, /* 465 */ - 467, /* 473 */ - 479, /* 481 */ - 487, /* 489 */ - 491, /* 497 */ - 503, /* 505 */ - 509, /* 513 */ - 521, /* 521 */ - 523, /* 529 */ - 523, /* 537 */ - 541, /* 545 */ - 547, /* 553 */ - 557, /* 561 */ - 569, /* 569 */ - 577, /* 577 */ - 577, /* 585 */ - 593, /* 593 */ - 601, /* 601 */ - 607, /* 609 */ - 617, /* 617 */ - 619, /* 625 */ - 631, /* 633 */ - 641, /* 641 */ - 647, /* 649 */ - 653, /* 657 */ - 661, /* 665 */ - 673, /* 673 */ - 677, /* 681 */ - 683, /* 689 */ - 691, /* 697 */ - 701, /* 705 */ - 709, /* 713 */ - 719, /* 721 */ - 727, /* 729 */ - 733, /* 737 */ - 743, /* 745 */ - 751, /* 753 */ - 761, /* 761 */ - 769, /* 769 */ - 773, /* 777 */ - 773, /* 785 */ - 787, 
/* 793 */ - 797, /* 801 */ - 809, /* 809 */ - 811, /* 817 */ - 823, /* 825 */ - 829, /* 833 */ - 839, /* 841 */ - 839, /* 849 */ - 857, /* 857 */ - 863, /* 865 */ - 863, /* 873 */ - 881, /* 881 */ - 887, /* 889 */ - 887, /* 897 */ - 887, /* 905 */ - 911, /* 913 */ - 919, /* 921 */ - 929, /* 929 */ - 937, /* 937 */ - 941, /* 945 */ - 953, /* 953 */ - 953, /* 961 */ - 967, /* 969 */ - 977, /* 977 */ - 983, /* 985 */ - 991, /* 993 */ - 997, /* 1001 */ - 1009, /* 1009 */ - 1013, /* 1017 */ - 1021, /* 1025 */ - 1033, /* 1033 */ - 1039, /* 1041 */ - 1049, /* 1049 */ - 1051, /* 1057 */ - 1063, /* 1065 */ - 1069, /* 1073 */ - 1069, /* 1081 */ - 1087, /* 1089 */ - 1097, /* 1097 */ - 1103, /* 1105 */ - 1109, /* 1113 */ - 1117, /* 1121 */ - 1129, /* 1129 */ - 1129, /* 1137 */ - 1129, /* 1145 */ - 1153, /* 1153 */ - 1153, /* 1161 */ - 1163, /* 1169 */ - 1171, /* 1177 */ - 1181, /* 1185 */ - 1193, /* 1193 */ - 1201, /* 1201 */ - 1201, /* 1209 */ - 1217, /* 1217 */ - 1223, /* 1225 */ - 1231, /* 1233 */ - 1237, /* 1241 */ - 1249, /* 1249 */ - 1249, /* 1257 */ - 1259, /* 1265 */ - 1259, /* 1273 */ - 1279, /* 1281 */ - 1289, /* 1289 */ - 1297, /* 1297 */ - 1303, /* 1305 */ - 1307, /* 1313 */ - 1321, /* 1321 */ - 1327, /* 1329 */ - 1327, /* 1337 */ - 1327, /* 1345 */ - 1327, /* 1353 */ - 1361, /* 1361 */ - 1367, /* 1369 */ - 1373, /* 1377 */ - 1381, /* 1385 */ - 1381, /* 1393 */ - 1399, /* 1401 */ - 1409, /* 1409 */ - 1409, /* 1417 */ - 1423, /* 1425 */ - 1433, /* 1433 */ - 1439, /* 1441 */ - 1447, /* 1449 */ - 1453, /* 1457 */ - 1459, /* 1465 */ - 1471, /* 1473 */ - 1481, /* 1481 */ - 1489, /* 1489 */ - 1493, /* 1497 */ - 1499, /* 1505 */ - 1511, /* 1513 */ - 1511, /* 1521 */ - 1523, /* 1529 */ - 1531, /* 1537 */ - 1543, /* 1545 */ - 1553, /* 1553 */ - 1559, /* 1561 */ - 1567, /* 1569 */ - 1571, /* 1577 */ - 1583, /* 1585 */ - 1583, /* 1593 */ - 1601, /* 1601 */ - 1609, /* 1609 */ - 1613, /* 1617 */ - 1621, /* 1625 */ - 1627, /* 1633 */ - 1637, /* 1641 */ - 1637, /* 1649 */ - 1657, 
/* 1657 */ - 1663, /* 1665 */ - 1669, /* 1673 */ - 1669, /* 1681 */ - 1669, /* 1689 */ - 1697, /* 1697 */ - 1699, /* 1705 */ - 1709, /* 1713 */ - 1721, /* 1721 */ - 1723, /* 1729 */ - 1733, /* 1737 */ - 1741, /* 1745 */ - 1753, /* 1753 */ - 1759, /* 1761 */ - 1759, /* 1769 */ - 1777, /* 1777 */ - 1783, /* 1785 */ - 1789, /* 1793 */ - 1801, /* 1801 */ - 1801, /* 1809 */ - 1811, /* 1817 */ - 1823, /* 1825 */ - 1831, /* 1833 */ - 1831, /* 1841 */ - 1847, /* 1849 */ - 1847, /* 1857 */ - 1861, /* 1865 */ - 1873, /* 1873 */ - 1879, /* 1881 */ - 1889, /* 1889 */ - 1889, /* 1897 */ - 1901, /* 1905 */ - 1913, /* 1913 */ - 1913, /* 1921 */ - 1913, /* 1929 */ - 1933, /* 1937 */ - 1933, /* 1945 */ - 1951, /* 1953 */ - 1951, /* 1961 */ - 1951, /* 1969 */ - 1973, /* 1977 */ - 1979, /* 1985 */ - 1993, /* 1993 */ - 1999, /* 2001 */ - 2003, /* 2009 */ - 2017, /* 2017 */ - 2017, /* 2025 */ - 2029, /* 2033 */ - 2039, /* 2041 */ - 2039, /* 2049 */ - 2053, /* 2057 */ - 2063, /* 2065 */ - 2069, /* 2073 */ - 2081, /* 2081 */ - 2089, /* 2089 */ - 2089, /* 2097 */ - 2099, /* 2105 */ - 2113, /* 2113 */ - 2113, /* 2121 */ - 2129, /* 2129 */ - 2137, /* 2137 */ - 2143, /* 2145 */ - 2153, /* 2153 */ - 2161, /* 2161 */ - 2161, /* 2169 */ - 2161, /* 2177 */ - 2179, /* 2185 */ - 2179, /* 2193 */ - 2179, /* 2201 */ - 2207, /* 2209 */ - 2213, /* 2217 */ - 2221, /* 2225 */ - 2221, /* 2233 */ - 2239, /* 2241 */ - 2243, /* 2249 */ - 2251, /* 2257 */ - 2251, /* 2265 */ - 2273, /* 2273 */ - 2281, /* 2281 */ - 2287, /* 2289 */ - 2297, /* 2297 */ - 2297, /* 2305 */ - 2311, /* 2313 */ - 2311, /* 2321 */ - 2311, /* 2329 */ - 2333, /* 2337 */ - 2341, /* 2345 */ - 2351, /* 2353 */ - 2357, /* 2361 */ - 2357, /* 2369 */ - 2377, /* 2377 */ - 2383, /* 2385 */ - 2393, /* 2393 */ - 2399, /* 2401 */ - 2399, /* 2409 */ - 2417, /* 2417 */ - 2423, /* 2425 */ - 2423, /* 2433 */ - 2441, /* 2441 */ - 2447, /* 2449 */ - 2447, /* 2457 */ - 2459, /* 2465 */ - 2473, /* 2473 */ - 2477, /* 2481 */ - 2477, /* 2489 */ - 2477, /* 
2497 */ - 2503, /* 2505 */ - 2503, /* 2513 */ - 2521, /* 2521 */ - 2521, /* 2529 */ - 2531, /* 2537 */ - 2543, /* 2545 */ - 2551, /* 2553 */ - 2557, /* 2561 */ - 2557, /* 2569 */ - 2557, /* 2577 */ - 2579, /* 2585 */ - 2593, /* 2593 */ - 2593, /* 2601 */ - 2609, /* 2609 */ - 2617, /* 2617 */ - 2621, /* 2625 */ - 2633, /* 2633 */ - 2633, /* 2641 */ - 2647, /* 2649 */ - 2657, /* 2657 */ - 2663, /* 2665 */ - 2671, /* 2673 */ - 2677, /* 2681 */ - 2689, /* 2689 */ - 2693, /* 2697 */ - 2699, /* 2705 */ - 2713, /* 2713 */ - 2719, /* 2721 */ - 2729, /* 2729 */ - 2731, /* 2737 */ - 2741, /* 2745 */ - 2753, /* 2753 */ - 2753, /* 2761 */ - 2767, /* 2769 */ - 2777, /* 2777 */ - 2777, /* 2785 */ - 2791, /* 2793 */ - 2801, /* 2801 */ - 2803, /* 2809 */ - 2803, /* 2817 */ - 2819, /* 2825 */ - 2833, /* 2833 */ - 2837, /* 2841 */ - 2843, /* 2849 */ - 2857, /* 2857 */ - 2861, /* 2865 */ - 2861, /* 2873 */ - 2879, /* 2881 */ - 2887, /* 2889 */ - 2897, /* 2897 */ - 2903, /* 2905 */ - 2909, /* 2913 */ - 2917, /* 2921 */ - 2927, /* 2929 */ - 2927, /* 2937 */ - 2939, /* 2945 */ - 2953, /* 2953 */ - 2957, /* 2961 */ - 2969, /* 2969 */ - 2971, /* 2977 */ - 2971, /* 2985 */ - 2971, /* 2993 */ - 3001, /* 3001 */ - 3001, /* 3009 */ - 3011, /* 3017 */ - 3023, /* 3025 */ - 3023, /* 3033 */ - 3041, /* 3041 */ - 3049, /* 3049 */ - 3049, /* 3057 */ - 3061, /* 3065 */ - 3067, /* 3073 */ - 3079, /* 3081 */ - 3089, /* 3089 */ - 3089, /* 3097 */ - 3089, /* 3105 */ - 3109, /* 3113 */ - 3121, /* 3121 */ - 3121, /* 3129 */ - 3137, /* 3137 */ - 3137, /* 3145 */ - 3137, /* 3153 */ - 3137, /* 3161 */ - 3169, /* 3169 */ - 3169, /* 3177 */ - 3181, /* 3185 */ - 3191, /* 3193 */ - 3191, /* 3201 */ - 3209, /* 3209 */ - 3217, /* 3217 */ - 3221, /* 3225 */ - 3229, /* 3233 */ - 3229, /* 3241 */ - 3229, /* 3249 */ - 3257, /* 3257 */ - 3259, /* 3265 */ - 3271, /* 3273 */ - 3271, /* 3281 */ - 3271, /* 3289 */ - 3271, /* 3297 */ - 3301, /* 3305 */ - 3313, /* 3313 */ - 3319, /* 3321 */ - 3329, /* 3329 */ - 3331, /* 3337 
*/ - 3343, /* 3345 */ - 3347, /* 3353 */ - 3361, /* 3361 */ - 3361, /* 3369 */ - 3373, /* 3377 */ - 3373, /* 3385 */ - 3391, /* 3393 */ - 3391, /* 3401 */ - 3407, /* 3409 */ - 3413, /* 3417 */ - 3413, /* 3425 */ - 3433, /* 3433 */ - 3433, /* 3441 */ - 3449, /* 3449 */ - 3457, /* 3457 */ - 3463, /* 3465 */ - 3469, /* 3473 */ - 3469, /* 3481 */ - 3469, /* 3489 */ - 3491, /* 3497 */ - 3499, /* 3505 */ - 3511, /* 3513 */ - 3517, /* 3521 */ - 3529, /* 3529 */ - 3533, /* 3537 */ - 3541, /* 3545 */ - 3547, /* 3553 */ - 3559, /* 3561 */ - 3559, /* 3569 */ - 3571, /* 3577 */ - 3583, /* 3585 */ - 3593, /* 3593 */ - 3593, /* 3601 */ - 3607, /* 3609 */ - 3617, /* 3617 */ - 3623, /* 3625 */ - 3631, /* 3633 */ - 3637, /* 3641 */ - 3643, /* 3649 */ - 3643, /* 3657 */ - 3659, /* 3665 */ - 3673, /* 3673 */ - 3677, /* 3681 */ - 3677, /* 3689 */ - 3697, /* 3697 */ - 3701, /* 3705 */ - 3709, /* 3713 */ - 3719, /* 3721 */ - 3727, /* 3729 */ - 3733, /* 3737 */ - 3739, /* 3745 */ - 3739, /* 3753 */ - 3761, /* 3761 */ - 3769, /* 3769 */ - 3769, /* 3777 */ - 3779, /* 3785 */ - 3793, /* 3793 */ - 3797, /* 3801 */ - 3803, /* 3809 */ - 3803, /* 3817 */ - 3823, /* 3825 */ - 3833, /* 3833 */ - 3833, /* 3841 */ - 3847, /* 3849 */ - 3853, /* 3857 */ - 3863, /* 3865 */ - 3863, /* 3873 */ - 3881, /* 3881 */ - 3889, /* 3889 */ - 3889, /* 3897 */ - 3889, /* 3905 */ - 3911, /* 3913 */ - 3919, /* 3921 */ - 3929, /* 3929 */ - 3931, /* 3937 */ - 3943, /* 3945 */ - 3947, /* 3953 */ - 3947, /* 3961 */ - 3967, /* 3969 */ - 3967, /* 3977 */ - 3967, /* 3985 */ - 3989, /* 3993 */ - 4001, /* 4001 */ - 4007, /* 4009 */ - 4013, /* 4017 */ - 4021, /* 4025 */ - 4027, /* 4033 */ - 4027, /* 4041 */ - 4049, /* 4049 */ - 4057, /* 4057 */ - 4057, /* 4065 */ - 4073, /* 4073 */ - 4079, /* 4081 */ - 4079, /* 4089 */ - 4093, /* 4097 */ - 4099, /* 4105 */ - 4111, /* 4113 */ - 4111, /* 4121 */ - 4129, /* 4129 */ - 4133, /* 4137 */ - 4139, /* 4145 */ - 4153, /* 4153 */ - 4159, /* 4161 */ - 4159, /* 4169 */ - 4177, /* 4177 */ - 
4177, /* 4185 */ - 4177, /* 4193 */ - 4201, /* 4201 */ - 4201, /* 4209 */ - 4217, /* 4217 */ - 4219, /* 4225 */ - 4231, /* 4233 */ - 4241, /* 4241 */ - 4243, /* 4249 */ - 4253, /* 4257 */ - 4261, /* 4265 */ - 4273, /* 4273 */ - 4273, /* 4281 */ - 4289, /* 4289 */ - 4297, /* 4297 */ - 4297, /* 4305 */ - 4297, /* 4313 */ - 4297, /* 4321 */ - 4327, /* 4329 */ - 4337, /* 4337 */ - 4339, /* 4345 */ - 4349, /* 4353 */ - 4357, /* 4361 */ - 4363, /* 4369 */ - 4373, /* 4377 */ - 4373, /* 4385 */ - 4391, /* 4393 */ - 4397, /* 4401 */ - 4409, /* 4409 */ - 4409, /* 4417 */ - 4423, /* 4425 */ - 4423, /* 4433 */ - 4441, /* 4441 */ - 4447, /* 4449 */ - 4457, /* 4457 */ - 4463, /* 4465 */ - 4463, /* 4473 */ - 4481, /* 4481 */ - 4483, /* 4489 */ - 4493, /* 4497 */ - 4493, /* 4505 */ - 4513, /* 4513 */ - 4519, /* 4521 */ - 4523, /* 4529 */ - 4523, /* 4537 */ - 4523, /* 4545 */ - 4549, /* 4553 */ - 4561, /* 4561 */ - 4567, /* 4569 */ - 4567, /* 4577 */ - 4583, /* 4585 */ - 4591, /* 4593 */ - 4597, /* 4601 */ - 4603, /* 4609 */ - 4603, /* 4617 */ - 4621, /* 4625 */ - 4621, /* 4633 */ - 4639, /* 4641 */ - 4649, /* 4649 */ - 4657, /* 4657 */ - 4663, /* 4665 */ - 4673, /* 4673 */ - 4679, /* 4681 */ - 4679, /* 4689 */ - 4691, /* 4697 */ - 4703, /* 4705 */ - 4703, /* 4713 */ - 4721, /* 4721 */ - 4729, /* 4729 */ - 4733, /* 4737 */ - 4733, /* 4745 */ - 4751, /* 4753 */ - 4759, /* 4761 */ - 4759, /* 4769 */ - 4759, /* 4777 */ - 4783, /* 4785 */ - 4793, /* 4793 */ - 4801, /* 4801 */ - 4801, /* 4809 */ - 4817, /* 4817 */ - 4817, /* 4825 */ - 4831, /* 4833 */ - 4831, /* 4841 */ - 4831, /* 4849 */ - 4831, /* 4857 */ - 4861, /* 4865 */ - 4871, /* 4873 */ - 4877, /* 4881 */ - 4889, /* 4889 */ - 4889, /* 4897 */ - 4903, /* 4905 */ - 4909, /* 4913 */ - 4919, /* 4921 */ - 4919, /* 4929 */ - 4937, /* 4937 */ - 4943, /* 4945 */ - 4951, /* 4953 */ - 4957, /* 4961 */ - 4969, /* 4969 */ - 4973, /* 4977 */ - 4973, /* 4985 */ - 4993, /* 4993 */ - 4999, /* 5001 */ - 5009, /* 5009 */ - 5011, /* 5017 */ - 
5023, /* 5025 */ - 5023, /* 5033 */ - 5039, /* 5041 */ - 5039, /* 5049 */ - 5051, /* 5057 */ - 5059, /* 5065 */ - 5059, /* 5073 */ - 5081, /* 5081 */ - 5087, /* 5089 */ - 5087, /* 5097 */ - 5101, /* 5105 */ - 5113, /* 5113 */ - 5119, /* 5121 */ - 5119, /* 5129 */ - 5119, /* 5137 */ - 5119, /* 5145 */ - 5153, /* 5153 */ - 5153, /* 5161 */ - 5167, /* 5169 */ - 5171, /* 5177 */ - 5179, /* 5185 */ - 5189, /* 5193 */ - 5197, /* 5201 */ - 5209, /* 5209 */ - 5209, /* 5217 */ - 5209, /* 5225 */ - 5233, /* 5233 */ - 5237, /* 5241 */ - 5237, /* 5249 */ - 5237, /* 5257 */ - 5261, /* 5265 */ - 5273, /* 5273 */ - 5281, /* 5281 */ - 5281, /* 5289 */ - 5297, /* 5297 */ - 5303, /* 5305 */ - 5309, /* 5313 */ - 5309, /* 5321 */ - 5323, /* 5329 */ - 5333, /* 5337 */ - 5333, /* 5345 */ - 5351, /* 5353 */ - 5351, /* 5361 */ - 5351, /* 5369 */ - 5351, /* 5377 */ - 5381, /* 5385 */ - 5393, /* 5393 */ - 5399, /* 5401 */ - 5407, /* 5409 */ - 5417, /* 5417 */ - 5419, /* 5425 */ - 5431, /* 5433 */ - 5441, /* 5441 */ - 5449, /* 5449 */ - 5449, /* 5457 */ - 5449, /* 5465 */ - 5471, /* 5473 */ - 5479, /* 5481 */ - 5483, /* 5489 */ - 5483, /* 5497 */ - 5503, /* 5505 */ - 5507, /* 5513 */ - 5521, /* 5521 */ - 5527, /* 5529 */ - 5531, /* 5537 */ - 5531, /* 5545 */ - 5531, /* 5553 */ - 5557, /* 5561 */ - 5569, /* 5569 */ - 5573, /* 5577 */ - 5581, /* 5585 */ - 5591, /* 5593 */ - 5591, /* 5601 */ - 5591, /* 5609 */ - 5591, /* 5617 */ - 5623, /* 5625 */ - 5623, /* 5633 */ - 5641, /* 5641 */ - 5647, /* 5649 */ - 5657, /* 5657 */ - 5659, /* 5665 */ - 5669, /* 5673 */ - 5669, /* 5681 */ - 5689, /* 5689 */ - 5693, /* 5697 */ - 5701, /* 5705 */ - 5711, /* 5713 */ - 5717, /* 5721 */ - 5717, /* 5729 */ - 5737, /* 5737 */ - 5743, /* 5745 */ - 5749, /* 5753 */ - 5749, /* 5761 */ - 5749, /* 5769 */ - 5749, /* 5777 */ - 5783, /* 5785 */ - 5791, /* 5793 */ - 5801, /* 5801 */ - 5807, /* 5809 */ - 5813, /* 5817 */ - 5821, /* 5825 */ - 5827, /* 5833 */ - 5839, /* 5841 */ - 5849, /* 5849 */ - 5857, /* 5857 */ - 
5861, /* 5865 */ - 5869, /* 5873 */ - 5881, /* 5881 */ - 5881, /* 5889 */ - 5897, /* 5897 */ - 5903, /* 5905 */ - 5903, /* 5913 */ - 5903, /* 5921 */ - 5927, /* 5929 */ - 5927, /* 5937 */ - 5939, /* 5945 */ - 5953, /* 5953 */ - 5953, /* 5961 */ - 5953, /* 5969 */ - 5953, /* 5977 */ - 5981, /* 5985 */ - 5987, /* 5993 */ - 5987, /* 6001 */ - 6007, /* 6009 */ - 6011, /* 6017 */ - 6011, /* 6025 */ - 6029, /* 6033 */ - 6037, /* 6041 */ - 6047, /* 6049 */ - 6053, /* 6057 */ - 6053, /* 6065 */ - 6073, /* 6073 */ - 6079, /* 6081 */ - 6089, /* 6089 */ - 6091, /* 6097 */ - 6101, /* 6105 */ - 6113, /* 6113 */ - 6121, /* 6121 */ - 6121, /* 6129 */ - 6133, /* 6137 */ - 6143, /* 6145 */ - 6151, /* 6153 */ - 6151, /* 6161 */ - 6163, /* 6169 */ - 6173, /* 6177 */ - 6173, /* 6185 */ - 6173, /* 6193 */ - 6199, /* 6201 */ - 6203, /* 6209 */ - 6217, /* 6217 */ - 6221, /* 6225 */ - 6229, /* 6233 */ - 6229, /* 6241 */ - 6247, /* 6249 */ - 6257, /* 6257 */ - 6263, /* 6265 */ - 6271, /* 6273 */ - 6277, /* 6281 */ - 6287, /* 6289 */ - 6287, /* 6297 */ - 6301, /* 6305 */ - 6311, /* 6313 */ - 6317, /* 6321 */ - 6329, /* 6329 */ - 6337, /* 6337 */ - 6343, /* 6345 */ - 6353, /* 6353 */ - 6361, /* 6361 */ - 6367, /* 6369 */ - 6373, /* 6377 */ - 6379, /* 6385 */ - 6389, /* 6393 */ - 6397, /* 6401 */ - 6397, /* 6409 */ - 6397, /* 6417 */ - 6421, /* 6425 */ - 6427, /* 6433 */ - 6427, /* 6441 */ - 6449, /* 6449 */ - 6451, /* 6457 */ - 6451, /* 6465 */ - 6473, /* 6473 */ - 6481, /* 6481 */ - 6481, /* 6489 */ - 6491, /* 6497 */ - 6491, /* 6505 */ - 6491, /* 6513 */ - 6521, /* 6521 */ - 6529, /* 6529 */ - 6529, /* 6537 */ - 6529, /* 6545 */ - 6553, /* 6553 */ - 6553, /* 6561 */ - 6569, /* 6569 */ - 6577, /* 6577 */ - 6581, /* 6585 */ - 6581, /* 6593 */ - 6599, /* 6601 */ - 6607, /* 6609 */ - 6607, /* 6617 */ - 6619, /* 6625 */ - 6619, /* 6633 */ - 6637, /* 6641 */ - 6637, /* 6649 */ - 6653, /* 6657 */ - 6661, /* 6665 */ - 6673, /* 6673 */ - 6679, /* 6681 */ - 6689, /* 6689 */ - 6691, /* 6697 */ - 
6703, /* 6705 */ - 6709, /* 6713 */ - 6719, /* 6721 */ - 6719, /* 6729 */ - 6737, /* 6737 */ - 6737, /* 6745 */ - 6737, /* 6753 */ - 6761, /* 6761 */ - 6763, /* 6769 */ - 6763, /* 6777 */ - 6781, /* 6785 */ - 6793, /* 6793 */ - 6793, /* 6801 */ - 6803, /* 6809 */ - 6803, /* 6817 */ - 6823, /* 6825 */ - 6833, /* 6833 */ - 6841, /* 6841 */ - 6841, /* 6849 */ - 6857, /* 6857 */ - 6863, /* 6865 */ - 6871, /* 6873 */ - 6871, /* 6881 */ - 6883, /* 6889 */ - 6883, /* 6897 */ - 6899, /* 6905 */ - 6911, /* 6913 */ - 6917, /* 6921 */ - 6917, /* 6929 */ - 6917, /* 6937 */ - 6917, /* 6945 */ - 6949, /* 6953 */ - 6961, /* 6961 */ - 6967, /* 6969 */ - 6977, /* 6977 */ - 6983, /* 6985 */ - 6991, /* 6993 */ - 7001, /* 7001 */ - 7001, /* 7009 */ - 7013, /* 7017 */ - 7019, /* 7025 */ - 7027, /* 7033 */ - 7039, /* 7041 */ - 7043, /* 7049 */ - 7057, /* 7057 */ - 7057, /* 7065 */ - 7069, /* 7073 */ - 7079, /* 7081 */ - 7079, /* 7089 */ - 7079, /* 7097 */ - 7103, /* 7105 */ - 7109, /* 7113 */ - 7121, /* 7121 */ - 7129, /* 7129 */ - 7129, /* 7137 */ - 7129, /* 7145 */ - 7151, /* 7153 */ - 7159, /* 7161 */ - 7159, /* 7169 */ - 7177, /* 7177 */ - 7177, /* 7185 */ - 7193, /* 7193 */ - 7193, /* 7201 */ - 7207, /* 7209 */ - 7213, /* 7217 */ - 7219, /* 7225 */ - 7229, /* 7233 */ - 7237, /* 7241 */ - 7247, /* 7249 */ - 7253, /* 7257 */ - 7253, /* 7265 */ - 7253, /* 7273 */ - 7253, /* 7281 */ - 7283, /* 7289 */ - 7297, /* 7297 */ - 7297, /* 7305 */ - 7309, /* 7313 */ - 7321, /* 7321 */ - 7321, /* 7329 */ - 7333, /* 7337 */ - 7333, /* 7345 */ - 7351, /* 7353 */ - 7351, /* 7361 */ - 7369, /* 7369 */ - 7369, /* 7377 */ - 7369, /* 7385 */ - 7393, /* 7393 */ - 7393, /* 7401 */ - 7393, /* 7409 */ - 7417, /* 7417 */ - 7417, /* 7425 */ - 7433, /* 7433 */ - 7433, /* 7441 */ - 7433, /* 7449 */ - 7457, /* 7457 */ - 7459, /* 7465 */ - 7459, /* 7473 */ - 7481, /* 7481 */ - 7489, /* 7489 */ - 7489, /* 7497 */ - 7499, /* 7505 */ - 7507, /* 7513 */ - 7517, /* 7521 */ - 7529, /* 7529 */ - 7537, /* 7537 */ - 
7541, /* 7545 */ - 7549, /* 7553 */ - 7561, /* 7561 */ - 7561, /* 7569 */ - 7577, /* 7577 */ - 7583, /* 7585 */ - 7591, /* 7593 */ - 7591, /* 7601 */ - 7607, /* 7609 */ - 7607, /* 7617 */ - 7621, /* 7625 */ - 7621, /* 7633 */ - 7639, /* 7641 */ - 7649, /* 7649 */ - 7649, /* 7657 */ - 7649, /* 7665 */ - 7673, /* 7673 */ - 7681, /* 7681 */ - 7687, /* 7689 */ - 7691, /* 7697 */ - 7703, /* 7705 */ - 7703, /* 7713 */ - 7717, /* 7721 */ - 7727, /* 7729 */ - 7727, /* 7737 */ - 7741, /* 7745 */ - 7753, /* 7753 */ - 7759, /* 7761 */ - 7759, /* 7769 */ - 7759, /* 7777 */ - 7759, /* 7785 */ - 7793, /* 7793 */ - 7793, /* 7801 */ - 7793, /* 7809 */ - 7817, /* 7817 */ - 7823, /* 7825 */ - 7829, /* 7833 */ - 7841, /* 7841 */ - 7841, /* 7849 */ - 7853, /* 7857 */ - 7853, /* 7865 */ - 7873, /* 7873 */ - 7879, /* 7881 */ - 7883, /* 7889 */ - 7883, /* 7897 */ - 7901, /* 7905 */ - 7907, /* 7913 */ - 7919, /* 7921 */ - 7927, /* 7929 */ - 7937, /* 7937 */ - 7937, /* 7945 */ - 7951, /* 7953 */ - 7951, /* 7961 */ - 7963, /* 7969 */ - 7963, /* 7977 */ - 7963, /* 7985 */ - 7993, /* 7993 */ - 7993, /* 8001 */ - 8009, /* 8009 */ - 8017, /* 8017 */ - 8017, /* 8025 */ - 8017, /* 8033 */ - 8039, /* 8041 */ - 8039, /* 8049 */ - 8053, /* 8057 */ - 8059, /* 8065 */ - 8069, /* 8073 */ - 8081, /* 8081 */ - 8089, /* 8089 */ - 8093, /* 8097 */ - 8101, /* 8105 */ - 8111, /* 8113 */ - 8117, /* 8121 */ - 8123, /* 8129 */ - 8123, /* 8137 */ - 8123, /* 8145 */ - 8147, /* 8153 */ - 8161, /* 8161 */ - 8167, /* 8169 */ - 8171, /* 8177 */ - 8179, /* 8185 */ + 3, /* 1 */ + 7, /* 9 */ + 17, /* 17 */ + 23, /* 25 */ + 31, /* 33 */ + 41, /* 41 */ + 47, /* 49 */ + 53, /* 57 */ + 61, /* 65 */ + 73, /* 73 */ + 79, /* 81 */ + 89, /* 89 */ + 97, /* 97 */ + 103, /* 105 */ + 113, /* 113 */ + 113, /* 121 */ + 127, /* 129 */ + 137, /* 137 */ + 139, /* 145 */ + 151, /* 153 */ + 157, /* 161 */ + 167, /* 169 */ + 173, /* 177 */ + 181, /* 185 */ + 193, /* 193 */ + 199, /* 201 */ + 199, /* 209 */ + 211, /* 217 */ + 223, /* 225 */ 
+ 233, /* 233 */ + 241, /* 241 */ + 241, /* 249 */ + 257, /* 257 */ + 263, /* 265 */ + 271, /* 273 */ + 281, /* 281 */ + 283, /* 289 */ + 293, /* 297 */ + 293, /* 305 */ + 313, /* 313 */ + 317, /* 321 */ + 317, /* 329 */ + 337, /* 337 */ + 337, /* 345 */ + 353, /* 353 */ + 359, /* 361 */ + 367, /* 369 */ + 373, /* 377 */ + 383, /* 385 */ + 389, /* 393 */ + 401, /* 401 */ + 409, /* 409 */ + 409, /* 417 */ + 421, /* 425 */ + 433, /* 433 */ + 439, /* 441 */ + 449, /* 449 */ + 457, /* 457 */ + 463, /* 465 */ + 467, /* 473 */ + 479, /* 481 */ + 487, /* 489 */ + 491, /* 497 */ + 503, /* 505 */ + 509, /* 513 */ + 521, /* 521 */ + 523, /* 529 */ + 523, /* 537 */ + 541, /* 545 */ + 547, /* 553 */ + 557, /* 561 */ + 569, /* 569 */ + 577, /* 577 */ + 577, /* 585 */ + 593, /* 593 */ + 601, /* 601 */ + 607, /* 609 */ + 617, /* 617 */ + 619, /* 625 */ + 631, /* 633 */ + 641, /* 641 */ + 647, /* 649 */ + 653, /* 657 */ + 661, /* 665 */ + 673, /* 673 */ + 677, /* 681 */ + 683, /* 689 */ + 691, /* 697 */ + 701, /* 705 */ + 709, /* 713 */ + 719, /* 721 */ + 727, /* 729 */ + 733, /* 737 */ + 743, /* 745 */ + 751, /* 753 */ + 761, /* 761 */ + 769, /* 769 */ + 773, /* 777 */ + 773, /* 785 */ + 787, /* 793 */ + 797, /* 801 */ + 809, /* 809 */ + 811, /* 817 */ + 823, /* 825 */ + 829, /* 833 */ + 839, /* 841 */ + 839, /* 849 */ + 857, /* 857 */ + 863, /* 865 */ + 863, /* 873 */ + 881, /* 881 */ + 887, /* 889 */ + 887, /* 897 */ + 887, /* 905 */ + 911, /* 913 */ + 919, /* 921 */ + 929, /* 929 */ + 937, /* 937 */ + 941, /* 945 */ + 953, /* 953 */ + 953, /* 961 */ + 967, /* 969 */ + 977, /* 977 */ + 983, /* 985 */ + 991, /* 993 */ + 997, /* 1001 */ + 1009, /* 1009 */ + 1013, /* 1017 */ + 1021, /* 1025 */ + 1033, /* 1033 */ + 1039, /* 1041 */ + 1049, /* 1049 */ + 1051, /* 1057 */ + 1063, /* 1065 */ + 1069, /* 1073 */ + 1069, /* 1081 */ + 1087, /* 1089 */ + 1097, /* 1097 */ + 1103, /* 1105 */ + 1109, /* 1113 */ + 1117, /* 1121 */ + 1129, /* 1129 */ + 1129, /* 1137 */ + 1129, /* 1145 */ + 1153, 
/* 1153 */ + 1153, /* 1161 */ + 1163, /* 1169 */ + 1171, /* 1177 */ + 1181, /* 1185 */ + 1193, /* 1193 */ + 1201, /* 1201 */ + 1201, /* 1209 */ + 1217, /* 1217 */ + 1223, /* 1225 */ + 1231, /* 1233 */ + 1237, /* 1241 */ + 1249, /* 1249 */ + 1249, /* 1257 */ + 1259, /* 1265 */ + 1259, /* 1273 */ + 1279, /* 1281 */ + 1289, /* 1289 */ + 1297, /* 1297 */ + 1303, /* 1305 */ + 1307, /* 1313 */ + 1321, /* 1321 */ + 1327, /* 1329 */ + 1327, /* 1337 */ + 1327, /* 1345 */ + 1327, /* 1353 */ + 1361, /* 1361 */ + 1367, /* 1369 */ + 1373, /* 1377 */ + 1381, /* 1385 */ + 1381, /* 1393 */ + 1399, /* 1401 */ + 1409, /* 1409 */ + 1409, /* 1417 */ + 1423, /* 1425 */ + 1433, /* 1433 */ + 1439, /* 1441 */ + 1447, /* 1449 */ + 1453, /* 1457 */ + 1459, /* 1465 */ + 1471, /* 1473 */ + 1481, /* 1481 */ + 1489, /* 1489 */ + 1493, /* 1497 */ + 1499, /* 1505 */ + 1511, /* 1513 */ + 1511, /* 1521 */ + 1523, /* 1529 */ + 1531, /* 1537 */ + 1543, /* 1545 */ + 1553, /* 1553 */ + 1559, /* 1561 */ + 1567, /* 1569 */ + 1571, /* 1577 */ + 1583, /* 1585 */ + 1583, /* 1593 */ + 1601, /* 1601 */ + 1609, /* 1609 */ + 1613, /* 1617 */ + 1621, /* 1625 */ + 1627, /* 1633 */ + 1637, /* 1641 */ + 1637, /* 1649 */ + 1657, /* 1657 */ + 1663, /* 1665 */ + 1669, /* 1673 */ + 1669, /* 1681 */ + 1669, /* 1689 */ + 1697, /* 1697 */ + 1699, /* 1705 */ + 1709, /* 1713 */ + 1721, /* 1721 */ + 1723, /* 1729 */ + 1733, /* 1737 */ + 1741, /* 1745 */ + 1753, /* 1753 */ + 1759, /* 1761 */ + 1759, /* 1769 */ + 1777, /* 1777 */ + 1783, /* 1785 */ + 1789, /* 1793 */ + 1801, /* 1801 */ + 1801, /* 1809 */ + 1811, /* 1817 */ + 1823, /* 1825 */ + 1831, /* 1833 */ + 1831, /* 1841 */ + 1847, /* 1849 */ + 1847, /* 1857 */ + 1861, /* 1865 */ + 1873, /* 1873 */ + 1879, /* 1881 */ + 1889, /* 1889 */ + 1889, /* 1897 */ + 1901, /* 1905 */ + 1913, /* 1913 */ + 1913, /* 1921 */ + 1913, /* 1929 */ + 1933, /* 1937 */ + 1933, /* 1945 */ + 1951, /* 1953 */ + 1951, /* 1961 */ + 1951, /* 1969 */ + 1973, /* 1977 */ + 1979, /* 1985 */ + 1993, /* 
1993 */ + 1999, /* 2001 */ + 2003, /* 2009 */ + 2017, /* 2017 */ + 2017, /* 2025 */ + 2029, /* 2033 */ + 2039, /* 2041 */ + 2039, /* 2049 */ + 2053, /* 2057 */ + 2063, /* 2065 */ + 2069, /* 2073 */ + 2081, /* 2081 */ + 2089, /* 2089 */ + 2089, /* 2097 */ + 2099, /* 2105 */ + 2113, /* 2113 */ + 2113, /* 2121 */ + 2129, /* 2129 */ + 2137, /* 2137 */ + 2143, /* 2145 */ + 2153, /* 2153 */ + 2161, /* 2161 */ + 2161, /* 2169 */ + 2161, /* 2177 */ + 2179, /* 2185 */ + 2179, /* 2193 */ + 2179, /* 2201 */ + 2207, /* 2209 */ + 2213, /* 2217 */ + 2221, /* 2225 */ + 2221, /* 2233 */ + 2239, /* 2241 */ + 2243, /* 2249 */ + 2251, /* 2257 */ + 2251, /* 2265 */ + 2273, /* 2273 */ + 2281, /* 2281 */ + 2287, /* 2289 */ + 2297, /* 2297 */ + 2297, /* 2305 */ + 2311, /* 2313 */ + 2311, /* 2321 */ + 2311, /* 2329 */ + 2333, /* 2337 */ + 2341, /* 2345 */ + 2351, /* 2353 */ + 2357, /* 2361 */ + 2357, /* 2369 */ + 2377, /* 2377 */ + 2383, /* 2385 */ + 2393, /* 2393 */ + 2399, /* 2401 */ + 2399, /* 2409 */ + 2417, /* 2417 */ + 2423, /* 2425 */ + 2423, /* 2433 */ + 2441, /* 2441 */ + 2447, /* 2449 */ + 2447, /* 2457 */ + 2459, /* 2465 */ + 2473, /* 2473 */ + 2477, /* 2481 */ + 2477, /* 2489 */ + 2477, /* 2497 */ + 2503, /* 2505 */ + 2503, /* 2513 */ + 2521, /* 2521 */ + 2521, /* 2529 */ + 2531, /* 2537 */ + 2543, /* 2545 */ + 2551, /* 2553 */ + 2557, /* 2561 */ + 2557, /* 2569 */ + 2557, /* 2577 */ + 2579, /* 2585 */ + 2593, /* 2593 */ + 2593, /* 2601 */ + 2609, /* 2609 */ + 2617, /* 2617 */ + 2621, /* 2625 */ + 2633, /* 2633 */ + 2633, /* 2641 */ + 2647, /* 2649 */ + 2657, /* 2657 */ + 2663, /* 2665 */ + 2671, /* 2673 */ + 2677, /* 2681 */ + 2689, /* 2689 */ + 2693, /* 2697 */ + 2699, /* 2705 */ + 2713, /* 2713 */ + 2719, /* 2721 */ + 2729, /* 2729 */ + 2731, /* 2737 */ + 2741, /* 2745 */ + 2753, /* 2753 */ + 2753, /* 2761 */ + 2767, /* 2769 */ + 2777, /* 2777 */ + 2777, /* 2785 */ + 2791, /* 2793 */ + 2801, /* 2801 */ + 2803, /* 2809 */ + 2803, /* 2817 */ + 2819, /* 2825 */ + 2833, /* 2833 
*/ + 2837, /* 2841 */ + 2843, /* 2849 */ + 2857, /* 2857 */ + 2861, /* 2865 */ + 2861, /* 2873 */ + 2879, /* 2881 */ + 2887, /* 2889 */ + 2897, /* 2897 */ + 2903, /* 2905 */ + 2909, /* 2913 */ + 2917, /* 2921 */ + 2927, /* 2929 */ + 2927, /* 2937 */ + 2939, /* 2945 */ + 2953, /* 2953 */ + 2957, /* 2961 */ + 2969, /* 2969 */ + 2971, /* 2977 */ + 2971, /* 2985 */ + 2971, /* 2993 */ + 3001, /* 3001 */ + 3001, /* 3009 */ + 3011, /* 3017 */ + 3023, /* 3025 */ + 3023, /* 3033 */ + 3041, /* 3041 */ + 3049, /* 3049 */ + 3049, /* 3057 */ + 3061, /* 3065 */ + 3067, /* 3073 */ + 3079, /* 3081 */ + 3089, /* 3089 */ + 3089, /* 3097 */ + 3089, /* 3105 */ + 3109, /* 3113 */ + 3121, /* 3121 */ + 3121, /* 3129 */ + 3137, /* 3137 */ + 3137, /* 3145 */ + 3137, /* 3153 */ + 3137, /* 3161 */ + 3169, /* 3169 */ + 3169, /* 3177 */ + 3181, /* 3185 */ + 3191, /* 3193 */ + 3191, /* 3201 */ + 3209, /* 3209 */ + 3217, /* 3217 */ + 3221, /* 3225 */ + 3229, /* 3233 */ + 3229, /* 3241 */ + 3229, /* 3249 */ + 3257, /* 3257 */ + 3259, /* 3265 */ + 3271, /* 3273 */ + 3271, /* 3281 */ + 3271, /* 3289 */ + 3271, /* 3297 */ + 3301, /* 3305 */ + 3313, /* 3313 */ + 3319, /* 3321 */ + 3329, /* 3329 */ + 3331, /* 3337 */ + 3343, /* 3345 */ + 3347, /* 3353 */ + 3361, /* 3361 */ + 3361, /* 3369 */ + 3373, /* 3377 */ + 3373, /* 3385 */ + 3391, /* 3393 */ + 3391, /* 3401 */ + 3407, /* 3409 */ + 3413, /* 3417 */ + 3413, /* 3425 */ + 3433, /* 3433 */ + 3433, /* 3441 */ + 3449, /* 3449 */ + 3457, /* 3457 */ + 3463, /* 3465 */ + 3469, /* 3473 */ + 3469, /* 3481 */ + 3469, /* 3489 */ + 3491, /* 3497 */ + 3499, /* 3505 */ + 3511, /* 3513 */ + 3517, /* 3521 */ + 3529, /* 3529 */ + 3533, /* 3537 */ + 3541, /* 3545 */ + 3547, /* 3553 */ + 3559, /* 3561 */ + 3559, /* 3569 */ + 3571, /* 3577 */ + 3583, /* 3585 */ + 3593, /* 3593 */ + 3593, /* 3601 */ + 3607, /* 3609 */ + 3617, /* 3617 */ + 3623, /* 3625 */ + 3631, /* 3633 */ + 3637, /* 3641 */ + 3643, /* 3649 */ + 3643, /* 3657 */ + 3659, /* 3665 */ + 3673, /* 3673 */ + 
3677, /* 3681 */ + 3677, /* 3689 */ + 3697, /* 3697 */ + 3701, /* 3705 */ + 3709, /* 3713 */ + 3719, /* 3721 */ + 3727, /* 3729 */ + 3733, /* 3737 */ + 3739, /* 3745 */ + 3739, /* 3753 */ + 3761, /* 3761 */ + 3769, /* 3769 */ + 3769, /* 3777 */ + 3779, /* 3785 */ + 3793, /* 3793 */ + 3797, /* 3801 */ + 3803, /* 3809 */ + 3803, /* 3817 */ + 3823, /* 3825 */ + 3833, /* 3833 */ + 3833, /* 3841 */ + 3847, /* 3849 */ + 3853, /* 3857 */ + 3863, /* 3865 */ + 3863, /* 3873 */ + 3881, /* 3881 */ + 3889, /* 3889 */ + 3889, /* 3897 */ + 3889, /* 3905 */ + 3911, /* 3913 */ + 3919, /* 3921 */ + 3929, /* 3929 */ + 3931, /* 3937 */ + 3943, /* 3945 */ + 3947, /* 3953 */ + 3947, /* 3961 */ + 3967, /* 3969 */ + 3967, /* 3977 */ + 3967, /* 3985 */ + 3989, /* 3993 */ + 4001, /* 4001 */ + 4007, /* 4009 */ + 4013, /* 4017 */ + 4021, /* 4025 */ + 4027, /* 4033 */ + 4027, /* 4041 */ + 4049, /* 4049 */ + 4057, /* 4057 */ + 4057, /* 4065 */ + 4073, /* 4073 */ + 4079, /* 4081 */ + 4079, /* 4089 */ + 4093, /* 4097 */ + 4099, /* 4105 */ + 4111, /* 4113 */ + 4111, /* 4121 */ + 4129, /* 4129 */ + 4133, /* 4137 */ + 4139, /* 4145 */ + 4153, /* 4153 */ + 4159, /* 4161 */ + 4159, /* 4169 */ + 4177, /* 4177 */ + 4177, /* 4185 */ + 4177, /* 4193 */ + 4201, /* 4201 */ + 4201, /* 4209 */ + 4217, /* 4217 */ + 4219, /* 4225 */ + 4231, /* 4233 */ + 4241, /* 4241 */ + 4243, /* 4249 */ + 4253, /* 4257 */ + 4261, /* 4265 */ + 4273, /* 4273 */ + 4273, /* 4281 */ + 4289, /* 4289 */ + 4297, /* 4297 */ + 4297, /* 4305 */ + 4297, /* 4313 */ + 4297, /* 4321 */ + 4327, /* 4329 */ + 4337, /* 4337 */ + 4339, /* 4345 */ + 4349, /* 4353 */ + 4357, /* 4361 */ + 4363, /* 4369 */ + 4373, /* 4377 */ + 4373, /* 4385 */ + 4391, /* 4393 */ + 4397, /* 4401 */ + 4409, /* 4409 */ + 4409, /* 4417 */ + 4423, /* 4425 */ + 4423, /* 4433 */ + 4441, /* 4441 */ + 4447, /* 4449 */ + 4457, /* 4457 */ + 4463, /* 4465 */ + 4463, /* 4473 */ + 4481, /* 4481 */ + 4483, /* 4489 */ + 4493, /* 4497 */ + 4493, /* 4505 */ + 4513, /* 4513 */ + 
4519, /* 4521 */ + 4523, /* 4529 */ + 4523, /* 4537 */ + 4523, /* 4545 */ + 4549, /* 4553 */ + 4561, /* 4561 */ + 4567, /* 4569 */ + 4567, /* 4577 */ + 4583, /* 4585 */ + 4591, /* 4593 */ + 4597, /* 4601 */ + 4603, /* 4609 */ + 4603, /* 4617 */ + 4621, /* 4625 */ + 4621, /* 4633 */ + 4639, /* 4641 */ + 4649, /* 4649 */ + 4657, /* 4657 */ + 4663, /* 4665 */ + 4673, /* 4673 */ + 4679, /* 4681 */ + 4679, /* 4689 */ + 4691, /* 4697 */ + 4703, /* 4705 */ + 4703, /* 4713 */ + 4721, /* 4721 */ + 4729, /* 4729 */ + 4733, /* 4737 */ + 4733, /* 4745 */ + 4751, /* 4753 */ + 4759, /* 4761 */ + 4759, /* 4769 */ + 4759, /* 4777 */ + 4783, /* 4785 */ + 4793, /* 4793 */ + 4801, /* 4801 */ + 4801, /* 4809 */ + 4817, /* 4817 */ + 4817, /* 4825 */ + 4831, /* 4833 */ + 4831, /* 4841 */ + 4831, /* 4849 */ + 4831, /* 4857 */ + 4861, /* 4865 */ + 4871, /* 4873 */ + 4877, /* 4881 */ + 4889, /* 4889 */ + 4889, /* 4897 */ + 4903, /* 4905 */ + 4909, /* 4913 */ + 4919, /* 4921 */ + 4919, /* 4929 */ + 4937, /* 4937 */ + 4943, /* 4945 */ + 4951, /* 4953 */ + 4957, /* 4961 */ + 4969, /* 4969 */ + 4973, /* 4977 */ + 4973, /* 4985 */ + 4993, /* 4993 */ + 4999, /* 5001 */ + 5009, /* 5009 */ + 5011, /* 5017 */ + 5023, /* 5025 */ + 5023, /* 5033 */ + 5039, /* 5041 */ + 5039, /* 5049 */ + 5051, /* 5057 */ + 5059, /* 5065 */ + 5059, /* 5073 */ + 5081, /* 5081 */ + 5087, /* 5089 */ + 5087, /* 5097 */ + 5101, /* 5105 */ + 5113, /* 5113 */ + 5119, /* 5121 */ + 5119, /* 5129 */ + 5119, /* 5137 */ + 5119, /* 5145 */ + 5153, /* 5153 */ + 5153, /* 5161 */ + 5167, /* 5169 */ + 5171, /* 5177 */ + 5179, /* 5185 */ + 5189, /* 5193 */ + 5197, /* 5201 */ + 5209, /* 5209 */ + 5209, /* 5217 */ + 5209, /* 5225 */ + 5233, /* 5233 */ + 5237, /* 5241 */ + 5237, /* 5249 */ + 5237, /* 5257 */ + 5261, /* 5265 */ + 5273, /* 5273 */ + 5281, /* 5281 */ + 5281, /* 5289 */ + 5297, /* 5297 */ + 5303, /* 5305 */ + 5309, /* 5313 */ + 5309, /* 5321 */ + 5323, /* 5329 */ + 5333, /* 5337 */ + 5333, /* 5345 */ + 5351, /* 5353 */ + 
5351, /* 5361 */ + 5351, /* 5369 */ + 5351, /* 5377 */ + 5381, /* 5385 */ + 5393, /* 5393 */ + 5399, /* 5401 */ + 5407, /* 5409 */ + 5417, /* 5417 */ + 5419, /* 5425 */ + 5431, /* 5433 */ + 5441, /* 5441 */ + 5449, /* 5449 */ + 5449, /* 5457 */ + 5449, /* 5465 */ + 5471, /* 5473 */ + 5479, /* 5481 */ + 5483, /* 5489 */ + 5483, /* 5497 */ + 5503, /* 5505 */ + 5507, /* 5513 */ + 5521, /* 5521 */ + 5527, /* 5529 */ + 5531, /* 5537 */ + 5531, /* 5545 */ + 5531, /* 5553 */ + 5557, /* 5561 */ + 5569, /* 5569 */ + 5573, /* 5577 */ + 5581, /* 5585 */ + 5591, /* 5593 */ + 5591, /* 5601 */ + 5591, /* 5609 */ + 5591, /* 5617 */ + 5623, /* 5625 */ + 5623, /* 5633 */ + 5641, /* 5641 */ + 5647, /* 5649 */ + 5657, /* 5657 */ + 5659, /* 5665 */ + 5669, /* 5673 */ + 5669, /* 5681 */ + 5689, /* 5689 */ + 5693, /* 5697 */ + 5701, /* 5705 */ + 5711, /* 5713 */ + 5717, /* 5721 */ + 5717, /* 5729 */ + 5737, /* 5737 */ + 5743, /* 5745 */ + 5749, /* 5753 */ + 5749, /* 5761 */ + 5749, /* 5769 */ + 5749, /* 5777 */ + 5783, /* 5785 */ + 5791, /* 5793 */ + 5801, /* 5801 */ + 5807, /* 5809 */ + 5813, /* 5817 */ + 5821, /* 5825 */ + 5827, /* 5833 */ + 5839, /* 5841 */ + 5849, /* 5849 */ + 5857, /* 5857 */ + 5861, /* 5865 */ + 5869, /* 5873 */ + 5881, /* 5881 */ + 5881, /* 5889 */ + 5897, /* 5897 */ + 5903, /* 5905 */ + 5903, /* 5913 */ + 5903, /* 5921 */ + 5927, /* 5929 */ + 5927, /* 5937 */ + 5939, /* 5945 */ + 5953, /* 5953 */ + 5953, /* 5961 */ + 5953, /* 5969 */ + 5953, /* 5977 */ + 5981, /* 5985 */ + 5987, /* 5993 */ + 5987, /* 6001 */ + 6007, /* 6009 */ + 6011, /* 6017 */ + 6011, /* 6025 */ + 6029, /* 6033 */ + 6037, /* 6041 */ + 6047, /* 6049 */ + 6053, /* 6057 */ + 6053, /* 6065 */ + 6073, /* 6073 */ + 6079, /* 6081 */ + 6089, /* 6089 */ + 6091, /* 6097 */ + 6101, /* 6105 */ + 6113, /* 6113 */ + 6121, /* 6121 */ + 6121, /* 6129 */ + 6133, /* 6137 */ + 6143, /* 6145 */ + 6151, /* 6153 */ + 6151, /* 6161 */ + 6163, /* 6169 */ + 6173, /* 6177 */ + 6173, /* 6185 */ + 6173, /* 6193 */ + 
6199, /* 6201 */ + 6203, /* 6209 */ + 6217, /* 6217 */ + 6221, /* 6225 */ + 6229, /* 6233 */ + 6229, /* 6241 */ + 6247, /* 6249 */ + 6257, /* 6257 */ + 6263, /* 6265 */ + 6271, /* 6273 */ + 6277, /* 6281 */ + 6287, /* 6289 */ + 6287, /* 6297 */ + 6301, /* 6305 */ + 6311, /* 6313 */ + 6317, /* 6321 */ + 6329, /* 6329 */ + 6337, /* 6337 */ + 6343, /* 6345 */ + 6353, /* 6353 */ + 6361, /* 6361 */ + 6367, /* 6369 */ + 6373, /* 6377 */ + 6379, /* 6385 */ + 6389, /* 6393 */ + 6397, /* 6401 */ + 6397, /* 6409 */ + 6397, /* 6417 */ + 6421, /* 6425 */ + 6427, /* 6433 */ + 6427, /* 6441 */ + 6449, /* 6449 */ + 6451, /* 6457 */ + 6451, /* 6465 */ + 6473, /* 6473 */ + 6481, /* 6481 */ + 6481, /* 6489 */ + 6491, /* 6497 */ + 6491, /* 6505 */ + 6491, /* 6513 */ + 6521, /* 6521 */ + 6529, /* 6529 */ + 6529, /* 6537 */ + 6529, /* 6545 */ + 6553, /* 6553 */ + 6553, /* 6561 */ + 6569, /* 6569 */ + 6577, /* 6577 */ + 6581, /* 6585 */ + 6581, /* 6593 */ + 6599, /* 6601 */ + 6607, /* 6609 */ + 6607, /* 6617 */ + 6619, /* 6625 */ + 6619, /* 6633 */ + 6637, /* 6641 */ + 6637, /* 6649 */ + 6653, /* 6657 */ + 6661, /* 6665 */ + 6673, /* 6673 */ + 6679, /* 6681 */ + 6689, /* 6689 */ + 6691, /* 6697 */ + 6703, /* 6705 */ + 6709, /* 6713 */ + 6719, /* 6721 */ + 6719, /* 6729 */ + 6737, /* 6737 */ + 6737, /* 6745 */ + 6737, /* 6753 */ + 6761, /* 6761 */ + 6763, /* 6769 */ + 6763, /* 6777 */ + 6781, /* 6785 */ + 6793, /* 6793 */ + 6793, /* 6801 */ + 6803, /* 6809 */ + 6803, /* 6817 */ + 6823, /* 6825 */ + 6833, /* 6833 */ + 6841, /* 6841 */ + 6841, /* 6849 */ + 6857, /* 6857 */ + 6863, /* 6865 */ + 6871, /* 6873 */ + 6871, /* 6881 */ + 6883, /* 6889 */ + 6883, /* 6897 */ + 6899, /* 6905 */ + 6911, /* 6913 */ + 6917, /* 6921 */ + 6917, /* 6929 */ + 6917, /* 6937 */ + 6917, /* 6945 */ + 6949, /* 6953 */ + 6961, /* 6961 */ + 6967, /* 6969 */ + 6977, /* 6977 */ + 6983, /* 6985 */ + 6991, /* 6993 */ + 7001, /* 7001 */ + 7001, /* 7009 */ + 7013, /* 7017 */ + 7019, /* 7025 */ + 7027, /* 7033 */ + 
7039, /* 7041 */ + 7043, /* 7049 */ + 7057, /* 7057 */ + 7057, /* 7065 */ + 7069, /* 7073 */ + 7079, /* 7081 */ + 7079, /* 7089 */ + 7079, /* 7097 */ + 7103, /* 7105 */ + 7109, /* 7113 */ + 7121, /* 7121 */ + 7129, /* 7129 */ + 7129, /* 7137 */ + 7129, /* 7145 */ + 7151, /* 7153 */ + 7159, /* 7161 */ + 7159, /* 7169 */ + 7177, /* 7177 */ + 7177, /* 7185 */ + 7193, /* 7193 */ + 7193, /* 7201 */ + 7207, /* 7209 */ + 7213, /* 7217 */ + 7219, /* 7225 */ + 7229, /* 7233 */ + 7237, /* 7241 */ + 7247, /* 7249 */ + 7253, /* 7257 */ + 7253, /* 7265 */ + 7253, /* 7273 */ + 7253, /* 7281 */ + 7283, /* 7289 */ + 7297, /* 7297 */ + 7297, /* 7305 */ + 7309, /* 7313 */ + 7321, /* 7321 */ + 7321, /* 7329 */ + 7333, /* 7337 */ + 7333, /* 7345 */ + 7351, /* 7353 */ + 7351, /* 7361 */ + 7369, /* 7369 */ + 7369, /* 7377 */ + 7369, /* 7385 */ + 7393, /* 7393 */ + 7393, /* 7401 */ + 7393, /* 7409 */ + 7417, /* 7417 */ + 7417, /* 7425 */ + 7433, /* 7433 */ + 7433, /* 7441 */ + 7433, /* 7449 */ + 7457, /* 7457 */ + 7459, /* 7465 */ + 7459, /* 7473 */ + 7481, /* 7481 */ + 7489, /* 7489 */ + 7489, /* 7497 */ + 7499, /* 7505 */ + 7507, /* 7513 */ + 7517, /* 7521 */ + 7529, /* 7529 */ + 7537, /* 7537 */ + 7541, /* 7545 */ + 7549, /* 7553 */ + 7561, /* 7561 */ + 7561, /* 7569 */ + 7577, /* 7577 */ + 7583, /* 7585 */ + 7591, /* 7593 */ + 7591, /* 7601 */ + 7607, /* 7609 */ + 7607, /* 7617 */ + 7621, /* 7625 */ + 7621, /* 7633 */ + 7639, /* 7641 */ + 7649, /* 7649 */ + 7649, /* 7657 */ + 7649, /* 7665 */ + 7673, /* 7673 */ + 7681, /* 7681 */ + 7687, /* 7689 */ + 7691, /* 7697 */ + 7703, /* 7705 */ + 7703, /* 7713 */ + 7717, /* 7721 */ + 7727, /* 7729 */ + 7727, /* 7737 */ + 7741, /* 7745 */ + 7753, /* 7753 */ + 7759, /* 7761 */ + 7759, /* 7769 */ + 7759, /* 7777 */ + 7759, /* 7785 */ + 7793, /* 7793 */ + 7793, /* 7801 */ + 7793, /* 7809 */ + 7817, /* 7817 */ + 7823, /* 7825 */ + 7829, /* 7833 */ + 7841, /* 7841 */ + 7841, /* 7849 */ + 7853, /* 7857 */ + 7853, /* 7865 */ + 7873, /* 7873 */ + 
7879, /* 7881 */ + 7883, /* 7889 */ + 7883, /* 7897 */ + 7901, /* 7905 */ + 7907, /* 7913 */ + 7919, /* 7921 */ + 7927, /* 7929 */ + 7937, /* 7937 */ + 7937, /* 7945 */ + 7951, /* 7953 */ + 7951, /* 7961 */ + 7963, /* 7969 */ + 7963, /* 7977 */ + 7963, /* 7985 */ + 7993, /* 7993 */ + 7993, /* 8001 */ + 8009, /* 8009 */ + 8017, /* 8017 */ + 8017, /* 8025 */ + 8017, /* 8033 */ + 8039, /* 8041 */ + 8039, /* 8049 */ + 8053, /* 8057 */ + 8059, /* 8065 */ + 8069, /* 8073 */ + 8081, /* 8081 */ + 8089, /* 8089 */ + 8093, /* 8097 */ + 8101, /* 8105 */ + 8111, /* 8113 */ + 8117, /* 8121 */ + 8123, /* 8129 */ + 8123, /* 8137 */ + 8123, /* 8145 */ + 8147, /* 8153 */ + 8161, /* 8161 */ + 8167, /* 8169 */ + 8171, /* 8177 */ + 8179, /* 8185 */ }; /* 0-64K, increments=64 */ -static +static unsigned prime_table1[]={ - 1, /* 1 */ - 61, /* 65 */ - 127, /* 129 */ - 193, /* 193 */ - 257, /* 257 */ - 317, /* 321 */ - 383, /* 385 */ - 449, /* 449 */ - 509, /* 513 */ - 577, /* 577 */ - 641, /* 641 */ - 701, /* 705 */ - 769, /* 769 */ - 829, /* 833 */ - 887, /* 897 */ - 953, /* 961 */ - 1021, /* 1025 */ - 1087, /* 1089 */ - 1153, /* 1153 */ - 1217, /* 1217 */ - 1279, /* 1281 */ - 1327, /* 1345 */ - 1409, /* 1409 */ - 1471, /* 1473 */ - 1531, /* 1537 */ - 1601, /* 1601 */ - 1663, /* 1665 */ - 1723, /* 1729 */ - 1789, /* 1793 */ - 1847, /* 1857 */ - 1913, /* 1921 */ - 1979, /* 1985 */ - 2039, /* 2049 */ - 2113, /* 2113 */ - 2161, /* 2177 */ - 2239, /* 2241 */ - 2297, /* 2305 */ - 2357, /* 2369 */ - 2423, /* 2433 */ - 2477, /* 2497 */ - 2557, /* 2561 */ - 2621, /* 2625 */ - 2689, /* 2689 */ - 2753, /* 2753 */ - 2803, /* 2817 */ - 2879, /* 2881 */ - 2939, /* 2945 */ - 3001, /* 3009 */ - 3067, /* 3073 */ - 3137, /* 3137 */ - 3191, /* 3201 */ - 3259, /* 3265 */ - 3329, /* 3329 */ - 3391, /* 3393 */ - 3457, /* 3457 */ - 3517, /* 3521 */ - 3583, /* 3585 */ - 3643, /* 3649 */ - 3709, /* 3713 */ - 3769, /* 3777 */ - 3833, /* 3841 */ - 3889, /* 3905 */ - 3967, /* 3969 */ - 4027, /* 4033 */ - 4093, /* 
4097 */ - 4159, /* 4161 */ - 4219, /* 4225 */ - 4289, /* 4289 */ - 4349, /* 4353 */ - 4409, /* 4417 */ - 4481, /* 4481 */ - 4523, /* 4545 */ - 4603, /* 4609 */ - 4673, /* 4673 */ - 4733, /* 4737 */ - 4801, /* 4801 */ - 4861, /* 4865 */ - 4919, /* 4929 */ - 4993, /* 4993 */ - 5051, /* 5057 */ - 5119, /* 5121 */ - 5179, /* 5185 */ - 5237, /* 5249 */ - 5309, /* 5313 */ - 5351, /* 5377 */ - 5441, /* 5441 */ - 5503, /* 5505 */ - 5569, /* 5569 */ - 5623, /* 5633 */ - 5693, /* 5697 */ - 5749, /* 5761 */ - 5821, /* 5825 */ - 5881, /* 5889 */ - 5953, /* 5953 */ - 6011, /* 6017 */ - 6079, /* 6081 */ - 6143, /* 6145 */ - 6203, /* 6209 */ - 6271, /* 6273 */ - 6337, /* 6337 */ - 6397, /* 6401 */ - 6451, /* 6465 */ - 6529, /* 6529 */ - 6581, /* 6593 */ - 6653, /* 6657 */ - 6719, /* 6721 */ - 6781, /* 6785 */ - 6841, /* 6849 */ - 6911, /* 6913 */ - 6977, /* 6977 */ - 7039, /* 7041 */ - 7103, /* 7105 */ - 7159, /* 7169 */ - 7229, /* 7233 */ - 7297, /* 7297 */ - 7351, /* 7361 */ - 7417, /* 7425 */ - 7489, /* 7489 */ - 7549, /* 7553 */ - 7607, /* 7617 */ - 7681, /* 7681 */ - 7741, /* 7745 */ - 7793, /* 7809 */ - 7873, /* 7873 */ - 7937, /* 7937 */ - 7993, /* 8001 */ - 8059, /* 8065 */ - 8123, /* 8129 */ - 8191, /* 8193 */ - 8243, /* 8257 */ - 8317, /* 8321 */ - 8377, /* 8385 */ - 8447, /* 8449 */ - 8513, /* 8513 */ - 8573, /* 8577 */ - 8641, /* 8641 */ - 8699, /* 8705 */ - 8761, /* 8769 */ - 8831, /* 8833 */ - 8893, /* 8897 */ - 8951, /* 8961 */ - 9013, /* 9025 */ - 9067, /* 9089 */ - 9151, /* 9153 */ - 9209, /* 9217 */ - 9281, /* 9281 */ - 9343, /* 9345 */ - 9403, /* 9409 */ - 9473, /* 9473 */ - 9533, /* 9537 */ - 9601, /* 9601 */ - 9661, /* 9665 */ - 9721, /* 9729 */ - 9791, /* 9793 */ - 9857, /* 9857 */ - 9907, /* 9921 */ - 9973, /* 9985 */ - 10039, /* 10049 */ - 10111, /* 10113 */ - 10177, /* 10177 */ - 10223, /* 10241 */ - 10303, /* 10305 */ - 10369, /* 10369 */ - 10433, /* 10433 */ - 10487, /* 10497 */ - 10559, /* 10561 */ - 10613, /* 10625 */ - 10687, /* 10689 */ - 10753, /* 
10753 */ - 10799, /* 10817 */ - 10867, /* 10881 */ - 10939, /* 10945 */ - 11003, /* 11009 */ - 11071, /* 11073 */ - 11131, /* 11137 */ - 11197, /* 11201 */ - 11261, /* 11265 */ - 11329, /* 11329 */ - 11393, /* 11393 */ - 11447, /* 11457 */ - 11519, /* 11521 */ - 11579, /* 11585 */ - 11633, /* 11649 */ - 11701, /* 11713 */ - 11777, /* 11777 */ - 11839, /* 11841 */ - 11903, /* 11905 */ - 11969, /* 11969 */ - 12011, /* 12033 */ - 12097, /* 12097 */ - 12161, /* 12161 */ - 12211, /* 12225 */ - 12289, /* 12289 */ - 12347, /* 12353 */ - 12413, /* 12417 */ - 12479, /* 12481 */ - 12541, /* 12545 */ - 12601, /* 12609 */ - 12671, /* 12673 */ - 12721, /* 12737 */ - 12799, /* 12801 */ - 12853, /* 12865 */ - 12923, /* 12929 */ - 12983, /* 12993 */ - 13049, /* 13057 */ - 13121, /* 13121 */ - 13183, /* 13185 */ - 13249, /* 13249 */ - 13313, /* 13313 */ - 13367, /* 13377 */ - 13441, /* 13441 */ - 13499, /* 13505 */ - 13567, /* 13569 */ - 13633, /* 13633 */ - 13697, /* 13697 */ - 13759, /* 13761 */ - 13807, /* 13825 */ - 13883, /* 13889 */ - 13933, /* 13953 */ - 14011, /* 14017 */ - 14081, /* 14081 */ - 14143, /* 14145 */ - 14207, /* 14209 */ - 14251, /* 14273 */ - 14327, /* 14337 */ - 14401, /* 14401 */ - 14461, /* 14465 */ - 14519, /* 14529 */ - 14593, /* 14593 */ - 14657, /* 14657 */ - 14717, /* 14721 */ - 14783, /* 14785 */ - 14843, /* 14849 */ - 14897, /* 14913 */ - 14969, /* 14977 */ - 15031, /* 15041 */ - 15101, /* 15105 */ - 15161, /* 15169 */ - 15233, /* 15233 */ - 15289, /* 15297 */ - 15361, /* 15361 */ - 15413, /* 15425 */ - 15473, /* 15489 */ - 15551, /* 15553 */ - 15607, /* 15617 */ - 15679, /* 15681 */ - 15739, /* 15745 */ - 15809, /* 15809 */ - 15859, /* 15873 */ - 15937, /* 15937 */ - 16001, /* 16001 */ - 16063, /* 16065 */ - 16127, /* 16129 */ - 16193, /* 16193 */ - 16253, /* 16257 */ - 16319, /* 16321 */ - 16381, /* 16385 */ - 16447, /* 16449 */ - 16493, /* 16513 */ - 16573, /* 16577 */ - 16633, /* 16641 */ - 16703, /* 16705 */ - 16763, /* 16769 */ - 16831, /* 
16833 */ - 16889, /* 16897 */ - 16943, /* 16961 */ - 17021, /* 17025 */ - 17077, /* 17089 */ - 17137, /* 17153 */ - 17209, /* 17217 */ - 17257, /* 17281 */ - 17341, /* 17345 */ - 17401, /* 17409 */ - 17471, /* 17473 */ - 17519, /* 17537 */ - 17599, /* 17601 */ - 17659, /* 17665 */ - 17729, /* 17729 */ - 17791, /* 17793 */ - 17851, /* 17857 */ - 17921, /* 17921 */ - 17981, /* 17985 */ - 18049, /* 18049 */ - 18097, /* 18113 */ - 18169, /* 18177 */ - 18233, /* 18241 */ - 18301, /* 18305 */ - 18367, /* 18369 */ - 18433, /* 18433 */ - 18493, /* 18497 */ - 18553, /* 18561 */ - 18617, /* 18625 */ - 18679, /* 18689 */ - 18749, /* 18753 */ - 18803, /* 18817 */ - 18869, /* 18881 */ - 18919, /* 18945 */ - 19009, /* 19009 */ - 19073, /* 19073 */ - 19121, /* 19137 */ - 19183, /* 19201 */ - 19259, /* 19265 */ - 19319, /* 19329 */ - 19391, /* 19393 */ - 19457, /* 19457 */ - 19507, /* 19521 */ - 19583, /* 19585 */ - 19609, /* 19649 */ - 19709, /* 19713 */ - 19777, /* 19777 */ - 19841, /* 19841 */ - 19891, /* 19905 */ - 19963, /* 19969 */ - 20029, /* 20033 */ - 20089, /* 20097 */ - 20161, /* 20161 */ - 20219, /* 20225 */ - 20287, /* 20289 */ - 20353, /* 20353 */ - 20411, /* 20417 */ - 20479, /* 20481 */ - 20543, /* 20545 */ - 20599, /* 20609 */ - 20663, /* 20673 */ - 20731, /* 20737 */ - 20789, /* 20801 */ - 20857, /* 20865 */ - 20929, /* 20929 */ - 20983, /* 20993 */ - 21031, /* 21057 */ - 21121, /* 21121 */ - 21179, /* 21185 */ - 21247, /* 21249 */ - 21313, /* 21313 */ - 21377, /* 21377 */ - 21433, /* 21441 */ - 21503, /* 21505 */ - 21569, /* 21569 */ - 21617, /* 21633 */ - 21683, /* 21697 */ - 21757, /* 21761 */ - 21821, /* 21825 */ - 21881, /* 21889 */ - 21943, /* 21953 */ - 22013, /* 22017 */ - 22079, /* 22081 */ - 22133, /* 22145 */ - 22193, /* 22209 */ - 22273, /* 22273 */ - 22307, /* 22337 */ - 22397, /* 22401 */ - 22453, /* 22465 */ - 22511, /* 22529 */ - 22573, /* 22593 */ - 22651, /* 22657 */ - 22721, /* 22721 */ - 22783, /* 22785 */ - 22817, /* 22849 */ - 22907, /* 
22913 */ - 22973, /* 22977 */ - 23041, /* 23041 */ - 23099, /* 23105 */ - 23167, /* 23169 */ - 23227, /* 23233 */ - 23297, /* 23297 */ - 23357, /* 23361 */ - 23417, /* 23425 */ - 23473, /* 23489 */ - 23549, /* 23553 */ - 23609, /* 23617 */ - 23677, /* 23681 */ - 23743, /* 23745 */ - 23801, /* 23809 */ - 23873, /* 23873 */ - 23929, /* 23937 */ - 24001, /* 24001 */ - 24061, /* 24065 */ - 24121, /* 24129 */ - 24181, /* 24193 */ - 24251, /* 24257 */ - 24317, /* 24321 */ - 24379, /* 24385 */ - 24443, /* 24449 */ - 24509, /* 24513 */ - 24571, /* 24577 */ - 24631, /* 24641 */ - 24697, /* 24705 */ - 24767, /* 24769 */ - 24821, /* 24833 */ - 24889, /* 24897 */ - 24953, /* 24961 */ - 25013, /* 25025 */ - 25087, /* 25089 */ - 25153, /* 25153 */ - 25189, /* 25217 */ - 25261, /* 25281 */ - 25343, /* 25345 */ - 25409, /* 25409 */ - 25471, /* 25473 */ - 25537, /* 25537 */ - 25601, /* 25601 */ - 25657, /* 25665 */ - 25717, /* 25729 */ - 25793, /* 25793 */ - 25849, /* 25857 */ - 25919, /* 25921 */ - 25981, /* 25985 */ - 26041, /* 26049 */ - 26113, /* 26113 */ - 26177, /* 26177 */ - 26237, /* 26241 */ - 26297, /* 26305 */ - 26357, /* 26369 */ - 26431, /* 26433 */ - 26497, /* 26497 */ - 26561, /* 26561 */ - 26597, /* 26625 */ - 26687, /* 26689 */ - 26737, /* 26753 */ - 26813, /* 26817 */ - 26881, /* 26881 */ - 26927, /* 26945 */ - 26993, /* 27009 */ - 27073, /* 27073 */ - 27127, /* 27137 */ - 27197, /* 27201 */ - 27259, /* 27265 */ - 27329, /* 27329 */ - 27367, /* 27393 */ - 27457, /* 27457 */ - 27509, /* 27521 */ - 27583, /* 27585 */ - 27647, /* 27649 */ - 27701, /* 27713 */ - 27773, /* 27777 */ - 27827, /* 27841 */ - 27901, /* 27905 */ - 27967, /* 27969 */ - 28031, /* 28033 */ - 28097, /* 28097 */ - 28151, /* 28161 */ - 28219, /* 28225 */ - 28289, /* 28289 */ - 28351, /* 28353 */ - 28411, /* 28417 */ - 28477, /* 28481 */ - 28541, /* 28545 */ - 28607, /* 28609 */ - 28669, /* 28673 */ - 28729, /* 28737 */ - 28793, /* 28801 */ - 28859, /* 28865 */ - 28927, /* 28929 */ - 28979, /* 
28993 */ - 29033, /* 29057 */ - 29101, /* 29121 */ - 29179, /* 29185 */ - 29243, /* 29249 */ - 29311, /* 29313 */ - 29363, /* 29377 */ - 29437, /* 29441 */ - 29501, /* 29505 */ - 29569, /* 29569 */ - 29633, /* 29633 */ - 29683, /* 29697 */ - 29761, /* 29761 */ - 29819, /* 29825 */ - 29881, /* 29889 */ - 29947, /* 29953 */ - 30013, /* 30017 */ - 30071, /* 30081 */ - 30139, /* 30145 */ - 30203, /* 30209 */ - 30271, /* 30273 */ - 30323, /* 30337 */ - 30391, /* 30401 */ - 30449, /* 30465 */ - 30529, /* 30529 */ - 30593, /* 30593 */ - 30649, /* 30657 */ - 30713, /* 30721 */ - 30781, /* 30785 */ - 30841, /* 30849 */ - 30911, /* 30913 */ - 30977, /* 30977 */ - 31039, /* 31041 */ - 31091, /* 31105 */ - 31159, /* 31169 */ - 31231, /* 31233 */ - 31277, /* 31297 */ - 31357, /* 31361 */ - 31397, /* 31425 */ - 31489, /* 31489 */ - 31547, /* 31553 */ - 31607, /* 31617 */ - 31667, /* 31681 */ - 31741, /* 31745 */ - 31799, /* 31809 */ - 31873, /* 31873 */ - 31907, /* 31937 */ - 31991, /* 32001 */ - 32063, /* 32065 */ - 32119, /* 32129 */ - 32191, /* 32193 */ - 32257, /* 32257 */ - 32321, /* 32321 */ - 32381, /* 32385 */ - 32443, /* 32449 */ - 32507, /* 32513 */ - 32573, /* 32577 */ - 32633, /* 32641 */ - 32693, /* 32705 */ - 32749, /* 32769 */ - 32833, /* 32833 */ - 32887, /* 32897 */ - 32957, /* 32961 */ - 33023, /* 33025 */ - 33083, /* 33089 */ - 33151, /* 33153 */ - 33211, /* 33217 */ - 33247, /* 33281 */ - 33343, /* 33345 */ - 33409, /* 33409 */ - 33469, /* 33473 */ - 33533, /* 33537 */ - 33601, /* 33601 */ - 33647, /* 33665 */ - 33721, /* 33729 */ - 33791, /* 33793 */ - 33857, /* 33857 */ - 33911, /* 33921 */ - 33967, /* 33985 */ - 34039, /* 34049 */ - 34061, /* 34113 */ - 34171, /* 34177 */ - 34231, /* 34241 */ - 34303, /* 34305 */ - 34369, /* 34369 */ - 34429, /* 34433 */ - 34487, /* 34497 */ - 34549, /* 34561 */ - 34613, /* 34625 */ - 34687, /* 34689 */ - 34747, /* 34753 */ - 34807, /* 34817 */ - 34877, /* 34881 */ - 34939, /* 34945 */ - 34981, /* 35009 */ - 35069, /* 
35073 */ - 35129, /* 35137 */ - 35201, /* 35201 */ - 35257, /* 35265 */ - 35327, /* 35329 */ - 35393, /* 35393 */ - 35449, /* 35457 */ - 35521, /* 35521 */ - 35573, /* 35585 */ - 35617, /* 35649 */ - 35677, /* 35713 */ - 35771, /* 35777 */ - 35839, /* 35841 */ - 35899, /* 35905 */ - 35969, /* 35969 */ - 36017, /* 36033 */ - 36097, /* 36097 */ - 36161, /* 36161 */ - 36217, /* 36225 */ - 36277, /* 36289 */ - 36353, /* 36353 */ - 36389, /* 36417 */ - 36479, /* 36481 */ - 36541, /* 36545 */ - 36607, /* 36609 */ - 36671, /* 36673 */ - 36721, /* 36737 */ - 36793, /* 36801 */ - 36857, /* 36865 */ - 36929, /* 36929 */ - 36979, /* 36993 */ - 37057, /* 37057 */ - 37117, /* 37121 */ - 37181, /* 37185 */ - 37243, /* 37249 */ - 37313, /* 37313 */ - 37369, /* 37377 */ - 37441, /* 37441 */ - 37501, /* 37505 */ - 37567, /* 37569 */ - 37633, /* 37633 */ - 37693, /* 37697 */ - 37747, /* 37761 */ - 37813, /* 37825 */ - 37889, /* 37889 */ - 37951, /* 37953 */ - 38011, /* 38017 */ - 38069, /* 38081 */ - 38119, /* 38145 */ - 38201, /* 38209 */ - 38273, /* 38273 */ - 38333, /* 38337 */ - 38393, /* 38401 */ - 38461, /* 38465 */ - 38501, /* 38529 */ - 38593, /* 38593 */ - 38653, /* 38657 */ - 38713, /* 38721 */ - 38783, /* 38785 */ - 38839, /* 38849 */ - 38903, /* 38913 */ - 38977, /* 38977 */ - 39041, /* 39041 */ - 39103, /* 39105 */ - 39163, /* 39169 */ - 39233, /* 39233 */ - 39293, /* 39297 */ - 39359, /* 39361 */ - 39419, /* 39425 */ - 39461, /* 39489 */ - 39551, /* 39553 */ - 39607, /* 39617 */ - 39679, /* 39681 */ - 39733, /* 39745 */ - 39799, /* 39809 */ - 39869, /* 39873 */ - 39937, /* 39937 */ - 39989, /* 40001 */ - 40063, /* 40065 */ - 40129, /* 40129 */ - 40193, /* 40193 */ - 40253, /* 40257 */ - 40289, /* 40321 */ - 40361, /* 40385 */ - 40433, /* 40449 */ - 40507, /* 40513 */ - 40577, /* 40577 */ - 40639, /* 40641 */ - 40699, /* 40705 */ - 40763, /* 40769 */ - 40829, /* 40833 */ - 40897, /* 40897 */ - 40961, /* 40961 */ - 41023, /* 41025 */ - 41081, /* 41089 */ - 41149, /* 
41153 */ - 41213, /* 41217 */ - 41281, /* 41281 */ - 41341, /* 41345 */ - 41399, /* 41409 */ - 41467, /* 41473 */ - 41521, /* 41537 */ - 41597, /* 41601 */ - 41659, /* 41665 */ - 41729, /* 41729 */ - 41777, /* 41793 */ - 41851, /* 41857 */ - 41911, /* 41921 */ - 41983, /* 41985 */ - 42043, /* 42049 */ - 42101, /* 42113 */ - 42169, /* 42177 */ - 42239, /* 42241 */ - 42299, /* 42305 */ - 42359, /* 42369 */ - 42433, /* 42433 */ - 42491, /* 42497 */ - 42557, /* 42561 */ - 42611, /* 42625 */ - 42689, /* 42689 */ - 42751, /* 42753 */ - 42797, /* 42817 */ - 42863, /* 42881 */ - 42943, /* 42945 */ - 43003, /* 43009 */ - 43067, /* 43073 */ - 43133, /* 43137 */ - 43201, /* 43201 */ - 43261, /* 43265 */ - 43321, /* 43329 */ - 43391, /* 43393 */ - 43457, /* 43457 */ - 43517, /* 43521 */ - 43579, /* 43585 */ - 43649, /* 43649 */ - 43711, /* 43713 */ - 43777, /* 43777 */ - 43801, /* 43841 */ - 43891, /* 43905 */ - 43969, /* 43969 */ - 44029, /* 44033 */ - 44089, /* 44097 */ - 44159, /* 44161 */ - 44221, /* 44225 */ - 44281, /* 44289 */ - 44351, /* 44353 */ - 44417, /* 44417 */ - 44453, /* 44481 */ - 44543, /* 44545 */ - 44587, /* 44609 */ - 44657, /* 44673 */ - 44729, /* 44737 */ - 44797, /* 44801 */ - 44851, /* 44865 */ - 44927, /* 44929 */ - 44987, /* 44993 */ - 45053, /* 45057 */ - 45121, /* 45121 */ - 45181, /* 45185 */ - 45247, /* 45249 */ - 45307, /* 45313 */ - 45377, /* 45377 */ - 45439, /* 45441 */ - 45503, /* 45505 */ - 45569, /* 45569 */ - 45631, /* 45633 */ - 45697, /* 45697 */ - 45757, /* 45761 */ - 45823, /* 45825 */ - 45887, /* 45889 */ - 45953, /* 45953 */ - 45989, /* 46017 */ - 46073, /* 46081 */ - 46141, /* 46145 */ - 46199, /* 46209 */ - 46273, /* 46273 */ - 46337, /* 46337 */ - 46399, /* 46401 */ - 46457, /* 46465 */ - 46523, /* 46529 */ - 46591, /* 46593 */ - 46649, /* 46657 */ - 46703, /* 46721 */ - 46771, /* 46785 */ - 46831, /* 46849 */ - 46901, /* 46913 */ - 46957, /* 46977 */ - 47041, /* 47041 */ - 47093, /* 47105 */ - 47161, /* 47169 */ - 47221, /* 
47233 */ - 47297, /* 47297 */ - 47353, /* 47361 */ - 47419, /* 47425 */ - 47459, /* 47489 */ - 47543, /* 47553 */ - 47609, /* 47617 */ - 47681, /* 47681 */ - 47743, /* 47745 */ - 47809, /* 47809 */ - 47869, /* 47873 */ - 47933, /* 47937 */ - 47981, /* 48001 */ - 48049, /* 48065 */ - 48121, /* 48129 */ - 48193, /* 48193 */ - 48247, /* 48257 */ - 48313, /* 48321 */ - 48383, /* 48385 */ - 48449, /* 48449 */ - 48497, /* 48513 */ - 48571, /* 48577 */ - 48623, /* 48641 */ - 48679, /* 48705 */ - 48767, /* 48769 */ - 48823, /* 48833 */ - 48889, /* 48897 */ - 48953, /* 48961 */ - 49019, /* 49025 */ - 49081, /* 49089 */ - 49139, /* 49153 */ - 49211, /* 49217 */ - 49279, /* 49281 */ - 49339, /* 49345 */ - 49409, /* 49409 */ - 49463, /* 49473 */ - 49537, /* 49537 */ - 49597, /* 49601 */ - 49663, /* 49665 */ - 49727, /* 49729 */ - 49789, /* 49793 */ - 49853, /* 49857 */ - 49921, /* 49921 */ - 49957, /* 49985 */ - 50047, /* 50049 */ - 50111, /* 50113 */ - 50177, /* 50177 */ - 50231, /* 50241 */ - 50291, /* 50305 */ - 50363, /* 50369 */ - 50423, /* 50433 */ - 50497, /* 50497 */ - 50551, /* 50561 */ - 50599, /* 50625 */ - 50683, /* 50689 */ - 50753, /* 50753 */ - 50789, /* 50817 */ - 50873, /* 50881 */ - 50929, /* 50945 */ - 51001, /* 51009 */ - 51071, /* 51073 */ - 51137, /* 51137 */ - 51199, /* 51201 */ - 51263, /* 51265 */ - 51329, /* 51329 */ - 51383, /* 51393 */ - 51449, /* 51457 */ - 51521, /* 51521 */ - 51581, /* 51585 */ - 51647, /* 51649 */ - 51713, /* 51713 */ - 51769, /* 51777 */ - 51839, /* 51841 */ - 51899, /* 51905 */ - 51949, /* 51969 */ - 52027, /* 52033 */ - 52081, /* 52097 */ - 52153, /* 52161 */ - 52223, /* 52225 */ - 52289, /* 52289 */ - 52321, /* 52353 */ - 52391, /* 52417 */ - 52457, /* 52481 */ - 52543, /* 52545 */ - 52609, /* 52609 */ - 52673, /* 52673 */ - 52733, /* 52737 */ - 52783, /* 52801 */ - 52861, /* 52865 */ - 52919, /* 52929 */ - 52981, /* 52993 */ - 53051, /* 53057 */ - 53117, /* 53121 */ - 53173, /* 53185 */ - 53239, /* 53249 */ - 53309, /* 
53313 */ - 53377, /* 53377 */ - 53441, /* 53441 */ - 53503, /* 53505 */ - 53569, /* 53569 */ - 53633, /* 53633 */ - 53693, /* 53697 */ - 53759, /* 53761 */ - 53819, /* 53825 */ - 53887, /* 53889 */ - 53951, /* 53953 */ - 54013, /* 54017 */ - 54059, /* 54081 */ - 54139, /* 54145 */ - 54193, /* 54209 */ - 54269, /* 54273 */ - 54331, /* 54337 */ - 54401, /* 54401 */ - 54449, /* 54465 */ - 54521, /* 54529 */ - 54583, /* 54593 */ - 54647, /* 54657 */ - 54721, /* 54721 */ - 54779, /* 54785 */ - 54833, /* 54849 */ - 54907, /* 54913 */ - 54973, /* 54977 */ - 55021, /* 55041 */ - 55103, /* 55105 */ - 55163, /* 55169 */ - 55229, /* 55233 */ - 55291, /* 55297 */ - 55351, /* 55361 */ - 55411, /* 55425 */ - 55487, /* 55489 */ - 55547, /* 55553 */ - 55609, /* 55617 */ - 55681, /* 55681 */ - 55733, /* 55745 */ - 55807, /* 55809 */ - 55871, /* 55873 */ - 55933, /* 55937 */ - 55997, /* 56001 */ - 56053, /* 56065 */ - 56123, /* 56129 */ - 56179, /* 56193 */ - 56249, /* 56257 */ - 56311, /* 56321 */ - 56383, /* 56385 */ - 56443, /* 56449 */ - 56509, /* 56513 */ - 56569, /* 56577 */ - 56633, /* 56641 */ - 56701, /* 56705 */ - 56767, /* 56769 */ - 56827, /* 56833 */ - 56897, /* 56897 */ - 56957, /* 56961 */ - 56999, /* 57025 */ - 57089, /* 57089 */ - 57149, /* 57153 */ - 57203, /* 57217 */ - 57271, /* 57281 */ - 57331, /* 57345 */ - 57397, /* 57409 */ - 57467, /* 57473 */ - 57529, /* 57537 */ - 57601, /* 57601 */ - 57653, /* 57665 */ - 57727, /* 57729 */ - 57793, /* 57793 */ - 57853, /* 57857 */ - 57917, /* 57921 */ - 57977, /* 57985 */ - 58049, /* 58049 */ - 58111, /* 58113 */ - 58171, /* 58177 */ - 58237, /* 58241 */ - 58271, /* 58305 */ - 58369, /* 58369 */ - 58427, /* 58433 */ - 58481, /* 58497 */ - 58549, /* 58561 */ - 58613, /* 58625 */ - 58687, /* 58689 */ - 58741, /* 58753 */ - 58789, /* 58817 */ - 58831, /* 58881 */ - 58943, /* 58945 */ - 59009, /* 59009 */ - 59069, /* 59073 */ - 59123, /* 59137 */ - 59197, /* 59201 */ - 59263, /* 59265 */ - 59281, /* 59329 */ - 59393, /* 
59393 */ - 59453, /* 59457 */ - 59513, /* 59521 */ - 59581, /* 59585 */ - 59629, /* 59649 */ - 59707, /* 59713 */ - 59771, /* 59777 */ - 59833, /* 59841 */ - 59887, /* 59905 */ - 59957, /* 59969 */ - 60029, /* 60033 */ - 60091, /* 60097 */ - 60161, /* 60161 */ - 60223, /* 60225 */ - 60289, /* 60289 */ - 60353, /* 60353 */ - 60413, /* 60417 */ - 60457, /* 60481 */ - 60539, /* 60545 */ - 60607, /* 60609 */ - 60661, /* 60673 */ - 60737, /* 60737 */ - 60793, /* 60801 */ - 60859, /* 60865 */ - 60923, /* 60929 */ - 60961, /* 60993 */ - 61057, /* 61057 */ - 61121, /* 61121 */ - 61169, /* 61185 */ - 61231, /* 61249 */ - 61297, /* 61313 */ - 61363, /* 61377 */ - 61441, /* 61441 */ - 61493, /* 61505 */ - 61561, /* 61569 */ - 61631, /* 61633 */ - 61687, /* 61697 */ - 61757, /* 61761 */ - 61819, /* 61825 */ - 61879, /* 61889 */ - 61949, /* 61953 */ - 62017, /* 62017 */ - 62081, /* 62081 */ - 62143, /* 62145 */ - 62207, /* 62209 */ - 62273, /* 62273 */ - 62327, /* 62337 */ - 62401, /* 62401 */ - 62459, /* 62465 */ - 62507, /* 62529 */ - 62591, /* 62593 */ - 62653, /* 62657 */ - 62701, /* 62721 */ - 62773, /* 62785 */ - 62827, /* 62849 */ - 62903, /* 62913 */ - 62971, /* 62977 */ - 63031, /* 63041 */ - 63103, /* 63105 */ - 63149, /* 63169 */ - 63211, /* 63233 */ - 63281, /* 63297 */ - 63361, /* 63361 */ - 63421, /* 63425 */ - 63487, /* 63489 */ - 63541, /* 63553 */ - 63617, /* 63617 */ - 63671, /* 63681 */ - 63743, /* 63745 */ - 63809, /* 63809 */ - 63863, /* 63873 */ - 63929, /* 63937 */ - 63997, /* 64001 */ - 64063, /* 64065 */ - 64123, /* 64129 */ - 64189, /* 64193 */ - 64237, /* 64257 */ - 64319, /* 64321 */ - 64381, /* 64385 */ - 64439, /* 64449 */ - 64513, /* 64513 */ - 64577, /* 64577 */ - 64633, /* 64641 */ - 64693, /* 64705 */ - 64763, /* 64769 */ - 64817, /* 64833 */ - 64891, /* 64897 */ - 64951, /* 64961 */ - 65011, /* 65025 */ - 65089, /* 65089 */ - 65147, /* 65153 */ - 65213, /* 65217 */ - 65269, /* 65281 */ - 65327, /* 65345 */ - 65407, /* 65409 */ - 65449, /* 
65473 */ + 1, /* 1 */ + 61, /* 65 */ + 127, /* 129 */ + 193, /* 193 */ + 257, /* 257 */ + 317, /* 321 */ + 383, /* 385 */ + 449, /* 449 */ + 509, /* 513 */ + 577, /* 577 */ + 641, /* 641 */ + 701, /* 705 */ + 769, /* 769 */ + 829, /* 833 */ + 887, /* 897 */ + 953, /* 961 */ + 1021, /* 1025 */ + 1087, /* 1089 */ + 1153, /* 1153 */ + 1217, /* 1217 */ + 1279, /* 1281 */ + 1327, /* 1345 */ + 1409, /* 1409 */ + 1471, /* 1473 */ + 1531, /* 1537 */ + 1601, /* 1601 */ + 1663, /* 1665 */ + 1723, /* 1729 */ + 1789, /* 1793 */ + 1847, /* 1857 */ + 1913, /* 1921 */ + 1979, /* 1985 */ + 2039, /* 2049 */ + 2113, /* 2113 */ + 2161, /* 2177 */ + 2239, /* 2241 */ + 2297, /* 2305 */ + 2357, /* 2369 */ + 2423, /* 2433 */ + 2477, /* 2497 */ + 2557, /* 2561 */ + 2621, /* 2625 */ + 2689, /* 2689 */ + 2753, /* 2753 */ + 2803, /* 2817 */ + 2879, /* 2881 */ + 2939, /* 2945 */ + 3001, /* 3009 */ + 3067, /* 3073 */ + 3137, /* 3137 */ + 3191, /* 3201 */ + 3259, /* 3265 */ + 3329, /* 3329 */ + 3391, /* 3393 */ + 3457, /* 3457 */ + 3517, /* 3521 */ + 3583, /* 3585 */ + 3643, /* 3649 */ + 3709, /* 3713 */ + 3769, /* 3777 */ + 3833, /* 3841 */ + 3889, /* 3905 */ + 3967, /* 3969 */ + 4027, /* 4033 */ + 4093, /* 4097 */ + 4159, /* 4161 */ + 4219, /* 4225 */ + 4289, /* 4289 */ + 4349, /* 4353 */ + 4409, /* 4417 */ + 4481, /* 4481 */ + 4523, /* 4545 */ + 4603, /* 4609 */ + 4673, /* 4673 */ + 4733, /* 4737 */ + 4801, /* 4801 */ + 4861, /* 4865 */ + 4919, /* 4929 */ + 4993, /* 4993 */ + 5051, /* 5057 */ + 5119, /* 5121 */ + 5179, /* 5185 */ + 5237, /* 5249 */ + 5309, /* 5313 */ + 5351, /* 5377 */ + 5441, /* 5441 */ + 5503, /* 5505 */ + 5569, /* 5569 */ + 5623, /* 5633 */ + 5693, /* 5697 */ + 5749, /* 5761 */ + 5821, /* 5825 */ + 5881, /* 5889 */ + 5953, /* 5953 */ + 6011, /* 6017 */ + 6079, /* 6081 */ + 6143, /* 6145 */ + 6203, /* 6209 */ + 6271, /* 6273 */ + 6337, /* 6337 */ + 6397, /* 6401 */ + 6451, /* 6465 */ + 6529, /* 6529 */ + 6581, /* 6593 */ + 6653, /* 6657 */ + 6719, /* 6721 */ + 6781, /* 
6785 */ + 6841, /* 6849 */ + 6911, /* 6913 */ + 6977, /* 6977 */ + 7039, /* 7041 */ + 7103, /* 7105 */ + 7159, /* 7169 */ + 7229, /* 7233 */ + 7297, /* 7297 */ + 7351, /* 7361 */ + 7417, /* 7425 */ + 7489, /* 7489 */ + 7549, /* 7553 */ + 7607, /* 7617 */ + 7681, /* 7681 */ + 7741, /* 7745 */ + 7793, /* 7809 */ + 7873, /* 7873 */ + 7937, /* 7937 */ + 7993, /* 8001 */ + 8059, /* 8065 */ + 8123, /* 8129 */ + 8191, /* 8193 */ + 8243, /* 8257 */ + 8317, /* 8321 */ + 8377, /* 8385 */ + 8447, /* 8449 */ + 8513, /* 8513 */ + 8573, /* 8577 */ + 8641, /* 8641 */ + 8699, /* 8705 */ + 8761, /* 8769 */ + 8831, /* 8833 */ + 8893, /* 8897 */ + 8951, /* 8961 */ + 9013, /* 9025 */ + 9067, /* 9089 */ + 9151, /* 9153 */ + 9209, /* 9217 */ + 9281, /* 9281 */ + 9343, /* 9345 */ + 9403, /* 9409 */ + 9473, /* 9473 */ + 9533, /* 9537 */ + 9601, /* 9601 */ + 9661, /* 9665 */ + 9721, /* 9729 */ + 9791, /* 9793 */ + 9857, /* 9857 */ + 9907, /* 9921 */ + 9973, /* 9985 */ + 10039, /* 10049 */ + 10111, /* 10113 */ + 10177, /* 10177 */ + 10223, /* 10241 */ + 10303, /* 10305 */ + 10369, /* 10369 */ + 10433, /* 10433 */ + 10487, /* 10497 */ + 10559, /* 10561 */ + 10613, /* 10625 */ + 10687, /* 10689 */ + 10753, /* 10753 */ + 10799, /* 10817 */ + 10867, /* 10881 */ + 10939, /* 10945 */ + 11003, /* 11009 */ + 11071, /* 11073 */ + 11131, /* 11137 */ + 11197, /* 11201 */ + 11261, /* 11265 */ + 11329, /* 11329 */ + 11393, /* 11393 */ + 11447, /* 11457 */ + 11519, /* 11521 */ + 11579, /* 11585 */ + 11633, /* 11649 */ + 11701, /* 11713 */ + 11777, /* 11777 */ + 11839, /* 11841 */ + 11903, /* 11905 */ + 11969, /* 11969 */ + 12011, /* 12033 */ + 12097, /* 12097 */ + 12161, /* 12161 */ + 12211, /* 12225 */ + 12289, /* 12289 */ + 12347, /* 12353 */ + 12413, /* 12417 */ + 12479, /* 12481 */ + 12541, /* 12545 */ + 12601, /* 12609 */ + 12671, /* 12673 */ + 12721, /* 12737 */ + 12799, /* 12801 */ + 12853, /* 12865 */ + 12923, /* 12929 */ + 12983, /* 12993 */ + 13049, /* 13057 */ + 13121, /* 13121 */ + 13183, /* 
13185 */ + 13249, /* 13249 */ + 13313, /* 13313 */ + 13367, /* 13377 */ + 13441, /* 13441 */ + 13499, /* 13505 */ + 13567, /* 13569 */ + 13633, /* 13633 */ + 13697, /* 13697 */ + 13759, /* 13761 */ + 13807, /* 13825 */ + 13883, /* 13889 */ + 13933, /* 13953 */ + 14011, /* 14017 */ + 14081, /* 14081 */ + 14143, /* 14145 */ + 14207, /* 14209 */ + 14251, /* 14273 */ + 14327, /* 14337 */ + 14401, /* 14401 */ + 14461, /* 14465 */ + 14519, /* 14529 */ + 14593, /* 14593 */ + 14657, /* 14657 */ + 14717, /* 14721 */ + 14783, /* 14785 */ + 14843, /* 14849 */ + 14897, /* 14913 */ + 14969, /* 14977 */ + 15031, /* 15041 */ + 15101, /* 15105 */ + 15161, /* 15169 */ + 15233, /* 15233 */ + 15289, /* 15297 */ + 15361, /* 15361 */ + 15413, /* 15425 */ + 15473, /* 15489 */ + 15551, /* 15553 */ + 15607, /* 15617 */ + 15679, /* 15681 */ + 15739, /* 15745 */ + 15809, /* 15809 */ + 15859, /* 15873 */ + 15937, /* 15937 */ + 16001, /* 16001 */ + 16063, /* 16065 */ + 16127, /* 16129 */ + 16193, /* 16193 */ + 16253, /* 16257 */ + 16319, /* 16321 */ + 16381, /* 16385 */ + 16447, /* 16449 */ + 16493, /* 16513 */ + 16573, /* 16577 */ + 16633, /* 16641 */ + 16703, /* 16705 */ + 16763, /* 16769 */ + 16831, /* 16833 */ + 16889, /* 16897 */ + 16943, /* 16961 */ + 17021, /* 17025 */ + 17077, /* 17089 */ + 17137, /* 17153 */ + 17209, /* 17217 */ + 17257, /* 17281 */ + 17341, /* 17345 */ + 17401, /* 17409 */ + 17471, /* 17473 */ + 17519, /* 17537 */ + 17599, /* 17601 */ + 17659, /* 17665 */ + 17729, /* 17729 */ + 17791, /* 17793 */ + 17851, /* 17857 */ + 17921, /* 17921 */ + 17981, /* 17985 */ + 18049, /* 18049 */ + 18097, /* 18113 */ + 18169, /* 18177 */ + 18233, /* 18241 */ + 18301, /* 18305 */ + 18367, /* 18369 */ + 18433, /* 18433 */ + 18493, /* 18497 */ + 18553, /* 18561 */ + 18617, /* 18625 */ + 18679, /* 18689 */ + 18749, /* 18753 */ + 18803, /* 18817 */ + 18869, /* 18881 */ + 18919, /* 18945 */ + 19009, /* 19009 */ + 19073, /* 19073 */ + 19121, /* 19137 */ + 19183, /* 19201 */ + 19259, /* 
19265 */ + 19319, /* 19329 */ + 19391, /* 19393 */ + 19457, /* 19457 */ + 19507, /* 19521 */ + 19583, /* 19585 */ + 19609, /* 19649 */ + 19709, /* 19713 */ + 19777, /* 19777 */ + 19841, /* 19841 */ + 19891, /* 19905 */ + 19963, /* 19969 */ + 20029, /* 20033 */ + 20089, /* 20097 */ + 20161, /* 20161 */ + 20219, /* 20225 */ + 20287, /* 20289 */ + 20353, /* 20353 */ + 20411, /* 20417 */ + 20479, /* 20481 */ + 20543, /* 20545 */ + 20599, /* 20609 */ + 20663, /* 20673 */ + 20731, /* 20737 */ + 20789, /* 20801 */ + 20857, /* 20865 */ + 20929, /* 20929 */ + 20983, /* 20993 */ + 21031, /* 21057 */ + 21121, /* 21121 */ + 21179, /* 21185 */ + 21247, /* 21249 */ + 21313, /* 21313 */ + 21377, /* 21377 */ + 21433, /* 21441 */ + 21503, /* 21505 */ + 21569, /* 21569 */ + 21617, /* 21633 */ + 21683, /* 21697 */ + 21757, /* 21761 */ + 21821, /* 21825 */ + 21881, /* 21889 */ + 21943, /* 21953 */ + 22013, /* 22017 */ + 22079, /* 22081 */ + 22133, /* 22145 */ + 22193, /* 22209 */ + 22273, /* 22273 */ + 22307, /* 22337 */ + 22397, /* 22401 */ + 22453, /* 22465 */ + 22511, /* 22529 */ + 22573, /* 22593 */ + 22651, /* 22657 */ + 22721, /* 22721 */ + 22783, /* 22785 */ + 22817, /* 22849 */ + 22907, /* 22913 */ + 22973, /* 22977 */ + 23041, /* 23041 */ + 23099, /* 23105 */ + 23167, /* 23169 */ + 23227, /* 23233 */ + 23297, /* 23297 */ + 23357, /* 23361 */ + 23417, /* 23425 */ + 23473, /* 23489 */ + 23549, /* 23553 */ + 23609, /* 23617 */ + 23677, /* 23681 */ + 23743, /* 23745 */ + 23801, /* 23809 */ + 23873, /* 23873 */ + 23929, /* 23937 */ + 24001, /* 24001 */ + 24061, /* 24065 */ + 24121, /* 24129 */ + 24181, /* 24193 */ + 24251, /* 24257 */ + 24317, /* 24321 */ + 24379, /* 24385 */ + 24443, /* 24449 */ + 24509, /* 24513 */ + 24571, /* 24577 */ + 24631, /* 24641 */ + 24697, /* 24705 */ + 24767, /* 24769 */ + 24821, /* 24833 */ + 24889, /* 24897 */ + 24953, /* 24961 */ + 25013, /* 25025 */ + 25087, /* 25089 */ + 25153, /* 25153 */ + 25189, /* 25217 */ + 25261, /* 25281 */ + 25343, /* 
25345 */ + 25409, /* 25409 */ + 25471, /* 25473 */ + 25537, /* 25537 */ + 25601, /* 25601 */ + 25657, /* 25665 */ + 25717, /* 25729 */ + 25793, /* 25793 */ + 25849, /* 25857 */ + 25919, /* 25921 */ + 25981, /* 25985 */ + 26041, /* 26049 */ + 26113, /* 26113 */ + 26177, /* 26177 */ + 26237, /* 26241 */ + 26297, /* 26305 */ + 26357, /* 26369 */ + 26431, /* 26433 */ + 26497, /* 26497 */ + 26561, /* 26561 */ + 26597, /* 26625 */ + 26687, /* 26689 */ + 26737, /* 26753 */ + 26813, /* 26817 */ + 26881, /* 26881 */ + 26927, /* 26945 */ + 26993, /* 27009 */ + 27073, /* 27073 */ + 27127, /* 27137 */ + 27197, /* 27201 */ + 27259, /* 27265 */ + 27329, /* 27329 */ + 27367, /* 27393 */ + 27457, /* 27457 */ + 27509, /* 27521 */ + 27583, /* 27585 */ + 27647, /* 27649 */ + 27701, /* 27713 */ + 27773, /* 27777 */ + 27827, /* 27841 */ + 27901, /* 27905 */ + 27967, /* 27969 */ + 28031, /* 28033 */ + 28097, /* 28097 */ + 28151, /* 28161 */ + 28219, /* 28225 */ + 28289, /* 28289 */ + 28351, /* 28353 */ + 28411, /* 28417 */ + 28477, /* 28481 */ + 28541, /* 28545 */ + 28607, /* 28609 */ + 28669, /* 28673 */ + 28729, /* 28737 */ + 28793, /* 28801 */ + 28859, /* 28865 */ + 28927, /* 28929 */ + 28979, /* 28993 */ + 29033, /* 29057 */ + 29101, /* 29121 */ + 29179, /* 29185 */ + 29243, /* 29249 */ + 29311, /* 29313 */ + 29363, /* 29377 */ + 29437, /* 29441 */ + 29501, /* 29505 */ + 29569, /* 29569 */ + 29633, /* 29633 */ + 29683, /* 29697 */ + 29761, /* 29761 */ + 29819, /* 29825 */ + 29881, /* 29889 */ + 29947, /* 29953 */ + 30013, /* 30017 */ + 30071, /* 30081 */ + 30139, /* 30145 */ + 30203, /* 30209 */ + 30271, /* 30273 */ + 30323, /* 30337 */ + 30391, /* 30401 */ + 30449, /* 30465 */ + 30529, /* 30529 */ + 30593, /* 30593 */ + 30649, /* 30657 */ + 30713, /* 30721 */ + 30781, /* 30785 */ + 30841, /* 30849 */ + 30911, /* 30913 */ + 30977, /* 30977 */ + 31039, /* 31041 */ + 31091, /* 31105 */ + 31159, /* 31169 */ + 31231, /* 31233 */ + 31277, /* 31297 */ + 31357, /* 31361 */ + 31397, /* 
31425 */ + 31489, /* 31489 */ + 31547, /* 31553 */ + 31607, /* 31617 */ + 31667, /* 31681 */ + 31741, /* 31745 */ + 31799, /* 31809 */ + 31873, /* 31873 */ + 31907, /* 31937 */ + 31991, /* 32001 */ + 32063, /* 32065 */ + 32119, /* 32129 */ + 32191, /* 32193 */ + 32257, /* 32257 */ + 32321, /* 32321 */ + 32381, /* 32385 */ + 32443, /* 32449 */ + 32507, /* 32513 */ + 32573, /* 32577 */ + 32633, /* 32641 */ + 32693, /* 32705 */ + 32749, /* 32769 */ + 32833, /* 32833 */ + 32887, /* 32897 */ + 32957, /* 32961 */ + 33023, /* 33025 */ + 33083, /* 33089 */ + 33151, /* 33153 */ + 33211, /* 33217 */ + 33247, /* 33281 */ + 33343, /* 33345 */ + 33409, /* 33409 */ + 33469, /* 33473 */ + 33533, /* 33537 */ + 33601, /* 33601 */ + 33647, /* 33665 */ + 33721, /* 33729 */ + 33791, /* 33793 */ + 33857, /* 33857 */ + 33911, /* 33921 */ + 33967, /* 33985 */ + 34039, /* 34049 */ + 34061, /* 34113 */ + 34171, /* 34177 */ + 34231, /* 34241 */ + 34303, /* 34305 */ + 34369, /* 34369 */ + 34429, /* 34433 */ + 34487, /* 34497 */ + 34549, /* 34561 */ + 34613, /* 34625 */ + 34687, /* 34689 */ + 34747, /* 34753 */ + 34807, /* 34817 */ + 34877, /* 34881 */ + 34939, /* 34945 */ + 34981, /* 35009 */ + 35069, /* 35073 */ + 35129, /* 35137 */ + 35201, /* 35201 */ + 35257, /* 35265 */ + 35327, /* 35329 */ + 35393, /* 35393 */ + 35449, /* 35457 */ + 35521, /* 35521 */ + 35573, /* 35585 */ + 35617, /* 35649 */ + 35677, /* 35713 */ + 35771, /* 35777 */ + 35839, /* 35841 */ + 35899, /* 35905 */ + 35969, /* 35969 */ + 36017, /* 36033 */ + 36097, /* 36097 */ + 36161, /* 36161 */ + 36217, /* 36225 */ + 36277, /* 36289 */ + 36353, /* 36353 */ + 36389, /* 36417 */ + 36479, /* 36481 */ + 36541, /* 36545 */ + 36607, /* 36609 */ + 36671, /* 36673 */ + 36721, /* 36737 */ + 36793, /* 36801 */ + 36857, /* 36865 */ + 36929, /* 36929 */ + 36979, /* 36993 */ + 37057, /* 37057 */ + 37117, /* 37121 */ + 37181, /* 37185 */ + 37243, /* 37249 */ + 37313, /* 37313 */ + 37369, /* 37377 */ + 37441, /* 37441 */ + 37501, /* 
37505 */ + 37567, /* 37569 */ + 37633, /* 37633 */ + 37693, /* 37697 */ + 37747, /* 37761 */ + 37813, /* 37825 */ + 37889, /* 37889 */ + 37951, /* 37953 */ + 38011, /* 38017 */ + 38069, /* 38081 */ + 38119, /* 38145 */ + 38201, /* 38209 */ + 38273, /* 38273 */ + 38333, /* 38337 */ + 38393, /* 38401 */ + 38461, /* 38465 */ + 38501, /* 38529 */ + 38593, /* 38593 */ + 38653, /* 38657 */ + 38713, /* 38721 */ + 38783, /* 38785 */ + 38839, /* 38849 */ + 38903, /* 38913 */ + 38977, /* 38977 */ + 39041, /* 39041 */ + 39103, /* 39105 */ + 39163, /* 39169 */ + 39233, /* 39233 */ + 39293, /* 39297 */ + 39359, /* 39361 */ + 39419, /* 39425 */ + 39461, /* 39489 */ + 39551, /* 39553 */ + 39607, /* 39617 */ + 39679, /* 39681 */ + 39733, /* 39745 */ + 39799, /* 39809 */ + 39869, /* 39873 */ + 39937, /* 39937 */ + 39989, /* 40001 */ + 40063, /* 40065 */ + 40129, /* 40129 */ + 40193, /* 40193 */ + 40253, /* 40257 */ + 40289, /* 40321 */ + 40361, /* 40385 */ + 40433, /* 40449 */ + 40507, /* 40513 */ + 40577, /* 40577 */ + 40639, /* 40641 */ + 40699, /* 40705 */ + 40763, /* 40769 */ + 40829, /* 40833 */ + 40897, /* 40897 */ + 40961, /* 40961 */ + 41023, /* 41025 */ + 41081, /* 41089 */ + 41149, /* 41153 */ + 41213, /* 41217 */ + 41281, /* 41281 */ + 41341, /* 41345 */ + 41399, /* 41409 */ + 41467, /* 41473 */ + 41521, /* 41537 */ + 41597, /* 41601 */ + 41659, /* 41665 */ + 41729, /* 41729 */ + 41777, /* 41793 */ + 41851, /* 41857 */ + 41911, /* 41921 */ + 41983, /* 41985 */ + 42043, /* 42049 */ + 42101, /* 42113 */ + 42169, /* 42177 */ + 42239, /* 42241 */ + 42299, /* 42305 */ + 42359, /* 42369 */ + 42433, /* 42433 */ + 42491, /* 42497 */ + 42557, /* 42561 */ + 42611, /* 42625 */ + 42689, /* 42689 */ + 42751, /* 42753 */ + 42797, /* 42817 */ + 42863, /* 42881 */ + 42943, /* 42945 */ + 43003, /* 43009 */ + 43067, /* 43073 */ + 43133, /* 43137 */ + 43201, /* 43201 */ + 43261, /* 43265 */ + 43321, /* 43329 */ + 43391, /* 43393 */ + 43457, /* 43457 */ + 43517, /* 43521 */ + 43579, /* 
43585 */ + 43649, /* 43649 */ + 43711, /* 43713 */ + 43777, /* 43777 */ + 43801, /* 43841 */ + 43891, /* 43905 */ + 43969, /* 43969 */ + 44029, /* 44033 */ + 44089, /* 44097 */ + 44159, /* 44161 */ + 44221, /* 44225 */ + 44281, /* 44289 */ + 44351, /* 44353 */ + 44417, /* 44417 */ + 44453, /* 44481 */ + 44543, /* 44545 */ + 44587, /* 44609 */ + 44657, /* 44673 */ + 44729, /* 44737 */ + 44797, /* 44801 */ + 44851, /* 44865 */ + 44927, /* 44929 */ + 44987, /* 44993 */ + 45053, /* 45057 */ + 45121, /* 45121 */ + 45181, /* 45185 */ + 45247, /* 45249 */ + 45307, /* 45313 */ + 45377, /* 45377 */ + 45439, /* 45441 */ + 45503, /* 45505 */ + 45569, /* 45569 */ + 45631, /* 45633 */ + 45697, /* 45697 */ + 45757, /* 45761 */ + 45823, /* 45825 */ + 45887, /* 45889 */ + 45953, /* 45953 */ + 45989, /* 46017 */ + 46073, /* 46081 */ + 46141, /* 46145 */ + 46199, /* 46209 */ + 46273, /* 46273 */ + 46337, /* 46337 */ + 46399, /* 46401 */ + 46457, /* 46465 */ + 46523, /* 46529 */ + 46591, /* 46593 */ + 46649, /* 46657 */ + 46703, /* 46721 */ + 46771, /* 46785 */ + 46831, /* 46849 */ + 46901, /* 46913 */ + 46957, /* 46977 */ + 47041, /* 47041 */ + 47093, /* 47105 */ + 47161, /* 47169 */ + 47221, /* 47233 */ + 47297, /* 47297 */ + 47353, /* 47361 */ + 47419, /* 47425 */ + 47459, /* 47489 */ + 47543, /* 47553 */ + 47609, /* 47617 */ + 47681, /* 47681 */ + 47743, /* 47745 */ + 47809, /* 47809 */ + 47869, /* 47873 */ + 47933, /* 47937 */ + 47981, /* 48001 */ + 48049, /* 48065 */ + 48121, /* 48129 */ + 48193, /* 48193 */ + 48247, /* 48257 */ + 48313, /* 48321 */ + 48383, /* 48385 */ + 48449, /* 48449 */ + 48497, /* 48513 */ + 48571, /* 48577 */ + 48623, /* 48641 */ + 48679, /* 48705 */ + 48767, /* 48769 */ + 48823, /* 48833 */ + 48889, /* 48897 */ + 48953, /* 48961 */ + 49019, /* 49025 */ + 49081, /* 49089 */ + 49139, /* 49153 */ + 49211, /* 49217 */ + 49279, /* 49281 */ + 49339, /* 49345 */ + 49409, /* 49409 */ + 49463, /* 49473 */ + 49537, /* 49537 */ + 49597, /* 49601 */ + 49663, /* 
49665 */ + 49727, /* 49729 */ + 49789, /* 49793 */ + 49853, /* 49857 */ + 49921, /* 49921 */ + 49957, /* 49985 */ + 50047, /* 50049 */ + 50111, /* 50113 */ + 50177, /* 50177 */ + 50231, /* 50241 */ + 50291, /* 50305 */ + 50363, /* 50369 */ + 50423, /* 50433 */ + 50497, /* 50497 */ + 50551, /* 50561 */ + 50599, /* 50625 */ + 50683, /* 50689 */ + 50753, /* 50753 */ + 50789, /* 50817 */ + 50873, /* 50881 */ + 50929, /* 50945 */ + 51001, /* 51009 */ + 51071, /* 51073 */ + 51137, /* 51137 */ + 51199, /* 51201 */ + 51263, /* 51265 */ + 51329, /* 51329 */ + 51383, /* 51393 */ + 51449, /* 51457 */ + 51521, /* 51521 */ + 51581, /* 51585 */ + 51647, /* 51649 */ + 51713, /* 51713 */ + 51769, /* 51777 */ + 51839, /* 51841 */ + 51899, /* 51905 */ + 51949, /* 51969 */ + 52027, /* 52033 */ + 52081, /* 52097 */ + 52153, /* 52161 */ + 52223, /* 52225 */ + 52289, /* 52289 */ + 52321, /* 52353 */ + 52391, /* 52417 */ + 52457, /* 52481 */ + 52543, /* 52545 */ + 52609, /* 52609 */ + 52673, /* 52673 */ + 52733, /* 52737 */ + 52783, /* 52801 */ + 52861, /* 52865 */ + 52919, /* 52929 */ + 52981, /* 52993 */ + 53051, /* 53057 */ + 53117, /* 53121 */ + 53173, /* 53185 */ + 53239, /* 53249 */ + 53309, /* 53313 */ + 53377, /* 53377 */ + 53441, /* 53441 */ + 53503, /* 53505 */ + 53569, /* 53569 */ + 53633, /* 53633 */ + 53693, /* 53697 */ + 53759, /* 53761 */ + 53819, /* 53825 */ + 53887, /* 53889 */ + 53951, /* 53953 */ + 54013, /* 54017 */ + 54059, /* 54081 */ + 54139, /* 54145 */ + 54193, /* 54209 */ + 54269, /* 54273 */ + 54331, /* 54337 */ + 54401, /* 54401 */ + 54449, /* 54465 */ + 54521, /* 54529 */ + 54583, /* 54593 */ + 54647, /* 54657 */ + 54721, /* 54721 */ + 54779, /* 54785 */ + 54833, /* 54849 */ + 54907, /* 54913 */ + 54973, /* 54977 */ + 55021, /* 55041 */ + 55103, /* 55105 */ + 55163, /* 55169 */ + 55229, /* 55233 */ + 55291, /* 55297 */ + 55351, /* 55361 */ + 55411, /* 55425 */ + 55487, /* 55489 */ + 55547, /* 55553 */ + 55609, /* 55617 */ + 55681, /* 55681 */ + 55733, /* 
55745 */ + 55807, /* 55809 */ + 55871, /* 55873 */ + 55933, /* 55937 */ + 55997, /* 56001 */ + 56053, /* 56065 */ + 56123, /* 56129 */ + 56179, /* 56193 */ + 56249, /* 56257 */ + 56311, /* 56321 */ + 56383, /* 56385 */ + 56443, /* 56449 */ + 56509, /* 56513 */ + 56569, /* 56577 */ + 56633, /* 56641 */ + 56701, /* 56705 */ + 56767, /* 56769 */ + 56827, /* 56833 */ + 56897, /* 56897 */ + 56957, /* 56961 */ + 56999, /* 57025 */ + 57089, /* 57089 */ + 57149, /* 57153 */ + 57203, /* 57217 */ + 57271, /* 57281 */ + 57331, /* 57345 */ + 57397, /* 57409 */ + 57467, /* 57473 */ + 57529, /* 57537 */ + 57601, /* 57601 */ + 57653, /* 57665 */ + 57727, /* 57729 */ + 57793, /* 57793 */ + 57853, /* 57857 */ + 57917, /* 57921 */ + 57977, /* 57985 */ + 58049, /* 58049 */ + 58111, /* 58113 */ + 58171, /* 58177 */ + 58237, /* 58241 */ + 58271, /* 58305 */ + 58369, /* 58369 */ + 58427, /* 58433 */ + 58481, /* 58497 */ + 58549, /* 58561 */ + 58613, /* 58625 */ + 58687, /* 58689 */ + 58741, /* 58753 */ + 58789, /* 58817 */ + 58831, /* 58881 */ + 58943, /* 58945 */ + 59009, /* 59009 */ + 59069, /* 59073 */ + 59123, /* 59137 */ + 59197, /* 59201 */ + 59263, /* 59265 */ + 59281, /* 59329 */ + 59393, /* 59393 */ + 59453, /* 59457 */ + 59513, /* 59521 */ + 59581, /* 59585 */ + 59629, /* 59649 */ + 59707, /* 59713 */ + 59771, /* 59777 */ + 59833, /* 59841 */ + 59887, /* 59905 */ + 59957, /* 59969 */ + 60029, /* 60033 */ + 60091, /* 60097 */ + 60161, /* 60161 */ + 60223, /* 60225 */ + 60289, /* 60289 */ + 60353, /* 60353 */ + 60413, /* 60417 */ + 60457, /* 60481 */ + 60539, /* 60545 */ + 60607, /* 60609 */ + 60661, /* 60673 */ + 60737, /* 60737 */ + 60793, /* 60801 */ + 60859, /* 60865 */ + 60923, /* 60929 */ + 60961, /* 60993 */ + 61057, /* 61057 */ + 61121, /* 61121 */ + 61169, /* 61185 */ + 61231, /* 61249 */ + 61297, /* 61313 */ + 61363, /* 61377 */ + 61441, /* 61441 */ + 61493, /* 61505 */ + 61561, /* 61569 */ + 61631, /* 61633 */ + 61687, /* 61697 */ + 61757, /* 61761 */ + 61819, /* 
61825 */ + 61879, /* 61889 */ + 61949, /* 61953 */ + 62017, /* 62017 */ + 62081, /* 62081 */ + 62143, /* 62145 */ + 62207, /* 62209 */ + 62273, /* 62273 */ + 62327, /* 62337 */ + 62401, /* 62401 */ + 62459, /* 62465 */ + 62507, /* 62529 */ + 62591, /* 62593 */ + 62653, /* 62657 */ + 62701, /* 62721 */ + 62773, /* 62785 */ + 62827, /* 62849 */ + 62903, /* 62913 */ + 62971, /* 62977 */ + 63031, /* 63041 */ + 63103, /* 63105 */ + 63149, /* 63169 */ + 63211, /* 63233 */ + 63281, /* 63297 */ + 63361, /* 63361 */ + 63421, /* 63425 */ + 63487, /* 63489 */ + 63541, /* 63553 */ + 63617, /* 63617 */ + 63671, /* 63681 */ + 63743, /* 63745 */ + 63809, /* 63809 */ + 63863, /* 63873 */ + 63929, /* 63937 */ + 63997, /* 64001 */ + 64063, /* 64065 */ + 64123, /* 64129 */ + 64189, /* 64193 */ + 64237, /* 64257 */ + 64319, /* 64321 */ + 64381, /* 64385 */ + 64439, /* 64449 */ + 64513, /* 64513 */ + 64577, /* 64577 */ + 64633, /* 64641 */ + 64693, /* 64705 */ + 64763, /* 64769 */ + 64817, /* 64833 */ + 64891, /* 64897 */ + 64951, /* 64961 */ + 65011, /* 65025 */ + 65089, /* 65089 */ + 65147, /* 65153 */ + 65213, /* 65217 */ + 65269, /* 65281 */ + 65327, /* 65345 */ + 65407, /* 65409 */ + 65449, /* 65473 */ }; /* 0-1M, increments=1024 */ -static +static unsigned prime_table2[1024]={ - 1021, /* 1024 */ - 2039, /* 2048 */ - 3067, /* 3072 */ - 4093, /* 4096 */ - 5119, /* 5120 */ - 6143, /* 6144 */ - 7159, /* 7168 */ - 8191, /* 8192 */ - 9209, /* 9216 */ - 10223, /* 10240 */ - 11261, /* 11264 */ - 12281, /* 12288 */ - 13309, /* 13312 */ - 14327, /* 14336 */ - 15359, /* 15360 */ - 16381, /* 16384 */ - 17401, /* 17408 */ - 18427, /* 18432 */ - 19447, /* 19456 */ - 20479, /* 20480 */ - 21503, /* 21504 */ - 22511, /* 22528 */ - 23549, /* 23552 */ - 24571, /* 24576 */ - 25589, /* 25600 */ - 26597, /* 26624 */ - 27647, /* 27648 */ - 28669, /* 28672 */ - 29683, /* 29696 */ - 30713, /* 30720 */ - 31741, /* 31744 */ - 32749, /* 32768 */ - 33791, /* 33792 */ - 34807, /* 34816 */ - 35839, /* 35840 */ 
- 36857, /* 36864 */ - 37879, /* 37888 */ - 38903, /* 38912 */ - 39929, /* 39936 */ - 40949, /* 40960 */ - 41983, /* 41984 */ - 43003, /* 43008 */ - 44029, /* 44032 */ - 45053, /* 45056 */ - 46073, /* 46080 */ - 47093, /* 47104 */ - 48121, /* 48128 */ - 49139, /* 49152 */ - 50159, /* 50176 */ - 51199, /* 51200 */ - 52223, /* 52224 */ - 53239, /* 53248 */ - 54269, /* 54272 */ - 55291, /* 55296 */ - 56311, /* 56320 */ - 57331, /* 57344 */ - 58367, /* 58368 */ - 59387, /* 59392 */ - 60413, /* 60416 */ - 61417, /* 61440 */ - 62459, /* 62464 */ - 63487, /* 63488 */ - 64499, /* 64512 */ - 65521, /* 65536 */ - 66553, /* 66560 */ - 67579, /* 67584 */ - 68597, /* 68608 */ - 69623, /* 69632 */ - 70639, /* 70656 */ - 71671, /* 71680 */ - 72701, /* 72704 */ - 73727, /* 73728 */ - 74747, /* 74752 */ - 75773, /* 75776 */ - 76781, /* 76800 */ - 77813, /* 77824 */ - 78839, /* 78848 */ - 79867, /* 79872 */ - 80863, /* 80896 */ - 81919, /* 81920 */ - 82939, /* 82944 */ - 83939, /* 83968 */ - 84991, /* 84992 */ - 86011, /* 86016 */ - 87037, /* 87040 */ - 88037, /* 88064 */ - 89087, /* 89088 */ - 90107, /* 90112 */ - 91129, /* 91136 */ - 92153, /* 92160 */ - 93179, /* 93184 */ - 94207, /* 94208 */ - 95231, /* 95232 */ - 96233, /* 96256 */ - 97259, /* 97280 */ - 98299, /* 98304 */ - 99317, /* 99328 */ - 100343, /* 100352 */ - 101363, /* 101376 */ - 102397, /* 102400 */ - 103423, /* 103424 */ - 104417, /* 104448 */ - 105467, /* 105472 */ - 106487, /* 106496 */ - 107509, /* 107520 */ - 108541, /* 108544 */ - 109567, /* 109568 */ - 110587, /* 110592 */ - 111611, /* 111616 */ - 112621, /* 112640 */ - 113657, /* 113664 */ - 114679, /* 114688 */ - 115693, /* 115712 */ - 116731, /* 116736 */ - 117757, /* 117760 */ - 118757, /* 118784 */ - 119797, /* 119808 */ - 120829, /* 120832 */ - 121853, /* 121856 */ - 122869, /* 122880 */ - 123887, /* 123904 */ - 124919, /* 124928 */ - 125941, /* 125952 */ - 126967, /* 126976 */ - 127997, /* 128000 */ - 129023, /* 129024 */ - 130043, /* 130048 */ - 
131071, /* 131072 */ - 132071, /* 132096 */ - 133117, /* 133120 */ - 134129, /* 134144 */ - 135151, /* 135168 */ - 136189, /* 136192 */ - 137209, /* 137216 */ - 138239, /* 138240 */ - 139241, /* 139264 */ - 140281, /* 140288 */ - 141311, /* 141312 */ - 142327, /* 142336 */ - 143357, /* 143360 */ - 144383, /* 144384 */ - 145399, /* 145408 */ - 146423, /* 146432 */ - 147451, /* 147456 */ - 148471, /* 148480 */ - 149503, /* 149504 */ - 150523, /* 150528 */ - 151549, /* 151552 */ - 152567, /* 152576 */ - 153589, /* 153600 */ - 154621, /* 154624 */ - 155627, /* 155648 */ - 156671, /* 156672 */ - 157679, /* 157696 */ - 158699, /* 158720 */ - 159739, /* 159744 */ - 160757, /* 160768 */ - 161783, /* 161792 */ - 162791, /* 162816 */ - 163819, /* 163840 */ - 164839, /* 164864 */ - 165887, /* 165888 */ - 166909, /* 166912 */ - 167917, /* 167936 */ - 168943, /* 168960 */ - 169957, /* 169984 */ - 171007, /* 171008 */ - 172031, /* 172032 */ - 173053, /* 173056 */ - 174079, /* 174080 */ - 175103, /* 175104 */ - 176123, /* 176128 */ - 177131, /* 177152 */ - 178169, /* 178176 */ - 179173, /* 179200 */ - 180221, /* 180224 */ - 181243, /* 181248 */ - 182261, /* 182272 */ - 183289, /* 183296 */ - 184309, /* 184320 */ - 185327, /* 185344 */ - 186343, /* 186368 */ - 187387, /* 187392 */ - 188407, /* 188416 */ - 189439, /* 189440 */ - 190409, /* 190464 */ - 191473, /* 191488 */ - 192499, /* 192512 */ - 193513, /* 193536 */ - 194543, /* 194560 */ - 195581, /* 195584 */ - 196597, /* 196608 */ - 197621, /* 197632 */ - 198647, /* 198656 */ - 199679, /* 199680 */ - 200699, /* 200704 */ - 201709, /* 201728 */ - 202751, /* 202752 */ - 203773, /* 203776 */ - 204797, /* 204800 */ - 205823, /* 205824 */ - 206827, /* 206848 */ - 207869, /* 207872 */ - 208891, /* 208896 */ - 209917, /* 209920 */ - 210943, /* 210944 */ - 211949, /* 211968 */ - 212987, /* 212992 */ - 214009, /* 214016 */ - 214993, /* 215040 */ - 216061, /* 216064 */ - 217081, /* 217088 */ - 218111, /* 218112 */ - 219133, /* 219136 */ 
- 220151, /* 220160 */ - 221173, /* 221184 */ - 222199, /* 222208 */ - 223229, /* 223232 */ - 224251, /* 224256 */ - 225263, /* 225280 */ - 226283, /* 226304 */ - 227303, /* 227328 */ - 228341, /* 228352 */ - 229373, /* 229376 */ - 230393, /* 230400 */ - 231419, /* 231424 */ - 232439, /* 232448 */ - 233437, /* 233472 */ - 234473, /* 234496 */ - 235519, /* 235520 */ - 236527, /* 236544 */ - 237563, /* 237568 */ - 238591, /* 238592 */ - 239611, /* 239616 */ - 240631, /* 240640 */ - 241663, /* 241664 */ - 242681, /* 242688 */ - 243709, /* 243712 */ - 244733, /* 244736 */ - 245759, /* 245760 */ - 246781, /* 246784 */ - 247799, /* 247808 */ - 248827, /* 248832 */ - 249853, /* 249856 */ - 250871, /* 250880 */ - 251903, /* 251904 */ - 252919, /* 252928 */ - 253951, /* 253952 */ - 254971, /* 254976 */ - 255989, /* 256000 */ - 257017, /* 257024 */ - 258031, /* 258048 */ - 259033, /* 259072 */ - 260089, /* 260096 */ - 261101, /* 261120 */ - 262139, /* 262144 */ - 263167, /* 263168 */ - 264179, /* 264192 */ - 265207, /* 265216 */ - 266239, /* 266240 */ - 267259, /* 267264 */ - 268283, /* 268288 */ - 269281, /* 269312 */ - 270329, /* 270336 */ - 271357, /* 271360 */ - 272383, /* 272384 */ - 273367, /* 273408 */ - 274423, /* 274432 */ - 275453, /* 275456 */ - 276467, /* 276480 */ - 277499, /* 277504 */ - 278503, /* 278528 */ - 279551, /* 279552 */ - 280561, /* 280576 */ - 281581, /* 281600 */ - 282617, /* 282624 */ - 283639, /* 283648 */ - 284659, /* 284672 */ - 285673, /* 285696 */ - 286711, /* 286720 */ - 287731, /* 287744 */ - 288767, /* 288768 */ - 289789, /* 289792 */ - 290803, /* 290816 */ - 291833, /* 291840 */ - 292849, /* 292864 */ - 293863, /* 293888 */ - 294911, /* 294912 */ - 295909, /* 295936 */ - 296941, /* 296960 */ - 297971, /* 297984 */ - 298999, /* 299008 */ - 300023, /* 300032 */ - 301051, /* 301056 */ - 302053, /* 302080 */ - 303097, /* 303104 */ - 304127, /* 304128 */ - 305147, /* 305152 */ - 306169, /* 306176 */ - 307189, /* 307200 */ - 308219, /* 308224 
*/ - 309241, /* 309248 */ - 310243, /* 310272 */ - 311293, /* 311296 */ - 312313, /* 312320 */ - 313343, /* 313344 */ - 314359, /* 314368 */ - 315389, /* 315392 */ - 316403, /* 316416 */ - 317437, /* 317440 */ - 318457, /* 318464 */ - 319483, /* 319488 */ - 320483, /* 320512 */ - 321509, /* 321536 */ - 322559, /* 322560 */ - 323581, /* 323584 */ - 324593, /* 324608 */ - 325631, /* 325632 */ - 326633, /* 326656 */ - 327673, /* 327680 */ - 328687, /* 328704 */ - 329723, /* 329728 */ - 330749, /* 330752 */ - 331769, /* 331776 */ - 332791, /* 332800 */ - 333821, /* 333824 */ - 334843, /* 334848 */ - 335857, /* 335872 */ - 336887, /* 336896 */ - 337919, /* 337920 */ - 338927, /* 338944 */ - 339959, /* 339968 */ - 340979, /* 340992 */ - 341993, /* 342016 */ - 343037, /* 343040 */ - 344053, /* 344064 */ - 345067, /* 345088 */ - 346111, /* 346112 */ - 347131, /* 347136 */ - 348149, /* 348160 */ - 349183, /* 349184 */ - 350191, /* 350208 */ - 351229, /* 351232 */ - 352249, /* 352256 */ - 353263, /* 353280 */ - 354301, /* 354304 */ - 355321, /* 355328 */ - 356351, /* 356352 */ - 357359, /* 357376 */ - 358373, /* 358400 */ - 359419, /* 359424 */ - 360439, /* 360448 */ - 361469, /* 361472 */ - 362473, /* 362496 */ - 363497, /* 363520 */ - 364543, /* 364544 */ - 365567, /* 365568 */ - 366547, /* 366592 */ - 367613, /* 367616 */ - 368633, /* 368640 */ - 369661, /* 369664 */ - 370687, /* 370688 */ - 371699, /* 371712 */ - 372733, /* 372736 */ - 373757, /* 373760 */ - 374783, /* 374784 */ - 375799, /* 375808 */ - 376823, /* 376832 */ - 377851, /* 377856 */ - 378869, /* 378880 */ - 379903, /* 379904 */ - 380917, /* 380928 */ - 381949, /* 381952 */ - 382961, /* 382976 */ - 383987, /* 384000 */ - 385013, /* 385024 */ - 386047, /* 386048 */ - 387071, /* 387072 */ - 388081, /* 388096 */ - 389117, /* 389120 */ - 390119, /* 390144 */ - 391163, /* 391168 */ - 392177, /* 392192 */ - 393209, /* 393216 */ - 394223, /* 394240 */ - 395261, /* 395264 */ - 396269, /* 396288 */ - 397303, /* 
397312 */ - 398323, /* 398336 */ - 399353, /* 399360 */ - 400381, /* 400384 */ - 401407, /* 401408 */ - 402419, /* 402432 */ - 403439, /* 403456 */ - 404461, /* 404480 */ - 405499, /* 405504 */ - 406517, /* 406528 */ - 407527, /* 407552 */ - 408563, /* 408576 */ - 409597, /* 409600 */ - 410623, /* 410624 */ - 411641, /* 411648 */ - 412667, /* 412672 */ - 413689, /* 413696 */ - 414709, /* 414720 */ - 415729, /* 415744 */ - 416761, /* 416768 */ - 417773, /* 417792 */ - 418813, /* 418816 */ - 419831, /* 419840 */ - 420859, /* 420864 */ - 421847, /* 421888 */ - 422911, /* 422912 */ - 423931, /* 423936 */ - 424939, /* 424960 */ - 425977, /* 425984 */ - 427001, /* 427008 */ - 428027, /* 428032 */ - 429043, /* 429056 */ - 430061, /* 430080 */ - 431099, /* 431104 */ - 432121, /* 432128 */ - 433151, /* 433152 */ - 434167, /* 434176 */ - 435191, /* 435200 */ - 436217, /* 436224 */ - 437243, /* 437248 */ - 438271, /* 438272 */ - 439289, /* 439296 */ - 440311, /* 440320 */ - 441319, /* 441344 */ - 442367, /* 442368 */ - 443389, /* 443392 */ - 444403, /* 444416 */ - 445433, /* 445440 */ - 446461, /* 446464 */ - 447481, /* 447488 */ - 448451, /* 448512 */ - 449473, /* 449536 */ - 450557, /* 450560 */ - 451579, /* 451584 */ - 452597, /* 452608 */ - 453631, /* 453632 */ - 454637, /* 454656 */ - 455659, /* 455680 */ - 456697, /* 456704 */ - 457711, /* 457728 */ - 458747, /* 458752 */ - 459763, /* 459776 */ - 460793, /* 460800 */ - 461819, /* 461824 */ - 462841, /* 462848 */ - 463867, /* 463872 */ - 464879, /* 464896 */ - 465917, /* 465920 */ - 466919, /* 466944 */ - 467963, /* 467968 */ - 468983, /* 468992 */ - 469993, /* 470016 */ - 471007, /* 471040 */ - 472063, /* 472064 */ - 473027, /* 473088 */ - 474101, /* 474112 */ - 475109, /* 475136 */ - 476143, /* 476160 */ - 477163, /* 477184 */ - 478207, /* 478208 */ - 479231, /* 479232 */ - 480209, /* 480256 */ - 481249, /* 481280 */ - 482281, /* 482304 */ - 483323, /* 483328 */ - 484339, /* 484352 */ - 485371, /* 485376 */ - 486397, 
/* 486400 */ - 487423, /* 487424 */ - 488441, /* 488448 */ - 489457, /* 489472 */ - 490493, /* 490496 */ - 491503, /* 491520 */ - 492523, /* 492544 */ - 493567, /* 493568 */ - 494591, /* 494592 */ - 495613, /* 495616 */ - 496631, /* 496640 */ - 497663, /* 497664 */ - 498679, /* 498688 */ - 499711, /* 499712 */ - 500729, /* 500736 */ - 501731, /* 501760 */ - 502781, /* 502784 */ - 503803, /* 503808 */ - 504821, /* 504832 */ - 505823, /* 505856 */ - 506873, /* 506880 */ - 507901, /* 507904 */ - 508919, /* 508928 */ - 509947, /* 509952 */ - 510943, /* 510976 */ - 511997, /* 512000 */ - 513017, /* 513024 */ - 514021, /* 514048 */ - 515041, /* 515072 */ - 516091, /* 516096 */ - 517091, /* 517120 */ - 518137, /* 518144 */ - 519161, /* 519168 */ - 520151, /* 520192 */ - 521201, /* 521216 */ - 522239, /* 522240 */ - 523261, /* 523264 */ - 524287, /* 524288 */ - 525299, /* 525312 */ - 526307, /* 526336 */ - 527353, /* 527360 */ - 528383, /* 528384 */ - 529393, /* 529408 */ - 530429, /* 530432 */ - 531383, /* 531456 */ - 532453, /* 532480 */ - 533459, /* 533504 */ - 534511, /* 534528 */ - 535547, /* 535552 */ - 536563, /* 536576 */ - 537599, /* 537600 */ - 538621, /* 538624 */ - 539641, /* 539648 */ - 540629, /* 540672 */ - 541693, /* 541696 */ - 542719, /* 542720 */ - 543713, /* 543744 */ - 544759, /* 544768 */ - 545791, /* 545792 */ - 546781, /* 546816 */ - 547831, /* 547840 */ - 548861, /* 548864 */ - 549883, /* 549888 */ - 550909, /* 550912 */ - 551933, /* 551936 */ - 552917, /* 552960 */ - 553981, /* 553984 */ - 554977, /* 555008 */ - 556027, /* 556032 */ - 557041, /* 557056 */ - 558067, /* 558080 */ - 559099, /* 559104 */ - 560123, /* 560128 */ - 561109, /* 561152 */ - 562169, /* 562176 */ - 563197, /* 563200 */ - 564197, /* 564224 */ - 565247, /* 565248 */ - 566233, /* 566272 */ - 567277, /* 567296 */ - 568303, /* 568320 */ - 569323, /* 569344 */ - 570359, /* 570368 */ - 571381, /* 571392 */ - 572399, /* 572416 */ - 573437, /* 573440 */ - 574439, /* 574464 */ - 
575479, /* 575488 */ - 576509, /* 576512 */ - 577531, /* 577536 */ - 578537, /* 578560 */ - 579583, /* 579584 */ - 580607, /* 580608 */ - 581617, /* 581632 */ - 582649, /* 582656 */ - 583673, /* 583680 */ - 584699, /* 584704 */ - 585727, /* 585728 */ - 586741, /* 586752 */ - 587773, /* 587776 */ - 588779, /* 588800 */ - 589811, /* 589824 */ - 590839, /* 590848 */ - 591863, /* 591872 */ - 592877, /* 592896 */ - 593903, /* 593920 */ - 594931, /* 594944 */ - 595967, /* 595968 */ - 596987, /* 596992 */ - 598007, /* 598016 */ - 599023, /* 599040 */ - 600053, /* 600064 */ - 601079, /* 601088 */ - 602111, /* 602112 */ - 603133, /* 603136 */ - 604073, /* 604160 */ - 605177, /* 605184 */ - 606181, /* 606208 */ - 607219, /* 607232 */ - 608213, /* 608256 */ - 609277, /* 609280 */ - 610301, /* 610304 */ - 611323, /* 611328 */ - 612349, /* 612352 */ - 613367, /* 613376 */ - 614387, /* 614400 */ - 615413, /* 615424 */ - 616439, /* 616448 */ - 617471, /* 617472 */ - 618463, /* 618496 */ - 619511, /* 619520 */ - 620531, /* 620544 */ - 621541, /* 621568 */ - 622577, /* 622592 */ - 623591, /* 623616 */ - 624607, /* 624640 */ - 625663, /* 625664 */ - 626687, /* 626688 */ - 627709, /* 627712 */ - 628721, /* 628736 */ - 629747, /* 629760 */ - 630737, /* 630784 */ - 631789, /* 631808 */ - 632813, /* 632832 */ - 633833, /* 633856 */ - 634871, /* 634880 */ - 635893, /* 635904 */ - 636919, /* 636928 */ - 637939, /* 637952 */ - 638971, /* 638976 */ - 639997, /* 640000 */ - 640993, /* 641024 */ - 642013, /* 642048 */ - 643061, /* 643072 */ - 644089, /* 644096 */ - 645097, /* 645120 */ - 646103, /* 646144 */ - 647161, /* 647168 */ - 648191, /* 648192 */ - 649183, /* 649216 */ - 650227, /* 650240 */ - 651257, /* 651264 */ - 652283, /* 652288 */ - 653311, /* 653312 */ - 654323, /* 654336 */ - 655357, /* 655360 */ - 656377, /* 656384 */ - 657403, /* 657408 */ - 658417, /* 658432 */ - 659453, /* 659456 */ - 660449, /* 660480 */ - 661483, /* 661504 */ - 662527, /* 662528 */ - 663547, /* 663552 */ 
- 664571, /* 664576 */ - 665591, /* 665600 */ - 666607, /* 666624 */ - 667643, /* 667648 */ - 668671, /* 668672 */ - 669689, /* 669696 */ - 670711, /* 670720 */ - 671743, /* 671744 */ - 672767, /* 672768 */ - 673787, /* 673792 */ - 674813, /* 674816 */ - 675839, /* 675840 */ - 676861, /* 676864 */ - 677857, /* 677888 */ - 678907, /* 678912 */ - 679933, /* 679936 */ - 680959, /* 680960 */ - 681983, /* 681984 */ - 683003, /* 683008 */ - 684017, /* 684032 */ - 685051, /* 685056 */ - 686057, /* 686080 */ - 687101, /* 687104 */ - 688111, /* 688128 */ - 689141, /* 689152 */ - 690163, /* 690176 */ - 691199, /* 691200 */ - 692221, /* 692224 */ - 693223, /* 693248 */ - 694271, /* 694272 */ - 695293, /* 695296 */ - 696317, /* 696320 */ - 697327, /* 697344 */ - 698359, /* 698368 */ - 699383, /* 699392 */ - 700393, /* 700416 */ - 701419, /* 701440 */ - 702451, /* 702464 */ - 703471, /* 703488 */ - 704507, /* 704512 */ - 705533, /* 705536 */ - 706547, /* 706560 */ - 707573, /* 707584 */ - 708601, /* 708608 */ - 709609, /* 709632 */ - 710641, /* 710656 */ - 711679, /* 711680 */ - 712697, /* 712704 */ - 713681, /* 713728 */ - 714751, /* 714752 */ - 715753, /* 715776 */ - 716789, /* 716800 */ - 717817, /* 717824 */ - 718847, /* 718848 */ - 719839, /* 719872 */ - 720887, /* 720896 */ - 721909, /* 721920 */ - 722933, /* 722944 */ - 723967, /* 723968 */ - 724991, /* 724992 */ - 726013, /* 726016 */ - 727021, /* 727040 */ - 728047, /* 728064 */ - 729073, /* 729088 */ - 730111, /* 730112 */ - 731117, /* 731136 */ - 732157, /* 732160 */ - 733177, /* 733184 */ - 734207, /* 734208 */ - 735211, /* 735232 */ - 736249, /* 736256 */ - 737279, /* 737280 */ - 738301, /* 738304 */ - 739327, /* 739328 */ - 740351, /* 740352 */ - 741373, /* 741376 */ - 742393, /* 742400 */ - 743423, /* 743424 */ - 744431, /* 744448 */ - 745471, /* 745472 */ - 746483, /* 746496 */ - 747499, /* 747520 */ - 748541, /* 748544 */ - 749557, /* 749568 */ - 750571, /* 750592 */ - 751613, /* 751616 */ - 752639, /* 752640 
*/ - 753659, /* 753664 */ - 754651, /* 754688 */ - 755707, /* 755712 */ - 756727, /* 756736 */ - 757753, /* 757760 */ - 758783, /* 758784 */ - 759799, /* 759808 */ - 760813, /* 760832 */ - 761833, /* 761856 */ - 762877, /* 762880 */ - 763901, /* 763904 */ - 764903, /* 764928 */ - 765949, /* 765952 */ - 766967, /* 766976 */ - 767957, /* 768000 */ - 769019, /* 769024 */ - 770047, /* 770048 */ - 771049, /* 771072 */ - 772091, /* 772096 */ - 773117, /* 773120 */ - 774143, /* 774144 */ - 775163, /* 775168 */ - 776183, /* 776192 */ - 777209, /* 777216 */ - 778237, /* 778240 */ - 779249, /* 779264 */ - 780287, /* 780288 */ - 781309, /* 781312 */ - 782329, /* 782336 */ - 783359, /* 783360 */ - 784379, /* 784384 */ - 785377, /* 785408 */ - 786431, /* 786432 */ - 787447, /* 787456 */ - 788479, /* 788480 */ - 789493, /* 789504 */ - 790523, /* 790528 */ - 791543, /* 791552 */ - 792563, /* 792576 */ - 793591, /* 793600 */ - 794593, /* 794624 */ - 795647, /* 795648 */ - 796657, /* 796672 */ - 797689, /* 797696 */ - 798713, /* 798720 */ - 799741, /* 799744 */ - 800759, /* 800768 */ - 801791, /* 801792 */ - 802811, /* 802816 */ - 803819, /* 803840 */ - 804857, /* 804864 */ - 805877, /* 805888 */ - 806903, /* 806912 */ - 807931, /* 807936 */ - 808957, /* 808960 */ - 809983, /* 809984 */ - 810989, /* 811008 */ - 812011, /* 812032 */ - 813049, /* 813056 */ - 814069, /* 814080 */ - 815063, /* 815104 */ - 816121, /* 816128 */ - 817151, /* 817152 */ - 818173, /* 818176 */ - 819187, /* 819200 */ - 820223, /* 820224 */ - 821209, /* 821248 */ - 822259, /* 822272 */ - 823283, /* 823296 */ - 824287, /* 824320 */ - 825343, /* 825344 */ - 826363, /* 826368 */ - 827389, /* 827392 */ - 828409, /* 828416 */ - 829399, /* 829440 */ - 830449, /* 830464 */ - 831461, /* 831488 */ - 832499, /* 832512 */ - 833509, /* 833536 */ - 834527, /* 834560 */ - 835559, /* 835584 */ - 836573, /* 836608 */ - 837631, /* 837632 */ - 838633, /* 838656 */ - 839669, /* 839680 */ - 840703, /* 840704 */ - 841727, /* 
841728 */ - 842747, /* 842752 */ - 843763, /* 843776 */ - 844777, /* 844800 */ - 845809, /* 845824 */ - 846841, /* 846848 */ - 847871, /* 847872 */ - 848893, /* 848896 */ - 849917, /* 849920 */ - 850943, /* 850944 */ - 851957, /* 851968 */ - 852989, /* 852992 */ - 853999, /* 854016 */ - 855031, /* 855040 */ - 856061, /* 856064 */ - 857083, /* 857088 */ - 858103, /* 858112 */ - 859121, /* 859136 */ - 860143, /* 860160 */ - 861167, /* 861184 */ - 862207, /* 862208 */ - 863231, /* 863232 */ - 864251, /* 864256 */ - 865261, /* 865280 */ - 866293, /* 866304 */ - 867319, /* 867328 */ - 868349, /* 868352 */ - 869371, /* 869376 */ - 870391, /* 870400 */ - 871393, /* 871424 */ - 872441, /* 872448 */ - 873469, /* 873472 */ - 874487, /* 874496 */ - 875519, /* 875520 */ - 876529, /* 876544 */ - 877567, /* 877568 */ - 878573, /* 878592 */ - 879607, /* 879616 */ - 880603, /* 880640 */ - 881663, /* 881664 */ - 882659, /* 882688 */ - 883703, /* 883712 */ - 884717, /* 884736 */ - 885737, /* 885760 */ - 886777, /* 886784 */ - 887759, /* 887808 */ - 888827, /* 888832 */ - 889829, /* 889856 */ - 890867, /* 890880 */ - 891899, /* 891904 */ - 892919, /* 892928 */ - 893939, /* 893952 */ - 894973, /* 894976 */ - 895987, /* 896000 */ - 897019, /* 897024 */ - 898033, /* 898048 */ - 899069, /* 899072 */ - 900091, /* 900096 */ - 901111, /* 901120 */ - 902141, /* 902144 */ - 903163, /* 903168 */ - 904181, /* 904192 */ - 905213, /* 905216 */ - 906233, /* 906240 */ - 907259, /* 907264 */ - 908287, /* 908288 */ - 909301, /* 909312 */ - 910307, /* 910336 */ - 911359, /* 911360 */ - 912367, /* 912384 */ - 913397, /* 913408 */ - 914429, /* 914432 */ - 915451, /* 915456 */ - 916477, /* 916480 */ - 917503, /* 917504 */ - 918497, /* 918528 */ - 919531, /* 919552 */ - 920561, /* 920576 */ - 921589, /* 921600 */ - 922619, /* 922624 */ - 923641, /* 923648 */ - 924661, /* 924672 */ - 925679, /* 925696 */ - 926707, /* 926720 */ - 927743, /* 927744 */ - 928703, /* 928768 */ - 929791, /* 929792 */ - 930779, 
/* 930816 */ - 931837, /* 931840 */ - 932863, /* 932864 */ - 933883, /* 933888 */ - 934909, /* 934912 */ - 935903, /* 935936 */ - 936953, /* 936960 */ - 937969, /* 937984 */ - 939007, /* 939008 */ - 940031, /* 940032 */ - 941041, /* 941056 */ - 942079, /* 942080 */ - 943097, /* 943104 */ - 944123, /* 944128 */ - 945151, /* 945152 */ - 946163, /* 946176 */ - 947197, /* 947200 */ - 948187, /* 948224 */ - 949243, /* 949248 */ - 950269, /* 950272 */ - 951283, /* 951296 */ - 952313, /* 952320 */ - 953341, /* 953344 */ - 954367, /* 954368 */ - 955391, /* 955392 */ - 956401, /* 956416 */ - 957433, /* 957440 */ - 958459, /* 958464 */ - 959479, /* 959488 */ - 960499, /* 960512 */ - 961531, /* 961536 */ - 962543, /* 962560 */ - 963581, /* 963584 */ - 964589, /* 964608 */ - 965623, /* 965632 */ - 966653, /* 966656 */ - 967667, /* 967680 */ - 968699, /* 968704 */ - 969721, /* 969728 */ - 970747, /* 970752 */ - 971767, /* 971776 */ - 972799, /* 972800 */ - 973823, /* 973824 */ - 974837, /* 974848 */ - 975869, /* 975872 */ - 976883, /* 976896 */ - 977897, /* 977920 */ - 978931, /* 978944 */ - 979949, /* 979968 */ - 980963, /* 980992 */ - 981983, /* 982016 */ - 982981, /* 983040 */ - 984059, /* 984064 */ - 985079, /* 985088 */ - 986101, /* 986112 */ - 987127, /* 987136 */ - 988157, /* 988160 */ - 989173, /* 989184 */ - 990181, /* 990208 */ - 991229, /* 991232 */ - 992249, /* 992256 */ - 993269, /* 993280 */ - 994303, /* 994304 */ - 995327, /* 995328 */ - 996329, /* 996352 */ - 997369, /* 997376 */ - 998399, /* 998400 */ - 999389, /* 999424 */ - 1000429, /* 1000448 */ - 1001467, /* 1001472 */ - 1002493, /* 1002496 */ - 1003517, /* 1003520 */ - 1004537, /* 1004544 */ - 1005553, /* 1005568 */ - 1006589, /* 1006592 */ - 1007609, /* 1007616 */ - 1008617, /* 1008640 */ - 1009651, /* 1009664 */ - 1010687, /* 1010688 */ - 1011697, /* 1011712 */ - 1012733, /* 1012736 */ - 1013741, /* 1013760 */ - 1014779, /* 1014784 */ - 1015769, /* 1015808 */ - 1016789, /* 1016832 */ - 1017851, /* 
1017856 */ - 1018879, /* 1018880 */ - 1019903, /* 1019904 */ - 1020913, /* 1020928 */ - 1021919, /* 1021952 */ - 1022963, /* 1022976 */ - 1023991, /* 1024000 */ - 1025021, /* 1025024 */ - 1026043, /* 1026048 */ - 1027067, /* 1027072 */ - 1028089, /* 1028096 */ - 1029113, /* 1029120 */ - 1030121, /* 1030144 */ - 1031161, /* 1031168 */ - 1032191, /* 1032192 */ - 1033189, /* 1033216 */ - 1034239, /* 1034240 */ - 1035263, /* 1035264 */ - 1036271, /* 1036288 */ - 1037303, /* 1037312 */ - 1038329, /* 1038336 */ - 1039351, /* 1039360 */ - 1040381, /* 1040384 */ - 1041373, /* 1041408 */ - 1042427, /* 1042432 */ - 1043453, /* 1043456 */ - 1044479, /* 1044480 */ - 1045493, /* 1045504 */ - 1046527, /* 1046528 */ - 1047551, /* 1047552 */ + 1021, /* 1024 */ + 2039, /* 2048 */ + 3067, /* 3072 */ + 4093, /* 4096 */ + 5119, /* 5120 */ + 6143, /* 6144 */ + 7159, /* 7168 */ + 8191, /* 8192 */ + 9209, /* 9216 */ + 10223, /* 10240 */ + 11261, /* 11264 */ + 12281, /* 12288 */ + 13309, /* 13312 */ + 14327, /* 14336 */ + 15359, /* 15360 */ + 16381, /* 16384 */ + 17401, /* 17408 */ + 18427, /* 18432 */ + 19447, /* 19456 */ + 20479, /* 20480 */ + 21503, /* 21504 */ + 22511, /* 22528 */ + 23549, /* 23552 */ + 24571, /* 24576 */ + 25589, /* 25600 */ + 26597, /* 26624 */ + 27647, /* 27648 */ + 28669, /* 28672 */ + 29683, /* 29696 */ + 30713, /* 30720 */ + 31741, /* 31744 */ + 32749, /* 32768 */ + 33791, /* 33792 */ + 34807, /* 34816 */ + 35839, /* 35840 */ + 36857, /* 36864 */ + 37879, /* 37888 */ + 38903, /* 38912 */ + 39929, /* 39936 */ + 40949, /* 40960 */ + 41983, /* 41984 */ + 43003, /* 43008 */ + 44029, /* 44032 */ + 45053, /* 45056 */ + 46073, /* 46080 */ + 47093, /* 47104 */ + 48121, /* 48128 */ + 49139, /* 49152 */ + 50159, /* 50176 */ + 51199, /* 51200 */ + 52223, /* 52224 */ + 53239, /* 53248 */ + 54269, /* 54272 */ + 55291, /* 55296 */ + 56311, /* 56320 */ + 57331, /* 57344 */ + 58367, /* 58368 */ + 59387, /* 59392 */ + 60413, /* 60416 */ + 61417, /* 61440 */ + 62459, /* 62464 */ 
+ 63487, /* 63488 */ + 64499, /* 64512 */ + 65521, /* 65536 */ + 66553, /* 66560 */ + 67579, /* 67584 */ + 68597, /* 68608 */ + 69623, /* 69632 */ + 70639, /* 70656 */ + 71671, /* 71680 */ + 72701, /* 72704 */ + 73727, /* 73728 */ + 74747, /* 74752 */ + 75773, /* 75776 */ + 76781, /* 76800 */ + 77813, /* 77824 */ + 78839, /* 78848 */ + 79867, /* 79872 */ + 80863, /* 80896 */ + 81919, /* 81920 */ + 82939, /* 82944 */ + 83939, /* 83968 */ + 84991, /* 84992 */ + 86011, /* 86016 */ + 87037, /* 87040 */ + 88037, /* 88064 */ + 89087, /* 89088 */ + 90107, /* 90112 */ + 91129, /* 91136 */ + 92153, /* 92160 */ + 93179, /* 93184 */ + 94207, /* 94208 */ + 95231, /* 95232 */ + 96233, /* 96256 */ + 97259, /* 97280 */ + 98299, /* 98304 */ + 99317, /* 99328 */ + 100343, /* 100352 */ + 101363, /* 101376 */ + 102397, /* 102400 */ + 103423, /* 103424 */ + 104417, /* 104448 */ + 105467, /* 105472 */ + 106487, /* 106496 */ + 107509, /* 107520 */ + 108541, /* 108544 */ + 109567, /* 109568 */ + 110587, /* 110592 */ + 111611, /* 111616 */ + 112621, /* 112640 */ + 113657, /* 113664 */ + 114679, /* 114688 */ + 115693, /* 115712 */ + 116731, /* 116736 */ + 117757, /* 117760 */ + 118757, /* 118784 */ + 119797, /* 119808 */ + 120829, /* 120832 */ + 121853, /* 121856 */ + 122869, /* 122880 */ + 123887, /* 123904 */ + 124919, /* 124928 */ + 125941, /* 125952 */ + 126967, /* 126976 */ + 127997, /* 128000 */ + 129023, /* 129024 */ + 130043, /* 130048 */ + 131071, /* 131072 */ + 132071, /* 132096 */ + 133117, /* 133120 */ + 134129, /* 134144 */ + 135151, /* 135168 */ + 136189, /* 136192 */ + 137209, /* 137216 */ + 138239, /* 138240 */ + 139241, /* 139264 */ + 140281, /* 140288 */ + 141311, /* 141312 */ + 142327, /* 142336 */ + 143357, /* 143360 */ + 144383, /* 144384 */ + 145399, /* 145408 */ + 146423, /* 146432 */ + 147451, /* 147456 */ + 148471, /* 148480 */ + 149503, /* 149504 */ + 150523, /* 150528 */ + 151549, /* 151552 */ + 152567, /* 152576 */ + 153589, /* 153600 */ + 154621, /* 154624 */ + 
155627, /* 155648 */ + 156671, /* 156672 */ + 157679, /* 157696 */ + 158699, /* 158720 */ + 159739, /* 159744 */ + 160757, /* 160768 */ + 161783, /* 161792 */ + 162791, /* 162816 */ + 163819, /* 163840 */ + 164839, /* 164864 */ + 165887, /* 165888 */ + 166909, /* 166912 */ + 167917, /* 167936 */ + 168943, /* 168960 */ + 169957, /* 169984 */ + 171007, /* 171008 */ + 172031, /* 172032 */ + 173053, /* 173056 */ + 174079, /* 174080 */ + 175103, /* 175104 */ + 176123, /* 176128 */ + 177131, /* 177152 */ + 178169, /* 178176 */ + 179173, /* 179200 */ + 180221, /* 180224 */ + 181243, /* 181248 */ + 182261, /* 182272 */ + 183289, /* 183296 */ + 184309, /* 184320 */ + 185327, /* 185344 */ + 186343, /* 186368 */ + 187387, /* 187392 */ + 188407, /* 188416 */ + 189439, /* 189440 */ + 190409, /* 190464 */ + 191473, /* 191488 */ + 192499, /* 192512 */ + 193513, /* 193536 */ + 194543, /* 194560 */ + 195581, /* 195584 */ + 196597, /* 196608 */ + 197621, /* 197632 */ + 198647, /* 198656 */ + 199679, /* 199680 */ + 200699, /* 200704 */ + 201709, /* 201728 */ + 202751, /* 202752 */ + 203773, /* 203776 */ + 204797, /* 204800 */ + 205823, /* 205824 */ + 206827, /* 206848 */ + 207869, /* 207872 */ + 208891, /* 208896 */ + 209917, /* 209920 */ + 210943, /* 210944 */ + 211949, /* 211968 */ + 212987, /* 212992 */ + 214009, /* 214016 */ + 214993, /* 215040 */ + 216061, /* 216064 */ + 217081, /* 217088 */ + 218111, /* 218112 */ + 219133, /* 219136 */ + 220151, /* 220160 */ + 221173, /* 221184 */ + 222199, /* 222208 */ + 223229, /* 223232 */ + 224251, /* 224256 */ + 225263, /* 225280 */ + 226283, /* 226304 */ + 227303, /* 227328 */ + 228341, /* 228352 */ + 229373, /* 229376 */ + 230393, /* 230400 */ + 231419, /* 231424 */ + 232439, /* 232448 */ + 233437, /* 233472 */ + 234473, /* 234496 */ + 235519, /* 235520 */ + 236527, /* 236544 */ + 237563, /* 237568 */ + 238591, /* 238592 */ + 239611, /* 239616 */ + 240631, /* 240640 */ + 241663, /* 241664 */ + 242681, /* 242688 */ + 243709, /* 243712 */ 
+ 244733, /* 244736 */ + 245759, /* 245760 */ + 246781, /* 246784 */ + 247799, /* 247808 */ + 248827, /* 248832 */ + 249853, /* 249856 */ + 250871, /* 250880 */ + 251903, /* 251904 */ + 252919, /* 252928 */ + 253951, /* 253952 */ + 254971, /* 254976 */ + 255989, /* 256000 */ + 257017, /* 257024 */ + 258031, /* 258048 */ + 259033, /* 259072 */ + 260089, /* 260096 */ + 261101, /* 261120 */ + 262139, /* 262144 */ + 263167, /* 263168 */ + 264179, /* 264192 */ + 265207, /* 265216 */ + 266239, /* 266240 */ + 267259, /* 267264 */ + 268283, /* 268288 */ + 269281, /* 269312 */ + 270329, /* 270336 */ + 271357, /* 271360 */ + 272383, /* 272384 */ + 273367, /* 273408 */ + 274423, /* 274432 */ + 275453, /* 275456 */ + 276467, /* 276480 */ + 277499, /* 277504 */ + 278503, /* 278528 */ + 279551, /* 279552 */ + 280561, /* 280576 */ + 281581, /* 281600 */ + 282617, /* 282624 */ + 283639, /* 283648 */ + 284659, /* 284672 */ + 285673, /* 285696 */ + 286711, /* 286720 */ + 287731, /* 287744 */ + 288767, /* 288768 */ + 289789, /* 289792 */ + 290803, /* 290816 */ + 291833, /* 291840 */ + 292849, /* 292864 */ + 293863, /* 293888 */ + 294911, /* 294912 */ + 295909, /* 295936 */ + 296941, /* 296960 */ + 297971, /* 297984 */ + 298999, /* 299008 */ + 300023, /* 300032 */ + 301051, /* 301056 */ + 302053, /* 302080 */ + 303097, /* 303104 */ + 304127, /* 304128 */ + 305147, /* 305152 */ + 306169, /* 306176 */ + 307189, /* 307200 */ + 308219, /* 308224 */ + 309241, /* 309248 */ + 310243, /* 310272 */ + 311293, /* 311296 */ + 312313, /* 312320 */ + 313343, /* 313344 */ + 314359, /* 314368 */ + 315389, /* 315392 */ + 316403, /* 316416 */ + 317437, /* 317440 */ + 318457, /* 318464 */ + 319483, /* 319488 */ + 320483, /* 320512 */ + 321509, /* 321536 */ + 322559, /* 322560 */ + 323581, /* 323584 */ + 324593, /* 324608 */ + 325631, /* 325632 */ + 326633, /* 326656 */ + 327673, /* 327680 */ + 328687, /* 328704 */ + 329723, /* 329728 */ + 330749, /* 330752 */ + 331769, /* 331776 */ + 332791, /* 332800 
*/ + 333821, /* 333824 */ + 334843, /* 334848 */ + 335857, /* 335872 */ + 336887, /* 336896 */ + 337919, /* 337920 */ + 338927, /* 338944 */ + 339959, /* 339968 */ + 340979, /* 340992 */ + 341993, /* 342016 */ + 343037, /* 343040 */ + 344053, /* 344064 */ + 345067, /* 345088 */ + 346111, /* 346112 */ + 347131, /* 347136 */ + 348149, /* 348160 */ + 349183, /* 349184 */ + 350191, /* 350208 */ + 351229, /* 351232 */ + 352249, /* 352256 */ + 353263, /* 353280 */ + 354301, /* 354304 */ + 355321, /* 355328 */ + 356351, /* 356352 */ + 357359, /* 357376 */ + 358373, /* 358400 */ + 359419, /* 359424 */ + 360439, /* 360448 */ + 361469, /* 361472 */ + 362473, /* 362496 */ + 363497, /* 363520 */ + 364543, /* 364544 */ + 365567, /* 365568 */ + 366547, /* 366592 */ + 367613, /* 367616 */ + 368633, /* 368640 */ + 369661, /* 369664 */ + 370687, /* 370688 */ + 371699, /* 371712 */ + 372733, /* 372736 */ + 373757, /* 373760 */ + 374783, /* 374784 */ + 375799, /* 375808 */ + 376823, /* 376832 */ + 377851, /* 377856 */ + 378869, /* 378880 */ + 379903, /* 379904 */ + 380917, /* 380928 */ + 381949, /* 381952 */ + 382961, /* 382976 */ + 383987, /* 384000 */ + 385013, /* 385024 */ + 386047, /* 386048 */ + 387071, /* 387072 */ + 388081, /* 388096 */ + 389117, /* 389120 */ + 390119, /* 390144 */ + 391163, /* 391168 */ + 392177, /* 392192 */ + 393209, /* 393216 */ + 394223, /* 394240 */ + 395261, /* 395264 */ + 396269, /* 396288 */ + 397303, /* 397312 */ + 398323, /* 398336 */ + 399353, /* 399360 */ + 400381, /* 400384 */ + 401407, /* 401408 */ + 402419, /* 402432 */ + 403439, /* 403456 */ + 404461, /* 404480 */ + 405499, /* 405504 */ + 406517, /* 406528 */ + 407527, /* 407552 */ + 408563, /* 408576 */ + 409597, /* 409600 */ + 410623, /* 410624 */ + 411641, /* 411648 */ + 412667, /* 412672 */ + 413689, /* 413696 */ + 414709, /* 414720 */ + 415729, /* 415744 */ + 416761, /* 416768 */ + 417773, /* 417792 */ + 418813, /* 418816 */ + 419831, /* 419840 */ + 420859, /* 420864 */ + 421847, /* 
421888 */ + 422911, /* 422912 */ + 423931, /* 423936 */ + 424939, /* 424960 */ + 425977, /* 425984 */ + 427001, /* 427008 */ + 428027, /* 428032 */ + 429043, /* 429056 */ + 430061, /* 430080 */ + 431099, /* 431104 */ + 432121, /* 432128 */ + 433151, /* 433152 */ + 434167, /* 434176 */ + 435191, /* 435200 */ + 436217, /* 436224 */ + 437243, /* 437248 */ + 438271, /* 438272 */ + 439289, /* 439296 */ + 440311, /* 440320 */ + 441319, /* 441344 */ + 442367, /* 442368 */ + 443389, /* 443392 */ + 444403, /* 444416 */ + 445433, /* 445440 */ + 446461, /* 446464 */ + 447481, /* 447488 */ + 448451, /* 448512 */ + 449473, /* 449536 */ + 450557, /* 450560 */ + 451579, /* 451584 */ + 452597, /* 452608 */ + 453631, /* 453632 */ + 454637, /* 454656 */ + 455659, /* 455680 */ + 456697, /* 456704 */ + 457711, /* 457728 */ + 458747, /* 458752 */ + 459763, /* 459776 */ + 460793, /* 460800 */ + 461819, /* 461824 */ + 462841, /* 462848 */ + 463867, /* 463872 */ + 464879, /* 464896 */ + 465917, /* 465920 */ + 466919, /* 466944 */ + 467963, /* 467968 */ + 468983, /* 468992 */ + 469993, /* 470016 */ + 471007, /* 471040 */ + 472063, /* 472064 */ + 473027, /* 473088 */ + 474101, /* 474112 */ + 475109, /* 475136 */ + 476143, /* 476160 */ + 477163, /* 477184 */ + 478207, /* 478208 */ + 479231, /* 479232 */ + 480209, /* 480256 */ + 481249, /* 481280 */ + 482281, /* 482304 */ + 483323, /* 483328 */ + 484339, /* 484352 */ + 485371, /* 485376 */ + 486397, /* 486400 */ + 487423, /* 487424 */ + 488441, /* 488448 */ + 489457, /* 489472 */ + 490493, /* 490496 */ + 491503, /* 491520 */ + 492523, /* 492544 */ + 493567, /* 493568 */ + 494591, /* 494592 */ + 495613, /* 495616 */ + 496631, /* 496640 */ + 497663, /* 497664 */ + 498679, /* 498688 */ + 499711, /* 499712 */ + 500729, /* 500736 */ + 501731, /* 501760 */ + 502781, /* 502784 */ + 503803, /* 503808 */ + 504821, /* 504832 */ + 505823, /* 505856 */ + 506873, /* 506880 */ + 507901, /* 507904 */ + 508919, /* 508928 */ + 509947, /* 509952 */ + 510943, 
/* 510976 */ + 511997, /* 512000 */ + 513017, /* 513024 */ + 514021, /* 514048 */ + 515041, /* 515072 */ + 516091, /* 516096 */ + 517091, /* 517120 */ + 518137, /* 518144 */ + 519161, /* 519168 */ + 520151, /* 520192 */ + 521201, /* 521216 */ + 522239, /* 522240 */ + 523261, /* 523264 */ + 524287, /* 524288 */ + 525299, /* 525312 */ + 526307, /* 526336 */ + 527353, /* 527360 */ + 528383, /* 528384 */ + 529393, /* 529408 */ + 530429, /* 530432 */ + 531383, /* 531456 */ + 532453, /* 532480 */ + 533459, /* 533504 */ + 534511, /* 534528 */ + 535547, /* 535552 */ + 536563, /* 536576 */ + 537599, /* 537600 */ + 538621, /* 538624 */ + 539641, /* 539648 */ + 540629, /* 540672 */ + 541693, /* 541696 */ + 542719, /* 542720 */ + 543713, /* 543744 */ + 544759, /* 544768 */ + 545791, /* 545792 */ + 546781, /* 546816 */ + 547831, /* 547840 */ + 548861, /* 548864 */ + 549883, /* 549888 */ + 550909, /* 550912 */ + 551933, /* 551936 */ + 552917, /* 552960 */ + 553981, /* 553984 */ + 554977, /* 555008 */ + 556027, /* 556032 */ + 557041, /* 557056 */ + 558067, /* 558080 */ + 559099, /* 559104 */ + 560123, /* 560128 */ + 561109, /* 561152 */ + 562169, /* 562176 */ + 563197, /* 563200 */ + 564197, /* 564224 */ + 565247, /* 565248 */ + 566233, /* 566272 */ + 567277, /* 567296 */ + 568303, /* 568320 */ + 569323, /* 569344 */ + 570359, /* 570368 */ + 571381, /* 571392 */ + 572399, /* 572416 */ + 573437, /* 573440 */ + 574439, /* 574464 */ + 575479, /* 575488 */ + 576509, /* 576512 */ + 577531, /* 577536 */ + 578537, /* 578560 */ + 579583, /* 579584 */ + 580607, /* 580608 */ + 581617, /* 581632 */ + 582649, /* 582656 */ + 583673, /* 583680 */ + 584699, /* 584704 */ + 585727, /* 585728 */ + 586741, /* 586752 */ + 587773, /* 587776 */ + 588779, /* 588800 */ + 589811, /* 589824 */ + 590839, /* 590848 */ + 591863, /* 591872 */ + 592877, /* 592896 */ + 593903, /* 593920 */ + 594931, /* 594944 */ + 595967, /* 595968 */ + 596987, /* 596992 */ + 598007, /* 598016 */ + 599023, /* 599040 */ + 
600053, /* 600064 */ + 601079, /* 601088 */ + 602111, /* 602112 */ + 603133, /* 603136 */ + 604073, /* 604160 */ + 605177, /* 605184 */ + 606181, /* 606208 */ + 607219, /* 607232 */ + 608213, /* 608256 */ + 609277, /* 609280 */ + 610301, /* 610304 */ + 611323, /* 611328 */ + 612349, /* 612352 */ + 613367, /* 613376 */ + 614387, /* 614400 */ + 615413, /* 615424 */ + 616439, /* 616448 */ + 617471, /* 617472 */ + 618463, /* 618496 */ + 619511, /* 619520 */ + 620531, /* 620544 */ + 621541, /* 621568 */ + 622577, /* 622592 */ + 623591, /* 623616 */ + 624607, /* 624640 */ + 625663, /* 625664 */ + 626687, /* 626688 */ + 627709, /* 627712 */ + 628721, /* 628736 */ + 629747, /* 629760 */ + 630737, /* 630784 */ + 631789, /* 631808 */ + 632813, /* 632832 */ + 633833, /* 633856 */ + 634871, /* 634880 */ + 635893, /* 635904 */ + 636919, /* 636928 */ + 637939, /* 637952 */ + 638971, /* 638976 */ + 639997, /* 640000 */ + 640993, /* 641024 */ + 642013, /* 642048 */ + 643061, /* 643072 */ + 644089, /* 644096 */ + 645097, /* 645120 */ + 646103, /* 646144 */ + 647161, /* 647168 */ + 648191, /* 648192 */ + 649183, /* 649216 */ + 650227, /* 650240 */ + 651257, /* 651264 */ + 652283, /* 652288 */ + 653311, /* 653312 */ + 654323, /* 654336 */ + 655357, /* 655360 */ + 656377, /* 656384 */ + 657403, /* 657408 */ + 658417, /* 658432 */ + 659453, /* 659456 */ + 660449, /* 660480 */ + 661483, /* 661504 */ + 662527, /* 662528 */ + 663547, /* 663552 */ + 664571, /* 664576 */ + 665591, /* 665600 */ + 666607, /* 666624 */ + 667643, /* 667648 */ + 668671, /* 668672 */ + 669689, /* 669696 */ + 670711, /* 670720 */ + 671743, /* 671744 */ + 672767, /* 672768 */ + 673787, /* 673792 */ + 674813, /* 674816 */ + 675839, /* 675840 */ + 676861, /* 676864 */ + 677857, /* 677888 */ + 678907, /* 678912 */ + 679933, /* 679936 */ + 680959, /* 680960 */ + 681983, /* 681984 */ + 683003, /* 683008 */ + 684017, /* 684032 */ + 685051, /* 685056 */ + 686057, /* 686080 */ + 687101, /* 687104 */ + 688111, /* 688128 */ 
+ 689141, /* 689152 */ + 690163, /* 690176 */ + 691199, /* 691200 */ + 692221, /* 692224 */ + 693223, /* 693248 */ + 694271, /* 694272 */ + 695293, /* 695296 */ + 696317, /* 696320 */ + 697327, /* 697344 */ + 698359, /* 698368 */ + 699383, /* 699392 */ + 700393, /* 700416 */ + 701419, /* 701440 */ + 702451, /* 702464 */ + 703471, /* 703488 */ + 704507, /* 704512 */ + 705533, /* 705536 */ + 706547, /* 706560 */ + 707573, /* 707584 */ + 708601, /* 708608 */ + 709609, /* 709632 */ + 710641, /* 710656 */ + 711679, /* 711680 */ + 712697, /* 712704 */ + 713681, /* 713728 */ + 714751, /* 714752 */ + 715753, /* 715776 */ + 716789, /* 716800 */ + 717817, /* 717824 */ + 718847, /* 718848 */ + 719839, /* 719872 */ + 720887, /* 720896 */ + 721909, /* 721920 */ + 722933, /* 722944 */ + 723967, /* 723968 */ + 724991, /* 724992 */ + 726013, /* 726016 */ + 727021, /* 727040 */ + 728047, /* 728064 */ + 729073, /* 729088 */ + 730111, /* 730112 */ + 731117, /* 731136 */ + 732157, /* 732160 */ + 733177, /* 733184 */ + 734207, /* 734208 */ + 735211, /* 735232 */ + 736249, /* 736256 */ + 737279, /* 737280 */ + 738301, /* 738304 */ + 739327, /* 739328 */ + 740351, /* 740352 */ + 741373, /* 741376 */ + 742393, /* 742400 */ + 743423, /* 743424 */ + 744431, /* 744448 */ + 745471, /* 745472 */ + 746483, /* 746496 */ + 747499, /* 747520 */ + 748541, /* 748544 */ + 749557, /* 749568 */ + 750571, /* 750592 */ + 751613, /* 751616 */ + 752639, /* 752640 */ + 753659, /* 753664 */ + 754651, /* 754688 */ + 755707, /* 755712 */ + 756727, /* 756736 */ + 757753, /* 757760 */ + 758783, /* 758784 */ + 759799, /* 759808 */ + 760813, /* 760832 */ + 761833, /* 761856 */ + 762877, /* 762880 */ + 763901, /* 763904 */ + 764903, /* 764928 */ + 765949, /* 765952 */ + 766967, /* 766976 */ + 767957, /* 768000 */ + 769019, /* 769024 */ + 770047, /* 770048 */ + 771049, /* 771072 */ + 772091, /* 772096 */ + 773117, /* 773120 */ + 774143, /* 774144 */ + 775163, /* 775168 */ + 776183, /* 776192 */ + 777209, /* 777216 
*/ + 778237, /* 778240 */ + 779249, /* 779264 */ + 780287, /* 780288 */ + 781309, /* 781312 */ + 782329, /* 782336 */ + 783359, /* 783360 */ + 784379, /* 784384 */ + 785377, /* 785408 */ + 786431, /* 786432 */ + 787447, /* 787456 */ + 788479, /* 788480 */ + 789493, /* 789504 */ + 790523, /* 790528 */ + 791543, /* 791552 */ + 792563, /* 792576 */ + 793591, /* 793600 */ + 794593, /* 794624 */ + 795647, /* 795648 */ + 796657, /* 796672 */ + 797689, /* 797696 */ + 798713, /* 798720 */ + 799741, /* 799744 */ + 800759, /* 800768 */ + 801791, /* 801792 */ + 802811, /* 802816 */ + 803819, /* 803840 */ + 804857, /* 804864 */ + 805877, /* 805888 */ + 806903, /* 806912 */ + 807931, /* 807936 */ + 808957, /* 808960 */ + 809983, /* 809984 */ + 810989, /* 811008 */ + 812011, /* 812032 */ + 813049, /* 813056 */ + 814069, /* 814080 */ + 815063, /* 815104 */ + 816121, /* 816128 */ + 817151, /* 817152 */ + 818173, /* 818176 */ + 819187, /* 819200 */ + 820223, /* 820224 */ + 821209, /* 821248 */ + 822259, /* 822272 */ + 823283, /* 823296 */ + 824287, /* 824320 */ + 825343, /* 825344 */ + 826363, /* 826368 */ + 827389, /* 827392 */ + 828409, /* 828416 */ + 829399, /* 829440 */ + 830449, /* 830464 */ + 831461, /* 831488 */ + 832499, /* 832512 */ + 833509, /* 833536 */ + 834527, /* 834560 */ + 835559, /* 835584 */ + 836573, /* 836608 */ + 837631, /* 837632 */ + 838633, /* 838656 */ + 839669, /* 839680 */ + 840703, /* 840704 */ + 841727, /* 841728 */ + 842747, /* 842752 */ + 843763, /* 843776 */ + 844777, /* 844800 */ + 845809, /* 845824 */ + 846841, /* 846848 */ + 847871, /* 847872 */ + 848893, /* 848896 */ + 849917, /* 849920 */ + 850943, /* 850944 */ + 851957, /* 851968 */ + 852989, /* 852992 */ + 853999, /* 854016 */ + 855031, /* 855040 */ + 856061, /* 856064 */ + 857083, /* 857088 */ + 858103, /* 858112 */ + 859121, /* 859136 */ + 860143, /* 860160 */ + 861167, /* 861184 */ + 862207, /* 862208 */ + 863231, /* 863232 */ + 864251, /* 864256 */ + 865261, /* 865280 */ + 866293, /* 
866304 */ + 867319, /* 867328 */ + 868349, /* 868352 */ + 869371, /* 869376 */ + 870391, /* 870400 */ + 871393, /* 871424 */ + 872441, /* 872448 */ + 873469, /* 873472 */ + 874487, /* 874496 */ + 875519, /* 875520 */ + 876529, /* 876544 */ + 877567, /* 877568 */ + 878573, /* 878592 */ + 879607, /* 879616 */ + 880603, /* 880640 */ + 881663, /* 881664 */ + 882659, /* 882688 */ + 883703, /* 883712 */ + 884717, /* 884736 */ + 885737, /* 885760 */ + 886777, /* 886784 */ + 887759, /* 887808 */ + 888827, /* 888832 */ + 889829, /* 889856 */ + 890867, /* 890880 */ + 891899, /* 891904 */ + 892919, /* 892928 */ + 893939, /* 893952 */ + 894973, /* 894976 */ + 895987, /* 896000 */ + 897019, /* 897024 */ + 898033, /* 898048 */ + 899069, /* 899072 */ + 900091, /* 900096 */ + 901111, /* 901120 */ + 902141, /* 902144 */ + 903163, /* 903168 */ + 904181, /* 904192 */ + 905213, /* 905216 */ + 906233, /* 906240 */ + 907259, /* 907264 */ + 908287, /* 908288 */ + 909301, /* 909312 */ + 910307, /* 910336 */ + 911359, /* 911360 */ + 912367, /* 912384 */ + 913397, /* 913408 */ + 914429, /* 914432 */ + 915451, /* 915456 */ + 916477, /* 916480 */ + 917503, /* 917504 */ + 918497, /* 918528 */ + 919531, /* 919552 */ + 920561, /* 920576 */ + 921589, /* 921600 */ + 922619, /* 922624 */ + 923641, /* 923648 */ + 924661, /* 924672 */ + 925679, /* 925696 */ + 926707, /* 926720 */ + 927743, /* 927744 */ + 928703, /* 928768 */ + 929791, /* 929792 */ + 930779, /* 930816 */ + 931837, /* 931840 */ + 932863, /* 932864 */ + 933883, /* 933888 */ + 934909, /* 934912 */ + 935903, /* 935936 */ + 936953, /* 936960 */ + 937969, /* 937984 */ + 939007, /* 939008 */ + 940031, /* 940032 */ + 941041, /* 941056 */ + 942079, /* 942080 */ + 943097, /* 943104 */ + 944123, /* 944128 */ + 945151, /* 945152 */ + 946163, /* 946176 */ + 947197, /* 947200 */ + 948187, /* 948224 */ + 949243, /* 949248 */ + 950269, /* 950272 */ + 951283, /* 951296 */ + 952313, /* 952320 */ + 953341, /* 953344 */ + 954367, /* 954368 */ + 955391, 
/* 955392 */ + 956401, /* 956416 */ + 957433, /* 957440 */ + 958459, /* 958464 */ + 959479, /* 959488 */ + 960499, /* 960512 */ + 961531, /* 961536 */ + 962543, /* 962560 */ + 963581, /* 963584 */ + 964589, /* 964608 */ + 965623, /* 965632 */ + 966653, /* 966656 */ + 967667, /* 967680 */ + 968699, /* 968704 */ + 969721, /* 969728 */ + 970747, /* 970752 */ + 971767, /* 971776 */ + 972799, /* 972800 */ + 973823, /* 973824 */ + 974837, /* 974848 */ + 975869, /* 975872 */ + 976883, /* 976896 */ + 977897, /* 977920 */ + 978931, /* 978944 */ + 979949, /* 979968 */ + 980963, /* 980992 */ + 981983, /* 982016 */ + 982981, /* 983040 */ + 984059, /* 984064 */ + 985079, /* 985088 */ + 986101, /* 986112 */ + 987127, /* 987136 */ + 988157, /* 988160 */ + 989173, /* 989184 */ + 990181, /* 990208 */ + 991229, /* 991232 */ + 992249, /* 992256 */ + 993269, /* 993280 */ + 994303, /* 994304 */ + 995327, /* 995328 */ + 996329, /* 996352 */ + 997369, /* 997376 */ + 998399, /* 998400 */ + 999389, /* 999424 */ + 1000429, /* 1000448 */ + 1001467, /* 1001472 */ + 1002493, /* 1002496 */ + 1003517, /* 1003520 */ + 1004537, /* 1004544 */ + 1005553, /* 1005568 */ + 1006589, /* 1006592 */ + 1007609, /* 1007616 */ + 1008617, /* 1008640 */ + 1009651, /* 1009664 */ + 1010687, /* 1010688 */ + 1011697, /* 1011712 */ + 1012733, /* 1012736 */ + 1013741, /* 1013760 */ + 1014779, /* 1014784 */ + 1015769, /* 1015808 */ + 1016789, /* 1016832 */ + 1017851, /* 1017856 */ + 1018879, /* 1018880 */ + 1019903, /* 1019904 */ + 1020913, /* 1020928 */ + 1021919, /* 1021952 */ + 1022963, /* 1022976 */ + 1023991, /* 1024000 */ + 1025021, /* 1025024 */ + 1026043, /* 1026048 */ + 1027067, /* 1027072 */ + 1028089, /* 1028096 */ + 1029113, /* 1029120 */ + 1030121, /* 1030144 */ + 1031161, /* 1031168 */ + 1032191, /* 1032192 */ + 1033189, /* 1033216 */ + 1034239, /* 1034240 */ + 1035263, /* 1035264 */ + 1036271, /* 1036288 */ + 1037303, /* 1037312 */ + 1038329, /* 1038336 */ + 1039351, /* 1039360 */ + 1040381, /* 1040384 
*/ + 1041373, /* 1041408 */ + 1042427, /* 1042432 */ + 1043453, /* 1043456 */ + 1044479, /* 1044480 */ + 1045493, /* 1045504 */ + 1046527, /* 1046528 */ + 1047551, /* 1047552 */ }; /* 0-128M, increments=102400 */ -static +static unsigned prime_table3[1024]={ - 131071, /* 131072 */ - 262139, /* 262144 */ - 393209, /* 393216 */ - 524287, /* 524288 */ - 655357, /* 655360 */ - 786431, /* 786432 */ - 917503, /* 917504 */ - 1048573, /* 1048576 */ - 1179641, /* 1179648 */ - 1310719, /* 1310720 */ - 1441771, /* 1441792 */ - 1572853, /* 1572864 */ - 1703903, /* 1703936 */ - 1835003, /* 1835008 */ - 1966079, /* 1966080 */ - 2097143, /* 2097152 */ - 2228221, /* 2228224 */ - 2359267, /* 2359296 */ - 2490337, /* 2490368 */ - 2621431, /* 2621440 */ - 2752499, /* 2752512 */ - 2883577, /* 2883584 */ - 3014653, /* 3014656 */ - 3145721, /* 3145728 */ - 3276799, /* 3276800 */ - 3407857, /* 3407872 */ - 3538933, /* 3538944 */ - 3670013, /* 3670016 */ - 3801073, /* 3801088 */ - 3932153, /* 3932160 */ - 4063217, /* 4063232 */ - 4194301, /* 4194304 */ - 4325359, /* 4325376 */ - 4456433, /* 4456448 */ - 4587503, /* 4587520 */ - 4718579, /* 4718592 */ - 4849651, /* 4849664 */ - 4980727, /* 4980736 */ - 5111791, /* 5111808 */ - 5242877, /* 5242880 */ - 5373931, /* 5373952 */ - 5505023, /* 5505024 */ - 5636077, /* 5636096 */ - 5767129, /* 5767168 */ - 5898209, /* 5898240 */ - 6029299, /* 6029312 */ - 6160381, /* 6160384 */ - 6291449, /* 6291456 */ - 6422519, /* 6422528 */ - 6553577, /* 6553600 */ - 6684659, /* 6684672 */ - 6815741, /* 6815744 */ - 6946813, /* 6946816 */ - 7077883, /* 7077888 */ - 7208951, /* 7208960 */ - 7340009, /* 7340032 */ - 7471099, /* 7471104 */ - 7602151, /* 7602176 */ - 7733233, /* 7733248 */ - 7864301, /* 7864320 */ - 7995391, /* 7995392 */ - 8126453, /* 8126464 */ - 8257531, /* 8257536 */ - 8388593, /* 8388608 */ - 8519647, /* 8519680 */ - 8650727, /* 8650752 */ - 8781797, /* 8781824 */ - 8912887, /* 8912896 */ - 9043967, /* 9043968 */ - 9175037, /* 9175040 */ - 
9306097, /* 9306112 */ - 9437179, /* 9437184 */ - 9568219, /* 9568256 */ - 9699323, /* 9699328 */ - 9830393, /* 9830400 */ - 9961463, /* 9961472 */ - 10092539, /* 10092544 */ - 10223593, /* 10223616 */ - 10354667, /* 10354688 */ - 10485751, /* 10485760 */ - 10616831, /* 10616832 */ - 10747903, /* 10747904 */ - 10878961, /* 10878976 */ - 11010037, /* 11010048 */ - 11141113, /* 11141120 */ - 11272181, /* 11272192 */ - 11403247, /* 11403264 */ - 11534329, /* 11534336 */ - 11665403, /* 11665408 */ - 11796469, /* 11796480 */ - 11927551, /* 11927552 */ - 12058621, /* 12058624 */ - 12189677, /* 12189696 */ - 12320753, /* 12320768 */ - 12451807, /* 12451840 */ - 12582893, /* 12582912 */ - 12713959, /* 12713984 */ - 12845033, /* 12845056 */ - 12976121, /* 12976128 */ - 13107197, /* 13107200 */ - 13238263, /* 13238272 */ - 13369333, /* 13369344 */ - 13500373, /* 13500416 */ - 13631477, /* 13631488 */ - 13762549, /* 13762560 */ - 13893613, /* 13893632 */ - 14024671, /* 14024704 */ - 14155763, /* 14155776 */ - 14286809, /* 14286848 */ - 14417881, /* 14417920 */ - 14548979, /* 14548992 */ - 14680063, /* 14680064 */ - 14811133, /* 14811136 */ - 14942197, /* 14942208 */ - 15073277, /* 15073280 */ - 15204349, /* 15204352 */ - 15335407, /* 15335424 */ - 15466463, /* 15466496 */ - 15597559, /* 15597568 */ - 15728611, /* 15728640 */ - 15859687, /* 15859712 */ - 15990781, /* 15990784 */ - 16121849, /* 16121856 */ - 16252919, /* 16252928 */ - 16383977, /* 16384000 */ - 16515067, /* 16515072 */ - 16646099, /* 16646144 */ - 16777213, /* 16777216 */ - 16908263, /* 16908288 */ - 17039339, /* 17039360 */ - 17170429, /* 17170432 */ - 17301463, /* 17301504 */ - 17432561, /* 17432576 */ - 17563633, /* 17563648 */ - 17694709, /* 17694720 */ - 17825791, /* 17825792 */ - 17956849, /* 17956864 */ - 18087899, /* 18087936 */ - 18219001, /* 18219008 */ - 18350063, /* 18350080 */ - 18481097, /* 18481152 */ - 18612211, /* 18612224 */ - 18743281, /* 18743296 */ - 18874367, /* 18874368 */ - 19005433, /* 
19005440 */ - 19136503, /* 19136512 */ - 19267561, /* 19267584 */ - 19398647, /* 19398656 */ - 19529717, /* 19529728 */ - 19660799, /* 19660800 */ - 19791869, /* 19791872 */ - 19922923, /* 19922944 */ - 20054011, /* 20054016 */ - 20185051, /* 20185088 */ - 20316151, /* 20316160 */ - 20447191, /* 20447232 */ - 20578297, /* 20578304 */ - 20709347, /* 20709376 */ - 20840429, /* 20840448 */ - 20971507, /* 20971520 */ - 21102583, /* 21102592 */ - 21233651, /* 21233664 */ - 21364727, /* 21364736 */ - 21495797, /* 21495808 */ - 21626819, /* 21626880 */ - 21757951, /* 21757952 */ - 21889019, /* 21889024 */ - 22020091, /* 22020096 */ - 22151167, /* 22151168 */ - 22282199, /* 22282240 */ - 22413289, /* 22413312 */ - 22544351, /* 22544384 */ - 22675403, /* 22675456 */ - 22806521, /* 22806528 */ - 22937591, /* 22937600 */ - 23068667, /* 23068672 */ - 23199731, /* 23199744 */ - 23330773, /* 23330816 */ - 23461877, /* 23461888 */ - 23592937, /* 23592960 */ - 23724031, /* 23724032 */ - 23855101, /* 23855104 */ - 23986159, /* 23986176 */ - 24117217, /* 24117248 */ - 24248299, /* 24248320 */ - 24379391, /* 24379392 */ - 24510463, /* 24510464 */ - 24641479, /* 24641536 */ - 24772603, /* 24772608 */ - 24903667, /* 24903680 */ - 25034731, /* 25034752 */ - 25165813, /* 25165824 */ - 25296893, /* 25296896 */ - 25427957, /* 25427968 */ - 25559033, /* 25559040 */ - 25690097, /* 25690112 */ - 25821179, /* 25821184 */ - 25952243, /* 25952256 */ - 26083273, /* 26083328 */ - 26214379, /* 26214400 */ - 26345471, /* 26345472 */ - 26476543, /* 26476544 */ - 26607611, /* 26607616 */ - 26738687, /* 26738688 */ - 26869753, /* 26869760 */ - 27000817, /* 27000832 */ - 27131903, /* 27131904 */ - 27262931, /* 27262976 */ - 27394019, /* 27394048 */ - 27525109, /* 27525120 */ - 27656149, /* 27656192 */ - 27787213, /* 27787264 */ - 27918323, /* 27918336 */ - 28049407, /* 28049408 */ - 28180459, /* 28180480 */ - 28311541, /* 28311552 */ - 28442551, /* 28442624 */ - 28573673, /* 28573696 */ - 28704749, /* 
28704768 */ - 28835819, /* 28835840 */ - 28966909, /* 28966912 */ - 29097977, /* 29097984 */ - 29229047, /* 29229056 */ - 29360087, /* 29360128 */ - 29491193, /* 29491200 */ - 29622269, /* 29622272 */ - 29753341, /* 29753344 */ - 29884411, /* 29884416 */ - 30015481, /* 30015488 */ - 30146531, /* 30146560 */ - 30277627, /* 30277632 */ - 30408701, /* 30408704 */ - 30539749, /* 30539776 */ - 30670847, /* 30670848 */ - 30801917, /* 30801920 */ - 30932987, /* 30932992 */ - 31064063, /* 31064064 */ - 31195117, /* 31195136 */ - 31326181, /* 31326208 */ - 31457269, /* 31457280 */ - 31588351, /* 31588352 */ - 31719409, /* 31719424 */ - 31850491, /* 31850496 */ - 31981567, /* 31981568 */ - 32112607, /* 32112640 */ - 32243707, /* 32243712 */ - 32374781, /* 32374784 */ - 32505829, /* 32505856 */ - 32636921, /* 32636928 */ - 32767997, /* 32768000 */ - 32899037, /* 32899072 */ - 33030121, /* 33030144 */ - 33161201, /* 33161216 */ - 33292283, /* 33292288 */ - 33423319, /* 33423360 */ - 33554393, /* 33554432 */ - 33685493, /* 33685504 */ - 33816571, /* 33816576 */ - 33947621, /* 33947648 */ - 34078699, /* 34078720 */ - 34209787, /* 34209792 */ - 34340861, /* 34340864 */ - 34471933, /* 34471936 */ - 34602991, /* 34603008 */ - 34734079, /* 34734080 */ - 34865141, /* 34865152 */ - 34996223, /* 34996224 */ - 35127263, /* 35127296 */ - 35258347, /* 35258368 */ - 35389423, /* 35389440 */ - 35520467, /* 35520512 */ - 35651579, /* 35651584 */ - 35782613, /* 35782656 */ - 35913727, /* 35913728 */ - 36044797, /* 36044800 */ - 36175871, /* 36175872 */ - 36306937, /* 36306944 */ - 36438013, /* 36438016 */ - 36569083, /* 36569088 */ - 36700159, /* 36700160 */ - 36831227, /* 36831232 */ - 36962291, /* 36962304 */ - 37093373, /* 37093376 */ - 37224437, /* 37224448 */ - 37355503, /* 37355520 */ - 37486591, /* 37486592 */ - 37617653, /* 37617664 */ - 37748717, /* 37748736 */ - 37879783, /* 37879808 */ - 38010871, /* 38010880 */ - 38141951, /* 38141952 */ - 38273023, /* 38273024 */ - 38404081, /* 
38404096 */ - 38535151, /* 38535168 */ - 38666219, /* 38666240 */ - 38797303, /* 38797312 */ - 38928371, /* 38928384 */ - 39059431, /* 39059456 */ - 39190519, /* 39190528 */ - 39321599, /* 39321600 */ - 39452671, /* 39452672 */ - 39583727, /* 39583744 */ - 39714799, /* 39714816 */ - 39845887, /* 39845888 */ - 39976939, /* 39976960 */ - 40108027, /* 40108032 */ - 40239103, /* 40239104 */ - 40370173, /* 40370176 */ - 40501231, /* 40501248 */ - 40632313, /* 40632320 */ - 40763369, /* 40763392 */ - 40894457, /* 40894464 */ - 41025499, /* 41025536 */ - 41156569, /* 41156608 */ - 41287651, /* 41287680 */ - 41418739, /* 41418752 */ - 41549803, /* 41549824 */ - 41680871, /* 41680896 */ - 41811949, /* 41811968 */ - 41943023, /* 41943040 */ - 42074101, /* 42074112 */ - 42205183, /* 42205184 */ - 42336253, /* 42336256 */ - 42467317, /* 42467328 */ - 42598397, /* 42598400 */ - 42729437, /* 42729472 */ - 42860537, /* 42860544 */ - 42991609, /* 42991616 */ - 43122683, /* 43122688 */ - 43253759, /* 43253760 */ - 43384813, /* 43384832 */ - 43515881, /* 43515904 */ - 43646963, /* 43646976 */ - 43778011, /* 43778048 */ - 43909111, /* 43909120 */ - 44040187, /* 44040192 */ - 44171261, /* 44171264 */ - 44302303, /* 44302336 */ - 44433391, /* 44433408 */ - 44564461, /* 44564480 */ - 44695549, /* 44695552 */ - 44826611, /* 44826624 */ - 44957687, /* 44957696 */ - 45088739, /* 45088768 */ - 45219827, /* 45219840 */ - 45350869, /* 45350912 */ - 45481973, /* 45481984 */ - 45613039, /* 45613056 */ - 45744121, /* 45744128 */ - 45875191, /* 45875200 */ - 46006249, /* 46006272 */ - 46137319, /* 46137344 */ - 46268381, /* 46268416 */ - 46399471, /* 46399488 */ - 46530557, /* 46530560 */ - 46661627, /* 46661632 */ - 46792699, /* 46792704 */ - 46923761, /* 46923776 */ - 47054809, /* 47054848 */ - 47185907, /* 47185920 */ - 47316991, /* 47316992 */ - 47448061, /* 47448064 */ - 47579131, /* 47579136 */ - 47710207, /* 47710208 */ - 47841257, /* 47841280 */ - 47972341, /* 47972352 */ - 48103417, /* 
48103424 */ - 48234451, /* 48234496 */ - 48365563, /* 48365568 */ - 48496639, /* 48496640 */ - 48627697, /* 48627712 */ - 48758783, /* 48758784 */ - 48889837, /* 48889856 */ - 49020913, /* 49020928 */ - 49151987, /* 49152000 */ - 49283063, /* 49283072 */ - 49414111, /* 49414144 */ - 49545193, /* 49545216 */ - 49676267, /* 49676288 */ - 49807327, /* 49807360 */ - 49938431, /* 49938432 */ - 50069497, /* 50069504 */ - 50200573, /* 50200576 */ - 50331599, /* 50331648 */ - 50462683, /* 50462720 */ - 50593783, /* 50593792 */ - 50724859, /* 50724864 */ - 50855899, /* 50855936 */ - 50987003, /* 50987008 */ - 51118069, /* 51118080 */ - 51249131, /* 51249152 */ - 51380179, /* 51380224 */ - 51511277, /* 51511296 */ - 51642341, /* 51642368 */ - 51773431, /* 51773440 */ - 51904511, /* 51904512 */ - 52035569, /* 52035584 */ - 52166641, /* 52166656 */ - 52297717, /* 52297728 */ - 52428767, /* 52428800 */ - 52559867, /* 52559872 */ - 52690919, /* 52690944 */ - 52821983, /* 52822016 */ - 52953077, /* 52953088 */ - 53084147, /* 53084160 */ - 53215229, /* 53215232 */ - 53346301, /* 53346304 */ - 53477357, /* 53477376 */ - 53608441, /* 53608448 */ - 53739493, /* 53739520 */ - 53870573, /* 53870592 */ - 54001663, /* 54001664 */ - 54132721, /* 54132736 */ - 54263789, /* 54263808 */ - 54394877, /* 54394880 */ - 54525917, /* 54525952 */ - 54656983, /* 54657024 */ - 54788089, /* 54788096 */ - 54919159, /* 54919168 */ - 55050217, /* 55050240 */ - 55181311, /* 55181312 */ - 55312351, /* 55312384 */ - 55443433, /* 55443456 */ - 55574507, /* 55574528 */ - 55705589, /* 55705600 */ - 55836659, /* 55836672 */ - 55967701, /* 55967744 */ - 56098813, /* 56098816 */ - 56229881, /* 56229888 */ - 56360911, /* 56360960 */ - 56491993, /* 56492032 */ - 56623093, /* 56623104 */ - 56754167, /* 56754176 */ - 56885219, /* 56885248 */ - 57016319, /* 57016320 */ - 57147379, /* 57147392 */ - 57278461, /* 57278464 */ - 57409529, /* 57409536 */ - 57540599, /* 57540608 */ - 57671671, /* 57671680 */ - 57802739, /* 
57802752 */ - 57933817, /* 57933824 */ - 58064861, /* 58064896 */ - 58195939, /* 58195968 */ - 58327039, /* 58327040 */ - 58458091, /* 58458112 */ - 58589161, /* 58589184 */ - 58720253, /* 58720256 */ - 58851307, /* 58851328 */ - 58982389, /* 58982400 */ - 59113469, /* 59113472 */ - 59244539, /* 59244544 */ - 59375587, /* 59375616 */ - 59506679, /* 59506688 */ - 59637733, /* 59637760 */ - 59768831, /* 59768832 */ - 59899901, /* 59899904 */ - 60030953, /* 60030976 */ - 60162029, /* 60162048 */ - 60293119, /* 60293120 */ - 60424183, /* 60424192 */ - 60555227, /* 60555264 */ - 60686321, /* 60686336 */ - 60817397, /* 60817408 */ - 60948479, /* 60948480 */ - 61079531, /* 61079552 */ - 61210603, /* 61210624 */ - 61341659, /* 61341696 */ - 61472753, /* 61472768 */ - 61603811, /* 61603840 */ - 61734899, /* 61734912 */ - 61865971, /* 61865984 */ - 61997053, /* 61997056 */ - 62128127, /* 62128128 */ - 62259193, /* 62259200 */ - 62390261, /* 62390272 */ - 62521331, /* 62521344 */ - 62652407, /* 62652416 */ - 62783477, /* 62783488 */ - 62914549, /* 62914560 */ - 63045613, /* 63045632 */ - 63176693, /* 63176704 */ - 63307763, /* 63307776 */ - 63438839, /* 63438848 */ - 63569917, /* 63569920 */ - 63700991, /* 63700992 */ - 63832057, /* 63832064 */ - 63963131, /* 63963136 */ - 64094207, /* 64094208 */ - 64225267, /* 64225280 */ - 64356349, /* 64356352 */ - 64487417, /* 64487424 */ - 64618493, /* 64618496 */ - 64749563, /* 64749568 */ - 64880587, /* 64880640 */ - 65011703, /* 65011712 */ - 65142769, /* 65142784 */ - 65273851, /* 65273856 */ - 65404909, /* 65404928 */ - 65535989, /* 65536000 */ - 65667067, /* 65667072 */ - 65798137, /* 65798144 */ - 65929211, /* 65929216 */ - 66060277, /* 66060288 */ - 66191351, /* 66191360 */ - 66322427, /* 66322432 */ - 66453479, /* 66453504 */ - 66584561, /* 66584576 */ - 66715643, /* 66715648 */ - 66846709, /* 66846720 */ - 66977767, /* 66977792 */ - 67108859, /* 67108864 */ - 67239883, /* 67239936 */ - 67370999, /* 67371008 */ - 67502063, /* 
67502080 */ - 67633127, /* 67633152 */ - 67764223, /* 67764224 */ - 67895251, /* 67895296 */ - 68026363, /* 68026368 */ - 68157433, /* 68157440 */ - 68288503, /* 68288512 */ - 68419567, /* 68419584 */ - 68550631, /* 68550656 */ - 68681719, /* 68681728 */ - 68812769, /* 68812800 */ - 68943851, /* 68943872 */ - 69074933, /* 69074944 */ - 69205987, /* 69206016 */ - 69337087, /* 69337088 */ - 69468151, /* 69468160 */ - 69599221, /* 69599232 */ - 69730303, /* 69730304 */ - 69861331, /* 69861376 */ - 69992443, /* 69992448 */ - 70123513, /* 70123520 */ - 70254563, /* 70254592 */ - 70385641, /* 70385664 */ - 70516729, /* 70516736 */ - 70647793, /* 70647808 */ - 70778861, /* 70778880 */ - 70909933, /* 70909952 */ - 71041021, /* 71041024 */ - 71172091, /* 71172096 */ - 71303153, /* 71303168 */ - 71434229, /* 71434240 */ - 71565283, /* 71565312 */ - 71696363, /* 71696384 */ - 71827423, /* 71827456 */ - 71958521, /* 71958528 */ - 72089573, /* 72089600 */ - 72220663, /* 72220672 */ - 72351733, /* 72351744 */ - 72482807, /* 72482816 */ - 72613861, /* 72613888 */ - 72744937, /* 72744960 */ - 72876031, /* 72876032 */ - 73007089, /* 73007104 */ - 73138171, /* 73138176 */ - 73269247, /* 73269248 */ - 73400311, /* 73400320 */ - 73531379, /* 73531392 */ - 73662461, /* 73662464 */ - 73793521, /* 73793536 */ - 73924583, /* 73924608 */ - 74055637, /* 74055680 */ - 74186747, /* 74186752 */ - 74317801, /* 74317824 */ - 74448877, /* 74448896 */ - 74579951, /* 74579968 */ - 74711027, /* 74711040 */ - 74842099, /* 74842112 */ - 74973181, /* 74973184 */ - 75104243, /* 75104256 */ - 75235327, /* 75235328 */ - 75366397, /* 75366400 */ - 75497467, /* 75497472 */ - 75628513, /* 75628544 */ - 75759613, /* 75759616 */ - 75890653, /* 75890688 */ - 76021661, /* 76021760 */ - 76152821, /* 76152832 */ - 76283897, /* 76283904 */ - 76414973, /* 76414976 */ - 76546039, /* 76546048 */ - 76677113, /* 76677120 */ - 76808119, /* 76808192 */ - 76939253, /* 76939264 */ - 77070317, /* 77070336 */ - 77201347, /* 
77201408 */ - 77332471, /* 77332480 */ - 77463541, /* 77463552 */ - 77594599, /* 77594624 */ - 77725691, /* 77725696 */ - 77856767, /* 77856768 */ - 77987821, /* 77987840 */ - 78118903, /* 78118912 */ - 78249973, /* 78249984 */ - 78381047, /* 78381056 */ - 78512101, /* 78512128 */ - 78643199, /* 78643200 */ - 78774259, /* 78774272 */ - 78905303, /* 78905344 */ - 79036411, /* 79036416 */ - 79167479, /* 79167488 */ - 79298543, /* 79298560 */ - 79429619, /* 79429632 */ - 79560673, /* 79560704 */ - 79691761, /* 79691776 */ - 79822829, /* 79822848 */ - 79953901, /* 79953920 */ - 80084969, /* 80084992 */ - 80216063, /* 80216064 */ - 80347103, /* 80347136 */ - 80478199, /* 80478208 */ - 80609279, /* 80609280 */ - 80740339, /* 80740352 */ - 80871419, /* 80871424 */ - 81002489, /* 81002496 */ - 81133567, /* 81133568 */ - 81264587, /* 81264640 */ - 81395683, /* 81395712 */ - 81526763, /* 81526784 */ - 81657841, /* 81657856 */ - 81788923, /* 81788928 */ - 81919993, /* 81920000 */ - 82051043, /* 82051072 */ - 82182137, /* 82182144 */ - 82313213, /* 82313216 */ - 82444279, /* 82444288 */ - 82575331, /* 82575360 */ - 82706431, /* 82706432 */ - 82837501, /* 82837504 */ - 82968563, /* 82968576 */ - 83099641, /* 83099648 */ - 83230717, /* 83230720 */ - 83361781, /* 83361792 */ - 83492863, /* 83492864 */ - 83623931, /* 83623936 */ - 83754997, /* 83755008 */ - 83886053, /* 83886080 */ - 84017117, /* 84017152 */ - 84148213, /* 84148224 */ - 84279277, /* 84279296 */ - 84410353, /* 84410368 */ - 84541421, /* 84541440 */ - 84672487, /* 84672512 */ - 84803581, /* 84803584 */ - 84934621, /* 84934656 */ - 85065719, /* 85065728 */ - 85196789, /* 85196800 */ - 85327849, /* 85327872 */ - 85458929, /* 85458944 */ - 85589989, /* 85590016 */ - 85721081, /* 85721088 */ - 85852147, /* 85852160 */ - 85983217, /* 85983232 */ - 86114279, /* 86114304 */ - 86245343, /* 86245376 */ - 86376443, /* 86376448 */ - 86507507, /* 86507520 */ - 86638577, /* 86638592 */ - 86769647, /* 86769664 */ - 86900731, /* 
86900736 */ - 87031759, /* 87031808 */ - 87162857, /* 87162880 */ - 87293939, /* 87293952 */ - 87425021, /* 87425024 */ - 87556087, /* 87556096 */ - 87687167, /* 87687168 */ - 87818239, /* 87818240 */ - 87949307, /* 87949312 */ - 88080359, /* 88080384 */ - 88211449, /* 88211456 */ - 88342519, /* 88342528 */ - 88473569, /* 88473600 */ - 88604653, /* 88604672 */ - 88735721, /* 88735744 */ - 88866797, /* 88866816 */ - 88997827, /* 88997888 */ - 89128939, /* 89128960 */ - 89260027, /* 89260032 */ - 89391103, /* 89391104 */ - 89522171, /* 89522176 */ - 89653217, /* 89653248 */ - 89784313, /* 89784320 */ - 89915383, /* 89915392 */ - 90046441, /* 90046464 */ - 90177533, /* 90177536 */ - 90308599, /* 90308608 */ - 90439667, /* 90439680 */ - 90570751, /* 90570752 */ - 90701797, /* 90701824 */ - 90832871, /* 90832896 */ - 90963967, /* 90963968 */ - 91095013, /* 91095040 */ - 91226101, /* 91226112 */ - 91357177, /* 91357184 */ - 91488251, /* 91488256 */ - 91619321, /* 91619328 */ - 91750391, /* 91750400 */ - 91881443, /* 91881472 */ - 92012537, /* 92012544 */ - 92143609, /* 92143616 */ - 92274671, /* 92274688 */ - 92405723, /* 92405760 */ - 92536823, /* 92536832 */ - 92667863, /* 92667904 */ - 92798969, /* 92798976 */ - 92930039, /* 92930048 */ - 93061117, /* 93061120 */ - 93192191, /* 93192192 */ - 93323249, /* 93323264 */ - 93454307, /* 93454336 */ - 93585379, /* 93585408 */ - 93716471, /* 93716480 */ - 93847549, /* 93847552 */ - 93978559, /* 93978624 */ - 94109681, /* 94109696 */ - 94240733, /* 94240768 */ - 94371833, /* 94371840 */ - 94502899, /* 94502912 */ - 94633963, /* 94633984 */ - 94765039, /* 94765056 */ - 94896119, /* 94896128 */ - 95027197, /* 95027200 */ - 95158249, /* 95158272 */ - 95289329, /* 95289344 */ - 95420401, /* 95420416 */ - 95551487, /* 95551488 */ - 95682541, /* 95682560 */ - 95813621, /* 95813632 */ - 95944691, /* 95944704 */ - 96075739, /* 96075776 */ - 96206839, /* 96206848 */ - 96337919, /* 96337920 */ - 96468979, /* 96468992 */ - 96600041, /* 
96600064 */ - 96731101, /* 96731136 */ - 96862169, /* 96862208 */ - 96993269, /* 96993280 */ - 97124347, /* 97124352 */ - 97255409, /* 97255424 */ - 97386467, /* 97386496 */ - 97517543, /* 97517568 */ - 97648637, /* 97648640 */ - 97779701, /* 97779712 */ - 97910759, /* 97910784 */ - 98041831, /* 98041856 */ - 98172887, /* 98172928 */ - 98303999, /* 98304000 */ - 98435063, /* 98435072 */ - 98566121, /* 98566144 */ - 98697187, /* 98697216 */ - 98828281, /* 98828288 */ - 98959337, /* 98959360 */ - 99090427, /* 99090432 */ - 99221489, /* 99221504 */ - 99352567, /* 99352576 */ - 99483647, /* 99483648 */ - 99614689, /* 99614720 */ - 99745787, /* 99745792 */ - 99876851, /* 99876864 */ - 100007927, /* 100007936 */ - 100138979, /* 100139008 */ - 100270069, /* 100270080 */ - 100401139, /* 100401152 */ - 100532207, /* 100532224 */ - 100663291, /* 100663296 */ - 100794319, /* 100794368 */ - 100925431, /* 100925440 */ - 101056507, /* 101056512 */ - 101187577, /* 101187584 */ - 101318647, /* 101318656 */ - 101449717, /* 101449728 */ - 101580793, /* 101580800 */ - 101711839, /* 101711872 */ - 101842931, /* 101842944 */ - 101974009, /* 101974016 */ - 102105049, /* 102105088 */ - 102236149, /* 102236160 */ - 102367189, /* 102367232 */ - 102498301, /* 102498304 */ - 102629369, /* 102629376 */ - 102760387, /* 102760448 */ - 102891499, /* 102891520 */ - 103022537, /* 103022592 */ - 103153649, /* 103153664 */ - 103284733, /* 103284736 */ - 103415791, /* 103415808 */ - 103546879, /* 103546880 */ - 103677949, /* 103677952 */ - 103809011, /* 103809024 */ - 103940093, /* 103940096 */ - 104071157, /* 104071168 */ - 104202233, /* 104202240 */ - 104333311, /* 104333312 */ - 104464369, /* 104464384 */ - 104595397, /* 104595456 */ - 104726527, /* 104726528 */ - 104857589, /* 104857600 */ - 104988641, /* 104988672 */ - 105119741, /* 105119744 */ - 105250811, /* 105250816 */ - 105381841, /* 105381888 */ - 105512951, /* 105512960 */ - 105644029, /* 105644032 */ - 105775079, /* 105775104 */ - 
105906167, /* 105906176 */ - 106037237, /* 106037248 */ - 106168319, /* 106168320 */ - 106299379, /* 106299392 */ - 106430449, /* 106430464 */ - 106561523, /* 106561536 */ - 106692601, /* 106692608 */ - 106823677, /* 106823680 */ - 106954747, /* 106954752 */ - 107085799, /* 107085824 */ - 107216891, /* 107216896 */ - 107347943, /* 107347968 */ - 107479033, /* 107479040 */ - 107610079, /* 107610112 */ - 107741167, /* 107741184 */ - 107872249, /* 107872256 */ - 108003323, /* 108003328 */ - 108134393, /* 108134400 */ - 108265459, /* 108265472 */ - 108396521, /* 108396544 */ - 108527603, /* 108527616 */ - 108658681, /* 108658688 */ - 108789727, /* 108789760 */ - 108920831, /* 108920832 */ - 109051903, /* 109051904 */ - 109182947, /* 109182976 */ - 109314043, /* 109314048 */ - 109445107, /* 109445120 */ - 109576189, /* 109576192 */ - 109707253, /* 109707264 */ - 109838293, /* 109838336 */ - 109969403, /* 109969408 */ - 110100409, /* 110100480 */ - 110231531, /* 110231552 */ - 110362559, /* 110362624 */ - 110493661, /* 110493696 */ - 110624753, /* 110624768 */ - 110755793, /* 110755840 */ - 110886883, /* 110886912 */ - 111017983, /* 111017984 */ - 111148963, /* 111149056 */ - 111280121, /* 111280128 */ - 111411173, /* 111411200 */ - 111542261, /* 111542272 */ - 111673343, /* 111673344 */ - 111804389, /* 111804416 */ - 111935459, /* 111935488 */ - 112066553, /* 112066560 */ - 112197629, /* 112197632 */ - 112328683, /* 112328704 */ - 112459751, /* 112459776 */ - 112590839, /* 112590848 */ - 112721893, /* 112721920 */ - 112852981, /* 112852992 */ - 112984061, /* 112984064 */ - 113115133, /* 113115136 */ - 113246183, /* 113246208 */ - 113377279, /* 113377280 */ - 113508319, /* 113508352 */ - 113639419, /* 113639424 */ - 113770457, /* 113770496 */ - 113901553, /* 113901568 */ - 114032599, /* 114032640 */ - 114163703, /* 114163712 */ - 114294721, /* 114294784 */ - 114425807, /* 114425856 */ - 114556913, /* 114556928 */ - 114687977, /* 114688000 */ - 114819031, /* 114819072 */ 
- 114950131, /* 114950144 */ - 115081189, /* 115081216 */ - 115212287, /* 115212288 */ - 115343341, /* 115343360 */ - 115474417, /* 115474432 */ - 115605467, /* 115605504 */ - 115736539, /* 115736576 */ - 115867627, /* 115867648 */ - 115998719, /* 115998720 */ - 116129789, /* 116129792 */ - 116260849, /* 116260864 */ - 116391917, /* 116391936 */ - 116523007, /* 116523008 */ - 116654077, /* 116654080 */ - 116785133, /* 116785152 */ - 116916223, /* 116916224 */ - 117047291, /* 117047296 */ - 117178367, /* 117178368 */ - 117309421, /* 117309440 */ - 117440509, /* 117440512 */ - 117571523, /* 117571584 */ - 117702649, /* 117702656 */ - 117833711, /* 117833728 */ - 117964793, /* 117964800 */ - 118095853, /* 118095872 */ - 118226893, /* 118226944 */ - 118358003, /* 118358016 */ - 118489081, /* 118489088 */ - 118620143, /* 118620160 */ - 118751207, /* 118751232 */ - 118882279, /* 118882304 */ - 119013347, /* 119013376 */ - 119144447, /* 119144448 */ - 119275511, /* 119275520 */ - 119406587, /* 119406592 */ - 119537653, /* 119537664 */ - 119668723, /* 119668736 */ - 119799803, /* 119799808 */ - 119930873, /* 119930880 */ - 120061951, /* 120061952 */ - 120193019, /* 120193024 */ - 120324077, /* 120324096 */ - 120455147, /* 120455168 */ - 120586231, /* 120586240 */ - 120717307, /* 120717312 */ - 120848353, /* 120848384 */ - 120979447, /* 120979456 */ - 121110523, /* 121110528 */ - 121241597, /* 121241600 */ - 121372649, /* 121372672 */ - 121503737, /* 121503744 */ - 121634801, /* 121634816 */ - 121765871, /* 121765888 */ - 121896949, /* 121896960 */ - 122028019, /* 122028032 */ - 122159101, /* 122159104 */ - 122290171, /* 122290176 */ - 122421241, /* 122421248 */ - 122552317, /* 122552320 */ - 122683391, /* 122683392 */ - 122814463, /* 122814464 */ - 122945527, /* 122945536 */ - 123076601, /* 123076608 */ - 123207677, /* 123207680 */ - 123338737, /* 123338752 */ - 123469783, /* 123469824 */ - 123600857, /* 123600896 */ - 123731963, /* 123731968 */ - 123863023, /* 123863040 
*/ - 123994099, /* 123994112 */ - 124125161, /* 124125184 */ - 124256243, /* 124256256 */ - 124387321, /* 124387328 */ - 124518397, /* 124518400 */ - 124649449, /* 124649472 */ - 124780531, /* 124780544 */ - 124911601, /* 124911616 */ - 125042663, /* 125042688 */ - 125173759, /* 125173760 */ - 125304787, /* 125304832 */ - 125435897, /* 125435904 */ - 125566963, /* 125566976 */ - 125698021, /* 125698048 */ - 125829103, /* 125829120 */ - 125960189, /* 125960192 */ - 126091241, /* 126091264 */ - 126222293, /* 126222336 */ - 126353407, /* 126353408 */ - 126484469, /* 126484480 */ - 126615551, /* 126615552 */ - 126746623, /* 126746624 */ - 126877693, /* 126877696 */ - 127008733, /* 127008768 */ - 127139833, /* 127139840 */ - 127270849, /* 127270912 */ - 127401947, /* 127401984 */ - 127533047, /* 127533056 */ - 127664113, /* 127664128 */ - 127795181, /* 127795200 */ - 127926263, /* 127926272 */ - 128057327, /* 128057344 */ - 128188409, /* 128188416 */ - 128319469, /* 128319488 */ - 128450533, /* 128450560 */ - 128581631, /* 128581632 */ - 128712691, /* 128712704 */ - 128843761, /* 128843776 */ - 128974841, /* 128974848 */ - 129105901, /* 129105920 */ - 129236959, /* 129236992 */ - 129368051, /* 129368064 */ - 129499129, /* 129499136 */ - 129630199, /* 129630208 */ - 129761273, /* 129761280 */ - 129892333, /* 129892352 */ - 130023407, /* 130023424 */ - 130154483, /* 130154496 */ - 130285567, /* 130285568 */ - 130416631, /* 130416640 */ - 130547621, /* 130547712 */ - 130678781, /* 130678784 */ - 130809853, /* 130809856 */ - 130940911, /* 130940928 */ - 131071987, /* 131072000 */ - 131203069, /* 131203072 */ - 131334131, /* 131334144 */ - 131465177, /* 131465216 */ - 131596279, /* 131596288 */ - 131727359, /* 131727360 */ - 131858413, /* 131858432 */ - 131989477, /* 131989504 */ - 132120557, /* 132120576 */ - 132251621, /* 132251648 */ - 132382717, /* 132382720 */ - 132513781, /* 132513792 */ - 132644851, /* 132644864 */ - 132775931, /* 132775936 */ - 132907007, /* 
132907008 */ - 133038053, /* 133038080 */ - 133169137, /* 133169152 */ - 133300207, /* 133300224 */ - 133431293, /* 133431296 */ - 133562329, /* 133562368 */ - 133693433, /* 133693440 */ - 133824503, /* 133824512 */ - 133955581, /* 133955584 */ - 134086639, /* 134086656 */ + 131071, /* 131072 */ + 262139, /* 262144 */ + 393209, /* 393216 */ + 524287, /* 524288 */ + 655357, /* 655360 */ + 786431, /* 786432 */ + 917503, /* 917504 */ + 1048573, /* 1048576 */ + 1179641, /* 1179648 */ + 1310719, /* 1310720 */ + 1441771, /* 1441792 */ + 1572853, /* 1572864 */ + 1703903, /* 1703936 */ + 1835003, /* 1835008 */ + 1966079, /* 1966080 */ + 2097143, /* 2097152 */ + 2228221, /* 2228224 */ + 2359267, /* 2359296 */ + 2490337, /* 2490368 */ + 2621431, /* 2621440 */ + 2752499, /* 2752512 */ + 2883577, /* 2883584 */ + 3014653, /* 3014656 */ + 3145721, /* 3145728 */ + 3276799, /* 3276800 */ + 3407857, /* 3407872 */ + 3538933, /* 3538944 */ + 3670013, /* 3670016 */ + 3801073, /* 3801088 */ + 3932153, /* 3932160 */ + 4063217, /* 4063232 */ + 4194301, /* 4194304 */ + 4325359, /* 4325376 */ + 4456433, /* 4456448 */ + 4587503, /* 4587520 */ + 4718579, /* 4718592 */ + 4849651, /* 4849664 */ + 4980727, /* 4980736 */ + 5111791, /* 5111808 */ + 5242877, /* 5242880 */ + 5373931, /* 5373952 */ + 5505023, /* 5505024 */ + 5636077, /* 5636096 */ + 5767129, /* 5767168 */ + 5898209, /* 5898240 */ + 6029299, /* 6029312 */ + 6160381, /* 6160384 */ + 6291449, /* 6291456 */ + 6422519, /* 6422528 */ + 6553577, /* 6553600 */ + 6684659, /* 6684672 */ + 6815741, /* 6815744 */ + 6946813, /* 6946816 */ + 7077883, /* 7077888 */ + 7208951, /* 7208960 */ + 7340009, /* 7340032 */ + 7471099, /* 7471104 */ + 7602151, /* 7602176 */ + 7733233, /* 7733248 */ + 7864301, /* 7864320 */ + 7995391, /* 7995392 */ + 8126453, /* 8126464 */ + 8257531, /* 8257536 */ + 8388593, /* 8388608 */ + 8519647, /* 8519680 */ + 8650727, /* 8650752 */ + 8781797, /* 8781824 */ + 8912887, /* 8912896 */ + 9043967, /* 9043968 */ + 9175037, /* 
9175040 */ + 9306097, /* 9306112 */ + 9437179, /* 9437184 */ + 9568219, /* 9568256 */ + 9699323, /* 9699328 */ + 9830393, /* 9830400 */ + 9961463, /* 9961472 */ + 10092539, /* 10092544 */ + 10223593, /* 10223616 */ + 10354667, /* 10354688 */ + 10485751, /* 10485760 */ + 10616831, /* 10616832 */ + 10747903, /* 10747904 */ + 10878961, /* 10878976 */ + 11010037, /* 11010048 */ + 11141113, /* 11141120 */ + 11272181, /* 11272192 */ + 11403247, /* 11403264 */ + 11534329, /* 11534336 */ + 11665403, /* 11665408 */ + 11796469, /* 11796480 */ + 11927551, /* 11927552 */ + 12058621, /* 12058624 */ + 12189677, /* 12189696 */ + 12320753, /* 12320768 */ + 12451807, /* 12451840 */ + 12582893, /* 12582912 */ + 12713959, /* 12713984 */ + 12845033, /* 12845056 */ + 12976121, /* 12976128 */ + 13107197, /* 13107200 */ + 13238263, /* 13238272 */ + 13369333, /* 13369344 */ + 13500373, /* 13500416 */ + 13631477, /* 13631488 */ + 13762549, /* 13762560 */ + 13893613, /* 13893632 */ + 14024671, /* 14024704 */ + 14155763, /* 14155776 */ + 14286809, /* 14286848 */ + 14417881, /* 14417920 */ + 14548979, /* 14548992 */ + 14680063, /* 14680064 */ + 14811133, /* 14811136 */ + 14942197, /* 14942208 */ + 15073277, /* 15073280 */ + 15204349, /* 15204352 */ + 15335407, /* 15335424 */ + 15466463, /* 15466496 */ + 15597559, /* 15597568 */ + 15728611, /* 15728640 */ + 15859687, /* 15859712 */ + 15990781, /* 15990784 */ + 16121849, /* 16121856 */ + 16252919, /* 16252928 */ + 16383977, /* 16384000 */ + 16515067, /* 16515072 */ + 16646099, /* 16646144 */ + 16777213, /* 16777216 */ + 16908263, /* 16908288 */ + 17039339, /* 17039360 */ + 17170429, /* 17170432 */ + 17301463, /* 17301504 */ + 17432561, /* 17432576 */ + 17563633, /* 17563648 */ + 17694709, /* 17694720 */ + 17825791, /* 17825792 */ + 17956849, /* 17956864 */ + 18087899, /* 18087936 */ + 18219001, /* 18219008 */ + 18350063, /* 18350080 */ + 18481097, /* 18481152 */ + 18612211, /* 18612224 */ + 18743281, /* 18743296 */ + 18874367, /* 18874368 */ + 
19005433, /* 19005440 */ + 19136503, /* 19136512 */ + 19267561, /* 19267584 */ + 19398647, /* 19398656 */ + 19529717, /* 19529728 */ + 19660799, /* 19660800 */ + 19791869, /* 19791872 */ + 19922923, /* 19922944 */ + 20054011, /* 20054016 */ + 20185051, /* 20185088 */ + 20316151, /* 20316160 */ + 20447191, /* 20447232 */ + 20578297, /* 20578304 */ + 20709347, /* 20709376 */ + 20840429, /* 20840448 */ + 20971507, /* 20971520 */ + 21102583, /* 21102592 */ + 21233651, /* 21233664 */ + 21364727, /* 21364736 */ + 21495797, /* 21495808 */ + 21626819, /* 21626880 */ + 21757951, /* 21757952 */ + 21889019, /* 21889024 */ + 22020091, /* 22020096 */ + 22151167, /* 22151168 */ + 22282199, /* 22282240 */ + 22413289, /* 22413312 */ + 22544351, /* 22544384 */ + 22675403, /* 22675456 */ + 22806521, /* 22806528 */ + 22937591, /* 22937600 */ + 23068667, /* 23068672 */ + 23199731, /* 23199744 */ + 23330773, /* 23330816 */ + 23461877, /* 23461888 */ + 23592937, /* 23592960 */ + 23724031, /* 23724032 */ + 23855101, /* 23855104 */ + 23986159, /* 23986176 */ + 24117217, /* 24117248 */ + 24248299, /* 24248320 */ + 24379391, /* 24379392 */ + 24510463, /* 24510464 */ + 24641479, /* 24641536 */ + 24772603, /* 24772608 */ + 24903667, /* 24903680 */ + 25034731, /* 25034752 */ + 25165813, /* 25165824 */ + 25296893, /* 25296896 */ + 25427957, /* 25427968 */ + 25559033, /* 25559040 */ + 25690097, /* 25690112 */ + 25821179, /* 25821184 */ + 25952243, /* 25952256 */ + 26083273, /* 26083328 */ + 26214379, /* 26214400 */ + 26345471, /* 26345472 */ + 26476543, /* 26476544 */ + 26607611, /* 26607616 */ + 26738687, /* 26738688 */ + 26869753, /* 26869760 */ + 27000817, /* 27000832 */ + 27131903, /* 27131904 */ + 27262931, /* 27262976 */ + 27394019, /* 27394048 */ + 27525109, /* 27525120 */ + 27656149, /* 27656192 */ + 27787213, /* 27787264 */ + 27918323, /* 27918336 */ + 28049407, /* 28049408 */ + 28180459, /* 28180480 */ + 28311541, /* 28311552 */ + 28442551, /* 28442624 */ + 28573673, /* 28573696 */ + 
28704749, /* 28704768 */ + 28835819, /* 28835840 */ + 28966909, /* 28966912 */ + 29097977, /* 29097984 */ + 29229047, /* 29229056 */ + 29360087, /* 29360128 */ + 29491193, /* 29491200 */ + 29622269, /* 29622272 */ + 29753341, /* 29753344 */ + 29884411, /* 29884416 */ + 30015481, /* 30015488 */ + 30146531, /* 30146560 */ + 30277627, /* 30277632 */ + 30408701, /* 30408704 */ + 30539749, /* 30539776 */ + 30670847, /* 30670848 */ + 30801917, /* 30801920 */ + 30932987, /* 30932992 */ + 31064063, /* 31064064 */ + 31195117, /* 31195136 */ + 31326181, /* 31326208 */ + 31457269, /* 31457280 */ + 31588351, /* 31588352 */ + 31719409, /* 31719424 */ + 31850491, /* 31850496 */ + 31981567, /* 31981568 */ + 32112607, /* 32112640 */ + 32243707, /* 32243712 */ + 32374781, /* 32374784 */ + 32505829, /* 32505856 */ + 32636921, /* 32636928 */ + 32767997, /* 32768000 */ + 32899037, /* 32899072 */ + 33030121, /* 33030144 */ + 33161201, /* 33161216 */ + 33292283, /* 33292288 */ + 33423319, /* 33423360 */ + 33554393, /* 33554432 */ + 33685493, /* 33685504 */ + 33816571, /* 33816576 */ + 33947621, /* 33947648 */ + 34078699, /* 34078720 */ + 34209787, /* 34209792 */ + 34340861, /* 34340864 */ + 34471933, /* 34471936 */ + 34602991, /* 34603008 */ + 34734079, /* 34734080 */ + 34865141, /* 34865152 */ + 34996223, /* 34996224 */ + 35127263, /* 35127296 */ + 35258347, /* 35258368 */ + 35389423, /* 35389440 */ + 35520467, /* 35520512 */ + 35651579, /* 35651584 */ + 35782613, /* 35782656 */ + 35913727, /* 35913728 */ + 36044797, /* 36044800 */ + 36175871, /* 36175872 */ + 36306937, /* 36306944 */ + 36438013, /* 36438016 */ + 36569083, /* 36569088 */ + 36700159, /* 36700160 */ + 36831227, /* 36831232 */ + 36962291, /* 36962304 */ + 37093373, /* 37093376 */ + 37224437, /* 37224448 */ + 37355503, /* 37355520 */ + 37486591, /* 37486592 */ + 37617653, /* 37617664 */ + 37748717, /* 37748736 */ + 37879783, /* 37879808 */ + 38010871, /* 38010880 */ + 38141951, /* 38141952 */ + 38273023, /* 38273024 */ + 
38404081, /* 38404096 */ + 38535151, /* 38535168 */ + 38666219, /* 38666240 */ + 38797303, /* 38797312 */ + 38928371, /* 38928384 */ + 39059431, /* 39059456 */ + 39190519, /* 39190528 */ + 39321599, /* 39321600 */ + 39452671, /* 39452672 */ + 39583727, /* 39583744 */ + 39714799, /* 39714816 */ + 39845887, /* 39845888 */ + 39976939, /* 39976960 */ + 40108027, /* 40108032 */ + 40239103, /* 40239104 */ + 40370173, /* 40370176 */ + 40501231, /* 40501248 */ + 40632313, /* 40632320 */ + 40763369, /* 40763392 */ + 40894457, /* 40894464 */ + 41025499, /* 41025536 */ + 41156569, /* 41156608 */ + 41287651, /* 41287680 */ + 41418739, /* 41418752 */ + 41549803, /* 41549824 */ + 41680871, /* 41680896 */ + 41811949, /* 41811968 */ + 41943023, /* 41943040 */ + 42074101, /* 42074112 */ + 42205183, /* 42205184 */ + 42336253, /* 42336256 */ + 42467317, /* 42467328 */ + 42598397, /* 42598400 */ + 42729437, /* 42729472 */ + 42860537, /* 42860544 */ + 42991609, /* 42991616 */ + 43122683, /* 43122688 */ + 43253759, /* 43253760 */ + 43384813, /* 43384832 */ + 43515881, /* 43515904 */ + 43646963, /* 43646976 */ + 43778011, /* 43778048 */ + 43909111, /* 43909120 */ + 44040187, /* 44040192 */ + 44171261, /* 44171264 */ + 44302303, /* 44302336 */ + 44433391, /* 44433408 */ + 44564461, /* 44564480 */ + 44695549, /* 44695552 */ + 44826611, /* 44826624 */ + 44957687, /* 44957696 */ + 45088739, /* 45088768 */ + 45219827, /* 45219840 */ + 45350869, /* 45350912 */ + 45481973, /* 45481984 */ + 45613039, /* 45613056 */ + 45744121, /* 45744128 */ + 45875191, /* 45875200 */ + 46006249, /* 46006272 */ + 46137319, /* 46137344 */ + 46268381, /* 46268416 */ + 46399471, /* 46399488 */ + 46530557, /* 46530560 */ + 46661627, /* 46661632 */ + 46792699, /* 46792704 */ + 46923761, /* 46923776 */ + 47054809, /* 47054848 */ + 47185907, /* 47185920 */ + 47316991, /* 47316992 */ + 47448061, /* 47448064 */ + 47579131, /* 47579136 */ + 47710207, /* 47710208 */ + 47841257, /* 47841280 */ + 47972341, /* 47972352 */ + 
48103417, /* 48103424 */ + 48234451, /* 48234496 */ + 48365563, /* 48365568 */ + 48496639, /* 48496640 */ + 48627697, /* 48627712 */ + 48758783, /* 48758784 */ + 48889837, /* 48889856 */ + 49020913, /* 49020928 */ + 49151987, /* 49152000 */ + 49283063, /* 49283072 */ + 49414111, /* 49414144 */ + 49545193, /* 49545216 */ + 49676267, /* 49676288 */ + 49807327, /* 49807360 */ + 49938431, /* 49938432 */ + 50069497, /* 50069504 */ + 50200573, /* 50200576 */ + 50331599, /* 50331648 */ + 50462683, /* 50462720 */ + 50593783, /* 50593792 */ + 50724859, /* 50724864 */ + 50855899, /* 50855936 */ + 50987003, /* 50987008 */ + 51118069, /* 51118080 */ + 51249131, /* 51249152 */ + 51380179, /* 51380224 */ + 51511277, /* 51511296 */ + 51642341, /* 51642368 */ + 51773431, /* 51773440 */ + 51904511, /* 51904512 */ + 52035569, /* 52035584 */ + 52166641, /* 52166656 */ + 52297717, /* 52297728 */ + 52428767, /* 52428800 */ + 52559867, /* 52559872 */ + 52690919, /* 52690944 */ + 52821983, /* 52822016 */ + 52953077, /* 52953088 */ + 53084147, /* 53084160 */ + 53215229, /* 53215232 */ + 53346301, /* 53346304 */ + 53477357, /* 53477376 */ + 53608441, /* 53608448 */ + 53739493, /* 53739520 */ + 53870573, /* 53870592 */ + 54001663, /* 54001664 */ + 54132721, /* 54132736 */ + 54263789, /* 54263808 */ + 54394877, /* 54394880 */ + 54525917, /* 54525952 */ + 54656983, /* 54657024 */ + 54788089, /* 54788096 */ + 54919159, /* 54919168 */ + 55050217, /* 55050240 */ + 55181311, /* 55181312 */ + 55312351, /* 55312384 */ + 55443433, /* 55443456 */ + 55574507, /* 55574528 */ + 55705589, /* 55705600 */ + 55836659, /* 55836672 */ + 55967701, /* 55967744 */ + 56098813, /* 56098816 */ + 56229881, /* 56229888 */ + 56360911, /* 56360960 */ + 56491993, /* 56492032 */ + 56623093, /* 56623104 */ + 56754167, /* 56754176 */ + 56885219, /* 56885248 */ + 57016319, /* 57016320 */ + 57147379, /* 57147392 */ + 57278461, /* 57278464 */ + 57409529, /* 57409536 */ + 57540599, /* 57540608 */ + 57671671, /* 57671680 */ + 
57802739, /* 57802752 */ + 57933817, /* 57933824 */ + 58064861, /* 58064896 */ + 58195939, /* 58195968 */ + 58327039, /* 58327040 */ + 58458091, /* 58458112 */ + 58589161, /* 58589184 */ + 58720253, /* 58720256 */ + 58851307, /* 58851328 */ + 58982389, /* 58982400 */ + 59113469, /* 59113472 */ + 59244539, /* 59244544 */ + 59375587, /* 59375616 */ + 59506679, /* 59506688 */ + 59637733, /* 59637760 */ + 59768831, /* 59768832 */ + 59899901, /* 59899904 */ + 60030953, /* 60030976 */ + 60162029, /* 60162048 */ + 60293119, /* 60293120 */ + 60424183, /* 60424192 */ + 60555227, /* 60555264 */ + 60686321, /* 60686336 */ + 60817397, /* 60817408 */ + 60948479, /* 60948480 */ + 61079531, /* 61079552 */ + 61210603, /* 61210624 */ + 61341659, /* 61341696 */ + 61472753, /* 61472768 */ + 61603811, /* 61603840 */ + 61734899, /* 61734912 */ + 61865971, /* 61865984 */ + 61997053, /* 61997056 */ + 62128127, /* 62128128 */ + 62259193, /* 62259200 */ + 62390261, /* 62390272 */ + 62521331, /* 62521344 */ + 62652407, /* 62652416 */ + 62783477, /* 62783488 */ + 62914549, /* 62914560 */ + 63045613, /* 63045632 */ + 63176693, /* 63176704 */ + 63307763, /* 63307776 */ + 63438839, /* 63438848 */ + 63569917, /* 63569920 */ + 63700991, /* 63700992 */ + 63832057, /* 63832064 */ + 63963131, /* 63963136 */ + 64094207, /* 64094208 */ + 64225267, /* 64225280 */ + 64356349, /* 64356352 */ + 64487417, /* 64487424 */ + 64618493, /* 64618496 */ + 64749563, /* 64749568 */ + 64880587, /* 64880640 */ + 65011703, /* 65011712 */ + 65142769, /* 65142784 */ + 65273851, /* 65273856 */ + 65404909, /* 65404928 */ + 65535989, /* 65536000 */ + 65667067, /* 65667072 */ + 65798137, /* 65798144 */ + 65929211, /* 65929216 */ + 66060277, /* 66060288 */ + 66191351, /* 66191360 */ + 66322427, /* 66322432 */ + 66453479, /* 66453504 */ + 66584561, /* 66584576 */ + 66715643, /* 66715648 */ + 66846709, /* 66846720 */ + 66977767, /* 66977792 */ + 67108859, /* 67108864 */ + 67239883, /* 67239936 */ + 67370999, /* 67371008 */ + 
67502063, /* 67502080 */ + 67633127, /* 67633152 */ + 67764223, /* 67764224 */ + 67895251, /* 67895296 */ + 68026363, /* 68026368 */ + 68157433, /* 68157440 */ + 68288503, /* 68288512 */ + 68419567, /* 68419584 */ + 68550631, /* 68550656 */ + 68681719, /* 68681728 */ + 68812769, /* 68812800 */ + 68943851, /* 68943872 */ + 69074933, /* 69074944 */ + 69205987, /* 69206016 */ + 69337087, /* 69337088 */ + 69468151, /* 69468160 */ + 69599221, /* 69599232 */ + 69730303, /* 69730304 */ + 69861331, /* 69861376 */ + 69992443, /* 69992448 */ + 70123513, /* 70123520 */ + 70254563, /* 70254592 */ + 70385641, /* 70385664 */ + 70516729, /* 70516736 */ + 70647793, /* 70647808 */ + 70778861, /* 70778880 */ + 70909933, /* 70909952 */ + 71041021, /* 71041024 */ + 71172091, /* 71172096 */ + 71303153, /* 71303168 */ + 71434229, /* 71434240 */ + 71565283, /* 71565312 */ + 71696363, /* 71696384 */ + 71827423, /* 71827456 */ + 71958521, /* 71958528 */ + 72089573, /* 72089600 */ + 72220663, /* 72220672 */ + 72351733, /* 72351744 */ + 72482807, /* 72482816 */ + 72613861, /* 72613888 */ + 72744937, /* 72744960 */ + 72876031, /* 72876032 */ + 73007089, /* 73007104 */ + 73138171, /* 73138176 */ + 73269247, /* 73269248 */ + 73400311, /* 73400320 */ + 73531379, /* 73531392 */ + 73662461, /* 73662464 */ + 73793521, /* 73793536 */ + 73924583, /* 73924608 */ + 74055637, /* 74055680 */ + 74186747, /* 74186752 */ + 74317801, /* 74317824 */ + 74448877, /* 74448896 */ + 74579951, /* 74579968 */ + 74711027, /* 74711040 */ + 74842099, /* 74842112 */ + 74973181, /* 74973184 */ + 75104243, /* 75104256 */ + 75235327, /* 75235328 */ + 75366397, /* 75366400 */ + 75497467, /* 75497472 */ + 75628513, /* 75628544 */ + 75759613, /* 75759616 */ + 75890653, /* 75890688 */ + 76021661, /* 76021760 */ + 76152821, /* 76152832 */ + 76283897, /* 76283904 */ + 76414973, /* 76414976 */ + 76546039, /* 76546048 */ + 76677113, /* 76677120 */ + 76808119, /* 76808192 */ + 76939253, /* 76939264 */ + 77070317, /* 77070336 */ + 
77201347, /* 77201408 */ + 77332471, /* 77332480 */ + 77463541, /* 77463552 */ + 77594599, /* 77594624 */ + 77725691, /* 77725696 */ + 77856767, /* 77856768 */ + 77987821, /* 77987840 */ + 78118903, /* 78118912 */ + 78249973, /* 78249984 */ + 78381047, /* 78381056 */ + 78512101, /* 78512128 */ + 78643199, /* 78643200 */ + 78774259, /* 78774272 */ + 78905303, /* 78905344 */ + 79036411, /* 79036416 */ + 79167479, /* 79167488 */ + 79298543, /* 79298560 */ + 79429619, /* 79429632 */ + 79560673, /* 79560704 */ + 79691761, /* 79691776 */ + 79822829, /* 79822848 */ + 79953901, /* 79953920 */ + 80084969, /* 80084992 */ + 80216063, /* 80216064 */ + 80347103, /* 80347136 */ + 80478199, /* 80478208 */ + 80609279, /* 80609280 */ + 80740339, /* 80740352 */ + 80871419, /* 80871424 */ + 81002489, /* 81002496 */ + 81133567, /* 81133568 */ + 81264587, /* 81264640 */ + 81395683, /* 81395712 */ + 81526763, /* 81526784 */ + 81657841, /* 81657856 */ + 81788923, /* 81788928 */ + 81919993, /* 81920000 */ + 82051043, /* 82051072 */ + 82182137, /* 82182144 */ + 82313213, /* 82313216 */ + 82444279, /* 82444288 */ + 82575331, /* 82575360 */ + 82706431, /* 82706432 */ + 82837501, /* 82837504 */ + 82968563, /* 82968576 */ + 83099641, /* 83099648 */ + 83230717, /* 83230720 */ + 83361781, /* 83361792 */ + 83492863, /* 83492864 */ + 83623931, /* 83623936 */ + 83754997, /* 83755008 */ + 83886053, /* 83886080 */ + 84017117, /* 84017152 */ + 84148213, /* 84148224 */ + 84279277, /* 84279296 */ + 84410353, /* 84410368 */ + 84541421, /* 84541440 */ + 84672487, /* 84672512 */ + 84803581, /* 84803584 */ + 84934621, /* 84934656 */ + 85065719, /* 85065728 */ + 85196789, /* 85196800 */ + 85327849, /* 85327872 */ + 85458929, /* 85458944 */ + 85589989, /* 85590016 */ + 85721081, /* 85721088 */ + 85852147, /* 85852160 */ + 85983217, /* 85983232 */ + 86114279, /* 86114304 */ + 86245343, /* 86245376 */ + 86376443, /* 86376448 */ + 86507507, /* 86507520 */ + 86638577, /* 86638592 */ + 86769647, /* 86769664 */ + 
86900731, /* 86900736 */ + 87031759, /* 87031808 */ + 87162857, /* 87162880 */ + 87293939, /* 87293952 */ + 87425021, /* 87425024 */ + 87556087, /* 87556096 */ + 87687167, /* 87687168 */ + 87818239, /* 87818240 */ + 87949307, /* 87949312 */ + 88080359, /* 88080384 */ + 88211449, /* 88211456 */ + 88342519, /* 88342528 */ + 88473569, /* 88473600 */ + 88604653, /* 88604672 */ + 88735721, /* 88735744 */ + 88866797, /* 88866816 */ + 88997827, /* 88997888 */ + 89128939, /* 89128960 */ + 89260027, /* 89260032 */ + 89391103, /* 89391104 */ + 89522171, /* 89522176 */ + 89653217, /* 89653248 */ + 89784313, /* 89784320 */ + 89915383, /* 89915392 */ + 90046441, /* 90046464 */ + 90177533, /* 90177536 */ + 90308599, /* 90308608 */ + 90439667, /* 90439680 */ + 90570751, /* 90570752 */ + 90701797, /* 90701824 */ + 90832871, /* 90832896 */ + 90963967, /* 90963968 */ + 91095013, /* 91095040 */ + 91226101, /* 91226112 */ + 91357177, /* 91357184 */ + 91488251, /* 91488256 */ + 91619321, /* 91619328 */ + 91750391, /* 91750400 */ + 91881443, /* 91881472 */ + 92012537, /* 92012544 */ + 92143609, /* 92143616 */ + 92274671, /* 92274688 */ + 92405723, /* 92405760 */ + 92536823, /* 92536832 */ + 92667863, /* 92667904 */ + 92798969, /* 92798976 */ + 92930039, /* 92930048 */ + 93061117, /* 93061120 */ + 93192191, /* 93192192 */ + 93323249, /* 93323264 */ + 93454307, /* 93454336 */ + 93585379, /* 93585408 */ + 93716471, /* 93716480 */ + 93847549, /* 93847552 */ + 93978559, /* 93978624 */ + 94109681, /* 94109696 */ + 94240733, /* 94240768 */ + 94371833, /* 94371840 */ + 94502899, /* 94502912 */ + 94633963, /* 94633984 */ + 94765039, /* 94765056 */ + 94896119, /* 94896128 */ + 95027197, /* 95027200 */ + 95158249, /* 95158272 */ + 95289329, /* 95289344 */ + 95420401, /* 95420416 */ + 95551487, /* 95551488 */ + 95682541, /* 95682560 */ + 95813621, /* 95813632 */ + 95944691, /* 95944704 */ + 96075739, /* 96075776 */ + 96206839, /* 96206848 */ + 96337919, /* 96337920 */ + 96468979, /* 96468992 */ + 
96600041, /* 96600064 */ + 96731101, /* 96731136 */ + 96862169, /* 96862208 */ + 96993269, /* 96993280 */ + 97124347, /* 97124352 */ + 97255409, /* 97255424 */ + 97386467, /* 97386496 */ + 97517543, /* 97517568 */ + 97648637, /* 97648640 */ + 97779701, /* 97779712 */ + 97910759, /* 97910784 */ + 98041831, /* 98041856 */ + 98172887, /* 98172928 */ + 98303999, /* 98304000 */ + 98435063, /* 98435072 */ + 98566121, /* 98566144 */ + 98697187, /* 98697216 */ + 98828281, /* 98828288 */ + 98959337, /* 98959360 */ + 99090427, /* 99090432 */ + 99221489, /* 99221504 */ + 99352567, /* 99352576 */ + 99483647, /* 99483648 */ + 99614689, /* 99614720 */ + 99745787, /* 99745792 */ + 99876851, /* 99876864 */ + 100007927, /* 100007936 */ + 100138979, /* 100139008 */ + 100270069, /* 100270080 */ + 100401139, /* 100401152 */ + 100532207, /* 100532224 */ + 100663291, /* 100663296 */ + 100794319, /* 100794368 */ + 100925431, /* 100925440 */ + 101056507, /* 101056512 */ + 101187577, /* 101187584 */ + 101318647, /* 101318656 */ + 101449717, /* 101449728 */ + 101580793, /* 101580800 */ + 101711839, /* 101711872 */ + 101842931, /* 101842944 */ + 101974009, /* 101974016 */ + 102105049, /* 102105088 */ + 102236149, /* 102236160 */ + 102367189, /* 102367232 */ + 102498301, /* 102498304 */ + 102629369, /* 102629376 */ + 102760387, /* 102760448 */ + 102891499, /* 102891520 */ + 103022537, /* 103022592 */ + 103153649, /* 103153664 */ + 103284733, /* 103284736 */ + 103415791, /* 103415808 */ + 103546879, /* 103546880 */ + 103677949, /* 103677952 */ + 103809011, /* 103809024 */ + 103940093, /* 103940096 */ + 104071157, /* 104071168 */ + 104202233, /* 104202240 */ + 104333311, /* 104333312 */ + 104464369, /* 104464384 */ + 104595397, /* 104595456 */ + 104726527, /* 104726528 */ + 104857589, /* 104857600 */ + 104988641, /* 104988672 */ + 105119741, /* 105119744 */ + 105250811, /* 105250816 */ + 105381841, /* 105381888 */ + 105512951, /* 105512960 */ + 105644029, /* 105644032 */ + 105775079, /* 
105775104 */ + 105906167, /* 105906176 */ + 106037237, /* 106037248 */ + 106168319, /* 106168320 */ + 106299379, /* 106299392 */ + 106430449, /* 106430464 */ + 106561523, /* 106561536 */ + 106692601, /* 106692608 */ + 106823677, /* 106823680 */ + 106954747, /* 106954752 */ + 107085799, /* 107085824 */ + 107216891, /* 107216896 */ + 107347943, /* 107347968 */ + 107479033, /* 107479040 */ + 107610079, /* 107610112 */ + 107741167, /* 107741184 */ + 107872249, /* 107872256 */ + 108003323, /* 108003328 */ + 108134393, /* 108134400 */ + 108265459, /* 108265472 */ + 108396521, /* 108396544 */ + 108527603, /* 108527616 */ + 108658681, /* 108658688 */ + 108789727, /* 108789760 */ + 108920831, /* 108920832 */ + 109051903, /* 109051904 */ + 109182947, /* 109182976 */ + 109314043, /* 109314048 */ + 109445107, /* 109445120 */ + 109576189, /* 109576192 */ + 109707253, /* 109707264 */ + 109838293, /* 109838336 */ + 109969403, /* 109969408 */ + 110100409, /* 110100480 */ + 110231531, /* 110231552 */ + 110362559, /* 110362624 */ + 110493661, /* 110493696 */ + 110624753, /* 110624768 */ + 110755793, /* 110755840 */ + 110886883, /* 110886912 */ + 111017983, /* 111017984 */ + 111148963, /* 111149056 */ + 111280121, /* 111280128 */ + 111411173, /* 111411200 */ + 111542261, /* 111542272 */ + 111673343, /* 111673344 */ + 111804389, /* 111804416 */ + 111935459, /* 111935488 */ + 112066553, /* 112066560 */ + 112197629, /* 112197632 */ + 112328683, /* 112328704 */ + 112459751, /* 112459776 */ + 112590839, /* 112590848 */ + 112721893, /* 112721920 */ + 112852981, /* 112852992 */ + 112984061, /* 112984064 */ + 113115133, /* 113115136 */ + 113246183, /* 113246208 */ + 113377279, /* 113377280 */ + 113508319, /* 113508352 */ + 113639419, /* 113639424 */ + 113770457, /* 113770496 */ + 113901553, /* 113901568 */ + 114032599, /* 114032640 */ + 114163703, /* 114163712 */ + 114294721, /* 114294784 */ + 114425807, /* 114425856 */ + 114556913, /* 114556928 */ + 114687977, /* 114688000 */ + 114819031, 
/* 114819072 */ + 114950131, /* 114950144 */ + 115081189, /* 115081216 */ + 115212287, /* 115212288 */ + 115343341, /* 115343360 */ + 115474417, /* 115474432 */ + 115605467, /* 115605504 */ + 115736539, /* 115736576 */ + 115867627, /* 115867648 */ + 115998719, /* 115998720 */ + 116129789, /* 116129792 */ + 116260849, /* 116260864 */ + 116391917, /* 116391936 */ + 116523007, /* 116523008 */ + 116654077, /* 116654080 */ + 116785133, /* 116785152 */ + 116916223, /* 116916224 */ + 117047291, /* 117047296 */ + 117178367, /* 117178368 */ + 117309421, /* 117309440 */ + 117440509, /* 117440512 */ + 117571523, /* 117571584 */ + 117702649, /* 117702656 */ + 117833711, /* 117833728 */ + 117964793, /* 117964800 */ + 118095853, /* 118095872 */ + 118226893, /* 118226944 */ + 118358003, /* 118358016 */ + 118489081, /* 118489088 */ + 118620143, /* 118620160 */ + 118751207, /* 118751232 */ + 118882279, /* 118882304 */ + 119013347, /* 119013376 */ + 119144447, /* 119144448 */ + 119275511, /* 119275520 */ + 119406587, /* 119406592 */ + 119537653, /* 119537664 */ + 119668723, /* 119668736 */ + 119799803, /* 119799808 */ + 119930873, /* 119930880 */ + 120061951, /* 120061952 */ + 120193019, /* 120193024 */ + 120324077, /* 120324096 */ + 120455147, /* 120455168 */ + 120586231, /* 120586240 */ + 120717307, /* 120717312 */ + 120848353, /* 120848384 */ + 120979447, /* 120979456 */ + 121110523, /* 121110528 */ + 121241597, /* 121241600 */ + 121372649, /* 121372672 */ + 121503737, /* 121503744 */ + 121634801, /* 121634816 */ + 121765871, /* 121765888 */ + 121896949, /* 121896960 */ + 122028019, /* 122028032 */ + 122159101, /* 122159104 */ + 122290171, /* 122290176 */ + 122421241, /* 122421248 */ + 122552317, /* 122552320 */ + 122683391, /* 122683392 */ + 122814463, /* 122814464 */ + 122945527, /* 122945536 */ + 123076601, /* 123076608 */ + 123207677, /* 123207680 */ + 123338737, /* 123338752 */ + 123469783, /* 123469824 */ + 123600857, /* 123600896 */ + 123731963, /* 123731968 */ + 
123863023, /* 123863040 */ + 123994099, /* 123994112 */ + 124125161, /* 124125184 */ + 124256243, /* 124256256 */ + 124387321, /* 124387328 */ + 124518397, /* 124518400 */ + 124649449, /* 124649472 */ + 124780531, /* 124780544 */ + 124911601, /* 124911616 */ + 125042663, /* 125042688 */ + 125173759, /* 125173760 */ + 125304787, /* 125304832 */ + 125435897, /* 125435904 */ + 125566963, /* 125566976 */ + 125698021, /* 125698048 */ + 125829103, /* 125829120 */ + 125960189, /* 125960192 */ + 126091241, /* 126091264 */ + 126222293, /* 126222336 */ + 126353407, /* 126353408 */ + 126484469, /* 126484480 */ + 126615551, /* 126615552 */ + 126746623, /* 126746624 */ + 126877693, /* 126877696 */ + 127008733, /* 127008768 */ + 127139833, /* 127139840 */ + 127270849, /* 127270912 */ + 127401947, /* 127401984 */ + 127533047, /* 127533056 */ + 127664113, /* 127664128 */ + 127795181, /* 127795200 */ + 127926263, /* 127926272 */ + 128057327, /* 128057344 */ + 128188409, /* 128188416 */ + 128319469, /* 128319488 */ + 128450533, /* 128450560 */ + 128581631, /* 128581632 */ + 128712691, /* 128712704 */ + 128843761, /* 128843776 */ + 128974841, /* 128974848 */ + 129105901, /* 129105920 */ + 129236959, /* 129236992 */ + 129368051, /* 129368064 */ + 129499129, /* 129499136 */ + 129630199, /* 129630208 */ + 129761273, /* 129761280 */ + 129892333, /* 129892352 */ + 130023407, /* 130023424 */ + 130154483, /* 130154496 */ + 130285567, /* 130285568 */ + 130416631, /* 130416640 */ + 130547621, /* 130547712 */ + 130678781, /* 130678784 */ + 130809853, /* 130809856 */ + 130940911, /* 130940928 */ + 131071987, /* 131072000 */ + 131203069, /* 131203072 */ + 131334131, /* 131334144 */ + 131465177, /* 131465216 */ + 131596279, /* 131596288 */ + 131727359, /* 131727360 */ + 131858413, /* 131858432 */ + 131989477, /* 131989504 */ + 132120557, /* 132120576 */ + 132251621, /* 132251648 */ + 132382717, /* 132382720 */ + 132513781, /* 132513792 */ + 132644851, /* 132644864 */ + 132775931, /* 132775936 */ 
+ 132907007, /* 132907008 */ + 133038053, /* 133038080 */ + 133169137, /* 133169152 */ + 133300207, /* 133300224 */ + 133431293, /* 133431296 */ + 133562329, /* 133562368 */ + 133693433, /* 133693440 */ + 133824503, /* 133824512 */ + 133955581, /* 133955584 */ + 134086639, /* 134086656 */ }; int sf_nearest_prime( int n ) @@ -4165,7 +4169,7 @@ { return prime_table3[(n>>20)&1023]; } - - return 134086639; /* too big for table, just use a big prime */ + + return 134086639; /* too big for table, just use a big prime */ } diff -Nru snort-2.9.0.1/src/sfutil/sfprimetable.h snort-2.9.2/src/sfutil/sfprimetable.h --- snort-2.9.0.1/src/sfutil/sfprimetable.h 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfprimetable.h 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfrf.c snort-2.9.2/src/sfutil/sfrf.c --- snort-2.9.0.1/src/sfutil/sfrf.c 2010-01-26 10:10:27.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrf.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -21,10 +21,10 @@ /* @file sfrf.c * @brief rate filter implementation for Snort - * @ingroup rate_filter + * @ingroup rate_filter * @author Dilbagh Chahal */ -/* @ingroup rate_filter +/* @ingroup rate_filter * @{ */ 
@@ -38,6 +38,10 @@ #endif /* !WIN32 */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "parser/IpAddrSet.h" #include "generators.h" #include "rules.h" @@ -59,14 +63,14 @@ */ typedef struct { - ///policy identifier. + ///policy identifier. tSfPolicyId policyId; /* Internally generated threshold identity for a configured threshold. */ int tid; - /* Stores either source or destination IP address on a matching packet, depending on + /* Stores either source or destination IP address on a matching packet, depending on * whether dos threshold is tracking by source or destination IP address. For tracking * by rule, it is cleared out (all 0s). */ @@ -79,7 +83,7 @@ * destination IP address. For rule based tracking, IP is cleared in the * created node. Nodes are deleted when hash performs ANR on hash. */ -typedef struct +typedef struct { // automatically initialized to FS_NEW when allocated FilterState filterState; @@ -93,7 +97,7 @@ */ unsigned count; - /* time when this sampling period started. + /* time when this sampling period started. */ time_t tstart; @@ -109,13 +113,13 @@ static int _checkThreshold( tSFRFConfigNode*, tSFRFTrackingNode*, - time_t curTime + time_t curTime ); static int _checkSamplingPeriod( tSFRFConfigNode*, tSFRFTrackingNode*, - time_t curTime + time_t curTime ); static tSFRFTrackingNode *_getSFRFTrackingNode( @@ -136,11 +140,11 @@ // public methods ... /* Create a new threshold global context * - * Create a threshold table, initialize the threshold system, and optionally - * limit it's memory usage. + * Create a threshold table, initialize the threshold system, and optionally + * limit it's memory usage. * * @param nbytes maximum memory to use for thresholding objects, in bytes. - * @return pointer to newly created tSFRFContext + * @return pointer to newly created tSFRFContext */ #define SFRF_BYTES (sizeof(tSFRFTrackingNodeKey) + sizeof(tSFRFTrackingNode)) 
@@ -215,15 +219,15 @@ /* Add a permanent threshold object to the threshold table. Multiple * objects may be defined for each gid and sid pair. Internally * a unique threshold id is generated for each pair. - * + * * Threshold objects track the number of events seen during the time * interval specified by seconds. Depending on the type of threshold * object and the count value, the thresholding object determines if * the current event should be logged or dropped. - * + * * @param pContext Threshold object from SFRF_ContextNew() * @param cfgNode Permanent Thresholding Object - * + * * @return @retval 0 successfully added the thresholding object, !0 otherwise */ int SFRF_ConfigAdd(RateFilterConfig *rf_config, tSFRFConfigNode *cfgNode) @@ -349,7 +353,7 @@ #ifdef SFRF_DEBUG - printf("--%d-%d-%d: Threshold node added to tail of list\n", + printf("--%d-%d-%d: Threshold node added to tail of list\n", pNewConfigNode->tid, pNewConfigNode->gid, pNewConfigNode->sid); @@ -398,7 +402,7 @@ tSFRFConfigNode* cfgNode, snort_ip_p ip, time_t curTime, - SFRF_COUNT_OPERATION op + SFRF_COUNT_OPERATION op ) { tSFRFTrackingNode* dynNode; int retValue = -1; @@ -444,7 +448,7 @@ retValue = _checkThreshold(cfgNode, dynNode, curTime); // we drop after the session count has been incremented - // but the decrement will never come so we "fix" it here + // but the decrement will never come so we "fix" it here // if the count were not incremented in such cases, the // threshold would never be exceeded. if ( !cfgNode->seconds && dynNode->count > cfgNode->count ) @@ -452,8 +456,8 @@ dynNode->count--; #ifdef SFRF_DEBUG - printf("--SFRF_DEBUG: %d-%d-%d: %d Packet IP %s, op: %d, count %d, action %d\n", - cfgNode->tid, cfgNode->gid, + printf("--SFRF_DEBUG: %d-%d-%d: %d Packet IP %s, op: %d, count %d, action %d\n", + cfgNode->tid, cfgNode->gid, cfgNode->sid, (unsigned) curTime, get_netip(ip), op, dynNode->count, retValue); fflush(stdout); 
@@ -461,7 +465,7 @@ return retValue; } -static INLINE int SFRF_AppliesTo(tSFRFConfigNode* pCfg, snort_ip_p ip) +static inline int SFRF_AppliesTo(tSFRFConfigNode* pCfg, snort_ip_p ip) { #ifndef SUP_IP6 struct in_addr addr; @@ -485,7 +489,7 @@ * @param op operation of type SFRF_COUNT_OPERATION * * @return -1 if packet is within dos_threshold and therefore action is allowed. - * >=0 if packet violates a dos_threshold and therefore new_action should + * >=0 if packet violates a dos_threshold and therefore new_action should * replace rule action. new_action value is returned. */ int SFRF_TestThreshold( @@ -528,7 +532,7 @@ printf("--SFRF_DEBUG: %d-%d-%d: no hash table entry for gid\n", 0, gid, sid); fflush(stdout); #endif - return status; + return status; } /* @@ -551,7 +555,7 @@ if ( !pSidNode->configNodeList ) { #ifdef SFRF_DEBUG - printf("--SFRF_DEBUG: %d-%d-%d: No user configuration\n", + printf("--SFRF_DEBUG: %d-%d-%d: No user configuration\n", 0, gid, sid); fflush(stdout); #endif @@ -595,7 +599,7 @@ } #ifdef SFRF_DEBUG - printf("--SFRF_DEBUG: %d-%d-%d: Time %d, rate limit blocked: %d\n", + printf("--SFRF_DEBUG: %d-%d-%d: Time %d, rate limit blocked: %d\n", cfgNode->tid, gid, sid, (unsigned)curTime, newStatus); fflush(stdout); #endif @@ -608,13 +612,13 @@ } // rate limit not reached - return status; + return status; } /* A function to print the thresholding objects to stdout. * * @param pContext pointer to global threshold context - * @return + * @return */ void SFRF_ShowObjects(RateFilterConfig *config) { @@ -672,10 +676,10 @@ static int _checkSamplingPeriod( tSFRFConfigNode* cfgNode, tSFRFTrackingNode* dynNode, - time_t curTime + time_t curTime ) { unsigned dt; - + if ( cfgNode->seconds ) { dt = (unsigned)(curTime - dynNode->tstart); @@ -694,7 +698,7 @@ } } #ifdef SFRF_OVER_RATE - else + else { dynNode->overRate = (dynNode->count > cfgNode->count); } 
@@ -705,14 +709,14 @@ /* Checks if rate limit is reached for a configured threshold. * - * DOS Threshold monitoring is done is discrete time intervals specified by + * DOS Threshold monitoring is done is discrete time intervals specified by * 'cfgNode->seconds'. Once threshold action is activated, it stays active * for the revert timeout. Counters and seconds is maintained current at all * times. This may cause threshold action to be reactivated immediately if counter - * is above threshold. + * is above threshold. * Threshold is tracked using a hash with ANR. This could cause some tracking nodes * to disappear when memory is low. Node deletion and subsequent creation will cause - * rate limiting to start afresh for a specific stream. + * rate limiting to start afresh for a specific stream. * * @param cfgNode threshold configuration node * @param dynNode tracking node for a configured node @@ -724,16 +728,16 @@ static int _checkThreshold( tSFRFConfigNode* cfgNode, tSFRFTrackingNode* dynNode, - time_t curTime + time_t curTime ) { /* Once newAction is activated, it stays active for the revert timeout, unless ANR * causes the node itself to disappear. * Also note that we want to maintain the counters and rates update so that we reblock * offending traffic again quickly if it has not subsided. */ - if ( dynNode->filterState == FS_ON ) + if ( dynNode->filterState == FS_ON ) { - if ( (cfgNode->timeout != 0 ) + if ( (cfgNode->timeout != 0 ) && ((unsigned)(curTime - dynNode->revertTime) >= cfgNode->timeout)) { #ifdef SFRF_OVER_RATE @@ -774,7 +778,7 @@ printf("...DOS action nop, count %u\n", dynNode->count); fflush(stdout); #endif - return -1; + return -1; } // rate limit reached. diff -Nru snort-2.9.0.1/src/sfutil/sfrf.h snort-2.9.2/src/sfutil/sfrf.h --- snort-2.9.0.1/src/sfutil/sfrf.h 2010-01-26 10:10:28.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrf.h 2011-02-09 15:23:37.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2009-2010 Sourcefire, Inc. + * Copyright (C) 2009-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfrim.c snort-2.9.2/src/sfutil/sfrim.c --- snort-2.9.0.1/src/sfutil/sfrim.c 2010-01-26 10:10:28.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrim.c 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -20,7 +20,7 @@ ****************************************************************************/ /* - * sfrim.c + * sfrim.c * * Rule Index Map * @@ -29,6 +29,10 @@ */ #include <stdio.h> #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sfrim.h" /* @@ -39,7 +43,7 @@ { if( ! map ) return 0; - + if( index < map->num_rules ) { return map->map[index].sid; @@ -63,7 +67,7 @@ return 0; } /* - * Create a rule index map table + * Create a rule index map table * author: marc norton */ rule_index_map_t * RuleIndexMapCreate( int max_rules ) @@ -84,7 +88,7 @@ return p; } /* - * Free a rule index map table + * Free a rule index map table * author: marc norton */ void RuleIndexMapFree( rule_index_map_t ** p ) @@ -103,14 +107,14 @@ } /* - * Add a rule to a rule index map table + * Add a rule to a rule index map table * author: marc norton */ int RuleIndexMapAdd( rule_index_map_t * p, unsigned gid, unsigned sid ) { int index; - - if( !p ) + + if( !p ) { return -1; } 
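Review bot: In the sfrim.c hunk at -29,6 the new `#include "config.h"` block is placed after `<stdio.h>` and `<stdlib.h>`, so any feature-test or platform macros that config.h defines cannot influence those two headers; the conventional placement is before the first system include. Moving the three-line `#ifdef HAVE_CONFIG_H` block above `#include <stdio.h>` costs nothing and removes the ordering dependency. If config.h in this tree only carries HAVE_* macros the current order is harmless, but it is worth fixing while the include is being added rather than after a header starts depending on it.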
@@ -118,7 +122,7 @@ { return -1; } - index = p->num_rules ; + index = p->num_rules ; p->map[ index ].gid = gid; p->map[ index ].sid = sid; p->num_rules++; @@ -127,7 +131,7 @@ return index; } /* - * print a rule index map table to stdout + * print a rule index map table to stdout * author: marc norton */ void print_rule_index_map( rule_index_map_t * p ) diff -Nru snort-2.9.0.1/src/sfutil/sfrim.h snort-2.9.2/src/sfutil/sfrim.h --- snort-2.9.0.1/src/sfutil/sfrim.h 2010-01-26 10:10:28.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrim.h 2011-02-09 15:23:37.000000000 -0800 @@ -4,7 +4,7 @@ * Rule Index Map * * author: marc norton - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. */ #ifndef SFRIM_H #define SFRIM_H diff -Nru snort-2.9.0.1/src/sfutil/sfrt.c snort-2.9.2/src/sfutil/sfrt.c --- snort-2.9.0.1/src/sfutil/sfrt.c 2010-04-06 07:05:51.000000000 -0700 +++ snort-2.9.2/src/sfutil/sfrt.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -25,57 +25,57 @@ * @date Thu July 20 10:16:26 EDT 2006 * * Route implements two different routing table lookup mechanisms. The table - * lookups have been adapted to return a void pointer so any information can - * be associated with each CIDR block. + * lookups have been adapted to return a void pointer so any information can + * be associated with each CIDR block. * - * As of this writing, the two methods used are Stefan Nilsson and Gunnar - * Karlsson's LC-trie, and a multibit-trie method similar to Gupta et-al.'s - * DIR-n-m. Presently, the LC-trie is used primarily for testing purposes as + * As of this writing, the two methods used are Stefan Nilsson and Gunnar + * Karlsson's LC-trie, and a multibit-trie method similar to Gupta et-al.'s + * DIR-n-m. Presently, the LC-trie is used primarily for testing purposes as * the current implementation does not allow for fast dynamic inserts. * - * The intended use is for a user to optionally specify large IP blocks and - * then more specific information will be written into the routing tables + * The intended use is for a user to optionally specify large IP blocks and + * then more specific information will be written into the routing tables * from RNA. Ideally, information will only move from less specific to more * specific. If a more general information is to overwrite existing entries, * the table should be free'ed and rebuilt. - * + * * * Implementation: * - * The routing tables associate an index into a "data" table with each CIDR. - * Each entry in the data table stores a pointer to actual data. This - * implementation was chosen so each routing entry only needs one word to - * either index the data array, or point to another table. + * The routing tables associate an index into a "data" table with each CIDR. + * Each entry in the data table stores a pointer to actual data. 
This + * implementation was chosen so each routing entry only needs one word to + * either index the data array, or point to another table. * * Inserts are performed by specifying a CIDR and a pointer to its associated - * data. Since a new routing table entry may overwrite previous entries, + * data. Since a new routing table entry may overwrite previous entries, * a flag selects whether the insert favors the most recent or favors the most - * specific. Favoring most specific should be the default behvior. If - * the user wishes to overwrite routing entries with more general data, the + * specific. Favoring most specific should be the default behvior. If + * the user wishes to overwrite routing entries with more general data, the * table should be flushed, rather than using favor-most-recent. - * + * * Before modifying the routing or data tables, the insert function performs a - * lookup on the CIDR-to-be-insertted. If no entry or an entry *of differing + * lookup on the CIDR-to-be-insertted. If no entry or an entry *of differing * bit length* is found, the data is insertted into the data table, and its - * index is used for the new routing table entry. If an entry is found that - * is as specific as the new CIDR, the index stored points to where the new + * index is used for the new routing table entry. If an entry is found that + * is as specific as the new CIDR, the index stored points to where the new * data is written into the data table. - * - * If more specific CIDR blocks overwrote the data table, then the more + * + * If more specific CIDR blocks overwrote the data table, then the more * general routing table entries that were not overwritten will be referencing * the wrong data. Alternatively, less specific entries can only overwrite * existing routing table entries if favor-most-recent inserts are used. 
* * Because there is no quick way to clean the data-table if a user wishes to * use a favor-most-recent insert for more general data, the user should flush - * the table with sfrt_free and create one anew. Alternatively, a small + * the table with sfrt_free and create one anew. Alternatively, a small * memory leak occurs with the data table, as it will be storing pointers that * no routing table entry cares about. * * - * The API calls that should be used are: + * The API calls that should be used are: * sfrt_new - create new table - * sfrt_insert - insert entry + * sfrt_insert - insert entry * sfrt_lookup - lookup entry * sfrt_free - free table */ @@ -84,6 +84,7 @@ #include "config.h" #endif +#include "sf_types.h" #include "sfrt.h" char *rt_error_messages[] = @@ -102,9 +103,11 @@ #endif }; -/* Create new lookup table - * @param table_type Type of table. Uses the types enumeration in route.h - * @param ip_type IPv4 or IPv6. Uses the types enumeration in route.h +static inline int allocateTableIndex(table_t *table); + +/* Create new lookup table + * @param table_type Type of table. Uses the types enumeration in route.h + * @param ip_type IPv4 or IPv6. Uses the types enumeration in route.h * @param data_size Max number of unique data entries * * Returns the new table. */ @@ -131,7 +134,7 @@ * applies to DIR-n-m. */ #ifdef SUPPORT_LCTRIE #if SIZEOF_LONG_INT == 8 - if(data_size >= 0x800000000000000 && table_type == LCT) + if(data_size >= 0x800000000000000 && table_type == LCT) #else if(data_size >= 0x8000000 && table_type != LCT) #endif @@ -152,6 +155,7 @@ /* Maximum allowable number of stored entries */ table->max_size = data_size; + table->lastAllocatedIndex = 0; table->data = (GENERIC*)calloc(sizeof(GENERIC) * table->max_size, 1); @@ -174,7 +178,7 @@ /* index 0 will be used for failed lookups, so set this to 1 */ table->num_ent = 1; - + switch(table_type) { #ifdef SUPPORT_LCTRIE 
@@ -185,13 +189,16 @@ table->lookup = sfrt_lct_lookup; table->free = sfrt_lct_free; table->usage = sfrt_lct_usage; + table->print = NULL; + table->remove = NULL; + table->rt = sfrt_lct_new(data_size); free(table->data); free(table); return NULL; break; -#endif +#endif /* Setup DIR-n-m table */ case DIR_24_8: case DIR_16x2: @@ -210,6 +217,8 @@ table->lookup = sfrt_dir_lookup; table->free = sfrt_dir_free; table->usage = sfrt_dir_usage; + table->print = sfrt_dir_print; + table->remove = sfrt_dir_remove; break; @@ -237,15 +246,15 @@ case DIR_8x4: table->rt = sfrt_dir_new(mem_cap, 4, 8,8,8,8); break; - /* There is no reason to use 4x8 except for benchmarking and - * comparison purposes. */ + /* There is no reason to use 4x8 except for benchmarking and + * comparison purposes. */ case DIR_4x8: table->rt = sfrt_dir_new(mem_cap, 8, 4,4,4,4,4,4,4,4); break; - /* There is no reason to use 2x16 except for benchmarking and - * comparison purposes. */ + /* There is no reason to use 2x16 except for benchmarking and + * comparison purposes. */ case DIR_2x16: - table->rt = sfrt_dir_new(mem_cap, 16, + table->rt = sfrt_dir_new(mem_cap, 16, 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2); break; #ifdef SUP_IP6 @@ -262,8 +271,8 @@ table->rt6 = sfrt_dir_new(mem_cap, 8, 16,16,16,16,16,16,16,16); break; case DIR_8x16: - table->rt = sfrt_dir_new(mem_cap, 4, 8,8,8,8); - table->rt6 = sfrt_dir_new(mem_cap, 16, + table->rt = sfrt_dir_new(mem_cap, 4, 16,8,4,4); + table->rt6 = sfrt_dir_new(mem_cap, 16, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8); break; #endif @@ -273,7 +282,7 @@ { free(table->data); free(table); - return NULL; + return NULL; } #ifdef SUP_IP6 @@ -378,7 +387,7 @@ tuple = table->lookup(ip, rt); - if(tuple.index >= table->num_ent) + if(tuple.index >= table->max_size) { return NULL; } 
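Review bot: The bound in the sfrt_lookup hunk at -378 becomes `tuple.index >= table->max_size`, which is the right limit now that slots can be freed and reused out of order, since `table->data` is sized by max_size at creation; the reason is not stated anywhere near it, though. Suggest a comment on that line: `/* data[] slots are no longer contiguous (sfrt_remove), so bound by the array size, not num_ent */`. The DIR_8x16 hunk at -262 likewise changes the IPv4 level widths to `16,8,4,4` without a word of rationale; a one-line comment saying why that layout replaces 8,8,8,8 would help the next reader. In the LCT branch at -185, `table->print` and `table->remove` are assigned immediately before the table is freed and NULL is returned, so those two assignments are dead.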
@@ -388,14 +397,20 @@ void sfrt_iterate(table_t* table, sfrt_iterator_callback userfunc) { - uint32_t index; + uint32_t index, count; + if (!table) return; - for (index = 0; index < table->num_ent; index++) + for (index = 0, count = 0; + index < table->max_size; + index++) { if (table->data[index]) + { userfunc(table->data[index]); + if (++count == table->num_ent) break; + } } return; @@ -403,17 +418,20 @@ int sfrt_iterate2(table_t* table, sfrt_iterator_callback3 userfunc) { - uint32_t index; + uint32_t index, count; if (!table) return 0; - for (index = 0; index < table->num_ent; index++) + for (index = 0, count = 0; + index < table->max_size; + index++) { if (table->data[index]) { int ret = userfunc(table->data[index]); if (ret != 0) return ret; + if (++count == table->num_ent) break; } } 
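Review bot: The early exit `if (++count == table->num_ent) break;` added to sfrt_iterate and sfrt_iterate2 looks unreachable in a consistent table: num_ent starts at 1 for the reserved slot 0 (sfrt_new sets it so and sfrt_num_entries subtracts it), allocateTableIndex never hands out slot 0, so the number of non-NULL `data[]` entries is num_ent - 1 and count cannot reach num_ent. The loops still run to max_size, so nothing is skipped, but the counter buys nothing; if the intent is to stop after the last live entry the comparison should be `if (++count == table->num_ent - 1) break;`, otherwise drop the counter. Should num_ent ever fall below the live count plus one (sfrt_remove decrements it even when `data[index]` is already NULL), the current form would stop the walk before the last live entry, which is a second reason to pin the relationship down in a comment. The same pattern is in the sfrt_cleanup2 and sfrt_cleanup hunks on the next line.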
@@ -426,37 +444,49 @@ void *data ) { - uint32_t index; + uint32_t index, count; if (!table) return; - for (index = 0; index < table->num_ent; index++) + for (index = 0, count = 0; + index < table->max_size; + index++) { if (table->data[index]) + { cleanup_func(table->data[index], data); - /* cleanup_func is supposed to free memory associated with this - * table->data[index]. Set that to NULL. - */ - table->data[index] = NULL; + /* cleanup_func is supposed to free memory associated with this + * table->data[index]. Set that to NULL. + */ + table->data[index] = NULL; + if (++count == table->num_ent) break; + } } } void sfrt_cleanup(table_t* table, sfrt_iterator_callback cleanup_func) { - uint32_t index; + uint32_t index, count; + if (!table) return; - for (index = 0; index < table->num_ent; index++) + for (index = 0, count = 0; + index < table->max_size; + index++) { if (table->data[index]) + { cleanup_func(table->data[index]); - /* cleanup_func is supposed to free memory associated with this - * table->data[index]. Set that to NULL. - */ - table->data[index] = NULL; + /* cleanup_func is supposed to free memory associated with this + * table->data[index]. Set that to NULL. + */ + table->data[index] = NULL; + + if (++count == table->num_ent) break; + } } return; @@ -469,7 +499,7 @@ #else uint32_t ip; #endif - tuple_t tuple; + tuple_t tuple; void *rt = NULL; if ((adr == NULL) || (table == NULL) || (len == 0)) @@ -525,13 +555,14 @@ int behavior, table_t *table) { int index; + int newIndex = 0; int res; #ifdef SUP_IP6 sfip_t *ip; #else uint32_t ip; #endif - tuple_t tuple; + tuple_t tuple; void *rt = NULL; if(!adr) @@ -546,7 +577,7 @@ { return RT_INSERT_FAILURE; } - + if( (table->ip_type == IPv4 && len > 32) || (table->ip_type == IPv6 && len > 128) ) { 
@@ -559,7 +590,7 @@ ip = *(uint32_t*)adr; #endif - /* Check if we can reuse an existing data table entry by + /* Check if we can reuse an existing data table entry by * seeing if there is an existing entry with the same length. */ /* Only perform this if the table is not an LC-trie */ #ifdef SUPPORT_LCTRIE @@ -599,38 +630,48 @@ #endif if( table->num_ent >= table->max_size) { - return RT_POLICY_TABLE_EXCEEDED; + return RT_POLICY_TABLE_EXCEEDED; } - index = table->num_ent; - table->num_ent++; - } + index = newIndex = allocateTableIndex(table); + if (!index) + return RT_POLICY_TABLE_EXCEEDED; + } else { index = tuple.index; } - /* Insert value into policy table */ - table->data[ index ] = ptr; - - /* The actual value that is looked-up is an index + /* The actual value that is looked-up is an index * into the data table. */ res = table->insert(ip, len, index, behavior, rt); - /* Check if we ran out of memory. If so, need to decrement - * table->num_ent */ - if(res == MEM_ALLOC_FAILURE) - { - /* From the control flow above, it's possible table->num_ent was not - * incremented. It should be safe to decrement here, because the only - * time it will be incremented above is when we are potentially - * mallocing one or more new entries (It's not incremented when we - * overwrite an existing entry). */ - table->num_ent--; + if ((res == RT_SUCCESS) && newIndex) + { + table->num_ent++; + table->data[ index ] = ptr; } - + return res; } +/** Pretty print table + * Pretty print sfrt table. + * @param table - routing table. + */ +void sfrt_print(table_t *table) +{ + if(!table || !table->print ) + { + return; + } + + if (table->rt) + table->print(table->rt); +#ifdef SUP_IP6 + if (table->rt6) + table->print(table->rt6); +#endif +} uint32_t sfrt_num_entries(table_t *table) { @@ -638,7 +679,7 @@ { return 0; } - + /* There is always a root node, so subtract 1 for it */ return table->num_ent - 1; } 
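Review bot: In the sfrt_insert hunk at -599, `table->data[ index ] = ptr` is now written only when `newIndex` is non-zero, so on the reuse path (`index = tuple.index`, an existing entry of the same length) the caller's `ptr` is never stored and the previous pointer stays in place; the removed code stored it unconditionally before calling `table->insert`. If replacing the data of an existing same-length entry is meant to be unsupported now, say so in the function header and at that else-branch, e.g. `/* existing entry of equal length: routing entry is refreshed, ptr is NOT stored */`; if not, the assignment should also run for the reuse case on RT_SUCCESS. The condition that selects between the two branches sits above the hunk, so I am inferring the reuse semantics from the `else` alone. sfrt_insert's body starts outside this hunk.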
@@ -650,19 +691,128 @@ { return 0; } - + usage = table->allocated + table->usage( table->rt ); #ifdef SUP_IP6 if (table->rt6) { - usage += table->usage( table->rt6 ); + usage += table->usage( table->rt6 ); } #endif return usage; } +/** Remove subnet from sfrt table. + * Remove subnet identified by ip/len and return associated data. + * @param adr - IP address + * @param len - length of netmask + * @param ptr - void ** that is set to value associated with subnet + * @param behavior - RT_FAVOR_SPECIFIC or RT_FAVOR_TIME + * @note - For RT_FAVOR_TIME behavior, if partial subnet is removed then table->data[x] is nulled. Any remaining entries + * will then point to null data. This can cause hung or crosslinked data. RT_FAVOR_SPECIFIC does not have this drawback. + * hung or crosslinked entries. + */ +int sfrt_remove(void *adr, unsigned char len, GENERIC *ptr, + int behavior, table_t *table) +{ + int index; +#ifdef SUP_IP6 + sfip_t *ip; +#else + uint32_t ip; +#endif + void *rt = NULL; + + if(!adr) + { + return RT_REMOVE_FAILURE; + } + + if (len == 0) + return RT_REMOVE_FAILURE; + + if(!table || !table->data || !table->remove || !table->lookup ) + { + //remove operation will fail for LCT since this operation is not implemented + return RT_REMOVE_FAILURE; + } + + if( (table->ip_type == IPv4 && len > 32) || + (table->ip_type == IPv6 && len > 128) ) + { + return RT_REMOVE_FAILURE; + } + +#ifdef SUP_IP6 + ip = adr; +#else + ip = *(uint32_t*)adr; +#endif + +#ifdef SUPPORT_LCTRIE + if(table->table_type != LCT) + { +#endif + +#ifdef SUP_IP6 + if (ip->family == AF_INET) + { + rt = table->rt; + } + else if (ip->family == AF_INET6) + { + rt = table->rt6; + } +#else + rt = table->rt; +#endif + if (!rt) + { + return RT_REMOVE_FAILURE; + } + +#ifdef SUPPORT_LCTRIE + } +#endif + + /* The actual value that is looked-up is an index + * into the data table. */ + index = table->remove(ip, len, behavior, rt); + + /* Remove value into policy table. 
See TBD in function header*/ + if (index) + { + *ptr = table->data[ index ]; + table->data[ index ] = 0; + table->num_ent--; + } + + return RT_SUCCESS; +} + +/**allocate first unused index value. With delete operation, index values can be non-contiguous. + * Index 0 is error in this function but this is valid entry in table->data that is used + * for failure case. Calling function must check for 0 and take appropriate error action. + */ +static inline int allocateTableIndex(table_t *table) +{ + uint32_t index; + + //0 is special index for failed entries. + for (index = table->lastAllocatedIndex+1; + index != table->lastAllocatedIndex; + index = (index+1) % table->max_size) + { + if (index && !table->data[index]) + { + return index; + } + } + return 0; +} + #ifdef DEBUG_SFRT #define NUM_IPS 32 @@ -678,9 +828,9 @@ for(index=0; index<NUM_IPS; index++) { ip_list[index] = (uint32_t)rand()%NUM_IPS; - data[index%NUM_DATA] = index%26 + 65; /* Random letter */ + data[index%NUM_DATA] = index%26 + 65; /* Random letter */ } - + dir = sfrt_new(DIR_16x2, IPv4, NUM_IPS, 20); if(!dir) 
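Review bot: `allocateTableIndex` applies `% table->max_size` only on the increment, not on the starting value `table->lastAllocatedIndex+1`, so if `lastAllocatedIndex` ever equals `max_size - 1` the first iteration reads `table->data[max_size]`, one past the allocation; `for (index = (table->lastAllocatedIndex + 1) % table->max_size; ...` closes that (nothing in this hunk updates `lastAllocatedIndex`, so whether it can reach that value depends on code outside it). `sfrt_remove` returns RT_SUCCESS even when `table->remove` returns 0 (nothing matched) and then leaves `*ptr` untouched, so a caller that reads `*ptr` on success sees stale stack contents; set `*ptr = NULL;` before the call and reject a NULL `ptr` next to the `adr` check, or return RT_REMOVE_FAILURE on a miss. The comment `Remove value into policy table. See TBD in function header` refers to a TBD that the header never spells out; it should describe the RT_FAVOR_TIME hazard the header alludes to or be dropped.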
@@ -691,27 +841,27 @@ for(index=0; index < NUM_IPS; index++) { - if(sfrt_insert(&ip_list[index], 32, &data[index%NUM_DATA], + if(sfrt_insert(&ip_list[index], 32, &data[index%NUM_DATA], RT_FAVOR_SPECIFIC, dir) != RT_SUCCESS) { printf("DIR Insertion failure\n"); return 1; } - printf("%d\t %x: %c -> %c\n", index, ip_list[index], + printf("%d\t %x: %c -> %c\n", index, ip_list[index], data[index%NUM_DATA], *(uint32_t*)sfrt_lookup(&ip_list[index], dir)); - } + } for(index=0; index < NUM_IPS; index++) { val = *(uint32_t*)sfrt_lookup(&ip_list[index], dir); - printf("\t@%d\t%x: %c. originally:\t%c\n", + printf("\t@%d\t%x: %c. originally:\t%c\n", index, ip_list[index], val, data[index%NUM_DATA]); - } + } printf("Usage: %d bytes\n", ((dir_table_t*)(dir->rt))->allocated); - + sfrt_free(dir); return 0; } diff -Nru snort-2.9.0.1/src/sfutil/sfrt_dir.c snort-2.9.2/src/sfutil/sfrt_dir.c --- snort-2.9.0.1/src/sfutil/sfrt_dir.c 2010-01-26 10:10:28.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrt_dir.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -24,7 +24,7 @@ * @author Adam Keeton <akeeton@sourcefire.com> * @date Thu July 20 10:16:26 EDT 2006 * - * The implementation uses an multibit-trie that is similar to Gupta et-al's + * The implementation uses an multibit-trie that is similar to Gupta et-al's * DIR-n-m. */ @@ -35,6 +35,7 @@ #include <stdarg.h> /* For variadic */ #include <stdio.h> #include <string.h> /* For memset */ +#include "sf_types.h" #include "sfrt.h" #include "sfrt_dir.h" 
@@ -54,20 +55,20 @@ #endif /* Create new "sub" table of 2^width entries */ -static dir_sub_table_t *_sub_table_new(dir_table_t *root, uint32_t dimension, +static dir_sub_table_t *_sub_table_new(dir_table_t *root, uint32_t dimension, uint32_t prefill, uint32_t bit_length) { - int width = root->dimensions[dimension]; + int width = root->dimensions[dimension]; int len = 1 << width; int index; dir_sub_table_t *sub; /* Check if creating this node will exceed the memory cap. - * The symbols in the conditional (other than cap), come from the + * The symbols in the conditional (other than cap), come from the * allocs below. */ - if( root->mem_cap < ( root->allocated + - sizeof(dir_sub_table_t) + + if( root->mem_cap < ( root->allocated + + sizeof(dir_sub_table_t) + sizeof(word) * len + len ) || bit_length > 128) { @@ -99,9 +100,9 @@ /* A "length" needs to be stored with each entry above. The length refers * to how specific the insertion that set the entry was. It is necessary - * so that the entry is not overwritten by less general routing + * so that the entry is not overwritten by less general routing * information if "RT_FAVOR_SPECIFIC" insertions are being performed. */ - sub->lengths = (char*)malloc(sub->num_entries); + sub->lengths = (char*)malloc(sub->num_entries); if(!sub->lengths) { @@ -119,6 +120,11 @@ sub->cur_num = 0; + if (prefill) + sub->filledEntries = sub->num_entries; + else + sub->filledEntries = 0; + root->allocated += sizeof(dir_sub_table_t) + sizeof(word) * sub->num_entries; root->cur_num++; @@ -189,7 +195,7 @@ for(index=0; index < sub->num_entries; index++) { - /* The following condition will only be true if + /* The following condition will only be true if * this entry is a pointer */ if( !sub->lengths[index] && sub->entries[index] ) { 
@@ -199,7 +205,7 @@ if(sub->entries) { - /* This probably does not need to be checked + /* This probably does not need to be checked * since if it was not allocated, we would have errored out * in _sub_table_new */ free(sub->entries); @@ -209,7 +215,7 @@ if(sub->lengths) { - /* This probably does not need to be checked + /* This probably does not need to be checked * since if it was not allocated, we would have errored out * in _sub_table_new */ free(sub->lengths); @@ -234,7 +240,7 @@ if(table->sub_table) { - _sub_table_free(&table->allocated, table->sub_table); + _sub_table_free(&table->allocated, table->sub_table); } if(table->dimensions) @@ -245,7 +251,7 @@ free(table); } -static INLINE void _dir_fill_all(uint32_t *allocated, uint32_t index, uint32_t fill, +static inline void _dir_fill_all(uint32_t *allocated, uint32_t index, uint32_t fill, word length, uint32_t val, dir_sub_table_t *table) { @@ -254,9 +260,16 @@ { /* Before overwriting this entry, verify there's not an existing * pointer ... otherwise free it to avoid a huge memory leak. */ - if( table->entries[index] && !table->lengths[index]) + if(table->entries[index]) + { + if (!table->lengths[index]) + { + _sub_table_free(allocated, (dir_sub_table_t*)table->entries[index]); + } + } + else { - _sub_table_free(allocated, (dir_sub_table_t*)table->entries[index]); + table->filledEntries++; } table->entries[index] = val; 
@@ -264,15 +277,15 @@ } } -static INLINE void _dir_fill_less_specific(int index, int fill, +static inline void _dir_fill_less_specific(int index, int fill, word length, uint32_t val, dir_sub_table_t *table) { /* Fill entries */ for(; index < fill; index++) { - /* If we encounter a pointer, and we're inserting at this level, we - * automatically know that this entry refers to more specific + /* If we encounter a pointer, and we're inserting at this level, we + * automatically know that this entry refers to more specific * information. However, there might only be one more specific entry * in the entire block, meaning the rest must be filled. * 
@@ -285,27 +298,118 @@ if( !table->lengths[index] && table->entries[index]) { - dir_sub_table_t *next = (dir_sub_table_t*)table->entries[index]; + dir_sub_table_t *next = (dir_sub_table_t*)table->entries[index]; _dir_fill_less_specific(0, 1 << next->width, length, val, next); } else if(length >= (word)table->lengths[index]) { + if (!table->entries[index]) + { + table->filledEntries++; + } table->entries[index] = val; table->lengths[index] = (char)length; } } } +/*Remove entries all this level and discard any more specific entries. + * + * @note RT_FAVOR_TIME behavior can cause hung or crosslinked entries if part of a subnet + * (which was added) are deleted. Same issue is there when a more general subnet overwrites + * a specific subnet. table->data[] entry for more specific subnet is not cleared. + * + * @note RT_FAVOR_TIME can cause orphaned table->data[] entries if the entire subnet + * is replaced by more specific sudnets. + */ +static inline uint32_t _dir_remove_all(uint32_t *allocated, uint32_t index, uint32_t fill, + word length, dir_sub_table_t *table) +{ + uint32_t valueIndex = 0; + + /* Fill entries */ + for(; index < fill; index++) + { + /* Before overwriting this entry, verify there's not an existing + * pointer ... otherwise free it to avoid a huge memory leak. */ + if (table->entries[index]) + { + if (!table->lengths[index]) + { + _sub_table_free(allocated, (dir_sub_table_t*)table->entries[index]); + } + + if(length == (word)table->lengths[index]) + { + valueIndex = table->entries[index]; + } + + table->filledEntries--; + + //zero value here works since sfrt uses 0 for failed entries. + table->entries[index] = 0; + table->lengths[index] = 0; + } + } + + return valueIndex; +} + +/**Remove entries which match in address/length in all subtables. + * @note RT_FAVOR_SPECIFIC can cause orphaned table->data[] entries if the entire subnet + * is replaced by more specific subnets. 
+ */ +static inline uint32_t _dir_remove_less_specific(uint32_t *allocated, int index, int fill, + word length, dir_sub_table_t *table) +{ + uint32_t valueIndexRet = 0; + uint32_t valueIndex = 0; + + for(; index < fill; index++) + { + if( !table->lengths[index] && table->entries[index]) + { + dir_sub_table_t *next = (dir_sub_table_t*)table->entries[index]; + valueIndex = _dir_remove_less_specific(allocated, 0, 1 << next->width, length, next); + if (valueIndex) + { + valueIndexRet = valueIndex; + } + + if (!next->filledEntries) //table can be collapsed. + { + _sub_table_free(allocated, next); + table->entries[index] = 0; + table->lengths[index] = 0; + table->filledEntries--; + + } + } + else if(length == (word)table->lengths[index]) + { + if (table->entries[index]) + { + table->filledEntries--; + valueIndexRet = table->entries[index]; + } + table->entries[index] = 0; + table->lengths[index] = 0; + } + } + + return valueIndexRet; +} + /* Sub table insertion * This is called by dir_insert and recursively to find the the sub table * that should house the value "ptr" * @param ip IP address structure * @param cur_len Number of bits of the IP left at this depth - * @param length Number of bits of the IP used to specify this CIDR + * @param length Number of bits of the IP used to specify this CIDR * @param ptr Information to be associated with this IP range * @param master_table The table that describes all, returned by dir_new */ -static int _dir_sub_insert(IPLOOKUP *ip, int length, int cur_len, GENERIC ptr, - int current_depth, int behavior, +static int _dir_sub_insert(IPLOOKUP *ip, int length, int cur_len, GENERIC ptr, + int current_depth, int behavior, dir_sub_table_t *sub_table, dir_table_t *root_table) { 
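Review bot: `_dir_remove_less_specific` frees a collapsed child with `_sub_table_free(allocated, next)` but never decrements the root's `cur_num`, and `_dir_remove_all` does the same for the sub-tables it discards, whereas `_dir_sub_remove` later in this diff pairs each `_sub_table_free` with `root_table->cur_num--`; because both helpers receive only `allocated`, the node count drifts upward after removals (visibly in what sfrt_dir_print reports as "Nodes in use"; whether anything else consumes `cur_num` is outside the hunk). Passing `root_table` instead of `&root_table->allocated`, as `_dir_sub_remove` already does, lets both helpers do `root_table->cur_num--` beside the free. Both header comments warn that removals can leave orphaned `table->data[]` entries; stating what the caller must do with a 0 return (nothing to release) would make that contract usable.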
@@ -354,10 +458,10 @@ /* Check if this is the last table to traverse to */ if(sub_table->width >= cur_len) { - /* Calculate how many entries need to be filled + /* Calculate how many entries need to be filled * in this table. If the table is 24 bits wide, and the entry * is 20 bytes long, 2^4 entries need to be filled. */ - fill = 1 << (sub_table->width - cur_len); + fill = 1 << (sub_table->width - cur_len); index = (index >> (sub_table->width - cur_len)) << (sub_table->width - cur_len); @@ -367,7 +471,7 @@ /* Favor most recent CIDR */ if(behavior == RT_FAVOR_TIME) { - _dir_fill_all(&root_table->allocated, index, fill, length, + _dir_fill_all(&root_table->allocated, index, fill, length, (word)ptr, sub_table); } /* Fill over less specific CIDR */ @@ -379,10 +483,10 @@ /* Need to traverse to a sub-table */ else { - dir_sub_table_t *next_sub = + dir_sub_table_t *next_sub = (dir_sub_table_t *)sub_table->entries[index]; - /* Check if we need to alloc a new sub table. + /* Check if we need to alloc a new sub table. * If next_sub was 0/NULL, there's no entry at this index * If the length is non-zero, there is an entry */ if(!next_sub || sub_table->lengths[index]) @@ -392,10 +496,15 @@ return RT_INSERT_FAILURE; } - sub_table->entries[index] = - (word) _sub_table_new(root_table, current_depth+1, + sub_table->entries[index] = + (word) _sub_table_new(root_table, current_depth+1, (word) next_sub, sub_table->lengths[index]); + if (!next_sub) + { + sub_table->filledEntries++; + } + sub_table->cur_num++; sub_table->lengths[index] = 0; 
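Review bot: `sub_table->filledEntries++` runs before the result of `_sub_table_new` is examined, so when that allocation fails (it returns NULL on the mem_cap check or a failed malloc) the slot stays 0 yet is counted as filled, and the `!next->filledEntries` collapse test in the removal path can then never reach zero for this table. Guard on what was actually stored: `if (!next_sub && sub_table->entries[index]) sub_table->filledEntries++;`, or move the increment after the NULL check that presumably follows outside this hunk. `sub_table->cur_num++` has the same pre-existing issue. _dir_sub_insert continues past the hunk.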
@@ -411,14 +520,14 @@ * bits and update the length accordingly. */ #ifdef SUP_IP6 ip->bits += sub_table->width; - _dir_sub_insert(ip, length, - cur_len - sub_table->width, ptr, current_depth+1, - behavior, next_sub, root_table); + return (_dir_sub_insert(ip, length, + cur_len - sub_table->width, ptr, current_depth+1, + behavior, next_sub, root_table)); #else iplu = *ip << sub_table->width; - _dir_sub_insert(&iplu, length, - cur_len - sub_table->width, ptr, current_depth+1, - behavior, next_sub, root_table); + return ( _dir_sub_insert(&iplu, length, + cur_len - sub_table->width, ptr, current_depth+1, + behavior, next_sub, root_table)); #endif } @@ -430,7 +539,7 @@ * @param len Number of bits of the IP used for lookup * @param ptr Information to be associated with this IP range * @param master_table The table that describes all, returned by dir_new */ -int sfrt_dir_insert(IP ip, int len, word data_index, +int sfrt_dir_insert(IP ip, int len, word data_index, int behavior, void *table) { dir_table_t *root = (dir_table_t*)table; 
@@ -549,3 +658,192 @@ return ((dir_table_t*)(table))->allocated; } +static void _sub_table_print(dir_sub_table_t *sub, uint32_t level, dir_table_t *table) { + int index; + + char label[100]; + + memset(label, ' ', sizeof(label)); + label[level*5] = '\0'; + + printf("%sCurrent Nodes: %d, Filled Entries: %d, table Width: %d\n", label, sub->cur_num, sub->filledEntries, sub->width); + for(index=0; index < sub->num_entries; index++) + { + if (sub->lengths[index] || sub->entries[index]) + printf("%sIndex: %d, Length: %d, dataIndex: %d\n", label, index, sub->lengths[index], + (uint32_t)sub->entries[index]); + + if( !sub->lengths[index] && sub->entries[index] ) { + _sub_table_print((dir_sub_table_t*) sub->entries[index], level+1, table); + } + } +} + +/* Print a table. + * Prints a table and its subtable. This is used for debugging purpose only. + * @param table The table that describes all, returned by dir_new + */ +void sfrt_dir_print(void *tbl) { + dir_table_t *table = (dir_table_t*)tbl; + + if(!table) { + return; + } + + printf ("Nodes in use: %d\n", table->cur_num); + if(table->sub_table) { + _sub_table_print(table->sub_table, 1, table); + } +} + +/* Sub table removal + * Recursive function to drill down to subnet table and remove entries. + * @param ip IP address structure + * @param length Number of bits of the IP used to specify this CIDR + * @param cur_len Number of bits of the IP left at this depth + * @param current_depth Number of levels down from root_table. + * @param behavior RT_FAVOR_SPECIFIC or RT_FAVOR_TIME + * @param root_table The table that describes all, returned by dir_new + * @returns index of entry removed. Returns 0, which is a valid index, as failure code. 
+ * Calling function should treat 0 index as failure case.*/ + +static int _dir_sub_remove(IPLOOKUP *ip, int length, int cur_len, + int current_depth, int behavior, + dir_sub_table_t *sub_table, dir_table_t *root_table) +{ + + word index; + uint32_t fill; + uint32_t valueIndex = 0; + +#ifdef SUP_IP6 + { + uint32_t local_index, i; + /* need to handle bits usage across multiple 32bit vals within IPv6. */ + if (ip->ip->family == AF_INET) + { + i=0; + } + else if (ip->ip->family == AF_INET6) + { + if (ip->bits < 32 ) + { + i=0; + } + else if (ip->bits < 64) + { + i=1; + } + else if (ip->bits < 96) + { + i=2; + } + else + { + i=3; + } + } + else + { + return 0; + } + local_index = ip->ip->ip32[i] << (ip->bits %32); + index = local_index >> (ARCH_WIDTH - sub_table->width); + } +#else + IPLOOKUP iplu; + /* Index is determined by the highest 'len' bits in 'ip' */ + index = *ip >> (ARCH_WIDTH - sub_table->width); +#endif + + /* Check if this is the last table to traverse to */ + if(sub_table->width >= cur_len) + { + + /* Calculate how many entries need to be removed (filled with 0) + * in this table. If the table is 24 bits wide, and the entry + * is 20 bytes long, 2^4 entries need to be filled. */ + fill = 1 << (sub_table->width - cur_len); + + index = (index >> (sub_table->width - cur_len)) << + (sub_table->width - cur_len); + + fill += index; + + /* Remove and overwrite without consedering CIDR specificity*/ + if(behavior == RT_FAVOR_TIME) + { + valueIndex = _dir_remove_all(&root_table->allocated, index, fill, length, sub_table); + } + /* Remove and overwrite only less specific CIDR */ + else + { + valueIndex = _dir_remove_less_specific(&root_table->allocated, index, fill, length, sub_table); + } + } + else + { + /* traverse to a next sub-table down*/ + + dir_sub_table_t *next_sub = (dir_sub_table_t *)sub_table->entries[index]; + + /*subtable was never added. */ + if(!next_sub || sub_table->lengths[index]) + { + return 0; + } + /* Recurse to next level. 
Rightshift off appropriate number of + * bits and update the length accordingly. */ +#ifdef SUP_IP6 + ip->bits += sub_table->width; + valueIndex = _dir_sub_remove(ip, length, + cur_len - sub_table->width, current_depth+1, + behavior, next_sub, root_table); +#else + iplu = *ip << sub_table->width; + valueIndex = _dir_sub_remove(&iplu, length, + cur_len - sub_table->width, current_depth+1, + behavior, next_sub, root_table); +#endif + if (!next_sub->filledEntries) + { + _sub_table_free(&root_table->allocated, next_sub); + sub_table->entries[index] = 0; + sub_table->lengths[index] = 0; + sub_table->filledEntries--; + root_table->cur_num--; + } + } + + return valueIndex; +} + +/* Remove entry into DIR-n-m tables + * @param ip IP address structure + * @param len Number of bits of the IP used for lookup + * @param behavior RT_FAVOR_SPECIFIC or RT_FAVOR_TIME + * @param table The table that describes all, returned by dir_new + * @return index to data or 0 on failure. Calling function should check for 0 since + * this is valid index for failed operation. + */ +word sfrt_dir_remove(IP ip, int len, int behavior, void *table) +{ + dir_table_t *root = (dir_table_t*)table; +#ifdef SUP_IP6 + IPLOOKUP iplu; + iplu.ip = ip; + iplu.bits = 0; +#else + IPLOOKUP iplu = ip; +#endif + + /* Validate arguments */ + if(!root || !root->sub_table) + { + return 0; + } + + /* Find the sub table in which to remove */ + return _dir_sub_remove(&iplu, len, len, 0, behavior, root->sub_table, root); +} + diff -Nru snort-2.9.0.1/src/sfutil/sfrt_dir.h snort-2.9.2/src/sfutil/sfrt_dir.h --- snort-2.9.0.1/src/sfutil/sfrt_dir.h 2010-01-26 10:10:28.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrt_dir.h 2011-11-21 12:15:24.000000000 -0800 
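Review bot: In `_dir_sub_remove`'s SUP_IP6 branch `local_index` is a `uint32_t` but is shifted right by `ARCH_WIDTH - sub_table->width`; the sibling sfrt_flat_dir.c in this diff defines `ARCH_WIDTH` as 64 when `SIZEOF_UNSIGNED_LONG_INT == 8`, and if this file's definition (outside the hunk) matches, that is a shift of 32 or more on a 32-bit operand, which is undefined and produces a wrong index on LP64 builds. `index = local_index >> (sizeof(local_index) * 8 - sub_table->width);` ties the shift to the operand's width and is correct either way. `_sub_table_print` writes `label[level*5]` into a 100-byte buffer with no bound on `level`; the table shapes in this diff stop at 16 levels, but `if (level * 5 >= sizeof(label)) level = (sizeof(label) - 1) / 5;` makes the debug printer safe for any future dimension list. The `%d` conversions for `filledEntries`/`dataIndex` take `uint32_t` values and should be `%u`.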
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -24,19 +24,16 @@ * @author Adam Keeton <akeeton@sourcefire.com> * @date Thu July 20 10:16:26 EDT 2006 * - * The implementation uses an multibit-trie that is similar to Gupta et-al's + * The implementation uses an multibit-trie that is similar to Gupta et-al's * DIR-n-m. */ #ifndef SFRT_DIR_H_ #define SFRT_DIR_H_ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif /*******************************************************************/ -/* DIR-n-m data structures - * Each table in the DIR-n-m method is represented by a +/* DIR-n-m data structures + * Each table in the DIR-n-m method is represented by a * dir_sub_table_t. They are managed by a dir_table_t. */ typedef struct { @@ -44,10 +41,15 @@ char *lengths; int num_entries; /* Number of entries in this table */ int width; /* width of this table. */ - /* While one determines the other, this way fewer + /* While one determines the other, this way fewer * calculations are needed at runtime, since both * are used. */ int cur_num; /* Present number of used nodes */ + + /** number of entries filled including chidren sub_tables. This is used + * for freeing sub_tables when all entried are freed by delete operation. + */ + int filledEntries; } dir_sub_table_t; /* Master data structure for the DIR-n-m derivative */ 
@@ -56,7 +58,7 @@ int *dimensions; /* DIR-n-m will consist of any number of arbitrarily * long tables. This variable keeps track of the * dimensions */ - int dim_size; /* And this variable keeps track of 'dimensions''s + int dim_size; /* And this variable keeps track of 'dimensions''s * dimensions! */ uint32_t mem_cap; /* User-defined maximum memory that can be allocated * for the DIR-n-m derivative */ @@ -76,6 +78,8 @@ int sfrt_dir_insert(IP ip, int len, word data_index, int behavior, void *table); uint32_t sfrt_dir_usage(void *table); +void sfrt_dir_print(void *table); +word sfrt_dir_remove(IP ip, int len, int behavior, void *table); #endif /* SFRT_DIR_H_ */ diff -Nru snort-2.9.0.1/src/sfutil/sfrt_flat.c snort-2.9.2/src/sfutil/sfrt_flat.c --- snort-2.9.0.1/src/sfutil/sfrt_flat.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrt_flat.c 2011-10-26 07:49:57.000000000 -0700 
@@ -0,0 +1,427 @@ +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + ** + ** 9/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com> + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "sfrt_flat.h" + + +/* Create new lookup table + * @param table_flat_type Type of table. Uses the types enumeration in route.h + * @param ip_type IPv4 or IPv6. Uses the types enumeration in route.h + * @param data_size Max number of unique data entries + * + * Returns the new table. */ +table_flat_t *sfrt_flat_new(char table_flat_type, char ip_type, long data_size, uint32_t mem_cap) +{ + table_flat_t *table; + MEM_OFFSET table_ptr; + uint8_t *base; + + table_ptr = segment_malloc(sizeof(table_flat_t)); + + if(!table_ptr) + { + // return NULL; + } + + base = (uint8_t *)segment_basePtr(); + table = (table_flat_t *)(&base[table_ptr]); + +#ifndef SUP_IP6 + /* IPv6 is not supported */ + if(ip_type == IPv6) + { + segment_free(table_ptr); + return NULL; + } +#endif + + /* If this limit is exceeded, there will be no way to distinguish + * between pointers and indeces into the data table. Only + * applies to DIR-n-m. 
*/ + +#if SIZEOF_LONG_INT == 8 + if(data_size >= 0x800000000000000) +#else + if(data_size >= 0x8000000) +#endif + { + segment_free(table_ptr); + return NULL; + } + + /* mem_cap is specified in megabytes, but internally uses bytes. Convert */ + mem_cap *= 1024*1024; + + /* Maximum allowable number of stored entries */ + table->max_size = data_size; + + table->data = (INFO)segment_calloc(sizeof(INFO) * table->max_size, 1); + + if(!table->data) + { + segment_free(table_ptr); + return NULL; + } + + table->allocated = sizeof(table_flat_t) + sizeof(INFO) * table->max_size; + + table->ip_type = ip_type; + table->table_flat_type = table_flat_type; + + /* This will point to the actual table lookup algorithm */ + table->rt = 0; +#ifdef SUP_IP6 + table->rt6 = 0; +#endif + + /* index 0 will be used for failed lookups, so set this to 1 */ + table->num_ent = 1; + + /* Allocate the user-specified DIR-n-m table */ + switch(table_flat_type) + { + case DIR_24_8: + table->rt = sfrt_dir_flat_new( mem_cap, 2, 24, 8); + break; + case DIR_16x2: + table->rt = sfrt_dir_flat_new( mem_cap, 2, 16,16); + break; + case DIR_16_8x2: + table->rt = sfrt_dir_flat_new( mem_cap, 3, 16,8,8); + break; + case DIR_16_4x4: + table->rt = sfrt_dir_flat_new( mem_cap, 5, 16,4,4,4,4); + break; + case DIR_8x4: + table->rt = sfrt_dir_flat_new( mem_cap, 4, 8,8,8,8); + break; + /* There is no reason to use 4x8 except for benchmarking and + * comparison purposes. */ + case DIR_4x8: + table->rt = sfrt_dir_flat_new( mem_cap, 8, 4,4,4,4,4,4,4,4); + break; + /* There is no reason to use 2x16 except for benchmarking and + * comparison purposes. 
*/ + case DIR_2x16: + table->rt = sfrt_dir_flat_new( mem_cap, 16, + 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2); + break; +#ifdef SUP_IP6 + case DIR_16_4x4_16x5_4x4: + table->rt = sfrt_dir_flat_new(mem_cap, 5, 16,4,4,4,4); + table->rt6 = sfrt_dir_flat_new(mem_cap, 14, 16,4,4,4,4,16,16,16,16,16,4,4,4,4); + break; + case DIR_16x7_4x4: + table->rt = sfrt_dir_flat_new(mem_cap, 5, 16,4,4,4,4); + table->rt6 = sfrt_dir_flat_new(mem_cap, 11, 16,16,16,16,16,16,16,4,4,4,4); + break; + case DIR_16x8: + table->rt = sfrt_dir_flat_new(mem_cap, 2, 16,16); + table->rt6 = sfrt_dir_flat_new(mem_cap, 8, 16,16,16,16,16,16,16,16); + break; + case DIR_8x16: + table->rt = sfrt_dir_flat_new( mem_cap, 4, 16,8,4,4); + table->rt6 = sfrt_dir_flat_new(mem_cap, 16, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8); + break; +#endif + }; + + if(!table->rt) + { + segment_free(table->data); + segment_free(table_ptr); + return NULL; + } + +#ifdef SUP_IP6 + if (!table->rt6) + { + sfrt_dir_flat_free( table->rt ); + segment_free(table->data); + segment_free(table_ptr); + } +#endif + + return table; +} + +/* Free lookup table */ +void sfrt_flat_free(TABLE_PTR table_ptr) +{ + + table_flat_t *table; + uint8_t *base; + + if(!table_ptr) + { + /* What are you calling me for? 
*/ + return; + } + + base = (uint8_t *)segment_basePtr(); + table = (table_flat_t *)(&base[table_ptr]); + + if(!table->data) + { + /* This really really should not have happened */ + } + else + { + segment_free(table->data); + } + + if(!table->rt) + { + /* This should not have happened either */ + } + else + { + sfrt_dir_flat_free( table->rt ); + } + +#ifdef SUP_IP6 + if(!table->rt6) + { + /* This should not have happened either */ + } + else + { + sfrt_dir_flat_free( table->rt6 ); + } +#endif + + segment_free(table_ptr); +} + +/* Perform a lookup on value contained in "ip" */ +GENERIC sfrt_flat_lookup(void *adr, table_flat_t *table) +{ + tuple_flat_t tuple; + INFO *data; +#ifdef SUP_IP6 + sfip_t *ip; +#else + uint32_t ip; +#endif + TABLE_PTR rt = 0; + uint8_t *base; + + if(!adr) + { + return NULL; + } + + if(!table) + { + return NULL; + } + +#ifdef SUP_IP6 + ip = adr; + if (ip->family == AF_INET) + { + rt = table->rt; + } + else if (ip->family == AF_INET6) + { + rt = table->rt6; + } +#else + /* IPv6 not yet supported */ + if(table->ip_type == IPv6) + { + return NULL; + } + + ip = *(uint32_t*)adr; + rt = table->rt; +#endif + + if (!rt) + { + return NULL; + } + + tuple = sfrt_dir_flat_lookup(ip, rt); + + if(tuple.index >= table->num_ent) + { + return NULL; + } + base = (uint8_t *)segment_basePtr(); + data = (INFO *)(&base[table->data]); + if (data[tuple.index]) + return (GENERIC) &base[data[tuple.index]]; + else + return NULL; + +} + + + +/* Insert "ip", of length "len", into "table", and have it point to "ptr" */ +/* Insert "ip", of length "len", into "table", and have it point to "ptr" */ +int sfrt_flat_insert(void *adr, unsigned char len, INFO ptr, + int behavior, table_flat_t* table) +{ + int index; + int res; + INFO *data; +#ifdef SUP_IP6 + sfip_t *ip; +#else + uint32_t ip; +#endif + tuple_flat_t tuple; + TABLE_PTR rt = 0; + uint8_t *base; + + if(!adr ) + { + return RT_INSERT_FAILURE; + } + + if (len == 0) + return RT_INSERT_FAILURE; + + + if(!table || 
!table->data) + { + return RT_INSERT_FAILURE; + } + + if( (table->ip_type == IPv4 && len > 32) || + (table->ip_type == IPv6 && len > 128) ) + { + return RT_INSERT_FAILURE; + } + +#ifdef SUP_IP6 + ip = adr; +#else + ip = *(uint32_t*)adr; +#endif + + +#ifdef SUP_IP6 + if (ip->family == AF_INET) + { + rt = table->rt; + } + else if (ip->family == AF_INET6) + { + rt = table->rt6; + } +#else + rt = table->rt; +#endif + if (!rt) + { + return RT_INSERT_FAILURE; + } + + tuple = sfrt_dir_flat_lookup(ip, table->rt); + + + if(tuple.length != len) + { + + if( table->num_ent >= table->max_size) + { + return RT_POLICY_TABLE_EXCEEDED; + } + + index = table->num_ent; + table->num_ent++; + } + else + { + index = tuple.index; + } + + /* Insert value into policy table */ + base = (uint8_t *)segment_basePtr(); + data = (INFO *)(&base[table->data]); + data[index] = ptr; + + /* The actual value that is looked-up is an index + * into the data table. */ + res = sfrt_dir_flat_insert(ip, len, index, behavior, rt); + + /* Check if we ran out of memory. If so, need to decrement + * table->num_ent */ + if(res == MEM_ALLOC_FAILURE) + { + /* From the control flow above, it's possible table->num_ent was not + * incremented. It should be safe to decrement here, because the only + * time it will be incremented above is when we are potentially + * mallocing one or more new entries (It's not incremented when we + * overwrite an existing entry). 
*/ + table->num_ent--; + } + + return res; +} + +uint32_t sfrt_flat_num_entries(table_flat_t* table) +{ + if(!table) + { + return 0; + } + + if( !table->rt || !table->allocated) + { + return 0; + } + + /* There is always a root node, so subtract 1 for it */ + return table->num_ent - 1; +} + +uint32_t sfrt_flat_usage(table_flat_t *table) +{ + uint32_t usage; + if(!table || !table->rt || !table->allocated ) + { + return 0; + } + + usage = table->allocated + sfrt_dir_flat_usage( table->rt ); + +#ifdef SUP_IP6 + if (table->rt6) + { + usage += sfrt_dir_flat_usage( table->rt6 ); + } +#endif + + return usage; +} + + diff -Nru snort-2.9.0.1/src/sfutil/sfrt_flat_dir.c snort-2.9.2/src/sfutil/sfrt_flat_dir.c --- snort-2.9.0.1/src/sfutil/sfrt_flat_dir.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrt_flat_dir.c 2011-10-26 07:49:57.000000000 -0700 
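Review bot: In `sfrt_flat_new` the allocation-failure check `if(!table_ptr) { // return NULL; }` has its only statement commented out, so a failed `segment_malloc` falls through to `table = (table_flat_t *)(&base[table_ptr])` with offset 0 and the function proceeds to write `table->max_size`, `table->data`, and the rest over whatever sits at the start of the segment; restore `return NULL;`. The SUP_IP6 branch `if (!table->rt6) { ... segment_free(table_ptr); }` frees the table and then falls into `return table;`, handing the caller a freed object — it needs `return NULL;` after the frees. In `sfrt_flat_insert`, `tuple = sfrt_dir_flat_lookup(ip, table->rt);` consults the IPv4 tree even after `rt` was selected by address family, so an IPv6 insert is compared against the wrong table and can burn a fresh data slot for a prefix that already exists; it should be `sfrt_dir_flat_lookup(ip, rt)`, matching `sfrt_flat_lookup`. The same function publishes `data[index] = ptr` and bumps `num_ent` before `sfrt_dir_flat_insert` and rolls back only on MEM_ALLOC_FAILURE, so any other failure return leaks a slot — the sfrt.c hunk in this same diff switched to committing the slot only after a successful insert, and this file should follow it.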
@@ -0,0 +1,576 @@ +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + ** + ** 9/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com> + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdarg.h> /* For variadic */ +#include <stdio.h> +#include <string.h> /* For memset */ +#include "sf_types.h" +#include "sfrt_flat.h" +#include "sfrt_flat_dir.h" + +#if SIZEOF_UNSIGNED_LONG_INT == 8 +#define ARCH_WIDTH 64 +#else +#define ARCH_WIDTH 32 +#endif + +#ifdef SUP_IP6 +typedef struct { + snort_ip_p ip; + int bits; +} IPLOOKUP; +#else +typedef snort_ip_p IPLOOKUP; +#endif + +/* Create new "sub" table of 2^width entries */ +static TABLE_PTR _sub_table_flat_new(dir_table_flat_t *root, uint32_t dimension, + uint32_t prefill, uint32_t bit_length) +{ + + int width = root->dimensions[dimension]; + int len = 1 << width; + int index; + dir_sub_table_flat_t *sub; + TABLE_PTR sub_ptr; + uint8_t *base; + DIR_Entry *entries; + + /* Check if creating this node will exceed the memory cap. + * The symbols in the conditional (other than cap), come from the + * allocs below. 
*/ + if( root->mem_cap < ( root->allocated + + sizeof(dir_sub_table_flat_t) + + sizeof(DIR_Entry) * len ) || + bit_length > 128) + { + return 0; + } + + /* Set up the initial prefilled "sub table" */ + sub_ptr = segment_malloc(sizeof(dir_sub_table_flat_t)); + + if(!sub_ptr) + { + return 0; + } + + base = (uint8_t *)segment_basePtr(); + sub = (dir_sub_table_flat_t *)(&base[sub_ptr]); + + /* This keeps the width readily available rather than recalculating it + * from the number of entries during an insert or lookup */ + sub->width = width; + + /* need 2^sub->width entries */ + /* A "length" needs to be stored with each entry above. The length refers + * to how specific the insertion that set the entry was. It is necessary + * so that the entry is not overwritten by less general routing + * information if "RT_FAVOR_SPECIFIC" insertions are being performed. */ + sub->num_entries = len; + + sub->entries = segment_malloc(sizeof(DIR_Entry) * sub->num_entries); + + if(!sub->entries) + { + segment_free(sub_ptr); + return 0; + } + + entries = (DIR_Entry *)(&base[sub->entries]); + /* Can't use memset here since prefill is multibyte */ + for(index = 0; index < sub->num_entries; index++) + { + entries[index].value = prefill; + entries[index].length = (char)bit_length; + } + + sub->cur_num = 0; + + root->allocated += sizeof(dir_sub_table_flat_t) + sizeof(DIR_Entry) * sub->num_entries; + + root->cur_num++; + + return sub_ptr; +} + +/* Create new dir-n-m root table with 'count' depth */ +TABLE_PTR sfrt_dir_flat_new(uint32_t mem_cap, int count,...) 
+{ + va_list ap; + uint32_t val; + int index; + TABLE_PTR table_ptr; + dir_table_flat_t* table; + uint8_t *base; + + table_ptr = segment_malloc(sizeof(dir_table_flat_t)); + + if(!table_ptr) + { + return 0; + } + + base = (uint8_t *)segment_basePtr(); + table = (dir_table_flat_t *)(&base[table_ptr]); + + table->allocated = 0; + + table->dim_size = count; + + va_start(ap, count); + + for(index=0; index < count; index++) + { + val = va_arg(ap, int); + table->dimensions[index] = val; + } + + va_end(ap); + + table->mem_cap = mem_cap; + + table->cur_num = 0; + + table->sub_table = _sub_table_flat_new(table, 0, 0, 0); + + if(!table->sub_table) + { + segment_free(table_ptr); + return 0; + } + + table->allocated += sizeof(dir_table_flat_t) + sizeof(int)*count; + + return table_ptr; +} + +/* Traverse "sub" tables, freeing each */ +static void _sub_table_flat_free(uint32_t *allocated, SUB_TABLE_PTR sub_ptr) +{ + int index; + dir_sub_table_flat_t *sub; + uint8_t *base; + + base = (uint8_t *)segment_basePtr(); + sub = (dir_sub_table_flat_t *)(&base[sub_ptr]); + + sub->cur_num--; + + for(index=0; index < sub->num_entries; index++) + { + /* The following condition will only be true if + * this entry is a pointer */ + DIR_Entry *entry = (DIR_Entry *)(&base[sub->entries]); + if( !entry[index].length && entry[index].value ) + { + _sub_table_flat_free( allocated, entry[index].value); + } + } + + if(sub->entries) + { + /* This probably does not need to be checked + * since if it was not allocated, we would have errored out + * in _sub_table_flat_new */ + segment_free(sub->entries); + + *allocated -= sizeof(DIR_Entry) * sub->num_entries; + } + + + segment_free(sub_ptr); + + *allocated -= sizeof(dir_sub_table_flat_t); +} + +/* Free the DIR-n-m structure */ +void sfrt_dir_flat_free(TABLE_PTR tbl_ptr) +{ + dir_table_flat_t *table; + uint8_t *base; + + if(!tbl_ptr) + { + return; + } + + base = (uint8_t *)segment_basePtr(); + table = (dir_table_flat_t *)(&base[tbl_ptr]); + + 
if(table->sub_table) + { + _sub_table_flat_free(&table->allocated, table->sub_table); + } + + segment_free(tbl_ptr); +} + +static inline void _dir_fill_all(uint32_t *allocated, uint32_t index, uint32_t fill, + word length, uint32_t val, SUB_TABLE_PTR sub_ptr) +{ + dir_sub_table_flat_t *subtable; + uint8_t *base; + + base = (uint8_t *)segment_basePtr(); + subtable = (dir_sub_table_flat_t *)(&base[sub_ptr]); + + /* Fill entries */ + for(; index < fill; index++) + { + /* Before overwriting this entry, verify there's not an existing + * pointer ... otherwise free it to avoid a huge memory leak. */ + DIR_Entry *entry = (DIR_Entry *)(&base[subtable->entries]); + if( entry[index].value && !entry[index].length) + { + _sub_table_flat_free(allocated, entry[index].value); + } + + entry[index].value = val; + entry[index].length = (char)length; + } +} + +static inline void _dir_fill_less_specific(int index, int fill, + word length, uint32_t val, SUB_TABLE_PTR sub_ptr) +{ + + dir_sub_table_flat_t *subtable; + uint8_t *base; + + base = (uint8_t *)segment_basePtr(); + subtable = (dir_sub_table_flat_t *)(&base[sub_ptr]); + + /* Fill entries */ + for(; index < fill; index++) + { + /* If we encounter a pointer, and we're inserting at this level, we + * automatically know that this entry refers to more specific + * information. However, there might only be one more specific entry + * in the entire block, meaning the rest must be filled. + * + * For instance, imagine a 24-8 with 1.2.3/24 -> A and 1.2.3.4/32 -> B + * There will be a pointer at 1.2.3 in the first table. The second + * table needs to have 255 entries pointing A, and 1 entry pointing to + * B. + * + * Therefore, recurse to this next level. 
*/ + DIR_Entry *entry = (DIR_Entry *)(&base[subtable->entries]); + if( entry[index].value && !entry[index].length) + { + + dir_sub_table_flat_t *next = (dir_sub_table_flat_t*)(&base[entry[index].value]); + _dir_fill_less_specific(0, 1 << next->width, length, val, entry[index].value); + } + + + else if(length >= (unsigned)entry[index].length) + { + entry[index].value = val; + entry[index].length = (char)length; + } + } +} + +/* Sub table insertion + * This is called by dir_insert and recursively to find the the sub table + * that should house the value "ptr" + * @param ip IP address structure + * @param cur_len Number of bits of the IP left at this depth + * @param length Number of bits of the IP used to specify this CIDR + * @param ptr Information to be associated with this IP range + * @param master_table The table that describes all, returned by dir_new */ +static int _dir_sub_insert(IPLOOKUP *ip, int length, int cur_len, INFO ptr, + int current_depth, int behavior, + SUB_TABLE_PTR sub_ptr, dir_table_flat_t *root_table) +{ + + word index; + uint32_t fill; + uint8_t *base = (uint8_t *)segment_basePtr(); + dir_sub_table_flat_t *sub_table = (dir_sub_table_flat_t *)(&base[sub_ptr]); + +#ifdef SUP_IP6 + { + uint32_t local_index, i; + /* need to handle bits usage across multiple 32bit vals within IPv6. 
*/ + if (ip->ip->family == AF_INET) + { + i=0; + } + else if (ip->ip->family == AF_INET6) + { + if (ip->bits < 32 ) + { + i=0; + } + else if (ip->bits < 64) + { + i=1; + } + else if (ip->bits < 96) + { + i=2; + } + else + { + i=3; + } + } + else + { + return RT_INSERT_FAILURE; + } + local_index = ip->ip->ip32[i] << (ip->bits %32); + index = local_index >> (ARCH_WIDTH - sub_table->width); + } +#else + IPLOOKUP iplu; + /* Index is determined by the highest 'len' bits in 'ip' */ + index = *ip >> (ARCH_WIDTH - sub_table->width); +#endif + + /* Check if this is the last table to traverse to */ + if(sub_table->width >= cur_len) + { + /* Calculate how many entries need to be filled + * in this table. If the table is 24 bits wide, and the entry + * is 20 bytes long, 2^4 entries need to be filled. */ + fill = 1 << (sub_table->width - cur_len); + + index = (index >> (sub_table->width - cur_len)) << + (sub_table->width - cur_len); + + fill += index; + + /* Favor most recent CIDR */ + if(behavior == RT_FAVOR_TIME) + { + _dir_fill_all(&root_table->allocated, index, fill, length, + (word)ptr, sub_ptr); + } + /* Fill over less specific CIDR */ + else + { + _dir_fill_less_specific(index, fill, length, (word)ptr, sub_ptr); + } + } + /* Need to traverse to a sub-table */ + else + { + dir_sub_table_flat_t *next_sub; + DIR_Entry *entry = (DIR_Entry *)(&base[sub_table->entries]); + next_sub = (dir_sub_table_flat_t *)(&base[entry[index].value]); + + /* Check if we need to alloc a new sub table. 
+ * If next_sub was 0/NULL, there's no entry at this index + * If the length is non-zero, there is an entry */ + if(!entry[index].value || entry[index].length) + { + if( root_table->dim_size <= current_depth ) + { + return RT_INSERT_FAILURE; + } + + entry[index].value = + (word) _sub_table_flat_new(root_table, current_depth+1, + (word) entry[index].value, entry[index].length); + + sub_table->cur_num++; + + entry[index].length = 0; + + next_sub = (dir_sub_table_flat_t *)(&base[entry[index].value]); + + if(!entry[index].value) + { + return MEM_ALLOC_FAILURE; + } + } + /* Recurse to next level. Rightshift off appropriate number of + * bits and update the length accordingly. */ +#ifdef SUP_IP6 + ip->bits += sub_table->width; + return (_dir_sub_insert(ip, length, + cur_len - sub_table->width, ptr, current_depth+1, + behavior, entry[index].value, root_table)); +#else + iplu = *ip << sub_table->width; + return ( _dir_sub_insert(&iplu, length, + cur_len - sub_table->width, ptr, current_depth+1, + behavior, entry[index].value, root_table)); +#endif + } + + return RT_SUCCESS; +} + +/* Insert entry into DIR-n-m tables + * @param ip IP address structure + * @param len Number of bits of the IP used for lookup + * @param ptr Information to be associated with this IP range + * @param master_table The table that describes all, returned by dir_new */ +int sfrt_dir_flat_insert(snort_ip_p ip, int len, word data_index, + int behavior, TABLE_PTR table_ptr) +{ + dir_table_flat_t *root; + + uint8_t *base; + + + +#ifdef SUP_IP6 + IPLOOKUP iplu; + iplu.ip = ip; + iplu.bits = 0; +#else + IPLOOKUP iplu = ip; +#endif + + base = (uint8_t *)segment_basePtr(); + root = (dir_table_flat_t *)(&base[table_ptr]); + /* Validate arguments */ + if(!root || !root->sub_table) + { + return DIR_INSERT_FAILURE; + } + + /* Find the sub table in which to insert */ + return _dir_sub_insert(&iplu, len, len, data_index, + 0, behavior, root->sub_table, root); +} + +/* Traverse sub tables looking for match */ +/* 
Called by dir_lookup and recursively */ +static tuple_flat_t _dir_sub_flat_lookup(IPLOOKUP *ip, TABLE_PTR table_ptr) +{ + word index; + uint8_t *base = (uint8_t *)segment_basePtr(); + DIR_Entry *entry; + dir_sub_table_flat_t *table = (dir_sub_table_flat_t *)(&base[table_ptr]); + +#ifdef SUP_IP6 + { + uint32_t local_index, i; + /* need to handle bits usage across multiple 32bit vals within IPv6. */ + if (ip->ip->family == AF_INET) + { + i=0; + } + else if (ip->ip->family == AF_INET6) + { + if (ip->bits < 32 ) + { + i=0; + } + else if (ip->bits < 64) + { + i=1; + } + else if (ip->bits < 96) + { + i=2; + } + else + { + i=3; + } + } + else + { + tuple_flat_t ret = { 0, 0 }; + return ret; + } + local_index = ip->ip->ip32[i] << (ip->bits %32); + index = local_index >> (ARCH_WIDTH - table->width); + } +#else + IPLOOKUP iplu; + index = *ip >> (ARCH_WIDTH - table->width); +#endif + entry = (DIR_Entry *)(&base[table->entries]); + + if( !entry[index].value || entry[index].length ) + { + tuple_flat_t ret; + ret.index = entry[index].value; + ret.length = (word)entry[index].length; + return ret; + } + +#ifdef SUP_IP6 + ip->bits += table->width; + return _dir_sub_flat_lookup( ip, entry[index].value); +#else + iplu = *ip << table->width; + return _dir_sub_flat_lookup( &iplu, entry[index].value); +#endif +} + +/* Lookup information associated with the value "ip" */ +tuple_flat_t sfrt_dir_flat_lookup(snort_ip_p ip, TABLE_PTR table_ptr) +{ + dir_table_flat_t *root; + uint8_t *base = (uint8_t *)segment_basePtr(); +#ifdef SUP_IP6 + IPLOOKUP iplu; + iplu.ip = ip; + iplu.bits = 0; +#else + IPLOOKUP iplu = ip; +#endif + + if(!table_ptr ) + { + tuple_flat_t ret = { 0, 0 }; + return ret; + } + + root = (dir_table_flat_t *)(&base[table_ptr]); + + if(!root->sub_table) + { + tuple_flat_t ret = { 0, 0 }; + return ret; + } + + return _dir_sub_flat_lookup(&iplu, root->sub_table); +} + + +uint32_t sfrt_dir_flat_usage(TABLE_PTR table_ptr) +{ + dir_table_flat_t *table; + uint8_t *base; + 
if(!table_ptr)
+ {
+ return 0;
+ }
+ base = (uint8_t *)segment_basePtr();
+ table = (dir_table_flat_t *)(&base[table_ptr]);
+ return ((dir_table_flat_t*)(table))->allocated;
+}
+
diff -Nru snort-2.9.0.1/src/sfutil/sfrt_flat_dir.h snort-2.9.2/src/sfutil/sfrt_flat_dir.h
--- snort-2.9.0.1/src/sfutil/sfrt_flat_dir.h 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/sfutil/sfrt_flat_dir.h 2011-10-26 07:49:57.000000000 -0700
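Review bot: `index = local_index >> (ARCH_WIDTH - sub_table->width);` in `_dir_sub_insert` (and the same expression in `_dir_sub_flat_lookup`) shifts the explicitly 32-bit `local_index` by `64 - width` whenever `ARCH_WIDTH` is 64, i.e. by 32 or more bits on a 32-bit operand, which is undefined behaviour that only yields the intended index on CPUs that mask the shift count; since the operand is `uint32_t`, the shift should be relative to that width, `index = local_index >> (32 - sub_table->width);`, in both functions (the `#else` path depends on the width of `snort_ip_p`, which is not visible here). Separately, in the sub-table branch of `_dir_sub_insert` the `MEM_ALLOC_FAILURE` test runs after `entry[index].value` has been overwritten, `entry[index].length` zeroed and `sub_table->cur_num` incremented, so a failed allocation leaves the entry pointing at offset 0 with length 0 instead of its previous data index; store the `_sub_table_flat_new` result in a local and test it before touching the entry or the counter. `sfrt_dir_flat_new` also copies `count` varargs into `table->dimensions`, a 20-element array in the header, without checking `count`, so a caller passing more dimensions writes past the array; an early `if (count > 20) { segment_free(table_ptr); return 0; }` (or a named bound) is needed. If `segment_malloc` can relocate the segment, the `base`/`entry` pointers captured before the `_sub_table_flat_new` call are also stale afterwards — worth a comment either way.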
@@ -0,0 +1,84 @@ +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + ** + ** 9/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com> + */ + +#ifndef SFRT_DIR_FLAT_H_ +#define SFRT_DIR_FLAT_H_ + +#include "sfrt_flat.h" +#include "sfrt.h" + +typedef MEM_OFFSET SUB_TABLE_PTR; +typedef MEM_OFFSET ENTRIES_PTR; + +typedef struct +{ + MEM_OFFSET value; + char length; + +}DIR_Entry; + +/*******************************************************************/ +/* DIR-n-m data structures + * Each table in the DIR-n-m method is represented by a + * dir_sub_table_t. They are managed by a dir_table_t. */ +typedef struct +{ + int num_entries; /* Number of entries in this table */ + int width; /* width of this table. */ + /* While one determines the other, this way fewer + * calculations are needed at runtime, since both + * are used. */ + int cur_num; /* Present number of used nodes */ + + ENTRIES_PTR entries; + +} dir_sub_table_flat_t; + +/* Master data structure for the DIR-n-m derivative */ +typedef struct +{ + int dimensions[20]; /* DIR-n-m will consist of any number of arbitrarily + * long tables. 
This variable keeps track of the + * dimensions */ + int dim_size; /* And this variable keeps track of 'dimensions''s + * dimensions! */ + uint32_t mem_cap; /* User-defined maximum memory that can be allocated + * for the DIR-n-m derivative */ + + int cur_num; /* Present number of used nodes */ + + uint32_t allocated; + + SUB_TABLE_PTR sub_table; +} dir_table_flat_t; + +/*******************************************************************/ +/* DIR-n-m functions, these are not intended to be called directly */ +TABLE_PTR sfrt_dir_flat_new(uint32_t mem_cap, int count,...); +void sfrt_dir_flat_free(TABLE_PTR); +tuple_flat_t sfrt_dir_flat_lookup(snort_ip_p ip, TABLE_PTR table); +int sfrt_dir_flat_insert(snort_ip_p ip, int len, word data_index, + int behavior, TABLE_PTR); +uint32_t sfrt_dir_flat_usage(TABLE_PTR); + +#endif /* SFRT_DIR_FLAT_H_ */ + diff -Nru snort-2.9.0.1/src/sfutil/sfrt_flat.h snort-2.9.2/src/sfutil/sfrt_flat.h --- snort-2.9.0.1/src/sfutil/sfrt_flat.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrt_flat.h 2011-10-26 07:49:57.000000000 -0700 
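Review bot: `DIR_Entry.length` is a plain `char`, but the `.c` side stores prefix lengths up to 128 in it (`_sub_table_flat_new` rejects only `bit_length > 128`), and 128 does not fit in a signed `char`; where `char` is signed it becomes -128, and the `(unsigned)entry[index].length` comparison in `_dir_fill_less_specific` then treats it as a huge length. Declaring it `uint8_t length;` (with the matching casts in the `.c` adjusted) removes the implementation-defined signedness. `int dimensions[20];` would also read better as a named constant, e.g. `#define DIR_MAX_DIMENSIONS 20`, which `sfrt_dir_flat_new` could then check its `count` argument against.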
@@ -0,0 +1,195 @@ +/* + ** Copyright (C) 2011-2011 Sourcefire, Inc. + ** + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + ** + ** 9/7/2011 - Initial implementation ... Hui Cao <hcao@sourcefire.com> + ** + ** This is based on the original sfrt.h, but using the flat segment memory. + ** When allocating memory, it uses memory in the segment, and returns + ** the offset. + ** When accessing memory, it must use the base address and offset to + ** correctly refer to it. + */ + +#ifndef _SFRT_FLAT_H_ +#define _SFRT_FLAT_H_ + +#include <stdlib.h> +#include <sys/types.h> +#include "snort_debug.h" +#include "ipv6_port.h" +#include "segment_mem.h" + +typedef MEM_OFFSET INFO; /* To be replaced with a pointer to a policy */ +typedef MEM_OFFSET FLAT_INDEX; +typedef MEM_OFFSET TABLE_PTR; + +typedef struct { + FLAT_INDEX index; + int length; +} tuple_flat_t; + +#include "sfrt_flat_dir.h" + + + +/*******************************************************************/ +/* Master table struct. 
Abstracts DIR and LC-trie methods */ +typedef struct { + uint32_t num_ent; /* Number of entries in the policy table */ + uint32_t max_size; /* Max size of policies array */ + char ip_type; /* Only IPs of this family will be used */ + char table_flat_type; + char mem_type; + uint32_t allocated; + INFO data; /* data table. Each IP points to an entry here */ + TABLE_PTR rt; /* Actual "routing" table */ +#ifdef SUP_IP6 + TABLE_PTR rt6; /* Actual "routing" table */ +#endif + +} table_flat_t; +/*******************************************************************/ + +/* Abstracted routing table API */ +table_flat_t * sfrt_flat_new(char table_flat_type, char ip_type, + long data_size, uint32_t mem_cap); +void sfrt_flat_free(TABLE_PTR table); +GENERIC sfrt_flat_lookup(void *adr, table_flat_t *table); +int sfrt_flat_insert(void *adr, unsigned char len, INFO ptr, int behavior, + table_flat_t *table); +uint32_t sfrt_flat_usage(table_flat_t *table); +uint32_t sfrt_flat_num_entries(table_flat_t *table); + +/* Perform a lookup on value contained in "ip" + * For performance reason, we use this simplified version instead of sfrt_lookup + * Note: this only applied to table setting: DIR_8x16 (DIR_16_8_4x2 for IPV4), DIR_8x4*/ +static inline GENERIC sfrt_flat_dir8x_lookup(void *adr, table_flat_t* table) { + dir_sub_table_flat_t *subtable; + DIR_Entry *entry; + uint8_t *base = (uint8_t *) table; + int i; +#ifdef SUP_IP6 + sfip_t *ip; +#else + uint8_t *ip; +#endif + dir_table_flat_t *rt = NULL; + int index; + INFO *data = (INFO *) (&base[table->data]); + +#ifdef SUP_IP6 + ip = adr; + if (ip->family == AF_INET) + { + rt = (dir_table_flat_t *)(&base[table->rt]); + subtable = (dir_sub_table_flat_t *)(&base[rt->sub_table]); + /* 16 bits*/ + index = ntohs(ip->ip16[0]); + entry = (DIR_Entry *)(&base[subtable->entries]); + if( !entry[index].value || entry[index].length) + { + if (data[entry[index].value]) + return (GENERIC) &base[data[entry[index].value]]; + else + return NULL; + } + subtable = 
(dir_sub_table_flat_t *)(&base[entry[index].value]); + + /* 8 bits*/ + index = ip->ip8[2]; + entry = (DIR_Entry *)(&base[subtable->entries]); + if( !entry[index].value || entry[index].length) + { + if (data[entry[index].value]) + return (GENERIC) &base[data[entry[index].value]]; + else + return NULL; + } + subtable = (dir_sub_table_flat_t *)(&base[entry[index].value]); + + /* 4 bits */ + index = ip->ip8[3] >> 4; + entry = (DIR_Entry *)(&base[subtable->entries]); + if( !entry[index].value || entry[index].length) + { + if (data[entry[index].value]) + return (GENERIC) &base[data[entry[index].value]]; + else + return NULL; + } + subtable = (dir_sub_table_flat_t *)(&base[entry[index].value]); + + /* 4 bits */ + index = ip->ip8[3] & 0xF; + entry = (DIR_Entry *)(&base[subtable->entries]); + if( !entry[index].value || entry[index].length) + { + if (data[entry[index].value]) + return (GENERIC) &base[data[entry[index].value]]; + else + return NULL; + } + subtable = (dir_sub_table_flat_t *)(&base[entry[index].value]); + + } + else if (ip->family == AF_INET6) + { + + rt = (dir_table_flat_t *)(&base[table->rt6]); + subtable = (dir_sub_table_flat_t *)(&base[rt->sub_table]); + for (i = 0; i < 16; i++) + { + index = ip->ip8[i]; + entry = (DIR_Entry *)(&base[subtable->entries]); + if( !entry[index].value || entry[index].length) + { + if (data[entry[index].value]) + return (GENERIC) &base[data[entry[index].value]]; + else + return NULL; + } + subtable = (dir_sub_table_flat_t *)(&base[entry[index].value]); + } + } +#else + /* IPv6 not yet supported */ + if (table->ip_type == IPv6) { + return NULL; + } + ip = (uint8_t*) adr; + rt = (dir_table_flat_t *) (&base[table->rt]); + subtable = (dir_sub_table_flat_t *) (&base[rt->sub_table]); + for (i = 0; i < 4; i++) { + index = ip[i]; + entry = (DIR_Entry *) (&base[subtable->entries]); + if (!entry[index].value || entry[index].length) + { + if (data[entry[index].value]) + return (GENERIC) &base[data[entry[index].value]]; + else + return NULL; 
+ } + subtable = (dir_sub_table_flat_t *) (&base[entry[index].value]); + } +#endif +return NULL; + +} +#endif + diff -Nru snort-2.9.0.1/src/sfutil/sfrt.h snort-2.9.2/src/sfutil/sfrt.h --- snort-2.9.0.1/src/sfutil/sfrt.h 2010-04-06 07:05:51.000000000 -0700 +++ snort-2.9.2/src/sfutil/sfrt.h 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -24,20 +24,20 @@ * @author Adam Keeton <akeeton@sourcefire.com> * @date Thu July 20 10:16:26 EDT 2006 * - * SFRT implements two different routing table lookup methods that have been - * adapted to return a void pointers. Any generic information may be + * SFRT implements two different routing table lookup methods that have been + * adapted to return a void pointers. Any generic information may be * associated with a given IP or CIDR block. * - * As of this writing, the two methods used are Stefan Nilsson and Gunnar - * Karlsson's LC-trie, and a multibit-trie method similar to Gupta et-al.'s + * As of this writing, the two methods used are Stefan Nilsson and Gunnar + * Karlsson's LC-trie, and a multibit-trie method similar to Gupta et-al.'s * DIR-n-m. Presently, the LC-trie is used for testing purposes as the * current implementation does not allow for fast, dynamic inserts. * * The intended use is to associate large IP blocks with specific information; - * such as what may be written into the table by RNA. + * such as what may be written into the table by RNA. * * NOTE: information should only move from less specific to more specific, ie: - * + * * First insert: 1.1.0.0/16 -> some data * Second insert: 1.1.2.3 -> some other data * 
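Review bot: `sfrt_flat_dir8x_lookup` indexes each level with hard-coded widths (16, 8, 4, 4 for IPv4, one byte per level for IPv6) but never checks `table->table_flat_type`, so calling it on a table built with other dimensions indexes `entries[]` beyond the sub-table's allocation; the comment states the restriction, but an early `if (table->table_flat_type != <expected type>) return NULL;` would enforce it, and `table->rt`/`table->rt6` are resolved through the offset without a zero check. `uint8_t *base = (uint8_t *) table;` also treats the table struct itself as the segment base, whereas every other function in this change uses `segment_basePtr()`; if `table_flat_t` is not guaranteed to sit at offset 0 of the segment, every offset here resolves to the wrong address — at minimum the assumption deserves a comment such as `/* table_flat_t is the first object in the segment, so it doubles as the base */`, if that is indeed the invariant.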
@@ -46,49 +46,49 @@ * First insert: 1.1.2.3 -> some other data * Second insert: 1.1.0.0/16 -> some data * - * If more general information is to overwrite existing entries, the table - * should be free'ed and rebuilt. This is due to the difficulty of cleaning + * If more general information is to overwrite existing entries, the table + * should be free'ed and rebuilt. This is due to the difficulty of cleaning * out stale entries with the current implementation. At runtime, this won't * be a significant issue since inserts should apply to specific IP addresses * and not entire blocks of IPs. - * + * * * Implementation: * - * The routing tables associate an index into a "data" table with each CIDR. - * Each entry in the data table stores a pointer to actual data. This - * implementation was chosen so each routing entry only needs one word to - * either index the data array, or point to another table. - * + * The routing tables associate an index into a "data" table with each CIDR. + * Each entry in the data table stores a pointer to actual data. This + * implementation was chosen so each routing entry only needs one word to + * either index the data array, or point to another table. + * * Inserts are performed by specifying a CIDR and a pointer to its associated - * data. Since a new routing table entry may overwrite previous entries, + * data. Since a new routing table entry may overwrite previous entries, * a flag selects whether the insert favors the most recent or favors the most - * specific. Favoring most specific should be the default behvior. If - * the user wishes to overwrite routing entries with more general data, the + * specific. Favoring most specific should be the default behvior. If + * the user wishes to overwrite routing entries with more general data, the * table should be flushed, rather than using favor-most-recent. - * + * * Before modifying the routing or data tables, the insert function performs a - * lookup on the CIDR-to-be-insertted. 
If no entry or an entry *of differing + * lookup on the CIDR-to-be-insertted. If no entry or an entry *of differing * bit length* is found, the data is insertted into the data table, and its - * index is used for the new routing table entry. If an entry is found that - * is as specific as the new CIDR, the index stored points to where the new + * index is used for the new routing table entry. If an entry is found that + * is as specific as the new CIDR, the index stored points to where the new * data is written into the data table. - * - * If more specific CIDR blocks overwrote the data table, then the more + * + * If more specific CIDR blocks overwrote the data table, then the more * general routing table entries that were not overwritten will be referencing * the wrong data. Alternatively, less specific entries can only overwrite * existing routing table entries if favor-most-recent inserts are used. * * Because there is no quick way to clean the data-table if a user wishes to * use a favor-most-recent insert for more general data, the user should flush - * the table with sfrt_free and create one anew. Alternatively, a small + * the table with sfrt_free and create one anew. Alternatively, a small * memory leak occurs with the data table, as it will be storing pointers that * no routing table entry cares about. * * - * The API calls that should be used are: + * The API calls that should be used are: * sfrt_new - create new table - * sfrt_insert - insert entry + * sfrt_insert - insert entry * sfrt_lookup - lookup entry * sfrt_free - free table */ @@ -96,14 +96,10 @@ #ifndef _SFRT_H_ #define _SFRT_H_ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - #include <stdlib.h> #include <sys/types.h> #include "sfrt_trie.h" -#include "debug.h" +#include "snort_debug.h" #include "ipv6_port.h" #ifdef SUP_IP6 
@@ -154,13 +150,13 @@ RT_POLICY_TABLE_EXCEEDED, DIR_INSERT_FAILURE, DIR_LOOKUP_FAILURE, - MEM_ALLOC_FAILURE + MEM_ALLOC_FAILURE, #ifdef SUPPORT_LCTRIE - , LCT_COMPILE_FAILURE, LCT_INSERT_FAILURE, - LCT_LOOKUP_FAILURE + LCT_LOOKUP_FAILURE, #endif + RT_REMOVE_FAILURE }; /* Defined in sfrt.c */ @@ -179,8 +175,10 @@ GENERIC *data; /* data table. Each IP points to an entry here */ uint32_t num_ent; /* Number of entries in the policy table */ uint32_t max_size; /* Max size of policies array */ + uint32_t lastAllocatedIndex; /* Index allocated last. Search for unused index + starts from this value and then wraps around at max_size.*/ char ip_type; /* Only IPs of this family will be used */ - char table_type; + char table_type; uint32_t allocated; void *rt; /* Actual "routing" table */ @@ -188,10 +186,12 @@ void *rt6; /* Actual "routing" table */ #endif - tuple_t (*lookup)(IP ip, GENERIC); - int (*insert)(IP ip, int len, word index, int behavior, GENERIC); - void (*free)(void *); - uint32_t (*usage)(void *); + tuple_t (*lookup)(IP ip, GENERIC tbl); + int (*insert)(IP ip, int len, word index, int behavior, GENERIC tbl); + void (*free)(GENERIC tbl); + uint32_t (*usage)(GENERIC tbl); + void (*print)(GENERIC tbl); + word (*remove)(IP ip, int len, int behavior, GENERIC tbl); } table_t; /*******************************************************************/ 
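Review bot: The new `remove` member returns `word` while the public `sfrt_remove` declared in the following hunk returns `int`, and neither `remove` nor `print` carries a comment on its contract, unlike the documented fields above them. A one-line comment per member stating what `remove` returns (for instance whether it is the freed data-table index and what is returned on no match) and what `print` emits would help anyone implementing a `table_t` backend; the `int`/`word` mismatch is worth a sentence too if it is intentional.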
@@ -207,10 +207,102 @@ int sfrt_iterate2(table_t* table, sfrt_iterator_callback3 userfunc); void sfrt_cleanup(table_t* table, sfrt_iterator_callback userfunc); void sfrt_cleanup2(table_t*, sfrt_iterator_callback2, void *); -int sfrt_insert(void *adr, unsigned char len, GENERIC ptr, +int sfrt_insert(void *adr, unsigned char len, GENERIC ptr, + int behavior, table_t *table); +int sfrt_remove(void *adr, unsigned char len, GENERIC *ptr, int behavior, table_t *table); uint32_t sfrt_usage(table_t *table); +void sfrt_print(table_t *table); uint32_t sfrt_num_entries(table_t *table); +/* Perform a lookup on value contained in "ip" + * For performance reason, we use this simplified version instead of sfrt_lookup + * Note: this only applied to table setting: DIR_8x16 (DIR_16_8_4x2 for IPV4), DIR_8x4*/ +static inline GENERIC sfrt_dir8x_lookup(void *adr, table_t* table) +{ + dir_sub_table_t *subtable; + int i; +#ifdef SUP_IP6 + sfip_t *ip; +#else + uint8_t *ip; +#endif + void *rt = NULL; + int index; + +#ifdef SUP_IP6 + ip = adr; + if (ip->family == AF_INET) + { + rt = table->rt; + subtable = ((dir_table_t *)rt)->sub_table; + /* 16 bits*/ + index = ntohs(ip->ip16[0]); + if( !subtable->entries[index] || subtable->lengths[index] ) + { + return table->data[subtable->entries[index]]; + } + subtable = (dir_sub_table_t *) subtable->entries[index]; + + /* 8 bits*/ + index = ip->ip8[2]; + if( !subtable->entries[index] || subtable->lengths[index] ) + { + return table->data[subtable->entries[index]]; + } + subtable = (dir_sub_table_t *) subtable->entries[index]; + + /* 4 bits */ + index = ip->ip8[3] >> 4; + if( !subtable->entries[index] || subtable->lengths[index] ) + { + return table->data[subtable->entries[index]]; + } + subtable = (dir_sub_table_t *) subtable->entries[index]; + + /* 4 bits */ + index = ip->ip8[3] & 0xF; + if( !subtable->entries[index] || subtable->lengths[index] ) + { + return table->data[subtable->entries[index]]; + } + } + else if (ip->family == AF_INET6) + { + + rt 
= table->rt6; + subtable = ((dir_table_t *)rt)->sub_table; + for (i = 0; i < 16; i++) + { + index = ip->ip8[i]; + if( !subtable->entries[index] || subtable->lengths[index] ) + { + return table->data[subtable->entries[index]]; + } + subtable = (dir_sub_table_t *) subtable->entries[index]; + } + } +#else + /* IPv6 not yet supported */ + if(table->ip_type == IPv6) + { + return NULL; + } + ip = (uint8_t*)adr; + rt = table->rt; + subtable = ((dir_table_t *)rt)->sub_table; + for (i = 0; i < 4; i++) + { + index = ip[i]; + if( !subtable->entries[index] || subtable->lengths[index] ) + { + return table->data[subtable->entries[index]]; + } + subtable = (dir_sub_table_t *) subtable->entries[index]; + } +#endif + return NULL; + +} #endif diff -Nru snort-2.9.0.1/src/sfutil/sfrt_trie.h snort-2.9.2/src/sfutil/sfrt_trie.h --- snort-2.9.0.1/src/sfutil/sfrt_trie.h 2010-01-26 10:10:29.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfrt_trie.h 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2006-2010 Sourcefire, Inc. + * Copyright (C) 2006-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -130,7 +130,7 @@ int len; int pre; int policy; -} comp_pre_t; +} comp_pre_t; /* The complete routing table data structure consists of a trie, a base vector, a prefix vector, and a next-hop table. */ 
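Review bot: sfrt_dir8x_lookup never verifies the precondition its own comment states — that `table` is laid out as DIR_8x16 / DIR_16_8_4x2 (or DIR_8x4 without SUP_IP6) — nor that `table->rt` / `table->rt6` is non-NULL, yet the first IPv4 step indexes `subtable->entries[ntohs(ip->ip16[0])]`, i.e. up to 65535 slots into whatever sub-table the routing pointer happens to reference, so a table of any other type (or one whose `rt` was never built for that family) turns into an out-of-bounds read or NULL dereference in a hot-path inline that lives in a public header. A cheap guard at the top keeps a misconfigured table from becoming a memory-safety bug: `if (!adr || !table) return NULL;` followed by a per-path check of `table->table_type` against the expected constant and `if (!rt) return NULL;` after `rt = table->rt;` / `rt = table->rt6;` (the exact enum names for the table types live in sfrt.h outside this hunk, so match them there). Every early `return table->data[subtable->entries[index]]` also returns `table->data[0]` when `entries[index]` is 0, which silently relies on data slot 0 being reserved for "no entry"; that convention is established in sfrt.c, not here, so the function comment should say so, e.g. `/* entries[] == 0 means no route: returns data[0], which sfrt_new reserves as NULL */` (confirm against sfrt_new). Whether sfrt_new leaves `rt` NULL for an IPv6-only table is not visible in this diff, which is why the NULL check is worth having regardless.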
@@ -145,23 +145,8 @@ int presize; policy_t *policy; /* the next-hop table */ int policysize; - + int dirty; /* Whether or not the table needs to be rebuilt */ }; -/* utilities */ -#ifndef boolean -#ifndef HAVE_BOOLEAN -typedef unsigned char boolean; -#endif -#endif - -#ifndef TRUE -# define TRUE 1 -#endif - -#ifndef FALSE -# define FALSE 0 -#endif - #endif diff -Nru snort-2.9.0.1/src/sfutil/sfsnprintfappend.c snort-2.9.2/src/sfutil/sfsnprintfappend.c --- snort-2.9.0.1/src/sfutil/sfsnprintfappend.c 2010-01-26 10:10:29.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfsnprintfappend.c 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfsnprintfappend.h snort-2.9.2/src/sfutil/sfsnprintfappend.h --- snort-2.9.0.1/src/sfutil/sfsnprintfappend.h 2010-01-26 10:10:29.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfsnprintfappend.h 2011-02-09 15:23:37.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2005-2010 Sourcefire, Inc. + * Copyright (C) 2005-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sf_textlog.c snort-2.9.2/src/sfutil/sf_textlog.c --- snort-2.9.0.1/src/sfutil/sf_textlog.c 2010-06-09 15:05:31.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_textlog.c 2011-06-07 17:33:20.000000000 -0700 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,12 +18,12 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** * @file sf_textlog.c * @author Russ Combs <rcombs@sourcefire.com> - * @date - * + * @date + * * @brief implements buffered text stream for logging */ @@ -33,6 +33,12 @@ #include <string.h> #include <sys/stat.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" + #include "sf_textlog.h" #include "log.h" #include "util.h" @@ -144,7 +150,7 @@ ok = fwrite(this->buf, this->pos, 1, this->file); - if ( ok == 1 ) + if ( ok == 1 ) { this->size += this->pos; TextLog_Reset(this); diff -Nru snort-2.9.0.1/src/sfutil/sf_textlog.h snort-2.9.2/src/sfutil/sf_textlog.h --- snort-2.9.0.1/src/sfutil/sf_textlog.h 2010-01-26 10:10:25.000000000 -0800 +++ snort-2.9.2/src/sfutil/sf_textlog.h 2011-06-07 17:33:20.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
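Review bot: The new `#ifdef HAVE_CONFIG_H` / `#include "config.h"` block in sf_textlog.c is placed after `<string.h>` and `<sys/stat.h>`, so any feature-test macro that config.h defines — `_FILE_OFFSET_BITS`, `_GNU_SOURCE` and similar, if Snort's configure emits them — no longer influences those system headers in this translation unit; for `<sys/stat.h>` that can mean this file sees a different `struct stat` than translation units that include config.h first. The conventional fix is to move the three config.h lines above the first system include. The same ordering (config.h after `<stdlib.h>`/`<string.h>`/`<ctype.h>`) is introduced in the sf_vartable.c and sfxhash.c hunks of this patch. Whether the generated config.h actually defines such macros is not visible here, so verify against it before treating this as benign.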
@@ -18,14 +18,14 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** * @file sf_textlog.h - * @author Russ Combs <cmg@sourcefire.com> + * @author Russ Combs <rcombs@sourcefire.com> * @date Fri Jun 27 10:34:37 2003 - * + * * @brief declares buffered text stream for logging - * + * * Declares a TextLog_*() api for buffered logging. This allows * relatively painless transition from fprintf(), fwrite(), etc. * to a buffer that is formatted in memory and written with one @@ -44,12 +44,6 @@ #include <string.h> #include <time.h> -#include "debug.h" /* for INLINE */ - -typedef int bool; -#define TRUE 1 -#define FALSE 0 - #define K_BYTES (1024) #define M_BYTES (K_BYTES*K_BYTES) #define G_BYTES (K_BYTES*M_BYTES) @@ -90,28 +84,28 @@ * helper functions *------------------------------------------------------------------- */ - static INLINE int TextLog_Tell (TextLog* this) + static inline int TextLog_Tell (TextLog* this) { return this->pos; } - - static INLINE int TextLog_Avail (TextLog* this) + + static inline int TextLog_Avail (TextLog* this) { return this->maxBuf - this->pos - 1; } - - static INLINE void TextLog_Reset (TextLog* this) - { + + static inline void TextLog_Reset (TextLog* this) + { this->pos = 0; this->buf[this->pos] = '\0'; } -static INLINE bool TextLog_NewLine (TextLog* this) +static inline bool TextLog_NewLine (TextLog* this) { return TextLog_Putc(this, '\n'); } -static INLINE bool TextLog_Puts (TextLog* this, const char* str) +static inline bool TextLog_Puts (TextLog* this, const char* str) { return TextLog_Write(this, str, strlen(str)); } diff -Nru snort-2.9.0.1/src/sfutil/sfthd.c snort-2.9.2/src/sfutil/sfthd.c --- snort-2.9.0.1/src/sfutil/sfthd.c 2010-06-09 15:05:31.000000000 -0700 +++ snort-2.9.2/src/sfutil/sfthd.c 2011-06-07 17:33:20.000000000 -0700 
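Review bot: Removing `typedef int bool;`, `TRUE`/`FALSE` and the `debug.h` include leaves sf_textlog.h declaring `static inline bool TextLog_NewLine(...)` and `TextLog_Puts(...)` in the later hunk of the same file while nothing visible in its include list (`<string.h>`, `<time.h>`) supplies `bool` any more; sf_textlog.c still compiles only because it now includes `sf_types.h` before `sf_textlog.h`, and any other includer that does not will get an undeclared-type error. A header should be self-contained, so add the provider here: `#include "sf_types.h"` next to the remaining includes (or `<stdbool.h>` if that is what sf_types.h resolves `bool` to). Lines of the header above this hunk are not visible, so if an include of sf_types.h already exists there this is moot.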
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -96,7 +96,7 @@ SFXHASH * sfthd_local_new(unsigned bytes) { SFXHASH *local_hash = - sfthd_new_hash(bytes, + sfthd_new_hash(bytes, sizeof(THD_IP_NODE_KEY), sizeof(THD_IP_NODE)); @@ -111,7 +111,7 @@ SFXHASH * sfthd_global_new(unsigned bytes) { SFXHASH *global_hash = - sfthd_new_hash(bytes, + sfthd_new_hash(bytes, sizeof(THD_IP_GNODE_KEY), sizeof(THD_IP_NODE)); @@ -253,7 +253,7 @@ free(thd); } -void * sfthd_create_rule_threshold(int id, +void * sfthd_create_rule_threshold(int id, int tracking, int type, int count, @@ -651,7 +651,7 @@ if (thd_objs->sfthd_garray[policyId] == NULL) { return -1; - } + } } if( sig_id == 0 ) @@ -687,7 +687,7 @@ return (status < -1) ? 1 : status; } -static INLINE int sfthd_test_suppress ( +static inline int sfthd_test_suppress ( THD_NODE* sfthd_node, snort_ip_p ip) { @@ -717,7 +717,7 @@ /* * Do the appropriate test for the Threshold Object Type */ -static INLINE int sfthd_test_non_suppress( +static inline int sfthd_test_non_suppress( THD_NODE* sfthd_node, THD_IP_NODE* sfthd_ip_node, time_t curtime) @@ -974,7 +974,7 @@ /* * Test a global thresholding object */ -static INLINE int sfthd_test_global( +static inline int sfthd_test_global( SFXHASH *global_hash, THD_NODE * sfthd_node, unsigned gen_id, /* from current event */ diff -Nru snort-2.9.0.1/src/sfutil/sfthd.h snort-2.9.2/src/sfutil/sfthd.h --- snort-2.9.0.1/src/sfutil/sfthd.h 2010-06-09 15:05:32.000000000 -0700 +++ snort-2.9.2/src/sfutil/sfthd.h 2011-02-09 15:23:38.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sf_vartable.c snort-2.9.2/src/sfutil/sf_vartable.c --- snort-2.9.0.1/src/sfutil/sf_vartable.c 2010-06-09 15:05:31.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_vartable.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 1998-2010 Sourcefire, Inc. +** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -28,6 +28,11 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" #include "sf_vartable.h" #include "util.h" @@ -40,7 +45,7 @@ * This value should be incremented for each variable that hasn't been * identified as an alias of another variable */ table->id = 1; - + return table; } @@ -223,7 +228,7 @@ *ipret = var; /* Insertion sort */ - + if(!table->head) { table->head = var; @@ -242,22 +247,22 @@ var->next = table->head->next; sfvar_free(table->head); table->head = var; - return SFIP_DUPLICATE; + return SFIP_DUPLICATE; } - + /* The loop below checks table->head->next->name in the first iteration. * Make sure there is a table->head->next first */ if(!table->head->next) { table->head->next = var; return SFIP_SUCCESS; - } + } else if(!strcmp(var->name, table->head->next->name)) { var->next = table->head->next->next; sfvar_free(table->head->next); table->head->next = var; - return SFIP_DUPLICATE; + return SFIP_DUPLICATE; } for(p = table->head; p->next; p=p->next) 
@@ -276,7 +281,7 @@ var->next = p->next->next; sfvar_free(p->next); p->next = var; - return SFIP_DUPLICATE; + return SFIP_DUPLICATE; } } @@ -290,12 +295,12 @@ { SFIP_RET ret; - if(!table || !dst || !src) return SFIP_ARG_ERR; + if(!table || !dst || !src) return SFIP_ARG_ERR; if((ret = sfvar_parse_iplist(table, dst, src, 0)) == SFIP_SUCCESS) return sfvar_validate(dst); - return ret; + return ret; } /* Looks up a variable from the table by the variable's name */ @@ -304,15 +309,15 @@ sfip_var_t *p; int len; char *end; - + if(!table || !name) return NULL; if(*name == '$') name++; /* XXX should I assume there will be trailing garbage or * should I automatically find where the variable ends? */ - for(end=name; - *end && !isspace((int)*end) && *end != '\\' && *end != ']'; + for(end=name; + *end && !isspace((int)*end) && *end != '\\' && *end != ']'; end++) ; len = end - name; @@ -351,7 +356,7 @@ fprintf(f, "(Table %p)\n", (void*)table); for(p=table->head; p; p=p->next) { - sfvar_print(f, p); + sfvar_print_to_file(f, p); puts(""); } } @@ -368,7 +373,7 @@ vartable_t *table; sfip_var_t *var; sfip_t *ip; - + puts("********************************************************************"); puts("Testing variable table parsing:"); table = sfvt_alloc_table(); @@ -405,7 +410,7 @@ var = sfvt_lookup(table, "goo"); ip = sfip_alloc("192.168.248.255"); TEST(sfvar_ip_in(var, ip) == SFIP_SUCCESS); - + /* Check against the 'any' variable */ var = sfvt_lookup_var(table, "moo"); TEST(sfvar_ip_in(var, ip) == SFIP_SUCCESS); @@ -422,8 +427,8 @@ free_ip(ip); ip = sfip_alloc_str("192.168.0.2"); TEST(sfvar_ip_in(var, ip) == SFIP_SUCCESS); - - + + puts(""); puts("********************************************************************"); diff -Nru snort-2.9.0.1/src/sfutil/sf_vartable.h snort-2.9.2/src/sfutil/sf_vartable.h --- snort-2.9.0.1/src/sfutil/sf_vartable.h 2010-06-09 15:05:31.000000000 -0700 +++ snort-2.9.2/src/sfutil/sf_vartable.h 2011-02-09 15:23:36.000000000 -0800 
@@ -1,5 +1,5 @@ /* -** Copyright (C) 1998-2010 Sourcefire, Inc. +** Copyright (C) 1998-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/sfxhash.c snort-2.9.2/src/sfutil/sfxhash.c --- snort-2.9.0.1/src/sfutil/sfxhash.c 2010-01-26 10:10:29.000000000 -0800 +++ snort-2.9.2/src/sfutil/sfxhash.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as 
@@ -23,17 +23,17 @@ * * A Customized hash table library for storing and accessing key + data pairs. * - * This table incorporates a memory manager (memcap.c) to provide a memory cap, + * This table incorporates a memory manager (memcap.c) to provide a memory cap, * and an automatic node recovery system for out of memory management. Keys and * Data are copied into the hash table during the add operation. The data may - * be allocated and free'd by the user (by setting the datasize to zero ). A + * be allocated and free'd by the user (by setting the datasize to zero ). A * user callback is provided to allow the user to do cleanup whenever a node * is released, by either the ANR system or the relase() function. * * Users can and should delete nodes when they know they are not needed anymore, - * but this custom table is designed for the case where nodes are allocated - * permanently, we have to limit memory, and we wish to recycle old nodes. - * Many problems have a natural node ageing paradigm working in our favor, + * but this custom table is designed for the case where nodes are allocated + * permanently, we have to limit memory, and we wish to recycle old nodes. + * Many problems have a natural node ageing paradigm working in our favor, * so automated node aging makes sense. i.e. thresholding, tcp state. * * This hash table maps keys to data. All keys must be unique. @@ -48,8 +48,8 @@ * Data may be managed by the user as well. * 3) Table row sizes can be automatically adjusted to * the nearest prime number size during table initialization/creation. - * 4) Memory management includes tracking the size of each allocation, - * number of allocations, enforcing a memory cap, and automatic node + * 4) Memory management includes tracking the size of each allocation, + * number of allocations, enforcing a memory cap, and automatic node * recovery - when memory is low the oldest untouched node * is unlinked and recycled for use as a new node. * 
@@ -59,7 +59,7 @@ * KEYSIZE bytes * [DATASIZE bytes] if datasize > 0 during call to sfxhash_new. * - * The hash node memory (sfxhash_node,key,and data) is allocated with + * The hash node memory (sfxhash_node,key,and data) is allocated with * one call to s_alloc/memcap_alloc. * * Author: Marc Norton @@ -82,7 +82,7 @@ * * 2003-06-30: rdempster * fixed bug in that would anr from the freelist - * + * * 2005-11-15: modified sfxhash_add to check if 'data' is zero before memcpy'ing. * this allows user to pass null for data, and set up the data area * themselves after the call - this is much more flexible. @@ -92,12 +92,17 @@ #include <stdlib.h> #include <string.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "sf_types.h" +#include "snort_debug.h" #include "sfxhash.h" #include "sfprimetable.h" #include "util.h" -#include "debug.h" -/**@defgroup sfxhash sourcefire.container.sfxhash +/**@defgroup sfxhash sourcefire.container.sfxhash * Implements SFXHASH as specialized hash container * @{ */ @@ -105,12 +110,12 @@ /* * Private Malloc - abstract the memory system */ -static INLINE +static inline void * s_alloc( SFXHASH * t, int n ) { return sfmemcap_alloc( &t->mc, n ); } -static INLINE +static inline void s_free( SFXHASH * t, void * p ) { sfmemcap_free( &t->mc, p ); @@ -128,12 +133,12 @@ s_free( t, p ); } -static int sfxhash_nearest_powerof2(int nrows) +static int sfxhash_nearest_powerof2(int nrows) { unsigned i; nrows -= 1; - for(i=1; i<sizeof(nrows) * 8; i <<= 1) + for(i=1; i<sizeof(nrows) * 8; i <<= 1) nrows = nrows | (nrows >> i); nrows += 1; @@ -145,13 +150,13 @@ return sfxhash_nearest_powerof2(num); // return sf_nearest_prime( nrows ); } - + /*! * * Create a new hash table * - * By default, this will "splay" nodes to the top of a free list. + * By default, this will "splay" nodes to the top of a free list. * * @param nrows number of rows in hash table * @param keysize key size in bytes, same for all keys 
@@ -163,7 +168,7 @@ * * @return SFXHASH* * @retval 0 out of memory - * @retval !0 Valid SFXHASH pointer + * @retval !0 Valid SFXHASH pointer * */ /* @@ -173,8 +178,8 @@ maxmem of 0 indicates no memory limits. */ -SFXHASH * sfxhash_new( int nrows, int keysize, int datasize, int maxmem, - int anr_flag, +SFXHASH * sfxhash_new( int nrows, int keysize, int datasize, unsigned long maxmem, + int anr_flag, int (*anrfree)(void * key, void * data), int (*usrfree)(void * key, void * data), int recycle_flag ) @@ -185,27 +190,27 @@ if( nrows > 0 ) /* make sure we have a prime number */ { // nrows = sf_nearest_prime( nrows ); - /* If nrows is not a power of two, need to find the + /* If nrows is not a power of two, need to find the * next highest power of two */ nrows = sfxhash_nearest_powerof2(nrows); } else /* use the magnitude of nrows as is */ - { + { nrows = -nrows; } /* Allocate the table structure from general memory */ //h = (SFXHASH*) calloc( 1, sizeof(SFXHASH) ); h = (SFXHASH*)SnortAlloc(sizeof(SFXHASH)); - if( !h ) + if( !h ) { return 0; } /* this has a default hashing function */ h->sfhashfcn = sfhashfcn_new( nrows ); - - if( !h->sfhashfcn ) + + if( !h->sfhashfcn ) { free(h); return 0; @@ -215,7 +220,7 @@ /* Allocate the array of node ptrs */ h->table = (SFXHASH_NODE**) s_alloc( h, sizeof(SFXHASH_NODE*) * nrows ); - if( !h->table ) + if( !h->table ) { free(h->sfhashfcn); free(h); 
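Review bot: Widening `maxmem` to `unsigned long` in sfxhash_new is the right direction, but `nrows` stays a signed `int` that is rounded by `sfxhash_nearest_powerof2` and then passed as `sizeof(SFXHASH_NODE*) * nrows` to `s_alloc(SFXHASH *t, int n)`, whose `int n` truncates the `size_t` product — on an LP64 host any `nrows` of 2^28 or more yields a table allocation far smaller than `h->nrows` implies, and `hashkey & (t->nrows - 1)` then indexes past it; the rounding itself also overflows signed int above 2^30, and `nrows = -nrows` is undefined for INT_MIN. A bound before the rounding keeps the table consistent: `if (nrows > (1 << 28) || nrows < -(1 << 28)) return 0;` (pick the limit the memcap can actually back). The sfxhash.h prototype and the memcap initializer that receives `maxmem` are outside the visible part of this diff, so confirm both were widened as well, otherwise the larger cap is silently truncated on the way in. sfxhash_new's body continues beyond this hunk.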
@@ -233,21 +238,21 @@ h->datasize = datasize; h->nrows = nrows; h->max_nodes = 0; - h->crow = 0; - h->cnode = 0; + h->crow = 0; + h->cnode = 0; h->count = 0; h->ghead = 0; h->gtail = 0; - h->anr_count= 0; + h->anr_count= 0; h->anr_tries= 0; - h->anr_flag = anr_flag; - h->splay = 1; + h->anr_flag = anr_flag; + h->splay = 1; h->recycle_nodes = recycle_flag; h->find_success = 0; h->find_fail = 0; - - /* save off how much we've already allocated from our memcap */ + + /* save off how much we've already allocated from our memcap */ h->overhead_bytes = h->mc.memused; h->overhead_blocks = h->mc.nblocks; @@ -257,7 +262,7 @@ /*! * Set the maximum nodes used in this hash table. * Specifying 0 is unlimited (or otherwise limited by memcap). - * + * * @param h SFXHASH table pointer * @param max_nodes maximum nodes to allow. * @@ -272,7 +277,7 @@ /*! * Set Splay mode : Splays nodes to front of list on each access - * + * * @param t SFXHASH table pointer * @param n boolean flag toggles splaying of hash nodes * @@ -315,7 +320,7 @@ } /*! - * Delete the hash Table + * Delete the hash Table * * free key's, free node's, and free the users data. * @@ -330,20 +335,20 @@ if( !h ) return; if( h->sfhashfcn ) sfhashfcn_free( h->sfhashfcn ); - + if( h->table ) - { + { for(i=0;i<h->nrows;i++) { for( node=h->table[i]; node; ) { onode = node; node = node->next; - + /* Notify user that we are about to free this node function */ if( h->usrfree ) h->usrfree( onode->key, onode->data ); - + s_free( h,onode ); } } 
@@ -385,98 +390,17 @@ } h->max_nodes = 0; - h->crow = 0; - h->cnode = NULL; + h->crow = 0; + h->cnode = NULL; h->count = 0; h->ghead = NULL; h->gtail = NULL; - h->anr_count = 0; + h->anr_count = 0; h->anr_tries = 0; h->find_success = 0; h->find_fail = 0; - - return 0; -} - - -/*! - * Get the # of Nodes in HASH the table - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_count( SFXHASH * t ) -{ - return t->count; -} - -/*! - * Get the # auto recovery - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_anr_count( SFXHASH * t ) -{ - return t->anr_count; -} - -/*! - * Get the # finds - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_find_total( SFXHASH * t ) -{ - return t->find_success + t->find_fail; -} - -/*! - * Get the # unsucessful finds - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_find_fail( SFXHASH * t ) -{ - return t->find_fail; -} - -/*! - * Get the # sucessful finds - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_find_success( SFXHASH * t ) -{ - return t->find_success; -} - - - -/*! - * Get the # of overhead bytes - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_overhead_bytes( SFXHASH * t ) -{ - return t->overhead_bytes; -} - -/*! - * Get the # of overhead blocks - * - * @param t SFXHASH table pointer - * - */ -unsigned sfxhash_overhead_blocks( SFXHASH * t ) -{ - return t->overhead_blocks; + return 0; } /** Save the freed node for later use (recylcing). @@ -488,7 +412,7 @@ /* Add A Node to the Free Node List */ if( t->fhead ) /* add the node to head of the the existing list */ { - hnode->gprev = 0; + hnode->gprev = 0; hnode->gnext = t->fhead; t->fhead->gprev = hnode; t->fhead = hnode; 
@@ -511,10 +435,10 @@ SFXHASH_NODE * node = t->fhead; /* Remove A Node from the Free Node List - remove the head node */ - if( t->fhead ) + if( t->fhead ) { t->fhead = t->fhead->gnext; - if( t->fhead ) + if( t->fhead ) t->fhead->gprev = 0; if( t->ftail == node ) /* no more nodes - clear the tail */ @@ -530,7 +454,7 @@ /* Add The Node */ if( t->ghead ) /* add the node to head of the the existing list */ { - hnode->gprev = 0; + hnode->gprev = 0; hnode->gnext = t->ghead; t->ghead->gprev = hnode; t->ghead = hnode; @@ -552,7 +476,7 @@ if( t->ghead == hnode ) /* add the node to head of the the existing list */ { t->ghead = t->ghead->gnext; - if( t->ghead ) + if( t->ghead ) t->ghead->gprev = 0; } @@ -560,7 +484,7 @@ if( hnode->gnext ) hnode->gnext->gprev = hnode->gprev; if( t->gtail == hnode ) - t->gtail = hnode->gprev; + t->gtail = hnode->gprev; } /**Move node to the front of global list. Node movement is application specific. @@ -602,7 +526,7 @@ if( hnode->prev ) // definitely not the 1st node in the list { hnode->prev->next = hnode->next; - if( hnode->next ) + if( hnode->next ) hnode->next->prev = hnode->prev; } else if( t->table[hnode->rindex] ) // must be the 1st node in the list @@ -623,7 +547,7 @@ { /* Unlink the node */ sfxhash_unlink_node( t, n ); - + /* Link at front of list */ sfxhash_link_node( t, n ); } @@ -634,15 +558,15 @@ /* * Allocat a new hash node, uses Auto Node Recovery if needed and enabled. - * - * The oldest node is the one with the longest time since it was last touched, + * + * The oldest node is the one with the longest time since it was last touched, * and does not have any direct indication of how long the node has been around. * We don't monitor the actual time since last being touched, instead we use a * splayed global list of node pointers. As nodes are accessed they are splayed * to the front of the list. The oldest node is just the tail node. * */ -static +static SFXHASH_NODE * sfxhash_newnode( SFXHASH * t ) { SFXHASH_NODE * hnode; 
@@ -659,12 +583,12 @@ t->keysize + t->datasize ); } } - + /* If we still haven't found hnode, we're at our memory limit. * * Uses Automatic Node Recovery, to recycle the oldest node-based on access * (Unlink and reuse the tail node) - */ + */ if( !hnode && t->anr_flag && t->gtail ) { /* Find the oldes node the users willing to let go. */ @@ -673,14 +597,14 @@ if( t->anrfree ) /* User has provided a permission+release callback function */ { t->anr_tries++;/* Count # ANR requests */ - + /* Ask the user for permission to release this node, but let them say no! */ if( t->anrfree( hnode->key, hnode->data ) ) { - /* NO, don't recycle this node, user's not ready to let it go. */ + /* NO, don't recycle this node, user's not ready to let it go. */ continue; } - + /* YES, user said we can recycle this node */ } @@ -701,7 +625,7 @@ * * Find a Node based on the key, return the node and the index. * The index is valid even if the return value is NULL, in which - * case the index is the corect row in which the node should be + * case the index is the corect row in which the node should be * created. * */ @@ -709,7 +633,7 @@ #define hashsize(n) ((uint32_t)1<<(n)) #define hashmask(n) (hashsize(n)-1) -static +static SFXHASH_NODE * sfxhash_find_node_row( SFXHASH * t, void * key, int * rindex ) { unsigned hashkey; @@ -719,17 +643,17 @@ hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn, (unsigned char*)key, t->keysize ); - + /* printf("hashkey: %u t->keysize: %d\n", hashkey, t->keysize); */ /* flowkey_fprint(stdout, key); */ /* printf("****\n"); */ // index = hashkey % t->nrows; - /* Modulus is slow. Switched to a table size that is a power of 2. */ + /* Modulus is slow. Switched to a table size that is a power of 2. */ index = hashkey & (t->nrows - 1); *rindex = index; - + for( hnode=t->table[index]; hnode; hnode=hnode->next ) { if( !t->sfhashfcn->keycmp_fcn(hnode->key,key,t->keysize) ) 
@@ -737,12 +661,12 @@ if( t->splay > 0 ) movetofront(t,hnode); - t->find_success++; + t->find_success++; return hnode; } } - t->find_fail++; + t->find_fail++; return NULL; } @@ -781,7 +705,7 @@ return SFXHASH_INTABLE; /* found it - return it. */ } - /* + /* * Alloc new hash node - allocate key space and data space at the same time. */ hnode = sfxhash_newnode( t ); @@ -810,11 +734,11 @@ memcpy(hnode->data,data,t->datasize); } } - else + else { hnode->data = data; } - + /* Link the node into the table row list */ sfxhash_link_node ( t, hnode ); @@ -860,7 +784,7 @@ return hnode; /* found it - return it. */ } - /* + /* * Alloc new hash node - allocate key space and data space at the same time. */ hnode = sfxhash_newnode( t ); @@ -884,11 +808,11 @@ /* Set up the new data pointer */ hnode->data= (char*)hnode + sizeof(SFXHASH_NODE) + t->keysize; } - else + else { hnode->data = NULL; } - + /* Link the node into the table row list */ sfxhash_link_node ( t, hnode ); @@ -942,11 +866,11 @@ } -/** +/** * Get the HEAD of the in use list - * - * @param t table pointer - * + * + * @param t table pointer + * * @return the head of the list or NULL */ SFXHASH_NODE *sfxhash_ghead( SFXHASH * t ) @@ -960,11 +884,11 @@ } -/** +/** * Walk the global list - * + * * @param n current node - * + * * @return the next node in the list or NULL when at the end */ SFXHASH_NODE *sfxhash_gnext( SFXHASH_NODE *n ) @@ -995,7 +919,7 @@ if( hnode ) return hnode->data; - + return NULL; } @@ -1036,7 +960,7 @@ if( hnode ) return hnode; - + return NULL; } @@ -1063,9 +987,9 @@ /*! * Get some hash table statistics. NOT FOR REAL TIME USE. * - * + * * @param t SFXHASH table pointer - * @param filled how many + * @param filled how many * * @return max depth of the table * 
@@ -1139,13 +1063,13 @@ hashkey = t->sfhashfcn->hash_fcn( t->sfhashfcn, (unsigned char*)key, t->keysize ); - + // index = hashkey % t->nrows; /* Modulus is slow */ index = hashkey & (t->nrows - 1); hnode = t->table[index]; - + for( hnode=t->table[index]; hnode; hnode=hnode->next ) { if( !t->sfhashfcn->keycmp_fcn(hnode->key,key,t->keysize) ) @@ -1154,18 +1078,18 @@ } } - return SFXHASH_ERR; + return SFXHASH_ERR; } -/* - Internal use only +/* + Internal use only */ -static +static void sfxhash_next( SFXHASH * t ) { if( !t->cnode ) return ; - + /* Next node in current node list */ t->cnode = t->cnode->next; if( t->cnode ) @@ -1173,12 +1097,12 @@ return; } - /* Next row */ + /* Next row */ /* Get 1st node in next non-emtoy row/node list */ for( t->crow++; t->crow < t->nrows; t->crow++ ) - { + { t->cnode = t->table[ t->crow ]; - if( t->cnode ) + if( t->cnode ) { return; } @@ -1202,7 +1126,7 @@ /* Start with 1st row */ for( t->crow=0; t->crow < t->nrows; t->crow++ ) - { + { /* Get 1st Non-Null node in row list */ t->cnode = t->table[ t->crow ]; if( t->cnode ) @@ -1212,7 +1136,7 @@ return n; } } - + return NULL; } @@ -1236,15 +1160,15 @@ } /* - Preload next node into current node + Preload next node into current node */ - sfxhash_next( t ); + sfxhash_next( t ); return n; } -/** +/** * Make sfhashfcn use a separate set of operators for the backend. * * @param h sfhashfcn ptr 
@@ -1274,21 +1198,21 @@ * Test Driver for Hashing * ----------------------------------------------------------------------------------------- */ -#ifdef SFXHASH_MAIN +#ifdef SFXHASH_MAIN -/* - This is called when the user releases a node or kills the table +/* + This is called when the user releases a node or kills the table */ int usrfree( void * key, void * data ) { /* Release any data you need to */ - return 0; + return 0; } -/* - Auto Node Recovery Callback - optional +/* + Auto Node Recovery Callback - optional This is called to ask the user to kill a node, if it reutrns !0 than the hash library does not kill this node. If the user os willing to let the node die, @@ -1335,9 +1259,9 @@ /* Create a Hash Table */ t = sfxhash_new( 100, /* one row per element in table, when possible */ - 20, /* key size : padded with zeros */ - 20, /* data size: padded with zeros */ - mem, /* max bytes, 0=no max */ + 20, /* key size : padded with zeros */ + 20, /* data size: padded with zeros */ + mem, /* max bytes, 0=no max */ 1, /* enable AutoNodeRecovery */ anrfree, /* provide a function to let user know we want to kill a node */ usrfree, /* provide a function to release user memory */ @@ -1348,7 +1272,7 @@ exit(0); } /* Add Nodes to the Hash Table */ - for(i=0;i<num;i++) + for(i=0;i<num;i++) { snprintf(strkey, sizeof(strkey), "KeyWord%5.5d",i+1); strkey[sizeof(strkey) - 1] = '\0'; @@ -1356,11 +1280,11 @@ strdata[sizeof(strdata) - 1] = '\0'; //strupr(strdata); sfxhash_add( t, strkey /* user key */ , strdata /* user data */ ); - } + } /* Find and Display Nodes in the Hash Table */ printf("\n** FIND KEY TEST\n"); - for(i=0;i<num;i++) + for(i=0;i<num;i++) { snprintf(strkey, sizeof(strkey) - 1, "KeyWord%5.5d",i+1); strkey[sizeof(strkey) - 1] = '\0'; @@ -1368,7 +1292,7 @@ p = (char*) sfxhash_find( t, strkey ); if(p)printf("Hash-key=%*s, data=%*s\n", strlen(strkey),strkey, strlen(strkey), p ); - } + } /* Show memcap memory */ printf("\n...******\n"); 
@@ -1377,8 +1301,8 @@
 /* Display All Nodes in the Hash Table findfirst/findnext */
 printf("\n...FINDFIRST / FINDNEXT TEST\n");
- for( n = sfxhash_findfirst(t);
- n != 0;
+ for( n = sfxhash_findfirst(t);
+ n != 0;
 n = sfxhash_findnext(t) )
 {
 printf("hash-findfirst/next: n=%x, key=%s, data=%s\n", n, n->key, n->data );
@@ -1386,11 +1310,11 @@
 /* remove node we are looking at, this is first/next safe. */
- if( sfxhash_remove(t,n->key) )
+ if( sfxhash_remove(t,n->key) )
 {
 printf("...ERROR: Could not remove the key node!\n");
 }
- else
+ else
 {
 printf("...key node removed\n");
 }
@@ -1402,7 +1326,7 @@
 printf("...sfxhash_delete\n");
 sfxhash_delete( t );
-
+
 printf("\nnormal pgm finish\n\n");
 return 0;
diff -Nru snort-2.9.0.1/src/sfutil/sfxhash.h snort-2.9.2/src/sfutil/sfxhash.h
--- snort-2.9.0.1/src/sfutil/sfxhash.h 2010-01-26 10:10:29.000000000 -0800
+++ snort-2.9.2/src/sfutil/sfxhash.h 2011-11-21 12:15:24.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2003-2010 Sourcefire, Inc.
+ * Copyright (C) 2003-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -18,7 +18,7 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
-
+
 /*
 *
 * sfxhash.h
@@ -52,14 +52,14 @@ */ typedef struct _sfxhash_node { - struct _sfxhash_node * gnext, * gprev; /// global node list - used for ageing nodes - struct _sfxhash_node * next, * prev; /// row node list + struct _sfxhash_node * gnext, * gprev; /// global node list - used for ageing nodes + struct _sfxhash_node * next, * prev; /// row node list + + int rindex; /// row index of table this node belongs to. - int rindex; /// row index of table this node belongs to. + void * key; /// Pointer to the key. + void * data; /// Pointer to the users data, this is not copied ! - void * key; /// Pointer to the key. - void * data; /// Pointer to the users data, this is not copied ! - } SFXHASH_NODE; /** 
@@ -68,33 +68,33 @@ typedef struct _sfxhash { SFHASHFCN * sfhashfcn; /// hash function - int keysize; /// bytes in key, if <= 0 -> keys are strings + int keysize; /// bytes in key, if <= 0 -> keys are strings int datasize; /// bytes in key, if == 0 -> user data SFXHASH_NODE ** table; /// array of node ptr's */ - unsigned nrows; /// # rows int the hash table use a prime number 211, 9871 - unsigned count; /// total # nodes in table - + unsigned nrows; /// # rows int the hash table use a prime number 211, 9871 + unsigned count; /// total # nodes in table + unsigned crow; /// findfirst/next row in table SFXHASH_NODE * cnode; /// findfirst/next node ptr int splay; /// whether to splay nodes with same hash bucket unsigned max_nodes; ///maximum # of nodes within a hash MEMCAP mc; - unsigned overhead_bytes; /// # of bytes that will be unavailable for nodes inside the table + unsigned overhead_bytes; /// # of bytes that will be unavailable for nodes inside the table unsigned overhead_blocks; /// # of blocks consumed by the table unsigned find_fail; unsigned find_success; - + SFXHASH_NODE * ghead, * gtail; /// global - root of all nodes allocated in table SFXHASH_NODE * fhead, * ftail; /// list of free nodes, which are recyled int recycle_nodes; /// recycle nodes. Nodes are not freed, but are used for subsequent new nodes - - /**Automatic Node Recover (ANR): When number of nodes in hash is equal to max_nodes, remove the least recently + + /**Automatic Node Recover (ANR): When number of nodes in hash is equal to max_nodes, remove the least recently * used nodes and use it for the new node. anr_tries indicates # of ANR tries.*/ - unsigned anr_tries; - unsigned anr_count; /// # ANR ops performaed - int anr_flag; /// 0=off, !0=on + unsigned anr_tries; + unsigned anr_count; /// # ANR ops performaed + int anr_flag; /// 0=off, !0=on int (*anrfree)( void * key, void * data ); int (*usrfree)( void * key, void * data ); 
@@ -105,8 +105,8 @@
 * HASH PROTOTYPES
 */
 int sfxhash_calcrows(int num);
-SFXHASH * sfxhash_new( int nrows, int keysize, int datasize, int memcap,
- int anr_flag,
+SFXHASH * sfxhash_new( int nrows, int keysize, int datasize, unsigned long memcap,
+ int anr_flag,
 int (*anrfunc)(void *key, void * data),
 int (*usrfunc)(void *key, void * data),
 int recycle_flag );
@@ -119,8 +119,83 @@
 int sfxhash_add ( SFXHASH * h, void * key, void * data );
 SFXHASH_NODE * sfxhash_get_node( SFXHASH * t, void * key );
 int sfxhash_remove( SFXHASH * h, void * key );
-unsigned sfxhash_count( SFXHASH * h );
-unsigned sfxhash_anr_count( SFXHASH * h );
+
+/*!
+ * Get the # of Nodes in HASH the table
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_count( SFXHASH * t )
+{
+ return t->count;
+}
+
+/*!
+ * Get the # auto recovery
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_anr_count( SFXHASH * t )
+{
+ return t->anr_count;
+}
+
+/*!
+ * Get the # finds
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_find_total( SFXHASH * t )
+{
+ return t->find_success + t->find_fail;
+}
+
+/*!
+ * Get the # unsucessful finds
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_find_fail( SFXHASH * t )
+{
+ return t->find_fail;
+}
+
+/*!
+ * Get the # sucessful finds
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_find_success( SFXHASH * t )
+{
+ return t->find_success;
+}
+
+/*!
+ * Get the # of overhead bytes
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_overhead_bytes( SFXHASH * t )
+{
+ return t->overhead_bytes;
+}
+
+/*!
+ * Get the # of overhead blocks
+ *
+ * @param t SFXHASH table pointer
+ *
+ */
+static inline unsigned sfxhash_overhead_blocks( SFXHASH * t )
+{
+ return t->overhead_blocks;
+}
 void * sfxhash_mru( SFXHASH * t );
 void * sfxhash_lru( SFXHASH * t );
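Review bot: The seven new `static inline` accessors in the `@@ -119,8 +119,83 @@` hunk take a mutable `SFXHASH * t` although each only reads a counter; `const SFXHASH * t` would let callers holding a read-only table use them and would state the no-side-effect contract in the signature, e.g. `static inline unsigned sfxhash_count( const SFXHASH * t )`. Moving the bodies into the header also means a NULL `t` now faults at the call site, so if the former out-of-line versions (not in this chunk) guarded against a NULL table, that guard should either be carried over or the precondition documented in each `/*! ... */` block. The earlier `@@ -105,8 +105,8 @@` hunk widens `memcap` from `int` to `unsigned long`; a caller that still passes a negative int now hands over a very large cap instead of a value that could be rejected, so the range check in `sfxhash_new` (not shown here) should be confirmed against the new type.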
@@ -144,11 +219,6 @@
 int sfxhash_free_node(SFXHASH *t, SFXHASH_NODE *node);
 unsigned sfxhash_maxdepth( SFXHASH * t );
-unsigned sfxhash_overhead_bytes( SFXHASH * t );
-unsigned sfxhash_overhead_blocks( SFXHASH * t );
-unsigned sfxhash_find_success( SFXHASH * h );
-unsigned sfxhash_find_fail( SFXHASH * h );
-unsigned sfxhash_find_total( SFXHASH * h );
 int sfxhash_set_keyops( SFXHASH *h ,
diff -Nru snort-2.9.0.1/src/sfutil/strvec.c snort-2.9.2/src/sfutil/strvec.c
--- snort-2.9.0.1/src/sfutil/strvec.c 2010-06-09 15:50:09.000000000 -0700
+++ snort-2.9.2/src/sfutil/strvec.c 2011-06-07 17:33:21.000000000 -0700
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2009-2010 Sourcefire, Inc.
+ * Copyright (C) 2009-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -18,8 +18,12 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
-
+
 #include <stdlib.h>
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 #include "strvec.h"
 #include "util.h"
diff -Nru snort-2.9.0.1/src/sfutil/strvec.h snort-2.9.2/src/sfutil/strvec.h
--- snort-2.9.0.1/src/sfutil/strvec.h 2010-06-09 15:50:10.000000000 -0700
+++ snort-2.9.2/src/sfutil/strvec.h 2011-02-09 15:23:38.000000000 -0800
@@ -1,6 +1,6 @@
 /****************************************************************************
 *
- * Copyright (C) 2009-2010 Sourcefire, Inc.
+ * Copyright (C) 2009-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
diff -Nru snort-2.9.0.1/src/sfutil/Unified2_common.h snort-2.9.2/src/sfutil/Unified2_common.h
--- snort-2.9.0.1/src/sfutil/Unified2_common.h 2010-06-09 15:50:09.000000000 -0700
+++ snort-2.9.2/src/sfutil/Unified2_common.h 2011-11-21 12:15:24.000000000 -0800
@@ -1,5 +1,5 @@
 /*
- ** Copyright (C) 2002-2010 Sourcefire, Inc.
+ ** Copyright (C) 2002-2011 Sourcefire, Inc.
 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 **
 ** This program is free software; you can redistribute it and/or modify
@@ -54,6 +54,8 @@
 #define UNIFIED2_IDS_EVENT_VLAN 104
 #define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
 #define UNIFIED2_EXTRA_DATA 110
+#define UNIFIED2_IDS_EVENT_NG 207
+#define UNIFIED2_IDS_EVENT_IPV6_NG 208
 /* Data structure used for serialization of Unified2 Records */
@@ -63,6 +65,81 @@
 uint32_t length;
 } Serial_Unified2_Header;
+//UNIFIED2_IDS_EVENT_NG = type 207
+typedef struct _Unified2IDSEventNG
+{
+ uint32_t sensor_id;
+ uint32_t event_id;
+ uint32_t event_second;
+ uint32_t event_microsecond;
+ uint32_t signature_id;
+ uint32_t generator_id;
+ uint32_t signature_revision;
+ uint32_t classification_id;
+ uint32_t priority_id;
+ uint32_t ip_source;
+ uint32_t ip_destination;
+ uint16_t sport_itype;
+ uint16_t dport_icode;
+ uint8_t protocol;
+ uint8_t impact_flag;//overloads packet_action
+ uint8_t impact;
+ uint8_t blocked;
+ uint32_t mpls_label;
+ uint16_t vlanId;
+ uint16_t pad;
+ /* Structure should match Unified2IDSEvent up to this point */
+ uint8_t policy_uuid[16];
+ uint32_t user_id;
+ uint32_t web_application_id;
+ uint32_t client_application_id;
+ uint32_t application_protocol_id;
+ uint32_t policyengine_rule_id;
+ uint8_t policyengine_policy_uuid[16];
+ uint8_t interface_ingress_uuid[16];
+ uint8_t interface_egress_uuid[16];
+ uint8_t security_zone_ingress_uuid[16];
+ uint8_t security_zone_egress_uuid[16];
+} Unified2IDSEventNG;
+
+
+//UNIFIED2_IDS_EVENT_IPV6_NG = type 208
+typedef struct _Unified2IDSEventIPv6_NG
+{
+ uint32_t sensor_id;
+ uint32_t event_id;
+ uint32_t event_second;
+ uint32_t event_microsecond;
+ uint32_t signature_id;
+ uint32_t generator_id;
+ uint32_t signature_revision;
+ uint32_t classification_id;
+ uint32_t priority_id;
+ struct in6_addr ip_source;
+ struct in6_addr ip_destination;
+ uint16_t sport_itype;
+ uint16_t dport_icode;
+ uint8_t protocol;
+ uint8_t impact_flag;//overloads packet_action
+ uint8_t impact;
+ uint8_t blocked;
+ uint32_t mpls_label;
+ uint16_t vlanId;
+ uint16_t pad;
+ /* Structure should match Unified2IDSEventIPv6 up to this point */
+ uint8_t policy_uuid[16];
+ uint32_t user_id;
+ uint32_t web_application_id;
+ uint32_t client_application_id;
+ uint32_t application_protocol_id;
+ uint32_t policyengine_rule_id;
+ uint8_t policyengine_policy_uuid[16];
+ uint8_t interface_ingress_uuid[16];
+ uint8_t interface_egress_uuid[16];
+ uint8_t security_zone_ingress_uuid[16];
+ uint8_t security_zone_egress_uuid[16];
+} Unified2IDSEventIPv6_NG;
+
 //UNIFIED2_IDS_EVENT_VLAN = type 104
 //comes from SFDC to EStreamer archive in serialized form with the extended header
@@ -168,9 +245,18 @@
 typedef enum _EventInfoEnum
 {
 EVENT_INFO_XFF_IPV4 = 1,
- EVENT_INFO_XFF_IPV6 ,
+ EVENT_INFO_XFF_IPV6,
 EVENT_INFO_REVIEWED_BY,
- EVENT_INFO_GZIP_DATA
+ EVENT_INFO_GZIP_DATA,
+ EVENT_INFO_SMTP_FILENAME,
+ EVENT_INFO_SMTP_MAILFROM,
+ EVENT_INFO_SMTP_RCPTTO,
+ EVENT_INFO_SMTP_EMAIL_HDRS,
+ EVENT_INFO_HTTP_URI,
+ EVENT_INFO_HTTP_HOSTNAME,
+ EVENT_INFO_IPV6_SRC,
+ EVENT_INFO_IPV6_DST,
+ EVENT_INFO_JSNORM_DATA
 }EventInfoEnum;
 typedef enum _EventDataType
diff -Nru snort-2.9.0.1/src/sfutil/util_jsnorm.c snort-2.9.2/src/sfutil/util_jsnorm.c
--- snort-2.9.0.1/src/sfutil/util_jsnorm.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/src/sfutil/util_jsnorm.c 2011-10-26 11:28:52.000000000 -0700
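Review bot: `Unified2IDSEventNG` and `Unified2IDSEventIPv6_NG` in the `@@ -63,6 +65,81 @@` hunk are serialized records (the file says these structures are used for serialization of Unified2 records), yet nothing pins their layout: there is no packing attribute and no size or offset check, and the requirement that the prefix match `Unified2IDSEvent` / `Unified2IDSEventIPv6` lives only in a comment. The member order appears to keep every field naturally aligned on common ABIs, so implicit padding is unlikely, but that is an inference the build does not enforce. A compile-time check beside each typedef, e.g. `_Static_assert(sizeof(Unified2IDSEventNG) == EXPECTED_NG_RECORD_LEN /* placeholder: length from the unified2 format spec */, "Unified2IDSEventNG layout changed");` plus an `offsetof` check on `policy_uuid`, would make the comment verifiable (the negative-array-size idiom does the same if the project is not built as C11). Any reader that maps a record onto these types from `Serial_Unified2_Header.length` should compare that length against the `sizeof` before casting, since both new types extend the records they mirror with further fields.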
@@ -0,0 +1,1315 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** Writen by Bhagyashree Bantwal <bbantwal@sourcefire.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + + +#include"util_jsnorm.h" + +#define INVALID_HEX_VAL -1 +#define MAX_BUF 8 +#define NON_ASCII_CHAR 0xff + +//Return values +#define RET_OK 0 +#define RET_QUIT -1 +#define RET_INV -2 + +#define IS_OCT 0x1 +#define IS_DEC 0X2 +#define IS_HEX 0x4 +#define IS_PERCENT 0x8 +#define IS_UPERCENT 0x10 +#define IS_BACKSLASH 0x20 +#define IS_UBACKSLASH 0x40 + +#define ANY '\0' + + +typedef enum { + PNORM_ACT_DQUOTES, + PNORM_ACT_NOP, + PNORM_ACT_PLUS, + PNORM_ACT_SPACE, + PNORM_ACT_SQUOTES, + PNORM_ACT_WITHIN_QUOTES +} ActionPNorm; + +// Actions for SFCC +typedef enum { + SFCC_ACT_COMMA, + SFCC_ACT_DEC, + SFCC_ACT_HEX, + SFCC_ACT_INV, + SFCC_ACT_NOP, + SFCC_ACT_OCT, + SFCC_ACT_QUIT, + SFCC_ACT_SPACE +} ActionSFCC; + +// Actions for Unescape +typedef enum { + UNESC_ACT_BACKSLASH, + UNESC_ACT_CONV, + UNESC_ACT_NOP, + UNESC_ACT_PAREN, + UNESC_ACT_PERCENT, + UNESC_ACT_QUIT, + UNESC_ACT_SAVE, + UNESC_ACT_SAVE_NOP, + UNESC_ACT_SPACE, + UNESC_ACT_UBACKSLASH, + UNESC_ACT_UPERCENT, + UNESC_ACT_UNESCAPE +} ActionUnsc; + +// Actions for Javascript norm +typedef 
enum { + ACT_NOP, + ACT_QUIT, + ACT_SAVE, + ACT_SFCC, + ACT_SPACE, + ACT_UNESCAPE +} ActionJSNorm; + +int hex_lookup[256]; +int valid_chars[256]; + +char decoded_out[6335]; + + +typedef struct { + uint8_t state; + uint8_t event; + uint8_t match; + uint8_t other; + uint8_t action; +} JSNorm; + + +typedef struct { + char *data; + uint16_t size; + uint16_t len; +}Dbuf; + +typedef struct { + uint8_t fsm; + uint8_t fsm_other; + uint8_t prev_event; + uint8_t d_quotes; + uint8_t s_quotes; + uint16_t num_spaces; + char *overwrite; + Dbuf output; +}PNormState; + +typedef struct { + uint8_t fsm; + uint8_t buf[MAX_BUF]; + uint8_t buflen; + uint16_t cur_flags; + uint16_t alert_flags; + Dbuf output; +} SFCCState; + +typedef struct { + uint8_t fsm; + uint8_t prev_event; + uint16_t num_spaces; + int *unicode_map; + char *overwrite; + Dbuf dest; +} JSNormState; + +typedef struct { + uint8_t fsm; + uint8_t multiple_levels; + uint8_t prev_event; + uint16_t alert_flags; + uint16_t num_spaces; + int iNorm; + int paren_count; + int *unicode_map; + char *overwrite; + ActionUnsc prev_action; + Dbuf output; +} UnescapeState; + + + +// STATES for SFCC +#define S0 0 +#define S1 S0+3 +#define S2 S1+1 +#define S3 S2+1 +#define S4 S3+1 + +static JSNorm sfcc_norm[] = +{ + { S0+0, '(', S0+1, S0+1, SFCC_ACT_NOP }, + { S0+1, '0', S0+2, S1+0, SFCC_ACT_NOP }, + { S0+2, 'X', S3+0, S2+0, SFCC_ACT_NOP }, + + //decimal + { S1+0, IS_DEC, S1+0, S4+0, SFCC_ACT_DEC }, + + //Octal + { S2+0, IS_OCT, S2+0, S1+0, SFCC_ACT_OCT }, + + //Hex + { S3+0, IS_HEX, S3+0, S4+0, SFCC_ACT_HEX }, + + { S4+0, ',', S0+1, S4+1, SFCC_ACT_COMMA }, + { S4+1, ')', S0+1, S4+2, SFCC_ACT_QUIT }, + { S4+2, ANY, S4+1, S0+1, SFCC_ACT_INV } +}; + + +#define U0 0 +#define U1 U0+1 +#define U2 U1+8 +#define U3 U2+9 +#define U4 U3+8 +#define U5 U4+19 +#define U6 U5+18 +#define U7 U6+1 + +static JSNorm unescape_norm[] = +{ + { U0+ 0, '(', U1+ 0, U1+ 0, UNESC_ACT_PAREN }, + + { U1+ 0, '%', U1+ 1, U2+ 0, UNESC_ACT_SAVE }, + { U1+ 1, IS_HEX, U1+ 
2, U1+ 3, UNESC_ACT_CONV }, + { U1+ 2, IS_HEX, U0+ 0, U0+ 0, UNESC_ACT_PERCENT }, + { U1+ 3, 'U', U1+ 4, U0+ 0, UNESC_ACT_SAVE_NOP }, + { U1+ 4, IS_HEX, U1+ 5, U0+ 0, UNESC_ACT_CONV }, + { U1+ 5, IS_HEX, U1+ 6, U0+ 0, UNESC_ACT_CONV }, + { U1+ 6, IS_HEX, U1+ 7, U0+ 0, UNESC_ACT_CONV }, + { U1+ 7, IS_HEX, U0+ 0, U0+ 0, UNESC_ACT_UPERCENT }, + + { U2+ 0, '\\', U2+ 1, U3+ 0, UNESC_ACT_SAVE }, + { U2+ 1, 'X', U2+ 2, U2+ 4, UNESC_ACT_SAVE_NOP }, + { U2+ 2, IS_HEX, U2+ 3, U0+ 0, UNESC_ACT_CONV }, + { U2+ 3, IS_HEX, U0+ 0, U0+ 0, UNESC_ACT_BACKSLASH }, + { U2+ 4, 'U', U2+ 5, U0+ 0, UNESC_ACT_CONV }, + { U2+ 5, IS_HEX, U2+ 6, U0+ 0, UNESC_ACT_CONV }, + { U2+ 6, IS_HEX, U2+ 7, U0+ 0, UNESC_ACT_CONV }, + { U2+ 7, IS_HEX, U2+ 8, U0+ 0, UNESC_ACT_CONV }, + { U2+ 8, IS_HEX, U0+ 0, U0+ 0, UNESC_ACT_UBACKSLASH }, + + { U3+ 0, 'U', U3+ 1, U4+ 0, UNESC_ACT_NOP }, + { U3+ 1, 'N', U3+ 2, U0+ 0, UNESC_ACT_NOP }, + { U3+ 2, 'E', U3+ 3, U0+ 0, UNESC_ACT_NOP }, + { U3+ 3, 'S', U3+ 4, U0+ 0, UNESC_ACT_NOP }, + { U3+ 4, 'C', U3+ 5, U0+ 0, UNESC_ACT_NOP }, + { U3+ 5, 'A', U3+ 6, U0+ 0, UNESC_ACT_NOP }, + { U3+ 6, 'P', U3+ 7, U0+ 0, UNESC_ACT_NOP }, + { U3+ 7, 'E', U0+ 0, U0+ 0, UNESC_ACT_UNESCAPE }, + + { U4+ 0, 'S', U4+ 1, U5+ 0, UNESC_ACT_NOP }, + { U4+ 1, 'T', U4+ 2, U0+ 0, UNESC_ACT_NOP }, + { U4+ 2, 'R', U4+ 3, U0+ 0, UNESC_ACT_NOP }, + { U4+ 3, 'I', U4+ 4, U0+ 0, UNESC_ACT_NOP }, + { U4+ 4, 'N', U4+ 5, U0+ 0, UNESC_ACT_NOP }, + { U4+ 5, 'G', U4+ 6, U0+ 0, UNESC_ACT_NOP }, + { U4+ 6, '.', U4+ 7, U0+ 0, UNESC_ACT_NOP }, + { U4+ 7, 'F', U4+ 8, U0+ 0, UNESC_ACT_NOP }, + { U4+ 8, 'R', U4+ 9, U0+ 0, UNESC_ACT_NOP }, + { U4+ 9, 'O', U4+10, U0+ 0, UNESC_ACT_NOP }, + { U4+10, 'M', U4+11, U0+ 0, UNESC_ACT_NOP }, + { U4+11, 'C', U4+12, U0+ 0, UNESC_ACT_NOP }, + { U4+12, 'H', U4+13, U0+ 0, UNESC_ACT_NOP }, + { U4+13, 'A', U4+14, U0+ 0, UNESC_ACT_NOP }, + { U4+14, 'R', U4+15, U0+ 0, UNESC_ACT_NOP }, + { U4+15, 'C', U4+16, U0+ 0, UNESC_ACT_NOP }, + { U4+16, 'O', U4+17, U0+ 0, UNESC_ACT_NOP }, + { 
U4+17, 'D', U4+18, U0+ 0, UNESC_ACT_NOP }, + { U4+18, 'E', U0+ 0, U0+ 0, UNESC_ACT_UNESCAPE }, + + { U5+ 0, 'D', U5+ 1, U6+ 0, UNESC_ACT_NOP }, + { U5+ 1, 'E', U5+ 2, U0+ 0, UNESC_ACT_NOP }, + { U5+ 2, 'C', U5+ 3, U0+ 0, UNESC_ACT_NOP }, + { U5+ 3, 'O', U5+ 4, U0+ 0, UNESC_ACT_NOP }, + { U5+ 4, 'D', U5+ 5, U0+ 0, UNESC_ACT_NOP }, + { U5+ 5, 'E', U5+ 6, U0+ 0, UNESC_ACT_NOP }, + { U5+ 6, 'U', U5+ 7, U0+ 0, UNESC_ACT_NOP }, + { U5+ 7, 'R', U5+ 8, U0+ 0, UNESC_ACT_NOP }, + { U5+ 8, 'I', U5+ 9, U0+ 0, UNESC_ACT_UNESCAPE }, + { U5+ 9, 'C', U5+10, U0+ 0, UNESC_ACT_NOP }, + { U5+10, 'O', U5+11, U0+ 0, UNESC_ACT_NOP }, + { U5+11, 'M', U5+12, U0+ 0, UNESC_ACT_NOP }, + { U5+12, 'P', U5+13, U0+ 0, UNESC_ACT_NOP }, + { U5+13, 'O', U5+14, U0+ 0, UNESC_ACT_NOP }, + { U5+14, 'N', U5+15, U0+ 0, UNESC_ACT_NOP }, + { U5+15, 'E', U5+16, U0+ 0, UNESC_ACT_NOP }, + { U5+16, 'N', U5+17, U0+ 0, UNESC_ACT_NOP }, + { U5+17, 'T', U0+ 0, U0+ 0, UNESC_ACT_UNESCAPE }, + + { U6+ 0, ')', U0+ 0, U7+ 0, UNESC_ACT_QUIT }, + + { U7+ 0, ANY, U0+ 0, U0+ 0, UNESC_ACT_NOP } + +}; + +#define P0 0 +#define P1 P0+3 +#define P2 P1+2 +#define P3 P2+2 +#define P4 P3+1 + +static JSNorm plus_norm[]= +{ + { P0+ 0, ' ', P0+ 0, P0+ 1, PNORM_ACT_SPACE }, + { P0+ 1, '"', P1+ 0, P0+ 2, PNORM_ACT_DQUOTES }, + { P0+ 2, '\'', P2+ 0, P3+ 0, PNORM_ACT_SQUOTES }, + + { P1+ 0, '"', P0+ 0, P1+ 1, PNORM_ACT_DQUOTES }, + { P1+ 1, ANY, P1+ 0, P1+ 0, PNORM_ACT_WITHIN_QUOTES }, + + { P2+ 0, '\'', P0+ 0, P2+ 1, PNORM_ACT_SQUOTES }, + { P2+ 1, ANY, P2+ 0, P2+ 0, PNORM_ACT_WITHIN_QUOTES }, + + { P3+ 0, '+', P0+ 0, P4+ 0, PNORM_ACT_PLUS }, + + { P4+ 0, ANY, P0+ 0, P0+ 0, PNORM_ACT_NOP } +}; + + +#define Z0 0 +#define Z1 Z0+9 +#define Z2 Z1+20 +#define Z3 Z2+19 +#define Z6 Z3+10 + +static JSNorm javascript_norm[] = +{ + { Z0+ 0, 'U', Z0+ 1, Z1+ 0, ACT_SAVE }, + { Z0+ 1, 'N', Z0+ 2, Z0+ 0, ACT_NOP }, + { Z0+ 2, 'E', Z0+ 3, Z0+ 0, ACT_NOP }, + { Z0+ 3, 'S', Z0+ 4, Z0+ 0, ACT_NOP }, + { Z0+ 4, 'C', Z0+ 5, Z0+ 0, ACT_NOP }, + { Z0+ 5, 'A', 
Z0+ 6, Z0+ 0, ACT_NOP }, + { Z0+ 6, 'P', Z0+ 7, Z0+ 0, ACT_NOP }, + { Z0+ 7, 'E', Z0+ 8, Z0+ 0, ACT_NOP }, + { Z0+ 8, '(', Z0+ 0, Z0+ 0, ACT_UNESCAPE }, + + { Z1+ 0, 'S', Z1+ 1, Z2+ 0, ACT_SAVE }, + { Z1+ 1, 'T', Z1+ 2, Z0+ 0, ACT_NOP }, + { Z1+ 2, 'R', Z1+ 3, Z0+ 0, ACT_NOP }, + { Z1+ 3, 'I', Z1+ 4, Z0+ 0, ACT_NOP }, + { Z1+ 4, 'N', Z1+ 5, Z0+ 0, ACT_NOP }, + { Z1+ 5, 'G', Z1+ 6, Z0+ 0, ACT_NOP }, + { Z1+ 6, '.', Z1+ 7, Z0+ 0, ACT_NOP }, + { Z1+ 7, 'F', Z1+ 8, Z0+ 0, ACT_NOP }, + { Z1+ 8, 'R', Z1+ 9, Z0+ 0, ACT_NOP }, + { Z1+ 9, 'O', Z1+10, Z0+ 0, ACT_NOP }, + { Z1+10, 'M', Z1+11, Z0+ 0, ACT_NOP }, + { Z1+11, 'C', Z1+12, Z0+ 0, ACT_NOP }, + { Z1+12, 'H', Z1+13, Z0+ 0, ACT_NOP }, + { Z1+13, 'A', Z1+14, Z0+ 0, ACT_NOP }, + { Z1+14, 'R', Z1+15, Z0+ 0, ACT_NOP }, + { Z1+15, 'C', Z1+16, Z0+ 0, ACT_NOP }, + { Z1+16, 'O', Z1+17, Z0+ 0, ACT_NOP }, + { Z1+17, 'D', Z1+18, Z0+ 0, ACT_NOP }, + { Z1+18, 'E', Z1+19, Z0+ 0, ACT_NOP }, + { Z1+19, '(', Z0+ 0, Z0+ 0, ACT_SFCC }, + + { Z2+ 0, 'D', Z2+ 1, Z3+ 0, ACT_SAVE }, + { Z2+ 1, 'E', Z2+ 2, Z0+ 0, ACT_NOP }, + { Z2+ 2, 'C', Z2+ 3, Z0+ 0, ACT_NOP }, + { Z2+ 3, 'O', Z2+ 4, Z0+ 0, ACT_NOP }, + { Z2+ 4, 'D', Z2+ 5, Z0+ 0, ACT_NOP }, + { Z2+ 5, 'E', Z2+ 6, Z0+ 0, ACT_NOP }, + { Z2+ 6, 'U', Z2+ 7, Z0+ 0, ACT_NOP }, + { Z2+ 7, 'R', Z2+ 8, Z0+ 0, ACT_NOP }, + { Z2+ 8, 'I', Z2+ 9, Z0+ 0, ACT_NOP }, + { Z2+ 9, 'C', Z2+10, Z2+18, ACT_NOP }, + { Z2+10, 'O', Z2+11, Z0+ 0, ACT_NOP }, + { Z2+11, 'M', Z2+12, Z0+ 0, ACT_NOP }, + { Z2+12, 'P', Z2+13, Z0+ 0, ACT_NOP }, + { Z2+13, 'O', Z2+14, Z0+ 0, ACT_NOP }, + { Z2+14, 'N', Z2+15, Z0+ 0, ACT_NOP }, + { Z2+15, 'E', Z2+16, Z0+ 0, ACT_NOP }, + { Z2+16, 'N', Z2+17, Z0+ 0, ACT_NOP }, + { Z2+17, 'T', Z2+18, Z0+ 0, ACT_NOP }, + { Z2+18, '(', Z0+ 0, Z0+ 0, ACT_UNESCAPE }, + + + { Z3+ 0, '<', Z3+ 1, Z6+ 0, ACT_NOP }, + { Z3+ 1, '/', Z3+ 2, Z0+ 0, ACT_NOP }, + { Z3+ 2, 'S', Z3+ 3, Z0+ 0, ACT_NOP }, + { Z3+ 3, 'C', Z3+ 4, Z0+ 0, ACT_NOP }, + { Z3+ 4, 'R', Z3+ 5, Z0+ 0, ACT_NOP }, + { Z3+ 5, 'I', Z3+ 6, Z0+ 
0, ACT_NOP }, + { Z3+ 6, 'P', Z3+ 7, Z0+ 0, ACT_NOP }, + { Z3+ 7, 'T', Z3+ 8, Z0+ 0, ACT_NOP }, + { Z3+ 8, '>', Z3+ 0, Z3+ 9, ACT_QUIT }, + { Z3+ 9, ANY, Z3+ 8, Z3+ 8, ACT_NOP }, + + + { Z6+ 0, ANY, Z0+ 0, Z0+ 0, ACT_NOP } + +}; + + +void UnescapeDecode(char *, uint16_t , char **, char **, uint16_t *, JSState *, int *); + +void InitJSNormLookupTable(void) +{ + int iNum; + int iCtr; + + memset(hex_lookup, INVALID_HEX_VAL, sizeof(hex_lookup)); + memset(valid_chars, 0, sizeof(valid_chars)); + + iNum = 0; + + for(iCtr = 48; iCtr < 56; iCtr++) + { + hex_lookup[iCtr] = iNum; + valid_chars[iCtr] = (IS_HEX|IS_OCT|IS_DEC); + iNum++; + } + + for(iCtr = 56; iCtr < 58; iCtr++) + { + hex_lookup[iCtr] = iNum; + valid_chars[iCtr] = (IS_HEX|IS_DEC); + iNum++; + } + + iNum = 10; + for(iCtr = 65; iCtr < 71; iCtr++) + { + valid_chars[iCtr] = IS_HEX; + hex_lookup[iCtr] = iNum; + iNum++; + } + + iNum = 10; + for(iCtr = 97; iCtr < 103; iCtr++) + { + valid_chars[iCtr] = IS_HEX; + hex_lookup[iCtr] = iNum; + iNum++; + } +} + +static inline int outBounds(const char *start, const char *end, char *ptr) +{ + if((ptr >= start) && (ptr < end)) + return 0; + else + return -1; +} + +static inline void CheckWSExceeded(JSState *js, uint16_t *num_spaces) +{ + if(js->allowed_spaces && (*num_spaces > js->allowed_spaces)) + { + js->alerts |= ALERT_SPACES_EXCEEDED; + } + + *num_spaces = 0; + +} + +static void WriteDecodedPNorm(PNormState *s, int c, JSState *js) +{ + const char *dstart, *dend; + char *dptr; + + dstart = s->output.data; + dend = s->output.data + s->output.size; + dptr = s->output.data + s->output.len; + + CheckWSExceeded(js, &(s->num_spaces)); + + if(dptr < dend) + { + *dptr = (char)c; + dptr++; + } + + s->output.len = dptr - dstart; +} + +static int PNorm_exec (PNormState *s, ActionPNorm a, int c, JSState *js) +{ + char *cur_ptr; + int iRet = RET_OK; + + cur_ptr = s->output.data+ s->output.len; + + switch(a) + { + case PNORM_ACT_DQUOTES: + if(s->prev_event == '\\') + { + s->fsm = 
s->fsm_other; + WriteDecodedPNorm(s, c, js); + break; + } + s->d_quotes++; + if( s->d_quotes == 2) + { + s->overwrite = cur_ptr; + WriteDecodedPNorm(s, c, js); + s->d_quotes = 0; + break; + } + if(s->prev_event == '+') + { + s->prev_event = 0; + if( s->overwrite && (s->overwrite < cur_ptr)) + { + s->output.len = s->overwrite - s->output.data; + } + else + { + WriteDecodedPNorm(s, c, js); + } + } + else + { + WriteDecodedPNorm(s, c, js); + } + break; + case PNORM_ACT_NOP: + s->prev_event = c; + s->overwrite = NULL; + WriteDecodedPNorm(s, c, js); + break; + case PNORM_ACT_PLUS: + s->prev_event = '+'; + WriteDecodedPNorm(s, c, js); + break; + case PNORM_ACT_SPACE: + if( s->num_spaces == 0) + { + WriteDecodedPNorm(s, c, js); + } + s->num_spaces++; + break; + case PNORM_ACT_SQUOTES: + if(s->prev_event == '\\') + { + s->fsm = s->fsm_other; + WriteDecodedPNorm(s, c, js); + break; + } + s->s_quotes++; + if( s->s_quotes == 2) + { + s->overwrite = cur_ptr; + WriteDecodedPNorm(s, c, js); + s->s_quotes = 0; + break; + } + if(s->prev_event == '+') + { + s->prev_event = 0; + if( s->overwrite && (s->overwrite < cur_ptr)) + { + s->output.len = s->overwrite - s->output.data; + } + else + { + WriteDecodedPNorm(s, c, js); + } + } + else + { + WriteDecodedPNorm(s, c, js); + } + break; + case PNORM_ACT_WITHIN_QUOTES: + s->prev_event = c; + WriteDecodedPNorm(s, c, js); + default: + break; + + } + + return iRet; + +} + +static int PNorm_scan_fsm(PNormState* s, int c, JSState *js) +{ + char uc; + JSNorm *m = plus_norm + s->fsm; + + uc = toupper(c); + + if(isspace(c)) + { + c = uc =' '; + } + + + do + { + if ( !m->event || ( m->event == uc)) + { + s->fsm = m->match; + s->fsm_other = m->other; + break; + } + + s->fsm = m->other; + m = plus_norm + s->fsm; + } while ( 1 ); + + return(PNorm_exec(s, m->action, c, js)); +} + +int PNormDecode(char *src, uint16_t srclen, char *dst, uint16_t dstlen, uint16_t *bytes_copied, JSState *js) +{ + int iRet; + const char *end; + char *ptr; + PNormState s; 
+ + end = src + srclen; + ptr = src; + + s.fsm = 0; + s.prev_event = 0; + s.d_quotes = 0; + s.s_quotes = 0; + s.output.data = dst; + s.output.size = dstlen; + s.output.len = 0; + s.overwrite = NULL; + s.num_spaces = 0; + s.fsm_other = 0; + + while(ptr < end) + { + iRet = PNorm_scan_fsm(&s, *ptr, js); + ptr++; + } + + dst = s.output.data; + *bytes_copied = s.output.len; + + return iRet; + +} + +int ConvertToChar( uint16_t flags, uint8_t *buf, uint8_t buflen) +{ + int val = 0; + char *p = NULL; + buf[buflen] = ANY; + + if(flags & IS_DEC) + { + val = strtoul( (const char *)buf, &p, 10); + } + else if(flags & IS_OCT) + { + val = strtoul( (const char *)buf, &p, 8); + } + else if (flags & IS_HEX) + { + val = strtoul( (const char *)buf, &p, 16); + } + + return val; +} + +static void WriteDecodedSFCC(SFCCState *s) +{ + char *start = s->output.data; + char *end = s->output.data + s->output.size; + uint16_t len = s->output.len; + char *ptr = s->output.data + len; + int copy_len = 0; + + if(ptr < end) + { + if(s->cur_flags) + { + *ptr = (char)ConvertToChar(s->cur_flags, s->buf, s->buflen); + ptr++; + } + else + { + if((end - ptr) < s->buflen) + copy_len = end - ptr; + else + copy_len = s->buflen; + memcpy(ptr , s->buf , copy_len); + ptr = ptr + copy_len; + } + } + + s->output.len = (ptr -start); + s->cur_flags = 0; + s->buflen = 0; + +} + + +static int SFCC_exec (SFCCState *s, ActionSFCC a, int c) +{ + int iRet = RET_OK; + switch(a) + { + case SFCC_ACT_NOP: + break; + case SFCC_ACT_QUIT: + WriteDecodedSFCC(s); + iRet = RET_QUIT; + break; + case SFCC_ACT_INV: + WriteDecodedSFCC(s); + iRet = RET_INV; + break; + case SFCC_ACT_DEC: + if( s->buflen < MAX_BUF) + { + s->buf[s->buflen] = c; + s->buflen++; + s->cur_flags = IS_DEC; + } + else + { + s->cur_flags = 0; + WriteDecodedSFCC(s); + } + break; + case SFCC_ACT_OCT: + if( s->buflen < MAX_BUF) + { + s->buf[s->buflen] = c; + s->buflen++; + s->cur_flags = IS_OCT; + } + else + { + s->cur_flags = 0; + WriteDecodedSFCC(s); + } + break; 
+ case SFCC_ACT_HEX: + if( s->buflen < MAX_BUF) + { + s->buf[s->buflen] = c; + s->buflen++; + s->cur_flags = IS_HEX; + } + else + { + s->cur_flags = 0; + WriteDecodedSFCC(s); + } + break; + case SFCC_ACT_COMMA: + case SFCC_ACT_SPACE: + WriteDecodedSFCC(s); + s->cur_flags = 0; + break; + default: + break; + } + + s->alert_flags |= s->cur_flags; + return iRet; +} + +static int SFCC_scan_fsm (SFCCState* s, int c) +{ + int indexed = 0; + int value = 0; + int uc; + JSNorm *m = sfcc_norm + s->fsm; + + + uc = toupper(c); + + if(isspace(c)) + return (SFCC_exec(s, SFCC_ACT_SPACE, c)); + + value = valid_chars[uc]; + + if(value) + indexed = 1; + + + do + { + if ( !m->event || ((indexed && ((m->event & value) == m->event)) || ( m->event == uc))) + { + s->fsm = m->match; + break; + } + s->fsm = m->other; + m = sfcc_norm + s->fsm; + } + while ( 1 ); + + return(SFCC_exec(s, m->action, c)); + + +} + +void StringFromCharCodeDecode(char *src, uint16_t srclen, char **ptr, char **dst, uint16_t *bytes_copied, JSState *js, int *iis_unicode_map) +{ + int iRet; + const char *start, *end; + SFCCState s; + uint16_t alert = 0; + + start = src; + end = src + srclen; + + s.buflen = 0; + s.fsm = 0; + s.output.data = decoded_out; + s.output.size = sizeof(decoded_out); + s.output.len = 0; + s.cur_flags = s.alert_flags = 0; + + while(!outBounds(start, end, *ptr)) + { + iRet = SFCC_scan_fsm(&s, **ptr); + if(iRet != RET_OK) + { + if( (iRet == RET_INV) && ((*ptr - 1) > start )) + (*ptr)--; + + break; + } + (*ptr)++; + } + + alert = s.alert_flags; + + //alert mixed encodings + if(alert != ( alert & -alert)) + { + js->alerts |= ALERT_MIXED_ENCODINGS; + } + UnescapeDecode(s.output.data, s.output.len, &(s.output.data), &(s.output.data), &(s.output.len), js, iis_unicode_map); + + *dst = s.output.data; + *bytes_copied = s.output.len; + +} +static void WriteDecodedUnescape(UnescapeState *s, int c, JSState *js) +{ + const char *dstart, *dend; + char *dptr; + + dstart = s->output.data; + dend = s->output.data 
+ s->output.size; + dptr = s->output.data + s->output.len; + + CheckWSExceeded(js, &(s->num_spaces)); + + if(dptr < dend) + { + *dptr = (char)c; + dptr++; + } + + s->output.len = dptr - dstart; +} + +static int Unescape_exec (UnescapeState *s, ActionUnsc a, int c, JSState *js) +{ + char *cur_ptr; + int iRet = RET_OK; + + cur_ptr = s->output.data+ s->output.len; + + switch(a) + { + case UNESC_ACT_BACKSLASH: + s->prev_action = 0; + s->alert_flags |= IS_BACKSLASH; + s->iNorm <<= 4; + s->iNorm = (s->iNorm | (hex_lookup[c])); + if( s->overwrite && (s->overwrite < cur_ptr)) + { + s->output.len = s->overwrite - s->output.data; + } + s->overwrite = NULL; + WriteDecodedUnescape(s, s->iNorm, js); + s->iNorm = 0; + break; + case UNESC_ACT_CONV: + s->prev_action = 0; + s->iNorm <<= 4; + s->iNorm = (s->iNorm | (hex_lookup[c])); + WriteDecodedUnescape(s, c, js); + break; + case UNESC_ACT_NOP: + s->prev_action = 0; + s->iNorm = 0; + s->overwrite = NULL; + WriteDecodedUnescape(s, c, js); + break; + case UNESC_ACT_PAREN: + if(s->prev_action == UNESC_ACT_UNESCAPE) + { + s->prev_action = 0; + s->multiple_levels++; + } + s->iNorm = 0; + if(s->paren_count > 0) + WriteDecodedUnescape(s, c, js); + s->paren_count++; + break; + case UNESC_ACT_PERCENT: + s->prev_action = 0; + s->alert_flags |= IS_PERCENT; + s->iNorm <<= 4; + s->iNorm = (s->iNorm | (hex_lookup[c])); + if( s->overwrite && (s->overwrite < cur_ptr)) + { + s->output.len = s->overwrite - s->output.data; + } + s->overwrite = NULL; + WriteDecodedUnescape(s, s->iNorm, js); + s->iNorm = 0; + break; + case UNESC_ACT_QUIT: + s->prev_action = 0; + s->iNorm = 0; + s->overwrite = NULL; + if(s->paren_count) + s->paren_count--; + + if( s->paren_count == 0 ) + iRet = RET_QUIT; + else + WriteDecodedUnescape(s, c, js); + break; + case UNESC_ACT_SAVE: + s->prev_action = 0; + s->iNorm = 0; + s->overwrite = cur_ptr; + WriteDecodedUnescape(s, c, js); + break; + case UNESC_ACT_SAVE_NOP: + s->prev_action = 0; + s->iNorm = 0; + 
WriteDecodedUnescape(s, c, js); + break; + case UNESC_ACT_SPACE: + s->iNorm = 0; + if(s->prev_event == '\'' || s->prev_event =='"') + { + WriteDecodedUnescape(s, c, js); + return iRet; + } + if( s->prev_event != ' ') + { + WriteDecodedUnescape(s, c, js); + } + s->num_spaces++; + break; + case UNESC_ACT_UBACKSLASH: + s->prev_action = 0; + s->alert_flags |= IS_UBACKSLASH; + s->iNorm <<= 4; + s->iNorm = (s->iNorm | (hex_lookup[c])); + if( s->overwrite && (s->overwrite < cur_ptr)) + { + s->output.len = s->overwrite - s->output.data; + } + s->overwrite = NULL; + + if( s->iNorm > 0xff ) + { + if(s->unicode_map && (s->iNorm <= 0xffff)) + { + s->iNorm = s->unicode_map[s->iNorm]; + if(s->iNorm == -1) + s->iNorm = NON_ASCII_CHAR; + } + else + { + s->iNorm = NON_ASCII_CHAR; + } + } + WriteDecodedUnescape(s, s->iNorm, js); + s->iNorm = 0; + break; + case UNESC_ACT_UPERCENT: + s->prev_action = 0; + s->alert_flags |= IS_UPERCENT; + s->iNorm <<= 4; + s->iNorm = (s->iNorm | (hex_lookup[c])); + if( s->overwrite && (s->overwrite < cur_ptr)) + { + s->output.len = s->overwrite - s->output.data; + } + s->overwrite = NULL; + if( s->iNorm > 0xff ) + { + if(s->unicode_map && (s->iNorm <= 0xffff)) + { + s->iNorm = s->unicode_map[s->iNorm]; + if(s->iNorm == -1) + s->iNorm = NON_ASCII_CHAR; + } + else + { + s->iNorm = NON_ASCII_CHAR; + } + } + WriteDecodedUnescape(s, s->iNorm, js); + s->iNorm = 0; + break; + case UNESC_ACT_UNESCAPE: + /* Save the action and wait till parenthesis to increment the multiple_levels. 
+ * Only space is allowed between this action and parentheses */ + s->prev_action = a; + s->iNorm = 0; + WriteDecodedUnescape(s, c, js); + break; + default: + break; + } + + s->prev_event = c; + return iRet; +} + +static int Unescape_scan_fsm (UnescapeState* s, int c, JSState *js) +{ + int indexed = 0; + int value = 0; + int uc; + JSNorm *m = unescape_norm + s->fsm; + + uc = toupper(c); + + if(isspace(c)) + { + c = uc =' '; + return(Unescape_exec(s, UNESC_ACT_SPACE, c, js)); + } + + + value = valid_chars[uc]; + + if(value) + indexed = 1; + + do + { + if ( !m->event || ( ( m->event == uc) || (indexed && ((m->event & value) == m->event)))) + { + s->fsm = m->match; + break; + } + s->fsm = m->other; + m = unescape_norm + s->fsm; + } + while ( 1 ); + + return(Unescape_exec(s, m->action, c, js)); + +} + +void UnescapeDecode(char *src, uint16_t srclen, char **ptr, char **dst, uint16_t *bytes_copied, JSState *js, int *iis_unicode_map) +{ + int iRet; + const char *start, *end; + UnescapeState s; + uint16_t alert = 0; + + start = src; + end = src + srclen; + + s.iNorm = 0; + s.fsm = 0; + s.output.data = decoded_out; + s.output.size = sizeof(decoded_out); + s.output.len = 0; + s.alert_flags = 0; + s.prev_event = 0; + s.prev_action = 0; + s.overwrite = NULL; + s.multiple_levels = 1; + s.unicode_map = iis_unicode_map; + s.num_spaces = 0; + s.paren_count = 0; + + while(!outBounds(start, end, *ptr)) + { + iRet = Unescape_scan_fsm(&s, **ptr, js); + if(iRet != RET_OK) + { + /*if( (iRet == RET_INV) && ((*ptr - 1) > start )) + (*ptr)--;*/ + + break; + } + (*ptr)++; + } + + alert = s.alert_flags; + + //alert mixed encodings + if(alert != ( alert & -alert)) + { + js->alerts |= ALERT_MIXED_ENCODINGS; + } + + if(s.multiple_levels > js->allowed_levels) + { + js->alerts |= ALERT_LEVELS_EXCEEDED; + } + + PNormDecode(s.output.data, s.output.len, s.output.data, s.output.len, bytes_copied, js); + *dst = s.output.data; + //*bytes_copied = s.output.len; +} + +static inline void 
WriteJSNormChar(JSNormState *s, int c, JSState *js) +{ + const char *dstart, *dend; + char *dptr; + + dstart = s->dest.data; + dend = s->dest.data + s->dest.size; + dptr = s->dest.data + s->dest.len; + + CheckWSExceeded(js, &(s->num_spaces)); + + if(!outBounds(dstart, dend, dptr)) + { + *dptr = (char)c; + dptr++; + } + s->dest.len = dptr - dstart; +} + +static void WriteJSNorm(JSNormState *s, char *copy_buf, uint16_t copy_len, JSState *js) +{ + const char *end, *dstart, *dend; + char *ptr, *dptr; + + ptr = copy_buf; + end = copy_buf + copy_len; + + dstart = s->dest.data; + dend = s->dest.data + s->dest.size; + dptr = s->dest.data + s->dest.len; + + CheckWSExceeded(js, &(s->num_spaces)); + + if(ptr < end) + { + if((dend - dptr) < copy_len ) + { + copy_len = dend - dptr; + } + memcpy(dptr, ptr, copy_len); + dptr = dptr + copy_len; + } + + s->dest.len = dptr - dstart; +} + +static int JSNorm_exec(JSNormState *s, ActionJSNorm a, int c, char *src, uint16_t srclen, char **ptr, JSState *js) +{ + char *cur_ptr; + int iRet = RET_OK; + uint16_t bcopied = 0; + char *dest; + cur_ptr = s->dest.data+ s->dest.len; + switch(a) + { + case ACT_NOP: + WriteJSNormChar(s, c, js); + break; + case ACT_SAVE: + s->overwrite = cur_ptr; + WriteJSNormChar(s, c, js); + break; + case ACT_SPACE: + if( s->prev_event != ' ') + { + WriteJSNormChar(s, c, js); + } + s->num_spaces++; + break; + case ACT_UNESCAPE: + if(s->overwrite && (s->overwrite < cur_ptr)) + { + s->dest.len = s->overwrite - s->dest.data; + } + UnescapeDecode(src, srclen, ptr, &dest, &bcopied, js, s->unicode_map); + WriteJSNorm(s, dest, bcopied, js); + break; + case ACT_SFCC: + if( s->overwrite && (s->overwrite < cur_ptr)) + { + + s->dest.len = s->overwrite - s->dest.data; + } + StringFromCharCodeDecode(src, srclen, ptr, &dest, &bcopied, js, s->unicode_map); + WriteJSNorm(s, dest, bcopied, js); + break; + case ACT_QUIT: + iRet = RET_QUIT; + WriteJSNormChar(s, c, js); + break; + default: + break; + } + + s->prev_event = c; + + return 
iRet; +} + +static int JSNorm_scan_fsm (JSNormState* s, int c, char *src, uint16_t srclen, char **ptr, JSState *js) +{ + char uc; + JSNorm *m = javascript_norm + s->fsm; + + + uc = toupper(c); + + if(isspace(c)) + { + c = uc =' '; + return(JSNorm_exec(s, ACT_SPACE, c, src, srclen, ptr, js)); + } + + + do + { + if (!m->event || (m->event == uc)) + { + s->fsm = m->match; + break; + } + s->fsm = m->other; + m = javascript_norm + s->fsm; + }while ( 1 ); + + return(JSNorm_exec(s, m->action, c, src, srclen, ptr, js)); +} + +int JSNormalizeDecode(char *src, uint16_t srclen, char *dst, uint16_t destlen, char **ptr, int *bytes_copied, JSState *js, int *iis_unicode_map) +{ + int iRet; + const char *start, *end; + JSNormState s; + + if(js == NULL) + { + return RET_QUIT; + } + + start = src; + end = src + srclen; + + s.fsm = 0; + s.overwrite = NULL; + s.dest.data = dst; + s.dest.size = destlen; + s.dest.len = 0; + s.prev_event = 0; + s.unicode_map = iis_unicode_map; + s.num_spaces = 0; + + while(!outBounds(start, end, *ptr)) + { + iRet = JSNorm_scan_fsm(&s, **ptr, src, srclen, ptr, js); + if(iRet != RET_OK) + { + break; + } + (*ptr)++; + } + + if(!outBounds(start, end, *ptr) && (iRet == RET_QUIT)) + { + (*ptr)++; + } + + dst = s.dest.data; + *bytes_copied = s.dest.len; + + return RET_OK; +} + + +/* +int main(int argc, char *argv[]) +{ + FILE *iFile = NULL; + FILE *oFile = NULL; + char input[65535]; + char output[65535]; + int bytes_copied = 0; + int bytes_read = 0; + int ret = 0; + char *ptr = input; + JSState js; + + if( argc == 3 ) + { + iFile = fopen(argv[1], "r"); + oFile = fopen(argv[2], "w"); + } + + if(!oFile || !iFile) + { + fprintf(stderr, "usage: %s <in_file> <out_file>\n", argv[0]); + return -1; + } + + bytes_read = fread(input, 1, sizeof(input), iFile); + js.allowed_spaces = 3; + js.allowed_levels = 1; + js.alerts = 0; + + InitJSNormLookupTable(); + ret = JSNormalizeDecode(input, bytes_read, output, sizeof(output),&ptr, &bytes_copied, &js, NULL); + if( ret == 
RET_OK) + { + fwrite( output, 1, bytes_copied, oFile); + printf("OUTPUT IS %.*s\n",bytes_copied,output); + printf("REMAINING is %s\n",ptr); + if( js.alerts & ALERT_MIXED_ENCODINGS ) + printf("ALERT MIXED ENCODINGS\n"); + if(js.alerts & ALERT_SPACES_EXCEEDED) + printf("ALERT SPACES EXCEEDED\n"); + if(js.alerts & ALERT_LEVELS_EXCEEDED) + printf("ALERT LEVELS EXCEEDED\n"); + } + fclose(iFile); + fclose(oFile); + return 0; + +}*/ diff -Nru snort-2.9.0.1/src/sfutil/util_jsnorm.h snort-2.9.2/src/sfutil/util_jsnorm.h --- snort-2.9.0.1/src/sfutil/util_jsnorm.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_jsnorm.h 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,45 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** Writen by Bhagyashree Bantwal <bbantwal@sourcefire.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#include <stdio.h> +#include<stdlib.h> +#include<string.h> +#include<stdint.h> +#include<ctype.h> + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#define ALERT_SPACES_EXCEEDED 0x1 +#define ALERT_LEVELS_EXCEEDED 0x2 +#define ALERT_MIXED_ENCODINGS 0x4 + +#define MAX_ALLOWED_OBFUSCATION 1 + +typedef struct { + int allowed_spaces; + int allowed_levels; + uint16_t alerts; +}JSState; + +int JSNormalizeDecode(char *, uint16_t , char *, uint16_t destlen, char **, int *, JSState *, int *); +void InitJSNormLookupTable(void); diff -Nru snort-2.9.0.1/src/sfutil/util_math.c snort-2.9.2/src/sfutil/util_math.c --- snort-2.9.0.1/src/sfutil/util_math.c 2010-01-26 10:10:29.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_math.c 2011-06-07 17:33:21.000000000 -0700 
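Review bot: The new util_jsnorm.h has no include guard, so a translation unit that sees it twice (directly and through another header) gets the JSState typedef redefined; the sibling util_unfold.h added by this same patch wraps its body in `#ifndef _UTIL_UNFOLD_H_` / `#define _UTIL_UNFOLD_H_` … `#endif`, and this header should do the same with `_UTIL_JSNORM_H_`. The `#ifdef HAVE_CONFIG_H` / `#include "config.h"` block is also placed after the system headers, whereas the other files touched by this patch (util_math.c, util_utf.c, signature.c) include config.h before anything else; moving it to the top keeps any feature-test macros from config.h effective for <stdio.h> and friends. A short comment on JSState saying that allowed_spaces and allowed_levels are inputs the caller must set before calling JSNormalizeDecode and that alerts is an output bitmask of the ALERT_* values would spare readers a trip into util_jsnorm.c, where the commented-out driver is currently the only place that shows this.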
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -18,36 +18,40 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ - + /** * @file util_math.c * @author Chris Green <cmg@sourcefire.com> * @date Fri Jun 27 10:12:57 2003 - * + * * @brief math related util functions - * + * * Place simple math functions that are useful all over the place * here. */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "util_math.h" #include "sf_types.h" -/** +/** * Calculate the percentage of something. * * If the total is <= 0, we return 0. - * + * * @param amt amount to that you have * @param total amount there is - * + * * @return a/b * 100 */ double calc_percent(double amt, double total) { if(total <= 0.0) - return 0.0; - + return 0.0; + return (amt/total) * 100.0; } diff -Nru snort-2.9.0.1/src/sfutil/util_math.h snort-2.9.2/src/sfutil/util_math.h --- snort-2.9.0.1/src/sfutil/util_math.h 2010-01-26 10:10:29.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_math.h 2011-02-09 15:23:38.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/util_net.c snort-2.9.2/src/sfutil/util_net.c --- snort-2.9.0.1/src/sfutil/util_net.c 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_net.c 2011-02-09 15:23:38.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/util_net.h snort-2.9.2/src/sfutil/util_net.h --- snort-2.9.0.1/src/sfutil/util_net.h 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_net.h 2011-02-09 15:23:38.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/util_str.c snort-2.9.2/src/sfutil/util_str.c --- snort-2.9.0.1/src/sfutil/util_str.c 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_str.c 2011-02-09 15:23:38.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/util_str.h snort-2.9.2/src/sfutil/util_str.h --- snort-2.9.0.1/src/sfutil/util_str.h 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_str.h 2011-02-09 15:23:38.000000000 -0800 
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/sfutil/util_unfold.c snort-2.9.2/src/sfutil/util_unfold.c --- snort-2.9.0.1/src/sfutil/util_unfold.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_unfold.c 2011-07-13 15:44:51.000000000 -0700 
@@ -0,0 +1,191 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** Writen by Bhagyashree Bantwal <bbantwal@sourcefire.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "util_unfold.h" + + +/* Given a string, removes header folding (\r\n followed by linear whitespace) + * and exits when the end of a header is found, defined as \n followed by a + * non-whitespace. This is especially helpful for HTML. + */ +int sf_unfold_header(const uint8_t *inbuf, uint32_t inbuf_size, uint8_t *outbuf, + uint32_t outbuf_size, uint32_t *output_bytes, int trim_spaces, int *folded) +{ + int num_spaces = 0; + const uint8_t *cursor, *endofinbuf; + uint8_t *outbuf_ptr; + + uint32_t n = 0; + + int httpheaderfolding = 0; + int folding_present = 0; + + cursor = inbuf; + endofinbuf = inbuf + inbuf_size; + outbuf_ptr = outbuf; + + /* Keep adding chars until we get to the end of the line. If we get to the + * end of the line and the next line starts with a tab or space, add the space + * to the buffer and keep reading. If the next line does not start with a + * tab or space, stop reading because that's the end of the header. 
*/ + while((cursor < endofinbuf) && (n < outbuf_size)) + { + if(((*cursor == ' ') || (*cursor == '\t'))) + { + if(folding_present) + num_spaces++; + if(httpheaderfolding) + { + num_spaces++; + folding_present = 1; + httpheaderfolding = 0; + } + else if(!trim_spaces) + { + /* Spaces are valid except after CRs */ + *outbuf_ptr++ = *cursor; + } + } + else if((*cursor == '\n') && (httpheaderfolding != 1)) + { + /* Can't have multiple LFs in a row, but if we get one it + * needs to be followed by at least one space */ + httpheaderfolding = 1; + } + else if((*cursor == '\r') && !httpheaderfolding) + { + /* CR needs to be followed by LF and can't start a line */ + httpheaderfolding = 2; + } + else if(!httpheaderfolding) + { + *outbuf_ptr++ = *cursor; + n++; + } + else + { + /* We have reached the end of the header */ + /* Unless we get multiple CRs, which is suspicious, but not for us to decide */ + break; + } + cursor++; + } + if(n < outbuf_size) + *outbuf_ptr = '\0'; + else + outbuf[outbuf_size - 1] = '\0'; + + *output_bytes = outbuf_ptr - outbuf; + if(folded) + *folded = num_spaces; + return 0; +} + + +/* Strips the CRLF from the input buffer */ + +int sf_strip_CRLF(const uint8_t *inbuf, uint32_t inbuf_size, uint8_t *outbuf, + uint32_t outbuf_size, uint32_t *output_bytes) +{ + const uint8_t *cursor, *endofinbuf; + uint8_t *outbuf_ptr; + uint32_t n = 0; + + if( !inbuf || !outbuf) + return -1; + + cursor = inbuf; + endofinbuf = inbuf + inbuf_size; + outbuf_ptr = outbuf; + while((cursor < endofinbuf) && (n < outbuf_size)) + { + if((*cursor != '\n') && (*cursor != '\r')) + { + *outbuf_ptr++ = *cursor; + n++; + } + cursor++; + } + + if(output_bytes) + *output_bytes = outbuf_ptr - outbuf; + + return(0); +} + +/* Strips the LWS at the end of line. 
+ * Only strips the LWS before LF or CRLF + */ + +int sf_strip_LWS(const uint8_t *inbuf, uint32_t inbuf_size, uint8_t *outbuf, + uint32_t outbuf_size, uint32_t *output_bytes) +{ + const uint8_t *cursor, *endofinbuf; + uint8_t *outbuf_ptr; + uint32_t n = 0; + uint8_t lws = 0; + + if( !inbuf || !outbuf) + return -1; + + cursor = inbuf; + endofinbuf = inbuf + inbuf_size; + outbuf_ptr = outbuf; + while((cursor < endofinbuf) && (n < outbuf_size)) + { + if((*cursor != '\n') && (*cursor != '\r')) + { + if((*cursor != ' ') && (*cursor != '\t')) + lws = 0; + else + lws = 1; + *outbuf_ptr++ = *cursor; + n++; + } + else + { + if(lws) + { + lws = 0; + while( n > 0 ) + { + if((*(outbuf_ptr-1) != ' ') && (*(outbuf_ptr-1) !='\t')) + break; + n--; + outbuf_ptr--; + } + } + + *outbuf_ptr++ = *cursor; + n++; + } + cursor++; + } + + if(output_bytes) + *output_bytes = outbuf_ptr - outbuf; + + return(0); +} diff -Nru snort-2.9.0.1/src/sfutil/util_unfold.h snort-2.9.2/src/sfutil/util_unfold.h --- snort-2.9.0.1/src/sfutil/util_unfold.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/sfutil/util_unfold.h 2011-06-07 17:33:21.000000000 -0700 
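Review bot: In sf_unfold_header the whitespace branch stores a byte without counting it — `*outbuf_ptr++ = *cursor;` under `else if(!trim_spaces)` has no `n++`, unlike the `else if(!httpheaderfolding)` branch — so the loop guard `n < outbuf_size` does not bound those writes, and a header made mostly of spaces or tabs can push outbuf_ptr past outbuf + outbuf_size; the `*outbuf_ptr = '\0'` after the loop then lands out of bounds as well. Since this presumably runs on header bytes taken from the wire, every stored byte must be counted: `*outbuf_ptr++ = *cursor; n++;` in that branch keeps n equal to outbuf_ptr - outbuf, which the terminator logic relies on. Separately, when the loop exits with n == outbuf_size the function overwrites the last stored byte with a NUL but still reports *output_bytes as outbuf_size; either reserve a byte for the terminator in the loop guard or document that the output is not NUL-terminated when it fills the buffer.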
@@ -0,0 +1,31 @@ +/* + ** Copyright (C) 1998-2011 Sourcefire, Inc. + ** + ** Writen by Bhagyashree Bantwal <bbantwal@sourcefire.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU General Public License Version 2 as + ** published by the Free Software Foundation. You may not use, modify or + ** distribute this program under any other version of the GNU General + ** Public License. + ** + ** This program is distributed in the hope that it will be useful, + ** but WITHOUT ANY WARRANTY; without even the implied warranty of + ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + ** GNU General Public License for more details. + ** + ** You should have received a copy of the GNU General Public License + ** along with this program; if not, write to the Free Software + ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifndef _UTIL_UNFOLD_H_ +#define _UTIL_UNFOLD_H_ + +#include "sf_types.h" + +int sf_unfold_header(const uint8_t*, uint32_t, uint8_t*, uint32_t, uint32_t*, int, int * ); +int sf_strip_CRLF(const uint8_t*, uint32_t, uint8_t*, uint32_t, uint32_t*); +int sf_strip_LWS(const uint8_t*, uint32_t, uint8_t*, uint32_t, uint32_t*); + +#endif diff -Nru snort-2.9.0.1/src/sfutil/util_utf.c snort-2.9.2/src/sfutil/util_utf.c --- snort-2.9.0.1/src/sfutil/util_utf.c 2010-09-27 08:28:15.000000000 -0700 +++ snort-2.9.2/src/sfutil/util_utf.c 2011-10-26 07:49:57.000000000 -0700 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2010 Sourcefire, Inc. + * Copyright (C) 2010-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -23,6 +23,10 @@ #include <stdlib.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "util_utf.h" #define DSTATE_FIRST 0 
@@ -60,6 +64,7 @@ if (dstate == NULL) return DECODE_UTF_FAILURE; + dstate->state = DSTATE_FIRST; dstate->charset = charset; return DECODE_UTF_SUCCESS; } @@ -83,7 +88,7 @@ * * returns: DECODE_UTF_SUCCESS or DECODE_UTF_FAILURE */ - + static int DecodeUTF16LE(char *src, unsigned int src_len, char *dst, unsigned int dst_len, int *bytes_copied, decode_utf_state_t *dstate) { char *src_index = src; @@ -108,6 +113,8 @@ result = DECODE_UTF_FAILURE; dstate->state = DSTATE_FIRST; break; + default: + return DECODE_UTF_FAILURE; } } @@ -127,7 +134,7 @@ * * returns: DECODE_UTF_SUCCESS or DECODE_UTF_FAILURE */ - + static int DecodeUTF16BE(char *src, unsigned int src_len, char *dst, unsigned int dst_len, int *bytes_copied, decode_utf_state_t *dstate) { char *src_index = src; @@ -152,6 +159,8 @@ *dst_index++ = *src_index++; dstate->state = DSTATE_FIRST; break; + default: + return DECODE_UTF_FAILURE; } } @@ -171,7 +180,7 @@ * * returns: DECODE_UTF_SUCCESS or DECODE_UTF_FAILURE */ - + static int DecodeUTF32LE(char *src, unsigned int src_len, char *dst, unsigned int dst_len, int *bytes_copied, decode_utf_state_t *dstate) { char *src_index = src; @@ -201,9 +210,11 @@ else dstate->state++; break; + default: + return DECODE_UTF_FAILURE; } } - + *bytes_copied = (int) (dst_index - dst); return result; @@ -220,7 +231,7 @@ * * returns: DECODE_UTF_SUCCESS or DECODE_UTF_FAILURE */ - + static int DecodeUTF32BE(char *src, unsigned int src_len, char *dst, unsigned int dst_len, int *bytes_copied, decode_utf_state_t *dstate) { char *src_index = src; @@ -247,9 +258,11 @@ *dst_index++ = *src_index++; dstate->state = DSTATE_FIRST; break; + default: + return DECODE_UTF_FAILURE; } } - + *bytes_copied = (int) (dst_index - dst); return result; diff -Nru snort-2.9.0.1/src/sfutil/util_utf.h snort-2.9.2/src/sfutil/util_utf.h --- snort-2.9.0.1/src/sfutil/util_utf.h 2010-09-27 08:28:15.000000000 -0700 +++ snort-2.9.2/src/sfutil/util_utf.h 2011-10-26 07:49:57.000000000 -0700 
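Review bot: The `default: return DECODE_UTF_FAILURE;` arms added to the four decoders (the one in DecodeUTF32BE at @@ -247,9 +258,11 @@ is the clearest case) return before the `*bytes_copied = (int) (dst_index - dst);` line that follows the loop, so a caller that inspects bytes_copied after a failure reads whatever value it held before the call; the existing failure path in the same switch (`result = DECODE_UTF_FAILURE; dstate->state = DSTATE_FIRST; break;`) both reports the count and resets the state machine, and the new arm does neither, leaving dstate->state stuck on the unexpected value for the next call. Making the default arm match that path — `*bytes_copied = (int) (dst_index - dst); dstate->state = DSTATE_FIRST; return DECODE_UTF_FAILURE;` — keeps the contract in the function comment ("returns: DECODE_UTF_SUCCESS or DECODE_UTF_FAILURE") uniform across both failure routes. The enclosing while loop and the rest of each function body lie outside the hunk, so what happens after the existing `break` is inferred rather than seen.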
@@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2010 Sourcefire, Inc. + * Copyright (C) 2010-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as @@ -34,6 +34,7 @@ #define CHARSET_UTF16BE 3 #define CHARSET_UTF32LE 4 #define CHARSET_UTF32BE 5 +#define CHARSET_UNKNOWN 255 /* Since payloads don't have to end on 2/4-byte boundaries, callers to DecodeUTF are responsible for keeping a decode_utf_state_t. This carries diff -Nru snort-2.9.0.1/src/signature.c snort-2.9.2/src/signature.c --- snort-2.9.0.1/src/signature.c 2010-10-25 12:49:00.000000000 -0700 +++ snort-2.9.2/src/signature.c 2011-06-07 17:33:07.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author(s): Andrew R. Baker <andrewb@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,6 +20,10 @@ #include <string.h> #include <ctype.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "signature.h" #include "util.h" #include "rules.h" @@ -54,18 +58,18 @@ /* create the new node */ node = (ReferenceNode *)SnortAlloc(sizeof(ReferenceNode)); - + /* lookup the reference system */ node->system = ReferenceSystemLookup(sc->references, system); if (node->system == NULL) node->system = ReferenceSystemAdd(&sc->references, system, NULL); node->id = SnortStrdup(id); - + /* Add the node to the front of the list */ node->next = *head; *head = node; - + return node; } @@ -79,7 +83,7 @@ { if(ref_node->system->url) { - fprintf(fp, "[Xref => %s%s]", ref_node->system->url, + fprintf(fp, "[Xref => %s%s]", ref_node->system->url, ref_node->id); } else 
@@ -99,7 +103,7 @@ /********************** Reference System Implementation ***********************/ ReferenceSystemNode * ReferenceSystemAdd(ReferenceSystemNode **head, char *name, char *url) -{ +{ ReferenceSystemNode *node; if (name == NULL) @@ -262,14 +266,14 @@ sfghash_delete(so_rule_otn_map); } -void OtnRemove(SFGHASH *otn_map, SFGHASH *so_rule_otn_map, OptTreeNode *otn) +void OtnRemove(SFGHASH *otn_map, SFGHASH *so_rule_otn_map, OptTreeNode *otn) { OtnKey key; - - if (otn == NULL) + + if (otn == NULL) return; - key.gid = otn->sigInfo.generator; + key.gid = otn->sigInfo.generator; key.sid = otn->sigInfo.id; if (so_rule_otn_map != NULL) @@ -295,9 +299,9 @@ * rule option type (as of now) that this is required for since * patterns are not added to the hash table (via * add_detection_option()) until FinalizeContentUniqueness() is - * called -- after the duplicate OTN checks. + * called -- after the duplicate OTN checks. * - * All other rule option types are added to the hash table + * All other rule option types are added to the hash table * at parse time, thus the data associated with that rule * option is cleaned from the hash table when the table itself * is cleaned up. @@ -356,7 +360,7 @@ if (!otn->generated) free(otn->sigInfo.message); } -#ifdef TARGET_BASED +#ifdef TARGET_BASED for (svc_idx = 0; svc_idx < otn->sigInfo.num_services; svc_idx++) { if (otn->sigInfo.services[svc_idx].service) @@ -479,6 +483,6 @@ sfghash_delete(otn_map); } - + /***************** End of Class/Priority Implementation ***********************/ diff -Nru snort-2.9.0.1/src/signature.h snort-2.9.2/src/signature.h --- snort-2.9.0.1/src/signature.h 2010-10-25 12:49:00.000000000 -0700 +++ snort-2.9.2/src/signature.h 2011-06-07 17:33:07.000000000 -0700 
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Author(s): Andrew R. Baker <andrewb@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -21,9 +21,6 @@ #ifndef __SIGNATURE_H__ #define __SIGNATURE_H__ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif #ifdef OSF1 #include <sys/bitypes.h> #endif diff -Nru snort-2.9.0.1/src/smalloc.h snort-2.9.2/src/smalloc.h --- snort-2.9.0.1/src/smalloc.h 2010-01-26 10:09:30.000000000 -0800 +++ snort-2.9.2/src/smalloc.h 1969-12-31 16:00:00.000000000 -0800 
@@ -1,69 +0,0 @@ -/* $Id$ */ -/* -** Copyright (C) 2002-2010 Sourcefire, Inc. -** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -*/ - -/* - * Snort frontend to malloc - */ - -#ifndef __SMALLOC_H__ -#define __SMALLOC_H__ - - -#include <stdlib.h> - -#include "debug.h" - - - -/* MALLOC flags */ - -#define M_EXIT 1 /* exit if memory allocation fails (default) */ -#define M_DONTEXIT 2 /* don't exit if memory allocation fails */ -#define M_ZERO 4 /* zero out the allocated memory */ - - -#define MALLOC(ptr, cast, size, flags) \ -do { \ - (ptr) = (cast) malloc((size)); \ - if (!((flags) & M_DONTEXIT) && ((ptr) == NULL)) \ - { \ - DebugMessage(DEBUG_ALL, "malloc: out of memory (allocating %d bytes)\n", (size)); \ - exit(1); \ - } \ - if (((flags) & M_ZERO) && ((ptr) != NULL)) \ - memset((ptr), '\0', (size)); \ -} while (0) - - -#define FREE(ptr) \ -do { \ - if ((ptr) == NULL) \ - { \ - DebugMessage(DEBUG_ALL, "free: NULL pointer given as an argument\n"); \ - exit(1); \ - } \ - free((ptr)); \ - ptr = NULL; \ -} while(0) - - - -#endif /* __SMALLOC_H__ */ diff -Nru snort-2.9.0.1/src/snort_bounds.h snort-2.9.2/src/snort_bounds.h --- snort-2.9.0.1/src/snort_bounds.h 1969-12-31 16:00:00.000000000 
-0800 +++ snort-2.9.2/src/snort_bounds.h 2011-06-07 17:33:07.000000000 -0700 
@@ -0,0 +1,179 @@ +#ifndef _BOUNDS_H +#define _BOUNDS_H +/* +** Copyright (C) 2003-2011 Sourcefire, Inc. +** Chris Green <cmg@sourcefire.com> +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +** +*/ + +#ifdef OSF1 +#include <sys/bitypes.h> +#endif + +#include <string.h> +#include <stdio.h> +#include <stdlib.h> +#include <sys/types.h> +#ifdef DEBUG +#include <assert.h> +#endif +#include <unistd.h> + +#define SAFEMEM_ERROR 0 +#define SAFEMEM_SUCCESS 1 + +#ifdef DEBUG +#define ERRORRET assert(0==1) +#else +#define ERRORRET return SAFEMEM_ERROR; +#endif /* DEBUG */ + +#define MAXPORTS 65536 +#define MAXPORTS_STORAGE 8192 + + +/* + * Check to make sure that p is less than or equal to the ptr range + * pointers + * + * 1 means it's in bounds, 0 means it's not + */ +static inline int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p) +{ + if ((p >= start) && (p < end)) + return 1; + return 0; +} + +static inline int SafeMemCheck(void *dst, size_t n, + const void *start, const void *end) +{ + void *tmp; + + if (n < 1) + return SAFEMEM_ERROR; + + if ((dst == NULL) || (start == NULL) || (end == NULL)) + return SAFEMEM_ERROR; + + tmp = ((uint8_t *)dst) + (n - 1); + if (tmp < dst) + return SAFEMEM_ERROR; + + if (!inBounds(start, end, dst) 
|| !inBounds(start, end, tmp)) + return SAFEMEM_ERROR; + + return SAFEMEM_SUCCESS; +} + +/** + * A Safer Memcpy + * + * @param dst where to copy to + * @param src where to copy from + * @param n number of bytes to copy + * @param start start of the dest buffer + * @param end end of the dst buffer + * + * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success + */ +static inline int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end) +{ + if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) + ERRORRET; + if (src == NULL) + ERRORRET; + memcpy(dst, src, n); + return SAFEMEM_SUCCESS; +} + +/** + * A Safer Memmove + * dst and src can be in the same buffer + * + * @param dst where to copy to + * @param src where to copy from + * @param n number of bytes to copy + * @param start start of the dest buffer + * @param end end of the dst buffer + * + * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success + */ +static inline int SafeMemmove(void *dst, const void *src, size_t n, const void *start, const void *end) +{ + if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) + ERRORRET; + if (src == NULL) + ERRORRET; + memmove(dst, src, n); + return SAFEMEM_SUCCESS; +} + +/** + * A Safer Memset + * dst and src can be in the same buffer + * + * @param dst where to copy to + * @param c character to set memory with + * @param n number of bytes to set + * @param start start of the dst buffer + * @param end end of the dst buffer + * + * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success + */ +static inline int SafeMemset(void *dst, uint8_t c, size_t n, const void *start, const void *end) +{ + if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) + ERRORRET; + memset(dst, c, n); + return SAFEMEM_SUCCESS; +} + +/** + * A Safer *a = *b + * + * @param start start of the dst buffer + * @param end end of the dst buffer + * @param dst the location to write to + * @param src the source to read from + * + * @return 0 on failure, 
1 on success + */ +static inline int SafeWrite(uint8_t *start, uint8_t *end, uint8_t *dst, uint8_t *src) +{ + if(!inBounds(start, end, dst)) + { + ERRORRET; + } + + *dst = *src; + return 1; +} + +static inline int SafeRead(uint8_t *start, uint8_t *end, uint8_t *src, uint8_t *read) +{ + if(!inBounds(start,end, src)) + { + ERRORRET; + } + + *read = *start; + return 1; +} + +#endif /* _BOUNDS_H */ diff -Nru snort-2.9.0.1/src/snort.c snort-2.9.2/src/snort.c --- snort-2.9.0.1/src/snort.c 2010-08-25 13:22:39.000000000 -0700 +++ snort-2.9.2/src/snort.c 2011-12-07 09:58:23.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -91,7 +91,7 @@ #include "rules.h" #include "treenodes.h" #include "plugbase.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "parser.h" #include "tag.h" @@ -121,6 +121,9 @@ #include "dynamic-plugins/sp_dynamic.h" #include "dynamic-plugins/sf_dynamic_define.h" #include "sfutil/strvec.h" +#include "detection_util.h" +#include "sfcontrol_funcs.h" +#include "idle_processing_funcs.h" #ifdef HAVE_LIBPRELUDE # include "output-plugins/spo_alert_prelude.h" @@ -137,6 +140,7 @@ #ifdef TARGET_BASED # include "target-based/sftarget_reader.h" #endif +#include "sftarget_reader_live.h" #ifdef EXIT_CHECK # include "cpuclock.h" @@ -147,6 +151,7 @@ #include "sfutil/intel-soft-cpm.h" #endif +#include "stream5_common.h" /* Macros *********************************************************************/ #ifndef DLT_LANE8023 /* 
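Review bot: SafeRead bounds-checks `src` but then copies from the wrong pointer — `*read = *start;` hands back the first byte of the buffer no matter which byte was requested, so every caller silently receives start[0]; it should be `*read = *src;`. The `ERRORRET` macro is defined as `return SAFEMEM_ERROR;` with the semicolon baked in, so each `ERRORRET;` in SafeMemcpy/SafeMemmove/SafeMemset expands to a return followed by an empty statement; harmless today, but it breaks an unbraced `if (...) ERRORRET; else ...`, so the trailing semicolon should come out of the macro (the DEBUG variant already has none). Two smaller points: the header uses uint8_t without including <stdint.h>, relying on <sys/types.h> or the OSF1 branch to provide it, and the `tmp < dst` wrap-around test in SafeMemCheck compares pointers that no longer refer to one object, which a compiler may fold away; after the `inBounds(start, end, dst)` check, testing `n <= (size_t)((const uint8_t *)end - (const uint8_t *)dst)` covers the same condition without ever forming an out-of-range pointer.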
@@ -179,13 +184,9 @@ # define MPLS_PAYLOAD_OPT__ETHERNET "ethernet" #endif -/* Data types *****************************************************************/ +#define DEFAULT_PAF_MAX 16384 -enum -{ - SIGLOC_PARSE_RULES_FILE = 1, - SIGLOC_PCAP_LOOP -}; +/* Data types *****************************************************************/ typedef enum _GetOptArgType { @@ -198,7 +199,7 @@ /* Externs *******************************************************************/ /* Undefine the one from sf_dynamic_preprocessor.h */ #ifdef PERF_PROFILING -extern PreprocStats detectPerfStats, decodePerfStats, +extern PreprocStats detectPerfStats, decodePerfStats, metaPerfStats, totalPerfStats, eventqPerfStats, rulePerfStats, mpsePerfStats; extern PreprocStats ruleCheckBitPerfStats, ruleSetBitPerfStats, ruleFailedFlowbitsPerfStats; extern PreprocStats ruleRTNEvalPerfStats, ruleOTNEvalPerfStats, ruleHeaderNoMatchPerfStats; @@ -206,7 +207,6 @@ extern PreprocStats preprocRuleOptionPerfStats; #endif - /* for getopt */ extern char *optarg; extern int optind; @@ -245,6 +245,10 @@ volatile int snort_initializing = 1; static volatile int snort_exiting = 0; +static pid_t snort_main_thread_pid = 0; +#ifndef WIN32 +static pthread_t snort_main_thread_id = 0; +#endif #if defined(SNORT_RELOAD) && !defined(WIN32) static volatile int snort_reload = 0; @@ -255,6 +259,9 @@ #endif const struct timespec thread_sleep = { 0, 100 }; +#ifdef OPENBSD +const struct timespec packet_sleep = { 0, 1 }; +#endif #ifdef HAVE_PCAP_LEX_DESTROY extern void pcap_lex_destroy(void); @@ -280,6 +287,8 @@ OutputFuncNode *AlertList = NULL; /* Alert function list */ OutputFuncNode *LogList = NULL; /* Log function list */ +PeriodicCheckFuncNode *periodic_check_funcs = NULL; + #ifdef DYNAMIC_PLUGIN DynamicRuleNode *dynamic_rules = NULL; #endif 
@@ -300,24 +309,26 @@ static DAQ_Verdict IgnoreCallback (void*, const DAQ_PktHdr_t*, const uint8_t*); #endif +static char signal_error_msg[STD_BUF]; static int exit_signal = 0; -static int usr_signal = 0; -static int rotate_stats_signal = 0; +static bool dump_stats_signal = false; +static bool rotate_stats_signal = false; #ifdef TARGET_BASED -static int no_attr_table_signal = 0; +static bool no_attr_table_signal = false; #endif #ifndef SNORT_RELOAD -static volatile int hup_signal = 0; +static volatile bool reload_signal = false; #else -/* hup_signal is incremented in the signal handler for SIGHUP which is handled - * in the main thread. The reload thread compares the hup_signal count to - * reload_hups which it increments after an equality test between hup_signal - * and reload_hups fails (which means we got a new SIGHUP). They need to be - * the same type and size to do this comparision. See ReloadConfigThread() */ -typedef uint32_t snort_hup_t; -static volatile snort_hup_t hup_signal = 0; -static snort_hup_t reload_hups = 0; +/* reload_signal is incremented in the signal handler for SIGNAL_SNORT_RELOAD + * which is handled in the main thread. The reload thread compares the + * reload_signal count to reload_total which it increments after an equality + * test between reload_signal and reload_total fails (which means we got a new + * SIGNAL_SNORT_RELOAD). They need to be the same type and size to do this + * comparison. See ReloadConfigThread() */ +typedef uint32_t snort_reload_t; +static volatile snort_reload_t reload_signal = 0; +static snort_reload_t reload_total = 0; #endif static int done_processing = 0; @@ -331,7 +342,7 @@ static char **snort_argv = NULL; /* command line options for getopt */ -static char *valid_options = +static char *valid_options = "?A:bB:c:CdDeEfF:" #ifndef WIN32 "g:" @@ -340,7 +351,7 @@ #ifndef WIN32 "m:" #endif - "Mn:NoOpP:q" + "Mn:NOpP:q" #ifndef WIN32 "Q" #endif 
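Review bot: The flags this hunk introduces for the signal handlers — `dump_stats_signal`, `rotate_stats_signal`, `no_attr_table_signal` and the non-SNORT_RELOAD `reload_signal` — are plain `static bool` (only the last is `volatile`), which is not the type C defines as safe to store from a handler: C11 7.14.1.1 limits handler stores to `volatile sig_atomic_t` or lock-free atomics, and a non-volatile flag may legitimately be cached by the compiler across the per-packet SignalCheck() reads that poll it further down in this diff. Declare them as `static volatile sig_atomic_t dump_stats_signal = 0;` (and likewise for the other three); the `= true`/`= false` stores and the `if (dump_stats_signal)` tests in SignalCheck() compile unchanged. The SNORT_RELOAD counter `reload_signal` is already `volatile uint32_t` and is compared from the reload thread, which the comment describes; that comment could also note that only the main thread ever writes it.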
@@ -435,6 +446,8 @@ {"enable-inline-test", LONGOPT_ARG_NONE, NULL, ENABLE_INLINE_TEST}, + {"cs-dir", LONGOPT_ARG_REQUIRED, NULL, ARG_CS_DIR}, + {0, 0, 0, 0} }; @@ -453,7 +466,7 @@ static void CleanExit(int); static void SnortInit(int, char **); -static void InitPidChrootAndPrivs(void); +static void InitPidChrootAndPrivs(pid_t); static void ParseCmdLine(int, char **); static int ShowUsage(char *); static void PrintVersion(void); @@ -499,10 +512,13 @@ #endif /* Signal handler declarations ************************************************/ -static void SigUsrHandler(int); +static void SigDumpStatsHandler(int); static void SigExitHandler(int); -static void SigHupHandler(int); +static void SigReloadHandler(int); static void SigRotateStatsHandler(int); +#ifdef CONTROL_SOCKET +static void SigPipeHandler(int); +#endif #ifdef TARGET_BASED static void SigNoAttributeTableHandler(int); @@ -518,8 +534,19 @@ # endif /* DYNAMIC_PLUGIN */ #endif /* SNORT_RELOAD */ -/* INLINE FUNCTION ************************************************************/ -static INLINE void CheckForReload(void) +int InMainThread () +{ + return ( +#ifndef WIN32 + pthread_equal(snort_main_thread_id, pthread_self()) +#else + 1 +#endif + ); +} + +/* inline FUNCTION ************************************************************/ +static inline void CheckForReload(void) { #if defined(SNORT_RELOAD) && !defined(WIN32) @@ -632,7 +659,7 @@ * Returns: 0 => normal exit, 1 => exit on error * */ -int main(int argc, char *argv[]) +int main(int argc, char *argv[]) { #if defined(WIN32) && defined(ENABLE_WIN32_SERVICE) /* Do some sanity checking, because some people seem to forget to @@ -677,6 +704,12 @@ const char* intf; int daqInit; +#ifndef WIN32 + // must be done now in case of fatal error + // and again after daemonization + snort_main_thread_id = pthread_self(); +#endif + SnortInit(argc, argv); intf = GetPacketSource(); 
@@ -691,7 +724,21 @@ { GoDaemon(); } + + // this must follow daemonization + snort_main_thread_pid = getpid(); +#ifndef WIN32 + snort_main_thread_id = pthread_self(); +#endif + +#ifndef WIN32 + /* Change groups */ + InitGroups(ScUid(), ScGid()); +#endif + #if !defined(HAVE_LINUXTHREADS) && !defined(WIN32) + // this could be moved to linux threads location + // and only done there SnortStartThreads(); #endif @@ -715,7 +762,7 @@ } PacketLoop(); - + // DAQ is shutdown in CleanExit() since we don't always return here CleanExit(0); @@ -787,7 +834,7 @@ for (dev = alldevs; dev != NULL; dev = dev->next, j++) { - u_int8_t *mac_addr = NULL; + uint8_t *mac_addr = NULL; for (i = 0; i<iftable->dwNumEntries; i++) { if (strncmp(dev->description, iftable->table[i].bDescr, iftable->table[i].dwDescrLen) == 0) @@ -827,13 +874,13 @@ { printf("disabled\t"); } - printf("%s\t%s\n", dev->name, dev->description); + printf("%s\t%s\n", dev->name, dev->description); } else { printf("disabled\t%s\t%s\n", dev->name, dev->description); } - + } pcap_freealldevs(alldevs); free(iftable); @@ -952,6 +999,18 @@ return 0; } +static void PQ_Show (const char* pcap) +{ + if ( !ScPcapShow() ) + return; + + if ( !strcmp(pcap, "-") ) pcap = "stdin"; + + fprintf(stdout, + "Reading network traffic from \"%s\" with snaplen = %d\n", + pcap, DAQ_GetSnapLen()); +} + static const char* PQ_First (void) { const char* pcap = (char*)sfqueue_remove(pcap_queue); @@ -962,14 +1021,6 @@ if ( sfqueue_add(pcap_save_queue, (NODE_DATA)pcap) == -1 ) FatalError("Could not add pcap to saved list\n"); - if (ScPcapShow()) - { - if ( !strcmp(pcap, "-") ) pcap = "stdin"; - - fprintf(stdout, - "Reading network traffic from \"%s\" with snaplen = %d\n", - pcap, DAQ_GetSnapLen()); - } return pcap; } @@ -986,7 +1037,7 @@ SnortReset(); dlt = new_dlt; - + /* open a new tcpdump file - necessary because the snaplen and * datalink could be different between pcaps */ if (snort_conf->log_tcpdump) 
@@ -1043,6 +1094,7 @@ DAQ_Start(); PQ_Reset(); + PQ_Show(pcap); SetPktProcessor(); return 1; @@ -1094,8 +1146,9 @@ if ( ScReadMode() ) { intf = PQ_First(); + PQ_Show(intf); } - else if ( + else if ( !ScVersionMode() #ifdef DYNAMIC_PLUGIN && !ScRuleDumpMode() @@ -1118,13 +1171,13 @@ return intf; } -static void InitPidChrootAndPrivs(void) +static void InitPidChrootAndPrivs(pid_t pid) { /* create the PID file */ - if ( !ScReadMode() && + if ( !ScReadMode() && (ScDaemonMode() || *snort_conf->pidfile_suffix || ScCreatePidFile())) { - CreatePidFile(DAQ_GetInterfaceSpec()); + CreatePidFile(DAQ_GetInterfaceSpec(), pid); } #ifndef WIN32 @@ -1202,7 +1255,7 @@ } } } - + ValidateDynamicEngines(); snort_conf_for_parsing = NULL; } @@ -1225,7 +1278,7 @@ meta->uniqueName, meta->major, meta->minor, meta->build); lib = GetNextEnginePluginVersion(lib); } - + lib = GetNextDetectionPluginVersion(NULL); while ( lib != NULL ) { @@ -1234,8 +1287,8 @@ LogMessage(" Rules Object: %s Version %d.%d <Build %d>\n", meta->uniqueName, meta->major, meta->minor, meta->build); lib = GetNextDetectionPluginVersion(lib); - } - + } + lib = GetNextPreprocessorPluginVersion(NULL); while ( lib != NULL ) { @@ -1244,7 +1297,7 @@ LogMessage(" Preprocessor Object: %s Version %d.%d <Build %d>\n", meta->uniqueName, meta->major, meta->minor, meta->build); lib = GetNextPreprocessorPluginVersion(lib); - } + } } #endif @@ -1261,7 +1314,7 @@ snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET; DisplayBanner(); - + #ifdef DYNAMIC_PLUGIN // Get and print out library versions DisplayDynamicPluginVersions(); @@ -1270,7 +1323,7 @@ snort_conf->logging_flags |= save_quiet_flag; } -static void PrintSpiModules (SnortConfig* sc, char* dir) +static void PrintDaqModules (SnortConfig* sc, char* dir) { if ( dir ) ConfigDaqDir(sc, dir); 
@@ -1289,7 +1342,7 @@ { return; } - LogMessage("Exit Check: signaling at %ldth callback\n", pc.total_from_daq); + LogMessage("Exit Check: signaling at " STDu64 "callback\n", pc.total_from_daq); get_clockticks(exitTime); #ifndef WIN32 kill(0, SIGINT); // send to all processes in my process group @@ -1319,6 +1372,57 @@ } #endif +#ifdef HAVE_DAQ_ACQUIRE_WITH_META +static int MetaCallback( + void* user, const DAQ_MetaHdr_t *metahdr, const uint8_t* data) +{ + tSfPolicyId policy_id = getRuntimePolicy(); + SnortPolicy *policy = snort_conf->targeted_policies[policy_id]; + PreprocMetaEvalFuncNode *idx; + PROFILE_VARS; + + /* First thing we do is process a Usr signal that we caught */ + if (SignalCheck()) + { +#ifndef SNORT_RELOAD + /* Got SIGNAL_SNORT_RELOAD */ + Restart(); +#endif + } + + CheckForReload(); + + PREPROC_PROFILE_START(metaPerfStats); + + idx = policy->preproc_meta_eval_funcs; + while (idx != NULL) + { + idx->func(metahdr->type, data); + idx = idx->next; + } + + PREPROC_PROFILE_END(metaPerfStats); + +#if defined(WIN32) && defined(ENABLE_WIN32_SERVICE) + if (ScTerminateService() || ScPauseService()) + { + return 0; // time to go + } +#endif + + ControlSocketDoWork(0); + + return 0; +} +#endif + +void SetupMetadataCallback(void) +{ +#ifdef HAVE_DAQ_ACQUIRE_WITH_META + DAQ_Set_MetaCallback(&MetaCallback); +#endif +} + static DAQ_Verdict PacketCallback( void* user, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt) { @@ -1336,7 +1440,7 @@ if (SignalCheck()) { #ifndef SNORT_RELOAD - /* Got SIGHUP */ + /* Got SIGNAL_SNORT_RELOAD */ PREPROC_PROFILE_END(totalPerfStats); Restart(); #endif @@ -1354,7 +1458,7 @@ CheckForReload(); - /* Save off the time of each and every packet */ + /* Save off the time of each and every packet */ packet_time_update(pkthdr->ts.tv_sec); /* reset the thresholding subsystem checks for this packet */ 
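Review bot: MetaCallback() looks up `snort_conf->targeted_policies[policy_id]` and immediately dereferences `policy->preproc_meta_eval_funcs` with no NULL check, while the policy-free loop later in this diff treats a NULL slot as a normal state (`if (p == NULL) continue;`). If a DAQ metadata event is delivered while the runtime policy id maps to an unallocated slot, this is a NULL dereference on the acquisition path; add `if (policy == NULL) return 0;` directly after the lookup, before the signal and reload checks. `metahdr->type` and `data` are handed to every registered preprocessor unvalidated, which is acceptable only if the DAQ layer guarantees them — a one-line comment stating that assumption would help. The new `metaPerfStats` counter is registered in the SnortInit() hunk below, so the PROFILE pair here is consistent.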
@@ -1381,6 +1485,10 @@ verdict = ProcessPacket(user, pkthdr, pkt, NULL); + checkLWSessionTimeout(4, pkthdr->ts.tv_sec); + + ControlSocketDoWork(0); + PREPROC_PROFILE_END(totalPerfStats); return verdict; } @@ -1407,11 +1515,12 @@ #endif // NO_NON_ETHER_DECODER } -int ProcessPacket( +DAQ_Verdict ProcessPacket( void* user, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt, void* ft) { Packet p; DAQ_Verdict verdict = DAQ_VERDICT_PASS; + int inject = 0; setRuntimePolicy(getDefaultPolicy()); @@ -1430,10 +1539,10 @@ DisableAllDetect(&p); } - // TBD why is this stuff done here when it could be done by frag3?? if (ft) { - p.packet_flags |= PKT_REBUILT_FRAG; // this is already done by frag3 + p.packet_flags |= (PKT_PSEUDO | PKT_REBUILT_FRAG); + p.pseudo_type = PSEUDO_PKT_IP; p.fragtracker = ft; } 
@@ -1472,58 +1581,68 @@ { Active_DropAction(&p); - if ( ScInlineMode() ) + if ( ScInlineMode() || Active_PacketForceDropped() ) verdict = DAQ_VERDICT_BLACKLIST; else verdict = DAQ_VERDICT_IGNORE; } + if ( ft ) + { + // we don't block, modify, pass, or count defrags + // if the defrag trigged a block, this verdict will + // be applied to the raw packet. + return verdict; + } + #ifdef ACTIVE_RESPONSE if ( Active_ResponseQueued() ) { Active_SendResponses(&p); } #endif - - // we don't drop, modify, pass, or count defrags - if ( ft ) - { - Active_Reset(); - return verdict; - } if ( Active_PacketWasDropped() ) { if ( verdict == DAQ_VERDICT_PASS ) verdict = DAQ_VERDICT_BLOCK; } else - { + { Replace_ModifyPacket(&p); if ( p.packet_flags & PKT_MODIFIED ) { // this packet was normalized and/or has replacements Encode_Update(&p); - + verdict = DAQ_VERDICT_REPLACE; + } #ifdef NORMALIZER - if ( p.packet_flags & PKT_RESIZED ) + else if ( p.packet_flags & PKT_RESIZED ) + { + // we never increase, only trim, but + // daq doesn't support resizing wire packet + if ( !DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen) ) { - // we never increase, only trim, but - // daq doesn't support resizing wire packet - DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen); verdict = DAQ_VERDICT_BLOCK; + inject = 1; } - else -#endif - verdict = DAQ_VERDICT_REPLACE; } +#endif else { - verdict = DAQ_VERDICT_PASS; + if ((p.packet_flags & PKT_IGNORE_PORT) || + (stream_api && (stream_api->get_ignore_direction(p.ssnptr) == SSN_DIR_BOTH))) + { + verdict = DAQ_VERDICT_WHITELIST; + } + else + { + verdict = DAQ_VERDICT_PASS; + } } } /* Collect some "on the wire" stats about packet size, etc */ - UpdateWireStats(&sfBase, pkthdr->caplen, Active_PacketWasDropped()); + UpdateWireStats(&sfBase, pkthdr->caplen, Active_PacketWasDropped(), inject); Active_Reset(); return verdict; } 
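Review bot: In the new `PKT_RESIZED` branch a failed DAQ_Inject() (non-zero return, as the `!` test implies) leaves `verdict` at its initial DAQ_VERDICT_PASS, so a packet the normalizer trimmed is forwarded on the wire untrimmed — the trim fails open and nothing is logged. The drop path a few lines above already uses ScInlineMode() to pick the stronger verdict, so the same policy fits here: `if ( !DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen) ) { verdict = DAQ_VERDICT_BLOCK; inject = 1; } else if ( ScInlineMode() ) verdict = DAQ_VERDICT_BLOCK;` plus an ErrorMessage() so the failure is visible. The relocated `if ( ft ) return verdict;` also now returns before Active_Reset(), whereas the old code reset before returning; the comment says the verdict is applied to the raw packet, so this looks intentional, but the comment should say explicitly that the active state is deliberately carried over to the raw packet. ProcessPacket() begins before this hunk.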
@@ -1558,7 +1677,7 @@ # define FPUTS_UNIX(msg) NULL # define FPUTS_BOTH(msg) fputs(msg,stdout) #else -# define FPUTS_WIN32(msg) +# define FPUTS_WIN32(msg) # define FPUTS_UNIX(msg) fputs(msg,stdout) # define FPUTS_BOTH(msg) fputs(msg,stdout) #endif @@ -1828,7 +1947,7 @@ /* If daemon or logging to syslog use "snort" as identifier and * start logging there now */ - openlog("snort", LOG_PID | LOG_CONS, LOG_DAEMON); + openlog("snort", LOG_PID | LOG_CONS, LOG_DAEMON); sc->logging_flags |= LOGGING_FLAG__SYSLOG; syslog_configured = 1; @@ -1844,7 +1963,7 @@ /* If daemon or logging to syslog use "snort" as identifier and * start logging there now */ - openlog("snort", LOG_PID | LOG_CONS, LOG_DAEMON); + openlog("snort", LOG_PID | LOG_CONS, LOG_DAEMON); ConfigDaemon(sc, optarg); daemon_configured = 1; @@ -1858,6 +1977,12 @@ ConfigQuiet(sc, NULL); break; + case '?': /* show help and exit with 1 */ + PrintVersion(); + ShowUsage(argv[0]); + exit(1); + break; + default: break; } @@ -1939,7 +2064,7 @@ if ((errno == ERANGE) || (*endPtr != '\0')) FatalError("--exit-check value must be non-negative integer\n"); - LogMessage("Exit Check: limit = %ld callbacks\n", sc->exit_check); + LogMessage("Exit Check: limit = "STDu64" callbacks\n", sc->exit_check); } break; @@ -1978,7 +2103,7 @@ break; case ARG_DAQ_LIST: - PrintSpiModules(sc, optarg); + PrintDaqModules(sc, optarg); exit(0); break; @@ -2120,7 +2245,7 @@ break; - case 'h': + case 'h': /* set home network to x, this will help determine what to set * logging diectories to */ ConfigReferenceNet(sc, optarg); @@ -2179,7 +2304,7 @@ { FatalError("log_tcpdump file name \"%s\" has to be less " "than or equal to 256 characters.\n", optarg); - } + } output_logging = 1; break; @@ -2188,7 +2313,7 @@ /* This is parsed at the beginning so as to start logging * to syslog right away */ break; - + #ifndef WIN32 case 'm': /* set the umask for the output files */ ConfigUmask(sc, optarg); 
@@ -2315,7 +2440,7 @@ case 'T': /* test mode, verify that the rules load properly */ sc->run_mode_flags |= RUN_MODE_FLAG__TEST; - break; + break; #ifndef WIN32 case 'u': /* setuid */ @@ -2352,11 +2477,11 @@ case 'X': /* display verbose packet bytecode dumps */ ConfigDumpPayloadVerbose(sc, NULL); break; - + case 'x': sc->run_flags |= RUN_FLAG__CONF_ERROR_OUT; break; - + case 'y': /* Add year to timestamp in alert and log files */ ConfigShowYear(sc, NULL); break; @@ -2430,6 +2555,11 @@ sc->run_flags |= RUN_FLAG__REQUIRE_RULE_SID; break; + case ARG_CS_DIR: + if ( optarg != NULL ) + sc->cs_dir = SnortStrdup(optarg); + break; + case '?': /* show help and exit with 1 */ PrintVersion(); ShowUsage(argv[0]); @@ -2453,7 +2583,7 @@ "mode and then restart in daemon mode.\n"); } - if ((sc->run_flags & RUN_FLAG__INLINE) && + if ((sc->run_flags & RUN_FLAG__INLINE) && (sc->run_flags & RUN_FLAG__INLINE_TEST)) { FatalError("Cannot use inline adapter mode and inline test " 
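Review bot: The new `ARG_CS_DIR` case strdup's `optarg` into `sc->cs_dir` without releasing a previous value, so a repeated `--cs-dir` leaks the earlier string; add `if (sc->cs_dir != NULL) free(sc->cs_dir);` before the SnortStrdup(), matching how the config merge later in this diff replaces the same field. Nothing rejects an empty argument either, which the relative-path merge would turn into `<pid_path>/`; a `FatalError("--cs-dir requires a directory name\n")` on `*optarg == '\0'` would follow the pattern of the log_tcpdump length check above. ParseCmdLine() starts and ends outside this hunk.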
@@ -2589,7 +2719,62 @@ grinder = DecodeEthPkt; break; +#ifdef DLT_LOOP + case DLT_LOOP: +#endif + case DLT_NULL: + /* loopback and stuff.. you wouldn't perform intrusion detection + * on it, but it's ok for testing. */ + slink = "LoopBack"; + extra = "Data link layer header parsing for this network type " + "isn't implemented yet"; + grinder = DecodeNullPkt; + break; + + case DLT_RAW: + case DLT_IPV4: + slink = "Raw IP4"; + extra = "There's no second layer header available for this datalink"; + grinder = DecodeRawPkt; + break; + + case DLT_IPV6: + slink = "Raw IP6"; + extra = "There's no second layer header available for this datalink"; + grinder = DecodeRawPkt6; + break; + +#ifdef DLT_I4L_IP + case DLT_I4L_IP: + slink = "I4L-ip"; + grinder = DecodeEthPkt; + break; +#endif + #ifndef NO_NON_ETHER_DECODER +#ifdef DLT_I4L_CISCOHDLC + case DLT_I4L_CISCOHDLC: + slink = "I4L-cisco-h"; + grinder = DecodeI4LCiscoIPPkt; + break; +#endif + + case DLT_PPP: + slink = "PPP"; + extra = "Second layer header parsing for this datalink " + "isn't implemented yet"; + grinder = DecodePppPkt; + break; + +#ifdef DLT_I4L_RAWIP + case DLT_I4L_RAWIP: + // you need the I4L modified version of libpcap to get this stuff + // working + slink = "I4L-rawip"; + grinder = DecodeI4LRawIPPkt; + break; +#endif + #ifdef DLT_IEEE802_11 case DLT_IEEE802_11: slink = "IEEE 802.11"; @@ -2628,16 +2813,7 @@ "isn't implemented yet\n"; grinder = DecodeSlipPkt; break; -#endif // NO_NON_ETHER_DECODER - - case DLT_PPP: - slink = "PPP"; - extra = "Second layer header parsing for this datalink " - "isn't implemented yet"; - grinder = DecodePppPkt; - break; -#ifndef NO_NON_ETHER_DECODER #ifdef DLT_PPP_SERIAL case DLT_PPP_SERIAL: /* PPP with full HDLC header*/ slink = "PPP Serial"; 
@@ -2667,48 +2843,7 @@ grinder = DecodeOldPflog; break; #endif - -#ifdef DLT_LOOP - case DLT_LOOP: -#endif -#endif // NON_ETHER_DECODER - case DLT_NULL: - /* loopback and stuff.. you wouldn't perform intrusion detection - * on it, but it's ok for testing. */ - slink = "LoopBack"; - extra = "Data link layer header parsing for this network type " - "isn't implemented yet"; - grinder = DecodeNullPkt; - break; - - case DLT_RAW: - slink = "Raw IP"; - extra = "There's no second layer header available for this datalink"; - grinder = DecodeRawPkt; - break; - -#ifdef DLT_I4L_RAWIP - case DLT_I4L_RAWIP: - // you need the I4L modified version of libpcap to get this stuff - // working - slink = "I4L-rawip"; - grinder = DecodeI4LRawIPPkt; - break; -#endif - -#ifdef DLT_I4L_IP - case DLT_I4L_IP: - slink = "I4L-ip"; - grinder = DecodeEthPkt; - break; -#endif - -#ifdef DLT_I4L_CISCOHDLC - case DLT_I4L_CISCOHDLC: - slink = "I4L-cisco-h"; - grinder = DecodeI4LCiscoIPPkt; - break; -#endif +#endif // NO_NON_ETHER_DECODER default: /* oops, don't know how to handle this one */ @@ -2722,7 +2857,7 @@ } if (extra && ScOutputDataLink()) { - LogMessage("%s\n", extra); + LogMessage("%s\n", extra); snort_conf->output_flags &= ~OUTPUT_FLAG__SHOW_DATA_LINK; } #ifdef ACTIVE_RESPONSE @@ -2732,16 +2867,24 @@ } /* - * Handle idle time checks in snort packet processing loop + * Handle idle time checks in snort packet processing loop */ static void SnortIdle(void) { - /* Rollover of performance log */ + /* Rollover of performance log */ if (IsSetRotatePerfFileFlag()) { sfRotatePerformanceStatisticsFile(); ClearRotatePerfFileFlag(); } +#ifdef OPENBSD + else if (reload_signal != reload_total) + nanosleep(&packet_sleep, NULL); +#endif + + checkLWSessionTimeout(16384, time(NULL)); + ControlSocketDoWork(1); + IdleProcessingExecute(); } void PacketLoop (void) 
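Review bot: The new `#ifdef OPENBSD` branch in SnortIdle() compares `reload_signal != reload_total`, but `reload_total` is declared only in the `#else` (SNORT_RELOAD) arm of the `#ifndef SNORT_RELOAD` block earlier in this diff, and in the non-reload build `reload_signal` is a `bool`; an OpenBSD build without SNORT_RELOAD therefore fails to compile, and the back-off only makes sense when a reload thread exists anyway. Guard it as `#if defined(OPENBSD) && defined(SNORT_RELOAD)`. The idle path also now calls `checkLWSessionTimeout(16384, time(NULL))` versus `checkLWSessionTimeout(4, pkthdr->ts.tv_sec)` per packet in PacketCallback(); a one-line comment on why idle may flush far more sessions, and why wall-clock time is used here but packet time there, would spare the next reader a search.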
@@ -2757,10 +2900,13 @@ if ( error ) { - if ( error != DAQ_READFILE_EOF || !PQ_Next() ) + if ( !ScReadMode() || !PQ_Next() ) + { + /* If not read-mode or no next pcap, we're done */ break; + } } - /* Check for any pending signals when no packets are read*/ + /* Check for any pending signals when no packets are read*/ else { // TBD SnortIdle() only checks for perf file rotation @@ -2773,7 +2919,7 @@ if ( SignalCheck() ) { #ifndef SNORT_RELOAD - // Got SIGHUP + // Got SIGNAL_SNORT_RELOAD Restart(); #endif } @@ -2793,12 +2939,17 @@ SnortIdle(); } - if ( !exit_logged && (error < 0) ) + if ( !exit_logged && error ) { if ( error == DAQ_READFILE_EOF ) error = 0; + else if ( error > 0 ) + { + DAQ_Abort(); + exit(1); + } CleanExit(error); - } + } done_processing = 1; } @@ -2835,7 +2986,7 @@ #endif DropStats(0); - + /* zero out packet count */ memset(&pc, 0, sizeof(pc)); @@ -2922,35 +3073,35 @@ exit_signal = signal; } -static void SigUsrHandler(int signal) +static void SigDumpStatsHandler(int signal) { - if (usr_signal != 0) - return; - usr_signal = signal; + dump_stats_signal = true; } static void SigRotateStatsHandler(int signal) { - if (rotate_stats_signal != 0) - return; - rotate_stats_signal = signal; + rotate_stats_signal = true; } -static void SigHupHandler(int signal) +static void SigReloadHandler(int signal) { #if defined(SNORT_RELOAD) && !defined(WIN32) - hup_signal++; + reload_signal++; #else - hup_signal = signal; + reload_signal = true; #endif } +#ifdef CONTROL_SOCKET +static void SigPipeHandler(int signal) +{ +} +#endif + #ifdef TARGET_BASED static void SigNoAttributeTableHandler(int signal) { - if (no_attr_table_signal != 0) - return; - no_attr_table_signal = signal; + no_attr_table_signal = true; } #endif @@ -2969,6 +3120,14 @@ { SnortConfig tmp; +#ifdef TARGET_BASED +#ifdef DEBUG +#if 0 + SFLAT_dump(); +#endif +#endif +#endif + /* Have to trick LogMessage to log correctly after snort_conf * is freed */ memset(&tmp, 0, sizeof(tmp)); 
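Review bot: The new `else if ( error > 0 ) { DAQ_Abort(); exit(1); }` after the acquisition loop leaves the process without running CleanExit(), so the pid file and — per the CleanExit() hunk further down — the control socket (ControlSocketCleanUp()) are left behind unless DAQ_Abort() removes them; either confirm that in a comment or call `CleanExit(error)` here as the other branch does. The loop also now advances to the next pcap on any non-zero acquire error in read mode (`if ( !ScReadMode() || !PQ_Next() ) break;`), where before only DAQ_READFILE_EOF did, so a read error on a corrupt capture is silently swallowed whenever another file is queued; an `ErrorMessage("DAQ acquire error %d, continuing with next pcap\n", error)` before PQ_Next() would keep that visible. PacketLoop() begins before this hunk.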
@@ -2980,7 +3139,7 @@ tmp.run_flags |= (snort_conf->run_flags & RUN_FLAG__DAEMON); - tmp.logging_flags |= + tmp.logging_flags |= (snort_conf->logging_flags & LOGGING_FLAG__SYSLOG); } @@ -3017,6 +3176,9 @@ snort_exiting = 1; snort_initializing = 0; /* just in case we cut out early */ + ControlSocketCleanUp(); + IdleProcessingCleanUp(); + if ( DAQ_WasStarted() ) { #ifdef EXIT_CHECK @@ -3051,7 +3213,7 @@ * send VTALRM signal to pull it out of the idle sleep. * Thread exits normally on next iteration through its * loop. - * + * * If its doing other processing, that continues post * interrupt and thread exits normally. */ @@ -3155,6 +3317,9 @@ #ifdef TARGET_BASED SFAT_Cleanup(); +#ifdef SUP_IP6 + SFLAT_fini(); +#endif #endif PQ_CleanUp(); @@ -3207,6 +3372,8 @@ } #endif + EventTrace_Term(); + detection_filter_cleanup(); sfthreshold_free(); RateFilter_Cleanup(); @@ -3257,6 +3424,9 @@ FreePluginSigFuncs(plugin_restart_funcs); plugin_restart_funcs = NULL; + FreePeriodicFuncs(periodic_check_funcs); + periodic_check_funcs = NULL; + ParserCleanup(); /* Stuff from plugbase */ @@ -3319,7 +3489,7 @@ if ((!ScReadMode() && (getuid() != 0)) || (snort_conf->chroot_dir != NULL)) { - LogMessage("Reload via Signal HUP does not work if you aren't root " + LogMessage("Reload via Signal Reload does not work if you aren't root " "or are chroot'ed.\n"); # ifdef SNORT_RELOAD /* We are restarting because of a configuration verification problem */ @@ -3401,7 +3571,7 @@ } /* - * Check for signal activity + * Check for signal activity */ int SignalCheck(void) { @@ -3412,7 +3582,7 @@ { ErrorMessage("*** Caught Term-Signal\n"); exit_logged = 1; - if ( DAQ_BreakLoop() ) + if ( DAQ_BreakLoop(DAQ_SUCCESS) ) return 0; } CleanExit(0); @@ -3423,7 +3593,7 @@ { ErrorMessage("*** Caught Int-Signal\n"); exit_logged = 1; - if ( DAQ_BreakLoop() ) + if ( DAQ_BreakLoop(DAQ_SUCCESS) ) return 0; } CleanExit(0); 
@@ -3434,7 +3604,7 @@ { ErrorMessage("*** Caught Quit-Signal\n"); exit_logged = 1; - if ( DAQ_BreakLoop() ) + if ( DAQ_BreakLoop(DAQ_SUCCESS) ) return 0; } CleanExit(0); @@ -3446,15 +3616,15 @@ exit_signal = 0; - if (usr_signal == SIGUSR1) + if (dump_stats_signal) { - ErrorMessage("*** Caught Usr-Signal\n"); + ErrorMessage("*** Caught Dump Stats-Signal\n"); DropStats(0); } - usr_signal = 0; + dump_stats_signal = false; - if (rotate_stats_signal == SIGNAL_SNORT_ROTATE_STATS) + if (rotate_stats_signal) { ErrorMessage("*** Caught Signal: 'Rotate Perfmonitor Stats'\n"); @@ -3470,23 +3640,22 @@ } } - rotate_stats_signal = 0; + rotate_stats_signal = false; #ifdef TARGET_BASED - if (no_attr_table_signal == SIGNAL_SNORT_READ_ATTR_TBL) + if (no_attr_table_signal) ErrorMessage("!!! Cannot reload attribute table - Attribute table is not configured !!!\n"); - no_attr_table_signal = 0; + no_attr_table_signal = false; #endif #ifndef SNORT_RELOAD - if (hup_signal == SIGHUP) + if (reload_signal ) { - ErrorMessage("*** Caught Hup-Signal\n"); - hup_signal = 0; + ErrorMessage("*** Caught Reload-Signal\n"); + reload_signal = false; return 1; } - - hup_signal = 0; + reload_signal = false; #endif return 0; @@ -3510,7 +3679,8 @@ sc->pkt_cnt = -1; sc->pkt_snaplen = -1; - + /*user_id and group_id should be initialized to -1 by default, because + * chown() use this later, -1 means no change to user_id/group_id*/ sc->user_id = -1; sc->group_id = -1; @@ -3541,6 +3711,10 @@ sc->targeted_policies = NULL; sc->num_policies_allocated = 0; +#ifndef REG_TEST + sc->paf_max = DEFAULT_PAF_MAX; +#endif + return sc; } @@ -3581,6 +3755,9 @@ if (sc->bpf_filter != NULL) free(sc->bpf_filter); + if (sc->event_trace_file != NULL) + free(sc->event_trace_file); + #ifdef PERF_PROFILING if (sc->profile_rules.filename != NULL) free(sc->profile_rules.filename); 
@@ -3688,6 +3865,19 @@ if ( sc->daq_dirs ) StringVector_Delete(sc->daq_dirs); +#ifdef ACTIVE_RESPONSE + if ( sc->respond_device ) + free(sc->respond_device); + + if (sc->eth_dst ) + free(sc->eth_dst); +#endif + + if (sc->gtp_ports) + free(sc->gtp_ports); + + if(sc->cs_dir) + free(sc->cs_dir); free(sc); } @@ -3840,13 +4030,14 @@ if (p == NULL) continue; - FreePreprocReassemblyPktFuncs(p->preproc_reassembly_pkt_funcs); - p->preproc_reassembly_pkt_funcs = NULL; - FreePreprocEvalFuncs(p->preproc_eval_funcs); p->preproc_eval_funcs = NULL; p->num_preprocs = 0; + FreePreprocMetaEvalFuncs(p->preproc_meta_eval_funcs); + p->preproc_meta_eval_funcs = NULL; + p->num_meta_preprocs = 0; + FreeDetectionEvalFuncs(p->detect_eval_funcs); p->detect_eval_funcs = NULL; p->num_detects = 0; @@ -3905,9 +4096,7 @@ } config_file->run_flags |= cmd_line->run_flags; - config_file->output_flags |= cmd_line->output_flags; - config_file->logging_flags |= cmd_line->logging_flags; /* Merge checksum flags. If command line modified them, use from the @@ -3936,7 +4125,6 @@ } } - #ifdef DYNAMIC_PLUGIN if (cmd_line->dyn_engines != NULL) { 
@@ -4082,6 +4270,47 @@ if (cmd_line->run_flags & RUN_FLAG__PROCESS_ALL_EVENTS) config_file->event_queue_config->process_all_events = 1; + if (cmd_line->cs_dir != NULL) + { + if (config_file->cs_dir != NULL) + free(config_file->cs_dir); + config_file->cs_dir = SnortStrdup(cmd_line->cs_dir); + } + if (config_file->cs_dir) + { + +#ifndef WIN32 + /* + * If an absolute path is specified, then use that. + * otherwise, relative to pid path + */ + if ((config_file->cs_dir[0] != '/') && config_file->pid_path && config_file->pid_path[0]) + { + + char fullpath[PATH_MAX]; + + if (config_file->pid_path[strlen(config_file->pid_path) - 1] == '/') + { + SnortSnprintf(fullpath, sizeof(fullpath), + "%s%s", config_file->pid_path, config_file->cs_dir); + } + else + { + SnortSnprintf(fullpath, sizeof(fullpath), + "%s/%s", config_file->pid_path, config_file->cs_dir); + } + free (config_file->cs_dir); + config_file->cs_dir = SnortStrdup(fullpath); + + } +#else + /*Not supported in WINDOWS*/ + free (config_file->cs_dir); + config_file->cs_dir = NULL; +#endif + ControlSocketConfigureDirectory(config_file->cs_dir); + } + return config_file; } @@ -4157,7 +4386,7 @@ while (head != NULL) { VarNode *tmp = head; - + head = head->next; if (tmp->name != NULL) @@ -4224,6 +4453,11 @@ LogMessage("\n"); LogMessage(" --== Initializing Snort ==--\n"); + if (SnortStrnlen(signal_error_msg, STD_BUF)> 0) + { + ErrorMessage("%s", signal_error_msg); + } + if (!ScVersionMode()) { /* Every run mode except version will potentially need output @@ -4262,6 +4496,7 @@ RegisterPreprocessorProfile("decode", &decodePerfStats, 0, &totalPerfStats); RegisterPreprocessorProfile("eventq", &eventqPerfStats, 0, &totalPerfStats); RegisterPreprocessorProfile("total", &totalPerfStats, 0, NULL); + RegisterPreprocessorProfile("daq meta", &metaPerfStats, 0, NULL); #endif LogMessage("Parsing Rules file \"%s\"\n", snort_conf_file); 
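Review bot: The relative-path branch builds `fullpath` with SnortSnprintf() but never checks the result, so a `pid_path`/`cs_dir` combination longer than PATH_MAX is silently truncated and the control socket directory ends up somewhere other than what was configured; check SnortSnprintf()'s return (or the combined length against `sizeof(fullpath)`) and FatalError() on truncation, as this file does for other oversize paths. In the `#else` (WIN32) arm `config_file->cs_dir` is set to NULL and `ControlSocketConfigureDirectory(config_file->cs_dir)` is then still called with NULL; moving that call inside the `#ifndef WIN32` arm makes the Windows no-op explicit. The directory comes straight from the command line or config with no ownership/mode check here — if ControlSocketConfigureDirectory() does that validation, a comment saying so would help, since a world-writable socket directory is a local privilege issue. The enclosing merge function starts before this hunk.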
@@ -4277,10 +4512,10 @@ #ifdef TARGET_BASED /* Parse attribute table stuff here since config max_attribute_hosts * is apart from attribute table configuration. - * Only attribute table in default policy is processed. Attribute table in - * other policies indicates that attribute table in default table should + * Only attribute table in default policy is processed. Attribute table in + * other policies indicates that attribute table in default table should * be used. Filenames for attribute_table should be same across all policies. - */ + */ { tSfPolicyId defaultPolicyId = sfGetDefaultPolicy(snort_conf->policy_config); TargetBasedConfig *tbc = &snort_conf->targeted_policies[defaultPolicyId]->target_based_config; @@ -4298,6 +4533,12 @@ file_name = saved_file_name; file_line = saved_file_line; } + + /**Live host updates is initialized even if adaptive policy is turned off. + */ +#ifdef SUP_IP6 + SFLAT_init(); +#endif } #endif @@ -4442,6 +4683,8 @@ InitDynamicDetectionPlugins(snort_conf); #endif + EventTrace_Init(); + if (ScIdsMode() || ScTestMode()) { detection_filter_print_config(snort_conf->detection_filter_config); @@ -4452,9 +4695,9 @@ /* Check rule state lists, enable/disabled * and err on 'special' GID without OTN. */ - /* - * Modified toi use sigInfo.shared in otn instead of the GENERATOR ID - man - */ + /* + * Modified toi use sigInfo.shared in otn instead of the GENERATOR ID - man + */ SetRuleStates(snort_conf); /* Verify the preprocessors are configured properly */ @@ -4478,8 +4721,6 @@ __FILE__, __LINE__); } - // the jury is still out on this 2.9 location ... - // see comment in unpriv init for 2.8.X location fpCreateFastPacketDetection(snort_conf); #ifdef INTEL_SOFT_CPM @@ -4491,6 +4732,7 @@ PPM_PRINT_CFG(&snort_conf->ppm_cfg); #endif + ControlSocketInit(); } #if defined(INLINE_FAILOPEN) && !defined(WIN32) 
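Review bot: `ControlSocketInit()` is added at the tail of SnortInit(), which main() runs before GoDaemon() and before SnortUnprivilegedInit()/InitPidChrootAndPrivs() drop root (see the earlier hunks), so whatever the control socket creates on disk is created as root and in the pre-chroot filesystem view. If that ordering is deliberate (the socket must exist before chroot), the long comment above SnortUnprivilegedInit() in this diff that explains what belongs in SnortInit() should say so, and ControlSocketInit() should create its socket/directory with a restrictive mode and chown it to ScUid()/ScGid() so the unprivileged process can still unlink it in ControlSocketCleanUp(); whether it already does is outside this diff. Otherwise the call belongs after InitPidChrootAndPrivs(). A short comment at the call site, e.g. `/* must precede chroot/setuid: socket path is created here as root */`, would settle the question for the next reader.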
@@ -4540,6 +4782,14 @@ // packets in a fail open mode in the main thread. we don't want big delays // here to cause excess latency or dropped packets in that thread which may // be the case if all threads are pinned to a single cpu/core. +// +// clarification: once snort opens/starts the DAQ, packets are queued for snort +// and must be disposed of quickly or the queue will overflow and packets will +// be dropped so the fail open thread does the remaining initialization while +// the main thread passes packets. prior to opening and starting the DAQ, +// packet passing is done by the driver/hardware. the goal then is to put as +// much initialization stuff in SnortInit() as possible and to restrict this +// function to those things that depend on DAQ startup or non-root user/group. static void SnortUnprivilegedInit(void) { #ifdef ACTIVE_RESPONSE @@ -4548,9 +4798,11 @@ Active_Init(snort_conf); #endif - InitPidChrootAndPrivs(); + InitPidChrootAndPrivs(snort_main_thread_pid); #if defined(HAVE_LINUXTHREADS) && !defined(WIN32) + // this must be done after dropping privs for linux threads + // to ensure that child threads can communicate with parent SnortStartThreads(); #endif @@ -4568,9 +4820,6 @@ // to /var/log/snort. in this case they must override log path. PostConfigInitPlugins(snort_conf->plugin_post_config_funcs); - // this is the 2.8.X location - //fpCreateFastPacketDetection(snort_conf); - LogMessage("\n"); LogMessage(" --== Initialization Complete ==--\n"); @@ -4585,7 +4834,7 @@ CleanExit(0); } - LogMessage("Commencing packet processing (pid=%u)\n", getpid()); + LogMessage("Commencing packet processing (pid=%u)\n", snort_main_thread_pid); snort_initializing = 0; } 
@@ -4601,8 +4850,45 @@ } #endif +/* Add a signal handler + * + * If check needed, also check whether previous signal_handler is neither SIG_IGN nor SIG_DFL + * + * Return: + * 0: error + * 1: success + */ +int SnortAddSignal(int sig, sighandler_t signal_handler, int check_needed) +{ + sighandler_t pre_handler; + +#ifdef HAVE_SIGACTION + struct sigaction action; + struct sigaction old_action; + sigemptyset(&action.sa_mask); + action.sa_flags = 0; + action.sa_handler = signal_handler; + sigaction(sig, &action, &old_action); + pre_handler = old_action.sa_handler; +#else + pre_handler = signal(sig, signal_handler); +#endif + if (SIG_ERR == pre_handler) + { + SnortSnprintfAppend(signal_error_msg, STD_BUF, + "Could not add handler for signal %d \n", sig); + return 0; + } + else if (check_needed && (SIG_IGN != pre_handler) && (SIG_DFL!= pre_handler)) + { + SnortSnprintfAppend(signal_error_msg, STD_BUF, + "WARNING: Handler is already installed for signal %d.\n", sig); + } + return 1; +} static void InitSignals(void) { + #ifndef WIN32 # if defined(LINUX) || defined(FREEBSD) || defined(OPENBSD) || \ defined(SOLARIS) || defined(BSD) || defined(MACOS) 
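Review bot: On the HAVE_SIGACTION path the result of `sigaction(sig, &action, &old_action)` is never checked, so when it fails (EINVAL for an invalid signal number, or for SIGKILL/SIGSTOP) `old_action` is left uninitialized and `pre_handler = old_action.sa_handler;` reads indeterminate memory, which means the `SIG_ERR == pre_handler` test below can only ever fire on the legacy signal() path. Replace those two lines with `if (sigaction(sig, &action, &old_action) < 0) pre_handler = SIG_ERR; else pre_handler = old_action.sa_handler;` so both paths report failure identically. Separately, glibc's signal() installs handlers with BSD semantics (SA_RESTART), while this sigaction path sets `action.sa_flags = 0`, so blocking calls that used to be restarted transparently will now return EINTR when a stats/reload/rotate signal arrives; if that is not the intent, set `action.sa_flags = SA_RESTART;` for the non-exit signals. The header comment could also state that the "already installed" warning is informational and the previous handler is replaced regardless.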
@@ -4624,17 +4910,22 @@ * Windows doesn't like all of these signals, and will * set errno for some. Ignore/reset this error so it * doesn't interfere with later checks of errno value. */ - signal(SIGTERM, SigExitHandler); - signal(SIGINT, SigExitHandler); - signal(SIGQUIT, SigExitHandler); - signal(SIGUSR1, SigUsrHandler); - signal(SIGHUP, SigHupHandler); - signal(SIGNAL_SNORT_ROTATE_STATS, SigRotateStatsHandler); + signal_error_msg[0] = '\0'; + SnortAddSignal(SIGTERM, SigExitHandler, 1); + SnortAddSignal(SIGINT, SigExitHandler, 1); + SnortAddSignal(SIGQUIT, SigExitHandler, 1); + SnortAddSignal(SIGNAL_SNORT_DUMP_STATS, SigDumpStatsHandler, 1); + SnortAddSignal(SIGNAL_SNORT_RELOAD, SigReloadHandler, 1); + SnortAddSignal(SIGNAL_SNORT_ROTATE_STATS, SigRotateStatsHandler, 1); + +#ifdef CONTROL_SOCKET + SnortAddSignal(SIGPIPE, SigPipeHandler, 1); +#endif #ifdef TARGET_BASED /* Used to print warning if attribute table is not configured * When it is, it will set new signal handler */ - signal(SIGNAL_SNORT_READ_ATTR_TBL, SigNoAttributeTableHandler); + SnortAddSignal(SIGNAL_SNORT_READ_ATTR_TBL, SigNoAttributeTableHandler, 1); #endif errno = 0; @@ -4750,6 +5041,28 @@ } #if defined(SNORT_RELOAD) && !defined(WIN32) +static void updatePeriodicCheck() +{ + PeriodicCheckFuncNode *checkFunc; + + /* reset preprocessors */ + checkFunc = periodic_check_funcs; + while (checkFunc != NULL) + { + if ( 0 == checkFunc->time_left ) + { + checkFunc->func(-1, checkFunc->arg); + checkFunc->time_left = checkFunc->period; + //LogMessage(" --== Share Memory! ==--\n"); + } + else + checkFunc->time_left--; + + checkFunc = checkFunc->next; + } + +} + static void * ReloadConfigThread(void *data) { sigset_t mtmask; @@ -4766,10 +5079,10 @@ while (!snort_exiting) { - if (hup_signal != reload_hups) + if (reload_signal != reload_total) { int reload_failed = 0; - reload_hups++; + reload_total++; LogMessage("\n"); LogMessage(" --== Reloading Snort ==--\n"); 
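Review bot: updatePeriodicCheck() invokes each registered `checkFunc->func(-1, checkFunc->arg)` from the reload/maintenance thread (ReloadConfigThread, whose body continues outside this hunk) concurrently with the packet thread, and nothing here serializes against per-preprocessor state, so every callback registered through periodic_check_funcs must be safe to run off the packet thread; that contract belongs on the function, e.g. `/* Runs due periodic callbacks on the maintenance thread; callbacks execute concurrently with packet processing and must synchronize their own state. */`. The countdown also assumes exactly one call per second, which only holds while the caller sleeps 1s between iterations and a reload does not stretch the interval, so `time_left` is a lower bound rather than a schedule and the comment should say so. Minor: declare it `static void updatePeriodicCheck(void)` — an empty parameter list is an old-style declaration in C — and drop the commented-out `//LogMessage(" --== Share Memory! ==--\n");`.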
@@ -4814,6 +5127,8 @@ LogMessage("\n"); } } + /* Use the maintenance thread for periodic check*/ + updatePeriodicCheck(); sleep(1); } @@ -5314,17 +5629,26 @@ { for (new_output_config = new_config->output_configs; - new_output_config != NULL; - new_output_config = new_output_config->next) + new_output_config != NULL; + new_output_config = new_output_config->next) { - if ((strcasecmp(old_output_config->keyword, - new_output_config->keyword) == 0) && - (strcasecmp(old_output_config->opts, - new_output_config->opts) == 0)) + if (strcasecmp(old_output_config->keyword, new_output_config->keyword) == 0) { - new_outputs++; - break; + if ((old_output_config->opts != NULL) && + (new_output_config->opts != NULL) && + (strcasecmp(old_output_config->opts, new_output_config->opts) == 0)) + { + new_outputs++; + break; + } + else if (old_output_config->opts == NULL && + new_output_config->opts == NULL) + { + new_outputs++; + break; + } } + } old_outputs++; diff -Nru snort-2.9.0.1/src/snort_debug.h snort-2.9.2/src/snort_debug.h --- snort-2.9.0.1/src/snort_debug.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/snort_debug.h 2011-11-21 12:15:24.000000000 -0800 
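Review bot: The two new branches inside the keyword match express one predicate — "both opts NULL" or "both non-NULL and equal" — and are easier to audit as a single condition: `const char *o = old_output_config->opts, *n = new_output_config->opts;` followed by `if ((o == NULL && n == NULL) || (o != NULL && n != NULL && strcasecmp(o, n) == 0)) { new_outputs++; break; }`. Note (inherited, not introduced here) that strcasecmp makes two output configs that differ only in the case of a path or filename compare equal, which is not true on case-sensitive filesystems; if opts can carry file paths, a case-sensitive compare would be safer for deciding whether an output plugin must be re-instantiated on reload. The enclosing function starts and ends outside this hunk.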
@@ -0,0 +1,115 @@ +/* $Id$ */ +/* +** Copyright (C) 2002-2011 Sourcefire, Inc. +** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + + +#ifndef DEBUG_H +#define DEBUG_H + +#include <ctype.h> +#ifdef SF_WCHAR +/* ISOC99 is defined to get required prototypes */ +#ifndef __USE_ISOC99 +#define __USE_ISOC99 +#endif +#include <wchar.h> +#endif + +// this env var uses the lower 32 bits of the flags: +#define DEBUG_VARIABLE "SNORT_DEBUG" + +#define DEBUG_INIT 0x0000000000000001 +#define DEBUG_PARSER 0x0000000000000002 +#define DEBUG_MSTRING 0x0000000000000004 +#define DEBUG_PORTLISTS 0x0000000000000008 +#define DEBUG_ATTRIBUTE 0x0000000000000010 +#define DEBUG_PLUGIN 0x0000000000000020 +#define DEBUG_PLUGBASE 0x0000000000000040 +#define DEBUG_DECODE 0x0000000000000080 +#define DEBUG_DATALINK 0x0000000000000100 +#define DEBUG_CONFIGRULES 0x0000000000000200 +#define DEBUG_RULES 0x0000000000000400 +#define DEBUG_DETECT 0x0000000000000800 +#define DEBUG_PATTERN_MATCH 0x0000000000001000 +#define DEBUG_FLOW 0x0000000000002000 +#define DEBUG_LOG 0x0000000000004000 +#define DEBUG_EXP 0x0000000080000000 + +// this env var uses the upper 32 bits of the flags: +#define DEBUG_PP_VAR "SNORT_PP_DEBUG" 
+ +#define DEBUG_FRAG 0x0000000100000000 +#define DEBUG_STREAM 0x0000000200000000 +#define DEBUG_STREAM_STATE 0x0000000400000000 +#define DEBUG_STREAM_PAF 0x0000000800000000 +#define DEBUG_HTTP_DECODE 0x0000001000000000 +#define DEBUG_HTTPINSPECT 0x0000002000000000 +#define DEBUG_ASN1 0x0000004000000000 +#define DEBUG_DNS 0x0000008000000000 +#define DEBUG_FTPTELNET 0x0000010000000000 +#define DEBUG_GTP 0x0000020000000000 +#define DEBUG_IMAP 0x0000040000000000 +#define DEBUG_POP 0x0000080000000000 +#define DEBUG_RPC 0x0000100000000000 +#define DEBUG_SIP 0x0000200000000000 +#define DEBUG_SKYPE 0x0000400000000000 +#define DEBUG_SSL 0x0000800000000000 +#define DEBUG_SMTP 0x0001000000000000 +#define DEBUG_PP_EXP 0x8000000000000000 + +void DebugMessageFunc(uint64_t dbg,char *fmt, ...); +#ifdef SF_WCHAR +void DebugWideMessageFunc(uint64_t dbg,wchar_t *fmt, ...); +#endif + +#ifdef DEBUG_MSGS + + extern char *DebugMessageFile; + extern int DebugMessageLine; + + #define DebugMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugMessageFunc + #define DebugWideMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugWideMessageFunc + + uint64_t GetDebugLevel (void); + int DebugThis(uint64_t level); +#else /* DEBUG_MSGS */ + +#ifdef WIN32 +/* Visual C++ uses the keyword "__inline" rather than "__inline__" */ + #define __inline__ __inline +#endif + +#endif /* DEBUG_MSGS */ + + +#ifdef DEBUG_MSGS +#define DEBUG_WRAP(code) code +void DebugMessageFunc(uint64_t dbg,char *fmt, ...); +#ifdef SF_WCHAR +void DebugWideMessageFunc(uint64_t dbg,wchar_t *fmt, ...); +#endif +#else /* DEBUG_MSGS */ +#define DEBUG_WRAP(code) +/* I would use DebugMessage(dbt,fmt...) but that only works with GCC */ + +#endif /* DEBUG_MSGS */ + +#endif /* DEBUG_H */ + diff -Nru snort-2.9.0.1/src/snort.h snort-2.9.2/src/snort.h --- snort-2.9.0.1/src/snort.h 2010-08-25 13:22:39.000000000 -0700 +++ snort-2.9.2/src/snort.h 2011-11-21 12:15:24.000000000 -0800 
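Review bot: `#define DebugMessage DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugMessageFunc` expands a call to three statements, so `if (cond) DebugMessage(DEBUG_FLOW, "x");` without braces makes only the first assignment conditional and always calls DebugMessageFunc; this looks inherited from the old debug.h rather than introduced here, but since the header is being recreated it is the moment to make it `#define DebugMessage(...) do { DebugMessageFile = __FILE__; DebugMessageLine = __LINE__; DebugMessageFunc(__VA_ARGS__); } while (0)` (C99 variadic macros, which the `uint64_t` use already presumes), and the same for DebugWideMessage. `DebugMessageFunc`/`DebugWideMessageFunc` are also prototyped twice in the file (unconditionally near the top and again under DEBUG_MSGS) and take a non-const `char *fmt`; a single `void DebugMessageFunc(uint64_t dbg, const char *fmt, ...);` each avoids the duplication and the const warnings for literal formats. A `do { } while (0)` body cannot stand where the old expansion was used as an expression, so grep for `DebugMessage(` used as a value before switching.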
@@ -1,5 +1,5 @@ /* -** Copyright (C) 2005-2010 Sourcefire, Inc. +** Copyright (C) 2005-2011 Sourcefire, Inc. ** Copyright (C) 1998-2005 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -31,6 +31,7 @@ #include <sys/types.h> #include <stdio.h> +#include "sf_types.h" #include "spo_plugbase.h" #include "decode.h" #include "perf.h" @@ -56,7 +57,7 @@ #include "sfutil/sfPolicy.h" #include "detection_filter.h" #include "generators.h" - +#include <signal.h> #if defined(HAVE_LIBPRELUDE) || defined(INLINE_FAILOPEN) || \ defined(TARGET_BASED) || defined(SNORT_RELOAD) # include <pthread.h> @@ -114,7 +115,7 @@ # else # define FILEACCESSBITS 0x1FF # endif -#endif +#endif #define DO_IP_CHECKSUMS 0x00000001 #define DO_TCP_CHECKSUMS 0x00000002 @@ -125,10 +126,23 @@ #define LOG_TCPDUMP 0x00000002 #define LOG_UNIFIED2 0x0000004 -#define SIGNAL_SNORT_ROTATE_STATS 28 -#define SIGNAL_SNORT_CHILD_READY 29 +#ifndef SIGNAL_SNORT_RELOAD +#define SIGNAL_SNORT_RELOAD SIGHUP +#endif +#ifndef SIGNAL_SNORT_DUMP_STATS +#define SIGNAL_SNORT_DUMP_STATS SIGUSR1 +#endif +#ifndef SIGNAL_SNORT_ROTATE_STATS +#define SIGNAL_SNORT_ROTATE_STATS SIGUSR2 +#endif + +// this one should not be changed by user +#define SIGNAL_SNORT_CHILD_READY SIGCHLD + #ifdef TARGET_BASED -# define SIGNAL_SNORT_READ_ATTR_TBL 30 +#ifndef SIGNAL_SNORT_READ_ATTR_TBL +# define SIGNAL_SNORT_READ_ATTR_TBL SIGURG +#endif #endif #define MODE_PACKET_DUMP 1 @@ -156,7 +170,7 @@ # define MPLS_PAYLOADTYPE_IPV4 1 # define MPLS_PAYLOADTYPE_ETHERNET 2 # define MPLS_PAYLOADTYPE_IPV6 3 -# define MPLS_PAYLOADTYPE_ERROR -1 +# define MPLS_PAYLOADTYPE_ERROR -1 # define DEFAULT_MPLS_PAYLOADTYPE MPLS_PAYLOADTYPE_IPV4 # define DEFAULT_LABELCHAIN_LENGTH -1 #endif @@ -267,6 +281,8 @@ ENABLE_INLINE_TEST, + ARG_CS_DIR, + GET_OPT_LONG_IDS_MAX } GetOptLongIds; 
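Review bot: `SIGNAL_SNORT_CHILD_READY` is now SIGCHLD, which the kernel also delivers when any child of the process exits, stops or continues — not only for the readiness handshake the name implies — so if the handler bound to it (outside this hunk) does more than set a flag that the parent then verifies, any helper process terminating will trigger it spuriously. SIGURG for `SIGNAL_SNORT_READ_ATTR_TBL` is likewise the socket out-of-band-data signal; it is only delivered to a process that has claimed a socket with F_SETOWN/FIOSETOWN, which nothing visible here does, but the reuse should be recorded so a later control-socket change does not start generating it. A one-line comment at the definitions would carry both, e.g. `// SIGCHLD and SIGURG are reused as control signals: both are ignored by default; snort must never claim socket ownership (F_SETOWN) or SIGURG becomes ambiguous`.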
@@ -547,23 +563,25 @@ PortTable *nonamePortVarTable; /* un-named entries */ PreprocEvalFuncNode *preproc_eval_funcs; - PreprocReassemblyPktFuncNode *preproc_reassembly_pkt_funcs; + PreprocMetaEvalFuncNode *preproc_meta_eval_funcs; int preproc_proto_mask; SFGHASH *preproc_rule_options; int num_preprocs; + int num_meta_preprocs; int policy_mode; uint32_t policy_flags; /* mask of preprocessors that have registered runtime process functions */ int preproc_bit_mask; + int preproc_meta_bit_mask; int num_detects; //int detect_bit_mask; int detect_proto_mask; DetectionEvalFuncNode *detect_eval_funcs; - /** Identifier assigned by user to correlate unified2 events to actual + /** Identifier assigned by user to correlate unified2 events to actual * policy. User or DC should assign each policy a unique number. Snort * will not verify uniqueness. */ @@ -695,6 +713,9 @@ void* daq_vars; /* --daq-var or config daq_var */ void* daq_dirs; /* --daq-dir or config daq_dir */ + char* event_trace_file; + uint16_t event_trace_max; + int thiszone; #ifdef WIN32 @@ -733,6 +754,7 @@ #ifdef ACTIVE_RESPONSE uint8_t respond_attempts; /* config respond */ char* respond_device; + uint8_t *eth_dst; /* config destination MAC address */ #endif #ifdef TARGET_BASED @@ -774,6 +796,7 @@ int num_rule_types; RuleListNode *rule_lists; + int evalOrder[RULE_TYPE__MAX + 1]; ListHead Alert; /* Alert Block Header */ ListHead Log; /* Log Block Header */ 
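Review bot: The new `int evalOrder[RULE_TYPE__MAX + 1];` and `uint8_t *eth_dst; /* config destination MAC address */` say nothing about their layout: ScGetEvalIndex() later in this diff indexes evalOrder by RuleType, and a MAC is six bytes, but neither the indexing nor the pointer's length and ownership is stated. Suggest `int evalOrder[RULE_TYPE__MAX + 1]; /* rule evaluation order, indexed by RuleType (see ScGetEvalIndex) */` and `uint8_t *eth_dst; /* config destination MAC address: 6 bytes, NULL if unset (confirm in parser) */` — the 6-byte and NULL claims are inferred, so verify them against the config parser before committing them. `num_meta_preprocs` and `preproc_meta_bit_mask` could reuse the comment style of `preproc_bit_mask` just above them. The enclosing struct definitions start outside these hunks.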
@@ -802,13 +825,13 @@ #endif /* The port-rule-maps map the src-dst ports to rules for - * udp and tcp, for Ip we map the dst port as the protocol, - * and for Icmp we map the dst port to the Icmp type. This - * allows us to use the decode packet information to in O(1) - * select a group of rules to apply to the packet. These - * rules may have uricontent, content, or they may be no content + * udp and tcp, for Ip we map the dst port as the protocol, + * and for Icmp we map the dst port to the Icmp type. This + * allows us to use the decode packet information to in O(1) + * select a group of rules to apply to the packet. These + * rules may have uricontent, content, or they may be no content * rules, or any combination. We process the uricontent 1st, - * then the content, and then the no content rules for udp/tcp + * then the content, and then the no content rules for udp/tcp * and icmp, than we process the ip rules. */ PORT_RULE_MAP *prmIpRTNX; PORT_RULE_MAP *prmTcpRTNX; @@ -818,7 +841,7 @@ #ifdef TARGET_BASED srmm_table_t *srmmTable; /* srvc rule map master table */ srmm_table_t *spgmmTable; /* srvc port_group map master table */ - sopg_table_t *sopgTable; /* service-oridnal to port_group table */ + sopg_table_t *sopgTable; /* service-oridnal to port_group table */ #endif SFXHASH *detection_option_hash_table; @@ -831,8 +854,15 @@ char *base_version; uint8_t enable_teredo; /* config enable_deep_teredo_inspection */ + uint8_t enable_gtp; /* config enable_gtp */ + char *gtp_ports; + uint8_t enable_esp; + uint8_t vlan_agnostic; /* config vlan_agnostic */ + uint8_t log_ipv6_extra; /* config log_ipv6_extra_data */ uint32_t so_rule_memcap; + uint32_t paf_max; /* config paf_max */ + char *cs_dir; } SnortConfig; /* struct to collect packet statistics */ 
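Review bot: The new `char *gtp_ports;` has no comment saying how it is indexed or sized, and `ScIsGTPPort()` later in this diff indexes it directly with a `uint16_t` port, so it must be a table of at least 65536 entries whenever GTP decoding is enabled; record that invariant on the field, e.g. `char *gtp_ports;  /* config gtp ports: 65536-entry flag table indexed by port; NULL unless enable_gtp */` (the sizing is inferred from the accessor, so confirm it against the parser). `uint32_t paf_max` and `char *cs_dir` would also benefit from the `/* config … */` tag the neighbouring fields carry, e.g. `char *cs_dir;  /* --cs-dir or config cs_dir: directory for the control socket */`. The SnortConfig struct starts outside this hunk.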
@@ -905,6 +935,7 @@ uint64_t queue_limit; uint64_t log_limit; uint64_t event_limit; + uint64_t alert_limit; uint64_t frags; /* number of frags that have come in */ uint64_t frag_trackers; /* number of tracking structures generated */ @@ -930,7 +961,7 @@ /* wireless statistics */ uint64_t wifi_mgmt; uint64_t wifi_data; - uint64_t wifi_control; + uint64_t wifi_control; uint64_t assoc_req; uint64_t assoc_resp; uint64_t reassoc_req; @@ -959,7 +990,7 @@ #endif // NO_NON_ETHER_DECODER #ifdef MPLS - uint64_t mpls; + uint64_t mpls; #endif } PacketCount; @@ -989,7 +1020,9 @@ /* P R O T O T Y P E S ******************************************************/ int SnortMain(int argc, char *argv[]); -int ProcessPacket(void*, const DAQ_PktHdr_t*, const uint8_t*, void*); +DAQ_Verdict ProcessPacket(void*, const DAQ_PktHdr_t*, const uint8_t*, void*); +void SetupMetadataCallback(void); +int InMainThread(void); void SigCantHupHandler(int signal); void print_packet_count(void); 
@@ -1001,533 +1034,551 @@ void CleanupPreprocessors(SnortConfig *); void CleanupPlugins(SnortConfig *); -static INLINE int ScTestMode(void) +typedef void (*sighandler_t)(int); +int SnortAddSignal(int sig, sighandler_t handler, int); + +static inline int ScTestMode(void) { return snort_conf->run_mode == RUN_MODE__TEST; } #ifdef DYNAMIC_PLUGIN -static INLINE int ScRuleDumpMode(void) +static inline int ScRuleDumpMode(void) { return snort_conf->run_mode == RUN_MODE__RULE_DUMP; } #endif -static INLINE int ScVersionMode(void) +static inline int ScVersionMode(void) { return snort_conf->run_mode == RUN_MODE__VERSION; } -static INLINE int ScIdsMode(void) +static inline int ScIdsMode(void) { return snort_conf->run_mode == RUN_MODE__IDS; } -static INLINE int ScPacketLogMode(void) +static inline int ScPacketLogMode(void) { return snort_conf->run_mode == RUN_MODE__PACKET_LOG; } -static INLINE int ScPacketDumpMode(void) +static inline int ScPacketDumpMode(void) { return snort_conf->run_mode == RUN_MODE__PACKET_DUMP; } -static INLINE int ScDaemonMode(void) +static inline int ScDaemonMode(void) { return snort_conf->run_flags & RUN_FLAG__DAEMON; } -static INLINE int ScDaemonRestart(void) +static inline int ScDaemonRestart(void) { return snort_conf->run_flags & RUN_FLAG__DAEMON_RESTART; } -static INLINE int ScReadMode(void) +static inline int ScReadMode(void) { return snort_conf->run_flags & RUN_FLAG__READ; } -static INLINE int ScLogSyslog(void) +static inline int ScLogSyslog(void) { return snort_conf->logging_flags & LOGGING_FLAG__SYSLOG; } #ifdef WIN32 -static INLINE int ScLogSyslogRemote(void) +static inline int ScLogSyslogRemote(void) { return snort_conf->logging_flags & LOGGING_FLAG__SYSLOG_REMOTE; } #endif -static INLINE int ScLogVerbose(void) +static inline int ScLogVerbose(void) { return snort_conf->logging_flags & LOGGING_FLAG__VERBOSE; } -static INLINE int ScLogQuiet(void) +static inline int ScLogQuiet(void) { return snort_conf->logging_flags & LOGGING_FLAG__QUIET; } 
-static INLINE int ScDecoderAlerts(void) +static inline int ScDecoderAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__DEFAULT; } -static INLINE int ScDecoderDrops(void) +static inline int ScDecoderDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__DEFAULT; } -static INLINE int ScDecoderOversizedAlerts(void) +static inline int ScDecoderOversizedAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__OVERSIZED; } -static INLINE int ScDecoderOversizedDrops(void) +static inline int ScDecoderOversizedDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__OVERSIZED; } -static INLINE int ScDecoderIpv6BadFragAlerts(void) +static inline int ScDecoderIpv6BadFragAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__IPV6_BAD_FRAG; } -static INLINE int ScDecoderIpv6BadFragDrops(void) +static inline int ScDecoderIpv6BadFragDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__IPV6_BAD_FRAG; } -static INLINE int ScDecoderIpv6BsdIcmpFragAlerts(void) +static inline int ScDecoderIpv6BsdIcmpFragAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__IPV6_BSD_ICMP_FRAG; } -static INLINE int ScDecoderIpv6BsdIcmpFragDrops(void) +static inline int ScDecoderIpv6BsdIcmpFragDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__IPV6_BSD_ICMP_FRAG; } -static INLINE int ScDecoderTcpOptAlerts(void) +static inline int ScDecoderTcpOptAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__TCP_OPT_ANOMALY; } -static INLINE int ScDecoderTcpOptDrops(void) +static inline int 
ScDecoderTcpOptDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__TCP_OPT_ANOMALY; } -static INLINE int ScDecoderTcpOptExpAlerts(void) +static inline int ScDecoderTcpOptExpAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__TCP_EXP_OPT; } -static INLINE int ScDecoderTcpOptExpDrops(void) +static inline int ScDecoderTcpOptExpDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__TCP_EXP_OPT; } -static INLINE int ScDecoderTcpOptObsAlerts(void) +static inline int ScDecoderTcpOptObsAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__TCP_OBS_OPT; } -static INLINE int ScDecoderTcpOptObsDrops(void) +static inline int ScDecoderTcpOptObsDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__TCP_OBS_OPT; } -static INLINE int ScDecoderTcpOptTTcpAlerts(void) +static inline int ScDecoderTcpOptTTcpAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__TCP_TTCP_OPT; } -static INLINE int ScDecoderTcpOptTTcpDrops(void) +static inline int ScDecoderTcpOptTTcpDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__TCP_TTCP_OPT; } -static INLINE int ScDecoderIpOptAlerts(void) +static inline int ScDecoderIpOptAlerts(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_alert_flags & DECODE_EVENT_FLAG__IP_OPT_ANOMALY; } -static INLINE int ScDecoderIpOptDrops(void) +static inline int ScDecoderIpOptDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->decoder_drop_flags & DECODE_EVENT_FLAG__IP_OPT_ANOMALY; } -static INLINE int ScIpChecksums(void) +static inline int ScIpChecksums(void) { return 
snort_conf->targeted_policies[getDefaultPolicy()]->checksum_flags & CHECKSUM_FLAG__IP; } -static INLINE int ScIpChecksumDrops(void) +static inline int ScIpChecksumDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->checksum_drop_flags & CHECKSUM_FLAG__IP; } -static INLINE int ScUdpChecksums(void) +static inline int ScUdpChecksums(void) { return snort_conf->targeted_policies[getDefaultPolicy()]->checksum_flags & CHECKSUM_FLAG__UDP; } -static INLINE int ScUdpChecksumDrops(void) +static inline int ScUdpChecksumDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->checksum_drop_flags & CHECKSUM_FLAG__UDP; } -static INLINE int ScTcpChecksums(void) +static inline int ScTcpChecksums(void) { return snort_conf->targeted_policies[getDefaultPolicy()]->checksum_flags & CHECKSUM_FLAG__TCP; } -static INLINE int ScTcpChecksumDrops(void) +static inline int ScTcpChecksumDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->checksum_drop_flags & CHECKSUM_FLAG__TCP; } -static INLINE int ScIcmpChecksums(void) +static inline int ScIcmpChecksums(void) { return snort_conf->targeted_policies[getDefaultPolicy()]->checksum_flags & CHECKSUM_FLAG__ICMP; } -static INLINE int ScIcmpChecksumDrops(void) +static inline int ScIcmpChecksumDrops(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->checksum_drop_flags & CHECKSUM_FLAG__ICMP; } -static INLINE int ScIgnoreTcpPort(uint16_t port) +static inline int ScIgnoreTcpPort(uint16_t port) { - return snort_conf->ignore_ports[port] == IPPROTO_TCP; + return snort_conf->ignore_ports[port] & PROTO_BIT__TCP; } -static INLINE int ScIgnoreUdpPort(uint16_t port) +static inline int ScIgnoreUdpPort(uint16_t port) { - return snort_conf->ignore_ports[port] == IPPROTO_UDP; + return snort_conf->ignore_ports[port] & PROTO_BIT__UDP; } #ifdef MPLS -static INLINE long int ScMplsStackDepth(void) +static inline long int ScMplsStackDepth(void) { return snort_conf->mpls_stack_depth; } -static INLINE long 
int ScMplsPayloadType(void) +static inline long int ScMplsPayloadType(void) { return snort_conf->mpls_payload_type; } -static INLINE int ScMplsOverlappingIp(void) +static inline int ScMplsOverlappingIp(void) { return snort_conf->run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; } -static INLINE int ScMplsMulticast(void) +static inline int ScMplsMulticast(void) { return snort_conf->run_flags & RUN_FLAG__MPLS_MULTICAST; } #endif -static INLINE uint32_t ScIpv6FragTimeout(void) +static inline uint32_t ScIpv6FragTimeout(void) { return snort_conf->ipv6_frag_timeout; } -static INLINE uint32_t ScIpv6MaxFragSessions(void) +static inline uint32_t ScIpv6MaxFragSessions(void) { return snort_conf->ipv6_max_frag_sessions; } -static INLINE uint8_t ScMinTTL(void) +static inline uint8_t ScMinTTL(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->min_ttl; } #ifdef NORMALIZER -static INLINE uint8_t ScNewTTL(void) +static inline uint8_t ScNewTTL(void) { return snort_conf->targeted_policies[getRuntimePolicy()]->new_ttl; } #endif -static INLINE uint32_t ScEventLogId(void) +static inline uint32_t ScPafMax (void) +{ + return snort_conf->paf_max; +} + +static inline bool ScPafEnabled (void) +{ + return ( ScPafMax() > 0 ); +} + +static inline uint32_t ScEventLogId(void) { return snort_conf->event_log_id; } -static INLINE int ScConfErrorOut(void) +static inline int ScConfErrorOut(void) { return snort_conf->run_flags & RUN_FLAG__CONF_ERROR_OUT; } -static INLINE int ScAssureEstablished(void) +static inline int ScAssureEstablished(void) { return snort_conf->run_flags & RUN_FLAG__ASSURE_EST; } /* Set if stream5 is configured */ -static INLINE int ScStateful(void) +static inline int ScStateful(void) { return snort_conf->run_flags & RUN_FLAG__STATEFUL; } -static INLINE long int ScPcreMatchLimit(void) +static inline long int ScPcreMatchLimit(void) { return snort_conf->pcre_match_limit; } -static INLINE long int ScPcreMatchLimitRecursion(void) +static inline long int 
ScPcreMatchLimitRecursion(void) { return snort_conf->pcre_match_limit_recursion; } #ifdef PERF_PROFILING -static INLINE int ScProfilePreprocs(void) +static inline int ScProfilePreprocs(void) { return snort_conf->profile_preprocs.num; } -static INLINE int ScProfileRules(void) +static inline int ScProfileRules(void) { return snort_conf->profile_rules.num; } #endif -static INLINE int ScStaticHash(void) +static inline int ScStaticHash(void) { return snort_conf->run_flags & RUN_FLAG__STATIC_HASH; } #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS -static INLINE int ScAutoGenPreprocDecoderOtns(void) +static inline int ScAutoGenPreprocDecoderOtns(void) { return (((snort_conf->targeted_policies[getRuntimePolicy()])->policy_flags) & POLICY_FLAG__AUTO_OTN ); } #endif -static INLINE int ScProcessAllEvents(void) +static inline int ScProcessAllEvents(void) { return snort_conf->event_queue_config->process_all_events; } -static INLINE int ScInlineMode(void) +static inline int ScInlineMode(void) { return (((snort_conf->targeted_policies[getRuntimePolicy()])->policy_mode) == POLICY_MODE__INLINE ); } -static INLINE int ScAdapterInlineMode(void) +static inline int ScAdapterInlineMode(void) { return snort_conf->run_flags & RUN_FLAG__INLINE; } -static INLINE int ScInlineTestMode(void) +static inline int ScInlineTestMode(void) { return (((snort_conf->targeted_policies[getRuntimePolicy()])->policy_mode) == POLICY_MODE__INLINE_TEST ); } -static INLINE int ScAdapterInlineTestMode(void) +static inline int ScAdapterInlineTestMode(void) { return snort_conf->run_flags & RUN_FLAG__INLINE_TEST; } -static INLINE int ScOutputIncludeYear(void) +static inline int ScOutputIncludeYear(void) { return snort_conf->output_flags & OUTPUT_FLAG__INCLUDE_YEAR; } -static INLINE int ScOutputUseUtc(void) +static inline int ScOutputUseUtc(void) { return snort_conf->output_flags & OUTPUT_FLAG__USE_UTC; } -static INLINE int ScOutputDataLink(void) +static inline int ScOutputDataLink(void) { return 
snort_conf->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; } -static INLINE int ScVerboseByteDump(void) +static inline int ScVerboseByteDump(void) { return snort_conf->output_flags & OUTPUT_FLAG__VERBOSE_DUMP; } -static INLINE int ScAlertPacketCount(void) +static inline int ScAlertPacketCount(void) { return snort_conf->output_flags & OUTPUT_FLAG__ALERT_PKT_CNT; } -static INLINE int ScObfuscate(void) +static inline int ScObfuscate(void) { return snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE; } -static INLINE int ScOutputAppData(void) +static inline int ScOutputAppData(void) { return snort_conf->output_flags & OUTPUT_FLAG__APP_DATA; } -static INLINE int ScOutputCharData(void) +static inline int ScOutputCharData(void) { return snort_conf->output_flags & OUTPUT_FLAG__CHAR_DATA; } -static INLINE int ScAlertInterface(void) +static inline int ScAlertInterface(void) { return snort_conf->output_flags & OUTPUT_FLAG__ALERT_IFACE; } -static INLINE int ScNoOutputTimestamp(void) +static inline int ScNoOutputTimestamp(void) { return snort_conf->output_flags & OUTPUT_FLAG__NO_TIMESTAMP; } -static INLINE int ScLineBufferedLogging(void) +static inline int ScLineBufferedLogging(void) { return snort_conf->output_flags & OUTPUT_FLAG__LINE_BUFFER; } -static INLINE int ScDefaultRuleState(void) +static inline int ScDefaultRuleState(void) { return snort_conf->default_rule_state; } -static INLINE int ScRequireRuleSid(void) +static inline int ScRequireRuleSid(void) { return snort_conf->run_flags & RUN_FLAG__REQUIRE_RULE_SID; } #ifdef INLINE_FAILOPEN -static INLINE int ScDisableInlineFailopen(void) +static inline int ScDisableInlineFailopen(void) { return snort_conf->run_flags & RUN_FLAG__DISABLE_FAILOPEN; } #endif -static INLINE int ScNoLockPidFile(void) +static inline int ScNoLockPidFile(void) { return snort_conf->run_flags & RUN_FLAG__NO_LOCK_PID_FILE; } -static INLINE long int ScTaggedPacketLimit(void) +static inline long int ScTaggedPacketLimit(void) { return 
snort_conf->tagged_packet_limit; } -static INLINE int ScCreatePidFile(void) +static inline int ScCreatePidFile(void) { return snort_conf->run_flags & RUN_FLAG__CREATE_PID_FILE; } -static INLINE int ScPcapShow(void) +static inline int ScPcapShow(void) { return snort_conf->run_flags & RUN_FLAG__PCAP_SHOW; } -static INLINE int ScPcapReset(void) +static inline int ScPcapReset(void) { return snort_conf->run_flags & RUN_FLAG__PCAP_RESET; } #ifndef NO_NON_ETHER_DECODER -static INLINE int ScOutputWifiMgmt(void) +static inline int ScOutputWifiMgmt(void) { return snort_conf->output_flags & OUTPUT_FLAG__SHOW_WIFI_MGMT; } #endif #ifdef TARGET_BASED -static INLINE uint32_t ScMaxAttrHosts(void) +static inline uint32_t ScMaxAttrHosts(void) { return snort_conf->max_attribute_hosts; } -static INLINE int ScDisableAttrReload(void) +static inline int ScDisableAttrReload(void) { return snort_conf->run_flags & RUN_FLAG__DISABLE_ATTRIBUTE_RELOAD_THREAD; } #endif -static INLINE int ScTreatDropAsAlert(void) +static inline int ScTreatDropAsAlert(void) { return snort_conf->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; } -static INLINE int ScTreatDropAsIgnore(void) +static inline int ScTreatDropAsIgnore(void) { return snort_conf->run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; } -static INLINE int ScAlertBeforePass(void) +static inline int ScAlertBeforePass(void) { return snort_conf->run_flags & RUN_FLAG__ALERT_BEFORE_PASS; } -static INLINE int ScNoPcre(void) +static inline int ScNoPcre(void) { return snort_conf->run_flags & RUN_FLAG__NO_PCRE; } -static INLINE int ScNoLog(void) +static inline int ScGetEvalIndex(RuleType type) +{ + return snort_conf->evalOrder[type]; +} + +static inline int ScNoLog(void) { return snort_conf->no_log; } -static INLINE int ScNoAlert(void) +static inline int ScNoAlert(void) { return snort_conf->no_alert; } #if defined(WIN32) && defined(ENABLE_WIN32_SERVICE) -static INLINE int ScTerminateService(void) +static inline int ScTerminateService(void) { return 
snort_conf->run_flags & RUN_FLAG__TERMINATE_SERVICE; } -static INLINE int ScPauseService(void) +static inline int ScPauseService(void) { return snort_conf->run_flags & RUN_FLAG__PAUSE_SERVICE; } #endif -static INLINE int ScUid(void) +static inline int ScUid(void) { return snort_conf->user_id; } -static INLINE int ScGid(void) +static inline int ScGid(void) { return snort_conf->group_id; } -static INLINE char * ScPcapLogFile(void) +static inline char * ScPcapLogFile(void) { return snort_conf->pcap_log_file; } // use of macro avoids depending on generators.h #define EventIsInternal(gid) (gid == GENERATOR_INTERNAL) - -static INLINE void EnableInternalEvent(RateFilterConfig *config, uint32_t sid) -{ + +static inline void EnableInternalEvent(RateFilterConfig *config, uint32_t sid) +{ if (config == NULL) return; config->internal_event_mask |= (1 << sid); -} +} -static INLINE int InternalEventIsEnabled(RateFilterConfig *config, uint32_t sid) -{ +static inline int InternalEventIsEnabled(RateFilterConfig *config, uint32_t sid) +{ if (config == NULL) return 0; return (config->internal_event_mask & (1 << sid)); -} +} -static INLINE int ScIsPreprocEnabled(uint32_t preproc_id, tSfPolicyId policy_id) +static inline int ScIsPreprocEnabled(uint32_t preproc_id, tSfPolicyId policy_id) { SnortPolicy *policy; 
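Review bot: `typedef void (*sighandler_t)(int);` lands in a widely included header right after snort.h gains `#include <signal.h>`, and glibc's <signal.h> already defines a `sighandler_t` of the same type when _GNU_SOURCE/__USE_GNU is in effect; whether this build defines that is not visible here, but a duplicate typedef is rejected by GCC before 4.6 and in strict C99 mode, so either guard it with `#ifndef __USE_GNU` or use a project-prefixed name such as `snort_sighandler_t`. The prototype `int SnortAddSignal(int sig, sighandler_t handler, int);` also leaves its third parameter unnamed; `int SnortAddSignal(int sig, sighandler_t handler, int check_needed);  /* 0 = error, 1 = success; diagnostics appended to signal_error_msg */` gives callers the contract without opening snort.c. `ScGetEvalIndex(RuleType type)` indexes `evalOrder[type]` with no range check, which is fine for enum-typed callers but deserves a comment that `type` must be at most RULE_TYPE__MAX.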
@@ -1544,13 +1595,38 @@ return 0; } -static INLINE int ScDeepTeredoInspection(void) +static inline int ScDeepTeredoInspection(void) { return snort_conf->enable_teredo; } -static INLINE uint32_t ScSoRuleMemcap(void) -{ +static inline int ScGTPDecoding(void) +{ + return snort_conf->enable_gtp; +} + +static inline int ScIsGTPPort(uint16_t port) +{ + return snort_conf->gtp_ports[port]; +} + +static inline int ScESPDecoding(void) +{ + return snort_conf->enable_esp; +} + +static inline int ScVlanAgnostic(void) +{ + return snort_conf->vlan_agnostic; +} + +static inline int ScLogIPv6Extra(void) +{ + return snort_conf->log_ipv6_extra; +} + +static inline uint32_t ScSoRuleMemcap(void) +{ return snort_conf->so_rule_memcap; } diff -Nru snort-2.9.0.1/src/spo_plugbase.h snort-2.9.2/src/spo_plugbase.h --- snort-2.9.0.1/src/spo_plugbase.h 2010-06-09 15:04:57.000000000 -0700 +++ snort-2.9.2/src/spo_plugbase.h 2011-02-09 15:22:54.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/tag.c snort-2.9.2/src/tag.c --- snort-2.9.0.1/src/tag.c 2010-08-25 13:22:39.000000000 -0700 +++ snort-2.9.2/src/tag.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Chris Green <cmg@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -35,7 +35,7 @@ #include "decode.h" #include "rules.h" #include "treenodes.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "generators.h" #include "log.h" 
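Review bot: `ScIsGTPPort()` dereferences `snort_conf->gtp_ports[port]` unconditionally, but the field is a plain `char *` that is presumably only allocated when `config enable_gtp` is parsed, so a caller that consults the port table before checking `ScGTPDecoding()` would dereference NULL. Either guard it, `return snort_conf->gtp_ports != NULL && snort_conf->gtp_ports[port];`, or document the precondition on the accessor: `/* only valid when ScGTPDecoding() is set; gtp_ports is a 65536-entry table indexed by port */`. Whether gtp_ports is always allocated is decided by the parser, which is not in this diff, so confirm before choosing.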
@@ -49,8 +49,8 @@ /* D E F I N E S **************************************************/ #define MAX_TAG_NODES 256 -/* by default we'll set a 5 minute timeout if we see no activity - * on a tag with a 'count' metric so that we prune dead sessions +/* by default we'll set a 5 minute timeout if we see no activity + * on a tag with a 'count' metric so that we prune dead sessions * periodically since we're not doing TCP state tracking */ #define TAG_PRUNE_QUANTUM 300 @@ -75,7 +75,7 @@ typedef struct _TagNode { /**key identifying a session or host. */ - tTagSessionKey key; + tTagSessionKey key; /** transport proto */ uint8_t proto; @@ -130,7 +130,7 @@ static void TagSession(Packet *, TagData *, uint32_t, uint16_t); static void TagHost(Packet *, TagData *, uint32_t, uint16_t); static void AddTagNode(Packet *, TagData *, int, uint32_t, uint16_t); -static INLINE void SwapTag(TagNode *); +static inline void SwapTag(TagNode *); /**Calculated memory needed per node insertion into respective cache. Its includes * memory needed for allocating TagNode, SFXHASH_NODE, and key size. @@ -138,9 +138,9 @@ * @param hash - pointer to SFXHASH that should point to either ssn_tag_cache_ptr * or host_tag_cache_ptr. * - * @returns number of bytes needed + * @returns number of bytes needed */ -static INLINE unsigned int memory_per_node( +static inline unsigned int memory_per_node( SFXHASH *hash ) { @@ -255,11 +255,11 @@ } -#ifdef DEBUG +#ifdef DEBUG_MSGS -/** +/** * Print out a tag node IFF we are current in debug_flow - * + * * @param np tagnode pointer to print */ static void PrintTagNode(TagNode *np) @@ -274,12 +274,12 @@ { return; } - + printf("+--------------------------------------------------------------\n"); printf("| Ssn Counts: %d, Host Counts: %d\n", ssn_tag_cache_ptr->count, host_tag_cache_ptr->count); - + printf("| (%u) %s:%d -> ", np->proto, #ifdef SUP_IP6 
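Review bot: The guard around `PrintTagNode` is renamed to `#ifdef DEBUG_MSGS` in the hunk at old line 255, but the matching `#endif /* DEBUG */` (shown as a context line of the next hunk at old line 312) keeps the old name, so the trailing comment no longer names its `#ifdef`. Updating it to `#endif /* DEBUG_MSGS */` keeps the pair greppable. The same `DEBUG` to `DEBUG_MSGS` rename appears later in this diff in the attribute-table lexer hunks, where the `#endif` lines carry no comment and need no change.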
@@ -312,12 +312,12 @@ #endif /* DEBUG */ -/** +/** * swap the sips and dips, dp's and sp's - * + * * @param np TagNode ptr */ -static INLINE void SwapTag(TagNode *np) +static inline void SwapTag(TagNode *np) { snort_ip tip; uint16_t tport; @@ -379,7 +379,7 @@ static void TagHost(Packet *p, TagData *tag, uint32_t time, uint16_t event_id) { - int mode; + int mode; DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "TAGGING HOST\n");); @@ -399,7 +399,7 @@ AddTagNode(p, tag, mode, time, event_id); } -static void AddTagNode(Packet *p, TagData *tag, int mode, uint32_t now, +static void AddTagNode(Packet *p, TagData *tag, int mode, uint32_t now, uint16_t event_id) { TagNode *idx; /* index pointer */ @@ -425,8 +425,8 @@ * and return - won't be able to track this one. */ if (idx == NULL) { - ErrorMessage("AddTagNode(): Unable to allocate %lu bytes of memory for new TagNode\n", - sizeof(TagNode)); + ErrorMessage("AddTagNode(): Unable to allocate %u bytes of memory for new TagNode\n", + (unsigned)sizeof(TagNode)); return; } @@ -442,7 +442,7 @@ idx->event_time.tv_usec = p->pkth->ts.tv_usec; idx->mode = mode; idx->pkt_count = 0; - + if(idx->metric & TAG_METRIC_SECONDS) { /* set the expiration time for this tag */ @@ -462,15 +462,15 @@ } DEBUG_WRAP(PrintTagNode(idx);); - - + + /* check for duplicates */ returned = (TagNode *) sfxhash_find(tag_cache_ptr, idx); - + if(returned == NULL) { DEBUG_WRAP(DebugMessage(DEBUG_FLOW,"Looking the other way!!\n");); - SwapTag(idx); + SwapTag(idx); returned = (TagNode *) sfxhash_find(tag_cache_ptr, idx); SwapTag(idx); } @@ -533,7 +533,7 @@ return 0; } - DEBUG_WRAP(DebugMessage(DEBUG_FLOW,"Host Tags Active: %d Session Tags Active: %d\n", + DEBUG_WRAP(DebugMessage(DEBUG_FLOW,"Host Tags Active: %d Session Tags Active: %d\n", sfxhash_count(host_tag_cache_ptr), sfxhash_count(ssn_tag_cache_ptr));); DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "[*] Checking session tag list (forward)...\n");); 
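Review bot: In the `AddTagNode` hunk at old line 425 the `%lu` format mismatch is fixed by casting `sizeof(TagNode)` to `unsigned` and printing with `%u`; that is correct for a struct this size but is the pre-C99 idiom, and the same commit already moves the file to C99 `inline`, so `%zu` with the un-cast `sizeof` is the more direct form: `ErrorMessage("AddTagNode(): Unable to allocate %zu bytes of memory for new TagNode\n", sizeof(TagNode));`. This assumes `ErrorMessage` forwards its format to a printf-family function, which is not visible in the hunk. The body of `AddTagNode` starts before and continues after this hunk.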
@@ -648,22 +648,22 @@ if (create_event) { /* set the event info */ - SetEvent(event, GENERATOR_TAG, TAG_LOG_PKT, 1, 1, 1, + SetEvent(event, GENERATOR_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id); /* set event reference details */ event->ref_time.tv_sec = returned->event_time.tv_sec; event->ref_time.tv_usec = returned->event_time.tv_usec; event->event_reference = returned->event_id | ScEventLogId(); } - - if(returned->bytes == 0 && returned->packets == 0 && + + if(returned->bytes == 0 && returned->packets == 0 && returned->seconds == 0) { DEBUG_WRAP(DebugMessage(DEBUG_FLOW," Prune condition met for tag, removing" " from list\n");); if (sfxhash_remove(taglist, returned) != SFXHASH_OK) { - LogMessage("WARNING: failed to remove tagNode from hash!\n"); + LogMessage("WARNING: failed to remove tagNode from hash.\n"); } } } @@ -712,7 +712,7 @@ { if (sfxhash_remove(ssn_tag_cache_ptr, lru_node) != SFXHASH_OK) { - LogMessage("WARNING: failed to remove tagNode from hash!\n"); + LogMessage("WARNING: failed to remove tagNode from hash.\n"); } pruned++; } @@ -720,7 +720,7 @@ { if (sfxhash_remove(host_tag_cache_ptr, lru_node) != SFXHASH_OK) { - LogMessage("WARNING: failed to remove tagNode from hash!\n"); + LogMessage("WARNING: failed to remove tagNode from hash.\n"); } pruned++; } @@ -741,7 +741,7 @@ { if (sfxhash_remove(tree, lru_node) != SFXHASH_OK) { - LogMessage("WARNING: failed to remove tagNode from hash!\n"); + LogMessage("WARNING: failed to remove tagNode from hash.\n"); } pruned++; } @@ -765,11 +765,11 @@ switch(otn->tag->tag_type) { #ifdef SUP_IP6 - case TAG_SESSION: + case TAG_SESSION: DEBUG_WRAP(DebugMessage(DEBUG_FLOW,"Setting session tag:\n"); DebugMessage(DEBUG_FLOW,"SIP: %s SP: %d ", sfip_ntoa(GET_SRC_IP(p)), p->sp); - DebugMessage(DEBUG_FLOW,"DIP: %s DP: %d\n", + DebugMessage(DEBUG_FLOW,"DIP: %s DP: %d\n", sfip_ntoa(GET_DST_IP(p)),p->dp);); TagSession(p, otn->tag, p->pkth->ts.tv_sec, event_id); break; 
@@ -777,17 +777,17 @@ DEBUG_WRAP(DebugMessage(DEBUG_FLOW,"Setting host tag:\n"); DebugMessage(DEBUG_FLOW,"SIP: %s SP: %d ", sfip_ntoa(GET_SRC_IP(p)),p->sp); - DebugMessage(DEBUG_FLOW, "DIP: %s DP: %d\n", + DebugMessage(DEBUG_FLOW, "DIP: %s DP: %d\n", sfip_ntoa(GET_DST_IP(p)),p->dp);); TagHost(p, otn->tag, p->pkth->ts.tv_sec, event_id); - break; + break; #else - case TAG_SESSION: + case TAG_SESSION: DEBUG_WRAP(DebugMessage(DEBUG_FLOW,"Setting session tag:\n"); DebugMessage(DEBUG_FLOW,"SIP: 0x%X SP: %d DIP: 0x%X " "DP: %d\n", p->iph->ip_src.s_addr,p->sp, p->iph->ip_dst.s_addr,p->dp);); - + TagSession(p, otn->tag, p->pkth->ts.tv_sec, event_id); break; @@ -797,13 +797,13 @@ "DP: %d\n", p->iph->ip_src.s_addr,p->sp, p->iph->ip_dst.s_addr,p->dp);); TagHost(p, otn->tag, p->pkth->ts.tv_sec, event_id); - break; + break; #endif - + default: LogMessage("WARNING: Trying to tag with unknown " - "tag type!\n"); - break; + "tag type.\n"); + break; } } } diff -Nru snort-2.9.0.1/src/tag.h snort-2.9.2/src/tag.h --- snort-2.9.0.1/src/tag.h 2010-01-26 10:09:33.000000000 -0800 +++ snort-2.9.2/src/tag.h 2011-02-09 15:22:54.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/target-based/Makefile.am snort-2.9.2/src/target-based/Makefile.am --- snort-2.9.0.1/src/target-based/Makefile.am 2009-09-14 12:12:22.000000000 -0700 +++ snort-2.9.2/src/target-based/Makefile.am 2011-10-26 11:28:52.000000000 -0700 
@@ -23,7 +23,10 @@ sftarget_protocol_reference.c \ sftarget_protocol_reference.h \ sf_attribute_table_parser.l \ -sf_attribute_table.y +sf_attribute_table.y \ +sftarget_reader_live.c \ +sftarget_reader_live.h + else libtarget_based_a_SOURCES = sftarget_reader.c endif diff -Nru snort-2.9.0.1/src/target-based/Makefile.in snort-2.9.2/src/target-based/Makefile.in --- snort-2.9.0.1/src/target-based/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/target-based/Makefile.in 2011-12-07 11:23:22.000000000 -0800 @@ -53,7 +53,8 @@ am__libtarget_based_a_SOURCES_DIST = sftarget_reader.c \ sftarget_reader.h sftarget_hostentry.c sftarget_hostentry.h \ sftarget_protocol_reference.c sftarget_protocol_reference.h \ - sf_attribute_table_parser.l sf_attribute_table.y + sf_attribute_table_parser.l sf_attribute_table.y \ + sftarget_reader_live.c sftarget_reader_live.h @HAVE_TARGET_BASED_FALSE@am_libtarget_based_a_OBJECTS = \ @HAVE_TARGET_BASED_FALSE@ sftarget_reader.$(OBJEXT) @HAVE_TARGET_BASED_TRUE@am_libtarget_based_a_OBJECTS = \ @@ -61,7 +62,8 @@ @HAVE_TARGET_BASED_TRUE@ sftarget_hostentry.$(OBJEXT) \ @HAVE_TARGET_BASED_TRUE@ sftarget_protocol_reference.$(OBJEXT) \ @HAVE_TARGET_BASED_TRUE@ sf_attribute_table_parser.$(OBJEXT) \ -@HAVE_TARGET_BASED_TRUE@ sf_attribute_table.$(OBJEXT) +@HAVE_TARGET_BASED_TRUE@ sf_attribute_table.$(OBJEXT) \ +@HAVE_TARGET_BASED_TRUE@ sftarget_reader_live.$(OBJEXT) @HAVE_TARGET_BASED_TRUE@nodist_libtarget_based_a_OBJECTS = \ @HAVE_TARGET_BASED_TRUE@ sf_attribute_table_parser.$(OBJEXT) \ @HAVE_TARGET_BASED_TRUE@ sf_attribute_table.$(OBJEXT) @@ -103,7 +105,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -118,6 +122,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -154,13 +159,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -239,7 +250,9 @@ @HAVE_TARGET_BASED_TRUE@sftarget_protocol_reference.c \ @HAVE_TARGET_BASED_TRUE@sftarget_protocol_reference.h \ @HAVE_TARGET_BASED_TRUE@sf_attribute_table_parser.l \ -@HAVE_TARGET_BASED_TRUE@sf_attribute_table.y +@HAVE_TARGET_BASED_TRUE@sf_attribute_table.y \ +@HAVE_TARGET_BASED_TRUE@sftarget_reader_live.c \ +@HAVE_TARGET_BASED_TRUE@sftarget_reader_live.h all: all-am diff -Nru snort-2.9.0.1/src/target-based/sf_attribute_table.c snort-2.9.2/src/target-based/sf_attribute_table.c --- snort-2.9.0.1/src/target-based/sf_attribute_table.c 2010-10-08 02:58:05.000000000 -0700 +++ snort-2.9.2/src/target-based/sf_attribute_table.c 2011-12-07 11:24:46.000000000 -0800 @@ -85,7 +85,7 @@ #include "util.h" #include "sftarget_reader.h" #include "log.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_types.h" #define YYSTACK_USE_ALLOCA 0 @@ -502,9 +502,9 @@ /* YYNNTS -- Number of nonterminals. */ #define YYNNTS 54 /* YYNRULES -- Number of rules. */ -#define YYNRULES 82 +#define YYNRULES 83 /* YYNRULES -- Number of states. */ -#define YYNSTATES 151 +#define YYNSTATES 152 /* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */ #define YYUNDEFTOK 2 
@@ -559,11 +559,11 @@ 28, 30, 33, 37, 41, 45, 46, 49, 53, 55, 57, 62, 66, 70, 73, 77, 81, 83, 86, 88, 90, 92, 94, 96, 100, 104, 108, 112, 116, 118, - 121, 124, 126, 129, 131, 135, 139, 143, 147, 151, - 153, 155, 156, 159, 163, 165, 167, 169, 172, 176, - 180, 184, 188, 192, 196, 200, 204, 208, 212, 217, - 221, 225, 227, 229, 230, 233, 237, 239, 241, 243, - 246, 248, 251 + 121, 124, 126, 129, 131, 135, 138, 142, 146, 150, + 154, 156, 158, 159, 162, 166, 168, 170, 172, 175, + 179, 183, 187, 191, 195, 199, 203, 207, 211, 215, + 220, 224, 228, 230, 232, 233, 236, 240, 242, 244, + 246, 249, 251, 254 }; /* YYRHS -- A `-1'-separated list of the rules' RHS. */ @@ -582,19 +582,19 @@ 35, 85, 36, -1, 37, 85, 38, -1, 39, 21, 40, -1, 41, 21, 42, -1, 86, -1, 86, 89, -1, 87, 89, -1, 87, -1, 88, 89, -1, 88, - -1, 27, 21, 28, -1, 27, 22, 28, -1, 29, - 22, 30, -1, 31, 22, 32, -1, 91, 93, 92, - -1, 43, -1, 44, -1, -1, 94, 93, -1, 95, - 97, 96, -1, 45, -1, 46, -1, 98, -1, 98, - 102, -1, 99, 100, 101, -1, 99, 101, 100, -1, - 100, 99, 101, -1, 100, 101, 99, -1, 101, 100, - 99, -1, 101, 99, 100, -1, 51, 85, 52, -1, - 55, 85, 56, -1, 53, 85, 54, -1, 57, 85, - 58, -1, 57, 85, 103, 58, -1, 37, 85, 38, - -1, 105, 107, 106, -1, 47, -1, 48, -1, -1, - 108, 107, -1, 109, 111, 110, -1, 49, -1, 50, - -1, 112, -1, 112, 102, -1, 100, -1, 99, 100, - -1, 100, 99, -1 + -1, 27, 21, 28, -1, 27, 28, -1, 27, 22, + 28, -1, 29, 22, 30, -1, 31, 22, 32, -1, + 91, 93, 92, -1, 43, -1, 44, -1, -1, 94, + 93, -1, 95, 97, 96, -1, 45, -1, 46, -1, + 98, -1, 98, 102, -1, 99, 100, 101, -1, 99, + 101, 100, -1, 100, 99, 101, -1, 100, 101, 99, + -1, 101, 100, 99, -1, 101, 99, 100, -1, 51, + 85, 52, -1, 55, 85, 56, -1, 53, 85, 54, + -1, 57, 85, 58, -1, 57, 85, 103, 58, -1, + 37, 85, 38, -1, 105, 107, 106, -1, 47, -1, + 48, -1, -1, 108, 107, -1, 109, 111, 110, -1, + 49, -1, 50, -1, 112, -1, 112, 102, -1, 100, + -1, 99, 100, -1, 100, 99, -1 }; /* YYRLINE[YYN] -- source line where rule number YYN was defined. */ 
@@ -604,11 +604,11 @@ 188, 191, 198, 205, 213, 219, 222, 225, 235, 242, 245, 250, 255, 260, 267, 282, 284, 284, 286, 286, 286, 286, 286, 289, 297, 305, 313, 321, 329, 335, - 341, 347, 353, 373, 395, 401, 407, 414, 421, 427, - 434, 440, 443, 449, 457, 464, 470, 474, 480, 485, - 490, 495, 500, 505, 512, 520, 528, 536, 543, 552, - 560, 566, 573, 579, 582, 588, 596, 603, 609, 613, - 619, 624, 629 + 341, 347, 353, 373, 395, 401, 405, 411, 418, 425, + 431, 438, 444, 447, 453, 461, 468, 474, 478, 484, + 489, 494, 499, 504, 509, 516, 524, 532, 540, 547, + 556, 564, 570, 577, 583, 586, 592, 600, 607, 613, + 617, 623, 628, 633 }; #endif @@ -675,11 +675,11 @@ 66, 67, 68, 69, 70, 71, 71, 72, 73, 74, 75, 75, 75, 75, 76, 77, 78, 78, 79, 79, 79, 79, 79, 80, 81, 82, 83, 84, 85, 85, - 85, 85, 85, 85, 86, 87, 88, 89, 90, 91, - 92, 93, 93, 94, 95, 96, 97, 97, 98, 98, - 98, 98, 98, 98, 99, 100, 101, 102, 102, 103, - 104, 105, 106, 107, 107, 108, 109, 110, 111, 111, - 112, 112, 112 + 85, 85, 85, 85, 86, 87, 87, 88, 89, 90, + 91, 92, 93, 93, 94, 95, 96, 97, 97, 98, + 98, 98, 98, 98, 98, 99, 100, 101, 102, 102, + 103, 104, 105, 106, 107, 107, 108, 109, 110, 111, + 111, 112, 112, 112 }; /* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN. */ @@ -689,11 +689,11 @@ 1, 2, 3, 3, 3, 0, 2, 3, 1, 1, 4, 3, 3, 2, 3, 3, 1, 2, 1, 1, 1, 1, 1, 3, 3, 3, 3, 3, 1, 2, - 2, 1, 2, 1, 3, 3, 3, 3, 3, 1, - 1, 0, 2, 3, 1, 1, 1, 2, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 4, 3, - 3, 1, 1, 0, 2, 3, 1, 1, 1, 2, - 1, 2, 2 + 2, 1, 2, 1, 3, 2, 3, 3, 3, 3, + 1, 1, 0, 2, 3, 1, 1, 1, 2, 3, + 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, + 3, 3, 1, 1, 0, 2, 3, 1, 1, 1, + 2, 1, 2, 2 }; /* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state 
@@ -706,17 +706,17 @@ 0, 14, 18, 16, 0, 3, 0, 10, 8, 0, 11, 0, 0, 0, 13, 0, 0, 19, 17, 0, 23, 12, 24, 0, 0, 0, 0, 0, 0, 26, - 28, 29, 30, 32, 31, 49, 71, 22, 51, 21, - 73, 0, 0, 0, 38, 41, 43, 0, 0, 0, - 0, 25, 27, 20, 54, 0, 51, 0, 76, 0, - 73, 0, 0, 0, 0, 33, 0, 39, 40, 42, - 34, 35, 36, 37, 50, 48, 52, 0, 0, 0, - 0, 56, 0, 0, 0, 72, 70, 74, 0, 80, - 0, 78, 44, 45, 46, 0, 0, 0, 0, 55, - 53, 0, 57, 0, 0, 0, 0, 0, 0, 81, - 82, 77, 75, 79, 47, 64, 66, 65, 0, 58, - 59, 60, 61, 63, 62, 0, 67, 0, 0, 68, - 69 + 28, 29, 30, 32, 31, 50, 72, 22, 52, 21, + 74, 0, 0, 0, 38, 41, 43, 0, 0, 0, + 0, 25, 27, 20, 55, 0, 52, 0, 77, 0, + 74, 0, 0, 0, 45, 0, 33, 0, 39, 40, + 42, 34, 35, 36, 37, 51, 49, 53, 0, 0, + 0, 0, 57, 0, 0, 0, 73, 71, 75, 0, + 81, 0, 79, 44, 46, 47, 0, 0, 0, 0, + 56, 54, 0, 58, 0, 0, 0, 0, 0, 0, + 82, 83, 78, 76, 80, 48, 65, 67, 66, 0, + 59, 60, 61, 62, 64, 63, 0, 68, 0, 0, + 69, 70 }; /* YYDEFGOTO[NTERM-NUM]. */ @@ -725,9 +725,9 @@ -1, 2, 3, 6, 10, 11, 12, 28, 19, 30, 20, 7, 13, 23, 24, 38, 32, 33, 40, 48, 49, 50, 51, 52, 53, 54, 63, 64, 65, 66, - 87, 57, 58, 95, 75, 76, 77, 120, 100, 101, - 102, 103, 104, 122, 147, 59, 60, 106, 79, 80, - 81, 132, 110, 111 + 88, 57, 58, 96, 75, 76, 77, 121, 101, 102, + 103, 104, 105, 123, 148, 59, 60, 107, 79, 80, + 81, 133, 111, 112 }; /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing 
@@ -735,22 +735,22 @@ #define YYPACT_NINF -97 static const yytype_int8 yypact[] = { - -2, 26, 22, -97, 28, -97, 27, 54, -97, -97, - 38, 28, 50, 40, 56, -97, -97, -97, 41, 55, - 51, -97, -97, -97, 47, -97, 57, -97, -97, 46, - -97, 49, 53, 43, -97, 58, 59, -97, -97, -21, - -8, -97, -97, -6, -6, -6, 52, 60, -22, -97, - -97, -97, -97, -97, -97, -97, -97, 29, 30, -97, - 25, -13, 61, 44, 62, 62, 62, 48, 42, 45, - 63, -97, -97, -97, -97, 64, 30, -17, -97, 34, - 25, -11, 66, 67, 68, -97, 65, -97, -97, -97, - -97, -97, -97, -97, -97, -97, -97, -6, -6, -6, - 69, 31, -10, -1, -11, -97, -97, -97, 35, 70, - 36, 31, -97, -97, -97, 71, 37, 72, 73, -97, - -97, -6, -97, 39, 35, 39, 70, 35, 70, -97, - -97, -97, -97, -97, -97, -97, -97, -97, -27, -97, - -97, -97, -97, -97, -97, -6, -97, 33, 74, -97, - -97 + 1, 25, 9, -97, 28, -97, 30, 41, -97, -97, + 43, 28, 51, 42, 57, -97, -97, -97, 44, 54, + 52, -97, -97, -97, 48, -97, 56, -97, -97, 49, + -97, 50, 55, 47, -97, 60, 59, -97, -97, -23, + -4, -97, -97, -7, -7, -7, 61, 62, -22, -97, + -97, -97, -97, -97, -97, -97, -97, 22, 31, -97, + 26, 13, 58, 53, 46, 46, 46, 45, 63, 64, + 65, -97, -97, -97, -97, 40, 31, -9, -97, 37, + 26, 2, 66, 67, -97, 68, -97, 69, -97, -97, + -97, -97, -97, -97, -97, -97, -97, -97, -7, -7, + -7, 70, 29, -32, -15, 2, -97, -97, -97, 33, + 38, 71, 29, -97, -97, -97, 73, 72, 36, 74, + -97, -97, -7, -97, 39, 33, 39, 38, 33, 38, + -97, -97, -97, -97, -97, -97, -97, -97, -97, -34, + -97, -97, -97, -97, -97, -97, -7, -97, 35, 75, + -97, -97 }; /* YYPGOTO[NTERM-NUM]. */ @@ -758,9 +758,9 @@ { -97, -97, -97, -97, 85, -97, -97, -97, -97, -97, -97, 91, -97, -97, -97, -97, -97, -97, -97, -97, - 75, -97, -97, -97, -97, -97, -44, -97, -97, -97, - -7, -97, -97, -97, 23, -97, -97, -97, -97, -97, - -79, -76, -96, -9, -97, 76, -97, -97, 20, -97, + 77, -97, -97, -97, -97, -97, -44, -97, -97, -97, + -5, -97, -97, -97, 23, -97, -97, -97, -97, -97, + -79, -76, -96, -12, -97, 76, -97, -97, 32, -97, -97, -97, -97, -97 }; 
@@ -771,38 +771,38 @@ #define YYTABLE_NINF -1 static const yytype_uint8 yytable[] = { - 67, 68, 108, 1, 71, 109, 124, 126, 82, 83, - 145, 43, 43, 44, 44, 45, 45, 46, 46, 47, - 47, 61, 8, 62, 125, 127, 123, 139, 128, 141, - 130, 146, 129, 4, 97, 55, 98, 9, 99, 56, - 97, 5, 5, 98, 99, 99, 16, 142, 140, 144, - 97, 143, 98, 116, 117, 118, 21, 22, 88, 89, - 15, 18, 25, 26, 29, 27, 31, 35, 39, 34, - 36, 37, 41, 69, 78, 74, 56, 138, 85, 42, - 91, 70, 105, 84, 90, 92, 131, 115, 121, 135, - 99, 149, 98, 86, 112, 113, 17, 14, 114, 96, - 107, 148, 133, 134, 0, 93, 0, 0, 94, 0, - 0, 0, 150, 0, 0, 119, 0, 0, 0, 0, - 0, 97, 0, 72, 0, 0, 136, 0, 0, 137, - 0, 0, 0, 73 + 67, 68, 109, 146, 71, 110, 1, 125, 127, 8, + 43, 43, 44, 44, 45, 45, 46, 46, 47, 47, + 61, 99, 62, 100, 147, 126, 128, 124, 140, 129, + 142, 131, 4, 130, 82, 83, 98, 9, 99, 55, + 5, 84, 98, 56, 99, 5, 100, 15, 143, 141, + 145, 16, 144, 98, 117, 118, 119, 100, 21, 22, + 89, 90, 18, 25, 27, 29, 26, 31, 34, 56, + 35, 36, 39, 37, 41, 78, 74, 87, 139, 42, + 85, 91, 69, 70, 95, 106, 122, 86, 100, 98, + 137, 116, 99, 150, 113, 114, 17, 14, 115, 97, + 134, 92, 149, 0, 93, 135, 0, 94, 0, 0, + 0, 0, 108, 151, 0, 0, 120, 0, 0, 0, + 0, 132, 0, 0, 136, 72, 0, 0, 0, 0, + 138, 0, 0, 73 }; static const yytype_int16 yycheck[] = { - 44, 45, 81, 5, 26, 81, 102, 103, 21, 22, - 37, 33, 33, 35, 35, 37, 37, 39, 39, 41, - 41, 27, 0, 29, 103, 104, 102, 123, 104, 125, - 109, 58, 108, 7, 51, 43, 53, 9, 55, 47, - 51, 15, 15, 53, 55, 55, 8, 126, 124, 128, - 51, 127, 53, 97, 98, 99, 16, 17, 65, 66, - 6, 11, 6, 22, 13, 10, 19, 21, 25, 12, - 21, 18, 14, 21, 49, 45, 47, 121, 34, 20, - 38, 21, 48, 22, 36, 40, 50, 22, 57, 52, - 55, 58, 53, 31, 28, 28, 11, 6, 30, 76, - 80, 145, 111, 32, -1, 42, -1, -1, 44, -1, - -1, -1, 38, -1, -1, 46, -1, -1, -1, -1, - -1, 51, -1, 48, -1, -1, 54, -1, -1, 56, - -1, -1, -1, 57 + 44, 45, 81, 37, 26, 81, 5, 103, 104, 0, + 33, 33, 35, 35, 37, 37, 39, 39, 41, 41, + 27, 53, 29, 55, 58, 104, 105, 103, 124, 105, + 126, 110, 
7, 109, 21, 22, 51, 9, 53, 43, + 15, 28, 51, 47, 53, 15, 55, 6, 127, 125, + 129, 8, 128, 51, 98, 99, 100, 55, 16, 17, + 65, 66, 11, 6, 10, 13, 22, 19, 12, 47, + 21, 21, 25, 18, 14, 49, 45, 31, 122, 20, + 22, 36, 21, 21, 44, 48, 57, 34, 55, 51, + 54, 22, 53, 58, 28, 28, 11, 6, 30, 76, + 112, 38, 146, -1, 40, 32, -1, 42, -1, -1, + -1, -1, 80, 38, -1, -1, 46, -1, -1, -1, + -1, 50, -1, -1, 52, 48, -1, -1, -1, -1, + 56, -1, -1, 57 }; /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing @@ -817,14 +817,14 @@ 80, 81, 82, 83, 84, 43, 47, 90, 91, 104, 105, 27, 29, 85, 86, 87, 88, 85, 85, 21, 21, 26, 79, 104, 45, 93, 94, 95, 49, 107, - 108, 109, 21, 22, 22, 34, 31, 89, 89, 89, - 36, 38, 40, 42, 44, 92, 93, 51, 53, 55, - 97, 98, 99, 100, 101, 48, 106, 107, 99, 100, - 111, 112, 28, 28, 30, 22, 85, 85, 85, 46, - 96, 57, 102, 100, 101, 99, 101, 99, 100, 100, - 99, 50, 110, 102, 32, 52, 54, 56, 85, 101, - 100, 101, 99, 100, 99, 37, 58, 103, 85, 58, - 38 + 108, 109, 21, 22, 28, 22, 34, 31, 89, 89, + 89, 36, 38, 40, 42, 44, 92, 93, 51, 53, + 55, 97, 98, 99, 100, 101, 48, 106, 107, 99, + 100, 111, 112, 28, 28, 30, 22, 85, 85, 85, + 46, 96, 57, 102, 100, 101, 99, 101, 99, 100, + 100, 99, 50, 110, 102, 32, 52, 54, 56, 85, + 101, 100, 101, 99, 100, 99, 37, 58, 103, 85, + 58, 38 }; #define yyerrok (yyerrstatus = 0) 
@@ -1979,80 +1979,89 @@ /* Line 1455 of yacc.c */ #line 402 "sf_attribute_table.y" { - (yyval.numericValue) = (yyvsp[(2) - (3)].numericValue); + (yyval.numericValue) = 0; } break; case 46: /* Line 1455 of yacc.c */ -#line 408 "sf_attribute_table.y" +#line 406 "sf_attribute_table.y" + { + (yyval.numericValue) = (yyvsp[(2) - (3)].numericValue); + } + break; + + case 47: + +/* Line 1455 of yacc.c */ +#line 412 "sf_attribute_table.y" { /* Copy numeric */ (yyval.numericValue) = (yyvsp[(2) - (3)].numericValue); } break; - case 47: + case 48: /* Line 1455 of yacc.c */ -#line 415 "sf_attribute_table.y" +#line 419 "sf_attribute_table.y" { /* Copy numeric */ (yyval.numericValue) = (yyvsp[(2) - (3)].numericValue); } break; - case 48: + case 49: /* Line 1455 of yacc.c */ -#line 422 "sf_attribute_table.y" +#line 426 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "ServiceList (complete)\n");); } break; - case 49: + case 50: /* Line 1455 of yacc.c */ -#line 428 "sf_attribute_table.y" +#line 432 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Start ServiceList\n");); sfat_client_or_service = ATTRIBUTE_SERVICE; } break; - case 50: + case 51: /* Line 1455 of yacc.c */ -#line 435 "sf_attribute_table.y" +#line 439 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "End ServiceList\n");); } break; - case 51: + case 52: /* Line 1455 of yacc.c */ -#line 440 "sf_attribute_table.y" +#line 444 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "EmptyService\n");); } break; - case 52: + case 53: /* Line 1455 of yacc.c */ -#line 444 "sf_attribute_table.y" +#line 448 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service ServiceListData\n");); } break; - case 53: + case 54: /* Line 1455 of yacc.c */ -#line 450 "sf_attribute_table.y" +#line 454 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Adding Complete\n");); SFAT_AddApplicationData(); 
@@ -2060,107 +2069,107 @@ } break; - case 54: + case 55: /* Line 1455 of yacc.c */ -#line 458 "sf_attribute_table.y" +#line 462 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Start\n");); SFAT_CreateApplicationEntry(); } break; - case 55: + case 56: /* Line 1455 of yacc.c */ -#line 465 "sf_attribute_table.y" +#line 469 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service End\n");); } break; - case 56: + case 57: /* Line 1455 of yacc.c */ -#line 471 "sf_attribute_table.y" +#line 475 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data (no application)\n");); } break; - case 57: + case 58: /* Line 1455 of yacc.c */ -#line 475 "sf_attribute_table.y" +#line 479 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data (application)\n");); } break; - case 58: + case 59: /* Line 1455 of yacc.c */ -#line 481 "sf_attribute_table.y" +#line 485 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data Required (IPProto Proto Port)\n");); } break; - case 59: + case 60: /* Line 1455 of yacc.c */ -#line 486 "sf_attribute_table.y" +#line 490 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data Required (IPProto Port Proto)\n");); } break; - case 60: + case 61: /* Line 1455 of yacc.c */ -#line 491 "sf_attribute_table.y" +#line 495 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data Required (Proto IPProto Port)\n");); } break; - case 61: + case 62: /* Line 1455 of yacc.c */ -#line 496 "sf_attribute_table.y" +#line 500 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data Required (Proto Port IPProto)\n");); } break; - case 62: + case 63: /* Line 1455 of yacc.c */ -#line 501 "sf_attribute_table.y" +#line 505 "sf_attribute_table.y" { /* Order independent */ 
DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data Required (Port Proto IPProto)\n");); } break; - case 63: + case 64: /* Line 1455 of yacc.c */ -#line 506 "sf_attribute_table.y" +#line 510 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Service Data Required (Port IPProto Proto)\n");); } break; - case 64: + case 65: /* Line 1455 of yacc.c */ -#line 513 "sf_attribute_table.y" +#line 517 "sf_attribute_table.y" { /* Store IPProto Info */ DEBUG_WRAP(PrintAttributeData("IPProto", &(yyvsp[(2) - (3)].data));); @@ -2168,10 +2177,10 @@ } break; - case 65: + case 66: /* Line 1455 of yacc.c */ -#line 521 "sf_attribute_table.y" +#line 525 "sf_attribute_table.y" { /* Store Protocol Info */ DEBUG_WRAP(PrintAttributeData("Protocol", &(yyvsp[(2) - (3)].data));); @@ -2179,10 +2188,10 @@ } break; - case 66: + case 67: /* Line 1455 of yacc.c */ -#line 529 "sf_attribute_table.y" +#line 533 "sf_attribute_table.y" { /* Store Port Info */ DEBUG_WRAP(PrintAttributeData("Port", &(yyvsp[(2) - (3)].data));); @@ -2190,10 +2199,10 @@ } break; - case 67: + case 68: /* Line 1455 of yacc.c */ -#line 537 "sf_attribute_table.y" +#line 541 "sf_attribute_table.y" { /* Store Application Info */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Application\n")); @@ -2202,10 +2211,10 @@ } break; - case 68: + case 69: /* Line 1455 of yacc.c */ -#line 544 "sf_attribute_table.y" +#line 548 "sf_attribute_table.y" { /* Store Application Info */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Application with Version\n")); @@ -2214,10 +2223,10 @@ } break; - case 69: + case 70: /* Line 1455 of yacc.c */ -#line 553 "sf_attribute_table.y" +#line 557 "sf_attribute_table.y" { /* Store Version Info */ DEBUG_WRAP(PrintAttributeData("Version", &(yyvsp[(2) - (3)].data));); 
@@ -2225,56 +2234,56 @@ } break; - case 70: + case 71: /* Line 1455 of yacc.c */ -#line 561 "sf_attribute_table.y" +#line 565 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "ClientList (complete)\n");); } break; - case 71: + case 72: /* Line 1455 of yacc.c */ -#line 567 "sf_attribute_table.y" +#line 571 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Start ClientList\n");); sfat_client_or_service = ATTRIBUTE_CLIENT; } break; - case 72: + case 73: /* Line 1455 of yacc.c */ -#line 574 "sf_attribute_table.y" +#line 578 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "End ClientList\n");); } break; - case 73: + case 74: /* Line 1455 of yacc.c */ -#line 579 "sf_attribute_table.y" +#line 583 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "EmptyClient\n");); } break; - case 74: + case 75: /* Line 1455 of yacc.c */ -#line 583 "sf_attribute_table.y" +#line 587 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client ClientListData\n");); } break; - case 75: + case 76: /* Line 1455 of yacc.c */ -#line 589 "sf_attribute_table.y" +#line 593 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Adding Complete\n");); SFAT_AddApplicationData(); 
@@ -2282,67 +2291,67 @@ } break; - case 76: + case 77: /* Line 1455 of yacc.c */ -#line 597 "sf_attribute_table.y" +#line 601 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Start\n");); SFAT_CreateApplicationEntry(); } break; - case 77: + case 78: /* Line 1455 of yacc.c */ -#line 604 "sf_attribute_table.y" +#line 608 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client End\n");); } break; - case 78: + case 79: /* Line 1455 of yacc.c */ -#line 610 "sf_attribute_table.y" +#line 614 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Data (no application)\n");); } break; - case 79: + case 80: /* Line 1455 of yacc.c */ -#line 614 "sf_attribute_table.y" +#line 618 "sf_attribute_table.y" { DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Data (application)\n");); } break; - case 80: + case 81: /* Line 1455 of yacc.c */ -#line 620 "sf_attribute_table.y" +#line 624 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Data Required (Proto)\n");); } break; - case 81: + case 82: /* Line 1455 of yacc.c */ -#line 625 "sf_attribute_table.y" +#line 629 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Data Required (IPProto Proto)\n");); } break; - case 82: + case 83: /* Line 1455 of yacc.c */ -#line 630 "sf_attribute_table.y" +#line 634 "sf_attribute_table.y" { /* Order independent */ DEBUG_WRAP(DebugMessage(DEBUG_ATTRIBUTE, "Client Data Required (Proto IPProto)\n");); @@ -2352,7 +2361,7 @@ /* Line 1455 of yacc.c */ -#line 2356 "sf_attribute_table.c" +#line 2365 "sf_attribute_table.c" default: break; } YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc); 
@@ -2564,7 +2573,7 @@ /* Line 1675 of yacc.c */ -#line 635 "sf_attribute_table.y" +#line 639 "sf_attribute_table.y" /* int yywrap(void) diff -Nru snort-2.9.0.1/src/target-based/sf_attribute_table_parser.c snort-2.9.2/src/target-based/sf_attribute_table_parser.c --- snort-2.9.0.1/src/target-based/sf_attribute_table_parser.c 2010-10-08 02:58:06.000000000 -0700 +++ snort-2.9.2/src/target-based/sf_attribute_table_parser.c 2011-12-07 11:24:46.000000000 -0800 @@ -6214,9 +6214,9 @@ */ /* * Lex for Attribute Table - */ + */ /* Definitions Section. - * Definitions required by the rules section are in here prior to first + * Definitions required by the rules section are in here prior to first * "%%" seperator */ /* Include code between "%{ %}" separators at top of generated @@ -6787,7 +6787,7 @@ #line 154 "sf_attribute_table_parser.l" { sfat_lval.numericValue = strtol( sfattext, NULL, 10 ); -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "Number Value: [%d]\n", sfat_lval.numericValue); #endif @@ -6806,7 +6806,7 @@ sfat_lval.stringValue[i] = sfattext[i]; } sfat_lval.stringValue[i] = '\0'; -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "String Value: [%s]\n", sfat_lval.stringValue); #endif diff -Nru snort-2.9.0.1/src/target-based/sf_attribute_table_parser.l snort-2.9.2/src/target-based/sf_attribute_table_parser.l --- snort-2.9.0.1/src/target-based/sf_attribute_table_parser.l 2010-09-27 08:28:15.000000000 -0700 +++ snort-2.9.2/src/target-based/sf_attribute_table_parser.l 2011-10-26 11:28:52.000000000 -0700 @@ -24,10 +24,10 @@ /* * Lex for Attribute Table - */ + */ /* Definitions Section. - * Definitions required by the rules section are in here prior to first + * Definitions required by the rules section are in here prior to first * "%%" seperator */ 
@@ -153,7 +153,7 @@ {numericValue} { sfat_lval.numericValue = strtol( yytext, NULL, 10 ); -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "Number Value: [%d]\n", sfat_lval.numericValue); #endif @@ -168,7 +168,7 @@ sfat_lval.stringValue[i] = yytext[i]; } sfat_lval.stringValue[i] = '\0'; -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "String Value: [%s]\n", sfat_lval.stringValue); #endif diff -Nru snort-2.9.0.1/src/target-based/sf_attribute_table.y snort-2.9.2/src/target-based/sf_attribute_table.y --- snort-2.9.0.1/src/target-based/sf_attribute_table.y 2010-10-25 12:49:13.000000000 -0700 +++ snort-2.9.2/src/target-based/sf_attribute_table.y 2011-11-21 12:15:24.000000000 -0800 @@ -37,7 +37,7 @@ #include "util.h" #include "sftarget_reader.h" #include "log.h" -#include "debug.h" +#include "snort_debug.h" #include "sf_types.h" #define YYSTACK_USE_ALLOCA 0 @@ -398,7 +398,11 @@ }; AttributeValueNumber: - SF_AT_START_ATTRIBUTE_VALUE SF_AT_NUMERIC SF_AT_END_ATTRIBUTE_VALUE + SF_AT_START_ATTRIBUTE_VALUE SF_AT_END_ATTRIBUTE_VALUE + { + $$ = 0; + } + | SF_AT_START_ATTRIBUTE_VALUE SF_AT_NUMERIC SF_AT_END_ATTRIBUTE_VALUE { $$ = $2; }; diff -Nru snort-2.9.0.1/src/target-based/sftarget_hostentry.c snort-2.9.2/src/target-based/sftarget_hostentry.c --- snort-2.9.0.1/src/target-based/sftarget_hostentry.c 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/target-based/sftarget_hostentry.c 2011-06-07 17:33:21.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
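Review bot: The new first alternative of `AttributeValueNumber` accepts an empty numeric value and yields `0` without saying why, or whether `0` is a meaningful default for every rule that consumes the nonterminal; those consuming rules are outside this hunk. A comment on the new action would record the intent, e.g. `/* An empty <VALUE></VALUE> is accepted and treated as 0. */`, and if any consumer treats 0 as "unset" that should be stated there too.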
@@ -22,6 +22,10 @@ * sftarget_hostentry.c */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "sftarget_hostentry.h" int hasService(HostAttributeEntry *host_entry, diff -Nru snort-2.9.0.1/src/target-based/sftarget_hostentry.h snort-2.9.2/src/target-based/sftarget_hostentry.h --- snort-2.9.0.1/src/target-based/sftarget_hostentry.h 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/target-based/sftarget_hostentry.h 2011-02-09 15:23:38.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/target-based/sftarget_protocol_reference.c snort-2.9.2/src/target-based/sftarget_protocol_reference.c --- snort-2.9.0.1/src/target-based/sftarget_protocol_reference.c 2010-06-09 15:05:32.000000000 -0700 +++ snort-2.9.2/src/target-based/sftarget_protocol_reference.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -22,6 +22,10 @@ * sftarget_protocol_reference.c */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #ifdef TARGET_BASED #include "sftarget_protocol_reference.h" @@ -29,7 +33,7 @@ #include "log.h" #include "util.h" -#include "debug.h" +#include "snort_debug.h" #include "stream_api.h" #include "spp_frag3.h" @@ -73,7 +77,7 @@ /* XXX XXX Probably need to do this during swap time since the * proto_reference_table is accessed during runtime */ -int16_t AddProtocolReference(char *protocol) +int16_t AddProtocolReference(const char *protocol) { SFTargetProtocolReference *reference; 
@@ -85,7 +89,7 @@ InitializeProtocolReferenceTable(); } - reference = sfghash_find(proto_reference_table, protocol); + reference = sfghash_find(proto_reference_table, (void *)protocol); if (reference) { DEBUG_WRAP( @@ -106,7 +110,7 @@ * defined as 8192. */ LogMessage("WARNING: protocol_number wrapped. This may result" - "in odd behavior and potential false positives\n"); + "in odd behavior and potential false positives.\n"); /* 1 is the first protocol id we use. */ /* 0 is not used */ @@ -125,7 +129,7 @@ return reference->ordinal; } -int16_t FindProtocolReference(char *protocol) +int16_t FindProtocolReference(const char *protocol) { SFTargetProtocolReference *reference; @@ -137,7 +141,7 @@ InitializeProtocolReferenceTable(); } - reference = sfghash_find(proto_reference_table, protocol); + reference = sfghash_find(proto_reference_table, (void *)protocol); if (reference) return reference->ordinal; @@ -234,7 +238,7 @@ if (protocol != 0) { - + break; } diff -Nru snort-2.9.0.1/src/target-based/sftarget_protocol_reference.h snort-2.9.2/src/target-based/sftarget_protocol_reference.h --- snort-2.9.0.1/src/target-based/sftarget_protocol_reference.h 2010-01-26 10:10:30.000000000 -0800 +++ snort-2.9.2/src/target-based/sftarget_protocol_reference.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -28,7 +28,7 @@ #include "decode.h" #include "util.h" -#define MAX_PROTOCOL_ORDINAL 8192 +#define MAX_PROTOCOL_ORDINAL 8192 typedef struct _SFTargetProtocolReference { 
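Review bot: `(void *)protocol` at the `sfghash_find` call casts away the `const` that `AddProtocolReference` just gained, so the qualifier stops at this function's boundary; the same cast appears in `FindProtocolReference` in hunk `@@ -137,7 +141,7 @@`. If `sfghash_find` only reads the key (its declaration is not in this diff), the cleaner fix is to declare its key parameter `const void *` and drop both casts; otherwise a short comment on each call, `/* sfghash_find takes a non-const key but does not modify it */`, records why discarding the qualifier is safe.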
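Review bot: The two adjacent string literals in the `LogMessage` call of hunk `@@ -106,7 +110,7 @@` still concatenate to "This may resultin odd behavior": the new line adds the trailing period but not the missing space, so the warning is printed with a run-together word. The changed line should read `" in odd behavior and potential false positives.\n");`.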
@@ -38,8 +38,8 @@ void InitializeProtocolReferenceTable(void); void FreeProtoocolReferenceTable(void); -int16_t AddProtocolReference(char *protocol); -int16_t FindProtocolReference(char *protocol); +int16_t AddProtocolReference(const char *protocol); +int16_t FindProtocolReference(const char *protocol); int16_t GetProtocolReference(Packet *p); diff -Nru snort-2.9.0.1/src/target-based/sftarget_reader.c snort-2.9.2/src/target-based/sftarget_reader.c --- snort-2.9.0.1/src/target-based/sftarget_reader.c 2010-06-09 15:05:32.000000000 -0700 +++ snort-2.9.2/src/target-based/sftarget_reader.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as @@ -55,9 +55,11 @@ #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "sfPolicy.h" +#include "sftarget_reader_live.h" + typedef struct { table_t *lookupTable; @@ -160,7 +162,7 @@ if (!pConfig->next.mapTable) return NULL; - + entry = sfxhash_find(pConfig->next.mapTable, &id); if (entry) @@ -250,7 +252,7 @@ void PrintAttributeData(char *prefix, AttributeData *data) { -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "AttributeData for %s\n", prefix); if (data->type == ATTRIBUTE_NAME) { @@ -338,7 +340,7 @@ tmp_host = sfrt_lookup(&ipAddr, pConfig->next.lookupTable); /*** If found, free current_host and set current_host to the one found */ - if (tmp_host && + if (tmp_host && (tmp_host->ipAddr == ipAddr) && (tmp_host->bits == bits)) { @@ -518,7 +520,7 @@ return SFAT_OK; } -#ifdef DEBUG +#ifdef DEBUG_MSGS void PrintHostAttributeEntry(HostAttributeEntry *host) { ApplicationEntry *app; 
@@ -683,9 +685,9 @@ } #ifdef SUP_IP6 -HostAttributeEntry *SFAT_LookupHostEntryByIP(sfip_t *ipAddr) +HostAttributeEntry *fileLookupHostEntryByIP(sfip_t *ipAddr) #else -HostAttributeEntry *SFAT_LookupHostEntryByIp4Addr(uint32_t ipAddr) +HostAttributeEntry *fileLookupHostEntryByIP(uint32_t ipAddr) #endif { tTargetBasedPolicyConfig *pConfig = NULL; @@ -726,6 +728,34 @@ return host; } +#ifdef SUP_IP6 +HostAttributeEntry *SFAT_LookupHostEntryByIP(sfip_t *ipAddr) +#else +HostAttributeEntry *SFAT_LookupHostEntryByIP(uint32_t ipAddr) +#endif +{ + if (IsAdaptiveConfigured(getRuntimePolicy(), 0)) + { + HostAttributeEntry *pEntry = fileLookupHostEntryByIP(ipAddr); +#ifdef SUP_IP6 + if (!pEntry) + { + pEntry = SFLAT_findHost(ipAddr); + } +#endif + return (pEntry); + } +#ifdef SUP_IP6 + else + { + return (SFLAT_findHost(ipAddr)); + } +#endif + return NULL; +} + + + HostAttributeEntry *SFAT_LookupHostEntryBySrc(Packet *p) { #ifdef SUP_IP6 @@ -741,7 +771,7 @@ ipAddr = ntohl(p->iph->ip_src.s_addr); - return SFAT_LookupHostEntryByIp4Addr(ipAddr); + return SFAT_LookupHostEntryByIP(ipAddr); #endif } @@ -760,7 +790,7 @@ ipAddr = ntohl(p->iph->ip_dst.s_addr); - return SFAT_LookupHostEntryByIp4Addr(ipAddr); + return SFAT_LookupHostEntryByIP(ipAddr); #endif } @@ -952,7 +982,7 @@ */ while (!attribute_reload_thread_stop) { -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "AttrReloadThread: Checking for new attr table...\n"); #endif @@ -963,7 +993,7 @@ { if (check_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG)) { -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "AttrReloadThread: Freeing old attr table...\n"); #endif @@ -971,7 +1001,7 @@ * prev.mapTable and prev.lookupTable */ sfxhash_delete(pConfig->prev.mapTable); pConfig->prev.mapTable = NULL; - + sfrt_cleanup(pConfig->prev.lookupTable, SFAT_CleanupCallback); sfrt_free(pConfig->prev.lookupTable); pConfig->prev.lookupTable = NULL; 
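Review bot: In the new `SFAT_LookupHostEntryByIP` (hunk `@@ -726,6 +728,34 @@`) the trailing `return NULL;` is unreachable when `SUP_IP6` is defined, because both the `if` and the `#ifdef`-wrapped `else` already return, and the three `#ifdef SUP_IP6` blocks make it hard to see which build takes which path. Writing the SUP_IP6 case as a guard clause, `if (!IsAdaptiveConfigured(getRuntimePolicy(), 0)) return SFLAT_findHost(ipAddr);`, followed by the file-table lookup and the live-table fallback, removes the `else` and the dead return. `SFLAT_findHost` is called here with no check that the live table exists, so the precondition that `SFLAT_init` has run should be stated in a comment above the function. The renamed `fileLookupHostEntryByIP` in hunk `@@ -683,9 +685,9 @@` is not declared in any header hunk of this diff; if it is only called from this file it should be `static`.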
@@ -987,7 +1017,7 @@ { /* Is there an new table ready? */ set_attribute_table_flag(ATTRIBUTE_TABLE_RELOADING_FLAG); -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "AttrReloadThread: loading new attr table.\n"); #endif @@ -1062,14 +1092,14 @@ else { /* Sleep for 60 seconds */ -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "AttrReloadThread: Checked for new attr table... sleeping.\n"); #endif sleep(60); } } -#ifdef DEBUG +#ifdef DEBUG_MSGS DebugMessage(DEBUG_ATTRIBUTE, "AttrReloadThread: exiting... Handled %d reloads\n", reloads); #endif @@ -1092,7 +1122,7 @@ * flag... */ } /* Swap the attribute table pointers. */ - else if ((pConfig != NULL) && + else if ((pConfig != NULL) && check_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG)) { LogMessage("Swapping Attribute Tables.\n"); @@ -1121,6 +1151,7 @@ } } +/**called once during initialization. Reads attribute table for the first time.*/ int SFAT_ParseAttributeTable(char *args) { char **toks; @@ -1202,8 +1233,9 @@ if (!ScDisableAttrReload()) { /* Register signal handler for attribute table. */ - signal(SIGNAL_SNORT_READ_ATTR_TBL, SigAttributeTableReloadHandler); - if(errno!=0) errno=0; + SnortAddSignal(SIGNAL_SNORT_READ_ATTR_TBL,SigAttributeTableReloadHandler,0); + if(errno != 0) + errno = 0; } #endif diff -Nru snort-2.9.0.1/src/target-based/sftarget_reader.h snort-2.9.2/src/target-based/sftarget_reader.h --- snort-2.9.0.1/src/target-based/sftarget_reader.h 2010-01-26 10:10:31.000000000 -0800 +++ snort-2.9.2/src/target-based/sftarget_reader.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2006-2010 Sourcefire, Inc. +** Copyright (C) 2006-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as 
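Review bot: After the new `SnortAddSignal(SIGNAL_SNORT_READ_ATTR_TBL, SigAttributeTableReloadHandler, 0)` call in hunk `@@ -1202,8 +1233,9 @@` the code keeps `if(errno != 0) errno = 0;`, which is just `errno = 0;` and discards any failure to install the handler without reporting it, exactly as the old `signal()` path did. If `SnortAddSignal` reports failure through its return value (its declaration is not in this diff), that value should be checked and logged with `LogMessage`; otherwise collapse the two lines to `errno = 0;` with a comment saying why errno is cleared at this point. The enclosing `SFAT_ParseAttributeTable` starts before this hunk.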
@@ -165,7 +165,7 @@ #ifdef SUP_IP6 HostAttributeEntry *SFAT_LookupHostEntryByIP(sfip_t *ipAddr); #else -HostAttributeEntry *SFAT_LookupHostEntryByIp4Addr(uint32_t ipAddr); +HostAttributeEntry *SFAT_LookupHostEntryByIP(uint32_t ipAddr); #endif HostAttributeEntry *SFAT_LookupHostEntryBySrc(Packet *p); HostAttributeEntry *SFAT_LookupHostEntryByDst(Packet *p); @@ -175,4 +175,9 @@ void SFAT_StartReloadThread(void); +#ifdef SUP_IP6 +void SFLAT_init(void); +void SFLAT_fini(void); +int SFLAT_isEnabled(tSfPolicyId id, int parsing); +#endif #endif /* SF_TARGET_READER_H_ */ diff -Nru snort-2.9.0.1/src/target-based/sftarget_reader_live.c snort-2.9.2/src/target-based/sftarget_reader_live.c --- snort-2.9.0.1/src/target-based/sftarget_reader_live.c 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/target-based/sftarget_reader_live.c 2011-10-26 11:28:52.000000000 -0700 
@@ -0,0 +1,621 @@
+/*
+** Copyright (C) 2006-2011 Sourcefire, Inc.
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/*
+ * Author: Dilbagh Chahal
+ * sftarget_reader_live.c
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef TARGET_BASED
+#ifdef SUP_IP6
+
+#include <stdio.h>
+#include "string.h"
+#include "mstring.h"
+#include "util.h"
+#include "parser.h"
+#include "sftarget_reader.h"
+#include "sftarget_protocol_reference.h"
+#include "sfutil/sfrt.h"
+#include "sfutil/sfxhash.h"
+#include "sfutil/util_net.h"
+#include "sftarget_hostentry.h"
+
+#include <signal.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <time.h>
+
+#ifndef WIN32
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#endif
+
+#include "snort.h"
+
+#include "snort_debug.h"
+#include "sfPolicy.h"
+#include "attribute_table_api.h"
+
+typedef struct
+{
+ table_t *lookupTable;
+ SFXHASH *mapTable;
+} tTargetBasedConfig;
+
+/**current configuration created by live feed, a separate table is created to make
+ * verification easier when Snort starts using live feed and Snort attribute tables
+ * together.
The table can be dumped on cleanup, for comparison + * with attribute table from DC.*/ +tTargetBasedConfig currLiveTable; + +static int addLiveHost( + snort_ip_p ip + ); +static int updateLiveOs( + snort_ip_p ip, + char *os, + char *vendor, + char *version, + char *fragPolicy, + char *streamPolicy + ); +static int addLiveService( + snort_ip_p ip, + uint16_t port, + const char *ipproto, + char *protocol, + char *application, + char *version, + uint32_t confidence + ); +static int delLiveService( + snort_ip_p ip, + uint16_t port + ); +static void cleanupCallback( + void *host_attr_ent + ); + +HostAttributeTableApi snortAttributeInterface = { + addLiveHost, + //delLiveHost, + updateLiveOs, + addLiveService, + delLiveService, + //addLiveClient, + //delLiveClient, +}; + +HostAttributeTableApi *AttributeTableAPI; + +/**Initializes live attribute table. Current attribute table if populated is discard + */ +void SFLAT_init(void) +{ + if (!currLiveTable.lookupTable) + { + /* Add 1 to max for table purposes */ + currLiveTable.lookupTable = + sfrt_new(DIR_16x7_4x4, IPv6, ScMaxAttrHosts() + 1, + sizeof(HostAttributeEntry) * 200); + if (!currLiveTable.lookupTable) + { + ErrorMessage("Failed to initialize memory for live attribute table\n"); + } + } + else + { + sfrt_cleanup(currLiveTable.lookupTable, cleanupCallback); + sfrt_free(currLiveTable.lookupTable); + } + AttributeTableAPI = &snortAttributeInterface; +} + +void SFLAT_fini(void) +{ + if (currLiveTable.lookupTable) + { + sfrt_cleanup(currLiveTable.lookupTable, cleanupCallback); + sfrt_free(currLiveTable.lookupTable); + currLiveTable.lookupTable = NULL; + } +} + +/**Host information may be streamed into Snort by external source. 
This + * feature is hardcoded to be enabled.*/ +int SFLAT_isEnabled(tSfPolicyId id, int parsing) +{ + return 1; +} + + +static void cleanupCallback( + void *host_attr_ent + ) +{ + HostAttributeEntry *host_entry = (HostAttributeEntry*)host_attr_ent; + FreeHostEntry(host_entry); +} +static void FreeApplicationEntry(ApplicationEntry *app) +{ + free(app); +} + +#ifdef DEBUG_MSGS +static void printHostLiveAttributeEntry(void *hostentry) +{ + HostAttributeEntry *host = (HostAttributeEntry *)hostentry; + ApplicationEntry *app; + sfip_t host_addr; + + if (!host) + return; + + sfip_set_ip(&host_addr, &host->ipAddr); + host_addr.ip32[0] = ntohl(host_addr.ip32[0]); + + DebugMessage(DEBUG_ATTRIBUTE, "Host IP: %s/%d\n", + inet_ntoa(&host_addr), + host->ipAddr.bits + ); + DebugMessage(DEBUG_ATTRIBUTE, "\tOS Information: %s; %s; %s\n", + host->hostInfo.operatingSystem.value.s_value, + host->hostInfo.vendor.value.s_value, + host->hostInfo.version.value.s_value); + DebugMessage(DEBUG_ATTRIBUTE, "\t\tfrag:%s stream: %s\n", + host->hostInfo.fragPolicyName, + host->hostInfo.streamPolicyName); + for (app = host->services; app; app = app->next) + { + DebugMessage(DEBUG_ATTRIBUTE, "\tService: %d; %s; %s; %s; %s\n", + app->port.value.l_value, + app->ipproto.value.s_value, + app->protocol.value.s_value, + (app->fields & APPLICATION_ENTRY_APPLICATION)? app->application.value.s_value : "", + (app->fields & APPLICATION_ENTRY_VERSION)? app->version.value.s_value : ""); + } + + for (app = host->clients; app; app = app->next) + { + DebugMessage(DEBUG_ATTRIBUTE, "\tClient: %s; %s; %s\n", + app->protocol.value.s_value, + (app->fields & APPLICATION_ENTRY_APPLICATION)? app->application.value.s_value : "", + (app->fields & APPLICATION_ENTRY_VERSION)? 
app->version.value.s_value : ""); + } +} + +void SFLAT_dump(void) +{ + sfrt_iterate(currLiveTable.lookupTable, printHostLiveAttributeEntry); + +} +#endif + +HostAttributeEntry* SFLAT_findHost(snort_ip_p ip) +{ + return sfrt_lookup(ip, currLiveTable.lookupTable); +} + +/**add or update host to host table.*/ +static int addLiveHost( + snort_ip_p ip + ) +{ + int ret; + HostAttributeEntry *host; + + host = SFLAT_findHost(ip); + if (!host) + { + host = SnortAlloc(sizeof(HostAttributeEntry)); + if (!host) + { + return SFAT_ERROR; + } + + sfip_set_ip(&host->ipAddr, ip); + + ret = sfrt_insert(ip, (unsigned char)ip->bits, host, + RT_FAVOR_SPECIFIC, currLiveTable.lookupTable); + + if (ret != RT_SUCCESS) + { + if (ret == RT_POLICY_TABLE_EXCEEDED) + { + ErrorMessage("Live AttributeTable insertion failed\n"); + ret = RT_SUCCESS; + } + else + { + ErrorMessage("AttributeTable insertion failed: %d '%s'\n", + ret, rt_error_messages[ret]); + } + + FreeHostEntry(host); + } + } + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} + +#if 0 +//delete host operation is not supported yet. This requires extending Under current design, least recently used host will be deleted when +//lookup table is full. + +/**deletes a host to live attribute table.*/ +static int delLiveHost(snort_ip_p ip) +{ + int ret; + HostAttributeEntry *host; + + host = SFLAT_findHost(ip); + + if (host) + { + FreeHostEntry(host); + } + else + { + DEBUG_WRAP( DebugMessage(DEBUG_ATTRIBUTE, "lookup failed: %x\n", ip->ip32[0]);); + ret = DIR_LOOKUP_FAILURE; + } + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} +#endif + +/**Adds, Updates or deletes OS informatio. Existing info is overwritten. Delete is same as + * empty strings. Newest information overwrites old information. 
+ */ +static int updateLiveOs( + snort_ip_p ip, + char *os, + char *vendor, + char *version, + char *fragPolicy, + char *streamPolicy + ) +{ + int ret = RT_SUCCESS; + HostAttributeEntry *host; + + host = SFLAT_findHost(ip); + //inserting host data. Host gets created with just the IP address, os/service/clients + //get added later. + if (host) + { + //update the host + SnortStrncpy (host->hostInfo.operatingSystem.value.s_value, os, STD_BUF); + host->hostInfo.operatingSystem.value.s_value[STD_BUF-1] = 0; + host->hostInfo.operatingSystem.confidence = 50 ; + SnortStrncpy (host->hostInfo.vendor.value.s_value, vendor, STD_BUF); + host->hostInfo.vendor.value.s_value[STD_BUF-1] = 0; + host->hostInfo.vendor.confidence = 50 ; + SnortStrncpy (host->hostInfo.version.value.s_value, version, STD_BUF); + host->hostInfo.version.value.s_value[STD_BUF-1] = 0; + host->hostInfo.version.confidence = 50 ; + + /* Set the policy IDs in the new table... */ + SnortStrncpy(host->hostInfo.fragPolicyName, fragPolicy, STD_BUF); + host->hostInfo.fragPolicyName[STD_BUF-1] = 0; + SnortStrncpy(host->hostInfo.streamPolicyName, streamPolicy, STD_BUF); + host->hostInfo.streamPolicyName[STD_BUF-1] = 0; + + //existing hosts are not updated when host attribute is live updated. + } + else + { + DEBUG_WRAP( DebugMessage(DEBUG_ATTRIBUTE, "lookup failed: %x\n", ip->ip32[0]);); + ret = DIR_LOOKUP_FAILURE; + } + + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} + +/**add or update service information.*/ +static int addLiveService( + snort_ip_p ip, + uint16_t port, + const char *ipproto, + char *protocol, + char *application, + char *version, + uint32_t confidence + ) +{ + int ret = RT_SUCCESS; + HostAttributeEntry *host; + ApplicationEntry *service; + + //inserting host data. Host gets created with just the IP address, os/service/clients + //get added later. 
+ host = SFLAT_findHost(ip); + if (host) + { + int16_t ipProtoOrdinal = AddProtocolReference(ipproto); + int16_t protocolOrdinal = AddProtocolReference(protocol); + + //update the host + for (service = host->services; service; service = service->next) + { + if ((service->port.value.l_value == port) + && ipProtoOrdinal && (service->ipproto.attributeOrdinal == ipProtoOrdinal)) + { + //found matching service + DEBUG_WRAP( DebugMessage(DEBUG_ATTRIBUTE, "Matched service : IP %x, protocol %s, port %d\n", ip->ip32[0], ipproto, port);); + break; + } + } + if (!service) + { + //insert + service = SnortAlloc(sizeof(ApplicationEntry)); + if (service) + { + DEBUG_WRAP( DebugMessage(DEBUG_ATTRIBUTE, "Added new service : IP %x, protocol %s, port %d\n", ip->ip32[0], ipproto, port);); + service->next = host->services; + host->services = service; + + //port + service->port.type = ATTRIBUTE_ID; + service->port.value.l_value = port; + service->port.confidence = 50; + + //ipproto + service->ipproto.type = ATTRIBUTE_NAME; + strncpy (service->ipproto.value.s_value, ipproto, STD_BUF); + service->ipproto.value.s_value[STD_BUF-1] = 0; + service->ipproto.attributeOrdinal = ipProtoOrdinal; + service->ipproto.confidence = 50; + + } + } + + if (service) + { + //protocol + service->protocol.type = ATTRIBUTE_NAME; + strncpy (service->protocol.value.s_value, protocol, STD_BUF); + service->protocol.value.s_value[STD_BUF-1] = 0; + service->protocol.attributeOrdinal = protocolOrdinal; + service->protocol.confidence = 50; + + service->fields |= (APPLICATION_ENTRY_PORT | APPLICATION_ENTRY_IPPROTO | APPLICATION_ENTRY_PROTO); + + //application + if (application) + { + service->application.type = ATTRIBUTE_NAME; + strncpy (service->application.value.s_value, application, STD_BUF); + service->application.value.s_value[STD_BUF-1] = 0; + service->application.attributeOrdinal = 0; + service->application.confidence = 50; + service->fields |= APPLICATION_ENTRY_APPLICATION; + + //version + if (version) + { + 
service->version.type = ATTRIBUTE_NAME; + strncpy (service->version.value.s_value, version, STD_BUF); + service->version.value.s_value[STD_BUF-1] = 0; + service->version.confidence = 50; + service->fields |= APPLICATION_ENTRY_VERSION; + } + } + } + } + else + { + DEBUG_WRAP( DebugMessage(DEBUG_ATTRIBUTE, "Host not found : IP %x\n", ip->ip32[0]);); + ret = DIR_LOOKUP_FAILURE; + } + + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} +static int delLiveService( + snort_ip_p ip, + uint16_t port + ) +{ + int ret = RT_SUCCESS; + HostAttributeEntry *host; + ApplicationList *service = NULL; + ApplicationList *prevService = NULL; + + //inserting host data. Host gets created with just the IP address, os/service/clients + //get added later. + host = SFLAT_findHost(ip); + if (host) + { + //update the host + for (service = host->services; + service; + prevService = service, service = service->next) + { + //only one service per port. + if (service->port.value.l_value == port) + //&& ipProtoOrdinal && (service->ipproto.attributeOrdinal == ipProtoOrdinal)) + { + //found matching service + break; + } + } + } + if (service) + { + if (prevService) + { + prevService->next = service->next; + } + else + { + host->services = service->next; + } + + FreeApplicationEntry(service); + } + else + { + ret = DIR_LOOKUP_FAILURE; + } + + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} + +#if 0 +static int addLiveClient( + snort_ip_p ip, + char *protocol, + char *application, + char *version, + uint32_t confidence + ) +{ + int ret = RT_SUCCESS; + HostAttributeEntry *host; + ApplicationList *client; + + //inserting host data. Host gets created with just the IP address, os/service/clients + //get added later. 
+ host = SFLAT_findHost(ip); + if (host) + { + int16_t protocolOrdinal = AddProtocolReference(protocol); + + //search existing client app + for (client = host->clients; client; client = client->next) + { + if (protocolOrdinal && (client->protocol.attributeOrdinal == protocolOrdinal) + && !strcasecmp(client->application.value.s_value, application)) + { + break; + } + } + + if (!client) + { + //insert + client = SnortAlloc(sizeof(ApplicationEntry)); + if (client) + { + client->next = host->clients; + host->clients = client; + } + } + + if (client) + { + //protocol + client->protocol.type = ATTRIBUTE_NAME; + strncpy (client->protocol.value.s_value, protocol, STD_BUF); + client->protocol.attributeOrdinal = protocolOrdinal; + client->protocol.confidence = 50; + client->fields |= (APPLICATION_ENTRY_PROTO); + + //application + if (application) + { + client->application.type = ATTRIBUTE_NAME; + strncpy (client->application.value.s_value, application, STD_BUF); + client->application.attributeOrdinal = 0; + client->application.confidence = 50; + client->fields |= (APPLICATION_ENTRY_APPLICATION); + + //version + if (version) + { + client->version.type = ATTRIBUTE_NAME; + strncpy (client->version.value.s_value, version, STD_BUF); + client->version.confidence = 50; + client->fields |= (APPLICATION_ENTRY_VERSION); + } + } + + } + } + else + { + ret = DIR_LOOKUP_FAILURE; + } + + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} + +/**delete a client entry from host. + */ +static int delLiveClient( + snort_ip_p ip, + char *protocol, + char *application) +{ + int ret = RT_SUCCESS; + HostAttributeEntry *host; + ApplicationEntry *client; + ApplicationEntry *prevClient = NULL; + + //get added later. 
+ host = SFLAT_findHost(ip); + if (host) + { + int16_t protocolOrdinal = AddProtocolReference(protocol); + + //search existing client app + for (client = host->clients; + client; + prevClient = client, client = client->next) + { + if (protocolOrdinal && (client->protocol.attributeOrdinal == protocolOrdinal) + && !strcasecmp(client->application.value.s_value,application)) + { + break; + } + } + } + + if (client) + { + if (prevClient) + { + prevClient->next = client->next; + } + else + { + host->clients = client->next; + } + + FreeApplicationEntry(client); + } + else + { + ret = DIR_LOOKUP_FAILURE; + } + + return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR; +} +#endif +#endif //SUP_IP6 +#endif //TARGET_BASED + diff -Nru snort-2.9.0.1/src/target-based/sftarget_reader_live.h snort-2.9.2/src/target-based/sftarget_reader_live.h --- snort-2.9.0.1/src/target-based/sftarget_reader_live.h 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/src/target-based/sftarget_reader_live.h 2011-10-26 11:28:52.000000000 -0700 
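Review bot: `SFLAT_init` leaves `currLiveTable.lookupTable` dangling when it is called with a table already present: the `else` branch runs `sfrt_cleanup`/`sfrt_free` but neither clears the pointer nor re-creates the table, so the next `SFLAT_findHost` hands freed memory to `sfrt_lookup`. Discarding the old table should fall through to the `sfrt_new` call, as in the rewrite below. In `addLiveHost`, `ret` is never assigned when the host already exists, so the final `ret == RT_SUCCESS` reads an uninitialized variable; initialise it with `int ret = RT_SUCCESS;`. `SFLAT_findHost` also has no guard for a NULL table (the `sfrt_new` failure path only logs), so an `if (!currLiveTable.lookupTable) return NULL;` at its top would keep callers safe when initialisation failed or has not run.
```c
void SFLAT_init(void)
{
    if (currLiveTable.lookupTable)
    {
        /* Discard the populated table before creating a fresh one. */
        sfrt_cleanup(currLiveTable.lookupTable, cleanupCallback);
        sfrt_free(currLiveTable.lookupTable);
        currLiveTable.lookupTable = NULL;
    }

    /* Add 1 to max for table purposes */
    currLiveTable.lookupTable =
        sfrt_new(DIR_16x7_4x4, IPv6, ScMaxAttrHosts() + 1,
                 sizeof(HostAttributeEntry) * 200);
    if (!currLiveTable.lookupTable)
    {
        ErrorMessage("Failed to initialize memory for live attribute table\n");
    }
    AttributeTableAPI = &snortAttributeInterface;
}
```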
@@ -0,0 +1,37 @@
+/*
+** Copyright (C) 2006-2011 Sourcefire, Inc.
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/*
+ * Author: Dilbagh Chahal
+ * sftarget_reader_live.c
+ */
+
+#ifndef SF_TARGET_READER_LIVE_H_
+#define SF_TARGET_READER_LIVE_H_
+#ifdef TARGET_BASED
+
+#include "snort.h"
+
+void SFLAT_init(void);
+void SFLAT_fini(void);
+int SFLAT_isEnabled(tSfPolicyId id, int parsing);
+void SFLAT_dump(void);
+HostAttributeEntry* SFLAT_findHost(snort_ip_p ip);
+#endif
+#endif /* SF_TARGET_READER_LIVE_H_ */
diff -Nru snort-2.9.0.1/src/treenodes.h snort-2.9.2/src/treenodes.h
--- snort-2.9.0.1/src/treenodes.h 2010-01-26 10:09:33.000000000 -0800
+++ snort-2.9.2/src/treenodes.h 2011-06-07 17:33:08.000000000 -0700
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright (C) 2008-2010 Sourcefire, Inc.
+ * Copyright (C) 2008-2011 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
@@ -103,6 +103,9 @@
 unsigned short proto_node_num; uint8_t failedCheckBits; + char generated; + + uint16_t longestPatternLen; int rule_state; /* Enabled or Disabled */
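Review bot: The header declares `SFLAT_dump` and `SFLAT_findHost` under `TARGET_BASED` alone, but in sftarget_reader_live.c both are defined only inside `#ifdef SUP_IP6`, and `SFLAT_dump` additionally only under `#ifdef DEBUG_MSGS`, so a non-SUP_IP6 or non-debug build exposes prototypes that have no definition. The guard should become `#if defined(TARGET_BASED) && defined(SUP_IP6)` and the `SFLAT_dump` prototype should sit inside `#ifdef DEBUG_MSGS` (or the function should always be compiled). The file comment names the file `sftarget_reader_live.c`; it should read `sftarget_reader_live.h`. `SFLAT_init`/`SFLAT_fini`/`SFLAT_isEnabled` are also declared in sftarget_reader.h in hunk `@@ -175,4 +175,9 @@`, and one header should own those prototypes.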
@@ -120,7 +123,6 @@ uint64_t ppm_suspend_time; /* PPM */ uint64_t ppm_disable_cnt; /*PPM */ - char generated; uint32_t num_detection_opts; /**unique index generated in ruleIndexMap. diff -Nru snort-2.9.0.1/src/util.c snort-2.9.2/src/util.c --- snort-2.9.0.1/src/util.c 2010-10-25 12:49:00.000000000 -0700 +++ snort-2.9.2/src/util.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -44,6 +44,7 @@ #include <unistd.h> #include <pcap.h> #include <timersub.h> +#include <pthread.h> #ifndef WIN32 #include <grp.h> @@ -64,7 +65,7 @@ #include "snort.h" #include "mstring.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" #include "parser.h" #include "sfdaq.h" @@ -190,7 +191,7 @@ BUILD, info); LogMessage(" '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team\n"); - LogMessage(" Copyright (C) 1998-2010 Sourcefire, Inc., et al.\n"); + LogMessage(" Copyright (C) 1998-2011 Sourcefire, Inc., et al.\n"); #ifdef HAVE_PCAP_LIB_VERSION LogMessage(" Using %s\n", pcap_lib_version()); #endif @@ -238,13 +239,13 @@ } localzone = snort_conf->thiszone; - + /* ** If we're doing UTC, then make sure that the timezone is correct. */ if (ScOutputUseUtc()) localzone = 0; - + s = (tvp->tv_sec + localzone) % 86400; Time = (tvp->tv_sec + localzone) - s; 
@@ -252,13 +253,13 @@
 
 if (ScOutputIncludeYear())
 {
- (void) SnortSnprintf(timebuf, TIMEBUF_SIZE,
- "%02d/%02d/%02d-%02d:%02d:%02d.%06u ",
- lt->tm_mon + 1, lt->tm_mday, lt->tm_year - 100,
- s / 3600, (s % 3600) / 60, s % 60,
+ (void) SnortSnprintf(timebuf, TIMEBUF_SIZE,
+ "%02d/%02d/%02d-%02d:%02d:%02d.%06u ",
+ lt->tm_mon + 1, lt->tm_mday, lt->tm_year - 100,
+ s / 3600, (s % 3600) / 60, s % 60,
 (u_int) tvp->tv_usec);
- }
- else
+ }
+ else
 {
 (void) SnortSnprintf(timebuf, TIMEBUF_SIZE,
 "%02d/%02d-%02d:%02d:%02d.%06u ", lt->tm_mon + 1,
@@ -484,6 +485,43 @@
 }
 
 /*
+ * Function: WarningMessage(const char *, ...)
+ *
+ * Purpose: Print a message to stderr or with logfacility.
+ *
+ * Arguments: format => the formatted error string to print out
+ * ... => format commands/fillers
+ *
+ * Returns: void function
+ */
+void WarningMessage(const char *format,...)
+{
+ char buf[STD_BUF+1];
+ va_list ap;
+
+ if (snort_conf == NULL)
+ return;
+
+ if (ScLogQuiet() && !ScDaemonMode() && !ScLogSyslog())
+ return;
+
+ va_start(ap, format);
+
+ if (ScDaemonMode() || ScLogSyslog())
+ {
+ vsnprintf(buf, STD_BUF, format, ap);
+ buf[STD_BUF] = '\0';
+ syslog(LOG_DAEMON | LOG_WARNING, "%s", buf);
+ }
+ else
+ {
+ vfprintf(stderr, format, ap);
+ }
+
+ va_end(ap);
+}
+
+/*
 * Function: CreateApplicationEventLogEntry(const char *)
 *
 * Purpose: Add an entry to the Win32 "Application" EventLog
@@ -495,7 +533,7 @@
 #if defined(WIN32) && defined(ENABLE_WIN32_SERVICE)
 void CreateApplicationEventLogEntry(const char *msg)
 {
- HANDLE hEventLog;
+ HANDLE hEventLog;
 char* pEventSourceName = "SnortService";
 
 /* prepare to write to Application log on local host
@@ -508,7 +546,7 @@
 /* Could not register the event source. */
 return;
 }
-
+
 if (!ReportEvent(hEventLog, /* event log handle */
 EVENTLOG_ERROR_TYPE, /* event type */
 0, /* category zero */
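Review bot: In the new `WarningMessage` (hunk `@@ -484,6 +485,43 @@`), `vsnprintf(buf, STD_BUF, format, ap)` already NUL-terminates within `STD_BUF` bytes, so `buf[STD_BUF] = '\0';` is redundant and the last byte of the `STD_BUF+1` array is never used; `vsnprintf(buf, sizeof buf, format, ap);` would use the whole buffer and drop the extra line. `FatalError` in this file follows the same `STD_BUF`/`buf[STD_BUF]` pattern, so keeping it for consistency is also defensible — either way, the two functions should agree. The `syslog` call correctly passes the formatted text through `"%s"` rather than as the format argument; a one-line comment there, `/* "%s": the formatted text must never become the syslog format string */`, would stop a later cleanup from "simplifying" it away.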
@@ -521,9 +559,9 @@ { /* Could not report the event. */ } - - DeregisterEventSource(hEventLog); -} + + DeregisterEventSource(hEventLog); +} #endif /* WIN32 && ENABLE_WIN32_SERVICE */ @@ -543,6 +581,16 @@ char buf[STD_BUF+1]; va_list ap; + // ----------------------------- + // bail now if we are reentering + static uint8_t fatal = 0; + + if ( fatal ) + exit(1); + else + fatal = 1; + // ----------------------------- + va_start(ap, format); vsnprintf(buf, STD_BUF, format, ap); va_end(ap); @@ -562,8 +610,18 @@ #endif } - DAQ_Abort(); - exit(1); + if ( InMainThread() ) + { + DAQ_Abort(); + exit(1); + } + else + { + DAQ_BreakLoop(1); +#ifndef WIN32 + pthread_exit(NULL); +#endif + } } @@ -580,10 +638,9 @@ ****************************************************************************/ static FILE *pid_lockfile = NULL; static FILE *pid_file = NULL; -void CreatePidFile(const char *intf) +void CreatePidFile(const char *intf, pid_t pid) { struct stat pt; - int pid = (int) getpid(); #ifdef WIN32 char dir[STD_BUF + 1]; #endif @@ -644,7 +701,7 @@ if(!S_ISDIR(pt.st_mode) || access(snort_conf->pid_path, W_OK) == -1) { LogMessage("WARNING: %s is invalid, logging Snort " - "PID path to log directory (%s)\n", snort_conf->pid_path, + "PID path to log directory (%s).\n", snort_conf->pid_path, snort_conf->log_dir); CheckLogDir(); SnortSnprintf(snort_conf->pid_path, sizeof(snort_conf->pid_path), @@ -693,7 +750,7 @@ if (fcntl(lock_fd, F_SETLK, &lock) == -1) { ClosePidFile(); - FatalError("Failed to Lock PID File \"%s\" for PID \"%d\"\n", snort_conf->pid_filename, pid); + FatalError("Failed to Lock PID File \"%s\" for PID \"%d\"\n", snort_conf->pid_filename, (int)pid); } } } 
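Review bot: the re-entry guard added at the top of FatalError in the `@@ -543,6 +581,16 @@` hunk, `static uint8_t fatal`, is a plain non-atomic global that is now set from worker threads as well as the main thread, since the same diff gives FatalError a `pthread_exit` path when `InMainThread()` is false; two threads failing together can both pass the check, or one can see the flag already set and `exit(1)` without ever logging its message. The flag is also set before the message is formatted, so after a worker thread's FatalError (which only breaks the DAQ loop and exits its own thread) a later FatalError from the main thread prints nothing and just exits. At minimum format and log the message before the early `exit(1)` on the re-entry path so the second failure is not silent; closing the race needs an atomic test-and-set rather than a plain byte, and the rest of the function body sits in the next hunk.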
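Review bot: on WIN32 the new non-main-thread branch at the end of FatalError (`@@ -562,8 +610,18 @@`) falls off the end of the function, because `pthread_exit(NULL)` is under `#ifndef WIN32` and nothing follows it; util.h declares FatalError `NORETURN`, so returning is undefined behavior and the caller continues after what it believes is a fatal exit. Give the branch an explicit exit on that platform by adding after the `pthread_exit` line: `#else` / `exit(1);` / `#endif`. Note also that `DAQ_Abort()` is now skipped for worker threads; whether `DAQ_BreakLoop(1)` alone is enough to get the main thread to shut down depends on code outside this hunk.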
@@ -703,13 +760,19 @@ pid_file = fopen(snort_conf->pid_filename, "w"); if(pid_file) { - LogMessage("Writing PID \"%d\" to file \"%s\"\n", pid, snort_conf->pid_filename); - fprintf(pid_file, "%d\n", pid); + LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid, snort_conf->pid_filename); + fprintf(pid_file, "%d\n", (int)pid); fflush(pid_file); } else { - ErrorMessage("Failed to create pid file %s", snort_conf->pid_filename); + char errBuf[STD_BUF]; +#ifdef WIN32 + SnortSnprintf(errBuf, STD_BUF, "%s", strerror(errno)); +#else + strerror_r(errno, errBuf, STD_BUF); +#endif + ErrorMessage("Failed to create pid file %s, Error: %s", snort_conf->pid_filename, errBuf); snort_conf->pid_filename[0] = 0; } } @@ -757,7 +820,7 @@ if ((group_id != -1) && (getgid() != (gid_t)group_id)) { if ( !DAQ_Unprivileged() ) - { + { LogMessage("WARNING: cannot set uid and gid - %s DAQ does not" "support unprivileged operation.\n", DAQ_GetType()); return; 
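Review bot: the new error path in CreatePidFile calls `strerror_r(errno, errBuf, STD_BUF)` and then prints `errBuf`, but with glibc and `_GNU_SOURCE` the GNU variant of strerror_r returns the message pointer and is allowed to leave the caller's buffer untouched, so `errBuf` — which is never initialized — can be printed as uninitialized stack. Either use the return value where the GNU variant is in effect, or at least start with `errBuf[0] = '\0';` so the worst case is an empty string; which variant this build selects depends on feature macros not visible in the diff. Reading errno directly after the failed fopen is correct today, but capture it into a local before the LogMessage/ErrorMessage calls if anything is ever inserted ahead of this branch.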
@@ -771,38 +834,58 @@ if ((user_id != -1) && (getuid() != (uid_t)user_id)) { - struct passwd *pw = getpwuid(user_id); - if ( !DAQ_Unprivileged() ) - { + { LogMessage("WARNING: cannot set uid and gid - %s DAQ does not" "support unprivileged operation.\n", DAQ_GetType()); return; } + if (setuid(user_id) < 0) + FatalError("Can not set uid: %d\n", user_id); + + LogMessage("Set uid to %d\n", user_id); + } +#endif /* WIN32 */ +} + +/**************************************************************************** + * + * Function: InitGroups() + * + * Purpose: Sets the groups of the process based on the UserID with the + * GroupID added + * + * Arguments: none + * + * Returns: void function + * + ****************************************************************************/ +void InitGroups(int user_id, int group_id) +{ +#ifndef WIN32 + + if ((user_id != -1) && (getuid() == 0)) + { + struct passwd *pw = getpwuid(user_id); + if (pw != NULL) { /* getpwuid and initgroups may use the same static buffers */ char *username = SnortStrdup(pw->pw_name); - if ((getuid() == 0) && (initgroups(username, group_id) < 0)) + if (initgroups(username, group_id) < 0) { free(username); - FatalError("Can not initgroups(%s,%d)", - username, group_id); + FatalError("Can not initgroups(%s,%d)", username, group_id); } free(username); } - /** just to be on a safe side... **/ + /** Just to be on the safe side... **/ endgrent(); endpwent(); - - if (setuid(user_id) < 0) - FatalError("Can not set uid: %d\n", user_id); - - LogMessage("Set uid to %d\n", user_id); } #endif /* WIN32 */ } 
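Review bot: InitGroups, new in the `@@ -771,38 +834,58 @@` hunk, only acts when `getuid() == 0`, while the `setuid(user_id)` call now lives in the separate SetUidGid, so the outcome depends entirely on call order: if a caller runs SetUidGid first, InitGroups silently does nothing and the process keeps root's supplementary groups after dropping its uid, which undercuts the privilege drop. The function comment should state that precondition, e.g. `Must be called before SetUidGid(): initgroups() requires root and the call is skipped silently otherwise.`, and the skipped case deserves a `WarningMessage` when `user_id != -1` and the process is not root. Where the two functions are called from is outside this diff, so the ordering needs to be confirmed at the call site; the beginning of SetUidGid is also above the hunk.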
@@ -812,12 +895,12 @@ #define STATS_SEPARATOR \ "===============================================================================" -static INLINE void LogCount (const char* s, uint64_t n) +static inline void LogCount (const char* s, uint64_t n) { LogMessage("%11s: " FMTu64("12") "\n", s, n); } -static INLINE void LogStat (const char* s, uint64_t n, uint64_t tot) +static inline void LogStat (const char* s, uint64_t n, uint64_t tot) { LogMessage( "%11s: " FMTu64("12") " (%7.3f%%)\n", @@ -843,7 +926,7 @@ LogMessage("%s\n", STATS_SEPARATOR); - LogMessage("Run time for packet processing was %lu.%lu seconds\n", + LogMessage("Run time for packet processing was %lu.%lu seconds\n", (unsigned long)difftime.tv_sec, (unsigned long)difftime.tv_usec); LogMessage("Snort processed " STDu64 " packets.\n", pc.total_from_daq); @@ -915,8 +998,12 @@ pkts_recv = pkt_stats->hw_packets_received; pkts_drop = pkt_stats->hw_packets_dropped; - pkts_out = pkts_recv - pkt_stats->packets_filtered - - pkt_stats->packets_received; + if ( pkts_recv > pkt_stats->packets_filtered + + pkt_stats->packets_received ) + pkts_out = pkts_recv - pkt_stats->packets_filtered + - pkt_stats->packets_received; + else + pkts_out = 0; pkts_inj = pkt_stats->packets_injected; #ifdef ACTIVE_RESPONSE @@ -926,9 +1013,9 @@ LogMessage("%s\n", STATS_SEPARATOR); LogMessage("Packet I/O Totals:\n"); - LogCount("Received", pkts_recv); + LogCount("Received", pkts_recv); LogStat("Analyzed", pkt_stats->packets_received, pkts_recv); - LogStat("Dropped", pkts_drop, pkts_recv); + LogStat("Dropped", pkts_drop, pkts_recv + pkts_drop); LogStat("Filtered", pkt_stats->packets_filtered, pkts_recv); LogStat("Outstanding", pkts_out, pkts_recv); LogCount("Injected", pkts_inj); 
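Review bot: the Dropped line in the `@@ -926,9 +1013,9 @@` hunk now uses `pkts_recv + pkts_drop` as its denominator while Analyzed, Filtered and Outstanding keep `pkts_recv`, and nothing explains the difference, so the next reader will take it for a typo. If the intent is that `hw_packets_received` excludes dropped packets and the drops must be added back to get the offered load, say so in a comment above the call: `/* hw_packets_received excludes drops, so express drops as a share of offered packets */` — but confirm that against the DAQ stats semantics, which are not visible here. The mixed bases also mean the percentages in this table no longer sum against one total, which the output format does not make obvious.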
@@ -1006,16 +1093,24 @@ if ( !ScPacketDumpMode() && !ScPacketLogMode() ) { int i; + + // ensure proper counting of log_limit + SnortEventqResetCounts(); + LogMessage("%s\n", STATS_SEPARATOR); LogMessage("Action Stats:\n"); LogStat("Alerts", pc.alert_pkts, total); LogStat("Logged", pc.log_pkts, total); LogStat("Passed", pc.pass_pkts, total); - LogCount("Match Limit", pc.match_limit); - LogCount("Queue Limit", pc.queue_limit); - LogCount("Log Limit", pc.log_limit); - LogCount("Event Limit", pc.event_limit); + + LogMessage("Limits:\n"); + + LogCount("Match", pc.match_limit); + LogCount("Queue", pc.queue_limit); + LogCount("Log", pc.log_limit); + LogCount("Event", pc.event_limit); + LogCount("Alert", pc.alert_limit); LogMessage("Verdicts:\n"); @@ -1129,7 +1224,7 @@ /* Treat everything upto the end of the line as a space * so that we can put comments in our BPF filters */ - + while((cmt = strchr(cp, '#')) != NULL) { while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0') @@ -1139,7 +1234,7 @@ } /** LogMessage("BPF filter file: %s\n", fname); **/ - + return(cp); } @@ -1198,6 +1293,7 @@ void GoDaemon(void) { #ifndef WIN32 + int exit_val = 0; pid_t cpid; @@ -1207,12 +1303,14 @@ LogMessage("Initializing daemon mode\n"); /* Don't daemonize if we've already daemonized and - * received a SIGHUP. */ + * received a SIGNAL_SNORT_RELOAD. */ if(getppid() != 1) { /* Register signal handler that parent can trap signal */ - signal(SIGNAL_SNORT_CHILD_READY, SigChildReadyHandler); - if (errno != 0) errno=0; + SnortAddSignal(SIGNAL_SNORT_CHILD_READY, SigChildReadyHandler, 1); + + if (errno != 0) + errno = 0; /* now fork the child */ printf("Spawning daemon child...\n"); @@ -1220,6 +1318,8 @@ if(cpid > 0) { + /* Continue waiting until receiving signal from child */ + int status; /* Parent */ printf("My daemon child %d lives...\n", cpid); 
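Review bot: `if (errno != 0) errno = 0;` in the GoDaemon hunk (`@@ -1207,12 +1303,14 @@`) is just `errno = 0;` with an extra branch, and whatever SnortAddSignal returns is discarded, so a failure to install the SIGNAL_SNORT_CHILD_READY handler goes unnoticed and the parent then waits on a signal that can never arrive. Replace the two lines with `errno = 0;` and check the installer's result if it has one; its signature is not visible in this diff. GoDaemon continues past the end of the hunk.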
@@ -1227,34 +1327,33 @@ * to signal that is there and created the PID * file. */ - while (parent_wait) + do { - /* Continue waiting until receiving signal from child */ - int status; #ifdef DEBUG printf("Parent waiting for child...\n"); #endif - if (waitpid(cpid, &status, WNOHANG) == cpid) + sleep(1); + + } while (parent_wait); + + if (waitpid(cpid, &status, WNOHANG) == cpid) + { + if (WIFEXITED(status)) { - /* If the child is gone, parent should go away, too */ - if (WIFEXITED(status)) - { - LogMessage("Child exited unexpectedly\n"); - exit_val = -1; - break; - } - - if (WIFSIGNALED(status)) - { - LogMessage("Child terminated unexpectedly\n"); - exit_val = -2; - break; - } + LogMessage("Child exited unexpectedly\n"); + exit_val = -1; } - sleep(1); - } - printf("Daemon parent exiting\n"); + else if (WIFSIGNALED(status)) + { + LogMessage("Child terminated unexpectedly\n"); + exit_val = -2; + } + } +#ifdef DEBUG + printf("Child terminated unexpectedly (%d)\n", status); +#endif + printf("Daemon parent exiting (%d)\n", exit_val); exit(exit_val); /* parent */ } @@ -1308,7 +1407,7 @@ #ifndef WIN32 pid_t ppid = getppid(); #ifdef DEBUG - LogMessage("Signaling parent %d from child %d\n", ppid, getpid()); + printf("Signaling parent %d from child %d\n", ppid, getpid()); #endif if (kill(ppid, SIGNAL_SNORT_CHILD_READY)) @@ -1320,13 +1419,6 @@ { LogMessage("Daemon initialized, signaled parent pid: %d\n", ppid); } -#if 0 - while ( getppid()== ppid ) - { - LogMessage("Daemon child waiting for parent to exit: %d\n", getpid()); - sleep(1); - } -#endif #endif } @@ -1416,7 +1508,7 @@ /* Appends to a given string * Guaranteed to be '\0' terminated even if truncation occurs. - * + * * returns SNORT_SNPRINTF_SUCCESS if successful * returns SNORT_SNPRINTF_TRUNCATION on truncation * returns SNORT_SNPRINTF_ERROR on error @@ -1510,7 +1602,7 @@ ret_val = SnortStrncpy(ret, src, dst_size + 1); - if(ret_val == SNORT_STRNCPY_ERROR) + if(ret_val == SNORT_STRNCPY_ERROR) { free(ret); return NULL; 
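Review bot: the rewritten parent wait loop in GoDaemon (`@@ -1227,34 +1327,33 @@`) drops the in-loop waitpid the old code had: the parent now sleeps `while (parent_wait)` and only calls waitpid once the loop ends, so if the child dies before sending SIGNAL_SNORT_CHILD_READY (cannot open the interface, bad config, killed), `parent_wait` never clears and the parent sleeps forever instead of exiting with -1 or -2. The `#ifdef DEBUG` printf after the block also reads `status` in the case where waitpid did not return cpid, and `status` is uninitialized there. Restore the child check inside the loop and break out when the child is gone; the enclosing `if(cpid > 0)` block starts before this hunk, and whether `parent_wait` is declared `volatile sig_atomic_t` (it is set from a handler) is not visible either.
```c
            int child_gone = 0;
            do
            {
#ifdef DEBUG
                printf("Parent waiting for child...\n");
#endif
                if (waitpid(cpid, &status, WNOHANG) == cpid)
                {
                    if (WIFEXITED(status))
                    {
                        LogMessage("Child exited unexpectedly\n");
                        exit_val = -1;
                    }
                    else if (WIFSIGNALED(status))
                    {
                        LogMessage("Child terminated unexpectedly\n");
                        exit_val = -2;
                    }
                    child_gone = 1;
                    break;
                }
                sleep(1);
            } while (parent_wait);
#ifdef DEBUG
            if (child_gone)
                printf("Child terminated unexpectedly (%d)\n", status);
#endif
            /* … unchanged: "Daemon parent exiting" message and exit(exit_val) … */
```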
@@ -1574,7 +1666,7 @@ { char ch; const char *s_end; - if (!s || !*s || !accept || slen == 0) + if (!s || (slen == 0) || !*s || !accept) return NULL; s_end = s + slen; @@ -1597,7 +1689,7 @@ { char ch, nc; int len; - if (!s || !*s || !searchstr || slen == 0) + if (!s || (slen == 0) || !*s || !searchstr) return NULL; if ((ch = *searchstr++) != 0) @@ -1619,7 +1711,6 @@ return NULL; } while (memcmp(s, searchstr, len) != 0); s--; - slen++; } return s; } @@ -1627,12 +1718,12 @@ /* * Find first occurrence of substring in s, ignore case. */ -const char *SnortStrcasestr(const char *s, const char *substr) +const char *SnortStrcasestr(const char *s, int slen, const char *substr) { char ch, nc; int len; - if (!s || !*s || !substr) + if (!s || (slen == 0) || !*s || !substr) return NULL; if ((ch = *substr++) != 0) @@ -1647,7 +1738,12 @@ { return NULL; } + slen--; + if(slen == 0) + return NULL; } while ((char)tolower((uint8_t)nc) != ch); + if(slen - len < 0) + return NULL; } while (strncasecmp(s, substr, len) != 0); s--; } @@ -1693,9 +1789,9 @@ return tmp; } -/** - * Chroot and adjust the snort_conf->log_dir reference - * +/** + * Chroot and adjust the snort_conf->log_dir reference + * * @param directory directory to chroot to * @param logstore ptr to snort_conf->log_dir which must be dynamically allocated */ @@ -1707,7 +1803,7 @@ char *absdir; size_t abslen; char *logdir; - + if(!directory || !logstore) { FatalError("Null parameter passed\n"); @@ -1718,16 +1814,16 @@ if(logdir == NULL || *logdir == '\0') { FatalError("Null log directory\n"); - } + } DEBUG_WRAP(DebugMessage(DEBUG_INIT,"SetChroot: %s\n", CurrentWorkingDir());); - + logdir = GetAbsolutePath(logdir); DEBUG_WRAP(DebugMessage(DEBUG_INIT, "SetChroot: %s\n", CurrentWorkingDir())); - + logdir = SnortStrdup(logdir); /* We're going to reset logstore, so free it now */ 
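Review bot: SnortStrcasestr now takes `int slen` (`@@ -1627,12 +1718,12 @@`) but rejects only `slen == 0`, so a negative length passes the guard and the per-byte `slen--` added further down only moves it further from zero, leaving the scan bounded solely by the NUL terminator while the signature suggests the length is honored. Reject it up front: `if (!s || (slen <= 0) || !*s || !substr)`; SnortStrnPbrk and SnortStrnStr in the neighboring hunks have the same `slen == 0` test and would benefit from the same treatment. The callers that now pass a length are outside this diff.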
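Review bot: the bound check inserted in SnortStrcasestr's inner loop (`@@ -1647,7 +1738,12 @@`), `slen--; if(slen == 0) return NULL;`, runs after the byte has been consumed but before it is compared with `ch`, so a one-character `substr` that occurs as the last byte of the `slen` window is never found: with s = "abc", slen = 3, substr = "c", slen reaches 0 on the 'c' and the function returns NULL, although the later `slen - len < 0` test would have accepted it since len is 0. Make the early return conditional on the byte not matching, `if (slen == 0 && (char)tolower((uint8_t)nc) != ch) return NULL;`, which still prevents the read past the window while letting a match on the final byte reach the strncasecmp check. This assumes the inner loop reads `nc = *s++` just above the hunk, as SnortStrnStr does; that line is not visible here.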
@@ -1737,22 +1833,22 @@ /* change to the directory */ if(chdir(directory) != 0) { - FatalError("SetChroot: Can not chdir to \"%s\": %s\n", directory, + FatalError("SetChroot: Can not chdir to \"%s\": %s\n", directory, strerror(errno)); } /* always returns an absolute pathname */ absdir = CurrentWorkingDir(); - if(absdir == NULL) + if(absdir == NULL) { FatalError("NULL Chroot found\n"); } - + abslen = strlen(absdir); DEBUG_WRAP(DebugMessage(DEBUG_INIT, "ABS: %s %d\n", absdir, abslen);); - + /* make the chroot call */ if(chroot(absdir) < 0) { @@ -1762,13 +1858,13 @@ DEBUG_WRAP(DebugMessage(DEBUG_INIT,"chroot success (%s ->", absdir);); DEBUG_WRAP(DebugMessage(DEBUG_INIT,"%s)\n ", CurrentWorkingDir());); - + /* change to "/" in the new directory */ if(chdir("/") < 0) { - FatalError("Can not chdir to \"/\" after chroot: %s\n", + FatalError("Can not chdir to \"/\" after chroot: %s\n", strerror(errno)); - } + } DEBUG_WRAP(DebugMessage(DEBUG_INIT,"chdir success (%s)\n", CurrentWorkingDir());); @@ -1778,7 +1874,7 @@ { FatalError("Absdir is not a subset of the logdir"); } - + if(abslen >= strlen(logdir)) { *logstore = SnortStrdup("/"); @@ -1796,7 +1892,7 @@ #if 0 /* XXX XXX */ /* install the I can't do this signal handler */ - signal(SIGHUP, SigCantHupHandler); + signal(SIGNAL_SNORT_RELOAD, SigCantHupHandler); #endif #endif /* !WIN32 */ } @@ -1809,7 +1905,7 @@ char *CurrentWorkingDir(void) { static char buf[PATH_MAX_UTIL + 1]; - + if(getcwd((char *) buf, PATH_MAX_UTIL) == NULL) { return NULL; @@ -1821,7 +1917,7 @@ } /** - * Given a directory name, return a ptr to a static + * Given a directory name, return a ptr to a static */ char *GetAbsolutePath(char *dir) { @@ -1864,7 +1960,7 @@ if(chdir(savedir) < 0) { LogMessage("Can't change back to directory: %s\n", dir); - free(savedir); + free(savedir); return NULL; } 
@@ -1976,7 +2072,7 @@ /* Don't look at dot files */ if (strncmp(".", direntry, 1) == 0) continue; - + ret = SnortSnprintf(path_buf, PATH_MAX, "%s%s%s", path, path[strlen(path) - 1] == '/' ? "" : "/", direntry); if (ret == SNORT_SNPRINTF_TRUNCATION) @@ -2056,16 +2152,16 @@ if (iface == NULL) LogMessage("Interface is NULL. Name may not be unique for the host\n"); #ifndef WIN32 - rptr = GetIP(iface); + rptr = GetIP(iface); if(rptr == NULL || !strcmp(rptr, "unknown")) #endif { SnortSnprintf(uniq_name, 255, "%s:%s\n",GetHostname(),iface); - rptr = uniq_name; + rptr = uniq_name; } if (ScLogVerbose()) LogMessage("Node unique name is: %s\n", rptr); return rptr; -} +} /**************************************************************************** * @@ -2112,7 +2208,7 @@ #ifdef SUP_IP6 // XXX-IPv6 uses ioctl to populate a sockaddr_in structure ... but what if the interface only has an IPv6 address? - sfip_set_raw(&ret, addr, AF_INET); + sfip_set_raw(&ret, addr, AF_INET); return SnortStrdup(sfip_ntoa(&ret)); #else return SnortStrdup(inet_ntoa(addr->sin_addr)); @@ -2132,7 +2228,7 @@ * * Arguments: None * - * Returns: A static char * representing the hostname. + * Returns: A static char * representing the hostname. * ***************************************************************************/ char *GetHostname(void) @@ -2155,9 +2251,9 @@ * Function: GetTimestamp(register const struct timeval *tvp, int tz) * * Purpose: Get an ISO-8601 formatted timestamp for tvp within the tz - * timezone. + * timezone. * - * Arguments: tvp is a timeval pointer. tz is a timezone. + * Arguments: tvp is a timeval pointer. tz is a timezone. * * Returns: char * -- You must free this char * when you are done with it. * @@ -2197,7 +2293,7 @@ * * Purpose: Find the offset from GMT for current host * - * Arguments: none + * Arguments: none * * Returns: int representing the offset from GMT * 
@@ -2228,7 +2324,7 @@ * * Purpose: Generate an ISO-8601 formatted timestamp for the current time. * - * Arguments: none + * Arguments: none * * Returns: char * -- You must free this char * when you are done with it. * @@ -2279,10 +2375,10 @@ * Purpose: Insert data into the database * * Arguments: xdata => pointer to data to base64 encode - * length => how much data to encode + * length => how much data to encode * * Make sure you allocate memory for the output before you pass - * the output pointer into this function. You should allocate + * the output pointer into this function. You should allocate * (1.5 * length) bytes to be safe. * * Returns: data base64 encoded as a char * @@ -2319,7 +2415,7 @@ *output = alpha[bits >> 18]; output++; *output = alpha[(bits >> 12) & 0x3f]; output++; *output = alpha[(bits >> 6) & 0x3f]; output++; - *output = alpha[bits & 0x3f]; output++; + *output = alpha[bits & 0x3f]; output++; cols += 4; if(cols == 72) { @@ -2347,14 +2443,14 @@ } else { - *output = alpha[(bits >> 6) & 0x3f]; - output++; *output = '='; + *output = alpha[(bits >> 6) & 0x3f]; + output++; *output = '='; output++; } } *output = '\0'; return payloadptr; -} +} /**************************************************************************** * @@ -2374,12 +2470,12 @@ char *d_ptr, *ret_val; int i,count = 0; int size; - + if(xdata == NULL) { - return NULL; + return NULL; } - + for(i=0;i<length;i++) { if(xdata[i] == '<') @@ -2392,15 +2488,15 @@ size = length + count + 1; ret_val = (char *) calloc(1,size); - + if(ret_val == NULL) { LogMessage("plugbase.c: ascii(): Out of memory, can't log anything!\n"); return NULL; } - - d_ptr = ret_val; - + + d_ptr = ret_val; + for(i=0;i<length;i++) { if((xdata[i] > 0x1F) && (xdata[i] < 0x7F)) @@ -2428,11 +2524,11 @@ else { *d_ptr++ = '.'; - } + } } - + *d_ptr++ = '\0'; - + return ret_val; } @@ -2468,7 +2564,7 @@ { SnortSnprintf(buf, 3, "%02X", xdata[x]); buf += 2; - } + } rval[length * 2] = '\0'; } 
@@ -2481,7 +2577,7 @@ char *fasthex(const u_char *xdata, int length) { char conv[] = "0123456789ABCDEF"; - char *retbuf = NULL; + char *retbuf = NULL; const u_char *index; const u_char *end; char *ridx; @@ -2528,7 +2624,7 @@ * strtoul - errors on win32 : ERANGE (VS 6.0) * errors on linux : ERANGE, EINVAL * (for EINVAL, unsupported base which won't happen here) - */ + */ val = SnortStrtol(s, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) @@ -2559,7 +2655,7 @@ if (strlen(s) == 0) FatalError("%s: String is empty\n", etext); - if (*s == '-') + if (*s == '-') { FatalError("%s: Invalid unsigned integer - negative sign found, " "input: %s\n", etext, s); @@ -2569,7 +2665,7 @@ /* * strtoul - errors on win32 : ERANGE (VS 6.0) * errors on linux : ERANGE, EINVAL - */ + */ val = SnortStrtoul(s, &endptr, 0); if ((errno == ERANGE) || (*endptr != '\0')) @@ -2581,7 +2677,7 @@ unsigned long int xatoup(const char *s , const char *etext) { unsigned long int val = xatou(s, etext); - if ( !val ) + if ( !val ) FatalError("%s: must be > 0\n", etext); return val; } @@ -2637,7 +2733,7 @@ if (ip == NULL) return ip_buf; - if (!IS_SET(snort_conf->obfuscation_net)) + if (!IP_IS_SET(snort_conf->obfuscation_net)) { if (IS_IP6(ip)) SnortSnprintf(ip_buf, buf_size, "x:x:x:x::x:x:x:x"); @@ -2651,7 +2747,7 @@ IP_COPY_VALUE(tmp, ip); - if (IS_SET(snort_conf->homenet)) + if (IP_IS_SET(snort_conf->homenet)) { if (sfip_contains(&snort_conf->homenet, &tmp) == SFIP_CONTAINS) sfip_obfuscate(&snort_conf->obfuscation_net, &tmp); diff -Nru snort-2.9.0.1/src/util.h snort-2.9.2/src/util.h --- snort-2.9.0.1/src/util.h 2010-06-09 15:04:57.000000000 -0700 +++ snort-2.9.2/src/util.h 2011-10-26 11:28:52.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify 
@@ -47,7 +47,7 @@ /* Macros *********************************************************************/ -/* specifies that a function does not return +/* specifies that a function does not return * used for quieting Visual Studio warnings */ #ifdef _MSC_VER # if _MSC_VER >= 1400 @@ -188,9 +188,10 @@ void CheckLogDir(void); char *read_infile(char *); void CleanupProtoNames(void); -void CreatePidFile(const char *); +void CreatePidFile(const char *, pid_t); void ClosePidFile(void); void SetUidGid(int, int); +void InitGroups(int, int); void SetChroot(char *, char **); void DropStats(int); void *SPAlloc(unsigned long, struct _SPMemControl *); @@ -201,6 +202,7 @@ #define __attribute__(x) /*NOTHING*/ #endif void LogMessage(const char *, ...) __attribute__((format (printf, 1, 2))); +void WarningMessage(const char *, ...) __attribute__((format (printf, 1, 2))); void ErrorMessage(const char *, ...) __attribute__((format (printf, 1, 2))); NORETURN void FatalError(const char *, ...) __attribute__((format (printf, 1, 2))); int SnortSnprintf(char *, size_t, const char *, ...) __attribute__((format (printf, 3, 4))); @@ -212,7 +214,7 @@ int SnortStrnlen(const char *, int); const char *SnortStrnPbrk(const char *s, int slen, const char *accept); const char *SnortStrnStr(const char *s, int slen, const char *searchstr); -const char *SnortStrcasestr(const char *s, const char *substr); +const char *SnortStrcasestr(const char *s, int slen, const char *substr); void *SnortAlloc(unsigned long); void *SnortAlloc2(size_t, const char *, ...); char *CurrentWorkingDir(void); @@ -254,7 +256,7 @@ unsigned long int xatou(const char *, const char *); unsigned long int xatoup(const char *, const char *); // return > 0 -static INLINE long SnortStrtol(const char *nptr, char **endptr, int base) +static inline long SnortStrtol(const char *nptr, char **endptr, int base) { long iRet; errno = 0; 
@@ -263,7 +265,7 @@ return iRet; } -static INLINE unsigned long SnortStrtoul(const char *nptr, char **endptr, int base) +static inline unsigned long SnortStrtoul(const char *nptr, char **endptr, int base) { unsigned long iRet; errno = 0; @@ -272,7 +274,7 @@ return iRet; } -static INLINE long SnortStrtolRange(const char *nptr, char **endptr, int base, long lo, long hi) +static inline long SnortStrtolRange(const char *nptr, char **endptr, int base, long lo, long hi) { long iRet = SnortStrtol(nptr, endptr, base); if ((iRet > hi) || (iRet < lo)) @@ -281,7 +283,7 @@ return iRet; } -static INLINE unsigned long SnortStrtoulRange(const char *nptr, char **endptr, int base, unsigned long lo, unsigned long hi) +static inline unsigned long SnortStrtoulRange(const char *nptr, char **endptr, int base, unsigned long lo, unsigned long hi) { unsigned long iRet = SnortStrtoul(nptr, endptr, base); if ((iRet > hi) || (iRet < lo)) @@ -290,9 +292,9 @@ return iRet; } -static INLINE int IsEmptyStr(char *str) +static inline int IsEmptyStr(const char *str) { - char *end; + const char *end; if (str == NULL) return 1; diff -Nru snort-2.9.0.1/src/win32/Makefile.in snort-2.9.2/src/win32/Makefile.in --- snort-2.9.0.1/src/win32/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/src/win32/Makefile.in 2011-12-07 11:23:22.000000000 -0800 @@ -60,7 +60,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -75,6 +77,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -111,13 +114,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/src/win32/WIN32-Code/getopt.c snort-2.9.2/src/win32/WIN32-Code/getopt.c --- snort-2.9.0.1/src/win32/WIN32-Code/getopt.c 2010-01-26 10:10:31.000000000 -0800 +++ snort-2.9.2/src/win32/WIN32-Code/getopt.c 2011-02-09 15:23:38.000000000 -0800 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/win32/WIN32-Code/inet_aton.c snort-2.9.2/src/win32/WIN32-Code/inet_aton.c --- snort-2.9.0.1/src/win32/WIN32-Code/inet_aton.c 2010-01-26 10:10:31.000000000 -0800 +++ snort-2.9.2/src/win32/WIN32-Code/inet_aton.c 2011-02-09 15:23:38.000000000 -0800 
@@ -1,7 +1,7 @@ /* $Id$ */ /**************************************************************************** * - * Copyright (C) 2004-2010 Sourcefire, Inc. + * Copyright (C) 2004-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/win32/WIN32-Code/misc.c snort-2.9.2/src/win32/WIN32-Code/misc.c --- snort-2.9.0.1/src/win32/WIN32-Code/misc.c 2010-06-09 15:05:32.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Code/misc.c 2011-06-07 17:33:21.000000000 -0700 @@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify @@ -20,6 +20,10 @@ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "snort.h" #include "util.h" @@ -289,7 +293,7 @@ } return 1; -} +} int geteuid(void) { diff -Nru snort-2.9.0.1/src/win32/WIN32-Code/name.h snort-2.9.2/src/win32/WIN32-Code/name.h --- snort-2.9.0.1/src/win32/WIN32-Code/name.h 2010-01-26 10:10:31.000000000 -0800 +++ snort-2.9.2/src/win32/WIN32-Code/name.h 2011-02-09 15:23:38.000000000 -0800 @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (C) 2003-2010 Sourcefire, Inc. + * Copyright (C) 2003-2011 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/win32/WIN32-Code/syslog.c snort-2.9.2/src/win32/WIN32-Code/syslog.c --- snort-2.9.0.1/src/win32/WIN32-Code/syslog.c 2009-12-21 18:57:09.000000000 -0800 +++ snort-2.9.2/src/win32/WIN32-Code/syslog.c 2011-06-07 17:33:21.000000000 -0700 
@@ -33,6 +33,10 @@ #include <windows.h> #include <stdio.h> #include <time.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "name.h" #include "syslog.h" @@ -108,12 +112,12 @@ fmt_cpy[FMT_LEN - 1] = '\0'; vsnprintf(p, tbuf_left, fmt_cpy, ap); p[tbuf_left - 1] = '\0'; - + /* Get connected, output the message to the local logger. */ if (!opened) openlog(LogTag, LogStat, 0); - + if ((strlen(snort_conf->syslog_server) != 0) && resolve_host(snort_conf->syslog_server)) { @@ -138,7 +142,7 @@ return; } - + /* Check for invalid bits. */ if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) { syslog(INTERNALLOG, @@ -257,7 +261,7 @@ if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == SOCKET_ERROR) { ErrorMessage("[!] ERROR: Could not create the socket to send the " - "syslog alert. Error Number: %d.\n", WSAGetLastError()); + "syslog alert. Error Number: %d.\n", WSAGetLastError()); return; } @@ -268,7 +272,7 @@ if (!sin.sin_addr.s_addr) { ErrorMessage("[!] ERROR: Could not resolve syslog server's hostname. " - "Error Number: %d.\n", WSAGetLastError()); + "Error Number: %d.\n", WSAGetLastError()); closesocket(sockfd); return; } @@ -276,7 +280,7 @@ if(sendto(sockfd,tbuf,cnt,(int)NULL, (SOCKADDR *)&sin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) { ErrorMessage("[!] ERROR: Could not send the alert to the syslog " - "server. Error Number: %d.\n", WSAGetLastError()); + "server. Error Number: %d.\n", WSAGetLastError()); closesocket(sockfd); return; } 
@@ -301,57 +305,57 @@ /* Taken from MSDN. */ void AddEventSource(char *ident) { - HKEY hk; - DWORD dwData; + HKEY hk; + DWORD dwData; char szFilePath[_MAX_PATH]; char key[_MAX_PATH]; - - // Add your source name as a subkey under the Application - // key in the EventLog registry key. + + // Add your source name as a subkey under the Application + // key in the EventLog registry key. SnortSnprintf(key, sizeof(key), "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\%s", ident); if (RegCreateKey(HKEY_LOCAL_MACHINE, key, &hk)) { - printf("Could not create the registry key."); + printf("Could not create the registry key."); exit(-1); } - - // Set the name of the message file. + + // Set the name of the message file. GetModuleFileName(NULL, szFilePath, sizeof(szFilePath)); szFilePath[ sizeof(szFilePath)-1 ] = 0; - // Add the name to the EventMessageFile subkey. - - if (RegSetValueEx(hk, // subkey handle - "EventMessageFile", // value name - 0, // must be zero - REG_EXPAND_SZ, // value type - (LPBYTE) szFilePath, // pointer to value data - strlen(szFilePath) + 1)) { // length of value data - printf("Could not set the event message file."); + // Add the name to the EventMessageFile subkey. + + if (RegSetValueEx(hk, // subkey handle + "EventMessageFile", // value name + 0, // must be zero + REG_EXPAND_SZ, // value type + (LPBYTE) szFilePath, // pointer to value data + strlen(szFilePath) + 1)) { // length of value data + printf("Could not set the event message file."); exit(-1); } - - // Set the supported event types in the TypesSupported subkey. 
- - dwData = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | - EVENTLOG_INFORMATION_TYPE | EVENTLOG_AUDIT_SUCCESS | EVENTLOG_AUDIT_FAILURE; - - if (RegSetValueEx(hk, // subkey handle - "TypesSupported", // value name - 0, // must be zero - REG_DWORD, // value type - (LPBYTE) &dwData, // pointer to value data - sizeof(DWORD))){ // length of value data - printf("Could not set the supported types."); + + // Set the supported event types in the TypesSupported subkey. + + dwData = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | + EVENTLOG_INFORMATION_TYPE | EVENTLOG_AUDIT_SUCCESS | EVENTLOG_AUDIT_FAILURE; + + if (RegSetValueEx(hk, // subkey handle + "TypesSupported", // value name + 0, // must be zero + REG_DWORD, // value type + (LPBYTE) &dwData, // pointer to value data + sizeof(DWORD))){ // length of value data + printf("Could not set the supported types."); exit(-1); } - - RegCloseKey(hk); -} + + RegCloseKey(hk); +} unsigned long resolve_host(char *host) { struct hostent *he; unsigned long ip; - + if (inet_addr(host) == INADDR_NONE) { he = gethostbyname(host); @@ -381,6 +385,6 @@ } else { ip = inet_addr(host); } - + return ip; } diff -Nru snort-2.9.0.1/src/win32/WIN32-Code/win32_service.c snort-2.9.2/src/win32/WIN32-Code/win32_service.c --- snort-2.9.0.1/src/win32/WIN32-Code/win32_service.c 2010-06-09 15:05:32.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Code/win32_service.c 2011-06-07 17:33:21.000000000 -0700 @@ -20,7 +20,7 @@ /* * win32_service.c v1.0 - 20 February 2002 - * + * * Purpose: Lets Snort register as a Win32 Service. This includes both * an installation an uninstallation aspect. * 
@@ -30,15 +30,15 @@ * saved into the registry when the snort service is * being installed. They are stored in: * HKLM \ SOFTWARE \ Snort - * + * * Usage: * snort.exe /SERVICE /INSTALL [regular command-line params] - * + * * snort.exe /SERVICE /UNINSTALL - * + * * snort.exe /SERVICE /SHOW - * - * References + * + * References * Microsoft has full docs on programming Win32 Services in their * MSDN (Microsoft Developer Network) library. * http://msdn.microsoft.com/ @@ -67,7 +67,7 @@ #include <pcap.h> #include "snort.h" -#include "debug.h" +#include "snort_debug.h" #include "util.h" static LPTSTR g_lpszServiceName = "SnortSvc"; @@ -78,19 +78,19 @@ static LPTSTR g_lpszRegistryCmdFormat = "CmdLineParam_%03d"; static LPTSTR g_lpszRegistryCountFormat= "CmdLineParamCount"; -static SERVICE_STATUS g_SnortServiceStatus; -static SERVICE_STATUS_HANDLE g_SnortServiceStatusHandle; +static SERVICE_STATUS g_SnortServiceStatus; +static SERVICE_STATUS_HANDLE g_SnortServiceStatusHandle; #define MAX_REGISTRY_KEY_LENGTH 255 #define MAX_REGISTRY_DATA_LENGTH 1000 - + static VOID SvcDebugOut(LPSTR String, DWORD Status); static VOID SvcFormatMessage(LPSTR szString, int iCount); static VOID ReadServiceCommandLineParams( int * piArgCounter, char** * pargvDynamic ); -static VOID WINAPI SnortServiceStart (DWORD argc, LPTSTR *argv); -static VOID WINAPI SnortServiceCtrlHandler (DWORD opcode); -static DWORD SnortServiceInitialization (DWORD argc, LPTSTR *argv, DWORD *specificError); +static VOID WINAPI SnortServiceStart (DWORD argc, LPTSTR *argv); +static VOID WINAPI SnortServiceCtrlHandler (DWORD opcode); +static DWORD SnortServiceInitialization (DWORD argc, LPTSTR *argv, DWORD *specificError); static VOID InstallSnortService(int argc, char* argv[]); static VOID UninstallSnortService(); static VOID ShowSnortServiceParams(); 
@@ -104,7 +104,7 @@ * * Writing a Service Program's main Function * ----------------------------------------------------------------------------- - * + * * The main function of a service program calls the StartServiceCtrlDispatcher * function to connect to the SCM and start the control dispatcher thread. The * dispatcher thread loops, waiting for incoming control requests for the @@ -113,30 +113,30 @@ * all services in a process have terminated, the SCM sends a control request * to the dispatcher thread telling it to shut down. The thread can then return * from the StartServiceCtrlDispatcher call and the process can terminate. - * + * * The following example is a service process that supports only one service. It * takes two parameters: a string that can contain one formatted output * character and a numeric value to be used as the formatted character. The * SvcDebugOut function prints informational messages and errors to the debugger. * For information on writing the SnortServiceStart and SnortServiceInitialization * functions, see Writing a ServiceMain Function. For information on writing the - * SnortServiceCtrlHandler function, see Writing a Control Handler Function. + * SnortServiceCtrlHandler function, see Writing a Control Handler Function. *******************************************************************************/ /* this is the entry point which is called from main() */ -int SnortServiceMain(int argc, char* argv[]) +int SnortServiceMain(int argc, char* argv[]) { int i; /* - SERVICE_TABLE_ENTRY steDispatchTable[] = - { - { g_lpszServiceName, SnortServiceStart }, - { NULL, NULL } - }; + SERVICE_TABLE_ENTRY steDispatchTable[] = + { + { g_lpszServiceName, SnortServiceStart }, + { NULL, NULL } + }; */ - SERVICE_TABLE_ENTRY steDispatchTable[2]; + SERVICE_TABLE_ENTRY steDispatchTable[2]; steDispatchTable[0].lpServiceName = g_lpszServiceName; steDispatchTable[0].lpServiceProc = SnortServiceStart; 
@@ -188,28 +188,28 @@ } /* If we got to this point, then it's time to start up the Win32 Service */ - if (!StartServiceCtrlDispatcher(steDispatchTable)) + if (!StartServiceCtrlDispatcher(steDispatchTable)) { char szString[1024]; memset(szString, sizeof(szString), '\0'); SvcFormatMessage(szString, sizeof(szString)); - SvcDebugOut(szString, 0); - SvcDebugOut(" [SNORT_SERVICE] StartServiceCtrlDispatcher error = %d\n", GetLastError()); - FatalError (" [SNORT_SERVICE] StartServiceCtrlDispatcher error = %d\n%s\n", GetLastError(), szString); + SvcDebugOut(szString, 0); + SvcDebugOut(" [SNORT_SERVICE] StartServiceCtrlDispatcher error = %d\n", GetLastError()); + FatalError (" [SNORT_SERVICE] StartServiceCtrlDispatcher error = %d\n%s\n", GetLastError(), szString); } return(0); -} - -VOID SvcDebugOut(LPSTR szString, DWORD dwStatus) -{ - CHAR szBuffer[1024]; - if (strlen(szString) < 1000) - { - sprintf(szBuffer, szString, dwStatus); - OutputDebugStringA(szBuffer); - } +} + +VOID SvcDebugOut(LPSTR szString, DWORD dwStatus) +{ + CHAR szBuffer[1024]; + if (strlen(szString) < 1000) + { + sprintf(szBuffer, szString, dwStatus); + OutputDebugStringA(szBuffer); + } } /* Copy the system error message into the buffer provided. @@ -221,21 +221,21 @@ if( szString!=NULL && iCount>0) { memset(szString, 0, iCount); - FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | - FORMAT_MESSAGE_FROM_SYSTEM | + FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | + FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */ (LPTSTR) &lpMsgBuf, 0, - NULL + NULL ); strncpy(szString, (LPCTSTR) lpMsgBuf, iCount-1); - + szString[iCount-1]=0; - + /* Free the buffer. */ LocalFree( lpMsgBuf ); lpMsgBuf = NULL; 
@@ -267,7 +267,7 @@ SvcFormatMessage(szMsg, sizeof(szMsg)); FatalError(" [SNORT_SERVICE] Unable to open Snort registry entry. " " Perhaps Snort has not been installed as a service." - " %s", szMsg); + " %s", szMsg); } memset(byData, 0, sizeof(byData)); @@ -285,7 +285,7 @@ SvcFormatMessage(szMsg, sizeof(szMsg)); FatalError(" [SNORT_SERVICE] Unable to read Snort registry entry '%s'." " Perhaps Snort has not been installed as a service." - " %s", g_lpszRegistryCountFormat, szMsg); + " %s", g_lpszRegistryCountFormat, szMsg); } (*piArgCounter) = * ((int*)&byData); @@ -314,10 +314,10 @@ SvcFormatMessage(szMsg, sizeof(szMsg)); FatalError(" [SNORT_SERVICE] Unable to read Snort registry entry '%s'." " Perhaps Snort has not been installed as a service." - " %s", szName, szMsg); + " %s", szName, szMsg); } - (*pargvDynamic)[i] = _strdup( (char*) byData ); + (*pargvDynamic)[i] = SnortStrdup( (char*) byData ); DEBUG_WRAP(DebugMessage(DEBUG_INIT, " %s\n", (*pargvDynamic)[i]);); } lRegRC = RegCloseKey( hkSnort ); @@ -327,7 +327,7 @@ SvcFormatMessage(szMsg, sizeof(szMsg)); FatalError(" [SNORT_SERVICE] Unable to close Snort registry entry." " Perhaps Snort has not been installed as a service." - " %s", szMsg); + " %s", szMsg); } hkSnort = NULL; } 
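Review bot: The string passed to SnortStrdup on the changed line `(*pargvDynamic)[i] = SnortStrdup( (char*) byData );` is whatever RegQueryValueEx left in byData, and nothing in this hunk guarantees that data is NUL-terminated; REG_SZ values read back from the registry are not required to carry a terminator, so a value that fills the buffer would make SnortStrdup read past it. The `memset(byData, 0, sizeof(byData))` visible before the count query in the -267 hunk only protects this copy if the buffer is re-zeroed before each per-argument query and the query length is bounded to one byte less than the buffer, neither of which is visible here; terminating explicitly before the copy, `byData[sizeof(byData) - 1] = 0;`, removes the dependency. The argument count read a few lines earlier as `(*piArgCounter) = * ((int*)&byData);` also comes straight from HKLM\SOFTWARE\Snort and is used without a range check, so a negative or very large value should be rejected before it sizes the argv array that presumably follows. ReadServiceCommandLineParams starts and ends outside this hunk.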
@@ -339,22 +339,22 @@ * * Writing a ServiceMain Function * ----------------------------------------------------------------------------- - * + * * The SnortServiceStart function in the following example is the entry point for * the service. SnortServiceStart has access to the command-line arguments, in the * way that the main function of a console application does. The first parameter * contains the number of arguments being passed to the service. There will * always be at least one argument. The second parameter is a pointer to an * array of string pointers. The first item in the array always points to the - * service name. - * + * service name. + * * The SnortServiceStart function first fills in the SERVICE_STATUS structure * including the control codes that it accepts. Although this service accepts * SERVICE_CONTROL_PAUSE and SERVICE_CONTROL_CONTINUE, it does nothing * significant when told to pause. The flags SERVICE_ACCEPT_PAUSE_CONTINUE was * included for illustration purposes only; if pausing does not add value to - * your service, do not support it. - * + * your service, do not support it. + * * The SnortServiceStart function then calls the RegisterServiceCtrlHandler * function to register SnortService as the service's Handler function and begin * initialization. The following sample initialization function, 
@@ -363,13 +363,13 @@ * your service's initialization performs tasks that are expected to take longer * than one second, your code must call the SetServiceStatus function * periodically to send out wait hints and check points indicating that progress - * is being made. - * + * is being made. + * * When initialization has completed successfully, the example calls * SetServiceStatus with a status of SERVICE_RUNNING and the service continues * with its work. If an error has occurred in initialization, SnortServiceStart * reports SERVICE_STOPPED with the SetServiceStatus function and returns. - * + * * Because this sample service does not complete any real tasks, SnortServiceStart * simply returns control to the caller. However, your service should use this * thread to complete whatever tasks it was designed to do. If a service does not @@ -378,9 +378,9 @@ * important for the function to return, rather than call the ExitThread * function, because returning allows for cleanup of the memory allocated for the * arguments. - * + * * To output debugging information, SnortServiceStart calls SvcDebugOut. The source - * code for SvcDebugOut is given in Writing a Service Program's main Function. + * code for SvcDebugOut is given in Writing a Service Program's main Function. *******************************************************************************/ void logmsg(char* msg) 
@@ -424,65 +424,65 @@ logmsg("\n"); } -void WINAPI SnortServiceStart (DWORD argc, LPTSTR *argv) -{ +void WINAPI SnortServiceStart (DWORD argc, LPTSTR *argv) +{ int i; int iArgCounter; char** argvDynamic = NULL; char errorbuf[PCAP_ERRBUF_SIZE]; char *interfacenames = NULL; - DWORD dwStatus; - DWORD dwSpecificError; + DWORD dwStatus; + DWORD dwSpecificError; + + g_SnortServiceStatus.dwServiceType = SERVICE_WIN32; + g_SnortServiceStatus.dwCurrentState = SERVICE_START_PENDING; + g_SnortServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE; + g_SnortServiceStatus.dwWin32ExitCode = 0; + g_SnortServiceStatus.dwServiceSpecificExitCode = 0; + g_SnortServiceStatus.dwCheckPoint = 0; + g_SnortServiceStatus.dwWaitHint = 0; + + g_SnortServiceStatusHandle = RegisterServiceCtrlHandler(g_lpszServiceName, SnortServiceCtrlHandler); - g_SnortServiceStatus.dwServiceType = SERVICE_WIN32; - g_SnortServiceStatus.dwCurrentState = SERVICE_START_PENDING; - g_SnortServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE; - g_SnortServiceStatus.dwWin32ExitCode = 0; - g_SnortServiceStatus.dwServiceSpecificExitCode = 0; - g_SnortServiceStatus.dwCheckPoint = 0; - g_SnortServiceStatus.dwWaitHint = 0; - - g_SnortServiceStatusHandle = RegisterServiceCtrlHandler(g_lpszServiceName, SnortServiceCtrlHandler); - - if (g_SnortServiceStatusHandle == (SERVICE_STATUS_HANDLE)0) - { + if (g_SnortServiceStatusHandle == (SERVICE_STATUS_HANDLE)0) + { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - SvcDebugOut(" [SNORT_SERVICE] RegisterServiceCtrlHandler failed %d\n", GetLastError()); - FatalError (" [SNORT_SERVICE] RegisterServiceCtrlHandler failed %d\n%s\n", GetLastError(), szMsg); - return; - } - + SvcDebugOut(" [SNORT_SERVICE] RegisterServiceCtrlHandler failed %d\n", GetLastError()); + FatalError (" [SNORT_SERVICE] RegisterServiceCtrlHandler failed %d\n%s\n", GetLastError(), szMsg); + return; + } + /* Initialization code goes here. 
*/ - dwStatus = SnortServiceInitialization(argc, argv, &dwSpecificError); - + dwStatus = SnortServiceInitialization(argc, argv, &dwSpecificError); + /* Handle error condition */ - if (dwStatus != NO_ERROR) - { - g_SnortServiceStatus.dwCurrentState = SERVICE_STOPPED; - g_SnortServiceStatus.dwCheckPoint = 0; - g_SnortServiceStatus.dwWaitHint = 0; - g_SnortServiceStatus.dwWin32ExitCode = dwStatus; - g_SnortServiceStatus.dwServiceSpecificExitCode = dwSpecificError; - - SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus); - return; - } - + if (dwStatus != NO_ERROR) + { + g_SnortServiceStatus.dwCurrentState = SERVICE_STOPPED; + g_SnortServiceStatus.dwCheckPoint = 0; + g_SnortServiceStatus.dwWaitHint = 0; + g_SnortServiceStatus.dwWin32ExitCode = dwStatus; + g_SnortServiceStatus.dwServiceSpecificExitCode = dwSpecificError; + + SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus); + return; + } + /* Initialization complete - report running status. */ - g_SnortServiceStatus.dwCurrentState = SERVICE_RUNNING; - g_SnortServiceStatus.dwCheckPoint = 0; - g_SnortServiceStatus.dwWaitHint = 0; - - if (!SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus)) - { + g_SnortServiceStatus.dwCurrentState = SERVICE_RUNNING; + g_SnortServiceStatus.dwCheckPoint = 0; + g_SnortServiceStatus.dwWaitHint = 0; + + if (!SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus)) + { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - dwStatus = GetLastError(); - SvcDebugOut(" [SNORT_SERVICE] SetServiceStatus error %ld\n",dwStatus); - FatalError (" [SNORT_SERVICE] SetServiceStatus error %ld\n%s\n",dwStatus,szMsg); - } + dwStatus = GetLastError(); + SvcDebugOut(" [SNORT_SERVICE] SetServiceStatus error %ld\n",dwStatus); + FatalError (" [SNORT_SERVICE] SetServiceStatus error %ld\n%s\n",dwStatus,szMsg); + } /* There seems to be a bug in Winpcap, such that snort works fine * when it is started from the command line, and the service works 
@@ -508,19 +508,19 @@ free( argvDynamic ); argvDynamic = NULL; - SvcDebugOut(" [SNORT_SERVICE] Returning the Main Thread \n",0); - - return; -} - + SvcDebugOut(" [SNORT_SERVICE] Returning the Main Thread \n",0); + + return; +} + /* Stub initialization function. */ -DWORD SnortServiceInitialization(DWORD argc, LPTSTR *argv, DWORD *pdwSpecificError) -{ - argv; - argc; - pdwSpecificError; - return(0); -} +DWORD SnortServiceInitialization(DWORD argc, LPTSTR *argv, DWORD *pdwSpecificError) +{ + argv; + argc; + pdwSpecificError; + return(0); +} @@ -530,7 +530,7 @@ * * Writing a Control Handler Function * ----------------------------------------------------------------------------- - * + * * The SnortServiceCtrlHandler function in the following example is the Handler * function. When this function is called by the dispatcher thread, it handles * the control code passed in the Opcode parameter and then calls the @@ -538,7 +538,7 @@ * Handler function receives a control code, it is appropriate to return status * with a call to SetServiceStatus regardless of whether the service acts on * the control. - * + * * When the pause control is received, SnortServiceCtrlHandler simply sets the * dwCurrentState field in the SERVICE_STATUS structure to SERVICE_PAUSED. * Likewise, when the continue control is received, the state is set to 
@@ -550,35 +550,35 @@ * sense. Many services support neither the pause or continue control. If the * service indicates that it does not support pause or continue with the * dwControlsAccepted parameter, then the SCM will not send pause or continue - * controls to the service's Handler function. - * + * controls to the service's Handler function. + * * To output debugging information, SnortServiceCtrlHandler calls SvcDebugOut. The * source code for SvcDebugOut is listed in Writing a Service Program's main * Function. Also, note that the g_SnortServiceStatus variable is a global variable - * and should be initialized as demonstrated in Writing a ServiceMain function. + * and should be initialized as demonstrated in Writing a ServiceMain function. *******************************************************************************/ -VOID WINAPI SnortServiceCtrlHandler (DWORD dwOpcode) -{ - DWORD dwStatus; - - switch(dwOpcode) - { - case SERVICE_CONTROL_PAUSE: +VOID WINAPI SnortServiceCtrlHandler (DWORD dwOpcode) +{ + DWORD dwStatus; + + switch(dwOpcode) + { + case SERVICE_CONTROL_PAUSE: /* Do whatever it takes to pause here. */ snort_conf->run_flags |= RUN_FLAG__PAUSE_SERVICE; - g_SnortServiceStatus.dwCurrentState = SERVICE_PAUSED; - break; - - case SERVICE_CONTROL_CONTINUE: + g_SnortServiceStatus.dwCurrentState = SERVICE_PAUSED; + break; + + case SERVICE_CONTROL_CONTINUE: /* Do whatever it takes to continue here. */ snort_conf->run_flags &= ~RUN_FLAG__PAUSE_SERVICE; - g_SnortServiceStatus.dwCurrentState = SERVICE_RUNNING; - break; - - case SERVICE_CONTROL_STOP: + g_SnortServiceStatus.dwCurrentState = SERVICE_RUNNING; + break; + + case SERVICE_CONTROL_STOP: /* Do whatever it takes to stop here. */ snort_conf->run_flags |= RUN_FLAG__TERMINATE_SERVICE; 
@@ -586,37 +586,37 @@ * the service has processed any last packets */ - g_SnortServiceStatus.dwWin32ExitCode = 0; - g_SnortServiceStatus.dwCurrentState = SERVICE_STOPPED; - g_SnortServiceStatus.dwCheckPoint = 0; - g_SnortServiceStatus.dwWaitHint = 0; - + g_SnortServiceStatus.dwWin32ExitCode = 0; + g_SnortServiceStatus.dwCurrentState = SERVICE_STOPPED; + g_SnortServiceStatus.dwCheckPoint = 0; + g_SnortServiceStatus.dwWaitHint = 0; + if (!SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus)) - { - dwStatus = GetLastError(); - SvcDebugOut(" [SNORT_SERVICE] SetServiceStatus error %ld\n",dwStatus); - } - - SvcDebugOut(" [SNORT_SERVICE] Leaving SnortService \n",0); - return; - - case SERVICE_CONTROL_INTERROGATE: + { + dwStatus = GetLastError(); + SvcDebugOut(" [SNORT_SERVICE] SetServiceStatus error %ld\n",dwStatus); + } + + SvcDebugOut(" [SNORT_SERVICE] Leaving SnortService \n",0); + return; + + case SERVICE_CONTROL_INTERROGATE: /* Fall through to send current status. */ - break; - - default: - SvcDebugOut(" [SNORT_SERVICE] Unrecognized opcode %ld\n", dwOpcode); - } - + break; + + default: + SvcDebugOut(" [SNORT_SERVICE] Unrecognized opcode %ld\n", dwOpcode); + } + /* Send current status. */ - if (!SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus)) - { - dwStatus = GetLastError(); - SvcDebugOut(" [SNORT_SERVICE] SetServiceStatus error %ld\n",dwStatus); - } + if (!SetServiceStatus (g_SnortServiceStatusHandle, &g_SnortServiceStatus)) + { + dwStatus = GetLastError(); + SvcDebugOut(" [SNORT_SERVICE] SetServiceStatus error %ld\n",dwStatus); + } - return; -} + return; +} 
@@ -626,15 +626,15 @@ * * Installing a Service * ----------------------------------------------------------------------------- - * + * * A service configuration program uses the CreateService function to install a * service in a SCM database. The application-defined schSCManager handle must * have SC_MANAGER_CREATE_SERVICE access to the SCManager object. The following - * example shows how to install a service. + * example shows how to install a service. *******************************************************************************/ -VOID InstallSnortService(int argc, char* argv[]) -{ +VOID InstallSnortService(int argc, char* argv[]) +{ SC_HANDLE schSCManager, schService; char buffer[_MAX_PATH+1]; LPCTSTR lpszBinaryPathName = NULL; @@ -660,7 +660,7 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - FatalError(" [SNORT_SERVICE] Unable to determine current working directory. %s", szMsg); + FatalError(" [SNORT_SERVICE] Unable to determine current working directory. %s", szMsg); } if( buffer[strlen(buffer) - 1] != '\\' ) @@ -674,7 +674,7 @@ } else { - FatalError(" [SNORT_SERVICE] Unable to create full path to Snort binary."); + FatalError(" [SNORT_SERVICE] Unable to create full path to Snort binary."); } } @@ -705,7 +705,7 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - FatalError(" [SNORT_SERVICE] Unable to create Snort registry entry. %s", szMsg); + FatalError(" [SNORT_SERVICE] Unable to create Snort registry entry. %s", szMsg); } for( iArgCounter=1; iArgCounter<argc; iArgCounter++ ) @@ -721,7 +721,7 @@ } else if( strlen(argv[iArgCounter]) > MAX_REGISTRY_DATA_LENGTH ) { - FatalError(" [SNORT_SERVICE] A single command line parameter cannot exceed %d characters.", MAX_REGISTRY_DATA_LENGTH); + FatalError(" [SNORT_SERVICE] A single command line parameter cannot exceed %d characters.", MAX_REGISTRY_DATA_LENGTH); } else { 
@@ -739,7 +739,7 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - FatalError(" [SNORT_SERVICE] Unable to write Snort registry entry. %s", szMsg); + FatalError(" [SNORT_SERVICE] Unable to write Snort registry entry. %s", szMsg); } } } /* end for() */ @@ -755,7 +755,7 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - FatalError(" [SNORT_SERVICE] Unable to write Snort registry entry. %s", szMsg); + FatalError(" [SNORT_SERVICE] Unable to write Snort registry entry. %s", szMsg); } lRegRC = RegCloseKey( hkSnort ); @@ -763,7 +763,7 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - FatalError(" [SNORT_SERVICE] Unable to close Snort registry entry. %s", szMsg); + FatalError(" [SNORT_SERVICE] Unable to close Snort registry entry. %s", szMsg); } printf("\n"); @@ -777,29 +777,29 @@ schSCManager = OpenSCManager(NULL, /* local machine */ NULL, /* defaults to SERVICES_ACTIVE_DATABASE */ SC_MANAGER_ALL_ACCESS); /* full access rights */ - + if (schSCManager == NULL) { DWORD dwErr = GetLastError(); - LPCTSTR lpszBasicMessage = "Unable to open a connection to the Services database."; + LPCTSTR lpszBasicMessage = "Unable to open a connection to the Services database."; TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); switch(dwErr) { - case ERROR_ACCESS_DENIED: + case ERROR_ACCESS_DENIED: FatalError(" [SNORT_SERVICE] %s Access is denied. %s", lpszBasicMessage, szMsg); break; - case ERROR_DATABASE_DOES_NOT_EXIST: + case ERROR_DATABASE_DOES_NOT_EXIST: FatalError(" [SNORT_SERVICE] %s Services database does not exist. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_PARAMETER: + case ERROR_INVALID_PARAMETER: FatalError(" [SNORT_SERVICE] %s Invalid parameter. %s", lpszBasicMessage, szMsg); break; - default: + default: FatalError(" [SNORT_SERVICE] %s Unrecognized error (%d). %s", lpszBasicMessage, dwErr, szMsg); break; } 
@@ -818,50 +818,50 @@ NULL, /* no dependencies */ NULL, /* LocalSystem account */ NULL); /* no password */ - + if (schService == NULL) { DWORD dwErr = GetLastError(); - LPCTSTR lpszBasicMessage = "Error while adding the Snort service to the Services database."; + LPCTSTR lpszBasicMessage = "Error while adding the Snort service to the Services database."; TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); switch(dwErr) { - case ERROR_ACCESS_DENIED: + case ERROR_ACCESS_DENIED: FatalError(" [SNORT_SERVICE] %s Access is denied. %s", lpszBasicMessage, szMsg); break; case ERROR_CIRCULAR_DEPENDENCY: FatalError(" [SNORT_SERVICE] %s Circular dependency. %s", lpszBasicMessage, szMsg); break; - case ERROR_DUP_NAME: + case ERROR_DUP_NAME: FatalError(" [SNORT_SERVICE] %s The display name (\"%s\") is already in use. %s", lpszBasicMessage , g_lpszServiceDisplayName , szMsg); break; - case ERROR_INVALID_HANDLE: + case ERROR_INVALID_HANDLE: FatalError(" [SNORT_SERVICE] %s Invalid handle. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_NAME: + case ERROR_INVALID_NAME: FatalError(" [SNORT_SERVICE] %s Invalid service name. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_PARAMETER: + case ERROR_INVALID_PARAMETER: FatalError(" [SNORT_SERVICE] %s Invalid parameter. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_SERVICE_ACCOUNT: + case ERROR_INVALID_SERVICE_ACCOUNT: FatalError(" [SNORT_SERVICE] %s Invalid service account. %s", lpszBasicMessage, szMsg); break; - case ERROR_SERVICE_EXISTS: + case ERROR_SERVICE_EXISTS: FatalError(" [SNORT_SERVICE] %s Service already exists. %s", lpszBasicMessage, szMsg); break; - default: + default: FatalError(" [SNORT_SERVICE] %s Unrecognized error (%d). %s", lpszBasicMessage, dwErr, szMsg); break; } 
@@ -876,16 +876,16 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - FatalError(" [SNORT_SERVICE] Unable to add a description to the Snort service. %s", szMsg); + FatalError(" [SNORT_SERVICE] Unable to add a description to the Snort service. %s", szMsg); } #endif printf("\n"); - printf(" [SNORT_SERVICE] Successfully added the Snort service to the Services database.\n"); - - CloseServiceHandle(schService); + printf(" [SNORT_SERVICE] Successfully added the Snort service to the Services database.\n"); + + CloseServiceHandle(schService); CloseServiceHandle(schSCManager); -} +} @@ -895,15 +895,15 @@ * * Deleting a Service * ----------------------------------------------------------------------------- - * + * * In the following example, a service configuration program uses the * OpenService function to get a handle with DELETE access to an installed * service object. The program then uses the service object handle in the - * DeleteService function to remove the service from the SCM database. + * DeleteService function to remove the service from the SCM database. *******************************************************************************/ -VOID UninstallSnortService() -{ +VOID UninstallSnortService() +{ SC_HANDLE schSCManager, schService; //HKEY hkSnort = NULL; long lRegRC = 0; @@ -922,7 +922,7 @@ { TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); - printf(" [SNORT_SERVICE] Warning. Unable to remove root Snort registry entry. %s", szMsg); + printf(" [SNORT_SERVICE] Warning. Unable to remove root Snort registry entry. %s", szMsg); } printf("\n"); 
@@ -936,29 +936,29 @@ schSCManager = OpenSCManager(NULL, /* local machine */ NULL, /* ServicesActive database */ SC_MANAGER_ALL_ACCESS); /* full access rights */ - - if (schSCManager == NULL) + + if (schSCManager == NULL) { DWORD dwErr = GetLastError(); - LPCTSTR lpszBasicMessage = "Unable to open a connection to the Services database."; + LPCTSTR lpszBasicMessage = "Unable to open a connection to the Services database."; TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); switch(dwErr) { - case ERROR_ACCESS_DENIED: + case ERROR_ACCESS_DENIED: FatalError(" [SNORT_SERVICE] %s Access is denied. %s", lpszBasicMessage, szMsg); break; - case ERROR_DATABASE_DOES_NOT_EXIST: + case ERROR_DATABASE_DOES_NOT_EXIST: FatalError(" [SNORT_SERVICE] %s Services database does not exist. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_PARAMETER: + case ERROR_INVALID_PARAMETER: FatalError(" [SNORT_SERVICE] %s Invalid parameter. %s", lpszBasicMessage, szMsg); break; - default: + default: FatalError(" [SNORT_SERVICE] %s Unrecognized error (%d). %s", lpszBasicMessage, dwErr, szMsg); break; } 
@@ -967,71 +967,71 @@ schService = OpenService(schSCManager, /* SCManager database */ g_lpszServiceName, /* name of service */ DELETE); /* only need DELETE access */ - - if (schService == NULL) + + if (schService == NULL) { DWORD dwErr = GetLastError(); - LPCTSTR lpszBasicMessage = "Unable to locate Snort in the Services database."; + LPCTSTR lpszBasicMessage = "Unable to locate Snort in the Services database."; TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); switch(dwErr) { - case ERROR_ACCESS_DENIED: + case ERROR_ACCESS_DENIED: FatalError(" [SNORT_SERVICE] %s Access is denied. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_HANDLE: + case ERROR_INVALID_HANDLE: FatalError(" [SNORT_SERVICE] %s Invalid handle. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_NAME: + case ERROR_INVALID_NAME: FatalError(" [SNORT_SERVICE] %s Invalid name. %s", lpszBasicMessage, szMsg); break; - case ERROR_SERVICE_DOES_NOT_EXIST: + case ERROR_SERVICE_DOES_NOT_EXIST: FatalError(" [SNORT_SERVICE] %s Service does not exist. %s", lpszBasicMessage, szMsg); break; - default: + default: FatalError(" [SNORT_SERVICE] %s Unrecognized error (%d). %s", lpszBasicMessage, dwErr, szMsg); break; } } - - if (! DeleteService(schService) ) + + if (! DeleteService(schService) ) { DWORD dwErr = GetLastError(); - LPCTSTR lpszBasicMessage = "Unable to remove Snort from the Services database."; + LPCTSTR lpszBasicMessage = "Unable to remove Snort from the Services database."; TCHAR szMsg[1000]; SvcFormatMessage(szMsg, sizeof(szMsg)); switch(dwErr) { - case ERROR_ACCESS_DENIED: + case ERROR_ACCESS_DENIED: FatalError(" [SNORT_SERVICE] %s Access is denied. %s", lpszBasicMessage, szMsg); break; - case ERROR_INVALID_HANDLE: + case ERROR_INVALID_HANDLE: FatalError(" [SNORT_SERVICE] %s Invalid handle. %s", lpszBasicMessage, szMsg); break; - case ERROR_SERVICE_MARKED_FOR_DELETE: + case ERROR_SERVICE_MARKED_FOR_DELETE: FatalError(" [SNORT_SERVICE] %s Service already marked for delete. 
%s", lpszBasicMessage, szMsg); break; - default: + default: FatalError(" [SNORT_SERVICE] %s Unrecognized error (%d). %s", lpszBasicMessage, dwErr, szMsg); break; } } printf("\n"); - printf(" [SNORT_SERVICE] Successfully removed the Snort service from the Services database.\n"); - - CloseServiceHandle(schService); + printf(" [SNORT_SERVICE] Successfully removed the Snort service from the Services database.\n"); + + CloseServiceHandle(schService); CloseServiceHandle(schSCManager); -} +} VOID ShowSnortServiceParams(void) diff -Nru snort-2.9.0.1/src/win32/WIN32-Includes/config.h snort-2.9.2/src/win32/WIN32-Includes/config.h --- snort-2.9.0.1/src/win32/WIN32-Includes/config.h 2010-10-08 02:58:33.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Includes/config.h 2011-12-07 11:24:50.000000000 -0800 @@ -1,3 +1,23 @@ +/**************************************************************************** + * + * Copyright (C) 2005-2011 Sourcefire, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License Version 2 as + * published by the Free Software Foundation. You may not use, modify or + * distribute this program under any other version of the GNU General + * Public License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + ****************************************************************************/ /* $Id$ */ #ifndef __CONFIG_H__ 
@@ -57,6 +77,10 @@ /* Define to 1 if you have zlib support. */ #define HAVE_ZLIB 1 +#ifndef SIZEOF_LONG_INT +#define SIZEOF_LONG_INT 4 +#endif + /* Version number of package */ #ifdef ENABLE_ODBC #define VERSION_ENABLE_ODBC "-ODBC" @@ -101,7 +125,7 @@ * should both match the ones specified in the * AM_INIT_AUTOMAKE() macro of configure.in */ -#define VERSION "2.9.0.1"VERSION_ENABLE_ODBC""VERSION_ENABLE_MYSQL""VERSION_ENABLE_MSSQL""VERSION_ENABLE_ORACLE""VERSION_ENABLE_RESPONSE"-WIN32"VERSION_DEBUG +#define VERSION "2.9.2"VERSION_ENABLE_ODBC""VERSION_ENABLE_MYSQL""VERSION_ENABLE_MSSQL""VERSION_ENABLE_ORACLE""VERSION_ENABLE_RESPONSE"-WIN32"VERSION_DEBUG #define PACKAGE "snort" #define IFNAMSIZ 255 @@ -175,10 +199,10 @@ // #define SIGKILL 9 /* kill (cannot be caught or ignored) */ -#define SIGQUIT 3 /* quit */ -#define SIGHUP 1 /* hangup */ -#define SIGUSR1 30 /* user defined signal 1 */ -#define SIGUSR2 31 /* user defined signal 2 */ +#define SIGQUIT 3 /* quit */ +#define SIGNAL_SNORT_RELOAD 1 /* Reload */ +#define SIGNAL_SNORT_DUMP_STATS 30 /* Dump stats */ +#define SIGNAL_SNORT_ROTATE_STATS 31 /* Rotate stats */ #define SIGPIPE 13 /* write on a pipe with no one to read it */ // #define EEXIST 17 /* File exists */ #ifndef W_OK @@ -201,7 +225,8 @@ #define strncasecmp strnicmp #define strcasecmp stricmp #if _MSC_VER < 1500 /* VC9 defines this */ -#define vsnprintf _vsnprintf +#define vsnprintf _vsnprintf +#define strdup _strdup #endif #define IXDR_GET_LONG(buf) ((long)ntohl((u_long)*(buf)++)) #define IXDR_GET_ENUM(buf, t) ((t)IXDR_GET_LONG(buf)) diff -Nru snort-2.9.0.1/src/win32/WIN32-Includes/getopt.h snort-2.9.2/src/win32/WIN32-Includes/getopt.h --- snort-2.9.0.1/src/win32/WIN32-Includes/getopt.h 2010-01-26 10:10:31.000000000 -0800 +++ snort-2.9.2/src/win32/WIN32-Includes/getopt.h 2011-02-09 15:23:39.000000000 -0800 
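Review bot: The new `#define SIZEOF_LONG_INT 4` default carries no comment saying why 4 is right for both 32- and 64-bit Windows builds, and a reader porting to x64 will reasonably suspect it. MSVC uses the LLP64 model, so `long` stays 4 bytes on Win64 as well as Win32 and the value is correct, but the block should say so, e.g. `/* MSVC is LLP64: long is 4 bytes on both x86 and x64; configure supplies this on other platforms */`. The `#ifndef` wrapper lets a project file override the value, which is worth noting in the same comment so nobody "simplifies" it away.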
@@ -1,6 +1,6 @@ /* $Id$ */ /* -** Copyright (C) 2002-2010 Sourcefire, Inc. +** Copyright (C) 2002-2011 Sourcefire, Inc. ** Copyright (C) 2002 Martin Roesch <roesch@sourcefire.com> ** ** This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/src/win32/WIN32-Includes/inttypes.h snort-2.9.2/src/win32/WIN32-Includes/inttypes.h --- snort-2.9.0.1/src/win32/WIN32-Includes/inttypes.h 2010-01-26 10:10:31.000000000 -0800 +++ snort-2.9.2/src/win32/WIN32-Includes/inttypes.h 2011-02-09 15:23:39.000000000 -0800 @@ -1,5 +1,5 @@ /* -** Copyright (C) 2007-2010 Sourcefire, Inc. +** Copyright (C) 2007-2011 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as diff -Nru snort-2.9.0.1/src/win32/WIN32-Includes/libdnet/dnet/ip.h snort-2.9.2/src/win32/WIN32-Includes/libdnet/dnet/ip.h --- snort-2.9.0.1/src/win32/WIN32-Includes/libdnet/dnet/ip.h 2010-06-09 15:54:03.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Includes/libdnet/dnet/ip.h 2011-06-07 17:33:21.000000000 -0700 @@ -40,7 +40,7 @@ uint8_t ip_hl:4, ip_v:4; #else -# error "need to include <dnet.h>" +# error "need to include <dnet.h>" #endif uint8_t ip_tos; /* type of service */ uint16_t ip_len; /* total length (incl header) */ diff -Nru snort-2.9.0.1/src/win32/WIN32-Includes/stdint.h snort-2.9.2/src/win32/WIN32-Includes/stdint.h --- snort-2.9.0.1/src/win32/WIN32-Includes/stdint.h 2010-08-25 13:22:48.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Includes/stdint.h 2011-10-26 07:49:57.000000000 -0700 
@@ -118,5 +118,7 @@ # endif #endif +#define SIZE_MAX UINT32_MAX + #endif /* __STDINT_H__ */ diff -Nru snort-2.9.0.1/src/win32/WIN32-Includes/WinPCAP/time_calls.h snort-2.9.2/src/win32/WIN32-Includes/WinPCAP/time_calls.h --- snort-2.9.0.1/src/win32/WIN32-Includes/WinPCAP/time_calls.h 2007-08-20 09:47:53.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Includes/WinPCAP/time_calls.h 2011-06-07 17:33:21.000000000 -0700 @@ -24,7 +24,7 @@ #ifdef WIN_NT_DRIVER -#include "debug.h" +#include "snort_debug.h" #include "ndis.h" #define DEFAULT_TIMESTAMPMODE 0 @@ -43,7 +43,7 @@ /*! \brief A microsecond precise timestamp. - included in the sf_pkthdr or the bpf_hdr that NPF associates with every packet. + included in the sf_pkthdr or the bpf_hdr that NPF associates with every packet. */ struct timeval { @@ -77,17 +77,17 @@ ULONG DefaultTimestampMode = DEFAULT_TIMESTAMPMODE; NewLength = RegistryPath->Length/2; - + NullTerminatedString = ExAllocatePool(PagedPool, (NewLength+1) *sizeof(WCHAR)); - + if (NullTerminatedString != NULL) { RtlCopyMemory(NullTerminatedString, RegistryPath->Buffer, RegistryPath->Length); - + NullTerminatedString[NewLength]=0; RtlZeroMemory(Queries, sizeof(Queries)); - + Queries[0].Flags = RTL_QUERY_REGISTRY_DIRECT; Queries[0].Name = TIMESTAMPMODE_REGKEY; Queries[0].EntryContext = &TimestampMode; 
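Review bot: `#define SIZE_MAX UINT32_MAX` is unconditional, which is wrong for a 64-bit build where size_t is 64 bits: the usual use of this macro is an allocation-size overflow guard of the form `n > SIZE_MAX / sizeof *p`, and on x64 that guard would compare against the wrong limit, while on toolchains that ship their own <stdint.h> the unguarded define collides with the compiler's. Guard the definition and select the width from the target, as below. Whether UINT64_MAX is defined earlier in this header is not visible in the hunk; if it is not, use `_UI64_MAX` or the explicit literal in the 64-bit branch.
```c
#ifndef SIZE_MAX
# ifdef _WIN64
#  define SIZE_MAX UINT64_MAX
# else
#  define SIZE_MAX UINT32_MAX
# endif
#endif

#endif /* __STDINT_H__ */
```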
@@ -100,14 +100,14 @@ TimestampMode = DEFAULT_TIMESTAMPMODE; } - RtlWriteRegistryValue( RTL_REGISTRY_ABSOLUTE, NullTerminatedString, TIMESTAMPMODE_REGKEY, REG_DWORD, &TimestampMode,sizeof(ULONG)); + RtlWriteRegistryValue( RTL_REGISTRY_ABSOLUTE, NullTerminatedString, TIMESTAMPMODE_REGKEY, REG_DWORD, &TimestampMode,sizeof(ULONG)); ExFreePool(NullTerminatedString); - } + } else TimestampMode = DEFAULT_TIMESTAMPMODE; } -#pragma optimize ("g",off) //Due to some weird behaviour of the optimizer of DDK build 2600 +#pragma optimize ("g",off) //Due to some weird behaviour of the optimizer of DDK build 2600 /* KeQueryPerformanceCounter TimeStamps */ __inline void SynchronizeOnCpu(struct timeval *start) @@ -120,11 +120,11 @@ ULONG tmp2; LARGE_INTEGER TimeFreq,PTime; - // get the absolute value of the system boot time. - + // get the absolute value of the system boot time. + PTime = KeQueryPerformanceCounter(&TimeFreq); KeQuerySystemTime(&SystemTime); - + start->tv_sec = (LONG)(SystemTime.QuadPart/10000000-11644473600); start->tv_usec = (LONG)((SystemTime.QuadPart%10000000)/10); @@ -138,7 +138,7 @@ start->tv_sec --; start->tv_usec += 1000000; } -} +} /*RDTSC timestamps */ /* callers must be at IRQL=PASSIVE_LEVEL*/ @@ -157,7 +157,7 @@ if (data->reference!=0) return; - + KeInitializeEvent(&event,NotificationEvent,FALSE); i.QuadPart=-3500000; @@ -179,7 +179,7 @@ } KeLowerIrql(old); - + KeWaitForSingleObject(&event,UserRequest,KernelMode,TRUE ,&i); KeRaiseIrql(HIGH_LEVEL,&old); @@ -208,16 +208,16 @@ } reference=delta*(start_freq.QuadPart)/delta2; - + data->reference=reference/1000; - if (reference%1000>500) + if (reference%1000>500) data->reference++; data->reference*=1000; reference=data->reference; - + KeQuerySystemTime(&system_time); __asm 
@@ -233,16 +233,16 @@ pop edx pop eax } - + tmp.tv_sec=-(LONG)(curr_ticks/reference); tmp.tv_usec=-(LONG)((curr_ticks%reference)*1000000/reference); system_time.QuadPart-=116444736000000000; - + tmp.tv_sec+=(LONG)(system_time.QuadPart/10000000); tmp.tv_usec+=(LONG)((system_time.QuadPart%10000000)/10); - + if (tmp.tv_usec<0) { tmp.tv_sec--; @@ -254,7 +254,7 @@ IF_LOUD(DbgPrint("Frequency " STDu64 " MHz\n",data->reference);) } -#pragma optimize ("g",on) //Due to some weird behaviour of the optimizer of DDK build 2600 +#pragma optimize ("g",on) //Due to some weird behaviour of the optimizer of DDK build 2600 __inline VOID TIME_SYNCHRONIZE(struct time_conv *data) { @@ -263,7 +263,7 @@ if (data->reference != 0) return; - + NumberOfCpus = NdisSystemProcessorCount(); if ( TimestampMode == TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP || TimestampMode == TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP) @@ -272,7 +272,7 @@ { AffinityMask = (1 << i); ZwSetInformationThread(NtCurrentThread(), ThreadAffinityMask, &AffinityMask, sizeof(KAFFINITY)); - SynchronizeOnCpu(&(data->start[i])); + SynchronizeOnCpu(&(data->start[i])); } AffinityMask = 0xFFFFFFFF; ZwSetInformationThread(NtCurrentThread(), ThreadAffinityMask, &AffinityMask, sizeof(KAFFINITY)); @@ -298,7 +298,7 @@ } -#pragma optimize ("g",off) //Due to some weird behaviour of the optimizer of DDK build 2600 +#pragma optimize ("g",off) //Due to some weird behaviour of the optimizer of DDK build 2600 __inline void GetTimeKQPC(struct timeval *dst, struct time_conv *data) { 
@@ -313,12 +313,12 @@ if (TimestampMode == TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP || TimestampMode == TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP) { - //actually this code is ok only if we are guaranteed that no thread scheduling will take place. - CurrentCpu = KeGetCurrentProcessorNumber(); + //actually this code is ok only if we are guaranteed that no thread scheduling will take place. + CurrentCpu = KeGetCurrentProcessorNumber(); dst->tv_sec = data->start[CurrentCpu].tv_sec + tmp; dst->tv_usec = data->start[CurrentCpu].tv_usec + (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart); - + if (dst->tv_usec >= 1000000) { dst->tv_sec ++; @@ -329,7 +329,7 @@ { if (old_ts.tv_sec > dst->tv_sec || (old_ts.tv_sec == dst->tv_sec && old_ts.tv_usec > dst->tv_usec) ) *dst = old_ts; - + else old_ts = *dst; } @@ -338,7 +338,7 @@ { //it should be only the normal case i.e. TIMESTAMPMODE_SINGLESYNCHRONIZATION dst->tv_sec = data->start[0].tv_sec + tmp; dst->tv_usec = data->start[0].tv_usec + (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart); - + if (dst->tv_usec >= 1000000) { dst->tv_sec ++; @@ -372,7 +372,7 @@ dst->tv_sec=(LONG)(tmp/data->reference); dst->tv_usec=(LONG)((tmp-dst->tv_sec*data->reference)*1000000/data->reference); - + dst->tv_sec+=data->start[0].tv_sec; dst->tv_usec+=data->start[0].tv_usec; 
@@ -391,13 +391,13 @@ LARGE_INTEGER SystemTime; KeQuerySystemTime(&SystemTime); - + dst->tv_sec = (LONG)(SystemTime.QuadPart/10000000-11644473600); dst->tv_usec = (LONG)((SystemTime.QuadPart%10000000)/10); } -#pragma optimize ("g",on) //Due to some weird behaviour of the optimizer of DDK build 2600 +#pragma optimize ("g",on) //Due to some weird behaviour of the optimizer of DDK build 2600 __inline void GET_TIME(struct timeval *dst, struct time_conv *data) Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/src/win32/WIN32-Libraries/libdnet/dnet.lib and /tmp/wllGJXgrVI/snort-2.9.2/src/win32/WIN32-Libraries/libdnet/dnet.lib differ Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/src/win32/WIN32-Libraries/mysql/mysqlclient.lib and /tmp/wllGJXgrVI/snort-2.9.2/src/win32/WIN32-Libraries/mysql/mysqlclient.lib differ Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/src/win32/WIN32-Libraries/Packet.lib and /tmp/wllGJXgrVI/snort-2.9.2/src/win32/WIN32-Libraries/Packet.lib differ Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/src/win32/WIN32-Libraries/pcre.lib and /tmp/wllGJXgrVI/snort-2.9.2/src/win32/WIN32-Libraries/pcre.lib differ Binary files /tmp/ecXKC_j_f4/snort-2.9.0.1/src/win32/WIN32-Libraries/wpcap.lib and /tmp/wllGJXgrVI/snort-2.9.2/src/win32/WIN32-Libraries/wpcap.lib differ diff -Nru snort-2.9.0.1/src/win32/WIN32-Prj/sf_engine.dsp snort-2.9.2/src/win32/WIN32-Prj/sf_engine.dsp --- snort-2.9.0.1/src/win32/WIN32-Prj/sf_engine.dsp 2010-08-25 13:22:49.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Prj/sf_engine.dsp 2011-11-21 12:15:24.000000000 -0800 
@@ -38,24 +38,25 @@ # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "SF_Engine_Release" # PROP Intermediate_Dir "SF_Engine_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_ENGINE_EXPORTS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SF_SNORT_ENGINE_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\Win32-Includes\zlib" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "ENABLE_PAF" /D "SF_SNORT_ENGINE_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "ZLIB" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 Ws2_32.lib pcre.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib 
shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"..\Win32-Libraries" +# ADD LINK32 zlib1.lib Ws2_32.lib pcre.lib /nologo /dll /machine:I386 /libpath:"..\Win32-Libraries" !ELSEIF "$(CFG)" == "sf_engine - Win32 Debug" 
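Review bot: The new `# ADD LINK32 zlib1.lib Ws2_32.lib pcre.lib /nologo /dll /machine:I386 /libpath:"..\Win32-Libraries"` line makes the engine depend on a prebuilt `zlib1.lib` whose version is recorded nowhere in the project, and the same hunk turns on `ZLIB` and `ENABLE_PAF`, so that library presumably ends up inflating data the engine receives from the network. A prebuilt compression library on that path is something the build should pin, e.g. a version note kept next to the binary in `..\Win32-Libraries` naming the zlib release and the CRT it was built with, so a security update to zlib can be matched against what actually ships. The Release configuration also moves from `/MT` to `/MD`, so `zlib1.lib` and `pcre.lib` need to be built against the same DLL CRT or the DLL ends up with two heaps. The Debug, IPv6 Debug and IPv6 Release hunks below carry the same link line and the same open question.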
@@ -64,24 +65,25 @@ # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "SF_Engine_Debug" # PROP Intermediate_Dir "SF_Engine_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SF_ENGINE_EXPORTS" /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SF_SNORT_ENGINE_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_ENGINE_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "ZLIB" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 Ws2_32.lib pcre.lib 
kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" +# ADD LINK32 zlib1.lib Ws2_32.lib pcre.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" !ELSEIF "$(CFG)" == "sf_engine - Win32 IPv6 Debug" 
@@ -91,24 +93,25 @@ # PROP BASE Intermediate_Dir "sf_engine___Win32_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "SF_Engine_IPv6_Debug" # PROP Intermediate_Dir "SF_Engine_IPv6_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes" /I "..\..\dynamic-plugins" /I "..\..\sfutil" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "HAVE_CONFIG_H" /D "SF_SNORT_ENGINE_DLL" /D "MODULUS_HASH" /FR /YX /FD /GZ /c -# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "SF_SNORT_ENGINE_DLL" /D "_DEBUG" /D "DEBUG" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\Win32-Includes\zlib" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "SUP_IP6" /D "_DEBUG" /D "DEBUG" /D "ENABLE_PAF" /D "SF_SNORT_ENGINE_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "ZLIB" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 Ws2_32.lib pcre.lib kernel32.lib user32.lib gdi32.lib 
winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" -# ADD LINK32 Ws2_32.lib pcre.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" +# ADD LINK32 zlib1.lib Ws2_32.lib pcre.lib /nologo /dll /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" !ELSEIF "$(CFG)" == "sf_engine - Win32 IPv6 Release" 
@@ -118,24 +121,25 @@ # PROP BASE Intermediate_Dir "sf_engine___Win32_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "SF_Engine_IPv6_Release" # PROP Intermediate_Dir "SF_Engine_IPv6_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes" /I "..\..\dynamic-plugins" /I "..\..\sfutil" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "HAVE_CONFIG_H" /D "SF_SNORT_ENGINE_DLL" /FR /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "SF_SNORT_ENGINE_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /FR /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\dynamic-plugins" /I "..\..\dynamic-plugins\sf_engine" /I "..\Win32-Includes" /I "..\Win32-Includes\zlib" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /D "NDEBUG" /D "SUP_IP6" /D "ENABLE_PAF" /D "SF_SNORT_ENGINE_DLL" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_RESPOND" /D "ENABLE_REACT" /D "ZLIB" /D "_WINDLL" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /c +# SUBTRACT CPP /YX # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 Ws2_32.lib pcre.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"..\Win32-Libraries" -# ADD LINK32 Ws2_32.lib pcre.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 /libpath:"..\Win32-Libraries" +# ADD LINK32 zlib1.lib Ws2_32.lib pcre.lib /nologo /dll /machine:I386 /libpath:"..\Win32-Libraries" !ENDIF @@ -170,6 +174,10 @@ # End Source File # Begin Source File +SOURCE="..\..\dynamic-plugins\sf_engine\sf_decompression.c" +# End Source File +# Begin Source File + SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_detection_engine.c" !IF "$(CFG)" == "sf_engine - Win32 Release" @@ -368,10 +376,18 @@ # End Source File # Begin Source File +SOURCE="..\..\dynamic-plugins\sf_engine\sf_decompression.h" +# End Source File +# Begin Source File + SOURCE="..\..\dynamic-plugins\sf_engine\sf_ip.h" # End Source File # Begin Source File +SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_detection_engine.h" +# End Source File +# Begin Source File + SOURCE="..\..\dynamic-plugins\sf_engine\sf_snort_packet.h" # End Source File # Begin Source File diff -Nru snort-2.9.0.1/src/win32/WIN32-Prj/sf_engine_initialize.dsp snort-2.9.2/src/win32/WIN32-Prj/sf_engine_initialize.dsp --- snort-2.9.0.1/src/win32/WIN32-Prj/sf_engine_initialize.dsp 2009-10-19 14:46:58.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Prj/sf_engine_initialize.dsp 2011-10-26 11:28:52.000000000 -0700 
@@ -91,17 +91,17 @@ # Name "sf_engine_initialize - Win32 IPv6 Release" # Begin Source File -SOURCE=..\..\debug.h +SOURCE=..\..\ipv6_port.h !IF "$(CFG)" == "sf_engine_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug +InputPath=..\..\ipv6_port.h +InputName=ipv6_port BuildCmds= \ copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins\sf_engine\$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
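Review bot: The sed expression the Release configuration now runs on `ipv6_port.h` writes the end-of-line anchor as `s/->iph$/->ip4_header/`, while the block it supersedes (removed further down, in the `@@ -170,78 +170,101 @@` hunk) wrote the same anchor as `s/->iph$$/->ip4_header/`. In an NMAKE-style project file `$$` is the escape for a literal `$`, so the two spellings are unlikely to reach sed as the same pattern; whichever is intended, the new list also anchors `s/orig_iph$/orig_ip4_header/` where the old list had `s/orig_iph/orig_ip4_header/`, so the generated header should be diffed against the previously generated one to confirm nothing is left unreplaced. The Debug, IPv6 Debug and IPv6 Release configurations in the three hunks that follow carry identical expressions.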
@@ -114,12 +114,12 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug +InputPath=..\..\ipv6_port.h +InputName=ipv6_port BuildCmds= \ copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -132,12 +132,12 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug +InputPath=..\..\ipv6_port.h +InputName=ipv6_port BuildCmds= \ copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -150,12 +150,12 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\debug.h -InputName=debug +InputPath=..\..\ipv6_port.h +InputName=ipv6_port BuildCmds= \ copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$/->ip4_header/" -e "s/orig_iph$/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" 
@@ -170,78 +170,101 @@ # End Source File # Begin Source File -SOURCE=..\..\ipv6_port.h +SOURCE=..\..\sfutil\sf_ip.c !IF "$(CFG)" == "sf_engine_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\ipv6_port.h -InputName=ipv6_port +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip -BuildCmds= \ - copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ - +"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + copy $(InputPath) ..\..\dynamic-plugins\sf_engine + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + copy $(InputPath) ..\..\dynamic-plugins\sf_engine + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Debug" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + copy $(InputPath) ..\..\dynamic-plugins\sf_engine + +# End Custom Build + +!ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.c +InputName=sf_ip + +"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + copy $(InputPath) ..\..\dynamic-plugins\sf_engine + +# End Custom Build + +!ENDIF 
+ +# End Source File +# Begin Source File + +SOURCE=..\..\sfutil\sf_ip.h + +!IF "$(CFG)" == "sf_engine_initialize - Win32 Release" + +# Begin Custom Build +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + copy $(InputPath) ..\..\dynamic-plugins\sf_engine -"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\ipv6_port.h -InputName=ipv6_port - -BuildCmds= \ - copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ - +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + copy $(InputPath) ..\..\dynamic-plugins\sf_engine -"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\ipv6_port.h -InputName=ipv6_port - -BuildCmds= \ - copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e 
"s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ - +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + copy $(InputPath) ..\..\dynamic-plugins\sf_engine -"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\ipv6_port.h -InputName=ipv6_port - -BuildCmds= \ - copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ - c:\cygwin\bin\sed -e "s/->iph->ip_src/->ip4_header->source/" -e "s/->iph->ip_dst/->ip4_header->destination/" -e "s/->iph->/->ip4_header->/" -e "s/->iph$$/->ip4_header/" -e "s/orig_iph/orig_ip4_header/" -e "s/ip_verhl/version_headerlength/" -e "s/ip_tos/type_service/" -e "s/ip_len/data_length/" -e "s/ip_id/identifier/" -e "s/ip_off/offset/" -e "s/ip_ttl/time_to_live/" -e "s/ip_proto/proto/" -e "s/ip_csum/checksum/" -e "s/p->iph$/p->ip4_header/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ - +InputPath=..\..\sfutil\sf_ip.h +InputName=sf_ip "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) + copy $(InputPath) ..\..\dynamic-plugins\sf_engine -"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - $(BuildCmds) # End Custom Build !ENDIF 
@@ -249,15 +272,15 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sf_ip.c +SOURCE=..\..\sf_protocols.h !IF "$(CFG)" == "sf_engine_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sf_protocols.h +InputName=sf_protocols -"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine # End Custom Build @@ -265,10 +288,10 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sf_protocols.h +InputName=sf_protocols -"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine # End Custom Build @@ -276,10 +299,10 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sf_protocols.h +InputName=sf_protocols -"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine # End Custom Build @@ -287,10 +310,10 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.c -InputName=sf_ip +InputPath=..\..\sf_protocols.h +InputName=sf_protocols -"..\..\dynamic-plugins\sf_engine\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" +"..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine # End Custom Build 
@@ -300,13 +323,13 @@ # End Source File # Begin Source File -SOURCE=..\..\sfutil\sf_ip.h +SOURCE=..\..\sf_types.h !IF "$(CFG)" == "sf_engine_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sf_types.h +InputName=sf_types "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine @@ -316,8 +339,8 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sf_types.h +InputName=sf_types "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine @@ -327,8 +350,8 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sf_types.h +InputName=sf_types "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine @@ -338,8 +361,8 @@ !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sfutil\sf_ip.h -InputName=sf_ip +InputPath=..\..\sf_types.h +InputName=sf_types "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" copy $(InputPath) ..\..\dynamic-plugins\sf_engine 
@@ -685,50 +708,78 @@ # End Source File # Begin Source File -SOURCE=..\..\sf_types.h +SOURCE=..\..\snort_debug.h !IF "$(CFG)" == "sf_engine_initialize - Win32 Release" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath=..\..\snort_debug.h +InputName=snort_debug + +BuildCmds= \ + copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins\sf_engine\$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - copy $(InputPath) ..\..\dynamic-plugins\sf_engine + $(BuildCmds) +"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 Debug" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath=..\..\snort_debug.h +InputName=snort_debug + +BuildCmds= \ + copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - copy $(InputPath) ..\..\dynamic-plugins\sf_engine + $(BuildCmds) +"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Debug" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types 
+InputPath=..\..\snort_debug.h +InputName=snort_debug + +BuildCmds= \ + copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - copy $(InputPath) ..\..\dynamic-plugins\sf_engine + $(BuildCmds) +"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ELSEIF "$(CFG)" == "sf_engine_initialize - Win32 IPv6 Release" # Begin Custom Build -InputPath=..\..\sf_types.h -InputName=sf_types +InputPath=..\..\snort_debug.h +InputName=snort_debug + +BuildCmds= \ + copy $(InputPath) ..\..\dynamic-plugins\sf_engine\$(InputName).h.new \ + c:\cygwin\bin\sed -e "s/DebugMessageFile = /*_ded.debugMsgFile = /" -e "s/DebugMessageLine = /*_ded.debugMsgLine = /" -e "s/; DebugMessageFunc$/; _ded.debugMsg/" -e "s/; DebugWideMessageFunc$/; _ded.debugWideMsg/" ../../dynamic-plugins/sf_engine/$(InputName).h.new > ../../dynamic-plugins/sf_engine/$(InputName).h \ + "..\..\dynamic-plugins\sf_engine\$(InputName).h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" - copy $(InputPath) ..\..\dynamic-plugins\sf_engine + $(BuildCmds) +"..\..\dynamic-plugins\sf_engine\$(InputName).h.new" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" + $(BuildCmds) # End Custom Build !ENDIF diff -Nru snort-2.9.0.1/src/win32/WIN32-Prj/snort.dsp snort-2.9.2/src/win32/WIN32-Prj/snort.dsp --- snort-2.9.0.1/src/win32/WIN32-Prj/snort.dsp 2010-09-27 08:28:15.000000000 -0700 +++ snort-2.9.2/src/win32/WIN32-Prj/snort.dsp 2011-11-21 12:15:24.000000000 -0800 
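Review bot: The Release configuration's sed step reads `../../dynamic-plugins\sf_engine\$(InputName).h.new` with backslashes inside the path handed to a Cygwin tool, while the Debug, IPv6 Debug and IPv6 Release blocks pass `../../dynamic-plugins/sf_engine/$(InputName).h.new`; Cygwin sed normally tolerates the mix, but the four BuildCmds blocks are otherwise identical and the Release one should use the forward-slash form so every configuration rewrites the same file the same way. All four blocks also hard-code `c:\cygwin\bin\sed` as the tool that rewrites a header compiled into the engine, which ties the build to one install location with no version pin and no existence check, and because the `>` redirect creates `$(InputName).h` before sed runs, a missing or failing sed can leave a truncated header behind for a later build to pick up. Consider taking the tool from a project macro such as `$(CYGWIN_BIN)\sed` with a documented default, and recording in the Win32 build instructions which sed the substitution was written for. The `$` in the anchors `DebugMessageFunc$/` and `DebugWideMessageFunc$/` is also macro syntax for nmake; if this project is exported to a .mak it may need to be written `$$` — confirm against the generated makefile.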
@@ -46,22 +46,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_MySQL_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "snort___Win32_MySQL_Debug" # PROP Intermediate_Dir "snort___Win32_MySQL_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "_DEBUG" /D "DEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /FR /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MYSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /FR /YX /FD /GZ /c +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "_DEBUG" /D "DEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MYSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib mysqlclient.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /nodefaultlib:"LIBCMT" /pdbtype:sept /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept 
/libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 MySQL Release" 
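Review bot: Switching this configuration from `/MTd` to `/MDd` together with `Use_MFC 2` and `/D "_AFXDLL"` makes snort.exe load the debug CRT and MFC as DLLs at run time instead of linking them statically, and nothing in the hunk records why a console sensor now needs MFC or what the new runtime dependency is. Those DLLs are resolved through the normal loader search order, so a sensor installed into a directory writable by less-privileged users becomes exposed to planting of the CRT/MFC DLLs; the Win32 install notes should say that the matching Microsoft redistributable must be installed system-wide and that the snort directory must not be user-writable. The sf_engine_initialize.dsp hunks visible earlier in this diff do not show their compiler flags, so it cannot be seen here whether the plugin DLLs were moved to the same CRT model; mixing `/MT` modules with a `/MD` executable gives two CRT heaps and is a classic source of cross-module free() crashes, so please confirm they match. Since .dsp files have no safe place for free-form comments, record this in the Win32 build README or ChangeLog rather than in the project file.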
@@ -71,22 +72,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_MySQL_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "snort___Win32_MySQL_Release" # PROP Intermediate_Dir "snort___Win32_MySQL_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MYSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /YX /FD /c +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." /I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MYSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib mysqlclient.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" 
/libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" # SUBTRACT LINK32 /incremental:yes !ELSEIF "$(CFG)" == "snort - Win32 SQLServer Debug" 
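Review bot: The release build now adds `/D "ENABLE_REACT"` next to the already-present `ACTIVE_RESPONSE`, `ENABLE_RESPONSE3` and `ENABLE_RESPOND`, so the shipped Windows binary compiles in both the react and respond mechanisms unconditionally, while `ENABLE_RESPONSE` is dropped from the BASE and ADD lines without a replacement being named. Presumably these stay inert until a rule and the corresponding runtime configuration enable them — confirm — but a capability that writes into the monitored network is now a fixed property of the official Win32 binaries, so it should be called out in the Windows release notes together with the `/MD` change, and the removal of `ENABLE_RESPONSE` stated as intentional. This define list is repeated verbatim in every configuration of snort.dsp (this hunk differs from the MySQL Debug one only in `/MD` vs `/MDd` and the link flags), and the .dsp format has no include mechanism to share it, so a one-line cross-check in the build notes ("all configs must carry the same /D set") is the practical guard against the lists drifting apart.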
@@ -97,22 +99,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_SQLServer_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "snort___Win32_SQLServer_Debug" # PROP Intermediate_Dir "snort___Win32_SQLServer_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "_DEBUG" /D "DEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MSSQL" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /Fr /YX"snort.h" /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MSSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /Fr /YX"snort.h" /FD /GZ /c +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "_DEBUG" /D "DEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MSSQL" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /Fr /YX"snort.h" /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MSSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /Fr /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib Ntwdblib.lib mysqlclient.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept 
/libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 SQLServer Release" 
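Review bot: `/D SIGNAL_SNORT_READ_ATTR_TBL=30` is added to this and every other configuration as a bare number on the compiler command line, with nothing explaining what signal 30 means on Windows, where the POSIX user signals the name suggests do not exist. It is presumably only a value that lets the shared attribute-table reload code compile and is never actually delivered on Win32 — confirm — but someone auditing what can trigger a table reload on a Windows sensor cannot tell that from the project file. Because .dsp files are not a safe place for comments, define it once in the Win32 config header that `HAVE_CONFIG_H` already pulls in, with a note such as `/* placeholder: no signal-driven attribute-table reload on Win32 */`, and drop the per-configuration `/D`, or at least document the value in the Win32 build notes.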
@@ -122,24 +125,24 @@ # PROP BASE Intermediate_Dir "snort___Win32_SQLServer_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "snort___Win32_SQLServer_Release" # PROP Intermediate_Dir "snort___Win32_SQLServer_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MSSQL" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /YX"snort.pch" /FD /c +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_MSSQL" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /YX"snort.pch" /FD /c # SUBTRACT BASE CPP /Fr -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MSSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /YX"snort.pch" /FD /c -# SUBTRACT CPP /Fr +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." /I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MSSQL" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /Fr /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC 
/l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib Ntwdblib.lib mysqlclient.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 Oracle Debug" 
@@ -149,22 +152,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_Oracle_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "snort___Win32_Oracle_Debug" # PROP Intermediate_Dir "snort___Win32_Oracle_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "D:\oracle\ora92\oci\include" /D "WIN32" /D "_DEBUG" /D "DEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ORACLE" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /Fr /YX"snort.h" /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_ORACLE" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /Fr /YX"snort.h" /FD /GZ /c +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "D:\oracle\ora92\oci\include" /D "WIN32" /D "_DEBUG" /D "DEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ORACLE" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /Fr /YX"snort.h" /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_ORACLE" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /Fr /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib Ntwdblib.lib mysqlclient.lib libnetnt.lib odbc32.lib oci.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" /libpath:"D:\oracle\ora92\oci\lib\msvc" -# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib 
odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 Oracle Release" 
@@ -174,24 +178,24 @@ # PROP BASE Intermediate_Dir "snort___Win32_Oracle_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "snort___Win32_Oracle_Release" # PROP Intermediate_Dir "snort___Win32_Oracle_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "D:\oracle\ora92\oci\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ORACLE" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /YX"snort.pch" /FD /c +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "D:\oracle\ora92\oci\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ORACLE" /D "ENABLE_MYSQL" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /YX"snort.pch" /FD /c # SUBTRACT BASE CPP /Fr -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_ORACLE" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /YX"snort.pch" /FD /c -# SUBTRACT CPP /Fr +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." /I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_ORACLE" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /Fr /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD 
RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib Ntwdblib.lib mysqlclient.lib libnetnt.lib odbc32.lib oci.lib /nologo /subsystem:console /machine:I386 /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" /libpath:"D:\oracle\ora92\oci\lib\msvc" -# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 MySQL IPv6 Debug" 
@@ -201,22 +205,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_MySQL_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "snort___Win32_MySQL_IPv6_Debug" # PROP Intermediate_Dir "snort___Win32_MySQL_IPv6_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MYSQL" /D "PERF_PROFILING" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /FR /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MYSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /FR /YX /FD /GZ /c +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MYSQL" /D "PERF_PROFILING" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MYSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FR /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 mysqlclient.lib user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept 
/libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 MySQL IPv6 Release" 
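Review bot: The new `# ADD CPP` line moves this configuration from the static CRT (`/MTd`) to the DLL CRT (`/MDd`) and, together with `# PROP Use_MFC 2` and `/D "_AFXDLL"`, makes the resulting snort.exe load the MSVC runtime and MFC DLLs at start-up rather than linking them in; the same switch is made in the `@@ -226`, `@@ -251`, `@@ -276`, `@@ -303` and `@@ -328` hunks below. Nothing in the project shows where those runtime DLLs are expected to come from or how they are kept in step with the `daq.lib`, `Packet.lib` and `dnet.lib` DLL dependencies already on the `# ADD LINK32` line, and a debug CRT (`/MDd`) is presumably only present on a machine with the toolchain installed, so the packaging and install requirements for the shared runtime deserve a sentence in the Win32 build notes rather than being left implicit in the project file. The hard-coded `/D SIGNAL_SNORT_READ_ATTR_TBL=30` is now repeated once per configuration; if a shared Win32 header on the include path already carries such defaults, defining it there once would avoid the six copies drifting apart.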
@@ -226,22 +231,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_MySQL_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "snort___Win32_MySQL_IPv6_Release" # PROP Intermediate_Dir "snort___Win32_MySQL_IPv6_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "NDEBUG" /D "ENABLE_MYSQL" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MYSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /YX /FD /c +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "NDEBUG" /D "ENABLE_MYSQL" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MYSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 mysqlclient.lib odbc32.lib user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib libnetnt.lib /nologo /subsystem:console /machine:I386 /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 mysqlclient.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" 
/libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 Oracle IPv6 Debug" 
@@ -251,22 +257,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_Oracle_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "snort___Win32_Oracle_IPv6_Debug" # PROP Intermediate_Dir "snort___Win32_Oracle_IPv6_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "D:\oracle\ora92\oci\include" /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "_DEBUG" /D "DEBUG" /D "ENABLE_ORACLE" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /Fr /YX"snort.h" /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_ORACLE" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /Fr /YX"snort.h" /FD /GZ /c +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "D:\oracle\ora92\oci\include" /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "_DEBUG" /D "DEBUG" /D "ENABLE_ORACLE" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /Fr /YX"snort.h" /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_ORACLE" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /Fr /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 Ntwdblib.lib oci.lib user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" /libpath:"D:\oracle\ora92\oci\lib\msvc" -# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib 
/nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 Oracle IPv6 Release" 
@@ -276,24 +283,24 @@ # PROP BASE Intermediate_Dir "snort___Win32_Oracle_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "snort___Win32_Oracle_IPv6_Release" # PROP Intermediate_Dir "snort___Win32_Oracle_IPv6_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "D:\oracle\ora92\oci\include" /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "NDEBUG" /D "ENABLE_ORACLE" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /YX"snort.pch" /FD /c +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "D:\oracle\ora92\oci\include" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "NDEBUG" /D "ENABLE_ORACLE" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /YX"snort.pch" /FD /c # SUBTRACT BASE CPP /Fr -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_ORACLE" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /YX"snort.pch" /FD /c -# SUBTRACT CPP /Fr +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_ORACLE" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /Fr /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 Ntwdblib.lib oci.lib user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" /libpath:"D:\oracle\ora92\oci\lib\msvc" -# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 Ntwdblib.lib oci.lib zlib1.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /machine:I386 
/libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 SQLServer IPv6 Debug" 
@@ -303,22 +310,23 @@ # PROP BASE Intermediate_Dir "snort___Win32_SQLServer_IPv6_Debug" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "snort___Win32_SQLServer_IPv6_Debug" # PROP Intermediate_Dir "snort___Win32_SQLServer_IPv6_Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MSSQL" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /Fr /YX"snort.h" /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MSSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /Fr /YX"snort.h" /FD /GZ /c +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MSSQL" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /Fr /YX"snort.h" /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "_DEBUG" /D "DEBUG" /D "ENABLE_MSSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /Fr /FD /GZ /c +# SUBTRACT CPP /YX # ADD BASE RSC /l 0x409 /d "_DEBUG" -# ADD RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 Ntwdblib.lib user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept 
/libpath:"..\..\..\daq\Debug" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ELSEIF "$(CFG)" == "snort - Win32 SQLServer IPv6 Release" 
@@ -328,24 +336,24 @@ # PROP BASE Intermediate_Dir "snort___Win32_SQLServer_IPv6_Release" # PROP BASE Ignore_Export_Lib 0 # PROP BASE Target_Dir "" -# PROP Use_MFC 0 +# PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "snort___Win32_SQLServer_IPv6_Release" # PROP Intermediate_Dir "snort___Win32_SQLServer_IPv6_Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" -# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "NDEBUG" /D "ENABLE_MSSQL" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /YX"snort.pch" /FD /c +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /I "..\..\.." /I "..\.." 
/I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\flow" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\flow\int-snort" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\FTPTelnet" /I "..\..\preprocessors\Stream5" /D "NDEBUG" /D "ENABLE_MSSQL" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "HAVE_CONFIG_H" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "DYNAMIC_PLUGIN" /YX"snort.pch" /FD /c # SUBTRACT BASE CPP /Fr -# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MSSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPONSE" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /YX"snort.pch" /FD /c -# SUBTRACT CPP /Fr +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\Win32-Includes\zlib" /I "..\..\.." /I "..\.." 
/I "..\..\control" /I "..\..\sfutil" /I "..\..\target-based" /I "..\Win32-Includes" /I "..\Win32-Includes\mysql" /I "..\Win32-Includes\libnet" /I "..\Win32-Includes\WinPCAP" /I "..\..\output-plugins" /I "..\..\detection-plugins" /I "..\..\dynamic-plugins" /I "..\..\preprocessors" /I "..\..\preprocessors\portscan" /I "..\..\preprocessors\HttpInspect\Include" /I "..\..\preprocessors\Stream5" /I "..\..\..\daq\api" /I "..\..\..\daq\sfbpf" /I "..\Win32-Includes\libdnet" /D "NDEBUG" /D "ENABLE_MSSQL" /D "SUP_IP6" /D "_CONSOLE" /D __BEGIN_DECLS="" /D __END_DECLS="" /D "ENABLE_ODBC" /D "ENABLE_RESPOND" /D "ENABLE_WIN32_SERVICE" /D "PREPROCESSOR_AND_DECODER_RULE_EVENTS" /D "ZLIB" /D "ENABLE_RESPONSE3" /D "DYNAMIC_PLUGIN" /D "_WINDOWS" /D "_USRDLL" /D "ACTIVE_RESPONSE" /D "ENABLE_REACT" /D "GRE" /D "MPLS" /D "TARGET_BASED" /D "PERF_PROFILING" /D "ENABLE_PAF" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /FD /c +# SUBTRACT CPP /Fr /YX # ADD BASE RSC /l 0x409 /d "NDEBUG" -# ADD RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 Ntwdblib.lib user32.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib libnetnt.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libnet" -# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib user32.lib iphlpapi.lib wsock32.lib pcre.lib wpcap.lib advapi32.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" /libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" +# ADD LINK32 zlib1.lib Ntwdblib.lib dnet.lib daq.lib Packet.lib iphlpapi.lib wsock32.lib advapi32.lib pcre.lib wpcap.lib odbc32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\daq\Release" /libpath:"..\Win32-Libraries" 
/libpath:"..\Win32-Libraries\mysql" /libpath:"..\Win32-Libraries\libdnet" !ENDIF @@ -599,6 +607,14 @@ # End Source File # Begin Source File +SOURCE="..\..\detection-plugins\sp_pkt_data.c" +# End Source File +# Begin Source File + +SOURCE="..\..\detection-plugins\sp_pkt_data.h" +# End Source File +# Begin Source File + SOURCE="..\..\detection-plugins\sp_react.c" # End Source File # Begin Source File @@ -885,6 +901,10 @@ # End Source File # Begin Source File +SOURCE=..\..\preprocessors\HttpInspect\include\hi_paf.h +# End Source File +# Begin Source File + SOURCE=..\..\preprocessors\HttpInspect\include\hi_return_codes.h # End Source File # Begin Source File @@ -989,6 +1009,10 @@ # End Source File # Begin Source File +SOURCE=..\..\preprocessors\HttpInspect\utils\hi_paf.c +# End Source File +# Begin Source File + SOURCE=..\..\preprocessors\HttpInspect\utils\hi_util_hbm.c # End Source File # Begin Source File @@ -1014,6 +1038,14 @@ # End Source File # Begin Source File +SOURCE=..\..\preprocessors\Stream5\snort_stream5_ip.c +# End Source File +# Begin Source File + +SOURCE=..\..\preprocessors\Stream5\snort_stream5_ip.h +# End Source File +# Begin Source File + SOURCE=..\..\preprocessors\Stream5\snort_stream5_session.c # End Source File # Begin Source File @@ -1044,6 +1076,14 @@ SOURCE=..\..\preprocessors\Stream5\stream5_common.h # End Source File +# Begin Source File + +SOURCE=..\..\preprocessors\Stream5\stream5_paf.c +# End Source File +# Begin Source File + +SOURCE=..\..\preprocessors\Stream5\stream5_paf.h +# End Source File # End Group # Begin Source File @@ -1199,11 +1239,11 @@ # End Source File # Begin Source File -SOURCE=..\..\preprocessors\stream_ignore.c +SOURCE=..\..\preprocessors\stream_expect.c # End Source File # Begin Source File -SOURCE=..\..\preprocessors\stream_ignore.h +SOURCE=..\..\preprocessors\stream_expect.h # End Source File # End Group # Begin Group "SFUtil" 
@@ -1327,6 +1367,14 @@
 # End Source File
 # Begin Source File
+SOURCE=..\..\sfutil\sf_email_attach_decode.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\sfutil\sf_email_attach_decode.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\..\sfutil\sf_ip.c
 # End Source File
 # Begin Source File
@@ -1523,6 +1571,14 @@
 # End Source File
 # Begin Source File
+SOURCE=..\..\sfutil\util_jsnorm.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\sfutil\util_jsnorm.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\..\sfutil\util_math.c
 # End Source File
 # Begin Source File
@@ -1547,6 +1603,14 @@
 # End Source File
 # Begin Source File
+SOURCE=..\..\sfutil\util_unfold.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\sfutil\util_unfold.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\..\sfutil\util_utf.c
 # End Source File
 # Begin Source File
@@ -1983,6 +2047,26 @@
 SOURCE="..\..\target-based\sftarget_reader.h"
 # End Source File
+# Begin Source File
+
+SOURCE="..\..\target-based\sftarget_reader_live.c"
+# End Source File
+# Begin Source File
+
+SOURCE="..\..\target-based\sftarget_reader_live.h"
+# End Source File
+# End Group
+# Begin Group "Control"
+
+# PROP Default_Filter ""
+# Begin Source File
+
+SOURCE=..\..\control\sfcontrol.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\control\sfcontrol_funcs.h
+# End Source File
 # End Group
 # Begin Source File
@@ -2094,6 +2178,18 @@
 # End Source File
 # Begin Source File
+SOURCE=..\..\idle_processing.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\idle_processing.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\idle_processing_funcs.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\..\ipv6_port.h
 # End Source File
 # Begin Source File
@@ -2214,6 +2310,10 @@
 # End Source File
 # Begin Source File
+SOURCE=..\..\sf_sdlist_types.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\..\sf_types.h
 # End Source File
 # Begin Source File
diff -Nru snort-2.9.0.1/src/win32/WIN32-Prj/snort.dsw snort-2.9.2/src/win32/WIN32-Prj/snort.dsw
--- snort-2.9.0.1/src/win32/WIN32-Prj/snort.dsw 2010-06-17 10:21:13.000000000 -0700
+++ snort-2.9.2/src/win32/WIN32-Prj/snort.dsw 2011-10-26 11:28:52.000000000 -0700
@@ -23,6 +23,9 @@
 Begin Project Dependency
 Project_Dep_Name snort
 End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name u2spewfoo
+ End Project Dependency
 }}}
 ###############################################################################
@@ -68,6 +71,30 @@
 Begin Project Dependency
 Project_Dep_Name sf_sdf
 End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_sip
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_imap
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_pop
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_dnp3
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_modbus
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_reputation
+ End Project Dependency
+ Begin Project Dependency
+ Project_Dep_Name sf_gtp
+ End Project Dependency
 }}}
 ###############################################################################
@@ -87,6 +114,21 @@
 ###############################################################################
+Project: "sf_dnp3"="..\..\dynamic-preprocessors\dnp3\sf_dnp3.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+}}}
+
+###############################################################################
+
 Project: "sf_dns"="..\..\dynamic-preprocessors\dns\sf_dns.dsp" - Package Owner=<4>
 Package=<5>
@@ -156,6 +198,78 @@
 ###############################################################################
+Project: "sf_gtp"="..\..\dynamic-preprocessors\gtp\sf_gtp.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "sf_imap"="..\..\dynamic-preprocessors\imap\sf_imap.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "sf_modbus"="..\..\dynamic-preprocessors\modbus\sf_modbus.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "sf_pop"="..\..\dynamic-preprocessors\pop\sf_pop.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "sf_reputation"="..\..\dynamic-preprocessors\reputation\sf_reputation.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+}}}
+
+###############################################################################
+
 Project: "sf_sdf"="..\..\dynamic-preprocessors\sdf\sf_sdf.dsp" - Package Owner=<4>
 Package=<5>
@@ -171,6 +285,21 @@
 ###############################################################################
+Project: "sf_sip"="..\..\dynamic-preprocessors\sip\sf_sip.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+ Begin Project Dependency
+ Project_Dep_Name sf_dynamic_initialize
+ End Project Dependency
+}}}
+
+###############################################################################
+
 Project: "sf_smtp"="..\..\dynamic-preprocessors\smtp\sf_smtp.dsp" - Package Owner=<4>
 Package=<5>
@@ -264,6 +393,18 @@
 ###############################################################################
+Project: "u2spewfoo"="..\..\..\tools\u2spewfoo\u2spewfoo.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
 Global:
 Package=<5>
diff -Nru snort-2.9.0.1/src/win32/WIN32-Prj/snort_initialize.dsp snort-2.9.2/src/win32/WIN32-Prj/snort_initialize.dsp
--- snort-2.9.0.1/src/win32/WIN32-Prj/snort_initialize.dsp 2009-10-19 14:46:59.000000000 -0700
+++ snort-2.9.2/src/win32/WIN32-Prj/snort_initialize.dsp 2011-06-07 17:33:23.000000000 -0700
@@ -203,7 +203,7 @@ BuildCmds= \ copy $(InputPath) ..\..\detection-plugins\$(InputName).c.new \ - c:\cygwin\bin\sed -e "s/_ded.errMsg/ErrorMessage/g" -e "s/sf_snort_packet.h/decode.h/g" -e "s/SFSnortPacket/Packet/g" -e "s/ip4_header/iph/g" -e "s/tcp_header/tcph/g" -e "s/proto/ip_proto/g" -e "s/type_service/ip_tos/g" -e "s/time_to_live/ip_ttl/g" -e "s/num_ip_options/ip_option_count/g" -e "s/IPOptions/Options/g" -e "s/option_code/code/g" -e "s/acknowledgement/th_ack/g" -e "s/sequence/th_seq/g" -e "s/tcph->flags/tcph->th_flags/g" -e "s/tcph->window/tcph->th_win/g" -e "s/num_tcp_options/tcp_option_count/g" -e "s/icmp_header/icmph/g" -e "s/ICMP_ECHO_REPLY/ICMP_ECHOREPLY/g" -e "s/ICMP_ECHO_REQUEST/ICMP_ECHO/g" -e "s/icmph_union.echo.id/s_icmp_id/g" -e "s/icmph_union.echo.seq/s_icmp_seq/g" ../../detection-plugins/$(InputName).c.new > ../../detection-plugins/$(InputName).c \ + c:\cygwin\bin\sed -e "s/_ded.errMsg/ErrorMessage/g" -e "s/sf_snort_packet.h/decode.h/g" -e "s/SFSnortPacket/Packet/g" -e "s/ip4_header/iph/g" -e "s/tcp_header/tcph/g" -e "s/proto/ip_proto/g" -e "s/type_service/ip_tos/g" -e "s/time_to_live/ip_ttl/g" -e "s/num_ip_options/ip_option_count/g" -e "s/IPOptions/Options/g" -e "s/option_code/code/g" -e "s/acknowledgement/th_ack/g" -e "s/sequence/th_seq/g" -e "s/tcph->flags/tcph->th_flags/g" -e "s/tcph->window/tcph->th_win/g" -e "s/num_tcp_options/tcp_option_count/g" -e "s/icmp_header/icmph/g" -e "s/ICMP_ECHO_REPLY/ICMP_ECHOREPLY/g" -e "s/ICMP_ECHO_REQUEST/ICMP_ECHO/g" -e "s/icmph_union.echo.id/s_icmp_id/g" -e "s/icmph_union.echo.seq/s_icmp_seq/g" -e "/sf_snort_detection_engine.h/d" ../../detection-plugins/$(InputName).c.new > ../../detection-plugins/$(InputName).c \ "..\..\detection-plugins\$(InputName).c" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" diff -Nru snort-2.9.0.1/src/win32/WIN32-Prj/snort_installer.nsi snort-2.9.2/src/win32/WIN32-Prj/snort_installer.nsi --- snort-2.9.0.1/src/win32/WIN32-Prj/snort_installer.nsi 2010-10-25 12:49:14.000000000 -0700 +++ 
snort-2.9.2/src/win32/WIN32-Prj/snort_installer.nsi 2011-10-26 11:28:52.000000000 -0700
@@ -1,17 +1,17 @@
 ; $Id$
 ;
-; NSIS Installation script for Snort 2.9.0.1 Win32
+; NSIS Installation script for Snort 2.9.2 Win32
 ; Written by Chris Reid <chris.reid@codecraftconsultants.com>
 ; Updated by Steven Sturges <ssturges@sourcefire.com>
 ;
-; This script will create a Win32 installer for Snort 2.9.0.1 (Win32 only).
+; This script will create a Win32 installer for Snort 2.9.2 (Win32 only).
 ; For more information about NSIS, see their homepage:
 ; http://nsis.sourceforge.net/
 ;
 ; Note that this NSIS script is designed for NSIS version 2.09.
 ;
-Name "Snort 2.9.0.1"
+Name "Snort 2.9.2"
 CRCCheck On
@@ -23,7 +23,7 @@
 ;Configuration
 ;General
- OutFile "Snort_2_9_0_1_Installer.exe" ; The name of the installer executable
+ OutFile "Snort_2_9_2_Installer.exe" ; The name of the installer executable
 ;Folder selection page
 InstallDir "C:\Snort"
@@ -228,7 +228,7 @@
 CreateDirectory "$INSTDIR\lib"
 CreateDirectory "$INSTDIR\lib\snort_dynamicpreprocessor"
 SetOutPath "$INSTDIR\lib\snort_dynamicpreprocessor"
- StrCmp $1 "IPv4" 0 +9
+ StrCmp $1 "IPv4" 0 +16
 File "..\..\dynamic-preprocessors\ftptelnet\Release\sf_ftptelnet.dll"
 File "..\..\dynamic-preprocessors\smtp\Release\sf_smtp.dll"
 File "..\..\dynamic-preprocessors\ssh\Release\sf_ssh.dll"
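Review bot: The updated relative jump `StrCmp $1 "IPv4" 0 +16` still encodes by hand how many instructions lie between it and its target, and the `StrCmp $1 "IPv6" 0 +16` in the -236,7 hunk has the same property; this commit already had to move both from +9 to +16, and the next DLL added to only one of the two lists will leave the branch one instruction off without any compile-time complaint. NSIS labels remove the counting entirely: `StrCmp $1 "IPv4" 0 skip_ipv4_dlls` with `skip_ipv4_dlls:` placed on the line the +16 currently reaches, and likewise for the IPv6 branch. Where exactly the two jumps land cannot be confirmed from the hunks alone, since not every File line between a jump and its target is visible, and the enclosing Section starts and ends outside them.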
@@ -236,7 +236,14 @@
 File "..\..\dynamic-preprocessors\ssl\Release\sf_ssl.dll"
 File "..\..\dynamic-preprocessors\dcerpc2\Release\sf_dce2.dll"
 File "..\..\dynamic-preprocessors\sdf\Release\sf_sdf.dll"
- StrCmp $1 "IPv6" 0 +9
+ File "..\..\dynamic-preprocessors\sip\Release\sf_sip.dll"
+ File "..\..\dynamic-preprocessors\imap\Release\sf_imap.dll"
+ File "..\..\dynamic-preprocessors\pop\Release\sf_pop.dll"
+ File "..\..\dynamic-preprocessors\reputation\Release\sf_reputation.dll"
+ File "..\..\dynamic-preprocessors\modbus\Release\sf_modbus.dll"
+ File "..\..\dynamic-preprocessors\dnp3\Release\sf_dnp3.dll"
+ File "..\..\dynamic-preprocessors\gtp\Release\sf_gtp.dll"
+ StrCmp $1 "IPv6" 0 +16
 File "..\..\dynamic-preprocessors\ftptelnet\IPv6_Release\sf_ftptelnet.dll"
 File "..\..\dynamic-preprocessors\smtp\IPv6_Release\sf_smtp.dll"
 File "..\..\dynamic-preprocessors\ssh\IPv6_Release\sf_ssh.dll"
@@ -244,6 +251,13 @@
 File "..\..\dynamic-preprocessors\ssl\IPv6_Release\sf_ssl.dll"
 File "..\..\dynamic-preprocessors\dcerpc2\IPv6_Release\sf_dce2.dll"
 File "..\..\dynamic-preprocessors\sdf\IPv6_Release\sf_sdf.dll"
+ File "..\..\dynamic-preprocessors\sip\IPv6_Release\sf_sip.dll"
+ File "..\..\dynamic-preprocessors\imap\IPv6_Release\sf_imap.dll"
+ File "..\..\dynamic-preprocessors\pop\IPv6_Release\sf_pop.dll"
+ File "..\..\dynamic-preprocessors\reputation\IPv6_Release\sf_reputation.dll"
+ File "..\..\dynamic-preprocessors\modbus\IPv6_Release\sf_modbus.dll"
+ File "..\..\dynamic-preprocessors\dnp3\IPv6_Release\sf_dnp3.dll"
+ File "..\..\dynamic-preprocessors\gtp\IPv6_Release\sf_gtp.dll"
 CreateDirectory "$INSTDIR\lib\snort_dynamicengine"
 SetOutPath "$INSTDIR\lib\snort_dynamicengine"
diff -Nru snort-2.9.0.1/templates/Makefile.in snort-2.9.2/templates/Makefile.in
--- snort-2.9.0.1/templates/Makefile.in 2010-10-08 02:56:55.000000000 -0700
+++ snort-2.9.2/templates/Makefile.in 2011-12-07 11:23:23.000000000 -0800
@@ -58,7 +58,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -73,6 +75,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -109,13 +112,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ diff -Nru snort-2.9.0.1/tools/control/Makefile.am snort-2.9.2/tools/control/Makefile.am --- snort-2.9.0.1/tools/control/Makefile.am 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/tools/control/Makefile.am 2011-10-26 07:49:57.000000000 -0700 @@ -0,0 +1,12 @@ +AUTOMAKE_OPTIONS=foreign +bin_PROGRAMS = snort_control + +docdir = ${datadir}/doc/${PACKAGE} + +snort_control_SOURCES = sfcontrol.c +snort_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS) + +INCLUDES = @INCLUDES@ @extra_incl@ + +dist_doc_DATA = README.snort_control + diff -Nru snort-2.9.0.1/tools/control/Makefile.in snort-2.9.2/tools/control/Makefile.in --- snort-2.9.0.1/tools/control/Makefile.in 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/tools/control/Makefile.in 2011-12-07 11:23:23.000000000 -0800 
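Review bot: `snort_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS)` in the new tools/control/Makefile.am puts CFLAGS on the compile and link lines twice, because automake appends `$(CFLAGS)` after the per-target flags anyway; the generated tools/control/Makefile.in further down in this diff shows the result as `$(snort_control_CFLAGS) $(CFLAGS)`. Any flag a user passes on the make command line is therefore duplicated, and the per-target variable also renames the object to snort_control-sfcontrol.o for no benefit; `snort_control_CFLAGS = $(AM_CFLAGS)`, or dropping the line altogether, is enough. `INCLUDES = @INCLUDES@ @extra_incl@` uses the older spelling that later automake releases report as obsolete in favour of `AM_CPPFLAGS`, which would matter if the tree is ever regenerated with a newer automake.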
@@ -0,0 +1,590 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +bin_PROGRAMS = snort_control$(EXEEXT) +subdir = tools/control +DIST_COMMON = $(dist_doc_DATA) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)" +PROGRAMS = $(bin_PROGRAMS) +am_snort_control_OBJECTS = snort_control-sfcontrol.$(OBJEXT) +snort_control_OBJECTS = $(am_snort_control_OBJECTS) 
+snort_control_LDADD = $(LDADD) +snort_control_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(snort_control_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(snort_control_SOURCES) +DIST_SOURCES = $(snort_control_SOURCES) +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +DATA = $(dist_doc_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = 
@AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ +CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ +INCLUDES = @INCLUDES@ @extra_incl@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ +STRIP = @STRIP@ 
+VERSION = @VERSION@ +XCCFLAGS = @XCCFLAGS@ +YACC = @YACC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = ${datadir}/doc/${PACKAGE} +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +extra_incl = @extra_incl@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +AUTOMAKE_OPTIONS = foreign +snort_control_SOURCES = sfcontrol.c +snort_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS) +dist_doc_DATA = README.snort_control +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd 
$(top_srcdir) && $(AUTOMAKE) --foreign tools/control/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign tools/control/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-binPROGRAMS: $(bin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ + 
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-binPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(bindir)" && rm -f $$files + +clean-binPROGRAMS: + @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +snort_control$(EXEEXT): $(snort_control_OBJECTS) $(snort_control_DEPENDENCIES) + @rm -f snort_control$(EXEEXT) + $(snort_control_LINK) $(snort_control_OBJECTS) $(snort_control_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snort_control-sfcontrol.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: 
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +snort_control-sfcontrol.o: sfcontrol.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -MT snort_control-sfcontrol.o -MD -MP -MF $(DEPDIR)/snort_control-sfcontrol.Tpo -c -o snort_control-sfcontrol.o `test -f 'sfcontrol.c' || echo '$(srcdir)/'`sfcontrol.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/snort_control-sfcontrol.Tpo $(DEPDIR)/snort_control-sfcontrol.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sfcontrol.c' object='snort_control-sfcontrol.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -c -o snort_control-sfcontrol.o `test -f 'sfcontrol.c' || echo '$(srcdir)/'`sfcontrol.c + +snort_control-sfcontrol.obj: sfcontrol.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -MT snort_control-sfcontrol.obj -MD -MP -MF $(DEPDIR)/snort_control-sfcontrol.Tpo -c -o snort_control-sfcontrol.obj `if test -f 'sfcontrol.c'; then $(CYGPATH_W) 'sfcontrol.c'; else $(CYGPATH_W) '$(srcdir)/sfcontrol.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/snort_control-sfcontrol.Tpo $(DEPDIR)/snort_control-sfcontrol.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sfcontrol.c' object='snort_control-sfcontrol.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -c -o snort_control-sfcontrol.obj `if test -f 'sfcontrol.c'; then $(CYGPATH_W) 'sfcontrol.c'; else $(CYGPATH_W) '$(srcdir)/sfcontrol.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dist_docDATA: $(dist_doc_DATA) + @$(NORMAL_INSTALL) + test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)" + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ + done + +uninstall-dist_docDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(docdir)" && rm -f $$files + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) 
$(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-dist_docDATA + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-binPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-binPROGRAMS uninstall-dist_docDATA + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \ + clean-generic clean-libtool ctags distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-binPROGRAMS install-data install-data-am \ + install-dist_docDATA install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-binPROGRAMS \ + uninstall-dist_docDATA + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru snort-2.9.0.1/tools/control/README.snort_control snort-2.9.2/tools/control/README.snort_control
--- snort-2.9.0.1/tools/control/README.snort_control 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/tools/control/README.snort_control 2011-10-26 07:49:57.000000000 -0700
@@ -0,0 +1,25 @@
+snort_control - Tool to connect to the snort control channel and issue a command
+--------------------------------------------
+
+About
+-----
+
+ The current version of Snort can be configured to provide a Unix socket
+that can be used to issue commands to the running process.
+
+Installation
+------------
+
+ snort_control is made and installed along with snort in the same bin directory
+when configured with the --enable-control-socket option. The control socket
+functionality is supported on Linux only.
+
+Usage
+-----
+
+ $ snort_control <log path> <command>
+
+"log path" specifies the directory passed to snort with the -l option
+
+"command" is an unsigned 32-bit command value
+
diff -Nru snort-2.9.0.1/tools/control/sfcontrol.c snort-2.9.2/tools/control/sfcontrol.c
--- snort-2.9.0.1/tools/control/sfcontrol.c 1969-12-31 16:00:00.000000000 -0800
+++ snort-2.9.2/tools/control/sfcontrol.c 2011-10-26 11:28:52.000000000 -0700
@@ -0,0 +1,277 @@ +/* +** $Id$ +** +** sfcontrol.c +** +** Copyright (C) 2002-2011 Sourcefire, Inc. +** Author(s): Ron Dempster <rdempster@sourcefire.com> +** +** NOTES +** 5.5.11 - Initial Source Code. Dempster +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License Version 2 as +** published by the Free Software Foundation. You may not use, modify or +** distribute this program under any other version of the GNU General +** Public License. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +** +*/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <stdio.h> +#include <ctype.h> +#include <string.h> +#include <errno.h> +#include <stdlib.h> +#include <sys/select.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/types.h> +#include <sys/time.h> +#include <signal.h> +#include <unistd.h> +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/udp.h> + +#include "sfcontrol.h" + +#ifndef PATH_MAX +#define PATH_MAX 4096 +#endif + +static void DumpHex(FILE *fp, const uint8_t *data, unsigned len) +{ + char str[18]; + unsigned i; + unsigned pos; + char c; + + for (i=0, pos=0; i<len; i++, pos++) + { + if (pos == 17) + { + str[pos] = 0; + fprintf(fp, " %s\n", str); + pos = 0; + } + else if (pos == 8) + { + str[pos] = ' '; + pos++; + fprintf(fp, "%s", " "); + } + c = (char)data[i]; + if (isprint(c) && (c == ' ' || !isspace(c))) + str[pos] = c; + else + str[pos] = '.'; + fprintf(fp, "%02X ", data[i]); + } + if (pos) + { + str[pos] = 0; + for (; pos < 
17; pos++) + { + if (pos == 8) + { + str[pos] = ' '; + pos++; + fprintf(fp, "%s", " "); + } + else + { + fprintf(fp, "%s", " "); + } + } + fprintf(fp, " %s\n", str); + } +} + +static int SendMessage(int socket_fd, const CSMessageHeader *msg, uint32_t len) +{ + ssize_t numsent; + unsigned total_len = sizeof(*msg) + len; + unsigned total = 0; + + do + { + numsent = write(socket_fd, (*(uint8_t **)&msg) + total, total_len - total); + if (!numsent) + return 0; + else if (numsent > 0) + total += numsent; + else if (errno != EINTR && errno != EAGAIN) + return -1; + } while (total < total_len); + return 1; +} + +static int ReadData(int socket_fd, uint8_t *buffer, uint32_t length) +{ + ssize_t numread; + unsigned total = 0; + + do + { + numread = read(socket_fd, buffer + total, length - total); + if (!numread) + return 0; + else if (numread > 0) + total += numread; + else if (errno != EINTR && errno != EAGAIN) + return -1; + } while (total < length); + if (total < length) + return 0; + return 1; +} + +static int ReadResponse(int socket_fd, CSMessageHeader *hdr) +{ + ssize_t numread; + unsigned total = 0; + + do + { + numread = read(socket_fd, (*(uint8_t **)&hdr) + total, sizeof(*hdr) - total); + if (!numread) + return 0; + else if (numread > 0) + total += numread; + else if (errno != EINTR && errno != EAGAIN) + return -1; + } while (total < sizeof(*hdr)); + if (total < sizeof(*hdr)) + return 0; + + hdr->length = ntohl(hdr->length); + hdr->version = ntohs(hdr->version); + hdr->type = ntohs(hdr->type); + return 1; +} + +void ConnectToUnixSocket(const char * const name, int * const psock) +{ + struct sockaddr_un sunaddr; + int sock = -1; + int rval; + + memset(&sunaddr, 0, sizeof(sunaddr)); + rval = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), "%s", name); + if (rval < 0 || (size_t)rval >= sizeof(sunaddr.sun_path)) + { + fprintf(stderr, "Socket name '%s' is too long\n", name); + exit(-1); + } + + sunaddr.sun_family = AF_UNIX; + + /* open the socket */ + if ((sock = 
socket(AF_UNIX, SOCK_STREAM, 0)) == -1) + { + fprintf(stderr, "Error opening socket: %s\n", strerror(errno)); + exit(-1); + } + + if (connect(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) == -1) + { + fprintf(stderr, "Unable to connect to UNIX socket at %s: %s\n", name, strerror(errno)); + close(sock); + exit(-1); + } + + *psock = sock; +} + +int main(int argc, char *argv[]) +{ + int rval; + char socket_fn[PATH_MAX]; + int socket_fd; + char *p; + CSMessageHeader msg; + unsigned long type; + const char *sep; + ssize_t len; + + if (argc != 3 || !*argv[1] || !*argv[2]) + { + fprintf(stderr, "Usage %s <snort log dir> <command>\n", argv[0]); + exit(-1); + } + type = strtoul(argv[2], &p, 0); + if (*p || type > CS_TYPE_MAX) + { + fprintf(stderr, "Usage %s <snort log dir> <command>\n", argv[0]); + exit(-1); + } + len = strlen(argv[1]); + if (len && argv[1][len - 1] == '/') + sep = ""; + else + sep = "/"; + snprintf(socket_fn, sizeof(socket_fn), "%s%s%s", argv[1], sep, CONTROL_FILE); + ConnectToUnixSocket(socket_fn, &socket_fd); + msg.version = htons(CS_HEADER_VERSION); + msg.type = htons((uint16_t)type); + msg.length = 0; + if ((rval = SendMessage(socket_fd, &msg, 0)) < 0) + { + fprintf(stderr, "Failed to send the message: %s\n", strerror(errno)); + close(socket_fd); + exit(-1); + } + else if (!rval) + { + fprintf(stderr, "Server closed the socket\n"); + close(socket_fd); + exit(-1); + } + + if ((rval = ReadResponse(socket_fd, &msg)) < 0) + { + fprintf(stderr, "Failed to read the response: %s\n", strerror(errno)); + close(socket_fd); + exit(-1); + } + else if (!rval) + { + fprintf(stderr, "Server closed the socket before sending a response\n"); + close(socket_fd); + exit(-1); + } + printf("Version %04X response %04X with %u bytes returned\n", msg.version, msg.type, msg.length); + if (msg.version == CS_HEADER_VERSION && msg.length && msg.length <= 4096) + { + uint8_t data[4096]; + + if ((rval = ReadData(socket_fd, data, msg.length)) < 0) + { + fprintf(stderr, "Failed 
to read the response data: %s\n", strerror(errno)); + close(socket_fd); + exit(-1); + } + else if (!rval) + { + fprintf(stderr, "Server closed the socket before sending the response data\n"); + close(socket_fd); + exit(-1); + } + DumpHex(stdout, data, msg.length); + } + return 0; +} + diff -Nru snort-2.9.0.1/tools/Makefile.am snort-2.9.2/tools/Makefile.am --- snort-2.9.0.1/tools/Makefile.am 2010-06-09 15:37:00.000000000 -0700 +++ snort-2.9.2/tools/Makefile.am 2011-10-26 11:28:52.000000000 -0700 @@ -1,4 +1,9 @@ AUTOMAKE_OPTIONS=foreign no-dependencies -SUBDIRS = u2boat u2spewfoo + +if BUILD_CONTROL_SOCKET +CONTROL_DIR = control +endif + +SUBDIRS = u2boat u2spewfoo $(CONTROL_DIR) INCLUDES = @INCLUDES@ diff -Nru snort-2.9.0.1/tools/Makefile.in snort-2.9.2/tools/Makefile.in --- snort-2.9.0.1/tools/Makefile.in 2010-10-08 02:56:55.000000000 -0700 +++ snort-2.9.2/tools/Makefile.in 2011-12-07 11:23:23.000000000 -0800 @@ -62,7 +62,7 @@ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = u2boat u2spewfoo control DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -98,7 +98,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -113,6 +115,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
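Review bot: DumpHex narrows each response byte to a plain `char` before calling `isprint()` and `isspace()`, so a byte of 0x80 or above arrives as a negative value on targets where `char` is signed, which the <ctype.h> functions do not define; classify the unsigned byte and only narrow when storing it: `if (isprint(data[i]) && (data[i] == ' ' || !isspace(data[i])))` followed by `str[pos] = (char)data[i];`. SendMessage writes to the stream socket with `write()` and nothing in main ignores SIGPIPE, so if the server has already closed the socket the tool is killed by the signal instead of reaching the `strerror(errno)` error path; `signal(SIGPIPE, SIG_IGN);` before ConnectToUnixSocket (signal.h is already included) keeps the reporting inside the program. The pointer pun `(*(uint8_t **)&msg) + total` in SendMessage and ReadResponse reads the pointer object through an incompatible type; `(const uint8_t *)msg + total` and `(uint8_t *)hdr + total` say the same thing without the aliasing question. The trailing `if (total < length) return 0;` in ReadData is unreachable because the loop only exits once `total >= length`, and can be dropped.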
@@ -149,13 +152,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -214,7 +223,8 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies -SUBDIRS = u2boat u2spewfoo +@BUILD_CONTROL_SOCKET_TRUE@CONTROL_DIR = control +SUBDIRS = u2boat u2spewfoo $(CONTROL_DIR) all: all-recursive .SUFFIXES: diff -Nru snort-2.9.0.1/tools/u2boat/Makefile.am snort-2.9.2/tools/u2boat/Makefile.am --- snort-2.9.0.1/tools/u2boat/Makefile.am 2010-06-09 15:37:00.000000000 -0700 +++ snort-2.9.2/tools/u2boat/Makefile.am 2011-06-21 13:06:27.000000000 -0700 @@ -1,6 +1,8 @@ AUTOMAKE_OPTIONS=foreign bin_PROGRAMS = u2boat +docdir = ${datadir}/doc/${PACKAGE} + u2boat_SOURCES = u2boat.c u2boat.h u2boat_CFLAGS = @CFLAGS@ $(AM_CFLAGS) u2boat_LDADD = -lpcap diff -Nru snort-2.9.0.1/tools/u2boat/Makefile.in snort-2.9.2/tools/u2boat/Makefile.in --- snort-2.9.0.1/tools/u2boat/Makefile.in 2010-10-08 02:56:56.000000000 -0700 +++ snort-2.9.2/tools/u2boat/Makefile.in 2011-12-07 11:23:23.000000000 -0800 @@ -105,7 +105,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -120,6 +122,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -156,13 +159,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -187,7 +196,7 @@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ -docdir = @docdir@ +docdir = ${datadir}/doc/${PACKAGE} dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ diff -Nru snort-2.9.0.1/tools/u2boat/u2boat.c snort-2.9.2/tools/u2boat/u2boat.c --- snort-2.9.0.1/tools/u2boat/u2boat.c 2010-06-09 15:37:00.000000000 -0700 +++ snort-2.9.2/tools/u2boat/u2boat.c 2011-06-21 13:06:27.000000000 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2002-2010 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> * Author: Ryan Jordan <ryan.jordan@sourcefire.com> * @@ -30,6 +30,10 @@ #include <arpa/inet.h> #include <pcap.h> +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include "u2boat.h" #define FAILURE -1 @@ -89,7 +93,7 @@ } if (ferror(input)) { - fprintf(stderr, "Error reading input file, aborting...\n"); + fprintf(stderr, "Error reading input file, aborting...\n"); return FAILURE; } if (ferror(output)) @@ -223,7 +227,7 @@ items_read, rec->length); return FAILURE; } - + return SUCCESS; } 
@@ -297,7 +301,7 @@ } /* Open the files */ - if ((input_file = fopen(input_filename, "r")) == NULL) + if ((input_file = fopen(input_filename, "r")) == NULL) { fprintf(stderr, "Unable to open file: %s\n", input_filename); return FAILURE; diff -Nru snort-2.9.0.1/tools/u2boat/u2boat.h snort-2.9.2/tools/u2boat/u2boat.h --- snort-2.9.0.1/tools/u2boat/u2boat.h 2010-06-09 15:37:01.000000000 -0700 +++ snort-2.9.2/tools/u2boat/u2boat.h 2011-06-21 13:06:27.000000000 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2002-2010 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> * * This program is free software; you can redistribute it and/or modify diff -Nru snort-2.9.0.1/tools/u2spewfoo/Makefile.am snort-2.9.2/tools/u2spewfoo/Makefile.am --- snort-2.9.0.1/tools/u2spewfoo/Makefile.am 2010-06-09 15:37:01.000000000 -0700 +++ snort-2.9.2/tools/u2spewfoo/Makefile.am 2011-07-14 13:23:00.000000000 -0700 @@ -4,5 +4,8 @@ u2spewfoo_SOURCES = u2spewfoo.c u2spewfoo_CFLAGS = @CFLAGS@ $(AM_CFLAGS) +EXTRA_DIST = \ +u2spewfoo.dsp + INCLUDES = @INCLUDES@ @extra_incl@ diff -Nru snort-2.9.0.1/tools/u2spewfoo/Makefile.in snort-2.9.2/tools/u2spewfoo/Makefile.in --- snort-2.9.0.1/tools/u2spewfoo/Makefile.in 2010-10-08 02:56:56.000000000 -0700 +++ snort-2.9.2/tools/u2spewfoo/Makefile.in 2011-12-07 11:23:23.000000000 -0800 @@ -81,7 +81,9 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ +CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ +CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -96,6 +98,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ 
@@ -132,13 +135,19 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RAZORBACK_CFLAGS = @RAZORBACK_CFLAGS@ +RAZORBACK_LIBS = @RAZORBACK_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ +SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ +SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ +SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ @@ -199,6 +208,9 @@ AUTOMAKE_OPTIONS = foreign u2spewfoo_SOURCES = u2spewfoo.c u2spewfoo_CFLAGS = @CFLAGS@ $(AM_CFLAGS) +EXTRA_DIST = \ +u2spewfoo.dsp + all: all-am .SUFFIXES: diff -Nru snort-2.9.0.1/tools/u2spewfoo/u2spewfoo.c snort-2.9.2/tools/u2spewfoo/u2spewfoo.c --- snort-2.9.0.1/tools/u2spewfoo/u2spewfoo.c 2010-06-09 15:37:01.000000000 -0700 +++ snort-2.9.2/tools/u2spewfoo/u2spewfoo.c 2011-11-21 12:15:24.000000000 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2002-2010 Sourcefire, Inc. + * Copyright (C) 2002-2011 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> * Author: Adam Keeton * @@ -19,6 +19,13 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifndef WIN32 +#include <ctype.h> #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -27,6 +34,10 @@ #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> +#endif +#ifdef HAVE_UUID_UUID_H +#include<uuid/uuid.h> +#endif #include "Unified2_common.h" 
@@ -34,12 +45,72 @@ #define STEVE -1 #define FAILURE STEVE - +#ifndef WIN32 #ifndef uint32_t typedef unsigned int uint32_t; typedef unsigned short uint16_t; typedef unsigned char uint8_t; #endif +#else +void inet_ntop(int family, const void *ip_raw, char *buf, int bufsize) { + int i; + + if(!ip_raw || !buf || !bufsize || + (family != AF_INET && family != AF_INET6) || + /* Make sure if it's IPv6 that the buf is large enough. */ + /* Need atleast a max of 8 fields of 4 bytes plus 7 for colons in + * between. Need 1 more byte for null. */ + (family == AF_INET6 && bufsize < 8*4 + 7 + 1) || + /* Make sure if it's IPv4 that the buf is large enough. */ + /* 4 fields of 3 numbers, plus 3 dots and a null byte */ + (family == AF_INET && bufsize < 3*4 + 4) ) + { + if(buf && bufsize > 0) buf[0] = 0; + return; + } + + /* 4 fields of at most 3 characters each */ + if(family == AF_INET) { + u_int8_t *p = (u_int8_t*)ip_raw; + + for(i=0; p < ((u_int8_t*)ip_raw) + 4; p++) { + i += sprintf(&buf[i], "%d", *p); + + /* If this is the last iteration, this could technically cause one + * extra byte to be written past the end. */ + if(i < bufsize && ((p + 1) < ((u_int8_t*)ip_raw+4))) + buf[i] = '.'; + + i++; + } + + /* Check if this is really just an IPv4 address represented as 6, + * in compatible format */ +#if 0 + } + else if(!field[0] && !field[1] && !field[2]) { + unsigned char *p = (unsigned char *)(&ip->ip[12]); + + for(i=0; p < &ip->ip[16]; p++) + i += sprintf(&buf[i], "%d.", *p); +#endif + } + else { + u_int16_t *p = (u_int16_t*)ip_raw; + + for(i=0; p < ((u_int16_t*)ip_raw) + 8; p++) { + i += sprintf(&buf[i], "%04x", ntohs(*p)); + + /* If this is the last iteration, this could technically cause one + * extra byte to be written past the end. */ + if(i < bufsize && ((p + 1) < ((u_int16_t*)ip_raw) + 8)) + buf[i] = ':'; + + i++; + } + } +} +#endif typedef struct _record { uint32_t type; 
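Review bot: The WIN32 `inet_ntop` replacement builds the address with unbounded `sprintf(&buf[i], ...)` and the `i < bufsize` test only guards the separator byte, so the writes stay in bounds only because of the size check at the top of the function — the in-code comment even admits the last iteration "could technically cause one extra byte to be written past the end". Writing `i += snprintf(&buf[i], bufsize - i, "%d", *p);` (and the same for the `"%04x"` IPv6 form) makes the bound explicit and independent of the arithmetic in the guard. The `#if 0` block in the AF_INET branch references `field` and `ip`, which are not declared in this function, and should be deleted rather than kept as dead code. The function also returns `void` while the standard `inet_ntop` returns a pointer, and on toolchains whose winsock headers already declare `inet_ntop` this external definition may conflict; a `static` helper under its own name, such as `u2_inet_ntop`, avoids both problems.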
@@ -60,7 +131,7 @@ u2iterator *ret; if(!f) { - printf("new_iterator: Failed to open file: %s\n\tErrno: %s\n", + printf("new_iterator: Failed to open file: %s\n\tErrno: %s\n", filename, strerror(errno)); return NULL; } @@ -68,10 +139,10 @@ ret = (u2iterator*)malloc(sizeof(u2iterator)); if(!ret) { - printf("new_iterator: Failed to malloc %lu bytes.\n", sizeof(u2iterator)); + printf("new_iterator: Failed to malloc %lu bytes.\n", (unsigned long)sizeof(u2iterator)); return NULL; } - + ret->file = f; ret->filename = strdup(filename); return ret; @@ -84,7 +155,7 @@ } int get_record(u2iterator *it, u2record *record) { - uint bytes_read; + uint32_t bytes_read; if(!it || !it->file) return FAILURE; @@ -96,7 +167,7 @@ } /* read type and length */ - bytes_read = fread(record, 1, sizeof(uint) * 2, it->file); + bytes_read = fread(record, 1, sizeof(uint32_t) * 2, it->file); /* But they're in network order! */ record->type= ntohl(record->type); record->length= ntohl(record->length); @@ -107,9 +178,9 @@ /* EOF */ return FAILURE; - if(bytes_read != sizeof(uint)*2) { + if(bytes_read != sizeof(uint32_t)*2) { puts("get_record: (1) Failed to read all of record."); - printf("\tRead %u of %lu bytes\n", bytes_read, sizeof(uint)*2); + printf("\tRead %u of %lu bytes\n", bytes_read, (unsigned long)sizeof(uint32_t)*2); return FAILURE; } @@ -119,18 +190,22 @@ if(bytes_read != record->length) { puts("get_record: (2) Failed to read all of record data."); printf("\tRead %u of %u bytes\n", bytes_read, record->length); - return FAILURE; + return FAILURE; } return SUCCESS; } void extradata_dump(u2record *record) { - uint8_t *field; + uint8_t *field, *data; int i; + int len = 0; SerialUnified2ExtraData event; Unified2ExtraDataHdr eventHdr; - + uint32_t ip; + char ip6buf[INET6_ADDRSTRLEN+1]; + struct in6_addr ipAddr; + memcpy(&eventHdr, record->data, sizeof(Unified2ExtraDataHdr)); memcpy(&event, record->data + sizeof(Unified2ExtraDataHdr) , sizeof(SerialUnified2ExtraData)); 
@@ -159,32 +234,88 @@ event.event_second, event.type, event.data_type, event.blob_length); - if(event.type & EVENT_INFO_XFF_IPV4) - { - uint32_t ip; - memcpy(&ip, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(uint32_t)); + len = event.blob_length - sizeof(event.blob_length) - sizeof(event.data_type); - ip = ntohl(ip); - printf("Original Client IP: %u.%u.%u.%u\n", - TO_IP(ip)); - } - else if(event.type & EVENT_INFO_XFF_IPV6) + switch(event.type) { - char ip6buf[INET6_ADDRSTRLEN+1]; - struct in6_addr ipAddr; - - memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); - - inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); + case EVENT_INFO_XFF_IPV4: + memcpy(&ip, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(uint32_t)); + ip = ntohl(ip); + printf("Original Client IP: %u.%u.%u.%u\n", + TO_IP(ip)); + break; + + case EVENT_INFO_XFF_IPV6: + memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); + inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); + printf("Original Client IP: %s\n", + ip6buf); + break; + + case EVENT_INFO_GZIP_DATA: + printf("GZIP Decompressed Data: %.*s\n", + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_JSNORM_DATA: + printf("Normalized JavaScript Data: %.*s\n", + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_SMTP_FILENAME: + printf("SMTP Attachment Filename: %.*s\n", + len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_SMTP_MAILFROM: + printf("SMTP MAIL FROM Addresses: %.*s\n", + len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_SMTP_RCPTTO: + printf("SMTP RCPT TO Addresses: 
%.*s\n", + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_SMTP_EMAIL_HDRS: + printf("SMTP EMAIL HEADERS: \n%.*s\n", + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_HTTP_URI: + printf("HTTP URI: %.*s\n", + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + break; + + case EVENT_INFO_HTTP_HOSTNAME: + printf("HTTP Hostname: "); + data = record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData); + for(i=0; i < len; i++) + { + if(iscntrl(data[i])) + printf("%c",'.'); + else + printf("%c",data[i]); + } + printf("\n"); + break; + + case EVENT_INFO_IPV6_SRC: + memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); + inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); + printf("IPv6 Source Address: %s\n", + ip6buf); + break; + + case EVENT_INFO_IPV6_DST: + memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); + inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); + printf("IPv6 Destination Address: %s\n", + ip6buf); + break; - printf("Original Client IP: %s\n", - ip6buf); - - } - else if(event.type & EVENT_INFO_GZIP_DATA) - { - printf("GZIP Decompressed Data: %s\n", - record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); + default : + break; } } @@ -209,7 +340,7 @@ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ /* done changing the network ordering */ - + printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" @@ -231,7 +362,7 @@ int i; Serial_Unified2IDSEventIPv6_legacy event; char ip6buf[INET6_ADDRSTRLEN+1]; - + memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6_legacy)); /* network to host ordering */ 
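Review bot: `len` is computed from `event.blob_length` without validation against what was read from the file, and it drives every `%.*s` in the new switch: a blob_length below 8 makes `len` negative, which printf treats as "no precision" and prints until the first NUL, and a blob_length larger than the record lets the string cases and the EVENT_INFO_HTTP_HOSTNAME loop read past `record->data`. The data region starts at `record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)` and get_record fills exactly `record->length` bytes, so the bound is available locally; presumably the memcpy calls at the top of extradata_dump already rely on `record->length` covering those two headers, which is not visible from here, and the field types come from Unified2_common.h, also not in view. extradata_dump begins outside this hunk. Proposed guard before the switch:
```c
    /* … unchanged: header/event memcpy and the event field printf … */
    /* blob_length comes from the file: it must at least cover its own two
     * leading fields and must not exceed the data actually read. */
    {
        uint32_t avail = record->length - sizeof(Unified2ExtraDataHdr) - sizeof(SerialUnified2ExtraData);
        uint32_t hdr = sizeof(event.blob_length) + sizeof(event.data_type);

        if (event.blob_length < hdr || event.blob_length - hdr > avail)
        {
            printf("extradata_dump: bad blob length %u for record of %u bytes\n",
                   event.blob_length, record->length);
            return;
        }
        len = (int)(event.blob_length - hdr);
    }
    /* … unchanged: switch(event.type) and its cases … */
```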
@@ -278,7 +409,7 @@ int i; Serial_Unified2IDSEvent event; - + memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent)); /* network to host ordering */ @@ -294,14 +425,14 @@ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; - *(uint32_t*)field = ntohs(*(uint32_t*)field); /* mpls_label */ + *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ - + printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" @@ -344,7 +475,7 @@ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; - *(uint32_t*)field = ntohs(*(uint32_t*)field); /* mpls_label */ + *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { 
@@ -376,6 +507,201 @@ } +static inline void print_uuid (const char* label, uint8_t* data) +{ +#ifdef HAVE_LIBUUID + char buf[37]; + uuid_unparse(data, buf); + printf("%s: %s\n", label, buf); +#else + printf("%s: %.*s\n", label, 16, data); +#endif +} + +void eventng_dump(u2record *record) { + uint8_t *field; + int i; + + Unified2IDSEventNG event; + + memcpy(&event, record->data, sizeof(Unified2IDSEventNG)); + + /* network to host ordering */ + /* In the event structure, only the last 40 bits are not 32 bit fields */ + /* The first 11 fields need to be convertted */ + field = (uint8_t*)&event; + for(i=0; i<11; i++, field+=4) { + *(uint32_t*)field = ntohl(*(uint32_t*)field); + } + + /* last 3 fields, with the exception of the last most since it's just one byte */ + *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ + field += 2; + *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ + field +=6; + *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ + field += 4; + /* vlanid */ + *(uint16_t*)field = ntohs(*(uint16_t*)field); + field+=4; + + /* done changing the network ordering */ + + + printf("\n(Event NG)\n" + "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" + "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" + "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n" + "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n" + "\tmpls label: %u\tvland id: %u\n", + event.sensor_id, event.event_id, + event.event_second, event.event_microsecond, + event.signature_id, event.generator_id, + event.signature_revision, event.classification_id, + event.priority_id, TO_IP(event.ip_source), + TO_IP(event.ip_destination), event.sport_itype, + event.dport_icode, event.protocol, + event.impact_flag, event.blocked, + event.mpls_label, event.vlanId); + + + print_uuid("\tpolicy UUID", field); + field+=16; + + for(i=0; i<5; i++, field+=4) { + *(uint32_t*)field = 
ntohl(*(uint32_t*)field); + } + + printf("\tuser id: %u\t web application id: %u\n", + event.user_id, event.web_application_id); + + printf("\tclient application id: %u\tapplication protocol id%u\tpolicy engine rule id: %u\n", + event.client_application_id, event.application_protocol_id, event.policyengine_rule_id); + + print_uuid("\tpolicy engine policy uuid", field); + field+=16; + + print_uuid("\tinterface ingress uuid", field); + field+=16; + + print_uuid("\tinterface engress uuid", field); + field+=16; + + print_uuid("\tsecurity zone ingress uuid", field); + field+=16; + + print_uuid("\tsecurity zone egress uuid", field); +} + +void eventng_6_dump(u2record *record) { + uint8_t *field; + int i; + char ip6buf[INET6_ADDRSTRLEN+1]; + Unified2IDSEventIPv6_NG event; + + memcpy(&event, record->data, sizeof(Unified2IDSEventIPv6_NG)); + + /* network to host ordering */ + /* In the event structure, only the last 40 bits are not 32 bit fields */ + /* The first fields need to be convertted */ + field = (uint8_t*)&event; + for(i=0; i<9; i++, field+=4) { + *(uint32_t*)field = ntohl(*(uint32_t*)field); + } + + field = field + 2*sizeof(struct in6_addr); + + /* last 3 fields, with the exception of the last most since it's just one byte */ + *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ + field += 2; + *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ + field +=6; + *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ + field += 4; + *(uint16_t*)field = ntohs(*(uint16_t*)field); + field += 4; + /* done changing the network ordering */ + + inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN); + + printf("\n(IPv6 NGFW Event)\n" + "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" + "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" + "\tpriority: %u\tip source: %s\t", + event.sensor_id, event.event_id, + event.event_second, event.event_microsecond, + event.signature_id, event.generator_id, + 
event.signature_revision, event.classification_id, + event.priority_id, ip6buf); + + + inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN); + printf("ip destination: %s\n" + "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n" + "\tmpls label: %u\tvland id: %u\n", + ip6buf, event.sport_itype, + event.dport_icode, event.protocol, + event.impact_flag, event.blocked, + event.mpls_label, event.vlanId); + + print_uuid("\tpolicy UUID", field); + field+=16; + + for(i=0; i<5; i++, field+=4) { + *(uint32_t*)field = ntohl(*(uint32_t*)field); + } + + printf("\tuser id: %u\t web application id: %u\n", + event.user_id, event.web_application_id); + + printf("\tclient application id: %u\tapplication protocol id%u\tpolicy engine rule id: %u\n", + event.client_application_id, event.application_protocol_id, event.policyengine_rule_id); + + print_uuid("\tpolicy engine policy uuid", field); + field+=16; + + print_uuid("\tinterface ingress uuid", field); + field+=16; + + print_uuid("\tinterface engress uuid", field); + field+=16; + + print_uuid("\tsecurity zone ingress uuid", field); + field+=16; + + print_uuid("\tsecurity zone egress uuid", field); + +} + +#define LOG_CHARS 16 + +static void LogBuffer (const uint8_t* p, unsigned n) +{ + char hex[(3*LOG_CHARS)+1]; + char txt[LOG_CHARS+1]; + unsigned odx = 0, idx = 0, at = 0; + + for ( idx = 0; idx < n; idx++) + { + uint8_t byte = p[idx]; + sprintf(hex + 3*odx, "%2.02X ", byte); + txt[odx++] = isprint(byte) ? byte : '.'; + + if ( odx == LOG_CHARS ) + { + txt[odx] = hex[3*odx] = '\0'; + printf("[%5u] %s %s\n", at, hex, txt); + at = idx + 1; + odx = 0; + } + } + if ( odx ) + { + txt[odx] = hex[3*odx] = '\0'; + printf("[%5u] %-48.48s %s\n", at, hex, txt); + } +} + void packet_dump(u2record *record) { uint32_t counter; uint8_t *field; 
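Review bot: print_uuid's fallback branch prints the 16 raw UUID bytes with `%.*s`, so without libuuid the output contains whatever bytes the record holds, including control characters written straight to the terminal, and stops early at the first zero byte; hex-encoding the bytes gives stable output in both configurations (below). The header is included under `HAVE_UUID_UUID_H` in the earlier hunk while this call is guarded by `HAVE_LIBUUID`, so if configure ever defines one without the other `uuid_unparse` is used undeclared — a single guard, or `#if defined(HAVE_LIBUUID) && defined(HAVE_UUID_UUID_H)`, closes that gap. On style, the user-visible strings `"\tvland id: %u\n"` and `"\tinterface engress uuid"` in eventng_dump and eventng_6_dump look like typos for "vlan id" and "egress", as does `convertted` in the comments.
```c
static inline void print_uuid (const char* label, uint8_t* data)
{
#ifdef HAVE_LIBUUID
    /* … unchanged: uuid_unparse path … */
#else
    int i;
    printf("%s: ", label);
    for (i = 0; i < 16; i++)
        printf("%02x", data[i]);
    printf("\n");
#endif
}
```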
@@ -389,21 +715,16 @@ *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* done changing from network ordering */ - + printf("\nPacket\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\n" "\tpacket second: %u\tpacket microsecond: %u\n" "\tlinktype: %u\tpacket_length: %u\n", - packet.sensor_id, packet.event_id, packet.event_second, - packet.packet_second, packet.packet_microsecond, packet.linktype, + packet.sensor_id, packet.event_id, packet.event_second, + packet.packet_second, packet.packet_microsecond, packet.linktype, packet.packet_length); - - for(counter = 0; counter < packet.packet_length; counter++) { - printf("%2.02X ", record->data[sizeof(Serial_Unified2Packet)-4 + counter]); - if( !((counter+1)%16) ) puts(""); - else if( !((counter+1)%4) ) printf("| "); - } - puts(""); + + LogBuffer(record->data+sizeof(Serial_Unified2Packet)-4, packet.packet_length); } int u2dump(char *file) { @@ -411,7 +732,7 @@ u2iterator *it = new_iterator(file); memset(&record, 0, sizeof(record)); - + if(!it) { printf("u2dump: Failed to create new iterator with file: %s\n", file); return -1; @@ -424,6 +745,8 @@ else if(record.type == UNIFIED2_IDS_EVENT_IPV6) event6_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_IPV6_VLAN) event2_6_dump(&record); else if(record.type == UNIFIED2_EXTRA_DATA) extradata_dump(&record); + else if(record.type == UNIFIED2_IDS_EVENT_NG) eventng_dump(&record); + else if(record.type == UNIFIED2_IDS_EVENT_IPV6_NG) eventng_6_dump(&record); } free_iterator(it); @@ -437,7 +760,7 @@ if(argc != 2) { puts("usage: u2eventdump <file>"); return 1; - } - + } + return u2dump(argv[1]); } diff -Nru snort-2.9.0.1/tools/u2spewfoo/u2spewfoo.dsp snort-2.9.2/tools/u2spewfoo/u2spewfoo.dsp --- snort-2.9.0.1/tools/u2spewfoo/u2spewfoo.dsp 1969-12-31 16:00:00.000000000 -0800 +++ snort-2.9.2/tools/u2spewfoo/u2spewfoo.dsp 2011-11-21 12:15:24.000000000 -0800 
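Review bot: `packet.packet_length` is taken from the file and handed to LogBuffer unchecked, so a record whose packet_length exceeds what get_record read makes LogBuffer walk past the end of `record->data`; the loop this hunk replaces had the same exposure, but the new call is the place to bound it. get_record fills exactly `record->length` bytes, so a clamp before the call is local: `unsigned avail = record->length - (sizeof(Serial_Unified2Packet) - 4);` then `if (packet.packet_length > avail) { printf("packet_dump: packet_length %u exceeds record data (%u)\n", packet.packet_length, avail); packet.packet_length = avail; }`. This assumes the earlier part of packet_dump, which starts outside the hunk, has already established that `record->length` covers `sizeof(Serial_Unified2Packet) - 4`; if it has not, that check belongs there as well.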
@@ -0,0 +1,102 @@ +# Microsoft Developer Studio Project File - Name="u2spewfoo" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Console Application" 0x0103 + +CFG=u2spewfoo - Win32 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "u2spewfoo.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "u2spewfoo.mak" CFG="u2spewfoo - Win32 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "u2spewfoo - Win32 Release" (based on "Win32 (x86) Console Application") +!MESSAGE "u2spewfoo - Win32 Debug" (based on "Win32 (x86) Console Application") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +RSC=rc.exe + +!IF "$(CFG)" == "u2spewfoo - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c +# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\src\win32\WIN32-Includes" /I "..\..\src\sfutil" /D "NDEBUG" /D "_CONSOLE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /c +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib 
oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 +# ADD LINK32 wsock32.lib /nologo /subsystem:console /machine:I386 + +!ELSEIF "$(CFG)" == "u2spewfoo - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 2 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\src\win32\WIN32-Includes" /I "..\..\src\sfutil" /D "_DEBUG" /D "_CONSOLE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /GZ /c +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept +# ADD LINK32 wsock32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept + +!ENDIF + +# Begin Target + +# Name "u2spewfoo - Win32 Release" +# Name "u2spewfoo - Win32 Debug" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\u2spewfoo.c +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# End Group +# Begin Group "Resource Files" 
+ +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project